Open Appsec helm chart automation Wed Mar 27 16:27:33 IST 2024 latest

2025-09-30 03:34:26 +03:00 · 2024-03-27 16:27:33 +02:00
parent 3913e1e8b3
commit 8454b2dd9b
35 changed files with 3417 additions and 1044 deletions
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/Chart.lock
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/Chart.lock
@@ -3,4 +3,4 @@ dependencies:
  repository: https://charts.bitnami.com/bitnami
  version: 12.2.8
 digest: sha256:0d13b8b0c66b8e18781eac510ce58b069518ff14a6a15ad90375e7f0ffad71fe
-generated: "2024-02-18T16:45:15.395307713Z"
+generated: "2024-03-26T14:53:49.928153508Z"
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/Chart.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/Chart.yaml
@@ -1,7 +1,5 @@
 annotations:
-  artifacthub.io/changes: |-
-    - "update web hook cert gen to latest release v20231226-1a7112e06"
-    - "Update Ingress-Nginx version controller-v1.9.6"
+  artifacthub.io/changes: '- "Update Ingress-Nginx version controller-v1.10.0"'
  artifacthub.io/prerelease: "false"
 apiVersion: v2
 appVersion: latest
@@ -17,4 +15,4 @@ kubeVersion: '>=1.20.0-0'
 name: open-appsec-k8s-nginx-ingress
 sources:
 - https://github.com/kubernetes/ingress-nginx
-version: 4.9.1
+version: 4.10.0
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/README.md
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/README.md
@@ -2,7 +2,7 @@

 [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer

-![Version: 4.9.1](https://img.shields.io/badge/Version-4.9.1-informational?style=flat-square) ![AppVersion: 1.9.6](https://img.shields.io/badge/AppVersion-1.9.6-informational?style=flat-square)
+![Version: 4.10.0](https://img.shields.io/badge/Version-4.10.0-informational?style=flat-square) ![AppVersion: 1.10.0](https://img.shields.io/badge/AppVersion-1.10.0-informational?style=flat-square)

 To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.

@@ -253,11 +253,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.admissionWebhooks.namespaceSelector | object | `{}` |  |
 | controller.admissionWebhooks.objectSelector | object | `{}` |  |
 | controller.admissionWebhooks.patch.enabled | bool | `true` |  |
-| controller.admissionWebhooks.patch.image.digest | string | `"sha256:25d6a5f11211cc5c3f9f2bf552b585374af287b4debf693cacbe2da47daa5084"` |  |
+| controller.admissionWebhooks.patch.image.digest | string | `"sha256:44d1d0e9f19c63f58b380c5fddaca7cf22c7cee564adeff365225a5df5ef3334"` |  |
 | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` |  |
 | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` |  |
 | controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` |  |
-| controller.admissionWebhooks.patch.image.tag | string | `"v20231226-1a7112e06"` |  |
+| controller.admissionWebhooks.patch.image.tag | string | `"v1.4.0"` |  |
 | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources |
 | controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
 | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` |  |
@@ -317,7 +317,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.hostname | object | `{}` | Optionally customize the pod hostname. |
 | controller.image.allowPrivilegeEscalation | bool | `false` |  |
 | controller.image.chroot | bool | `false` |  |
-| controller.image.digest | string | `"sha256:1405cc613bd95b2c6edd8b2a152510ae91c7e62aea4698500d23b2145960ab9c"` |  |
+| controller.image.digest | string | `"sha256:42b3f0e5d0846876b1791cd3afeb5f1cbbe4259d6f35651dcc1b5c980925379c"` |  |
 | controller.image.digestChroot | string | `"sha256:7eb46ff733429e0e46892903c7394aff149ac6d284d92b3946f3baf7ff26a096"` |  |
 | controller.image.image | string | `"ingress-nginx/controller"` |  |
 | controller.image.pullPolicy | string | `"IfNotPresent"` |  |
@@ -326,7 +326,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.image.runAsNonRoot | bool | `true` |  |
 | controller.image.runAsUser | int | `101` |  |
 | controller.image.seccompProfile.type | string | `"RuntimeDefault"` |  |
-| controller.image.tag | string | `"v1.9.6"` |  |
+| controller.image.tag | string | `"v1.10.0"` |  |
 | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation |
 | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
 | controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass |
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/helm-chart-4.10.0.md
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/helm-chart-4.10.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.10.0
+
+* - "Update Ingress-Nginx version controller-v1.10.0"
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.9.1...helm-chart-4.10.0
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/_params.tpl
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/_params.tpl
@@ -29,7 +29,7 @@
 - --watch-namespace={{ default "$(POD_NAMESPACE)" .Values.controller.scope.namespace }}
 {{- end }}
 {{- if and (not .Values.controller.scope.enabled) .Values.controller.scope.namespaceSelector }}
- --watch-namespace-selector={{ default "" .Values.controller.scope.namespaceSelector }}
+- --watch-namespace-selector={{ .Values.controller.scope.namespaceSelector }}
 {{- end }}
 {{- if and .Values.controller.reportNodeInternalIp .Values.controller.hostNetwork }}
 - --report-node-internal-ip-address={{ .Values.controller.reportNodeInternalIp }}
@@ -54,6 +54,9 @@
 {{- if .Values.controller.watchIngressWithoutClass }}
 - --watch-ingress-without-class=true
 {{- end }}
+{{- if not .Values.controller.metrics.enabled }}
+- --enable-metrics={{ .Values.controller.metrics.enabled }}
+{{- end }}
 {{- if .Values.controller.enableTopologyAwareRouting }}
 - --enable-topology-aware-routing=true
 {{- end }}
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-prometheusrules.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-prometheusrules.yaml
@@ -1,4 +1,4 @@
-{{- if and ( .Values.controller.metrics.enabled ) ( .Values.controller.metrics.prometheusRule.enabled ) ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) -}}
+{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.prometheusRule.enabled -}}
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-policy.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-policy.yaml
@@ -34,7 +34,7 @@ spec:
    http-headers: false
    request-body: false
  log-destination:
-    cloud: false
+    cloud: true
    stdout:
      format: json-formatted
 ---
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/tests/controller-daemonset_test.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/tests/controller-daemonset_test.yaml
@@ -15,3 +15,37 @@ tests:
      - equal:
          path: metadata.name
          value: RELEASE-NAME-open-appsec-k8s-nginx-ingress-controller
+
+  - it: should create a DaemonSet with argument `--enable-metrics=false` if `controller.metrics.enabled` is false
+    set:
+      controller.kind: DaemonSet
+      kind: Vanilla
+      controller.metrics.enabled: false
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: --enable-metrics=false
+
+  - it: should create a DaemonSet without argument `--enable-metrics=false` if `controller.metrics.enabled` is true
+    set:
+      controller.kind: DaemonSet
+      kind: Vanilla
+      controller.metrics.enabled: true
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].args
+          content: --enable-metrics=false
+
+  - it: should create a DaemonSet with resource limits if `controller.resources.limits` is set
+    set:
+      controller.kind: DaemonSet
+      kind: Vanilla
+      controller.resources.limits.cpu: 500m
+      controller.resources.limits.memory: 512Mi
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].resources.limits.cpu
+          value: 500m
+      - equal:
+          path: spec.template.spec.containers[0].resources.limits.memory
+          value: 512Mi
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/tests/controller-deployment_test.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/tests/controller-deployment_test.yaml
@@ -4,8 +4,6 @@ templates:

 tests:
  - it: should create a Deployment
-    set:
-      kind: Vanilla
    asserts:
      - hasDocuments:
          count: 1
@@ -24,6 +22,22 @@ tests:
          path: spec.replicas
          value: 3

+  - it: should create a Deployment with argument `--enable-metrics=false` if `controller.metrics.enabled` is false
+    set:
+      controller.metrics.enabled: false
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: --enable-metrics=false
+
+  - it: should create a Deployment without argument `--enable-metrics=false` if `controller.metrics.enabled` is true
+    set:
+      controller.metrics.enabled: true
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].args
+          content: --enable-metrics=false
+
  - it: should create a Deployment with resource limits if `controller.resources.limits` is set
    set:
      controller.resources.limits.cpu: 500m
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/values.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/values.yaml
@@ -26,8 +26,8 @@ controller:
    ## for backwards compatibility consider setting the full image url via the repository value below
    ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
    ## repository:
-    tag: "v1.9.6"
-    digest: sha256:1405cc613bd95b2c6edd8b2a152510ae91c7e62aea4698500d23b2145960ab9c
+    tag: "v1.10.0"
+    digest: sha256:42b3f0e5d0846876b1791cd3afeb5f1cbbe4259d6f35651dcc1b5c980925379c
    digestChroot: sha256:7eb46ff733429e0e46892903c7394aff149ac6d284d92b3946f3baf7ff26a096
    pullPolicy: IfNotPresent
    runAsNonRoot: true
@@ -781,8 +781,8 @@ controller:
        ## for backwards compatibility consider setting the full image url via the repository value below
        ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
        ## repository:
-        tag: v20231226-1a7112e06
-        digest: sha256:25d6a5f11211cc5c3f9f2bf552b585374af287b4debf693cacbe2da47daa5084
+        tag: v1.4.0
+        digest: sha256:44d1d0e9f19c63f58b380c5fddaca7cf22c7cee564adeff365225a5df5ef3334
        pullPolicy: IfNotPresent
      # -- Provide a priority class name to the webhook patching job
      ##
@@ -1198,7 +1198,7 @@ appsec:
    image:
      registry: ghcr.io/openappsec
      image: smartsync-tuning
-      tag: 1.1.3
+      tag: latest
    enabled: false
    replicaCount: 1
    securityContext: