Update CMakeLists.txt

Merge pull request #47 from openappsec/Aug_23_2023-Dev
Aug 23 2023 dev
2025-11-16 17:31:52 +03:00 · 2023-08-24 20:26:18 +03:00 · 2023-08-24 15:10:14 +03:00 · 2023-08-24 11:56:16 +00:00 · 2023-08-23 20:46:45 +03:00 · 2023-08-23 14:15:32 +00:00
253 changed files with 11478 additions and 3209 deletions
--- a/README.md
+++ b/README.md
@@ -18,8 +18,6 @@ Every request to the application goes through two phases:
 2. If the request is identified as a valid and legitimate request the request is allowed, and forwarded to your application. If, however, the request is considered suspicious or high risk, it then gets evaluated by the unsupervised model, which was trained in your specific environment. This model uses information such as the URL and the users involved to create a final confidence score that determines whether the request should be allowed or blocked.
 The project is currently in Beta and feedback is most welcomed!
 ##  Machine Learning models
 open-appsec uses two models:
@@ -65,106 +63,3 @@ $ install-cp-nano-attachment-registration-manager.sh --install
 ```
 You can add the ```--token <token>``` and ```--email <email address>``` options to the first command, to get a token follow [documentation](https://docs.openappsec.io/getting-started/using-the-web-ui-saas/connect-deployed-agents-to-saas-management-k8s-and-linux). 
 For Docker: follow [documentation](https://docs.openappsec.io/getting-started/start-with-docker) 
 For more information read the [documentation](https://docs.openappsec.io/) or follow the [video tutorials](https://www.openappsec.io/tutorials).
 # Repositories
 open-appsec GitHub includes four main repositories:
 * [openappsec/openappsec](https://github.com/openappsec/openappsec) the main code and logic of open-appsec. Developed in C++.
 * [openappsec/attachment](https://github.com/openappsec/attachment) connects between processes that provide HTTP data (e.g NGINX) and the open-appsec Agent security logic. Developed in C.
 * [openappsec/smartsync](https://github.com/openappsec/smartsync) in charge of correlating learning data from multiple agent instances and delivering a unified learning model for each asset. Developed in Golang.
 * [openappsec/smartsync-shared-files](https://github.com/openappsec/smartsync-shared-files) interface to physical storage used by smartsync service for storing learning data. Developed in Golang.
 # Compilation instructions
 ## Installing external dependencies
 Before compiling the services, you'll need to ensure the latest development versions of the following libraries:
 * Boost
 * OpenSSL
 * PCRE2
 * libxml2
 * GTest
 * GMock
 * cURL
 An example of installing the packages on Alpine:
 ```bash
 $ apk update
 $ apk add boost-dev openssl-dev pcre2-dev libxml2-dev gtest-dev curl-dev
 ```
 ## Compiling and packaging the agent code
 1. Clone this repository
 2. Run CMake command
 3. Run make install command
 ```bash
 $ git clone https://github.com/openappsec/openappsec.git
 $ cd openappsec/
 $ cmake -DCMAKE_INSTALL_PREFIX=build_out .
 $ make install
 $ make package
 ```
 ## Placing the agent code inside an Alpine docker image
 Once the agent code has been compiled and packaged, an Alpine image running it can be created. This requires permissions to execute the `docker` command.
 ```bash
 $ make docker
 ```
 This will create a local image for your docker called `agent-docker`.
 ## Deployment of the agent docker image as a container
 To run a Nano-Agent as a container the following steps are required:
 1. If you are using a container management system / plan on deploying the container using your CI, add the agent docker image to an accessible registry.
 2. If you are planning to manage the agent using the open-appsec UI, then make sure to obtain an agent token from the Management Portal and Enforce.
 3. Run the agent with the following command (where -e https_proxy parameter is optional):
 `docker run -d --name=agent-container --ipc=host -v=<path to persistent location for agent config>:/etc/cp/conf -v=<path to persistent location for agent data files>:/etc/cp/data -v=<path to persistent location for agent debugs and logs>:/var/log/nano_agent -e https_proxy=<user:password@Proxy address:port> -it <agent-image> /cp-nano-agent [--token <token> | --standalone]`
 Example:
 ```bash
 $ docker run -d --name=agent-container --ipc=host -v=/home/admin/agent/conf:/etc/cp/conf -v=/home/admin/agent/data:/etc/cp/data -v=/home/admin/agent/logs:/var/log/nano_agent –e https_proxy=user:password@1.2.3.4:8080 -it agent-docker /cp-nano-agent --standalone
 $ docker ps
 CONTAINER ID        IMAGE               COMMAND                          CREATED             STATUS              PORTS               NAMES
 1e67f2abbfd4        agent-docker        "/cp-nano-agent --hybrid-mode"   1 minute ago        Up 1 minute                             agent-container
 ```
 Note that you are not required to use a token from the Management Portal if you are managing your security policy locally. However, you are required to use the --standalone flag in such cases. In addition, the volumes in the command are mandatory only if you wish to have persistency upon restart/upgrade/crash of the agent and its re-execution.
 Lastly, --ipc=host argument is mandatory in order for the agent to have access to shared memory with a protected attachment (NGINX server).
 4. Create or replace the NGINX container using the [Attachment Repository](https://github.com/openappsec/attachment).
 This will run a docker container using the agent docker image.
 # Contributing
 We welcome everyone that wishes to share their knowledge and expertise to enhance and expand the project.
 Please see the [Contributing Guidelines](https://github.com/openappsec/openappsec/blob/main/CONTRIBUTING.md).
 # Security
 ### Security Audit
 open-appsec code was audited by an independent third party in September-October 2022.
 See the [full report](https://github.com/openappsec/openappsec/blob/main/LEXFO-CHP20221014-Report-Code_audit-OPEN-APPSEC-v1.2.pdf).
 ### Reporting security vulnerabilities
 If you've found a vulnerability or a potential vulnerability in open-appsec please let us know at securityalert@openappsec.io. We'll send a confirmation email to acknowledge your report within 24 hours, and we'll send an additional email when we've identified the issue positively or negatively.
 # License
 open-appsec is open source and available under Apache 2.0 license.
 The basic ML model is open source and available under Apache 2.0 license.
 The advanced ML model is open source and available under Machine Learning Model license, available upon download in the tar file.
--- a/attachments/kernel_modules/core/include/common_is/kdebug_flags.h
+++ b/attachments/kernel_modules/core/include/common_is/kdebug_flags.h
@@ -31,5 +31,6 @@ DEFINE_KDEBUG_FLAG(statefulValidation)
 DEFINE_KDEBUG_FLAG(statelessValidation)
 DEFINE_KDEBUG_FLAG(kernelMetric)
 DEFINE_KDEBUG_FLAG(tproxy)
 DEFINE_KDEBUG_FLAG(tenantStats)
 #endif // DEFINE_KDEBUG_FLAG
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/Chart.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/Chart.yaml
@@ -1,11 +1,12 @@
 annotations:
  artifacthub.io/changes: |
-    - "[helm] Support custom port configuration for internal service (#9846)"
+    - "Added a doc line to the missing helm value service.internal.loadBalancerIP (#9406)"
-    - "Adding resource type to default HPA configuration to resolve issues with Terraform helm chart usage (#9803)"
+    - "feat(helm): Add loadBalancerClass (#9562)"
-    - "Update Ingress-Nginx version controller-v1.7.1"
+    - "added helmshowvalues example (#10019)"
    - "Update Ingress-Nginx version controller-v1.8.1"
  artifacthub.io/prerelease: "false"
 apiVersion: v2
-appVersion: 1.7.1
+appVersion: 1.8.1
 keywords:
 - ingress
 - nginx
@@ -13,4 +14,4 @@ kubeVersion: '>=1.20.0-0'
 name: open-appsec-k8s-nginx-ingress
 sources:
 - https://github.com/kubernetes/ingress-nginx
-version: 4.6.1
+version: 4.7.1
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/README.md
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/README.md
@@ -2,7 +2,7 @@
 [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
-![Version: 4.6.1](https://img.shields.io/badge/Version-4.6.1-informational?style=flat-square) ![AppVersion: 1.7.1](https://img.shields.io/badge/AppVersion-1.7.1-informational?style=flat-square)
+![Version: 4.7.1](https://img.shields.io/badge/Version-4.7.1-informational?style=flat-square) ![AppVersion: 1.8.1](https://img.shields.io/badge/AppVersion-1.8.1-informational?style=flat-square)
 To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
@@ -79,14 +79,14 @@ else it would make it impossible to evacuate a node. See [gh issue #7127](https:
 ### Prometheus Metrics
-The Nginx ingress controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`.
+The Ingress-Nginx Controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`.
 You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`.
 Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`. And set `controller.metrics.serviceMonitor.additionalLabels.release="prometheus"`. "release=prometheus" should match the label configured in the prometheus servicemonitor ( see `kubectl get servicemonitor prometheus-kube-prom-prometheus -oyaml -n prometheus`)
 ### ingress-nginx nginx\_status page/stats server
-Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in nginx ingress controller:
+Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in Ingress-Nginx Controller:
 - In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed
 - In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost.
@@ -143,8 +143,10 @@ controller:
    internal:
      enabled: true
      annotations:
-        # Create internal ELB
+        # Create internal NLB
-        service.beta.kubernetes.io/aws-load-balancer-internal: "true"
+        service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
        # Create internal ELB(Deprecated)
        # service.beta.kubernetes.io/aws-load-balancer-internal: "true"
        # Any other annotation can be declared here.
 ```
@@ -187,13 +189,15 @@ controller:
        # Any other annotation can be declared here.
 ```
 The load balancer annotations of more cloud service providers can be found: [Internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer).
 An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object.
 Optionally you can set `controller.service.loadBalancerIP` if you need a static IP for the resulting `LoadBalancer`.
 ### Ingress Admission Webhooks
-With nginx-ingress-controller version 0.25+, the nginx ingress controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster.
+With nginx-ingress-controller version 0.25+, the Ingress-Nginx Controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster.
 **This feature is enabled by default since 0.31.0.**
 With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521)
@@ -202,7 +206,7 @@ With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fi
 A validating and configuration requires the endpoint to which the request is sent to use TLS. It is possible to set up custom certificates to do this, but in most cases, a self-signed certificate is enough. The setup of this component requires some more complex orchestration when using helm. The steps are created to be idempotent and to allow turning the feature on and off without running into helm quirks.
 1. A pre-install hook provisions a certificate into the same namespace using a format compatible with provisioning using end user certificates. If the certificate already exists, the hook exits.
-2. The ingress nginx controller pod is configured to use a TLS proxy container, which will load that certificate.
+2. The Ingress-Nginx Controller pod is configured to use a TLS proxy container, which will load that certificate.
 3. Validating and Mutating webhook configurations are created in the cluster.
 4. A post-install hook reads the CA from the secret created by step 1 and patches the Validating and Mutating webhook configurations. This process will allow a custom CA provisioned by some other process to also be patched into the webhook configurations. The chosen failure policy is also patched into the webhook configurations
@@ -248,11 +252,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.admissionWebhooks.networkPolicyEnabled | bool | `false` |  |
 | controller.admissionWebhooks.objectSelector | object | `{}` |  |
 | controller.admissionWebhooks.patch.enabled | bool | `true` |  |
-| controller.admissionWebhooks.patch.image.digest | string | `"sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f"` |  |
+| controller.admissionWebhooks.patch.image.digest | string | `"sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b"` |  |
 | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` |  |
 | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` |  |
 | controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` |  |
-| controller.admissionWebhooks.patch.image.tag | string | `"v20230312-helm-chart-4.5.2-28-g66a760794"` |  |
+| controller.admissionWebhooks.patch.image.tag | string | `"v20230407"` |  |
 | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources |
 | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` |  |
 | controller.admissionWebhooks.patch.podAnnotations | object | `{}` |  |
@@ -273,7 +277,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.allowSnippetAnnotations | bool | `true` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected |
 | controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # |
 | controller.autoscaling.annotations | object | `{}` |  |
 | controller.autoscaling.apiVersion | string | `"autoscaling/v2"` |  |
 | controller.autoscaling.behavior | object | `{}` |  |
 | controller.autoscaling.enabled | bool | `false` |  |
 | controller.autoscaling.maxReplicas | int | `11` |  |
@@ -294,14 +297,14 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # |
 | controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-aware-hints="auto" Defaults to false |
 | controller.existingPsp | string | `""` | Use an existing PSP instead of creating one |
-| controller.extraArgs | object | `{}` | Additional command line arguments to pass to nginx-ingress-controller E.g. to specify the default SSL certificate you can use |
+| controller.extraArgs | object | `{}` | Additional command line arguments to pass to Ingress-Nginx Controller E.g. to specify the default SSL certificate you can use |
 | controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. |
 | controller.extraEnvs | list | `[]` | Additional environment variables to set |
 | controller.extraInitContainers | list | `[]` | Containers, which are run before the app containers are started. |
 | controller.extraModules | list | `[]` | Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module |
 | controller.extraVolumeMounts | list | `[]` | Additional volumeMounts to the controller main container. |
 | controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. |
-| controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the ingress nginx controller is running in the `hostNetwork: true` mode. |
+| controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode. |
 | controller.healthCheckPath | string | `"/healthz"` | Path of the health check endpoint. All requests received on the port defined by the healthz-port parameter are forwarded internally to this path. |
 | controller.hostNetwork | bool | `false` | Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 is merged |
 | controller.hostPort.enabled | bool | `false` | Enable 'hostPort' or not |
@@ -310,13 +313,13 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.hostname | object | `{}` | Optionally customize the pod hostname. |
 | controller.image.allowPrivilegeEscalation | bool | `true` |  |
 | controller.image.chroot | bool | `false` |  |
-| controller.image.digest | string | `"sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407"` |  |
+| controller.image.digest | string | `"sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd"` |  |
-| controller.image.digestChroot | string | `"sha256:e35d5ab487861b9d419c570e3530589229224a0762c7b4d2e2222434abb8d988"` |  |
+| controller.image.digestChroot | string | `"sha256:e0d4121e3c5e39de9122e55e331a32d5ebf8d4d257227cb93ab54a1b912a7627"` |  |
 | controller.image.image | string | `"ingress-nginx/controller"` |  |
 | controller.image.pullPolicy | string | `"IfNotPresent"` |  |
 | controller.image.registry | string | `"registry.k8s.io"` |  |
 | controller.image.runAsUser | int | `101` |  |
-| controller.image.tag | string | `"v1.7.1"` |  |
+| controller.image.tag | string | `"v1.8.1"` |  |
 | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation |
 | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
 | controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass |
@@ -353,7 +356,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.metrics.prometheusRule.enabled | bool | `false` |  |
 | controller.metrics.prometheusRule.rules | list | `[]` |  |
 | controller.metrics.service.annotations | object | `{}` |  |
-| controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available # Ref: https://kubernetes.io/docs/user-guide/services/#external-ips # |
+| controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
 | controller.metrics.service.labels | object | `{}` | Labels to be added to the metrics service resource |
 | controller.metrics.service.loadBalancerSourceRanges | list | `[]` |  |
 | controller.metrics.service.servicePort | int | `10254` |  |
@@ -366,13 +369,13 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.metrics.serviceMonitor.relabelings | list | `[]` |  |
 | controller.metrics.serviceMonitor.scrapeInterval | string | `"30s"` |  |
 | controller.metrics.serviceMonitor.targetLabels | list | `[]` |  |
-| controller.minAvailable | int | `1` | Define either 'minAvailable' or 'maxUnavailable', never both. |
+| controller.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. |
 | controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
 | controller.name | string | `"controller"` |  |
-| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ # |
+| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
 | controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` |  |
 | controller.opentelemetry.enabled | bool | `false` |  |
-| controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:40f766ac4a9832f36f217bb0e98d44c8d38faeccbfe861fbc1a76af7e9ab257f"` |  |
+| controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230527@sha256:fd7ec835f31b7b37187238eb4fdad4438806e69f413a203796263131f4f02ed0"` |  |
 | controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # |
 | controller.podLabels | object | `{}` | Labels to add to the pod container metadata |
 | controller.podSecurityContext | object | `{}` | Security Context policies for controller pods |
@@ -390,7 +393,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.readinessProbe.successThreshold | int | `1` |  |
 | controller.readinessProbe.timeoutSeconds | int | `1` |  |
 | controller.replicaCount | int | `1` |  |
-| controller.reportNodeInternalIp | bool | `false` | Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply |
+| controller.reportNodeInternalIp | bool | `false` | Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network Ingress status was blank because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply |
 | controller.resources.requests.cpu | string | `"100m"` |  |
 | controller.resources.requests.memory | string | `"90Mi"` |  |
 | controller.scope.enabled | bool | `false` | Enable 'scope' or not |
@@ -402,15 +405,17 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.service.enableHttps | bool | `true` |  |
 | controller.service.enabled | bool | `true` |  |
 | controller.service.external.enabled | bool | `true` |  |
-| controller.service.externalIPs | list | `[]` | List of IP addresses at which the controller services are available # Ref: https://kubernetes.io/docs/user-guide/services/#external-ips # |
+| controller.service.externalIPs | list | `[]` | List of IP addresses at which the controller services are available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
 | controller.service.internal.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. |
 | controller.service.internal.enabled | bool | `false` | Enables an additional internal load balancer (besides the external one). |
 | controller.service.internal.loadBalancerIP | string | `""` | Used by cloud providers to connect the resulting internal LoadBalancer to a pre-existing static IP. Make sure to add to the service the needed annotation to specify the subnet which the static IP belongs to. For instance, `networking.gke.io/internal-load-balancer-subnet` for GCP and `service.beta.kubernetes.io/aws-load-balancer-subnets` for AWS. |
 | controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. |
 | controller.service.internal.ports | object | `{}` | Custom port mapping for internal service |
 | controller.service.internal.targetPorts | object | `{}` | Custom target port mapping for internal service |
 | controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically based on cluster configuration and the ipFamilyPolicy field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ |
 | controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack-ness requested or required by this Service. Possible values are SingleStack, PreferDualStack or RequireDualStack. The ipFamilies and clusterIPs fields depend on the value of this field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ |
 | controller.service.labels | object | `{}` |  |
 | controller.service.loadBalancerClass | string | `""` | Used by cloud providers to select a load balancer implementation other than the cloud provider default. https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class |
 | controller.service.loadBalancerIP | string | `""` | Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer |
 | controller.service.loadBalancerSourceRanges | list | `[]` |  |
 | controller.service.nodePorts.http | string | `""` |  |
@@ -435,7 +440,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.watchIngressWithoutClass | bool | `false` | Process Ingress objects without ingressClass annotation/ingressClassName field Overrides value for --watch-ingress-without-class flag of the controller binary Defaults to false |
 | defaultBackend.affinity | object | `{}` |  |
 | defaultBackend.autoscaling.annotations | object | `{}` |  |
 | defaultBackend.autoscaling.apiVersion | string | `"autoscaling/v2"` |  |
 | defaultBackend.autoscaling.enabled | bool | `false` |  |
 | defaultBackend.autoscaling.maxReplicas | int | `2` |  |
 | defaultBackend.autoscaling.minReplicas | int | `1` |  |
@@ -465,7 +469,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | defaultBackend.minAvailable | int | `1` |  |
 | defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
 | defaultBackend.name | string | `"defaultbackend"` |  |
-| defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ # |
+| defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
 | defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # |
 | defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata |
 | defaultBackend.podSecurityContext | object | `{}` | Security Context policies for controller pods See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # |
@@ -479,7 +483,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | defaultBackend.replicaCount | int | `1` |  |
 | defaultBackend.resources | object | `{}` |  |
 | defaultBackend.service.annotations | object | `{}` |  |
-| defaultBackend.service.externalIPs | list | `[]` | List of IP addresses at which the default backend service is available # Ref: https://kubernetes.io/docs/user-guide/services/#external-ips # |
+| defaultBackend.service.externalIPs | list | `[]` | List of IP addresses at which the default backend service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
 | defaultBackend.service.loadBalancerSourceRanges | list | `[]` |  |
 | defaultBackend.service.servicePort | int | `80` |  |
 | defaultBackend.service.type | string | `"ClusterIP"` |  |
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/README.md.gotmpl
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/README.md.gotmpl
@@ -76,14 +76,14 @@ else it would make it impossible to evacuate a node. See [gh issue #7127](https:
 ### Prometheus Metrics
-The Nginx ingress controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`.
+The Ingress-Nginx Controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`.
 You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`.
 Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`. And set `controller.metrics.serviceMonitor.additionalLabels.release="prometheus"`. "release=prometheus" should match the label configured in the prometheus servicemonitor ( see `kubectl get servicemonitor prometheus-kube-prom-prometheus -oyaml -n prometheus`)
 ### ingress-nginx nginx\_status page/stats server
-Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in nginx ingress controller:
+Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in Ingress-Nginx Controller:
 - In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed
 - In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost.
@@ -140,8 +140,10 @@ controller:
    internal:
      enabled: true
      annotations:
-        # Create internal ELB
+        # Create internal NLB
-        service.beta.kubernetes.io/aws-load-balancer-internal: "true"
+        service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
        # Create internal ELB(Deprecated)
        # service.beta.kubernetes.io/aws-load-balancer-internal: "true"
        # Any other annotation can be declared here.
 ```
@@ -184,13 +186,15 @@ controller:
        # Any other annotation can be declared here.
 ```
 The load balancer annotations of more cloud service providers can be found: [Internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer).
 An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object.
 Optionally you can set `controller.service.loadBalancerIP` if you need a static IP for the resulting `LoadBalancer`.
 ### Ingress Admission Webhooks
-With nginx-ingress-controller version 0.25+, the nginx ingress controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster.
+With nginx-ingress-controller version 0.25+, the Ingress-Nginx Controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster.
 **This feature is enabled by default since 0.31.0.**
 With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521)
@@ -199,7 +203,7 @@ With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fi
 A validating and configuration requires the endpoint to which the request is sent to use TLS. It is possible to set up custom certificates to do this, but in most cases, a self-signed certificate is enough. The setup of this component requires some more complex orchestration when using helm. The steps are created to be idempotent and to allow turning the feature on and off without running into helm quirks.
 1. A pre-install hook provisions a certificate into the same namespace using a format compatible with provisioning using end user certificates. If the certificate already exists, the hook exits.
-2. The ingress nginx controller pod is configured to use a TLS proxy container, which will load that certificate.
+2. The Ingress-Nginx Controller pod is configured to use a TLS proxy container, which will load that certificate.
 3. Validating and Mutating webhook configurations are created in the cluster.
 4. A post-install hook reads the CA from the secret created by step 1 and patches the Validating and Mutating webhook configurations. This process will allow a custom CA provisioned by some other process to also be patched into the webhook configurations. The chosen failure policy is also patched into the webhook configurations
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.7.0.md
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.7.0.md
@@ -0,0 +1,14 @@
 # Changelog
 This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
 ### 4.7.0
 * helm: Fix opentelemetry module installation for daemonset (#9792)
 * Update charts/* to keep project name display aligned (#9931)
 * HPA: Use capabilites & align manifests. (#9521)
 * PodDisruptionBudget spec logic update (#9904)
 * add option for annotations in PodDisruptionBudget (#9843)
 * Update Ingress-Nginx version controller-v1.8.0
 **Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.6.1...helm-chart-4.7.0
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.7.1.md
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.7.1.md
@@ -0,0 +1,12 @@
 # Changelog
 This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
 ### 4.7.1
 * Added a doc line to the missing helm value service.internal.loadBalancerIP (#9406)
 * feat(helm): Add loadBalancerClass (#9562)
 * added helmshowvalues example (#10019)
 * Update Ingress-Nginx version controller-v1.8.1
 **Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.0...helm-chart-4.7.1
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/_helpers.tpl
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/_helpers.tpl
@@ -201,8 +201,12 @@ Extra modules.
 - name: {{ .name }}
  image: {{ .image }}
  {{- if .distroless | default false }}
  command: ['/init_module']
  {{- else }}
  command: ['sh', '-c', '/usr/local/bin/init_module.sh']
-  {{- if (.containerSecurityContext) }}
+  {{- end }}
  {{- if .containerSecurityContext }}
  securityContext: {{ .containerSecurityContext | toYaml | nindent 4 }}
  {{- end }}
  volumeMounts:
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec-learning-pvc.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec-learning-pvc.yaml
@@ -1,3 +1,4 @@
 {{- if not (eq .Values.kind "Vanilla") -}}
 {{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.persistence.enabled true) -}}
 kind: PersistentVolumeClaim
 apiVersion: v1
@@ -18,3 +19,4 @@ spec:
  storageClassName: {{ required "A storage class for learning data is required" .Values.appsec.persistence.learning.storageClass.name }}
 {{- end -}}
 {{- end }}
 {{- end }}
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec-pvc.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec-pvc.yaml
@@ -1,4 +1,4 @@
-{{- if (eq .Values.controller.kind "Deployment") -}}
+{{- if (and (eq .Values.kind "AppSec") .Values.appsec.persistence.enabled) }}
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec-settings-configmap.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec-settings-configmap.yaml
@@ -0,0 +1,32 @@
 {{- if not (eq .Values.kind "Vanilla") -}}
 {{- if .Values.appsec.configMapContent }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ .Values.appsec.configMapName | default "appsec-settings-configmap" | quote }}
 data:
  {{- if .Values.appsec.configMapContent.crowdsec }}
  CROWDSEC_ENABLED: {{ .Values.appsec.configMapContent.crowdsec.enabled | default "false"  | quote }}
  {{- if .Values.appsec.configMapContent.crowdsec.api }}
  CROWDSEC_API_URL: {{ .Values.appsec.configMapContent.crowdsec.api.url | default "http://crowdsec-service:8080/v1/decisions/stream" }}
  {{- else }}
  CROWDSEC_API_URL: "http://crowdsec-service:8080/v1/decisions/stream"
  {{- end }}
  {{- if .Values.appsec.configMapContent.crowdsec.auth }}
  CROWDSEC_AUTH_METHOD: {{ .Values.appsec.configMapContent.crowdsec.auth.method | default "apikey" }}
  {{- else }}
  CROWDSEC_AUTH_METHOD: "apikey"
  {{- end }}
  {{- if .Values.appsec.configMapContent.crowdsec.mode }}
  CROWDSEC_MODE: {{ .Values.appsec.configMapContent.crowdsec.mode | default "prevent" }}
  {{- else }}
  CROWDSEC_MODE: "prevent"
  {{- end }}
  {{- if .Values.appsec.configMapContent.crowdsec.logging }}
  CROWDSEC_LOGGING: {{ .Values.appsec.configMapContent.crowdsec.logging | default "enabled" }}
  {{- else }}
  CROWDSEC_LOGGING: "enabled"
  {{- end }}
  {{- end }}
 {{- end }}
 {{- end }}
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec-settings-secret.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec-settings-secret.yaml
@@ -0,0 +1,12 @@
 {{- if not (eq .Values.kind "Vanilla") -}}
 {{ if .Values.appsec.secretContent }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ .Values.appsec.secretName | default "appsec-settings-secret" | quote }}
 data:
  {{- if and .Values.appsec.secretContent.crowdsec .Values.appsec.secretContent.crowdsec.auth }}
  CROWDSEC_AUTH_DATA: {{ .Values.appsec.secretContent.crowdsec.auth.data | b64enc }}
  {{- end }}
 {{ end }}
 {{ end }}
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-statefulset.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-statefulset.yaml
@@ -1,6 +1,15 @@
-{{- if or (eq .Values.controller.kind "StatefulSet") (eq .Values.controller.kind "Both") -}}
+{{- if  (not (eq .Values.kind "Vanilla")) }}
 {{- include  "isControllerTagValid" . -}}
 apiVersion: apps/v1
 {{- if (eq .Values.kind "AppSec") }}
 {{- if (eq .Values.controller.kind "DaemonSet") }}
 kind: DaemonSet
 {{- else }}
 kind: Deployment
 {{- end }}
 {{- else if eq .Values.kind "AppSecStateful" }}
 kind: StatefulSet
 {{- end }}
 metadata:
  labels:
    {{- include "ingress-nginx.labels" . | nindent 4 }}
@@ -19,15 +28,25 @@ spec:
      {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
      app.kubernetes.io/component: controller
  {{- if not .Values.controller.autoscaling.enabled }}
  {{- if eq .Values.kind "AppSecStateful" }}
  serviceName: "open-appsec-stateful-set"
  {{- end }}
  {{- if or (not (eq .Values.controller.kind "DaemonSet")) (and (eq .Values.kind "AppSecStateful") (eq .Values.controller.kind "DaemonSet")) }}
  replicas: {{ .Values.controller.replicaCount }}
  {{- end }}
  {{- end }}
  revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
  {{- if .Values.controller.updateStrategy }}
  {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }}
  updateStrategy:
  {{- else }}
  strategy:
  {{- end }}
    {{ toYaml .Values.controller.updateStrategy | nindent 4 }}
  {{- end }}
-  #minReadySeconds: {{ .Values.controller.minReadySeconds }}
+  {{- if (eq .Values.kind "AppSec") }}
  minReadySeconds: {{ .Values.controller.minReadySeconds }}
  {{- end }}
  template:
    metadata:
    {{- if .Values.controller.podAnnotations }}
@@ -79,6 +98,10 @@ spec:
        - name: {{ .Values.appsec.name }}
          securityContext:
            {{ toYaml .Values.appsec.securityContext | nindent 12 }}
          {{- $tag := .Values.appsec.image.tag }}
          {{- if .Values.appsec.configMapContent.crowdsec.enabled }}
          {{- $tag = "crowdsec-1.2314-rc1" }}
          {{- end }}
          {{- with .Values.appsec.image }}
          image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}"
          {{- end }}
@@ -106,6 +129,8 @@ spec:
          env:
            - name: user_email
              value: {{ .Values.appsec.userEmail }}
            - name: registered_server
              value: "NGINX Server"
        {{- if eq .Values.appsec.playground false }}
            - name: SHARED_STORAGE_HOST
              value: {{ .Values.appsec.storage.name }}-svc
@@ -115,20 +140,29 @@ spec:
            - name: PLAYGROUND
              value: "true"
        {{- end }}
          envFrom:
          - configMapRef:
              name: {{ .Values.appsec.configMapName | default "appsec-settings-configmap" }}
          - secretRef:
              name: {{ .Values.appsec.secretName | default "appsec-settings-secret" }}
          resources:
            {{ toYaml .Values.resources | nindent 12 }}
          volumeMounts:
          - name: advanced-model
            mountPath: /advanced-model
-        {{- if .Values.appsec.persistence.enabled }}
+        {{- if (eq .Values.appsec.persistence.enabled true) }}
          - name: appsec-conf
            mountPath: /etc/cp/conf
          - name: appsec-data
            mountPath: /etc/cp/data
        {{- end }}
        - name: {{ .Values.controller.containerName }}
-          {{- with .Values.controller.image }}
+          {{- $tag := .Values.appsec.nginx.image.tag }}
-          image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}"
+          {{- if .Values.appsec.configMapContent.crowdsec.enabled }}
          {{- $tag = "1.2303.1-rc1-v1.3.0" }}
          {{- end }}
          {{- with .Values.appsec.nginx.image }}
          image: "{{ .repository }}:{{ .tag }}"
          {{- end }}
          imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
        {{- if .Values.controller.lifecycle }}
@@ -240,7 +274,11 @@ spec:
      {{- end }}
      {{- if .Values.controller.opentelemetry.enabled}}
          {{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
-          {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext) | nindent 8}}
+          {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }}
          {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext ) | nindent 8}}
          {{ else }}
          {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext "distroless" false) | nindent 8}}
          {{- end }}
      {{- end}}
    {{- end }}
    {{- if .Values.controller.hostNetwork }}
@@ -266,6 +304,14 @@ spec:
          configMap:
            name: advanced-model-config
            optional: true
      {{- if (and (eq .Values.kind "AppSec") .Values.appsec.persistence.enabled) }}
        - name: appsec-conf
          persistentVolumeClaim:
            claimName: {{ .Values.appsec.name }}-conf
        - name: appsec-data
          persistentVolumeClaim:
            claimName: {{ .Values.appsec.name }}-data
      {{- end }}
      {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}}
        - name: modules
          emptyDir: {}
@@ -294,7 +340,7 @@ spec:
        {{ toYaml .Values.controller.extraVolumes | nindent 8 }}
      {{- end }}
    {{- end }}
-{{- if .Values.appsec.persistence.enabled }}
+  {{- if (and (eq .Values.kind "AppSecStateful") .Values.appsec.persistence.enabled) }}
  volumeClaimTemplates:
  - metadata:
      name: appsec-conf
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-daemonset.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-daemonset.yaml
@@ -1,4 +1,4 @@
-{{- if or (eq .Values.controller.kind "DaemonSet") (eq .Values.controller.kind "Both") -}}
+{{- if and (eq .Values.kind "Vanilla") (or (eq .Values.controller.kind "DaemonSet") (eq .Values.controller.kind "Both")) -}}
 {{- include  "isControllerTagValid" . -}}
 apiVersion: apps/v1
 kind: DaemonSet
@@ -53,12 +53,12 @@ spec:
      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
    {{- end }}
    {{- if .Values.controller.priorityClassName }}
-      priorityClassName: {{ .Values.controller.priorityClassName }}
+      priorityClassName: {{ .Values.controller.priorityClassName | quote }}
    {{- end }}
    {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }}
      securityContext:
    {{- end }}
-    {{- if .Values.controller.podSecurityContext  }}
+    {{- if .Values.controller.podSecurityContext }}
        {{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
    {{- end }}
    {{- if .Values.controller.sysctls }}
@@ -143,11 +143,15 @@ spec:
              hostPort: {{ $key }}
              {{- end }}
          {{- end }}
-        {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules) }}
+        {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
          volumeMounts:
-          {{- if .Values.controller.extraModules }}
+          {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
            - name: modules
            {{ if .Values.controller.image.chroot }}
              mountPath: /chroot/modules_mount
            {{ else }}
              mountPath: /modules_mount
            {{ end }}
          {{- end }}
          {{- if .Values.controller.customTemplate.configMapName }}
            - mountPath: /etc/nginx/template
@@ -169,9 +173,7 @@ spec:
      {{- if .Values.controller.extraContainers }}
        {{ toYaml .Values.controller.extraContainers | nindent 8 }}
      {{- end }}
-
+    {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
    {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }}
      initContainers:
      {{- if .Values.controller.extraInitContainers }}
        {{ toYaml .Values.controller.extraInitContainers | nindent 8 }}
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-deployment.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-deployment.yaml
@@ -1,4 +1,4 @@
-{{- if or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both") -}}
+{{- if and (eq .Values.kind "Vanilla") (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}}
 {{- include  "isControllerTagValid" . -}}
 apiVersion: apps/v1
 kind: Deployment
@@ -76,59 +76,9 @@ spec:
      shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }}
    {{- end }}
      containers:
        - name: {{ .Values.appsec.name }}
          securityContext:
            {{ toYaml .Values.appsec.securityContext | nindent 12 }}
          {{- with .Values.appsec.image }}
          image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}"
          {{- end }}
          command:
          - {{ .Values.appsec.command }}
          imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
          args:
        {{- if (eq "standalone" .Values.appsec.mode) }}
          - --hybrid-mode
          - --token
          - cp-3fb5c718-5e39-47e6-8d5e-99b4bc5660b74b4b7fc8-5312-451d-a763-aaf7872703c0
        {{- else }}
          - --token
          - {{ .Values.appsec.agentToken }}
        {{- end -}}
        {{- if .Values.appsec.customFog.enabled }}
          - --fog
          - {{ .Values.appsec.customFog.fogAddress }}
        {{- end }}
        {{- if .Values.appsec.proxy }}
          - --proxy
          - {{ .Values.appsec.proxy }}
        {{- end }}
          imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
          env:
            - name: user_email
              value: {{ .Values.appsec.userEmail }}
        {{- if eq .Values.appsec.playground false }}
            - name: SHARED_STORAGE_HOST
              value: {{ .Values.appsec.storage.name }}-svc
            - name: LEARNING_HOST
              value: {{ .Values.appsec.learning.name }}-svc
        {{- else }}
            - name: PLAYGROUND
              value: "true"
        {{- end }}
          resources:
            {{ toYaml .Values.resources | nindent 12 }}
          volumeMounts:
          - name: advanced-model
            mountPath: /advanced-model
        {{- if .Values.appsec.persistence.enabled }}
          - name: appsec-conf
            mountPath: /etc/cp/conf
          - name: appsec-data
            mountPath: /etc/cp/data
        {{- end }}
        - name: {{ .Values.controller.containerName }}
          {{- with .Values.controller.image }}
-          image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}"
+          image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{- end -}}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}"
          {{- end }}
          imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
        {{- if .Values.controller.lifecycle }}
@@ -240,7 +190,7 @@ spec:
      {{- end }}
      {{- if .Values.controller.opentelemetry.enabled}}
          {{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
-          {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext) | nindent 8}}
+          {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext "distroless" false) | nindent 8}}
      {{- end}}
    {{- end }}
    {{- if .Values.controller.hostNetwork }}
@@ -260,14 +210,8 @@ spec:
    {{- end }}
      serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
      terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
      volumes:
        - name: appsec-conf
          persistentVolumeClaim:
            claimName: {{ .Values.appsec.name }}-conf
        - name: appsec-data
          persistentVolumeClaim:
            claimName: {{ .Values.appsec.name }}-data
    {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
      volumes:
      {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}}
        - name: modules
          emptyDir: {}
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-hpa.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-hpa.yaml
@@ -1,12 +1,9 @@
-{{- if and .Values.controller.autoscaling.enabled (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}}
+{{- if and (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) .Values.controller.autoscaling.enabled (not .Values.controller.keda.enabled) -}}
-{{- if not .Values.controller.keda.enabled }}
+apiVersion: {{ ternary "autoscaling/v2" "autoscaling/v2beta2" (.Capabilities.APIVersions.Has "autoscaling/v2") }}
 apiVersion: {{ .Values.controller.autoscaling.apiVersion }}
 kind: HorizontalPodAutoscaler
 metadata:
  annotations:
  {{- with .Values.controller.autoscaling.annotations }}
-  {{- toYaml . | trimSuffix "\n" | nindent 4 }}
+  annotations: {{ toYaml . | nindent 4 }}
  {{- end }}
  labels:
    {{- include "ingress-nginx.labels" . | nindent 4 }}
@@ -48,5 +45,3 @@ spec:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 {{- end }}
 {{- end }}
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-keda.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-keda.yaml
@@ -25,6 +25,11 @@ spec:
  cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }}
  minReplicaCount: {{ .Values.controller.keda.minReplicas }}
  maxReplicaCount: {{ .Values.controller.keda.maxReplicas }}
 {{- with .Values.controller.keda.fallback }}
  fallback:
    failureThreshold: {{ .failureThreshold | default 3 }}
    replicas: {{ .replicas | default $.Values.controller.keda.maxReplicas }}
 {{- end }}
  triggers:
 {{- with .Values.controller.keda.triggers }}
 {{ toYaml . | indent 2 }}
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-poddisruptionbudget.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-poddisruptionbudget.yaml
@@ -10,12 +10,15 @@ metadata:
    {{- end }}
  name: {{ include "ingress-nginx.controller.fullname" . }}
  namespace: {{ .Release.Namespace }}
  {{- if .Values.controller.annotations }}
  annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
  {{- end }}
 spec:
  selector:
    matchLabels:
      {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
      app.kubernetes.io/component: controller
-  {{- if .Values.controller.minAvailable }}
+  {{- if and .Values.controller.minAvailable (not (hasKey .Values.controller "maxUnavailable")) }}
  minAvailable: {{ .Values.controller.minAvailable }}
  {{- else if .Values.controller.maxUnavailable }}
  maxUnavailable: {{ .Values.controller.maxUnavailable }}
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service.yaml
@@ -28,6 +28,9 @@ spec:
 {{- if .Values.controller.service.loadBalancerSourceRanges }}
  loadBalancerSourceRanges: {{ toYaml .Values.controller.service.loadBalancerSourceRanges | nindent 4 }}
 {{- end }}
 {{- if .Values.controller.service.loadBalancerClass }}
  loadBalancerClass: {{ .Values.controller.service.loadBalancerClass }}
 {{- end }}
 {{- if .Values.controller.service.externalTrafficPolicy }}
  externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }}
 {{- end }}
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-hpa.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-hpa.yaml
@@ -1,37 +1,40 @@
 {{- if and .Values.defaultBackend.enabled .Values.defaultBackend.autoscaling.enabled }}
-apiVersion: {{ .Values.defaultBackend.autoscaling.apiVersion }}
+apiVersion: {{ ternary "autoscaling/v2" "autoscaling/v2beta2" (.Capabilities.APIVersions.Has "autoscaling/v2") }}
 kind: HorizontalPodAutoscaler
 metadata:
  {{- with .Values.defaultBackend.autoscaling.annotations }}
  annotations: {{ toYaml . | nindent 4 }}
  {{- end }}
  labels:
    {{- include "ingress-nginx.labels" . | nindent 4 }}
    app.kubernetes.io/component: default-backend
    {{- with .Values.defaultBackend.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
-  name: {{ template "ingress-nginx.defaultBackend.fullname" . }}
+  name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
  namespace: {{ .Release.Namespace }}
 spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
-    name: {{ template "ingress-nginx.defaultBackend.fullname" . }}
+    name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
  minReplicas: {{ .Values.defaultBackend.autoscaling.minReplicas }}
  maxReplicas: {{ .Values.defaultBackend.autoscaling.maxReplicas }}
  metrics:
-{{- with .Values.defaultBackend.autoscaling.targetCPUUtilizationPercentage }}
+  {{- with .Values.defaultBackend.autoscaling.targetCPUUtilizationPercentage }}
-    - type: Resource
+  - type: Resource
-      resource:
+    resource:
-        name: cpu
+      name: cpu
-        target:
+      target:
-          type: Utilization
+        type: Utilization
-          averageUtilization: {{ . }}
+        averageUtilization: {{ . }}
-{{- end }}
+  {{- end }}
-{{- with .Values.defaultBackend.autoscaling.targetMemoryUtilizationPercentage }}
+  {{- with .Values.defaultBackend.autoscaling.targetMemoryUtilizationPercentage }}
-    - type: Resource
+  - type: Resource
-      resource:
+    resource:
-        name: memory
+      name: memory
-        target:
+      target:
-          type: Utilization
+        type: Utilization
-          averageUtilization: {{ . }}
+        averageUtilization: {{ . }}
-{{- end }}
+  {{- end }}
 {{- end }}
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/learning-deployment.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/learning-deployment.yaml
@@ -1,3 +1,4 @@
 {{- if not (eq .Values.kind "Vanilla") -}}
 {{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.playground false) }}
 apiVersion: apps/v1
 kind: Deployment
@@ -137,3 +138,4 @@ spec:
            claimName: {{ .Values.appsec.name }}-storage
      {{- end }}
 {{- end }}
 {{- end }}
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/learning-services.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/learning-services.yaml
@@ -1,3 +1,4 @@
 {{- if not (eq .Values.kind "Vanilla") -}}
 {{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.playground false) }}
 apiVersion: v1
 kind: Service
@@ -31,3 +32,4 @@ spec:
  selector:
    app: {{ .Values.appsec.storage.name }}-lbl
 {{- end }}
 {{- end }}
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/values.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/values.yaml
@@ -18,14 +18,14 @@ controller:
  image:
    ## Keep false as default for now!
    chroot: false
-    registry: ghcr.io/openappsec
+    registry: registry.k8s.io
-    image: nginx-ingress-attachment
+    image: ingress-nginx/controller
    ## for backwards compatibility consider setting the full image url via the repository value below
    ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
    ## repository:
-    tag: latest
+    tag: "v1.8.1"
-    digest: 
+    digest: sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd
-    digestChroot: sha256:e35d5ab487861b9d419c570e3530589229224a0762c7b4d2e2222434abb8d988
+    digestChroot: sha256:e0d4121e3c5e39de9122e55e331a32d5ebf8d4d257227cb93ab54a1b912a7627
    pullPolicy: IfNotPresent
    # www-data -> uid 101
    runAsUser: 101
@@ -55,7 +55,7 @@ controller:
  # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet.
  dnsPolicy: ClusterFirst
  # -- Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network
-  # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply
+  # Ingress status was blank because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply
  reportNodeInternalIp: false
  # -- Process Ingress objects without ingressClass annotation/ingressClassName field
  # Overrides value for --watch-ingress-without-class flag of the controller binary
@@ -150,7 +150,7 @@ controller:
  # -- Maxmind license key to download GeoLite2 Databases.
  ## https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases
  maxmindLicenseKey: ""
-  # -- Additional command line arguments to pass to nginx-ingress-controller
+  # -- Additional command line arguments to pass to Ingress-Nginx Controller
  # E.g. to specify the default SSL certificate you can use
  extraArgs: {}
  ## extraArgs:
@@ -166,7 +166,7 @@ controller:
  #         name: secret-resource
  # -- Use a `DaemonSet` or `Deployment`
-  kind: StatefulSet
+  kind: Deployment
  # -- Annotations to be added to the controller Deployment or DaemonSet
  ##
  annotations: {}
@@ -257,7 +257,7 @@ controller:
  ##
  terminationGracePeriodSeconds: 300
  # -- Node labels for controller pod assignment
-  ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector:
    kubernetes.io/os: linux
@@ -302,15 +302,16 @@ controller:
  healthCheckPath: "/healthz"
  # -- Address to bind the health check endpoint.
  # It is better to set this option to the internal node address
-  # if the ingress nginx controller is running in the `hostNetwork: true` mode.
+  # if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode.
  healthCheckHost: ""
  # -- Annotations to be added to controller pods
  ##
  podAnnotations: {}
  replicaCount: 1
-  # -- Define either 'minAvailable' or 'maxUnavailable', never both.
+  # -- Minimum available pods set in PodDisruptionBudget.
  # Define either 'minAvailable' or 'maxUnavailable', never both.
  minAvailable: 1
-  # -- Define either 'minAvailable' or 'maxUnavailable', never both.
+  # -- Maximum unavalaile pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
  # maxUnavailable: 1
  ## Define requests resources to avoid probe issues due to CPU utilization in busy nodes
@@ -326,7 +327,6 @@ controller:
      memory: 90Mi
  # Mutually exclusive with keda autoscaling
  autoscaling:
    apiVersion: autoscaling/v2
    enabled: false
    annotations: {}
    minReplicas: 1
@@ -368,6 +368,9 @@ controller:
    maxReplicas: 11
    pollingInterval: 30
    cooldownPeriod: 300
    # fallback:
    #   failureThreshold: 3
    #   replicas: 11
    restoreToOriginalReplicaCount: false
    scaledObject:
      annotations: {}
@@ -417,12 +420,14 @@ controller:
    # clusterIP: ""
    # -- List of IP addresses at which the controller services are available
-    ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
+    ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
    ##
    externalIPs: []
    # -- Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
    loadBalancerIP: ""
    loadBalancerSourceRanges: []
    # -- Used by cloud providers to select a load balancer implementation other than the cloud provider default. https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
    loadBalancerClass: ""
    enableHttp: true
    enableHttps: true
    ## Set external traffic policy to: "Local" to preserve source IP on providers supporting it.
@@ -473,8 +478,8 @@ controller:
      enabled: false
      # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service.
      annotations: {}
-      # loadBalancerIP: ""
+      # -- Used by cloud providers to connect the resulting internal LoadBalancer to a pre-existing static IP. Make sure to add to the service the needed annotation to specify the subnet which the static IP belongs to. For instance, `networking.gke.io/internal-load-balancer-subnet` for GCP and `service.beta.kubernetes.io/aws-load-balancer-subnets` for AWS.
-
+      loadBalancerIP: ""
      # -- Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0.
      loadBalancerSourceRanges: []
      ## Set external traffic policy to: "Local" to preserve source IP on
@@ -547,7 +552,7 @@ controller:
  opentelemetry:
    enabled: false
-    image: registry.k8s.io/ingress-nginx/opentelemetry:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:40f766ac4a9832f36f217bb0e98d44c8d38faeccbfe861fbc1a76af7e9ab257f
+    image: registry.k8s.io/ingress-nginx/opentelemetry:v20230527@sha256:fd7ec835f31b7b37187238eb4fdad4438806e69f413a203796263131f4f02ed0
    containerSecurityContext:
      allowPrivilegeEscalation: false
  admissionWebhooks:
@@ -609,8 +614,8 @@ controller:
        ## for backwards compatibility consider setting the full image url via the repository value below
        ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
        ## repository:
-        tag: v20230312-helm-chart-4.5.2-28-g66a760794
+        tag: v20230407
-        digest: sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f
+        digest: sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b
        pullPolicy: IfNotPresent
      # -- Provide a priority class name to the webhook patching job
      ##
@@ -652,7 +657,7 @@ controller:
      # clusterIP: ""
      # -- List of IP addresses at which the stats-exporter service is available
-      ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
+      ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
      ##
      externalIPs: []
      # loadBalancerIP: ""
@@ -810,7 +815,7 @@ defaultBackend:
  #  key: value
  # -- Node labels for default backend pod assignment
-  ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector:
    kubernetes.io/os: linux
@@ -838,7 +843,6 @@ defaultBackend:
  #    emptyDir: {}
  autoscaling:
    apiVersion: autoscaling/v2
    annotations: {}
    enabled: false
    minReplicas: 1
@@ -850,7 +854,7 @@ defaultBackend:
    # clusterIP: ""
    # -- List of IP addresses at which the default backend service is available
-    ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
+    ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
    ##
    externalIPs: []
    # loadBalancerIP: ""
@@ -907,7 +911,7 @@ appsec:
    repository: ghcr.io/openappsec
    image: agent
    tag: latest
-    pullPolicy: IfNotPresent
+    pullPolicy: Always
    securityContext: {}
      # capabilities:
@@ -916,7 +920,26 @@ appsec:
      # readOnlyRootFilesystem: true
      # runAsNonRoot: true
      # runAsUser: 1000
-  
+  nginx:
    image:
      repository: "ghcr.io/openappsec/nginx-ingress-attachment"
      tag: "latest"
  configMapName: appsec-settings-configmap
  configMapContent:
    crowdsec:
      enabled: false
      mode: prevent
      logging: enabled
      api:
        url: http://crowdsec-service:8080/v1/decisions/stream
      auth:
        method: apikey
  secretName: appsec-settings-secret
  # If you would like to use your own secret with CrowdSec authentication data, please remove the following block
  secretContent:
    crowdsec:
      auth:
        data: "00000000000000000000000000000000"
  resources:
  #  limits:
  #    cpu: 100m
@@ -980,3 +1003,8 @@ appsec:
      image: smartsync-shared-files
      tag: latest
 # -- For nginx vanilla installation use kind Vanilla (no appsec components).
 # -- For nginx with appsec installation use kind AppSec (default: nginx + appsec without state).
 # -- For nginx with appsec (statefulset) installation use kind AppSecStateful.
 kind: AppSec
--- a/build_system/charts/open-appsec-kong/CHANGELOG.md
+++ b/build_system/charts/open-appsec-kong/CHANGELOG.md
@@ -1,6 +1,46 @@
 # Changelog
-## Unreleased
+## 2.25.0
 - Generate the `adminApiService.name` value from `.Release.Name` rather than
  hardcoding to `kong`
  [#839](https://github.com/Kong/charts/pull/839)
 ## 2.24.0
 ### Improvements
 * Running `tpl` against user-supplied labels and annotations used in Deployment
  [#814](https://github.com/Kong/charts/pull/814)
  Example:
  ```yaml
  podLabels:
    version: "{{ .Values.image.tag }}"  # Will render dynamically when overridden downstream
  ```
 * Fail to render templates when PodSecurityPolicy was requested but cluster doesn't
  serve its API.
  [#823](https://github.com/Kong/charts/pull/823)
 * Add support for multiple hosts and tls configurations for Kong proxy `Ingress`.
  [#813](https://github.com/Kong/charts/pull/813)
 * Bump postgres default tag to `13.11.0-debian-11-r20` which includes arm64 images.
  [#834](https://github.com/Kong/charts/pull/834)
 ### Fixed
 * Fix Ingress and HPA API versions during capabilities checking
  [#827](https://github.com/Kong/charts/pull/827)
 ## 2.23.0
 ### Improvements
 * Add custom label configuration option for Kong proxy `Ingress`.
  [#812](https://github.com/Kong/charts/pull/812)
 * Bump default `kong/kubernetes-ingress-controller` image tag to 2.10.
  Bump default `kong` image tag to 3.3.
  [#815](https://github.com/Kong/charts/pull/815)
 ## 2.22.0
@@ -30,7 +70,7 @@
 ## 2.20.2
-### Fixed 
+### Fixed
 * Automatic license provisioning for Gateways managed by Ingress Controllers in Konnect mode
  is disabled by default.
--- a/build_system/charts/open-appsec-kong/Chart.yaml
+++ b/build_system/charts/open-appsec-kong/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: "3.2"
+appVersion: "3.3"
 dependencies:
 - condition: postgresql.enabled
  name: postgresql
@@ -16,4 +16,4 @@ maintainers:
 name: open-appsec-kong
 sources:
 - https://github.com/Kong/charts/tree/main/charts/kong
-version: 2.22.0
+version: 2.25.0
--- a/build_system/charts/open-appsec-kong/README.md
+++ b/build_system/charts/open-appsec-kong/README.md
@@ -679,11 +679,13 @@ or `ingress` sections, as it is used only for stream listens.
 | SVC.externalTrafficPolicy          | k8s service's externalTrafficPolicy. Options: Cluster, Local                          |                          |
 | SVC.ingress.enabled                | Enable ingress resource creation (works with SVC.type=ClusterIP)                      | `false`                  |
 | SVC.ingress.ingressClassName       | Set the ingressClassName to associate this Ingress with an IngressClass               |                          |
 | SVC.ingress.tls                    | Name of secret resource, containing TLS secret                                        |                          |
 | SVC.ingress.hostname               | Ingress hostname                                                                      | `""`                     |
 | SVC.ingress.path                   | Ingress path.                                                                         | `/`                      |
 | SVC.ingress.pathType               | Ingress pathType. One of `ImplementationSpecific`, `Exact` or `Prefix`                | `ImplementationSpecific` |
 | SVC.ingress.hosts                  | Slice of hosts configurations, including `hostname`, `path` and `pathType` keys       | `[]`                     |
 | SVC.ingress.tls                    | Name of secret resource or slice of `secretName` and `hosts` keys                     |                          |
 | SVC.ingress.annotations            | Ingress annotations. See documentation for your ingress controller for details        | `{}`                     |
 | SVC.ingress.labels                 | Ingress labels. Additional custom labels to add to the ingress.                       | `{}`                     |
 | SVC.annotations                    | Service annotations                                                                   | `{}`                     |
 | SVC.labels                         | Service labels                                                                        | `{}`                     |
@@ -744,6 +746,7 @@ section of `values.yaml` file:
 | userDefinedVolumeMounts                    | Create volumeMounts. Please go to Kubernetes doc for the spec of the volumeMounts                                                                        |                                    |
 | terminationGracePeriodSeconds              | Sets the [termination grace period](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution) for Deployment pod | 30                                 |
 | gatewayDiscovery.enabled                   | Enables Kong instance service discovery (for more details see [gatewayDiscovery section][gd_section])                                                    | false                              |
 | gatewayDiscovery.generateAdminApiService   | Generate the admin API service name based on the release name (for more details see [gatewayDiscovery section][gd_section])                                                    | false                              |
 | gatewayDiscovery.adminApiService.namespace | The namespace of the Kong admin API service (for more details see [gatewayDiscovery section][gd_section])                                                | `.Release.Namespace`               |
 | gatewayDiscovery.adminApiService.name      | The name of the Kong admin API service (for more details see [gatewayDiscovery section][gd_section])                                                     | ""                                 |
 | konnect.enabled                            | Enable synchronisation of data plane configuration with Konnect Runtime Group                                                                            | false                              |
@@ -796,12 +799,16 @@ You'll be able to configure this feature through configuration section under
  service.
  (provided under the hood via `CONTROLLER_KONG_ADMIN_SVC` environment variable).
-  The following admin API Service flags have to be provided in order for gateway
+  The following admin API Service flags have to be present in order for gateway
  discovery to work:
  - `ingressController.gatewayDiscovery.adminApiService.name`
  - `ingressController.gatewayDiscovery.adminApiService.namespace`
  If you set `ingressController.gatewayDiscovery.generateAdminApiService` to `true`,
  the chart will generate values for `name` and `namespace` based on the current release name and
  namespace. This is useful when consuming the `kong` chart as a subchart.
 Using this feature requires a split release installation of Gateways and Ingress Controller.
 For exemplar `values.yaml` files which use this feature please see: [examples README.md](./example-values/README.md).
