github_mirrors/openappsec
3
0
Fork 1
mirror of https://github.com/openappsec/openappsec.git synced 2025-06-28 16:41:02 +03:00
Code Issues Packages Projects Releases Wiki Activity

Open Appsec helm chart automation Mon Nov 20 16:05:56 IST 2023 latest

Browse Source
This commit is contained in:
Ned Wright 2023-11-20 16:05:56 +02:00
parent 7f712b21e4
commit b2781d63d4
63 changed files with 698 additions and 135 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
build_system/charts/open-appsec-k8s-nginx-ingress/Chart.yaml
View File

@ -1,6 +1,5 @@
annotations:
artifacthub.io/changes: |
- "Update Ingress-Nginx version controller-v1.9.1"
artifacthub.io/changes: '- "Update Ingress-Nginx version controller-v1.9.4"'
artifacthub.io/prerelease: "false"
apiVersion: v2
appVersion: latest
@ -11,4 +10,4 @@ kubeVersion: '>=1.20.0-0'
name: open-appsec-k8s-nginx-ingress
sources:
- https://github.com/kubernetes/ingress-nginx
version: 4.8.1
version: 4.8.3

13
build_system/charts/open-appsec-k8s-nginx-ingress/README.md
View File

@ -2,7 +2,7 @@
[ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
![Version: 4.8.1](https://img.shields.io/badge/Version-4.8.1-informational?style=flat-square) ![AppVersion: 1.9.1](https://img.shields.io/badge/AppVersion-1.9.1-informational?style=flat-square)
![Version: 4.8.3](https://img.shields.io/badge/Version-4.8.3-informational?style=flat-square) ![AppVersion: 1.9.4](https://img.shields.io/badge/AppVersion-1.9.4-informational?style=flat-square)
To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
@ -251,11 +251,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.admissionWebhooks.namespaceSelector | object | `{}` | |
| controller.admissionWebhooks.objectSelector | object | `{}` | |
| controller.admissionWebhooks.patch.enabled | bool | `true` | |
| controller.admissionWebhooks.patch.image.digest | string | `"sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b"` | |
| controller.admissionWebhooks.patch.image.digest | string | `"sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80"` | |
| controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | |
| controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | |
| controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | |
| controller.admissionWebhooks.patch.image.tag | string | `"v20230407"` | |
| controller.admissionWebhooks.patch.image.tag | string | `"v20231011-8b53cabe0"` | |
| controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources |
| controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | |
| controller.admissionWebhooks.patch.podAnnotations | object | `{}` | |
@ -314,13 +314,13 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.hostname | object | `{}` | Optionally customize the pod hostname. |
| controller.image.allowPrivilegeEscalation | bool | `true` | |
| controller.image.chroot | bool | `false` | |
| controller.image.digest | string | `"sha256:605a737877de78969493a4b1213b21de4ee425d2926906857b98050f57a95b25"` | |
| controller.image.digestChroot | string | `"sha256:2ac744ef08850ee86ad7162451a6879f47c1a41c6a757f6b6f913c52103b8836"` | |
| controller.image.digest | string | `"sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3"` | |
| controller.image.digestChroot | string | `"sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26"` | |
| controller.image.image | string | `"ingress-nginx/controller"` | |
| controller.image.pullPolicy | string | `"IfNotPresent"` | |
| controller.image.registry | string | `"registry.k8s.io"` | |
| controller.image.runAsUser | int | `101` | |
| controller.image.tag | string | `"v1.9.1"` | |
| controller.image.tag | string | `"v1.9.4"` | |
| controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation |
| controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
| controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass |
@ -498,6 +498,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| defaultBackend.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # |
| dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param |
| imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |
| namespaceOverride | string | `""` | Override the deployment namespace; defaults to .Release.Namespace |
| podSecurityPolicy.enabled | bool | `false` | |
| portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration |
| rbac.create | bool | `true` | |

10
build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.8.2.md Normal file
View File

@ -0,0 +1,10 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.8.2
* - "update nginx base, httpbun, e2e, helm webhook cert gen (#10506)"
* - "Update Ingress-Nginx version controller-v1.9.3"
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.1...helm-chart-4.8.2

8
build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.8.3.md Normal file
View File

@ -0,0 +1,8 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.8.3
* Update Ingress-Nginx version controller-v1.9.4
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.2...helm-chart-4.8.3

11
build_system/charts/open-appsec-k8s-nginx-ingress/templates/_helpers.tpl
View File

@ -30,6 +30,17 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{- end -}}
{{- end -}}
{{/*
Allow the release namespace to be overridden for multi-namespace deployments in combined charts
*/}}
{{- define "ingress-nginx.namespace" -}}
{{- if .Values.namespaceOverride -}}
{{- .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- .Release.Namespace -}}
{{- end -}}
{{- end -}}
{{/*
Container SecurityContext.

12
build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/cert-manager.yaml
View File

@ -6,7 +6,7 @@ apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ include "ingress-nginx.fullname" . }}-self-signed-issuer
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
selfSigned: {}
---
@ -15,7 +15,7 @@ apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ include "ingress-nginx.fullname" . }}-root-cert
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
secretName: {{ include "ingress-nginx.fullname" . }}-root-cert
duration: {{ .Values.controller.admissionWebhooks.certManager.rootCert.duration | default "43800h0m0s" | quote }}
@ -32,7 +32,7 @@ apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ include "ingress-nginx.fullname" . }}-root-issuer
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
ca:
secretName: {{ include "ingress-nginx.fullname" . }}-root-cert
@ -43,7 +43,7 @@ apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
secretName: {{ include "ingress-nginx.fullname" . }}-admission
duration: {{ .Values.controller.admissionWebhooks.certManager.admissionCert.duration | default "8760h0m0s" | quote }}
@ -55,8 +55,8 @@ spec:
{{- end }}
dnsNames:
- {{ include "ingress-nginx.controller.fullname" . }}-admission
- {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ .Release.Namespace }}
- {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ .Release.Namespace }}.svc
- {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ include "ingress-nginx.namespace" . }}
- {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ include "ingress-nginx.namespace" . }}.svc
subject:
organizations:
- ingress-nginx-admission

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
View File

@ -19,5 +19,5 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ include "ingress-nginx.fullname" . }}-admission
namespace: {{ .Release.Namespace | quote }}
namespace: {{ (include "ingress-nginx.namespace" .) | quote }}
{{- end }}

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/job-createSecret.yaml
View File

@ -3,7 +3,7 @@ apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission-create
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
View File

@ -3,7 +3,7 @@ apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission-patch
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/networkpolicy.yaml
View File

@ -3,7 +3,7 @@ apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded

4
build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/role.yaml
View File

@ -2,8 +2,8 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
namespace: {{ .Release.Namespace }}
name: {{ include "ingress-nginx.fullname" . }}-admission
namespace: {{ include "ingress-nginx.namespace" . }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded

4
build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/rolebinding.yaml
View File

@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@ -20,5 +20,5 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ include "ingress-nginx.fullname" . }}-admission
namespace: {{ .Release.Namespace | quote }}
namespace: {{ (include "ingress-nginx.namespace" .) | quote }}
{{- end }}

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/serviceaccount.yaml
View File

@ -3,7 +3,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/validating-webhook.yaml
View File

@ -38,7 +38,7 @@ webhooks:
- v1
clientConfig:
service:
namespace: {{ .Release.Namespace | quote }}
namespace: {{ (include "ingress-nginx.namespace" .) | quote }}
name: {{ include "ingress-nginx.controller.fullname" . }}-admission
path: /networking/v1/ingresses
{{- if .Values.controller.admissionWebhooks.timeoutSeconds }}

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec.yaml
View File

@ -18,7 +18,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
{{- if .Values.controller.annotations }}
annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
{{- end }}

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/clusterrolebinding.yaml
View File

@ -15,5 +15,5 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ template "ingress-nginx.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ (include "ingress-nginx.namespace" .) | quote }}
{{- end }}

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap-addheaders.yaml
View File

@ -9,6 +9,6 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.fullname" . }}-custom-add-headers
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
data: {{ toYaml .Values.controller.addHeaders | nindent 2 }}
{{- end }}

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap-proxyheaders.yaml
View File

@ -9,6 +9,6 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
data: {{ toYaml .Values.controller.proxySetHeaders | nindent 2 }}
{{- end }}

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap-tcp.yaml
View File

@ -12,6 +12,6 @@ metadata:
annotations: {{ toYaml .Values.controller.tcp.annotations | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.fullname" . }}-tcp
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
data: {{ tpl (toYaml .Values.tcp) . | nindent 2 }}
{{- end }}

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap-udp.yaml
View File

@ -12,6 +12,6 @@ metadata:
annotations: {{ toYaml .Values.controller.udp.annotations | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.fullname" . }}-udp
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
data: {{ tpl (toYaml .Values.udp) . | nindent 2 }}
{{- end }}

8
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap.yaml
View File

@ -11,17 +11,17 @@ metadata:
annotations: {{ toYaml .Values.controller.configAnnotations | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
data:
allow-snippet-annotations: "{{ .Values.controller.allowSnippetAnnotations }}"
{{- if .Values.controller.addHeaders }}
add-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers
add-headers: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers
{{- end }}
{{- if .Values.controller.proxySetHeaders }}
proxy-set-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
proxy-set-headers: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
{{- end }}
{{- if .Values.dhParam }}
ssl-dh-param: {{ .Release.Namespace }}/{{ include "ingress-nginx.controller.fullname" . }}
ssl-dh-param: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.controller.fullname" . }}
{{- end }}
{{- range $key, $value := .Values.controller.config }}
{{- $key | nindent 2 }}: {{ $value | quote }}

4
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-daemonset.yaml
View File

@ -1,4 +1,4 @@
{{- if and (eq .Values.kind "Vanilla") (or (eq .Values.controller.kind "DaemonSet") (eq .Values.controller.kind "Both")) -}}
{{- if and (eq .Values.kind "Vanilla") (eq .Values.controller.kind "DaemonSet") -}}
{{- include "isControllerTagValid" . -}}
apiVersion: apps/v1
kind: DaemonSet
@ -10,7 +10,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
{{- if .Values.controller.annotations }}
annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
{{- end }}

4
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-deployment.yaml
View File

@ -1,4 +1,4 @@
{{- if and (eq .Values.kind "Vanilla") (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}}
{{- if and (eq .Values.kind "Vanilla") (eq .Values.controller.kind "Deployment") -}}
{{- include "isControllerTagValid" . -}}
apiVersion: apps/v1
kind: Deployment
@ -10,7 +10,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
{{- if .Values.controller.annotations }}
annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
{{- end }}

4
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-hpa.yaml
View File

@ -1,4 +1,4 @@
{{- if and (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) .Values.controller.autoscaling.enabled (not .Values.controller.keda.enabled) -}}
{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled (not .Values.controller.keda.enabled) -}}
apiVersion: {{ ternary "autoscaling/v2" "autoscaling/v2beta2" (.Capabilities.APIVersions.Has "autoscaling/v2") }}
kind: HorizontalPodAutoscaler
metadata:
@ -12,7 +12,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
scaleTargetRef:
apiVersion: apps/v1

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-keda.yaml
View File

@ -1,4 +1,4 @@
{{- if and .Values.controller.keda.enabled (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}}
{{- if and .Values.controller.keda.enabled (eq .Values.controller.kind "Deployment") -}}
# https://keda.sh/docs/
apiVersion: {{ .Values.controller.keda.apiVersion }}

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-networkpolicy.yaml
View File

@ -9,7 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
podSelector:
matchLabels:

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-poddisruptionbudget.yaml
View File

@ -9,7 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
{{- if .Values.controller.annotations }}
annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
{{- end }}

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-role.yaml
View File

@ -9,7 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
rules:
- apiGroups:
- ""

4
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-rolebinding.yaml
View File

@ -9,7 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@ -17,5 +17,5 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ template "ingress-nginx.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ (include "ingress-nginx.namespace" .) | quote }}
{{- end }}

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-secret.yaml
View File

@ -9,7 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
data:
dhparam.pem: {{ .Values.dhParam }}
{{- end }}

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service-internal.yaml
View File

@ -13,7 +13,7 @@ metadata:
{{- toYaml .Values.controller.service.labels | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}-internal
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
type: "{{ .Values.controller.service.type }}"
{{- if .Values.controller.service.internal.loadBalancerIP }}

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service-metrics.yaml
View File

@ -12,7 +12,7 @@ metadata:
{{- toYaml .Values.controller.metrics.service.labels | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}-metrics
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
type: {{ .Values.controller.metrics.service.type }}
{{- if .Values.controller.metrics.service.clusterIP }}

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service-webhook.yaml
View File

@ -12,7 +12,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}-admission
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
type: {{ .Values.controller.admissionWebhooks.service.type }}
{{- if .Values.controller.admissionWebhooks.service.clusterIP }}

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service.yaml
View File

@ -13,7 +13,7 @@ metadata:
{{- toYaml .Values.controller.service.labels | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
type: {{ .Values.controller.service.type }}
{{- if .Values.controller.service.clusterIP }}

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-serviceaccount.yaml
View File

@ -9,7 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ template "ingress-nginx.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
{{- if .Values.serviceAccount.annotations }}
annotations: {{ toYaml .Values.serviceAccount.annotations | nindent 4 }}
{{- end }}

4
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-servicemonitor.yaml
View File

@ -6,7 +6,7 @@ metadata:
{{- if .Values.controller.metrics.serviceMonitor.namespace }}
namespace: {{ .Values.controller.metrics.serviceMonitor.namespace | quote }}
{{- else }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
{{- end }}
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
@ -35,7 +35,7 @@ spec:
{{- else }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
- {{ include "ingress-nginx.namespace" . }}
{{- end }}
{{- if .Values.controller.metrics.serviceMonitor.targetLabels }}
targetLabels:

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-deployment.yaml
View File

@ -9,7 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
selector:
matchLabels:

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-hpa.yaml
View File

@ -12,7 +12,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
scaleTargetRef:
apiVersion: apps/v1

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-networkpolicy.yaml
View File

@ -9,7 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
podSelector:
matchLabels:

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-poddisruptionbudget.yaml
View File

@ -10,7 +10,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
selector:
matchLabels:

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-role.yaml
View File

@ -9,7 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.fullname" . }}-backend
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
rules:
- apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]
resources: ['podsecuritypolicies']

4
build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-rolebinding.yaml
View File

@ -9,7 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.fullname" . }}-backend
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@ -17,5 +17,5 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ (include "ingress-nginx.namespace" .) | quote }}
{{- end }}

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-service.yaml
View File

@ -12,7 +12,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
type: {{ .Values.defaultBackend.service.type }}
{{- if .Values.defaultBackend.service.clusterIP }}

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-serviceaccount.yaml
View File

@ -9,6 +9,6 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
automountServiceAccountToken: {{ .Values.defaultBackend.serviceAccount.automountServiceAccountToken }}
{{- end }}

15
build_system/charts/open-appsec-k8s-nginx-ingress/values.yaml
View File

@ -7,6 +7,9 @@
# nameOverride:
# fullnameOverride:
# -- Override the deployment namespace; defaults to .Release.Namespace
namespaceOverride: ""
## Labels to apply to all resources
##
commonLabels: {}
@ -24,9 +27,9 @@ controller:
## for backwards compatibility consider setting the full image url via the repository value below
## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
## repository:
tag: "v1.9.1"
digest: sha256:605a737877de78969493a4b1213b21de4ee425d2926906857b98050f57a95b25
digestChroot: sha256:2ac744ef08850ee86ad7162451a6879f47c1a41c6a757f6b6f913c52103b8836
tag: "v1.9.4"
digest: sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
digestChroot: sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26
pullPolicy: IfNotPresent
# www-data -> uid 101
runAsUser: 101
@ -640,8 +643,8 @@ controller:
## for backwards compatibility consider setting the full image url via the repository value below
## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
## repository:
tag: v20230407
digest: sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b
tag: v20231011-8b53cabe0
digest: sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80
pullPolicy: IfNotPresent
# -- Provide a priority class name to the webhook patching job
##
@ -699,7 +702,7 @@ controller:
## jobLabel: "app.kubernetes.io/name"
namespace: ""
namespaceSelector: {}
## Default: scrape .Release.Namespace only
## Default: scrape .Release.Namespace or namespaceOverride only
## To scrape all, use the following:
## namespaceSelector:
## any: true

50
build_system/charts/open-appsec-kong/CHANGELOG.md
View File

@ -4,10 +4,59 @@
Nothing yet.
## 2.32.0
### Improvements
* Add new `deployment.hostname` value to make identifying instances in
controlplane/dataplane configurations easier.
[#943](https://github.com/Kong/charts/pull/943)
## 2.31.0
### Improvements
* Added controller's RBAC rules for `KongUpstreamPolicy` CRD.
[#917](https://github.com/Kong/charts/pull/917)
* Added services resource to admission webhook config for KIC >= 3.0.0.
[#919](https://github.com/Kong/charts/pull/919)
* Update default ingress controller version to v3.0
[#929](https://github.com/Kong/charts/pull/929)
[#930](https://github.com/Kong/charts/pull/930)
### Fixed
* The target port for cmetrics should only be applied if the ingress controller is enabled.
[#926](https://github.com/Kong/charts/pull/926)
* Fix RBAC for Gateway API v1.
[#928](https://github.com/Kong/charts/pull/928)
* Enable Admission webhook for Gateway API v1 resources.
[#928](https://github.com/Kong/charts/pull/928)
## 2.30.0
### Improvements
* Prevent installing PodDisruptionBudget for `replicaCount: 1` or `autoscaling.minReplicas: 1`.
[#896](https://github.com/Kong/charts/pull/896)
* The admission webhook now will be triggered on Secrets creation for KIC 2.12.1+.
[#907](https://github.com/Kong/charts/pull/907)
* Container security context defaults now comply with the restricted pod
security standard. This includes an enforced run as user ID set to 1000. UID
1000 is used for official Kong images other than Alpine images (which use UID
100) and for KIC images 3.0.0+ (older images use UID 65532). Images that do
not use UID 1000 can still run with this user, as static image files are
world-accessible and runtime-created files are created in temporary
directories created for the run as user.
[#911](https://github.com/Kong/charts/pull/911)
* Allow using templates (via `tpl`) when specifying `proxy.nameOverride`.
[#914](https://github.com/Kong/charts/pull/914)
## 2.29.0
### Improvements
* Make it possible to set the admission webhook's `timeoutSeconds`.
[#894](https://github.com/Kong/charts/pull/894)
## 2.28.1
@ -16,6 +65,7 @@ Nothing yet.
* The admission webhook now includes Gateway API resources and Ingress
resources for controller versions 2.12+. This version introduces new
validations for Kong's regex path implementation.
[#892](https://github.com/Kong/charts/pull/892)
## 2.28.0

10
build_system/charts/open-appsec-kong/Chart.yaml
View File

@ -1,5 +1,5 @@
apiVersion: v2
appVersion: 1.1.0
appVersion: 1.1.1
dependencies:
- condition: postgresql.enabled
name: postgresql
@ -9,11 +9,9 @@ description: The Cloud-Native Ingress and API-management
home: https://konghq.com/
icon: https://s3.amazonaws.com/downloads.kong/universe/assets/icon-kong-inc-large.png
maintainers:
- email: harry@konghq.com
name: hbagdi
- email: traines@konghq.com
name: rainest
- email: team-k8s@konghq.com
name: team-k8s-bot
name: open-appsec-kong
sources:
- https://github.com/Kong/charts/tree/main/charts/kong
version: 2.29.0
version: 2.32.0

