From edd357f29734c15bb72ed2955bf663bdc10677ca Mon Sep 17 00:00:00 2001 
From: noam Date: Mon, 24 Jul 2023 17:24:40 +0300 Subject: [PATCH] Update charts --- .../open-appsec-k8s-nginx-ingress/Chart.yaml | 11 +- .../open-appsec-k8s-nginx-ingress/README.md | 52 ++++--- .../README.md.gotmpl | 16 +- .../changelog/Changelog-4.7.0.md | 14 ++ .../changelog/Changelog-4.7.1.md | 12 ++ .../templates/_helpers.tpl | 6 +- .../templates/appsec-learning-pvc.yaml | 2 + .../templates/appsec-pvc.yaml | 2 +- .../templates/appsec-settings-configmap.yaml | 32 ++++ .../templates/appsec-settings-secret.yaml | 12 ++ ...ontroller-statefulset.yaml => appsec.yaml} | 60 +++++++- .../templates/controller-daemonset.yaml | 18 ++- .../templates/controller-deployment.yaml | 64 +------- .../templates/controller-hpa.yaml | 11 +- .../templates/controller-keda.yaml | 5 + .../controller-poddisruptionbudget.yaml | 5 +- .../templates/controller-service.yaml | 3 + .../templates/default-backend-hpa.yaml | 41 +++--- .../templates/learning-deployment.yaml | 2 + .../templates/learning-services.yaml | 2 + .../open-appsec-k8s-nginx-ingress/values.yaml | 78 ++++++---- .../charts/open-appsec-kong/CHANGELOG.md | 44 +++++- .../charts/open-appsec-kong/Chart.yaml | 4 +- .../charts/open-appsec-kong/README.md | 11 +- .../ci/admin-api-service-clusterip.yaml | 6 + .../ci/kong-ingress-1-values.yaml | 16 ++ .../ci/kong-ingress-2-values.yaml | 17 +++ .../ci/kong-ingress-3-values.yaml | 10 ++ .../ci/kong-ingress-4-values.yaml | 43 ++++++ .../open-appsec-kong/ci/test1-values.yaml | 3 - .../quickstart-enterprise-licensed-aio.yaml | 10 +- .../full-k4k8s-with-kong-enterprise.yaml | 2 +- .../minimal-k4k8s-with-kong-enterprise.yaml | 2 +- .../minimal-kong-controller.yaml | 2 +- .../minimal-kong-enterprise-dbless.yaml | 2 +- ...inimal-kong-enterprise-hybrid-control.yaml | 2 +- .../minimal-kong-enterprise-hybrid-data.yaml | 3 +- .../minimal-kong-hybrid-control.yaml | 2 +- .../minimal-kong-hybrid-data.yaml | 2 +- .../minimal-kong-standalone.yaml | 2 +- .../open-appsec-kong/templates/_helpers.tpl | 137 
++++++++++++++---- .../templates/appsec-learning-pvc.yaml | 2 + .../templates/appsec-pvc.yaml | 2 +- .../templates/appsec-settings-configmap.yaml | 32 ++++ .../templates/appsec-settings-secret.yaml | 12 ++ .../open-appsec-kong/templates/appsec.yaml | 54 +++++-- .../templates/deployment.yaml | 6 +- .../templates/ingress-class.yaml | 2 +- .../templates/learning-deployment.yaml | 2 + .../templates/learning-services.yaml | 2 + .../open-appsec-kong/templates/psp.yaml | 4 +- .../templates/service-kong-proxy.yaml | 1 - .../charts/open-appsec-kong/values.yaml | 71 +++++++-- 53 files changed, 707 insertions(+), 251 deletions(-) create mode 100644 build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.7.0.md create mode 100644 build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.7.1.md create mode 100644 build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec-settings-configmap.yaml create mode 100644 build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec-settings-secret.yaml rename build_system/charts/open-appsec-k8s-nginx-ingress/templates/{controller-statefulset.yaml => appsec.yaml} (84%) create mode 100644 build_system/charts/open-appsec-kong/ci/admin-api-service-clusterip.yaml create mode 100644 build_system/charts/open-appsec-kong/ci/kong-ingress-1-values.yaml create mode 100644 build_system/charts/open-appsec-kong/ci/kong-ingress-2-values.yaml create mode 100644 build_system/charts/open-appsec-kong/ci/kong-ingress-3-values.yaml create mode 100644 build_system/charts/open-appsec-kong/ci/kong-ingress-4-values.yaml create mode 100644 build_system/charts/open-appsec-kong/templates/appsec-settings-configmap.yaml create mode 100644 build_system/charts/open-appsec-kong/templates/appsec-settings-secret.yaml diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/Chart.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/Chart.yaml index 7695ccf..d9067d7 100644 
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/Chart.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/Chart.yaml @@ -1,11 +1,12 @@ annotations: artifacthub.io/changes: | - - "[helm] Support custom port configuration for internal service (#9846)" - - "Adding resource type to default HPA configuration to resolve issues with Terraform helm chart usage (#9803)" - - "Update Ingress-Nginx version controller-v1.7.1" + - "Added a doc line to the missing helm value service.internal.loadBalancerIP (#9406)" + - "feat(helm): Add loadBalancerClass (#9562)" + - "added helmshowvalues example (#10019)" + - "Update Ingress-Nginx version controller-v1.8.1" artifacthub.io/prerelease: "false" apiVersion: v2 -appVersion: 1.7.1 +appVersion: 1.8.1 keywords: - ingress - nginx @@ -13,4 +14,4 @@ kubeVersion: '>=1.20.0-0' name: open-appsec-k8s-nginx-ingress sources: - https://github.com/kubernetes/ingress-nginx -version: 4.6.1 +version: 4.7.1 diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/README.md b/build_system/charts/open-appsec-k8s-nginx-ingress/README.md index 108a509..9550918 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/README.md +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/README.md @@ -2,7 +2,7 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.6.1](https://img.shields.io/badge/Version-4.6.1-informational?style=flat-square) ![AppVersion: 1.7.1](https://img.shields.io/badge/AppVersion-1.7.1-informational?style=flat-square) +![Version: 4.7.1](https://img.shields.io/badge/Version-4.7.1-informational?style=flat-square) ![AppVersion: 1.8.1](https://img.shields.io/badge/AppVersion-1.8.1-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. 
@@ -79,14 +79,14 @@ else it would make it impossible to evacuate a node. See [gh issue #7127](https: ### Prometheus Metrics -The Nginx ingress controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`. +The Ingress-Nginx Controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`. You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`. Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`. And set `controller.metrics.serviceMonitor.additionalLabels.release="prometheus"`. "release=prometheus" should match the label configured in the prometheus servicemonitor ( see `kubectl get servicemonitor prometheus-kube-prom-prometheus -oyaml -n prometheus`) ### ingress-nginx nginx\_status page/stats server -Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in nginx ingress controller: +Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in Ingress-Nginx Controller: - In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed - In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost. @@ -143,8 +143,10 @@ controller: internal: enabled: true annotations: - # Create internal ELB - service.beta.kubernetes.io/aws-load-balancer-internal: "true" + # Create internal NLB + service.beta.kubernetes.io/aws-load-balancer-scheme: "internal" + # Create internal ELB(Deprecated) + # service.beta.kubernetes.io/aws-load-balancer-internal: "true" # Any other annotation can be declared here. ``` 
@@ -187,13 +189,15 @@ controller: # Any other annotation can be declared here. ``` +The load balancer annotations of more cloud service providers can be found: [Internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer). + An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object. Optionally you can set `controller.service.loadBalancerIP` if you need a static IP for the resulting `LoadBalancer`. ### Ingress Admission Webhooks -With nginx-ingress-controller version 0.25+, the nginx ingress controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster. +With nginx-ingress-controller version 0.25+, the Ingress-Nginx Controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster. **This feature is enabled by default since 0.31.0.** With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521) 
@@ -202,7 +206,7 @@ With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fi A validating and configuration requires the endpoint to which the request is sent to use TLS. It is possible to set up custom certificates to do this, but in most cases, a self-signed certificate is enough. The setup of this component requires some more complex orchestration when using helm. The steps are created to be idempotent and to allow turning the feature on and off without running into helm quirks. 1. A pre-install hook provisions a certificate into the same namespace using a format compatible with provisioning using end user certificates. If the certificate already exists, the hook exits. -2. The ingress nginx controller pod is configured to use a TLS proxy container, which will load that certificate. +2. The Ingress-Nginx Controller pod is configured to use a TLS proxy container, which will load that certificate. 3. Validating and Mutating webhook configurations are created in the cluster. 4. A post-install hook reads the CA from the secret created by step 1 and patches the Validating and Mutating webhook configurations. This process will allow a custom CA provisioned by some other process to also be patched into the webhook configurations. The chosen failure policy is also patched into the webhook configurations 
@@ -248,11 +252,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.admissionWebhooks.networkPolicyEnabled | bool | `false` | | | controller.admissionWebhooks.objectSelector | object | `{}` | | | controller.admissionWebhooks.patch.enabled | bool | `true` | | -| controller.admissionWebhooks.patch.image.digest | string | `"sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f"` | | +| controller.admissionWebhooks.patch.image.digest | string | `"sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b"` | | | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | | | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | | | controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | | -| controller.admissionWebhooks.patch.image.tag | string | `"v20230312-helm-chart-4.5.2-28-g66a760794"` | | +| controller.admissionWebhooks.patch.image.tag | string | `"v20230407"` | | | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources | | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | | | controller.admissionWebhooks.patch.podAnnotations | object | `{}` | | 
@@ -273,7 +277,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.allowSnippetAnnotations | bool | `true` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected | | controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # | | controller.autoscaling.annotations | object | `{}` | | -| controller.autoscaling.apiVersion | string | `"autoscaling/v2"` | | | controller.autoscaling.behavior | object | `{}` | | | controller.autoscaling.enabled | bool | `false` | | | controller.autoscaling.maxReplicas | int | `11` | | 
@@ -294,14 +297,14 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # | | controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-aware-hints="auto" Defaults to false | | controller.existingPsp | string | `""` | Use an existing PSP instead of creating one | -| controller.extraArgs | object | `{}` | Additional command line arguments to pass to nginx-ingress-controller E.g. to specify the default SSL certificate you can use | +| controller.extraArgs | object | `{}` | Additional command line arguments to pass to Ingress-Nginx Controller E.g. to specify the default SSL certificate you can use | | controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. | | controller.extraEnvs | list | `[]` | Additional environment variables to set | | controller.extraInitContainers | list | `[]` | Containers, which are run before the app containers are started. | | controller.extraModules | list | `[]` | Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module | | controller.extraVolumeMounts | list | `[]` | Additional volumeMounts to the controller main container. | | controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. | -| controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the ingress nginx controller is running in the `hostNetwork: true` mode. | +| controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. 
It is better to set this option to the internal node address if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode. | | controller.healthCheckPath | string | `"/healthz"` | Path of the health check endpoint. All requests received on the port defined by the healthz-port parameter are forwarded internally to this path. | | controller.hostNetwork | bool | `false` | Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 is merged | | controller.hostPort.enabled | bool | `false` | Enable 'hostPort' or not | 
@@ -310,13 +313,13 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.hostname | object | `{}` | Optionally customize the pod hostname. | | controller.image.allowPrivilegeEscalation | bool | `true` | | | controller.image.chroot | bool | `false` | | -| controller.image.digest | string | `"sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407"` | | -| controller.image.digestChroot | string | `"sha256:e35d5ab487861b9d419c570e3530589229224a0762c7b4d2e2222434abb8d988"` | | +| controller.image.digest | string | `"sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd"` | | +| controller.image.digestChroot | string | `"sha256:e0d4121e3c5e39de9122e55e331a32d5ebf8d4d257227cb93ab54a1b912a7627"` | | | controller.image.image | string | `"ingress-nginx/controller"` | | | controller.image.pullPolicy | string | `"IfNotPresent"` | | | controller.image.registry | string | `"registry.k8s.io"` | | | controller.image.runAsUser | int | `101` | | -| controller.image.tag | string | `"v1.7.1"` | | +| controller.image.tag | string | `"v1.8.1"` | | | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). | | controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass | 
@@ -353,7 +356,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.metrics.prometheusRule.enabled | bool | `false` | | | controller.metrics.prometheusRule.rules | list | `[]` | | | controller.metrics.service.annotations | object | `{}` | | -| controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available # Ref: https://kubernetes.io/docs/user-guide/services/#external-ips # | +| controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # | | controller.metrics.service.labels | object | `{}` | Labels to be added to the metrics service resource | | controller.metrics.service.loadBalancerSourceRanges | list | `[]` | | | controller.metrics.service.servicePort | int | `10254` | | 
@@ -366,13 +369,13 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.metrics.serviceMonitor.relabelings | list | `[]` | | | controller.metrics.serviceMonitor.scrapeInterval | string | `"30s"` | | | controller.metrics.serviceMonitor.targetLabels | list | `[]` | | -| controller.minAvailable | int | `1` | Define either 'minAvailable' or 'maxUnavailable', never both. | +| controller.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. | | controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | controller.name | string | `"controller"` | | -| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ # | +| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # | | controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | | | controller.opentelemetry.enabled | bool | `false` | | -| controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:40f766ac4a9832f36f217bb0e98d44c8d38faeccbfe861fbc1a76af7e9ab257f"` | | +| controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230527@sha256:fd7ec835f31b7b37187238eb4fdad4438806e69f413a203796263131f4f02ed0"` | | | controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # | | controller.podLabels | object | `{}` | Labels to add to the pod container metadata | | controller.podSecurityContext | object | `{}` | Security Context policies for controller pods | 
@@ -390,7 +393,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.readinessProbe.successThreshold | int | `1` | | | controller.readinessProbe.timeoutSeconds | int | `1` | | | controller.replicaCount | int | `1` | | -| controller.reportNodeInternalIp | bool | `false` | Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply | +| controller.reportNodeInternalIp | bool | `false` | Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network Ingress status was blank because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply | | controller.resources.requests.cpu | string | `"100m"` | | | controller.resources.requests.memory | string | `"90Mi"` | | | controller.scope.enabled | bool | `false` | Enable 'scope' or not | 
@@ -402,15 +405,17 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.service.enableHttps | bool | `true` | | | controller.service.enabled | bool | `true` | | | controller.service.external.enabled | bool | `true` | | -| controller.service.externalIPs | list | `[]` | List of IP addresses at which the controller services are available # Ref: https://kubernetes.io/docs/user-guide/services/#external-ips # | +| controller.service.externalIPs | list | `[]` | List of IP addresses at which the controller services are available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # | | controller.service.internal.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. | | controller.service.internal.enabled | bool | `false` | Enables an additional internal load balancer (besides the external one). | +| controller.service.internal.loadBalancerIP | string | `""` | Used by cloud providers to connect the resulting internal LoadBalancer to a pre-existing static IP. Make sure to add to the service the needed annotation to specify the subnet which the static IP belongs to. For instance, `networking.gke.io/internal-load-balancer-subnet` for GCP and `service.beta.kubernetes.io/aws-load-balancer-subnets` for AWS. | | controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. | | controller.service.internal.ports | object | `{}` | Custom port mapping for internal service | | controller.service.internal.targetPorts | object | `{}` | Custom target port mapping for internal service | | controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically based on cluster configuration and the ipFamilyPolicy field. 
# Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ | | controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack-ness requested or required by this Service. Possible values are SingleStack, PreferDualStack or RequireDualStack. The ipFamilies and clusterIPs fields depend on the value of this field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ | | controller.service.labels | object | `{}` | | +| controller.service.loadBalancerClass | string | `""` | Used by cloud providers to select a load balancer implementation other than the cloud provider default. https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class | | controller.service.loadBalancerIP | string | `""` | Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer | | controller.service.loadBalancerSourceRanges | list | `[]` | | | controller.service.nodePorts.http | string | `""` | | @@ -435,7 +440,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.watchIngressWithoutClass | bool | `false` | Process Ingress objects without ingressClass annotation/ingressClassName field Overrides value for --watch-ingress-without-class flag of the controller binary Defaults to false | | defaultBackend.affinity | object | `{}` | | | defaultBackend.autoscaling.annotations | object | `{}` | | -| defaultBackend.autoscaling.apiVersion | string | `"autoscaling/v2"` | | | defaultBackend.autoscaling.enabled | bool | `false` | | | defaultBackend.autoscaling.maxReplicas | int | `2` | | | defaultBackend.autoscaling.minReplicas | int | `1` | | 
@@ -465,7 +469,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | defaultBackend.minAvailable | int | `1` | | | defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | defaultBackend.name | string | `"defaultbackend"` | | -| defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ # | +| defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # | | defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # | | defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata | | defaultBackend.podSecurityContext | object | `{}` | Security Context policies for controller pods See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # | @@ -479,7 +483,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | defaultBackend.replicaCount | int | `1` | | | defaultBackend.resources | object | `{}` | | | defaultBackend.service.annotations | object | `{}` | | -| defaultBackend.service.externalIPs | list | `[]` | List of IP addresses at which the default backend service is available # Ref: https://kubernetes.io/docs/user-guide/services/#external-ips # | +| defaultBackend.service.externalIPs | list | `[]` | List of IP addresses at which the default backend service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # | | defaultBackend.service.loadBalancerSourceRanges | list | `[]` | | | defaultBackend.service.servicePort | int | `80` | | | defaultBackend.service.type | string | `"ClusterIP"` | | 
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/README.md.gotmpl b/build_system/charts/open-appsec-k8s-nginx-ingress/README.md.gotmpl index b3d35b6..17b029b 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/README.md.gotmpl +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/README.md.gotmpl @@ -76,14 +76,14 @@ else it would make it impossible to evacuate a node. See [gh issue #7127](https: ### Prometheus Metrics -The Nginx ingress controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`. +The Ingress-Nginx Controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`. You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`. Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`. And set `controller.metrics.serviceMonitor.additionalLabels.release="prometheus"`. "release=prometheus" should match the label configured in the prometheus servicemonitor ( see `kubectl get servicemonitor prometheus-kube-prom-prometheus -oyaml -n prometheus`) ### ingress-nginx nginx\_status page/stats server -Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in nginx ingress controller: +Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in Ingress-Nginx Controller: - In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed - In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost. 
@@ -140,8 +140,10 @@ controller: internal: enabled: true annotations: - # Create internal ELB - service.beta.kubernetes.io/aws-load-balancer-internal: "true" + # Create internal NLB + service.beta.kubernetes.io/aws-load-balancer-scheme: "internal" + # Create internal ELB(Deprecated) + # service.beta.kubernetes.io/aws-load-balancer-internal: "true" # Any other annotation can be declared here. ``` @@ -184,13 +186,15 @@ controller: # Any other annotation can be declared here. ``` +The load balancer annotations of more cloud service providers can be found: [Internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer). + An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object. Optionally you can set `controller.service.loadBalancerIP` if you need a static IP for the resulting `LoadBalancer`. ### Ingress Admission Webhooks -With nginx-ingress-controller version 0.25+, the nginx ingress controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster. +With nginx-ingress-controller version 0.25+, the Ingress-Nginx Controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster. **This feature is enabled by default since 0.31.0.** With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521) 
@@ -199,7 +203,7 @@ With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fi A validating and configuration requires the endpoint to which the request is sent to use TLS. It is possible to set up custom certificates to do this, but in most cases, a self-signed certificate is enough. The setup of this component requires some more complex orchestration when using helm. The steps are created to be idempotent and to allow turning the feature on and off without running into helm quirks. 1. A pre-install hook provisions a certificate into the same namespace using a format compatible with provisioning using end user certificates. If the certificate already exists, the hook exits. -2. The ingress nginx controller pod is configured to use a TLS proxy container, which will load that certificate. +2. The Ingress-Nginx Controller pod is configured to use a TLS proxy container, which will load that certificate. 3. Validating and Mutating webhook configurations are created in the cluster. 4. A post-install hook reads the CA from the secret created by step 1 and patches the Validating and Mutating webhook configurations. This process will allow a custom CA provisioned by some other process to also be patched into the webhook configurations. The chosen failure policy is also patched into the webhook configurations diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.7.0.md b/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.7.0.md new file mode 100644 index 0000000..7399da7 --- /dev/null +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.7.0.md 
@@ -0,0 +1,14 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.7.0 + +* helm: Fix opentelemetry module installation for daemonset (#9792) +* Update charts/* to keep project name display aligned (#9931) +* HPA: Use capabilites & align manifests. (#9521) +* PodDisruptionBudget spec logic update (#9904) +* add option for annotations in PodDisruptionBudget (#9843) +* Update Ingress-Nginx version controller-v1.8.0 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.6.1...helm-chart-4.7.0 diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.7.1.md b/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.7.1.md new file mode 100644 index 0000000..4d69a71 --- /dev/null +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.7.1.md @@ -0,0 +1,12 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.7.1 + +* Added a doc line to the missing helm value service.internal.loadBalancerIP (#9406) +* feat(helm): Add loadBalancerClass (#9562) +* added helmshowvalues example (#10019) +* Update Ingress-Nginx version controller-v1.8.1 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.0...helm-chart-4.7.1 diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/_helpers.tpl b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/_helpers.tpl index 7db5b2c..548e8cf 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/_helpers.tpl +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/_helpers.tpl 
@@ -201,8 +201,12 @@ Extra modules. - name: {{ .name }} image: {{ .image }} + {{- if .distroless | default false }} + command: ['/init_module'] + {{- else }} command: ['sh', '-c', '/usr/local/bin/init_module.sh'] - {{- if (.containerSecurityContext) }} + {{- end }} + {{- if .containerSecurityContext }} securityContext: {{ .containerSecurityContext | toYaml | nindent 4 }} {{- end }} volumeMounts: diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec-learning-pvc.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec-learning-pvc.yaml index 706049d..6d46c81 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec-learning-pvc.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec-learning-pvc.yaml @@ -1,3 +1,4 @@ +{{- if not (eq .Values.kind "Vanilla") -}} {{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.persistence.enabled true) -}} kind: PersistentVolumeClaim apiVersion: v1 @@ -18,3 +19,4 @@ spec: storageClassName: {{ required "A storage class for learning data is required" .Values.appsec.persistence.learning.storageClass.name }} {{- end -}} {{- end }} +{{- end }} diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec-pvc.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec-pvc.yaml index 3839dad..73abb55 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec-pvc.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec-pvc.yaml @@ -1,4 +1,4 @@ -{{- if (eq .Values.controller.kind "Deployment") -}} +{{- if (and (eq .Values.kind "AppSec") .Values.appsec.persistence.enabled) }} kind: PersistentVolumeClaim apiVersion: v1 metadata: diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec-settings-configmap.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec-settings-configmap.yaml new file mode 100644 index 0000000..b7c5eab 
--- /dev/null +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec-settings-configmap.yaml @@ -0,0 +1,32 @@ +{{- if not (eq .Values.kind "Vanilla") -}} +{{- if .Values.appsec.configMapContent }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Values.appsec.configMapName | default "appsec-settings-configmap" | quote }} +data: + {{- if .Values.appsec.configMapContent.crowdsec }} + CROWDSEC_ENABLED: {{ .Values.appsec.configMapContent.crowdsec.enabled | default "false" | quote }} + {{- if .Values.appsec.configMapContent.crowdsec.api }} + CROWDSEC_API_URL: {{ .Values.appsec.configMapContent.crowdsec.api.url | default "http://crowdsec-service:8080/v1/decisions/stream" }} + {{- else }} + CROWDSEC_API_URL: "http://crowdsec-service:8080/v1/decisions/stream" + {{- end }} + {{- if .Values.appsec.configMapContent.crowdsec.auth }} + CROWDSEC_AUTH_METHOD: {{ .Values.appsec.configMapContent.crowdsec.auth.method | default "apikey" }} + {{- else }} + CROWDSEC_AUTH_METHOD: "apikey" + {{- end }} + {{- if .Values.appsec.configMapContent.crowdsec.mode }} + CROWDSEC_MODE: {{ .Values.appsec.configMapContent.crowdsec.mode | default "prevent" }} + {{- else }} + CROWDSEC_MODE: "prevent" + {{- end }} + {{- if .Values.appsec.configMapContent.crowdsec.logging }} + CROWDSEC_LOGGING: {{ .Values.appsec.configMapContent.crowdsec.logging | default "enabled" }} + {{- else }} + CROWDSEC_LOGGING: "enabled" + {{- end }} + {{- end }} +{{- end }} +{{- end }} diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec-settings-secret.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec-settings-secret.yaml new file mode 100644 index 0000000..7fc1def --- /dev/null +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec-settings-secret.yaml 
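Review bot: The rendered ConfigMap values are quoted inconsistently — `CROWDSEC_ENABLED` goes through `| quote`, but `CROWDSEC_API_URL`, `CROWDSEC_AUTH_METHOD`, `CROWDSEC_MODE` and `CROWDSEC_LOGGING` are emitted as plain scalars, so a user value such as `logging: "off"` renders as `CROWDSEC_LOGGING: off`, is parsed as a boolean, and is rejected by the API server because ConfigMap `data` must be strings. Apply `| quote` to every value, e.g. `CROWDSEC_MODE: {{ .Values.appsec.configMapContent.crowdsec.mode | default "prevent" | quote }}`, which also lets the duplicated `if/else` branches collapse to a single line each. The `metadata` block lacks `namespace: {{ .Release.Namespace }}` and the chart labels that the other templates in this diff carry. The default API URL is plain `http://`, so whatever the agent presents for the `apikey` auth method presumably travels unencrypted inside the cluster; if that is intended, say so in the values.yaml comment.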
@@ -0,0 +1,12 @@ +{{- if not (eq .Values.kind "Vanilla") -}} +{{ if .Values.appsec.secretContent }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.appsec.secretName | default "appsec-settings-secret" | quote }} +data: + {{- if and .Values.appsec.secretContent.crowdsec .Values.appsec.secretContent.crowdsec.auth }} + CROWDSEC_AUTH_DATA: {{ .Values.appsec.secretContent.crowdsec.auth.data | b64enc }} + {{- end }} +{{ end }} +{{ end }} diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-statefulset.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec.yaml similarity index 84% rename from build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-statefulset.yaml rename to build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec.yaml index d1dc718..147692b 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-statefulset.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec.yaml @@ -1,6 +1,15 @@ -{{- if or (eq .Values.controller.kind "StatefulSet") (eq .Values.controller.kind "Both") -}} +{{- if (not (eq .Values.kind "Vanilla")) }} +{{- include "isControllerTagValid" . -}} apiVersion: apps/v1 +{{- if (eq .Values.kind "AppSec") }} +{{- if (eq .Values.controller.kind "DaemonSet") }} +kind: DaemonSet +{{- else }} +kind: Deployment +{{- end }} +{{- else if eq .Values.kind "AppSecStateful" }} kind: StatefulSet +{{- end }} metadata: labels: {{- include "ingress-nginx.labels" . | nindent 4 }} 
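Review bot: This Secret is rendered from `appsec.secretContent.crowdsec.auth.data`, whose chart default (in the values.yaml hunk later in this diff) is the placeholder `"00000000000000000000000000000000"`, so a default install creates a Secret holding a known dummy credential and anyone who enables CrowdSec without overriding it authenticates with it. Leave the default empty and fail fast when CrowdSec is on, e.g. `CROWDSEC_AUTH_DATA: {{ required "appsec.secretContent.crowdsec.auth.data is required when crowdsec is enabled" .Values.appsec.secretContent.crowdsec.auth.data | b64enc | quote }}` guarded by the `crowdsec.enabled` flag, or add an `existingSecret` value so the key never has to live in values.yaml. Also add `type: Opaque` and `namespace: {{ .Release.Namespace }}` for consistency with the other templates.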
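Review bot: Nothing validates `.Values.kind`: the outer guard renders this file for any value other than `Vanilla`, but the inner `if`/`else if` emits a `kind:` line only for `AppSec` and `AppSecStateful`, so a typo such as `kind: Appsec` produces a manifest with no `kind` — and controller-deployment.yaml, which now requires `Vanilla`, renders nothing either — so the install fails on a malformed manifest rather than on the bad value. Add a guard at the top of the template, e.g. `{{- if not (has .Values.kind (list "Vanilla" "AppSec" "AppSecStateful")) }}{{ fail (printf "unsupported .Values.kind %q" .Values.kind) }}{{ end }}`.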
@@ -19,15 +28,25 @@ spec: {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} app.kubernetes.io/component: controller {{- if not .Values.controller.autoscaling.enabled }} + {{- if eq .Values.kind "AppSecStateful" }} serviceName: "open-appsec-stateful-set" + {{- end }} + {{- if or (not (eq .Values.controller.kind "DaemonSet")) (and (eq .Values.kind "AppSecStateful") (eq .Values.controller.kind "DaemonSet")) }} replicas: {{ .Values.controller.replicaCount }} {{- end }} + {{- end }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} {{- if .Values.controller.updateStrategy }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} + updateStrategy: + {{- else }} strategy: + {{- end }} {{ toYaml .Values.controller.updateStrategy | nindent 4 }} {{- end }} - #minReadySeconds: {{ .Values.controller.minReadySeconds }} + {{- if (eq .Values.kind "AppSec") }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + {{- end }} template: metadata: {{- if .Values.controller.podAnnotations }} @@ -79,6 +98,10 @@ spec: - name: {{ .Values.appsec.name }} securityContext: {{ toYaml .Values.appsec.securityContext | nindent 12 }} + {{- $tag := .Values.appsec.image.tag }} + {{- if .Values.appsec.configMapContent.crowdsec.enabled }} + {{- $tag = "crowdsec-1.2314-rc1" }} + {{- end }} {{- with .Values.appsec.image }} image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}" {{- end }} @@ -106,6 +129,8 @@ spec: env: - name: user_email value: {{ .Values.appsec.userEmail }} + - name: registered_server + value: "NGINX Server" {{- if eq .Values.appsec.playground false }} - name: SHARED_STORAGE_HOST value: {{ .Values.appsec.storage.name }}-svc 
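Review bot: The CrowdSec tag override in the `@@ -79` hunk is dead code: `$tag` is set to `"crowdsec-1.2314-rc1"` when `configMapContent.crowdsec.enabled` is true, but the `image:` line inside `with .Values.appsec.image` still renders `.tag`, so the agent image silently keeps `appsec.image.tag`. Either use the variable, `{{ .image }}{{- if $tag }}:{{ $tag }}{{- end }}`, or drop the override and document the required tag in values.yaml; hard-coding a release-candidate tag in a template also bypasses the `@digest` pinning the same image line supports. The condition dereferences `.Values.appsec.configMapContent.crowdsec.enabled` with no nil check, so a user who removes `configMapContent` to bring their own ConfigMap gets a template error; `{{- if dig "crowdsec" "enabled" false (.Values.appsec.configMapContent | default dict) }}` avoids that. The container definition continues outside this hunk.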
@@ -115,20 +140,29 @@ spec: - name: PLAYGROUND value: "true" {{- end }} + envFrom: + - configMapRef: + name: {{ .Values.appsec.configMapName | default "appsec-settings-configmap" }} + - secretRef: + name: {{ .Values.appsec.secretName | default "appsec-settings-secret" }} resources: {{ toYaml .Values.resources | nindent 12 }} volumeMounts: - name: advanced-model mountPath: /advanced-model - {{- if .Values.appsec.persistence.enabled }} + {{- if (eq .Values.appsec.persistence.enabled true) }} - name: appsec-conf mountPath: /etc/cp/conf - name: appsec-data mountPath: /etc/cp/data {{- end }} - name: {{ .Values.controller.containerName }} - {{- with .Values.controller.image }} - image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}" + {{- $tag := .Values.appsec.nginx.image.tag }} + {{- if .Values.appsec.configMapContent.crowdsec.enabled }} + {{- $tag = "1.2303.1-rc1-v1.3.0" }} + {{- end }} + {{- with .Values.appsec.nginx.image }} + image: "{{ .repository }}:{{ .tag }}" {{- end }} imagePullPolicy: {{ .Values.controller.image.pullPolicy }} {{- if .Values.controller.lifecycle }} 
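Review bot: The nginx attachment image is now built as `"{{ .repository }}:{{ .tag }}"`, which drops the registry and `@digest` handling the replaced line had, so this container can no longer be pinned by digest even though the upstream controller image in this same chart is; with the default `tag: "latest"` every pod restart may pull different code. Restore digest support, e.g. `image: "{{ .repository }}:{{ .tag }}{{- if .digest }}@{{ .digest }}{{- end }}"`, and pin a digest in values.yaml. As in the agent container above, the `$tag` computed for the CrowdSec case is never used, and `imagePullPolicy` still reads `.Values.controller.image.pullPolicy` rather than a policy belonging to `appsec.nginx.image`. The new `envFrom` references are not `optional: true`, so a user who follows the values.yaml advice to delete `secretContent` must pre-create a Secret with the same name or the pod will not start; state that in the comment or mark the `secretRef` `optional: true`.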
@@ -240,7 +274,11 @@ spec: {{- end }} {{- if .Values.controller.opentelemetry.enabled}} {{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext) | nindent 8}} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} + {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext ) | nindent 8}} + {{ else }} + {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext "distroless" false) | nindent 8}} + {{- end }} {{- end}} {{- end }} {{- if .Values.controller.hostNetwork }} @@ -266,6 +304,14 @@ spec: configMap: name: advanced-model-config optional: true + {{- if (and (eq .Values.kind "AppSec") .Values.appsec.persistence.enabled) }} + - name: appsec-conf + persistentVolumeClaim: + claimName: {{ .Values.appsec.name }}-conf + - name: appsec-data + persistentVolumeClaim: + claimName: {{ .Values.appsec.name }}-data + {{- end }} {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}} - name: modules emptyDir: {} @@ -294,7 +340,7 @@ spec: {{ toYaml .Values.controller.extraVolumes | nindent 8 }} {{- end }} {{- end }} -{{- if .Values.appsec.persistence.enabled }} + {{- if (and (eq .Values.kind "AppSecStateful") .Values.appsec.persistence.enabled) }} volumeClaimTemplates: - metadata: name: appsec-conf diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-daemonset.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-daemonset.yaml index bce21a7..9435f9e 100644 
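Review bot: Both branches of the new DaemonSet/else conditional in the `@@ -240` hunk render the same thing — `extraModules` treats a missing `distroless` as `false` (see the `_helpers.tpl` change in this diff) and the else branch passes `"distroless" false` explicitly — so the `if` can be collapsed back to the single include. If the intent was to run the distroless `/init_module` binary for the DaemonSet case, the DaemonSet branch should pass `"distroless" true` instead. The `{{ else }}` also lacks the `-` trim the surrounding actions use, leaving stray whitespace in the rendered pod spec.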
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-daemonset.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-daemonset.yaml @@ -1,4 +1,4 @@ -{{- if or (eq .Values.controller.kind "DaemonSet") (eq .Values.controller.kind "Both") -}} +{{- if and (eq .Values.kind "Vanilla") (or (eq .Values.controller.kind "DaemonSet") (eq .Values.controller.kind "Both")) -}} {{- include "isControllerTagValid" . -}} apiVersion: apps/v1 kind: DaemonSet @@ -53,12 +53,12 @@ spec: imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }} {{- end }} {{- if .Values.controller.priorityClassName }} - priorityClassName: {{ .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName | quote }} {{- end }} {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }} securityContext: {{- end }} - {{- if .Values.controller.podSecurityContext }} + {{- if .Values.controller.podSecurityContext }} {{- toYaml .Values.controller.podSecurityContext | nindent 8 }} {{- end }} {{- if .Values.controller.sysctls }} @@ -143,11 +143,15 @@ spec: hostPort: {{ $key }} {{- end }} {{- end }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules) }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} volumeMounts: - {{- if .Values.controller.extraModules }} + {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} - name: modules + {{ if .Values.controller.image.chroot }} + mountPath: /chroot/modules_mount + {{ else }} mountPath: /modules_mount + {{ end }} {{- end }} {{- if .Values.controller.customTemplate.configMapName }} - mountPath: /etc/nginx/template 
@@ -169,9 +173,7 @@ spec: {{- if .Values.controller.extraContainers }} {{ toYaml .Values.controller.extraContainers | nindent 8 }} {{- end }} - - - {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }} + {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} initContainers: {{- if .Values.controller.extraInitContainers }} {{ toYaml .Values.controller.extraInitContainers | nindent 8 }} diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-deployment.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-deployment.yaml index fa87209..4ade7d1 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-deployment.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-deployment.yaml @@ -1,4 +1,4 @@ -{{- if or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both") -}} +{{- if and (eq .Values.kind "Vanilla") (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}} {{- include "isControllerTagValid" . -}} apiVersion: apps/v1 kind: Deployment 
@@ -76,59 +76,9 @@ spec: shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }} {{- end }} containers: - - name: {{ .Values.appsec.name }} - securityContext: - {{ toYaml .Values.appsec.securityContext | nindent 12 }} - {{- with .Values.appsec.image }} - image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}" - {{- end }} - command: - - {{ .Values.appsec.command }} - imagePullPolicy: {{ .Values.appsec.image.pullPolicy }} - args: - {{- if (eq "standalone" .Values.appsec.mode) }} - - --hybrid-mode - - --token - - cp-3fb5c718-5e39-47e6-8d5e-99b4bc5660b74b4b7fc8-5312-451d-a763-aaf7872703c0 - {{- else }} - - --token - - {{ .Values.appsec.agentToken }} - {{- end -}} - {{- if .Values.appsec.customFog.enabled }} - - --fog - - {{ .Values.appsec.customFog.fogAddress }} - {{- end }} - {{- if .Values.appsec.proxy }} - - --proxy - - {{ .Values.appsec.proxy }} - {{- end }} - imagePullPolicy: {{ .Values.appsec.image.pullPolicy }} - env: - - name: user_email - value: {{ .Values.appsec.userEmail }} - {{- if eq .Values.appsec.playground false }} - - name: SHARED_STORAGE_HOST - value: {{ .Values.appsec.storage.name }}-svc - - name: LEARNING_HOST - value: {{ .Values.appsec.learning.name }}-svc - {{- else }} - - name: PLAYGROUND - value: "true" - {{- end }} - resources: - {{ toYaml .Values.resources | nindent 12 }} - volumeMounts: - - name: advanced-model - mountPath: /advanced-model - {{- if .Values.appsec.persistence.enabled }} - - name: appsec-conf - mountPath: /etc/cp/conf - - name: appsec-data - mountPath: /etc/cp/data - {{- end }} - name: {{ .Values.controller.containerName }} {{- with .Values.controller.image }} - image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}" + image: "{{- if 
.repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{- end -}}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}" {{- end }} imagePullPolicy: {{ .Values.controller.image.pullPolicy }} {{- if .Values.controller.lifecycle }} @@ -240,7 +190,7 @@ spec: {{- end }} {{- if .Values.controller.opentelemetry.enabled}} {{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext) | nindent 8}} + {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext "distroless" false) | nindent 8}} {{- end}} {{- end }} {{- if .Values.controller.hostNetwork }} @@ -260,14 +210,8 @@ spec: {{- end }} serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} - volumes: - - name: appsec-conf - persistentVolumeClaim: - claimName: {{ .Values.appsec.name }}-conf - - name: appsec-data - persistentVolumeClaim: - claimName: {{ .Values.appsec.name }}-data {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} + volumes: {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}} - name: modules emptyDir: {} diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-hpa.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-hpa.yaml index d1e78bd..f212bc4 100644 
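Review bot: The container block removed from this file carried a literal agent token (`cp-3fb5c718-…`) for standalone mode; since appsec.yaml in this diff is an 84%-similar rename of controller-statefulset.yaml and its `args` block is not among the shown hunks, confirm the same literal has not simply moved there — a token baked into a published chart is one shared credential for every install. If hybrid mode needs a token, source it from a value or Secret, e.g. `{{ required "appsec.agentToken is required" .Values.appsec.agentToken }}`, rather than a template constant.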
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-hpa.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-hpa.yaml @@ -1,12 +1,9 @@ -{{- if and .Values.controller.autoscaling.enabled (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}} -{{- if not .Values.controller.keda.enabled }} - -apiVersion: {{ .Values.controller.autoscaling.apiVersion }} +{{- if and (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) .Values.controller.autoscaling.enabled (not .Values.controller.keda.enabled) -}} +apiVersion: {{ ternary "autoscaling/v2" "autoscaling/v2beta2" (.Capabilities.APIVersions.Has "autoscaling/v2") }} kind: HorizontalPodAutoscaler metadata: - annotations: {{- with .Values.controller.autoscaling.annotations }} - {{- toYaml . | trimSuffix "\n" | nindent 4 }} + annotations: {{ toYaml . | nindent 4 }} {{- end }} labels: {{- include "ingress-nginx.labels" . | nindent 4 }} @@ -48,5 +45,3 @@ spec: {{- toYaml . | nindent 4 }} {{- end }} {{- end }} -{{- end }} - diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-keda.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-keda.yaml index 875157e..c0d95a9 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-keda.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-keda.yaml @@ -25,6 +25,11 @@ spec: cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} minReplicaCount: {{ .Values.controller.keda.minReplicas }} maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} +{{- with .Values.controller.keda.fallback }} + fallback: + failureThreshold: {{ .failureThreshold | default 3 }} + replicas: {{ .replicas | default $.Values.controller.keda.maxReplicas }} +{{- end }} triggers: {{- with .Values.controller.keda.triggers }} {{ toYaml . | indent 2 }} 
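Review bot: The HPA is still gated only on `controller.kind` being `Deployment`/`Both`, not on the new top-level `.Values.kind`, so with the default `controller.kind: Deployment` and `kind: AppSecStateful` it renders while appsec.yaml produces a StatefulSet; `scaleTargetRef` is outside this hunk, so confirm the target kind there and either switch it on `.Values.kind` or add `(not (eq .Values.kind "AppSecStateful"))` to this guard. Switching to `.Capabilities.APIVersions.Has` is an improvement, but check that `helm template` runs without `--api-versions` still pick `autoscaling/v2`, since the `v2beta2` fallback no longer exists on Kubernetes 1.26+.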
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-poddisruptionbudget.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-poddisruptionbudget.yaml index 899d3cc..91be580 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-poddisruptionbudget.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-poddisruptionbudget.yaml @@ -10,12 +10,15 @@ metadata: {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }} namespace: {{ .Release.Namespace }} + {{- if .Values.controller.annotations }} + annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} + {{- end }} spec: selector: matchLabels: {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} app.kubernetes.io/component: controller - {{- if .Values.controller.minAvailable }} + {{- if and .Values.controller.minAvailable (not (hasKey .Values.controller "maxUnavailable")) }} minAvailable: {{ .Values.controller.minAvailable }} {{- else if .Values.controller.maxUnavailable }} maxUnavailable: {{ .Values.controller.maxUnavailable }} diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service.yaml index 2b28196..b2735d2 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service.yaml 
@@ -28,6 +28,9 @@ spec: {{- if .Values.controller.service.loadBalancerSourceRanges }} loadBalancerSourceRanges: {{ toYaml .Values.controller.service.loadBalancerSourceRanges | nindent 4 }} {{- end }} +{{- if .Values.controller.service.loadBalancerClass }} + loadBalancerClass: {{ .Values.controller.service.loadBalancerClass }} +{{- end }} {{- if .Values.controller.service.externalTrafficPolicy }} externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} {{- end }} diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-hpa.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-hpa.yaml index 924125f..faaf4fa 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-hpa.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-hpa.yaml 
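Review bot: `loadBalancerClass` is rendered unquoted; a value like `service.k8s.aws/nlb` happens to be safe, but `loadBalancerClass: {{ .Values.controller.service.loadBalancerClass | quote }}` keeps any provider-specific value a string and matches the `priorityClassName | quote` change made elsewhere in this diff.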
@@ -1,37 +1,40 @@ {{- if and .Values.defaultBackend.enabled .Values.defaultBackend.autoscaling.enabled }} -apiVersion: {{ .Values.defaultBackend.autoscaling.apiVersion }} +apiVersion: {{ ternary "autoscaling/v2" "autoscaling/v2beta2" (.Capabilities.APIVersions.Has "autoscaling/v2") }} kind: HorizontalPodAutoscaler metadata: + {{- with .Values.defaultBackend.autoscaling.annotations }} + annotations: {{ toYaml . | nindent 4 }} + {{- end }} labels: {{- include "ingress-nginx.labels" . | nindent 4 }} app.kubernetes.io/component: default-backend {{- with .Values.defaultBackend.labels }} {{- toYaml . | nindent 4 }} {{- end }} - name: {{ template "ingress-nginx.defaultBackend.fullname" . }} + name: {{ include "ingress-nginx.defaultBackend.fullname" . }} namespace: {{ .Release.Namespace }} spec: scaleTargetRef: apiVersion: apps/v1 kind: Deployment - name: {{ template "ingress-nginx.defaultBackend.fullname" . }} + name: {{ include "ingress-nginx.defaultBackend.fullname" . }} minReplicas: {{ .Values.defaultBackend.autoscaling.minReplicas }} maxReplicas: {{ .Values.defaultBackend.autoscaling.maxReplicas }} metrics: -{{- with .Values.defaultBackend.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: {{ . }} -{{- end }} -{{- with .Values.defaultBackend.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - target: - type: Utilization - averageUtilization: {{ . }} -{{- end }} + {{- with .Values.defaultBackend.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ . }} + {{- end }} + {{- with .Values.defaultBackend.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ . }} + {{- end }} {{- end }} 
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/learning-deployment.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/learning-deployment.yaml index cc75d85..90e967a 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/learning-deployment.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/learning-deployment.yaml @@ -1,3 +1,4 @@ +{{- if not (eq .Values.kind "Vanilla") -}} {{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.playground false) }} apiVersion: apps/v1 kind: Deployment @@ -137,3 +138,4 @@ spec: claimName: {{ .Values.appsec.name }}-storage {{- end }} {{- end }} +{{- end }} diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/learning-services.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/learning-services.yaml index b919392..e9c2bdb 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/learning-services.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/learning-services.yaml @@ -1,3 +1,4 @@ +{{- if not (eq .Values.kind "Vanilla") -}} {{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.playground false) }} apiVersion: v1 kind: Service @@ -31,3 +32,4 @@ spec: selector: app: {{ .Values.appsec.storage.name }}-lbl {{- end }} +{{- end }} diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/values.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/values.yaml index f3bc2be..f2dac65 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/values.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/values.yaml 
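Review bot: The `{{- if not (eq .Values.kind "Vanilla") -}}` guard is now copy-pasted as an outer wrapper into five templates (learning deployment and services, both PVCs, the settings ConfigMap and Secret); a named helper in `_helpers.tpl`, e.g. `{{- define "appsec.enabled" -}}{{ ne .Values.kind "Vanilla" }}{{- end -}}` used as `{{- if eq (include "appsec.enabled" .) "true" }}`, keeps the condition in one place and is easier to extend when another kind is added. Folding it into the existing `if and (...)` on the next line would also avoid the double nesting and the extra `{{- end }}` appended to each file.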
@@ -18,14 +18,14 @@ controller: image: ## Keep false as default for now! chroot: false - registry: ghcr.io/openappsec - image: nginx-ingress-attachment + registry: registry.k8s.io + image: ingress-nginx/controller ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: latest - digest: - digestChroot: sha256:e35d5ab487861b9d419c570e3530589229224a0762c7b4d2e2222434abb8d988 + tag: "v1.8.1" + digest: sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd + digestChroot: sha256:e0d4121e3c5e39de9122e55e331a32d5ebf8d4d257227cb93ab54a1b912a7627 pullPolicy: IfNotPresent # www-data -> uid 101 runAsUser: 101 @@ -55,7 +55,7 @@ controller: # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. dnsPolicy: ClusterFirst # -- Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network - # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply + # Ingress status was blank because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply reportNodeInternalIp: false # -- Process Ingress objects without ingressClass annotation/ingressClassName field # Overrides value for --watch-ingress-without-class flag of the controller binary 
@@ -150,7 +150,7 @@ controller: # -- Maxmind license key to download GeoLite2 Databases. ## https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases maxmindLicenseKey: "" - # -- Additional command line arguments to pass to nginx-ingress-controller + # -- Additional command line arguments to pass to Ingress-Nginx Controller # E.g. to specify the default SSL certificate you can use extraArgs: {} ## extraArgs: @@ -166,7 +166,7 @@ controller: # name: secret-resource # -- Use a `DaemonSet` or `Deployment` - kind: StatefulSet + kind: Deployment # -- Annotations to be added to the controller Deployment or DaemonSet ## annotations: {} @@ -257,7 +257,7 @@ controller: ## terminationGracePeriodSeconds: 300 # -- Node labels for controller pod assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: kubernetes.io/os: linux @@ -302,15 +302,16 @@ controller: healthCheckPath: "/healthz" # -- Address to bind the health check endpoint. # It is better to set this option to the internal node address - # if the ingress nginx controller is running in the `hostNetwork: true` mode. + # if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode. healthCheckHost: "" # -- Annotations to be added to controller pods ## podAnnotations: {} replicaCount: 1 - # -- Define either 'minAvailable' or 'maxUnavailable', never both. + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. minAvailable: 1 - # -- Define either 'minAvailable' or 'maxUnavailable', never both. + # -- Maximum unavalaile pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. # maxUnavailable: 1 ## Define requests resources to avoid probe issues due to CPU utilization in busy nodes 
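Review bot: The new PodDisruptionBudget comment has a typo, `unavalaile` → `unavailable`. The `kind` default changes from `StatefulSet` to `Deployment` while its comment still reads "Use a `DaemonSet` or `Deployment`"; now that the top-level `kind: AppSec`/`AppSecStateful` switch decides whether a StatefulSet is produced, the comment should say that `StatefulSet` is no longer honoured here and point to `kind`. Existing installs that relied on the old StatefulSet default will get a different workload type on upgrade, which is worth a line in the chart README or changelog.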
@@ -326,7 +327,6 @@ controller: memory: 90Mi # Mutually exclusive with keda autoscaling autoscaling: - apiVersion: autoscaling/v2 enabled: false annotations: {} minReplicas: 1 @@ -368,6 +368,9 @@ controller: maxReplicas: 11 pollingInterval: 30 cooldownPeriod: 300 + # fallback: + # failureThreshold: 3 + # replicas: 11 restoreToOriginalReplicaCount: false scaledObject: annotations: {} @@ -417,12 +420,14 @@ controller: # clusterIP: "" # -- List of IP addresses at which the controller services are available - ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips ## externalIPs: [] # -- Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer loadBalancerIP: "" loadBalancerSourceRanges: [] + # -- Used by cloud providers to select a load balancer implementation other than the cloud provider default. https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class + loadBalancerClass: "" enableHttp: true enableHttps: true ## Set external traffic policy to: "Local" to preserve source IP on providers supporting it. @@ -473,8 +478,8 @@ controller: enabled: false # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. annotations: {} - # loadBalancerIP: "" - + # -- Used by cloud providers to connect the resulting internal LoadBalancer to a pre-existing static IP. Make sure to add to the service the needed annotation to specify the subnet which the static IP belongs to. For instance, `networking.gke.io/internal-load-balancer-subnet` for GCP and `service.beta.kubernetes.io/aws-load-balancer-subnets` for AWS. + loadBalancerIP: "" # -- Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. loadBalancerSourceRanges: [] ## Set external traffic policy to: "Local" to preserve source IP on 
@@ -547,7 +552,7 @@ controller: opentelemetry: enabled: false - image: registry.k8s.io/ingress-nginx/opentelemetry:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:40f766ac4a9832f36f217bb0e98d44c8d38faeccbfe861fbc1a76af7e9ab257f + image: registry.k8s.io/ingress-nginx/opentelemetry:v20230527@sha256:fd7ec835f31b7b37187238eb4fdad4438806e69f413a203796263131f4f02ed0 containerSecurityContext: allowPrivilegeEscalation: false admissionWebhooks: @@ -609,8 +614,8 @@ controller: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: v20230312-helm-chart-4.5.2-28-g66a760794 - digest: sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f + tag: v20230407 + digest: sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b pullPolicy: IfNotPresent # -- Provide a priority class name to the webhook patching job ## @@ -652,7 +657,7 @@ controller: # clusterIP: "" # -- List of IP addresses at which the stats-exporter service is available - ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips ## externalIPs: [] # loadBalancerIP: "" @@ -810,7 +815,7 @@ defaultBackend: # key: value # -- Node labels for default backend pod assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: kubernetes.io/os: linux @@ -838,7 +843,6 @@ defaultBackend: # emptyDir: {} autoscaling: - apiVersion: autoscaling/v2 annotations: {} enabled: false minReplicas: 1 
@@ -850,7 +854,7 @@ defaultBackend: # clusterIP: "" # -- List of IP addresses at which the default backend service is available - ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips ## externalIPs: [] # loadBalancerIP: "" @@ -907,7 +911,7 @@ appsec: repository: ghcr.io/openappsec image: agent tag: latest - pullPolicy: IfNotPresent + pullPolicy: Always securityContext: {} # capabilities: @@ -916,7 +920,26 @@ appsec: # readOnlyRootFilesystem: true # runAsNonRoot: true # runAsUser: 1000 - + nginx: + image: + repository: "ghcr.io/openappsec/nginx-ingress-attachment" + tag: "latest" + configMapName: appsec-settings-configmap + configMapContent: + crowdsec: + enabled: false + mode: prevent + logging: enabled + api: + url: http://crowdsec-service:8080/v1/decisions/stream + auth: + method: apikey + secretName: appsec-settings-secret + # If you would like to use your own secret with CrowdSec authentication data, please remove the following block + secretContent: + crowdsec: + auth: + data: "00000000000000000000000000000000" resources: # limits: # cpu: 100m @@ -980,3 +1003,8 @@ appsec: image: smartsync-shared-files tag: latest +# -- For nginx vanilla installation use kind Vanilla (no appsec components). +# -- For nginx with appsec installation use kind AppSec (default: nginx + appsec without state). +# -- For nginx with appsec (statefulset) installation use kind AppSecStateful. +kind: AppSec + diff --git a/build_system/charts/open-appsec-kong/CHANGELOG.md b/build_system/charts/open-appsec-kong/CHANGELOG.md index 099edd6..d1396d2 100644 --- a/build_system/charts/open-appsec-kong/CHANGELOG.md +++ b/build_system/charts/open-appsec-kong/CHANGELOG.md 
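Review bot: `pullPolicy: Always` combined with `tag: latest` on the appsec agent image (hunk @@ -907) makes every pod restart pull whatever `latest` resolves to at that moment, so two replicas can run different builds and a release cannot be reproduced or rolled back by chart version alone. Pin a versioned tag or a `digest` for the default and keep `IfNotPresent`, leaving `Always` to users who opt in; the same applies to `nginx.image.tag: "latest"` added in hunk @@ -916.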
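Review bot: `secretContent.crowdsec.auth.data: "00000000000000000000000000000000"` in hunk @@ -916 ships a default credential that the new appsec-settings-secret template renders into a Kubernetes Secret on every non-Vanilla install, so a deployment that enables CrowdSec without overriding it will authenticate with a publicly known placeholder. Leaving the default empty and having the template `required` a non-empty value when `configMapContent.crowdsec.enabled` is true fails the install loudly instead of silently shipping the placeholder. The `api.url` default is plain `http://`; that is acceptable for in-cluster traffic, but a comment `# use https:// when the CrowdSec LAPI is reached outside the cluster` would flag that the API key travels unencrypted otherwise.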
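Review bot: The three comment lines above `kind: AppSec` (hunk @@ -980) each start with the helm-docs `# --` marker, which this file otherwise uses only once per key with plain `#` continuation lines (see the `minAvailable` comment in hunk @@ -302), so the generated README would treat them as three competing descriptions. Use `# -- Chart flavour: Vanilla (nginx only), AppSec (nginx + appsec, default) or AppSecStateful (nginx + appsec as a StatefulSet).` as the first line and `#` for any continuation. The key is also top-level while the related `controller.kind` is nested, so a short note on how the two interact would help readers.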
@@ -1,6 +1,46 @@ # Changelog -## Unreleased +## 2.25.0 + +- Generate the `adminApiService.name` value from `.Release.Name` rather than + hardcoding to `kong` + [#839](https://github.com/Kong/charts/pull/839) + +## 2.24.0 + +### Improvements + +* Running `tpl` against user-supplied labels and annotations used in Deployment + [#814](https://github.com/Kong/charts/pull/814) + + Example: + ```yaml + podLabels: + version: "{{ .Values.image.tag }}" # Will render dynamically when overridden downstream + ``` + +* Fail to render templates when PodSecurityPolicy was requested but cluster doesn't + serve its API. + [#823](https://github.com/Kong/charts/pull/823) +* Add support for multiple hosts and tls configurations for Kong proxy `Ingress`. + [#813](https://github.com/Kong/charts/pull/813) +* Bump postgres default tag to `13.11.0-debian-11-r20` which includes arm64 images. + [#834](https://github.com/Kong/charts/pull/834) + +### Fixed + +* Fix Ingress and HPA API versions during capabilities checking + [#827](https://github.com/Kong/charts/pull/827) + +## 2.23.0 + +### Improvements + +* Add custom label configuration option for Kong proxy `Ingress`. + [#812](https://github.com/Kong/charts/pull/812) +* Bump default `kong/kubernetes-ingress-controller` image tag to 2.10. + Bump default `kong` image tag to 3.3. + [#815](https://github.com/Kong/charts/pull/815) ## 2.22.0 @@ -30,7 +70,7 @@ ## 2.20.2 -### Fixed +### Fixed * Automatic license provisioning for Gateways managed by Ingress Controllers in Konnect mode is disabled by default. diff --git a/build_system/charts/open-appsec-kong/Chart.yaml b/build_system/charts/open-appsec-kong/Chart.yaml index ed627d7..38c21be 100644 --- a/build_system/charts/open-appsec-kong/Chart.yaml +++ b/build_system/charts/open-appsec-kong/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: "3.2" +appVersion: "3.3" dependencies: - condition: postgresql.enabled name: postgresql 
@@ -16,4 +16,4 @@ maintainers: name: open-appsec-kong sources: - https://github.com/Kong/charts/tree/main/charts/kong -version: 2.22.0 +version: 2.25.0 diff --git a/build_system/charts/open-appsec-kong/README.md b/build_system/charts/open-appsec-kong/README.md index 66570dc..009046b 100644 --- a/build_system/charts/open-appsec-kong/README.md +++ b/build_system/charts/open-appsec-kong/README.md @@ -679,11 +679,13 @@ or `ingress` sections, as it is used only for stream listens. | SVC.externalTrafficPolicy | k8s service's externalTrafficPolicy. Options: Cluster, Local | | | SVC.ingress.enabled | Enable ingress resource creation (works with SVC.type=ClusterIP) | `false` | | SVC.ingress.ingressClassName | Set the ingressClassName to associate this Ingress with an IngressClass | | -| SVC.ingress.tls | Name of secret resource, containing TLS secret | | | SVC.ingress.hostname | Ingress hostname | `""` | | SVC.ingress.path | Ingress path. | `/` | | SVC.ingress.pathType | Ingress pathType. One of `ImplementationSpecific`, `Exact` or `Prefix` | `ImplementationSpecific` | +| SVC.ingress.hosts | Slice of hosts configurations, including `hostname`, `path` and `pathType` keys | `[]` | +| SVC.ingress.tls | Name of secret resource or slice of `secretName` and `hosts` keys | | | SVC.ingress.annotations | Ingress annotations. See documentation for your ingress controller for details | `{}` | +| SVC.ingress.labels | Ingress labels. Additional custom labels to add to the ingress. | `{}` | | SVC.annotations | Service annotations | `{}` | | SVC.labels | Service labels | `{}` | 
@@ -744,6 +746,7 @@ section of `values.yaml` file: | userDefinedVolumeMounts | Create volumeMounts. Please go to Kubernetes doc for the spec of the volumeMounts | | | terminationGracePeriodSeconds | Sets the [termination grace period](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution) for Deployment pod | 30 | | gatewayDiscovery.enabled | Enables Kong instance service discovery (for more details see [gatewayDiscovery section][gd_section]) | false | +| gatewayDiscovery.generateAdminApiService | Generate the admin API service name based on the release name (for more details see [gatewayDiscovery section][gd_section]) | false | | gatewayDiscovery.adminApiService.namespace | The namespace of the Kong admin API service (for more details see [gatewayDiscovery section][gd_section]) | `.Release.Namespace` | | gatewayDiscovery.adminApiService.name | The name of the Kong admin API service (for more details see [gatewayDiscovery section][gd_section]) | "" | | konnect.enabled | Enable synchronisation of data plane configuration with Konnect Runtime Group | false | 
@@ -796,12 +799,16 @@ You'll be able to configure this feature through configuration section under service. (provided under the hood via `CONTROLLER_KONG_ADMIN_SVC` environment variable). - The following admin API Service flags have to be provided in order for gateway + The following admin API Service flags have to be present in order for gateway discovery to work: - `ingressController.gatewayDiscovery.adminApiService.name` - `ingressController.gatewayDiscovery.adminApiService.namespace` + If you set `ingressController.gatewayDiscovery.generateAdminApiService` to `true`, + the chart will generate values for `name` and `namespace` based on the current release name and + namespace. This is useful when consuming the `kong` chart as a subchart. + Using this feature requires a split release installation of Gateways and Ingress Controller. For exemplar `values.yaml` files which use this feature please see: [examples README.md](./example-values/README.md). diff --git a/build_system/charts/open-appsec-kong/ci/admin-api-service-clusterip.yaml b/build_system/charts/open-appsec-kong/ci/admin-api-service-clusterip.yaml new file mode 100644 index 0000000..18e5fa3 --- /dev/null +++ b/build_system/charts/open-appsec-kong/ci/admin-api-service-clusterip.yaml @@ -0,0 +1,6 @@ +admin: + enabled: true + type: ClusterIP + +ingressController: + enabled: false diff --git a/build_system/charts/open-appsec-kong/ci/kong-ingress-1-values.yaml b/build_system/charts/open-appsec-kong/ci/kong-ingress-1-values.yaml new file mode 100644 index 0000000..ac31482 --- /dev/null +++ b/build_system/charts/open-appsec-kong/ci/kong-ingress-1-values.yaml 
@@ -0,0 +1,16 @@ +# CI test for empty hostname including tls secret using string +proxy: + type: NodePort + ingress: + enabled: true + tls: "kong.proxy.example.secret" + +extraObjects: +- apiVersion: v1 + data: + tls.crt: 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 + tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnd2dnU2tBZ0VBQW9JQkFRRHhtREd6YmtUQ2FLMlUKT1liYjVWYVdvWEViSjFPN3E2SUZWWVIvZUZZZThhLzlDTmQya0JqSjJ5K0xuKytoQ2F2ZFBKRUNpNWtaZ0VhMgpkTUMybzJTb3BGcFNLT0pWTEF6ZXpJaTZuS2ZaTnduM250MG8vNU5yaG44UXhGT2tmNnVSbVZZd3JsWDdrcmMxCm9mK1o3SGxSMUJrakZnc3pjc2ZjcTJ1Uy8xOURwZEdDQjNMUGpRcTlvVE1pYVdrU0VHbUVvZjFCdHYrMFFNeisKMUNPWDhROStZRExkLzFjeWNQZEhGWHMycVI4cUpIZGFCRUxhcXZtUTZiSWd1TzVxVU1VeGlqSUo0aDhuQzVsNApLRWtXaThaQWs5WHBnNm91ZGtSekRVNENJOVlHemFxNTltS1huTjdNTUo0QVYzbkRLNlFwWTZETktDM3BicWp0Cm9BVFFMNit0QWdNQkFBRUNnZ0VCQUs3N1I0d3BJcDRZU1JoaGJoN1loWldHQ3JEYkZCZUtZVWd4djB5LzhNaHEKenNlYlhzdGQ1TVpXL2FISVRqdzZFQU9tT1hVNWZNTHVtTWpQMlVDdktWbkg2QzgzczI1ekFFTmlxdWxXUzIvVgpJRi83N1Qwamx6ZTY2MDlPa3pKQzBoWWJsRVNnRUdDc3pBdUpjT0tnVnVLQWwxQkZTQW1VYWRPWFNNdm9NS3lDCkJlekZaVEhOcGRWQ2xwUHVLNGQrWFJJZ1hHWS84RzNmWlFXRWNjV2tTYmRjQUlLdVYvWktHQ0IyT2dXS1VzSHgKTStscEw1TTZ3aXdYOEFNdUVWVHJsMWNwKzAzTjdOaUYwMFpYdCszZzVZUkJmRitYWjZ1b3hmbENQZ3VHdzh6bgpvN2tFRVNKZ2YycHZyZWYveHBjSVFSM090aHZjSzR5RldOcndPbExHQk9FQ2dZRUErNmJBREF0bDAvRlpzV08zCnVvNlBRNXZTL0tqbS9XaUkzeUo5TUdLNzQxTFZpMlRMUGpVZ092SDdkZUVjNVJjUmoxV1Nna3d1bUdzZWE2WkQKWXRWSTRZTDdMM1NUQ3JyZUNFTDRhOUJPcFB0azcxWWw3TmhxZktEaXhzU1FnNmt4dDJ1TlYvZXNSQ1JPeENoWgp5bk9JTmkvN3lOeFpVek4zcndyVjBCMUFNYVVDZ1lFQTljVDBZNkJWRHZLdFFaV1gvR1REZ2pUUzN6QWlPWmFNCjVFM3NleHh6MXY4eDF0N3JvWDV3aHNaVjlzQ05nNlJaNjIyT3hJejhHQnVvMnU1M2h2WFJabmdDaG1PcHYwRjgKcm5STWFNR0tIeGN2TmNrVUZUMW9TdDJCeEhNT1FNZTM2cERVTnZ0S3pvNGJoakpVUU94Mm14RU9TNERscm4rMApRU3FqVFpyWGwya0NnWUJ1UmIyMkNYQ1BsUjBHbkhtd0tEUWpIaTh3UkJza1JDQm1Gc2pnNFFNUU5BWWJWUW15CnNyankyNEtqUHdmWVkybHdjOEVGazdoL1ZjRTR6dHlNZklXNVBCb3h5MVY3eURMdlQ5bG45Um5oTmNBZkdKTDUKM0VPZFpTcTZpdndBbGEyUmdIR3BjS
UJ1UTdLNFJpNUNocW5UaE9kQ056eDFOd0psRTh4cHE4ZXJlUUtCZ1FEeQppV3B3UXRLT0ROa0VCdi9WT1E5am1JT2RjOS9pbXZyeGR5RHZvWFdENzVXY3FhTTVYUkRwUUNPbmZnQnBzREI0CjBFWjdHM0xReThNSVF4czcyYXpMaFpWZ1VFdzlEUUJoSFM0bWx4Q2FmQU8vL1c3UFF5bC84RGJXeW9CL1YxamQKcUExMU1PcHpDdlNJcTNSUUdjczJYaytRSFdVTW5zUWhKMVcvQ1JiSE9RS0JnRTVQZ0hrbW1PY1VXZkJBZUtzTApvb2FNNzBINVN1YUNYN1Y1enBhM3hFMW5WVWMxend5aldOdkdWbTA5WkpEOFFMR1ZDV2U0R1o5R1NvV2tqSUMvCklFKzA0M29kUERuL2JwSDlTMDF2a0s1ZDRJSGc3QUcwWXI5SW1zS0paT0djT1dmdUdKSlZ5em1CRXhaSU9pbnoKVFFuaFdhZWs0NE1hdVJYOC9pRjZyZWorCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K + kind: Secret + metadata: + name: kong.proxy.example.secret + type: kubernetes.io/tls diff --git a/build_system/charts/open-appsec-kong/ci/kong-ingress-2-values.yaml b/build_system/charts/open-appsec-kong/ci/kong-ingress-2-values.yaml new file mode 100644 index 0000000..4f7239d --- /dev/null +++ b/build_system/charts/open-appsec-kong/ci/kong-ingress-2-values.yaml 
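Review bot: `tls.key` in the new ci/kong-ingress-1-values.yaml (and likewise ci/kong-ingress-2-values.yaml and ci/kong-ingress-4-values.yaml) commits a base64-encoded PEM private key to the repository; secret scanners will flag it, and without context it is easy to mistake for real material later. A header comment such as `# Throwaway self-signed test pair for CI only; never reuse outside this test` makes the intent explicit, and generating the pair in the CI job instead of storing it avoids the question entirely. The `extraObjects` Secret is otherwise well-formed for its purpose.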
@@ -0,0 +1,17 @@ +# CI test for hostname including tls secret using string +proxy: + type: NodePort + ingress: + enabled: true + hostname: "proxy.kong.example" + tls: "kong.proxy.example.secret" + +extraObjects: +- apiVersion: v1 + data: + tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURoakNDQW00Q0NRQ0tyTDdSS1Y0NTBEQU5CZ2txaGtpRzl3MEJBUXNGQURDQmhERUxNQWtHQTFVRUJoTUMKV0ZneEVqQVFCZ05WQkFnTUNWTjBZWFJsVG1GdFpURVJNQThHQTFVRUJ3d0lRMmwwZVU1aGJXVXhGREFTQmdOVgpCQW9NQzBOdmJYQmhibmxPWVcxbE1Sc3dHUVlEVlFRTERCSkRiMjF3WVc1NVUyVmpkR2x2Yms1aGJXVXhHekFaCkJnTlZCQU1NRW5CeWIzaDVMbXR2Ym1jdVpYaGhiWEJzWlRBZUZ3MHlNekEyTWprd09ERTBNekJhRncwek16QTIKTWpZd09ERTBNekJhTUlHRU1Rc3dDUVlEVlFRR0V3SllXREVTTUJBR0ExVUVDQXdKVTNSaGRHVk9ZVzFsTVJFdwpEd1lEVlFRSERBaERhWFI1VG1GdFpURVVNQklHQTFVRUNnd0xRMjl0Y0dGdWVVNWhiV1V4R3pBWkJnTlZCQXNNCkVrTnZiWEJoYm5sVFpXTjBhVzl1VG1GdFpURWJNQmtHQTFVRUF3d1NjSEp2ZUhrdWEyOXVaeTVsZUdGdGNHeGwKTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUE4Wmd4czI1RXdtaXRsRG1HMitWVwpscUZ4R3lkVHU2dWlCVldFZjNoV0h2R3YvUWpYZHBBWXlkc3ZpNS92b1FtcjNUeVJBb3VaR1lCR3RuVEF0cU5rCnFLUmFVaWppVlN3TTNzeUl1cHluMlRjSjk1N2RLUCtUYTRaL0VNUlRwSCtya1psV01LNVYrNUszTmFIL21leDUKVWRRWkl4WUxNM0xIM0t0cmt2OWZRNlhSZ2dkeXo0MEt2YUV6SW1scEVoQnBoS0g5UWJiL3RFRE0vdFFqbC9FUApmbUF5M2Y5WE1uRDNSeFY3TnFrZktpUjNXZ1JDMnFyNWtPbXlJTGp1YWxERk1Zb3lDZUlmSnd1WmVDaEpGb3ZHClFKUFY2WU9xTG5aRWN3MU9BaVBXQnMycXVmWmlsNXplekRDZUFGZDV3eXVrS1dPZ3pTZ3Q2VzZvN2FBRTBDK3YKclFJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUNGZHhFOFVsMVorcWxBbW1lTk5BdlAyZVVxSElTbQpHWXZidzdGdW82bXNJY3V3cjZKeENBWjIwako5UkphalMzWS9TS3BteXM2OXZxU21ic25oeUJzc01mL1ZtenFSClBVLzVkUUZiblNybUJqMnFBNWxtRCtENDVLUEtrTjc1V21NeDRQWkZseEw3WHVLYnZhYVZBUjFFUmRNZy90NisKUXpPV3BVWVZrcFJnQmlxTDBTTjhvTStOTjdScGFESFNkZjlTY1FtUmhNVklNNDdVZ1ZXNWhta21mQjBkUTFhQQo5NWdTQ3E0cGVwUFRzY3NsbVBzM0lOck5BTk45KytyMnM1bXRTWnp5VktRU0cwRjQ0Y1puWjdTdkdTVFJORDlUCnRKVzNTcko3elBwS0JqWi9qVDRRVnpBdGtHN3FSV2ZhYnlWTmVrK29wMTgwSVY5Um9IR1JDU0kyCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + tls.key: 
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 + kind: Secret + metadata: + name: kong.proxy.example.secret + type: kubernetes.io/tls diff --git a/build_system/charts/open-appsec-kong/ci/kong-ingress-3-values.yaml b/build_system/charts/open-appsec-kong/ci/kong-ingress-3-values.yaml new file mode 100644 index 0000000..1afcd3e --- /dev/null +++ b/build_system/charts/open-appsec-kong/ci/kong-ingress-3-values.yaml @@ -0,0 +1,10 @@ +# CI test for using ingress hosts configuration +proxy: + type: NodePort + ingress: + enabled: true + hosts: + - host: proxy.kong.example + paths: + - path: / + pathType: ImplementationSpecific diff --git a/build_system/charts/open-appsec-kong/ci/kong-ingress-4-values.yaml b/build_system/charts/open-appsec-kong/ci/kong-ingress-4-values.yaml new file mode 100644 index 0000000..5c84b24 --- /dev/null +++ b/build_system/charts/open-appsec-kong/ci/kong-ingress-4-values.yaml 
@@ -0,0 +1,43 @@ +# CI test for testing combined ingress hostname and hosts configuration including tls configuraion using slice +proxy: + type: NodePort + ingress: + enabled: true + hostname: "proxy.kong.example" + hosts: + - host: "proxy2.kong.example" + paths: + - path: /foo + pathType: Prefix + - path: /bar + pathType: Prefix + - host: "proxy3.kong.example" + paths: + - path: /baz + pathType: Prefix + tls: + - hosts: + - "proxy.kong.example" + secretName: "proxy.kong.example.secret" + - hosts: + - "proxy2.kong.example" + - "proxy3.kong.example" + secretName: "proxy.kong.example.secret2" + +extraObjects: +- apiVersion: v1 + data: + tls.crt: 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 + tls.key: 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 + kind: Secret + metadata: + name: kong.proxy.example.secret + type: kubernetes.io/tls +- apiVersion: v1 + data: + tls.crt: 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 + tls.key: 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 + kind: Secret + metadata: + name: kong.proxy.example.secret2 + type: kubernetes.io/tls diff --git a/build_system/charts/open-appsec-kong/ci/test1-values.yaml b/build_system/charts/open-appsec-kong/ci/test1-values.yaml index 4d171b5..b0a9c85 100644 --- a/build_system/charts/open-appsec-kong/ci/test1-values.yaml +++ b/build_system/charts/open-appsec-kong/ci/test1-values.yaml @@ -28,9 +28,6 @@ ingressController: podLabels: app: kong environment: test -# - podSecurityPolicies are enabled -podSecurityPolicy: - enabled: true # - ingress resources are created with hosts admin: type: NodePort diff --git a/build_system/charts/open-appsec-kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml b/build_system/charts/open-appsec-kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml index a7d8d55..e4c4bf2 100644 --- a/build_system/charts/open-appsec-kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml 
+++ b/build_system/charts/open-appsec-kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml @@ -146,7 +146,7 @@ extraLabels: konghq.com/component: quickstart image: repository: kong/kong-gateway - tag: "3.2" + tag: "3.3" ingressController: enabled: true env: @@ -162,7 +162,7 @@ ingressController: publish_service: kong/quickstart-kong-proxy image: repository: docker.io/kong/kubernetes-ingress-controller - tag: "2.8" + tag: "2.10" ingressClass: default installCRDs: false manager: @@ -278,8 +278,4 @@ status: tls: containerPort: 8543 enabled: false -updateStrategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 100% - type: RollingUpdate + diff --git a/build_system/charts/open-appsec-kong/example-values/full-k4k8s-with-kong-enterprise.yaml b/build_system/charts/open-appsec-kong/example-values/full-k4k8s-with-kong-enterprise.yaml index f5f1d32..56a6d08 100644 --- a/build_system/charts/open-appsec-kong/example-values/full-k4k8s-with-kong-enterprise.yaml +++ b/build_system/charts/open-appsec-kong/example-values/full-k4k8s-with-kong-enterprise.yaml @@ -12,7 +12,7 @@ image: repository: kong/kong-gateway - tag: "3.2" + tag: "3.3" env: prefix: /kong_prefix/ diff --git a/build_system/charts/open-appsec-kong/example-values/minimal-k4k8s-with-kong-enterprise.yaml b/build_system/charts/open-appsec-kong/example-values/minimal-k4k8s-with-kong-enterprise.yaml index cec10c2..f222d38 100644 --- a/build_system/charts/open-appsec-kong/example-values/minimal-k4k8s-with-kong-enterprise.yaml +++ b/build_system/charts/open-appsec-kong/example-values/minimal-k4k8s-with-kong-enterprise.yaml @@ -9,7 +9,7 @@ image: repository: kong/kong-gateway - tag: "3.2" + tag: "3.3" admin: enabled: true diff --git a/build_system/charts/open-appsec-kong/example-values/minimal-kong-controller.yaml b/build_system/charts/open-appsec-kong/example-values/minimal-kong-controller.yaml index 59f88e3..3be8e0d 100644 
--- a/build_system/charts/open-appsec-kong/example-values/minimal-kong-controller.yaml +++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-controller.yaml @@ -2,7 +2,7 @@ image: repository: kong - tag: "3.2" + tag: "3.3" env: prefix: /kong_prefix/ diff --git a/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-dbless.yaml b/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-dbless.yaml index aaeca12..2610935 100644 --- a/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-dbless.yaml +++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-dbless.yaml @@ -4,7 +4,7 @@ image: repository: kong/kong-gateway - tag: "3.2" + tag: "3.3" enterprise: enabled: true diff --git a/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-control.yaml b/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-control.yaml index 8c7df15..ffc316a 100644 --- a/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-control.yaml +++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-control.yaml @@ -14,7 +14,7 @@ image: repository: kong/kong-gateway - tag: "3.2" + tag: "3.3" env: database: postgres diff --git a/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-data.yaml b/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-data.yaml index 772ed21..012d9b6 100644 --- a/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-data.yaml +++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-data.yaml @@ -12,7 +12,7 @@ image: repository: kong/kong-gateway - tag: "3.2" + tag: "3.3" env: role: data_plane @@ -43,4 +43,3 @@ portal: portalapi: enabled: false - 
diff --git a/build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-control.yaml b/build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-control.yaml index 374c24b..a48028a 100644 --- a/build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-control.yaml +++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-control.yaml @@ -6,7 +6,7 @@ image: repository: kong - tag: "3.2" + tag: "3.3" env: prefix: /kong_prefix/ diff --git a/build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-data.yaml b/build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-data.yaml index 4c81af7..84d9c40 100644 --- a/build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-data.yaml +++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-data.yaml @@ -11,7 +11,7 @@ image: repository: kong - tag: "3.2" + tag: "3.3" env: prefix: /kong_prefix/ diff --git a/build_system/charts/open-appsec-kong/example-values/minimal-kong-standalone.yaml b/build_system/charts/open-appsec-kong/example-values/minimal-kong-standalone.yaml index 2dfbfc3..ca06308 100644 --- a/build_system/charts/open-appsec-kong/example-values/minimal-kong-standalone.yaml +++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-standalone.yaml @@ -6,7 +6,7 @@ image: repository: kong - tag: "3.2" + tag: "3.3" env: prefix: /kong_prefix/ diff --git a/build_system/charts/open-appsec-kong/templates/_helpers.tpl b/build_system/charts/open-appsec-kong/templates/_helpers.tpl index 1604c5f..205bc72 100644 --- a/build_system/charts/open-appsec-kong/templates/_helpers.tpl +++ b/build_system/charts/open-appsec-kong/templates/_helpers.tpl 
@@ -32,7 +32,7 @@ app.kubernetes.io/instance: "{{ .Release.Name }}" app.kubernetes.io/managed-by: "{{ .Release.Service }}" app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- range $key, $value := .Values.extraLabels }} -{{ $key }}: {{ $value | quote }} +{{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }} {{- end }} {{- end -}} @@ -78,13 +78,16 @@ Create Ingress resource for a Kong service {{- $path := .ingress.path -}} {{- $hostname := .ingress.hostname -}} {{- $pathType := .ingress.pathType -}} -apiVersion: {{ .ingressVersion }} +apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: {{ .fullName }}-{{ .serviceName }} namespace: {{ .namespace }} labels: {{- .metaLabels | nindent 4 }} + {{- range $key, $value := .ingress.labels }} + {{- $key | nindent 4 }}: {{ $value | quote }} + {{- end }} {{- if .ingress.annotations }} annotations: {{- range $key, $value := .ingress.annotations }} 
@@ -92,33 +95,74 @@ metadata: {{- end }} {{- end }} spec: -{{- if (and (not (eq .ingressVersion "extensions/v1beta1")) .ingress.ingressClassName) }} +{{- if .ingress.ingressClassName }} ingressClassName: {{ .ingress.ingressClassName }} {{- end }} rules: - - host: {{ $hostname | quote }} - http: + {{- if ( not (or $hostname .ingress.hosts)) }} + - http: paths: - backend: - {{- if (not (eq .ingressVersion "networking.k8s.io/v1")) }} - serviceName: {{ .fullName }}-{{ .serviceName }} - servicePort: {{ $servicePort }} - {{- else }} service: name: {{ .fullName }}-{{ .serviceName }} port: number: {{ $servicePort }} - {{- end }} path: {{ $path }} - {{- if (not (eq .ingressVersion "extensions/v1beta1")) }} pathType: {{ $pathType }} + {{- else if $hostname }} + - host: {{ $hostname | quote }} + http: + paths: + - backend: + service: + name: {{ .fullName }}-{{ .serviceName }} + port: + number: {{ $servicePort }} + path: {{ $path }} + pathType: {{ $pathType }} + {{- end }} + {{- range .ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - backend: + {{- if .backend -}} + {{ .backend | toYaml | nindent 12 }} + {{- else }} + service: + name: {{ $.fullName }}-{{ $.serviceName }} + port: + number: {{ $servicePort }} {{- end }} + {{- if (and $hostname (and (eq $path .path))) }} + {{- fail "duplication of specified ingress path" }} + {{- end }} + path: {{ .path }} + pathType: {{ .pathType }} + {{- end }} + {{- end }} {{- if (hasKey .ingress "tls") }} tls: - - hosts: - - {{ $hostname | quote }} - secretName: {{ .ingress.tls }} - {{- end -}} + {{- if (kindIs "string" .ingress.tls) }} + - hosts: + {{- range .ingress.hosts }} + - {{ .host | quote }} + {{- end }} + {{- if $hostname }} + - {{ $hostname | quote }} + {{- end }} + secretName: {{ .ingress.tls }} + {{- else if (kindIs "slice" .ingress.tls) }} + {{- range .ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . 
| quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + {{- end }} {{- end -}} {{/* @@ -326,7 +370,18 @@ Return the admin API service name for service discovery {{- $gatewayDiscovery := .Values.ingressController.gatewayDiscovery -}} {{- if $gatewayDiscovery.enabled -}} {{- $adminApiService := $gatewayDiscovery.adminApiService -}} - {{- $_ := required ".ingressController.gatewayDiscovery.adminApiService has to be provided when .Values.ingressController.gatewayDiscovery.enabled is set to true" $adminApiService -}} + {{- $adminApiServiceName := $gatewayDiscovery.adminApiService.name -}} + {{- $generateAdminApiService := $gatewayDiscovery.generateAdminApiService -}} + + {{- if and $generateAdminApiService $adminApiService.name -}} + {{- fail (printf ".Values.ingressController.gatewayDiscovery.adminApiService and .Values.ingressController.gatewayDiscovery.generateAdminApiService must not be provided at the same time") -}} + {{- end -}} + + {{- if $generateAdminApiService -}} + {{- $adminApiServiceName = (printf "%s-%s" .Release.Name "gateway-admin") -}} + {{- else }} + {{- $_ := required ".ingressController.gatewayDiscovery.adminApiService.name has to be provided when .Values.ingressController.gatewayDiscovery.enabled is set to true" $adminApiServiceName -}} + {{- end }} {{- if (semverCompare "< 2.9.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} {{- fail (printf "Gateway discovery is available in controller versions 2.9 and up. Detected %s" (include "kong.effectiveVersion" .Values.ingressController.image)) }} 
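Review bot: The `fail "duplication of specified ingress path"` check inside `range .ingress.hosts` fires whenever any `paths[].path` equals `$path`, regardless of host, so a values file that uses `/` under `hostname` and `/` under a different entry in `hosts` cannot render even though Kubernetes accepts the same path under different hosts. If the intent is to reject duplicate host+path pairs, capture the host before the inner range with `{{- $host := .host }}` and test `{{- if (and $hostname (eq $hostname $host) (eq $path .path)) }}`; the nested `(and (eq $path .path))` wraps a single operand and can be dropped either way. `path: {{ .path }}` and `path: {{ $path }}` are emitted unquoted while `host` is quoted; `| quote` on the path lines keeps values such as `/*` from being misread. The helper starts before this hunk.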
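Review bot: `$gatewayDiscovery.adminApiService.name` is now read without the `required` guard on `adminApiService` that this hunk removes, so a values file that leaves `adminApiService` unset or `null` appears to fail rendering with a nil-pointer error instead of the descriptive message that used to be shown; `{{- $adminApiServiceName := (default (dict) $adminApiService).name -}}` keeps the friendly failure path. The `fail` message names `.adminApiService` while the condition only tests `.adminApiService.name`, so saying `.adminApiService.name` would match what is checked. The helper continues past the hunk, where `$adminApiService.namespace` is read with the same exposure.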
@@ -337,9 +392,7 @@ Return the admin API service name for service discovery {{- end }} {{- $namespace := $adminApiService.namespace | default ( include "kong.namespace" . ) -}} - {{- $name := $adminApiService.name -}} - {{- $_ := required ".ingressController.gatewayDiscovery.adminApiService.name has to be provided when .Values.ingressController.gatewayDiscovery.enabled is set to true" $name -}} - {{- printf "%s/%s" $namespace $name -}} + {{- printf "%s/%s" $namespace $adminApiServiceName -}} {{- else -}} {{- fail "Can't use gateway discovery when .Values.ingressController.gatewayDiscovery.enabled is set to false." -}} {{- end -}} 
@@ -1526,22 +1579,44 @@ Kubernetes Cluster-scoped resources it uses to build Kong configuration. - watch {{- end -}} -{{- define "kong.ingressVersion" -}} -{{- if (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") -}} -networking.k8s.io/v1 -{{- else if (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress") -}} -networking.k8s.io/v1beta1 -{{- else -}} -extensions/v1beta1 -{{- end -}} -{{- end -}} - {{- define "kong.autoscalingVersion" -}} -{{- if (.Capabilities.APIVersions.Has "autoscaling/v2/HorizontalPodAutoscaler") -}} +{{- if (.Capabilities.APIVersions.Has "autoscaling/v2") -}} autoscaling/v2 -{{- else if (.Capabilities.APIVersions.Has "autoscaling/v2beta2/HorizontalPodAutoscaler") -}} +{{- else if (.Capabilities.APIVersions.Has "autoscaling/v2beta2") -}} autoscaling/v2beta2 {{- else -}} autoscaling/v1 {{- end -}} {{- end -}} + +{{- define "kong.policyVersion" -}} +{{- if (.Capabilities.APIVersions.Has "policy/v1beta1" ) -}} +policy/v1beta1 +{{- else -}} +{{- fail (printf "Cluster doesn't have policy/v1beta1 API." ) }} +{{- end -}} +{{- end -}} + +{{- define "kong.renderTpl" -}} + {{- if typeIs "string" .value }} +{{- tpl .value .context }} + {{- else }} +{{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} + +{{- define "kong.ingressVersion" -}} +{{- if (.Capabilities.APIVersions.Has "networking.k8s.io/v1") -}} +networking.k8s.io/v1 +{{- else if (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1") -}} +networking.k8s.io/v1beta1 +{{- else -}} +extensions/v1beta1 +{{- end -}} +{{- end -}} +{{/* +appsec labels +*/}} +{{- define "appsec.labels" -}} +{{- end -}} + diff --git a/build_system/charts/open-appsec-kong/templates/appsec-learning-pvc.yaml b/build_system/charts/open-appsec-kong/templates/appsec-learning-pvc.yaml index 706049d..6d46c81 100644 --- a/build_system/charts/open-appsec-kong/templates/appsec-learning-pvc.yaml +++ b/build_system/charts/open-appsec-kong/templates/appsec-learning-pvc.yaml 
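Review bot: `kong.ingressVersion` is removed at the top of the hunk and re-added at the bottom with a different capability check (`networking.k8s.io/v1` instead of `networking.k8s.io/v1/Ingress`), while the Ingress helper in the earlier hunk now hard-codes `apiVersion: networking.k8s.io/v1`; if no template still calls it, the define is dead code, and if something does, the two paths can disagree on a cluster that serves the group but not the Ingress resource. The new `appsec.labels` define has an empty body; either fill it or document it as a hook, e.g. `{{/* appsec labels — intentionally empty placeholder, overridden by downstream charts */}}`. `kong.renderTpl` runs `tpl` over user-supplied label and annotation values, so a literal `{{` in an existing value will now be evaluated; the changelog entry covers this, but a one-line comment on the define would help readers of the template.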
@@ -1,3 +1,4 @@
+{{- if not (eq .Values.kind "Vanilla") -}}
 {{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.persistence.enabled true) -}}
 kind: PersistentVolumeClaim
 apiVersion: v1
@@ -18,3 +19,4 @@ spec:
 storageClassName: {{ required "A storage class for learning data is required" .Values.appsec.persistence.learning.storageClass.name }}
 {{- end -}}
 {{- end }}
+{{- end }}
diff --git a/build_system/charts/open-appsec-kong/templates/appsec-pvc.yaml b/build_system/charts/open-appsec-kong/templates/appsec-pvc.yaml
index b392c00..7966a5c 100644
--- a/build_system/charts/open-appsec-kong/templates/appsec-pvc.yaml
+++ b/build_system/charts/open-appsec-kong/templates/appsec-pvc.yaml
@@ -1,4 +1,4 @@
-{{- if (eq .Values.kind "AppSecStateful") -}}
+{{- if (and (eq .Values.kind "AppSec") .Values.appsec.persistence.enabled) }}
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
diff --git a/build_system/charts/open-appsec-kong/templates/appsec-settings-configmap.yaml b/build_system/charts/open-appsec-kong/templates/appsec-settings-configmap.yaml
new file mode 100644
index 0000000..b7c5eab
--- /dev/null
+++ b/build_system/charts/open-appsec-kong/templates/appsec-settings-configmap.yaml
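Review bot: The new condition `(and (eq .Values.kind "AppSec") .Values.appsec.persistence.enabled)` renders appsec-pvc.yaml only for kind `AppSec`, whereas the old one rendered it only for `AppSecStateful`; the values file in this commit still documents `AppSecStateful` as the stateful variant, so unless that variant now gets its storage from `volumeClaimTemplates` in appsec.yaml, a stateful install loses its claim. If both non-Vanilla kinds should get it, `(and (ne .Values.kind "Vanilla") .Values.appsec.persistence.enabled)` matches the `not (eq .Values.kind "Vanilla")` guard the learning PVC template uses in the previous hunk. Dropping the `-` from the closing `-}}` also leaves a blank first line in the rendered manifest, harmless but inconsistent with the sibling template.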
@@ -0,0 +1,32 @@ +{{- if not (eq .Values.kind "Vanilla") -}} +{{- if .Values.appsec.configMapContent }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Values.appsec.configMapName | default "appsec-settings-configmap" | quote }} +data: + {{- if .Values.appsec.configMapContent.crowdsec }} + CROWDSEC_ENABLED: {{ .Values.appsec.configMapContent.crowdsec.enabled | default "false" | quote }} + {{- if .Values.appsec.configMapContent.crowdsec.api }} + CROWDSEC_API_URL: {{ .Values.appsec.configMapContent.crowdsec.api.url | default "http://crowdsec-service:8080/v1/decisions/stream" }} + {{- else }} + CROWDSEC_API_URL: "http://crowdsec-service:8080/v1/decisions/stream" + {{- end }} + {{- if .Values.appsec.configMapContent.crowdsec.auth }} + CROWDSEC_AUTH_METHOD: {{ .Values.appsec.configMapContent.crowdsec.auth.method | default "apikey" }} + {{- else }} + CROWDSEC_AUTH_METHOD: "apikey" + {{- end }} + {{- if .Values.appsec.configMapContent.crowdsec.mode }} + CROWDSEC_MODE: {{ .Values.appsec.configMapContent.crowdsec.mode | default "prevent" }} + {{- else }} + CROWDSEC_MODE: "prevent" + {{- end }} + {{- if .Values.appsec.configMapContent.crowdsec.logging }} + CROWDSEC_LOGGING: {{ .Values.appsec.configMapContent.crowdsec.logging | default "enabled" }} + {{- else }} + CROWDSEC_LOGGING: "enabled" + {{- end }} + {{- end }} +{{- end }} +{{- end }} diff --git a/build_system/charts/open-appsec-kong/templates/appsec-settings-secret.yaml b/build_system/charts/open-appsec-kong/templates/appsec-settings-secret.yaml new file mode 100644 index 0000000..7fc1def --- /dev/null +++ b/build_system/charts/open-appsec-kong/templates/appsec-settings-secret.yaml 
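Review bot: Only `CROWDSEC_ENABLED` is passed through `quote`; `CROWDSEC_API_URL`, `CROWDSEC_AUTH_METHOD`, `CROWDSEC_MODE` and `CROWDSEC_LOGGING` are emitted as plain scalars, so a user value such as `logging: true` or `mode: off` renders as a YAML boolean and the ConfigMap is rejected because `data` values must be strings. Append `| quote` on each of those four lines (both the `if` and the `else` branches). The `if … else` pair around each key also appears to duplicate what `default` already does: inside the `if .Values.appsec.configMapContent.crowdsec` guard, `CROWDSEC_MODE: {{ .Values.appsec.configMapContent.crowdsec.mode | default "prevent" | quote }}` alone covers the missing-key case, which would halve the template.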
@@ -0,0 +1,12 @@
+{{- if not (eq .Values.kind "Vanilla") -}}
+{{ if .Values.appsec.secretContent }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.appsec.secretName | default "appsec-settings-secret" | quote }}
+data:
+ {{- if and .Values.appsec.secretContent.crowdsec .Values.appsec.secretContent.crowdsec.auth }}
+ CROWDSEC_AUTH_DATA: {{ .Values.appsec.secretContent.crowdsec.auth.data | b64enc }}
+ {{- end }}
+{{ end }}
+{{ end }}
diff --git a/build_system/charts/open-appsec-kong/templates/appsec.yaml b/build_system/charts/open-appsec-kong/templates/appsec.yaml
index a8969ac..e7c020d 100644
--- a/build_system/charts/open-appsec-kong/templates/appsec.yaml
+++ b/build_system/charts/open-appsec-kong/templates/appsec.yaml
@@ -8,7 +8,7 @@ kind: Deployment
 {{- end }}
 {{- else if eq .Values.kind "AppSecStateful" }}
 kind: StatefulSet
-{{- end }}
+{{- end }}
 metadata:
 name: {{ template "kong.fullname" . }}
 namespace: {{ template "kong.namespace" . }}
@@ -18,13 +18,13 @@ metadata:
 {{- if .Values.deploymentAnnotations }}
 annotations:
 {{- range $key, $value := .Values.deploymentAnnotations }}
- {{ $key }}: {{ $value | quote }}
+ {{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
 {{- end }}
 {{- end }}
 spec:
 {{- if not .Values.autoscaling.enabled }}
 {{- if eq .Values.kind "AppSecStateful" }}
- serviceName: "cp-appsec-stateful-set"
+ serviceName: "open-appsec-stateful-set"
 {{- end }}
 {{- if or (not .Values.deployment.daemonset) (and (eq .Values.kind "AppSecStateful") ( .Values.deployment.daemonset )) }}
 replicas: {{ .Values.replicaCount }}
@@ -58,7 +58,7 @@ spec:
 {{- end }}
 {{- if .Values.podAnnotations }}
 {{- range $key, $value := .Values.podAnnotations }}
- {{ $key }}: {{ $value | quote }}
+ {{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
 {{- end }}
 {{- end }}
 labels:
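Review bot: `CROWDSEC_AUTH_DATA` is rendered from `appsec.secretContent.crowdsec.auth.data` with no check that a real key was supplied, and the chart's own values.yaml ships the placeholder `00000000000000000000000000000000` for it, so enabling CrowdSec without overriding the value produces a Secret holding a dummy key and the problem only shows up when the agent tries to use it. Mirror the `PROVIDE-EMAIL-HERE` guard this commit adds for `user_email`: `{{- if and .Values.appsec.configMapContent .Values.appsec.configMapContent.crowdsec.enabled (eq .Values.appsec.secretContent.crowdsec.auth.data "00000000000000000000000000000000") }}{{ fail "Set appsec.secretContent.crowdsec.auth.data to your CrowdSec API key" }}{{- end }}` before the `data:` block. Minor: `{{ if` and `{{ end }}` without the `-` trim leave blank lines before `apiVersion`, unlike the sibling configmap template.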
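Review bot: Kubernetes treats `spec.serviceName` on a StatefulSet as immutable, so renaming it from `cp-appsec-stateful-set` to `open-appsec-stateful-set` means `helm upgrade` of an existing `kind: AppSecStateful` release is rejected by the API server with a field-is-immutable error until the StatefulSet is deleted and recreated. This deserves an upgrade note in the changelog (deleting with `--cascade=orphan` keeps the pods and the PVCs created from `volumeClaimTemplates`). The headless Service that must carry the new name is not in this diff, so verify it was renamed in step.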
@@ -67,7 +67,7 @@ spec: app: {{ template "kong.fullname" . }} version: {{ .Chart.AppVersion | quote }} {{- if .Values.podLabels }} - {{ toYaml .Values.podLabels | nindent 8 }} + {{ include "kong.renderTpl" (dict "value" .Values.podLabels "context" $) | nindent 8 }} {{- end }} spec: {{- if .Values.deployment.hostNetwork }} @@ -90,6 +90,7 @@ spec: - name: {{ . }} {{- end }} {{- end }} + {{- if .Values.deployment.kong.enabled }} initContainers: - name: clear-stale-pid image: {{ include "kong.getRepoTag" .Values.image }} @@ -112,6 +113,7 @@ spec: {{- if (and (not (eq .Values.env.database "off")) .Values.waitImage.enabled) }} {{- include "kong.wait-for-db" . | nindent 6 }} {{- end }} + {{- end }} {{- if .Values.deployment.hostAliases }} hostAliases: {{- toYaml .Values.deployment.hostAliases | nindent 6 }} @@ -137,6 +139,10 @@ spec: successThreshold: 1 securityContext: {{ toYaml .Values.appsec.securityContext | nindent 12 }} + {{- $tag := .Values.appsec.image.tag }} + {{- if .Values.appsec.configMapContent.crowdsec.enabled }} + {{- $tag = "crowdsec-1.2314-rc1" }} + {{- end }} {{- with .Values.appsec.image }} image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}" {{- end }} @@ -162,6 +168,15 @@ spec: {{- end }} imagePullPolicy: {{ .Values.appsec.image.pullPolicy }} env: + - name: registered_server + value: "Kong Server" + {{- if .Values.appsec.userEmail }} + {{- if eq .Values.appsec.userEmail "PROVIDE-EMAIL-HERE" }} + {{- fail "Please replace PROVIDE-EMAIL-HERE with an email address" }} + {{- end }} + - name: user_email + value: {{ .Values.appsec.userEmail }} + {{- end }} {{- if eq .Values.appsec.playground false }} - name: SHARED_STORAGE_HOST value: {{ .Values.appsec.storage.name }}-svc 
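Review bot: The `$tag` override is dead code — after `{{- $tag = "crowdsec-1.2314-rc1" }}` the image line inside `with .Values.appsec.image` still renders `{{ .tag }}`, i.e. the value from values.yaml, so enabling CrowdSec never actually selects the CrowdSec-capable agent image. Use the variable in the image string: `{{ .image }}{{- if $tag }}:{{ $tag }}{{- end }}`. Two further points: `.Values.appsec.configMapContent.crowdsec.enabled` is dereferenced unconditionally here, so a user who drops `configMapContent` (which the configmap template tolerates) gets a nil-pointer render error, and silently replacing an operator's pinned tag with a hard-coded release candidate is a supply-chain surprise — expose the CrowdSec tag as a documented value (e.g. `appsec.image.crowdsecTag`) with this string as its default. The container spec continues outside the hunk.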
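Review bot: `value: {{ .Values.appsec.userEmail }}` is emitted unquoted, unlike every other `value:` in this env list; an address is harmless today, but an unquoted scalar containing `: ` or ` #` would break the rendered manifest. Write `value: {{ .Values.appsec.userEmail | quote }}`. The `fail` on the `PROVIDE-EMAIL-HERE` placeholder is the right pattern and is worth a one-line comment saying so, e.g. `{{/* refuse to install with the sample value from values.yaml */}}`.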
@@ -171,17 +186,22 @@ spec: - name: PLAYGROUND value: "true" {{- end }} + envFrom: + - configMapRef: + name: {{ .Values.appsec.configMapName | default "appsec-settings-configmap" }} + - secretRef: + name: {{ .Values.appsec.secretName | default "appsec-settings-secret" }} resources: {{ toYaml .Values.resources | nindent 12 }} - {{- if eq .Values.kind "AppSecStateful" }} volumeMounts: - name: advanced-model mountPath: /advanced-model + {{- if (eq .Values.appsec.persistence.enabled true) }} - name: appsec-conf mountPath: /etc/cp/conf - name: appsec-data mountPath: /etc/cp/data - {{- end }} + {{- end }} {{- if .Values.ingressController.enabled }} {{- include "kong.controller-container" . | nindent 6 }} {{ end }} @@ -190,6 +210,10 @@ spec: {{- end }} {{- if .Values.deployment.kong.enabled }} - name: "proxy" + {{- $tag := .Values.appsec.kong.image.tag }} + {{- if .Values.appsec.configMapContent.crowdsec.enabled }} + {{- $tag = "1.2303.1-rc1-v1.3.0" }} + {{- end }} {{- with .Values.appsec.kong.image }} image: "{{ .repository }}:{{ .tag }}" {{- end }} @@ -338,6 +362,10 @@ spec: {{ toYaml .Values.readinessProbe | indent 10 }} livenessProbe: {{ toYaml .Values.livenessProbe | indent 10 }} + {{- if .Values.startupProbe }} + startupProbe: +{{ toYaml .Values.startupProbe | indent 10 }} + {{- end }} resources: {{ toYaml .Values.resources | indent 10 }} {{- end }} {{/* End of Kong container spec */}} 
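Review bot: The new `envFrom` block references `appsec-settings-configmap` and `appsec-settings-secret` unconditionally, but both objects are only rendered when `appsec.configMapContent` / `appsec.secretContent` are set, and values.yaml explicitly invites users to delete `secretContent` to bring their own Secret. A user who does that without creating a Secret of exactly that name gets pods stuck in `CreateContainerConfigError`. Since the Secret only carries `CROWDSEC_AUTH_DATA`, render the `secretRef` only when CrowdSec is enabled — wrap it in `{{- if and .Values.appsec.configMapContent .Values.appsec.configMapContent.crowdsec.enabled }}` — rather than marking it `optional: true`, which would let the agent start without a key and hide the misconfiguration; either way the comment in values.yaml should name the required key. The container spec continues outside the hunk.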
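Review bot: Same dead-variable issue as the agent container: `$tag` is set to `1.2303.1-rc1-v1.3.0` when CrowdSec is enabled, but the image line renders `{{ .repository }}:{{ .tag }}` from `with .Values.appsec.kong.image`, so the override has no effect. Change it to `image: "{{ .repository }}:{{ $tag }}"`. As with the agent image, a hard-coded rc tag inside the template overrides whatever the operator pinned and is invisible from values.yaml; prefer a documented value with this string as its default.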
@@ -365,6 +393,14 @@ spec: configMap: name: advanced-model-config optional: true + {{- if (and (eq .Values.kind "AppSec") .Values.appsec.persistence.enabled) }} + - name: appsec-conf + persistentVolumeClaim: + claimName: {{ .Values.appsec.name }}-conf + - name: appsec-data + persistentVolumeClaim: + claimName: {{ .Values.appsec.name }}-data + {{- end }} {{- include "kong.volumes" . | nindent 8 -}} {{- include "kong.userDefinedVolumes" . | nindent 8 -}} {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }} @@ -400,9 +436,9 @@ spec: path: ca.crt - key: namespace path: namespace - {{- end -}} + {{- end }} {{- end }} - {{- if eq .Values.kind "AppSecStateful" }} + {{- if (and (eq .Values.kind "AppSecStateful") .Values.appsec.persistence.enabled) }} volumeClaimTemplates: - metadata: name: appsec-conf diff --git a/build_system/charts/open-appsec-kong/templates/deployment.yaml b/build_system/charts/open-appsec-kong/templates/deployment.yaml index 88f2bf0..f10536c 100644 --- a/build_system/charts/open-appsec-kong/templates/deployment.yaml +++ b/build_system/charts/open-appsec-kong/templates/deployment.yaml @@ -14,7 +14,7 @@ metadata: {{- if .Values.deploymentAnnotations }} annotations: {{- range $key, $value := .Values.deploymentAnnotations }} - {{ $key }}: {{ $value | quote }} + {{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }} {{- end }} {{- end }} spec: @@ -51,7 +51,7 @@ spec: {{- end }} {{- if .Values.podAnnotations }} {{- range $key, $value := .Values.podAnnotations }} - {{ $key }}: {{ $value | quote }} + {{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }} {{- end }} {{- end }} labels: 
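Review bot: For `kind: AppSec` the claims `{{ .Values.appsec.name }}-conf` and `-data` are now attached to a Deployment, and the same template renders `replicas: {{ .Values.replicaCount }}` and an `autoscaling.enabled` path, so every replica mounts the same two PVCs at `/etc/cp/conf` and `/etc/cp/data`. Unless the PVCs in appsec-pvc.yaml request `ReadWriteMany` (their access mode is not in this diff) a second replica will fail to attach, and even with RWX several agents would write to the same paths concurrently, which is presumably not intended. Either `fail` when persistence is enabled with `kind: AppSec` and `replicaCount` greater than 1 or autoscaling on, or document that persistence for the Deployment form is single-replica only. The volumes list continues outside the hunk.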
@@ -60,7 +60,7 @@ spec: app: {{ template "kong.fullname" . }} version: {{ .Chart.AppVersion | quote }} {{- if .Values.podLabels }} - {{ toYaml .Values.podLabels | nindent 8 }} + {{ include "kong.renderTpl" (dict "value" .Values.podLabels "context" $) | nindent 8 }} {{- end }} spec: {{- if .Values.deployment.hostNetwork }} diff --git a/build_system/charts/open-appsec-kong/templates/ingress-class.yaml b/build_system/charts/open-appsec-kong/templates/ingress-class.yaml index a5ba15f..d2ac47d 100644 --- a/build_system/charts/open-appsec-kong/templates/ingress-class.yaml +++ b/build_system/charts/open-appsec-kong/templates/ingress-class.yaml @@ -1,6 +1,6 @@ {{/* Default to not managing if unsupported or created outside this chart */}} {{- $includeIngressClass := false -}} -{{- if (and .Values.ingressController.enabled (not (eq (include "kong.ingressVersion" .) "extensions/v1beta1"))) -}} +{{- if .Values.ingressController.enabled -}} {{- if (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") -}} {{- with (lookup "networking.k8s.io/v1" "IngressClass" "" .Values.ingressController.ingressClass) -}} {{- if (hasKey .metadata "annotations") -}} diff --git a/build_system/charts/open-appsec-kong/templates/learning-deployment.yaml b/build_system/charts/open-appsec-kong/templates/learning-deployment.yaml index a4828e4..36ee246 100644 --- a/build_system/charts/open-appsec-kong/templates/learning-deployment.yaml +++ b/build_system/charts/open-appsec-kong/templates/learning-deployment.yaml @@ -1,3 +1,4 @@ +{{- if not (eq .Values.kind "Vanilla") -}} {{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.playground false) }} apiVersion: apps/v1 kind: Deployment @@ -139,3 +140,4 @@ spec: claimName: {{ .Values.appsec.name }}-storage {{- end }} {{- end }} +{{- end }} diff --git a/build_system/charts/open-appsec-kong/templates/learning-services.yaml b/build_system/charts/open-appsec-kong/templates/learning-services.yaml index 0b6aef0..9da3117 100644 
--- a/build_system/charts/open-appsec-kong/templates/learning-services.yaml +++ b/build_system/charts/open-appsec-kong/templates/learning-services.yaml @@ -1,3 +1,4 @@ +{{- if not (eq .Values.kind "Vanilla") -}} {{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.playground false) }} apiVersion: v1 kind: Service @@ -31,3 +32,4 @@ spec: selector: app: {{ .Values.appsec.storage.name }}-lbl {{- end }} +{{- end }} diff --git a/build_system/charts/open-appsec-kong/templates/psp.yaml b/build_system/charts/open-appsec-kong/templates/psp.yaml index eb5626a..bc98447 100644 --- a/build_system/charts/open-appsec-kong/templates/psp.yaml +++ b/build_system/charts/open-appsec-kong/templates/psp.yaml @@ -1,5 +1,5 @@ -{{- if and (.Values.podSecurityPolicy.enabled) (.Capabilities.APIVersions.Has "policy/v1beta1") }} -apiVersion: policy/v1beta1 +{{- if and (.Values.podSecurityPolicy.enabled) }} +apiVersion: {{ include "kong.policyVersion" . }} kind: PodSecurityPolicy metadata: name: {{ template "kong.serviceAccountName" . }}-psp diff --git a/build_system/charts/open-appsec-kong/templates/service-kong-proxy.yaml b/build_system/charts/open-appsec-kong/templates/service-kong-proxy.yaml index a592ddc..58a255e 100644 --- a/build_system/charts/open-appsec-kong/templates/service-kong-proxy.yaml +++ b/build_system/charts/open-appsec-kong/templates/service-kong-proxy.yaml @@ -2,7 +2,6 @@ {{- if and .Values.proxy.enabled (or .Values.proxy.http.enabled .Values.proxy.tls.enabled) -}} {{- $serviceConfig := dict -}} {{- $serviceConfig := merge $serviceConfig .Values.proxy -}} -{{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}} {{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}} {{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}} {{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}} 
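Review bot: `and (.Values.podSecurityPolicy.enabled)` has a single operand, so the old `.Capabilities.APIVersions.Has "policy/v1beta1"` guard is simply gone and the manifest now rests entirely on `kong.policyVersion`, which is not in this diff. PodSecurityPolicy only ever existed in `policy/v1beta1` and was removed in Kubernetes 1.25, so on a current cluster this renders a resource the API server rejects regardless of what the helper returns. Restore the capability check and the fixed apiVersion — `{{- if and .Values.podSecurityPolicy.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}` and `apiVersion: policy/v1beta1` — and note in the README that `podSecurityPolicy.enabled` is a no-op on 1.25+, where Pod Security Admission labels should be used instead.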
diff --git a/build_system/charts/open-appsec-kong/values.yaml b/build_system/charts/open-appsec-kong/values.yaml index 2abe28d..0cb8fc1 100644 --- a/build_system/charts/open-appsec-kong/values.yaml +++ b/build_system/charts/open-appsec-kong/values.yaml @@ -121,10 +121,10 @@ extraLabels: {} # Specify Kong's Docker image and repository details here image: repository: kong - tag: "3.2" + tag: "3.3" # Kong Enterprise # repository: kong/kong-gateway - # tag: "3.2" + # tag: "3.3" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -334,16 +334,46 @@ proxy: # Enable/disable exposure using ingress. enabled: false ingressClassName: - # Ingress hostname - # TLS secret name. - # tls: kong-proxy.example.com-tls - hostname: - # Map of ingress annotations. + # To specify annotations or labels for the ingress, add them to the respective + # "annotations" or "labels" dictionaries below. annotations: {} - # Ingress path. + labels: {} + # Ingress hostname + hostname: + # Ingress path (when used with hostname above). path: / - # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix) + # Each path in an Ingress is required to have a corresponding path type (when used with hostname above). (ImplementationSpecific/Exact/Prefix) pathType: ImplementationSpecific + # Ingress hosts. Use this instead of or in combination with hostname to specify multiple ingress host configurations + hosts: [] + # - host: kong-proxy.example.com + # paths: + # # Ingress path. + # - path: /* + # # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix) + # pathType: ImplementationSpecific + # - host: kong-proxy-other.example.com + # paths: + # # Ingress path. + # - path: /other + # # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix) + # pathType: ImplementationSpecific + # backend: + # service: + # name: kong-other-proxy + # port: + # number: 80 + # + # TLS secret(s) + # tls: kong-proxy.example.com-tls + # Or if multiple hosts/secrets needs to be configured: + # tls: + # - secretName: kong-proxy.example.com-tls + # hosts: + # - kong-proxy.example.com + # - secretName: kong-proxy-other.example.com-tls + # hosts: + # - kong-proxy-other.example.com # Optionally specify a static load balancer IP. # loadBalancerIP: 
@@ -484,7 +514,7 @@ ingressController: enabled: true image: repository: kong/kubernetes-ingress-controller - tag: "2.9" + tag: "2.10" # Optionally set a semantic version for version-gated features. This can normally # be left unset. You only need to set this if your tag is not a semver string, # such as when you are using a "next" tag. Set this to the effective semantic @@ -495,6 +525,7 @@ ingressController: gatewayDiscovery: enabled: false + generateAdminApiService: false adminApiService: namespace: "" name: "" @@ -661,7 +692,7 @@ postgresql: image: # use postgres < 14 until is https://github.com/Kong/kong/issues/8533 resolved and released # enterprise (kong-gateway) supports postgres 14 - tag: 13.6.0-debian-10-r52 + tag: 13.11.0-debian-11-r20 service: ports: postgresql: "5432" @@ -1200,7 +1231,7 @@ appsec: repository: ghcr.io/openappsec image: agent tag: latest - pullPolicy: IfNotPresent + pullPolicy: Always securityContext: {} @@ -1214,6 +1245,22 @@ appsec: image: repository: "ghcr.io/openappsec/kong-gateway-attachment" tag: "latest" + configMapName: appsec-settings-configmap + configMapContent: + crowdsec: + enabled: false + mode: prevent + logging: enabled + api: + url: http://crowdsec-service:8080/v1/decisions/stream + auth: + method: apikey + secretName: appsec-settings-secret + # If you would like to use your own secret with CrowdSec authentication data, please remove the following block + secretContent: + crowdsec: + auth: + data: "00000000000000000000000000000000" resources: # limits: # cpu: 100m
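Review bot: `pullPolicy: Always` combined with the unchanged `tag: latest` for `ghcr.io/openappsec/agent` means every pod start pulls whatever currently sits behind the floating tag, so the in-line security agent can change version and contents on any restart or scale-up without any change to the release. The image string in appsec.yaml already honours a `digest` field; pin a versioned tag plus `digest` here (a digest is the only form that survives a retagged image at the registry), or keep `IfNotPresent` and add a comment that `latest` with `Always` is a development convenience, e.g. `# pullPolicy: Always with tag: latest re-pulls the agent on every restart; pin tag+digest for production`.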
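Review bot: values.yaml now ships a concrete credential placeholder, `secretContent.crowdsec.auth.data: "00000000000000000000000000000000"`, which the secret template base64-encodes into a Kubernetes Secret on every install, even with `crowdsec.enabled: false`. Default it to `""` and have the secret template `fail` when CrowdSec is enabled and the value is empty, so a forgotten override is caught at `helm install` instead of surfacing as a CrowdSec integration that never authenticates. The comment above the block should also state that a user-supplied Secret must be named `secretName` and carry a `CROWDSEC_AUTH_DATA` key, because the deployment's `envFrom` references it unconditionally, and `mode: prevent` / `logging: enabled` should list their accepted values since nothing in the templates validates them.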