Updating open-appsec helm charts

build_system/charts/open-appsec-kong/CHANGELOG.md

@@ -1,8 +1,36 @@
 # Changelog
 
-## Unreleased
+## 2.33.2
 
-Nothing yet.
+* Fix a template bug related to the `affinity` field for migrations Pods.
+  [#972](https://github.com/Kong/charts/pull/972)
+
+## 2.33.1
+
+### Fixed
+
+* Use changed `incubator.ingress-controller.konghq.com` API group name in `KongServiceFacade`
+  RBAC rules. Refer to [KIC#5302](https://github.com/Kong/kubernetes-ingress-controller/pull/5302)
+  for rename reasoning.
+  [#968](https://github.com/Kong/charts/pull/968)
+
+## 2.33.0
+
+### Improvements
+
+* Only allow `None` ClusterIPs on ClusterIP-type Services.
+  [#961](https://github.com/Kong/charts/pull/961)
+  [#962](https://github.com/Kong/charts/pull/962)
+* Bumped Kong version to 3.5.
+  [#957](https://github.com/Kong/charts/pull/957)
+* Support for `affinity` configuration has been added to migration job templates.
+* Display a warning message when Kong Manager is enabled and the Admin API is disabled.
+* Validate Gateway API's `Gateway` and `HTTPRoute` resources in the controller's
+  admission webhook only when KIC version is 3.0 or higher.
+  [#954](https://github.com/Kong/charts/pull/954)
+* Added controller's RBAC rules for `KongServiceFacade` CRD (installed only when
+  KongServiceFacade feature gate turned on and KIC version >= 3.1.0).
+  [#963](https://github.com/Kong/charts/pull/963)
 
 ## 2.32.0
 

build_system/charts/open-appsec-kong/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.1.1
+appVersion: 1.1.3
 dependencies:
 - condition: postgresql.enabled
   name: postgresql
@@ -14,4 +14,4 @@ maintainers:
 name: open-appsec-kong
 sources:
 - https://github.com/Kong/charts/tree/main/charts/kong
-version: 2.32.0
+version: 2.33.2

build_system/charts/open-appsec-kong/README.md

@@ -609,7 +609,7 @@ directory.
 | Parameter                          | Description                                                                           | Default             |
 | ---------------------------------- | ------------------------------------------------------------------------------------- | ------------------- |
 | image.repository                   | Kong image                                                                            | `kong`              |
-| image.tag                          | Kong image version                                                                    | `3.4`               |
+| image.tag                          | Kong image version                                                                    | `3.5`               |
 | image.effectiveSemver              | Semantic version to use for version-dependent features (if `tag` is not a semver)     |                     |
 | image.pullPolicy                   | Image pull policy                                                                     | `IfNotPresent`      |
 | image.pullSecrets                  | Image pull secrets                                                                    | `null`              |
@@ -777,7 +777,7 @@ section of `values.yaml` file:
 #### The `env` section
 For a complete list of all configuration values you can set in the
 `env` section, please read the Kong Ingress Controller's
-[configuration document](https://github.com/Kong/docs.konghq.com/blob/main/src/kubernetes-ingress-controller/references/cli-arguments.md).
+[configuration document](https://docs.konghq.com/kubernetes-ingress-controller/latest/reference/cli-arguments/).
 
 #### The `customEnv` section
 

build_system/charts/open-appsec-kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml

@@ -145,7 +145,7 @@ extraLabels:
   konghq.com/component: quickstart
 image:
   repository: kong/kong-gateway
-  tag: "3.4"
+  tag: "3.5"
 ingressController:
   enabled: true
   env:

build_system/charts/open-appsec-kong/example-values/full-k4k8s-with-kong-enterprise.yaml

@@ -12,7 +12,7 @@
 
 image:
   repository: kong/kong-gateway
-  tag: "3.4"
+  tag: "3.5"
 
 env:
   prefix: /kong_prefix/

build_system/charts/open-appsec-kong/example-values/minimal-k4k8s-with-kong-enterprise.yaml

@@ -9,7 +9,7 @@
 
 image:
   repository: kong/kong-gateway
-  tag: "3.4"
+  tag: "3.5"
 
 admin:
   enabled: true

build_system/charts/open-appsec-kong/example-values/minimal-kong-controller.yaml

@@ -2,7 +2,7 @@
 
 image:
   repository: kong
-  tag: "3.4"
+  tag: "3.5"
 
 env:
   prefix: /kong_prefix/

build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-dbless.yaml

@@ -4,7 +4,7 @@
 
 image:
   repository: kong/kong-gateway
-  tag: "3.4"
+  tag: "3.5"
 
 enterprise:
   enabled: true

build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-control.yaml

@@ -14,7 +14,7 @@
 
 image:
   repository: kong/kong-gateway
-  tag: "3.4"
+  tag: "3.5"
 
 env:
   database: postgres

build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-data.yaml

@@ -12,7 +12,7 @@
 
 image:
   repository: kong/kong-gateway
-  tag: "3.4"
+  tag: "3.5"
 
 env:
   role: data_plane

build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-control.yaml

@@ -6,7 +6,7 @@
 
 image:
   repository: kong
-  tag: "3.4"
+  tag: "3.5"
 
 env:
   prefix: /kong_prefix/

build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-data.yaml

@@ -11,7 +11,7 @@
 
 image:
   repository: kong
-  tag: "3.4"
+  tag: "3.5"
 
 env:
   prefix: /kong_prefix/

build_system/charts/open-appsec-kong/example-values/minimal-kong-standalone.yaml

@@ -6,7 +6,7 @@
 
 image:
   repository: kong
-  tag: "3.4"
+  tag: "3.5"
 
 env:
   prefix: /kong_prefix/

build_system/charts/open-appsec-kong/templates/NOTES.txt

@@ -12,10 +12,17 @@ Once installed, please follow along the getting started guide to start using
 Kong: https://docs.konghq.com/kubernetes-ingress-controller/latest/guides/getting-started/
 
 {{ $warnings := list -}}
+
 {{- if (hasKey .Values.ingressController "serviceAccount") -}}
 {{- if (or (hasKey .Values.ingressController.serviceAccount "name") (hasKey .Values.ingressController.serviceAccount "annotations")) -}}
 {{- $warnings = append $warnings "you have set either .ingressController.serviceAccount.name or .ingressController.serviceAccount.annotations. These settings have moved to .deployment.serviceAccount.name and .deployment.serviceAccount.annotations. You must move your configuration to the new location in values.yaml" -}}
 {{- end -}}
 {{- end -}}
 
+{{- if and .Values.manager.enabled (or .Values.manager.http.enabled .Values.manager.tls.enabled) -}}
+{{- if not (and .Values.admin.enabled (or .Values.admin.http.enabled .Values.admin.tls.enabled)) -}}
+{{- $warnings = append $warnings "Kong Manager will not be functional because the Admin API is not enabled. Setting both .admin.enabled and .admin.http.enabled and/or .admin.tls.enabled to true to enable the Admin API over HTTP/TLS." -}}
+{{- end -}}
+{{- end -}}
+
 {{- include "kong.deprecation-warnings" $warnings -}}

build_system/charts/open-appsec-kong/templates/_helpers.tpl

@@ -252,8 +252,10 @@ spec:
   externalTrafficPolicy: {{ .externalTrafficPolicy }}
   {{- end }}
   {{- if .clusterIP }}
+  {{- if (or (not (eq .clusterIP "None")) (and (eq .type "ClusterIP") (eq .clusterIP "None"))) }}
   clusterIP: {{ .clusterIP }}
   {{- end }}
+  {{- end }}
   selector:
     {{- .selectorLabels | nindent 4 }}
 {{- end -}}
@@ -1267,6 +1269,25 @@ resource roles into their separate templates.
   - namespaces
   verbs:
   - list
+{{- if and (semverCompare ">= 3.1.0" (include "kong.effectiveVersion" .Values.ingressController.image))
+           (contains (print .Values.ingressController.env.feature_gates) "KongServiceFacade=true") }}
+- apiGroups:
+  - incubator.ingress-controller.konghq.com
+  resources:
+  - kongservicefacades
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - incubator.ingress-controller.konghq.com
+  resources:
+  - kongservicefacades/status
+  verbs:
+  - get
+  - patch
+  - update
+{{- end }}
 {{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
 - apiGroups:
   - configuration.konghq.com

build_system/charts/open-appsec-kong/templates/admission-webhook.yaml

@@ -104,7 +104,9 @@ webhooks:
     apiVersions:
     - 'v1alpha2'
     - 'v1beta1'
+{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
     - 'v1'
+{{- end }}
     operations:
     - CREATE
     - UPDATE

build_system/charts/open-appsec-kong/templates/appsec.yaml

@@ -22,6 +22,10 @@ metadata:
   {{- end }}
   {{- end }}
 spec:
+  {{- if eq .Values.kind "AppSecStateful" }}
+  persistentVolumeClaimRetentionPolicy:
+    whenDeleted: Delete
+  {{- end }}
   {{- if not .Values.autoscaling.enabled }}
   {{- if eq .Values.kind "AppSecStateful" }}
   serviceName: "open-appsec-stateful-set"

build_system/charts/open-appsec-kong/templates/migrations-post-upgrade.yaml

@@ -80,6 +80,10 @@ spec:
         {{- toYaml .Values.migrations.resources | nindent 10 }}
       securityContext:
       {{- include "kong.podsecuritycontext" . | nindent 8 }}
+      {{- if .Values.affinity }}
+      affinity:
+      {{- toYaml .Values.affinity | nindent 8 }}
+      {{- end }}
       {{- if .Values.nodeSelector }}
       nodeSelector:
       {{- toYaml .Values.nodeSelector | nindent 8 }}

build_system/charts/open-appsec-kong/templates/migrations-pre-upgrade.yaml

@@ -82,6 +82,10 @@ spec:
         {{- toYaml .Values.migrations.resources| nindent 10 }}
       securityContext:
       {{- include "kong.podsecuritycontext" . | nindent 8 }}
+      {{- if .Values.affinity }}
+      affinity:
+      {{- toYaml .Values.affinity | nindent 8 }}
+      {{- end }}
       {{- if .Values.nodeSelector }}
       nodeSelector:
       {{- toYaml .Values.nodeSelector | nindent 8 }}

build_system/charts/open-appsec-kong/templates/migrations.yaml

@@ -86,6 +86,10 @@ spec:
         {{- toYaml .Values.migrations.resources | nindent 10 }}
       securityContext:
       {{- include "kong.podsecuritycontext" . | nindent 8 }}
+      {{- if .Values.affinity }}
+      affinity:
+      {{- toYaml .Values.affinity | nindent 8 }}
+      {{- end }}
       {{- if .Values.nodeSelector }}
       nodeSelector:
       {{- toYaml .Values.nodeSelector | nindent 8 }}

build_system/charts/open-appsec-kong/values.yaml

@@ -126,10 +126,10 @@ extraLabels: {}
 # Specify Kong's Docker image and repository details here
 image:
   repository: kong
-  tag: "3.4"
+  tag: "3.5"
   # Kong Enterprise
   # repository: kong/kong-gateway
-  # tag: "3.4"
+  # tag: "3.5"
 
   # Specify a semver version if your image tag is not one (e.g. "nightly")
   effectiveSemver:
@@ -1247,7 +1247,7 @@ appsec:
     #registry:
     repository: ghcr.io/openappsec
     image: "agent"
-    tag: "1.1.1"
+    tag: "1.1.3"
     pullPolicy: Always
 
     securityContext:
@@ -1261,7 +1261,7 @@ appsec:
   kong:
     image:
       repository: "ghcr.io/openappsec/kong-attachment"
-      tag: "1.1.1"
+      tag: "1.1.3"
   configMapName: appsec-settings-configmap
   configMapContent:
     crowdsec: