github_mirrors/openappsec
3
0
Fork 1
mirror of https://github.com/openappsec/openappsec.git synced 2025-06-28 16:41:02 +03:00
Code Issues Packages Projects Releases Wiki Activity

Updating Kong helm chart

Browse Source
This commit is contained in:
Ned Wright 2023-06-01 16:15:31 +00:00
parent 45e51ddbf7
commit 795d07bd41
36 changed files with 1438 additions and 655 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

152
build_system/charts/open-appsec-kong/CHANGELOG.md
View File

@ -1,8 +1,158 @@
# Changelog
## Unreleased
## 2.22.0
### Improvements
* Removed redundant RBAC permissions for non-existing subresources `secrets/status`
and `endpoints/status`.
[#798](https://github.com/Kong/charts/pull/798)
* For Kong Ingress Controller in version >= 2.10, RBAC permissions for `Endpoints`
are not configured anymore (because it uses `EndpointSlices`).
[#798](https://github.com/Kong/charts/pull/798)
* Added support for setting `certificates.cluster.commonName`. This allows a custom
certificate `CommonName` to be provided when deploying Kong Gateway in hybrid
mode using Cert Manager [#804](https://github.com/Kong/charts/pull/804)
## 2.21.0
### Improvements
* Added support for `startupProbe` on Kong pods. This can be configured via
`.Values.startupProbe`. To maintain backward compatibility, it is disabled by default.
[#792](https://github.com/Kong/charts/pull/792)
* Customize Admission Webhook namespaceSelectors and compose them from values.
[#794](https://github.com/Kong/charts/pull/794)
* Added `CustomResourceDefinition` `list` and `watch` permissions to controller's ClusterRole.
[#796](https://github.com/Kong/charts/pull/796)
## 2.20.2
### Fixed
* Automatic license provisioning for Gateways managed by Ingress Controllers in Konnect mode
is disabled by default.
To enable it, set `.Values.ingressController.konnect.license.enabled=true`.
[#793](https://github.com/Kong/charts/pull/793)
## 2.20.1
### Fixed
* Fix correct timestamp format and remove `isCA` in certificates
[#791](https://github.com/Kong/charts/pull/791)
## 2.20.0
### Improvements
* Added support for automatic license provisioning for Gateways managed by
Ingress Controllers in Konnect mode (`.Values.ingressController.konnect.enabled=true`).
[#787](https://github.com/Kong/charts/pull/787)
## 2.19.1
### Fixed
* Fix `webhook-cert` being mounted regardless if `.Values.ingressController.enabled`
is set.
[#779](https://github.com/Kong/charts/pull/779)
## 2.19.0
### Improvements
* Security context enforces read-only root filesystem by default. This is not
expected to affect most configurations, but [will affect custom plugins that
write to the container filesystem](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#2170).
[#770](https://github.com/Kong/charts/pull/770)
## 2.18.0
### Improvements
* Added support for the Admin API service TLS client verification.
[#780](https://github.com/Kong/charts/pull/780
## 2.17.1
### Fixed
* The `-redhat` suffix on official KIC images is no longer considered part of
the semver string for version checks.
[#779](https://github.com/Kong/charts/pull/779)
## 2.17.0
### Improvements
* Added support for controller's gateway discovery.
With `ingressController.gatewayDiscovery.enabled` set to `true` Kong Ingress Controller
will enable gateway discovery using an Admin API service.
For more information on this please see [the corresponding README.md section][kic_gateway_discovery_readme].
This feature is only available when deploying chart with Kong Ingress Controller in version 2.9 or higher.
[#747](https://github.com/Kong/charts/pull/747)
* Added experimental support for the ingress controller's Konnect sync feature via `ingressController.konnect.*` values.
This feature is only available when deploying chart with Kong Ingress Controller in version 2.9 or higher and
requires `ingressController.gatewayDiscovery.enabled` set to `true`.
[#746](https://github.com/Kong/charts/pull/746)
* Added support for annotations on the admission webhook ValidatingWebhookConfiguration.
[#760](https://github.com/Kong/charts/pull/760)
* Added support for `subject` and `privateKey` properties on certificates.
[#762](https://github.com/Kong/charts/pull/762)
* Added support for loadBalancerClass in LoadBalancer type services.
[#767](https://github.com/Kong/charts/pull/767)
* Added support for `GRPCRoute`s.
[#772](https://github.com/Kong/charts/pull/772)
* Default Kong version is bumped to 3.2.
[#773](https://github.com/Kong/charts/pull/773)
* Added support for admissionhook to include labels.
[#768](https://github.com/Kong/charts/pull/768)
### Under the hood
* Add kube-linter to the CI pipeline to ensure produced manifests comply
with community best practices.
[#751](https://github.com/Kong/charts/pull/751)
[kic_gateway_discovery_readme]: ./README.md#the-gatewaydiscovery-section
## 2.16.5
### Fixed
* Fix autoscaling version detection.
[#752](https://github.com/Kong/charts/pull/752)
* Don't include a clear-stale-pid initContainer when kong gateway is not
enabled in the deployment.
[#749](https://github.com/Kong/charts/pull/749)
## 2.16.4
### Fixed
* HorizontalPodAutoscaler's API version is detected properly.
[#744](https://github.com/Kong/charts/pull/744)
## 2.16.3
### Fixed
* Fix template issue preventing custom dblessconfig volume from being mounted.
[#741](https://github.com/Kong/charts/pull/741)
## 2.16.2
### Fixed
* The admission webhook is disabled when the ingress controller is disabled, as
the admission webhook requires a service provided by the ingress controller.
## 2.16.1
### Fixed
### Fixed
* serviceAccount projected volume is properly provisioned for GKE clusters >= 1.20.
[#735](https://github.com/Kong/charts/pull/735)

4
build_system/charts/open-appsec-kong/Chart.yaml
View File

@ -1,5 +1,5 @@
apiVersion: v2
appVersion: "3.1"
appVersion: "3.2"
dependencies:
- condition: postgresql.enabled
name: postgresql
@ -16,4 +16,4 @@ maintainers:
name: open-appsec-kong
sources:
- https://github.com/Kong/charts/tree/main/charts/kong
version: 2.16.1
version: 2.22.0

