Merge branch 'Dec-24-2023' of https://github.com/openappsec/openappsec into Dec-24-2023

AppSec mode fix

CMakeLists.txt

@@ -1,10 +1,10 @@
 cmake_minimum_required (VERSION 2.8.4)
 project (ngen)
 
-set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fPIC -Wall -Wno-terminate -Dalpine")
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fPIC -Wall -Wno-terminate")
 
 execute_process(COMMAND grep -c "Alpine Linux" /etc/os-release OUTPUT_VARIABLE IS_ALPINE)
-if(IS_ALPINE EQUAL "1")
+if(NOT IS_ALPINE EQUAL "0")
     set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Dalpine")
 endif()
 

build_system/charts/open-appsec-k8s-nginx-ingress/Chart.yaml

@@ -1,6 +1,5 @@
 annotations:
-  artifacthub.io/changes: |
-    - "Update Ingress-Nginx version controller-v1.9.1"
+  artifacthub.io/changes: '- "Update Ingress-Nginx version controller-v1.9.4"'
   artifacthub.io/prerelease: "false"
 apiVersion: v2
 appVersion: latest
@@ -11,4 +10,4 @@ kubeVersion: '>=1.20.0-0'
 name: open-appsec-k8s-nginx-ingress
 sources:
 - https://github.com/kubernetes/ingress-nginx
-version: 4.8.1
+version: 4.8.3

build_system/charts/open-appsec-k8s-nginx-ingress/README.md

@@ -2,7 +2,7 @@
 
 [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 
-![Version: 4.8.1](https://img.shields.io/badge/Version-4.8.1-informational?style=flat-square) ![AppVersion: 1.9.1](https://img.shields.io/badge/AppVersion-1.9.1-informational?style=flat-square)
+![Version: 4.8.3](https://img.shields.io/badge/Version-4.8.3-informational?style=flat-square) ![AppVersion: 1.9.4](https://img.shields.io/badge/AppVersion-1.9.4-informational?style=flat-square)
 
 To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
 
@@ -251,11 +251,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.admissionWebhooks.namespaceSelector | object | `{}` |  |
 | controller.admissionWebhooks.objectSelector | object | `{}` |  |
 | controller.admissionWebhooks.patch.enabled | bool | `true` |  |
-| controller.admissionWebhooks.patch.image.digest | string | `"sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b"` |  |
+| controller.admissionWebhooks.patch.image.digest | string | `"sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80"` |  |
 | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` |  |
 | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` |  |
 | controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` |  |
-| controller.admissionWebhooks.patch.image.tag | string | `"v20230407"` |  |
+| controller.admissionWebhooks.patch.image.tag | string | `"v20231011-8b53cabe0"` |  |
 | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources |
 | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` |  |
 | controller.admissionWebhooks.patch.podAnnotations | object | `{}` |  |
@@ -314,13 +314,13 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.hostname | object | `{}` | Optionally customize the pod hostname. |
 | controller.image.allowPrivilegeEscalation | bool | `true` |  |
 | controller.image.chroot | bool | `false` |  |
-| controller.image.digest | string | `"sha256:605a737877de78969493a4b1213b21de4ee425d2926906857b98050f57a95b25"` |  |
-| controller.image.digestChroot | string | `"sha256:2ac744ef08850ee86ad7162451a6879f47c1a41c6a757f6b6f913c52103b8836"` |  |
+| controller.image.digest | string | `"sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3"` |  |
+| controller.image.digestChroot | string | `"sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26"` |  |
 | controller.image.image | string | `"ingress-nginx/controller"` |  |
 | controller.image.pullPolicy | string | `"IfNotPresent"` |  |
 | controller.image.registry | string | `"registry.k8s.io"` |  |
 | controller.image.runAsUser | int | `101` |  |
-| controller.image.tag | string | `"v1.9.1"` |  |
+| controller.image.tag | string | `"v1.9.4"` |  |
 | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation |
 | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
 | controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass |
@@ -498,6 +498,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | defaultBackend.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # |
 | dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param |
 | imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |
+| namespaceOverride | string | `""` | Override the deployment namespace; defaults to .Release.Namespace |
 | podSecurityPolicy.enabled | bool | `false` |  |
 | portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration |
 | rbac.create | bool | `true` |  |

build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.8.2.md

@@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.8.2
+
+* - "update nginx base, httpbun, e2e, helm webhook cert gen (#10506)"
+* - "Update Ingress-Nginx version controller-v1.9.3"
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.1...helm-chart-4.8.2

build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.8.3.md

@@ -0,0 +1,8 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.8.3
+* Update Ingress-Nginx version controller-v1.9.4
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.2...helm-chart-4.8.3

build_system/charts/open-appsec-k8s-nginx-ingress/templates/_helpers.tpl

@@ -30,6 +30,17 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- end -}}
 {{- end -}}
 
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "ingress-nginx.namespace" -}}
+  {{- if .Values.namespaceOverride -}}
+    {{- .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
 
 {{/*
 Container SecurityContext.

build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/cert-manager.yaml

@@ -6,7 +6,7 @@ apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
   name: {{ include "ingress-nginx.fullname" . }}-self-signed-issuer
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
   selfSigned: {}
 ---
@@ -15,7 +15,7 @@ apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: {{ include "ingress-nginx.fullname" . }}-root-cert
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
   secretName: {{ include "ingress-nginx.fullname" . }}-root-cert
   duration: {{ .Values.controller.admissionWebhooks.certManager.rootCert.duration | default "43800h0m0s" | quote }}
@@ -32,7 +32,7 @@ apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
   name: {{ include "ingress-nginx.fullname" . }}-root-issuer
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
   ca:
     secretName: {{ include "ingress-nginx.fullname" . }}-root-cert
@@ -43,7 +43,7 @@ apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: {{ include "ingress-nginx.fullname" . }}-admission
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
   secretName: {{ include "ingress-nginx.fullname" . }}-admission
   duration: {{ .Values.controller.admissionWebhooks.certManager.admissionCert.duration | default "8760h0m0s" | quote }}
@@ -55,8 +55,8 @@ spec:
     {{- end }}
   dnsNames:
     - {{ include "ingress-nginx.controller.fullname" . }}-admission
-    - {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ .Release.Namespace }}
-    - {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ .Release.Namespace }}.svc
+    - {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ include "ingress-nginx.namespace" . }}
+    - {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ include "ingress-nginx.namespace" . }}.svc
   subject:
     organizations:
       - ingress-nginx-admission

build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/clusterrolebinding.yaml

@@ -19,5 +19,5 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ include "ingress-nginx.fullname" . }}-admission
-    namespace: {{ .Release.Namespace | quote }}
+    namespace: {{ (include "ingress-nginx.namespace" .) | quote }}
 {{- end }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/job-createSecret.yaml

@@ -3,7 +3,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: {{ include "ingress-nginx.fullname" . }}-admission-create
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded

build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/job-patchWebhook.yaml

@@ -3,7 +3,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: {{ include "ingress-nginx.fullname" . }}-admission-patch
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
   annotations:
     "helm.sh/hook": post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded

build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/networkpolicy.yaml

@@ -3,7 +3,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   name: {{ include "ingress-nginx.fullname" . }}-admission
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded

build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/role.yaml

@@ -2,8 +2,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: {{ include "ingress-nginx.fullname" . }}-admission
-  namespace: {{ .Release.Namespace }}
+  name:  {{ include "ingress-nginx.fullname" . }}-admission
+  namespace: {{ include "ingress-nginx.namespace" . }}
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded

build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/rolebinding.yaml

@@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ include "ingress-nginx.fullname" . }}-admission
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@@ -20,5 +20,5 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ include "ingress-nginx.fullname" . }}-admission
-    namespace: {{ .Release.Namespace | quote }}
+    namespace: {{ (include "ingress-nginx.namespace" .) | quote }}
 {{- end }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/serviceaccount.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "ingress-nginx.fullname" . }}-admission
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded

build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/validating-webhook.yaml

@@ -38,7 +38,7 @@ webhooks:
       - v1
     clientConfig:
       service:
-        namespace: {{ .Release.Namespace | quote }}
+        namespace: {{ (include "ingress-nginx.namespace" .) | quote }}
         name: {{ include "ingress-nginx.controller.fullname" . }}-admission
         path: /networking/v1/ingresses
     {{- if .Values.controller.admissionWebhooks.timeoutSeconds }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec.yaml

@@ -18,7 +18,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
   {{- if .Values.controller.annotations }}
   annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
   {{- end }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/clusterrolebinding.yaml

@@ -15,5 +15,5 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "ingress-nginx.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace | quote }}
+    namespace: {{ (include "ingress-nginx.namespace" .) | quote }}
 {{- end }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap-addheaders.yaml

@@ -9,6 +9,6 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.fullname" . }}-custom-add-headers
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 data: {{ toYaml .Values.controller.addHeaders | nindent 2 }}
 {{- end }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap-proxyheaders.yaml

@@ -9,6 +9,6 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 data: {{ toYaml .Values.controller.proxySetHeaders | nindent 2 }}
 {{- end }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap-tcp.yaml

@@ -12,6 +12,6 @@ metadata:
   annotations: {{ toYaml .Values.controller.tcp.annotations | nindent 4 }}
 {{- end }}
   name: {{ include "ingress-nginx.fullname" . }}-tcp
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 data: {{ tpl (toYaml .Values.tcp) . | nindent 2 }}
 {{- end }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap-udp.yaml

@@ -12,6 +12,6 @@ metadata:
   annotations: {{ toYaml .Values.controller.udp.annotations | nindent 4 }}
 {{- end }}
   name: {{ include "ingress-nginx.fullname" . }}-udp
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 data: {{ tpl (toYaml .Values.udp) . | nindent 2 }}
 {{- end }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap.yaml

@@ -11,17 +11,17 @@ metadata:
   annotations: {{ toYaml .Values.controller.configAnnotations | nindent 4 }}
 {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 data:
   allow-snippet-annotations: "{{ .Values.controller.allowSnippetAnnotations }}"
 {{- if .Values.controller.addHeaders }}
-  add-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers
+  add-headers: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers
 {{- end }}
 {{- if .Values.controller.proxySetHeaders }}
-  proxy-set-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
+  proxy-set-headers: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
 {{- end }}
 {{- if .Values.dhParam }}
-  ssl-dh-param: {{ .Release.Namespace }}/{{ include "ingress-nginx.controller.fullname" . }}
+  ssl-dh-param: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.controller.fullname" . }}
 {{- end }}
 {{- range $key, $value := .Values.controller.config }}
   {{- $key | nindent 2 }}: {{ $value | quote }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-daemonset.yaml

@@ -1,4 +1,4 @@
-{{- if and (eq .Values.kind "Vanilla") (or (eq .Values.controller.kind "DaemonSet") (eq .Values.controller.kind "Both")) -}}
+{{- if and (eq .Values.kind "Vanilla") (eq .Values.controller.kind "DaemonSet") -}}
 {{- include  "isControllerTagValid" . -}}
 apiVersion: apps/v1
 kind: DaemonSet
@@ -10,7 +10,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
   {{- if .Values.controller.annotations }}
   annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
   {{- end }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-deployment.yaml

@@ -1,4 +1,4 @@
-{{- if and (eq .Values.kind "Vanilla") (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}}
+{{- if and (eq .Values.kind "Vanilla") (eq .Values.controller.kind "Deployment") -}}
 {{- include  "isControllerTagValid" . -}}
 apiVersion: apps/v1
 kind: Deployment
@@ -10,7 +10,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
   {{- if .Values.controller.annotations }}
   annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
   {{- end }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-hpa.yaml

@@ -1,4 +1,4 @@
-{{- if and (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) .Values.controller.autoscaling.enabled (not .Values.controller.keda.enabled) -}}
+{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled (not .Values.controller.keda.enabled) -}}
 apiVersion: {{ ternary "autoscaling/v2" "autoscaling/v2beta2" (.Capabilities.APIVersions.Has "autoscaling/v2") }}
 kind: HorizontalPodAutoscaler
 metadata:
@@ -12,7 +12,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
   scaleTargetRef:
     apiVersion: apps/v1

build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-keda.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.controller.keda.enabled (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}}
+{{- if and .Values.controller.keda.enabled (eq .Values.controller.kind "Deployment") -}}
 # https://keda.sh/docs/
 
 apiVersion: {{ .Values.controller.keda.apiVersion }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-networkpolicy.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
   podSelector:
     matchLabels:

build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-poddisruptionbudget.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
   {{- if .Values.controller.annotations }}
   annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
   {{- end }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-role.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 rules:
   - apiGroups:
       - ""

build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-rolebinding.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -17,5 +17,5 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "ingress-nginx.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace | quote }}
+    namespace: {{ (include "ingress-nginx.namespace" .) | quote }}
 {{- end }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-secret.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 data:
   dhparam.pem: {{ .Values.dhParam }}
 {{- end }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service-internal.yaml

@@ -13,7 +13,7 @@ metadata:
     {{- toYaml .Values.controller.service.labels | nindent 4 }}
   {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}-internal
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
   type: "{{ .Values.controller.service.type }}"
 {{- if .Values.controller.service.internal.loadBalancerIP }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service-metrics.yaml

@@ -12,7 +12,7 @@ metadata:
     {{- toYaml .Values.controller.metrics.service.labels | nindent 4 }}
   {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}-metrics
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
   type: {{ .Values.controller.metrics.service.type }}
 {{- if .Values.controller.metrics.service.clusterIP }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service-webhook.yaml

@@ -12,7 +12,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}-admission
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
   type: {{ .Values.controller.admissionWebhooks.service.type }}
 {{- if .Values.controller.admissionWebhooks.service.clusterIP }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service.yaml

@@ -13,7 +13,7 @@ metadata:
     {{- toYaml .Values.controller.service.labels | nindent 4 }}
   {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
   type: {{ .Values.controller.service.type }}
 {{- if .Values.controller.service.clusterIP }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-serviceaccount.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ template "ingress-nginx.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
   {{- if .Values.serviceAccount.annotations }}
   annotations: {{ toYaml .Values.serviceAccount.annotations | nindent 4 }}
   {{- end }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-servicemonitor.yaml

@@ -6,7 +6,7 @@ metadata:
 {{- if .Values.controller.metrics.serviceMonitor.namespace }}
   namespace: {{ .Values.controller.metrics.serviceMonitor.namespace | quote }}
 {{- else }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 {{- end }}
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
@@ -35,7 +35,7 @@ spec:
 {{- else }}
   namespaceSelector:
     matchNames:
-      - {{ .Release.Namespace }}
+      - {{ include "ingress-nginx.namespace" . }}
 {{- end }}
 {{- if .Values.controller.metrics.serviceMonitor.targetLabels }}
   targetLabels:

build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-deployment.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
   selector:
     matchLabels:

build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-hpa.yaml

@@ -12,7 +12,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
   scaleTargetRef:
     apiVersion: apps/v1

build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-networkpolicy.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
   podSelector:
     matchLabels:

build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-poddisruptionbudget.yaml

@@ -10,7 +10,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
   selector:
     matchLabels:

build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-role.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.fullname" . }}-backend
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 rules:
   - apiGroups:      [{{ template "podSecurityPolicy.apiGroup" . }}]
     resources:      ['podsecuritypolicies']

build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-rolebinding.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.fullname" . }}-backend
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -17,5 +17,5 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace | quote }}
+    namespace: {{ (include "ingress-nginx.namespace" .) | quote }}
 {{- end }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-service.yaml

@@ -12,7 +12,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
   type: {{ .Values.defaultBackend.service.type }}
 {{- if .Values.defaultBackend.service.clusterIP }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-serviceaccount.yaml

@@ -9,6 +9,6 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 automountServiceAccountToken: {{ .Values.defaultBackend.serviceAccount.automountServiceAccountToken }}
 {{- end }}

build_system/charts/open-appsec-k8s-nginx-ingress/values.yaml

@@ -7,6 +7,9 @@
 # nameOverride:
 # fullnameOverride:
 
+# -- Override the deployment namespace; defaults to .Release.Namespace
+namespaceOverride: ""
+
 ## Labels to apply to all resources
 ##
 commonLabels: {}
@@ -24,9 +27,9 @@ controller:
     ## for backwards compatibility consider setting the full image url via the repository value below
     ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
     ## repository:
-    tag: "v1.9.1"
-    digest: sha256:605a737877de78969493a4b1213b21de4ee425d2926906857b98050f57a95b25
-    digestChroot: sha256:2ac744ef08850ee86ad7162451a6879f47c1a41c6a757f6b6f913c52103b8836
+    tag: "v1.9.4"
+    digest: sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
+    digestChroot: sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26
     pullPolicy: IfNotPresent
     # www-data -> uid 101
     runAsUser: 101
@@ -640,8 +643,8 @@ controller:
         ## for backwards compatibility consider setting the full image url via the repository value below
         ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
         ## repository:
-        tag: v20230407
-        digest: sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b
+        tag: v20231011-8b53cabe0
+        digest: sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80
         pullPolicy: IfNotPresent
       # -- Provide a priority class name to the webhook patching job
       ##
@@ -699,7 +702,7 @@ controller:
       ## jobLabel: "app.kubernetes.io/name"
       namespace: ""
       namespaceSelector: {}
-      ## Default: scrape .Release.Namespace only
+      ## Default: scrape .Release.Namespace or namespaceOverride only
       ## To scrape all, use the following:
       ## namespaceSelector:
       ##   any: true

build_system/charts/open-appsec-kong/CHANGELOG.md

@@ -4,10 +4,59 @@
 
 Nothing yet.
 
+## 2.32.0
+
+### Improvements
+
+* Add new `deployment.hostname` value to make identifying instances in
+  controlplane/dataplane configurations easier.
+  [#943](https://github.com/Kong/charts/pull/943)
+
+## 2.31.0
+
+### Improvements
+
+* Added controller's RBAC rules for `KongUpstreamPolicy` CRD.
+  [#917](https://github.com/Kong/charts/pull/917)
+* Added services resource to admission webhook config for KIC >= 3.0.0.
+  [#919](https://github.com/Kong/charts/pull/919)
+* Update default ingress controller version to v3.0
+  [#929](https://github.com/Kong/charts/pull/929)
+  [#930](https://github.com/Kong/charts/pull/930)
+
+### Fixed
+
+* The target port for cmetrics should only be applied if the ingress controller is enabled.
+  [#926](https://github.com/Kong/charts/pull/926)
+* Fix RBAC for Gateway API v1.
+  [#928](https://github.com/Kong/charts/pull/928)
+* Enable Admission webhook for Gateway API v1 resources.
+  [#928](https://github.com/Kong/charts/pull/928)
+
+## 2.30.0
+
+### Improvements
+
+* Prevent installing PodDisruptionBudget for `replicaCount: 1` or `autoscaling.minReplicas: 1`.
+  [#896](https://github.com/Kong/charts/pull/896)
+* The admission webhook now will be triggered on Secrets creation for KIC 2.12.1+.
+  [#907](https://github.com/Kong/charts/pull/907)
+* Container security context defaults now comply with the restricted pod
+  security standard. This includes an enforced run as user ID set to 1000. UID
+  1000 is used for official Kong images other than Alpine images (which use UID
+  100) and for KIC images 3.0.0+ (older images use UID 65532). Images that do
+  not use UID 1000 can still run with this user, as static image files are
+  world-accessible and runtime-created files are created in temporary
+  directories created for the run as user.
+  [#911](https://github.com/Kong/charts/pull/911)
+* Allow using templates (via `tpl`) when specifying `proxy.nameOverride`.
+  [#914](https://github.com/Kong/charts/pull/914)
+
 ## 2.29.0
 
 ### Improvements
 * Make it possible to set the admission webhook's `timeoutSeconds`.
+  [#894](https://github.com/Kong/charts/pull/894)
 
 ## 2.28.1
 
@@ -16,6 +65,7 @@ Nothing yet.
 * The admission webhook now includes Gateway API resources and Ingress
   resources for controller versions 2.12+. This version introduces new
   validations for Kong's regex path implementation.
+  [#892](https://github.com/Kong/charts/pull/892)
 
 ## 2.28.0
 

build_system/charts/open-appsec-kong/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.1.0
+appVersion: 1.1.1
 dependencies:
 - condition: postgresql.enabled
   name: postgresql
@@ -9,11 +9,9 @@ description: The Cloud-Native Ingress and API-management
 home: https://konghq.com/
 icon: https://s3.amazonaws.com/downloads.kong/universe/assets/icon-kong-inc-large.png
 maintainers:
-- email: harry@konghq.com
-  name: hbagdi
-- email: traines@konghq.com
-  name: rainest
+- email: team-k8s@konghq.com
+  name: team-k8s-bot
 name: open-appsec-kong
 sources:
 - https://github.com/Kong/charts/tree/main/charts/kong
-version: 2.29.0
+version: 2.32.0

build_system/charts/open-appsec-kong/README.md

@@ -11,10 +11,10 @@ This chart bootstraps all the components needed to run Kong on a
 ## TL;DR;
 
 ```bash
-$ helm repo add kong https://charts.konghq.com
-$ helm repo update
+helm repo add kong https://charts.konghq.com
+helm repo update
 
-$ helm install kong/kong --generate-name
+helm install kong/kong --generate-name
 ```
 
 ## Table of contents
@@ -91,10 +91,10 @@ $ helm install kong/kong --generate-name
 To install Kong:
 
 ```bash
-$ helm repo add kong https://charts.konghq.com
-$ helm repo update
+helm repo add kong https://charts.konghq.com
+helm repo update
 
-$ helm install kong/kong --generate-name
+helm install kong/kong --generate-name
 ```
 
 ## Uninstall
@@ -102,7 +102,7 @@ $ helm install kong/kong --generate-name
 To uninstall/delete a Helm release `my-release`:
 
 ```bash
-$ helm delete my-release
+helm delete my-release
 ```
 
 The command removes all the Kubernetes components associated with the
@@ -451,6 +451,11 @@ documentation on Service
 DNS](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/)
 for more detail.
 
+If you use multiple Helm releases to manage different data plane configurations
+attached to the same control plane, setting the `deployment.hostname` field
+will help you keep track of which is which in the `/clustering/data-plane`
+endpoint.
+
 ### Cert Manager Integration
 
 By default, Kong will create self-signed certificates on start for its TLS
@@ -508,9 +513,9 @@ event you need to recover from unintended CRD deletion.
 
 ### InitContainers
 
-The chart is able to deploy initcontainers along with Kong. This can be very
+The chart is able to deploy initContainers along with Kong. This can be very
 useful when there's a requirement for custom initialization. The
-`deployment.initcontainers` field in values.yaml takes an array of objects that
+`deployment.initContainers` field in values.yaml takes an array of objects that
 get appended as-is to the existing `spec.template.initContainers` array in the
 kong deployment resource.
 
@@ -581,7 +586,11 @@ namespaces. Limiting access requires several changes to configuration:
 Setting `deployment.daemonset: true` deploys Kong using a [DaemonSet
 controller](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/)
 instead of a Deployment controller. This runs a Kong Pod on every kubelet in
-the Kubernetes cluster.
+the Kubernetes cluster. For such configuration it may be desirable to configure
+Pods to use the network of the host they run on instead of a dedicated network
+namespace. The benefit of this approach is that the Kong can bind ports directly
+to Kubernetes nodes' network interfaces, without the extra network translation
+imposed by NodePort Services. It can be achieved by setting `deployment.hostNetwork: true`.
 
 ### Using dnsPolicy and dnsConfig
 
@@ -725,7 +734,7 @@ section of `values.yaml` file:
 |--------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------|
 | enabled                                    | Deploy the ingress controller, rbac and crd                                                                                                              | true                               |
 | image.repository                           | Docker image with the ingress controller                                                                                                                 | kong/kubernetes-ingress-controller |
-| image.tag                                  | Version of the ingress controller                                                                                                                        | `2.12`                             |
+| image.tag                                  | Version of the ingress controller                                                                                                                        | `3.0`                              |
 | image.effectiveSemver                      | Version of the ingress controller used for version-specific features when image.tag is not a valid semantic version                                      |                                    |
 | readinessProbe                             | Kong ingress controllers readiness probe                                                                                                                 |                                    |
 | livenessProbe                              | Kong ingress controllers liveness probe                                                                                                                  |                                    |
@@ -791,6 +800,12 @@ Kong Ingress Controller v2.9 has introduced gateway discovery which allows
 the controller to discover Gateway instances that it should configure using
 an Admin API Kubernetes service.
 
+Using this feature requires a split release installation of Gateways and Ingress Controller.
+For exemplar `values.yaml` files which use this feature please see: [examples README.md](./example-values/README.md).
+or use the [`ingress` chart](../ingress/README.md) which can handle this for you.
+
+##### Configuration
+
 You'll be able to configure this feature through configuration section under
 `ingressController.gatewayDiscovery`:
 
@@ -813,12 +828,17 @@ You'll be able to configure this feature through configuration section under
   the chart will generate values for `name` and `namespace` based on the current release name and
   namespace. This is useful when consuming the `kong` chart as a subchart.
 
-Using this feature requires a split release installation of Gateways and Ingress Controller.
-For exemplar `values.yaml` files which use this feature please see: [examples README.md](./example-values/README.md).
+Additionally, you can control the addresses that are generated for your Gateways
+via the `--gateway-discovery-dns-strategy` CLI flag that can be set on the Ingress Controller
+(or an equivalent environment variable: `CONTROLLER_GATEWAY_DISCOVERY_DNS_STRATEGY`).
+It accepts 3 values which change the way that Gateway addresses are generated:
+- `service` - for service scoped pod DNS names: `pod-ip-address.service-name.my-namespace.svc.cluster-domain.example`
+- `pod` - for namespace scope pod DNS names: `pod-ip-address.my-namespace.pod.cluster-domain.example`
+- `ip` (default, retains behavior introduced in v2.9) - for regular IP addresses
 
 When using `gatewayDiscovery`, you should consider configuring the Admin service to use mTLS client verification to make
-this interface secure. Without that, anyone who can access the Admin API from inside the cluster can configure the Gateway
-instances.
+this interface secure.
+Without that, anyone who can access the Admin API from inside the cluster can configure the Gateway instances.
 
 On the controller release side, that can be achieved by setting `ingressController.adminApi.tls.client.enabled` to `true`.
 By default, Helm will generate a certificate Secret named `<release name>-admin-api-keypair` and
@@ -838,6 +858,7 @@ On the Gateway release side, set either `admin.tls.client.secretName` to the nam
 | deployment.minReadySeconds         | Minimum number of seconds for which newly created pods should be ready without any of its container crashing, for it to be considered available. |                     |
 | deployment.initContainers          | Create initContainers. Please go to Kubernetes doc for the spec of the initContainers |                     |
 | deployment.daemonset               | Use a DaemonSet instead of a Deployment                                               | `false`             |
+| deployment.hostname                | Set the Deployment's `.spec.template.hostname`. Kong reports this as its hostname.    |                     |
 | deployment.hostNetwork             | Enable hostNetwork, which binds to the ports to the host                              | `false`             |
 | deployment.userDefinedVolumes      | Create volumes. Please go to Kubernetes doc for the spec of the volumes               |                     |
 | deployment.userDefinedVolumeMounts | Create volumeMounts. Please go to Kubernetes doc for the spec of the volumeMounts     |                     |
@@ -878,7 +899,7 @@ On the Gateway release side, set either `admin.tls.client.secretName` to the nam
 | priorityClassName                  | Set pod scheduling priority class for Kong pods                                       | `""`                |
 | secretVolumes                      | Mount given secrets as a volume in Kong container to override default certs and keys. | `[]`                |
 | securityContext                    | Set the securityContext for Kong Pods                                                 | `{}`                |
-| containerSecurityContext           | Set the securityContext for Containers                                                | `{"readOnlyRootFilesystem": true}`                |
+| containerSecurityContext           | Set the securityContext for Containers                                                | See values.yaml     |
 | serviceMonitor.enabled             | Create ServiceMonitor for Prometheus Operator                                         | `false`             |
 | serviceMonitor.interval            | Scraping interval                                                                     | `30s`               |
 | serviceMonitor.namespace           | Where to create ServiceMonitor                                                        |                     |
@@ -1013,7 +1034,7 @@ If you have paid for a license, but you do not have a copy of yours, please
 contact Kong Support. Once you have it, you will need to store it in a Secret:
 
 ```bash
-$ kubectl create secret generic kong-enterprise-license --from-file=license=./license.json
+kubectl create secret generic kong-enterprise-license --from-file=license=./license.json
 ```
 
 Set the secret name in `values.yaml`, in the `.enterprise.license_secret` key.
@@ -1031,7 +1052,7 @@ from \<your username\> \> Edit Profile \> API Key. Use this to create registry
 secrets:
 
 ```bash
-$ kubectl create secret docker-registry kong-enterprise-edition-docker \
+kubectl create secret docker-registry kong-enterprise-edition-docker \
     --docker-server=hub.docker.io \
     --docker-username=<username-provided-to-you> \
     --docker-password=<password-provided-to-you>
@@ -1107,14 +1128,30 @@ whereas this is optional for the Developer Portal on versions 0.36+. Providing
 Portal session configuration in values.yaml provides the default session
 configuration, which can be overridden on a per-workspace basis.
 
+```bash
+cat admin_gui_session_conf
 ```
-$ cat admin_gui_session_conf
+
+```json
 {"cookie_name":"admin_session","cookie_samesite":"off","secret":"admin-secret-CHANGEME","cookie_secure":true,"storage":"kong"}
-$ cat portal_session_conf
+```
+
+```bash
+cat portal_session_conf
+```
+
+```json
 {"cookie_name":"portal_session","cookie_samesite":"off","secret":"portal-secret-CHANGEME","cookie_secure":true,"storage":"kong"}
-$ kubectl create secret generic kong-session-config --from-file=admin_gui_session_conf --from-file=portal_session_conf
+```
+
+```bash
+kubectl create secret generic kong-session-config --from-file=admin_gui_session_conf --from-file=portal_session_conf
+```
+
+```bash
 secret/kong-session-config created
 ```
+
 The exact plugin settings may vary in your environment. The `secret` should
 always be changed for both configurations.
 
@@ -1175,7 +1212,7 @@ between the initial install and upgrades. Both operations are a "sync" in Argo
 terms. This affects when migration Jobs execute in database-backed Kong
 installs.
 
-The chart sets the `Sync` and `BeforeHookCreation` deletion 
+The chart sets the `Sync` and `BeforeHookCreation` deletion
 [hook policies](https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks/)
 on the `init-migrations` and `pre-upgrade-migrations` Jobs.
 

build_system/charts/open-appsec-kong/UPGRADE.md

@@ -193,7 +193,7 @@ database](https://www.postgresql.org/docs/current/backup-dump.html) and
 creating a separate release if you wish to continue using 8.6.8:
 
 ```
-$ helm install my-release -f values.yaml --version 8.6.8 bitnami/postgresql
+helm install my-release -f values.yaml --version 8.6.8 bitnami/postgresql
 ```
 
 Afterwords, you will upgrade your Kong chart release with
@@ -233,26 +233,28 @@ upgrade in multiple steps:
 First, pin the controller version and upgrade to chart 2.4.0:
 
 ```console
-$ helm upgrade --wait \
+helm upgrade --wait \
   --set ingressController.image.tag=<CURRENT_CONTROLLER_VERSION> \
   --version 2.4.0 \
   --namespace <YOUR_RELEASE_NAMESPACE> \
   <YOUR_RELEASE_NAME> kong/kong
 ```
+
 Second, temporarily disable the ingress controller:
 
 ```console
-$ helm upgrade --wait \
+helm upgrade --wait \
   --set ingressController.enabled=false \
   --set deployment.serviceaccount.create=true \
   --version 2.4.0 \
   --namespace <YOUR_RELEASE_NAMESPACE> \
   <YOUR_RELEASE_NAME> kong/kong
 ```
+
 Finally, re-enable the ingress controller at the new version:
 
 ```console
-$ helm upgrade --wait \
+helm upgrade --wait \
   --set ingressController.enabled=true \
   --set ingressController.image.tag=<NEW_CONTROLLER_VERSION> \
   --version 2.4.0 \

build_system/charts/open-appsec-kong/ci/single-image-default-values.yaml

@@ -2,7 +2,7 @@
 # use single image strings instead of repository/tag
 
 image:
-  unifiedRepoTag: kong:3.4
+  unifiedRepoTag: kong:3.4.1
 
 env:
   anonymous_reports: "off"
@@ -10,4 +10,4 @@ ingressController:
   env:
     anonymous_reports: "false"
   image:
-    unifiedRepoTag: kong/kubernetes-ingress-controller:2.12
+    unifiedRepoTag: kong/kubernetes-ingress-controller:3.0

build_system/charts/open-appsec-kong/ci/test2-values.yaml

@@ -45,9 +45,6 @@ proxy:
     parameters:
     - ssl
 
-# - PDB is enabled
-podDisruptionBudget:
-  enabled: true
 # update strategy
 updateStrategy:
   type: "RollingUpdate"

build_system/charts/open-appsec-kong/ci/test5-values.yaml

@@ -37,9 +37,6 @@ proxy:
     annotations: {}
     path: /
 
-# - PDB is enabled
-podDisruptionBudget:
-  enabled: true
 # update strategy
 updateStrategy:
   type: "RollingUpdate"

build_system/charts/open-appsec-kong/crds/custom-resource-definitions.yaml

@@ -1,4 +1,4 @@
-# generated using: kubectl kustomize 'github.com/kong/kubernetes-ingress-controller/config/crd?ref=v2.12.0'
+# generated using: kubectl kustomize 'github.com/kong/kubernetes-ingress-controller/config/crd?ref=v3.0.0'
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -773,7 +773,9 @@ spec:
               `Services` can be a target, OR `Endpoints` can be targets).
             properties:
               algorithm:
-                description: Algorithm is the load balancing algorithm to use.
+                description: 'Algorithm is the load balancing algorithm to use. Accepted
+                  values are: "round-robin", "consistent-hashing", "least-connections",
+                  "latency".'
                 enum:
                 - round-robin
                 - consistent-hashing
@@ -945,6 +947,13 @@ spec:
                 type: integer
             type: object
         type: object
+        x-kubernetes-validations:
+        - message: '''proxy'' field is no longer supported, use Service''s annotations
+            instead'
+          rule: '!has(self.proxy)'
+        - message: '''route'' field is no longer supported, use Ingress'' annotations
+            instead'
+          rule: '!has(self.route)'
     served: true
     storage: true
     subresources:
@@ -1198,6 +1207,387 @@ spec:
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.13.0
+  labels:
+    gateway.networking.k8s.io/policy: direct
+  name: kongupstreampolicies.configuration.konghq.com
+spec:
+  group: configuration.konghq.com
+  names:
+    categories:
+    - kong-ingress-controller
+    kind: KongUpstreamPolicy
+    listKind: KongUpstreamPolicyList
+    plural: kongupstreampolicies
+    shortNames:
+    - kup
+    singular: kongupstreampolicy
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: "KongUpstreamPolicy allows configuring algorithm that should
+          be used for load balancing traffic between Kong Upstream's Targets. It also
+          allows configuring health checks for Kong Upstream's Targets. \n Its configuration
+          is similar to Kong Upstream object (https://docs.konghq.com/gateway/latest/admin-api/#upstream-object),
+          and it is applied to Kong Upstream objects created by the controller. \n
+          It can be attached to Services. To attach it to a Service, it has to be
+          annotated with `konghq.com/upstream-policy: <name>`, where `<name>` is the
+          name of the KongUpstreamPolicy object in the same namespace as the Service.
+          \n When attached to a Service, it will affect all Kong Upstreams created
+          for the Service. \n When attached to a Service used in a Gateway API *Route
+          rule with multiple BackendRefs, all of its Services MUST be configured with
+          the same KongUpstreamPolicy. Otherwise, the controller will *ignore* the
+          KongUpstreamPolicy. \n Note: KongUpstreamPolicy doesn't implement Gateway
+          API's GEP-713 strictly. In particular, it doesn't use the TargetRef for
+          attaching to Services and Gateway API *Routes - annotations are used instead.
+          This is to allow reusing the same KongUpstreamPolicy for multiple Services
+          and Gateway API *Routes."
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec contains the configuration of the Kong upstream.
+            properties:
+              algorithm:
+                description: 'Algorithm is the load balancing algorithm to use. Accepted
+                  values are: "round-robin", "consistent-hashing", "least-connections",
+                  "latency".'
+                enum:
+                - round-robin
+                - consistent-hashing
+                - least-connections
+                - latency
+                type: string
+              hashOn:
+                description: HashOn defines how to calculate hash for consistent-hashing
+                  load balancing algorithm. Algorithm must be set to "consistent-hashing"
+                  for this field to have effect.
+                properties:
+                  cookie:
+                    description: Cookie is the name of the cookie to use as hash input.
+                    type: string
+                  cookiePath:
+                    description: CookiePath is cookie path to set in the response
+                      headers.
+                    type: string
+                  header:
+                    description: Header is the name of the header to use as hash input.
+                    type: string
+                  input:
+                    description: Input allows using one of the predefined inputs (ip,
+                      consumer, path). For other parametrized inputs, use one of the
+                      fields below.
+                    enum:
+                    - ip
+                    - consumer
+                    - path
+                    type: string
+                  queryArg:
+                    description: QueryArg is the name of the query argument to use
+                      as hash input.
+                    type: string
+                  uriCapture:
+                    description: URICapture is the name of the URI capture group to
+                      use as hash input.
+                    type: string
+                type: object
+              hashOnFallback:
+                description: HashOnFallback defines how to calculate hash for consistent-hashing
+                  load balancing algorithm if the primary hash function fails. Algorithm
+                  must be set to "consistent-hashing" for this field to have effect.
+                properties:
+                  cookie:
+                    description: Cookie is the name of the cookie to use as hash input.
+                    type: string
+                  cookiePath:
+                    description: CookiePath is cookie path to set in the response
+                      headers.
+                    type: string
+                  header:
+                    description: Header is the name of the header to use as hash input.
+                    type: string
+                  input:
+                    description: Input allows using one of the predefined inputs (ip,
+                      consumer, path). For other parametrized inputs, use one of the
+                      fields below.
+                    enum:
+                    - ip
+                    - consumer
+                    - path
+                    type: string
+                  queryArg:
+                    description: QueryArg is the name of the query argument to use
+                      as hash input.
+                    type: string
+                  uriCapture:
+                    description: URICapture is the name of the URI capture group to
+                      use as hash input.
+                    type: string
+                type: object
+              healthchecks:
+                description: Healthchecks defines the health check configurations
+                  in Kong.
+                properties:
+                  active:
+                    description: Active configures active health check probing.
+                    properties:
+                      concurrency:
+                        description: Concurrency is the number of targets to check
+                          concurrently.
+                        minimum: 1
+                        type: integer
+                      headers:
+                        additionalProperties:
+                          items:
+                            type: string
+                          type: array
+                        description: Headers is a list of HTTP headers to add to the
+                          probe request.
+                        type: object
+                      healthy:
+                        description: Healthy configures thresholds and HTTP status
+                          codes to mark targets healthy for an upstream.
+                        properties:
+                          httpStatuses:
+                            description: HTTPStatuses is a list of HTTP status codes
+                              that Kong considers a success.
+                            items:
+                              description: HTTPStatus is an HTTP status code.
+                              maximum: 599
+                              minimum: 100
+                              type: integer
+                            type: array
+                          interval:
+                            description: Interval is the interval between active health
+                              checks for an upstream in seconds when in a healthy
+                              state.
+                            minimum: 0
+                            type: integer
+                          successes:
+                            description: Successes is the number of successes to consider
+                              a target healthy.
+                            minimum: 0
+                            type: integer
+                        type: object
+                      httpPath:
+                        description: HTTPPath is the path to use in GET HTTP request
+                          to run as a probe.
+                        pattern: ^/.*$
+                        type: string
+                      httpsSni:
+                        description: HTTPSSNI is the SNI to use in GET HTTPS request
+                          to run as a probe.
+                        type: string
+                      httpsVerifyCertificate:
+                        description: HTTPSVerifyCertificate is a boolean value that
+                          indicates if the certificate should be verified.
+                        type: boolean
+                      timeout:
+                        description: Timeout is the probe timeout in seconds.
+                        minimum: 0
+                        type: integer
+                      type:
+                        description: Type determines whether to perform active health
+                          checks using HTTP or HTTPS, or just attempt a TCP connection.
+                          Accepted values are "http", "https", "tcp", "grpc", "grpcs".
+                        enum:
+                        - http
+                        - https
+                        - tcp
+                        - grpc
+                        - grpcs
+                        type: string
+                      unhealthy:
+                        description: Unhealthy configures thresholds and HTTP status
+                          codes to mark targets unhealthy for an upstream.
+                        properties:
+                          httpFailures:
+                            description: HTTPFailures is the number of failures to
+                              consider a target unhealthy.
+                            minimum: 0
+                            type: integer
+                          httpStatuses:
+                            description: HTTPStatuses is a list of HTTP status codes
+                              that Kong considers a failure.
+                            items:
+                              description: HTTPStatus is an HTTP status code.
+                              maximum: 599
+                              minimum: 100
+                              type: integer
+                            type: array
+                          interval:
+                            description: Interval is the interval between active health
+                              checks for an upstream in seconds when in an unhealthy
+                              state.
+                            minimum: 0
+                            type: integer
+                          tcpFailures:
+                            description: TCPFailures is the number of TCP failures
+                              in a row to consider a target unhealthy.
+                            minimum: 0
+                            type: integer
+                          timeouts:
+                            description: Timeouts is the number of timeouts in a row
+                              to consider a target unhealthy.
+                            minimum: 0
+                            type: integer
+                        type: object
+                    type: object
+                  passive:
+                    description: Passive configures passive health check probing.
+                    properties:
+                      healthy:
+                        description: Healthy configures thresholds and HTTP status
+                          codes to mark targets healthy for an upstream.
+                        properties:
+                          httpStatuses:
+                            description: HTTPStatuses is a list of HTTP status codes
+                              that Kong considers a success.
+                            items:
+                              description: HTTPStatus is an HTTP status code.
+                              maximum: 599
+                              minimum: 100
+                              type: integer
+                            type: array
+                          interval:
+                            description: Interval is the interval between active health
+                              checks for an upstream in seconds when in a healthy
+                              state.
+                            minimum: 0
+                            type: integer
+                          successes:
+                            description: Successes is the number of successes to consider
+                              a target healthy.
+                            minimum: 0
+                            type: integer
+                        type: object
+                      type:
+                        description: Type determines whether to perform passive health
+                          checks interpreting HTTP/HTTPS statuses, or just check for
+                          TCP connection success. Accepted values are "http", "https",
+                          "tcp", "grpc", "grpcs".
+                        enum:
+                        - http
+                        - https
+                        - tcp
+                        - grpc
+                        - grpcs
+                        type: string
+                      unhealthy:
+                        description: Unhealthy configures thresholds and HTTP status
+                          codes to mark targets unhealthy.
+                        properties:
+                          httpFailures:
+                            description: HTTPFailures is the number of failures to
+                              consider a target unhealthy.
+                            minimum: 0
+                            type: integer
+                          httpStatuses:
+                            description: HTTPStatuses is a list of HTTP status codes
+                              that Kong considers a failure.
+                            items:
+                              description: HTTPStatus is an HTTP status code.
+                              maximum: 599
+                              minimum: 100
+                              type: integer
+                            type: array
+                          interval:
+                            description: Interval is the interval between active health
+                              checks for an upstream in seconds when in an unhealthy
+                              state.
+                            minimum: 0
+                            type: integer
+                          tcpFailures:
+                            description: TCPFailures is the number of TCP failures
+                              in a row to consider a target unhealthy.
+                            minimum: 0
+                            type: integer
+                          timeouts:
+                            description: Timeouts is the number of timeouts in a row
+                              to consider a target unhealthy.
+                            minimum: 0
+                            type: integer
+                        type: object
+                    type: object
+                  threshold:
+                    description: Threshold is the minimum percentage of the upstream’s
+                      targets’ weight that must be available for the whole upstream
+                      to be considered healthy.
+                    type: integer
+                type: object
+              slots:
+                description: Slots is the number of slots in the load balancer algorithm.
+                  If not set, the default value in Kong for the algorithm is used.
+                maximum: 65536
+                minimum: 10
+                type: integer
+            type: object
+        type: object
+        x-kubernetes-validations:
+        - message: Only one of spec.hashOn.(input|cookie|header|uriCapture|queryArg)
+            can be set.
+          rule: 'has(self.spec.hashOn) ? [has(self.spec.hashOn.input), has(self.spec.hashOn.cookie),
+            has(self.spec.hashOn.header), has(self.spec.hashOn.uriCapture), has(self.spec.hashOn.queryArg)].filter(fieldSet,
+            fieldSet == true).size() <= 1 : true'
+        - message: When spec.hashOn.cookie is set, spec.hashOn.cookiePath is required.
+          rule: 'has(self.spec.hashOn) && has(self.spec.hashOn.cookie) ? has(self.spec.hashOn.cookiePath)
+            : true'
+        - message: When spec.hashOn.cookiePath is set, spec.hashOn.cookie is required.
+          rule: 'has(self.spec.hashOn) && has(self.spec.hashOn.cookiePath) ? has(self.spec.hashOn.cookie)
+            : true'
+        - message: spec.algorithm must be set to "consistent-hashing" when spec.hashOn
+            is set.
+          rule: 'has(self.spec.hashOn) ? has(self.spec.algorithm) && self.spec.algorithm
+            == "consistent-hashing" : true'
+        - message: Only one of spec.hashOnFallback.(input|header|uriCapture|queryArg)
+            can be set.
+          rule: 'has(self.spec.hashOnFallback) ? [has(self.spec.hashOnFallback.input),
+            has(self.spec.hashOnFallback.header), has(self.spec.hashOnFallback.uriCapture),
+            has(self.spec.hashOnFallback.queryArg)].filter(fieldSet, fieldSet == true).size()
+            <= 1 : true'
+        - message: spec.algorithm must be set to "consistent-hashing" when spec.hashOnFallback
+            is set.
+          rule: 'has(self.spec.hashOnFallback) ? has(self.spec.algorithm) && self.spec.algorithm
+            == "consistent-hashing" : true'
+        - message: spec.hashOnFallback.cookie must not be set.
+          rule: 'has(self.spec.hashOnFallback) ? !has(self.spec.hashOnFallback.cookie)
+            : true'
+        - message: spec.hashOnFallback.cookiePath must not be set.
+          rule: 'has(self.spec.hashOnFallback) ? !has(self.spec.hashOnFallback.cookiePath)
+            : true'
+        - message: spec.healthchecks.passive.healthy.interval must not be set.
+          rule: 'has(self.spec.healthchecks) && has(self.spec.healthchecks.passive)
+            && has(self.spec.healthchecks.passive.healthy) ? !has(self.spec.healthchecks.passive.healthy.interval)
+            : true'
+        - message: spec.healthchecks.passive.unhealthy.interval must not be set.
+          rule: 'has(self.spec.healthchecks) && has(self.spec.healthchecks.passive)
+            && has(self.spec.healthchecks.passive.unhealthy) ? !has(self.spec.healthchecks.passive.unhealthy.interval)
+            : true'
+        - message: spec.hashOnFallback must not be set when spec.hashOn.cookie is
+            set.
+          rule: 'has(self.spec.hashOn) && has(self.spec.hashOn.cookie) ? !has(self.spec.hashOnFallback)
+            : true'
+    served: true
+    storage: true
+    subresources:
+      status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.13.0

build_system/charts/open-appsec-kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml

@@ -9,7 +9,6 @@ admin:
       konghq.com/https-redirect-status-code: "301"
       konghq.com/protocols: https
       konghq.com/strip-path: "true"
-      kubernetes.io/ingress.class: default
       nginx.ingress.kubernetes.io/app-root: /
       nginx.ingress.kubernetes.io/backend-protocol: HTTPS
       nginx.ingress.kubernetes.io/permanent-redirect-code: "301"
@@ -176,8 +175,8 @@ manager:
   ingress:
     annotations:
       konghq.com/https-redirect-status-code: "301"
-      kubernetes.io/ingress.class: default
       nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+    ingressClassName: kong
     enabled: true
     hostname: kong.127-0-0-1.nip.io
     path: /
@@ -209,7 +208,7 @@ portal:
       konghq.com/https-redirect-status-code: "301"
       konghq.com/protocols: https
       konghq.com/strip-path: "false"
-      kubernetes.io/ingress.class: default
+    ingressClassName: kong
     enabled: true
     hostname: developer.127-0-0-1.nip.io
     path: /
@@ -232,8 +231,8 @@ portalapi:
       konghq.com/https-redirect-status-code: "301"
       konghq.com/protocols: https
       konghq.com/strip-path: "true"
-      kubernetes.io/ingress.class: default
       nginx.ingress.kubernetes.io/app-root: /
+    ingressClassName: kong
     enabled: true
     hostname: developer.127-0-0-1.nip.io
     path: /api

build_system/charts/open-appsec-kong/example-values/full-k4k8s-with-kong-enterprise.yaml

@@ -40,8 +40,7 @@ admin:
     enabled: true
     tls: CHANGEME-admin-tls-secret
     hostname: admin.kong.CHANGEME.example
-    annotations:
-      kubernetes.io/ingress.class: "kong"
+    ingressClassName: kong
     path: /
 
 proxy:
@@ -148,8 +147,7 @@ portal:
     enabled: true
     tls: CHANGEME-portal-tls-secret
     hostname: portal.kong.CHANGEME.example
-    annotations:
-      kubernetes.io/ingress.class: "kong"
+    ingressClassName: kong
     path: /
 
   externalIPs: []
@@ -177,8 +175,7 @@ portalapi:
     enabled: true
     tls: CHANGEME-portalapi-tls-secret
     hostname: portalapi.kong.CHANGEME.example
-    annotations:
-      kubernetes.io/ingress.class: "kong"
+    ingressClassName: kong
     path: /
 
   externalIPs: []

build_system/charts/open-appsec-kong/templates/_helpers.tpl

@@ -447,14 +447,28 @@ The name of the service used for the ingress controller's validation webhook
 {{ include "kong.fullname" . }}-validation-webhook
 {{- end -}}
 
+
+{{/*
+The name of the Service which will be used by the controller to update the Ingress status field.
+*/}}
+
+{{- define "kong.controller-publish-service" -}}
+{{- $proxyOverride := "" -}}
+  {{- if .Values.proxy.nameOverride -}}
+    {{- $proxyOverride = ( tpl .Values.proxy.nameOverride . ) -}}
+  {{- end -}}
+{{- (printf "%s/%s" ( include "kong.namespace" . ) ( default ( printf "%s-proxy" (include "kong.fullname" . )) $proxyOverride )) -}}
+{{- end -}}
+
 {{- define "kong.ingressController.env" -}}
 {{/*
     ====== AUTO-GENERATED ENVIRONMENT VARIABLES ======
 */}}
 
+
 {{- $autoEnv := dict -}}
   {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY" true -}}
-  {{- $_ := set $autoEnv "CONTROLLER_PUBLISH_SERVICE" (printf "%s/%s" ( include "kong.namespace" . ) ( .Values.proxy.nameOverride | default ( printf "%s-proxy" (include "kong.fullname" . )))) -}}
+  {{- $_ := set $autoEnv "CONTROLLER_PUBLISH_SERVICE" ( include "kong.controller-publish-service" . ) -}}
   {{- $_ := set $autoEnv "CONTROLLER_INGRESS_CLASS" .Values.ingressController.ingressClass -}}
   {{- $_ := set $autoEnv "CONTROLLER_ELECTION_ID" (printf "kong-ingress-controller-leader-%s" .Values.ingressController.ingressClass) -}}
 
@@ -1253,6 +1267,24 @@ resource roles into their separate templates.
   - namespaces
   verbs:
   - list
+{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - kongupstreampolicies
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - kongupstreampolicies/status
+  verbs:
+  - get
+  - patch
+  - update
+{{- end }}
 {{- if (semverCompare ">= 2.11.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
 - apiGroups:
   - configuration.konghq.com
@@ -1429,7 +1461,7 @@ resource roles into their separate templates.
   - get
   - patch
   - update
-{{- if or (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1alpha2") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1") }}
+{{- if or (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1alpha2") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1")}}
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
@@ -1620,7 +1652,7 @@ Kubernetes Cluster-scoped resources it uses to build Kong configuration.
   - list
   - watch
 {{- end }}
-{{- if or (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1alpha2") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1") }}
+{{- if or (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1alpha2") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1")}}
 - apiGroups:
   - gateway.networking.k8s.io
   resources:

build_system/charts/open-appsec-kong/templates/admission-webhook.yaml

@@ -80,9 +80,15 @@ webhooks:
     apiVersions:
     - 'v1'
     operations:
+{{- if (semverCompare ">= 2.12.1" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+    - CREATE
+{{- end }}
     - UPDATE
     resources:
     - secrets
+{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+    - services
+{{- end }}
 {{- if (semverCompare ">= 2.12.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
   - apiGroups:
     - networking.k8s.io
@@ -98,6 +104,7 @@ webhooks:
     apiVersions:
     - 'v1alpha2'
     - 'v1beta1'
+    - 'v1'
     operations:
     - CREATE
     - UPDATE

build_system/charts/open-appsec-kong/templates/appsec.yaml

@@ -70,6 +70,9 @@ spec:
         {{ include "kong.renderTpl" (dict "value" .Values.podLabels "context" $) | nindent 8 }}
         {{- end }}
     spec:
+      {{- if .Values.deployment.hostname }}
+      hostname: {{ .Values.deployment.hostname }}
+      {{- end }}
       {{- if .Values.deployment.hostNetwork }}
       hostNetwork: true
       {{- end }}

build_system/charts/open-appsec-kong/templates/deployment.yaml

@@ -63,6 +63,9 @@ spec:
         {{ include "kong.renderTpl" (dict "value" .Values.podLabels "context" $) | nindent 8 }}
         {{- end }}
     spec:
+      {{- if .Values.deployment.hostname }}
+      hostname: {{ .Values.deployment.hostname }}
+      {{- end }}
       {{- if .Values.deployment.hostNetwork }}
       hostNetwork: true
       {{- end }}

build_system/charts/open-appsec-kong/templates/pdb.yaml

@@ -1,4 +1,10 @@
 {{- if .Values.podDisruptionBudget.enabled }}
+{{- if and (not .Values.autoscaling.enabled) (le (int .Values.replicaCount) 1) }}
+{{- fail "Enabling PodDisruptionBudget with replicaCount: 1 and no autoscaling prevents pod restarts during upgrades" }}
+{{- end }}
+{{- if and .Values.autoscaling.enabled (le (int .Values.autoscaling.minReplicas) 1) }}
+{{- fail "Enabling PodDisruptionBudget with autoscaling.minReplicas: 1 prevents pod restarts during upgrades" }}
+{{- end }}
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:

build_system/charts/open-appsec-kong/templates/servicemonitor.yaml

@@ -24,7 +24,7 @@ spec:
     {{- if .Values.serviceMonitor.metricRelabelings }}
     metricRelabelings: {{ toYaml .Values.serviceMonitor.metricRelabelings | nindent 6 }}
     {{- end }}
-  {{ if (semverCompare ">= 2.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) -}}
+  {{- if and .Values.ingressController.enabled (semverCompare ">= 2.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
   - targetPort: cmetrics
     scheme: http
     {{- if .Values.serviceMonitor.interval }}

build_system/charts/open-appsec-kong/templates/tests/test-resources.yaml

@@ -32,9 +32,9 @@ metadata:
   name: "{{ .Release.Name }}-httpbin"
   annotations:
     httpbin.ingress.kubernetes.io/rewrite-target: /
-    kubernetes.io/ingress.class: "kong"
     konghq.com/strip-path: "true"
 spec:
+  ingressClassName: kong
   rules:
   - http:
       paths:
@@ -46,14 +46,14 @@ spec:
             port:
               number: 80
 ---
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1beta1
 kind: GatewayClass
 metadata:
   name: "{{ .Release.Name }}-kong-test"
 spec:
   controllerName: konghq.com/kic-gateway-controller
 ---
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1beta1
 kind: Gateway
 metadata:
   name: "{{ .Release.Name }}-kong-test"
@@ -66,7 +66,7 @@ spec:
     protocol: HTTP
     port: 80
 ---
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1beta1
 kind: HTTPRoute
 metadata:
   name: "{{ .Release.Name }}-httpbin"

build_system/charts/open-appsec-kong/values.yaml

@@ -60,6 +60,11 @@ deployment:
   # Use a DaemonSet controller instead of a Deployment controller
   daemonset: false
   hostNetwork: false
+  # Set the Deployment's spec.template.hostname field.
+  # This propagates to Kong API endpoints that report
+  # the hostname, such as the admin API root and hybrid mode
+  # /clustering/data-planes endpoint
+  hostname: ""
   # kong_prefix empty dir size
   prefixDir:
     sizeLimit: 256Mi
@@ -510,13 +515,13 @@ dblessConfig:
 # -----------------------------------------------------------------------------
 
 # Kong Ingress Controller's primary purpose is to satisfy Ingress resources
-# created in k8s.  It uses CRDs for more fine grained control over routing and
+# created in k8s. It uses CRDs for more fine grained control over routing and
 # for Kong specific configuration.
 ingressController:
   enabled: true
   image:
     repository: kong/kubernetes-ingress-controller
-    tag: "2.12"
+    tag: "3.0"
     # Optionally set a semantic version for version-gated features. This can normally
     # be left unset. You only need to set this if your tag is not a semver string,
     # such as when you are using a "next" tag. Set this to the effective semantic
@@ -948,6 +953,14 @@ securityContext: {}
 # securityContext for containers.
 containerSecurityContext:
   readOnlyRootFilesystem: true
+  allowPrivilegeEscalation: false
+  runAsUser: 1000
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
+  capabilities:
+    drop:
+    - ALL
 
 ## Optional DNS configuration for Kong pods
 # dnsPolicy: ClusterFirst
@@ -968,7 +981,7 @@ serviceMonitor:
   # If you wish to gather metrics from a Kong instance with the proxy disabled (such as a hybrid control plane), see:
   # https://github.com/Kong/charts/blob/main/charts/kong/README.md#prometheus-operator-integration
   enabled: false
-  # interval: 10s
+  # interval: 30s
   # Specifies namespace, where ServiceMonitor should be installed
   # namespace: monitoring
   # labels:
@@ -1234,7 +1247,7 @@ appsec:
     #registry:
     repository: ghcr.io/openappsec
     image: "agent"
-    tag: "1.1.0"
+    tag: "1.1.1"
     pullPolicy: Always
 
     securityContext:
@@ -1248,7 +1261,7 @@ appsec:
   kong:
     image:
       repository: "ghcr.io/openappsec/kong-attachment"
-      tag: "1.1.0"
+      tag: "1.1.1"
   configMapName: appsec-settings-configmap
   configMapContent:
     crowdsec:

components/include/i_update_communication.h

@@ -26,6 +26,7 @@ using OrchData      = Maybe<std::string>;
 class I_UpdateCommunication
 {
 public:
+    virtual void init() = 0;
     virtual Maybe<void> sendPolicyVersion(
         const std::string &policy_version,
         const std::string &policy_versions

components/security_apps/local_policy_mgmt_gen/CMakeLists.txt

@@ -13,6 +13,7 @@ add_library(local_policy_mgmt_gen
     local_policy_mgmt_gen.cc
     new_appsec_policy_crd_parser.cc
     new_appsec_linux_policy.cc
+    new_auto_upgrade.cc
     new_custom_response.cc
     new_trusted_sources.cc
     new_log_trigger.cc

components/security_apps/local_policy_mgmt_gen/access_control_practice.cc

@@ -18,16 +18,12 @@ using namespace std;
 USE_DEBUG_FLAG(D_LOCAL_POLICY);
 // LCOV_EXCL_START Reason: no test exist
 
-static const set<string> valid_modes    = {"prevent", "detect", "inactive"};
-static const set<string> valid_units    = {"minute", "second"};
-
-static const std::unordered_map<std::string, std::string> key_to_mode_val = {
-    { "prevent-learn", "Prevent"},
-    { "detect-learn", "Detect"},
-    { "prevent", "Prevent"},
-    { "detect", "Detect"},
-    { "inactive", "Inactive"}
+static const map<string, string> valid_modes_to_key = {
+    {"prevent", "Active"},
+    {"detect", "Detect"},
+    {"inactive", "Inactive"}
 };
+static const set<string> valid_units    = {"minute", "second"};
 
 static const std::unordered_map<std::string, std::string> key_to_units_val = {
     { "second", "Second"},
@@ -78,7 +74,7 @@ RateLimitSection::RateLimitSection(
 {
     bool any = asset_name == "Any" && url == "Any" && uri == "Any";
     string asset_id = any ? "Any" : url+uri;
-    context = "assetId(" + asset_id + ")";
+    context = any ? "All()" : "assetId(" + asset_id + ")";
 }
 
 void
@@ -86,7 +82,7 @@ RateLimitSection::save(cereal::JSONOutputArchive &out_ar) const
 {
     out_ar(
         cereal::make_nvp("context",         context),
-        cereal::make_nvp("mode",            key_to_mode_val.at(mode)),
+        cereal::make_nvp("mode",            mode),
         cereal::make_nvp("practiceId",      practice_id),
         cereal::make_nvp("name",            name),
         cereal::make_nvp("rules",           rules)
@@ -180,9 +176,13 @@ void
 AccessControlRateLimit::load(cereal::JSONInputArchive &archive_in)
 {
     dbgTrace(D_LOCAL_POLICY) << "Loading Access control rate limit";
-    parseAppsecJSONKey<string>("overrideMode", mode, archive_in, "Inactive");
-    if (valid_modes.count(mode) == 0) {
-        dbgWarning(D_LOCAL_POLICY) << "AppSec access control rate limit override mode invalid: " << mode;
+    string in_mode;
+    parseAppsecJSONKey<string>("overrideMode", in_mode, archive_in, "inactive");
+    if (valid_modes_to_key.find(in_mode) == valid_modes_to_key.end()) {
+        dbgWarning(D_LOCAL_POLICY) << "AppSec access control rate limit override mode invalid: " << in_mode;
+        mode = "Inactive";
+    } else {
+        mode = valid_modes_to_key.at(in_mode);
     }
     parseAppsecJSONKey<std::vector<AccessControlRateLimiteRules>>("rules", rules, archive_in);
 }

components/security_apps/local_policy_mgmt_gen/appsec_practice_section.cc

@@ -12,6 +12,7 @@
 // limitations under the License.
 
 #include "appsec_practice_section.h"
+#include <algorithm>
 
 using namespace std;
 
@@ -186,11 +187,11 @@ AppSecPracticeWebAttacks::getMinimumConfidence() const
 const string &
 AppSecPracticeWebAttacks::getMode(const string &default_mode) const
 {
-    if (mode == "Unset" || (key_to_practices_val.find(mode) == key_to_practices_val.end())) {
+    if (mode == "Unset" || (key_to_practices_val2.find(mode) == key_to_practices_val2.end())) {
         dbgError(D_LOCAL_POLICY) << "Couldn't find a value for key: " << mode << ". Returning " << default_mode;
         return default_mode;
     }
-    return key_to_practices_val.at(mode);
+    return key_to_practices_val2.at(mode);
 }
 
 void
@@ -238,6 +239,7 @@ AppSecPracticeOpenSchemaAPI::getConfigMap() const
 {
     return config_map;
 }
+
 // LCOV_EXCL_STOP
 void
 AppSecPracticeSpec::load(cereal::JSONInputArchive &archive_in)
@@ -272,6 +274,7 @@ AppSecPracticeSpec::getSnortSignatures() const
 {
     return snort_signatures;
 }
+
 // LCOV_EXCL_STOP
 
 const AppSecPracticeWebAttacks &
@@ -337,6 +340,7 @@ ParsedMatch::ParsedMatch(const ExceptionMatch &exceptions)
         parsed_match.push_back(ParsedMatch(exception_match));
     }
 }
+
 // LCOV_EXCL_STOP
 
 void
@@ -375,6 +379,7 @@ AppSecOverride::AppSecOverride(const InnerException &parsed_exceptions)
     map<string, string> behavior = {{parsed_exceptions.getBehaviorKey(), parsed_exceptions.getBehaviorValue()}};
     parsed_behavior.push_back(behavior);
 }
+
 // LCOV_EXCL_STOP
 
 void
@@ -426,10 +431,11 @@ WebAppSection::WebAppSection(
     web_attack_mitigation_mode(parsed_appsec_spec.getWebAttacks().getMode(default_mode)),
     practice_advanced_config(parsed_appsec_spec),
     anti_bots(parsed_appsec_spec.getAntiBot()),
-    trusted_sources({parsed_trusted_sources})
+    trusted_sources({ parsed_trusted_sources })
 {
-    web_attack_mitigation = true;
+    web_attack_mitigation = web_attack_mitigation_mode != "Disabled";
     web_attack_mitigation_action =
+        web_attack_mitigation_mode != "Prevent" ? "Transparent" :
         web_attack_mitigation_severity == "critical" ? "low" :
         web_attack_mitigation_severity == "high" ? "balanced" :
         web_attack_mitigation_severity == "medium" ? "high" :
@@ -473,9 +479,9 @@ WebAppSection::WebAppSection(
     web_attack_mitigation_mode(_web_attack_mitigation_mode),
     practice_advanced_config(_practice_advanced_config),
     anti_bots(_anti_bots),
-    trusted_sources({parsed_trusted_sources})
+    trusted_sources({ parsed_trusted_sources })
 {
-    web_attack_mitigation = true;
+    web_attack_mitigation = web_attack_mitigation_mode != "Disabled";
     web_attack_mitigation_action =
         web_attack_mitigation_mode != "Prevent" ? "Transparent" :
         web_attack_mitigation_severity == "critical" ? "low" :
@@ -488,6 +494,7 @@ WebAppSection::WebAppSection(
         overrides.push_back(AppSecOverride(source_ident));
     }
 }
+
 // LCOV_EXCL_STOP
 
 void
@@ -525,7 +532,18 @@ WebAppSection::save(cereal::JSONOutputArchive &out_ar) const
         cereal::make_nvp("botProtection_v2",            detect_str)
     );
 }
+
 // LCOV_EXCL_START Reason: no test exist
+
+bool
+WebAppSection::operator<(const WebAppSection &other) const
+{
+    // for sorting from the most specific to the least specific rule
+    if (application_urls == default_appsec_url) return false;
+    if (other.application_urls == default_appsec_url) return true;
+    return application_urls.size() > other.application_urls.size();
+}
+
 void
 WebAPISection::save(cereal::JSONOutputArchive &out_ar) const
 {
@@ -554,8 +572,29 @@ WebAPISection::save(cereal::JSONOutputArchive &out_ar) const
         cereal::make_nvp("overrides",                      empty_list)
     );
 }
+
+bool
+WebAPISection::operator<(const WebAPISection &other) const
+{
+    // for sorting from the most specific to the least specific rule
+    if (application_urls == default_appsec_url) return false;
+    if (other.application_urls == default_appsec_url) return true;
+    return application_urls.size() > other.application_urls.size();
+}
+
 // LCOV_EXCL_STOP
 
+AppSecRulebase::AppSecRulebase(
+    std::vector<WebAppSection> _webApplicationPractices,
+    std::vector<WebAPISection> _webAPIPractices
+) :
+    webApplicationPractices(_webApplicationPractices),
+    webAPIPractices(_webAPIPractices)
+{
+    sort(webAPIPractices.begin(), webAPIPractices.end());
+    sort(webApplicationPractices.begin(), webApplicationPractices.end());
+}
+
 void
 AppSecRulebase::save(cereal::JSONOutputArchive &out_ar) const
 {
@@ -719,11 +758,7 @@ AppsecLinuxPolicy::serialize(cereal::JSONInputArchive &archive_in)
     parseAppsecJSONKey<vector<AppSecCustomResponseSpec>>("custom-responses", custom_responses, archive_in);
     parseAppsecJSONKey<vector<AppsecException>>("exceptions", exceptions, archive_in);
     parseAppsecJSONKey<vector<TrustedSourcesSpec>>("trusted-sources", trusted_sources, archive_in);
-    parseAppsecJSONKey<vector<SourceIdentifierSpecWrapper>>(
-        "source-identifiers",
-        sources_identifiers,
-        archive_in
-    );
+    parseAppsecJSONKey<vector<SourceIdentifierSpecWrapper>>("source-identifiers", sources_identifiers, archive_in);
 }
 
 const AppsecPolicySpec &
@@ -768,7 +803,6 @@ AppsecLinuxPolicy::getAppsecSourceIdentifierSpecs() const
     return sources_identifiers;
 }
 
-
 const vector<RPMSettings> &
 AppsecLinuxPolicy::rpmGetRPSettings() const
 {

components/security_apps/local_policy_mgmt_gen/exceptions_section.cc

@@ -241,11 +241,21 @@ ExceptionMatch::ExceptionMatch(const NewAppsecException &parsed_exception)
         items.push_back(ExceptionMatch("sourceIdentifier", parsed_exception.getSourceIdentifier()));
     }
     if (!parsed_exception.getSourceIp().empty()) {
-        items.push_back(ExceptionMatch("sourceIp", parsed_exception.getSourceIp()));
+        items.push_back(ExceptionMatch("sourceIP", parsed_exception.getSourceIp()));
     }
     if (!parsed_exception.getUrl().empty()) {
         items.push_back(ExceptionMatch("url", parsed_exception.getUrl()));
     }
+
+    // when there is only one operand, there's no need for an additional 'and'/'or' condition enclosing it
+    if (items.size() == 1) {
+        auto & other = items[0];
+        match_type = other.match_type;
+        op = other.op;
+        key = other.key;
+        value = other.value;
+        items = other.items;
+    }
 }
 
 void

components/security_apps/local_policy_mgmt_gen/include/appsec_practice_section.h

@@ -296,6 +296,8 @@ public:
 
     void save(cereal::JSONOutputArchive &out_ar) const;
 
+    bool operator< (const WebAppSection &other) const;
+
 private:
     std::string application_urls;
     std::string asset_id;
@@ -350,6 +352,8 @@ public:
 
     void save(cereal::JSONOutputArchive &out_ar) const;
 
+    bool operator< (const WebAPISection &other) const;
+
 private:
     std::string application_urls;
     std::string asset_id;
@@ -371,10 +375,7 @@ class AppSecRulebase
 public:
     AppSecRulebase(
         std::vector<WebAppSection> _webApplicationPractices,
-        std::vector<WebAPISection> _webAPIPractices)
-        :
-        webApplicationPractices(_webApplicationPractices),
-        webAPIPractices(_webAPIPractices) {}
+        std::vector<WebAPISection> _webAPIPractices);
 
     void save(cereal::JSONOutputArchive &out_ar) const;
 

components/security_apps/local_policy_mgmt_gen/include/local_policy_common.h

@@ -56,6 +56,16 @@ static const std::unordered_map<std::string, std::string> key_to_practices_val =
     { "inactive", "Inactive"}
 };
 
+static const std::unordered_map<std::string, std::string> key_to_practices_val2 = {
+    { "prevent-learn", "Prevent"},
+    { "detect-learn", "Learn"},
+    { "prevent", "Prevent"},
+    { "detect", "Detect"},
+    { "inactive", "Disabled"}
+};
+
+static const std::string default_appsec_url = "http://*:*";
+
 template <typename T>
 void
 parseAppsecJSONKey(

components/security_apps/local_policy_mgmt_gen/include/new_appsec_linux_policy.h

@@ -32,7 +32,7 @@
 #include "new_practice.h"
 #include "access_control_practice.h"
 #include "new_trusted_sources.h"
-
+#include "new_auto_upgrade.h"
 
 class V1beta2AppsecLinuxPolicy : Singleton::Consume<I_Environment>
 {
@@ -48,7 +48,8 @@ public:
         const std::vector<NewAppSecCustomResponse> &_custom_responses,
         const std::vector<NewAppsecException> &_exceptions,
         const std::vector<NewTrustedSourcesSpec> &_trusted_sources,
-        const std::vector<NewSourcesIdentifiers> &_sources_identifiers)
+        const std::vector<NewSourcesIdentifiers> &_sources_identifiers,
+        const AppSecAutoUpgradeSpec &_auto_upgrade)
             :
         policies(_policies),
         threat_prevection_practices(_threat_prevention_practices),
@@ -57,7 +58,8 @@ public:
         custom_responses(_custom_responses),
         exceptions(_exceptions),
         trusted_sources(_trusted_sources),
-        sources_identifiers(_sources_identifiers) {}
+        sources_identifiers(_sources_identifiers),
+        auto_upgrade(_auto_upgrade) {}
     // LCOV_EXCL_STOP
     void serialize(cereal::JSONInputArchive &archive_in);
 
@@ -69,6 +71,7 @@ public:
     const std::vector<NewAppsecException> & getAppsecExceptions() const;
     const std::vector<NewTrustedSourcesSpec> & getAppsecTrustedSourceSpecs() const;
     const std::vector<NewSourcesIdentifiers> & getAppsecSourceIdentifierSpecs() const;
+    const AppSecAutoUpgradeSpec & getAppSecAutoUpgradeSpec() const;
     void addSpecificRule(const NewParsedRule &_rule);
 
 private:
@@ -80,6 +83,7 @@ private:
     std::vector<NewAppsecException> exceptions;
     std::vector<NewTrustedSourcesSpec> trusted_sources;
     std::vector<NewSourcesIdentifiers> sources_identifiers;
+    AppSecAutoUpgradeSpec auto_upgrade;
 };
 
 #endif // __NEW_APPSEC_LINUX_POLICY_H__

components/security_apps/local_policy_mgmt_gen/include/new_appsec_policy_crd_parser.h

@@ -42,6 +42,7 @@ public:
     const std::string & getSourceIdentifiers() const;
     const std::string & getCustomResponse() const;
     const std::string & getTrustedSources() const;
+    const std::string & getUpgradeSettings() const;
     const std::string & getHost() const;
     const std::string & getMode() const;
 
@@ -56,6 +57,7 @@ private:
     std::string                 source_identifiers;
     std::string                 custom_response;
     std::string                 trusted_sources;
+    std::string                 upgrade_settings;
     std::string                 host;
     std::string                 mode;
 };

components/security_apps/local_policy_mgmt_gen/include/new_auto_upgrade.h

@@ -0,0 +1,47 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __NEW_AUTO_UPGRADE_H__
+#define __NEW_AUTO_UPGRADE_H__
+
+#include <string>
+#include <cereal/archives/json.hpp>
+#include <boost/uuid/uuid.hpp>
+#include <boost/uuid/uuid_generators.hpp>
+#include <boost/uuid/uuid_io.hpp>
+
+#include "config.h"
+#include "debug.h"
+#include "local_policy_common.h"
+
+class AppSecAutoUpgradeSpec
+{
+public:
+    void load(cereal::JSONInputArchive &archive_in);
+    void save(cereal::JSONOutputArchive& out_ar) const;
+
+    const std::string & getAppSecClassName() const;
+    const std::string & getName() const;
+    void setName(const std::string &_name);
+
+private:
+    std::string mode = "automatic";
+    std::vector<std::string> days;
+    std::string upgrade_window_start_hour_UTC;
+    uint upgrade_window_duration;
+
+    std::string name;
+    std::string appsec_class_name;
+};
+
+#endif // __NEW_AUTO_UPGRADE_H__

components/security_apps/local_policy_mgmt_gen/include/new_log_trigger.h

@@ -30,9 +30,11 @@ class NewAppsecTriggerAccessControlLogging
 public:
     void load(cereal::JSONInputArchive &archive_in);
 
+    bool isAcAllowEvents() const { return ac_allow_events; }
+    bool isAcDropEvents() const { return ac_drop_events; }
 private:
-    bool allow_events = false;
-    bool drop_events = false;
+    bool ac_allow_events = false;
+    bool ac_drop_events = false;
 };
 
 class NewAppsecTriggerAdditionalSuspiciousEventsLogging : public ClientRest
@@ -158,6 +160,7 @@ public:
     const NewAppsecTriggerLogging & getAppsecTriggerLogging() const;
     const NewAppsecTriggerExtendedLogging & getAppsecTriggerExtendedLogging() const;
     const NewAppsecTriggerLogDestination & getAppsecTriggerLogDestination() const;
+    const NewAppsecTriggerAccessControlLogging & getAppsecTriggerAccessControlLogging() const;
 
 private:
     NewAppsecTriggerAccessControlLogging access_control_logging;

components/security_apps/local_policy_mgmt_gen/include/new_practice.h

@@ -481,17 +481,22 @@ private:
 class NewSnortSignaturesAndOpenSchemaAPI
 {
 public:
+    NewSnortSignaturesAndOpenSchemaAPI() : is_temporary(false) {};
+
     void load(cereal::JSONInputArchive &archive_in);
 
     void addFile(const std::string &file_name);
     const std::string & getOverrideMode() const;
     const std::vector<std::string> & getConfigMap() const;
     const std::vector<std::string> & getFiles() const;
+    bool isTemporary() const;
+    void setTemporary(bool val);
 
 private:
     std::string override_mode;
     std::vector<std::string> config_map;
     std::vector<std::string> files;
+    bool is_temporary;
 };
 
 class NewAppSecWebBotsURI

components/security_apps/local_policy_mgmt_gen/include/policy_maker_utils.h

@@ -51,6 +51,7 @@ enum class AnnotationTypes {
     WEB_USER_RES,
     SOURCE_IDENTIFIERS,
     TRUSTED_SOURCES,
+    UPGRADE_SETTINGS,
     COUNT
 };
 
@@ -96,16 +97,17 @@ class PolicyWrapper
 {
 public:
     PolicyWrapper(
-        const SettingsWrapper &_settings,
+        const SettingsRulebase &_settings,
         const SecurityAppsWrapper &_security_apps)
             :
         settings(_settings),
         security_apps(_security_apps) {}
 
-    void save(cereal::JSONOutputArchive &out_ar) const;
+    const SettingsRulebase & getSettings() const { return settings; }
+    const SecurityAppsWrapper & getSecurityApps() const { return security_apps; }
 
 private:
-    SettingsWrapper settings;
+    SettingsRulebase settings;
     SecurityAppsWrapper security_apps;
 };
 
@@ -139,7 +141,11 @@ private:
 
     std::tuple<std::string, std::string, std::string> splitHostName(const std::string &host_name);
 
-    std::string dumpPolicyToFile(const PolicyWrapper &policy, const std::string &policy_path);
+    std::string dumpPolicyToFile(
+        const PolicyWrapper &policy,
+        const std::string &policy_path,
+        const std::string &settings_path = "/etc/cp/conf/settings.json"
+    );
 
     PolicyWrapper combineElementsToPolicy(const std::string &policy_version);
 
@@ -155,7 +161,7 @@ private:
         std::map<AnnotationTypes, std::string> &rule_annotations
     );
 
-    void createSnortProtecionsSection(const std::string &file_name, const std::string &practic_name);
+    void createSnortProtecionsSection(const std::string &file_name, bool is_temporary);
 
     void
     createSnortSections(
@@ -245,6 +251,7 @@ private:
     std::map<std::string, RateLimitSection> rate_limit;
     std::map<std::string, UsersIdentifiersRulebase> users_identifiers;
     std::map<std::string, AppSecTrustedSources> trusted_sources;
+    AppSecAutoUpgradeSpec upgrade_settings;
 };
 
 template<class T, class R>

components/security_apps/local_policy_mgmt_gen/include/settings_section.h

@@ -22,6 +22,7 @@
 #include "config.h"
 #include "debug.h"
 #include "local_policy_common.h"
+#include "new_auto_upgrade.h"
 
 // LCOV_EXCL_START Reason: no test exist
 class AgentSettingsSection
@@ -41,12 +42,18 @@ private:
 class SettingsRulebase
 {
 public:
-    SettingsRulebase(std::vector<AgentSettingsSection> _agentSettings) : agentSettings(_agentSettings) {}
+    SettingsRulebase(
+        std::vector<AgentSettingsSection> _agentSettings,
+        const AppSecAutoUpgradeSpec &_upgradeSettings)
+            :
+        agentSettings(_agentSettings),
+        upgrade_settings(_upgradeSettings) {}
 
     void save(cereal::JSONOutputArchive &out_ar) const;
 
 private:
     std::vector<AgentSettingsSection> agentSettings;
+    AppSecAutoUpgradeSpec upgrade_settings;
 };
 
 class SettingsWrapper

components/security_apps/local_policy_mgmt_gen/include/triggers_section.h

@@ -44,6 +44,8 @@ public:
         bool _responseBody,
         bool _tpDetect,
         bool _tpPrevent,
+        bool _acAllow,
+        bool _acDrop,
         bool _webBody,
         bool _webHeaders,
         bool _webRequests,
@@ -76,6 +78,8 @@ private:
     bool responseBody;
     bool tpDetect;
     bool tpPrevent;
+    bool acAllow;
+    bool acDrop;
     bool webBody;
     bool webHeaders;
     bool webRequests;
@@ -158,9 +162,11 @@ class AppsecTriggerAccessControlLogging
 public:
     void load(cereal::JSONInputArchive &archive_in);
 
+    bool isAcAllowEvents() const { return ac_allow_events; }
+    bool isAcDropEvents() const { return ac_drop_events; }
 private:
-    bool allow_events = false;
-    bool drop_events = false;
+    bool ac_allow_events = false;
+    bool ac_drop_events = false;
 };
 
 class AppsecTriggerAdditionalSuspiciousEventsLogging : public ClientRest
@@ -281,6 +287,7 @@ public:
     const AppsecTriggerLogging & getAppsecTriggerLogging() const;
     const AppsecTriggerExtendedLogging & getAppsecTriggerExtendedLogging() const;
     const AppsecTriggerLogDestination & getAppsecTriggerLogDestination() const;
+    const AppsecTriggerAccessControlLogging & getAppsecTriggerAccessControlLogging() const;
 
 private:
     AppsecTriggerAccessControlLogging access_control_logging;

components/security_apps/local_policy_mgmt_gen/k8s_policy_utils.cc

@@ -159,6 +159,7 @@ extractElementsFromNewRule(
     policy_elements_names[AnnotationTypes::WEB_USER_RES].insert(rule.getCustomResponse());
     policy_elements_names[AnnotationTypes::SOURCE_IDENTIFIERS].insert(rule.getSourceIdentifiers());
     policy_elements_names[AnnotationTypes::TRUSTED_SOURCES].insert(rule.getTrustedSources());
+    policy_elements_names[AnnotationTypes::UPGRADE_SETTINGS].insert(rule.getUpgradeSettings());
 }
 
 map<AnnotationTypes, unordered_set<string>>
@@ -356,8 +357,9 @@ K8sPolicyUtils::createSnortFile(vector<NewAppSecPracticeSpec> &practices) const
 {
     for (NewAppSecPracticeSpec &practice : practices) {
         auto orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<K8sPolicyUtils>();
-        auto path = "/etc/cp/conf/snort/snort_k8s_" + practice.getName() + ".rule";
+        auto path = getFilesystemPathConfig() + "/conf/snort/snort_k8s_" + practice.getName() + ".rule";
         bool append_mode = false;
+        practice.getSnortSignatures().setTemporary(true);
         for (const string &config_map : practice.getSnortSignatures().getConfigMap())
         {
             auto maybe_configmap = getObjectFromCluster<ConfigMaps>(
@@ -441,6 +443,15 @@ K8sPolicyUtils::createAppsecPolicyK8sFromV1beta2Crds(
         policy_elements_names[AnnotationTypes::TRUSTED_SOURCES]
     );
 
+    vector<AppSecAutoUpgradeSpec> vec_upgrade_settings = extractV1Beta2ElementsFromCluster<AppSecAutoUpgradeSpec>(
+        "autoupgrade",
+        policy_elements_names[AnnotationTypes::UPGRADE_SETTINGS]
+    );
+    if (vec_upgrade_settings.size() > 1) {
+        dbgWarning(D_LOCAL_POLICY) << "Only one definition of upgrade settings is required.";
+    }
+    auto upgrade_settings = vec_upgrade_settings.empty() ? AppSecAutoUpgradeSpec() : vec_upgrade_settings.front();
+
     V1beta2AppsecLinuxPolicy appsec_policy = V1beta2AppsecLinuxPolicy(
         appsec_policy_spec.getSpec(),
         threat_prevention_practices,
@@ -449,7 +460,8 @@ K8sPolicyUtils::createAppsecPolicyK8sFromV1beta2Crds(
         web_user_responses,
         exceptions,
         trusted_sources,
-        source_identifiers
+        source_identifiers,
+        upgrade_settings
     );
     return appsec_policy;
 }

components/security_apps/local_policy_mgmt_gen/new_appsec_linux_policy.cc

@@ -64,6 +64,12 @@ V1beta2AppsecLinuxPolicy::getAppsecSourceIdentifierSpecs() const
     return sources_identifiers;
 }
 
+const AppSecAutoUpgradeSpec &
+V1beta2AppsecLinuxPolicy::getAppSecAutoUpgradeSpec() const
+{
+    return auto_upgrade;
+}
+
 void
 V1beta2AppsecLinuxPolicy::addSpecificRule(const NewParsedRule &_rule)
 {
@@ -97,4 +103,5 @@ V1beta2AppsecLinuxPolicy::serialize(cereal::JSONInputArchive &archive_in)
     parseAppsecJSONKey<vector<NewAppsecException>>("exceptions", exceptions, archive_in);
     parseAppsecJSONKey<vector<NewTrustedSourcesSpec>>("trustedSources", trusted_sources, archive_in);
     parseAppsecJSONKey<vector<NewSourcesIdentifiers>>("sourcesIdentifiers", sources_identifiers, archive_in);
+    parseAppsecJSONKey<AppSecAutoUpgradeSpec>("autoUpgrade", auto_upgrade, archive_in);
 }

components/security_apps/local_policy_mgmt_gen/new_appsec_policy_crd_parser.cc

@@ -35,6 +35,7 @@ NewParsedRule::load(cereal::JSONInputArchive &archive_in)
     parseAppsecJSONKey<string>("customResponse", custom_response, archive_in);
     parseAppsecJSONKey<string>("sourceIdentifiers", source_identifiers, archive_in);
     parseAppsecJSONKey<string>("trustedSources", trusted_sources, archive_in);
+    parseAppsecJSONKey<string>("autoUpgrade", upgrade_settings, archive_in);
     try {
         archive_in(cereal::make_nvp("host", host));
     } catch (const cereal::Exception &e)
@@ -86,6 +87,12 @@ NewParsedRule::getTrustedSources() const
     return trusted_sources;
 }
 
+const string &
+NewParsedRule::getUpgradeSettings() const
+{
+    return upgrade_settings;
+}
+
 const string &
 NewParsedRule::getHost() const
 {

components/security_apps/local_policy_mgmt_gen/new_auto_upgrade.cc

@@ -0,0 +1,118 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "new_auto_upgrade.h"
+
+using namespace std;
+
+USE_DEBUG_FLAG(D_LOCAL_POLICY);
+
+static const set<string> valid_modes = {"automatic", "manual", "scheduled"};
+static const set<string> valid_days_of_week = {
+    "monday",
+    "tuesday",
+    "wednesday",
+    "thursday",
+    "friday",
+    "saturday",
+    "sunday"
+};
+
+class AppSecScheduledUpgrade
+{
+public:
+    void
+    load(cereal::JSONInputArchive &archive_in)
+    {
+        parseAppsecJSONKey<vector<string>>("days", days, archive_in);
+        for (const string &day : days) {
+            if (valid_days_of_week.count(day) == 0) {
+                dbgWarning(D_LOCAL_POLICY) << "AppSec upgrade day invalid: " << day;
+            }
+        }
+        parseAppsecJSONKey<string>("upgradeWindowStartHourUTC", upgrade_window_start_hour_UTC, archive_in, "0:00");
+        parseAppsecJSONKey<uint>("upgradeWindowDuration", upgrade_window_duration, archive_in, 4);
+    }
+
+    const vector<string> &
+    getDays() const
+    {
+        return days;
+    }
+
+    const string &
+    getUpgradeWindowStartHourUTC() const
+    {
+        return upgrade_window_start_hour_UTC;
+    }
+
+    const uint &
+    getUpgradeWindowDuration() const
+    {
+        return upgrade_window_duration;
+    }
+
+private:
+    vector<string> days;
+    string upgrade_window_start_hour_UTC = "0:00";
+    uint upgrade_window_duration = 4;
+};
+
+void
+AppSecAutoUpgradeSpec::load(cereal::JSONInputArchive &archive_in)
+{
+    dbgTrace(D_LOCAL_POLICY) << "Loading AppSec upgrade settings spec";
+    parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in);
+    parseAppsecJSONKey<string>("name", name, archive_in);
+    parseAppsecJSONKey<string>("mode", mode, archive_in);
+    if (valid_modes.count(mode) == 0) {
+        dbgWarning(D_LOCAL_POLICY) << "AppSec upgrade mode invalid: " << mode;
+    }
+    if (mode != "scheduled") return;
+
+    AppSecScheduledUpgrade schedule;
+    parseAppsecJSONKey<AppSecScheduledUpgrade>("schedule", schedule, archive_in);
+    days = schedule.getDays();
+    upgrade_window_start_hour_UTC = schedule.getUpgradeWindowStartHourUTC();
+    upgrade_window_duration = schedule.getUpgradeWindowDuration();
+}
+
+void
+AppSecAutoUpgradeSpec::save(cereal::JSONOutputArchive& out_ar) const
+{
+    out_ar(cereal::make_nvp("upgradeMode", mode));
+    if (mode != "scheduled") return;
+    out_ar(
+        cereal::make_nvp("upgradeTime", upgrade_window_start_hour_UTC),
+        cereal::make_nvp("upgradeDurationHours", upgrade_window_duration),
+        cereal::make_nvp("upgradeDay", days)
+    );
+}
+
+void
+AppSecAutoUpgradeSpec::setName(const string &_name)
+{
+    name = _name;
+}
+
+const string &
+AppSecAutoUpgradeSpec::getName() const
+{
+    return name;
+}
+
+const string &
+AppSecAutoUpgradeSpec::getAppSecClassName() const
+{
+    return appsec_class_name;
+}

components/security_apps/local_policy_mgmt_gen/new_exceptions.cc

@@ -23,9 +23,9 @@ static const set<string> valid_actions = {"skip", "accept", "drop", "suppressLog
 void
 NewAppsecExceptionCondition::load(cereal::JSONInputArchive &archive_in)
 {
-    dbgTrace(D_LOCAL_POLICY) << "Loading New AppSec exception condition";
     parseAppsecJSONKey<string>("key", key, archive_in);
     parseAppsecJSONKey<string>("value", value, archive_in);
+    dbgTrace(D_LOCAL_POLICY) << "Key: " << key << " Value: " << value;
 }
 
 const string &

components/security_apps/local_policy_mgmt_gen/new_log_trigger.cc

@@ -26,8 +26,8 @@ void
 NewAppsecTriggerAccessControlLogging::load(cereal::JSONInputArchive &archive_in)
 {
     dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Trigger - Access Control Logging";
-    parseAppsecJSONKey<bool>("allowEvents", allow_events, archive_in, false);
-    parseAppsecJSONKey<bool>("dropEvents", drop_events, archive_in, false);
+    parseAppsecJSONKey<bool>("allowEvents", ac_allow_events, archive_in, false);
+    parseAppsecJSONKey<bool>("dropEvents", ac_drop_events, archive_in, false);
 }
 
 void
@@ -307,6 +307,13 @@ NewAppsecLogTrigger::getAppsecTriggerLogging() const
     return appsec_logging;
 }
 
+const NewAppsecTriggerAccessControlLogging &
+NewAppsecLogTrigger::getAppsecTriggerAccessControlLogging() const
+{
+    return access_control_logging;
+}
+
+
 const NewAppsecTriggerExtendedLogging &
 NewAppsecLogTrigger::getAppsecTriggerExtendedLogging() const
 {

components/security_apps/local_policy_mgmt_gen/new_practice.cc

@@ -107,9 +107,9 @@ void
 NewAppSecWebAttackProtections::load(cereal::JSONInputArchive &archive_in)
 {
     dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Web Attack Protections";
-    parseAppsecJSONKey<string>("csrfEnabled", csrf_protection, archive_in, "inactive");
-    parseAppsecJSONKey<string>("errorDisclosureEnabled", error_disclosure, archive_in, "inactive");
-    parseAppsecJSONKey<string>("openRedirectEnabled", open_redirect, archive_in, "inactive");
+    parseAppsecJSONKey<string>("csrfProtection", csrf_protection, archive_in, "inactive");
+    parseAppsecJSONKey<string>("errorDisclosure", error_disclosure, archive_in, "inactive");
+    parseAppsecJSONKey<string>("openRedirect", open_redirect, archive_in, "inactive");
     parseAppsecJSONKey<bool>("nonValidHttpMethods", non_valid_http_methods, archive_in, false);
 }
 
@@ -210,11 +210,11 @@ NewAppSecPracticeWebAttacks::getMinimumConfidence() const
 const string &
 NewAppSecPracticeWebAttacks::getMode(const string &default_mode) const
 {
-    if (mode == "Unset" || (key_to_practices_val.find(mode) == key_to_practices_val.end())) {
+    if (mode == "Unset" || (key_to_practices_val2.find(mode) == key_to_practices_val2.end())) {
         dbgError(D_LOCAL_POLICY) << "Couldn't find a value for key: " << mode << ". Returning " << default_mode;
         return default_mode;
     }
-    return key_to_practices_val.at(mode);
+    return key_to_practices_val2.at(mode);
 }
 
 SnortProtectionsSection::SnortProtectionsSection(
@@ -441,6 +441,8 @@ NewSnortSignaturesAndOpenSchemaAPI::load(cereal::JSONInputArchive &archive_in)
     dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Snort Signatures practice";
     parseAppsecJSONKey<string>("overrideMode", override_mode, archive_in, "inactive");
     parseAppsecJSONKey<vector<string>>("configmap", config_map, archive_in);
+    parseAppsecJSONKey<vector<string>>("files", files, archive_in);
+    is_temporary = false;
     if (valid_modes.count(override_mode) == 0) {
         dbgWarning(D_LOCAL_POLICY) << "AppSec Snort Signatures override mode invalid: " << override_mode;
     }
@@ -470,6 +472,18 @@ NewSnortSignaturesAndOpenSchemaAPI::getConfigMap() const
     return config_map;
 }
 
+bool
+NewSnortSignaturesAndOpenSchemaAPI::isTemporary() const
+{
+    return is_temporary;
+}
+
+void
+NewSnortSignaturesAndOpenSchemaAPI::setTemporary(bool val)
+{
+    is_temporary = val;
+}
+
 void
 IpsProtectionsRulesSection::save(cereal::JSONOutputArchive &out_ar) const
 {

components/security_apps/local_policy_mgmt_gen/policy_maker_utils.cc

@@ -38,12 +38,6 @@ SecurityAppsWrapper::save(cereal::JSONOutputArchive &out_ar) const
     );
 }
 
-void
-PolicyWrapper::save(cereal::JSONOutputArchive &out_ar) const
-{
-    security_apps.save(out_ar);
-}
-
 string
 PolicyMakerUtils::getPolicyName(const string &policy_path)
 {
@@ -150,16 +144,19 @@ PolicyMakerUtils::splitHostName(const string &host_name)
 }
 
 string
-PolicyMakerUtils::dumpPolicyToFile(const PolicyWrapper &policy, const string &policy_path)
+PolicyMakerUtils::dumpPolicyToFile(
+    const PolicyWrapper &policy,
+    const string &policy_path,
+    const string &settings_path)
 {
     clearElementsMaps();
 
-    stringstream ss;
+    stringstream policy_ss, settings_ss;
     {
-        cereal::JSONOutputArchive ar(ss);
-        policy.save(ar);
+        cereal::JSONOutputArchive ar(policy_ss);
+        policy.getSecurityApps().save(ar);
     }
-    string policy_str = ss.str();
+    string policy_str = policy_ss.str();
     try {
         ofstream policy_file(policy_path);
         policy_file << policy_str;
@@ -169,6 +166,20 @@ PolicyMakerUtils::dumpPolicyToFile(const PolicyWrapper &policy, const string &po
         return "";
     }
 
+    {
+        cereal::JSONOutputArchive ar(settings_ss);
+        policy.getSettings().save(ar);
+    }
+    string settings_str = settings_ss.str();
+    try {
+        ofstream settings_file(settings_path);
+        settings_file << settings_str;
+        settings_file.close();
+    } catch (const ofstream::failure &e) {
+        dbgDebug(D_NGINX_POLICY) << "Error while writing settings to " << settings_path << ", Error: " << e.what();
+    }
+    dbgDebug(D_LOCAL_POLICY) << settings_path << " content: " << settings_str;
+
     return policy_str;
 }
 
@@ -517,6 +528,8 @@ extractLogTriggerData(const string &trigger_annotation_name, const T &trigger_sp
         trigger_spec.getAppsecTriggerAdditionalSuspiciousEventsLogging().getMinimumSeverity();
     bool tpDetect = trigger_spec.getAppsecTriggerLogging().isDetectEvents();
     bool tpPrevent = trigger_spec.getAppsecTriggerLogging().isPreventEvents();
+    bool acAllow = trigger_spec.getAppsecTriggerAccessControlLogging().isAcAllowEvents();
+    bool acDrop = trigger_spec.getAppsecTriggerAccessControlLogging().isAcDropEvents();
     bool webRequests = trigger_spec.getAppsecTriggerLogging().isAllWebRequests();
     bool webUrlPath = trigger_spec.getAppsecTriggerExtendedLogging().isUrlPath();
     bool webUrlQuery = trigger_spec.getAppsecTriggerExtendedLogging().isUrlQuery();
@@ -555,6 +568,8 @@ extractLogTriggerData(const string &trigger_annotation_name, const T &trigger_sp
         responseBody,
         tpDetect,
         tpPrevent,
+        acAllow,
+        acDrop,
         webBody,
         webHeaders,
         webRequests,
@@ -1004,13 +1019,21 @@ PolicyMakerUtils::createIpsSections(
 }
 
 void
-PolicyMakerUtils::createSnortProtecionsSection(const string &file_name, const string &practice_name)
+PolicyMakerUtils::createSnortProtecionsSection(const string &file_name, bool is_temporary)
 {
-    auto path = getFilesystemPathConfig() + "/conf/snort/snort_k8s_" + practice_name;
-    if (snort_protections.find(path) != snort_protections.end()) return;
+    auto path = getFilesystemPathConfig() + "/conf/snort/" + file_name;
+    string in_file = is_temporary ? path + ".rule" : path;
 
-    auto snort_scriipt_path = getFilesystemPathConfig() + "/scripts/snort_to_ips_local.py";
-    auto cmd = "python " + snort_scriipt_path + " " + path + ".rule " + path + ".out " + path + ".err";
+    if (snort_protections.find(path) != snort_protections.end()) {
+        dbgTrace(D_LOCAL_POLICY) << "Snort protections section for file " << file_name << " already exists";
+        return;
+    }
+    dbgTrace(D_LOCAL_POLICY)
+        << "Reading snort signatures from"
+        << (is_temporary ? " temporary" : "") << " file " << path;
+
+    auto snort_script_path = getFilesystemPathConfig() + "/scripts/snort_to_ips_local.py";
+    auto cmd = "python3 " + snort_script_path + " " + in_file + " " + path + ".out " + path + ".err";
 
     auto res = Singleton::Consume<I_ShellCmd>::by<LocalPolicyMgmtGenerator>()->getExecOutput(cmd);
 
@@ -1026,7 +1049,7 @@ PolicyMakerUtils::createSnortProtecionsSection(const string &file_name, const st
     }
 
     auto i_orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<LocalPolicyMgmtGenerator>();
-    i_orchestration_tools->removeFile(path + ".rule");
+    if (is_temporary) i_orchestration_tools->removeFile(in_file);
     i_orchestration_tools->removeFile(path + ".out");
     i_orchestration_tools->removeFile(path + ".err");
 
@@ -1055,7 +1078,14 @@ PolicyMakerUtils::createSnortSections(
         apssec_practice.getSnortSignatures().getFiles().size() == 0) {
         return;
     }
-    createSnortProtecionsSection(apssec_practice.getSnortSignatures().getFiles()[0], apssec_practice.getName());
+
+    if (apssec_practice.getSnortSignatures().isTemporary()) {
+        createSnortProtecionsSection("snort_k8s_" + apssec_practice.getName(), true);
+    } else if (apssec_practice.getSnortSignatures().getFiles().size() > 0) {
+        // when support for multiple files is ready, will iterate over the files array
+        auto file = apssec_practice.getSnortSignatures().getFiles()[0];
+        createSnortProtecionsSection(file, false);
+    }
 
     SnortProtectionsSection snort_section = SnortProtectionsSection(
         context,
@@ -1160,7 +1190,7 @@ PolicyMakerUtils::createWebAppSection(
         apssec_practice.getWebAttacks().getMaxUrlSizeBytes()
     );
     WebAppSection web_app = WebAppSection(
-        full_url == "Any" ? "" : full_url,
+        full_url == "Any" ? default_appsec_url : full_url,
         rule_config.getAssetId(),
         rule_config.getAssetName(),
         rule_config.getAssetId(),
@@ -1271,17 +1301,16 @@ PolicyMakerUtils::createThreatPreventionPracticeSections(
 
 }
 
-SettingsWrapper
-createProfilesSection()
+SettingsRulebase
+createSettingsSection(const AppSecAutoUpgradeSpec &upgrade_settings)
 {
     string agent_settings_key = "agent.test.policy";
     string agent_settings_value = "local policy";
     AgentSettingsSection agent_setting_1 = AgentSettingsSection(agent_settings_key, agent_settings_value);
 
-    SettingsRulebase settings_rulebase_1 = SettingsRulebase({agent_setting_1});
-    return SettingsWrapper(settings_rulebase_1);
+    return SettingsRulebase({agent_setting_1}, upgrade_settings);
+
 }
-// LCOV_EXCL_STOP
 
 PolicyWrapper
 PolicyMakerUtils::combineElementsToPolicy(const string &policy_version)
@@ -1313,8 +1342,8 @@ PolicyMakerUtils::combineElementsToPolicy(const string &policy_version)
         policy_version
     );
 
-    SettingsWrapper profiles_section = createProfilesSection();
-    PolicyWrapper policy_wrapper = PolicyWrapper(profiles_section, security_app_section);
+    SettingsRulebase settings_section = createSettingsSection(upgrade_settings);
+    PolicyWrapper policy_wrapper = PolicyWrapper(settings_section, security_app_section);
 
     return policy_wrapper;
 }
@@ -1433,7 +1462,7 @@ PolicyMakerUtils::createPolicyElementsByRule(
 
         if (!web_apps.count(rule_config.getAssetName())) {
             WebAppSection web_app = WebAppSection(
-                full_url == "Any" ? "" : full_url,
+                full_url == "Any" ? default_appsec_url : full_url,
                 rule_config.getAssetId(),
                 rule_config.getAssetName(),
                 rule_config.getAssetId(),
@@ -1553,6 +1582,7 @@ PolicyMakerUtils::createPolicyElementsByRule<V1beta2AppsecLinuxPolicy, NewParsed
         rule_annotations
     );
 
+    upgrade_settings = policy.getAppSecAutoUpgradeSpec();
 }
 // LCOV_EXCL_STOP
 

components/security_apps/local_policy_mgmt_gen/triggers_section.cc

@@ -35,6 +35,8 @@ LogTriggerSection::LogTriggerSection(
     bool _responseBody,
     bool _tpDetect,
     bool _tpPrevent,
+    bool _acAllow,
+    bool _acDrop,
     bool _webBody,
     bool _webHeaders,
     bool _webRequests,
@@ -58,6 +60,8 @@ LogTriggerSection::LogTriggerSection(
     responseBody(_responseBody),
     tpDetect(_tpDetect),
     tpPrevent(_tpPrevent),
+    acAllow(_acAllow),
+    acDrop(_acDrop),
     webBody(_webBody),
     webHeaders(_webHeaders),
     webRequests(_webRequests),
@@ -88,8 +92,8 @@ LogTriggerSection::save(cereal::JSONOutputArchive &out_ar) const
         cereal::make_nvp("triggerName",              name),
         cereal::make_nvp("triggerType",              trigger_type),
         cereal::make_nvp("verbosity",                verbosity),
-        cereal::make_nvp("acAllow",                  false),
-        cereal::make_nvp("acDrop",                   false),
+        cereal::make_nvp("acAllow",                  acAllow),
+        cereal::make_nvp("acDrop",                   acDrop),
         cereal::make_nvp("complianceViolations",     false),
         cereal::make_nvp("complianceWarnings",       false),
         cereal::make_nvp("extendloggingMinSeverity", extendloggingMinSeverity),
@@ -242,8 +246,8 @@ void
 AppsecTriggerAccessControlLogging::load(cereal::JSONInputArchive &archive_in)
 {
     dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Trigger - Access Control Logging";
-    parseAppsecJSONKey<bool>("allow-events", allow_events, archive_in, false);
-    parseAppsecJSONKey<bool>("drop-events", drop_events, archive_in, false);
+    parseAppsecJSONKey<bool>("allow-events", ac_allow_events, archive_in, false);
+    parseAppsecJSONKey<bool>("drop-events", ac_drop_events, archive_in, false);
 }
 
 void
@@ -526,6 +530,13 @@ AppsecTriggerSpec::getAppsecTriggerLogDestination() const
     return log_destination;
 }
 
