github_mirrors/openappsec
3
0
Fork 1
mirror of https://github.com/openappsec/openappsec.git synced 2025-11-15 17:02:15 +03:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: github_mirrors:workflow-08_05
Branches Tags
github_mirrors:main github_mirrors:fix-entry-file-token-arg github_mirrors:09-11-25-dev github_mirrors:docker-stop-issue github_mirrors:update_docker_compose github_mirrors:fix-alpine-ca github_mirrors:Aug_08_2025-Dev github_mirrors:nginx_message_reader_improvements github_mirrors:conf-collector-upload github_mirrors:waf-tag github_mirrors:watchdog github_mirrors:prometheus_support github_mirrors:exception-fix github_mirrors:orianelou-patch-8 github_mirrors:orianelou-issue-tamplates github_mirrors:Mar_17_2025-Dev github_mirrors:docker-upgrade-issue github_mirrors:namspace-crds github_mirrors:Feb_27_2025-Dev github_mirrors:Feb_10_2025-Dev github_mirrors:oriane-23.12.24-adding-new-composes github_mirrors:Jan_12_2025-Dev github_mirrors:orianelou-patch-7 github_mirrors:Dec_29_2024-Dev github_mirrors:Nov_28_2024-Dev github_mirrors:Oct_14_2024-Dev github_mirrors:Sep_17_2024-Dev github_mirrors:Sep_15_2024-Dev github_mirrors:Sep_13_2024-Dev github_mirrors:Sep_11_2024-Dev github_mirrors:Aug_20_2024-Dev github_mirrors:orianelou-patch-6 github_mirrors:orianelou-patch-5 github_mirrors:orianelou-patch-4 github_mirrors:Jul_31_2024-Dev github_mirrors:danielei-hotifx-candidate github_mirrors:orianelou-crds github_mirrors:or github_mirrors:Jul_23_2024-Dev github_mirrors:Jul_04_2024-Dev github_mirrors:Jun_26_2024-Dev github_mirrors:orianelou-new-policy-files github_mirrors:Jun_09_2024-Dev github_mirrors:May_27_2024-Dev github_mirrors:Apr_21_2024-Dev github_mirrors:Apr_14_2024-Dev github_mirrors:Mar_21_2024-Dev github_mirrors:orianelou-patch-3 github_mirrors:WrightNed-patch-1 github_mirrors:Feb_28_2024 github_mirrors:orianelou-patch-apisix github_mirrors:Feb_13_2024 github_mirrors:Feb_06_2024-Dev github_mirrors:Jan_31_2024-Dev github_mirrors:Dec-24-2023 github_mirrors:Dec-12th-2023 github_mirrors:Nov_12_2023-Dev github_mirrors:open_appsec_add_agent_cache_for_rate_limit github_mirrors:orianelou-patch-2 github_mirrors:Sep_24_2023-Dev github_mirrors:Aug_23_2023-Dev github_mirrors:changing_socket_readiness_testing github_mirrors:support-advance-model github_mirrors:Jul_24_23_chart_update github_mirrors:Jul_06_2023-Dev github_mirrors:orianelou-patch-1 github_mirrors:workflow-08_05 github_mirrors:May_11_2023-Dev github_mirrors:crowdsec github_mirrors:Apr_27_2023-Dev github_mirrors:Mar_26_2023-Dev github_mirrors:Mar_13_2023-Dev github_mirrors:Mar_02_2023-Dev github_mirrors:Feb_22_2023-Dev github_mirrors:Feb_15_2023-Dev github_mirrors:Jan_22_2023-Dev github_mirrors:Jan_18_2023-Dev github_mirrors:Jan_16_2023
github_mirrors:1.1.30 github_mirrors:1.1.29 github_mirrors:1.1.27 github_mirrors:1.1.26 github_mirrors:1.1.25 github_mirrors:1.1.24 github_mirrors:1.1.23 github_mirrors:1.1.22 github_mirrors:1.1.21 github_mirrors:1.1.20 github_mirrors:1.1.19 github_mirrors:1.1.18 github_mirrors:1.1.17 github_mirrors:1.1.16 github_mirrors:1.1.15 github_mirrors:1.1.14 github_mirrors:v1.1.3 github_mirrors:1.1.12 github_mirrors:1.1.11 github_mirrors:1.1.10 github_mirrors:1.1.9 github_mirrors:1.1.8 github_mirrors:1.1.7 github_mirrors:1.1.6 github_mirrors:1.1.5 github_mirrors:1.1.4 github_mirrors:1.1.3 github_mirrors:1.1.2 github_mirrors:1.1.0 github_mirrors:1.0.1 github_mirrors:1.0.0 github_mirrors:0.9.1-rc github_mirrors:0.9.0-rc github_mirrors:0.8.0-rc
...
compare: github_mirrors:Jul_06_2023-Dev
Branches Tags
github_mirrors:fix-entry-file-token-arg github_mirrors:main github_mirrors:09-11-25-dev github_mirrors:docker-stop-issue github_mirrors:update_docker_compose github_mirrors:fix-alpine-ca github_mirrors:Aug_08_2025-Dev github_mirrors:nginx_message_reader_improvements github_mirrors:conf-collector-upload github_mirrors:waf-tag github_mirrors:watchdog github_mirrors:prometheus_support github_mirrors:exception-fix github_mirrors:orianelou-patch-8 github_mirrors:orianelou-issue-tamplates github_mirrors:Mar_17_2025-Dev github_mirrors:docker-upgrade-issue github_mirrors:namspace-crds github_mirrors:Feb_27_2025-Dev github_mirrors:Feb_10_2025-Dev github_mirrors:oriane-23.12.24-adding-new-composes github_mirrors:Jan_12_2025-Dev github_mirrors:orianelou-patch-7 github_mirrors:Dec_29_2024-Dev github_mirrors:Nov_28_2024-Dev github_mirrors:Oct_14_2024-Dev github_mirrors:Sep_17_2024-Dev github_mirrors:Sep_15_2024-Dev github_mirrors:Sep_13_2024-Dev github_mirrors:Sep_11_2024-Dev github_mirrors:Aug_20_2024-Dev github_mirrors:orianelou-patch-6 github_mirrors:orianelou-patch-5 github_mirrors:orianelou-patch-4 github_mirrors:Jul_31_2024-Dev github_mirrors:danielei-hotifx-candidate github_mirrors:orianelou-crds github_mirrors:or github_mirrors:Jul_23_2024-Dev github_mirrors:Jul_04_2024-Dev github_mirrors:Jun_26_2024-Dev github_mirrors:orianelou-new-policy-files github_mirrors:Jun_09_2024-Dev github_mirrors:May_27_2024-Dev github_mirrors:Apr_21_2024-Dev github_mirrors:Apr_14_2024-Dev github_mirrors:Mar_21_2024-Dev github_mirrors:orianelou-patch-3 github_mirrors:WrightNed-patch-1 github_mirrors:Feb_28_2024 github_mirrors:orianelou-patch-apisix github_mirrors:Feb_13_2024 github_mirrors:Feb_06_2024-Dev github_mirrors:Jan_31_2024-Dev github_mirrors:Dec-24-2023 github_mirrors:Dec-12th-2023 github_mirrors:Nov_12_2023-Dev github_mirrors:open_appsec_add_agent_cache_for_rate_limit github_mirrors:orianelou-patch-2 github_mirrors:Sep_24_2023-Dev github_mirrors:Aug_23_2023-Dev github_mirrors:changing_socket_readiness_testing github_mirrors:support-advance-model github_mirrors:Jul_24_23_chart_update github_mirrors:Jul_06_2023-Dev github_mirrors:orianelou-patch-1 github_mirrors:workflow-08_05 github_mirrors:May_11_2023-Dev github_mirrors:crowdsec github_mirrors:Apr_27_2023-Dev github_mirrors:Mar_26_2023-Dev github_mirrors:Mar_13_2023-Dev github_mirrors:Mar_02_2023-Dev github_mirrors:Feb_22_2023-Dev github_mirrors:Feb_15_2023-Dev github_mirrors:Jan_22_2023-Dev github_mirrors:Jan_18_2023-Dev github_mirrors:Jan_16_2023
github_mirrors:1.1.30 github_mirrors:1.1.29 github_mirrors:1.1.27 github_mirrors:1.1.26 github_mirrors:1.1.25 github_mirrors:1.1.24 github_mirrors:1.1.23 github_mirrors:1.1.22 github_mirrors:1.1.21 github_mirrors:1.1.20 github_mirrors:1.1.19 github_mirrors:1.1.18 github_mirrors:1.1.17 github_mirrors:1.1.16 github_mirrors:1.1.15 github_mirrors:1.1.14 github_mirrors:v1.1.3 github_mirrors:1.1.12 github_mirrors:1.1.11 github_mirrors:1.1.10 github_mirrors:1.1.9 github_mirrors:1.1.8 github_mirrors:1.1.7 github_mirrors:1.1.6 github_mirrors:1.1.5 github_mirrors:1.1.4 github_mirrors:1.1.3 github_mirrors:1.1.2 github_mirrors:1.1.0 github_mirrors:1.0.1 github_mirrors:1.0.0 github_mirrors:0.9.1-rc github_mirrors:0.9.0-rc github_mirrors:0.8.0-rc

18 Commits
workflow-0 ... Jul_06_202

Author SHA1 Message Date
Ned Wright
01b6544ca5 Fix manifest handling 2023-07-16 12:51:20 +00:00
Ned Wright
c89001b6e0 Change library locating 2023-07-06 09:34:00 +00:00
Ned Wright
a59f079ef7 Jul 5th update 2023-07-05 23:32:39 +00:00
orianelou
22f1a984aa Merge pull request #32 from openappsec/orianelou-patch-1 
Update README.md
 2023-07-02 11:03:32 +03:00
orianelou
7c98ba9834 Update README.md 
replaced --hybrid-mode with --standalone
 2023-07-02 10:48:23 +03:00
Ned Wright
5192380549 Ignoring null packages list 2023-06-20 09:31:14 +00:00
Ned Wright
a270456278 Ignoring null packages list 2023-06-19 10:46:52 +00:00
Ned Wright
795d07bd41 Updating Kong helm chart 2023-06-01 16:15:31 +00:00
Ned Wright
45e51ddbf7 Adding an example of local policy yml file 2023-05-29 17:15:02 +00:00
Ned Wright
36f65b9b1f Updating the NGINX Ingress helm chart 2023-05-29 16:30:53 +00:00
orianelou
dfcc71c8c2 Update CONTRIBUTING.md 2023-05-25 11:19:29 +03:00
orianelou
1e8540f166 Create CONTRIBUTING.md 
added contrib file and updated CONTRIBUTING.md
 2023-05-25 11:18:55 +03:00
WrightNed
a754082405 Merge pull request #24 from openappsec/May_11_2023-Dev 
My 11th 2023 update
 2023-05-14 21:53:29 +03:00
Ned Wright
3aa0885f74 Merge branch 'main' into May_11_2023-Dev 2023-05-14 18:52:57 +00:00
WrightNed
3b49cfec54 Merge pull request #23 from openappsec/crowdsec 
Crowdsec
 2023-05-14 21:46:58 +03:00
Ned Wright
d7494b1bbc Adding crowdsec auxilary to monitored processes 2023-05-14 17:29:44 +00:00
Ned Wright
29bd82d125 My 11th 2023 update 2023-05-11 18:54:44 +00:00
Ned Wright
c49debe5d9 Enabling crowdsec 2023-05-11 10:40:06 +00:00
266 changed files with 94289 additions and 3844 deletions
Expand all files Collapse all files

2
.gitattributes vendored Normal file
View File

@@ -0,0 +1,2 @@
build_system/docker/install-cp-agent-intelligence-service.sh binary
build_system/docker/install-cp-crowdsec-aux.sh binary

1
CMakeLists.txt
View File

@@ -28,6 +28,7 @@ include_directories(core/include/services_sdk/interfaces)
include_directories(core/include/services_sdk/resources)
include_directories(core/include/services_sdk/utilities)
include_directories(core/include/attachments)
include_directories(events/include)
include_directories(components/include)
add_subdirectory(build_system)

53
CONTRIBUTING.md
View File

@@ -1,37 +1,64 @@
# open-appsec Contributing Guide
Thank you for your interest in open-appsec. We welcome everyone that wishes to share their knowledge and expertise to enhance and expand the project.
# open-appsec Contributing Guide🌴
Read our [Code of Conduct](./CODE_OF_CONDUCT.md) to keep our community approachable and respectable.
Thank you for your interest in open-appsec. We welcome contributions of all kinds, there is no need to do code to be helpful! All of the following tasks are noble and worthy contributions that you can make without coding:
In this guide we will provide an overview of the various contribution options' guidelines - from reporting or fixing a bug, to suggesting an enhancement.
- Reporting security vulnerabilities
- Reporting a bug
- Helping a member of the community
- Notes about our documentation
- Providing feedback and feature requests
Before making any kind of contribution, read our [Code of Conduct](./CODE_OF_CONDUCT.md) to keep our community approachable and respectable.
This guide will provide an overview of the various contribution options' guidelines - from reporting or fixing a bug to suggesting an enhancement.
## Reporting security vulnerabilities
If you've found a vulnerability or a potential vulnerability in open-appsec please let us know at [security-alert@openappsec.io](mailto:security-alert@openappsec.io). We'll send a confirmation email to acknowledge your report within 24 hours, and we'll send an additional email when we've identified the issue positively or negatively.
If you've found a vulnerability or a potential vulnerability in open-appsec please let us know at [security-alert@openappsec.io](mailto:security-alert@openappsec.io). We'll send a confirmation email to acknowledge your report within 24 hours and send an additional email when we've identified the issue positively or negatively.
An internal process will be activated upon determining the validity of a reported security vulnerability, which will end with releasing a fix and deciding on the applicable disclosure actions. The reporter of the issue will receive updates of this process' progress.
An internal process will be activated upon determining the validity of a reported security vulnerability, which will end with releasing a fix and deciding on the appropriate disclosure actions. The reporter of the issue will receive updates on this process' progress.
## Reporting a bug
**Important - If the bug you wish to report regards a suspicion of a security vulnerability, please refer to the "Reporting security vulnerability" section**
**Important - If the bug you wish to report regards a suspicion of a security vulnerability, please refer to the [Reporting security vulnerability](#Reporting-security-vulnerabilities) section**
To report a bug, you can either open a new issue using a relevant [issue form](https://github.com/github/docs/issues/new/choose), or, alternatively, [contact us via our open-appsec open source distribution list](mailto:opensource@openappsec.io).
To report a bug, you can either open a new issue using a relevant [issue form](https://github.com/github/docs/issues/new/choose) or, [contact us via our open-appsec open source distribution list](mailto:opensource@openappsec.io).
Be sure to include a **title and clear description**, as much relevant information as possible, and a **code sample** or an **executable test case** demonstrating the expected behavior that is not occurring.
## Contributing a fix to a bug
Please [contact us via our open-appsec open source distribution list](mailto:opensource@openappsec.io) before writing your code. We will want to make sure we understand the boundaries of the proposed fix, that the relevant coding style is clear for the proposed fix's location in the code, and that the proposed contribution is relevant and eligible.
Please [contact us via our open-appsec open source distribution list](mailto:opensource@openappsec.io) before writing your code. We will want to make sure we understand the boundaries of the proposed fix, that the relevant coding style is clear for the proposed fix's location in the code, and that the suggested contribution is relevant and eligible.
Once you've received our confirmation follow the next steps:
1. Fork the repository to your GitHub account.
2. Clone your forked repository to your local machine.
3. Add your contributions to relevant locations in the local copy of the codebase.
4. Push your changes back to your forked repository.
5. Open a pull request (PR) against the main branch of the original repository.
## Contributing code-independent enhancements
For any code-independent enhancements (such as docker-compose files, or instructions on how to compile on different OSs) please follow the next steps:
1. [suggest your change via our open-appsec open-source distribution list](mailto:opensource@openappsec.io) to inform us about your possible contribution and wait for our confirmation.
2. Fork the repository to your GitHub account.
3. Clone your forked repository to your local machine.
4. Add your contributions to the "contrib" Folder in the local copy of the codebase.
5. Push your changes back to your forked repository.
6. Open a pull request (PR) against the main branch of the original repository.
Please note that during the PR review we might adjust the location of the contributions.
## Proposing an enhancement
Please [suggest your change via our open-appsec open source distribution list](mailto:opensource@openappsec.io) before writing your code. We will contact you to make sure we understand the boundaries of the proposed fix, that the relevant coding style is clear for the proposed fix's location in the code, and that the proposed contribution is relevant and eligible. There may be additional considerations that we would like to discuss with you before implementing the enhancement.
Please [suggest your change via our open-appsec open-source distribution list](mailto:opensource@openappsec.io) before writing your code. We will contact you to make sure we understand the boundaries of the proposed fix, that the relevant coding style is clear for the proposed fix's location in the code, and that the suggested contribution is relevant and eligible. There may be additional considerations that we would like to discuss with you before implementing the enhancement.
## Open Source documentation issues
For reporting or suggesting a change, of any issue detected in the documentation files of our open source repositories, please use the same guidelines as bug reports/fixes.
to propose changes to our [documentation](https://docs.openappsec.io/?utm_medium=web&utm_source=wix&utm_content=top_menu) you can either open a new issue using a relevant [issue form](https://github.com/github/docs/issues/new/choose) or, [contact us via our open-appsec open source distribution list](mailto:opensource@openappsec.io).
# Final Thanks
We value all efforts to read, suggest changes and/or contribute to our open source files. Thank you for your time and efforts.
# Final thanks
We value all efforts to read, suggest changes, and/or contribute to our open-source files. Thank you for your time and efforts.
The open-appsec Team

6
README.md
View File

@@ -130,17 +130,17 @@ To run a Nano-Agent as a container the following steps are required:
2. If you are planning to manage the agent using the open-appsec UI, then make sure to obtain an agent token from the Management Portal and Enforce.
3. Run the agent with the following command (where -e https_proxy parameter is optional):
`docker run -d --name=agent-container --ipc=host -v=<path to persistent location for agent config>:/etc/cp/conf -v=<path to persistent location for agent data files>:/etc/cp/data -v=<path to persistent location for agent debugs and logs>:/var/log/nano_agent -e https_proxy=<user:password@Proxy address:port> -it <agent-image> /cp-nano-agent [--token <token> | --hybrid-mode]`
`docker run -d --name=agent-container --ipc=host -v=<path to persistent location for agent config>:/etc/cp/conf -v=<path to persistent location for agent data files>:/etc/cp/data -v=<path to persistent location for agent debugs and logs>:/var/log/nano_agent -e https_proxy=<user:password@Proxy address:port> -it <agent-image> /cp-nano-agent [--token <token> | --standalone]`
Example:
```bash
$ docker run -d --name=agent-container --ipc=host -v=/home/admin/agent/conf:/etc/cp/conf -v=/home/admin/agent/data:/etc/cp/data -v=/home/admin/agent/logs:/var/log/nano_agent e https_proxy=user:password@1.2.3.4:8080 -it agent-docker /cp-nano-agent --hybrid-mode
$ docker run -d --name=agent-container --ipc=host -v=/home/admin/agent/conf:/etc/cp/conf -v=/home/admin/agent/data:/etc/cp/data -v=/home/admin/agent/logs:/var/log/nano_agent e https_proxy=user:password@1.2.3.4:8080 -it agent-docker /cp-nano-agent --standalone
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
1e67f2abbfd4 agent-docker "/cp-nano-agent --hybrid-mode" 1 minute ago Up 1 minute agent-container
```
Note that you are not required to use a token from the Management Portal if you are managing your security policy locally. However, you are required to use the --hybrid-mode flag in such cases. In addition, the volumes in the command are mandatory only if you wish to have persistency upon restart/upgrade/crash of the agent and its re-execution.
Note that you are not required to use a token from the Management Portal if you are managing your security policy locally. However, you are required to use the --standalone flag in such cases. In addition, the volumes in the command are mandatory only if you wish to have persistency upon restart/upgrade/crash of the agent and its re-execution.
Lastly, --ipc=host argument is mandatory in order for the agent to have access to shared memory with a protected attachment (NGINX server).
4. Create or replace the NGINX container using the [Attachment Repository](https://github.com/openappsec/attachment).

1
attachments/kernel_modules/core/include/common_is/kdebug_flags.h
View File

@@ -31,5 +31,6 @@ DEFINE_KDEBUG_FLAG(statefulValidation)
DEFINE_KDEBUG_FLAG(statelessValidation)
DEFINE_KDEBUG_FLAG(kernelMetric)
DEFINE_KDEBUG_FLAG(tproxy)
DEFINE_KDEBUG_FLAG(tenantStats)
#endif // DEFINE_KDEBUG_FLAG

