github_mirrors/openappsec
3
0
Fork 1
mirror of https://github.com/openappsec/openappsec.git synced 2025-06-28 16:41:02 +03:00
Code Issues Packages Projects Releases Wiki Activity

Updating Kong helm chart

Browse Source
This commit is contained in:
Ned Wright 2023-06-01 16:15:31 +00:00
parent 45e51ddbf7
commit 795d07bd41
36 changed files with 1438 additions and 655 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

152
build_system/charts/open-appsec-kong/CHANGELOG.md
View File

@ -1,8 +1,158 @@
# Changelog # Changelog
## Unreleased
## 2.22.0
### Improvements
* Removed redundant RBAC permissions for non-existing subresources `secrets/status`
and `endpoints/status`.
[#798](https://github.com/Kong/charts/pull/798)
* For Kong Ingress Controller in version >= 2.10, RBAC permissions for `Endpoints`
are not configured anymore (because it uses `EndpointSlices`).
[#798](https://github.com/Kong/charts/pull/798)
* Added support for setting `certificates.cluster.commonName`. This allows a custom
certificate `CommonName` to be provided when deploying Kong Gateway in hybrid
mode using Cert Manager [#804](https://github.com/Kong/charts/pull/804)
## 2.21.0
### Improvements
* Added support for `startupProbe` on Kong pods. This can be configured via
`.Values.startupProbe`. To maintain backward compatibility, it is disabled by default.
[#792](https://github.com/Kong/charts/pull/792)
* Customize Admission Webhook namespaceSelectors and compose them from values.
[#794](https://github.com/Kong/charts/pull/794)
* Added `CustomResourceDefinition` `list` and `watch` permissions to controller's ClusterRole.
[#796](https://github.com/Kong/charts/pull/796)
## 2.20.2
### Fixed
* Automatic license provisioning for Gateways managed by Ingress Controllers in Konnect mode
is disabled by default.
To enable it, set `.Values.ingressController.konnect.license.enabled=true`.
[#793](https://github.com/Kong/charts/pull/793)
## 2.20.1
### Fixed
* Fix correct timestamp format and remove `isCA` in certificates
[#791](https://github.com/Kong/charts/pull/791)
## 2.20.0
### Improvements
* Added support for automatic license provisioning for Gateways managed by
Ingress Controllers in Konnect mode (`.Values.ingressController.konnect.enabled=true`).
[#787](https://github.com/Kong/charts/pull/787)
## 2.19.1
### Fixed
* Fix `webhook-cert` being mounted regardless if `.Values.ingressController.enabled`
is set.
[#779](https://github.com/Kong/charts/pull/779)
## 2.19.0
### Improvements
* Security context enforces read-only root filesystem by default. This is not
expected to affect most configurations, but [will affect custom plugins that
write to the container filesystem](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#2170).
[#770](https://github.com/Kong/charts/pull/770)
## 2.18.0
### Improvements
* Added support for the Admin API service TLS client verification.
[#780](https://github.com/Kong/charts/pull/780
## 2.17.1
### Fixed
* The `-redhat` suffix on official KIC images is no longer considered part of
the semver string for version checks.
[#779](https://github.com/Kong/charts/pull/779)
## 2.17.0
### Improvements
* Added support for controller's gateway discovery.
With `ingressController.gatewayDiscovery.enabled` set to `true` Kong Ingress Controller
will enable gateway discovery using an Admin API service.
For more information on this please see [the corresponding README.md section][kic_gateway_discovery_readme].
This feature is only available when deploying chart with Kong Ingress Controller in version 2.9 or higher.
[#747](https://github.com/Kong/charts/pull/747)
* Added experimental support for the ingress controller's Konnect sync feature via `ingressController.konnect.*` values.
This feature is only available when deploying chart with Kong Ingress Controller in version 2.9 or higher and
requires `ingressController.gatewayDiscovery.enabled` set to `true`.
[#746](https://github.com/Kong/charts/pull/746)
* Added support for annotations on the admission webhook ValidatingWebhookConfiguration.
[#760](https://github.com/Kong/charts/pull/760)
* Added support for `subject` and `privateKey` properties on certificates.
[#762](https://github.com/Kong/charts/pull/762)
* Added support for loadBalancerClass in LoadBalancer type services.
[#767](https://github.com/Kong/charts/pull/767)
* Added support for `GRPCRoute`s.
[#772](https://github.com/Kong/charts/pull/772)
* Default Kong version is bumped to 3.2.
[#773](https://github.com/Kong/charts/pull/773)
* Added support for admissionhook to include labels.
[#768](https://github.com/Kong/charts/pull/768)
### Under the hood
* Add kube-linter to the CI pipeline to ensure produced manifests comply
with community best practices.
[#751](https://github.com/Kong/charts/pull/751)
[kic_gateway_discovery_readme]: ./README.md#the-gatewaydiscovery-section
## 2.16.5
### Fixed
* Fix autoscaling version detection.
[#752](https://github.com/Kong/charts/pull/752)
* Don't include a clear-stale-pid initContainer when kong gateway is not
enabled in the deployment.
[#749](https://github.com/Kong/charts/pull/749)
## 2.16.4
### Fixed
* HorizontalPodAutoscaler's API version is detected properly.
[#744](https://github.com/Kong/charts/pull/744)
## 2.16.3
### Fixed
* Fix template issue preventing custom dblessconfig volume from being mounted.
[#741](https://github.com/Kong/charts/pull/741)
## 2.16.2
### Fixed
* The admission webhook is disabled when the ingress controller is disabled, as
the admission webhook requires a service provided by the ingress controller.
## 2.16.1 ## 2.16.1
### Fixed ### Fixed
* serviceAccount projected volume is properly provisioned for GKE clusters >= 1.20. * serviceAccount projected volume is properly provisioned for GKE clusters >= 1.20.
[#735](https://github.com/Kong/charts/pull/735) [#735](https://github.com/Kong/charts/pull/735)

4
build_system/charts/open-appsec-kong/Chart.yaml
View File

@ -1,5 +1,5 @@
apiVersion: v2 apiVersion: v2
appVersion: "3.1" appVersion: "3.2"
dependencies: dependencies:
- condition: postgresql.enabled - condition: postgresql.enabled
name: postgresql name: postgresql
@ -16,4 +16,4 @@ maintainers:
name: open-appsec-kong name: open-appsec-kong
sources: sources:
- https://github.com/Kong/charts/tree/main/charts/kong - https://github.com/Kong/charts/tree/main/charts/kong
version: 2.16.1 version: 2.22.0

127
build_system/charts/open-appsec-kong/README.md
View File

@ -52,6 +52,7 @@ $ helm install kong/kong --generate-name
- [Configuration](#configuration) - [Configuration](#configuration)
- [Kong parameters](#kong-parameters) - [Kong parameters](#kong-parameters)
- [Kong Service Parameters](#kong-service-parameters) - [Kong Service Parameters](#kong-service-parameters)
- [Admin Service mTLS](#admin-service-mtls)
- [Stream listens](#stream-listens) - [Stream listens](#stream-listens)
- [Ingress Controller Parameters](#ingress-controller-parameters) - [Ingress Controller Parameters](#ingress-controller-parameters)
- [The `env` section](#the-env-section) - [The `env` section](#the-env-section)
@ -335,6 +336,9 @@ first and then upgrade the data plane release](https://docs.konghq.com/gateway/l
#### Certificates #### Certificates
> This example shows how to use Kong Hybrid mode with `cluster_mtls: shared`.
> For an example of `cluster_mtls: pki` see the [hybrid-cert-manager example](https://github.com/Kong/charts/blob/main/charts/kong/example-values/hybrid-cert-manager/)
Hybrid mode uses TLS to secure the CP/DP node communication channel, and Hybrid mode uses TLS to secure the CP/DP node communication channel, and
requires certificates for it. You can generate these either using `kong hybrid requires certificates for it. You can generate these either using `kong hybrid
gen_cert` on a local Kong installation or using OpenSSL: gen_cert` on a local Kong installation or using OpenSSL:
@ -431,7 +435,7 @@ admin:
```yaml ```yaml
env: env:
role: data_plane role: data_plane
database: off database: "off"
cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt
cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key
lua_ssl_trusted_certificate: /etc/secrets/kong-cluster-cert/tls.crt lua_ssl_trusted_certificate: /etc/secrets/kong-cluster-cert/tls.crt
@ -462,7 +466,7 @@ should, however, migrate to an issuer using a CA your clients trust for actual
usage. usage.
The `proxy`, `admin`, `portal`, and `cluster` subsections under `certificates` The `proxy`, `admin`, `portal`, and `cluster` subsections under `certificates`
let you choose hostnames or override issuers on a per-certificate basis for the let you choose hostnames, override issuers, set `subject` or set `privateKey` on a per-certificate basis for the
proxy, admin API and Manager, Portal and Portal API, and hybrid mode mTLS proxy, admin API and Manager, Portal and Portal API, and hybrid mode mTLS
services, respectively. services, respectively.
@ -668,6 +672,7 @@ or `ingress` sections, as it is used only for stream listens.
| SVC.tls.parameters | Array of additional listen parameters | `["http2"]` | | SVC.tls.parameters | Array of additional listen parameters | `["http2"]` |
| SVC.type | k8s service type. Options: NodePort, ClusterIP, LoadBalancer | | | SVC.type | k8s service type. Options: NodePort, ClusterIP, LoadBalancer | |
| SVC.clusterIP | k8s service clusterIP | | | SVC.clusterIP | k8s service clusterIP | |
| SVC.loadBalancerClass | loadBalancerClass to use for LoadBalancer provisionning | |
| SVC.loadBalancerSourceRanges | Limit service access to CIDRs if set and service type is `LoadBalancer` | `[]` | | SVC.loadBalancerSourceRanges | Limit service access to CIDRs if set and service type is `LoadBalancer` | `[]` |
| SVC.loadBalancerIP | Reuse an existing ingress static IP for the service | | | SVC.loadBalancerIP | Reuse an existing ingress static IP for the service | |
| SVC.externalIPs | IPs for which nodes in the cluster will also accept traffic for the servic | `[]` | | SVC.externalIPs | IPs for which nodes in the cluster will also accept traffic for the servic | `[]` |
@ -682,6 +687,17 @@ or `ingress` sections, as it is used only for stream listens.
| SVC.annotations | Service annotations | `{}` | | SVC.annotations | Service annotations | `{}` |
| SVC.labels | Service labels | `{}` | | SVC.labels | Service labels | `{}` |
#### Admin Service mTLS
On top of the common parameters listed above, the `admin` service supports parameters for mTLS client verification.
If any of `admin.tls.client.caBundle` or `admin.tls.client.secretName` are set, the admin service will be configured to
require mTLS client verification. If both are set, `admin.tls.client.caBundle` will take precedence.
| Parameter | Description | Default |
|-----------------------------|---------------------------------------------------------------------------------------------|---------|
| admin.tls.client.caBundle | CA certificate to use for TLS verification of the Admin API client (PEM-encoded). | `""` |
| admin.tls.client.secretName | CA certificate secret name - must contain a `tls.crt` key with the PEM-encoded certificate. | `""` |
#### Stream listens #### Stream listens
The proxy configuration additionally supports creating stream listens. These The proxy configuration additionally supports creating stream listens. These
@ -701,30 +717,46 @@ are configured using an array of objects under `proxy.stream` and `udpProxy.stre
All of the following properties are nested under the `ingressController` All of the following properties are nested under the `ingressController`
section of `values.yaml` file: section of `values.yaml` file:
| Parameter | Description | Default | | Parameter | Description | Default |
|-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------| |--------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------|
| enabled | Deploy the ingress controller, rbac and crd | true | | enabled | Deploy the ingress controller, rbac and crd | true |
| image.repository | Docker image with the ingress controller | kong/kubernetes-ingress-controller | | image.repository | Docker image with the ingress controller | kong/kubernetes-ingress-controller |
| image.tag | Version of the ingress controller | 2.0 | | image.tag | Version of the ingress controller | 2.0 |
| image.effectiveSemver | Version of the ingress controller used for version-specific features when image.tag is not a valid semantic version | | | image.effectiveSemver | Version of the ingress controller used for version-specific features when image.tag is not a valid semantic version | |
| readinessProbe | Kong ingress controllers readiness probe | | | readinessProbe | Kong ingress controllers readiness probe | |
| livenessProbe | Kong ingress controllers liveness probe | | | livenessProbe | Kong ingress controllers liveness probe | |
| installCRDs | Legacy toggle for Helm 2-style CRD management. Should not be set [unless necessary due to cluster permissions](#removing-cluster-scoped-permissions). | false | | installCRDs | Legacy toggle for Helm 2-style CRD management. Should not be set [unless necessary due to cluster permissions](#removing-cluster-scoped-permissions). | false |
| env | Specify Kong Ingress Controller configuration via environment variables | | | env | Specify Kong Ingress Controller configuration via environment variables | |
| customEnv | Specify custom environment variables (without the CONTROLLER_ prefix) | | | customEnv | Specify custom environment variables (without the CONTROLLER_ prefix) | |
| ingressClass | The name of this controller's ingressClass | kong | | ingressClass | The name of this controller's ingressClass | kong |
| ingressClassAnnotations | The ingress-class value for controller | kong | | ingressClassAnnotations | The ingress-class value for controller | kong |
| args | List of ingress-controller cli arguments | [] | | args | List of ingress-controller cli arguments | [] |
| watchNamespaces | List of namespaces to watch. Watches all namespaces if empty | [] | | watchNamespaces | List of namespaces to watch. Watches all namespaces if empty | [] |
| admissionWebhook.enabled | Whether to enable the validating admission webhook | true | | admissionWebhook.enabled | Whether to enable the validating admission webhook | true |
| admissionWebhook.failurePolicy | How unrecognized errors from the admission endpoint are handled (Ignore or Fail) | Ignore | | admissionWebhook.failurePolicy | How unrecognized errors from the admission endpoint are handled (Ignore or Fail) | Ignore |
| admissionWebhook.port | The port the ingress controller will listen on for admission webhooks | 8080 | | admissionWebhook.port | The port the ingress controller will listen on for admission webhooks | 8080 |
| admissionWebhook.certificate.provided | Use a provided certificate. When set to false, the chart will automatically generate a certificate. | false | | admissionWebhook.annotations | Annotations for the Validation Webhook Configuration | |
| admissionWebhook.certificate.secretName | Name of the TLS secret for the provided webhook certificate | | | admissionWebhook.certificate.provided | Use a provided certificate. When set to false, the chart will automatically generate a certificate. | false |
| admissionWebhook.certificate.caBundle | PEM encoded CA bundle which will be used to validate the provided webhook certificate | | | admissionWebhook.certificate.secretName | Name of the TLS secret for the provided webhook certificate | |
| deployment.userDefinedVolumes | Create volumes. Please go to Kubernetes doc for the spec of the volumes | | | admissionWebhook.certificate.caBundle | PEM encoded CA bundle which will be used to validate the provided webhook certificate | |
| deployment.userDefinedVolumeMounts | Create volumeMounts. Please go to Kubernetes doc for the spec of the volumeMounts | | | admissionWebhook.namespaceSelector | Add namespaceSelector to the webhook. Please go to [Kubernetes doc for the specs](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) | |
| terminationGracePeriodSeconds | Sets the [termination grace period](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution) for Deployment pod | 30 | | userDefinedVolumes | Create volumes. Please go to Kubernetes doc for the spec of the volumes | |
| userDefinedVolumeMounts | Create volumeMounts. Please go to Kubernetes doc for the spec of the volumeMounts | |
| terminationGracePeriodSeconds | Sets the [termination grace period](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution) for Deployment pod | 30 |
| gatewayDiscovery.enabled | Enables Kong instance service discovery (for more details see [gatewayDiscovery section][gd_section]) | false |
| gatewayDiscovery.adminApiService.namespace | The namespace of the Kong admin API service (for more details see [gatewayDiscovery section][gd_section]) | `.Release.Namespace` |
| gatewayDiscovery.adminApiService.name | The name of the Kong admin API service (for more details see [gatewayDiscovery section][gd_section]) | "" |
| konnect.enabled | Enable synchronisation of data plane configuration with Konnect Runtime Group | false |
| konnect.runtimeGroupID | Konnect Runtime Group's unique identifier. | |
| konnect.apiHostname | Konnect API hostname. Defaults to a production US-region. | us.kic.api.konghq.com |
| konnect.tlsClientCertSecretName | Name of the secret that contains Konnect Runtime Group's client TLS certificate. | konnect-client-tls |
| konnect.license.enabled | Enable automatic license provisioning for Gateways managed by Ingress Controller in Konnect mode. | false |
| adminApi.tls.client.enabled | Enable TLS client verification for the Admin API. By default, Helm will generate certificates automatically. | false |
| adminApi.tls.client.certProvided | Use user-provided certificates. If set to false, Helm will generate certificates. | false |
| adminApi.tls.client.secretName | Client TLS certificate/key pair secret name. Can be also set when `certProvided` is false to enforce a generated secret's name. | "" |
| adminApi.tls.client.caSecretName | CA TLS certificate/key pair secret name. Can be also set when `certProvided` is false to enforce a generated secret's name. | "" |
[gd_section]: #the-gatewayDiscovery-section
#### The `env` section #### The `env` section
For a complete list of all configuration values you can set in the For a complete list of all configuration values you can set in the
@ -746,6 +778,46 @@ kong:
TZ: "Europe/Berlin" TZ: "Europe/Berlin"
``` ```
#### The `gatewayDiscovery` section
Kong Ingress Controller v2.9 has introduced gateway discovery which allows
the controller to discover Gateway instances that it should configure using
an Admin API Kubernetes service.
You'll be able to configure this feature through configuration section under
`ingressController.gatewayDiscovery`:
- If `ingressController.gatewayDiscovery.enabled` is set to `false`: the ingress controller
will control a pre-determined set of Gateway instances based on Admin API URLs
(provided under the hood via `CONTROLLER_KONG_ADMIN_URL` environment variable).
- If `ingressController.gatewayDiscovery.enabled` is set to `true`: the ingress controller
will dynamically locate Gateway instances by watching the specified Kubernetes
service.
(provided under the hood via `CONTROLLER_KONG_ADMIN_SVC` environment variable).
The following admin API Service flags have to be provided in order for gateway
discovery to work:
- `ingressController.gatewayDiscovery.adminApiService.name`
- `ingressController.gatewayDiscovery.adminApiService.namespace`
Using this feature requires a split release installation of Gateways and Ingress Controller.
For exemplar `values.yaml` files which use this feature please see: [examples README.md](./example-values/README.md).
When using `gatewayDiscovery`, you should consider configuring the Admin service to use mTLS client verification to make
this interface secure. Without that, anyone who can access the Admin API from inside the cluster can configure the Gateway
instances.
On the controller release side, that can be achieved by setting `ingressController.adminApi.tls.client.enabled` to `true`.
By default, Helm will generate a certificate Secret named `<release name>-admin-api-keypair` and
a CA Secret named `<release name>-admin-api-ca-keypair` for you.
To provide your own cert, set `ingressController.adminApi.tls.client.certProvided` to
`true`, `ingressController.adminApi.tls.client.secretName` to the name of the Secret containing your client cert, and `ingressController.adminApi.tls.client.caSecretName` to the name of the Secret containing your CA cert.
On the Gateway release side, set either `admin.tls.client.secretName` to the name of your CA Secret or set `admin.tls.client.caBundle` to the CA certificate string.
### General Parameters ### General Parameters
| Parameter | Description | Default | | Parameter | Description | Default |
@ -772,6 +844,7 @@ kong:
| updateStrategy | update strategy for deployment | `{}` | | updateStrategy | update strategy for deployment | `{}` |
| readinessProbe | Kong readiness probe | | | readinessProbe | Kong readiness probe | |
| livenessProbe | Kong liveness probe | | | livenessProbe | Kong liveness probe | |
| startupProbe | Kong startup probe | |
| lifecycle | Proxy container lifecycle hooks | see `values.yaml` | | lifecycle | Proxy container lifecycle hooks | see `values.yaml` |
| terminationGracePeriodSeconds | Sets the [termination grace period](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution) for Deployment pods | 30 | | terminationGracePeriodSeconds | Sets the [termination grace period](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution) for Deployment pods | 30 |
| affinity | Node/pod affinities | | | affinity | Node/pod affinities | |
@ -794,7 +867,7 @@ kong:
| priorityClassName | Set pod scheduling priority class for Kong pods | `""` | | priorityClassName | Set pod scheduling priority class for Kong pods | `""` |
| secretVolumes | Mount given secrets as a volume in Kong container to override default certs and keys. | `[]` | | secretVolumes | Mount given secrets as a volume in Kong container to override default certs and keys. | `[]` |
| securityContext | Set the securityContext for Kong Pods | `{}` | | securityContext | Set the securityContext for Kong Pods | `{}` |
| containerSecurityContext | Set the securityContext for Containers | `{}` | | containerSecurityContext | Set the securityContext for Containers | `{"readOnlyRootFilesystem": true}` |
| serviceMonitor.enabled | Create ServiceMonitor for Prometheus Operator | `false` | | serviceMonitor.enabled | Create ServiceMonitor for Prometheus Operator | `false` |
| serviceMonitor.interval | Scraping interval | `30s` | | serviceMonitor.interval | Scraping interval | `30s` |
| serviceMonitor.namespace | Where to create ServiceMonitor | | | serviceMonitor.namespace | Where to create ServiceMonitor | |

21
build_system/charts/open-appsec-kong/UPGRADE.md
View File

@ -17,6 +17,7 @@ upgrading from a previous version.
## Table of contents ## Table of contents
- [Upgrade considerations for all versions](#upgrade-considerations-for-all-versions) - [Upgrade considerations for all versions](#upgrade-considerations-for-all-versions)
- [2.17.0](#2170)
- [2.13.0](#2130) - [2.13.0](#2130)
- [2.8.0](#280) - [2.8.0](#280)
- [2.7.0](#270) - [2.7.0](#270)
@ -82,6 +83,26 @@ https://raw.githubusercontent.com/Kong/charts/kong-<version>/charts/kong/crds/cu
For example, if your release is 2.6.4, you would apply For example, if your release is 2.6.4, you would apply
`https://raw.githubusercontent.com/Kong/charts/kong-2.6.4/charts/kong/crds/custom-resource-definitions.yaml`. `https://raw.githubusercontent.com/Kong/charts/kong-2.6.4/charts/kong/crds/custom-resource-definitions.yaml`.
## 2.19.0
2.19 sets a default [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
that declares a read-only root filesystem for Kong containers. The base Kong and KIC
images are compatible with this setting. The chart mounts temporary writeable
emptyDir filesystems for locations that require writeable files (`/tmp` and
`/kong_prefix/`).
This setting limit attack surface and should be compatible with most
installations. However, if you use custom plugins that write to disk, you must
either mount a writeable emptyDir for them or override the new defaults by
setting:
```
containerSecurityContext:
readOnlyRootFilesystem: false
```
in your values.yaml.
## 2.13.0 ## 2.13.0
2.13.0 includes updated CRDs. You must [apply these manually](#updates-to-crds) 2.13.0 includes updated CRDs. You must [apply these manually](#updates-to-crds)

2
build_system/charts/open-appsec-kong/crds/crd-openappsec-practice.yaml
View File

@ -109,7 +109,7 @@ spec:
configmap: configmap:
type: array type: array
items: items:
type: string type: string
openapi-schema-validation: openapi-schema-validation:
type: object type: object
properties: properties:

80
build_system/charts/open-appsec-kong/crds/crd-openappsec-sources-identifier.yaml
View File

@ -1,40 +1,40 @@
apiVersion: apiextensions.k8s.io/v1 apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata : metadata :
name : sourcesidentifiers.openappsec.io name : sourcesidentifiers.openappsec.io
spec: spec:
group: openappsec.io group: openappsec.io
versions: versions:
- name: v1beta1 - name: v1beta1
served: true served: true
storage: true storage: true
schema: schema:
openAPIV3Schema: openAPIV3Schema:
type: object type: object
properties: properties:
spec: spec:
type: array type: array
items: items:
type: object type: object
properties: properties:
sourceIdentifier: sourceIdentifier:
type: string type: string
enum: enum:
- headerkey - headerkey
- JWTKey - JWTKey
- cookie - cookie
- sourceip - sourceip
- x-forwarded-for - x-forwarded-for
value: value:
type: array type: array
items: items:
type: string type: string
scope: Cluster scope: Cluster
names: names:
plural: sourcesidentifiers plural: sourcesidentifiers
singular: sourcesidentifier singular: sourcesidentifier
kind: SourcesIdentifier kind: SourcesIdentifier
shortNames: shortNames:
- sourcesidentifier - sourcesidentifier

64
build_system/charts/open-appsec-kong/crds/crd-openappsec-trusted-sources.yaml
View File

@ -1,32 +1,32 @@
apiVersion: apiextensions.k8s.io/v1 apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata : metadata :
name : trustedsources.openappsec.io name : trustedsources.openappsec.io
spec: spec:
group: openappsec.io group: openappsec.io
versions: versions:
- name: v1beta1 - name: v1beta1
served: true served: true
storage: true storage: true
schema: schema:
openAPIV3Schema: openAPIV3Schema:
type: object type: object
properties: properties:
spec: spec:
type: object type: object
properties: properties:
minNumOfSources: minNumOfSources:
type: integer type: integer
sourcesIdentifiers: sourcesIdentifiers:
type: array type: array
items: items:
type: string type: string
scope: Cluster scope: Cluster
names: names:
plural: trustedsources plural: trustedsources
singular: trustedsource singular: trustedsource
kind: TrustedSource kind: TrustedSource
shortNames: shortNames:
- trustedsource - trustedsource

4
build_system/charts/open-appsec-kong/crds/custom-resource-definitions.yaml
View File

@ -448,8 +448,8 @@ spec:
type: object type: object
upstream: upstream:
description: Upstream represents a virtual hostname and can be used to description: Upstream represents a virtual hostname and can be used to
loadbalance incoming requests over multiple targets (e.g. Kubernetes load balance incoming requests over multiple targets (e.g. Kubernetes
`Services` can be a target, OR `Endpoints` can be targets). Services can be a target, or URLs can be targets).
properties: properties:
algorithm: algorithm:
description: Algorithm is the load balancing algorithm to use. description: Algorithm is the load balancing algorithm to use.

16
build_system/charts/open-appsec-kong/example-values/README.md
View File

@ -52,5 +52,21 @@ common Kong deployment scenarios on Kubernetes.
restarts them, so starting control planes second, but around the same time restarts them, so starting control planes second, but around the same time
will usually work), but is the smoothest option. will usually work), but is the smoothest option.
* [minimal-kong-gd-controller.yaml](minimal-kong-gd-controller.yaml) and
[minimal-kong-gd-gateway.yaml](minimal-kong-gd-gateway.yaml) install a
single controller and cluster of gateway instances. The controller release
configuration must specify the names of the gateway proxy and admin
Services. The examples use `gw` as the gateway release name. If you wish to
use another name, set the controller configuration to match. For example, if
you use `hydrogen` as your gateway release name, set
`proxy.nameOverride=hydrogen-kong-proxy` and
`ingressController.adminApiService.name=hydrogen-kong-admin`.
* [minimal-kong-gd-controller-konnect.yaml](minimal-kong-gd-controller-konnect.yaml) and
[minimal-kong-gd-gateway.yaml](minimal-kong-gd-gateway.yaml) install a single Ingress
Controller with Kong's Konnect sync feature enabled and a cluster of gateway instances.
In order to make it work, `ingressController.konnect.runtimeGroupID` has to be
supplied and a `konnect-client-tls` secret has to be created upfront.
All Enterprise examples require some level of additional user configuration to All Enterprise examples require some level of additional user configuration to
install properly. Read the comments at the top of each file for instructions. install properly. Read the comments at the top of each file for instructions.

2
build_system/charts/open-appsec-kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml
View File

@ -146,7 +146,7 @@ extraLabels:
konghq.com/component: quickstart konghq.com/component: quickstart
image: image:
repository: kong/kong-gateway repository: kong/kong-gateway
tag: "3.1" tag: "3.2"
ingressController: ingressController:
enabled: true enabled: true
env: env:

2
build_system/charts/open-appsec-kong/example-values/full-k4k8s-with-kong-enterprise.yaml
View File

@ -12,7 +12,7 @@
image: image:
repository: kong/kong-gateway repository: kong/kong-gateway
tag: "3.1" tag: "3.2"
env: env:
prefix: /kong_prefix/ prefix: /kong_prefix/

83
build_system/charts/open-appsec-kong/example-values/hybrid-cert-manager/README.md Normal file
View File

@ -0,0 +1,83 @@
This README explains how to install Kong in DB-backed mode with Postgres and Cert Manager
# Install Postgres
Use the bitnami chart to install Postgres. Read the output to understand how to connect to the database.
```bash
helm install postgres oci://registry-1.docker.io/bitnamicharts/postgresql -n db --create-namespace
```
Once connected, create a postgres user and database:
```sql
CREATE USER kong WITH PASSWORD 'super_secret'; CREATE DATABASE kong OWNER kong;
```
# Cert Manager
Install Cert Manager in to your cluster:
```bash
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.crds.yaml
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.11.0
```
Create a self signed CA + Issuer for future use:
```yaml
echo "
apiVersion: v1
kind: Namespace
metadata:
name: kong
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: selfsigned-issuer
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: my-selfsigned-ca
namespace: kong
spec:
isCA: true
commonName: my-selfsigned-ca
secretName: root-secret
privateKey:
algorithm: ECDSA
size: 256
issuerRef:
name: selfsigned-issuer
kind: ClusterIssuer
group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: my-ca-issuer
namespace: kong
spec:
ca:
secretName: root-secret
" | kubectl apply -f -
```
# Kong
Deploy Kong using the `cp-values.yaml` and `dp-values.yaml` in this folder:
```bash
helm install kong-cp kong/kong -n kong --values cp-values.yaml
helm install kong-dp kong/kong -n kong --values dp-values.yaml
```
You should now have Kong running in hybrid mode

25
build_system/charts/open-appsec-kong/example-values/hybrid-cert-manager/cp-values.yaml Normal file
View File

@ -0,0 +1,25 @@
env:
role: control_plane
database: postgres
pg_host: postgres-postgresql.db.svc.cluster.local
pg_user: kong
pg_password: super_secret
cluster:
enabled: true
tls:
enabled: true
certificates:
enabled: true
issuer: my-ca-issuer
cluster:
enabled: true
commonName: custom.example.com
proxy:
enabled: false
ingressController:
env:
publish_service: kong/kong-cp-kong-proxy

22
build_system/charts/open-appsec-kong/example-values/hybrid-cert-manager/dp-values.yaml Normal file
View File

@ -0,0 +1,22 @@
env:
role: data_plane
database: "off"
cluster_control_plane: kong-cp-kong-cluster.kong.svc.cluster.local:8005
cluster:
enabled: true
tls:
enabled: true
certificates:
enabled: true
issuer: my-ca-issuer
cluster:
enabled: true
commonName: custom.example.com
admin:
enabled: false
ingressController:
enabled: false

2
build_system/charts/open-appsec-kong/example-values/minimal-k4k8s-with-kong-enterprise.yaml
View File

@ -9,7 +9,7 @@
image: image:
repository: kong/kong-gateway repository: kong/kong-gateway
tag: "3.1" tag: "3.2"
admin: admin:
enabled: true enabled: true

2
build_system/charts/open-appsec-kong/example-values/minimal-kong-controller.yaml
View File

@ -2,7 +2,7 @@
image: image:
repository: kong repository: kong
tag: "3.1" tag: "3.2"
env: env:
prefix: /kong_prefix/ prefix: /kong_prefix/

2
build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-dbless.yaml
View File

@ -4,7 +4,7 @@
image: image:
repository: kong/kong-gateway repository: kong/kong-gateway
tag: "3.1" tag: "3.2"
enterprise: enterprise:
enabled: true enabled: true

2
build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-control.yaml
View File

@ -14,7 +14,7 @@
image: image:
repository: kong/kong-gateway repository: kong/kong-gateway
tag: "3.1" tag: "3.2"
env: env:
database: postgres database: postgres

2
build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-data.yaml
View File

@ -12,7 +12,7 @@
image: image:
repository: kong/kong-gateway repository: kong/kong-gateway
tag: "3.1" tag: "3.2"
env: env:
role: data_plane role: data_plane

24
build_system/charts/open-appsec-kong/example-values/minimal-kong-gd-controller-konnect.yaml Normal file
View File

@ -0,0 +1,24 @@
deployment:
kong:
enabled: false
proxy:
## This must match the gateway release's proxy Service name.
## The Service name uses the pattern "<release name>-kong-proxy".
## In this example, the companion gateway release is named "gw"
nameOverride: gw-kong-proxy
ingressController:
enabled: true
gatewayDiscovery:
enabled: true
adminApiService:
## This must match the gateway release's admin Service name.
## The Service name uses the pattern "<release name>-kong-admin".
## In this example, the companion gateway release is named "gw"
name: gw-kong-admin
konnect:
enabled: true
runtimeGroupID: "00000000-0000-0000-0000-000000000000" # CHANGEME

33
build_system/charts/open-appsec-kong/example-values/minimal-kong-gd-controller.yaml Normal file
View File

@ -0,0 +1,33 @@
deployment:
kong:
enabled: false
proxy:
## This must match the gateway release's proxy Service name.
## The Service name uses the pattern "<release name>-kong-proxy".
## In this example, the companion gateway release is named "gw"
nameOverride: gw-kong-proxy
ingressController:
enabled: true
gatewayDiscovery:
enabled: true
adminApiService:
## This must match the gateway release's admin Service name.
## The Service name uses the pattern "<release name>-kong-admin".
## In this example, the companion gateway release is named "gw"
name: gw-kong-admin
adminApi:
tls:
client:
# Enable TLS client authentication for the Admin API.
enabled: true
# We're specifying the name of the secret to have a static name that we
# will use in the gateway release.
caSecretName: "admin-api-ca-cert"
env:
# This must match the gateway release's proxy Service HTTPs port name.
kong_admin_svc_port_names: "kong-admin-tls"

17
build_system/charts/open-appsec-kong/example-values/minimal-kong-gd-gateway.yaml Normal file
View File

@ -0,0 +1,17 @@
admin:
enabled: true
type: ClusterIP
clusterIP: None
tls:
client:
secretName: "admin-api-ca-cert"
ingressController:
enabled: false
replicaCount: 3
## This example creates a static 3-Pod Kong gateway Deployment.
## To use autoscaling instead, comment the above replicaCount and uncomment
## the autoscaling section below.
# autoscaling:
# enabled: true

2
build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-control.yaml
View File

@ -6,7 +6,7 @@
image: image:
repository: kong repository: kong
tag: "3.1" tag: "3.2"
env: env:
prefix: /kong_prefix/ prefix: /kong_prefix/

2
build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-data.yaml
View File

@ -11,7 +11,7 @@
image: image:
repository: kong repository: kong
tag: "3.1" tag: "3.2"
env: env:
prefix: /kong_prefix/ prefix: /kong_prefix/

2
build_system/charts/open-appsec-kong/example-values/minimal-kong-standalone.yaml
View File

@ -6,7 +6,7 @@
image: image:
repository: kong repository: kong
tag: "3.1" tag: "3.2"
env: env:
prefix: /kong_prefix/ prefix: /kong_prefix/