--- a/build_system/charts/open-appsec-kong/ci/admin-api-service-clusterip.yaml
+++ b/build_system/charts/open-appsec-kong/ci/admin-api-service-clusterip.yaml
@@ -0,0 +1,6 @@
 admin:
  enabled: true
  type: ClusterIP
 ingressController:
  enabled: false
--- a/build_system/charts/open-appsec-kong/ci/kong-ingress-1-values.yaml
+++ b/build_system/charts/open-appsec-kong/ci/kong-ingress-1-values.yaml
@@ -0,0 +1,16 @@
 # CI test for empty hostname including tls secret using string
 proxy:
  type: NodePort
  ingress:
    enabled: true
    tls: "kong.proxy.example.secret"
 extraObjects:
 - apiVersion: v1
  data:
    tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURoakNDQW00Q0NRQ0tyTDdSS1Y0NTBEQU5CZ2txaGtpRzl3MEJBUXNGQURDQmhERUxNQWtHQTFVRUJoTUMKV0ZneEVqQVFCZ05WQkFnTUNWTjBZWFJsVG1GdFpURVJNQThHQTFVRUJ3d0lRMmwwZVU1aGJXVXhGREFTQmdOVgpCQW9NQzBOdmJYQmhibmxPWVcxbE1Sc3dHUVlEVlFRTERCSkRiMjF3WVc1NVUyVmpkR2x2Yms1aGJXVXhHekFaCkJnTlZCQU1NRW5CeWIzaDVMbXR2Ym1jdVpYaGhiWEJzWlRBZUZ3MHlNekEyTWprd09ERTBNekJhRncwek16QTIKTWpZd09ERTBNekJhTUlHRU1Rc3dDUVlEVlFRR0V3SllXREVTTUJBR0ExVUVDQXdKVTNSaGRHVk9ZVzFsTVJFdwpEd1lEVlFRSERBaERhWFI1VG1GdFpURVVNQklHQTFVRUNnd0xRMjl0Y0dGdWVVNWhiV1V4R3pBWkJnTlZCQXNNCkVrTnZiWEJoYm5sVFpXTjBhVzl1VG1GdFpURWJNQmtHQTFVRUF3d1NjSEp2ZUhrdWEyOXVaeTVsZUdGdGNHeGwKTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUE4Wmd4czI1RXdtaXRsRG1HMitWVwpscUZ4R3lkVHU2dWlCVldFZjNoV0h2R3YvUWpYZHBBWXlkc3ZpNS92b1FtcjNUeVJBb3VaR1lCR3RuVEF0cU5rCnFLUmFVaWppVlN3TTNzeUl1cHluMlRjSjk1N2RLUCtUYTRaL0VNUlRwSCtya1psV01LNVYrNUszTmFIL21leDUKVWRRWkl4WUxNM0xIM0t0cmt2OWZRNlhSZ2dkeXo0MEt2YUV6SW1scEVoQnBoS0g5UWJiL3RFRE0vdFFqbC9FUApmbUF5M2Y5WE1uRDNSeFY3TnFrZktpUjNXZ1JDMnFyNWtPbXlJTGp1YWxERk1Zb3lDZUlmSnd1WmVDaEpGb3ZHClFKUFY2WU9xTG5aRWN3MU9BaVBXQnMycXVmWmlsNXplekRDZUFGZDV3eXVrS1dPZ3pTZ3Q2VzZvN2FBRTBDK3YKclFJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUNGZHhFOFVsMVorcWxBbW1lTk5BdlAyZVVxSElTbQpHWXZidzdGdW82bXNJY3V3cjZKeENBWjIwako5UkphalMzWS9TS3BteXM2OXZxU21ic25oeUJzc01mL1ZtenFSClBVLzVkUUZiblNybUJqMnFBNWxtRCtENDVLUEtrTjc1V21NeDRQWkZseEw3WHVLYnZhYVZBUjFFUmRNZy90NisKUXpPV3BVWVZrcFJnQmlxTDBTTjhvTStOTjdScGFESFNkZjlTY1FtUmhNVklNNDdVZ1ZXNWhta21mQjBkUTFhQQo5NWdTQ3E0cGVwUFRzY3NsbVBzM0lOck5BTk45KytyMnM1bXRTWnp5VktRU0cwRjQ0Y1puWjdTdkdTVFJORDlUCnRKVzNTcko3elBwS0JqWi9qVDRRVnpBdGtHN3FSV2ZhYnlWTmVrK29wMTgwSVY5Um9IR1JDU0kyCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnd2dnU2tBZ0VBQW9JQkFRRHhtREd6YmtUQ2FLMlUKT1liYjVWYVdvWEViSjFPN3E2SUZWWVIvZUZZZThhLzlDTmQya0JqSjJ5K0xuKytoQ2F2ZFBKRUNpNWtaZ0VhMgpkTUMybzJTb3BGcFNLT0pWTEF6ZXpJaTZuS2ZaTnduM250MG8vNU5yaG44UXhGT2tmNnVSbVZZd3JsWDdrcmMxCm9mK1o3SGxSMUJrakZnc3pjc2ZjcTJ1Uy8xOURwZEdDQjNMUGpRcTlvVE1pYVdrU0VHbUVvZjFCdHYrMFFNeisKMUNPWDhROStZRExkLzFjeWNQZEhGWHMycVI4cUpIZGFCRUxhcXZtUTZiSWd1TzVxVU1VeGlqSUo0aDhuQzVsNApLRWtXaThaQWs5WHBnNm91ZGtSekRVNENJOVlHemFxNTltS1huTjdNTUo0QVYzbkRLNlFwWTZETktDM3BicWp0Cm9BVFFMNit0QWdNQkFBRUNnZ0VCQUs3N1I0d3BJcDRZU1JoaGJoN1loWldHQ3JEYkZCZUtZVWd4djB5LzhNaHEKenNlYlhzdGQ1TVpXL2FISVRqdzZFQU9tT1hVNWZNTHVtTWpQMlVDdktWbkg2QzgzczI1ekFFTmlxdWxXUzIvVgpJRi83N1Qwamx6ZTY2MDlPa3pKQzBoWWJsRVNnRUdDc3pBdUpjT0tnVnVLQWwxQkZTQW1VYWRPWFNNdm9NS3lDCkJlekZaVEhOcGRWQ2xwUHVLNGQrWFJJZ1hHWS84RzNmWlFXRWNjV2tTYmRjQUlLdVYvWktHQ0IyT2dXS1VzSHgKTStscEw1TTZ3aXdYOEFNdUVWVHJsMWNwKzAzTjdOaUYwMFpYdCszZzVZUkJmRitYWjZ1b3hmbENQZ3VHdzh6bgpvN2tFRVNKZ2YycHZyZWYveHBjSVFSM090aHZjSzR5RldOcndPbExHQk9FQ2dZRUErNmJBREF0bDAvRlpzV08zCnVvNlBRNXZTL0tqbS9XaUkzeUo5TUdLNzQxTFZpMlRMUGpVZ092SDdkZUVjNVJjUmoxV1Nna3d1bUdzZWE2WkQKWXRWSTRZTDdMM1NUQ3JyZUNFTDRhOUJPcFB0azcxWWw3TmhxZktEaXhzU1FnNmt4dDJ1TlYvZXNSQ1JPeENoWgp5bk9JTmkvN3lOeFpVek4zcndyVjBCMUFNYVVDZ1lFQTljVDBZNkJWRHZLdFFaV1gvR1REZ2pUUzN6QWlPWmFNCjVFM3NleHh6MXY4eDF0N3JvWDV3aHNaVjlzQ05nNlJaNjIyT3hJejhHQnVvMnU1M2h2WFJabmdDaG1PcHYwRjgKcm5STWFNR0tIeGN2TmNrVUZUMW9TdDJCeEhNT1FNZTM2cERVTnZ0S3pvNGJoakpVUU94Mm14RU9TNERscm4rMApRU3FqVFpyWGwya0NnWUJ1UmIyMkNYQ1BsUjBHbkhtd0tEUWpIaTh3UkJza1JDQm1Gc2pnNFFNUU5BWWJWUW15CnNyankyNEtqUHdmWVkybHdjOEVGazdoL1ZjRTR6dHlNZklXNVBCb3h5MVY3eURMdlQ5bG45Um5oTmNBZkdKTDUKM0VPZFpTcTZpdndBbGEyUmdIR3BjSUJ1UTdLNFJpNUNocW5UaE9kQ056eDFOd0psRTh4cHE4ZXJlUUtCZ1FEeQppV3B3UXRLT0ROa0VCdi9WT1E5am1JT2RjOS9pbXZyeGR5RHZvWFdENzVXY3FhTTVYUkRwUUNPbmZnQnBzREI0CjBFWjdHM0xReThNSVF4czcyYXpMaFpWZ1VFdzlEUUJoSFM0bWx4Q2FmQU8vL1c3UFF5bC84RGJXeW9CL1YxamQKcUExMU1PcHpDdlNJcTNSUUdjczJYaytRSFdVTW5zUWhKMVcvQ1JiSE9RS0JnRTVQZ0hrbW1PY1VXZkJBZUtzTApvb2FNNzBINVN1YUNYN1Y1enBhM3hFMW5WVWMxend5aldOdkdWbTA5WkpEOFFMR1ZDV2U0R1o5R1NvV2tqSUMvCklFKzA0M29kUERuL2JwSDlTMDF2a0s1ZDRJSGc3QUcwWXI5SW1zS0paT0djT1dmdUdKSlZ5em1CRXhaSU9pbnoKVFFuaFdhZWs0NE1hdVJYOC9pRjZyZWorCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
  kind: Secret
  metadata:
    name: kong.proxy.example.secret
  type: kubernetes.io/tls
--- a/build_system/charts/open-appsec-kong/ci/kong-ingress-2-values.yaml
+++ b/build_system/charts/open-appsec-kong/ci/kong-ingress-2-values.yaml
@@ -0,0 +1,17 @@
 # CI test for hostname including tls secret using string
 proxy:
  type: NodePort
  ingress:
    enabled: true
    hostname: "proxy.kong.example"
    tls: "kong.proxy.example.secret"
 extraObjects:
 - apiVersion: v1
  data:
    tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURoakNDQW00Q0NRQ0tyTDdSS1Y0NTBEQU5CZ2txaGtpRzl3MEJBUXNGQURDQmhERUxNQWtHQTFVRUJoTUMKV0ZneEVqQVFCZ05WQkFnTUNWTjBZWFJsVG1GdFpURVJNQThHQTFVRUJ3d0lRMmwwZVU1aGJXVXhGREFTQmdOVgpCQW9NQzBOdmJYQmhibmxPWVcxbE1Sc3dHUVlEVlFRTERCSkRiMjF3WVc1NVUyVmpkR2x2Yms1aGJXVXhHekFaCkJnTlZCQU1NRW5CeWIzaDVMbXR2Ym1jdVpYaGhiWEJzWlRBZUZ3MHlNekEyTWprd09ERTBNekJhRncwek16QTIKTWpZd09ERTBNekJhTUlHRU1Rc3dDUVlEVlFRR0V3SllXREVTTUJBR0ExVUVDQXdKVTNSaGRHVk9ZVzFsTVJFdwpEd1lEVlFRSERBaERhWFI1VG1GdFpURVVNQklHQTFVRUNnd0xRMjl0Y0dGdWVVNWhiV1V4R3pBWkJnTlZCQXNNCkVrTnZiWEJoYm5sVFpXTjBhVzl1VG1GdFpURWJNQmtHQTFVRUF3d1NjSEp2ZUhrdWEyOXVaeTVsZUdGdGNHeGwKTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUE4Wmd4czI1RXdtaXRsRG1HMitWVwpscUZ4R3lkVHU2dWlCVldFZjNoV0h2R3YvUWpYZHBBWXlkc3ZpNS92b1FtcjNUeVJBb3VaR1lCR3RuVEF0cU5rCnFLUmFVaWppVlN3TTNzeUl1cHluMlRjSjk1N2RLUCtUYTRaL0VNUlRwSCtya1psV01LNVYrNUszTmFIL21leDUKVWRRWkl4WUxNM0xIM0t0cmt2OWZRNlhSZ2dkeXo0MEt2YUV6SW1scEVoQnBoS0g5UWJiL3RFRE0vdFFqbC9FUApmbUF5M2Y5WE1uRDNSeFY3TnFrZktpUjNXZ1JDMnFyNWtPbXlJTGp1YWxERk1Zb3lDZUlmSnd1WmVDaEpGb3ZHClFKUFY2WU9xTG5aRWN3MU9BaVBXQnMycXVmWmlsNXplekRDZUFGZDV3eXVrS1dPZ3pTZ3Q2VzZvN2FBRTBDK3YKclFJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUNGZHhFOFVsMVorcWxBbW1lTk5BdlAyZVVxSElTbQpHWXZidzdGdW82bXNJY3V3cjZKeENBWjIwako5UkphalMzWS9TS3BteXM2OXZxU21ic25oeUJzc01mL1ZtenFSClBVLzVkUUZiblNybUJqMnFBNWxtRCtENDVLUEtrTjc1V21NeDRQWkZseEw3WHVLYnZhYVZBUjFFUmRNZy90NisKUXpPV3BVWVZrcFJnQmlxTDBTTjhvTStOTjdScGFESFNkZjlTY1FtUmhNVklNNDdVZ1ZXNWhta21mQjBkUTFhQQo5NWdTQ3E0cGVwUFRzY3NsbVBzM0lOck5BTk45KytyMnM1bXRTWnp5VktRU0cwRjQ0Y1puWjdTdkdTVFJORDlUCnRKVzNTcko3elBwS0JqWi9qVDRRVnpBdGtHN3FSV2ZhYnlWTmVrK29wMTgwSVY5Um9IR1JDU0kyCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnd2dnU2tBZ0VBQW9JQkFRRHhtREd6YmtUQ2FLMlUKT1liYjVWYVdvWEViSjFPN3E2SUZWWVIvZUZZZThhLzlDTmQya0JqSjJ5K0xuKytoQ2F2ZFBKRUNpNWtaZ0VhMgpkTUMybzJTb3BGcFNLT0pWTEF6ZXpJaTZuS2ZaTnduM250MG8vNU5yaG44UXhGT2tmNnVSbVZZd3JsWDdrcmMxCm9mK1o3SGxSMUJrakZnc3pjc2ZjcTJ1Uy8xOURwZEdDQjNMUGpRcTlvVE1pYVdrU0VHbUVvZjFCdHYrMFFNeisKMUNPWDhROStZRExkLzFjeWNQZEhGWHMycVI4cUpIZGFCRUxhcXZtUTZiSWd1TzVxVU1VeGlqSUo0aDhuQzVsNApLRWtXaThaQWs5WHBnNm91ZGtSekRVNENJOVlHemFxNTltS1huTjdNTUo0QVYzbkRLNlFwWTZETktDM3BicWp0Cm9BVFFMNit0QWdNQkFBRUNnZ0VCQUs3N1I0d3BJcDRZU1JoaGJoN1loWldHQ3JEYkZCZUtZVWd4djB5LzhNaHEKenNlYlhzdGQ1TVpXL2FISVRqdzZFQU9tT1hVNWZNTHVtTWpQMlVDdktWbkg2QzgzczI1ekFFTmlxdWxXUzIvVgpJRi83N1Qwamx6ZTY2MDlPa3pKQzBoWWJsRVNnRUdDc3pBdUpjT0tnVnVLQWwxQkZTQW1VYWRPWFNNdm9NS3lDCkJlekZaVEhOcGRWQ2xwUHVLNGQrWFJJZ1hHWS84RzNmWlFXRWNjV2tTYmRjQUlLdVYvWktHQ0IyT2dXS1VzSHgKTStscEw1TTZ3aXdYOEFNdUVWVHJsMWNwKzAzTjdOaUYwMFpYdCszZzVZUkJmRitYWjZ1b3hmbENQZ3VHdzh6bgpvN2tFRVNKZ2YycHZyZWYveHBjSVFSM090aHZjSzR5RldOcndPbExHQk9FQ2dZRUErNmJBREF0bDAvRlpzV08zCnVvNlBRNXZTL0tqbS9XaUkzeUo5TUdLNzQxTFZpMlRMUGpVZ092SDdkZUVjNVJjUmoxV1Nna3d1bUdzZWE2WkQKWXRWSTRZTDdMM1NUQ3JyZUNFTDRhOUJPcFB0azcxWWw3TmhxZktEaXhzU1FnNmt4dDJ1TlYvZXNSQ1JPeENoWgp5bk9JTmkvN3lOeFpVek4zcndyVjBCMUFNYVVDZ1lFQTljVDBZNkJWRHZLdFFaV1gvR1REZ2pUUzN6QWlPWmFNCjVFM3NleHh6MXY4eDF0N3JvWDV3aHNaVjlzQ05nNlJaNjIyT3hJejhHQnVvMnU1M2h2WFJabmdDaG1PcHYwRjgKcm5STWFNR0tIeGN2TmNrVUZUMW9TdDJCeEhNT1FNZTM2cERVTnZ0S3pvNGJoakpVUU94Mm14RU9TNERscm4rMApRU3FqVFpyWGwya0NnWUJ1UmIyMkNYQ1BsUjBHbkhtd0tEUWpIaTh3UkJza1JDQm1Gc2pnNFFNUU5BWWJWUW15CnNyankyNEtqUHdmWVkybHdjOEVGazdoL1ZjRTR6dHlNZklXNVBCb3h5MVY3eURMdlQ5bG45Um5oTmNBZkdKTDUKM0VPZFpTcTZpdndBbGEyUmdIR3BjSUJ1UTdLNFJpNUNocW5UaE9kQ056eDFOd0psRTh4cHE4ZXJlUUtCZ1FEeQppV3B3UXRLT0ROa0VCdi9WT1E5am1JT2RjOS9pbXZyeGR5RHZvWFdENzVXY3FhTTVYUkRwUUNPbmZnQnBzREI0CjBFWjdHM0xReThNSVF4czcyYXpMaFpWZ1VFdzlEUUJoSFM0bWx4Q2FmQU8vL1c3UFF5bC84RGJXeW9CL1YxamQKcUExMU1PcHpDdlNJcTNSUUdjczJYaytRSFdVTW5zUWhKMVcvQ1JiSE9RS0JnRTVQZ0hrbW1PY1VXZkJBZUtzTApvb2FNNzBINVN1YUNYN1Y1enBhM3hFMW5WVWMxend5aldOdkdWbTA5WkpEOFFMR1ZDV2U0R1o5R1NvV2tqSUMvCklFKzA0M29kUERuL2JwSDlTMDF2a0s1ZDRJSGc3QUcwWXI5SW1zS0paT0djT1dmdUdKSlZ5em1CRXhaSU9pbnoKVFFuaFdhZWs0NE1hdVJYOC9pRjZyZWorCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
  kind: Secret
  metadata:
    name: kong.proxy.example.secret
  type: kubernetes.io/tls
--- a/build_system/charts/open-appsec-kong/ci/kong-ingress-3-values.yaml
+++ b/build_system/charts/open-appsec-kong/ci/kong-ingress-3-values.yaml
@@ -0,0 +1,10 @@
 # CI test for using ingress hosts configuration
 proxy:
  type: NodePort
  ingress:
    enabled: true
    hosts:
    - host: proxy.kong.example
      paths:
      - path: /
        pathType: ImplementationSpecific
--- a/build_system/charts/open-appsec-kong/ci/kong-ingress-4-values.yaml
+++ b/build_system/charts/open-appsec-kong/ci/kong-ingress-4-values.yaml
@@ -0,0 +1,43 @@
 # CI test for testing combined ingress hostname and hosts configuration including tls configuraion using slice
 proxy:
  type: NodePort
  ingress:
    enabled: true
    hostname: "proxy.kong.example"
    hosts:
    - host: "proxy2.kong.example"
      paths:
        - path: /foo
          pathType: Prefix
        - path: /bar
          pathType: Prefix
    - host: "proxy3.kong.example"
      paths:
        - path: /baz
          pathType: Prefix
    tls:
    - hosts:
        - "proxy.kong.example"
      secretName: "proxy.kong.example.secret"
    - hosts:
        - "proxy2.kong.example"
        - "proxy3.kong.example"
      secretName: "proxy.kong.example.secret2"
 extraObjects:
 - apiVersion: v1
  data:
    tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURoakNDQW00Q0NRQ0tyTDdSS1Y0NTBEQU5CZ2txaGtpRzl3MEJBUXNGQURDQmhERUxNQWtHQTFVRUJoTUMKV0ZneEVqQVFCZ05WQkFnTUNWTjBZWFJsVG1GdFpURVJNQThHQTFVRUJ3d0lRMmwwZVU1aGJXVXhGREFTQmdOVgpCQW9NQzBOdmJYQmhibmxPWVcxbE1Sc3dHUVlEVlFRTERCSkRiMjF3WVc1NVUyVmpkR2x2Yms1aGJXVXhHekFaCkJnTlZCQU1NRW5CeWIzaDVMbXR2Ym1jdVpYaGhiWEJzWlRBZUZ3MHlNekEyTWprd09ERTBNekJhRncwek16QTIKTWpZd09ERTBNekJhTUlHRU1Rc3dDUVlEVlFRR0V3SllXREVTTUJBR0ExVUVDQXdKVTNSaGRHVk9ZVzFsTVJFdwpEd1lEVlFRSERBaERhWFI1VG1GdFpURVVNQklHQTFVRUNnd0xRMjl0Y0dGdWVVNWhiV1V4R3pBWkJnTlZCQXNNCkVrTnZiWEJoYm5sVFpXTjBhVzl1VG1GdFpURWJNQmtHQTFVRUF3d1NjSEp2ZUhrdWEyOXVaeTVsZUdGdGNHeGwKTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUE4Wmd4czI1RXdtaXRsRG1HMitWVwpscUZ4R3lkVHU2dWlCVldFZjNoV0h2R3YvUWpYZHBBWXlkc3ZpNS92b1FtcjNUeVJBb3VaR1lCR3RuVEF0cU5rCnFLUmFVaWppVlN3TTNzeUl1cHluMlRjSjk1N2RLUCtUYTRaL0VNUlRwSCtya1psV01LNVYrNUszTmFIL21leDUKVWRRWkl4WUxNM0xIM0t0cmt2OWZRNlhSZ2dkeXo0MEt2YUV6SW1scEVoQnBoS0g5UWJiL3RFRE0vdFFqbC9FUApmbUF5M2Y5WE1uRDNSeFY3TnFrZktpUjNXZ1JDMnFyNWtPbXlJTGp1YWxERk1Zb3lDZUlmSnd1WmVDaEpGb3ZHClFKUFY2WU9xTG5aRWN3MU9BaVBXQnMycXVmWmlsNXplekRDZUFGZDV3eXVrS1dPZ3pTZ3Q2VzZvN2FBRTBDK3YKclFJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUNGZHhFOFVsMVorcWxBbW1lTk5BdlAyZVVxSElTbQpHWXZidzdGdW82bXNJY3V3cjZKeENBWjIwako5UkphalMzWS9TS3BteXM2OXZxU21ic25oeUJzc01mL1ZtenFSClBVLzVkUUZiblNybUJqMnFBNWxtRCtENDVLUEtrTjc1V21NeDRQWkZseEw3WHVLYnZhYVZBUjFFUmRNZy90NisKUXpPV3BVWVZrcFJnQmlxTDBTTjhvTStOTjdScGFESFNkZjlTY1FtUmhNVklNNDdVZ1ZXNWhta21mQjBkUTFhQQo5NWdTQ3E0cGVwUFRzY3NsbVBzM0lOck5BTk45KytyMnM1bXRTWnp5VktRU0cwRjQ0Y1puWjdTdkdTVFJORDlUCnRKVzNTcko3elBwS0JqWi9qVDRRVnpBdGtHN3FSV2ZhYnlWTmVrK29wMTgwSVY5Um9IR1JDU0kyCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnd2dnU2tBZ0VBQW9JQkFRRHhtREd6YmtUQ2FLMlUKT1liYjVWYVdvWEViSjFPN3E2SUZWWVIvZUZZZThhLzlDTmQya0JqSjJ5K0xuKytoQ2F2ZFBKRUNpNWtaZ0VhMgpkTUMybzJTb3BGcFNLT0pWTEF6ZXpJaTZuS2ZaTnduM250MG8vNU5yaG44UXhGT2tmNnVSbVZZd3JsWDdrcmMxCm9mK1o3SGxSMUJrakZnc3pjc2ZjcTJ1Uy8xOURwZEdDQjNMUGpRcTlvVE1pYVdrU0VHbUVvZjFCdHYrMFFNeisKMUNPWDhROStZRExkLzFjeWNQZEhGWHMycVI4cUpIZGFCRUxhcXZtUTZiSWd1TzVxVU1VeGlqSUo0aDhuQzVsNApLRWtXaThaQWs5WHBnNm91ZGtSekRVNENJOVlHemFxNTltS1huTjdNTUo0QVYzbkRLNlFwWTZETktDM3BicWp0Cm9BVFFMNit0QWdNQkFBRUNnZ0VCQUs3N1I0d3BJcDRZU1JoaGJoN1loWldHQ3JEYkZCZUtZVWd4djB5LzhNaHEKenNlYlhzdGQ1TVpXL2FISVRqdzZFQU9tT1hVNWZNTHVtTWpQMlVDdktWbkg2QzgzczI1ekFFTmlxdWxXUzIvVgpJRi83N1Qwamx6ZTY2MDlPa3pKQzBoWWJsRVNnRUdDc3pBdUpjT0tnVnVLQWwxQkZTQW1VYWRPWFNNdm9NS3lDCkJlekZaVEhOcGRWQ2xwUHVLNGQrWFJJZ1hHWS84RzNmWlFXRWNjV2tTYmRjQUlLdVYvWktHQ0IyT2dXS1VzSHgKTStscEw1TTZ3aXdYOEFNdUVWVHJsMWNwKzAzTjdOaUYwMFpYdCszZzVZUkJmRitYWjZ1b3hmbENQZ3VHdzh6bgpvN2tFRVNKZ2YycHZyZWYveHBjSVFSM090aHZjSzR5RldOcndPbExHQk9FQ2dZRUErNmJBREF0bDAvRlpzV08zCnVvNlBRNXZTL0tqbS9XaUkzeUo5TUdLNzQxTFZpMlRMUGpVZ092SDdkZUVjNVJjUmoxV1Nna3d1bUdzZWE2WkQKWXRWSTRZTDdMM1NUQ3JyZUNFTDRhOUJPcFB0azcxWWw3TmhxZktEaXhzU1FnNmt4dDJ1TlYvZXNSQ1JPeENoWgp5bk9JTmkvN3lOeFpVek4zcndyVjBCMUFNYVVDZ1lFQTljVDBZNkJWRHZLdFFaV1gvR1REZ2pUUzN6QWlPWmFNCjVFM3NleHh6MXY4eDF0N3JvWDV3aHNaVjlzQ05nNlJaNjIyT3hJejhHQnVvMnU1M2h2WFJabmdDaG1PcHYwRjgKcm5STWFNR0tIeGN2TmNrVUZUMW9TdDJCeEhNT1FNZTM2cERVTnZ0S3pvNGJoakpVUU94Mm14RU9TNERscm4rMApRU3FqVFpyWGwya0NnWUJ1UmIyMkNYQ1BsUjBHbkhtd0tEUWpIaTh3UkJza1JDQm1Gc2pnNFFNUU5BWWJWUW15CnNyankyNEtqUHdmWVkybHdjOEVGazdoL1ZjRTR6dHlNZklXNVBCb3h5MVY3eURMdlQ5bG45Um5oTmNBZkdKTDUKM0VPZFpTcTZpdndBbGEyUmdIR3BjSUJ1UTdLNFJpNUNocW5UaE9kQ056eDFOd0psRTh4cHE4ZXJlUUtCZ1FEeQppV3B3UXRLT0ROa0VCdi9WT1E5am1JT2RjOS9pbXZyeGR5RHZvWFdENzVXY3FhTTVYUkRwUUNPbmZnQnBzREI0CjBFWjdHM0xReThNSVF4czcyYXpMaFpWZ1VFdzlEUUJoSFM0bWx4Q2FmQU8vL1c3UFF5bC84RGJXeW9CL1YxamQKcUExMU1PcHpDdlNJcTNSUUdjczJYaytRSFdVTW5zUWhKMVcvQ1JiSE9RS0JnRTVQZ0hrbW1PY1VXZkJBZUtzTApvb2FNNzBINVN1YUNYN1Y1enBhM3hFMW5WVWMxend5aldOdkdWbTA5WkpEOFFMR1ZDV2U0R1o5R1NvV2tqSUMvCklFKzA0M29kUERuL2JwSDlTMDF2a0s1ZDRJSGc3QUcwWXI5SW1zS0paT0djT1dmdUdKSlZ5em1CRXhaSU9pbnoKVFFuaFdhZWs0NE1hdVJYOC9pRjZyZWorCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
  kind: Secret
  metadata:
    name: kong.proxy.example.secret
  type: kubernetes.io/tls
 - apiVersion: v1
  data:
    tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURmakNDQW1ZQ0NRREVtWjF0cnJwaURqQU5CZ2txaGtpRzl3MEJBUXNGQURDQmdERUxNQWtHQTFVRUJoTUMKV0ZneEVqQVFCZ05WQkFnTUNWTjBZWFJsVG1GdFpURVJNQThHQTFVRUJ3d0lRMmwwZVU1aGJXVXhGREFTQmdOVgpCQW9NQzBOdmJYQmhibmxPWVcxbE1Sc3dHUVlEVlFRTERCSkRiMjF3WVc1NVUyVmpkR2x2Yms1aGJXVXhGekFWCkJnTlZCQU1NRGlvdWEyOXVaeTVsZUdGdGNHeGxNQjRYRFRJek1EWXlPVEE0TVRjek4xb1hEVE16TURZeU5qQTQKTVRjek4xb3dnWUF4Q3pBSkJnTlZCQVlUQWxoWU1SSXdFQVlEVlFRSURBbFRkR0YwWlU1aGJXVXhFVEFQQmdOVgpCQWNNQ0VOcGRIbE9ZVzFsTVJRd0VnWURWUVFLREF0RGIyMXdZVzU1VG1GdFpURWJNQmtHQTFVRUN3d1NRMjl0CmNHRnVlVk5sWTNScGIyNU9ZVzFsTVJjd0ZRWURWUVFEREE0cUxtdHZibWN1WlhoaGJYQnNaVENDQVNJd0RRWUoKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTDlSR1g1VytsRW8wcGg2eTJqeHN6TGZOcjMvNlpFOQpPR0pPMGl1WmpwRml2dHBya24ydDlqYTRaNUdYOGh4NUczS1FsRkhrVFBmV01BWmUzdldINTF0alZzYjZwY2UwCjlkMUo4WXNxWkh5RHVlUzBrS3RUbEFmc0F5MnVjL3ZvUUdmOTdZeUI2TlJ4TEJmNHBnSVJ4eHpGM3o0Q1ZOSTgKTzE5Ym1PYVo1Vkk1QWZpbENSMUI1ekxuN2VoeEJHOHhTQmRtQUg0eWFob2t5RXk2a0ZtRzJCaEtJWjdsL1BZYQpqbU1yQ3cwekRVampvblBublZTWTkxL0EwNUJVTVk5OEZsME00QVV5T1V3enBaajhqMXhLMTNqUVlGeXJwUHQwCklHNUdLR044akVCcnRkdGVlcGZIdFZuekFWYnhoT0hkcXZoUWhrSDJDSGVwOStIQkNIL25VL1VDQXdFQUFUQU4KQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBQkcxVVYyUFRJekhrNEt4cjBHT0NXalhjTTdKUU9hbUJQM3dZSCswRgpyc09YUG9IOHVLV25XYjhSSGE1MDhMenU4MGNzS1lYcnZ4SEhDcmcxdXJjRnl3bnNMaUtMNGhsQklTd2ZMNzFFClVXODhQdGYyWTdjTnJZRzNLc2MvMWVpait1RWd5bVdCbjkraVYzbzE5VERwRjlZZWZwYzNUUDJqMGhNUHcwMlgKa1gzSlh3b250NnBQaDhlQjhXRU1OZkF5NzZmb0lMcytVd0Fjck56QkpjSVZSTERoZWFNMFNFd0xCNUpuaWZ5ZwplRE1aSE56MkhLais0NU1wTzFOSDBtd3ZJRTRLQjNITUNSSlMybmZFbWVMcFdCMWpmZTV6T2o1bWhTeS82M0RVCldDQll1aUhtelFWaGxJS21lQzBlVmd3bGtkMTFrUDRNM1hoWnB6V09aQ1BoaGc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQy9VUmwrVnZwUktOS1kKZXN0bzhiTXkzemE5LyttUlBUaGlUdElybVk2UllyN2FhNUo5cmZZMnVHZVJsL0ljZVJ0eWtKUlI1RXozMWpBRwpYdDcxaCtkYlkxYkcrcVhIdFBYZFNmR0xLbVI4Zzdua3RKQ3JVNVFIN0FNdHJuUDc2RUJuL2UyTWdlalVjU3dYCitLWUNFY2NjeGQ4K0FsVFNQRHRmVzVqbW1lVlNPUUg0cFFrZFFlY3k1KzNvY1FSdk1VZ1haZ0IrTW1vYUpNaE0KdXBCWmh0Z1lTaUdlNWZ6MkdvNWpLd3NOTXcxSTQ2Sno1NTFVbVBkZndOT1FWREdQZkJaZERPQUZNamxNTTZXWQovSTljU3RkNDBHQmNxNlQ3ZENCdVJpaGpmSXhBYTdYYlhucVh4N1ZaOHdGVzhZVGgzYXI0VUlaQjlnaDNxZmZoCndRaC81MVAxQWdNQkFBRUNnZ0VCQUlCZ0l3TXJ5ZnY3c0pTd2tSMXlVaFNvdzByckZnZG5WUlppWFpUMERUNXgKVEMrMFR6QVdNMGkwcElxRnN1aDRPM3E4bVVuNkw4dDk1ZXZnYlN2RWJmSmN6alhtcXFjL1BsdW02blcvbEg0WQp4Znc1VFhvcE13Tzkwc1FzYzVkdFdRcHUwWitlN0dUaEsvMUowOXMvb3FRa0FwRFJiNmxDMFhSRE9tNUNoaWFNCi95Z2M2dGUzUHkrRXpzSmRMRm9YWndFQnVQWTB2KzlBclhpNmlUMllaN1ZacE9iZzQxcm1ocHNObTFLNmdJajUKZFZKNGZYa2Z5V0hsSmJBYzVTRDkrVWMrTGFjUEcxSjVJUWx6eTM0WlM0ZG9VQ2lmODZuVHFzSnFVTU1sNXYxcAp3SFFUZFI2MkdnWnRPM1grOU4vdHE3SExqU0tHY0JEd3E4bEM4QXZ0VHdFQ2dZRUErWWpVdzI1em42aWhjaXFpCmo3dDJiQVdLdzdlbng1RXFzU25ZOG1PYzR2TDdNa1YyN2ZhYXp1cW8wUEtOeWJOa1grUlhIMDN4S0NDd0x0N0UKLzRDUlFHMGNkQmhBQ2szMkpadllrQmxESUZ3VmtnMHVnNGk4Snp6VjVCT2hEeWdwZUhJTDVVTkx2eGJDbVh6MAo1bXNYRktPYW1HYkFCbE9KTEZsR1R4WWdzeWtDZ1lFQXhFWWI0dFVmRmhiTmpJTUMyd1hFRXdWZkJYOFJqNzVqCjN6SkwxV3o4YWxUQmxFemZYOTZiNmg3VjFNT1NHcmlabFJ1cGpEaUFsUkhPZytDSXlPbmdISFkwd2xTaHNmemQKSDluL2dOdUZsanFuQkF3OVpaSW9hbE1zUVVER3RLSnVIejhEYzlVNzRFMGM3WldQWk1Ub0pNdFV2Zkl5T0pZSgpQODh1YnYvam4rMENnWUJaNmpzNFhKRmZRNFZCUFNtc2Z4RXg1V0ZXR3RSakxlVGpSNy83djNjbHRBWmQyL2Y1CjBUV0JQNzhxNDJ2QjlWbEMwR1d3U3dhTnZoR2VJZmw4VTVpRFRZM0dLNExQODcyeFdaSFVnclhVY0RuNWtiUmsKQXg1QlNVT05WcUZmYzhwVnMwcWtCdmJCV1hNdm1YNHBsUWNSRWM3QUFhNUoyVW9CWi8zVXU1VjIyUUtCZ0ZnVQpKanQ2N0lKYkpVN2pGQXI1NFcydndWNlVFV3R5UXh0TVZOK29FdlljcHVwSVBRMm10azB3SFVGbnFrODNmQ1IvCnoyeFBodFJlczFCWEdNc2d1U1BNb0F4OU1qclBnT1BrVGxhakxLV29HSDhtaHY3bndoOUV4OTFZbGxORmVTbW8KZTRJbHRNTUpsK3UrYkNVS2dDclMzR3FKSDZScElDbDBiaC85MFVaWkFvR0FaUEsrdldLQ0N6aHNhSnVWak1VSQpiTEJlMi9CM0xxTVBhakFLTjVTNU9GYlpBZm5NeE9BT1lnd25iWmdpZGVkcVk2QkIyLytVVGt4MW1IUjhKcmpGCnRyN20wS2VvRFY4dmQxSENvSkF3b2hqQ1B6SkJhSW9WYWNkRFNsMDNIOVFEck4yd0RFYUxoWFBlVkRoNGZ2NmQKa3d6V3FZWUlETzRKQlp5L21Wa0t4NFU9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
  kind: Secret
  metadata:
    name: kong.proxy.example.secret2
  type: kubernetes.io/tls
--- a/build_system/charts/open-appsec-kong/ci/test1-values.yaml
+++ b/build_system/charts/open-appsec-kong/ci/test1-values.yaml
@@ -28,9 +28,6 @@ ingressController:
 podLabels:
  app: kong
  environment: test
 # - podSecurityPolicies are enabled
 podSecurityPolicy:
  enabled: true
 # - ingress resources are created with hosts
 admin:
  type: NodePort
--- a/build_system/charts/open-appsec-kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml
+++ b/build_system/charts/open-appsec-kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml
@@ -146,7 +146,7 @@ extraLabels:
  konghq.com/component: quickstart
 image:
  repository: kong/kong-gateway
-  tag: "3.2"
+  tag: "3.3"
 ingressController:
  enabled: true
  env:
@@ -162,7 +162,7 @@ ingressController:
    publish_service: kong/quickstart-kong-proxy
  image:
    repository: docker.io/kong/kubernetes-ingress-controller
-    tag: "2.8"
+    tag: "2.10"
  ingressClass: default
  installCRDs: false
 manager:
@@ -278,8 +278,4 @@ status:
  tls:
    containerPort: 8543
    enabled: false
-updateStrategy:
+
  rollingUpdate:
    maxSurge: 100%
    maxUnavailable: 100%
  type: RollingUpdate
--- a/build_system/charts/open-appsec-kong/example-values/full-k4k8s-with-kong-enterprise.yaml
+++ b/build_system/charts/open-appsec-kong/example-values/full-k4k8s-with-kong-enterprise.yaml
@@ -12,7 +12,7 @@
 image:
  repository: kong/kong-gateway
-  tag: "3.2"
+  tag: "3.3"
 env:
  prefix: /kong_prefix/
--- a/build_system/charts/open-appsec-kong/example-values/minimal-k4k8s-with-kong-enterprise.yaml
+++ b/build_system/charts/open-appsec-kong/example-values/minimal-k4k8s-with-kong-enterprise.yaml
@@ -9,7 +9,7 @@
 image:
  repository: kong/kong-gateway
-  tag: "3.2"
+  tag: "3.3"
 admin:
  enabled: true
--- a/build_system/charts/open-appsec-kong/example-values/minimal-kong-controller.yaml
+++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-controller.yaml
@@ -2,7 +2,7 @@
 image:
  repository: kong
-  tag: "3.2"
+  tag: "3.3"
 env:
  prefix: /kong_prefix/
--- a/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-dbless.yaml
+++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-dbless.yaml
@@ -4,7 +4,7 @@
 image:
  repository: kong/kong-gateway
-  tag: "3.2"
+  tag: "3.3"
 enterprise:
  enabled: true
--- a/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-control.yaml
+++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-control.yaml
@@ -14,7 +14,7 @@
 image:
  repository: kong/kong-gateway
-  tag: "3.2"
+  tag: "3.3"
 env:
  database: postgres
--- a/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-data.yaml
+++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-data.yaml
@@ -12,7 +12,7 @@
 image:
  repository: kong/kong-gateway
-  tag: "3.2"
+  tag: "3.3"
 env:
  role: data_plane
@@ -43,4 +43,3 @@ portal:
 portalapi:
  enabled: false
--- a/build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-control.yaml
+++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-control.yaml
@@ -6,7 +6,7 @@
 image:
  repository: kong
-  tag: "3.2"
+  tag: "3.3"
 env:
  prefix: /kong_prefix/
--- a/build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-data.yaml
+++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-data.yaml
@@ -11,7 +11,7 @@
 image:
  repository: kong
-  tag: "3.2"
+  tag: "3.3"
 env:
  prefix: /kong_prefix/
--- a/build_system/charts/open-appsec-kong/example-values/minimal-kong-standalone.yaml
+++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-standalone.yaml
@@ -6,7 +6,7 @@
 image:
  repository: kong
-  tag: "3.2"
+  tag: "3.3"
 env:
  prefix: /kong_prefix/
--- a/build_system/charts/open-appsec-kong/templates/_helpers.tpl
+++ b/build_system/charts/open-appsec-kong/templates/_helpers.tpl
@@ -32,7 +32,7 @@ app.kubernetes.io/instance: "{{ .Release.Name }}"
 app.kubernetes.io/managed-by: "{{ .Release.Service }}"
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- range $key, $value := .Values.extraLabels }}
-{{ $key }}: {{ $value | quote }}
+{{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
 {{- end }}
 {{- end -}}
@@ -78,13 +78,16 @@ Create Ingress resource for a Kong service
 {{- $path := .ingress.path -}}
 {{- $hostname := .ingress.hostname -}}
 {{- $pathType := .ingress.pathType -}}
-apiVersion: {{ .ingressVersion }}
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: {{ .fullName }}-{{ .serviceName }}
  namespace: {{ .namespace }}
  labels:
  {{- .metaLabels | nindent 4 }}
  {{- range $key, $value := .ingress.labels }}
    {{- $key | nindent 4 }}: {{ $value | quote }}
  {{- end }}
  {{- if .ingress.annotations }}
  annotations:
    {{- range $key, $value := .ingress.annotations }}
@@ -92,33 +95,74 @@ metadata:
    {{- end }}
  {{- end }}
 spec:
-{{- if (and (not (eq .ingressVersion "extensions/v1beta1")) .ingress.ingressClassName) }}
+{{- if .ingress.ingressClassName }}
  ingressClassName: {{ .ingress.ingressClassName }}
 {{- end }}
  rules:
-  - host: {{ $hostname | quote }}
+  {{- if ( not (or $hostname .ingress.hosts)) }}
-    http:
+  - http:
      paths:
        - backend:
          {{- if (not (eq .ingressVersion "networking.k8s.io/v1")) }}
            serviceName: {{ .fullName }}-{{ .serviceName }}
            servicePort: {{ $servicePort }}
          {{- else }}
            service:
              name: {{ .fullName }}-{{ .serviceName }}
              port:
                number: {{ $servicePort }}
            {{- end }}
          path: {{ $path }}
          {{- if (not (eq .ingressVersion "extensions/v1beta1")) }}
          pathType: {{ $pathType }}
  {{- else if $hostname }}
  - host: {{ $hostname | quote }}
    http:
      paths:
        - backend:
            service:
              name: {{ .fullName }}-{{ .serviceName }}
              port:
                number: {{ $servicePort }}
          path: {{ $path }}
          pathType: {{ $pathType }}
  {{- end }}
  {{- range .ingress.hosts }}
  - host: {{ .host | quote }}
    http:
      paths:
        {{- range .paths }}
        - backend:
          {{- if .backend -}}
            {{ .backend | toYaml | nindent 12 }}
          {{- else }}
            service:
              name: {{ $.fullName }}-{{ $.serviceName }}
              port:
                number: {{ $servicePort }}
          {{- end }}
          {{- if (and $hostname (and (eq $path .path))) }}
          {{- fail "duplication of specified ingress path" }}
          {{- end }}
          path: {{ .path }}
          pathType: {{ .pathType }}
        {{- end }}
  {{- end }}
  {{- if (hasKey .ingress "tls") }}
  tls:
-  - hosts:
+  {{- if (kindIs "string" .ingress.tls) }}
-    - {{ $hostname | quote }}
+    - hosts:
-    secretName: {{ .ingress.tls }}
+      {{- range .ingress.hosts }}
-  {{- end -}}
+        - {{ .host | quote }}
      {{- end }}
      {{- if $hostname }}
        - {{ $hostname | quote }}
      {{- end }}
      secretName: {{ .ingress.tls }}
  {{- else if (kindIs "slice" .ingress.tls) }}
    {{- range .ingress.tls }}
    - hosts:
        {{- range .hosts }}
        - {{ . | quote }}
        {{- end }}
      secretName: {{ .secretName }}
    {{- end }}
  {{- end }}
  {{- end }}
 {{- end -}}
 {{/*
@@ -326,7 +370,18 @@ Return the admin API service name for service discovery
 {{- $gatewayDiscovery := .Values.ingressController.gatewayDiscovery -}}
 {{- if $gatewayDiscovery.enabled -}}
  {{- $adminApiService := $gatewayDiscovery.adminApiService -}}
-  {{- $_ := required ".ingressController.gatewayDiscovery.adminApiService has to be provided when .Values.ingressController.gatewayDiscovery.enabled is set to true"  $adminApiService -}}
+  {{- $adminApiServiceName := $gatewayDiscovery.adminApiService.name -}}
  {{- $generateAdminApiService := $gatewayDiscovery.generateAdminApiService -}}
  {{- if and $generateAdminApiService $adminApiService.name -}}
    {{- fail (printf ".Values.ingressController.gatewayDiscovery.adminApiService and .Values.ingressController.gatewayDiscovery.generateAdminApiService must not be provided at the same time")  -}}
  {{- end -}}
  {{- if $generateAdminApiService -}}
    {{- $adminApiServiceName = (printf "%s-%s" .Release.Name "gateway-admin") -}}
  {{- else }}
    {{- $_ := required ".ingressController.gatewayDiscovery.adminApiService.name has to be provided when .Values.ingressController.gatewayDiscovery.enabled is set to true"  $adminApiServiceName -}}
  {{- end }}
  {{- if (semverCompare "< 2.9.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
  {{- fail (printf "Gateway discovery is available in controller versions 2.9 and up. Detected %s" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
@@ -337,9 +392,7 @@ Return the admin API service name for service discovery
  {{- end }}
  {{- $namespace := $adminApiService.namespace | default ( include "kong.namespace" . ) -}}
-  {{- $name := $adminApiService.name -}}
+  {{- printf "%s/%s" $namespace $adminApiServiceName -}}
  {{- $_ := required ".ingressController.gatewayDiscovery.adminApiService.name has to be provided when .Values.ingressController.gatewayDiscovery.enabled is set to true"  $name -}}
  {{- printf "%s/%s" $namespace $name -}}
 {{- else -}}
  {{- fail "Can't use gateway discovery when .Values.ingressController.gatewayDiscovery.enabled is set to false." -}}
 {{- end -}}
@@ -1526,22 +1579,44 @@ Kubernetes Cluster-scoped resources it uses to build Kong configuration.
  - watch
 {{- end -}}
 {{- define "kong.ingressVersion" -}}
 {{- if (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") -}}
 networking.k8s.io/v1
 {{- else if (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress") -}}
 networking.k8s.io/v1beta1
 {{- else -}}
 extensions/v1beta1
 {{- end -}}
 {{- end -}}
 {{- define "kong.autoscalingVersion" -}}
-{{- if (.Capabilities.APIVersions.Has "autoscaling/v2/HorizontalPodAutoscaler") -}}
+{{- if (.Capabilities.APIVersions.Has "autoscaling/v2") -}}
 autoscaling/v2
-{{- else if (.Capabilities.APIVersions.Has "autoscaling/v2beta2/HorizontalPodAutoscaler") -}}
+{{- else if (.Capabilities.APIVersions.Has "autoscaling/v2beta2") -}}
 autoscaling/v2beta2
 {{- else -}}
 autoscaling/v1
 {{- end -}}
 {{- end -}}
 {{- define "kong.policyVersion" -}}
 {{- if (.Capabilities.APIVersions.Has "policy/v1beta1" ) -}}
 policy/v1beta1
 {{- else -}}
 {{- fail (printf "Cluster doesn't have policy/v1beta1 API." ) }}
 {{- end -}}
 {{- end -}}
 {{- define "kong.renderTpl" -}}
    {{- if typeIs "string" .value }}
 {{- tpl .value .context }}
    {{- else }}
 {{- tpl (.value | toYaml) .context }}
    {{- end }}
 {{- end -}}
 {{- define "kong.ingressVersion" -}}
 {{- if (.Capabilities.APIVersions.Has "networking.k8s.io/v1") -}}
 networking.k8s.io/v1
 {{- else if (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1") -}}
 networking.k8s.io/v1beta1
 {{- else -}}
 extensions/v1beta1
 {{- end -}}
 {{- end -}}
 {{/*
 appsec labels
 */}}
 {{- define "appsec.labels" -}}
 {{- end -}}
--- a/build_system/charts/open-appsec-kong/templates/appsec-learning-pvc.yaml
+++ b/build_system/charts/open-appsec-kong/templates/appsec-learning-pvc.yaml
@@ -1,3 +1,4 @@
 {{- if not (eq .Values.kind "Vanilla") -}}
 {{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.persistence.enabled true) -}}
 kind: PersistentVolumeClaim
 apiVersion: v1
@@ -18,3 +19,4 @@ spec:
  storageClassName: {{ required "A storage class for learning data is required" .Values.appsec.persistence.learning.storageClass.name }}
 {{- end -}}
 {{- end }}
 {{- end }}
--- a/build_system/charts/open-appsec-kong/templates/appsec-pvc.yaml
+++ b/build_system/charts/open-appsec-kong/templates/appsec-pvc.yaml
@@ -1,4 +1,4 @@
-{{- if (eq .Values.kind "AppSecStateful") -}}
+{{- if (and (eq .Values.kind "AppSec") .Values.appsec.persistence.enabled) }}
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
--- a/build_system/charts/open-appsec-kong/templates/appsec-settings-configmap.yaml
+++ b/build_system/charts/open-appsec-kong/templates/appsec-settings-configmap.yaml
@@ -0,0 +1,32 @@
 {{- if not (eq .Values.kind "Vanilla") -}}
 {{- if .Values.appsec.configMapContent }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ .Values.appsec.configMapName | default "appsec-settings-configmap" | quote }}
 data:
  {{- if .Values.appsec.configMapContent.crowdsec }}
  CROWDSEC_ENABLED: {{ .Values.appsec.configMapContent.crowdsec.enabled | default "false"  | quote }}
  {{- if .Values.appsec.configMapContent.crowdsec.api }}
  CROWDSEC_API_URL: {{ .Values.appsec.configMapContent.crowdsec.api.url | default "http://crowdsec-service:8080/v1/decisions/stream" }}
  {{- else }}
  CROWDSEC_API_URL: "http://crowdsec-service:8080/v1/decisions/stream"
  {{- end }}
  {{- if .Values.appsec.configMapContent.crowdsec.auth }}
  CROWDSEC_AUTH_METHOD: {{ .Values.appsec.configMapContent.crowdsec.auth.method | default "apikey" }}
  {{- else }}
  CROWDSEC_AUTH_METHOD: "apikey"
  {{- end }}
  {{- if .Values.appsec.configMapContent.crowdsec.mode }}
  CROWDSEC_MODE: {{ .Values.appsec.configMapContent.crowdsec.mode | default "prevent" }}
  {{- else }}
  CROWDSEC_MODE: "prevent"
  {{- end }}
  {{- if .Values.appsec.configMapContent.crowdsec.logging }}
  CROWDSEC_LOGGING: {{ .Values.appsec.configMapContent.crowdsec.logging | default "enabled" }}
  {{- else }}
  CROWDSEC_LOGGING: "enabled"
  {{- end }}
  {{- end }}
 {{- end }}
 {{- end }}
--- a/build_system/charts/open-appsec-kong/templates/appsec-settings-secret.yaml
+++ b/build_system/charts/open-appsec-kong/templates/appsec-settings-secret.yaml
@@ -0,0 +1,12 @@
 {{- if not (eq .Values.kind "Vanilla") -}}
 {{ if .Values.appsec.secretContent }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ .Values.appsec.secretName | default "appsec-settings-secret" | quote }}
 data:
  {{- if and .Values.appsec.secretContent.crowdsec .Values.appsec.secretContent.crowdsec.auth }}
  CROWDSEC_AUTH_DATA: {{ .Values.appsec.secretContent.crowdsec.auth.data | b64enc }}
  {{- end }}
 {{ end }}
 {{ end }}
--- a/build_system/charts/open-appsec-kong/templates/appsec.yaml
+++ b/build_system/charts/open-appsec-kong/templates/appsec.yaml
@@ -8,7 +8,7 @@ kind: Deployment
 {{- end }}
 {{- else if eq .Values.kind "AppSecStateful" }}
 kind: StatefulSet
-{{- end }} 
+{{- end }}
 metadata:
  name: {{ template "kong.fullname" . }}
  namespace:  {{ template "kong.namespace" . }}
@@ -18,13 +18,13 @@ metadata:
  {{- if .Values.deploymentAnnotations }}
  annotations:
  {{- range $key, $value := .Values.deploymentAnnotations }}
-    {{ $key }}: {{ $value | quote }}
+    {{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
  {{- end }}
  {{- end }}
 spec:
  {{- if not .Values.autoscaling.enabled }}
  {{- if eq .Values.kind "AppSecStateful" }}
-  serviceName: "cp-appsec-stateful-set"
+  serviceName: "open-appsec-stateful-set"
  {{- end }}
  {{- if or (not .Values.deployment.daemonset) (and (eq .Values.kind "AppSecStateful") ( .Values.deployment.daemonset )) }}
  replicas: {{ .Values.replicaCount }}
@@ -58,7 +58,7 @@ spec:
        {{- end }}
        {{- if .Values.podAnnotations }}
        {{- range $key, $value := .Values.podAnnotations }}
-        {{ $key }}: {{ $value | quote }}
+        {{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
        {{- end }}
        {{- end }}
      labels:
@@ -67,7 +67,7 @@ spec:
        app: {{ template "kong.fullname" . }}
        version: {{ .Chart.AppVersion | quote }}
        {{- if .Values.podLabels }}
-        {{ toYaml .Values.podLabels | nindent 8 }}
+        {{ include "kong.renderTpl" (dict "value" .Values.podLabels "context" $) | nindent 8 }}
        {{- end }}
    spec:
      {{- if .Values.deployment.hostNetwork }}
@@ -90,6 +90,7 @@ spec:
        - name: {{ . }}
      {{- end }}
      {{- end }}
      {{- if .Values.deployment.kong.enabled }}
      initContainers:
      - name: clear-stale-pid
        image: {{ include "kong.getRepoTag" .Values.image }}
@@ -112,6 +113,7 @@ spec:
        {{- if (and (not (eq .Values.env.database "off")) .Values.waitImage.enabled) }}
        {{- include "kong.wait-for-db" . | nindent 6 }}
        {{- end }}
      {{- end }}
      {{- if .Values.deployment.hostAliases }}
      hostAliases:
        {{- toYaml .Values.deployment.hostAliases | nindent 6 }}
@@ -137,6 +139,10 @@ spec:
            successThreshold: 1
        securityContext:
          {{ toYaml .Values.appsec.securityContext | nindent 12 }}
        {{- $tag := .Values.appsec.image.tag }}
        {{- if .Values.appsec.configMapContent.crowdsec.enabled }}
        {{- $tag = "crowdsec-1.2314-rc1" }}
        {{- end }}
        {{- with .Values.appsec.image }}
        image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}"
        {{- end }}
@@ -162,6 +168,15 @@ spec:
      {{- end }}
        imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
        env:
          - name: registered_server
            value: "Kong Server"
      {{- if .Values.appsec.userEmail }}
        {{- if eq .Values.appsec.userEmail "PROVIDE-EMAIL-HERE" }}
          {{- fail "Please replace PROVIDE-EMAIL-HERE with an email address" }}
        {{- end }}
          - name: user_email
            value: {{ .Values.appsec.userEmail }}
      {{- end }}
      {{- if eq .Values.appsec.playground false }}
          - name: SHARED_STORAGE_HOST
            value: {{ .Values.appsec.storage.name }}-svc
@@ -171,17 +186,22 @@ spec:
          - name: PLAYGROUND
            value: "true"
      {{- end }}
        envFrom:
        - configMapRef:
            name: {{ .Values.appsec.configMapName | default "appsec-settings-configmap" }}
        - secretRef:
            name: {{ .Values.appsec.secretName | default "appsec-settings-secret" }}
        resources:
          {{ toYaml .Values.resources | nindent 12 }}
        {{- if eq .Values.kind "AppSecStateful" }}
        volumeMounts:
        - name: advanced-model
          mountPath: /advanced-model
        {{- if (eq .Values.appsec.persistence.enabled true) }}
        - name: appsec-conf
          mountPath: /etc/cp/conf
        - name: appsec-data
          mountPath: /etc/cp/data
-        {{- end }} 
+        {{- end }}
      {{- if .Values.ingressController.enabled }}
      {{- include "kong.controller-container" . | nindent 6 }}
      {{ end }}
@@ -190,6 +210,10 @@ spec:
      {{- end }}
      {{- if .Values.deployment.kong.enabled }}
      - name: "proxy"
          {{- $tag := .Values.appsec.kong.image.tag }}
          {{- if .Values.appsec.configMapContent.crowdsec.enabled }}
          {{- $tag = "1.2303.1-rc1-v1.3.0" }}
          {{- end }}
        {{- with .Values.appsec.kong.image }}
        image: "{{ .repository }}:{{ .tag }}"
        {{- end }}
@@ -338,6 +362,10 @@ spec:
 {{ toYaml .Values.readinessProbe | indent 10 }}
        livenessProbe:
 {{ toYaml .Values.livenessProbe | indent 10 }}
        {{- if .Values.startupProbe }}
        startupProbe:
 {{ toYaml .Values.startupProbe | indent 10 }}
        {{- end }}
        resources:
 {{ toYaml .Values.resources | indent 10 }}
        {{- end }} {{/* End of Kong container spec */}}
@@ -365,6 +393,14 @@ spec:
          configMap:
            name: advanced-model-config
            optional: true
      {{- if (and (eq .Values.kind "AppSec") .Values.appsec.persistence.enabled) }}
        - name: appsec-conf
          persistentVolumeClaim:
            claimName: {{ .Values.appsec.name }}-conf
        - name: appsec-data
          persistentVolumeClaim:
            claimName: {{ .Values.appsec.name }}-data
      {{- end }}
      {{- include "kong.volumes" . | nindent 8 -}}
      {{- include "kong.userDefinedVolumes" . | nindent 8 -}}
      {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
@@ -400,9 +436,9 @@ spec:
              path: ca.crt
            - key: namespace
              path: namespace
-          {{- end -}}
+          {{- end }}
      {{- end }}
-  {{- if eq .Values.kind "AppSecStateful" }}
+  {{- if (and (eq .Values.kind "AppSecStateful") .Values.appsec.persistence.enabled) }}
  volumeClaimTemplates:
  - metadata:
      name: appsec-conf
--- a/build_system/charts/open-appsec-kong/templates/deployment.yaml
+++ b/build_system/charts/open-appsec-kong/templates/deployment.yaml
@@ -14,7 +14,7 @@ metadata:
  {{- if .Values.deploymentAnnotations }}
  annotations:
  {{- range $key, $value := .Values.deploymentAnnotations }}
-    {{ $key }}: {{ $value | quote }}
+    {{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
  {{- end }}
  {{- end }}
 spec:
@@ -51,7 +51,7 @@ spec:
        {{- end }}
        {{- if .Values.podAnnotations }}
        {{- range $key, $value := .Values.podAnnotations }}
-        {{ $key }}: {{ $value | quote }}
+        {{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
        {{- end }}
        {{- end }}
      labels:
@@ -60,7 +60,7 @@ spec:
        app: {{ template "kong.fullname" . }}
        version: {{ .Chart.AppVersion | quote }}
        {{- if .Values.podLabels }}
-        {{ toYaml .Values.podLabels | nindent 8 }}
+        {{ include "kong.renderTpl" (dict "value" .Values.podLabels "context" $) | nindent 8 }}
        {{- end }}
    spec:
      {{- if .Values.deployment.hostNetwork }}
--- a/build_system/charts/open-appsec-kong/templates/ingress-class.yaml
+++ b/build_system/charts/open-appsec-kong/templates/ingress-class.yaml
@@ -1,6 +1,6 @@
 {{/* Default to not managing if unsupported or created outside this chart */}}
 {{- $includeIngressClass := false -}}
-{{- if (and .Values.ingressController.enabled (not (eq (include "kong.ingressVersion" .) "extensions/v1beta1"))) -}}
+{{- if .Values.ingressController.enabled -}}
  {{- if (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") -}}
    {{- with (lookup "networking.k8s.io/v1" "IngressClass" "" .Values.ingressController.ingressClass) -}}
      {{- if (hasKey .metadata "annotations") -}}
--- a/build_system/charts/open-appsec-kong/templates/learning-deployment.yaml
+++ b/build_system/charts/open-appsec-kong/templates/learning-deployment.yaml
@@ -1,3 +1,4 @@
 {{- if not (eq .Values.kind "Vanilla") -}}
 {{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.playground false) }}
 apiVersion: apps/v1
 kind: Deployment
@@ -139,3 +140,4 @@ spec:
            claimName: {{ .Values.appsec.name }}-storage
      {{- end }}
 {{- end }}
 {{- end }}
--- a/build_system/charts/open-appsec-kong/templates/learning-services.yaml
+++ b/build_system/charts/open-appsec-kong/templates/learning-services.yaml
@@ -1,3 +1,4 @@
 {{- if not (eq .Values.kind "Vanilla") -}}
 {{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.playground false) }}
 apiVersion: v1
 kind: Service
@@ -31,3 +32,4 @@ spec:
  selector:
    app: {{ .Values.appsec.storage.name }}-lbl
 {{- end }}
 {{- end }}
--- a/build_system/charts/open-appsec-kong/templates/psp.yaml
+++ b/build_system/charts/open-appsec-kong/templates/psp.yaml
@@ -1,5 +1,5 @@
-{{- if and (.Values.podSecurityPolicy.enabled) (.Capabilities.APIVersions.Has "policy/v1beta1") }}
+{{- if and (.Values.podSecurityPolicy.enabled) }}
-apiVersion: policy/v1beta1
+apiVersion: {{ include "kong.policyVersion" . }}
 kind: PodSecurityPolicy
 metadata:
  name: {{ template "kong.serviceAccountName" . }}-psp
--- a/build_system/charts/open-appsec-kong/templates/service-kong-proxy.yaml
+++ b/build_system/charts/open-appsec-kong/templates/service-kong-proxy.yaml
@@ -2,7 +2,6 @@
 {{- if and .Values.proxy.enabled (or .Values.proxy.http.enabled .Values.proxy.tls.enabled) -}}
 {{- $serviceConfig := dict -}}
 {{- $serviceConfig := merge $serviceConfig .Values.proxy -}}
 {{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}}
 {{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}}
 {{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}}
 {{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}}
--- a/build_system/charts/open-appsec-kong/values.yaml
+++ b/build_system/charts/open-appsec-kong/values.yaml
@@ -121,10 +121,10 @@ extraLabels: {}
 # Specify Kong's Docker image and repository details here
 image:
  repository: kong
-  tag: "3.2"
+  tag: "3.3"
  # Kong Enterprise
  # repository: kong/kong-gateway
-  # tag: "3.2"
+  # tag: "3.3"
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
@@ -334,16 +334,46 @@ proxy:
    # Enable/disable exposure using ingress.
    enabled: false
    ingressClassName:
-    # Ingress hostname
+    # To specify annotations or labels for the ingress, add them to the respective
-    # TLS secret name.
+    # "annotations" or "labels" dictionaries below.
    # tls: kong-proxy.example.com-tls
    hostname:
    # Map of ingress annotations.
    annotations: {}
-    # Ingress path.
+    labels: {}
    # Ingress hostname
    hostname:
    # Ingress path (when used with hostname above).
    path: /
-    # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
+    # Each path in an Ingress is required to have a corresponding path type (when used with hostname above). (ImplementationSpecific/Exact/Prefix)
    pathType: ImplementationSpecific
    # Ingress hosts. Use this instead of or in combination with hostname to specify multiple ingress host configurations
    hosts: []
    # - host: kong-proxy.example.com
    #   paths:
    #   # Ingress path.
    #   - path: /*
    #   # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
    #     pathType: ImplementationSpecific
    # - host: kong-proxy-other.example.com
    #   paths:
    #   # Ingress path.
    #   - path: /other
    #   # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
    #     pathType: ImplementationSpecific
    #     backend:
    #       service:
    #         name: kong-other-proxy
    #         port:
    #           number: 80
    #
    # TLS secret(s)
    # tls: kong-proxy.example.com-tls
    # Or if multiple hosts/secrets needs to be configured:
    # tls:
    # - secretName: kong-proxy.example.com-tls
    #   hosts:
    #   - kong-proxy.example.com
    # - secretName: kong-proxy-other.example.com-tls
    #   hosts:
    #   - kong-proxy-other.example.com
  # Optionally specify a static load balancer IP.
  # loadBalancerIP:
@@ -484,7 +514,7 @@ ingressController:
  enabled: true
  image:
    repository: kong/kubernetes-ingress-controller
-    tag: "2.9"
+    tag: "2.10"
    # Optionally set a semantic version for version-gated features. This can normally
    # be left unset. You only need to set this if your tag is not a semver string,
    # such as when you are using a "next" tag. Set this to the effective semantic
@@ -495,6 +525,7 @@ ingressController:
  gatewayDiscovery:
    enabled: false
    generateAdminApiService: false
    adminApiService:
      namespace: ""
      name: ""
@@ -661,7 +692,7 @@ postgresql:
  image:
    # use postgres < 14 until is https://github.com/Kong/kong/issues/8533 resolved and released
    # enterprise (kong-gateway) supports postgres 14
-    tag: 13.6.0-debian-10-r52
+    tag: 13.11.0-debian-11-r20
  service:
    ports:
      postgresql: "5432"
@@ -1200,7 +1231,7 @@ appsec:
    repository: ghcr.io/openappsec
    image: agent
    tag: latest
-    pullPolicy: IfNotPresent
+    pullPolicy: Always
    securityContext:
      {}
@@ -1214,6 +1245,22 @@ appsec:
    image:
      repository: "ghcr.io/openappsec/kong-gateway-attachment"
      tag: "latest"
  configMapName: appsec-settings-configmap
  configMapContent:
    crowdsec:
      enabled: false
      mode: prevent
      logging: enabled
      api:
        url: http://crowdsec-service:8080/v1/decisions/stream
      auth:
        method: apikey
  secretName: appsec-settings-secret
  # If you would like to use your own secret with CrowdSec authentication data, please remove the following block
  secretContent:
    crowdsec:
      auth:
        data: "00000000000000000000000000000000"
  resources:
    #  limits:
    #    cpu: 100m
--- a/components/CMakeLists.txt
+++ b/components/CMakeLists.txt
@@ -5,7 +5,6 @@ add_subdirectory(signal_handler)
 add_subdirectory(gradual_deployment)
 add_subdirectory(packet)
 add_subdirectory(pending_key)
 add_subdirectory(messaging_downloader)
 add_subdirectory(health_check_manager)
 add_subdirectory(utils)
--- a/components/attachment-intakers/nginx_attachment/nginx_attachment.cc
+++ b/components/attachment-intakers/nginx_attachment/nginx_attachment.cc
@@ -1762,8 +1762,8 @@ private:
            &did_fail_on_purpose
        )) {
            return genError(
-                "Failed to read the attachment's User ID or Group ID" +
+                string("Failed to read the attachment's User ID or Group ID") +
-                did_fail_on_purpose ? "[Intentional Failure]" : ""
+                (did_fail_on_purpose ? "[Intentional Failure]" : "")
            );
        }
--- a/components/attachment-intakers/nginx_attachment/nginx_attachment_opaque.cc
+++ b/components/attachment-intakers/nginx_attachment/nginx_attachment_opaque.cc
@@ -52,14 +52,14 @@ NginxAttachmentOpaque::NginxAttachmentOpaque(HttpTransactionData _transaction_da
    ctx.registerValue("eventReferenceId", uuid, EnvKeyAttr::LogSection::DATA);
    ctx.registerValue<string>(HttpTransactionData::http_proto_ctx, transaction_data.getHttpProtocol());
    ctx.registerValue<string>(HttpTransactionData::method_ctx, transaction_data.getHttpMethod());
-    ctx.registerValue<string>(HttpTransactionData::host_name_ctx, transaction_data.getDestinationHost());
+    ctx.registerValue<string>(HttpTransactionData::host_name_ctx, transaction_data.getParsedHost());
    ctx.registerValue<uint16_t>(HttpTransactionData::listening_port_ctx, transaction_data.getListeningPort());
    ctx.registerValue<IPAddr>(HttpTransactionData::listening_ip_ctx, transaction_data.getListeningIP());
    ctx.registerValue<IPAddr>(HttpTransactionData::client_ip_ctx, transaction_data.getSourceIP());
    ctx.registerValue<uint16_t>(HttpTransactionData::client_port_ctx, transaction_data.getSourcePort());
    ctx.registerFunc<string>(HttpTransactionData::source_identifier, [this](){ return source_identifier; });
-    ctx.registerValue<string>(HttpTransactionData::uri_ctx, transaction_data.getURI());
+    ctx.registerValue<string>(HttpTransactionData::uri_ctx, transaction_data.getParsedURI());
    auto decoder = makeVirtualContainer<HexDecoder<'%'>>(transaction_data.getURI());
    string decoded_url(decoder.begin(), decoder.end());
    auto question_mark_location = decoded_url.find('?');
--- a/components/generic_rulebase/zone.cc
+++ b/components/generic_rulebase/zone.cc
@@ -156,7 +156,7 @@ Zone::contains(const Asset &asset)
 {
    QueryRequest request;
-    for (const pair<Context::MetaDataType, string> &main_attr : asset.getAttrs()) {
+    for (const auto &main_attr : asset.getAttrs()) {
        request.addCondition(Condition::EQUALS, contextKeyToString(main_attr.first), main_attr.second);
    }
--- a/components/health_check_manager/health_check_manager.cc
+++ b/components/health_check_manager/health_check_manager.cc
@@ -83,13 +83,13 @@ public:
            :
        status(raw_status)
    {
-        for (const pair<string, HealthCheckStatusReply> &single_stat : descriptions) {
+        for (const auto &single_stat : descriptions) {
            if (single_stat.second.getStatus() == HealthCheckStatus::HEALTHY) {
                dbgTrace(D_HEALTH_CHECK_MANAGER) << "Ignoring healthy status reply. Comp name: " << single_stat.first;
                continue;
            }
-            for (const pair<string, string> &status : single_stat.second.getExtendedStatus()) {
+            for (const auto &status : single_stat.second.getExtendedStatus()) {
                errors.push_back(HealthCheckError(single_stat.first + " " + status.first, status.second));
            }
        }
@@ -190,7 +190,7 @@ private:
    {
        general_health_aggregated_status = HealthCheckStatus::HEALTHY;
-        for (const pair<string, HealthCheckStatusReply> &reply : all_comps_health_status) {
+        for (const auto &reply : all_comps_health_status) {
            HealthCheckStatus status = reply.second.getStatus();
            dbgTrace(D_HEALTH_CHECK_MANAGER)
--- a/components/http_manager/http_manager_opaque.cc
+++ b/components/http_manager/http_manager_opaque.cc
@@ -48,7 +48,7 @@ HttpManagerOpaque::getCurrVerdict() const
    uint accepted_apps = 0;
    ngx_http_cp_verdict_e verdict = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_INSPECT;
-    for (const pair<string, ngx_http_cp_verdict_e> &app_verdic_pair : applications_verdicts) {
+    for (const auto &app_verdic_pair : applications_verdicts) {
        switch (app_verdic_pair.second) {
            case ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP:
                return app_verdic_pair.second;
--- a/components/include/generic_rulebase/triggers_config.h
+++ b/components/include/generic_rulebase/triggers_config.h
@@ -11,52 +11,108 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 /// \file triggers_config.h
 /// \brief Declaration of classes WebTriggerConf and LogTriggerConf, and related functions.
 /// \author Check Point Software Technologies Ltd.
 /// \date 2022
 #ifndef __TRIGGERS_CONFIG_H__
 #define __TRIGGERS_CONFIG_H__
 #include <vector>
 #include <string>
 #include <vector>
-#include "environment/evaluator_templates.h"
+#include "cereal/archives/json.hpp"
 #include "cereal/types/string.hpp"
 #include "cereal/types/vector.hpp"
-#include "cereal/archives/json.hpp"
+#include "config.h"
 #include "environment/evaluator_templates.h"
 #include "generic_rulebase_utils.h"
 #include "i_environment.h"
 #include "i_logging.h"
 #include "singleton.h"
 #include "maybe_res.h"
 #include "config.h"
 #include "log_generator.h"
-#include "generic_rulebase_utils.h"
+#include "maybe_res.h"
 #include "singleton.h"
 /// \class WebTriggerConf
 /// \brief Represents the configuration for a web trigger.
 class WebTriggerConf
 {
 public:
    /// \brief Default constructor for WebTriggerConf.
    WebTriggerConf();
    /// \brief Constructor for WebTriggerConf.
    /// \param title The title of the trigger.
    /// \param body The body of the trigger.
    /// \param code The response code for the trigger.
    WebTriggerConf(const std::string &title, const std::string &body, uint code);
    /// \brief Preload function to register expected configuration.
    static void
    preload()
    {
        registerExpectedConfiguration<WebTriggerConf>("rulebase", "webUserResponse");
    }
    /// \brief Load function to deserialize configuration from JSONInputArchive.
    /// \param archive_in The JSON input archive.
    void load(cereal::JSONInputArchive &archive_in);
    /// \brief Equality operator for WebTriggerConf.
    /// \param other The WebTriggerConf to compare.
    /// \return True if the two WebTriggerConf objects are equal, otherwise false.
    bool operator==(const WebTriggerConf &other) const;
-    uint getResponseCode() const { return response_code; }
+    /// \brief Get the response code for the trigger.
    /// \return The response code.
    uint
    getResponseCode() const
    {
        return response_code;
    }
-    const std::string & getResponseTitle() const { return response_title; }
+    /// \brief Get the response title for the trigger.
    /// \return The response title.
    const std::string &
    getResponseTitle() const
    {
        return response_title;
    }
-    const std::string & getResponseBody() const { return response_body; }
+    /// \brief Get the response body for the trigger.
    /// \return The response body.
    const std::string &
    getResponseBody() const
    {
        return response_body;
    }
-    const std::string & getDetailsLevel() const { return details_level; }
+    /// \brief Get the details level for the trigger.
    /// \return The details level.
    const std::string &
    getDetailsLevel() const
    {
        return details_level;
    }
-    const std::string & getRedirectURL() const { return redirect_url; }
+    /// \brief Get the redirect URL for the trigger.
    /// \return The redirect URL.
    const std::string &
    getRedirectURL() const
    {
        return redirect_url;
    }
-    bool getAddEventId() const { return add_event_id_to_header; }
+    /// \brief Check if the trigger should add an event ID to the header.
    /// \return True if the trigger should add an event ID, otherwise false.
    bool
    getAddEventId() const
    {
        return add_event_id_to_header;
    }
    /// \brief Default trigger configuration for WebTriggerConf.
    static WebTriggerConf default_trigger_conf;
 private:
@@ -64,17 +120,38 @@ private:
    std::string details_level;
    std::string response_body;
    std::string redirect_url;
-    uint        response_code;
+    uint response_code;
-    bool        add_event_id_to_header = false;
+    bool add_event_id_to_header = false;
 };
 /// \class LogTriggerConf
 /// \brief Represents the configuration for a log trigger.
 class LogTriggerConf : Singleton::Consume<I_Logging>
 {
 public:
-    enum class SecurityType { AccessControl, ThreatPrevention, Compliance, COUNT };
+    /// \enum SecurityType
-    enum class extendLoggingSeverity { None, High, Critical };
+    /// \brief Enumerates the security types for LogTriggerConf.
    enum class SecurityType
    {
        AccessControl,
        ThreatPrevention,
        Compliance,
        COUNT
    };
-    enum class WebLogFields {
+    /// \enum extendLoggingSeverity
    /// \brief Enumerates the extended logging severity for LogTriggerConf.
    enum class extendLoggingSeverity
    {
        None,
        High,
        Critical
    };
    /// \enum WebLogFields
    /// \brief Enumerates the web log fields for LogTriggerConf.
    enum class WebLogFields
    {
        webBody,
        webHeaders,
        webRequests,
@@ -85,17 +162,31 @@ public:
        COUNT
    };
    /// \brief Default constructor for LogTriggerConf.
    LogTriggerConf() {}
    /// \brief Constructor for LogTriggerConf.
    /// \param trigger_name The name of the trigger.
    /// \param log_detect Flag indicating whether to log on detect.
    /// \param log_prevent Flag indicating whether to log on prevent.
    LogTriggerConf(std::string trigger_name, bool log_detect, bool log_prevent);
    /// \brief Preload function to register expected configuration.
    static void
    preload()
    {
        registerExpectedConfiguration<LogTriggerConf>("rulebase", "log");
    }
-    template <typename ...Tags>
+    /// \brief LogGen operator for LogTriggerConf.
    /// \param title The title of the log.
    /// \param security The security type of the log.
    /// \param severity The severity of the log.
    /// \param priority The priority of the log.
    /// \param is_action_drop_or_prevent Flag indicating if the action is drop or prevent.
    /// \param tags Tags for the log.
    /// \return The LogGen object.
    template <typename... Tags>
    LogGen
    operator()(
        const std::string &title,
@@ -103,7 +194,8 @@ public:
        ReportIS::Severity severity,
        ReportIS::Priority priority,
        bool is_action_drop_or_prevent,
-        Tags ...tags) const
+        Tags... tags
    ) const
    {
        return LogGen(
            title,
@@ -117,11 +209,17 @@ public:
        );
    }
-    template <typename ...Tags>
+    /// \brief LogGen operator for LogTriggerConf.
    /// \param title The title of the log.
    /// \param security The security type of the log.
    /// \param is_action_drop_or_prevent Flag indicating if the action is drop or prevent.
    /// \param tags Tags for the log.
    /// \return The LogGen object.
    template <typename... Tags>
    LogGen
-    operator()(const std::string &title, SecurityType security, bool is_action_drop_or_prevent, Tags ...tags) const
+    operator()(const std::string &title, SecurityType security, bool is_action_drop_or_prevent, Tags... tags) const
    {
-        return (*this)(
+        return operator()(
            title,
            security,
            getSeverity(is_action_drop_or_prevent),
@@ -131,30 +229,98 @@ public:
        );
    }
    /// \brief Load function to deserialize configuration from JSONInputArchive.
    /// \param archive_in The JSON input archive.
    void load(cereal::JSONInputArchive &archive_in);
-    bool isWebLogFieldActive(WebLogFields log_field) const { return log_web_fields.isSet(log_field); }
+    /// \brief Check if the web log field is active for the trigger.
    /// \param log_field The web log field to check.
    /// \return True if the web log field is active, otherwise false.
    bool
    isWebLogFieldActive(WebLogFields log_field) const
    {
        return log_web_fields.isSet(log_field);
    }
-    bool isLogStreamActive(ReportIS::StreamType stream_type) const { return active_streams.isSet(stream_type); }
+    /// \brief Check if the log stream is active for the trigger.
    /// \param stream_type The log stream type to check.
    /// \return True if the log stream is active, otherwise false.
    bool
    isLogStreamActive(ReportIS::StreamType stream_type) const
    {
        return active_streams.isSet(stream_type);
    }
-    bool isPreventLogActive(SecurityType security_type) const { return should_log_on_prevent.isSet(security_type); }
+    /// \brief Check if the log is active on prevent for the given security type.
    /// \param security_type The security type to check.
    /// \return True if the log is active on prevent, otherwise false.
    bool
    isPreventLogActive(SecurityType security_type) const
    {
        return should_log_on_prevent.isSet(security_type);
    }
-    bool isDetectLogActive(SecurityType security_type) const { return should_log_on_detect.isSet(security_type); }
+    /// \brief Check if the log is active on detect for the given security type.
    /// \param security_type The security type to check.
    /// \return True if the log is active on detect, otherwise false.
    bool
    isDetectLogActive(SecurityType security_type) const
    {
        return should_log_on_detect.isSet(security_type);
    }
-    bool isLogGeoLocationActive(SecurityType security_type) const { return log_geo_location.isSet(security_type); }
+    /// \brief Check if the geo-location log is active for the given security type.
    /// \param security_type The security type to check.
    /// \return True if the geo-location log is active, otherwise false.
    bool
    isLogGeoLocationActive(SecurityType security_type) const
    {
        return log_geo_location.isSet(security_type);
    }
-    extendLoggingSeverity getExtendLoggingSeverity() const { return extend_logging_severity; }
+    /// \brief Get the extended logging severity.
    /// \return The extended logging severity.
    extendLoggingSeverity
    getExtendLoggingSeverity() const
    {
        return extend_logging_severity;
    }
-    const std::string & getVerbosity() const { return verbosity; }
+    /// \brief Get the verbosity.
-    const std::string & getName() const { return name; }
+    /// \return The verbosity.
    const std::string &
    getVerbosity() const
    {
        return verbosity;
    }
-    const std::string & getUrlForSyslog() const { return url_for_syslog; }
+    /// \brief Get the name.
-    const std::string & getUrlForCef() const { return url_for_cef; }
+    /// \return The name.
    const std::string &
    getName() const
    {
        return name;
    }
    /// \brief Get the URL for syslog.
    /// \return The URL for syslog.
    const std::string &
    getUrlForSyslog() const
    {
        return url_for_syslog;
    }
    /// \brief Get the URL for CEF.
    /// \return The URL for CEF.
    const std::string &
    getUrlForCef() const
    {
        return url_for_cef;
    }
 private:
    ReportIS::Severity getSeverity(bool is_action_drop_or_prevent) const;
    ReportIS::Priority getPriority(bool is_action_drop_or_prevent) const;
    Flags<ReportIS::StreamType> getStreams(SecurityType security_type, bool is_action_drop_or_prevent) const;
    Flags<ReportIS::Enreachments> getEnrechments(SecurityType security_type) const;
--- a/components/include/health_checker.h
+++ b/components/include/health_checker.h
@@ -18,6 +18,7 @@
 #include "i_mainloop.h"
 #include "i_socket_is.h"
 #include "i_health_check_manager.h"
 #include "i_shell_cmd.h"
 #include "component.h"
 class HealthChecker
@@ -25,7 +26,8 @@ class HealthChecker
    public Component,
    Singleton::Consume<I_MainLoop>,
    Singleton::Consume<I_Socket>,
-    Singleton::Consume<I_Health_Check_Manager>
+    Singleton::Consume<I_Health_Check_Manager>,
    Singleton::Consume<I_ShellCmd>
 {
 public:
    HealthChecker();
--- a/components/include/http_transaction_data.h
+++ b/components/include/http_transaction_data.h
@@ -43,6 +43,19 @@ public:
        uint16_t client_port
    );
    HttpTransactionData (
        std::string http_proto,
        std::string method,
        std::string host_name,
        std::string parsed_host,
        IPAddr listening_ip,
        uint16_t listening_port,
        std::string uri,
        std::string parsed_uri,
        IPAddr client_ip,
        uint16_t client_port
    );
 // LCOV_EXCL_START - sync functions, can only be tested once the sync module exists
    template <class Archive>
    void
@@ -52,9 +65,11 @@ public:
            http_proto,
            method,
            host_name,
            parsed_host,
            listening_ip,
            listening_port,
            uri,
            parsed_uri,
            client_ip,
            client_port,
            response_content_encoding
@@ -69,9 +84,11 @@ public:
            http_proto,
            method,
            host_name,
            parsed_host,
            listening_ip,
            listening_port,
            uri,
            parsed_uri,
            client_ip,
            client_port,
            response_content_encoding
@@ -86,8 +103,10 @@ public:
    const IPAddr & getListeningIP() const { return listening_ip; }
    uint16_t getListeningPort() const { return listening_port; }
    const std::string & getDestinationHost() const { return host_name; }
    const std::string & getParsedHost() const { return parsed_host; }
    const std::string & getHttpProtocol() const { return http_proto; }
    const std::string & getURI() const { return uri; }
    const std::string & getParsedURI() const { return parsed_uri; }
    const std::string & getHttpMethod() const { return method; }
    void print(std::ostream &out_stream) const;
@@ -124,9 +143,11 @@ private:
    std::string http_proto;
    std::string method = "GET";
    std::string host_name;
    std::string parsed_host;
    IPAddr listening_ip;
    uint16_t listening_port;
    std::string uri;
    std::string parsed_uri;
    IPAddr client_ip;
    uint16_t client_port;
    bool is_request;
--- a/components/include/i_orchestration_tools.h
+++ b/components/include/i_orchestration_tools.h
@@ -109,6 +109,11 @@ public:
    virtual Maybe<std::string> readFile(const std::string &path) const = 0;
    virtual bool writeFile(const std::string &text, const std::string &path) const = 0;
    virtual bool removeFile(const std::string &path) const = 0;
    virtual bool removeDirectory(const std::string &path, bool delete_content) const = 0;
    virtual void deleteVirtualTenantProfileFiles(
        const std::string &tenant_id,
        const std::string &profile_id,
        const std::string &conf_path) const = 0;
    virtual bool copyFile(const std::string &src_path, const std::string &dst_path) const = 0;
    virtual bool doesFileExist(const std::string &file_path) const = 0;
    virtual void fillKeyInJson(
@@ -118,6 +123,7 @@ public:
    virtual bool createDirectory(const std::string &directory_path) const = 0;
    virtual bool doesDirectoryExist(const std::string &dir_path) const = 0;
    virtual bool executeCmd(const std::string &cmd) const = 0;
    virtual void loadTenantsFromDir(const std::string &dir_path) const = 0;
    virtual std::string base64Encode(const std::string &input) const = 0;
    virtual std::string base64Decode(const std::string &input) const = 0;
--- a/components/include/i_service_controller.h
+++ b/components/include/i_service_controller.h
@@ -19,6 +19,7 @@
 #include <map>
 #include "connkey.h"
 #include "maybe_res.h"
 #include "rest.h"
 enum class ReconfStatus { SUCCEEDED, IN_PROGRESS, FAILED, INACTIVE };
@@ -27,6 +28,7 @@ class I_ServiceController
 {
 public:
    virtual void refreshPendingServices() = 0;
    virtual const std::string & getPolicyVersions() const = 0;
    virtual const std::string & getPolicyVersion() const = 0;
    virtual const std::string & getUpdatePolicyVersion() const = 0;
    virtual void updateReconfStatus(int id, ReconfStatus status) = 0;
@@ -37,13 +39,13 @@ public:
        const std::string &service_id
    ) = 0;
-    virtual bool
+    virtual Maybe<void>
    updateServiceConfiguration(
        const std::string &new_policy_path,
        const std::string &new_settings_path,
        const std::vector<std::string> &new_data_files = {},
-        const std::string &tenant_id = "",
+        const std::string &child_tenant_id = "",
-        const std::string &profile_id = "",
+        const std::string &child_profile_id = "",
        const bool last_iteration = false
    ) = 0;
@@ -51,6 +53,8 @@ public:
    virtual void clearFailedServices() = 0;
    virtual std::set<std::string> && moveChangedPolicies() = 0;
    virtual bool isServiceInstalled(const std::string &service_name) = 0;
    virtual void registerServiceConfig(
--- a/components/include/i_update_communication.h
+++ b/components/include/i_update_communication.h
@@ -26,9 +26,12 @@ using OrchData      = Maybe<std::string>;
 class I_UpdateCommunication
 {
 public:
    virtual Maybe<void> sendPolicyVersion(
        const std::string &policy_version,
        const std::string &policy_versions
    ) const = 0;
    virtual Maybe<void> authenticateAgent() = 0;
    virtual Maybe<void> getUpdate(CheckUpdateRequest &request) = 0;
    virtual Maybe<void> sendPolicyVersion(const std::string &policy_version) const = 0;
    virtual Maybe<std::string> downloadAttributeFile(const GetResourceFile &resourse_file) = 0;
    virtual void setAddressExtenesion(const std::string &extension) = 0;
 };
--- a/components/include/orchestration_comp.h
+++ b/components/include/orchestration_comp.h
@@ -14,7 +14,6 @@
 #ifndef __ORCHESTRATION_COMP_H__
 #define __ORCHESTRATION_COMP_H__
 #include "i_messaging_downloader.h"
 #include "i_messaging.h"
 #include "i_mainloop.h"
 #include "i_shell_cmd.h"
@@ -49,7 +48,6 @@ class OrchestrationComp
    Singleton::Consume<I_DetailsResolver>,
    Singleton::Consume<I_RestApi>,
    Singleton::Consume<I_TenantManager>,
    Singleton::Consume<I_MessagingDownloader>,
    Singleton::Consume<I_PackageHandler>,
    Singleton::Consume<I_ServiceController>,
    Singleton::Consume<I_UpdateCommunication>,
--- a/components/include/orchestration_tools.h
+++ b/components/include/orchestration_tools.h
@@ -17,9 +17,16 @@
 #include <fstream>
 #include "i_orchestration_tools.h"
 #include "i_shell_cmd.h"
 #include "i_tenant_manager.h"
 #include "component.h"
-class OrchestrationTools : public Component, Singleton::Provide<I_OrchestrationTools>
+class OrchestrationTools
        :
    public Component,
    Singleton::Provide<I_OrchestrationTools>,
    Singleton::Consume<I_ShellCmd>,
    Singleton::Consume<I_TenantManager>
 {
 public:
    OrchestrationTools();
--- a/components/include/orchestrator/rest_api/orchestration_check_update.h
+++ b/components/include/orchestrator/rest_api/orchestration_check_update.h
@@ -106,6 +106,42 @@ public:
        BOTH_LABEL_OPTIONAL_PARAM(TenantError, error, "error");
    };
    class UpgradeSchedule : public ClientRest
    {
    public:
        UpgradeSchedule() = default;
        void init(const std::string &_upgrade_mode) { mode = _upgrade_mode; }
        void
        init(
            const std::string &_upgrade_mode,
            const std::string &_upgrade_time,
            const uint &_upgrade_duration_hours)
        {
            init(_upgrade_mode);
            time = _upgrade_time;
            duration_hours = _upgrade_duration_hours;
        }
        void
        init(
            const std::string &_upgrade_mode,
            const std::string &_upgrade_time,
            const uint &_upgrade_duration_hours,
            const std::vector<std::string> &_upgrade_days)
        {
            init(_upgrade_mode, _upgrade_time, _upgrade_duration_hours);
            days = _upgrade_days;
        }
    private:
        C2S_LABEL_PARAM(std::string, mode, "upgradeMode");
        C2S_LABEL_OPTIONAL_PARAM(std::string, time, "upgradeTime");
        C2S_LABEL_OPTIONAL_PARAM(uint, duration_hours, "upgradeDurationHours");
        C2S_LABEL_OPTIONAL_PARAM(std::vector<std::string>, days, "upgradeDay");
    };
    CheckUpdateRequest(
        const std::string &_manifest,
        const std::string &_policy,
@@ -185,6 +221,28 @@ public:
    void setGreedyMode() { check_all_tenants = true; }
    void
    setUpgradeFields(const std::string &_upgrade_mode)
    {
        upgrade_schedule.setActive(true);
        upgrade_schedule.get().init(_upgrade_mode);
    }
    void
    setUpgradeFields(
        const std::string &_upgrade_mode,
        const std::string &_upgrade_time,
        const uint &_upgrade_duration_hours,
        const std::vector<std::string> &_upgrade_days)
    {
        upgrade_schedule.setActive(true);
        if (!_upgrade_days.empty()) {
            upgrade_schedule.get().init(_upgrade_mode, _upgrade_time, _upgrade_duration_hours, _upgrade_days);
            return;
        }
        upgrade_schedule.get().init(_upgrade_mode, _upgrade_time, _upgrade_duration_hours);
    }
 private:
    class VirtualConfig : public ClientRest
    {
@@ -239,6 +297,8 @@ private:
    C2S_LABEL_PARAM(std::string, checksum_type,  "checksum-type");
    C2S_LABEL_PARAM(std::string, policy_version, "policyVersion");
    C2S_LABEL_OPTIONAL_PARAM(UpgradeSchedule, upgrade_schedule, "upgradeSchedule");
    S2C_LABEL_OPTIONAL_PARAM(VirtualConfig, in_virtual_policy,    "virtualPolicy");
    S2C_LABEL_OPTIONAL_PARAM(VirtualConfig, in_virtual_settings,  "virtualSettings");
 };
--- a/components/messaging_downloader/CMakeLists.txt
+++ b/components/messaging_downloader/CMakeLists.txt
@@ -1,4 +0,0 @@
 add_library(messaging_downloader_server messaging_downloader_server.cc)
 add_library(messaging_downloader_client messaging_downloader_client.cc)
 add_subdirectory(messaging_downloader_ut)
--- a/components/messaging_downloader/messaging_downloader_client.cc
+++ b/components/messaging_downloader/messaging_downloader_client.cc
@@ -1,230 +0,0 @@
 // Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
 // Licensed under the Apache License, Version 2.0 (the "License");
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 #include <unordered_map>
 #include "messaging_downloader_client.h"
 #include "i_messaging.h"
 #include "config.h"
 #include "rest.h"
 USE_DEBUG_FLAG(D_COMMUNICATION);
 using namespace std;
 class MessagingDownloaderClientRequest : public ClientRest
 {
 public:
    MessagingDownloaderClientRequest()
    {
        file_name = "";
        url = "";
        port = 80;
        response_port = 0;
        status = false;
    }
    MessagingDownloaderClientRequest(
        const string &_file_name,
        const string &_url,
        const unsigned int _port,
        const unsigned int _response_port
    ) :
        file_name(_file_name),
        url(_url),
        port(_port),
        response_port(_response_port),
        status(false)
    {}
    bool getStatus() const { return status.get(); }
    const string & getUuid() const { return uuid.get(); }
    C2S_PARAM(string, file_name);
    C2S_PARAM(string, url);
    C2S_PARAM(unsigned int, port);
    C2S_PARAM(unsigned int, response_port);
    S2C_PARAM(string, uuid);
    S2C_PARAM(bool, status);
 };
 class DownloaderCbHandler
 {
 public:
    void
    addCallback(const string &uuid, I_MessagingDownloader::OnCompleteCB &cb)
    {
        DownloaderCbHandler::uuid_to_cb[uuid] = cb;
    }
    static void
    handleDownloadCB(const string &uuid, Maybe<string> &downloaded_file)
    {
        dbgTrace(D_COMMUNICATION) << "Handling downloading complete callback. UUID: " << uuid;
        if(DownloaderCbHandler::uuid_to_cb.find(uuid) == DownloaderCbHandler::uuid_to_cb.end()) {
            dbgWarning(D_COMMUNICATION) << "Failed to execute download completion callback.";
            return;
        }
        if (DownloaderCbHandler::uuid_to_cb.at(uuid) != nullptr) {
            DownloaderCbHandler::uuid_to_cb.at(uuid)(downloaded_file);
            DownloaderCbHandler::uuid_to_cb.erase(uuid);
        } else {
            string curr_status;
            if (downloaded_file.ok()) {
                curr_status = ". File path: " + downloaded_file.unpack();
            } else {
                curr_status = ". Error: " + downloaded_file.getErr();
            }
            dbgWarning(D_COMMUNICATION)
                << "Illegal download completion callback for downloading process with UUID: "
                << uuid
                << curr_status;
        }
        dbgTrace(D_COMMUNICATION) << "Successfully handled the downloading complete callback. UUID: " << uuid;
    }
    static unordered_map<string, I_MessagingDownloader::OnCompleteCB> uuid_to_cb;
 };
 unordered_map<string, I_MessagingDownloader::OnCompleteCB> DownloaderCbHandler::uuid_to_cb;
 class MessagingDownloaderClientRes : public ServerRest
 {
 public:
    void
    doCall() override
    {
        dbgTrace(D_COMMUNICATION) << "Received response from the downloading server.";
        if (status.get() && filepath.isActive()) {
            Maybe<string> response(filepath.get());
            DownloaderCbHandler::handleDownloadCB(uuid.get(), response);
        } else {
            if (!error.isActive()) error = "unknown error";
            dbgWarning(D_COMMUNICATION) << "Failed to download. Error: " << error.get();
            Maybe<string> response = genError(error.get());
            DownloaderCbHandler::handleDownloadCB(uuid.get(), response);
        }
    }
    C2S_PARAM(string, uuid);
    C2S_PARAM(bool, status);
    C2S_OPTIONAL_PARAM(string, filepath);
    C2S_OPTIONAL_PARAM(string, error);
 };
 class MessagingDownloaderClient::Impl : Singleton::Provide<I_MessagingDownloader>::From<MessagingDownloaderClient>
 {
 public:
    void
    init()
    {
        i_msg = Singleton::Consume<I_Messaging>::by<MessagingDownloaderClient>();
        Singleton::Consume<I_RestApi>::by<MessagingDownloaderClient>()->addRestCall<MessagingDownloaderClientRes>(
            RestAction::SHOW,
            "download-status"
        );
    }
    void
    fini()
    {
        i_msg = nullptr;
    }
    bool
    downloadFile(
        const string &file_name,
        const string &url,
        I_MessagingDownloader::OnCompleteCB cb = nullptr,
        const unsigned int port = 0
    ) override
    {
        dbgTrace(D_COMMUNICATION)
            << "Processing new download request."
            << "File name: "
            << file_name
            << "URL: "
            << url;
        auto response_port = Singleton::Consume<I_Environment>::by<MessagingDownloaderClient>()->get<int>(
            "Listening Port"
        );
        if (!response_port.ok()) {
            dbgWarning(D_COMMUNICATION) << "Failed to get the service listening port.";
            return false;
        }
        vector<int> download_ports = {
            getConfigurationWithDefault(8164, "Downloader", "Downloader Primary Port"),
            getConfigurationWithDefault(8167, "Downloader", "Downloader Secondary Port")
        };
        MessagingDownloaderClientRequest download_obj(
            file_name,
            url,
            port,
            response_port.unpack()
        );
        Flags<MessageConnConfig> conn_flags;
        conn_flags.setFlag(MessageConnConfig::EXPECT_REPLY);
        if (i_msg != nullptr) {
            dbgTrace(D_COMMUNICATION) << "Sending request to the downloading service.";
            bool res = false;
            for (int port: download_ports) {
                dbgTrace(D_COMMUNICATION) << "Trying to request downloading with downloading service port " << port;
                res = i_msg->sendObject(
                    download_obj,
                    I_Messaging::Method::POST,
                    "127.0.0.1",
                    port,
                    conn_flags,
                    "/add-download-file"
                );
                if (res) break;
            }
            if (!res) {
                dbgInfo(D_COMMUNICATION) << "Failed to request for file downloading";
                return false;
            }
            dbgTrace(D_COMMUNICATION) << "Successfully requested for downloading.";
            cb_handler.addCallback(download_obj.getUuid(), cb);
        } else {
            dbgDebug(D_COMMUNICATION) << "Failed to request downloading. Illegal messaging infrastructure.";
        }
        return download_obj.getStatus();
    }
 private:
    I_Messaging *i_msg;
    DownloaderCbHandler cb_handler;
 };
 MessagingDownloaderClient::MessagingDownloaderClient()
        :
    Component("MessagingDownloaderClient"),
    pimpl(make_unique<Impl>())
 {}
 MessagingDownloaderClient::~MessagingDownloaderClient() {}
 void MessagingDownloaderClient::init() { pimpl->init(); }
 void MessagingDownloaderClient::fini() { pimpl->fini(); }
 void
 MessagingDownloaderClient::preload()
 {
    registerExpectedConfiguration<int>("Downloader", "Downloader Primary Port");
    registerExpectedConfiguration<int>("Downloader", "Downloader Secondary Port");
 };
--- a/components/messaging_downloader/messaging_downloader_server.cc
+++ b/components/messaging_downloader/messaging_downloader_server.cc
@@ -1,375 +0,0 @@
 // Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
 // Licensed under the Apache License, Version 2.0 (the "License");
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 #include "messaging_downloader_server.h"
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <boost/uuid/uuid.hpp>
 #include <boost/uuid/uuid_generators.hpp>
 #include <boost/uuid/uuid_io.hpp>
 #include <sstream>
 #include <set>
 #include "i_messaging.h"
 #include "rest.h"
 #include "config.h"
 #include "url_parser.h"
 #include "agent_core_utilities.h"
 USE_DEBUG_FLAG(D_COMMUNICATION);
 using namespace std;
 class MessagingDownloaderResponser : public ClientRest
 {
 public:
    MessagingDownloaderResponser()=delete;
    MessagingDownloaderResponser(string &_uuid, const Maybe<string> &_filepath)
            :
        uuid(_uuid),
        status(_filepath.ok())
    {
        if (_filepath.ok()) {
            filepath = _filepath.unpack();
        } else {
            error = _filepath.getErr();
        }
    }
    C2S_PARAM(string, uuid);
    C2S_PARAM(bool, status);
    C2S_OPTIONAL_PARAM(string, filepath)
    C2S_OPTIONAL_PARAM(string, error)
 };
 class MessagingDownloaderReceiver : public ServerRest
 {
 public:
    void
    doCall() override
    {
        dbgTrace(D_COMMUNICATION) << "Received new downloading request.";
        stringstream uuid_ss;
        uuid_ss << boost::uuids::random_generator()();
        uuid = uuid_ss.str();
        if (!port.isActive()) {
            dbgTrace(D_COMMUNICATION) << "Request does not contain explicit port.";
            port = 0;
        }
        dbgInfo(D_COMMUNICATION)
            << "Downloading a file and using the next parameters: "
            << "file_name: "
            << file_name.get()
            << ", url: "
            << url.get()
            << ", uuid: "
            << uuid.get()
            << ", port: "
            << port.get()
            << ", notification port: "
            << response_port.get();
        unsigned int response_port_cap = response_port.get();
        string uuid_capture = uuid.get();
        status = Singleton::Consume<I_MessagingDownloader>::from<MessagingDownloaderServer>()->downloadFile(
            file_name.get(),
            url.get(),
            [uuid_capture, response_port_cap](const Maybe<string> &downloaded_file) mutable
            {
                Flags<MessageConnConfig> conn_flags;
                MessagingDownloaderResponser res(uuid_capture, downloaded_file);
                dbgTrace(D_COMMUNICATION) << "Sending the download status to the client.";
                bool res_status = Singleton::Consume<I_Messaging>::by<MessagingDownloaderServer>()->sendNoReplyObject(
                    res,
                    I_Messaging::Method::POST,
                    "127.0.0.1",
                    response_port_cap,
                    conn_flags,
                    "/show-download-status"
                );
                if (!res_status) {
                    dbgInfo(D_COMMUNICATION) << "Failed to send the download status.";
                } else {
                    dbgDebug(D_COMMUNICATION)
                        << "Successfully sent the download status. Notification port: "
                        << response_port_cap
                        << ", Status: "
                        << downloaded_file.ok();
                }
            },
            port.get()
        );
    }
    C2S_PARAM(string, file_name);
    C2S_PARAM(string, url);
    C2S_PARAM(int, response_port);
    C2S_PARAM(int, port);
    S2C_PARAM(string, uuid);
    S2C_PARAM(bool, status);
 };
 class DownloadingInstance
 {
 public:
    DownloadingInstance()=default;
    DownloadingInstance(
        const string &_file_name,
        const string &_url,
        const unsigned int _port
    ) :
        file_name(_file_name),
        url(_url),
        port(_port),
        url_parser(_url)
    {
        parseURL();
    }
    Maybe<string>
    genJson() const
    {
        return string("");
    }
    bool
    loadJson(const string &_body)
    {
        body = vector<char>(_body.begin(), _body.end());
        return true;
    }
    const vector<char> &
    getResponse() const
    {
        return body;
    }
    bool
    operator==(const DownloadingInstance &other) const
    {
        return file_name == other.file_name &&
            host == other.host &&
            url == other.url &&
            port == other.port &&
            is_secure == other.is_secure &&
            origin_is_fog == other.origin_is_fog;
    }
    bool
    operator<(const DownloadingInstance &other) const
    {
        return file_name < other.file_name ||
            host < other.host ||
            url < other.url ||
            port < other.port ||
            is_secure < other.is_secure ||
            origin_is_fog < other.origin_is_fog;
    }
    const string & getFileName() const { return file_name; }
    const string & getHost() const { return host; }
    const string & getUrl() const { return url; }
    unsigned int getPort() const { return port; }
    bool getIsSecure() const { return is_secure; }
    bool getIsFogOrigin() const { return origin_is_fog; }
 private:
    void
    parseURL()
    {
        dbgTrace(D_COMMUNICATION) << "Parsing the URL to extract the relevant info. URL: " << url;
        origin_is_fog = false;
        auto maybe_host = url_parser.getBaseURL();
        if (!maybe_host.ok()) {
            dbgWarning(D_COMMUNICATION) << "Failed to parse the URL";
            return;
        }
        host = maybe_host.unpack();
        is_secure = url_parser.isOverSSL();
        if (port == 0 && url_parser.getPort() != "") {
            try {
                port = stoi(url_parser.getPort());
            } catch (exception &e) {
                port = 443;
                dbgInfo(D_COMMUNICATION)
                    << "Failed to parse the port for the downloading request. Error "
                    << e.what()
                    << ". Using the default port "
                    << port;
            }
        } else {
            dbgTrace(D_COMMUNICATION) << "Using explicitly defined port. Port: " << port;
        }
        I_AgentDetails *agent_details = Singleton::Consume<I_AgentDetails>::by<MessagingDownloaderServer>();
        if (agent_details->getFogDomain().ok()) {
            string fog_domain = agent_details->getFogDomain().unpack();
            if (host.find(fog_domain) != string::npos) {
                origin_is_fog = true;
            }
        } else {
            dbgTrace(D_COMMUNICATION) << "Failed to receive fog domain.";
        }
    }
    string file_name = "";
    string url = "";
    unsigned int port = 0;
    URLParser url_parser;
    vector<char> body = {};
    string host = "";
    bool is_secure = true;
    bool origin_is_fog = true;
 };
 class MessagingDownloaderServer::Impl : Singleton::Provide<I_MessagingDownloader>::From<MessagingDownloaderServer>
 {
 public:
    void
    init()
    {
        i_msg = Singleton::Consume<I_Messaging>::by<MessagingDownloaderServer>();
        i_mainloop = Singleton::Consume<I_MainLoop>::by<MessagingDownloaderServer>();
        auto rest = Singleton::Consume<I_RestApi>::by<MessagingDownloaderServer>();
        rest->addRestCall<MessagingDownloaderReceiver>(RestAction::ADD, "download-file");
        string default_downloading_dir = "/tmp/cp_nano_downloader/";
        download_dir = getConfigurationWithDefault(
            default_downloading_dir,
            "Downloader",
            "Downloading Directory"
        );
        NGEN::Filesystem::makeDirRecursive(download_dir);
    }
    void
    fini()
    {
        i_msg = nullptr;
        i_mainloop = nullptr;
    }
    bool
    downloadFile(
        const string &file_name,
        const string &url,
        OnCompleteCB on_complete_func = nullptr,
        const unsigned int port = 443
    ) override
    {
        dbgTrace(D_COMMUNICATION) << "Handling new download request. URL: " << url << ". File name: " << file_name;
        DownloadingInstance req(file_name, url, port);
        if (downloading_queue.find(req) != downloading_queue.end()) {
            dbgInfo(D_COMMUNICATION) << "Failed to download the file. Similar download request already exists.";
            return false;
        }
        if (!isValidPath(file_name)) {
            dbgInfo(D_COMMUNICATION) << "Failed to validate the download path. Path: " << download_dir + file_name;
            return false;
        }
        downloading_queue.insert(req);
        i_mainloop->addOneTimeRoutine(
            I_MainLoop::RoutineType::RealTime,
            [this, req, on_complete_func]() mutable
            {
                Flags<MessageConnConfig> conn_flags;
                if (req.getIsSecure()) conn_flags.setFlag(MessageConnConfig::SECURE_CONN);
                if (!req.getIsFogOrigin()) conn_flags.setFlag(MessageConnConfig::EXTERNAL);
                auto on_exit = make_scope_exit([this, &req]() { downloading_queue.erase(req); } );
                bool response = i_msg->sendObject(
                    req,
                    I_Messaging::Method::GET,
                    req.getHost(),
                    req.getPort(),
                    conn_flags,
                    req.getUrl()
                );
                if (response) {
                    dbgTrace(D_COMMUNICATION) << "Successfully received a response from the downloading file host.";
                    std::ofstream downloaded_file;
                    downloaded_file.open(download_dir + req.getFileName());
                    if (!downloaded_file.is_open()) {
                        dbgInfo(D_COMMUNICATION)
                            << "Failed to download file. Error: Failed to open the file "
                            << req.getFileName();
                        Maybe<string> err = genError("Failed to open the file");
                        on_complete_func(err);
                        if (i_mainloop != nullptr) i_mainloop->yield(true);
                    }
                    auto &res_body = req.getResponse();
                    downloaded_file.write(res_body.data(), res_body.size());
                    downloaded_file.close();
                    dbgInfo(D_COMMUNICATION) << "Successfully downloaded the file. File name: " << req.getFileName();
                    Maybe<string> filepath = download_dir + req.getFileName();
                    on_complete_func(filepath);
                } else {
                    dbgInfo(D_COMMUNICATION) << "Failed to download file. File name: " << req.getFileName();
                    Maybe<string> err = genError("Failed during the downloading process.");
                    on_complete_func(err);
                }
            },
            "Download file routine for '" + file_name + "'",
            false
        );
        return true;
    }
 private:
    bool
    isValidPath(const string &file_name)
    {
        struct stat info;
        string file_to_download = download_dir + file_name;
        dbgTrace(D_COMMUNICATION) << "Validating the downloading file path. Path: " << file_to_download;
        if (stat(download_dir.c_str(), &info) != 0) {
            dbgDebug(D_COMMUNICATION) << "Failed to access the downloading directory";
            return false;
        }
        if (stat(file_to_download.c_str(), &info) == 0) {
            dbgDebug(D_COMMUNICATION)
                << "The file with the name '"
                << file_name
                << "' is already exist in the downloading directory";
            return false;
        }
        return true;
    }
    I_Messaging *i_msg;
    I_MainLoop *i_mainloop;
    string download_dir;
    set<DownloadingInstance> downloading_queue;
 };
 MessagingDownloaderServer::MessagingDownloaderServer()
        :
    Component("MessagingDownloaderServer"),
    pimpl(make_unique<Impl>())
 {}
 MessagingDownloaderServer::~MessagingDownloaderServer() {}
 void MessagingDownloaderServer::init() { pimpl->init(); }
 void MessagingDownloaderServer::fini() { pimpl->fini(); }
 void
 MessagingDownloaderServer::preload()
 {
    registerExpectedConfiguration<string>("Downloader", "Downloading Directory");
 };
--- a/components/messaging_downloader/messaging_downloader_ut/CMakeLists.txt
+++ b/components/messaging_downloader/messaging_downloader_ut/CMakeLists.txt
@@ -1,2 +0,0 @@
 add_subdirectory(downloader_server_ut)
 add_subdirectory(downloader_client_ut)
--- a/components/messaging_downloader/messaging_downloader_ut/downloader_client_ut/CMakeLists.txt
+++ b/components/messaging_downloader/messaging_downloader_ut/downloader_client_ut/CMakeLists.txt
@@ -1,9 +0,0 @@
 link_directories(${BOOST_ROOT}/lib)
 include_directories(${CMAKE_SOURCE_DIR}/core/include)
 link_directories(${CMAKE_BINARY_DIR}/core/include)
 add_unit_test(
    downloader_client_ut
    "downloader_client_ut.cc" 
    "singleton;messaging_downloader_client;time_proxy;mainloop;rest;metric;event_is;message;-lboost_context;agent_core_utilities;orchestration_modules;connkey;-lboost_regex;-lboost_filesystem;-lboost_system"
 )
--- a/components/messaging_downloader/messaging_downloader_ut/downloader_client_ut/downloader_client_ut.cc
+++ b/components/messaging_downloader/messaging_downloader_ut/downloader_client_ut/downloader_client_ut.cc
@@ -1,113 +0,0 @@
 #include "messaging_downloader_client.h"
 #include <boost/filesystem.hpp>
 #include "environment.h"
 #include "singleton.h"
 #include "config.h"
 #include "config_component.h"
 #include "mainloop.h"
 #include "cptest.h"
 #include "mock/mock_mainloop.h"
 #include "mock/mock_messaging.h"
 #include "mock/mock_rest_api.h"
 #include "mock/mock_agent_details.h"
 #include "mock/mock_time_get.h"
 using namespace std;
 using namespace testing;
 class MessagingDownloaderClientTest : public Test
 {
 public:
    MessagingDownloaderClientTest()
    {
        EXPECT_CALL(
            rest,
            mockRestCall(RestAction::SHOW, "download-status", _)
        ).WillOnce(WithArg<2>(Invoke(this, &MessagingDownloaderClientTest::restHandler)));
        EXPECT_CALL(rest, mockRestCall(RestAction::ADD, "declare-boolean-variable", _)).WillOnce(Return(true));
        Debug::setUnitTestFlag(D_COMMUNICATION, Debug::DebugLevel::TRACE);
        Debug::setNewDefaultStdout(&capture_debug);
        messaging_downloader.preload();
        env.preload();
        env.init();
        messaging_downloader.init();
    }
    ~MessagingDownloaderClientTest()
    {
        boost::filesystem::remove_all("/tmp/test_download_dir/");
        messaging_downloader.fini();
    }
    bool
    restHandler(const unique_ptr<RestInit> &rest_ptr)
    {
        rest_handler = rest_ptr->getRest();
        return true;
    }
    unique_ptr<ServerRest> rest_handler;
    ostringstream capture_debug;
    I_MainLoop::Routine downloading_routine;
    MessagingDownloaderClient messaging_downloader;
    NiceMock<MockTimeGet> mock_time;
    NiceMock<MockAgentDetails> mock_agent_details;
    StrictMock<MockMessaging> mock_msg;
    StrictMock<MockRestApi> rest;
    StrictMock<MockMainLoop> mock_ml;
    ::Environment env;
    ConfigComponent conf;
 };
 TEST_F(MessagingDownloaderClientTest, do_nothing)
 {
 }
 TEST_F(MessagingDownloaderClientTest, request_download)
 {
    string file_name = "test_file";
    string url = "https://download_test.com/test_download";
    Singleton::Consume<I_Environment>::by<MessagingDownloaderClient>()->registerValue<int>("Listening Port", 6464);
    stringstream ss;
    ss << "{\n    \"file_name\": \"" << file_name << "\","
        << "\n    \"url\": \"" << url << "\","
        << "\n    \"port\": 0,\n    \"response_port\": 6464\n}";
    EXPECT_CALL(mock_msg, sendMessage(
        true,
        ss.str(),
        I_Messaging::Method::POST,
        "127.0.0.1",
        8164,
        _,
        "/add-download-file",
        _,
        _,
        _
    )).WillOnce(Return(Maybe<string>(string("{\"uuid\": \"111\", \"status\": true}"))));
    bool is_cb_run = false;
    bool res = Singleton::Consume<I_MessagingDownloader>::from<MessagingDownloaderClient>()->downloadFile(
        file_name,
        url,
        [&is_cb_run](const Maybe<string>& filepath)
        {
            is_cb_run = true;
            EXPECT_TRUE(filepath.ok());
            EXPECT_EQ(filepath.unpack(), "/tmp/test_download_dir/test_file");
        }
    );
    EXPECT_TRUE(res);
    stringstream is;
    is << "{\"uuid\": \"111\", \"status\": true, \"filepath\": \"/tmp/test_download_dir/test_file\"}";
    EXPECT_FALSE(is_cb_run);
    rest_handler->performRestCall(is);
    EXPECT_TRUE(is_cb_run);
 }
--- a/components/messaging_downloader/messaging_downloader_ut/downloader_server_ut/CMakeLists.txt
+++ b/components/messaging_downloader/messaging_downloader_ut/downloader_server_ut/CMakeLists.txt
@@ -1,9 +0,0 @@
 link_directories(${BOOST_ROOT}/lib)
 include_directories(${CMAKE_SOURCE_DIR}/core/include)
 link_directories(${CMAKE_BINARY_DIR}/core/include)
 add_unit_test(
    downloader_server_ut
    "downloader_server_ut.cc" 
    "singleton;messaging_downloader_server;time_proxy;mainloop;rest;metric;event_is;message;-lboost_context;agent_core_utilities;orchestration_modules;agent_details;connkey;-lboost_regex;-lboost_filesystem;-lboost_system"
 )
--- a/components/messaging_downloader/messaging_downloader_ut/downloader_server_ut/downloader_server_ut.cc
+++ b/components/messaging_downloader/messaging_downloader_ut/downloader_server_ut/downloader_server_ut.cc
@@ -1,304 +0,0 @@
 #include "messaging_downloader_server.h"
 #include <boost/filesystem.hpp>
 #include "environment.h"
 #include "singleton.h"
 #include "config.h"
 #include "config_component.h"
 #include "mainloop.h"
 #include "cptest.h"
 #include "mock/mock_mainloop.h"
 #include "mock/mock_messaging.h"
 #include "mock/mock_rest_api.h"
 #include "mock/mock_agent_details.h"
 #include "mock/mock_time_get.h"
 using namespace std;
 using namespace testing;
 class MessagingDownloaderServerTest : public Test
 {
 public:
    MessagingDownloaderServerTest()
    {
        setConfiguration(string("/tmp/test_download_dir/"), "Downloader", "Downloading Directory");
        EXPECT_CALL(
            rest,
            mockRestCall(RestAction::ADD, "download-file", _)
        ).WillOnce(WithArg<2>(Invoke(this, &MessagingDownloaderServerTest::restHandler)));
        Maybe<string> fog_addr(string("test.fog.com"));
        EXPECT_CALL(
            mock_agent_details,
            getFogDomain()
        ).WillRepeatedly(Return(fog_addr));
        Debug::setUnitTestFlag(D_COMMUNICATION, Debug::DebugLevel::TRACE);
        Debug::setNewDefaultStdout(&capture_debug);
        messaging_downloader.preload();
        messaging_downloader.init();
    }
    ~MessagingDownloaderServerTest()
    {
        boost::filesystem::remove_all("/tmp/test_download_dir/");
        messaging_downloader.fini();
    }
    bool
    restHandler(const unique_ptr<RestInit> &rest_ptr)
    {
        rest_handler = rest_ptr->getRest();
        return true;
    }
    void
    expectRequestSuccess(
        string &test_file_name,
        string &host,
        string &url,
        string &uuid,
        unsigned int port,
        unsigned int response_port,
        string &success_msg
    )
    {
        EXPECT_CALL(
            mock_ml,
            addOneTimeRoutine(I_MainLoop::RoutineType::RealTime, _, _, false)
        ).WillOnce(DoAll(SaveArg<1>(&downloading_routine), Return(0)));
        EXPECT_CALL(
            mock_msg,
            sendMessage(true, "", I_Messaging::Method::GET, host, port, _, url, _, _, _)
        ).WillOnce(Return(Maybe<string>(string("test_body"))));
        stringstream expected_response;
        expected_response
            << "\n    \"status\": true,"
            << "\n    \"filepath\": \"/tmp/test_download_dir/" << test_file_name << "\"\n}";
        string saved_response;
        EXPECT_CALL(mock_msg, sendMessage(
            false,
            _,
            I_Messaging::Method::POST,
            "127.0.0.1",
            response_port,
            _,
            "/show-download-status",
            _,
            _,
            _
        )).WillOnce(DoAll(SaveArg<1>(&saved_response), Return(Maybe<string>(string()))));
        stringstream is;
        is << "{\"file_name\": \"" <<  test_file_name << "\","
            << "\"response_port\": " << response_port << ","
            << "\"url\": \"" << url << "\","
            << "\"port\": " << port << ","
            << "\"uuid\": \"" << uuid << "\"}";
        rest_handler->performRestCall(is);
        downloading_routine();
        EXPECT_THAT(saved_response, HasSubstr(expected_response.str()));
        EXPECT_THAT(capture_debug.str(), HasSubstr(success_msg));
    }
    unique_ptr<ServerRest> rest_handler;
    ostringstream capture_debug;
    I_MainLoop::Routine downloading_routine;
    MessagingDownloaderServer messaging_downloader;
    NiceMock<MockTimeGet> mock_time;
    StrictMock<MockAgentDetails> mock_agent_details;
    StrictMock<MockMessaging> mock_msg;
    StrictMock<MockRestApi> rest;
    StrictMock<MockMainLoop> mock_ml;
    ::Environment env;
    ConfigComponent conf;
 };
 TEST_F(MessagingDownloaderServerTest, do_nothing)
 {
 }
 TEST_F(MessagingDownloaderServerTest, add_one_secured_request)
 {
    string test_file_name = "test_file_name";
    string host = "test_host";
    string url = "https://test_host/test_url";
    string uuid = "111";
    string success_msg = "Successfully downloaded the file. File name: " + test_file_name;
    unsigned int port = 443;
    unsigned int response_port = 123;
    expectRequestSuccess(test_file_name, host, url, uuid, port, response_port, success_msg);
 }
 TEST_F(MessagingDownloaderServerTest, add_one_non_secured_request)
 {
    string test_file_name = "test_file_name";
    string host = "test_host";
    string url = "http://test_host/test_url";
    string uuid = "111";
    string success_msg = "Successfully downloaded the file. File name: " + test_file_name;
    unsigned int port = 80;
    unsigned int response_port = 123;
    expectRequestSuccess(test_file_name, host, url, uuid, port, response_port, success_msg);
 }
 TEST_F(MessagingDownloaderServerTest, add_multiple_requests)
 {
    string test_file_name1 = "test_file_name1";
    string test_file_name2 = "test_file_name2";
    string host = "test_host";
    string url = "https://test_host/test_url";
    string uuid = "111";
    string success_msg1 = "Successfully downloaded the file. File name: " + test_file_name1;
    string success_msg2 = "Successfully downloaded the file. File name: " + test_file_name2;
    unsigned int port = 443;
    unsigned int response_port = 123;
    expectRequestSuccess(test_file_name1, host, url, uuid, port, response_port, success_msg1);
    expectRequestSuccess(test_file_name2, host, url, uuid, port, response_port, success_msg2);
 }
 TEST_F(MessagingDownloaderServerTest, add_same_request_twice)
 {
    string test_file_name = "test_file_name";
    string host = "test_host";
    string url = "https://test_host/test_url";
    string uuid = "111";
    unsigned int response_port = 123;
    EXPECT_CALL(
        mock_ml,
        addOneTimeRoutine(I_MainLoop::RoutineType::RealTime, _, _, false)
    ).WillOnce(DoAll(SaveArg<1>(&downloading_routine), Return(0)));
    EXPECT_CALL(
        mock_msg,
        sendMessage(true, "", I_Messaging::Method::GET, host, 442, _, url, _, _, _)
    ).WillOnce(Return(Maybe<string>(string("test_body"))));
    stringstream expected_response;
    expected_response
        << "\n    \"status\": true,"
        << "\n    \"filepath\": \"/tmp/test_download_dir/" << test_file_name << "\"\n}";
    string saved_response;
    EXPECT_CALL(mock_msg, sendMessage(
        false,
        _,
        I_Messaging::Method::POST,
        "127.0.0.1",
        response_port,
        _,
        "/show-download-status",
        _,
        _,
        _
    )).WillOnce(DoAll(SaveArg<1>(&saved_response), Return(Maybe<string>(string()))));
    stringstream is;
    is
        << "{\"file_name\": \"" <<  test_file_name << "\","
        << "\"response_port\": " << response_port << ","
        << "\"uuid\": \"" << uuid << "\","
        << "\"port\": 442,"
        << "\"url\": \"" << url << "\"}";
    rest_handler->performRestCall(is);
    rest_handler->doCall();
    downloading_routine();
    EXPECT_THAT(saved_response, HasSubstr(expected_response.str()));
    EXPECT_THAT(
        capture_debug.str(),
        HasSubstr("Failed to download the file. Similar download request already exists.")
    );
 }
 TEST_F(MessagingDownloaderServerTest, add_request_that_fails)
 {
    string test_file_name = "test_file_name";
    string host = "test_host";
    string url = "https://test_host/test_url";
    string uuid = "111";
    unsigned int response_port = 123;
    unsigned int additional_port_test = 123;
    Maybe<string> err = genError("no");
    EXPECT_CALL(
        mock_ml,
        addOneTimeRoutine(I_MainLoop::RoutineType::RealTime, _, _, false)
    ).WillOnce(DoAll(SaveArg<1>(&downloading_routine), Return(0)));
    EXPECT_CALL(
        mock_msg,
        sendMessage(true, "", I_Messaging::Method::GET, host, additional_port_test, _, url, _, _, _)
    ).WillOnce(Return(err));
    stringstream expected_response;
    expected_response
        << "\n    \"status\": false,"
        << "\n    \"error\": \"Failed during the downloading process.\"\n}";
    string saved_response;
    EXPECT_CALL(mock_msg, sendMessage(
        false,
        _,
        I_Messaging::Method::POST,
        "127.0.0.1",
        response_port,
        _,
        "/show-download-status",
        _,
        _,
        _
    )).WillOnce(DoAll(SaveArg<1>(&saved_response), Return(Maybe<string>(string()))));
    stringstream is;
    is
        << "{\"file_name\": \"" <<  test_file_name << "\","
        << "\"response_port\": " << response_port << ","
        << "\"url\": \"" << url << "\","
        << "\"port\": " << additional_port_test << ","
        << "\"uuid\": \"" << uuid << "\"}";
    rest_handler->performRestCall(is);
    downloading_routine();
    EXPECT_THAT(saved_response, HasSubstr(expected_response.str()));
    EXPECT_THAT(capture_debug.str(), HasSubstr("Failed to download file. File name: test_file_name"));
 }
 TEST_F(MessagingDownloaderServerTest, download_with_same_filename)
 {
    string test_file_name = "test_file_name";
    string host = "test_host";
    string url1 = "https://test_host/test_url1";
    string url2 = "https://test_host/test_url2";
    string uuid = "111";
    unsigned int port = 443;
    string success_msg = "Successfully downloaded the file. File name: " + test_file_name;
    unsigned int response_port = 123;
    expectRequestSuccess(test_file_name, host, url1, uuid, port, response_port, success_msg);
    stringstream is;
    is
        << "{\"file_name\": \"" <<  test_file_name << "\","
        << "\"response_port\": " << response_port << ","
        << "\"port\": " << port << ","
        << "\"url\": \"" << url2 << "\"}";
    rest_handler->performRestCall(is);
    EXPECT_THAT(
        capture_debug.str(),
        HasSubstr("The file with the name 'test_file_name' is already exist in the downloading directory")
    );
 }
--- a/components/security_apps/ips/helper_open_source.cc
+++ b/components/security_apps/ips/helper_open_source.cc
@@ -7,6 +7,14 @@ using namespace std;
 namespace IPSHelper
 {
 bool has_deobfuscation = false;
 bool
 hasDeobfuscation()
 {
    return has_deobfuscation;
 }
 string
 deobfuscateString(const string &str)
 {
--- a/components/security_apps/ips/include/helper.h
+++ b/components/security_apps/ips/include/helper.h
@@ -6,6 +6,7 @@
 namespace IPSHelper
 {
 bool hasDeobfuscation();
 std::string deobfuscateString(const std::string &str);
 std::string deobfuscateKeyword(const std::string &str);
--- a/components/security_apps/ips/include/ips_signatures.h
+++ b/components/security_apps/ips/include/ips_signatures.h
@@ -1,54 +1,176 @@
 // Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
 // Licensed under the Apache License, Version 2.0 (the "License");
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 /// \file ips_signatures.h
 /// \brief Declaration of classes IPSSignatureSubTypes, IPSSignaturesPerContext, IPSSignatures, SnortSignatures, and
 /// related functions. \author Check Point Software Technologies Ltd. \date 2022
 #ifndef __IPS_SIGNATURES_H__
 #define __IPS_SIGNATURES_H__
 #include <vector>
 #include "config.h"
 #include "parsed_context.h"
 #include "log_generator.h"
 #include "pm_hook.h"
 #include "ips_enums.h"
 #include "ips_entry.h"
 #include "i_first_tier_agg.h"
 #include "ips_entry.h"
 #include "ips_enums.h"
 #include "log_generator.h"
 #include "parsed_context.h"
 #include "pm_hook.h"
 /// \namespace IPSSignatureSubTypes
 /// \brief Namespace containing subtypes for IPS signatures.
 namespace IPSSignatureSubTypes
 {
 using ActionResults = std::tuple<IPSSignatureSubTypes::SignatureAction, std::string, std::vector<std::string>>;
 /// \class BaseSignature
 /// \brief Represents the base signature class.
 class BaseSignature
 {
 public:
-    enum class MatchType { NO_MATCH, CACHE_MATCH, MATCH };
+    /// \enum MatchType
    /// \brief Enumerates the types of matches for BaseSignature.
    enum class MatchType
    {
        NO_MATCH,
        CACHE_MATCH,
        MATCH
    };
-    virtual const std::string & getSigId() const = 0;
+    /// \brief Get the ID of the signature.
    virtual const std::string &getSigId() const = 0;
    /// \brief Get the match type for the signature.
    /// \param matched The set of patterns that matched.
    virtual MatchType getMatch(const std::set<PMPattern> &matched) const = 0;
    /// \brief Get the set of patterns in the signature.
    virtual std::set<PMPattern> patternsInSignature() const = 0;
-    virtual const std::vector<std::string> & getContext() const = 0;
+
    /// \brief Get the context of the signature.
    virtual const std::vector<std::string> &getContext() const = 0;
 };
 /// \class IPSSignatureMetaData
 /// \brief Represents the metadata for an IPS signature.
 class IPSSignatureMetaData
 {
 public:
    /// \brief Load the metadata from a JSON archive.
    /// \param ar The JSON input archive.
    void load(cereal::JSONInputArchive &ar);
    /// \brief Set the indicators for the metadata.
    /// \param source The source indicator.
    /// \param version The version indicator.
    void setIndicators(const std::string &source, const std::string &version);
-    const std::string & getId()                   const { return protection_id; }
+    /// \brief Get the ID of the signature.
-    const std::string & getName()                 const { return sig_name; }
+    const std::string &
-    const std::string & getUpdateVersion()        const { return update; }
+    getId() const
-    const std::string & getLogTitle()             const { return event_log; }
+    {
-    const std::string & getSource()               const { return source; }
+        return protection_id;
-    const std::string & getFeedVersion()          const { return version; }
+    }
-    const std::vector<std::string> & getCveList() const { return cve_list; }
+
-    IPSLevel getSeverity()                        const { return severity; }
+    /// \brief Get the name of the signature.
-    std::string getSeverityString()               const;
+    const std::string &
-    IPSLevel getConfidence()                      const { return confidence; }
+    getName() const
-    std::string getConfidenceString()             const;
+    {
-    IPSLevel getPerformance()                     const { return performance; }
+        return sig_name;
-    std::string getPerformanceString()            const;
+    }
-    bool isSilent()                               const { return is_silent; }
+
-    std::string getIncidentType()                 const;
+    /// \brief Get the update version of the signature.
-    bool isYearAtLeast(const Maybe<int> &year)    const;
+    const std::string &
-    Maybe<int> getYear()                          const;
+    getUpdateVersion() const
    {
        return update;
    }
    /// \brief Get the log title of the signature.
    const std::string &
    getLogTitle() const
    {
        return event_log;
    }
    /// \brief Get the source indicator of the signature.
    const std::string &
    getSource() const
    {
        return source;
    }
    /// \brief Get the feed version of the signature.
    const std::string &
    getFeedVersion() const
    {
        return version;
    }
    /// \brief Get the CVE list of the signature.
    const std::vector<std::string> &
    getCveList() const
    {
        return cve_list;
    }
    /// \brief Get the severity level of the signature.
    IPSLevel
    getSeverity() const
    {
        return severity;
    }
    /// \brief Get the severity level as a string of the signature.
    std::string getSeverityString() const;
    /// \brief Get the confidence level of the signature.
    IPSLevel
    getConfidence() const
    {
        return confidence;
    }
    /// \brief Get the confidence level as a string of the signature.
    std::string getConfidenceString() const;
    /// \brief Get the performance level of the signature.
    IPSLevel
    getPerformance() const
    {
        return performance;
    }
    /// \brief Get the performance level as a string of the signature.
    std::string getPerformanceString() const;
    /// \brief Check if the signature is silent.
    bool
    isSilent() const
    {
        return is_silent;
    }
    /// \brief Get the incident type of the signature.
    std::string getIncidentType() const;
    /// \brief Check if the signature is from a specific year or later.
    /// \param year The year to compare with.
    bool isYearAtLeast(const Maybe<int> &year) const;
    /// \brief Get the year of the signature.
    Maybe<int> getYear() const;
 private:
    std::string protection_id;
@@ -65,69 +187,224 @@ private:
    bool is_silent = false;
 };
 /// \class CompleteSignature
 /// \brief Represents a complete signature.
 class CompleteSignature
 {
 public:
    /// \brief Load the complete signature from a JSON archive.
    /// \param ar The JSON input archive.
    void load(cereal::JSONInputArchive &ar);
    /// \brief Get the match type for the signature.
    /// \param matches The set of patterns that matched.
    BaseSignature::MatchType getMatch(const std::set<PMPattern> &matches) const;
    /// \brief Get the set of patterns in the signature.
    std::set<PMPattern> patternsInSignature() const;
    /// \brief Set the indicators for the complete signature.
    /// \param source The source indicator.
    /// \param version The version indicator.
    void setIndicators(const std::string &source, const std::string &version);
-    const std::vector<std::string> & getContext() const { return rule->getContext(); }
+    /// \brief Get the context of the signature.
-    const std::string & getId()                   const { return metadata.getId(); }
+    const std::vector<std::string> &
-    const std::string & getLogTitle()             const { return metadata.getLogTitle(); }
+    getContext() const
-    const std::string & getName()                 const { return metadata.getName(); }
+    {
-    const std::string & getUpdateVersion()        const { return metadata.getUpdateVersion(); }
+        return rule->getContext();
-    const std::string & getSource()               const { return metadata.getSource(); }
+    }
    const std::string & getFeedVersion()          const { return metadata.getFeedVersion(); }
    const std::vector<std::string> & getCveList() const { return metadata.getCveList(); }
    IPSLevel getSeverity()                        const { return metadata.getSeverity(); }
    std::string getSeverityString()               const { return metadata.getSeverityString(); }
    IPSLevel getConfidence()                      const { return metadata.getConfidence(); }
    std::string getConfidenceString()             const { return metadata.getConfidenceString(); }
    IPSLevel getPerformance()                     const { return metadata.getPerformance(); }
    std::string getPerformanceString()            const { return metadata.getPerformanceString(); }
    bool isSilent()                               const { return metadata.isSilent(); }
    std::string getIncidentType()                 const { return metadata.getIncidentType(); }
-    bool isYearAtLeast(const Maybe<int> &year)    const { return metadata.isYearAtLeast(year); }
+    /// \brief Get the ID of the signature.
-    Maybe<int> getYear()                          const { return metadata.getYear(); }
+    const std::string &
    getId() const
    {
        return metadata.getId();
    }
    /// \brief Get the log title of the signature.
    const std::string &
    getLogTitle() const
    {
        return metadata.getLogTitle();
    }
    /// \brief Get the name of the signature.
    const std::string &
    getName() const
    {
        return metadata.getName();
    }
    /// \brief Get the update version of the signature.
    const std::string &
    getUpdateVersion() const
    {
        return metadata.getUpdateVersion();
    }
    /// \brief Get the source indicator of the signature.
    const std::string &
    getSource() const
    {
        return metadata.getSource();
    }
    /// \brief Get the feed version of the signature.
    const std::string &
    getFeedVersion() const
    {
        return metadata.getFeedVersion();
    }
    /// \brief Get the CVE list of the signature.
    const std::vector<std::string> &
    getCveList() const
    {
        return metadata.getCveList();
    }
    /// \brief Get the severity level of the signature.
    IPSLevel
    getSeverity() const
    {
        return metadata.getSeverity();
    }
    /// \brief Get the severity level as a string of the signature.
    std::string
    getSeverityString() const
    {
        return metadata.getSeverityString();
    }
    /// \brief Get the confidence level of the signature.
    IPSLevel
    getConfidence() const
    {
        return metadata.getConfidence();
    }
    /// \brief Get the confidence level as a string of the signature.
    std::string
    getConfidenceString() const
    {
        return metadata.getConfidenceString();
    }
    /// \brief Get the performance level of the signature.
    IPSLevel
    getPerformance() const
    {
        return metadata.getPerformance();
    }
    /// \brief Get the performance level as a string of the signature.
    std::string
    getPerformanceString() const
    {
        return metadata.getPerformanceString();
    }
    /// \brief Check if the signature is silent.
    bool
    isSilent() const
    {
        return metadata.isSilent();
    }
    /// \brief Get the incident type of the signature.
    std::string
    getIncidentType() const
    {
        return metadata.getIncidentType();
    }
    /// \brief Check if the signature is from a specific year or later.
    /// \param year The year to compare with.
    bool
    isYearAtLeast(const Maybe<int> &year) const
    {
        return metadata.isYearAtLeast(year);
    }
    /// \brief Get the year of the signature.
    Maybe<int>
    getYear() const
    {
        return metadata.getYear();
    }
 private:
    IPSSignatureMetaData metadata;
    std::shared_ptr<BaseSignature> rule;
 };
 /// \class SignatureAndAction
 /// \brief Represents a signature and its associated action.
 class SignatureAndAction
 {
 public:
-    SignatureAndAction(std::shared_ptr<CompleteSignature> _signature, SignatureAction _action)
+    /// \brief Construct a SignatureAndAction object.
-            :
+    /// \param _signature The complete signature.
-        signature(_signature),
+    /// \param _action The signature action.
-        action(_action)
+    SignatureAndAction(std::shared_ptr<CompleteSignature> _signature, SignatureAction _action) :
        signature(_signature), action(_action)
    {}
    /// \brief Check if the signature is matched for prevention.
    /// \param context_buffer The context buffer.
    /// \param pattern The set of patterns to match.
    bool isMatchedPrevent(const Buffer &context_buffer, const std::set<PMPattern> &pattern) const;
    /// \brief Check if the signature is matched silently.
    /// \param context_buffer The context buffer.
    bool matchSilent(const Buffer &context_buffer) const;
    /// \brief Get the set of patterns in the signature.
    std::set<PMPattern>
    patternsInSignature() const
    {
        return signature->patternsInSignature();
    }
-    bool isMatchedPrevent(const Buffer &context_buffer, const std::set<PMPattern> &pattern) const;
+    /// \brief Get the context of the signature.
-    bool matchSilent(const Buffer &context_buffer) const;
+    const std::vector<std::string> &
-    std::set<PMPattern> patternsInSignature() const { return signature->patternsInSignature(); }
+    getContext() const
-    const std::vector<std::string> & getContext() const { return signature->getContext(); }
+    {
        return signature->getContext();
    }
 private:
    /// \brief Get the action results for the IPS state.
    /// \param ips_state The IPS entry.
    ActionResults getAction(const IPSEntry &ips_state) const;
    std::shared_ptr<CompleteSignature> signature;
    SignatureAction action;
 };
-} // IPSSignatureSubTypes
+} // namespace IPSSignatureSubTypes
 /// \class IPSSignaturesPerContext
 /// \brief Represents IPS signatures per context.
 class IPSSignaturesPerContext : public Singleton::Consume<I_FirstTierAgg>
 {
 public:
    /// \brief Add a signature to the context.
    /// \param sig The signature and its associated action.
    void addSignature(const IPSSignatureSubTypes::SignatureAndAction &sig);
    /// \brief Check if the context is matched for prevention.
    /// \param context_buffer The context buffer.
    bool isMatchedPrevent(const Buffer &context_buffer) const;
    /// \brief Calculate the first tier for the given context name.
    /// \param ctx_name The context name.
    void calcFirstTier(const std::string &ctx_name);
 private:
    /// \brief Get the first tier matches for the buffer.
    /// \param buffer The buffer to match.
    std::set<PMPattern> getFirstTierMatches(const Buffer &buffer) const;
    std::map<PMPattern, std::vector<IPSSignatureSubTypes::SignatureAndAction>> signatures_per_lss;
@@ -135,11 +412,17 @@ private:
    std::shared_ptr<PMHook> first_tier;
 };
 /// \class IPSSignaturesResource
 /// \brief Represents IPS signatures resource.
 class IPSSignaturesResource
 {
 public:
    /// \brief Load the IPS signatures resource from a JSON archive.
    /// \param ar The JSON input archive.
    void load(cereal::JSONInputArchive &ar);
    /// \brief Get all the signatures.
    /// \return A vector of shared pointers to CompleteSignature.
    const std::vector<std::shared_ptr<IPSSignatureSubTypes::CompleteSignature>> &
    getSignatures() const
    {
@@ -150,11 +433,26 @@ private:
    std::vector<std::shared_ptr<IPSSignatureSubTypes::CompleteSignature>> all_signatures;
 };
 /// \class SnortSignaturesResourceFile
 /// \brief Represents Snort signatures resource file.
 class SnortSignaturesResourceFile
 {
 public:
    /// \brief Load the Snort signatures resource file from a JSON archive.
    /// \param ar The JSON input archive.
    void load(cereal::JSONInputArchive &ar);
-    bool isFile(const std::string &file_name) const { return file_name == name; }
+
    /// \brief Check if the file name matches.
    /// \param file_name The name of the file.
    /// \return True if the file name matches, otherwise false.
    bool
    isFile(const std::string &file_name) const
    {
        return file_name == name;
    }
    /// \brief Get all the signatures.
    /// \return A vector of shared pointers to CompleteSignature.
    const std::vector<std::shared_ptr<IPSSignatureSubTypes::CompleteSignature>> &
    getSignatures() const
    {
@@ -166,11 +464,18 @@ private:
    std::vector<std::shared_ptr<IPSSignatureSubTypes::CompleteSignature>> all_signatures;
 };
 /// \class SnortSignaturesResource
 /// \brief Represents Snort signatures resource.
 class SnortSignaturesResource
 {
 public:
    /// \brief Load the Snort signatures resource from a JSON archive.
    /// \param ar The JSON input archive.
    void load(cereal::JSONInputArchive &ar);
    /// \brief Get all the signatures for the given file name.
    /// \param file_name The name of the file.
    /// \return A vector of shared pointers to CompleteSignature.
    const std::vector<std::shared_ptr<IPSSignatureSubTypes::CompleteSignature>> &
    getSignatures(const std::string &file_name) const
    {
@@ -185,21 +490,74 @@ private:
    std::vector<SnortSignaturesResourceFile> files;
 };
 /// \class IPSSignatures
 /// \brief Represents IPS signatures.
 class IPSSignatures
 {
    std::set<PMPattern> getFirstTier(const ParsedContext &context);
 public:
    /// \brief Load the IPS signatures from a JSON archive.
    /// \param ar The JSON input archive.
    void load(cereal::JSONInputArchive &ar);
    /// \brief Check if the context is matched for prevention.
    /// \param context_name The name of the context.
    /// \param context_buffer The context buffer.
    bool isMatchedPrevent(const std::string &context_name, const Buffer &context_buffer) const;
-    bool isEmpty() const { return signatures_per_context.empty(); }
+
    /// \brief Check if the IPS signatures are empty.
    /// \return True if the signatures are empty, otherwise false.
    bool
    isEmpty() const
    {
        return signatures_per_context.empty();
    }
    /// \brief Check if the IPS signatures for the given context are empty.
    /// \param context The name of the context.
    /// \return True if the signatures for the context are empty, otherwise false.
    bool isEmpty(const std::string &context) const;
-    const std::string & getAsset() const { return asset_name; }
+    /// \brief Get the asset name.
-    const std::string & getAssetId() const { return asset_id; }
+    /// \return The asset name.
-    const std::string & getPractice() const { return practice_name; }
+    const std::string &
-    const std::string & getPracticeId() const { return practice_id; }
+    getAsset() const
-    const std::string & getSourceIdentifier() const { return source_id; }
+    {
        return asset_name;
    }
    /// \brief Get the asset ID.
    /// \return The asset ID.
    const std::string &
    getAssetId() const
    {
        return asset_id;
    }
    /// \brief Get the practice name.
    /// \return The practice name.
    const std::string &
    getPractice() const
    {
        return practice_name;
    }
    /// \brief Get the practice ID.
    /// \return The practice ID.
    const std::string &
    getPracticeId() const
    {
        return practice_id;
    }
    /// \brief Get the source identifier.
    /// \return The source identifier.
    const std::string &
    getSourceIdentifier() const
    {
        return source_id;
    }
 private:
    std::map<std::string, IPSSignaturesPerContext> signatures_per_context;
@@ -210,21 +568,74 @@ private:
    std::string source_id;
 };
 /// \class SnortSignatures
 /// \brief Represents Snort signatures.
 class SnortSignatures
 {
    std::set<PMPattern> getFirstTier(const ParsedContext &context);
 public:
    /// \brief Load the Snort signatures from a JSON archive.
    /// \param ar The JSON input archive.
    void load(cereal::JSONInputArchive &ar);
    /// \brief Check if the context is matched for prevention.
    /// \param context_name The name of the context.
    /// \param context_buffer The context buffer.
    bool isMatchedPrevent(const std::string &context_name, const Buffer &context_buffer) const;
-    bool isEmpty() const { return signatures_per_context.empty(); }
+
    /// \brief Check if the Snort signatures are empty.
    /// \return True if the signatures are empty, otherwise false.
    bool
    isEmpty() const
    {
        return signatures_per_context.empty();
    }
    /// \brief Check if the Snort signatures for the given context are empty.
    /// \param context The name of the context.
    /// \return True if the signatures for the context are empty, otherwise false.
    bool isEmpty(const std::string &context) const;
-    const std::string & getAsset() const { return asset_name; }
+    /// \brief Get the asset name.
-    const std::string & getAssetId() const { return asset_id; }
+    /// \return The asset name.
-    const std::string & getPractice() const { return practice_name; }
+    const std::string &
-    const std::string & getPracticeId() const { return practice_id; }
+    getAsset() const
-    const std::string & getSourceIdentifier() const { return source_id; }
+    {
        return asset_name;
    }
    /// \brief Get the asset ID.
    /// \return The asset ID.
    const std::string &
    getAssetId() const
    {
        return asset_id;
    }
    /// \brief Get the practice name.
    /// \return The practice name.
    const std::string &
    getPractice() const
    {
        return practice_name;
    }
    /// \brief Get the practice ID.
    /// \return The practice ID.
    const std::string &
    getPracticeId() const
    {
        return practice_id;
    }
    /// \brief Get the source identifier.
    /// \return The source identifier.
    const std::string &
    getSourceIdentifier() const
    {
        return source_id;
    }
 private:
    std::map<std::string, IPSSignaturesPerContext> signatures_per_context;
--- a/components/security_apps/ips/ips_basic_policy.cc
+++ b/components/security_apps/ips/ips_basic_policy.cc
@@ -25,6 +25,8 @@ RuleSelector::selectSignatures() const
 {
    vector<IPSSignatureSubTypes::SignatureAndAction> res;
    if (!IPSHelper::hasDeobfuscation()) return res;
    auto all_signatures = getResource<IPSSignaturesResource>("IPS", "protections");
    if (!all_signatures.ok()) return res;
    auto signatures_version = getResourceWithDefault<string>("", "IPS", "VersionId");
--- a/components/security_apps/ips/ips_signatures.cc
+++ b/components/security_apps/ips/ips_signatures.cc
@@ -23,6 +23,8 @@ using namespace ReportIS;
 using namespace std;
 using MatchType = BaseSignature::MatchType;
 static const LogTriggerConf default_triger;
 static const map<IPSLevel, Severity> severities = {
    { IPSLevel::CRITICAL,   Severity::CRITICAL },
    { IPSLevel::HIGH,        Severity::HIGH },
@@ -396,7 +398,7 @@ SignatureAndAction::isMatchedPrevent(const Buffer &context_buffer, const set<PMP
    dbgDebug(D_IPS) << "Signature matched - sending log";
-    auto &trigger = getConfigurationWithDefault(LogTriggerConf(), "rulebase", "log");
+    auto &trigger = getConfigurationWithDefault(default_triger, "rulebase", "log");
    bool is_prevent = get<0>(override_action) == IPSSignatureSubTypes::SignatureAction::PREVENT;
    auto severity = signature->getSeverity() < IPSLevel::HIGH ? Severity::HIGH : Severity::CRITICAL;
@@ -505,6 +507,8 @@ SignatureAndAction::isMatchedPrevent(const Buffer &context_buffer, const set<PMP
 void
 IPSSignaturesResource::load(cereal::JSONInputArchive &ar)
 {
    if (!IPSHelper::hasDeobfuscation()) return;
    vector<CompleteSignature> sigs;
    cereal::load(ar, sigs);
--- a/components/security_apps/ips/ips_ut/signatures_ut.cc
+++ b/components/security_apps/ips/ips_ut/signatures_ut.cc
@@ -23,6 +23,11 @@
 using namespace testing;
 using namespace std;
 namespace IPSHelper
 {
 extern bool has_deobfuscation;
 } // namespace IPSHelper
 MATCHER_P(IsLog, IteratableFields, "")
 {
    stringstream ss;
@@ -53,6 +58,7 @@ class SignatureTest : public Test
 public:
    SignatureTest()
    {
        IPSHelper::has_deobfuscation = true;
        generic_rulebase.preload();
        EXPECT_CALL(logs, getCurrentLogId()).Times(AnyNumber());
        ON_CALL(table, getState(_)).WillByDefault(Return(&ips_state));
--- a/components/security_apps/layer_7_access_control/layer_7_access_control.cc
+++ b/components/security_apps/layer_7_access_control/layer_7_access_control.cc
@@ -278,7 +278,8 @@ Layer7AccessControl::Impl::generateLog(const string &source_ip, const Intelligen
        << genLogIPField("destinationIP", HttpTransactionData::listening_ip_ctx)
        << LogField("securityAction", security_action)
        << LogField("sourceIP", source_ip)
-        << LogField("externalVendorName", "crowdsec")
+        << LogField("externalVendorName", "CrowdSec")
        << LogField("waapIncidentType", "CrowdSec")
        << ip_reputation.getCrowdsecEventId()
        << ip_reputation.getType()
        << ip_reputation.getOrigin()
--- a/components/security_apps/layer_7_access_control/layer_7_access_control_ut/layer_7_access_control_ut.cc
+++ b/components/security_apps/layer_7_access_control/layer_7_access_control_ut/layer_7_access_control_ut.cc
@@ -7,6 +7,7 @@
 #include "mock/mock_http_manager.h"
 #include "mock/mock_logging.h"
 #include "mock/mock_messaging.h"
 #include "mock/mock_rest_api.h"
 #include "intelligence_comp_v2.h"
 #include "agent_details.h"
@@ -27,6 +28,7 @@ public:
        EXPECT_CALL(mock_time, getMonotonicTime()).WillRepeatedly(Return(chrono::seconds(60)));
        EXPECT_CALL(mock_ml, doesRoutineExist(_)).WillRepeatedly(Return(true));
        EXPECT_CALL(mock_ml, stop(_)).WillRepeatedly(Return());
        EXPECT_CALL(mock_ml, addRecurringRoutine(_, _, _, "Sending intelligence invalidation", _));
        env.preload();
        env.init();
        config.preload();
@@ -57,6 +59,7 @@ public:
    StrictMock<MockTimeGet>     mock_time;
    StrictMock<MockMainLoop>    mock_ml;
    StrictMock<MockMessaging>   messaging_mock;
    NiceMock<MockRestApi>       mock_rest;
    AgentDetails                agent_details;
    IntelligenceComponentV2     intelligence_comp;
    Context ctx;
@@ -243,7 +246,8 @@ Layer7AccessControlTest::verifyReport(
    EXPECT_THAT(log, HasSubstr("\"httpMethod\": \"POST\""));
    EXPECT_THAT(log, HasSubstr("\"ipProtocol\": \"http\""));
    EXPECT_THAT(log, HasSubstr("\"destinationIP\": \"5.6.7.8\""));
-    EXPECT_THAT(log, HasSubstr("\"externalVendorName\": \"crowdsec\""));
+    EXPECT_THAT(log, HasSubstr("\"externalVendorName\": \"CrowdSec\""));
    EXPECT_THAT(log, HasSubstr("\"waapIncidentType\": \"CrowdSec\""));
    EXPECT_THAT(log, HasSubstr("\"externalVendorRecommendationId\": 2253734"));
    EXPECT_THAT(log, HasSubstr("\"externalVendorRecommendedAction\": \"ban\""));
    EXPECT_THAT(log, HasSubstr("\"externalVendorRecommendationOrigin\": \"cscli\""));
--- a/components/security_apps/orchestration/CMakeLists.txt
+++ b/components/security_apps/orchestration/CMakeLists.txt
@@ -15,4 +15,4 @@ add_subdirectory(health_check)
 add_subdirectory(local_policy_mgmt_gen)
 add_subdirectory(env_details)
-add_subdirectory(orchestration_ut)
+#add_subdirectory(orchestration_ut)
--- a/components/security_apps/orchestration/details_resolver/details_resolver.cc
+++ b/components/security_apps/orchestration/details_resolver/details_resolver.cc
@@ -131,7 +131,7 @@ DetailsResolver::Impl::isReverseProxy()
        return is_reverse_proxy.unpack().front() == '1';
    }
 #endif
-    return false;
+    return getenv("DOCKER_RPM_ENABLED") && getenv("DOCKER_RPM_ENABLED") == string("true");
 }
 bool
--- a/components/security_apps/orchestration/details_resolver/details_resolver_handlers/checkpoint_product_handlers.h
+++ b/components/security_apps/orchestration/details_resolver/details_resolver_handlers/checkpoint_product_handlers.h
@@ -70,6 +70,14 @@ checkHasSDWan(const string &command_output)
    return genError("Current host does not have SDWAN capability");
 }
 Maybe<string>
 checkCanUpdateSDWanData(const string &command_output)
 {
    if (command_output == "true" || command_output == "false") return command_output;
    return string("true");
 }
 Maybe<string>
 getMgmtObjType(const string &command_output)
 {
@@ -117,44 +125,62 @@ getMgmtObjName(shared_ptr<istream> file_stream)
 }
 Maybe<string>
-getGWIPAddress(shared_ptr<istream> file_stream)
+getGWHardware(const string &command_output)
 {
-    return getMgmtObjAttr(file_stream, "ipaddr ");
+    if (!command_output.empty()) {
-}
+        if (command_output == "software") return string("Open server");
-
+        if (command_output == "Maestro Gateway") return string("Maestro");
-Maybe<string>
+        return string(command_output);
 getGWHardware(shared_ptr<istream> file_stream)
 {
    Maybe<string> val = getMgmtObjAttr(file_stream, "appliance_type ");
    if(val.ok()) {
        if (val == string("software")) return string("Open server");
        if (val == string("Maestro Gateway")) return string("Maestro");
    }
-    return val;
+    return genError("GW Hardware was not found");
 }
 Maybe<string>
-getGWApplicationControlBlade(shared_ptr<istream> file_stream)
+getAttr(const string &command_output, const string &error)
 {
-    return getMgmtObjAttr(file_stream, "application_firewall_blade ");
+    if (!command_output.empty()) {
        return string(command_output);
    }
    return genError(error);
 }
 Maybe<string>
-getGWURLFilteringBlade(shared_ptr<istream> file_stream)
+getGWApplicationControlBlade(const string &command_output)
 {
-    return getMgmtObjAttr(file_stream, "advanced_uf_blade ");
+    return getAttr(command_output, "Application Control Blade was not found");
 }
 Maybe<string>
-getGWIPSecVPNBlade(shared_ptr<istream> file_stream)
+getGWURLFilteringBlade(const string &command_output)
 {
-    return getMgmtObjAttr(file_stream, "VPN_1 ");
+    return getAttr(command_output, "URL Filtering Blade was not found");
 }
 Maybe<string>
-getGWVersion(shared_ptr<istream> file_stream)
+getGWIPSecVPNBlade(const string &command_output)
 {
-    return getMgmtObjAttr(file_stream, "svn_version_name ");
+    return getAttr(command_output, "IPSec VPN Blade was not found");
 }
 Maybe<string>
 getGWIPAddress(const string &command_output)
 {
    return getAttr(command_output, "IP Address was not found");
 }
 Maybe<string>
 getGWVersion(const string &command_output)
 {
    return getAttr(command_output, "GW Version was not found");
 }
 Maybe<string>
 checkIfSdwanRunning(const string &command_output)
 {
    if (command_output == "true" || command_output == "false") return command_output;
    return genError("Could not determine if sd-wan is running or not");
 }
 Maybe<string>
@@ -174,6 +200,33 @@ getSmbObjectName(const string &command_output)
    return getMgmtObjAttr(ifs, "name ");
 }
 Maybe<string>
 getSmbBlade(const string &command_output, const string &error)
 {
    if (command_output.front() == '1') return string("installed");
    if (command_output.front() == '0') return string("not-installed");
    return genError(error);
 }
 Maybe<string>
 getSmbGWApplicationControlBlade(const string &command_output)
 {
    return getSmbBlade(command_output, "Application Control Blade was not found");
 }
 Maybe<string>
 getSmbGWURLFilteringBlade(const string &command_output)
 {
    return getSmbBlade(command_output, "URL Filterin Blade was not found");
 }
 Maybe<string>
 getSmbGWIPSecVPNBlade(const string &command_output)
 {
    return getSmbBlade(command_output, "IPSec VPN Blade was not found");
 }
 Maybe<string>
 getMgmtParentObjAttr(shared_ptr<istream> file_stream, const string &parent_obj, const string &attr)
 {
--- a/components/security_apps/orchestration/details_resolver/details_resolver_handlers/details_resolver_impl.h
+++ b/components/security_apps/orchestration/details_resolver/details_resolver_handlers/details_resolver_impl.h
@@ -31,11 +31,50 @@
 #if defined(gaia) || defined(smb)
 SHELL_CMD_HANDLER("cpProductIntegrationMgmtObjectType", "cpprod_util CPPROD_IsMgmtMachine", getMgmtObjType)
 SHELL_CMD_HANDLER("hasSDWan", "[ -f $FWDIR/bin/sdwan_steering ] && echo '1' || echo '0'", checkHasSDWan)
 SHELL_CMD_HANDLER(
    "canUpdateSDWanData",
    "CPSDWAN_NOLOGS=1 cpsdwan get_data -f can_update_sdwan_data | jq -r .can_update_sdwan_data",
    checkCanUpdateSDWanData
 )
 SHELL_CMD_HANDLER(
    "isSdwanRunning",
    "[ -v $(pidof cp-nano-sdwan) ] && echo 'false' || echo 'true'",
    checkIfSdwanRunning)
 SHELL_CMD_HANDLER(
    "IP Address",
    "cpsdwan get_data | jq -r .main_ip",
    getGWIPAddress
 )
 SHELL_CMD_HANDLER(
    "Version",
    "cat /etc/cp-release | grep -oE 'R[0-9]+(\\.[0-9]+)?'",
    getGWVersion
 )
 #endif //gaia || smb
 #if defined(gaia)
 SHELL_CMD_HANDLER("hasSupportedBlade", "enabled_blades", checkHasSupportedBlade)
 SHELL_CMD_HANDLER("hasSamlPortal", "mpclient status saml-vpn", checkSamlPortal)
 SHELL_CMD_HANDLER(
    "Hardware",
    "cat $FWDIR/database/myself_objects.C | awk -F '[:()]' '/:appliance_type/ {print $3}' | head -n 1",
    getGWHardware
 )
 SHELL_CMD_HANDLER(
    "Application Control",
    "cat $FWDIR/database/myself_objects.C | awk -F '[:()]' '/:application_firewall_blade/ {print $3}' | head -n 1",
    getGWApplicationControlBlade
 )
 SHELL_CMD_HANDLER(
    "URL Filtering",
    "cat $FWDIR/database/myself_objects.C | awk -F '[:()]' '/:advanced_uf_blade/ {print $3}' | head -n 1",
    getGWURLFilteringBlade
 )
 SHELL_CMD_HANDLER(
    "IPSec VPN",
    "cat $FWDIR/database/myself_objects.C | awk -F '[:()]' '/:VPN_1/ {print $3}' | head -n 1",
    getGWIPSecVPNBlade
 )
 #endif //gaia
 #if defined(smb)
@@ -54,6 +93,21 @@ SHELL_CMD_HANDLER(
    "cpprod_util FwIsLocalMgmt",
    getSmbObjectName
 )
 SHELL_CMD_HANDLER(
    "Application Control",
    "cat $FWDIR/conf/active_blades.txt | grep -o 'APCL [01]' | cut -d ' ' -f2",
    getSmbGWApplicationControlBlade
 )
 SHELL_CMD_HANDLER(
    "URL Filtering",
    "cat $FWDIR/conf/active_blades.txt | grep -o 'URLF [01]' | cut -d ' ' -f2",
    getSmbGWURLFilteringBlade
 )
 SHELL_CMD_HANDLER(
    "IPSec VPN",
    "cat $FWDIR/conf/active_blades.txt | grep -o 'IPS [01]' | cut -d ' ' -f2",
    getSmbGWIPSecVPNBlade
 )
 #endif//smb
 SHELL_CMD_OUTPUT("kernel_version", "uname -r")
@@ -68,17 +122,6 @@ SHELL_CMD_OUTPUT("helloWorld", "cat /tmp/agentHelloWorld 2>/dev/null")
 #if defined(gaia)
 FILE_CONTENT_HANDLER("hasIdpConfigured", "/opt/CPSamlPortal/phpincs/spPortal/idpPolicy.xml", checkIDP)
 FILE_CONTENT_HANDLER(
    "cpProductIntegrationMgmtParentObjectUid",
    (getenv("FWDIR") ? string(getenv("FWDIR")) : "") + "/database/myself_objects.C",
    getMgmtParentObjUid
 )
 FILE_CONTENT_HANDLER(
    "cpProductIntegrationMgmtParentObjectName",
    (getenv("FWDIR") ? string(getenv("FWDIR")) : "") + "/database/myself_objects.C",
    getMgmtParentObjName
 )
 FILE_CONTENT_HANDLER(
    "cpProductIntegrationMgmtObjectName",
    (getenv("FWDIR") ? string(getenv("FWDIR")) : "") + "/database/myown.C",
@@ -96,37 +139,6 @@ FILE_CONTENT_HANDLER(
    (getenv("FWDIR") ? string(getenv("FWDIR")) : "") + "/database/myown.C",
    getMgmtObjUid
 )
 FILE_CONTENT_HANDLER(
    "IP Address",
    (getenv("FWDIR") ? string(getenv("FWDIR")) : "") + "/database/myself_objects.C",
    getGWIPAddress
 )
 FILE_CONTENT_HANDLER(
    "Hardware",
    (getenv("FWDIR") ? string(getenv("FWDIR")) : "") + "/database/myself_objects.C",
    getGWHardware
 )
 FILE_CONTENT_HANDLER(
    "Application Control",
    (getenv("FWDIR") ? string(getenv("FWDIR")) : "") + "/database/myself_objects.C",
    getGWApplicationControlBlade
 )
 FILE_CONTENT_HANDLER(
    "URL Filtering",
    (getenv("FWDIR") ? string(getenv("FWDIR")) : "") + "/database/myself_objects.C",
    getGWURLFilteringBlade
 )
 FILE_CONTENT_HANDLER(
    "IPSec VPN",
    (getenv("FWDIR") ? string(getenv("FWDIR")) : "") + "/database/myself_objects.C",
    getGWIPSecVPNBlade
 )
 FILE_CONTENT_HANDLER(
    "Version",
    (getenv("FWDIR") ? string(getenv("FWDIR")) : "") + "/database/myself_objects.C",
    getGWVersion
 )
 #else // !(gaia || smb)
 FILE_CONTENT_HANDLER("os_release", "/etc/os-release", getOsRelease)
 #endif // gaia || smb
--- a/components/security_apps/orchestration/downloader/CMakeLists.txt
+++ b/components/security_apps/orchestration/downloader/CMakeLists.txt
@@ -2,4 +2,4 @@ ADD_DEFINITIONS(-Wno-deprecated-declarations -Dalpine)
 add_library(orchestration_downloader curl_client.cc downloader.cc http_client.cc https_client.cc)
-add_subdirectory(downloader_ut)
+#add_subdirectory(downloader_ut)
--- a/components/security_apps/orchestration/downloader/http_client.cc
+++ b/components/security_apps/orchestration/downloader/http_client.cc
@@ -179,14 +179,13 @@ private:
 Maybe<void>
 HTTPClient::getFile(const URLParser &url, ofstream &out_file, bool auth_required)
 {
-    auto message = Singleton::Consume<I_Messaging>::by<HTTPClient>();
+    auto proxy_config = Singleton::Consume<I_ProxyConfiguration>::by<HTTPClient>();
-    auto load_env_proxy = message->loadProxy();
+    auto load_env_proxy = proxy_config->loadProxy();
    if (!load_env_proxy.ok()) return load_env_proxy;
    string token = "";
    if (auth_required) {
-        auto message = Singleton::Consume<I_Messaging>::by<HTTPClient>();
+        token = Singleton::Consume<I_AgentDetails>::by<HTTPClient>()->getAccessToken();
        token = message->getAccessToken();
    }
    if (url.isOverSSL()) {
@@ -214,15 +213,15 @@ Maybe<void>
 HTTPClient::curlGetFileOverHttp(const URLParser &url, ofstream &out_file, const string &token)
 {
    try {
-        auto message = Singleton::Consume<I_Messaging>::by<HTTPClient>();
+        auto proxy_config = Singleton::Consume<I_ProxyConfiguration>::by<HTTPClient>();
        HttpCurl http_curl_client(
            url,
            out_file,
            token,
-            message->getProxyDomain(ProxyProtocol::HTTPS),
+            proxy_config->getProxyDomain(ProxyProtocol::HTTPS),
-            message->getProxyPort(ProxyProtocol::HTTPS),
+            proxy_config->getProxyPort(ProxyProtocol::HTTPS),
-            message->getProxyCredentials(ProxyProtocol::HTTPS));
+            proxy_config->getProxyCredentials(ProxyProtocol::HTTPS));
        http_curl_client.setCurlOpts();
        bool connection_ok = http_curl_client.connect();
@@ -247,12 +246,12 @@ Maybe<void>
 HTTPClient::getFileHttp(const URLParser &url, ofstream &out_file, const string &token)
 {
    try {
-        auto message = Singleton::Consume<I_Messaging>::by<HTTPClient>();
+        auto proxy_config = Singleton::Consume<I_ProxyConfiguration>::by<HTTPClient>();
        ClientConnection client_connection(
            url,
-            message->getProxyDomain(ProxyProtocol::HTTP),
+            proxy_config->getProxyDomain(ProxyProtocol::HTTP),
-            message->getProxyPort(ProxyProtocol::HTTP),
+            proxy_config->getProxyPort(ProxyProtocol::HTTP),
-            message->getProxyCredentials(ProxyProtocol::HTTP),
+            proxy_config->getProxyCredentials(ProxyProtocol::HTTP),
            token
        );
        auto handle_connect_res = client_connection.handleConnect();
--- a/components/security_apps/orchestration/downloader/http_client.h
+++ b/components/security_apps/orchestration/downloader/http_client.h
@@ -18,9 +18,15 @@
 #include "maybe_res.h"
 #include "url_parser.h"
 #include "i_messaging.h"
 #include "i_agent_details.h"
 #include "i_proxy_configuration.h"
 // LCOV_EXCL_START Reason: Depends on real download server.
-class HTTPClient : public Singleton::Consume<I_Messaging>
+class HTTPClient
        :
    public Singleton::Consume<I_Messaging>,
    public Singleton::Consume<I_AgentDetails>,
    public Singleton::Consume<I_ProxyConfiguration>
 {
 public:
    HTTPClient() = default;
--- a/components/security_apps/orchestration/downloader/https_client.cc
+++ b/components/security_apps/orchestration/downloader/https_client.cc
@@ -535,16 +535,16 @@ HTTPClient::getFileSSL(const URLParser &url, ofstream &out_file, const string &t
            }
        }
        boost::asio::io_service io_service;
-        auto message = Singleton::Consume<I_Messaging>::by<HTTPClient>();
+        auto proxy_config = Singleton::Consume<I_ProxyConfiguration>::by<HTTPClient>();
        Client client(
            out_file,
            io_service,
            ctx,
            url,
-            message->getProxyDomain(ProxyProtocol::HTTPS),
+            proxy_config->getProxyDomain(ProxyProtocol::HTTPS),
-            message->getProxyPort(ProxyProtocol::HTTPS),
+            proxy_config->getProxyPort(ProxyProtocol::HTTPS),
-            message->getProxyCredentials(ProxyProtocol::HTTPS),
+            proxy_config->getProxyCredentials(ProxyProtocol::HTTPS),
            token
        );
@@ -581,15 +581,15 @@ HTTPClient::curlGetFileOverSSL(const URLParser &url, ofstream &out_file, const s
            );
        }
-        auto message = Singleton::Consume<I_Messaging>::by<HTTPClient>();
+        auto proxy_config = Singleton::Consume<I_ProxyConfiguration>::by<HTTPClient>();
        HttpsCurl ssl_curl_client(
            url,
            out_file,
            token,
-            message->getProxyDomain(ProxyProtocol::HTTPS),
+            proxy_config->getProxyDomain(ProxyProtocol::HTTPS),
-            message->getProxyPort(ProxyProtocol::HTTPS),
+            proxy_config->getProxyPort(ProxyProtocol::HTTPS),
-            message->getProxyCredentials(ProxyProtocol::HTTPS),
+            proxy_config->getProxyCredentials(ProxyProtocol::HTTPS),
            cert_file_path);
        ssl_curl_client.setCurlOpts();
--- a/components/security_apps/orchestration/health_check/health_check.cc
+++ b/components/security_apps/orchestration/health_check/health_check.cc
@@ -247,6 +247,33 @@ private:
        );
    }
    bool
    nginxContainerIsRunning()
    {
        static const string nginx_container_name = "cp_nginx_gaia";
        static const string cmd_running =
            "docker ps --filter name=" + nginx_container_name + " --filter status=running";
        dbgTrace(D_HEALTH_CHECK) << "Checking if the container is running with the commmand: " << cmd_running;
        auto maybe_result = Singleton::Consume<I_ShellCmd>::by<HealthChecker>()->getExecOutput(cmd_running);
        if (!maybe_result.ok()) {
            dbgWarning(D_HEALTH_CHECK)
                << "Unable to get status of nginx container. return false and failing health check.";
            return false;
        }
        return (*maybe_result).find(nginx_container_name) != string::npos;
    }
    void
    closeCurrentSocket(I_Socket::socketFd fd, I_MainLoop::RoutineID curr_routine) {
        dbgDebug(D_HEALTH_CHECK) << "Connection with client closed, client fd: " << fd;
        open_connections_counter--;
        i_socket->closeSocket(fd);
        client_sockets_routines.erase(curr_routine);
    }
    void
    handleConnection()
    {
@@ -254,7 +281,7 @@ private:
            dbgDebug(D_HEALTH_CHECK)
                << "Cannot serve new client, reached maximun open connections bound which is:"
                << open_connections_counter
-                << "maximun allowed: "
+                << "maximum allowed: "
                << max_connections;
            return;
        }
@@ -276,21 +303,48 @@ private:
        dbgDebug(D_HEALTH_CHECK) << "Successfully accepted client, client fd: " << new_client_socket;
        open_connections_counter++;
-        auto curr_routine = i_mainloop->addFileRoutine(
+        auto curr_routine = i_mainloop->addOneTimeRoutine(
            I_MainLoop::RoutineType::RealTime,
            new_client_socket,
            [this] ()
            {
                auto curr_routine_id = i_mainloop->getCurrentRoutineId().unpack();
                auto curr_client_socket = client_sockets_routines[curr_routine_id];
                auto data_recieved = i_socket->receiveData(curr_client_socket, sizeof(uint8_t), false);
                if (!data_recieved.ok()) {
-                    dbgDebug(D_HEALTH_CHECK) << "Connection with client closed, client fd: " << curr_client_socket;
+                    closeCurrentSocket(curr_client_socket, curr_routine_id);
                    open_connections_counter--;
                    i_socket->closeSocket(curr_client_socket);
                    client_sockets_routines.erase(curr_routine_id);
                    i_mainloop->stop();
                }
                static const string success_response =
                    "HTTP/1.1 200 OK\r\n"
                    "Content-Length: 25\r\n"
                    "Content-Type: text/plain\r\n"
                    "\r\n"
                    "health check successful\r\n";
                static const vector<char> success_response_buffer(success_response.begin(), success_response.end());
                static const string failure_response =
                    "HTTP/1.1 500 Internal Server Error\r\n"
                    "Content-Length: 21\r\n"
                    "Content-Type: text/plain\r\n"
                    "\r\n"
                    "health check failed\r\n";
                static const vector<char> failure_response_buffer(failure_response.begin(), failure_response.end());
                if (nginxContainerIsRunning()) {
                    dbgDebug(D_HEALTH_CHECK)
                    << "nginx conatiner is running, returning the following response: "
                    << success_response;
                    i_socket->writeData(curr_client_socket, success_response_buffer);
                    closeCurrentSocket(curr_client_socket, curr_routine_id);
                    return;
                }
                dbgDebug(D_HEALTH_CHECK)
                    << "nginx conatiner is not running, returning the following response: "
                    << failure_response;
                i_socket->writeData(curr_client_socket, failure_response_buffer);
                closeCurrentSocket(curr_client_socket, curr_routine_id);
            },
            "Health check probe connection handler",
            true
--- a/components/security_apps/orchestration/health_check/health_check_ut/health_check_ut.cc
+++ b/components/security_apps/orchestration/health_check/health_check_ut/health_check_ut.cc
@@ -6,6 +6,7 @@
 #include "mock/mock_time_get.h"
 #include "mock/mock_socket_is.h"
 #include "mock/mock_mainloop.h"
 #include "mock/mock_shell_cmd.h"
 #include "health_check_manager.h"
 #include "config.h"
@@ -18,6 +19,22 @@ using namespace testing;
 USE_DEBUG_FLAG(D_HEALTH_CHECK);
 static const string response =
    "HTTP/1.1 200 OK\r\n"
    "Content-Length: 25\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "health check successful\r\n";
 static const vector<char> response_buffer(response.begin(), response.end());
 static const string failure_response =
                    "HTTP/1.1 500 Internal Server Error\r\n"
                    "Content-Length: 21\r\n"
                    "Content-Type: text/plain\r\n"
                    "\r\n"
                    "health check failed\r\n";
 static const vector<char> failure_response_buffer(failure_response.begin(), failure_response.end());
 class HealthCheckerTest : public testing::Test
 {
 public:
@@ -47,6 +64,7 @@ public:
    NiceMock<MockLogging>               mock_log;
    AgentDetails                        agent_details;
    StrictMock<MockSocketIS>            mock_socket;
    NiceMock<MockShellCmd>              mock_shell_cmd;
    I_Socket::socketFd                  server_socket = -1;
    Context                             ctx;
    ConfigComponent                     config;
@@ -82,7 +100,7 @@ TEST_F(HealthCheckerTest, clientConnection)
    EXPECT_CALL(
        mock_mainloop,
-        addOneTimeRoutine(I_MainLoop::RoutineType::System, _, _, false)
+        addOneTimeRoutine(I_MainLoop::RoutineType::System, _, "Health check probe listener startup", false)
    ).WillOnce(DoAll(SaveArg<1>(&handle_probe_routine), Return(0)));
    EXPECT_CALL(
@@ -95,11 +113,19 @@ TEST_F(HealthCheckerTest, clientConnection)
        addFileRoutine(I_MainLoop::RoutineType::RealTime, _, _, _, true)
    ).WillRepeatedly(DoAll(SaveArg<2>(&connection_handler_routine), Return(0)));
    EXPECT_CALL(
        mock_mainloop,
        addOneTimeRoutine(I_MainLoop::RoutineType::RealTime, _, "Health check probe connection handler", true)
    ).WillOnce(DoAll(SaveArg<1>(&connection_handler_routine), Return(0)));
    int socket = 1;
    EXPECT_CALL(mock_socket, acceptSocket(1, false, ip)).WillOnce(Return(socket));
    EXPECT_CALL(mock_mainloop, getCurrentRoutineId()).WillRepeatedly(Return(0));
    EXPECT_CALL(mock_socket, receiveData(_, 1, false)).WillOnce(Return(vector<char>()));
    EXPECT_CALL(mock_shell_cmd, getExecOutput(_, _, _)).WillRepeatedly(Return(string("cp_nginx_gaia")));
    EXPECT_CALL(mock_socket, writeData(_, response_buffer)).WillOnce(Return(true));
    EXPECT_CALL(mock_socket, closeSocket(socket)).Times(2);
    health_checker.init();
    handle_probe_routine();
    connection_handler_routine();
@@ -194,10 +220,17 @@ TEST_F(HealthCheckerTest, disablingAfterEnabled)
        addFileRoutine(I_MainLoop::RoutineType::RealTime, _, _, _, true)
    ).WillRepeatedly(DoAll(SaveArg<2>(&connection_handler_routine), Return(0)));
    EXPECT_CALL(
        mock_mainloop,
        addOneTimeRoutine(I_MainLoop::RoutineType::RealTime, _, "Health check probe connection handler", true)
    ).WillOnce(DoAll(SaveArg<1>(&connection_handler_routine), Return(0)));
    int socket = 1;
    EXPECT_CALL(mock_socket, acceptSocket(1, false, ip)).WillOnce(Return(socket));
    EXPECT_CALL(mock_mainloop, getCurrentRoutineId()).WillRepeatedly(Return(0));
    EXPECT_CALL(mock_socket, receiveData(_, 1, false)).WillOnce(Return(vector<char>()));
    EXPECT_CALL(mock_shell_cmd, getExecOutput(_, _, _)).WillOnce(Return(string("cp_nginx_gaia")));
    EXPECT_CALL(mock_socket, writeData(_, response_buffer)).WillOnce(Return(true));
    EXPECT_CALL(mock_socket, closeSocket(socket)).Times(2);
    health_checker.init();
    handle_probe_routine();
@@ -242,11 +275,20 @@ TEST_F(HealthCheckerTest, changePortIpConfig)
        addFileRoutine(I_MainLoop::RoutineType::RealTime, _, _, _, true)
    ).WillRepeatedly(DoAll(SaveArg<2>(&connection_handler_routine), Return(0)));
    EXPECT_CALL(
        mock_mainloop,
        addOneTimeRoutine(I_MainLoop::RoutineType::RealTime, _, "Health check probe connection handler", true)
    ).WillOnce(DoAll(SaveArg<1>(&connection_handler_routine), Return(0)));
    int socket = 1;
    int socket2 = 0;
    EXPECT_CALL(mock_socket, acceptSocket(1, false, ip)).WillOnce(Return(socket));
    EXPECT_CALL(mock_mainloop, getCurrentRoutineId()).WillRepeatedly(Return(0));
    EXPECT_CALL(mock_socket, receiveData(_, 1, false)).Times(2).WillRepeatedly(Return(vector<char>()));
    EXPECT_CALL(mock_shell_cmd, getExecOutput(_, _, _)).Times(2).WillRepeatedly(Return(string("cp_nginx_gaia")));
    EXPECT_CALL(mock_socket, writeData(_, response_buffer)).Times(2).WillRepeatedly(Return(true));
    EXPECT_CALL(mock_socket, closeSocket(socket)).Times(2);
    EXPECT_CALL(mock_socket, closeSocket(socket2));
    health_checker.init();
    handle_probe_routine();
    connection_handler_routine();
@@ -258,3 +300,44 @@ TEST_F(HealthCheckerTest, changePortIpConfig)
    setConfiguration(new_port, "Health Check", "Probe port");
    connection_handler_routine();
 }
 TEST_F(HealthCheckerTest, FailedHealthCheck)
 {
    string ip = "1.2.3.4";
    setConfiguration(ip, "Health Check", "Probe IP");
    uint port = 11600;
    setConfiguration(port, "Health Check", "Probe port");
    EXPECT_CALL(
        mock_mainloop,
        addOneTimeRoutine(I_MainLoop::RoutineType::System, _, _, false)
    ).WillOnce(DoAll(SaveArg<1>(&handle_probe_routine), Return(0)));
    EXPECT_CALL(
        mock_socket,
        genSocket(I_Socket::SocketType::TCP, false, true, _)
    ).WillRepeatedly(Return(1));
    EXPECT_CALL(
        mock_mainloop,
        addFileRoutine(I_MainLoop::RoutineType::RealTime, _, _, _, true)
    ).WillRepeatedly(DoAll(SaveArg<2>(&connection_handler_routine), Return(0)));
    EXPECT_CALL(
        mock_mainloop,
        addOneTimeRoutine(I_MainLoop::RoutineType::RealTime, _, "Health check probe connection handler", true)
    ).WillOnce(DoAll(SaveArg<1>(&connection_handler_routine), Return(0)));
    int socket = 1;
    EXPECT_CALL(mock_socket, acceptSocket(1, false, ip)).WillOnce(Return(socket));
    EXPECT_CALL(mock_mainloop, getCurrentRoutineId()).WillRepeatedly(Return(0));
    EXPECT_CALL(mock_socket, receiveData(_, 1, false)).WillOnce(Return(vector<char>()));
    EXPECT_CALL(mock_shell_cmd, getExecOutput(_, _, _)).WillOnce(Return(string("")));
    EXPECT_CALL(mock_socket, writeData(_, failure_response_buffer)).WillOnce(Return(true));
    EXPECT_CALL(mock_socket, closeSocket(socket)).Times(2);
    health_checker.init();
    handle_probe_routine();
    connection_handler_routine();
    connection_handler_routine();
    setConfiguration(false, "Health Check", "Probe enabled");
 }
--- a/components/security_apps/orchestration/hybrid_mode_telemetry.cc
+++ b/components/security_apps/orchestration/hybrid_mode_telemetry.cc
@@ -24,8 +24,8 @@ USE_DEBUG_FLAG(D_ORCHESTRATOR);
 static inline string &
 trim(string &in)
 {
-    in.erase(in.begin(), find_if(in.begin(), in.end(), not1(ptr_fun<int, int>(isspace))));
+    in.erase(in.begin(), find_if(in.begin(), in.end(), [] (char c) { return !isspace(c); }));
-    in.erase(find_if(in.rbegin(), in.rend(), not1(ptr_fun<int, int>(isspace))).base(), in.end());
+    in.erase(find_if(in.rbegin(), in.rend(), [] (char c) { return !isspace(c); }).base(), in.end());
    return in;
 }
--- a/components/security_apps/orchestration/include/fog_authenticator.h
+++ b/components/security_apps/orchestration/include/fog_authenticator.h
@@ -266,17 +266,25 @@ private:
    S2C_PARAM(std::string, agentId);
 };
-class PolicyVersionPatchRequest : public ClientRest
+class PolicyVersionPatchRequest
 {
 public:
-    PolicyVersionPatchRequest(const std::string &_policy_version)
+    PolicyVersionPatchRequest(const std::string &_policy_version, const std::string &_policy_versions)
            :
-        policy_version(_policy_version)
+        policy_version(_policy_version),
        policy_versions(_policy_versions)
    {
    }
    Maybe<std::string>
    genJson() const
    {
        return "{ \"policyVersion\" :\"" + policy_version + "\", \"versions\": " + policy_versions + "}";
    }
 private:
-    C2S_LABEL_PARAM(std::string, policy_version, "policyVersion");
+    std::string policy_version;
    std::string policy_versions;
 };
 class TokenRequest : public ClientRest
--- a/components/security_apps/orchestration/include/fog_communication.h
+++ b/components/security_apps/orchestration/include/fog_communication.h
@@ -41,7 +41,10 @@ public:
    void init() override;
    Maybe<void> getUpdate(CheckUpdateRequest &request) override;
    Maybe<std::string> downloadAttributeFile(const GetResourceFile &resourse_file) override;
-    Maybe<void> sendPolicyVersion(const std::string &policy_version) const override;
+    Maybe<void> sendPolicyVersion(
        const std::string &policy_version,
        const std::string &policy_versions
    ) const override;
 private:
    DeclarativePolicyUtils declarative_policy_utils;
--- a/components/security_apps/orchestration/include/get_status_rest.h
+++ b/components/security_apps/orchestration/include/get_status_rest.h
@@ -14,7 +14,6 @@
 #ifndef __GET_STATUS_RES_H__
 #define __GET_STATUS_RES_H__
 #include "i_messaging_downloader.h"
 #include "i_messaging.h"
 #include "i_mainloop.h"
 #include "i_shell_cmd.h"
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
WrightNed	4038c18bda	Update CMakeLists.txt	2023-08-24 20:26:18 +03:00
WrightNed	a9b6d2e715	Merge pull request #47 from openappsec/Aug_23_2023-Dev Aug 23 2023 dev	2023-08-24 15:10:14 +03:00
Ned Wright	81c75495cc	temporarily disabling some unit-tests	2023-08-24 11:56:16 +00:00
WrightNed	5505022f47	Update cp-nano-package-list	2023-08-23 20:46:45 +03:00
Ned Wright	b25fd8def5	Aug_23_2023-Dev	2023-08-23 14:15:32 +00:00
Ned Wright	702c1184ea	Merge branch 'main' of https://github.com/openappsec/openappsec	2023-08-17 17:40:54 +00:00
Ned Wright	b3cfd7e9d8	Check /etc/environment exists before using it	2023-08-17 17:40:22 +00:00
WrightNed	e36b990161	Merge pull request #43 from openappsec/changing_socket_readiness_testing Change socket readiness testing	2023-08-10 00:22:37 +03:00
NedWright	09868e6d7c	Change socket readiness testing	2023-08-09 20:59:26 +00:00
bilbogh	e25f517c19	Update README.md	2023-08-06 18:22:31 +02:00
Ned Wright	42a31e37b1	Add check if obfuscation is enabled	2023-07-28 15:46:08 +00:00
Ned Wright	abe275c828	Add check if obfuscation is enabled	2023-07-27 15:41:41 +00:00
WrightNed	71d198f41a	Merge pull request #40 from openappsec/support-advance-model support-advanced-model in all flavors	2023-07-25 14:31:40 +03:00
WrightNed	3ed569fe35	Merge pull request #41 from openappsec/Jul_24_23_chart_update Update charts	2023-07-25 13:51:59 +03:00
roybarda	c7cb494e2b	support-advanced-model in all flavors	2023-07-25 10:06:48 +03:00
noam	edd357f297	Update charts	2023-07-24 17:24:40 +03:00
Ned Wright	08583fdb4c	Create log_utils.h	2023-07-19 11:22:06 +00:00
Ned Wright	e5ef6c5ad4	Create log_utils.h	2023-07-19 11:16:19 +00:00
WrightNed	3c24666643	Update CMakeLists.txt	2023-07-19 14:03:40 +03:00
WrightNed	19e8906704	Merge pull request #37 from openappsec/Jul_06_2023-Dev Jul 06 2023 dev	2023-07-16 15:53:39 +03:00
Ned Wright	01b6544ca5	Fix manifest handling	2023-07-16 12:51:20 +00:00
WrightNed	ebc2b2be0d	Merge pull request #36 from openappsec/WrightNed-patch-1 Update cp-agent-info.sh	2023-07-12 19:04:46 +03:00
WrightNed	fc6355a3b2	Update cp-agent-info.sh Better checks which tar options exists	2023-07-12 18:02:52 +03:00
Ned Wright	c89001b6e0	Change library locating	2023-07-06 09:34:00 +00:00
Ned Wright	a59f079ef7	Jul 5th update	2023-07-05 23:32:39 +00:00
orianelou	22f1a984aa	Merge pull request #32 from openappsec/orianelou-patch-1 Update README.md	2023-07-02 11:03:32 +03:00
		`@@ -1,2 +0,0 @@`
			`add_subdirectory(downloader_server_ut)`
			`add_subdirectory(downloader_client_ut)`
`@@ -2,4 +2,4 @@ ADD_DEFINITIONS(-Wno-deprecated-declarations -Dalpine)`

	`add_library(orchestration_downloader curl_client.cc downloader.cc http_client.cc https_client.cc)`	`add_library(orchestration_downloader curl_client.cc downloader.cc http_client.cc https_client.cc)`

	`add_subdirectory(downloader_ut)`	`#add_subdirectory(downloader_ut)`