github_mirrors/openappsec
3
0
Fork 1
mirror of https://github.com/openappsec/openappsec.git synced 2025-11-16 17:31:52 +03:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: github_mirrors:1.1.5
Branches Tags
github_mirrors:main github_mirrors:v1beta2-defualt-policy github_mirrors:fix-entry-file-token-arg github_mirrors:09-11-25-dev github_mirrors:docker-stop-issue github_mirrors:update_docker_compose github_mirrors:fix-alpine-ca github_mirrors:Aug_08_2025-Dev github_mirrors:nginx_message_reader_improvements github_mirrors:conf-collector-upload github_mirrors:waf-tag github_mirrors:watchdog github_mirrors:prometheus_support github_mirrors:exception-fix github_mirrors:orianelou-patch-8 github_mirrors:orianelou-issue-tamplates github_mirrors:Mar_17_2025-Dev github_mirrors:docker-upgrade-issue github_mirrors:namspace-crds github_mirrors:Feb_27_2025-Dev github_mirrors:Feb_10_2025-Dev github_mirrors:oriane-23.12.24-adding-new-composes github_mirrors:Jan_12_2025-Dev github_mirrors:orianelou-patch-7 github_mirrors:Dec_29_2024-Dev github_mirrors:Nov_28_2024-Dev github_mirrors:Oct_14_2024-Dev github_mirrors:Sep_17_2024-Dev github_mirrors:Sep_15_2024-Dev github_mirrors:Sep_13_2024-Dev github_mirrors:Sep_11_2024-Dev github_mirrors:Aug_20_2024-Dev github_mirrors:orianelou-patch-6 github_mirrors:orianelou-patch-5 github_mirrors:orianelou-patch-4 github_mirrors:Jul_31_2024-Dev github_mirrors:danielei-hotifx-candidate github_mirrors:orianelou-crds github_mirrors:or github_mirrors:Jul_23_2024-Dev github_mirrors:Jul_04_2024-Dev github_mirrors:Jun_26_2024-Dev github_mirrors:orianelou-new-policy-files github_mirrors:Jun_09_2024-Dev github_mirrors:May_27_2024-Dev github_mirrors:Apr_21_2024-Dev github_mirrors:Apr_14_2024-Dev github_mirrors:Mar_21_2024-Dev github_mirrors:orianelou-patch-3 github_mirrors:WrightNed-patch-1 github_mirrors:Feb_28_2024 github_mirrors:orianelou-patch-apisix github_mirrors:Feb_13_2024 github_mirrors:Feb_06_2024-Dev github_mirrors:Jan_31_2024-Dev github_mirrors:Dec-24-2023 github_mirrors:Dec-12th-2023 github_mirrors:Nov_12_2023-Dev github_mirrors:open_appsec_add_agent_cache_for_rate_limit github_mirrors:orianelou-patch-2 github_mirrors:Sep_24_2023-Dev github_mirrors:Aug_23_2023-Dev github_mirrors:changing_socket_readiness_testing github_mirrors:support-advance-model github_mirrors:Jul_24_23_chart_update github_mirrors:Jul_06_2023-Dev github_mirrors:orianelou-patch-1 github_mirrors:workflow-08_05 github_mirrors:May_11_2023-Dev github_mirrors:crowdsec github_mirrors:Apr_27_2023-Dev github_mirrors:Mar_26_2023-Dev github_mirrors:Mar_13_2023-Dev github_mirrors:Mar_02_2023-Dev github_mirrors:Feb_22_2023-Dev github_mirrors:Feb_15_2023-Dev github_mirrors:Jan_22_2023-Dev github_mirrors:Jan_18_2023-Dev github_mirrors:Jan_16_2023
github_mirrors:1.1.30 github_mirrors:1.1.29 github_mirrors:1.1.27 github_mirrors:1.1.26 github_mirrors:1.1.25 github_mirrors:1.1.24 github_mirrors:1.1.23 github_mirrors:1.1.22 github_mirrors:1.1.21 github_mirrors:1.1.20 github_mirrors:1.1.19 github_mirrors:1.1.18 github_mirrors:1.1.17 github_mirrors:1.1.16 github_mirrors:1.1.15 github_mirrors:1.1.14 github_mirrors:v1.1.3 github_mirrors:1.1.12 github_mirrors:1.1.11 github_mirrors:1.1.10 github_mirrors:1.1.9 github_mirrors:1.1.8 github_mirrors:1.1.7 github_mirrors:1.1.6 github_mirrors:1.1.5 github_mirrors:1.1.4 github_mirrors:1.1.3 github_mirrors:1.1.2 github_mirrors:1.1.0 github_mirrors:1.0.1 github_mirrors:1.0.0 github_mirrors:0.9.1-rc github_mirrors:0.9.0-rc github_mirrors:0.8.0-rc
...
compare: github_mirrors:1.1.9
Branches Tags
github_mirrors:main github_mirrors:v1beta2-defualt-policy github_mirrors:fix-entry-file-token-arg github_mirrors:09-11-25-dev github_mirrors:docker-stop-issue github_mirrors:update_docker_compose github_mirrors:fix-alpine-ca github_mirrors:Aug_08_2025-Dev github_mirrors:nginx_message_reader_improvements github_mirrors:conf-collector-upload github_mirrors:waf-tag github_mirrors:watchdog github_mirrors:prometheus_support github_mirrors:exception-fix github_mirrors:orianelou-patch-8 github_mirrors:orianelou-issue-tamplates github_mirrors:Mar_17_2025-Dev github_mirrors:docker-upgrade-issue github_mirrors:namspace-crds github_mirrors:Feb_27_2025-Dev github_mirrors:Feb_10_2025-Dev github_mirrors:oriane-23.12.24-adding-new-composes github_mirrors:Jan_12_2025-Dev github_mirrors:orianelou-patch-7 github_mirrors:Dec_29_2024-Dev github_mirrors:Nov_28_2024-Dev github_mirrors:Oct_14_2024-Dev github_mirrors:Sep_17_2024-Dev github_mirrors:Sep_15_2024-Dev github_mirrors:Sep_13_2024-Dev github_mirrors:Sep_11_2024-Dev github_mirrors:Aug_20_2024-Dev github_mirrors:orianelou-patch-6 github_mirrors:orianelou-patch-5 github_mirrors:orianelou-patch-4 github_mirrors:Jul_31_2024-Dev github_mirrors:danielei-hotifx-candidate github_mirrors:orianelou-crds github_mirrors:or github_mirrors:Jul_23_2024-Dev github_mirrors:Jul_04_2024-Dev github_mirrors:Jun_26_2024-Dev github_mirrors:orianelou-new-policy-files github_mirrors:Jun_09_2024-Dev github_mirrors:May_27_2024-Dev github_mirrors:Apr_21_2024-Dev github_mirrors:Apr_14_2024-Dev github_mirrors:Mar_21_2024-Dev github_mirrors:orianelou-patch-3 github_mirrors:WrightNed-patch-1 github_mirrors:Feb_28_2024 github_mirrors:orianelou-patch-apisix github_mirrors:Feb_13_2024 github_mirrors:Feb_06_2024-Dev github_mirrors:Jan_31_2024-Dev github_mirrors:Dec-24-2023 github_mirrors:Dec-12th-2023 github_mirrors:Nov_12_2023-Dev github_mirrors:open_appsec_add_agent_cache_for_rate_limit github_mirrors:orianelou-patch-2 github_mirrors:Sep_24_2023-Dev github_mirrors:Aug_23_2023-Dev github_mirrors:changing_socket_readiness_testing github_mirrors:support-advance-model github_mirrors:Jul_24_23_chart_update github_mirrors:Jul_06_2023-Dev github_mirrors:orianelou-patch-1 github_mirrors:workflow-08_05 github_mirrors:May_11_2023-Dev github_mirrors:crowdsec github_mirrors:Apr_27_2023-Dev github_mirrors:Mar_26_2023-Dev github_mirrors:Mar_13_2023-Dev github_mirrors:Mar_02_2023-Dev github_mirrors:Feb_22_2023-Dev github_mirrors:Feb_15_2023-Dev github_mirrors:Jan_22_2023-Dev github_mirrors:Jan_18_2023-Dev github_mirrors:Jan_16_2023
github_mirrors:1.1.30 github_mirrors:1.1.29 github_mirrors:1.1.27 github_mirrors:1.1.26 github_mirrors:1.1.25 github_mirrors:1.1.24 github_mirrors:1.1.23 github_mirrors:1.1.22 github_mirrors:1.1.21 github_mirrors:1.1.20 github_mirrors:1.1.19 github_mirrors:1.1.18 github_mirrors:1.1.17 github_mirrors:1.1.16 github_mirrors:1.1.15 github_mirrors:1.1.14 github_mirrors:v1.1.3 github_mirrors:1.1.12 github_mirrors:1.1.11 github_mirrors:1.1.10 github_mirrors:1.1.9 github_mirrors:1.1.8 github_mirrors:1.1.7 github_mirrors:1.1.6 github_mirrors:1.1.5 github_mirrors:1.1.4 github_mirrors:1.1.3 github_mirrors:1.1.2 github_mirrors:1.1.0 github_mirrors:1.0.1 github_mirrors:1.0.0 github_mirrors:0.9.1-rc github_mirrors:0.9.0-rc github_mirrors:0.8.0-rc

35 Commits
1.1.5 ... 1.1.9

Author SHA1 Message Date
WrightNed
189c9209c9 Merge pull request #122 from openappsec/Apr_14_2024-Dev 
Apr 14 2024 dev
 2024-04-17 12:40:41 +03:00
Ned Wright
1a1580081c Add watchdog changes 2024-04-16 14:06:43 +00:00
Ned Wright
942b2ef8b4 2024 April 14th update 2024-04-14 12:55:54 +00:00
Ned Wright
7a7f65a77a Detect docker on http transaction installation 2024-04-14 11:28:53 +00:00
Ned Wright
98639d9cb6 configuration loading changes 2024-04-04 17:11:06 +00:00
Ned Wright
b3de81d9d9 Updating orchestration_package.sh 2024-03-31 08:48:55 +00:00
Ned Wright
a77fd9a6d0 Remove old data 2024-03-27 14:30:40 +00:00
Ned Wright
8454b2dd9b Open Appsec helm chart automation Wed Mar 27 16:27:33 IST 2024 latest 2024-03-27 16:27:33 +02:00
Ned Wright
3913e1e8b3 Update entry.sh 2024-03-26 16:05:23 +00:00
WrightNed
262b2e59ff Merge pull request #117 from openappsec/Mar_21_2024-Dev 
Mar 21 2024 dev
 2024-03-26 13:53:49 +02:00
Ned Wright
a01c65994a Edit components/security_apps/layer_7_access_control/layer_7_access_control.cc 2024-03-25 14:53:52 +00:00
WrightNed
1d13973ae2 Update entry.sh 2024-03-25 15:56:00 +02:00
Ned Wright
c20fa9f966 Mar 21st 2024 update 2024-03-21 15:31:38 +00:00
WrightNed
0d22790ebe Merge pull request #113 from openappsec/WrightNed-patch-1 
Update orchestration_package.sh
 2024-03-12 13:02:27 +02:00
WrightNed
9f86c4607e Update orchestration_package.sh 2024-03-12 13:01:44 +02:00
WrightNed
0e47ed8595 Merge pull request #110 from openappsec/Feb_28_2024 
Feb 28 2024
 2024-03-10 15:23:57 +02:00
Ned Wright
42b0bf2981 Fix typo 2024-03-10 13:21:51 +00:00
Ned Wright
75b40933ec Change default to log to cloud 2024-02-28 18:27:39 +00:00
Ned Wright
b795661328 Moving yq to be taken from environment 2024-02-28 15:04:14 +00:00
Ned Wright
eb509dfa85 Moving yq to be taken from environment 2024-02-28 14:09:18 +00:00
WrightNed
ec834aeafb Merge pull request #106 from openappsec/orianelou-patch-apisix 
Orianelou patch apisix
 2024-02-26 10:52:27 +02:00
orianelou
2c9ec1e48c Delete apisix directory 2024-02-26 10:50:43 +02:00
orianelou
55b5973c15 Create docker-compose.yaml 2024-02-26 10:50:16 +02:00
orianelou
63b5a63ded Create apisix-standalone.yaml 2024-02-26 10:49:23 +02:00
orianelou
b08047cc33 Create apisix-standalone.yaml: 2024-02-25 11:41:04 +02:00
orianelou
328808c15f Create docker-compose.yaml 2024-02-25 11:40:12 +02:00
WrightNed
c255621cd6 Merge pull request #94 from bmbeverst/fix_tests 
Fix new helm-unittest tests
 2024-02-22 14:24:37 +02:00
Ned Wright
3afc4acfc5 open-appsec helm chart update Mon Feb 19 17:27:50 IST 2024 2024-02-19 17:27:50 +02:00
WrightNed
4e6ed5734a Merge pull request #104 from openappsec/Feb_13_2024 
Feb 13 2024
 2024-02-18 13:52:06 +02:00
WrightNed
102a0308c2 Fix getenforce redirection 2024-02-18 13:51:09 +02:00
Ned Wright
2fa866d1c5 Declarative when connected to management improvements 2024-02-14 16:31:44 +00:00
Ned Wright
8479ad58ed Remove package parameters 2024-02-14 16:10:29 +00:00
WrightNed
e9c36c3bbf Merge pull request #102 from openappsec/main 
Rebase
 2024-02-13 22:10:05 +02:00
Brooks Beverstock
aa8cfd1b2a fix: Set kind to Vanilla in ingress-nginx tests, so they pass. 2024-01-24 17:07:35 -05:00
Brooks Beverstock
5452d68f9b fix: Rename expected test name due to chart name change, from ingress-nginx to open-appsec-k8s-nginx-ingress. 2024-01-24 17:06:53 -05:00
585 changed files with 7814 additions and 40445 deletions
Expand all files Collapse all files

5
README.md
View File

@@ -96,7 +96,7 @@ open-appsec GitHub includes four main repositories:
## Installing external dependencies ## Installing external dependencies
Before compiling the services, you'll need to ensure the latest development versions of the following libraries: Before compiling the services, you'll need to ensure the latest development versions of the following libraries and tools:
* Boost * Boost
* OpenSSL * OpenSSL
* PCRE2 * PCRE2
@@ -107,12 +107,13 @@ Before compiling the services, you'll need to ensure the latest development vers
* Redis * Redis
* Hiredis * Hiredis
* MaxmindDB * MaxmindDB
* yq
An example of installing the packages on Alpine: An example of installing the packages on Alpine:
```bash ```bash
$ apk update $ apk update
$ apk add boost-dev openssl-dev pcre2-dev libxml2-dev gtest-dev curl-dev hiredis-dev redis libmaxminddb-dev $ apk add boost-dev openssl-dev pcre2-dev libxml2-dev gtest-dev curl-dev hiredis-dev redis libmaxminddb-dev yq
``` ```
## Compiling and packaging the agent code ## Compiling and packaging the agent code

11
build_system/apisix/apisix-standalone.yaml Normal file
View File

@@ -0,0 +1,11 @@
# example local declarative configuration file for apisix in standalone mode
routes:
-
uri: /anything
upstream:
nodes:
"httpbin.org:80": 1
type: roundrobin
#END

46
build_system/apisix/docker-compose.yaml Normal file
View File

@@ -0,0 +1,46 @@
// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
version: "3"
services:
apisix:
container_name: apisix
image: "ghcr.io/openappsec/apisix-attachment:latest"
ipc: host
restart: always
volumes:
- ./apisix-localconfig/apisix-standalone.yaml:/usr/local/apisix/conf/apisix.yaml:ro
environment:
- APISIX_STAND_ALONE=true
ports:
- "9180:9180/tcp"
- "9080:9080/tcp"
- "9091:9091/tcp"
- "9443:9443/tcp"
appsec-agent:
container_name: appsec-agent
image: 'ghcr.io/openappsec/agent:latest'
ipc: host
restart: unless-stopped
environment:
# adjust with your own email below
- user_email=user@email.com
- registered_server="APISIX Server"
volumes:
- ./appsec-config:/etc/cp/conf
- ./appsec-data:/etc/cp/data
- ./appsec-logs:/var/log/nano_agent
- ./appsec-localconfig:/ext/appsec
command: /cp-nano-agent --standalone

2
build_system/charts/open-appsec-k8s-nginx-ingress/Chart.lock
View File

@@ -3,4 +3,4 @@ dependencies:
repository: https://charts.bitnami.com/bitnami repository: https://charts.bitnami.com/bitnami
version: 12.2.8 version: 12.2.8
digest: sha256:0d13b8b0c66b8e18781eac510ce58b069518ff14a6a15ad90375e7f0ffad71fe digest: sha256:0d13b8b0c66b8e18781eac510ce58b069518ff14a6a15ad90375e7f0ffad71fe
generated: "2024-02-11T17:18:56.196746248Z" generated: "2024-03-26T14:53:49.928153508Z"

6
build_system/charts/open-appsec-k8s-nginx-ingress/Chart.yaml
View File

@@ -1,7 +1,5 @@
annotations: annotations:
artifacthub.io/changes: |- artifacthub.io/changes: '- "Update Ingress-Nginx version controller-v1.10.0"'
- "update web hook cert gen to latest release v20231226-1a7112e06"
- "Update Ingress-Nginx version controller-v1.9.6"
artifacthub.io/prerelease: "false" artifacthub.io/prerelease: "false"
apiVersion: v2 apiVersion: v2
appVersion: latest appVersion: latest
@@ -17,4 +15,4 @@ kubeVersion: '>=1.20.0-0'
name: open-appsec-k8s-nginx-ingress name: open-appsec-k8s-nginx-ingress
sources: sources:
- https://github.com/kubernetes/ingress-nginx - https://github.com/kubernetes/ingress-nginx
version: 4.9.1 version: 4.10.0

10
build_system/charts/open-appsec-k8s-nginx-ingress/README.md
View File

@@ -2,7 +2,7 @@
[ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
![Version: 4.9.1](https://img.shields.io/badge/Version-4.9.1-informational?style=flat-square) ![AppVersion: 1.9.6](https://img.shields.io/badge/AppVersion-1.9.6-informational?style=flat-square) ![Version: 4.10.0](https://img.shields.io/badge/Version-4.10.0-informational?style=flat-square) ![AppVersion: 1.10.0](https://img.shields.io/badge/AppVersion-1.10.0-informational?style=flat-square)
To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
@@ -253,11 +253,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.admissionWebhooks.namespaceSelector | object | `{}` | | | controller.admissionWebhooks.namespaceSelector | object | `{}` | |
| controller.admissionWebhooks.objectSelector | object | `{}` | | | controller.admissionWebhooks.objectSelector | object | `{}` | |
| controller.admissionWebhooks.patch.enabled | bool | `true` | | | controller.admissionWebhooks.patch.enabled | bool | `true` | |
| controller.admissionWebhooks.patch.image.digest | string | `"sha256:25d6a5f11211cc5c3f9f2bf552b585374af287b4debf693cacbe2da47daa5084"` | | | controller.admissionWebhooks.patch.image.digest | string | `"sha256:44d1d0e9f19c63f58b380c5fddaca7cf22c7cee564adeff365225a5df5ef3334"` | |
| controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | | | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | |
| controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | | | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | |
| controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | | | controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | |
| controller.admissionWebhooks.patch.image.tag | string | `"v20231226-1a7112e06"` | | | controller.admissionWebhooks.patch.image.tag | string | `"v1.4.0"` | |
| controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources | | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources |
| controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | | controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
| controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | | | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | |
@@ -317,7 +317,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.hostname | object | `{}` | Optionally customize the pod hostname. | | controller.hostname | object | `{}` | Optionally customize the pod hostname. |
| controller.image.allowPrivilegeEscalation | bool | `false` | | | controller.image.allowPrivilegeEscalation | bool | `false` | |
| controller.image.chroot | bool | `false` | | | controller.image.chroot | bool | `false` | |
| controller.image.digest | string | `"sha256:1405cc613bd95b2c6edd8b2a152510ae91c7e62aea4698500d23b2145960ab9c"` | | | controller.image.digest | string | `"sha256:42b3f0e5d0846876b1791cd3afeb5f1cbbe4259d6f35651dcc1b5c980925379c"` | |
| controller.image.digestChroot | string | `"sha256:7eb46ff733429e0e46892903c7394aff149ac6d284d92b3946f3baf7ff26a096"` | | | controller.image.digestChroot | string | `"sha256:7eb46ff733429e0e46892903c7394aff149ac6d284d92b3946f3baf7ff26a096"` | |
| controller.image.image | string | `"ingress-nginx/controller"` | | | controller.image.image | string | `"ingress-nginx/controller"` | |
| controller.image.pullPolicy | string | `"IfNotPresent"` | | | controller.image.pullPolicy | string | `"IfNotPresent"` | |
@@ -326,7 +326,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.image.runAsNonRoot | bool | `true` | | | controller.image.runAsNonRoot | bool | `true` | |
| controller.image.runAsUser | int | `101` | | | controller.image.runAsUser | int | `101` | |
| controller.image.seccompProfile.type | string | `"RuntimeDefault"` | | | controller.image.seccompProfile.type | string | `"RuntimeDefault"` | |
| controller.image.tag | string | `"v1.9.6"` | | | controller.image.tag | string | `"v1.10.0"` | |
| controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation |
| controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). | | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
| controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass | | controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass |

9
build_system/charts/open-appsec-k8s-nginx-ingress/changelog/helm-chart-4.10.0.md Normal file
View File

@@ -0,0 +1,9 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.10.0
* - "Update Ingress-Nginx version controller-v1.10.0"
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.9.1...helm-chart-4.10.0

5
build_system/charts/open-appsec-k8s-nginx-ingress/templates/_params.tpl
View File

@@ -29,7 +29,7 @@
- --watch-namespace={{ default "$(POD_NAMESPACE)" .Values.controller.scope.namespace }} - --watch-namespace={{ default "$(POD_NAMESPACE)" .Values.controller.scope.namespace }}
{{- end }} {{- end }}
{{- if and (not .Values.controller.scope.enabled) .Values.controller.scope.namespaceSelector }} {{- if and (not .Values.controller.scope.enabled) .Values.controller.scope.namespaceSelector }}
- --watch-namespace-selector={{ default "" .Values.controller.scope.namespaceSelector }} - --watch-namespace-selector={{ .Values.controller.scope.namespaceSelector }}
{{- end }} {{- end }}
{{- if and .Values.controller.reportNodeInternalIp .Values.controller.hostNetwork }} {{- if and .Values.controller.reportNodeInternalIp .Values.controller.hostNetwork }}
- --report-node-internal-ip-address={{ .Values.controller.reportNodeInternalIp }} - --report-node-internal-ip-address={{ .Values.controller.reportNodeInternalIp }}
@@ -54,6 +54,9 @@
{{- if .Values.controller.watchIngressWithoutClass }} {{- if .Values.controller.watchIngressWithoutClass }}
- --watch-ingress-without-class=true - --watch-ingress-without-class=true
{{- end }} {{- end }}
{{- if not .Values.controller.metrics.enabled }}
- --enable-metrics={{ .Values.controller.metrics.enabled }}
{{- end }}
{{- if .Values.controller.enableTopologyAwareRouting }} {{- if .Values.controller.enableTopologyAwareRouting }}
- --enable-topology-aware-routing=true - --enable-topology-aware-routing=true
{{- end }} {{- end }}

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-prometheusrules.yaml
View File

@@ -1,4 +1,4 @@
{{- if and ( .Values.controller.metrics.enabled ) ( .Values.controller.metrics.prometheusRule.enabled ) ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) -}} {{- if and .Values.controller.metrics.enabled .Values.controller.metrics.prometheusRule.enabled -}}
apiVersion: monitoring.coreos.com/v1 apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule kind: PrometheusRule
metadata: metadata:

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-policy.yaml
View File

@@ -34,7 +34,7 @@ spec:
http-headers: false http-headers: false
request-body: false request-body: false
log-destination: log-destination:
cloud: false cloud: true
stdout: stdout:
format: json-formatted format: json-formatted
--- ---

2
build_system/charts/open-appsec-k8s-nginx-ingress/tests/controller-configmap-addheaders_test.yaml
View File

@@ -21,7 +21,7 @@ tests:
of: ConfigMap of: ConfigMap
- equal: - equal:
path: metadata.name path: metadata.name
value: RELEASE-NAME-ingress-nginx-custom-add-headers value: RELEASE-NAME-open-appsec-k8s-nginx-ingress-custom-add-headers
- equal: - equal:
path: data.X-Another-Custom-Header path: data.X-Another-Custom-Header
value: Value value: Value

2
build_system/charts/open-appsec-k8s-nginx-ingress/tests/controller-configmap-proxyheaders_test.yaml
View File

@@ -21,7 +21,7 @@ tests:
of: ConfigMap of: ConfigMap
- equal: - equal:
path: metadata.name path: metadata.name
value: RELEASE-NAME-ingress-nginx-custom-proxy-headers value: RELEASE-NAME-open-appsec-k8s-nginx-ingress-custom-proxy-headers
- equal: - equal:
path: data.X-Custom-Header path: data.X-Custom-Header
value: Value value: Value

2
build_system/charts/open-appsec-k8s-nginx-ingress/tests/controller-configmap_test.yaml
View File

@@ -11,4 +11,4 @@ tests:
of: ConfigMap of: ConfigMap
- equal: - equal:
path: metadata.name path: metadata.name
value: RELEASE-NAME-ingress-nginx-controller value: RELEASE-NAME-open-appsec-k8s-nginx-ingress-controller

37
build_system/charts/open-appsec-k8s-nginx-ingress/tests/controller-daemonset_test.yaml
View File

@@ -6,6 +6,7 @@ tests:
- it: should create a DaemonSet if `controller.kind` is "DaemonSet" - it: should create a DaemonSet if `controller.kind` is "DaemonSet"
set: set:
controller.kind: DaemonSet controller.kind: DaemonSet
kind: Vanilla
asserts: asserts:
- hasDocuments: - hasDocuments:
count: 1 count: 1
@@ -13,4 +14,38 @@ tests:
of: DaemonSet of: DaemonSet
- equal: - equal:
path: metadata.name path: metadata.name
value: RELEASE-NAME-ingress-nginx-controller value: RELEASE-NAME-open-appsec-k8s-nginx-ingress-controller
- it: should create a DaemonSet with argument `--enable-metrics=false` if `controller.metrics.enabled` is false
set:
controller.kind: DaemonSet
kind: Vanilla
controller.metrics.enabled: false
asserts:
- contains:
path: spec.template.spec.containers[0].args
content: --enable-metrics=false
- it: should create a DaemonSet without argument `--enable-metrics=false` if `controller.metrics.enabled` is true
set:
controller.kind: DaemonSet
kind: Vanilla
controller.metrics.enabled: true
asserts:
- notContains:
path: spec.template.spec.containers[0].args
content: --enable-metrics=false
- it: should create a DaemonSet with resource limits if `controller.resources.limits` is set
set:
controller.kind: DaemonSet
kind: Vanilla
controller.resources.limits.cpu: 500m
controller.resources.limits.memory: 512Mi
asserts:
- equal:
path: spec.template.spec.containers[0].resources.limits.cpu
value: 500m
- equal:
path: spec.template.spec.containers[0].resources.limits.memory
value: 512Mi

20
build_system/charts/open-appsec-k8s-nginx-ingress/tests/controller-deployment_test.yaml
View File

@@ -11,20 +11,38 @@ tests:
of: Deployment of: Deployment
- equal: - equal:
path: metadata.name path: metadata.name
value: RELEASE-NAME-ingress-nginx-controller value: RELEASE-NAME-open-appsec-k8s-nginx-ingress-controller
- it: should create a Deployment with 3 replicas if `controller.replicaCount` is 3 - it: should create a Deployment with 3 replicas if `controller.replicaCount` is 3
set: set:
controller.replicaCount: 3 controller.replicaCount: 3
kind: Vanilla
asserts: asserts:
- equal: - equal:
path: spec.replicas path: spec.replicas
value: 3 value: 3
- it: should create a Deployment with argument `--enable-metrics=false` if `controller.metrics.enabled` is false
set:
controller.metrics.enabled: false
asserts:
- contains:
path: spec.template.spec.containers[0].args
content: --enable-metrics=false
- it: should create a Deployment without argument `--enable-metrics=false` if `controller.metrics.enabled` is true
set:
controller.metrics.enabled: true
asserts:
- notContains:
path: spec.template.spec.containers[0].args
content: --enable-metrics=false
- it: should create a Deployment with resource limits if `controller.resources.limits` is set - it: should create a Deployment with resource limits if `controller.resources.limits` is set
set: set:
controller.resources.limits.cpu: 500m controller.resources.limits.cpu: 500m
controller.resources.limits.memory: 512Mi controller.resources.limits.memory: 512Mi
kind: Vanilla
asserts: asserts:
- equal: - equal:
path: spec.template.spec.containers[0].resources.limits.cpu path: spec.template.spec.containers[0].resources.limits.cpu

2
build_system/charts/open-appsec-k8s-nginx-ingress/tests/controller-hpa_test.yaml
View File

@@ -14,4 +14,4 @@ tests:
of: HorizontalPodAutoscaler of: HorizontalPodAutoscaler
- equal: - equal:
path: metadata.name path: metadata.name
value: RELEASE-NAME-ingress-nginx-controller value: RELEASE-NAME-open-appsec-k8s-nginx-ingress-controller

2
build_system/charts/open-appsec-k8s-nginx-ingress/tests/controller-keda_test.yaml
View File

@@ -14,4 +14,4 @@ tests:
of: ScaledObject of: ScaledObject
- equal: - equal:
path: metadata.name path: metadata.name
value: RELEASE-NAME-ingress-nginx-controller value: RELEASE-NAME-open-appsec-k8s-nginx-ingress-controller

2
build_system/charts/open-appsec-k8s-nginx-ingress/tests/controller-networkpolicy_test.yaml
View File

@@ -20,4 +20,4 @@ tests:
of: NetworkPolicy of: NetworkPolicy
- equal: - equal:
path: metadata.name path: metadata.name
value: RELEASE-NAME-ingress-nginx-controller value: RELEASE-NAME-open-appsec-k8s-nginx-ingress-controller

2
build_system/charts/open-appsec-k8s-nginx-ingress/tests/controller-service-internal_test.yaml
View File

@@ -22,4 +22,4 @@ tests:
of: Service of: Service
- equal: - equal:
path: metadata.name path: metadata.name
value: RELEASE-NAME-ingress-nginx-controller-internal value: RELEASE-NAME-open-appsec-k8s-nginx-ingress-controller-internal

2
build_system/charts/open-appsec-k8s-nginx-ingress/tests/controller-service-metrics_test.yaml
View File

@@ -20,4 +20,4 @@ tests:
of: Service of: Service
- equal: - equal:
path: metadata.name path: metadata.name
value: RELEASE-NAME-ingress-nginx-controller-metrics value: RELEASE-NAME-open-appsec-k8s-nginx-ingress-controller-metrics

2
build_system/charts/open-appsec-k8s-nginx-ingress/tests/controller-service_test.yaml
View File

@@ -20,7 +20,7 @@ tests:
of: Service of: Service
- equal: - equal:
path: metadata.name path: metadata.name
value: RELEASE-NAME-ingress-nginx-controller value: RELEASE-NAME-open-appsec-k8s-nginx-ingress-controller
- it: should create a Service of type "NodePort" if `controller.service.external.enabled` is true and `controller.service.type` is "NodePort" - it: should create a Service of type "NodePort" if `controller.service.external.enabled` is true and `controller.service.type` is "NodePort"
set: set:

2
build_system/charts/open-appsec-k8s-nginx-ingress/tests/default-backend-service_test.yaml
View File

@@ -20,7 +20,7 @@ tests:
of: Service of: Service
- equal: - equal:
path: metadata.name path: metadata.name
value: RELEASE-NAME-ingress-nginx-defaultbackend value: RELEASE-NAME-open-appsec-k8s-nginx-ingress-defaultbackend
- it: should create a Service with port 80 if `defaultBackend.service.port` is 80 - it: should create a Service with port 80 if `defaultBackend.service.port` is 80
set: set:

10
build_system/charts/open-appsec-k8s-nginx-ingress/values.yaml
View File

@@ -26,8 +26,8 @@ controller:
## for backwards compatibility consider setting the full image url via the repository value below ## for backwards compatibility consider setting the full image url via the repository value below
## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
## repository: ## repository:
tag: "v1.9.6" tag: "v1.10.0"
digest: sha256:1405cc613bd95b2c6edd8b2a152510ae91c7e62aea4698500d23b2145960ab9c digest: sha256:42b3f0e5d0846876b1791cd3afeb5f1cbbe4259d6f35651dcc1b5c980925379c
digestChroot: sha256:7eb46ff733429e0e46892903c7394aff149ac6d284d92b3946f3baf7ff26a096 digestChroot: sha256:7eb46ff733429e0e46892903c7394aff149ac6d284d92b3946f3baf7ff26a096
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
runAsNonRoot: true runAsNonRoot: true
@@ -781,8 +781,8 @@ controller:
## for backwards compatibility consider setting the full image url via the repository value below ## for backwards compatibility consider setting the full image url via the repository value below
## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
## repository: ## repository:
tag: v20231226-1a7112e06 tag: v1.4.0
digest: sha256:25d6a5f11211cc5c3f9f2bf552b585374af287b4debf693cacbe2da47daa5084 digest: sha256:44d1d0e9f19c63f58b380c5fddaca7cf22c7cee564adeff365225a5df5ef3334
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# -- Provide a priority class name to the webhook patching job # -- Provide a priority class name to the webhook patching job
## ##
@@ -1198,7 +1198,7 @@ appsec:
image: image:
registry: ghcr.io/openappsec registry: ghcr.io/openappsec
image: smartsync-tuning image: smartsync-tuning
tag: 1.1.3 tag: latest
enabled: false enabled: false
replicaCount: 1 replicaCount: 1
securityContext: securityContext:

29
build_system/charts/open-appsec-kong/CHANGELOG.md
View File

@@ -1,8 +1,33 @@
# Changelog # Changelog
## Unreleased ## 2.38.0
Nothing yet. ### Changes
* Added support for setting `SVC.tls.appProtocol` and `SVC.http.appProtocol` values to configure the appProtocol fields
for Kubernetes Service HTTP and TLS ports. It might be useful for integration with external load balancers like GCP.
[#1018](https://github.com/Kong/charts/pull/1018)
## 2.37.1
* Rename the controller status port. This fixes a collision with the proxy status port in the Prometheus ServiceMonitor.
[#1008](https://github.com/Kong/charts/pull/1008)
## 2.37.0
### Changes
* Bumped default `kong/kubernetes-ingress-controller` image tag and updated CRDs to 3.1.
[#1011](https://github.com/Kong/charts/pull/1011)
* Bumped default `kong` image tag to 3.6.
[#1011](https://github.com/Kong/charts/pull/1011)
## 2.36.0
### Fixed
* Add `KongLicense` RBAC rules.
[#1006](https://github.com/Kong/charts/pull/1006)
## 2.35.1 ## 2.35.1

4
build_system/charts/open-appsec-kong/Chart.yaml
View File

@@ -1,5 +1,5 @@
apiVersion: v2 apiVersion: v2
appVersion: 1.1.5 appVersion: 1.1.8
dependencies: dependencies:
- condition: postgresql.enabled - condition: postgresql.enabled
name: postgresql name: postgresql
@@ -14,4 +14,4 @@ maintainers:
name: open-appsec-kong name: open-appsec-kong
sources: sources:
- https://github.com/Kong/charts/tree/main/charts/kong - https://github.com/Kong/charts/tree/main/charts/kong
version: 2.35.1 version: 2.38.0

70
build_system/charts/open-appsec-kong/README.md
View File

@@ -666,40 +666,42 @@ nodes.
mixed TCP/UDP LoadBalancer Services). It _does not_ support the `http`, `tls`, mixed TCP/UDP LoadBalancer Services). It _does not_ support the `http`, `tls`,
or `ingress` sections, as it is used only for stream listens. or `ingress` sections, as it is used only for stream listens.
| Parameter | Description | Default | | Parameter | Description | Default |
|------------------------------------|---------------------------------------------------------------------------------------|--------------------------| |-----------------------------------|-------------------------------------------------------------------------------------------|--------------------------|
| SVC.enabled | Create Service resource for SVC (admin, proxy, manager, etc.) | | | SVC.enabled | Create Service resource for SVC (admin, proxy, manager, etc.) | |
| SVC.http.enabled | Enables http on the service | | | SVC.http.enabled | Enables http on the service | |
| SVC.http.servicePort | Service port to use for http | | | SVC.http.servicePort | Service port to use for http | |
| SVC.http.containerPort | Container port to use for http | | | SVC.http.containerPort | Container port to use for http | |
| SVC.http.nodePort | Node port to use for http | | | SVC.http.nodePort | Node port to use for http | |
| SVC.http.hostPort | Host port to use for http | | | SVC.http.hostPort | Host port to use for http | |
| SVC.http.parameters | Array of additional listen parameters | `[]` | | SVC.http.parameters | Array of additional listen parameters | `[]` |
| SVC.tls.enabled | Enables TLS on the service | | | SVC.http.appProtocol | `appProtocol` to be set in a Service's port. If left empty, no `appProtocol` will be set. | |
| SVC.tls.containerPort | Container port to use for TLS | | | SVC.tls.enabled | Enables TLS on the service | |
| SVC.tls.servicePort | Service port to use for TLS | | | SVC.tls.containerPort | Container port to use for TLS | |
| SVC.tls.nodePort | Node port to use for TLS | | | SVC.tls.servicePort | Service port to use for TLS | |
| SVC.tls.hostPort | Host port to use for TLS | | | SVC.tls.nodePort | Node port to use for TLS | |
| SVC.tls.overrideServiceTargetPort | Override service port to use for TLS without touching Kong containerPort | | | SVC.tls.hostPort | Host port to use for TLS | |
| SVC.tls.parameters | Array of additional listen parameters | `["http2"]` | | SVC.tls.overrideServiceTargetPort | Override service port to use for TLS without touching Kong containerPort | |
| SVC.type | k8s service type. Options: NodePort, ClusterIP, LoadBalancer | | | SVC.tls.parameters | Array of additional listen parameters | `["http2"]` |
| SVC.clusterIP | k8s service clusterIP | | | SVC.tls.appProtocol | `appProtocol` to be set in a Service's port. If left empty, no `appProtocol` will be set. | |
| SVC.loadBalancerClass | loadBalancerClass to use for LoadBalancer provisionning | | | SVC.type | k8s service type. Options: NodePort, ClusterIP, LoadBalancer | |
| SVC.loadBalancerSourceRanges | Limit service access to CIDRs if set and service type is `LoadBalancer` | `[]` | | SVC.clusterIP | k8s service clusterIP | |
| SVC.loadBalancerIP | Reuse an existing ingress static IP for the service | | | SVC.loadBalancerClass | loadBalancerClass to use for LoadBalancer provisionning | |
| SVC.externalIPs | IPs for which nodes in the cluster will also accept traffic for the servic | `[]` | | SVC.loadBalancerSourceRanges | Limit service access to CIDRs if set and service type is `LoadBalancer` | `[]` |
| SVC.externalTrafficPolicy | k8s service's externalTrafficPolicy. Options: Cluster, Local | | | SVC.loadBalancerIP | Reuse an existing ingress static IP for the service | |
| SVC.ingress.enabled | Enable ingress resource creation (works with SVC.type=ClusterIP) | `false` | | SVC.externalIPs | IPs for which nodes in the cluster will also accept traffic for the servic | `[]` |
| SVC.ingress.ingressClassName | Set the ingressClassName to associate this Ingress with an IngressClass | | | SVC.externalTrafficPolicy | k8s service's externalTrafficPolicy. Options: Cluster, Local | |
| SVC.ingress.hostname | Ingress hostname | `""` | | SVC.ingress.enabled | Enable ingress resource creation (works with SVC.type=ClusterIP) | `false` |
| SVC.ingress.path | Ingress path. | `/` | | SVC.ingress.ingressClassName | Set the ingressClassName to associate this Ingress with an IngressClass | |
| SVC.ingress.pathType | Ingress pathType. One of `ImplementationSpecific`, `Exact` or `Prefix` | `ImplementationSpecific` | | SVC.ingress.hostname | Ingress hostname | `""` |
| SVC.ingress.hosts | Slice of hosts configurations, including `hostname`, `path` and `pathType` keys | `[]` | | SVC.ingress.path | Ingress path. | `/` |
| SVC.ingress.tls | Name of secret resource or slice of `secretName` and `hosts` keys | | | SVC.ingress.pathType | Ingress pathType. One of `ImplementationSpecific`, `Exact` or `Prefix` | `ImplementationSpecific` |
| SVC.ingress.annotations | Ingress annotations. See documentation for your ingress controller for details | `{}` | | SVC.ingress.hosts | Slice of hosts configurations, including `hostname`, `path` and `pathType` keys | `[]` |
| SVC.ingress.labels | Ingress labels. Additional custom labels to add to the ingress. | `{}` | | SVC.ingress.tls | Name of secret resource or slice of `secretName` and `hosts` keys | |
| SVC.annotations | Service annotations | `{}` | | SVC.ingress.annotations | Ingress annotations. See documentation for your ingress controller for details | `{}` |
| SVC.labels | Service labels | `{}` | | SVC.ingress.labels | Ingress labels. Additional custom labels to add to the ingress. | `{}` |
| SVC.annotations | Service annotations | `{}` |
| SVC.labels | Service labels | `{}` |
#### Admin Service mTLS #### Admin Service mTLS

34
build_system/charts/open-appsec-kong/ci/__snapshots__/admin-api-service-clusterip-values.snap
View File

@@ -9,8 +9,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
spec: spec:
@@ -33,9 +33,9 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
version: \"3.5\" version: \"3.6\"
spec: spec:
automountServiceAccountToken: false automountServiceAccountToken: false
containers: containers:
@@ -90,7 +90,7 @@ SnapShot = """
value: \"off\" value: \"off\"
- name: KONG_NGINX_DAEMON - name: KONG_NGINX_DAEMON
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
preStop: preStop:
@@ -205,7 +205,7 @@ SnapShot = """
value: 0.0.0.0:8100, [::]:8100 value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN - name: KONG_STREAM_LISTEN
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: clear-stale-pid name: clear-stale-pid
resources: {} resources: {}
@@ -274,8 +274,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-custom-dbless-config name: chartsnap-kong-custom-dbless-config
namespace: default namespace: default
- object: - object:
@@ -286,8 +286,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-admin name: chartsnap-kong-admin
namespace: default namespace: default
spec: spec:
@@ -309,8 +309,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-manager name: chartsnap-kong-manager
namespace: default namespace: default
spec: spec:
@@ -336,9 +336,9 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
enable-metrics: \"true\" enable-metrics: \"true\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy name: chartsnap-kong-proxy
namespace: default namespace: default
spec: spec:
@@ -364,8 +364,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
""" """

98
build_system/charts/open-appsec-kong/ci/__snapshots__/custom-labels-values.snap
View File

@@ -9,8 +9,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validations name: chartsnap-kong-validations
namespace: default namespace: default
webhooks: webhooks:
@@ -84,8 +84,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
spec: spec:
@@ -108,9 +108,9 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
version: \"3.5\" version: \"3.6\"
spec: spec:
automountServiceAccountToken: false automountServiceAccountToken: false
containers: containers:
@@ -138,7 +138,7 @@ SnapShot = """
value: https://localhost:8444 value: https://localhost:8444
- name: CONTROLLER_PUBLISH_SERVICE - name: CONTROLLER_PUBLISH_SERVICE
value: default/chartsnap-kong-proxy value: default/chartsnap-kong-proxy
image: kong/kubernetes-ingress-controller:3.0 image: kong/kubernetes-ingress-controller:3.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:
failureThreshold: 3 failureThreshold: 3
@@ -159,7 +159,7 @@ SnapShot = """
name: cmetrics name: cmetrics
protocol: TCP protocol: TCP
- containerPort: 10254 - containerPort: 10254
name: status name: cstatus
protocol: TCP protocol: TCP
readinessProbe: readinessProbe:
failureThreshold: 3 failureThreshold: 3
@@ -240,7 +240,7 @@ SnapShot = """
value: \"off\" value: \"off\"
- name: KONG_NGINX_DAEMON - name: KONG_NGINX_DAEMON
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
preStop: preStop:
@@ -350,7 +350,7 @@ SnapShot = """
value: 0.0.0.0:8100, [::]:8100 value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN - name: KONG_STREAM_LISTEN
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: clear-stale-pid name: clear-stale-pid
resources: {} resources: {}
@@ -408,8 +408,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
rules: rules:
- apiGroups: - apiGroups:
@@ -617,6 +617,38 @@ SnapShot = """
- get - get
- list - list
- watch - watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults/status
verbs:
- get
- patch
- update
- apiGroups: - apiGroups:
- configuration.konghq.com - configuration.konghq.com
resources: resources:
@@ -657,8 +689,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
@@ -677,8 +709,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
rules: rules:
@@ -742,8 +774,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
roleRef: roleRef:
@@ -766,8 +798,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-ca-keypair name: chartsnap-kong-validation-webhook-ca-keypair
namespace: default namespace: default
type: kubernetes.io/tls type: kubernetes.io/tls
@@ -783,8 +815,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-keypair name: chartsnap-kong-validation-webhook-keypair
namespace: default namespace: default
type: kubernetes.io/tls type: kubernetes.io/tls
@@ -797,8 +829,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-manager name: chartsnap-kong-manager
namespace: default namespace: default
spec: spec:
@@ -825,9 +857,9 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
enable-metrics: \"true\" enable-metrics: \"true\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy name: chartsnap-kong-proxy
namespace: default namespace: default
spec: spec:
@@ -854,8 +886,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook name: chartsnap-kong-validation-webhook
namespace: default namespace: default
spec: spec:
@@ -870,8 +902,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
- object: - object:
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
@@ -881,8 +913,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
""" """

98
build_system/charts/open-appsec-kong/ci/__snapshots__/default-values.snap
View File

@@ -8,8 +8,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validations name: chartsnap-kong-validations
namespace: default namespace: default
webhooks: webhooks:
@@ -82,8 +82,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
spec: spec:
@@ -105,9 +105,9 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
version: \"3.5\" version: \"3.6\"
spec: spec:
automountServiceAccountToken: false automountServiceAccountToken: false
containers: containers:
@@ -137,7 +137,7 @@ SnapShot = """
value: https://localhost:8444 value: https://localhost:8444
- name: CONTROLLER_PUBLISH_SERVICE - name: CONTROLLER_PUBLISH_SERVICE
value: default/chartsnap-kong-proxy value: default/chartsnap-kong-proxy
image: kong/kubernetes-ingress-controller:3.0 image: kong/kubernetes-ingress-controller:3.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:
failureThreshold: 3 failureThreshold: 3
@@ -158,7 +158,7 @@ SnapShot = """
name: cmetrics name: cmetrics
protocol: TCP protocol: TCP
- containerPort: 10254 - containerPort: 10254
name: status name: cstatus
protocol: TCP protocol: TCP
readinessProbe: readinessProbe:
failureThreshold: 3 failureThreshold: 3
@@ -241,7 +241,7 @@ SnapShot = """
value: \"off\" value: \"off\"
- name: KONG_NGINX_DAEMON - name: KONG_NGINX_DAEMON
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
preStop: preStop:
@@ -353,7 +353,7 @@ SnapShot = """
value: 0.0.0.0:8100, [::]:8100 value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN - name: KONG_STREAM_LISTEN
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: clear-stale-pid name: clear-stale-pid
resources: {} resources: {}
@@ -410,8 +410,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
rules: rules:
- apiGroups: - apiGroups:
@@ -619,6 +619,38 @@ SnapShot = """
- get - get
- list - list
- watch - watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults/status
verbs:
- get
- patch
- update
- apiGroups: - apiGroups:
- configuration.konghq.com - configuration.konghq.com
resources: resources:
@@ -658,8 +690,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
@@ -677,8 +709,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
rules: rules:
@@ -741,8 +773,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
roleRef: roleRef:
@@ -764,8 +796,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-ca-keypair name: chartsnap-kong-validation-webhook-ca-keypair
namespace: default namespace: default
type: kubernetes.io/tls type: kubernetes.io/tls
@@ -780,8 +812,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-keypair name: chartsnap-kong-validation-webhook-keypair
namespace: default namespace: default
type: kubernetes.io/tls type: kubernetes.io/tls
@@ -793,8 +825,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-manager name: chartsnap-kong-manager
namespace: default namespace: default
spec: spec:
@@ -820,9 +852,9 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
enable-metrics: \"true\" enable-metrics: \"true\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy name: chartsnap-kong-proxy
namespace: default namespace: default
spec: spec:
@@ -848,8 +880,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook name: chartsnap-kong-validation-webhook
namespace: default namespace: default
spec: spec:
@@ -863,8 +895,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
- object: - object:
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
@@ -873,8 +905,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
""" """

102
build_system/charts/open-appsec-kong/ci/__snapshots__/kong-ingress-1-values.snap
View File

@@ -8,8 +8,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validations name: chartsnap-kong-validations
namespace: default namespace: default
webhooks: webhooks:
@@ -82,8 +82,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
spec: spec:
@@ -105,9 +105,9 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
version: \"3.5\" version: \"3.6\"
spec: spec:
automountServiceAccountToken: false automountServiceAccountToken: false
containers: containers:
@@ -135,7 +135,7 @@ SnapShot = """
value: https://localhost:8444 value: https://localhost:8444
- name: CONTROLLER_PUBLISH_SERVICE - name: CONTROLLER_PUBLISH_SERVICE
value: default/chartsnap-kong-proxy value: default/chartsnap-kong-proxy
image: kong/kubernetes-ingress-controller:3.0 image: kong/kubernetes-ingress-controller:3.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:
failureThreshold: 3 failureThreshold: 3
@@ -156,7 +156,7 @@ SnapShot = """
name: cmetrics name: cmetrics
protocol: TCP protocol: TCP
- containerPort: 10254 - containerPort: 10254
name: status name: cstatus
protocol: TCP protocol: TCP
readinessProbe: readinessProbe:
failureThreshold: 3 failureThreshold: 3
@@ -237,7 +237,7 @@ SnapShot = """
value: \"off\" value: \"off\"
- name: KONG_NGINX_DAEMON - name: KONG_NGINX_DAEMON
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
preStop: preStop:
@@ -347,7 +347,7 @@ SnapShot = """
value: 0.0.0.0:8100, [::]:8100 value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN - name: KONG_STREAM_LISTEN
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: clear-stale-pid name: clear-stale-pid
resources: {} resources: {}
@@ -404,8 +404,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy name: chartsnap-kong-proxy
namespace: default namespace: default
spec: spec:
@@ -430,8 +430,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
rules: rules:
- apiGroups: - apiGroups:
@@ -639,6 +639,38 @@ SnapShot = """
- get - get
- list - list
- watch - watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults/status
verbs:
- get
- patch
- update
- apiGroups: - apiGroups:
- configuration.konghq.com - configuration.konghq.com
resources: resources:
@@ -678,8 +710,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
@@ -697,8 +729,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
rules: rules:
@@ -761,8 +793,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
roleRef: roleRef:
@@ -784,8 +816,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-ca-keypair name: chartsnap-kong-validation-webhook-ca-keypair
namespace: default namespace: default
type: kubernetes.io/tls type: kubernetes.io/tls
@@ -800,8 +832,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-keypair name: chartsnap-kong-validation-webhook-keypair
namespace: default namespace: default
type: kubernetes.io/tls type: kubernetes.io/tls
@@ -822,8 +854,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-manager name: chartsnap-kong-manager
namespace: default namespace: default
spec: spec:
@@ -849,9 +881,9 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
enable-metrics: \"true\" enable-metrics: \"true\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy name: chartsnap-kong-proxy
namespace: default namespace: default
spec: spec:
@@ -877,8 +909,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook name: chartsnap-kong-validation-webhook
namespace: default namespace: default
spec: spec:
@@ -892,8 +924,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
- object: - object:
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
@@ -902,8 +934,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
""" """

102
build_system/charts/open-appsec-kong/ci/__snapshots__/kong-ingress-2-values.snap
View File

@@ -8,8 +8,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validations name: chartsnap-kong-validations
namespace: default namespace: default
webhooks: webhooks:
@@ -82,8 +82,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
spec: spec:
@@ -105,9 +105,9 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
version: \"3.5\" version: \"3.6\"
spec: spec:
automountServiceAccountToken: false automountServiceAccountToken: false
containers: containers:
@@ -135,7 +135,7 @@ SnapShot = """
value: https://localhost:8444 value: https://localhost:8444
- name: CONTROLLER_PUBLISH_SERVICE - name: CONTROLLER_PUBLISH_SERVICE
value: default/chartsnap-kong-proxy value: default/chartsnap-kong-proxy
image: kong/kubernetes-ingress-controller:3.0 image: kong/kubernetes-ingress-controller:3.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:
failureThreshold: 3 failureThreshold: 3
@@ -156,7 +156,7 @@ SnapShot = """
name: cmetrics name: cmetrics
protocol: TCP protocol: TCP
- containerPort: 10254 - containerPort: 10254
name: status name: cstatus
protocol: TCP protocol: TCP
readinessProbe: readinessProbe:
failureThreshold: 3 failureThreshold: 3
@@ -237,7 +237,7 @@ SnapShot = """
value: \"off\" value: \"off\"
- name: KONG_NGINX_DAEMON - name: KONG_NGINX_DAEMON
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
preStop: preStop:
@@ -347,7 +347,7 @@ SnapShot = """
value: 0.0.0.0:8100, [::]:8100 value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN - name: KONG_STREAM_LISTEN
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: clear-stale-pid name: clear-stale-pid
resources: {} resources: {}
@@ -404,8 +404,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy name: chartsnap-kong-proxy
namespace: default namespace: default
spec: spec:
@@ -432,8 +432,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
rules: rules:
- apiGroups: - apiGroups:
@@ -641,6 +641,38 @@ SnapShot = """
- get - get
- list - list
- watch - watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults/status
verbs:
- get
- patch
- update
- apiGroups: - apiGroups:
- configuration.konghq.com - configuration.konghq.com
resources: resources:
@@ -680,8 +712,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
@@ -699,8 +731,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
rules: rules:
@@ -763,8 +795,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
roleRef: roleRef:
@@ -786,8 +818,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-ca-keypair name: chartsnap-kong-validation-webhook-ca-keypair
namespace: default namespace: default
type: kubernetes.io/tls type: kubernetes.io/tls
@@ -802,8 +834,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-keypair name: chartsnap-kong-validation-webhook-keypair
namespace: default namespace: default
type: kubernetes.io/tls type: kubernetes.io/tls
@@ -824,8 +856,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-manager name: chartsnap-kong-manager
namespace: default namespace: default
spec: spec:
@@ -851,9 +883,9 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
enable-metrics: \"true\" enable-metrics: \"true\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy name: chartsnap-kong-proxy
namespace: default namespace: default
spec: spec:
@@ -879,8 +911,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook name: chartsnap-kong-validation-webhook
namespace: default namespace: default
spec: spec:
@@ -894,8 +926,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
- object: - object:
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
@@ -904,8 +936,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
""" """

102
build_system/charts/open-appsec-kong/ci/__snapshots__/kong-ingress-3-values.snap
View File

