diff --git a/build_system/charts/open-appsec-kong/CHANGELOG.md b/build_system/charts/open-appsec-kong/CHANGELOG.md
index 670f0cb..099edd6 100644
--- a/build_system/charts/open-appsec-kong/CHANGELOG.md
+++ b/build_system/charts/open-appsec-kong/CHANGELOG.md
@@ -1,8 +1,158 @@ # Changelog +## Unreleased + +## 2.22.0 + +### Improvements + +* Removed redundant RBAC permissions for non-existing subresources `secrets/status` + and `endpoints/status`. + [#798](https://github.com/Kong/charts/pull/798) +* For Kong Ingress Controller in version >= 2.10, RBAC permissions for `Endpoints` + are not configured anymore (because it uses `EndpointSlices`). + [#798](https://github.com/Kong/charts/pull/798) +* Added support for setting `certificates.cluster.commonName`. This allows a custom + certificate `CommonName` to be provided when deploying Kong Gateway in hybrid + mode using Cert Manager [#804](https://github.com/Kong/charts/pull/804) + +## 2.21.0 + +### Improvements + +* Added support for `startupProbe` on Kong pods. This can be configured via + `.Values.startupProbe`. To maintain backward compatibility, it is disabled by default. + [#792](https://github.com/Kong/charts/pull/792) +* Customize Admission Webhook namespaceSelectors and compose them from values. + [#794](https://github.com/Kong/charts/pull/794) +* Added `CustomResourceDefinition` `list` and `watch` permissions to controller's ClusterRole. + [#796](https://github.com/Kong/charts/pull/796) + +## 2.20.2 + +### Fixed + +* Automatic license provisioning for Gateways managed by Ingress Controllers in Konnect mode + is disabled by default. + To enable it, set `.Values.ingressController.konnect.license.enabled=true`. + [#793](https://github.com/Kong/charts/pull/793) + +## 2.20.1 + +### Fixed + +* Fix correct timestamp format and remove `isCA` in certificates + [#791](https://github.com/Kong/charts/pull/791) + +## 2.20.0 + +### Improvements + +* Added support for automatic license provisioning for Gateways managed by + Ingress Controllers in Konnect mode (`.Values.ingressController.konnect.enabled=true`). 
+ [#787](https://github.com/Kong/charts/pull/787) + +## 2.19.1 + +### Fixed + +* Fix `webhook-cert` being mounted regardless if `.Values.ingressController.enabled` + is set. + [#779](https://github.com/Kong/charts/pull/779) + +## 2.19.0 + +### Improvements + +* Security context enforces read-only root filesystem by default. This is not + expected to affect most configurations, but [will affect custom plugins that + write to the container filesystem](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#2170). + [#770](https://github.com/Kong/charts/pull/770) + +## 2.18.0 + +### Improvements + +* Added support for the Admin API service TLS client verification. + [#780](https://github.com/Kong/charts/pull/780 + +## 2.17.1 + +### Fixed + +* The `-redhat` suffix on official KIC images is no longer considered part of + the semver string for version checks. + [#779](https://github.com/Kong/charts/pull/779) + +## 2.17.0 + +### Improvements + +* Added support for controller's gateway discovery. + With `ingressController.gatewayDiscovery.enabled` set to `true` Kong Ingress Controller + will enable gateway discovery using an Admin API service. + For more information on this please see [the corresponding README.md section][kic_gateway_discovery_readme]. + This feature is only available when deploying chart with Kong Ingress Controller in version 2.9 or higher. + [#747](https://github.com/Kong/charts/pull/747) +* Added experimental support for the ingress controller's Konnect sync feature via `ingressController.konnect.*` values. + This feature is only available when deploying chart with Kong Ingress Controller in version 2.9 or higher and + requires `ingressController.gatewayDiscovery.enabled` set to `true`. + [#746](https://github.com/Kong/charts/pull/746) +* Added support for annotations on the admission webhook ValidatingWebhookConfiguration. 
+ [#760](https://github.com/Kong/charts/pull/760) +* Added support for `subject` and `privateKey` properties on certificates. + [#762](https://github.com/Kong/charts/pull/762) +* Added support for loadBalancerClass in LoadBalancer type services. + [#767](https://github.com/Kong/charts/pull/767) +* Added support for `GRPCRoute`s. + [#772](https://github.com/Kong/charts/pull/772) +* Default Kong version is bumped to 3.2. + [#773](https://github.com/Kong/charts/pull/773) +* Added support for admissionhook to include labels. + [#768](https://github.com/Kong/charts/pull/768) + +### Under the hood + +* Add kube-linter to the CI pipeline to ensure produced manifests comply + with community best practices. + [#751](https://github.com/Kong/charts/pull/751) + +[kic_gateway_discovery_readme]: ./README.md#the-gatewaydiscovery-section + +## 2.16.5 + +### Fixed + +* Fix autoscaling version detection. + [#752](https://github.com/Kong/charts/pull/752) +* Don't include a clear-stale-pid initContainer when kong gateway is not + enabled in the deployment. + [#749](https://github.com/Kong/charts/pull/749) + +## 2.16.4 + +### Fixed + +* HorizontalPodAutoscaler's API version is detected properly. + [#744](https://github.com/Kong/charts/pull/744) + +## 2.16.3 + +### Fixed + +* Fix template issue preventing custom dblessconfig volume from being mounted. + [#741](https://github.com/Kong/charts/pull/741) + +## 2.16.2 + +### Fixed + +* The admission webhook is disabled when the ingress controller is disabled, as + the admission webhook requires a service provided by the ingress controller. + ## 2.16.1 -### Fixed +### Fixed * serviceAccount projected volume is properly provisioned for GKE clusters >= 1.20. [#735](https://github.com/Kong/charts/pull/735) diff --git a/build_system/charts/open-appsec-kong/Chart.yaml b/build_system/charts/open-appsec-kong/Chart.yaml index 43d5fa8..ed627d7 100644 --- a/build_system/charts/open-appsec-kong/Chart.yaml 
+++ b/build_system/charts/open-appsec-kong/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: "3.1" +appVersion: "3.2" dependencies: - condition: postgresql.enabled name: postgresql @@ -16,4 +16,4 @@ maintainers: name: open-appsec-kong sources: - https://github.com/Kong/charts/tree/main/charts/kong -version: 2.16.1 +version: 2.22.0 diff --git a/build_system/charts/open-appsec-kong/README.md b/build_system/charts/open-appsec-kong/README.md index 4322fb2..66570dc 100644 --- a/build_system/charts/open-appsec-kong/README.md +++ b/build_system/charts/open-appsec-kong/README.md @@ -52,6 +52,7 @@ $ helm install kong/kong --generate-name - [Configuration](#configuration) - [Kong parameters](#kong-parameters) - [Kong Service Parameters](#kong-service-parameters) + - [Admin Service mTLS](#admin-service-mtls) - [Stream listens](#stream-listens) - [Ingress Controller Parameters](#ingress-controller-parameters) - [The `env` section](#the-env-section) @@ -335,6 +336,9 @@ first and then upgrade the data plane release](https://docs.konghq.com/gateway/l #### Certificates +> This example shows how to use Kong Hybrid mode with `cluster_mtls: shared`. +> For an example of `cluster_mtls: pki` see the [hybrid-cert-manager example](https://github.com/Kong/charts/blob/main/charts/kong/example-values/hybrid-cert-manager/) + Hybrid mode uses TLS to secure the CP/DP node communication channel, and requires certificates for it. You can generate these either using `kong hybrid gen_cert` on a local Kong installation or using OpenSSL: @@ -431,7 +435,7 @@ admin: ```yaml env: role: data_plane - database: off + database: "off" cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key lua_ssl_trusted_certificate: /etc/secrets/kong-cluster-cert/tls.crt 
@@ -462,7 +466,7 @@ should, however, migrate to an issuer using a CA your clients trust for actual usage. The `proxy`, `admin`, `portal`, and `cluster` subsections under `certificates` -let you choose hostnames or override issuers on a per-certificate basis for the +let you choose hostnames, override issuers, set `subject` or set `privateKey` on a per-certificate basis for the proxy, admin API and Manager, Portal and Portal API, and hybrid mode mTLS services, respectively. @@ -668,6 +672,7 @@ or `ingress` sections, as it is used only for stream listens. | SVC.tls.parameters | Array of additional listen parameters | `["http2"]` | | SVC.type | k8s service type. Options: NodePort, ClusterIP, LoadBalancer | | | SVC.clusterIP | k8s service clusterIP | | +| SVC.loadBalancerClass | loadBalancerClass to use for LoadBalancer provisionning | | | SVC.loadBalancerSourceRanges | Limit service access to CIDRs if set and service type is `LoadBalancer` | `[]` | | SVC.loadBalancerIP | Reuse an existing ingress static IP for the service | | | SVC.externalIPs | IPs for which nodes in the cluster will also accept traffic for the servic | `[]` | 
@@ -682,6 +687,17 @@ or `ingress` sections, as it is used only for stream listens. | SVC.annotations | Service annotations | `{}` | | SVC.labels | Service labels | `{}` | +#### Admin Service mTLS + +On top of the common parameters listed above, the `admin` service supports parameters for mTLS client verification. +If any of `admin.tls.client.caBundle` or `admin.tls.client.secretName` are set, the admin service will be configured to +require mTLS client verification. If both are set, `admin.tls.client.caBundle` will take precedence. + +| Parameter | Description | Default | +|-----------------------------|---------------------------------------------------------------------------------------------|---------| +| admin.tls.client.caBundle | CA certificate to use for TLS verification of the Admin API client (PEM-encoded). | `""` | +| admin.tls.client.secretName | CA certificate secret name - must contain a `tls.crt` key with the PEM-encoded certificate. | `""` | + #### Stream listens The proxy configuration additionally supports creating stream listens. These 
@@ -701,30 +717,46 @@ are configured using an array of objects under `proxy.stream` and `udpProxy.stre All of the following properties are nested under the `ingressController` section of `values.yaml` file: -| Parameter | Description | Default | -|-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------| -| enabled | Deploy the ingress controller, rbac and crd | true | -| image.repository | Docker image with the ingress controller | kong/kubernetes-ingress-controller | -| image.tag | Version of the ingress controller | 2.0 | -| image.effectiveSemver | Version of the ingress controller used for version-specific features when image.tag is not a valid semantic version | | -| readinessProbe | Kong ingress controllers readiness probe | | -| livenessProbe | Kong ingress controllers liveness probe | | -| installCRDs | Legacy toggle for Helm 2-style CRD management. Should not be set [unless necessary due to cluster permissions](#removing-cluster-scoped-permissions). | false | -| env | Specify Kong Ingress Controller configuration via environment variables | | -| customEnv | Specify custom environment variables (without the CONTROLLER_ prefix) | | -| ingressClass | The name of this controller's ingressClass | kong | -| ingressClassAnnotations | The ingress-class value for controller | kong | -| args | List of ingress-controller cli arguments | [] | -| watchNamespaces | List of namespaces to watch. 
Watches all namespaces if empty | [] | -| admissionWebhook.enabled | Whether to enable the validating admission webhook | true | -| admissionWebhook.failurePolicy | How unrecognized errors from the admission endpoint are handled (Ignore or Fail) | Ignore | -| admissionWebhook.port | The port the ingress controller will listen on for admission webhooks | 8080 | -| admissionWebhook.certificate.provided | Use a provided certificate. When set to false, the chart will automatically generate a certificate. | false | -| admissionWebhook.certificate.secretName | Name of the TLS secret for the provided webhook certificate | | -| admissionWebhook.certificate.caBundle | PEM encoded CA bundle which will be used to validate the provided webhook certificate | | -| deployment.userDefinedVolumes | Create volumes. Please go to Kubernetes doc for the spec of the volumes | | -| deployment.userDefinedVolumeMounts | Create volumeMounts. Please go to Kubernetes doc for the spec of the volumeMounts | | -| terminationGracePeriodSeconds | Sets the [termination grace period](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution) for Deployment pod | 30 | +| Parameter | Description | Default | +|--------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------| +| enabled | Deploy the ingress controller, rbac and crd | true | +| image.repository | Docker image with the ingress controller | kong/kubernetes-ingress-controller | +| image.tag | Version of the ingress controller | 2.0 | +| image.effectiveSemver | Version of the ingress controller used for version-specific features when image.tag is not a valid semantic version | | +| readinessProbe | Kong ingress controllers readiness probe | | +| livenessProbe | Kong ingress controllers liveness probe | | +| installCRDs | Legacy toggle 
for Helm 2-style CRD management. Should not be set [unless necessary due to cluster permissions](#removing-cluster-scoped-permissions). | false | +| env | Specify Kong Ingress Controller configuration via environment variables | | +| customEnv | Specify custom environment variables (without the CONTROLLER_ prefix) | | +| ingressClass | The name of this controller's ingressClass | kong | +| ingressClassAnnotations | The ingress-class value for controller | kong | +| args | List of ingress-controller cli arguments | [] | +| watchNamespaces | List of namespaces to watch. Watches all namespaces if empty | [] | +| admissionWebhook.enabled | Whether to enable the validating admission webhook | true | +| admissionWebhook.failurePolicy | How unrecognized errors from the admission endpoint are handled (Ignore or Fail) | Ignore | +| admissionWebhook.port | The port the ingress controller will listen on for admission webhooks | 8080 | +| admissionWebhook.annotations | Annotations for the Validation Webhook Configuration | | +| admissionWebhook.certificate.provided | Use a provided certificate. When set to false, the chart will automatically generate a certificate. | false | +| admissionWebhook.certificate.secretName | Name of the TLS secret for the provided webhook certificate | | +| admissionWebhook.certificate.caBundle | PEM encoded CA bundle which will be used to validate the provided webhook certificate | | +| admissionWebhook.namespaceSelector | Add namespaceSelector to the webhook. Please go to [Kubernetes doc for the specs](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) | | +| userDefinedVolumes | Create volumes. Please go to Kubernetes doc for the spec of the volumes | | +| userDefinedVolumeMounts | Create volumeMounts. 
Please go to Kubernetes doc for the spec of the volumeMounts | | +| terminationGracePeriodSeconds | Sets the [termination grace period](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution) for Deployment pod | 30 | +| gatewayDiscovery.enabled | Enables Kong instance service discovery (for more details see [gatewayDiscovery section][gd_section]) | false | +| gatewayDiscovery.adminApiService.namespace | The namespace of the Kong admin API service (for more details see [gatewayDiscovery section][gd_section]) | `.Release.Namespace` | +| gatewayDiscovery.adminApiService.name | The name of the Kong admin API service (for more details see [gatewayDiscovery section][gd_section]) | "" | +| konnect.enabled | Enable synchronisation of data plane configuration with Konnect Runtime Group | false | +| konnect.runtimeGroupID | Konnect Runtime Group's unique identifier. | | +| konnect.apiHostname | Konnect API hostname. Defaults to a production US-region. | us.kic.api.konghq.com | +| konnect.tlsClientCertSecretName | Name of the secret that contains Konnect Runtime Group's client TLS certificate. | konnect-client-tls | +| konnect.license.enabled | Enable automatic license provisioning for Gateways managed by Ingress Controller in Konnect mode. | false | +| adminApi.tls.client.enabled | Enable TLS client verification for the Admin API. By default, Helm will generate certificates automatically. | false | +| adminApi.tls.client.certProvided | Use user-provided certificates. If set to false, Helm will generate certificates. | false | +| adminApi.tls.client.secretName | Client TLS certificate/key pair secret name. Can be also set when `certProvided` is false to enforce a generated secret's name. | "" | +| adminApi.tls.client.caSecretName | CA TLS certificate/key pair secret name. Can be also set when `certProvided` is false to enforce a generated secret's name. 
| "" | + +[gd_section]: #the-gatewayDiscovery-section #### The `env` section For a complete list of all configuration values you can set in the 
@@ -746,6 +778,46 @@ kong: TZ: "Europe/Berlin" ``` +#### The `gatewayDiscovery` section + +Kong Ingress Controller v2.9 has introduced gateway discovery which allows +the controller to discover Gateway instances that it should configure using +an Admin API Kubernetes service. + +You'll be able to configure this feature through configuration section under +`ingressController.gatewayDiscovery`: + +- If `ingressController.gatewayDiscovery.enabled` is set to `false`: the ingress controller + will control a pre-determined set of Gateway instances based on Admin API URLs + (provided under the hood via `CONTROLLER_KONG_ADMIN_URL` environment variable). + +- If `ingressController.gatewayDiscovery.enabled` is set to `true`: the ingress controller + will dynamically locate Gateway instances by watching the specified Kubernetes + service. + (provided under the hood via `CONTROLLER_KONG_ADMIN_SVC` environment variable). + + The following admin API Service flags have to be provided in order for gateway + discovery to work: + + - `ingressController.gatewayDiscovery.adminApiService.name` + - `ingressController.gatewayDiscovery.adminApiService.namespace` + +Using this feature requires a split release installation of Gateways and Ingress Controller. +For exemplar `values.yaml` files which use this feature please see: [examples README.md](./example-values/README.md). + +When using `gatewayDiscovery`, you should consider configuring the Admin service to use mTLS client verification to make +this interface secure. Without that, anyone who can access the Admin API from inside the cluster can configure the Gateway +instances. + +On the controller release side, that can be achieved by setting `ingressController.adminApi.tls.client.enabled` to `true`. +By default, Helm will generate a certificate Secret named `-admin-api-keypair` and +a CA Secret named `-admin-api-ca-keypair` for you. 
+ +To provide your own cert, set `ingressController.adminApi.tls.client.certProvided` to +`true`, `ingressController.adminApi.tls.client.secretName` to the name of the Secret containing your client cert, and `ingressController.adminApi.tls.client.caSecretName` to the name of the Secret containing your CA cert. + +On the Gateway release side, set either `admin.tls.client.secretName` to the name of your CA Secret or set `admin.tls.client.caBundle` to the CA certificate string. + ### General Parameters | Parameter | Description | Default | @@ -772,6 +844,7 @@ kong: | updateStrategy | update strategy for deployment | `{}` | | readinessProbe | Kong readiness probe | | | livenessProbe | Kong liveness probe | | +| startupProbe | Kong startup probe | | | lifecycle | Proxy container lifecycle hooks | see `values.yaml` | | terminationGracePeriodSeconds | Sets the [termination grace period](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution) for Deployment pods | 30 | | affinity | Node/pod affinities | | @@ -794,7 +867,7 @@ kong: | priorityClassName | Set pod scheduling priority class for Kong pods | `""` | | secretVolumes | Mount given secrets as a volume in Kong container to override default certs and keys. | `[]` | | securityContext | Set the securityContext for Kong Pods | `{}` | -| containerSecurityContext | Set the securityContext for Containers | `{}` | +| containerSecurityContext | Set the securityContext for Containers | `{"readOnlyRootFilesystem": true}` | | serviceMonitor.enabled | Create ServiceMonitor for Prometheus Operator | `false` | | serviceMonitor.interval | Scraping interval | `30s` | | serviceMonitor.namespace | Where to create ServiceMonitor | | diff --git a/build_system/charts/open-appsec-kong/UPGRADE.md b/build_system/charts/open-appsec-kong/UPGRADE.md index 004f1e6..adca053 100644 --- a/build_system/charts/open-appsec-kong/UPGRADE.md +++ b/build_system/charts/open-appsec-kong/UPGRADE.md 
@@ -17,6 +17,7 @@ upgrading from a previous version. ## Table of contents - [Upgrade considerations for all versions](#upgrade-considerations-for-all-versions) +- [2.17.0](#2170) - [2.13.0](#2130) - [2.8.0](#280) - [2.7.0](#270) @@ -82,6 +83,26 @@ https://raw.githubusercontent.com/Kong/charts/kong-/charts/kong/crds/cu For example, if your release is 2.6.4, you would apply `https://raw.githubusercontent.com/Kong/charts/kong-2.6.4/charts/kong/crds/custom-resource-definitions.yaml`. +## 2.19.0 + +2.19 sets a default [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) +that declares a read-only root filesystem for Kong containers. The base Kong and KIC +images are compatible with this setting. The chart mounts temporary writeable +emptyDir filesystems for locations that require writeable files (`/tmp` and +`/kong_prefix/`). + +This setting limit attack surface and should be compatible with most +installations. However, if you use custom plugins that write to disk, you must +either mount a writeable emptyDir for them or override the new defaults by +setting: + +``` +containerSecurityContext: + readOnlyRootFilesystem: false +``` + +in your values.yaml. + ## 2.13.0 2.13.0 includes updated CRDs. You must [apply these manually](#updates-to-crds) diff --git a/build_system/charts/open-appsec-kong/crds/crd-openappsec-practice.yaml b/build_system/charts/open-appsec-kong/crds/crd-openappsec-practice.yaml index 99143f7..1d1adbf 100644 --- a/build_system/charts/open-appsec-kong/crds/crd-openappsec-practice.yaml +++ b/build_system/charts/open-appsec-kong/crds/crd-openappsec-practice.yaml @@ -109,7 +109,7 @@ spec: configmap: type: array items: - type: string + type: string openapi-schema-validation: type: object properties: diff --git a/build_system/charts/open-appsec-kong/crds/crd-openappsec-sources-identifier.yaml b/build_system/charts/open-appsec-kong/crds/crd-openappsec-sources-identifier.yaml index bf15df6..a3eb0c4 100644 
--- a/build_system/charts/open-appsec-kong/crds/crd-openappsec-sources-identifier.yaml +++ b/build_system/charts/open-appsec-kong/crds/crd-openappsec-sources-identifier.yaml @@ -1,40 +1,40 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata : - name : sourcesidentifiers.openappsec.io - -spec: - group: openappsec.io - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: array - items: - type: object - properties: - sourceIdentifier: - type: string - enum: - - headerkey - - JWTKey - - cookie - - sourceip - - x-forwarded-for - value: - type: array - items: - type: string - - scope: Cluster - names: - plural: sourcesidentifiers - singular: sourcesidentifier - kind: SourcesIdentifier - shortNames: - - sourcesidentifier +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata : + name : sourcesidentifiers.openappsec.io + +spec: + group: openappsec.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: array + items: + type: object + properties: + sourceIdentifier: + type: string + enum: + - headerkey + - JWTKey + - cookie + - sourceip + - x-forwarded-for + value: + type: array + items: + type: string + + scope: Cluster + names: + plural: sourcesidentifiers + singular: sourcesidentifier + kind: SourcesIdentifier + shortNames: + - sourcesidentifier diff --git a/build_system/charts/open-appsec-kong/crds/crd-openappsec-trusted-sources.yaml b/build_system/charts/open-appsec-kong/crds/crd-openappsec-trusted-sources.yaml index 17bf760..7042f44 100644 --- a/build_system/charts/open-appsec-kong/crds/crd-openappsec-trusted-sources.yaml +++ b/build_system/charts/open-appsec-kong/crds/crd-openappsec-trusted-sources.yaml 
@@ -1,32 +1,32 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata : - name : trustedsources.openappsec.io - -spec: - group: openappsec.io - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - minNumOfSources: - type: integer - sourcesIdentifiers: - type: array - items: - type: string - - scope: Cluster - names: - plural: trustedsources - singular: trustedsource - kind: TrustedSource - shortNames: - - trustedsource +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata : + name : trustedsources.openappsec.io + +spec: + group: openappsec.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + minNumOfSources: + type: integer + sourcesIdentifiers: + type: array + items: + type: string + + scope: Cluster + names: + plural: trustedsources + singular: trustedsource + kind: TrustedSource + shortNames: + - trustedsource diff --git a/build_system/charts/open-appsec-kong/crds/custom-resource-definitions.yaml b/build_system/charts/open-appsec-kong/crds/custom-resource-definitions.yaml index 869c820..890ee0b 100644 --- a/build_system/charts/open-appsec-kong/crds/custom-resource-definitions.yaml +++ b/build_system/charts/open-appsec-kong/crds/custom-resource-definitions.yaml @@ -448,8 +448,8 @@ spec: type: object upstream: description: Upstream represents a virtual hostname and can be used to - loadbalance incoming requests over multiple targets (e.g. Kubernetes - `Services` can be a target, OR `Endpoints` can be targets). + load balance incoming requests over multiple targets (e.g. Kubernetes + Services can be a target, or URLs can be targets). properties: algorithm: description: Algorithm is the load balancing algorithm to use. 
diff --git a/build_system/charts/open-appsec-kong/example-values/README.md b/build_system/charts/open-appsec-kong/example-values/README.md index 685ba09..27971f8 100644 --- a/build_system/charts/open-appsec-kong/example-values/README.md +++ b/build_system/charts/open-appsec-kong/example-values/README.md @@ -52,5 +52,21 @@ common Kong deployment scenarios on Kubernetes. restarts them, so starting control planes second, but around the same time will usually work), but is the smoothest option. +* [minimal-kong-gd-controller.yaml](minimal-kong-gd-controller.yaml) and + [minimal-kong-gd-gateway.yaml](minimal-kong-gd-gateway.yaml) install a + single controller and cluster of gateway instances. The controller release + configuration must specify the names of the gateway proxy and admin + Services. The examples use `gw` as the gateway release name. If you wish to + use another name, set the controller configuration to match. For example, if + you use `hydrogen` as your gateway release name, set + `proxy.nameOverride=hydrogen-kong-proxy` and + `ingressController.adminApiService.name=hydrogen-kong-admin`. + +* [minimal-kong-gd-controller-konnect.yaml](minimal-kong-gd-controller-konnect.yaml) and + [minimal-kong-gd-gateway.yaml](minimal-kong-gd-gateway.yaml) install a single Ingress + Controller with Kong's Konnect sync feature enabled and a cluster of gateway instances. + In order to make it work, `ingressController.konnect.runtimeGroupID` has to be + supplied and a `konnect-client-tls` secret has to be created upfront. + All Enterprise examples require some level of additional user configuration to install properly. Read the comments at the top of each file for instructions. diff --git a/build_system/charts/open-appsec-kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml b/build_system/charts/open-appsec-kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml index 6496eb6..a7d8d55 100644 
--- a/build_system/charts/open-appsec-kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml +++ b/build_system/charts/open-appsec-kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml @@ -146,7 +146,7 @@ extraLabels: konghq.com/component: quickstart image: repository: kong/kong-gateway - tag: "3.1" + tag: "3.2" ingressController: enabled: true env: diff --git a/build_system/charts/open-appsec-kong/example-values/full-k4k8s-with-kong-enterprise.yaml b/build_system/charts/open-appsec-kong/example-values/full-k4k8s-with-kong-enterprise.yaml index b526f9b..f5f1d32 100644 --- a/build_system/charts/open-appsec-kong/example-values/full-k4k8s-with-kong-enterprise.yaml +++ b/build_system/charts/open-appsec-kong/example-values/full-k4k8s-with-kong-enterprise.yaml @@ -12,7 +12,7 @@ image: repository: kong/kong-gateway - tag: "3.1" + tag: "3.2" env: prefix: /kong_prefix/ diff --git a/build_system/charts/open-appsec-kong/example-values/hybrid-cert-manager/README.md b/build_system/charts/open-appsec-kong/example-values/hybrid-cert-manager/README.md new file mode 100644 index 0000000..7196e22 --- /dev/null +++ b/build_system/charts/open-appsec-kong/example-values/hybrid-cert-manager/README.md 
@@ -0,0 +1,83 @@ +This README explains how to install Kong in DB-backed mode with Postgres and Cert Manager + +# Install Postgres + +Use the bitnami chart to install Postgres. Read the output to understand how to connect to the database. + +```bash +helm install postgres oci://registry-1.docker.io/bitnamicharts/postgresql -n db --create-namespace +``` + +Once connected, create a postgres user and database: + +```sql +CREATE USER kong WITH PASSWORD 'super_secret'; CREATE DATABASE kong OWNER kong; +``` + +# Cert Manager + +Install Cert Manager in to your cluster: + +```bash +kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.crds.yaml +helm install \ + cert-manager jetstack/cert-manager \ + --namespace cert-manager \ + --create-namespace \ + --version v1.11.0 +``` + +Create a self signed CA + Issuer for future use: + +```yaml +echo " +apiVersion: v1 +kind: Namespace +metadata: + name: kong +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: selfsigned-issuer +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: my-selfsigned-ca + namespace: kong +spec: + isCA: true + commonName: my-selfsigned-ca + secretName: root-secret + privateKey: + algorithm: ECDSA + size: 256 + issuerRef: + name: selfsigned-issuer + kind: ClusterIssuer + group: cert-manager.io +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: my-ca-issuer + namespace: kong +spec: + ca: + secretName: root-secret +" | kubectl apply -f - +``` + +# Kong + +Deploy Kong using the `cp-values.yaml` and `dp-values.yaml` in this folder: + +```bash +helm install kong-cp kong/kong -n kong --values cp-values.yaml +helm install kong-dp kong/kong -n kong --values dp-values.yaml +``` + +You should now have Kong running in hybrid mode 
diff --git a/build_system/charts/open-appsec-kong/example-values/hybrid-cert-manager/cp-values.yaml b/build_system/charts/open-appsec-kong/example-values/hybrid-cert-manager/cp-values.yaml new file mode 100644
index 0000000..749c08e
--- /dev/null
+++ b/build_system/charts/open-appsec-kong/example-values/hybrid-cert-manager/cp-values.yaml
@@ -0,0 +1,25 @@
+env:
+ role: control_plane
+ database: postgres
+ pg_host: postgres-postgresql.db.svc.cluster.local
+ pg_user: kong
+ pg_password: super_secret
+
+cluster:
+ enabled: true
+ tls:
+ enabled: true
+
+certificates:
+ enabled: true
+ issuer: my-ca-issuer
+ cluster:
+ enabled: true
+ commonName: custom.example.com
+
+proxy:
+ enabled: false
+
+ingressController:
+ env:
+ publish_service: kong/kong-cp-kong-proxy
diff --git a/build_system/charts/open-appsec-kong/example-values/hybrid-cert-manager/dp-values.yaml b/build_system/charts/open-appsec-kong/example-values/hybrid-cert-manager/dp-values.yaml new file mode 100644
index 0000000..4e53377
--- /dev/null
+++ b/build_system/charts/open-appsec-kong/example-values/hybrid-cert-manager/dp-values.yaml
@@ -0,0 +1,22 @@
+env:
+ role: data_plane
+ database: "off"
+ cluster_control_plane: kong-cp-kong-cluster.kong.svc.cluster.local:8005
+
+cluster:
+ enabled: true
+ tls:
+ enabled: true
+
+certificates:
+ enabled: true
+ issuer: my-ca-issuer
+ cluster:
+ enabled: true
+ commonName: custom.example.com
+
+admin:
+ enabled: false
+
+ingressController:
+ enabled: false
diff --git a/build_system/charts/open-appsec-kong/example-values/minimal-k4k8s-with-kong-enterprise.yaml b/build_system/charts/open-appsec-kong/example-values/minimal-k4k8s-with-kong-enterprise.yaml
index 7548403..cec10c2 100644
--- a/build_system/charts/open-appsec-kong/example-values/minimal-k4k8s-with-kong-enterprise.yaml
+++ b/build_system/charts/open-appsec-kong/example-values/minimal-k4k8s-with-kong-enterprise.yaml
@@ -9,7 +9,7 @@ image: repository: kong/kong-gateway - tag: "3.1" + tag: "3.2" admin: enabled: true
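Review bot: `pg_password: super_secret` places the database credential in cleartext in a values file that the hybrid-cert-manager README in this same diff tells users to pass straight to `helm install`, from where it lands in the release Secret and in `helm get values` output. The chart already has a `secretkeyref` helper (used later in this diff for the Konnect client certificate), so the example should reference a pre-created Secret with a `valueFrom.secretKeyRef` block under `env.pg_password`, or at minimum carry `# Example only: keep the real password in a Secret and reference it instead of inlining it` — whether `env.*` accepts `valueFrom` in this chart is not visible in the chunk, so that form is inferred. Separately, `ingressController.env.publish_service: kong/kong-cp-kong-proxy` names the proxy Service of a release that sets `proxy.enabled: false`; if the chart skips rendering that Service, the controller cannot publish addresses and the value likely needs to point at the data-plane release's proxy Service instead.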
diff --git a/build_system/charts/open-appsec-kong/example-values/minimal-kong-controller.yaml b/build_system/charts/open-appsec-kong/example-values/minimal-kong-controller.yaml index a742ffc..59f88e3 100644 --- a/build_system/charts/open-appsec-kong/example-values/minimal-kong-controller.yaml +++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-controller.yaml @@ -2,7 +2,7 @@ image: repository: kong - tag: "3.1" + tag: "3.2" env: prefix: /kong_prefix/ diff --git a/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-dbless.yaml b/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-dbless.yaml index 3a3b60e..aaeca12 100644 --- a/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-dbless.yaml +++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-dbless.yaml @@ -4,7 +4,7 @@ image: repository: kong/kong-gateway - tag: "3.1" + tag: "3.2" enterprise: enabled: true diff --git a/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-control.yaml b/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-control.yaml index 8074015..8c7df15 100644 --- a/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-control.yaml +++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-control.yaml @@ -14,7 +14,7 @@ image: repository: kong/kong-gateway - tag: "3.1" + tag: "3.2" env: database: postgres diff --git a/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-data.yaml b/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-data.yaml index a7ddaa9..772ed21 100644 --- a/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-data.yaml +++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-data.yaml 
@@ -12,7 +12,7 @@ image: repository: kong/kong-gateway - tag: "3.1" + tag: "3.2" env: role: data_plane
diff --git a/build_system/charts/open-appsec-kong/example-values/minimal-kong-gd-controller-konnect.yaml b/build_system/charts/open-appsec-kong/example-values/minimal-kong-gd-controller-konnect.yaml new file mode 100644
index 0000000..68c0731
--- /dev/null
+++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-gd-controller-konnect.yaml
@@ -0,0 +1,24 @@
+deployment:
+ kong:
+ enabled: false
+
+proxy:
+ ## This must match the gateway release's proxy Service name.
+ ## The Service name uses the pattern "-kong-proxy".
+ ## In this example, the companion gateway release is named "gw"
+ nameOverride: gw-kong-proxy
+
+ingressController:
+ enabled: true
+
+ gatewayDiscovery:
+ enabled: true
+ adminApiService:
+ ## This must match the gateway release's admin Service name.
+ ## The Service name uses the pattern "-kong-admin".
+ ## In this example, the companion gateway release is named "gw"
+ name: gw-kong-admin
+
+ konnect:
+ enabled: true
+ runtimeGroupID: "00000000-0000-0000-0000-000000000000" # CHANGEME
diff --git a/build_system/charts/open-appsec-kong/example-values/minimal-kong-gd-controller.yaml b/build_system/charts/open-appsec-kong/example-values/minimal-kong-gd-controller.yaml new file mode 100644
index 0000000..44f1174
--- /dev/null
+++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-gd-controller.yaml
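Review bot: This Konnect controller example is paired in the README hunk of this diff with `minimal-kong-gd-gateway.yaml`, but that gateway file sets `admin.tls.client.secretName`, which the `_helpers.tpl` change later in this diff turns into `KONG_NGINX_ADMIN_SSL_VERIFY_CLIENT=on`; this file configures no `ingressController.adminApi.tls.client`, so the controller would present no client certificate and the gateway Admin API would refuse it. Either mirror the `adminApi.tls.client` and `env.kong_admin_svc_port_names` settings from `minimal-kong-gd-controller.yaml` (below) or point the README at a gateway variant without the client-CA setting. The README also says a `konnect-client-tls` Secret must exist beforehand, yet nothing here mentions it; a comment next to `konnect.enabled` naming the prerequisite Secret and the `tlsClientCertSecretName` key the helper reads it from would prevent a failed first install.

```yaml
ingressController:
  # … unchanged: enabled, gatewayDiscovery, konnect …
  adminApi:
    tls:
      client:
        # Required when the companion gateway release sets admin.tls.client.secretName.
        enabled: true
        caSecretName: "admin-api-ca-cert"
  env:
    # Must match the gateway release's admin Service HTTPS port name.
    kong_admin_svc_port_names: "kong-admin-tls"
```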
@@ -0,0 +1,33 @@
+deployment:
+ kong:
+ enabled: false
+
+proxy:
+ ## This must match the gateway release's proxy Service name.
+ ## The Service name uses the pattern "-kong-proxy".
+ ## In this example, the companion gateway release is named "gw"
+ nameOverride: gw-kong-proxy
+
+ingressController:
+ enabled: true
+
+ gatewayDiscovery:
+ enabled: true
+ adminApiService:
+ ## This must match the gateway release's admin Service name.
+ ## The Service name uses the pattern "-kong-admin".
+ ## In this example, the companion gateway release is named "gw"
+ name: gw-kong-admin
+
+ adminApi:
+ tls:
+ client:
+ # Enable TLS client authentication for the Admin API.
+ enabled: true
+ # We're specifying the name of the secret to have a static name that we
+ # will use in the gateway release.
+ caSecretName: "admin-api-ca-cert"
+
+ env:
+ # This must match the gateway release's proxy Service HTTPs port name.
+ kong_admin_svc_port_names: "kong-admin-tls"
diff --git a/build_system/charts/open-appsec-kong/example-values/minimal-kong-gd-gateway.yaml b/build_system/charts/open-appsec-kong/example-values/minimal-kong-gd-gateway.yaml new file mode 100644
index 0000000..f45303d
--- /dev/null
+++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-gd-gateway.yaml
@@ -0,0 +1,17 @@
+admin:
+ enabled: true
+ type: ClusterIP
+ clusterIP: None
+ tls:
+ client:
+ secretName: "admin-api-ca-cert"
+
+ingressController:
+ enabled: false
+
+replicaCount: 3
+## This example creates a static 3-Pod Kong gateway Deployment.
+## To use autoscaling instead, comment the above replicaCount and uncomment
+## the autoscaling section below.
+# autoscaling:
+# enabled: true
diff --git a/build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-control.yaml b/build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-control.yaml
index 7c122cc..374c24b 100644
--- a/build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-control.yaml
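Review bot: The comment above `kong_admin_svc_port_names` says `proxy Service HTTPs port name`, but the key is paired with `gatewayDiscovery.adminApiService.name` and the `kong-admin-tls` value, so it describes the admin Service, not the proxy; change it to `# This must match the gateway release's admin Service HTTPS port name.`. The two `## The Service name uses the pattern "-kong-proxy"` / `"-kong-admin"` comments (here and in `minimal-kong-gd-controller-konnect.yaml`) appear to have lost the release-name placeholder, at least as rendered in this diff, and read as if the Service name were a bare suffix. A short line next to `caSecretName` saying that `admin-api-ca-cert` must be the same Secret the gateway release names in `admin.tls.client.secretName` would make the cross-release coupling explicit.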
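Review bot: `admin.tls.client.secretName: "admin-api-ca-cert"` refers to a Secret the chart does not create, and the `_helpers.tpl` hunks in this diff turn it into `KONG_NGINX_ADMIN_SSL_VERIFY_CLIENT=on` with the CA read from `/etc/admin-client-ca/tls.crt` via a `<fullname>-admin-client-ca` ConfigMap, so the Secret must exist before install and the template that copies it into the ConfigMap (not in this chunk) decides the required key. A comment such as `# Pre-created Secret holding the CA that issued the controller's Admin API client certificate; install fails open-ended without it` above `secretName` would make the prerequisite visible in the example itself.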
+++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-control.yaml @@ -6,7 +6,7 @@ image: repository: kong - tag: "3.1" + tag: "3.2" env: prefix: /kong_prefix/ diff --git a/build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-data.yaml b/build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-data.yaml index 0a6566e..4c81af7 100644 --- a/build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-data.yaml +++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-data.yaml @@ -11,7 +11,7 @@ image: repository: kong - tag: "3.1" + tag: "3.2" env: prefix: /kong_prefix/ diff --git a/build_system/charts/open-appsec-kong/example-values/minimal-kong-standalone.yaml b/build_system/charts/open-appsec-kong/example-values/minimal-kong-standalone.yaml index dfa2a2b..2dfbfc3 100644 --- a/build_system/charts/open-appsec-kong/example-values/minimal-kong-standalone.yaml +++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-standalone.yaml @@ -6,7 +6,7 @@ image: repository: kong - tag: "3.1" + tag: "3.2" env: prefix: /kong_prefix/ diff --git a/build_system/charts/open-appsec-kong/templates/_helpers.tpl b/build_system/charts/open-appsec-kong/templates/_helpers.tpl index 9440e16..1604c5f 100644 --- a/build_system/charts/open-appsec-kong/templates/_helpers.tpl +++ b/build_system/charts/open-appsec-kong/templates/_helpers.tpl @@ -153,6 +153,9 @@ spec: - {{ $cidr }} {{- end }} {{- end }} + {{- if .loadBalancerClass }} + loadBalancerClass: {{ .loadBalancerClass }} + {{- end }} {{- end }} {{- if .externalIPs }} externalIPs: 
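Review bot: `loadBalancerClass: {{ .loadBalancerClass }}` renders the user-supplied value unquoted, whereas other scalar user values in these templates go through `| quote` (the annotation loops in this diff, for instance); `loadBalancerClass: {{ .loadBalancerClass | quote }}` keeps a value that happens to look like a number or boolean from being re-typed by the YAML parser. The enclosing service template starts outside the hunk.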
@@ -316,6 +319,32 @@ Create a single listen (IP+port+parameter combo) {{- $listen | join " " -}} {{- end -}} +{{/* +Return the admin API service name for service discovery +*/}} +{{- define "kong.adminSvc" -}} +{{- $gatewayDiscovery := .Values.ingressController.gatewayDiscovery -}} +{{- if $gatewayDiscovery.enabled -}} + {{- $adminApiService := $gatewayDiscovery.adminApiService -}} + {{- $_ := required ".ingressController.gatewayDiscovery.adminApiService has to be provided when .Values.ingressController.gatewayDiscovery.enabled is set to true" $adminApiService -}} + + {{- if (semverCompare "< 2.9.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} + {{- fail (printf "Gateway discovery is available in controller versions 2.9 and up. Detected %s" (include "kong.effectiveVersion" .Values.ingressController.image)) }} + {{- end }} + + {{- if .Values.deployment.kong.enabled }} + {{- fail "deployment.kong.enabled and ingressController.gatewayDiscovery.enabled are mutually exclusive and cannot be enabled at once. Gateway discovery requires a split release installation of Gateways and Ingress Controller." }} + {{- end }} + + {{- $namespace := $adminApiService.namespace | default ( include "kong.namespace" . ) -}} + {{- $name := $adminApiService.name -}} + {{- $_ := required ".ingressController.gatewayDiscovery.adminApiService.name has to be provided when .Values.ingressController.gatewayDiscovery.enabled is set to true" $name -}} + {{- printf "%s/%s" $namespace $name -}} +{{- else -}} + {{- fail "Can't use gateway discovery when .Values.ingressController.gatewayDiscovery.enabled is set to false." -}} +{{- end -}} +{{- end -}} + {{/* Return the local admin API URL, preferring HTTPS if available */}} 
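Review bot: The two `required` messages in `kong.adminSvc` name the key inconsistently — `.ingressController.gatewayDiscovery.adminApiService has to be provided when .Values.ingressController.gatewayDiscovery.enabled ...` mixes the bare path and the `.Values` path in one sentence, and the second message repeats the pattern; use `.Values.ingressController.gatewayDiscovery.adminApiService` (and `...adminApiService.name`) in both so operators can grep exactly the path they are told to set. The `else` branch can only be hit if a caller invokes the template with discovery disabled, and the single caller added later in this diff already guards on `gatewayDiscovery.enabled`, so extending the header comment to `Return the admin API service name for service discovery; callers must only invoke this when .Values.ingressController.gatewayDiscovery.enabled is true` documents that contract.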
@@ -370,16 +399,61 @@ The name of the service used for the ingress controller's validation webhook */}} {{- $autoEnv := dict -}} -{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY" true -}} -{{- $_ := set $autoEnv "CONTROLLER_PUBLISH_SERVICE" (printf "%s/%s-proxy" ( include "kong.namespace" . ) (include "kong.fullname" .)) -}} -{{- $_ := set $autoEnv "CONTROLLER_INGRESS_CLASS" .Values.ingressController.ingressClass -}} -{{- $_ := set $autoEnv "CONTROLLER_ELECTION_ID" (printf "kong-ingress-controller-leader-%s" .Values.ingressController.ingressClass) -}} -{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_URL" (include "kong.adminLocalURL" .) -}} -{{- if .Values.ingressController.admissionWebhook.enabled }} - {{- $_ := set $autoEnv "CONTROLLER_ADMISSION_WEBHOOK_LISTEN" (printf "0.0.0.0:%d" (int64 .Values.ingressController.admissionWebhook.port)) -}} -{{- end }} -{{- if (not (eq (len .Values.ingressController.watchNamespaces) 0)) }} - {{- $_ := set $autoEnv "CONTROLLER_WATCH_NAMESPACE" (.Values.ingressController.watchNamespaces | join ",") -}} + {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY" true -}} + {{- $_ := set $autoEnv "CONTROLLER_PUBLISH_SERVICE" (printf "%s/%s" ( include "kong.namespace" . ) ( .Values.proxy.nameOverride | default ( printf "%s-proxy" (include "kong.fullname" . 
)))) -}} + {{- $_ := set $autoEnv "CONTROLLER_INGRESS_CLASS" .Values.ingressController.ingressClass -}} + {{- $_ := set $autoEnv "CONTROLLER_ELECTION_ID" (printf "kong-ingress-controller-leader-%s" .Values.ingressController.ingressClass) -}} + + {{- if .Values.ingressController.admissionWebhook.enabled }} + {{- $_ := set $autoEnv "CONTROLLER_ADMISSION_WEBHOOK_LISTEN" (printf "0.0.0.0:%d" (int64 .Values.ingressController.admissionWebhook.port)) -}} + {{- end }} + {{- if (not (eq (len .Values.ingressController.watchNamespaces) 0)) }} + {{- $_ := set $autoEnv "CONTROLLER_WATCH_NAMESPACE" (.Values.ingressController.watchNamespaces | join ",") -}} + {{- end }} + +{{/* + ====== ADMIN API CONFIGURATION ====== +*/}} + + {{- if .Values.ingressController.gatewayDiscovery.enabled -}} + {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_SVC" (include "kong.adminSvc" . ) -}} + {{- else -}} + {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_URL" (include "kong.adminLocalURL" .) -}} + {{- end -}} + + {{- if .Values.ingressController.adminApi.tls.client.enabled }} + {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_CLIENT_CERT_FILE" "/etc/secrets/admin-api-cert/tls.crt" -}} + {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_CLIENT_KEY_FILE" "/etc/secrets/admin-api-cert/tls.key" -}} + {{- end }} + +{{/* + ====== KONNECT ENVIRONMENT VARIABLES ====== +*/}} + +{{- if .Values.ingressController.konnect.enabled }} + {{- if (semverCompare "< 2.9.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} + {{- fail (printf "Konnect sync is available in controller versions 2.9 and up. 
Detected %s" (include "kong.effectiveVersion" .Values.ingressController.image)) }} + {{- end }} + + {{- if not .Values.ingressController.gatewayDiscovery.enabled }} + {{- fail "ingressController.gatewayDiscovery.enabled has to be true when ingressController.konnect.enabled"}} + {{- end }} + + {{- $konnect := .Values.ingressController.konnect -}} + {{- $_ := required "ingressController.konnect.runtimeGroupID is required when ingressController.konnect.enabled" $konnect.runtimeGroupID -}} + + {{- $_ = set $autoEnv "CONTROLLER_KONNECT_SYNC_ENABLED" true -}} + {{- $_ = set $autoEnv "CONTROLLER_KONNECT_RUNTIME_GROUP_ID" $konnect.runtimeGroupID -}} + {{- $_ = set $autoEnv "CONTROLLER_KONNECT_ADDRESS" (printf "https://%s" .Values.ingressController.konnect.apiHostname) -}} + + {{- $tlsCert := include "secretkeyref" (dict "name" $konnect.tlsClientCertSecretName "key" "tls.crt") -}} + {{- $tlsKey := include "secretkeyref" (dict "name" $konnect.tlsClientCertSecretName "key" "tls.key") -}} + {{- $_ = set $autoEnv "CONTROLLER_KONNECT_TLS_CLIENT_CERT" $tlsCert -}} + {{- $_ = set $autoEnv "CONTROLLER_KONNECT_TLS_CLIENT_KEY" $tlsKey -}} + + {{- if $konnect.license.enabled }} + {{- $_ = set $autoEnv "CONTROLLER_KONNECT_LICENSING_ENABLED" true -}} + {{- end }} {{- end }} {{/* @@ -420,10 +494,10 @@ The name of the service used for the ingress controller's validation webhook {{- define "kong.volumes" -}} - name: {{ template "kong.fullname" . }}-prefix-dir - emptyDir: + emptyDir: sizeLimit: {{ .Values.deployment.prefixDir.sizeLimit }} - name: {{ template "kong.fullname" . }}-tmp - emptyDir: + emptyDir: sizeLimit: {{ .Values.deployment.tmpDir.sizeLimit }} {{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}} {{- if .Values.certificates.cluster.enabled }} 
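Review bot: `CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY` is still hard-set to `true` at the top of this hunk, so the new `adminApi.tls.client.enabled` branch gives the controller a client certificate while the controller never validates the gateway Admin API's server certificate — authentication is one-way, and a spoofed admin endpoint reachable in the cluster would be accepted. The hard-coded value predates this commit (the removed line carries it too), but the client-cert branch is where a value-driven flag, or at least a comment such as `{{/* NOTE: server-certificate verification is skipped; override CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY via ingressController.env when the Admin API serves a CA-signed certificate */}}`, now belongs. Whether user `ingressController.env` entries override `$autoEnv` is not visible in this chunk, so that override path is inferred. The enclosing define starts before the hunk.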
@@ -478,8 +552,9 @@ The name of the service used for the ingress controller's validation webhook {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }} {{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}} - {{- if gt $dblessSourceCount 1 -}} - {{- fail "Ambiguous configuration: only one of of .Values.dblessConfig.configMap, .Values.dblessConfig.secret, and .Values.dblessConfig.config can be set." -}} + {{- if gt $dblessSourceCount 1 -}} + {{- fail "Ambiguous configuration: only one of of .Values.dblessConfig.configMap, .Values.dblessConfig.secret, and .Values.dblessConfig.config can be set." -}} + {{- else if eq $dblessSourceCount 1 }} - name: kong-custom-dbless-config-volume {{- if .Values.dblessConfig.configMap }} configMap: @@ -494,7 +569,7 @@ The name of the service used for the ingress controller's validation webhook {{- end }} {{- end }} -{{- if .Values.ingressController.admissionWebhook.enabled }} +{{- if and .Values.ingressController.enabled .Values.ingressController.admissionWebhook.enabled }} - name: webhook-cert secret: {{- if .Values.ingressController.admissionWebhook.certificate.provided }} @@ -503,6 +578,11 @@ The name of the service used for the ingress controller's validation webhook secretName: {{ template "kong.fullname" . }}-validation-webhook-keypair {{- end }} {{- end }} +{{- if or $.Values.admin.tls.client.secretName $.Values.admin.tls.client.caBundle }} +- name: admin-client-ca + configMap: + name: {{ template "kong.fullname" . }}-admin-client-ca +{{- end -}} {{- range $secretVolume := .Values.secretVolumes }} - name: {{ . }} secret: 
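Review bot: The `admin-client-ca` volume added in the -503 hunk references a ConfigMap named `{{ template "kong.fullname" . }}-admin-client-ca` that no template in this chunk defines; whichever template renders it from `admin.tls.client.secretName` or `caBundle` has to publish the CA PEM under the `tls.crt` key, because the mount hunk later in this diff points `KONG_NGINX_ADMIN_SSL_CLIENT_CERTIFICATE` at `/etc/admin-client-ca/tls.crt`. A comment above the volume, `{{/* CA used to verify Admin API clients; the ConfigMap must expose the PEM as tls.crt */}}`, ties the two places together. `kong.volumes` starts before the hunk and continues after it.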
@@ -518,6 +598,19 @@ The name of the service used for the ingress controller's validation webhook secret: secretName: {{ .name }} {{- end }} +{{- if and .Values.ingressController.adminApi.tls.client.enabled .Values.ingressController.enabled }} +- name: admin-api-cert + secret: + secretName: {{ template "adminApiService.certSecretName" . }} +{{- end }} +{{- end -}} + +{{- define "controller.adminApiCertVolumeMount" -}} +{{- if and .Values.ingressController.adminApi.tls.client.enabled .Values.ingressController.enabled }} +- name: admin-api-cert + mountPath: /etc/secrets/admin-api-cert + readOnly: true +{{- end -}} {{- end -}} {{- define "kong.userDefinedVolumeMounts" -}} @@ -552,12 +645,17 @@ The name of the service used for the ingress controller's validation webhook {{- end }} {{- end }} {{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}} - {{- if gt $dblessSourceCount 1 -}} + {{- if eq $dblessSourceCount 1 -}} {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }} - name: kong-custom-dbless-config-volume mountPath: /kong_dbless/ {{- end }} {{- end }} +{{- if or $.Values.admin.tls.client.caBundle $.Values.admin.tls.client.secretName }} +- name: admin-client-ca + mountPath: /etc/admin-client-ca/ + readOnly: true +{{- end -}} {{- range .Values.secretVolumes }} - name: {{ . }} mountPath: /etc/secrets/{{ . }} @@ -638,7 +736,7 @@ The name of the service used for the ingress controller's validation webhook {{- if .effectiveSemver -}} {{- .effectiveSemver -}} {{- else -}} -{{- .tag -}} +{{- (trimSuffix "-redhat" .tag) -}} {{- end -}} {{- end -}} 
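Review bot: `controller.adminApiCertVolumeMount` mounts the controller's client certificate at `/etc/secrets/admin-api-cert`, the same prefix the `secretVolumes` loop uses (`/etc/secrets/{{ . }}` in the -552 hunk, with the volume named after the entry), so a user-supplied `secretVolumes` entry called `admin-api-cert` would produce a duplicate volume name and mount path and the Pod would be rejected. Either give the controller cert its own prefix (e.g. `/etc/admin-api-cert`, adjusting the two `CONTROLLER_KONG_ADMIN_TLS_CLIENT_*_FILE` paths set earlier in this diff) or reserve the name in the `secretVolumes` values comment. The -638 change `(trimSuffix "-redhat" .tag)` looks right for the `semverCompare` calls elsewhere in the diff, though a tag without a patch component still relies on lenient semver parsing and is worth a note on `kong.effectiveVersion`.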
@@ -702,6 +800,7 @@ The name of the service used for the ingress controller's validation webhook readOnly: true {{- end }} {{- include "kong.userDefinedVolumeMounts" .Values.ingressController | nindent 2 }} + {{- include "controller.adminApiCertVolumeMount" . | nindent 2 }} {{- end -}} {{- define "secretkeyref" -}} @@ -758,10 +857,18 @@ the template that it itself is using form the above sections. {{- $listenConfig := merge $listenConfig . -}} {{- $_ := set $listenConfig "address" $address -}} {{- $_ := set $autoEnv "KONG_ADMIN_LISTEN" (include "kong.listen" $listenConfig) -}} + + {{- if or .tls.client.secretName .tls.client.caBundle -}} + {{- $_ := set $autoEnv "KONG_NGINX_ADMIN_SSL_VERIFY_CLIENT" "on" -}} + {{- $_ := set $autoEnv "KONG_NGINX_ADMIN_SSL_CLIENT_CERTIFICATE" "/etc/admin-client-ca/tls.crt" -}} + {{- end -}} + {{- end -}} {{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}} {{- if (and .Values.certificates.cluster.enabled .Values.cluster.enabled) -}} + {{- $_ := set $autoEnv "KONG_CLUSTER_MTLS" "pki" -}} + {{- $_ := set $autoEnv "KONG_CLUSTER_SERVER_NAME" .Values.certificates.cluster.commonName -}} {{- $_ := set $autoEnv "KONG_CLUSTER_CA_CERT" "/etc/cert-manager/cluster/ca.crt" -}} {{- $_ := set $autoEnv "KONG_CLUSTER_CERT" "/etc/cert-manager/cluster/tls.crt" -}} {{- $_ := set $autoEnv "KONG_CLUSTER_CERT_KEY" "/etc/cert-manager/cluster/tls.key" -}} @@ -914,7 +1021,7 @@ the template that it itself is using form the above sections. {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }} {{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}} -{{- if gt $dblessSourceCount 1 -}} +{{- if eq $dblessSourceCount 1 -}} {{- $_ := set $autoEnv "KONG_DECLARATIVE_CONFIG" "/kong_dbless/kong.yml" -}} {{- end }} {{- end }} 
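Review bot: `KONG_CLUSTER_SERVER_NAME` in the -758 hunk is set straight from `.Values.certificates.cluster.commonName` with no guard, so an unset value renders an empty env var on a data plane that the same hunk now forces into `KONG_CLUSTER_MTLS=pki`, the mode in which that server name is what the DP matches the control plane's certificate against. Unless values.yaml (not in this chunk) carries a non-empty default, wrap it: `{{- $_ := set $autoEnv "KONG_CLUSTER_SERVER_NAME" (required "certificates.cluster.commonName is required when certificates.cluster.enabled is true" .Values.certificates.cluster.commonName) -}}`. The enclosing define starts and ends outside this hunk.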
@@ -1037,6 +1144,13 @@ role sets used in the charts. Updating these requires separating out cluster resource roles into their separate templates. */}} {{- define "kong.kubernetesRBACRules" -}} +- apiGroups: + - "" + resources: + - namespaces + verbs: + - list +{{- if (semverCompare "< 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} - apiGroups: - "" resources: @@ -1044,20 +1158,7 @@ resource roles into their separate templates. verbs: - list - watch -- apiGroups: - - "" - resources: - - namespaces - verbs: - - list -- apiGroups: - - "" - resources: - - endpoints/status - verbs: - - get - - patch - - update +{{- end }} - apiGroups: - "" resources: @@ -1087,14 +1188,6 @@ resource roles into their separate templates. verbs: - list - watch -- apiGroups: - - "" - resources: - - secrets/status - verbs: - - get - - patch - - update - apiGroups: - "" resources: @@ -1306,6 +1399,22 @@ resource roles into their separate templates. verbs: - get - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - grpcroutes + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - grpcroutes/status + verbs: + - get + - patch + - update {{- end }} {{- if (.Capabilities.APIVersions.Has "networking.internal.knative.dev/v1alpha1") }} - apiGroups: @@ -1341,6 +1450,14 @@ resource roles into their separate templates. - get - patch - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch {{- end -}} {{/* 
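Review bot: The `discovery.k8s.io` / `endpointslices` rule added at the end of the -1341 hunk is unconditional, while the same commit gates the core `endpoints` rule behind `semverCompare "< 2.10.0"`; if controllers before 2.10 do not read EndpointSlices (which that version split suggests), the new rule should carry the complementary guard, `{{- if (semverCompare ">= 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}`, so older deployments are not granted a read permission they never exercise. Whether the rule sits inside a Capabilities check is not visible here; the enclosing block of these hunks starts outside them.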
@@ -1373,6 +1490,15 @@ Kubernetes Cluster-scoped resources it uses to build Kong configuration. - get - patch - update +{{- if (semverCompare ">= 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch +{{- end }} {{- if or (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1alpha2") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1") }} - apiGroups: - gateway.networking.k8s.io @@ -1411,9 +1537,9 @@ extensions/v1beta1 {{- end -}} {{- define "kong.autoscalingVersion" -}} -{{- if (.Capabilities.APIVersions.Has "autoscaling/v2") -}} +{{- if (.Capabilities.APIVersions.Has "autoscaling/v2/HorizontalPodAutoscaler") -}} autoscaling/v2 -{{- else if (.Capabilities.APIVersions.Has "autoscaling/v2beta2") -}} +{{- else if (.Capabilities.APIVersions.Has "autoscaling/v2beta2/HorizontalPodAutoscaler") -}} autoscaling/v2beta2 {{- else -}} autoscaling/v1 diff --git a/build_system/charts/open-appsec-kong/templates/admission-webhook.yaml b/build_system/charts/open-appsec-kong/templates/admission-webhook.yaml index 7d56a90..f887ccf 100644 --- a/build_system/charts/open-appsec-kong/templates/admission-webhook.yaml +++ b/build_system/charts/open-appsec-kong/templates/admission-webhook.yaml @@ -1,4 +1,4 @@ -{{- if .Values.ingressController.admissionWebhook.enabled }} +{{- if (and .Values.ingressController.admissionWebhook.enabled .Values.ingressController.enabled) }} {{- $certCert := "" -}} {{- $certKey := "" -}} {{- $caCert := "" -}} 
@@ -34,8 +34,18 @@ metadata: namespace: {{ template "kong.namespace" . }} labels: {{- include "kong.metaLabels" . | nindent 4 }} + {{- if .Values.ingressController.admissionWebhook.annotations }} + annotations: + {{- range $key, $value := .Values.ingressController.admissionWebhook.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} webhooks: - name: validations.kong.konghq.com + {{- with .Values.ingressController.admissionWebhook.namespaceSelector }} + namespaceSelector: + {{- toYaml . | nindent 4 }} + {{- end }} objectSelector: matchExpressions: - key: owner @@ -89,6 +99,9 @@ metadata: namespace: {{ template "kong.namespace" . }} labels: {{- include "kong.metaLabels" . | nindent 4 }} + {{- if .Values.ingressController.admissionWebhook.service.labels }} + {{- toYaml .Values.ingressController.admissionWebhook.service.labels | nindent 4 }} + {{- end }} spec: ports: - name: webhook diff --git a/build_system/charts/open-appsec-kong/templates/appsec.yaml b/build_system/charts/open-appsec-kong/templates/appsec.yaml index 420b97c..a8969ac 100644 --- a/build_system/charts/open-appsec-kong/templates/appsec.yaml +++ b/build_system/charts/open-appsec-kong/templates/appsec.yaml 
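Review bot: `namespaceSelector` is emitted through `with`, so an unset or empty `ingressController.admissionWebhook.namespaceSelector` omits the field and the webhook is evaluated for matching objects in every namespace; the values.yaml entry (not in this chunk) should state that default, e.g. `# Empty means the webhook applies to all namespaces; restrict with matchLabels/matchExpressions`. The enclosing ValidatingWebhookConfiguration starts outside the hunk.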
@@ -1,447 +1,438 @@ -{{- if and (not (eq .Values.kind "Vanilla")) (or .Values.deployment.kong.enabled .Values.ingressController.enabled) }} -apiVersion: apps/v1 -{{- if (eq .Values.kind "AppSec") }} -{{- if .Values.deployment.daemonset }} -kind: DaemonSet -{{- else }} -kind: Deployment -{{- end }} -{{- else if eq .Values.kind "AppSecStateful" }} -kind: StatefulSet -{{- end }} -metadata: - name: {{ template "kong.fullname" . }} - namespace: {{ template "kong.namespace" . }} - labels: - {{- include "kong.metaLabels" . | nindent 4 }} - app.kubernetes.io/component: app - {{- if .Values.deploymentAnnotations }} - annotations: - {{- range $key, $value := .Values.deploymentAnnotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} - {{- end }} -spec: - {{- if not .Values.autoscaling.enabled }} - {{- if eq .Values.kind "AppSecStateful" }} - serviceName: "cp-appsec-stateful-set" - {{- end }} - {{- if or (not .Values.deployment.daemonset) (and (eq .Values.kind "AppSecStateful") ( .Values.deployment.daemonset )) }} - replicas: {{ .Values.replicaCount }} - {{- end }} - {{- end }} - selector: - matchLabels: - {{- include "kong.selectorLabels" . | nindent 6 }} - {{- if .Values.updateStrategy }} - {{- if .Values.deployment.daemonset }} - updateStrategy: - {{- else }} - strategy: - {{- end }} -{{ toYaml .Values.updateStrategy | indent 4 }} - {{- end }} - {{- if .Values.deployment.minReadySeconds }} - minReadySeconds: {{ .Values.deployment.minReadySeconds }} - {{- end }} - - template: - metadata: - annotations: - {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }} - kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . 
}} - {{- end }} - {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off" )) }} - {{- if .Values.dblessConfig.config }} - checksum/dbless.config: {{ toYaml .Values.dblessConfig.config | sha256sum }} - {{- end }} - {{- end }} - {{- if .Values.podAnnotations }} - {{- range $key, $value := .Values.podAnnotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} - {{- end }} - labels: - {{- include "kong.metaLabels" . | nindent 8 }} - app.kubernetes.io/component: app - app: {{ template "kong.fullname" . }} - version: {{ .Chart.AppVersion | quote }} - {{- if .Values.podLabels }} - {{ toYaml .Values.podLabels | nindent 8 }} - {{- end }} - spec: - {{- if .Values.deployment.hostNetwork }} - hostNetwork: true - {{- end }} - {{- if .Values.priorityClassName }} - priorityClassName: "{{ .Values.priorityClassName }}" - {{- end }} - {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }} - serviceAccountName: {{ template "kong.serviceAccountName" . }} - {{- end }} - {{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }} - automountServiceAccountToken: true - {{- else }} - automountServiceAccountToken: false - {{ end }} - {{- if .Values.image.pullSecrets }} - imagePullSecrets: - {{- range .Values.image.pullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} - initContainers: - - name: clear-stale-pid - image: {{ include "kong.getRepoTag" .Values.image }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - securityContext: - {{ toYaml .Values.containerSecurityContext | nindent 10 }} - resources: -{{ toYaml .Values.resources | indent 10 }} - command: - - "rm" - - "-vrf" - - "$KONG_PREFIX/pids" - env: - {{- include "kong.env" . | nindent 8 }} - volumeMounts: - {{- include "kong.volumeMounts" . 
| nindent 8 }} - {{- if .Values.deployment.initContainers }} - {{- toYaml .Values.deployment.initContainers | nindent 6 }} - {{- end }} - {{- if (and (not (eq .Values.env.database "off")) .Values.waitImage.enabled) }} - {{- include "kong.wait-for-db" . | nindent 6 }} - {{- end }} - {{- if .Values.deployment.hostAliases }} - hostAliases: - {{- toYaml .Values.deployment.hostAliases | nindent 6 }} - {{- end}} - {{- if .Values.dnsPolicy }} - dnsPolicy: {{ .Values.dnsPolicy | quote }} - {{- end }} - {{- if .Values.dnsConfig }} - dnsConfig: -{{ toYaml .Values.dnsConfig | indent 8 }} - {{- end }} - containers: - - name: {{ .Values.appsec.name }} - readinessProbe: - exec: - command: - - sh - - -c - - '[ -f /etc/cp/HttpTransactionHandler/cp-nano-http-transaction-handler ] && exit 0 || exit 1' - initialDelaySeconds: 30 - periodSeconds: 5 - failureThreshold: 120 - successThreshold: 1 - securityContext: - {{ toYaml .Values.appsec.securityContext | nindent 12 }} - {{- with .Values.appsec.image }} - image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}" - {{- end }} - command: - - {{ .Values.appsec.command }} - imagePullPolicy: {{ .Values.appsec.image.pullPolicy }} - args: - {{- if (eq "standalone" .Values.appsec.mode) }} - - --hybrid-mode - - --token - - cp-3fb5c718-5e39-47e6-8d5e-99b4bc5660b74b4b7fc8-5312-451d-a763-aaf7872703c0 - {{- else }} - - --token - - {{ .Values.appsec.agentToken }} - {{- end }} - {{- if .Values.appsec.customFog.enabled }} - - --fog - - {{ .Values.appsec.customFog.fogAddress }} - {{- end }} - {{- if .Values.appsec.proxy }} - - --proxy - - {{ .Values.appsec.proxy }} - {{- end }} - imagePullPolicy: {{ .Values.appsec.image.pullPolicy }} - env: - {{- if eq .Values.appsec.playground false }} - - name: SHARED_STORAGE_HOST - value: {{ .Values.appsec.storage.name }}-svc - - name: LEARNING_HOST - value: {{ 
.Values.appsec.learning.name }}-svc - {{- else }} - - name: PLAYGROUND - value: "true" - {{- end }} - {{- if .Values.appsec.email }} - {{- if eq .Values.appsec.email "STUB" }} - {{- fail "Please replace STUB with an email address" }} - {{- end }} - - name: user_email - value: {{ .Values.appsec.email }} - {{- end }} - - name: registered_server - value: "Kong Server" - resources: - {{ toYaml .Values.resources | nindent 12 }} - {{- if eq .Values.kind "AppSecStateful" }} - volumeMounts: - - name: advanced-model - mountPath: /advanced-model - - name: appsec-conf - mountPath: /etc/cp/conf - - name: appsec-data - mountPath: /etc/cp/data - {{- end }} - {{- if .Values.ingressController.enabled }} - {{- include "kong.controller-container" . | nindent 6 }} - {{ end }} - {{- if .Values.deployment.sidecarContainers }} - {{- toYaml .Values.deployment.sidecarContainers | nindent 6 }} - {{- end }} - {{- if .Values.deployment.kong.enabled }} - - name: "proxy" - {{- with .Values.appsec.kong.image }} - image: "{{ .repository }}:{{ .tag }}" - {{- end }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - securityContext: - {{ toYaml .Values.containerSecurityContext | nindent 10 }} - env: - {{- include "kong.no_daemon_env" . 
| nindent 8 }} - lifecycle: - {{- toYaml .Values.lifecycle | nindent 10 }} - ports: - {{- if (and .Values.admin.http.enabled .Values.admin.enabled) }} - - name: admin - containerPort: {{ .Values.admin.http.containerPort }} - {{- if .Values.admin.http.hostPort }} - hostPort: {{ .Values.admin.http.hostPort }} - {{- end}} - protocol: TCP - {{- end }} - {{- if (and .Values.admin.tls.enabled .Values.admin.enabled) }} - - name: admin-tls - containerPort: {{ .Values.admin.tls.containerPort }} - {{- if .Values.admin.tls.hostPort }} - hostPort: {{ .Values.admin.tls.hostPort }} - {{- end}} - protocol: TCP - {{- end }} - {{- if (and .Values.proxy.http.enabled .Values.proxy.enabled) }} - - name: proxy - containerPort: {{ .Values.proxy.http.containerPort }} - {{- if .Values.proxy.http.hostPort }} - hostPort: {{ .Values.proxy.http.hostPort }} - {{- end}} - protocol: TCP - {{- end }} - {{- if (and .Values.proxy.tls.enabled .Values.proxy.enabled)}} - - name: proxy-tls - containerPort: {{ .Values.proxy.tls.containerPort }} - {{- if .Values.proxy.tls.hostPort }} - hostPort: {{ .Values.proxy.tls.hostPort }} - {{- end}} - protocol: TCP - {{- end }} - {{- range .Values.proxy.stream }} - - name: stream{{ if (eq (default "TCP" .protocol) "UDP") }}udp{{ end }}-{{ .containerPort }} - containerPort: {{ .containerPort }} - {{- if .hostPort }} - hostPort: {{ .hostPort }} - {{- end}} - protocol: {{ .protocol }} - {{- end }} - {{- range .Values.udpProxy.stream }} - - name: streamudp-{{ .containerPort }} - containerPort: {{ .containerPort }} - {{- if .hostPort }} - hostPort: {{ .hostPort }} - {{- end}} - protocol: {{ .protocol }} - {{- end }} - {{- if (and .Values.status.http.enabled .Values.status.enabled)}} - - name: status - containerPort: {{ .Values.status.http.containerPort }} - {{- if .Values.status.http.hostPort }} - hostPort: {{ .Values.status.http.hostPort }} - {{- end}} - protocol: TCP - {{- end }} - {{- if (and .Values.status.tls.enabled .Values.status.enabled) }} - - name: status-tls 
- containerPort: {{ .Values.status.tls.containerPort }} - {{- if .Values.status.tls.hostPort }} - hostPort: {{ .Values.status.tls.hostPort }} - {{- end}} - protocol: TCP - {{- end }} - {{- if (and .Values.cluster.tls.enabled .Values.cluster.enabled) }} - - name: cluster-tls - containerPort: {{ .Values.cluster.tls.containerPort }} - {{- if .Values.cluster.tls.hostPort }} - hostPort: {{ .Values.cluster.tls.hostPort }} - {{- end}} - protocol: TCP - {{- end }} - {{- if .Values.enterprise.enabled }} - {{- if (and .Values.manager.http.enabled .Values.manager.enabled) }} - - name: manager - containerPort: {{ .Values.manager.http.containerPort }} - {{- if .Values.manager.http.hostPort }} - hostPort: {{ .Values.manager.http.hostPort }} - {{- end}} - protocol: TCP - {{- end }} - {{- if (and .Values.manager.tls.enabled .Values.manager.enabled) }} - - name: manager-tls - containerPort: {{ .Values.manager.tls.containerPort }} - {{- if .Values.manager.tls.hostPort }} - hostPort: {{ .Values.manager.tls.hostPort }} - {{- end}} - protocol: TCP - {{- end }} - {{- if (and .Values.portal.http.enabled .Values.portal.enabled) }} - - name: portal - containerPort: {{ .Values.portal.http.containerPort }} - {{- if .Values.portal.http.hostPort }} - hostPort: {{ .Values.portal.http.hostPort }} - {{- end}} - protocol: TCP - {{- end }} - {{- if (and .Values.portal.tls.enabled .Values.portal.enabled) }} - - name: portal-tls - containerPort: {{ .Values.portal.tls.containerPort }} - {{- if .Values.portal.tls.hostPort }} - hostPort: {{ .Values.portal.tls.hostPort }} - {{- end}} - protocol: TCP - {{- end }} - {{- if (and .Values.portalapi.http.enabled .Values.portalapi.enabled) }} - - name: portalapi - containerPort: {{ .Values.portalapi.http.containerPort }} - {{- if .Values.portalapi.http.hostPort }} - hostPort: {{ .Values.portalapi.http.hostPort }} - {{- end}} - protocol: TCP - {{- end }} - {{- if (and .Values.portalapi.tls.enabled .Values.portalapi.enabled) }} - - name: portalapi-tls - 
containerPort: {{ .Values.portalapi.tls.containerPort }} - {{- if .Values.portalapi.tls.hostPort }} - hostPort: {{ .Values.portalapi.tls.hostPort }} - {{- end}} - protocol: TCP - {{- end }} - {{- if (and .Values.clustertelemetry.tls.enabled .Values.clustertelemetry.enabled) }} - - name: clustert-tls - containerPort: {{ .Values.clustertelemetry.tls.containerPort }} - {{- if .Values.clustertelemetry.tls.hostPort }} - hostPort: {{ .Values.clustertelemetry.tls.hostPort }} - {{- end}} - protocol: TCP - {{- end }} - {{- end }} - volumeMounts: - {{- include "kong.volumeMounts" . | nindent 10 }} - {{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 10 }} - readinessProbe: -{{ toYaml .Values.readinessProbe | indent 10 }} - livenessProbe: -{{ toYaml .Values.livenessProbe | indent 10 }} - resources: -{{ toYaml .Values.resources | indent 10 }} - {{- end }} {{/* End of Kong container spec */}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 8 }} - {{- end }} - {{- if .Values.topologySpreadConstraints }} - topologySpreadConstraints: -{{ toYaml .Values.topologySpreadConstraints | indent 8 }} - {{- end }} - securityContext: - {{- include "kong.podsecuritycontext" . | nindent 8 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} - {{- end }} - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - {{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | indent 8 }} - {{- end }} - volumes: - - name: advanced-model - configMap: - name: advanced-model-config - optional: true - {{- include "kong.volumes" . | nindent 8 -}} - {{- include "kong.userDefinedVolumes" . | nindent 8 -}} - {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }} - - name: {{ template "kong.serviceAccountTokenName" . }} - {{- /* Due to GKE versions (e.g. 
v1.23.15-gke.1900) we need to handle pre-release part of the version as well. - See the related documentation of semver module that Helm depends on for semverCompare: - https://github.com/Masterminds/semver#working-with-prerelease-versions - Related Helm issue: https://github.com/helm/helm/issues/3810 */}} - {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} - projected: - sources: - - serviceAccountToken: - expirationSeconds: 3607 - path: token - - configMap: - items: - - key: ca.crt - path: ca.crt - name: kube-root-ca.crt - - downwardAPI: - items: - - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - path: namespace - {{- else }} - secret: - secretName: {{ template "kong.serviceAccountTokenName" . }} - items: - - key: token - path: token - - key: ca.crt - path: ca.crt - - key: namespace - path: namespace - {{- end -}} - {{- end }} - {{- if eq .Values.kind "AppSecStateful" }} - volumeClaimTemplates: - - metadata: - name: appsec-conf - spec: - accessModes: [ "ReadWriteOnce" ] - # Need to create a storage class resource. - {{- if .Values.appsec.persistence.storageClass }} - {{- if (eq "-" .Values.appsec.persistence.storageClass) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ .Values.appsec.persistence.storageClass }}" - {{- end -}} - {{- end }} - resources: - requests: - storage: {{ .Values.appsec.persistence.conf.size | quote }} - - metadata: - name: appsec-data - spec: - accessModes: [ "ReadWriteOnce" ] - # Need to create a storage class resource. 
- {{- if .Values.appsec.persistence.storageClass }} - {{- if (eq "-" .Values.appsec.persistence.storageClass) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ .Values.appsec.persistence.storageClass }}" - {{- end -}} - {{- end }} - resources: - requests: - storage: {{ .Values.appsec.persistence.data.size | quote }} - {{- end }} -{{- end }} +{{- if and (not (eq .Values.kind "Vanilla")) (or .Values.deployment.kong.enabled .Values.ingressController.enabled) }} +apiVersion: apps/v1 +{{- if (eq .Values.kind "AppSec") }} +{{- if .Values.deployment.daemonset }} +kind: DaemonSet +{{- else }} +kind: Deployment +{{- end }} +{{- else if eq .Values.kind "AppSecStateful" }} +kind: StatefulSet +{{- end }} +metadata: + name: {{ template "kong.fullname" . }} + namespace: {{ template "kong.namespace" . }} + labels: + {{- include "kong.metaLabels" . | nindent 4 }} + app.kubernetes.io/component: app + {{- if .Values.deploymentAnnotations }} + annotations: + {{- range $key, $value := .Values.deploymentAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} +spec: + {{- if not .Values.autoscaling.enabled }} + {{- if eq .Values.kind "AppSecStateful" }} + serviceName: "cp-appsec-stateful-set" + {{- end }} + {{- if or (not .Values.deployment.daemonset) (and (eq .Values.kind "AppSecStateful") ( .Values.deployment.daemonset )) }} + replicas: {{ .Values.replicaCount }} + {{- end }} + {{- end }} + selector: + matchLabels: + {{- include "kong.selectorLabels" . 
| nindent 6 }} + {{- if .Values.updateStrategy }} + {{- if .Values.deployment.daemonset }} + updateStrategy: + {{- else }} + strategy: + {{- end }} +{{ toYaml .Values.updateStrategy | indent 4 }} + {{- end }} + {{- if .Values.deployment.minReadySeconds }} + minReadySeconds: {{ .Values.deployment.minReadySeconds }} + {{- end }} + + template: + metadata: + annotations: + {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }} + kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }} + {{- end }} + {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off" )) }} + {{- if .Values.dblessConfig.config }} + checksum/dbless.config: {{ toYaml .Values.dblessConfig.config | sha256sum }} + {{- end }} + {{- end }} + {{- if .Values.podAnnotations }} + {{- range $key, $value := .Values.podAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + labels: + {{- include "kong.metaLabels" . | nindent 8 }} + app.kubernetes.io/component: app + app: {{ template "kong.fullname" . }} + version: {{ .Chart.AppVersion | quote }} + {{- if .Values.podLabels }} + {{ toYaml .Values.podLabels | nindent 8 }} + {{- end }} + spec: + {{- if .Values.deployment.hostNetwork }} + hostNetwork: true + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: "{{ .Values.priorityClassName }}" + {{- end }} + {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }} + serviceAccountName: {{ template "kong.serviceAccountName" . 
}} + {{- end }} + {{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }} + automountServiceAccountToken: true + {{- else }} + automountServiceAccountToken: false + {{ end }} + {{- if .Values.image.pullSecrets }} + imagePullSecrets: + {{- range .Values.image.pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + initContainers: + - name: clear-stale-pid + image: {{ include "kong.getRepoTag" .Values.image }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + securityContext: + {{ toYaml .Values.containerSecurityContext | nindent 10 }} + resources: +{{ toYaml .Values.resources | indent 10 }} + command: + - "rm" + - "-vrf" + - "$KONG_PREFIX/pids" + env: + {{- include "kong.env" . | nindent 8 }} + volumeMounts: + {{- include "kong.volumeMounts" . | nindent 8 }} + {{- if .Values.deployment.initContainers }} + {{- toYaml .Values.deployment.initContainers | nindent 6 }} + {{- end }} + {{- if (and (not (eq .Values.env.database "off")) .Values.waitImage.enabled) }} + {{- include "kong.wait-for-db" . 
| nindent 6 }} + {{- end }} + {{- if .Values.deployment.hostAliases }} + hostAliases: + {{- toYaml .Values.deployment.hostAliases | nindent 6 }} + {{- end}} + {{- if .Values.dnsPolicy }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- end }} + {{- if .Values.dnsConfig }} + dnsConfig: +{{ toYaml .Values.dnsConfig | indent 8 }} + {{- end }} + containers: + - name: {{ .Values.appsec.name }} + readinessProbe: + exec: + command: + - sh + - -c + - '[ -f /etc/cp/HttpTransactionHandler/cp-nano-http-transaction-handler ] && exit 0 || exit 1' + initialDelaySeconds: 30 + periodSeconds: 5 + failureThreshold: 120 + successThreshold: 1 + securityContext: + {{ toYaml .Values.appsec.securityContext | nindent 12 }} + {{- with .Values.appsec.image }} + image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}" + {{- end }} + command: + - {{ .Values.appsec.command }} + imagePullPolicy: {{ .Values.appsec.image.pullPolicy }} + args: + {{- if (eq "standalone" .Values.appsec.mode) }} + - --hybrid-mode + - --token + - cp-3fb5c718-5e39-47e6-8d5e-99b4bc5660b74b4b7fc8-5312-451d-a763-aaf7872703c0 + {{- else }} + - --token + - {{ .Values.appsec.agentToken }} + {{- end }} + {{- if .Values.appsec.customFog.enabled }} + - --fog + - {{ .Values.appsec.customFog.fogAddress }} + {{- end }} + {{- if .Values.appsec.proxy }} + - --proxy + - {{ .Values.appsec.proxy }} + {{- end }} + imagePullPolicy: {{ .Values.appsec.image.pullPolicy }} + env: + {{- if eq .Values.appsec.playground false }} + - name: SHARED_STORAGE_HOST + value: {{ .Values.appsec.storage.name }}-svc + - name: LEARNING_HOST + value: {{ .Values.appsec.learning.name }}-svc + {{- else }} + - name: PLAYGROUND + value: "true" + {{- end }} + resources: + {{ toYaml .Values.resources | nindent 12 }} + {{- if eq .Values.kind "AppSecStateful" }} + volumeMounts: + - name: advanced-model + mountPath: 
/advanced-model + - name: appsec-conf + mountPath: /etc/cp/conf + - name: appsec-data + mountPath: /etc/cp/data + {{- end }} + {{- if .Values.ingressController.enabled }} + {{- include "kong.controller-container" . | nindent 6 }} + {{ end }} + {{- if .Values.deployment.sidecarContainers }} + {{- toYaml .Values.deployment.sidecarContainers | nindent 6 }} + {{- end }} + {{- if .Values.deployment.kong.enabled }} + - name: "proxy" + {{- with .Values.appsec.kong.image }} + image: "{{ .repository }}:{{ .tag }}" + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + securityContext: + {{ toYaml .Values.containerSecurityContext | nindent 10 }} + env: + {{- include "kong.no_daemon_env" . | nindent 8 }} + lifecycle: + {{- toYaml .Values.lifecycle | nindent 10 }} + ports: + {{- if (and .Values.admin.http.enabled .Values.admin.enabled) }} + - name: admin + containerPort: {{ .Values.admin.http.containerPort }} + {{- if .Values.admin.http.hostPort }} + hostPort: {{ .Values.admin.http.hostPort }} + {{- end}} + protocol: TCP + {{- end }} + {{- if (and .Values.admin.tls.enabled .Values.admin.enabled) }} + - name: admin-tls + containerPort: {{ .Values.admin.tls.containerPort }} + {{- if .Values.admin.tls.hostPort }} + hostPort: {{ .Values.admin.tls.hostPort }} + {{- end}} + protocol: TCP + {{- end }} + {{- if (and .Values.proxy.http.enabled .Values.proxy.enabled) }} + - name: proxy + containerPort: {{ .Values.proxy.http.containerPort }} + {{- if .Values.proxy.http.hostPort }} + hostPort: {{ .Values.proxy.http.hostPort }} + {{- end}} + protocol: TCP + {{- end }} + {{- if (and .Values.proxy.tls.enabled .Values.proxy.enabled)}} + - name: proxy-tls + containerPort: {{ .Values.proxy.tls.containerPort }} + {{- if .Values.proxy.tls.hostPort }} + hostPort: {{ .Values.proxy.tls.hostPort }} + {{- end}} + protocol: TCP + {{- end }} + {{- range .Values.proxy.stream }} + - name: stream{{ if (eq (default "TCP" .protocol) "UDP") }}udp{{ end }}-{{ .containerPort }} + containerPort: {{ 
.containerPort }} + {{- if .hostPort }} + hostPort: {{ .hostPort }} + {{- end}} + protocol: {{ .protocol }} + {{- end }} + {{- range .Values.udpProxy.stream }} + - name: streamudp-{{ .containerPort }} + containerPort: {{ .containerPort }} + {{- if .hostPort }} + hostPort: {{ .hostPort }} + {{- end}} + protocol: {{ .protocol }} + {{- end }} + {{- if (and .Values.status.http.enabled .Values.status.enabled)}} + - name: status + containerPort: {{ .Values.status.http.containerPort }} + {{- if .Values.status.http.hostPort }} + hostPort: {{ .Values.status.http.hostPort }} + {{- end}} + protocol: TCP + {{- end }} + {{- if (and .Values.status.tls.enabled .Values.status.enabled) }} + - name: status-tls + containerPort: {{ .Values.status.tls.containerPort }} + {{- if .Values.status.tls.hostPort }} + hostPort: {{ .Values.status.tls.hostPort }} + {{- end}} + protocol: TCP + {{- end }} + {{- if (and .Values.cluster.tls.enabled .Values.cluster.enabled) }} + - name: cluster-tls + containerPort: {{ .Values.cluster.tls.containerPort }} + {{- if .Values.cluster.tls.hostPort }} + hostPort: {{ .Values.cluster.tls.hostPort }} + {{- end}} + protocol: TCP + {{- end }} + {{- if .Values.enterprise.enabled }} + {{- if (and .Values.manager.http.enabled .Values.manager.enabled) }} + - name: manager + containerPort: {{ .Values.manager.http.containerPort }} + {{- if .Values.manager.http.hostPort }} + hostPort: {{ .Values.manager.http.hostPort }} + {{- end}} + protocol: TCP + {{- end }} + {{- if (and .Values.manager.tls.enabled .Values.manager.enabled) }} + - name: manager-tls + containerPort: {{ .Values.manager.tls.containerPort }} + {{- if .Values.manager.tls.hostPort }} + hostPort: {{ .Values.manager.tls.hostPort }} + {{- end}} + protocol: TCP + {{- end }} + {{- if (and .Values.portal.http.enabled .Values.portal.enabled) }} + - name: portal + containerPort: {{ .Values.portal.http.containerPort }} + {{- if .Values.portal.http.hostPort }} + hostPort: {{ .Values.portal.http.hostPort }} + {{- 
end}} + protocol: TCP + {{- end }} + {{- if (and .Values.portal.tls.enabled .Values.portal.enabled) }} + - name: portal-tls + containerPort: {{ .Values.portal.tls.containerPort }} + {{- if .Values.portal.tls.hostPort }} + hostPort: {{ .Values.portal.tls.hostPort }} + {{- end}} + protocol: TCP + {{- end }} + {{- if (and .Values.portalapi.http.enabled .Values.portalapi.enabled) }} + - name: portalapi + containerPort: {{ .Values.portalapi.http.containerPort }} + {{- if .Values.portalapi.http.hostPort }} + hostPort: {{ .Values.portalapi.http.hostPort }} + {{- end}} + protocol: TCP + {{- end }} + {{- if (and .Values.portalapi.tls.enabled .Values.portalapi.enabled) }} + - name: portalapi-tls + containerPort: {{ .Values.portalapi.tls.containerPort }} + {{- if .Values.portalapi.tls.hostPort }} + hostPort: {{ .Values.portalapi.tls.hostPort }} + {{- end}} + protocol: TCP + {{- end }} + {{- if (and .Values.clustertelemetry.tls.enabled .Values.clustertelemetry.enabled) }} + - name: clustert-tls + containerPort: {{ .Values.clustertelemetry.tls.containerPort }} + {{- if .Values.clustertelemetry.tls.hostPort }} + hostPort: {{ .Values.clustertelemetry.tls.hostPort }} + {{- end}} + protocol: TCP + {{- end }} + {{- end }} + volumeMounts: + {{- include "kong.volumeMounts" . | nindent 10 }} + {{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 10 }} + readinessProbe: +{{ toYaml .Values.readinessProbe | indent 10 }} + livenessProbe: +{{ toYaml .Values.livenessProbe | indent 10 }} + resources: +{{ toYaml .Values.resources | indent 10 }} + {{- end }} {{/* End of Kong container spec */}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.topologySpreadConstraints | indent 8 }} + {{- end }} + securityContext: + {{- include "kong.podsecuritycontext" . 
| nindent 8 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 8 }} + {{- end }} + volumes: + - name: advanced-model + configMap: + name: advanced-model-config + optional: true + {{- include "kong.volumes" . | nindent 8 -}} + {{- include "kong.userDefinedVolumes" . | nindent 8 -}} + {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }} + - name: {{ template "kong.serviceAccountTokenName" . }} + {{- /* Due to GKE versions (e.g. v1.23.15-gke.1900) we need to handle pre-release part of the version as well. + See the related documentation of semver module that Helm depends on for semverCompare: + https://github.com/Masterminds/semver#working-with-prerelease-versions + Related Helm issue: https://github.com/helm/helm/issues/3810 */}} + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + {{- else }} + secret: + secretName: {{ template "kong.serviceAccountTokenName" . }} + items: + - key: token + path: token + - key: ca.crt + path: ca.crt + - key: namespace + path: namespace + {{- end -}} + {{- end }} + {{- if eq .Values.kind "AppSecStateful" }} + volumeClaimTemplates: + - metadata: + name: appsec-conf + spec: + accessModes: [ "ReadWriteOnce" ] + # Need to create a storage class resource. 
+ {{- if .Values.appsec.persistence.storageClass }}
+ {{- if (eq "-" .Values.appsec.persistence.storageClass) }}
+ storageClassName: ""
+ {{- else }}
+ storageClassName: "{{ .Values.appsec.persistence.storageClass }}"
+ {{- end -}}
+ {{- end }}
+ resources:
+ requests:
+ storage: {{ .Values.appsec.persistence.conf.size | quote }}
+ - metadata:
+ name: appsec-data
+ spec:
+ accessModes: [ "ReadWriteOnce" ]
+ # Need to create a storage class resource.
+ {{- if .Values.appsec.persistence.storageClass }}
+ {{- if (eq "-" .Values.appsec.persistence.storageClass) }}
+ storageClassName: ""
+ {{- else }}
+ storageClassName: "{{ .Values.appsec.persistence.storageClass }}"
+ {{- end -}}
+ {{- end }}
+ resources:
+ requests:
+ storage: {{ .Values.appsec.persistence.data.size | quote }}
+ {{- end }}
+{{- end }}
diff --git a/build_system/charts/open-appsec-kong/templates/certificate.yaml b/build_system/charts/open-appsec-kong/templates/certificate.yaml
index ce4bbee..a7079cd 100644
--- a/build_system/charts/open-appsec-kong/templates/certificate.yaml
+++ b/build_system/charts/open-appsec-kong/templates/certificate.yaml
@@ -6,6 +6,8 @@
 {{- $_ := set $genericCertificateConfig "metaLabels" (include "kong.metaLabels" .) -}}
 {{- $_ := set $genericCertificateConfig "globalIssuer" .Values.certificates.issuer -}}
 {{- $_ := set $genericCertificateConfig "globalClusterIssuer" .Values.certificates.clusterIssuer -}}
+{{- $_ := set $genericCertificateConfig "globalSubject" .Values.certificates.subject -}}
+{{- $_ := set $genericCertificateConfig "globalPrivateKey" .Values.certificates.privateKey -}}
 {{- $_ := set $genericCertificateConfig "defaultIssuer" (printf "%s-%s-%s" .Release.Name .Chart.Name "selfsigned-issuer") -}}
 {{- if .Values.certificates.admin.enabled }}
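Review bot: The rewritten appsec container still declares `imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}` twice, once before `args:` and again after the `{{- end }}` that closes the `--proxy` branch; duplicate mapping keys are invalid YAML and most loaders silently keep the last one, so one of the two lines should go. The hunk replaces all 447 lines while the only functional change visible is dropping the `user_email`/`registered_server` env entries and the STUB `fail` check, which suggests a line-ending or whitespace normalisation that would be easier to audit as a separate commit. The new side also keeps passing the agent token as a plain `--token` argument (a fixed literal on the standalone branch, `.Values.appsec.agentToken` otherwise), which is readable from the pod spec and the container's process list by anyone who can read pods; an env var fed from a Secret via `valueFrom.secretKeyRef` would keep it out of both. The file's outer `{{- if }}`/`{{- end }}` pair is fully inside this hunk.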
@@ -28,10 +30,7 @@ {{- if .Values.certificates.cluster.enabled }} {{- $certificateConfig := dict -}} -{{- $certificateConfig = mustMerge (mustDeepCopy $genericCertificateConfig) $certificateConfig -}} -{{- $_ := set $certificateConfig "dnsNames" (list) -}} -{{- $_ := set $certificateConfig "commonName" "kong_cluster" -}} -{{- $certificateConfig = (mustMerge $certificateConfig .Values.certificates.cluster) -}} +{{- $certificateConfig = mustMerge (mustDeepCopy $genericCertificateConfig) .Values.certificates.cluster -}} {{- $_ := set $certificateConfig "serviceName" "cluster" -}} {{- include "kong.certificate" $certificateConfig -}} {{- end }} @@ -54,9 +53,22 @@ spec: {{- range (append .dnsNames .commonName) }} - {{ . | quote }} {{- end }} - renewBefore: 360h - duration: 2160h - isCA: false + renewBefore: 360h0m0s + duration: 2160h0m0s + {{ if .subject -}} + subject: + {{- toYaml .subject | nindent 4 }} + {{ else if .globalSubject -}} + subject: + {{- toYaml .globalSubject | nindent 4 }} + {{- end }} + {{ if .privateKey -}} + privateKey: + {{- toYaml .privateKey | nindent 4 }} + {{ else if .globalPrivateKey -}} + privateKey: + {{- toYaml .globalPrivateKey | nindent 4 }} + {{- end }} {{ if .clusterIssuer -}} issuerRef: name: {{ .clusterIssuer }} diff --git a/build_system/charts/open-appsec-kong/templates/controller-rbac-resources.yaml b/build_system/charts/open-appsec-kong/templates/controller-rbac-resources.yaml index f1a817f..f5873f0 100644 --- a/build_system/charts/open-appsec-kong/templates/controller-rbac-resources.yaml +++ b/build_system/charts/open-appsec-kong/templates/controller-rbac-resources.yaml @@ -35,12 +35,14 @@ rules: - configmaps verbs: - create +{{- if (semverCompare "< 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} - apiGroups: - "" resources: - endpoints verbs: - get +{{- end }} # Begin KIC 2.x leader permissions - apiGroups: - "" @@ -67,7 +69,6 @@ rules: - "" resources: - services - - endpoints verbs: - get --- 
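Review bot: The rewritten line `{{- $certificateConfig = mustMerge (mustDeepCopy $genericCertificateConfig) .Values.certificates.cluster -}}` drops the in-template fallbacks (`dnsNames` as an empty list and `commonName` as `kong_cluster`), so rendering now depends on values.yaml supplying `certificates.cluster.commonName` and `dnsNames`; the values.yaml hunk at @@ -667 adds them, but an explicit `dnsNames: null` in a user's values would reach `append .dnsNames .commonName` further down with a nil list, which I would expect to error rather than render — worth a quick check. The changelog records the new override but not that the effective default moves from `kong_cluster` to `kong_clustering`; one line there would help operators whose data planes pin `cluster_server_name`.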
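Review bot: The new `privateKey` passthrough (`{{ if .privateKey -}}` / `toYaml .privateKey | nindent 4`) is the right hook for key rotation, but nothing documents it: on cert-manager releases where `rotationPolicy` defaults to `Never`, every renewal at `renewBefore: 360h0m0s` re-uses the same private key, so the 2160h certificate lifetime is not a key lifetime. I would add to the values.yaml documentation for `certificates.privateKey` / `certificates.cluster.privateKey` a line such as `# e.g. rotationPolicy: Always to issue a fresh key on each renewal`. The per-certificate `subject` / `privateKey` replaces the global one wholesale rather than merging with it, which is reasonable but should be stated in the same comment.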
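Review bot: The `endpoints` permission is gated on `semverCompare "< 2.10.0" (include "kong.effectiveVersion" ...)` in this hunk, but the second hunk in this file (@@ -67,7 +69,6) removes `- endpoints` from the services rule unconditionally, so a controller older than 2.10 loses `get` on endpoints from that rule while keeping it in this one; confirm the asymmetry is intended or wrap the removed line in the same condition. `kong.effectiveVersion` is defined outside this diff; as the values.yaml comment on `effectiveSemver` notes, a non-semver image tag such as `next` makes this comparison fail unless `effectiveSemver` is set, so the new gate raises the cost of that misconfiguration — a short comment above the `{{- if` naming that dependency would help.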
diff --git a/build_system/charts/open-appsec-kong/templates/deployment.yaml b/build_system/charts/open-appsec-kong/templates/deployment.yaml index f7f5f80..88f2bf0 100644 --- a/build_system/charts/open-appsec-kong/templates/deployment.yaml +++ b/build_system/charts/open-appsec-kong/templates/deployment.yaml @@ -83,6 +83,7 @@ spec: - name: {{ . }} {{- end }} {{- end }} + {{- if .Values.deployment.kong.enabled }} initContainers: - name: clear-stale-pid image: {{ include "kong.getRepoTag" .Values.image }} @@ -105,6 +106,7 @@ spec: {{- if (and (not (eq .Values.env.database "off")) .Values.waitImage.enabled) }} {{- include "kong.wait-for-db" . | nindent 6 }} {{- end }} + {{- end }} {{- if .Values.deployment.hostAliases }} hostAliases: {{- toYaml .Values.deployment.hostAliases | nindent 6 }} @@ -271,6 +273,10 @@ spec: {{ toYaml .Values.readinessProbe | indent 10 }} livenessProbe: {{ toYaml .Values.livenessProbe | indent 10 }} + {{- if .Values.startupProbe }} + startupProbe: +{{ toYaml .Values.startupProbe | indent 10 }} + {{- end }} resources: {{ toYaml .Values.resources | indent 10 }} {{- end }} {{/* End of Kong container spec */}} diff --git a/build_system/charts/open-appsec-kong/templates/hpa.yaml b/build_system/charts/open-appsec-kong/templates/hpa.yaml index 5350660..922ade8 100644 --- a/build_system/charts/open-appsec-kong/templates/hpa.yaml +++ b/build_system/charts/open-appsec-kong/templates/hpa.yaml @@ -17,10 +17,10 @@ spec: behavior: {{- toYaml .Values.autoscaling.behavior | nindent 4 }} {{- end }} - {{- if not (.Capabilities.APIVersions.Has "autoscaling/v2beta2") }} - targetCPUUtilizationPercentage: {{ .Values.autoscaling.targetCPUUtilizationPercentage | default 80 }} - {{- else }} + {{- if contains "autoscaling/v2" (include "kong.autoscalingVersion" . ) }} metrics: {{- toYaml .Values.autoscaling.metrics | nindent 4 }} + {{- else }} + targetCPUUtilizationPercentage: {{ .Values.autoscaling.targetCPUUtilizationPercentage | default 80 }} {{- end }} {{- end }} 
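Review bot: `contains "autoscaling/v2" (include "kong.autoscalingVersion" .)` selects the `metrics` form for any string containing that substring, which includes `autoscaling/v2beta1` if the helper (defined outside this diff) can ever return it; v2beta1 uses a different `metrics[].resource` schema (`targetAverageUtilization` rather than `target.averageUtilization`), so `.Values.autoscaling.metrics` written for v2/v2beta2 would be rejected there. If the helper only yields `autoscaling/v2`, `autoscaling/v2beta2` or `autoscaling/v1`, an exact membership test such as `{{- if has (include "kong.autoscalingVersion" .) (list "autoscaling/v2" "autoscaling/v2beta2") }}` states that intent more precisely than a substring match. Swapping the branches also fixes the previous fallthrough to `targetCPUUtilizationPercentage` on clusters that serve only `autoscaling/v2`, which deserves a changelog line.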
diff --git a/build_system/charts/open-appsec-kong/templates/migrations-post-upgrade.yaml b/build_system/charts/open-appsec-kong/templates/migrations-post-upgrade.yaml index 68de291..43a8eb7 100644 --- a/build_system/charts/open-appsec-kong/templates/migrations-post-upgrade.yaml +++ b/build_system/charts/open-appsec-kong/templates/migrations-post-upgrade.yaml @@ -59,7 +59,7 @@ spec: {{- toYaml .Values.migrations.sidecarContainers | nindent 6 }} {{- end }} - name: {{ template "kong.name" . }}-post-upgrade-migrations - {{- if eq .Values.kind "Vanilla" }} +{{- if eq .Values.kind "Vanilla" }} image: {{ include "kong.getRepoTag" .Values.image }} {{- else }} image: {{ include "kong.getRepoTag" .Values.appsec.kong.image }} diff --git a/build_system/charts/open-appsec-kong/templates/migrations-pre-upgrade.yaml b/build_system/charts/open-appsec-kong/templates/migrations-pre-upgrade.yaml index cb731fb..09a5c85 100644 --- a/build_system/charts/open-appsec-kong/templates/migrations-pre-upgrade.yaml +++ b/build_system/charts/open-appsec-kong/templates/migrations-pre-upgrade.yaml @@ -59,7 +59,7 @@ spec: {{- toYaml .Values.migrations.sidecarContainers | nindent 6 }} {{- end }} - name: {{ template "kong.name" . }}-upgrade-migrations - {{- if eq .Values.kind "Vanilla" }} +{{- if eq .Values.kind "Vanilla" }} image: {{ include "kong.getRepoTag" .Values.image }} {{- else }} image: {{ include "kong.getRepoTag" .Values.appsec.kong.image }} diff --git a/build_system/charts/open-appsec-kong/templates/service-kong-admin.yaml b/build_system/charts/open-appsec-kong/templates/service-kong-admin.yaml index 9503a77..d005016 100644 --- a/build_system/charts/open-appsec-kong/templates/service-kong-admin.yaml +++ b/build_system/charts/open-appsec-kong/templates/service-kong-admin.yaml 
@@ -15,3 +15,99 @@ {{- end -}} {{- end -}} {{- end -}} + +{{- define "adminApiService.certSecretName" -}} + {{- default (printf "%s-admin-api-keypair" (include "kong.fullname" .)) .Values.ingressController.adminApi.tls.client.secretName -}} +{{- end -}} + +{{- define "adminApiService.caSecretName" -}} + {{- default (printf "%s-admin-api-ca-keypair" (include "kong.fullname" .)) .Values.ingressController.adminApi.tls.client.caSecretName -}} +{{- end -}} + +{{- $clientVerifyEnabled := .Values.ingressController.adminApi.tls.client.enabled -}} +{{- $clientCertProvided := .Values.ingressController.adminApi.tls.client.certProvided -}} + +{{/* If the client verification is enabled but no secret was provided by the user, let's generate certificates. */ -}} +{{- if and $clientVerifyEnabled (not $clientCertProvided) }} +{{- $certCert := "" -}} +{{- $certKey := "" -}} + +{{- $cn := printf "admin.%s.svc" ( include "kong.namespace" . ) -}} +{{- $ca := genCA "admin-api-ca" 3650 -}} +{{- $cert := genSignedCert $cn nil (list $cn) 3650 $ca -}} + +{{- $certCert = $cert.Cert -}} +{{- $certKey = $cert.Key -}} +{{/* Verify whether a secret with a given name already exists. If it does, let's use its cert and key data. */}} +{{- $certSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (include "adminApiService.certSecretName" .)) -}} +{{- if $certSecret }} +{{- $certCert = (b64dec (get $certSecret.data "tls.crt")) -}} +{{- $certKey = (b64dec (get $certSecret.data "tls.key")) -}} +{{- end }} + +{{- $caCert := $ca.Cert -}} +{{- $caKey := $ca.Key -}} +{{/* Verify whether a secret with a given name already exists. If it does, let's use its cert and key data. */ -}} +{{- $caSecret := (lookup "v1" "Secret" (include "kong.namespace" .) 
(include "adminApiService.caSecretName" .))}} +{{- if $caSecret }} +{{- $caCert = (b64dec (get $caSecret.data "tls.crt")) -}} +{{- $caKey = (b64dec (get $caSecret.data "tls.key")) -}} +{{- end }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "adminApiService.certSecretName" . }} + namespace: {{ template "kong.namespace" . }} + labels: + {{- include "kong.metaLabels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ b64enc $certCert }} + tls.key: {{ b64enc $certKey }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "adminApiService.caSecretName" . }} + namespace: {{ template "kong.namespace" . }} + labels: + {{- include "kong.metaLabels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ b64enc $caCert }} + tls.key: {{ b64enc $caKey }} +{{- end }} + +{{- /* Create a CA ConfigMap for Kong. */ -}} +{{- $secretProvided := $.Values.admin.tls.client.secretName -}} +{{- $bundleProvided := $.Values.admin.tls.client.caBundle -}} + +{{- if or $secretProvided $bundleProvided -}} +{{- $cert := "" -}} + +{{- if $secretProvided -}} +{{- $certSecret := (lookup "v1" "Secret" (include "kong.namespace" .) $.Values.admin.tls.client.secretName) -}} +{{- if $certSecret }} +{{- $cert = (b64dec (get $certSecret.data "tls.crt")) -}} +{{- else -}} +{{- fail (printf "%s/%s secret not found" (include "kong.namespace" .) $.Values.admin.tls.client.secretName) -}} +{{- end }} +{{- end }} + +{{- if $bundleProvided -}} +{{- $cert = $.Values.admin.tls.client.caBundle -}} +{{- end }} + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "kong.fullname" . }}-admin-client-ca + namespace: {{ template "kong.namespace" . }} + labels: + {{- include "kong.metaLabels" . | nindent 4 }} +data: + tls.crt: {{ $cert | quote }} +{{- end -}} diff --git a/build_system/charts/open-appsec-kong/values.yaml b/build_system/charts/open-appsec-kong/values.yaml index a506457..2abe28d 100644 
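Review bot: The client certificate and the CA are reused from existing Secrets independently (the `$certSecret` and `$caSecret` lookups), so if only one of the two Secrets exists — one was deleted, or `secretName` was pointed at a pre-existing Secret while `caSecretName` was not — the reused client certificate is no longer signed by the CA written next to it and Admin API client verification fails; reuse the stored pair only when both lookups succeed and regenerate both otherwise. `lookup` returns nothing under `helm template`, `--dry-run` and in CI without cluster access, so in those modes both Secrets change on every render and, in the second half of the hunk, `fail (printf "%s/%s secret not found" ...)` aborts rendering even when `caBundle` is set although the values.yaml comment says the bundle takes precedence — test `$bundleProvided` before performing the Secret lookup. The generated CA private key is persisted in-cluster as a `kubernetes.io/tls` Secret with a 3650-day validity and no rotation path; a comment next to `genCA "admin-api-ca" 3650` documenting that lifetime and the rotation procedure (remove both Secrets, then upgrade) would help operators.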
--- a/build_system/charts/open-appsec-kong/values.yaml +++ b/build_system/charts/open-appsec-kong/values.yaml @@ -1,5 +1,3 @@ ---- # ----------------------------------------------------------------------------- - # Default values for Kong's Helm Chart. # Declare variables to be passed into your templates. # @@ -13,6 +11,8 @@ # ----------------------------------------------------------------------------- # Deployment parameters +# ----------------------------------------------------------------------------- + deployment: kong: # Enable or disable Kong itself @@ -121,10 +121,10 @@ extraLabels: {} # Specify Kong's Docker image and repository details here image: repository: kong - tag: "3.1" + tag: "3.2" # Kong Enterprise # repository: kong/kong-gateway - # tag: "3.1" + # tag: "3.2" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -141,6 +141,7 @@ admin: # Enterprise users that wish to use Kong Manager with the controller should enable this enabled: false type: NodePort + loadBalancerClass: # To specify annotations or labels for the admin service, add them to the respective # "annotations" or "labels" dictionaries below. annotations: {} @@ -170,7 +171,15 @@ admin: # nodePort: 32443 # Additional listen parameters, e.g. "reuseport", "backlog=16384" parameters: - - http2 + - http2 + + # Specify the CA certificate to use for TLS verification of the Admin API client by: + # - secretName - the secret must contain a key named "tls.crt" with the PEM-encoded certificate. + # - caBundle (PEM-encoded certificate string). + # If both are set, caBundle takes precedence. + client: + caBundle: "" + secretName: "" # Kong admin ingress settings. Useful if you want to expose the Admin # API of Kong outside the k8s cluster. @@ -235,6 +244,7 @@ cluster: parameters: [] type: ClusterIP + loadBalancerClass: # Kong cluster ingress settings. Useful if you want to split CP and DP # in different clusters. 
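Review bot: `loadBalancerClass:` is added as a bare empty value in the admin (@@ -141) and cluster (@@ -235) hunks here, and again for proxy and udpProxy (@@ -258, @@ -345), manager and portal (@@ -919, @@ -972), portalapi and clustertelemetry (@@ -1018, @@ -1075); a bare key parses as null, which yamllint's `empty-values` rule flags and which reads as "unset" only by convention. The rest of the file spells empty strings explicitly (`nameOverride: ""`, `priorityClassName: ""`), so `loadBalancerClass: ""` plus a one-line comment such as `# Optional Service.spec.loadBalancerClass; leave empty to use the cluster's default implementation` would match the file's style, assuming the consuming template tests the value with `if` rather than comparing it against nil.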
@@ -258,6 +268,9 @@ proxy: # Enable creating a Kubernetes service for the proxy enabled: true type: LoadBalancer + loadBalancerClass: + # Override proxy Service name + nameOverride: "" # To specify annotations or labels for the proxy service, add them to the respective # "annotations" or "labels" dictionaries below. annotations: {} @@ -291,18 +304,17 @@ proxy: # nodePort: 32443 # Additional listen parameters, e.g. "reuseport", "backlog=16384" parameters: - - http2 + - http2 # Define stream (TCP) listen # To enable, remove "[]", uncomment the section below, and select your desired - # ports and parameters. Listens are dynamically named after their servicePort, + # ports and parameters. Listens are dynamically named after their containerPort, # e.g. "stream-9000" for the below. # Note: although you can select the protocol here, you cannot set UDP if you # use a LoadBalancer Service due to limitations in current Kubernetes versions. # To proxy both TCP and UDP with LoadBalancers, you must enable the udpProxy Service # in the next section and place all UDP stream listen configuration under it. - stream: - [] + stream: [] # # Set the container (internal) and service (external) ports for this listen. # # These values should normally be the same. If your environment requires they # # differ, note that Kong will match routes based on the containerPort only. @@ -345,6 +357,7 @@ udpProxy: # Enable creating a Kubernetes service for UDP proxying enabled: false type: LoadBalancer + loadBalancerClass: # To specify annotations or labels for the proxy service, add them to the respective # "annotations" or "labels" dictionaries below. annotations: {} 
@@ -357,8 +370,7 @@ udpProxy: # To enable, remove "[]", uncomment the section below, and select your desired # ports and parameters. Listens are dynamically named after their servicePort, # e.g. "stream-9000" for the below. - stream: - [] + stream: [] # # Set the container (internal) and service (external) ports for this listen. # # These values should normally be the same. If your environment requires they # # differ, note that Kong will match routes based on the containerPort only. @@ -381,8 +393,7 @@ udpProxy: # Subdirectories (which are optional) require separate ConfigMaps/Secrets. # "path" indicates their directory under the main plugin directory: the example # below will mount the contents of kong-plugin-rewriter-migrations at "/opt/kong/rewriter/migrations". -plugins: - {} +plugins: {} # configMaps: # - pluginName: rewriter # name: kong-plugin-rewriter @@ -473,7 +484,7 @@ ingressController: enabled: true image: repository: kong/kubernetes-ingress-controller - tag: "2.8" + tag: "2.9" # Optionally set a semantic version for version-gated features. This can normally # be left unset. You only need to set this if your tag is not a semver string, # such as when you are using a "next" tag. Set this to the effective semantic @@ -482,6 +493,12 @@ ingressController: effectiveSemver: args: [] + gatewayDiscovery: + enabled: false + adminApiService: + namespace: "" + name: "" + # Specify individual namespaces to watch for ingress configuration. By default, # when no namespaces are set, the controller watches all namespaces and uses a # ClusterRole to grant access to Kubernetes resources. When you list specific 
@@ -516,12 +533,16 @@ ingressController: port: 8080 certificate: provided: false + namespaceSelector: {} # Specifiy the secretName when the certificate is provided via a TLS secret # secretName: "" # Specifiy the CA bundle of the provided certificate. # This is a PEM encoded CA bundle which will be used to validate the webhook certificate. If unspecified, system trust roots on the apiserver are used. # caBundle: # | Add the CA bundle content here. + service: + # Specify custom labels for the validation webhook service. + labels: {} ingressClass: kong # annotations for IngressClass resource (Kubernetes 1.18+) 
@@ -568,6 +589,46 @@ ingressController: # cpu: 50m # memory: 128Mi + konnect: + enabled: false + + # Specifies a Konnect Runtime Group's ID that the controller will push its data-plane config to. + runtimeGroupID: "" + + # Specifies a Konnect API hostname that the controller will use to push its data-plane config to. + # By default, this is set to US region's production API hostname. + # If you are using a different region, you can set this to the appropriate hostname (e.g. "eu.kic.api.konghq.com"). + apiHostname: "us.kic.api.konghq.com" + + # Specifies a secret that contains a client TLS certificate that the controller + # will use to authenticate against Konnect APIs. + tlsClientCertSecretName: "konnect-client-tls" + + license: + # Specifies whether the controller should fetch a license from Konnect and apply it to managed Gateways. + enabled: false + + adminApi: + tls: + client: + # Enable TLS client authentication for the Admin API. + enabled: false + + # If set to false, Helm will generate certificates for you. + # If set to true, you are expected to provide your own secret (see secretName, caSecretName). + certProvided: false + + # Client TLS certificate/key pair secret name that Ingress Controller will use to authenticate with Kong Admin API. + # If certProvided is set to false, it is optional (can be specified though if you want to force Helm to use + # a specific secret name). + secretName: "" + + # CA TLS certificate/key pair secret name that the client TLS certificate is signed by. + # If certProvided is set to false, it is optional (can be specified though if you want to force Helm to use + # a specific secret name). + caSecretName: "" + + # ----------------------------------------------------------------------------- # Postgres sub-chart parameters # ----------------------------------------------------------------------------- 
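Review bot: The comment on `certProvided` says "Helm will generate certificates for you" but not what that implies operationally: with `enabled: true` and `certProvided: false` the chart generates a 3650-day self-signed CA and client certificate, stores them in Secrets named `<fullname>-admin-api-keypair` and `<fullname>-admin-api-ca-keypair` unless `secretName` / `caSecretName` override the names, and reuses them only on upgrades that can `lookup` the live cluster. I would extend that comment with `# Generated certificates are valid for 10 years and are stored in the Secrets named below; they are reused on upgrade and regenerated if those Secrets are deleted.` `konnect.tlsClientCertSecretName` ships with a default name but no statement of who creates that Secret; if the chart does not, `# This Secret is not created by the chart and must exist before install.` avoids a confusing pod start failure.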
@@ -667,8 +728,8 @@ certificates: # Issuers used by the control and data plane releases must match for this certificate. issuer: "" clusterIssuer: "" - # commonName: "kong_cluster" - # dnsNames: [] + commonName: "kong_clustering" + dnsNames: [] # ----------------------------------------------------------------------------- # Miscellaneous parameters @@ -689,8 +750,7 @@ waitImage: pullPolicy: IfNotPresent # update strategy -updateStrategy: - {} +updateStrategy: {} # type: RollingUpdate # rollingUpdate: # maxSurge: "100%" @@ -698,8 +758,7 @@ updateStrategy: # If you want to specify resources, uncomment the following # lines, adjust them as necessary, and remove the curly braces after 'resources:'. -resources: - {} +resources: {} # limits: # cpu: 1 # memory: 2G @@ -731,6 +790,18 @@ livenessProbe: successThreshold: 1 failureThreshold: 3 +# startupProbe for Kong pods +# startupProbe: +# httpGet: +# path: "/status" +# port: status +# scheme: HTTP +# initialDelaySeconds: 5 +# timeoutSeconds: 5 +# periodSeconds: 2 +# successThreshold: 1 +# failureThreshold: 40 + # Proxy container lifecycle hooks # Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ lifecycle: @@ -741,7 +812,7 @@ lifecycle: command: - kong - quit - - "--wait=15" + - '--wait=15' # Sets the termination grace period for pods spawned by the Kubernetes Deployment. # Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution @@ -821,10 +892,10 @@ podSecurityPolicy: supplementalGroups: rule: RunAsAny volumes: - - "configMap" - - "secret" - - "emptyDir" - - "projected" + - 'configMap' + - 'secret' + - 'emptyDir' + - 'projected' allowPrivilegeEscalation: false hostNetwork: false hostIPC: false 
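Review bot: The default `commonName` changes from the previously commented-out `kong_cluster` to `kong_clustering`, and because the certificate.yaml hunk at @@ -28 now merges `.Values.certificates.cluster` directly, this value is what lands in the cluster certificate's SAN list (`range (append .dnsNames .commonName)`); data planes that verify the control plane with `cluster_server_name` pinned to the old name will stop connecting after the upgrade. A comment above the key such as `# Must match cluster_server_name on the data planes (Kong's default is kong_clustering); keep dnsNames a list, the template appends commonName to it.` records both constraints. The 2.22.0 changelog entry mentions the override but not the changed default, so a line there would help too.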
@@ -833,13 +904,15 @@ podSecurityPolicy: # If you use Kong Enterprise <1.5, this must be set to false. readOnlyRootFilesystem: true + priorityClassName: "" # securityContext for Kong pods. securityContext: {} # securityContext for containers. -containerSecurityContext: {} +containerSecurityContext: + readOnlyRootFilesystem: true ## Optional DNS configuration for Kong pods # dnsPolicy: ClusterFirst @@ -911,7 +984,7 @@ enterprise: smtp_admin_emails: none@example.com smtp_host: smtp.example.com smtp_port: 587 - smtp_auth_type: "" + smtp_auth_type: '' smtp_ssl: nil smtp_starttls: true auth: @@ -919,13 +992,14 @@ enterprise: # be left as-is. If smtp_username is set to anything other than an empty # string, you must create a Secret with an smtp_password key containing # your SMTP password and specify its name here. - smtp_username: "" # e.g. postmaster@example.com + smtp_username: '' # e.g. postmaster@example.com smtp_password_secret: CHANGEME-smtp-password manager: # Enable creating a Kubernetes service for Kong Manager enabled: true type: NodePort + loadBalancerClass: # To specify annotations or labels for the Manager service, add them to the respective # "annotations" or "labels" dictionaries below. annotations: {} @@ -951,7 +1025,7 @@ manager: # nodePort: 32443 # Additional listen parameters, e.g. "reuseport", "backlog=16384" parameters: - - http2 + - http2 ingress: # Enable/disable exposure using ingress. @@ -972,6 +1046,7 @@ portal: # Enable creating a Kubernetes service for the Developer Portal enabled: true type: NodePort + loadBalancerClass: # To specify annotations or labels for the Portal service, add them to the respective # "annotations" or "labels" dictionaries below. annotations: {} @@ -997,7 +1072,7 @@ portal: # nodePort: 32443 # Additional listen parameters, e.g. "reuseport", "backlog=16384" parameters: - - http2 + - http2 ingress: # Enable/disable exposure using ingress. 
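Review bot: `containerSecurityContext` now defaults to `readOnlyRootFilesystem: true`, a good hardening default but a behaviour change for every container that inherits it; the diff does not show which containers this value is applied to, so it needs confirming that the open-appsec agent container and the `kong-gateway-attachment` image write only to mounted volumes (e.g. the appsec-conf / appsec-data volumeClaimTemplates in the earlier StatefulSet hunk) and not to the image filesystem. A comment above the key, e.g. `# Containers must write only to mounted volumes; set to false if a custom image needs a writable root filesystem`, plus a changelog line would make the change discoverable for users on custom images. `priorityClassName: ""` is consistent with the other explicit empty strings in this file.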
@@ -1018,6 +1093,7 @@ portalapi: # Enable creating a Kubernetes service for the Developer Portal API enabled: true type: NodePort + loadBalancerClass: # To specify annotations or labels for the Portal API service, add them to the respective # "annotations" or "labels" dictionaries below. annotations: {} @@ -1043,7 +1119,7 @@ portalapi: # nodePort: 32443 # Additional listen parameters, e.g. "reuseport", "backlog=16384" parameters: - - http2 + - http2 ingress: # Enable/disable exposure using ingress. @@ -1075,6 +1151,7 @@ clustertelemetry: parameters: [] type: ClusterIP + loadBalancerClass: # Kong clustertelemetry ingress settings. Useful if you want to split # CP and DP in different clusters. @@ -1116,9 +1193,10 @@ extraObjects: [] # plugin: prometheus appsec: - mode: managed + mode: managed name: open-appsec image: + #registry: repository: ghcr.io/openappsec image: agent tag: latest @@ -1134,12 +1212,8 @@ appsec: # runAsUser: 1000 kong: image: - repository: "ghcr.io/openappsec/kong-attachment" + repository: "ghcr.io/openappsec/kong-gateway-attachment" tag: "latest" - # Kong Enterprise with open-appsec attachment - # repository: "ghcr.io/openappsec/kong-gateway-attachment" - # tag: "latest" - resources: # limits: # cpu: 100m
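Review bot: The default `appsec.kong.image.repository` moves to `ghcr.io/openappsec/kong-gateway-attachment`, which the removed comment below it described as the "Kong Enterprise with open-appsec attachment" image; if that image really is the Enterprise build, an open-source user who never set this value is silently switched to it on upgrade, and if the comment was simply stale, the new default deserves a comment saying it serves both cases. Either way the key should state what the image is, e.g. `# open-appsec attachment image for Kong Gateway; override repository/tag to pin a build`. The default stays `tag: "latest"`, so a pod restart can pull a different attachment build at any time; recommending a pinned tag in the comment keeps deployments reproducible and auditable.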