github_mirrors/openappsec
3
0
Fork 1
mirror of https://github.com/openappsec/openappsec.git synced 2025-11-16 01:12:18 +03:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: github_mirrors:Feb_06_2024-Dev
Branches Tags
github_mirrors:main github_mirrors:fix-entry-file-token-arg github_mirrors:09-11-25-dev github_mirrors:docker-stop-issue github_mirrors:update_docker_compose github_mirrors:fix-alpine-ca github_mirrors:Aug_08_2025-Dev github_mirrors:nginx_message_reader_improvements github_mirrors:conf-collector-upload github_mirrors:waf-tag github_mirrors:watchdog github_mirrors:prometheus_support github_mirrors:exception-fix github_mirrors:orianelou-patch-8 github_mirrors:orianelou-issue-tamplates github_mirrors:Mar_17_2025-Dev github_mirrors:docker-upgrade-issue github_mirrors:namspace-crds github_mirrors:Feb_27_2025-Dev github_mirrors:Feb_10_2025-Dev github_mirrors:oriane-23.12.24-adding-new-composes github_mirrors:Jan_12_2025-Dev github_mirrors:orianelou-patch-7 github_mirrors:Dec_29_2024-Dev github_mirrors:Nov_28_2024-Dev github_mirrors:Oct_14_2024-Dev github_mirrors:Sep_17_2024-Dev github_mirrors:Sep_15_2024-Dev github_mirrors:Sep_13_2024-Dev github_mirrors:Sep_11_2024-Dev github_mirrors:Aug_20_2024-Dev github_mirrors:orianelou-patch-6 github_mirrors:orianelou-patch-5 github_mirrors:orianelou-patch-4 github_mirrors:Jul_31_2024-Dev github_mirrors:danielei-hotifx-candidate github_mirrors:orianelou-crds github_mirrors:or github_mirrors:Jul_23_2024-Dev github_mirrors:Jul_04_2024-Dev github_mirrors:Jun_26_2024-Dev github_mirrors:orianelou-new-policy-files github_mirrors:Jun_09_2024-Dev github_mirrors:May_27_2024-Dev github_mirrors:Apr_21_2024-Dev github_mirrors:Apr_14_2024-Dev github_mirrors:Mar_21_2024-Dev github_mirrors:orianelou-patch-3 github_mirrors:WrightNed-patch-1 github_mirrors:Feb_28_2024 github_mirrors:orianelou-patch-apisix github_mirrors:Feb_13_2024 github_mirrors:Feb_06_2024-Dev github_mirrors:Jan_31_2024-Dev github_mirrors:Dec-24-2023 github_mirrors:Dec-12th-2023 github_mirrors:Nov_12_2023-Dev github_mirrors:open_appsec_add_agent_cache_for_rate_limit github_mirrors:orianelou-patch-2 github_mirrors:Sep_24_2023-Dev github_mirrors:Aug_23_2023-Dev github_mirrors:changing_socket_readiness_testing github_mirrors:support-advance-model github_mirrors:Jul_24_23_chart_update github_mirrors:Jul_06_2023-Dev github_mirrors:orianelou-patch-1 github_mirrors:workflow-08_05 github_mirrors:May_11_2023-Dev github_mirrors:crowdsec github_mirrors:Apr_27_2023-Dev github_mirrors:Mar_26_2023-Dev github_mirrors:Mar_13_2023-Dev github_mirrors:Mar_02_2023-Dev github_mirrors:Feb_22_2023-Dev github_mirrors:Feb_15_2023-Dev github_mirrors:Jan_22_2023-Dev github_mirrors:Jan_18_2023-Dev github_mirrors:Jan_16_2023
github_mirrors:1.1.30 github_mirrors:1.1.29 github_mirrors:1.1.27 github_mirrors:1.1.26 github_mirrors:1.1.25 github_mirrors:1.1.24 github_mirrors:1.1.23 github_mirrors:1.1.22 github_mirrors:1.1.21 github_mirrors:1.1.20 github_mirrors:1.1.19 github_mirrors:1.1.18 github_mirrors:1.1.17 github_mirrors:1.1.16 github_mirrors:1.1.15 github_mirrors:1.1.14 github_mirrors:v1.1.3 github_mirrors:1.1.12 github_mirrors:1.1.11 github_mirrors:1.1.10 github_mirrors:1.1.9 github_mirrors:1.1.8 github_mirrors:1.1.7 github_mirrors:1.1.6 github_mirrors:1.1.5 github_mirrors:1.1.4 github_mirrors:1.1.3 github_mirrors:1.1.2 github_mirrors:1.1.0 github_mirrors:1.0.1 github_mirrors:1.0.0 github_mirrors:0.9.1-rc github_mirrors:0.9.0-rc github_mirrors:0.8.0-rc
...
compare: github_mirrors:orianelou-patch-7
Branches Tags
github_mirrors:fix-entry-file-token-arg github_mirrors:main github_mirrors:09-11-25-dev github_mirrors:docker-stop-issue github_mirrors:update_docker_compose github_mirrors:fix-alpine-ca github_mirrors:Aug_08_2025-Dev github_mirrors:nginx_message_reader_improvements github_mirrors:conf-collector-upload github_mirrors:waf-tag github_mirrors:watchdog github_mirrors:prometheus_support github_mirrors:exception-fix github_mirrors:orianelou-patch-8 github_mirrors:orianelou-issue-tamplates github_mirrors:Mar_17_2025-Dev github_mirrors:docker-upgrade-issue github_mirrors:namspace-crds github_mirrors:Feb_27_2025-Dev github_mirrors:Feb_10_2025-Dev github_mirrors:oriane-23.12.24-adding-new-composes github_mirrors:Jan_12_2025-Dev github_mirrors:orianelou-patch-7 github_mirrors:Dec_29_2024-Dev github_mirrors:Nov_28_2024-Dev github_mirrors:Oct_14_2024-Dev github_mirrors:Sep_17_2024-Dev github_mirrors:Sep_15_2024-Dev github_mirrors:Sep_13_2024-Dev github_mirrors:Sep_11_2024-Dev github_mirrors:Aug_20_2024-Dev github_mirrors:orianelou-patch-6 github_mirrors:orianelou-patch-5 github_mirrors:orianelou-patch-4 github_mirrors:Jul_31_2024-Dev github_mirrors:danielei-hotifx-candidate github_mirrors:orianelou-crds github_mirrors:or github_mirrors:Jul_23_2024-Dev github_mirrors:Jul_04_2024-Dev github_mirrors:Jun_26_2024-Dev github_mirrors:orianelou-new-policy-files github_mirrors:Jun_09_2024-Dev github_mirrors:May_27_2024-Dev github_mirrors:Apr_21_2024-Dev github_mirrors:Apr_14_2024-Dev github_mirrors:Mar_21_2024-Dev github_mirrors:orianelou-patch-3 github_mirrors:WrightNed-patch-1 github_mirrors:Feb_28_2024 github_mirrors:orianelou-patch-apisix github_mirrors:Feb_13_2024 github_mirrors:Feb_06_2024-Dev github_mirrors:Jan_31_2024-Dev github_mirrors:Dec-24-2023 github_mirrors:Dec-12th-2023 github_mirrors:Nov_12_2023-Dev github_mirrors:open_appsec_add_agent_cache_for_rate_limit github_mirrors:orianelou-patch-2 github_mirrors:Sep_24_2023-Dev github_mirrors:Aug_23_2023-Dev github_mirrors:changing_socket_readiness_testing github_mirrors:support-advance-model github_mirrors:Jul_24_23_chart_update github_mirrors:Jul_06_2023-Dev github_mirrors:orianelou-patch-1 github_mirrors:workflow-08_05 github_mirrors:May_11_2023-Dev github_mirrors:crowdsec github_mirrors:Apr_27_2023-Dev github_mirrors:Mar_26_2023-Dev github_mirrors:Mar_13_2023-Dev github_mirrors:Mar_02_2023-Dev github_mirrors:Feb_22_2023-Dev github_mirrors:Feb_15_2023-Dev github_mirrors:Jan_22_2023-Dev github_mirrors:Jan_18_2023-Dev github_mirrors:Jan_16_2023
github_mirrors:1.1.30 github_mirrors:1.1.29 github_mirrors:1.1.27 github_mirrors:1.1.26 github_mirrors:1.1.25 github_mirrors:1.1.24 github_mirrors:1.1.23 github_mirrors:1.1.22 github_mirrors:1.1.21 github_mirrors:1.1.20 github_mirrors:1.1.19 github_mirrors:1.1.18 github_mirrors:1.1.17 github_mirrors:1.1.16 github_mirrors:1.1.15 github_mirrors:1.1.14 github_mirrors:v1.1.3 github_mirrors:1.1.12 github_mirrors:1.1.11 github_mirrors:1.1.10 github_mirrors:1.1.9 github_mirrors:1.1.8 github_mirrors:1.1.7 github_mirrors:1.1.6 github_mirrors:1.1.5 github_mirrors:1.1.4 github_mirrors:1.1.3 github_mirrors:1.1.2 github_mirrors:1.1.0 github_mirrors:1.0.1 github_mirrors:1.0.0 github_mirrors:0.9.1-rc github_mirrors:0.9.0-rc github_mirrors:0.8.0-rc

148 Commits
Feb_06_202 ... orianelou-

Author SHA1 Message Date
orianelou
8a6809fb52 Create open-appsec-k8s-v1beta2.yaml 2024-12-31 10:13:04 +02:00
orianelou
20e8e65e14 Update open-appsec-k8s-full-example-config-v1beta2.yaml 2024-12-30 16:52:26 +02:00
orianelou
414130a789 Update open-appsec-k8s-full-example-config-v1beta2.yaml 2024-12-30 16:40:13 +02:00
orianelou
9d704455e8 Update open-appsec-k8s-full-example-config-v1beta2.yaml 2024-12-30 16:30:36 +02:00
orianelou
602442fed4 Update open-appsec-k8s-full-example-config-v1beta2.yaml 2024-12-30 16:24:12 +02:00
orianelou
4e9a90db01 Update open-appsec-k8s-full-example-config-v1beta2.yaml 2024-12-30 16:21:15 +02:00
orianelou
20f92afbc2 Update open-appsec-k8s-full-example-config-v1beta2.yaml 2024-12-30 16:18:59 +02:00
orianelou
ee7adc37d0 Update open-appsec-k8s-full-example-config-v1beta2.yaml 2024-12-30 16:13:51 +02:00
orianelou
c0b3e9c0d0 Update open-appsec-k8s-full-example-config-v1beta2.yaml 2024-12-30 14:34:17 +02:00
orianelou
f1f4b13327 Update open-appsec-k8s-prevent-config-v1beta2.yaml 2024-12-30 13:51:59 +02:00
orianelou
4354a98d37 Update open-appsec-k8s-default-config-v1beta2.yaml 2024-12-30 13:51:19 +02:00
orianelou
09fa11516c Update open-appsec-k8s-full-example-config-v1beta2.yaml 2024-12-30 13:39:09 +02:00
orianelou
446b043128 Rename pen-appsec-k8s-full-example-config-v1beta2.yaml to open-appsec-k8s-full-example-config-v1beta2.yaml 2024-12-30 13:36:31 +02:00
orianelou
91bcadf930 Create pen-appsec-k8s-full-example-config-v1beta2.yaml 2024-12-30 13:35:05 +02:00
orianelou
0824cf4b23 Update README.md 2024-12-30 09:42:10 +02:00
orianelou
96ce290e5f Update open-appsec-crd-v1beta2.yaml 2024-12-19 14:42:51 +02:00
orianelou
de8e2d9970 Merge pull request #210 from openappsec/orianelou-test-as-top-level-7 
Update local_policy.yaml
 2024-12-12 12:50:29 +02:00
orianelou
0048708af1 Update local_policy.yaml 2024-12-12 12:49:40 +02:00
orianelou
4fe0f44e88 Update local_policy.yaml 2024-12-12 12:45:22 +02:00
orianelou
5f139d13d7 Update docker-compose.yaml 2024-12-09 10:59:01 +02:00
orianelou
919d775a73 Update docker-compose.yaml 2024-12-05 14:42:04 +02:00
orianelou
ac8e353598 Update docker-compose.yaml 2024-12-05 13:43:23 +02:00
Daniel-Eisenberg
0663f20691 Merge pull request #207 from openappsec/Nov_28_2024-Dev 
Nov 28 2024 dev
 2024-12-01 11:53:26 +02:00
Ned Wright
2dda6231f6 sync code 2024-11-28 10:53:40 +00:00
Ned Wright
1c1f0b7e29 sync code 2024-11-28 10:41:59 +00:00
orianelou
6255e1f30d Rename docker-compose.yaml to docker-compose.yaml 2024-11-06 14:57:50 +02:00
orianelou
454aacf622 Rename .env to .env 2024-11-06 14:57:31 +02:00
orianelou
c91ccba5a8 Create .env 2024-11-06 14:01:40 +02:00
orianelou
b1f897191c Create docker-compose.yaml 2024-11-06 14:01:20 +02:00
Daniel-Eisenberg
027ddfea21 Merge pull request #200 from openappsec/Oct_14_2024-Dev 
Oct 14 2024 dev
 2024-11-05 12:12:10 +02:00
orianelou
d1a2906b29 Create default.conf 2024-11-03 14:23:34 +02:00
Ned Wright
b1ade9bba0 code sync 2024-10-15 06:57:25 +00:00
Ned Wright
36d302b77e code sync 2024-10-14 16:43:58 +00:00
Ned Wright
1d7d38b0a6 code sync 2024-10-14 16:39:35 +00:00
Ned Wright
1b7eafaa23 code sync 2024-10-14 16:32:23 +00:00
Ned Wright
c2ea2cda6d sync code 2024-10-14 14:51:28 +00:00
orianelou
b58f7781e6 Update local_policy.yaml 2024-10-01 13:05:23 +03:00
orianelou
7153d222c0 Update local_policy.yaml 2024-10-01 13:03:59 +03:00
orianelou
f1ec8959b7 Update apisix-standalone.yaml 2024-10-01 12:49:25 +03:00
Daniel-Eisenberg
4a7336b276 Merge pull request #190 from openappsec/Sep_17_2024-Dev 
sync code
 2024-09-30 14:53:51 +03:00
orianelou
4d0042e933 Create apisix-standalone.yaml 2024-09-30 14:10:35 +03:00
orianelou
015915497a Create docker-compose.yaml 2024-09-30 14:09:43 +03:00
Ned Wright
586150fe4f sync code 2024-09-17 10:53:09 +00:00
orianelou
3fe0b42fcd Merge pull request #189 from openappsec/Sep_15_2024-Dev 
sync code
 2024-09-15 17:25:26 +03:00
orianelou
84e10c7129 Merge pull request #186 from chkp-omriat2/main 
Updating crowdsec auxiliary
 2024-09-15 17:25:13 +03:00
Ned Wright
eddd250409 sync code 2024-09-15 02:49:26 +00:00
chkp-omriat2
294cb600f8 Updating crowdsec auxiliary 2024-09-10 06:09:54 +00:00
Ned Wright
f4bad4c4d9 Remove non-active files 2024-09-02 14:16:01 +03:00
WrightNed
6e916599d9 Merge pull request #179 from openappsec/Aug_20_2024-Dev 
Aug 20th update
 2024-08-27 12:33:46 +03:00
orianelou
24d53aed53 Update docker-compose.yaml 2024-08-27 10:50:25 +03:00
WrightNed
93fb3da2f8 Merge pull request #177 from wiaam96/patch-1 
Update entry.sh
 2024-08-22 15:17:49 +03:00
wiaam96
e7378c9a5f Update entry.sh 2024-08-22 15:15:24 +03:00
Ned Wright
110f0c8bd2 Aug 20th update 2024-08-21 08:42:14 +00:00
WrightNed
ca31aac08a Merge pull request #174 from openappsec/orianelou-patch-6 
Update docker-compose.yaml
 2024-08-20 15:17:02 +03:00
orianelou
161b6dd180 Update docker-compose.yaml 2024-08-20 14:50:01 +03:00
WrightNed
84327e0b19 Merge pull request #170 from openappsec/orianelou-patch-4 
Create docker-compose.yaml
 2024-08-05 13:12:40 +03:00
orianelou
b9723ba6ce Create docker-compose.yaml 
added compose for docker SWAG
 2024-08-05 12:06:37 +03:00
WrightNed
00e183b8c6 Merge pull request #169 from openappsec/Jul_31_2024-Dev 
Jul 31st update
 2024-08-01 18:10:44 +03:00
WrightNed
e859c167ed Merge pull request #167 from openappsec/orianelou-crds 
Orianelou crds
 2024-08-01 18:10:11 +03:00
Ned Wright
384b59cc87 Jul 31st update 2024-07-31 17:15:35 +00:00
orianelou
805e958cb9 Create open-appsec-crd-latest.yaml 2024-07-25 12:06:59 +03:00
orianelou
5bcd7cfcf1 Create open-appsec-crd-v1beta2.yaml 2024-07-25 12:05:57 +03:00
orianelou
ae6f2faeec Create open-appsec-crd-v1beta1.yaml 2024-07-25 12:04:22 +03:00
WrightNed
705a5e6061 Merge pull request #166 from openappsec/Jul_23_2024-Dev 
Jul 23rd update
 2024-07-24 16:01:45 +03:00
WrightNed
c33b74a970 Merge pull request #164 from chkp-omris/main 
update intelligence
 2024-07-24 15:54:58 +03:00
chkp-omris
2da9fbc385 update intelligence 2024-07-23 13:15:33 +00:00
Ned Wright
f58e9a6128 Jul 23rd update 2024-07-23 11:08:24 +00:00
WrightNed
57ea5c72c5 Merge pull request #156 from openappsec/Jul_04_2024-Dev 
Jul 4th update
 2024-07-07 08:47:38 +03:00
Ned Wright
962bd31d46 Jul 4th update 2024-07-04 14:10:34 +00:00
WrightNed
01770475ec Merge pull request #153 from openappsec/Jun_26_2024-Dev 
June 27th update
 2024-07-01 11:42:11 +03:00
Ned Wright
78b114a274 June 27th update 2024-06-27 12:05:38 +00:00
WrightNed
81b1aec487 Merge pull request #148 from openappsec/orianelou-new-policy-files 
Orianelou new policy files
 2024-06-19 16:18:41 +03:00
orianelou
be6591a670 Update local_policy.yaml 2024-06-17 13:49:48 +03:00
orianelou
663782009c Update local_policy.yaml 2024-06-17 13:49:18 +03:00
orianelou
9392bbb26c Update local_policy.yaml 2024-06-17 13:49:01 +03:00
orianelou
46682bcdce Update local_policy.yaml 2024-06-17 13:48:39 +03:00
orianelou
057bc42375 Update local_policy.yaml 2024-06-17 13:47:24 +03:00
orianelou
88e0ccd308 Rename open-appsec-k8s-default-config-v1beta21.yaml to open-appsec-k8s-default-config-v1beta1.yaml 2024-06-17 13:45:02 +03:00
orianelou
4241b9c574 Create open-appsec-k8s-prevent-config-v1beta2.yaml 2024-06-17 13:44:45 +03:00
orianelou
4af9f18ada Create open-appsec-k8s-default-config-v1beta2.yaml 2024-06-17 13:44:25 +03:00
orianelou
3b533608b1 Create open-appsec-k8s-prevent-config-v1beta1.yaml 2024-06-17 13:42:13 +03:00
orianelou
74bb3086ec Create open-appsec-k8s-default-config-v1beta21.yaml 2024-06-17 13:41:29 +03:00
orianelou
504d1415a5 Create local_policy.yaml 2024-06-17 13:39:40 +03:00
orianelou
18b1b63c42 Create local_policy.yaml 2024-06-17 13:38:31 +03:00
orianelou
ded2a5ffc2 Create local_policy.yaml 2024-06-17 13:36:23 +03:00
orianelou
1254bb37b2 Create local_policy.yaml 2024-06-17 13:34:35 +03:00
orianelou
cf16343caa Create open-appsec-k8s-prevent-config-v1beta2.yaml 2024-06-16 10:56:16 +03:00
orianelou
78c4209406 Rename config/k8s/v1beta2/default/open-appsec-k8s-default-config-v1beta2.yaml to config/k8s/v1beta2/open-appsec-k8s-default-config-v1beta2.yaml 2024-06-16 10:55:23 +03:00
orianelou
3c8672c565 Rename config/k8s/v1beta2/open-appsec-k8s-default-config-v1beta2.yaml to config/k8s/v1beta2/default/open-appsec-k8s-default-config-v1beta2.yaml 2024-06-16 10:54:05 +03:00
orianelou
48d6baed3b Rename config/linux/v1beta2/local_policy.yaml to config/linux/v1beta2/default/local_policy.yaml 2024-06-16 10:44:39 +03:00
orianelou
8770257a60 Create local_policy.yaml for linux prevent 2024-06-16 10:44:21 +03:00
Ned Wright
fd5d093b24 Add --no-upgrade option to docker 2024-06-03 14:19:41 +00:00
WrightNed
d6debf8d8d Merge pull request #141 from openappsec/May_27_2024-Dev 
May 27 2024 dev
 2024-06-02 10:15:10 +03:00
Ned Wright
395b754575 Add dammy get-cloud-metadata.sh script 2024-05-29 11:01:17 +00:00
Ned Wright
dc000372c4 Turn on optimization by default 2024-05-27 12:05:16 +00:00
Ned Wright
941c641174 Change cloud default logging 2024-05-27 11:56:05 +00:00
Ned Wright
fdc148aa9b May 27 update 2024-05-27 09:05:33 +00:00
orianelou
307fd8897d Rename config/k8s/open-appsec-k8s-default-config-v1beta2.yaml to config/k8s/v1beta2/open-appsec-k8s-default-config-v1beta2.yaml 2024-05-21 15:24:55 +03:00
orianelou
afd2b4930b Create open-appsec-k8s-default-config-v1beta2.yaml 2024-05-21 15:24:33 +03:00
orianelou
1fb9a29223 Create local_policy.yaml 2024-05-21 15:22:54 +03:00
WrightNed
253ca70de6 Merge pull request #136 from chkp-omris/main 
Update agent-intelligence-service package
 2024-05-19 15:30:22 +03:00
chkp-omris
938f625535 Merge branch 'openappsec:main' into main 2024-05-19 15:21:46 +03:00
chkp-omris
183d14fc55 Update agent-intelligence-service package 2024-05-19 12:21:10 +00:00
WrightNed
1f3d4ed5e1 Merge pull request #135 from openappsec/Apr_21_2024-Dev 
Apr 21 2024 dev
 2024-05-19 11:08:26 +03:00
WrightNed
fdbd6d3786 Merge pull request #115 from openappsec/orianelou-patch-3 
Update docker-compose.yaml
 2024-05-19 11:07:22 +03:00
Ned Wright
4504138a4a Change all deployments to embedded 2024-04-22 09:46:50 +00:00
Ned Wright
66ed4a8d81 April 21th 2024 update 2024-04-21 13:57:46 +00:00
WrightNed
189c9209c9 Merge pull request #122 from openappsec/Apr_14_2024-Dev 
Apr 14 2024 dev
 2024-04-17 12:40:41 +03:00
Ned Wright
1a1580081c Add watchdog changes 2024-04-16 14:06:43 +00:00
Ned Wright
942b2ef8b4 2024 April 14th update 2024-04-14 12:55:54 +00:00
Ned Wright
7a7f65a77a Detect docker on http transaction installation 2024-04-14 11:28:53 +00:00
Ned Wright
98639d9cb6 configuration loading changes 2024-04-04 17:11:06 +00:00
Ned Wright
b3de81d9d9 Updating orchestration_package.sh 2024-03-31 08:48:55 +00:00
Ned Wright
a77fd9a6d0 Remove old data 2024-03-27 14:30:40 +00:00
Ned Wright
8454b2dd9b Open Appsec helm chart automation Wed Mar 27 16:27:33 IST 2024 latest 2024-03-27 16:27:33 +02:00
Ned Wright
3913e1e8b3 Update entry.sh 2024-03-26 16:05:23 +00:00
WrightNed
262b2e59ff Merge pull request #117 from openappsec/Mar_21_2024-Dev 
Mar 21 2024 dev
 2024-03-26 13:53:49 +02:00
Ned Wright
a01c65994a Edit components/security_apps/layer_7_access_control/layer_7_access_control.cc 2024-03-25 14:53:52 +00:00
WrightNed
1d13973ae2 Update entry.sh 2024-03-25 15:56:00 +02:00
Ned Wright
c20fa9f966 Mar 21st 2024 update 2024-03-21 15:31:38 +00:00
orianelou
ecbb34bc17 Update docker-compose.yaml 
changes comment type
 2024-03-21 11:24:12 +02:00
WrightNed
0d22790ebe Merge pull request #113 from openappsec/WrightNed-patch-1 
Update orchestration_package.sh
 2024-03-12 13:02:27 +02:00
WrightNed
9f86c4607e Update orchestration_package.sh 2024-03-12 13:01:44 +02:00
WrightNed
0e47ed8595 Merge pull request #110 from openappsec/Feb_28_2024 
Feb 28 2024
 2024-03-10 15:23:57 +02:00
Ned Wright
42b0bf2981 Fix typo 2024-03-10 13:21:51 +00:00
Ned Wright
75b40933ec Change default to log to cloud 2024-02-28 18:27:39 +00:00
Ned Wright
b795661328 Moving yq to be taken from environment 2024-02-28 15:04:14 +00:00
Ned Wright
eb509dfa85 Moving yq to be taken from environment 2024-02-28 14:09:18 +00:00
WrightNed
ec834aeafb Merge pull request #106 from openappsec/orianelou-patch-apisix 
Orianelou patch apisix
 2024-02-26 10:52:27 +02:00
orianelou
2c9ec1e48c Delete apisix directory 2024-02-26 10:50:43 +02:00
orianelou
55b5973c15 Create docker-compose.yaml 2024-02-26 10:50:16 +02:00
orianelou
63b5a63ded Create apisix-standalone.yaml 2024-02-26 10:49:23 +02:00
orianelou
b08047cc33 Create apisix-standalone.yaml: 2024-02-25 11:41:04 +02:00
orianelou
328808c15f Create docker-compose.yaml 2024-02-25 11:40:12 +02:00
WrightNed
c255621cd6 Merge pull request #94 from bmbeverst/fix_tests 
Fix new helm-unittest tests
 2024-02-22 14:24:37 +02:00
Ned Wright
3afc4acfc5 open-appsec helm chart update Mon Feb 19 17:27:50 IST 2024 2024-02-19 17:27:50 +02:00
WrightNed
4e6ed5734a Merge pull request #104 from openappsec/Feb_13_2024 
Feb 13 2024
 2024-02-18 13:52:06 +02:00
WrightNed
102a0308c2 Fix getenforce redirection 2024-02-18 13:51:09 +02:00
Ned Wright
2fa866d1c5 Declarative when connected to management improvements 2024-02-14 16:31:44 +00:00
Ned Wright
8479ad58ed Remove package parameters 2024-02-14 16:10:29 +00:00
WrightNed
e9c36c3bbf Merge pull request #102 from openappsec/main 
Rebase
 2024-02-13 22:10:05 +02:00
WrightNed
ee2c098995 Merge pull request #98 from benjja/main 
Log file couldn't be created
 2024-02-13 22:06:13 +02:00
Ned Wright
4def79504e open-appsec helm chart update Mon Feb 12 17:56:07 IST 2024 2024-02-12 17:56:07 +02:00
WrightNed
636e667e85 Merge pull request #99 from openappsec/Feb_06_2024-Dev 
Feb 06 2024 dev
 2024-02-08 20:00:57 +02:00
Benjamin Richter
caa9623d0a Merge pull request #1 from benjja/benjja-log-file-creation 
Add missing slash
 2024-02-05 00:10:13 +01:00
Benjamin Richter
f06600605a Add missing slash 
Because of the missing slash, it was not possible to create the log file.
 2024-02-05 00:08:13 +01:00
Brooks Beverstock
aa8cfd1b2a fix: Set kind to Vanilla in ingress-nginx tests, so they pass. 2024-01-24 17:07:35 -05:00
Brooks Beverstock
5452d68f9b fix: Rename expected test name due to chart name change, from ingress-nginx to open-appsec-k8s-nginx-ingress. 2024-01-24 17:06:53 -05:00
940 changed files with 174564 additions and 123110 deletions
Expand all files Collapse all files

2
CMakeLists.txt
View File

@@ -1,7 +1,7 @@
cmake_minimum_required (VERSION 2.8.4)
project (ngen)
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fPIC -Wall -Wno-terminate")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -O2 -fPIC -Wall -Wno-terminate")
execute_process(COMMAND grep -c "Alpine Linux" /etc/os-release OUTPUT_VARIABLE IS_ALPINE)
if(NOT IS_ALPINE EQUAL "0")

7
README.md
View File

@@ -74,7 +74,7 @@ For Linux, if youve built your own package use the following commands:
```bash
$ install-cp-nano-agent.sh --install --hybrid_mode
$ install-cp-nano-service-http-transaction-handler.sh install
$ install-cp-nano-service-http-transaction-handler.sh --install
$ install-cp-nano-attachment-registration-manager.sh --install
```
You can add the ```--token <token>``` and ```--email <email address>``` options to the first command, to get a token follow [documentation](https://docs.openappsec.io/getting-started/using-the-web-ui-saas/connect-deployed-agents-to-saas-management-k8s-and-linux).
@@ -96,7 +96,7 @@ open-appsec GitHub includes four main repositories:
## Installing external dependencies
Before compiling the services, you'll need to ensure the latest development versions of the following libraries:
Before compiling the services, you'll need to ensure the latest development versions of the following libraries and tools:
* Boost
* OpenSSL
* PCRE2
@@ -107,12 +107,13 @@ Before compiling the services, you'll need to ensure the latest development vers
* Redis
* Hiredis
* MaxmindDB
* yq
An example of installing the packages on Alpine:
```bash
$ apk update
$ apk add boost-dev openssl-dev pcre2-dev libxml2-dev gtest-dev curl-dev hiredis-dev redis libmaxminddb-dev
$ apk add boost-dev openssl-dev pcre2-dev libxml2-dev gtest-dev curl-dev hiredis-dev redis libmaxminddb-dev yq
```
## Compiling and packaging the agent code

18
attachments/nginx/nginx_attachment_util/nginx_attachment_util.cc
View File

@@ -155,6 +155,24 @@ getWaitingForVerdictThreadTimeout()
return conf_data.getNumericalValue("waiting_for_verdict_thread_timeout_msec");
}
unsigned int
getMinRetriesForVerdict()
{
return conf_data.getNumericalValue("min_retries_for_verdict");
}
unsigned int
getMaxRetriesForVerdict()
{
return conf_data.getNumericalValue("max_retries_for_verdict");
}
unsigned int
getReqBodySizeTrigger()
{
return conf_data.getNumericalValue("body_size_trigger");
}
int
isIPAddress(c_str ip_str)
{

36
attachments/nginx/nginx_attachment_util/nginx_attachment_util_ut/nginx_attachment_util_ut.cc
View File

@@ -63,31 +63,37 @@ TEST_F(HttpAttachmentUtilTest, GetValidAttachmentConfiguration)
"\"waiting_for_verdict_thread_timeout_msec\": 75,\n"
"\"req_header_thread_timeout_msec\": 10,\n"
"\"ip_ranges\": " + createIPRangesString(ip_ranges) + ",\n"
"\"static_resources_path\": \"" + static_resources_path + "\""
"\"static_resources_path\": \"" + static_resources_path + "\",\n"
"\"min_retries_for_verdict\": 1,\n"
"\"max_retries_for_verdict\": 3,\n"
"\"body_size_trigger\": 777\n"
"}\n";
ofstream valid_configuration_file(attachment_configuration_file_name);
valid_configuration_file << valid_configuration;
valid_configuration_file.close();
EXPECT_EQ(initAttachmentConfig(attachment_configuration_file_name.c_str()), 1);
EXPECT_EQ(getDbgLevel(), 2);
EXPECT_EQ(getDbgLevel(), 2u);
EXPECT_EQ(getStaticResourcesPath(), static_resources_path);
EXPECT_EQ(isFailOpenMode(), 0);
EXPECT_EQ(getFailOpenTimeout(), 1234);
EXPECT_EQ(getFailOpenTimeout(), 1234u);
EXPECT_EQ(isFailOpenHoldMode(), 1);
EXPECT_EQ(getFailOpenHoldTimeout(), 4321);
EXPECT_EQ(getFailOpenHoldTimeout(), 4321u);
EXPECT_EQ(isFailOpenOnSessionLimit(), 1);
EXPECT_EQ(getMaxSessionsPerMinute(), 0);
EXPECT_EQ(getNumOfNginxIpcElements(), 200);
EXPECT_EQ(getKeepAliveIntervalMsec(), 10000);
EXPECT_EQ(getResProccessingTimeout(), 420);
EXPECT_EQ(getReqProccessingTimeout(), 42);
EXPECT_EQ(getRegistrationThreadTimeout(), 101);
EXPECT_EQ(getReqHeaderThreadTimeout(), 10);
EXPECT_EQ(getReqBodyThreadTimeout(), 155);
EXPECT_EQ(getResHeaderThreadTimeout(), 1);
EXPECT_EQ(getResBodyThreadTimeout(), 0);
EXPECT_EQ(getWaitingForVerdictThreadTimeout(), 75);
EXPECT_EQ(getMaxSessionsPerMinute(), 0u);
EXPECT_EQ(getNumOfNginxIpcElements(), 200u);
EXPECT_EQ(getKeepAliveIntervalMsec(), 10000u);
EXPECT_EQ(getResProccessingTimeout(), 420u);
EXPECT_EQ(getReqProccessingTimeout(), 42u);
EXPECT_EQ(getRegistrationThreadTimeout(), 101u);
EXPECT_EQ(getReqHeaderThreadTimeout(), 10u);
EXPECT_EQ(getReqBodyThreadTimeout(), 155u);
EXPECT_EQ(getResHeaderThreadTimeout(), 1u);
EXPECT_EQ(getResBodyThreadTimeout(), 0u);
EXPECT_EQ(getMinRetriesForVerdict(), 1u);
EXPECT_EQ(getMaxRetriesForVerdict(), 3u);
EXPECT_EQ(getReqBodySizeTrigger(), 777u);
EXPECT_EQ(getWaitingForVerdictThreadTimeout(), 75u);
EXPECT_EQ(getInspectionMode(), ngx_http_inspection_mode::BLOCKING_THREAD);
EXPECT_EQ(isDebugContext("1.2.3.4", "5.6.7.8", 80, "GET", "test", "/abc"), 1);

11
build_system/apisix/apisix-standalone.yaml Normal file
View File

@@ -0,0 +1,11 @@
# example local declarative configuration file for apisix in standalone mode
routes:
-
uri: /anything
upstream:
nodes:
"httpbin.org:80": 1
type: roundrobin
#END

46
build_system/apisix/docker-compose.yaml Normal file
View File

@@ -0,0 +1,46 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
version: "3"
services:
apisix:
container_name: apisix
image: "ghcr.io/openappsec/apisix-attachment:latest"
ipc: host
restart: always
volumes:
- ./apisix-localconfig/apisix-standalone.yaml:/usr/local/apisix/conf/apisix.yaml:ro
environment:
- APISIX_STAND_ALONE=true
ports:
- "9180:9180/tcp"
- "9080:9080/tcp"
- "9091:9091/tcp"
- "9443:9443/tcp"
appsec-agent:
container_name: appsec-agent
image: 'ghcr.io/openappsec/agent:latest'
ipc: host
restart: unless-stopped
environment:
# adjust with your own email below
- user_email=user@email.com
- registered_server="APISIX Server"
volumes:
- ./appsec-config:/etc/cp/conf
- ./appsec-data:/etc/cp/data
- ./appsec-logs:/var/log/nano_agent
- ./appsec-localconfig:/ext/appsec
command: /cp-nano-agent --standalone

6
build_system/charts/open-appsec-k8s-nginx-ingress/Chart.lock Normal file
View File

@@ -0,0 +1,6 @@
dependencies:
- name: postgresql
repository: https://charts.bitnami.com/bitnami
version: 12.2.8
digest: sha256:0d13b8b0c66b8e18781eac510ce58b069518ff14a6a15ad90375e7f0ffad71fe
generated: "2024-03-26T14:53:49.928153508Z"

14
build_system/charts/open-appsec-k8s-nginx-ingress/Chart.yaml
View File

@@ -1,13 +1,13 @@
annotations:
artifacthub.io/changes: |-
- "Add controller.metrics.serviceMonitor.annotations in Helm chart"
- "fix(labels): use complete labels variable on default-backend deployment"
- "chart: allow setting allocateLoadBalancerNodePorts (#10693)"
- "[release-1.9] feat(helm): add documentation about metric args (#10695)"
- "Update Ingress-Nginx version controller-v1.9.5"
artifacthub.io/changes: '- "Update Ingress-Nginx version controller-v1.10.0"'
artifacthub.io/prerelease: "false"
apiVersion: v2
appVersion: latest
dependencies:
- condition: appsec.tuning.enabled
name: postgresql
repository: https://charts.bitnami.com/bitnami
version: 12.2.8
keywords:
- ingress
- nginx
@@ -15,4 +15,4 @@ kubeVersion: '>=1.20.0-0'
name: open-appsec-k8s-nginx-ingress
sources:
- https://github.com/kubernetes/ingress-nginx
version: 4.9.0
version: 4.10.0

12
build_system/charts/open-appsec-k8s-nginx-ingress/README.md
View File

@@ -2,7 +2,7 @@
[ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
![Version: 4.9.0](https://img.shields.io/badge/Version-4.9.0-informational?style=flat-square) ![AppVersion: 1.9.5](https://img.shields.io/badge/AppVersion-1.9.5-informational?style=flat-square)
![Version: 4.10.0](https://img.shields.io/badge/Version-4.10.0-informational?style=flat-square) ![AppVersion: 1.10.0](https://img.shields.io/badge/AppVersion-1.10.0-informational?style=flat-square)
To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
@@ -253,11 +253,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.admissionWebhooks.namespaceSelector | object | `{}` | |
| controller.admissionWebhooks.objectSelector | object | `{}` | |
| controller.admissionWebhooks.patch.enabled | bool | `true` | |
| controller.admissionWebhooks.patch.image.digest | string | `"sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80"` | |
| controller.admissionWebhooks.patch.image.digest | string | `"sha256:44d1d0e9f19c63f58b380c5fddaca7cf22c7cee564adeff365225a5df5ef3334"` | |
| controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | |
| controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | |
| controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | |
| controller.admissionWebhooks.patch.image.tag | string | `"v20231011-8b53cabe0"` | |
| controller.admissionWebhooks.patch.image.tag | string | `"v1.4.0"` | |
| controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources |
| controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
| controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | |
@@ -317,8 +317,8 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.hostname | object | `{}` | Optionally customize the pod hostname. |
| controller.image.allowPrivilegeEscalation | bool | `false` | |
| controller.image.chroot | bool | `false` | |
| controller.image.digest | string | `"sha256:b3aba22b1da80e7acfc52b115cae1d4c687172cbf2b742d5b502419c25ff340e"` | |
| controller.image.digestChroot | string | `"sha256:9a8d7b25a846a6461cd044b9aea9cf6cad972bcf2e64d9fd246c0279979aad2d"` | |
| controller.image.digest | string | `"sha256:42b3f0e5d0846876b1791cd3afeb5f1cbbe4259d6f35651dcc1b5c980925379c"` | |
| controller.image.digestChroot | string | `"sha256:7eb46ff733429e0e46892903c7394aff149ac6d284d92b3946f3baf7ff26a096"` | |
| controller.image.image | string | `"ingress-nginx/controller"` | |
| controller.image.pullPolicy | string | `"IfNotPresent"` | |
| controller.image.readOnlyRootFilesystem | bool | `false` | |
@@ -326,7 +326,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.image.runAsNonRoot | bool | `true` | |
| controller.image.runAsUser | int | `101` | |
| controller.image.seccompProfile.type | string | `"RuntimeDefault"` | |
| controller.image.tag | string | `"v1.9.5"` | |
| controller.image.tag | string | `"v1.10.0"` | |
| controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation |
| controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
| controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass |

9
build_system/charts/open-appsec-k8s-nginx-ingress/changelog/helm-chart-4.10.0.md Normal file
View File

@@ -0,0 +1,9 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.10.0
* - "Update Ingress-Nginx version controller-v1.10.0"
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.9.1...helm-chart-4.10.0

10
build_system/charts/open-appsec-k8s-nginx-ingress/changelog/helm-chart-4.9.1.md Normal file
View File

@@ -0,0 +1,10 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.9.1
* - "update web hook cert gen to latest release v20231226-1a7112e06"
* - "Update Ingress-Nginx version controller-v1.9.6"
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.9.0...helm-chart-4.9.1

21
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/.helmignore Normal file
View File

@@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

6
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/Chart.lock Normal file
View File

@@ -0,0 +1,6 @@
dependencies:
- name: common
repository: https://charts.bitnami.com/bitnami
version: 2.2.4
digest: sha256:634d19e9b7f6e4c07d7c04a0161ab96b3f83335ebdd70b35b952319ef0a2586b
generated: "2023-03-14T07:26:55.449518929Z"

31
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/Chart.yaml Normal file
View File

@@ -0,0 +1,31 @@
annotations:
category: Database
licenses: Apache-2.0
apiVersion: v2
appVersion: 15.2.0
dependencies:
- name: common
repository: https://charts.bitnami.com/bitnami
tags:
- bitnami-common
version: 2.x.x
description: PostgreSQL (Postgres) is an open source object-relational database known
for reliability and data integrity. ACID-compliant, it supports foreign keys, joins,
views, triggers and stored procedures.
home: https://github.com/bitnami/charts/tree/main/bitnami/postgresql
icon: https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-220x234.png
keywords:
- postgresql
- postgres
- database
- sql
- replication
- cluster
maintainers:
- name: Bitnami
url: https://github.com/bitnami/charts
name: postgresql
sources:
- https://github.com/bitnami/containers/tree/main/bitnami/postgresql
- https://www.postgresql.org/
version: 12.2.8

685
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/README.md Normal file
View File

@@ -0,0 +1,685 @@
<!--- app-name: PostgreSQL -->
# PostgreSQL packaged by Bitnami
PostgreSQL (Postgres) is an open source object-relational database known for reliability and data integrity. ACID-compliant, it supports foreign keys, joins, views, triggers and stored procedures.
[Overview of PostgreSQL](http://www.postgresql.org)
Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.
## TL;DR
```console
helm repo add my-repo https://charts.bitnami.com/bitnami
helm install my-release my-repo/postgresql
```
## Introduction
This chart bootstraps a [PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
For HA, please see [this repo](https://github.com/bitnami/charts/tree/main/bitnami/postgresql-ha)
Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
## Prerequisites
- Kubernetes 1.19+
- Helm 3.2.0+
- PV provisioner support in the underlying infrastructure
## Installing the Chart
To install the chart with the release name `my-release`:
```console
helm repo add my-repo https://charts.bitnami.com/bitnami
helm install my-release my-repo/postgresql
```
The command deploys PostgreSQL on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
> **Tip**: List all releases using `helm list`
## Uninstalling the Chart
To uninstall/delete the `my-release` deployment:
```console
helm delete my-release
```
The command removes all the Kubernetes components but PVC's associated with the chart and deletes the release.
To delete the PVC's associated with `my-release`:
```console
kubectl delete pvc -l release=my-release
```
> **Note**: Deleting the PVC's will delete postgresql data as well. Please be cautious before doing it.
## Parameters
### Global parameters
| Name | Description | Value |
| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----- |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
| `global.postgresql.auth.postgresPassword` | Password for the "postgres" admin user (overrides `auth.postgresPassword`) | `""` |
| `global.postgresql.auth.username` | Name for a custom user to create (overrides `auth.username`) | `""` |
| `global.postgresql.auth.password` | Password for the custom user to create (overrides `auth.password`) | `""` |
| `global.postgresql.auth.database` | Name for a custom database to create (overrides `auth.database`) | `""` |
| `global.postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`). | `""` |
| `global.postgresql.auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
| `global.postgresql.auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
| `global.postgresql.auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
| `global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `""` |
### Common parameters
| Name | Description | Value |
| ------------------------ | -------------------------------------------------------------------------------------------- | --------------- |
| `kubeVersion` | Override Kubernetes version | `""` |
| `nameOverride` | String to partially override common.names.fullname template (will maintain the release name) | `""` |
| `fullnameOverride` | String to fully override common.names.fullname template | `""` |
| `clusterDomain` | Kubernetes Cluster Domain | `cluster.local` |
| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template) | `[]` |
| `commonLabels` | Add labels to all the deployed resources | `{}` |
| `commonAnnotations` | Add annotations to all the deployed resources | `{}` |
| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` |
| `diagnosticMode.command` | Command to override all containers in the statefulset | `["sleep"]` |
| `diagnosticMode.args` | Args to override all containers in the statefulset | `["infinity"]` |
### PostgreSQL common parameters
| Name | Description | Value |
| ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
| `image.registry` | PostgreSQL image registry | `docker.io` |
| `image.repository` | PostgreSQL image repository | `bitnami/postgresql` |
| `image.tag` | PostgreSQL image tag (immutable tags are recommended) | `15.2.0-debian-11-r21` |
| `image.digest` | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `image.pullPolicy` | PostgreSQL image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Specify image pull secrets | `[]` |
| `image.debug` | Specify if debug values should be set | `false` |
| `auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `true` |
| `auth.postgresPassword` | Password for the "postgres" admin user. Ignored if `auth.existingSecret` is provided | `""` |
| `auth.username` | Name for a custom user to create | `""` |
| `auth.password` | Password for the custom user to create. Ignored if `auth.existingSecret` is provided | `""` |
| `auth.database` | Name for a custom database to create | `""` |
| `auth.replicationUsername` | Name of the replication user | `repl_user` |
| `auth.replicationPassword` | Password for the replication user. Ignored if `auth.existingSecret` is provided | `""` |
| `auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials. `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret. The secret might also contains the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and picked from this secret in this case. | `""` |
| `auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `postgres-password` |
| `auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `password` |
| `auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `replication-password` |
| `auth.usePasswordFiles` | Mount credentials as a files instead of using an environment variable | `false` |
| `architecture` | PostgreSQL architecture (`standalone` or `replication`) | `standalone` |
| `replication.synchronousCommit` | Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` | `off` |
| `replication.numSynchronousReplicas` | Number of replicas that will have synchronous replication. Note: Cannot be greater than `readReplicas.replicaCount`. | `0` |
| `replication.applicationName` | Cluster application name. Useful for advanced replication settings | `my_application` |
| `containerPorts.postgresql` | PostgreSQL container port | `5432` |
| `audit.logHostname` | Log client hostnames | `false` |
| `audit.logConnections` | Add client log-in operations to the log file | `false` |
| `audit.logDisconnections` | Add client log-outs operations to the log file | `false` |
| `audit.pgAuditLog` | Add operations to log using the pgAudit extension | `""` |
| `audit.pgAuditLogCatalog` | Log catalog using pgAudit | `off` |
| `audit.clientMinMessages` | Message log level to share with the user | `error` |
| `audit.logLinePrefix` | Template for log line prefix (default if not set) | `""` |
| `audit.logTimezone` | Timezone for the log timestamps | `""` |
| `ldap.enabled` | Enable LDAP support | `false` |
| `ldap.server` | IP address or name of the LDAP server. | `""` |
| `ldap.port` | Port number on the LDAP server to connect to | `""` |
| `ldap.prefix` | String to prepend to the user name when forming the DN to bind | `""` |
| `ldap.suffix` | String to append to the user name when forming the DN to bind | `""` |
| `ldap.basedn` | Root DN to begin the search for the user in | `""` |
| `ldap.binddn` | DN of user to bind to LDAP | `""` |
| `ldap.bindpw` | Password for the user to bind to LDAP | `""` |
| `ldap.searchAttribute` | Attribute to match against the user name in the search | `""` |
| `ldap.searchFilter` | The search filter to use when doing search+bind authentication | `""` |
| `ldap.scheme` | Set to `ldaps` to use LDAPS | `""` |
| `ldap.tls.enabled` | Se to true to enable TLS encryption | `false` |
| `ldap.uri` | LDAP URL beginning in the form `ldap[s]://host[:port]/basedn`. If provided, all the other LDAP parameters will be ignored. | `""` |
| `postgresqlDataDir` | PostgreSQL data dir folder | `/bitnami/postgresql/data` |
| `postgresqlSharedPreloadLibraries` | Shared preload libraries (comma-separated list) | `pgaudit` |
| `shmVolume.enabled` | Enable emptyDir volume for /dev/shm for PostgreSQL pod(s) | `true` |
| `shmVolume.sizeLimit` | Set this to enable a size limit on the shm tmpfs | `""` |
| `tls.enabled` | Enable TLS traffic support | `false` |
| `tls.autoGenerated` | Generate automatically self-signed TLS certificates | `false` |
| `tls.preferServerCiphers` | Whether to use the server's TLS cipher preferences rather than the client's | `true` |
| `tls.certificatesSecret` | Name of an existing secret that contains the certificates | `""` |
| `tls.certFilename` | Certificate filename | `""` |
| `tls.certKeyFilename` | Certificate key filename | `""` |
| `tls.certCAFilename` | CA Certificate filename | `""` |
| `tls.crlFilename` | File containing a Certificate Revocation List | `""` |
### PostgreSQL Primary parameters
| Name | Description | Value |
| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------------- |
| `primary.name` | Name of the primary database (eg primary, master, leader, ...) | `primary` |
| `primary.configuration` | PostgreSQL Primary main configuration to be injected as ConfigMap | `""` |
| `primary.pgHbaConfiguration` | PostgreSQL Primary client authentication configuration | `""` |
| `primary.existingConfigmap` | Name of an existing ConfigMap with PostgreSQL Primary configuration | `""` |
| `primary.extendedConfiguration` | Extended PostgreSQL Primary configuration (appended to main or default configuration) | `""` |
| `primary.existingExtendedConfigmap` | Name of an existing ConfigMap with PostgreSQL Primary extended configuration | `""` |
| `primary.initdb.args` | PostgreSQL initdb extra arguments | `""` |
| `primary.initdb.postgresqlWalDir` | Specify a custom location for the PostgreSQL transaction log | `""` |
| `primary.initdb.scripts` | Dictionary of initdb scripts | `{}` |
| `primary.initdb.scriptsConfigMap` | ConfigMap with scripts to be run at first boot | `""` |
| `primary.initdb.scriptsSecret` | Secret with scripts to be run at first boot (in case it contains sensitive information) | `""` |
| `primary.initdb.user` | Specify the PostgreSQL username to execute the initdb scripts | `""` |
| `primary.initdb.password` | Specify the PostgreSQL password to execute the initdb scripts | `""` |
| `primary.standby.enabled` | Whether to enable current cluster's primary as standby server of another cluster or not | `false` |
| `primary.standby.primaryHost` | The Host of replication primary in the other cluster | `""` |
| `primary.standby.primaryPort` | The Port of replication primary in the other cluster | `""` |
| `primary.extraEnvVars` | Array with extra environment variables to add to PostgreSQL Primary nodes | `[]` |
| `primary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for PostgreSQL Primary nodes | `""` |
| `primary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for PostgreSQL Primary nodes | `""` |
| `primary.command` | Override default container command (useful when using custom images) | `[]` |
| `primary.args` | Override default container args (useful when using custom images) | `[]` |
| `primary.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL Primary containers | `true` |
| `primary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
| `primary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `primary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
| `primary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
| `primary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `primary.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL Primary containers | `true` |
| `primary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
| `primary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
| `primary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
| `primary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
| `primary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `primary.startupProbe.enabled` | Enable startupProbe on PostgreSQL Primary containers | `false` |
| `primary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` |
| `primary.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
| `primary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
| `primary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` |
| `primary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `primary.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `primary.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `primary.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `primary.lifecycleHooks` | for the PostgreSQL Primary container to automate configuration before or after startup | `{}` |
| `primary.resources.limits` | The resources limits for the PostgreSQL Primary containers | `{}` |
| `primary.resources.requests.memory` | The requested memory for the PostgreSQL Primary containers | `256Mi` |
| `primary.resources.requests.cpu` | The requested cpu for the PostgreSQL Primary containers | `250m` |
| `primary.podSecurityContext.enabled` | Enable security context | `true` |
| `primary.podSecurityContext.fsGroup` | Group ID for the pod | `1001` |
| `primary.containerSecurityContext.enabled` | Enable container security context | `true` |
| `primary.containerSecurityContext.runAsUser` | User ID for the container | `1001` |
| `primary.hostAliases` | PostgreSQL primary pods host aliases | `[]` |
| `primary.hostNetwork` | Specify if host network should be enabled for PostgreSQL pod (postgresql primary) | `false` |
| `primary.hostIPC` | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) | `false` |
| `primary.labels` | Map of labels to add to the statefulset (postgresql primary) | `{}` |
| `primary.annotations` | Annotations for PostgreSQL primary pods | `{}` |
| `primary.podLabels` | Map of labels to add to the pods (postgresql primary) | `{}` |
| `primary.podAnnotations` | Map of annotations to add to the pods (postgresql primary) | `{}` |
| `primary.podAffinityPreset` | PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `primary.podAntiAffinityPreset` | PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `primary.nodeAffinityPreset.type` | PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `primary.nodeAffinityPreset.key` | PostgreSQL primary node label key to match Ignored if `primary.affinity` is set. | `""` |
| `primary.nodeAffinityPreset.values` | PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set. | `[]` |
| `primary.affinity` | Affinity for PostgreSQL primary pods assignment | `{}` |
| `primary.nodeSelector` | Node labels for PostgreSQL primary pods assignment | `{}` |
| `primary.tolerations` | Tolerations for PostgreSQL primary pods assignment | `[]` |
| `primary.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` |
| `primary.priorityClassName` | Priority Class to use for each pod (postgresql primary) | `""` |
| `primary.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` |
| `primary.terminationGracePeriodSeconds` | Seconds PostgreSQL primary pod needs to terminate gracefully | `""` |
| `primary.updateStrategy.type` | PostgreSQL Primary statefulset strategy type | `RollingUpdate` |
| `primary.updateStrategy.rollingUpdate` | PostgreSQL Primary statefulset rolling update configuration parameters | `{}` |
| `primary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the PostgreSQL Primary container(s) | `[]` |
| `primary.extraVolumes` | Optionally specify extra list of additional volumes for the PostgreSQL Primary pod(s) | `[]` |
| `primary.sidecars` | Add additional sidecar containers to the PostgreSQL Primary pod(s) | `[]` |
| `primary.initContainers` | Add additional init containers to the PostgreSQL Primary pod(s) | `[]` |
| `primary.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL Primary pod(s) | `{}` |
| `primary.service.type` | Kubernetes Service type | `ClusterIP` |
| `primary.service.ports.postgresql` | PostgreSQL service port | `5432` |
| `primary.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` |
| `primary.service.clusterIP` | Static clusterIP or None for headless services | `""` |
| `primary.service.annotations` | Annotations for PostgreSQL primary service | `{}` |
| `primary.service.loadBalancerIP` | Load balancer IP if service type is `LoadBalancer` | `""` |
| `primary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` |
| `primary.service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` |
| `primary.service.extraPorts` | Extra ports to expose in the PostgreSQL primary service | `[]` |
| `primary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
| `primary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `primary.service.headless.annotations` | Additional custom annotations for headless PostgreSQL primary service | `{}` |
| `primary.persistence.enabled` | Enable PostgreSQL Primary data persistence using PVC | `true` |
| `primary.persistence.existingClaim` | Name of an existing PVC to use | `""` |
| `primary.persistence.mountPath` | The path the volume will be mounted at | `/bitnami/postgresql` |
| `primary.persistence.subPath` | The subdirectory of the volume to mount to | `""` |
| `primary.persistence.storageClass` | PVC Storage Class for PostgreSQL Primary data volume | `""` |
| `primary.persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `["ReadWriteOnce"]` |
| `primary.persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` |
| `primary.persistence.annotations` | Annotations for the PVC | `{}` |
| `primary.persistence.labels` | Labels for the PVC | `{}` |
| `primary.persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` |
| `primary.persistence.dataSource` | Custom PVC data source | `{}` |
### PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`)
| Name | Description | Value |
| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------------- |
| `readReplicas.name` | Name of the read replicas database (eg secondary, slave, ...) | `read` |
| `readReplicas.replicaCount` | Number of PostgreSQL read only replicas | `1` |
| `readReplicas.extendedConfiguration` | Extended PostgreSQL read only replicas configuration (appended to main or default configuration) | `""` |
| `readReplicas.extraEnvVars` | Array with extra environment variables to add to PostgreSQL read only nodes | `[]` |
| `readReplicas.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for PostgreSQL read only nodes | `""` |
| `readReplicas.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for PostgreSQL read only nodes | `""` |
| `readReplicas.command` | Override default container command (useful when using custom images) | `[]` |
| `readReplicas.args` | Override default container args (useful when using custom images) | `[]` |
| `readReplicas.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL read only containers | `true` |
| `readReplicas.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
| `readReplicas.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `readReplicas.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
| `readReplicas.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
| `readReplicas.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `readReplicas.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL read only containers | `true` |
| `readReplicas.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
| `readReplicas.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
| `readReplicas.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
| `readReplicas.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
| `readReplicas.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `readReplicas.startupProbe.enabled` | Enable startupProbe on PostgreSQL read only containers | `false` |
| `readReplicas.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` |
| `readReplicas.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
| `readReplicas.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
| `readReplicas.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` |
| `readReplicas.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `readReplicas.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `readReplicas.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `readReplicas.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `readReplicas.lifecycleHooks` | for the PostgreSQL read only container to automate configuration before or after startup | `{}` |
| `readReplicas.resources.limits` | The resources limits for the PostgreSQL read only containers | `{}` |
| `readReplicas.resources.requests.memory` | The requested memory for the PostgreSQL read only containers | `256Mi` |
| `readReplicas.resources.requests.cpu` | The requested cpu for the PostgreSQL read only containers | `250m` |
| `readReplicas.podSecurityContext.enabled` | Enable security context | `true` |
| `readReplicas.podSecurityContext.fsGroup` | Group ID for the pod | `1001` |
| `readReplicas.containerSecurityContext.enabled` | Enable container security context | `true` |
| `readReplicas.containerSecurityContext.runAsUser` | User ID for the container | `1001` |
| `readReplicas.hostAliases` | PostgreSQL read only pods host aliases | `[]` |
| `readReplicas.hostNetwork` | Specify if host network should be enabled for PostgreSQL pod (PostgreSQL read only) | `false` |
| `readReplicas.hostIPC` | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) | `false` |
| `readReplicas.labels` | Map of labels to add to the statefulset (PostgreSQL read only) | `{}` |
| `readReplicas.annotations` | Annotations for PostgreSQL read only pods | `{}` |
| `readReplicas.podLabels` | Map of labels to add to the pods (PostgreSQL read only) | `{}` |
| `readReplicas.podAnnotations` | Map of annotations to add to the pods (PostgreSQL read only) | `{}` |
| `readReplicas.podAffinityPreset` | PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `readReplicas.podAntiAffinityPreset` | PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `readReplicas.nodeAffinityPreset.type` | PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `readReplicas.nodeAffinityPreset.key` | PostgreSQL read only node label key to match Ignored if `primary.affinity` is set. | `""` |
| `readReplicas.nodeAffinityPreset.values` | PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set. | `[]` |
| `readReplicas.affinity` | Affinity for PostgreSQL read only pods assignment | `{}` |
| `readReplicas.nodeSelector` | Node labels for PostgreSQL read only pods assignment | `{}` |
| `readReplicas.tolerations` | Tolerations for PostgreSQL read only pods assignment | `[]` |
| `readReplicas.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` |
| `readReplicas.priorityClassName` | Priority Class to use for each pod (PostgreSQL read only) | `""` |
| `readReplicas.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` |
| `readReplicas.terminationGracePeriodSeconds` | Seconds PostgreSQL read only pod needs to terminate gracefully | `""` |
| `readReplicas.updateStrategy.type` | PostgreSQL read only statefulset strategy type | `RollingUpdate` |
| `readReplicas.updateStrategy.rollingUpdate` | PostgreSQL read only statefulset rolling update configuration parameters | `{}` |
| `readReplicas.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the PostgreSQL read only container(s) | `[]` |
| `readReplicas.extraVolumes` | Optionally specify extra list of additional volumes for the PostgreSQL read only pod(s) | `[]` |
| `readReplicas.sidecars` | Add additional sidecar containers to the PostgreSQL read only pod(s) | `[]` |
| `readReplicas.initContainers` | Add additional init containers to the PostgreSQL read only pod(s) | `[]` |
| `readReplicas.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL read only pod(s) | `{}` |
| `readReplicas.service.type` | Kubernetes Service type | `ClusterIP` |
| `readReplicas.service.ports.postgresql` | PostgreSQL service port | `5432` |
| `readReplicas.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` |
| `readReplicas.service.clusterIP` | Static clusterIP or None for headless services | `""` |
| `readReplicas.service.annotations` | Annotations for PostgreSQL read only service | `{}` |
| `readReplicas.service.loadBalancerIP` | Load balancer IP if service type is `LoadBalancer` | `""` |
| `readReplicas.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` |
| `readReplicas.service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` |
| `readReplicas.service.extraPorts` | Extra ports to expose in the PostgreSQL read only service | `[]` |
| `readReplicas.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
| `readReplicas.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `readReplicas.service.headless.annotations` | Additional custom annotations for headless PostgreSQL read only service | `{}` |
| `readReplicas.persistence.enabled` | Enable PostgreSQL read only data persistence using PVC | `true` |
| `readReplicas.persistence.existingClaim` | Name of an existing PVC to use | `""` |
| `readReplicas.persistence.mountPath` | The path the volume will be mounted at | `/bitnami/postgresql` |
| `readReplicas.persistence.subPath` | The subdirectory of the volume to mount to | `""` |
| `readReplicas.persistence.storageClass` | PVC Storage Class for PostgreSQL read only data volume | `""` |
| `readReplicas.persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `["ReadWriteOnce"]` |
| `readReplicas.persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` |
| `readReplicas.persistence.annotations` | Annotations for the PVC | `{}` |
| `readReplicas.persistence.labels` | Labels for the PVC | `{}` |
| `readReplicas.persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` |
| `readReplicas.persistence.dataSource` | Custom PVC data source | `{}` |
### NetworkPolicy parameters
| Name | Description | Value |
| ------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `networkPolicy.enabled` | Enable network policies | `false` |
| `networkPolicy.metrics.enabled` | Enable network policies for metrics (prometheus) | `false` |
| `networkPolicy.metrics.namespaceSelector` | Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. | `{}` |
| `networkPolicy.metrics.podSelector` | Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. | `{}` |
| `networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled` | Enable ingress rule that makes PostgreSQL primary node only accessible from a particular origin. | `false` |
| `networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed namespace(s). | `{}` |
| `networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed pod(s). | `{}` |
| `networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules` | Custom network policy for the PostgreSQL primary node. | `{}` |
| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled` | Enable ingress rule that makes PostgreSQL read-only nodes only accessible from a particular origin. | `false` |
| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed namespace(s). | `{}` |
| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed pod(s). | `{}` |
| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules` | Custom network policy for the PostgreSQL read-only nodes. | `{}` |
| `networkPolicy.egressRules.denyConnectionsToExternal` | Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). | `false` |
| `networkPolicy.egressRules.customRules` | Custom network policy rule | `{}` |
### Volume Permissions parameters
| Name | Description | Value |
| ------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------- | ----------------------- |
| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` |
| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` |
| `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/bitnami-shell` |
| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r106` |
| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` |
| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` |
| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` |
| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` |
### Other Parameters
| Name | Description | Value |
| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `serviceBindings.enabled` | Create secret for service binding (Experimental) | `false` |
| `serviceAccount.create` | Enable creation of ServiceAccount for PostgreSQL pod | `false` |
| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` |
| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
| `rbac.create` | Create Role and RoleBinding (required for PSP to work) | `false` |
| `rbac.rules` | Custom RBAC rules to set | `[]` |
| `psp.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` |
### Metrics Parameters
| Name | Description | Value |
| ----------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | --------------------------- |
| `metrics.enabled` | Start a prometheus exporter | `false` |
| `metrics.image.registry` | PostgreSQL Prometheus Exporter image registry | `docker.io` |
| `metrics.image.repository` | PostgreSQL Prometheus Exporter image repository | `bitnami/postgres-exporter` |
| `metrics.image.tag` | PostgreSQL Prometheus Exporter image tag (immutable tags are recommended) | `0.12.0-debian-11-r77` |
| `metrics.image.digest` | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `metrics.image.pullPolicy` | PostgreSQL Prometheus Exporter image pull policy | `IfNotPresent` |
| `metrics.image.pullSecrets` | Specify image pull secrets | `[]` |
| `metrics.customMetrics` | Define additional custom metrics | `{}` |
| `metrics.extraEnvVars` | Extra environment variables to add to PostgreSQL Prometheus exporter | `[]` |
| `metrics.containerSecurityContext.enabled` | Enable PostgreSQL Prometheus exporter containers' Security Context | `true` |
| `metrics.containerSecurityContext.runAsUser` | Set PostgreSQL Prometheus exporter containers' Security Context runAsUser | `1001` |
| `metrics.containerSecurityContext.runAsNonRoot` | Set PostgreSQL Prometheus exporter containers' Security Context runAsNonRoot | `true` |
| `metrics.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL Prometheus exporter containers | `true` |
| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` |
| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `metrics.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL Prometheus exporter containers | `true` |
| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `metrics.startupProbe.enabled` | Enable startupProbe on PostgreSQL Prometheus exporter containers | `false` |
| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` |
| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` |
| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `metrics.containerPorts.metrics` | PostgreSQL Prometheus exporter metrics container port | `9187` |
| `metrics.resources.limits` | The resources limits for the PostgreSQL Prometheus exporter container | `{}` |
| `metrics.resources.requests` | The requested resources for the PostgreSQL Prometheus exporter container | `{}` |
| `metrics.service.ports.metrics` | PostgreSQL Prometheus Exporter service port | `9187` |
| `metrics.service.clusterIP` | Static clusterIP or None for headless services | `""` |
| `metrics.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
| `metrics.service.annotations` | Annotations for Prometheus to auto-discover the metrics endpoint | `{}` |
| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` |
| `metrics.serviceMonitor.namespace` | Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) | `""` |
| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` |
| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` |
| `metrics.serviceMonitor.labels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` |
| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` |
| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` |
| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` |
| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` |
| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` |
| `metrics.prometheusRule.enabled` | Create a PrometheusRule for Prometheus Operator | `false` |
| `metrics.prometheusRule.namespace` | Namespace for the PrometheusRule Resource (defaults to the Release Namespace) | `""` |
| `metrics.prometheusRule.labels` | Additional labels that can be used so PrometheusRule will be discovered by Prometheus | `{}` |
| `metrics.prometheusRule.rules` | PrometheusRule definitions | `[]` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```console
helm install my-release \
--set auth.postgresPassword=secretpassword
my-repo/postgresql
```
The above command sets the PostgreSQL `postgres` account password to `secretpassword`.
> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available.
> **Warning** Setting a password will be ignored on new installation in case when previous Posgresql release was deleted through the helm command. In that case, old PVC will have an old password, and setting it through helm won't take effect. Deleting persistent volumes (PVs) will solve the issue. Refer to [issue 2061](https://github.com/bitnami/charts/issues/2061) for more details
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
```console
helm install my-release -f values.yaml my-repo/postgresql
```
> **Tip**: You can use the default [values.yaml](values.yaml)
## Configuration and installation details
### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/)
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
### Customizing primary and read replica services in a replicated configuration
At the top level, there is a service object which defines the services for both primary and readReplicas. For deeper customization, there are service objects for both the primary and read types individually. This allows you to override the values in the top level service object so that the primary and read can be of different service types and with different clusterIPs / nodePorts. Also in the case you want the primary and read to be of type nodePort, you will need to set the nodePorts to different values to prevent a collision. The values that are deeper in the primary.service or readReplicas.service objects will take precedence over the top level service object.
### Use a different PostgreSQL version
To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. Refer to the [chart documentation for more information on these parameters and how to use them with images from a private registry](https://docs.bitnami.com/kubernetes/infrastructure/postgresql/configuration/change-image-version/).
### postgresql.conf / pg_hba.conf files as configMap
This helm chart also supports to customize the PostgreSQL configuration file. You can add additional PostgreSQL configuration parameters using the `primary.extendedConfiguration`/`readReplicas.extendedConfiguration` parameters as a string. Alternatively, to replace the entire default configuration use `primary.configuration`.
You can also add a custom pg_hba.conf using the `primary.pgHbaConfiguration` parameter.
In addition to these options, you can also set an external ConfigMap with all the configuration files. This is done by setting the `primary.existingConfigmap` parameter. Note that this will override the two previous options.
### Initialize a fresh instance
The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, you can specify custom scripts using the `primary.initdb.scripts` parameter as a string.
In addition, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `primary.initdb.scriptsConfigMap` parameter. Note that this will override the two previous options. If your initialization scripts contain sensitive information such as credentials or passwords, you can use the `primary.initdb.scriptsSecret` parameter.
The allowed extensions are `.sh`, `.sql` and `.sql.gz`.
### Securing traffic using TLS
TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart:
- `tls.enabled`: Enable TLS support. Defaults to `false`
- `tls.certificatesSecret`: Name of an existing secret that contains the certificates. No defaults.
- `tls.certFilename`: Certificate filename. No defaults.
- `tls.certKeyFilename`: Certificate key filename. No defaults.
For example:
- First, create the secret with the cetificates files:
```console
kubectl create secret generic certificates-tls-secret --from-file=./cert.crt --from-file=./cert.key --from-file=./ca.crt
```
- Then, use the following parameters:
```console
volumePermissions.enabled=true
tls.enabled=true
tls.certificatesSecret="certificates-tls-secret"
tls.certFilename="cert.crt"
tls.certKeyFilename="cert.key"
```
> Note TLS and VolumePermissions: PostgreSQL requires certain permissions on sensitive files (such as certificate keys) to start up. Due to an on-going [issue](https://github.com/kubernetes/kubernetes/issues/57923) regarding kubernetes permissions and the use of `containerSecurityContext.runAsUser`, you must enable `volumePermissions` to ensure everything works as expected.
### Sidecars
If you need additional containers to run within the same pod as PostgreSQL (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec.
```yaml
# For the PostgreSQL primary
primary:
sidecars:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234
# For the PostgreSQL replicas
readReplicas:
sidecars:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234
```
### Metrics
The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml).
The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details.
### Use of global variables
In more complex scenarios, we may have the following tree of dependencies
```text
+--------------+
| |
+------------+ Chart 1 +-----------+
| | | |
| --------+------+ |
| | |
| | |
| | |
| | |
v v v
+-------+------+ +--------+------+ +--------+------+
| | | | | |
| PostgreSQL | | Sub-chart 1 | | Sub-chart 2 |
| | | | | |
+--------------+ +---------------+ +---------------+
```
The three charts below depend on the parent chart Chart 1. However, subcharts 1 and 2 may need to connect to PostgreSQL as well. In order to do so, subcharts 1 and 2 need to know the PostgreSQL credentials, so one option for deploying could be deploy Chart 1 with the following parameters:
```text
postgresql.auth.username=testuser
subchart1.postgresql.auth.username=testuser
subchart2.postgresql.auth.username=testuser
postgresql.auth.password=testpass
subchart1.postgresql.auth.password=testpass
subchart2.postgresql.auth.password=testpass
postgresql.auth.database=testdb
subchart1.postgresql.auth.database=testdb
subchart2.postgresql.auth.database=testdb
```
If the number of dependent sub-charts increases, installing the chart with parameters can become increasingly difficult. An alternative would be to set the credentials using global variables as follows:
```text
global.postgresql.auth.username=testuser
global.postgresql.auth.password=testpass
global.postgresql.auth.database=testdb
```
This way, the credentials will be available in all of the subcharts.
## Persistence
The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container.
Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube.
See the [Parameters](#parameters) section to configure the PVC or to disable persistence.
If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to the [code present in the container repository](https://github.com/bitnami/containers/tree/main/bitnami/postgresql). If you need to use those data, please covert them to sql and import after `helm install` finished.
## NetworkPolicy
To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`.
For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace:
```console
kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}"
```
With NetworkPolicy enabled, traffic will be limited to just port 5432.
For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL.
This label will be displayed in the output of a successful install.
## Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image
- The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image.
- The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift.
- For OpenShift up to 4.10, let set the volume permissions, security context, runAsUser and fsGroup automatically by OpenShift and disable the predefined settings of the helm chart: primary.securityContext.enabled=false,primary.containerSecurityContext.enabled=false,volumePermissions.enabled=false,shmVolume.enabled=false
- For OpenShift 4.11 and higher, let set OpenShift the runAsUser and fsGroup automatically. Configure the pod and container security context to restrictive defaults and disable the volume permissions setup: primary.
podSecurityContext.fsGroup=null,primary.podSecurityContext.seccompProfile.type=RuntimeDefault,primary.containerSecurityContext.runAsUser=null,primary.containerSecurityContext.allowPrivilegeEscalation=false,primary.containerSecurityContext.runAsNonRoot=true,primary.containerSecurityContext.seccompProfile.type=RuntimeDefault,primary.containerSecurityContext.capabilities.drop=['ALL'],volumePermissions.enabled=false,shmVolume.enabled=false
### Setting Pod's affinity
This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity).
As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters.
## Troubleshooting
Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues).
## Upgrading
### To 12.0.0
This major version changes the default PostgreSQL image from 14.x to 15.x. Follow the [official instructions](https://www.postgresql.org/docs/15/upgrading.html) to upgrade to 15.x.
### To any previous version
Refer to the [chart documentation for more information about how to upgrade from previous releases](https://docs.bitnami.com/kubernetes/infrastructure/postgresql/administration/upgrade/).
## License
Copyright &copy; 2023 Bitnami
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
<http://www.apache.org/licenses/LICENSE-2.0>
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

22
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/charts/common/.helmignore Normal file
View File

@@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

24
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/charts/common/Chart.yaml Normal file
View File

@@ -0,0 +1,24 @@
annotations:
category: Infrastructure
licenses: Apache-2.0
apiVersion: v2
appVersion: 2.2.4
description: A Library Helm Chart for grouping common logic between bitnami charts.
This chart is not deployable by itself.
home: https://github.com/bitnami/charts/tree/main/bitnami/common
icon: https://bitnami.com/downloads/logos/bitnami-mark.png
keywords:
- common
- helper
- template
- function
- bitnami
maintainers:
- name: Bitnami
url: https://github.com/bitnami/charts
name: common
sources:
- https://github.com/bitnami/charts
- https://www.bitnami.com/
type: library
version: 2.2.4

233
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/charts/common/README.md Normal file
View File

@@ -0,0 +1,233 @@
# Bitnami Common Library Chart
A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between bitnami charts.
## TL;DR
```yaml
dependencies:
- name: common
version: 1.x.x
repository: https://charts.bitnami.com/bitnami
```
```console
helm dependency update
```
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "common.names.fullname" . }}
data:
myvalue: "Hello World"
```
## Introduction
This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager.
Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
## Prerequisites
- Kubernetes 1.19+
- Helm 3.2.0+
## Parameters
## Special input schemas
### ImageRoot
```yaml
registry:
type: string
description: Docker registry where the image is located
example: docker.io
repository:
type: string
description: Repository and image name
example: bitnami/nginx
tag:
type: string
description: image tag
example: 1.16.1-debian-10-r63
pullPolicy:
type: string
description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
pullSecrets:
type: array
items:
type: string
description: Optionally specify an array of imagePullSecrets (evaluated as templates).
debug:
type: boolean
description: Set to true if you would like to see extra information on logs
example: false
## An instance would be:
# registry: docker.io
# repository: bitnami/nginx
# tag: 1.16.1-debian-10-r63
# pullPolicy: IfNotPresent
# debug: false
```
### Persistence
```yaml
enabled:
type: boolean
description: Whether enable persistence.
example: true
storageClass:
type: string
description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning.
example: "-"
accessMode:
type: string
description: Access mode for the Persistent Volume Storage.
example: ReadWriteOnce
size:
type: string
description: Size the Persistent Volume Storage.
example: 8Gi
path:
type: string
description: Path to be persisted.
example: /bitnami
## An instance would be:
# enabled: true
# storageClass: "-"
# accessMode: ReadWriteOnce
# size: 8Gi
# path: /bitnami
```
### ExistingSecret
```yaml
name:
type: string
description: Name of the existing secret.
example: mySecret
keyMapping:
description: Mapping between the expected key name and the name of the key in the existing secret.
type: object
## An instance would be:
# name: mySecret
# keyMapping:
# password: myPasswordKey
```
#### Example of use
When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets.
```yaml
# templates/secret.yaml
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "common.names.fullname" . }}
labels:
app: {{ include "common.names.fullname" . }}
type: Opaque
data:
password: {{ .Values.password | b64enc | quote }}
# templates/dpl.yaml
---
...
env:
- name: PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }}
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }}
...
# values.yaml
---
name: mySecret
keyMapping:
password: myPasswordKey
```
### ValidateValue
#### NOTES.txt
```console
{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}}
{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}}
{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }}
```
If we force those values to be empty we will see some alerts
```console
helm install test mychart --set path.to.value00="",path.to.value01=""
'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value:
export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 -d)
'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value:
export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 -d)
```
## Upgrading
### To 1.0.0
[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL.
#### What changes were introduced in this major version?
- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field.
- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information.
- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts
#### Considerations when upgrading to this version
- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues
- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore
- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3
#### Useful links
- <https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/>
- <https://helm.sh/docs/topics/v2_v3_migration/>
- <https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/>
## License
Copyright &copy; 2023 Bitnami
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
<http://www.apache.org/licenses/LICENSE-2.0>
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

106
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/charts/common/templates/_affinities.tpl Normal file
View File

@@ -0,0 +1,106 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Return a soft nodeAffinity definition
{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}}
*/}}
{{- define "common.affinities.nodes.soft" -}}
preferredDuringSchedulingIgnoredDuringExecution:
- preference:
matchExpressions:
- key: {{ .key }}
operator: In
values:
{{- range .values }}
- {{ . | quote }}
{{- end }}
weight: 1
{{- end -}}
{{/*
Return a hard nodeAffinity definition
{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}}
*/}}
{{- define "common.affinities.nodes.hard" -}}
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: {{ .key }}
operator: In
values:
{{- range .values }}
- {{ . | quote }}
{{- end }}
{{- end -}}
{{/*
Return a nodeAffinity definition
{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}}
*/}}
{{- define "common.affinities.nodes" -}}
{{- if eq .type "soft" }}
{{- include "common.affinities.nodes.soft" . -}}
{{- else if eq .type "hard" }}
{{- include "common.affinities.nodes.hard" . -}}
{{- end -}}
{{- end -}}
{{/*
Return a topologyKey definition
{{ include "common.affinities.topologyKey" (dict "topologyKey" "BAR") -}}
*/}}
{{- define "common.affinities.topologyKey" -}}
{{ .topologyKey | default "kubernetes.io/hostname" -}}
{{- end -}}
{{/*
Return a soft podAffinity/podAntiAffinity definition
{{ include "common.affinities.pods.soft" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "context" $) -}}
*/}}
{{- define "common.affinities.pods.soft" -}}
{{- $component := default "" .component -}}
{{- $extraMatchLabels := default (dict) .extraMatchLabels -}}
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }}
{{- if not (empty $component) }}
{{ printf "app.kubernetes.io/component: %s" $component }}
{{- end }}
{{- range $key, $value := $extraMatchLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
weight: 1
{{- end -}}
{{/*
Return a hard podAffinity/podAntiAffinity definition
{{ include "common.affinities.pods.hard" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "context" $) -}}
*/}}
{{- define "common.affinities.pods.hard" -}}
{{- $component := default "" .component -}}
{{- $extraMatchLabels := default (dict) .extraMatchLabels -}}
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }}
{{- if not (empty $component) }}
{{ printf "app.kubernetes.io/component: %s" $component }}
{{- end }}
{{- range $key, $value := $extraMatchLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
{{- end -}}
{{/*
Return a podAffinity/podAntiAffinity definition
{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}}
*/}}
{{- define "common.affinities.pods" -}}
{{- if eq .type "soft" }}
{{- include "common.affinities.pods.soft" . -}}
{{- else if eq .type "hard" }}
{{- include "common.affinities.pods.hard" . -}}
{{- end -}}
{{- end -}}

154
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/charts/common/templates/_capabilities.tpl Normal file
View File

@@ -0,0 +1,154 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Return the target Kubernetes version
*/}}
{{- define "common.capabilities.kubeVersion" -}}
{{- if .Values.global }}
{{- if .Values.global.kubeVersion }}
{{- .Values.global.kubeVersion -}}
{{- else }}
{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
{{- end -}}
{{- else }}
{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for poddisruptionbudget.
*/}}
{{- define "common.capabilities.policy.apiVersion" -}}
{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "policy/v1beta1" -}}
{{- else -}}
{{- print "policy/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for networkpolicy.
*/}}
{{- define "common.capabilities.networkPolicy.apiVersion" -}}
{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "extensions/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for cronjob.
*/}}
{{- define "common.capabilities.cronjob.apiVersion" -}}
{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "batch/v1beta1" -}}
{{- else -}}
{{- print "batch/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for deployment.
*/}}
{{- define "common.capabilities.deployment.apiVersion" -}}
{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "extensions/v1beta1" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for statefulset.
*/}}
{{- define "common.capabilities.statefulset.apiVersion" -}}
{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "apps/v1beta1" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for ingress.
*/}}
{{- define "common.capabilities.ingress.apiVersion" -}}
{{- if .Values.ingress -}}
{{- if .Values.ingress.apiVersion -}}
{{- .Values.ingress.apiVersion -}}
{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "extensions/v1beta1" -}}
{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1" -}}
{{- end }}
{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "extensions/v1beta1" -}}
{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for RBAC resources.
*/}}
{{- define "common.capabilities.rbac.apiVersion" -}}
{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "rbac.authorization.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "rbac.authorization.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for CRDs.
*/}}
{{- define "common.capabilities.crd.apiVersion" -}}
{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "apiextensions.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "apiextensions.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for APIService.
*/}}
{{- define "common.capabilities.apiService.apiVersion" -}}
{{- if semverCompare "<1.10-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "apiregistration.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "apiregistration.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for Horizontal Pod Autoscaler.
*/}}
{{- define "common.capabilities.hpa.apiVersion" -}}
{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}}
{{- if .beta2 -}}
{{- print "autoscaling/v2beta2" -}}
{{- else -}}
{{- print "autoscaling/v2beta1" -}}
{{- end -}}
{{- else -}}
{{- print "autoscaling/v2" -}}
{{- end -}}
{{- end -}}
{{/*
Returns true if the used Helm version is 3.3+.
A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure.
This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error.
**To be removed when the catalog's minimun Helm version is 3.3**
*/}}
{{- define "common.capabilities.supportsHelmVersion" -}}
{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }}
{{- true -}}
{{- end -}}
{{- end -}}

23
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/charts/common/templates/_errors.tpl Normal file
View File

@@ -0,0 +1,23 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Through error when upgrading using empty passwords values that must not be empty.
Usage:
{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}}
{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}}
{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }}
Required password params:
- validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error.
- context - Context - Required. Parent context.
*/}}
{{- define "common.errors.upgrade.passwords.empty" -}}
{{- $validationErrors := join "" .validationErrors -}}
{{- if and $validationErrors .context.Release.IsUpgrade -}}
{{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}}
{{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}}
{{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}}
{{- $errorString = print $errorString "\n%s" -}}
{{- printf $errorString $validationErrors | fail -}}
{{- end -}}
{{- end -}}

80
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/charts/common/templates/_images.tpl Normal file
View File

@@ -0,0 +1,80 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Return the proper image name
{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global ) }}
*/}}
{{- define "common.images.image" -}}
{{- $registryName := .imageRoot.registry -}}
{{- $repositoryName := .imageRoot.repository -}}
{{- $separator := ":" -}}
{{- $termination := .imageRoot.tag | toString -}}
{{- if .global }}
{{- if .global.imageRegistry }}
{{- $registryName = .global.imageRegistry -}}
{{- end -}}
{{- end -}}
{{- if .imageRoot.digest }}
{{- $separator = "@" -}}
{{- $termination = .imageRoot.digest | toString -}}
{{- end -}}
{{- if $registryName }}
{{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}}
{{- else -}}
{{- printf "%s%s%s" $repositoryName $separator $termination -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead)
{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }}
*/}}
{{- define "common.images.pullSecrets" -}}
{{- $pullSecrets := list }}
{{- if .global }}
{{- range .global.imagePullSecrets -}}
{{- $pullSecrets = append $pullSecrets . -}}
{{- end -}}
{{- end -}}
{{- range .images -}}
{{- range .pullSecrets -}}
{{- $pullSecrets = append $pullSecrets . -}}
{{- end -}}
{{- end -}}
{{- if (not (empty $pullSecrets)) }}
imagePullSecrets:
{{- range $pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names evaluating values as templates
{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }}
*/}}
{{- define "common.images.renderPullSecrets" -}}
{{- $pullSecrets := list }}
{{- $context := .context }}
{{- if $context.Values.global }}
{{- range $context.Values.global.imagePullSecrets -}}
{{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
{{- end -}}
{{- end -}}
{{- range .images -}}
{{- range .pullSecrets -}}
{{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
{{- end -}}
{{- end -}}
{{- if (not (empty $pullSecrets)) }}
imagePullSecrets:
{{- range $pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- end -}}

68
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/charts/common/templates/_ingress.tpl Normal file
View File

@@ -0,0 +1,68 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Generate backend entry that is compatible with all Kubernetes API versions.
Usage:
{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }}
Params:
- serviceName - String. Name of an existing service backend
- servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer.
- context - Dict - Required. The context for the template evaluation.
*/}}
{{- define "common.ingress.backend" -}}
{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}}
{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}}
serviceName: {{ .serviceName }}
servicePort: {{ .servicePort }}
{{- else -}}
service:
name: {{ .serviceName }}
port:
{{- if typeIs "string" .servicePort }}
name: {{ .servicePort }}
{{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }}
number: {{ .servicePort | int }}
{{- end }}
{{- end -}}
{{- end -}}
{{/*
Print "true" if the API pathType field is supported
Usage:
{{ include "common.ingress.supportsPathType" . }}
*/}}
{{- define "common.ingress.supportsPathType" -}}
{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}}
{{- print "false" -}}
{{- else -}}
{{- print "true" -}}
{{- end -}}
{{- end -}}
{{/*
Returns true if the ingressClassname field is supported
Usage:
{{ include "common.ingress.supportsIngressClassname" . }}
*/}}
{{- define "common.ingress.supportsIngressClassname" -}}
{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "false" -}}
{{- else -}}
{{- print "true" -}}
{{- end -}}
{{- end -}}
{{/*
Return true if cert-manager required annotations for TLS signed
certificates are set in the Ingress annotations
Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
Usage:
{{ include "common.ingress.certManagerRequest" ( dict "annotations" .Values.path.to.the.ingress.annotations ) }}
*/}}
{{- define "common.ingress.certManagerRequest" -}}
{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") (hasKey .annotations "kubernetes.io/tls-acme") }}
{{- true -}}
{{- end -}}
{{- end -}}

18
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/charts/common/templates/_labels.tpl Normal file
View File

@@ -0,0 +1,18 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Kubernetes standard labels
*/}}
{{- define "common.labels.standard" -}}
app.kubernetes.io/name: {{ include "common.names.name" . }}
helm.sh/chart: {{ include "common.names.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector
*/}}
{{- define "common.labels.matchLabels" -}}
app.kubernetes.io/name: {{ include "common.names.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}

66
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/charts/common/templates/_names.tpl Normal file
View File

@@ -0,0 +1,66 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "common.names.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "common.names.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "common.names.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified dependency name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
Usage:
{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }}
*/}}
{{- define "common.names.dependency.fullname" -}}
{{- if .chartValues.fullnameOverride -}}
{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .chartName .chartValues.nameOverride -}}
{{- if contains $name .context.Release.Name -}}
{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Allow the release namespace to be overridden for multi-namespace deployments in combined charts.
*/}}
{{- define "common.names.namespace" -}}
{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a fully qualified app name adding the installation's namespace.
*/}}
{{- define "common.names.fullname.namespace" -}}
{{- printf "%s-%s" (include "common.names.fullname" .) (include "common.names.namespace" .) | trunc 63 | trimSuffix "-" -}}
{{- end -}}

165
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/charts/common/templates/_secrets.tpl Normal file
View File

@@ -0,0 +1,165 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Generate secret name.
Usage:
{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }}
Params:
- existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user
to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility.
+info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret
- defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment.
- context - Dict - Required. The context for the template evaluation.
*/}}
{{- define "common.secrets.name" -}}
{{- $name := (include "common.names.fullname" .context) -}}
{{- if .defaultNameSuffix -}}
{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- with .existingSecret -}}
{{- if not (typeIs "string" .) -}}
{{- with .name -}}
{{- $name = . -}}
{{- end -}}
{{- else -}}
{{- $name = . -}}
{{- end -}}
{{- end -}}
{{- printf "%s" $name -}}
{{- end -}}
{{/*
Generate secret key.
Usage:
{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }}
Params:
- existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user
to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility.
+info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret
- key - String - Required. Name of the key in the secret.
*/}}
{{- define "common.secrets.key" -}}
{{- $key := .key -}}
{{- if .existingSecret -}}
{{- if not (typeIs "string" .existingSecret) -}}
{{- if .existingSecret.keyMapping -}}
{{- $key = index .existingSecret.keyMapping $.key -}}
{{- end -}}
{{- end }}
{{- end -}}
{{- printf "%s" $key -}}
{{- end -}}
{{/*
Generate secret password or retrieve one if already created.
Usage:
{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }}
Params:
- secret - String - Required - Name of the 'Secret' resource where the password is stored.
- key - String - Required - Name of the key in the secret.
- providedValues - List<String> - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value.
- length - int - Optional - Length of the generated random password.
- strong - Boolean - Optional - Whether to add symbols to the generated random password.
- chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart.
- context - Context - Required - Parent context.
The order in which this function returns a secret password:
1. Already existing 'Secret' resource
(If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned)
2. Password provided via the values.yaml
(If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned)
3. Randomly generated secret password
(A new random secret password with the length specified in the 'length' parameter will be generated and returned)
*/}}
{{- define "common.secrets.passwords.manage" -}}
{{- $password := "" }}
{{- $subchart := "" }}
{{- $chartName := default "" .chartName }}
{{- $passwordLength := default 10 .length }}
{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }}
{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }}
{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }}
{{- if $secretData }}
{{- if hasKey $secretData .key }}
{{- $password = index $secretData .key | quote }}
{{- else }}
{{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}}
{{- end -}}
{{- else if $providedPasswordValue }}
{{- $password = $providedPasswordValue | toString | b64enc | quote }}
{{- else }}
{{- if .context.Values.enabled }}
{{- $subchart = $chartName }}
{{- end -}}
{{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}}
{{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}}
{{- $passwordValidationErrors := list $requiredPasswordError -}}
{{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}}
{{- if .strong }}
{{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }}
{{- $password = randAscii $passwordLength }}
{{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }}
{{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }}
{{- else }}
{{- $password = randAlphaNum $passwordLength | b64enc | quote }}
{{- end }}
{{- end -}}
{{- printf "%s" $password -}}
{{- end -}}
{{/*
Reuses the value from an existing secret, otherwise sets its value to a default value.
Usage:
{{ include "common.secrets.lookup" (dict "secret" "secret-name" "key" "keyName" "defaultValue" .Values.myValue "context" $) }}
Params:
- secret - String - Required - Name of the 'Secret' resource where the password is stored.
- key - String - Required - Name of the key in the secret.
- defaultValue - String - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value.
- context - Context - Required - Parent context.
*/}}
{{- define "common.secrets.lookup" -}}
{{- $value := "" -}}
{{- $defaultValue := required "\n'common.secrets.lookup': Argument 'defaultValue' missing or empty" .defaultValue -}}
{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data -}}
{{- if and $secretData (hasKey $secretData .key) -}}
{{- $value = index $secretData .key -}}
{{- else -}}
{{- $value = $defaultValue | toString | b64enc -}}
{{- end -}}
{{- printf "%s" $value -}}
{{- end -}}
{{/*
Returns whether a previous generated secret already exists
Usage:
{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }}
Params:
- secret - String - Required - Name of the 'Secret' resource where the password is stored.
- context - Context - Required - Parent context.
*/}}
{{- define "common.secrets.exists" -}}
{{- $secret := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret) }}
{{- if $secret }}
{{- true -}}
{{- end -}}
{{- end -}}

23
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/charts/common/templates/_storage.tpl Normal file
View File

@@ -0,0 +1,23 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Return the proper Storage Class
{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }}
*/}}
{{- define "common.storage.class" -}}
{{- $storageClass := .persistence.storageClass -}}
{{- if .global -}}
{{- if .global.storageClass -}}
{{- $storageClass = .global.storageClass -}}
{{- end -}}
{{- end -}}
{{- if $storageClass -}}
{{- if (eq "-" $storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
{{- else }}
{{- printf "storageClassName: %s" $storageClass -}}
{{- end -}}
{{- end -}}
{{- end -}}

13
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/charts/common/templates/_tplvalues.tpl Normal file
View File

@@ -0,0 +1,13 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Renders a value that contains template.
Usage:
{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }}
*/}}
{{- define "common.tplvalues.render" -}}
{{- if typeIs "string" .value }}
{{- tpl .value .context }}
{{- else }}
{{- tpl (.value | toYaml) .context }}
{{- end }}
{{- end -}}

62
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/charts/common/templates/_utils.tpl Normal file
View File

@@ -0,0 +1,62 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Print instructions to get a secret value.
Usage:
{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }}
*/}}
{{- define "common.utils.secret.getvalue" -}}
{{- $varname := include "common.utils.fieldToEnvVar" . -}}
export {{ $varname }}=$(kubectl get secret --namespace {{ include "common.names.namespace" .context | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 -d)
{{- end -}}
{{/*
Build env var name given a field
Usage:
{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }}
*/}}
{{- define "common.utils.fieldToEnvVar" -}}
{{- $fieldNameSplit := splitList "-" .field -}}
{{- $upperCaseFieldNameSplit := list -}}
{{- range $fieldNameSplit -}}
{{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}}
{{- end -}}
{{ join "_" $upperCaseFieldNameSplit }}
{{- end -}}
{{/*
Gets a value from .Values given
Usage:
{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }}
*/}}
{{- define "common.utils.getValueFromKey" -}}
{{- $splitKey := splitList "." .key -}}
{{- $value := "" -}}
{{- $latestObj := $.context.Values -}}
{{- range $splitKey -}}
{{- if not $latestObj -}}
{{- printf "please review the entire path of '%s' exists in values" $.key | fail -}}
{{- end -}}
{{- $value = ( index $latestObj . ) -}}
{{- $latestObj = $value -}}
{{- end -}}
{{- printf "%v" (default "" $value) -}}
{{- end -}}
{{/*
Returns first .Values key with a defined value or first of the list if all non-defined
Usage:
{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }}
*/}}
{{- define "common.utils.getKeyFromList" -}}
{{- $key := first .keys -}}
{{- $reverseKeys := reverse .keys }}
{{- range $reverseKeys }}
{{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }}
{{- if $value -}}
{{- $key = . }}
{{- end -}}
{{- end -}}
{{- printf "%s" $key -}}
{{- end -}}

14
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/charts/common/templates/_warnings.tpl Normal file
View File

@@ -0,0 +1,14 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Warning about using rolling tag.
Usage:
{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }}
*/}}
{{- define "common.warnings.rollingTag" -}}
{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }}
WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
{{- end }}
{{- end -}}

72
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/charts/common/templates/validations/_cassandra.tpl Normal file
View File

@@ -0,0 +1,72 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Validate Cassandra required passwords are not empty.
Usage:
{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret"
- subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
*/}}
{{- define "common.validations.values.cassandra.passwords" -}}
{{- $existingSecret := include "common.cassandra.values.existingSecret" . -}}
{{- $enabled := include "common.cassandra.values.enabled" . -}}
{{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}}
{{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}}
{{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
{{- $requiredPasswords := list -}}
{{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for existingSecret.
Usage:
{{ include "common.cassandra.values.existingSecret" (dict "context" $) }}
Params:
- subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
*/}}
{{- define "common.cassandra.values.existingSecret" -}}
{{- if .subchart -}}
{{- .context.Values.cassandra.dbUser.existingSecret | quote -}}
{{- else -}}
{{- .context.Values.dbUser.existingSecret | quote -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for enabled cassandra.
Usage:
{{ include "common.cassandra.values.enabled" (dict "context" $) }}
*/}}
{{- define "common.cassandra.values.enabled" -}}
{{- if .subchart -}}
{{- printf "%v" .context.Values.cassandra.enabled -}}
{{- else -}}
{{- printf "%v" (not .context.Values.enabled) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for the key dbUser
Usage:
{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
*/}}
{{- define "common.cassandra.values.key.dbUser" -}}
{{- if .subchart -}}
cassandra.dbUser
{{- else -}}
dbUser
{{- end -}}
{{- end -}}

103
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/charts/common/templates/validations/_mariadb.tpl Normal file
View File

@@ -0,0 +1,103 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Validate MariaDB required passwords are not empty.
Usage:
{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret"
- subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
*/}}
{{- define "common.validations.values.mariadb.passwords" -}}
{{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}}
{{- $enabled := include "common.mariadb.values.enabled" . -}}
{{- $architecture := include "common.mariadb.values.architecture" . -}}
{{- $authPrefix := include "common.mariadb.values.key.auth" . -}}
{{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
{{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
{{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
{{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}}
{{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
{{- $requiredPasswords := list -}}
{{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
{{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
{{- if not (empty $valueUsername) -}}
{{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
{{- end -}}
{{- if (eq $architecture "replication") -}}
{{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}}
{{- end -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for existingSecret.
Usage:
{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
*/}}
{{- define "common.mariadb.values.auth.existingSecret" -}}
{{- if .subchart -}}
{{- .context.Values.mariadb.auth.existingSecret | quote -}}
{{- else -}}
{{- .context.Values.auth.existingSecret | quote -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for enabled mariadb.
Usage:
{{ include "common.mariadb.values.enabled" (dict "context" $) }}
*/}}
{{- define "common.mariadb.values.enabled" -}}
{{- if .subchart -}}
{{- printf "%v" .context.Values.mariadb.enabled -}}
{{- else -}}
{{- printf "%v" (not .context.Values.enabled) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for architecture
Usage:
{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
*/}}
{{- define "common.mariadb.values.architecture" -}}
{{- if .subchart -}}
{{- .context.Values.mariadb.architecture -}}
{{- else -}}
{{- .context.Values.architecture -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for the key auth
Usage:
{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
*/}}
{{- define "common.mariadb.values.key.auth" -}}
{{- if .subchart -}}
mariadb.auth
{{- else -}}
auth
{{- end -}}
{{- end -}}

108
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/charts/common/templates/validations/_mongodb.tpl Normal file
View File

@@ -0,0 +1,108 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Validate MongoDB&reg; required passwords are not empty.
Usage:
{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where MongoDB&reg; values are stored, e.g: "mongodb-passwords-secret"
- subchart - Boolean - Optional. Whether MongoDB&reg; is used as subchart or not. Default: false
*/}}
{{- define "common.validations.values.mongodb.passwords" -}}
{{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}}
{{- $enabled := include "common.mongodb.values.enabled" . -}}
{{- $authPrefix := include "common.mongodb.values.key.auth" . -}}
{{- $architecture := include "common.mongodb.values.architecture" . -}}
{{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
{{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
{{- $valueKeyDatabase := printf "%s.database" $authPrefix -}}
{{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
{{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}}
{{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}}
{{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}}
{{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") (eq $authEnabled "true") -}}
{{- $requiredPasswords := list -}}
{{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
{{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
{{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }}
{{- if and $valueUsername $valueDatabase -}}
{{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
{{- end -}}
{{- if (eq $architecture "replicaset") -}}
{{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}}
{{- end -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for existingSecret.
Usage:
{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false
*/}}
{{- define "common.mongodb.values.auth.existingSecret" -}}
{{- if .subchart -}}
{{- .context.Values.mongodb.auth.existingSecret | quote -}}
{{- else -}}
{{- .context.Values.auth.existingSecret | quote -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for enabled mongodb.
Usage:
{{ include "common.mongodb.values.enabled" (dict "context" $) }}
*/}}
{{- define "common.mongodb.values.enabled" -}}
{{- if .subchart -}}
{{- printf "%v" .context.Values.mongodb.enabled -}}
{{- else -}}
{{- printf "%v" (not .context.Values.enabled) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for the key auth
Usage:
{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MongoDB&reg; is used as subchart or not. Default: false
*/}}
{{- define "common.mongodb.values.key.auth" -}}
{{- if .subchart -}}
mongodb.auth
{{- else -}}
auth
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for architecture
Usage:
{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MongoDB&reg; is used as subchart or not. Default: false
*/}}
{{- define "common.mongodb.values.architecture" -}}
{{- if .subchart -}}
{{- .context.Values.mongodb.architecture -}}
{{- else -}}
{{- .context.Values.architecture -}}
{{- end -}}
{{- end -}}

103
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/charts/common/templates/validations/_mysql.tpl Normal file
View File

@@ -0,0 +1,103 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Validate MySQL required passwords are not empty.
Usage:
{{ include "common.validations.values.mysql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where MySQL values are stored, e.g: "mysql-passwords-secret"
- subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
*/}}
{{- define "common.validations.values.mysql.passwords" -}}
{{- $existingSecret := include "common.mysql.values.auth.existingSecret" . -}}
{{- $enabled := include "common.mysql.values.enabled" . -}}
{{- $architecture := include "common.mysql.values.architecture" . -}}
{{- $authPrefix := include "common.mysql.values.key.auth" . -}}
{{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
{{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
{{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
{{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}}
{{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
{{- $requiredPasswords := list -}}
{{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mysql-root-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
{{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
{{- if not (empty $valueUsername) -}}
{{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mysql-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
{{- end -}}
{{- if (eq $architecture "replication") -}}
{{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mysql-replication-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}}
{{- end -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for existingSecret.
Usage:
{{ include "common.mysql.values.auth.existingSecret" (dict "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
*/}}
{{- define "common.mysql.values.auth.existingSecret" -}}
{{- if .subchart -}}
{{- .context.Values.mysql.auth.existingSecret | quote -}}
{{- else -}}
{{- .context.Values.auth.existingSecret | quote -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for enabled mysql.
Usage:
{{ include "common.mysql.values.enabled" (dict "context" $) }}
*/}}
{{- define "common.mysql.values.enabled" -}}
{{- if .subchart -}}
{{- printf "%v" .context.Values.mysql.enabled -}}
{{- else -}}
{{- printf "%v" (not .context.Values.enabled) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for architecture
Usage:
{{ include "common.mysql.values.architecture" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
*/}}
{{- define "common.mysql.values.architecture" -}}
{{- if .subchart -}}
{{- .context.Values.mysql.architecture -}}
{{- else -}}
{{- .context.Values.architecture -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for the key auth
Usage:
{{ include "common.mysql.values.key.auth" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
*/}}
{{- define "common.mysql.values.key.auth" -}}
{{- if .subchart -}}
mysql.auth
{{- else -}}
auth
{{- end -}}
{{- end -}}

129
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/charts/common/templates/validations/_postgresql.tpl Normal file
View File

@@ -0,0 +1,129 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Validate PostgreSQL required passwords are not empty.
Usage:
{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret"
- subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
*/}}
{{- define "common.validations.values.postgresql.passwords" -}}
{{- $existingSecret := include "common.postgresql.values.existingSecret" . -}}
{{- $enabled := include "common.postgresql.values.enabled" . -}}
{{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}}
{{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}}
{{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
{{- $requiredPasswords := list -}}
{{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}}
{{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}}
{{- if (eq $enabledReplication "true") -}}
{{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}}
{{- end -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to decide whether evaluate global values.
Usage:
{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }}
Params:
- key - String - Required. Field to be evaluated within global, e.g: "existingSecret"
*/}}
{{- define "common.postgresql.values.use.global" -}}
{{- if .context.Values.global -}}
{{- if .context.Values.global.postgresql -}}
{{- index .context.Values.global.postgresql .key | quote -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for existingSecret.
Usage:
{{ include "common.postgresql.values.existingSecret" (dict "context" $) }}
*/}}
{{- define "common.postgresql.values.existingSecret" -}}
{{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}}
{{- if .subchart -}}
{{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}}
{{- else -}}
{{- default (.context.Values.existingSecret | quote) $globalValue -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for enabled postgresql.
Usage:
{{ include "common.postgresql.values.enabled" (dict "context" $) }}
*/}}
{{- define "common.postgresql.values.enabled" -}}
{{- if .subchart -}}
{{- printf "%v" .context.Values.postgresql.enabled -}}
{{- else -}}
{{- printf "%v" (not .context.Values.enabled) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for the key postgressPassword.
Usage:
{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
*/}}
{{- define "common.postgresql.values.key.postgressPassword" -}}
{{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}}
{{- if not $globalValue -}}
{{- if .subchart -}}
postgresql.postgresqlPassword
{{- else -}}
postgresqlPassword
{{- end -}}
{{- else -}}
global.postgresql.postgresqlPassword
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for enabled.replication.
Usage:
{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
*/}}
{{- define "common.postgresql.values.enabled.replication" -}}
{{- if .subchart -}}
{{- printf "%v" .context.Values.postgresql.replication.enabled -}}
{{- else -}}
{{- printf "%v" .context.Values.replication.enabled -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for the key replication.password.
Usage:
{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
*/}}
{{- define "common.postgresql.values.key.replicationPassword" -}}
{{- if .subchart -}}
postgresql.replication.password
{{- else -}}
replication.password
{{- end -}}
{{- end -}}

76
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/charts/common/templates/validations/_redis.tpl Normal file
View File

@@ -0,0 +1,76 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Validate Redis&reg; required passwords are not empty.
Usage:
{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret"
- subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false
*/}}
{{- define "common.validations.values.redis.passwords" -}}
{{- $enabled := include "common.redis.values.enabled" . -}}
{{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}}
{{- $standarizedVersion := include "common.redis.values.standarized.version" . }}
{{- $existingSecret := ternary (printf "%s%s" $valueKeyPrefix "auth.existingSecret") (printf "%s%s" $valueKeyPrefix "existingSecret") (eq $standarizedVersion "true") }}
{{- $existingSecretValue := include "common.utils.getValueFromKey" (dict "key" $existingSecret "context" .context) }}
{{- $valueKeyRedisPassword := ternary (printf "%s%s" $valueKeyPrefix "auth.password") (printf "%s%s" $valueKeyPrefix "password") (eq $standarizedVersion "true") }}
{{- $valueKeyRedisUseAuth := ternary (printf "%s%s" $valueKeyPrefix "auth.enabled") (printf "%s%s" $valueKeyPrefix "usePassword") (eq $standarizedVersion "true") }}
{{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
{{- $requiredPasswords := list -}}
{{- $useAuth := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUseAuth "context" .context) -}}
{{- if eq $useAuth "true" -}}
{{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}}
{{- end -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for enabled redis.
Usage:
{{ include "common.redis.values.enabled" (dict "context" $) }}
*/}}
{{- define "common.redis.values.enabled" -}}
{{- if .subchart -}}
{{- printf "%v" .context.Values.redis.enabled -}}
{{- else -}}
{{- printf "%v" (not .context.Values.enabled) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right prefix path for the values
Usage:
{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false
*/}}
{{- define "common.redis.values.keys.prefix" -}}
{{- if .subchart -}}redis.{{- else -}}{{- end -}}
{{- end -}}
{{/*
Checks whether the redis chart's includes the standarizations (version >= 14)
Usage:
{{ include "common.redis.values.standarized.version" (dict "context" $) }}
*/}}
{{- define "common.redis.values.standarized.version" -}}
{{- $standarizedAuth := printf "%s%s" (include "common.redis.values.keys.prefix" .) "auth" -}}
{{- $standarizedAuthValues := include "common.utils.getValueFromKey" (dict "key" $standarizedAuth "context" .context) }}
{{- if $standarizedAuthValues -}}
{{- true -}}
{{- end -}}
{{- end -}}

46
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/charts/common/templates/validations/_validations.tpl Normal file
View File

@@ -0,0 +1,46 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Validate values must not be empty.
Usage:
{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}}
{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}}
{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }}
Validate value params:
- valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password"
- secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret"
- field - String - Optional. Name of the field in the secret data, e.g: "mysql-password"
*/}}
{{- define "common.validations.values.multiple.empty" -}}
{{- range .required -}}
{{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}}
{{- end -}}
{{- end -}}
{{/*
Validate a value must not be empty.
Usage:
{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }}
Validate value params:
- valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password"
- secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret"
- field - String - Optional. Name of the field in the secret data, e.g: "mysql-password"
- subchart - String - Optional - Name of the subchart that the validated password is part of.
*/}}
{{- define "common.validations.values.single.empty" -}}
{{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }}
{{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }}
{{- if not $value -}}
{{- $varname := "my-value" -}}
{{- $getCurrentValue := "" -}}
{{- if and .secret .field -}}
{{- $varname = include "common.utils.fieldToEnvVar" . -}}
{{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}}
{{- end -}}
{{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}}
{{- end -}}
{{- end -}}

5
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/charts/common/values.yaml Normal file
View File

@@ -0,0 +1,5 @@
## bitnami/common
## It is required by CI/CD tools and processes.
## @skip exampleValue
##
exampleValue: common-chart

91
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,91 @@
CHART NAME: {{ .Chart.Name }}
CHART VERSION: {{ .Chart.Version }}
APP VERSION: {{ .Chart.AppVersion }}
** Please be patient while the chart is being deployed **
{{- if .Values.diagnosticMode.enabled }}
The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with:
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }}
Get the list of pods by executing:
kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }}
Access the pod you want to debug by executing
kubectl exec --namespace {{ .Release.Namespace }} -ti <NAME OF THE POD> -- /opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash
In order to replicate the container startup scripts execute this command:
/opt/bitnami/scripts/postgresql/entrypoint.sh /opt/bitnami/scripts/postgresql/run.sh
{{- else }}
PostgreSQL can be accessed via port {{ include "postgresql.service.port" . }} on the following DNS names from within your cluster:
{{ include "postgresql.primary.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read/Write connection
{{- if eq .Values.architecture "replication" }}
{{ include "postgresql.readReplica.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read only connection
{{- end }}
{{- $customUser := include "postgresql.username" . }}
{{- if and (not (empty $customUser)) (ne $customUser "postgres") .Values.auth.enablePostgresUser }}
To get the password for "postgres" run:
export POSTGRES_ADMIN_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.secretName" . }} -o jsonpath="{.data.{{include "postgresql.adminPasswordKey" .}}}" | base64 -d)
To get the password for "{{ $customUser }}" run:
export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.secretName" . }} -o jsonpath="{.data.{{include "postgresql.userPasswordKey" .}}}" | base64 -d)
{{- else }}
To get the password for "{{ default "postgres" $customUser }}" run:
export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.secretName" . }} -o jsonpath="{.data.{{ ternary "password" (include "postgresql.adminPasswordKey" .) (and (not (empty $customUser)) (ne $customUser "postgres")) }}}" | base64 -d)
{{- end }}
To connect to your database run the following command:
kubectl run {{ include "common.names.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ include "postgresql.image" . }} --env="PGPASSWORD=$POSTGRES_PASSWORD" \
--command -- psql --host {{ include "postgresql.primary.fullname" . }} -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.service.port" . }}
> NOTE: If you access the container using bash, make sure that you execute "/opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash" in order to avoid the error "psql: local user with ID {{ .Values.primary.containerSecurityContext.runAsUser }}} does not exist"
To connect to your database from outside the cluster execute the following commands:
{{- if contains "NodePort" .Values.primary.service.type }}
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "postgresql.primary.fullname" . }})
PGPASSWORD="$POSTGRES_PASSWORD" psql --host $NODE_IP --port $NODE_PORT -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }}
{{- else if contains "LoadBalancer" .Values.primary.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ include "postgresql.primary.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "postgresql.primary.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}")
PGPASSWORD="$POSTGRES_PASSWORD" psql --host $SERVICE_IP --port {{ include "postgresql.service.port" . }} -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }}
{{- else if contains "ClusterIP" .Values.primary.service.type }}
kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "postgresql.primary.fullname" . }} {{ include "postgresql.service.port" . }}:{{ include "postgresql.service.port" . }} &
PGPASSWORD="$POSTGRES_PASSWORD" psql --host 127.0.0.1 -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.service.port" . }}
{{- end }}
{{- end }}
WARNING: The configured password will be ignored on new installation in case when previous Posgresql release was deleted through the helm command. In that case, old PVC will have an old password, and setting it through helm won't take effect. Deleting persistent volumes (PVs) will solve the issue.
{{- include "postgresql.validateValues" . -}}
{{- include "common.warnings.rollingTag" .Values.image -}}
{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }}

399
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,399 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Create a default fully qualified app name for PostgreSQL Primary objects
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "postgresql.primary.fullname" -}}
{{- if eq .Values.architecture "replication" }}
{{- printf "%s-%s" (include "common.names.fullname" .) .Values.primary.name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- include "common.names.fullname" . -}}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified app name for PostgreSQL read-only replicas objects
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "postgresql.readReplica.fullname" -}}
{{- printf "%s-%s" (include "common.names.fullname" .) .Values.readReplicas.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the default FQDN for PostgreSQL primary headless service
We truncate at 63 chars because of the DNS naming spec.
*/}}
{{- define "postgresql.primary.svc.headless" -}}
{{- printf "%s-hl" (include "postgresql.primary.fullname" .) | trunc 63 | trimSuffix "-" }}
{{- end -}}
{{/*
Create the default FQDN for PostgreSQL read-only replicas headless service
We truncate at 63 chars because of the DNS naming spec.
*/}}
{{- define "postgresql.readReplica.svc.headless" -}}
{{- printf "%s-hl" (include "postgresql.readReplica.fullname" .) | trunc 63 | trimSuffix "-" }}
{{- end -}}
{{/*
Return the proper PostgreSQL image name
*/}}
{{- define "postgresql.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper PostgreSQL metrics image name
*/}}
{{- define "postgresql.metrics.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper image name (for the init container volume-permissions image)
*/}}
{{- define "postgresql.volumePermissions.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
*/}}
{{- define "postgresql.imagePullSecrets" -}}
{{ include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image) "global" .Values.global) }}
{{- end -}}
{{/*
Return the name for a custom user to create
*/}}
{{- define "postgresql.username" -}}
{{- if .Values.global.postgresql.auth.username }}
{{- .Values.global.postgresql.auth.username -}}
{{- else -}}
{{- .Values.auth.username -}}
{{- end -}}
{{- end -}}
{{/*
Return the name for a custom database to create
*/}}
{{- define "postgresql.database" -}}
{{- if .Values.global.postgresql.auth.database }}
{{- printf "%s" (tpl .Values.global.postgresql.auth.database $) -}}
{{- else if .Values.auth.database -}}
{{- printf "%s" (tpl .Values.auth.database $) -}}
{{- end -}}
{{- end -}}
{{/*
Get the password secret.
*/}}
{{- define "postgresql.secretName" -}}
{{- if .Values.global.postgresql.auth.existingSecret }}
{{- printf "%s" (tpl .Values.global.postgresql.auth.existingSecret $) -}}
{{- else if .Values.auth.existingSecret -}}
{{- printf "%s" (tpl .Values.auth.existingSecret $) -}}
{{- else -}}
{{- printf "%s" (include "common.names.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Get the replication-password key.
*/}}
{{- define "postgresql.replicationPasswordKey" -}}
{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret }}
{{- if .Values.global.postgresql.auth.secretKeys.replicationPasswordKey }}
{{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.replicationPasswordKey $) -}}
{{- else if .Values.auth.secretKeys.replicationPasswordKey -}}
{{- printf "%s" (tpl .Values.auth.secretKeys.replicationPasswordKey $) -}}
{{- else -}}
{{- "replication-password" -}}
{{- end -}}
{{- else -}}
{{- "replication-password" -}}
{{- end -}}
{{- end -}}
{{/*
Get the admin-password key.
*/}}
{{- define "postgresql.adminPasswordKey" -}}
{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret }}
{{- if .Values.global.postgresql.auth.secretKeys.adminPasswordKey }}
{{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.adminPasswordKey $) -}}
{{- else if .Values.auth.secretKeys.adminPasswordKey -}}
{{- printf "%s" (tpl .Values.auth.secretKeys.adminPasswordKey $) -}}
{{- end -}}
{{- else -}}
{{- "postgres-password" -}}
{{- end -}}
{{- end -}}
{{/*
Get the user-password key.
*/}}
{{- define "postgresql.userPasswordKey" -}}
{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret }}
{{- if or (empty (include "postgresql.username" .)) (eq (include "postgresql.username" .) "postgres") }}
{{- printf "%s" (include "postgresql.adminPasswordKey" .) -}}
{{- else -}}
{{- if .Values.global.postgresql.auth.secretKeys.userPasswordKey }}
{{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.userPasswordKey $) -}}
{{- else if .Values.auth.secretKeys.userPasswordKey -}}
{{- printf "%s" (tpl .Values.auth.secretKeys.userPasswordKey $) -}}
{{- end -}}
{{- end -}}
{{- else -}}
{{- ternary "password" "postgres-password" (and (not (empty (include "postgresql.username" .))) (ne (include "postgresql.username" .) "postgres")) -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a secret object should be created
*/}}
{{- define "postgresql.createSecret" -}}
{{- if not (or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret) -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Return PostgreSQL service port
*/}}
{{- define "postgresql.service.port" -}}
{{- if .Values.global.postgresql.service.ports.postgresql }}
{{- .Values.global.postgresql.service.ports.postgresql -}}
{{- else -}}
{{- .Values.primary.service.ports.postgresql -}}
{{- end -}}
{{- end -}}
{{/*
Return PostgreSQL service port
*/}}
{{- define "postgresql.readReplica.service.port" -}}
{{- if .Values.global.postgresql.service.ports.postgresql }}
{{- .Values.global.postgresql.service.ports.postgresql -}}
{{- else -}}
{{- .Values.readReplicas.service.ports.postgresql -}}
{{- end -}}
{{- end -}}
{{/*
Get the PostgreSQL primary configuration ConfigMap name.
*/}}
{{- define "postgresql.primary.configmapName" -}}
{{- if .Values.primary.existingConfigmap -}}
{{- printf "%s" (tpl .Values.primary.existingConfigmap $) -}}
{{- else -}}
{{- printf "%s-configuration" (include "postgresql.primary.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a configmap object should be created for PostgreSQL primary with the configuration
*/}}
{{- define "postgresql.primary.createConfigmap" -}}
{{- if and (or .Values.primary.configuration .Values.primary.pgHbaConfiguration) (not .Values.primary.existingConfigmap) }}
{{- true -}}
{{- else -}}
{{- end -}}
{{- end -}}
{{/*
Get the PostgreSQL primary extended configuration ConfigMap name.
*/}}
{{- define "postgresql.primary.extendedConfigmapName" -}}
{{- if .Values.primary.existingExtendedConfigmap -}}
{{- printf "%s" (tpl .Values.primary.existingExtendedConfigmap $) -}}
{{- else -}}
{{- printf "%s-extended-configuration" (include "postgresql.primary.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Get the PostgreSQL read replica extended configuration ConfigMap name.
*/}}
{{- define "postgresql.readReplicas.extendedConfigmapName" -}}
{{- printf "%s-extended-configuration" (include "postgresql.readReplica.fullname" .) -}}
{{- end -}}
{{/*
Return true if a configmap object should be created for PostgreSQL primary with the extended configuration
*/}}
{{- define "postgresql.primary.createExtendedConfigmap" -}}
{{- if and .Values.primary.extendedConfiguration (not .Values.primary.existingExtendedConfigmap) }}
{{- true -}}
{{- else -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a configmap object should be created for PostgreSQL read replica with the extended configuration
*/}}
{{- define "postgresql.readReplicas.createExtendedConfigmap" -}}
{{- if .Values.readReplicas.extendedConfiguration }}
{{- true -}}
{{- else -}}
{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "postgresql.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Return true if a configmap should be mounted with PostgreSQL configuration
*/}}
{{- define "postgresql.mountConfigurationCM" -}}
{{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Get the initialization scripts ConfigMap name.
*/}}
{{- define "postgresql.initdb.scriptsCM" -}}
{{- if .Values.primary.initdb.scriptsConfigMap -}}
{{- printf "%s" (tpl .Values.primary.initdb.scriptsConfigMap $) -}}
{{- else -}}
{{- printf "%s-init-scripts" (include "postgresql.primary.fullname" .) -}}
{{- end -}}
{{- end -}}
{/*
Return true if TLS is enabled for LDAP connection
*/}}
{{- define "postgresql.ldap.tls.enabled" -}}
{{- if and (kindIs "string" .Values.ldap.tls) (not (empty .Values.ldap.tls)) }}
{{- true -}}
{{- else if and (kindIs "map" .Values.ldap.tls) .Values.ldap.tls.enabled }}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Get the readiness probe command
*/}}
{{- define "postgresql.readinessProbeCommand" -}}
{{- $customUser := include "postgresql.username" . }}
- |
{{- if (include "postgresql.database" .) }}
exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if .Values.tls.enabled }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
{{- else }}
exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if .Values.tls.enabled }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
{{- end }}
{{- if contains "bitnami/" .Values.image.repository }}
[ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
{{- end -}}
{{- end -}}
{{/*
Compile all warnings into a single message, and call fail.
*/}}
{{- define "postgresql.validateValues" -}}
{{- $messages := list -}}
{{- $messages := append $messages (include "postgresql.validateValues.ldapConfigurationMethod" .) -}}
{{- $messages := append $messages (include "postgresql.validateValues.psp" .) -}}
{{- $messages := without $messages "" -}}
{{- $message := join "\n" $messages -}}
{{- if $message -}}
{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
{{- end -}}
{{- end -}}
{{/*
Validate values of Postgresql - If ldap.url is used then you don't need the other settings for ldap
*/}}
{{- define "postgresql.validateValues.ldapConfigurationMethod" -}}
{{- if and .Values.ldap.enabled (and (not (empty .Values.ldap.url)) (not (empty .Values.ldap.server))) }}
postgresql: ldap.url, ldap.server
You cannot set both `ldap.url` and `ldap.server` at the same time.
Please provide a unique way to configure LDAP.
More info at https://www.postgresql.org/docs/current/auth-ldap.html
{{- end -}}
{{- end -}}
{{/*
Validate values of Postgresql - If PSP is enabled RBAC should be enabled too
*/}}
{{- define "postgresql.validateValues.psp" -}}
{{- if and .Values.psp.create (not .Values.rbac.create) }}
postgresql: psp.create, rbac.create
RBAC should be enabled if PSP is enabled in order for PSP to work.
More info at https://kubernetes.io/docs/concepts/policy/pod-security-policy/#authorizing-policies
{{- end -}}
{{- end -}}
{{/*
Return the path to the cert file.
*/}}
{{- define "postgresql.tlsCert" -}}
{{- if .Values.tls.autoGenerated }}
{{- printf "/opt/bitnami/postgresql/certs/tls.crt" -}}
{{- else -}}
{{- required "Certificate filename is required when TLS in enabled" .Values.tls.certFilename | printf "/opt/bitnami/postgresql/certs/%s" -}}
{{- end -}}
{{- end -}}
{{/*
Return the path to the cert key file.
*/}}
{{- define "postgresql.tlsCertKey" -}}
{{- if .Values.tls.autoGenerated }}
{{- printf "/opt/bitnami/postgresql/certs/tls.key" -}}
{{- else -}}
{{- required "Certificate Key filename is required when TLS in enabled" .Values.tls.certKeyFilename | printf "/opt/bitnami/postgresql/certs/%s" -}}
{{- end -}}
{{- end -}}
{{/*
Return the path to the CA cert file.
*/}}
{{- define "postgresql.tlsCACert" -}}
{{- if .Values.tls.autoGenerated }}
{{- printf "/opt/bitnami/postgresql/certs/ca.crt" -}}
{{- else -}}
{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.certCAFilename -}}
{{- end -}}
{{- end -}}
{{/*
Return the path to the CRL file.
*/}}
{{- define "postgresql.tlsCRL" -}}
{{- if .Values.tls.crlFilename -}}
{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.crlFilename -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a TLS credentials secret object should be created
*/}}
{{- define "postgresql.createTlsSecret" -}}
{{- if and .Values.tls.autoGenerated (not .Values.tls.certificatesSecret) }}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Return the path to the CA cert file.
*/}}
{{- define "postgresql.tlsSecretName" -}}
{{- if .Values.tls.autoGenerated }}
{{- printf "%s-crt" (include "common.names.fullname" .) -}}
{{- else -}}
{{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.tls.certificatesSecret }}
{{- end -}}
{{- end -}}

4
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/templates/extra-list.yaml Normal file
View File

@@ -0,0 +1,4 @@
{{- range .Values.extraDeploy }}
---
{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
{{- end }}

32
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/templates/networkpolicy-egress.yaml Normal file
View File

@@ -0,0 +1,32 @@
{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.egressRules.denyConnectionsToExternal .Values.networkPolicy.egressRules.customRules) }}
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
kind: NetworkPolicy
metadata:
name: {{ printf "%s-egress" (include "common.names.fullname" .) }}
namespace: {{ .Release.Namespace }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
podSelector:
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
policyTypes:
- Egress
egress:
{{- if .Values.networkPolicy.egressRules.denyConnectionsToExternal }}
- ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
- to:
- namespaceSelector: {}
{{- end }}
{{- if .Values.networkPolicy.egressRules.customRules }}
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.egressRules.customRules "context" $) | nindent 4 }}
{{- end }}
{{- end }}

24
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/templates/primary/configmap.yaml Normal file
View File

@@ -0,0 +1,24 @@
{{- if (include "postgresql.primary.createConfigmap" .) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-configuration" (include "postgresql.primary.fullname" .) }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: primary
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
{{- if .Values.primary.configuration }}
postgresql.conf: |-
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.configuration "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.primary.pgHbaConfiguration }}
pg_hba.conf: |
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.pgHbaConfiguration "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}

18
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/templates/primary/extended-configmap.yaml Normal file
View File

@@ -0,0 +1,18 @@
{{- if (include "postgresql.primary.createExtendedConfigmap" .) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-extended-configuration" (include "postgresql.primary.fullname" .) }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: primary
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
override.conf: |-
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.extendedConfiguration "context" $ ) | nindent 4 }}
{{- end }}

15
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/templates/primary/initialization-configmap.yaml Normal file
View File

@@ -0,0 +1,15 @@
{{- if and .Values.primary.initdb.scripts (not .Values.primary.initdb.scriptsConfigMap) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-init-scripts" (include "postgresql.primary.fullname" .) }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data: {{- include "common.tplvalues.render" (dict "value" .Values.primary.initdb.scripts "context" .) | nindent 2 }}
{{- end }}

16
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/templates/primary/metrics-configmap.yaml Normal file
View File

@@ -0,0 +1,16 @@
{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-metrics" (include "postgresql.primary.fullname" .) }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }}
{{- end }}

33
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/templates/primary/metrics-svc.yaml Normal file
View File

@@ -0,0 +1,33 @@
{{- if .Values.metrics.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ printf "%s-metrics" (include "postgresql.primary.fullname" .) }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: metrics
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if or .Values.commonAnnotations .Values.metrics.service.annotations }}
annotations:
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.metrics.service.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.metrics.service.annotations "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
spec:
type: ClusterIP
sessionAffinity: {{ .Values.metrics.service.sessionAffinity }}
{{- if .Values.metrics.service.clusterIP }}
clusterIP: {{ .Values.metrics.service.clusterIP }}
{{- end }}
ports:
- name: http-metrics
port: {{ .Values.metrics.service.ports.metrics }}
targetPort: http-metrics
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: primary
{{- end }}

57
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/templates/primary/networkpolicy.yaml Normal file
View File

@@ -0,0 +1,57 @@
{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.metrics.enabled .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled) }}
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
kind: NetworkPolicy
metadata:
name: {{ printf "%s-ingress" (include "postgresql.primary.fullname" .) }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: primary
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
podSelector:
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: primary
ingress:
{{- if and .Values.metrics.enabled .Values.networkPolicy.metrics.enabled (or .Values.networkPolicy.metrics.namespaceSelector .Values.networkPolicy.metrics.podSelector) }}
- from:
{{- if .Values.networkPolicy.metrics.namespaceSelector }}
- namespaceSelector:
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.namespaceSelector "context" $) | nindent 14 }}
{{- end }}
{{- if .Values.networkPolicy.metrics.podSelector }}
- podSelector:
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.podSelector "context" $) | nindent 14 }}
{{- end }}
ports:
- port: {{ .Values.metrics.containerPorts.metrics }}
{{- end }}
{{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector) }}
- from:
{{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector }}
- namespaceSelector:
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }}
{{- end }}
{{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector }}
- podSelector:
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector "context" $) | nindent 14 }}
{{- end }}
ports:
- port: {{ .Values.containerPorts.postgresql }}
{{- end }}
{{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (eq .Values.architecture "replication") }}
- from:
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" . | nindent 14 }}
app.kubernetes.io/component: read
ports:
- port: {{ .Values.containerPorts.postgresql }}
{{- end }}
{{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules }}
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules "context" $) | nindent 4 }}
{{- end }}
{{- end }}

48
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/templates/primary/servicemonitor.yaml Normal file
View File

@@ -0,0 +1,48 @@
{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "postgresql.primary.fullname" . }}
namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: metrics
{{- if .Values.metrics.serviceMonitor.labels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.labels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if .Values.metrics.serviceMonitor.jobLabel }}
jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }}
{{- end }}
selector:
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
{{- if .Values.metrics.serviceMonitor.selector }}
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }}
{{- end }}
app.kubernetes.io/component: metrics
endpoints:
- port: http-metrics
{{- if .Values.metrics.serviceMonitor.interval }}
interval: {{ .Values.metrics.serviceMonitor.interval }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.relabelings }}
relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 6 }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.metricRelabelings }}
metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 6 }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.honorLabels }}
honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
{{- end }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace | quote }}
{{- end }}

640
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/templates/primary/statefulset.yaml Normal file
View File

@@ -0,0 +1,640 @@
{{- $customUser := include "postgresql.username" . }}
apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
kind: StatefulSet
metadata:
name: {{ include "postgresql.primary.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: primary
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.primary.labels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.labels "context" $ ) | nindent 4 }}
{{- end }}
{{- if or .Values.commonAnnotations .Values.primary.annotations }}
annotations:
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.primary.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.annotations "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
spec:
replicas: 1
serviceName: {{ include "postgresql.primary.svc.headless" . }}
{{- if .Values.primary.updateStrategy }}
updateStrategy: {{- toYaml .Values.primary.updateStrategy | nindent 4 }}
{{- end }}
selector:
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: primary
template:
metadata:
name: {{ include "postgresql.primary.fullname" . }}
labels: {{- include "common.labels.standard" . | nindent 8 }}
app.kubernetes.io/component: primary
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }}
{{- end }}
{{- if .Values.primary.podLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.podLabels "context" $ ) | nindent 8 }}
{{- end }}
{{- if or (include "postgresql.primary.createConfigmap" .) (include "postgresql.primary.createExtendedConfigmap" .) .Values.primary.podAnnotations }}
annotations:
{{- if (include "postgresql.primary.createConfigmap" .) }}
checksum/configuration: {{ include (print $.Template.BasePath "/primary/configmap.yaml") . | sha256sum }}
{{- end }}
{{- if (include "postgresql.primary.createExtendedConfigmap" .) }}
checksum/extended-configuration: {{ include (print $.Template.BasePath "/primary/extended-configmap.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.primary.podAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.podAnnotations "context" $ ) | nindent 8 }}
{{- end }}
{{- end }}
spec:
{{- if .Values.primary.extraPodSpec }}
{{- include "common.tplvalues.render" (dict "value" .Values.primary.extraPodSpec "context" $) | nindent 6 }}
{{- end }}
serviceAccountName: {{ include "postgresql.serviceAccountName" . }}
{{- include "postgresql.imagePullSecrets" . | nindent 6 }}
{{- if .Values.primary.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.primary.hostAliases "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.primary.affinity }}
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.primary.affinity "context" $) | nindent 8 }}
{{- else }}
affinity:
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAffinityPreset "component" "primary" "context" $) | nindent 10 }}
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAntiAffinityPreset "component" "primary" "context" $) | nindent 10 }}
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.primary.nodeAffinityPreset.type "key" .Values.primary.nodeAffinityPreset.key "values" .Values.primary.nodeAffinityPreset.values) | nindent 10 }}
{{- end }}
{{- if .Values.primary.nodeSelector }}
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.primary.tolerations }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.tolerations "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.primary.topologySpreadConstraints }}
topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.primary.topologySpreadConstraints "context" .) | nindent 8 }}
{{- end }}
{{- if .Values.primary.priorityClassName }}
priorityClassName: {{ .Values.primary.priorityClassName }}
{{- end }}
{{- if .Values.primary.schedulerName }}
schedulerName: {{ .Values.primary.schedulerName | quote }}
{{- end }}
{{- if .Values.primary.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ .Values.primary.terminationGracePeriodSeconds }}
{{- end }}
{{- if .Values.primary.podSecurityContext.enabled }}
securityContext: {{- omit .Values.primary.podSecurityContext "enabled" | toYaml | nindent 8 }}
{{- end }}
hostNetwork: {{ .Values.primary.hostNetwork }}
hostIPC: {{ .Values.primary.hostIPC }}
{{- if or (and .Values.tls.enabled (not .Values.volumePermissions.enabled)) (and .Values.volumePermissions.enabled (or .Values.primary.persistence.enabled .Values.shmVolume.enabled)) .Values.primary.initContainers }}
initContainers:
{{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }}
- name: copy-certs
image: {{ include "postgresql.volumePermissions.image" . }}
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
{{- if .Values.primary.resources }}
resources: {{- toYaml .Values.primary.resources | nindent 12 }}
{{- end }}
# We don't require a privileged container in this case
{{- if .Values.primary.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
command:
- /bin/sh
- -ec
- |
cp /tmp/certs/* /opt/bitnami/postgresql/certs/
chmod 600 {{ include "postgresql.tlsCertKey" . }}
volumeMounts:
- name: raw-certificates
mountPath: /tmp/certs
- name: postgresql-certificates
mountPath: /opt/bitnami/postgresql/certs
{{- else if and .Values.volumePermissions.enabled (or .Values.primary.persistence.enabled .Values.shmVolume.enabled) }}
- name: init-chmod-data
image: {{ include "postgresql.volumePermissions.image" . }}
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
{{- if .Values.volumePermissions.resources }}
resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
{{- end }}
command:
- /bin/sh
- -ec
- |
{{- if .Values.primary.persistence.enabled }}
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.primary.persistence.mountPath }}
{{- else }}
chown {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} {{ .Values.primary.persistence.mountPath }}
{{- end }}
mkdir -p {{ .Values.primary.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.primary.persistence.mountPath }}/conf {{- end }}
chmod 700 {{ .Values.primary.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.primary.persistence.mountPath }}/conf {{- end }}
find {{ .Values.primary.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
xargs -r chown -R `id -u`:`id -G | cut -d " " -f2`
{{- else }}
xargs -r chown -R {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }}
{{- end }}
{{- end }}
{{- if .Values.shmVolume.enabled }}
chmod -R 777 /dev/shm
{{- end }}
{{- if .Values.tls.enabled }}
cp /tmp/certs/* /opt/bitnami/postgresql/certs/
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/
{{- else }}
chown -R {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} /opt/bitnami/postgresql/certs/
{{- end }}
chmod 600 {{ include "postgresql.tlsCertKey" . }}
{{- end }}
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }}
{{- else }}
securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }}
{{- end }}
volumeMounts:
{{- if .Values.primary.persistence.enabled }}
- name: data
mountPath: {{ .Values.primary.persistence.mountPath }}
{{- if .Values.primary.persistence.subPath }}
subPath: {{ .Values.primary.persistence.subPath }}
{{- end }}
{{- end }}
{{- if .Values.shmVolume.enabled }}
- name: dshm
mountPath: /dev/shm
{{- end }}
{{- if .Values.tls.enabled }}
- name: raw-certificates
mountPath: /tmp/certs
- name: postgresql-certificates
mountPath: /opt/bitnami/postgresql/certs
{{- end }}
{{- end }}
{{- if .Values.primary.initContainers }}
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.initContainers "context" $ ) | nindent 8 }}
{{- end }}
{{- end }}
containers:
- name: postgresql
image: {{ include "postgresql.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.primary.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
{{- if .Values.diagnosticMode.enabled }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
{{- else if .Values.primary.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.primary.command "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.diagnosticMode.enabled }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
{{- else if .Values.primary.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.primary.args "context" $) | nindent 12 }}
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }}
- name: POSTGRESQL_PORT_NUMBER
value: {{ .Values.containerPorts.postgresql | quote }}
- name: POSTGRESQL_VOLUME_DIR
value: {{ .Values.primary.persistence.mountPath | quote }}
{{- if .Values.primary.persistence.mountPath }}
- name: PGDATA
value: {{ .Values.postgresqlDataDir | quote }}
{{- end }}
# Authentication
{{- if and (not (empty $customUser)) (ne $customUser "postgres") }}
- name: POSTGRES_USER
value: {{ $customUser | quote }}
{{- if .Values.auth.enablePostgresUser }}
{{- if .Values.auth.usePasswordFiles }}
- name: POSTGRES_POSTGRES_PASSWORD_FILE
value: "/opt/bitnami/postgresql/secrets/postgres-password"
{{- else }}
- name: POSTGRES_POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "postgresql.secretName" . }}
key: {{ include "postgresql.adminPasswordKey" . }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.auth.usePasswordFiles }}
- name: POSTGRES_PASSWORD_FILE
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres"))) }}
{{- else }}
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "postgresql.secretName" . }}
key: {{ include "postgresql.userPasswordKey" . }}
{{- end }}
{{- if (include "postgresql.database" .) }}
- name: POSTGRES_DB
value: {{ (include "postgresql.database" .) | quote }}
{{- end }}
# Replication
{{- if or (eq .Values.architecture "replication") .Values.primary.standby.enabled }}
- name: POSTGRES_REPLICATION_MODE
value: {{ ternary "slave" "master" .Values.primary.standby.enabled | quote }}
- name: POSTGRES_REPLICATION_USER
value: {{ .Values.auth.replicationUsername | quote }}
{{- if .Values.auth.usePasswordFiles }}
- name: POSTGRES_REPLICATION_PASSWORD_FILE
value: "/opt/bitnami/postgresql/secrets/replication-password"
{{- else }}
- name: POSTGRES_REPLICATION_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "postgresql.secretName" . }}
key: {{ include "postgresql.replicationPasswordKey" . }}
{{- end }}
{{- if not (eq .Values.replication.synchronousCommit "off") }}
- name: POSTGRES_SYNCHRONOUS_COMMIT_MODE
value: {{ .Values.replication.synchronousCommit | quote }}
- name: POSTGRES_NUM_SYNCHRONOUS_REPLICAS
value: {{ .Values.replication.numSynchronousReplicas | quote }}
{{- end }}
- name: POSTGRES_CLUSTER_APP_NAME
value: {{ .Values.replication.applicationName }}
{{- end }}
# Initdb
{{- if .Values.primary.initdb.args }}
- name: POSTGRES_INITDB_ARGS
value: {{ .Values.primary.initdb.args | quote }}
{{- end }}
{{- if .Values.primary.initdb.postgresqlWalDir }}
- name: POSTGRES_INITDB_WALDIR
value: {{ .Values.primary.initdb.postgresqlWalDir | quote }}
{{- end }}
{{- if .Values.primary.initdb.user }}
- name: POSTGRESQL_INITSCRIPTS_USERNAME
value: {{ .Values.primary.initdb.user }}
{{- end }}
{{- if .Values.primary.initdb.password }}
- name: POSTGRESQL_INITSCRIPTS_PASSWORD
value: {{ .Values.primary.initdb.password | quote }}
{{- end }}
# Standby
{{- if .Values.primary.standby.enabled }}
- name: POSTGRES_MASTER_HOST
value: {{ .Values.primary.standby.primaryHost }}
- name: POSTGRES_MASTER_PORT_NUMBER
value: {{ .Values.primary.standby.primaryPort | quote }}
{{- end }}
# LDAP
- name: POSTGRESQL_ENABLE_LDAP
value: {{ ternary "yes" "no" .Values.ldap.enabled | quote }}
{{- if .Values.ldap.enabled }}
{{- if or .Values.ldap.url .Values.ldap.uri }}
- name: POSTGRESQL_LDAP_URL
value: {{ coalesce .Values.ldap.url .Values.ldap.uri }}
{{- else }}
- name: POSTGRESQL_LDAP_SERVER
value: {{ .Values.ldap.server }}
- name: POSTGRESQL_LDAP_PORT
value: {{ .Values.ldap.port | quote }}
- name: POSTGRESQL_LDAP_SCHEME
value: {{ .Values.ldap.scheme }}
{{- if (include "postgresql.ldap.tls.enabled" .) }}
- name: POSTGRESQL_LDAP_TLS
value: "1"
{{- end }}
- name: POSTGRESQL_LDAP_PREFIX
value: {{ .Values.ldap.prefix | quote }}
- name: POSTGRESQL_LDAP_SUFFIX
value: {{ .Values.ldap.suffix | quote }}
- name: POSTGRESQL_LDAP_BASE_DN
value: {{ coalesce .Values.ldap.baseDN .Values.ldap.basedn }}
- name: POSTGRESQL_LDAP_BIND_DN
value: {{ coalesce .Values.ldap.bindDN .Values.ldap.binddn}}
{{- if or (not (empty .Values.ldap.bind_password)) (not (empty .Values.ldap.bindpw)) }}
- name: POSTGRESQL_LDAP_BIND_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "postgresql.secretName" . }}
key: ldap-password
{{- end }}
- name: POSTGRESQL_LDAP_SEARCH_ATTR
value: {{ coalesce .Values.ldap.search_attr .Values.ldap.searchAttribute }}
- name: POSTGRESQL_LDAP_SEARCH_FILTER
value: {{ coalesce .Values.ldap.search_filter .Values.ldap.searchFilter }}
{{- end }}
{{- end }}
# TLS
- name: POSTGRESQL_ENABLE_TLS
value: {{ ternary "yes" "no" .Values.tls.enabled | quote }}
{{- if .Values.tls.enabled }}
- name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS
value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }}
- name: POSTGRESQL_TLS_CERT_FILE
value: {{ include "postgresql.tlsCert" . }}
- name: POSTGRESQL_TLS_KEY_FILE
value: {{ include "postgresql.tlsCertKey" . }}
{{- if .Values.tls.certCAFilename }}
- name: POSTGRESQL_TLS_CA_FILE
value: {{ include "postgresql.tlsCACert" . }}
{{- end }}
{{- if .Values.tls.crlFilename }}
- name: POSTGRESQL_TLS_CRL_FILE
value: {{ include "postgresql.tlsCRL" . }}
{{- end }}
{{- end }}
# Audit
- name: POSTGRESQL_LOG_HOSTNAME
value: {{ .Values.audit.logHostname | quote }}
- name: POSTGRESQL_LOG_CONNECTIONS
value: {{ .Values.audit.logConnections | quote }}
- name: POSTGRESQL_LOG_DISCONNECTIONS
value: {{ .Values.audit.logDisconnections | quote }}
{{- if .Values.audit.logLinePrefix }}
- name: POSTGRESQL_LOG_LINE_PREFIX
value: {{ .Values.audit.logLinePrefix | quote }}
{{- end }}
{{- if .Values.audit.logTimezone }}
- name: POSTGRESQL_LOG_TIMEZONE
value: {{ .Values.audit.logTimezone | quote }}
{{- end }}
{{- if .Values.audit.pgAuditLog }}
- name: POSTGRESQL_PGAUDIT_LOG
value: {{ .Values.audit.pgAuditLog | quote }}
{{- end }}
- name: POSTGRESQL_PGAUDIT_LOG_CATALOG
value: {{ .Values.audit.pgAuditLogCatalog | quote }}
# Others
- name: POSTGRESQL_CLIENT_MIN_MESSAGES
value: {{ .Values.audit.clientMinMessages | quote }}
- name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES
value: {{ .Values.postgresqlSharedPreloadLibraries | quote }}
{{- if .Values.primary.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.primary.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
{{- if or .Values.primary.extraEnvVarsCM .Values.primary.extraEnvVarsSecret }}
envFrom:
{{- if .Values.primary.extraEnvVarsCM }}
- configMapRef:
name: {{ .Values.primary.extraEnvVarsCM }}
{{- end }}
{{- if .Values.primary.extraEnvVarsSecret }}
- secretRef:
name: {{ .Values.primary.extraEnvVarsSecret }}
{{- end }}
{{- end }}
ports:
- name: tcp-postgresql
containerPort: {{ .Values.containerPorts.postgresql }}
{{- if not .Values.diagnosticMode.enabled }}
{{- if .Values.primary.customStartupProbe }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customStartupProbe "context" $) | nindent 12 }}
{{- else if .Values.primary.startupProbe.enabled }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.startupProbe "enabled") "context" $) | nindent 12 }}
exec:
command:
- /bin/sh
- -c
{{- if (include "postgresql.database" .) }}
- exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
{{- else }}
- exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
{{- end }}
{{- end }}
{{- if .Values.primary.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customLivenessProbe "context" $) | nindent 12 }}
{{- else if .Values.primary.livenessProbe.enabled }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.livenessProbe "enabled") "context" $) | nindent 12 }}
exec:
command:
- /bin/sh
- -c
{{- if (include "postgresql.database" .) }}
- exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
{{- else }}
- exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
{{- end }}
{{- end }}
{{- if .Values.primary.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customReadinessProbe "context" $) | nindent 12 }}
{{- else if .Values.primary.readinessProbe.enabled }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.readinessProbe "enabled") "context" $) | nindent 12 }}
exec:
command:
- /bin/sh
- -c
- -e
{{- include "postgresql.readinessProbeCommand" . | nindent 16 }}
{{- end }}
{{- end }}
{{- if .Values.primary.resources }}
resources: {{- toYaml .Values.primary.resources | nindent 12 }}
{{- end }}
{{- if .Values.primary.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.primary.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
volumeMounts:
{{- if or .Values.primary.initdb.scriptsConfigMap .Values.primary.initdb.scripts }}
- name: custom-init-scripts
mountPath: /docker-entrypoint-initdb.d/
{{- end }}
{{- if .Values.primary.initdb.scriptsSecret }}
- name: custom-init-scripts-secret
mountPath: /docker-entrypoint-initdb.d/secret
{{- end }}
{{- if or .Values.primary.extendedConfiguration .Values.primary.existingExtendedConfigmap }}
- name: postgresql-extended-config
mountPath: /bitnami/postgresql/conf/conf.d/
{{- end }}
{{- if .Values.auth.usePasswordFiles }}
- name: postgresql-password
mountPath: /opt/bitnami/postgresql/secrets/
{{- end }}
{{- if .Values.tls.enabled }}
- name: postgresql-certificates
mountPath: /opt/bitnami/postgresql/certs
readOnly: true
{{- end }}
{{- if .Values.shmVolume.enabled }}
- name: dshm
mountPath: /dev/shm
{{- end }}
{{- if .Values.primary.persistence.enabled }}
- name: data
mountPath: {{ .Values.primary.persistence.mountPath }}
{{- if .Values.primary.persistence.subPath }}
subPath: {{ .Values.primary.persistence.subPath }}
{{- end }}
{{- end }}
{{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }}
- name: postgresql-config
mountPath: /bitnami/postgresql/conf
{{- end }}
{{- if .Values.primary.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.primary.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.metrics.enabled }}
- name: metrics
image: {{ include "postgresql.metrics.image" . }}
imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
{{- if .Values.metrics.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
{{- if .Values.diagnosticMode.enabled }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
{{- else if .Values.metrics.customMetrics }}
args: ["--extend.query-path", "/conf/custom-metrics.yaml"]
{{- end }}
env:
{{- $database := required "In order to enable metrics you need to specify a database (.Values.auth.database or .Values.global.postgresql.auth.database)" (include "postgresql.database" .) }}
- name: DATA_SOURCE_URI
value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.service.port" .)) $database }}
{{- if .Values.auth.usePasswordFiles }}
- name: DATA_SOURCE_PASS_FILE
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres"))) }}
{{- else }}
- name: DATA_SOURCE_PASS
valueFrom:
secretKeyRef:
name: {{ include "postgresql.secretName" . }}
key: {{ include "postgresql.userPasswordKey" . }}
{{- end }}
- name: DATA_SOURCE_USER
value: {{ default "postgres" $customUser | quote }}
{{- if .Values.metrics.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
ports:
- name: http-metrics
containerPort: {{ .Values.metrics.containerPorts.metrics }}
{{- if not .Values.diagnosticMode.enabled }}
{{- if .Values.metrics.customStartupProbe }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }}
{{- else if .Values.metrics.startupProbe.enabled }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }}
tcpSocket:
port: http-metrics
{{- end }}
{{- if .Values.metrics.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }}
{{- else if .Values.metrics.livenessProbe.enabled }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }}
httpGet:
path: /
port: http-metrics
{{- end }}
{{- if .Values.metrics.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }}
{{- else if .Values.metrics.readinessProbe.enabled }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }}
httpGet:
path: /
port: http-metrics
{{- end }}
{{- end }}
volumeMounts:
{{- if .Values.auth.usePasswordFiles }}
- name: postgresql-password
mountPath: /opt/bitnami/postgresql/secrets/
{{- end }}
{{- if .Values.metrics.customMetrics }}
- name: custom-metrics
mountPath: /conf
readOnly: true
{{- end }}
{{- if .Values.metrics.resources }}
resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.primary.sidecars }}
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.sidecars "context" $ ) | nindent 8 }}
{{- end }}
volumes:
{{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }}
- name: postgresql-config
configMap:
name: {{ include "postgresql.primary.configmapName" . }}
{{- end }}
{{- if or .Values.primary.extendedConfiguration .Values.primary.existingExtendedConfigmap }}
- name: postgresql-extended-config
configMap:
name: {{ include "postgresql.primary.extendedConfigmapName" . }}
{{- end }}
{{- if .Values.auth.usePasswordFiles }}
- name: postgresql-password
secret:
secretName: {{ include "postgresql.secretName" . }}
{{- end }}
{{- if or .Values.primary.initdb.scriptsConfigMap .Values.primary.initdb.scripts }}
- name: custom-init-scripts
configMap:
name: {{ include "postgresql.initdb.scriptsCM" . }}
{{- end }}
{{- if .Values.primary.initdb.scriptsSecret }}
- name: custom-init-scripts-secret
secret:
secretName: {{ tpl .Values.primary.initdb.scriptsSecret $ }}
{{- end }}
{{- if .Values.tls.enabled }}
- name: raw-certificates
secret:
secretName: {{ include "postgresql.tlsSecretName" . }}
- name: postgresql-certificates
emptyDir: {}
{{- end }}
{{- if .Values.primary.extraVolumes }}
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.extraVolumes "context" $ ) | nindent 8 }}
{{- end }}
{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
- name: custom-metrics
configMap:
name: {{ printf "%s-metrics" (include "postgresql.primary.fullname" .) }}
{{- end }}
{{- if .Values.shmVolume.enabled }}
- name: dshm
emptyDir:
medium: Memory
{{- if .Values.shmVolume.sizeLimit }}
sizeLimit: {{ .Values.shmVolume.sizeLimit }}
{{- end }}
{{- end }}
{{- if and .Values.primary.persistence.enabled .Values.primary.persistence.existingClaim }}
- name: data
persistentVolumeClaim:
claimName: {{ tpl .Values.primary.persistence.existingClaim $ }}
{{- else if not .Values.primary.persistence.enabled }}
- name: data
emptyDir: {}
{{- else }}
volumeClaimTemplates:
- metadata:
name: data
{{- if .Values.primary.persistence.annotations }}
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.annotations "context" $) | nindent 10 }}
{{- end }}
{{- if .Values.primary.persistence.labels }}
labels: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.labels "context" $) | nindent 10 }}
{{- end }}
spec:
accessModes:
{{- range .Values.primary.persistence.accessModes }}
- {{ . | quote }}
{{- end }}
{{- if .Values.primary.persistence.dataSource }}
dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.dataSource "context" $) | nindent 10 }}
{{- end }}
resources:
requests:
storage: {{ .Values.primary.persistence.size | quote }}
{{- if .Values.primary.persistence.selector }}
selector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.selector "context" $) | nindent 10 }}
{{- end }}
{{- include "common.storage.class" (dict "persistence" .Values.primary.persistence "global" .Values.global) | nindent 8 }}
{{- end }}

37
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/templates/primary/svc-headless.yaml Normal file
View File

@@ -0,0 +1,37 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "postgresql.primary.svc.headless" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: primary
{{- if or .Values.primary.service.headless.annotations .Values.commonAnnotations }}
annotations:
{{- if .Values.primary.service.headless.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.service.headless.annotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
# Use this annotation in addition to the actual publishNotReadyAddresses
# field below because the annotation will stop being respected soon but the
# field is broken in some versions of Kubernetes:
# https://github.com/kubernetes/kubernetes/issues/58662
service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
spec:
type: ClusterIP
clusterIP: None
# We want all pods in the StatefulSet to have their addresses published for
# the sake of the other Postgresql pods even before they're ready, since they
# have to be able to talk to each other in order to become ready.
publishNotReadyAddresses: true
ports:
- name: tcp-postgresql
port: {{ template "postgresql.service.port" . }}
targetPort: tcp-postgresql
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: primary

53
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/templates/primary/svc.yaml Normal file
View File

@@ -0,0 +1,53 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "postgresql.primary.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: primary
{{- if or .Values.commonAnnotations .Values.primary.service.annotations }}
annotations:
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.primary.service.annotations }}
{{- include "common.tplvalues.render" (dict "value" .Values.primary.service.annotations "context" $) | nindent 4 }}
{{- end }}
{{- end }}
spec:
type: {{ .Values.primary.service.type }}
{{- if or (eq .Values.primary.service.type "LoadBalancer") (eq .Values.primary.service.type "NodePort") }}
externalTrafficPolicy: {{ .Values.primary.service.externalTrafficPolicy | quote }}
{{- end }}
{{- if and (eq .Values.primary.service.type "LoadBalancer") (not (empty .Values.primary.service.loadBalancerSourceRanges)) }}
loadBalancerSourceRanges: {{ .Values.primary.service.loadBalancerSourceRanges }}
{{- end }}
{{- if and (eq .Values.primary.service.type "LoadBalancer") (not (empty .Values.primary.service.loadBalancerIP)) }}
loadBalancerIP: {{ .Values.primary.service.loadBalancerIP }}
{{- end }}
{{- if and .Values.primary.service.clusterIP (eq .Values.primary.service.type "ClusterIP") }}
clusterIP: {{ .Values.primary.service.clusterIP }}
{{- end }}
{{- if .Values.primary.service.sessionAffinity }}
sessionAffinity: {{ .Values.primary.service.sessionAffinity }}
{{- end }}
{{- if .Values.primary.service.sessionAffinityConfig }}
sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.sessionAffinityConfig "context" $) | nindent 4 }}
{{- end }}
ports:
- name: tcp-postgresql
port: {{ template "postgresql.service.port" . }}
targetPort: tcp-postgresql
{{- if and (or (eq .Values.primary.service.type "NodePort") (eq .Values.primary.service.type "LoadBalancer")) (not (empty .Values.primary.service.nodePorts.postgresql)) }}
nodePort: {{ .Values.primary.service.nodePorts.postgresql }}
{{- else if eq .Values.primary.service.type "ClusterIP" }}
nodePort: null
{{- end }}
{{- if .Values.primary.service.extraPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.primary.service.extraPorts "context" $) | nindent 4 }}
{{- end }}
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: primary

22
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/templates/prometheusrule.yaml Normal file
View File

@@ -0,0 +1,22 @@
{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ default .Release.Namespace .Values.metrics.prometheusRule.namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: metrics
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.metrics.prometheusRule.labels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.labels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
groups:
- name: {{ include "common.names.fullname" . }}
rules: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.rules "context" $ ) | nindent 8 }}
{{- end }}

41
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/templates/psp.yaml Normal file
View File

@@ -0,0 +1,41 @@
{{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}}
{{- if and $pspAvailable .Values.psp.create }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
privileged: false
volumes:
- 'configMap'
- 'secret'
- 'persistentVolumeClaim'
- 'emptyDir'
- 'projected'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
{{- end }}

18
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/templates/read/extended-configmap.yaml Normal file
View File

@@ -0,0 +1,18 @@
{{- if (include "postgresql.readReplicas.createExtendedConfigmap" .) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-extended-configuration" (include "postgresql.readReplica.fullname" .) }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: read
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
override.conf: |-
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extendedConfiguration "context" $ ) | nindent 4 }}
{{- end }}

16
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/templates/read/metrics-configmap.yaml Normal file
View File

@@ -0,0 +1,16 @@
{{- if and .Values.metrics.enabled .Values.metrics.customMetrics (eq .Values.architecture "replication") }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-metrics" (include "postgresql.readReplica.fullname" .) }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }}
{{- end }}

33
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/templates/read/metrics-svc.yaml Normal file
View File

@@ -0,0 +1,33 @@
{{- if and .Values.metrics.enabled (eq .Values.architecture "replication") }}
apiVersion: v1
kind: Service
metadata:
name: {{ printf "%s-metrics" (include "postgresql.readReplica.fullname" .) }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: metrics-read
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if or .Values.commonAnnotations .Values.metrics.service.annotations }}
annotations:
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.metrics.service.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.metrics.service.annotations "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
spec:
type: ClusterIP
sessionAffinity: {{ .Values.metrics.service.sessionAffinity }}
{{- if .Values.metrics.service.clusterIP }}
clusterIP: {{ .Values.metrics.service.clusterIP }}
{{- end }}
ports:
- name: http-metrics
port: {{ .Values.metrics.service.ports.metrics }}
targetPort: http-metrics
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: read
{{- end }}

36
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/templates/read/networkpolicy.yaml Normal file
View File

@@ -0,0 +1,36 @@
{{- if and .Values.networkPolicy.enabled (eq .Values.architecture "replication") .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled }}
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
kind: NetworkPolicy
metadata:
name: {{ printf "%s-ingress" (include "postgresql.readReplica.fullname" .) }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: read
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
podSelector:
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: read
ingress:
{{- if and .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector) }}
- from:
{{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector }}
- namespaceSelector:
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }}
{{- end }}
{{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector }}
- podSelector:
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector "context" $) | nindent 14 }}
{{- end }}
ports:
- port: {{ .Values.containerPorts.postgresql }}
{{- end }}
{{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules }}
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules "context" $) | nindent 4 }}
{{- end }}
{{- end }}

48
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/templates/read/servicemonitor.yaml Normal file
View File

@@ -0,0 +1,48 @@
{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled (eq .Values.architecture "replication") }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "postgresql.readReplica.fullname" . }}
namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: metrics-read
{{- if .Values.metrics.serviceMonitor.labels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.labels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if .Values.metrics.serviceMonitor.jobLabel }}
jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }}
{{- end }}
selector:
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
{{- if .Values.metrics.serviceMonitor.selector }}
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }}
{{- end }}
app.kubernetes.io/component: metrics-read
endpoints:
- port: http-metrics
{{- if .Values.metrics.serviceMonitor.interval }}
interval: {{ .Values.metrics.serviceMonitor.interval }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.relabelings }}
relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 6 }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.metricRelabelings }}
metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 6 }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.honorLabels }}
honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
{{- end }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace | quote }}
{{- end }}

537
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/templates/read/statefulset.yaml Normal file
View File

@@ -0,0 +1,537 @@
{{- if eq .Values.architecture "replication" }}
{{- $customUser := include "postgresql.username" . }}
apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
kind: StatefulSet
metadata:
name: {{ include "postgresql.readReplica.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: read
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.readReplicas.labels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.labels "context" $ ) | nindent 4 }}
{{- end }}
{{- if or .Values.commonAnnotations .Values.readReplicas.annotations }}
annotations:
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.readReplicas.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.annotations "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
spec:
replicas: {{ .Values.readReplicas.replicaCount }}
serviceName: {{ include "postgresql.readReplica.svc.headless" . }}
{{- if .Values.readReplicas.updateStrategy }}
updateStrategy: {{- toYaml .Values.readReplicas.updateStrategy | nindent 4 }}
{{- end }}
selector:
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: read
template:
metadata:
name: {{ include "postgresql.readReplica.fullname" . }}
labels: {{- include "common.labels.standard" . | nindent 8 }}
app.kubernetes.io/component: read
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }}
{{- end }}
{{- if .Values.readReplicas.podLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.podLabels "context" $ ) | nindent 8 }}
{{- end }}
{{- if or (include "postgresql.readReplicas.createExtendedConfigmap" .) .Values.readReplicas.podAnnotations }}
annotations:
{{- if (include "postgresql.readReplicas.createExtendedConfigmap" .) }}
checksum/extended-configuration: {{ include (print $.Template.BasePath "/read/extended-configmap.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.readReplicas.podAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.podAnnotations "context" $ ) | nindent 8 }}
{{- end }}
{{- end }}
spec:
{{- if .Values.readReplicas.extraPodSpec }}
{{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraPodSpec "context" $) | nindent 6 }}
{{- end }}
serviceAccountName: {{ include "postgresql.serviceAccountName" . }}
{{- include "postgresql.imagePullSecrets" . | nindent 6 }}
{{- if .Values.readReplicas.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.hostAliases "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.readReplicas.affinity }}
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.affinity "context" $) | nindent 8 }}
{{- else }}
affinity:
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAffinityPreset "component" "read" "context" $) | nindent 10 }}
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAntiAffinityPreset "component" "read" "context" $) | nindent 10 }}
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.readReplicas.nodeAffinityPreset.type "key" .Values.readReplicas.nodeAffinityPreset.key "values" .Values.readReplicas.nodeAffinityPreset.values) | nindent 10 }}
{{- end }}
{{- if .Values.readReplicas.nodeSelector }}
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.readReplicas.tolerations }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.tolerations "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.readReplicas.topologySpreadConstraints }}
topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.topologySpreadConstraints "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.readReplicas.priorityClassName }}
priorityClassName: {{ .Values.readReplicas.priorityClassName }}
{{- end }}
{{- if .Values.readReplicas.schedulerName }}
schedulerName: {{ .Values.readReplicas.schedulerName | quote }}
{{- end }}
{{- if .Values.readReplicas.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ .Values.readReplicas.terminationGracePeriodSeconds }}
{{- end }}
{{- if .Values.readReplicas.podSecurityContext.enabled }}
securityContext: {{- omit .Values.readReplicas.podSecurityContext "enabled" | toYaml | nindent 8 }}
{{- end }}
hostNetwork: {{ .Values.readReplicas.hostNetwork }}
hostIPC: {{ .Values.readReplicas.hostIPC }}
{{- if or (and .Values.tls.enabled (not .Values.volumePermissions.enabled)) (and .Values.volumePermissions.enabled (or .Values.readReplicas.persistence.enabled .Values.shmVolume.enabled)) .Values.readReplicas.initContainers }}
initContainers:
{{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }}
- name: copy-certs
image: {{ include "postgresql.volumePermissions.image" . }}
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
{{- if .Values.readReplicas.resources }}
resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }}
{{- end }}
# We don't require a privileged container in this case
{{- if .Values.readReplicas.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.readReplicas.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
command:
- /bin/sh
- -ec
- |
cp /tmp/certs/* /opt/bitnami/postgresql/certs/
chmod 600 {{ include "postgresql.tlsCertKey" . }}
volumeMounts:
- name: raw-certificates
mountPath: /tmp/certs
- name: postgresql-certificates
mountPath: /opt/bitnami/postgresql/certs
{{- else if and .Values.volumePermissions.enabled (or .Values.readReplicas.persistence.enabled .Values.shmVolume.enabled) }}
- name: init-chmod-data
image: {{ include "postgresql.volumePermissions.image" . }}
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
{{- if .Values.readReplicas.resources }}
resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }}
{{- end }}
command:
- /bin/sh
- -ec
- |
{{- if .Values.readReplicas.persistence.enabled }}
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.readReplicas.persistence.mountPath }}
{{- else }}
chown {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} {{ .Values.readReplicas.persistence.mountPath }}
{{- end }}
mkdir -p {{ .Values.readReplicas.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.readReplicas.persistence.mountPath }}/conf {{- end }}
chmod 700 {{ .Values.readReplicas.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.readReplicas.persistence.mountPath }}/conf {{- end }}
find {{ .Values.readReplicas.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
xargs -r chown -R `id -u`:`id -G | cut -d " " -f2`
{{- else }}
xargs -r chown -R {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }}
{{- end }}
{{- end }}
{{- if .Values.shmVolume.enabled }}
chmod -R 777 /dev/shm
{{- end }}
{{- if .Values.tls.enabled }}
cp /tmp/certs/* /opt/bitnami/postgresql/certs/
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/
{{- else }}
chown -R {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} /opt/bitnami/postgresql/certs/
{{- end }}
chmod 600 {{ include "postgresql.tlsCertKey" . }}
{{- end }}
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }}
{{- else }}
securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }}
{{- end }}
volumeMounts:
{{ if .Values.readReplicas.persistence.enabled }}
- name: data
mountPath: {{ .Values.readReplicas.persistence.mountPath }}
{{- if .Values.readReplicas.persistence.subPath }}
subPath: {{ .Values.readReplicas.persistence.subPath }}
{{- end }}
{{- end }}
{{- if .Values.shmVolume.enabled }}
- name: dshm
mountPath: /dev/shm
{{- end }}
{{- if .Values.tls.enabled }}
- name: raw-certificates
mountPath: /tmp/certs
- name: postgresql-certificates
mountPath: /opt/bitnami/postgresql/certs
{{- end }}
{{- end }}
{{- if .Values.readReplicas.initContainers }}
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.initContainers "context" $ ) | nindent 8 }}
{{- end }}
{{- end }}
containers:
- name: postgresql
image: {{ include "postgresql.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.readReplicas.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.readReplicas.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
{{- if .Values.diagnosticMode.enabled }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
{{- else if .Values.readReplicas.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.command "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.diagnosticMode.enabled }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
{{- else if .Values.readReplicas.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.args "context" $) | nindent 12 }}
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }}
- name: POSTGRESQL_PORT_NUMBER
value: {{ .Values.containerPorts.postgresql | quote }}
- name: POSTGRESQL_VOLUME_DIR
value: {{ .Values.readReplicas.persistence.mountPath | quote }}
{{- if .Values.readReplicas.persistence.mountPath }}
- name: PGDATA
value: {{ .Values.postgresqlDataDir | quote }}
{{- end }}
# Authentication
{{- if and (not (empty $customUser)) (ne $customUser "postgres") .Values.auth.enablePostgresUser }}
{{- if .Values.auth.usePasswordFiles }}
- name: POSTGRES_POSTGRES_PASSWORD_FILE
value: "/opt/bitnami/postgresql/secrets/postgres-password"
{{- else }}
- name: POSTGRES_POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "postgresql.secretName" . }}
key: {{ include "postgresql.adminPasswordKey" . }}
{{- end }}
{{- end }}
{{- if .Values.auth.usePasswordFiles }}
- name: POSTGRES_PASSWORD_FILE
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres"))) }}
{{- else }}
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "postgresql.secretName" . }}
key: {{ include "postgresql.userPasswordKey" . }}
{{- end }}
# Replication
- name: POSTGRES_REPLICATION_MODE
value: "slave"
- name: POSTGRES_REPLICATION_USER
value: {{ .Values.auth.replicationUsername | quote }}
{{- if .Values.auth.usePasswordFiles }}
- name: POSTGRES_REPLICATION_PASSWORD_FILE
value: "/opt/bitnami/postgresql/secrets/replication-password"
{{- else }}
- name: POSTGRES_REPLICATION_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "postgresql.secretName" . }}
key: {{ include "postgresql.replicationPasswordKey" . }}
{{- end }}
- name: POSTGRES_CLUSTER_APP_NAME
value: {{ .Values.replication.applicationName }}
- name: POSTGRES_MASTER_HOST
value: {{ include "postgresql.primary.fullname" . }}
- name: POSTGRES_MASTER_PORT_NUMBER
value: {{ include "postgresql.service.port" . | quote }}
# TLS
- name: POSTGRESQL_ENABLE_TLS
value: {{ ternary "yes" "no" .Values.tls.enabled | quote }}
{{- if .Values.tls.enabled }}
- name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS
value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }}
- name: POSTGRESQL_TLS_CERT_FILE
value: {{ include "postgresql.tlsCert" . }}
- name: POSTGRESQL_TLS_KEY_FILE
value: {{ include "postgresql.tlsCertKey" . }}
{{- if .Values.tls.certCAFilename }}
- name: POSTGRESQL_TLS_CA_FILE
value: {{ include "postgresql.tlsCACert" . }}
{{- end }}
{{- if .Values.tls.crlFilename }}
- name: POSTGRESQL_TLS_CRL_FILE
value: {{ include "postgresql.tlsCRL" . }}
{{- end }}
{{- end }}
# Audit
- name: POSTGRESQL_LOG_HOSTNAME
value: {{ .Values.audit.logHostname | quote }}
- name: POSTGRESQL_LOG_CONNECTIONS
value: {{ .Values.audit.logConnections | quote }}
- name: POSTGRESQL_LOG_DISCONNECTIONS
value: {{ .Values.audit.logDisconnections | quote }}
{{- if .Values.audit.logLinePrefix }}
- name: POSTGRESQL_LOG_LINE_PREFIX
value: {{ .Values.audit.logLinePrefix | quote }}
{{- end }}
{{- if .Values.audit.logTimezone }}
- name: POSTGRESQL_LOG_TIMEZONE
value: {{ .Values.audit.logTimezone | quote }}
{{- end }}
{{- if .Values.audit.pgAuditLog }}
- name: POSTGRESQL_PGAUDIT_LOG
value: {{ .Values.audit.pgAuditLog | quote }}
{{- end }}
- name: POSTGRESQL_PGAUDIT_LOG_CATALOG
value: {{ .Values.audit.pgAuditLogCatalog | quote }}
# Others
- name: POSTGRESQL_CLIENT_MIN_MESSAGES
value: {{ .Values.audit.clientMinMessages | quote }}
- name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES
value: {{ .Values.postgresqlSharedPreloadLibraries | quote }}
{{- if .Values.readReplicas.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
{{- if or .Values.readReplicas.extraEnvVarsCM .Values.readReplicas.extraEnvVarsSecret }}
envFrom:
{{- if .Values.readReplicas.extraEnvVarsCM }}
- configMapRef:
name: {{ .Values.readReplicas.extraEnvVarsCM }}
{{- end }}
{{- if .Values.readReplicas.extraEnvVarsSecret }}
- secretRef:
name: {{ .Values.readReplicas.extraEnvVarsSecret }}
{{- end }}
{{- end }}
ports:
- name: tcp-postgresql
containerPort: {{ .Values.containerPorts.postgresql }}
{{- if not .Values.diagnosticMode.enabled }}
{{- if .Values.readReplicas.customStartupProbe }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customStartupProbe "context" $) | nindent 12 }}
{{- else if .Values.readReplicas.startupProbe.enabled }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.startupProbe "enabled") "context" $) | nindent 12 }}
exec:
command:
- /bin/sh
- -c
{{- if (include "postgresql.database" .) }}
- exec pg_isready -U {{ default "postgres" $customUser| quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
{{- else }}
- exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
{{- end }}
{{- end }}
{{- if .Values.readReplicas.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customLivenessProbe "context" $) | nindent 12 }}
{{- else if .Values.readReplicas.livenessProbe.enabled }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.livenessProbe "enabled") "context" $) | nindent 12 }}
exec:
command:
- /bin/sh
- -c
{{- if (include "postgresql.database" .) }}
- exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
{{- else }}
- exec pg_isready -U {{default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
{{- end }}
{{- end }}
{{- if .Values.readReplicas.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customReadinessProbe "context" $) | nindent 12 }}
{{- else if .Values.readReplicas.readinessProbe.enabled }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.readinessProbe "enabled") "context" $) | nindent 12 }}
exec:
command:
- /bin/sh
- -c
- -e
{{- include "postgresql.readinessProbeCommand" . | nindent 16 }}
{{- end }}
{{- end }}
{{- if .Values.readReplicas.resources }}
resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }}
{{- end }}
{{- if .Values.readReplicas.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
volumeMounts:
{{- if .Values.auth.usePasswordFiles }}
- name: postgresql-password
mountPath: /opt/bitnami/postgresql/secrets/
{{- end }}
{{- if .Values.readReplicas.extendedConfiguration }}
- name: postgresql-extended-config
mountPath: /bitnami/postgresql/conf/conf.d/
{{- end }}
{{- if .Values.tls.enabled }}
- name: postgresql-certificates
mountPath: /opt/bitnami/postgresql/certs
readOnly: true
{{- end }}
{{- if .Values.shmVolume.enabled }}
- name: dshm
mountPath: /dev/shm
{{- end }}
{{- if .Values.readReplicas.persistence.enabled }}
- name: data
mountPath: {{ .Values.readReplicas.persistence.mountPath }}
{{- if .Values.readReplicas.persistence.subPath }}
subPath: {{ .Values.readReplicas.persistence.subPath }}
{{- end }}
{{- end }}
{{- if .Values.readReplicas.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.metrics.enabled }}
- name: metrics
image: {{ include "postgresql.metrics.image" . }}
imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
{{- if .Values.metrics.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
{{- if .Values.diagnosticMode.enabled }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
{{- else if .Values.metrics.customMetrics }}
args: [ "--extend.query-path", "/conf/custom-metrics.yaml" ]
{{- end }}
env:
{{- $database := required "In order to enable metrics you need to specify a database (.Values.auth.database or .Values.global.postgresql.auth.database)" (include "postgresql.database" .) }}
- name: DATA_SOURCE_URI
value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.service.port" .)) $database }}
{{- if .Values.auth.usePasswordFiles }}
- name: DATA_SOURCE_PASS_FILE
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres"))) }}
{{- else }}
- name: DATA_SOURCE_PASS
valueFrom:
secretKeyRef:
name: {{ include "postgresql.secretName" . }}
key: {{ include "postgresql.userPasswordKey" . }}
{{- end }}
- name: DATA_SOURCE_USER
value: {{ default "postgres" $customUser | quote }}
{{- if .Values.metrics.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
ports:
- name: http-metrics
containerPort: {{ .Values.metrics.containerPorts.metrics }}
{{- if not .Values.diagnosticMode.enabled }}
{{- if .Values.metrics.customStartupProbe }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }}
{{- else if .Values.metrics.startupProbe.enabled }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }}
tcpSocket:
port: http-metrics
{{- end }}
{{- if .Values.metrics.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }}
{{- else if .Values.metrics.livenessProbe.enabled }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }}
httpGet:
path: /
port: http-metrics
{{- end }}
{{- if .Values.metrics.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }}
{{- else if .Values.metrics.readinessProbe.enabled }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }}
httpGet:
path: /
port: http-metrics
{{- end }}
{{- end }}
volumeMounts:
{{- if .Values.auth.usePasswordFiles }}
- name: postgresql-password
mountPath: /opt/bitnami/postgresql/secrets/
{{- end }}
{{- if .Values.metrics.customMetrics }}
- name: custom-metrics
mountPath: /conf
readOnly: true
{{- end }}
{{- if .Values.metrics.resources }}
resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.readReplicas.sidecars }}
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.sidecars "context" $ ) | nindent 8 }}
{{- end }}
volumes:
{{- if .Values.readReplicas.extendedConfiguration }}
- name: postgresql-extended-config
configMap:
name: {{ include "postgresql.readReplicas.extendedConfigmapName" . }}
{{- end }}
{{- if .Values.auth.usePasswordFiles }}
- name: postgresql-password
secret:
secretName: {{ include "postgresql.secretName" . }}
{{- end }}
{{- if .Values.tls.enabled }}
- name: raw-certificates
secret:
secretName: {{ include "postgresql.tlsSecretName" . }}
- name: postgresql-certificates
emptyDir: {}
{{- end }}
{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
- name: custom-metrics
configMap:
name: {{ printf "%s-metrics" (include "postgresql.readReplica.fullname" .) }}
{{- end }}
{{- if .Values.shmVolume.enabled }}
- name: dshm
emptyDir:
medium: Memory
{{- if .Values.shmVolume.sizeLimit }}
sizeLimit: {{ .Values.shmVolume.sizeLimit }}
{{- end }}
{{- end }}
{{- if .Values.readReplicas.extraVolumes }}
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extraVolumes "context" $ ) | nindent 8 }}
{{- end }}
{{- if and .Values.readReplicas.persistence.enabled .Values.readReplicas.persistence.existingClaim }}
- name: data
persistentVolumeClaim:
claimName: {{ tpl .Values.readReplicas.persistence.existingClaim $ }}
{{- else if not .Values.readReplicas.persistence.enabled }}
- name: data
emptyDir: {}
{{- else }}
volumeClaimTemplates:
- metadata:
name: data
{{- if .Values.readReplicas.persistence.annotations }}
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.annotations "context" $) | nindent 10 }}
{{- end }}
{{- if .Values.readReplicas.persistence.labels }}
labels: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.labels "context" $) | nindent 10 }}
{{- end }}
spec:
accessModes:
{{- range .Values.readReplicas.persistence.accessModes }}
- {{ . | quote }}
{{- end }}
{{- if .Values.readReplicas.persistence.dataSource }}
dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.dataSource "context" $) | nindent 10 }}
{{- end }}
resources:
requests:
storage: {{ .Values.readReplicas.persistence.size | quote }}
{{- if .Values.readReplicas.persistence.selector }}
selector: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.selector "context" $) | nindent 10 }}
{{- end -}}
{{- include "common.storage.class" (dict "persistence" .Values.readReplicas.persistence "global" .Values.global) | nindent 8 }}
{{- end }}
{{- end }}

39
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/templates/read/svc-headless.yaml Normal file
View File

@@ -0,0 +1,39 @@
{{- if eq .Values.architecture "replication" }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "postgresql.readReplica.svc.headless" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: read
{{- if or .Values.readReplicas.service.headless.annotations .Values.commonAnnotations }}
annotations:
{{- if .Values.readReplicas.service.headless.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.service.headless.annotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
# Use this annotation in addition to the actual publishNotReadyAddresses
# field below because the annotation will stop being respected soon but the
# field is broken in some versions of Kubernetes:
# https://github.com/kubernetes/kubernetes/issues/58662
service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
spec:
type: ClusterIP
clusterIP: None
# We want all pods in the StatefulSet to have their addresses published for
# the sake of the other Postgresql pods even before they're ready, since they
# have to be able to talk to each other in order to become ready.
publishNotReadyAddresses: true
ports:
- name: tcp-postgresql
port: {{ include "postgresql.readReplica.service.port" . }}
targetPort: tcp-postgresql
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: read
{{- end }}

55
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/templates/read/svc.yaml Normal file
View File

@@ -0,0 +1,55 @@
{{- if eq .Values.architecture "replication" }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "postgresql.readReplica.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: read
{{- if or .Values.commonAnnotations .Values.readReplicas.service.annotations }}
annotations:
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.readReplicas.service.annotations }}
{{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.annotations "context" $) | nindent 4 }}
{{- end }}
{{- end }}
spec:
type: {{ .Values.readReplicas.service.type }}
{{- if or (eq .Values.readReplicas.service.type "LoadBalancer") (eq .Values.readReplicas.service.type "NodePort") }}
externalTrafficPolicy: {{ .Values.readReplicas.service.externalTrafficPolicy | quote }}
{{- end }}
{{- if and (eq .Values.readReplicas.service.type "LoadBalancer") (not (empty .Values.readReplicas.service.loadBalancerSourceRanges)) }}
loadBalancerSourceRanges: {{ .Values.readReplicas.service.loadBalancerSourceRanges }}
{{- end }}
{{- if and (eq .Values.readReplicas.service.type "LoadBalancer") (not (empty .Values.readReplicas.service.loadBalancerIP)) }}
loadBalancerIP: {{ .Values.readReplicas.service.loadBalancerIP }}
{{- end }}
{{- if and .Values.readReplicas.service.clusterIP (eq .Values.readReplicas.service.type "ClusterIP") }}
clusterIP: {{ .Values.readReplicas.service.clusterIP }}
{{- end }}
{{- if .Values.readReplicas.service.sessionAffinity }}
sessionAffinity: {{ .Values.readReplicas.service.sessionAffinity }}
{{- end }}
{{- if .Values.readReplicas.service.sessionAffinityConfig }}
sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.sessionAffinityConfig "context" $) | nindent 4 }}
{{- end }}
ports:
- name: tcp-postgresql
port: {{ include "postgresql.readReplica.service.port" . }}
targetPort: tcp-postgresql
{{- if and (or (eq .Values.readReplicas.service.type "NodePort") (eq .Values.readReplicas.service.type "LoadBalancer")) (not (empty .Values.readReplicas.service.nodePorts.postgresql)) }}
nodePort: {{ .Values.readReplicas.service.nodePorts.postgresql }}
{{- else if eq .Values.readReplicas.service.type "ClusterIP" }}
nodePort: null
{{- end }}
{{- if .Values.readReplicas.service.extraPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.extraPorts "context" $) | nindent 4 }}
{{- end }}
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: read
{{- end }}

31
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/templates/role.yaml Normal file
View File

@@ -0,0 +1,31 @@
{{- if .Values.rbac.create }}
kind: Role
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
# yamllint disable rule:indentation
rules:
{{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}}
{{- if and $pspAvailable .Values.psp.create }}
- apiGroups:
- 'policy'
resources:
- 'podsecuritypolicies'
verbs:
- 'use'
resourceNames:
- {{ include "common.names.fullname" . }}
{{- end }}
{{- if .Values.rbac.rules }}
{{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }}
{{- end }}
# yamllint enable rule:indentation
{{- end }}

22
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/templates/rolebinding.yaml Normal file
View File

@@ -0,0 +1,22 @@
{{- if .Values.rbac.create }}
kind: RoleBinding
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
roleRef:
kind: Role
name: {{ include "common.names.fullname" . }}
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: {{ include "postgresql.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}

103
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/templates/secrets.yaml Normal file
View File

@@ -0,0 +1,103 @@
{{- $host := include "postgresql.primary.fullname" . }}
{{- $port := include "postgresql.service.port" . }}
{{- $postgresPassword := "" }}
{{- if .Values.auth.enablePostgresUser }}
{{- $postgresPassword = include "common.secrets.passwords.manage" (dict "secret" (include "postgresql.secretName" .) "key" $.Values.auth.secretKeys.adminPasswordKey "providedValues" (list "global.postgresql.auth.postgresPassword" "auth.postgresPassword") "context" $) | trimAll "\"" | b64dec }}
{{- end }}
{{- $replicationPassword := "" }}
{{- if eq .Values.architecture "replication" }}
{{- $replicationPassword = include "common.secrets.passwords.manage" (dict "secret" (include "postgresql.secretName" .) "key" $.Values.auth.secretKeys.replicationPasswordKey "providedValues" (list "auth.replicationPassword") "context" $) | trimAll "\"" | b64dec }}
{{- end }}
{{- $ldapPassword := "" }}
{{- if and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw) }}
{{- $ldapPassword = coalesce .Values.ldap.bind_password .Values.ldap.bindpw }}
{{- end }}
{{- $customUser := include "postgresql.username" . }}
{{- $password := "" }}
{{- if not (empty (include "postgresql.username" .)) }}
{{- $password = include "common.secrets.passwords.manage" (dict "secret" (include "postgresql.secretName" .) "key" $.Values.auth.secretKeys.userPasswordKey "providedValues" (list "global.postgresql.auth.password" "auth.password") "context" $) | trimAll "\"" | b64dec }}
{{- end }}
{{- $database := include "postgresql.database" . }}
{{- if (include "postgresql.createSecret" .) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
{{- if .Values.auth.enablePostgresUser }}
postgres-password: {{ $postgresPassword | b64enc | quote }}
{{- end }}
{{- if not (empty (include "postgresql.username" .)) }}
password: {{ $password | b64enc | quote }}
{{- end }}
{{- if eq .Values.architecture "replication" }}
replication-password: {{ $replicationPassword | b64enc | quote }}
{{- end }}
# We don't auto-generate LDAP password when it's not provided as we do for other passwords
{{- if and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw) }}
ldap-password: {{ $ldapPassword | b64enc | quote }}
{{- end }}
{{- end }}
{{- if .Values.serviceBindings.enabled }}
{{- if .Values.auth.enablePostgresUser }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "common.names.fullname" . }}-svcbind-postgres
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: servicebinding.io/postgresql
data:
provider: {{ print "bitnami" | b64enc | quote }}
type: {{ print "postgresql" | b64enc | quote }}
host: {{ $host | b64enc | quote }}
port: {{ $port | b64enc | quote }}
user: {{ print "postgres" | b64enc | quote }}
database: {{ print "postgres" | b64enc | quote }}
password: {{ $postgresPassword | b64enc | quote }}
uri: {{ printf "postgresql://postgres:%s@%s:%s/postgres" $postgresPassword $host $port | b64enc | quote }}
{{- end }}
{{- if and (not (empty $customUser)) (ne $customUser "postgres") }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "common.names.fullname" . }}-svcbind-custom-user
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: servicebinding.io/postgresql
data:
provider: {{ print "bitnami" | b64enc | quote }}
type: {{ print "postgresql" | b64enc | quote }}
host: {{ $host | b64enc | quote }}
port: {{ $port | b64enc | quote }}
user: {{ $customUser | b64enc | quote }}
password: {{ $password | b64enc | quote }}
{{- if $database }}
database: {{ $database | b64enc | quote }}
{{- end }}
uri: {{ printf "postgresql://%s:%s@%s:%s/%s" $customUser $password $host $port $database | b64enc | quote }}
{{- end }}
{{- end }}

19
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/templates/serviceaccount.yaml Normal file
View File

@@ -0,0 +1,19 @@
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "postgresql.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
annotations:
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.serviceAccount.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.serviceAccount.annotations "context" $ ) | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end }}

28
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/templates/tls-secrets.yaml Normal file
View File

@@ -0,0 +1,28 @@
{{- if (include "postgresql.createTlsSecret" . ) }}
{{- $secretName := printf "%s-crt" (include "common.names.fullname" .) }}
{{- $ca := genCA "postgresql-ca" 365 }}
{{- $fullname := include "common.names.fullname" . }}
{{- $releaseNamespace := .Release.Namespace }}
{{- $clusterDomain := .Values.clusterDomain }}
{{- $primaryHeadlessServiceName := include "postgresql.primary.svc.headless" . }}
{{- $readHeadlessServiceName := include "postgresql.readReplica.svc.headless" . }}
{{- $altNames := list (printf "*.%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $primaryHeadlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $primaryHeadlessServiceName $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $readHeadlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $readHeadlessServiceName $releaseNamespace $clusterDomain) $fullname }}
{{- $cert := genSignedCert $fullname nil $altNames 365 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretName }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: kubernetes.io/tls
data:
tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }}
tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }}
ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
{{- end }}

156
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/values.schema.json Normal file
View File

@@ -0,0 +1,156 @@
{
"$schema": "http://json-schema.org/schema#",
"type": "object",
"properties": {
"architecture": {
"type": "string",
"title": "PostgreSQL architecture",
"form": true,
"description": "Allowed values: `standalone` or `replication`"
},
"auth": {
"type": "object",
"title": "Authentication configuration",
"form": true,
"properties": {
"enablePostgresUser": {
"type": "boolean",
"title": "Enable \"postgres\" admin user",
"description": "Assign a password to the \"postgres\" admin user. Otherwise, remote access will be blocked for this user",
"form": true
},
"postgresPassword": {
"type": "string",
"title": "Password for the \"postgres\" admin user",
"description": "Defaults to a random 10-character alphanumeric string if not set",
"form": true
},
"database": {
"type": "string",
"title": "PostgreSQL custom database",
"description": "Name of the custom database to be created during the 1st initialization of PostgreSQL",
"form": true
},
"username": {
"type": "string",
"title": "PostgreSQL custom user",
"description": "Name of the custom user to be created during the 1st initialization of PostgreSQL. This user only has permissions on the PostgreSQL custom database",
"form": true
},
"password": {
"type": "string",
"title": "Password for the custom user to create",
"description": "Defaults to a random 10-character alphanumeric string if not set",
"form": true
},
"replicationUsername": {
"type": "string",
"title": "PostgreSQL replication user",
"description": "Name of user used to manage replication.",
"form": true,
"hidden": {
"value": "standalone",
"path": "architecture"
}
},
"replicationPassword": {
"type": "string",
"title": "Password for PostgreSQL replication user",
"description": "Defaults to a random 10-character alphanumeric string if not set",
"form": true,
"hidden": {
"value": "standalone",
"path": "architecture"
}
}
}
},
"persistence": {
"type": "object",
"properties": {
"size": {
"type": "string",
"title": "Persistent Volume Size",
"form": true,
"render": "slider",
"sliderMin": 1,
"sliderMax": 100,
"sliderUnit": "Gi"
}
}
},
"resources": {
"type": "object",
"title": "Required Resources",
"description": "Configure resource requests",
"form": true,
"properties": {
"requests": {
"type": "object",
"properties": {
"memory": {
"type": "string",
"form": true,
"render": "slider",
"title": "Memory Request",
"sliderMin": 10,
"sliderMax": 2048,
"sliderUnit": "Mi"
},
"cpu": {
"type": "string",
"form": true,
"render": "slider",
"title": "CPU Request",
"sliderMin": 10,
"sliderMax": 2000,
"sliderUnit": "m"
}
}
}
}
},
"replication": {
"type": "object",
"form": true,
"title": "Replication Details",
"properties": {
"enabled": {
"type": "boolean",
"title": "Enable Replication",
"form": true
},
"readReplicas": {
"type": "integer",
"title": "read Replicas",
"form": true,
"hidden": {
"value": "standalone",
"path": "architecture"
}
}
}
},
"volumePermissions": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"form": true,
"title": "Enable Init Containers",
"description": "Change the owner of the persist volume mountpoint to RunAsUser:fsGroup"
}
}
},
"metrics": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"title": "Configure metrics exporter",
"form": true
}
}
}
}
}

1425
build_system/charts/open-appsec-k8s-nginx-ingress/charts/postgresql/values.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

5
build_system/charts/open-appsec-k8s-nginx-ingress/templates/_params.tpl
View File

@@ -29,7 +29,7 @@
- --watch-namespace={{ default "$(POD_NAMESPACE)" .Values.controller.scope.namespace }}
{{- end }}
{{- if and (not .Values.controller.scope.enabled) .Values.controller.scope.namespaceSelector }}
- --watch-namespace-selector={{ default "" .Values.controller.scope.namespaceSelector }}
- --watch-namespace-selector={{ .Values.controller.scope.namespaceSelector }}
{{- end }}
{{- if and .Values.controller.reportNodeInternalIp .Values.controller.hostNetwork }}
- --report-node-internal-ip-address={{ .Values.controller.reportNodeInternalIp }}
@@ -54,6 +54,9 @@
{{- if .Values.controller.watchIngressWithoutClass }}
- --watch-ingress-without-class=true
{{- end }}
{{- if not .Values.controller.metrics.enabled }}
- --enable-metrics={{ .Values.controller.metrics.enabled }}
{{- end }}
{{- if .Values.controller.enableTopologyAwareRouting }}
- --enable-topology-aware-routing=true
{{- end }}

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec.yaml
View File

@@ -142,6 +142,8 @@ spec:
value: {{ .Values.appsec.storage.name }}-svc
- name: LEARNING_HOST
value: {{ .Values.appsec.learning.name }}-svc
- name: TUNING_HOST
value: {{ .Values.appsec.tuning.name }}-svc
{{- else }}
- name: PLAYGROUND
value: "true"

3
build_system/charts/open-appsec-k8s-nginx-ingress/templates/clusterrolebinding.yaml
View File

@@ -16,4 +16,7 @@ subjects:
- kind: ServiceAccount
name: {{ template "ingress-nginx.serviceAccountName" . }}
namespace: {{ include "ingress-nginx.namespace" . }}
- kind: ServiceAccount
name: tuning-svc-account
namespace: {{ .Release.Namespace | quote }}
{{- end }}

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-prometheusrules.yaml
View File

@@ -1,4 +1,4 @@
{{- if and ( .Values.controller.metrics.enabled ) ( .Values.controller.metrics.prometheusRule.enabled ) ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) -}}
{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.prometheusRule.enabled -}}
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-policy.yaml
View File

@@ -34,7 +34,7 @@ spec:
http-headers: false
request-body: false
log-destination:
cloud: false
cloud: true
stdout:
format: json-formatted
---

71
build_system/charts/open-appsec-k8s-nginx-ingress/templates/tuning-deployment.yaml Normal file
View File

@@ -0,0 +1,71 @@
{{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.playground false) .Values.appsec.tuning.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Values.appsec.tuning.name }}-deployment
labels:
app: {{ .Values.appsec.tuning.name }}-lbl
spec:
replicas: {{ .Values.appsec.tuning.replicaCount }}
selector:
matchLabels:
app: {{ .Values.appsec.tuning.name }}-lbl
template:
metadata:
labels:
app: {{ .Values.appsec.tuning.name }}-lbl
group: fog-core
spec:
securityContext:
{{- with .Values.appsec.tuning.securityContext }}
fsGroup: {{ .fsGroup }}
runAsGroup: {{ .runAsGroup }}
runAsUser: {{ .runAsUser }}
{{- end }}
serviceAccountName: tuning-svc-account
containers:
- name: {{ .Values.appsec.tuning.name }}
imagePullPolicy: Always
{{- with .Values.appsec.tuning.image }}
image: {{ .registry }}/{{ .image }}:{{ .tag }}
{{- end }}
ports:
- containerPort: {{ .Values.appsec.tuning.port }}
livenessProbe:
failureThreshold: {{ .Values.appsec.tuning.failureThreshold }}
httpGet:
path: /health/live
port: {{ .Values.appsec.tuning.port }}
scheme: HTTP
initialDelaySeconds: {{ .Values.appsec.tuning.initialDelaySeconds }}
periodSeconds: {{ .Values.appsec.tuning.periodSeconds }}
timeoutSeconds: {{ .Values.appsec.tuning.timeoutSeconds }}
readinessProbe:
failureThreshold: {{ .Values.appsec.tuning.failureThreshold }}
httpGet:
path: /health/ready
port: {{ .Values.appsec.tuning.port }}
scheme: HTTP
initialDelaySeconds: {{ .Values.appsec.tuning.initialDelaySeconds }}
periodSeconds: {{ .Values.appsec.tuning.periodSeconds }}
successThreshold: {{ .Values.appsec.tuning.successThreshold }}
timeoutSeconds: {{ .Values.appsec.tuning.timeoutSeconds }}
env:
- name: K8S_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: MODE
value: "stand-alone"
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "common.names.fullname" .Subcharts.postgresql }}
key: {{ include "postgresql.adminPasswordKey" .Subcharts.postgresql }}
- name: QUERY_DB_NAME_FMT
value: "postgres://postgres:%s@{{ include "postgresql.primary.fullname" .Subcharts.postgresql }}:5432/i2datatubeschemasecurityeventlogsv03?sslmode=disable"
- name: QUERY_DB_ROOT_FMT
value: "postgres://postgres:%s@{{ include "postgresql.primary.fullname" .Subcharts.postgresql }}:5432/?sslmode=disable"
- name: RP_BASEURL
value: http://{{ .Values.appsec.storage.name }}-svc/api
{{- end }}

7
build_system/charts/open-appsec-k8s-nginx-ingress/templates/tuning-serviceaccount.yaml Normal file
View File

@@ -0,0 +1,7 @@
{{- if and .Values.appsec.tuning.serviceAccount.create .Values.appsec.tuning.enabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: tuning-svc-account
namespace: {{ .Release.Namespace }}
{{- end }}

13
build_system/charts/open-appsec-k8s-nginx-ingress/templates/tuning-svc.yaml Normal file
View File

@@ -0,0 +1,13 @@
{{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.playground false) .Values.appsec.tuning.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.appsec.tuning.name }}-svc
spec:
ports:
- name: "http"
port: 80
targetPort: {{ .Values.appsec.tuning.port }}
selector:
app: {{ .Values.appsec.tuning.name }}-lbl
{{- end }}

2
build_system/charts/open-appsec-k8s-nginx-ingress/tests/controller-configmap-addheaders_test.yaml
View File

@@ -21,7 +21,7 @@ tests:
of: ConfigMap
- equal:
path: metadata.name
value: RELEASE-NAME-ingress-nginx-custom-add-headers
value: RELEASE-NAME-open-appsec-k8s-nginx-ingress-custom-add-headers
- equal:
path: data.X-Another-Custom-Header
value: Value

2
build_system/charts/open-appsec-k8s-nginx-ingress/tests/controller-configmap-proxyheaders_test.yaml
View File

@@ -21,7 +21,7 @@ tests:
of: ConfigMap
- equal:
path: metadata.name
value: RELEASE-NAME-ingress-nginx-custom-proxy-headers
value: RELEASE-NAME-open-appsec-k8s-nginx-ingress-custom-proxy-headers
- equal:
path: data.X-Custom-Header
value: Value

2
build_system/charts/open-appsec-k8s-nginx-ingress/tests/controller-configmap_test.yaml
View File

@@ -11,4 +11,4 @@ tests:
of: ConfigMap
- equal:
path: metadata.name
value: RELEASE-NAME-ingress-nginx-controller
value: RELEASE-NAME-open-appsec-k8s-nginx-ingress-controller

37
build_system/charts/open-appsec-k8s-nginx-ingress/tests/controller-daemonset_test.yaml
View File

@@ -6,6 +6,7 @@ tests:
- it: should create a DaemonSet if `controller.kind` is "DaemonSet"
set:
controller.kind: DaemonSet
kind: Vanilla
asserts:
- hasDocuments:
count: 1
@@ -13,4 +14,38 @@ tests:
of: DaemonSet
- equal:
path: metadata.name
value: RELEASE-NAME-ingress-nginx-controller
value: RELEASE-NAME-open-appsec-k8s-nginx-ingress-controller
- it: should create a DaemonSet with argument `--enable-metrics=false` if `controller.metrics.enabled` is false
set:
controller.kind: DaemonSet
kind: Vanilla
controller.metrics.enabled: false
asserts:
- contains:
path: spec.template.spec.containers[0].args
content: --enable-metrics=false
- it: should create a DaemonSet without argument `--enable-metrics=false` if `controller.metrics.enabled` is true
set:
controller.kind: DaemonSet
kind: Vanilla
controller.metrics.enabled: true
asserts:
- notContains:
path: spec.template.spec.containers[0].args
content: --enable-metrics=false
- it: should create a DaemonSet with resource limits if `controller.resources.limits` is set
set:
controller.kind: DaemonSet
kind: Vanilla
controller.resources.limits.cpu: 500m
controller.resources.limits.memory: 512Mi
asserts:
- equal:
path: spec.template.spec.containers[0].resources.limits.cpu
value: 500m
- equal:
path: spec.template.spec.containers[0].resources.limits.memory
value: 512Mi

20
build_system/charts/open-appsec-k8s-nginx-ingress/tests/controller-deployment_test.yaml
View File

@@ -11,20 +11,38 @@ tests:
of: Deployment
- equal:
path: metadata.name
value: RELEASE-NAME-ingress-nginx-controller
value: RELEASE-NAME-open-appsec-k8s-nginx-ingress-controller
- it: should create a Deployment with 3 replicas if `controller.replicaCount` is 3
set:
controller.replicaCount: 3
kind: Vanilla
asserts:
- equal:
path: spec.replicas
value: 3
- it: should create a Deployment with argument `--enable-metrics=false` if `controller.metrics.enabled` is false
set:
controller.metrics.enabled: false
asserts:
- contains:
path: spec.template.spec.containers[0].args
content: --enable-metrics=false
- it: should create a Deployment without argument `--enable-metrics=false` if `controller.metrics.enabled` is true
set:
controller.metrics.enabled: true
asserts:
- notContains:
path: spec.template.spec.containers[0].args
content: --enable-metrics=false
- it: should create a Deployment with resource limits if `controller.resources.limits` is set
set:
controller.resources.limits.cpu: 500m
controller.resources.limits.memory: 512Mi
kind: Vanilla
asserts:
- equal:
path: spec.template.spec.containers[0].resources.limits.cpu

2
build_system/charts/open-appsec-k8s-nginx-ingress/tests/controller-hpa_test.yaml
View File

@@ -14,4 +14,4 @@ tests:
of: HorizontalPodAutoscaler
- equal:
path: metadata.name
value: RELEASE-NAME-ingress-nginx-controller
value: RELEASE-NAME-open-appsec-k8s-nginx-ingress-controller

2
build_system/charts/open-appsec-k8s-nginx-ingress/tests/controller-keda_test.yaml
View File

@@ -14,4 +14,4 @@ tests:
of: ScaledObject
- equal:
path: metadata.name
value: RELEASE-NAME-ingress-nginx-controller
value: RELEASE-NAME-open-appsec-k8s-nginx-ingress-controller

2
build_system/charts/open-appsec-k8s-nginx-ingress/tests/controller-networkpolicy_test.yaml
View File

@@ -20,4 +20,4 @@ tests:
of: NetworkPolicy
- equal:
path: metadata.name
value: RELEASE-NAME-ingress-nginx-controller
value: RELEASE-NAME-open-appsec-k8s-nginx-ingress-controller

2
build_system/charts/open-appsec-k8s-nginx-ingress/tests/controller-service-internal_test.yaml
View File

@@ -22,4 +22,4 @@ tests:
of: Service
- equal:
path: metadata.name
value: RELEASE-NAME-ingress-nginx-controller-internal
value: RELEASE-NAME-open-appsec-k8s-nginx-ingress-controller-internal

2
build_system/charts/open-appsec-k8s-nginx-ingress/tests/controller-service-metrics_test.yaml
View File

@@ -20,4 +20,4 @@ tests:
of: Service
- equal:
path: metadata.name
value: RELEASE-NAME-ingress-nginx-controller-metrics
value: RELEASE-NAME-open-appsec-k8s-nginx-ingress-controller-metrics

2
build_system/charts/open-appsec-k8s-nginx-ingress/tests/controller-service_test.yaml
View File

@@ -20,7 +20,7 @@ tests:
of: Service
- equal:
path: metadata.name
value: RELEASE-NAME-ingress-nginx-controller
value: RELEASE-NAME-open-appsec-k8s-nginx-ingress-controller
- it: should create a Service of type "NodePort" if `controller.service.external.enabled` is true and `controller.service.type` is "NodePort"
set:

2
build_system/charts/open-appsec-k8s-nginx-ingress/tests/default-backend-service_test.yaml
View File

@@ -20,7 +20,7 @@ tests:
of: Service
- equal:
path: metadata.name
value: RELEASE-NAME-ingress-nginx-defaultbackend
value: RELEASE-NAME-open-appsec-k8s-nginx-ingress-defaultbackend
- it: should create a Service with port 80 if `defaultBackend.service.port` is 80
set:

31
build_system/charts/open-appsec-k8s-nginx-ingress/values.yaml
View File

@@ -26,9 +26,9 @@ controller:
## for backwards compatibility consider setting the full image url via the repository value below
## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
## repository:
tag: "v1.9.5"
digest: sha256:b3aba22b1da80e7acfc52b115cae1d4c687172cbf2b742d5b502419c25ff340e
digestChroot: sha256:9a8d7b25a846a6461cd044b9aea9cf6cad972bcf2e64d9fd246c0279979aad2d
tag: "v1.10.0"
digest: sha256:42b3f0e5d0846876b1791cd3afeb5f1cbbe4259d6f35651dcc1b5c980925379c
digestChroot: sha256:7eb46ff733429e0e46892903c7394aff149ac6d284d92b3946f3baf7ff26a096
pullPolicy: IfNotPresent
runAsNonRoot: true
# www-data -> uid 101
@@ -781,8 +781,8 @@ controller:
## for backwards compatibility consider setting the full image url via the repository value below
## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
## repository:
tag: v20231011-8b53cabe0
digest: sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80
tag: v1.4.0
digest: sha256:44d1d0e9f19c63f58b380c5fddaca7cf22c7cee564adeff365225a5df5ef3334
pullPolicy: IfNotPresent
# -- Provide a priority class name to the webhook patching job
##
@@ -1193,6 +1193,27 @@ appsec:
image: smartsync-shared-files
tag: latest
tuning:
name: open-appsec-tuning
image:
registry: ghcr.io/openappsec
image: smartsync-tuning
tag: latest
enabled: false
replicaCount: 1
securityContext:
fsGroup: 2000
runAsGroup: 2000
runAsUser: 1000
port: 8080
failureThreshold: 3
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 10
successThreshold: 1
serviceAccount:
create: true
# -- For nginx vanilla installation use kind Vanilla (no appsec components).
# -- For nginx with appsec installation use kind AppSec (default: nginx + appsec without state).
# -- For nginx with appsec (statefulset) installation use kind AppSecStateful.

71
build_system/charts/open-appsec-kong/CHANGELOG.md
View File

@@ -1,7 +1,78 @@
# Changelog
## 2.38.0
### Changes
* Added support for setting `SVC.tls.appProtocol` and `SVC.http.appProtocol` values to configure the appProtocol fields
for Kubernetes Service HTTP and TLS ports. It might be useful for integration with external load balancers like GCP.
[#1018](https://github.com/Kong/charts/pull/1018)
## 2.37.1
* Rename the controller status port. This fixes a collision with the proxy status port in the Prometheus ServiceMonitor.
[#1008](https://github.com/Kong/charts/pull/1008)
## 2.37.0
### Changes
* Bumped default `kong/kubernetes-ingress-controller` image tag and updated CRDs to 3.1.
[#1011](https://github.com/Kong/charts/pull/1011)
* Bumped default `kong` image tag to 3.6.
[#1011](https://github.com/Kong/charts/pull/1011)
## 2.36.0
### Fixed
* Add `KongLicense` RBAC rules.
[#1006](https://github.com/Kong/charts/pull/1006)
## 2.35.1
### Fixed
* The plugin helper no longer sets the plugin list when not in use.
[#1002](https://github.com/Kong/charts/pull/1002)
## 2.35.0
### Added
* Added controller's RBAC rules for `KongVault` CRD (installed only when KIC
version >= 3.1.0).
[#992](https://github.com/Kong/charts/pull/992)
### Fixed
* Added a missing `envFrom` render in the main Kong proxy container.
[#994](https://github.com/Kong/charts/pull/994)
## 2.34.0
### Added
* The `envFrom` and `ingressController.envFrom` values.yaml keys now populate
the container field of the same name. This loads environment variables from
ConfigMap or Secret resource keys in bulk:
https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables
[#987](https://github.com/Kong/charts/pull/987)
* Kong listens now use both IPv4 and IPv6 addresses.
[#986](https://github.com/Kong/charts/pull/986)
## 2.33.3
### Fixed
* Add RBAC rules for get, list and watch operations on namespaces so that Gateway API
controllers in KIC can access using a cached controller-runtime client.
[#974](https://github.com/Kong/charts/pull/974)
## 2.33.2
### Fixed
* Fix a template bug related to the `affinity` field for migrations Pods.
[#972](https://github.com/Kong/charts/pull/972)

4
build_system/charts/open-appsec-kong/Chart.yaml
View File

@@ -1,5 +1,5 @@
apiVersion: v2
appVersion: 1.1.3
appVersion: 1.1.8
dependencies:
- condition: postgresql.enabled
name: postgresql
@@ -14,4 +14,4 @@ maintainers:
name: open-appsec-kong
sources:
- https://github.com/Kong/charts/tree/main/charts/kong
version: 2.33.2
version: 2.38.0

76
build_system/charts/open-appsec-kong/README.md
View File

@@ -613,10 +613,11 @@ directory.
| image.effectiveSemver | Semantic version to use for version-dependent features (if `tag` is not a semver) | |
| image.pullPolicy | Image pull policy | `IfNotPresent` |
| image.pullSecrets | Image pull secrets | `null` |
| replicaCount | Kong instance count. It has no effect when `autoscaling.enabled` is set to true | `1` |
| replicaCount | Kong instance count. It has no effect when `autoscaling.enabled` is set to true | `1` |
| plugins | Install custom plugins into Kong via ConfigMaps or Secrets | `{}` |
| env | Additional [Kong configurations](https://getkong.org/docs/latest/configuration/) | |
| customEnv | Custom Environment variables without `KONG_` prefix | |
| customEnv | Custom Environment variables without `KONG_` prefix | |
| envFrom | Populate environment variables from ConfigMap or Secret keys | |
| migrations.preUpgrade | Run "kong migrations up" jobs | `true` |
| migrations.postUpgrade | Run "kong migrations finish" jobs | `true` |
| migrations.annotations | Annotations for migration job pods | `{"sidecar.istio.io/inject": "false" |
@@ -665,40 +666,42 @@ nodes.
mixed TCP/UDP LoadBalancer Services). It _does not_ support the `http`, `tls`,
or `ingress` sections, as it is used only for stream listens.
| Parameter | Description | Default |
|------------------------------------|---------------------------------------------------------------------------------------|--------------------------|
| SVC.enabled | Create Service resource for SVC (admin, proxy, manager, etc.) | |
| SVC.http.enabled | Enables http on the service | |
| SVC.http.servicePort | Service port to use for http | |
| SVC.http.containerPort | Container port to use for http | |
| SVC.http.nodePort | Node port to use for http | |
| SVC.http.hostPort | Host port to use for http | |
| SVC.http.parameters | Array of additional listen parameters | `[]` |
| SVC.tls.enabled | Enables TLS on the service | |
| SVC.tls.containerPort | Container port to use for TLS | |
| SVC.tls.servicePort | Service port to use for TLS | |
| SVC.tls.nodePort | Node port to use for TLS | |
| SVC.tls.hostPort | Host port to use for TLS | |
| SVC.tls.overrideServiceTargetPort | Override service port to use for TLS without touching Kong containerPort | |
| SVC.tls.parameters | Array of additional listen parameters | `["http2"]` |
| SVC.type | k8s service type. Options: NodePort, ClusterIP, LoadBalancer | |
| SVC.clusterIP | k8s service clusterIP | |
| SVC.loadBalancerClass | loadBalancerClass to use for LoadBalancer provisionning | |
| SVC.loadBalancerSourceRanges | Limit service access to CIDRs if set and service type is `LoadBalancer` | `[]` |
| SVC.loadBalancerIP | Reuse an existing ingress static IP for the service | |
| SVC.externalIPs | IPs for which nodes in the cluster will also accept traffic for the servic | `[]` |
| SVC.externalTrafficPolicy | k8s service's externalTrafficPolicy. Options: Cluster, Local | |
| SVC.ingress.enabled | Enable ingress resource creation (works with SVC.type=ClusterIP) | `false` |
| SVC.ingress.ingressClassName | Set the ingressClassName to associate this Ingress with an IngressClass | |
| SVC.ingress.hostname | Ingress hostname | `""` |
| SVC.ingress.path | Ingress path. | `/` |
| SVC.ingress.pathType | Ingress pathType. One of `ImplementationSpecific`, `Exact` or `Prefix` | `ImplementationSpecific` |
| SVC.ingress.hosts | Slice of hosts configurations, including `hostname`, `path` and `pathType` keys | `[]` |
| SVC.ingress.tls | Name of secret resource or slice of `secretName` and `hosts` keys | |
| SVC.ingress.annotations | Ingress annotations. See documentation for your ingress controller for details | `{}` |
| SVC.ingress.labels | Ingress labels. Additional custom labels to add to the ingress. | `{}` |
| SVC.annotations | Service annotations | `{}` |
| SVC.labels | Service labels | `{}` |
| Parameter | Description | Default |
|-----------------------------------|-------------------------------------------------------------------------------------------|--------------------------|
| SVC.enabled | Create Service resource for SVC (admin, proxy, manager, etc.) | |
| SVC.http.enabled | Enables http on the service | |
| SVC.http.servicePort | Service port to use for http | |
| SVC.http.containerPort | Container port to use for http | |
| SVC.http.nodePort | Node port to use for http | |
| SVC.http.hostPort | Host port to use for http | |
| SVC.http.parameters | Array of additional listen parameters | `[]` |
| SVC.http.appProtocol | `appProtocol` to be set in a Service's port. If left empty, no `appProtocol` will be set. | |
| SVC.tls.enabled | Enables TLS on the service | |
| SVC.tls.containerPort | Container port to use for TLS | |
| SVC.tls.servicePort | Service port to use for TLS | |
| SVC.tls.nodePort | Node port to use for TLS | |
| SVC.tls.hostPort | Host port to use for TLS | |
| SVC.tls.overrideServiceTargetPort | Override service port to use for TLS without touching Kong containerPort | |
| SVC.tls.parameters | Array of additional listen parameters | `["http2"]` |
| SVC.tls.appProtocol | `appProtocol` to be set in a Service's port. If left empty, no `appProtocol` will be set. | |
| SVC.type | k8s service type. Options: NodePort, ClusterIP, LoadBalancer | |
| SVC.clusterIP | k8s service clusterIP | |
| SVC.loadBalancerClass | loadBalancerClass to use for LoadBalancer provisionning | |
| SVC.loadBalancerSourceRanges | Limit service access to CIDRs if set and service type is `LoadBalancer` | `[]` |
| SVC.loadBalancerIP | Reuse an existing ingress static IP for the service | |
| SVC.externalIPs | IPs for which nodes in the cluster will also accept traffic for the servic | `[]` |
| SVC.externalTrafficPolicy | k8s service's externalTrafficPolicy. Options: Cluster, Local | |
| SVC.ingress.enabled | Enable ingress resource creation (works with SVC.type=ClusterIP) | `false` |
| SVC.ingress.ingressClassName | Set the ingressClassName to associate this Ingress with an IngressClass | |
| SVC.ingress.hostname | Ingress hostname | `""` |
| SVC.ingress.path | Ingress path. | `/` |
| SVC.ingress.pathType | Ingress pathType. One of `ImplementationSpecific`, `Exact` or `Prefix` | `ImplementationSpecific` |
| SVC.ingress.hosts | Slice of hosts configurations, including `hostname`, `path` and `pathType` keys | `[]` |
| SVC.ingress.tls | Name of secret resource or slice of `secretName` and `hosts` keys | |
| SVC.ingress.annotations | Ingress annotations. See documentation for your ingress controller for details | `{}` |
| SVC.ingress.labels | Ingress labels. Additional custom labels to add to the ingress. | `{}` |
| SVC.annotations | Service annotations | `{}` |
| SVC.labels | Service labels | `{}` |
#### Admin Service mTLS
@@ -741,6 +744,7 @@ section of `values.yaml` file:
| installCRDs | Legacy toggle for Helm 2-style CRD management. Should not be set [unless necessary due to cluster permissions](#removing-cluster-scoped-permissions). | false |
| env | Specify Kong Ingress Controller configuration via environment variables | |
| customEnv | Specify custom environment variables (without the CONTROLLER_ prefix) | |
| envFrom | Populate environment variables from ConfigMap or Secret keys | |
| ingressClass | The name of this controller's ingressClass | kong |
| ingressClassAnnotations | The ingress-class value for controller | kong |
| args | List of ingress-controller cli arguments | [] |

26
build_system/charts/open-appsec-kong/ci/.chartsnap.yaml Normal file
View File

@@ -0,0 +1,26 @@
# It's a configuration file used by helm-chartsnap to ignore dynamically generated fields
# when comparing the chart's snapshot with the rendered chart.
# See https://github.com/jlandowner/helm-chartsnap?tab=readme-ov-file#handling-dynamic-values-.
dynamicFields:
- apiVersion: v1
kind: Secret
name: chartsnap-postgresql
jsonPath:
- /data/postgres-password
- apiVersion: v1
kind: Secret
name: chartsnap-kong-validation-webhook-keypair
jsonPath:
- /data/tls.crt
- /data/tls.key
- apiVersion: v1
kind: Secret
name: chartsnap-kong-validation-webhook-ca-keypair
jsonPath:
- /data/tls.crt
- /data/tls.key
- apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
name: chartsnap-kong-validations
jsonPath:
- /webhooks/0/clientConfig/caBundle

371
build_system/charts/open-appsec-kong/ci/__snapshots__/admin-api-service-clusterip-values.snap Normal file
View File

@@ -0,0 +1,371 @@
[admin-api-service-clusterip-values]
SnapShot = """
- object:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
template:
metadata:
annotations:
checksum/dbless.config: 626be043e4a43b0d55af934d06216254abe132b29af82450379439ecd927219a
kuma.io/gateway: enabled
kuma.io/service-account-token-volume: chartsnap-kong-token
traffic.sidecar.istio.io/includeInboundPorts: \"\"
labels:
app: chartsnap-kong
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
version: \"3.6\"
spec:
automountServiceAccountToken: false
containers:
- env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 0.0.0.0:8444 http2 ssl, [::]:8444 http2 ssl
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_DECLARATIVE_CONFIG
value: /kong_dbless/kong.yml
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
- name: KONG_NGINX_DAEMON
value: \"off\"
image: kong:3.6
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- kong
- quit
- --wait=15
livenessProbe:
failureThreshold: 3
httpGet:
path: /status
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: proxy
ports:
- containerPort: 8444
name: admin-tls
protocol: TCP
- containerPort: 8000
name: proxy
protocol: TCP
- containerPort: 8443
name: proxy-tls
protocol: TCP
- containerPort: 8100
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /status/ready
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
- mountPath: /kong_dbless/
name: kong-custom-dbless-config-volume
initContainers:
- command:
- rm
- -vrf
- $KONG_PREFIX/pids
env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 0.0.0.0:8444 http2 ssl, [::]:8444 http2 ssl
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_DECLARATIVE_CONFIG
value: /kong_dbless/kong.yml
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
image: kong:3.6
imagePullPolicy: IfNotPresent
name: clear-stale-pid
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
- mountPath: /kong_dbless/
name: kong-custom-dbless-config-volume
securityContext: {}
serviceAccountName: chartsnap-kong
terminationGracePeriodSeconds: 30
volumes:
- emptyDir:
sizeLimit: 256Mi
name: chartsnap-kong-prefix-dir
- emptyDir:
sizeLimit: 1Gi
name: chartsnap-kong-tmp
- name: chartsnap-kong-token
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
- configMap:
name: chartsnap-kong-custom-dbless-config
name: kong-custom-dbless-config-volume
- object:
apiVersion: v1
data:
kong.yml: |
_format_version: \"1.1\"
services:
- name: example.com
url: http://example.com
routes:
- name: example
paths:
- \"/example\"
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-custom-dbless-config
namespace: default
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-admin
namespace: default
spec:
ports:
- name: kong-admin-tls
port: 8444
protocol: TCP
targetPort: 8444
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: ClusterIP
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-manager
namespace: default
spec:
ports:
- name: kong-manager
port: 8002
protocol: TCP
targetPort: 8002
- name: kong-manager-tls
port: 8445
protocol: TCP
targetPort: 8445
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: NodePort
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
enable-metrics: \"true\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy
namespace: default
spec:
ports:
- name: kong-proxy
port: 80
protocol: TCP
targetPort: 8000
- name: kong-proxy-tls
port: 443
protocol: TCP
targetPort: 8443
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: LoadBalancer
- object:
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
"""

920
build_system/charts/open-appsec-kong/ci/__snapshots__/custom-labels-values.snap Normal file
View File

@@ -0,0 +1,920 @@
[custom-labels-values]
SnapShot = """
- object:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
acme.com/some-key: some-value
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validations
namespace: default
webhooks:
- admissionReviewVersions:
- v1beta1
clientConfig:
caBundle: '###DYNAMIC_FIELD###'
service:
name: chartsnap-kong-validation-webhook
namespace: default
failurePolicy: Ignore
name: validations.kong.konghq.com
objectSelector:
matchExpressions:
- key: owner
operator: NotIn
values:
- helm
rules:
- apiGroups:
- configuration.konghq.com
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- kongconsumers
- kongplugins
- kongclusterplugins
- kongingresses
- apiGroups:
- \"\"
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- secrets
- services
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
- apiGroups:
- gateway.networking.k8s.io
apiVersions:
- v1alpha2
- v1beta1
- v1
operations:
- CREATE
- UPDATE
resources:
- gateways
- httproutes
sideEffects: None
- object:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
acme.com/some-key: some-value
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
template:
metadata:
annotations:
kuma.io/gateway: enabled
kuma.io/service-account-token-volume: chartsnap-kong-token
traffic.sidecar.istio.io/includeInboundPorts: \"\"
labels:
acme.com/some-key: some-value
app: chartsnap-kong
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
version: \"3.6\"
spec:
automountServiceAccountToken: false
containers:
- args: null
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
value: 0.0.0.0:8080
- name: CONTROLLER_ELECTION_ID
value: kong-ingress-controller-leader-kong
- name: CONTROLLER_INGRESS_CLASS
value: kong
- name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
value: \"true\"
- name: CONTROLLER_KONG_ADMIN_URL
value: https://localhost:8444
- name: CONTROLLER_PUBLISH_SERVICE
value: default/chartsnap-kong-proxy
image: kong/kubernetes-ingress-controller:3.1
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: ingress-controller
ports:
- containerPort: 8080
name: webhook
protocol: TCP
- containerPort: 10255
name: cmetrics
protocol: TCP
- containerPort: 10254
name: cstatus
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /readyz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /admission-webhook
name: webhook-cert
readOnly: true
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: chartsnap-kong-token
readOnly: true
- env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
- name: KONG_NGINX_DAEMON
value: \"off\"
image: kong:3.6
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- kong
- quit
- --wait=15
livenessProbe:
failureThreshold: 3
httpGet:
path: /status
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: proxy
ports:
- containerPort: 8000
name: proxy
protocol: TCP
- containerPort: 8443
name: proxy-tls
protocol: TCP
- containerPort: 8100
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /status/ready
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
initContainers:
- command:
- rm
- -vrf
- $KONG_PREFIX/pids
env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
image: kong:3.6
imagePullPolicy: IfNotPresent
name: clear-stale-pid
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
securityContext: {}
serviceAccountName: chartsnap-kong
terminationGracePeriodSeconds: 30
volumes:
- emptyDir:
sizeLimit: 256Mi
name: chartsnap-kong-prefix-dir
- emptyDir:
sizeLimit: 1Gi
name: chartsnap-kong-tmp
- name: chartsnap-kong-token
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
- name: webhook-cert
secret:
secretName: chartsnap-kong-validation-webhook-keypair
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
acme.com/some-key: some-value
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
rules:
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups/status
verbs:
- get
- patch
- update
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- secrets
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- services/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- ingressclassparameterses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
acme.com/some-key: some-value
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
acme.com/some-key: some-value
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
rules:
- apiGroups:
- \"\"
resources:
- configmaps
- pods
- secrets
- namespaces
verbs:
- get
- apiGroups:
- \"\"
resourceNames:
- kong-ingress-controller-leader-kong-kong
resources:
- configmaps
verbs:
- get
- update
- apiGroups:
- \"\"
resources:
- configmaps
verbs:
- create
- apiGroups:
- \"\"
- coordination.k8s.io
resources:
- configmaps
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
acme.com/some-key: some-value
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
acme.com/some-key: some-value
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-ca-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
acme.com/some-key: some-value
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
kind: Service
metadata:
labels:
acme.com/some-key: some-value
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-manager
namespace: default
spec:
ports:
- name: kong-manager
port: 8002
protocol: TCP
targetPort: 8002
- name: kong-manager-tls
port: 8445
protocol: TCP
targetPort: 8445
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: NodePort
- object:
apiVersion: v1
kind: Service
metadata:
labels:
acme.com/some-key: some-value
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
enable-metrics: \"true\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy
namespace: default
spec:
ports:
- name: kong-proxy
port: 80
protocol: TCP
targetPort: 8000
- name: kong-proxy-tls
port: 443
protocol: TCP
targetPort: 8443
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: LoadBalancer
- object:
apiVersion: v1
kind: Service
metadata:
labels:
acme.com/some-key: some-value
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook
namespace: default
spec:
ports:
- name: webhook
port: 443
protocol: TCP
targetPort: webhook
selector:
acme.com/some-key: some-value
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
- object:
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
acme.com/some-key: some-value
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
"""

912
build_system/charts/open-appsec-kong/ci/__snapshots__/default-values.snap Normal file
View File

@@ -0,0 +1,912 @@
[default-values]
SnapShot = """
- object:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validations
namespace: default
webhooks:
- admissionReviewVersions:
- v1beta1
clientConfig:
caBundle: '###DYNAMIC_FIELD###'
service:
name: chartsnap-kong-validation-webhook
namespace: default
failurePolicy: Ignore
name: validations.kong.konghq.com
objectSelector:
matchExpressions:
- key: owner
operator: NotIn
values:
- helm
rules:
- apiGroups:
- configuration.konghq.com
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- kongconsumers
- kongplugins
- kongclusterplugins
- kongingresses
- apiGroups:
- \"\"
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- secrets
- services
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
- apiGroups:
- gateway.networking.k8s.io
apiVersions:
- v1alpha2
- v1beta1
- v1
operations:
- CREATE
- UPDATE
resources:
- gateways
- httproutes
sideEffects: None
- object:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
template:
metadata:
annotations:
kuma.io/gateway: enabled
kuma.io/service-account-token-volume: chartsnap-kong-token
traffic.sidecar.istio.io/includeInboundPorts: \"\"
labels:
app: chartsnap-kong
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
version: \"3.6\"
spec:
automountServiceAccountToken: false
containers:
- args: null
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
value: 0.0.0.0:8080
- name: CONTROLLER_ANONYMOUS_REPORTS
value: \"false\"
- name: CONTROLLER_ELECTION_ID
value: kong-ingress-controller-leader-kong
- name: CONTROLLER_INGRESS_CLASS
value: kong
- name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
value: \"true\"
- name: CONTROLLER_KONG_ADMIN_URL
value: https://localhost:8444
- name: CONTROLLER_PUBLISH_SERVICE
value: default/chartsnap-kong-proxy
image: kong/kubernetes-ingress-controller:3.1
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: ingress-controller
ports:
- containerPort: 8080
name: webhook
protocol: TCP
- containerPort: 10255
name: cmetrics
protocol: TCP
- containerPort: 10254
name: cstatus
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /readyz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /admission-webhook
name: webhook-cert
readOnly: true
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: chartsnap-kong-token
readOnly: true
- env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_ANONYMOUS_REPORTS
value: \"off\"
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
- name: KONG_NGINX_DAEMON
value: \"off\"
image: kong:3.6
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- kong
- quit
- --wait=15
livenessProbe:
failureThreshold: 3
httpGet:
path: /status
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: proxy
ports:
- containerPort: 8000
name: proxy
protocol: TCP
- containerPort: 8443
name: proxy-tls
protocol: TCP
- containerPort: 8100
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /status/ready
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
initContainers:
- command:
- rm
- -vrf
- $KONG_PREFIX/pids
env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_ANONYMOUS_REPORTS
value: \"off\"
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
image: kong:3.6
imagePullPolicy: IfNotPresent
name: clear-stale-pid
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
securityContext: {}
serviceAccountName: chartsnap-kong
terminationGracePeriodSeconds: 30
volumes:
- emptyDir:
sizeLimit: 256Mi
name: chartsnap-kong-prefix-dir
- emptyDir:
sizeLimit: 1Gi
name: chartsnap-kong-tmp
- name: chartsnap-kong-token
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
- name: webhook-cert
secret:
secretName: chartsnap-kong-validation-webhook-keypair
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
rules:
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups/status
verbs:
- get
- patch
- update
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- secrets
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- services/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- ingressclassparameterses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
rules:
- apiGroups:
- \"\"
resources:
- configmaps
- pods
- secrets
- namespaces
verbs:
- get
- apiGroups:
- \"\"
resourceNames:
- kong-ingress-controller-leader-kong-kong
resources:
- configmaps
verbs:
- get
- update
- apiGroups:
- \"\"
resources:
- configmaps
verbs:
- create
- apiGroups:
- \"\"
- coordination.k8s.io
resources:
- configmaps
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-ca-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-manager
namespace: default
spec:
ports:
- name: kong-manager
port: 8002
protocol: TCP
targetPort: 8002
- name: kong-manager-tls
port: 8445
protocol: TCP
targetPort: 8445
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: NodePort
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
enable-metrics: \"true\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy
namespace: default
spec:
ports:
- name: kong-proxy
port: 80
protocol: TCP
targetPort: 8000
- name: kong-proxy-tls
port: 443
protocol: TCP
targetPort: 8443
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: LoadBalancer
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook
namespace: default
spec:
ports:
- name: webhook
port: 443
protocol: TCP
targetPort: webhook
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
- object:
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
"""

