mirror of
https://github.com/openappsec/openappsec.git
synced 2025-06-28 16:41:02 +03:00
443 lines
17 KiB
YAML
443 lines
17 KiB
YAML
{{- if and (not (eq .Values.kind "Vanilla")) (or .Values.deployment.kong.enabled .Values.ingressController.enabled) }}
|
|
apiVersion: apps/v1
|
|
{{- if (eq .Values.kind "AppSec") }}
|
|
{{- if .Values.deployment.daemonset }}
|
|
kind: DaemonSet
|
|
{{- else }}
|
|
kind: Deployment
|
|
{{- end }}
|
|
{{- else if eq .Values.kind "AppSecStateful" }}
|
|
kind: StatefulSet
|
|
{{- end }}
|
|
metadata:
|
|
name: {{ template "kong.fullname" . }}
|
|
namespace: {{ template "kong.namespace" . }}
|
|
labels:
|
|
{{- include "kong.metaLabels" . | nindent 4 }}
|
|
app.kubernetes.io/component: app
|
|
{{- if .Values.deploymentAnnotations }}
|
|
annotations:
|
|
{{- range $key, $value := .Values.deploymentAnnotations }}
|
|
{{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
|
|
{{- end }}
|
|
{{- end }}
|
|
spec:
|
|
{{- if not .Values.autoscaling.enabled }}
|
|
{{- if eq .Values.kind "AppSecStateful" }}
|
|
serviceName: "open-appsec-stateful-set"
|
|
{{- end }}
|
|
{{- if or (not .Values.deployment.daemonset) (and (eq .Values.kind "AppSecStateful") ( .Values.deployment.daemonset )) }}
|
|
replicas: {{ .Values.replicaCount }}
|
|
{{- end }}
|
|
{{- end }}
|
|
selector:
|
|
matchLabels:
|
|
{{- include "kong.selectorLabels" . | nindent 6 }}
|
|
{{- if .Values.updateStrategy }}
|
|
{{- if .Values.deployment.daemonset }}
|
|
updateStrategy:
|
|
{{- else }}
|
|
strategy:
|
|
{{- end }}
|
|
{{ toYaml .Values.updateStrategy | indent 4 }}
|
|
{{- end }}
|
|
{{- if .Values.deployment.minReadySeconds }}
|
|
minReadySeconds: {{ .Values.deployment.minReadySeconds }}
|
|
{{- end }}
|
|
|
|
template:
|
|
metadata:
|
|
annotations:
|
|
{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
|
|
kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }}
|
|
{{- end }}
|
|
{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off" )) }}
|
|
{{- if .Values.dblessConfig.config }}
|
|
checksum/dbless.config: {{ toYaml .Values.dblessConfig.config | sha256sum }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if .Values.podAnnotations }}
|
|
{{- range $key, $value := .Values.podAnnotations }}
|
|
{{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
|
|
{{- end }}
|
|
{{- end }}
|
|
labels:
|
|
{{- include "kong.metaLabels" . | nindent 8 }}
|
|
app.kubernetes.io/component: app
|
|
app: {{ template "kong.fullname" . }}
|
|
version: {{ .Chart.AppVersion | quote }}
|
|
{{- if .Values.podLabels }}
|
|
{{ include "kong.renderTpl" (dict "value" .Values.podLabels "context" $) | nindent 8 }}
|
|
{{- end }}
|
|
spec:
|
|
{{- if .Values.deployment.hostname }}
|
|
hostname: {{ .Values.deployment.hostname }}
|
|
{{- end }}
|
|
{{- if .Values.deployment.hostNetwork }}
|
|
hostNetwork: true
|
|
{{- end }}
|
|
{{- if .Values.priorityClassName }}
|
|
priorityClassName: "{{ .Values.priorityClassName }}"
|
|
{{- end }}
|
|
{{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}
|
|
serviceAccountName: {{ template "kong.serviceAccountName" . }}
|
|
{{- end }}
|
|
{{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }}
|
|
automountServiceAccountToken: true
|
|
{{- else }}
|
|
automountServiceAccountToken: false
|
|
{{ end }}
|
|
{{- if .Values.image.pullSecrets }}
|
|
imagePullSecrets:
|
|
{{- range .Values.image.pullSecrets }}
|
|
- name: {{ . }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if .Values.deployment.kong.enabled }}
|
|
initContainers:
|
|
- name: clear-stale-pid
|
|
image: {{ include "kong.getRepoTag" .Values.image }}
|
|
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
|
securityContext:
|
|
{{ toYaml .Values.containerSecurityContext | nindent 10 }}
|
|
resources:
|
|
{{ toYaml .Values.resources | indent 10 }}
|
|
command:
|
|
- "rm"
|
|
- "-vrf"
|
|
- "$KONG_PREFIX/pids"
|
|
env:
|
|
{{- include "kong.env" . | nindent 8 }}
|
|
volumeMounts:
|
|
{{- include "kong.volumeMounts" . | nindent 8 }}
|
|
{{- if .Values.deployment.initContainers }}
|
|
{{- toYaml .Values.deployment.initContainers | nindent 6 }}
|
|
{{- end }}
|
|
{{- if (and (not (eq .Values.env.database "off")) .Values.waitImage.enabled) }}
|
|
{{- include "kong.wait-for-db" . | nindent 6 }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if .Values.deployment.hostAliases }}
|
|
hostAliases:
|
|
{{- toYaml .Values.deployment.hostAliases | nindent 6 }}
|
|
{{- end}}
|
|
{{- if .Values.dnsPolicy }}
|
|
dnsPolicy: {{ .Values.dnsPolicy | quote }}
|
|
{{- end }}
|
|
{{- if .Values.dnsConfig }}
|
|
dnsConfig:
|
|
{{ toYaml .Values.dnsConfig | indent 8 }}
|
|
{{- end }}
|
|
containers:
|
|
- name: {{ .Values.appsec.name }}
|
|
readinessProbe:
|
|
exec:
|
|
command:
|
|
- sh
|
|
- -c
|
|
- '[ -f /etc/cp/HttpTransactionHandler/cp-nano-http-transaction-handler ] && exit 0 || exit 1'
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 5
|
|
failureThreshold: 120
|
|
successThreshold: 1
|
|
securityContext:
|
|
{{ toYaml .Values.appsec.securityContext | nindent 12 }}
|
|
{{- $tag := .Values.appsec.image.tag }}
|
|
{{- if .Values.appsec.configMapContent.crowdsec.enabled }}
|
|
{{- $tag = "crowdsec-1.2314-rc1" }}
|
|
{{- end }}
|
|
{{- with .Values.appsec.image }}
|
|
image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}"
|
|
{{- end }}
|
|
command:
|
|
- {{ .Values.appsec.command }}
|
|
imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
|
|
args:
|
|
{{- if (eq "standalone" .Values.appsec.mode) }}
|
|
- --hybrid-mode
|
|
- --token
|
|
- cp-3fb5c718-5e39-47e6-8d5e-99b4bc5660b74b4b7fc8-5312-451d-a763-aaf7872703c0
|
|
{{- else }}
|
|
- --token
|
|
- {{ .Values.appsec.agentToken }}
|
|
{{- end }}
|
|
{{- if .Values.appsec.customFog.enabled }}
|
|
- --fog
|
|
- {{ .Values.appsec.customFog.fogAddress }}
|
|
{{- end }}
|
|
{{- if .Values.appsec.proxy }}
|
|
- --proxy
|
|
- {{ .Values.appsec.proxy }}
|
|
{{- end }}
|
|
imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
|
|
env:
|
|
- name: registered_server
|
|
value: "Kong Server"
|
|
{{- if .Values.appsec.userEmail }}
|
|
{{- if eq .Values.appsec.userEmail "PROVIDE-EMAIL-HERE" }}
|
|
{{- fail "Please replace PROVIDE-EMAIL-HERE with an email address" }}
|
|
{{- end }}
|
|
- name: user_email
|
|
value: {{ .Values.appsec.userEmail }}
|
|
{{- end }}
|
|
{{- if eq .Values.appsec.playground false }}
|
|
- name: SHARED_STORAGE_HOST
|
|
value: {{ .Values.appsec.storage.name }}-svc
|
|
- name: LEARNING_HOST
|
|
value: {{ .Values.appsec.learning.name }}-svc
|
|
{{- else }}
|
|
- name: PLAYGROUND
|
|
value: "true"
|
|
{{- end }}
|
|
envFrom:
|
|
- configMapRef:
|
|
name: {{ .Values.appsec.configMapName | default "appsec-settings-configmap" }}
|
|
- secretRef:
|
|
name: {{ .Values.appsec.secretName | default "appsec-settings-secret" }}
|
|
resources:
|
|
{{ toYaml .Values.resources | nindent 12 }}
|
|
volumeMounts:
|
|
- name: advanced-model
|
|
mountPath: /advanced-model
|
|
{{- if (eq .Values.appsec.persistence.enabled true) }}
|
|
- name: appsec-conf
|
|
mountPath: /etc/cp/conf
|
|
- name: appsec-data
|
|
mountPath: /etc/cp/data
|
|
{{- end }}
|
|
{{- if .Values.ingressController.enabled }}
|
|
{{- include "kong.controller-container" . | nindent 6 }}
|
|
{{ end }}
|
|
{{- if .Values.deployment.sidecarContainers }}
|
|
{{- toYaml .Values.deployment.sidecarContainers | nindent 6 }}
|
|
{{- end }}
|
|
{{- if .Values.deployment.kong.enabled }}
|
|
- name: "proxy"
|
|
{{- $tag := .Values.appsec.kong.image.tag }}
|
|
{{- if .Values.appsec.configMapContent.crowdsec.enabled }}
|
|
{{- $tag = "1.2303.1-rc1-v1.3.0" }}
|
|
{{- end }}
|
|
{{- with .Values.appsec.kong.image }}
|
|
image: "{{ .repository }}:{{ .tag }}"
|
|
{{- end }}
|
|
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
|
securityContext:
|
|
{{ toYaml .Values.containerSecurityContext | nindent 10 }}
|
|
env:
|
|
{{- include "kong.no_daemon_env" . | nindent 8 }}
|
|
lifecycle:
|
|
{{- toYaml .Values.lifecycle | nindent 10 }}
|
|
ports:
|
|
{{- if (and .Values.admin.http.enabled .Values.admin.enabled) }}
|
|
- name: admin
|
|
containerPort: {{ .Values.admin.http.containerPort }}
|
|
{{- if .Values.admin.http.hostPort }}
|
|
hostPort: {{ .Values.admin.http.hostPort }}
|
|
{{- end}}
|
|
protocol: TCP
|
|
{{- end }}
|
|
{{- if (and .Values.admin.tls.enabled .Values.admin.enabled) }}
|
|
- name: admin-tls
|
|
containerPort: {{ .Values.admin.tls.containerPort }}
|
|
{{- if .Values.admin.tls.hostPort }}
|
|
hostPort: {{ .Values.admin.tls.hostPort }}
|
|
{{- end}}
|
|
protocol: TCP
|
|
{{- end }}
|
|
{{- if (and .Values.proxy.http.enabled .Values.proxy.enabled) }}
|
|
- name: proxy
|
|
containerPort: {{ .Values.proxy.http.containerPort }}
|
|
{{- if .Values.proxy.http.hostPort }}
|
|
hostPort: {{ .Values.proxy.http.hostPort }}
|
|
{{- end}}
|
|
protocol: TCP
|
|
{{- end }}
|
|
{{- if (and .Values.proxy.tls.enabled .Values.proxy.enabled)}}
|
|
- name: proxy-tls
|
|
containerPort: {{ .Values.proxy.tls.containerPort }}
|
|
{{- if .Values.proxy.tls.hostPort }}
|
|
hostPort: {{ .Values.proxy.tls.hostPort }}
|
|
{{- end}}
|
|
protocol: TCP
|
|
{{- end }}
|
|
{{- range .Values.proxy.stream }}
|
|
- name: stream{{ if (eq (default "TCP" .protocol) "UDP") }}udp{{ end }}-{{ .containerPort }}
|
|
containerPort: {{ .containerPort }}
|
|
{{- if .hostPort }}
|
|
hostPort: {{ .hostPort }}
|
|
{{- end}}
|
|
protocol: {{ .protocol }}
|
|
{{- end }}
|
|
{{- range .Values.udpProxy.stream }}
|
|
- name: streamudp-{{ .containerPort }}
|
|
containerPort: {{ .containerPort }}
|
|
{{- if .hostPort }}
|
|
hostPort: {{ .hostPort }}
|
|
{{- end}}
|
|
protocol: {{ .protocol }}
|
|
{{- end }}
|
|
{{- if (and .Values.status.http.enabled .Values.status.enabled)}}
|
|
- name: status
|
|
containerPort: {{ .Values.status.http.containerPort }}
|
|
{{- if .Values.status.http.hostPort }}
|
|
hostPort: {{ .Values.status.http.hostPort }}
|
|
{{- end}}
|
|
protocol: TCP
|
|
{{- end }}
|
|
{{- if (and .Values.status.tls.enabled .Values.status.enabled) }}
|
|
- name: status-tls
|
|
containerPort: {{ .Values.status.tls.containerPort }}
|
|
{{- if .Values.status.tls.hostPort }}
|
|
hostPort: {{ .Values.status.tls.hostPort }}
|
|
{{- end}}
|
|
protocol: TCP
|
|
{{- end }}
|
|
{{- if (and .Values.cluster.tls.enabled .Values.cluster.enabled) }}
|
|
- name: cluster-tls
|
|
containerPort: {{ .Values.cluster.tls.containerPort }}
|
|
{{- if .Values.cluster.tls.hostPort }}
|
|
hostPort: {{ .Values.cluster.tls.hostPort }}
|
|
{{- end}}
|
|
protocol: TCP
|
|
{{- end }}
|
|
{{- if .Values.enterprise.enabled }}
|
|
{{- if (and .Values.manager.http.enabled .Values.manager.enabled) }}
|
|
- name: manager
|
|
containerPort: {{ .Values.manager.http.containerPort }}
|
|
{{- if .Values.manager.http.hostPort }}
|
|
hostPort: {{ .Values.manager.http.hostPort }}
|
|
{{- end}}
|
|
protocol: TCP
|
|
{{- end }}
|
|
{{- if (and .Values.manager.tls.enabled .Values.manager.enabled) }}
|
|
- name: manager-tls
|
|
containerPort: {{ .Values.manager.tls.containerPort }}
|
|
{{- if .Values.manager.tls.hostPort }}
|
|
hostPort: {{ .Values.manager.tls.hostPort }}
|
|
{{- end}}
|
|
protocol: TCP
|
|
{{- end }}
|
|
{{- if (and .Values.portal.http.enabled .Values.portal.enabled) }}
|
|
- name: portal
|
|
containerPort: {{ .Values.portal.http.containerPort }}
|
|
{{- if .Values.portal.http.hostPort }}
|
|
hostPort: {{ .Values.portal.http.hostPort }}
|
|
{{- end}}
|
|
protocol: TCP
|
|
{{- end }}
|
|
{{- if (and .Values.portal.tls.enabled .Values.portal.enabled) }}
|
|
- name: portal-tls
|
|
containerPort: {{ .Values.portal.tls.containerPort }}
|
|
{{- if .Values.portal.tls.hostPort }}
|
|
hostPort: {{ .Values.portal.tls.hostPort }}
|
|
{{- end}}
|
|
protocol: TCP
|
|
{{- end }}
|
|
{{- if (and .Values.portalapi.http.enabled .Values.portalapi.enabled) }}
|
|
- name: portalapi
|
|
containerPort: {{ .Values.portalapi.http.containerPort }}
|
|
{{- if .Values.portalapi.http.hostPort }}
|
|
hostPort: {{ .Values.portalapi.http.hostPort }}
|
|
{{- end}}
|
|
protocol: TCP
|
|
{{- end }}
|
|
{{- if (and .Values.portalapi.tls.enabled .Values.portalapi.enabled) }}
|
|
- name: portalapi-tls
|
|
containerPort: {{ .Values.portalapi.tls.containerPort }}
|
|
{{- if .Values.portalapi.tls.hostPort }}
|
|
hostPort: {{ .Values.portalapi.tls.hostPort }}
|
|
{{- end}}
|
|
protocol: TCP
|
|
{{- end }}
|
|
{{- if (and .Values.clustertelemetry.tls.enabled .Values.clustertelemetry.enabled) }}
|
|
- name: clustert-tls
|
|
containerPort: {{ .Values.clustertelemetry.tls.containerPort }}
|
|
{{- if .Values.clustertelemetry.tls.hostPort }}
|
|
hostPort: {{ .Values.clustertelemetry.tls.hostPort }}
|
|
{{- end}}
|
|
protocol: TCP
|
|
{{- end }}
|
|
{{- end }}
|
|
volumeMounts:
|
|
{{- include "kong.volumeMounts" . | nindent 10 }}
|
|
{{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 10 }}
|
|
readinessProbe:
|
|
{{ include "kong.proxy.compatibleReadiness" . | indent 10 }}
|
|
livenessProbe:
|
|
{{ toYaml .Values.livenessProbe | indent 10 }}
|
|
{{- if .Values.startupProbe }}
|
|
startupProbe:
|
|
{{ toYaml .Values.startupProbe | indent 10 }}
|
|
{{- end }}
|
|
resources:
|
|
{{ toYaml .Values.resources | indent 10 }}
|
|
{{- end }} {{/* End of Kong container spec */}}
|
|
{{- if .Values.affinity }}
|
|
affinity:
|
|
{{ toYaml .Values.affinity | indent 8 }}
|
|
{{- end }}
|
|
{{- if .Values.topologySpreadConstraints }}
|
|
topologySpreadConstraints:
|
|
{{ toYaml .Values.topologySpreadConstraints | indent 8 }}
|
|
{{- end }}
|
|
securityContext:
|
|
{{- include "kong.podsecuritycontext" . | nindent 8 }}
|
|
{{- if .Values.nodeSelector }}
|
|
nodeSelector:
|
|
{{ toYaml .Values.nodeSelector | indent 8 }}
|
|
{{- end }}
|
|
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
|
|
{{- if .Values.tolerations }}
|
|
tolerations:
|
|
{{ toYaml .Values.tolerations | indent 8 }}
|
|
{{- end }}
|
|
volumes:
|
|
- name: advanced-model
|
|
configMap:
|
|
name: advanced-model-config
|
|
optional: true
|
|
{{- if (and (eq .Values.kind "AppSec") .Values.appsec.persistence.enabled) }}
|
|
- name: appsec-conf
|
|
persistentVolumeClaim:
|
|
claimName: {{ .Values.appsec.name }}-conf
|
|
- name: appsec-data
|
|
persistentVolumeClaim:
|
|
claimName: {{ .Values.appsec.name }}-data
|
|
{{- end }}
|
|
{{- include "kong.volumes" . | nindent 8 -}}
|
|
{{- include "kong.userDefinedVolumes" . | nindent 8 -}}
|
|
{{- if (and (eq .Values.kind "AppSecStateful") .Values.appsec.persistence.enabled) }}
|
|
volumeClaimTemplates:
|
|
- metadata:
|
|
name: appsec-conf
|
|
spec:
|
|
accessModes: [ "ReadWriteOnce" ]
|
|
# Need to create a storage class resource.
|
|
{{- if .Values.appsec.persistence.storageClass }}
|
|
{{- if (eq "-" .Values.appsec.persistence.storageClass) }}
|
|
storageClassName: ""
|
|
{{- else }}
|
|
storageClassName: "{{ .Values.appsec.persistence.storageClass }}"
|
|
{{- end -}}
|
|
{{- end }}
|
|
resources:
|
|
requests:
|
|
storage: {{ .Values.appsec.persistence.conf.size | quote }}
|
|
- metadata:
|
|
name: appsec-data
|
|
spec:
|
|
accessModes: [ "ReadWriteOnce" ]
|
|
# Need to create a storage class resource.
|
|
{{- if .Values.appsec.persistence.storageClass }}
|
|
{{- if (eq "-" .Values.appsec.persistence.storageClass) }}
|
|
storageClassName: ""
|
|
{{- else }}
|
|
storageClassName: "{{ .Values.appsec.persistence.storageClass }}"
|
|
{{- end -}}
|
|
{{- end }}
|
|
resources:
|
|
requests:
|
|
storage: {{ .Values.appsec.persistence.data.size | quote }}
|
|
{{- end }}
|
|
{{- end }}
|