@@ -8,8 +8,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validations name: chartsnap-kong-validations
namespace: default namespace: default
webhooks: webhooks:
@@ -82,8 +82,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
spec: spec:
@@ -105,9 +105,9 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
version: \"3.5\" version: \"3.6\"
spec: spec:
automountServiceAccountToken: false automountServiceAccountToken: false
containers: containers:
@@ -135,7 +135,7 @@ SnapShot = """
value: https://localhost:8444 value: https://localhost:8444
- name: CONTROLLER_PUBLISH_SERVICE - name: CONTROLLER_PUBLISH_SERVICE
value: default/chartsnap-kong-proxy value: default/chartsnap-kong-proxy
image: kong/kubernetes-ingress-controller:3.0 image: kong/kubernetes-ingress-controller:3.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:
failureThreshold: 3 failureThreshold: 3
@@ -156,7 +156,7 @@ SnapShot = """
name: cmetrics name: cmetrics
protocol: TCP protocol: TCP
- containerPort: 10254 - containerPort: 10254
name: status name: cstatus
protocol: TCP protocol: TCP
readinessProbe: readinessProbe:
failureThreshold: 3 failureThreshold: 3
@@ -237,7 +237,7 @@ SnapShot = """
value: \"off\" value: \"off\"
- name: KONG_NGINX_DAEMON - name: KONG_NGINX_DAEMON
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
preStop: preStop:
@@ -347,7 +347,7 @@ SnapShot = """
value: 0.0.0.0:8100, [::]:8100 value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN - name: KONG_STREAM_LISTEN
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: clear-stale-pid name: clear-stale-pid
resources: {} resources: {}
@@ -404,8 +404,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy name: chartsnap-kong-proxy
namespace: default namespace: default
spec: spec:
@@ -428,8 +428,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
rules: rules:
- apiGroups: - apiGroups:
@@ -637,6 +637,38 @@ SnapShot = """
- get - get
- list - list
- watch - watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults/status
verbs:
- get
- patch
- update
- apiGroups: - apiGroups:
- configuration.konghq.com - configuration.konghq.com
resources: resources:
@@ -676,8 +708,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
@@ -695,8 +727,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
rules: rules:
@@ -759,8 +791,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
roleRef: roleRef:
@@ -782,8 +814,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-ca-keypair name: chartsnap-kong-validation-webhook-ca-keypair
namespace: default namespace: default
type: kubernetes.io/tls type: kubernetes.io/tls
@@ -798,8 +830,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-keypair name: chartsnap-kong-validation-webhook-keypair
namespace: default namespace: default
type: kubernetes.io/tls type: kubernetes.io/tls
@@ -811,8 +843,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-manager name: chartsnap-kong-manager
namespace: default namespace: default
spec: spec:
@@ -838,9 +870,9 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
enable-metrics: \"true\" enable-metrics: \"true\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy name: chartsnap-kong-proxy
namespace: default namespace: default
spec: spec:
@@ -866,8 +898,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook name: chartsnap-kong-validation-webhook
namespace: default namespace: default
spec: spec:
@@ -881,8 +913,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
- object: - object:
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
@@ -891,8 +923,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
""" """

102
build_system/charts/open-appsec-kong/ci/__snapshots__/kong-ingress-4-values.snap
View File

@@ -8,8 +8,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validations name: chartsnap-kong-validations
namespace: default namespace: default
webhooks: webhooks:
@@ -82,8 +82,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
spec: spec:
@@ -105,9 +105,9 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
version: \"3.5\" version: \"3.6\"
spec: spec:
automountServiceAccountToken: false automountServiceAccountToken: false
containers: containers:
@@ -135,7 +135,7 @@ SnapShot = """
value: https://localhost:8444 value: https://localhost:8444
- name: CONTROLLER_PUBLISH_SERVICE - name: CONTROLLER_PUBLISH_SERVICE
value: default/chartsnap-kong-proxy value: default/chartsnap-kong-proxy
image: kong/kubernetes-ingress-controller:3.0 image: kong/kubernetes-ingress-controller:3.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:
failureThreshold: 3 failureThreshold: 3
@@ -156,7 +156,7 @@ SnapShot = """
name: cmetrics name: cmetrics
protocol: TCP protocol: TCP
- containerPort: 10254 - containerPort: 10254
name: status name: cstatus
protocol: TCP protocol: TCP
readinessProbe: readinessProbe:
failureThreshold: 3 failureThreshold: 3
@@ -237,7 +237,7 @@ SnapShot = """
value: \"off\" value: \"off\"
- name: KONG_NGINX_DAEMON - name: KONG_NGINX_DAEMON
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
preStop: preStop:
@@ -347,7 +347,7 @@ SnapShot = """
value: 0.0.0.0:8100, [::]:8100 value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN - name: KONG_STREAM_LISTEN
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: clear-stale-pid name: clear-stale-pid
resources: {} resources: {}
@@ -404,8 +404,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy name: chartsnap-kong-proxy
namespace: default namespace: default
spec: spec:
@@ -463,8 +463,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
rules: rules:
- apiGroups: - apiGroups:
@@ -672,6 +672,38 @@ SnapShot = """
- get - get
- list - list
- watch - watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults/status
verbs:
- get
- patch
- update
- apiGroups: - apiGroups:
- configuration.konghq.com - configuration.konghq.com
resources: resources:
@@ -711,8 +743,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
@@ -730,8 +762,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
rules: rules:
@@ -794,8 +826,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
roleRef: roleRef:
@@ -817,8 +849,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-ca-keypair name: chartsnap-kong-validation-webhook-ca-keypair
namespace: default namespace: default
type: kubernetes.io/tls type: kubernetes.io/tls
@@ -833,8 +865,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-keypair name: chartsnap-kong-validation-webhook-keypair
namespace: default namespace: default
type: kubernetes.io/tls type: kubernetes.io/tls
@@ -864,8 +896,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-manager name: chartsnap-kong-manager
namespace: default namespace: default
spec: spec:
@@ -891,9 +923,9 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
enable-metrics: \"true\" enable-metrics: \"true\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy name: chartsnap-kong-proxy
namespace: default namespace: default
spec: spec:
@@ -919,8 +951,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook name: chartsnap-kong-validation-webhook
namespace: default namespace: default
spec: spec:
@@ -934,8 +966,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
- object: - object:
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
@@ -944,8 +976,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
""" """

912
build_system/charts/open-appsec-kong/ci/__snapshots__/kong-ingress-5-3.1-rbac-values.snap Normal file
View File

@@ -0,0 +1,912 @@
['kong-ingress-5-3.1-rbac-values']
SnapShot = """
- object:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validations
namespace: default
webhooks:
- admissionReviewVersions:
- v1beta1
clientConfig:
caBundle: '###DYNAMIC_FIELD###'
service:
name: chartsnap-kong-validation-webhook
namespace: default
failurePolicy: Ignore
name: validations.kong.konghq.com
objectSelector:
matchExpressions:
- key: owner
operator: NotIn
values:
- helm
rules:
- apiGroups:
- configuration.konghq.com
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- kongconsumers
- kongplugins
- kongclusterplugins
- kongingresses
- apiGroups:
- \"\"
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- secrets
- services
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
- apiGroups:
- gateway.networking.k8s.io
apiVersions:
- v1alpha2
- v1beta1
- v1
operations:
- CREATE
- UPDATE
resources:
- gateways
- httproutes
sideEffects: None
- object:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
template:
metadata:
annotations:
kuma.io/gateway: enabled
kuma.io/service-account-token-volume: chartsnap-kong-token
traffic.sidecar.istio.io/includeInboundPorts: \"\"
labels:
app: chartsnap-kong
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
version: \"3.6\"
spec:
automountServiceAccountToken: false
containers:
- args: null
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
value: 0.0.0.0:8080
- name: CONTROLLER_ANONYMOUS_REPORTS
value: \"false\"
- name: CONTROLLER_ELECTION_ID
value: kong-ingress-controller-leader-kong
- name: CONTROLLER_INGRESS_CLASS
value: kong
- name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
value: \"true\"
- name: CONTROLLER_KONG_ADMIN_URL
value: https://localhost:8444
- name: CONTROLLER_PUBLISH_SERVICE
value: default/chartsnap-kong-proxy
image: kong/kubernetes-ingress-controller:3.1.0
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: ingress-controller
ports:
- containerPort: 8080
name: webhook
protocol: TCP
- containerPort: 10255
name: cmetrics
protocol: TCP
- containerPort: 10254
name: cstatus
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /readyz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /admission-webhook
name: webhook-cert
readOnly: true
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: chartsnap-kong-token
readOnly: true
- env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_ANONYMOUS_REPORTS
value: \"off\"
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
- name: KONG_NGINX_DAEMON
value: \"off\"
image: kong:3.6
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- kong
- quit
- --wait=15
livenessProbe:
failureThreshold: 3
httpGet:
path: /status
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: proxy
ports:
- containerPort: 8000
name: proxy
protocol: TCP
- containerPort: 8443
name: proxy-tls
protocol: TCP
- containerPort: 8100
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /status/ready
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
initContainers:
- command:
- rm
- -vrf
- $KONG_PREFIX/pids
env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_ANONYMOUS_REPORTS
value: \"off\"
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
image: kong:3.6
imagePullPolicy: IfNotPresent
name: clear-stale-pid
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
securityContext: {}
serviceAccountName: chartsnap-kong
terminationGracePeriodSeconds: 30
volumes:
- emptyDir:
sizeLimit: 256Mi
name: chartsnap-kong-prefix-dir
- emptyDir:
sizeLimit: 1Gi
name: chartsnap-kong-tmp
- name: chartsnap-kong-token
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
- name: webhook-cert
secret:
secretName: chartsnap-kong-validation-webhook-keypair
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
rules:
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups/status
verbs:
- get
- patch
- update
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- secrets
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- services/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- ingressclassparameterses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
rules:
- apiGroups:
- \"\"
resources:
- configmaps
- pods
- secrets
- namespaces
verbs:
- get
- apiGroups:
- \"\"
resourceNames:
- kong-ingress-controller-leader-kong-kong
resources:
- configmaps
verbs:
- get
- update
- apiGroups:
- \"\"
resources:
- configmaps
verbs:
- create
- apiGroups:
- \"\"
- coordination.k8s.io
resources:
- configmaps
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-ca-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-manager
namespace: default
spec:
ports:
- name: kong-manager
port: 8002
protocol: TCP
targetPort: 8002
- name: kong-manager-tls
port: 8445
protocol: TCP
targetPort: 8445
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: NodePort
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
enable-metrics: \"true\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy
namespace: default
spec:
ports:
- name: kong-proxy
port: 80
protocol: TCP
targetPort: 8000
- name: kong-proxy-tls
port: 443
protocol: TCP
targetPort: 8443
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: LoadBalancer
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook
namespace: default
spec:
ports:
- name: webhook
port: 443
protocol: TCP
targetPort: webhook
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
- object:
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
"""

908
build_system/charts/open-appsec-kong/ci/__snapshots__/proxy-appprotocol-values.snap Normal file
View File

@@ -0,0 +1,908 @@
[proxy-appprotocol-values]
SnapShot = """
- object:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validations
namespace: default
webhooks:
- admissionReviewVersions:
- v1beta1
clientConfig:
caBundle: '###DYNAMIC_FIELD###'
service:
name: chartsnap-kong-validation-webhook
namespace: default
failurePolicy: Ignore
name: validations.kong.konghq.com
objectSelector:
matchExpressions:
- key: owner
operator: NotIn
values:
- helm
rules:
- apiGroups:
- configuration.konghq.com
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- kongconsumers
- kongplugins
- kongclusterplugins
- kongingresses
- apiGroups:
- \"\"
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- secrets
- services
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
- apiGroups:
- gateway.networking.k8s.io
apiVersions:
- v1alpha2
- v1beta1
- v1
operations:
- CREATE
- UPDATE
resources:
- gateways
- httproutes
sideEffects: None
- object:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
template:
metadata:
annotations:
kuma.io/gateway: enabled
kuma.io/service-account-token-volume: chartsnap-kong-token
traffic.sidecar.istio.io/includeInboundPorts: \"\"
labels:
app: chartsnap-kong
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
version: \"3.6\"
spec:
automountServiceAccountToken: false
containers:
- args: null
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
value: 0.0.0.0:8080
- name: CONTROLLER_ELECTION_ID
value: kong-ingress-controller-leader-kong
- name: CONTROLLER_INGRESS_CLASS
value: kong
- name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
value: \"true\"
- name: CONTROLLER_KONG_ADMIN_URL
value: https://localhost:8444
- name: CONTROLLER_PUBLISH_SERVICE
value: default/chartsnap-kong-proxy
image: kong/kubernetes-ingress-controller:3.1
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: ingress-controller
ports:
- containerPort: 8080
name: webhook
protocol: TCP
- containerPort: 10255
name: cmetrics
protocol: TCP
- containerPort: 10254
name: cstatus
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /readyz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /admission-webhook
name: webhook-cert
readOnly: true
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: chartsnap-kong-token
readOnly: true
- env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
- name: KONG_NGINX_DAEMON
value: \"off\"
image: kong:3.6
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- kong
- quit
- --wait=15
livenessProbe:
failureThreshold: 3
httpGet:
path: /status
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: proxy
ports:
- containerPort: 8000
name: proxy
protocol: TCP
- containerPort: 8443
name: proxy-tls
protocol: TCP
- containerPort: 8100
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /status/ready
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
initContainers:
- command:
- rm
- -vrf
- $KONG_PREFIX/pids
env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
image: kong:3.6
imagePullPolicy: IfNotPresent
name: clear-stale-pid
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
securityContext: {}
serviceAccountName: chartsnap-kong
terminationGracePeriodSeconds: 30
volumes:
- emptyDir:
sizeLimit: 256Mi
name: chartsnap-kong-prefix-dir
- emptyDir:
sizeLimit: 1Gi
name: chartsnap-kong-tmp
- name: chartsnap-kong-token
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
- name: webhook-cert
secret:
secretName: chartsnap-kong-validation-webhook-keypair
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
rules:
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups/status
verbs:
- get
- patch
- update
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- secrets
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- services/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- ingressclassparameterses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
rules:
- apiGroups:
- \"\"
resources:
- configmaps
- pods
- secrets
- namespaces
verbs:
- get
- apiGroups:
- \"\"
resourceNames:
- kong-ingress-controller-leader-kong-kong
resources:
- configmaps
verbs:
- get
- update
- apiGroups:
- \"\"
resources:
- configmaps
verbs:
- create
- apiGroups:
- \"\"
- coordination.k8s.io
resources:
- configmaps
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-ca-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-manager
namespace: default
spec:
ports:
- name: kong-manager
port: 8002
protocol: TCP
targetPort: 8002
- name: kong-manager-tls
port: 8445
protocol: TCP
targetPort: 8445
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: NodePort
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
enable-metrics: \"true\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy
namespace: default
spec:
ports:
- appProtocol: http
name: kong-proxy
port: 80
protocol: TCP
targetPort: 8000
- appProtocol: https
name: kong-proxy-tls
port: 443
protocol: TCP
targetPort: 8443
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: LoadBalancer
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook
namespace: default
spec:
ports:
- name: webhook
port: 443
protocol: TCP
targetPort: webhook
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
- object:
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
"""

98
build_system/charts/open-appsec-kong/ci/__snapshots__/service-account.snap
View File

@@ -8,8 +8,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validations name: chartsnap-kong-validations
namespace: default namespace: default
webhooks: webhooks:
@@ -82,8 +82,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
spec: spec:
@@ -105,9 +105,9 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
version: \"3.5\" version: \"3.6\"
spec: spec:
automountServiceAccountToken: false automountServiceAccountToken: false
containers: containers:
@@ -135,7 +135,7 @@ SnapShot = """
value: https://localhost:8444 value: https://localhost:8444
- name: CONTROLLER_PUBLISH_SERVICE - name: CONTROLLER_PUBLISH_SERVICE
value: default/chartsnap-kong-proxy value: default/chartsnap-kong-proxy
image: kong/kubernetes-ingress-controller:3.0 image: kong/kubernetes-ingress-controller:3.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:
failureThreshold: 3 failureThreshold: 3
@@ -156,7 +156,7 @@ SnapShot = """
name: cmetrics name: cmetrics
protocol: TCP protocol: TCP
- containerPort: 10254 - containerPort: 10254
name: status name: cstatus
protocol: TCP protocol: TCP
readinessProbe: readinessProbe:
failureThreshold: 3 failureThreshold: 3
@@ -237,7 +237,7 @@ SnapShot = """
value: \"off\" value: \"off\"
- name: KONG_NGINX_DAEMON - name: KONG_NGINX_DAEMON
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
preStop: preStop:
@@ -347,7 +347,7 @@ SnapShot = """
value: 0.0.0.0:8100, [::]:8100 value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN - name: KONG_STREAM_LISTEN
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: clear-stale-pid name: clear-stale-pid
resources: {} resources: {}
@@ -404,8 +404,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
rules: rules:
- apiGroups: - apiGroups:
@@ -613,6 +613,38 @@ SnapShot = """
- get - get
- list - list
- watch - watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults/status
verbs:
- get
- patch
- update
- apiGroups: - apiGroups:
- configuration.konghq.com - configuration.konghq.com
resources: resources:
@@ -652,8 +684,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
@@ -671,8 +703,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
rules: rules:
@@ -735,8 +767,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
roleRef: roleRef:
@@ -758,8 +790,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-ca-keypair name: chartsnap-kong-validation-webhook-ca-keypair
namespace: default namespace: default
type: kubernetes.io/tls type: kubernetes.io/tls
@@ -774,8 +806,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-keypair name: chartsnap-kong-validation-webhook-keypair
namespace: default namespace: default
type: kubernetes.io/tls type: kubernetes.io/tls
@@ -787,8 +819,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-manager name: chartsnap-kong-manager
namespace: default namespace: default
spec: spec:
@@ -814,9 +846,9 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
enable-metrics: \"true\" enable-metrics: \"true\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy name: chartsnap-kong-proxy
namespace: default namespace: default
spec: spec:
@@ -842,8 +874,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook name: chartsnap-kong-validation-webhook
namespace: default namespace: default
spec: spec:
@@ -857,8 +889,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
- object: - object:
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
@@ -867,8 +899,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: my-kong-sa name: my-kong-sa
namespace: default namespace: default
""" """

92
build_system/charts/open-appsec-kong/ci/__snapshots__/single-image-default-values.snap
View File

@@ -8,8 +8,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validations name: chartsnap-kong-validations
namespace: default namespace: default
webhooks: webhooks:
@@ -82,8 +82,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
spec: spec:
@@ -105,9 +105,9 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
version: \"3.5\" version: \"3.6\"
spec: spec:
automountServiceAccountToken: false automountServiceAccountToken: false
containers: containers:
@@ -158,7 +158,7 @@ SnapShot = """
name: cmetrics name: cmetrics
protocol: TCP protocol: TCP
- containerPort: 10254 - containerPort: 10254
name: status name: cstatus
protocol: TCP protocol: TCP
readinessProbe: readinessProbe:
failureThreshold: 3 failureThreshold: 3
@@ -410,8 +410,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
rules: rules:
- apiGroups: - apiGroups:
@@ -619,6 +619,38 @@ SnapShot = """
- get - get
- list - list
- watch - watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults/status
verbs:
- get
- patch
- update
- apiGroups: - apiGroups:
- configuration.konghq.com - configuration.konghq.com
resources: resources:
@@ -658,8 +690,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
@@ -677,8 +709,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
rules: rules:
@@ -741,8 +773,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
roleRef: roleRef:
@@ -764,8 +796,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-ca-keypair name: chartsnap-kong-validation-webhook-ca-keypair
namespace: default namespace: default
type: kubernetes.io/tls type: kubernetes.io/tls
@@ -780,8 +812,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-keypair name: chartsnap-kong-validation-webhook-keypair
namespace: default namespace: default
type: kubernetes.io/tls type: kubernetes.io/tls
@@ -793,8 +825,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-manager name: chartsnap-kong-manager
namespace: default namespace: default
spec: spec:
@@ -820,9 +852,9 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
enable-metrics: \"true\" enable-metrics: \"true\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy name: chartsnap-kong-proxy
namespace: default namespace: default
spec: spec:
@@ -848,8 +880,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook name: chartsnap-kong-validation-webhook
namespace: default namespace: default
spec: spec:
@@ -863,8 +895,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
- object: - object:
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
@@ -873,8 +905,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
""" """

22
build_system/charts/open-appsec-kong/ci/__snapshots__/test-enterprise-version-3.4.0.0-values.snap
View File

@@ -9,8 +9,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
spec: spec:
@@ -32,9 +32,9 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
version: \"3.5\" version: \"3.6\"
spec: spec:
automountServiceAccountToken: false automountServiceAccountToken: false
containers: containers:
@@ -249,8 +249,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-manager name: chartsnap-kong-manager
namespace: default namespace: default
spec: spec:
@@ -276,9 +276,9 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
enable-metrics: \"true\" enable-metrics: \"true\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy name: chartsnap-kong-proxy
namespace: default namespace: default
spec: spec:
@@ -304,8 +304,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
""" """

106
build_system/charts/open-appsec-kong/ci/__snapshots__/test1-values.snap
View File

@@ -8,8 +8,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validations name: chartsnap-kong-validations
namespace: default namespace: default
webhooks: webhooks:
@@ -82,8 +82,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
spec: spec:
@@ -104,10 +104,10 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
environment: test environment: test
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
version: \"3.5\" version: \"3.6\"
spec: spec:
automountServiceAccountToken: false automountServiceAccountToken: false
containers: containers:
@@ -139,7 +139,7 @@ SnapShot = """
value: https://localhost:8444 value: https://localhost:8444
- name: CONTROLLER_PUBLISH_SERVICE - name: CONTROLLER_PUBLISH_SERVICE
value: default/chartsnap-kong-proxy value: default/chartsnap-kong-proxy
image: kong/kubernetes-ingress-controller:3.0 image: kong/kubernetes-ingress-controller:3.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:
failureThreshold: 3 failureThreshold: 3
@@ -160,7 +160,7 @@ SnapShot = """
name: cmetrics name: cmetrics
protocol: TCP protocol: TCP
- containerPort: 10254 - containerPort: 10254
name: status name: cstatus
protocol: TCP protocol: TCP
readinessProbe: readinessProbe:
failureThreshold: 3 failureThreshold: 3
@@ -252,7 +252,7 @@ SnapShot = """
value: \"off\" value: \"off\"
- name: KONG_NGINX_DAEMON - name: KONG_NGINX_DAEMON
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
preStop: preStop:
@@ -370,7 +370,7 @@ SnapShot = """
value: 0.0.0.0:8100, [::]:8100 value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN - name: KONG_STREAM_LISTEN
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: clear-stale-pid name: clear-stale-pid
resources: {} resources: {}
@@ -447,8 +447,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
spec: spec:
@@ -473,8 +473,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy name: chartsnap-kong-proxy
namespace: default namespace: default
spec: spec:
@@ -497,8 +497,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
rules: rules:
- apiGroups: - apiGroups:
@@ -706,6 +706,38 @@ SnapShot = """
- get - get
- list - list
- watch - watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults/status
verbs:
- get
- patch
- update
- apiGroups: - apiGroups:
- configuration.konghq.com - configuration.konghq.com
resources: resources:
@@ -745,8 +777,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
@@ -764,8 +796,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
rules: rules:
@@ -828,8 +860,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
roleRef: roleRef:
@@ -851,8 +883,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-ca-keypair name: chartsnap-kong-validation-webhook-ca-keypair
namespace: default namespace: default
type: kubernetes.io/tls type: kubernetes.io/tls
@@ -867,8 +899,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-keypair name: chartsnap-kong-validation-webhook-keypair
namespace: default namespace: default
type: kubernetes.io/tls type: kubernetes.io/tls
@@ -880,8 +912,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-manager name: chartsnap-kong-manager
namespace: default namespace: default
spec: spec:
@@ -907,9 +939,9 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
enable-metrics: \"true\" enable-metrics: \"true\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy name: chartsnap-kong-proxy
namespace: default namespace: default
spec: spec:
@@ -935,8 +967,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook name: chartsnap-kong-validation-webhook
namespace: default namespace: default
spec: spec:
@@ -950,8 +982,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
- object: - object:
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
@@ -960,8 +992,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
""" """

152
build_system/charts/open-appsec-kong/ci/__snapshots__/test2-values.snap
View File

@@ -8,8 +8,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validations name: chartsnap-kong-validations
namespace: default namespace: default
webhooks: webhooks:
@@ -83,8 +83,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
spec: spec:
@@ -111,9 +111,9 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
version: \"3.5\" version: \"3.6\"
spec: spec:
automountServiceAccountToken: false automountServiceAccountToken: false
containers: containers:
@@ -150,7 +150,7 @@ SnapShot = """
envFrom: envFrom:
- configMapRef: - configMapRef:
name: env-config name: env-config
image: kong/kubernetes-ingress-controller:3.0 image: kong/kubernetes-ingress-controller:3.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:
failureThreshold: 3 failureThreshold: 3
@@ -171,7 +171,7 @@ SnapShot = """
name: cmetrics name: cmetrics
protocol: TCP protocol: TCP
- containerPort: 10254 - containerPort: 10254
name: status name: cstatus
protocol: TCP protocol: TCP
readinessProbe: readinessProbe:
failureThreshold: 3 failureThreshold: 3
@@ -270,7 +270,7 @@ SnapShot = """
envFrom: envFrom:
- configMapRef: - configMapRef:
name: env-config name: env-config
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
preStop: preStop:
@@ -404,7 +404,7 @@ SnapShot = """
envFrom: envFrom:
- configMapRef: - configMapRef:
name: env-config name: env-config
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: clear-stale-pid name: clear-stale-pid
resources: {} resources: {}
@@ -507,7 +507,7 @@ SnapShot = """
envFrom: envFrom:
- configMapRef: - configMapRef:
name: env-config name: env-config
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: wait-for-db name: wait-for-db
resources: {} resources: {}
@@ -724,8 +724,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-init-migrations name: chartsnap-kong-init-migrations
namespace: default namespace: default
spec: spec:
@@ -740,8 +740,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: kong-init-migrations name: kong-init-migrations
spec: spec:
automountServiceAccountToken: false automountServiceAccountToken: false
@@ -819,7 +819,7 @@ SnapShot = """
envFrom: envFrom:
- configMapRef: - configMapRef:
name: env-config name: env-config
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: kong-migrations name: kong-migrations
resources: {} resources: {}
@@ -924,7 +924,7 @@ SnapShot = """
envFrom: envFrom:
- configMapRef: - configMapRef:
name: env-config name: env-config
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: wait-for-postgres name: wait-for-postgres
resources: {} resources: {}
@@ -977,8 +977,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-post-upgrade-migrations name: chartsnap-kong-post-upgrade-migrations
namespace: default namespace: default
spec: spec:
@@ -993,8 +993,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: kong-post-upgrade-migrations name: kong-post-upgrade-migrations
spec: spec:
automountServiceAccountToken: false automountServiceAccountToken: false
@@ -1072,7 +1072,7 @@ SnapShot = """
envFrom: envFrom:
- configMapRef: - configMapRef:
name: env-config name: env-config
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: kong-post-upgrade-migrations name: kong-post-upgrade-migrations
resources: {} resources: {}
@@ -1177,7 +1177,7 @@ SnapShot = """
envFrom: envFrom:
- configMapRef: - configMapRef:
name: env-config name: env-config
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: wait-for-postgres name: wait-for-postgres
resources: {} resources: {}
@@ -1232,8 +1232,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-pre-upgrade-migrations name: chartsnap-kong-pre-upgrade-migrations
namespace: default namespace: default
spec: spec:
@@ -1248,8 +1248,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: kong-pre-upgrade-migrations name: kong-pre-upgrade-migrations
spec: spec:
automountServiceAccountToken: false automountServiceAccountToken: false
@@ -1327,7 +1327,7 @@ SnapShot = """
envFrom: envFrom:
- configMapRef: - configMapRef:
name: env-config name: env-config
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: kong-upgrade-migrations name: kong-upgrade-migrations
resources: {} resources: {}
@@ -1432,7 +1432,7 @@ SnapShot = """
envFrom: envFrom:
- configMapRef: - configMapRef:
name: env-config name: env-config
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: wait-for-postgres name: wait-for-postgres
resources: {} resources: {}
@@ -1481,8 +1481,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy name: chartsnap-kong-proxy
namespace: default namespace: default
spec: spec:
@@ -1505,10 +1505,26 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
rules: rules:
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults/status
verbs:
- get
- patch
- update
- apiGroups: - apiGroups:
- configuration.konghq.com - configuration.konghq.com
resources: resources:
@@ -1548,8 +1564,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
@@ -1567,8 +1583,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
rules: rules:
@@ -1631,8 +1647,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-default name: chartsnap-kong-default
namespace: default namespace: default
rules: rules:
@@ -1841,6 +1857,22 @@ SnapShot = """
- get - get
- list - list
- watch - watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses/status
verbs:
- get
- patch
- update
- object: - object:
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
@@ -1849,8 +1881,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
roleRef: roleRef:
@@ -1869,8 +1901,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-default name: chartsnap-kong-default
namespace: default namespace: default
roleRef: roleRef:
@@ -1895,8 +1927,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-bash-wait-for-postgres name: chartsnap-kong-bash-wait-for-postgres
namespace: default namespace: default
- object: - object:
@@ -1917,8 +1949,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-ca-keypair name: chartsnap-kong-validation-webhook-ca-keypair
namespace: default namespace: default
type: kubernetes.io/tls type: kubernetes.io/tls
@@ -1933,8 +1965,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-keypair name: chartsnap-kong-validation-webhook-keypair
namespace: default namespace: default
type: kubernetes.io/tls type: kubernetes.io/tls
@@ -1961,8 +1993,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-manager name: chartsnap-kong-manager
namespace: default namespace: default
spec: spec:
@@ -1988,9 +2020,9 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
enable-metrics: \"true\" enable-metrics: \"true\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy name: chartsnap-kong-proxy
namespace: default namespace: default
spec: spec:
@@ -2024,8 +2056,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook name: chartsnap-kong-validation-webhook
namespace: default namespace: default
spec: spec:
@@ -2039,8 +2071,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
- object: - object:
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
@@ -2099,8 +2131,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
""" """

30
build_system/charts/open-appsec-kong/ci/__snapshots__/test3-values.snap
View File

@@ -9,8 +9,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
spec: spec:
@@ -33,9 +33,9 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
version: \"3.5\" version: \"3.6\"
spec: spec:
automountServiceAccountToken: false automountServiceAccountToken: false
containers: containers:
@@ -92,7 +92,7 @@ SnapShot = """
value: \"off\" value: \"off\"
- name: KONG_NGINX_DAEMON - name: KONG_NGINX_DAEMON
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
preStop: preStop:
@@ -208,7 +208,7 @@ SnapShot = """
value: 0.0.0.0:8100, [::]:8100 value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN - name: KONG_STREAM_LISTEN
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: clear-stale-pid name: clear-stale-pid
resources: {} resources: {}
@@ -295,8 +295,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-custom-dbless-config name: chartsnap-kong-custom-dbless-config
namespace: default namespace: default
- object: - object:
@@ -307,8 +307,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-manager name: chartsnap-kong-manager
namespace: default namespace: default
spec: spec:
@@ -334,9 +334,9 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
enable-metrics: \"true\" enable-metrics: \"true\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy name: chartsnap-kong-proxy
namespace: default namespace: default
spec: spec:
@@ -362,8 +362,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
""" """

34
build_system/charts/open-appsec-kong/ci/__snapshots__/test4-values.snap
View File

@@ -9,8 +9,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
spec: spec:
@@ -33,9 +33,9 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
version: \"3.5\" version: \"3.6\"
spec: spec:
automountServiceAccountToken: false automountServiceAccountToken: false
containers: containers:
@@ -92,7 +92,7 @@ SnapShot = """
value: 0.0.0.0:9000, [::]:9000, 0.0.0.0:9001 ssl, [::]:9001 ssl value: 0.0.0.0:9000, [::]:9000, 0.0.0.0:9001 ssl, [::]:9001 ssl
- name: KONG_NGINX_DAEMON - name: KONG_NGINX_DAEMON
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
preStop: preStop:
@@ -212,7 +212,7 @@ SnapShot = """
value: 0.0.0.0:8100, [::]:8100 value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN - name: KONG_STREAM_LISTEN
value: 0.0.0.0:9000, [::]:9000, 0.0.0.0:9001 ssl, [::]:9001 ssl value: 0.0.0.0:9000, [::]:9000, 0.0.0.0:9001 ssl, [::]:9001 ssl
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: clear-stale-pid name: clear-stale-pid
resources: {} resources: {}
@@ -271,8 +271,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy name: chartsnap-kong-proxy
namespace: default namespace: default
spec: spec:
@@ -304,8 +304,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-custom-dbless-config name: chartsnap-kong-custom-dbless-config
namespace: default namespace: default
- object: - object:
@@ -316,8 +316,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-manager name: chartsnap-kong-manager
namespace: default namespace: default
spec: spec:
@@ -343,9 +343,9 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
enable-metrics: \"true\" enable-metrics: \"true\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy name: chartsnap-kong-proxy
namespace: default namespace: default
spec: spec:
@@ -379,8 +379,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
""" """

144
build_system/charts/open-appsec-kong/ci/__snapshots__/test5-values.snap
View File

@@ -8,8 +8,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validations name: chartsnap-kong-validations
namespace: default namespace: default
webhooks: webhooks:
@@ -82,8 +82,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
spec: spec:
@@ -110,9 +110,9 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
version: \"3.5\" version: \"3.6\"
spec: spec:
automountServiceAccountToken: false automountServiceAccountToken: false
containers: containers:
@@ -142,7 +142,7 @@ SnapShot = """
value: https://localhost:8444 value: https://localhost:8444
- name: CONTROLLER_PUBLISH_SERVICE - name: CONTROLLER_PUBLISH_SERVICE
value: default/chartsnap-kong-proxy value: default/chartsnap-kong-proxy
image: kong/kubernetes-ingress-controller:3.0 image: kong/kubernetes-ingress-controller:3.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:
failureThreshold: 3 failureThreshold: 3
@@ -163,7 +163,7 @@ SnapShot = """
name: cmetrics name: cmetrics
protocol: TCP protocol: TCP
- containerPort: 10254 - containerPort: 10254
name: status name: cstatus
protocol: TCP protocol: TCP
readinessProbe: readinessProbe:
failureThreshold: 3 failureThreshold: 3
@@ -261,7 +261,7 @@ SnapShot = """
value: \"off\" value: \"off\"
- name: KONG_NGINX_DAEMON - name: KONG_NGINX_DAEMON
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
preStop: preStop:
@@ -388,7 +388,7 @@ SnapShot = """
value: 0.0.0.0:8100, [::]:8100 value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN - name: KONG_STREAM_LISTEN
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: clear-stale-pid name: clear-stale-pid
resources: {} resources: {}
@@ -477,7 +477,7 @@ SnapShot = """
value: 0.0.0.0:8100, [::]:8100 value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN - name: KONG_STREAM_LISTEN
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: wait-for-db name: wait-for-db
resources: {} resources: {}
@@ -694,8 +694,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-init-migrations name: chartsnap-kong-init-migrations
namespace: default namespace: default
spec: spec:
@@ -710,8 +710,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: kong-init-migrations name: kong-init-migrations
spec: spec:
automountServiceAccountToken: false automountServiceAccountToken: false
@@ -788,7 +788,7 @@ SnapShot = """
value: \"off\" value: \"off\"
- name: KONG_NGINX_DAEMON - name: KONG_NGINX_DAEMON
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: kong-migrations name: kong-migrations
resources: {} resources: {}
@@ -879,7 +879,7 @@ SnapShot = """
value: \"off\" value: \"off\"
- name: KONG_NGINX_DAEMON - name: KONG_NGINX_DAEMON
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: wait-for-postgres name: wait-for-postgres
resources: {} resources: {}
@@ -932,8 +932,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-post-upgrade-migrations name: chartsnap-kong-post-upgrade-migrations
namespace: default namespace: default
spec: spec:
@@ -948,8 +948,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: kong-post-upgrade-migrations name: kong-post-upgrade-migrations
spec: spec:
automountServiceAccountToken: false automountServiceAccountToken: false
@@ -1026,7 +1026,7 @@ SnapShot = """
value: \"off\" value: \"off\"
- name: KONG_NGINX_DAEMON - name: KONG_NGINX_DAEMON
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: kong-post-upgrade-migrations name: kong-post-upgrade-migrations
resources: {} resources: {}
@@ -1117,7 +1117,7 @@ SnapShot = """
value: \"off\" value: \"off\"
- name: KONG_NGINX_DAEMON - name: KONG_NGINX_DAEMON
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: wait-for-postgres name: wait-for-postgres
resources: {} resources: {}
@@ -1172,8 +1172,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-pre-upgrade-migrations name: chartsnap-kong-pre-upgrade-migrations
namespace: default namespace: default
spec: spec:
@@ -1188,8 +1188,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: kong-pre-upgrade-migrations name: kong-pre-upgrade-migrations
spec: spec:
automountServiceAccountToken: false automountServiceAccountToken: false
@@ -1266,7 +1266,7 @@ SnapShot = """
value: \"off\" value: \"off\"
- name: KONG_NGINX_DAEMON - name: KONG_NGINX_DAEMON
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: kong-upgrade-migrations name: kong-upgrade-migrations
resources: {} resources: {}
@@ -1357,7 +1357,7 @@ SnapShot = """
value: \"off\" value: \"off\"
- name: KONG_NGINX_DAEMON - name: KONG_NGINX_DAEMON
value: \"off\" value: \"off\"
image: kong:3.5 image: kong:3.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: wait-for-postgres name: wait-for-postgres
resources: {} resources: {}
@@ -1406,8 +1406,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy name: chartsnap-kong-proxy
namespace: default namespace: default
spec: spec:
@@ -1430,8 +1430,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
rules: rules:
- apiGroups: - apiGroups:
@@ -1639,6 +1639,38 @@ SnapShot = """
- get - get
- list - list
- watch - watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults/status
verbs:
- get
- patch
- update
- apiGroups: - apiGroups:
- configuration.konghq.com - configuration.konghq.com
resources: resources:
@@ -1678,8 +1710,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
@@ -1697,8 +1729,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
rules: rules:
@@ -1761,8 +1793,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
roleRef: roleRef:
@@ -1787,8 +1819,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-bash-wait-for-postgres name: chartsnap-kong-bash-wait-for-postgres
namespace: default namespace: default
- object: - object:
@@ -1802,8 +1834,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-ca-keypair name: chartsnap-kong-validation-webhook-ca-keypair
namespace: default namespace: default
type: kubernetes.io/tls type: kubernetes.io/tls
@@ -1818,8 +1850,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-keypair name: chartsnap-kong-validation-webhook-keypair
namespace: default namespace: default
type: kubernetes.io/tls type: kubernetes.io/tls
@@ -1846,8 +1878,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-manager name: chartsnap-kong-manager
namespace: default namespace: default
spec: spec:
@@ -1873,9 +1905,9 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
enable-metrics: \"true\" enable-metrics: \"true\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy name: chartsnap-kong-proxy
namespace: default namespace: default
spec: spec:
@@ -1901,8 +1933,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook name: chartsnap-kong-validation-webhook
namespace: default namespace: default
spec: spec:
@@ -1916,8 +1948,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
- object: - object:
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
@@ -1976,8 +2008,8 @@ SnapShot = """
app.kubernetes.io/instance: chartsnap app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\" app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.35.1 helm.sh/chart: kong-2.38.0
name: chartsnap-kong name: chartsnap-kong
namespace: default namespace: default
""" """

7
build_system/charts/open-appsec-kong/ci/kong-ingress-5-3.1-rbac-values.yaml Normal file
View File

@@ -0,0 +1,7 @@
env:
anonymous_reports: "off"
ingressController:
env:
anonymous_reports: "false"
image:
tag: "3.1.0"

7
build_system/charts/open-appsec-kong/ci/proxy-appprotocol-values.yaml Normal file
View File

@@ -0,0 +1,7 @@
# This values test that the `proxy.*.appProtocol` can be set to a custom value.
proxy:
http:
appProtocol: "http"
tls:
appProtocol: "https"

1950
build_system/charts/open-appsec-kong/crds/custom-resource-definitions.yaml
View File

File diff suppressed because it is too large Load Diff

26
build_system/charts/open-appsec-kong/templates/_helpers.tpl
View File

@@ -213,6 +213,9 @@ spec:
- name: kong-{{ .serviceName }} - name: kong-{{ .serviceName }}
port: {{ .http.servicePort }} port: {{ .http.servicePort }}
targetPort: {{ .http.containerPort }} targetPort: {{ .http.containerPort }}
{{- if .http.appProtocol }}
appProtocol: {{ .http.appProtocol }}
{{- end }}
{{- if (and (or (eq .type "LoadBalancer") (eq .type "NodePort")) (not (empty .http.nodePort))) }} {{- if (and (or (eq .type "LoadBalancer") (eq .type "NodePort")) (not (empty .http.nodePort))) }}
nodePort: {{ .http.nodePort }} nodePort: {{ .http.nodePort }}
{{- end }} {{- end }}
@@ -223,6 +226,9 @@ spec:
- name: kong-{{ .serviceName }}-tls - name: kong-{{ .serviceName }}-tls
port: {{ .tls.servicePort }} port: {{ .tls.servicePort }}
targetPort: {{ .tls.overrideServiceTargetPort | default .tls.containerPort }} targetPort: {{ .tls.overrideServiceTargetPort | default .tls.containerPort }}
{{- if .tls.appProtocol }}
appProtocol: {{ .tls.appProtocol }}
{{- end }}
{{- if (and (or (eq .type "LoadBalancer") (eq .type "NodePort")) (not (empty .tls.nodePort))) }} {{- if (and (or (eq .type "LoadBalancer") (eq .type "NodePort")) (not (empty .tls.nodePort))) }}
nodePort: {{ .tls.nodePort }} nodePort: {{ .tls.nodePort }}
{{- end }} {{- end }}
@@ -890,7 +896,7 @@ The name of the Service which will be used by the controller to update the Ingre
containerPort: 10255 containerPort: 10255
protocol: TCP protocol: TCP
{{- end }} {{- end }}
- name: status - name: cstatus
containerPort: 10254 containerPort: 10254
protocol: TCP protocol: TCP
env: env:
@@ -1647,6 +1653,24 @@ resource roles into their separate templates.
- get - get
- list - list
- watch - watch
{{- if (semverCompare ">= 3.1.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses/status
verbs:
- get
- patch
- update
{{- end -}}
{{- end -}} {{- end -}}
{{/* {{/*

2
build_system/charts/open-appsec-kong/templates/default-policy.yaml
View File

@@ -34,7 +34,7 @@ spec:
http-headers: false http-headers: false
request-body: false request-body: false
log-destination: log-destination:
cloud: false cloud: true
stdout: stdout:
format: json-formatted format: json-formatted
--- ---

12
build_system/charts/open-appsec-kong/values.yaml
View File

@@ -130,7 +130,7 @@ extraLabels: {}
# Specify Kong's Docker image and repository details here # Specify Kong's Docker image and repository details here
image: image:
repository: kong repository: kong
tag: "3.5" tag: "3.6"
# Kong Enterprise # Kong Enterprise
# repository: kong/kong-gateway # repository: kong/kong-gateway
# tag: "3.5" # tag: "3.5"
@@ -317,6 +317,10 @@ proxy:
parameters: parameters:
- http2 - http2
# Specify the Service's TLS port's appProtocol. This can be useful when integrating with
# external load balancers that require the `appProtocol` field to be set (e.g. GCP).
appProtocol: ""
# Define stream (TCP) listen # Define stream (TCP) listen
# To enable, remove "[]", uncomment the section below, and select your desired # To enable, remove "[]", uncomment the section below, and select your desired
# ports and parameters. Listens are dynamically named after their containerPort, # ports and parameters. Listens are dynamically named after their containerPort,
@@ -525,7 +529,7 @@ ingressController:
enabled: true enabled: true
image: image:
repository: kong/kubernetes-ingress-controller repository: kong/kubernetes-ingress-controller
tag: "3.0" tag: "3.1"
# Optionally set a semantic version for version-gated features. This can normally # Optionally set a semantic version for version-gated features. This can normally
# be left unset. You only need to set this if your tag is not a semver string, # be left unset. You only need to set this if your tag is not a semver string,
# such as when you are using a "next" tag. Set this to the effective semantic # such as when you are using a "next" tag. Set this to the effective semantic
@@ -1255,7 +1259,7 @@ appsec:
#registry: #registry:
repository: ghcr.io/openappsec repository: ghcr.io/openappsec
image: "agent" image: "agent"
tag: "1.1.5" tag: "1.1.8"
pullPolicy: Always pullPolicy: Always
securityContext: securityContext:
@@ -1269,7 +1273,7 @@ appsec:
kong: kong:
image: image:
repository: "ghcr.io/openappsec/kong-attachment" repository: "ghcr.io/openappsec/kong-attachment"
tag: "1.1.5" tag: "1.1.8"
configMapName: appsec-settings-configmap configMapName: appsec-settings-configmap
configMapContent: configMapContent:
crowdsec: crowdsec:

18
build_system/docker/entry.sh
View File

@@ -18,6 +18,10 @@ if [ ! -f /nano-service-installers/$ORCHESTRATION_INSTALLATION_SCRIPT ]; then
exit 1 exit 1
fi fi
if [ -z $1 ]; then
var_mode="--hybrid_mode"
fi
while true; do while true; do
if [ -z "$1" ]; then if [ -z "$1" ]; then
break break
@@ -27,24 +31,24 @@ while true; do
elif [ "$1" == "--proxy" ]; then elif [ "$1" == "--proxy" ]; then
shift shift
var_proxy="$1" var_proxy="$1"
elif [ "$1" == "--hybrid-mode" ]; then elif [ "$1" == "--hybrid-mode" ] || [ "$1" == "--standalone" ]; then
var_mode="--hybrid_mode" var_mode="--hybrid_mode"
elif [ "$1" == "--token" ]; then elif [ "$1" == "--token" ]; then
shift shift
var_token="$1" var_token="$1"
elif [ "$1" == "--standalone" ]; then
var_mode="--hybrid_mode"
var_token="cp-3fb5c718-5e39-47e6-8d5e-99b4bc5660b74b4b7fc8-5312-451d-a763-aaf7872703c0"
fi fi
shift shift
done done
if [ -z $var_token ]; then if [ -z $var_token ] && [ $var_mode != "--hybrid_mode" ]; then
echo "Error: Token was not provided as input argument." echo "Error: Token was not provided as input argument."
exit 1 exit 1
fi fi
orchestration_service_installation_flags="--token $var_token --container_mode --skip_registration" orchestration_service_installation_flags="--container_mode --skip_registration"
if [ ! -z $var_token ]; then
orchestration_service_installation_flags="$orchestration_service_installation_flags --token $var_token"
fi
if [ ! -z $var_fog_address ]; then if [ ! -z $var_fog_address ]; then
orchestration_service_installation_flags="$orchestration_service_installation_flags --fog $var_fog_address" orchestration_service_installation_flags="$orchestration_service_installation_flags --fog $var_fog_address"
fi fi
@@ -67,7 +71,7 @@ fi
/nano-service-installers/$CACHE_INSTALLATION_SCRIPT --install /nano-service-installers/$CACHE_INSTALLATION_SCRIPT --install
/nano-service-installers/$HTTP_TRANSACTION_HANDLER_SERVICE --install /nano-service-installers/$HTTP_TRANSACTION_HANDLER_SERVICE --install
if [ ! -z $CROWDSEC_ENABLED ]; then if [ "$CROWDSEC_ENABLED" == "true" ]; then
/nano-service-installers/$INTELLIGENCE_INSTALLATION_SCRIPT --install /nano-service-installers/$INTELLIGENCE_INSTALLATION_SCRIPT --install
/nano-service-installers/$CROWDSEC_INSTALLATION_SCRIPT --install /nano-service-installers/$CROWDSEC_INSTALLATION_SCRIPT --install
fi fi

1
components/CMakeLists.txt
View File

@@ -1,6 +1,5 @@
add_subdirectory(report_messaging) add_subdirectory(report_messaging)
add_subdirectory(http_manager) add_subdirectory(http_manager)
add_subdirectory(generic_rulebase)
add_subdirectory(signal_handler) add_subdirectory(signal_handler)
add_subdirectory(gradual_deployment) add_subdirectory(gradual_deployment)
add_subdirectory(packet) add_subdirectory(packet)

1
components/include/details_resolver.h
View File

@@ -34,6 +34,7 @@ public:
~DetailsResolver(); ~DetailsResolver();
void preload() override; void preload() override;
void init() override;
private: private:
class Impl; class Impl;

2
components/include/downloader.h
View File

@@ -21,6 +21,7 @@
#include "url_parser.h" #include "url_parser.h"
#include "i_agent_details.h" #include "i_agent_details.h"
#include "i_mainloop.h" #include "i_mainloop.h"
#include "i_environment.h"
#include "singleton.h" #include "singleton.h"
#include "component.h" #include "component.h"
@@ -32,6 +33,7 @@ class Downloader
Singleton::Consume<I_Encryptor>, Singleton::Consume<I_Encryptor>,
Singleton::Consume<I_MainLoop>, Singleton::Consume<I_MainLoop>,
Singleton::Consume<I_OrchestrationTools>, Singleton::Consume<I_OrchestrationTools>,
Singleton::Consume<I_Environment>,
Singleton::Consume<I_UpdateCommunication> Singleton::Consume<I_UpdateCommunication>
{ {
public: public:

4
components/include/i_generic_rulebase.h
View File

@@ -17,6 +17,7 @@
#include <vector> #include <vector>
#include "generic_rulebase/parameters_config.h" #include "generic_rulebase/parameters_config.h"
#include "generic_rulebase/triggers_config.h"
#include "generic_rulebase/zone.h" #include "generic_rulebase/zone.h"
#include "config.h" #include "config.h"
@@ -26,6 +27,9 @@ public:
virtual Maybe<Zone, Config::Errors> getLocalZone() const = 0; virtual Maybe<Zone, Config::Errors> getLocalZone() const = 0;
virtual Maybe<Zone, Config::Errors> getOtherZone() const = 0; virtual Maybe<Zone, Config::Errors> getOtherZone() const = 0;
virtual LogTriggerConf getLogTriggerConf(const std::string &trigger_Id) const = 0;
virtual ParameterException getParameterException(const std::string &parameter_Id) const = 0;
using ParameterKeyValues = std::unordered_map<std::string, std::set<std::string>>; using ParameterKeyValues = std::unordered_map<std::string, std::set<std::string>>;
virtual std::set<ParameterBehavior> getBehavior(const ParameterKeyValues &key_value_pairs) const = 0; virtual std::set<ParameterBehavior> getBehavior(const ParameterKeyValues &key_value_pairs) const = 0;

2
components/include/i_orchestration_tools.h
View File

@@ -117,7 +117,7 @@ public:
const std::string &conf_path) const = 0; const std::string &conf_path) const = 0;
virtual bool copyFile(const std::string &src_path, const std::string &dst_path) const = 0; virtual bool copyFile(const std::string &src_path, const std::string &dst_path) const = 0;
virtual bool doesFileExist(const std::string &file_path) const = 0; virtual bool doesFileExist(const std::string &file_path) const = 0;
virtual void getClusterId() const = 0; virtual void setClusterId() const = 0;
virtual void fillKeyInJson( virtual void fillKeyInJson(
const std::string &filename, const std::string &filename,
const std::string &_key, const std::string &_key,

2
components/include/i_waap_telemetry.h
View File

@@ -25,6 +25,7 @@ struct DecisionTelemetryData
std::string source; std::string source;
TrafficMethod method; TrafficMethod method;
int responseCode; int responseCode;
uint64_t elapsedTime;
std::set<std::string> attackTypes; std::set<std::string> attackTypes;
DecisionTelemetryData() : DecisionTelemetryData() :
@@ -36,6 +37,7 @@ struct DecisionTelemetryData
source(), source(),
method(POST), method(POST),
responseCode(0), responseCode(0),
elapsedTime(0),
attackTypes() attackTypes()
{ {
} }

4
components/include/package_handler.h
View File

@@ -17,6 +17,7 @@
#include "i_package_handler.h" #include "i_package_handler.h"
#include "i_orchestration_tools.h" #include "i_orchestration_tools.h"
#include "i_shell_cmd.h" #include "i_shell_cmd.h"
#include "i_environment.h"
#include "component.h" #include "component.h"
class PackageHandler class PackageHandler
@@ -24,7 +25,8 @@ class PackageHandler
public Component, public Component,
Singleton::Provide<I_PackageHandler>, Singleton::Provide<I_PackageHandler>,
Singleton::Consume<I_ShellCmd>, Singleton::Consume<I_ShellCmd>,
Singleton::Consume<I_OrchestrationTools> Singleton::Consume<I_OrchestrationTools>,
Singleton::Consume<I_Environment>
{ {
public: public:
PackageHandler(); PackageHandler();

3
components/include/report_messaging.h
View File

@@ -141,9 +141,12 @@ public:
ReportMessaging & operator<<(const LogField &field); ReportMessaging & operator<<(const LogField &field);
void setForceBuffering(bool _force_buffering);
private: private:
Report report; Report report;
bool is_async_message; bool is_async_message;
bool force_buffering = false;
MessageCategory message_type_tag; MessageCategory message_type_tag;
}; };

1
components/include/telemetry.h
View File

@@ -91,6 +91,7 @@ private:
MetricCalculations::Counter response_2xx{this, "reservedNgenG"}; MetricCalculations::Counter response_2xx{this, "reservedNgenG"};
MetricCalculations::Counter response_4xx{this, "reservedNgenH"}; MetricCalculations::Counter response_4xx{this, "reservedNgenH"};
MetricCalculations::Counter response_5xx{this, "reservedNgenI"}; MetricCalculations::Counter response_5xx{this, "reservedNgenI"};
MetricCalculations::Average<uint64_t> average_latency{this, "reservedNgenJ"};
}; };
class WaapAttackTypesMetrics : public WaapTelemetryBase class WaapAttackTypesMetrics : public WaapTelemetryBase

3
components/include/url_parser.h
View File

@@ -35,8 +35,10 @@ public:
bool isOverSSL() const { return over_ssl; } bool isOverSSL() const { return over_ssl; }
std::string getPort() const { return port; } std::string getPort() const { return port; }
std::string getQuery() const { return query; } std::string getQuery() const { return query; }
std::string getHost() const;
URLProtocol getProtocol() const { return protocol; } URLProtocol getProtocol() const { return protocol; }
std::string toString() const; std::string toString() const;
void setHost(const std::string &new_host);
void setQuery(const std::string &new_query); void setQuery(const std::string &new_query);
private: private:
@@ -47,6 +49,7 @@ private:
std::string base_url; std::string base_url;
std::string port; std::string port;
std::string query; std::string query;
std::string host;
URLProtocol protocol; URLProtocol protocol;
}; };

10
components/report_messaging/report_messaging.cc
View File

@@ -33,7 +33,9 @@ ReportMessaging::~ReportMessaging()
HTTPMethod::POST, HTTPMethod::POST,
url, url,
log_rest, log_rest,
message_type_tag message_type_tag,
MessageMetadata(),
force_buffering
); );
} catch (...) {} } catch (...) {}
} }
@@ -44,3 +46,9 @@ ReportMessaging::operator<<(const LogField &field)
report << field; report << field;
return *this; return *this;
} }
void
ReportMessaging::setForceBuffering(bool _force_buffering)
{
force_buffering = _force_buffering;
}

47
components/report_messaging/report_messaging_ut/report_messaging_ut.cc
View File

@@ -99,12 +99,55 @@ TEST_F(ReportMessagingTest, title_only)
" }\n" " }\n"
"}", "}",
_, _,
_,
_ _
) )
).Times(1); ).Times(1);
ReportMessaging("test", ReportIS::AudienceTeam::AGENT_CORE, 1, true, ReportIS::Tags::ACCESS_CONTROL); ReportMessaging("test", ReportIS::AudienceTeam::AGENT_CORE, 1, true, ReportIS::Tags::ACCESS_CONTROL);
} }
TEST_F(ReportMessagingTest, with_buffering)
{
EXPECT_CALL(
mock_messaging,
sendAsyncMessage(
_,
_,
"{\n"
" \"log\": {\n"
" \"eventTime\": \"Best Time ever\",\n"
" \"eventName\": \"test\",\n"
" \"eventSeverity\": \"Info\",\n"
" \"eventPriority\": \"Low\",\n"
" \"eventType\": \"Event Driven\",\n"
" \"eventLevel\": \"Log\",\n"
" \"eventLogLevel\": \"info\",\n"
" \"eventAudience\": \"Internal\",\n"
" \"eventAudienceTeam\": \"Agent Core\",\n"
" \"eventFrequency\": 0,\n"
" \"eventTags\": [\n"
" \"Access Control\"\n"
" ],\n"
" \"eventSource\": {\n"
" \"eventTraceId\": \"\",\n"
" \"eventSpanId\": \"\",\n"
" \"issuingEngineVersion\": \"\",\n"
" \"serviceName\": \"Unnamed Nano Service\"\n"
" },\n"
" \"eventData\": {\n"
" \"eventObject\": 1\n"
" }\n"
" }\n"
"}",
_,
_,
true
)
).Times(1);
ReportMessaging report("test", ReportIS::AudienceTeam::AGENT_CORE, 1, true, ReportIS::Tags::ACCESS_CONTROL);
report.setForceBuffering(true);
}
TEST_F(ReportMessagingTest, with_dynamic_fields) TEST_F(ReportMessagingTest, with_dynamic_fields)
{ {
EXPECT_CALL( EXPECT_CALL(
@@ -140,6 +183,7 @@ TEST_F(ReportMessagingTest, with_dynamic_fields)
" }\n" " }\n"
"}", "}",
_, _,
_,
_ _
) )
).Times(1); ).Times(1);
@@ -189,6 +233,7 @@ TEST_F(ReportMessagingTest, custom_event_object)
" }\n" " }\n"
"}", "}",
_, _,
_,
_ _
) )
).Times(1); ).Times(1);
@@ -243,6 +288,7 @@ TEST_F(ReportMessagingTest, custom_priority)
" }\n" " }\n"
"}", "}",
_, _,
_,
_ _
) )
).Times(1); ).Times(1);
@@ -309,6 +355,7 @@ TEST_F(ReportMessagingTest, with_env_details)
" }\n" " }\n"
"}", "}",
_, _,
_,
_ _
) )
).Times(1); ).Times(1);

4
components/security_apps/ips/include/ips_basic_policy.h
View File

@@ -50,9 +50,13 @@ public:
private: private:
void readRules(cereal::JSONInputArchive &ar); void readRules(cereal::JSONInputArchive &ar);
void readTriggerId(cereal::JSONInputArchive &ar);
void readExceptionId(cereal::JSONInputArchive &ar);
void readDefaultAction(cereal::JSONInputArchive &ar); void readDefaultAction(cereal::JSONInputArchive &ar);
std::vector<Rule> rules; std::vector<Rule> rules;
std::string trigger_id;
std::string exception_id;
}; };
#endif // __IPS_BASIC_POLICY_H__ #endif // __IPS_BASIC_POLICY_H__

20
components/security_apps/ips/include/ips_signatures.h
View File

@@ -27,6 +27,7 @@
#include "log_generator.h" #include "log_generator.h"
#include "parsed_context.h" #include "parsed_context.h"
#include "pm_hook.h" #include "pm_hook.h"
#include "i_generic_rulebase.h"
/// \namespace IPSSignatureSubTypes /// \namespace IPSSignatureSubTypes
/// \brief Namespace containing subtypes for IPS signatures. /// \brief Namespace containing subtypes for IPS signatures.
@@ -348,8 +349,16 @@ public:
/// \brief Construct a SignatureAndAction object. /// \brief Construct a SignatureAndAction object.
/// \param _signature The complete signature. /// \param _signature The complete signature.
/// \param _action The signature action. /// \param _action The signature action.
SignatureAndAction(std::shared_ptr<CompleteSignature> _signature, SignatureAction _action) : SignatureAndAction(
signature(_signature), action(_action) std::shared_ptr<CompleteSignature> _signature,
SignatureAction _action,
std::string _trigger_id,
std::string _exception_id)
:
signature(_signature),
action(_action),
trigger_id(_trigger_id),
exception_id(_exception_id)
{} {}
/// \brief Check if the signature is matched for prevention. /// \brief Check if the signature is matched for prevention.
@@ -375,6 +384,11 @@ public:
return signature->getContext(); return signature->getContext();
} }
LogTriggerConf getTrigger() const;
std::set<ParameterBehavior>
getBehavior(const std::unordered_map<std::string, std::set<std::string>> &exceptions_dict) const;
private: private:
/// \brief Get the action results for the IPS state. /// \brief Get the action results for the IPS state.
/// \param ips_state The IPS entry. /// \param ips_state The IPS entry.
@@ -382,6 +396,8 @@ private:
std::shared_ptr<CompleteSignature> signature; std::shared_ptr<CompleteSignature> signature;
SignatureAction action; SignatureAction action;
std::string trigger_id;
std::string exception_id;
}; };
} // namespace IPSSignatureSubTypes } // namespace IPSSignatureSubTypes

2
components/security_apps/ips/include/snort_basic_policy.h
View File

@@ -17,6 +17,8 @@ public:
private: private:
IPSSignatureSubTypes::SignatureAction action = IPSSignatureSubTypes::SignatureAction::IGNORE; IPSSignatureSubTypes::SignatureAction action = IPSSignatureSubTypes::SignatureAction::IGNORE;
std::vector<std::string> file_names; std::vector<std::string> file_names;
std::string trigger_id;
std::string exception_id;
}; };
#endif // __SNORT_BASIC_POLICY_H__ #endif // __SNORT_BASIC_POLICY_H__

26
components/security_apps/ips/ips_basic_policy.cc
View File

@@ -17,6 +17,8 @@ void
RuleSelector::load(cereal::JSONInputArchive &ar) RuleSelector::load(cereal::JSONInputArchive &ar)
{ {
readRules(ar); readRules(ar);
readTriggerId(ar);
readExceptionId(ar);
readDefaultAction(ar); readDefaultAction(ar);
} }
@@ -36,7 +38,7 @@ RuleSelector::selectSignatures() const
if (rule.isSignaturedMatched(*signature)) { if (rule.isSignaturedMatched(*signature)) {
if (rule.getAction() != IPSSignatureSubTypes::SignatureAction::IGNORE) { if (rule.getAction() != IPSSignatureSubTypes::SignatureAction::IGNORE) {
signature->setIndicators("Check Point", signatures_version); signature->setIndicators("Check Point", signatures_version);
res.emplace_back(signature, rule.getAction()); res.emplace_back(signature, rule.getAction(), trigger_id, exception_id);
} }
break; break;
} }
@@ -52,6 +54,28 @@ RuleSelector::readRules(cereal::JSONInputArchive &ar)
ar(cereal::make_nvp("rules", rules)); ar(cereal::make_nvp("rules", rules));
} }
void
RuleSelector::readTriggerId(cereal::JSONInputArchive &ar)
{
try {
ar(cereal::make_nvp("triggers", trigger_id));
} catch (const cereal::Exception &e) {
ar.setNextName(nullptr);
trigger_id = "";
}
}
void
RuleSelector::readExceptionId(cereal::JSONInputArchive &ar)
{
try {
ar(cereal::make_nvp("exceptions", exception_id));
} catch (const cereal::Exception &e) {
ar.setNextName(nullptr);
exception_id = "";
}
}
void void
RuleSelector::readDefaultAction(cereal::JSONInputArchive &ar) RuleSelector::readDefaultAction(cereal::JSONInputArchive &ar)
{ {

22
components/security_apps/ips/ips_signatures.cc
View File

@@ -280,8 +280,7 @@ SignatureAndAction::getAction(const IPSEntry &ips_state) const
exceptions_dict["sourceIdentifier"].insert(*env_source_identifier); exceptions_dict["sourceIdentifier"].insert(*env_source_identifier);
} }
I_GenericRulebase *i_rulebase = Singleton::Consume<I_GenericRulebase>::by<IPSComp>(); auto behaviors = getBehavior(exceptions_dict);
auto behaviors = i_rulebase->getBehavior(exceptions_dict);
set<BehaviorValue> override_actions; set<BehaviorValue> override_actions;
vector<string> override_ids; vector<string> override_ids;
@@ -315,6 +314,23 @@ static const auto url_query = LogTriggerConf::WebLogFields::webUrlQuery;
static const auto res_body = LogTriggerConf::WebLogFields::responseBody; static const auto res_body = LogTriggerConf::WebLogFields::responseBody;
static const auto res_code = LogTriggerConf::WebLogFields::responseCode; static const auto res_code = LogTriggerConf::WebLogFields::responseCode;
LogTriggerConf
SignatureAndAction::getTrigger() const
{
if (trigger_id.empty()) return getConfigurationWithDefault(LogTriggerConf(), "rulebase", "log");
return Singleton::Consume<I_GenericRulebase>::by<IPSComp>()->getLogTriggerConf(trigger_id);
}
set<ParameterBehavior>
SignatureAndAction::getBehavior(const unordered_map<string, set<string>> &exceptions_dict) const
{
I_GenericRulebase *i_rulebase = Singleton::Consume<I_GenericRulebase>::by<IPSComp>();
if (exception_id.empty()) return i_rulebase->getBehavior(exceptions_dict);
return i_rulebase->getParameterException(exception_id).getBehavior(exceptions_dict);
}
bool bool
SignatureAndAction::matchSilent(const Buffer &sample) const SignatureAndAction::matchSilent(const Buffer &sample) const
{ {
@@ -398,7 +414,7 @@ SignatureAndAction::isMatchedPrevent(const Buffer &context_buffer, const set<PMP
dbgDebug(D_IPS) << "Signature matched - sending log"; dbgDebug(D_IPS) << "Signature matched - sending log";
auto &trigger = getConfigurationWithDefault(default_triger, "rulebase", "log"); auto trigger = getTrigger();
bool is_prevent = get<0>(override_action) == IPSSignatureSubTypes::SignatureAction::PREVENT; bool is_prevent = get<0>(override_action) == IPSSignatureSubTypes::SignatureAction::PREVENT;
auto severity = signature->getSeverity() < IPSLevel::HIGH ? Severity::HIGH : Severity::CRITICAL; auto severity = signature->getSeverity() < IPSLevel::HIGH ? Severity::HIGH : Severity::CRITICAL;

41
components/security_apps/ips/ips_ut/component_ut.cc
View File

@@ -596,6 +596,8 @@ TEST_F(ComponentTest, check_filtering_by_year)
TEST_F(ComponentTest, log_fields) TEST_F(ComponentTest, log_fields)
{ {
generic_rulebase.preload();
generic_rulebase.init();
string config = string config =
"{" "{"
"\"IPS\": {" "\"IPS\": {"
@@ -632,6 +634,8 @@ TEST_F(ComponentTest, log_fields)
"\"assetId\": \"1-1-1\"," "\"assetId\": \"1-1-1\","
"\"practiceId\": \"2-2-2\"," "\"practiceId\": \"2-2-2\","
"\"practiceName\": \"practice1\"," "\"practiceName\": \"practice1\","
"\"triggers\": \"5eaeefde6765c30010bae8b6\","
"\"exceptions\": \"\","
"\"defaultAction\": \"Detect\"," "\"defaultAction\": \"Detect\","
"\"rules\": [" "\"rules\": ["
"{" "{"
@@ -643,10 +647,36 @@ TEST_F(ComponentTest, log_fields)
"]" "]"
"}" "}"
"]" "]"
"},"
"\"rulebase\": {"
"\"log\": ["
"{"
"\"context\": \"triggerId(5eaeefde6765c30010bae8b6)\","
"\"triggerName\": \"Logging Trigger\","
"\"triggerType\": \"log\","
"\"urlForSyslog\": \"\","
"\"urlForCef\": \"128.1.1.1:333\","
"\"acAllow\": false,"
"\"acDrop\": true,"
"\"complianceViolations\": true,"
"\"complianceWarnings\": true,"
"\"logToAgent\": true,"
"\"logToCloud\": true,"
"\"logToSyslog\": false,"
"\"logToCef\": true,"
"\"tpDetect\": true,"
"\"tpPrevent\": true,"
"\"verbosity\": \"Standard\","
"\"webBody\": true,"
"\"webHeaders\": true,"
"\"webRequests\": true,"
"\"webUrlPath\": true,"
"\"webUrlQuery\": true"
"}"
"]"
"}" "}"
"}"; "}";
loadPolicy(config); loadPolicy(config);
setTrigger();
EXPECT_CALL(table, createStateRValueRemoved(_, _)); EXPECT_CALL(table, createStateRValueRemoved(_, _));
EXPECT_CALL(table, getState(_)).WillRepeatedly(Return(&entry)); EXPECT_CALL(table, getState(_)).WillRepeatedly(Return(&entry));
@@ -829,6 +859,8 @@ TEST_F(ComponentTest, prxeem_exception_bug)
" \"practiceId\": \"2-2-2\"," " \"practiceId\": \"2-2-2\","
" \"practiceName\": \"practice1\"," " \"practiceName\": \"practice1\","
" \"defaultAction\": \"Prevent\"," " \"defaultAction\": \"Prevent\","
" \"triggers\": \"\","
" \"exceptions\": \"6c3867be-4da5-42c2-93dc-8f509a764004\","
" \"rules\": []" " \"rules\": []"
" }" " }"
" ]" " ]"
@@ -847,6 +879,11 @@ TEST_F(ComponentTest, prxeem_exception_bug)
" \"parameterId\": \"6c3867be-4da5-42c2-93dc-8f509a764003\"," " \"parameterId\": \"6c3867be-4da5-42c2-93dc-8f509a764003\","
" \"parameterType\": \"exceptions\"," " \"parameterType\": \"exceptions\","
" \"parameterName\": \"exception\"" " \"parameterName\": \"exception\""
" },"
" {"
" \"parameterId\": \"6c3867be-4da5-42c2-93dc-8f509a764004\","
" \"parameterType\": \"exceptions\","
" \"parameterName\": \"exception\""
" }" " }"
" ]," " ],"
" \"zoneId\": \"\"," " \"zoneId\": \"\","
@@ -855,7 +892,7 @@ TEST_F(ComponentTest, prxeem_exception_bug)
" ]," " ],"
" \"exception\": [" " \"exception\": ["
" {" " {"
" \"context\": \"parameterId(6c3867be-4da5-42c2-93dc-8f509a764003)\"," " \"context\": \"parameterId(6c3867be-4da5-42c2-93dc-8f509a764004)\","
" \"match\": {" " \"match\": {"
" \"type\": \"operator\"," " \"type\": \"operator\","
" \"op\": \"and\"," " \"op\": \"and\","

15
components/security_apps/ips/snort_basic_policy.cc
View File

@@ -16,6 +16,19 @@ using namespace std;
void void
SnortRuleSelector::load(cereal::JSONInputArchive &ar) SnortRuleSelector::load(cereal::JSONInputArchive &ar)
{ {
try {
ar(cereal::make_nvp("triggers", trigger_id));
} catch (const cereal::Exception &e) {
ar.setNextName(nullptr);
trigger_id = "";
}
try {
ar(cereal::make_nvp("exceptions", exception_id));
} catch (const cereal::Exception &e) {
ar.setNextName(nullptr);
exception_id = "";
}
string mode; string mode;
ar(cereal::make_nvp("mode", mode), cereal::make_nvp("files", file_names)); ar(cereal::make_nvp("mode", mode), cereal::make_nvp("files", file_names));
@@ -38,7 +51,7 @@ SnortRuleSelector::selectSignatures() const
for (auto &file : file_names) { for (auto &file : file_names) {
for (auto &signature : (*signatures).getSignatures(file)) { for (auto &signature : (*signatures).getSignatures(file)) {
res.emplace_back(signature, action); res.emplace_back(signature, action, trigger_id, exception_id);
} }
} }
return res; return res;

1
components/security_apps/layer_7_access_control/layer_7_access_control.cc
View File

@@ -37,6 +37,7 @@ public:
if (!ipv4_addresses.empty()) ipv4_address = ipv4_addresses.front(); if (!ipv4_addresses.empty()) ipv4_address = ipv4_addresses.front();
} catch (const cereal::Exception &e) { } catch (const cereal::Exception &e) {
dbgWarning(D_L7_ACCESS_CONTROL) << "Failed to load IP reputation data JSON. Error: " << e.what(); dbgWarning(D_L7_ACCESS_CONTROL) << "Failed to load IP reputation data JSON. Error: " << e.what();
ar.setNextName(nullptr);
} }
} }

43
components/security_apps/local_policy_mgmt_gen/access_control_practice.cc
View File

@@ -12,20 +12,34 @@
// limitations under the License. // limitations under the License.
#include "access_control_practice.h" #include "access_control_practice.h"
#include "new_practice.h"
using namespace std; using namespace std;
USE_DEBUG_FLAG(D_LOCAL_POLICY); USE_DEBUG_FLAG(D_LOCAL_POLICY);
// LCOV_EXCL_START Reason: no test exist // LCOV_EXCL_START Reason: no test exist
static const map<string, string> valid_modes_to_key = { static const set<string> valid_modes = {
"prevent",
"detect",
"inactive",
"prevent-learn",
"detect-learn",
"as-top-level",
"inherited"
};
static const unordered_map<string, string> valid_modes_to_key = {
{"prevent", "Active"}, {"prevent", "Active"},
{"prevent-learn", "Active"},
{"detect", "Detect"}, {"detect", "Detect"},
{"detect-learn", "Detect"},
{"inactive", "Inactive"} {"inactive", "Inactive"}
}; };
static const set<string> valid_units = {"minute", "second"}; static const set<string> valid_units = {"minute", "second"};
static const std::unordered_map<std::string, std::string> key_to_units_val = { static const unordered_map<std::string, std::string> key_to_units_val = {
{ "second", "Second"}, { "second", "Second"},
{ "minute", "Minute"} { "minute", "Minute"}
}; };
@@ -177,13 +191,10 @@ void
AccessControlRateLimit::load(cereal::JSONInputArchive &archive_in) AccessControlRateLimit::load(cereal::JSONInputArchive &archive_in)
{ {
dbgTrace(D_LOCAL_POLICY) << "Loading Access control rate limit"; dbgTrace(D_LOCAL_POLICY) << "Loading Access control rate limit";
string in_mode; parseMandatoryAppsecJSONKey<string>("overrideMode", mode, archive_in, "inactive");
parseAppsecJSONKey<string>("overrideMode", in_mode, archive_in, "detect"); if (valid_modes.find(mode) == valid_modes.end()) {
if (valid_modes_to_key.find(in_mode) == valid_modes_to_key.end()) { dbgWarning(D_LOCAL_POLICY) << "AppSec access control rate limit override mode invalid: " << mode;
dbgWarning(D_LOCAL_POLICY) << "AppSec access control rate limit override mode invalid: " << in_mode; throw PolicyGenException("AppSec access control rate limit override mode invalid: " + mode);
throw PolicyGenException("AppSec access control rate limit override mode invalid: " + in_mode);
} else {
mode = valid_modes_to_key.at(in_mode);
} }
parseAppsecJSONKey<std::vector<AccessControlRateLimiteRules>>("rules", rules, archive_in); parseAppsecJSONKey<std::vector<AccessControlRateLimiteRules>>("rules", rules, archive_in);
} }
@@ -205,9 +216,10 @@ AccessControlRateLimit::getRules() const
} }
const string & const string &
AccessControlRateLimit::getMode() const AccessControlRateLimit::getMode(const std::string &default_mode) const
{ {
return mode; const string &res = getModeWithDefault(mode, default_mode, valid_modes_to_key);
return res;
} }
void void
@@ -216,6 +228,7 @@ AccessControlPracticeSpec::load(cereal::JSONInputArchive &archive_in)
dbgTrace(D_LOCAL_POLICY) << "Loading AppSec practice spec"; dbgTrace(D_LOCAL_POLICY) << "Loading AppSec practice spec";
parseAppsecJSONKey<string>("name", practice_name, archive_in); parseAppsecJSONKey<string>("name", practice_name, archive_in);
parseAppsecJSONKey<string>("practiceMode", mode, archive_in);
parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in); parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in);
parseMandatoryAppsecJSONKey<AccessControlRateLimit>("rateLimit", rate_limit, archive_in); parseMandatoryAppsecJSONKey<AccessControlRateLimit>("rateLimit", rate_limit, archive_in);
} }
@@ -227,7 +240,7 @@ AccessControlPracticeSpec::setName(const string &_name)
} }
const AccessControlRateLimit & const AccessControlRateLimit &
AccessControlPracticeSpec::geRateLimit() const AccessControlPracticeSpec::getRateLimit() const
{ {
return rate_limit; return rate_limit;
} }
@@ -243,4 +256,10 @@ AccessControlPracticeSpec::getName() const
{ {
return practice_name; return practice_name;
} }
const string &
AccessControlPracticeSpec::getMode(const std::string &default_mode) const
{
return isModeInherited(mode) ? default_mode : mode;
}
// LCOV_EXCL_STOP // LCOV_EXCL_STOP

21
components/security_apps/local_policy_mgmt_gen/appsec_practice_section.cc
View File

@@ -133,7 +133,7 @@ AppSecPracticeWebAttacks::load(cereal::JSONInputArchive &archive_in)
{ {
dbgTrace(D_LOCAL_POLICY) << "Loading AppSec practice spec"; dbgTrace(D_LOCAL_POLICY) << "Loading AppSec practice spec";
parseAppsecJSONKey<AppSecWebAttackProtections>("protections", protections, archive_in); parseAppsecJSONKey<AppSecWebAttackProtections>("protections", protections, archive_in);
parseAppsecJSONKey<string>("override-mode", mode, archive_in, "Unset"); parseAppsecJSONKey<string>("override-mode", mode, archive_in, "as-top-level");
if (valid_modes.count(mode) == 0) { if (valid_modes.count(mode) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec practice override mode invalid: " << mode; dbgWarning(D_LOCAL_POLICY) << "AppSec practice override mode invalid: " << mode;
} }
@@ -187,7 +187,7 @@ AppSecPracticeWebAttacks::getMinimumConfidence() const
const string & const string &
AppSecPracticeWebAttacks::getMode(const string &default_mode) const AppSecPracticeWebAttacks::getMode(const string &default_mode) const
{ {
if (mode == "Unset" || (key_to_practices_val2.find(mode) == key_to_practices_val2.end())) { if (isModeInherited(mode) || (key_to_practices_val2.find(mode) == key_to_practices_val2.end())) {
dbgError(D_LOCAL_POLICY) << "Couldn't find a value for key: " << mode << ". Returning " << default_mode; dbgError(D_LOCAL_POLICY) << "Couldn't find a value for key: " << mode << ". Returning " << default_mode;
return default_mode; return default_mode;
} }
@@ -429,6 +429,9 @@ WebAppSection::WebAppSection(
context(_context), context(_context),
web_attack_mitigation_severity(parsed_appsec_spec.getWebAttacks().getMinimumConfidence()), web_attack_mitigation_severity(parsed_appsec_spec.getWebAttacks().getMinimumConfidence()),
web_attack_mitigation_mode(parsed_appsec_spec.getWebAttacks().getMode(default_mode)), web_attack_mitigation_mode(parsed_appsec_spec.getWebAttacks().getMode(default_mode)),
csrf_protection_mode("Disabled"),
open_redirect_mode("Disabled"),
error_disclosure_mode("Disabled"),
practice_advanced_config(parsed_appsec_spec), practice_advanced_config(parsed_appsec_spec),
anti_bots(parsed_appsec_spec.getAntiBot()), anti_bots(parsed_appsec_spec.getAntiBot()),
trusted_sources({ parsed_trusted_sources }) trusted_sources({ parsed_trusted_sources })
@@ -451,6 +454,7 @@ WebAppSection::WebAppSection(
} }
} }
// Used for V1Beta2
WebAppSection::WebAppSection( WebAppSection::WebAppSection(
const string &_application_urls, const string &_application_urls,
const string &_asset_id, const string &_asset_id,
@@ -465,7 +469,8 @@ WebAppSection::WebAppSection(
const PracticeAdvancedConfig &_practice_advanced_config, const PracticeAdvancedConfig &_practice_advanced_config,
const AppsecPracticeAntiBotSection &_anti_bots, const AppsecPracticeAntiBotSection &_anti_bots,
const LogTriggerSection &parsed_log_trigger, const LogTriggerSection &parsed_log_trigger,
const AppSecTrustedSources &parsed_trusted_sources) const AppSecTrustedSources &parsed_trusted_sources,
const NewAppSecWebAttackProtections &protections)
: :
application_urls(_application_urls), application_urls(_application_urls),
asset_id(_asset_id), asset_id(_asset_id),
@@ -489,6 +494,10 @@ WebAppSection::WebAppSection(
web_attack_mitigation_severity == "medium" ? "high" : web_attack_mitigation_severity == "medium" ? "high" :
"Error"; "Error";
csrf_protection_mode = protections.getCsrfProtectionMode(_web_attack_mitigation_mode);
open_redirect_mode = protections.getOpenRedirectMode(_web_attack_mitigation_mode);
error_disclosure_mode = protections.getErrorDisclosureMode(_web_attack_mitigation_mode);
triggers.push_back(TriggersInWaapSection(parsed_log_trigger)); triggers.push_back(TriggersInWaapSection(parsed_log_trigger));
for (const SourcesIdentifiers &source_ident : parsed_trusted_sources.getSourcesIdentifiers()) { for (const SourcesIdentifiers &source_ident : parsed_trusted_sources.getSourcesIdentifiers()) {
overrides.push_back(AppSecOverride(source_ident)); overrides.push_back(AppSecOverride(source_ident));
@@ -510,9 +519,9 @@ WebAppSection::save(cereal::JSONOutputArchive &out_ar) const
cereal::make_nvp("webAttackMitigationAction", web_attack_mitigation_action), cereal::make_nvp("webAttackMitigationAction", web_attack_mitigation_action),
cereal::make_nvp("webAttackMitigationMode", web_attack_mitigation_mode), cereal::make_nvp("webAttackMitigationMode", web_attack_mitigation_mode),
cereal::make_nvp("practiceAdvancedConfig", practice_advanced_config), cereal::make_nvp("practiceAdvancedConfig", practice_advanced_config),
cereal::make_nvp("csrfProtection", disabled_str), cereal::make_nvp("csrfProtection", csrf_protection_mode),
cereal::make_nvp("openRedirect", disabled_str), cereal::make_nvp("openRedirect", open_redirect_mode),
cereal::make_nvp("errorDisclosure", disabled_str), cereal::make_nvp("errorDisclosure", error_disclosure_mode),
cereal::make_nvp("practiceId", practice_id), cereal::make_nvp("practiceId", practice_id),
cereal::make_nvp("practiceName", practice_name), cereal::make_nvp("practiceName", practice_name),
cereal::make_nvp("assetId", asset_id), cereal::make_nvp("assetId", asset_id),

6
components/security_apps/local_policy_mgmt_gen/include/access_control_practice.h
View File

@@ -165,7 +165,7 @@ public:
void load(cereal::JSONInputArchive &archive_in); void load(cereal::JSONInputArchive &archive_in);
const std::vector<AccessControlRateLimiteRules> & getRules() const; const std::vector<AccessControlRateLimiteRules> & getRules() const;
const std::string & getMode() const; const std::string & getMode(const std::string &default_mode = "inactive") const;
std::vector<RateLimitRulesSection> createRateLimitRulesSection(const RateLimitRulesTriggerSection &trigger) const; std::vector<RateLimitRulesSection> createRateLimitRulesSection(const RateLimitRulesTriggerSection &trigger) const;
private: private:
@@ -178,15 +178,17 @@ class AccessControlPracticeSpec
public: public:
void load(cereal::JSONInputArchive &archive_in); void load(cereal::JSONInputArchive &archive_in);
const AccessControlRateLimit & geRateLimit() const; const AccessControlRateLimit &getRateLimit() const;
const std::string & getAppSecClassName() const; const std::string & getAppSecClassName() const;
const std::string & getName() const; const std::string & getName() const;
const std::string & getMode(const std::string &default_mode = "inactive") const;
void setName(const std::string &_name); void setName(const std::string &_name);
private: private:
AccessControlRateLimit rate_limit; AccessControlRateLimit rate_limit;
std::string appsec_class_name; std::string appsec_class_name;
std::string practice_name; std::string practice_name;
std::string mode;
}; };
#endif // __ACCESS_CONTROL_PRACTICE_H__ #endif // __ACCESS_CONTROL_PRACTICE_H__

7
components/security_apps/local_policy_mgmt_gen/include/appsec_practice_section.h
View File

@@ -278,6 +278,7 @@ public:
const std::vector<InnerException> &parsed_exceptions const std::vector<InnerException> &parsed_exceptions
); );
// used for V1beta2
WebAppSection( WebAppSection(
const std::string &_application_urls, const std::string &_application_urls,
const std::string &_asset_id, const std::string &_asset_id,
@@ -292,7 +293,8 @@ public:
const PracticeAdvancedConfig &_practice_advanced_config, const PracticeAdvancedConfig &_practice_advanced_config,
const AppsecPracticeAntiBotSection &_anti_bots, const AppsecPracticeAntiBotSection &_anti_bots,
const LogTriggerSection &parsed_log_trigger, const LogTriggerSection &parsed_log_trigger,
const AppSecTrustedSources &parsed_trusted_sources); const AppSecTrustedSources &parsed_trusted_sources,
const NewAppSecWebAttackProtections &protections);
void save(cereal::JSONOutputArchive &out_ar) const; void save(cereal::JSONOutputArchive &out_ar) const;
@@ -310,6 +312,9 @@ private:
std::string web_attack_mitigation_action; std::string web_attack_mitigation_action;
std::string web_attack_mitigation_severity; std::string web_attack_mitigation_severity;
std::string web_attack_mitigation_mode; std::string web_attack_mitigation_mode;
std::string csrf_protection_mode;
std::string open_redirect_mode;
std::string error_disclosure_mode;
bool web_attack_mitigation; bool web_attack_mitigation;
std::vector<TriggersInWaapSection> triggers; std::vector<TriggersInWaapSection> triggers;
PracticeAdvancedConfig practice_advanced_config; PracticeAdvancedConfig practice_advanced_config;

3
components/security_apps/local_policy_mgmt_gen/include/local_policy_common.h
View File

@@ -97,8 +97,7 @@ parseAppsecJSONKey(
value = default_value; value = default_value;
if (!mandatory) { if (!mandatory) {
dbgDebug(D_LOCAL_POLICY) dbgDebug(D_LOCAL_POLICY)
<< "Could not parse the required key. Key: \""<< key_name << "Could not parse a non-mandatory key: \""<< key_name << "\", Error: " << e.what();
<< "\", Error: " << e.what();
} else { } else {
throw PolicyGenException( throw PolicyGenException(
"Could not parse a mandatory key: \"" + key_name + "\", Error: " + std::string(e.what()) "Could not parse a mandatory key: \"" + key_name + "\", Error: " + std::string(e.what())

31
components/security_apps/local_policy_mgmt_gen/include/new_practice.h
View File

@@ -24,6 +24,14 @@
#include "debug.h" #include "debug.h"
#include "local_policy_common.h" #include "local_policy_common.h"
bool isModeInherited(const std::string &mode);
const std::string &getModeWithDefault(
const std::string &mode,
const std::string &default_mode,
const std::unordered_map<std::string, std::string> &key_to_val
);
class IpsProtectionsRulesSection class IpsProtectionsRulesSection
{ {
public: public:
@@ -126,8 +134,8 @@ class NewIntrusionPrevention
public: public:
void load(cereal::JSONInputArchive &archive_in); void load(cereal::JSONInputArchive &archive_in);
std::vector<IpsProtectionsRulesSection> createIpsRules() const; std::vector<IpsProtectionsRulesSection> createIpsRules(const std::string &default_mode) const;
const std::string & getMode() const; const std::string & getMode(const std::string &default_mode = "inactive") const;
private: private:
std::string override_mode; std::string override_mode;
@@ -273,7 +281,8 @@ public:
const std::string &asset_name, const std::string &asset_name,
const std::string &asset_id, const std::string &asset_id,
const std::string &practice_name, const std::string &practice_name,
const std::string &practice_id const std::string &practice_id,
const std::string &default_mode
) const; ) const;
private: private:
@@ -486,7 +495,7 @@ public:
void load(cereal::JSONInputArchive &archive_in); void load(cereal::JSONInputArchive &archive_in);
void addFile(const std::string &file_name); void addFile(const std::string &file_name);
const std::string & getOverrideMode() const; const std::string & getOverrideMode(const std::string &default_mode = "inactive") const;
const std::vector<std::string> & getConfigMap() const; const std::vector<std::string> & getConfigMap() const;
const std::vector<std::string> & getFiles() const; const std::vector<std::string> & getFiles() const;
bool isTemporary() const; bool isTemporary() const;
@@ -530,10 +539,10 @@ class NewAppSecWebAttackProtections
public: public:
void load(cereal::JSONInputArchive &archive_in); void load(cereal::JSONInputArchive &archive_in);
const std::string getCsrfProtectionMode() const; const std::string & getCsrfProtectionMode(const std::string &default_mode = "inactive") const;
const std::string & getErrorDisclosureMode() const; const std::string & getErrorDisclosureMode(const std::string &default_mode = "inactive") const;
const std::string & getOpenRedirectMode(const std::string &default_mode = "inactive") const;
bool getNonValidHttpMethods() const; bool getNonValidHttpMethods() const;
const std::string getOpenRedirectMode() const;
private: private:
std::string csrf_protection; std::string csrf_protection;
@@ -551,9 +560,9 @@ public:
int getMaxHeaderSizeBytes() const; int getMaxHeaderSizeBytes() const;
int getMaxObjectDepth() const; int getMaxObjectDepth() const;
int getMaxUrlSizeBytes() const; int getMaxUrlSizeBytes() const;
const std::string & getMinimumConfidence() const; const std::string & getMinimumConfidence(const std::string &default_mode = "inactive") const;
const NewAppSecWebAttackProtections & getprotections() const; const NewAppSecWebAttackProtections & getProtections() const;
const std::string & getMode(const std::string &default_mode = "Inactive") const; const std::string & getMode(const std::string &default_mode = "inactive") const;
private: private:
int max_body_size_kb; int max_body_size_kb;
@@ -578,6 +587,7 @@ public:
const NewFileSecurity & getFileSecurity() const; const NewFileSecurity & getFileSecurity() const;
const std::string & getAppSecClassName() const; const std::string & getAppSecClassName() const;
const std::string & getName() const; const std::string & getName() const;
const std::string & getMode(const std::string &default_mode = "inactive") const;
void setName(const std::string &_name); void setName(const std::string &_name);
private: private:
@@ -589,6 +599,7 @@ private:
NewAppSecPracticeAntiBot anti_bot; NewAppSecPracticeAntiBot anti_bot;
std::string appsec_class_name; std::string appsec_class_name;
std::string practice_name; std::string practice_name;
std::string mode;
}; };
#endif // __NEW_PRACTICE_H__ #endif // __NEW_PRACTICE_H__

10
components/security_apps/local_policy_mgmt_gen/include/policy_maker_utils.h
View File

@@ -158,7 +158,8 @@ private:
const std::string &source_identifier, const std::string &source_identifier,
const std::string & context, const std::string & context,
const V1beta2AppsecLinuxPolicy &policy, const V1beta2AppsecLinuxPolicy &policy,
std::map<AnnotationTypes, std::string> &rule_annotations std::map<AnnotationTypes, std::string> &rule_annotations,
const std::string &default_mode
); );
void createSnortProtecionsSection(const std::string &file_name, bool is_temporary); void createSnortProtecionsSection(const std::string &file_name, bool is_temporary);
@@ -172,7 +173,8 @@ private:
const std::string &practice_id, const std::string &practice_id,
const std::string &source_identifier, const std::string &source_identifier,
const V1beta2AppsecLinuxPolicy &policy, const V1beta2AppsecLinuxPolicy &policy,
std::map<AnnotationTypes, std::string> &rule_annotations std::map<AnnotationTypes, std::string> &rule_annotations,
const std::string &default_mode
); );
void void
@@ -183,7 +185,8 @@ private:
const std::string &practice_name, const std::string &practice_name,
const std::string & context, const std::string & context,
const V1beta2AppsecLinuxPolicy &policy, const V1beta2AppsecLinuxPolicy &policy,
std::map<AnnotationTypes, std::string> &rule_annotations std::map<AnnotationTypes, std::string> &rule_annotations,
const std::string &default_mode
); );
void void
@@ -192,6 +195,7 @@ private:
const std::string &url, const std::string &url,
const std::string &uri, const std::string &uri,
const std::string &trigger_id, const std::string &trigger_id,
const std::string &default_mode,
const V1beta2AppsecLinuxPolicy &policy, const V1beta2AppsecLinuxPolicy &policy,
std::map<AnnotationTypes, std::string> &rule_annotations std::map<AnnotationTypes, std::string> &rule_annotations
); );

10
components/security_apps/local_policy_mgmt_gen/k8s_policy_utils.cc
View File

@@ -414,7 +414,7 @@ K8sPolicyUtils::createAppsecPolicyK8sFromV1beta2Crds(
vector<AccessControlPracticeSpec> access_control_practices = vector<AccessControlPracticeSpec> access_control_practices =
extractV1Beta2ElementsFromCluster<AccessControlPracticeSpec>( extractV1Beta2ElementsFromCluster<AccessControlPracticeSpec>(
"accesscontrolpractice", "accesscontrolpractices",
policy_elements_names[AnnotationTypes::ACCESS_CONTROL_PRACTICE] policy_elements_names[AnnotationTypes::ACCESS_CONTROL_PRACTICE]
); );
@@ -489,6 +489,8 @@ K8sPolicyUtils::createAppsecPolicyK8s(const string &policy_name, const string &i
!doesVersionExist(maybe_appsec_policy_spec.unpack().getMetaData().getAnnotations(), "v1beta1") !doesVersionExist(maybe_appsec_policy_spec.unpack().getMetaData().getAnnotations(), "v1beta1")
) { ) {
try { try {
std::string v1beta1_error =
maybe_appsec_policy_spec.ok() ? "There is no v1beta1 policy" : maybe_appsec_policy_spec.getErr();
dbgWarning(D_LOCAL_POLICY dbgWarning(D_LOCAL_POLICY
) << "Failed to retrieve Appsec policy with crds version: v1beta1, Trying version: v1beta2"; ) << "Failed to retrieve Appsec policy with crds version: v1beta1, Trying version: v1beta2";
auto maybe_v1beta2_appsec_policy_spec = getObjectFromCluster<AppsecSpecParser<NewAppsecPolicySpec>>( auto maybe_v1beta2_appsec_policy_spec = getObjectFromCluster<AppsecSpecParser<NewAppsecPolicySpec>>(
@@ -498,7 +500,7 @@ K8sPolicyUtils::createAppsecPolicyK8s(const string &policy_name, const string &i
dbgWarning(D_LOCAL_POLICY) dbgWarning(D_LOCAL_POLICY)
<< "Failed to retrieve AppSec policy. Error: " << maybe_v1beta2_appsec_policy_spec.getErr(); << "Failed to retrieve AppSec policy. Error: " << maybe_v1beta2_appsec_policy_spec.getErr();
return std::make_tuple( return std::make_tuple(
genError("Failed to retrieve AppSec v1beta1 policy. Error: " + maybe_appsec_policy_spec.getErr()), genError("Failed to retrieve AppSec v1beta1 policy. Error: " + v1beta1_error),
genError( genError(
"Failed to retrieve AppSec v1beta2 policy. Error: " + maybe_v1beta2_appsec_policy_spec.getErr() "Failed to retrieve AppSec v1beta2 policy. Error: " + maybe_v1beta2_appsec_policy_spec.getErr()
) )
@@ -584,7 +586,9 @@ K8sPolicyUtils::createAppsecPoliciesFromIngresses()
); );
if (!std::get<0>(maybe_appsec_policy).ok() && !std::get<1>(maybe_appsec_policy).ok()) { if (!std::get<0>(maybe_appsec_policy).ok() && !std::get<1>(maybe_appsec_policy).ok()) {
dbgWarning(D_LOCAL_POLICY) dbgWarning(D_LOCAL_POLICY)
<< "Failed to create appsec policy. Error: " << "Failed to create appsec policy. v1beta1 Error: "
<< std::get<0>(maybe_appsec_policy).getErr()
<< ". v1beta2 Error: "
<< std::get<1>(maybe_appsec_policy).getErr(); << std::get<1>(maybe_appsec_policy).getErr();
continue; continue;
} }

2
components/security_apps/local_policy_mgmt_gen/new_appsec_linux_policy.cc
View File

@@ -99,7 +99,7 @@ V1beta2AppsecLinuxPolicy::serialize(cereal::JSONInputArchive &archive_in)
archive_in archive_in
); );
parseAppsecJSONKey<vector<NewAppsecLogTrigger>>("logTriggers", log_triggers, archive_in); parseAppsecJSONKey<vector<NewAppsecLogTrigger>>("logTriggers", log_triggers, archive_in);
parseAppsecJSONKey<vector<NewAppSecCustomResponse>>("customResponse", custom_responses, archive_in); parseAppsecJSONKey<vector<NewAppSecCustomResponse>>("customResponses", custom_responses, archive_in);
parseAppsecJSONKey<vector<NewAppsecException>>("exceptions", exceptions, archive_in); parseAppsecJSONKey<vector<NewAppsecException>>("exceptions", exceptions, archive_in);
parseAppsecJSONKey<vector<NewTrustedSourcesSpec>>("trustedSources", trusted_sources, archive_in); parseAppsecJSONKey<vector<NewTrustedSourcesSpec>>("trustedSources", trusted_sources, archive_in);
parseAppsecJSONKey<vector<NewSourcesIdentifiers>>("sourcesIdentifiers", sources_identifiers, archive_in); parseAppsecJSONKey<vector<NewSourcesIdentifiers>>("sourcesIdentifiers", sources_identifiers, archive_in);

2
components/security_apps/local_policy_mgmt_gen/new_exceptions.cc
View File

@@ -44,7 +44,7 @@ void
NewAppsecException::load(cereal::JSONInputArchive &archive_in) NewAppsecException::load(cereal::JSONInputArchive &archive_in)
{ {
dbgTrace(D_LOCAL_POLICY) << "Loading New AppSec exception"; dbgTrace(D_LOCAL_POLICY) << "Loading New AppSec exception";
parseAppsecJSONKey<string>("name", name, archive_in, "exception"); parseAppsecJSONKey<string>("name", name, archive_in);
parseMandatoryAppsecJSONKey<string>("action", action, archive_in, "accept"); parseMandatoryAppsecJSONKey<string>("action", action, archive_in, "accept");
parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in); parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in);
if (valid_actions.count(action) == 0) { if (valid_actions.count(action) == 0) {