127
build_system/charts/open-appsec-kong/README.md
View File

@ -52,6 +52,7 @@ $ helm install kong/kong --generate-name
- [Configuration](#configuration)
- [Kong parameters](#kong-parameters)
- [Kong Service Parameters](#kong-service-parameters)
- [Admin Service mTLS](#admin-service-mtls)
- [Stream listens](#stream-listens)
- [Ingress Controller Parameters](#ingress-controller-parameters)
- [The `env` section](#the-env-section)
@ -335,6 +336,9 @@ first and then upgrade the data plane release](https://docs.konghq.com/gateway/l
#### Certificates
> This example shows how to use Kong Hybrid mode with `cluster_mtls: shared`.
> For an example of `cluster_mtls: pki` see the [hybrid-cert-manager example](https://github.com/Kong/charts/blob/main/charts/kong/example-values/hybrid-cert-manager/)
Hybrid mode uses TLS to secure the CP/DP node communication channel, and
requires certificates for it. You can generate these either using `kong hybrid
gen_cert` on a local Kong installation or using OpenSSL:
@ -431,7 +435,7 @@ admin:
```yaml
env:
role: data_plane
database: off
database: "off"
cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt
cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key
lua_ssl_trusted_certificate: /etc/secrets/kong-cluster-cert/tls.crt
@ -462,7 +466,7 @@ should, however, migrate to an issuer using a CA your clients trust for actual
usage.
The `proxy`, `admin`, `portal`, and `cluster` subsections under `certificates`
let you choose hostnames or override issuers on a per-certificate basis for the
let you choose hostnames, override issuers, set `subject` or set `privateKey` on a per-certificate basis for the
proxy, admin API and Manager, Portal and Portal API, and hybrid mode mTLS
services, respectively.
@ -668,6 +672,7 @@ or `ingress` sections, as it is used only for stream listens.
| SVC.tls.parameters | Array of additional listen parameters | `["http2"]` |
| SVC.type | k8s service type. Options: NodePort, ClusterIP, LoadBalancer | |
| SVC.clusterIP | k8s service clusterIP | |
| SVC.loadBalancerClass | loadBalancerClass to use for LoadBalancer provisionning | |
| SVC.loadBalancerSourceRanges | Limit service access to CIDRs if set and service type is `LoadBalancer` | `[]` |
| SVC.loadBalancerIP | Reuse an existing ingress static IP for the service | |
| SVC.externalIPs | IPs for which nodes in the cluster will also accept traffic for the servic | `[]` |
@ -682,6 +687,17 @@ or `ingress` sections, as it is used only for stream listens.
| SVC.annotations | Service annotations | `{}` |
| SVC.labels | Service labels | `{}` |
#### Admin Service mTLS
On top of the common parameters listed above, the `admin` service supports parameters for mTLS client verification.
If any of `admin.tls.client.caBundle` or `admin.tls.client.secretName` are set, the admin service will be configured to
require mTLS client verification. If both are set, `admin.tls.client.caBundle` will take precedence.
| Parameter | Description | Default |
|-----------------------------|---------------------------------------------------------------------------------------------|---------|
| admin.tls.client.caBundle | CA certificate to use for TLS verification of the Admin API client (PEM-encoded). | `""` |
| admin.tls.client.secretName | CA certificate secret name - must contain a `tls.crt` key with the PEM-encoded certificate. | `""` |
#### Stream listens
The proxy configuration additionally supports creating stream listens. These
@ -701,30 +717,46 @@ are configured using an array of objects under `proxy.stream` and `udpProxy.stre
All of the following properties are nested under the `ingressController`
section of `values.yaml` file:
| Parameter | Description | Default |
|-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------|
| enabled | Deploy the ingress controller, rbac and crd | true |
| image.repository | Docker image with the ingress controller | kong/kubernetes-ingress-controller |
| image.tag | Version of the ingress controller | 2.0 |
| image.effectiveSemver | Version of the ingress controller used for version-specific features when image.tag is not a valid semantic version | |
| readinessProbe | Kong ingress controllers readiness probe | |
| livenessProbe | Kong ingress controllers liveness probe | |
| installCRDs | Legacy toggle for Helm 2-style CRD management. Should not be set [unless necessary due to cluster permissions](#removing-cluster-scoped-permissions). | false |
| env | Specify Kong Ingress Controller configuration via environment variables | |
| customEnv | Specify custom environment variables (without the CONTROLLER_ prefix) | |
| ingressClass | The name of this controller's ingressClass | kong |
| ingressClassAnnotations | The ingress-class value for controller | kong |
| args | List of ingress-controller cli arguments | [] |
| watchNamespaces | List of namespaces to watch. Watches all namespaces if empty | [] |
| admissionWebhook.enabled | Whether to enable the validating admission webhook | true |
| admissionWebhook.failurePolicy | How unrecognized errors from the admission endpoint are handled (Ignore or Fail) | Ignore |
| admissionWebhook.port | The port the ingress controller will listen on for admission webhooks | 8080 |
| admissionWebhook.certificate.provided | Use a provided certificate. When set to false, the chart will automatically generate a certificate. | false |
| admissionWebhook.certificate.secretName | Name of the TLS secret for the provided webhook certificate | |
| admissionWebhook.certificate.caBundle | PEM encoded CA bundle which will be used to validate the provided webhook certificate | |
| deployment.userDefinedVolumes | Create volumes. Please go to Kubernetes doc for the spec of the volumes | |
| deployment.userDefinedVolumeMounts | Create volumeMounts. Please go to Kubernetes doc for the spec of the volumeMounts | |
| terminationGracePeriodSeconds | Sets the [termination grace period](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution) for Deployment pod | 30 |
| Parameter | Description | Default |
|--------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------|
| enabled | Deploy the ingress controller, rbac and crd | true |
| image.repository | Docker image with the ingress controller | kong/kubernetes-ingress-controller |
| image.tag | Version of the ingress controller | 2.0 |
| image.effectiveSemver | Version of the ingress controller used for version-specific features when image.tag is not a valid semantic version | |
| readinessProbe | Kong ingress controllers readiness probe | |
| livenessProbe | Kong ingress controllers liveness probe | |
| installCRDs | Legacy toggle for Helm 2-style CRD management. Should not be set [unless necessary due to cluster permissions](#removing-cluster-scoped-permissions). | false |
| env | Specify Kong Ingress Controller configuration via environment variables | |
| customEnv | Specify custom environment variables (without the CONTROLLER_ prefix) | |
| ingressClass | The name of this controller's ingressClass | kong |
| ingressClassAnnotations | The ingress-class value for controller | kong |
| args | List of ingress-controller cli arguments | [] |
| watchNamespaces | List of namespaces to watch. Watches all namespaces if empty | [] |
| admissionWebhook.enabled | Whether to enable the validating admission webhook | true |
| admissionWebhook.failurePolicy | How unrecognized errors from the admission endpoint are handled (Ignore or Fail) | Ignore |
| admissionWebhook.port | The port the ingress controller will listen on for admission webhooks | 8080 |
| admissionWebhook.annotations | Annotations for the Validation Webhook Configuration | |
| admissionWebhook.certificate.provided | Use a provided certificate. When set to false, the chart will automatically generate a certificate. | false |
| admissionWebhook.certificate.secretName | Name of the TLS secret for the provided webhook certificate | |
| admissionWebhook.certificate.caBundle | PEM encoded CA bundle which will be used to validate the provided webhook certificate | |
| admissionWebhook.namespaceSelector | Add namespaceSelector to the webhook. Please go to [Kubernetes doc for the specs](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) | |
| userDefinedVolumes | Create volumes. Please go to Kubernetes doc for the spec of the volumes | |
| userDefinedVolumeMounts | Create volumeMounts. Please go to Kubernetes doc for the spec of the volumeMounts | |
| terminationGracePeriodSeconds | Sets the [termination grace period](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution) for Deployment pod | 30 |
| gatewayDiscovery.enabled | Enables Kong instance service discovery (for more details see [gatewayDiscovery section][gd_section]) | false |
| gatewayDiscovery.adminApiService.namespace | The namespace of the Kong admin API service (for more details see [gatewayDiscovery section][gd_section]) | `.Release.Namespace` |
| gatewayDiscovery.adminApiService.name | The name of the Kong admin API service (for more details see [gatewayDiscovery section][gd_section]) | "" |
| konnect.enabled | Enable synchronisation of data plane configuration with Konnect Runtime Group | false |
| konnect.runtimeGroupID | Konnect Runtime Group's unique identifier. | |
| konnect.apiHostname | Konnect API hostname. Defaults to a production US-region. | us.kic.api.konghq.com |
| konnect.tlsClientCertSecretName | Name of the secret that contains Konnect Runtime Group's client TLS certificate. | konnect-client-tls |
| konnect.license.enabled | Enable automatic license provisioning for Gateways managed by Ingress Controller in Konnect mode. | false |
| adminApi.tls.client.enabled | Enable TLS client verification for the Admin API. By default, Helm will generate certificates automatically. | false |
| adminApi.tls.client.certProvided | Use user-provided certificates. If set to false, Helm will generate certificates. | false |
| adminApi.tls.client.secretName | Client TLS certificate/key pair secret name. Can be also set when `certProvided` is false to enforce a generated secret's name. | "" |
| adminApi.tls.client.caSecretName | CA TLS certificate/key pair secret name. Can be also set when `certProvided` is false to enforce a generated secret's name. | "" |
[gd_section]: #the-gatewayDiscovery-section
#### The `env` section
For a complete list of all configuration values you can set in the
@ -746,6 +778,46 @@ kong:
TZ: "Europe/Berlin"
```
#### The `gatewayDiscovery` section
Kong Ingress Controller v2.9 has introduced gateway discovery which allows
the controller to discover Gateway instances that it should configure using
an Admin API Kubernetes service.
You'll be able to configure this feature through configuration section under
`ingressController.gatewayDiscovery`:
- If `ingressController.gatewayDiscovery.enabled` is set to `false`: the ingress controller
will control a pre-determined set of Gateway instances based on Admin API URLs
(provided under the hood via `CONTROLLER_KONG_ADMIN_URL` environment variable).
- If `ingressController.gatewayDiscovery.enabled` is set to `true`: the ingress controller
will dynamically locate Gateway instances by watching the specified Kubernetes
service.
(provided under the hood via `CONTROLLER_KONG_ADMIN_SVC` environment variable).
The following admin API Service flags have to be provided in order for gateway
discovery to work:
- `ingressController.gatewayDiscovery.adminApiService.name`
- `ingressController.gatewayDiscovery.adminApiService.namespace`
Using this feature requires a split release installation of Gateways and Ingress Controller.
For exemplar `values.yaml` files which use this feature please see: [examples README.md](./example-values/README.md).
When using `gatewayDiscovery`, you should consider configuring the Admin service to use mTLS client verification to make
this interface secure. Without that, anyone who can access the Admin API from inside the cluster can configure the Gateway
instances.
On the controller release side, that can be achieved by setting `ingressController.adminApi.tls.client.enabled` to `true`.
By default, Helm will generate a certificate Secret named `<release name>-admin-api-keypair` and
a CA Secret named `<release name>-admin-api-ca-keypair` for you.
To provide your own cert, set `ingressController.adminApi.tls.client.certProvided` to
`true`, `ingressController.adminApi.tls.client.secretName` to the name of the Secret containing your client cert, and `ingressController.adminApi.tls.client.caSecretName` to the name of the Secret containing your CA cert.
On the Gateway release side, set either `admin.tls.client.secretName` to the name of your CA Secret or set `admin.tls.client.caBundle` to the CA certificate string.
### General Parameters
| Parameter | Description | Default |
@ -772,6 +844,7 @@ kong:
| updateStrategy | update strategy for deployment | `{}` |
| readinessProbe | Kong readiness probe | |
| livenessProbe | Kong liveness probe | |
| startupProbe | Kong startup probe | |
| lifecycle | Proxy container lifecycle hooks | see `values.yaml` |
| terminationGracePeriodSeconds | Sets the [termination grace period](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution) for Deployment pods | 30 |
| affinity | Node/pod affinities | |
@ -794,7 +867,7 @@ kong:
| priorityClassName | Set pod scheduling priority class for Kong pods | `""` |
| secretVolumes | Mount given secrets as a volume in Kong container to override default certs and keys. | `[]` |
| securityContext | Set the securityContext for Kong Pods | `{}` |
| containerSecurityContext | Set the securityContext for Containers | `{}` |
| containerSecurityContext | Set the securityContext for Containers | `{"readOnlyRootFilesystem": true}` |
| serviceMonitor.enabled | Create ServiceMonitor for Prometheus Operator | `false` |
| serviceMonitor.interval | Scraping interval | `30s` |
| serviceMonitor.namespace | Where to create ServiceMonitor | |

21
build_system/charts/open-appsec-kong/UPGRADE.md
View File

@ -17,6 +17,7 @@ upgrading from a previous version.
## Table of contents
- [Upgrade considerations for all versions](#upgrade-considerations-for-all-versions)
- [2.17.0](#2170)
- [2.13.0](#2130)
- [2.8.0](#280)
- [2.7.0](#270)
@ -82,6 +83,26 @@ https://raw.githubusercontent.com/Kong/charts/kong-<version>/charts/kong/crds/cu
For example, if your release is 2.6.4, you would apply
`https://raw.githubusercontent.com/Kong/charts/kong-2.6.4/charts/kong/crds/custom-resource-definitions.yaml`.
## 2.19.0
2.19 sets a default [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
that declares a read-only root filesystem for Kong containers. The base Kong and KIC
images are compatible with this setting. The chart mounts temporary writeable
emptyDir filesystems for locations that require writeable files (`/tmp` and
`/kong_prefix/`).
This setting limit attack surface and should be compatible with most
installations. However, if you use custom plugins that write to disk, you must
either mount a writeable emptyDir for them or override the new defaults by
setting:
```
containerSecurityContext:
readOnlyRootFilesystem: false
```
in your values.yaml.
## 2.13.0
2.13.0 includes updated CRDs. You must [apply these manually](#updates-to-crds)

2
build_system/charts/open-appsec-kong/crds/crd-openappsec-practice.yaml
View File

@ -109,7 +109,7 @@ spec:
configmap:
type: array
items:
type: string
type: string
openapi-schema-validation:
type: object
properties:

80
build_system/charts/open-appsec-kong/crds/crd-openappsec-sources-identifier.yaml
View File

@ -1,40 +1,40 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata :
name : sourcesidentifiers.openappsec.io
spec:
group: openappsec.io
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: array
items:
type: object
properties:
sourceIdentifier:
type: string
enum:
- headerkey
- JWTKey
- cookie
- sourceip
- x-forwarded-for
value:
type: array
items:
type: string
scope: Cluster
names:
plural: sourcesidentifiers
singular: sourcesidentifier
kind: SourcesIdentifier
shortNames:
- sourcesidentifier
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata :
name : sourcesidentifiers.openappsec.io
spec:
group: openappsec.io
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: array
items:
type: object
properties:
sourceIdentifier:
type: string
enum:
- headerkey
- JWTKey
- cookie
- sourceip
- x-forwarded-for
value:
type: array
items:
type: string
scope: Cluster
names:
plural: sourcesidentifiers
singular: sourcesidentifier
kind: SourcesIdentifier
shortNames:
- sourcesidentifier

64
build_system/charts/open-appsec-kong/crds/crd-openappsec-trusted-sources.yaml
View File

@ -1,32 +1,32 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata :
name : trustedsources.openappsec.io
spec:
group: openappsec.io
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
minNumOfSources:
type: integer
sourcesIdentifiers:
type: array
items:
type: string
scope: Cluster
names:
plural: trustedsources
singular: trustedsource
kind: TrustedSource
shortNames:
- trustedsource
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata :
name : trustedsources.openappsec.io
spec:
group: openappsec.io
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
minNumOfSources:
type: integer
sourcesIdentifiers:
type: array
items:
type: string
scope: Cluster
names:
plural: trustedsources
singular: trustedsource
kind: TrustedSource
shortNames:
- trustedsource

4
build_system/charts/open-appsec-kong/crds/custom-resource-definitions.yaml
View File

@ -448,8 +448,8 @@ spec:
type: object
upstream:
description: Upstream represents a virtual hostname and can be used to
loadbalance incoming requests over multiple targets (e.g. Kubernetes
`Services` can be a target, OR `Endpoints` can be targets).
load balance incoming requests over multiple targets (e.g. Kubernetes
Services can be a target, or URLs can be targets).
properties:
algorithm:
description: Algorithm is the load balancing algorithm to use.

16
build_system/charts/open-appsec-kong/example-values/README.md
View File

@ -52,5 +52,21 @@ common Kong deployment scenarios on Kubernetes.
restarts them, so starting control planes second, but around the same time
will usually work), but is the smoothest option.
* [minimal-kong-gd-controller.yaml](minimal-kong-gd-controller.yaml) and
[minimal-kong-gd-gateway.yaml](minimal-kong-gd-gateway.yaml) install a
single controller and cluster of gateway instances. The controller release
configuration must specify the names of the gateway proxy and admin
Services. The examples use `gw` as the gateway release name. If you wish to
use another name, set the controller configuration to match. For example, if
you use `hydrogen` as your gateway release name, set
`proxy.nameOverride=hydrogen-kong-proxy` and
`ingressController.adminApiService.name=hydrogen-kong-admin`.
* [minimal-kong-gd-controller-konnect.yaml](minimal-kong-gd-controller-konnect.yaml) and
[minimal-kong-gd-gateway.yaml](minimal-kong-gd-gateway.yaml) install a single Ingress
Controller with Kong's Konnect sync feature enabled and a cluster of gateway instances.
In order to make it work, `ingressController.konnect.runtimeGroupID` has to be
supplied and a `konnect-client-tls` secret has to be created upfront.
All Enterprise examples require some level of additional user configuration to
install properly. Read the comments at the top of each file for instructions.

2
build_system/charts/open-appsec-kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml
View File

@ -146,7 +146,7 @@ extraLabels:
konghq.com/component: quickstart
image:
repository: kong/kong-gateway
tag: "3.1"
tag: "3.2"
ingressController:
enabled: true
env:

2
build_system/charts/open-appsec-kong/example-values/full-k4k8s-with-kong-enterprise.yaml
View File

@ -12,7 +12,7 @@
image:
repository: kong/kong-gateway
tag: "3.1"
tag: "3.2"
env:
prefix: /kong_prefix/

83
build_system/charts/open-appsec-kong/example-values/hybrid-cert-manager/README.md Normal file
View File

@ -0,0 +1,83 @@
This README explains how to install Kong in DB-backed mode with Postgres and Cert Manager
# Install Postgres
Use the bitnami chart to install Postgres. Read the output to understand how to connect to the database.
```bash
helm install postgres oci://registry-1.docker.io/bitnamicharts/postgresql -n db --create-namespace
```
Once connected, create a postgres user and database:
```sql
CREATE USER kong WITH PASSWORD 'super_secret'; CREATE DATABASE kong OWNER kong;
```
# Cert Manager
Install Cert Manager in to your cluster:
```bash
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.crds.yaml
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.11.0
```
Create a self signed CA + Issuer for future use:
```yaml
echo "
apiVersion: v1
kind: Namespace
metadata:
name: kong
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: selfsigned-issuer
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: my-selfsigned-ca
namespace: kong
spec:
isCA: true
commonName: my-selfsigned-ca
secretName: root-secret
privateKey:
algorithm: ECDSA
size: 256
issuerRef:
name: selfsigned-issuer
kind: ClusterIssuer
group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: my-ca-issuer
namespace: kong
spec:
ca:
secretName: root-secret
" | kubectl apply -f -
```
# Kong
Deploy Kong using the `cp-values.yaml` and `dp-values.yaml` in this folder:
```bash
helm install kong-cp kong/kong -n kong --values cp-values.yaml
helm install kong-dp kong/kong -n kong --values dp-values.yaml
```
You should now have Kong running in hybrid mode

25
build_system/charts/open-appsec-kong/example-values/hybrid-cert-manager/cp-values.yaml Normal file
View File

@ -0,0 +1,25 @@
env:
role: control_plane
database: postgres
pg_host: postgres-postgresql.db.svc.cluster.local
pg_user: kong
pg_password: super_secret
cluster:
enabled: true
tls:
enabled: true
certificates:
enabled: true
issuer: my-ca-issuer
cluster:
enabled: true
commonName: custom.example.com
proxy:
enabled: false
ingressController:
env:
publish_service: kong/kong-cp-kong-proxy

22
build_system/charts/open-appsec-kong/example-values/hybrid-cert-manager/dp-values.yaml Normal file
View File

@ -0,0 +1,22 @@
env:
role: data_plane
database: "off"
cluster_control_plane: kong-cp-kong-cluster.kong.svc.cluster.local:8005
cluster:
enabled: true
tls:
enabled: true
certificates:
enabled: true
issuer: my-ca-issuer
cluster:
enabled: true
commonName: custom.example.com
admin:
enabled: false
ingressController:
enabled: false

2
build_system/charts/open-appsec-kong/example-values/minimal-k4k8s-with-kong-enterprise.yaml
View File

@ -9,7 +9,7 @@
image:
repository: kong/kong-gateway
tag: "3.1"
tag: "3.2"
admin:
enabled: true

2
build_system/charts/open-appsec-kong/example-values/minimal-kong-controller.yaml
View File

@ -2,7 +2,7 @@
image:
repository: kong
tag: "3.1"
tag: "3.2"
env:
prefix: /kong_prefix/

2
build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-dbless.yaml
View File

@ -4,7 +4,7 @@
image:
repository: kong/kong-gateway
tag: "3.1"
tag: "3.2"
enterprise:
enabled: true

2
build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-control.yaml
View File

@ -14,7 +14,7 @@
image:
repository: kong/kong-gateway
tag: "3.1"
tag: "3.2"
env:
database: postgres

2
build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-data.yaml
View File

@ -12,7 +12,7 @@
image:
repository: kong/kong-gateway
tag: "3.1"
tag: "3.2"
env:
role: data_plane

24
build_system/charts/open-appsec-kong/example-values/minimal-kong-gd-controller-konnect.yaml Normal file
View File

@ -0,0 +1,24 @@
deployment:
kong:
enabled: false
proxy:
## This must match the gateway release's proxy Service name.
## The Service name uses the pattern "<release name>-kong-proxy".
## In this example, the companion gateway release is named "gw"
nameOverride: gw-kong-proxy
ingressController:
enabled: true
gatewayDiscovery:
enabled: true
adminApiService:
## This must match the gateway release's admin Service name.
## The Service name uses the pattern "<release name>-kong-admin".
## In this example, the companion gateway release is named "gw"
name: gw-kong-admin
konnect:
enabled: true
runtimeGroupID: "00000000-0000-0000-0000-000000000000" # CHANGEME

33
build_system/charts/open-appsec-kong/example-values/minimal-kong-gd-controller.yaml Normal file
View File

@ -0,0 +1,33 @@
deployment:
kong:
enabled: false
proxy:
## This must match the gateway release's proxy Service name.
## The Service name uses the pattern "<release name>-kong-proxy".
## In this example, the companion gateway release is named "gw"
nameOverride: gw-kong-proxy
ingressController:
enabled: true
gatewayDiscovery:
enabled: true
adminApiService:
## This must match the gateway release's admin Service name.
## The Service name uses the pattern "<release name>-kong-admin".
## In this example, the companion gateway release is named "gw"
name: gw-kong-admin
adminApi:
tls:
client:
# Enable TLS client authentication for the Admin API.
enabled: true
# We're specifying the name of the secret to have a static name that we
# will use in the gateway release.
caSecretName: "admin-api-ca-cert"
env:
# This must match the gateway release's proxy Service HTTPs port name.
kong_admin_svc_port_names: "kong-admin-tls"

17
build_system/charts/open-appsec-kong/example-values/minimal-kong-gd-gateway.yaml Normal file
View File

@ -0,0 +1,17 @@
admin:
enabled: true
type: ClusterIP
clusterIP: None
tls:
client:
secretName: "admin-api-ca-cert"
ingressController:
enabled: false
replicaCount: 3
## This example creates a static 3-Pod Kong gateway Deployment.
## To use autoscaling instead, comment the above replicaCount and uncomment
## the autoscaling section below.
# autoscaling:
# enabled: true

2
build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-control.yaml
View File

@ -6,7 +6,7 @@
image:
repository: kong
tag: "3.1"
tag: "3.2"
env:
prefix: /kong_prefix/

2
build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-data.yaml
View File

@ -11,7 +11,7 @@
image:
repository: kong
tag: "3.1"
tag: "3.2"
env:
prefix: /kong_prefix/

2
build_system/charts/open-appsec-kong/example-values/minimal-kong-standalone.yaml
View File

@ -6,7 +6,7 @@
image:
repository: kong
tag: "3.1"
tag: "3.2"
env:
prefix: /kong_prefix/