+const AppsecTriggerAccessControlLogging &
+AppsecTriggerSpec::getAppsecTriggerAccessControlLogging() const
+{
+    return access_control_logging;
+}
+
+
 void
 TriggersWrapper::save(cereal::JSONOutputArchive &out_ar) const
 {

components/security_apps/orchestration/details_resolver/details_resolver.cc

@@ -127,7 +127,7 @@ DetailsResolver::Impl::isReverseProxy()
 {
 #if defined(gaia) || defined(smb)
     auto is_reverse_proxy = DetailsResolvingHanlder::getCommandOutput("cpprod_util CPPROD_IsConfigured CPwaap");
-    if (is_reverse_proxy.ok()) {
+    if (is_reverse_proxy.ok() && !is_reverse_proxy.unpack().empty()) {
         return is_reverse_proxy.unpack().front() == '1';
     }
 #endif
@@ -142,7 +142,7 @@ DetailsResolver::Impl::isKernelVersion3OrHigher()
         "| cut -d '.' -f 1 | awk -F: '{ if ( $1 >= 3 ) {print 1} else {print 0}}'";
 
     auto is_gogo = DetailsResolvingHanlder::getCommandOutput(cmd);
-    if (is_gogo.ok()) {
+    if (is_gogo.ok() && !is_gogo.unpack().empty()) {
         return is_gogo.unpack().front() == '1';
     }
     return false;
@@ -155,7 +155,7 @@ DetailsResolver::Impl::isGwNotVsx()
     static const string is_vsx_cmd = "cpprod_util FWisVSX";
     auto is_gw = DetailsResolvingHanlder::getCommandOutput(is_gw_cmd);
     auto is_vsx = DetailsResolvingHanlder::getCommandOutput(is_vsx_cmd);
-    if (is_gw.ok() && is_vsx.ok()) {
+    if (is_gw.ok() && is_vsx.ok() && !is_gw.unpack().empty() && !is_vsx.unpack().empty()) {
         return is_gw.unpack().front() == '1' && is_vsx.unpack().front() == '0';
     }
     return false;

components/security_apps/orchestration/details_resolver/details_resolving_handler.cc

@@ -108,7 +108,7 @@ DetailsResolvingHanlder::Impl::getCommandOutput(const string &cmd)
     if (!result.ok()) return result;
 
     auto unpacked_result = result.unpack();
-    if (unpacked_result.back() == '\n') unpacked_result.pop_back();
+    if (!unpacked_result.empty() && unpacked_result.back() == '\n') unpacked_result.pop_back();
 
     return unpacked_result;
 }

components/security_apps/orchestration/include/declarative_policy_utils.h

@@ -14,7 +14,6 @@
 #include "i_orchestration_tools.h"
 #include "i_agent_details.h"
 #include "i_orchestration_status.h"
-#include "i_messaging.h"
 #include "i_mainloop.h"
 #include "i_encryptor.h"
 #include "i_details_resolver.h"
@@ -23,6 +22,7 @@
 #include "i_shell_cmd.h"
 #include "i_encryptor.h"
 #include "i_env_details.h"
+#include "i_declarative_policy.h"
 #include "maybe_res.h"
 #include "event.h"
 #include "rest.h"
@@ -43,6 +43,7 @@ private:
 
 class DeclarativePolicyUtils
         :
+    public Singleton::Provide<I_DeclarativePolicy>::SelfInterface,
     public Singleton::Consume<I_ShellCmd>,
     Singleton::Consume<I_LocalPolicyMgmtGen>,
     Singleton::Consume<I_EnvDetails>,
@@ -75,13 +76,13 @@ public:
         const std::string &tenant_id,
         const std::string &profile_id,
         const std::string &fog_address
-    );
-    std::string getUpdate(CheckUpdateRequest &request);
-    bool shouldApplyPolicy();
-    void turnOffApplyPolicyFlag();
+    ) override;
+    std::string getUpdate(CheckUpdateRequest &request) override;
+    bool shouldApplyPolicy() override;
+    void turnOffApplyPolicyFlag() override;
+    void turnOnApplyPolicyFlag() override;
 
-    std::string getCurrVersion() { return curr_version; }
-    std::string getCurrPolicy() { return curr_policy; }
+    std::string getCurrPolicy() override { return curr_policy; }
 
     void upon(const ApplyPolicyEvent &event) override;
 

components/security_apps/orchestration/include/fog_communication.h

@@ -47,7 +47,7 @@ public:
     ) const override;
 
 private:
-    DeclarativePolicyUtils declarative_policy_utils;
+    I_DeclarativePolicy *i_declarative_policy = nullptr;
 };
 
 #endif // __FOG_COMMUNICATION_H__

components/security_apps/orchestration/include/hybrid_communication.h

@@ -54,7 +54,7 @@ public:
 private:
     Maybe<std::string> getNewVersion();
 
-    DeclarativePolicyUtils declarative_policy_utils;
+    I_DeclarativePolicy *i_declarative_policy = nullptr;
 };
 
 #endif // __HYBRID_COMMUNICATION_H__

components/security_apps/orchestration/include/i_declarative_policy.h

@@ -0,0 +1,33 @@
+#ifndef __I_DECLARATIVE_POLICY__
+#define __I_DECLARATIVE_POLICY__
+
+#include <string>
+
+#include "singleton.h"
+#include "orchestrator/rest_api/orchestration_check_update.h"
+
+class I_DeclarativePolicy
+{
+public:
+    virtual bool shouldApplyPolicy() = 0;
+
+    virtual std::string getUpdate(CheckUpdateRequest &request) = 0;
+
+    virtual void sendUpdatesToFog(
+        const std::string &access_token,
+        const std::string &tenant_id,
+        const std::string &profile_id,
+        const std::string &fog_address
+    ) = 0;
+
+    virtual std::string getCurrPolicy() = 0;
+
+    virtual void turnOffApplyPolicyFlag() = 0;
+    virtual void turnOnApplyPolicyFlag() = 0;
+
+protected:
+    virtual ~I_DeclarativePolicy() {}
+};
+
+
+#endif // __I_DECLARATIVE_POLICY__

components/security_apps/orchestration/include/mock/mock_update_communication.h

@@ -27,9 +27,13 @@ class MockUpdateCommunication :
     public Singleton::Provide<I_UpdateCommunication>::From<MockProvider<I_UpdateCommunication>>
 {
 public:
+    void init() {}
     MOCK_METHOD0(authenticateAgent, Maybe<void>());
     MOCK_METHOD1(getUpdate, Maybe<void>(CheckUpdateRequest &));
-    MOCK_METHOD1(downloadAttributeFile, Maybe<std::string>(const GetResourceFile &));
+    MOCK_METHOD2(
+        downloadAttributeFile,
+        Maybe<std::string>(const GetResourceFile &, const std::string &)
+    );
     MOCK_METHOD1(setAddressExtenesion, void(const std::string &));
     MOCK_CONST_METHOD2(sendPolicyVersion, Maybe<void>(const std::string &, const std::string &));
 };

components/security_apps/orchestration/orchestration_comp.cc

@@ -218,6 +218,11 @@ private:
     Maybe<void>
     start()
     {
+        auto update_communication = Singleton::Consume<I_UpdateCommunication>::by<OrchestrationComp>();
+        auto agent_mode = getOrchestrationMode();
+        auto policy_mgmt_mode = getSettingWithDefault<string>("management", "profileManagedMode");
+        bool declarative = agent_mode == OrchestrationMode::HYBRID || policy_mgmt_mode == "declarative";
+
         bool enforce_policy_flag = false;
         Maybe<OrchestrationPolicy> maybe_policy = genError("Empty policy");
         string policy_version = "";
@@ -281,7 +286,6 @@ private:
             return genError("Failed to set fog address from policy");
         }
 
-        auto update_communication = Singleton::Consume<I_UpdateCommunication>::by<OrchestrationComp>();
         auto authentication_res = update_communication->authenticateAgent();
         if (authentication_res.ok() && !policy_version.empty()) {
             auto service_controller = Singleton::Consume<I_ServiceController>::by<OrchestrationComp>();
@@ -292,10 +296,7 @@ private:
             }
         }
 
-        auto agent_mode = Singleton::Consume<I_AgentDetails>::by<OrchestrationComp>()->getOrchestrationMode();
-        if (agent_mode == OrchestrationMode::HYBRID) {
-            return Maybe<void>();
-        }
+	if (declarative) Singleton::Consume<I_DeclarativePolicy>::from<DeclarativePolicyUtils>()->turnOnApplyPolicyFlag();
         return authentication_res;
     }
 
@@ -1668,6 +1669,7 @@ private:
 
         if (getAttribute("no-setting", "CROWDSEC_ENABLED") == "true") tags.insert(Tags::CROWDSEC);
         if (getAttribute("no-setting", "PLAYGROUND") == "true") tags.insert(Tags::PLAYGROUND);
+        if (getAttribute("no-setting", "nginxproxymanager") == "true") tags.insert(Tags::NGINX_PROXY_MANAGER);
 
         Report registration_report(
             "Local Agent Data",
@@ -1892,6 +1894,7 @@ private:
         auto result = i_shell_cmd->getExecOutput(openssl_dir_cmd);
         if (result.ok()) {
             string val_openssl_dir = result.unpack();
+            if (val_openssl_dir.empty()) return;
             if (val_openssl_dir.back() == '\n') val_openssl_dir.pop_back();
             dbgTrace(D_ORCHESTRATOR)
                 << "Adding OpenSSL default directory to agent details. Directory: "

components/security_apps/orchestration/service_controller/service_controller.cc

@@ -27,6 +27,7 @@
 #include "log_generator.h"
 #include "i_orchestration_tools.h"
 #include "customized_cereal_map.h"
+#include "declarative_policy_utils.h"
 
 using namespace std;
 using namespace ReportIS;
@@ -745,6 +746,7 @@ ServiceController::Impl::updateServiceConfiguration(
         dbgDebug(D_ORCHESTRATOR) << "Policy file was not updated. Sending reload command regarding settings and data";
         auto signal_services = sendSignalForServices(nano_services_to_update, "");
         if (!signal_services.ok()) return signal_services.passErr();
+        Singleton::Consume<I_DeclarativePolicy>::from<DeclarativePolicyUtils>()->turnOffApplyPolicyFlag();
         return Maybe<void>();
     }
 
@@ -888,6 +890,7 @@ ServiceController::Impl::updateServiceConfiguration(
         if (new_policy_path.compare(config_file_path) == 0) {
             dbgDebug(D_ORCHESTRATOR) << "Enforcing the default policy file";
             policy_version = version_value;
+            Singleton::Consume<I_DeclarativePolicy>::from<DeclarativePolicyUtils>()->turnOffApplyPolicyFlag();
             return Maybe<void>();
         }
 
@@ -906,6 +909,7 @@ ServiceController::Impl::updateServiceConfiguration(
     }
 
     if (!was_policy_updated && !send_signal_for_services_err.empty()) return genError(send_signal_for_services_err);
+    Singleton::Consume<I_DeclarativePolicy>::from<DeclarativePolicyUtils>()->turnOffApplyPolicyFlag();
     return Maybe<void>();
 }
 

components/security_apps/orchestration/service_controller/service_controller_ut/service_controller_ut.cc

@@ -7,6 +7,7 @@
 #include "service_controller.h"
 #include "config.h"
 #include "config_component.h"
+#include "declarative_policy_utils.h"
 #include "mock/mock_orchestration_tools.h"
 #include "mock/mock_orchestration_status.h"
 #include "mock/mock_time_get.h"
@@ -158,10 +159,26 @@ public:
         return string_stream.str();
     }
 
+    void
+    expectNewConfigRequest(const string &req_body, const string &response)
+    {
+        EXPECT_CALL(
+            mock_message,
+            sendSyncMessage(
+                HTTPMethod::POST,
+                "/set-new-configuration",
+                req_body,
+                _,
+                _
+            )
+        ).WillOnce(Return(HTTPResponse(HTTPStatusCode::HTTP_OK, response)));
+    }
+
     const uint16_t                      l4_firewall_service_port = 8888;
     const uint16_t                      waap_service_port = 7777;
     ::Environment                       env;
     ConfigComponent                     config;
+    DeclarativePolicyUtils              declarative_policy_utils;
     string                              configuration_dir;
     string                              policy_extension;
     string                              settings_extension;
@@ -176,7 +193,7 @@ public:
     string                              services_port;
     StrictMock<MockTimeGet>             time;
     StrictMock<MockRestApi>             mock_rest_api;
-    StrictMock<MockMessaging>           mock_message;
+    StrictMock<MockMessaging>         mock_message;
     StrictMock<MockMainLoop>            mock_ml;
     StrictMock<MockShellCmd>            mock_shell_cmd;
     StrictMock<MockOrchestrationStatus> mock_orchestration_status;
@@ -254,6 +271,9 @@ TEST_F(ServiceControllerTest, UpdateConfiguration)
     EXPECT_EQ(i_service_controller->getPolicyVersion(), "");
     EXPECT_EQ(i_service_controller->getPolicyVersions(), "");
 
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
+
     EXPECT_CALL(mock_orchestration_tools, copyFile(policy_file_path, policy_file_path + backup_extension))
         .WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
@@ -262,23 +282,7 @@ TEST_F(ServiceControllerTest, UpdateConfiguration)
     string general_settings_path = "/my/settings/path";
     string reply_msg = "{\"id\": 1, \"error\": false, \"finished\": true, \"error_message\": \"\"}";
 
-    Flags<MessageConnConfig> conn_flags;
-    conn_flags.setFlag(MessageConnConfig::ONE_TIME_CONN);
-    EXPECT_CALL(
-        mock_message,
-        sendMessage(
-            true,
-            "{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2\"\n}",
-            I_Messaging::Method::POST,
-            string("127.0.0.1"),
-            l4_firewall_service_port,
-            conn_flags,
-            string("/set-new-configuration"),
-            string(),
-            _,
-            MessageTypeTag::GENERIC
-        )
-    ).WillOnce(Return(Maybe<string>(reply_msg)));
+    expectNewConfigRequest("{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2,1.0.2\"\n}", reply_msg);
 
     EXPECT_CALL(
         mock_shell_cmd,
@@ -369,6 +373,9 @@ TEST_F(ServiceControllerTest, supportVersions)
     EXPECT_EQ(i_service_controller->getPolicyVersion(), "");
     EXPECT_EQ(i_service_controller->getPolicyVersions(), "");
 
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
+
     EXPECT_CALL(mock_orchestration_tools, copyFile(policy_file_path, policy_file_path + backup_extension))
         .WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
@@ -377,23 +384,7 @@ TEST_F(ServiceControllerTest, supportVersions)
     string general_settings_path = "/my/settings/path";
     string reply_msg = "{\"id\": 1, \"error\": false, \"finished\": true, \"error_message\": \"\"}";
 
-    Flags<MessageConnConfig> conn_flags;
-    conn_flags.setFlag(MessageConnConfig::ONE_TIME_CONN);
-    EXPECT_CALL(
-        mock_message,
-        sendMessage(
-            true,
-            "{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2\"\n}",
-            I_Messaging::Method::POST,
-            string("127.0.0.1"),
-            l4_firewall_service_port,
-            conn_flags,
-            string("/set-new-configuration"),
-            string(),
-            _,
-            MessageTypeTag::GENERIC
-        )
-    ).WillOnce(Return(Maybe<string>(reply_msg)));
+    expectNewConfigRequest("{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2,1.0.2\"\n}", reply_msg);
 
     EXPECT_CALL(
         mock_shell_cmd,
@@ -464,6 +455,9 @@ TEST_F(ServiceControllerTest, TimeOutUpdateConfiguration)
 
     EXPECT_EQ(i_service_controller->getPolicyVersion(), "");
 
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
+
     EXPECT_CALL(mock_orchestration_tools, copyFile(policy_file_path, policy_file_path + backup_extension))
         .WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
@@ -493,24 +487,7 @@ TEST_F(ServiceControllerTest, TimeOutUpdateConfiguration)
 
     string general_settings_path = "/my/settings/path";
     string reply_msg = "{\"id\": 1, \"error\": false, \"finished\": true, \"error_message\": \"\"}";
-
-    Flags<MessageConnConfig> conn_flags;
-    conn_flags.setFlag(MessageConnConfig::ONE_TIME_CONN);
-    EXPECT_CALL(
-        mock_message,
-        sendMessage(
-            true,
-            "{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2\"\n}",
-            I_Messaging::Method::POST,
-            string("127.0.0.1"),
-            l4_firewall_service_port,
-            conn_flags,
-            string("/set-new-configuration"),
-            string(),
-            _,
-            MessageTypeTag::GENERIC
-        )
-    ).WillOnce(Return(Maybe<string>(reply_msg)));
+    expectNewConfigRequest("{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2,1.0.2\"\n}", reply_msg);
 
     EXPECT_TRUE(i_service_controller->updateServiceConfiguration(file_name, general_settings_path).ok());
     EXPECT_EQ(i_service_controller->getPolicyVersion(), version_value);
@@ -585,6 +562,9 @@ TEST_F(ServiceControllerTest, writeRegisteredServicesFromFile)
 
     EXPECT_EQ(i_service_controller->getPolicyVersion(), "");
 
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
+
     EXPECT_CALL(mock_orchestration_tools, copyFile(policy_file_path, policy_file_path + backup_extension))
         .WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
@@ -593,23 +573,7 @@ TEST_F(ServiceControllerTest, writeRegisteredServicesFromFile)
     string general_settings_path = "/my/settings/path";
     string reply_msg = "{\"id\": 1, \"error\": false, \"finished\": true, \"error_message\": \"\"}";
 
-    Flags<MessageConnConfig> conn_flags;
-    conn_flags.setFlag(MessageConnConfig::ONE_TIME_CONN);
-    EXPECT_CALL(
-        mock_message,
-        sendMessage(
-            true,
-            "{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2\"\n}",
-            I_Messaging::Method::POST,
-            string("127.0.0.1"),
-            l4_firewall_service_port,
-            conn_flags,
-            string("/set-new-configuration"),
-            string(),
-            _,
-            MessageTypeTag::GENERIC
-        )
-    ).WillOnce(Return(Maybe<string>(reply_msg)));
+    expectNewConfigRequest("{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2,1.0.2\"\n}", reply_msg);
 
     EXPECT_CALL(
         mock_shell_cmd,
@@ -732,24 +696,11 @@ TEST_F(ServiceControllerTest, noPolicyUpdate)
     EXPECT_CALL(mock_orchestration_status,
         setServiceConfiguration("l4_firewall", l4_firewall_policy_path, OrchestrationStatusConfigType::POLICY));
 
