Updating Kong helm chart

build_system/charts/open-appsec-kong/example-values/README.md

@@ -52,5 +52,21 @@ common Kong deployment scenarios on Kubernetes.
   restarts them, so starting control planes second, but around the same time
   will usually work), but is the smoothest option.
 
+* [minimal-kong-gd-controller.yaml](minimal-kong-gd-controller.yaml) and
+  [minimal-kong-gd-gateway.yaml](minimal-kong-gd-gateway.yaml) install a
+  single controller and cluster of gateway instances. The controller release
+  configuration must specify the names of the gateway proxy and admin
+  Services. The examples use `gw` as the gateway release name. If you wish to
+  use another name, set the controller configuration to match. For example, if
+  you use `hydrogen` as your gateway release name, set
+  `proxy.nameOverride=hydrogen-kong-proxy` and
+  `ingressController.adminApiService.name=hydrogen-kong-admin`.
+
+* [minimal-kong-gd-controller-konnect.yaml](minimal-kong-gd-controller-konnect.yaml) and
+  [minimal-kong-gd-gateway.yaml](minimal-kong-gd-gateway.yaml) install a single Ingress
+  Controller with Kong's Konnect sync feature enabled and a cluster of gateway instances.
+  In order to make it work, `ingressController.konnect.runtimeGroupID` has to be
+  supplied and a `konnect-client-tls` secret has to be created upfront.
+
 All Enterprise examples require some level of additional user configuration to
 install properly. Read the comments at the top of each file for instructions.

build_system/charts/open-appsec-kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml

@@ -146,7 +146,7 @@ extraLabels:
   konghq.com/component: quickstart
 image:
   repository: kong/kong-gateway
-  tag: "3.1"
+  tag: "3.2"
 ingressController:
   enabled: true
   env:

build_system/charts/open-appsec-kong/example-values/full-k4k8s-with-kong-enterprise.yaml

@@ -12,7 +12,7 @@
 
 image:
   repository: kong/kong-gateway
-  tag: "3.1"
+  tag: "3.2"
 
 env:
   prefix: /kong_prefix/

build_system/charts/open-appsec-kong/example-values/hybrid-cert-manager/README.md

@@ -0,0 +1,83 @@
+This README explains how to install Kong in DB-backed mode with Postgres and Cert Manager
+
+# Install Postgres
+
+Use the bitnami chart to install Postgres. Read the output to understand how to connect to the database.
+
+```bash
+helm install postgres oci://registry-1.docker.io/bitnamicharts/postgresql -n db --create-namespace
+```
+
+Once connected, create a postgres user and database:
+
+```sql
+CREATE USER kong WITH PASSWORD 'super_secret'; CREATE DATABASE kong OWNER kong;
+```
+
+# Cert Manager
+
+Install Cert Manager in to your cluster:
+
+```bash
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.crds.yaml
+helm install \
+  cert-manager jetstack/cert-manager \
+  --namespace cert-manager \
+  --create-namespace \
+  --version v1.11.0
+```
+
+Create a self signed CA + Issuer for future use:
+
+```yaml
+echo "
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kong
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: my-selfsigned-ca
+  namespace: kong
+spec:
+  isCA: true
+  commonName: my-selfsigned-ca
+  secretName: root-secret
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: selfsigned-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: my-ca-issuer
+  namespace: kong
+spec:
+  ca:
+    secretName: root-secret
+" | kubectl apply -f -
+```
+
+# Kong
+
+Deploy Kong using the `cp-values.yaml` and `dp-values.yaml` in this folder:
+
+```bash
+helm install kong-cp kong/kong -n kong --values cp-values.yaml
+helm install kong-dp kong/kong -n kong --values dp-values.yaml
+```
+
+You should now have Kong running in hybrid mode

build_system/charts/open-appsec-kong/example-values/hybrid-cert-manager/cp-values.yaml

@@ -0,0 +1,25 @@
+env:
+  role: control_plane
+  database: postgres
+  pg_host: postgres-postgresql.db.svc.cluster.local
+  pg_user: kong
+  pg_password: super_secret
+
+cluster:
+  enabled: true
+  tls:
+    enabled: true
+
+certificates:
+  enabled: true
+  issuer: my-ca-issuer
+  cluster:
+    enabled: true
+    commonName: custom.example.com
+
+proxy:
+  enabled: false
+
+ingressController:
+  env:
+    publish_service: kong/kong-cp-kong-proxy

build_system/charts/open-appsec-kong/example-values/hybrid-cert-manager/dp-values.yaml

@@ -0,0 +1,22 @@
+env:
+  role: data_plane
+  database: "off"
+  cluster_control_plane: kong-cp-kong-cluster.kong.svc.cluster.local:8005
+
+cluster:
+  enabled: true
+  tls:
+    enabled: true
+
+certificates:
+  enabled: true
+  issuer: my-ca-issuer
+  cluster:
+    enabled: true
+    commonName: custom.example.com
+
+admin:
+  enabled: false
+
+ingressController:
+  enabled: false

build_system/charts/open-appsec-kong/example-values/minimal-k4k8s-with-kong-enterprise.yaml

@@ -9,7 +9,7 @@
 
 image:
   repository: kong/kong-gateway
-  tag: "3.1"
+  tag: "3.2"
 
 admin:
   enabled: true

build_system/charts/open-appsec-kong/example-values/minimal-kong-controller.yaml

@@ -2,7 +2,7 @@
 
 image:
   repository: kong
-  tag: "3.1"
+  tag: "3.2"
 
 env:
   prefix: /kong_prefix/

build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-dbless.yaml

@@ -4,7 +4,7 @@
 
 image:
   repository: kong/kong-gateway
-  tag: "3.1"
+  tag: "3.2"
 
 enterprise:
   enabled: true

build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-control.yaml

@@ -14,7 +14,7 @@
 
 image:
   repository: kong/kong-gateway
-  tag: "3.1"
+  tag: "3.2"
 
 env:
   database: postgres

build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-data.yaml

@@ -12,7 +12,7 @@
 
 image:
   repository: kong/kong-gateway
-  tag: "3.1"
+  tag: "3.2"
 
 env:
   role: data_plane

build_system/charts/open-appsec-kong/example-values/minimal-kong-gd-controller-konnect.yaml

@@ -0,0 +1,24 @@
+deployment:
+  kong:
+    enabled: false
+
+proxy:
+  ## This must match the gateway release's proxy Service name.
+  ## The Service name uses the pattern "<release name>-kong-proxy".
+  ## In this example, the companion gateway release is named "gw"
+  nameOverride: gw-kong-proxy
+
+ingressController:
+  enabled: true
+
+  gatewayDiscovery:
+    enabled: true
+    adminApiService:
+      ## This must match the gateway release's admin Service name.
+      ## The Service name uses the pattern "<release name>-kong-admin".
+      ## In this example, the companion gateway release is named "gw"
+      name: gw-kong-admin
+
+  konnect:
+    enabled: true
+    runtimeGroupID: "00000000-0000-0000-0000-000000000000" # CHANGEME

build_system/charts/open-appsec-kong/example-values/minimal-kong-gd-controller.yaml

@@ -0,0 +1,33 @@
+deployment:
+  kong:
+    enabled: false
+
+proxy:
+  ## This must match the gateway release's proxy Service name.
+  ## The Service name uses the pattern "<release name>-kong-proxy".
+  ## In this example, the companion gateway release is named "gw"
+  nameOverride: gw-kong-proxy
+
+ingressController:
+  enabled: true
+
+  gatewayDiscovery:
+    enabled: true
+    adminApiService:
+      ## This must match the gateway release's admin Service name.
+      ## The Service name uses the pattern "<release name>-kong-admin".
+      ## In this example, the companion gateway release is named "gw"
+      name: gw-kong-admin
+
+  adminApi:
+    tls:
+      client:
+        # Enable TLS client authentication for the Admin API.
+        enabled: true
+        # We're specifying the name of the secret to have a static name that we
+        # will use in the gateway release.
+        caSecretName: "admin-api-ca-cert"
+
+  env:
+    # This must match the gateway release's proxy Service HTTPs port name.
+    kong_admin_svc_port_names: "kong-admin-tls"

build_system/charts/open-appsec-kong/example-values/minimal-kong-gd-gateway.yaml

@@ -0,0 +1,17 @@
+admin:
+  enabled: true
+  type: ClusterIP
+  clusterIP: None
+  tls:
+    client:
+      secretName: "admin-api-ca-cert"
+
+ingressController:
+  enabled: false
+
+replicaCount: 3
+## This example creates a static 3-Pod Kong gateway Deployment.
+## To use autoscaling instead, comment the above replicaCount and uncomment
+## the autoscaling section below.
+# autoscaling:
+#   enabled: true

build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-control.yaml

@@ -6,7 +6,7 @@
 
 image:
   repository: kong
-  tag: "3.1"
+  tag: "3.2"
 
 env:
   prefix: /kong_prefix/

build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-data.yaml

@@ -11,7 +11,7 @@
 
 image:
   repository: kong
-  tag: "3.1"
+  tag: "3.2"
 
 env:
   prefix: /kong_prefix/

build_system/charts/open-appsec-kong/example-values/minimal-kong-standalone.yaml

@@ -6,7 +6,7 @@
 
 image:
   repository: kong
-  tag: "3.1"
+  tag: "3.2"
 
 env:
   prefix: /kong_prefix/