210
build_system/charts/open-appsec-kong/templates/_helpers.tpl
View File

@ -153,6 +153,9 @@ spec:
- {{ $cidr }}
{{- end }}
{{- end }}
{{- if .loadBalancerClass }}
loadBalancerClass: {{ .loadBalancerClass }}
{{- end }}
{{- end }}
{{- if .externalIPs }}
externalIPs:
@ -316,6 +319,32 @@ Create a single listen (IP+port+parameter combo)
{{- $listen | join " " -}}
{{- end -}}
{{/*
Return the admin API service name for service discovery
*/}}
{{- define "kong.adminSvc" -}}
{{- $gatewayDiscovery := .Values.ingressController.gatewayDiscovery -}}
{{- if $gatewayDiscovery.enabled -}}
{{- $adminApiService := $gatewayDiscovery.adminApiService -}}
{{- $_ := required ".ingressController.gatewayDiscovery.adminApiService has to be provided when .Values.ingressController.gatewayDiscovery.enabled is set to true" $adminApiService -}}
{{- if (semverCompare "< 2.9.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
{{- fail (printf "Gateway discovery is available in controller versions 2.9 and up. Detected %s" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
{{- end }}
{{- if .Values.deployment.kong.enabled }}
{{- fail "deployment.kong.enabled and ingressController.gatewayDiscovery.enabled are mutually exclusive and cannot be enabled at once. Gateway discovery requires a split release installation of Gateways and Ingress Controller." }}
{{- end }}
{{- $namespace := $adminApiService.namespace | default ( include "kong.namespace" . ) -}}
{{- $name := $adminApiService.name -}}
{{- $_ := required ".ingressController.gatewayDiscovery.adminApiService.name has to be provided when .Values.ingressController.gatewayDiscovery.enabled is set to true" $name -}}
{{- printf "%s/%s" $namespace $name -}}
{{- else -}}
{{- fail "Can't use gateway discovery when .Values.ingressController.gatewayDiscovery.enabled is set to false." -}}
{{- end -}}
{{- end -}}
{{/*
Return the local admin API URL, preferring HTTPS if available
*/}}
@ -370,16 +399,61 @@ The name of the service used for the ingress controller's validation webhook
*/}}
{{- $autoEnv := dict -}}
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY" true -}}
{{- $_ := set $autoEnv "CONTROLLER_PUBLISH_SERVICE" (printf "%s/%s-proxy" ( include "kong.namespace" . ) (include "kong.fullname" .)) -}}
{{- $_ := set $autoEnv "CONTROLLER_INGRESS_CLASS" .Values.ingressController.ingressClass -}}
{{- $_ := set $autoEnv "CONTROLLER_ELECTION_ID" (printf "kong-ingress-controller-leader-%s" .Values.ingressController.ingressClass) -}}
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_URL" (include "kong.adminLocalURL" .) -}}
{{- if .Values.ingressController.admissionWebhook.enabled }}
{{- $_ := set $autoEnv "CONTROLLER_ADMISSION_WEBHOOK_LISTEN" (printf "0.0.0.0:%d" (int64 .Values.ingressController.admissionWebhook.port)) -}}
{{- end }}
{{- if (not (eq (len .Values.ingressController.watchNamespaces) 0)) }}
{{- $_ := set $autoEnv "CONTROLLER_WATCH_NAMESPACE" (.Values.ingressController.watchNamespaces | join ",") -}}
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY" true -}}
{{- $_ := set $autoEnv "CONTROLLER_PUBLISH_SERVICE" (printf "%s/%s" ( include "kong.namespace" . ) ( .Values.proxy.nameOverride | default ( printf "%s-proxy" (include "kong.fullname" . )))) -}}
{{- $_ := set $autoEnv "CONTROLLER_INGRESS_CLASS" .Values.ingressController.ingressClass -}}
{{- $_ := set $autoEnv "CONTROLLER_ELECTION_ID" (printf "kong-ingress-controller-leader-%s" .Values.ingressController.ingressClass) -}}
{{- if .Values.ingressController.admissionWebhook.enabled }}
{{- $_ := set $autoEnv "CONTROLLER_ADMISSION_WEBHOOK_LISTEN" (printf "0.0.0.0:%d" (int64 .Values.ingressController.admissionWebhook.port)) -}}
{{- end }}
{{- if (not (eq (len .Values.ingressController.watchNamespaces) 0)) }}
{{- $_ := set $autoEnv "CONTROLLER_WATCH_NAMESPACE" (.Values.ingressController.watchNamespaces | join ",") -}}
{{- end }}
{{/*
====== ADMIN API CONFIGURATION ======
*/}}
{{- if .Values.ingressController.gatewayDiscovery.enabled -}}
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_SVC" (include "kong.adminSvc" . ) -}}
{{- else -}}
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_URL" (include "kong.adminLocalURL" .) -}}
{{- end -}}
{{- if .Values.ingressController.adminApi.tls.client.enabled }}
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_CLIENT_CERT_FILE" "/etc/secrets/admin-api-cert/tls.crt" -}}
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_CLIENT_KEY_FILE" "/etc/secrets/admin-api-cert/tls.key" -}}
{{- end }}
{{/*
====== KONNECT ENVIRONMENT VARIABLES ======
*/}}
{{- if .Values.ingressController.konnect.enabled }}
{{- if (semverCompare "< 2.9.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
{{- fail (printf "Konnect sync is available in controller versions 2.9 and up. Detected %s" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
{{- end }}
{{- if not .Values.ingressController.gatewayDiscovery.enabled }}
{{- fail "ingressController.gatewayDiscovery.enabled has to be true when ingressController.konnect.enabled"}}
{{- end }}
{{- $konnect := .Values.ingressController.konnect -}}
{{- $_ := required "ingressController.konnect.runtimeGroupID is required when ingressController.konnect.enabled" $konnect.runtimeGroupID -}}
{{- $_ = set $autoEnv "CONTROLLER_KONNECT_SYNC_ENABLED" true -}}
{{- $_ = set $autoEnv "CONTROLLER_KONNECT_RUNTIME_GROUP_ID" $konnect.runtimeGroupID -}}
{{- $_ = set $autoEnv "CONTROLLER_KONNECT_ADDRESS" (printf "https://%s" .Values.ingressController.konnect.apiHostname) -}}
{{- $tlsCert := include "secretkeyref" (dict "name" $konnect.tlsClientCertSecretName "key" "tls.crt") -}}
{{- $tlsKey := include "secretkeyref" (dict "name" $konnect.tlsClientCertSecretName "key" "tls.key") -}}
{{- $_ = set $autoEnv "CONTROLLER_KONNECT_TLS_CLIENT_CERT" $tlsCert -}}
{{- $_ = set $autoEnv "CONTROLLER_KONNECT_TLS_CLIENT_KEY" $tlsKey -}}
{{- if $konnect.license.enabled }}
{{- $_ = set $autoEnv "CONTROLLER_KONNECT_LICENSING_ENABLED" true -}}
{{- end }}
{{- end }}
{{/*
@ -420,10 +494,10 @@ The name of the service used for the ingress controller's validation webhook
{{- define "kong.volumes" -}}
- name: {{ template "kong.fullname" . }}-prefix-dir
emptyDir:
emptyDir:
sizeLimit: {{ .Values.deployment.prefixDir.sizeLimit }}
- name: {{ template "kong.fullname" . }}-tmp
emptyDir:
emptyDir:
sizeLimit: {{ .Values.deployment.tmpDir.sizeLimit }}
{{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}}
{{- if .Values.certificates.cluster.enabled }}
@ -478,8 +552,9 @@ The name of the service used for the ingress controller's validation webhook
{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
{{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}}
{{- if gt $dblessSourceCount 1 -}}
{{- fail "Ambiguous configuration: only one of of .Values.dblessConfig.configMap, .Values.dblessConfig.secret, and .Values.dblessConfig.config can be set." -}}
{{- if gt $dblessSourceCount 1 -}}
{{- fail "Ambiguous configuration: only one of of .Values.dblessConfig.configMap, .Values.dblessConfig.secret, and .Values.dblessConfig.config can be set." -}}
{{- else if eq $dblessSourceCount 1 }}
- name: kong-custom-dbless-config-volume
{{- if .Values.dblessConfig.configMap }}
configMap:
@ -494,7 +569,7 @@ The name of the service used for the ingress controller's validation webhook
{{- end }}
{{- end }}
{{- if .Values.ingressController.admissionWebhook.enabled }}
{{- if and .Values.ingressController.enabled .Values.ingressController.admissionWebhook.enabled }}
- name: webhook-cert
secret:
{{- if .Values.ingressController.admissionWebhook.certificate.provided }}
@ -503,6 +578,11 @@ The name of the service used for the ingress controller's validation webhook
secretName: {{ template "kong.fullname" . }}-validation-webhook-keypair
{{- end }}
{{- end }}
{{- if or $.Values.admin.tls.client.secretName $.Values.admin.tls.client.caBundle }}
- name: admin-client-ca
configMap:
name: {{ template "kong.fullname" . }}-admin-client-ca
{{- end -}}
{{- range $secretVolume := .Values.secretVolumes }}
- name: {{ . }}
secret:
@ -518,6 +598,19 @@ The name of the service used for the ingress controller's validation webhook
secret:
secretName: {{ .name }}
{{- end }}
{{- if and .Values.ingressController.adminApi.tls.client.enabled .Values.ingressController.enabled }}
- name: admin-api-cert
secret:
secretName: {{ template "adminApiService.certSecretName" . }}
{{- end }}
{{- end -}}
{{- define "controller.adminApiCertVolumeMount" -}}
{{- if and .Values.ingressController.adminApi.tls.client.enabled .Values.ingressController.enabled }}
- name: admin-api-cert
mountPath: /etc/secrets/admin-api-cert
readOnly: true
{{- end -}}
{{- end -}}
{{- define "kong.userDefinedVolumeMounts" -}}
@ -552,12 +645,17 @@ The name of the service used for the ingress controller's validation webhook
{{- end }}
{{- end }}
{{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}}
{{- if gt $dblessSourceCount 1 -}}
{{- if eq $dblessSourceCount 1 -}}
{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
- name: kong-custom-dbless-config-volume
mountPath: /kong_dbless/
{{- end }}
{{- end }}
{{- if or $.Values.admin.tls.client.caBundle $.Values.admin.tls.client.secretName }}
- name: admin-client-ca
mountPath: /etc/admin-client-ca/
readOnly: true
{{- end -}}
{{- range .Values.secretVolumes }}
- name: {{ . }}
mountPath: /etc/secrets/{{ . }}
@ -638,7 +736,7 @@ The name of the service used for the ingress controller's validation webhook
{{- if .effectiveSemver -}}
{{- .effectiveSemver -}}
{{- else -}}
{{- .tag -}}
{{- (trimSuffix "-redhat" .tag) -}}
{{- end -}}
{{- end -}}
@ -702,6 +800,7 @@ The name of the service used for the ingress controller's validation webhook
readOnly: true
{{- end }}
{{- include "kong.userDefinedVolumeMounts" .Values.ingressController | nindent 2 }}
{{- include "controller.adminApiCertVolumeMount" . | nindent 2 }}
{{- end -}}
{{- define "secretkeyref" -}}
@ -758,10 +857,18 @@ the template that it itself is using form the above sections.
{{- $listenConfig := merge $listenConfig . -}}
{{- $_ := set $listenConfig "address" $address -}}
{{- $_ := set $autoEnv "KONG_ADMIN_LISTEN" (include "kong.listen" $listenConfig) -}}
{{- if or .tls.client.secretName .tls.client.caBundle -}}
{{- $_ := set $autoEnv "KONG_NGINX_ADMIN_SSL_VERIFY_CLIENT" "on" -}}
{{- $_ := set $autoEnv "KONG_NGINX_ADMIN_SSL_CLIENT_CERTIFICATE" "/etc/admin-client-ca/tls.crt" -}}
{{- end -}}
{{- end -}}
{{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}}
{{- if (and .Values.certificates.cluster.enabled .Values.cluster.enabled) -}}
{{- $_ := set $autoEnv "KONG_CLUSTER_MTLS" "pki" -}}
{{- $_ := set $autoEnv "KONG_CLUSTER_SERVER_NAME" .Values.certificates.cluster.commonName -}}
{{- $_ := set $autoEnv "KONG_CLUSTER_CA_CERT" "/etc/cert-manager/cluster/ca.crt" -}}
{{- $_ := set $autoEnv "KONG_CLUSTER_CERT" "/etc/cert-manager/cluster/tls.crt" -}}
{{- $_ := set $autoEnv "KONG_CLUSTER_CERT_KEY" "/etc/cert-manager/cluster/tls.key" -}}
@ -914,7 +1021,7 @@ the template that it itself is using form the above sections.
{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
{{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}}
{{- if gt $dblessSourceCount 1 -}}
{{- if eq $dblessSourceCount 1 -}}
{{- $_ := set $autoEnv "KONG_DECLARATIVE_CONFIG" "/kong_dbless/kong.yml" -}}
{{- end }}
{{- end }}
@ -1037,6 +1144,13 @@ role sets used in the charts. Updating these requires separating out cluster
resource roles into their separate templates.
*/}}
{{- define "kong.kubernetesRBACRules" -}}
- apiGroups:
- ""
resources:
- namespaces
verbs:
- list
{{- if (semverCompare "< 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
- apiGroups:
- ""
resources:
@ -1044,20 +1158,7 @@ resource roles into their separate templates.
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- list
- apiGroups:
- ""
resources:
- endpoints/status
verbs:
- get
- patch
- update
{{- end }}
- apiGroups:
- ""
resources:
@ -1087,14 +1188,6 @@ resource roles into their separate templates.
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- secrets/status
verbs:
- get
- patch
- update
- apiGroups:
- ""
resources:
@ -1306,6 +1399,22 @@ resource roles into their separate templates.
verbs:
- get
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
- grpcroutes
verbs:
- get
- list
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- grpcroutes/status
verbs:
- get
- patch
- update
{{- end }}
{{- if (.Capabilities.APIVersions.Has "networking.internal.knative.dev/v1alpha1") }}
- apiGroups:
@ -1341,6 +1450,14 @@ resource roles into their separate templates.
- get
- patch
- update
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
{{- end -}}
{{/*
@ -1373,6 +1490,15 @@ Kubernetes Cluster-scoped resources it uses to build Kong configuration.
- get
- patch
- update
{{- if (semverCompare ">= 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- watch
{{- end }}
{{- if or (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1alpha2") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1") }}
- apiGroups:
- gateway.networking.k8s.io
@ -1411,9 +1537,9 @@ extensions/v1beta1
{{- end -}}
{{- define "kong.autoscalingVersion" -}}
{{- if (.Capabilities.APIVersions.Has "autoscaling/v2") -}}
{{- if (.Capabilities.APIVersions.Has "autoscaling/v2/HorizontalPodAutoscaler") -}}
autoscaling/v2
{{- else if (.Capabilities.APIVersions.Has "autoscaling/v2beta2") -}}
{{- else if (.Capabilities.APIVersions.Has "autoscaling/v2beta2/HorizontalPodAutoscaler") -}}
autoscaling/v2beta2
{{- else -}}
autoscaling/v1

15
build_system/charts/open-appsec-kong/templates/admission-webhook.yaml
View File

@ -1,4 +1,4 @@
{{- if .Values.ingressController.admissionWebhook.enabled }}
{{- if (and .Values.ingressController.admissionWebhook.enabled .Values.ingressController.enabled) }}
{{- $certCert := "" -}}
{{- $certKey := "" -}}
{{- $caCert := "" -}}
@ -34,8 +34,18 @@ metadata:
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
{{- if .Values.ingressController.admissionWebhook.annotations }}
annotations:
{{- range $key, $value := .Values.ingressController.admissionWebhook.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
webhooks:
- name: validations.kong.konghq.com
{{- with .Values.ingressController.admissionWebhook.namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
objectSelector:
matchExpressions:
- key: owner
@ -89,6 +99,9 @@ metadata:
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
{{- if .Values.ingressController.admissionWebhook.service.labels }}
{{- toYaml .Values.ingressController.admissionWebhook.service.labels | nindent 4 }}
{{- end }}
spec:
ports:
- name: webhook