254
components/security_apps/local_policy_mgmt_gen/new_practice.cc
View File

@@ -21,8 +21,16 @@ USE_DEBUG_FLAG(D_LOCAL_POLICY);
static const set<string> performance_impacts = {"low", "medium", "high"}; static const set<string> performance_impacts = {"low", "medium", "high"};
static const set<string> severity_levels = {"low", "medium", "high", "critical"}; static const set<string> severity_levels = {"low", "medium", "high", "critical"};
static const set<string> size_unit = {"bytes", "KB", "MB", "GB"}; static const set<string> size_unit = {"bytes", "KB", "MB", "GB"};
static const set<string> confidences_actions = {"prevent", "detect", "inactive"}; static const set<string> confidences_actions = {"prevent", "detect", "inactive", "as-top-level", "inherited"};
static const set<string> valid_modes = {"prevent", "detect", "inactive", "prevent-learn", "detect-learn"}; static const set<string> valid_modes = {
"prevent",
"detect",
"inactive",
"prevent-learn",
"detect-learn",
"as-top-level",
"inherited"
};
static const set<string> valid_confidences = {"medium", "high", "critical"}; static const set<string> valid_confidences = {"medium", "high", "critical"};
static const std::unordered_map<std::string, std::string> key_to_performance_impact_val = { static const std::unordered_map<std::string, std::string> key_to_performance_impact_val = {
{ "low", "Low or lower"}, { "low", "Low or lower"},
@@ -48,6 +56,30 @@ static const std::unordered_map<std::string, uint64_t> unit_to_int = {
{ "MB", 1048576}, { "MB", 1048576},
{ "GB", 1073741824} { "GB", 1073741824}
}; };
static const std::string TRANSPARENT_MODE = "Transparent";
bool
isModeInherited(const string &mode)
{
return mode == "as-top-level" || mode == "inherited";
}
const std::string &
getModeWithDefault(
const std::string &mode,
const std::string &default_mode,
const std::unordered_map<std::string, std::string> &key_to_val)
{
if (isModeInherited(mode) && (key_to_val.find(default_mode) != key_to_val.end())) {
dbgError(D_LOCAL_POLICY) << "Setting to top-level mode: " << default_mode;
return key_to_val.at(default_mode);
}
else if (key_to_val.find(mode) == key_to_val.end()) {
dbgError(D_LOCAL_POLICY) << "Given mode: " << mode << " or top-level: " << default_mode << " is invalid.";
return key_to_val.at("inactive");
}
return key_to_val.at(mode);
}
void void
NewAppSecWebBotsURI::load(cereal::JSONInputArchive &archive_in) NewAppSecWebBotsURI::load(cereal::JSONInputArchive &archive_in)
@@ -84,7 +116,7 @@ NewAppSecPracticeAntiBot::load(cereal::JSONInputArchive &archive_in)
dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Web Bots"; dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Web Bots";
parseAppsecJSONKey<vector<NewAppSecWebBotsURI>>("injectedUris", injected_uris, archive_in); parseAppsecJSONKey<vector<NewAppSecWebBotsURI>>("injectedUris", injected_uris, archive_in);
parseAppsecJSONKey<vector<NewAppSecWebBotsURI>>("validatedUris", validated_uris, archive_in); parseAppsecJSONKey<vector<NewAppSecWebBotsURI>>("validatedUris", validated_uris, archive_in);
parseAppsecJSONKey<string>("overrideMode", override_mode, archive_in, "Inactive"); parseMandatoryAppsecJSONKey<string>("overrideMode", override_mode, archive_in, "inactive");
if (valid_modes.count(override_mode) == 0) { if (valid_modes.count(override_mode) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec Web Bots override mode invalid: " << override_mode; dbgWarning(D_LOCAL_POLICY) << "AppSec Web Bots override mode invalid: " << override_mode;
} }
@@ -110,26 +142,33 @@ NewAppSecWebAttackProtections::load(cereal::JSONInputArchive &archive_in)
parseAppsecJSONKey<string>("csrfProtection", csrf_protection, archive_in, "inactive"); parseAppsecJSONKey<string>("csrfProtection", csrf_protection, archive_in, "inactive");
parseAppsecJSONKey<string>("errorDisclosure", error_disclosure, archive_in, "inactive"); parseAppsecJSONKey<string>("errorDisclosure", error_disclosure, archive_in, "inactive");
parseAppsecJSONKey<string>("openRedirect", open_redirect, archive_in, "inactive"); parseAppsecJSONKey<string>("openRedirect", open_redirect, archive_in, "inactive");
if (valid_modes.count(csrf_protection) == 0 ||
valid_modes.count(error_disclosure) == 0 ||
valid_modes.count(open_redirect) == 0) {
string error_msg = "AppSec Attack Protections mode invalid. csrf_protection: " + csrf_protection +
" error_disclosure: " + error_disclosure + " open_redirect: " + open_redirect;
dbgWarning(D_LOCAL_POLICY) << error_msg;
throw PolicyGenException(error_msg);
}
parseAppsecJSONKey<bool>("nonValidHttpMethods", non_valid_http_methods, archive_in, false); parseAppsecJSONKey<bool>("nonValidHttpMethods", non_valid_http_methods, archive_in, false);
} }
const string const string &
NewAppSecWebAttackProtections::getCsrfProtectionMode() const NewAppSecWebAttackProtections::getCsrfProtectionMode(const string &default_mode) const
{ {
if (key_to_practices_val.find(csrf_protection) == key_to_practices_val.end()) { return getModeWithDefault(csrf_protection, default_mode, key_to_practices_val2);
dbgError(D_LOCAL_POLICY)
<< "Failed to find a value for "
<< csrf_protection
<< ". Setting CSRF protection to Inactive";
return "Inactive";
}
return key_to_practices_val.at(csrf_protection);
} }
const string & const string &
NewAppSecWebAttackProtections::getErrorDisclosureMode() const NewAppSecWebAttackProtections::getErrorDisclosureMode(const string &default_mode) const
{ {
return error_disclosure; return getModeWithDefault(error_disclosure, default_mode, key_to_practices_val2);
}
const string &
NewAppSecWebAttackProtections::getOpenRedirectMode(const string &default_mode) const
{
return getModeWithDefault(open_redirect, default_mode, key_to_practices_val2);
} }
bool bool
@@ -138,40 +177,24 @@ NewAppSecWebAttackProtections::getNonValidHttpMethods() const
return non_valid_http_methods; return non_valid_http_methods;
} }
const string
NewAppSecWebAttackProtections::getOpenRedirectMode() const
{
if (key_to_practices_val.find(open_redirect) == key_to_practices_val.end()) {
dbgError(D_LOCAL_POLICY)
<< "Failed to find a value for "
<< open_redirect
<< ". Setting Open Redirect mode to Inactive";
return "Inactive";
}
return key_to_practices_val.at(open_redirect);
}
void void
NewAppSecPracticeWebAttacks::load(cereal::JSONInputArchive &archive_in) NewAppSecPracticeWebAttacks::load(cereal::JSONInputArchive &archive_in)
{ {
dbgTrace(D_LOCAL_POLICY) << "Loading AppSec practice web attacks spec"; dbgTrace(D_LOCAL_POLICY) << "Loading AppSec practice web attacks spec";
parseAppsecJSONKey<NewAppSecWebAttackProtections>("protections", protections, archive_in); parseAppsecJSONKey<NewAppSecWebAttackProtections>("protections", protections, archive_in);
parseAppsecJSONKey<string>("overrideMode", mode, archive_in, "Unset"); parseMandatoryAppsecJSONKey<string>("overrideMode", mode, archive_in, "inactive");
if (valid_modes.count(mode) == 0) { if (valid_modes.count(mode) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec practice override mode invalid: " << mode; dbgWarning(D_LOCAL_POLICY) << "AppSec practice override mode invalid: " << mode;
} }
if (getMode() == "Prevent") { parseAppsecJSONKey<string>("minimumConfidence", minimum_confidence, archive_in, "critical");
parseMandatoryAppsecJSONKey<string>("minimumConfidence", minimum_confidence, archive_in, "critical"); if (valid_confidences.count(minimum_confidence) == 0) {
if (valid_confidences.count(minimum_confidence) == 0) { dbgWarning(D_LOCAL_POLICY)
dbgWarning(D_LOCAL_POLICY) << "AppSec practice override minimum confidence invalid: "
<< "AppSec practice override minimum confidence invalid: " << minimum_confidence;
<< minimum_confidence; throw PolicyGenException("AppSec practice override minimum confidence invalid: " + minimum_confidence);
throw PolicyGenException("AppSec practice override minimum confidence invalid: " + minimum_confidence);
}
} else {
minimum_confidence = "Transparent";
} }
parseAppsecJSONKey<int>("maxBodySizeKb", max_body_size_kb, archive_in, 1000000); parseAppsecJSONKey<int>("maxBodySizeKb", max_body_size_kb, archive_in, 1000000);
parseAppsecJSONKey<int>("maxHeaderSizeBytes", max_header_size_bytes, archive_in, 102400); parseAppsecJSONKey<int>("maxHeaderSizeBytes", max_header_size_bytes, archive_in, 102400);
parseAppsecJSONKey<int>("maxObjectDepth", max_object_depth, archive_in, 40); parseAppsecJSONKey<int>("maxObjectDepth", max_object_depth, archive_in, 40);
@@ -203,19 +226,25 @@ NewAppSecPracticeWebAttacks::getMaxUrlSizeBytes() const
} }
const string & const string &
NewAppSecPracticeWebAttacks::getMinimumConfidence() const NewAppSecPracticeWebAttacks::getMinimumConfidence(const string &default_mode) const
{ {
if (getMode(default_mode) != "Prevent") {
return TRANSPARENT_MODE;
}
return minimum_confidence; return minimum_confidence;
} }
const string & const string &
NewAppSecPracticeWebAttacks::getMode(const string &default_mode) const NewAppSecPracticeWebAttacks::getMode(const string &default_mode) const
{ {
if (mode == "Unset" || (key_to_practices_val2.find(mode) == key_to_practices_val2.end())) { const string &res = getModeWithDefault(mode, default_mode, key_to_practices_val);
dbgError(D_LOCAL_POLICY) << "Couldn't find a value for key: " << mode << ". Returning " << default_mode; return res;
return default_mode; }
}
return key_to_practices_val2.at(mode); const NewAppSecWebAttackProtections &
NewAppSecPracticeWebAttacks::getProtections() const
{
return protections;
} }
SnortProtectionsSection::SnortProtectionsSection( SnortProtectionsSection::SnortProtectionsSection(
@@ -244,7 +273,7 @@ SnortProtectionsSection::save(cereal::JSONOutputArchive &out_ar) const
{ {
out_ar( out_ar(
cereal::make_nvp("context", context), cereal::make_nvp("context", context),
cereal::make_nvp("mode", key_to_mode_val.at(mode)), cereal::make_nvp("mode", mode),
cereal::make_nvp("files", files), cereal::make_nvp("files", files),
cereal::make_nvp("assetName", asset_name), cereal::make_nvp("assetName", asset_name),
cereal::make_nvp("assetId", asset_id), cereal::make_nvp("assetId", asset_id),
@@ -440,8 +469,8 @@ void
NewSnortSignaturesAndOpenSchemaAPI::load(cereal::JSONInputArchive &archive_in) NewSnortSignaturesAndOpenSchemaAPI::load(cereal::JSONInputArchive &archive_in)
{ {
dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Snort Signatures practice"; dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Snort Signatures practice";
parseAppsecJSONKey<string>("overrideMode", override_mode, archive_in, "inactive"); parseMandatoryAppsecJSONKey<string>("overrideMode", override_mode, archive_in, "inactive");
parseMandatoryAppsecJSONKey<vector<string>>("configmap", config_map, archive_in); parseAppsecJSONKey<vector<string>>("configmap", config_map, archive_in);
parseAppsecJSONKey<vector<string>>("files", files, archive_in); parseAppsecJSONKey<vector<string>>("files", files, archive_in);
is_temporary = false; is_temporary = false;
if (valid_modes.count(override_mode) == 0) { if (valid_modes.count(override_mode) == 0) {
@@ -457,9 +486,10 @@ NewSnortSignaturesAndOpenSchemaAPI::addFile(const string &file_name)
} }
const string & const string &
NewSnortSignaturesAndOpenSchemaAPI::getOverrideMode() const NewSnortSignaturesAndOpenSchemaAPI::getOverrideMode(const string &default_mode) const
{ {
return override_mode; const string &res = getModeWithDefault(override_mode, default_mode, key_to_practices_val);
return res;
} }
const vector<string> & const vector<string> &
@@ -491,7 +521,7 @@ IpsProtectionsRulesSection::save(cereal::JSONOutputArchive &out_ar) const
{ {
vector<string> protections; vector<string> protections;
out_ar( out_ar(
cereal::make_nvp("action", key_to_mode_val.at(action)), cereal::make_nvp("action", action),
cereal::make_nvp("confidenceLevel", confidence_level), cereal::make_nvp("confidenceLevel", confidence_level),
cereal::make_nvp("clientProtections", true), cereal::make_nvp("clientProtections", true),
cereal::make_nvp("serverProtections", true), cereal::make_nvp("serverProtections", true),
@@ -541,7 +571,7 @@ IpsProtectionsSection::save(cereal::JSONOutputArchive &out_ar) const
cereal::make_nvp("practiceName", practice_name), cereal::make_nvp("practiceName", practice_name),
cereal::make_nvp("practiceId", practice_id), cereal::make_nvp("practiceId", practice_id),
cereal::make_nvp("sourceIdentifier", source_identifier), cereal::make_nvp("sourceIdentifier", source_identifier),
cereal::make_nvp("defaultAction", key_to_mode_val.at(mode)), cereal::make_nvp("defaultAction", mode),
cereal::make_nvp("rules", rules) cereal::make_nvp("rules", rules)
); );
} }
@@ -566,7 +596,7 @@ void
NewIntrusionPrevention::load(cereal::JSONInputArchive &archive_in) NewIntrusionPrevention::load(cereal::JSONInputArchive &archive_in)
{ {
dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Intrusion Prevention practice"; dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Intrusion Prevention practice";
parseAppsecJSONKey<string>("overrideMode", override_mode, archive_in, "inactive"); parseMandatoryAppsecJSONKey<string>("overrideMode", override_mode, archive_in, "inactive");
if (valid_modes.count(override_mode) == 0) { if (valid_modes.count(override_mode) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec Intrusion Prevention override mode invalid: " << override_mode; dbgWarning(D_LOCAL_POLICY) << "AppSec Intrusion Prevention override mode invalid: " << override_mode;
throw PolicyGenException("AppSec Intrusion Prevention override mode invalid: " + override_mode); throw PolicyGenException("AppSec Intrusion Prevention override mode invalid: " + override_mode);
@@ -580,13 +610,13 @@ NewIntrusionPrevention::load(cereal::JSONInputArchive &archive_in)
"AppSec Intrusion Prevention max performance impact invalid: " + max_performance_impact "AppSec Intrusion Prevention max performance impact invalid: " + max_performance_impact
); );
} }
parseAppsecJSONKey<string>("minSeverityLevel", min_severity_level, archive_in, "low"); parseAppsecJSONKey<string>("minSeverityLevel", min_severity_level, archive_in, "medium");
if (severity_levels.count(min_severity_level) == 0) { if (severity_levels.count(min_severity_level) == 0) {
dbgWarning(D_LOCAL_POLICY) dbgWarning(D_LOCAL_POLICY)
<< "AppSec Intrusion Prevention min severity level invalid: " << "AppSec Intrusion Prevention min severity level invalid: "
<< min_severity_level; << min_severity_level;
} }
parseAppsecJSONKey<string>("highConfidenceEventAction", high_confidence_event_action, archive_in, "prevent"); parseAppsecJSONKey<string>("highConfidenceEventAction", high_confidence_event_action, archive_in, "inherited");
if (confidences_actions.count(high_confidence_event_action) == 0) { if (confidences_actions.count(high_confidence_event_action) == 0) {
dbgWarning(D_LOCAL_POLICY) dbgWarning(D_LOCAL_POLICY)
<< "AppSec Intrusion Prevention high confidence event invalid: " << "AppSec Intrusion Prevention high confidence event invalid: "
@@ -595,7 +625,9 @@ NewIntrusionPrevention::load(cereal::JSONInputArchive &archive_in)
"AppSec Intrusion Prevention high confidence event invalid: " + high_confidence_event_action "AppSec Intrusion Prevention high confidence event invalid: " + high_confidence_event_action
); );
} }
parseAppsecJSONKey<string>("mediumConfidenceEventAction", medium_confidence_event_action, archive_in, "prevent"); parseAppsecJSONKey<string>(
"mediumConfidenceEventAction", medium_confidence_event_action, archive_in, "inherited"
);
if (confidences_actions.count(medium_confidence_event_action) == 0) { if (confidences_actions.count(medium_confidence_event_action) == 0) {
dbgWarning(D_LOCAL_POLICY) dbgWarning(D_LOCAL_POLICY)
<< "AppSec Intrusion Prevention medium confidence event invalid: " << "AppSec Intrusion Prevention medium confidence event invalid: "
@@ -613,16 +645,16 @@ NewIntrusionPrevention::load(cereal::JSONInputArchive &archive_in)
"AppSec Intrusion Prevention low confidence event action invalid: " + low_confidence_event_action "AppSec Intrusion Prevention low confidence event action invalid: " + low_confidence_event_action
); );
} }
parseAppsecJSONKey<int>("minCveYear", min_cve_Year, archive_in); parseAppsecJSONKey<int>("minCveYear", min_cve_Year, archive_in, 2016);
} }
vector<IpsProtectionsRulesSection> vector<IpsProtectionsRulesSection>
NewIntrusionPrevention::createIpsRules() const NewIntrusionPrevention::createIpsRules(const string &default_mode) const
{ {
vector<IpsProtectionsRulesSection> ips_rules; vector<IpsProtectionsRulesSection> ips_rules;
IpsProtectionsRulesSection high_rule( IpsProtectionsRulesSection high_rule(
min_cve_Year, min_cve_Year,
high_confidence_event_action, getModeWithDefault(high_confidence_event_action, default_mode, key_to_practices_val),
string("High"), string("High"),
max_performance_impact, max_performance_impact,
string(""), string(""),
@@ -632,7 +664,7 @@ NewIntrusionPrevention::createIpsRules() const
IpsProtectionsRulesSection med_rule( IpsProtectionsRulesSection med_rule(
min_cve_Year, min_cve_Year,
medium_confidence_event_action, getModeWithDefault(medium_confidence_event_action, default_mode, key_to_practices_val),
string("Medium"), string("Medium"),
max_performance_impact, max_performance_impact,
string(""), string(""),
@@ -642,7 +674,7 @@ NewIntrusionPrevention::createIpsRules() const
IpsProtectionsRulesSection low_rule( IpsProtectionsRulesSection low_rule(
min_cve_Year, min_cve_Year,
low_confidence_event_action, getModeWithDefault(low_confidence_event_action, default_mode, key_to_practices_val),
string("Low"), string("Low"),
max_performance_impact, max_performance_impact,
string(""), string(""),
@@ -654,9 +686,10 @@ NewIntrusionPrevention::createIpsRules() const
} }
const std::string & const std::string &
NewIntrusionPrevention::getMode() const NewIntrusionPrevention::getMode(const std::string &default_mode) const
{ {
return override_mode; const string &res = getModeWithDefault(override_mode, default_mode, key_to_practices_val);
return res;
} }
FileSecurityProtectionsSection::FileSecurityProtectionsSection( FileSecurityProtectionsSection::FileSecurityProtectionsSection(
@@ -711,20 +744,20 @@ FileSecurityProtectionsSection::save(cereal::JSONOutputArchive &out_ar) const
cereal::make_nvp("assetId", asset_id), cereal::make_nvp("assetId", asset_id),
cereal::make_nvp("practiceName", practice_name), cereal::make_nvp("practiceName", practice_name),
cereal::make_nvp("practiceId", practice_id), cereal::make_nvp("practiceId", practice_id),
cereal::make_nvp("action", key_to_mode_val.at(action)), cereal::make_nvp("action", action),
cereal::make_nvp("filesWithoutNameAction", key_to_mode_val.at(files_without_name_action)), cereal::make_nvp("filesWithoutNameAction", files_without_name_action),
cereal::make_nvp("allowFilesWithoutName", allow_files_without_name), cereal::make_nvp("allowFilesWithoutName", allow_files_without_name),
cereal::make_nvp("highConfidence", key_to_mode_val.at(high_confidence_action)), cereal::make_nvp("highConfidence", high_confidence_action),
cereal::make_nvp("mediumConfidence", key_to_mode_val.at(medium_confidence_action)), cereal::make_nvp("mediumConfidence", medium_confidence_action),
cereal::make_nvp("lowConfidence", key_to_mode_val.at(low_confidence_action)), cereal::make_nvp("lowConfidence", low_confidence_action),
cereal::make_nvp("severityLevel", key_to_severity_level_val.at(severity_level)), cereal::make_nvp("severityLevel", key_to_severity_level_val.at(severity_level)),
cereal::make_nvp("fileSizeLimitAction", key_to_mode_val.at(file_size_limit_action)), cereal::make_nvp("fileSizeLimitAction", file_size_limit_action),
cereal::make_nvp("fileSizeLimit", file_size_limit), cereal::make_nvp("fileSizeLimit", file_size_limit),
cereal::make_nvp("requiredFileSizeLimit", required_file_size_limit), cereal::make_nvp("requiredFileSizeLimit", required_file_size_limit),
cereal::make_nvp("requiredArchiveExtraction", required_archive_extraction), cereal::make_nvp("requiredArchiveExtraction", required_archive_extraction),
cereal::make_nvp("archiveFileSizeLimit", archive_file_size_limit), cereal::make_nvp("archiveFileSizeLimit", archive_file_size_limit),
cereal::make_nvp("MultiLevelArchiveAction", key_to_mode_val.at(multi_level_archive_action)), cereal::make_nvp("MultiLevelArchiveAction", multi_level_archive_action),
cereal::make_nvp("UnopenedArchiveAction", key_to_mode_val.at(unopened_archive_action)) cereal::make_nvp("UnopenedArchiveAction", unopened_archive_action)
); );
} }
@@ -748,7 +781,7 @@ void
NewFileSecurityArchiveInspection::load(cereal::JSONInputArchive &archive_in) NewFileSecurityArchiveInspection::load(cereal::JSONInputArchive &archive_in)
{ {
dbgTrace(D_LOCAL_POLICY) << "Loading AppSec File Security Archive Inspection practice"; dbgTrace(D_LOCAL_POLICY) << "Loading AppSec File Security Archive Inspection practice";
parseAppsecJSONKey<bool>("extractArchiveFiles", extract_archive_files, archive_in, true); parseAppsecJSONKey<bool>("extractArchiveFiles", extract_archive_files, archive_in, false);
parseAppsecJSONKey<uint64_t>("scanMaxFileSize", scan_max_file_size, archive_in, 10); parseAppsecJSONKey<uint64_t>("scanMaxFileSize", scan_max_file_size, archive_in, 10);
parseAppsecJSONKey<string>("scanMaxFileSizeUnit", scan_max_file_size_unit, archive_in, "MB"); parseAppsecJSONKey<string>("scanMaxFileSizeUnit", scan_max_file_size_unit, archive_in, "MB");
if (size_unit.count(scan_max_file_size_unit) == 0) { if (size_unit.count(scan_max_file_size_unit) == 0) {
@@ -763,7 +796,7 @@ NewFileSecurityArchiveInspection::load(cereal::JSONInputArchive &archive_in)
"archivedFilesWithinArchivedFiles", "archivedFilesWithinArchivedFiles",
archived_files_within_archived_files, archived_files_within_archived_files,
archive_in, archive_in,
"prevent"); "inherited");
if (confidences_actions.count(archived_files_within_archived_files) == 0) { if (confidences_actions.count(archived_files_within_archived_files) == 0) {
dbgWarning(D_LOCAL_POLICY) dbgWarning(D_LOCAL_POLICY)
<< "AppSec File Security Archive Inspection archived files within archived files invalid: " << "AppSec File Security Archive Inspection archived files within archived files invalid: "
@@ -777,7 +810,7 @@ NewFileSecurityArchiveInspection::load(cereal::JSONInputArchive &archive_in)
"archivedFilesWhereContentExtractionFailed", "archivedFilesWhereContentExtractionFailed",
archived_files_where_content_extraction_failed, archived_files_where_content_extraction_failed,
archive_in, archive_in,
"prevent"); "inherited");
if (confidences_actions.count(archived_files_where_content_extraction_failed) == 0) { if (confidences_actions.count(archived_files_where_content_extraction_failed) == 0) {
dbgWarning(D_LOCAL_POLICY) dbgWarning(D_LOCAL_POLICY)
<< "AppSec File Security Archive Inspection archived files within archived file invalid: " << "AppSec File Security Archive Inspection archived files within archived file invalid: "
@@ -834,7 +867,7 @@ NewFileSecurityLargeFileInspection::load(cereal::JSONInputArchive &archive_in)
"filesExceedingSizeLimitAction", "filesExceedingSizeLimitAction",
files_exceeding_size_limit_action, files_exceeding_size_limit_action,
archive_in, archive_in,
"prevent"); "inherited");
if (confidences_actions.count(files_exceeding_size_limit_action) == 0) { if (confidences_actions.count(files_exceeding_size_limit_action) == 0) {
dbgWarning(D_LOCAL_POLICY) dbgWarning(D_LOCAL_POLICY)
<< "AppSec File Security Archive Inspection archived files within archived files invalid: " << "AppSec File Security Archive Inspection archived files within archived files invalid: "
@@ -869,18 +902,18 @@ void
NewFileSecurity::load(cereal::JSONInputArchive &archive_in) NewFileSecurity::load(cereal::JSONInputArchive &archive_in)
{ {
dbgTrace(D_LOCAL_POLICY) << "Loading AppSec File Security practice"; dbgTrace(D_LOCAL_POLICY) << "Loading AppSec File Security practice";
parseAppsecJSONKey<string>("overrideMode", override_mode, archive_in, "inactive"); parseMandatoryAppsecJSONKey<string>("overrideMode", override_mode, archive_in, "inactive");
if (valid_modes.count(override_mode) == 0) { if (valid_modes.count(override_mode) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec File Security override mode invalid: " << override_mode; dbgWarning(D_LOCAL_POLICY) << "AppSec File Security override mode invalid: " << override_mode;
throw PolicyGenException("AppSec File Security override mode invalid: " + override_mode); throw PolicyGenException("AppSec File Security override mode invalid: " + override_mode);
} }
parseMandatoryAppsecJSONKey<string>("minSeverityLevel", min_severity_level, archive_in, "low"); parseAppsecJSONKey<string>("minSeverityLevel", min_severity_level, archive_in, "medium");
if (severity_levels.count(min_severity_level) == 0) { if (severity_levels.count(min_severity_level) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec File Security min severity level invalid: " << min_severity_level; dbgWarning(D_LOCAL_POLICY) << "AppSec File Security min severity level invalid: " << min_severity_level;
min_severity_level = "low"; min_severity_level = "low";
} }
parseMandatoryAppsecJSONKey<string>( parseAppsecJSONKey<string>(
"highConfidenceEventAction", high_confidence_event_action, archive_in, "inactive" "highConfidenceEventAction", high_confidence_event_action, archive_in, "inherited"
); );
if (confidences_actions.count(high_confidence_event_action) == 0) { if (confidences_actions.count(high_confidence_event_action) == 0) {
dbgWarning(D_LOCAL_POLICY) dbgWarning(D_LOCAL_POLICY)
@@ -888,8 +921,8 @@ NewFileSecurity::load(cereal::JSONInputArchive &archive_in)
<< high_confidence_event_action; << high_confidence_event_action;
high_confidence_event_action = "inactive"; high_confidence_event_action = "inactive";
} }
parseMandatoryAppsecJSONKey<string>( parseAppsecJSONKey<string>(
"mediumConfidenceEventAction", medium_confidence_event_action, archive_in, "inactive" "mediumConfidenceEventAction", medium_confidence_event_action, archive_in, "inherited"
); );
if (confidences_actions.count(medium_confidence_event_action) == 0) { if (confidences_actions.count(medium_confidence_event_action) == 0) {
dbgWarning(D_LOCAL_POLICY) dbgWarning(D_LOCAL_POLICY)
@@ -897,8 +930,8 @@ NewFileSecurity::load(cereal::JSONInputArchive &archive_in)
<< medium_confidence_event_action; << medium_confidence_event_action;
medium_confidence_event_action = "inactive"; medium_confidence_event_action = "inactive";
} }
parseMandatoryAppsecJSONKey<string>( parseAppsecJSONKey<string>(
"lowConfidenceEventAction", low_confidence_event_action, archive_in, "inactive" "lowConfidenceEventAction", low_confidence_event_action, archive_in, "detect"
); );
if (confidences_actions.count(low_confidence_event_action) == 0) { if (confidences_actions.count(low_confidence_event_action) == 0) {
dbgWarning(D_LOCAL_POLICY) dbgWarning(D_LOCAL_POLICY)
@@ -906,7 +939,7 @@ NewFileSecurity::load(cereal::JSONInputArchive &archive_in)
<< low_confidence_event_action; << low_confidence_event_action;
low_confidence_event_action = "inactive"; low_confidence_event_action = "inactive";
} }
parseMandatoryAppsecJSONKey<string>("unnamedFilesAction", unnamed_files_action, archive_in, "inactive"); parseAppsecJSONKey<string>("unnamedFilesAction", unnamed_files_action, archive_in, "inherited");
if (confidences_actions.count(unnamed_files_action) == 0) { if (confidences_actions.count(unnamed_files_action) == 0) {
dbgWarning(D_LOCAL_POLICY) dbgWarning(D_LOCAL_POLICY)
<< "AppSec File Security low unnamed files action invalid: " << "AppSec File Security low unnamed files action invalid: "
@@ -914,10 +947,8 @@ NewFileSecurity::load(cereal::JSONInputArchive &archive_in)
unnamed_files_action = "inactive"; unnamed_files_action = "inactive";
} }
parseAppsecJSONKey<bool>("threatEmulationEnabled", threat_emulation_enabled, archive_in); parseAppsecJSONKey<bool>("threatEmulationEnabled", threat_emulation_enabled, archive_in);
parseMandatoryAppsecJSONKey<NewFileSecurityArchiveInspection>("archiveInspection", archive_inspection, archive_in); parseAppsecJSONKey<NewFileSecurityArchiveInspection>("archiveInspection", archive_inspection, archive_in);
parseMandatoryAppsecJSONKey<NewFileSecurityLargeFileInspection>( parseAppsecJSONKey<NewFileSecurityLargeFileInspection>("largeFileInspection", large_file_inspection, archive_in);
"largeFileInspection", large_file_inspection, archive_in
);
} }
const string & const string &
@@ -944,28 +975,37 @@ NewFileSecurity::createFileSecurityProtectionsSection(
const string &asset_name, const string &asset_name,
const string &asset_id, const string &asset_id,
const string &practice_name, const string &practice_name,
const string &practice_id) const const string &practice_id,
const string &default_mode) const
{ {
string practice_action = (isModeInherited(override_mode) ? default_mode : override_mode);
const string &unnamed_files_action_val =
getModeWithDefault(unnamed_files_action, practice_action, key_to_mode_val);
const string &large_file_action_val = getModeWithDefault(
getLargeFileInspection().getFileSizeLimitAction(),
practice_action,
key_to_mode_val
);
return FileSecurityProtectionsSection( return FileSecurityProtectionsSection(
getLargeFileInspection().getFileSizeLimit(), getLargeFileInspection().getFileSizeLimit(),
getArchiveInspection().getArchiveFileSizeLimit(), getArchiveInspection().getArchiveFileSizeLimit(),
unnamed_files_action == "prevent" ? true : false, unnamed_files_action_val == "Prevent" ? true : false,
getLargeFileInspection().getFileSizeLimitAction() == "prevent" ? true : false, large_file_action_val == "Prevent" ? true : false,
getArchiveInspection().getrequiredArchiveExtraction(), getArchiveInspection().getrequiredArchiveExtraction(),
context, context,
asset_name, asset_name,
asset_id, asset_id,
practice_name, practice_name,
practice_id, practice_id,
override_mode, getModeWithDefault(override_mode, practice_action, key_to_mode_val),
unnamed_files_action, unnamed_files_action_val,
high_confidence_event_action, getModeWithDefault(high_confidence_event_action, practice_action, key_to_mode_val),
medium_confidence_event_action, getModeWithDefault(medium_confidence_event_action, practice_action, key_to_mode_val),
low_confidence_event_action, getModeWithDefault(low_confidence_event_action, practice_action, key_to_mode_val),
min_severity_level, min_severity_level,
getLargeFileInspection().getFileSizeLimitAction(), large_file_action_val,
getArchiveInspection().getMultiLevelArchiveAction(), getModeWithDefault(getArchiveInspection().getMultiLevelArchiveAction(), practice_action, key_to_mode_val),
getArchiveInspection().getUnopenedArchiveAction() getModeWithDefault(getArchiveInspection().getUnopenedArchiveAction(), practice_action, key_to_mode_val)
); );
} }
@@ -974,17 +1014,18 @@ NewAppSecPracticeSpec::load(cereal::JSONInputArchive &archive_in)
{ {
dbgTrace(D_LOCAL_POLICY) << "Loading AppSec practice spec"; dbgTrace(D_LOCAL_POLICY) << "Loading AppSec practice spec";
parseAppsecJSONKey<NewSnortSignaturesAndOpenSchemaAPI>( parseAppsecJSONKey<NewSnortSignaturesAndOpenSchemaAPI>(
"openapi-schema-validation", "schemaValidation",
openapi_schema_validation, openapi_schema_validation,
archive_in archive_in
); );
parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in); parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in);
parseAppsecJSONKey<NewFileSecurity>("fileSecurity", file_security, archive_in); parseMandatoryAppsecJSONKey<NewFileSecurity>("fileSecurity", file_security, archive_in);
parseAppsecJSONKey<NewIntrusionPrevention>("intrusionPrevention", intrusion_prevention, archive_in); parseMandatoryAppsecJSONKey<NewIntrusionPrevention>("intrusionPrevention", intrusion_prevention, archive_in);
parseAppsecJSONKey<NewSnortSignaturesAndOpenSchemaAPI>("snortSignatures", snort_signatures, archive_in); parseMandatoryAppsecJSONKey<NewSnortSignaturesAndOpenSchemaAPI>("snortSignatures", snort_signatures, archive_in);
parseMandatoryAppsecJSONKey<NewAppSecPracticeWebAttacks>("webAttacks", web_attacks, archive_in); parseMandatoryAppsecJSONKey<NewAppSecPracticeWebAttacks>("webAttacks", web_attacks, archive_in);
parseAppsecJSONKey<NewAppSecPracticeAntiBot>("antiBot", anti_bot, archive_in); parseAppsecJSONKey<NewAppSecPracticeAntiBot>("antiBot", anti_bot, archive_in);
parseAppsecJSONKey<string>("name", practice_name, archive_in); parseAppsecJSONKey<string>("name", practice_name, archive_in);
parseAppsecJSONKey<string>("practiceMode", mode, archive_in, "inherited");
} }
void void
@@ -1040,4 +1081,11 @@ NewAppSecPracticeSpec::getName() const
{ {
return practice_name; return practice_name;
} }
const string &
NewAppSecPracticeSpec::getMode(const string &default_mode) const
{
return isModeInherited(mode) ? default_mode : mode;
}
// LCOV_EXCL_STOP // LCOV_EXCL_STOP

61
components/security_apps/local_policy_mgmt_gen/policy_maker_utils.cc
View File

@@ -58,7 +58,7 @@ Maybe<T>
PolicyMakerUtils::openFileAsJson(const string &path) PolicyMakerUtils::openFileAsJson(const string &path)
{ {
auto maybe_file_as_json = Singleton::Consume<I_ShellCmd>::by<LocalPolicyMgmtGenerator>()->getExecOutput( auto maybe_file_as_json = Singleton::Consume<I_ShellCmd>::by<LocalPolicyMgmtGenerator>()->getExecOutput(
getFilesystemPathConfig() + "/bin/yq " + path + " -o json" getFilesystemPathConfig() + "/bin/yq eval " + path + " -o json"
); );
if (!maybe_file_as_json.ok()) { if (!maybe_file_as_json.ok()) {
@@ -996,13 +996,16 @@ PolicyMakerUtils::createIpsSections(
const string &source_identifier, const string &source_identifier,
const string & context, const string & context,
const V1beta2AppsecLinuxPolicy &policy, const V1beta2AppsecLinuxPolicy &policy,
map<AnnotationTypes, string> &rule_annotations) map<AnnotationTypes, string> &rule_annotations,
const string &default_mode)
{ {
auto apssec_practice = getAppsecPracticeSpec<V1beta2AppsecLinuxPolicy, NewAppSecPracticeSpec>( auto apssec_practice = getAppsecPracticeSpec<V1beta2AppsecLinuxPolicy, NewAppSecPracticeSpec>(
rule_annotations[AnnotationTypes::PRACTICE], rule_annotations[AnnotationTypes::PRACTICE],
policy); policy);
const string &override_mode =
apssec_practice.getIntrusionPrevention().getMode(apssec_practice.getMode(default_mode));
if (apssec_practice.getIntrusionPrevention().getMode().empty()) return; if (override_mode == "Inactive" || override_mode == "Disabled") return;
IpsProtectionsSection ips_section = IpsProtectionsSection( IpsProtectionsSection ips_section = IpsProtectionsSection(
context, context,
@@ -1011,8 +1014,8 @@ PolicyMakerUtils::createIpsSections(
practice_name, practice_name,
practice_id, practice_id,
source_identifier, source_identifier,
apssec_practice.getIntrusionPrevention().getMode(), override_mode,
apssec_practice.getIntrusionPrevention().createIpsRules() apssec_practice.getIntrusionPrevention().createIpsRules(override_mode)
); );
ips[asset_name] = ips_section; ips[asset_name] = ips_section;
@@ -1068,13 +1071,17 @@ PolicyMakerUtils::createSnortSections(
const string &practice_id, const string &practice_id,
const string &source_identifier, const string &source_identifier,
const V1beta2AppsecLinuxPolicy &policy, const V1beta2AppsecLinuxPolicy &policy,
map<AnnotationTypes, string> &rule_annotations) map<AnnotationTypes, string> &rule_annotations,
const string &default_mode)
{ {
auto apssec_practice = getAppsecPracticeSpec<V1beta2AppsecLinuxPolicy, NewAppSecPracticeSpec>( auto apssec_practice = getAppsecPracticeSpec<V1beta2AppsecLinuxPolicy, NewAppSecPracticeSpec>(
rule_annotations[AnnotationTypes::PRACTICE], rule_annotations[AnnotationTypes::PRACTICE],
policy); policy);
const string &override_mode =
apssec_practice.getSnortSignatures().getOverrideMode(apssec_practice.getMode(default_mode));
if (apssec_practice.getSnortSignatures().getOverrideMode() == "inactive" || if (override_mode == "Inactive" ||
override_mode == "Disabled" ||
apssec_practice.getSnortSignatures().getFiles().size() == 0) { apssec_practice.getSnortSignatures().getFiles().size() == 0) {
return; return;
} }
@@ -1094,7 +1101,7 @@ PolicyMakerUtils::createSnortSections(
practice_name, practice_name,
practice_id, practice_id,
source_identifier, source_identifier,
apssec_practice.getSnortSignatures().getOverrideMode(), override_mode,
apssec_practice.getSnortSignatures().getFiles() apssec_practice.getSnortSignatures().getFiles()
); );
@@ -1109,7 +1116,8 @@ PolicyMakerUtils::createFileSecuritySections(
const string &practice_name, const string &practice_name,
const string &context, const string &context,
const V1beta2AppsecLinuxPolicy &policy, const V1beta2AppsecLinuxPolicy &policy,
map<AnnotationTypes, string> &rule_annotations) map<AnnotationTypes, string> &rule_annotations,
const string &default_mode)
{ {
auto apssec_practice = getAppsecPracticeSpec<V1beta2AppsecLinuxPolicy, NewAppSecPracticeSpec>( auto apssec_practice = getAppsecPracticeSpec<V1beta2AppsecLinuxPolicy, NewAppSecPracticeSpec>(
rule_annotations[AnnotationTypes::PRACTICE], rule_annotations[AnnotationTypes::PRACTICE],
@@ -1122,7 +1130,8 @@ PolicyMakerUtils::createFileSecuritySections(
asset_name, asset_name,
asset_id, asset_id,
practice_name, practice_name,
practice_id practice_id,
apssec_practice.getMode(default_mode)
); );
file_security[asset_name] = file_security_section; file_security[asset_name] = file_security_section;
@@ -1134,6 +1143,7 @@ PolicyMakerUtils::createRateLimitSection(
const string &url, const string &url,
const string &uri, const string &uri,
const string &trigger_id, const string &trigger_id,
const std::string &default_mode,
const V1beta2AppsecLinuxPolicy &policy, const V1beta2AppsecLinuxPolicy &policy,
map<AnnotationTypes, string> &rule_annotations) map<AnnotationTypes, string> &rule_annotations)
{ {
@@ -1157,13 +1167,13 @@ PolicyMakerUtils::createRateLimitSection(
trigger = RateLimitRulesTriggerSection(trigger_id, trigger_name, "Trigger"); trigger = RateLimitRulesTriggerSection(trigger_id, trigger_name, "Trigger");
} }
auto rules = access_control_practice.geRateLimit().createRateLimitRulesSection(trigger); auto rules = access_control_practice.getRateLimit().createRateLimitRulesSection(trigger);
rate_limit[rule_annotations[AnnotationTypes::ACCESS_CONTROL_PRACTICE]] = RateLimitSection( rate_limit[rule_annotations[AnnotationTypes::ACCESS_CONTROL_PRACTICE]] = RateLimitSection(
asset_name, asset_name,
url, url,
uri, uri,
access_control_practice.geRateLimit().getMode(), access_control_practice.getRateLimit().getMode(access_control_practice.getMode(default_mode)),
practice_id, practice_id,
rule_annotations[AnnotationTypes::ACCESS_CONTROL_PRACTICE], rule_annotations[AnnotationTypes::ACCESS_CONTROL_PRACTICE],
rules rules
@@ -1183,6 +1193,8 @@ PolicyMakerUtils::createWebAppSection(
rule_annotations[AnnotationTypes::PRACTICE], rule_annotations[AnnotationTypes::PRACTICE],
policy policy
); );
const string &practice_mode = apssec_practice.getMode(default_mode);
PracticeAdvancedConfig practice_advance_config( PracticeAdvancedConfig practice_advance_config(
apssec_practice.getWebAttacks().getMaxHeaderSizeBytes(), apssec_practice.getWebAttacks().getMaxHeaderSizeBytes(),
apssec_practice.getWebAttacks().getMaxBodySizeKb(), apssec_practice.getWebAttacks().getMaxBodySizeKb(),
@@ -1198,12 +1210,13 @@ PolicyMakerUtils::createWebAppSection(
practice_id, practice_id,
rule_annotations[AnnotationTypes::PRACTICE], rule_annotations[AnnotationTypes::PRACTICE],
rule_config.getContext(), rule_config.getContext(),
apssec_practice.getWebAttacks().getMinimumConfidence(), apssec_practice.getWebAttacks().getMinimumConfidence(practice_mode),
apssec_practice.getWebAttacks().getMode(default_mode), apssec_practice.getWebAttacks().getMode(practice_mode),
practice_advance_config, practice_advance_config,
apssec_practice.getAntiBot(), apssec_practice.getAntiBot(),
log_triggers[rule_annotations[AnnotationTypes::TRIGGER]], log_triggers[rule_annotations[AnnotationTypes::TRIGGER]],
trusted_sources[rule_annotations[AnnotationTypes::TRUSTED_SOURCES]] trusted_sources[rule_annotations[AnnotationTypes::TRUSTED_SOURCES]],
apssec_practice.getWebAttacks().getProtections()
); );
web_apps[rule_config.getAssetName()] = web_app; web_apps[rule_config.getAssetName()] = web_app;
} }
@@ -1271,7 +1284,8 @@ PolicyMakerUtils::createThreatPreventionPracticeSections(
current_identifier, current_identifier,
rule_config.getContext(), rule_config.getContext(),
policy, policy,
rule_annotations rule_annotations,
default_mode
); );
createSnortSections( createSnortSections(
@@ -1282,7 +1296,8 @@ PolicyMakerUtils::createThreatPreventionPracticeSections(
practice_id, practice_id,
current_identifier, current_identifier,
policy, policy,
rule_annotations rule_annotations,
default_mode
); );
createFileSecuritySections( createFileSecuritySections(
@@ -1292,11 +1307,18 @@ PolicyMakerUtils::createThreatPreventionPracticeSections(
rule_annotations[AnnotationTypes::PRACTICE], rule_annotations[AnnotationTypes::PRACTICE],
"assetId(" + rule_config.getAssetId() + ")", "assetId(" + rule_config.getAssetId() + ")",
policy, policy,
rule_annotations rule_annotations,
default_mode
); );
if (!web_apps.count(rule_config.getAssetName())) { if (!web_apps.count(rule_config.getAssetName())) {
createWebAppSection(policy, rule_config, practice_id, asset_name, default_mode, rule_annotations); createWebAppSection(
policy,
rule_config,
practice_id,
asset_name,
default_mode,
rule_annotations);
} }
} }
@@ -1568,6 +1590,7 @@ PolicyMakerUtils::createPolicyElementsByRule<V1beta2AppsecLinuxPolicy, NewParsed
std::get<0>(splited_host_name), std::get<0>(splited_host_name),
std::get<2>(splited_host_name), std::get<2>(splited_host_name),
log_triggers[rule_annotations[AnnotationTypes::TRIGGER]].getTriggerId(), log_triggers[rule_annotations[AnnotationTypes::TRIGGER]].getTriggerId(),
rule.getMode(),
policy, policy,
rule_annotations rule_annotations
); );

