diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/Chart.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/Chart.yaml
index f5e946c..41828ba 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/Chart.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/Chart.yaml
@@ -1,6 +1,5 @@
 annotations:
- artifacthub.io/changes: |
- - "Update Ingress-Nginx version controller-v1.9.1"
+ artifacthub.io/changes: '- "Update Ingress-Nginx version controller-v1.9.4"'
 artifacthub.io/prerelease: "false"
 apiVersion: v2
 appVersion: latest
@@ -11,4 +10,4 @@ kubeVersion: '>=1.20.0-0'
 name: open-appsec-k8s-nginx-ingress
 sources:
 - https://github.com/kubernetes/ingress-nginx
-version: 4.8.1
+version: 4.8.3
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/README.md b/build_system/charts/open-appsec-k8s-nginx-ingress/README.md
index 9016e92..80646c9 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/README.md
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/README.md
@@ -2,7 +2,7 @@
 [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
-![Version: 4.8.1](https://img.shields.io/badge/Version-4.8.1-informational?style=flat-square) ![AppVersion: 1.9.1](https://img.shields.io/badge/AppVersion-1.9.1-informational?style=flat-square)
+![Version: 4.8.3](https://img.shields.io/badge/Version-4.8.3-informational?style=flat-square) ![AppVersion: 1.9.4](https://img.shields.io/badge/AppVersion-1.9.4-informational?style=flat-square)
 To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
@@ -251,11 +251,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.admissionWebhooks.namespaceSelector | object | `{}` | |
 | controller.admissionWebhooks.objectSelector | object | `{}` | |
 | controller.admissionWebhooks.patch.enabled | bool | `true` | |
-| controller.admissionWebhooks.patch.image.digest | string | `"sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b"` | |
+| controller.admissionWebhooks.patch.image.digest | string | `"sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80"` | |
 | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | |
 | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | |
 | controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | |
-| controller.admissionWebhooks.patch.image.tag | string | `"v20230407"` | |
+| controller.admissionWebhooks.patch.image.tag | string | `"v20231011-8b53cabe0"` | |
 | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources |
 | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | |
 | controller.admissionWebhooks.patch.podAnnotations | object | `{}` | |
@@ -314,13 +314,13 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.hostname | object | `{}` | Optionally customize the pod hostname. |
 | controller.image.allowPrivilegeEscalation | bool | `true` | |
 | controller.image.chroot | bool | `false` | |
-| controller.image.digest | string | `"sha256:605a737877de78969493a4b1213b21de4ee425d2926906857b98050f57a95b25"` | |
-| controller.image.digestChroot | string | `"sha256:2ac744ef08850ee86ad7162451a6879f47c1a41c6a757f6b6f913c52103b8836"` | |
+| controller.image.digest | string | `"sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3"` | |
+| controller.image.digestChroot | string | `"sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26"` | |
 | controller.image.image | string | `"ingress-nginx/controller"` | |
 | controller.image.pullPolicy | string | `"IfNotPresent"` | |
 | controller.image.registry | string | `"registry.k8s.io"` | |
 | controller.image.runAsUser | int | `101` | |
-| controller.image.tag | string | `"v1.9.1"` | |
+| controller.image.tag | string | `"v1.9.4"` | |
 | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation |
 | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
 | controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass |
@@ -498,6 +498,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | defaultBackend.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # |
 | dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param |
 | imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |
+| namespaceOverride | string | `""` | Override the deployment namespace; defaults to .Release.Namespace |
 | podSecurityPolicy.enabled | bool | `false` | |
 | portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration |
 | rbac.create | bool | `true` | |
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.8.2.md b/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.8.2.md
new file mode 100644
index 0000000..3fbb19f
--- /dev/null
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.8.2.md
@@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.8.2
+
+* - "update nginx base, httpbun, e2e, helm webhook cert gen (#10506)"
+* - "Update Ingress-Nginx version controller-v1.9.3"
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.1...helm-chart-4.8.2
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.8.3.md b/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.8.3.md
new file mode 100644
index 0000000..ca1815b
--- /dev/null
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.8.3.md
@@ -0,0 +1,8 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.8.3
+* Update Ingress-Nginx version controller-v1.9.4
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.2...helm-chart-4.8.3
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/_helpers.tpl b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/_helpers.tpl
index bd268cf..1117dde 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/_helpers.tpl
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/_helpers.tpl
@@ -30,6 +30,17 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- end -}}
 {{- end -}}
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "ingress-nginx.namespace" -}}
+ {{- if .Values.namespaceOverride -}}
+ {{- .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
+ {{- else -}}
+ {{- .Release.Namespace -}}
+ {{- end -}}
+{{- end -}}
+
 {{/*
 Container SecurityContext.
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/cert-manager.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/cert-manager.yaml
index 55fab47..c174422 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/cert-manager.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/cert-manager.yaml
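Review bot: The new `ingress-nginx.namespace` helper silently rewrites an over-long value with `trunc 63 | trimSuffix "-"`, so a `namespaceOverride` longer than 63 characters would place every namespaced resource in this diff — RBAC bindings, hook jobs, the admission Secret and Service — into a namespace the operator did not actually name instead of surfacing the mistake. Since a Kubernetes namespace name cannot exceed 63 characters anyway, failing the render is clearer: `{{- if gt (len .Values.namespaceOverride) 63 }}{{ fail "namespaceOverride must be at most 63 characters" }}{{- end }}` ahead of the `trunc`. Nothing in this diff creates the override namespace, so if the chart expects it to pre-exist the helper comment should say so, e.g. `The override namespace must already exist; this chart does not create it.`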
@@ -6,7 +6,7 @@ apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
 name: {{ include "ingress-nginx.fullname" . }}-self-signed-issuer
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
 selfSigned: {}
 ---
@@ -15,7 +15,7 @@ apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
 name: {{ include "ingress-nginx.fullname" . }}-root-cert
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
 secretName: {{ include "ingress-nginx.fullname" . }}-root-cert
 duration: {{ .Values.controller.admissionWebhooks.certManager.rootCert.duration | default "43800h0m0s" | quote }}
@@ -32,7 +32,7 @@ apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
 name: {{ include "ingress-nginx.fullname" . }}-root-issuer
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
 ca:
 secretName: {{ include "ingress-nginx.fullname" . }}-root-cert
@@ -43,7 +43,7 @@ apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
 name: {{ include "ingress-nginx.fullname" . }}-admission
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
 secretName: {{ include "ingress-nginx.fullname" . }}-admission
 duration: {{ .Values.controller.admissionWebhooks.certManager.admissionCert.duration | default "8760h0m0s" | quote }}
@@ -55,8 +55,8 @@ spec:
 {{- end }}
 dnsNames:
 - {{ include "ingress-nginx.controller.fullname" . }}-admission
- - {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ .Release.Namespace }}
- - {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ .Release.Namespace }}.svc
+ - {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ include "ingress-nginx.namespace" . }}
+ - {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ include "ingress-nginx.namespace" . }}.svc
 subject:
 organizations:
 - ingress-nginx-admission
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/clusterrolebinding.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
index 8719532..00081b5 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
@@ -19,5 +19,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: {{ include "ingress-nginx.fullname" . }}-admission
- namespace: {{ .Release.Namespace | quote }}
+ namespace: {{ (include "ingress-nginx.namespace" .) | quote }}
 {{- end }}
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/job-createSecret.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/job-createSecret.yaml
index d93433e..39608d2 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/job-createSecret.yaml
@@ -3,7 +3,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
 name: {{ include "ingress-nginx.fullname" . }}-admission-create
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
 annotations:
 "helm.sh/hook": pre-install,pre-upgrade
 "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
index 0fa3ff9..b1b21cd 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
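Review bot: Only the Job's `metadata.namespace` is switched to the helper here; the cert-gen container's `--namespace` argument and the name of the Secret it writes sit further down the file, outside this hunk, and need to be checked against the same helper. If they still expand `.Release.Namespace` rather than `$(POD_NAMESPACE)` from the downward API, the admission Secret would be created in a different namespace from the controller Pod that mounts it, and the controller would fail to start; if they already use `$(POD_NAMESPACE)` they follow `metadata.namespace` automatically and nothing further is needed. The same check applies to the patch job in job-patchWebhook.yaml. The Job spec continues past the end of the hunk.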
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@@ -3,7 +3,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
 name: {{ include "ingress-nginx.fullname" . }}-admission-patch
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
 annotations:
 "helm.sh/hook": post-install,post-upgrade
 "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/networkpolicy.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/networkpolicy.yaml
index d59da7c..a1ae3c0 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/networkpolicy.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/networkpolicy.yaml
@@ -3,7 +3,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
 name: {{ include "ingress-nginx.fullname" . }}-admission
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
 annotations:
 "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
 "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/role.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/role.yaml
index ea7c208..ef46310 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/role.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/role.yaml
@@ -2,8 +2,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
- name: {{ include "ingress-nginx.fullname" . }}-admission
- namespace: {{ .Release.Namespace }}
+ name: {{ include "ingress-nginx.fullname" . }}-admission
+ namespace: {{ include "ingress-nginx.namespace" . }}
 annotations:
 "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
 "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/rolebinding.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/rolebinding.yaml
index 60c3f4f..7548a9f 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/rolebinding.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/rolebinding.yaml
@@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
 name: {{ include "ingress-nginx.fullname" . }}-admission
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
 annotations:
 "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
 "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@@ -20,5 +20,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: {{ include "ingress-nginx.fullname" . }}-admission
- namespace: {{ .Release.Namespace | quote }}
+ namespace: {{ (include "ingress-nginx.namespace" .) | quote }}
 {{- end }}
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/serviceaccount.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/serviceaccount.yaml
index 00be54e..814aec9 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/serviceaccount.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/serviceaccount.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: {{ include "ingress-nginx.fullname" . }}-admission
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
 annotations:
 "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
 "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/validating-webhook.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/validating-webhook.yaml
index f27244d..da001e8 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/validating-webhook.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/validating-webhook.yaml
@@ -38,7 +38,7 @@ webhooks:
 - v1
 clientConfig:
 service:
- namespace: {{ .Release.Namespace | quote }}
+ namespace: {{ (include "ingress-nginx.namespace" .) | quote }}
 name: {{ include "ingress-nginx.controller.fullname" . }}-admission
 path: /networking/v1/ingresses
 {{- if .Values.controller.admissionWebhooks.timeoutSeconds }}
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec.yaml
index a399c18..5967768 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec.yaml
@@ -18,7 +18,7 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 name: {{ include "ingress-nginx.controller.fullname" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
 {{- if .Values.controller.annotations }}
 annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
 {{- end }}
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/clusterrolebinding.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/clusterrolebinding.yaml
index acbbd8b..a38f84e 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/clusterrolebinding.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/clusterrolebinding.yaml
@@ -15,5 +15,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: {{ template "ingress-nginx.serviceAccountName" . }}
- namespace: {{ .Release.Namespace | quote }}
+ namespace: {{ (include "ingress-nginx.namespace" .) | quote }}
 {{- end }}
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap-addheaders.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap-addheaders.yaml
index dfd49a1..4e4bd13 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap-addheaders.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap-addheaders.yaml
@@ -9,6 +9,6 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 name: {{ include "ingress-nginx.fullname" . }}-custom-add-headers
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
 data: {{ toYaml .Values.controller.addHeaders | nindent 2 }}
 {{- end }}
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap-proxyheaders.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap-proxyheaders.yaml
index 38feb72..0a22600 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap-proxyheaders.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap-proxyheaders.yaml
@@ -9,6 +9,6 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 name: {{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
 data: {{ toYaml .Values.controller.proxySetHeaders | nindent 2 }}
 {{- end }}
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap-tcp.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap-tcp.yaml
index 0f6088e..131a9ad 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap-tcp.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap-tcp.yaml
@@ -12,6 +12,6 @@ metadata:
 annotations: {{ toYaml .Values.controller.tcp.annotations | nindent 4 }}
 {{- end }}
 name: {{ include "ingress-nginx.fullname" . }}-tcp
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
 data: {{ tpl (toYaml .Values.tcp) . | nindent 2 }}
 {{- end }}
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap-udp.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap-udp.yaml
index 3772ec5..7137da9 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap-udp.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap-udp.yaml
@@ -12,6 +12,6 @@ metadata:
 annotations: {{ toYaml .Values.controller.udp.annotations | nindent 4 }}
 {{- end }}
 name: {{ include "ingress-nginx.fullname" . }}-udp
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
 data: {{ tpl (toYaml .Values.udp) . | nindent 2 }}
 {{- end }}
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap.yaml
index 9ec2b83..662a162 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap.yaml
@@ -11,17 +11,17 @@ metadata:
 annotations: {{ toYaml .Values.controller.configAnnotations | nindent 4 }}
 {{- end }}
 name: {{ include "ingress-nginx.controller.fullname" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
 data:
 allow-snippet-annotations: "{{ .Values.controller.allowSnippetAnnotations }}"
 {{- if .Values.controller.addHeaders }}
- add-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers
+ add-headers: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers
 {{- end }}
 {{- if .Values.controller.proxySetHeaders }}
- proxy-set-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
+ proxy-set-headers: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
 {{- end }}
 {{- if .Values.dhParam }}
- ssl-dh-param: {{ .Release.Namespace }}/{{ include "ingress-nginx.controller.fullname" . }}
+ ssl-dh-param: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.controller.fullname" . }}
 {{- end }}
 {{- range $key, $value := .Values.controller.config }}
 {{- $key | nindent 2 }}: {{ $value | quote }}
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-daemonset.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-daemonset.yaml
index aa7156a..8a6cfbd 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-daemonset.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-daemonset.yaml
@@ -1,4 +1,4 @@
-{{- if and (eq .Values.kind "Vanilla") (or (eq .Values.controller.kind "DaemonSet") (eq .Values.controller.kind "Both")) -}}
+{{- if and (eq .Values.kind "Vanilla") (eq .Values.controller.kind "DaemonSet") -}}
 {{- include "isControllerTagValid" . -}}
 apiVersion: apps/v1
 kind: DaemonSet
@@ -10,7 +10,7 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 name: {{ include "ingress-nginx.controller.fullname" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
 {{- if .Values.controller.annotations }}
 annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
 {{- end }}
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-deployment.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-deployment.yaml
index b60fd12..6cfab01 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-deployment.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-deployment.yaml
@@ -1,4 +1,4 @@
-{{- if and (eq .Values.kind "Vanilla") (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}}
+{{- if and (eq .Values.kind "Vanilla") (eq .Values.controller.kind "Deployment") -}}
 {{- include "isControllerTagValid" . -}}
 apiVersion: apps/v1
 kind: Deployment
@@ -10,7 +10,7 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 name: {{ include "ingress-nginx.controller.fullname" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
 {{- if .Values.controller.annotations }}
 annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
 {{- end }}
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-hpa.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-hpa.yaml
index f212bc4..ec9ad73 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-hpa.yaml
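Review bot: Dropping the `"Both"` alternative from the top-level guard means a values file that still sets `controller.kind: Both` now renders neither the DaemonSet nor the Deployment, so a `helm upgrade` would silently remove the running controller instead of reporting the unsupported value; the same guard change is made in controller-deployment.yaml, controller-hpa.yaml and controller-keda.yaml. A render-time check makes the removal explicit, e.g. `{{- if not (has .Values.controller.kind (list "Deployment" "DaemonSet")) }}{{ fail "controller.kind must be Deployment or DaemonSet" }}{{- end }}` placed once next to the `isControllerTagValid` helper so every template that includes it gets the check. The two changelog files added in this commit do not mention the removal, so an entry there would also help operators upgrading from 4.8.1.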
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-hpa.yaml
@@ -1,4 +1,4 @@
-{{- if and (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) .Values.controller.autoscaling.enabled (not .Values.controller.keda.enabled) -}}
+{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled (not .Values.controller.keda.enabled) -}}
 apiVersion: {{ ternary "autoscaling/v2" "autoscaling/v2beta2" (.Capabilities.APIVersions.Has "autoscaling/v2") }}
 kind: HorizontalPodAutoscaler
 metadata:
@@ -12,7 +12,7 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 name: {{ include "ingress-nginx.controller.fullname" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
 scaleTargetRef:
 apiVersion: apps/v1
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-keda.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-keda.yaml
index c0d95a9..bbd2237 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-keda.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-keda.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.controller.keda.enabled (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}}
+{{- if and .Values.controller.keda.enabled (eq .Values.controller.kind "Deployment") -}}
 # https://keda.sh/docs/
 apiVersion: {{ .Values.controller.keda.apiVersion }}
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-networkpolicy.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-networkpolicy.yaml
index 15d6012..e68f991 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-networkpolicy.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-networkpolicy.yaml
@@ -9,7 +9,7 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 name: {{ include "ingress-nginx.controller.fullname" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
 podSelector:
 matchLabels:
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-poddisruptionbudget.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-poddisruptionbudget.yaml
index 91be580..8cb7d4b 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-poddisruptionbudget.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-poddisruptionbudget.yaml
@@ -9,7 +9,7 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 name: {{ include "ingress-nginx.controller.fullname" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
 {{- if .Values.controller.annotations }}
 annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
 {{- end }}
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-role.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-role.yaml
index bf98e51..a64b5d7 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-role.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-role.yaml
@@ -9,7 +9,7 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 name: {{ include "ingress-nginx.fullname" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
 rules:
 - apiGroups:
 - ""
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-rolebinding.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-rolebinding.yaml
index e846a11..cdd1ec2 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-rolebinding.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-rolebinding.yaml
@@ -9,7 +9,7 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 name: {{ include "ingress-nginx.fullname" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
@@ -17,5 +17,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: {{ template "ingress-nginx.serviceAccountName" . }}
- namespace: {{ .Release.Namespace | quote }}
+ namespace: {{ (include "ingress-nginx.namespace" .) | quote }}
 {{- end }}
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-secret.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-secret.yaml
index f374423..f20f534 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-secret.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-secret.yaml
@@ -9,7 +9,7 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 name: {{ include "ingress-nginx.controller.fullname" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
 data:
 dhparam.pem: {{ .Values.dhParam }}
 {{- end }}
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service-internal.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service-internal.yaml
index 3966b32..4608a49 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service-internal.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service-internal.yaml
@@ -13,7 +13,7 @@ metadata: {{- toYaml .Values.controller.service.labels | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }}-internal - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: type: "{{ .Values.controller.service.type }}" {{- if .Values.controller.service.internal.loadBalancerIP }} diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service-metrics.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service-metrics.yaml index b178401..7c15329 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service-metrics.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service-metrics.yaml @@ -12,7 +12,7 @@ metadata: {{- toYaml .Values.controller.metrics.service.labels | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }}-metrics - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: type: {{ .Values.controller.metrics.service.type }} {{- if .Values.controller.metrics.service.clusterIP }} diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service-webhook.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service-webhook.yaml index 2aae24f..2d02e23 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service-webhook.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service-webhook.yaml @@ -12,7 +12,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }}-admission - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: type: {{ .Values.controller.admissionWebhooks.service.type }} {{- if .Values.controller.admissionWebhooks.service.clusterIP }} 
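Review bot: Moving the `-admission` Service to `ingress-nginx.namespace` only works if every consumer of that Service moves with it, and the consumers are not in this chunk: the ValidatingWebhookConfiguration's `clientConfig.service.namespace` and the kube-webhook-certgen job's `--namespace` argument (which picks where the CA Secret is created and which configuration is patched) live in the admission-webhooks templates. If any of those still use `.Release.Namespace`, an install with `namespaceOverride` set points the API server at a Service that does not exist; with `failurePolicy: Fail` every Ingress create/update is rejected, and with `Ignore` the validation silently stops running, which is the worse outcome for a WAF ingress. Confirm those templates were converted in the same commit, or add a render check that sets `namespaceOverride` and asserts the webhook `service.namespace` equals this Service's namespace. The Service `spec` continues outside the hunk.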
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service.yaml index f079fd4..1daec5b 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service.yaml @@ -13,7 +13,7 @@ metadata: {{- toYaml .Values.controller.service.labels | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: type: {{ .Values.controller.service.type }} {{- if .Values.controller.service.clusterIP }} diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-serviceaccount.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-serviceaccount.yaml index e9e9f32..df83de3 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-serviceaccount.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-serviceaccount.yaml @@ -9,7 +9,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ template "ingress-nginx.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} {{- if .Values.serviceAccount.annotations }} annotations: {{ toYaml .Values.serviceAccount.annotations | nindent 4 }} {{- end }} diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-servicemonitor.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-servicemonitor.yaml index 482fe7f..bf3734b 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-servicemonitor.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-servicemonitor.yaml 
@@ -6,7 +6,7 @@ metadata: {{- if .Values.controller.metrics.serviceMonitor.namespace }} namespace: {{ .Values.controller.metrics.serviceMonitor.namespace | quote }} {{- else }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} {{- end }} labels: {{- include "ingress-nginx.labels" . | nindent 4 }} @@ -35,7 +35,7 @@ spec: {{- else }} namespaceSelector: matchNames: - - {{ .Release.Namespace }} + - {{ include "ingress-nginx.namespace" . }} {{- end }} {{- if .Values.controller.metrics.serviceMonitor.targetLabels }} targetLabels: diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-deployment.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-deployment.yaml index 87aced4..44c3732 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-deployment.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-deployment.yaml @@ -9,7 +9,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.defaultBackend.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: selector: matchLabels: diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-hpa.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-hpa.yaml index faaf4fa..6993238 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-hpa.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-hpa.yaml @@ -12,7 +12,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.defaultBackend.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: scaleTargetRef: apiVersion: apps/v1 
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-networkpolicy.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-networkpolicy.yaml index f3a0126..90b3c2b 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-networkpolicy.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-networkpolicy.yaml @@ -9,7 +9,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.defaultBackend.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: podSelector: matchLabels: diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-poddisruptionbudget.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-poddisruptionbudget.yaml index 00891ce..f869e45 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-poddisruptionbudget.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-poddisruptionbudget.yaml @@ -10,7 +10,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.defaultBackend.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: selector: matchLabels: diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-role.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-role.yaml index a2b457c..dd7868a 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-role.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-role.yaml 
@@ -9,7 +9,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.fullname" . }}-backend - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} rules: - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] resources: ['podsecuritypolicies'] diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-rolebinding.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-rolebinding.yaml index dbaa516..70064e8 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-rolebinding.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-rolebinding.yaml @@ -9,7 +9,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.fullname" . }}-backend - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -17,5 +17,5 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ (include "ingress-nginx.namespace" .) | quote }} {{- end }} diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-service.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-service.yaml index 5f1d09a..2cccd6e 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-service.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-service.yaml 
@@ -12,7 +12,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.defaultBackend.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: type: {{ .Values.defaultBackend.service.type }} {{- if .Values.defaultBackend.service.clusterIP }} diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-serviceaccount.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-serviceaccount.yaml index b45a95a..2afaf0c 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-serviceaccount.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-serviceaccount.yaml @@ -9,6 +9,6 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} automountServiceAccountToken: {{ .Values.defaultBackend.serviceAccount.automountServiceAccountToken }} {{- end }} diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/values.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/values.yaml index d99a2ff..9bf65a2 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/values.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/values.yaml @@ -7,6 +7,9 @@ # nameOverride: # fullnameOverride: +# -- Override the deployment namespace; defaults to .Release.Namespace +namespaceOverride: "" + ## Labels to apply to all resources ## commonLabels: {} 
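Review bot: The new `namespaceOverride` comment says what it overrides but not what the operator has to provide: Helm only creates `.Release.Namespace` (and only with `--create-namespace`), so an override namespace that does not already exist makes the install fail, and the release record still lives in `.Release.Namespace`, so `helm list`/`helm uninstall` must target the release namespace rather than the override. Suggest extending the comment to `# -- Override the deployment namespace; defaults to .Release.Namespace. The namespace must already exist (Helm will not create it) and release metadata stays in .Release.Namespace`. A one-line mention that RBAC objects (Role, RoleBinding, ServiceAccount) follow the override would also save a reader from having to read every template.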
@@ -24,9 +27,9 @@ controller: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: "v1.9.1" - digest: sha256:605a737877de78969493a4b1213b21de4ee425d2926906857b98050f57a95b25 - digestChroot: sha256:2ac744ef08850ee86ad7162451a6879f47c1a41c6a757f6b6f913c52103b8836 + tag: "v1.9.4" + digest: sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3 + digestChroot: sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26 pullPolicy: IfNotPresent # www-data -> uid 101 runAsUser: 101 @@ -640,8 +643,8 @@ controller: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: v20230407 - digest: sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b + tag: v20231011-8b53cabe0 + digest: sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80 pullPolicy: IfNotPresent # -- Provide a priority class name to the webhook patching job ## @@ -699,7 +702,7 @@ controller: ## jobLabel: "app.kubernetes.io/name" namespace: "" namespaceSelector: {} - ## Default: scrape .Release.Namespace only + ## Default: scrape .Release.Namespace or namespaceOverride only ## To scrape all, use the following: ## namespaceSelector: ## any: true diff --git a/build_system/charts/open-appsec-kong/CHANGELOG.md b/build_system/charts/open-appsec-kong/CHANGELOG.md index 00435b5..37b8a0a 100644 --- a/build_system/charts/open-appsec-kong/CHANGELOG.md +++ b/build_system/charts/open-appsec-kong/CHANGELOG.md 
@@ -4,10 +4,59 @@ Nothing yet. +## 2.32.0 + +### Improvements + +* Add new `deployment.hostname` value to make identifying instances in + controlplane/dataplane configurations easier. + [#943](https://github.com/Kong/charts/pull/943) + +## 2.31.0 + +### Improvements + +* Added controller's RBAC rules for `KongUpstreamPolicy` CRD. + [#917](https://github.com/Kong/charts/pull/917) +* Added services resource to admission webhook config for KIC >= 3.0.0. + [#919](https://github.com/Kong/charts/pull/919) +* Update default ingress controller version to v3.0 + [#929](https://github.com/Kong/charts/pull/929) + [#930](https://github.com/Kong/charts/pull/930) + +### Fixed + +* The target port for cmetrics should only be applied if the ingress controller is enabled. + [#926](https://github.com/Kong/charts/pull/926) +* Fix RBAC for Gateway API v1. + [#928](https://github.com/Kong/charts/pull/928) +* Enable Admission webhook for Gateway API v1 resources. + [#928](https://github.com/Kong/charts/pull/928) + +## 2.30.0 + +### Improvements + +* Prevent installing PodDisruptionBudget for `replicaCount: 1` or `autoscaling.minReplicas: 1`. + [#896](https://github.com/Kong/charts/pull/896) +* The admission webhook now will be triggered on Secrets creation for KIC 2.12.1+. + [#907](https://github.com/Kong/charts/pull/907) +* Container security context defaults now comply with the restricted pod + security standard. This includes an enforced run as user ID set to 1000. UID + 1000 is used for official Kong images other than Alpine images (which use UID + 100) and for KIC images 3.0.0+ (older images use UID 65532). Images that do + not use UID 1000 can still run with this user, as static image files are + world-accessible and runtime-created files are created in temporary + directories created for the run as user. + [#911](https://github.com/Kong/charts/pull/911) +* Allow using templates (via `tpl`) when specifying `proxy.nameOverride`. 
+ [#914](https://github.com/Kong/charts/pull/914) + ## 2.29.0 ### Improvements * Make it possible to set the admission webhook's `timeoutSeconds`. + [#894](https://github.com/Kong/charts/pull/894) ## 2.28.1 @@ -16,6 +65,7 @@ Nothing yet. * The admission webhook now includes Gateway API resources and Ingress resources for controller versions 2.12+. This version introduces new validations for Kong's regex path implementation. + [#892](https://github.com/Kong/charts/pull/892) ## 2.28.0 diff --git a/build_system/charts/open-appsec-kong/Chart.yaml b/build_system/charts/open-appsec-kong/Chart.yaml index f94eea2..240357e 100644 --- a/build_system/charts/open-appsec-kong/Chart.yaml +++ b/build_system/charts/open-appsec-kong/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.1.0 +appVersion: 1.1.1 dependencies: - condition: postgresql.enabled name: postgresql @@ -9,11 +9,9 @@ description: The Cloud-Native Ingress and API-management home: https://konghq.com/ icon: https://s3.amazonaws.com/downloads.kong/universe/assets/icon-kong-inc-large.png maintainers: -- email: harry@konghq.com - name: hbagdi -- email: traines@konghq.com - name: rainest +- email: team-k8s@konghq.com + name: team-k8s-bot name: open-appsec-kong sources: - https://github.com/Kong/charts/tree/main/charts/kong -version: 2.29.0 +version: 2.32.0 diff --git a/build_system/charts/open-appsec-kong/README.md b/build_system/charts/open-appsec-kong/README.md index 559b8ee..11bc89d 100644 --- a/build_system/charts/open-appsec-kong/README.md +++ b/build_system/charts/open-appsec-kong/README.md @@ -11,10 +11,10 @@ This chart bootstraps all the components needed to run Kong on a ## TL;DR; ```bash -$ helm repo add kong https://charts.konghq.com -$ helm repo update +helm repo add kong https://charts.konghq.com +helm repo update -$ helm install kong/kong --generate-name +helm install kong/kong --generate-name ``` ## Table of contents 
@@ -91,10 +91,10 @@ $ helm install kong/kong --generate-name To install Kong: ```bash -$ helm repo add kong https://charts.konghq.com -$ helm repo update +helm repo add kong https://charts.konghq.com +helm repo update -$ helm install kong/kong --generate-name +helm install kong/kong --generate-name ``` ## Uninstall @@ -102,7 +102,7 @@ $ helm install kong/kong --generate-name To uninstall/delete a Helm release `my-release`: ```bash -$ helm delete my-release +helm delete my-release ``` The command removes all the Kubernetes components associated with the @@ -451,6 +451,11 @@ documentation on Service DNS](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/) for more detail. +If you use multiple Helm releases to manage different data plane configurations +attached to the same control plane, setting the `deployment.hostname` field +will help you keep track of which is which in the `/clustering/data-plane` +endpoint. + ### Cert Manager Integration By default, Kong will create self-signed certificates on start for its TLS @@ -508,9 +513,9 @@ event you need to recover from unintended CRD deletion. ### InitContainers -The chart is able to deploy initcontainers along with Kong. This can be very +The chart is able to deploy initContainers along with Kong. This can be very useful when there's a requirement for custom initialization. The -`deployment.initcontainers` field in values.yaml takes an array of objects that +`deployment.initContainers` field in values.yaml takes an array of objects that get appended as-is to the existing `spec.template.initContainers` array in the kong deployment resource. 
@@ -581,7 +586,11 @@ namespaces. Limiting access requires several changes to configuration: Setting `deployment.daemonset: true` deploys Kong using a [DaemonSet controller](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) instead of a Deployment controller. This runs a Kong Pod on every kubelet in -the Kubernetes cluster. +the Kubernetes cluster. For such configuration it may be desirable to configure +Pods to use the network of the host they run on instead of a dedicated network +namespace. The benefit of this approach is that the Kong can bind ports directly +to Kubernetes nodes' network interfaces, without the extra network translation +imposed by NodePort Services. It can be achieved by setting `deployment.hostNetwork: true`. ### Using dnsPolicy and dnsConfig @@ -725,7 +734,7 @@ section of `values.yaml` file: |--------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------| | enabled | Deploy the ingress controller, rbac and crd | true | | image.repository | Docker image with the ingress controller | kong/kubernetes-ingress-controller | -| image.tag | Version of the ingress controller | `2.12` | +| image.tag | Version of the ingress controller | `3.0` | | image.effectiveSemver | Version of the ingress controller used for version-specific features when image.tag is not a valid semantic version | | | readinessProbe | Kong ingress controllers readiness probe | | | livenessProbe | Kong ingress controllers liveness probe | | 
@@ -791,6 +800,12 @@ Kong Ingress Controller v2.9 has introduced gateway discovery which allows the controller to discover Gateway instances that it should configure using an Admin API Kubernetes service. +Using this feature requires a split release installation of Gateways and Ingress Controller. +For exemplar `values.yaml` files which use this feature please see: [examples README.md](./example-values/README.md). +or use the [`ingress` chart](../ingress/README.md) which can handle this for you. + +##### Configuration + You'll be able to configure this feature through configuration section under `ingressController.gatewayDiscovery`: 
@@ -813,12 +828,17 @@ You'll be able to configure this feature through configuration section under the chart will generate values for `name` and `namespace` based on the current release name and namespace. This is useful when consuming the `kong` chart as a subchart. -Using this feature requires a split release installation of Gateways and Ingress Controller. -For exemplar `values.yaml` files which use this feature please see: [examples README.md](./example-values/README.md). +Additionally, you can control the addresses that are generated for your Gateways +via the `--gateway-discovery-dns-strategy` CLI flag that can be set on the Ingress Controller +(or an equivalent environment variable: `CONTROLLER_GATEWAY_DISCOVERY_DNS_STRATEGY`). +It accepts 3 values which change the way that Gateway addresses are generated: +- `service` - for service scoped pod DNS names: `pod-ip-address.service-name.my-namespace.svc.cluster-domain.example` +- `pod` - for namespace scope pod DNS names: `pod-ip-address.my-namespace.pod.cluster-domain.example` +- `ip` (default, retains behavior introduced in v2.9) - for regular IP addresses When using `gatewayDiscovery`, you should consider configuring the Admin service to use mTLS client verification to make -this interface secure. Without that, anyone who can access the Admin API from inside the cluster can configure the Gateway -instances. +this interface secure. +Without that, anyone who can access the Admin API from inside the cluster can configure the Gateway instances. On the controller release side, that can be achieved by setting `ingressController.adminApi.tls.client.enabled` to `true`. By default, Helm will generate a certificate Secret named `-admin-api-keypair` and 
@@ -838,6 +858,7 @@ On the Gateway release side, set either `admin.tls.client.secretName` to the nam | deployment.minReadySeconds | Minimum number of seconds for which newly created pods should be ready without any of its container crashing, for it to be considered available. | | | deployment.initContainers | Create initContainers. Please go to Kubernetes doc for the spec of the initContainers | | | deployment.daemonset | Use a DaemonSet instead of a Deployment | `false` | +| deployment.hostname | Set the Deployment's `.spec.template.hostname`. Kong reports this as its hostname. | | | deployment.hostNetwork | Enable hostNetwork, which binds to the ports to the host | `false` | | deployment.userDefinedVolumes | Create volumes. Please go to Kubernetes doc for the spec of the volumes | | | deployment.userDefinedVolumeMounts | Create volumeMounts. Please go to Kubernetes doc for the spec of the volumeMounts | | @@ -878,7 +899,7 @@ On the Gateway release side, set either `admin.tls.client.secretName` to the nam | priorityClassName | Set pod scheduling priority class for Kong pods | `""` | | secretVolumes | Mount given secrets as a volume in Kong container to override default certs and keys. | `[]` | | securityContext | Set the securityContext for Kong Pods | `{}` | -| containerSecurityContext | Set the securityContext for Containers | `{"readOnlyRootFilesystem": true}` | +| containerSecurityContext | Set the securityContext for Containers | See values.yaml | | serviceMonitor.enabled | Create ServiceMonitor for Prometheus Operator | `false` | | serviceMonitor.interval | Scraping interval | `30s` | | serviceMonitor.namespace | Where to create ServiceMonitor | | 
@@ -1013,7 +1034,7 @@ If you have paid for a license, but you do not have a copy of yours, please contact Kong Support. Once you have it, you will need to store it in a Secret: ```bash -$ kubectl create secret generic kong-enterprise-license --from-file=license=./license.json +kubectl create secret generic kong-enterprise-license --from-file=license=./license.json ``` Set the secret name in `values.yaml`, in the `.enterprise.license_secret` key. @@ -1031,7 +1052,7 @@ from \ \> Edit Profile \> API Key. Use this to create registry secrets: ```bash -$ kubectl create secret docker-registry kong-enterprise-edition-docker \ +kubectl create secret docker-registry kong-enterprise-edition-docker \ --docker-server=hub.docker.io \ --docker-username= \ --docker-password= @@ -1107,14 +1128,30 @@ whereas this is optional for the Developer Portal on versions 0.36+. Providing Portal session configuration in values.yaml provides the default session configuration, which can be overridden on a per-workspace basis. +```bash +cat admin_gui_session_conf ``` -$ cat admin_gui_session_conf + +```json {"cookie_name":"admin_session","cookie_samesite":"off","secret":"admin-secret-CHANGEME","cookie_secure":true,"storage":"kong"} -$ cat portal_session_conf +``` + +```bash +cat portal_session_conf +``` + +```json {"cookie_name":"portal_session","cookie_samesite":"off","secret":"portal-secret-CHANGEME","cookie_secure":true,"storage":"kong"} -$ kubectl create secret generic kong-session-config --from-file=admin_gui_session_conf --from-file=portal_session_conf +``` + +```bash +kubectl create secret generic kong-session-config --from-file=admin_gui_session_conf --from-file=portal_session_conf +``` + +```bash secret/kong-session-config created ``` + The exact plugin settings may vary in your environment. The `secret` should always be changed for both configurations. 
@@ -1175,7 +1212,7 @@ between the initial install and upgrades. Both operations are a "sync" in Argo terms. This affects when migration Jobs execute in database-backed Kong installs. -The chart sets the `Sync` and `BeforeHookCreation` deletion +The chart sets the `Sync` and `BeforeHookCreation` deletion [hook policies](https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks/) on the `init-migrations` and `pre-upgrade-migrations` Jobs. diff --git a/build_system/charts/open-appsec-kong/UPGRADE.md b/build_system/charts/open-appsec-kong/UPGRADE.md index 906d961..8935277 100644 --- a/build_system/charts/open-appsec-kong/UPGRADE.md +++ b/build_system/charts/open-appsec-kong/UPGRADE.md @@ -193,7 +193,7 @@ database](https://www.postgresql.org/docs/current/backup-dump.html) and creating a separate release if you wish to continue using 8.6.8: ``` -$ helm install my-release -f values.yaml --version 8.6.8 bitnami/postgresql +helm install my-release -f values.yaml --version 8.6.8 bitnami/postgresql ``` Afterwords, you will upgrade your Kong chart release with @@ -233,26 +233,28 @@ upgrade in multiple steps: First, pin the controller version and upgrade to chart 2.4.0: ```console -$ helm upgrade --wait \ +helm upgrade --wait \ --set ingressController.image.tag= \ --version 2.4.0 \ --namespace \ kong/kong ``` + Second, temporarily disable the ingress controller: ```console -$ helm upgrade --wait \ +helm upgrade --wait \ --set ingressController.enabled=false \ --set deployment.serviceaccount.create=true \ --version 2.4.0 \ --namespace \ kong/kong ``` + Finally, re-enable the ingress controller at the new version: ```console -$ helm upgrade --wait \ +helm upgrade --wait \ --set ingressController.enabled=true \ --set ingressController.image.tag= \ --version 2.4.0 \ diff --git a/build_system/charts/open-appsec-kong/ci/single-image-default-values.yaml b/build_system/charts/open-appsec-kong/ci/single-image-default-values.yaml index f9183be..0402fe1 100644 
--- a/build_system/charts/open-appsec-kong/ci/single-image-default-values.yaml +++ b/build_system/charts/open-appsec-kong/ci/single-image-default-values.yaml @@ -2,7 +2,7 @@ # use single image strings instead of repository/tag image: - unifiedRepoTag: kong:3.4 + unifiedRepoTag: kong:3.4.1 env: anonymous_reports: "off" @@ -10,4 +10,4 @@ ingressController: env: anonymous_reports: "false" image: - unifiedRepoTag: kong/kubernetes-ingress-controller:2.12 + unifiedRepoTag: kong/kubernetes-ingress-controller:3.0 diff --git a/build_system/charts/open-appsec-kong/ci/test2-values.yaml b/build_system/charts/open-appsec-kong/ci/test2-values.yaml index 07ed193..b635642 100644 --- a/build_system/charts/open-appsec-kong/ci/test2-values.yaml +++ b/build_system/charts/open-appsec-kong/ci/test2-values.yaml @@ -45,9 +45,6 @@ proxy: parameters: - ssl -# - PDB is enabled -podDisruptionBudget: - enabled: true # update strategy updateStrategy: type: "RollingUpdate" diff --git a/build_system/charts/open-appsec-kong/ci/test5-values.yaml b/build_system/charts/open-appsec-kong/ci/test5-values.yaml index 76318b4..fbbdb65 100644 --- a/build_system/charts/open-appsec-kong/ci/test5-values.yaml +++ b/build_system/charts/open-appsec-kong/ci/test5-values.yaml @@ -37,9 +37,6 @@ proxy: annotations: {} path: / -# - PDB is enabled -podDisruptionBudget: - enabled: true # update strategy updateStrategy: type: "RollingUpdate" diff --git a/build_system/charts/open-appsec-kong/crds/custom-resource-definitions.yaml b/build_system/charts/open-appsec-kong/crds/custom-resource-definitions.yaml index 03353de..99b3a2c 100644 --- a/build_system/charts/open-appsec-kong/crds/custom-resource-definitions.yaml +++ b/build_system/charts/open-appsec-kong/crds/custom-resource-definitions.yaml 
@@ -1,4 +1,4 @@ -# generated using: kubectl kustomize 'github.com/kong/kubernetes-ingress-controller/config/crd?ref=v2.12.0' +# generated using: kubectl kustomize 'github.com/kong/kubernetes-ingress-controller/config/crd?ref=v3.0.0' apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -773,7 +773,9 @@ spec: `Services` can be a target, OR `Endpoints` can be targets). properties: algorithm: - description: Algorithm is the load balancing algorithm to use. + description: 'Algorithm is the load balancing algorithm to use. Accepted + values are: "round-robin", "consistent-hashing", "least-connections", + "latency".' enum: - round-robin - consistent-hashing @@ -945,6 +947,13 @@ spec: type: integer type: object type: object + x-kubernetes-validations: + - message: '''proxy'' field is no longer supported, use Service''s annotations + instead' + rule: '!has(self.proxy)' + - message: '''route'' field is no longer supported, use Ingress'' annotations + instead' + rule: '!has(self.route)' served: true storage: true subresources: 
@@ -1198,6 +1207,387 @@ spec: --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + labels: + gateway.networking.k8s.io/policy: direct + name: kongupstreampolicies.configuration.konghq.com +spec: + group: configuration.konghq.com + names: + categories: + - kong-ingress-controller + kind: KongUpstreamPolicy + listKind: KongUpstreamPolicyList + plural: kongupstreampolicies + shortNames: + - kup + singular: kongupstreampolicy + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: "KongUpstreamPolicy allows configuring algorithm that should + be used for load balancing traffic between Kong Upstream's Targets. It also + allows configuring health checks for Kong Upstream's Targets. \n Its configuration + is similar to Kong Upstream object (https://docs.konghq.com/gateway/latest/admin-api/#upstream-object), + and it is applied to Kong Upstream objects created by the controller. \n + It can be attached to Services. To attach it to a Service, it has to be + annotated with `konghq.com/upstream-policy: `, where `` is the + name of the KongUpstreamPolicy object in the same namespace as the Service. + \n When attached to a Service, it will affect all Kong Upstreams created + for the Service. \n When attached to a Service used in a Gateway API *Route + rule with multiple BackendRefs, all of its Services MUST be configured with + the same KongUpstreamPolicy. Otherwise, the controller will *ignore* the + KongUpstreamPolicy. \n Note: KongUpstreamPolicy doesn't implement Gateway + API's GEP-713 strictly. In particular, it doesn't use the TargetRef for + attaching to Services and Gateway API *Routes - annotations are used instead. + This is to allow reusing the same KongUpstreamPolicy for multiple Services + and Gateway API *Routes." 
+ properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec contains the configuration of the Kong upstream. + properties: + algorithm: + description: 'Algorithm is the load balancing algorithm to use. Accepted + values are: "round-robin", "consistent-hashing", "least-connections", + "latency".' + enum: + - round-robin + - consistent-hashing + - least-connections + - latency + type: string + hashOn: + description: HashOn defines how to calculate hash for consistent-hashing + load balancing algorithm. Algorithm must be set to "consistent-hashing" + for this field to have effect. + properties: + cookie: + description: Cookie is the name of the cookie to use as hash input. + type: string + cookiePath: + description: CookiePath is cookie path to set in the response + headers. + type: string + header: + description: Header is the name of the header to use as hash input. + type: string + input: + description: Input allows using one of the predefined inputs (ip, + consumer, path). For other parametrized inputs, use one of the + fields below. + enum: + - ip + - consumer + - path + type: string + queryArg: + description: QueryArg is the name of the query argument to use + as hash input. + type: string + uriCapture: + description: URICapture is the name of the URI capture group to + use as hash input. 
+ type: string + type: object + hashOnFallback: + description: HashOnFallback defines how to calculate hash for consistent-hashing + load balancing algorithm if the primary hash function fails. Algorithm + must be set to "consistent-hashing" for this field to have effect. + properties: + cookie: + description: Cookie is the name of the cookie to use as hash input. + type: string + cookiePath: + description: CookiePath is cookie path to set in the response + headers. + type: string + header: + description: Header is the name of the header to use as hash input. + type: string + input: + description: Input allows using one of the predefined inputs (ip, + consumer, path). For other parametrized inputs, use one of the + fields below. + enum: + - ip + - consumer + - path + type: string + queryArg: + description: QueryArg is the name of the query argument to use + as hash input. + type: string + uriCapture: + description: URICapture is the name of the URI capture group to + use as hash input. + type: string + type: object + healthchecks: + description: Healthchecks defines the health check configurations + in Kong. + properties: + active: + description: Active configures active health check probing. + properties: + concurrency: + description: Concurrency is the number of targets to check + concurrently. + minimum: 1 + type: integer + headers: + additionalProperties: + items: + type: string + type: array + description: Headers is a list of HTTP headers to add to the + probe request. + type: object + healthy: + description: Healthy configures thresholds and HTTP status + codes to mark targets healthy for an upstream. + properties: + httpStatuses: + description: HTTPStatuses is a list of HTTP status codes + that Kong considers a success. + items: + description: HTTPStatus is an HTTP status code. 
+ maximum: 599 + minimum: 100 + type: integer + type: array + interval: + description: Interval is the interval between active health + checks for an upstream in seconds when in a healthy + state. + minimum: 0 + type: integer + successes: + description: Successes is the number of successes to consider + a target healthy. + minimum: 0 + type: integer + type: object + httpPath: + description: HTTPPath is the path to use in GET HTTP request + to run as a probe. + pattern: ^/.*$ + type: string + httpsSni: + description: HTTPSSNI is the SNI to use in GET HTTPS request + to run as a probe. + type: string + httpsVerifyCertificate: + description: HTTPSVerifyCertificate is a boolean value that + indicates if the certificate should be verified. + type: boolean + timeout: + description: Timeout is the probe timeout in seconds. + minimum: 0 + type: integer + type: + description: Type determines whether to perform active health + checks using HTTP or HTTPS, or just attempt a TCP connection. + Accepted values are "http", "https", "tcp", "grpc", "grpcs". + enum: + - http + - https + - tcp + - grpc + - grpcs + type: string + unhealthy: + description: Unhealthy configures thresholds and HTTP status + codes to mark targets unhealthy for an upstream. + properties: + httpFailures: + description: HTTPFailures is the number of failures to + consider a target unhealthy. + minimum: 0 + type: integer + httpStatuses: + description: HTTPStatuses is a list of HTTP status codes + that Kong considers a failure. + items: + description: HTTPStatus is an HTTP status code. + maximum: 599 + minimum: 100 + type: integer + type: array + interval: + description: Interval is the interval between active health + checks for an upstream in seconds when in an unhealthy + state. + minimum: 0 + type: integer + tcpFailures: + description: TCPFailures is the number of TCP failures + in a row to consider a target unhealthy. 
+ minimum: 0 + type: integer + timeouts: + description: Timeouts is the number of timeouts in a row + to consider a target unhealthy. + minimum: 0 + type: integer + type: object + type: object + passive: + description: Passive configures passive health check probing. + properties: + healthy: + description: Healthy configures thresholds and HTTP status + codes to mark targets healthy for an upstream. + properties: + httpStatuses: + description: HTTPStatuses is a list of HTTP status codes + that Kong considers a success. + items: + description: HTTPStatus is an HTTP status code. + maximum: 599 + minimum: 100 + type: integer + type: array + interval: + description: Interval is the interval between active health + checks for an upstream in seconds when in a healthy + state. + minimum: 0 + type: integer + successes: + description: Successes is the number of successes to consider + a target healthy. + minimum: 0 + type: integer + type: object + type: + description: Type determines whether to perform passive health + checks interpreting HTTP/HTTPS statuses, or just check for + TCP connection success. Accepted values are "http", "https", + "tcp", "grpc", "grpcs". + enum: + - http + - https + - tcp + - grpc + - grpcs + type: string + unhealthy: + description: Unhealthy configures thresholds and HTTP status + codes to mark targets unhealthy. + properties: + httpFailures: + description: HTTPFailures is the number of failures to + consider a target unhealthy. + minimum: 0 + type: integer + httpStatuses: + description: HTTPStatuses is a list of HTTP status codes + that Kong considers a failure. + items: + description: HTTPStatus is an HTTP status code. + maximum: 599 + minimum: 100 + type: integer + type: array + interval: + description: Interval is the interval between active health + checks for an upstream in seconds when in an unhealthy + state. 
+ minimum: 0 + type: integer + tcpFailures: + description: TCPFailures is the number of TCP failures + in a row to consider a target unhealthy. + minimum: 0 + type: integer + timeouts: + description: Timeouts is the number of timeouts in a row + to consider a target unhealthy. + minimum: 0 + type: integer + type: object + type: object + threshold: + description: Threshold is the minimum percentage of the upstream’s + targets’ weight that must be available for the whole upstream + to be considered healthy. + type: integer + type: object + slots: + description: Slots is the number of slots in the load balancer algorithm. + If not set, the default value in Kong for the algorithm is used. + maximum: 65536 + minimum: 10 + type: integer + type: object + type: object + x-kubernetes-validations: + - message: Only one of spec.hashOn.(input|cookie|header|uriCapture|queryArg) + can be set. + rule: 'has(self.spec.hashOn) ? [has(self.spec.hashOn.input), has(self.spec.hashOn.cookie), + has(self.spec.hashOn.header), has(self.spec.hashOn.uriCapture), has(self.spec.hashOn.queryArg)].filter(fieldSet, + fieldSet == true).size() <= 1 : true' + - message: When spec.hashOn.cookie is set, spec.hashOn.cookiePath is required. + rule: 'has(self.spec.hashOn) && has(self.spec.hashOn.cookie) ? has(self.spec.hashOn.cookiePath) + : true' + - message: When spec.hashOn.cookiePath is set, spec.hashOn.cookie is required. + rule: 'has(self.spec.hashOn) && has(self.spec.hashOn.cookiePath) ? has(self.spec.hashOn.cookie) + : true' + - message: spec.algorithm must be set to "consistent-hashing" when spec.hashOn + is set. + rule: 'has(self.spec.hashOn) ? has(self.spec.algorithm) && self.spec.algorithm + == "consistent-hashing" : true' + - message: Only one of spec.hashOnFallback.(input|header|uriCapture|queryArg) + can be set. + rule: 'has(self.spec.hashOnFallback) ? 
[has(self.spec.hashOnFallback.input), + has(self.spec.hashOnFallback.header), has(self.spec.hashOnFallback.uriCapture), + has(self.spec.hashOnFallback.queryArg)].filter(fieldSet, fieldSet == true).size() + <= 1 : true' + - message: spec.algorithm must be set to "consistent-hashing" when spec.hashOnFallback + is set. + rule: 'has(self.spec.hashOnFallback) ? has(self.spec.algorithm) && self.spec.algorithm + == "consistent-hashing" : true' + - message: spec.hashOnFallback.cookie must not be set. + rule: 'has(self.spec.hashOnFallback) ? !has(self.spec.hashOnFallback.cookie) + : true' + - message: spec.hashOnFallback.cookiePath must not be set. + rule: 'has(self.spec.hashOnFallback) ? !has(self.spec.hashOnFallback.cookiePath) + : true' + - message: spec.healthchecks.passive.healthy.interval must not be set. + rule: 'has(self.spec.healthchecks) && has(self.spec.healthchecks.passive) + && has(self.spec.healthchecks.passive.healthy) ? !has(self.spec.healthchecks.passive.healthy.interval) + : true' + - message: spec.healthchecks.passive.unhealthy.interval must not be set. + rule: 'has(self.spec.healthchecks) && has(self.spec.healthchecks.passive) + && has(self.spec.healthchecks.passive.unhealthy) ? !has(self.spec.healthchecks.passive.unhealthy.interval) + : true' + - message: spec.hashOnFallback must not be set when spec.hashOn.cookie is + set. + rule: 'has(self.spec.hashOn) && has(self.spec.hashOn.cookie) ? !has(self.spec.hashOnFallback) + : true' + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.13.0 diff --git a/build_system/charts/open-appsec-kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml b/build_system/charts/open-appsec-kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml index 521bef6..373ebdd 100644 
--- a/build_system/charts/open-appsec-kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml +++ b/build_system/charts/open-appsec-kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml @@ -9,7 +9,6 @@ admin: konghq.com/https-redirect-status-code: "301" konghq.com/protocols: https konghq.com/strip-path: "true" - kubernetes.io/ingress.class: default nginx.ingress.kubernetes.io/app-root: / nginx.ingress.kubernetes.io/backend-protocol: HTTPS nginx.ingress.kubernetes.io/permanent-redirect-code: "301" @@ -176,8 +175,8 @@ manager: ingress: annotations: konghq.com/https-redirect-status-code: "301" - kubernetes.io/ingress.class: default nginx.ingress.kubernetes.io/backend-protocol: HTTPS + ingressClassName: kong enabled: true hostname: kong.127-0-0-1.nip.io path: / @@ -209,7 +208,7 @@ portal: konghq.com/https-redirect-status-code: "301" konghq.com/protocols: https konghq.com/strip-path: "false" - kubernetes.io/ingress.class: default + ingressClassName: kong enabled: true hostname: developer.127-0-0-1.nip.io path: / @@ -232,8 +231,8 @@ portalapi: konghq.com/https-redirect-status-code: "301" konghq.com/protocols: https konghq.com/strip-path: "true" - kubernetes.io/ingress.class: default nginx.ingress.kubernetes.io/app-root: / + ingressClassName: kong enabled: true hostname: developer.127-0-0-1.nip.io path: /api diff --git a/build_system/charts/open-appsec-kong/example-values/full-k4k8s-with-kong-enterprise.yaml b/build_system/charts/open-appsec-kong/example-values/full-k4k8s-with-kong-enterprise.yaml index b794e1f..6be6ed8 100644 --- a/build_system/charts/open-appsec-kong/example-values/full-k4k8s-with-kong-enterprise.yaml +++ b/build_system/charts/open-appsec-kong/example-values/full-k4k8s-with-kong-enterprise.yaml @@ -40,8 +40,7 @@ admin: enabled: true tls: CHANGEME-admin-tls-secret hostname: admin.kong.CHANGEME.example - annotations: - kubernetes.io/ingress.class: "kong" + ingressClassName: kong path: / proxy: 
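Review bot: In the first hunk of quickstart-enterprise-licensed-aio.yaml (`@@ -9,7 +9,6 @@`, the admin ingress) the `kubernetes.io/ingress.class: default` annotation is removed without a replacement, whereas the manager, portal and portalapi hunks each add `ingressClassName: kong`. Unless the admin ingress already carries an `ingressClassName` outside the hunk, it will now be claimed by whichever IngressClass the cluster marks as default, which in a quickstart can be a different controller than the one intended to front the admin API. Adding `ingressClassName: kong` under the admin `ingress:` block, as the other three hunks do, keeps the example consistent and keeps the admin endpoint behind the intended controller. Since the annotations that remain are all `nginx.ingress.kubernetes.io/*`, a one-line comment in the example naming the controller expected to serve these ingresses would also help, because those annotations are no-ops for a controller other than ingress-nginx.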
@@ -148,8 +147,7 @@ portal: enabled: true tls: CHANGEME-portal-tls-secret hostname: portal.kong.CHANGEME.example - annotations: - kubernetes.io/ingress.class: "kong" + ingressClassName: kong path: / externalIPs: [] @@ -177,8 +175,7 @@ portalapi: enabled: true tls: CHANGEME-portalapi-tls-secret hostname: portalapi.kong.CHANGEME.example - annotations: - kubernetes.io/ingress.class: "kong" + ingressClassName: kong path: / externalIPs: [] diff --git a/build_system/charts/open-appsec-kong/templates/_helpers.tpl b/build_system/charts/open-appsec-kong/templates/_helpers.tpl index 836d755..161ab35 100644 --- a/build_system/charts/open-appsec-kong/templates/_helpers.tpl +++ b/build_system/charts/open-appsec-kong/templates/_helpers.tpl 
@@ -447,14 +447,28 @@ The name of the service used for the ingress controller's validation webhook {{ include "kong.fullname" . }}-validation-webhook {{- end -}} + +{{/* +The name of the Service which will be used by the controller to update the Ingress status field. +*/}} + +{{- define "kong.controller-publish-service" -}} +{{- $proxyOverride := "" -}} + {{- if .Values.proxy.nameOverride -}} + {{- $proxyOverride = ( tpl .Values.proxy.nameOverride . ) -}} + {{- end -}} +{{- (printf "%s/%s" ( include "kong.namespace" . ) ( default ( printf "%s-proxy" (include "kong.fullname" . )) $proxyOverride )) -}} +{{- end -}} + {{- define "kong.ingressController.env" -}} {{/* ====== AUTO-GENERATED ENVIRONMENT VARIABLES ====== */}} + {{- $autoEnv := dict -}} {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY" true -}} - {{- $_ := set $autoEnv "CONTROLLER_PUBLISH_SERVICE" (printf "%s/%s" ( include "kong.namespace" . ) ( .Values.proxy.nameOverride | default ( printf "%s-proxy" (include "kong.fullname" . )))) -}} + {{- $_ := set $autoEnv "CONTROLLER_PUBLISH_SERVICE" ( include "kong.controller-publish-service" . ) -}} {{- $_ := set $autoEnv "CONTROLLER_INGRESS_CLASS" .Values.ingressController.ingressClass -}} {{- $_ := set $autoEnv "CONTROLLER_ELECTION_ID" (printf "kong-ingress-controller-leader-%s" .Values.ingressController.ingressClass) -}} @@ -1253,6 +1267,24 @@ resource roles into their separate templates. - namespaces verbs: - list +{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} +- apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies/status + verbs: + - get + - patch + - update +{{- end }} {{- if (semverCompare ">= 2.11.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} - apiGroups: - configuration.konghq.com 
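Review bot: The new `kong.controller-publish-service` define in the first hunk mixes indentation: the three lines `{{- if .Values.proxy.nameOverride -}}`, `{{- $proxyOverride = ( tpl .Values.proxy.nameOverride . ) -}}` and `{{- end -}}` are indented by two spaces while the rest of the same define sits at column 0, and a blank line separates the `{{/* ... */}}` doc comment from its `{{- define`. Every action uses `{{-`/`-}}` trimming, so rendered output is unaffected and this is style only; dedenting the three lines and dropping the blank line matches the other defines in this file. Running `.Values.proxy.nameOverride` through `tpl` is also a behaviour change relative to the removed `CONTROLLER_PUBLISH_SERVICE` expression in the same hunk, so the doc comment should say so, e.g. `Applies tpl to proxy.nameOverride so it may reference other values, then falls back to <fullname>-proxy.` The `kong.ingressController.env` define this feeds continues outside the hunk.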
@@ -1429,7 +1461,7 @@ resource roles into their separate templates. - get - patch - update -{{- if or (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1alpha2") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1") }} +{{- if or (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1alpha2") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1")}} - apiGroups: - gateway.networking.k8s.io resources: @@ -1620,7 +1652,7 @@ Kubernetes Cluster-scoped resources it uses to build Kong configuration. - list - watch {{- end }} -{{- if or (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1alpha2") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1") }} +{{- if or (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1alpha2") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1")}} - apiGroups: - gateway.networking.k8s.io resources: diff --git a/build_system/charts/open-appsec-kong/templates/admission-webhook.yaml b/build_system/charts/open-appsec-kong/templates/admission-webhook.yaml index f7e5c40..1be937f 100644 --- a/build_system/charts/open-appsec-kong/templates/admission-webhook.yaml +++ b/build_system/charts/open-appsec-kong/templates/admission-webhook.yaml @@ -80,9 +80,15 @@ webhooks: apiVersions: - 'v1' operations: +{{- if (semverCompare ">= 2.12.1" (include "kong.effectiveVersion" .Values.ingressController.image)) }} + - CREATE +{{- end }} - UPDATE resources: - secrets +{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} + - services +{{- end }} {{- if (semverCompare ">= 2.12.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} - apiGroups: - networking.k8s.io @@ -98,6 +104,7 @@ webhooks: apiVersions: - 'v1alpha2' - 'v1beta1' + - 'v1' operations: - CREATE - UPDATE 
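Review bot: The extended condition in the `@@ -1429` hunk ends with `"gateway.networking.k8s.io/v1")}}` with no space before the closing delimiter, unlike the `) }}` spacing used by the two existing `Has` calls on the same line; the `@@ -1620` hunk below has the same nit. Go templates accept it, so this is style only, but `(.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1") }}` keeps both lines consistent with the rest of the file. The role definitions these conditions sit in start outside both hunks.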
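Review bot: The first hunk of admission-webhook.yaml widens the core-group rule so that, for controller versions at or above 3.0.0, the webhook is called on every Service CREATE and UPDATE in the matched namespaces, on top of the existing Secret rule. Whether that blocks Service changes while the controller is unavailable depends on the webhook's `failurePolicy` and `namespaceSelector`, both outside the hunk; with `failurePolicy: Fail` and no selector, a crashed or rolling controller pod would stall Service creation cluster-wide. A comment above the new block, `# KIC >= 3.0 registers the webhook for Services; keep failurePolicy and namespaceSelector narrow so controller downtime cannot block unrelated Service changes`, would record that trade-off for operators. The `webhooks:` entry this rule belongs to starts outside the hunk.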
diff --git a/build_system/charts/open-appsec-kong/templates/appsec.yaml b/build_system/charts/open-appsec-kong/templates/appsec.yaml index 6d686ea..0b9f936 100644 --- a/build_system/charts/open-appsec-kong/templates/appsec.yaml +++ b/build_system/charts/open-appsec-kong/templates/appsec.yaml @@ -70,6 +70,9 @@ spec: {{ include "kong.renderTpl" (dict "value" .Values.podLabels "context" $) | nindent 8 }} {{- end }} spec: + {{- if .Values.deployment.hostname }} + hostname: {{ .Values.deployment.hostname }} + {{- end }} {{- if .Values.deployment.hostNetwork }} hostNetwork: true {{- end }} diff --git a/build_system/charts/open-appsec-kong/templates/deployment.yaml b/build_system/charts/open-appsec-kong/templates/deployment.yaml index 5307d23..bce3262 100644 --- a/build_system/charts/open-appsec-kong/templates/deployment.yaml +++ b/build_system/charts/open-appsec-kong/templates/deployment.yaml @@ -63,6 +63,9 @@ spec: {{ include "kong.renderTpl" (dict "value" .Values.podLabels "context" $) | nindent 8 }} {{- end }} spec: + {{- if .Values.deployment.hostname }} + hostname: {{ .Values.deployment.hostname }} + {{- end }} {{- if .Values.deployment.hostNetwork }} hostNetwork: true {{- end }} diff --git a/build_system/charts/open-appsec-kong/templates/pdb.yaml b/build_system/charts/open-appsec-kong/templates/pdb.yaml index da18662..8d918c5 100644 --- a/build_system/charts/open-appsec-kong/templates/pdb.yaml +++ b/build_system/charts/open-appsec-kong/templates/pdb.yaml 
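Review bot: The new `hostname: {{ .Values.deployment.hostname }}` line in the appsec.yaml hunk renders the value unquoted, and the deployment.yaml hunk below does the same. A hostname that YAML types as something other than a string, for example an all-digit label such as `1234` (which is a valid DNS-1123 label), renders as an integer and the API server rejects the manifest. `hostname: {{ .Values.deployment.hostname | quote }}` avoids the retyping; the `{{- if .Values.deployment.hostname }}` guard already skips the `""` default that values.yaml adds further down this diff, so quoting changes nothing for the default case. The enclosing pod `spec:` continues outside both hunks.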
@@ -1,4 +1,10 @@ {{- if .Values.podDisruptionBudget.enabled }} +{{- if and (not .Values.autoscaling.enabled) (le (int .Values.replicaCount) 1) }} +{{- fail "Enabling PodDisruptionBudget with replicaCount: 1 and no autoscaling prevents pod restarts during upgrades" }} +{{- end }} +{{- if and .Values.autoscaling.enabled (le (int .Values.autoscaling.minReplicas) 1) }} +{{- fail "Enabling PodDisruptionBudget with autoscaling.minReplicas: 1 prevents pod restarts during upgrades" }} +{{- end }} apiVersion: policy/v1 kind: PodDisruptionBudget metadata: diff --git a/build_system/charts/open-appsec-kong/templates/servicemonitor.yaml b/build_system/charts/open-appsec-kong/templates/servicemonitor.yaml index b0f8b4d..db3dfbf 100644 --- a/build_system/charts/open-appsec-kong/templates/servicemonitor.yaml +++ b/build_system/charts/open-appsec-kong/templates/servicemonitor.yaml @@ -24,7 +24,7 @@ spec: {{- if .Values.serviceMonitor.metricRelabelings }} metricRelabelings: {{ toYaml .Values.serviceMonitor.metricRelabelings | nindent 6 }} {{- end }} - {{ if (semverCompare ">= 2.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) -}} + {{- if and .Values.ingressController.enabled (semverCompare ">= 2.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} - targetPort: cmetrics scheme: http {{- if .Values.serviceMonitor.interval }} diff --git a/build_system/charts/open-appsec-kong/templates/tests/test-resources.yaml b/build_system/charts/open-appsec-kong/templates/tests/test-resources.yaml index cc66be6..79e32d7 100644 --- a/build_system/charts/open-appsec-kong/templates/tests/test-resources.yaml +++ b/build_system/charts/open-appsec-kong/templates/tests/test-resources.yaml @@ -32,9 +32,9 @@ metadata: name: "{{ .Release.Name }}-httpbin" annotations: httpbin.ingress.kubernetes.io/rewrite-target: / - kubernetes.io/ingress.class: "kong" konghq.com/strip-path: "true" spec: + ingressClassName: kong rules: - http: paths: 
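Review bot: The first new guard in pdb.yaml, `{{- if and (not .Values.autoscaling.enabled) (le (int .Values.replicaCount) 1) }}`, reads `replicaCount` regardless of workload type, while the values.yaml `deployment:` hunk later in this diff shows `daemonset: false` as an alternative controller. If `deployment.daemonset` is true the replica count presumably does not govern pod count, so a DaemonSet install with a PDB enabled and the default `replicaCount` would be rejected by `fail` even though nothing blocks restarts; adding `(not .Values.deployment.daemonset)` to that `and` would scope the check to Deployments, assuming the DaemonSet path ignores `replicaCount` as its name suggests. A short comment above the two checks, `# A PDB over a single replica blocks voluntary eviction, so upgrades would hang`, would explain the rationale to users who hit the error. The template body continues outside the hunk.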
@@ -46,14 +46,14 @@ spec: port: number: 80 --- -apiVersion: gateway.networking.k8s.io/v1alpha2 +apiVersion: gateway.networking.k8s.io/v1beta1 kind: GatewayClass metadata: name: "{{ .Release.Name }}-kong-test" spec: controllerName: konghq.com/kic-gateway-controller --- -apiVersion: gateway.networking.k8s.io/v1alpha2 +apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway metadata: name: "{{ .Release.Name }}-kong-test" @@ -66,7 +66,7 @@ spec: protocol: HTTP port: 80 --- -apiVersion: gateway.networking.k8s.io/v1alpha2 +apiVersion: gateway.networking.k8s.io/v1beta1 kind: HTTPRoute metadata: name: "{{ .Release.Name }}-httpbin" diff --git a/build_system/charts/open-appsec-kong/values.yaml b/build_system/charts/open-appsec-kong/values.yaml index 2c0cb36..4066215 100644 --- a/build_system/charts/open-appsec-kong/values.yaml +++ b/build_system/charts/open-appsec-kong/values.yaml @@ -60,6 +60,11 @@ deployment: # Use a DaemonSet controller instead of a Deployment controller daemonset: false hostNetwork: false + # Set the Deployment's spec.template.hostname field. + # This propagates to Kong API endpoints that report + # the hostname, such as the admin API root and hybrid mode + # /clustering/data-planes endpoint + hostname: "" # kong_prefix empty dir size prefixDir: sizeLimit: 256Mi 
@@ -510,13 +515,13 @@ dblessConfig: # ----------------------------------------------------------------------------- # Kong Ingress Controller's primary purpose is to satisfy Ingress resources -# created in k8s. It uses CRDs for more fine grained control over routing and +# created in k8s. It uses CRDs for more fine grained control over routing and # for Kong specific configuration. ingressController: enabled: true image: repository: kong/kubernetes-ingress-controller - tag: "2.12" + tag: "3.0" # Optionally set a semantic version for version-gated features. This can normally # be left unset. You only need to set this if your tag is not a semver string, # such as when you are using a "next" tag. Set this to the effective semantic @@ -948,6 +953,14 @@ securityContext: {} # securityContext for containers. containerSecurityContext: readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsUser: 1000 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL ## Optional DNS configuration for Kong pods # dnsPolicy: ClusterFirst @@ -968,7 +981,7 @@ serviceMonitor: # If you wish to gather metrics from a Kong instance with the proxy disabled (such as a hybrid control plane), see: # https://github.com/Kong/charts/blob/main/charts/kong/README.md#prometheus-operator-integration enabled: false - # interval: 10s + # interval: 30s # Specifies namespace, where ServiceMonitor should be installed # namespace: monitoring # labels: @@ -1234,7 +1247,7 @@ appsec: #registry: repository: ghcr.io/openappsec image: "agent" - tag: "1.1.0" + tag: "1.1.1" pullPolicy: Always securityContext: @@ -1248,7 +1261,7 @@ appsec: kong: image: repository: "ghcr.io/openappsec/kong-attachment" - tag: "1.1.0" + tag: "1.1.1" configMapName: appsec-settings-configmap configMapContent: crowdsec:
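Review bot: The hardening added to `containerSecurityContext` in the `@@ -948` hunk (`allowPrivilegeEscalation: false`, `runAsUser: 1000`, `runAsNonRoot: true`, `seccompProfile.type: RuntimeDefault`, `capabilities.drop: [ALL]`) only reaches containers whose templates consume this value; the `appsec:` section further down the same file carries its own `securityContext:` key, so the agent container presumably is not covered by it. It would be worth checking that block and mirroring whichever of these settings the agent tolerates, or documenting in its comment why it needs more. `runAsUser: 1000` also pins a UID that has to match the one the image expects for its writable paths, and combined with `runAsNonRoot: true` a mismatch surfaces only as a failed rollout; a comment next to it such as `# must match the uid the container image runs as; override for custom images` would save users that debugging. The values mapping continues outside the hunk.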