159
build_system/charts/open-appsec-k8s-nginx-ingress/CHANGELOG.md
View File

@@ -2,39 +2,124 @@
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.4.0
* Adding support for disabling liveness and readiness probes to the Helm chart by @njegosrailic in https://github.com/kubernetes/ingress-nginx/pull/9238
* add:(admission-webhooks) ability to set securityContext by @ybelMekk in https://github.com/kubernetes/ingress-nginx/pull/9186
* #7652 - Updated Helm chart to use the fullname for the electionID if not specified. by @FutureMatt in https://github.com/kubernetes/ingress-nginx/pull/9133
* Rename controller-wehbooks-networkpolicy.yaml. by @Gacko in https://github.com/kubernetes/ingress-nginx/pull/9123
### 4.3.0
- Support for Kubernetes v.1.25.0 was added and support for endpoint slices
- Support for Kubernetes v1.20.0 and v1.21.0 was removed
- [8890](https://github.com/kubernetes/ingress-nginx/pull/8890) migrate to endpointslices
- [9059](https://github.com/kubernetes/ingress-nginx/pull/9059) kubewebhookcertgen sha change after go1191
- [9046](https://github.com/kubernetes/ingress-nginx/pull/9046) Parameterize metrics port name
- [9104](https://github.com/kubernetes/ingress-nginx/pull/9104) Fix yaml formatting error with multiple annotations
### 4.2.1
- The sha of kube-webhook-certgen image & the opentelemetry image, in values file, was changed to new images built on alpine-v3.16.1
- "[8896](https://github.com/kubernetes/ingress-nginx/pull/8896) updated to new images built today"
### 4.2.0
- Support for Kubernetes v1.19.0 was removed
- "[8810](https://github.com/kubernetes/ingress-nginx/pull/8810) Prepare for v1.3.0"
- "[8808](https://github.com/kubernetes/ingress-nginx/pull/8808) revert arch var name"
- "[8805](https://github.com/kubernetes/ingress-nginx/pull/8805) Bump k8s.io/klog/v2 from 2.60.1 to 2.70.1"
- "[8803](https://github.com/kubernetes/ingress-nginx/pull/8803) Update to nginx base with alpine v3.16"
- "[8802](https://github.com/kubernetes/ingress-nginx/pull/8802) chore: start v1.3.0 release process"
- "[8798](https://github.com/kubernetes/ingress-nginx/pull/8798) Add v1.24.0 to test matrix"
- "[8796](https://github.com/kubernetes/ingress-nginx/pull/8796) fix: add MAC_OS variable for static-check"
- "[8793](https://github.com/kubernetes/ingress-nginx/pull/8793) changed to alpine-v3.16"
- "[8781](https://github.com/kubernetes/ingress-nginx/pull/8781) Bump github.com/stretchr/testify from 1.7.5 to 1.8.0"
- "[8778](https://github.com/kubernetes/ingress-nginx/pull/8778) chore: remove stable.txt from release process"
- "[8775](https://github.com/kubernetes/ingress-nginx/pull/8775) Remove stable"
- "[8773](https://github.com/kubernetes/ingress-nginx/pull/8773) Bump github/codeql-action from 2.1.14 to 2.1.15"
- "[8772](https://github.com/kubernetes/ingress-nginx/pull/8772) Bump ossf/scorecard-action from 1.1.1 to 1.1.2"
- "[8771](https://github.com/kubernetes/ingress-nginx/pull/8771) fix bullet md format"
- "[8770](https://github.com/kubernetes/ingress-nginx/pull/8770) Add condition for monitoring.coreos.com/v1 API"
- "[8769](https://github.com/kubernetes/ingress-nginx/pull/8769) Fix typos and add links to developer guide"
- "[8767](https://github.com/kubernetes/ingress-nginx/pull/8767) change v1.2.0 to v1.2.1 in deploy doc URLs"
- "[8765](https://github.com/kubernetes/ingress-nginx/pull/8765) Bump github/codeql-action from 1.0.26 to 2.1.14"
- "[8752](https://github.com/kubernetes/ingress-nginx/pull/8752) Bump github.com/spf13/cobra from 1.4.0 to 1.5.0"
- "[8751](https://github.com/kubernetes/ingress-nginx/pull/8751) Bump github.com/stretchr/testify from 1.7.2 to 1.7.5"
- "[8750](https://github.com/kubernetes/ingress-nginx/pull/8750) added announcement"
- "[8740](https://github.com/kubernetes/ingress-nginx/pull/8740) change sha e2etestrunner and echoserver"
- "[8738](https://github.com/kubernetes/ingress-nginx/pull/8738) Update docs to make it easier for noobs to follow step by step"
- "[8737](https://github.com/kubernetes/ingress-nginx/pull/8737) updated baseimage sha"
- "[8736](https://github.com/kubernetes/ingress-nginx/pull/8736) set ld-musl-path"
- "[8733](https://github.com/kubernetes/ingress-nginx/pull/8733) feat: migrate leaderelection lock to leases"
- "[8726](https://github.com/kubernetes/ingress-nginx/pull/8726) prometheus metric: upstream_latency_seconds"
- "[8720](https://github.com/kubernetes/ingress-nginx/pull/8720) Ci pin deps"
- "[8719](https://github.com/kubernetes/ingress-nginx/pull/8719) Working OpenTelemetry sidecar (base nginx image)"
- "[8714](https://github.com/kubernetes/ingress-nginx/pull/8714) Create Openssf scorecard"
- "[8708](https://github.com/kubernetes/ingress-nginx/pull/8708) Bump github.com/prometheus/common from 0.34.0 to 0.35.0"
- "[8703](https://github.com/kubernetes/ingress-nginx/pull/8703) Bump actions/dependency-review-action from 1 to 2"
- "[8701](https://github.com/kubernetes/ingress-nginx/pull/8701) Fix several typos"
- "[8699](https://github.com/kubernetes/ingress-nginx/pull/8699) fix the gosec test and a make target for it"
- "[8698](https://github.com/kubernetes/ingress-nginx/pull/8698) Bump actions/upload-artifact from 2.3.1 to 3.1.0"
- "[8697](https://github.com/kubernetes/ingress-nginx/pull/8697) Bump actions/setup-go from 2.2.0 to 3.2.0"
- "[8695](https://github.com/kubernetes/ingress-nginx/pull/8695) Bump actions/download-artifact from 2 to 3"
- "[8694](https://github.com/kubernetes/ingress-nginx/pull/8694) Bump crazy-max/ghaction-docker-buildx from 1.6.2 to 3.3.1"
### 4.1.2
- "[8587](https://github.com/kubernetes/ingress-nginx/pull/8587) Add CAP_SYS_CHROOT to DS/PSP when needed"
- "[8458](https://github.com/kubernetes/ingress-nginx/pull/8458) Add portNamePreffix Helm chart parameter"
- "[8522](https://github.com/kubernetes/ingress-nginx/pull/8522) Add documentation for controller.service.loadBalancerIP in Helm chart"
### 4.1.0
- "[8481](https://github.com/kubernetes/ingress-nginx/pull/8481) Fix log creation in chroot script"
- "[8479](https://github.com/kubernetes/ingress-nginx/pull/8479) changed nginx base img tag to img built with alpine3.14.6"
- "[8478](https://github.com/kubernetes/ingress-nginx/pull/8478) update base images and protobuf gomod"
- "[8468](https://github.com/kubernetes/ingress-nginx/pull/8468) Fallback to ngx.var.scheme for redirectScheme with use-forward-headers when X-Forwarded-Proto is empty"
- "[8456](https://github.com/kubernetes/ingress-nginx/pull/8456) Implement object deep inspector"
- "[8455](https://github.com/kubernetes/ingress-nginx/pull/8455) Update dependencies"
- "[8454](https://github.com/kubernetes/ingress-nginx/pull/8454) Update index.md"
- "[8447](https://github.com/kubernetes/ingress-nginx/pull/8447) typo fixing"
- "[8446](https://github.com/kubernetes/ingress-nginx/pull/8446) Fix suggested annotation-value-word-blocklist"
- "[8444](https://github.com/kubernetes/ingress-nginx/pull/8444) replace deprecated topology key in example with current one"
- "[8443](https://github.com/kubernetes/ingress-nginx/pull/8443) Add dependency review enforcement"
- "[8434](https://github.com/kubernetes/ingress-nginx/pull/8434) added new auth-tls-match-cn annotation"
- "[8426](https://github.com/kubernetes/ingress-nginx/pull/8426) Bump github.com/prometheus/common from 0.32.1 to 0.33.0"
### 4.0.18
"[8291](https://github.com/kubernetes/ingress-nginx/pull/8291) remove git tag env from cloud build"
"[8286](https://github.com/kubernetes/ingress-nginx/pull/8286) Fix OpenTelemetry sidecar image build"
"[8277](https://github.com/kubernetes/ingress-nginx/pull/8277) Add OpenSSF Best practices badge"
"[8273](https://github.com/kubernetes/ingress-nginx/pull/8273) Issue#8241"
"[8267](https://github.com/kubernetes/ingress-nginx/pull/8267) Add fsGroup value to admission-webhooks/job-patch charts"
"[8262](https://github.com/kubernetes/ingress-nginx/pull/8262) Updated confusing error"
"[8256](https://github.com/kubernetes/ingress-nginx/pull/8256) fix: deny locations with invalid auth-url annotation"
"[8253](https://github.com/kubernetes/ingress-nginx/pull/8253) Add a certificate info metric"
"[8236](https://github.com/kubernetes/ingress-nginx/pull/8236) webhook: remove useless code."
"[8227](https://github.com/kubernetes/ingress-nginx/pull/8227) Update libraries in webhook image"
"[8225](https://github.com/kubernetes/ingress-nginx/pull/8225) fix inconsistent-label-cardinality for prometheus metrics: nginx_ingress_controller_requests"
"[8221](https://github.com/kubernetes/ingress-nginx/pull/8221) Do not validate ingresses with unknown ingress class in admission webhook endpoint"
"[8210](https://github.com/kubernetes/ingress-nginx/pull/8210) Bump github.com/prometheus/client_golang from 1.11.0 to 1.12.1"
"[8209](https://github.com/kubernetes/ingress-nginx/pull/8209) Bump google.golang.org/grpc from 1.43.0 to 1.44.0"
"[8204](https://github.com/kubernetes/ingress-nginx/pull/8204) Add Artifact Hub lint"
"[8203](https://github.com/kubernetes/ingress-nginx/pull/8203) Fix Indentation of example and link to cert-manager tutorial"
"[8201](https://github.com/kubernetes/ingress-nginx/pull/8201) feat(metrics): add path and method labels to requests countera"
"[8199](https://github.com/kubernetes/ingress-nginx/pull/8199) use functional options to reduce number of methods creating an EchoDeployment"
"[8196](https://github.com/kubernetes/ingress-nginx/pull/8196) docs: fix inconsistent controller annotation"
"[8191](https://github.com/kubernetes/ingress-nginx/pull/8191) Using Go install for misspell"
"[8186](https://github.com/kubernetes/ingress-nginx/pull/8186) prometheus+grafana using servicemonitor"
"[8185](https://github.com/kubernetes/ingress-nginx/pull/8185) Append elements on match, instead of removing for cors-annotations"
"[8179](https://github.com/kubernetes/ingress-nginx/pull/8179) Bump github.com/opencontainers/runc from 1.0.3 to 1.1.0"
"[8173](https://github.com/kubernetes/ingress-nginx/pull/8173) Adding annotations to the controller service account"
"[8163](https://github.com/kubernetes/ingress-nginx/pull/8163) Update the $req_id placeholder description"
"[8162](https://github.com/kubernetes/ingress-nginx/pull/8162) Versioned static manifests"
"[8159](https://github.com/kubernetes/ingress-nginx/pull/8159) Adding some geoip variables and default values"
"[8155](https://github.com/kubernetes/ingress-nginx/pull/8155) #7271 feat: avoid-pdb-creation-when-default-backend-disabled-and-replicas-gt-1"
"[8151](https://github.com/kubernetes/ingress-nginx/pull/8151) Automatically generate helm docs"
"[8143](https://github.com/kubernetes/ingress-nginx/pull/8143) Allow to configure delay before controller exits"
"[8136](https://github.com/kubernetes/ingress-nginx/pull/8136) add ingressClass option to helm chart - back compatibility with ingress.class annotations"
"[8126](https://github.com/kubernetes/ingress-nginx/pull/8126) Example for JWT"
- "[8291](https://github.com/kubernetes/ingress-nginx/pull/8291) remove git tag env from cloud build"
- "[8286](https://github.com/kubernetes/ingress-nginx/pull/8286) Fix OpenTelemetry sidecar image build"
- "[8277](https://github.com/kubernetes/ingress-nginx/pull/8277) Add OpenSSF Best practices badge"
- "[8273](https://github.com/kubernetes/ingress-nginx/pull/8273) Issue#8241"
- "[8267](https://github.com/kubernetes/ingress-nginx/pull/8267) Add fsGroup value to admission-webhooks/job-patch charts"
- "[8262](https://github.com/kubernetes/ingress-nginx/pull/8262) Updated confusing error"
- "[8256](https://github.com/kubernetes/ingress-nginx/pull/8256) fix: deny locations with invalid auth-url annotation"
- "[8253](https://github.com/kubernetes/ingress-nginx/pull/8253) Add a certificate info metric"
- "[8236](https://github.com/kubernetes/ingress-nginx/pull/8236) webhook: remove useless code."
- "[8227](https://github.com/kubernetes/ingress-nginx/pull/8227) Update libraries in webhook image"
- "[8225](https://github.com/kubernetes/ingress-nginx/pull/8225) fix inconsistent-label-cardinality for prometheus metrics: nginx_ingress_controller_requests"
- "[8221](https://github.com/kubernetes/ingress-nginx/pull/8221) Do not validate ingresses with unknown ingress class in admission webhook endpoint"
- "[8210](https://github.com/kubernetes/ingress-nginx/pull/8210) Bump github.com/prometheus/client_golang from 1.11.0 to 1.12.1"
- "[8209](https://github.com/kubernetes/ingress-nginx/pull/8209) Bump google.golang.org/grpc from 1.43.0 to 1.44.0"
- "[8204](https://github.com/kubernetes/ingress-nginx/pull/8204) Add Artifact Hub lint"
- "[8203](https://github.com/kubernetes/ingress-nginx/pull/8203) Fix Indentation of example and link to cert-manager tutorial"
- "[8201](https://github.com/kubernetes/ingress-nginx/pull/8201) feat(metrics): add path and method labels to requests countera"
- "[8199](https://github.com/kubernetes/ingress-nginx/pull/8199) use functional options to reduce number of methods creating an EchoDeployment"
- "[8196](https://github.com/kubernetes/ingress-nginx/pull/8196) docs: fix inconsistent controller annotation"
- "[8191](https://github.com/kubernetes/ingress-nginx/pull/8191) Using Go install for misspell"
- "[8186](https://github.com/kubernetes/ingress-nginx/pull/8186) prometheus+grafana using servicemonitor"
- "[8185](https://github.com/kubernetes/ingress-nginx/pull/8185) Append elements on match, instead of removing for cors-annotations"
- "[8179](https://github.com/kubernetes/ingress-nginx/pull/8179) Bump github.com/opencontainers/runc from 1.0.3 to 1.1.0"
- "[8173](https://github.com/kubernetes/ingress-nginx/pull/8173) Adding annotations to the controller service account"
- "[8163](https://github.com/kubernetes/ingress-nginx/pull/8163) Update the $req_id placeholder description"
- "[8162](https://github.com/kubernetes/ingress-nginx/pull/8162) Versioned static manifests"
- "[8159](https://github.com/kubernetes/ingress-nginx/pull/8159) Adding some geoip variables and default values"
- "[8155](https://github.com/kubernetes/ingress-nginx/pull/8155) #7271 feat: avoid-pdb-creation-when-default-backend-disabled-and-replicas-gt-1"
- "[8151](https://github.com/kubernetes/ingress-nginx/pull/8151) Automatically generate helm docs"
- "[8143](https://github.com/kubernetes/ingress-nginx/pull/8143) Allow to configure delay before controller exits"
- "[8136](https://github.com/kubernetes/ingress-nginx/pull/8136) add ingressClass option to helm chart - back compatibility with ingress.class annotations"
- "[8126](https://github.com/kubernetes/ingress-nginx/pull/8126) Example for JWT"
### 4.0.15
@@ -44,7 +129,7 @@ This file documents all notable changes to [ingress-nginx](https://github.com/ku
- [8118] https://github.com/kubernetes/ingress-nginx/pull/8118 Remove deprecated libraries, update other libs
- [8117] https://github.com/kubernetes/ingress-nginx/pull/8117 Fix codegen errors
- [8115] https://github.com/kubernetes/ingress-nginx/pull/8115 chart/ghaction: set the correct permission to have access to push a release
- [8098] https://github.com/kubernetes/ingress-nginx/pull/8098 generating SHA for CA only certs in backend_ssl.go + comparision of P…
- [8098] https://github.com/kubernetes/ingress-nginx/pull/8098 generating SHA for CA only certs in backend_ssl.go + comparison of P…
- [8088] https://github.com/kubernetes/ingress-nginx/pull/8088 Fix Edit this page link to use main branch
- [8072] https://github.com/kubernetes/ingress-nginx/pull/8072 Expose GeoIP2 Continent code as variable
- [8061] https://github.com/kubernetes/ingress-nginx/pull/8061 docs(charts): using helm-docs for chart
@@ -54,7 +139,7 @@ This file documents all notable changes to [ingress-nginx](https://github.com/ku
- [8046] https://github.com/kubernetes/ingress-nginx/pull/8046 Report expired certificates (#8045)
- [8044] https://github.com/kubernetes/ingress-nginx/pull/8044 remove G109 check till gosec resolves issues
- [8042] https://github.com/kubernetes/ingress-nginx/pull/8042 docs_multiple_instances_one_cluster_ticket_7543
- [8041] https://github.com/kubernetes/ingress-nginx/pull/8041 docs: fix typo'd executible name
- [8041] https://github.com/kubernetes/ingress-nginx/pull/8041 docs: fix typo'd executable name
- [8035] https://github.com/kubernetes/ingress-nginx/pull/8035 Comment busy owners
- [8029] https://github.com/kubernetes/ingress-nginx/pull/8029 Add stream-snippet as a ConfigMap and Annotation option
- [8023] https://github.com/kubernetes/ingress-nginx/pull/8023 fix nginx compilation flags
@@ -71,7 +156,7 @@ This file documents all notable changes to [ingress-nginx](https://github.com/ku
- [7996] https://github.com/kubernetes/ingress-nginx/pull/7996 doc: improvement
- [7983] https://github.com/kubernetes/ingress-nginx/pull/7983 Fix a couple of misspellings in the annotations documentation.
- [7979] https://github.com/kubernetes/ingress-nginx/pull/7979 allow set annotations for admission Jobs
- [7977] https://github.com/kubernetes/ingress-nginx/pull/7977 Add ssl_reject_handshake to defaul server
- [7977] https://github.com/kubernetes/ingress-nginx/pull/7977 Add ssl_reject_handshake to default server
- [7975] https://github.com/kubernetes/ingress-nginx/pull/7975 add legacy version update v0.50.0 to main changelog
- [7972] https://github.com/kubernetes/ingress-nginx/pull/7972 updated service upstream definition
@@ -119,11 +204,11 @@ This file documents all notable changes to [ingress-nginx](https://github.com/ku
- [7707] https://github.com/kubernetes/ingress-nginx/pull/7707 Release v1.0.2 of ingress-nginx
### 4.0.2
### 4.0.2
- [7681] https://github.com/kubernetes/ingress-nginx/pull/7681 Release v1.0.1 of ingress-nginx
### 4.0.1
### 4.0.1
- [7535] https://github.com/kubernetes/ingress-nginx/pull/7535 Release v1.0.0 ingress-nginx

18
build_system/charts/open-appsec-k8s-nginx-ingress/Chart.yaml
View File

@@ -1,22 +1,16 @@
annotations:
artifacthub.io/changes: |
- "[8459](https://github.com/kubernetes/ingress-nginx/pull/8459) Update default allowed CORS headers"
- "[8202](https://github.com/kubernetes/ingress-nginx/pull/8202) disable modsecurity on error page"
- "[8178](https://github.com/kubernetes/ingress-nginx/pull/8178) Add header Host into mirror annotations"
- "[8213](https://github.com/kubernetes/ingress-nginx/pull/8213) feat: always set auth cookie"
- "[8548](https://github.com/kubernetes/ingress-nginx/pull/8548) Implement reporting status classes in metrics"
- "[8612](https://github.com/kubernetes/ingress-nginx/pull/8612) move so files under /etc/nginx/modules"
- "[8624](https://github.com/kubernetes/ingress-nginx/pull/8624) Add patch to remove root and alias directives"
- "[8623](https://github.com/kubernetes/ingress-nginx/pull/8623) Improve path rule"
- "[helm] Support custom port configuration for internal service (#9846)"
- "Adding resource type to default HPA configuration to resolve issues with Terraform helm chart usage (#9803)"
- "Update Ingress-Nginx version controller-v1.7.1"
artifacthub.io/prerelease: "false"
apiVersion: v2
appVersion: 1.2.1
appVersion: 1.7.1
keywords:
- ingress
- nginx
kubeVersion: '>=1.19.0-0'
kubeVersion: '>=1.20.0-0'
name: open-appsec-k8s-nginx-ingress
sources:
- https://github.com/kubernetes/ingress-nginx
type: application
version: 4.1.4
version: 4.6.1

164
build_system/charts/open-appsec-k8s-nginx-ingress/README.md
View File

@@ -2,16 +2,15 @@
[ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
![Version: 4.0.19](https://img.shields.io/badge/Version-4.0.19-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.3](https://img.shields.io/badge/AppVersion-1.1.3-informational?style=flat-square)
![Version: 4.6.1](https://img.shields.io/badge/Version-4.6.1-informational?style=flat-square) ![AppVersion: 1.7.1](https://img.shields.io/badge/AppVersion-1.7.1-informational?style=flat-square)
To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
This chart bootstraps an ingress-nginx deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
## Prerequisites
## Requirements
- Chart version 3.x.x: Kubernetes v1.16+
- Chart version 4.x.x and above: Kubernetes v1.19+
Kubernetes: `>=1.20.0-0`
## Get Repo Info
@@ -52,10 +51,6 @@ helm upgrade [RELEASE_NAME] [CHART] --install
_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._
### Upgrading With Zero Downtime in Production
By default the ingress-nginx controller has service interruptions whenever it's pods are restarted or redeployed. In order to fix that, see the excellent blog post by Lindsay Landry from Codecademy: [Kubernetes: Nginx and Zero Downtime in Production](https://medium.com/codecademy-engineering/kubernetes-nginx-and-zero-downtime-in-production-2c910c6a5ed8).
### Migrating from stable/nginx-ingress
There are two main ways to migrate a release from `stable/nginx-ingress` to `ingress-nginx/ingress-nginx` chart:
@@ -66,7 +61,6 @@ There are two main ways to migrate a release from `stable/nginx-ingress` to `ing
1. Redirect your DNS traffic from the old controller to the new controller
1. Log traffic from both controllers during this changeover
1. [Uninstall](#uninstall-chart) the old controller once traffic has fully drained from it
1. For details on all of these steps see [Upgrading With Zero Downtime in Production](#upgrading-with-zero-downtime-in-production)
Note that there are some different and upgraded configurations between the two charts, described by Rimas Mocevicius from JFrog in the "Upgrading to ingress-nginx Helm chart" section of [Migrating from Helm chart nginx-ingress to ingress-nginx](https://rimusz.net/migrating-to-ingress-nginx). As the `ingress-nginx/ingress-nginx` chart continues to update, you will want to check current differences by running [helm configuration](#configuration) commands on both charts.
@@ -100,7 +94,7 @@ Previous versions of this chart had a `controller.stats.*` configuration block,
### ExternalDNS Service Configuration
Add an [ExternalDNS](https://github.com/kubernetes-incubator/external-dns) annotation to the LoadBalancer service:
Add an [ExternalDNS](https://github.com/kubernetes-sigs/external-dns) annotation to the LoadBalancer service:
```yaml
controller:
@@ -111,7 +105,7 @@ controller:
### AWS L7 ELB with SSL Termination
Annotate the controller as shown in the [nginx-ingress l7 patch](https://github.com/kubernetes/ingress-nginx/blob/main/deploy/aws/l7/service-l7.yaml):
Annotate the controller as shown in the [nginx-ingress l7 patch](https://github.com/kubernetes/ingress-nginx/blob/ab3a789caae65eec4ad6e3b46b19750b481b6bce/deploy/aws/l7/service-l7.yaml):
```yaml
controller:
@@ -126,19 +120,6 @@ controller:
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
```
### AWS route53-mapper
To configure the LoadBalancer service with the [route53-mapper addon](https://github.com/kubernetes/kops/tree/master/addons/route53-mapper), add the `domainName` annotation and `dns` label:
```yaml
controller:
service:
labels:
dns: "route53"
annotations:
domainName: "kubernetes-example.com"
```
### Additional Internal Load Balancer
This setup is useful when you need both external and internal load balancers but don't want to have multiple ingress controllers and multiple ingress objects per application.
@@ -175,7 +156,7 @@ controller:
internal:
enabled: true
annotations:
# Create internal LB. More informations: https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing
# Create internal LB. More information: https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing
# For GKE versions 1.17 and later
networking.gke.io/load-balancer-type: "Internal"
# For earlier versions
@@ -217,6 +198,21 @@ With nginx-ingress-controller version 0.25+, the nginx ingress controller pod ex
With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521)
#### How the Chart Configures the Hooks
A validating and configuration requires the endpoint to which the request is sent to use TLS. It is possible to set up custom certificates to do this, but in most cases, a self-signed certificate is enough. The setup of this component requires some more complex orchestration when using helm. The steps are created to be idempotent and to allow turning the feature on and off without running into helm quirks.
1. A pre-install hook provisions a certificate into the same namespace using a format compatible with provisioning using end user certificates. If the certificate already exists, the hook exits.
2. The ingress nginx controller pod is configured to use a TLS proxy container, which will load that certificate.
3. Validating and Mutating webhook configurations are created in the cluster.
4. A post-install hook reads the CA from the secret created by step 1 and patches the Validating and Mutating webhook configurations. This process will allow a custom CA provisioned by some other process to also be patched into the webhook configurations. The chosen failure policy is also patched into the webhook configurations
#### Alternatives
It should be possible to use [cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) if a more complete solution is required.
You can enable automatic self-signed TLS certificate provisioning via cert-manager by setting the `controller.admissionWebhooks.certManager.enabled` value to true.
Please ensure that cert-manager is correctly installed and configured.
### Helm Error When Upgrading: spec.clusterIP: Invalid value: ""
If you are upgrading this chart from a version between 0.31.0 and 1.2.2 then you may get an error like this:
@@ -229,10 +225,6 @@ Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13
As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered.
## Requirements
Kubernetes: `>=1.19.0-0`
## Values
| Key | Type | Default | Description |
@@ -240,38 +232,48 @@ Kubernetes: `>=1.19.0-0`
| commonLabels | object | `{}` | |
| controller.addHeaders | object | `{}` | Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers |
| controller.admissionWebhooks.annotations | object | `{}` | |
| controller.admissionWebhooks.certManager.admissionCert.duration | string | `""` | |
| controller.admissionWebhooks.certManager.enabled | bool | `false` | |
| controller.admissionWebhooks.certManager.rootCert.duration | string | `""` | |
| controller.admissionWebhooks.certificate | string | `"/usr/local/certificates/cert"` | |
| controller.admissionWebhooks.createSecretJob.resources | object | `{}` | |
| controller.admissionWebhooks.createSecretJob.securityContext.allowPrivilegeEscalation | bool | `false` | |
| controller.admissionWebhooks.enabled | bool | `true` | |
| controller.admissionWebhooks.existingPsp | string | `""` | Use an existing PSP instead of creating one |
| controller.admissionWebhooks.failurePolicy | string | `"Fail"` | |
| controller.admissionWebhooks.extraEnvs | list | `[]` | Additional environment variables to set |
| controller.admissionWebhooks.failurePolicy | string | `"Fail"` | Admission Webhook failure policy to use |
| controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` | |
| controller.admissionWebhooks.labels | object | `{}` | Labels to be added to admission webhooks |
| controller.admissionWebhooks.namespaceSelector | object | `{}` | |
| controller.admissionWebhooks.networkPolicyEnabled | bool | `false` | |
| controller.admissionWebhooks.objectSelector | object | `{}` | |
| controller.admissionWebhooks.patch.enabled | bool | `true` | |
| controller.admissionWebhooks.patch.fsGroup | int | `2000` | |
| controller.admissionWebhooks.patch.image.digest | string | `"sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660"` | |
| controller.admissionWebhooks.patch.image.digest | string | `"sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f"` | |
| controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | |
| controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | |
| controller.admissionWebhooks.patch.image.registry | string | `"k8s.gcr.io"` | |
| controller.admissionWebhooks.patch.image.tag | string | `"v1.1.1"` | |
| controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | |
| controller.admissionWebhooks.patch.image.tag | string | `"v20230312-helm-chart-4.5.2-28-g66a760794"` | |
| controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources |
| controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | |
| controller.admissionWebhooks.patch.podAnnotations | object | `{}` | |
| controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job |
| controller.admissionWebhooks.patch.runAsUser | int | `2000` | |
| controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job # |
| controller.admissionWebhooks.patch.securityContext.fsGroup | int | `2000` | |
| controller.admissionWebhooks.patch.securityContext.runAsNonRoot | bool | `true` | |
| controller.admissionWebhooks.patch.securityContext.runAsUser | int | `2000` | |
| controller.admissionWebhooks.patch.tolerations | list | `[]` | |
| controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` | |
| controller.admissionWebhooks.patchWebhookJob.securityContext.allowPrivilegeEscalation | bool | `false` | |
| controller.admissionWebhooks.port | int | `8443` | |
| controller.admissionWebhooks.service.annotations | object | `{}` | |
| controller.admissionWebhooks.service.externalIPs | list | `[]` | |
| controller.admissionWebhooks.service.loadBalancerSourceRanges | list | `[]` | |
| controller.admissionWebhooks.service.servicePort | int | `443` | |
| controller.admissionWebhooks.service.type | string | `"ClusterIP"` | |
| controller.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes |
| controller.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity # |
| controller.allowSnippetAnnotations | bool | `true` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected |
| controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet |
| controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # |
| controller.autoscaling.annotations | object | `{}` | |
| controller.autoscaling.apiVersion | string | `"autoscaling/v2"` | |
| controller.autoscaling.behavior | object | `{}` | |
| controller.autoscaling.enabled | bool | `false` | |
| controller.autoscaling.maxReplicas | int | `11` | |
@@ -288,14 +290,15 @@ Kubernetes: `>=1.19.0-0`
| controller.customTemplate.configMapName | string | `""` | |
| controller.dnsConfig | object | `{}` | Optionally customize the pod dnsConfig. |
| controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. |
| controller.electionID | string | `"ingress-controller-leader"` | Election ID to use for status update |
| controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. |
| controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' |
| controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # |
| controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-aware-hints="auto" Defaults to false |
| controller.existingPsp | string | `""` | Use an existing PSP instead of creating one |
| controller.extraArgs | object | `{}` | Additional command line arguments to pass to nginx-ingress-controller E.g. to specify the default SSL certificate you can use |
| controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. |
| controller.extraEnvs | list | `[]` | Additional environment variables to set |
| controller.extraInitContainers | list | `[]` | Containers, which are run before the app containers are started. |
| controller.extraModules | list | `[]` | |
| controller.extraModules | list | `[]` | Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module |
| controller.extraVolumeMounts | list | `[]` | Additional volumeMounts to the controller main container. |
| controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. |
| controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the ingress nginx controller is running in the `hostNetwork: true` mode. |
@@ -306,12 +309,14 @@ Kubernetes: `>=1.19.0-0`
| controller.hostPort.ports.https | int | `443` | 'hostPort' https port |
| controller.hostname | object | `{}` | Optionally customize the pod hostname. |
| controller.image.allowPrivilegeEscalation | bool | `true` | |
| controller.image.digest | string | `"sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2"` | |
| controller.image.chroot | bool | `false` | |
| controller.image.digest | string | `"sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407"` | |
| controller.image.digestChroot | string | `"sha256:e35d5ab487861b9d419c570e3530589229224a0762c7b4d2e2222434abb8d988"` | |
| controller.image.image | string | `"ingress-nginx/controller"` | |
| controller.image.pullPolicy | string | `"IfNotPresent"` | |
| controller.image.registry | string | `"k8s.gcr.io"` | |
| controller.image.registry | string | `"registry.k8s.io"` | |
| controller.image.runAsUser | int | `101` | |
| controller.image.tag | string | `"v1.1.3"` | |
| controller.image.tag | string | `"v1.7.1"` | |
| controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation |
| controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
| controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass |
@@ -330,8 +335,8 @@ Kubernetes: `>=1.19.0-0`
| controller.keda.scaledObject.annotations | object | `{}` | |
| controller.keda.triggers | list | `[]` | |
| controller.kind | string | `"Deployment"` | Use a `DaemonSet` or `Deployment` |
| controller.labels | object | `{}` | Labels to be added to the controller Deployment or DaemonSet and other resources that do not have option to specify labels |
| controller.lifecycle | object | `{"preStop":{"exec":{"command":["/wait-shutdown"]}}}` | Improve connection draining when ingress controller pod is deleted using a lifecycle hook: With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds to 300, allowing the draining of connections up to five minutes. If the active connections end before that, the pod will terminate gracefully at that time. To effectively take advantage of this feature, the Configmap feature worker-shutdown-timeout new value is 240s instead of 10s. |
| controller.labels | object | `{}` | Labels to be added to the controller Deployment or DaemonSet and other resources that do not have option to specify labels # |
| controller.lifecycle | object | `{"preStop":{"exec":{"command":["/wait-shutdown"]}}}` | Improve connection draining when ingress controller pod is deleted using a lifecycle hook: With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds to 300, allowing the draining of connections up to five minutes. If the active connections end before that, the pod will terminate gracefully at that time. To effectively take advantage of this feature, the Configmap feature worker-shutdown-timeout new value is 240s instead of 10s. # |
| controller.livenessProbe.failureThreshold | int | `5` | |
| controller.livenessProbe.httpGet.path | string | `"/healthz"` | |
| controller.livenessProbe.httpGet.port | int | `10254` | |
@@ -340,14 +345,16 @@ Kubernetes: `>=1.19.0-0`
| controller.livenessProbe.periodSeconds | int | `10` | |
| controller.livenessProbe.successThreshold | int | `1` | |
| controller.livenessProbe.timeoutSeconds | int | `1` | |
| controller.maxmindLicenseKey | string | `""` | Maxmind license key to download GeoLite2 Databases. |
| controller.maxmindLicenseKey | string | `""` | Maxmind license key to download GeoLite2 Databases. # https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases |
| controller.metrics.enabled | bool | `false` | |
| controller.metrics.port | int | `10254` | |
| controller.metrics.portName | string | `"metrics"` | |
| controller.metrics.prometheusRule.additionalLabels | object | `{}` | |
| controller.metrics.prometheusRule.enabled | bool | `false` | |
| controller.metrics.prometheusRule.rules | list | `[]` | |
| controller.metrics.service.annotations | object | `{}` | |
| controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available |
| controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available # Ref: https://kubernetes.io/docs/user-guide/services/#external-ips # |
| controller.metrics.service.labels | object | `{}` | Labels to be added to the metrics service resource |
| controller.metrics.service.loadBalancerSourceRanges | list | `[]` | |
| controller.metrics.service.servicePort | int | `10254` | |
| controller.metrics.service.type | string | `"ClusterIP"` | |
@@ -359,11 +366,14 @@ Kubernetes: `>=1.19.0-0`
| controller.metrics.serviceMonitor.relabelings | list | `[]` | |
| controller.metrics.serviceMonitor.scrapeInterval | string | `"30s"` | |
| controller.metrics.serviceMonitor.targetLabels | list | `[]` | |
| controller.minAvailable | int | `1` | |
| controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready |
| controller.minAvailable | int | `1` | Define either 'minAvailable' or 'maxUnavailable', never both. |
| controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
| controller.name | string | `"controller"` | |
| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment |
| controller.podAnnotations | object | `{}` | Annotations to be added to controller pods |
| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ # |
| controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | |
| controller.opentelemetry.enabled | bool | `false` | |
| controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:40f766ac4a9832f36f217bb0e98d44c8d38faeccbfe861fbc1a76af7e9ab257f"` | |
| controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # |
| controller.podLabels | object | `{}` | Labels to add to the pod container metadata |
| controller.podSecurityContext | object | `{}` | Security Context policies for controller pods |
| controller.priorityClassName | string | `""` | |
@@ -387,18 +397,21 @@ Kubernetes: `>=1.19.0-0`
| controller.scope.namespace | string | `""` | Namespace to limit the controller to; defaults to $(POD_NAMESPACE) |
| controller.scope.namespaceSelector | string | `""` | When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. |
| controller.service.annotations | object | `{}` | |
| controller.service.appProtocol | bool | `true` | If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http It allows choosing the protocol for each backend specified in the Kubernetes service. See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244 Will be ignored for Kubernetes versions older than 1.20 |
| controller.service.appProtocol | bool | `true` | If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http It allows choosing the protocol for each backend specified in the Kubernetes service. See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244 Will be ignored for Kubernetes versions older than 1.20 # |
| controller.service.enableHttp | bool | `true` | |
| controller.service.enableHttps | bool | `true` | |
| controller.service.enabled | bool | `true` | |
| controller.service.external.enabled | bool | `true` | |
| controller.service.externalIPs | list | `[]` | List of IP addresses at which the controller services are available |
| controller.service.externalIPs | list | `[]` | List of IP addresses at which the controller services are available # Ref: https://kubernetes.io/docs/user-guide/services/#external-ips # |
| controller.service.internal.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. |
| controller.service.internal.enabled | bool | `false` | Enables an additional internal load balancer (besides the external one). |
| controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. |
| controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically based on cluster configuration and the ipFamilyPolicy field. |
| controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack-ness requested or required by this Service. Possible values are SingleStack, PreferDualStack or RequireDualStack. The ipFamilies and clusterIPs fields depend on the value of this field. |
| controller.service.internal.ports | object | `{}` | Custom port mapping for internal service |
| controller.service.internal.targetPorts | object | `{}` | Custom target port mapping for internal service |
| controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically based on cluster configuration and the ipFamilyPolicy field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ |
| controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack-ness requested or required by this Service. Possible values are SingleStack, PreferDualStack or RequireDualStack. The ipFamilies and clusterIPs fields depend on the value of this field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ |
| controller.service.labels | object | `{}` | |
| controller.service.loadBalancerIP | string | `""` | Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer |
| controller.service.loadBalancerSourceRanges | list | `[]` | |
| controller.service.nodePorts.http | string | `""` | |
| controller.service.nodePorts.https | string | `""` | |
@@ -409,25 +422,26 @@ Kubernetes: `>=1.19.0-0`
| controller.service.targetPorts.http | string | `"http"` | |
| controller.service.targetPorts.https | string | `"https"` | |
| controller.service.type | string | `"LoadBalancer"` | |
| controller.shareProcessNamespace | bool | `false` | This can be used for example to signal log rotation using `kill -USR1` from a sidecar. |
| controller.shareProcessNamespace | bool | `false` | |
| controller.sysctls | object | `{}` | See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls |
| controller.tcp.annotations | object | `{}` | Annotations to be added to the tcp config configmap |
| controller.tcp.configMapNamespace | string | `""` | Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE) |
| controller.terminationGracePeriodSeconds | int | `300` | `terminationGracePeriodSeconds` to avoid killing pods before we are ready |
| controller.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints |
| controller.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. |
| controller.terminationGracePeriodSeconds | int | `300` | `terminationGracePeriodSeconds` to avoid killing pods before we are ready # wait up to five minutes for the drain of connections # |
| controller.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # |
| controller.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. # Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ # |
| controller.udp.annotations | object | `{}` | Annotations to be added to the udp config configmap |
| controller.udp.configMapNamespace | string | `""` | Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE) |
| controller.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet |
| controller.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # |
| controller.watchIngressWithoutClass | bool | `false` | Process Ingress objects without ingressClass annotation/ingressClassName field Overrides value for --watch-ingress-without-class flag of the controller binary Defaults to false |
| defaultBackend.affinity | object | `{}` | |
| defaultBackend.autoscaling.annotations | object | `{}` | |
| defaultBackend.autoscaling.apiVersion | string | `"autoscaling/v2"` | |
| defaultBackend.autoscaling.enabled | bool | `false` | |
| defaultBackend.autoscaling.maxReplicas | int | `2` | |
| defaultBackend.autoscaling.minReplicas | int | `1` | |
| defaultBackend.autoscaling.targetCPUUtilizationPercentage | int | `50` | |
| defaultBackend.autoscaling.targetMemoryUtilizationPercentage | int | `50` | |
| defaultBackend.containerSecurityContext | object | `{}` | Security Context policies for controller main container. See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls |
| defaultBackend.containerSecurityContext | object | `{}` | Security Context policies for controller main container. See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # |
| defaultBackend.enabled | bool | `false` | |
| defaultBackend.existingPsp | string | `""` | Use an existing PSP instead of creating one |
| defaultBackend.extraArgs | object | `{}` | |
@@ -438,7 +452,7 @@ Kubernetes: `>=1.19.0-0`
| defaultBackend.image.image | string | `"defaultbackend-amd64"` | |
| defaultBackend.image.pullPolicy | string | `"IfNotPresent"` | |
| defaultBackend.image.readOnlyRootFilesystem | bool | `true` | |
| defaultBackend.image.registry | string | `"k8s.gcr.io"` | |
| defaultBackend.image.registry | string | `"registry.k8s.io"` | |
| defaultBackend.image.runAsNonRoot | bool | `true` | |
| defaultBackend.image.runAsUser | int | `65534` | |
| defaultBackend.image.tag | string | `"1.5"` | |
@@ -449,11 +463,12 @@ Kubernetes: `>=1.19.0-0`
| defaultBackend.livenessProbe.successThreshold | int | `1` | |
| defaultBackend.livenessProbe.timeoutSeconds | int | `5` | |
| defaultBackend.minAvailable | int | `1` | |
| defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
| defaultBackend.name | string | `"defaultbackend"` | |
| defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment |
| defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods |
| defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ # |
| defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # |
| defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata |
| defaultBackend.podSecurityContext | object | `{}` | Security Context policies for controller pods See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls |
| defaultBackend.podSecurityContext | object | `{}` | Security Context policies for controller pods See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # |
| defaultBackend.port | int | `8080` | |
| defaultBackend.priorityClassName | string | `""` | |
| defaultBackend.readinessProbe.failureThreshold | int | `6` | |
@@ -464,24 +479,25 @@ Kubernetes: `>=1.19.0-0`
| defaultBackend.replicaCount | int | `1` | |
| defaultBackend.resources | object | `{}` | |
| defaultBackend.service.annotations | object | `{}` | |
| defaultBackend.service.externalIPs | list | `[]` | List of IP addresses at which the default backend service is available |
| defaultBackend.service.externalIPs | list | `[]` | List of IP addresses at which the default backend service is available # Ref: https://kubernetes.io/docs/user-guide/services/#external-ips # |
| defaultBackend.service.loadBalancerSourceRanges | list | `[]` | |
| defaultBackend.service.servicePort | int | `80` | |
| defaultBackend.service.type | string | `"ClusterIP"` | |
| defaultBackend.serviceAccount.automountServiceAccountToken | bool | `true` | |
| defaultBackend.serviceAccount.create | bool | `true` | |
| defaultBackend.serviceAccount.name | string | `""` | |
| defaultBackend.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints |
| dhParam | string | `nil` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` |
| imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials |
| defaultBackend.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # |
| defaultBackend.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # |
| dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param |
| imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |
| podSecurityPolicy.enabled | bool | `false` | |
| portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration |
| rbac.create | bool | `true` | |
| rbac.scope | bool | `false` | |
| revisionHistoryLimit | int | `10` | Rollback limit |
| revisionHistoryLimit | int | `10` | Rollback limit # |
| serviceAccount.annotations | object | `{}` | Annotations for the controller service account |
| serviceAccount.automountServiceAccountToken | bool | `true` | |
| serviceAccount.create | bool | `true` | |
| serviceAccount.name | string | `""` | |
| tcp | object | `{}` | TCP service key:value pairs |
| udp | object | `{}` | UDP service key:value pairs |
| tcp | object | `{}` | TCP service key-value pairs # Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md # |
| udp | object | `{}` | UDP service key-value pairs # Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md # |

48
build_system/charts/open-appsec-k8s-nginx-ingress/README.md.gotmpl
View File

@@ -7,10 +7,7 @@ To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.c
This chart bootstraps an ingress-nginx deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
## Prerequisites
- Chart version 3.x.x: Kubernetes v1.16+
- Chart version 4.x.x and above: Kubernetes v1.19+
{{ template "chart.requirementsSection" . }}
## Get Repo Info
@@ -51,10 +48,6 @@ helm upgrade [RELEASE_NAME] [CHART] --install
_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._
### Upgrading With Zero Downtime in Production
By default the ingress-nginx controller has service interruptions whenever it's pods are restarted or redeployed. In order to fix that, see the excellent blog post by Lindsay Landry from Codecademy: [Kubernetes: Nginx and Zero Downtime in Production](https://medium.com/codecademy-engineering/kubernetes-nginx-and-zero-downtime-in-production-2c910c6a5ed8).
### Migrating from stable/nginx-ingress
There are two main ways to migrate a release from `stable/nginx-ingress` to `ingress-nginx/ingress-nginx` chart:
@@ -65,7 +58,6 @@ There are two main ways to migrate a release from `stable/nginx-ingress` to `ing
1. Redirect your DNS traffic from the old controller to the new controller
1. Log traffic from both controllers during this changeover
1. [Uninstall](#uninstall-chart) the old controller once traffic has fully drained from it
1. For details on all of these steps see [Upgrading With Zero Downtime in Production](#upgrading-with-zero-downtime-in-production)
Note that there are some different and upgraded configurations between the two charts, described by Rimas Mocevicius from JFrog in the "Upgrading to ingress-nginx Helm chart" section of [Migrating from Helm chart nginx-ingress to ingress-nginx](https://rimusz.net/migrating-to-ingress-nginx). As the `ingress-nginx/ingress-nginx` chart continues to update, you will want to check current differences by running [helm configuration](#configuration) commands on both charts.
@@ -99,7 +91,7 @@ Previous versions of this chart had a `controller.stats.*` configuration block,
### ExternalDNS Service Configuration
Add an [ExternalDNS](https://github.com/kubernetes-incubator/external-dns) annotation to the LoadBalancer service:
Add an [ExternalDNS](https://github.com/kubernetes-sigs/external-dns) annotation to the LoadBalancer service:
```yaml
controller:
@@ -110,7 +102,7 @@ controller:
### AWS L7 ELB with SSL Termination
Annotate the controller as shown in the [nginx-ingress l7 patch](https://github.com/kubernetes/ingress-nginx/blob/main/deploy/aws/l7/service-l7.yaml):
Annotate the controller as shown in the [nginx-ingress l7 patch](https://github.com/kubernetes/ingress-nginx/blob/ab3a789caae65eec4ad6e3b46b19750b481b6bce/deploy/aws/l7/service-l7.yaml):
```yaml
controller:
@@ -125,19 +117,6 @@ controller:
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
```
### AWS route53-mapper
To configure the LoadBalancer service with the [route53-mapper addon](https://github.com/kubernetes/kops/tree/master/addons/route53-mapper), add the `domainName` annotation and `dns` label:
```yaml
controller:
service:
labels:
dns: "route53"
annotations:
domainName: "kubernetes-example.com"
```
### Additional Internal Load Balancer
This setup is useful when you need both external and internal load balancers but don't want to have multiple ingress controllers and multiple ingress objects per application.
@@ -174,7 +153,7 @@ controller:
internal:
enabled: true
annotations:
# Create internal LB. More informations: https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing
# Create internal LB. More information: https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing
# For GKE versions 1.17 and later
networking.gke.io/load-balancer-type: "Internal"
# For earlier versions
@@ -216,6 +195,21 @@ With nginx-ingress-controller version 0.25+, the nginx ingress controller pod ex
With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521)
#### How the Chart Configures the Hooks
A validating and configuration requires the endpoint to which the request is sent to use TLS. It is possible to set up custom certificates to do this, but in most cases, a self-signed certificate is enough. The setup of this component requires some more complex orchestration when using helm. The steps are created to be idempotent and to allow turning the feature on and off without running into helm quirks.
1. A pre-install hook provisions a certificate into the same namespace using a format compatible with provisioning using end user certificates. If the certificate already exists, the hook exits.
2. The ingress nginx controller pod is configured to use a TLS proxy container, which will load that certificate.
3. Validating and Mutating webhook configurations are created in the cluster.
4. A post-install hook reads the CA from the secret created by step 1 and patches the Validating and Mutating webhook configurations. This process will allow a custom CA provisioned by some other process to also be patched into the webhook configurations. The chosen failure policy is also patched into the webhook configurations
#### Alternatives
It should be possible to use [cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) if a more complete solution is required.
You can enable automatic self-signed TLS certificate provisioning via cert-manager by setting the `controller.admissionWebhooks.certManager.enabled` value to true.
Please ensure that cert-manager is correctly installed and configured.
### Helm Error When Upgrading: spec.clusterIP: Invalid value: ""
If you are upgrading this chart from a version between 0.31.0 and 1.2.2 then you may get an error like this:
@@ -228,8 +222,4 @@ Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13
As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered.
{{ template "chart.requirementsSection" . }}
{{ template "chart.valuesSection" . }}
{{ template "helm-docs.versionFooter" . }}

9
build_system/charts/open-appsec-k8s-nginx-ingress/changelog.md.gotmpl Normal file
View File

@@ -0,0 +1,9 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### {{ .NewHelmChartVersion }}
{{ with .HelmUpdates }}
{{ range . }}* {{ . }}
{{ end }}{{ end }}
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-{{ .PreviousHelmChartVersion }}...helm-chart-{{ .NewHelmChartVersion }}

0
build_system/charts/open-appsec-k8s-nginx-ingress/changelog/.gitkeep Normal file
View File

13
build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.5.2.md Normal file
View File

@@ -0,0 +1,13 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.5.2
* add lint on chart before release (#9570)
* ci: remove setup-helm step (#9404)
* feat(helm): Optionally use cert-manager instead admission patch (#9279)
* run helm release on main only and when the chart/value changes only (#9290)
* Update Ingress-Nginx version controller-v1.6.4
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.4.3...helm-chart-4.5.2

24
build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.6.0.md Normal file
View File

@@ -0,0 +1,24 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.5.3
* docs(helm): fix value key in readme for enabling certManager (#9640)
* Upgrade alpine 3.17.2
* Upgrade golang 1.20
* Drop testing/support for Kubernetes 1.23
* docs(helm): fix value key in readme for enabling certManager (#9640)
* Update Ingress-Nginx version controller-v1.7.0
* feat: OpenTelemetry module integration (#9062)
* canary-weight-total annotation ignored in rule backends (#9729)
* fix controller psp's volume config (#9740)
* Fix several Helm YAML issues with extraModules and extraInitContainers (#9709)
* Chart: Drop `controller.headers`, rework DH param secret. (#9659)
* Deployment/DaemonSet: Label pods using `ingress-nginx.labels`. (#9732)
* HPA: autoscaling/v2beta1 deprecated, bump apiVersion to v2 for defaultBackend (#9731)
* Fix incorrect annotation name in upstream hashing configuration (#9617)
* Update Ingress-Nginx version controller-v1.7.0
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.5.2...helm-chart-4.6.0

11
build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.6.1.md Normal file
View File

@@ -0,0 +1,11 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.6.1
* [helm] Support custom port configuration for internal service (#9846)
* Adding resource type to default HPA configuration to resolve issues with Terraform helm chart usage (#9803)
* Update Ingress-Nginx version controller-v1.7.1
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.6.0...helm-chart-4.6.1

6
build_system/charts/open-appsec-k8s-nginx-ingress/ci/controller-admission-tls-cert-manager-values.yaml Normal file
View File

@@ -0,0 +1,6 @@
controller:
admissionWebhooks:
certManager:
enabled: true
service:
type: ClusterIP

8
build_system/charts/open-appsec-k8s-nginx-ingress/ci/deployment-extra-modules-default-container-sec-context.yaml Normal file
View File

@@ -0,0 +1,8 @@
controller:
service:
type: ClusterIP
containerSecurityContext:
allowPrivilegeEscalation: false
extraModules:
- name: opentelemetry
image: busybox

8
build_system/charts/open-appsec-k8s-nginx-ingress/ci/deployment-extra-modules-specific-container-sec-context.yaml Normal file
View File

@@ -0,0 +1,8 @@
controller:
service:
type: ClusterIP
extraModules:
- name: opentelemetry
image: busybox
containerSecurityContext:
allowPrivilegeEscalation: false

6
build_system/charts/open-appsec-k8s-nginx-ingress/ci/deployment-internal-lb-values.yaml
View File

@@ -7,3 +7,9 @@ controller:
enabled: true
annotations:
service.beta.kubernetes.io/aws-load-balancer-internal: "true"
ports:
http: 443
https: 80
targetPorts:
http: 443
https: 80

12
build_system/charts/open-appsec-k8s-nginx-ingress/ci/deployment-webhook-extraEnvs-values.yaml Normal file
View File

@@ -0,0 +1,12 @@
controller:
service:
type: ClusterIP
admissionWebhooks:
enabled: true
extraEnvs:
- name: FOO
value: foo
- name: TEST
value: test
patch:
enabled: true

2
build_system/charts/open-appsec-k8s-nginx-ingress/crds/crd-openappsec-practice.yaml
View File

@@ -109,7 +109,7 @@ spec:
configmap:
type: array
items:
type: string
type: string
openapi-schema-validation:
type: object
properties:

80
build_system/charts/open-appsec-k8s-nginx-ingress/crds/crd-openappsec-sources-identifier.yaml
View File

@@ -1,40 +1,40 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata :
name : sourcesidentifiers.openappsec.io
spec:
group: openappsec.io
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: array
items:
type: object
properties:
sourceIdentifier:
type: string
enum:
- headerkey
- JWTKey
- cookie
- sourceip
- x-forwarded-for
value:
type: array
items:
type: string
scope: Cluster
names:
plural: sourcesidentifiers
singular: sourcesidentifier
kind: SourcesIdentifier
shortNames:
- sourcesidentifier
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata :
name : sourcesidentifiers.openappsec.io
spec:
group: openappsec.io
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: array
items:
type: object
properties:
sourceIdentifier:
type: string
enum:
- headerkey
- JWTKey
- cookie
- sourceip
- x-forwarded-for
value:
type: array
items:
type: string
scope: Cluster
names:
plural: sourcesidentifiers
singular: sourcesidentifier
kind: SourcesIdentifier
shortNames:
- sourcesidentifier

64
build_system/charts/open-appsec-k8s-nginx-ingress/crds/crd-openappsec-trusted-sources.yaml
View File

@@ -1,32 +1,32 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata :
name : trustedsources.openappsec.io
spec:
group: openappsec.io
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
minNumOfSources:
type: integer
sourcesIdentifiers:
type: array
items:
type: string
scope: Cluster
names:
plural: trustedsources
singular: trustedsource
kind: TrustedSource
shortNames:
- trustedsource
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata :
name : trustedsources.openappsec.io
spec:
group: openappsec.io
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
minNumOfSources:
type: integer
sourcesIdentifiers:
type: array
items:
type: string
scope: Cluster
names:
plural: trustedsources
singular: trustedsource
kind: TrustedSource
shortNames:
- trustedsource

27
build_system/charts/open-appsec-k8s-nginx-ingress/templates/_helpers.tpl
View File

@@ -85,6 +85,16 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.controller.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Construct a unique electionID.
Users can provide an override for an explicit electionID if they want via `.Values.controller.electionID`
*/}}
{{- define "ingress-nginx.controller.electionID" -}}
{{- $defElectionID := printf "%s-leader" (include "ingress-nginx.fullname" .) -}}
{{- $electionID := default $defElectionID .Values.controller.electionID -}}
{{- print $electionID -}}
{{- end -}}
{{/*
Construct the path for the publish-service.
@@ -183,3 +193,20 @@ IngressClass parameters.
{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4}}
{{ end }}
{{- end -}}
{{/*
Extra modules.
*/}}
{{- define "extraModules" -}}
- name: {{ .name }}
image: {{ .image }}
command: ['sh', '-c', '/usr/local/bin/init_module.sh']
{{- if (.containerSecurityContext) }}
securityContext: {{ .containerSecurityContext | toYaml | nindent 4 }}
{{- end }}
volumeMounts:
- name: {{ toYaml "modules"}}
mountPath: {{ toYaml "/modules_mount"}}
{{- end -}}

5
build_system/charts/open-appsec-k8s-nginx-ingress/templates/_params.tpl
View File

@@ -10,7 +10,7 @@
- --publish-service={{ template "ingress-nginx.controller.publishServicePath" . }}-internal
{{- end }}
{{- end }}
- --election-id={{ .Values.controller.electionID }}
- --election-id={{ include "ingress-nginx.controller.electionID" . }}
- --controller-class={{ .Values.controller.ingressClassResource.controllerValue }}
{{- if .Values.controller.ingressClass }}
- --ingress-class={{ .Values.controller.ingressClass }}
@@ -51,6 +51,9 @@
{{- if .Values.controller.watchIngressWithoutClass }}
- --watch-ingress-without-class=true
{{- end }}
{{- if .Values.controller.enableTopologyAwareRouting }}
- --enable-topology-aware-routing=true
{{- end }}
{{- range $key, $value := .Values.controller.extraArgs }}
{{- /* Accept keys without values or with false as value */}}
{{- if eq ($value | quote | len) 2 }}

63
build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/cert-manager.yaml Normal file
View File

@@ -0,0 +1,63 @@
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.certManager.enabled -}}
{{- if not .Values.controller.admissionWebhooks.certManager.issuerRef -}}
# Create a selfsigned Issuer, in order to create a root CA certificate for
# signing webhook serving certificates
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ include "ingress-nginx.fullname" . }}-self-signed-issuer
namespace: {{ .Release.Namespace }}
spec:
selfSigned: {}
---
# Generate a CA Certificate used to sign certificates for the webhook
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ include "ingress-nginx.fullname" . }}-root-cert
namespace: {{ .Release.Namespace }}
spec:
secretName: {{ include "ingress-nginx.fullname" . }}-root-cert
duration: {{ .Values.controller.admissionWebhooks.certManager.rootCert.duration | default "43800h0m0s" | quote }}
issuerRef:
name: {{ include "ingress-nginx.fullname" . }}-self-signed-issuer
commonName: "ca.webhook.ingress-nginx"
isCA: true
subject:
organizations:
- ingress-nginx
---
# Create an Issuer that uses the above generated CA certificate to issue certs
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ include "ingress-nginx.fullname" . }}-root-issuer
namespace: {{ .Release.Namespace }}
spec:
ca:
secretName: {{ include "ingress-nginx.fullname" . }}-root-cert
{{- end }}
---
# generate a server certificate for the apiservices to use
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
namespace: {{ .Release.Namespace }}
spec:
secretName: {{ include "ingress-nginx.fullname" . }}-admission
duration: {{ .Values.controller.admissionWebhooks.certManager.admissionCert.duration | default "8760h0m0s" | quote }}
issuerRef:
{{- if .Values.controller.admissionWebhooks.certManager.issuerRef }}
{{- toYaml .Values.controller.admissionWebhooks.certManager.issuerRef | nindent 4 }}
{{- else }}
name: {{ include "ingress-nginx.fullname" . }}-root-issuer
{{- end }}
dnsNames:
- {{ include "ingress-nginx.controller.fullname" . }}-admission
- {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ .Release.Namespace }}
- {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ .Release.Namespace }}.svc
subject:
organizations:
- ingress-nginx-admission
{{- end -}}

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/clusterrole.yaml
View File

@@ -1,4 +1,4 @@
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:

4
build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
View File

@@ -1,8 +1,8 @@
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
name: {{ include "ingress-nginx.fullname" . }}-admission
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded

16
build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/job-createSecret.yaml
View File

@@ -1,4 +1,4 @@
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: batch/v1
kind: Job
metadata:
@@ -56,8 +56,12 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
securityContext:
allowPrivilegeEscalation: false
{{- if .Values.controller.admissionWebhooks.extraEnvs }}
{{- toYaml .Values.controller.admissionWebhooks.extraEnvs | nindent 12 }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.createSecretJob.securityContext }}
securityContext: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.securityContext | nindent 12 }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.createSecretJob.resources }}
resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }}
{{- end }}
@@ -69,8 +73,8 @@ spec:
{{- if .Values.controller.admissionWebhooks.patch.tolerations }}
tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.patch.securityContext }}
securityContext:
runAsNonRoot: true
runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }}
fsGroup: {{ .Values.controller.admissionWebhooks.patch.fsGroup }}
{{- toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
{{- end }}
{{- end }}

16
build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
View File

@@ -1,4 +1,4 @@
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: batch/v1
kind: Job
metadata:
@@ -58,8 +58,12 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
securityContext:
allowPrivilegeEscalation: false
{{- if .Values.controller.admissionWebhooks.extraEnvs }}
{{- toYaml .Values.controller.admissionWebhooks.extraEnvs | nindent 12 }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.patchWebhookJob.securityContext }}
securityContext: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.securityContext | nindent 12 }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.patchWebhookJob.resources }}
resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }}
{{- end }}
@@ -71,8 +75,8 @@ spec:
{{- if .Values.controller.admissionWebhooks.patch.tolerations }}
tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.patch.securityContext }}
securityContext:
runAsNonRoot: true
runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }}
fsGroup: {{ .Values.controller.admissionWebhooks.patch.fsGroup }}
{{- toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
{{- end }}
{{- end }}

26
build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/networkpolicy.yaml Normal file
View File

@@ -0,0 +1,26 @@
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.networkPolicyEnabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: admission-webhook
{{- with .Values.controller.admissionWebhooks.patch.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
podSelector:
matchLabels:
{{- include "ingress-nginx.labels" . | nindent 6 }}
app.kubernetes.io/component: admission-webhook
policyTypes:
- Ingress
- Egress
egress:
- {}
{{- end }}

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/psp.yaml
View File

@@ -1,3 +1,4 @@
{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
@@ -37,3 +38,4 @@ spec:
- secret
- downwardAPI
{{- end }}
{{- end }}

4
build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/role.yaml
View File

@@ -1,8 +1,8 @@
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
name: {{ include "ingress-nginx.fullname" . }}-admission
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/rolebinding.yaml
View File

@@ -1,4 +1,4 @@
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/serviceaccount.yaml
View File

@@ -1,4 +1,4 @@
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: v1
kind: ServiceAccount
metadata:

7
build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/validating-webhook.yaml
View File

@@ -4,8 +4,13 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
annotations:
{{- if .Values.controller.admissionWebhooks.certManager.enabled }}
certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "ingress-nginx.fullname" .) | quote }}
cert-manager.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "ingress-nginx.fullname" .) | quote }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.annotations }}
annotations: {{ toYaml .Values.controller.admissionWebhooks.annotations | nindent 4 }}
{{- toYaml .Values.controller.admissionWebhooks.annotations | nindent 4 }}
{{- end }}
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}

4
build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec-learning-pvc.yaml
View File

@@ -1,4 +1,4 @@
{{- if and (eq "stand-alone" .Values.appsec.mode) (eq .Values.appsec.persistence.enabled true) -}}
{{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.persistence.enabled true) -}}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
@@ -17,4 +17,4 @@ spec:
{{- else }}
storageClassName: {{ required "A storage class for learning data is required" .Values.appsec.persistence.learning.storageClass.name }}
{{- end -}}
{{- end }}
{{- end }}

15
build_system/charts/open-appsec-k8s-nginx-ingress/templates/clusterrole.yaml
View File

@@ -29,6 +29,13 @@ rules:
verbs:
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- list
- watch
{{- if and .Values.controller.scope.enabled .Values.controller.scope.namespace }}
- apiGroups:
- ""
@@ -82,6 +89,14 @@ rules:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- get
- apiGroups:
- openappsec.io
resources:

9
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap-proxyheaders.yaml
View File

@@ -1,4 +1,4 @@
{{- if or .Values.controller.proxySetHeaders .Values.controller.headers -}}
{{- if .Values.controller.proxySetHeaders -}}
apiVersion: v1
kind: ConfigMap
metadata:
@@ -10,10 +10,5 @@ metadata:
{{- end }}
name: {{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
namespace: {{ .Release.Namespace }}
data:
{{- if .Values.controller.proxySetHeaders }}
{{ toYaml .Values.controller.proxySetHeaders | indent 2 }}
{{ else if and .Values.controller.headers (not .Values.controller.proxySetHeaders) }}
{{ toYaml .Values.controller.headers | indent 2 }}
{{- end }}
data: {{ toYaml .Values.controller.proxySetHeaders | nindent 2 }}
{{- end }}

7
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-configmap.yaml
View File

@@ -17,13 +17,12 @@ data:
{{- if .Values.controller.addHeaders }}
add-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers
{{- end }}
{{- if or .Values.controller.proxySetHeaders .Values.controller.headers }}
{{- if .Values.controller.proxySetHeaders }}
proxy-set-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
{{- end }}
{{- if .Values.dhParam }}
ssl-dh-param: {{ printf "%s/%s" .Release.Namespace (include "ingress-nginx.controller.fullname" .) }}
ssl-dh-param: {{ .Release.Namespace }}/{{ include "ingress-nginx.controller.fullname" . }}
{{- end }}
{{- range $key, $value := .Values.controller.config }}
{{- $key | nindent 2 }}: {{ $value | quote }}
{{- $key | nindent 2 }}: {{ $value | quote }}
{{- end }}

28
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-daemonset.yaml
View File

@@ -33,7 +33,7 @@ spec:
{{- end }}
{{- end }}
labels:
{{- include "ingress-nginx.selectorLabels" . | nindent 8 }}
{{- include "ingress-nginx.labels" . | nindent 8 }}
app.kubernetes.io/component: controller
{{- with .Values.controller.labels }}
{{- toYaml . | nindent 8 }}
@@ -102,8 +102,12 @@ spec:
{{- if .Values.controller.startupProbe }}
startupProbe: {{ toYaml .Values.controller.startupProbe | nindent 12 }}
{{- end }}
{{- if .Values.controller.livenessProbe }}
livenessProbe: {{ toYaml .Values.controller.livenessProbe | nindent 12 }}
{{- end }}
{{- if .Values.controller.readinessProbe }}
readinessProbe: {{ toYaml .Values.controller.readinessProbe | nindent 12 }}
{{- end }}
ports:
{{- range $key, $value := .Values.controller.containerPort }}
- name: {{ $key }}
@@ -114,7 +118,7 @@ spec:
{{- end }}
{{- end }}
{{- if .Values.controller.metrics.enabled }}
- name: metrics
- name: {{ .Values.controller.metrics.portName }}
containerPort: {{ .Values.controller.metrics.port }}
protocol: TCP
{{- end }}
@@ -174,11 +178,14 @@ spec:
{{- end }}
{{- if .Values.controller.extraModules }}
{{- range .Values.controller.extraModules }}
- name: {{ .Name }}
image: {{ .Image }}
command: ['sh', '-c', '/usr/local/bin/init_module.sh']
{{ $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{ include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | indent 8 }}
{{- end }}
{{- end }}
{{- if .Values.controller.opentelemetry.enabled}}
{{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext) | nindent 8}}
{{- end}}
{{- end }}
{{- if .Values.controller.hostNetwork }}
hostNetwork: {{ .Values.controller.hostNetwork }}
@@ -197,9 +204,9 @@ spec:
{{- end }}
serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules) }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
volumes:
{{- if .Values.controller.extraModules }}
{{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}}
- name: modules
emptyDir: {}
{{- end }}
@@ -215,6 +222,13 @@ spec:
- name: webhook-cert
secret:
secretName: {{ include "ingress-nginx.fullname" . }}-admission
{{- if .Values.controller.admissionWebhooks.certManager.enabled }}
items:
- key: tls.crt
path: cert
- key: tls.key
path: key
{{- end }}
{{- end }}
{{- if .Values.controller.extraVolumes }}
{{ toYaml .Values.controller.extraVolumes | nindent 8 }}

122
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-deployment.yaml
View File

@@ -37,7 +37,7 @@ spec:
{{- end }}
{{- end }}
labels:
{{- include "ingress-nginx.selectorLabels" . | nindent 8 }}
{{- include "ingress-nginx.labels" . | nindent 8 }}
app.kubernetes.io/component: controller
{{- with .Values.controller.labels }}
{{- toYaml . | nindent 8 }}
@@ -76,9 +76,59 @@ spec:
shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }}
{{- end }}
containers:
- name: {{ .Values.appsec.name }}
securityContext:
{{ toYaml .Values.appsec.securityContext | nindent 12 }}
{{- with .Values.appsec.image }}
image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}"
{{- end }}
command:
- {{ .Values.appsec.command }}
imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
args:
{{- if (eq "standalone" .Values.appsec.mode) }}
- --hybrid-mode
- --token
- cp-3fb5c718-5e39-47e6-8d5e-99b4bc5660b74b4b7fc8-5312-451d-a763-aaf7872703c0
{{- else }}
- --token
- {{ .Values.appsec.agentToken }}
{{- end -}}
{{- if .Values.appsec.customFog.enabled }}
- --fog
- {{ .Values.appsec.customFog.fogAddress }}
{{- end }}
{{- if .Values.appsec.proxy }}
- --proxy
- {{ .Values.appsec.proxy }}
{{- end }}
imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
env:
- name: user_email
value: {{ .Values.appsec.userEmail }}
{{- if eq .Values.appsec.playground false }}
- name: SHARED_STORAGE_HOST
value: {{ .Values.appsec.storage.name }}-svc
- name: LEARNING_HOST
value: {{ .Values.appsec.learning.name }}-svc
{{- else }}
- name: PLAYGROUND
value: "true"
{{- end }}
resources:
{{ toYaml .Values.resources | nindent 12 }}
volumeMounts:
- name: advanced-model
mountPath: /advanced-model
{{- if .Values.appsec.persistence.enabled }}
- name: appsec-conf
mountPath: /etc/cp/conf
- name: appsec-data
mountPath: /etc/cp/data
{{- end }}
- name: {{ .Values.controller.containerName }}
{{- with .Values.controller.image }}
image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}{{- if .tag }}:{{ .tag }}{{- end -}}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}"
{{- end }}
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
{{- if .Values.controller.lifecycle }}
@@ -106,8 +156,12 @@ spec:
{{- if .Values.controller.startupProbe }}
startupProbe: {{ toYaml .Values.controller.startupProbe | nindent 12 }}
{{- end }}
{{- if .Values.controller.livenessProbe }}
livenessProbe: {{ toYaml .Values.controller.livenessProbe | nindent 12 }}
{{- end }}
{{- if .Values.controller.readinessProbe }}
readinessProbe: {{ toYaml .Values.controller.readinessProbe | nindent 12 }}
{{- end }}
ports:
{{- range $key, $value := .Values.controller.containerPort }}
- name: {{ $key }}
@@ -118,7 +172,7 @@ spec:
{{- end }}
{{- end }}
{{- if .Values.controller.metrics.enabled }}
- name: metrics
- name: {{ .Values.controller.metrics.portName }}
containerPort: {{ .Values.controller.metrics.port }}
protocol: TCP
{{- end }}
@@ -143,11 +197,15 @@ spec:
hostPort: {{ $key }}
{{- end }}
{{- end }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules) }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
volumeMounts:
{{- if .Values.controller.extraModules }}
{{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
- name: modules
{{ if .Values.controller.image.chroot }}
mountPath: /chroot/modules_mount
{{ else }}
mountPath: /modules_mount
{{ end }}
{{- end }}
{{- if .Values.controller.customTemplate.configMapName }}
- mountPath: /etc/nginx/template
@@ -166,51 +224,24 @@ spec:
{{- if .Values.controller.resources }}
resources: {{ toYaml .Values.controller.resources | nindent 12 }}
{{- end }}
- name: {{ .Values.appsec.name }}
securityContext:
{{ toYaml .Values.appsec.securityContext | nindent 12 }}
{{- with .Values.appsec.image }}
image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}"
{{- end }}
args:
- --token
- {{ .Values.appsec.agentToken }}
{{- if .Values.appsec.customFog.enabled }}
- --fog
- {{ .Values.appsec.customFog.fogAddress }}
{{- end }}
{{- if .Values.appsec.proxy }}
- --proxy
- {{ .Values.appsec.proxy }}
{{- end }}
command:
- {{ .Values.appsec.command }}
imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
resources:
{{ toYaml .Values.resources | nindent 12 }}
volumeMounts:
- name: appsec-conf
mountPath: /etc/cp/conf
- name: appsec-data
mountPath: /etc/cp/data
{{- if .Values.controller.extraContainers }}
{{ toYaml .Values.controller.extraContainers | nindent 8 }}
{{- end }}
{{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }}
{{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
initContainers:
{{- if .Values.controller.extraInitContainers }}
{{ toYaml .Values.controller.extraInitContainers | nindent 8 }}
{{- end }}
{{- if .Values.controller.extraModules }}
{{- range .Values.controller.extraModules }}
- name: {{ .name }}
image: {{ .image }}
command: ['sh', '-c', '/usr/local/bin/init_module.sh']
volumeMounts:
- name: modules
mountPath: /modules_mount
{{ $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{ include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | indent 8 }}
{{- end }}
{{- end }}
{{- if .Values.controller.opentelemetry.enabled}}
{{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext) | nindent 8}}
{{- end}}
{{- end }}
{{- if .Values.controller.hostNetwork }}
hostNetwork: {{ .Values.controller.hostNetwork }}
@@ -234,10 +265,10 @@ spec:
persistentVolumeClaim:
claimName: {{ .Values.appsec.name }}-conf
- name: appsec-data
persistentVolumeClaim:
persistentVolumeClaim:
claimName: {{ .Values.appsec.name }}-data
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules) }}
{{- if .Values.controller.extraModules }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
{{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}}
- name: modules
emptyDir: {}
{{- end }}
@@ -253,6 +284,13 @@ spec:
- name: webhook-cert
secret:
secretName: {{ include "ingress-nginx.fullname" . }}-admission
{{- if .Values.controller.admissionWebhooks.certManager.enabled }}
items:
- key: tls.crt
path: cert
- key: tls.key
path: key
{{- end }}
{{- end }}
{{- if .Values.controller.extraVolumes }}
{{ toYaml .Values.controller.extraVolumes | nindent 8 }}

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-hpa.yaml
View File

@@ -1,7 +1,7 @@
{{- if and .Values.controller.autoscaling.enabled (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}}
{{- if not .Values.controller.keda.enabled }}
apiVersion: autoscaling/v2beta2
apiVersion: {{ .Values.controller.autoscaling.apiVersion }}
kind: HorizontalPodAutoscaler
metadata:
annotations:

4
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-poddisruptionbudget.yaml
View File

@@ -15,5 +15,9 @@ spec:
matchLabels:
{{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: controller
{{- if .Values.controller.minAvailable }}
minAvailable: {{ .Values.controller.minAvailable }}
{{- else if .Values.controller.maxUnavailable }}
maxUnavailable: {{ .Values.controller.maxUnavailable }}
{{- end }}
{{- end }}

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-prometheusrules.yaml
View File

@@ -1,4 +1,4 @@
{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.prometheusRule.enabled -}}
{{- if and ( .Values.controller.metrics.enabled ) ( .Values.controller.metrics.prometheusRule.enabled ) ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) -}}
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:

6
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-psp.yaml
View File

@@ -1,3 +1,4 @@
{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
{{- if and .Values.podSecurityPolicy.enabled (empty .Values.controller.existingPsp) -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
@@ -27,9 +28,9 @@ spec:
volumes:
- 'configMap'
- 'emptyDir'
#- 'projected'
- 'projected'
- 'secret'
#- 'downwardAPI'
- 'downwardAPI'
{{- if .Values.controller.hostNetwork }}
hostNetwork: {{ .Values.controller.hostNetwork }}
{{- end }}
@@ -90,3 +91,4 @@ spec:
seLinux:
rule: 'RunAsAny'
{{- end }}
{{- end }}

18
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-role.yaml
View File

@@ -59,18 +59,18 @@ rules:
- list
- watch
- apiGroups:
- ""
- coordination.k8s.io
resources:
- configmaps
- leases
resourceNames:
- {{ .Values.controller.electionID }}
- {{ include "ingress-nginx.controller.electionID" . }}
verbs:
- get
- update
- apiGroups:
- ""
- coordination.k8s.io
resources:
- configmaps
- leases
verbs:
- create
- apiGroups:
@@ -80,6 +80,14 @@ rules:
verbs:
- create
- patch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- get
- apiGroups:
- openappsec.io
resources:

15
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-secret.yaml Normal file
View File

@@ -0,0 +1,15 @@
{{- if .Values.dhParam -}}
apiVersion: v1
kind: Secret
metadata:
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- with .Values.controller.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ .Release.Namespace }}
data:
dhparam.pem: {{ .Values.dhParam }}
{{- end }}

8
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service-internal.yaml
View File

@@ -29,9 +29,9 @@ spec:
{{- $setNodePorts := (or (eq .Values.controller.service.type "NodePort") (eq .Values.controller.service.type "LoadBalancer")) }}
{{- if .Values.controller.service.enableHttp }}
- name: http
port: {{ .Values.controller.service.ports.http }}
port: {{ .Values.controller.service.internal.ports.http | default .Values.controller.service.ports.http }}
protocol: TCP
targetPort: {{ .Values.controller.service.targetPorts.http }}
targetPort: {{ .Values.controller.service.internal.targetPorts.http | default .Values.controller.service.targetPorts.http }}
{{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
appProtocol: http
{{- end }}
@@ -41,9 +41,9 @@ spec:
{{- end }}
{{- if .Values.controller.service.enableHttps }}
- name: https
port: {{ .Values.controller.service.ports.https }}
port: {{ .Values.controller.service.internal.ports.https | default .Values.controller.service.ports.https }}
protocol: TCP
targetPort: {{ .Values.controller.service.targetPorts.https }}
targetPort: {{ .Values.controller.service.internal.targetPorts.https | default .Values.controller.service.targetPorts.https }}
{{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
appProtocol: https
{{- end }}

4
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service-metrics.yaml
View File

@@ -31,10 +31,10 @@ spec:
externalTrafficPolicy: {{ .Values.controller.metrics.service.externalTrafficPolicy }}
{{- end }}
ports:
- name: metrics
- name: {{ .Values.controller.metrics.portName }}
port: {{ .Values.controller.metrics.service.servicePort }}
protocol: TCP
targetPort: metrics
targetPort: {{ .Values.controller.metrics.portName }}
{{- $setNodePorts := (or (eq .Values.controller.metrics.service.type "NodePort") (eq .Values.controller.metrics.service.type "LoadBalancer")) }}
{{- if (and $setNodePorts (not (empty .Values.controller.metrics.service.nodePort))) }}
nodePort: {{ .Values.controller.metrics.service.nodePort }}

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-serviceaccount.yaml
View File

@@ -12,7 +12,7 @@ metadata:
namespace: {{ .Release.Namespace }}
{{- if .Values.serviceAccount.annotations }}
annotations:
{{ toYaml .Values.serviceAccount.annotations | indent 4 }}
{{- toYaml .Values.serviceAccount.annotations | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end }}

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-servicemonitor.yaml
View File

@@ -14,7 +14,7 @@ metadata:
{{- end }}
spec:
endpoints:
- port: metrics
- port: {{ .Values.controller.metrics.portName }}
interval: {{ .Values.controller.metrics.serviceMonitor.scrapeInterval }}
{{- if .Values.controller.metrics.serviceMonitor.honorLabels }}
honorLabels: true

57
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-statefulset.yaml
View File

@@ -37,7 +37,7 @@ spec:
{{- end }}
{{- end }}
labels:
{{- include "ingress-nginx.selectorLabels" . | nindent 8 }}
{{- include "ingress-nginx.labels" . | nindent 8 }}
app.kubernetes.io/component: controller
{{- with .Values.controller.labels }}
{{- toYaml . | nindent 8 }}
@@ -85,8 +85,8 @@ spec:
command:
- {{ .Values.appsec.command }}
imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
args:
{{- if (eq "stand-alone" .Values.appsec.mode) }}
args:
{{- if (eq "standalone" .Values.appsec.mode) }}
- --hybrid-mode
- --token
- cp-3fb5c718-5e39-47e6-8d5e-99b4bc5660b74b4b7fc8-5312-451d-a763-aaf7872703c0
@@ -101,9 +101,11 @@ spec:
{{- if .Values.appsec.proxy }}
- --proxy
- {{ .Values.appsec.proxy }}
{{- end }}
{{- end }}
imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
env:
- name: user_email
value: {{ .Values.appsec.userEmail }}
{{- if eq .Values.appsec.playground false }}
- name: SHARED_STORAGE_HOST
value: {{ .Values.appsec.storage.name }}-svc
@@ -122,8 +124,8 @@ spec:
- name: appsec-conf
mountPath: /etc/cp/conf
- name: appsec-data
mountPath: /etc/cp/data
{{- end }}
mountPath: /etc/cp/data
{{- end }}
- name: {{ .Values.controller.containerName }}
{{- with .Values.controller.image }}
image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}"
@@ -132,7 +134,7 @@ spec:
{{- if .Values.controller.lifecycle }}
lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }}
{{- end }}
args:
args:
{{- include "ingress-nginx.params" . | nindent 12 }}
securityContext: {{ include "controller.containerSecurityContext" . | nindent 12 }}
env:
@@ -150,12 +152,16 @@ spec:
{{- end }}
{{- if .Values.controller.extraEnvs }}
{{- toYaml .Values.controller.extraEnvs | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.controller.startupProbe }}
startupProbe: {{ toYaml .Values.controller.startupProbe | nindent 12 }}
{{- end }}
{{- if .Values.controller.livenessProbe }}
livenessProbe: {{ toYaml .Values.controller.livenessProbe | nindent 12 }}
{{- end }}
{{- if .Values.controller.readinessProbe }}
readinessProbe: {{ toYaml .Values.controller.readinessProbe | nindent 12 }}
{{- end }}
ports:
{{- range $key, $value := .Values.controller.containerPort }}
- name: {{ $key }}
@@ -166,7 +172,7 @@ spec:
{{- end }}
{{- end }}
{{- if .Values.controller.metrics.enabled }}
- name: metrics
- name: {{ .Values.controller.metrics.portName }}
containerPort: {{ .Values.controller.metrics.port }}
protocol: TCP
{{- end }}
@@ -191,11 +197,15 @@ spec:
hostPort: {{ $key }}
{{- end }}
{{- end }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules) }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
volumeMounts:
{{- if .Values.controller.extraModules }}
{{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
- name: modules
{{ if .Values.controller.image.chroot }}
mountPath: /chroot/modules_mount
{{ else }}
mountPath: /modules_mount
{{ end }}
{{- end }}
{{- if .Values.controller.customTemplate.configMapName }}
- mountPath: /etc/nginx/template
@@ -217,21 +227,21 @@ spec:
{{- if .Values.controller.extraContainers }}
{{ toYaml .Values.controller.extraContainers | nindent 8 }}
{{- end }}
{{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }}
{{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
initContainers:
{{- if .Values.controller.extraInitContainers }}
{{ toYaml .Values.controller.extraInitContainers | nindent 8 }}
{{- end }}
{{- if .Values.controller.extraModules }}
{{- range .Values.controller.extraModules }}
- name: {{ .name }}
image: {{ .image }}
command: ['sh', '-c', '/usr/local/bin/init_module.sh']
volumeMounts:
- name: modules
mountPath: /modules_mount
{{ $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{ include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | indent 8 }}
{{- end }}
{{- end }}
{{- if .Values.controller.opentelemetry.enabled}}
{{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext) | nindent 8}}
{{- end}}
{{- end }}
{{- if .Values.controller.hostNetwork }}
hostNetwork: {{ .Values.controller.hostNetwork }}
@@ -250,13 +260,13 @@ spec:
{{- end }}
serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules) }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
volumes:
- name: advanced-model
configMap:
name: advanced-model-config
optional: true
{{- if .Values.controller.extraModules }}
{{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}}
- name: modules
emptyDir: {}
{{- end }}
@@ -272,6 +282,13 @@ spec:
- name: webhook-cert
secret:
secretName: {{ include "ingress-nginx.fullname" . }}-admission
{{- if .Values.controller.admissionWebhooks.certManager.enabled }}
items:
- key: tls.crt
path: cert
- key: tls.key
path: key
{{- end }}
{{- end }}
{{- if .Values.controller.extraVolumes }}
{{ toYaml .Values.controller.extraVolumes | nindent 8 }}

19
build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-webhooks-networkpolicy.yaml Normal file
View File

@@ -0,0 +1,19 @@
{{- if .Values.controller.admissionWebhooks.enabled }}
{{- if .Values.controller.admissionWebhooks.networkPolicyEnabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ include "ingress-nginx.fullname" . }}-webhooks-allow
namespace: {{ .Release.Namespace }}
spec:
ingress:
- {}
podSelector:
matchLabels:
app.kubernetes.io/name: {{ include "ingress-nginx.name" . }}
policyTypes:
- Ingress
{{- end }}
{{- end }}

5
build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-deployment.yaml
View File

@@ -19,6 +19,11 @@ spec:
replicas: {{ .Values.defaultBackend.replicaCount }}
{{- end }}
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
{{- if .Values.defaultBackend.updateStrategy }}
strategy:
{{ toYaml .Values.defaultBackend.updateStrategy | nindent 4 }}
{{- end }}
minReadySeconds: {{ .Values.defaultBackend.minReadySeconds }}
template:
metadata:
{{- if .Values.defaultBackend.podAnnotations }}

10
build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-hpa.yaml
View File

@@ -1,5 +1,5 @@
{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.autoscaling.enabled }}
apiVersion: autoscaling/v2beta1
apiVersion: {{ .Values.defaultBackend.autoscaling.apiVersion }}
kind: HorizontalPodAutoscaler
metadata:
labels:
@@ -22,12 +22,16 @@ spec:
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ . }}
target:
type: Utilization
averageUtilization: {{ . }}
{{- end }}
{{- with .Values.defaultBackend.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
targetAverageUtilization: {{ . }}
target:
type: Utilization
averageUtilization: {{ . }}
{{- end }}
{{- end }}

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-psp.yaml
View File

@@ -1,3 +1,4 @@
{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
{{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled (empty .Values.defaultBackend.existingPsp) -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
@@ -34,3 +35,4 @@ spec:
- secret
- downwardAPI
{{- end }}
{{- end }}

10
build_system/charts/open-appsec-k8s-nginx-ingress/templates/dh-param-secret.yaml
View File

@@ -1,10 +0,0 @@
{{- with .Values.dhParam -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "ingress-nginx.controller.fullname" $ }}
labels:
{{- include "ingress-nginx.labels" $ | nindent 4 }}
data:
dhparam.pem: {{ . }}
{{- end }}

4
build_system/charts/open-appsec-k8s-nginx-ingress/templates/learning-deployment.yaml
View File

@@ -1,4 +1,4 @@
{{- if and (eq "stand-alone" .Values.appsec.mode) (eq .Values.appsec.playground false) }}
{{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.playground false) }}
apiVersion: apps/v1
kind: Deployment
metadata:
@@ -53,7 +53,7 @@ spec:
timeoutSeconds: 10
env:
- name: APPSEC_MODE
value: {{ .Values.appsec.mode }}
value: stand-alone
- name: RP_BASEURL
value: http://{{ .Values.appsec.storage.name }}-svc/api
- name: K8S_NAMESPACE

2
build_system/charts/open-appsec-k8s-nginx-ingress/templates/learning-services.yaml
View File

@@ -1,4 +1,4 @@
{{- if and (eq "stand-alone" .Values.appsec.mode) (eq .Values.appsec.playground false) }}
{{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.playground false) }}
apiVersion: v1
kind: Service
metadata:

1799
build_system/charts/open-appsec-k8s-nginx-ingress/values.yaml
View File

File diff suppressed because it is too large Load Diff

152
build_system/charts/open-appsec-kong/CHANGELOG.md
View File

@@ -1,8 +1,158 @@
# Changelog
## Unreleased
## 2.22.0
### Improvements
* Removed redundant RBAC permissions for non-existing subresources `secrets/status`
and `endpoints/status`.
[#798](https://github.com/Kong/charts/pull/798)
* For Kong Ingress Controller in version >= 2.10, RBAC permissions for `Endpoints`
are not configured anymore (because it uses `EndpointSlices`).
[#798](https://github.com/Kong/charts/pull/798)
* Added support for setting `certificates.cluster.commonName`. This allows a custom
certificate `CommonName` to be provided when deploying Kong Gateway in hybrid
mode using Cert Manager [#804](https://github.com/Kong/charts/pull/804)
## 2.21.0
### Improvements
* Added support for `startupProbe` on Kong pods. This can be configured via
`.Values.startupProbe`. To maintain backward compatibility, it is disabled by default.
[#792](https://github.com/Kong/charts/pull/792)
* Customize Admission Webhook namespaceSelectors and compose them from values.
[#794](https://github.com/Kong/charts/pull/794)
* Added `CustomResourceDefinition` `list` and `watch` permissions to controller's ClusterRole.
[#796](https://github.com/Kong/charts/pull/796)
## 2.20.2
### Fixed
* Automatic license provisioning for Gateways managed by Ingress Controllers in Konnect mode
is disabled by default.
To enable it, set `.Values.ingressController.konnect.license.enabled=true`.
[#793](https://github.com/Kong/charts/pull/793)
## 2.20.1
### Fixed
* Fix correct timestamp format and remove `isCA` in certificates
[#791](https://github.com/Kong/charts/pull/791)
## 2.20.0
### Improvements
* Added support for automatic license provisioning for Gateways managed by
Ingress Controllers in Konnect mode (`.Values.ingressController.konnect.enabled=true`).
[#787](https://github.com/Kong/charts/pull/787)
## 2.19.1
### Fixed
* Fix `webhook-cert` being mounted regardless if `.Values.ingressController.enabled`
is set.
[#779](https://github.com/Kong/charts/pull/779)
## 2.19.0
### Improvements
* Security context enforces read-only root filesystem by default. This is not
expected to affect most configurations, but [will affect custom plugins that
write to the container filesystem](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#2170).
[#770](https://github.com/Kong/charts/pull/770)
## 2.18.0
### Improvements
* Added support for the Admin API service TLS client verification.
[#780](https://github.com/Kong/charts/pull/780
## 2.17.1
### Fixed
* The `-redhat` suffix on official KIC images is no longer considered part of
the semver string for version checks.
[#779](https://github.com/Kong/charts/pull/779)
## 2.17.0
### Improvements
* Added support for controller's gateway discovery.
With `ingressController.gatewayDiscovery.enabled` set to `true` Kong Ingress Controller
will enable gateway discovery using an Admin API service.
For more information on this please see [the corresponding README.md section][kic_gateway_discovery_readme].
This feature is only available when deploying chart with Kong Ingress Controller in version 2.9 or higher.
[#747](https://github.com/Kong/charts/pull/747)
* Added experimental support for the ingress controller's Konnect sync feature via `ingressController.konnect.*` values.
This feature is only available when deploying chart with Kong Ingress Controller in version 2.9 or higher and
requires `ingressController.gatewayDiscovery.enabled` set to `true`.
[#746](https://github.com/Kong/charts/pull/746)
* Added support for annotations on the admission webhook ValidatingWebhookConfiguration.
[#760](https://github.com/Kong/charts/pull/760)
* Added support for `subject` and `privateKey` properties on certificates.
[#762](https://github.com/Kong/charts/pull/762)
* Added support for loadBalancerClass in LoadBalancer type services.
[#767](https://github.com/Kong/charts/pull/767)
* Added support for `GRPCRoute`s.
[#772](https://github.com/Kong/charts/pull/772)
* Default Kong version is bumped to 3.2.
[#773](https://github.com/Kong/charts/pull/773)
* Added support for admissionhook to include labels.
[#768](https://github.com/Kong/charts/pull/768)
### Under the hood
* Add kube-linter to the CI pipeline to ensure produced manifests comply
with community best practices.
[#751](https://github.com/Kong/charts/pull/751)
[kic_gateway_discovery_readme]: ./README.md#the-gatewaydiscovery-section
## 2.16.5
### Fixed
* Fix autoscaling version detection.
[#752](https://github.com/Kong/charts/pull/752)
* Don't include a clear-stale-pid initContainer when kong gateway is not
enabled in the deployment.
[#749](https://github.com/Kong/charts/pull/749)
## 2.16.4
### Fixed
* HorizontalPodAutoscaler's API version is detected properly.
[#744](https://github.com/Kong/charts/pull/744)
## 2.16.3
### Fixed
* Fix template issue preventing custom dblessconfig volume from being mounted.
[#741](https://github.com/Kong/charts/pull/741)
## 2.16.2
### Fixed
* The admission webhook is disabled when the ingress controller is disabled, as
the admission webhook requires a service provided by the ingress controller.
## 2.16.1
### Fixed
### Fixed
* serviceAccount projected volume is properly provisioned for GKE clusters >= 1.20.
[#735](https://github.com/Kong/charts/pull/735)

4
build_system/charts/open-appsec-kong/Chart.yaml
View File

@@ -1,5 +1,5 @@
apiVersion: v2
appVersion: "3.1"
appVersion: "3.2"
dependencies:
- condition: postgresql.enabled
name: postgresql
@@ -16,4 +16,4 @@ maintainers:
name: open-appsec-kong
sources:
- https://github.com/Kong/charts/tree/main/charts/kong
version: 2.16.1
version: 2.22.0

127
build_system/charts/open-appsec-kong/README.md
View File

@@ -52,6 +52,7 @@ $ helm install kong/kong --generate-name
- [Configuration](#configuration)
- [Kong parameters](#kong-parameters)
- [Kong Service Parameters](#kong-service-parameters)
- [Admin Service mTLS](#admin-service-mtls)
- [Stream listens](#stream-listens)
- [Ingress Controller Parameters](#ingress-controller-parameters)
- [The `env` section](#the-env-section)
@@ -335,6 +336,9 @@ first and then upgrade the data plane release](https://docs.konghq.com/gateway/l
#### Certificates
> This example shows how to use Kong Hybrid mode with `cluster_mtls: shared`.
> For an example of `cluster_mtls: pki` see the [hybrid-cert-manager example](https://github.com/Kong/charts/blob/main/charts/kong/example-values/hybrid-cert-manager/)
Hybrid mode uses TLS to secure the CP/DP node communication channel, and
requires certificates for it. You can generate these either using `kong hybrid
gen_cert` on a local Kong installation or using OpenSSL:
@@ -431,7 +435,7 @@ admin:
```yaml
env:
role: data_plane
database: off
database: "off"
cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt
cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key
lua_ssl_trusted_certificate: /etc/secrets/kong-cluster-cert/tls.crt
@@ -462,7 +466,7 @@ should, however, migrate to an issuer using a CA your clients trust for actual
usage.
The `proxy`, `admin`, `portal`, and `cluster` subsections under `certificates`
let you choose hostnames or override issuers on a per-certificate basis for the
let you choose hostnames, override issuers, set `subject` or set `privateKey` on a per-certificate basis for the
proxy, admin API and Manager, Portal and Portal API, and hybrid mode mTLS
services, respectively.
@@ -668,6 +672,7 @@ or `ingress` sections, as it is used only for stream listens.
| SVC.tls.parameters | Array of additional listen parameters | `["http2"]` |
| SVC.type | k8s service type. Options: NodePort, ClusterIP, LoadBalancer | |
| SVC.clusterIP | k8s service clusterIP | |
| SVC.loadBalancerClass | loadBalancerClass to use for LoadBalancer provisionning | |
| SVC.loadBalancerSourceRanges | Limit service access to CIDRs if set and service type is `LoadBalancer` | `[]` |
| SVC.loadBalancerIP | Reuse an existing ingress static IP for the service | |
| SVC.externalIPs | IPs for which nodes in the cluster will also accept traffic for the servic | `[]` |
@@ -682,6 +687,17 @@ or `ingress` sections, as it is used only for stream listens.
| SVC.annotations | Service annotations | `{}` |
| SVC.labels | Service labels | `{}` |
#### Admin Service mTLS
On top of the common parameters listed above, the `admin` service supports parameters for mTLS client verification.
If any of `admin.tls.client.caBundle` or `admin.tls.client.secretName` are set, the admin service will be configured to
require mTLS client verification. If both are set, `admin.tls.client.caBundle` will take precedence.
| Parameter | Description | Default |
|-----------------------------|---------------------------------------------------------------------------------------------|---------|
| admin.tls.client.caBundle | CA certificate to use for TLS verification of the Admin API client (PEM-encoded). | `""` |
| admin.tls.client.secretName | CA certificate secret name - must contain a `tls.crt` key with the PEM-encoded certificate. | `""` |
#### Stream listens
The proxy configuration additionally supports creating stream listens. These
@@ -701,30 +717,46 @@ are configured using an array of objects under `proxy.stream` and `udpProxy.stre
All of the following properties are nested under the `ingressController`
section of `values.yaml` file:
| Parameter | Description | Default |
|-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------|
| enabled | Deploy the ingress controller, rbac and crd | true |
| image.repository | Docker image with the ingress controller | kong/kubernetes-ingress-controller |
| image.tag | Version of the ingress controller | 2.0 |
| image.effectiveSemver | Version of the ingress controller used for version-specific features when image.tag is not a valid semantic version | |
| readinessProbe | Kong ingress controllers readiness probe | |
| livenessProbe | Kong ingress controllers liveness probe | |
| installCRDs | Legacy toggle for Helm 2-style CRD management. Should not be set [unless necessary due to cluster permissions](#removing-cluster-scoped-permissions). | false |
| env | Specify Kong Ingress Controller configuration via environment variables | |
| customEnv | Specify custom environment variables (without the CONTROLLER_ prefix) | |
| ingressClass | The name of this controller's ingressClass | kong |
| ingressClassAnnotations | The ingress-class value for controller | kong |
| args | List of ingress-controller cli arguments | [] |
| watchNamespaces | List of namespaces to watch. Watches all namespaces if empty | [] |
| admissionWebhook.enabled | Whether to enable the validating admission webhook | true |
| admissionWebhook.failurePolicy | How unrecognized errors from the admission endpoint are handled (Ignore or Fail) | Ignore |
| admissionWebhook.port | The port the ingress controller will listen on for admission webhooks | 8080 |
| admissionWebhook.certificate.provided | Use a provided certificate. When set to false, the chart will automatically generate a certificate. | false |
| admissionWebhook.certificate.secretName | Name of the TLS secret for the provided webhook certificate | |
| admissionWebhook.certificate.caBundle | PEM encoded CA bundle which will be used to validate the provided webhook certificate | |
| deployment.userDefinedVolumes | Create volumes. Please go to Kubernetes doc for the spec of the volumes | |
| deployment.userDefinedVolumeMounts | Create volumeMounts. Please go to Kubernetes doc for the spec of the volumeMounts | |
| terminationGracePeriodSeconds | Sets the [termination grace period](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution) for Deployment pod | 30 |
| Parameter | Description | Default |
|--------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------|
| enabled | Deploy the ingress controller, rbac and crd | true |
| image.repository | Docker image with the ingress controller | kong/kubernetes-ingress-controller |
| image.tag | Version of the ingress controller | 2.0 |
| image.effectiveSemver | Version of the ingress controller used for version-specific features when image.tag is not a valid semantic version | |
| readinessProbe | Kong ingress controllers readiness probe | |
| livenessProbe | Kong ingress controllers liveness probe | |
| installCRDs | Legacy toggle for Helm 2-style CRD management. Should not be set [unless necessary due to cluster permissions](#removing-cluster-scoped-permissions). | false |
| env | Specify Kong Ingress Controller configuration via environment variables | |
| customEnv | Specify custom environment variables (without the CONTROLLER_ prefix) | |
| ingressClass | The name of this controller's ingressClass | kong |
| ingressClassAnnotations | The ingress-class value for controller | kong |
| args | List of ingress-controller cli arguments | [] |
| watchNamespaces | List of namespaces to watch. Watches all namespaces if empty | [] |
| admissionWebhook.enabled | Whether to enable the validating admission webhook | true |
| admissionWebhook.failurePolicy | How unrecognized errors from the admission endpoint are handled (Ignore or Fail) | Ignore |
| admissionWebhook.port | The port the ingress controller will listen on for admission webhooks | 8080 |
| admissionWebhook.annotations | Annotations for the Validation Webhook Configuration | |
| admissionWebhook.certificate.provided | Use a provided certificate. When set to false, the chart will automatically generate a certificate. | false |
| admissionWebhook.certificate.secretName | Name of the TLS secret for the provided webhook certificate | |
| admissionWebhook.certificate.caBundle | PEM encoded CA bundle which will be used to validate the provided webhook certificate | |
| admissionWebhook.namespaceSelector | Add namespaceSelector to the webhook. Please go to [Kubernetes doc for the specs](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) | |
| userDefinedVolumes | Create volumes. Please go to Kubernetes doc for the spec of the volumes | |
| userDefinedVolumeMounts | Create volumeMounts. Please go to Kubernetes doc for the spec of the volumeMounts | |
| terminationGracePeriodSeconds | Sets the [termination grace period](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution) for Deployment pod | 30 |
| gatewayDiscovery.enabled | Enables Kong instance service discovery (for more details see [gatewayDiscovery section][gd_section]) | false |
| gatewayDiscovery.adminApiService.namespace | The namespace of the Kong admin API service (for more details see [gatewayDiscovery section][gd_section]) | `.Release.Namespace` |
| gatewayDiscovery.adminApiService.name | The name of the Kong admin API service (for more details see [gatewayDiscovery section][gd_section]) | "" |
| konnect.enabled | Enable synchronisation of data plane configuration with Konnect Runtime Group | false |
| konnect.runtimeGroupID | Konnect Runtime Group's unique identifier. | |
| konnect.apiHostname | Konnect API hostname. Defaults to a production US-region. | us.kic.api.konghq.com |
| konnect.tlsClientCertSecretName | Name of the secret that contains Konnect Runtime Group's client TLS certificate. | konnect-client-tls |
| konnect.license.enabled | Enable automatic license provisioning for Gateways managed by Ingress Controller in Konnect mode. | false |
| adminApi.tls.client.enabled | Enable TLS client verification for the Admin API. By default, Helm will generate certificates automatically. | false |
| adminApi.tls.client.certProvided | Use user-provided certificates. If set to false, Helm will generate certificates. | false |
| adminApi.tls.client.secretName | Client TLS certificate/key pair secret name. Can be also set when `certProvided` is false to enforce a generated secret's name. | "" |
| adminApi.tls.client.caSecretName | CA TLS certificate/key pair secret name. Can be also set when `certProvided` is false to enforce a generated secret's name. | "" |
[gd_section]: #the-gatewayDiscovery-section
#### The `env` section
For a complete list of all configuration values you can set in the
@@ -746,6 +778,46 @@ kong:
TZ: "Europe/Berlin"
```
#### The `gatewayDiscovery` section
Kong Ingress Controller v2.9 has introduced gateway discovery which allows
the controller to discover Gateway instances that it should configure using
an Admin API Kubernetes service.
You'll be able to configure this feature through configuration section under
`ingressController.gatewayDiscovery`:
- If `ingressController.gatewayDiscovery.enabled` is set to `false`: the ingress controller
will control a pre-determined set of Gateway instances based on Admin API URLs
(provided under the hood via `CONTROLLER_KONG_ADMIN_URL` environment variable).
- If `ingressController.gatewayDiscovery.enabled` is set to `true`: the ingress controller
will dynamically locate Gateway instances by watching the specified Kubernetes
service.
(provided under the hood via `CONTROLLER_KONG_ADMIN_SVC` environment variable).
The following admin API Service flags have to be provided in order for gateway
discovery to work:
- `ingressController.gatewayDiscovery.adminApiService.name`
- `ingressController.gatewayDiscovery.adminApiService.namespace`
Using this feature requires a split release installation of Gateways and Ingress Controller.
For exemplar `values.yaml` files which use this feature please see: [examples README.md](./example-values/README.md).
When using `gatewayDiscovery`, you should consider configuring the Admin service to use mTLS client verification to make
this interface secure. Without that, anyone who can access the Admin API from inside the cluster can configure the Gateway
instances.
On the controller release side, that can be achieved by setting `ingressController.adminApi.tls.client.enabled` to `true`.
By default, Helm will generate a certificate Secret named `<release name>-admin-api-keypair` and
a CA Secret named `<release name>-admin-api-ca-keypair` for you.
To provide your own cert, set `ingressController.adminApi.tls.client.certProvided` to
`true`, `ingressController.adminApi.tls.client.secretName` to the name of the Secret containing your client cert, and `ingressController.adminApi.tls.client.caSecretName` to the name of the Secret containing your CA cert.
On the Gateway release side, set either `admin.tls.client.secretName` to the name of your CA Secret or set `admin.tls.client.caBundle` to the CA certificate string.
### General Parameters
| Parameter | Description | Default |
@@ -772,6 +844,7 @@ kong:
| updateStrategy | update strategy for deployment | `{}` |
| readinessProbe | Kong readiness probe | |
| livenessProbe | Kong liveness probe | |
| startupProbe | Kong startup probe | |
| lifecycle | Proxy container lifecycle hooks | see `values.yaml` |
| terminationGracePeriodSeconds | Sets the [termination grace period](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution) for Deployment pods | 30 |
| affinity | Node/pod affinities | |
@@ -794,7 +867,7 @@ kong:
| priorityClassName | Set pod scheduling priority class for Kong pods | `""` |
| secretVolumes | Mount given secrets as a volume in Kong container to override default certs and keys. | `[]` |
| securityContext | Set the securityContext for Kong Pods | `{}` |
| containerSecurityContext | Set the securityContext for Containers | `{}` |
| containerSecurityContext | Set the securityContext for Containers | `{"readOnlyRootFilesystem": true}` |
| serviceMonitor.enabled | Create ServiceMonitor for Prometheus Operator | `false` |
| serviceMonitor.interval | Scraping interval | `30s` |
| serviceMonitor.namespace | Where to create ServiceMonitor | |

21
build_system/charts/open-appsec-kong/UPGRADE.md
View File

@@ -17,6 +17,7 @@ upgrading from a previous version.
## Table of contents
- [Upgrade considerations for all versions](#upgrade-considerations-for-all-versions)
- [2.17.0](#2170)
- [2.13.0](#2130)
- [2.8.0](#280)
- [2.7.0](#270)
@@ -82,6 +83,26 @@ https://raw.githubusercontent.com/Kong/charts/kong-<version>/charts/kong/crds/cu
For example, if your release is 2.6.4, you would apply
`https://raw.githubusercontent.com/Kong/charts/kong-2.6.4/charts/kong/crds/custom-resource-definitions.yaml`.
## 2.19.0
2.19 sets a default [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
that declares a read-only root filesystem for Kong containers. The base Kong and KIC
images are compatible with this setting. The chart mounts temporary writeable
emptyDir filesystems for locations that require writeable files (`/tmp` and
`/kong_prefix/`).
This setting limit attack surface and should be compatible with most
installations. However, if you use custom plugins that write to disk, you must
either mount a writeable emptyDir for them or override the new defaults by
setting:
```
containerSecurityContext:
readOnlyRootFilesystem: false
```
in your values.yaml.
## 2.13.0
2.13.0 includes updated CRDs. You must [apply these manually](#updates-to-crds)

2
build_system/charts/open-appsec-kong/crds/crd-openappsec-practice.yaml
View File

@@ -109,7 +109,7 @@ spec:
configmap:
type: array
items:
type: string
type: string
openapi-schema-validation:
type: object
properties:

80
build_system/charts/open-appsec-kong/crds/crd-openappsec-sources-identifier.yaml
View File

@@ -1,40 +1,40 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata :
name : sourcesidentifiers.openappsec.io
spec:
group: openappsec.io
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: array
items:
type: object
properties:
sourceIdentifier:
type: string
enum:
- headerkey
- JWTKey
- cookie
- sourceip
- x-forwarded-for
value:
type: array
items:
type: string
scope: Cluster
names:
plural: sourcesidentifiers
singular: sourcesidentifier
kind: SourcesIdentifier
shortNames:
- sourcesidentifier
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata :
name : sourcesidentifiers.openappsec.io
spec:
group: openappsec.io
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: array
items:
type: object
properties:
sourceIdentifier:
type: string
enum:
- headerkey
- JWTKey
- cookie
- sourceip
- x-forwarded-for
value:
type: array
items:
type: string
scope: Cluster
names:
plural: sourcesidentifiers
singular: sourcesidentifier
kind: SourcesIdentifier
shortNames:
- sourcesidentifier

64
build_system/charts/open-appsec-kong/crds/crd-openappsec-trusted-sources.yaml
View File

@@ -1,32 +1,32 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata :
name : trustedsources.openappsec.io
spec:
group: openappsec.io
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
minNumOfSources:
type: integer
sourcesIdentifiers:
type: array
items:
type: string
scope: Cluster
names:
plural: trustedsources
singular: trustedsource
kind: TrustedSource
shortNames:
- trustedsource
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata :
name : trustedsources.openappsec.io
spec:
group: openappsec.io
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
minNumOfSources:
type: integer
sourcesIdentifiers:
type: array
items:
type: string
scope: Cluster
names:
plural: trustedsources
singular: trustedsource
kind: TrustedSource
shortNames:
- trustedsource

4
build_system/charts/open-appsec-kong/crds/custom-resource-definitions.yaml
View File

@@ -448,8 +448,8 @@ spec:
type: object
upstream:
description: Upstream represents a virtual hostname and can be used to
loadbalance incoming requests over multiple targets (e.g. Kubernetes
`Services` can be a target, OR `Endpoints` can be targets).
load balance incoming requests over multiple targets (e.g. Kubernetes
Services can be a target, or URLs can be targets).
properties:
algorithm:
description: Algorithm is the load balancing algorithm to use.

16
build_system/charts/open-appsec-kong/example-values/README.md
View File

@@ -52,5 +52,21 @@ common Kong deployment scenarios on Kubernetes.
restarts them, so starting control planes second, but around the same time
will usually work), but is the smoothest option.
* [minimal-kong-gd-controller.yaml](minimal-kong-gd-controller.yaml) and
[minimal-kong-gd-gateway.yaml](minimal-kong-gd-gateway.yaml) install a
single controller and cluster of gateway instances. The controller release
configuration must specify the names of the gateway proxy and admin
Services. The examples use `gw` as the gateway release name. If you wish to
use another name, set the controller configuration to match. For example, if
you use `hydrogen` as your gateway release name, set
`proxy.nameOverride=hydrogen-kong-proxy` and
`ingressController.adminApiService.name=hydrogen-kong-admin`.
* [minimal-kong-gd-controller-konnect.yaml](minimal-kong-gd-controller-konnect.yaml) and
[minimal-kong-gd-gateway.yaml](minimal-kong-gd-gateway.yaml) install a single Ingress
Controller with Kong's Konnect sync feature enabled and a cluster of gateway instances.
In order to make it work, `ingressController.konnect.runtimeGroupID` has to be
supplied and a `konnect-client-tls` secret has to be created upfront.
All Enterprise examples require some level of additional user configuration to
install properly. Read the comments at the top of each file for instructions.

2
build_system/charts/open-appsec-kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml
View File

@@ -146,7 +146,7 @@ extraLabels:
konghq.com/component: quickstart
image:
repository: kong/kong-gateway
tag: "3.1"
tag: "3.2"
ingressController:
enabled: true
env:

2
build_system/charts/open-appsec-kong/example-values/full-k4k8s-with-kong-enterprise.yaml
View File

@@ -12,7 +12,7 @@
image:
repository: kong/kong-gateway
tag: "3.1"
tag: "3.2"
env:
prefix: /kong_prefix/

83
build_system/charts/open-appsec-kong/example-values/hybrid-cert-manager/README.md Normal file
View File

@@ -0,0 +1,83 @@
This README explains how to install Kong in DB-backed mode with Postgres and Cert Manager
# Install Postgres
Use the bitnami chart to install Postgres. Read the output to understand how to connect to the database.
```bash
helm install postgres oci://registry-1.docker.io/bitnamicharts/postgresql -n db --create-namespace
```
Once connected, create a postgres user and database:
```sql
CREATE USER kong WITH PASSWORD 'super_secret'; CREATE DATABASE kong OWNER kong;
```
# Cert Manager
Install Cert Manager in to your cluster:
```bash
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.crds.yaml
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.11.0
```
Create a self signed CA + Issuer for future use:
```yaml
echo "
apiVersion: v1
kind: Namespace
metadata:
name: kong
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: selfsigned-issuer
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: my-selfsigned-ca
namespace: kong
spec:
isCA: true
commonName: my-selfsigned-ca
secretName: root-secret
privateKey:
algorithm: ECDSA
size: 256
issuerRef:
name: selfsigned-issuer
kind: ClusterIssuer
group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: my-ca-issuer
namespace: kong
spec:
ca:
secretName: root-secret
" | kubectl apply -f -
```
# Kong
Deploy Kong using the `cp-values.yaml` and `dp-values.yaml` in this folder:
```bash
helm install kong-cp kong/kong -n kong --values cp-values.yaml
helm install kong-dp kong/kong -n kong --values dp-values.yaml
```
You should now have Kong running in hybrid mode

25
build_system/charts/open-appsec-kong/example-values/hybrid-cert-manager/cp-values.yaml Normal file
View File

@@ -0,0 +1,25 @@
env:
role: control_plane
database: postgres
pg_host: postgres-postgresql.db.svc.cluster.local
pg_user: kong
pg_password: super_secret
cluster:
enabled: true
tls:
enabled: true
certificates:
enabled: true
issuer: my-ca-issuer
cluster:
enabled: true
commonName: custom.example.com
proxy:
enabled: false
ingressController:
env:
publish_service: kong/kong-cp-kong-proxy

22
build_system/charts/open-appsec-kong/example-values/hybrid-cert-manager/dp-values.yaml Normal file
View File

@@ -0,0 +1,22 @@
env:
role: data_plane
database: "off"
cluster_control_plane: kong-cp-kong-cluster.kong.svc.cluster.local:8005
cluster:
enabled: true
tls:
enabled: true
certificates:
enabled: true
issuer: my-ca-issuer
cluster:
enabled: true
commonName: custom.example.com
admin:
enabled: false
ingressController:
enabled: false

2
build_system/charts/open-appsec-kong/example-values/minimal-k4k8s-with-kong-enterprise.yaml
View File

@@ -9,7 +9,7 @@
image:
repository: kong/kong-gateway
tag: "3.1"
tag: "3.2"
admin:
enabled: true

2
build_system/charts/open-appsec-kong/example-values/minimal-kong-controller.yaml
View File

@@ -2,7 +2,7 @@
image:
repository: kong
tag: "3.1"
tag: "3.2"
env:
prefix: /kong_prefix/

2
build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-dbless.yaml
View File

@@ -4,7 +4,7 @@
image:
repository: kong/kong-gateway
tag: "3.1"
tag: "3.2"
enterprise:
enabled: true

2
build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-control.yaml
View File

@@ -14,7 +14,7 @@
image:
repository: kong/kong-gateway
tag: "3.1"
tag: "3.2"
env:
database: postgres

2
build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-data.yaml
View File

@@ -12,7 +12,7 @@
image:
repository: kong/kong-gateway
tag: "3.1"
tag: "3.2"
env:
role: data_plane

24
build_system/charts/open-appsec-kong/example-values/minimal-kong-gd-controller-konnect.yaml Normal file
View File

@@ -0,0 +1,24 @@
deployment:
kong:
enabled: false
proxy:
## This must match the gateway release's proxy Service name.
## The Service name uses the pattern "<release name>-kong-proxy".
## In this example, the companion gateway release is named "gw"
nameOverride: gw-kong-proxy
ingressController:
enabled: true
gatewayDiscovery:
enabled: true
adminApiService:
## This must match the gateway release's admin Service name.
## The Service name uses the pattern "<release name>-kong-admin".
## In this example, the companion gateway release is named "gw"
name: gw-kong-admin
konnect:
enabled: true
runtimeGroupID: "00000000-0000-0000-0000-000000000000" # CHANGEME

33
build_system/charts/open-appsec-kong/example-values/minimal-kong-gd-controller.yaml Normal file
View File

@@ -0,0 +1,33 @@
deployment:
kong:
enabled: false
proxy:
## This must match the gateway release's proxy Service name.
## The Service name uses the pattern "<release name>-kong-proxy".
## In this example, the companion gateway release is named "gw"
nameOverride: gw-kong-proxy
ingressController:
enabled: true
gatewayDiscovery:
enabled: true
adminApiService:
## This must match the gateway release's admin Service name.
## The Service name uses the pattern "<release name>-kong-admin".
## In this example, the companion gateway release is named "gw"
name: gw-kong-admin
adminApi:
tls:
client:
# Enable TLS client authentication for the Admin API.
enabled: true
# We're specifying the name of the secret to have a static name that we
# will use in the gateway release.
caSecretName: "admin-api-ca-cert"
env:
# This must match the gateway release's proxy Service HTTPs port name.
kong_admin_svc_port_names: "kong-admin-tls"

17
build_system/charts/open-appsec-kong/example-values/minimal-kong-gd-gateway.yaml Normal file
View File

@@ -0,0 +1,17 @@
admin:
enabled: true
type: ClusterIP
clusterIP: None
tls:
client:
secretName: "admin-api-ca-cert"
ingressController:
enabled: false
replicaCount: 3
## This example creates a static 3-Pod Kong gateway Deployment.
## To use autoscaling instead, comment the above replicaCount and uncomment
## the autoscaling section below.
# autoscaling:
# enabled: true

2
build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-control.yaml
View File

@@ -6,7 +6,7 @@
image:
repository: kong
tag: "3.1"
tag: "3.2"
env:
prefix: /kong_prefix/

2
build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-data.yaml
View File

@@ -11,7 +11,7 @@
image:
repository: kong
tag: "3.1"
tag: "3.2"
env:
prefix: /kong_prefix/

2
build_system/charts/open-appsec-kong/example-values/minimal-kong-standalone.yaml
View File

@@ -6,7 +6,7 @@
image:
repository: kong
tag: "3.1"
tag: "3.2"
env:
prefix: /kong_prefix/

210
build_system/charts/open-appsec-kong/templates/_helpers.tpl
View File

@@ -153,6 +153,9 @@ spec:
- {{ $cidr }}
{{- end }}
{{- end }}
{{- if .loadBalancerClass }}
loadBalancerClass: {{ .loadBalancerClass }}
{{- end }}
{{- end }}
{{- if .externalIPs }}
externalIPs:
@@ -316,6 +319,32 @@ Create a single listen (IP+port+parameter combo)
{{- $listen | join " " -}}
{{- end -}}
{{/*
Return the admin API service name for service discovery
*/}}
{{- define "kong.adminSvc" -}}
{{- $gatewayDiscovery := .Values.ingressController.gatewayDiscovery -}}
{{- if $gatewayDiscovery.enabled -}}
{{- $adminApiService := $gatewayDiscovery.adminApiService -}}
{{- $_ := required ".ingressController.gatewayDiscovery.adminApiService has to be provided when .Values.ingressController.gatewayDiscovery.enabled is set to true" $adminApiService -}}
{{- if (semverCompare "< 2.9.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
{{- fail (printf "Gateway discovery is available in controller versions 2.9 and up. Detected %s" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
{{- end }}
{{- if .Values.deployment.kong.enabled }}
{{- fail "deployment.kong.enabled and ingressController.gatewayDiscovery.enabled are mutually exclusive and cannot be enabled at once. Gateway discovery requires a split release installation of Gateways and Ingress Controller." }}
{{- end }}
{{- $namespace := $adminApiService.namespace | default ( include "kong.namespace" . ) -}}
{{- $name := $adminApiService.name -}}
{{- $_ := required ".ingressController.gatewayDiscovery.adminApiService.name has to be provided when .Values.ingressController.gatewayDiscovery.enabled is set to true" $name -}}
{{- printf "%s/%s" $namespace $name -}}
{{- else -}}
{{- fail "Can't use gateway discovery when .Values.ingressController.gatewayDiscovery.enabled is set to false." -}}
{{- end -}}
{{- end -}}
{{/*
Return the local admin API URL, preferring HTTPS if available
*/}}
@@ -370,16 +399,61 @@ The name of the service used for the ingress controller's validation webhook
*/}}
{{- $autoEnv := dict -}}
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY" true -}}
{{- $_ := set $autoEnv "CONTROLLER_PUBLISH_SERVICE" (printf "%s/%s-proxy" ( include "kong.namespace" . ) (include "kong.fullname" .)) -}}
{{- $_ := set $autoEnv "CONTROLLER_INGRESS_CLASS" .Values.ingressController.ingressClass -}}
{{- $_ := set $autoEnv "CONTROLLER_ELECTION_ID" (printf "kong-ingress-controller-leader-%s" .Values.ingressController.ingressClass) -}}
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_URL" (include "kong.adminLocalURL" .) -}}
{{- if .Values.ingressController.admissionWebhook.enabled }}
{{- $_ := set $autoEnv "CONTROLLER_ADMISSION_WEBHOOK_LISTEN" (printf "0.0.0.0:%d" (int64 .Values.ingressController.admissionWebhook.port)) -}}
{{- end }}
{{- if (not (eq (len .Values.ingressController.watchNamespaces) 0)) }}
{{- $_ := set $autoEnv "CONTROLLER_WATCH_NAMESPACE" (.Values.ingressController.watchNamespaces | join ",") -}}
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY" true -}}
{{- $_ := set $autoEnv "CONTROLLER_PUBLISH_SERVICE" (printf "%s/%s" ( include "kong.namespace" . ) ( .Values.proxy.nameOverride | default ( printf "%s-proxy" (include "kong.fullname" . )))) -}}
{{- $_ := set $autoEnv "CONTROLLER_INGRESS_CLASS" .Values.ingressController.ingressClass -}}
{{- $_ := set $autoEnv "CONTROLLER_ELECTION_ID" (printf "kong-ingress-controller-leader-%s" .Values.ingressController.ingressClass) -}}
{{- if .Values.ingressController.admissionWebhook.enabled }}
{{- $_ := set $autoEnv "CONTROLLER_ADMISSION_WEBHOOK_LISTEN" (printf "0.0.0.0:%d" (int64 .Values.ingressController.admissionWebhook.port)) -}}
{{- end }}
{{- if (not (eq (len .Values.ingressController.watchNamespaces) 0)) }}
{{- $_ := set $autoEnv "CONTROLLER_WATCH_NAMESPACE" (.Values.ingressController.watchNamespaces | join ",") -}}
{{- end }}
{{/*
====== ADMIN API CONFIGURATION ======
*/}}
{{- if .Values.ingressController.gatewayDiscovery.enabled -}}
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_SVC" (include "kong.adminSvc" . ) -}}
{{- else -}}
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_URL" (include "kong.adminLocalURL" .) -}}
{{- end -}}
{{- if .Values.ingressController.adminApi.tls.client.enabled }}
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_CLIENT_CERT_FILE" "/etc/secrets/admin-api-cert/tls.crt" -}}
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_CLIENT_KEY_FILE" "/etc/secrets/admin-api-cert/tls.key" -}}
{{- end }}
{{/*
====== KONNECT ENVIRONMENT VARIABLES ======
*/}}
{{- if .Values.ingressController.konnect.enabled }}
{{- if (semverCompare "< 2.9.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
{{- fail (printf "Konnect sync is available in controller versions 2.9 and up. Detected %s" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
{{- end }}
{{- if not .Values.ingressController.gatewayDiscovery.enabled }}
{{- fail "ingressController.gatewayDiscovery.enabled has to be true when ingressController.konnect.enabled"}}
{{- end }}
{{- $konnect := .Values.ingressController.konnect -}}
{{- $_ := required "ingressController.konnect.runtimeGroupID is required when ingressController.konnect.enabled" $konnect.runtimeGroupID -}}
{{- $_ = set $autoEnv "CONTROLLER_KONNECT_SYNC_ENABLED" true -}}
{{- $_ = set $autoEnv "CONTROLLER_KONNECT_RUNTIME_GROUP_ID" $konnect.runtimeGroupID -}}
{{- $_ = set $autoEnv "CONTROLLER_KONNECT_ADDRESS" (printf "https://%s" .Values.ingressController.konnect.apiHostname) -}}
{{- $tlsCert := include "secretkeyref" (dict "name" $konnect.tlsClientCertSecretName "key" "tls.crt") -}}
{{- $tlsKey := include "secretkeyref" (dict "name" $konnect.tlsClientCertSecretName "key" "tls.key") -}}
{{- $_ = set $autoEnv "CONTROLLER_KONNECT_TLS_CLIENT_CERT" $tlsCert -}}
{{- $_ = set $autoEnv "CONTROLLER_KONNECT_TLS_CLIENT_KEY" $tlsKey -}}
{{- if $konnect.license.enabled }}
{{- $_ = set $autoEnv "CONTROLLER_KONNECT_LICENSING_ENABLED" true -}}
{{- end }}
{{- end }}
{{/*
@@ -420,10 +494,10 @@ The name of the service used for the ingress controller's validation webhook
{{- define "kong.volumes" -}}
- name: {{ template "kong.fullname" . }}-prefix-dir
emptyDir:
emptyDir:
sizeLimit: {{ .Values.deployment.prefixDir.sizeLimit }}
- name: {{ template "kong.fullname" . }}-tmp
emptyDir:
emptyDir:
sizeLimit: {{ .Values.deployment.tmpDir.sizeLimit }}
{{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}}
{{- if .Values.certificates.cluster.enabled }}
@@ -478,8 +552,9 @@ The name of the service used for the ingress controller's validation webhook
{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
{{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}}
{{- if gt $dblessSourceCount 1 -}}
{{- fail "Ambiguous configuration: only one of of .Values.dblessConfig.configMap, .Values.dblessConfig.secret, and .Values.dblessConfig.config can be set." -}}
{{- if gt $dblessSourceCount 1 -}}
{{- fail "Ambiguous configuration: only one of of .Values.dblessConfig.configMap, .Values.dblessConfig.secret, and .Values.dblessConfig.config can be set." -}}
{{- else if eq $dblessSourceCount 1 }}
- name: kong-custom-dbless-config-volume
{{- if .Values.dblessConfig.configMap }}
configMap:
@@ -494,7 +569,7 @@ The name of the service used for the ingress controller's validation webhook
{{- end }}
{{- end }}
{{- if .Values.ingressController.admissionWebhook.enabled }}
{{- if and .Values.ingressController.enabled .Values.ingressController.admissionWebhook.enabled }}
- name: webhook-cert
secret:
{{- if .Values.ingressController.admissionWebhook.certificate.provided }}
@@ -503,6 +578,11 @@ The name of the service used for the ingress controller's validation webhook
secretName: {{ template "kong.fullname" . }}-validation-webhook-keypair
{{- end }}
{{- end }}
{{- if or $.Values.admin.tls.client.secretName $.Values.admin.tls.client.caBundle }}
- name: admin-client-ca
configMap:
name: {{ template "kong.fullname" . }}-admin-client-ca
{{- end -}}
{{- range $secretVolume := .Values.secretVolumes }}
- name: {{ . }}
secret:
@@ -518,6 +598,19 @@ The name of the service used for the ingress controller's validation webhook
secret:
secretName: {{ .name }}
{{- end }}
{{- if and .Values.ingressController.adminApi.tls.client.enabled .Values.ingressController.enabled }}
- name: admin-api-cert
secret:
secretName: {{ template "adminApiService.certSecretName" . }}
{{- end }}
{{- end -}}
{{- define "controller.adminApiCertVolumeMount" -}}
{{- if and .Values.ingressController.adminApi.tls.client.enabled .Values.ingressController.enabled }}
- name: admin-api-cert
mountPath: /etc/secrets/admin-api-cert
readOnly: true
{{- end -}}
{{- end -}}
{{- define "kong.userDefinedVolumeMounts" -}}
@@ -552,12 +645,17 @@ The name of the service used for the ingress controller's validation webhook
{{- end }}
{{- end }}
{{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}}
{{- if gt $dblessSourceCount 1 -}}
{{- if eq $dblessSourceCount 1 -}}
{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
- name: kong-custom-dbless-config-volume
mountPath: /kong_dbless/
{{- end }}
{{- end }}
{{- if or $.Values.admin.tls.client.caBundle $.Values.admin.tls.client.secretName }}
- name: admin-client-ca
mountPath: /etc/admin-client-ca/
readOnly: true
{{- end -}}
{{- range .Values.secretVolumes }}
- name: {{ . }}
mountPath: /etc/secrets/{{ . }}
@@ -638,7 +736,7 @@ The name of the service used for the ingress controller's validation webhook
{{- if .effectiveSemver -}}
{{- .effectiveSemver -}}
{{- else -}}
{{- .tag -}}
{{- (trimSuffix "-redhat" .tag) -}}
{{- end -}}
{{- end -}}
@@ -702,6 +800,7 @@ The name of the service used for the ingress controller's validation webhook
readOnly: true
{{- end }}
{{- include "kong.userDefinedVolumeMounts" .Values.ingressController | nindent 2 }}
{{- include "controller.adminApiCertVolumeMount" . | nindent 2 }}
{{- end -}}
{{- define "secretkeyref" -}}
@@ -758,10 +857,18 @@ the template that it itself is using form the above sections.
{{- $listenConfig := merge $listenConfig . -}}
{{- $_ := set $listenConfig "address" $address -}}
{{- $_ := set $autoEnv "KONG_ADMIN_LISTEN" (include "kong.listen" $listenConfig) -}}
{{- if or .tls.client.secretName .tls.client.caBundle -}}
{{- $_ := set $autoEnv "KONG_NGINX_ADMIN_SSL_VERIFY_CLIENT" "on" -}}
{{- $_ := set $autoEnv "KONG_NGINX_ADMIN_SSL_CLIENT_CERTIFICATE" "/etc/admin-client-ca/tls.crt" -}}
{{- end -}}
{{- end -}}
{{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}}
{{- if (and .Values.certificates.cluster.enabled .Values.cluster.enabled) -}}
{{- $_ := set $autoEnv "KONG_CLUSTER_MTLS" "pki" -}}
{{- $_ := set $autoEnv "KONG_CLUSTER_SERVER_NAME" .Values.certificates.cluster.commonName -}}
{{- $_ := set $autoEnv "KONG_CLUSTER_CA_CERT" "/etc/cert-manager/cluster/ca.crt" -}}
{{- $_ := set $autoEnv "KONG_CLUSTER_CERT" "/etc/cert-manager/cluster/tls.crt" -}}
{{- $_ := set $autoEnv "KONG_CLUSTER_CERT_KEY" "/etc/cert-manager/cluster/tls.key" -}}
@@ -914,7 +1021,7 @@ the template that it itself is using form the above sections.
{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
{{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}}
{{- if gt $dblessSourceCount 1 -}}
{{- if eq $dblessSourceCount 1 -}}
{{- $_ := set $autoEnv "KONG_DECLARATIVE_CONFIG" "/kong_dbless/kong.yml" -}}
{{- end }}
{{- end }}
@@ -1037,6 +1144,13 @@ role sets used in the charts. Updating these requires separating out cluster
resource roles into their separate templates.
*/}}
{{- define "kong.kubernetesRBACRules" -}}
- apiGroups:
- ""
resources:
- namespaces
verbs:
- list
{{- if (semverCompare "< 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
- apiGroups:
- ""
resources:
@@ -1044,20 +1158,7 @@ resource roles into their separate templates.
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- list
- apiGroups:
- ""
resources:
- endpoints/status
verbs:
- get
- patch
- update
{{- end }}
- apiGroups:
- ""
resources:
@@ -1087,14 +1188,6 @@ resource roles into their separate templates.
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- secrets/status
verbs:
- get
- patch
- update
- apiGroups:
- ""
resources:
@@ -1306,6 +1399,22 @@ resource roles into their separate templates.
verbs:
- get
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
- grpcroutes
verbs:
- get
- list
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- grpcroutes/status
verbs:
- get
- patch
- update
{{- end }}
{{- if (.Capabilities.APIVersions.Has "networking.internal.knative.dev/v1alpha1") }}
- apiGroups:
@@ -1341,6 +1450,14 @@ resource roles into their separate templates.
- get
- patch
- update
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
{{- end -}}
{{/*
@@ -1373,6 +1490,15 @@ Kubernetes Cluster-scoped resources it uses to build Kong configuration.
- get
- patch
- update
{{- if (semverCompare ">= 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- watch
{{- end }}
{{- if or (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1alpha2") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1") }}
- apiGroups:
- gateway.networking.k8s.io
@@ -1411,9 +1537,9 @@ extensions/v1beta1
{{- end -}}
{{- define "kong.autoscalingVersion" -}}
{{- if (.Capabilities.APIVersions.Has "autoscaling/v2") -}}
{{- if (.Capabilities.APIVersions.Has "autoscaling/v2/HorizontalPodAutoscaler") -}}
autoscaling/v2
{{- else if (.Capabilities.APIVersions.Has "autoscaling/v2beta2") -}}
{{- else if (.Capabilities.APIVersions.Has "autoscaling/v2beta2/HorizontalPodAutoscaler") -}}
autoscaling/v2beta2
{{- else -}}
autoscaling/v1

15
build_system/charts/open-appsec-kong/templates/admission-webhook.yaml
View File

@@ -1,4 +1,4 @@
{{- if .Values.ingressController.admissionWebhook.enabled }}
{{- if (and .Values.ingressController.admissionWebhook.enabled .Values.ingressController.enabled) }}
{{- $certCert := "" -}}
{{- $certKey := "" -}}
{{- $caCert := "" -}}
@@ -34,8 +34,18 @@ metadata:
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
{{- if .Values.ingressController.admissionWebhook.annotations }}
annotations:
{{- range $key, $value := .Values.ingressController.admissionWebhook.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
webhooks:
- name: validations.kong.konghq.com
{{- with .Values.ingressController.admissionWebhook.namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
objectSelector:
matchExpressions:
- key: owner
@@ -89,6 +99,9 @@ metadata:
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
{{- if .Values.ingressController.admissionWebhook.service.labels }}
{{- toYaml .Values.ingressController.admissionWebhook.service.labels | nindent 4 }}
{{- end }}
spec:
ports:
- name: webhook

885
build_system/charts/open-appsec-kong/templates/appsec.yaml
View File

@@ -1,447 +1,438 @@
{{- if and (not (eq .Values.kind "Vanilla")) (or .Values.deployment.kong.enabled .Values.ingressController.enabled) }}
apiVersion: apps/v1
{{- if (eq .Values.kind "AppSec") }}
{{- if .Values.deployment.daemonset }}
kind: DaemonSet
{{- else }}
kind: Deployment
{{- end }}
{{- else if eq .Values.kind "AppSecStateful" }}
kind: StatefulSet
{{- end }}
metadata:
name: {{ template "kong.fullname" . }}
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
app.kubernetes.io/component: app
{{- if .Values.deploymentAnnotations }}
annotations:
{{- range $key, $value := .Values.deploymentAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
{{- if not .Values.autoscaling.enabled }}
{{- if eq .Values.kind "AppSecStateful" }}
serviceName: "cp-appsec-stateful-set"
{{- end }}
{{- if or (not .Values.deployment.daemonset) (and (eq .Values.kind "AppSecStateful") ( .Values.deployment.daemonset )) }}
replicas: {{ .Values.replicaCount }}
{{- end }}
{{- end }}
selector:
matchLabels:
{{- include "kong.selectorLabels" . | nindent 6 }}
{{- if .Values.updateStrategy }}
{{- if .Values.deployment.daemonset }}
updateStrategy:
{{- else }}
strategy:
{{- end }}
{{ toYaml .Values.updateStrategy | indent 4 }}
{{- end }}
{{- if .Values.deployment.minReadySeconds }}
minReadySeconds: {{ .Values.deployment.minReadySeconds }}
{{- end }}
template:
metadata:
annotations:
{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }}
{{- end }}
{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off" )) }}
{{- if .Values.dblessConfig.config }}
checksum/dbless.config: {{ toYaml .Values.dblessConfig.config | sha256sum }}
{{- end }}
{{- end }}
{{- if .Values.podAnnotations }}
{{- range $key, $value := .Values.podAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
labels:
{{- include "kong.metaLabels" . | nindent 8 }}
app.kubernetes.io/component: app
app: {{ template "kong.fullname" . }}
version: {{ .Chart.AppVersion | quote }}
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | nindent 8 }}
{{- end }}
spec:
{{- if .Values.deployment.hostNetwork }}
hostNetwork: true
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: "{{ .Values.priorityClassName }}"
{{- end }}
{{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}
serviceAccountName: {{ template "kong.serviceAccountName" . }}
{{- end }}
{{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }}
automountServiceAccountToken: true
{{- else }}
automountServiceAccountToken: false
{{ end }}
{{- if .Values.image.pullSecrets }}
imagePullSecrets:
{{- range .Values.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
initContainers:
- name: clear-stale-pid
image: {{ include "kong.getRepoTag" .Values.image }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{ toYaml .Values.containerSecurityContext | nindent 10 }}
resources:
{{ toYaml .Values.resources | indent 10 }}
command:
- "rm"
- "-vrf"
- "$KONG_PREFIX/pids"
env:
{{- include "kong.env" . | nindent 8 }}
volumeMounts:
{{- include "kong.volumeMounts" . | nindent 8 }}
{{- if .Values.deployment.initContainers }}
{{- toYaml .Values.deployment.initContainers | nindent 6 }}
{{- end }}
{{- if (and (not (eq .Values.env.database "off")) .Values.waitImage.enabled) }}
{{- include "kong.wait-for-db" . | nindent 6 }}
{{- end }}
{{- if .Values.deployment.hostAliases }}
hostAliases:
{{- toYaml .Values.deployment.hostAliases | nindent 6 }}
{{- end}}
{{- if .Values.dnsPolicy }}
dnsPolicy: {{ .Values.dnsPolicy | quote }}
{{- end }}
{{- if .Values.dnsConfig }}
dnsConfig:
{{ toYaml .Values.dnsConfig | indent 8 }}
{{- end }}
containers:
- name: {{ .Values.appsec.name }}
readinessProbe:
exec:
command:
- sh
- -c
- '[ -f /etc/cp/HttpTransactionHandler/cp-nano-http-transaction-handler ] && exit 0 || exit 1'
initialDelaySeconds: 30
periodSeconds: 5
failureThreshold: 120
successThreshold: 1
securityContext:
{{ toYaml .Values.appsec.securityContext | nindent 12 }}
{{- with .Values.appsec.image }}
image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}"
{{- end }}
command:
- {{ .Values.appsec.command }}
imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
args:
{{- if (eq "standalone" .Values.appsec.mode) }}
- --hybrid-mode
- --token
- cp-3fb5c718-5e39-47e6-8d5e-99b4bc5660b74b4b7fc8-5312-451d-a763-aaf7872703c0
{{- else }}
- --token
- {{ .Values.appsec.agentToken }}
{{- end }}
{{- if .Values.appsec.customFog.enabled }}
- --fog
- {{ .Values.appsec.customFog.fogAddress }}
{{- end }}
{{- if .Values.appsec.proxy }}
- --proxy
- {{ .Values.appsec.proxy }}
{{- end }}
imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
env:
{{- if eq .Values.appsec.playground false }}
- name: SHARED_STORAGE_HOST
value: {{ .Values.appsec.storage.name }}-svc
- name: LEARNING_HOST
value: {{ .Values.appsec.learning.name }}-svc
{{- else }}
- name: PLAYGROUND
value: "true"
{{- end }}
{{- if .Values.appsec.email }}
{{- if eq .Values.appsec.email "STUB" }}
{{- fail "Please replace STUB with an email address" }}
{{- end }}
- name: user_email
value: {{ .Values.appsec.email }}
{{- end }}
- name: registered_server
value: "Kong Server"
resources:
{{ toYaml .Values.resources | nindent 12 }}
{{- if eq .Values.kind "AppSecStateful" }}
volumeMounts:
- name: advanced-model
mountPath: /advanced-model
- name: appsec-conf
mountPath: /etc/cp/conf
- name: appsec-data
mountPath: /etc/cp/data
{{- end }}
{{- if .Values.ingressController.enabled }}
{{- include "kong.controller-container" . | nindent 6 }}
{{ end }}
{{- if .Values.deployment.sidecarContainers }}
{{- toYaml .Values.deployment.sidecarContainers | nindent 6 }}
{{- end }}
{{- if .Values.deployment.kong.enabled }}
- name: "proxy"
{{- with .Values.appsec.kong.image }}
image: "{{ .repository }}:{{ .tag }}"
{{- end }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{ toYaml .Values.containerSecurityContext | nindent 10 }}
env:
{{- include "kong.no_daemon_env" . | nindent 8 }}
lifecycle:
{{- toYaml .Values.lifecycle | nindent 10 }}
ports:
{{- if (and .Values.admin.http.enabled .Values.admin.enabled) }}
- name: admin
containerPort: {{ .Values.admin.http.containerPort }}
{{- if .Values.admin.http.hostPort }}
hostPort: {{ .Values.admin.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.admin.tls.enabled .Values.admin.enabled) }}
- name: admin-tls
containerPort: {{ .Values.admin.tls.containerPort }}
{{- if .Values.admin.tls.hostPort }}
hostPort: {{ .Values.admin.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.proxy.http.enabled .Values.proxy.enabled) }}
- name: proxy
containerPort: {{ .Values.proxy.http.containerPort }}
{{- if .Values.proxy.http.hostPort }}
hostPort: {{ .Values.proxy.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.proxy.tls.enabled .Values.proxy.enabled)}}
- name: proxy-tls
containerPort: {{ .Values.proxy.tls.containerPort }}
{{- if .Values.proxy.tls.hostPort }}
hostPort: {{ .Values.proxy.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- range .Values.proxy.stream }}
- name: stream{{ if (eq (default "TCP" .protocol) "UDP") }}udp{{ end }}-{{ .containerPort }}
containerPort: {{ .containerPort }}
{{- if .hostPort }}
hostPort: {{ .hostPort }}
{{- end}}
protocol: {{ .protocol }}
{{- end }}
{{- range .Values.udpProxy.stream }}
- name: streamudp-{{ .containerPort }}
containerPort: {{ .containerPort }}
{{- if .hostPort }}
hostPort: {{ .hostPort }}
{{- end}}
protocol: {{ .protocol }}
{{- end }}
{{- if (and .Values.status.http.enabled .Values.status.enabled)}}
- name: status
containerPort: {{ .Values.status.http.containerPort }}
{{- if .Values.status.http.hostPort }}
hostPort: {{ .Values.status.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.status.tls.enabled .Values.status.enabled) }}
- name: status-tls
containerPort: {{ .Values.status.tls.containerPort }}
{{- if .Values.status.tls.hostPort }}
hostPort: {{ .Values.status.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.cluster.tls.enabled .Values.cluster.enabled) }}
- name: cluster-tls
containerPort: {{ .Values.cluster.tls.containerPort }}
{{- if .Values.cluster.tls.hostPort }}
hostPort: {{ .Values.cluster.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if .Values.enterprise.enabled }}
{{- if (and .Values.manager.http.enabled .Values.manager.enabled) }}
- name: manager
containerPort: {{ .Values.manager.http.containerPort }}
{{- if .Values.manager.http.hostPort }}
hostPort: {{ .Values.manager.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.manager.tls.enabled .Values.manager.enabled) }}
- name: manager-tls
containerPort: {{ .Values.manager.tls.containerPort }}
{{- if .Values.manager.tls.hostPort }}
hostPort: {{ .Values.manager.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.portal.http.enabled .Values.portal.enabled) }}
- name: portal
containerPort: {{ .Values.portal.http.containerPort }}
{{- if .Values.portal.http.hostPort }}
hostPort: {{ .Values.portal.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.portal.tls.enabled .Values.portal.enabled) }}
- name: portal-tls
containerPort: {{ .Values.portal.tls.containerPort }}
{{- if .Values.portal.tls.hostPort }}
hostPort: {{ .Values.portal.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.portalapi.http.enabled .Values.portalapi.enabled) }}
- name: portalapi
containerPort: {{ .Values.portalapi.http.containerPort }}
{{- if .Values.portalapi.http.hostPort }}
hostPort: {{ .Values.portalapi.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.portalapi.tls.enabled .Values.portalapi.enabled) }}
- name: portalapi-tls
containerPort: {{ .Values.portalapi.tls.containerPort }}
{{- if .Values.portalapi.tls.hostPort }}
hostPort: {{ .Values.portalapi.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.clustertelemetry.tls.enabled .Values.clustertelemetry.enabled) }}
- name: clustert-tls
containerPort: {{ .Values.clustertelemetry.tls.containerPort }}
{{- if .Values.clustertelemetry.tls.hostPort }}
hostPort: {{ .Values.clustertelemetry.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- end }}
volumeMounts:
{{- include "kong.volumeMounts" . | nindent 10 }}
{{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 10 }}
readinessProbe:
{{ toYaml .Values.readinessProbe | indent 10 }}
livenessProbe:
{{ toYaml .Values.livenessProbe | indent 10 }}
resources:
{{ toYaml .Values.resources | indent 10 }}
{{- end }} {{/* End of Kong container spec */}}
{{- if .Values.affinity }}
affinity:
{{ toYaml .Values.affinity | indent 8 }}
{{- end }}
{{- if .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{ toYaml .Values.topologySpreadConstraints | indent 8 }}
{{- end }}
securityContext:
{{- include "kong.podsecuritycontext" . | nindent 8 }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
volumes:
- name: advanced-model
configMap:
name: advanced-model-config
optional: true
{{- include "kong.volumes" . | nindent 8 -}}
{{- include "kong.userDefinedVolumes" . | nindent 8 -}}
{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
- name: {{ template "kong.serviceAccountTokenName" . }}
{{- /* Due to GKE versions (e.g. v1.23.15-gke.1900) we need to handle pre-release part of the version as well.
See the related documentation of semver module that Helm depends on for semverCompare:
https://github.com/Masterminds/semver#working-with-prerelease-versions
Related Helm issue: https://github.com/helm/helm/issues/3810 */}}
{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
{{- else }}
secret:
secretName: {{ template "kong.serviceAccountTokenName" . }}
items:
- key: token
path: token
- key: ca.crt
path: ca.crt
- key: namespace
path: namespace
{{- end -}}
{{- end }}
{{- if eq .Values.kind "AppSecStateful" }}
volumeClaimTemplates:
- metadata:
name: appsec-conf
spec:
accessModes: [ "ReadWriteOnce" ]
# Need to create a storage class resource.
{{- if .Values.appsec.persistence.storageClass }}
{{- if (eq "-" .Values.appsec.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.appsec.persistence.storageClass }}"
{{- end -}}
{{- end }}
resources:
requests:
storage: {{ .Values.appsec.persistence.conf.size | quote }}
- metadata:
name: appsec-data
spec:
accessModes: [ "ReadWriteOnce" ]
# Need to create a storage class resource.
{{- if .Values.appsec.persistence.storageClass }}
{{- if (eq "-" .Values.appsec.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.appsec.persistence.storageClass }}"
{{- end -}}
{{- end }}
resources:
requests:
storage: {{ .Values.appsec.persistence.data.size | quote }}
{{- end }}
{{- end }}
{{- if and (not (eq .Values.kind "Vanilla")) (or .Values.deployment.kong.enabled .Values.ingressController.enabled) }}
apiVersion: apps/v1
{{- if (eq .Values.kind "AppSec") }}
{{- if .Values.deployment.daemonset }}
kind: DaemonSet
{{- else }}
kind: Deployment
{{- end }}
{{- else if eq .Values.kind "AppSecStateful" }}
kind: StatefulSet
{{- end }}
metadata:
name: {{ template "kong.fullname" . }}
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
app.kubernetes.io/component: app
{{- if .Values.deploymentAnnotations }}
annotations:
{{- range $key, $value := .Values.deploymentAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
{{- if not .Values.autoscaling.enabled }}
{{- if eq .Values.kind "AppSecStateful" }}
serviceName: "cp-appsec-stateful-set"
{{- end }}
{{- if or (not .Values.deployment.daemonset) (and (eq .Values.kind "AppSecStateful") ( .Values.deployment.daemonset )) }}
replicas: {{ .Values.replicaCount }}
{{- end }}
{{- end }}
selector:
matchLabels:
{{- include "kong.selectorLabels" . | nindent 6 }}
{{- if .Values.updateStrategy }}
{{- if .Values.deployment.daemonset }}
updateStrategy:
{{- else }}
strategy:
{{- end }}
{{ toYaml .Values.updateStrategy | indent 4 }}
{{- end }}
{{- if .Values.deployment.minReadySeconds }}
minReadySeconds: {{ .Values.deployment.minReadySeconds }}
{{- end }}
template:
metadata:
annotations:
{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }}
{{- end }}
{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off" )) }}
{{- if .Values.dblessConfig.config }}
checksum/dbless.config: {{ toYaml .Values.dblessConfig.config | sha256sum }}
{{- end }}
{{- end }}
{{- if .Values.podAnnotations }}
{{- range $key, $value := .Values.podAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
labels:
{{- include "kong.metaLabels" . | nindent 8 }}
app.kubernetes.io/component: app
app: {{ template "kong.fullname" . }}
version: {{ .Chart.AppVersion | quote }}
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | nindent 8 }}
{{- end }}
spec:
{{- if .Values.deployment.hostNetwork }}
hostNetwork: true
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: "{{ .Values.priorityClassName }}"
{{- end }}
{{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}
serviceAccountName: {{ template "kong.serviceAccountName" . }}
{{- end }}
{{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }}
automountServiceAccountToken: true
{{- else }}
automountServiceAccountToken: false
{{ end }}
{{- if .Values.image.pullSecrets }}
imagePullSecrets:
{{- range .Values.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
initContainers:
- name: clear-stale-pid
image: {{ include "kong.getRepoTag" .Values.image }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{ toYaml .Values.containerSecurityContext | nindent 10 }}
resources:
{{ toYaml .Values.resources | indent 10 }}
command:
- "rm"
- "-vrf"
- "$KONG_PREFIX/pids"
env:
{{- include "kong.env" . | nindent 8 }}
volumeMounts:
{{- include "kong.volumeMounts" . | nindent 8 }}
{{- if .Values.deployment.initContainers }}
{{- toYaml .Values.deployment.initContainers | nindent 6 }}
{{- end }}
{{- if (and (not (eq .Values.env.database "off")) .Values.waitImage.enabled) }}
{{- include "kong.wait-for-db" . | nindent 6 }}
{{- end }}
{{- if .Values.deployment.hostAliases }}
hostAliases:
{{- toYaml .Values.deployment.hostAliases | nindent 6 }}
{{- end}}
{{- if .Values.dnsPolicy }}
dnsPolicy: {{ .Values.dnsPolicy | quote }}
{{- end }}
{{- if .Values.dnsConfig }}
dnsConfig:
{{ toYaml .Values.dnsConfig | indent 8 }}
{{- end }}
containers:
- name: {{ .Values.appsec.name }}
readinessProbe:
exec:
command:
- sh
- -c
- '[ -f /etc/cp/HttpTransactionHandler/cp-nano-http-transaction-handler ] && exit 0 || exit 1'
initialDelaySeconds: 30
periodSeconds: 5
failureThreshold: 120
successThreshold: 1
securityContext:
{{ toYaml .Values.appsec.securityContext | nindent 12 }}
{{- with .Values.appsec.image }}
image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}"
{{- end }}
command:
- {{ .Values.appsec.command }}
imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
args:
{{- if (eq "standalone" .Values.appsec.mode) }}
- --hybrid-mode
- --token
- cp-3fb5c718-5e39-47e6-8d5e-99b4bc5660b74b4b7fc8-5312-451d-a763-aaf7872703c0
{{- else }}
- --token
- {{ .Values.appsec.agentToken }}
{{- end }}
{{- if .Values.appsec.customFog.enabled }}
- --fog
- {{ .Values.appsec.customFog.fogAddress }}
{{- end }}
{{- if .Values.appsec.proxy }}
- --proxy
- {{ .Values.appsec.proxy }}
{{- end }}
imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
env:
{{- if eq .Values.appsec.playground false }}
- name: SHARED_STORAGE_HOST
value: {{ .Values.appsec.storage.name }}-svc
- name: LEARNING_HOST
value: {{ .Values.appsec.learning.name }}-svc
{{- else }}
- name: PLAYGROUND
value: "true"
{{- end }}
resources:
{{ toYaml .Values.resources | nindent 12 }}
{{- if eq .Values.kind "AppSecStateful" }}
volumeMounts:
- name: advanced-model
mountPath: /advanced-model
- name: appsec-conf
mountPath: /etc/cp/conf
- name: appsec-data
mountPath: /etc/cp/data
{{- end }}
{{- if .Values.ingressController.enabled }}
{{- include "kong.controller-container" . | nindent 6 }}
{{ end }}
{{- if .Values.deployment.sidecarContainers }}
{{- toYaml .Values.deployment.sidecarContainers | nindent 6 }}
{{- end }}
{{- if .Values.deployment.kong.enabled }}
- name: "proxy"
{{- with .Values.appsec.kong.image }}
image: "{{ .repository }}:{{ .tag }}"
{{- end }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{ toYaml .Values.containerSecurityContext | nindent 10 }}
env:
{{- include "kong.no_daemon_env" . | nindent 8 }}
lifecycle:
{{- toYaml .Values.lifecycle | nindent 10 }}
ports:
{{- if (and .Values.admin.http.enabled .Values.admin.enabled) }}
- name: admin
containerPort: {{ .Values.admin.http.containerPort }}
{{- if .Values.admin.http.hostPort }}
hostPort: {{ .Values.admin.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.admin.tls.enabled .Values.admin.enabled) }}
- name: admin-tls
containerPort: {{ .Values.admin.tls.containerPort }}
{{- if .Values.admin.tls.hostPort }}
hostPort: {{ .Values.admin.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.proxy.http.enabled .Values.proxy.enabled) }}
- name: proxy
containerPort: {{ .Values.proxy.http.containerPort }}
{{- if .Values.proxy.http.hostPort }}
hostPort: {{ .Values.proxy.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.proxy.tls.enabled .Values.proxy.enabled)}}
- name: proxy-tls
containerPort: {{ .Values.proxy.tls.containerPort }}
{{- if .Values.proxy.tls.hostPort }}
hostPort: {{ .Values.proxy.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- range .Values.proxy.stream }}
- name: stream{{ if (eq (default "TCP" .protocol) "UDP") }}udp{{ end }}-{{ .containerPort }}
containerPort: {{ .containerPort }}
{{- if .hostPort }}
hostPort: {{ .hostPort }}
{{- end}}
protocol: {{ .protocol }}
{{- end }}
{{- range .Values.udpProxy.stream }}
- name: streamudp-{{ .containerPort }}
containerPort: {{ .containerPort }}
{{- if .hostPort }}
hostPort: {{ .hostPort }}
{{- end}}
protocol: {{ .protocol }}
{{- end }}
{{- if (and .Values.status.http.enabled .Values.status.enabled)}}
- name: status
containerPort: {{ .Values.status.http.containerPort }}
{{- if .Values.status.http.hostPort }}
hostPort: {{ .Values.status.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.status.tls.enabled .Values.status.enabled) }}
- name: status-tls
containerPort: {{ .Values.status.tls.containerPort }}
{{- if .Values.status.tls.hostPort }}
hostPort: {{ .Values.status.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.cluster.tls.enabled .Values.cluster.enabled) }}
- name: cluster-tls
containerPort: {{ .Values.cluster.tls.containerPort }}
{{- if .Values.cluster.tls.hostPort }}
hostPort: {{ .Values.cluster.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if .Values.enterprise.enabled }}
{{- if (and .Values.manager.http.enabled .Values.manager.enabled) }}
- name: manager
containerPort: {{ .Values.manager.http.containerPort }}
{{- if .Values.manager.http.hostPort }}
hostPort: {{ .Values.manager.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.manager.tls.enabled .Values.manager.enabled) }}
- name: manager-tls
containerPort: {{ .Values.manager.tls.containerPort }}
{{- if .Values.manager.tls.hostPort }}
hostPort: {{ .Values.manager.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.portal.http.enabled .Values.portal.enabled) }}
- name: portal
containerPort: {{ .Values.portal.http.containerPort }}
{{- if .Values.portal.http.hostPort }}
hostPort: {{ .Values.portal.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.portal.tls.enabled .Values.portal.enabled) }}
- name: portal-tls
containerPort: {{ .Values.portal.tls.containerPort }}
{{- if .Values.portal.tls.hostPort }}
hostPort: {{ .Values.portal.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.portalapi.http.enabled .Values.portalapi.enabled) }}
- name: portalapi
containerPort: {{ .Values.portalapi.http.containerPort }}
{{- if .Values.portalapi.http.hostPort }}
hostPort: {{ .Values.portalapi.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.portalapi.tls.enabled .Values.portalapi.enabled) }}
- name: portalapi-tls
containerPort: {{ .Values.portalapi.tls.containerPort }}
{{- if .Values.portalapi.tls.hostPort }}
hostPort: {{ .Values.portalapi.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.clustertelemetry.tls.enabled .Values.clustertelemetry.enabled) }}
- name: clustert-tls
containerPort: {{ .Values.clustertelemetry.tls.containerPort }}
{{- if .Values.clustertelemetry.tls.hostPort }}
hostPort: {{ .Values.clustertelemetry.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- end }}
volumeMounts:
{{- include "kong.volumeMounts" . | nindent 10 }}
{{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 10 }}
readinessProbe:
{{ toYaml .Values.readinessProbe | indent 10 }}
livenessProbe:
{{ toYaml .Values.livenessProbe | indent 10 }}
resources:
{{ toYaml .Values.resources | indent 10 }}
{{- end }} {{/* End of Kong container spec */}}
{{- if .Values.affinity }}
affinity:
{{ toYaml .Values.affinity | indent 8 }}
{{- end }}
{{- if .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{ toYaml .Values.topologySpreadConstraints | indent 8 }}
{{- end }}
securityContext:
{{- include "kong.podsecuritycontext" . | nindent 8 }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
volumes:
- name: advanced-model
configMap:
name: advanced-model-config
optional: true
{{- include "kong.volumes" . | nindent 8 -}}
{{- include "kong.userDefinedVolumes" . | nindent 8 -}}
{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
- name: {{ template "kong.serviceAccountTokenName" . }}
{{- /* Due to GKE versions (e.g. v1.23.15-gke.1900) we need to handle pre-release part of the version as well.
See the related documentation of semver module that Helm depends on for semverCompare:
https://github.com/Masterminds/semver#working-with-prerelease-versions
Related Helm issue: https://github.com/helm/helm/issues/3810 */}}
{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
{{- else }}
secret:
secretName: {{ template "kong.serviceAccountTokenName" . }}
items:
- key: token
path: token
- key: ca.crt
path: ca.crt
- key: namespace
path: namespace
{{- end -}}
{{- end }}
{{- if eq .Values.kind "AppSecStateful" }}
volumeClaimTemplates:
- metadata:
name: appsec-conf
spec:
accessModes: [ "ReadWriteOnce" ]
# Need to create a storage class resource.
{{- if .Values.appsec.persistence.storageClass }}
{{- if (eq "-" .Values.appsec.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.appsec.persistence.storageClass }}"
{{- end -}}
{{- end }}
resources:
requests:
storage: {{ .Values.appsec.persistence.conf.size | quote }}
- metadata:
name: appsec-data
spec:
accessModes: [ "ReadWriteOnce" ]
# Need to create a storage class resource.
{{- if .Values.appsec.persistence.storageClass }}
{{- if (eq "-" .Values.appsec.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.appsec.persistence.storageClass }}"
{{- end -}}
{{- end }}
resources:
requests:
storage: {{ .Values.appsec.persistence.data.size | quote }}
{{- end }}
{{- end }}

26
build_system/charts/open-appsec-kong/templates/certificate.yaml
View File

@@ -6,6 +6,8 @@
{{- $_ := set $genericCertificateConfig "metaLabels" (include "kong.metaLabels" .) -}}
{{- $_ := set $genericCertificateConfig "globalIssuer" .Values.certificates.issuer -}}
{{- $_ := set $genericCertificateConfig "globalClusterIssuer" .Values.certificates.clusterIssuer -}}
{{- $_ := set $genericCertificateConfig "globalSubject" .Values.certificates.subject -}}
{{- $_ := set $genericCertificateConfig "globalPrivateKey" .Values.certificates.privateKey -}}
{{- $_ := set $genericCertificateConfig "defaultIssuer" (printf "%s-%s-%s" .Release.Name .Chart.Name "selfsigned-issuer") -}}
{{- if .Values.certificates.admin.enabled }}
@@ -28,10 +30,7 @@
{{- if .Values.certificates.cluster.enabled }}
{{- $certificateConfig := dict -}}
{{- $certificateConfig = mustMerge (mustDeepCopy $genericCertificateConfig) $certificateConfig -}}
{{- $_ := set $certificateConfig "dnsNames" (list) -}}
{{- $_ := set $certificateConfig "commonName" "kong_cluster" -}}
{{- $certificateConfig = (mustMerge $certificateConfig .Values.certificates.cluster) -}}
{{- $certificateConfig = mustMerge (mustDeepCopy $genericCertificateConfig) .Values.certificates.cluster -}}
{{- $_ := set $certificateConfig "serviceName" "cluster" -}}
{{- include "kong.certificate" $certificateConfig -}}
{{- end }}
@@ -54,9 +53,22 @@ spec:
{{- range (append .dnsNames .commonName) }}
- {{ . | quote }}
{{- end }}
renewBefore: 360h
duration: 2160h
isCA: false
renewBefore: 360h0m0s
duration: 2160h0m0s
{{ if .subject -}}
subject:
{{- toYaml .subject | nindent 4 }}
{{ else if .globalSubject -}}
subject:
{{- toYaml .globalSubject | nindent 4 }}
{{- end }}
{{ if .privateKey -}}
privateKey:
{{- toYaml .privateKey | nindent 4 }}
{{ else if .globalPrivateKey -}}
privateKey:
{{- toYaml .globalPrivateKey | nindent 4 }}
{{- end }}
{{ if .clusterIssuer -}}
issuerRef:
name: {{ .clusterIssuer }}

3
build_system/charts/open-appsec-kong/templates/controller-rbac-resources.yaml
View File

@@ -35,12 +35,14 @@ rules:
- configmaps
verbs:
- create
{{- if (semverCompare "< 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
{{- end }}
# Begin KIC 2.x leader permissions
- apiGroups:
- ""
@@ -67,7 +69,6 @@ rules:
- ""
resources:
- services
- endpoints
verbs:
- get
---

6
build_system/charts/open-appsec-kong/templates/deployment.yaml
View File

@@ -83,6 +83,7 @@ spec:
- name: {{ . }}
{{- end }}
{{- end }}
{{- if .Values.deployment.kong.enabled }}
initContainers:
- name: clear-stale-pid
image: {{ include "kong.getRepoTag" .Values.image }}
@@ -105,6 +106,7 @@ spec:
{{- if (and (not (eq .Values.env.database "off")) .Values.waitImage.enabled) }}
{{- include "kong.wait-for-db" . | nindent 6 }}
{{- end }}
{{- end }}
{{- if .Values.deployment.hostAliases }}
hostAliases:
{{- toYaml .Values.deployment.hostAliases | nindent 6 }}
@@ -271,6 +273,10 @@ spec:
{{ toYaml .Values.readinessProbe | indent 10 }}
livenessProbe:
{{ toYaml .Values.livenessProbe | indent 10 }}
{{- if .Values.startupProbe }}
startupProbe:
{{ toYaml .Values.startupProbe | indent 10 }}
{{- end }}
resources:
{{ toYaml .Values.resources | indent 10 }}
{{- end }} {{/* End of Kong container spec */}}

6
build_system/charts/open-appsec-kong/templates/hpa.yaml
View File

@@ -17,10 +17,10 @@ spec:
behavior:
{{- toYaml .Values.autoscaling.behavior | nindent 4 }}
{{- end }}
{{- if not (.Capabilities.APIVersions.Has "autoscaling/v2beta2") }}
targetCPUUtilizationPercentage: {{ .Values.autoscaling.targetCPUUtilizationPercentage | default 80 }}
{{- else }}
{{- if contains "autoscaling/v2" (include "kong.autoscalingVersion" . ) }}
metrics:
{{- toYaml .Values.autoscaling.metrics | nindent 4 }}
{{- else }}
targetCPUUtilizationPercentage: {{ .Values.autoscaling.targetCPUUtilizationPercentage | default 80 }}
{{- end }}
{{- end }}

2
build_system/charts/open-appsec-kong/templates/migrations-post-upgrade.yaml
View File

@@ -59,7 +59,7 @@ spec:
{{- toYaml .Values.migrations.sidecarContainers | nindent 6 }}
{{- end }}
- name: {{ template "kong.name" . }}-post-upgrade-migrations
{{- if eq .Values.kind "Vanilla" }}
{{- if eq .Values.kind "Vanilla" }}
image: {{ include "kong.getRepoTag" .Values.image }}
{{- else }}
image: {{ include "kong.getRepoTag" .Values.appsec.kong.image }}

2
build_system/charts/open-appsec-kong/templates/migrations-pre-upgrade.yaml
View File

@@ -59,7 +59,7 @@ spec:
{{- toYaml .Values.migrations.sidecarContainers | nindent 6 }}
{{- end }}
- name: {{ template "kong.name" . }}-upgrade-migrations
{{- if eq .Values.kind "Vanilla" }}
{{- if eq .Values.kind "Vanilla" }}
image: {{ include "kong.getRepoTag" .Values.image }}
{{- else }}
image: {{ include "kong.getRepoTag" .Values.appsec.kong.image }}

96
build_system/charts/open-appsec-kong/templates/service-kong-admin.yaml
View File

@@ -15,3 +15,99 @@
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "adminApiService.certSecretName" -}}
{{- default (printf "%s-admin-api-keypair" (include "kong.fullname" .)) .Values.ingressController.adminApi.tls.client.secretName -}}
{{- end -}}
{{- define "adminApiService.caSecretName" -}}
{{- default (printf "%s-admin-api-ca-keypair" (include "kong.fullname" .)) .Values.ingressController.adminApi.tls.client.caSecretName -}}
{{- end -}}
{{- $clientVerifyEnabled := .Values.ingressController.adminApi.tls.client.enabled -}}
{{- $clientCertProvided := .Values.ingressController.adminApi.tls.client.certProvided -}}
{{/* If the client verification is enabled but no secret was provided by the user, let's generate certificates. */ -}}
{{- if and $clientVerifyEnabled (not $clientCertProvided) }}
{{- $certCert := "" -}}
{{- $certKey := "" -}}
{{- $cn := printf "admin.%s.svc" ( include "kong.namespace" . ) -}}
{{- $ca := genCA "admin-api-ca" 3650 -}}
{{- $cert := genSignedCert $cn nil (list $cn) 3650 $ca -}}
{{- $certCert = $cert.Cert -}}
{{- $certKey = $cert.Key -}}
{{/* Verify whether a secret with a given name already exists. If it does, let's use its cert and key data. */}}
{{- $certSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (include "adminApiService.certSecretName" .)) -}}
{{- if $certSecret }}
{{- $certCert = (b64dec (get $certSecret.data "tls.crt")) -}}
{{- $certKey = (b64dec (get $certSecret.data "tls.key")) -}}
{{- end }}
{{- $caCert := $ca.Cert -}}
{{- $caKey := $ca.Key -}}
{{/* Verify whether a secret with a given name already exists. If it does, let's use its cert and key data. */ -}}
{{- $caSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (include "adminApiService.caSecretName" .))}}
{{- if $caSecret }}
{{- $caCert = (b64dec (get $caSecret.data "tls.crt")) -}}
{{- $caKey = (b64dec (get $caSecret.data "tls.key")) -}}
{{- end }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ template "adminApiService.certSecretName" . }}
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
type: kubernetes.io/tls
data:
tls.crt: {{ b64enc $certCert }}
tls.key: {{ b64enc $certKey }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ template "adminApiService.caSecretName" . }}
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
type: kubernetes.io/tls
data:
tls.crt: {{ b64enc $caCert }}
tls.key: {{ b64enc $caKey }}
{{- end }}
{{- /* Create a CA ConfigMap for Kong. */ -}}
{{- $secretProvided := $.Values.admin.tls.client.secretName -}}
{{- $bundleProvided := $.Values.admin.tls.client.caBundle -}}
{{- if or $secretProvided $bundleProvided -}}
{{- $cert := "" -}}
{{- if $secretProvided -}}
{{- $certSecret := (lookup "v1" "Secret" (include "kong.namespace" .) $.Values.admin.tls.client.secretName) -}}
{{- if $certSecret }}
{{- $cert = (b64dec (get $certSecret.data "tls.crt")) -}}
{{- else -}}
{{- fail (printf "%s/%s secret not found" (include "kong.namespace" .) $.Values.admin.tls.client.secretName) -}}
{{- end }}
{{- end }}
{{- if $bundleProvided -}}
{{- $cert = $.Values.admin.tls.client.caBundle -}}
{{- end }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "kong.fullname" . }}-admin-client-ca
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
data:
tls.crt: {{ $cert | quote }}
{{- end -}}

148
build_system/charts/open-appsec-kong/values.yaml
View File

@@ -1,5 +1,3 @@
--- # -----------------------------------------------------------------------------
# Default values for Kong's Helm Chart.
# Declare variables to be passed into your templates.
#
@@ -13,6 +11,8 @@
# -----------------------------------------------------------------------------
# Deployment parameters
# -----------------------------------------------------------------------------
deployment:
kong:
# Enable or disable Kong itself
@@ -121,10 +121,10 @@ extraLabels: {}
# Specify Kong's Docker image and repository details here
image:
repository: kong
tag: "3.1"
tag: "3.2"
# Kong Enterprise
# repository: kong/kong-gateway
# tag: "3.1"
# tag: "3.2"
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
@@ -141,6 +141,7 @@ admin:
# Enterprise users that wish to use Kong Manager with the controller should enable this
enabled: false
type: NodePort
loadBalancerClass:
# To specify annotations or labels for the admin service, add them to the respective
# "annotations" or "labels" dictionaries below.
annotations: {}
@@ -170,7 +171,15 @@ admin:
# nodePort: 32443
# Additional listen parameters, e.g. "reuseport", "backlog=16384"
parameters:
- http2
- http2
# Specify the CA certificate to use for TLS verification of the Admin API client by:
# - secretName - the secret must contain a key named "tls.crt" with the PEM-encoded certificate.
# - caBundle (PEM-encoded certificate string).
# If both are set, caBundle takes precedence.
client:
caBundle: ""
secretName: ""
# Kong admin ingress settings. Useful if you want to expose the Admin
# API of Kong outside the k8s cluster.
@@ -235,6 +244,7 @@ cluster:
parameters: []
type: ClusterIP
loadBalancerClass:
# Kong cluster ingress settings. Useful if you want to split CP and DP
# in different clusters.
@@ -258,6 +268,9 @@ proxy:
# Enable creating a Kubernetes service for the proxy
enabled: true
type: LoadBalancer
loadBalancerClass:
# Override proxy Service name
nameOverride: ""
# To specify annotations or labels for the proxy service, add them to the respective
# "annotations" or "labels" dictionaries below.
annotations: {}
@@ -291,18 +304,17 @@ proxy:
# nodePort: 32443
# Additional listen parameters, e.g. "reuseport", "backlog=16384"
parameters:
- http2
- http2
# Define stream (TCP) listen
# To enable, remove "[]", uncomment the section below, and select your desired
# ports and parameters. Listens are dynamically named after their servicePort,
# ports and parameters. Listens are dynamically named after their containerPort,
# e.g. "stream-9000" for the below.
# Note: although you can select the protocol here, you cannot set UDP if you
# use a LoadBalancer Service due to limitations in current Kubernetes versions.
# To proxy both TCP and UDP with LoadBalancers, you must enable the udpProxy Service
# in the next section and place all UDP stream listen configuration under it.
stream:
[]
stream: []
# # Set the container (internal) and service (external) ports for this listen.
# # These values should normally be the same. If your environment requires they
# # differ, note that Kong will match routes based on the containerPort only.
@@ -345,6 +357,7 @@ udpProxy:
# Enable creating a Kubernetes service for UDP proxying
enabled: false
type: LoadBalancer
loadBalancerClass:
# To specify annotations or labels for the proxy service, add them to the respective
# "annotations" or "labels" dictionaries below.
annotations: {}
@@ -357,8 +370,7 @@ udpProxy:
# To enable, remove "[]", uncomment the section below, and select your desired
# ports and parameters. Listens are dynamically named after their servicePort,
# e.g. "stream-9000" for the below.
stream:
[]
stream: []
# # Set the container (internal) and service (external) ports for this listen.
# # These values should normally be the same. If your environment requires they
# # differ, note that Kong will match routes based on the containerPort only.
@@ -381,8 +393,7 @@ udpProxy:
# Subdirectories (which are optional) require separate ConfigMaps/Secrets.
# "path" indicates their directory under the main plugin directory: the example
# below will mount the contents of kong-plugin-rewriter-migrations at "/opt/kong/rewriter/migrations".
plugins:
{}
plugins: {}
# configMaps:
# - pluginName: rewriter
# name: kong-plugin-rewriter
@@ -473,7 +484,7 @@ ingressController:
enabled: true
image:
repository: kong/kubernetes-ingress-controller
tag: "2.8"
tag: "2.9"
# Optionally set a semantic version for version-gated features. This can normally
# be left unset. You only need to set this if your tag is not a semver string,
# such as when you are using a "next" tag. Set this to the effective semantic
@@ -482,6 +493,12 @@ ingressController:
effectiveSemver:
args: []
gatewayDiscovery:
enabled: false
adminApiService:
namespace: ""
name: ""
# Specify individual namespaces to watch for ingress configuration. By default,
# when no namespaces are set, the controller watches all namespaces and uses a
# ClusterRole to grant access to Kubernetes resources. When you list specific
@@ -516,12 +533,16 @@ ingressController:
port: 8080
certificate:
provided: false
namespaceSelector: {}
# Specifiy the secretName when the certificate is provided via a TLS secret
# secretName: ""
# Specifiy the CA bundle of the provided certificate.
# This is a PEM encoded CA bundle which will be used to validate the webhook certificate. If unspecified, system trust roots on the apiserver are used.
# caBundle:
# | Add the CA bundle content here.
service:
# Specify custom labels for the validation webhook service.
labels: {}
ingressClass: kong
# annotations for IngressClass resource (Kubernetes 1.18+)
@@ -568,6 +589,46 @@ ingressController:
# cpu: 50m
# memory: 128Mi
konnect:
enabled: false
# Specifies a Konnect Runtime Group's ID that the controller will push its data-plane config to.
runtimeGroupID: ""
# Specifies a Konnect API hostname that the controller will use to push its data-plane config to.
# By default, this is set to US region's production API hostname.
# If you are using a different region, you can set this to the appropriate hostname (e.g. "eu.kic.api.konghq.com").
apiHostname: "us.kic.api.konghq.com"
# Specifies a secret that contains a client TLS certificate that the controller
# will use to authenticate against Konnect APIs.
tlsClientCertSecretName: "konnect-client-tls"
license:
# Specifies whether the controller should fetch a license from Konnect and apply it to managed Gateways.
enabled: false
adminApi:
tls:
client:
# Enable TLS client authentication for the Admin API.
enabled: false
# If set to false, Helm will generate certificates for you.
# If set to true, you are expected to provide your own secret (see secretName, caSecretName).
certProvided: false
# Client TLS certificate/key pair secret name that Ingress Controller will use to authenticate with Kong Admin API.
# If certProvided is set to false, it is optional (can be specified though if you want to force Helm to use
# a specific secret name).
secretName: ""
# CA TLS certificate/key pair secret name that the client TLS certificate is signed by.
# If certProvided is set to false, it is optional (can be specified though if you want to force Helm to use
# a specific secret name).
caSecretName: ""
# -----------------------------------------------------------------------------
# Postgres sub-chart parameters
# -----------------------------------------------------------------------------
@@ -667,8 +728,8 @@ certificates:
# Issuers used by the control and data plane releases must match for this certificate.
issuer: ""
clusterIssuer: ""
# commonName: "kong_cluster"
# dnsNames: []
commonName: "kong_clustering"
dnsNames: []
# -----------------------------------------------------------------------------
# Miscellaneous parameters
@@ -689,8 +750,7 @@ waitImage:
pullPolicy: IfNotPresent
# update strategy
updateStrategy:
{}
updateStrategy: {}
# type: RollingUpdate
# rollingUpdate:
# maxSurge: "100%"
@@ -698,8 +758,7 @@ updateStrategy:
# If you want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
resources:
{}
resources: {}
# limits:
# cpu: 1
# memory: 2G
@@ -731,6 +790,18 @@ livenessProbe:
successThreshold: 1
failureThreshold: 3
# startupProbe for Kong pods
# startupProbe:
# httpGet:
# path: "/status"
# port: status
# scheme: HTTP
# initialDelaySeconds: 5
# timeoutSeconds: 5
# periodSeconds: 2
# successThreshold: 1
# failureThreshold: 40
# Proxy container lifecycle hooks
# Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
lifecycle:
@@ -741,7 +812,7 @@ lifecycle:
command:
- kong
- quit
- "--wait=15"
- '--wait=15'
# Sets the termination grace period for pods spawned by the Kubernetes Deployment.
# Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution
@@ -821,10 +892,10 @@ podSecurityPolicy:
supplementalGroups:
rule: RunAsAny
volumes:
- "configMap"
- "secret"
- "emptyDir"
- "projected"
- 'configMap'
- 'secret'
- 'emptyDir'
- 'projected'
allowPrivilegeEscalation: false
hostNetwork: false
hostIPC: false
@@ -833,13 +904,15 @@ podSecurityPolicy:
# If you use Kong Enterprise <1.5, this must be set to false.
readOnlyRootFilesystem: true
priorityClassName: ""
# securityContext for Kong pods.
securityContext: {}
# securityContext for containers.
containerSecurityContext: {}
containerSecurityContext:
readOnlyRootFilesystem: true
## Optional DNS configuration for Kong pods
# dnsPolicy: ClusterFirst
@@ -911,7 +984,7 @@ enterprise:
smtp_admin_emails: none@example.com
smtp_host: smtp.example.com
smtp_port: 587
smtp_auth_type: ""
smtp_auth_type: ''
smtp_ssl: nil
smtp_starttls: true
auth:
@@ -919,13 +992,14 @@ enterprise:
# be left as-is. If smtp_username is set to anything other than an empty
# string, you must create a Secret with an smtp_password key containing
# your SMTP password and specify its name here.
smtp_username: "" # e.g. postmaster@example.com
smtp_username: '' # e.g. postmaster@example.com
smtp_password_secret: CHANGEME-smtp-password
manager:
# Enable creating a Kubernetes service for Kong Manager
enabled: true
type: NodePort
loadBalancerClass:
# To specify annotations or labels for the Manager service, add them to the respective
# "annotations" or "labels" dictionaries below.
annotations: {}
@@ -951,7 +1025,7 @@ manager:
# nodePort: 32443
# Additional listen parameters, e.g. "reuseport", "backlog=16384"
parameters:
- http2
- http2
ingress:
# Enable/disable exposure using ingress.
@@ -972,6 +1046,7 @@ portal:
# Enable creating a Kubernetes service for the Developer Portal
enabled: true
type: NodePort
loadBalancerClass:
# To specify annotations or labels for the Portal service, add them to the respective
# "annotations" or "labels" dictionaries below.
annotations: {}
@@ -997,7 +1072,7 @@ portal:
# nodePort: 32443
# Additional listen parameters, e.g. "reuseport", "backlog=16384"
parameters:
- http2
- http2
ingress:
# Enable/disable exposure using ingress.
@@ -1018,6 +1093,7 @@ portalapi:
# Enable creating a Kubernetes service for the Developer Portal API
enabled: true
type: NodePort
loadBalancerClass:
# To specify annotations or labels for the Portal API service, add them to the respective
# "annotations" or "labels" dictionaries below.
annotations: {}
@@ -1043,7 +1119,7 @@ portalapi:
# nodePort: 32443
# Additional listen parameters, e.g. "reuseport", "backlog=16384"
parameters:
- http2
- http2
ingress:
# Enable/disable exposure using ingress.
@@ -1075,6 +1151,7 @@ clustertelemetry:
parameters: []
type: ClusterIP
loadBalancerClass:
# Kong clustertelemetry ingress settings. Useful if you want to split
# CP and DP in different clusters.
@@ -1116,9 +1193,10 @@ extraObjects: []
# plugin: prometheus
appsec:
mode: managed
mode: managed
name: open-appsec
image:
#registry:
repository: ghcr.io/openappsec
image: agent
tag: latest
@@ -1134,12 +1212,8 @@ appsec:
# runAsUser: 1000
kong:
image:
repository: "ghcr.io/openappsec/kong-attachment"
repository: "ghcr.io/openappsec/kong-gateway-attachment"
tag: "latest"
# Kong Enterprise with open-appsec attachment
# repository: "ghcr.io/openappsec/kong-gateway-attachment"
# tag: "latest"
resources:
# limits:
# cpu: 100m

2
build_system/docker/CMakeLists.txt
View File

@@ -1,4 +1,4 @@
install(FILES Dockerfile entry.sh DESTINATION .)
install(FILES Dockerfile entry.sh install-cp-agent-intelligence-service.sh install-cp-crowdsec-aux.sh DESTINATION .)
add_custom_command(
OUTPUT ${CMAKE_INSTALL_PREFIX}/agent-docker.img

10
build_system/docker/entry.sh
View File

@@ -1,5 +1,7 @@
#!/bin/bash
INTELLIGENCE_INSTALLATION_SCRIPT="install-cp-agent-intelligence-service.sh"
CROWDSEC_INSTALLATION_SCRIPT="install-cp-crowdsec-aux.sh"
HTTP_TRANSACTION_HANDLER_SERVICE="install-cp-nano-service-http-transaction-handler.sh"
ATTACHMENT_REGISTRATION_SERVICE="install-cp-nano-attachment-registration-manager.sh"
ORCHESTRATION_INSTALLATION_SCRIPT="install-cp-nano-agent.sh"
@@ -29,6 +31,9 @@ while true; do
elif [ "$1" == "--token" ]; then
shift
var_token="$1"
elif [ "$1" == "--standalone" ]; then
var_mode="--hybrid_mode"
var_token="cp-3fb5c718-5e39-47e6-8d5e-99b4bc5660b74b4b7fc8-5312-451d-a763-aaf7872703c0"
fi
shift
done
@@ -56,6 +61,11 @@ fi
/nano-service-installers/$ATTACHMENT_REGISTRATION_SERVICE --install
/nano-service-installers/$HTTP_TRANSACTION_HANDLER_SERVICE --install
if [ ! -z $CROWDSEC_ENABLED ]; then
/nano-service-installers/$INTELLIGENCE_INSTALLATION_SCRIPT --install
/nano-service-installers/$CROWDSEC_INSTALLATION_SCRIPT --install
fi
# use advanced model if exist as data for agent
FILE=/advanced-model/open-appsec-advanced-model.tgz
if [ -f "$FILE" ]; then

63280
build_system/docker/install-cp-agent-intelligence-service.sh Normal file
View File

File diff suppressed because one or more lines are too long

15804
build_system/docker/install-cp-crowdsec-aux.sh Normal file
View File

File diff suppressed because one or more lines are too long

Some files were not shown because too many files have changed in this diff Show More