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
+
     string reply_msg = "{\"id\": 1, \"error\": false, \"finished\": true, \"error_message\": \"\"}";
-    Flags<MessageConnConfig> conn_flags;
-    conn_flags.setFlag(MessageConnConfig::ONE_TIME_CONN);
-    EXPECT_CALL(
-        mock_message,
-        sendMessage(
-            true,
-            "{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2\"\n}",
-            I_Messaging::Method::POST,
-            string("127.0.0.1"),
-            l4_firewall_service_port,
-            conn_flags,
-            string("/set-new-configuration"),
-            string(),
-            _,
-            MessageTypeTag::GENERIC
-        )
-    ).WillOnce(Return(Maybe<string>(reply_msg)));
+    expectNewConfigRequest("{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2,1.0.2\"\n}", reply_msg);
 
     EXPECT_CALL(
         mock_shell_cmd,
@@ -818,6 +769,9 @@ TEST_F(ServiceControllerTest, SettingsAndPolicyUpdateCombinations)
 
     EXPECT_EQ(i_service_controller->getPolicyVersion(), "");
 
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
+
     EXPECT_CALL(mock_orchestration_tools, copyFile(policy_file_path, policy_file_path + backup_extension))
         .WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
@@ -835,24 +789,7 @@ TEST_F(ServiceControllerTest, SettingsAndPolicyUpdateCombinations)
 
     string general_settings_path = "/my/settings/path";
     string reply_msg1 = "{\"id\": 1, \"error\": false, \"finished\": true, \"error_message\": \"\"}";
-
-    Flags<MessageConnConfig> conn_flags;
-    conn_flags.setFlag(MessageConnConfig::ONE_TIME_CONN);
-    EXPECT_CALL(
-        mock_message,
-        sendMessage(
-            true,
-            "{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2\"\n}",
-            I_Messaging::Method::POST,
-            string("127.0.0.1"),
-            l4_firewall_service_port,
-            conn_flags,
-            string("/set-new-configuration"),
-            string(),
-            _,
-            MessageTypeTag::GENERIC
-        )
-    ).WillOnce(Return(Maybe<string>(reply_msg1)));
+    expectNewConfigRequest("{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2,1.0.2\"\n}", reply_msg1);
 
     // both policy and settings now being updated
     EXPECT_TRUE(i_service_controller->updateServiceConfiguration(file_name, general_settings_path).ok());
@@ -871,26 +808,14 @@ TEST_F(ServiceControllerTest, SettingsAndPolicyUpdateCombinations)
     EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_status,
         setServiceConfiguration("l4_firewall", l4_firewall_policy_path, OrchestrationStatusConfigType::POLICY));
+
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
+
     general_settings_path += "/new";
 
     string reply_msg2 = "{\"id\": 2, \"error\": false, \"finished\": true, \"error_message\": \"\"}";
-    Flags<MessageConnConfig> conn_flags2;
-    conn_flags2.setFlag(MessageConnConfig::ONE_TIME_CONN);
-    EXPECT_CALL(
-        mock_message,
-        sendMessage(
-            true,
-            "{\n    \"id\": 2,\n    \"policy_version\": \"1.0.2\"\n}",
-            I_Messaging::Method::POST,
-            string("127.0.0.1"),
-            l4_firewall_service_port,
-            conn_flags2,
-            string("/set-new-configuration"),
-            string(),
-            _,
-            MessageTypeTag::GENERIC
-        )
-    ).WillRepeatedly(Return(Maybe<string>(reply_msg2)));
+    expectNewConfigRequest("{\n    \"id\": 2,\n    \"policy_version\": \"1.0.2,1.0.2\"\n}", reply_msg2);
 
     EXPECT_TRUE(i_service_controller->updateServiceConfiguration(file_name, general_settings_path).ok());
     EXPECT_EQ(i_service_controller->getPolicyVersion(), version_value);
@@ -964,6 +889,9 @@ TEST_F(ServiceControllerTest, backup)
     EXPECT_CALL(mock_orchestration_status,
         setServiceConfiguration("l4_firewall", l4_firewall_policy_path, OrchestrationStatusConfigType::POLICY));
 
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
+
     EXPECT_CALL(
         mock_orchestration_tools,
         copyFile(l4_firewall_policy_path, l4_firewall_policy_path + backup_extension)
@@ -988,21 +916,8 @@ TEST_F(ServiceControllerTest, backup)
     ).WillRepeatedly(Return(string("registered and running")));
 
     string reply_msg = "{\"id\": 1, \"error\": false, \"finished\": true, \"error_message\": \"\"}";
-    EXPECT_CALL(
-        mock_message,
-        sendMessage(
-            _,
-            _,
-            _,
-            "127.0.0.1",
-            l4_firewall_service_port,
-            _,
-            "/set-new-configuration",
-            _,
-            _,
-            MessageTypeTag::GENERIC
-        )
-    ).WillOnce(Return(Maybe<string>(reply_msg)));
+    EXPECT_CALL(mock_message, sendSyncMessage(_, "/set-new-configuration", _, _, _))
+        .WillOnce(Return(HTTPResponse(HTTPStatusCode::HTTP_OK, reply_msg)));
 
     EXPECT_EQ(i_service_controller->getPolicyVersion(), "");
     EXPECT_TRUE(i_service_controller->updateServiceConfiguration(file_name, "").ok());
@@ -1077,6 +992,9 @@ TEST_F(ServiceControllerTest, backup_file_doesnt_exist)
     EXPECT_CALL(mock_orchestration_status,
         setServiceConfiguration("l4_firewall", l4_firewall_policy_path, OrchestrationStatusConfigType::POLICY));
 
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
+
     EXPECT_CALL(
         mock_orchestration_tools,
         copyFile(l4_firewall_policy_path, l4_firewall_policy_path + backup_extension)
@@ -1103,21 +1021,7 @@ TEST_F(ServiceControllerTest, backup_file_doesnt_exist)
     ).WillRepeatedly(Return(string("registered and running")));
 
     string reply_msg = "{\"id\": 1, \"error\": false, \"finished\": true, \"error_message\": \"\"}";
-    EXPECT_CALL(
-        mock_message,
-        sendMessage(
-            _,
-            _,
-            _,
-            "127.0.0.1",
-            l4_firewall_service_port,
-            _,
-            "/set-new-configuration",
-            _,
-            _,
-            MessageTypeTag::GENERIC
-        )
-    ).WillOnce(Return(Maybe<string>(reply_msg)));
+    expectNewConfigRequest("{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2,1.0.2\"\n}", reply_msg);
 
     EXPECT_EQ(i_service_controller->getPolicyVersion(), "");
     EXPECT_TRUE(i_service_controller->updateServiceConfiguration(file_name, "").ok());
@@ -1192,6 +1096,9 @@ TEST_F(ServiceControllerTest, backupAttempts)
     EXPECT_CALL(mock_orchestration_status,
         setServiceConfiguration("l4_firewall", l4_firewall_policy_path, OrchestrationStatusConfigType::POLICY));
 
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
+
     EXPECT_CALL(
         mock_orchestration_tools,
         copyFile(l4_firewall_policy_path, l4_firewall_policy_path + backup_extension)
@@ -1218,21 +1125,7 @@ TEST_F(ServiceControllerTest, backupAttempts)
     ).WillRepeatedly(Return(string("registered and running")));
 
     string reply_msg = "{\"id\": 1, \"error\": false, \"finished\": true, \"error_message\": \"\"}";
-    EXPECT_CALL(
-        mock_message,
-        sendMessage(
-            _,
-            _,
-            _,
-            "127.0.0.1",
-            l4_firewall_service_port,
-            _,
-            "/set-new-configuration",
-            _,
-            _,
-            MessageTypeTag::GENERIC
-        )
-    ).WillOnce(Return(Maybe<string>(reply_msg)));
+    expectNewConfigRequest("{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2,1.0.2\"\n}", reply_msg);
 
     EXPECT_CALL(mock_ml, yield(false)).Times(2);
     EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
@@ -1316,6 +1209,9 @@ TEST_F(ServiceControllerTest, MultiUpdateConfiguration)
     EXPECT_CALL(mock_orchestration_status,
         setServiceConfiguration("orchestration", orchestration_policy_path, OrchestrationStatusConfigType::POLICY));
 
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
+
     EXPECT_CALL(mock_orchestration_tools, writeFile(l4_firewall, l4_firewall_policy_path, false))
         .WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, writeFile(orchestration, orchestration_policy_path, false))
@@ -1336,23 +1232,7 @@ TEST_F(ServiceControllerTest, MultiUpdateConfiguration)
     ).WillRepeatedly(Return(string("registered and running")));
 
     string reply_msg = "{\"id\": 1, \"error\": false, \"finished\": true, \"error_message\": \"\"}";
-    Flags<MessageConnConfig> conn_flags;
-    conn_flags.setFlag(MessageConnConfig::ONE_TIME_CONN);
-    EXPECT_CALL(
-        mock_message,
-        sendMessage(
-            true,
-            "{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2\"\n}",
-            I_Messaging::Method::POST,
-            string("127.0.0.1"),
-            l4_firewall_service_port,
-            conn_flags,
-            string("/set-new-configuration"),
-            string(),
-            _,
-            MessageTypeTag::GENERIC
-        )
-    ).WillOnce(Return(Maybe<string>(reply_msg)));
+    expectNewConfigRequest("{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2,1.0.2\"\n}", reply_msg);
 
     EXPECT_TRUE(i_service_controller->updateServiceConfiguration(file_name, "").ok());
     set<string> changed_policies = {
@@ -1389,6 +1269,9 @@ TEST_F(ServiceControllerTest, emptyServices)
     EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, doesFileExist(policy_file_path)).WillOnce(Return(true));
 
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
+
     EXPECT_TRUE(i_service_controller->updateServiceConfiguration(file_name, "").ok());
 }
 
@@ -1440,6 +1323,9 @@ TEST_F(ServiceControllerTest, failingWhileLoadingCurrentConfiguration)
         .WillOnce(Return(json_parser_return));
     EXPECT_CALL(mock_orchestration_tools, doesFileExist(l4_firewall_policy_path)).WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, readFile(l4_firewall_policy_path)).WillOnce(Return(err));
+
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
     EXPECT_FALSE(i_service_controller->updateServiceConfiguration(file_name, "").ok());
 }
 
@@ -1509,6 +1395,8 @@ TEST_F(ServiceControllerTest, failingWhileCopyingCurrentConfiguration)
     );
     EXPECT_CALL(mock_orchestration_tools, doesFileExist(l4_firewall_policy_path)).WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, readFile(l4_firewall_policy_path)).WillOnce(Return(old_configuration));
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
     EXPECT_CALL(
         mock_orchestration_tools,
         copyFile(l4_firewall_policy_path, l4_firewall_policy_path + backup_extension)
@@ -1578,6 +1466,9 @@ TEST_F(ServiceControllerTest, ErrorUpdateConfigurationRest)
         setServiceConfiguration("l4_firewall", l4_firewall_policy_path, OrchestrationStatusConfigType::POLICY)
     );
 
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
+
     EXPECT_EQ(i_service_controller->getPolicyVersion(), "");
 
     EXPECT_TRUE(i_service_controller->isServiceInstalled("family1_id2"));
@@ -1672,6 +1563,8 @@ TEST_F(ServiceControllerTest, errorWhileWrtingNewConfiguration)
     );
     EXPECT_CALL(mock_orchestration_tools, doesFileExist(l4_firewall_policy_path)).WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, readFile(l4_firewall_policy_path)).WillOnce(Return(old_configuration));
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
     EXPECT_CALL(
         mock_orchestration_tools,
         copyFile(l4_firewall_policy_path, l4_firewall_policy_path + backup_extension)
@@ -1710,21 +1603,7 @@ TEST_F(ServiceControllerTest, testMultitenantConfFiles)
     EXPECT_CALL(tenant_manager, getInstances("tenant2", "1235")).WillOnce(Return(empty_ids));
 
     string reply_msg = "{\"id\": 1, \"error\": false, \"finished\": true, \"error_message\": \"\"}";
-    EXPECT_CALL(
-        mock_message,
-        sendMessage(
-            true,
-            "{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2\"\n}",
-            _,
-            string("127.0.0.1"),
-            l4_firewall_service_port,
-            _,
-            string("/set-new-configuration"),
-            _,
-            _,
-            _
-        )
-    ).WillOnce(Return(Maybe<string>(reply_msg)));
+    expectNewConfigRequest("{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2,1.0.2\"\n}", reply_msg);
 
     for(auto entry : tenant_files_input) {
         auto tenant = entry.first.first;
@@ -1801,6 +1680,9 @@ TEST_F(ServiceControllerTest, testMultitenantConfFiles)
             "l4_firewall", l4_firewall_policy_path_new, OrchestrationStatusConfigType::POLICY)
         );
 
+        EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, conf_file_name))
+            .WillRepeatedly(Return(version_value));
+
         string new_policy_file_path = "/etc/cp/conf/tenant_" + tenant + "_profile_" + profile + "/" + "policy.json";
         EXPECT_CALL(mock_orchestration_tools, copyFile(new_policy_file_path, new_policy_file_path + backup_extension))
             .WillOnce(Return(true));
@@ -1906,6 +1788,9 @@ TEST_F(ServiceControllerTest, test_delayed_reconf)
     EXPECT_CALL(mock_orchestration_status,
         setServiceConfiguration("l4_firewall", l4_firewall_policy_path, OrchestrationStatusConfigType::POLICY));
 
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
+
     EXPECT_CALL(mock_orchestration_tools, copyFile(policy_file_path, policy_file_path + backup_extension))
         .WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
@@ -1934,23 +1819,7 @@ TEST_F(ServiceControllerTest, test_delayed_reconf)
         << "    \"error_message\": \"\""
         << "}";
 
-    Flags<MessageConnConfig> conn_flags;
-    conn_flags.setFlag(MessageConnConfig::ONE_TIME_CONN);
-    EXPECT_CALL(
-        mock_message,
-        sendMessage(
-            true,
-            "{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2\"\n}",
-            I_Messaging::Method::POST,
-            string("127.0.0.1"),
-            l4_firewall_service_port,
-            conn_flags,
-            string("/set-new-configuration"),
-            string(),
-            _,
-            MessageTypeTag::GENERIC
-        )
-    ).WillOnce(Return(Maybe<string>(reply_msg)));
+    expectNewConfigRequest("{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2,1.0.2\"\n}", reply_msg);
 
     auto func = [&] (chrono::microseconds) { set_reconf_status->performRestCall(reconf_status); };
     EXPECT_CALL(mock_ml, yield(chrono::microseconds(2000000))).WillOnce(Invoke(func));

components/security_apps/orchestration/update_communication/declarative_policy_utils.cc

@@ -27,7 +27,7 @@ DeclarativePolicyUtils::init()
         auto mainloop = Singleton::Consume<I_MainLoop>::by<DeclarativePolicyUtils>();
         mainloop->addRecurringRoutine(
             I_MainLoop::RoutineType::Offline,
-            chrono::minutes(1),
+            chrono::seconds(30),
             [&] () { periodicPolicyLoad(); },
             "Automatic Policy Loading"
         );
@@ -57,6 +57,12 @@ DeclarativePolicyUtils::turnOffApplyPolicyFlag()
     should_apply_policy = false;
 }
 
+void
+DeclarativePolicyUtils::turnOnApplyPolicyFlag()
+{
+    should_apply_policy = true;
+}
+
 Maybe<string>
 DeclarativePolicyUtils::getLocalPolicyChecksum()
 {

components/security_apps/orchestration/update_communication/fog_communication.cc

@@ -32,7 +32,7 @@ void
 FogCommunication::init()
 {
     FogAuthenticator::init();
-    declarative_policy_utils.init();
+    i_declarative_policy = Singleton::Consume<I_DeclarativePolicy>::from<DeclarativePolicyUtils>();
 }
 
 Maybe<void>
@@ -67,15 +67,15 @@ FogCommunication::getUpdate(CheckUpdateRequest &request)
         Maybe<string> maybe_new_data = request.getData();
         string data_checksum = maybe_new_data.ok() ? maybe_new_data.unpack() : "";
 
-        if (declarative_policy_utils.shouldApplyPolicy()) {
-            string policy_response = declarative_policy_utils.getUpdate(request);
+        if (i_declarative_policy->shouldApplyPolicy()) {
+            string policy_response = i_declarative_policy->getUpdate(request);
             if (!policy_response.empty()) {
                 dbgTrace(D_ORCHESTRATOR) << "Apply policy - declarative mode";
                 auto agent_details = Singleton::Consume<I_AgentDetails>::by<DeclarativePolicyUtils>();
                 auto maybe_fog_address = agent_details->getFogDomain();
                 string fog_address = maybe_fog_address.ok() ? maybe_fog_address.unpack() : "";
 
-                declarative_policy_utils.sendUpdatesToFog(
+                i_declarative_policy->sendUpdatesToFog(
                     unpacked_access_token,
                     agent_details->getTenantId(),
                     agent_details->getProfileId(),
@@ -83,7 +83,6 @@ FogCommunication::getUpdate(CheckUpdateRequest &request)
                 );
             }
             request = CheckUpdateRequest(manifest_checksum, policy_response, settings_checksum, data_checksum, "", "");
-            declarative_policy_utils.turnOffApplyPolicyFlag();
         } else {
             request = CheckUpdateRequest(manifest_checksum, "", settings_checksum, data_checksum, "", "");
         }
@@ -103,7 +102,7 @@ FogCommunication::downloadAttributeFile(const GetResourceFile &resourse_file)
     string policy_mgmt_mode = getSettingWithDefault<string>("management", "profileManagedMode");
     if (policy_mgmt_mode == "declarative" && resourse_file.getFileName() =="policy") {
         dbgDebug(D_ORCHESTRATOR) << "Download policy on declarative mode - returnig the local policy";
-        return declarative_policy_utils.getCurrPolicy();
+        return i_declarative_policy->getCurrPolicy();
     }
     static const string file_attribute_str = "/api/v2/agents/resources/";
     Maybe<string> attribute_file = Singleton::Consume<I_Messaging>::by<FogCommunication>()->downloadFile(