81
build_system/charts/open-appsec-kong/README.md
View File

@ -11,10 +11,10 @@ This chart bootstraps all the components needed to run Kong on a
## TL;DR;
```bash
$ helm repo add kong https://charts.konghq.com
$ helm repo update
helm repo add kong https://charts.konghq.com
helm repo update
$ helm install kong/kong --generate-name
helm install kong/kong --generate-name
```
## Table of contents
@ -91,10 +91,10 @@ $ helm install kong/kong --generate-name
To install Kong:
```bash
$ helm repo add kong https://charts.konghq.com
$ helm repo update
helm repo add kong https://charts.konghq.com
helm repo update
$ helm install kong/kong --generate-name
helm install kong/kong --generate-name
```
## Uninstall
@ -102,7 +102,7 @@ $ helm install kong/kong --generate-name
To uninstall/delete a Helm release `my-release`:
```bash
$ helm delete my-release
helm delete my-release
```
The command removes all the Kubernetes components associated with the
@ -451,6 +451,11 @@ documentation on Service
DNS](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/)
for more detail.
If you use multiple Helm releases to manage different data plane configurations
attached to the same control plane, setting the `deployment.hostname` field
will help you keep track of which is which in the `/clustering/data-plane`
endpoint.
### Cert Manager Integration
By default, Kong will create self-signed certificates on start for its TLS
@ -508,9 +513,9 @@ event you need to recover from unintended CRD deletion.
### InitContainers
The chart is able to deploy initcontainers along with Kong. This can be very
The chart is able to deploy initContainers along with Kong. This can be very
useful when there's a requirement for custom initialization. The
`deployment.initcontainers` field in values.yaml takes an array of objects that
`deployment.initContainers` field in values.yaml takes an array of objects that
get appended as-is to the existing `spec.template.initContainers` array in the
kong deployment resource.
@ -581,7 +586,11 @@ namespaces. Limiting access requires several changes to configuration:
Setting `deployment.daemonset: true` deploys Kong using a [DaemonSet
controller](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/)
instead of a Deployment controller. This runs a Kong Pod on every kubelet in
the Kubernetes cluster.
the Kubernetes cluster. For such configuration it may be desirable to configure
Pods to use the network of the host they run on instead of a dedicated network
namespace. The benefit of this approach is that the Kong can bind ports directly
to Kubernetes nodes' network interfaces, without the extra network translation
imposed by NodePort Services. It can be achieved by setting `deployment.hostNetwork: true`.
### Using dnsPolicy and dnsConfig
@ -725,7 +734,7 @@ section of `values.yaml` file:
|--------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------|
| enabled | Deploy the ingress controller, rbac and crd | true |
| image.repository | Docker image with the ingress controller | kong/kubernetes-ingress-controller |
| image.tag | Version of the ingress controller | `2.12` |
| image.tag | Version of the ingress controller | `3.0` |
| image.effectiveSemver | Version of the ingress controller used for version-specific features when image.tag is not a valid semantic version | |
| readinessProbe | Kong ingress controllers readiness probe | |
| livenessProbe | Kong ingress controllers liveness probe | |
@ -791,6 +800,12 @@ Kong Ingress Controller v2.9 has introduced gateway discovery which allows
the controller to discover Gateway instances that it should configure using
an Admin API Kubernetes service.
Using this feature requires a split release installation of Gateways and Ingress Controller.
For exemplar `values.yaml` files which use this feature please see: [examples README.md](./example-values/README.md).
or use the [`ingress` chart](../ingress/README.md) which can handle this for you.
##### Configuration
You'll be able to configure this feature through configuration section under
`ingressController.gatewayDiscovery`:
@ -813,12 +828,17 @@ You'll be able to configure this feature through configuration section under
the chart will generate values for `name` and `namespace` based on the current release name and
namespace. This is useful when consuming the `kong` chart as a subchart.
Using this feature requires a split release installation of Gateways and Ingress Controller.
For exemplar `values.yaml` files which use this feature please see: [examples README.md](./example-values/README.md).
Additionally, you can control the addresses that are generated for your Gateways
via the `--gateway-discovery-dns-strategy` CLI flag that can be set on the Ingress Controller
(or an equivalent environment variable: `CONTROLLER_GATEWAY_DISCOVERY_DNS_STRATEGY`).
It accepts 3 values which change the way that Gateway addresses are generated:
- `service` - for service scoped pod DNS names: `pod-ip-address.service-name.my-namespace.svc.cluster-domain.example`
- `pod` - for namespace scope pod DNS names: `pod-ip-address.my-namespace.pod.cluster-domain.example`
- `ip` (default, retains behavior introduced in v2.9) - for regular IP addresses
When using `gatewayDiscovery`, you should consider configuring the Admin service to use mTLS client verification to make
this interface secure. Without that, anyone who can access the Admin API from inside the cluster can configure the Gateway
instances.
this interface secure.
Without that, anyone who can access the Admin API from inside the cluster can configure the Gateway instances.
On the controller release side, that can be achieved by setting `ingressController.adminApi.tls.client.enabled` to `true`.
By default, Helm will generate a certificate Secret named `<release name>-admin-api-keypair` and
@ -838,6 +858,7 @@ On the Gateway release side, set either `admin.tls.client.secretName` to the nam
| deployment.minReadySeconds | Minimum number of seconds for which newly created pods should be ready without any of its container crashing, for it to be considered available. | |
| deployment.initContainers | Create initContainers. Please go to Kubernetes doc for the spec of the initContainers | |
| deployment.daemonset | Use a DaemonSet instead of a Deployment | `false` |
| deployment.hostname | Set the Deployment's `.spec.template.hostname`. Kong reports this as its hostname. | |
| deployment.hostNetwork | Enable hostNetwork, which binds to the ports to the host | `false` |
| deployment.userDefinedVolumes | Create volumes. Please go to Kubernetes doc for the spec of the volumes | |
| deployment.userDefinedVolumeMounts | Create volumeMounts. Please go to Kubernetes doc for the spec of the volumeMounts | |
@ -878,7 +899,7 @@ On the Gateway release side, set either `admin.tls.client.secretName` to the nam
| priorityClassName | Set pod scheduling priority class for Kong pods | `""` |
| secretVolumes | Mount given secrets as a volume in Kong container to override default certs and keys. | `[]` |
| securityContext | Set the securityContext for Kong Pods | `{}` |
| containerSecurityContext | Set the securityContext for Containers | `{"readOnlyRootFilesystem": true}` |
| containerSecurityContext | Set the securityContext for Containers | See values.yaml |
| serviceMonitor.enabled | Create ServiceMonitor for Prometheus Operator | `false` |
| serviceMonitor.interval | Scraping interval | `30s` |
| serviceMonitor.namespace | Where to create ServiceMonitor | |
@ -1013,7 +1034,7 @@ If you have paid for a license, but you do not have a copy of yours, please
contact Kong Support. Once you have it, you will need to store it in a Secret:
```bash
$ kubectl create secret generic kong-enterprise-license --from-file=license=./license.json
kubectl create secret generic kong-enterprise-license --from-file=license=./license.json
```
Set the secret name in `values.yaml`, in the `.enterprise.license_secret` key.
@ -1031,7 +1052,7 @@ from \<your username\> \> Edit Profile \> API Key. Use this to create registry
secrets:
```bash
$ kubectl create secret docker-registry kong-enterprise-edition-docker \
kubectl create secret docker-registry kong-enterprise-edition-docker \
--docker-server=hub.docker.io \
--docker-username=<username-provided-to-you> \
--docker-password=<password-provided-to-you>
@ -1107,14 +1128,30 @@ whereas this is optional for the Developer Portal on versions 0.36+. Providing
Portal session configuration in values.yaml provides the default session
configuration, which can be overridden on a per-workspace basis.
```bash
cat admin_gui_session_conf
```
$ cat admin_gui_session_conf
```json
{"cookie_name":"admin_session","cookie_samesite":"off","secret":"admin-secret-CHANGEME","cookie_secure":true,"storage":"kong"}
$ cat portal_session_conf
```
```bash
cat portal_session_conf
```
```json
{"cookie_name":"portal_session","cookie_samesite":"off","secret":"portal-secret-CHANGEME","cookie_secure":true,"storage":"kong"}
$ kubectl create secret generic kong-session-config --from-file=admin_gui_session_conf --from-file=portal_session_conf
```
```bash
kubectl create secret generic kong-session-config --from-file=admin_gui_session_conf --from-file=portal_session_conf
```
```bash
secret/kong-session-config created
```
The exact plugin settings may vary in your environment. The `secret` should
always be changed for both configurations.
@ -1175,7 +1212,7 @@ between the initial install and upgrades. Both operations are a "sync" in Argo
terms. This affects when migration Jobs execute in database-backed Kong
installs.
The chart sets the `Sync` and `BeforeHookCreation` deletion
The chart sets the `Sync` and `BeforeHookCreation` deletion
[hook policies](https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks/)
on the `init-migrations` and `pre-upgrade-migrations` Jobs.

10
build_system/charts/open-appsec-kong/UPGRADE.md
View File

@ -193,7 +193,7 @@ database](https://www.postgresql.org/docs/current/backup-dump.html) and
creating a separate release if you wish to continue using 8.6.8:
```
$ helm install my-release -f values.yaml --version 8.6.8 bitnami/postgresql
helm install my-release -f values.yaml --version 8.6.8 bitnami/postgresql
```
Afterwords, you will upgrade your Kong chart release with
@ -233,26 +233,28 @@ upgrade in multiple steps:
First, pin the controller version and upgrade to chart 2.4.0:
```console
$ helm upgrade --wait \
helm upgrade --wait \
--set ingressController.image.tag=<CURRENT_CONTROLLER_VERSION> \
--version 2.4.0 \
--namespace <YOUR_RELEASE_NAMESPACE> \
<YOUR_RELEASE_NAME> kong/kong
```
Second, temporarily disable the ingress controller:
```console
$ helm upgrade --wait \
helm upgrade --wait \
--set ingressController.enabled=false \
--set deployment.serviceaccount.create=true \
--version 2.4.0 \
--namespace <YOUR_RELEASE_NAMESPACE> \
<YOUR_RELEASE_NAME> kong/kong
```
Finally, re-enable the ingress controller at the new version:
```console
$ helm upgrade --wait \
helm upgrade --wait \
--set ingressController.enabled=true \
--set ingressController.image.tag=<NEW_CONTROLLER_VERSION> \
--version 2.4.0 \

