Added chart versions:

  airlock/microgateway:
    - 4.4.1
  airlock/microgateway-cni:
    - 4.4.1
  kasten/k10:
    - 7.0.14
  kuma/kuma:
    - 2.9.1
  netscaler/netscaler-cpx-with-ingress-controller:
    - 2.2.10
  netscaler/netscaler-ingress-controller:
    - 2.2.10
  trilio/k8s-triliovault-operator:
    - 5.0.0
pull/1090/head
github-actions[bot] 2024-11-16 00:07:05 +00:00
parent 125172edac
commit 24ee7c8281
881 changed files with 97624 additions and 44362 deletions

Binary file not shown.

BIN
assets/kuma/kuma-2.9.1.tgz Normal file

Binary file not shown.

@ -0,0 +1,27 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
# Helm unit tests
/tests
/validation

@ -0,0 +1,43 @@
annotations:
artifacthub.io/category: security
artifacthub.io/license: MIT
artifacthub.io/links: |
- name: Airlock Microgateway Documentation
url: https://docs.airlock.com/microgateway/4.4/
- name: Airlock Microgateway Labs
url: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=artifacthub.io
- name: Airlock Microgateway Forum
url: https://forum.airlock.com/
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Airlock Microgateway CNI
catalog.cattle.io/kube-version: '>=1.25.0-0'
catalog.cattle.io/release-name: ""
charts.openshift.io/name: Airlock Microgateway CNI
apiVersion: v2
appVersion: 4.4.1
description: A Helm chart for deploying the Airlock Microgateway CNI plugin
home: https://www.airlock.com/en/microgateway
icon: file://assets/icons/microgateway-cni.svg
keywords:
- WAF
- Web Application Firewall
- WAAP
- Web Application and API protection
- OWASP
- Airlock
- Microgateway
- Security
- Filtering
- DevSecOps
- shift left
- CNI
kubeVersion: '>=1.25.0-0'
maintainers:
- email: support@airlock.com
name: Airlock
url: https://www.airlock.com/
name: microgateway-cni
sources:
- https://github.com/airlock/microgateway
type: application
version: 4.4.1
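Review bot: `catalog.cattle.io/release-name: ""` in the annotations block is left empty, while the quick-start commands in the README install the chart under the fixed release name `airlock-microgateway-cni` and the test and NOTES templates assume the release-derived fullname; if the Rancher catalog is meant to pre-fill that name, set it here, otherwise drop the empty annotation rather than shipping a placeholder.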

@ -0,0 +1,137 @@
# Airlock Microgateway CNI
![Version: 4.4.1](https://img.shields.io/badge/Version-4.4.1-informational?style=flat-square) ![AppVersion: 4.4.1](https://img.shields.io/badge/AppVersion-4.4.1-informational?style=flat-square)
*Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.*
<picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight_Negative.svg">
<source media="(prefers-color-scheme: light)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight.svg">
<img alt="Microgateway" src="https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight.svg" align="right" width="250">
</picture>
Modern application security is embedded in the development workflow and follows DevSecOps paradigms. Airlock Microgateway is the perfect fit for these requirements. It is a lightweight alternative to the Airlock Gateway appliance, optimized for Kubernetes environments. Airlock Microgateway protects your applications and microservices with the tried-and-tested Airlock security features against attacks, while also providing a high degree of scalability.
__This Helm chart is part of Airlock Microgateway. See our [GitHub repo](https://github.com/airlock/microgateway/tree/4.4.1).__
### Features
* Kubernetes native integration with sidecar injection and Gateway API support
* Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction
* Using native Envoy HTTP filters like Lua scripting, RBAC, ext_authz, JWT authentication
* Content security filters for protecting against known attacks (OWASP Top 10)
* Access control using OpenID Connect to allow only authenticated users to access the protected services
* API security features like JSON parsing, OpenAPI specification enforcement or GraphQL schema validation
For a list of all features, view the **[comparison of the community and premium edition](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html)**.
## Documentation and links
Check the official documentation at **[docs.airlock.com](https://docs.airlock.com/microgateway/latest/)** or the product website at **[airlock.com/microgateway](https://www.airlock.com/en/microgateway)**. The links below point out the most interesting documentation sites when starting with Airlock Microgateway.
* [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html)
* [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html)
* [Installation](https://docs.airlock.com/microgateway/latest/#data/1660804708637.html)
* [Troubleshooting](https://docs.airlock.com/microgateway/latest/#data/1659430054787.html)
* [GitHub](https://github.com/airlock/microgateway)
# Quick start guide
The instructions below provide a quick start guide. Detailed information are provided in the **[manual](https://docs.airlock.com/microgateway/latest/)**.
## Prerequisites
* [helm](https://helm.sh/docs/intro/install/) (>= v3.8.0)
## Deploy Airlock Microgateway CNI
1. Install the CNI Plugin with Helm.
> **Note**: Certain environments such as OpenShift or GKE require non-default configurations when installing the CNI plugin. For the most common setups, values files are provided in the [chart folder](/deploy/charts/airlock-microgateway-cni).
```bash
# Standard setup
helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1'
kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
```
```bash
# GKE setup
helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1' -f https://raw.githubusercontent.com/airlock/microgateway/4.4.1/deploy/charts/airlock-microgateway-cni/gke-values.yaml
kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
```
```bash
# OpenShift setup
helm install airlock-microgateway-cni -n openshift-operators oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1' -f https://raw.githubusercontent.com/airlock/microgateway/4.4.1/deploy/charts/airlock-microgateway-cni/openshift-values.yaml
kubectl -n openshift-operators rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
```
> **Important:** On OpenShift, all pods which should be protected by Airlock Microgateway must explicitly reference the Airlock Microgateway CNI NetworkAttachmentDefinition via the annotation `k8s.v1.cni.cncf.io/networks` (see [documentation](https://docs.airlock.com/microgateway/latest/#data/1658483168033.html) for details).
2. (Recommended) You can verify the correctness of the installation with `helm test`.
```bash
# Standard and GKE setup
helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1'
helm test airlock-microgateway-cni -n kube-system --logs
helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1'
```
```bash
# OpenShift setup
helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1'
helm test airlock-microgateway-cni -n openshift-operators --logs
helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1'
```
Consult our [documentation](https://docs.airlock.com/microgateway/latest/#data/1699611533587.html) in case of any installation error.
## Support
### Premium support
If you have a paid license, please follow the [premium support process](https://techzone.ergon.ch/support-process).
### Community support
For the community edition, check our **[Airlock community forum](https://forum.airlock.com/)** for FAQs or register to post your question.
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes. |
| commonAnnotations | object | `{}` | Annotations to add to all resources. |
| commonLabels | object | `{}` | Labels to add to all resources. |
| config.cniBinDir | string | `"/opt/cni/bin"` | Directory where the CNI plugin binaries reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your Kubernetes node. |
| config.cniNetDir | string | `"/etc/cni/net.d"` | Directory where the CNI config files reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your Kubernetes node. |
| config.excludeNamespaces | list | `["kube-system"]` | Namespaces for which this CNI plugin should not apply any modifications. |
| config.installMode | string | `"chained"` | Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers), as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. |
| config.logLevel | string | `"info"` | Log level for the CNI installer and plugin. |
| fullnameOverride | string | `""` | Allows overriding the name to use as full name of resources. |
| image.digest | string | `"sha256:fa2f5d8587024f0d0b29505204c964002cfd7facf79748ccc98b8caf1a70f0d8"` | SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). Overrides tag when specified. |
| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. |
| image.repository | string | `"quay.io/airlock/microgateway-cni"` | Image repository from which to pull the Airlock Microgateway CNI image. |
| image.tag | string | `"4.4.1"` | Image tag to pull. |
| imagePullSecrets | list | `[]` | ImagePullSecrets to use when pulling images. |
| multusNetworkAttachmentDefinition.create | bool | `false` | Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods. |
| multusNetworkAttachmentDefinition.namespace | string | `"default"` | Namespace in which the NetworkAttachmentDefinition is deployed. Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation |
| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway-cni". |
| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes. |
| podAnnotations | object | `{}` | Annotations to add to all Pods. |
| podLabels | object | `{}` | Labels to add to all Pods. |
| privileged | bool | `false` | Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift). |
| rbac.create | bool | `true` | Whether to create RBAC resources which are required for the CNI plugin to function. |
| rbac.createSCCRole | OpenShift | `false` | Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint. |
| resources | object | `{"requests":{"cpu":"10m","memory":"100Mi"}}` | Resource restrictions to apply to the CNI installer container. |
| serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. |
| serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. |
| serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. |
| tests.enabled | bool | `false` | Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). If set to false, `helm test` will not run any tests. |
## License
View the [detailed license terms](https://www.airlock.com/en/airlock-license) for the software contained in this image.
* Decompiling or reverse engineering is not permitted.
* Using any of the deny rules or parts of these filter patterns outside of the image is not permitted.
Airlock<sup>&#174;</sup> is a security innovation by [ergon](https://www.ergon.ch/en)
<!-- Airlock SAH Logo (different image for light/dark mode) -->
<a href="https://www.airlock.com/en/secure-access-hub/">
<picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo_Negative.png">
<source media="(prefers-color-scheme: light)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo.png">
<img alt="Airlock Secure Access Hub" src="https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo.png" width="150">
</picture>
</a>
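Review bot: In the values table the Type column for `rbac.createSCCRole` reads `OpenShift` where every other boolean row reads `bool`; since the table is generated from the values.yaml comments, the fix belongs in that comment. Two smaller points: the note under step 1 links to `/deploy/charts/airlock-microgateway-cni`, a path relative to the upstream repository that does not resolve from this charts repository (the absolute raw.githubusercontent.com URLs already used in the GKE and OpenShift commands would), and `Detailed information are provided` should read `Detailed information is provided`.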

@ -0,0 +1,4 @@
# values for deploying on GKE
config:
cniBinDir: "/home/kubernetes/bin"

@ -0,0 +1,15 @@
# values for deploying on OpenShift
rbac:
createSCCRole: true
privileged: true
multusNetworkAttachmentDefinition:
create: true
namespace: default
config:
installMode: "standalone"
cniNetDir: "/etc/cni/multus/net.d"
cniBinDir: "/var/lib/cni/bin"
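Review bot: `privileged: true` here also turns on `allowPrivilegeEscalation` in the DaemonSet, because both fields are rendered from the same value, and once the container is privileged the `drop: [ALL]` capability list no longer constrains it; a comment stating that this is needed because the installer writes to `/var/lib/cni/bin` and `/etc/cni/multus/net.d` on the host (as the `privileged` row of the values table says) would make the trade-off visible to whoever applies this file. The NetworkAttachmentDefinition is created in `default`; with Multus namespace isolation enabled, workloads in other namespaces cannot reference it (the values table already warns about this), so that caveat is worth repeating here.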

@ -0,0 +1,18 @@
questions:
- variable: config.cniNetDir
required: true
type: string
label: CNI Network Configuration Directory
group: "CNI Settings"
description: "Directory where the CNI config files reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your kubernetes host."
- variable: config.cniBinDir
required: true
type: string
label: CNI Plugin Binaries Directory
group: "CNI Settings"
description: "Directory where the CNI plugin binaries reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your kubernetes host."
- variable: config.installMode
required: true
label: CNI Plugin Installation Mode
group: "CNI Settings"
description: "Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers) as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. Please refer to the CNI installation documentation (https://github.com/airlock/microgateway?tab=readme-ov-file#deploy-airlock-microgateway-cni) to correctly setup the CNI Plugin for your environment."
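Review bot: The `config.installMode` question has no `type`, so Rancher renders a free-text field although values.schema.json restricts the value to `chained`, `standalone` or `manual`; declaring it as `type: enum` with `options` listing those three values gives the user a picker and rejects typos before schema validation does. Also `kubernetes` should be capitalised in the three descriptions and `correctly setup` should read `correctly set up`.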

@ -0,0 +1,15 @@
Thank you for installing Airlock Microgateway CNI.
Please ensure that the helm values'.config.cniNetDir' and '.config.cniBinDir' are configured for your Kubernetes distribution.
For further information, consider our manual https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" . }}.
The chapter 'Setup > Installation' describes how to set those settings correctly.
Further information:
* Documentation: https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" . }}
* Airlock Microgateway Labs: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=helm
Next steps:
* Install Airlock Microgateway (if not done already)
https://artifacthub.io/packages/helm/airlock-microgateway/microgateway
Your release version is {{ .Chart.Version }}.
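Review bot: The second line is missing a space between `values` and `'.config.cniNetDir'`, and `consider our manual` should read `consult our manual`.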

@ -0,0 +1,101 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "airlock-microgateway-cni.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Convert an image configuration object into an image ref string.
*/}}
{{- define "airlock-microgateway-cni.image" -}}
{{- if .digest -}}
{{- printf "%s@%s" .repository .digest -}}
{{- else if .tag -}}
{{- printf "%s:%s" .repository .tag -}}
{{- else -}}
{{- printf "%s" .repository -}}
{{- end -}}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 50 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec)
and the longest suffix is 13 characters.
If release name contains chart name it will be used as a full name.
*/}}
{{- define "airlock-microgateway-cni.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 50 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 50 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 50 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "airlock-microgateway-cni.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "airlock-microgateway-cni.labels" -}}
helm.sh/chart: {{ include "airlock-microgateway-cni.chart" . }}
{{ include "airlock-microgateway-cni.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.commonLabels }}
{{ toYaml .}}
{{- end }}
{{- end }}
{{/*
Common labels without component
*/}}
{{- define "airlock-microgateway-cni.labelsWithoutComponent" -}}
{{- $labels := fromYaml (include "airlock-microgateway-cni.labels" .) -}}
{{ unset $labels "app.kubernetes.io/component" | toYaml }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "airlock-microgateway-cni.selectorLabels" -}}
app.kubernetes.io/component: cni-plugin-installer
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/name: {{ include "airlock-microgateway-cni.name" . }}
{{- end }}
{{/*
Create the name of the service account to use for the CNI Plugin
*/}}
{{- define "airlock-microgateway-cni.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "airlock-microgateway-cni.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{- define "airlock-microgateway-cni.isSemver" -}}
{{- regexMatch `^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$` . -}}
{{- end -}}
{{- define "airlock-microgateway-cni.docsVersion" -}}
{{- if and (eq "true" (include "airlock-microgateway-cni.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}}
{{- $version := (semver .Chart.AppVersion) -}}
{{- $version.Major }}.{{ $version.Minor -}}
{{- else -}}
{{- print "latest" -}}
{{- end -}}
{{- end -}}
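Review bot: `airlock-microgateway-cni.isSemver` and `airlock-microgateway-cni.docsVersion` are the only definitions without the `{{/* ... */}}` description block the rest of the file uses; a one-line comment on each (the regex is the SemVer 2.0.0 pattern, and `docsVersion` falls back to `latest` for non-semver or pre-release app versions) would keep the file consistent and explain why the `contains "-"` check exists.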

@ -0,0 +1,22 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- patch
{{- end -}}
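Review bot: The ClusterRole grants `patch` on `pods` cluster-wide, and nothing in the chart or README says what the CNI plugin patches; a comment in the rules block (or a sentence in the README) documenting the purpose would let reviewers judge whether the scope is right. Note that `config.excludeNamespaces` is only handed to the plugin through the ConfigMap, so it narrows the plugin's behaviour, not what the bound ServiceAccount is permitted to do.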

@ -0,0 +1,20 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "airlock-microgateway-cni.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end -}}

@ -0,0 +1,22 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
data:
plugin-conf.json: |-
{
"type": "{{ include "airlock-microgateway-cni.fullname" . }}",
"debug": {{ eq .Values.config.logLevel "debug" }},
"logFilePath": "/var/log/{{ include "airlock-microgateway-cni.fullname" . }}.log",
"kubernetes": {
"kubeconfig": "{{ .Values.config.cniNetDir }}/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig",
"excludeNamespaces": {{ toJson .Values.config.excludeNamespaces }}
}
}
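Review bot: The rendered plugin config points `kubernetes.kubeconfig` at `{{ .Values.config.cniNetDir }}/<fullname>-kubeconfig`, a credential file the installer writes onto the node's filesystem; the chart should state (here or in the README) which credential lands there and that the host permissions of `cniNetDir` are what protect it, given that the ClusterRole bound to the ServiceAccount allows patching pods in every namespace. `logFilePath` under `/var/log` is likewise a host path, since the plugin binary runs on the node, so a short comment on both would help.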

@ -0,0 +1,136 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "airlock-microgateway-cni.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
kubectl.kubernetes.io/default-container: cni-installer
{{- with mustMerge .Values.podAnnotations .Values.commonAnnotations}}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- args:
- --log-level
- "{{ .Values.config.logLevel }}"
env:
- name: CNI_NETWORK_CONFIG
valueFrom:
configMapKeyRef:
key: plugin-conf.json
name: {{ include "airlock-microgateway-cni.fullname" . }}
- name: CNI_BIN_DIR
value: /host/opt/cni/bin
- name: CNI_NET_DIR
value: /host/etc/cni/net.d
- name: KUBECONFIG_FILE_NAME
value: "{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig"
- name: INSTALL_MODE
value: {{ .Values.config.installMode }}
- name: KUBERNETES_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
image: {{ include "airlock-microgateway-cni.image" .Values.image }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
name: cni-installer
{{- with .Values.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
startupProbe:
exec:
command:
- /cni-installer
- probe
failureThreshold: 5
initialDelaySeconds: 3
periodSeconds: 3
timeoutSeconds: 3
readinessProbe:
exec:
command:
- /cni-installer
- probe
failureThreshold: 1
periodSeconds: 60
timeoutSeconds: 3
securityContext:
allowPrivilegeEscalation: {{ .Values.privileged }}
capabilities:
drop:
- ALL
privileged: {{ .Values.privileged }}
readOnlyRootFilesystem: true
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /host/opt/cni/bin
name: cni-bin-dir
- mountPath: /host/etc/cni/net.d
name: cni-net-dir
- mountPath: /run/cni-installer
name: cni-installer-status
hostNetwork: true
priorityClassName: system-node-critical
restartPolicy: Always
securityContext:
fsGroup: 0
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
serviceAccountName: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
terminationGracePeriodSeconds: 5
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
tolerations:
- effect: NoSchedule
operator: Exists
- key: CriticalAddonsOnly
operator: Exists
- effect: NoExecute
operator: Exists
volumes:
- hostPath:
path: "{{ .Values.config.cniBinDir }}"
type: Directory
name: cni-bin-dir
- hostPath:
path: "{{ .Values.config.cniNetDir }}"
type: Directory
name: cni-net-dir
- emptyDir: {}
name: cni-installer-status
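Review bot: In the container `securityContext`, `allowPrivilegeEscalation` and `privileged` are both rendered from `.Values.privileged`; the defaults are good (both false, all capabilities dropped, read-only root filesystem, `RuntimeDefault` seccomp), but the capability drop becomes a no-op once `privileged: true` is set, so the `privileged` row of the values table should say that it also enables privilege escalation. Two smaller points: the tolerations with `effect: NoSchedule` and `effect: NoExecute` have no `key`, so the DaemonSet tolerates every taint of those effects (intended for a CNI installer, but worth a comment), and `type: Directory` on both hostPath volumes makes the pod fail to start instead of silently creating `cniBinDir`/`cniNetDir` on the host when a wrong path is configured, which is the right choice and is what the NOTES.txt warning about those two values is for.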

@ -0,0 +1,13 @@
{{- if .Values.multusNetworkAttachmentDefinition.create -}}
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
namespace: {{ .Values.multusNetworkAttachmentDefinition.namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}
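Review bot: The NetworkAttachmentDefinition has no `spec.config`, so Multus resolves it by looking for an on-disk CNI configuration whose name matches the NAD in its config directory; that couples this resource's name to the `<fullname>.conflist` file the installer writes in `standalone` mode (the same path the install test checks) and to `cniNetDir` being the Multus directory (`/etc/cni/multus/net.d` in openshift-values.yaml). A template comment spelling out that dependency would save the next person a debugging session.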

@ -0,0 +1,22 @@
{{- if .Values.rbac.createSCCRole -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- security.openshift.io
resourceNames:
- privileged
resources:
- securitycontextconstraints
verbs:
- use
{{- end -}}

@ -0,0 +1,20 @@
{{- if .Values.rbac.createSCCRole -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged
subjects:
- kind: ServiceAccount
name: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
{{- end -}}
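Review bot: The ServiceAccount subject has no `namespace`; for a RoleBinding an empty ServiceAccount namespace is interpreted as the binding's own namespace, so this works, but the ClusterRoleBinding in this chart sets `namespace: {{ .Release.Namespace }}` explicitly and doing the same here keeps the two consistent.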

@ -0,0 +1,13 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with mustMerge .Values.serviceAccount.annotations .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}

@ -0,0 +1,64 @@
{{- if .Values.tests.enabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }}
app.kubernetes.io/component: tests
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }}
app.kubernetes.io/component: tests
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
subjects:
- kind: ServiceAccount
name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }}
app.kubernetes.io/component: tests
rules:
- apiGroups:
- "apps"
resources:
- daemonsets
resourceNames:
- {{ include "airlock-microgateway-cni.fullname" . }}
verbs:
- get
- watch
- list
- apiGroups:
- ""
resources:
- pods
- pods/log
verbs:
- get
- list
{{- if .Values.rbac.createSCCRole }}
- apiGroups:
- security.openshift.io
resourceNames:
- privileged
resources:
- securitycontextconstraints
verbs:
- use
{{- end -}}
{{- end -}}

@ -0,0 +1,103 @@
{{- if .Values.tests.enabled -}}
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "airlock-microgateway-cni.fullname" . }}-test-install"
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }}
app.kubernetes.io/component: test-install
annotations:
helm.sh/hook: test
helm.sh/hook-delete-policy: before-hook-creation
spec:
restartPolicy: Never
containers:
- name: test
image: "bitnami/kubectl:{{ .Capabilities.KubeVersion.Major }}.{{ .Capabilities.KubeVersion.Minor }}"
securityContext:
allowPrivilegeEscalation: {{ .Values.privileged }}
capabilities:
drop:
- ALL
privileged: {{ .Values.privileged }}
readOnlyRootFilesystem: true
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /host/opt/cni/bin
name: cni-bin-dir
readOnly: true
- mountPath: /host/etc/cni/net.d
name: cni-net-dir
readOnly: true
command:
- sh
- -c
- |
set -eu
fail() {
echo "Error: ${1}"
echo ""
echo 'CNI installer logs:'
kubectl logs -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}} -c cni-installer
exit 1
}
containsMGWCNIConf() {
cat "${1}" | grep -qe '"type":.*"{{ include "airlock-microgateway-cni.fullname" . }}"'
}
if ! kubectl rollout status --timeout=60s -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}}; then
fail 'CNI DaemonSet rollout did not complete within timeout'
fi
echo "Checking whether CNI binary was installed"
if ! [ -f "/host/opt/cni/bin/{{ include "airlock-microgateway-cni.fullname" . }}" ]; then
fail 'CNI binary was not installed'
fi
echo "Checking whether CNI kubeconfig was installed"
if ! [ -f "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig" ]; then
fail 'CNI kubeconfig was not created'
fi
echo "Checking whether CNI configuration was written"
case {{ .Values.config.installMode }} in
"chained")
for file in "/host/etc/cni/net.d/"*.conflist; do
if containsMGWCNIConf "${file}"; then
echo "Success"
exit 0
fi
done
;;
"standalone")
if containsMGWCNIConf "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . }}.conflist"; then
echo "Success"
exit 0
fi
;;
"manual")
echo "- Skipping because we are in 'manual' install mode"
echo "Success"
exit 0
;;
esac
fail 'Configuration for plugin "{{ include "airlock-microgateway-cni.fullname" . }}" was not found'
serviceAccountName: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
volumes:
- hostPath:
path: "{{ .Values.config.cniBinDir }}"
type: Directory
name: cni-bin-dir
- hostPath:
path: "{{ .Values.config.cniNetDir }}"
type: Directory
name: cni-net-dir
{{- end -}}
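Review bot: The test container image `bitnami/kubectl:<major>.<minor>` is a floating tag pulled from Docker Hub without a digest, which contrasts with the main image being pinned through `image.digest`; a `tests.image` value (name is a suggestion) with repository, tag and digest would let the test image be pinned and overridden on clusters that mirror registries. Two smaller points: the test inherits `privileged` from `.Values.privileged` although it only reads the two hostPath mounts (both `readOnly: true`), so it is worth checking whether it needs to be privileged at all, and `cat "${1}" | grep -qe ...` in `containsMGWCNIConf` can simply be `grep -qe ... "${1}"`.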

@ -0,0 +1,225 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"type": "object",
"properties": {
"nameOverride": {
"type": "string"
},
"fullnameOverride": {
"type": "string"
},
"commonLabels": {
"$ref": "#/definitions/StringMap"
},
"commonAnnotations": {
"$ref": "#/definitions/StringMap"
},
"imagePullSecrets": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"minLength": 1
}
},
"required": [
"name"
],
"additionalProperties": true
}
},
"image": {
"$ref": "#/definitions/Image"
},
"podAnnotations": {
"$ref": "#/definitions/StringMap"
},
"podLabels": {
"$ref": "#/definitions/StringMap"
},
"resources": {
"type": "object"
},
"nodeSelector": {
"$ref": "#/definitions/StringMap"
},
"affinity": {
"type": "object"
},
"rbac": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"createSCCRole": {
"type": "boolean"
}
},
"required": [
"create",
"createSCCRole"
],
"additionalProperties": false
},
"privileged": {
"type": "boolean"
},
"serviceAccount": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"annotations": {
"$ref": "#/definitions/StringMap"
},
"name": {
"type": "string"
}
},
"required": [
"annotations",
"create",
"name"
],
"additionalProperties": false
},
"multusNetworkAttachmentDefinition": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"namespace": {
"type": "string"
}
},
"required": [
"create",
"namespace"
],
"additionalProperties": false
},
"config": {
"type": "object",
"properties": {
"installMode": {
"type": "string",
"enum": [
"chained",
"standalone",
"manual"
]
},
"logLevel": {
"type": "string",
"enum": [
"debug",
"info",
"warn",
"error"
]
},
"cniNetDir": {
"type": "string",
"minLength": 1
},
"cniBinDir": {
"type": "string",
"minLength": 1
},
"excludeNamespaces": {
"type": "array",
"items": {
"type": "string"
}
}
},
"required": [
"cniBinDir",
"cniNetDir",
"excludeNamespaces",
"installMode",
"logLevel"
],
"additionalProperties": false
},
"tests": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
}
},
"required": [
"enabled"
],
"additionalProperties": false
},
"global": {
"type": "object"
}
},
"required": [
"affinity",
"commonAnnotations",
"commonLabels",
"config",
"fullnameOverride",
"image",
"imagePullSecrets",
"multusNetworkAttachmentDefinition",
"nameOverride",
"nodeSelector",
"podAnnotations",
"podLabels",
"privileged",
"rbac",
"resources",
"serviceAccount",
"tests"
],
"additionalProperties": false,
"definitions": {
"StringMap": {
"type": "object",
"additionalProperties": {
"type": "string"
}
},
"Image": {
"type": "object",
"properties": {
"repository": {
"type": "string",
"minLength": 1
},
"tag": {
"type": "string"
},
"digest": {
"type": "string",
"pattern": "^$|^sha256:[a-f0-9]{64}$"
},
"pullPolicy": {
"type": "string",
"enum": [
"Always",
"IfNotPresent",
"Never"
]
}
},
"required": [
"digest",
"pullPolicy",
"repository",
"tag"
],
"additionalProperties": false
}
}
}
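Review bot: `image.tag` and `image.digest` are both required but both accept the empty string (`digest` through the `^$` alternative of its pattern), so `tag: ""` together with `digest: ""` validates and yields an untagged image reference; either add `minLength: 1` to `tag` or state in values.yaml that at least one of the two must be set. `config.excludeNamespaces` items also lack the `minLength: 1` used on the other string fields, so an empty namespace entry is accepted silently. The `imagePullSecrets` items are the only object in the schema with `additionalProperties: true` while everything else is closed; if that is intended (to allow extra secret reference fields) a short comment in values.yaml would make it clear that it is not an oversight.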


@ -0,0 +1,85 @@
# -- Allows overriding the name to use instead of "microgateway-cni".
nameOverride: ""
# -- Allows overriding the name to use as full name of resources.
fullnameOverride: ""
# -- Labels to add to all resources.
commonLabels: {}
# -- Annotations to add to all resources.
commonAnnotations: {}
# -- ImagePullSecrets to use when pulling images.
imagePullSecrets: []
# - name: myRegistryKeySecretName
# Specifies the Airlock Microgateway CNI image.
image:
# -- Image repository from which to pull the Airlock Microgateway CNI image.
repository: "quay.io/airlock/microgateway-cni"
# -- Image tag to pull.
tag: "4.4.1"
# -- SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a").
# Overrides tag when specified.
digest: "sha256:fa2f5d8587024f0d0b29505204c964002cfd7facf79748ccc98b8caf1a70f0d8"
# -- Pull policy for this image.
pullPolicy: IfNotPresent
# -- Annotations to add to all Pods.
podAnnotations: {}
# -- Labels to add to all Pods.
podLabels: {}
# -- Resource restrictions to apply to the CNI installer container.
resources:
requests:
cpu: 10m
memory: 100Mi
# -- NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes.
nodeSelector:
kubernetes.io/os: linux
# -- Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes.
affinity: {}
# Configures the generation of RBAC Roles and RoleBindings.
rbac:
# -- Whether to create RBAC resources which are required for the CNI plugin to function.
create: true
# -- (OpenShift) Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint.
createSCCRole: false
# -- Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift).
privileged: false
# Configures the generation of the ServiceAccount.
serviceAccount:
# -- Whether a ServiceAccount should be created.
create: true
# -- Annotations to add to the ServiceAccount.
annotations: {}
# -- Name of the ServiceAccount to use.
# If not set and create is true, a name is generated using the fullname template.
name: ""
# Configures the generation of a NetworkAttachmentDefinition for use with Multus CNI (OpenShift)
multusNetworkAttachmentDefinition:
# -- Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods.
create: false
# -- Namespace in which the NetworkAttachmentDefinition is deployed.
# Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces
# may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation
namespace: default
# Parameters for the CNI installer configuration.
config:
# -- Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers),
# as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift)
# or in `manual` mode, where no CNI network configuration is written.
installMode: "chained"
# -- Log level for the CNI installer and plugin.
logLevel: info
# -- Directory where the CNI config files reside on the host.
# This path can either be found in the documentation of your Kubernetes distribution or CNI provider.
# It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your Kubernetes node.
cniNetDir: "/etc/cni/net.d"
# -- Directory where the CNI plugin binaries reside on the host.
# This path can either be found in the documentation of your Kubernetes distribution or CNI provider.
# It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your Kubernetes node.
cniBinDir: "/opt/cni/bin"
# -- Namespaces for which this CNI plugin should not apply any modifications.
excludeNamespaces:
- kube-system
tests:
# -- Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts).
# If set to false, `helm test` will not run any tests.
enabled: false
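Review bot: `resources` sets CPU and memory requests for the installer container but no limits, and this container writes to the host filesystem (per the `privileged` comment); a memory limit would keep a misbehaving installer from consuming node memory unbounded, and with requests only the Pod lands in the Burstable QoS class. The defaults `privileged: false`, `rbac.createSCCRole: false` and `multusNetworkAttachmentDefinition.create: false` are the right least-privilege baseline, and pinning `image.digest` next to `tag` is good supply-chain practice; note that the example digest in the `digest` comment is only a format illustration and intentionally differs from the pinned value, which is worth saying in the comment so nobody "fixes" it.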


@ -21,8 +21,7 @@
.idea/
*.tmproj
.vscode/
# CRDs kustomization.yaml
/crds/kustomization.yaml
# Helm unit tests
/tests
/validation


@ -9,15 +9,15 @@ annotations:
- name: Airlock Microgateway Forum
url: https://forum.airlock.com/
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Airlock Microgateway
catalog.cattle.io/display-name: Airlock Microgateway CNI
catalog.cattle.io/kube-version: '>=1.25.0-0'
catalog.cattle.io/release-name: microgateway
charts.openshift.io/name: Airlock Microgateway
catalog.cattle.io/release-name: microgateway-cni
charts.openshift.io/name: Airlock Microgateway CNI
apiVersion: v2
appVersion: 4.2.3
description: A Helm chart for deploying the Airlock Microgateway
description: A Helm chart for deploying the Airlock Microgateway CNI plugin
home: https://www.airlock.com/en/microgateway
icon: file://assets/icons/microgateway.svg
icon: file://assets/icons/microgateway-cni.svg
keywords:
- WAF
- Web Application Firewall
@ -30,14 +30,13 @@ keywords:
- Filtering
- DevSecOps
- shift left
- control plane
- Operator
- CNI
kubeVersion: '>=1.25.0-0'
maintainers:
- email: support@airlock.com
name: Airlock
url: https://www.airlock.com/
name: microgateway
name: microgateway-cni
sources:
- https://github.com/airlock/microgateway
type: application
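Review bot: git presents this file as a rename from the operator chart to the CNI chart (display-name, release-name, description, icon, keywords and `name` all change from `microgateway` to `microgateway-cni`), yet `appVersion: 4.2.3` is unchanged, and the README hunk below keeps its `Version: 4.2.3` badge. Confirm that this is rename detection pairing an old operator-chart directory with a CNI-chart directory and not an in-place edit of an already-published 4.2.3 chart; published chart versions should stay immutable, and a reader of this commit cannot tell the two cases apart from the rendered diff.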


@ -1,4 +1,4 @@
# Airlock Microgateway
# Airlock Microgateway CNI
![Version: 4.2.3](https://img.shields.io/badge/Version-4.2.3-informational?style=flat-square) ![AppVersion: 4.2.3](https://img.shields.io/badge/AppVersion-4.2.3-informational?style=flat-square)
@ -40,61 +40,43 @@ Check the official documentation at **[docs.airlock.com](https://docs.airlock.co
The instructions below provide a quick start guide. Detailed information are provided in the **[manual](https://docs.airlock.com/microgateway/latest/)**.
## Prerequisites
* [Airlock Microgateway CNI](https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni)
* [Airlock Microgateway License](#obtain-airlock-microgateway-license)
* [cert-manager](https://cert-manager.io/)
* [helm](https://helm.sh/docs/intro/install/) (>= v3.8.0)
In order to use Airlock Microgateway you need a license and the cert-manager. You may either request a community license free of charge or purchase a premium license.
For an easy start in non-production environments, you may deploy the same cert-manager we are using internally for testing.
### Obtain Airlock Microgateway License
1. Either request a community or premium license
* Community license: [airlock.com/microgateway-community](https://airlock.com/en/microgateway-community)
* Premium license: [airlock.com/microgateway-premium](https://airlock.com/en/microgateway-premium)
2. Check your inbox and save the license file microgateway-license.txt locally.
> See [Community vs. Premium editions in detail](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html) to choose the right license type.
### Deploy cert-manager
```bash
# Install cert-manager
kubectl apply -k https://github.com/airlock/microgateway/examples/utilities/cert-manager/?ref=4.2.3
# Wait for the cert-manager to be up and running
kubectl -n cert-manager wait --for=condition=ready --timeout=600s pod -l app.kubernetes.io/instance=cert-manager
```
## Deploy Airlock Microgateway Operator
> This guide assumes a microgateway-license.txt file is present in the working directory.
1. Install CRDs and Operator.
## Deploy Airlock Microgateway CNI
1. Install the CNI Plugin with Helm.
> **Note**: Certain environments such as OpenShift or GKE require non-default configurations when installing the CNI plugin. For the most common setups, values files are provided in the [chart folder](/deploy/charts/airlock-microgateway-cni).
```bash
# Create namespace
kubectl create namespace airlock-microgateway-system
# Install License
kubectl -n airlock-microgateway-system create secret generic airlock-microgateway-license --from-file=microgateway-license.txt
# Install Operator (CRDs are included via the standard Helm 3 mechanism, i.e. Helm will handle initial installation but not upgrades)
helm install airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway --version '4.2.3' --wait
# Standard setup
helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.2.3'
kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
```
```bash
# GKE setup
helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.2.3' -f https://raw.githubusercontent.com/airlock/microgateway/4.2.3/deploy/charts/airlock-microgateway-cni/gke-values.yaml
kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
```
```bash
# OpenShift setup
helm install airlock-microgateway-cni -n openshift-operators oci://quay.io/airlockcharts/microgateway-cni --version '4.2.3' -f https://raw.githubusercontent.com/airlock/microgateway/4.2.3/deploy/charts/airlock-microgateway-cni/openshift-values.yaml
kubectl -n openshift-operators rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
```
**Important:** On OpenShift, all pods which should be protected by Airlock Microgateway must explicitly reference the Airlock Microgateway CNI NetworkAttachmentDefinition via the annotation `k8s.v1.cni.cncf.io/networks` (see [documentation](https://docs.airlock.com/microgateway/latest/#data/1658483168033.html) for details).
2. (Recommended) You can verify the correctness of the installation with `helm test`.
```bash
helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.2.3'
helm test airlock-microgateway -n airlock-microgateway-system --logs
helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.2.3'
# Standard and GKE setup
helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.2.3'
helm test airlock-microgateway-cni -n kube-system --logs
helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.2.3'
```
```bash
# OpenShift setup
helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.2.3'
helm test airlock-microgateway-cni -n openshift-operators --logs
helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.2.3'
```
### Upgrading CRDs
The `helm install/upgrade` command currently does not support upgrading CRDs that already exist in the cluster.
CRDs should instead be manually upgraded before upgrading the Operator itself via the following command:
```bash
kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=4.2.3 --server-side --force-conflicts
```
**Note**: Certain GitOps solutions such as e.g. Argo CD or Flux CD have their own mechanisms for automatically upgrading CRDs included with Helm charts.
Consult our [documentation](https://docs.airlock.com/microgateway/latest/#data/1699611533587.html) in case of any installation error.
## Support
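Review bot: the standard and GKE commands install the CNI DaemonSet into `kube-system`, which is also the only entry in the default `config.excludeNamespaces`, so the installer's own namespace is never hooked by the plugin. The OpenShift command installs into `openshift-operators` instead; the referenced `openshift-values.yaml` is not part of this diff, so please confirm it adds `openshift-operators` to `excludeNamespaces` (or document why that is unnecessary). The `helm test` step runs two `helm upgrade --reuse-values` calls around the test, each creating a new release revision; a sentence noting that the test ServiceAccount and Role exist only between those two upgrades would explain why `tests.enabled` is toggled back to `false`.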
@ -107,45 +89,33 @@ For the community edition, check our **[Airlock community forum](https://forum.a
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes. |
| commonAnnotations | object | `{}` | Annotations to add to all resources. |
| commonLabels | object | `{}` | Labels to add to all resources. |
| crds.skipVersionCheck | bool | `false` | Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs. The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster when performing a "helm install/upgrade". |
| engine.image.digest | string | `"sha256:9b0debeef611172aa5ca79c6b8cd045e56a3c883763ec62c0fa211bb86d35304"` | SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). Overrides tag when specified. |
| engine.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. |
| engine.image.repository | string | `"quay.io/airlock/microgateway-engine"` | Image repository from which to pull the Airlock Microgateway Engine image. |
| engine.image.tag | string | `"4.2.3"` | Image tag to pull. |
| engine.resources | object | `{}` | Resource restrictions to apply to the Airlock Microgateway Engine container. |
| engine.sidecar.podMonitor.create | bool | `false` | Whether to create a PodMonitor resource for monitoring. |
| engine.sidecar.podMonitor.labels | object | `{}` | Labels to add to the PodMonitor. |
| config.cniBinDir | string | `"/opt/cni/bin"` | Directory where the CNI plugin binaries reside on the host. |
| config.cniNetDir | string | `"/etc/cni/net.d"` | Directory where the CNI config files reside on the host. |
| config.excludeNamespaces | list | `["kube-system"]` | Namespaces for which this CNI plugin should not apply any modifications. |
| config.installMode | string | `"chained"` | Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers), as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. |
| config.logLevel | string | `"info"` | Log level for the CNI installer and plugin. |
| fullnameOverride | string | `""` | Allows overriding the name to use as full name of resources. |
| image.digest | string | `"sha256:82b5924866840f783cce2e9b4095b7710a0e1cbf555498e8723ca811ca916290"` | SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). Overrides tag when specified. |
| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. |
| image.repository | string | `"quay.io/airlock/microgateway-cni"` | Image repository from which to pull the Airlock Microgateway CNI image. |
| image.tag | string | `"4.2.3"` | Image tag to pull. |
| imagePullSecrets | list | `[]` | ImagePullSecrets to use when pulling images. |
| license.secretName | string | `"airlock-microgateway-license"` | Name of the secret containing the "microgateway-license.txt" key. |
| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway". |
| networkValidator.image.digest | string | `"sha256:a212cef6665b2464a41307162fa96e9623aa45c3fa32c39d320eae8b730d81e0"` | SHA256 image digest to pull (in the format "sha256:a212cef6665b2464a41307162fa96e9623aa45c3fa32c39d320eae8b730d81e0"). Overrides tag when specified. |
| networkValidator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. |
| networkValidator.image.repository | string | `"cgr.dev/chainguard/busybox"` | Image repository from which to pull the busybox image for the Airlock Microgateway Network Validator init-container. |
| networkValidator.image.tag | string | `""` | Image tag to pull. |
| operator.affinity | object | `{}` | Custom affinity to apply to the operator Deployment. Used to influence the scheduling. |
| operator.config.logLevel | string | `"info"` | Operator application log level. |
| operator.image.digest | string | `"sha256:a429dfdb636e76bfbee7c59cfbe53d5f396c1f5603d5cb187f6283301ba4d7ba"` | SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63"). Overrides tag when specified. |
| operator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. |
| operator.image.repository | string | `"quay.io/airlock/microgateway-operator"` | Image repository from which to pull the Airlock Microgateway Operator image. |
| operator.image.tag | string | `"4.2.3"` | Image tag to pull. |
| operator.nodeSelector | object | `{}` | Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes. |
| operator.podAnnotations | object | `{}` | Annotations to add to all Pods. |
| operator.podLabels | object | `{}` | Labels to add to all Pods. |
| operator.rbac.create | bool | `true` | Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function. |
| operator.replicaCount | int | `2` | Number of replicas for the operator Deployment. |
| operator.resources | object | `{}` | Resource restrictions to apply to the operator container. |
| operator.serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. |
| operator.serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. |
| operator.serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. |
| operator.serviceAnnotations | object | `{}` | Annotations to add to the Service. |
| operator.serviceLabels | object | `{}` | Labels to add to the Service. |
| operator.serviceMonitor.create | bool | `false` | Whether to create a ServiceMonitor resource for monitoring. |
| operator.serviceMonitor.labels | object | `{}` | Labels to add to the ServiceMonitor. |
| operator.tolerations | list | `[]` | Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes. |
| operator.updateStrategy | object | `{"type":"RollingUpdate"}` | Specifies the operator update strategy. |
| multusNetworkAttachmentDefinition.create | bool | `false` | Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods. |
| multusNetworkAttachmentDefinition.namespace | string | `"default"` | Namespace in which the NetworkAttachmentDefinition is deployed. Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation |
| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway-cni". |
| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes. |
| podAnnotations | object | `{}` | Annotations to add to all Pods. |
| podLabels | object | `{}` | Labels to add to all Pods. |
| privileged | bool | `false` | Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift). |
| rbac.create | bool | `true` | Whether to create RBAC resources which are required for the CNI plugin to function. |
| rbac.createSCCRole | OpenShift | `false` | Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint. |
| resources | object | `{"requests":{"cpu":"10m","memory":"100Mi"}}` | Resource restrictions to apply to the CNI installer container. |
| serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. |
| serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. |
| serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. |
| tests.enabled | bool | `false` | Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). If set to false, `helm test` will not run any tests. |
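Review bot: the `rbac.createSCCRole` row shows `OpenShift` in the Type column instead of `bool`. helm-docs reads a parenthesised word directly after `# --` as the type, so the `# -- (OpenShift) Whether to create RBAC resources ...` comment in values.yaml is the cause; move the qualifier into the description, e.g. `# -- Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint (OpenShift only).`, and regenerate the table. Also confirm whether this README and the values.yaml added in this commit belong to the same chart directory: the table pins `image.tag` `4.2.3` with digest `sha256:82b5...` while the values file pins `4.4.1` with `sha256:fa2f...`; if they do, the table is stale and needs regenerating.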
## License


@ -1,124 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.2.3
name: accesscontrols.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: AccessControl
listKind: AccessControlList
plural: accesscontrols
singular: accesscontrol
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: AccessControl specifies the options to perform access control with a Microgateway Engine container.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specifies how the Airlock Microgateway Engine performs access control.
properties:
policies:
description: Policies configures access control policies.
items:
properties:
authorization:
description: Authorization configures how requests are authorized. An empty object value {} disables authorization.
properties:
authentication:
description: Authentication specifies that clients need to be authenticated with the provided method.
properties:
oidc:
description: OIDC configures client authentication using OpenID Connect.
properties:
oidcRelyingPartyRef:
description: OIDCRelyingPartyRef configures how the Airlock Microgateway Engine interacts with the OpenID provider.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- oidcRelyingPartyRef
type: object
type: object
type: object
identityPropagation:
description: IdentityPropagation configures how the authenticated user's identity is communicated to the protected application.
properties:
actions:
description: Actions specifies the propagation actions.
items:
properties:
identityPropagationRef:
description: IdentityPropagationRef selects an IdentityPropagation to apply.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- identityPropagationRef
type: object
type: array
onFailure:
description: |-
OnFailure configures what should happen, if an identity propagation fails. Meaning of the possible values:
_Pass_: The request should be forwarded to the upstream, without including the information from the failed identity propagations.
enum:
- Pass
type: string
required:
- actions
- onFailure
type: object
required:
- authorization
type: object
maxItems: 1
minItems: 1
type: array
required:
- policies
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}
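Review bot: this and the following deletions remove the operator's CRDs (AccessControl here, then ContentSecurity, EnvoyCluster and EnvoyConfiguration) from the chart being renamed to the CNI chart, consistent with the .helmignore hunk dropping `/crds/kustomization.yaml`. Confirm the operator chart still ships these CRDs unchanged, since they are its API surface and the CNI chart has no CRDs of its own; and note for reviewers that `helm uninstall` never removes CRDs, so clusters that already have them installed are unaffected by this deletion either way.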


@ -1,127 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.2.3
name: contentsecurities.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: ContentSecurity
listKind: ContentSecurityList
plural: contentsecurities
singular: contentsecurity
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: ContentSecurity specifies the options to secure an upstream web application with a Microgateway Engine container.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specifies the options to secure an upstream web application with a Microgateway Engine container.
properties:
apiProtection:
description: |-
APIProtection defines the relevant configurations to protect APIs.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
openAPIRef:
description: |-
OpenAPIRef selects the relevant OpenAPI configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: object
filter:
description: |-
Filter defines the set of filters, e.g. Airlock Deny Rules, to be applied to incoming requests
to protect against various attack patterns.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
denyRulesRef:
description: |-
DenyRulesRef selects the relevant DenyRules configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: object
headerRewritesRef:
description: |-
HeaderRewritesRef selects the relevant HeaderRewrites.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
limitsRef:
description: |-
LimitsRef selects the relevant Limits configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
parserRef:
description: |-
ParserRef selects the relevant Parser configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: object
type: object
served: true
storage: true
subresources: {}


@ -1,58 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.2.3
name: envoyclusters.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: EnvoyCluster
listKind: EnvoyClusterList
plural: envoyclusters
singular: envoycluster
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: EnvoyCluster is an additional Envoy Cluster resource which is added to those defined by the Airlock Microgateway.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired additional Envoy cluster.
properties:
value:
description: Value defines the Envoy Cluster which is added to those configured by the Airlock Microgateway.
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
served: true
storage: true
subresources: {}


@ -1,182 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.2.3
name: envoyconfigurations.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: EnvoyConfiguration
listKind: EnvoyConfigurationList
plural: envoyconfigurations
singular: envoyconfiguration
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.status
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
EnvoyConfiguration is the Schema for the envoyconfigurations API
{{% notice warning %}} EnvoyConfiguration resources may contain sensitive information and thus RBAC permissions should be granted with care. {{% /notice %}}
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: EnvoyConfigurationSpec defines the desired state of EnvoyConfiguration
properties:
envoyResources:
description: EnvoyResources defines the desired state for each resource type.
properties:
clusters:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
endpoints:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
extensions:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
listeners:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
routes:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
runtimes:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
scopedRoutes:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
secrets:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
type: object
nodeID:
description: NodeID defines the ID of the envoy node
type: string
required:
- nodeID
type: object
status:
description: EnvoyConfigurationStatus defines the observed state of EnvoyConfiguration
properties:
conditions:
items:
properties:
lastTransitionTime:
description: Last time the condition transitioned from one status to another.
format: date-time
type: string
message:
description: A human-readable message indicating details about the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of EnvoyConfiguration condition.
type: string
required:
- status
- type
type: object
type: array
status:
type: string
xds:
properties:
resourceTypes:
additionalProperties:
description: XdsResourceTypeSyncStatus defines the sync status of xDS for a specific resource type
properties:
errorMessage:
description: ErrorMessage defines an optional message why the currently served resources of this resource type are rejected by the client.
type: string
resources:
additionalProperties:
description: XdsResourceStatus defines the status of xDS for a specific resource
properties:
version:
description: Version defines the version which is currently served for this resource.
type: string
required:
- version
type: object
description: Resources defines the resources which are currently served for this resource type.
type: object
status:
description: Status defines the current sync status of this resource type.
type: string
version:
description: Version defines the version which is currently served for this resource type.
type: string
required:
- resources
- status
- version
type: object
description: ResourceTypes defines the sync statuses for each resource type.
type: object
version:
description: Version defines the version of the underlying xDS snapshot.
type: integer
required:
- version
type: object
required:
- status
- xds
type: object
type: object
served: true
storage: true
subresources:
status: {}
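Review bot: the openAPIV3Schema description wraps the sentence "EnvoyConfiguration resources may contain sensitive information and thus RBAC permissions should be granted with care" in a Hugo shortcode (`{{% notice warning %}} ... {{% /notice %}}`), which `kubectl explain` shows verbatim; the warning itself is the important part, since the `secrets` entry under `spec.envoyResources` is an unvalidated `x-kubernetes-preserve-unknown-fields` object array. When checking the replacement CRD, keep that RBAC warning as plain text, and confirm `subresources: status: {}` is retained so `.status.xds` (and the `Status` printer column) can only be written through the status subresource by the controller, not by anyone with update rights on the spec.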

View File

@ -1,759 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.2.3
name: headerrewrites.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: HeaderRewrites
listKind: HeaderRewritesList
plural: headerrewrites
singular: headerrewrites
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: HeaderRewrites is the Schema for the headerrewrites API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired header rewriting behavior.
properties:
request:
description: Request defines manipulations on upstream request headers.
properties:
add:
description: Add defines which request headers will be added before forwarding to the upstream.
properties:
custom:
description: |-
Custom allows configuring additional upstream request headers.
Add selected headers.
items:
properties:
headers:
description: Headers to add.
items:
description: HeaderRewritesHeader specifies a header with a particular value
properties:
name:
description: Name defines the name of a header.
minLength: 1
type: string
value:
description: Value defines the value of a header.
type: string
required:
- name
- value
type: object
minItems: 1
type: array
mode:
default: AddIfAbsent
description: Mode defines the header addition strategy.
enum:
- AddIfAbsent
- OverwriteOrAdd
type: string
name:
description: Name describing the configured operation.
minLength: 1
type: string
required:
- headers
- name
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
allow:
description: |-
Allow defines which request headers will be forwarded to the upstream.
This can either be allHeaders or matchingHeaders.
Default: matchingHeaders: {...}
properties:
allHeaders:
description: AllHeaders specifies that all request headers should be forwarded.
type: object
matchingHeaders:
description: MatchingHeaders specifies which request headers should be forwarded.
properties:
builtIn:
description: BuiltIn allows configuring a set of predefined upstream request headers.
properties:
standardHeaders:
default: true
description: StandardHeaders defines whether the request headers which are forwarded to the upstream will be restricted to a set of common request headers.
type: boolean
type: object
custom:
description: Custom allows configuring additional upstream request headers.
items:
properties:
headers:
description: Headers to allow.
items:
description: |-
HeaderMatcher defines a matcher for an HTTP header.
At least one of name and value must be set.
properties:
name:
description: Name defines the name of a header.
properties:
matcher:
description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a header.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
minItems: 1
type: array
name:
description: Name describing the configured operation. Must be unique.
minLength: 1
type: string
required:
- headers
- name
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
type: object
remove:
description: Remove defines which request headers will be removed before forwarding to the upstream.
properties:
builtIn:
description: BuiltIn allows configuring a set of predefined upstream request headers.
properties:
alternativeForwardedHeaders:
default: true
description: |-
AlternativeForwardedHeaders removes downstream request headers which could potentially
be abused to alter the upstream's view of the remote connection.
type: boolean
type: object
custom:
description: Custom allows configuring additional upstream request headers.
items:
properties:
headers:
description: Headers to remove.
items:
description: |-
HeaderMatcher defines a matcher for an HTTP header.
At least one of name and value must be set.
properties:
name:
description: Name defines the name of a header.
properties:
matcher:
description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a header.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
minItems: 1
type: array
name:
description: Name describing the configured operation. Must be unique.
minLength: 1
type: string
required:
- headers
- name
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
type: object
response:
description: Response defines manipulations on upstream response headers.
properties:
add:
description: Add defines which response headers will be added before forwarding to the downstream.
properties:
builtIn:
description: BuiltIn allows configuring a set of predefined upstream response headers.
properties:
csp:
default: true
description: |-
CSP sets a content security policy which allows only same-origin requests except for images
if the 'Content-Security-Policy' header is not set by the upstream.
type: boolean
featurePolicy:
default: false
description: |-
FeaturePolicy sets a feature policy which prevents cross-origin use of several browser features
if the 'Feature-Policy' header is not set by the upstream.
**Deprecated:** Use permissionsPolicy instead.
type: boolean
hsts:
default: true
description: HSTS enforces the use of HTTPS if the 'Strict-Transport-Security' header is not already set by the upstream.
type: boolean
hstsPreload:
default: false
description: HSTSPreload enforces the use of HTTPS including for subdomains and enables HSTS preload.
type: boolean
permissionsPolicy:
default: true
description: |-
PermissionsPolicy sets a permissions policy which prevents cross-origin use of several browser features
if the 'Permissions-Policy' header is not set by the upstream.
type: boolean
referrerPolicy:
default: true
description: |-
ReferrerPolicy ensures that no 'Referer' header is sent for cross-origin requests
if the 'Referrer-Policy' header is not set by the upstream.
type: boolean
xContentTypeOptions:
default: true
description: XContentTypeOptions sets 'X-Content-Type-Options' to 'nosniff' if it is not set by the upstream.
type: boolean
xFrameOptions:
default: true
description: XFrameOptions sets 'X-Frame-Options' to SAMEORIGIN if it is not set by the upstream.
type: boolean
type: object
custom:
description: Custom allows configuring additional upstream response headers.
items:
properties:
headers:
description: Headers to add.
items:
description: HeaderRewritesHeader specifies a header with a particular value
properties:
name:
description: Name defines the name of a header.
minLength: 1
type: string
value:
description: Value defines the value of a header.
type: string
required:
- name
- value
type: object
minItems: 1
type: array
mode:
default: AddIfAbsent
description: Mode defines the header addition strategy.
enum:
- AddIfAbsent
- OverwriteOrAdd
type: string
name:
description: Name describing the configured operation.
minLength: 1
type: string
required:
- headers
- name
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
allow:
description: |-
Allow defines which response headers will be forwarded to the downstream.
This can either be allHeaders or matchingHeaders.
Default: allHeaders: {}
properties:
allHeaders:
description: AllHeaders specifies that all response headers should be forwarded.
type: object
matchingHeaders:
description: MatchingHeaders specifies which response headers should be forwarded.
properties:
builtIn:
description: BuiltIn allows configuring a set of predefined upstream response header.
properties:
standardHeaders:
default: false
description: StandardHeaders defines whether the response headers which are forwarded to the downstream will be restricted to a set of common response headers.
type: boolean
type: object
custom:
description: Custom allows configuring additional upstream response headers.
items:
properties:
headers:
description: Headers to allow.
items:
description: |-
HeaderMatcher defines a matcher for an HTTP header.
At least one of name and value must be set.
properties:
name:
description: Name defines the name of a header.
properties:
matcher:
description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a header.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
minItems: 1
type: array
name:
description: Name describing the configured operation. Must be unique.
minLength: 1
type: string
required:
- headers
- name
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
type: object
remove:
description: Remove defines which response headers will be removed before forwarding to the downstream.
properties:
builtIn:
description: BuiltIn allows configuring a set of predefined upstream response headers.
properties:
auth:
description: Auth defines the categories of headers concerning authentication.
properties:
basic:
default: false
description: Basic removes upstream response headers that advise clients to authenticate with Basic Authentication.
type: boolean
negotiate:
default: true
description: Negotiate removes upstream response headers that advise clients to authenticate with Negotiate.
type: boolean
ntlm:
default: true
description: |-
NTLM removes upstream response headers that advise clients to authenticate with NTLM.
By default, these headers are removed, because NTLM pass-through is not supported.
type: boolean
type: object
informationLeakage:
description: InformationLeakage defines the categories of headers concerning information leakage.
properties:
application:
default: true
description: Application removes upstream response headers that leak information about the deployed software.
type: boolean
server:
default: true
description: Server removes upstream response headers that leak information about the server.
type: boolean
type: object
permissiveCors:
default: true
description: PermissiveCORS removes upstream response headers for CORS (Cross-Origin Resource Sharing) which have no restrictions and therefore reduce client-side security.
type: boolean
type: object
custom:
description: Custom allows configuring additional upstream response headers.
items:
properties:
headers:
description: Headers to remove.
items:
description: |-
HeaderMatcher defines a matcher for an HTTP header.
At least one of name and value must be set.
properties:
name:
description: Name defines the name of a header.
properties:
matcher:
description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a header.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
minItems: 1
type: array
name:
description: Name describing the configured remove operation. Must be unique.
minLength: 1
type: string
required:
- headers
- name
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
type: object
settings:
description: Settings configures the HeaderRewrites filter.
properties:
operationalMode:
default: Production
description: OperationalMode defines the behavior of the filter. In integration mode more information is logged about the requests and responses.
enum:
- Production
- Integration
type: string
type: object
type: object
type: object
served: true
storage: true
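Review bot: the security-relevant content of this CRD is in its `default:` values rather than its structure: `request.remove.builtIn.alternativeForwardedHeaders`, the `response.add.builtIn` hardening headers (`csp`, `hsts`, `permissionsPolicy`, `referrerPolicy`, `xContentTypeOptions`, `xFrameOptions`), `response.remove.builtIn.auth.negotiate` and `.ntlm`, `informationLeakage.application` and `.server`, and `permissiveCors` all default to `true`, while `hstsPreload`, `featurePolicy` (marked deprecated in its own description) and `auth.basic` default to `false`. CRD defaults are applied server-side to objects that omit the field, so when this file is replaced, diff every `default:` against the new CRD and call out any that flips in the release note; a silent flip changes behaviour for every existing HeaderRewrites object that relies on the defaults. Also note the asymmetry that request-side `allow` defaults to `matchingHeaders` with `standardHeaders: true` while response-side `allow` defaults to `allHeaders: {}`; that is worth checking against the replacement as well.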

View File

@ -1,108 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.2.3
name: identitypropagations.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: IdentityPropagation
listKind: IdentityPropagationList
plural: identitypropagations
singular: identitypropagation
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: IdentityPropagation specifies the desired identity propagation.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired identity propagation.
properties:
header:
description: Header configures identity propagation via a request header.
properties:
name:
description: Name of the header to set.
minLength: 1
type: string
value:
description: Value to propagate to the application.
properties:
source:
description: Source from which to extract the value.
properties:
metadata:
description: Metadata specifies to extract a value from an Envoy dynamic filter metadata key.
properties:
key:
description: Key specifies the metadata key from which to load the value, e.g. `some_payload.aud`.
minLength: 1
type: string
namespace:
description: Namespace specifies the metadata namespace within which the lookup should be performed, e.g. `envoy.filters.http.jwt_authn`.
minLength: 1
type: string
required:
- key
- namespace
type: object
oidc:
description: OIDC specifies to extract a value from the result of an OpenID Connect flow.
properties:
idToken:
description: IDToken specifies to extract the value from the OpenID Connect ID Token.
properties:
claim:
description: Claim selects the JWT claim from which to extract the value.
minLength: 1
type: string
required:
- claim
type: object
required:
- idToken
type: object
type: object
required:
- source
type: object
required:
- name
- value
type: object
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}
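Review bot: `spec.header.name` is constrained only by `minLength: 1`, and the `header` description ("identity propagation via a request header") does not say whether a client-supplied header of the same name is overwritten or merely added alongside, which matters because the value is an identity claim (`oidc.idToken.claim`, or a `metadata` key under a namespace such as `envoy.filters.http.jwt_authn`); the replacement CRD's description should state that the header is always set from the trusted source. Minor: this CRD has `required: - spec` at the top level, which the other deleted CRDs above do not; keep that consistent in the replacements.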

View File

@ -1,453 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.2.3
name: limits.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: Limits
listKind: LimitsList
plural: limits
singular: limits
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: Limits contains the configuration for limits.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired limits behavior.
properties:
request:
description: Request defines the limits for requests.
properties:
limited:
description: Limited enables limits on request scope.
properties:
exceptions:
description: Exceptions defines limit exceptions.
items:
description: LimitsException defines an exception for limits.
properties:
length:
description: Length defines an exception for length limits based on the data element exceeding the limit.
properties:
json:
description: JSON defines a key and value length limit exception for a JSON property.
properties:
jsonPath:
description: |-
JSONPath restricts the exception to JSON properties with a matching JSONPath.
Expressions in JSONPath i.e. `?(expr)` are not supported.
minLength: 1
type: string
required:
- jsonPath
type: object
parameter:
description: Parameter defines a name and value length limit exception for a parameter.
properties:
name:
description: Name restricts the exception to parameters with a matching name.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
source:
default: Any
description: Source restricts the exception to parameters of this kind.
enum:
- Query
- Post
- Any
type: string
required:
- name
type: object
type: object
requestConditions:
description: RequestConditions defines additional request properties which must be matched in order for this exception to apply.
properties:
header:
description: Header defines the matching headers of a request.
properties:
name:
description: Name defines the name of a header.
properties:
matcher:
description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a header.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
invert:
default: false
description: Invert indicates whether the request condition should be inverted.
type: boolean
mediaType:
description: MediaType defines the matching media type from the content-type header of a request.
properties:
matcher:
description: |-
NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
method:
description: Method defines the matching methods of a request.
items:
description: Method defines common HTTP methods.
enum:
- GET
- HEAD
- POST
- PUT
- PATCH
- DELETE
- CONNECT
- OPTIONS
- TRACE
type: string
type: array
path:
description: Path defines the matching path of a request.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
remoteIP:
description: RemoteIP defines the matching remote IPs of a request.
properties:
cidrRanges:
description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``.
items:
description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“.
format: cidr
type: string
minItems: 1
type: array
invert:
default: false
description: Invert indicates whether the match should be inverted.
type: boolean
required:
- cidrRanges
type: object
type: object
type: object
type: array
general:
description: General defines general request limits.
properties:
bodySize:
anyOf:
- type: integer
- type: string
default: 100Ki
description: BodySize limits the total size of the request body. It specifies the number of bytes (0 = unlimited). This limit is effective only for requests that are parsed (e.g. JSON data). File uploads are not affected by this limit.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
pathLength:
anyOf:
- type: integer
- type: string
default: 1Ki
description: PathLength defines the maximum path length for requests.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
json:
description: JSON defines the limits for JSON requests.
properties:
elementCount:
default: 10000
description: ElementCount defines the maximum number of keys and array items in the whole JSON document (recursive).
format: int64
type: integer
keyCount:
default: 250
description: KeyCount defines the maximum number of keys of a single JSON object (non-recursive).
format: int64
type: integer
keyLength:
anyOf:
- type: integer
- type: string
default: "128"
description: KeyLength defines the maximum length for JSON keys.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
nestingDepth:
default: 100
description: NestingDepth defines the maximum depth of nesting for JSON objects and JSON arrays.
format: int64
type: integer
valueLength:
anyOf:
- type: integer
- type: string
default: 8Ki
description: ValueLength defines the maximum length for JSON values.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
parameter:
description: Parameter defines the limits for request parameters.
properties:
count:
default: 128
description: Count defines the maximum number of request parameters.
format: int64
type: integer
nameLength:
anyOf:
- type: integer
- type: string
default: "128"
description: NameLength defines the maximum length for parameter names.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
valueLength:
anyOf:
- type: integer
- type: string
default: 8Ki
description: ValueLength defines the maximum length for parameter values.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
type: object
unlimited:
description: Unlimited disables all limits on request scope.
type: object
type: object
settings:
description: Settings configures the limits filter.
properties:
threatHandlingMode:
default: Block
description: ThreatHandlingMode specifies how threats should be handled when a limit hits.
enum:
- Block
- LogOnly
type: string
type: object
type: object
type: object
served: true
storage: true
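Review bot: this hunk removes the whole limits.microgateway.airlock.com CRD (labelled app.kubernetes.io/version: 4.2.3) instead of changing it in place, so the thing to check is that a CRD with the same name ships with the newer chart version elsewhere in this commit; without one, existing Limits objects lose their schema once the CRD is dropped from the cluster. While comparing against the replacement, note that the quantity pattern shared by bodySize, pathLength, keyLength, valueLength and nameLength starts with an optional sign (`^(\+|-)?...`), so a value such as `-1Ki` passes schema validation; the replacement should reject signed values, for example by dropping the optional sign from the pattern.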


@ -1,301 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.2.3
name: oidcproviders.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: OIDCProvider
listKind: OIDCProviderList
plural: oidcproviders
singular: oidcprovider
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
OIDCProvider specifies an OpenID Provider (OP).
{{% notice warning %}} The OIDC feature is currently in an experimental state.
We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as security has not yet been hardened.
In particular, the current implementation has the following limitations, which we intend to address in future Microgateway releases:
- The state parameter is guessable.
- ID token and access token are stored in cookies and are thus sent to the accessing client.
{{% /notice %}}
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of an OpenID Provider.
properties:
static:
description: Static configures an OpenID Provider by explicitly specifying all endpoints.
properties:
endpoints:
description: Endpoints specifies the OpenID Provider endpoints.
properties:
authorization:
description: Authorization specifies the endpoint to which the authorization request is sent.
properties:
uri:
description: URI specifies the endpoint address.
format: uri
minLength: 1
pattern: ^(http|https)://.*$
type: string
required:
- uri
type: object
token:
description: Token configures the endpoint from which the access, ID and refresh tokens are obtained.
properties:
tls:
description: TLS defines TLS settings.
properties:
certificateVerification:
description: CertificateVerification specifies how the certificate presented by the server is verified.
properties:
custom:
description: |-
Custom explicitly specifies how the server certificate should be verified.
Typical use cases include specifying a custom CA and SAN match when working with self-signed certificates or pinning a specific public key.
properties:
allowedSANs:
description: |-
AllowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics,
that is to say, the SAN is verified if at least one matcher is matched.
AllowedSANs requires trustedCA to be set.
items:
description: |-
TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
Subject Alternative Name of the presented certificate matches one of the specified matchers.
properties:
matcher:
description: Matcher defines the string matcher for the SAN value.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
sanType:
description: SanType defines the type of SAN matcher.
enum:
- DNS
- Email
- URI
- IPAddress
type: string
required:
- matcher
- sanType
type: object
minItems: 1
type: array
certificatePinning:
description: |-
CertificatePinning defines constraints the presented certificate must fulfill.
If more than one constraint is configured only one must be satisfied.
At least one of allowedSPKIs and allowedHashes must be set.
properties:
allowedHashes:
description: |-
AllowedHashes is a list of hex-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
items:
type: string
minItems: 1
type: array
allowedSPKIs:
description: |-
AllowedSPKIs is a list of base64-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.
items:
type: string
minItems: 1
type: array
type: object
crl:
description: CRL defines the Certificate Revocation List (CRL) settings.
properties:
lists:
description: Lists defines the list of secretRefs containing Certificate Revocation Lists.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
validationMode:
default: VerifyChain
description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked.
enum:
- VerifyLeafCertOnly
- VerifyChain
type: string
type: object
trustedCA:
description: TrustedCA defines which CA certificates are trusted.
properties:
certificates:
description: Certificates defines the list of secretRefs containing trusted CA certificates.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
verificationDepth:
default: 1
description: |-
VerificationDepth specifies the hops in the certificate chain at which validation is performed.
1 means that either the leaf or the signing CA must be in the set of trusted certificates.
format: int32
type: integer
required:
- certificates
type: object
type: object
disabled:
description: |-
Disabled specifies to trust any certificate without verification.
THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING.
type: object
publicCAs:
description: PublicCAs specifies to only accept certificates with a SAN matching "uri" and which are signed by a CA which is either directly or indirectly trusted by any of the root CA certificates shipped with the Airlock Microgateway Engine's base image.
type: object
type: object
ciphers:
description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration.
items:
type: string
minItems: 1
type: array
protocol:
description: Protocol defines the supported TLS protocol versions.
properties:
maximum:
description: Maximum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
minimum:
description: Minimum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
type: object
type: object
uri:
description: URI specifies the endpoint address.
format: uri
minLength: 1
pattern: ^(http|https)://.*$
type: string
required:
- uri
type: object
required:
- authorization
- token
type: object
required:
- endpoints
type: object
type: object
required:
- spec
type: object
served: true
storage: true
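Review bot: the deleted OIDCProvider schema records two open security limitations in its top-level description (the state parameter is guessable; ID and access tokens are stored in cookies and therefore sent to the client), allows `TLSv1_0` and `TLSv1_1` in `protocol.minimum`/`protocol.maximum`, and offers a `certificateVerification.disabled` mode that its own description marks as insecure and testing-only. When reviewing the CRD that replaces this file, confirm that the warning notice disappears only because the limitations were addressed, and decide whether the replacement still needs the TLS 1.0/1.1 enum values and the disabled verification mode; if it keeps them, it should keep the INSECURE wording on them too.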
subresources: {}


@ -1,219 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.2.3
name: oidcrelyingparties.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: OIDCRelyingParty
listKind: OIDCRelyingPartyList
plural: oidcrelyingparties
singular: oidcrelyingparty
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
OIDCRelyingParty specifies how the Airlock Microgateway Engine interacts with an OpenID Provider (OP).
{{% notice warning %}} The OIDC feature is currently in an experimental state.
We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as security has not yet been hardened.
In particular, the current implementation has the following limitations, which we intend to address in future Microgateway releases:
- The state parameter is guessable.
- ID token and access token are stored in cookies and are thus sent to the accessing client.
{{% /notice %}}
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the OIDC Relying Party configuration.
properties:
clientID:
description: ClientID specifies the OIDCRelyingParty "client_id".
minLength: 1
type: string
credentials:
description: Credentials used for client authentication on the back-channel with the authorization server.
properties:
clientSecret:
description: ClientSecret authenticates with the client password issued by the OpenID Provider (OP).
properties:
method:
default: BasicAuth
description: Method specifies in which format the client secret is sent with the authorization request.
enum:
- BasicAuth
- FormURLEncoded
type: string
secretRef:
description: SecretRef specifies the kubernetes secret containing the client password with key "client.secret".
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
required:
- clientSecret
type: object
oidcProviderRef:
description: OIDCProviderRef selects the OpenID Provider (OP) used to authenticate users.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
pathMapping:
description: PathMapping configures the action matching.
properties:
logoutPath:
description: LogoutPath specifies which request paths should initiate a logout.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
redirectPath:
description: RedirectPath specifies which request paths should be interpreted as a response from the authorization endpoint.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
required:
- logoutPath
- redirectPath
type: object
redirectURI:
description: |-
RedirectURI configures the "redirect_uri" parameter included in the authorization request.
May contain envoy command operators, e.g. '%REQ(:x-forwarded-proto)%://%REQ(:authority)%/callback'.
minLength: 1
type: string
required:
- clientID
- credentials
- oidcProviderRef
- pathMapping
- redirectURI
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}


@ -1,167 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.2.3
name: openapis.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: OpenAPI
listKind: OpenAPIList
plural: openapis
singular: openapi
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: OpenAPI contains the configuration for the OpenAPI specification.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired OpenAPI specification.
properties:
response:
description: Response defines the validation behaviour for responses.
properties:
secured:
description: Secured enables response checking.
properties:
validation:
default: Lax
description: Validation defines the validation mode for responses.
enum:
- Lax
- Strict
type: string
type: object
unsecured:
description: Unsecured disables response checking.
type: object
type: object
settings:
description: Settings defines the settings to configure OpenAPI specification enforcement.
properties:
logging:
description: Logging specifies the access log behavior.
properties:
maxFailedSubvalidations:
default: 10
description: MaxFailedSubvalidations defines the maximum number of failed subvalidations being logged.
format: int64
type: integer
type: object
schema:
description: Schema configures the OpenAPI specification.
properties:
source:
description: Source specifies the OpenAPI specification to be enforced.
properties:
configMapRef:
description: ConfigMapRef references the configmap by its name containing the well-known key 'openapi.json'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: object
required:
- source
type: object
threatHandlingMode:
default: Block
description: ThreatHandlingMode specifies how threats should be handled.
enum:
- Block
- LogOnly
type: string
validation:
description: Validation specifies the patterns for the validation behavior.
properties:
authentication:
description: Authentication defines the settings for the authentication scheme.
properties:
oAuth2:
description: OAuth2 specifies the OAuth2 parameters.
properties:
allowedParameters:
description: AllowedParameters specifies the allowed parameters for the authentication scheme.
properties:
builtIn:
description: BuiltIn allows configuring a set of predefined allowed parameters.
properties:
standardParameters:
default: true
description: StandardParameters defines whether the allowed parameters should be expanded by the set of common parameters.
type: boolean
type: object
custom:
description: Custom allows configuring additional allowed parameters.
items:
minLength: 1
type: string
minItems: 1
type: array
type: object
type: object
oidc:
description: Oidc specifies the OIDC parameters.
properties:
allowedParameters:
description: AllowedParameters specifies the allowed parameters for the authentication scheme.
properties:
builtIn:
description: BuiltIn allows configuring a set of predefined allowed parameters.
properties:
standardParameters:
default: true
description: StandardParameters defines whether the allowed parameters should be expanded by the set of common parameters.
type: boolean
type: object
custom:
description: Custom allows configuring additional allowed parameters.
items:
minLength: 1
type: string
minItems: 1
type: array
type: object
type: object
type: object
type: object
required:
- schema
type: object
required:
- settings
type: object
required:
- spec
type: object
served: true
storage: true
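Review bot: deleting this file does not remove or replace the `openapis.microgateway.airlock.com` CRD on clusters where an earlier chart release already installed it; if the file lives under the chart's `crds/` directory, Helm neither upgrades nor deletes it on `helm upgrade`, so existing `OpenAPI` objects stay stored under `v1alpha1`, the only version in this schema (`served: true` / `storage: true`). Please confirm the replacement CRD still serves and stores `v1alpha1`, or add an upgrade note telling operators to apply the new CRD manifest themselves (for example with `kubectl apply -f`) before upgrading the release. Separately, the removed schema allows `spec.response.secured` and `spec.response.unsecured` to be set at the same time, and likewise `authentication.oAuth2` and `authentication.oidc`, because they are plain sibling objects with no mutual-exclusion rule; if the replacement keeps this shape it should enforce the choice with an `x-kubernetes-validations` CEL rule so that ambiguous objects are rejected at admission instead of being resolved by the operator at reconcile time.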

View File

@ -1,358 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.2.3
name: parsers.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: Parser
listKind: ParserList
plural: parsers
singular: parser
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: Parser contains the configuration for content parsers (default and custom).
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired parser behavior.
properties:
request:
description: Request defines the parsing for downstream requests.
properties:
custom:
description: Custom allows configuring additional rules for parser selection.
properties:
rules:
description: |-
Rules defines a custom set prepended before built-in rules of enabled request parsers.
Disable all built-in parsers to overrule them completely.
items:
properties:
action:
description: |-
Action specifies what should happen when a request condition matches.
Only one of parse or skip can be set.
properties:
parse:
description: Parse activates the configured parser.
properties:
form:
description: Form activates the Form parser.
type: object
json:
description: JSON activates the JSON parser.
type: object
multipart:
description: Multipart activates the multipart parser.
type: object
type: object
skip:
description: Skip disables any content parsing
type: object
type: object
requestConditions:
description: RequestConditions defines additional request properties which must be matched in order for this rule to apply.
properties:
header:
description: Header defines the matching headers of a request.
properties:
name:
description: Name defines the name of a header.
properties:
matcher:
description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a header.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
invert:
default: false
description: Invert indicates whether the request condition should be inverted.
type: boolean
mediaType:
description: MediaType defines the matching media type from the content-type header of a request.
properties:
matcher:
description: |-
NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
method:
description: Method defines the matching methods of a request.
items:
description: Method defines common HTTP methods.
enum:
- GET
- HEAD
- POST
- PUT
- PATCH
- DELETE
- CONNECT
- OPTIONS
- TRACE
type: string
type: array
path:
description: Path defines the matching path of a request.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
remoteIP:
description: RemoteIP defines the matching remote IPs of a request.
properties:
cidrRanges:
description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``.
items:
description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“.
format: cidr
type: string
minItems: 1
type: array
invert:
default: false
description: Invert indicates whether the match should be inverted.
type: boolean
required:
- cidrRanges
type: object
type: object
required:
- action
- requestConditions
type: object
type: array
type: object
defaultContentType:
default: application/x-www-form-urlencoded
description: DefaultContentType specifies the content-type header which should be injected into the request before parser selection if it is not already present and the request has a body.
minLength: 1
type: string
parsers:
description: Parsers defines the configuration for the available content parsers.
properties:
form:
description: Form defines the configuration for the form parser.
properties:
enable:
default: true
description: Enable defines whether form payloads are inspected.
type: boolean
mediaTypePattern:
default: .*urlencoded.*
description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as form arguments.
minLength: 1
type: string
type: object
json:
description: JSON defines the configuration for the JSON parser.
properties:
enable:
default: true
description: Enable defines whether json payloads are inspected.
type: boolean
mediaTypePattern:
default: .*json.*
description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as JSON.
minLength: 1
type: string
type: object
multipart:
description: Multipart defines the configuration for the multipart parser.
properties:
enable:
default: true
description: Enable defines whether multipart payloads are inspected.
type: boolean
mediaTypePattern:
default: .*multipart.*
description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as a multipart payload.
minLength: 1
type: string
type: object
type: object
type: object
type: object
type: object
served: true
storage: true
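Review bot: the constraints this removed `parsers` schema states only in prose are not enforced by the schema: `action` says "Only one of parse or skip can be set" and every matcher says "Only one of exact, prefix, suffix, regex or contains can be set", yet all of these are optional sibling properties with no `oneOf` or `x-kubernetes-validations` rule, and `requestConditions` is listed under `required` while every field inside it is optional, so `requestConditions: {}` passes validation and the rule applies unconditionally. Note also that `defaultContentType` defaults to `application/x-www-form-urlencoded`, so a request body with no `Content-Type` header is parsed as form data via the `.*urlencoded.*` pattern by default; whether the replacement changes or keeps that behaviour belongs in the upgrade notes. If the replacement CRD keeps this structure, check that it adds CEL rules for the one-of constraints and `minProperties: 1` on `requestConditions`, so malformed objects are rejected at admission rather than surfacing only in the operator's logs or status.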

View File

@ -1,731 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.2.3
name: sidecargateways.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: SidecarGateway
listKind: SidecarGatewayList
plural: sidecargateways
singular: sidecargateway
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.status
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: SidecarGateway contains the configuration how to configure the Airlock Microgateway Engine when used as Sidecar Container within the Pod of an application.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired sidecar gateway behavior.
properties:
applications:
description: Applications defines applications which run on different ports.
items:
properties:
containerPort:
default: 8080
description: |-
ContainerPort refers to the container port.
This must be a valid port number, 0 < x < 65536.
format: int32
maximum: 65535
minimum: 1
type: integer
downstream:
description: Downstream defines the downstream configuration for this application
properties:
protocol:
description: |-
Protocol defines the exposed HTTP protocol version. At most one of http1, http2 and auto can be set.
Default: auto: {}
properties:
auto:
description: Auto specifies that the protocol should be inferred.
properties:
http2:
description: HTTP2 specifies the settings for when HTTP/2 is inferred.
properties:
allowConnect:
default: false
description: Allows proxying Websocket and other upgrades over H2 connect.
type: boolean
type: object
type: object
http1:
description: HTTP1 specifies that the client is assumed to speak HTTP/1.1.
type: object
http2:
description: HTTP2 specifies that the client is assumed to speak HTTP/2.
properties:
allowConnect:
default: false
description: Allows proxying Websocket and other upgrades over H2 connect.
type: boolean
type: object
type: object
remoteIP:
description: |-
RemoteIP defines how the remote IP of a client is propagated.
Default: xff: {...}
properties:
connectionIP:
description: ConnectionIP configures to use the source IP address of the direct downstream connection.
type: object
customHeader:
description: CustomHeader specifies to use a custom header for remote IP extraction.
properties:
headerName:
description: HeaderName specifies the name of the custom header containing the remote IP.
minLength: 1
type: string
required:
default: true
description: Required specifies if the custom header is required. If true and not available the request will be rejected with 403.
type: boolean
required:
- headerName
type: object
xff:
description: XFF configures to use the standard 'X-Forwarded-For' header for IP extraction.
properties:
numTrustedHops:
default: 1
description: NumTrustedHops specifies to extract the client's originating IP from the nth rightmost entry in the X-Forwarded-For header. With the default value of 1, the IP is extracted from the rightmost entry.
format: int32
minimum: 1
type: integer
type: object
type: object
requestNormalizations:
description: RequestNormalizations defines a set of normalization actions which are applied to the request before route matching.
properties:
mergeSlashes:
default: true
description: MergeSlashes ensures that adjacent slashes in the path are merged into one.
type: boolean
normalizePath:
default: true
description: NormalizePath ensures normalization according to RFC 3986 without case normalization.
type: boolean
type: object
restrictions:
description: Restrictions defines restrictions for downstream.
properties:
http:
description: HTTP defines limits for the HTTP protocol.
properties:
headersLength:
anyOf:
- type: integer
- type: string
default: 60Ki
description: HeadersLength defines maximum size of all request headers combined. Requests that exceed this limit will receive a 431 response.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
type: object
timeouts:
description: Timeouts defines timeouts for downstream
properties:
http:
description: HTTP defines the settings for HTTP timeouts.
properties:
idle:
default: 5m
description: |-
Idle defines the settings for the idle timeout when no data is sent or received.
A value of 0 will completely disable the timeout.
Default: 5m
type: string
maxDuration:
default: 5m
description: |-
MaxDuration defines the total duration for a HTTP request/response stream.
A value of 0 will completely disable the timeout.
Default: 5m
type: string
requestHeaders:
default: 10s
description: |-
RequestHeaders defines the duration before all request headers must be received.
A value of 0 will completely disable the timeout.
Default: 10s
type: string
type: object
type: object
tls:
description: TLS defines the TLS settings.
properties:
ciphers:
description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration.
items:
type: string
minItems: 1
type: array
clientCertificate:
description: |-
ClientCertificate defines the TLS settings for verification of client certificates.
At most one of ignored, optional and required can be set.
Default: ignored: {}
properties:
ignored:
description: Ignored disables verification of the client certificate.
type: object
optional:
description: |-
Optional enables verification of the client certificate if one is presented.
In this mode only trustedCA and crl settings can be configured since certificatePinning and allowedSANs require a client certificate.
properties:
crl:
description: CRL defines the Certificate Revocation List (CRL) settings.
properties:
lists:
description: Lists defines the list of secretRefs containing Certificate Revocation Lists.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
validationMode:
default: VerifyChain
description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked.
enum:
- VerifyLeafCertOnly
- VerifyChain
type: string
type: object
trustedCA:
description: TrustedCA defines which CA certificates are trusted.
properties:
certificates:
description: Certificates defines the list of secretRefs containing trusted CA certificates.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
verificationDepth:
default: 1
description: |-
VerificationDepth specifies the hops in the certificate chain at which validation is performed.
1 means that either the leaf or the signing CA must be in the set of trusted certificates.
format: int32
type: integer
required:
- certificates
type: object
required:
- trustedCA
type: object
required:
description: |-
Required contains settings for client certificate verification. A client must present a valid certificate.
At least one of trustedCA and certificatePinning must be set.
properties:
allowedSANs:
description: |-
AllowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics,
that is to say, the SAN is verified if at least one matcher is matched.
AllowedSANs requires trustedCA to be set.
items:
description: |-
TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
Subject Alternative Name of the presented certificate matches one of the specified matchers.
properties:
matcher:
description: Matcher defines the string matcher for the SAN value.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
sanType:
description: SanType defines the type of SAN matcher.
enum:
- DNS
- Email
- URI
- IPAddress
type: string
required:
- matcher
- sanType
type: object
minItems: 1
type: array
certificatePinning:
description: |-
CertificatePinning defines the constraints a client certificate must fulfill.
If more than one constraint is configured only one must be satisfied.
At least one of allowedSPKIs and allowedHashes must be set.
properties:
allowedHashes:
description: |-
AllowedHashes is a list of hex-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
items:
type: string
minItems: 1
type: array
allowedSPKIs:
description: |-
AllowedSPKIs is a list of base64-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.
items:
type: string
minItems: 1
type: array
type: object
crl:
description: CRL defines the Certificate Revocation List (CRL) settings.
properties:
lists:
description: Lists defines the list of secretRefs containing Certificate Revocation Lists.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
validationMode:
default: VerifyChain
description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked.
enum:
- VerifyLeafCertOnly
- VerifyChain
type: string
type: object
trustedCA:
description: TrustedCA defines which CA certificates are trusted.
properties:
certificates:
description: Certificates defines the list of secretRefs containing trusted CA certificates.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
verificationDepth:
default: 1
description: |-
VerificationDepth specifies the hops in the certificate chain at which validation is performed.
1 means that either the leaf or the signing CA must be in the set of trusted certificates.
format: int32
type: integer
required:
- certificates
type: object
type: object
type: object
enable:
default: false
description: Enable defines if the downstream connection is encrypted.
type: boolean
protocol:
description: Protocol defines the supported TLS protocol versions.
properties:
maximum:
description: Maximum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
minimum:
description: Minimum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
type: object
secretRef:
description: SecretRef defines the reference to the TLS server certificate (secret of type kubernetes.io/tls).
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
xfcc:
description: |-
XFCC defines the handling of X-Forwarded-Client-Cert header. Meaning of the possible values:
_Sanitize_: Do not send the XFCC header to the next hop. This is the default value.
_ForwardOnly_: When the client connection is mTLS (Mutual TLS), forward the XFCC header in the request.
_AppendAndForward_: When the client connection is mTLS, append the client certificate information to the requests XFCC header and forward it.
_SanitizeAndSet_: When the client connection is mTLS, reset the XFCC header with the client certificate information and send it to the next hop.
_AlwaysForwardOnly_: Always forward the XFCC header in the request, regardless of whether the client connection is mTLS.
Note: When forwarding the XFCC header in the request you might have to adjust the header length restrictions (See sidecargateway.spec.applications.downstream.restrictions.http)
enum:
- Sanitize
- ForwardOnly
- AppendAndForward
- SanitizeAndSet
- AlwaysForwardOnly
type: string
type: object
type: object
envoyHTTPFilterRefs:
description: EnvoyHTTPFilterRefs selects the relevant EnvoyHTTPFilters.
properties:
prepend:
description: Prepend selects the relevant EnvoyHTTPFilters which are added before those configured by the Airlock Microgateway.
items:
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: array
type: object
routes:
description: Routes defines the security configurations for different paths. The first matching route (from top to bottom) applies.
items:
description: |-
SidecarGatewayApplicationRoute defines the security configurations for different paths.
At most one of secured and unsecured can be set.
Default: secured: {...}
properties:
pathPrefix:
default: /
description: PathPrefix defines the path prefix used during route selection.
minLength: 1
type: string
secured:
description: Secured enables WAF processing for this route.
properties:
accessControlRef:
description: |-
AccessControlRef selects the relevant AccessControl configuration resource.
If undefined, Airlock Microgateway does not perform any access control.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
contentSecurityRef:
description: |-
ContentSecurityRef selects the relevant ContentSecurity configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: object
unsecured:
description: |-
Unsecured disables all WAF functionality and therefore protection for this route.
WARNING: Using this setting when the application is exposed to untrusted downstream traffic is highly discouraged.
type: object
type: object
type: array
x-kubernetes-list-map-keys:
- pathPrefix
x-kubernetes-list-type: map
telemetryRef:
description: |-
TelemetryRef selects the relevant Telemetry configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
upstream:
description: Upstream defines the upstream configuration for this application
properties:
protocol:
description: |-
Protocol defines HTTP protocol version used to communicate with the upstream. At most one of http1, http2 and auto can be set.
Default: auto: {}
properties:
auto:
description: Auto specifies to use the protocol negotiated via TLS ALPN (if supported) or HTTP/1.1 as fallback.
properties:
http2:
description: HTTP2 specifies the settings for when HTTP/2 is inferred.
properties:
allowConnect:
default: false
description: Allows proxying Websocket and other upgrades over H2 connect.
type: boolean
type: object
type: object
http1:
description: HTTP1 specifies to use HTTP/1.1.
type: object
http2:
description: HTTP2 specifies to use HTTP/2.
properties:
allowConnect:
default: false
description: Allows proxying Websocket and other upgrades over H2 connect.
type: boolean
type: object
type: object
timeouts:
description: Timeouts defines the timeout settings.
properties:
http:
description: HTTP defines the settings for HTTP timeouts.
properties:
idle:
description: |-
Timeout defines the settings for http timeouts. If this setting is not specified, the value of applications[].downstream.timeouts.http.idle is inherited.
A value of 0 will completely disable the timeout.
type: string
maxDuration:
default: 15s
description: |-
MaxDuration defines the total duration for a HTTP request/response stream.
Default: 15s
type: string
type: object
type: object
tls:
description: TLS defines the TLS settings.
properties:
ciphers:
description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration.
items:
type: string
minItems: 1
type: array
enable:
default: false
description: Enable defines if the upstream connection is encrypted.
type: boolean
protocol:
description: Protocol defines the supported TLS protocol versions.
properties:
maximum:
description: Maximum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
minimum:
description: Minimum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
type: object
type: object
type: object
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- containerPort
x-kubernetes-list-type: map
envoyClusterRefs:
description: EnvoyClusterRefs selects the relevant EnvoyClusters.
items:
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
podSelector:
description: PodSelector defines to which Pods the configuration will be applied to.
properties:
matchLabels:
additionalProperties:
type: string
description: MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels.
type: object
type: object
required:
- applications
type: object
status:
description: Most recently observed status of the SidecarGateway which is populated by the system. This data is read-only and may not be up to date.
properties:
conditions:
items:
properties:
lastTransitionTime:
description: Last time the condition transitioned from one status to another.
format: date-time
type: string
message:
description: A human-readable message indicating details about the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of SidecarGateway condition.
type: string
required:
- status
- type
type: object
type: array
pods:
items:
properties:
envoyConfig:
description: EnvoyConfig indicates the name of the EnvoyConfig CR which references the SidecarGateway.
type: string
name:
description: Name indicates the name of the Pod which references the SidecarGateway.
type: string
required:
- name
type: object
type: array
status:
type: string
required:
- status
type: object
type: object
served: true
storage: true
subresources:
status: {}
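Review bot: the description of `timeouts.http.idle` in this hunk reads "Timeout defines the settings for http timeouts", which is the parent `timeouts` text rather than a description of the idle timeout; reword it to say what `idle` controls before the sentence about inheriting `applications[].downstream.timeouts.http.idle`, and state explicitly that `0` disables the timeout on the upstream side only. Two smaller points in the same schema: `telemetryRef` repeats the `contentSecurityRef` sentence "designed to work with most upstream web application services", which does not describe a telemetry default, and `upstream.protocol` says "At most one of http1, http2 and auto can be set" while no `x-kubernetes-validations` rule enforcing that mutual exclusion appears in these lines; if the admission webhook enforces it, a comment saying so would save the next reader the search.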

View File

@ -1,81 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.2.3
name: telemetries.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: Telemetry
listKind: TelemetryList
plural: telemetries
singular: telemetry
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: Telemetry contains the configuration for telemetry (logging, metrics & tracing).
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired telemetry behavior.
properties:
correlation:
description: Correlation defines the correlation aspects of Telemetry.
properties:
request:
description: Request defines the request related correlation settings of Telemetry.
properties:
allowDownstreamRequestID:
default: true
description: AllowDownstreamRequestID defines whether trace sampling will consider a provided x-request-id.
type: boolean
alterRequestID:
default: true
description: AlterRequestID defines whether to alter the UUID to reflect the trace sampling decision. If disabled no modification to the UUID will be performed, this may break tracing in the upstream.
type: boolean
type: object
type: object
logging:
description: Logging defines the logging aspects of Telemetry.
properties:
accessLog:
description: AccessLog defines the access log settings of Telemetry.
properties:
format:
description: Format defines the Access Log format of the sidecar.
properties:
json:
description: JSON defines the Access Log format as JSON.
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: object
type: object
type: object
served: true
storage: true
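Review bot: deleting `telemetries.microgateway.airlock.com` from the chart's `crds/` directory does not remove the CRD from clusters where the 4.2.3 chart was installed, because Helm neither upgrades nor deletes CRDs from that directory (the removed NOTES text in this same commit says as much); the commit description should state that the Telemetry CRD is now shipped by the separate Airlock Microgateway chart, so that operators do not read the removal as the resource being retired.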

View File

@ -0,0 +1,4 @@
# values for deploying on GKE
config:
cniBinDir: "/home/kubernetes/bin"
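Review bot: only `cniBinDir` is overridden for GKE, yet `questions.yaml` in this commit marks `config.cniNetDir` as required and host-dependent as well; add a comment stating that GKE uses the chart default for `cniNetDir`, or pin it explicitly, so this values file is self-explanatory to someone adapting it for a different node image.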

View File

@ -0,0 +1,15 @@
# values for deploying on OpenShift
rbac:
createSCCRole: true
privileged: true
multusNetworkAttachmentDefinition:
create: true
namespace: default
config:
installMode: "standalone"
cniNetDir: "/etc/cni/multus/net.d"
cniBinDir: "/var/lib/cni/bin"
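Review bot: `privileged: true` here switches on both `privileged` and `allowPrivilegeEscalation` in the DaemonSet container, since that template derives both fields from `.Values.privileged`; this file needs a comment explaining why the OpenShift installer must run privileged while the other platforms run as root with all capabilities dropped, otherwise operators copying these values cannot judge the trade-off. Also, `multusNetworkAttachmentDefinition.namespace: default` places the NetworkAttachmentDefinition in the `default` namespace rather than the release namespace; if that is intentional (so workloads in any namespace can reference it as `default/<name>`), say so next to the setting.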

View File

@ -0,0 +1,18 @@
questions:
- variable: config.cniNetDir
required: true
type: string
label: CNI Network Configuration Directory
group: "CNI Settings"
description: "Directory where the CNI config files reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your kubernetes host."
- variable: config.cniBinDir
required: true
type: string
label: CNI Plugin Binaries Directory
group: "CNI Settings"
description: "Directory where the CNI plugin binaries reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your kubernetes host."
- variable: config.installMode
required: true
label: CNI Plugin Installation Mode
group: "CNI Settings"
description: "Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers) as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. Please refer to the CNI installation documentation (https://github.com/airlock/microgateway?tab=readme-ov-file#deploy-airlock-microgateway-cni) to correctly setup the CNI Plugin for your environment."
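Review bot: the `config.installMode` question has no `type` and therefore accepts free text, although its description lists exactly three valid values; declare it as `type: enum` with `options` of `chained`, `standalone` and `manual` and a `default` of `chained`, so the Rancher UI cannot submit a mode the installer does not understand. The description text also reads "as a `chained` plugin (default, ...) as a `standalone` plugin", which is missing an "or" between the first two alternatives.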

View File

@ -1,22 +1,3 @@
Thank you for installing Airlock Microgateway.
If you have not already done so, make sure that Airlock Microgateway CNI is also installed on the cluster.
Thank you for installing Airlock Microgateway CNI.
For further information, please visit our documentation at https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" .}}.
Detailed CRD API reference documentation is also available at https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" .}}/api/crds.
{{ if .Values.crds.skipVersionCheck }}
- CRD version check skipped
{{- else }}
{{- $outdatedCRDs := (include "airlock-microgateway.outdatedCRDs" .) -}}
{{- if $outdatedCRDs -}}
{{- fail (printf `
Helm does not automatically upgrade CRDs from the chart's 'crds/' directory during 'helm install/upgrade'.
Therefore, the CRDs must be manually upgraded with the following command before deploying this chart:
kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=%s --server-side --force-conflicts
If you are not using the helm install/upgrade command and instead rely on some other mechanism which is able to upgrade CRDs for deploying this chart, you can suppress this error by setting the helm value 'crds.skipVersionCheck=true'.`
.Chart.AppVersion)
-}}
{{- end -}}
{{- end -}}
For further information, please visit our documentation at https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" .}}.
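Review bot: the removed notes carried the reminder "If you have not already done so, make sure that Airlock Microgateway CNI is also installed on the cluster", and the new CNI notes drop it without adding the reverse reminder; a line stating that the Airlock Microgateway chart (operator and sidecar) is still required for the CNI plugin to be of any use would keep the two charts' post-install notes symmetric. Dropping the CRD version check block is consistent with this chart no longer carrying a `crds/` directory, which is also why the `outdatedCRDs` helper is removed below.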

View File

@ -1,16 +1,14 @@
{{/*
Expand the name of the chart.
We truncate at 49 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec)
and the longest explicit suffix is 14 characters.
*/}}
{{- define "airlock-microgateway.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 49 | trimSuffix "-" }}
{{- define "airlock-microgateway-cni.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Convert an image configuration object into an image ref string.
*/}}
{{- define "airlock-microgateway.image" -}}
{{- define "airlock-microgateway-cni.image" -}}
{{- if .digest -}}
{{- printf "%s@%s" .repository .digest -}}
{{- else if .tag -}}
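Review bot: the comment that explained the previous 49-character limit for `name` is removed together with the limit, but `fullname` further down still truncates at 50 characters with an explained 13-character suffix; either add a one-line comment that `name` is never suffixed (hence 63 is safe under the DNS label limit), or the mismatch between the two limits will look like an oversight to the next reader.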
@ -22,19 +20,19 @@ Convert an image configuration object into an image ref string.
{{/*
Create a default fully qualified app name.
We truncate at 36 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec)
and the longest implicit suffix is 27 characters.
We truncate at 50 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec)
and the longest suffix is 13 characters.
If release name contains chart name it will be used as a full name.
*/}}
{{- define "airlock-microgateway.fullname" -}}
{{- define "airlock-microgateway-cni.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 36 | trimSuffix "-" }}
{{- .Values.fullnameOverride | trunc 50 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 36 | trimSuffix "-" }}
{{- .Release.Name | trunc 50 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 36 | trimSuffix "-" }}
{{- printf "%s-%s" .Release.Name $name | trunc 50 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
@ -42,88 +40,59 @@ If release name contains chart name it will be used as a full name.
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "airlock-microgateway.chart" -}}
{{- define "airlock-microgateway-cni.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "airlock-microgateway.sharedLabels" -}}
helm.sh/chart: {{ include "airlock-microgateway.chart" . }}
{{- define "airlock-microgateway-cni.labels" -}}
helm.sh/chart: {{ include "airlock-microgateway-cni.chart" . }}
{{ include "airlock-microgateway-cni.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/part-of: {{ .Chart.Name }}
{{- with .Values.commonLabels }}
{{ toYaml .}}
{{- end }}
{{- end }}
{{/*
Common Selector labels
Common labels without component
*/}}
{{- define "airlock-microgateway.sharedSelectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- define "airlock-microgateway-cni.labelsWithoutComponent" -}}
{{- $labels := fromYaml (include "airlock-microgateway-cni.labels" .) -}}
{{ unset $labels "app.kubernetes.io/component" | toYaml }}
{{- end }}
{{/*
Restricted Container Security Context
Selector labels
*/}}
{{- define "airlock-microgateway.restrictedSecurityContext" -}}
allowPrivilegeEscalation: false
privileged: false
runAsNonRoot: true
capabilities:
drop: ["ALL"]
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
{{- define "airlock-microgateway-cni.selectorLabels" -}}
app.kubernetes.io/component: cni-plugin-installer
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/name: {{ include "airlock-microgateway-cni.name" . }}
{{- end }}
{{/* Precondition: May only be used if AppVersion is isSemver */}}
{{- define "airlock-microgateway.supportedCRDVersionPattern" -}}
{{- $version := (semver .Chart.AppVersion) -}}
{{- if $version.Prerelease -}}
>= {{ $version.Major }}.{{ $version.Minor }}.{{ $version.Patch }}-{{ $version.Prerelease }}
{{- else -}}
>= {{ $version.Major }}.{{ $version.Minor }}.0 || >= {{ $version.Major }}.{{ $version.Minor }}.{{ add1 $version.Patch }}-0
{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use for the CNI Plugin
*/}}
{{- define "airlock-microgateway-cni.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "airlock-microgateway-cni.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{- define "airlock-microgateway.outdatedCRDs" -}}
{{- if (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) -}}
{{- $supportedVersion := (include "airlock-microgateway.supportedCRDVersionPattern" .) -}}
{{- range $path, $_ := .Files.Glob "crds/*.yaml" -}}
{{- $api := ($.Files.Get $path | fromYaml).metadata.name -}}
{{- $crd := (lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" $api) -}}
{{- $isOutdated := false -}}
{{- if $crd -}}
{{/* If CRD is already present in the cluster, it must have the minimum supported version */}}
{{- $isOutdated = true -}}
{{- if hasKey $crd.metadata "labels" -}}
{{- $crdVersion := get $crd.metadata.labels "app.kubernetes.io/version" -}}
{{- if (eq "true" (include "airlock-microgateway.isSemver" $crdVersion)) -}}
{{- if (semverCompare $supportedVersion $crdVersion) }}
{{- $isOutdated = false -}}
{{- end }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if $isOutdated }}
{{ base $path }}
{{- end }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "airlock-microgateway.isSemver" -}}
{{- define "airlock-microgateway-cni.isSemver" -}}
{{- regexMatch `^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$` . -}}
{{- end -}}
{{- define "airlock-microgateway.docsVersion" -}}
{{- if and (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}}
{{- define "airlock-microgateway-cni.docsVersion" -}}
{{- if and (eq "true" (include "airlock-microgateway-cni.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}}
{{- $version := (semver .Chart.AppVersion) -}}
{{- $version.Major }}.{{ $version.Minor -}}
{{- else -}}
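Review bot: `airlock-microgateway-cni.serviceAccountName` falls back to the literal `default` when `serviceAccount.create` is false and no name is given, and the ClusterRoleBinding in this commit always binds to whatever this helper returns; that combination grants cluster-wide pod `patch` to the namespace's default ServiceAccount, which every pod in the namespace without an explicit `serviceAccountName` runs as. Prefer failing the render (`required "serviceAccount.name must be set when serviceAccount.create is false" .Values.serviceAccount.name`) over silently widening the grant.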

View File

@ -0,0 +1,22 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- patch
{{- end -}}
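Review bot: `patch` on `pods` across all namespaces is the broadest verb in this rule, and nothing in the chart documents what the installer patches; add a comment naming the fields (for example, if it only writes annotations, say so), because a reviewer of the rendered RBAC cannot otherwise tell whether `get`, `list`, `watch` plus `patch` is the minimum the plugin needs or a convenient superset.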

View File

@ -0,0 +1,20 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "airlock-microgateway-cni.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end -}}
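Review bot: this is a ClusterRoleBinding gated only on `rbac.create`, so the installer's ServiceAccount receives the pod permissions in every namespace, including those listed in `config.excludeNamespaces` in the plugin configuration; if the plugin only ever touches pods in the namespaces it serves, document why a cluster-wide binding is required rather than per-namespace RoleBindings, and if the binding is needed regardless, note that excluding a namespace from the CNI plugin does not exclude it from this grant.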

View File

@ -0,0 +1,22 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
data:
plugin-conf.json: |-
{
"type": "{{ include "airlock-microgateway-cni.fullname" . }}",
"debug": {{ eq .Values.config.logLevel "debug" }},
"logFilePath": "/var/log/{{ include "airlock-microgateway-cni.fullname" . }}.log",
"kubernetes": {
"kubeconfig": "{{ .Values.config.cniNetDir }}/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig",
"excludeNamespaces": {{ toJson .Values.config.excludeNamespaces }}
}
}
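Review bot: `"excludeNamespaces": {{ toJson .Values.config.excludeNamespaces }}` renders `null` when the value is unset, which is valid JSON but only works if the plugin treats `null` as an empty list; `toJson (default (list) .Values.config.excludeNamespaces)` makes the rendered file unambiguous. The `"type"` field is also tied to the release fullname, so renaming a release changes the CNI plugin type written into the host's network configuration; a comment noting that the plugin binary name must match this value would help anyone debugging a mismatch on the node.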

View File

@ -0,0 +1,136 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "airlock-microgateway-cni.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
kubectl.kubernetes.io/default-container: cni-installer
{{- with mustMerge .Values.podAnnotations .Values.commonAnnotations}}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- args:
- --log-level
- "{{ .Values.config.logLevel }}"
env:
- name: CNI_NETWORK_CONFIG
valueFrom:
configMapKeyRef:
key: plugin-conf.json
name: {{ include "airlock-microgateway-cni.fullname" . }}
- name: CNI_BIN_DIR
value: /host/opt/cni/bin
- name: CNI_NET_DIR
value: /host/etc/cni/net.d
- name: KUBECONFIG_FILE_NAME
value: "{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig"
- name: INSTALL_MODE
value: {{ .Values.config.installMode }}
- name: KUBERNETES_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
image: {{ include "airlock-microgateway-cni.image" .Values.image }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
name: cni-installer
{{- with .Values.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
startupProbe:
exec:
command:
- /cni-installer
- probe
failureThreshold: 5
initialDelaySeconds: 3
periodSeconds: 3
timeoutSeconds: 3
readinessProbe:
exec:
command:
- /cni-installer
- probe
failureThreshold: 1
periodSeconds: 60
timeoutSeconds: 3
securityContext:
allowPrivilegeEscalation: {{ .Values.privileged }}
capabilities:
drop:
- ALL
privileged: {{ .Values.privileged }}
readOnlyRootFilesystem: true
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /host/opt/cni/bin
name: cni-bin-dir
- mountPath: /host/etc/cni/net.d
name: cni-net-dir
- mountPath: /run/cni-installer
name: cni-installer-status
hostNetwork: true
priorityClassName: system-node-critical
restartPolicy: Always
securityContext:
fsGroup: 0
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
serviceAccountName: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
terminationGracePeriodSeconds: 5
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
tolerations:
- effect: NoSchedule
operator: Exists
- key: CriticalAddonsOnly
operator: Exists
- effect: NoExecute
operator: Exists
volumes:
- hostPath:
path: "{{ .Values.config.cniBinDir }}"
type: Directory
name: cni-bin-dir
- hostPath:
path: "{{ .Values.config.cniNetDir }}"
type: Directory
name: cni-net-dir
- emptyDir: {}
name: cni-installer-status
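Review bot: the container runs as uid 0 (`runAsUser: 0`, `runAsNonRoot: false`) with `hostNetwork: true` and the host's CNI directories mounted writable, and nothing in the template says why; a comment above `securityContext` stating that root is required to write into the root-owned host directories, that all capabilities are dropped and the root filesystem is read-only to compensate, and that `.Values.privileged` flips both `privileged` and `allowPrivilegeEscalation` would let reviewers of the rendered manifest accept it without guessing. Using `type: Directory` on both hostPath volumes is the right choice, since it refuses to create missing directories on the node; keep that.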

View File

@ -0,0 +1,13 @@
{{- if .Values.multusNetworkAttachmentDefinition.create -}}
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
namespace: {{ .Values.multusNetworkAttachmentDefinition.namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}
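Review bot: the NetworkAttachmentDefinition is rendered without a `spec`, which relies on Multus resolving the network by looking up a CNI configuration file of the same name in its configuration directory (the OpenShift values set `cniNetDir: "/etc/cni/multus/net.d"` for exactly this reason); state that dependency in a comment, and mention that the object must be created in a namespace every referencing workload can name, which is why the values default it to `default`.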

View File

@ -1,299 +0,0 @@
{{/* AUTOGENERATED FILE DO NOT EDIT */}}
{{/*
Operator mutating webhooks
*/}}
{{- define "airlock-microgateway-operator.mutatingWebhooks" -}}
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /mutate-v1-pod
failurePolicy: Fail
name: mutate-pod.microgateway.airlock.com
reinvocationPolicy: IfNeeded
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
resources:
- pods
sideEffects: None
objectSelector:
matchLabels:
sidecar.microgateway.airlock.com/inject: "true"
{{- end }}
{{/*
Operator validating webhooks
*/}}
{{- define "airlock-microgateway-operator.validatingWebhooks" -}}
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-accesscontrol
failurePolicy: Fail
name: validate-accesscontrol.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- accesscontrols
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-denyrules
failurePolicy: Fail
name: validate-denyrules.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- denyrules
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-envoycluster
failurePolicy: Fail
name: validate-envoycluster.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- envoyclusters
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-envoyhttpfilter
failurePolicy: Fail
name: validate-envoyhttpfilter.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- envoyhttpfilters
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-headerrewrites
failurePolicy: Fail
name: validate-headerrewrites.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- headerrewrites
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-identitypropagation
failurePolicy: Fail
name: validate-identitypropagation.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- identitypropagations
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-limits
failurePolicy: Fail
name: validate-limits.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- limits
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-oidcprovider
failurePolicy: Fail
name: validate-oidcprovider.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- oidcproviders
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-oidcrelyingparty
failurePolicy: Fail
name: validate-oidcrelyingparty.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- oidcrelyingparties
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-openapi
failurePolicy: Fail
name: validate-openapi.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- openapis
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-parser
failurePolicy: Fail
name: validate-parser.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- parsers
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-sidecargateway
failurePolicy: Fail
name: validate-sidecargateway.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- sidecargateways
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-v1-pod
failurePolicy: Fail
name: validate-pod.microgateway.airlock.com
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- pods
sideEffects: None
objectSelector:
matchLabels:
sidecar.microgateway.airlock.com/inject: "true"
{{- end }}

View File

@ -1,322 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-config
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
data:
engine_bootstrap_config_template.yaml: |
# Base configuration, admin interface on port 19000
admin:
address:
socket_address:
address: 127.0.0.1
port_value: 19000
dynamic_resources:
cds_config:
initial_fetch_timeout: 10s
resource_api_version: V3
api_config_source:
api_type: GRPC
transport_api_version: V3
grpc_services:
- envoy_grpc:
cluster_name: xds_cluster
set_node_on_first_message_only: true
# Prevent Envoy Node from overloading the xDS server due to rejected configuration when using xDS SotW gRPC
rate_limit_settings:
max_tokens: 5
fill_rate: 0.2
lds_config:
resource_api_version: V3
initial_fetch_timeout: 10s
api_config_source:
api_type: GRPC
transport_api_version: V3
grpc_services:
- envoy_grpc:
cluster_name: xds_cluster
set_node_on_first_message_only: true
# Prevent Envoy Node from overloading the xDS server due to rejected configuration when using xDS SotW gRPC
rate_limit_settings:
max_tokens: 5
fill_rate: 0.2
static_resources:
listeners:
- name: probe
address:
socket_address:
address: 0.0.0.0
port_value: 19001
filter_chains:
- filters:
- name: http_connection_manager
typed_config:
'@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: http
codec_type: AUTO
http2_protocol_options:
initial_connection_window_size: 1048576
initial_stream_window_size: 65536
max_concurrent_streams: 100
route_config:
name: probe
virtual_hosts:
- name: probe
domains:
- '*'
routes:
- name: ready
match:
path: /ready
headers:
- name: ':method'
string_match:
exact: 'GET'
route:
cluster: airlock_microgateway_engine_admin
http_filters:
- name: envoy.filters.http.router
typed_config:
'@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
- name: metrics
address:
socket_address:
address: 0.0.0.0
port_value: 19002
filter_chains:
- filters:
- name: http_connection_manager
typed_config:
'@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: http
codec_type: AUTO
http2_protocol_options:
initial_connection_window_size: 1048576
initial_stream_window_size: 65536
max_concurrent_streams: 100
route_config:
name: metrics
virtual_hosts:
- name: metrics
domains:
- '*'
routes:
- name: metrics
match:
path: /metrics
headers:
- name: ':method'
string_match:
exact: 'GET'
route:
prefix_rewrite: '/stats/prometheus'
cluster: airlock_microgateway_engine_admin
http_filters:
- name: envoy.filters.http.router
typed_config:
'@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
clusters:
- name: xds_cluster
connect_timeout: 1s
type: STRICT_DNS
load_assignment:
cluster_name: xds_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: airlock-microgateway-operator-xds.$(OPERATOR_NAMESPACE).svc.cluster.local
port_value: 13377
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
'@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
connection_keepalive:
interval: 360s
timeout: 5s
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
'@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
common_tls_context:
tls_params:
tls_minimum_protocol_version: TLSv1_3
tls_maximum_protocol_version: TLSv1_3
validation_context_sds_secret_config:
name: validation_context_sds
sds_config:
resource_api_version: V3
path_config_source:
path: /etc/envoy/validation_context_sds_secret.yaml
watched_directory:
path: /etc/envoy/
tls_certificate_sds_secret_configs:
- name: tls_certificate_sds
sds_config:
resource_api_version: V3
path_config_source:
path: /etc/envoy/tls_certificate_sds_secret.yaml
watched_directory:
path: /etc/envoy/
- name: airlock_microgateway_engine_admin
connect_timeout: 1s
type: STATIC
load_assignment:
cluster_name: airlock_microgateway_engine_admin
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: 127.0.0.1
port_value: 19000
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
'@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
connection_keepalive:
interval: 360s
timeout: 5s
stats_config:
stats_tags:
- tag_name: "category"
regex: "\\.(category\\.([^.]+))"
- tag_name: "rule_name"
regex: "\\.(rule\\.([^.]+))"
- tag_name: "limit_name"
regex: "\\.(limit\\.([^.]+))"
- tag_name: "threat_handling_mode"
regex: "\\.(threat_handling_mode\\.([^.]+))"
- tag_name: "envoy_cluster_name"
regex: "\\.(cluster\\.([^.]+))"
- tag_name: "version"
regex: "\\.(version\\.([^.]+))"
use_all_default_tags: true
bootstrap_extensions:
- name: airlock.bootstrap.engine_build_info
typed_config:
'@type': type.googleapis.com/airlock.extensions.bootstrap.stats.v1alpha.Stats
application_log_config:
log_format:
text_format: '{"@timestamp":"%Y-%m-%dT%T.%e%z","log":{"logger":"%n","level":"%l","origin":{"file":{"name":"%g","line":%#},"function":"%!"}},"event":{"module":"envoy","dataset":"envoy.application"},"process":{"pid":%P,"thread":{"id":%t}},"ecs":{"version":"8.5"},"message":"%j"}'
engine_container_template.yaml: |
name: "$(ENGINE_NAME)"
image: "$(ENGINE_IMAGE)"
imagePullPolicy: {{ .Values.engine.image.pullPolicy }}
args:
- "--config-path"
- "/etc/envoy/bootstrap_config.yaml"
- "--base-id"
- "$(BASE_ID)"
- "--file-flush-interval-msec"
- '1000'
- "--drain-time-s"
- '60'
- "--service-node"
- "$(POD_NAME).$(POD_NAMESPACE)"
- "--service-cluster"
- "$(APP_NAME).$(POD_NAMESPACE)"
- "--log-path"
- "/dev/stdout"
- "--log-level"
- "$(LOG_LEVEL)"
volumeMounts:
- name: airlock-microgateway-bootstrap-secret-volume
mountPath: /etc/envoy
readOnly: true
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: POD_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
ports:
- containerPort: 13378
protocol: TCP
- containerPort: 19001
protocol: TCP
- containerPort: 19002
protocol: TCP
livenessProbe:
httpGet:
path: /ready
port: 19001
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 5
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
httpGet:
path: /ready
port: 19001
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 3
successThreshold: 1
timeoutSeconds: 1
securityContext:
{{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }}
runAsUser: $(SECURITYCONTEXT_UID)
{{- with .Values.engine.resources }}
resources:
{{- toYaml . | nindent 6 }}
{{- end }}
network_validator_container_template.yaml: |
name: "$(NETWORK_VALIDATOR_NAME)"
image: "$(NETWORK_VALIDATOR_IMAGE)"
imagePullPolicy: {{ .Values.networkValidator.image.pullPolicy }}
command: ["/bin/sh", "-c"]
args:
- |-
echo 'pong' | nc -v -l 127.0.0.1 -p 13378 &
for i in 1 2 3; do
sleep 1s
if r=$(echo 'ping' | nc 127.0.0.1 19003) && [ $r == pong ]; then
echo -n 'Traffic redirection to Airlock Microgateway Engine is working.' > /dev/termination-log
exit 0
fi
done
echo -en 'Traffic redirection to Airlock Microgateway Engine is not working.\nRestart the pod after ensuring that hostNetwork is disabled and a compatible Airlock Microgateway CNI version is installed on the node.\nCertain environments may also require additional configuration (see docs.airlock.com for more information).' > /dev/termination-log
exit 1
securityContext:
{{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }}
runAsUser: $(SECURITYCONTEXT_UID)
operator_config.yaml: |
apiVersion: config.airlock.com/v1alpha1
kind: OperatorConfig
health:
healthProbeBindAddress: :8081
metrics:
bindAddress: 0.0.0.0:8080
webhook:
port: 9443
deployment:
sidecar:
engineContainerTemplate: "/sidecar/engine_container_template.yaml"
networkValidatorContainerTemplate: "/sidecar/network_validator_container_template.yaml"
engine:
bootstrapConfigTemplate: "/engine_bootstrap_config_template.yaml"
log:
level: {{ .Values.operator.config.logLevel }}
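Review bot: in `network_validator_container_template.yaml` the check `if r=$(echo 'ping' | nc 127.0.0.1 19003) && [ $r == pong ]` uses `==`, which POSIX `test` does not define, and leaves `$r` unquoted, so an empty reply from `nc` turns the test into `[ == pong ]` and yields a test error rather than a clean false; `[ "$r" = pong ]` is both portable and safe under `/bin/sh`. The `echo -en '...' > /dev/termination-log` on the failure path is likewise not portable across `sh` implementations (`printf '%s\n' ...` is). Separately, `operator_config.yaml` binds the metrics listener on `0.0.0.0:8080` with no TLS or auth settings visible here; if that endpoint is unauthenticated, a NetworkPolicy restricting it to the scraper belongs in the chart. The xDS cluster pinning `tls_minimum_protocol_version`/`tls_maximum_protocol_version` to `TLSv1_3` and loading certificates through SDS from the read-only `/etc/envoy` mount looks right.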

View File

@ -1,138 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.operator.replicaCount }}
{{- with .Values.operator.updateStrategy }}
strategy:
{{- toYaml . | trim | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "airlock-microgateway.operator.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/operator/configmap.yaml") . | sha256sum }}
kubectl.kubernetes.io/default-container: manager
{{- with mustMerge .Values.operator.podAnnotations .Values.commonAnnotations}}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 8 }}
{{- with .Values.operator.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
containers:
- args:
- --config=operator_config.yaml
env:
- name: ENGINE_IMAGE
value: {{ include "airlock-microgateway.image" .Values.engine.image }}
- name: NETWORK_VALIDATOR_IMAGE
value: {{ include "airlock-microgateway.image" .Values.networkValidator.image }}
- name: OPERATOR_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: OPERATOR_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: {{ include "airlock-microgateway.image" .Values.operator.image }}
imagePullPolicy: {{ .Values.operator.image.pullPolicy }}
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
timeoutSeconds: 5
name: manager
ports:
- containerPort: 9443
name: webhook-server
protocol: TCP
- containerPort: 13377
name: xds-server
protocol: TCP
- containerPort: 8080
protocol: TCP
- containerPort: 8081
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
{{- with .Values.operator.resources }}
resources:
{{- toYaml . | nindent 10 }}
{{- end }}
securityContext:
{{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 10 }}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
- mountPath: /opt/airlock/license/
name: airlock-microgateway-license
readOnly: true
- mountPath: /operator_config.yaml
name: operator-config
subPath: operator_config.yaml
- mountPath: /sidecar/engine_container_template.yaml
name: operator-config
subPath: engine_container_template.yaml
- mountPath: /sidecar/network_validator_container_template.yaml
name: operator-config
subPath: network_validator_container_template.yaml
- mountPath: /engine_bootstrap_config_template.yaml
name: operator-config
subPath: engine_bootstrap_config_template.yaml
securityContext:
runAsNonRoot: true
serviceAccountName: {{ include "airlock-microgateway.operator.serviceAccountName" . }}
terminationGracePeriodSeconds: 10
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.operator.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.operator.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.operator.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: cert
secret:
defaultMode: 420
secretName: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-server-cert
- name: airlock-microgateway-license
secret:
defaultMode: 292
optional: true
secretName: {{ .Values.license.secretName }}
- configMap:
name: {{ include "airlock-microgateway.operator.fullname" . }}-config
name: operator-config

View File

@ -1,14 +0,0 @@
{{- if .Values.operator.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
{{ include "airlock-microgateway-operator.rbacRules" . -}}
{{- end -}}

View File

@ -1,20 +0,0 @@
{{- if .Values.operator.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: {{ include "airlock-microgateway.operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end -}}

View File

@ -1,14 +0,0 @@
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-{{ .Release.Namespace }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
annotations:
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "airlock-microgateway.operator.fullname" . }}-serving-cert
{{- with .Values.commonAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
webhooks:
{{ include "airlock-microgateway-operator.mutatingWebhooks" . -}}

View File

@ -1,26 +0,0 @@
{{- if .Values.engine.sidecar.podMonitor.create }}
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: {{ include "airlock-microgateway.fullname" . }}-engine
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.engine.sidecar.podMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
namespaceSelector:
any: true
selector:
matchLabels:
sidecar.microgateway.airlock.com/inject: "true"
podMetricsEndpoints:
- targetPort: 19002
path: /metrics
scheme: http
{{- end -}}

View File

@ -1,14 +0,0 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-{{ .Release.Namespace }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
annotations:
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "airlock-microgateway.operator.fullname" . }}-serving-cert
{{- with .Values.commonAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
webhooks:
{{ include "airlock-microgateway-operator.validatingWebhooks" . -}}

View File

@ -0,0 +1,22 @@
{{- if .Values.rbac.createSCCRole -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- security.openshift.io
resourceNames:
- privileged
resources:
- securitycontextconstraints
verbs:
- use
{{- end -}}
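Review bot: this Role grants `use` on the `privileged` SecurityContextConstraint to the CNI ServiceAccount; scoping it as a namespaced Role with `resourceNames: [privileged]` instead of a ClusterRole is the right least-privilege shape. Because `security.openshift.io` exists only on OpenShift, the `rbac.createSCCRole` value should be documented as OpenShift-only and default to false so that other distributions do not render a Role pointing at a non-existent API group; the test Role in this change grants the same `use` behind the same flag, so keeping both on one switch is consistent.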

View File

@ -0,0 +1,20 @@
{{- if .Values.rbac.createSCCRole -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged
subjects:
- kind: ServiceAccount
name: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
{{- end -}}

View File

@ -0,0 +1,13 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with mustMerge .Values.serviceAccount.annotations .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}

View File

@ -2,106 +2,63 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: tests
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
{{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
name: "{{ include "airlock-microgateway.fullname" . }}-tests"
name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }}
app.kubernetes.io/component: tests
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: tests
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
{{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
name: "{{ include "airlock-microgateway.fullname" . }}-tests"
name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }}
app.kubernetes.io/component: tests
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: "{{ include "airlock-microgateway.fullname" . }}-tests"
name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
subjects:
- kind: ServiceAccount
name: "{{ include "airlock-microgateway.fullname" . }}-tests"
name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: tests
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
{{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
name: "{{ include "airlock-microgateway.fullname" . }}-tests"
name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }}
app.kubernetes.io/component: tests
rules:
- apiGroups:
- microgateway.airlock.com
- "apps"
resources:
- sidecargateways
- daemonsets
resourceNames:
- "{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway"
- {{ include "airlock-microgateway-cni.fullname" . }}
verbs:
- get
- list
- watch
- delete
- get
- watch
- list
- apiGroups:
- microgateway.airlock.com
- ""
resources:
- sidecargateways
- pods
- pods/log
verbs:
- create
- get
- list
{{- if .Values.rbac.createSCCRole }}
- apiGroups:
- ""
resources:
- events
verbs:
- list
- apiGroups:
- "apps"
resources:
- deployments
- security.openshift.io
resourceNames:
- "{{ include "airlock-microgateway.operator.fullname" . }}"
verbs:
- get
- list
- watch
- apiGroups:
- "apps"
- privileged
resources:
- statefulsets
- statefulsets/scale
resourceNames:
- "{{ include "airlock-microgateway.fullname" . }}-test-backend"
- securitycontextconstraints
verbs:
- get
- list
- watch
- patch
- apiGroups:
- ""
resources:
- pods
- pods/log
- pods/status
- pods/attach
resourceNames:
- "{{ include "airlock-microgateway.fullname" . }}-test-backend-0"
- "{{ include "airlock-microgateway.fullname" . }}-test-valid-request"
- "{{ include "airlock-microgateway.fullname" . }}-test-injection-request"
verbs:
- get
- list
- create
- watch
- delete
- apiGroups:
- ""
resources:
- pods
verbs:
- create
- use
{{- end -}}
{{- end -}}
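Review bot: the `pods` / `pods/log` rule (`get`, `list`) carries no `resourceNames`, unlike the `daemonsets` rule directly above it, so the tests ServiceAccount can read the logs of every pod in the release namespace. That is needed because `fail()` in the test pod fetches the DaemonSet's `cni-installer` logs and the pod names are not predictable, but a template comment saying so would stop a later tightening from breaking the hook. The `statefulsets`, `sidecargateways` and `events` grants from the sidecar tests are gone, which matches the new test scope.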

View File

@ -2,13 +2,11 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "airlock-microgateway.fullname" . }}-test-install"
name: "{{ include "airlock-microgateway-cni.fullname" . }}-test-install"
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }}
app.kubernetes.io/component: test-install
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
{{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
{{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }}
annotations:
helm.sh/hook: test
helm.sh/hook-delete-policy: before-hook-creation
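Review bot: `helm.sh/hook-delete-policy: before-hook-creation` keeps the completed test pod in the namespace until the next `helm test` run; since this pod now runs with `runAsUser: 0` and hostPath mounts of the node's CNI directories (see the spec hunk that follows), consider adding `hook-succeeded` so a passing run removes it and only a failed pod lingers for inspection.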
@ -18,183 +16,88 @@ spec:
- name: test
image: "bitnami/kubectl:{{ .Capabilities.KubeVersion.Major }}.{{ .Capabilities.KubeVersion.Minor }}"
securityContext:
{{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }}
allowPrivilegeEscalation: {{ .Values.privileged }}
capabilities:
drop:
- ALL
privileged: {{ .Values.privileged }}
readOnlyRootFilesystem: true
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /host/opt/cni/bin
name: cni-bin-dir
readOnly: true
- mountPath: /host/etc/cni/net.d
name: cni-net-dir
readOnly: true
command:
- sh
- -c
- |
set -eu
clean_up() {
echo ""
echo "### Clean up test resources"
kubectl delete --ignore-not-found=true -n {{ .Release.Namespace }} sidecargateways.microgateway.airlock.com {{ include "airlock-microgateway.fullname" . }}-test-sidecargateway || true
echo ""
echo "### Scale down '{{ include "airlock-microgateway.fullname" . }}-test-backend'"
kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=0 --timeout=30s
sleep 3s
echo ""
}
fail() {
echo "Error: ${1}"
echo ""
echo "### Error: ${1}"
echo ""
echo 'Microgateway Sidecargateway status:'
kubectl get -n {{ .Release.Namespace }} sidecargateway.microgateway.airlock.com/{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway -o jsonpath-as-json='{.status}' || true
echo ""
echo ""
echo "Pod '{{ include "airlock-microgateway.fullname" . }}-test-backend-0':"
kubectl describe -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 || true
echo ""
echo ""
echo 'Logs of Nginx container:'
kubectl logs -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -c nginx --tail 5 || true
echo ""
echo ""
# Wait for engine logs
sleep 10s
echo 'Logs of Microgateway Engine container:'
kubectl logs -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -c airlock-microgateway-engine --tail 5 || true
echo 'CNI installer logs:'
kubectl logs -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}} -c cni-installer
exit 1
}
create_sidecargateway() {
# create SidecarGateway resource for testing purposes
kubectl delete --ignore-not-found=true -n {{ .Release.Namespace }} sidecargateways.microgateway.airlock.com {{ include "airlock-microgateway.fullname" . }}-test-sidecargateway || true
kubectl apply -f - <<EOF
apiVersion: microgateway.airlock.com/v1alpha1
kind: SidecarGateway
metadata:
name: "{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway"
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/component: test-install
{{- include "airlock-microgateway.sharedLabels" . | nindent 12 }}
{{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 12 }}
spec:
podSelector:
matchLabels:
app: "{{ include "airlock-microgateway.fullname" . }}-test-backend"
{{- include "airlock-microgateway.sharedLabels" . | nindent 14 }}
{{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 14 }}
applications:
- containerPort: 8080
EOF
containsMGWCNIConf() {
cat "${1}" | grep -qe '"type":.*"{{ include "airlock-microgateway-cni.fullname" . }}"'
}
curl() {
kubectl delete pod --ignore-not-found=true -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request
kubectl -n {{ .Release.Namespace }} run {{ include "airlock-microgateway.fullname" . }}-test-valid-request --restart=Never --image=cgr.dev/chainguard/curl \
--override-type=strategic \
--overrides='
{
"apiVersion": "v1",
"spec": {
"containers": [
{
"name": "{{ include "airlock-microgateway.fullname" . }}-test-valid-request",
"securityContext": {{ include "airlock-microgateway.restrictedSecurityContext" . | fromYaml | toJson }}
}
]
}
}' \
-- "$@"
local i=0
while [ $i -lt 90 ] && ! kubectl logs -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request >/dev/null 2>&1; do sleep 1s; i=$((i+1)); done
kubectl logs -f -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request
kubectl delete pod --ignore-not-found=true -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request
}
trap clean_up EXIT
echo "### Waiting for Microgateway Deployments to be ready"
if ! kubectl rollout status -n {{ .Release.Namespace }} --timeout=90s \
deployments/{{ include "airlock-microgateway.operator.fullname" . }}; then
fail 'Timout occurred'
if ! kubectl rollout status --timeout=60s -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}}; then
fail 'CNI DaemonSet rollout did not complete within timeout'
fi
echo ""
echo "### Scale '{{ include "airlock-microgateway.fullname" . }}-test-backend' to '1' replica"
# scale to zero replicas to ensure no pods are present from previous runs
kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=0 --timeout=10s
kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=1 --timeout=10s
echo ""
echo "### Waiting for backend pod"
i=0
while true; do
if kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0; then
break
elif [ $i -gt 3 ]; then
fail 'Pod not ready'
fi
sleep 2s
i=$((i+1))
done
echo "### Checking Microgateway Engine sidecar container was injected"
if ! kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -o jsonpath='{.spec.containers[?(@.name=="airlock-microgateway-engine")]}' | grep -q "airlock-microgateway-engine"; then
fail 'Microgateway Engine sidecar container not injected'
echo "Checking whether CNI binary was installed"
if ! [ -f "/host/opt/cni/bin/{{ include "airlock-microgateway-cni.fullname" . }}" ]; then
fail 'CNI binary was not installed'
fi
echo "True"
echo ""
echo "### Checking for valid license"
i=0
while true; do
if [ "$(kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -o jsonpath='{.metadata.labels.sidecar\.microgateway\.airlock\.com/licensed}')" = 'true' ]; then
break
elif [ $i -gt 30 ]; then
fail 'Microgateway license is missing or invalid'
fi
sleep 2s
i=$((i+1))
done
echo "True"
echo ""
echo "### Create SidecarGateway resource for testing"
if ! create_sidecargateway ; then
fail 'Creation of SidecarGateway resource failed'
echo "Checking whether CNI kubeconfig was installed"
if ! [ -f "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig" ]; then
fail 'CNI kubeconfig was not created'
fi
echo ""
echo "### Waiting for '{{ include "airlock-microgateway.fullname" . }}-test-backend' to be ready"
if ! kubectl rollout status -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --timeout=90s; then
fail 'Timout occurred'
fi
echo ""
echo "Checking whether CNI configuration was written"
case {{ .Values.config.installMode }} in
"chained")
for file in "/host/etc/cni/net.d/"*.conflist; do
if containsMGWCNIConf "${file}"; then
echo "Success"
exit 0
fi
done
;;
"standalone")
if containsMGWCNIConf "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . }}.conflist"; then
echo "Success"
exit 0
fi
;;
"manual")
echo "- Skipping because we are in 'manual' install mode"
echo "Success"
exit 0
;;
esac
echo "### Waiting for 'engine-config-valid' condition"
if ! kubectl wait -n {{ .Release.Namespace }} pods --field-selector=metadata.name={{ include "airlock-microgateway.fullname" . }}-test-backend-0 --timeout=90s --for=condition=microgateway.airlock.com/engine-config-valid=True; then
fail 'Configuration was never accepted by the Microgateway Engine'
fi
sleep 5s
echo ""
echo ""
echo "### Checking whether a valid request is successful and returns HTTP status code '200'"
out=$(curl -vsS --retry 3 --retry-connrefused --connect-timeout 10 "http://{{ include "airlock-microgateway.fullname" . }}-test-service:8080/" || true)
echo "Response:"
echo "${out}"
if ! echo "${out}" | grep -q "200 OK"; then
fail 'A valid request was not successful'
fi
echo ""
echo ""
echo "### Checking whether a request with an injection attack is blocked and returns HTTP status code '400'"
out=$(curl -vsS --retry 3 --retry-connrefused --connect-timeout 10 "http://{{ include "airlock-microgateway.fullname" . }}-test-service:8080/?token='%20UnION%20all%20select%20A" || true)
echo "Response:"
echo "${out}"
if ! echo "${out}" | grep -q "400 Bad Request"; then
fail 'A malicious request was not blocked'
fi
echo ""
echo ""
echo "### Installation of '{{ include "airlock-microgateway.fullname" . }}' succeeded"
exit 0
serviceAccountName: "{{ include "airlock-microgateway.fullname" . }}-tests"
fail 'Configuration for plugin "{{ include "airlock-microgateway-cni.fullname" . }}" was not found'
serviceAccountName: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
volumes:
- hostPath:
path: "{{ .Values.config.cniBinDir }}"
type: Directory
name: cni-bin-dir
- hostPath:
path: "{{ .Values.config.cniNetDir }}"
type: Directory
name: cni-net-dir
{{- end -}}
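Review bot: in `fail()` the new `kubectl logs -n ... daemonsets/... -c cni-installer` call has no `|| true`, unlike the other diagnostic commands this replaces; under `set -eu` a failing logs call (for example when the DaemonSet pods are not yet scheduled) ends the script with kubectl's exit status before `exit 1` is reached, which still fails the hook but drops the intended message. The `echo "True"` after the CNI-binary check reads as a leftover from the removed sidecar-injection check, and `containsMGWCNIConf` can call `grep -qe '...' "${1}"` directly instead of piping `cat`. On the security side the hostPath volumes for `/host/opt/cni/bin` and `/host/etc/cni/net.d` are mounted `readOnly: true` and the container has `readOnlyRootFilesystem: true` with all capabilities dropped, which is the right shape for a root test pod; a short comment on why `runAsUser: 0` and `privileged: {{ .Values.privileged }}` are required to read those directories would help future reviewers.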

View File

@ -14,15 +14,6 @@
"commonAnnotations": {
"$ref": "#/definitions/StringMap"
},
"crds": {
"type": "object",
"properties": {
"skipVersionCheck": {
"type": "boolean"
}
},
"additionalProperties": false
},
"imagePullSecrets": {
"type": "array",
"items": {
@ -39,194 +30,120 @@
"additionalProperties": true
}
},
"operator": {
"image": {
"$ref": "#/definitions/Image"
},
"podAnnotations": {
"$ref": "#/definitions/StringMap"
},
"podLabels": {
"$ref": "#/definitions/StringMap"
},
"resources": {
"type": "object"
},
"nodeSelector": {
"$ref": "#/definitions/StringMap"
},
"affinity": {
"type": "object"
},
"rbac": {
"type": "object",
"properties": {
"replicaCount": {
"type": "integer",
"minimum": 0
"create": {
"type": "boolean"
},
"updateStrategy": {
"$ref": "#/definitions/UpdateStrategy"
},
"image": {
"$ref": "#/definitions/Image"
},
"podAnnotations": {
"$ref": "#/definitions/StringMap"
},
"podLabels": {
"$ref": "#/definitions/StringMap"
},
"serviceAnnotations": {
"$ref": "#/definitions/StringMap"
},
"serviceLabels": {
"$ref": "#/definitions/StringMap"
},
"resources": {
"type": "object"
},
"nodeSelector": {
"$ref": "#/definitions/StringMap"
},
"tolerations": {
"type": "array",
"items": {
"type": "object"
}
},
"affinity": {
"type": "object"
},
"config": {
"type": "object",
"properties": {
"logLevel": {
"type": "string",
"enum": [
"debug",
"info",
"warn",
"error"
]
}
},
"required": [
"logLevel"
],
"additionalProperties": false
},
"serviceAccount": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"annotations": {
"$ref": "#/definitions/StringMap"
},
"name": {
"type": "string"
}
},
"required": [
"annotations",
"create",
"name"
],
"additionalProperties": false
},
"rbac": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
}
},
"required": [
"create"
],
"additionalProperties": false
},
"serviceMonitor": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"labels": {
"$ref": "#/definitions/StringMap"
}
},
"required": [
"create"
],
"additionalProperties": false
"createSCCRole": {
"type": "boolean"
}
},
"required": [
"affinity",
"config",
"image",
"updateStrategy",
"nodeSelector",
"podAnnotations",
"podLabels",
"rbac",
"replicaCount",
"resources",
"serviceAccount",
"serviceAnnotations",
"serviceLabels",
"serviceMonitor",
"tolerations"
"create",
"createSCCRole"
],
"additionalProperties": false
},
"engine": {
"privileged": {
"type": "boolean"
},
"serviceAccount": {
"type": "object",
"properties": {
"image": {
"$ref": "#/definitions/Image"
"create": {
"type": "boolean"
},
"resources": {
"type": "object"
"annotations": {
"$ref": "#/definitions/StringMap"
},
"sidecar": {
"type": "object",
"properties":{
"podMonitor": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"labels": {
"$ref": "#/definitions/StringMap"
}
},
"required": [
"create"
],
"additionalProperties": false
}
},
"required": [
"podMonitor"
],
"additionalProperties": false
"name": {
"type": "string"
}
},
"required": [
"image",
"resources",
"sidecar"
"annotations",
"create",
"name"
],
"additionalProperties": false
},
"networkValidator": {
"multusNetworkAttachmentDefinition": {
"type": "object",
"properties": {
"image": {
"$ref": "#/definitions/Image"
"create": {
"type": "boolean"
},
"namespace": {
"type": "string"
}
},
"required": [
"image"
"create",
"namespace"
],
"additionalProperties": false
},
"license": {
"config": {
"type": "object",
"properties": {
"secretName": {
"installMode": {
"type": "string",
"enum": [
"chained",
"standalone",
"manual"
]
},
"logLevel": {
"type": "string",
"enum": [
"debug",
"info",
"warn",
"error"
]
},
"cniNetDir": {
"type": "string",
"minLength": 1
},
"cniBinDir": {
"type": "string",
"minLength": 1
},
"excludeNamespaces": {
"type": "array",
"items": {
"type": "string"
}
}
},
"required": [
"secretName"
"cniBinDir",
"cniNetDir",
"excludeNamespaces",
"installMode",
"logLevel"
],
"additionalProperties": false
},
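Review bot: `multusNetworkAttachmentDefinition.namespace` is declared as a bare `string`, while `config.cniNetDir` and `config.cniBinDir` in the same hunk get `minLength: 1`; with `create: true` an empty namespace passes schema validation and is handed to whatever template consumes it. Add `minLength: 1` here as well, and consider the same constraint on the items of `config.excludeNamespaces` so a stray empty string cannot slip in unnoticed.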
@ -247,16 +164,22 @@
}
},
"required": [
"affinity",
"commonAnnotations",
"commonLabels",
"crds",
"engine",
"config",
"fullnameOverride",
"image",
"imagePullSecrets",
"license",
"multusNetworkAttachmentDefinition",
"nameOverride",
"operator",
"networkValidator",
"nodeSelector",
"podAnnotations",
"podLabels",
"privileged",
"rbac",
"resources",
"serviceAccount",
"tests"
],
"additionalProperties": false,
@ -297,68 +220,6 @@
"tag"
],
"additionalProperties": false
},
"UpdateStrategy": {
"type": "object",
"oneOf" : [
{
"properties": {
"type": {
"$ref": "#/definitions/RecreateType"
}
},
"required": [
"type"
],
"additionalProperties": false
},
{
"properties": {
"type": {
"$ref": "#/definitions/RollingUpdateType"
},
"rollingUpdate": {
"$ref": "#/definitions/RollingUpdate"
}
},
"required": [
"type"
],
"additionalProperties": false
}
]
},
"RecreateType": {
"type": "string",
"enum": [
"Recreate"
]
},
"RollingUpdateType": {
"type": "string",
"enum": [
"RollingUpdate"
]
},
"RollingUpdate": {
"type": "object",
"properties": {
"maxSurge": {
"type": ["integer", "string"],
"minimum": 0,
"pattern": "^\\d+%?$"
},
"maxUnavailable": {
"type": ["integer", "string"],
"minimum": 0,
"pattern": "^\\d+%?$"
}
},
"anyOf": [
{"required": ["maxSurge"]},
{"required": ["maxUnavailable"]}
],
"additionalProperties": false
}
}
}

View File

@ -1,4 +1,4 @@
# -- Allows overriding the name to use instead of "microgateway".
# -- Allows overriding the name to use instead of "microgateway-cni".
nameOverride: ""
# -- Allows overriding the name to use as full name of resources.
fullnameOverride: ""
@ -10,127 +10,71 @@ commonAnnotations: {}
imagePullSecrets: []
# - name: myRegistryKeySecretName
crds:
# -- Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs.
# The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster
# when performing a "helm install/upgrade".
skipVersionCheck: false
operator:
# -- Number of replicas for the operator Deployment.
replicaCount: 2
# -- Specifies the operator update strategy.
updateStrategy:
type: RollingUpdate
# Specifies the Airlock Microgateway Operator image.
image:
# -- Image repository from which to pull the Airlock Microgateway Operator image.
repository: "quay.io/airlock/microgateway-operator"
# -- Image tag to pull.
tag: "4.2.3"
# -- SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63").
# Overrides tag when specified.
digest: "sha256:a429dfdb636e76bfbee7c59cfbe53d5f396c1f5603d5cb187f6283301ba4d7ba"
# -- Pull policy for this image.
pullPolicy: IfNotPresent
# -- Annotations to add to all Pods.
podAnnotations: {}
# -- Labels to add to all Pods.
podLabels: {}
# -- Annotations to add to the Service.
serviceAnnotations: {}
# prometheus.io/scrape: "true"
# prometheus.io/port: "8080"
# -- Labels to add to the Service.
serviceLabels: {}
# -- Resource restrictions to apply to the operator container.
resources: {}
# We recommend at least the following resource specification.
# limits:
# cpu: 1000m
# memory: 512Mi
# requests:
# cpu: 100m
# memory: 512Mi
# -- Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes.
nodeSelector: {}
# -- Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes.
tolerations: []
# -- Custom affinity to apply to the operator Deployment. Used to influence the scheduling.
affinity: {}
# Parameters for the operator configuration.
config:
# -- Operator application log level.
logLevel: "info"
# Configures the generation of the ServiceAccount.
serviceAccount:
# -- Whether a ServiceAccount should be created.
create: true
# -- Annotations to add to the ServiceAccount.
annotations: {}
# -- Name of the ServiceAccount to use.
# If not set and create is true, a name is generated using the fullname template.
name: ""
# Configures the generation of Role and RoleBinding as well ClusterRoles and ClusterRoleBinding pairs for the ServiceAccount specified above.
rbac:
# -- Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function.
create: true
# Configures the generation of a Prometheus Operator ServiceMonitor.
serviceMonitor:
# -- Whether to create a ServiceMonitor resource for monitoring.
create: false
# -- Labels to add to the ServiceMonitor.
labels: {}
# release: "<prometheus-operator-release>"
engine:
# Specifies the Airlock Microgateway Engine image.
image:
# -- Image repository from which to pull the Airlock Microgateway Engine image.
repository: "quay.io/airlock/microgateway-engine"
# -- Image tag to pull.
tag: "4.2.3"
# -- SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3").
# Overrides tag when specified.
digest: "sha256:9b0debeef611172aa5ca79c6b8cd045e56a3c883763ec62c0fa211bb86d35304"
# -- Pull policy for this image.
pullPolicy: IfNotPresent
# -- Resource restrictions to apply to the Airlock Microgateway Engine container.
resources: {}
# We recommend at least the following resource specification.
# limits:
# cpu: 500m
# memory: 128Mi
# requests:
# cpu: 10m
# memory: 40Mi
# Additional configuration when deployed as a sidecar.
sidecar:
# Configures the generation of a Prometheus Operator PodMonitor.
podMonitor:
# -- Whether to create a PodMonitor resource for monitoring.
create: false
# -- Labels to add to the PodMonitor.
labels: {}
# release: "<prometheus-operator-release>"
networkValidator:
# Specifies the Airlock Microgateway Network Validator image to be injected as an init-container.
image:
# -- Image repository from which to pull the busybox image for the Airlock Microgateway Network Validator init-container.
repository: "cgr.dev/chainguard/busybox"
# -- Image tag to pull.
tag: ""
# -- SHA256 image digest to pull (in the format "sha256:a212cef6665b2464a41307162fa96e9623aa45c3fa32c39d320eae8b730d81e0").
# Overrides tag when specified.
digest: "sha256:a212cef6665b2464a41307162fa96e9623aa45c3fa32c39d320eae8b730d81e0"
# -- Pull policy for this image.
pullPolicy: IfNotPresent
license:
# -- Name of the secret containing the "microgateway-license.txt" key.
secretName: "airlock-microgateway-license"
# Check whether the installation of the Airlock Microgateway Helm Chart was successful.
# Requires a secret with a valid Airlock Microgateway license key already to be present.
# Specifies the Airlock Microgateway CNI image.
image:
# -- Image repository from which to pull the Airlock Microgateway CNI image.
repository: "quay.io/airlock/microgateway-cni"
# -- Image tag to pull.
tag: "4.2.3"
# -- SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a").
# Overrides tag when specified.
digest: "sha256:82b5924866840f783cce2e9b4095b7710a0e1cbf555498e8723ca811ca916290"
# -- Pull policy for this image.
pullPolicy: IfNotPresent
# -- Annotations to add to all Pods.
podAnnotations: {}
# -- Labels to add to all Pods.
podLabels: {}
# -- Resource restrictions to apply to the CNI installer container.
resources:
requests:
cpu: 10m
memory: 100Mi
# -- NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes.
nodeSelector:
kubernetes.io/os: linux
# -- Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes.
affinity: {}
# Configures the generation of RBAC Roles and RoleBindings.
rbac:
# -- Whether to create RBAC resources which are required for the CNI plugin to function.
create: true
# -- (OpenShift) Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint.
createSCCRole: false
# -- Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift).
privileged: false
# Configures the generation of the ServiceAccount.
serviceAccount:
# -- Whether a ServiceAccount should be created.
create: true
# -- Annotations to add to the ServiceAccount.
annotations: {}
# -- Name of the ServiceAccount to use.
# If not set and create is true, a name is generated using the fullname template.
name: ""
# Configures the generation of a NetworkAttachmentDefinition for use with Multus CNI (OpenShift)
multusNetworkAttachmentDefinition:
# -- Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods.
create: false
# -- Namespace in which the NetworkAttachmentDefinition is deployed.
# Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces
# may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation
namespace: default
# Parameters for the CNI installer configuration.
config:
# -- Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers),
# as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift)
# or in `manual` mode, where no CNI network configuration is written.
installMode: "chained"
# -- Log level for the CNI installer and plugin.
logLevel: info
# -- Directory where the CNI config files reside on the host.
cniNetDir: "/etc/cni/net.d"
# -- Directory where the CNI plugin binaries reside on the host.
cniBinDir: "/opt/cni/bin"
# -- Namespaces for which this CNI plugin should not apply any modifications.
excludeNamespaces:
- kube-system
tests:
# -- Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts).
# If set to false, `helm test` will not run any tests.
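Review bot: the image pin in this values.yaml (`tag: "4.2.3"`, `digest: "sha256:82b5924866840f783cce2e9b4095b7710a0e1cbf555498e8723ca811ca916290"`) does not match the values table in the README that is part of this same commit, which lists `image.tag` `4.3.0` and `image.digest` `sha256:cb165e34a1ab1a903a9f38b741a7d78946470a118640310a41d2af8153d6e409`; if both files describe the same chart version, one of them is stale, and since `digest` overrides `tag`, the cluster would silently run whichever image the digest points at. Please regenerate the digest from the published image that matches `appVersion` and keep README and values.yaml in sync. Two smaller points: `multusNetworkAttachmentDefinition.namespace: default` plus the note about Multus namespace isolation means OpenShift users who protect workloads outside `default` need to change this, which is worth calling out in the installMode comment; and `excludeNamespaces` only lists `kube-system`, so if the DaemonSet is installed elsewhere (the README uses `openshift-operators`) the chart's own namespace is not excluded by default.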

View File

@ -21,8 +21,7 @@
.idea/
*.tmproj
.vscode/
# CRDs kustomization.yaml
/crds/kustomization.yaml
# Helm unit tests
/tests
/validation

View File

@ -9,15 +9,15 @@ annotations:
- name: Airlock Microgateway Forum
url: https://forum.airlock.com/
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Airlock Microgateway
catalog.cattle.io/display-name: Airlock Microgateway CNI
catalog.cattle.io/kube-version: '>=1.25.0-0'
catalog.cattle.io/release-name: microgateway
charts.openshift.io/name: Airlock Microgateway
catalog.cattle.io/release-name: microgateway-cni
charts.openshift.io/name: Airlock Microgateway CNI
apiVersion: v2
appVersion: 4.3.0
description: A Helm chart for deploying the Airlock Microgateway
description: A Helm chart for deploying the Airlock Microgateway CNI plugin
home: https://www.airlock.com/en/microgateway
icon: file://assets/icons/microgateway.svg
icon: file://assets/icons/microgateway-cni.svg
keywords:
- WAF
- Web Application Firewall
@ -30,14 +30,13 @@ keywords:
- Filtering
- DevSecOps
- shift left
- control plane
- Operator
- CNI
kubeVersion: '>=1.25.0-0'
maintainers:
- email: support@airlock.com
name: Airlock
url: https://www.airlock.com/
name: microgateway
name: microgateway-cni
sources:
- https://github.com/airlock/microgateway
type: application

View File

@ -1,4 +1,4 @@
# Airlock Microgateway
# Airlock Microgateway CNI
![Version: 4.3.0](https://img.shields.io/badge/Version-4.3.0-informational?style=flat-square) ![AppVersion: 4.3.0](https://img.shields.io/badge/AppVersion-4.3.0-informational?style=flat-square)
@ -40,58 +40,43 @@ Check the official documentation at **[docs.airlock.com](https://docs.airlock.co
The instructions below provide a quick start guide. Detailed information are provided in the **[manual](https://docs.airlock.com/microgateway/latest/)**.
## Prerequisites
* [Airlock Microgateway CNI](https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni)
* [Airlock Microgateway License](#obtain-airlock-microgateway-license)
* [cert-manager](https://cert-manager.io/)
* [helm](https://helm.sh/docs/intro/install/) (>= v3.8.0)
In order to use Airlock Microgateway you need a license and the cert-manager. You may either request a community license free of charge or purchase a premium license.
For an easy start in non-production environments, you may deploy the same cert-manager we are using internally for testing.
### Obtain Airlock Microgateway License
1. Either request a community or premium license
* Community license: [airlock.com/microgateway-community](https://airlock.com/en/microgateway-community)
* Premium license: [airlock.com/microgateway-premium](https://airlock.com/en/microgateway-premium)
2. Check your inbox and save the license file microgateway-license.txt locally.
> See [Community vs. Premium editions in detail](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html) to choose the right license type.
### Deploy cert-manager
```bash
helm repo add jetstack https://charts.jetstack.io
helm install cert-manager jetstack/cert-manager --version '1.15.1' -n cert-manager --create-namespace --set crds.enabled=true --wait
```
## Deploy Airlock Microgateway Operator
> This guide assumes a microgateway-license.txt file is present in the working directory.
1. Install CRDs and Operator.
## Deploy Airlock Microgateway CNI
1. Install the CNI Plugin with Helm.
> **Note**: Certain environments such as OpenShift or GKE require non-default configurations when installing the CNI plugin. For the most common setups, values files are provided in the [chart folder](/deploy/charts/airlock-microgateway-cni).
```bash
# Create namespace
kubectl create namespace airlock-microgateway-system
# Install License
kubectl -n airlock-microgateway-system create secret generic airlock-microgateway-license --from-file=microgateway-license.txt
# Install Operator (CRDs are included via the standard Helm 3 mechanism, i.e. Helm will handle initial installation but not upgrades)
helm install airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway --version '4.3.0' --wait
# Standard setup
helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.3.0'
kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
```
```bash
# GKE setup
helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.3.0' -f https://raw.githubusercontent.com/airlock/microgateway/4.3.0/deploy/charts/airlock-microgateway-cni/gke-values.yaml
kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
```
```bash
# OpenShift setup
helm install airlock-microgateway-cni -n openshift-operators oci://quay.io/airlockcharts/microgateway-cni --version '4.3.0' -f https://raw.githubusercontent.com/airlock/microgateway/4.3.0/deploy/charts/airlock-microgateway-cni/openshift-values.yaml
kubectl -n openshift-operators rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
```
**Important:** On OpenShift, all pods which should be protected by Airlock Microgateway must explicitly reference the Airlock Microgateway CNI NetworkAttachmentDefinition via the annotation `k8s.v1.cni.cncf.io/networks` (see [documentation](https://docs.airlock.com/microgateway/latest/#data/1658483168033.html) for details).
2. (Recommended) You can verify the correctness of the installation with `helm test`.
```bash
helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.3.0'
helm test airlock-microgateway -n airlock-microgateway-system --logs
helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.3.0'
# Standard and GKE setup
helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.0'
helm test airlock-microgateway-cni -n kube-system --logs
helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.0'
```
```bash
# OpenShift setup
helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.0'
helm test airlock-microgateway-cni -n openshift-operators --logs
helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.0'
```
### Upgrading CRDs
The `helm install/upgrade` command currently does not support upgrading CRDs that already exist in the cluster.
CRDs should instead be manually upgraded before upgrading the Operator itself via the following command:
```bash
kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=4.3.0 --server-side --force-conflicts
```
**Note**: Certain GitOps solutions such as e.g. Argo CD or Flux CD have their own mechanisms for automatically upgrading CRDs included with Helm charts.
Consult our [documentation](https://docs.airlock.com/microgateway/latest/#data/1699611533587.html) in case of any installation error.
## Support
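Review bot: the GKE and OpenShift install commands fetch `-f https://raw.githubusercontent.com/airlock/microgateway/4.3.0/deploy/charts/airlock-microgateway-cni/gke-values.yaml` (and `openshift-values.yaml`) by git tag, and a tag can be moved, so the values applied at install time are not pinned the way the chart (`--version '4.3.0'`) and the image digests are; reference a commit SHA or ship the platform values files inside the chart archive so they are covered by the chart version. Also, the note "values files are provided in the [chart folder](/deploy/charts/airlock-microgateway-cni)" uses a repository-relative link that will not resolve when this README is rendered on Artifact Hub or in the Rancher catalog; use the full GitHub URL there.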
@ -104,61 +89,33 @@ For the community edition, check our **[Airlock community forum](https://forum.a
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes. |
| commonAnnotations | object | `{}` | Annotations to add to all resources. |
| commonLabels | object | `{}` | Labels to add to all resources. |
| crds.skipVersionCheck | bool | `false` | Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs. The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster when performing a "helm install/upgrade". |
| dashboards.config.grafana.dashboardLabel.name | string | `"grafana_dashboard"` | Name of the label that lets Grafana identify ConfigMaps that represent dashboards. |
| dashboards.config.grafana.dashboardLabel.value | string | `"1"` | Value of the label that lets Grafana identify ConfigMaps that represent dashboards. |
| dashboards.config.grafana.folderAnnotation.name | string | `"grafana_folder"` | Name of the annotation containing the folder name to file dashboards into. |
| dashboards.config.grafana.folderAnnotation.value | string | `"Airlock Microgateway"` | Name of the folder dashboards are filed into within the Grafana UI. |
| dashboards.create | bool | `false` | Whether to create any ConfigMaps containing Grafana dashboards to import. |
| dashboards.instances.blockLogs.create | bool | `true` | Whether to create the block logs dashboard. |
| dashboards.instances.blockMetrics.create | bool | `true` | Whether to create the block metrics dashboard. |
| dashboards.instances.license.create | bool | `true` | Whether to create the license dashboard. |
| dashboards.instances.overview.create | bool | `true` | Whether to create the overview dashboard. |
| engine.image.digest | string | `"sha256:f442143294f3138965c9fa2734cafd39ebebe8e289600332b12f8a59c23dd9ef"` | SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). Overrides tag when specified. |
| engine.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. |
| engine.image.repository | string | `"quay.io/airlock/microgateway-engine"` | Image repository from which to pull the Airlock Microgateway Engine image. |
| engine.image.tag | string | `"4.3.0"` | Image tag to pull. |
| engine.resources | object | `{}` | Resource restrictions to apply to the Airlock Microgateway Engine container. |
| engine.sidecar.podMonitor.create | bool | `false` | Whether to create a PodMonitor resource for monitoring. |
| engine.sidecar.podMonitor.labels | object | `{}` | Labels to add to the PodMonitor. |
| config.cniBinDir | string | `"/opt/cni/bin"` | Directory where the CNI plugin binaries reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your Kubernetes node. |
| config.cniNetDir | string | `"/etc/cni/net.d"` | Directory where the CNI config files reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your Kubernetes node. |
| config.excludeNamespaces | list | `["kube-system"]` | Namespaces for which this CNI plugin should not apply any modifications. |
| config.installMode | string | `"chained"` | Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers), as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. |
| config.logLevel | string | `"info"` | Log level for the CNI installer and plugin. |
| fullnameOverride | string | `""` | Allows overriding the name to use as full name of resources. |
| image.digest | string | `"sha256:cb165e34a1ab1a903a9f38b741a7d78946470a118640310a41d2af8153d6e409"` | SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). Overrides tag when specified. |
| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. |
| image.repository | string | `"quay.io/airlock/microgateway-cni"` | Image repository from which to pull the Airlock Microgateway CNI image. |
| image.tag | string | `"4.3.0"` | Image tag to pull. |
| imagePullSecrets | list | `[]` | ImagePullSecrets to use when pulling images. |
| license.secretName | string | `"airlock-microgateway-license"` | Name of the secret containing the "microgateway-license.txt" key. |
| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway". |
| networkValidator.image.digest | string | `"sha256:7d87405b123c89058a0b64ca9393c45a1366a6a580aced1def900a812beb29f6"` | SHA256 image digest to pull (in the format "sha256:7d87405b123c89058a0b64ca9393c45a1366a6a580aced1def900a812beb29f6"). Overrides tag when specified. |
| networkValidator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. |
| networkValidator.image.repository | string | `"cgr.dev/chainguard/busybox"` | Image repository from which to pull the busybox image for the Airlock Microgateway Network Validator init-container. |
| networkValidator.image.tag | string | `""` | Image tag to pull. |
| operator.affinity | object | `{}` | Custom affinity to apply to the operator Deployment. Used to influence the scheduling. |
| operator.config.logLevel | string | `"info"` | Operator application log level. |
| operator.image.digest | string | `"sha256:dc6f0f9a11d0336c10f6b8a5c7f64d98ac91bd90c49aa1dc4fe7b68cfdea8217"` | SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63"). Overrides tag when specified. |
| operator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. |
| operator.image.repository | string | `"quay.io/airlock/microgateway-operator"` | Image repository from which to pull the Airlock Microgateway Operator image. |
| operator.image.tag | string | `"4.3.0"` | Image tag to pull. |
| operator.nodeSelector | object | `{}` | Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes. |
| operator.podAnnotations | object | `{}` | Annotations to add to all Pods. |
| operator.podLabels | object | `{}` | Labels to add to all Pods. |
| operator.rbac.create | bool | `true` | Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function. |
| operator.replicaCount | int | `2` | Number of replicas for the operator Deployment. |
| operator.resources | object | `{}` | Resource restrictions to apply to the operator container. |
| operator.serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. |
| operator.serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. |
| operator.serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. |
| operator.serviceAnnotations | object | `{}` | Annotations to add to the Service. |
| operator.serviceLabels | object | `{}` | Labels to add to the Service. |
| operator.serviceMonitor.create | bool | `false` | Whether to create a ServiceMonitor resource for monitoring. |
| operator.serviceMonitor.labels | object | `{}` | Labels to add to the ServiceMonitor. |
| operator.tolerations | list | `[]` | Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes. |
| operator.updateStrategy | object | `{"type":"RollingUpdate"}` | Specifies the operator update strategy. |
| operator.watchNamespaceSelector | object | `{}` | Allows to dynamically select watch namespaces of the operator and the scope of the webhooks based on a Namespace label selector. It is able to detect and reconcile resources in all namespaces that match the label selector automatically, even for new namespaces, without restarting the operator. This facilitates a dynamic `MultiNamespace` installation mode, but still requires cluster-scoped permissions (i.e., ClusterRoles and ClusterRoleBindings). An `AllNamespaces` installation or the usage of the `watchNamespaces` requires the `watchNamespaceSelector` to be empty. Please note that this feature requires a Premium license. |
| operator.watchNamespaces | list | `[]` | Allows to restrict the operator to specific namespaces, depending on your needs. For a `OwnNamespace` or `SingleNamespace` installation the list may only contain one namespace (e.g., `watchNamespaces: ["airlock-microgateway-system"]`). In case of the `OwnNamespace` installation mode the specified namespace should be equal to the installation namespace. For a static `MultiNamespace` installation, the complete list of namespaces must be provided in the `watchNamespaces`. An `AllNamespaces` installation or the usage of the `watchNamespaceSelector` requires the `watchNamespaces` to be empty. Regardless of the installation modes supported by `watchNamespaces`, RBAC is created only namespace-scoped (using Roles and RoleBindings) in the respective namespaces. Please note that this feature requires a Premium license. |
| sessionAgent.image.digest | string | `"sha256:579dfded99145f9c2c1491ff1aeccb08721d63239a8b7f61bb9f455e17e968b2"` | SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). Overrides tag when specified. |
| sessionAgent.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. |
| sessionAgent.image.repository | string | `"quay.io/airlock/microgateway-session-agent"` | Image repository from which to pull the Airlock Microgateway Session Agent image. |
| sessionAgent.image.tag | string | `"4.3.0"` | Image tag to pull. |
| sessionAgent.resources | object | `{}` | Resource restrictions to apply to the Airlock Microgateway Session Agent container. |
| multusNetworkAttachmentDefinition.create | bool | `false` | Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods. |
| multusNetworkAttachmentDefinition.namespace | string | `"default"` | Namespace in which the NetworkAttachmentDefinition is deployed. Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation |
| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway-cni". |
| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes. |
| podAnnotations | object | `{}` | Annotations to add to all Pods. |
| podLabels | object | `{}` | Labels to add to all Pods. |
| privileged | bool | `false` | Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift). |
| rbac.create | bool | `true` | Whether to create RBAC resources which are required for the CNI plugin to function. |
| rbac.createSCCRole | OpenShift | `false` | Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint. |
| resources | object | `{"requests":{"cpu":"10m","memory":"100Mi"}}` | Resource restrictions to apply to the CNI installer container. |
| serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. |
| serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. |
| serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. |
| tests.enabled | bool | `false` | Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). If set to false, `helm test` will not run any tests. |
## License
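Review bot: the row `rbac.createSCCRole | OpenShift | false |` has `OpenShift` in the Type column: helm-docs treats a leading parenthesised token in a `# --` comment as the value type, so `# -- (OpenShift) Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint.` in values.yaml is parsed as type `OpenShift` instead of `bool`. Rewrite the comment as `# -- Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint (OpenShift only).` and regenerate the README. The `crictl info -o go-template --template '{{.config.cni.binDir}}'` / `'{{.config.cni.confDir}}'` hints in the `config.cniBinDir` and `config.cniNetDir` rows are a good addition; note in the description that the command has to run on a node (or via a privileged debug pod), since those paths are host-side and a wrong `cniNetDir` means the chained plugin config is written where the runtime never reads it.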

View File

@ -1,28 +0,0 @@
# Airlock Microgateway
*Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.*
## Features
* Kubernetes native integration with its Operator, Custom Resource Definitions, hot-reload, automatic sidecar injection.
* Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction
* Using native Envoy HTTP filters like Lua scripting, RBAC, ext_authz, JWT authentication
* Content security filters for protecting against known attacks (OWASP Top 10)
* Access control to allow only authenticated users to access the protected services
* API security features like JSON parsing or OpenAPI specification enforcement
For a list of all features, view the **[comparison of the community and premium edition](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html)**.
## Requirements
* [Airlock Microgateway CNI Helm Chart](https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni) (Also available as Rancher Chart)
* [Airlock Microgateway License](https://github.com/airlock/microgateway?tab=readme-ov-file#obtain-airlock-microgateway-license) (After obtaining the license install it according to the [documentation](https://github.com/airlock/microgateway?tab=readme-ov-file#deploy-airlock-microgateway-operator))
* [cert-manager](https://cert-manager.io/docs/installation/)
## Documentation and links
Check the official documentation at **[docs.airlock.com](https://docs.airlock.com/microgateway/latest/)** or the product website at **[airlock.com/microgateway](https://www.airlock.com/en/microgateway)**. The links below point out the most interesting documentation sites when starting with Airlock Microgateway.
* [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html)
* [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html)
* [Installation](https://docs.airlock.com/microgateway/latest/#data/1660804708637.html)
* [Troubleshooting](https://docs.airlock.com/microgateway/latest/#data/1659430054787.html)
* [GitHub](https://github.com/airlock/microgateway)

View File

@ -1,124 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.3.0
name: accesscontrols.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: AccessControl
listKind: AccessControlList
plural: accesscontrols
singular: accesscontrol
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: AccessControl specifies the options to perform access control with a Microgateway Engine container.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specifies how the Airlock Microgateway Engine performs access control.
properties:
policies:
description: Policies configures access control policies.
items:
properties:
authorization:
description: Authorization configures how requests are authorized. An empty object value {} disables authorization.
properties:
authentication:
description: Authentication specifies that clients need to be authenticated with the provided method.
properties:
oidc:
description: OIDC configures client authentication using OpenID Connect.
properties:
oidcRelyingPartyRef:
description: OIDCRelyingPartyRef configures how the Airlock Microgateway Engine interacts with the OpenID provider.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- oidcRelyingPartyRef
type: object
type: object
type: object
identityPropagation:
description: IdentityPropagation configures how the authenticated user's identity is communicated to the protected application.
properties:
actions:
description: Actions specifies the propagation actions.
items:
properties:
identityPropagationRef:
description: IdentityPropagationRef selects an IdentityPropagation to apply.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- identityPropagationRef
type: object
type: array
onFailure:
description: |-
OnFailure configures what should happen, if an identity propagation fails. Meaning of the possible values:
_Pass_: The request should be forwarded to the upstream, without including the information from the failed identity propagations.
enum:
- Pass
type: string
required:
- actions
- onFailure
type: object
required:
- authorization
type: object
maxItems: 1
minItems: 1
type: array
required:
- policies
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}
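Review bot: `onFailure` under `identityPropagation` is in the `required` list yet its `enum` admits only `Pass`, so the field carries no choice while its description speaks of the "meaning of the possible values"; either add the other values the wording implies or state that `Pass` is the only current option and give it a `default` so it need not be required. Separately, `authorization` is required but nothing inside it is: `authorization: {}` is valid and, per its own description, disables authorization. That is the open-policy case for an access-control resource, so consider saying so at the `policies` level as well, or requiring an explicit opt-out field, so a reviewer of an AccessControl manifest does not need to know the empty-object convention to spot an unauthenticated policy.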


@ -1,58 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.3.0
name: envoyclusters.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: EnvoyCluster
listKind: EnvoyClusterList
plural: envoyclusters
singular: envoycluster
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: EnvoyCluster is an additional Envoy Cluster resource which is added to those defined by the Airlock Microgateway.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired additional Envoy cluster.
properties:
value:
description: Value defines the Envoy Cluster which is added to those configured by the Airlock Microgateway.
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
served: true
storage: true
subresources: {}
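Review bot: this removes `envoyclusters.microgateway.airlock.com` outright (`@ -1,58 +0,0 @@`), and `v1alpha1` is its only version and the one with `storage: true`; the commit summary only lists an added 4.4.1 chart, so please confirm the new chart version carries a CRD with the same `name` and `group` and a still-served `v1alpha1`, otherwise existing EnvoyCluster objects have no served schema after the upgrade. The `app.kubernetes.io/version: 4.3.0` label on the deleted file is the only hint here that this is a version swap rather than a feature removal; a line in the commit message would spare the next reader that inference.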


@ -1,185 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.3.0
name: envoyconfigurations.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: EnvoyConfiguration
listKind: EnvoyConfigurationList
plural: envoyconfigurations
singular: envoyconfiguration
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.status
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
EnvoyConfiguration is the Schema for the envoyconfigurations API
{{% notice warning %}} EnvoyConfiguration resources may contain sensitive information and thus RBAC permissions should be granted with care. {{% /notice %}}
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: EnvoyConfigurationSpec defines the desired state of EnvoyConfiguration
properties:
envoyResources:
properties:
clusters:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
endpoints:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
extensions:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
listeners:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
routes:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
runtimes:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
scopedRoutes:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
secrets:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
type: object
envoyResourcesRaw:
description: |-
EnvoyResourcesRaw defines the desired state for each resource type. The resources are stored as zstd compressed JSON bytes.
For debugging purposes, the resources can be inspected with the following command: `kubectl get envoyconfiguration <name> -ojsonpath='{.spec.envoyResourcesRaw}' | base64 -d | zstd -d | jq`
format: byte
type: string
nodeID:
description: '**Deprecated:** This field is now ignored as NodeID is always derived from the resource name.'
type: string
type: object
status:
description: EnvoyConfigurationStatus defines the observed state of EnvoyConfiguration
properties:
conditions:
items:
properties:
lastTransitionTime:
description: Last time the condition transitioned from one status to another.
format: date-time
type: string
message:
description: A human-readable message indicating details about the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of EnvoyConfiguration condition.
type: string
required:
- status
- type
type: object
type: array
status:
type: string
xds:
properties:
resourceTypes:
additionalProperties:
description: XdsResourceTypeSyncStatus defines the sync status of xDS for a specific resource type
properties:
errorMessage:
description: ErrorMessage defines an optional message why the currently served resources of this resource type are rejected by the client.
type: string
resources:
additionalProperties:
description: XdsResourceStatus defines the status of xDS for a specific resource
properties:
version:
description: Version defines the version which is currently served for this resource.
type: string
required:
- version
type: object
description: Resources defines the resources which are currently served for this resource type.
type: object
status:
description: Status defines the current sync status of this resource type.
type: string
version:
description: Version defines the version which is currently served for this resource type.
type: string
required:
- resources
- status
- version
type: object
description: ResourceTypes defines the sync statuses for each resource type.
type: object
version:
description: Version defines the version of the underlying xDS snapshot.
type: integer
required:
- version
type: object
required:
- status
- xds
type: object
type: object
served: true
storage: true
subresources:
status: {}
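Review bot: the `{{% notice warning %}} ... {{% /notice %}}` markers in the top-level `description` are documentation-site shortcodes, and in a CRD they surface verbatim in `kubectl explain envoyconfiguration`; the warning text is the valuable part and should stand as plain text. The warning is also well justified by the schema itself: `envoyResources.secrets` entries are free-form (`x-kubernetes-preserve-unknown-fields: true`), and `envoyResourcesRaw` holds the same material as a zstd-compressed blob that the description shows how to decode with `kubectl get ... -ojsonpath ... | base64 -d | zstd -d`, so `get`/`list` on this resource is equivalent to reading the gateway's Envoy secrets and RBAC should be scoped accordingly. Two smaller points: `status.conditions[].status` is documented as "one of True, False, Unknown" but has no `enum`, and `nodeID` remains an accepted-but-ignored deprecated field with no validation warning, so a manifest that still sets it silently does nothing.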


@ -1,58 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.3.0
name: envoyhttpfilters.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: EnvoyHTTPFilter
listKind: EnvoyHTTPFilterList
plural: envoyhttpfilters
singular: envoyhttpfilter
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: EnvoyHTTPFilter is an additional Envoy HTTP Filter resource which is added to those defined by the Airlock Microgateway.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired additional Envoy HTTP filter.
properties:
value:
description: Value defines the HTTP filter which is added to those configured by the Airlock Microgateway.
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
served: true
storage: true
subresources: {}
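Review bot: `spec.value` is an untyped object (`type: object` with `x-kubernetes-preserve-unknown-fields: true`), `spec` has no `required` list, and nothing in the description says which filter fields are accepted, so admission validates nothing about the HTTP filter that gets injected and `spec: {}` is accepted as a filter that adds nothing; the same applies to `spec.value` of the EnvoyCluster CRD deleted in this commit. An injected filter sits in the proxy's request path, so create/update rights on EnvoyHTTPFilter (and EnvoyCluster) amount to changing gateway behaviour, yet unlike the EnvoyConfiguration CRD these two carry no RBAC caution in their description. Suggest adding that sentence and at minimum `required: [value]` under `spec`.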


@ -1,88 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.3.0
name: graphqls.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: GraphQL
listKind: GraphQLList
plural: graphqls
singular: graphql
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: GraphQL contains the configuration for the GraphQL specification.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired GraphQL specification.
properties:
settings:
description: Settings defines the settings to configure GraphQL.
properties:
allowIntrospection:
default: true
description: AllowIntrospection specifies if the introspection system is exposed.
type: boolean
allowMutations:
default: true
description: AllowMutations specifies if mutations are allowed.
type: boolean
schema:
description: Specifies the GraphQL schema.
properties:
source:
description: Source specifies the GraphQL schema to be enforced.
properties:
configMapRef:
description: ConfigMapRef references the configmap by its name containing the well-known key 'schema.graphql'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: object
required:
- source
type: object
threatHandlingMode:
default: Block
description: ThreatHandlingMode specifies how threats should be handled.
enum:
- Block
- LogOnly
type: string
type: object
type: object
type: object
served: true
storage: true
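Review bot: `settings.schema.source` lists `configMapRef` as its only property but has no `required` list, so `schema: {source: {}}` passes validation while naming no schema to enforce; `source` should require `configMapRef` (or use a one-of if further source kinds are planned), matching how `schema` already requires `source`. Also note that the defaults on this resource are the permissive ones: `allowIntrospection: true` and `allowMutations: true` expose the introspection system and mutations unless explicitly turned off, while `threatHandlingMode` defaults to `Block`; when reviewing a GraphQL manifest, check that `allowIntrospection` is set explicitly rather than inherited, since enforcing a schema does not by itself hide it.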


@ -1,759 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.3.0
name: headerrewrites.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: HeaderRewrites
listKind: HeaderRewritesList
plural: headerrewrites
singular: headerrewrites
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: HeaderRewrites is the Schema for the headerrewrites API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired header rewriting behavior.
properties:
request:
description: Request defines manipulations on upstream request headers.
properties:
add:
description: Add defines which request headers will be added before forwarding to the upstream.
properties:
custom:
description: |-
Custom allows configuring additional upstream request headers.
Add selected headers.
items:
properties:
headers:
description: Headers to add.
items:
description: HeaderRewritesHeader specifies a header with a particular value
properties:
name:
description: Name defines the name of a header.
minLength: 1
type: string
value:
description: Value defines the value of a header.
type: string
required:
- name
- value
type: object
minItems: 1
type: array
mode:
default: AddIfAbsent
description: Mode defines the header addition strategy.
enum:
- AddIfAbsent
- OverwriteOrAdd
type: string
name:
description: Name describing the configured operation.
minLength: 1
type: string
required:
- headers
- name
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
allow:
description: |-
Allow defines which request headers will be forwarded to the upstream.
This can either be allHeaders or matchingHeaders.
Default: matchingHeaders: {...}
properties:
allHeaders:
description: AllHeaders specifies that all request headers should be forwarded.
type: object
matchingHeaders:
description: MatchingHeaders specifies which request headers should be forwarded.
properties:
builtIn:
description: BuiltIn allows configuring a set of predefined upstream request headers.
properties:
standardHeaders:
default: true
description: StandardHeaders defines whether the request headers which are forwarded to the upstream will be restricted to a set of common request headers.
type: boolean
type: object
custom:
description: Custom allows configuring additional upstream request headers.
items:
properties:
headers:
description: Headers to allow.
items:
description: |-
HeaderMatcher defines a matcher for an HTTP header.
At least one of name and value must be set.
properties:
name:
description: Name defines the name of a header.
properties:
matcher:
description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a header.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
minItems: 1
type: array
name:
description: Name describing the configured operation. Must be unique.
minLength: 1
type: string
required:
- headers
- name
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
type: object
remove:
description: Remove defines which request headers will be removed before forwarding to the upstream.
properties:
builtIn:
description: BuiltIn allows configuring a set of predefined upstream request headers.
properties:
alternativeForwardedHeaders:
default: true
description: |-
AlternativeForwardedHeaders removes downstream request headers which could potentially
be abused to alter the upstream's view of the remote connection.
type: boolean
type: object
custom:
description: Custom allows configuring additional upstream request headers.
items:
properties:
headers:
description: Headers to remove.
items:
description: |-
HeaderMatcher defines a matcher for an HTTP header.
At least one of name and value must be set.
properties:
name:
description: Name defines the name of a header.
properties:
matcher:
description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a header.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
minItems: 1
type: array
name:
description: Name describing the configured operation. Must be unique.
minLength: 1
type: string
required:
- headers
- name
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
type: object
response:
description: Response defines manipulations on upstream response headers.
properties:
add:
description: Add defines which response headers will be added before forwarding to the downstream.
properties:
builtIn:
description: BuiltIn allows configuring a set of predefined upstream response headers.
properties:
csp:
default: true
description: |-
CSP sets a content security policy which allows only same-origin requests except for images
if the 'Content-Security-Policy' header is not set by the upstream.
type: boolean
featurePolicy:
default: false
description: |-
FeaturePolicy sets a feature policy which prevents cross-origin use of several browser features
if the 'Feature-Policy' header is not set by the upstream.
**Deprecated:** Use permissionsPolicy instead.
type: boolean
hsts:
default: true
description: HSTS enforces the use of HTTPS if the 'Strict-Transport-Security' header is not already set by the upstream.
type: boolean
hstsPreload:
default: false
description: HSTSPreload enforces the use of HTTPS including for subdomains and enables HSTS preload.
type: boolean
permissionsPolicy:
default: true
description: |-
PermissionsPolicy sets a permissions policy which prevents cross-origin use of several browser features
if the 'Permissions-Policy' header is not set by the upstream.
type: boolean
referrerPolicy:
default: true
description: |-
ReferrerPolicy ensures that no 'Referer' header is sent for cross-origin requests
if the 'Referrer-Policy' header is not set by the upstream.
type: boolean
xContentTypeOptions:
default: true
description: XContentTypeOptions sets 'X-Content-Type-Options' to 'nosniff' if it is not set by the upstream.
type: boolean
xFrameOptions:
default: true
description: XFrameOptions sets 'X-Frame-Options' to SAMEORIGIN if it is not set by the upstream.
type: boolean
type: object
custom:
description: Custom allows configuring additional upstream response headers.
items:
properties:
headers:
description: Headers to add.
items:
description: HeaderRewritesHeader specifies a header with a particular value
properties:
name:
description: Name defines the name of a header.
minLength: 1
type: string
value:
description: Value defines the value of a header.
type: string
required:
- name
- value
type: object
minItems: 1
type: array
mode:
default: AddIfAbsent
description: Mode defines the header addition strategy.
enum:
- AddIfAbsent
- OverwriteOrAdd
type: string
name:
description: Name describing the configured operation.
minLength: 1
type: string
required:
- headers
- name
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
allow:
description: |-
Allow defines which response headers will be forwarded to the downstream.
This can either be allHeaders or matchingHeaders.
Default: allHeaders: {}
properties:
allHeaders:
description: AllHeaders specifies that all response headers should be forwarded.
type: object
matchingHeaders:
description: MatchingHeaders specifies which response headers should be forwarded.
properties:
builtIn:
description: BuiltIn allows configuring a set of predefined upstream response header.
properties:
standardHeaders:
default: false
description: StandardHeaders defines whether the response headers which are forwarded to the downstream will be restricted to a set of common response headers.
type: boolean
type: object
custom:
description: Custom allows configuring additional upstream response headers.
items:
properties:
headers:
description: Headers to allow.
items:
description: |-
HeaderMatcher defines a matcher for an HTTP header.
At least one of name and value must be set.
properties:
name:
description: Name defines the name of a header.
properties:
matcher:
description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a header.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
minItems: 1
type: array
name:
description: Name describing the configured operation. Must be unique.
minLength: 1
type: string
required:
- headers
- name
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
type: object
remove:
description: Remove defines which response headers will be removed before forwarding to the downstream.
properties:
builtIn:
description: BuiltIn allows configuring a set of predefined upstream response headers.
properties:
auth:
description: Auth defines the categories of headers concerning authentication.
properties:
basic:
default: false
description: Basic removes upstream response headers that advise clients to authenticate with Basic Authentication.
type: boolean
negotiate:
default: true
description: Negotiate removes upstream response headers that advise clients to authenticate with Negotiate.
type: boolean
ntlm:
default: true
description: |-
NTLM removes upstream response headers that advise clients to authenticate with NTLM.
By default, these headers are removed, because NTLM pass-through is not supported.
type: boolean
type: object
informationLeakage:
description: InformationLeakage defines the categories of headers concerning information leakage.
properties:
application:
default: true
description: Application removes upstream response headers that leak information about the deployed software.
type: boolean
server:
default: true
description: Server removes upstream response headers that leak information about the server.
type: boolean
type: object
permissiveCors:
default: true
description: PermissiveCORS removes upstream response headers for CORS (Cross-Origin Resource Sharing) which have no restrictions and therefore reduce client-side security.
type: boolean
type: object
custom:
description: Custom allows configuring additional upstream response headers.
items:
properties:
headers:
description: Headers to remove.
items:
description: |-
HeaderMatcher defines a matcher for an HTTP header.
At least one of name and value must be set.
properties:
name:
description: Name defines the name of a header.
properties:
matcher:
description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a header.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
minItems: 1
type: array
name:
description: Name describing the configured remove operation. Must be unique.
minLength: 1
type: string
required:
- headers
- name
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
type: object
settings:
description: Settings configures the HeaderRewrites filter.
properties:
operationalMode:
default: Production
description: OperationalMode defines the behavior of the filter. In integration mode more information is logged about the requests and responses.
enum:
- Production
- Integration
type: string
type: object
type: object
type: object
served: true
storage: true
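Review bot: The HeaderMatcher items under `custom[].headers` state "At least one of name and value must be set", and every matcher states "Only one of exact, prefix, suffix, regex or contains can be set", but nothing in the schema enforces either constraint: the item carries no `required`, `anyOf`, `maxProperties` or `x-kubernetes-validations`, so an empty `{}` entry, or a matcher with both `exact` and `regex`, passes API-server admission and is only rejected later, if at all. Since this hunk drops the whole manifest, check that whatever CRD replaces it encodes these as CEL rules (for example `has(self.name) || has(self.value)` under `x-kubernetes-validations`) or that the operator webhook is documented as the place they are enforced.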


@ -1,358 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.3.0
name: parsers.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: Parser
listKind: ParserList
plural: parsers
singular: parser
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: Parser contains the configuration for content parsers (default and custom).
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired parser behavior.
properties:
request:
description: Request defines the parsing for downstream requests.
properties:
custom:
description: Custom allows configuring additional rules for parser selection.
properties:
rules:
description: |-
Rules defines a custom set prepended before built-in rules of enabled request parsers.
Disable all built-in parsers to overrule them completely.
items:
properties:
action:
description: |-
Action specifies what should happen when a request condition matches.
Only one of parse or skip can be set.
properties:
parse:
description: Parse activates the configured parser.
properties:
form:
description: Form activates the Form parser.
type: object
json:
description: JSON activates the JSON parser.
type: object
multipart:
description: Multipart activates the multipart parser.
type: object
type: object
skip:
description: Skip disables any content parsing
type: object
type: object
requestConditions:
description: RequestConditions defines additional request properties which must be matched in order for this rule to apply.
properties:
header:
description: Header defines the matching headers of a request.
properties:
name:
description: Name defines the name of a header.
properties:
matcher:
description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a header.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
invert:
default: false
description: Invert indicates whether the request condition should be inverted.
type: boolean
mediaType:
description: MediaType defines the matching media type from the content-type header of a request.
properties:
matcher:
description: |-
NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
method:
description: Method defines the matching methods of a request.
items:
description: Method defines common HTTP methods.
enum:
- GET
- HEAD
- POST
- PUT
- PATCH
- DELETE
- CONNECT
- OPTIONS
- TRACE
type: string
type: array
path:
description: Path defines the matching path of a request.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
remoteIP:
description: RemoteIP defines the matching remote IPs of a request.
properties:
cidrRanges:
description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``.
items:
description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“.
format: cidr
type: string
minItems: 1
type: array
invert:
default: false
description: Invert indicates whether the match should be inverted.
type: boolean
required:
- cidrRanges
type: object
type: object
required:
- action
- requestConditions
type: object
type: array
type: object
defaultContentType:
default: application/x-www-form-urlencoded
description: DefaultContentType specifies the content-type header which should be injected into the request before parser selection if it is not already present and the request has a body.
minLength: 1
type: string
parsers:
description: Parsers defines the configuration for the available content parsers.
properties:
form:
description: Form defines the configuration for the form parser.
properties:
enable:
default: true
description: Enable defines whether form payloads are inspected.
type: boolean
mediaTypePattern:
default: .*urlencoded.*
description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as form arguments.
minLength: 1
type: string
type: object
json:
description: JSON defines the configuration for the JSON parser.
properties:
enable:
default: true
description: Enable defines whether json payloads are inspected.
type: boolean
mediaTypePattern:
default: .*json.*
description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as JSON.
minLength: 1
type: string
type: object
multipart:
description: Multipart defines the configuration for the multipart parser.
properties:
enable:
default: true
description: Enable defines whether multipart payloads are inspected.
type: boolean
mediaTypePattern:
default: .*multipart.*
description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as a multipart payload.
minLength: 1
type: string
type: object
type: object
type: object
type: object
type: object
served: true
storage: true
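Review bot: The `CIDRRange` item description uses curly quotes (“196.148.3.128/26“) while the `cidrRanges` description two lines above writes the same examples with double backticks; the item text should use the backtick form so generated docs render both the same way. Separately, `action` says "Only one of parse or skip can be set" and `parse` lists `form`, `json` and `multipart` as sibling objects, yet no `oneOf` or CEL rule prevents setting several at once. Because the removed schema declares `v1alpha1` as its only version with `served: true` and `storage: true`, any CRD replacing this file (the labels show it belongs to operator 4.3.0) must keep `v1alpha1` served, otherwise existing Parser objects become unreadable after the upgrade.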


@ -1,758 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.3.0
name: sidecargateways.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: SidecarGateway
listKind: SidecarGatewayList
plural: sidecargateways
singular: sidecargateway
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.status
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: SidecarGateway contains the configuration how to configure the Airlock Microgateway Engine when used as Sidecar Container within the Pod of an application.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired sidecar gateway behavior.
properties:
applications:
description: Applications defines applications which run on different ports.
items:
properties:
containerPort:
default: 8080
description: |-
ContainerPort refers to the container port.
This must be a valid port number, 0 < x < 65536.
format: int32
maximum: 65535
minimum: 1
type: integer
downstream:
description: Downstream defines the downstream configuration for this application
properties:
protocol:
description: |-
Protocol defines the exposed HTTP protocol version. At most one of http1, http2 and auto can be set.
Default: auto: {}
properties:
auto:
description: Auto specifies that the protocol should be inferred.
properties:
http2:
description: HTTP2 specifies the settings for when HTTP/2 is inferred.
properties:
allowConnect:
default: false
description: Allows proxying Websocket and other upgrades over H2 connect.
type: boolean
type: object
type: object
http1:
description: HTTP1 specifies that the client is assumed to speak HTTP/1.1.
type: object
http2:
description: HTTP2 specifies that the client is assumed to speak HTTP/2.
properties:
allowConnect:
default: false
description: Allows proxying Websocket and other upgrades over H2 connect.
type: boolean
type: object
type: object
remoteIP:
description: |-
RemoteIP defines how the remote IP of a client is propagated.
Default: xff: {...}
properties:
connectionIP:
description: ConnectionIP configures to use the source IP address of the direct downstream connection.
type: object
customHeader:
description: CustomHeader specifies to use a custom header for remote IP extraction.
properties:
headerName:
description: HeaderName specifies the name of the custom header containing the remote IP.
minLength: 1
type: string
required:
default: true
description: Required specifies if the custom header is required. If true and not available the request will be rejected with 403.
type: boolean
required:
- headerName
type: object
xff:
description: XFF configures to use the standard 'X-Forwarded-For' header for IP extraction.
properties:
numTrustedHops:
default: 1
description: NumTrustedHops specifies to extract the client's originating IP from the nth rightmost entry in the X-Forwarded-For header. With the default value of 1, the IP is extracted from the rightmost entry.
format: int32
minimum: 1
type: integer
type: object
type: object
requestNormalizations:
description: RequestNormalizations defines a set of normalization actions which are applied to the request before route matching.
properties:
mergeSlashes:
default: true
description: MergeSlashes ensures that adjacent slashes in the path are merged into one.
type: boolean
normalizePath:
default: true
description: NormalizePath ensures normalization according to RFC 3986 without case normalization.
type: boolean
type: object
restrictions:
description: Restrictions defines restrictions for downstream.
properties:
http:
description: HTTP defines limits for the HTTP protocol.
properties:
headersLength:
anyOf:
- type: integer
- type: string
default: 60Ki
description: HeadersLength defines maximum size of all request headers combined. Requests that exceed this limit will receive a 431 response.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
type: object
timeouts:
description: Timeouts defines timeouts for downstream
properties:
http:
description: HTTP defines the settings for HTTP timeouts.
properties:
idle:
default: 5m
description: |-
Idle defines the settings for the idle timeout when no data is sent or received.
A value of 0 will completely disable the timeout.
Default: 5m
type: string
maxDuration:
default: 5m
description: |-
MaxDuration defines the total duration for a HTTP request/response stream.
A value of 0 will completely disable the timeout.
Default: 5m
type: string
requestHeaders:
default: 10s
description: |-
RequestHeaders defines the duration before all request headers must be received.
A value of 0 will completely disable the timeout.
Default: 10s
type: string
type: object
type: object
tls:
description: TLS defines the TLS settings.
properties:
ciphers:
description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration.
items:
type: string
minItems: 1
type: array
clientCertificate:
description: |-
ClientCertificate defines the TLS settings for verification of client certificates.
At most one of ignored, optional and required can be set.
Default: ignored: {}
properties:
ignored:
description: Ignored disables verification of the client certificate.
type: object
optional:
description: |-
Optional enables verification of the client certificate if one is presented.
In this mode only trustedCA and crl settings can be configured since certificatePinning and allowedSANs require a client certificate.
properties:
crl:
description: CRL defines the Certificate Revocation List (CRL) settings.
properties:
lists:
description: Lists defines the list of secretRefs containing Certificate Revocation Lists.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
validationMode:
default: VerifyChain
description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked.
enum:
- VerifyLeafCertOnly
- VerifyChain
type: string
type: object
trustedCA:
description: TrustedCA defines which CA certificates are trusted.
properties:
certificates:
description: Certificates defines the list of secretRefs containing trusted CA certificates.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
verificationDepth:
default: 1
description: |-
VerificationDepth specifies the hops in the certificate chain at which validation is performed.
1 means that either the leaf or the signing CA must be in the set of trusted certificates.
format: int32
type: integer
required:
- certificates
type: object
required:
- trustedCA
type: object
required:
description: |-
Required contains settings for client certificate verification. A client must present a valid certificate.
At least one of trustedCA and certificatePinning must be set.
properties:
allowedSANs:
description: |-
AllowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics,
that is to say, the SAN is verified if at least one matcher is matched.
AllowedSANs requires trustedCA to be set.
items:
description: |-
TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
Subject Alternative Name of the presented certificate matches one of the specified matchers.
properties:
matcher:
description: Matcher defines the string matcher for the SAN value.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
sanType:
description: SanType defines the type of SAN matcher.
enum:
- DNS
- Email
- URI
- IPAddress
type: string
required:
- matcher
- sanType
type: object
minItems: 1
type: array
certificatePinning:
description: |-
CertificatePinning defines the constraints a client certificate must fulfill.
If more than one constraint is configured only one must be satisfied.
At least one of allowedSPKIs and allowedHashes must be set.
properties:
allowedHashes:
description: |-
AllowedHashes is a list of hex-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
items:
type: string
minItems: 1
type: array
allowedSPKIs:
description: |-
AllowedSPKIs is a list of base64-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.
items:
type: string
minItems: 1
type: array
type: object
crl:
description: CRL defines the Certificate Revocation List (CRL) settings.
properties:
lists:
description: Lists defines the list of secretRefs containing Certificate Revocation Lists.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
validationMode:
default: VerifyChain
description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked.
enum:
- VerifyLeafCertOnly
- VerifyChain
type: string
type: object
trustedCA:
description: TrustedCA defines which CA certificates are trusted.
properties:
certificates:
description: Certificates defines the list of secretRefs containing trusted CA certificates.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
verificationDepth:
default: 1
description: |-
VerificationDepth specifies the hops in the certificate chain at which validation is performed.
1 means that either the leaf or the signing CA must be in the set of trusted certificates.
format: int32
type: integer
required:
- certificates
type: object
type: object
type: object
enable:
default: false
description: Enable defines if the downstream connection is encrypted.
type: boolean
protocol:
description: Protocol defines the supported TLS protocol versions.
properties:
maximum:
description: Maximum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
minimum:
description: Minimum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
type: object
secretRef:
description: SecretRef defines the reference to the TLS server certificate (secret of type kubernetes.io/tls).
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
xfcc:
description: |-
XFCC defines the handling of X-Forwarded-Client-Cert header. Meaning of the possible values:
_Sanitize_: Do not send the XFCC header to the next hop. This is the default value.
_ForwardOnly_: When the client connection is mTLS (Mutual TLS), forward the XFCC header in the request.
_AppendAndForward_: When the client connection is mTLS, append the client certificate information to the requests XFCC header and forward it.
_SanitizeAndSet_: When the client connection is mTLS, reset the XFCC header with the client certificate information and send it to the next hop.
_AlwaysForwardOnly_: Always forward the XFCC header in the request, regardless of whether the client connection is mTLS.
Note: When forwarding the XFCC header in the request you might have to adjust the header length restrictions (See sidecargateway.spec.applications.downstream.restrictions.http)
enum:
- Sanitize
- ForwardOnly
- AppendAndForward
- SanitizeAndSet
- AlwaysForwardOnly
type: string
type: object
type: object
envoyHTTPFilterRefs:
description: EnvoyHTTPFilterRefs selects the relevant EnvoyHTTPFilters.
properties:
prepend:
description: Prepend selects the relevant EnvoyHTTPFilters which are added before those configured by the Airlock Microgateway.
items:
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: array
type: object
routes:
description: Routes defines the security configurations for different paths. The first matching route (from top to bottom) applies.
items:
description: |-
SidecarGatewayApplicationRoute defines the security configurations for different paths.
At most one of secured and unsecured can be set.
Default: secured: {...}
properties:
pathPrefix:
default: /
description: PathPrefix defines the path prefix used during route selection.
minLength: 1
type: string
secured:
description: Secured enables WAF processing for this route.
properties:
accessControlRef:
description: |-
AccessControlRef selects the relevant AccessControl configuration resource.
If undefined, Airlock Microgateway does not perform any access control.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
contentSecurityRef:
description: |-
ContentSecurityRef selects the relevant ContentSecurity configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: object
unsecured:
description: |-
Unsecured disables all WAF functionality and therefore protection for this route.
WARNING: Using this setting when the application is exposed to untrusted downstream traffic is highly discouraged.
type: object
type: object
type: array
x-kubernetes-list-map-keys:
- pathPrefix
x-kubernetes-list-type: map
telemetryRef:
description: |-
TelemetryRef selects the relevant Telemetry configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
upstream:
description: Upstream defines the upstream configuration for this application
properties:
protocol:
description: |-
Protocol defines HTTP protocol version used to communicate with the upstream. At most one of http1, http2 and auto can be set.
Default: auto: {}
properties:
auto:
description: Auto specifies to negotiate the protocol with TLS ALPN (if TLS is enabled) or, as a fallback, use the same protocol that is used by the downstream connection.
properties:
http2:
description: HTTP2 specifies the settings for when HTTP/2 is inferred.
properties:
allowConnect:
default: false
description: Allows proxying Websocket and other upgrades over H2 connect.
type: boolean
type: object
type: object
http1:
description: HTTP1 specifies to use HTTP/1.1.
type: object
http2:
description: HTTP2 specifies to use HTTP/2.
properties:
allowConnect:
default: false
description: Allows proxying Websocket and other upgrades over H2 connect.
type: boolean
type: object
type: object
timeouts:
description: Timeouts defines the timeout settings.
properties:
http:
description: HTTP defines the settings for HTTP timeouts.
properties:
idle:
description: |-
Timeout defines the settings for http timeouts. If this setting is not specified, the value of applications[].downstream.timeouts.http.idle is inherited.
A value of 0 will completely disable the timeout.
type: string
maxDuration:
default: 15s
description: |-
MaxDuration defines the total duration for a HTTP request/response stream.
Default: 15s
type: string
type: object
type: object
tls:
description: TLS defines the TLS settings.
properties:
ciphers:
description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration.
items:
type: string
minItems: 1
type: array
enable:
default: false
description: Enable defines if the upstream connection is encrypted.
type: boolean
protocol:
description: Protocol defines the supported TLS protocol versions.
properties:
maximum:
description: Maximum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
minimum:
description: Minimum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
type: object
type: object
type: object
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- containerPort
x-kubernetes-list-type: map
envoyClusterRefs:
description: EnvoyClusterRefs selects the relevant EnvoyClusters.
items:
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
podSelector:
description: PodSelector defines to which Pods the configuration will be applied to.
properties:
matchLabels:
additionalProperties:
type: string
description: MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels.
type: object
type: object
sessionHandlingRef:
description: SessionHandlingRef selects the SessionHandling configuration to apply.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- applications
type: object
status:
description: Most recently observed status of the SidecarGateway which is populated by the system. This data is read-only and may not be up to date.
properties:
conditions:
items:
properties:
lastTransitionTime:
description: Last time the condition transitioned from one status to another.
format: date-time
type: string
message:
description: A human-readable message indicating details about the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of SidecarGateway condition.
type: string
required:
- status
- type
type: object
type: array
pods:
items:
properties:
envoyConfig:
description: EnvoyConfig indicates the name of the EnvoyConfig CR for the Pod.
type: string
name:
description: Name indicates the name of a Pod selected by the SidecarGateway.
type: string
sessionAgentSecret:
type: string
required:
- name
type: object
type: array
status:
type: string
unmanagedPods:
items:
properties:
managedBy:
description: ManagedBy indicates the Airlock Microgateway Operator instance which manages this Pod.
type: string
name:
description: Name indicates the name of a Pod selected by the SidecarGateway.
type: string
sessionAgentSecret:
type: string
required:
- name
type: object
type: array
required:
- status
type: object
type: object
served: true
storage: true
subresources:
status: {}
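Review bot: several `status` fields in this CRD ship without a `description` while all their siblings have one: `status.pods[].sessionAgentSecret`, `status.unmanagedPods[].sessionAgentSecret` and `status.status`; add them so `kubectl explain` is complete. Two existing descriptions also need a fix: `upstream.timeouts.http.idle` opens with "Timeout defines the settings for http timeouts", which repeats the parent's text instead of describing the idle timeout, and `podSelector.matchLabels` ends mid-sentence ("A single {key,value} in the matchLabels."). Lastly, `upstream.tls.protocol.minimum` lists `TLSv1_0` and `TLSv1_1` in its enum but states no default; documenting the effective default minimum (or defaulting to `TLSv1_2`) would make the upstream TLS posture visible from the schema alone.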


@ -1,521 +0,0 @@
{
"__inputs": [
{
"name": "DS_PROMETHEUS",
"label": "Prometheus",
"description": "",
"type": "datasource",
"pluginId": "prometheus",
"pluginName": "Prometheus"
}
],
"__elements": {},
"__requires": [
{
"type": "grafana",
"id": "grafana",
"name": "Grafana",
"version": "10.2.0"
},
{
"type": "datasource",
"id": "prometheus",
"name": "Prometheus",
"version": "1.0.0"
},
{
"type": "panel",
"id": "stat",
"name": "Stat",
"version": ""
},
{
"type": "panel",
"id": "timeseries",
"name": "Time series",
"version": ""
}
],
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "grafana",
"uid": "-- Grafana --"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"type": "dashboard"
}
]
},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": null,
"links": [
{
"asDropdown": true,
"icon": "external link",
"includeVars": true,
"keepTime": true,
"tags": [
"airlock-microgateway"
],
"targetBlank": true,
"title": "Airlock Microgateway",
"tooltip": "",
"type": "dashboards",
"url": ""
}
],
"panels": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "License status of Airlock Microgateway.",
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"mappings": [
{
"options": {
"0": {
"color": "red",
"index": 1,
"text": "Invalid"
},
"1": {
"color": "green",
"index": 0,
"text": "Valid"
}
},
"type": "value"
}
],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
}
},
"overrides": []
},
"gridPos": {
"h": 4,
"w": 3,
"x": 0,
"y": 0
},
"id": 1,
"options": {
"colorMode": "value",
"graphMode": "area",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"showPercentChange": false,
"textMode": "auto",
"wideLayout": true
},
"pluginVersion": "11.0.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"editorMode": "code",
"exemplar": false,
"expr": "min(microgateway_license_valid{namespace=~\"${operator_namespace.regex}\"})",
"instant": true,
"legendFormat": "License Status",
"range": false,
"refId": "Licenses"
}
],
"title": "License Status",
"type": "stat"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "Expiry date of the Airlock Microgateway license associated with the selected operator.",
"fieldConfig": {
"defaults": {
"color": {
"fixedColor": "text",
"mode": "fixed"
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
},
"unit": "time: L"
},
"overrides": []
},
"gridPos": {
"h": 4,
"w": 4,
"x": 3,
"y": 0
},
"id": 4,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"showPercentChange": false,
"textMode": "auto",
"wideLayout": true
},
"pluginVersion": "11.0.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"editorMode": "code",
"exemplar": false,
"expr": "min(microgateway_license_expiry_timestamp_seconds{namespace=~\"${operator_namespace.regex}\"})*1000",
"instant": true,
"legendFormat": "Expiry Date (MM/DD/YYYY)",
"range": false,
"refId": "A"
}
],
"title": "License Expiry Date",
"type": "stat"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "Number of licensed requests for applications protected by Airlock Microgateway.",
"fieldConfig": {
"defaults": {
"color": {
"fixedColor": "text",
"mode": "fixed"
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
},
"unit": "short"
},
"overrides": []
},
"gridPos": {
"h": 4,
"w": 4,
"x": 7,
"y": 0
},
"id": 6,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"showPercentChange": false,
"textMode": "auto",
"wideLayout": true
},
"pluginVersion": "11.0.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"editorMode": "code",
"exemplar": false,
"expr": "sum(microgateway_license_max_rq_count_per_month{namespace=~\"${operator_namespace.regex}\"})",
"instant": true,
"legendFormat": "Licensed Requests",
"range": false,
"refId": "A"
}
],
"title": "Licensed Requests",
"type": "stat"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "Estimated number of requests protected by Airlock Microgateway over 30 days based on the last 7 days.",
"fieldConfig": {
"defaults": {
"color": {
"fixedColor": "text",
"mode": "fixed"
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
},
"unit": "short"
},
"overrides": []
},
"gridPos": {
"h": 4,
"w": 5,
"x": 11,
"y": 0
},
"id": 2,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"showPercentChange": false,
"textMode": "auto",
"wideLayout": true
},
"pluginVersion": "11.0.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"editorMode": "code",
"exemplar": false,
"expr": "sum(increase(microgateway_license_http_rq_total{job=~\"${operator_namespace.regex}/.*-engine\"}[7d]))/7*30",
"instant": true,
"legendFormat": "Estimated Requests",
"range": false,
"refId": "A"
}
],
"title": "Requests over 30 days (estimated)",
"type": "stat"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "Number of requests per week processed by Airlock Microgateway.",
"fieldConfig": {
"defaults": {
"color": {
"fixedColor": "blue",
"mode": "fixed"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"drawStyle": "line",
"fillOpacity": 0,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "auto",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
},
"unit": "short"
},
"overrides": []
},
"gridPos": {
"h": 12,
"w": 16,
"x": 0,
"y": 4
},
"id": 5,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"maxHeight": 600,
"mode": "single",
"sort": "none"
}
},
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"editorMode": "code",
"expr": "sum(avg_over_time(increase(microgateway_license_http_rq_total{job=~\"${operator_namespace.regex}/.*-engine\"}[7d])[2m:30s]))",
"instant": false,
"legendFormat": "# Requests per week",
"range": true,
"refId": "A"
}
],
"title": "Processed Requests per week",
"type": "timeseries"
}
],
"schemaVersion": 39,
"tags": [
"airlock-microgateway"
],
"templating": {
"list": [
{
"current": {
"selected": false,
"text": "Prometheus",
"value": "PBFA97CFB590B2093"
},
"hide": 2,
"includeAll": false,
"label": "DS_PROMETHEUS",
"multi": false,
"name": "DS_PROMETHEUS",
"options": [],
"query": "prometheus",
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"type": "datasource"
},
{
"allValue": ".*",
"current": {},
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"definition": "label_values(microgateway_license_valid,namespace)",
"description": "",
"hide": 0,
"includeAll": false,
"label": "Operator Namespace",
"multi": false,
"name": "operator_namespace",
"options": [],
"query": {
"qryType": 1,
"query": "label_values(microgateway_license_valid,namespace)",
"refId": "PrometheusVariableQueryEditor-VariableQuery"
},
"refresh": 2,
"regex": "",
"skipUrlSync": false,
"sort": 0,
"type": "query"
}
]
},
"time": {
"from": "now-7d",
"to": "now"
},
"timeRangeUpdatedDuringEditOrView": false,
"timepicker": {},
"timezone": "browser",
"title": "Airlock Microgateway License",
"uid": "cdpq79bzrr01se",
"version": 2,
"weekStart": ""
}



@ -0,0 +1,4 @@
# values for deploying on GKE
config:
cniBinDir: "/home/kubernetes/bin"


@ -0,0 +1,15 @@
# values for deploying on OpenShift
rbac:
createSCCRole: true
privileged: true
multusNetworkAttachmentDefinition:
create: true
namespace: default
config:
installMode: "standalone"
cniNetDir: "/etc/cni/multus/net.d"
cniBinDir: "/var/lib/cni/bin"
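Review bot: `privileged: true` here feeds both `privileged` and `allowPrivilegeEscalation` in the DaemonSet's container securityContext, so this values file turns the installer into a fully privileged root pod on the host network; a one-line comment stating why OpenShift with Multus needs this (and that `createSCCRole` exists to grant it) would let downstream reviewers judge the trade-off without reading the templates.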


@ -0,0 +1,18 @@
questions:
- variable: config.cniNetDir
required: true
type: string
label: CNI Network Configuration Directory
group: "CNI Settings"
description: "Directory where the CNI config files reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your kubernetes host."
- variable: config.cniBinDir
required: true
type: string
label: CNI Plugin Binaries Directory
group: "CNI Settings"
description: "Directory where the CNI plugin binaries reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your kubernetes host."
- variable: config.installMode
required: true
label: CNI Plugin Installation Mode
group: "CNI Settings"
description: "Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers) as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. Please refer to the CNI installation documentation (https://github.com/airlock/microgateway?tab=readme-ov-file#deploy-airlock-microgateway-cni) to correctly setup the CNI Plugin for your environment."
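Review bot: the `config.installMode` question has no `type`, unlike the two questions above it, although it only accepts the three values `chained`, `standalone` and `manual` named in its description; declaring it as an `enum` with an `options` list would stop a typo from silently producing an unexpected mode. Minor: "to correctly setup the CNI Plugin" should read "set up".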


@ -1,34 +1,3 @@
Thank you for installing Airlock Microgateway.
If you have not already done so, make sure that Airlock Microgateway CNI is also installed on the cluster.
Thank you for installing Airlock Microgateway CNI.
For further information, please visit our documentation at https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" .}}.
Detailed CRD API reference documentation is also available at https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" .}}/api/crds.
{{ if .Values.crds.skipVersionCheck }}
- CRD version check skipped
{{- else }}
{{- $outdatedCRDs := (include "airlock-microgateway.outdatedCRDs" .) -}}
{{- if $outdatedCRDs -}}
{{- fail (printf `
Helm does not automatically upgrade CRDs from the chart's 'crds/' directory during 'helm install/upgrade'.
Therefore, the CRDs must be manually upgraded with the following command before deploying this chart:
kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=%s --server-side --force-conflicts
If you are not using the helm install/upgrade command and instead rely on some other mechanism which is able to upgrade CRDs for deploying this chart, you can suppress this error by setting the helm value 'crds.skipVersionCheck=true'.`
.Chart.AppVersion)
-}}
{{- end -}}
{{- end -}}
{{- if .Values.tests.enabled }}
{{- if .Values.operator.watchNamespaces -}}
{{- if not (has .Release.Namespace .Values.operator.watchNamespaces) }}
{{- fail (printf `
To execute 'helm test', it is necessary that the release namespace '%s' is part of the operator's watch scope. Either disable the tests or ensure that the release namespace is added to watch namspace list ('operator.watchNamespaces') in the helm values.
`
.Release.Namespace)
-}}
{{- end -}}
{{- end -}}
{{- end }}
For further information, please visit our documentation at https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" .}}.


@ -1,16 +1,14 @@
{{/*
Expand the name of the chart.
We truncate at 49 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec)
and the longest explicit suffix is 14 characters.
*/}}
{{- define "airlock-microgateway.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 49 | trimSuffix "-" }}
{{- define "airlock-microgateway-cni.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Convert an image configuration object into an image ref string.
*/}}
{{- define "airlock-microgateway.image" -}}
{{- define "airlock-microgateway-cni.image" -}}
{{- if .digest -}}
{{- printf "%s@%s" .repository .digest -}}
{{- else if .tag -}}
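Review bot: the explanatory comment above `airlock-microgateway-cni.name` still reads "We truncate at 49 chars ... the longest explicit suffix is 14 characters" while the new define truncates at 63; if that comment is kept in the CNI chart it should be updated to match (the `fullname` helper in the next hunk did get its comment adjusted to the new 50/13 numbers).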
@ -22,19 +20,19 @@ Convert an image configuration object into an image ref string.
{{/*
Create a default fully qualified app name.
We truncate at 36 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec)
and the longest implicit suffix is 27 characters.
We truncate at 50 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec)
and the longest suffix is 13 characters.
If release name contains chart name it will be used as a full name.
*/}}
{{- define "airlock-microgateway.fullname" -}}
{{- define "airlock-microgateway-cni.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 36 | trimSuffix "-" }}
{{- .Values.fullnameOverride | trunc 50 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 36 | trimSuffix "-" }}
{{- .Release.Name | trunc 50 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 36 | trimSuffix "-" }}
{{- printf "%s-%s" .Release.Name $name | trunc 50 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
@ -42,112 +40,62 @@ If release name contains chart name it will be used as a full name.
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "airlock-microgateway.chart" -}}
{{- define "airlock-microgateway-cni.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "airlock-microgateway.sharedLabels" -}}
helm.sh/chart: {{ include "airlock-microgateway.chart" . }}
{{- define "airlock-microgateway-cni.labels" -}}
helm.sh/chart: {{ include "airlock-microgateway-cni.chart" . }}
{{ include "airlock-microgateway-cni.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/part-of: {{ .Chart.Name }}
{{- with .Values.commonLabels }}
{{ toYaml .}}
{{- end }}
{{- end }}
{{/*
Common Selector labels
Common labels without component
*/}}
{{- define "airlock-microgateway.sharedSelectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- define "airlock-microgateway-cni.labelsWithoutComponent" -}}
{{- $labels := fromYaml (include "airlock-microgateway-cni.labels" .) -}}
{{ unset $labels "app.kubernetes.io/component" | toYaml }}
{{- end }}
{{/*
Restricted Container Security Context
Selector labels
*/}}
{{- define "airlock-microgateway.restrictedSecurityContext" -}}
allowPrivilegeEscalation: false
privileged: false
runAsNonRoot: true
capabilities:
drop: ["ALL"]
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
{{- define "airlock-microgateway-cni.selectorLabels" -}}
app.kubernetes.io/component: cni-plugin-installer
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/name: {{ include "airlock-microgateway-cni.name" . }}
{{- end }}
{{/* Precondition: May only be used if AppVersion is isSemver */}}
{{- define "airlock-microgateway.supportedCRDVersionPattern" -}}
{{- $version := (semver .Chart.AppVersion) -}}
{{- if $version.Prerelease -}}
>= {{ $version.Major }}.{{ $version.Minor }}.{{ $version.Patch }}-{{ $version.Prerelease }}
{{- else -}}
>= {{ $version.Major }}.{{ $version.Minor }}.0 || >= {{ $version.Major }}.{{ $version.Minor }}.{{ add1 $version.Patch }}-0
{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use for the CNI Plugin
*/}}
{{- define "airlock-microgateway-cni.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "airlock-microgateway-cni.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{- define "airlock-microgateway.outdatedCRDs" -}}
{{- if (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) -}}
{{- $supportedVersion := (include "airlock-microgateway.supportedCRDVersionPattern" .) -}}
{{- range $path, $_ := .Files.Glob "crds/*.yaml" -}}
{{- $api := ($.Files.Get $path | fromYaml).metadata.name -}}
{{- $crd := (lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" $api) -}}
{{- $isOutdated := false -}}
{{- if $crd -}}
{{/* If CRD is already present in the cluster, it must have the minimum supported version */}}
{{- $isOutdated = true -}}
{{- if hasKey $crd.metadata "labels" -}}
{{- $crdVersion := get $crd.metadata.labels "app.kubernetes.io/version" -}}
{{- if (eq "true" (include "airlock-microgateway.isSemver" $crdVersion)) -}}
{{- if (semverCompare $supportedVersion $crdVersion) }}
{{- $isOutdated = false -}}
{{- end }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if $isOutdated }}
{{ base $path }}
{{- end }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "airlock-microgateway.isSemver" -}}
{{- define "airlock-microgateway-cni.isSemver" -}}
{{- regexMatch `^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$` . -}}
{{- end -}}
{{- define "airlock-microgateway.docsVersion" -}}
{{- if and (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}}
{{- define "airlock-microgateway-cni.docsVersion" -}}
{{- if and (eq "true" (include "airlock-microgateway-cni.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}}
{{- $version := (semver .Chart.AppVersion) -}}
{{- $version.Major }}.{{ $version.Minor -}}
{{- else -}}
{{- print "latest" -}}
{{- end -}}
{{- end -}}
{{- define "airlock-microgateway.watchNamespaceSelector.labelQuery" -}}
{{- $list := list -}}
{{- with .matchLabels -}}
{{- range $key, $value := . -}}
{{- $list = append $list (printf "%s=%s" $key $value) -}}
{{- end -}}
{{- end -}}
{{- with .matchExpressions -}}
{{- range . -}}
{{- if has .operator (list "In" "NotIn") -}}
{{- $list = append $list (printf "%s %s (%s)" .key (lower .operator) (join "," .values)) -}}
{{- else if eq .operator "Exists" -}}
{{- $list = append $list .key -}}
{{- else if eq .operator "DoesNotExist" -}}
{{- $list = append $list (printf "!%s" .key) -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- join "," $list -}}
{{- end -}}


@ -0,0 +1,22 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- patch
{{- end -}}
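Review bot: `patch` on `pods` is granted cluster-wide with no namespace or `resourceNames` scoping, so the installer's ServiceAccount can modify any pod in the cluster; the `excludeNamespaces` list in the plugin config is enforced by the plugin, not by RBAC. A comment here stating what the plugin actually patches (presumably its own annotations on the pods it wires up) would let auditors confirm the verb set is the minimum needed.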


@ -0,0 +1,20 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "airlock-microgateway-cni.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end -}}
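Review bot: the subject comes from `airlock-microgateway-cni.serviceAccountName`, which falls back to the namespace's `default` ServiceAccount when `serviceAccount.create` is false and no name is given; in that case this ClusterRoleBinding hands cluster-wide pod `patch` to every pod in the release namespace that runs under the default account. Consider failing the render with `required` when `create` is false and `name` is empty, or at least documenting the fallback next to `serviceAccount` in values.yaml.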


@ -0,0 +1,22 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
data:
plugin-conf.json: |-
{
"type": "{{ include "airlock-microgateway-cni.fullname" . }}",
"debug": {{ eq .Values.config.logLevel "debug" }},
"logFilePath": "/var/log/{{ include "airlock-microgateway-cni.fullname" . }}.log",
"kubernetes": {
"kubeconfig": "{{ .Values.config.cniNetDir }}/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig",
"excludeNamespaces": {{ toJson .Values.config.excludeNamespaces }}
}
}
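Review bot: `plugin-conf.json` is assembled by string interpolation, so `.Values.config.cniNetDir` and the fullname are dropped into JSON string literals unquoted; a value containing `"` or a backslash yields an invalid config that only fails on the node. `excludeNamespaces` already goes through `toJson`; doing the same for `type`, `logFilePath` and `kubeconfig` (e.g. `"kubeconfig": {{ printf "%s/%s-kubeconfig" .Values.config.cniNetDir (include "airlock-microgateway-cni.fullname" .) | toJson }},`) keeps the document valid for any input.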


@ -0,0 +1,136 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "airlock-microgateway-cni.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
kubectl.kubernetes.io/default-container: cni-installer
{{- with mustMerge .Values.podAnnotations .Values.commonAnnotations}}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- args:
- --log-level
- "{{ .Values.config.logLevel }}"
env:
- name: CNI_NETWORK_CONFIG
valueFrom:
configMapKeyRef:
key: plugin-conf.json
name: {{ include "airlock-microgateway-cni.fullname" . }}
- name: CNI_BIN_DIR
value: /host/opt/cni/bin
- name: CNI_NET_DIR
value: /host/etc/cni/net.d
- name: KUBECONFIG_FILE_NAME
value: "{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig"
- name: INSTALL_MODE
value: {{ .Values.config.installMode }}
- name: KUBERNETES_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
image: {{ include "airlock-microgateway-cni.image" .Values.image }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
name: cni-installer
{{- with .Values.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
startupProbe:
exec:
command:
- /cni-installer
- probe
failureThreshold: 5
initialDelaySeconds: 3
periodSeconds: 3
timeoutSeconds: 3
readinessProbe:
exec:
command:
- /cni-installer
- probe
failureThreshold: 1
periodSeconds: 60
timeoutSeconds: 3
securityContext:
allowPrivilegeEscalation: {{ .Values.privileged }}
capabilities:
drop:
- ALL
privileged: {{ .Values.privileged }}
readOnlyRootFilesystem: true
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /host/opt/cni/bin
name: cni-bin-dir
- mountPath: /host/etc/cni/net.d
name: cni-net-dir
- mountPath: /run/cni-installer
name: cni-installer-status
hostNetwork: true
priorityClassName: system-node-critical
restartPolicy: Always
securityContext:
fsGroup: 0
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
serviceAccountName: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
terminationGracePeriodSeconds: 5
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
tolerations:
- effect: NoSchedule
operator: Exists
- key: CriticalAddonsOnly
operator: Exists
- effect: NoExecute
operator: Exists
volumes:
- hostPath:
path: "{{ .Values.config.cniBinDir }}"
type: Directory
name: cni-bin-dir
- hostPath:
path: "{{ .Values.config.cniNetDir }}"
type: Directory
name: cni-net-dir
- emptyDir: {}
name: cni-installer-status
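Review bot: `mustMerge .Values.podAnnotations .Values.commonAnnotations` mutates its first argument (Sprig's merge writes into the destination map), so after this template renders, `.Values.podAnnotations` also carries the common annotations for any later template that reads it; `mustMerge (dict) .Values.podAnnotations .Values.commonAnnotations` gives the same precedence without the side effect. On the securityContext: tying `allowPrivilegeEscalation` to `.Values.privileged` is required, since the API rejects `privileged: true` with escalation disabled, but even with `privileged: false` the container is root (`runAsUser: 0`, `runAsNonRoot: false`) on `hostNetwork` with writable hostPath mounts into the CNI directories, so a short comment stating that trust level would help. Minor: `INSTALL_MODE` is the only templated env value left unquoted; `value: {{ .Values.config.installMode | quote }}` avoids YAML type surprises.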


@ -0,0 +1,13 @@
{{- if .Values.multusNetworkAttachmentDefinition.create -}}
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
namespace: {{ .Values.multusNetworkAttachmentDefinition.namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}
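Review bot: this NetworkAttachmentDefinition has no `spec`, which only works because Multus, given an empty `spec.config`, looks for a CNI config file named after the NAD in its confDir (here `/etc/cni/multus/net.d`, written by the installer in `standalone` mode); a comment in the template stating that dependency would save the next reader a trip to the Multus docs. Also, the NAD is created in `.Values.multusNetworkAttachmentDefinition.namespace` (`default` in the OpenShift values), so pods in other namespaces have to reference it as `<namespace>/<name>` in their network annotation.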


@ -1,42 +0,0 @@
{{/*
Create a default fully qualified name for operator components.
*/}}
{{- define "airlock-microgateway.operator.fullname" -}}
{{ include "airlock-microgateway.fullname" . }}-operator
{{- end }}
{{/*
Common operator labels
*/}}
{{- define "airlock-microgateway.operator.labels" -}}
{{ include "airlock-microgateway.sharedLabels" . }}
{{ include "airlock-microgateway.operator.selectorLabels" . }}
{{- end }}
{{/*
Operator Selector labels
*/}}
{{- define "airlock-microgateway.operator.selectorLabels" -}}
{{ include "airlock-microgateway.sharedSelectorLabels" . }}
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-operator
app.kubernetes.io/component: controller
{{- end }}
{{/*
Create the name of the service account to use for the operator
*/}}
{{- define "airlock-microgateway.operator.serviceAccountName" -}}
{{- if .Values.operator.serviceAccount.create }}
{{- default (include "airlock-microgateway.operator.fullname" .) .Values.operator.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.operator.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
ServiceMonitor metrics regex pattern for leader only metrics
*/}}
{{- define "airlock-microgateway.operator.metricsLeaderOnlyRegexPattern" -}}
^(microgateway_license|microgateway_sidecars).*$
{{- end }}


@ -1,237 +0,0 @@
{{/* AUTOGENERATED FILE DO NOT EDIT */}}
{{/*
Operator rbac permission rules
*/}}
{{- define "airlock-microgateway-operator.rbacRules" -}}
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- pods
verbs:
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- pods/finalizers
verbs:
- update
- apiGroups:
- ""
resources:
- pods/status
verbs:
- patch
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- get
- list
- update
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- accesscontrols
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- contentsecurities
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- denyrules
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- envoyclusters
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- envoyconfigurations
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- envoyconfigurations/status
verbs:
- get
- patch
- update
- apiGroups:
- microgateway.airlock.com
resources:
- envoyhttpfilters
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- graphqls
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- headerrewrites
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- identitypropagations
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- limits
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- oidcproviders
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- oidcrelyingparties
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- openapis
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- parsers
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- redisproviders
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- sessionhandlings
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- sidecargateways
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- sidecargateways/finalizers
verbs:
- update
- apiGroups:
- microgateway.airlock.com
resources:
- sidecargateways/status
verbs:
- get
- patch
- update
- apiGroups:
- microgateway.airlock.com
resources:
- telemetries
verbs:
- get
- list
- watch
{{- end }}
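Review bot: the `secrets` rule (create/delete/get/list/update/watch) and the `pods` rule (delete/patch/update) in this define carry no `resourceNames` restriction, so wherever the template is rendered the operator can read and modify every Secret and Pod in the namespaces it can see; `resourceNames` cannot narrow `list`/`watch`/`create`, but `delete`/`patch`/`update` on Secrets and Pods could be pinned if the operator only ever touches objects it created, and the reason cluster-wide `delete` on Pods is needed (presumably sidecar restarts) belongs in the chart docs. Because the file is marked `AUTOGENERATED FILE DO NOT EDIT`, any tightening has to happen in the generator's source rather than in this template.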

@ -1,339 +0,0 @@
{{/* AUTOGENERATED FILE DO NOT EDIT */}}
{{/*
Operator mutating webhooks
*/}}
{{- define "airlock-microgateway-operator.mutatingWebhooks" -}}
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /mutate-v1-pod
failurePolicy: Fail
name: mutate-pod.microgateway.airlock.com
reinvocationPolicy: IfNeeded
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
resources:
- pods
sideEffects: None
objectSelector:
matchLabels:
sidecar.microgateway.airlock.com/inject: "true"
{{- end }}
{{/*
Operator validating webhooks
*/}}
{{- define "airlock-microgateway-operator.validatingWebhooks" -}}
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-v1-pod
failurePolicy: Fail
name: validate-pod.microgateway.airlock.com
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- pods
sideEffects: None
objectSelector:
matchLabels:
sidecar.microgateway.airlock.com/inject: "true"
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-accesscontrol
failurePolicy: Fail
name: validate-accesscontrol.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- accesscontrols
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-denyrules
failurePolicy: Fail
name: validate-denyrules.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- denyrules
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-envoycluster
failurePolicy: Fail
name: validate-envoycluster.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- envoyclusters
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-envoyhttpfilter
failurePolicy: Fail
name: validate-envoyhttpfilter.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- envoyhttpfilters
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-graphql
failurePolicy: Fail
name: validate-graphql.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- graphqls
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-headerrewrites
failurePolicy: Fail
name: validate-headerrewrites.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- headerrewrites
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-identitypropagation
failurePolicy: Fail
name: validate-identitypropagation.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- identitypropagations
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-limits
failurePolicy: Fail
name: validate-limits.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- limits
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-oidcprovider
failurePolicy: Fail
name: validate-oidcprovider.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- oidcproviders
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-oidcrelyingparty
failurePolicy: Fail
name: validate-oidcrelyingparty.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- oidcrelyingparties
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-openapi
failurePolicy: Fail
name: validate-openapi.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- openapis
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-parser
failurePolicy: Fail
name: validate-parser.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- parsers
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-redisprovider
failurePolicy: Fail
name: validate-redisprovider.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- redisproviders
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-sidecargateway
failurePolicy: Fail
name: validate-sidecargateway.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- sidecargateways
sideEffects: None
{{- end }}
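Review bot: every validating webhook for the `microgateway.airlock.com` CRDs uses `failurePolicy: Fail` with neither a `namespaceSelector` nor a `timeoutSeconds`, so while `airlock-microgateway-operator-webhook` is unavailable each CREATE/UPDATE of these resources is rejected cluster-wide and callers wait for the API server's default timeout before seeing the error; that is the right fail-closed choice for an admission gate, but it should be stated in the chart README and upgrade notes. For the two pod webhooks the `objectSelector` on `sidecar.microgateway.airlock.com/inject: "true"` is the only thing keeping the same fail-closed policy from blocking unrelated pod creation, so that selector should not be broadened; registering only CREATE on the mutating webhook while the validating one also covers UPDATE is consistent with injection happening at creation time.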

@ -1,394 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-config
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
data:
engine_bootstrap_config_template.yaml: |
# Base configuration, admin interface on port 19000
admin:
address:
socket_address:
address: 127.0.0.1
port_value: 19000
dynamic_resources:
cds_config:
initial_fetch_timeout: 10s
resource_api_version: V3
api_config_source:
api_type: GRPC
transport_api_version: V3
grpc_services:
- envoy_grpc:
cluster_name: xds_cluster
set_node_on_first_message_only: true
# Prevent Envoy Node from overloading the xDS server due to rejected configuration when using xDS SotW gRPC
rate_limit_settings:
max_tokens: 5
fill_rate: 0.2
lds_config:
resource_api_version: V3
initial_fetch_timeout: 10s
api_config_source:
api_type: GRPC
transport_api_version: V3
grpc_services:
- envoy_grpc:
cluster_name: xds_cluster
set_node_on_first_message_only: true
# Prevent Envoy Node from overloading the xDS server due to rejected configuration when using xDS SotW gRPC
rate_limit_settings:
max_tokens: 5
fill_rate: 0.2
static_resources:
listeners:
- name: probe
address:
socket_address:
address: 0.0.0.0
port_value: 19001
filter_chains:
- filters:
- name: http_connection_manager
typed_config:
'@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: probe
codec_type: AUTO
http2_protocol_options:
initial_connection_window_size: 1048576
initial_stream_window_size: 65536
max_concurrent_streams: 100
route_config:
name: probe
virtual_hosts:
- name: probe
domains:
- '*'
routes:
- name: ready
match:
path: /ready
headers:
- name: ':method'
string_match:
exact: 'GET'
route:
cluster: airlock_microgateway_engine_admin
http_filters:
- name: envoy.filters.http.router
typed_config:
'@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
- name: metrics
address:
socket_address:
address: 0.0.0.0
port_value: 19002
filter_chains:
- filters:
- name: http_connection_manager
typed_config:
'@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: metrics
codec_type: AUTO
http2_protocol_options:
initial_connection_window_size: 1048576
initial_stream_window_size: 65536
max_concurrent_streams: 100
route_config:
name: metrics
virtual_hosts:
- name: metrics
domains:
- '*'
routes:
- name: metrics
match:
path: /metrics
headers:
- name: ':method'
string_match:
exact: 'GET'
route:
prefix_rewrite: '/stats/prometheus'
cluster: airlock_microgateway_engine_admin
http_filters:
- name: envoy.filters.http.router
typed_config:
'@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
clusters:
- name: xds_cluster
connect_timeout: 1s
type: STRICT_DNS
load_assignment:
cluster_name: xds_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: airlock-microgateway-operator-xds.$(OPERATOR_NAMESPACE).svc.cluster.local
port_value: 13377
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
'@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
connection_keepalive:
interval: 360s
timeout: 5s
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
'@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
common_tls_context:
tls_params:
tls_minimum_protocol_version: TLSv1_3
tls_maximum_protocol_version: TLSv1_3
validation_context_sds_secret_config:
name: validation_context_sds
sds_config:
resource_api_version: V3
path_config_source:
path: /etc/envoy/validation_context_sds_secret.yaml
watched_directory:
path: /etc/envoy/
tls_certificate_sds_secret_configs:
- name: tls_certificate_sds
sds_config:
resource_api_version: V3
path_config_source:
path: /etc/envoy/tls_certificate_sds_secret.yaml
watched_directory:
path: /etc/envoy/
- name: airlock_microgateway_engine_admin
connect_timeout: 1s
type: STATIC
load_assignment:
cluster_name: airlock_microgateway_engine_admin
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: 127.0.0.1
port_value: 19000
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
'@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
connection_keepalive:
interval: 360s
timeout: 5s
stats_config:
stats_tags:
- tag_name: "block_type"
regex: "\\.(block_type\\.([^.]+))"
- tag_name: "attack_type"
regex: "\\.(attack_type\\.([^.]+))"
- tag_name: "envoy_cluster_name"
regex: "\\.(cluster\\.([^.]+))"
- tag_name: "version"
regex: "\\.(version\\.([^.]+))"
use_all_default_tags: true
overload_manager:
resource_monitors:
- name: "envoy.resource_monitors.global_downstream_max_connections"
typed_config:
"@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
max_active_downstream_connections: 50000
bootstrap_extensions:
- name: airlock.bootstrap.engine_build_info
typed_config:
'@type': type.googleapis.com/airlock.extensions.bootstrap.stats.v1alpha.Stats
application_log_config:
log_format:
text_format: '{"@timestamp":"%Y-%m-%dT%T.%e%z","log":{"logger":"%n","level":"%l","origin":{"file":{"name":"%g","line":%#},"function":"%!"}},"event":{"module":"envoy","dataset":"envoy.application"},"process":{"pid":%P,"thread":{"id":%t}},"ecs":{"version":"8.5"},"message":"%j"}'
engine_container_template.yaml: |
name: "$(ENGINE_NAME)"
image: "$(ENGINE_IMAGE)"
imagePullPolicy: {{ .Values.engine.image.pullPolicy }}
args:
- "--config-path"
- "/etc/envoy/bootstrap_config.yaml"
- "--base-id"
- "$(BASE_ID)"
- "--file-flush-interval-msec"
- '1000'
- "--drain-time-s"
- '60'
- "--service-node"
- "$(POD_NAME).$(POD_NAMESPACE)"
- "--service-cluster"
- "$(APP_NAME).$(POD_NAMESPACE)"
- "--log-path"
- "/dev/stdout"
- "--log-level"
- "$(LOG_LEVEL)"
volumeMounts:
- name: airlock-microgateway-bootstrap-secret-volume
mountPath: /etc/envoy
readOnly: true
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: POD_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
ports:
- containerPort: 13378
protocol: TCP
- containerPort: 19001
protocol: TCP
- containerPort: 19002
protocol: TCP
livenessProbe:
httpGet:
path: /ready
port: 19001
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 5
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
httpGet:
path: /ready
port: 19001
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 3
successThreshold: 1
timeoutSeconds: 1
securityContext:
{{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }}
runAsUser: $(SECURITYCONTEXT_UID)
{{- with .Values.engine.resources }}
resources:
{{- toYaml . | nindent 6 }}
{{- end }}
session_agent_container_template.yaml: |
name: "$(SESSION_AGENT_NAME)"
image: "$(SESSION_AGENT_IMAGE)"
imagePullPolicy: {{ .Values.sessionAgent.image.pullPolicy }}
args:
- "--port"
- "19004"
- "--config-path"
- "/etc/microgateway-session-agent/config.json"
volumeMounts:
- name: airlock-microgateway-session-agent-volume
mountPath: /etc/microgateway-session-agent
readOnly: true
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
ports:
- containerPort: 19004
livenessProbe:
{{- if (semverCompare ">=1.27 || >=1.27.1-0" .Capabilities.KubeVersion.Version)}}
grpc:
port: 19004
{{- else }}
tcpSocket:
port: 19004
{{- end }}
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 5
successThreshold: 1
timeoutSeconds: 5
readinessProbe:
{{- if (semverCompare ">=1.27 || >=1.27.1-0" .Capabilities.KubeVersion.Version)}}
grpc:
port: 19004
{{- else }}
tcpSocket:
port: 19004
{{- end }}
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 3
successThreshold: 1
timeoutSeconds: 5
securityContext:
{{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }}
runAsUser: $(SECURITYCONTEXT_UID)
{{- with .Values.sessionAgent.resources }}
resources:
{{- toYaml . | nindent 6 }}
{{- end }}
network_validator_container_template.yaml: |
name: "$(NETWORK_VALIDATOR_NAME)"
image: "$(NETWORK_VALIDATOR_IMAGE)"
imagePullPolicy: {{ .Values.networkValidator.image.pullPolicy }}
command: ["/bin/sh", "-c"]
args:
- |-
echo 'pong' | nc -v -l 127.0.0.1 -p 13378 &
for i in 1 2 3; do
sleep 1s
if r=$(echo 'ping' | nc 127.0.0.1 19003) && [ $r == pong ]; then
echo -n 'Traffic redirection to Airlock Microgateway Engine is working.' > /dev/termination-log
exit 0
fi
done
echo -en 'Traffic redirection to Airlock Microgateway Engine is not working.\nRestart the pod after ensuring that hostNetwork is disabled and a compatible Airlock Microgateway CNI version is installed on the node.\nCertain environments may also require additional configuration (see docs.airlock.com for more information).' > /dev/termination-log
exit 1
securityContext:
{{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }}
runAsUser: $(SECURITYCONTEXT_UID)
operator_config.yaml: |
apiVersion: config.airlock.com/v1alpha1
kind: OperatorConfig
health:
healthProbeBindAddress: :8081
metrics:
bindAddress: 0.0.0.0:8080
webhook:
port: 9443
deployment:
sidecar:
engineContainerTemplate: "/sidecar/engine_container_template.yaml"
networkValidatorContainerTemplate: "/sidecar/network_validator_container_template.yaml"
sessionAgentContainerTemplate: "/sidecar/session_agent_container_template.yaml"
engine:
bootstrapConfigTemplate: "/engine_bootstrap_config_template.yaml"
log:
level: {{ .Values.operator.config.logLevel }}
{{- with $.Values.operator.watchNamespaceSelector }}
namespaces:
selector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $.Values.operator.watchNamespaces }}
namespaces:
list:
{{- toYaml . | nindent 8 }}
{{- end }}
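Review bot: in `network_validator_container_template.yaml` the check `[ $r == pong ]` runs under `/bin/sh`; `==` is not a POSIX `test` operator and `$r` is unquoted, so a strict shell aborts with a syntax error and an empty reply yields a test error instead of a clean retry. `if r=$(echo 'ping' | nc 127.0.0.1 19003) && [ "$r" = pong ]; then` is portable and handles the empty case. Two smaller points in `engine_container_template.yaml`: the liveness and readiness probes both hit `/ready`, which answers 503 until Envoy finishes initializing, so the liveness budget (5s delay plus 5 failures at 5s) must stay above `initial_fetch_timeout: 10s`; it does today, but the two values are coupled and deserve a comment. And the probe and metrics listeners on 0.0.0.0 forward only exact-path GET `/ready` and GET `/metrics` to the localhost admin cluster, which is the correct shape for exposing an admin interface and should stay an exact match if the routes are ever touched.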

@ -1,47 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: airlock-microgateway-operator-metrics
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.operator.serviceLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ports:
- appProtocol: http
name: metrics
port: 8080
protocol: TCP
selector:
{{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }}
---
apiVersion: v1
kind: Service
metadata:
name: airlock-microgateway-operator-leader-metrics
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.operator.serviceLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
operator.microgateway.airlock.com/isLeader: "true"
{{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ports:
- appProtocol: http
name: metrics
port: 8080
protocol: TCP
selector:
{{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }}
operator.microgateway.airlock.com/isLeader: "true"
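Review bot: both metrics Services publish port 8080 as plain HTTP (`appProtocol: http`) and nothing in this chart authenticates or restricts scrapes of it, so the reviewer question is whether a NetworkPolicy or a TLS-terminating metrics endpoint exists elsewhere; if not, at least document that operator metrics are readable by anything that can reach the Service. The leader Service additionally selects on `operator.microgateway.airlock.com/isLeader: "true"`, which means the operator must label its own pod (covered by the `pods` patch/update verbs in the RBAC rules), and that dependency is worth a comment next to the selector.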

@ -1,45 +0,0 @@
{{- if .Values.operator.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
{{- end -}}
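Review bot: the leader-election Role grants full create/update/patch/delete on `configmaps` in addition to `leases`; if election is Lease-based, as the `leases` rule suggests, the write verbs on ConfigMaps are unused and can be dropped (or kept only for a one-time migration from ConfigMap-based election), and the Lease rule can be pinned with `resourceNames` to the election lease. Least privilege matters here because this Role is bound to the operator's ServiceAccount for the whole release namespace.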

@ -1,20 +0,0 @@
{{- if .Values.operator.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election
subjects:
- kind: ServiceAccount
name: {{ include "airlock-microgateway.operator.serviceAccountName" . }}
{{- end -}}
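Review bot: the `subjects` entry has no `namespace:`; for a RoleBinding the API server resolves a ServiceAccount subject without a namespace to the binding's own namespace, so this works, but spelling out `namespace: {{ .Release.Namespace }}` makes the grant explicit and survives copy-paste into a ClusterRoleBinding, where the field is required. Note also that `airlock-microgateway.operator.serviceAccountName` falls back to `default` when no ServiceAccount is created and no name is set, in which case this binding hands the leader-election Role to the namespace's `default` ServiceAccount; either document that or fail the render when `rbac.create` is true and `serviceAccount.create` is false without an explicit name.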
