Update charts

noam
2023-07-24 17:24:40 +03:00
parent 08583fdb4c
commit edd357f297
53 changed files with 707 additions and 251 deletions


@@ -32,7 +32,7 @@ app.kubernetes.io/instance: "{{ .Release.Name }}"
app.kubernetes.io/managed-by: "{{ .Release.Service }}"
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- range $key, $value := .Values.extraLabels }}
{{ $key }}: {{ $value | quote }}
{{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
{{- end }}
{{- end -}}
@@ -78,13 +78,16 @@ Create Ingress resource for a Kong service
{{- $path := .ingress.path -}}
{{- $hostname := .ingress.hostname -}}
{{- $pathType := .ingress.pathType -}}
apiVersion: {{ .ingressVersion }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ .fullName }}-{{ .serviceName }}
namespace: {{ .namespace }}
labels:
{{- .metaLabels | nindent 4 }}
{{- range $key, $value := .ingress.labels }}
{{- $key | nindent 4 }}: {{ $value | quote }}
{{- end }}
{{- if .ingress.annotations }}
annotations:
{{- range $key, $value := .ingress.annotations }}
@@ -92,33 +95,74 @@ metadata:
{{- end }}
{{- end }}
spec:
{{- if (and (not (eq .ingressVersion "extensions/v1beta1")) .ingress.ingressClassName) }}
{{- if .ingress.ingressClassName }}
ingressClassName: {{ .ingress.ingressClassName }}
{{- end }}
rules:
- host: {{ $hostname | quote }}
http:
{{- if ( not (or $hostname .ingress.hosts)) }}
- http:
paths:
- backend:
{{- if (not (eq .ingressVersion "networking.k8s.io/v1")) }}
serviceName: {{ .fullName }}-{{ .serviceName }}
servicePort: {{ $servicePort }}
{{- else }}
service:
name: {{ .fullName }}-{{ .serviceName }}
port:
number: {{ $servicePort }}
{{- end }}
path: {{ $path }}
{{- if (not (eq .ingressVersion "extensions/v1beta1")) }}
pathType: {{ $pathType }}
{{- else if $hostname }}
- host: {{ $hostname | quote }}
http:
paths:
- backend:
service:
name: {{ .fullName }}-{{ .serviceName }}
port:
number: {{ $servicePort }}
path: {{ $path }}
pathType: {{ $pathType }}
{{- end }}
{{- range .ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- backend:
{{- if .backend -}}
{{ .backend | toYaml | nindent 12 }}
{{- else }}
service:
name: {{ $.fullName }}-{{ $.serviceName }}
port:
number: {{ $servicePort }}
{{- end }}
{{- if (and $hostname (and (eq $path .path))) }}
{{- fail "duplication of specified ingress path" }}
{{- end }}
path: {{ .path }}
pathType: {{ .pathType }}
{{- end }}
{{- end }}
{{- if (hasKey .ingress "tls") }}
tls:
- hosts:
- {{ $hostname | quote }}
secretName: {{ .ingress.tls }}
{{- end -}}
{{- if (kindIs "string" .ingress.tls) }}
- hosts:
{{- range .ingress.hosts }}
- {{ .host | quote }}
{{- end }}
{{- if $hostname }}
- {{ $hostname | quote }}
{{- end }}
secretName: {{ .ingress.tls }}
{{- else if (kindIs "slice" .ingress.tls) }}
{{- range .ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
@@ -326,7 +370,18 @@ Return the admin API service name for service discovery
{{- $gatewayDiscovery := .Values.ingressController.gatewayDiscovery -}}
{{- if $gatewayDiscovery.enabled -}}
{{- $adminApiService := $gatewayDiscovery.adminApiService -}}
{{- $_ := required ".ingressController.gatewayDiscovery.adminApiService has to be provided when .Values.ingressController.gatewayDiscovery.enabled is set to true" $adminApiService -}}
{{- $adminApiServiceName := $gatewayDiscovery.adminApiService.name -}}
{{- $generateAdminApiService := $gatewayDiscovery.generateAdminApiService -}}
{{- if and $generateAdminApiService $adminApiService.name -}}
{{- fail (printf ".Values.ingressController.gatewayDiscovery.adminApiService and .Values.ingressController.gatewayDiscovery.generateAdminApiService must not be provided at the same time") -}}
{{- end -}}
{{- if $generateAdminApiService -}}
{{- $adminApiServiceName = (printf "%s-%s" .Release.Name "gateway-admin") -}}
{{- else }}
{{- $_ := required ".ingressController.gatewayDiscovery.adminApiService.name has to be provided when .Values.ingressController.gatewayDiscovery.enabled is set to true" $adminApiServiceName -}}
{{- end }}
{{- if (semverCompare "< 2.9.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
{{- fail (printf "Gateway discovery is available in controller versions 2.9 and up. Detected %s" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
@@ -337,9 +392,7 @@ Return the admin API service name for service discovery
{{- end }}
{{- $namespace := $adminApiService.namespace | default ( include "kong.namespace" . ) -}}
{{- $name := $adminApiService.name -}}
{{- $_ := required ".ingressController.gatewayDiscovery.adminApiService.name has to be provided when .Values.ingressController.gatewayDiscovery.enabled is set to true" $name -}}
{{- printf "%s/%s" $namespace $name -}}
{{- printf "%s/%s" $namespace $adminApiServiceName -}}
{{- else -}}
{{- fail "Can't use gateway discovery when .Values.ingressController.gatewayDiscovery.enabled is set to false." -}}
{{- end -}}
@@ -1526,22 +1579,44 @@ Kubernetes Cluster-scoped resources it uses to build Kong configuration.
- watch
{{- end -}}
{{- define "kong.ingressVersion" -}}
{{- if (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") -}}
networking.k8s.io/v1
{{- else if (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress") -}}
networking.k8s.io/v1beta1
{{- else -}}
extensions/v1beta1
{{- end -}}
{{- end -}}
{{- define "kong.autoscalingVersion" -}}
{{- if (.Capabilities.APIVersions.Has "autoscaling/v2/HorizontalPodAutoscaler") -}}
{{- if (.Capabilities.APIVersions.Has "autoscaling/v2") -}}
autoscaling/v2
{{- else if (.Capabilities.APIVersions.Has "autoscaling/v2beta2/HorizontalPodAutoscaler") -}}
{{- else if (.Capabilities.APIVersions.Has "autoscaling/v2beta2") -}}
autoscaling/v2beta2
{{- else -}}
autoscaling/v1
{{- end -}}
{{- end -}}
{{- define "kong.policyVersion" -}}
{{- if (.Capabilities.APIVersions.Has "policy/v1beta1" ) -}}
policy/v1beta1
{{- else -}}
{{- fail (printf "Cluster doesn't have policy/v1beta1 API." ) }}
{{- end -}}
{{- end -}}
{{- define "kong.renderTpl" -}}
{{- if typeIs "string" .value }}
{{- tpl .value .context }}
{{- else }}
{{- tpl (.value | toYaml) .context }}
{{- end }}
{{- end -}}
{{- define "kong.ingressVersion" -}}
{{- if (.Capabilities.APIVersions.Has "networking.k8s.io/v1") -}}
networking.k8s.io/v1
{{- else if (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1") -}}
networking.k8s.io/v1beta1
{{- else -}}
extensions/v1beta1
{{- end -}}
{{- end -}}
{{/*
appsec labels
*/}}
{{- define "appsec.labels" -}}
{{- end -}}
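Review bot: the new `kong.renderTpl` define has no `{{/* ... */}}` header like the surrounding helpers, and its contract deserves one because it changes what callers accept: every `extraLabels`, `deploymentAnnotations`, `podAnnotations` and `podLabels` value is now evaluated with `tpl`, so a value containing a literal `{{` that previously rendered verbatim is now executed as a template (including `lookup` calls against the cluster) and can break rendering. A nil value also shifts: `typeIs "string"` is false, `toYaml` yields `null`, and the caller's `| quote` then emits the string `"null"` where the old `$value | quote` produced an empty value. Suggested header: `{{/* Render a values entry with tpl. Strings are rendered as-is; maps/lists are marshalled with toYaml first. Used for extraLabels and the deployment/pod annotations and labels. */}}`, plus either a `{{- if .value }}` guard or a sentence documenting the nil case. The same caller change appears in the two deployment templates further down in this commit. Separately, the `fail` in `kong.policyVersion` would be more actionable if it said that `policy/v1beta1` (the only API serving PodSecurityPolicy) is absent from Kubernetes 1.25 and later.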


@@ -1,3 +1,4 @@
{{- if not (eq .Values.kind "Vanilla") -}}
{{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.persistence.enabled true) -}}
kind: PersistentVolumeClaim
apiVersion: v1
@@ -18,3 +19,4 @@ spec:
storageClassName: {{ required "A storage class for learning data is required" .Values.appsec.persistence.learning.storageClass.name }}
{{- end -}}
{{- end }}
{{- end }}


@@ -1,4 +1,4 @@
{{- if (eq .Values.kind "AppSecStateful") -}}
{{- if (and (eq .Values.kind "AppSec") .Values.appsec.persistence.enabled) }}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:


@@ -0,0 +1,32 @@
{{- if not (eq .Values.kind "Vanilla") -}}
{{- if .Values.appsec.configMapContent }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Values.appsec.configMapName | default "appsec-settings-configmap" | quote }}
data:
{{- if .Values.appsec.configMapContent.crowdsec }}
CROWDSEC_ENABLED: {{ .Values.appsec.configMapContent.crowdsec.enabled | default "false" | quote }}
{{- if .Values.appsec.configMapContent.crowdsec.api }}
CROWDSEC_API_URL: {{ .Values.appsec.configMapContent.crowdsec.api.url | default "http://crowdsec-service:8080/v1/decisions/stream" }}
{{- else }}
CROWDSEC_API_URL: "http://crowdsec-service:8080/v1/decisions/stream"
{{- end }}
{{- if .Values.appsec.configMapContent.crowdsec.auth }}
CROWDSEC_AUTH_METHOD: {{ .Values.appsec.configMapContent.crowdsec.auth.method | default "apikey" }}
{{- else }}
CROWDSEC_AUTH_METHOD: "apikey"
{{- end }}
{{- if .Values.appsec.configMapContent.crowdsec.mode }}
CROWDSEC_MODE: {{ .Values.appsec.configMapContent.crowdsec.mode | default "prevent" }}
{{- else }}
CROWDSEC_MODE: "prevent"
{{- end }}
{{- if .Values.appsec.configMapContent.crowdsec.logging }}
CROWDSEC_LOGGING: {{ .Values.appsec.configMapContent.crowdsec.logging | default "enabled" }}
{{- else }}
CROWDSEC_LOGGING: "enabled"
{{- end }}
{{- end }}
{{- end }}
{{- end }}
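Review bot: `CROWDSEC_API_URL`, `CROWDSEC_AUTH_METHOD`, `CROWDSEC_MODE` and `CROWDSEC_LOGGING` are emitted unquoted while `CROWDSEC_ENABLED` gets `| quote`; ConfigMap `data` values must be strings, so a values entry such as `logging: true`, or any string containing `: ` or ` #`, renders YAML the API server rejects or misparses. Apply `| quote` uniformly, e.g. `CROWDSEC_LOGGING: {{ .Values.appsec.configMapContent.crowdsec.logging | default "enabled" | quote }}`. For the scalar keys `CROWDSEC_MODE` and `CROWDSEC_LOGGING` the surrounding `{{- if }}`/`{{- else }}` duplicates what `default` already does and can collapse to the single line (the `if` around `.api` and `.auth` is still needed, since `.api.url` on an unset map fails at render time). The ConfigMap also sets no `metadata.namespace`, unlike the deployment template's `{{ template "kong.namespace" . }}`; worth confirming that is intended.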


@@ -0,0 +1,12 @@
{{- if not (eq .Values.kind "Vanilla") -}}
{{ if .Values.appsec.secretContent }}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.appsec.secretName | default "appsec-settings-secret" | quote }}
data:
{{- if and .Values.appsec.secretContent.crowdsec .Values.appsec.secretContent.crowdsec.auth }}
CROWDSEC_AUTH_DATA: {{ .Values.appsec.secretContent.crowdsec.auth.data | b64enc }}
{{- end }}
{{ end }}
{{ end }}
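Review bot: the `{{ if`/`{{ end }}` actions on the second and last two lines carry no `-` trim markers while the first line does, so the rendered document gains stray blank lines; harmless, but `{{- if .Values.appsec.secretContent }}` and `{{- end }}` keep the output consistent with the other templates in this commit. The Secret also sets no `type:`; the API defaults it to `Opaque`, but stating it makes the manifest self-describing.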


@@ -8,7 +8,7 @@ kind: Deployment
{{- end }}
{{- else if eq .Values.kind "AppSecStateful" }}
kind: StatefulSet
{{- end }}
{{- end }}
metadata:
name: {{ template "kong.fullname" . }}
namespace: {{ template "kong.namespace" . }}
@@ -18,13 +18,13 @@ metadata:
{{- if .Values.deploymentAnnotations }}
annotations:
{{- range $key, $value := .Values.deploymentAnnotations }}
{{ $key }}: {{ $value | quote }}
{{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
{{- end }}
{{- end }}
spec:
{{- if not .Values.autoscaling.enabled }}
{{- if eq .Values.kind "AppSecStateful" }}
serviceName: "cp-appsec-stateful-set"
serviceName: "open-appsec-stateful-set"
{{- end }}
{{- if or (not .Values.deployment.daemonset) (and (eq .Values.kind "AppSecStateful") ( .Values.deployment.daemonset )) }}
replicas: {{ .Values.replicaCount }}
@@ -58,7 +58,7 @@ spec:
{{- end }}
{{- if .Values.podAnnotations }}
{{- range $key, $value := .Values.podAnnotations }}
{{ $key }}: {{ $value | quote }}
{{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
{{- end }}
{{- end }}
labels:
@@ -67,7 +67,7 @@ spec:
app: {{ template "kong.fullname" . }}
version: {{ .Chart.AppVersion | quote }}
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | nindent 8 }}
{{ include "kong.renderTpl" (dict "value" .Values.podLabels "context" $) | nindent 8 }}
{{- end }}
spec:
{{- if .Values.deployment.hostNetwork }}
@@ -90,6 +90,7 @@ spec:
- name: {{ . }}
{{- end }}
{{- end }}
{{- if .Values.deployment.kong.enabled }}
initContainers:
- name: clear-stale-pid
image: {{ include "kong.getRepoTag" .Values.image }}
@@ -112,6 +113,7 @@ spec:
{{- if (and (not (eq .Values.env.database "off")) .Values.waitImage.enabled) }}
{{- include "kong.wait-for-db" . | nindent 6 }}
{{- end }}
{{- end }}
{{- if .Values.deployment.hostAliases }}
hostAliases:
{{- toYaml .Values.deployment.hostAliases | nindent 6 }}
@@ -137,6 +139,10 @@ spec:
successThreshold: 1
securityContext:
{{ toYaml .Values.appsec.securityContext | nindent 12 }}
{{- $tag := .Values.appsec.image.tag }}
{{- if .Values.appsec.configMapContent.crowdsec.enabled }}
{{- $tag = "crowdsec-1.2314-rc1" }}
{{- end }}
{{- with .Values.appsec.image }}
image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}"
{{- end }}
@@ -162,6 +168,15 @@ spec:
{{- end }}
imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
env:
- name: registered_server
value: "Kong Server"
{{- if .Values.appsec.userEmail }}
{{- if eq .Values.appsec.userEmail "PROVIDE-EMAIL-HERE" }}
{{- fail "Please replace PROVIDE-EMAIL-HERE with an email address" }}
{{- end }}
- name: user_email
value: {{ .Values.appsec.userEmail }}
{{- end }}
{{- if eq .Values.appsec.playground false }}
- name: SHARED_STORAGE_HOST
value: {{ .Values.appsec.storage.name }}-svc
@@ -171,17 +186,22 @@ spec:
- name: PLAYGROUND
value: "true"
{{- end }}
envFrom:
- configMapRef:
name: {{ .Values.appsec.configMapName | default "appsec-settings-configmap" }}
- secretRef:
name: {{ .Values.appsec.secretName | default "appsec-settings-secret" }}
resources:
{{ toYaml .Values.resources | nindent 12 }}
{{- if eq .Values.kind "AppSecStateful" }}
volumeMounts:
- name: advanced-model
mountPath: /advanced-model
{{- if (eq .Values.appsec.persistence.enabled true) }}
- name: appsec-conf
mountPath: /etc/cp/conf
- name: appsec-data
mountPath: /etc/cp/data
{{- end }}
{{- end }}
{{- if .Values.ingressController.enabled }}
{{- include "kong.controller-container" . | nindent 6 }}
{{ end }}
@@ -190,6 +210,10 @@ spec:
{{- end }}
{{- if .Values.deployment.kong.enabled }}
- name: "proxy"
{{- $tag := .Values.appsec.kong.image.tag }}
{{- if .Values.appsec.configMapContent.crowdsec.enabled }}
{{- $tag = "1.2303.1-rc1-v1.3.0" }}
{{- end }}
{{- with .Values.appsec.kong.image }}
image: "{{ .repository }}:{{ .tag }}"
{{- end }}
@@ -338,6 +362,10 @@ spec:
{{ toYaml .Values.readinessProbe | indent 10 }}
livenessProbe:
{{ toYaml .Values.livenessProbe | indent 10 }}
{{- if .Values.startupProbe }}
startupProbe:
{{ toYaml .Values.startupProbe | indent 10 }}
{{- end }}
resources:
{{ toYaml .Values.resources | indent 10 }}
{{- end }} {{/* End of Kong container spec */}}
@@ -365,6 +393,14 @@ spec:
configMap:
name: advanced-model-config
optional: true
{{- if (and (eq .Values.kind "AppSec") .Values.appsec.persistence.enabled) }}
- name: appsec-conf
persistentVolumeClaim:
claimName: {{ .Values.appsec.name }}-conf
- name: appsec-data
persistentVolumeClaim:
claimName: {{ .Values.appsec.name }}-data
{{- end }}
{{- include "kong.volumes" . | nindent 8 -}}
{{- include "kong.userDefinedVolumes" . | nindent 8 -}}
{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
@@ -400,9 +436,9 @@ spec:
path: ca.crt
- key: namespace
path: namespace
{{- end -}}
{{- end }}
{{- end }}
{{- if eq .Values.kind "AppSecStateful" }}
{{- if (and (eq .Values.kind "AppSecStateful") .Values.appsec.persistence.enabled) }}
volumeClaimTemplates:
- metadata:
name: appsec-conf
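Review bot: in both container hunks the `$tag` computed for the crowdsec case is never used — the image line right below still reads `.tag` from the `with .Values.appsec.image` / `with .Values.appsec.kong.image` scope, so enabling crowdsec does not change the image; either the image line should use `$tag` (`{{- if $tag }}:{{ $tag }}{{- end }}`) or the four assignment lines are dead code. If the override is intended, the hard-coded `crowdsec-1.2314-rc1` and `1.2303.1-rc1-v1.3.0` tags silently replace whatever the user pinned (including a digest) and deserve a `{{/* ... */}}` comment or a values entry rather than literals. Those same lines dereference `.Values.appsec.configMapContent.crowdsec.enabled` without a guard, while the ConfigMap template treats `configMapContent` as optional, so an unset value fails at render time with a nil-pointer error unless values.yaml always defines both keys. The new `envFrom` block references the ConfigMap and Secret unconditionally although both are rendered only when `configMapContent` / `secretContent` are set; add `optional: true` under each ref, or wrap them in the matching `{{- if }}`, so a release without those values does not leave pods in CreateContainerConfigError. The container specs continue outside these hunks.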


@@ -14,7 +14,7 @@ metadata:
{{- if .Values.deploymentAnnotations }}
annotations:
{{- range $key, $value := .Values.deploymentAnnotations }}
{{ $key }}: {{ $value | quote }}
{{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
{{- end }}
{{- end }}
spec:
@@ -51,7 +51,7 @@ spec:
{{- end }}
{{- if .Values.podAnnotations }}
{{- range $key, $value := .Values.podAnnotations }}
{{ $key }}: {{ $value | quote }}
{{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
{{- end }}
{{- end }}
labels:
@@ -60,7 +60,7 @@ spec:
app: {{ template "kong.fullname" . }}
version: {{ .Chart.AppVersion | quote }}
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | nindent 8 }}
{{ include "kong.renderTpl" (dict "value" .Values.podLabels "context" $) | nindent 8 }}
{{- end }}
spec:
{{- if .Values.deployment.hostNetwork }}


@@ -1,6 +1,6 @@
{{/* Default to not managing if unsupported or created outside this chart */}}
{{- $includeIngressClass := false -}}
{{- if (and .Values.ingressController.enabled (not (eq (include "kong.ingressVersion" .) "extensions/v1beta1"))) -}}
{{- if .Values.ingressController.enabled -}}
{{- if (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") -}}
{{- with (lookup "networking.k8s.io/v1" "IngressClass" "" .Values.ingressController.ingressClass) -}}
{{- if (hasKey .metadata "annotations") -}}


@@ -1,3 +1,4 @@
{{- if not (eq .Values.kind "Vanilla") -}}
{{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.playground false) }}
apiVersion: apps/v1
kind: Deployment
@@ -139,3 +140,4 @@ spec:
claimName: {{ .Values.appsec.name }}-storage
{{- end }}
{{- end }}
{{- end }}


@@ -1,3 +1,4 @@
{{- if not (eq .Values.kind "Vanilla") -}}
{{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.playground false) }}
apiVersion: v1
kind: Service
@@ -31,3 +32,4 @@ spec:
selector:
app: {{ .Values.appsec.storage.name }}-lbl
{{- end }}
{{- end }}


@@ -1,5 +1,5 @@
{{- if and (.Values.podSecurityPolicy.enabled) (.Capabilities.APIVersions.Has "policy/v1beta1") }}
apiVersion: policy/v1beta1
{{- if and (.Values.podSecurityPolicy.enabled) }}
apiVersion: {{ include "kong.policyVersion" . }}
kind: PodSecurityPolicy
metadata:
name: {{ template "kong.serviceAccountName" . }}-psp
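Review bot: `and` with a single operand on the new first line is a no-op; `{{- if .Values.podSecurityPolicy.enabled }}` reads the intent directly. Dropping the `.Capabilities.APIVersions.Has "policy/v1beta1"` guard in favour of `kong.policyVersion` turns what used to be a silent skip into a hard render failure on clusters without that API (PodSecurityPolicy was removed in Kubernetes 1.25); that is a defensible choice, but it deserves a comment here or in the values documentation so users know to set `podSecurityPolicy.enabled: false` rather than debug a `fail`.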


@@ -2,7 +2,6 @@
{{- if and .Values.proxy.enabled (or .Values.proxy.http.enabled .Values.proxy.tls.enabled) -}}
{{- $serviceConfig := dict -}}
{{- $serviceConfig := merge $serviceConfig .Values.proxy -}}
{{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}}
{{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}}
{{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}}
{{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}}