Open Appsec helm chart automation Mon Nov 20 16:05:56 IST 2023 latest

2025-09-29 19:24:26 +03:00 · 2023-11-20 16:05:56 +02:00
parent 7f712b21e4
commit b2781d63d4
63 changed files with 698 additions and 135 deletions
--- a/build_system/charts/open-appsec-kong/templates/_helpers.tpl
+++ b/build_system/charts/open-appsec-kong/templates/_helpers.tpl
@@ -447,14 +447,28 @@ The name of the service used for the ingress controller's validation webhook
 {{ include "kong.fullname" . }}-validation-webhook
 {{- end -}}

+
+{{/*
+The name of the Service which will be used by the controller to update the Ingress status field.
+*/}}
+
+{{- define "kong.controller-publish-service" -}}
+{{- $proxyOverride := "" -}}
+  {{- if .Values.proxy.nameOverride -}}
+    {{- $proxyOverride = ( tpl .Values.proxy.nameOverride . ) -}}
+  {{- end -}}
+{{- (printf "%s/%s" ( include "kong.namespace" . ) ( default ( printf "%s-proxy" (include "kong.fullname" . )) $proxyOverride )) -}}
+{{- end -}}
+
 {{- define "kong.ingressController.env" -}}
 {{/*
    ====== AUTO-GENERATED ENVIRONMENT VARIABLES ======
 */}}

+
 {{- $autoEnv := dict -}}
  {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY" true -}}
-  {{- $_ := set $autoEnv "CONTROLLER_PUBLISH_SERVICE" (printf "%s/%s" ( include "kong.namespace" . ) ( .Values.proxy.nameOverride | default ( printf "%s-proxy" (include "kong.fullname" . )))) -}}
+  {{- $_ := set $autoEnv "CONTROLLER_PUBLISH_SERVICE" ( include "kong.controller-publish-service" . ) -}}
  {{- $_ := set $autoEnv "CONTROLLER_INGRESS_CLASS" .Values.ingressController.ingressClass -}}
  {{- $_ := set $autoEnv "CONTROLLER_ELECTION_ID" (printf "kong-ingress-controller-leader-%s" .Values.ingressController.ingressClass) -}}

@@ -1253,6 +1267,24 @@ resource roles into their separate templates.
  - namespaces
  verbs:
  - list
+{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - kongupstreampolicies
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - kongupstreampolicies/status
+  verbs:
+  - get
+  - patch
+  - update
+{{- end }}
 {{- if (semverCompare ">= 2.11.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
 - apiGroups:
  - configuration.konghq.com
@@ -1429,7 +1461,7 @@ resource roles into their separate templates.
  - get
  - patch
  - update
-{{- if or (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1alpha2") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1") }}
+{{- if or (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1alpha2") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1")}}
 - apiGroups:
  - gateway.networking.k8s.io
  resources:
@@ -1620,7 +1652,7 @@ Kubernetes Cluster-scoped resources it uses to build Kong configuration.
  - list
  - watch
 {{- end }}
-{{- if or (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1alpha2") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1") }}
+{{- if or (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1alpha2") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1")}}
 - apiGroups:
  - gateway.networking.k8s.io
  resources:
--- a/build_system/charts/open-appsec-kong/templates/admission-webhook.yaml
+++ b/build_system/charts/open-appsec-kong/templates/admission-webhook.yaml
@@ -80,9 +80,15 @@ webhooks:
    apiVersions:
    - 'v1'
    operations:
+{{- if (semverCompare ">= 2.12.1" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+    - CREATE
+{{- end }}
    - UPDATE
    resources:
    - secrets
+{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+    - services
+{{- end }}
 {{- if (semverCompare ">= 2.12.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
  - apiGroups:
    - networking.k8s.io
@@ -98,6 +104,7 @@ webhooks:
    apiVersions:
    - 'v1alpha2'
    - 'v1beta1'
+    - 'v1'
    operations:
    - CREATE
    - UPDATE
--- a/build_system/charts/open-appsec-kong/templates/appsec.yaml
+++ b/build_system/charts/open-appsec-kong/templates/appsec.yaml
@@ -70,6 +70,9 @@ spec:
        {{ include "kong.renderTpl" (dict "value" .Values.podLabels "context" $) | nindent 8 }}
        {{- end }}
    spec:
+      {{- if .Values.deployment.hostname }}
+      hostname: {{ .Values.deployment.hostname }}
+      {{- end }}
      {{- if .Values.deployment.hostNetwork }}
      hostNetwork: true
      {{- end }}
--- a/build_system/charts/open-appsec-kong/templates/deployment.yaml
+++ b/build_system/charts/open-appsec-kong/templates/deployment.yaml
@@ -63,6 +63,9 @@ spec:
        {{ include "kong.renderTpl" (dict "value" .Values.podLabels "context" $) | nindent 8 }}
        {{- end }}
    spec:
+      {{- if .Values.deployment.hostname }}
+      hostname: {{ .Values.deployment.hostname }}
+      {{- end }}
      {{- if .Values.deployment.hostNetwork }}
      hostNetwork: true
      {{- end }}
--- a/build_system/charts/open-appsec-kong/templates/pdb.yaml
+++ b/build_system/charts/open-appsec-kong/templates/pdb.yaml
@@ -1,4 +1,10 @@
 {{- if .Values.podDisruptionBudget.enabled }}
+{{- if and (not .Values.autoscaling.enabled) (le (int .Values.replicaCount) 1) }}
+{{- fail "Enabling PodDisruptionBudget with replicaCount: 1 and no autoscaling prevents pod restarts during upgrades" }}
+{{- end }}
+{{- if and .Values.autoscaling.enabled (le (int .Values.autoscaling.minReplicas) 1) }}
+{{- fail "Enabling PodDisruptionBudget with autoscaling.minReplicas: 1 prevents pod restarts during upgrades" }}
+{{- end }}
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
--- a/build_system/charts/open-appsec-kong/templates/servicemonitor.yaml
+++ b/build_system/charts/open-appsec-kong/templates/servicemonitor.yaml
@@ -24,7 +24,7 @@ spec:
    {{- if .Values.serviceMonitor.metricRelabelings }}
    metricRelabelings: {{ toYaml .Values.serviceMonitor.metricRelabelings | nindent 6 }}
    {{- end }}
-  {{ if (semverCompare ">= 2.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) -}}
+  {{- if and .Values.ingressController.enabled (semverCompare ">= 2.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
  - targetPort: cmetrics
    scheme: http
    {{- if .Values.serviceMonitor.interval }}
--- a/build_system/charts/open-appsec-kong/templates/tests/test-resources.yaml
+++ b/build_system/charts/open-appsec-kong/templates/tests/test-resources.yaml
@@ -32,9 +32,9 @@ metadata:
  name: "{{ .Release.Name }}-httpbin"
  annotations:
    httpbin.ingress.kubernetes.io/rewrite-target: /
-    kubernetes.io/ingress.class: "kong"
    konghq.com/strip-path: "true"
 spec:
+  ingressClassName: kong
  rules:
  - http:
      paths:
@@ -46,14 +46,14 @@ spec:
            port:
              number: 80
 ---
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1beta1
 kind: GatewayClass
 metadata:
  name: "{{ .Release.Name }}-kong-test"
 spec:
  controllerName: konghq.com/kic-gateway-controller
 ---
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1beta1
 kind: Gateway
 metadata:
  name: "{{ .Release.Name }}-kong-test"
@@ -66,7 +66,7 @@ spec:
    protocol: HTTP
    port: 80
 ---
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1beta1
 kind: HTTPRoute
 metadata:
  name: "{{ .Release.Name }}-httpbin"