210
build_system/charts/open-appsec-kong/templates/_helpers.tpl
View File

@ -153,6 +153,9 @@ spec:
- {{ $cidr }} - {{ $cidr }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if .loadBalancerClass }}
loadBalancerClass: {{ .loadBalancerClass }}
{{- end }}
{{- end }} {{- end }}
{{- if .externalIPs }} {{- if .externalIPs }}
externalIPs: externalIPs:
@ -316,6 +319,32 @@ Create a single listen (IP+port+parameter combo)
{{- $listen | join " " -}} {{- $listen | join " " -}}
{{- end -}} {{- end -}}
{{/*
Return the admin API service name for service discovery
*/}}
{{- define "kong.adminSvc" -}}
{{- $gatewayDiscovery := .Values.ingressController.gatewayDiscovery -}}
{{- if $gatewayDiscovery.enabled -}}
{{- $adminApiService := $gatewayDiscovery.adminApiService -}}
{{- $_ := required ".ingressController.gatewayDiscovery.adminApiService has to be provided when .Values.ingressController.gatewayDiscovery.enabled is set to true" $adminApiService -}}
{{- if (semverCompare "< 2.9.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
{{- fail (printf "Gateway discovery is available in controller versions 2.9 and up. Detected %s" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
{{- end }}
{{- if .Values.deployment.kong.enabled }}
{{- fail "deployment.kong.enabled and ingressController.gatewayDiscovery.enabled are mutually exclusive and cannot be enabled at once. Gateway discovery requires a split release installation of Gateways and Ingress Controller." }}
{{- end }}
{{- $namespace := $adminApiService.namespace | default ( include "kong.namespace" . ) -}}
{{- $name := $adminApiService.name -}}
{{- $_ := required ".ingressController.gatewayDiscovery.adminApiService.name has to be provided when .Values.ingressController.gatewayDiscovery.enabled is set to true" $name -}}
{{- printf "%s/%s" $namespace $name -}}
{{- else -}}
{{- fail "Can't use gateway discovery when .Values.ingressController.gatewayDiscovery.enabled is set to false." -}}
{{- end -}}
{{- end -}}
{{/* {{/*
Return the local admin API URL, preferring HTTPS if available Return the local admin API URL, preferring HTTPS if available
*/}} */}}
@ -370,16 +399,61 @@ The name of the service used for the ingress controller's validation webhook
*/}} */}}
{{- $autoEnv := dict -}} {{- $autoEnv := dict -}}
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY" true -}} {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY" true -}}
{{- $_ := set $autoEnv "CONTROLLER_PUBLISH_SERVICE" (printf "%s/%s-proxy" ( include "kong.namespace" . ) (include "kong.fullname" .)) -}} {{- $_ := set $autoEnv "CONTROLLER_PUBLISH_SERVICE" (printf "%s/%s" ( include "kong.namespace" . ) ( .Values.proxy.nameOverride | default ( printf "%s-proxy" (include "kong.fullname" . )))) -}}
{{- $_ := set $autoEnv "CONTROLLER_INGRESS_CLASS" .Values.ingressController.ingressClass -}} {{- $_ := set $autoEnv "CONTROLLER_INGRESS_CLASS" .Values.ingressController.ingressClass -}}
{{- $_ := set $autoEnv "CONTROLLER_ELECTION_ID" (printf "kong-ingress-controller-leader-%s" .Values.ingressController.ingressClass) -}} {{- $_ := set $autoEnv "CONTROLLER_ELECTION_ID" (printf "kong-ingress-controller-leader-%s" .Values.ingressController.ingressClass) -}}
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_URL" (include "kong.adminLocalURL" .) -}}
{{- if .Values.ingressController.admissionWebhook.enabled }} {{- if .Values.ingressController.admissionWebhook.enabled }}
{{- $_ := set $autoEnv "CONTROLLER_ADMISSION_WEBHOOK_LISTEN" (printf "0.0.0.0:%d" (int64 .Values.ingressController.admissionWebhook.port)) -}} {{- $_ := set $autoEnv "CONTROLLER_ADMISSION_WEBHOOK_LISTEN" (printf "0.0.0.0:%d" (int64 .Values.ingressController.admissionWebhook.port)) -}}
{{- end }} {{- end }}
{{- if (not (eq (len .Values.ingressController.watchNamespaces) 0)) }} {{- if (not (eq (len .Values.ingressController.watchNamespaces) 0)) }}
{{- $_ := set $autoEnv "CONTROLLER_WATCH_NAMESPACE" (.Values.ingressController.watchNamespaces | join ",") -}} {{- $_ := set $autoEnv "CONTROLLER_WATCH_NAMESPACE" (.Values.ingressController.watchNamespaces | join ",") -}}
{{- end }}
{{/*
====== ADMIN API CONFIGURATION ======
*/}}
{{- if .Values.ingressController.gatewayDiscovery.enabled -}}
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_SVC" (include "kong.adminSvc" . ) -}}
{{- else -}}
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_URL" (include "kong.adminLocalURL" .) -}}
{{- end -}}
{{- if .Values.ingressController.adminApi.tls.client.enabled }}
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_CLIENT_CERT_FILE" "/etc/secrets/admin-api-cert/tls.crt" -}}
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_CLIENT_KEY_FILE" "/etc/secrets/admin-api-cert/tls.key" -}}
{{- end }}
{{/*
====== KONNECT ENVIRONMENT VARIABLES ======
*/}}
{{- if .Values.ingressController.konnect.enabled }}
{{- if (semverCompare "< 2.9.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
{{- fail (printf "Konnect sync is available in controller versions 2.9 and up. Detected %s" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
{{- end }}
{{- if not .Values.ingressController.gatewayDiscovery.enabled }}
{{- fail "ingressController.gatewayDiscovery.enabled has to be true when ingressController.konnect.enabled"}}
{{- end }}
{{- $konnect := .Values.ingressController.konnect -}}
{{- $_ := required "ingressController.konnect.runtimeGroupID is required when ingressController.konnect.enabled" $konnect.runtimeGroupID -}}
{{- $_ = set $autoEnv "CONTROLLER_KONNECT_SYNC_ENABLED" true -}}
{{- $_ = set $autoEnv "CONTROLLER_KONNECT_RUNTIME_GROUP_ID" $konnect.runtimeGroupID -}}
{{- $_ = set $autoEnv "CONTROLLER_KONNECT_ADDRESS" (printf "https://%s" .Values.ingressController.konnect.apiHostname) -}}
{{- $tlsCert := include "secretkeyref" (dict "name" $konnect.tlsClientCertSecretName "key" "tls.crt") -}}
{{- $tlsKey := include "secretkeyref" (dict "name" $konnect.tlsClientCertSecretName "key" "tls.key") -}}
{{- $_ = set $autoEnv "CONTROLLER_KONNECT_TLS_CLIENT_CERT" $tlsCert -}}
{{- $_ = set $autoEnv "CONTROLLER_KONNECT_TLS_CLIENT_KEY" $tlsKey -}}
{{- if $konnect.license.enabled }}
{{- $_ = set $autoEnv "CONTROLLER_KONNECT_LICENSING_ENABLED" true -}}
{{- end }}
{{- end }} {{- end }}
{{/* {{/*
@ -420,10 +494,10 @@ The name of the service used for the ingress controller's validation webhook
{{- define "kong.volumes" -}} {{- define "kong.volumes" -}}
- name: {{ template "kong.fullname" . }}-prefix-dir - name: {{ template "kong.fullname" . }}-prefix-dir
emptyDir: emptyDir:
sizeLimit: {{ .Values.deployment.prefixDir.sizeLimit }} sizeLimit: {{ .Values.deployment.prefixDir.sizeLimit }}
- name: {{ template "kong.fullname" . }}-tmp - name: {{ template "kong.fullname" . }}-tmp
emptyDir: emptyDir:
sizeLimit: {{ .Values.deployment.tmpDir.sizeLimit }} sizeLimit: {{ .Values.deployment.tmpDir.sizeLimit }}
{{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}} {{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}}
{{- if .Values.certificates.cluster.enabled }} {{- if .Values.certificates.cluster.enabled }}
@ -478,8 +552,9 @@ The name of the service used for the ingress controller's validation webhook
{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }} {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
{{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}} {{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}}
{{- if gt $dblessSourceCount 1 -}} {{- if gt $dblessSourceCount 1 -}}
{{- fail "Ambiguous configuration: only one of of .Values.dblessConfig.configMap, .Values.dblessConfig.secret, and .Values.dblessConfig.config can be set." -}} {{- fail "Ambiguous configuration: only one of of .Values.dblessConfig.configMap, .Values.dblessConfig.secret, and .Values.dblessConfig.config can be set." -}}
{{- else if eq $dblessSourceCount 1 }}
- name: kong-custom-dbless-config-volume - name: kong-custom-dbless-config-volume
{{- if .Values.dblessConfig.configMap }} {{- if .Values.dblessConfig.configMap }}
configMap: configMap:
@ -494,7 +569,7 @@ The name of the service used for the ingress controller's validation webhook
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if .Values.ingressController.admissionWebhook.enabled }} {{- if and .Values.ingressController.enabled .Values.ingressController.admissionWebhook.enabled }}
- name: webhook-cert - name: webhook-cert
secret: secret:
{{- if .Values.ingressController.admissionWebhook.certificate.provided }} {{- if .Values.ingressController.admissionWebhook.certificate.provided }}
@ -503,6 +578,11 @@ The name of the service used for the ingress controller's validation webhook
secretName: {{ template "kong.fullname" . }}-validation-webhook-keypair secretName: {{ template "kong.fullname" . }}-validation-webhook-keypair
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if or $.Values.admin.tls.client.secretName $.Values.admin.tls.client.caBundle }}
- name: admin-client-ca
configMap:
name: {{ template "kong.fullname" . }}-admin-client-ca
{{- end -}}
{{- range $secretVolume := .Values.secretVolumes }} {{- range $secretVolume := .Values.secretVolumes }}
- name: {{ . }} - name: {{ . }}
secret: secret:
@ -518,6 +598,19 @@ The name of the service used for the ingress controller's validation webhook
secret: secret:
secretName: {{ .name }} secretName: {{ .name }}
{{- end }} {{- end }}
{{- if and .Values.ingressController.adminApi.tls.client.enabled .Values.ingressController.enabled }}
- name: admin-api-cert
secret:
secretName: {{ template "adminApiService.certSecretName" . }}
{{- end }}
{{- end -}}
{{- define "controller.adminApiCertVolumeMount" -}}
{{- if and .Values.ingressController.adminApi.tls.client.enabled .Values.ingressController.enabled }}
- name: admin-api-cert
mountPath: /etc/secrets/admin-api-cert
readOnly: true
{{- end -}}
{{- end -}} {{- end -}}
{{- define "kong.userDefinedVolumeMounts" -}} {{- define "kong.userDefinedVolumeMounts" -}}
@ -552,12 +645,17 @@ The name of the service used for the ingress controller's validation webhook
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}} {{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}}
{{- if gt $dblessSourceCount 1 -}} {{- if eq $dblessSourceCount 1 -}}
{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }} {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
- name: kong-custom-dbless-config-volume - name: kong-custom-dbless-config-volume
mountPath: /kong_dbless/ mountPath: /kong_dbless/
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if or $.Values.admin.tls.client.caBundle $.Values.admin.tls.client.secretName }}
- name: admin-client-ca
mountPath: /etc/admin-client-ca/
readOnly: true
{{- end -}}
{{- range .Values.secretVolumes }} {{- range .Values.secretVolumes }}
- name: {{ . }} - name: {{ . }}
mountPath: /etc/secrets/{{ . }} mountPath: /etc/secrets/{{ . }}
@ -638,7 +736,7 @@ The name of the service used for the ingress controller's validation webhook
{{- if .effectiveSemver -}} {{- if .effectiveSemver -}}
{{- .effectiveSemver -}} {{- .effectiveSemver -}}
{{- else -}} {{- else -}}
{{- .tag -}} {{- (trimSuffix "-redhat" .tag) -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
@ -702,6 +800,7 @@ The name of the service used for the ingress controller's validation webhook
readOnly: true readOnly: true
{{- end }} {{- end }}
{{- include "kong.userDefinedVolumeMounts" .Values.ingressController | nindent 2 }} {{- include "kong.userDefinedVolumeMounts" .Values.ingressController | nindent 2 }}
{{- include "controller.adminApiCertVolumeMount" . | nindent 2 }}
{{- end -}} {{- end -}}
{{- define "secretkeyref" -}} {{- define "secretkeyref" -}}
@ -758,10 +857,18 @@ the template that it itself is using form the above sections.
{{- $listenConfig := merge $listenConfig . -}} {{- $listenConfig := merge $listenConfig . -}}
{{- $_ := set $listenConfig "address" $address -}} {{- $_ := set $listenConfig "address" $address -}}
{{- $_ := set $autoEnv "KONG_ADMIN_LISTEN" (include "kong.listen" $listenConfig) -}} {{- $_ := set $autoEnv "KONG_ADMIN_LISTEN" (include "kong.listen" $listenConfig) -}}
{{- if or .tls.client.secretName .tls.client.caBundle -}}
{{- $_ := set $autoEnv "KONG_NGINX_ADMIN_SSL_VERIFY_CLIENT" "on" -}}
{{- $_ := set $autoEnv "KONG_NGINX_ADMIN_SSL_CLIENT_CERTIFICATE" "/etc/admin-client-ca/tls.crt" -}}
{{- end -}}
{{- end -}} {{- end -}}
{{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}} {{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}}
{{- if (and .Values.certificates.cluster.enabled .Values.cluster.enabled) -}} {{- if (and .Values.certificates.cluster.enabled .Values.cluster.enabled) -}}
{{- $_ := set $autoEnv "KONG_CLUSTER_MTLS" "pki" -}}
{{- $_ := set $autoEnv "KONG_CLUSTER_SERVER_NAME" .Values.certificates.cluster.commonName -}}
{{- $_ := set $autoEnv "KONG_CLUSTER_CA_CERT" "/etc/cert-manager/cluster/ca.crt" -}} {{- $_ := set $autoEnv "KONG_CLUSTER_CA_CERT" "/etc/cert-manager/cluster/ca.crt" -}}
{{- $_ := set $autoEnv "KONG_CLUSTER_CERT" "/etc/cert-manager/cluster/tls.crt" -}} {{- $_ := set $autoEnv "KONG_CLUSTER_CERT" "/etc/cert-manager/cluster/tls.crt" -}}
{{- $_ := set $autoEnv "KONG_CLUSTER_CERT_KEY" "/etc/cert-manager/cluster/tls.key" -}} {{- $_ := set $autoEnv "KONG_CLUSTER_CERT_KEY" "/etc/cert-manager/cluster/tls.key" -}}
@ -914,7 +1021,7 @@ the template that it itself is using form the above sections.
{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }} {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
{{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}} {{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}}
{{- if gt $dblessSourceCount 1 -}} {{- if eq $dblessSourceCount 1 -}}
{{- $_ := set $autoEnv "KONG_DECLARATIVE_CONFIG" "/kong_dbless/kong.yml" -}} {{- $_ := set $autoEnv "KONG_DECLARATIVE_CONFIG" "/kong_dbless/kong.yml" -}}
{{- end }} {{- end }}
{{- end }} {{- end }}
@ -1037,6 +1144,13 @@ role sets used in the charts. Updating these requires separating out cluster
resource roles into their separate templates. resource roles into their separate templates.
*/}} */}}
{{- define "kong.kubernetesRBACRules" -}} {{- define "kong.kubernetesRBACRules" -}}
- apiGroups:
- ""
resources:
- namespaces
verbs:
- list
{{- if (semverCompare "< 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
- apiGroups: - apiGroups:
- "" - ""
resources: resources:
@ -1044,20 +1158,7 @@ resource roles into their separate templates.
verbs: verbs:
- list - list
- watch - watch
- apiGroups: {{- end }}
- ""
resources:
- namespaces
verbs:
- list
- apiGroups:
- ""
resources:
- endpoints/status
verbs:
- get
- patch
- update
- apiGroups: - apiGroups:
- "" - ""
resources: resources:
@ -1087,14 +1188,6 @@ resource roles into their separate templates.
verbs: verbs:
- list - list
- watch - watch
- apiGroups:
- ""
resources:
- secrets/status
verbs:
- get
- patch
- update
- apiGroups: - apiGroups:
- "" - ""
resources: resources:
@ -1306,6 +1399,22 @@ resource roles into their separate templates.
verbs: verbs:
- get - get
- update - update
- apiGroups:
- gateway.networking.k8s.io
resources:
- grpcroutes
verbs:
- get
- list
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- grpcroutes/status
verbs:
- get
- patch
- update
{{- end }} {{- end }}
{{- if (.Capabilities.APIVersions.Has "networking.internal.knative.dev/v1alpha1") }} {{- if (.Capabilities.APIVersions.Has "networking.internal.knative.dev/v1alpha1") }}
- apiGroups: - apiGroups:
@ -1341,6 +1450,14 @@ resource roles into their separate templates.
- get - get
- patch - patch
- update - update
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
{{- end -}} {{- end -}}
{{/* {{/*
@ -1373,6 +1490,15 @@ Kubernetes Cluster-scoped resources it uses to build Kong configuration.
- get - get
- patch - patch
- update - update
{{- if (semverCompare ">= 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- watch
{{- end }}
{{- if or (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1alpha2") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1") }} {{- if or (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1alpha2") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1") }}
- apiGroups: - apiGroups:
- gateway.networking.k8s.io - gateway.networking.k8s.io
@ -1411,9 +1537,9 @@ extensions/v1beta1
{{- end -}} {{- end -}}
{{- define "kong.autoscalingVersion" -}} {{- define "kong.autoscalingVersion" -}}
{{- if (.Capabilities.APIVersions.Has "autoscaling/v2") -}} {{- if (.Capabilities.APIVersions.Has "autoscaling/v2/HorizontalPodAutoscaler") -}}
autoscaling/v2 autoscaling/v2
{{- else if (.Capabilities.APIVersions.Has "autoscaling/v2beta2") -}} {{- else if (.Capabilities.APIVersions.Has "autoscaling/v2beta2/HorizontalPodAutoscaler") -}}
autoscaling/v2beta2 autoscaling/v2beta2
{{- else -}} {{- else -}}
autoscaling/v1 autoscaling/v1

15
build_system/charts/open-appsec-kong/templates/admission-webhook.yaml
View File

@ -1,4 +1,4 @@
{{- if .Values.ingressController.admissionWebhook.enabled }} {{- if (and .Values.ingressController.admissionWebhook.enabled .Values.ingressController.enabled) }}
{{- $certCert := "" -}} {{- $certCert := "" -}}
{{- $certKey := "" -}} {{- $certKey := "" -}}
{{- $caCert := "" -}} {{- $caCert := "" -}}
@ -34,8 +34,18 @@ metadata:
namespace: {{ template "kong.namespace" . }} namespace: {{ template "kong.namespace" . }}
labels: labels:
{{- include "kong.metaLabels" . | nindent 4 }} {{- include "kong.metaLabels" . | nindent 4 }}
{{- if .Values.ingressController.admissionWebhook.annotations }}
annotations:
{{- range $key, $value := .Values.ingressController.admissionWebhook.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
webhooks: webhooks:
- name: validations.kong.konghq.com - name: validations.kong.konghq.com
{{- with .Values.ingressController.admissionWebhook.namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
objectSelector: objectSelector:
matchExpressions: matchExpressions:
- key: owner - key: owner
@ -89,6 +99,9 @@ metadata:
namespace: {{ template "kong.namespace" . }} namespace: {{ template "kong.namespace" . }}
labels: labels:
{{- include "kong.metaLabels" . | nindent 4 }} {{- include "kong.metaLabels" . | nindent 4 }}
{{- if .Values.ingressController.admissionWebhook.service.labels }}
{{- toYaml .Values.ingressController.admissionWebhook.service.labels | nindent 4 }}
{{- end }}
spec: spec:
ports: ports:
- name: webhook - name: webhook

885
build_system/charts/open-appsec-kong/templates/appsec.yaml
View File

@ -1,447 +1,438 @@
{{- if and (not (eq .Values.kind "Vanilla")) (or .Values.deployment.kong.enabled .Values.ingressController.enabled) }} {{- if and (not (eq .Values.kind "Vanilla")) (or .Values.deployment.kong.enabled .Values.ingressController.enabled) }}
apiVersion: apps/v1 apiVersion: apps/v1
{{- if (eq .Values.kind "AppSec") }} {{- if (eq .Values.kind "AppSec") }}
{{- if .Values.deployment.daemonset }} {{- if .Values.deployment.daemonset }}
kind: DaemonSet kind: DaemonSet
{{- else }} {{- else }}
kind: Deployment kind: Deployment
{{- end }} {{- end }}
{{- else if eq .Values.kind "AppSecStateful" }} {{- else if eq .Values.kind "AppSecStateful" }}
kind: StatefulSet kind: StatefulSet
{{- end }} {{- end }}
metadata: metadata:
name: {{ template "kong.fullname" . }} name: {{ template "kong.fullname" . }}
namespace: {{ template "kong.namespace" . }} namespace: {{ template "kong.namespace" . }}
labels: labels:
{{- include "kong.metaLabels" . | nindent 4 }} {{- include "kong.metaLabels" . | nindent 4 }}
app.kubernetes.io/component: app app.kubernetes.io/component: app
{{- if .Values.deploymentAnnotations }} {{- if .Values.deploymentAnnotations }}
annotations: annotations:
{{- range $key, $value := .Values.deploymentAnnotations }} {{- range $key, $value := .Values.deploymentAnnotations }}
{{ $key }}: {{ $value | quote }} {{ $key }}: {{ $value | quote }}
{{- end }} {{- end }}
{{- end }} {{- end }}
spec: spec:
{{- if not .Values.autoscaling.enabled }} {{- if not .Values.autoscaling.enabled }}
{{- if eq .Values.kind "AppSecStateful" }} {{- if eq .Values.kind "AppSecStateful" }}
serviceName: "cp-appsec-stateful-set" serviceName: "cp-appsec-stateful-set"
{{- end }} {{- end }}
{{- if or (not .Values.deployment.daemonset) (and (eq .Values.kind "AppSecStateful") ( .Values.deployment.daemonset )) }} {{- if or (not .Values.deployment.daemonset) (and (eq .Values.kind "AppSecStateful") ( .Values.deployment.daemonset )) }}
replicas: {{ .Values.replicaCount }} replicas: {{ .Values.replicaCount }}
{{- end }} {{- end }}
{{- end }} {{- end }}
selector: selector:
matchLabels: matchLabels:
{{- include "kong.selectorLabels" . | nindent 6 }} {{- include "kong.selectorLabels" . | nindent 6 }}
{{- if .Values.updateStrategy }} {{- if .Values.updateStrategy }}
{{- if .Values.deployment.daemonset }} {{- if .Values.deployment.daemonset }}
updateStrategy: updateStrategy:
{{- else }} {{- else }}
strategy: strategy:
{{- end }} {{- end }}
{{ toYaml .Values.updateStrategy | indent 4 }} {{ toYaml .Values.updateStrategy | indent 4 }}
{{- end }} {{- end }}
{{- if .Values.deployment.minReadySeconds }} {{- if .Values.deployment.minReadySeconds }}
minReadySeconds: {{ .Values.deployment.minReadySeconds }} minReadySeconds: {{ .Values.deployment.minReadySeconds }}
{{- end }} {{- end }}
template: template:
metadata: metadata:
annotations: annotations:
{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }} {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }} kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }}
{{- end }} {{- end }}
{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off" )) }} {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off" )) }}
{{- if .Values.dblessConfig.config }} {{- if .Values.dblessConfig.config }}
checksum/dbless.config: {{ toYaml .Values.dblessConfig.config | sha256sum }} checksum/dbless.config: {{ toYaml .Values.dblessConfig.config | sha256sum }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if .Values.podAnnotations }} {{- if .Values.podAnnotations }}
{{- range $key, $value := .Values.podAnnotations }} {{- range $key, $value := .Values.podAnnotations }}
{{ $key }}: {{ $value | quote }} {{ $key }}: {{ $value | quote }}
{{- end }} {{- end }}
{{- end }} {{- end }}
labels: labels:
{{- include "kong.metaLabels" . | nindent 8 }} {{- include "kong.metaLabels" . | nindent 8 }}
app.kubernetes.io/component: app app.kubernetes.io/component: app
app: {{ template "kong.fullname" . }} app: {{ template "kong.fullname" . }}
version: {{ .Chart.AppVersion | quote }} version: {{ .Chart.AppVersion | quote }}
{{- if .Values.podLabels }} {{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | nindent 8 }} {{ toYaml .Values.podLabels | nindent 8 }}
{{- end }} {{- end }}
spec: spec:
{{- if .Values.deployment.hostNetwork }} {{- if .Values.deployment.hostNetwork }}
hostNetwork: true hostNetwork: true
{{- end }} {{- end }}
{{- if .Values.priorityClassName }} {{- if .Values.priorityClassName }}
priorityClassName: "{{ .Values.priorityClassName }}" priorityClassName: "{{ .Values.priorityClassName }}"
{{- end }} {{- end }}
{{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }} {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}
serviceAccountName: {{ template "kong.serviceAccountName" . }} serviceAccountName: {{ template "kong.serviceAccountName" . }}
{{- end }} {{- end }}
{{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }} {{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }}
automountServiceAccountToken: true automountServiceAccountToken: true
{{- else }} {{- else }}
automountServiceAccountToken: false automountServiceAccountToken: false
{{ end }} {{ end }}
{{- if .Values.image.pullSecrets }} {{- if .Values.image.pullSecrets }}
imagePullSecrets: imagePullSecrets:
{{- range .Values.image.pullSecrets }} {{- range .Values.image.pullSecrets }}
- name: {{ . }} - name: {{ . }}
{{- end }} {{- end }}
{{- end }} {{- end }}
initContainers: initContainers:
- name: clear-stale-pid - name: clear-stale-pid
image: {{ include "kong.getRepoTag" .Values.image }} image: {{ include "kong.getRepoTag" .Values.image }}
imagePullPolicy: {{ .Values.image.pullPolicy }} imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext: securityContext:
{{ toYaml .Values.containerSecurityContext | nindent 10 }} {{ toYaml .Values.containerSecurityContext | nindent 10 }}
resources: resources:
{{ toYaml .Values.resources | indent 10 }} {{ toYaml .Values.resources | indent 10 }}
command: command:
- "rm" - "rm"
- "-vrf" - "-vrf"
- "$KONG_PREFIX/pids" - "$KONG_PREFIX/pids"
env: env:
{{- include "kong.env" . | nindent 8 }} {{- include "kong.env" . | nindent 8 }}
volumeMounts: volumeMounts:
{{- include "kong.volumeMounts" . | nindent 8 }} {{- include "kong.volumeMounts" . | nindent 8 }}
{{- if .Values.deployment.initContainers }} {{- if .Values.deployment.initContainers }}
{{- toYaml .Values.deployment.initContainers | nindent 6 }} {{- toYaml .Values.deployment.initContainers | nindent 6 }}
{{- end }} {{- end }}
{{- if (and (not (eq .Values.env.database "off")) .Values.waitImage.enabled) }} {{- if (and (not (eq .Values.env.database "off")) .Values.waitImage.enabled) }}
{{- include "kong.wait-for-db" . | nindent 6 }} {{- include "kong.wait-for-db" . | nindent 6 }}
{{- end }} {{- end }}
{{- if .Values.deployment.hostAliases }} {{- if .Values.deployment.hostAliases }}
hostAliases: hostAliases:
{{- toYaml .Values.deployment.hostAliases | nindent 6 }} {{- toYaml .Values.deployment.hostAliases | nindent 6 }}
{{- end}} {{- end}}
{{- if .Values.dnsPolicy }} {{- if .Values.dnsPolicy }}
dnsPolicy: {{ .Values.dnsPolicy | quote }} dnsPolicy: {{ .Values.dnsPolicy | quote }}
{{- end }} {{- end }}
{{- if .Values.dnsConfig }} {{- if .Values.dnsConfig }}
dnsConfig: dnsConfig:
{{ toYaml .Values.dnsConfig | indent 8 }} {{ toYaml .Values.dnsConfig | indent 8 }}
{{- end }} {{- end }}
containers: containers:
- name: {{ .Values.appsec.name }} - name: {{ .Values.appsec.name }}
readinessProbe: readinessProbe:
exec: exec:
command: command:
- sh - sh
- -c - -c
- '[ -f /etc/cp/HttpTransactionHandler/cp-nano-http-transaction-handler ] && exit 0 || exit 1' - '[ -f /etc/cp/HttpTransactionHandler/cp-nano-http-transaction-handler ] && exit 0 || exit 1'
initialDelaySeconds: 30 initialDelaySeconds: 30
periodSeconds: 5 periodSeconds: 5
failureThreshold: 120 failureThreshold: 120
successThreshold: 1 successThreshold: 1
securityContext: securityContext:
{{ toYaml .Values.appsec.securityContext | nindent 12 }} {{ toYaml .Values.appsec.securityContext | nindent 12 }}
{{- with .Values.appsec.image }} {{- with .Values.appsec.image }}
image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}" image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}"
{{- end }} {{- end }}
command: command:
- {{ .Values.appsec.command }} - {{ .Values.appsec.command }}
imagePullPolicy: {{ .Values.appsec.image.pullPolicy }} imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
args: args:
{{- if (eq "standalone" .Values.appsec.mode) }} {{- if (eq "standalone" .Values.appsec.mode) }}
- --hybrid-mode - --hybrid-mode
- --token - --token
- cp-3fb5c718-5e39-47e6-8d5e-99b4bc5660b74b4b7fc8-5312-451d-a763-aaf7872703c0 - cp-3fb5c718-5e39-47e6-8d5e-99b4bc5660b74b4b7fc8-5312-451d-a763-aaf7872703c0
{{- else }} {{- else }}
- --token - --token
- {{ .Values.appsec.agentToken }} - {{ .Values.appsec.agentToken }}
{{- end }} {{- end }}
{{- if .Values.appsec.customFog.enabled }} {{- if .Values.appsec.customFog.enabled }}
- --fog - --fog
- {{ .Values.appsec.customFog.fogAddress }} - {{ .Values.appsec.customFog.fogAddress }}
{{- end }} {{- end }}
{{- if .Values.appsec.proxy }} {{- if .Values.appsec.proxy }}
- --proxy - --proxy
- {{ .Values.appsec.proxy }} - {{ .Values.appsec.proxy }}
{{- end }} {{- end }}
imagePullPolicy: {{ .Values.appsec.image.pullPolicy }} imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
env: env:
{{- if eq .Values.appsec.playground false }} {{- if eq .Values.appsec.playground false }}
- name: SHARED_STORAGE_HOST - name: SHARED_STORAGE_HOST
value: {{ .Values.appsec.storage.name }}-svc value: {{ .Values.appsec.storage.name }}-svc
- name: LEARNING_HOST - name: LEARNING_HOST
value: {{ .Values.appsec.learning.name }}-svc value: {{ .Values.appsec.learning.name }}-svc
{{- else }} {{- else }}
- name: PLAYGROUND - name: PLAYGROUND
value: "true" value: "true"
{{- end }} {{- end }}
{{- if .Values.appsec.email }} resources:
{{- if eq .Values.appsec.email "STUB" }} {{ toYaml .Values.resources | nindent 12 }}
{{- fail "Please replace STUB with an email address" }} {{- if eq .Values.kind "AppSecStateful" }}
{{- end }} volumeMounts:
- name: user_email - name: advanced-model
value: {{ .Values.appsec.email }} mountPath: /advanced-model
{{- end }} - name: appsec-conf
- name: registered_server mountPath: /etc/cp/conf
value: "Kong Server" - name: appsec-data
resources: mountPath: /etc/cp/data
{{ toYaml .Values.resources | nindent 12 }} {{- end }}
{{- if eq .Values.kind "AppSecStateful" }} {{- if .Values.ingressController.enabled }}
volumeMounts: {{- include "kong.controller-container" . | nindent 6 }}
- name: advanced-model {{ end }}
mountPath: /advanced-model {{- if .Values.deployment.sidecarContainers }}
- name: appsec-conf {{- toYaml .Values.deployment.sidecarContainers | nindent 6 }}
mountPath: /etc/cp/conf {{- end }}
- name: appsec-data {{- if .Values.deployment.kong.enabled }}
mountPath: /etc/cp/data - name: "proxy"
{{- end }} {{- with .Values.appsec.kong.image }}
{{- if .Values.ingressController.enabled }} image: "{{ .repository }}:{{ .tag }}"
{{- include "kong.controller-container" . | nindent 6 }} {{- end }}
{{ end }} imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.deployment.sidecarContainers }} securityContext:
{{- toYaml .Values.deployment.sidecarContainers | nindent 6 }} {{ toYaml .Values.containerSecurityContext | nindent 10 }}
{{- end }} env:
{{- if .Values.deployment.kong.enabled }} {{- include "kong.no_daemon_env" . | nindent 8 }}
- name: "proxy" lifecycle:
{{- with .Values.appsec.kong.image }} {{- toYaml .Values.lifecycle | nindent 10 }}
image: "{{ .repository }}:{{ .tag }}" ports:
{{- end }} {{- if (and .Values.admin.http.enabled .Values.admin.enabled) }}
imagePullPolicy: {{ .Values.image.pullPolicy }} - name: admin
securityContext: containerPort: {{ .Values.admin.http.containerPort }}
{{ toYaml .Values.containerSecurityContext | nindent 10 }} {{- if .Values.admin.http.hostPort }}
env: hostPort: {{ .Values.admin.http.hostPort }}
{{- include "kong.no_daemon_env" . | nindent 8 }} {{- end}}
lifecycle: protocol: TCP
{{- toYaml .Values.lifecycle | nindent 10 }} {{- end }}
ports: {{- if (and .Values.admin.tls.enabled .Values.admin.enabled) }}
{{- if (and .Values.admin.http.enabled .Values.admin.enabled) }} - name: admin-tls
- name: admin containerPort: {{ .Values.admin.tls.containerPort }}
containerPort: {{ .Values.admin.http.containerPort }} {{- if .Values.admin.tls.hostPort }}
{{- if .Values.admin.http.hostPort }} hostPort: {{ .Values.admin.tls.hostPort }}
hostPort: {{ .Values.admin.http.hostPort }} {{- end}}
{{- end}} protocol: TCP
protocol: TCP {{- end }}
{{- end }} {{- if (and .Values.proxy.http.enabled .Values.proxy.enabled) }}
{{- if (and .Values.admin.tls.enabled .Values.admin.enabled) }} - name: proxy
- name: admin-tls containerPort: {{ .Values.proxy.http.containerPort }}
containerPort: {{ .Values.admin.tls.containerPort }} {{- if .Values.proxy.http.hostPort }}
{{- if .Values.admin.tls.hostPort }} hostPort: {{ .Values.proxy.http.hostPort }}
hostPort: {{ .Values.admin.tls.hostPort }} {{- end}}
{{- end}} protocol: TCP
protocol: TCP {{- end }}
{{- end }} {{- if (and .Values.proxy.tls.enabled .Values.proxy.enabled)}}
{{- if (and .Values.proxy.http.enabled .Values.proxy.enabled) }} - name: proxy-tls
- name: proxy containerPort: {{ .Values.proxy.tls.containerPort }}
containerPort: {{ .Values.proxy.http.containerPort }} {{- if .Values.proxy.tls.hostPort }}
{{- if .Values.proxy.http.hostPort }} hostPort: {{ .Values.proxy.tls.hostPort }}
hostPort: {{ .Values.proxy.http.hostPort }} {{- end}}
{{- end}} protocol: TCP
protocol: TCP {{- end }}
{{- end }} {{- range .Values.proxy.stream }}
{{- if (and .Values.proxy.tls.enabled .Values.proxy.enabled)}} - name: stream{{ if (eq (default "TCP" .protocol) "UDP") }}udp{{ end }}-{{ .containerPort }}
- name: proxy-tls containerPort: {{ .containerPort }}
containerPort: {{ .Values.proxy.tls.containerPort }} {{- if .hostPort }}
{{- if .Values.proxy.tls.hostPort }} hostPort: {{ .hostPort }}
hostPort: {{ .Values.proxy.tls.hostPort }} {{- end}}
{{- end}} protocol: {{ .protocol }}
protocol: TCP {{- end }}
{{- end }} {{- range .Values.udpProxy.stream }}
{{- range .Values.proxy.stream }} - name: streamudp-{{ .containerPort }}
- name: stream{{ if (eq (default "TCP" .protocol) "UDP") }}udp{{ end }}-{{ .containerPort }} containerPort: {{ .containerPort }}
containerPort: {{ .containerPort }} {{- if .hostPort }}
{{- if .hostPort }} hostPort: {{ .hostPort }}
hostPort: {{ .hostPort }} {{- end}}
{{- end}} protocol: {{ .protocol }}
protocol: {{ .protocol }} {{- end }}
{{- end }} {{- if (and .Values.status.http.enabled .Values.status.enabled)}}
{{- range .Values.udpProxy.stream }} - name: status
- name: streamudp-{{ .containerPort }} containerPort: {{ .Values.status.http.containerPort }}
containerPort: {{ .containerPort }} {{- if .Values.status.http.hostPort }}
{{- if .hostPort }} hostPort: {{ .Values.status.http.hostPort }}
hostPort: {{ .hostPort }} {{- end}}
{{- end}} protocol: TCP
protocol: {{ .protocol }} {{- end }}
{{- end }} {{- if (and .Values.status.tls.enabled .Values.status.enabled) }}
{{- if (and .Values.status.http.enabled .Values.status.enabled)}} - name: status-tls
- name: status containerPort: {{ .Values.status.tls.containerPort }}
containerPort: {{ .Values.status.http.containerPort }} {{- if .Values.status.tls.hostPort }}
{{- if .Values.status.http.hostPort }} hostPort: {{ .Values.status.tls.hostPort }}
hostPort: {{ .Values.status.http.hostPort }} {{- end}}
{{- end}} protocol: TCP
protocol: TCP {{- end }}
{{- end }} {{- if (and .Values.cluster.tls.enabled .Values.cluster.enabled) }}
{{- if (and .Values.status.tls.enabled .Values.status.enabled) }} - name: cluster-tls
- name: status-tls containerPort: {{ .Values.cluster.tls.containerPort }}
containerPort: {{ .Values.status.tls.containerPort }} {{- if .Values.cluster.tls.hostPort }}
{{- if .Values.status.tls.hostPort }} hostPort: {{ .Values.cluster.tls.hostPort }}
hostPort: {{ .Values.status.tls.hostPort }} {{- end}}
{{- end}} protocol: TCP
protocol: TCP {{- end }}
{{- end }} {{- if .Values.enterprise.enabled }}
{{- if (and .Values.cluster.tls.enabled .Values.cluster.enabled) }} {{- if (and .Values.manager.http.enabled .Values.manager.enabled) }}
- name: cluster-tls - name: manager
containerPort: {{ .Values.cluster.tls.containerPort }} containerPort: {{ .Values.manager.http.containerPort }}
{{- if .Values.cluster.tls.hostPort }} {{- if .Values.manager.http.hostPort }}
hostPort: {{ .Values.cluster.tls.hostPort }} hostPort: {{ .Values.manager.http.hostPort }}
{{- end}} {{- end}}
protocol: TCP protocol: TCP
{{- end }} {{- end }}
{{- if .Values.enterprise.enabled }} {{- if (and .Values.manager.tls.enabled .Values.manager.enabled) }}
{{- if (and .Values.manager.http.enabled .Values.manager.enabled) }} - name: manager-tls
- name: manager containerPort: {{ .Values.manager.tls.containerPort }}
containerPort: {{ .Values.manager.http.containerPort }} {{- if .Values.manager.tls.hostPort }}
{{- if .Values.manager.http.hostPort }} hostPort: {{ .Values.manager.tls.hostPort }}
hostPort: {{ .Values.manager.http.hostPort }} {{- end}}
{{- end}} protocol: TCP
protocol: TCP {{- end }}
{{- end }} {{- if (and .Values.portal.http.enabled .Values.portal.enabled) }}
{{- if (and .Values.manager.tls.enabled .Values.manager.enabled) }} - name: portal
- name: manager-tls containerPort: {{ .Values.portal.http.containerPort }}
containerPort: {{ .Values.manager.tls.containerPort }} {{- if .Values.portal.http.hostPort }}
{{- if .Values.manager.tls.hostPort }} hostPort: {{ .Values.portal.http.hostPort }}
hostPort: {{ .Values.manager.tls.hostPort }} {{- end}}
{{- end}} protocol: TCP
protocol: TCP {{- end }}
{{- end }} {{- if (and .Values.portal.tls.enabled .Values.portal.enabled) }}
{{- if (and .Values.portal.http.enabled .Values.portal.enabled) }} - name: portal-tls
- name: portal containerPort: {{ .Values.portal.tls.containerPort }}
containerPort: {{ .Values.portal.http.containerPort }} {{- if .Values.portal.tls.hostPort }}
{{- if .Values.portal.http.hostPort }} hostPort: {{ .Values.portal.tls.hostPort }}
hostPort: {{ .Values.portal.http.hostPort }} {{- end}}
{{- end}} protocol: TCP
protocol: TCP {{- end }}
{{- end }} {{- if (and .Values.portalapi.http.enabled .Values.portalapi.enabled) }}
{{- if (and .Values.portal.tls.enabled .Values.portal.enabled) }} - name: portalapi
- name: portal-tls containerPort: {{ .Values.portalapi.http.containerPort }}
containerPort: {{ .Values.portal.tls.containerPort }} {{- if .Values.portalapi.http.hostPort }}
{{- if .Values.portal.tls.hostPort }} hostPort: {{ .Values.portalapi.http.hostPort }}
hostPort: {{ .Values.portal.tls.hostPort }} {{- end}}
{{- end}} protocol: TCP
protocol: TCP {{- end }}
{{- end }} {{- if (and .Values.portalapi.tls.enabled .Values.portalapi.enabled) }}
{{- if (and .Values.portalapi.http.enabled .Values.portalapi.enabled) }} - name: portalapi-tls
- name: portalapi containerPort: {{ .Values.portalapi.tls.containerPort }}
containerPort: {{ .Values.portalapi.http.containerPort }} {{- if .Values.portalapi.tls.hostPort }}
{{- if .Values.portalapi.http.hostPort }} hostPort: {{ .Values.portalapi.tls.hostPort }}
hostPort: {{ .Values.portalapi.http.hostPort }} {{- end}}
{{- end}} protocol: TCP
protocol: TCP {{- end }}
{{- end }} {{- if (and .Values.clustertelemetry.tls.enabled .Values.clustertelemetry.enabled) }}
{{- if (and .Values.portalapi.tls.enabled .Values.portalapi.enabled) }} - name: clustert-tls
- name: portalapi-tls containerPort: {{ .Values.clustertelemetry.tls.containerPort }}
containerPort: {{ .Values.portalapi.tls.containerPort }} {{- if .Values.clustertelemetry.tls.hostPort }}
{{- if .Values.portalapi.tls.hostPort }} hostPort: {{ .Values.clustertelemetry.tls.hostPort }}
hostPort: {{ .Values.portalapi.tls.hostPort }} {{- end}}
{{- end}} protocol: TCP
protocol: TCP {{- end }}
{{- end }} {{- end }}
{{- if (and .Values.clustertelemetry.tls.enabled .Values.clustertelemetry.enabled) }} volumeMounts:
- name: clustert-tls {{- include "kong.volumeMounts" . | nindent 10 }}
containerPort: {{ .Values.clustertelemetry.tls.containerPort }} {{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 10 }}
{{- if .Values.clustertelemetry.tls.hostPort }} readinessProbe:
hostPort: {{ .Values.clustertelemetry.tls.hostPort }} {{ toYaml .Values.readinessProbe | indent 10 }}
{{- end}} livenessProbe:
protocol: TCP {{ toYaml .Values.livenessProbe | indent 10 }}
{{- end }} resources:
{{- end }} {{ toYaml .Values.resources | indent 10 }}
volumeMounts: {{- end }} {{/* End of Kong container spec */}}
{{- include "kong.volumeMounts" . | nindent 10 }} {{- if .Values.affinity }}
{{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 10 }} affinity:
readinessProbe: {{ toYaml .Values.affinity | indent 8 }}
{{ toYaml .Values.readinessProbe | indent 10 }} {{- end }}
livenessProbe: {{- if .Values.topologySpreadConstraints }}
{{ toYaml .Values.livenessProbe | indent 10 }} topologySpreadConstraints:
resources: {{ toYaml .Values.topologySpreadConstraints | indent 8 }}
{{ toYaml .Values.resources | indent 10 }} {{- end }}
{{- end }} {{/* End of Kong container spec */}} securityContext:
{{- if .Values.affinity }} {{- include "kong.podsecuritycontext" . | nindent 8 }}
affinity: {{- if .Values.nodeSelector }}
{{ toYaml .Values.affinity | indent 8 }} nodeSelector:
{{- end }} {{ toYaml .Values.nodeSelector | indent 8 }}
{{- if .Values.topologySpreadConstraints }} {{- end }}
topologySpreadConstraints: terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
{{ toYaml .Values.topologySpreadConstraints | indent 8 }} {{- if .Values.tolerations }}
{{- end }} tolerations:
securityContext: {{ toYaml .Values.tolerations | indent 8 }}
{{- include "kong.podsecuritycontext" . | nindent 8 }} {{- end }}
{{- if .Values.nodeSelector }} volumes:
nodeSelector: - name: advanced-model
{{ toYaml .Values.nodeSelector | indent 8 }} configMap:
{{- end }} name: advanced-model-config
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} optional: true
{{- if .Values.tolerations }} {{- include "kong.volumes" . | nindent 8 -}}
tolerations: {{- include "kong.userDefinedVolumes" . | nindent 8 -}}
{{ toYaml .Values.tolerations | indent 8 }} {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
{{- end }} - name: {{ template "kong.serviceAccountTokenName" . }}
volumes: {{- /* Due to GKE versions (e.g. v1.23.15-gke.1900) we need to handle pre-release part of the version as well.
- name: advanced-model See the related documentation of semver module that Helm depends on for semverCompare:
configMap: https://github.com/Masterminds/semver#working-with-prerelease-versions
name: advanced-model-config Related Helm issue: https://github.com/helm/helm/issues/3810 */}}
optional: true {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
{{- include "kong.volumes" . | nindent 8 -}} projected:
{{- include "kong.userDefinedVolumes" . | nindent 8 -}} sources:
{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }} - serviceAccountToken:
- name: {{ template "kong.serviceAccountTokenName" . }} expirationSeconds: 3607
{{- /* Due to GKE versions (e.g. v1.23.15-gke.1900) we need to handle pre-release part of the version as well. path: token
See the related documentation of semver module that Helm depends on for semverCompare: - configMap:
https://github.com/Masterminds/semver#working-with-prerelease-versions items:
Related Helm issue: https://github.com/helm/helm/issues/3810 */}} - key: ca.crt
{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} path: ca.crt
projected: name: kube-root-ca.crt
sources: - downwardAPI:
- serviceAccountToken: items:
expirationSeconds: 3607 - fieldRef:
path: token apiVersion: v1
- configMap: fieldPath: metadata.namespace
items: path: namespace
- key: ca.crt {{- else }}
path: ca.crt secret:
name: kube-root-ca.crt secretName: {{ template "kong.serviceAccountTokenName" . }}
- downwardAPI: items:
items: - key: token
- fieldRef: path: token
apiVersion: v1 - key: ca.crt
fieldPath: metadata.namespace path: ca.crt
path: namespace - key: namespace
{{- else }} path: namespace
secret: {{- end -}}
secretName: {{ template "kong.serviceAccountTokenName" . }} {{- end }}
items: {{- if eq .Values.kind "AppSecStateful" }}
- key: token volumeClaimTemplates:
path: token - metadata:
- key: ca.crt name: appsec-conf
path: ca.crt spec:
- key: namespace accessModes: [ "ReadWriteOnce" ]
path: namespace # Need to create a storage class resource.
{{- end -}} {{- if .Values.appsec.persistence.storageClass }}
{{- end }} {{- if (eq "-" .Values.appsec.persistence.storageClass) }}
{{- if eq .Values.kind "AppSecStateful" }} storageClassName: ""
volumeClaimTemplates: {{- else }}
- metadata: storageClassName: "{{ .Values.appsec.persistence.storageClass }}"
name: appsec-conf {{- end -}}
spec: {{- end }}
accessModes: [ "ReadWriteOnce" ] resources:
# Need to create a storage class resource. requests:
{{- if .Values.appsec.persistence.storageClass }} storage: {{ .Values.appsec.persistence.conf.size | quote }}
{{- if (eq "-" .Values.appsec.persistence.storageClass) }} - metadata:
storageClassName: "" name: appsec-data
{{- else }} spec:
storageClassName: "{{ .Values.appsec.persistence.storageClass }}" accessModes: [ "ReadWriteOnce" ]
{{- end -}} # Need to create a storage class resource.
{{- end }} {{- if .Values.appsec.persistence.storageClass }}
resources: {{- if (eq "-" .Values.appsec.persistence.storageClass) }}
requests: storageClassName: ""
storage: {{ .Values.appsec.persistence.conf.size | quote }} {{- else }}
- metadata: storageClassName: "{{ .Values.appsec.persistence.storageClass }}"
name: appsec-data {{- end -}}
spec: {{- end }}
accessModes: [ "ReadWriteOnce" ] resources:
# Need to create a storage class resource. requests:
{{- if .Values.appsec.persistence.storageClass }} storage: {{ .Values.appsec.persistence.data.size | quote }}
{{- if (eq "-" .Values.appsec.persistence.storageClass) }} {{- end }}
storageClassName: "" {{- end }}
{{- else }}
storageClassName: "{{ .Values.appsec.persistence.storageClass }}"
{{- end -}}
{{- end }}
resources:
requests:
storage: {{ .Values.appsec.persistence.data.size | quote }}
{{- end }}
{{- end }}

26
build_system/charts/open-appsec-kong/templates/certificate.yaml
View File

@ -6,6 +6,8 @@
{{- $_ := set $genericCertificateConfig "metaLabels" (include "kong.metaLabels" .) -}} {{- $_ := set $genericCertificateConfig "metaLabels" (include "kong.metaLabels" .) -}}
{{- $_ := set $genericCertificateConfig "globalIssuer" .Values.certificates.issuer -}} {{- $_ := set $genericCertificateConfig "globalIssuer" .Values.certificates.issuer -}}
{{- $_ := set $genericCertificateConfig "globalClusterIssuer" .Values.certificates.clusterIssuer -}} {{- $_ := set $genericCertificateConfig "globalClusterIssuer" .Values.certificates.clusterIssuer -}}
{{- $_ := set $genericCertificateConfig "globalSubject" .Values.certificates.subject -}}
{{- $_ := set $genericCertificateConfig "globalPrivateKey" .Values.certificates.privateKey -}}
{{- $_ := set $genericCertificateConfig "defaultIssuer" (printf "%s-%s-%s" .Release.Name .Chart.Name "selfsigned-issuer") -}} {{- $_ := set $genericCertificateConfig "defaultIssuer" (printf "%s-%s-%s" .Release.Name .Chart.Name "selfsigned-issuer") -}}
{{- if .Values.certificates.admin.enabled }} {{- if .Values.certificates.admin.enabled }}
@ -28,10 +30,7 @@
{{- if .Values.certificates.cluster.enabled }} {{- if .Values.certificates.cluster.enabled }}
{{- $certificateConfig := dict -}} {{- $certificateConfig := dict -}}
{{- $certificateConfig = mustMerge (mustDeepCopy $genericCertificateConfig) $certificateConfig -}} {{- $certificateConfig = mustMerge (mustDeepCopy $genericCertificateConfig) .Values.certificates.cluster -}}
{{- $_ := set $certificateConfig "dnsNames" (list) -}}
{{- $_ := set $certificateConfig "commonName" "kong_cluster" -}}
{{- $certificateConfig = (mustMerge $certificateConfig .Values.certificates.cluster) -}}
{{- $_ := set $certificateConfig "serviceName" "cluster" -}} {{- $_ := set $certificateConfig "serviceName" "cluster" -}}
{{- include "kong.certificate" $certificateConfig -}} {{- include "kong.certificate" $certificateConfig -}}
{{- end }} {{- end }}
@ -54,9 +53,22 @@ spec:
{{- range (append .dnsNames .commonName) }} {{- range (append .dnsNames .commonName) }}
- {{ . | quote }} - {{ . | quote }}
{{- end }} {{- end }}
renewBefore: 360h renewBefore: 360h0m0s
duration: 2160h duration: 2160h0m0s
isCA: false {{ if .subject -}}
subject:
{{- toYaml .subject | nindent 4 }}
{{ else if .globalSubject -}}
subject:
{{- toYaml .globalSubject | nindent 4 }}
{{- end }}
{{ if .privateKey -}}
privateKey:
{{- toYaml .privateKey | nindent 4 }}
{{ else if .globalPrivateKey -}}
privateKey:
{{- toYaml .globalPrivateKey | nindent 4 }}
{{- end }}
{{ if .clusterIssuer -}} {{ if .clusterIssuer -}}
issuerRef: issuerRef:
name: {{ .clusterIssuer }} name: {{ .clusterIssuer }}

3
build_system/charts/open-appsec-kong/templates/controller-rbac-resources.yaml
View File

@ -35,12 +35,14 @@ rules:
- configmaps - configmaps
verbs: verbs:
- create - create
{{- if (semverCompare "< 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
- apiGroups: - apiGroups:
- "" - ""
resources: resources:
- endpoints - endpoints
verbs: verbs:
- get - get
{{- end }}
# Begin KIC 2.x leader permissions # Begin KIC 2.x leader permissions
- apiGroups: - apiGroups:
- "" - ""
@ -67,7 +69,6 @@ rules:
- "" - ""
resources: resources:
- services - services
- endpoints
verbs: verbs:
- get - get
--- ---

6
build_system/charts/open-appsec-kong/templates/deployment.yaml
View File

@ -83,6 +83,7 @@ spec:
- name: {{ . }} - name: {{ . }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if .Values.deployment.kong.enabled }}
initContainers: initContainers:
- name: clear-stale-pid - name: clear-stale-pid
image: {{ include "kong.getRepoTag" .Values.image }} image: {{ include "kong.getRepoTag" .Values.image }}
@ -105,6 +106,7 @@ spec:
{{- if (and (not (eq .Values.env.database "off")) .Values.waitImage.enabled) }} {{- if (and (not (eq .Values.env.database "off")) .Values.waitImage.enabled) }}
{{- include "kong.wait-for-db" . | nindent 6 }} {{- include "kong.wait-for-db" . | nindent 6 }}
{{- end }} {{- end }}
{{- end }}
{{- if .Values.deployment.hostAliases }} {{- if .Values.deployment.hostAliases }}
hostAliases: hostAliases:
{{- toYaml .Values.deployment.hostAliases | nindent 6 }} {{- toYaml .Values.deployment.hostAliases | nindent 6 }}
@ -271,6 +273,10 @@ spec:
{{ toYaml .Values.readinessProbe | indent 10 }} {{ toYaml .Values.readinessProbe | indent 10 }}
livenessProbe: livenessProbe:
{{ toYaml .Values.livenessProbe | indent 10 }} {{ toYaml .Values.livenessProbe | indent 10 }}
{{- if .Values.startupProbe }}
startupProbe:
{{ toYaml .Values.startupProbe | indent 10 }}
{{- end }}
resources: resources:
{{ toYaml .Values.resources | indent 10 }} {{ toYaml .Values.resources | indent 10 }}
{{- end }} {{/* End of Kong container spec */}} {{- end }} {{/* End of Kong container spec */}}

6
build_system/charts/open-appsec-kong/templates/hpa.yaml
View File

@ -17,10 +17,10 @@ spec:
behavior: behavior:
{{- toYaml .Values.autoscaling.behavior | nindent 4 }} {{- toYaml .Values.autoscaling.behavior | nindent 4 }}
{{- end }} {{- end }}
{{- if not (.Capabilities.APIVersions.Has "autoscaling/v2beta2") }} {{- if contains "autoscaling/v2" (include "kong.autoscalingVersion" . ) }}
targetCPUUtilizationPercentage: {{ .Values.autoscaling.targetCPUUtilizationPercentage | default 80 }}
{{- else }}
metrics: metrics:
{{- toYaml .Values.autoscaling.metrics | nindent 4 }} {{- toYaml .Values.autoscaling.metrics | nindent 4 }}
{{- else }}
targetCPUUtilizationPercentage: {{ .Values.autoscaling.targetCPUUtilizationPercentage | default 80 }}
{{- end }} {{- end }}
{{- end }} {{- end }}

2
build_system/charts/open-appsec-kong/templates/migrations-post-upgrade.yaml
View File

@ -59,7 +59,7 @@ spec:
{{- toYaml .Values.migrations.sidecarContainers | nindent 6 }} {{- toYaml .Values.migrations.sidecarContainers | nindent 6 }}
{{- end }} {{- end }}
- name: {{ template "kong.name" . }}-post-upgrade-migrations - name: {{ template "kong.name" . }}-post-upgrade-migrations
{{- if eq .Values.kind "Vanilla" }} {{- if eq .Values.kind "Vanilla" }}
image: {{ include "kong.getRepoTag" .Values.image }} image: {{ include "kong.getRepoTag" .Values.image }}
{{- else }} {{- else }}
image: {{ include "kong.getRepoTag" .Values.appsec.kong.image }} image: {{ include "kong.getRepoTag" .Values.appsec.kong.image }}

2
build_system/charts/open-appsec-kong/templates/migrations-pre-upgrade.yaml
View File

@ -59,7 +59,7 @@ spec:
{{- toYaml .Values.migrations.sidecarContainers | nindent 6 }} {{- toYaml .Values.migrations.sidecarContainers | nindent 6 }}
{{- end }} {{- end }}
- name: {{ template "kong.name" . }}-upgrade-migrations - name: {{ template "kong.name" . }}-upgrade-migrations
{{- if eq .Values.kind "Vanilla" }} {{- if eq .Values.kind "Vanilla" }}
image: {{ include "kong.getRepoTag" .Values.image }} image: {{ include "kong.getRepoTag" .Values.image }}
{{- else }} {{- else }}
image: {{ include "kong.getRepoTag" .Values.appsec.kong.image }} image: {{ include "kong.getRepoTag" .Values.appsec.kong.image }}

96
build_system/charts/open-appsec-kong/templates/service-kong-admin.yaml
View File

@ -15,3 +15,99 @@
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- define "adminApiService.certSecretName" -}}
{{- default (printf "%s-admin-api-keypair" (include "kong.fullname" .)) .Values.ingressController.adminApi.tls.client.secretName -}}
{{- end -}}
{{- define "adminApiService.caSecretName" -}}
{{- default (printf "%s-admin-api-ca-keypair" (include "kong.fullname" .)) .Values.ingressController.adminApi.tls.client.caSecretName -}}
{{- end -}}
{{- $clientVerifyEnabled := .Values.ingressController.adminApi.tls.client.enabled -}}
{{- $clientCertProvided := .Values.ingressController.adminApi.tls.client.certProvided -}}
{{/* If the client verification is enabled but no secret was provided by the user, let's generate certificates. */ -}}
{{- if and $clientVerifyEnabled (not $clientCertProvided) }}
{{- $certCert := "" -}}
{{- $certKey := "" -}}
{{- $cn := printf "admin.%s.svc" ( include "kong.namespace" . ) -}}
{{- $ca := genCA "admin-api-ca" 3650 -}}
{{- $cert := genSignedCert $cn nil (list $cn) 3650 $ca -}}
{{- $certCert = $cert.Cert -}}
{{- $certKey = $cert.Key -}}
{{/* Verify whether a secret with a given name already exists. If it does, let's use its cert and key data. */}}
{{- $certSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (include "adminApiService.certSecretName" .)) -}}
{{- if $certSecret }}
{{- $certCert = (b64dec (get $certSecret.data "tls.crt")) -}}
{{- $certKey = (b64dec (get $certSecret.data "tls.key")) -}}
{{- end }}
{{- $caCert := $ca.Cert -}}
{{- $caKey := $ca.Key -}}
{{/* Verify whether a secret with a given name already exists. If it does, let's use its cert and key data. */ -}}
{{- $caSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (include "adminApiService.caSecretName" .))}}
{{- if $caSecret }}
{{- $caCert = (b64dec (get $caSecret.data "tls.crt")) -}}
{{- $caKey = (b64dec (get $caSecret.data "tls.key")) -}}
{{- end }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ template "adminApiService.certSecretName" . }}
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
type: kubernetes.io/tls
data:
tls.crt: {{ b64enc $certCert }}
tls.key: {{ b64enc $certKey }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ template "adminApiService.caSecretName" . }}
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
type: kubernetes.io/tls
data:
tls.crt: {{ b64enc $caCert }}
tls.key: {{ b64enc $caKey }}
{{- end }}
{{- /* Create a CA ConfigMap for Kong. */ -}}
{{- $secretProvided := $.Values.admin.tls.client.secretName -}}
{{- $bundleProvided := $.Values.admin.tls.client.caBundle -}}
{{- if or $secretProvided $bundleProvided -}}
{{- $cert := "" -}}
{{- if $secretProvided -}}
{{- $certSecret := (lookup "v1" "Secret" (include "kong.namespace" .) $.Values.admin.tls.client.secretName) -}}
{{- if $certSecret }}
{{- $cert = (b64dec (get $certSecret.data "tls.crt")) -}}
{{- else -}}
{{- fail (printf "%s/%s secret not found" (include "kong.namespace" .) $.Values.admin.tls.client.secretName) -}}
{{- end }}
{{- end }}
{{- if $bundleProvided -}}
{{- $cert = $.Values.admin.tls.client.caBundle -}}
{{- end }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "kong.fullname" . }}-admin-client-ca
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
data:
tls.crt: {{ $cert | quote }}
{{- end -}}

148
build_system/charts/open-appsec-kong/values.yaml
View File

@ -1,5 +1,3 @@
--- # -----------------------------------------------------------------------------
# Default values for Kong's Helm Chart. # Default values for Kong's Helm Chart.
# Declare variables to be passed into your templates. # Declare variables to be passed into your templates.
# #
@ -13,6 +11,8 @@
# ----------------------------------------------------------------------------- # -----------------------------------------------------------------------------
# Deployment parameters # Deployment parameters
# -----------------------------------------------------------------------------
deployment: deployment:
kong: kong:
# Enable or disable Kong itself # Enable or disable Kong itself
@ -121,10 +121,10 @@ extraLabels: {}
# Specify Kong's Docker image and repository details here # Specify Kong's Docker image and repository details here
image: image:
repository: kong repository: kong
tag: "3.1" tag: "3.2"
# Kong Enterprise # Kong Enterprise
# repository: kong/kong-gateway # repository: kong/kong-gateway
# tag: "3.1" # tag: "3.2"
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets. ## Optionally specify an array of imagePullSecrets.
@ -141,6 +141,7 @@ admin:
# Enterprise users that wish to use Kong Manager with the controller should enable this # Enterprise users that wish to use Kong Manager with the controller should enable this
enabled: false enabled: false
type: NodePort type: NodePort
loadBalancerClass:
# To specify annotations or labels for the admin service, add them to the respective # To specify annotations or labels for the admin service, add them to the respective
# "annotations" or "labels" dictionaries below. # "annotations" or "labels" dictionaries below.
annotations: {} annotations: {}
@ -170,7 +171,15 @@ admin:
# nodePort: 32443 # nodePort: 32443
# Additional listen parameters, e.g. "reuseport", "backlog=16384" # Additional listen parameters, e.g. "reuseport", "backlog=16384"
parameters: parameters:
- http2 - http2
# Specify the CA certificate to use for TLS verification of the Admin API client by:
# - secretName - the secret must contain a key named "tls.crt" with the PEM-encoded certificate.
# - caBundle (PEM-encoded certificate string).
# If both are set, caBundle takes precedence.
client:
caBundle: ""
secretName: ""
# Kong admin ingress settings. Useful if you want to expose the Admin # Kong admin ingress settings. Useful if you want to expose the Admin
# API of Kong outside the k8s cluster. # API of Kong outside the k8s cluster.
@ -235,6 +244,7 @@ cluster:
parameters: [] parameters: []
type: ClusterIP type: ClusterIP
loadBalancerClass:
# Kong cluster ingress settings. Useful if you want to split CP and DP # Kong cluster ingress settings. Useful if you want to split CP and DP
# in different clusters. # in different clusters.
@ -258,6 +268,9 @@ proxy:
# Enable creating a Kubernetes service for the proxy # Enable creating a Kubernetes service for the proxy
enabled: true enabled: true
type: LoadBalancer type: LoadBalancer
loadBalancerClass:
# Override proxy Service name
nameOverride: ""
# To specify annotations or labels for the proxy service, add them to the respective # To specify annotations or labels for the proxy service, add them to the respective
# "annotations" or "labels" dictionaries below. # "annotations" or "labels" dictionaries below.
annotations: {} annotations: {}
@ -291,18 +304,17 @@ proxy:
# nodePort: 32443 # nodePort: 32443
# Additional listen parameters, e.g. "reuseport", "backlog=16384" # Additional listen parameters, e.g. "reuseport", "backlog=16384"
parameters: parameters:
- http2 - http2
# Define stream (TCP) listen # Define stream (TCP) listen
# To enable, remove "[]", uncomment the section below, and select your desired # To enable, remove "[]", uncomment the section below, and select your desired
# ports and parameters. Listens are dynamically named after their servicePort, # ports and parameters. Listens are dynamically named after their containerPort,
# e.g. "stream-9000" for the below. # e.g. "stream-9000" for the below.
# Note: although you can select the protocol here, you cannot set UDP if you # Note: although you can select the protocol here, you cannot set UDP if you
# use a LoadBalancer Service due to limitations in current Kubernetes versions. # use a LoadBalancer Service due to limitations in current Kubernetes versions.
# To proxy both TCP and UDP with LoadBalancers, you must enable the udpProxy Service # To proxy both TCP and UDP with LoadBalancers, you must enable the udpProxy Service
# in the next section and place all UDP stream listen configuration under it. # in the next section and place all UDP stream listen configuration under it.
stream: stream: []
[]
# # Set the container (internal) and service (external) ports for this listen. # # Set the container (internal) and service (external) ports for this listen.
# # These values should normally be the same. If your environment requires they # # These values should normally be the same. If your environment requires they
# # differ, note that Kong will match routes based on the containerPort only. # # differ, note that Kong will match routes based on the containerPort only.
@ -345,6 +357,7 @@ udpProxy:
# Enable creating a Kubernetes service for UDP proxying # Enable creating a Kubernetes service for UDP proxying
enabled: false enabled: false
type: LoadBalancer type: LoadBalancer
loadBalancerClass:
# To specify annotations or labels for the proxy service, add them to the respective # To specify annotations or labels for the proxy service, add them to the respective
# "annotations" or "labels" dictionaries below. # "annotations" or "labels" dictionaries below.
annotations: {} annotations: {}
@ -357,8 +370,7 @@ udpProxy:
# To enable, remove "[]", uncomment the section below, and select your desired # To enable, remove "[]", uncomment the section below, and select your desired
# ports and parameters. Listens are dynamically named after their servicePort, # ports and parameters. Listens are dynamically named after their servicePort,
# e.g. "stream-9000" for the below. # e.g. "stream-9000" for the below.
stream: stream: []
[]
# # Set the container (internal) and service (external) ports for this listen. # # Set the container (internal) and service (external) ports for this listen.
# # These values should normally be the same. If your environment requires they # # These values should normally be the same. If your environment requires they
# # differ, note that Kong will match routes based on the containerPort only. # # differ, note that Kong will match routes based on the containerPort only.
@ -381,8 +393,7 @@ udpProxy:
# Subdirectories (which are optional) require separate ConfigMaps/Secrets. # Subdirectories (which are optional) require separate ConfigMaps/Secrets.
# "path" indicates their directory under the main plugin directory: the example # "path" indicates their directory under the main plugin directory: the example
# below will mount the contents of kong-plugin-rewriter-migrations at "/opt/kong/rewriter/migrations". # below will mount the contents of kong-plugin-rewriter-migrations at "/opt/kong/rewriter/migrations".
plugins: plugins: {}
{}
# configMaps: # configMaps:
# - pluginName: rewriter # - pluginName: rewriter
# name: kong-plugin-rewriter # name: kong-plugin-rewriter
@ -473,7 +484,7 @@ ingressController:
enabled: true enabled: true
image: image:
repository: kong/kubernetes-ingress-controller repository: kong/kubernetes-ingress-controller
tag: "2.8" tag: "2.9"
# Optionally set a semantic version for version-gated features. This can normally # Optionally set a semantic version for version-gated features. This can normally
# be left unset. You only need to set this if your tag is not a semver string, # be left unset. You only need to set this if your tag is not a semver string,
# such as when you are using a "next" tag. Set this to the effective semantic # such as when you are using a "next" tag. Set this to the effective semantic
@ -482,6 +493,12 @@ ingressController:
effectiveSemver: effectiveSemver:
args: [] args: []
gatewayDiscovery:
enabled: false
adminApiService:
namespace: ""
name: ""
# Specify individual namespaces to watch for ingress configuration. By default, # Specify individual namespaces to watch for ingress configuration. By default,
# when no namespaces are set, the controller watches all namespaces and uses a # when no namespaces are set, the controller watches all namespaces and uses a
# ClusterRole to grant access to Kubernetes resources. When you list specific # ClusterRole to grant access to Kubernetes resources. When you list specific
@ -516,12 +533,16 @@ ingressController:
port: 8080 port: 8080
certificate: certificate:
provided: false provided: false
namespaceSelector: {}
# Specifiy the secretName when the certificate is provided via a TLS secret # Specifiy the secretName when the certificate is provided via a TLS secret
# secretName: "" # secretName: ""
# Specifiy the CA bundle of the provided certificate. # Specifiy the CA bundle of the provided certificate.
# This is a PEM encoded CA bundle which will be used to validate the webhook certificate. If unspecified, system trust roots on the apiserver are used. # This is a PEM encoded CA bundle which will be used to validate the webhook certificate. If unspecified, system trust roots on the apiserver are used.
# caBundle: # caBundle:
# | Add the CA bundle content here. # | Add the CA bundle content here.
service:
# Specify custom labels for the validation webhook service.
labels: {}
ingressClass: kong ingressClass: kong
# annotations for IngressClass resource (Kubernetes 1.18+) # annotations for IngressClass resource (Kubernetes 1.18+)
@ -568,6 +589,46 @@ ingressController:
# cpu: 50m # cpu: 50m
# memory: 128Mi # memory: 128Mi
konnect:
enabled: false
# Specifies a Konnect Runtime Group's ID that the controller will push its data-plane config to.
runtimeGroupID: ""
# Specifies a Konnect API hostname that the controller will use to push its data-plane config to.
# By default, this is set to US region's production API hostname.
# If you are using a different region, you can set this to the appropriate hostname (e.g. "eu.kic.api.konghq.com").
apiHostname: "us.kic.api.konghq.com"
# Specifies a secret that contains a client TLS certificate that the controller
# will use to authenticate against Konnect APIs.
tlsClientCertSecretName: "konnect-client-tls"
license:
# Specifies whether the controller should fetch a license from Konnect and apply it to managed Gateways.
enabled: false
adminApi:
tls:
client:
# Enable TLS client authentication for the Admin API.
enabled: false
# If set to false, Helm will generate certificates for you.
# If set to true, you are expected to provide your own secret (see secretName, caSecretName).
certProvided: false
# Client TLS certificate/key pair secret name that Ingress Controller will use to authenticate with Kong Admin API.
# If certProvided is set to false, it is optional (can be specified though if you want to force Helm to use
# a specific secret name).
secretName: ""
# CA TLS certificate/key pair secret name that the client TLS certificate is signed by.
# If certProvided is set to false, it is optional (can be specified though if you want to force Helm to use
# a specific secret name).
caSecretName: ""
# ----------------------------------------------------------------------------- # -----------------------------------------------------------------------------
# Postgres sub-chart parameters # Postgres sub-chart parameters
# ----------------------------------------------------------------------------- # -----------------------------------------------------------------------------
@ -667,8 +728,8 @@ certificates:
# Issuers used by the control and data plane releases must match for this certificate. # Issuers used by the control and data plane releases must match for this certificate.
issuer: "" issuer: ""
clusterIssuer: "" clusterIssuer: ""
# commonName: "kong_cluster" commonName: "kong_clustering"
# dnsNames: [] dnsNames: []
# ----------------------------------------------------------------------------- # -----------------------------------------------------------------------------
# Miscellaneous parameters # Miscellaneous parameters
@ -689,8 +750,7 @@ waitImage:
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# update strategy # update strategy
updateStrategy: updateStrategy: {}
{}
# type: RollingUpdate # type: RollingUpdate
# rollingUpdate: # rollingUpdate:
# maxSurge: "100%" # maxSurge: "100%"
@ -698,8 +758,7 @@ updateStrategy:
# If you want to specify resources, uncomment the following # If you want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'. # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
resources: resources: {}
{}
# limits: # limits:
# cpu: 1 # cpu: 1
# memory: 2G # memory: 2G
@ -731,6 +790,18 @@ livenessProbe:
successThreshold: 1 successThreshold: 1
failureThreshold: 3 failureThreshold: 3
# startupProbe for Kong pods
# startupProbe:
# httpGet:
# path: "/status"
# port: status
# scheme: HTTP
# initialDelaySeconds: 5
# timeoutSeconds: 5
# periodSeconds: 2
# successThreshold: 1
# failureThreshold: 40
# Proxy container lifecycle hooks # Proxy container lifecycle hooks
# Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ # Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
lifecycle: lifecycle:
@ -741,7 +812,7 @@ lifecycle:
command: command:
- kong - kong
- quit - quit
- "--wait=15" - '--wait=15'
# Sets the termination grace period for pods spawned by the Kubernetes Deployment. # Sets the termination grace period for pods spawned by the Kubernetes Deployment.
# Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution # Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution
@ -821,10 +892,10 @@ podSecurityPolicy:
supplementalGroups: supplementalGroups:
rule: RunAsAny rule: RunAsAny
volumes: volumes:
- "configMap" - 'configMap'
- "secret" - 'secret'
- "emptyDir" - 'emptyDir'
- "projected" - 'projected'
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
hostNetwork: false hostNetwork: false
hostIPC: false hostIPC: false
@ -833,13 +904,15 @@ podSecurityPolicy:
# If you use Kong Enterprise <1.5, this must be set to false. # If you use Kong Enterprise <1.5, this must be set to false.
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
priorityClassName: "" priorityClassName: ""
# securityContext for Kong pods. # securityContext for Kong pods.
securityContext: {} securityContext: {}
# securityContext for containers. # securityContext for containers.
containerSecurityContext: {} containerSecurityContext:
readOnlyRootFilesystem: true
## Optional DNS configuration for Kong pods ## Optional DNS configuration for Kong pods
# dnsPolicy: ClusterFirst # dnsPolicy: ClusterFirst
@ -911,7 +984,7 @@ enterprise:
smtp_admin_emails: none@example.com smtp_admin_emails: none@example.com
smtp_host: smtp.example.com smtp_host: smtp.example.com
smtp_port: 587 smtp_port: 587
smtp_auth_type: "" smtp_auth_type: ''
smtp_ssl: nil smtp_ssl: nil
smtp_starttls: true smtp_starttls: true
auth: auth:
@ -919,13 +992,14 @@ enterprise:
# be left as-is. If smtp_username is set to anything other than an empty # be left as-is. If smtp_username is set to anything other than an empty
# string, you must create a Secret with an smtp_password key containing # string, you must create a Secret with an smtp_password key containing
# your SMTP password and specify its name here. # your SMTP password and specify its name here.
smtp_username: "" # e.g. postmaster@example.com smtp_username: '' # e.g. postmaster@example.com
smtp_password_secret: CHANGEME-smtp-password smtp_password_secret: CHANGEME-smtp-password
manager: manager:
# Enable creating a Kubernetes service for Kong Manager # Enable creating a Kubernetes service for Kong Manager
enabled: true enabled: true
type: NodePort type: NodePort
loadBalancerClass:
# To specify annotations or labels for the Manager service, add them to the respective # To specify annotations or labels for the Manager service, add them to the respective
# "annotations" or "labels" dictionaries below. # "annotations" or "labels" dictionaries below.
annotations: {} annotations: {}
@ -951,7 +1025,7 @@ manager:
# nodePort: 32443 # nodePort: 32443
# Additional listen parameters, e.g. "reuseport", "backlog=16384" # Additional listen parameters, e.g. "reuseport", "backlog=16384"
parameters: parameters:
- http2 - http2
ingress: ingress:
# Enable/disable exposure using ingress. # Enable/disable exposure using ingress.
@ -972,6 +1046,7 @@ portal:
# Enable creating a Kubernetes service for the Developer Portal # Enable creating a Kubernetes service for the Developer Portal
enabled: true enabled: true
type: NodePort type: NodePort
loadBalancerClass:
# To specify annotations or labels for the Portal service, add them to the respective # To specify annotations or labels for the Portal service, add them to the respective
# "annotations" or "labels" dictionaries below. # "annotations" or "labels" dictionaries below.
annotations: {} annotations: {}
@ -997,7 +1072,7 @@ portal:
# nodePort: 32443 # nodePort: 32443
# Additional listen parameters, e.g. "reuseport", "backlog=16384" # Additional listen parameters, e.g. "reuseport", "backlog=16384"
parameters: parameters:
- http2 - http2
ingress: ingress:
# Enable/disable exposure using ingress. # Enable/disable exposure using ingress.
@ -1018,6 +1093,7 @@ portalapi:
# Enable creating a Kubernetes service for the Developer Portal API # Enable creating a Kubernetes service for the Developer Portal API
enabled: true enabled: true
type: NodePort type: NodePort
loadBalancerClass:
# To specify annotations or labels for the Portal API service, add them to the respective # To specify annotations or labels for the Portal API service, add them to the respective
# "annotations" or "labels" dictionaries below. # "annotations" or "labels" dictionaries below.
annotations: {} annotations: {}
@ -1043,7 +1119,7 @@ portalapi:
# nodePort: 32443 # nodePort: 32443
# Additional listen parameters, e.g. "reuseport", "backlog=16384" # Additional listen parameters, e.g. "reuseport", "backlog=16384"
parameters: parameters:
- http2 - http2
ingress: ingress:
# Enable/disable exposure using ingress. # Enable/disable exposure using ingress.
@ -1075,6 +1151,7 @@ clustertelemetry:
parameters: [] parameters: []
type: ClusterIP type: ClusterIP
loadBalancerClass:
# Kong clustertelemetry ingress settings. Useful if you want to split # Kong clustertelemetry ingress settings. Useful if you want to split
# CP and DP in different clusters. # CP and DP in different clusters.
@ -1116,9 +1193,10 @@ extraObjects: []
# plugin: prometheus # plugin: prometheus
appsec: appsec:
mode: managed mode: managed
name: open-appsec name: open-appsec
image: image:
#registry:
repository: ghcr.io/openappsec repository: ghcr.io/openappsec
image: agent image: agent
tag: latest tag: latest
@ -1134,12 +1212,8 @@ appsec:
# runAsUser: 1000 # runAsUser: 1000
kong: kong:
image: image:
repository: "ghcr.io/openappsec/kong-attachment" repository: "ghcr.io/openappsec/kong-gateway-attachment"
tag: "latest" tag: "latest"
# Kong Enterprise with open-appsec attachment
# repository: "ghcr.io/openappsec/kong-gateway-attachment"
# tag: "latest"
resources: resources:
# limits: # limits:
# cpu: 100m # cpu: 100m