885
build_system/charts/open-appsec-kong/templates/appsec.yaml
View File

@ -1,447 +1,438 @@
{{- if and (not (eq .Values.kind "Vanilla")) (or .Values.deployment.kong.enabled .Values.ingressController.enabled) }}
apiVersion: apps/v1
{{- if (eq .Values.kind "AppSec") }}
{{- if .Values.deployment.daemonset }}
kind: DaemonSet
{{- else }}
kind: Deployment
{{- end }}
{{- else if eq .Values.kind "AppSecStateful" }}
kind: StatefulSet
{{- end }}
metadata:
name: {{ template "kong.fullname" . }}
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
app.kubernetes.io/component: app
{{- if .Values.deploymentAnnotations }}
annotations:
{{- range $key, $value := .Values.deploymentAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
{{- if not .Values.autoscaling.enabled }}
{{- if eq .Values.kind "AppSecStateful" }}
serviceName: "cp-appsec-stateful-set"
{{- end }}
{{- if or (not .Values.deployment.daemonset) (and (eq .Values.kind "AppSecStateful") ( .Values.deployment.daemonset )) }}
replicas: {{ .Values.replicaCount }}
{{- end }}
{{- end }}
selector:
matchLabels:
{{- include "kong.selectorLabels" . | nindent 6 }}
{{- if .Values.updateStrategy }}
{{- if .Values.deployment.daemonset }}
updateStrategy:
{{- else }}
strategy:
{{- end }}
{{ toYaml .Values.updateStrategy | indent 4 }}
{{- end }}
{{- if .Values.deployment.minReadySeconds }}
minReadySeconds: {{ .Values.deployment.minReadySeconds }}
{{- end }}
template:
metadata:
annotations:
{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }}
{{- end }}
{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off" )) }}
{{- if .Values.dblessConfig.config }}
checksum/dbless.config: {{ toYaml .Values.dblessConfig.config | sha256sum }}
{{- end }}
{{- end }}
{{- if .Values.podAnnotations }}
{{- range $key, $value := .Values.podAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
labels:
{{- include "kong.metaLabels" . | nindent 8 }}
app.kubernetes.io/component: app
app: {{ template "kong.fullname" . }}
version: {{ .Chart.AppVersion | quote }}
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | nindent 8 }}
{{- end }}
spec:
{{- if .Values.deployment.hostNetwork }}
hostNetwork: true
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: "{{ .Values.priorityClassName }}"
{{- end }}
{{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}
serviceAccountName: {{ template "kong.serviceAccountName" . }}
{{- end }}
{{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }}
automountServiceAccountToken: true
{{- else }}
automountServiceAccountToken: false
{{ end }}
{{- if .Values.image.pullSecrets }}
imagePullSecrets:
{{- range .Values.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
initContainers:
- name: clear-stale-pid
image: {{ include "kong.getRepoTag" .Values.image }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{ toYaml .Values.containerSecurityContext | nindent 10 }}
resources:
{{ toYaml .Values.resources | indent 10 }}
command:
- "rm"
- "-vrf"
- "$KONG_PREFIX/pids"
env:
{{- include "kong.env" . | nindent 8 }}
volumeMounts:
{{- include "kong.volumeMounts" . | nindent 8 }}
{{- if .Values.deployment.initContainers }}
{{- toYaml .Values.deployment.initContainers | nindent 6 }}
{{- end }}
{{- if (and (not (eq .Values.env.database "off")) .Values.waitImage.enabled) }}
{{- include "kong.wait-for-db" . | nindent 6 }}
{{- end }}
{{- if .Values.deployment.hostAliases }}
hostAliases:
{{- toYaml .Values.deployment.hostAliases | nindent 6 }}
{{- end}}
{{- if .Values.dnsPolicy }}
dnsPolicy: {{ .Values.dnsPolicy | quote }}
{{- end }}
{{- if .Values.dnsConfig }}
dnsConfig:
{{ toYaml .Values.dnsConfig | indent 8 }}
{{- end }}
containers:
- name: {{ .Values.appsec.name }}
readinessProbe:
exec:
command:
- sh
- -c
- '[ -f /etc/cp/HttpTransactionHandler/cp-nano-http-transaction-handler ] && exit 0 || exit 1'
initialDelaySeconds: 30
periodSeconds: 5
failureThreshold: 120
successThreshold: 1
securityContext:
{{ toYaml .Values.appsec.securityContext | nindent 12 }}
{{- with .Values.appsec.image }}
image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}"
{{- end }}
command:
- {{ .Values.appsec.command }}
imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
args:
{{- if (eq "standalone" .Values.appsec.mode) }}
- --hybrid-mode
- --token
- cp-3fb5c718-5e39-47e6-8d5e-99b4bc5660b74b4b7fc8-5312-451d-a763-aaf7872703c0
{{- else }}
- --token
- {{ .Values.appsec.agentToken }}
{{- end }}
{{- if .Values.appsec.customFog.enabled }}
- --fog
- {{ .Values.appsec.customFog.fogAddress }}
{{- end }}
{{- if .Values.appsec.proxy }}
- --proxy
- {{ .Values.appsec.proxy }}
{{- end }}
imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
env:
{{- if eq .Values.appsec.playground false }}
- name: SHARED_STORAGE_HOST
value: {{ .Values.appsec.storage.name }}-svc
- name: LEARNING_HOST
value: {{ .Values.appsec.learning.name }}-svc
{{- else }}
- name: PLAYGROUND
value: "true"
{{- end }}
{{- if .Values.appsec.email }}
{{- if eq .Values.appsec.email "STUB" }}
{{- fail "Please replace STUB with an email address" }}
{{- end }}
- name: user_email
value: {{ .Values.appsec.email }}
{{- end }}
- name: registered_server
value: "Kong Server"
resources:
{{ toYaml .Values.resources | nindent 12 }}
{{- if eq .Values.kind "AppSecStateful" }}
volumeMounts:
- name: advanced-model
mountPath: /advanced-model
- name: appsec-conf
mountPath: /etc/cp/conf
- name: appsec-data
mountPath: /etc/cp/data
{{- end }}
{{- if .Values.ingressController.enabled }}
{{- include "kong.controller-container" . | nindent 6 }}
{{ end }}
{{- if .Values.deployment.sidecarContainers }}
{{- toYaml .Values.deployment.sidecarContainers | nindent 6 }}
{{- end }}
{{- if .Values.deployment.kong.enabled }}
- name: "proxy"
{{- with .Values.appsec.kong.image }}
image: "{{ .repository }}:{{ .tag }}"
{{- end }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{ toYaml .Values.containerSecurityContext | nindent 10 }}
env:
{{- include "kong.no_daemon_env" . | nindent 8 }}
lifecycle:
{{- toYaml .Values.lifecycle | nindent 10 }}
ports:
{{- if (and .Values.admin.http.enabled .Values.admin.enabled) }}
- name: admin
containerPort: {{ .Values.admin.http.containerPort }}
{{- if .Values.admin.http.hostPort }}
hostPort: {{ .Values.admin.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.admin.tls.enabled .Values.admin.enabled) }}
- name: admin-tls
containerPort: {{ .Values.admin.tls.containerPort }}
{{- if .Values.admin.tls.hostPort }}
hostPort: {{ .Values.admin.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.proxy.http.enabled .Values.proxy.enabled) }}
- name: proxy
containerPort: {{ .Values.proxy.http.containerPort }}
{{- if .Values.proxy.http.hostPort }}
hostPort: {{ .Values.proxy.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.proxy.tls.enabled .Values.proxy.enabled)}}
- name: proxy-tls
containerPort: {{ .Values.proxy.tls.containerPort }}
{{- if .Values.proxy.tls.hostPort }}
hostPort: {{ .Values.proxy.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- range .Values.proxy.stream }}
- name: stream{{ if (eq (default "TCP" .protocol) "UDP") }}udp{{ end }}-{{ .containerPort }}
containerPort: {{ .containerPort }}
{{- if .hostPort }}
hostPort: {{ .hostPort }}
{{- end}}
protocol: {{ .protocol }}
{{- end }}
{{- range .Values.udpProxy.stream }}
- name: streamudp-{{ .containerPort }}
containerPort: {{ .containerPort }}
{{- if .hostPort }}
hostPort: {{ .hostPort }}
{{- end}}
protocol: {{ .protocol }}
{{- end }}
{{- if (and .Values.status.http.enabled .Values.status.enabled)}}
- name: status
containerPort: {{ .Values.status.http.containerPort }}
{{- if .Values.status.http.hostPort }}
hostPort: {{ .Values.status.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.status.tls.enabled .Values.status.enabled) }}
- name: status-tls
containerPort: {{ .Values.status.tls.containerPort }}
{{- if .Values.status.tls.hostPort }}
hostPort: {{ .Values.status.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.cluster.tls.enabled .Values.cluster.enabled) }}
- name: cluster-tls
containerPort: {{ .Values.cluster.tls.containerPort }}
{{- if .Values.cluster.tls.hostPort }}
hostPort: {{ .Values.cluster.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if .Values.enterprise.enabled }}
{{- if (and .Values.manager.http.enabled .Values.manager.enabled) }}
- name: manager
containerPort: {{ .Values.manager.http.containerPort }}
{{- if .Values.manager.http.hostPort }}
hostPort: {{ .Values.manager.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.manager.tls.enabled .Values.manager.enabled) }}
- name: manager-tls
containerPort: {{ .Values.manager.tls.containerPort }}
{{- if .Values.manager.tls.hostPort }}
hostPort: {{ .Values.manager.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.portal.http.enabled .Values.portal.enabled) }}
- name: portal
containerPort: {{ .Values.portal.http.containerPort }}
{{- if .Values.portal.http.hostPort }}
hostPort: {{ .Values.portal.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.portal.tls.enabled .Values.portal.enabled) }}
- name: portal-tls
containerPort: {{ .Values.portal.tls.containerPort }}
{{- if .Values.portal.tls.hostPort }}
hostPort: {{ .Values.portal.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.portalapi.http.enabled .Values.portalapi.enabled) }}
- name: portalapi
containerPort: {{ .Values.portalapi.http.containerPort }}
{{- if .Values.portalapi.http.hostPort }}
hostPort: {{ .Values.portalapi.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.portalapi.tls.enabled .Values.portalapi.enabled) }}
- name: portalapi-tls
containerPort: {{ .Values.portalapi.tls.containerPort }}
{{- if .Values.portalapi.tls.hostPort }}
hostPort: {{ .Values.portalapi.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.clustertelemetry.tls.enabled .Values.clustertelemetry.enabled) }}
- name: clustert-tls
containerPort: {{ .Values.clustertelemetry.tls.containerPort }}
{{- if .Values.clustertelemetry.tls.hostPort }}
hostPort: {{ .Values.clustertelemetry.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- end }}
volumeMounts:
{{- include "kong.volumeMounts" . | nindent 10 }}
{{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 10 }}
readinessProbe:
{{ toYaml .Values.readinessProbe | indent 10 }}
livenessProbe:
{{ toYaml .Values.livenessProbe | indent 10 }}
resources:
{{ toYaml .Values.resources | indent 10 }}
{{- end }} {{/* End of Kong container spec */}}
{{- if .Values.affinity }}
affinity:
{{ toYaml .Values.affinity | indent 8 }}
{{- end }}
{{- if .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{ toYaml .Values.topologySpreadConstraints | indent 8 }}
{{- end }}
securityContext:
{{- include "kong.podsecuritycontext" . | nindent 8 }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
volumes:
- name: advanced-model
configMap:
name: advanced-model-config
optional: true
{{- include "kong.volumes" . | nindent 8 -}}
{{- include "kong.userDefinedVolumes" . | nindent 8 -}}
{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
- name: {{ template "kong.serviceAccountTokenName" . }}
{{- /* Due to GKE versions (e.g. v1.23.15-gke.1900) we need to handle pre-release part of the version as well.
See the related documentation of semver module that Helm depends on for semverCompare:
https://github.com/Masterminds/semver#working-with-prerelease-versions
Related Helm issue: https://github.com/helm/helm/issues/3810 */}}
{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
{{- else }}
secret:
secretName: {{ template "kong.serviceAccountTokenName" . }}
items:
- key: token
path: token
- key: ca.crt
path: ca.crt
- key: namespace
path: namespace
{{- end -}}
{{- end }}
{{- if eq .Values.kind "AppSecStateful" }}
volumeClaimTemplates:
- metadata:
name: appsec-conf
spec:
accessModes: [ "ReadWriteOnce" ]
# Need to create a storage class resource.
{{- if .Values.appsec.persistence.storageClass }}
{{- if (eq "-" .Values.appsec.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.appsec.persistence.storageClass }}"
{{- end -}}
{{- end }}
resources:
requests:
storage: {{ .Values.appsec.persistence.conf.size | quote }}
- metadata:
name: appsec-data
spec:
accessModes: [ "ReadWriteOnce" ]
# Need to create a storage class resource.
{{- if .Values.appsec.persistence.storageClass }}
{{- if (eq "-" .Values.appsec.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.appsec.persistence.storageClass }}"
{{- end -}}
{{- end }}
resources:
requests:
storage: {{ .Values.appsec.persistence.data.size | quote }}
{{- end }}
{{- end }}
{{- if and (not (eq .Values.kind "Vanilla")) (or .Values.deployment.kong.enabled .Values.ingressController.enabled) }}
apiVersion: apps/v1
{{- if (eq .Values.kind "AppSec") }}
{{- if .Values.deployment.daemonset }}
kind: DaemonSet
{{- else }}
kind: Deployment
{{- end }}
{{- else if eq .Values.kind "AppSecStateful" }}
kind: StatefulSet
{{- end }}
metadata:
name: {{ template "kong.fullname" . }}
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
app.kubernetes.io/component: app
{{- if .Values.deploymentAnnotations }}
annotations:
{{- range $key, $value := .Values.deploymentAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
{{- if not .Values.autoscaling.enabled }}
{{- if eq .Values.kind "AppSecStateful" }}
serviceName: "cp-appsec-stateful-set"
{{- end }}
{{- if or (not .Values.deployment.daemonset) (and (eq .Values.kind "AppSecStateful") ( .Values.deployment.daemonset )) }}
replicas: {{ .Values.replicaCount }}
{{- end }}
{{- end }}
selector:
matchLabels:
{{- include "kong.selectorLabels" . | nindent 6 }}
{{- if .Values.updateStrategy }}
{{- if .Values.deployment.daemonset }}
updateStrategy:
{{- else }}
strategy:
{{- end }}
{{ toYaml .Values.updateStrategy | indent 4 }}
{{- end }}
{{- if .Values.deployment.minReadySeconds }}
minReadySeconds: {{ .Values.deployment.minReadySeconds }}
{{- end }}
template:
metadata:
annotations:
{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }}
{{- end }}
{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off" )) }}
{{- if .Values.dblessConfig.config }}
checksum/dbless.config: {{ toYaml .Values.dblessConfig.config | sha256sum }}
{{- end }}
{{- end }}
{{- if .Values.podAnnotations }}
{{- range $key, $value := .Values.podAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
labels:
{{- include "kong.metaLabels" . | nindent 8 }}
app.kubernetes.io/component: app
app: {{ template "kong.fullname" . }}
version: {{ .Chart.AppVersion | quote }}
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | nindent 8 }}
{{- end }}
spec:
{{- if .Values.deployment.hostNetwork }}
hostNetwork: true
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: "{{ .Values.priorityClassName }}"
{{- end }}
{{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}
serviceAccountName: {{ template "kong.serviceAccountName" . }}
{{- end }}
{{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }}
automountServiceAccountToken: true
{{- else }}
automountServiceAccountToken: false
{{ end }}
{{- if .Values.image.pullSecrets }}
imagePullSecrets:
{{- range .Values.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
initContainers:
- name: clear-stale-pid
image: {{ include "kong.getRepoTag" .Values.image }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{ toYaml .Values.containerSecurityContext | nindent 10 }}
resources:
{{ toYaml .Values.resources | indent 10 }}
command:
- "rm"
- "-vrf"
- "$KONG_PREFIX/pids"
env:
{{- include "kong.env" . | nindent 8 }}
volumeMounts:
{{- include "kong.volumeMounts" . | nindent 8 }}
{{- if .Values.deployment.initContainers }}
{{- toYaml .Values.deployment.initContainers | nindent 6 }}
{{- end }}
{{- if (and (not (eq .Values.env.database "off")) .Values.waitImage.enabled) }}
{{- include "kong.wait-for-db" . | nindent 6 }}
{{- end }}
{{- if .Values.deployment.hostAliases }}
hostAliases:
{{- toYaml .Values.deployment.hostAliases | nindent 6 }}
{{- end}}
{{- if .Values.dnsPolicy }}
dnsPolicy: {{ .Values.dnsPolicy | quote }}
{{- end }}
{{- if .Values.dnsConfig }}
dnsConfig:
{{ toYaml .Values.dnsConfig | indent 8 }}
{{- end }}
containers:
- name: {{ .Values.appsec.name }}
readinessProbe:
exec:
command:
- sh
- -c
- '[ -f /etc/cp/HttpTransactionHandler/cp-nano-http-transaction-handler ] && exit 0 || exit 1'
initialDelaySeconds: 30
periodSeconds: 5
failureThreshold: 120
successThreshold: 1
securityContext:
{{ toYaml .Values.appsec.securityContext | nindent 12 }}
{{- with .Values.appsec.image }}
image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}"
{{- end }}
command:
- {{ .Values.appsec.command }}
imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
args:
{{- if (eq "standalone" .Values.appsec.mode) }}
- --hybrid-mode
- --token
- cp-3fb5c718-5e39-47e6-8d5e-99b4bc5660b74b4b7fc8-5312-451d-a763-aaf7872703c0
{{- else }}
- --token
- {{ .Values.appsec.agentToken }}
{{- end }}
{{- if .Values.appsec.customFog.enabled }}
- --fog
- {{ .Values.appsec.customFog.fogAddress }}
{{- end }}
{{- if .Values.appsec.proxy }}
- --proxy
- {{ .Values.appsec.proxy }}
{{- end }}
imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
env:
{{- if eq .Values.appsec.playground false }}
- name: SHARED_STORAGE_HOST
value: {{ .Values.appsec.storage.name }}-svc
- name: LEARNING_HOST
value: {{ .Values.appsec.learning.name }}-svc
{{- else }}
- name: PLAYGROUND
value: "true"
{{- end }}
resources:
{{ toYaml .Values.resources | nindent 12 }}
{{- if eq .Values.kind "AppSecStateful" }}
volumeMounts:
- name: advanced-model
mountPath: /advanced-model
- name: appsec-conf
mountPath: /etc/cp/conf
- name: appsec-data
mountPath: /etc/cp/data
{{- end }}
{{- if .Values.ingressController.enabled }}
{{- include "kong.controller-container" . | nindent 6 }}
{{ end }}
{{- if .Values.deployment.sidecarContainers }}
{{- toYaml .Values.deployment.sidecarContainers | nindent 6 }}
{{- end }}
{{- if .Values.deployment.kong.enabled }}
- name: "proxy"
{{- with .Values.appsec.kong.image }}
image: "{{ .repository }}:{{ .tag }}"
{{- end }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{ toYaml .Values.containerSecurityContext | nindent 10 }}
env:
{{- include "kong.no_daemon_env" . | nindent 8 }}
lifecycle:
{{- toYaml .Values.lifecycle | nindent 10 }}
ports:
{{- if (and .Values.admin.http.enabled .Values.admin.enabled) }}
- name: admin
containerPort: {{ .Values.admin.http.containerPort }}
{{- if .Values.admin.http.hostPort }}
hostPort: {{ .Values.admin.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.admin.tls.enabled .Values.admin.enabled) }}
- name: admin-tls
containerPort: {{ .Values.admin.tls.containerPort }}
{{- if .Values.admin.tls.hostPort }}
hostPort: {{ .Values.admin.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.proxy.http.enabled .Values.proxy.enabled) }}
- name: proxy
containerPort: {{ .Values.proxy.http.containerPort }}
{{- if .Values.proxy.http.hostPort }}
hostPort: {{ .Values.proxy.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.proxy.tls.enabled .Values.proxy.enabled)}}
- name: proxy-tls
containerPort: {{ .Values.proxy.tls.containerPort }}
{{- if .Values.proxy.tls.hostPort }}
hostPort: {{ .Values.proxy.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- range .Values.proxy.stream }}
- name: stream{{ if (eq (default "TCP" .protocol) "UDP") }}udp{{ end }}-{{ .containerPort }}
containerPort: {{ .containerPort }}
{{- if .hostPort }}
hostPort: {{ .hostPort }}
{{- end}}
protocol: {{ .protocol }}
{{- end }}
{{- range .Values.udpProxy.stream }}
- name: streamudp-{{ .containerPort }}
containerPort: {{ .containerPort }}
{{- if .hostPort }}
hostPort: {{ .hostPort }}
{{- end}}
protocol: {{ .protocol }}
{{- end }}
{{- if (and .Values.status.http.enabled .Values.status.enabled)}}
- name: status
containerPort: {{ .Values.status.http.containerPort }}
{{- if .Values.status.http.hostPort }}
hostPort: {{ .Values.status.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.status.tls.enabled .Values.status.enabled) }}
- name: status-tls
containerPort: {{ .Values.status.tls.containerPort }}
{{- if .Values.status.tls.hostPort }}
hostPort: {{ .Values.status.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.cluster.tls.enabled .Values.cluster.enabled) }}
- name: cluster-tls
containerPort: {{ .Values.cluster.tls.containerPort }}
{{- if .Values.cluster.tls.hostPort }}
hostPort: {{ .Values.cluster.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if .Values.enterprise.enabled }}
{{- if (and .Values.manager.http.enabled .Values.manager.enabled) }}
- name: manager
containerPort: {{ .Values.manager.http.containerPort }}
{{- if .Values.manager.http.hostPort }}
hostPort: {{ .Values.manager.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.manager.tls.enabled .Values.manager.enabled) }}
- name: manager-tls
containerPort: {{ .Values.manager.tls.containerPort }}
{{- if .Values.manager.tls.hostPort }}
hostPort: {{ .Values.manager.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.portal.http.enabled .Values.portal.enabled) }}
- name: portal
containerPort: {{ .Values.portal.http.containerPort }}
{{- if .Values.portal.http.hostPort }}
hostPort: {{ .Values.portal.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.portal.tls.enabled .Values.portal.enabled) }}
- name: portal-tls
containerPort: {{ .Values.portal.tls.containerPort }}
{{- if .Values.portal.tls.hostPort }}
hostPort: {{ .Values.portal.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.portalapi.http.enabled .Values.portalapi.enabled) }}
- name: portalapi
containerPort: {{ .Values.portalapi.http.containerPort }}
{{- if .Values.portalapi.http.hostPort }}
hostPort: {{ .Values.portalapi.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.portalapi.tls.enabled .Values.portalapi.enabled) }}
- name: portalapi-tls
containerPort: {{ .Values.portalapi.tls.containerPort }}
{{- if .Values.portalapi.tls.hostPort }}
hostPort: {{ .Values.portalapi.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.clustertelemetry.tls.enabled .Values.clustertelemetry.enabled) }}
- name: clustert-tls
containerPort: {{ .Values.clustertelemetry.tls.containerPort }}
{{- if .Values.clustertelemetry.tls.hostPort }}
hostPort: {{ .Values.clustertelemetry.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- end }}
volumeMounts:
{{- include "kong.volumeMounts" . | nindent 10 }}
{{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 10 }}
readinessProbe:
{{ toYaml .Values.readinessProbe | indent 10 }}
livenessProbe:
{{ toYaml .Values.livenessProbe | indent 10 }}
resources:
{{ toYaml .Values.resources | indent 10 }}
{{- end }} {{/* End of Kong container spec */}}
{{- if .Values.affinity }}
affinity:
{{ toYaml .Values.affinity | indent 8 }}
{{- end }}
{{- if .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{ toYaml .Values.topologySpreadConstraints | indent 8 }}
{{- end }}
securityContext:
{{- include "kong.podsecuritycontext" . | nindent 8 }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
volumes:
- name: advanced-model
configMap:
name: advanced-model-config
optional: true
{{- include "kong.volumes" . | nindent 8 -}}
{{- include "kong.userDefinedVolumes" . | nindent 8 -}}
{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
- name: {{ template "kong.serviceAccountTokenName" . }}
{{- /* Due to GKE versions (e.g. v1.23.15-gke.1900) we need to handle pre-release part of the version as well.
See the related documentation of semver module that Helm depends on for semverCompare:
https://github.com/Masterminds/semver#working-with-prerelease-versions
Related Helm issue: https://github.com/helm/helm/issues/3810 */}}
{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
{{- else }}
secret:
secretName: {{ template "kong.serviceAccountTokenName" . }}
items:
- key: token
path: token
- key: ca.crt
path: ca.crt
- key: namespace
path: namespace
{{- end -}}
{{- end }}
{{- if eq .Values.kind "AppSecStateful" }}
volumeClaimTemplates:
- metadata:
name: appsec-conf
spec:
accessModes: [ "ReadWriteOnce" ]
# Need to create a storage class resource.
{{- if .Values.appsec.persistence.storageClass }}
{{- if (eq "-" .Values.appsec.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.appsec.persistence.storageClass }}"
{{- end -}}
{{- end }}
resources:
requests:
storage: {{ .Values.appsec.persistence.conf.size | quote }}
- metadata:
name: appsec-data
spec:
accessModes: [ "ReadWriteOnce" ]
# Need to create a storage class resource.
{{- if .Values.appsec.persistence.storageClass }}
{{- if (eq "-" .Values.appsec.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.appsec.persistence.storageClass }}"
{{- end -}}
{{- end }}
resources:
requests:
storage: {{ .Values.appsec.persistence.data.size | quote }}
{{- end }}
{{- end }}