941
build_system/charts/open-appsec-kong/ci/__snapshots__/kong-ingress-1-values.snap Normal file
View File

@@ -0,0 +1,941 @@
[kong-ingress-1-values]
SnapShot = """
- object:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validations
namespace: default
webhooks:
- admissionReviewVersions:
- v1beta1
clientConfig:
caBundle: '###DYNAMIC_FIELD###'
service:
name: chartsnap-kong-validation-webhook
namespace: default
failurePolicy: Ignore
name: validations.kong.konghq.com
objectSelector:
matchExpressions:
- key: owner
operator: NotIn
values:
- helm
rules:
- apiGroups:
- configuration.konghq.com
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- kongconsumers
- kongplugins
- kongclusterplugins
- kongingresses
- apiGroups:
- \"\"
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- secrets
- services
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
- apiGroups:
- gateway.networking.k8s.io
apiVersions:
- v1alpha2
- v1beta1
- v1
operations:
- CREATE
- UPDATE
resources:
- gateways
- httproutes
sideEffects: None
- object:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
template:
metadata:
annotations:
kuma.io/gateway: enabled
kuma.io/service-account-token-volume: chartsnap-kong-token
traffic.sidecar.istio.io/includeInboundPorts: \"\"
labels:
app: chartsnap-kong
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
version: \"3.6\"
spec:
automountServiceAccountToken: false
containers:
- args: null
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
value: 0.0.0.0:8080
- name: CONTROLLER_ELECTION_ID
value: kong-ingress-controller-leader-kong
- name: CONTROLLER_INGRESS_CLASS
value: kong
- name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
value: \"true\"
- name: CONTROLLER_KONG_ADMIN_URL
value: https://localhost:8444
- name: CONTROLLER_PUBLISH_SERVICE
value: default/chartsnap-kong-proxy
image: kong/kubernetes-ingress-controller:3.1
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: ingress-controller
ports:
- containerPort: 8080
name: webhook
protocol: TCP
- containerPort: 10255
name: cmetrics
protocol: TCP
- containerPort: 10254
name: cstatus
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /readyz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /admission-webhook
name: webhook-cert
readOnly: true
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: chartsnap-kong-token
readOnly: true
- env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
- name: KONG_NGINX_DAEMON
value: \"off\"
image: kong:3.6
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- kong
- quit
- --wait=15
livenessProbe:
failureThreshold: 3
httpGet:
path: /status
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: proxy
ports:
- containerPort: 8000
name: proxy
protocol: TCP
- containerPort: 8443
name: proxy-tls
protocol: TCP
- containerPort: 8100
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /status/ready
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
initContainers:
- command:
- rm
- -vrf
- $KONG_PREFIX/pids
env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
image: kong:3.6
imagePullPolicy: IfNotPresent
name: clear-stale-pid
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
securityContext: {}
serviceAccountName: chartsnap-kong
terminationGracePeriodSeconds: 30
volumes:
- emptyDir:
sizeLimit: 256Mi
name: chartsnap-kong-prefix-dir
- emptyDir:
sizeLimit: 1Gi
name: chartsnap-kong-tmp
- name: chartsnap-kong-token
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
- name: webhook-cert
secret:
secretName: chartsnap-kong-validation-webhook-keypair
- object:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy
namespace: default
spec:
rules:
- http:
paths:
- backend:
service:
name: chartsnap-kong-proxy
port:
number: 443
path: /
pathType: ImplementationSpecific
tls:
- hosts: null
secretName: kong.proxy.example.secret
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
rules:
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups/status
verbs:
- get
- patch
- update
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- secrets
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- services/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- ingressclassparameterses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
rules:
- apiGroups:
- \"\"
resources:
- configmaps
- pods
- secrets
- namespaces
verbs:
- get
- apiGroups:
- \"\"
resourceNames:
- kong-ingress-controller-leader-kong-kong
resources:
- configmaps
verbs:
- get
- update
- apiGroups:
- \"\"
resources:
- configmaps
verbs:
- create
- apiGroups:
- \"\"
- coordination.k8s.io
resources:
- configmaps
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-ca-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURoakNDQW00Q0NRQ0tyTDdSS1Y0NTBEQU5CZ2txaGtpRzl3MEJBUXNGQURDQmhERUxNQWtHQTFVRUJoTUMKV0ZneEVqQVFCZ05WQkFnTUNWTjBZWFJsVG1GdFpURVJNQThHQTFVRUJ3d0lRMmwwZVU1aGJXVXhGREFTQmdOVgpCQW9NQzBOdmJYQmhibmxPWVcxbE1Sc3dHUVlEVlFRTERCSkRiMjF3WVc1NVUyVmpkR2x2Yms1aGJXVXhHekFaCkJnTlZCQU1NRW5CeWIzaDVMbXR2Ym1jdVpYaGhiWEJzWlRBZUZ3MHlNekEyTWprd09ERTBNekJhRncwek16QTIKTWpZd09ERTBNekJhTUlHRU1Rc3dDUVlEVlFRR0V3SllXREVTTUJBR0ExVUVDQXdKVTNSaGRHVk9ZVzFsTVJFdwpEd1lEVlFRSERBaERhWFI1VG1GdFpURVVNQklHQTFVRUNnd0xRMjl0Y0dGdWVVNWhiV1V4R3pBWkJnTlZCQXNNCkVrTnZiWEJoYm5sVFpXTjBhVzl1VG1GdFpURWJNQmtHQTFVRUF3d1NjSEp2ZUhrdWEyOXVaeTVsZUdGdGNHeGwKTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUE4Wmd4czI1RXdtaXRsRG1HMitWVwpscUZ4R3lkVHU2dWlCVldFZjNoV0h2R3YvUWpYZHBBWXlkc3ZpNS92b1FtcjNUeVJBb3VaR1lCR3RuVEF0cU5rCnFLUmFVaWppVlN3TTNzeUl1cHluMlRjSjk1N2RLUCtUYTRaL0VNUlRwSCtya1psV01LNVYrNUszTmFIL21leDUKVWRRWkl4WUxNM0xIM0t0cmt2OWZRNlhSZ2dkeXo0MEt2YUV6SW1scEVoQnBoS0g5UWJiL3RFRE0vdFFqbC9FUApmbUF5M2Y5WE1uRDNSeFY3TnFrZktpUjNXZ1JDMnFyNWtPbXlJTGp1YWxERk1Zb3lDZUlmSnd1WmVDaEpGb3ZHClFKUFY2WU9xTG5aRWN3MU9BaVBXQnMycXVmWmlsNXplekRDZUFGZDV3eXVrS1dPZ3pTZ3Q2VzZvN2FBRTBDK3YKclFJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUNGZHhFOFVsMVorcWxBbW1lTk5BdlAyZVVxSElTbQpHWXZidzdGdW82bXNJY3V3cjZKeENBWjIwako5UkphalMzWS9TS3BteXM2OXZxU21ic25oeUJzc01mL1ZtenFSClBVLzVkUUZiblNybUJqMnFBNWxtRCtENDVLUEtrTjc1V21NeDRQWkZseEw3WHVLYnZhYVZBUjFFUmRNZy90NisKUXpPV3BVWVZrcFJnQmlxTDBTTjhvTStOTjdScGFESFNkZjlTY1FtUmhNVklNNDdVZ1ZXNWhta21mQjBkUTFhQQo5NWdTQ3E0cGVwUFRzY3NsbVBzM0lOck5BTk45KytyMnM1bXRTWnp5VktRU0cwRjQ0Y1puWjdTdkdTVFJORDlUCnRKVzNTcko3elBwS0JqWi9qVDRRVnpBdGtHN3FSV2ZhYnlWTmVrK29wMTgwSVY5Um9IR1JDU0kyCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnd2dnU2tBZ0VBQW9JQkFRRHhtREd6YmtUQ2FLMlUKT1liYjVWYVdvWEViSjFPN3E2SUZWWVIvZUZZZThhLzlDTmQya0JqSjJ5K0xuKytoQ2F2ZFBKRUNpNWtaZ0VhMgpkTUMybzJTb3BGcFNLT0pWTEF6ZXpJaTZuS2ZaTnduM250MG8vNU5yaG44UXhGT2tmNnVSbVZZd3JsWDdrcmMxCm9mK1o3SGxSMUJrakZnc3pjc2ZjcTJ1Uy8xOURwZEdDQjNMUGpRcTlvVE1pYVdrU0VHbUVvZjFCdHYrMFFNeisKMUNPWDhROStZRExkLzFjeWNQZEhGWHMycVI4cUpIZGFCRUxhcXZtUTZiSWd1TzVxVU1VeGlqSUo0aDhuQzVsNApLRWtXaThaQWs5WHBnNm91ZGtSekRVNENJOVlHemFxNTltS1huTjdNTUo0QVYzbkRLNlFwWTZETktDM3BicWp0Cm9BVFFMNit0QWdNQkFBRUNnZ0VCQUs3N1I0d3BJcDRZU1JoaGJoN1loWldHQ3JEYkZCZUtZVWd4djB5LzhNaHEKenNlYlhzdGQ1TVpXL2FISVRqdzZFQU9tT1hVNWZNTHVtTWpQMlVDdktWbkg2QzgzczI1ekFFTmlxdWxXUzIvVgpJRi83N1Qwamx6ZTY2MDlPa3pKQzBoWWJsRVNnRUdDc3pBdUpjT0tnVnVLQWwxQkZTQW1VYWRPWFNNdm9NS3lDCkJlekZaVEhOcGRWQ2xwUHVLNGQrWFJJZ1hHWS84RzNmWlFXRWNjV2tTYmRjQUlLdVYvWktHQ0IyT2dXS1VzSHgKTStscEw1TTZ3aXdYOEFNdUVWVHJsMWNwKzAzTjdOaUYwMFpYdCszZzVZUkJmRitYWjZ1b3hmbENQZ3VHdzh6bgpvN2tFRVNKZ2YycHZyZWYveHBjSVFSM090aHZjSzR5RldOcndPbExHQk9FQ2dZRUErNmJBREF0bDAvRlpzV08zCnVvNlBRNXZTL0tqbS9XaUkzeUo5TUdLNzQxTFZpMlRMUGpVZ092SDdkZUVjNVJjUmoxV1Nna3d1bUdzZWE2WkQKWXRWSTRZTDdMM1NUQ3JyZUNFTDRhOUJPcFB0azcxWWw3TmhxZktEaXhzU1FnNmt4dDJ1TlYvZXNSQ1JPeENoWgp5bk9JTmkvN3lOeFpVek4zcndyVjBCMUFNYVVDZ1lFQTljVDBZNkJWRHZLdFFaV1gvR1REZ2pUUzN6QWlPWmFNCjVFM3NleHh6MXY4eDF0N3JvWDV3aHNaVjlzQ05nNlJaNjIyT3hJejhHQnVvMnU1M2h2WFJabmdDaG1PcHYwRjgKcm5STWFNR0tIeGN2TmNrVUZUMW9TdDJCeEhNT1FNZTM2cERVTnZ0S3pvNGJoakpVUU94Mm14RU9TNERscm4rMApRU3FqVFpyWGwya0NnWUJ1UmIyMkNYQ1BsUjBHbkhtd0tEUWpIaTh3UkJza1JDQm1Gc2pnNFFNUU5BWWJWUW15CnNyankyNEtqUHdmWVkybHdjOEVGazdoL1ZjRTR6dHlNZklXNVBCb3h5MVY3eURMdlQ5bG45Um5oTmNBZkdKTDUKM0VPZFpTcTZpdndBbGEyUmdIR3BjSUJ1UTdLNFJpNUNocW5UaE9kQ056eDFOd0psRTh4cHE4ZXJlUUtCZ1FEeQppV3B3UXRLT0ROa0VCdi9WT1E5am1JT2RjOS9pbXZyeGR5RHZvWFdENzVXY3FhTTVYUkRwUUNPbmZnQnBzREI0CjBFWjdHM0xReThNSVF4czcyYXpMaFpWZ1VFdzlEUUJoSFM0bWx4Q2FmQU8vL1c3UFF5bC84RGJXeW9CL1YxamQKcUExMU1PcHpDdlNJcTNSUUdjczJYaytRSFdVTW5zUWhKMVcvQ1JiSE9RS0JnRTVQZ0hrbW1PY1VXZkJBZUtzTApvb2FNNzBINVN1YUNYN1Y1enBhM3hFMW5WVWMxend5aldOdkdWbTA5WkpEOFFMR1ZDV2U0R1o5R1NvV2tqSUMvCklFKzA0M29kUERuL2JwSDlTMDF2a0s1ZDRJSGc3QUcwWXI5SW1zS0paT0djT1dmdUdKSlZ5em1CRXhaSU9pbnoKVFFuaFdhZWs0NE1hdVJYOC9pRjZyZWorCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
kind: Secret
metadata:
name: kong.proxy.example.secret
type: kubernetes.io/tls
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-manager
namespace: default
spec:
ports:
- name: kong-manager
port: 8002
protocol: TCP
targetPort: 8002
- name: kong-manager-tls
port: 8445
protocol: TCP
targetPort: 8445
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: NodePort
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
enable-metrics: \"true\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy
namespace: default
spec:
ports:
- name: kong-proxy
port: 80
protocol: TCP
targetPort: 8000
- name: kong-proxy-tls
port: 443
protocol: TCP
targetPort: 8443
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: LoadBalancer
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook
namespace: default
spec:
ports:
- name: webhook
port: 443
protocol: TCP
targetPort: webhook
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
- object:
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
"""

943
build_system/charts/open-appsec-kong/ci/__snapshots__/kong-ingress-2-values.snap Normal file
View File

@@ -0,0 +1,943 @@
[kong-ingress-2-values]
SnapShot = """
- object:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validations
namespace: default
webhooks:
- admissionReviewVersions:
- v1beta1
clientConfig:
caBundle: '###DYNAMIC_FIELD###'
service:
name: chartsnap-kong-validation-webhook
namespace: default
failurePolicy: Ignore
name: validations.kong.konghq.com
objectSelector:
matchExpressions:
- key: owner
operator: NotIn
values:
- helm
rules:
- apiGroups:
- configuration.konghq.com
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- kongconsumers
- kongplugins
- kongclusterplugins
- kongingresses
- apiGroups:
- \"\"
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- secrets
- services
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
- apiGroups:
- gateway.networking.k8s.io
apiVersions:
- v1alpha2
- v1beta1
- v1
operations:
- CREATE
- UPDATE
resources:
- gateways
- httproutes
sideEffects: None
- object:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
template:
metadata:
annotations:
kuma.io/gateway: enabled
kuma.io/service-account-token-volume: chartsnap-kong-token
traffic.sidecar.istio.io/includeInboundPorts: \"\"
labels:
app: chartsnap-kong
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
version: \"3.6\"
spec:
automountServiceAccountToken: false
containers:
- args: null
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
value: 0.0.0.0:8080
- name: CONTROLLER_ELECTION_ID
value: kong-ingress-controller-leader-kong
- name: CONTROLLER_INGRESS_CLASS
value: kong
- name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
value: \"true\"
- name: CONTROLLER_KONG_ADMIN_URL
value: https://localhost:8444
- name: CONTROLLER_PUBLISH_SERVICE
value: default/chartsnap-kong-proxy
image: kong/kubernetes-ingress-controller:3.1
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: ingress-controller
ports:
- containerPort: 8080
name: webhook
protocol: TCP
- containerPort: 10255
name: cmetrics
protocol: TCP
- containerPort: 10254
name: cstatus
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /readyz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /admission-webhook
name: webhook-cert
readOnly: true
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: chartsnap-kong-token
readOnly: true
- env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
- name: KONG_NGINX_DAEMON
value: \"off\"
image: kong:3.6
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- kong
- quit
- --wait=15
livenessProbe:
failureThreshold: 3
httpGet:
path: /status
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: proxy
ports:
- containerPort: 8000
name: proxy
protocol: TCP
- containerPort: 8443
name: proxy-tls
protocol: TCP
- containerPort: 8100
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /status/ready
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
initContainers:
- command:
- rm
- -vrf
- $KONG_PREFIX/pids
env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
image: kong:3.6
imagePullPolicy: IfNotPresent
name: clear-stale-pid
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
securityContext: {}
serviceAccountName: chartsnap-kong
terminationGracePeriodSeconds: 30
volumes:
- emptyDir:
sizeLimit: 256Mi
name: chartsnap-kong-prefix-dir
- emptyDir:
sizeLimit: 1Gi
name: chartsnap-kong-tmp
- name: chartsnap-kong-token
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
- name: webhook-cert
secret:
secretName: chartsnap-kong-validation-webhook-keypair
- object:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy
namespace: default
spec:
rules:
- host: proxy.kong.example
http:
paths:
- backend:
service:
name: chartsnap-kong-proxy
port:
number: 443
path: /
pathType: ImplementationSpecific
tls:
- hosts:
- proxy.kong.example
secretName: kong.proxy.example.secret
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
rules:
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups/status
verbs:
- get
- patch
- update
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- secrets
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- services/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- ingressclassparameterses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
rules:
- apiGroups:
- \"\"
resources:
- configmaps
- pods
- secrets
- namespaces
verbs:
- get
- apiGroups:
- \"\"
resourceNames:
- kong-ingress-controller-leader-kong-kong
resources:
- configmaps
verbs:
- get
- update
- apiGroups:
- \"\"
resources:
- configmaps
verbs:
- create
- apiGroups:
- \"\"
- coordination.k8s.io
resources:
- configmaps
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-ca-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURoakNDQW00Q0NRQ0tyTDdSS1Y0NTBEQU5CZ2txaGtpRzl3MEJBUXNGQURDQmhERUxNQWtHQTFVRUJoTUMKV0ZneEVqQVFCZ05WQkFnTUNWTjBZWFJsVG1GdFpURVJNQThHQTFVRUJ3d0lRMmwwZVU1aGJXVXhGREFTQmdOVgpCQW9NQzBOdmJYQmhibmxPWVcxbE1Sc3dHUVlEVlFRTERCSkRiMjF3WVc1NVUyVmpkR2x2Yms1aGJXVXhHekFaCkJnTlZCQU1NRW5CeWIzaDVMbXR2Ym1jdVpYaGhiWEJzWlRBZUZ3MHlNekEyTWprd09ERTBNekJhRncwek16QTIKTWpZd09ERTBNekJhTUlHRU1Rc3dDUVlEVlFRR0V3SllXREVTTUJBR0ExVUVDQXdKVTNSaGRHVk9ZVzFsTVJFdwpEd1lEVlFRSERBaERhWFI1VG1GdFpURVVNQklHQTFVRUNnd0xRMjl0Y0dGdWVVNWhiV1V4R3pBWkJnTlZCQXNNCkVrTnZiWEJoYm5sVFpXTjBhVzl1VG1GdFpURWJNQmtHQTFVRUF3d1NjSEp2ZUhrdWEyOXVaeTVsZUdGdGNHeGwKTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUE4Wmd4czI1RXdtaXRsRG1HMitWVwpscUZ4R3lkVHU2dWlCVldFZjNoV0h2R3YvUWpYZHBBWXlkc3ZpNS92b1FtcjNUeVJBb3VaR1lCR3RuVEF0cU5rCnFLUmFVaWppVlN3TTNzeUl1cHluMlRjSjk1N2RLUCtUYTRaL0VNUlRwSCtya1psV01LNVYrNUszTmFIL21leDUKVWRRWkl4WUxNM0xIM0t0cmt2OWZRNlhSZ2dkeXo0MEt2YUV6SW1scEVoQnBoS0g5UWJiL3RFRE0vdFFqbC9FUApmbUF5M2Y5WE1uRDNSeFY3TnFrZktpUjNXZ1JDMnFyNWtPbXlJTGp1YWxERk1Zb3lDZUlmSnd1WmVDaEpGb3ZHClFKUFY2WU9xTG5aRWN3MU9BaVBXQnMycXVmWmlsNXplekRDZUFGZDV3eXVrS1dPZ3pTZ3Q2VzZvN2FBRTBDK3YKclFJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUNGZHhFOFVsMVorcWxBbW1lTk5BdlAyZVVxSElTbQpHWXZidzdGdW82bXNJY3V3cjZKeENBWjIwako5UkphalMzWS9TS3BteXM2OXZxU21ic25oeUJzc01mL1ZtenFSClBVLzVkUUZiblNybUJqMnFBNWxtRCtENDVLUEtrTjc1V21NeDRQWkZseEw3WHVLYnZhYVZBUjFFUmRNZy90NisKUXpPV3BVWVZrcFJnQmlxTDBTTjhvTStOTjdScGFESFNkZjlTY1FtUmhNVklNNDdVZ1ZXNWhta21mQjBkUTFhQQo5NWdTQ3E0cGVwUFRzY3NsbVBzM0lOck5BTk45KytyMnM1bXRTWnp5VktRU0cwRjQ0Y1puWjdTdkdTVFJORDlUCnRKVzNTcko3elBwS0JqWi9qVDRRVnpBdGtHN3FSV2ZhYnlWTmVrK29wMTgwSVY5Um9IR1JDU0kyCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnd2dnU2tBZ0VBQW9JQkFRRHhtREd6YmtUQ2FLMlUKT1liYjVWYVdvWEViSjFPN3E2SUZWWVIvZUZZZThhLzlDTmQya0JqSjJ5K0xuKytoQ2F2ZFBKRUNpNWtaZ0VhMgpkTUMybzJTb3BGcFNLT0pWTEF6ZXpJaTZuS2ZaTnduM250MG8vNU5yaG44UXhGT2tmNnVSbVZZd3JsWDdrcmMxCm9mK1o3SGxSMUJrakZnc3pjc2ZjcTJ1Uy8xOURwZEdDQjNMUGpRcTlvVE1pYVdrU0VHbUVvZjFCdHYrMFFNeisKMUNPWDhROStZRExkLzFjeWNQZEhGWHMycVI4cUpIZGFCRUxhcXZtUTZiSWd1TzVxVU1VeGlqSUo0aDhuQzVsNApLRWtXaThaQWs5WHBnNm91ZGtSekRVNENJOVlHemFxNTltS1huTjdNTUo0QVYzbkRLNlFwWTZETktDM3BicWp0Cm9BVFFMNit0QWdNQkFBRUNnZ0VCQUs3N1I0d3BJcDRZU1JoaGJoN1loWldHQ3JEYkZCZUtZVWd4djB5LzhNaHEKenNlYlhzdGQ1TVpXL2FISVRqdzZFQU9tT1hVNWZNTHVtTWpQMlVDdktWbkg2QzgzczI1ekFFTmlxdWxXUzIvVgpJRi83N1Qwamx6ZTY2MDlPa3pKQzBoWWJsRVNnRUdDc3pBdUpjT0tnVnVLQWwxQkZTQW1VYWRPWFNNdm9NS3lDCkJlekZaVEhOcGRWQ2xwUHVLNGQrWFJJZ1hHWS84RzNmWlFXRWNjV2tTYmRjQUlLdVYvWktHQ0IyT2dXS1VzSHgKTStscEw1TTZ3aXdYOEFNdUVWVHJsMWNwKzAzTjdOaUYwMFpYdCszZzVZUkJmRitYWjZ1b3hmbENQZ3VHdzh6bgpvN2tFRVNKZ2YycHZyZWYveHBjSVFSM090aHZjSzR5RldOcndPbExHQk9FQ2dZRUErNmJBREF0bDAvRlpzV08zCnVvNlBRNXZTL0tqbS9XaUkzeUo5TUdLNzQxTFZpMlRMUGpVZ092SDdkZUVjNVJjUmoxV1Nna3d1bUdzZWE2WkQKWXRWSTRZTDdMM1NUQ3JyZUNFTDRhOUJPcFB0azcxWWw3TmhxZktEaXhzU1FnNmt4dDJ1TlYvZXNSQ1JPeENoWgp5bk9JTmkvN3lOeFpVek4zcndyVjBCMUFNYVVDZ1lFQTljVDBZNkJWRHZLdFFaV1gvR1REZ2pUUzN6QWlPWmFNCjVFM3NleHh6MXY4eDF0N3JvWDV3aHNaVjlzQ05nNlJaNjIyT3hJejhHQnVvMnU1M2h2WFJabmdDaG1PcHYwRjgKcm5STWFNR0tIeGN2TmNrVUZUMW9TdDJCeEhNT1FNZTM2cERVTnZ0S3pvNGJoakpVUU94Mm14RU9TNERscm4rMApRU3FqVFpyWGwya0NnWUJ1UmIyMkNYQ1BsUjBHbkhtd0tEUWpIaTh3UkJza1JDQm1Gc2pnNFFNUU5BWWJWUW15CnNyankyNEtqUHdmWVkybHdjOEVGazdoL1ZjRTR6dHlNZklXNVBCb3h5MVY3eURMdlQ5bG45Um5oTmNBZkdKTDUKM0VPZFpTcTZpdndBbGEyUmdIR3BjSUJ1UTdLNFJpNUNocW5UaE9kQ056eDFOd0psRTh4cHE4ZXJlUUtCZ1FEeQppV3B3UXRLT0ROa0VCdi9WT1E5am1JT2RjOS9pbXZyeGR5RHZvWFdENzVXY3FhTTVYUkRwUUNPbmZnQnBzREI0CjBFWjdHM0xReThNSVF4czcyYXpMaFpWZ1VFdzlEUUJoSFM0bWx4Q2FmQU8vL1c3UFF5bC84RGJXeW9CL1YxamQKcUExMU1PcHpDdlNJcTNSUUdjczJYaytRSFdVTW5zUWhKMVcvQ1JiSE9RS0JnRTVQZ0hrbW1PY1VXZkJBZUtzTApvb2FNNzBINVN1YUNYN1Y1enBhM3hFMW5WVWMxend5aldOdkdWbTA5WkpEOFFMR1ZDV2U0R1o5R1NvV2tqSUMvCklFKzA0M29kUERuL2JwSDlTMDF2a0s1ZDRJSGc3QUcwWXI5SW1zS0paT0djT1dmdUdKSlZ5em1CRXhaSU9pbnoKVFFuaFdhZWs0NE1hdVJYOC9pRjZyZWorCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
kind: Secret
metadata:
name: kong.proxy.example.secret
type: kubernetes.io/tls
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-manager
namespace: default
spec:
ports:
- name: kong-manager
port: 8002
protocol: TCP
targetPort: 8002
- name: kong-manager-tls
port: 8445
protocol: TCP
targetPort: 8445
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: NodePort
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
enable-metrics: \"true\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy
namespace: default
spec:
ports:
- name: kong-proxy
port: 80
protocol: TCP
targetPort: 8000
- name: kong-proxy-tls
port: 443
protocol: TCP
targetPort: 8443
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: LoadBalancer
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook
namespace: default
spec:
ports:
- name: webhook
port: 443
protocol: TCP
targetPort: webhook
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
- object:
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
"""

930
build_system/charts/open-appsec-kong/ci/__snapshots__/kong-ingress-3-values.snap Normal file
View File

@@ -0,0 +1,930 @@
[kong-ingress-3-values]
SnapShot = """
- object:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validations
namespace: default
webhooks:
- admissionReviewVersions:
- v1beta1
clientConfig:
caBundle: '###DYNAMIC_FIELD###'
service:
name: chartsnap-kong-validation-webhook
namespace: default
failurePolicy: Ignore
name: validations.kong.konghq.com
objectSelector:
matchExpressions:
- key: owner
operator: NotIn
values:
- helm
rules:
- apiGroups:
- configuration.konghq.com
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- kongconsumers
- kongplugins
- kongclusterplugins
- kongingresses
- apiGroups:
- \"\"
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- secrets
- services
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
- apiGroups:
- gateway.networking.k8s.io
apiVersions:
- v1alpha2
- v1beta1
- v1
operations:
- CREATE
- UPDATE
resources:
- gateways
- httproutes
sideEffects: None
- object:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
template:
metadata:
annotations:
kuma.io/gateway: enabled
kuma.io/service-account-token-volume: chartsnap-kong-token
traffic.sidecar.istio.io/includeInboundPorts: \"\"
labels:
app: chartsnap-kong
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
version: \"3.6\"
spec:
automountServiceAccountToken: false
containers:
- args: null
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
value: 0.0.0.0:8080
- name: CONTROLLER_ELECTION_ID
value: kong-ingress-controller-leader-kong
- name: CONTROLLER_INGRESS_CLASS
value: kong
- name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
value: \"true\"
- name: CONTROLLER_KONG_ADMIN_URL
value: https://localhost:8444
- name: CONTROLLER_PUBLISH_SERVICE
value: default/chartsnap-kong-proxy
image: kong/kubernetes-ingress-controller:3.1
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: ingress-controller
ports:
- containerPort: 8080
name: webhook
protocol: TCP
- containerPort: 10255
name: cmetrics
protocol: TCP
- containerPort: 10254
name: cstatus
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /readyz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /admission-webhook
name: webhook-cert
readOnly: true
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: chartsnap-kong-token
readOnly: true
- env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
- name: KONG_NGINX_DAEMON
value: \"off\"
image: kong:3.6
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- kong
- quit
- --wait=15
livenessProbe:
failureThreshold: 3
httpGet:
path: /status
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: proxy
ports:
- containerPort: 8000
name: proxy
protocol: TCP
- containerPort: 8443
name: proxy-tls
protocol: TCP
- containerPort: 8100
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /status/ready
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
initContainers:
- command:
- rm
- -vrf
- $KONG_PREFIX/pids
env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
image: kong:3.6
imagePullPolicy: IfNotPresent
name: clear-stale-pid
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
securityContext: {}
serviceAccountName: chartsnap-kong
terminationGracePeriodSeconds: 30
volumes:
- emptyDir:
sizeLimit: 256Mi
name: chartsnap-kong-prefix-dir
- emptyDir:
sizeLimit: 1Gi
name: chartsnap-kong-tmp
- name: chartsnap-kong-token
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
- name: webhook-cert
secret:
secretName: chartsnap-kong-validation-webhook-keypair
- object:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy
namespace: default
spec:
rules:
- host: proxy.kong.example
http:
paths:
- backend:
service:
name: chartsnap-kong-proxy
port:
number: 443
path: /
pathType: ImplementationSpecific
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
rules:
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups/status
verbs:
- get
- patch
- update
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- secrets
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- services/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- ingressclassparameterses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- konglicenses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
rules:
- apiGroups:
- \"\"
resources:
- configmaps
- pods
- secrets
- namespaces
verbs:
- get
- apiGroups:
- \"\"
resourceNames:
- kong-ingress-controller-leader-kong-kong
resources:
- configmaps
verbs:
- get
- update
- apiGroups:
- \"\"
resources:
- configmaps
verbs:
- create
- apiGroups:
- \"\"
- coordination.k8s.io
resources:
- configmaps
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-ca-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-manager
namespace: default
spec:
ports:
- name: kong-manager
port: 8002
protocol: TCP
targetPort: 8002
- name: kong-manager-tls
port: 8445
protocol: TCP
targetPort: 8445
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: NodePort
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
enable-metrics: \"true\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-proxy
namespace: default
spec:
ports:
- name: kong-proxy
port: 80
protocol: TCP
targetPort: 8000
- name: kong-proxy-tls
port: 443
protocol: TCP
targetPort: 8443
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: LoadBalancer
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong-validation-webhook
namespace: default
spec:
ports:
- name: webhook
port: 443
protocol: TCP
targetPort: webhook
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
- object:
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.6\"
helm.sh/chart: kong-2.38.0
name: chartsnap-kong
namespace: default
"""

Some files were not shown because too many files have changed in this diff Show More