7
components/security_apps/orchestration/details_resolver/details_resolver.cc
View File

@@ -32,6 +32,7 @@ class DetailsResolver::Impl
Singleton::Provide<I_DetailsResolver>::From<DetailsResolver> Singleton::Provide<I_DetailsResolver>::From<DetailsResolver>
{ {
public: public:
void init() { handler.init(); }
Maybe<string> getHostname() override; Maybe<string> getHostname() override;
Maybe<string> getPlatform() override; Maybe<string> getPlatform() override;
Maybe<string> getArch() override; Maybe<string> getArch() override;
@@ -290,6 +291,12 @@ DetailsResolver::DetailsResolver() : Component("DetailsResolver"), pimpl(make_un
DetailsResolver::~DetailsResolver() {} DetailsResolver::~DetailsResolver() {}
void
DetailsResolver::init()
{
pimpl->init();
}
void void
DetailsResolver::preload() DetailsResolver::preload()
{ {

12
components/security_apps/orchestration/details_resolver/details_resolver_handlers/checkpoint_product_handlers.h
View File

@@ -216,6 +216,18 @@ getFecApplicable(const string &command_output)
return genError("Could not determine if fec applicable"); return genError("Could not determine if fec applicable");
} }
Maybe<string>
getSMCBasedMgmtId(const string &command_output)
{
return getAttr(command_output, "Mgmt object UUID was not found");
}
Maybe<string>
getSMCBasedMgmtName(const string &command_output)
{
return getAttr(command_output, "Mgmt object Name was not found");
}
Maybe<string> Maybe<string>
getSmbObjectName(const string &command_output) getSmbObjectName(const string &command_output)
{ {

46
components/security_apps/orchestration/details_resolver/details_resolver_handlers/details_resolver_impl.h
View File

@@ -33,7 +33,10 @@
SHELL_PRE_CMD("read sdwan data", SHELL_PRE_CMD("read sdwan data",
"(cpsdwan get_data > /tmp/cpsdwan_getdata_orch.json~) " "(cpsdwan get_data > /tmp/cpsdwan_getdata_orch.json~) "
"&& (mv /tmp/cpsdwan_getdata_orch.json~ /tmp/cpsdwan_getdata_orch.json)") "&& (mv /tmp/cpsdwan_getdata_orch.json~ /tmp/cpsdwan_getdata_orch.json)")
#endif #endif //gaia || smb
#if defined(smb)
SHELL_PRE_CMD("gunzip local.cfg", "gunzip -c $FWDIR/state/local/FW1/local.cfg.gz > /tmp/local.cfg")
#endif //smb
#endif #endif
#ifdef SHELL_CMD_HANDLER #ifdef SHELL_CMD_HANDLER
@@ -115,6 +118,22 @@ SHELL_CMD_HANDLER(
"cat $FWDIR/database/myself_objects.C | awk -F '[:()]' '/:VPN_1/ {print $3}' | head -n 1", "cat $FWDIR/database/myself_objects.C | awk -F '[:()]' '/:VPN_1/ {print $3}' | head -n 1",
getGWIPSecVPNBlade getGWIPSecVPNBlade
) )
SHELL_CMD_HANDLER(
"SMCBasedMgmtId",
"domain_uuid=$(jq -r .domain_uuid /tmp/cpsdwan_getdata_orch.json);"
"[ \"$domain_uuid\" != \"null\" ] && echo \"$domain_uuid\" ||"
"cat $FWDIR/database/myself_objects.C "
"| awk -F'[{}]' '/:masters/ { found=1; next } found && /:Uid/ { uid=tolower($2); print uid; exit }'",
getSMCBasedMgmtId
)
SHELL_CMD_HANDLER(
"SMCBasedMgmtName",
"domain_name=$(jq -r .domain_name /tmp/cpsdwan_getdata_orch.json);"
"[ \"$domain_name\" != \"null\" ] && echo \"$domain_name\" ||"
"cat $FWDIR/database/myself_objects.C "
"| awk -F '[:()]' '/:masters/ {found=1; next} found && /:Name/ {print $3; exit}'",
getSMCBasedMgmtName
)
#endif //gaia #endif //gaia
#if defined(smb) #if defined(smb)
@@ -148,6 +167,23 @@ SHELL_CMD_HANDLER(
"cat $FWDIR/conf/active_blades.txt | grep -o 'IPS [01]' | cut -d ' ' -f2", "cat $FWDIR/conf/active_blades.txt | grep -o 'IPS [01]' | cut -d ' ' -f2",
getSmbGWIPSecVPNBlade getSmbGWIPSecVPNBlade
) )
SHELL_CMD_HANDLER(
"SMCBasedMgmtId",
"domain_uuid=$(jq -r .domain_uuid /tmp/cpsdwan_getdata_orch.json);"
"[ \"$domain_uuid\" != \"null\" ] && echo \"$domain_uuid\" ||"
"cat /tmp/local.cfg "
"| awk -F'[{}]' '/:masters/ { found=1; next } found && /:Uid/ { uid=tolower($2); print uid; exit }'",
getSMCBasedMgmtId
)
SHELL_CMD_HANDLER(
"SMCBasedMgmtName",
"domain_name=$(jq -r .domain_name /tmp/cpsdwan_getdata_orch.json);"
"[ \"$domain_name\" != \"null\" ] && echo \"$domain_name\" ||"
"cat /tmp/local.cfg "
"| awk -F '[:()]' '/:masters/ {found=1; next} found && /:Name/ {print $3; exit}'",
getSMCBasedMgmtName
)
#endif//smb #endif//smb
SHELL_CMD_OUTPUT("kernel_version", "uname -r") SHELL_CMD_OUTPUT("kernel_version", "uname -r")
@@ -187,6 +223,12 @@ FILE_CONTENT_HANDLER(
FILE_CONTENT_HANDLER("os_release", "/etc/os-release", getOsRelease) FILE_CONTENT_HANDLER("os_release", "/etc/os-release", getOsRelease)
#endif // gaia || smb #endif // gaia || smb
FILE_CONTENT_HANDLER("AppSecModelVersion", "/etc/cp/conf/waap/waap.data", getWaapModelVersion) FILE_CONTENT_HANDLER("AppSecModelVersion", "<FILESYSTEM-PREFIX>/conf/waap/waap.data", getWaapModelVersion)
#endif // FILE_CONTENT_HANDLER #endif // FILE_CONTENT_HANDLER
#ifdef SHELL_POST_CMD
#if defined(smb)
SHELL_POST_CMD("remove local.cfg", "rm -rf /tmp/local.cfg")
#endif //smb
#endif

41
components/security_apps/orchestration/details_resolver/details_resolving_handler.cc
View File

@@ -36,9 +36,12 @@ using FileContentHandler = function<Maybe<string>(shared_ptr<istream> file_otput
#include "checkpoint_product_handlers.h" #include "checkpoint_product_handlers.h"
static const string filesystem_place_holder = "<FILESYSTEM-PREFIX>";
class DetailsResolvingHanlder::Impl class DetailsResolvingHanlder::Impl
{ {
public: public:
void init();
map<string, string> getResolvedDetails() const; map<string, string> getResolvedDetails() const;
static Maybe<string> getCommandOutput(const string &cmd); static Maybe<string> getCommandOutput(const string &cmd);
@@ -64,6 +67,26 @@ private:
#undef FILE_CONTENT_HANDLER #undef FILE_CONTENT_HANDLER
}; };
#define SHELL_POST_CMD(NAME, COMMAND) {NAME, COMMAND},
map<string, string> shell_post_commands = {
#include "details_resolver_impl.h"
};
#undef SHELL_POST_CMD
void
DetailsResolvingHanlder::Impl::init()
{
string actual_filesystem_prefix = getFilesystemPathConfig();
for (auto &file_handler : file_content_handlers) {
string &path = file_handler.second.first;
size_t place_holder_size = filesystem_place_holder.size();
if (path.substr(0, place_holder_size) == filesystem_place_holder) {
path = actual_filesystem_prefix + path.substr(place_holder_size);
}
}
}
map<string, string> map<string, string>
DetailsResolvingHanlder::Impl::getResolvedDetails() const DetailsResolvingHanlder::Impl::getResolvedDetails() const
{ {
@@ -114,6 +137,18 @@ DetailsResolvingHanlder::Impl::getResolvedDetails() const
in_file->close(); in_file->close();
} }
for (auto &shell_post_command : shell_post_commands) {
const string &name = shell_post_command.first;
const string &command = shell_post_command.second;
Maybe<int> command_ret = shell->getExecReturnCode(command, timeout);
if (!command_ret.ok()) {
dbgWarning(D_AGENT_DETAILS) << "Failed to run post-command " << name;
} else if (*command_ret) {
dbgWarning(D_AGENT_DETAILS) << "Post-command " << name << " failed (rc: " << *command_ret << ")";
}
}
I_AgentDetailsReporter *reporter = Singleton::Consume<I_AgentDetailsReporter>::by<DetailsResolvingHanlder>(); I_AgentDetailsReporter *reporter = Singleton::Consume<I_AgentDetailsReporter>::by<DetailsResolvingHanlder>();
reporter->addAttr(resolved_details, true); reporter->addAttr(resolved_details, true);
@@ -137,6 +172,12 @@ DetailsResolvingHanlder::Impl::getCommandOutput(const string &cmd)
DetailsResolvingHanlder::DetailsResolvingHanlder() : pimpl(make_unique<Impl>()) {} DetailsResolvingHanlder::DetailsResolvingHanlder() : pimpl(make_unique<Impl>()) {}
DetailsResolvingHanlder::~DetailsResolvingHanlder() {} DetailsResolvingHanlder::~DetailsResolvingHanlder() {}
void
DetailsResolvingHanlder::init()
{
return pimpl->init();
}
map<string, string> map<string, string>
DetailsResolvingHanlder::getResolvedDetails() const DetailsResolvingHanlder::getResolvedDetails() const
{ {

1
components/security_apps/orchestration/details_resolver/details_resolving_handler.h
View File

@@ -31,6 +31,7 @@ public:
DetailsResolvingHanlder(); DetailsResolvingHanlder();
~DetailsResolvingHanlder(); ~DetailsResolvingHanlder();
void init();
std::map<std::string, std::string> getResolvedDetails() const; std::map<std::string, std::string> getResolvedDetails() const;
static Maybe<std::string> getCommandOutput(const std::string &cmd); static Maybe<std::string> getCommandOutput(const std::string &cmd);

2
components/security_apps/orchestration/downloader/CMakeLists.txt
View File

@@ -1,5 +1,5 @@
ADD_DEFINITIONS(-Wno-deprecated-declarations -Dalpine) ADD_DEFINITIONS(-Wno-deprecated-declarations -Dalpine)
add_library(orchestration_downloader curl_client.cc downloader.cc http_client.cc https_client.cc) add_library(orchestration_downloader curl_client.cc downloader.cc http_client.cc https_client.cc https_client_helper.cc)
#add_subdirectory(downloader_ut) #add_subdirectory(downloader_ut)

5
components/security_apps/orchestration/downloader/downloader.cc
View File

@@ -121,6 +121,11 @@ Downloader::Impl::init()
"Default file download path" "Default file download path"
); );
auto maybe_vs_id = Singleton::Consume<I_Environment>::by<Downloader>()->get<string>("VS ID");
if (maybe_vs_id.ok()) {
dir_path = dir_path + "/vs" + maybe_vs_id.unpack();
}
Singleton::Consume<I_OrchestrationTools>::by<Downloader>()->createDirectory(dir_path); Singleton::Consume<I_OrchestrationTools>::by<Downloader>()->createDirectory(dir_path);
} }

14
components/security_apps/orchestration/downloader/http_client.cc
View File

@@ -189,14 +189,12 @@ HTTPClient::getFile(const URLParser &url, ofstream &out_file, bool auth_required
} }
if (url.isOverSSL()) { if (url.isOverSSL()) {
auto get_file_over_ssl_res = getFileSSL(url, out_file, token); if (getFileSSLDirect(url, out_file, token).ok()) return Maybe<void>();
if (!get_file_over_ssl_res.ok()) dbgWarning(D_ORCHESTRATOR) << "Failed to get file over SSL directly. Trying indirectly.";
{ if (getFileSSL(url, out_file, token).ok()) return Maybe<void>();
//CURL fallback //CURL fallback
dbgWarning(D_ORCHESTRATOR) << "Failed to get file over SSL. Trying via CURL (SSL)."; dbgWarning(D_ORCHESTRATOR) << "Failed to get file over SSL. Trying via CURL (SSL).";
return curlGetFileOverSSL(url, out_file, token); return curlGetFileOverSSL(url, out_file, token);
}
return get_file_over_ssl_res;
} }
auto get_file_http_res = getFileHttp(url, out_file, token); auto get_file_http_res = getFileHttp(url, out_file, token);
if (!get_file_http_res.ok()) if (!get_file_http_res.ok())

1
components/security_apps/orchestration/downloader/http_client.h
View File

@@ -34,6 +34,7 @@ public:
private: private:
std::string loadCAChainDir(); std::string loadCAChainDir();
Maybe<void> getFileSSL(const URLParser &url, std::ofstream &out_file, const std::string &_token); Maybe<void> getFileSSL(const URLParser &url, std::ofstream &out_file, const std::string &_token);
Maybe<void> getFileSSLDirect(const URLParser &url, std::ofstream &out_file, const std::string &_token);
Maybe<void> getFileHttp(const URLParser &url, std::ofstream &out_file, const std::string &_token); Maybe<void> getFileHttp(const URLParser &url, std::ofstream &out_file, const std::string &_token);
Maybe<void> curlGetFileOverHttp(const URLParser &url, std::ofstream &out_file, const std::string &_token); Maybe<void> curlGetFileOverHttp(const URLParser &url, std::ofstream &out_file, const std::string &_token);
Maybe<void> curlGetFileOverSSL(const URLParser &url, std::ofstream &out_file, const std::string &_token); Maybe<void> curlGetFileOverSSL(const URLParser &url, std::ofstream &out_file, const std::string &_token);

2
components/security_apps/orchestration/downloader/https_client.cc
View File

@@ -90,7 +90,7 @@ public:
ostream request_stream(&request_); ostream request_stream(&request_);
stringstream http_request; stringstream http_request;
http_request << "GET " << url.getQuery() << " HTTP/1.1\r\n"; http_request << "GET " << url.getQuery() << " HTTP/1.1\r\n";
string host = url.getBaseURL().unpack(); string host = url.getHost();
string port = url.getPort(); string port = url.getPort();
int port_int; int port_int;
try { try {

20
components/security_apps/orchestration/downloader/https_client_helper.cc Normal file
View File

@@ -0,0 +1,20 @@
// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "http_client.h"
Maybe<void>
HTTPClient::getFileSSLDirect(const URLParser &, std::ofstream &, const std::string &)
{
return genError("No direct downloading in open-source");
}

1
components/security_apps/orchestration/hybrid_mode_telemetry.cc
View File

@@ -47,6 +47,7 @@ HybridModeMetric::upon(const HybridModeMetricEvent &)
string cmd_output = maybe_cmd_output.unpack(); string cmd_output = maybe_cmd_output.unpack();
trim(cmd_output); trim(cmd_output);
dbgDebug(D_ORCHESTRATOR) << "Watchdog process counter: " << cmd_output; dbgDebug(D_ORCHESTRATOR) << "Watchdog process counter: " << cmd_output;
if (cmd_output.empty()) return;
try { try {
wd_process_restart.report(stoi(cmd_output)); wd_process_restart.report(stoi(cmd_output));

2
components/security_apps/orchestration/include/namespace_data.h
View File

@@ -26,7 +26,7 @@ class NamespaceData : public ClientRest
{ {
public: public:
bool loadJson(const std::string &json); bool loadJson(const std::string &json);
Maybe<std::string> getNamespaceUidByName(const std::string &name); Maybe<std::string> getNamespaceUidByName(const std::string &name) const;
private: private:
std::map<std::string, std::string> ns_name_to_uid; std::map<std::string, std::string> ns_name_to_uid;

8
components/security_apps/orchestration/include/orchestration_policy.h
View File

@@ -21,8 +21,8 @@ class OrchestrationPolicy
{ {
public: public:
const std::string & getFogAddress() const; const std::string & getFogAddress() const;
const unsigned long & getSleepInterval() const; unsigned int getSleepInterval() const;
const unsigned long & getErrorSleepInterval() const; unsigned int getErrorSleepInterval() const;
void serialize(cereal::JSONInputArchive & archive); void serialize(cereal::JSONInputArchive & archive);
@@ -31,8 +31,8 @@ public:
private: private:
std::string fog_address; std::string fog_address;
unsigned long sleep_interval; unsigned int sleep_interval;
unsigned long error_sleep_interval; unsigned int error_sleep_interval;
}; };
#endif // __ORCHESTRATION_POLICY_H__ #endif // __ORCHESTRATION_POLICY_H__

16
components/security_apps/orchestration/modules/modules_ut/orchestration_policy_ut.cc
View File

@@ -43,8 +43,8 @@ TEST_F(PolicyTest, serialization)
ASSERT_TRUE(false) << "Cereal threw an exception: " << e.what(); ASSERT_TRUE(false) << "Cereal threw an exception: " << e.what();
} }
EXPECT_EQ(15u, orchestration_policy.getErrorSleepInterval()); EXPECT_EQ(15, orchestration_policy.getErrorSleepInterval());
EXPECT_EQ(20u, orchestration_policy.getSleepInterval()); EXPECT_EQ(20, orchestration_policy.getSleepInterval());
EXPECT_EQ("http://10.0.0.18:81/control/", orchestration_policy.getFogAddress()); EXPECT_EQ("http://10.0.0.18:81/control/", orchestration_policy.getFogAddress());
} }
@@ -63,8 +63,8 @@ TEST_F(PolicyTest, noAgentType)
ASSERT_TRUE(false) << "Cereal threw an exception: " << e.what(); ASSERT_TRUE(false) << "Cereal threw an exception: " << e.what();
} }
EXPECT_EQ(15u, orchestration_policy.getErrorSleepInterval()); EXPECT_EQ(15, orchestration_policy.getErrorSleepInterval());
EXPECT_EQ(20u, orchestration_policy.getSleepInterval()); EXPECT_EQ(20, orchestration_policy.getSleepInterval());
EXPECT_EQ("http://10.0.0.18:81/control/", orchestration_policy.getFogAddress()); EXPECT_EQ("http://10.0.0.18:81/control/", orchestration_policy.getFogAddress());
} }
@@ -83,8 +83,8 @@ TEST_F(PolicyTest, zeroSleepIntervels)
ASSERT_TRUE(false) << "Cereal threw an exception: " << e.what(); ASSERT_TRUE(false) << "Cereal threw an exception: " << e.what();
} }
EXPECT_EQ(0u, orchestration_policy.getErrorSleepInterval()); EXPECT_EQ(0, orchestration_policy.getErrorSleepInterval());
EXPECT_EQ(0u, orchestration_policy.getSleepInterval()); EXPECT_EQ(0, orchestration_policy.getSleepInterval());
EXPECT_EQ("http://10.0.0.18:81/control/", orchestration_policy.getFogAddress()); EXPECT_EQ("http://10.0.0.18:81/control/", orchestration_policy.getFogAddress());
} }
@@ -152,7 +152,7 @@ TEST_F(PolicyTest, newOptionalFields)
ASSERT_TRUE(false) << "Cereal threw an exception: " << e.what(); ASSERT_TRUE(false) << "Cereal threw an exception: " << e.what();
} }
EXPECT_EQ(10u, orchestration_policy.getErrorSleepInterval()); EXPECT_EQ(10, orchestration_policy.getErrorSleepInterval());
EXPECT_EQ(30u, orchestration_policy.getSleepInterval()); EXPECT_EQ(30, orchestration_policy.getSleepInterval());
EXPECT_EQ("https://fog-api-gw-agents.cloud.ngen.checkpoint.com", orchestration_policy.getFogAddress()); EXPECT_EQ("https://fog-api-gw-agents.cloud.ngen.checkpoint.com", orchestration_policy.getFogAddress());
} }

9
components/security_apps/orchestration/modules/modules_ut/url_parser_ut.cc
View File

@@ -59,6 +59,15 @@ TEST_F(URLParserTest, parseAWSWithoutSlash)
EXPECT_EQ("", link.getQuery()); EXPECT_EQ("", link.getQuery());
} }
TEST_F(URLParserTest, setHost)
{
URLParser link("http://172.23.92.180:180/something");
EXPECT_EQ(link.getHost(), "172.23.92.180");
link.setHost("my.domain");
EXPECT_EQ(link.getHost(), "my.domain");
}
TEST_F(URLParserTest, protocolIsMissing) TEST_F(URLParserTest, protocolIsMissing)
{ {
// HTTPS is set by default when protocol is not present in URL. // HTTPS is set by default when protocol is not present in URL.

15
components/security_apps/orchestration/modules/orchestration_policy.cc
View File

@@ -22,13 +22,13 @@ OrchestrationPolicy::getFogAddress() const
return fog_address; return fog_address;
} }
const unsigned long & unsigned int
OrchestrationPolicy::getSleepInterval() const OrchestrationPolicy::getSleepInterval() const
{ {
return sleep_interval; return sleep_interval;
} }
const unsigned long & unsigned int
OrchestrationPolicy::getErrorSleepInterval() const OrchestrationPolicy::getErrorSleepInterval() const
{ {
return error_sleep_interval; return error_sleep_interval;
@@ -37,10 +37,13 @@ OrchestrationPolicy::getErrorSleepInterval() const
void void
OrchestrationPolicy::serialize(JSONInputArchive &archive) OrchestrationPolicy::serialize(JSONInputArchive &archive)
{ {
// Split it, so the order doesn't matter. try {
archive(make_nvp("fog-address", fog_address)); archive(make_nvp("fog-address", fog_address));
archive(make_nvp("pulling-interval", sleep_interval)); archive(make_nvp("pulling-interval", sleep_interval));
archive(make_nvp("error-pulling-interval", error_sleep_interval)); archive(make_nvp("error-pulling-interval", error_sleep_interval));
} catch (const cereal::Exception&) {
archive(make_nvp("orchestration", *this));
}
} }
bool bool

2
components/security_apps/orchestration/modules/orchestration_status.cc
View File

@@ -399,7 +399,6 @@ public:
if (!write_result) { if (!write_result) {
dbgWarning(D_ORCHESTRATOR) << "Failed to write Orchestration status. File: " << orchestration_status_path; dbgWarning(D_ORCHESTRATOR) << "Failed to write Orchestration status. File: " << orchestration_status_path;
} }
dbgTrace(D_ORCHESTRATOR) << "Orchestration status file has been updated. File: " << orchestration_status_path;
} }
void void
@@ -459,7 +458,6 @@ public:
seconds(5), seconds(5),
[this] () [this] ()
{ {
dbgTrace(D_ORCHESTRATOR) << "Write Orchestration status file <co-routine>";
writeStatusToFile(); writeStatusToFile();
}, },
"Write Orchestration status file" "Write Orchestration status file"

Some files were not shown because too many files have changed in this diff Show More