26
build_system/charts/open-appsec-kong/templates/certificate.yaml
View File

@ -6,6 +6,8 @@
{{- $_ := set $genericCertificateConfig "metaLabels" (include "kong.metaLabels" .) -}}
{{- $_ := set $genericCertificateConfig "globalIssuer" .Values.certificates.issuer -}}
{{- $_ := set $genericCertificateConfig "globalClusterIssuer" .Values.certificates.clusterIssuer -}}
{{- $_ := set $genericCertificateConfig "globalSubject" .Values.certificates.subject -}}
{{- $_ := set $genericCertificateConfig "globalPrivateKey" .Values.certificates.privateKey -}}
{{- $_ := set $genericCertificateConfig "defaultIssuer" (printf "%s-%s-%s" .Release.Name .Chart.Name "selfsigned-issuer") -}}
{{- if .Values.certificates.admin.enabled }}
@ -28,10 +30,7 @@
{{- if .Values.certificates.cluster.enabled }}
{{- $certificateConfig := dict -}}
{{- $certificateConfig = mustMerge (mustDeepCopy $genericCertificateConfig) $certificateConfig -}}
{{- $_ := set $certificateConfig "dnsNames" (list) -}}
{{- $_ := set $certificateConfig "commonName" "kong_cluster" -}}
{{- $certificateConfig = (mustMerge $certificateConfig .Values.certificates.cluster) -}}
{{- $certificateConfig = mustMerge (mustDeepCopy $genericCertificateConfig) .Values.certificates.cluster -}}
{{- $_ := set $certificateConfig "serviceName" "cluster" -}}
{{- include "kong.certificate" $certificateConfig -}}
{{- end }}
@ -54,9 +53,22 @@ spec:
{{- range (append .dnsNames .commonName) }}
- {{ . | quote }}
{{- end }}
renewBefore: 360h
duration: 2160h
isCA: false
renewBefore: 360h0m0s
duration: 2160h0m0s
{{ if .subject -}}
subject:
{{- toYaml .subject | nindent 4 }}
{{ else if .globalSubject -}}
subject:
{{- toYaml .globalSubject | nindent 4 }}
{{- end }}
{{ if .privateKey -}}
privateKey:
{{- toYaml .privateKey | nindent 4 }}
{{ else if .globalPrivateKey -}}
privateKey:
{{- toYaml .globalPrivateKey | nindent 4 }}
{{- end }}
{{ if .clusterIssuer -}}
issuerRef:
name: {{ .clusterIssuer }}

3
build_system/charts/open-appsec-kong/templates/controller-rbac-resources.yaml
View File

@ -35,12 +35,14 @@ rules:
- configmaps
verbs:
- create
{{- if (semverCompare "< 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
{{- end }}
# Begin KIC 2.x leader permissions
- apiGroups:
- ""
@ -67,7 +69,6 @@ rules:
- ""
resources:
- services
- endpoints
verbs:
- get
---

6
build_system/charts/open-appsec-kong/templates/deployment.yaml
View File

@ -83,6 +83,7 @@ spec:
- name: {{ . }}
{{- end }}
{{- end }}
{{- if .Values.deployment.kong.enabled }}
initContainers:
- name: clear-stale-pid
image: {{ include "kong.getRepoTag" .Values.image }}
@ -105,6 +106,7 @@ spec:
{{- if (and (not (eq .Values.env.database "off")) .Values.waitImage.enabled) }}
{{- include "kong.wait-for-db" . | nindent 6 }}
{{- end }}
{{- end }}
{{- if .Values.deployment.hostAliases }}
hostAliases:
{{- toYaml .Values.deployment.hostAliases | nindent 6 }}
@ -271,6 +273,10 @@ spec:
{{ toYaml .Values.readinessProbe | indent 10 }}
livenessProbe:
{{ toYaml .Values.livenessProbe | indent 10 }}
{{- if .Values.startupProbe }}
startupProbe:
{{ toYaml .Values.startupProbe | indent 10 }}
{{- end }}
resources:
{{ toYaml .Values.resources | indent 10 }}
{{- end }} {{/* End of Kong container spec */}}

6
build_system/charts/open-appsec-kong/templates/hpa.yaml
View File

@ -17,10 +17,10 @@ spec:
behavior:
{{- toYaml .Values.autoscaling.behavior | nindent 4 }}
{{- end }}
{{- if not (.Capabilities.APIVersions.Has "autoscaling/v2beta2") }}
targetCPUUtilizationPercentage: {{ .Values.autoscaling.targetCPUUtilizationPercentage | default 80 }}
{{- else }}
{{- if contains "autoscaling/v2" (include "kong.autoscalingVersion" . ) }}
metrics:
{{- toYaml .Values.autoscaling.metrics | nindent 4 }}
{{- else }}
targetCPUUtilizationPercentage: {{ .Values.autoscaling.targetCPUUtilizationPercentage | default 80 }}
{{- end }}
{{- end }}

2
build_system/charts/open-appsec-kong/templates/migrations-post-upgrade.yaml
View File

@ -59,7 +59,7 @@ spec:
{{- toYaml .Values.migrations.sidecarContainers | nindent 6 }}
{{- end }}
- name: {{ template "kong.name" . }}-post-upgrade-migrations
{{- if eq .Values.kind "Vanilla" }}
{{- if eq .Values.kind "Vanilla" }}
image: {{ include "kong.getRepoTag" .Values.image }}
{{- else }}
image: {{ include "kong.getRepoTag" .Values.appsec.kong.image }}

2
build_system/charts/open-appsec-kong/templates/migrations-pre-upgrade.yaml
View File

@ -59,7 +59,7 @@ spec:
{{- toYaml .Values.migrations.sidecarContainers | nindent 6 }}
{{- end }}
- name: {{ template "kong.name" . }}-upgrade-migrations
{{- if eq .Values.kind "Vanilla" }}
{{- if eq .Values.kind "Vanilla" }}
image: {{ include "kong.getRepoTag" .Values.image }}
{{- else }}
image: {{ include "kong.getRepoTag" .Values.appsec.kong.image }}

96
build_system/charts/open-appsec-kong/templates/service-kong-admin.yaml
View File

@ -15,3 +15,99 @@
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "adminApiService.certSecretName" -}}
{{- default (printf "%s-admin-api-keypair" (include "kong.fullname" .)) .Values.ingressController.adminApi.tls.client.secretName -}}
{{- end -}}
{{- define "adminApiService.caSecretName" -}}
{{- default (printf "%s-admin-api-ca-keypair" (include "kong.fullname" .)) .Values.ingressController.adminApi.tls.client.caSecretName -}}
{{- end -}}
{{- $clientVerifyEnabled := .Values.ingressController.adminApi.tls.client.enabled -}}
{{- $clientCertProvided := .Values.ingressController.adminApi.tls.client.certProvided -}}
{{/* If the client verification is enabled but no secret was provided by the user, let's generate certificates. */ -}}
{{- if and $clientVerifyEnabled (not $clientCertProvided) }}
{{- $certCert := "" -}}
{{- $certKey := "" -}}
{{- $cn := printf "admin.%s.svc" ( include "kong.namespace" . ) -}}
{{- $ca := genCA "admin-api-ca" 3650 -}}
{{- $cert := genSignedCert $cn nil (list $cn) 3650 $ca -}}
{{- $certCert = $cert.Cert -}}
{{- $certKey = $cert.Key -}}
{{/* Verify whether a secret with a given name already exists. If it does, let's use its cert and key data. */}}
{{- $certSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (include "adminApiService.certSecretName" .)) -}}
{{- if $certSecret }}
{{- $certCert = (b64dec (get $certSecret.data "tls.crt")) -}}
{{- $certKey = (b64dec (get $certSecret.data "tls.key")) -}}
{{- end }}
{{- $caCert := $ca.Cert -}}
{{- $caKey := $ca.Key -}}
{{/* Verify whether a secret with a given name already exists. If it does, let's use its cert and key data. */ -}}
{{- $caSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (include "adminApiService.caSecretName" .))}}
{{- if $caSecret }}
{{- $caCert = (b64dec (get $caSecret.data "tls.crt")) -}}
{{- $caKey = (b64dec (get $caSecret.data "tls.key")) -}}
{{- end }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ template "adminApiService.certSecretName" . }}
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
type: kubernetes.io/tls
data:
tls.crt: {{ b64enc $certCert }}
tls.key: {{ b64enc $certKey }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ template "adminApiService.caSecretName" . }}
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
type: kubernetes.io/tls
data:
tls.crt: {{ b64enc $caCert }}
tls.key: {{ b64enc $caKey }}
{{- end }}
{{- /* Create a CA ConfigMap for Kong. */ -}}
{{- $secretProvided := $.Values.admin.tls.client.secretName -}}
{{- $bundleProvided := $.Values.admin.tls.client.caBundle -}}
{{- if or $secretProvided $bundleProvided -}}
{{- $cert := "" -}}
{{- if $secretProvided -}}
{{- $certSecret := (lookup "v1" "Secret" (include "kong.namespace" .) $.Values.admin.tls.client.secretName) -}}
{{- if $certSecret }}
{{- $cert = (b64dec (get $certSecret.data "tls.crt")) -}}
{{- else -}}
{{- fail (printf "%s/%s secret not found" (include "kong.namespace" .) $.Values.admin.tls.client.secretName) -}}
{{- end }}
{{- end }}
{{- if $bundleProvided -}}
{{- $cert = $.Values.admin.tls.client.caBundle -}}
{{- end }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "kong.fullname" . }}-admin-client-ca
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
data:
tls.crt: {{ $cert | quote }}
{{- end -}}

148
build_system/charts/open-appsec-kong/values.yaml
View File

@ -1,5 +1,3 @@
--- # -----------------------------------------------------------------------------
# Default values for Kong's Helm Chart.
# Declare variables to be passed into your templates.
#
@ -13,6 +11,8 @@
# -----------------------------------------------------------------------------
# Deployment parameters
# -----------------------------------------------------------------------------
deployment:
kong:
# Enable or disable Kong itself
@ -121,10 +121,10 @@ extraLabels: {}
# Specify Kong's Docker image and repository details here
image:
repository: kong
tag: "3.1"
tag: "3.2"
# Kong Enterprise
# repository: kong/kong-gateway
# tag: "3.1"
# tag: "3.2"
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
@ -141,6 +141,7 @@ admin:
# Enterprise users that wish to use Kong Manager with the controller should enable this
enabled: false
type: NodePort
loadBalancerClass:
# To specify annotations or labels for the admin service, add them to the respective
# "annotations" or "labels" dictionaries below.
annotations: {}
@ -170,7 +171,15 @@ admin:
# nodePort: 32443
# Additional listen parameters, e.g. "reuseport", "backlog=16384"
parameters:
- http2
- http2
# Specify the CA certificate to use for TLS verification of the Admin API client by:
# - secretName - the secret must contain a key named "tls.crt" with the PEM-encoded certificate.
# - caBundle (PEM-encoded certificate string).
# If both are set, caBundle takes precedence.
client:
caBundle: ""
secretName: ""
# Kong admin ingress settings. Useful if you want to expose the Admin
# API of Kong outside the k8s cluster.
@ -235,6 +244,7 @@ cluster:
parameters: []
type: ClusterIP
loadBalancerClass:
# Kong cluster ingress settings. Useful if you want to split CP and DP
# in different clusters.
@ -258,6 +268,9 @@ proxy:
# Enable creating a Kubernetes service for the proxy
enabled: true
type: LoadBalancer
loadBalancerClass:
# Override proxy Service name
nameOverride: ""
# To specify annotations or labels for the proxy service, add them to the respective
# "annotations" or "labels" dictionaries below.
annotations: {}
@ -291,18 +304,17 @@ proxy:
# nodePort: 32443
# Additional listen parameters, e.g. "reuseport", "backlog=16384"
parameters:
- http2
- http2
# Define stream (TCP) listen
# To enable, remove "[]", uncomment the section below, and select your desired
# ports and parameters. Listens are dynamically named after their servicePort,
# ports and parameters. Listens are dynamically named after their containerPort,
# e.g. "stream-9000" for the below.
# Note: although you can select the protocol here, you cannot set UDP if you
# use a LoadBalancer Service due to limitations in current Kubernetes versions.
# To proxy both TCP and UDP with LoadBalancers, you must enable the udpProxy Service
# in the next section and place all UDP stream listen configuration under it.
stream:
[]
stream: []
# # Set the container (internal) and service (external) ports for this listen.
# # These values should normally be the same. If your environment requires they
# # differ, note that Kong will match routes based on the containerPort only.
@ -345,6 +357,7 @@ udpProxy:
# Enable creating a Kubernetes service for UDP proxying
enabled: false
type: LoadBalancer
loadBalancerClass:
# To specify annotations or labels for the proxy service, add them to the respective
# "annotations" or "labels" dictionaries below.
annotations: {}
@ -357,8 +370,7 @@ udpProxy:
# To enable, remove "[]", uncomment the section below, and select your desired
# ports and parameters. Listens are dynamically named after their servicePort,
# e.g. "stream-9000" for the below.
stream:
[]
stream: []
# # Set the container (internal) and service (external) ports for this listen.
# # These values should normally be the same. If your environment requires they
# # differ, note that Kong will match routes based on the containerPort only.
@ -381,8 +393,7 @@ udpProxy:
# Subdirectories (which are optional) require separate ConfigMaps/Secrets.
# "path" indicates their directory under the main plugin directory: the example
# below will mount the contents of kong-plugin-rewriter-migrations at "/opt/kong/rewriter/migrations".
plugins:
{}
plugins: {}
# configMaps:
# - pluginName: rewriter
# name: kong-plugin-rewriter
@ -473,7 +484,7 @@ ingressController:
enabled: true
image:
repository: kong/kubernetes-ingress-controller
tag: "2.8"
tag: "2.9"
# Optionally set a semantic version for version-gated features. This can normally
# be left unset. You only need to set this if your tag is not a semver string,
# such as when you are using a "next" tag. Set this to the effective semantic
@ -482,6 +493,12 @@ ingressController:
effectiveSemver:
args: []
gatewayDiscovery:
enabled: false
adminApiService:
namespace: ""
name: ""
# Specify individual namespaces to watch for ingress configuration. By default,
# when no namespaces are set, the controller watches all namespaces and uses a
# ClusterRole to grant access to Kubernetes resources. When you list specific
@ -516,12 +533,16 @@ ingressController:
port: 8080
certificate:
provided: false
namespaceSelector: {}
# Specifiy the secretName when the certificate is provided via a TLS secret
# secretName: ""
# Specifiy the CA bundle of the provided certificate.
# This is a PEM encoded CA bundle which will be used to validate the webhook certificate. If unspecified, system trust roots on the apiserver are used.
# caBundle:
# | Add the CA bundle content here.
service:
# Specify custom labels for the validation webhook service.
labels: {}
ingressClass: kong
# annotations for IngressClass resource (Kubernetes 1.18+)
@ -568,6 +589,46 @@ ingressController:
# cpu: 50m
# memory: 128Mi
konnect:
enabled: false
# Specifies a Konnect Runtime Group's ID that the controller will push its data-plane config to.
runtimeGroupID: ""
# Specifies a Konnect API hostname that the controller will use to push its data-plane config to.
# By default, this is set to US region's production API hostname.
# If you are using a different region, you can set this to the appropriate hostname (e.g. "eu.kic.api.konghq.com").
apiHostname: "us.kic.api.konghq.com"
# Specifies a secret that contains a client TLS certificate that the controller
# will use to authenticate against Konnect APIs.
tlsClientCertSecretName: "konnect-client-tls"
license:
# Specifies whether the controller should fetch a license from Konnect and apply it to managed Gateways.
enabled: false
adminApi:
tls:
client:
# Enable TLS client authentication for the Admin API.
enabled: false
# If set to false, Helm will generate certificates for you.
# If set to true, you are expected to provide your own secret (see secretName, caSecretName).
certProvided: false
# Client TLS certificate/key pair secret name that Ingress Controller will use to authenticate with Kong Admin API.
# If certProvided is set to false, it is optional (can be specified though if you want to force Helm to use
# a specific secret name).
secretName: ""
# CA TLS certificate/key pair secret name that the client TLS certificate is signed by.
# If certProvided is set to false, it is optional (can be specified though if you want to force Helm to use
# a specific secret name).
caSecretName: ""
# -----------------------------------------------------------------------------
# Postgres sub-chart parameters
# -----------------------------------------------------------------------------
@ -667,8 +728,8 @@ certificates:
# Issuers used by the control and data plane releases must match for this certificate.
issuer: ""
clusterIssuer: ""
# commonName: "kong_cluster"
# dnsNames: []
commonName: "kong_clustering"
dnsNames: []
# -----------------------------------------------------------------------------
# Miscellaneous parameters
@ -689,8 +750,7 @@ waitImage:
pullPolicy: IfNotPresent
# update strategy
updateStrategy:
{}
updateStrategy: {}
# type: RollingUpdate
# rollingUpdate:
# maxSurge: "100%"
@ -698,8 +758,7 @@ updateStrategy:
# If you want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
resources:
{}
resources: {}
# limits:
# cpu: 1
# memory: 2G
@ -731,6 +790,18 @@ livenessProbe:
successThreshold: 1
failureThreshold: 3
# startupProbe for Kong pods
# startupProbe:
# httpGet:
# path: "/status"
# port: status
# scheme: HTTP
# initialDelaySeconds: 5
# timeoutSeconds: 5
# periodSeconds: 2
# successThreshold: 1
# failureThreshold: 40
# Proxy container lifecycle hooks
# Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
lifecycle:
@ -741,7 +812,7 @@ lifecycle:
command:
- kong
- quit
- "--wait=15"
- '--wait=15'
# Sets the termination grace period for pods spawned by the Kubernetes Deployment.
# Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution
@ -821,10 +892,10 @@ podSecurityPolicy:
supplementalGroups:
rule: RunAsAny
volumes:
- "configMap"
- "secret"
- "emptyDir"
- "projected"
- 'configMap'
- 'secret'
- 'emptyDir'
- 'projected'
allowPrivilegeEscalation: false
hostNetwork: false
hostIPC: false
@ -833,13 +904,15 @@ podSecurityPolicy:
# If you use Kong Enterprise <1.5, this must be set to false.
readOnlyRootFilesystem: true
priorityClassName: ""
# securityContext for Kong pods.
securityContext: {}
# securityContext for containers.
containerSecurityContext: {}
containerSecurityContext:
readOnlyRootFilesystem: true
## Optional DNS configuration for Kong pods
# dnsPolicy: ClusterFirst
@ -911,7 +984,7 @@ enterprise:
smtp_admin_emails: none@example.com
smtp_host: smtp.example.com
smtp_port: 587
smtp_auth_type: ""
smtp_auth_type: ''
smtp_ssl: nil
smtp_starttls: true
auth:
@ -919,13 +992,14 @@ enterprise:
# be left as-is. If smtp_username is set to anything other than an empty
# string, you must create a Secret with an smtp_password key containing
# your SMTP password and specify its name here.
smtp_username: "" # e.g. postmaster@example.com
smtp_username: '' # e.g. postmaster@example.com
smtp_password_secret: CHANGEME-smtp-password
manager:
# Enable creating a Kubernetes service for Kong Manager
enabled: true
type: NodePort
loadBalancerClass:
# To specify annotations or labels for the Manager service, add them to the respective
# "annotations" or "labels" dictionaries below.
annotations: {}
@ -951,7 +1025,7 @@ manager:
# nodePort: 32443
# Additional listen parameters, e.g. "reuseport", "backlog=16384"
parameters:
- http2
- http2
ingress:
# Enable/disable exposure using ingress.
@ -972,6 +1046,7 @@ portal:
# Enable creating a Kubernetes service for the Developer Portal
enabled: true
type: NodePort
loadBalancerClass:
# To specify annotations or labels for the Portal service, add them to the respective
# "annotations" or "labels" dictionaries below.
annotations: {}
@ -997,7 +1072,7 @@ portal:
# nodePort: 32443
# Additional listen parameters, e.g. "reuseport", "backlog=16384"
parameters:
- http2
- http2
ingress:
# Enable/disable exposure using ingress.
@ -1018,6 +1093,7 @@ portalapi:
# Enable creating a Kubernetes service for the Developer Portal API
enabled: true
type: NodePort
loadBalancerClass:
# To specify annotations or labels for the Portal API service, add them to the respective
# "annotations" or "labels" dictionaries below.
annotations: {}
@ -1043,7 +1119,7 @@ portalapi:
# nodePort: 32443
# Additional listen parameters, e.g. "reuseport", "backlog=16384"
parameters:
- http2
- http2
ingress:
# Enable/disable exposure using ingress.
@ -1075,6 +1151,7 @@ clustertelemetry:
parameters: []
type: ClusterIP
loadBalancerClass:
# Kong clustertelemetry ingress settings. Useful if you want to split
# CP and DP in different clusters.
@ -1116,9 +1193,10 @@ extraObjects: []
# plugin: prometheus
appsec:
mode: managed
mode: managed
name: open-appsec
image:
#registry:
repository: ghcr.io/openappsec
image: agent
tag: latest
@ -1134,12 +1212,8 @@ appsec:
# runAsUser: 1000
kong:
image:
repository: "ghcr.io/openappsec/kong-attachment"
repository: "ghcr.io/openappsec/kong-gateway-attachment"
tag: "latest"
# Kong Enterprise with open-appsec attachment
# repository: "ghcr.io/openappsec/kong-gateway-attachment"
# tag: "latest"
resources:
# limits:
# cpu: 100m