4
build_system/charts/open-appsec-kong/ci/single-image-default-values.yaml
View File

@ -2,7 +2,7 @@
# use single image strings instead of repository/tag
image:
unifiedRepoTag: kong:3.4
unifiedRepoTag: kong:3.4.1
env:
anonymous_reports: "off"
@ -10,4 +10,4 @@ ingressController:
env:
anonymous_reports: "false"
image:
unifiedRepoTag: kong/kubernetes-ingress-controller:2.12
unifiedRepoTag: kong/kubernetes-ingress-controller:3.0

3
build_system/charts/open-appsec-kong/ci/test2-values.yaml
View File

@ -45,9 +45,6 @@ proxy:
parameters:
- ssl
# - PDB is enabled
podDisruptionBudget:
enabled: true
# update strategy
updateStrategy:
type: "RollingUpdate"

3
build_system/charts/open-appsec-kong/ci/test5-values.yaml
View File

@ -37,9 +37,6 @@ proxy:
annotations: {}
path: /
# - PDB is enabled
podDisruptionBudget:
enabled: true
# update strategy
updateStrategy:
type: "RollingUpdate"

394
build_system/charts/open-appsec-kong/crds/custom-resource-definitions.yaml
View File

@ -1,4 +1,4 @@
# generated using: kubectl kustomize 'github.com/kong/kubernetes-ingress-controller/config/crd?ref=v2.12.0'
# generated using: kubectl kustomize 'github.com/kong/kubernetes-ingress-controller/config/crd?ref=v3.0.0'
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
@ -773,7 +773,9 @@ spec:
`Services` can be a target, OR `Endpoints` can be targets).
properties:
algorithm:
description: Algorithm is the load balancing algorithm to use.
description: 'Algorithm is the load balancing algorithm to use. Accepted
values are: "round-robin", "consistent-hashing", "least-connections",
"latency".'
enum:
- round-robin
- consistent-hashing
@ -945,6 +947,13 @@ spec:
type: integer
type: object
type: object
x-kubernetes-validations:
- message: '''proxy'' field is no longer supported, use Service''s annotations
instead'
rule: '!has(self.proxy)'
- message: '''route'' field is no longer supported, use Ingress'' annotations
instead'
rule: '!has(self.route)'
served: true
storage: true
subresources:
@ -1198,6 +1207,387 @@ spec:
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.13.0
labels:
gateway.networking.k8s.io/policy: direct
name: kongupstreampolicies.configuration.konghq.com
spec:
group: configuration.konghq.com
names:
categories:
- kong-ingress-controller
kind: KongUpstreamPolicy
listKind: KongUpstreamPolicyList
plural: kongupstreampolicies
shortNames:
- kup
singular: kongupstreampolicy
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: "KongUpstreamPolicy allows configuring algorithm that should
be used for load balancing traffic between Kong Upstream's Targets. It also
allows configuring health checks for Kong Upstream's Targets. \n Its configuration
is similar to Kong Upstream object (https://docs.konghq.com/gateway/latest/admin-api/#upstream-object),
and it is applied to Kong Upstream objects created by the controller. \n
It can be attached to Services. To attach it to a Service, it has to be
annotated with `konghq.com/upstream-policy: <name>`, where `<name>` is the
name of the KongUpstreamPolicy object in the same namespace as the Service.
\n When attached to a Service, it will affect all Kong Upstreams created
for the Service. \n When attached to a Service used in a Gateway API *Route
rule with multiple BackendRefs, all of its Services MUST be configured with
the same KongUpstreamPolicy. Otherwise, the controller will *ignore* the
KongUpstreamPolicy. \n Note: KongUpstreamPolicy doesn't implement Gateway
API's GEP-713 strictly. In particular, it doesn't use the TargetRef for
attaching to Services and Gateway API *Routes - annotations are used instead.
This is to allow reusing the same KongUpstreamPolicy for multiple Services
and Gateway API *Routes."
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec contains the configuration of the Kong upstream.
properties:
algorithm:
description: 'Algorithm is the load balancing algorithm to use. Accepted
values are: "round-robin", "consistent-hashing", "least-connections",
"latency".'
enum:
- round-robin
- consistent-hashing
- least-connections
- latency
type: string
hashOn:
description: HashOn defines how to calculate hash for consistent-hashing
load balancing algorithm. Algorithm must be set to "consistent-hashing"
for this field to have effect.
properties:
cookie:
description: Cookie is the name of the cookie to use as hash input.
type: string
cookiePath:
description: CookiePath is cookie path to set in the response
headers.
type: string
header:
description: Header is the name of the header to use as hash input.
type: string
input:
description: Input allows using one of the predefined inputs (ip,
consumer, path). For other parametrized inputs, use one of the
fields below.
enum:
- ip
- consumer
- path
type: string
queryArg:
description: QueryArg is the name of the query argument to use
as hash input.
type: string
uriCapture:
description: URICapture is the name of the URI capture group to
use as hash input.
type: string
type: object
hashOnFallback:
description: HashOnFallback defines how to calculate hash for consistent-hashing
load balancing algorithm if the primary hash function fails. Algorithm
must be set to "consistent-hashing" for this field to have effect.
properties:
cookie:
description: Cookie is the name of the cookie to use as hash input.
type: string
cookiePath:
description: CookiePath is cookie path to set in the response
headers.
type: string
header:
description: Header is the name of the header to use as hash input.
type: string
input:
description: Input allows using one of the predefined inputs (ip,
consumer, path). For other parametrized inputs, use one of the
fields below.
enum:
- ip
- consumer
- path
type: string
queryArg:
description: QueryArg is the name of the query argument to use
as hash input.
type: string
uriCapture:
description: URICapture is the name of the URI capture group to
use as hash input.
type: string
type: object
healthchecks:
description: Healthchecks defines the health check configurations
in Kong.
properties:
active:
description: Active configures active health check probing.
properties:
concurrency:
description: Concurrency is the number of targets to check
concurrently.
minimum: 1
type: integer
headers:
additionalProperties:
items:
type: string
type: array
description: Headers is a list of HTTP headers to add to the
probe request.
type: object
healthy:
description: Healthy configures thresholds and HTTP status
codes to mark targets healthy for an upstream.
properties:
httpStatuses:
description: HTTPStatuses is a list of HTTP status codes
that Kong considers a success.
items:
description: HTTPStatus is an HTTP status code.
maximum: 599
minimum: 100
type: integer
type: array
interval:
description: Interval is the interval between active health
checks for an upstream in seconds when in a healthy
state.
minimum: 0
type: integer
successes:
description: Successes is the number of successes to consider
a target healthy.
minimum: 0
type: integer
type: object
httpPath:
description: HTTPPath is the path to use in GET HTTP request
to run as a probe.
pattern: ^/.*$
type: string
httpsSni:
description: HTTPSSNI is the SNI to use in GET HTTPS request
to run as a probe.
type: string
httpsVerifyCertificate:
description: HTTPSVerifyCertificate is a boolean value that
indicates if the certificate should be verified.
type: boolean
timeout:
description: Timeout is the probe timeout in seconds.
minimum: 0
type: integer
type:
description: Type determines whether to perform active health
checks using HTTP or HTTPS, or just attempt a TCP connection.
Accepted values are "http", "https", "tcp", "grpc", "grpcs".
enum:
- http
- https
- tcp
- grpc
- grpcs
type: string
unhealthy:
description: Unhealthy configures thresholds and HTTP status
codes to mark targets unhealthy for an upstream.
properties:
httpFailures:
description: HTTPFailures is the number of failures to
consider a target unhealthy.
minimum: 0
type: integer
httpStatuses:
description: HTTPStatuses is a list of HTTP status codes
that Kong considers a failure.
items:
description: HTTPStatus is an HTTP status code.
maximum: 599
minimum: 100
type: integer
type: array
interval:
description: Interval is the interval between active health
checks for an upstream in seconds when in an unhealthy
state.
minimum: 0
type: integer
tcpFailures:
description: TCPFailures is the number of TCP failures
in a row to consider a target unhealthy.
minimum: 0
type: integer
timeouts:
description: Timeouts is the number of timeouts in a row
to consider a target unhealthy.
minimum: 0
type: integer
type: object
type: object
passive:
description: Passive configures passive health check probing.
properties:
healthy:
description: Healthy configures thresholds and HTTP status
codes to mark targets healthy for an upstream.
properties:
httpStatuses:
description: HTTPStatuses is a list of HTTP status codes
that Kong considers a success.
items:
description: HTTPStatus is an HTTP status code.
maximum: 599
minimum: 100
type: integer
type: array
interval:
description: Interval is the interval between active health
checks for an upstream in seconds when in a healthy
state.
minimum: 0
type: integer
successes:
description: Successes is the number of successes to consider
a target healthy.
minimum: 0
type: integer
type: object
type:
description: Type determines whether to perform passive health
checks interpreting HTTP/HTTPS statuses, or just check for
TCP connection success. Accepted values are "http", "https",
"tcp", "grpc", "grpcs".
enum:
- http
- https
- tcp
- grpc
- grpcs
type: string
unhealthy:
description: Unhealthy configures thresholds and HTTP status
codes to mark targets unhealthy.
properties:
httpFailures:
description: HTTPFailures is the number of failures to
consider a target unhealthy.
minimum: 0
type: integer
httpStatuses:
description: HTTPStatuses is a list of HTTP status codes
that Kong considers a failure.
items:
description: HTTPStatus is an HTTP status code.
maximum: 599
minimum: 100
type: integer
type: array
interval:
description: Interval is the interval between active health
checks for an upstream in seconds when in an unhealthy
state.
minimum: 0
type: integer
tcpFailures:
description: TCPFailures is the number of TCP failures
in a row to consider a target unhealthy.
minimum: 0
type: integer
timeouts:
description: Timeouts is the number of timeouts in a row
to consider a target unhealthy.
minimum: 0
type: integer
type: object
type: object
threshold:
description: Threshold is the minimum percentage of the upstreams
targets weight that must be available for the whole upstream
to be considered healthy.
type: integer
type: object
slots:
description: Slots is the number of slots in the load balancer algorithm.
If not set, the default value in Kong for the algorithm is used.
maximum: 65536
minimum: 10
type: integer
type: object
type: object
x-kubernetes-validations:
- message: Only one of spec.hashOn.(input|cookie|header|uriCapture|queryArg)
can be set.
rule: 'has(self.spec.hashOn) ? [has(self.spec.hashOn.input), has(self.spec.hashOn.cookie),
has(self.spec.hashOn.header), has(self.spec.hashOn.uriCapture), has(self.spec.hashOn.queryArg)].filter(fieldSet,
fieldSet == true).size() <= 1 : true'
- message: When spec.hashOn.cookie is set, spec.hashOn.cookiePath is required.
rule: 'has(self.spec.hashOn) && has(self.spec.hashOn.cookie) ? has(self.spec.hashOn.cookiePath)
: true'
- message: When spec.hashOn.cookiePath is set, spec.hashOn.cookie is required.
rule: 'has(self.spec.hashOn) && has(self.spec.hashOn.cookiePath) ? has(self.spec.hashOn.cookie)
: true'
- message: spec.algorithm must be set to "consistent-hashing" when spec.hashOn
is set.
rule: 'has(self.spec.hashOn) ? has(self.spec.algorithm) && self.spec.algorithm
== "consistent-hashing" : true'
- message: Only one of spec.hashOnFallback.(input|header|uriCapture|queryArg)
can be set.
rule: 'has(self.spec.hashOnFallback) ? [has(self.spec.hashOnFallback.input),
has(self.spec.hashOnFallback.header), has(self.spec.hashOnFallback.uriCapture),
has(self.spec.hashOnFallback.queryArg)].filter(fieldSet, fieldSet == true).size()
<= 1 : true'
- message: spec.algorithm must be set to "consistent-hashing" when spec.hashOnFallback
is set.
rule: 'has(self.spec.hashOnFallback) ? has(self.spec.algorithm) && self.spec.algorithm
== "consistent-hashing" : true'
- message: spec.hashOnFallback.cookie must not be set.
rule: 'has(self.spec.hashOnFallback) ? !has(self.spec.hashOnFallback.cookie)
: true'
- message: spec.hashOnFallback.cookiePath must not be set.
rule: 'has(self.spec.hashOnFallback) ? !has(self.spec.hashOnFallback.cookiePath)
: true'
- message: spec.healthchecks.passive.healthy.interval must not be set.
rule: 'has(self.spec.healthchecks) && has(self.spec.healthchecks.passive)
&& has(self.spec.healthchecks.passive.healthy) ? !has(self.spec.healthchecks.passive.healthy.interval)
: true'
- message: spec.healthchecks.passive.unhealthy.interval must not be set.
rule: 'has(self.spec.healthchecks) && has(self.spec.healthchecks.passive)
&& has(self.spec.healthchecks.passive.unhealthy) ? !has(self.spec.healthchecks.passive.unhealthy.interval)
: true'
- message: spec.hashOnFallback must not be set when spec.hashOn.cookie is
set.
rule: 'has(self.spec.hashOn) && has(self.spec.hashOn.cookie) ? !has(self.spec.hashOnFallback)
: true'
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.13.0

7
build_system/charts/open-appsec-kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml
View File

@ -9,7 +9,6 @@ admin:
konghq.com/https-redirect-status-code: "301"
konghq.com/protocols: https
konghq.com/strip-path: "true"
kubernetes.io/ingress.class: default
nginx.ingress.kubernetes.io/app-root: /
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/permanent-redirect-code: "301"
@ -176,8 +175,8 @@ manager:
ingress:
annotations:
konghq.com/https-redirect-status-code: "301"
kubernetes.io/ingress.class: default
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
ingressClassName: kong
enabled: true
hostname: kong.127-0-0-1.nip.io
path: /
@ -209,7 +208,7 @@ portal:
konghq.com/https-redirect-status-code: "301"
konghq.com/protocols: https
konghq.com/strip-path: "false"
kubernetes.io/ingress.class: default
ingressClassName: kong
enabled: true
hostname: developer.127-0-0-1.nip.io
path: /
@ -232,8 +231,8 @@ portalapi:
konghq.com/https-redirect-status-code: "301"
konghq.com/protocols: https
konghq.com/strip-path: "true"
kubernetes.io/ingress.class: default
nginx.ingress.kubernetes.io/app-root: /
ingressClassName: kong
enabled: true
hostname: developer.127-0-0-1.nip.io
path: /api

9
build_system/charts/open-appsec-kong/example-values/full-k4k8s-with-kong-enterprise.yaml
View File

@ -40,8 +40,7 @@ admin:
enabled: true
tls: CHANGEME-admin-tls-secret
hostname: admin.kong.CHANGEME.example
annotations:
kubernetes.io/ingress.class: "kong"
ingressClassName: kong
path: /
proxy:
@ -148,8 +147,7 @@ portal:
enabled: true
tls: CHANGEME-portal-tls-secret
hostname: portal.kong.CHANGEME.example
annotations:
kubernetes.io/ingress.class: "kong"
ingressClassName: kong
path: /
externalIPs: []
@ -177,8 +175,7 @@ portalapi:
enabled: true
tls: CHANGEME-portalapi-tls-secret
hostname: portalapi.kong.CHANGEME.example
annotations:
kubernetes.io/ingress.class: "kong"
ingressClassName: kong
path: /
externalIPs: []

38
build_system/charts/open-appsec-kong/templates/_helpers.tpl
View File

@ -447,14 +447,28 @@ The name of the service used for the ingress controller's validation webhook
{{ include "kong.fullname" . }}-validation-webhook
{{- end -}}
{{/*
The name of the Service which will be used by the controller to update the Ingress status field.
*/}}
{{- define "kong.controller-publish-service" -}}
{{- $proxyOverride := "" -}}
{{- if .Values.proxy.nameOverride -}}
{{- $proxyOverride = ( tpl .Values.proxy.nameOverride . ) -}}
{{- end -}}
{{- (printf "%s/%s" ( include "kong.namespace" . ) ( default ( printf "%s-proxy" (include "kong.fullname" . )) $proxyOverride )) -}}
{{- end -}}
{{- define "kong.ingressController.env" -}}
{{/*
====== AUTO-GENERATED ENVIRONMENT VARIABLES ======
*/}}
{{- $autoEnv := dict -}}
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY" true -}}
{{- $_ := set $autoEnv "CONTROLLER_PUBLISH_SERVICE" (printf "%s/%s" ( include "kong.namespace" . ) ( .Values.proxy.nameOverride | default ( printf "%s-proxy" (include "kong.fullname" . )))) -}}
{{- $_ := set $autoEnv "CONTROLLER_PUBLISH_SERVICE" ( include "kong.controller-publish-service" . ) -}}
{{- $_ := set $autoEnv "CONTROLLER_INGRESS_CLASS" .Values.ingressController.ingressClass -}}
{{- $_ := set $autoEnv "CONTROLLER_ELECTION_ID" (printf "kong-ingress-controller-leader-%s" .Values.ingressController.ingressClass) -}}
@ -1253,6 +1267,24 @@ resource roles into their separate templates.
- namespaces
verbs:
- list
{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies/status
verbs:
- get
- patch
- update
{{- end }}
{{- if (semverCompare ">= 2.11.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
- apiGroups:
- configuration.konghq.com
@ -1429,7 +1461,7 @@ resource roles into their separate templates.
- get
- patch
- update
{{- if or (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1alpha2") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1") }}
{{- if or (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1alpha2") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1")}}
- apiGroups:
- gateway.networking.k8s.io
resources:
@ -1620,7 +1652,7 @@ Kubernetes Cluster-scoped resources it uses to build Kong configuration.
- list
- watch
{{- end }}
{{- if or (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1alpha2") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1") }}
{{- if or (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1alpha2") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1")}}
- apiGroups:
- gateway.networking.k8s.io
resources:

7
build_system/charts/open-appsec-kong/templates/admission-webhook.yaml
View File

@ -80,9 +80,15 @@ webhooks:
apiVersions:
- 'v1'
operations:
{{- if (semverCompare ">= 2.12.1" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
- CREATE
{{- end }}
- UPDATE
resources:
- secrets
{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
- services
{{- end }}
{{- if (semverCompare ">= 2.12.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
- apiGroups:
- networking.k8s.io
@ -98,6 +104,7 @@ webhooks:
apiVersions:
- 'v1alpha2'
- 'v1beta1'
- 'v1'
operations:
- CREATE
- UPDATE

3
build_system/charts/open-appsec-kong/templates/appsec.yaml
View File

@ -70,6 +70,9 @@ spec:
{{ include "kong.renderTpl" (dict "value" .Values.podLabels "context" $) | nindent 8 }}
{{- end }}
spec:
{{- if .Values.deployment.hostname }}
hostname: {{ .Values.deployment.hostname }}
{{- end }}
{{- if .Values.deployment.hostNetwork }}
hostNetwork: true
{{- end }}

3
build_system/charts/open-appsec-kong/templates/deployment.yaml
View File

@ -63,6 +63,9 @@ spec:
{{ include "kong.renderTpl" (dict "value" .Values.podLabels "context" $) | nindent 8 }}
{{- end }}
spec:
{{- if .Values.deployment.hostname }}
hostname: {{ .Values.deployment.hostname }}
{{- end }}
{{- if .Values.deployment.hostNetwork }}
hostNetwork: true
{{- end }}

6
build_system/charts/open-appsec-kong/templates/pdb.yaml
View File

@ -1,4 +1,10 @@
{{- if .Values.podDisruptionBudget.enabled }}
{{- if and (not .Values.autoscaling.enabled) (le (int .Values.replicaCount) 1) }}
{{- fail "Enabling PodDisruptionBudget with replicaCount: 1 and no autoscaling prevents pod restarts during upgrades" }}
{{- end }}
{{- if and .Values.autoscaling.enabled (le (int .Values.autoscaling.minReplicas) 1) }}
{{- fail "Enabling PodDisruptionBudget with autoscaling.minReplicas: 1 prevents pod restarts during upgrades" }}
{{- end }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:

2
build_system/charts/open-appsec-kong/templates/servicemonitor.yaml
View File

@ -24,7 +24,7 @@ spec:
{{- if .Values.serviceMonitor.metricRelabelings }}
metricRelabelings: {{ toYaml .Values.serviceMonitor.metricRelabelings | nindent 6 }}
{{- end }}
{{ if (semverCompare ">= 2.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) -}}
{{- if and .Values.ingressController.enabled (semverCompare ">= 2.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
- targetPort: cmetrics
scheme: http
{{- if .Values.serviceMonitor.interval }}

8
build_system/charts/open-appsec-kong/templates/tests/test-resources.yaml
View File

@ -32,9 +32,9 @@ metadata:
name: "{{ .Release.Name }}-httpbin"
annotations:
httpbin.ingress.kubernetes.io/rewrite-target: /
kubernetes.io/ingress.class: "kong"
konghq.com/strip-path: "true"
spec:
ingressClassName: kong
rules:
- http:
paths:
@ -46,14 +46,14 @@ spec:
port:
number: 80
---
apiVersion: gateway.networking.k8s.io/v1alpha2
apiVersion: gateway.networking.k8s.io/v1beta1
kind: GatewayClass
metadata:
name: "{{ .Release.Name }}-kong-test"
spec:
controllerName: konghq.com/kic-gateway-controller
---
apiVersion: gateway.networking.k8s.io/v1alpha2
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
name: "{{ .Release.Name }}-kong-test"
@ -66,7 +66,7 @@ spec:
protocol: HTTP
port: 80
---
apiVersion: gateway.networking.k8s.io/v1alpha2
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
name: "{{ .Release.Name }}-httpbin"

23
build_system/charts/open-appsec-kong/values.yaml
View File

@ -60,6 +60,11 @@ deployment:
# Use a DaemonSet controller instead of a Deployment controller
daemonset: false
hostNetwork: false
# Set the Deployment's spec.template.hostname field.
# This propagates to Kong API endpoints that report
# the hostname, such as the admin API root and hybrid mode
# /clustering/data-planes endpoint
hostname: ""
# kong_prefix empty dir size
prefixDir:
sizeLimit: 256Mi
@ -510,13 +515,13 @@ dblessConfig:
# -----------------------------------------------------------------------------
# Kong Ingress Controller's primary purpose is to satisfy Ingress resources
# created in k8s. It uses CRDs for more fine grained control over routing and
# created in k8s. It uses CRDs for more fine grained control over routing and
# for Kong specific configuration.
ingressController:
enabled: true
image:
repository: kong/kubernetes-ingress-controller
tag: "2.12"
tag: "3.0"
# Optionally set a semantic version for version-gated features. This can normally
# be left unset. You only need to set this if your tag is not a semver string,
# such as when you are using a "next" tag. Set this to the effective semantic
@ -948,6 +953,14 @@ securityContext: {}
# securityContext for containers.
containerSecurityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsUser: 1000
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
## Optional DNS configuration for Kong pods
# dnsPolicy: ClusterFirst
@ -968,7 +981,7 @@ serviceMonitor:
# If you wish to gather metrics from a Kong instance with the proxy disabled (such as a hybrid control plane), see:
# https://github.com/Kong/charts/blob/main/charts/kong/README.md#prometheus-operator-integration
enabled: false
# interval: 10s
# interval: 30s
# Specifies namespace, where ServiceMonitor should be installed
# namespace: monitoring
# labels:
@ -1234,7 +1247,7 @@ appsec:
#registry:
repository: ghcr.io/openappsec
image: "agent"
tag: "1.1.0"
tag: "1.1.1"
pullPolicy: Always
securityContext:
@ -1248,7 +1261,7 @@ appsec:
kong:
image:
repository: "ghcr.io/openappsec/kong-attachment"
tag: "1.1.0"
tag: "1.1.1"
configMapName: appsec-settings-configmap
configMapContent:
crowdsec: