andata
/
rancher-partner-charts
mirror of https://git.rancher.io/partner-charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Charts CI 

```
Added:
  airlock/microgateway:
    - 4.2.3
  airlock/microgateway-cni:
    - 4.2.3

Updated:
  gluu/gluu:
    - 5.1.3
  jenkins/jenkins:
    - 5.4.1
  new-relic/nri-bundle:
    - 5.0.85
  redpanda/redpanda:
    - 5.8.12
  speedscale/speedscale-operator:
    - 2.2.134
  trilio/k8s-triliovault-operator:
    - 4.0.4
```
pull/1052/head
github-actions[bot] 2024-07-11 21:50:47 +00:00
parent aa4cbe5703
commit 3a72642ba1
1126 changed files with 130453 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
assets/airlock/microgateway-4.2.3.tgz Normal file
View File

Binary file not shown.

BIN
assets/airlock/microgateway-cni-4.2.3.tgz Normal file
View File

Binary file not shown.

BIN
assets/gluu/gluu-5.1.2.tgz
View File

Binary file not shown.

BIN
assets/gluu/gluu-5.1.3.tgz Normal file
View File

Binary file not shown.

15
assets/icons/microgateway-cni.svg Normal file
View File

@ -0,0 +1,15 @@
<svg width="100" height="100" viewBox="0 0 100 100" fill="none" xmlns="http://www.w3.org/2000/svg">
<circle cx="50" cy="50" r="35" fill="#ADCC14"/>
<path d="M50 15C45.4037 15 40.8525 15.9053 36.6061 17.6642C32.3597 19.4231 28.5013 22.0012 25.2513 25.2513C22.0012 28.5013 19.4231 32.3597 17.6642 36.6061C15.9053 40.8525 15 45.4037 15 50L50 50L50 15Z" fill="url(#paint0_radial)"/>
<path d="M50 85C54.5963 85 59.1475 84.0947 63.3939 82.3358C67.6403 80.5769 71.4987 77.9988 74.7487 74.7487C77.9988 71.4987 80.5769 67.6403 82.3358 63.3939C84.0947 59.1475 85 54.5963 85 50L50 50L50 85Z" fill="url(#paint1_radial)"/>
<defs>
<radialGradient id="paint0_radial" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(50 50) rotate(90) scale(35)">
<stop stop-color="#70991F"/>
<stop offset="1" stop-color="#384D0F"/>
</radialGradient>
<radialGradient id="paint1_radial" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(50 50) rotate(90) scale(35)">
<stop stop-color="#70991F"/>
<stop offset="1" stop-color="#384D0F"/>
</radialGradient>
</defs>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.1 KiB

15
assets/icons/microgateway.svg Normal file
View File

@ -0,0 +1,15 @@
<svg width="100" height="100" viewBox="0 0 100 100" fill="none" xmlns="http://www.w3.org/2000/svg">
<circle cx="50" cy="50" r="35" fill="#ADCC14"/>
<path d="M50 15C45.4037 15 40.8525 15.9053 36.6061 17.6642C32.3597 19.4231 28.5013 22.0012 25.2513 25.2513C22.0012 28.5013 19.4231 32.3597 17.6642 36.6061C15.9053 40.8525 15 45.4037 15 50L50 50L50 15Z" fill="url(#paint0_radial)"/>
<path d="M50 85C54.5963 85 59.1475 84.0947 63.3939 82.3358C67.6403 80.5769 71.4987 77.9988 74.7487 74.7487C77.9988 71.4987 80.5769 67.6403 82.3358 63.3939C84.0947 59.1475 85 54.5963 85 50L50 50L50 85Z" fill="url(#paint1_radial)"/>
<defs>
<radialGradient id="paint0_radial" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(50 50) rotate(90) scale(35)">
<stop stop-color="#70991F"/>
<stop offset="1" stop-color="#384D0F"/>
</radialGradient>
<radialGradient id="paint1_radial" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(50 50) rotate(90) scale(35)">
<stop stop-color="#70991F"/>
<stop offset="1" stop-color="#384D0F"/>
</radialGradient>
</defs>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.1 KiB

BIN
assets/jenkins/jenkins-5.4.1.tgz Normal file
View File

Binary file not shown.

BIN
assets/new-relic/nri-bundle-5.0.85.tgz Normal file
View File

Binary file not shown.

BIN
assets/redpanda/redpanda-5.8.12.tgz Normal file
View File

Binary file not shown.

BIN
assets/speedscale/speedscale-operator-2.2.134.tgz Normal file
View File

Binary file not shown.

BIN
assets/trilio/k8s-triliovault-operator-4.0.4.tgz Normal file
View File

Binary file not shown.

27
charts/airlock/microgateway-cni/4.2.3/.helmignore Normal file
View File

@ -0,0 +1,27 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
# Helm unit tests
/tests
/validation

43
charts/airlock/microgateway-cni/4.2.3/Chart.yaml Normal file
View File

@ -0,0 +1,43 @@
annotations:
artifacthub.io/category: security
artifacthub.io/license: MIT
artifacthub.io/links: |
- name: Airlock Microgateway Documentation
url: https://docs.airlock.com/microgateway/4.2/
- name: Airlock Microgateway Labs
url: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=artifacthub.io
- name: Airlock Microgateway Forum
url: https://forum.airlock.com/
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Airlock Microgateway CNI
catalog.cattle.io/kube-version: '>=1.25.0-0'
catalog.cattle.io/release-name: microgateway-cni
charts.openshift.io/name: Airlock Microgateway CNI
apiVersion: v2
appVersion: 4.2.3
description: A Helm chart for deploying the Airlock Microgateway CNI plugin
home: https://www.airlock.com/en/microgateway
icon: file://assets/icons/microgateway-cni.svg
keywords:
- WAF
- Web Application Firewall
- WAAP
- Web Application and API protection
- OWASP
- Airlock
- Microgateway
- Security
- Filtering
- DevSecOps
- shift left
- CNI
kubeVersion: '>=1.25.0-0'
maintainers:
- email: support@airlock.com
name: Airlock
url: https://www.airlock.com/
name: microgateway-cni
sources:
- https://github.com/airlock/microgateway
type: application
version: 4.2.3

137
charts/airlock/microgateway-cni/4.2.3/README.md Normal file
View File

@ -0,0 +1,137 @@
# Airlock Microgateway CNI
![Version: 4.2.3](https://img.shields.io/badge/Version-4.2.3-informational?style=flat-square) ![AppVersion: 4.2.3](https://img.shields.io/badge/AppVersion-4.2.3-informational?style=flat-square)
*Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.*
<picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight_Negative.svg">
<source media="(prefers-color-scheme: light)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight.svg">
<img alt="Microgateway" src="https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight.svg" align="right" width="250">
</picture>
Modern application security is embedded in the development workflow and follows DevSecOps paradigms. Airlock Microgateway is the perfect fit for these requirements. It is a lightweight alternative to the Airlock Gateway appliance, optimized for Kubernetes environments. Airlock Microgateway protects your applications and microservices with the tried-and-tested Airlock security features against attacks, while also providing a high degree of scalability.
__This Helm chart is part of Airlock Microgateway. See our [GitHub repo](https://github.com/airlock/microgateway/tree/4.2.3).__
### Features
* Kubernetes native integration with its Operator, Custom Resource Definitions, hot-reload, automatic sidecar injection.
* Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction
* Using native Envoy HTTP filters like Lua scripting, RBAC, ext_authz, JWT authentication
* Content security filters for protecting against known attacks (OWASP Top 10)
* Access control to allow only authenticated users to access the protected services
* API security features like JSON parsing or OpenAPI specification enforcement
For a list of all features, view the **[comparison of the community and premium edition](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html)**.
## Documentation and links
Check the official documentation at **[docs.airlock.com](https://docs.airlock.com/microgateway/latest/)** or the product website at **[airlock.com/microgateway](https://www.airlock.com/en/microgateway)**. The links below point out the most interesting documentation sites when starting with Airlock Microgateway.
* [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html)
* [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html)
* [Installation](https://docs.airlock.com/microgateway/latest/#data/1660804708637.html)
* [Troubleshooting](https://docs.airlock.com/microgateway/latest/#data/1659430054787.html)
* [GitHub](https://github.com/airlock/microgateway)
# Quick start guide
The instructions below provide a quick start guide. Detailed information are provided in the **[manual](https://docs.airlock.com/microgateway/latest/)**.
## Prerequisites
* [helm](https://helm.sh/docs/intro/install/) (>= v3.8.0)
## Deploy Airlock Microgateway CNI
1. Install the CNI Plugin with Helm.
> **Note**: Certain environments such as OpenShift or GKE require non-default configurations when installing the CNI plugin. For the most common setups, values files are provided in the [chart folder](/deploy/charts/airlock-microgateway-cni).
```bash
# Standard setup
helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.2.3'
kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
```
```bash
# GKE setup
helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.2.3' -f https://raw.githubusercontent.com/airlock/microgateway/4.2.3/deploy/charts/airlock-microgateway-cni/gke-values.yaml
kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
```
```bash
# OpenShift setup
helm install airlock-microgateway-cni -n openshift-operators oci://quay.io/airlockcharts/microgateway-cni --version '4.2.3' -f https://raw.githubusercontent.com/airlock/microgateway/4.2.3/deploy/charts/airlock-microgateway-cni/openshift-values.yaml
kubectl -n openshift-operators rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
```
**Important:** On OpenShift, all pods which should be protected by Airlock Microgateway must explicitly reference the Airlock Microgateway CNI NetworkAttachmentDefinition via the annotation `k8s.v1.cni.cncf.io/networks` (see [documentation](https://docs.airlock.com/microgateway/latest/#data/1658483168033.html) for details).
2. (Recommended) You can verify the correctness of the installation with `helm test`.
```bash
# Standard and GKE setup
helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.2.3'
helm test airlock-microgateway-cni -n kube-system --logs
helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.2.3'
```
```bash
# OpenShift setup
helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.2.3'
helm test airlock-microgateway-cni -n openshift-operators --logs
helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.2.3'
```
Consult our [documentation](https://docs.airlock.com/microgateway/latest/#data/1699611533587.html) in case of any installation error.
## Support
### Premium support
If you have a paid license, please follow the [premium support process](https://techzone.ergon.ch/support-process).
### Community support
For the community edition, check our **[Airlock community forum](https://forum.airlock.com/)** for FAQs or register to post your question.
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes. |
| commonAnnotations | object | `{}` | Annotations to add to all resources. |
| commonLabels | object | `{}` | Labels to add to all resources. |
| config.cniBinDir | string | `"/opt/cni/bin"` | Directory where the CNI plugin binaries reside on the host. |
| config.cniNetDir | string | `"/etc/cni/net.d"` | Directory where the CNI config files reside on the host. |
| config.excludeNamespaces | list | `["kube-system"]` | Namespaces for which this CNI plugin should not apply any modifications. |
| config.installMode | string | `"chained"` | Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers), as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. |
| config.logLevel | string | `"info"` | Log level for the CNI installer and plugin. |
| fullnameOverride | string | `""` | Allows overriding the name to use as full name of resources. |
| image.digest | string | `"sha256:82b5924866840f783cce2e9b4095b7710a0e1cbf555498e8723ca811ca916290"` | SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). Overrides tag when specified. |
| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. |
| image.repository | string | `"quay.io/airlock/microgateway-cni"` | Image repository from which to pull the Airlock Microgateway CNI image. |
| image.tag | string | `"4.2.3"` | Image tag to pull. |
| imagePullSecrets | list | `[]` | ImagePullSecrets to use when pulling images. |
| multusNetworkAttachmentDefinition.create | bool | `false` | Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods. |
| multusNetworkAttachmentDefinition.namespace | string | `"default"` | Namespace in which the NetworkAttachmentDefinition is deployed. Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation |
| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway-cni". |
| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes. |
| podAnnotations | object | `{}` | Annotations to add to all Pods. |
| podLabels | object | `{}` | Labels to add to all Pods. |
| privileged | bool | `false` | Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift). |
| rbac.create | bool | `true` | Whether to create RBAC resources which are required for the CNI plugin to function. |
| rbac.createSCCRole | OpenShift | `false` | Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint. |
| resources | object | `{"requests":{"cpu":"10m","memory":"100Mi"}}` | Resource restrictions to apply to the CNI installer container. |
| serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. |
| serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. |
| serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. |
| tests.enabled | bool | `false` | Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). If set to false, `helm test` will not run any tests. |
## License
View the [detailed license terms](https://www.airlock.com/en/airlock-license) for the software contained in this image.
* Decompiling or reverse engineering is not permitted.
* Using any of the deny rules or parts of these filter patterns outside of the image is not permitted.
Airlock<sup>&#174;</sup> is a security innovation by [ergon](https://www.ergon.ch/en)
<!-- Airlock SAH Logo (different image for light/dark mode) -->
<a href="https://www.airlock.com/en/secure-access-hub/">
<picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo_Negative.png">
<source media="(prefers-color-scheme: light)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo.png">
<img alt="Airlock Secure Access Hub" src="https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo.png" width="150">
</picture>
</a>

4
charts/airlock/microgateway-cni/4.2.3/gke-values.yaml Normal file
View File

@ -0,0 +1,4 @@
# values for deploying on GKE
config:
cniBinDir: "/home/kubernetes/bin"

15
charts/airlock/microgateway-cni/4.2.3/openshift-values.yaml Normal file
View File

@ -0,0 +1,15 @@
# values for deploying on OpenShift
rbac:
createSCCRole: true
privileged: true
multusNetworkAttachmentDefinition:
create: true
namespace: default
config:
installMode: "standalone"
cniNetDir: "/etc/cni/multus/net.d"
cniBinDir: "/var/lib/cni/bin"

18
charts/airlock/microgateway-cni/4.2.3/questions.yml Normal file
View File

@ -0,0 +1,18 @@
questions:
- variable: config.cniNetDir
required: true
type: string
label: CNI Network Configuration Directory
group: "CNI Settings"
description: "Directory where the CNI config files reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your kubernetes host."
- variable: config.cniBinDir
required: true
type: string
label: CNI Plugin Binaries Directory
group: "CNI Settings"
description: "Directory where the CNI plugin binaries reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your kubernetes host."
- variable: config.installMode
required: true
label: CNI Plugin Installation Mode
group: "CNI Settings"
description: "Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers) as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. Please refer to the CNI installation documentation (https://github.com/airlock/microgateway?tab=readme-ov-file#deploy-airlock-microgateway-cni) to correctly setup the CNI Plugin for your environment."

3
charts/airlock/microgateway-cni/4.2.3/templates/NOTES.txt Normal file
View File

@ -0,0 +1,3 @@
Thank you for installing Airlock Microgateway CNI.
For further information, please visit our documentation at https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" .}}.

101
charts/airlock/microgateway-cni/4.2.3/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,101 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "airlock-microgateway-cni.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Convert an image configuration object into an image ref string.
*/}}
{{- define "airlock-microgateway-cni.image" -}}
{{- if .digest -}}
{{- printf "%s@%s" .repository .digest -}}
{{- else if .tag -}}
{{- printf "%s:%s" .repository .tag -}}
{{- else -}}
{{- printf "%s" .repository -}}
{{- end -}}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 50 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec)
and the longest suffix is 13 characters.
If release name contains chart name it will be used as a full name.
*/}}
{{- define "airlock-microgateway-cni.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 50 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 50 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 50 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "airlock-microgateway-cni.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "airlock-microgateway-cni.labels" -}}
helm.sh/chart: {{ include "airlock-microgateway-cni.chart" . }}
{{ include "airlock-microgateway-cni.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.commonLabels }}
{{ toYaml .}}
{{- end }}
{{- end }}
{{/*
Common labels without component
*/}}
{{- define "airlock-microgateway-cni.labelsWithoutComponent" -}}
{{- $labels := fromYaml (include "airlock-microgateway-cni.labels" .) -}}
{{ unset $labels "app.kubernetes.io/component" | toYaml }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "airlock-microgateway-cni.selectorLabels" -}}
app.kubernetes.io/component: cni-plugin-installer
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/name: {{ include "airlock-microgateway-cni.name" . }}
{{- end }}
{{/*
Create the name of the service account to use for the CNI Plugin
*/}}
{{- define "airlock-microgateway-cni.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "airlock-microgateway-cni.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{- define "airlock-microgateway-cni.isSemver" -}}
{{- regexMatch `^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$` . -}}
{{- end -}}
{{- define "airlock-microgateway-cni.docsVersion" -}}
{{- if and (eq "true" (include "airlock-microgateway-cni.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}}
{{- $version := (semver .Chart.AppVersion) -}}
{{- $version.Major }}.{{ $version.Minor -}}
{{- else -}}
{{- print "latest" -}}
{{- end -}}
{{- end -}}

22
charts/airlock/microgateway-cni/4.2.3/templates/clusterrole.yaml Normal file
View File

@ -0,0 +1,22 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- patch
{{- end -}}

20
charts/airlock/microgateway-cni/4.2.3/templates/clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,20 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "airlock-microgateway-cni.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end -}}

22
charts/airlock/microgateway-cni/4.2.3/templates/configmap.yaml Normal file
View File

@ -0,0 +1,22 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
data:
plugin-conf.json: |-
{
"type": "{{ include "airlock-microgateway-cni.fullname" . }}",
"debug": {{ eq .Values.config.logLevel "debug" }},
"logFilePath": "/var/log/{{ include "airlock-microgateway-cni.fullname" . }}.log",
"kubernetes": {
"kubeconfig": "{{ .Values.config.cniNetDir }}/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig",
"excludeNamespaces": {{ toJson .Values.config.excludeNamespaces }}
}
}

136
charts/airlock/microgateway-cni/4.2.3/templates/daemonset.yaml Normal file
View File

@ -0,0 +1,136 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "airlock-microgateway-cni.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
kubectl.kubernetes.io/default-container: cni-installer
{{- with mustMerge .Values.podAnnotations .Values.commonAnnotations}}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- args:
- --log-level
- "{{ .Values.config.logLevel }}"
env:
- name: CNI_NETWORK_CONFIG
valueFrom:
configMapKeyRef:
key: plugin-conf.json
name: {{ include "airlock-microgateway-cni.fullname" . }}
- name: CNI_BIN_DIR
value: /host/opt/cni/bin
- name: CNI_NET_DIR
value: /host/etc/cni/net.d
- name: KUBECONFIG_FILE_NAME
value: "{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig"
- name: INSTALL_MODE
value: {{ .Values.config.installMode }}
- name: KUBERNETES_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
image: {{ include "airlock-microgateway-cni.image" .Values.image }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
name: cni-installer
{{- with .Values.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
startupProbe:
exec:
command:
- /cni-installer
- probe
failureThreshold: 5
initialDelaySeconds: 3
periodSeconds: 3
timeoutSeconds: 3
readinessProbe:
exec:
command:
- /cni-installer
- probe
failureThreshold: 1
periodSeconds: 60
timeoutSeconds: 3
securityContext:
allowPrivilegeEscalation: {{ .Values.privileged }}
capabilities:
drop:
- ALL
privileged: {{ .Values.privileged }}
readOnlyRootFilesystem: true
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /host/opt/cni/bin
name: cni-bin-dir
- mountPath: /host/etc/cni/net.d
name: cni-net-dir
- mountPath: /run/cni-installer
name: cni-installer-status
hostNetwork: true
priorityClassName: system-node-critical
restartPolicy: Always
securityContext:
fsGroup: 0
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
serviceAccountName: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
terminationGracePeriodSeconds: 5
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
tolerations:
- effect: NoSchedule
operator: Exists
- key: CriticalAddonsOnly
operator: Exists
- effect: NoExecute
operator: Exists
volumes:
- hostPath:
path: "{{ .Values.config.cniBinDir }}"
type: Directory
name: cni-bin-dir
- hostPath:
path: "{{ .Values.config.cniNetDir }}"
type: Directory
name: cni-net-dir
- emptyDir: {}
name: cni-installer-status

13
charts/airlock/microgateway-cni/4.2.3/templates/network-attachment-definition.yaml Normal file
View File

@ -0,0 +1,13 @@
{{- if .Values.multusNetworkAttachmentDefinition.create -}}
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
namespace: {{ .Values.multusNetworkAttachmentDefinition.namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}

22
charts/airlock/microgateway-cni/4.2.3/templates/scc-role.yaml Normal file
View File

@ -0,0 +1,22 @@
{{- if .Values.rbac.createSCCRole -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- security.openshift.io
resourceNames:
- privileged
resources:
- securitycontextconstraints
verbs:
- use
{{- end -}}

20
charts/airlock/microgateway-cni/4.2.3/templates/scc-rolebinding.yaml Normal file
View File

@ -0,0 +1,20 @@
{{- if .Values.rbac.createSCCRole -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged
subjects:
- kind: ServiceAccount
name: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
{{- end -}}

13
charts/airlock/microgateway-cni/4.2.3/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,13 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with mustMerge .Values.serviceAccount.annotations .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}

64
charts/airlock/microgateway-cni/4.2.3/templates/tests/rbac.yaml Normal file
View File

@ -0,0 +1,64 @@
{{- if .Values.tests.enabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }}
app.kubernetes.io/component: tests
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }}
app.kubernetes.io/component: tests
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
subjects:
- kind: ServiceAccount
name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }}
app.kubernetes.io/component: tests
rules:
- apiGroups:
- "apps"
resources:
- daemonsets
resourceNames:
- {{ include "airlock-microgateway-cni.fullname" . }}
verbs:
- get
- watch
- list
- apiGroups:
- ""
resources:
- pods
- pods/log
verbs:
- get
- list
{{- if .Values.rbac.createSCCRole }}
- apiGroups:
- security.openshift.io
resourceNames:
- privileged
resources:
- securitycontextconstraints
verbs:
- use
{{- end -}}
{{- end -}}

103
charts/airlock/microgateway-cni/4.2.3/templates/tests/test-install.yaml Normal file
View File

@ -0,0 +1,103 @@
{{- if .Values.tests.enabled -}}
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "airlock-microgateway-cni.fullname" . }}-test-install"
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }}
app.kubernetes.io/component: test-install
annotations:
helm.sh/hook: test
helm.sh/hook-delete-policy: before-hook-creation
spec:
restartPolicy: Never
containers:
- name: test
image: "bitnami/kubectl:{{ .Capabilities.KubeVersion.Major }}.{{ .Capabilities.KubeVersion.Minor }}"
securityContext:
allowPrivilegeEscalation: {{ .Values.privileged }}
capabilities:
drop:
- ALL
privileged: {{ .Values.privileged }}
readOnlyRootFilesystem: true
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /host/opt/cni/bin
name: cni-bin-dir
readOnly: true
- mountPath: /host/etc/cni/net.d
name: cni-net-dir
readOnly: true
command:
- sh
- -c
- |
set -eu
fail() {
echo "Error: ${1}"
echo ""
echo 'CNI installer logs:'
kubectl logs -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}} -c cni-installer
exit 1
}
containsMGWCNIConf() {
cat "${1}" | grep -qe '"type":.*"{{ include "airlock-microgateway-cni.fullname" . }}"'
}
if ! kubectl rollout status --timeout=60s -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}}; then
fail 'CNI DaemonSet rollout did not complete within timeout'
fi
echo "Checking whether CNI binary was installed"
if ! [ -f "/host/opt/cni/bin/{{ include "airlock-microgateway-cni.fullname" . }}" ]; then
fail 'CNI binary was not installed'
fi
echo "Checking whether CNI kubeconfig was installed"
if ! [ -f "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig" ]; then
fail 'CNI kubeconfig was not created'
fi
echo "Checking whether CNI configuration was written"
case {{ .Values.config.installMode }} in
"chained")
for file in "/host/etc/cni/net.d/"*.conflist; do
if containsMGWCNIConf "${file}"; then
echo "Success"
exit 0
fi
done
;;
"standalone")
if containsMGWCNIConf "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . }}.conflist"; then
echo "Success"
exit 0
fi
;;
"manual")
echo "- Skipping because we are in 'manual' install mode"
echo "Success"
exit 0
;;
esac
fail 'Configuration for plugin "{{ include "airlock-microgateway-cni.fullname" . }}" was not found'
serviceAccountName: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
volumes:
- hostPath:
path: "{{ .Values.config.cniBinDir }}"
type: Directory
name: cni-bin-dir
- hostPath:
path: "{{ .Values.config.cniNetDir }}"
type: Directory
name: cni-net-dir
{{- end -}}

225
charts/airlock/microgateway-cni/4.2.3/values.schema.json Normal file
View File

@ -0,0 +1,225 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"type": "object",
"properties": {
"nameOverride": {
"type": "string"
},
"fullnameOverride": {
"type": "string"
},
"commonLabels": {
"$ref": "#/definitions/StringMap"
},
"commonAnnotations": {
"$ref": "#/definitions/StringMap"
},
"imagePullSecrets": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"minLength": 1
}
},
"required": [
"name"
],
"additionalProperties": true
}
},
"image": {
"$ref": "#/definitions/Image"
},
"podAnnotations": {
"$ref": "#/definitions/StringMap"
},
"podLabels": {
"$ref": "#/definitions/StringMap"
},
"resources": {
"type": "object"
},
"nodeSelector": {
"$ref": "#/definitions/StringMap"
},
"affinity": {
"type": "object"
},
"rbac": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"createSCCRole": {
"type": "boolean"
}
},
"required": [
"create",
"createSCCRole"
],
"additionalProperties": false
},
"privileged": {
"type": "boolean"
},
"serviceAccount": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"annotations": {
"$ref": "#/definitions/StringMap"
},
"name": {
"type": "string"
}
},
"required": [
"annotations",
"create",
"name"
],
"additionalProperties": false
},
"multusNetworkAttachmentDefinition": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"namespace": {
"type": "string"
}
},
"required": [
"create",
"namespace"
],
"additionalProperties": false
},
"config": {
"type": "object",
"properties": {
"installMode": {
"type": "string",
"enum": [
"chained",
"standalone",
"manual"
]
},
"logLevel": {
"type": "string",
"enum": [
"debug",
"info",
"warn",
"error"
]
},
"cniNetDir": {
"type": "string",
"minLength": 1
},
"cniBinDir": {
"type": "string",
"minLength": 1
},
"excludeNamespaces": {
"type": "array",
"items": {
"type": "string"
}
}
},
"required": [
"cniBinDir",
"cniNetDir",
"excludeNamespaces",
"installMode",
"logLevel"
],
"additionalProperties": false
},
"tests": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
}
},
"required": [
"enabled"
],
"additionalProperties": false
},
"global": {
"type": "object"
}
},
"required": [
"affinity",
"commonAnnotations",
"commonLabels",
"config",
"fullnameOverride",
"image",
"imagePullSecrets",
"multusNetworkAttachmentDefinition",
"nameOverride",
"nodeSelector",
"podAnnotations",
"podLabels",
"privileged",
"rbac",
"resources",
"serviceAccount",
"tests"
],
"additionalProperties": false,
"definitions": {
"StringMap": {
"type": "object",
"additionalProperties": {
"type": "string"
}
},
"Image": {
"type": "object",
"properties": {
"repository": {
"type": "string",
"minLength": 1
},
"tag": {
"type": "string"
},
"digest": {
"type": "string",
"pattern": "^$|^sha256:[a-f0-9]{64}$"
},
"pullPolicy": {
"type": "string",
"enum": [
"Always",
"IfNotPresent",
"Never"
]
}
},
"required": [
"digest",
"pullPolicy",
"repository",
"tag"
],
"additionalProperties": false
}
}
}

81
charts/airlock/microgateway-cni/4.2.3/values.yaml Normal file
View File

@ -0,0 +1,81 @@
# -- Allows overriding the name to use instead of "microgateway-cni".
nameOverride: ""
# -- Allows overriding the name to use as full name of resources.
fullnameOverride: ""
# -- Labels to add to all resources.
commonLabels: {}
# -- Annotations to add to all resources.
commonAnnotations: {}
# -- ImagePullSecrets to use when pulling images.
imagePullSecrets: []
# - name: myRegistryKeySecretName
# Specifies the Airlock Microgateway CNI image.
image:
# -- Image repository from which to pull the Airlock Microgateway CNI image.
repository: "quay.io/airlock/microgateway-cni"
# -- Image tag to pull.
tag: "4.2.3"
# -- SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a").
# Overrides tag when specified.
digest: "sha256:82b5924866840f783cce2e9b4095b7710a0e1cbf555498e8723ca811ca916290"
# -- Pull policy for this image.
pullPolicy: IfNotPresent
# -- Annotations to add to all Pods.
podAnnotations: {}
# -- Labels to add to all Pods.
podLabels: {}
# -- Resource restrictions to apply to the CNI installer container.
resources:
requests:
cpu: 10m
memory: 100Mi
# -- NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes.
nodeSelector:
kubernetes.io/os: linux
# -- Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes.
affinity: {}
# Configures the generation of RBAC Roles and RoleBindings.
rbac:
# -- Whether to create RBAC resources which are required for the CNI plugin to function.
create: true
# -- (OpenShift) Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint.
createSCCRole: false
# -- Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift).
privileged: false
# Configures the generation of the ServiceAccount.
serviceAccount:
# -- Whether a ServiceAccount should be created.
create: true
# -- Annotations to add to the ServiceAccount.
annotations: {}
# -- Name of the ServiceAccount to use.
# If not set and create is true, a name is generated using the fullname template.
name: ""
# Configures the generation of a NetworkAttachmentDefinition for use with Multus CNI (OpenShift)
multusNetworkAttachmentDefinition:
# -- Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods.
create: false
# -- Namespace in which the NetworkAttachmentDefinition is deployed.
# Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces
# may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation
namespace: default
# Parameters for the CNI installer configuration.
config:
# -- Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers),
# as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift)
# or in `manual` mode, where no CNI network configuration is written.
installMode: "chained"
# -- Log level for the CNI installer and plugin.
logLevel: info
# -- Directory where the CNI config files reside on the host.
cniNetDir: "/etc/cni/net.d"
# -- Directory where the CNI plugin binaries reside on the host.
cniBinDir: "/opt/cni/bin"
# -- Namespaces for which this CNI plugin should not apply any modifications.
excludeNamespaces:
- kube-system
tests:
# -- Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts).
# If set to false, `helm test` will not run any tests.
enabled: false

28
charts/airlock/microgateway/4.2.3/.helmignore Normal file
View File

@ -0,0 +1,28 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
# CRDs kustomization.yaml
/crds/kustomization.yaml
# Helm unit tests
/tests
/validation

44
charts/airlock/microgateway/4.2.3/Chart.yaml Normal file
View File

@ -0,0 +1,44 @@
annotations:
artifacthub.io/category: security
artifacthub.io/license: MIT
artifacthub.io/links: |
- name: Airlock Microgateway Documentation
url: https://docs.airlock.com/microgateway/4.2/
- name: Airlock Microgateway Labs
url: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=artifacthub.io
- name: Airlock Microgateway Forum
url: https://forum.airlock.com/
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Airlock Microgateway
catalog.cattle.io/kube-version: '>=1.25.0-0'
catalog.cattle.io/release-name: microgateway
charts.openshift.io/name: Airlock Microgateway
apiVersion: v2
appVersion: 4.2.3
description: A Helm chart for deploying the Airlock Microgateway
home: https://www.airlock.com/en/microgateway
icon: file://assets/icons/microgateway.svg
keywords:
- WAF
- Web Application Firewall
- WAAP
- Web Application and API protection
- OWASP
- Airlock
- Microgateway
- Security
- Filtering
- DevSecOps
- shift left
- control plane
- Operator
kubeVersion: '>=1.25.0-0'
maintainers:
- email: support@airlock.com
name: Airlock
url: https://www.airlock.com/
name: microgateway
sources:
- https://github.com/airlock/microgateway
type: application
version: 4.2.3

167
charts/airlock/microgateway/4.2.3/README.md Normal file
View File

@ -0,0 +1,167 @@
# Airlock Microgateway
![Version: 4.2.3](https://img.shields.io/badge/Version-4.2.3-informational?style=flat-square) ![AppVersion: 4.2.3](https://img.shields.io/badge/AppVersion-4.2.3-informational?style=flat-square)
*Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.*
<picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight_Negative.svg">
<source media="(prefers-color-scheme: light)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight.svg">
<img alt="Microgateway" src="https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight.svg" align="right" width="250">
</picture>
Modern application security is embedded in the development workflow and follows DevSecOps paradigms. Airlock Microgateway is the perfect fit for these requirements. It is a lightweight alternative to the Airlock Gateway appliance, optimized for Kubernetes environments. Airlock Microgateway protects your applications and microservices with the tried-and-tested Airlock security features against attacks, while also providing a high degree of scalability.
__This Helm chart is part of Airlock Microgateway. See our [GitHub repo](https://github.com/airlock/microgateway/tree/4.2.3).__
### Features
* Kubernetes native integration with its Operator, Custom Resource Definitions, hot-reload, automatic sidecar injection.
* Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction
* Using native Envoy HTTP filters like Lua scripting, RBAC, ext_authz, JWT authentication
* Content security filters for protecting against known attacks (OWASP Top 10)
* Access control to allow only authenticated users to access the protected services
* API security features like JSON parsing or OpenAPI specification enforcement
For a list of all features, view the **[comparison of the community and premium edition](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html)**.
## Documentation and links
Check the official documentation at **[docs.airlock.com](https://docs.airlock.com/microgateway/latest/)** or the product website at **[airlock.com/microgateway](https://www.airlock.com/en/microgateway)**. The links below point out the most interesting documentation sites when starting with Airlock Microgateway.
* [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html)
* [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html)
* [Installation](https://docs.airlock.com/microgateway/latest/#data/1660804708637.html)
* [Troubleshooting](https://docs.airlock.com/microgateway/latest/#data/1659430054787.html)
* [GitHub](https://github.com/airlock/microgateway)
# Quick start guide
The instructions below provide a quick start guide. Detailed information are provided in the **[manual](https://docs.airlock.com/microgateway/latest/)**.
## Prerequisites
* [Airlock Microgateway CNI](https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni)
* [Airlock Microgateway License](#obtain-airlock-microgateway-license)
* [cert-manager](https://cert-manager.io/)
* [helm](https://helm.sh/docs/intro/install/) (>= v3.8.0)
In order to use Airlock Microgateway you need a license and the cert-manager. You may either request a community license free of charge or purchase a premium license.
For an easy start in non-production environments, you may deploy the same cert-manager we are using internally for testing.
### Obtain Airlock Microgateway License
1. Either request a community or premium license
* Community license: [airlock.com/microgateway-community](https://airlock.com/en/microgateway-community)
* Premium license: [airlock.com/microgateway-premium](https://airlock.com/en/microgateway-premium)
2. Check your inbox and save the license file microgateway-license.txt locally.
> See [Community vs. Premium editions in detail](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html) to choose the right license type.
### Deploy cert-manager
```bash
# Install cert-manager
kubectl apply -k https://github.com/airlock/microgateway/examples/utilities/cert-manager/?ref=4.2.3
# Wait for the cert-manager to be up and running
kubectl -n cert-manager wait --for=condition=ready --timeout=600s pod -l app.kubernetes.io/instance=cert-manager
```
## Deploy Airlock Microgateway Operator
> This guide assumes a microgateway-license.txt file is present in the working directory.
1. Install CRDs and Operator.
```bash
# Create namespace
kubectl create namespace airlock-microgateway-system
# Install License
kubectl -n airlock-microgateway-system create secret generic airlock-microgateway-license --from-file=microgateway-license.txt
# Install Operator (CRDs are included via the standard Helm 3 mechanism, i.e. Helm will handle initial installation but not upgrades)
helm install airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway --version '4.2.3' --wait
```
2. (Recommended) You can verify the correctness of the installation with `helm test`.
```bash
helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.2.3'
helm test airlock-microgateway -n airlock-microgateway-system --logs
helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.2.3'
```
### Upgrading CRDs
The `helm install/upgrade` command currently does not support upgrading CRDs that already exist in the cluster.
CRDs should instead be manually upgraded before upgrading the Operator itself via the following command:
```bash
kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=4.2.3 --server-side --force-conflicts
```
**Note**: Certain GitOps solutions such as e.g. Argo CD or Flux CD have their own mechanisms for automatically upgrading CRDs included with Helm charts.
## Support
### Premium support
If you have a paid license, please follow the [premium support process](https://techzone.ergon.ch/support-process).
### Community support
For the community edition, check our **[Airlock community forum](https://forum.airlock.com/)** for FAQs or register to post your question.
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| commonAnnotations | object | `{}` | Annotations to add to all resources. |
| commonLabels | object | `{}` | Labels to add to all resources. |
| crds.skipVersionCheck | bool | `false` | Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs. The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster when performing a "helm install/upgrade". |
| engine.image.digest | string | `"sha256:9b0debeef611172aa5ca79c6b8cd045e56a3c883763ec62c0fa211bb86d35304"` | SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). Overrides tag when specified. |
| engine.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. |
| engine.image.repository | string | `"quay.io/airlock/microgateway-engine"` | Image repository from which to pull the Airlock Microgateway Engine image. |
| engine.image.tag | string | `"4.2.3"` | Image tag to pull. |
| engine.resources | object | `{}` | Resource restrictions to apply to the Airlock Microgateway Engine container. |
| engine.sidecar.podMonitor.create | bool | `false` | Whether to create a PodMonitor resource for monitoring. |
| engine.sidecar.podMonitor.labels | object | `{}` | Labels to add to the PodMonitor. |
| fullnameOverride | string | `""` | Allows overriding the name to use as full name of resources. |
| imagePullSecrets | list | `[]` | ImagePullSecrets to use when pulling images. |
| license.secretName | string | `"airlock-microgateway-license"` | Name of the secret containing the "microgateway-license.txt" key. |
| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway". |
| networkValidator.image.digest | string | `"sha256:a212cef6665b2464a41307162fa96e9623aa45c3fa32c39d320eae8b730d81e0"` | SHA256 image digest to pull (in the format "sha256:a212cef6665b2464a41307162fa96e9623aa45c3fa32c39d320eae8b730d81e0"). Overrides tag when specified. |
| networkValidator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. |
| networkValidator.image.repository | string | `"cgr.dev/chainguard/busybox"` | Image repository from which to pull the busybox image for the Airlock Microgateway Network Validator init-container. |
| networkValidator.image.tag | string | `""` | Image tag to pull. |
| operator.affinity | object | `{}` | Custom affinity to apply to the operator Deployment. Used to influence the scheduling. |
| operator.config.logLevel | string | `"info"` | Operator application log level. |
| operator.image.digest | string | `"sha256:a429dfdb636e76bfbee7c59cfbe53d5f396c1f5603d5cb187f6283301ba4d7ba"` | SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63"). Overrides tag when specified. |
| operator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. |
| operator.image.repository | string | `"quay.io/airlock/microgateway-operator"` | Image repository from which to pull the Airlock Microgateway Operator image. |
| operator.image.tag | string | `"4.2.3"` | Image tag to pull. |
| operator.nodeSelector | object | `{}` | Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes. |
| operator.podAnnotations | object | `{}` | Annotations to add to all Pods. |
| operator.podLabels | object | `{}` | Labels to add to all Pods. |
| operator.rbac.create | bool | `true` | Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function. |
| operator.replicaCount | int | `2` | Number of replicas for the operator Deployment. |
| operator.resources | object | `{}` | Resource restrictions to apply to the operator container. |
| operator.serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. |
| operator.serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. |
| operator.serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. |
| operator.serviceAnnotations | object | `{}` | Annotations to add to the Service. |
| operator.serviceLabels | object | `{}` | Labels to add to the Service. |
| operator.serviceMonitor.create | bool | `false` | Whether to create a ServiceMonitor resource for monitoring. |
| operator.serviceMonitor.labels | object | `{}` | Labels to add to the ServiceMonitor. |
| operator.tolerations | list | `[]` | Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes. |
| operator.updateStrategy | object | `{"type":"RollingUpdate"}` | Specifies the operator update strategy. |
| tests.enabled | bool | `false` | Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). If set to false, `helm test` will not run any tests. |
## License
View the [detailed license terms](https://www.airlock.com/en/airlock-license) for the software contained in this image.
* Decompiling or reverse engineering is not permitted.
* Using any of the deny rules or parts of these filter patterns outside of the image is not permitted.
Airlock<sup>&#174;</sup> is a security innovation by [ergon](https://www.ergon.ch/en)
<!-- Airlock SAH Logo (different image for light/dark mode) -->
<a href="https://www.airlock.com/en/secure-access-hub/">
<picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo_Negative.png">
<source media="(prefers-color-scheme: light)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo.png">
<img alt="Airlock Secure Access Hub" src="https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo.png" width="150">
</picture>
</a>

28
charts/airlock/microgateway/4.2.3/app-readme.md Normal file
View File

@ -0,0 +1,28 @@
# Airlock Microgateway
*Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.*
## Features
* Kubernetes native integration with its Operator, Custom Resource Definitions, hot-reload, automatic sidecar injection.
* Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction
* Using native Envoy HTTP filters like Lua scripting, RBAC, ext_authz, JWT authentication
* Content security filters for protecting against known attacks (OWASP Top 10)
* Access control to allow only authenticated users to access the protected services
* API security features like JSON parsing or OpenAPI specification enforcement
For a list of all features, view the **[comparison of the community and premium edition](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html)**.
## Requirements
* [Airlock Microgateway CNI Helm Chart](https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni) (Also available as Rancher Chart)
* [Airlock Microgateway License](https://github.com/airlock/microgateway?tab=readme-ov-file#obtain-airlock-microgateway-license) (After obtaining the license install it according to the [documentation](https://github.com/airlock/microgateway?tab=readme-ov-file#deploy-airlock-microgateway-operator))
* [cert-manager](https://cert-manager.io/docs/installation/)
## Documentation and links
Check the official documentation at **[docs.airlock.com](https://docs.airlock.com/microgateway/latest/)** or the product website at **[airlock.com/microgateway](https://www.airlock.com/en/microgateway)**. The links below point out the most interesting documentation sites when starting with Airlock Microgateway.
* [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html)
* [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html)
* [Installation](https://docs.airlock.com/microgateway/latest/#data/1660804708637.html)
* [Troubleshooting](https://docs.airlock.com/microgateway/latest/#data/1659430054787.html)
* [GitHub](https://github.com/airlock/microgateway)

124
charts/airlock/microgateway/4.2.3/crds/accesscontrols.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,124 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.2.3
name: accesscontrols.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: AccessControl
listKind: AccessControlList
plural: accesscontrols
singular: accesscontrol
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: AccessControl specifies the options to perform access control with a Microgateway Engine container.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specifies how the Airlock Microgateway Engine performs access control.
properties:
policies:
description: Policies configures access control policies.
items:
properties:
authorization:
description: Authorization configures how requests are authorized. An empty object value {} disables authorization.
properties:
authentication:
description: Authentication specifies that clients need to be authenticated with the provided method.
properties:
oidc:
description: OIDC configures client authentication using OpenID Connect.
properties:
oidcRelyingPartyRef:
description: OIDCRelyingPartyRef configures how the Airlock Microgateway Engine interacts with the OpenID provider.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- oidcRelyingPartyRef
type: object
type: object
type: object
identityPropagation:
description: IdentityPropagation configures how the authenticated user's identity is communicated to the protected application.
properties:
actions:
description: Actions specifies the propagation actions.
items:
properties:
identityPropagationRef:
description: IdentityPropagationRef selects an IdentityPropagation to apply.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- identityPropagationRef
type: object
type: array
onFailure:
description: |-
OnFailure configures what should happen, if an identity propagation fails. Meaning of the possible values:
_Pass_: The request should be forwarded to the upstream, without including the information from the failed identity propagations.
enum:
- Pass
type: string
required:
- actions
- onFailure
type: object
required:
- authorization
type: object
maxItems: 1
minItems: 1
type: array
required:
- policies
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}

127
charts/airlock/microgateway/4.2.3/crds/contentsecurities.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,127 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.2.3
name: contentsecurities.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: ContentSecurity
listKind: ContentSecurityList
plural: contentsecurities
singular: contentsecurity
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: ContentSecurity specifies the options to secure an upstream web application with a Microgateway Engine container.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specifies the options to secure an upstream web application with a Microgateway Engine container.
properties:
apiProtection:
description: |-
APIProtection defines the relevant configurations to protect APIs.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
openAPIRef:
description: |-
OpenAPIRef selects the relevant OpenAPI configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: object
filter:
description: |-
Filter defines the set of filters, e.g. Airlock Deny Rules, to be applied to incoming requests
to protect against various attack patterns.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
denyRulesRef:
description: |-
DenyRulesRef selects the relevant DenyRules configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: object
headerRewritesRef:
description: |-
HeaderRewritesRef selects the relevant HeaderRewrites.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
limitsRef:
description: |-
LimitsRef selects the relevant Limits configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
parserRef:
description: |-
ParserRef selects the relevant Parser configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: object
type: object
served: true
storage: true
subresources: {}

1508
charts/airlock/microgateway/4.2.3/crds/denyrules.microgateway.airlock.com.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

58
charts/airlock/microgateway/4.2.3/crds/envoyclusters.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,58 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.2.3
name: envoyclusters.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: EnvoyCluster
listKind: EnvoyClusterList
plural: envoyclusters
singular: envoycluster
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: EnvoyCluster is an additional Envoy Cluster resource which is added to those defined by the Airlock Microgateway.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired additional Envoy cluster.
properties:
value:
description: Value defines the Envoy Cluster which is added to those configured by the Airlock Microgateway.
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
served: true
storage: true
subresources: {}

182
charts/airlock/microgateway/4.2.3/crds/envoyconfigurations.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,182 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.2.3
name: envoyconfigurations.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: EnvoyConfiguration
listKind: EnvoyConfigurationList
plural: envoyconfigurations
singular: envoyconfiguration
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.status
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
EnvoyConfiguration is the Schema for the envoyconfigurations API
{{% notice warning %}} EnvoyConfiguration resources may contain sensitive information and thus RBAC permissions should be granted with care. {{% /notice %}}
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: EnvoyConfigurationSpec defines the desired state of EnvoyConfiguration
properties:
envoyResources:
description: EnvoyResources defines the desired state for each resource type.
properties:
clusters:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
endpoints:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
extensions:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
listeners:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
routes:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
runtimes:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
scopedRoutes:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
secrets:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
type: object
nodeID:
description: NodeID defines the ID of the envoy node
type: string
required:
- nodeID
type: object
status:
description: EnvoyConfigurationStatus defines the observed state of EnvoyConfiguration
properties:
conditions:
items:
properties:
lastTransitionTime:
description: Last time the condition transitioned from one status to another.
format: date-time
type: string
message:
description: A human-readable message indicating details about the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of EnvoyConfiguration condition.
type: string
required:
- status
- type
type: object
type: array
status:
type: string
xds:
properties:
resourceTypes:
additionalProperties:
description: XdsResourceTypeSyncStatus defines the sync status of xDS for a specific resource type
properties:
errorMessage:
description: ErrorMessage defines an optional message why the currently served resources of this resource type are rejected by the client.
type: string
resources:
additionalProperties:
description: XdsResourceStatus defines the status of xDS for a specific resource
properties:
version:
description: Version defines the version which is currently served for this resource.
type: string
required:
- version
type: object
description: Resources defines the resources which are currently served for this resource type.
type: object
status:
description: Status defines the current sync status of this resource type.
type: string
version:
description: Version defines the version which is currently served for this resource type.
type: string
required:
- resources
- status
- version
type: object
description: ResourceTypes defines the sync statuses for each resource type.
type: object
version:
description: Version defines the version of the underlying xDS snapshot.
type: integer
required:
- version
type: object
required:
- status
- xds
type: object
type: object
served: true
storage: true
subresources:
status: {}

58
charts/airlock/microgateway/4.2.3/crds/envoyhttpfilters.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,58 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.2.3
name: envoyhttpfilters.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: EnvoyHTTPFilter
listKind: EnvoyHTTPFilterList
plural: envoyhttpfilters
singular: envoyhttpfilter
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: EnvoyHTTPFilter is an additional Envoy HTTP Filter resource which is added to those defined by the Airlock Microgateway.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired additional Envoy HTTP filter.
properties:
value:
description: Value defines the HTTP filter which is added to those configured by the Airlock Microgateway.
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
served: true
storage: true
subresources: {}

759
charts/airlock/microgateway/4.2.3/crds/headerrewrites.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,759 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.2.3
name: headerrewrites.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: HeaderRewrites
listKind: HeaderRewritesList
plural: headerrewrites
singular: headerrewrites
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: HeaderRewrites is the Schema for the headerrewrites API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired header rewriting behavior.
properties:
request:
description: Request defines manipulations on upstream request headers.
properties:
add:
description: Add defines which request headers will be added before forwarding to the upstream.
properties:
custom:
description: |-
Custom allows configuring additional upstream request headers.
Add selected headers.
items:
properties:
headers:
description: Headers to add.
items:
description: HeaderRewritesHeader specifies a header with a particular value
properties:
name:
description: Name defines the name of a header.
minLength: 1
type: string
value:
description: Value defines the value of a header.
type: string
required:
- name
- value
type: object
minItems: 1
type: array
mode:
default: AddIfAbsent
description: Mode defines the header addition strategy.
enum:
- AddIfAbsent
- OverwriteOrAdd
type: string
name:
description: Name describing the configured operation.
minLength: 1
type: string
required:
- headers
- name
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
allow:
description: |-
Allow defines which request headers will be forwarded to the upstream.
This can either be allHeaders or matchingHeaders.
Default: matchingHeaders: {...}
properties:
allHeaders:
description: AllHeaders specifies that all request headers should be forwarded.
type: object
matchingHeaders:
description: MatchingHeaders specifies which request headers should be forwarded.
properties:
builtIn:
description: BuiltIn allows configuring a set of predefined upstream request headers.
properties:
standardHeaders:
default: true
description: StandardHeaders defines whether the request headers which are forwarded to the upstream will be restricted to a set of common request headers.
type: boolean
type: object
custom:
description: Custom allows configuring additional upstream request headers.
items:
properties:
headers:
description: Headers to allow.
items:
description: |-
HeaderMatcher defines a matcher for an HTTP header.
At least one of name and value must be set.
properties:
name:
description: Name defines the name of a header.
properties:
matcher:
description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a header.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
minItems: 1
type: array
name:
description: Name describing the configured operation. Must be unique.
minLength: 1
type: string
required:
- headers
- name
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
type: object
remove:
description: Remove defines which request headers will be removed before forwarding to the upstream.
properties:
builtIn:
description: BuiltIn allows configuring a set of predefined upstream request headers.
properties:
alternativeForwardedHeaders:
default: true
description: |-
AlternativeForwardedHeaders removes downstream request headers which could potentially
be abused to alter the upstream's view of the remote connection.
type: boolean
type: object
custom:
description: Custom allows configuring additional upstream request headers.
items:
properties:
headers:
description: Headers to remove.
items:
description: |-
HeaderMatcher defines a matcher for an HTTP header.
At least one of name and value must be set.
properties:
name:
description: Name defines the name of a header.
properties:
matcher:
description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a header.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
minItems: 1
type: array
name:
description: Name describing the configured operation. Must be unique.
minLength: 1
type: string
required:
- headers
- name
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
type: object
response:
description: Response defines manipulations on upstream response headers.
properties:
add:
description: Add defines which response headers will be added before forwarding to the downstream.
properties:
builtIn:
description: BuiltIn allows configuring a set of predefined upstream response headers.
properties:
csp:
default: true
description: |-
CSP sets a content security policy which allows only same-origin requests except for images
if the 'Content-Security-Policy' header is not set by the upstream.
type: boolean
featurePolicy:
default: false
description: |-
FeaturePolicy sets a feature policy which prevents cross-origin use of several browser features
if the 'Feature-Policy' header is not set by the upstream.
**Deprecated:** Use permissionsPolicy instead.
type: boolean
hsts:
default: true
description: HSTS enforces the use of HTTPS if the 'Strict-Transport-Security' header is not already set by the upstream.
type: boolean
hstsPreload:
default: false
description: HSTSPreload enforces the use of HTTPS including for subdomains and enables HSTS preload.
type: boolean
permissionsPolicy:
default: true
description: |-
PermissionsPolicy sets a permissions policy which prevents cross-origin use of several browser features
if the 'Permissions-Policy' header is not set by the upstream.
type: boolean
referrerPolicy:
default: true
description: |-
ReferrerPolicy ensures that no 'Referer' header is sent for cross-origin requests
if the 'Referrer-Policy' header is not set by the upstream.
type: boolean
xContentTypeOptions:
default: true
description: XContentTypeOptions sets 'X-Content-Type-Options' to 'nosniff' if it is not set by the upstream.
type: boolean
xFrameOptions:
default: true
description: XFrameOptions sets 'X-Frame-Options' to SAMEORIGIN if it is not set by the upstream.
type: boolean
type: object
custom:
description: Custom allows configuring additional upstream response headers.
items:
properties:
headers:
description: Headers to add.
items:
description: HeaderRewritesHeader specifies a header with a particular value
properties:
name:
description: Name defines the name of a header.
minLength: 1
type: string
value:
description: Value defines the value of a header.
type: string
required:
- name
- value
type: object
minItems: 1
type: array
mode:
default: AddIfAbsent
description: Mode defines the header addition strategy.
enum:
- AddIfAbsent
- OverwriteOrAdd
type: string
name:
description: Name describing the configured operation.
minLength: 1
type: string
required:
- headers
- name
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
allow:
description: |-
Allow defines which response headers will be forwarded to the downstream.
This can either be allHeaders or matchingHeaders.
Default: allHeaders: {}
properties:
allHeaders:
description: AllHeaders specifies that all response headers should be forwarded.
type: object
matchingHeaders:
description: MatchingHeaders specifies which response headers should be forwarded.
properties:
builtIn:
description: BuiltIn allows configuring a set of predefined upstream response header.
properties:
standardHeaders:
default: false
description: StandardHeaders defines whether the response headers which are forwarded to the downstream will be restricted to a set of common response headers.
type: boolean
type: object
custom:
description: Custom allows configuring additional upstream response headers.
items:
properties:
headers:
description: Headers to allow.
items:
description: |-
HeaderMatcher defines a matcher for an HTTP header.
At least one of name and value must be set.
properties:
name:
description: Name defines the name of a header.
properties:
matcher:
description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a header.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
minItems: 1
type: array
name:
description: Name describing the configured operation. Must be unique.
minLength: 1
type: string
required:
- headers
- name
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
type: object
remove:
description: Remove defines which response headers will be removed before forwarding to the downstream.
properties:
builtIn:
description: BuiltIn allows configuring a set of predefined upstream response headers.
properties:
auth:
description: Auth defines the categories of headers concerning authentication.
properties:
basic:
default: false
description: Basic removes upstream response headers that advise clients to authenticate with Basic Authentication.
type: boolean
negotiate:
default: true
description: Negotiate removes upstream response headers that advise clients to authenticate with Negotiate.
type: boolean
ntlm:
default: true
description: |-
NTLM removes upstream response headers that advise clients to authenticate with NTLM.
By default, these headers are removed, because NTLM pass-through is not supported.
type: boolean
type: object
informationLeakage:
description: InformationLeakage defines the categories of headers concerning information leakage.
properties:
application:
default: true
description: Application removes upstream response headers that leak information about the deployed software.
type: boolean
server:
default: true
description: Server removes upstream response headers that leak information about the server.
type: boolean
type: object
permissiveCors:
default: true
description: PermissiveCORS removes upstream response headers for CORS (Cross-Origin Resource Sharing) which have no restrictions and therefore reduce client-side security.
type: boolean
type: object
custom:
description: Custom allows configuring additional upstream response headers.
items:
properties:
headers:
description: Headers to remove.
items:
description: |-
HeaderMatcher defines a matcher for an HTTP header.
At least one of name and value must be set.
properties:
name:
description: Name defines the name of a header.
properties:
matcher:
description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a header.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
minItems: 1
type: array
name:
description: Name describing the configured remove operation. Must be unique.
minLength: 1
type: string
required:
- headers
- name
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
type: object
settings:
description: Settings configures the HeaderRewrites filter.
properties:
operationalMode:
default: Production
description: OperationalMode defines the behavior of the filter. In integration mode more information is logged about the requests and responses.
enum:
- Production
- Integration
type: string
type: object
type: object
type: object
served: true
storage: true

108
charts/airlock/microgateway/4.2.3/crds/identitypropagations.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,108 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.2.3
name: identitypropagations.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: IdentityPropagation
listKind: IdentityPropagationList
plural: identitypropagations
singular: identitypropagation
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: IdentityPropagation specifies the desired identity propagation.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired identity propagation.
properties:
header:
description: Header configures identity propagation via a request header.
properties:
name:
description: Name of the header to set.
minLength: 1
type: string
value:
description: Value to propagate to the application.
properties:
source:
description: Source from which to extract the value.
properties:
metadata:
description: Metadata specifies to extract a value from an Envoy dynamic filter metadata key.
properties:
key:
description: Key specifies the metadata key from which to load the value, e.g. `some_payload.aud`.
minLength: 1
type: string
namespace:
description: Namespace specifies the metadata namespace within which the lookup should be performed, e.g. `envoy.filters.http.jwt_authn`.
minLength: 1
type: string
required:
- key
- namespace
type: object
oidc:
description: OIDC specifies to extract a value from the result of an OpenID Connect flow.
properties:
idToken:
description: IDToken specifies to extract the value from the OpenID Connect ID Token.
properties:
claim:
description: Claim selects the JWT claim from which to extract the value.
minLength: 1
type: string
required:
- claim
type: object
required:
- idToken
type: object
type: object
required:
- source
type: object
required:
- name
- value
type: object
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}

453
charts/airlock/microgateway/4.2.3/crds/limits.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,453 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.2.3
name: limits.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: Limits
listKind: LimitsList
plural: limits
singular: limits
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: Limits contains the configuration for limits.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired limits behavior.
properties:
request:
description: Request defines the limits for requests.
properties:
limited:
description: Limited enables limits on request scope.
properties:
exceptions:
description: Exceptions defines limit exceptions.
items:
description: LimitsException defines an exception for limits.
properties:
length:
description: Length defines an exception for length limits based on the data element exceeding the limit.
properties:
json:
description: JSON defines a key and value length limit exception for a JSON property.
properties:
jsonPath:
description: |-
JSONPath restricts the exception to JSON properties with a matching JSONPath.
Expressions in JSONPath i.e. `?(expr)` are not supported.
minLength: 1
type: string
required:
- jsonPath
type: object
parameter:
description: Parameter defines a name and value length limit exception for a parameter.
properties:
name:
description: Name restricts the exception to parameters with a matching name.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
source:
default: Any
description: Source restricts the exception to parameters of this kind.
enum:
- Query
- Post
- Any
type: string
required:
- name
type: object
type: object
requestConditions:
description: RequestConditions defines additional request properties which must be matched in order for this exception to apply.
properties:
header:
description: Header defines the matching headers of a request.
properties:
name:
description: Name defines the name of a header.
properties:
matcher:
description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a header.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
invert:
default: false
description: Invert indicates whether the request condition should be inverted.
type: boolean
mediaType:
description: MediaType defines the matching media type from the content-type header of a request.
properties:
matcher:
description: |-
NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
method:
description: Method defines the matching methods of a request.
items:
description: Method defines common HTTP methods.
enum:
- GET
- HEAD
- POST
- PUT
- PATCH
- DELETE
- CONNECT
- OPTIONS
- TRACE
type: string
type: array
path:
description: Path defines the matching path of a request.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
remoteIP:
description: RemoteIP defines the matching remote IPs of a request.
properties:
cidrRanges:
description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``.
items:
description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“.
format: cidr
type: string
minItems: 1
type: array
invert:
default: false
description: Invert indicates whether the match should be inverted.
type: boolean
required:
- cidrRanges
type: object
type: object
type: object
type: array
general:
description: General defines general request limits.
properties:
bodySize:
anyOf:
- type: integer
- type: string
default: 100Ki
description: BodySize limits the total size of the request body. It specifies the number of bytes (0 = unlimited). This limit is effective only for requests that are parsed (e.g. JSON data). File uploads are not affected by this limit.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
pathLength:
anyOf:
- type: integer
- type: string
default: 1Ki
description: PathLength defines the maximum path length for requests.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
json:
description: JSON defines the limits for JSON requests.
properties:
elementCount:
default: 10000
description: ElementCount defines the maximum number of keys and array items in the whole JSON document (recursive).
format: int64
type: integer
keyCount:
default: 250
description: KeyCount defines the maximum number of keys of a single JSON object (non-recursive).
format: int64
type: integer
keyLength:
anyOf:
- type: integer
- type: string
default: "128"
description: KeyLength defines the maximum length for JSON keys.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
nestingDepth:
default: 100
description: NestingDepth defines the maximum depth of nesting for JSON objects and JSON arrays.
format: int64
type: integer
valueLength:
anyOf:
- type: integer
- type: string
default: 8Ki
description: ValueLength defines the maximum length for JSON values.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
parameter:
description: Parameter defines the limits for request parameters.
properties:
count:
default: 128
description: Count defines the maximum number of request parameters.
format: int64
type: integer
nameLength:
anyOf:
- type: integer
- type: string
default: "128"
description: NameLength defines the maximum length for parameter names.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
valueLength:
anyOf:
- type: integer
- type: string
default: 8Ki
description: ValueLength defines the maximum length for parameter values.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
type: object
unlimited:
description: Unlimited disables all limits on request scope.
type: object
type: object
settings:
description: Settings configures the limits filter.
properties:
threatHandlingMode:
default: Block
description: ThreatHandlingMode specifies how threats should be handled when a limit hits.
enum:
- Block
- LogOnly
type: string
type: object
type: object
type: object
served: true
storage: true

301
charts/airlock/microgateway/4.2.3/crds/oidcproviders.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,301 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.2.3
name: oidcproviders.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: OIDCProvider
listKind: OIDCProviderList
plural: oidcproviders
singular: oidcprovider
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
OIDCProvider specifies an OpenID Provider (OP).
{{% notice warning %}} The OIDC feature is currently in an experimental state.
We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as security has not yet been hardened.
In particular, the current implementation has the following limitations, which we intend to address in future Microgateway releases:
- The state parameter is guessable.
- ID token and access token are stored in cookies and are thus sent to the accessing client.
{{% /notice %}}
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of an OpenID Provider.
properties:
static:
description: Static configures an OpenID Provider by explicitly specifying all endpoints.
properties:
endpoints:
description: Endpoints specifies the OpenID Provider endpoints.
properties:
authorization:
description: Authorization specifies the endpoint to which the authorization request is sent.
properties:
uri:
description: URI specifies the endpoint address.
format: uri
minLength: 1
pattern: ^(http|https)://.*$
type: string
required:
- uri
type: object
token:
description: Token configures the endpoint from which the access, ID and refresh tokens are obtained.
properties:
tls:
description: TLS defines TLS settings.
properties:
certificateVerification:
description: CertificateVerification specifies how the certificate presented by the server is verified.
properties:
custom:
description: |-
Custom explicitly specifies how the server certificate should be verified.
Typical use cases include specifying a custom CA and SAN match when working with self-signed certificates or pinning a specific public key.
properties:
allowedSANs:
description: |-
AllowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics,
that is to say, the SAN is verified if at least one matcher is matched.
AllowedSANs requires trustedCA to be set.
items:
description: |-
TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
Subject Alternative Name of the presented certificate matches one of the specified matchers.
properties:
matcher:
description: Matcher defines the string matcher for the SAN value.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
sanType:
description: SanType defines the type of SAN matcher.
enum:
- DNS
- Email
- URI
- IPAddress
type: string
required:
- matcher
- sanType
type: object
minItems: 1
type: array
certificatePinning:
description: |-
CertificatePinning defines constraints the presented certificate must fulfill.
If more than one constraint is configured only one must be satisfied.
At least one of allowedSPKIs and allowedHashes must be set.
properties:
allowedHashes:
description: |-
AllowedHashes is a list of hex-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
items:
type: string
minItems: 1
type: array
allowedSPKIs:
description: |-
AllowedSPKIs is a list of base64-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.
items:
type: string
minItems: 1
type: array
type: object
crl:
description: CRL defines the Certificate Revocation List (CRL) settings.
properties:
lists:
description: Lists defines the list of secretRefs containing Certificate Revocation Lists.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
validationMode:
default: VerifyChain
description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked.
enum:
- VerifyLeafCertOnly
- VerifyChain
type: string
type: object
trustedCA:
description: TrustedCA defines which CA certificates are trusted.
properties:
certificates:
description: Certificates defines the list of secretRefs containing trusted CA certificates.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
verificationDepth:
default: 1
description: |-
VerificationDepth specifies the hops in the certificate chain at which validation is performed.
1 means that either the leaf or the signing CA must be in the set of trusted certificates.
format: int32
type: integer
required:
- certificates
type: object
type: object
disabled:
description: |-
Disabled specifies to trust any certificate without verification.
THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING.
type: object
publicCAs:
description: PublicCAs specifies to only accept certificates with a SAN matching "uri" and which are signed by a CA which is either directly or indirectly trusted by any of the root CA certificates shipped with the Airlock Microgateway Engine's base image.
type: object
type: object
ciphers:
description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration.
items:
type: string
minItems: 1
type: array
protocol:
description: Protocol defines the supported TLS protocol versions.
properties:
maximum:
description: Maximum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
minimum:
description: Minimum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
type: object
type: object
uri:
description: URI specifies the endpoint address.
format: uri
minLength: 1
pattern: ^(http|https)://.*$
type: string
required:
- uri
type: object
required:
- authorization
- token
type: object
required:
- endpoints
type: object
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}

219
charts/airlock/microgateway/4.2.3/crds/oidcrelyingparties.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,219 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.2.3
name: oidcrelyingparties.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: OIDCRelyingParty
listKind: OIDCRelyingPartyList
plural: oidcrelyingparties
singular: oidcrelyingparty
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
OIDCRelyingParty specifies how the Airlock Microgateway Engine interacts with an OpenID Provider (OP).
{{% notice warning %}} The OIDC feature is currently in an experimental state.
We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as security has not yet been hardened.
In particular, the current implementation has the following limitations, which we intend to address in future Microgateway releases:
- The state parameter is guessable.
- ID token and access token are stored in cookies and are thus sent to the accessing client.
{{% /notice %}}
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the OIDC Relying Party configuration.
properties:
clientID:
description: ClientID specifies the OIDCRelyingParty "client_id".
minLength: 1
type: string
credentials:
description: Credentials used for client authentication on the back-channel with the authorization server.
properties:
clientSecret:
description: ClientSecret authenticates with the client password issued by the OpenID Provider (OP).
properties:
method:
default: BasicAuth
description: Method specifies in which format the client secret is sent with the authorization request.
enum:
- BasicAuth
- FormURLEncoded
type: string
secretRef:
description: SecretRef specifies the kubernetes secret containing the client password with key "client.secret".
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
required:
- clientSecret
type: object
oidcProviderRef:
description: OIDCProviderRef selects the OpenID Provider (OP) used to authenticate users.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
pathMapping:
description: PathMapping configures the action matching.
properties:
logoutPath:
description: LogoutPath specifies which request paths should initiate a logout.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
redirectPath:
description: RedirectPath specifies which request paths should be interpreted as a response from the authorization endpoint.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
required:
- logoutPath
- redirectPath
type: object
redirectURI:
description: |-
RedirectURI configures the "redirect_uri" parameter included in the authorization request.
May contain envoy command operators, e.g. '%REQ(:x-forwarded-proto)%://%REQ(:authority)%/callback'.
minLength: 1
type: string
required:
- clientID
- credentials
- oidcProviderRef
- pathMapping
- redirectURI
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}

167
charts/airlock/microgateway/4.2.3/crds/openapis.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,167 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.2.3
name: openapis.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: OpenAPI
listKind: OpenAPIList
plural: openapis
singular: openapi
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: OpenAPI contains the configuration for the OpenAPI specification.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired OpenAPI specification.
properties:
response:
description: Response defines the validation behaviour for responses.
properties:
secured:
description: Secured enables response checking.
properties:
validation:
default: Lax
description: Validation defines the validation mode for responses.
enum:
- Lax
- Strict
type: string
type: object
unsecured:
description: Unsecured disables response checking.
type: object
type: object
settings:
description: Settings defines the settings to configure OpenAPI specification enforcement.
properties:
logging:
description: Logging specifies the access log behavior.
properties:
maxFailedSubvalidations:
default: 10
description: MaxFailedSubvalidations defines the maximum number of failed subvalidations being logged.
format: int64
type: integer
type: object
schema:
description: Schema configures the OpenAPI specification.
properties:
source:
description: Source specifies the OpenAPI specification to be enforced.
properties:
configMapRef:
description: ConfigMapRef references the configmap by its name containing the well-known key 'openapi.json'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: object
required:
- source
type: object
threatHandlingMode:
default: Block
description: ThreatHandlingMode specifies how threats should be handled.
enum:
- Block
- LogOnly
type: string
validation:
description: Validation specifies the patterns for the validation behavior.
properties:
authentication:
description: Authentication defines the settings for the authentication scheme.
properties:
oAuth2:
description: OAuth2 specifies the OAuth2 parameters.
properties:
allowedParameters:
description: AllowedParameters specifies the allowed parameters for the authentication scheme.
properties:
builtIn:
description: BuiltIn allows configuring a set of predefined allowed parameters.
properties:
standardParameters:
default: true
description: StandardParameters defines whether the allowed parameters should be expanded by the set of common parameters.
type: boolean
type: object
custom:
description: Custom allows configuring additional allowed parameters.
items:
minLength: 1
type: string
minItems: 1
type: array
type: object
type: object
oidc:
description: Oidc specifies the OIDC parameters.
properties:
allowedParameters:
description: AllowedParameters specifies the allowed parameters for the authentication scheme.
properties:
builtIn:
description: BuiltIn allows configuring a set of predefined allowed parameters.
properties:
standardParameters:
default: true
description: StandardParameters defines whether the allowed parameters should be expanded by the set of common parameters.
type: boolean
type: object
custom:
description: Custom allows configuring additional allowed parameters.
items:
minLength: 1
type: string
minItems: 1
type: array
type: object
type: object
type: object
type: object
required:
- schema
type: object
required:
- settings
type: object
required:
- spec
type: object
served: true
storage: true

358
charts/airlock/microgateway/4.2.3/crds/parsers.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,358 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.2.3
name: parsers.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: Parser
listKind: ParserList
plural: parsers
singular: parser
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: Parser contains the configuration for content parsers (default and custom).
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired parser behavior.
properties:
request:
description: Request defines the parsing for downstream requests.
properties:
custom:
description: Custom allows configuring additional rules for parser selection.
properties:
rules:
description: |-
Rules defines a custom set prepended before built-in rules of enabled request parsers.
Disable all built-in parsers to overrule them completely.
items:
properties:
action:
description: |-
Action specifies what should happen when a request condition matches.
Only one of parse or skip can be set.
properties:
parse:
description: Parse activates the configured parser.
properties:
form:
description: Form activates the Form parser.
type: object
json:
description: JSON activates the JSON parser.
type: object
multipart:
description: Multipart activates the multipart parser.
type: object
type: object
skip:
description: Skip disables any content parsing
type: object
type: object
requestConditions:
description: RequestConditions defines additional request properties which must be matched in order for this rule to apply.
properties:
header:
description: Header defines the matching headers of a request.
properties:
name:
description: Name defines the name of a header.
properties:
matcher:
description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a header.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
invert:
default: false
description: Invert indicates whether the request condition should be inverted.
type: boolean
mediaType:
description: MediaType defines the matching media type from the content-type header of a request.
properties:
matcher:
description: |-
NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
method:
description: Method defines the matching methods of a request.
items:
description: Method defines common HTTP methods.
enum:
- GET
- HEAD
- POST
- PUT
- PATCH
- DELETE
- CONNECT
- OPTIONS
- TRACE
type: string
type: array
path:
description: Path defines the matching path of a request.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
remoteIP:
description: RemoteIP defines the matching remote IPs of a request.
properties:
cidrRanges:
description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``.
items:
description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“.
format: cidr
type: string
minItems: 1
type: array
invert:
default: false
description: Invert indicates whether the match should be inverted.
type: boolean
required:
- cidrRanges
type: object
type: object
required:
- action
- requestConditions
type: object
type: array
type: object
defaultContentType:
default: application/x-www-form-urlencoded
description: DefaultContentType specifies the content-type header which should be injected into the request before parser selection if it is not already present and the request has a body.
minLength: 1
type: string
parsers:
description: Parsers defines the configuration for the available content parsers.
properties:
form:
description: Form defines the configuration for the form parser.
properties:
enable:
default: true
description: Enable defines whether form payloads are inspected.
type: boolean
mediaTypePattern:
default: .*urlencoded.*
description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as form arguments.
minLength: 1
type: string
type: object
json:
description: JSON defines the configuration for the JSON parser.
properties:
enable:
default: true
description: Enable defines whether json payloads are inspected.
type: boolean
mediaTypePattern:
default: .*json.*
description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as JSON.
minLength: 1
type: string
type: object
multipart:
description: Multipart defines the configuration for the multipart parser.
properties:
enable:
default: true
description: Enable defines whether multipart payloads are inspected.
type: boolean
mediaTypePattern:
default: .*multipart.*
description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as a multipart payload.
minLength: 1
type: string
type: object
type: object
type: object
type: object
type: object
served: true
storage: true

731
charts/airlock/microgateway/4.2.3/crds/sidecargateways.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,731 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.2.3
name: sidecargateways.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: SidecarGateway
listKind: SidecarGatewayList
plural: sidecargateways
singular: sidecargateway
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.status
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: SidecarGateway contains the configuration how to configure the Airlock Microgateway Engine when used as Sidecar Container within the Pod of an application.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired sidecar gateway behavior.
properties:
applications:
description: Applications defines applications which run on different ports.
items:
properties:
containerPort:
default: 8080
description: |-
ContainerPort refers to the container port.
This must be a valid port number, 0 < x < 65536.
format: int32
maximum: 65535
minimum: 1
type: integer
downstream:
description: Downstream defines the downstream configuration for this application
properties:
protocol:
description: |-
Protocol defines the exposed HTTP protocol version. At most one of http1, http2 and auto can be set.
Default: auto: {}
properties:
auto:
description: Auto specifies that the protocol should be inferred.
properties:
http2:
description: HTTP2 specifies the settings for when HTTP/2 is inferred.
properties:
allowConnect:
default: false
description: Allows proxying Websocket and other upgrades over H2 connect.
type: boolean
type: object
type: object
http1:
description: HTTP1 specifies that the client is assumed to speak HTTP/1.1.
type: object
http2:
description: HTTP2 specifies that the client is assumed to speak HTTP/2.
properties:
allowConnect:
default: false
description: Allows proxying Websocket and other upgrades over H2 connect.
type: boolean
type: object
type: object
remoteIP:
description: |-
RemoteIP defines how the remote IP of a client is propagated.
Default: xff: {...}
properties:
connectionIP:
description: ConnectionIP configures to use the source IP address of the direct downstream connection.
type: object
customHeader:
description: CustomHeader specifies to use a custom header for remote IP extraction.
properties:
headerName:
description: HeaderName specifies the name of the custom header containing the remote IP.
minLength: 1
type: string
required:
default: true
description: Required specifies if the custom header is required. If true and not available the request will be rejected with 403.
type: boolean
required:
- headerName
type: object
xff:
description: XFF configures to use the standard 'X-Forwarded-For' header for IP extraction.
properties:
numTrustedHops:
default: 1
description: NumTrustedHops specifies to extract the client's originating IP from the nth rightmost entry in the X-Forwarded-For header. With the default value of 1, the IP is extracted from the rightmost entry.
format: int32
minimum: 1
type: integer
type: object
type: object
requestNormalizations:
description: RequestNormalizations defines a set of normalization actions which are applied to the request before route matching.
properties:
mergeSlashes:
default: true
description: MergeSlashes ensures that adjacent slashes in the path are merged into one.
type: boolean
normalizePath:
default: true
description: NormalizePath ensures normalization according to RFC 3986 without case normalization.
type: boolean
type: object
restrictions:
description: Restrictions defines restrictions for downstream.
properties:
http:
description: HTTP defines limits for the HTTP protocol.
properties:
headersLength:
anyOf:
- type: integer
- type: string
default: 60Ki
description: HeadersLength defines maximum size of all request headers combined. Requests that exceed this limit will receive a 431 response.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
type: object
timeouts:
description: Timeouts defines timeouts for downstream
properties:
http:
description: HTTP defines the settings for HTTP timeouts.
properties:
idle:
default: 5m
description: |-
Idle defines the settings for the idle timeout when no data is sent or received.
A value of 0 will completely disable the timeout.
Default: 5m
type: string
maxDuration:
default: 5m
description: |-
MaxDuration defines the total duration for a HTTP request/response stream.
A value of 0 will completely disable the timeout.
Default: 5m
type: string
requestHeaders:
default: 10s
description: |-
RequestHeaders defines the duration before all request headers must be received.
A value of 0 will completely disable the timeout.
Default: 10s
type: string
type: object
type: object
tls:
description: TLS defines the TLS settings.
properties:
ciphers:
description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration.
items:
type: string
minItems: 1
type: array
clientCertificate:
description: |-
ClientCertificate defines the TLS settings for verification of client certificates.
At most one of ignored, optional and required can be set.
Default: ignored: {}
properties:
ignored:
description: Ignored disables verification of the client certificate.
type: object
optional:
description: |-
Optional enables verification of the client certificate if one is presented.
In this mode only trustedCA and crl settings can be configured since certificatePinning and allowedSANs require a client certificate.
properties:
crl:
description: CRL defines the Certificate Revocation List (CRL) settings.
properties:
lists:
description: Lists defines the list of secretRefs containing Certificate Revocation Lists.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
validationMode:
default: VerifyChain
description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked.
enum:
- VerifyLeafCertOnly
- VerifyChain
type: string
type: object
trustedCA:
description: TrustedCA defines which CA certificates are trusted.
properties:
certificates:
description: Certificates defines the list of secretRefs containing trusted CA certificates.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
verificationDepth:
default: 1
description: |-
VerificationDepth specifies the hops in the certificate chain at which validation is performed.
1 means that either the leaf or the signing CA must be in the set of trusted certificates.
format: int32
type: integer
required:
- certificates
type: object
required:
- trustedCA
type: object
required:
description: |-
Required contains settings for client certificate verification. A client must present a valid certificate.
At least one of trustedCA and certificatePinning must be set.
properties:
allowedSANs:
description: |-
AllowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics,
that is to say, the SAN is verified if at least one matcher is matched.
AllowedSANs requires trustedCA to be set.
items:
description: |-
TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
Subject Alternative Name of the presented certificate matches one of the specified matchers.
properties:
matcher:
description: Matcher defines the string matcher for the SAN value.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
sanType:
description: SanType defines the type of SAN matcher.
enum:
- DNS
- Email
- URI
- IPAddress
type: string
required:
- matcher
- sanType
type: object
minItems: 1
type: array
certificatePinning:
description: |-
CertificatePinning defines the constraints a client certificate must fulfill.
If more than one constraint is configured only one must be satisfied.
At least one of allowedSPKIs and allowedHashes must be set.
properties:
allowedHashes:
description: |-
AllowedHashes is a list of hex-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
items:
type: string
minItems: 1
type: array
allowedSPKIs:
description: |-
AllowedSPKIs is a list of base64-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.
items:
type: string
minItems: 1
type: array
type: object
crl:
description: CRL defines the Certificate Revocation List (CRL) settings.
properties:
lists:
description: Lists defines the list of secretRefs containing Certificate Revocation Lists.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
validationMode:
default: VerifyChain
description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked.
enum:
- VerifyLeafCertOnly
- VerifyChain
type: string
type: object
trustedCA:
description: TrustedCA defines which CA certificates are trusted.
properties:
certificates:
description: Certificates defines the list of secretRefs containing trusted CA certificates.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
verificationDepth:
default: 1
description: |-
VerificationDepth specifies the hops in the certificate chain at which validation is performed.
1 means that either the leaf or the signing CA must be in the set of trusted certificates.
format: int32
type: integer
required:
- certificates
type: object
type: object
type: object
enable:
default: false
description: Enable defines if the downstream connection is encrypted.
type: boolean
protocol:
description: Protocol defines the supported TLS protocol versions.
properties:
maximum:
description: Maximum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
minimum:
description: Minimum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
type: object
secretRef:
description: SecretRef defines the reference to the TLS server certificate (secret of type kubernetes.io/tls).
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
xfcc:
description: |-
XFCC defines the handling of X-Forwarded-Client-Cert header. Meaning of the possible values:
_Sanitize_: Do not send the XFCC header to the next hop. This is the default value.
_ForwardOnly_: When the client connection is mTLS (Mutual TLS), forward the XFCC header in the request.
_AppendAndForward_: When the client connection is mTLS, append the client certificate information to the requests XFCC header and forward it.
_SanitizeAndSet_: When the client connection is mTLS, reset the XFCC header with the client certificate information and send it to the next hop.
_AlwaysForwardOnly_: Always forward the XFCC header in the request, regardless of whether the client connection is mTLS.
Note: When forwarding the XFCC header in the request you might have to adjust the header length restrictions (See sidecargateway.spec.applications.downstream.restrictions.http)
enum:
- Sanitize
- ForwardOnly
- AppendAndForward
- SanitizeAndSet
- AlwaysForwardOnly
type: string
type: object
type: object
envoyHTTPFilterRefs:
description: EnvoyHTTPFilterRefs selects the relevant EnvoyHTTPFilters.
properties:
prepend:
description: Prepend selects the relevant EnvoyHTTPFilters which are added before those configured by the Airlock Microgateway.
items:
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: array
type: object
routes:
description: Routes defines the security configurations for different paths. The first matching route (from top to bottom) applies.
items:
description: |-
SidecarGatewayApplicationRoute defines the security configurations for different paths.
At most one of secured and unsecured can be set.
Default: secured: {...}
properties:
pathPrefix:
default: /
description: PathPrefix defines the path prefix used during route selection.
minLength: 1
type: string
secured:
description: Secured enables WAF processing for this route.
properties:
accessControlRef:
description: |-
AccessControlRef selects the relevant AccessControl configuration resource.
If undefined, Airlock Microgateway does not perform any access control.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
contentSecurityRef:
description: |-
ContentSecurityRef selects the relevant ContentSecurity configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: object
unsecured:
description: |-
Unsecured disables all WAF functionality and therefore protection for this route.
WARNING: Using this setting when the application is exposed to untrusted downstream traffic is highly discouraged.
type: object
type: object
type: array
x-kubernetes-list-map-keys:
- pathPrefix
x-kubernetes-list-type: map
telemetryRef:
description: |-
TelemetryRef selects the relevant Telemetry configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
upstream:
description: Upstream defines the upstream configuration for this application
properties:
protocol:
description: |-
Protocol defines HTTP protocol version used to communicate with the upstream. At most one of http1, http2 and auto can be set.
Default: auto: {}
properties:
auto:
description: Auto specifies to use the protocol negotiated via TLS ALPN (if supported) or HTTP/1.1 as fallback.
properties:
http2:
description: HTTP2 specifies the settings for when HTTP/2 is inferred.
properties:
allowConnect:
default: false
description: Allows proxying Websocket and other upgrades over H2 connect.
type: boolean
type: object
type: object
http1:
description: HTTP1 specifies to use HTTP/1.1.
type: object
http2:
description: HTTP2 specifies to use HTTP/2.
properties:
allowConnect:
default: false
description: Allows proxying Websocket and other upgrades over H2 connect.
type: boolean
type: object
type: object
timeouts:
description: Timeouts defines the timeout settings.
properties:
http:
description: HTTP defines the settings for HTTP timeouts.
properties:
idle:
description: |-
Timeout defines the settings for http timeouts. If this setting is not specified, the value of applications[].downstream.timeouts.http.idle is inherited.
A value of 0 will completely disable the timeout.
type: string
maxDuration:
default: 15s
description: |-
MaxDuration defines the total duration for a HTTP request/response stream.
Default: 15s
type: string
type: object
type: object
tls:
description: TLS defines the TLS settings.
properties:
ciphers:
description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration.
items:
type: string
minItems: 1
type: array
enable:
default: false
description: Enable defines if the upstream connection is encrypted.
type: boolean
protocol:
description: Protocol defines the supported TLS protocol versions.
properties:
maximum:
description: Maximum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
minimum:
description: Minimum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
type: object
type: object
type: object
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- containerPort
x-kubernetes-list-type: map
envoyClusterRefs:
description: EnvoyClusterRefs selects the relevant EnvoyClusters.
items:
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
podSelector:
description: PodSelector defines to which Pods the configuration will be applied to.
properties:
matchLabels:
additionalProperties:
type: string
description: MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels.
type: object
type: object
required:
- applications
type: object
status:
description: Most recently observed status of the SidecarGateway which is populated by the system. This data is read-only and may not be up to date.
properties:
conditions:
items:
properties:
lastTransitionTime:
description: Last time the condition transitioned from one status to another.
format: date-time
type: string
message:
description: A human-readable message indicating details about the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of SidecarGateway condition.
type: string
required:
- status
- type
type: object
type: array
pods:
items:
properties:
envoyConfig:
description: EnvoyConfig indicates the name of the EnvoyConfig CR which references the SidecarGateway.
type: string
name:
description: Name indicates the name of the Pod which references the SidecarGateway.
type: string
required:
- name
type: object
type: array
status:
type: string
required:
- status
type: object
type: object
served: true
storage: true
subresources:
status: {}

81
charts/airlock/microgateway/4.2.3/crds/telemetries.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,81 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.2.3
name: telemetries.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: Telemetry
listKind: TelemetryList
plural: telemetries
singular: telemetry
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: Telemetry contains the configuration for telemetry (logging, metrics & tracing).
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired telemetry behavior.
properties:
correlation:
description: Correlation defines the correlation aspects of Telemetry.
properties:
request:
description: Request defines the request related correlation settings of Telemetry.
properties:
allowDownstreamRequestID:
default: true
description: AllowDownstreamRequestID defines whether trace sampling will consider a provided x-request-id.
type: boolean
alterRequestID:
default: true
description: AlterRequestID defines whether to alter the UUID to reflect the trace sampling decision. If disabled no modification to the UUID will be performed, this may break tracing in the upstream.
type: boolean
type: object
type: object
logging:
description: Logging defines the logging aspects of Telemetry.
properties:
accessLog:
description: AccessLog defines the access log settings of Telemetry.
properties:
format:
description: Format defines the Access Log format of the sidecar.
properties:
json:
description: JSON defines the Access Log format as JSON.
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: object
type: object
type: object
served: true
storage: true

22
charts/airlock/microgateway/4.2.3/templates/NOTES.txt Normal file
View File

@ -0,0 +1,22 @@
Thank you for installing Airlock Microgateway.
If you have not already done so, make sure that Airlock Microgateway CNI is also installed on the cluster.
For further information, please visit our documentation at https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" .}}.
Detailed CRD API reference documentation is also available at https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" .}}/api/crds.
{{ if .Values.crds.skipVersionCheck }}
- CRD version check skipped
{{- else }}
{{- $outdatedCRDs := (include "airlock-microgateway.outdatedCRDs" .) -}}
{{- if $outdatedCRDs -}}
{{- fail (printf `
Helm does not automatically upgrade CRDs from the chart's 'crds/' directory during 'helm install/upgrade'.
Therefore, the CRDs must be manually upgraded with the following command before deploying this chart:
kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=%s --server-side --force-conflicts
If you are not using the helm install/upgrade command and instead rely on some other mechanism which is able to upgrade CRDs for deploying this chart, you can suppress this error by setting the helm value 'crds.skipVersionCheck=true'.`
.Chart.AppVersion)
-}}
{{- end -}}
{{- end -}}

132
charts/airlock/microgateway/4.2.3/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,132 @@
{{/*
Expand the name of the chart.
We truncate at 49 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec)
and the longest explicit suffix is 14 characters.
*/}}
{{- define "airlock-microgateway.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 49 | trimSuffix "-" }}
{{- end }}
{{/*
Convert an image configuration object into an image ref string.
*/}}
{{- define "airlock-microgateway.image" -}}
{{- if .digest -}}
{{- printf "%s@%s" .repository .digest -}}
{{- else if .tag -}}
{{- printf "%s:%s" .repository .tag -}}
{{- else -}}
{{- printf "%s" .repository -}}
{{- end -}}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 36 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec)
and the longest implicit suffix is 27 characters.
If release name contains chart name it will be used as a full name.
*/}}
{{- define "airlock-microgateway.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 36 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 36 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 36 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "airlock-microgateway.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "airlock-microgateway.sharedLabels" -}}
helm.sh/chart: {{ include "airlock-microgateway.chart" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/part-of: {{ .Chart.Name }}
{{- with .Values.commonLabels }}
{{ toYaml .}}
{{- end }}
{{- end }}
{{/*
Common Selector labels
*/}}
{{- define "airlock-microgateway.sharedSelectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Restricted Container Security Context
*/}}
{{- define "airlock-microgateway.restrictedSecurityContext" -}}
allowPrivilegeEscalation: false
privileged: false
runAsNonRoot: true
capabilities:
drop: ["ALL"]
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
{{- end }}
{{/* Precondition: May only be used if AppVersion is isSemver */}}
{{- define "airlock-microgateway.supportedCRDVersionPattern" -}}
{{- $version := (semver .Chart.AppVersion) -}}
{{- if $version.Prerelease -}}
>= {{ $version.Major }}.{{ $version.Minor }}.{{ $version.Patch }}-{{ $version.Prerelease }}
{{- else -}}
>= {{ $version.Major }}.{{ $version.Minor }}.0 || >= {{ $version.Major }}.{{ $version.Minor }}.{{ add1 $version.Patch }}-0
{{- end -}}
{{- end -}}
{{- define "airlock-microgateway.outdatedCRDs" -}}
{{- if (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) -}}
{{- $supportedVersion := (include "airlock-microgateway.supportedCRDVersionPattern" .) -}}
{{- range $path, $_ := .Files.Glob "crds/*.yaml" -}}
{{- $api := ($.Files.Get $path | fromYaml).metadata.name -}}
{{- $crd := (lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" $api) -}}
{{- $isOutdated := false -}}
{{- if $crd -}}
{{/* If CRD is already present in the cluster, it must have the minimum supported version */}}
{{- $isOutdated = true -}}
{{- if hasKey $crd.metadata "labels" -}}
{{- $crdVersion := get $crd.metadata.labels "app.kubernetes.io/version" -}}
{{- if (eq "true" (include "airlock-microgateway.isSemver" $crdVersion)) -}}
{{- if (semverCompare $supportedVersion $crdVersion) }}
{{- $isOutdated = false -}}
{{- end }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if $isOutdated }}
{{ base $path }}
{{- end }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "airlock-microgateway.isSemver" -}}
{{- regexMatch `^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$` . -}}
{{- end -}}
{{- define "airlock-microgateway.docsVersion" -}}
{{- if and (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}}
{{- $version := (semver .Chart.AppVersion) -}}
{{- $version.Major }}.{{ $version.Minor -}}
{{- else -}}
{{- print "latest" -}}
{{- end -}}
{{- end -}}

42
charts/airlock/microgateway/4.2.3/templates/operator/_operator_helpers.tpl Normal file
View File

@ -0,0 +1,42 @@
{{/*
Create a default fully qualified name for operator components.
*/}}
{{- define "airlock-microgateway.operator.fullname" -}}
{{ include "airlock-microgateway.fullname" . }}-operator
{{- end }}
{{/*
Common operator labels
*/}}
{{- define "airlock-microgateway.operator.labels" -}}
{{ include "airlock-microgateway.sharedLabels" . }}
{{ include "airlock-microgateway.operator.selectorLabels" . }}
{{- end }}
{{/*
Operator Selector labels
*/}}
{{- define "airlock-microgateway.operator.selectorLabels" -}}
{{ include "airlock-microgateway.sharedSelectorLabels" . }}
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-operator
app.kubernetes.io/component: controller
{{- end }}
{{/*
Create the name of the service account to use for the operator
*/}}
{{- define "airlock-microgateway.operator.serviceAccountName" -}}
{{- if .Values.operator.serviceAccount.create }}
{{- default (include "airlock-microgateway.operator.fullname" .) .Values.operator.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.operator.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
ServiceMonitor metrics regex pattern for leader only metrics
*/}}
{{- define "airlock-microgateway.operator.metricsLeaderOnlyRegexPattern" -}}
^(microgateway_license|microgateway_sidecars).*$
{{- end }}

205
charts/airlock/microgateway/4.2.3/templates/operator/_rbac.gen.tpl Normal file
View File

@ -0,0 +1,205 @@
{{/* AUTOGENERATED FILE DO NOT EDIT */}}
{{/*
Operator rbac permission rules
*/}}
{{- define "airlock-microgateway-operator.rbacRules" -}}
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- pods
verbs:
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- pods/finalizers
verbs:
- update
- apiGroups:
- ""
resources:
- pods/status
verbs:
- patch
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- get
- list
- update
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- accesscontrols
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- contentsecurities
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- denyrules
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- envoyclusters
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- envoyconfigurations
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- envoyconfigurations/status
verbs:
- get
- patch
- update
- apiGroups:
- microgateway.airlock.com
resources:
- envoyhttpfilters
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- headerrewrites
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- identitypropagations
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- limits
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- oidcproviders
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- oidcrelyingparties
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- openapis
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- parsers
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- sidecargateways
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- sidecargateways/finalizers
verbs:
- update
- apiGroups:
- microgateway.airlock.com
resources:
- sidecargateways/status
verbs:
- get
- patch
- update
- apiGroups:
- microgateway.airlock.com
resources:
- telemetries
verbs:
- get
- list
- watch
{{- end }}

299
charts/airlock/microgateway/4.2.3/templates/operator/_webhooks.gen.tpl Normal file
View File

@ -0,0 +1,299 @@
{{/* AUTOGENERATED FILE DO NOT EDIT */}}
{{/*
Operator mutating webhooks
*/}}
{{- define "airlock-microgateway-operator.mutatingWebhooks" -}}
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /mutate-v1-pod
failurePolicy: Fail
name: mutate-pod.microgateway.airlock.com
reinvocationPolicy: IfNeeded
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
resources:
- pods
sideEffects: None
objectSelector:
matchLabels:
sidecar.microgateway.airlock.com/inject: "true"
{{- end }}
{{/*
Operator validating webhooks
*/}}
{{- define "airlock-microgateway-operator.validatingWebhooks" -}}
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-accesscontrol
failurePolicy: Fail
name: validate-accesscontrol.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- accesscontrols
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-denyrules
failurePolicy: Fail
name: validate-denyrules.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- denyrules
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-envoycluster
failurePolicy: Fail
name: validate-envoycluster.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- envoyclusters
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-envoyhttpfilter
failurePolicy: Fail
name: validate-envoyhttpfilter.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- envoyhttpfilters
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-headerrewrites
failurePolicy: Fail
name: validate-headerrewrites.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- headerrewrites
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-identitypropagation
failurePolicy: Fail
name: validate-identitypropagation.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- identitypropagations
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-limits
failurePolicy: Fail
name: validate-limits.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- limits
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-oidcprovider
failurePolicy: Fail
name: validate-oidcprovider.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- oidcproviders
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-oidcrelyingparty
failurePolicy: Fail
name: validate-oidcrelyingparty.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- oidcrelyingparties
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-openapi
failurePolicy: Fail
name: validate-openapi.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- openapis
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-parser
failurePolicy: Fail
name: validate-parser.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- parsers
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-sidecargateway
failurePolicy: Fail
name: validate-sidecargateway.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- sidecargateways
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-v1-pod
failurePolicy: Fail
name: validate-pod.microgateway.airlock.com
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- pods
sideEffects: None
objectSelector:
matchLabels:
sidecar.microgateway.airlock.com/inject: "true"
{{- end }}

322
charts/airlock/microgateway/4.2.3/templates/operator/configmap.yaml Normal file
View File

@ -0,0 +1,322 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-config
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
data:
engine_bootstrap_config_template.yaml: |
# Base configuration, admin interface on port 19000
admin:
address:
socket_address:
address: 127.0.0.1
port_value: 19000
dynamic_resources:
cds_config:
initial_fetch_timeout: 10s
resource_api_version: V3
api_config_source:
api_type: GRPC
transport_api_version: V3
grpc_services:
- envoy_grpc:
cluster_name: xds_cluster
set_node_on_first_message_only: true
# Prevent Envoy Node from overloading the xDS server due to rejected configuration when using xDS SotW gRPC
rate_limit_settings:
max_tokens: 5
fill_rate: 0.2
lds_config:
resource_api_version: V3
initial_fetch_timeout: 10s
api_config_source:
api_type: GRPC
transport_api_version: V3
grpc_services:
- envoy_grpc:
cluster_name: xds_cluster
set_node_on_first_message_only: true
# Prevent Envoy Node from overloading the xDS server due to rejected configuration when using xDS SotW gRPC
rate_limit_settings:
max_tokens: 5
fill_rate: 0.2
static_resources:
listeners:
- name: probe
address:
socket_address:
address: 0.0.0.0
port_value: 19001
filter_chains:
- filters:
- name: http_connection_manager
typed_config:
'@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: http
codec_type: AUTO
http2_protocol_options:
initial_connection_window_size: 1048576
initial_stream_window_size: 65536
max_concurrent_streams: 100
route_config:
name: probe
virtual_hosts:
- name: probe
domains:
- '*'
routes:
- name: ready
match:
path: /ready
headers:
- name: ':method'
string_match:
exact: 'GET'
route:
cluster: airlock_microgateway_engine_admin
http_filters:
- name: envoy.filters.http.router
typed_config:
'@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
- name: metrics
address:
socket_address:
address: 0.0.0.0
port_value: 19002
filter_chains:
- filters:
- name: http_connection_manager
typed_config:
'@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: http
codec_type: AUTO
http2_protocol_options:
initial_connection_window_size: 1048576
initial_stream_window_size: 65536
max_concurrent_streams: 100
route_config:
name: metrics
virtual_hosts:
- name: metrics
domains:
- '*'
routes:
- name: metrics
match:
path: /metrics
headers:
- name: ':method'
string_match:
exact: 'GET'
route:
prefix_rewrite: '/stats/prometheus'
cluster: airlock_microgateway_engine_admin
http_filters:
- name: envoy.filters.http.router
typed_config:
'@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
clusters:
- name: xds_cluster
connect_timeout: 1s
type: STRICT_DNS
load_assignment:
cluster_name: xds_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: airlock-microgateway-operator-xds.$(OPERATOR_NAMESPACE).svc.cluster.local
port_value: 13377
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
'@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
connection_keepalive:
interval: 360s
timeout: 5s
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
'@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
common_tls_context:
tls_params:
tls_minimum_protocol_version: TLSv1_3
tls_maximum_protocol_version: TLSv1_3
validation_context_sds_secret_config:
name: validation_context_sds
sds_config:
resource_api_version: V3
path_config_source:
path: /etc/envoy/validation_context_sds_secret.yaml
watched_directory:
path: /etc/envoy/
tls_certificate_sds_secret_configs:
- name: tls_certificate_sds
sds_config:
resource_api_version: V3
path_config_source:
path: /etc/envoy/tls_certificate_sds_secret.yaml
watched_directory:
path: /etc/envoy/
- name: airlock_microgateway_engine_admin
connect_timeout: 1s
type: STATIC
load_assignment:
cluster_name: airlock_microgateway_engine_admin
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: 127.0.0.1
port_value: 19000
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
'@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
connection_keepalive:
interval: 360s
timeout: 5s
stats_config:
stats_tags:
- tag_name: "category"
regex: "\\.(category\\.([^.]+))"
- tag_name: "rule_name"
regex: "\\.(rule\\.([^.]+))"
- tag_name: "limit_name"
regex: "\\.(limit\\.([^.]+))"
- tag_name: "threat_handling_mode"
regex: "\\.(threat_handling_mode\\.([^.]+))"
- tag_name: "envoy_cluster_name"
regex: "\\.(cluster\\.([^.]+))"
- tag_name: "version"
regex: "\\.(version\\.([^.]+))"
use_all_default_tags: true
bootstrap_extensions:
- name: airlock.bootstrap.engine_build_info
typed_config:
'@type': type.googleapis.com/airlock.extensions.bootstrap.stats.v1alpha.Stats
application_log_config:
log_format:
text_format: '{"@timestamp":"%Y-%m-%dT%T.%e%z","log":{"logger":"%n","level":"%l","origin":{"file":{"name":"%g","line":%#},"function":"%!"}},"event":{"module":"envoy","dataset":"envoy.application"},"process":{"pid":%P,"thread":{"id":%t}},"ecs":{"version":"8.5"},"message":"%j"}'
engine_container_template.yaml: |
name: "$(ENGINE_NAME)"
image: "$(ENGINE_IMAGE)"
imagePullPolicy: {{ .Values.engine.image.pullPolicy }}
args:
- "--config-path"
- "/etc/envoy/bootstrap_config.yaml"
- "--base-id"
- "$(BASE_ID)"
- "--file-flush-interval-msec"
- '1000'
- "--drain-time-s"
- '60'
- "--service-node"
- "$(POD_NAME).$(POD_NAMESPACE)"
- "--service-cluster"
- "$(APP_NAME).$(POD_NAMESPACE)"
- "--log-path"
- "/dev/stdout"
- "--log-level"
- "$(LOG_LEVEL)"
volumeMounts:
- name: airlock-microgateway-bootstrap-secret-volume
mountPath: /etc/envoy
readOnly: true
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: POD_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
ports:
- containerPort: 13378
protocol: TCP
- containerPort: 19001
protocol: TCP
- containerPort: 19002
protocol: TCP
livenessProbe:
httpGet:
path: /ready
port: 19001
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 5
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
httpGet:
path: /ready
port: 19001
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 3
successThreshold: 1
timeoutSeconds: 1
securityContext:
{{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }}
runAsUser: $(SECURITYCONTEXT_UID)
{{- with .Values.engine.resources }}
resources:
{{- toYaml . | nindent 6 }}
{{- end }}
network_validator_container_template.yaml: |
name: "$(NETWORK_VALIDATOR_NAME)"
image: "$(NETWORK_VALIDATOR_IMAGE)"
imagePullPolicy: {{ .Values.networkValidator.image.pullPolicy }}
command: ["/bin/sh", "-c"]
args:
- |-
echo 'pong' | nc -v -l 127.0.0.1 -p 13378 &
for i in 1 2 3; do
sleep 1s
if r=$(echo 'ping' | nc 127.0.0.1 19003) && [ $r == pong ]; then
echo -n 'Traffic redirection to Airlock Microgateway Engine is working.' > /dev/termination-log
exit 0
fi
done
echo -en 'Traffic redirection to Airlock Microgateway Engine is not working.\nRestart the pod after ensuring that hostNetwork is disabled and a compatible Airlock Microgateway CNI version is installed on the node.\nCertain environments may also require additional configuration (see docs.airlock.com for more information).' > /dev/termination-log
exit 1
securityContext:
{{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }}
runAsUser: $(SECURITYCONTEXT_UID)
operator_config.yaml: |
apiVersion: config.airlock.com/v1alpha1
kind: OperatorConfig
health:
healthProbeBindAddress: :8081
metrics:
bindAddress: 0.0.0.0:8080
webhook:
port: 9443
deployment:
sidecar:
engineContainerTemplate: "/sidecar/engine_container_template.yaml"
networkValidatorContainerTemplate: "/sidecar/network_validator_container_template.yaml"
engine:
bootstrapConfigTemplate: "/engine_bootstrap_config_template.yaml"
log:
level: {{ .Values.operator.config.logLevel }}

138
charts/airlock/microgateway/4.2.3/templates/operator/deployment.yaml Normal file
View File

@ -0,0 +1,138 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.operator.replicaCount }}
{{- with .Values.operator.updateStrategy }}
strategy:
{{- toYaml . | trim | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "airlock-microgateway.operator.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/operator/configmap.yaml") . | sha256sum }}
kubectl.kubernetes.io/default-container: manager
{{- with mustMerge .Values.operator.podAnnotations .Values.commonAnnotations}}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 8 }}
{{- with .Values.operator.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
containers:
- args:
- --config=operator_config.yaml
env:
- name: ENGINE_IMAGE
value: {{ include "airlock-microgateway.image" .Values.engine.image }}
- name: NETWORK_VALIDATOR_IMAGE
value: {{ include "airlock-microgateway.image" .Values.networkValidator.image }}
- name: OPERATOR_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: OPERATOR_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: {{ include "airlock-microgateway.image" .Values.operator.image }}
imagePullPolicy: {{ .Values.operator.image.pullPolicy }}
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
timeoutSeconds: 5
name: manager
ports:
- containerPort: 9443
name: webhook-server
protocol: TCP
- containerPort: 13377
name: xds-server
protocol: TCP
- containerPort: 8080
protocol: TCP
- containerPort: 8081
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
{{- with .Values.operator.resources }}
resources:
{{- toYaml . | nindent 10 }}
{{- end }}
securityContext:
{{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 10 }}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
- mountPath: /opt/airlock/license/
name: airlock-microgateway-license
readOnly: true
- mountPath: /operator_config.yaml
name: operator-config
subPath: operator_config.yaml
- mountPath: /sidecar/engine_container_template.yaml
name: operator-config
subPath: engine_container_template.yaml
- mountPath: /sidecar/network_validator_container_template.yaml
name: operator-config
subPath: network_validator_container_template.yaml
- mountPath: /engine_bootstrap_config_template.yaml
name: operator-config
subPath: engine_bootstrap_config_template.yaml
securityContext:
runAsNonRoot: true
serviceAccountName: {{ include "airlock-microgateway.operator.serviceAccountName" . }}
terminationGracePeriodSeconds: 10
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.operator.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.operator.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.operator.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: cert
secret:
defaultMode: 420
secretName: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-server-cert
- name: airlock-microgateway-license
secret:
defaultMode: 292
optional: true
secretName: {{ .Values.license.secretName }}
- configMap:
name: {{ include "airlock-microgateway.operator.fullname" . }}-config
name: operator-config

14
charts/airlock/microgateway/4.2.3/templates/operator/manager-clusterrole.yaml Normal file
View File

@ -0,0 +1,14 @@
{{- if .Values.operator.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
{{ include "airlock-microgateway-operator.rbacRules" . -}}
{{- end -}}

20
charts/airlock/microgateway/4.2.3/templates/operator/manager-clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,20 @@
{{- if .Values.operator.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: {{ include "airlock-microgateway.operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end -}}

47
charts/airlock/microgateway/4.2.3/templates/operator/metrics-service.yaml Normal file
View File

@ -0,0 +1,47 @@
apiVersion: v1
kind: Service
metadata:
name: airlock-microgateway-operator-metrics
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.operator.serviceLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ports:
- appProtocol: http
name: metrics
port: 8080
protocol: TCP
selector:
{{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }}
---
apiVersion: v1
kind: Service
metadata:
name: airlock-microgateway-operator-leader-metrics
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.operator.serviceLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
operator.microgateway.airlock.com/isLeader: "true"
{{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ports:
- appProtocol: http
name: metrics
port: 8080
protocol: TCP
selector:
{{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }}
operator.microgateway.airlock.com/isLeader: "true"

14
charts/airlock/microgateway/4.2.3/templates/operator/mutating-webhook.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-{{ .Release.Namespace }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
annotations:
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "airlock-microgateway.operator.fullname" . }}-serving-cert
{{- with .Values.commonAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
webhooks:
{{ include "airlock-microgateway-operator.mutatingWebhooks" . -}}

26
charts/airlock/microgateway/4.2.3/templates/operator/podmonitor.yaml Normal file
View File

@ -0,0 +1,26 @@
{{- if .Values.engine.sidecar.podMonitor.create }}
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: {{ include "airlock-microgateway.fullname" . }}-engine
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.engine.sidecar.podMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
namespaceSelector:
any: true
selector:
matchLabels:
sidecar.microgateway.airlock.com/inject: "true"
podMetricsEndpoints:
- targetPort: 19002
path: /metrics
scheme: http
{{- end -}}

45
charts/airlock/microgateway/4.2.3/templates/operator/role.yaml Normal file
View File

@ -0,0 +1,45 @@
{{- if .Values.operator.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
{{- end -}}

20
charts/airlock/microgateway/4.2.3/templates/operator/rolebinding.yaml Normal file
View File

@ -0,0 +1,20 @@
{{- if .Values.operator.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election
subjects:
- kind: ServiceAccount
name: {{ include "airlock-microgateway.operator.serviceAccountName" . }}
{{- end -}}

13
charts/airlock/microgateway/4.2.3/templates/operator/selfsigned-issuer.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-selfsigned-issuer
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selfSigned: {}

13
charts/airlock/microgateway/4.2.3/templates/operator/serviceaccount.yaml Normal file
View File

@ -0,0 +1,13 @@
{{- if .Values.operator.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "airlock-microgateway.operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with mustMerge .Values.operator.serviceAccount.annotations .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}

60
charts/airlock/microgateway/4.2.3/templates/operator/servicemonitor.yaml Normal file
View File

@ -0,0 +1,60 @@
{{- if .Values.operator.serviceMonitor.create }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.operator.serviceMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "airlock-microgateway.operator.selectorLabels" . | nindent 6 }}
matchExpressions:
- { key: "operator.microgateway.airlock.com/isLeader", operator: DoesNotExist }
endpoints:
- path: /metrics
port: metrics
scheme: http
metricRelabelings:
- sourceLabels:
- __name__
regex: {{ include "airlock-microgateway.operator.metricsLeaderOnlyRegexPattern" . }}
action: drop
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-leader
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.operator.serviceMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "airlock-microgateway.operator.selectorLabels" . | nindent 6 }}
operator.microgateway.airlock.com/isLeader: "true"
endpoints:
- path: /metrics
port: metrics
scheme: http
metricRelabelings:
- sourceLabels:
- __name__
regex: {{ include "airlock-microgateway.operator.metricsLeaderOnlyRegexPattern" . }}
action: keep
{{- end -}}

19
charts/airlock/microgateway/4.2.3/templates/operator/serving-certificate.yaml Normal file
View File

@ -0,0 +1,19 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-serving-cert
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
dnsNames:
- airlock-microgateway-operator-webhook.{{ .Release.Namespace }}.svc
- airlock-microgateway-operator-webhook.{{ .Release.Namespace }}.svc.cluster.local
issuerRef:
kind: Issuer
name: {{ include "airlock-microgateway.operator.fullname" . }}-selfsigned-issuer
secretName: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-server-cert

14
charts/airlock/microgateway/4.2.3/templates/operator/validating-webhook.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-{{ .Release.Namespace }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
annotations:
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "airlock-microgateway.operator.fullname" . }}-serving-cert
{{- with .Values.commonAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
webhooks:
{{ include "airlock-microgateway-operator.validatingWebhooks" . -}}

23
charts/airlock/microgateway/4.2.3/templates/operator/webhook-service.yaml Normal file
View File

@ -0,0 +1,23 @@
apiVersion: v1
kind: Service
metadata:
name: airlock-microgateway-operator-webhook
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.operator.serviceLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ports:
- appProtocol: https
name: webhook
port: 443
protocol: TCP
targetPort: 9443
selector:
{{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }}

24
charts/airlock/microgateway/4.2.3/templates/operator/xds-service.yaml Normal file
View File

@ -0,0 +1,24 @@
apiVersion: v1
kind: Service
metadata:
name: airlock-microgateway-operator-xds
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.operator.serviceLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ports:
- appProtocol: grpc
name: xds
port: 13377
protocol: TCP
targetPort: 13377
selector:
{{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }}
operator.microgateway.airlock.com/isLeader: "true"

107
charts/airlock/microgateway/4.2.3/templates/tests/rbac.yaml Normal file
View File

@ -0,0 +1,107 @@
{{- if .Values.tests.enabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: tests
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
{{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
name: "{{ include "airlock-microgateway.fullname" . }}-tests"
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: tests
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
{{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
name: "{{ include "airlock-microgateway.fullname" . }}-tests"
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: "{{ include "airlock-microgateway.fullname" . }}-tests"
subjects:
- kind: ServiceAccount
name: "{{ include "airlock-microgateway.fullname" . }}-tests"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: tests
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
{{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
name: "{{ include "airlock-microgateway.fullname" . }}-tests"
namespace: {{ .Release.Namespace }}
rules:
- apiGroups:
- microgateway.airlock.com
resources:
- sidecargateways
resourceNames:
- "{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway"
verbs:
- get
- list
- watch
- delete
- apiGroups:
- microgateway.airlock.com
resources:
- sidecargateways
verbs:
- create
- apiGroups:
- ""
resources:
- events
verbs:
- list
- apiGroups:
- "apps"
resources:
- deployments
resourceNames:
- "{{ include "airlock-microgateway.operator.fullname" . }}"
verbs:
- get
- list
- watch
- apiGroups:
- "apps"
resources:
- statefulsets
- statefulsets/scale
resourceNames:
- "{{ include "airlock-microgateway.fullname" . }}-test-backend"
verbs:
- get
- list
- watch
- patch
- apiGroups:
- ""
resources:
- pods
- pods/log
- pods/status
- pods/attach
resourceNames:
- "{{ include "airlock-microgateway.fullname" . }}-test-backend-0"
- "{{ include "airlock-microgateway.fullname" . }}-test-valid-request"
- "{{ include "airlock-microgateway.fullname" . }}-test-injection-request"
verbs:
- get
- list
- create
- watch
- delete
- apiGroups:
- ""
resources:
- pods
verbs:
- create
{{- end -}}

23
charts/airlock/microgateway/4.2.3/templates/tests/service.yaml Normal file
View File

@ -0,0 +1,23 @@
{{- if .Values.tests.enabled -}}
apiVersion: v1
kind: Service
metadata:
name: "{{ include "airlock-microgateway.fullname" . }}-test-service"
namespace: {{ .Release.Namespace }}
labels:
app: test-service
app.kubernetes.io/component: test-install
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
{{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
{{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }}
spec:
selector:
app.kubernetes.io/component: test-install
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
app: "{{ include "airlock-microgateway.fullname" . }}-test-backend"
{{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }}
ports:
- name: http
port: 8080
targetPort: 8080
{{- end -}}

56
charts/airlock/microgateway/4.2.3/templates/tests/statefulset.yaml Normal file
View File

@ -0,0 +1,56 @@
{{- if .Values.tests.enabled -}}
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: "{{ include "airlock-microgateway.fullname" . }}-test-backend"
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/component: test-install
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
app: "{{ include "airlock-microgateway.fullname" . }}-test-backend"
{{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
{{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }}
spec:
serviceName: nginx
replicas: 0
selector:
matchLabels:
app.kubernetes.io/component: test-install
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
app: "{{ include "airlock-microgateway.fullname" . }}-test-backend"
{{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
k8s.v1.cni.cncf.io/networks: default/airlock-microgateway-cni
labels:
sidecar.microgateway.airlock.com/inject: "true"
sidecar.istio.io/inject: "false"
app.kubernetes.io/component: test-install
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
app: "{{ include "airlock-microgateway.fullname" . }}-test-backend"
{{- include "airlock-microgateway.sharedLabels" . | nindent 8 }}
{{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 8 }}
spec:
containers:
- image: cgr.dev/chainguard/nginx
name: nginx
ports:
- containerPort: 8080
volumeMounts:
- mountPath: /var/lib/nginx/tmp/
name: nginx-tmp
- mountPath: /var/run
name: nginx-run
securityContext:
{{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 12 }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- emptyDir: {}
name: nginx-tmp
- emptyDir: {}
name: nginx-run
{{- end -}}

200
charts/airlock/microgateway/4.2.3/templates/tests/test-install.yaml Normal file
View File

@ -0,0 +1,200 @@
{{- if .Values.tests.enabled -}}
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "airlock-microgateway.fullname" . }}-test-install"
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/component: test-install
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
{{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
{{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }}
annotations:
helm.sh/hook: test
helm.sh/hook-delete-policy: before-hook-creation
spec:
restartPolicy: Never
containers:
- name: test
image: "bitnami/kubectl:{{ .Capabilities.KubeVersion.Major }}.{{ .Capabilities.KubeVersion.Minor }}"
securityContext:
{{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }}
command:
- sh
- -c
- |
set -eu
clean_up() {
echo ""
echo "### Clean up test resources"
kubectl delete --ignore-not-found=true -n {{ .Release.Namespace }} sidecargateways.microgateway.airlock.com {{ include "airlock-microgateway.fullname" . }}-test-sidecargateway || true
echo ""
echo "### Scale down '{{ include "airlock-microgateway.fullname" . }}-test-backend'"
kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=0 --timeout=30s
sleep 3s
echo ""
}
fail() {
echo ""
echo "### Error: ${1}"
echo ""
echo 'Microgateway Sidecargateway status:'
kubectl get -n {{ .Release.Namespace }} sidecargateway.microgateway.airlock.com/{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway -o jsonpath-as-json='{.status}' || true
echo ""
echo ""
echo "Pod '{{ include "airlock-microgateway.fullname" . }}-test-backend-0':"
kubectl describe -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 || true
echo ""
echo ""
echo 'Logs of Nginx container:'
kubectl logs -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -c nginx --tail 5 || true
echo ""
echo ""
# Wait for engine logs
sleep 10s
echo 'Logs of Microgateway Engine container:'
kubectl logs -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -c airlock-microgateway-engine --tail 5 || true
exit 1
}
create_sidecargateway() {
# create SidecarGateway resource for testing purposes
kubectl delete --ignore-not-found=true -n {{ .Release.Namespace }} sidecargateways.microgateway.airlock.com {{ include "airlock-microgateway.fullname" . }}-test-sidecargateway || true
kubectl apply -f - <<EOF
apiVersion: microgateway.airlock.com/v1alpha1
kind: SidecarGateway
metadata:
name: "{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway"
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/component: test-install
{{- include "airlock-microgateway.sharedLabels" . | nindent 12 }}
{{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 12 }}
spec:
podSelector:
matchLabels:
app: "{{ include "airlock-microgateway.fullname" . }}-test-backend"
{{- include "airlock-microgateway.sharedLabels" . | nindent 14 }}
{{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 14 }}
applications:
- containerPort: 8080
EOF
}
curl() {
kubectl delete pod --ignore-not-found=true -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request
kubectl -n {{ .Release.Namespace }} run {{ include "airlock-microgateway.fullname" . }}-test-valid-request --restart=Never --image=cgr.dev/chainguard/curl \
--override-type=strategic \
--overrides='
{
"apiVersion": "v1",
"spec": {
"containers": [
{
"name": "{{ include "airlock-microgateway.fullname" . }}-test-valid-request",
"securityContext": {{ include "airlock-microgateway.restrictedSecurityContext" . | fromYaml | toJson }}
}
]
}
}' \
-- "$@"
local i=0
while [ $i -lt 90 ] && ! kubectl logs -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request >/dev/null 2>&1; do sleep 1s; i=$((i+1)); done
kubectl logs -f -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request
kubectl delete pod --ignore-not-found=true -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request
}
trap clean_up EXIT
echo "### Waiting for Microgateway Deployments to be ready"
if ! kubectl rollout status -n {{ .Release.Namespace }} --timeout=90s \
deployments/{{ include "airlock-microgateway.operator.fullname" . }}; then
fail 'Timout occurred'
fi
echo ""
echo "### Scale '{{ include "airlock-microgateway.fullname" . }}-test-backend' to '1' replica"
# scale to zero replicas to ensure no pods are present from previous runs
kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=0 --timeout=10s
kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=1 --timeout=10s
echo ""
echo "### Waiting for backend pod"
i=0
while true; do
if kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0; then
break
elif [ $i -gt 3 ]; then
fail 'Pod not ready'
fi
sleep 2s
i=$((i+1))
done
echo "### Checking Microgateway Engine sidecar container was injected"
if ! kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -o jsonpath='{.spec.containers[?(@.name=="airlock-microgateway-engine")]}' | grep -q "airlock-microgateway-engine"; then
fail 'Microgateway Engine sidecar container not injected'
fi
echo "True"
echo ""
echo "### Checking for valid license"
i=0
while true; do
if [ "$(kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -o jsonpath='{.metadata.labels.sidecar\.microgateway\.airlock\.com/licensed}')" = 'true' ]; then
break
elif [ $i -gt 30 ]; then
fail 'Microgateway license is missing or invalid'
fi
sleep 2s
i=$((i+1))
done
echo "True"
echo ""
echo "### Create SidecarGateway resource for testing"
if ! create_sidecargateway ; then
fail 'Creation of SidecarGateway resource failed'
fi
echo ""
echo "### Waiting for '{{ include "airlock-microgateway.fullname" . }}-test-backend' to be ready"
if ! kubectl rollout status -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --timeout=90s; then
fail 'Timout occurred'
fi
echo ""
echo "### Waiting for 'engine-config-valid' condition"
if ! kubectl wait -n {{ .Release.Namespace }} pods --field-selector=metadata.name={{ include "airlock-microgateway.fullname" . }}-test-backend-0 --timeout=90s --for=condition=microgateway.airlock.com/engine-config-valid=True; then
fail 'Configuration was never accepted by the Microgateway Engine'
fi
sleep 5s
echo ""
echo ""
echo "### Checking whether a valid request is successful and returns HTTP status code '200'"
out=$(curl -vsS --retry 3 --retry-connrefused --connect-timeout 10 "http://{{ include "airlock-microgateway.fullname" . }}-test-service:8080/" || true)
echo "Response:"
echo "${out}"
if ! echo "${out}" | grep -q "200 OK"; then
fail 'A valid request was not successful'
fi
echo ""
echo ""
echo "### Checking whether a request with an injection attack is blocked and returns HTTP status code '400'"
out=$(curl -vsS --retry 3 --retry-connrefused --connect-timeout 10 "http://{{ include "airlock-microgateway.fullname" . }}-test-service:8080/?token='%20UnION%20all%20select%20A" || true)
echo "Response:"
echo "${out}"
if ! echo "${out}" | grep -q "400 Bad Request"; then
fail 'A malicious request was not blocked'
fi
echo ""
echo ""
echo "### Installation of '{{ include "airlock-microgateway.fullname" . }}' succeeded"
exit 0
serviceAccountName: "{{ include "airlock-microgateway.fullname" . }}-tests"
{{- end -}}

364
charts/airlock/microgateway/4.2.3/values.schema.json Normal file
View File

@ -0,0 +1,364 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"type": "object",
"properties": {
"nameOverride": {
"type": "string"
},
"fullnameOverride": {
"type": "string"
},
"commonLabels": {
"$ref": "#/definitions/StringMap"
},
"commonAnnotations": {
"$ref": "#/definitions/StringMap"
},
"crds": {
"type": "object",
"properties": {
"skipVersionCheck": {
"type": "boolean"
}
},
"additionalProperties": false
},
"imagePullSecrets": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"minLength": 1
}
},
"required": [
"name"
],
"additionalProperties": true
}
},
"operator": {
"type": "object",
"properties": {
"replicaCount": {
"type": "integer",
"minimum": 0
},
"updateStrategy": {
"$ref": "#/definitions/UpdateStrategy"
},
"image": {
"$ref": "#/definitions/Image"
},
"podAnnotations": {
"$ref": "#/definitions/StringMap"
},
"podLabels": {
"$ref": "#/definitions/StringMap"
},
"serviceAnnotations": {
"$ref": "#/definitions/StringMap"
},
"serviceLabels": {
"$ref": "#/definitions/StringMap"
},
"resources": {
"type": "object"
},
"nodeSelector": {
"$ref": "#/definitions/StringMap"
},
"tolerations": {
"type": "array",
"items": {
"type": "object"
}
},
"affinity": {
"type": "object"
},
"config": {
"type": "object",
"properties": {
"logLevel": {
"type": "string",
"enum": [
"debug",
"info",
"warn",
"error"
]
}
},
"required": [
"logLevel"
],
"additionalProperties": false
},
"serviceAccount": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"annotations": {
"$ref": "#/definitions/StringMap"
},
"name": {
"type": "string"
}
},
"required": [
"annotations",
"create",
"name"
],
"additionalProperties": false
},
"rbac": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
}
},
"required": [
"create"
],
"additionalProperties": false
},
"serviceMonitor": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"labels": {
"$ref": "#/definitions/StringMap"
}
},
"required": [
"create"
],
"additionalProperties": false
}
},
"required": [
"affinity",
"config",
"image",
"updateStrategy",
"nodeSelector",
"podAnnotations",
"podLabels",
"rbac",
"replicaCount",
"resources",
"serviceAccount",
"serviceAnnotations",
"serviceLabels",
"serviceMonitor",
"tolerations"
],
"additionalProperties": false
},
"engine": {
"type": "object",
"properties": {
"image": {
"$ref": "#/definitions/Image"
},
"resources": {
"type": "object"
},
"sidecar": {
"type": "object",
"properties":{
"podMonitor": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"labels": {
"$ref": "#/definitions/StringMap"
}
},
"required": [
"create"
],
"additionalProperties": false
}
},
"required": [
"podMonitor"
],
"additionalProperties": false
}
},
"required": [
"image",
"resources",
"sidecar"
],
"additionalProperties": false
},
"networkValidator": {
"type": "object",
"properties": {
"image": {
"$ref": "#/definitions/Image"
}
},
"required": [
"image"
],
"additionalProperties": false
},
"license": {
"type": "object",
"properties": {
"secretName": {
"type": "string",
"minLength": 1
}
},
"required": [
"secretName"
],
"additionalProperties": false
},
"tests": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
}
},
"required": [
"enabled"
],
"additionalProperties": false
},
"global": {
"type": "object"
}
},
"required": [
"commonAnnotations",
"commonLabels",
"crds",
"engine",
"fullnameOverride",
"imagePullSecrets",
"license",
"nameOverride",
"operator",
"networkValidator",
"tests"
],
"additionalProperties": false,
"definitions": {
"StringMap": {
"type": "object",
"additionalProperties": {
"type": "string"
}
},
"Image": {
"type": "object",
"properties": {
"repository": {
"type": "string",
"minLength": 1
},
"tag": {
"type": "string"
},
"digest": {
"type": "string",
"pattern": "^$|^sha256:[a-f0-9]{64}$"
},
"pullPolicy": {
"type": "string",
"enum": [
"Always",
"IfNotPresent",
"Never"
]
}
},
"required": [
"digest",
"pullPolicy",
"repository",
"tag"
],
"additionalProperties": false
},
"UpdateStrategy": {
"type": "object",
"oneOf" : [
{
"properties": {
"type": {
"$ref": "#/definitions/RecreateType"
}
},
"required": [
"type"
],
"additionalProperties": false
},
{
"properties": {
"type": {
"$ref": "#/definitions/RollingUpdateType"
},
"rollingUpdate": {
"$ref": "#/definitions/RollingUpdate"
}
},
"required": [
"type"
],
"additionalProperties": false
}
]
},
"RecreateType": {
"type": "string",
"enum": [
"Recreate"
]
},
"RollingUpdateType": {
"type": "string",
"enum": [
"RollingUpdate"
]
},
"RollingUpdate": {
"type": "object",
"properties": {
"maxSurge": {
"type": ["integer", "string"],
"minimum": 0,
"pattern": "^\\d+%?$"
},
"maxUnavailable": {
"type": ["integer", "string"],
"minimum": 0,
"pattern": "^\\d+%?$"
}
},
"anyOf": [
{"required": ["maxSurge"]},
{"required": ["maxUnavailable"]}
],
"additionalProperties": false
}
}
}

137
charts/airlock/microgateway/4.2.3/values.yaml Normal file
View File

@ -0,0 +1,137 @@
# -- Allows overriding the name to use instead of "microgateway".
nameOverride: ""
# -- Allows overriding the name to use as full name of resources.
fullnameOverride: ""
# -- Labels to add to all resources.
commonLabels: {}
# -- Annotations to add to all resources.
commonAnnotations: {}
# -- ImagePullSecrets to use when pulling images.
imagePullSecrets: []
# - name: myRegistryKeySecretName
crds:
# -- Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs.
# The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster
# when performing a "helm install/upgrade".
skipVersionCheck: false
operator:
# -- Number of replicas for the operator Deployment.
replicaCount: 2
# -- Specifies the operator update strategy.
updateStrategy:
type: RollingUpdate
# Specifies the Airlock Microgateway Operator image.
image:
# -- Image repository from which to pull the Airlock Microgateway Operator image.
repository: "quay.io/airlock/microgateway-operator"
# -- Image tag to pull.
tag: "4.2.3"
# -- SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63").
# Overrides tag when specified.
digest: "sha256:a429dfdb636e76bfbee7c59cfbe53d5f396c1f5603d5cb187f6283301ba4d7ba"
# -- Pull policy for this image.
pullPolicy: IfNotPresent
# -- Annotations to add to all Pods.
podAnnotations: {}
# -- Labels to add to all Pods.
podLabels: {}
# -- Annotations to add to the Service.
serviceAnnotations: {}
# prometheus.io/scrape: "true"
# prometheus.io/port: "8080"
# -- Labels to add to the Service.
serviceLabels: {}
# -- Resource restrictions to apply to the operator container.
resources: {}
# We recommend at least the following resource specification.
# limits:
# cpu: 1000m
# memory: 512Mi
# requests:
# cpu: 100m
# memory: 512Mi
# -- Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes.
nodeSelector: {}
# -- Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes.
tolerations: []
# -- Custom affinity to apply to the operator Deployment. Used to influence the scheduling.
affinity: {}
# Parameters for the operator configuration.
config:
# -- Operator application log level.
logLevel: "info"
# Configures the generation of the ServiceAccount.
serviceAccount:
# -- Whether a ServiceAccount should be created.
create: true
# -- Annotations to add to the ServiceAccount.
annotations: {}
# -- Name of the ServiceAccount to use.
# If not set and create is true, a name is generated using the fullname template.
name: ""
# Configures the generation of Role and RoleBinding as well ClusterRoles and ClusterRoleBinding pairs for the ServiceAccount specified above.
rbac:
# -- Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function.
create: true
# Configures the generation of a Prometheus Operator ServiceMonitor.
serviceMonitor:
# -- Whether to create a ServiceMonitor resource for monitoring.
create: false
# -- Labels to add to the ServiceMonitor.
labels: {}
# release: "<prometheus-operator-release>"
engine:
# Specifies the Airlock Microgateway Engine image.
image:
# -- Image repository from which to pull the Airlock Microgateway Engine image.
repository: "quay.io/airlock/microgateway-engine"
# -- Image tag to pull.
tag: "4.2.3"
# -- SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3").
# Overrides tag when specified.
digest: "sha256:9b0debeef611172aa5ca79c6b8cd045e56a3c883763ec62c0fa211bb86d35304"
# -- Pull policy for this image.
pullPolicy: IfNotPresent
# -- Resource restrictions to apply to the Airlock Microgateway Engine container.
resources: {}
# We recommend at least the following resource specification.
# limits:
# cpu: 500m
# memory: 128Mi
# requests:
# cpu: 10m
# memory: 40Mi
# Additional configuration when deployed as a sidecar.
sidecar:
# Configures the generation of a Prometheus Operator PodMonitor.
podMonitor:
# -- Whether to create a PodMonitor resource for monitoring.
create: false
# -- Labels to add to the PodMonitor.
labels: {}
# release: "<prometheus-operator-release>"
networkValidator:
# Specifies the Airlock Microgateway Network Validator image to be injected as an init-container.
image:
# -- Image repository from which to pull the busybox image for the Airlock Microgateway Network Validator init-container.
repository: "cgr.dev/chainguard/busybox"
# -- Image tag to pull.
tag: ""
# -- SHA256 image digest to pull (in the format "sha256:a212cef6665b2464a41307162fa96e9623aa45c3fa32c39d320eae8b730d81e0").
# Overrides tag when specified.
digest: "sha256:a212cef6665b2464a41307162fa96e9623aa45c3fa32c39d320eae8b730d81e0"
# -- Pull policy for this image.
pullPolicy: IfNotPresent
license:
# -- Name of the secret containing the "microgateway-license.txt" key.
secretName: "airlock-microgateway-license"
# Check whether the installation of the Airlock Microgateway Helm Chart was successful.
# Requires a secret with a valid Airlock Microgateway license key already to be present.
tests:
# -- Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts).
# If set to false, `helm test` will not run any tests.
enabled: false

1
charts/gluu/gluu/5.1.2/Chart.yaml
View File

@ -28,7 +28,6 @@ annotations:
artifacthub.io/license: Apache-2.0
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Gluu Cloud Identity and Access Management
catalog.cattle.io/featured: "4"
catalog.cattle.io/kube-version: '>=v1.21.0-0'
catalog.cattle.io/release-name: gluu
apiVersion: v2

107
charts/gluu/gluu/5.1.3/Chart.yaml Normal file
View File

@ -0,0 +1,107 @@
annotations:
artifacthub.io/containsSecurityUpdates: "true"
artifacthub.io/images: |
- name: auth-server
image: ghcr.io/janssenproject/jans/auth-server:1.1.3-1
- name: auth-server-key-rotation
image: ghcr.io/janssenproject/jans/certmanager:1.1.3-1
- name: configuration-manager
image: ghcr.io/janssenproject/jans/configurator:1.1.3-1
- name: config-api
image: ghcr.io/janssenproject/jans/config-api:1.1.3-1
- name: fido2
image: ghcr.io/janssenproject/jans/fido2:1.1.3-1
- name: persistence
image: ghcr.io/janssenproject/jans/persistence-loader:1.1.3-1
- name: scim
image: ghcr.io/janssenproject/jans/scim:1.1.3-1
- name: casa
image: ghcr.io/janssenproject/jans/casa:1.1.3-1
- name: admin-ui
image: ghcr.io/gluufederation/flex/admin-ui:5.1.3-1
- name: link
image: ghcr.io/janssenproject/jans/link:1.1.3-1
- name: saml
image: ghcr.io/janssenproject/jans/saml:1.1.3-1
- name: kc-scheduler
image: ghcr.io/janssenproject/jans/kc-scheduler:1.1.3-1
artifacthub.io/license: Apache-2.0
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Gluu Cloud Identity and Access Management
catalog.cattle.io/featured: "4"
catalog.cattle.io/kube-version: '>=v1.21.0-0'
catalog.cattle.io/release-name: gluu
apiVersion: v2
appVersion: 5.1.3
dependencies:
- condition: global.config.enabled
name: config
repository: file://./charts/config
version: 1.1.3
- condition: global.config-api.enabled
name: config-api
repository: file://./charts/config-api
version: 1.1.3
- condition: global.opendj.enabled
name: opendj
repository: file://./charts/opendj
version: 5.1.3
- condition: global.auth-server.enabled
name: auth-server
repository: file://./charts/auth-server
version: 1.1.3
- condition: global.admin-ui.enabled
name: admin-ui
repository: file://./charts/admin-ui
version: 5.1.3
- condition: global.fido2.enabled
name: fido2
repository: file://./charts/fido2
version: 1.1.3
- condition: global.scim.enabled
name: scim
repository: file://./charts/scim
version: 1.1.3
- condition: global.nginx-ingress.enabled
name: nginx-ingress
repository: file://./charts/nginx-ingress
version: 5.1.3
- condition: global.casa.enabled
name: casa
repository: file://./charts/casa
version: 1.1.3
- condition: global.auth-server-key-rotation.enabled
name: auth-server-key-rotation
repository: file://./charts/auth-server-key-rotation
version: 1.1.3
- condition: global.persistence.enabled
name: persistence
repository: file://./charts/persistence
version: 1.1.3
- condition: global.istio.ingress
name: cn-istio-ingress
repository: file://./charts/cn-istio-ingress
version: 5.1.3
- condition: global.link.enabled
name: link
repository: file://./charts/link
version: 1.1.3
- condition: global.saml.enabled
name: saml
repository: file://./charts/saml
version: 1.1.3
- condition: global.kc-scheduler.enabled
name: kc-scheduler
repository: file://./charts/kc-scheduler
version: 1.1.3
description: Gluu Access and Identity Management
home: https://www.gluu.org
icon: file://assets/icons/gluu.ico
kubeVersion: '>=v1.21.0-0'
maintainers:
- email: team@gluu.org
name: moabu
name: gluu
sources:
- https://docs.gluu.org
version: 5.1.3

699
charts/gluu/gluu/5.1.3/README.md Normal file
View File

File diff suppressed because one or more lines are too long

38
charts/gluu/gluu/5.1.3/app-readme.md Normal file
View File

@ -0,0 +1,38 @@
## Tutorial
For a full walkthrough of the Gluu Flex Server on Rancher, please see the [Gluu Server on Rancher Tutorial](https://docs.gluu.org/stable/admin/recipes/getting-started-rancher/).
## Introduction
The Gluu Server is a container distribution of free open source software (FOSS) for identity and access management (IAM). SaaS, custom, open source and commercial web and mobile applications can leverage a Gluu Server for user authentication, identity information, and policy decisions.
Common use cases include:
- Single sign-on (SSO)
- Mobile authentication
- API access management
- Two-factor authentication (2FA)
- Customer identity and access management (CIAM)
- Identity federation
### Free Open Source Software
The Gluu Server is a FOSS platform for IAM.
### Open Web Standards
The Gluu Server can be deployed to support the following open standards for authentication, authorization, federated identity, and identity management:
- OAuth 2.0
- OpenID Connect
- User Managed Access 2.0 (UMA)
- System for Cross-domain Identity Management (SCIM)
- FIDO Universal 2nd Factor (U2F)
- FIDO 2.0 / WebAuthn
- Lightweight Directory Access Protocol (LDAP)
- Remote Authentication Dial-In User Service (RADIUS)
### Important notes for installation:
- Make sure to enable `Customize Helm options before install` after clicking the initial `Install` on the top right. When you view your helm options, please uncheck the wait parameter as that conflicts with the post-install hook for the persistence image.
### Quick install on Rancher UI with Docker single node
- Install the nginx-ingress-controller chart.
- Install the OpenEBS chart.
- Install Gluu chart and specify your persistence as ldap.

21
charts/gluu/gluu/5.1.3/charts/admin-ui/.helmignore Normal file
View File

@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

20
charts/gluu/gluu/5.1.3/charts/admin-ui/Chart.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: v2
appVersion: 5.1.3
description: Admin GUI. Requires license.
home: https://docs.gluu.org
icon: https://gluu.org/docs/gluu-server/favicon.ico
keywords:
- Authorization
- OpenID
- GUI
kubeVersion: '>=v1.21.0-0'
maintainers:
- email: team@gluu.org
name: Mohammad Abudayyeh
url: https://github.com/moabu
name: admin-ui
sources:
- https://github.com/GluuFederation/docker-gluu-admin-ui
- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/admin-ui
type: application
version: 5.1.3

60
charts/gluu/gluu/5.1.3/charts/admin-ui/README.md Normal file
View File

@ -0,0 +1,60 @@
# admin-ui
![Version: 5.1.3](https://img.shields.io/badge/Version-5.1.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.3](https://img.shields.io/badge/AppVersion-5.1.3-informational?style=flat-square)
Admin GUI. Requires license.
**Homepage:** <https://docs.gluu.org>
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| Mohammad Abudayyeh | <team@gluu.org> | <https://github.com/moabu> |
## Source Code
* <https://github.com/GluuFederation/docker-gluu-admin-ui>
* <https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/admin-ui>
## Requirements
Kubernetes: `>=v1.21.0-0`
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken |
| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} |
| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh |
| dnsConfig | object | `{}` | Add custom dns config |
| dnsPolicy | string | `""` | Add custom dns policy |
| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler |
| hpa.behavior | object | `{}` | Scaling Policies |
| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set |
| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
| image.pullSecrets | list | `[]` | Image Pull Secrets |
| image.repository | string | `"gluufederation/admin-ui"` | Image to use for deploying. |
| image.tag | string | `"5.1.3-1"` | Image tag to use for deploying. |
| lifecycle | object | `{}` | |
| livenessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the liveness healthcheck for the admin ui if needed. |
| readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the readiness healthcheck for the admin ui if needed. |
| replicas | int | `1` | Service replica number. |
| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. |
| resources.limits.cpu | string | `"2500m"` | CPU limit. |
| resources.limits.memory | string | `"2500Mi"` | Memory limit. |
| resources.requests.cpu | string | `"2500m"` | CPU request. |
| resources.requests.memory | string | `"2500Mi"` | Memory request. |
| service.name | string | `"http-admin-ui"` | The name of the admin ui port within the admin service. Please keep it as default. |
| service.port | int | `8080` | Port of the admin ui service. Please keep it as default. |
| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP |
| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP |
| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service |
| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 |
| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 |
| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
| volumes | list | `[]` | |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)

98
charts/gluu/gluu/5.1.3/charts/admin-ui/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,98 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "admin-ui.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "admin-ui.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "admin-ui.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "admin-ui.labels" -}}
app: {{ .Release.Name }}-{{ include "admin-ui.name" . }}
helm.sh/chart: {{ include "admin-ui.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Create user custom defined envs
*/}}
{{- define "admin-ui.usr-envs"}}
{{- range $key, $val := .Values.usrEnvs.normal }}
- name: {{ $key }}
value: {{ $val | quote }}
{{- end }}
{{- end }}
{{/*
Create user custom defined secret envs
*/}}
{{- define "admin-ui.usr-secret-envs"}}
{{- range $key, $val := .Values.usrEnvs.secret }}
- name: {{ $key }}
valueFrom:
secretKeyRef:
name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs
key: {{ $key | quote }}
{{- end }}
{{- end }}
{{/*
Create topologySpreadConstraints lists
*/}}
{{- define "admin-ui.topology-spread-constraints"}}
{{- range $key, $val := .Values.topologySpreadConstraints }}
- maxSkew: {{ $val.maxSkew }}
{{- if $val.minDomains }}
minDomains: {{ $val.minDomains }} # optional; beta since v1.25
{{- end}}
{{- if $val.topologyKey }}
topologyKey: {{ $val.topologyKey }}
{{- end}}
{{- if $val.whenUnsatisfiable }}
whenUnsatisfiable: {{ $val.whenUnsatisfiable }}
{{- end}}
labelSelector:
matchLabels:
app: {{ $.Release.Name }}-{{ include "admin-ui.name" $ }}
{{- if $val.matchLabelKeys }}
matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25
{{- end}}
{{- if $val.nodeAffinityPolicy }}
nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25
{{- end}}
{{- if $val.nodeTaintsPolicy }}
nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25
{{- end}}
{{- end }}
{{- end }}

27
charts/gluu/gluu/5.1.3/charts/admin-ui/templates/admin-ui-destination-rules.yaml Normal file
View File

@ -0,0 +1,27 @@
{{- if .Values.global.istio.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: {{ .Release.Name }}-admin-ui-mtls
namespace: {{ .Release.Namespace }}
labels:
APP_NAME: admin-ui
{{ include "admin-ui.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if or (.Values.additionalAnnotations) (index .Values.global "admin-ui" "customAnnotations" "destinationRule") }}
annotations:
{{- if .Values.additionalAnnotations }}
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
{{- if index .Values.global "admin-ui" "customAnnotations" "destinationRule" }}
{{ toYaml (index .Values.global "admin-ui" "customAnnotations" "destinationRule") | indent 4 }}
{{- end }}
{{- end }}
spec:
host: {{ index .Values "global" "admin-ui" "adminUiServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
{{- end }}

26
charts/gluu/gluu/5.1.3/charts/admin-ui/templates/admin-ui-pdb.yaml Normal file
View File

@ -0,0 +1,26 @@
{{ if .Values.pdb.enabled -}}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "admin-ui.fullname" . }}
labels:
APP_NAME: admin-ui
{{ include "admin-ui.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if or (.Values.additionalAnnotations) (index .Values.global "admin-ui" "customAnnotations" "podDisruptionBudget") }}
annotations:
{{- if .Values.additionalAnnotations }}
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
{{- if index .Values.global "admin-ui" "customAnnotations" "podDisruptionBudget" }}
{{ toYaml (index .Values.global "admin-ui" "customAnnotations" "podDisruptionBudget") | indent 4 }}
{{- end }}
{{- end }}
spec:
maxUnavailable: {{ .Values.pdb.maxUnavailable }}
selector:
matchLabels:
app: {{ .Release.Name }}-{{ include "admin-ui.name" . }}
{{- end }}

42
charts/gluu/gluu/5.1.3/charts/admin-ui/templates/admin-ui-virtual-services.yaml Normal file
View File

@ -0,0 +1,42 @@
{{- if and (.Values.global.istio.ingress) (index .Values "global" "admin-ui" "ingress" "adminUiEnabled") }}
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: {{ .Release.Name }}-istio-admin-ui
namespace: {{.Release.Namespace}}
labels:
APP_NAME: admin-ui
{{ include "admin-ui.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if or (.Values.additionalAnnotations) (index .Values.global "admin-ui" "customAnnotations" "virtualService") }}
annotations:
{{- if .Values.additionalAnnotations }}
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
{{- if index .Values.global "admin-ui" "customAnnotations" "virtualService" }}
{{ toYaml (index .Values.global "admin-ui" "customAnnotations" "virtualService") | indent 4 }}
{{- end }}
{{- end }}
spec:
hosts:
- {{ .Values.global.fqdn }}
{{- if .Values.global.istio.gateways }}
gateways:
{{ toYaml .Values.global.istio.gateways | indent 2 }}
{{- else }}
gateways:
- {{ .Release.Name }}-global-gtw
{{- end }}
http:
- name: "{{ .Release.Name }}-istio-cn"
match:
- uri:
prefix: "/admin"
route:
- destination:
host: {{ index .Values "global" "admin-ui" "adminUiServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local
port:
number: 8080
{{- end }}

234
charts/gluu/gluu/5.1.3/charts/admin-ui/templates/deployment.yml Normal file
View File

@ -0,0 +1,234 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "admin-ui.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
APP_NAME: admin-ui
{{ include "admin-ui.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if or (.Values.additionalAnnotations) (index .Values.global "admin-ui" "customAnnotations" "deployment") }}
annotations:
{{- if .Values.additionalAnnotations }}
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
{{- if index .Values.global "admin-ui" "customAnnotations" "deployment" }}
{{ toYaml (index .Values.global "admin-ui" "customAnnotations" "deployment") | indent 4 }}
{{- end }}
{{- end }}
spec:
replicas: {{ .Values.replicas }}
selector:
matchLabels:
app: {{ .Release.Name }}-{{ include "admin-ui.name" . }}
template:
metadata:
labels:
APP_NAME: admin-ui
app: {{ .Release.Name }}-{{ include "admin-ui.name" . }}
{{- if .Values.global.istio.ingress }}
annotations:
sidecar.istio.io/rewriteAppHTTPProbers: "true"
{{- end }}
spec:
{{- with .Values.image.pullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
dnsPolicy: {{ .Values.dnsPolicy | quote }}
{{- with .Values.dnsConfig }}
dnsConfig:
{{ toYaml . | indent 8 }}
{{- end }}
{{- if .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{- include "admin-ui.topology-spread-constraints" . | indent 8 }}
{{- end }}
serviceAccountName: {{ .Values.global.serviceAccountName }}
containers:
- name: {{ include "admin-ui.name" . }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
env:
{{- include "admin-ui.usr-envs" . | indent 12 }}
{{- include "admin-ui.usr-secret-envs" . | indent 12 }}
securityContext:
runAsUser: 1000
runAsNonRoot: true
{{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }}
command:
- /bin/sh
- -c
- |
{{- with .Values.customScripts }}
{{- toYaml . | replace "- " "" | nindent 14}}
{{- end }}
{{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }}
/usr/bin/python3 /scripts/updatelbip.py &
{{- end}}
{{- end}}
ports:
- name: {{ .Values.service.name }}
containerPort: {{ .Values.service.port }}
envFrom:
- configMapRef:
name: {{ .Release.Name }}-config-cm
{{ if .Values.global.usrEnvs.secret }}
- secretRef:
name: {{ .Release.Name }}-global-user-custom-envs
{{- end }}
{{ if .Values.global.usrEnvs.normal }}
- configMapRef:
name: {{ .Release.Name }}-global-user-custom-envs
{{- end }}
lifecycle:
{{- toYaml .Values.lifecycle | nindent 10 }}
volumeMounts:
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
- mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }}
name: aws-shared-credential-file
subPath: aws_shared_credential_file
- mountPath: {{ .Values.global.cnAwsConfigFile }}
name: aws-config-file
subPath: aws_config_file
- mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }}
name: aws-secrets-replica-regions
subPath: aws_secrets_replica_regions
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- mountPath: {{ .Values.global.cnGoogleApplicationCredentials }}
name: google-sa
subPath: google-credentials.json
{{- end }}
{{ if eq .Values.global.configSecretAdapter "vault" }}
- name: vault
mountPath: /etc/certs/vault_role_id
subPath: vault_role_id
- name: vault
mountPath: /etc/certs/vault_secret_id
subPath: vault_secret_id
{{- end }}
{{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }}
- name: {{ include "admin-ui.fullname" .}}-updatelbip
mountPath: "/scripts"
{{- end }}
{{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
{{- if not .Values.global.istio.enabled }}
- name: cb-crt
mountPath: "/etc/certs/couchbase.crt"
subPath: couchbase.crt
{{- end }}
- name: cb-pass
mountPath: {{ .Values.global.cnCouchbasePasswordFile }}
subPath: couchbase_password
{{- end }}
{{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }}
- name: sql-pass
mountPath: {{ .Values.global.cnSqlPasswordFile }}
subPath: sql_password
{{- end }}
{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }}
- name: ldap-pass
mountPath: {{ .Values.global.cnLdapPasswordFile }}
subPath: ldap_password
- name: ldap-pass
mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }}
subPath: ldap_truststore_password
{{- end }}
livenessProbe:
{{- toYaml .Values.livenessProbe | nindent 10 }}
readinessProbe:
{{- toYaml .Values.readinessProbe | nindent 10 }}
{{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }}
resources: {}
{{- else if .Values.global.cloud.testEnviroment }}
resources: {}
{{- else }}
resources:
{{- toYaml .Values.resources | nindent 10 }}
{{- end }}
{{- if not .Values.global.isFqdnRegistered }}
hostAliases:
- ip: {{ .Values.global.lbIp }}
hostnames:
- {{ .Values.global.fqdn }}
{{- end }}
volumes:
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
- name: aws-shared-credential-file
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_shared_credential_file
path: aws_shared_credential_file
- name: aws-config-file
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_config_file
path: aws_config_file
- name: aws-secrets-replica-regions
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_secrets_replica_regions
path: aws_secrets_replica_regions
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- name: google-sa
secret:
secretName: {{ .Release.Name }}-google-sa
{{- end }}
{{ if eq .Values.global.configSecretAdapter "vault" }}
- name: vault
secret:
secretName: {{ .Release.Name }}-vault
items:
- key: vault_role_id
path: vault_role_id
- key: vault_secret_id
path: vault_secret_id
{{- end }}
{{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
{{- if not .Values.global.istio.enabled }}
- name: cb-crt
secret:
secretName: {{ .Release.Name }}-cb-crt
{{- end }}
- name: cb-pass
secret:
secretName: {{ .Release.Name }}-cb-pass
items:
# we mostly need non-superuser couchbase password file here
- key: couchbase_password
path: couchbase_password
{{- end }}
{{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }}
- name: {{ include "admin-ui.fullname" . }}-updatelbip
configMap:
name: {{ .Release.Name }}-updatelbip
{{- end }}
{{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }}
- name: sql-pass
secret:
secretName: {{ .Release.Name }}-sql-pass
{{- end }}
{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }}
- name: ldap-pass
secret:
secretName: {{ .Release.Name }}-ldap-pass
items:
- key: ldap_password
path: ldap_password
- key: ldap_truststore_password
path: ldap_truststore_password
{{- end }}

42
charts/gluu/gluu/5.1.3/charts/admin-ui/templates/hpa.yaml Normal file
View File

@ -0,0 +1,42 @@
{{ if .Values.hpa.enabled -}}
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "admin-ui.fullname" . }}
labels:
APP_NAME: admin-ui
{{ include "admin-ui.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if or (.Values.additionalAnnotations) (index .Values.global "admin-ui" "customAnnotations" "horizontalPodAutoscaler") }}
annotations:
{{- if .Values.additionalAnnotations }}
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
{{- if index .Values.global "admin-ui" "customAnnotations" "horizontalPodAutoscaler" }}
{{ toYaml (index .Values.global "admin-ui" "customAnnotations" "horizontalPodAutoscaler") | indent 4 }}
{{- end }}
{{- end }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "admin-ui.fullname" . }}
minReplicas: {{ .Values.hpa.minReplicas }}
maxReplicas: {{ .Values.hpa.maxReplicas }}
{{- if .Values.hpa.targetCPUUtilizationPercentage }}
targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }}
{{- else if .Values.hpa.metrics }}
metrics:
{{- with .Values.hpa.metrics }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- if .Values.hpa.behavior }}
behavior:
{{- with .Values.hpa.behavior }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}

34
charts/gluu/gluu/5.1.3/charts/admin-ui/templates/service.yml Normal file
View File

@ -0,0 +1,34 @@
apiVersion: v1
kind: Service
metadata:
name: {{ index .Values "global" "admin-ui" "adminUiServiceName" }}
namespace: {{ .Release.Namespace }}
labels:
APP_NAME: admin-ui
{{ include "admin-ui.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if or (.Values.additionalAnnotations) (index .Values.global "admin-ui" "customAnnotations" "service") }}
annotations:
{{- if .Values.additionalAnnotations }}
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
{{- if index .Values.global "admin-ui" "customAnnotations" "service" }}
{{ toYaml (index .Values.global "admin-ui" "customAnnotations" "service") | indent 4 }}
{{- end }}
{{- end }}
spec:
{{- if .Values.global.alb.ingress }}
type: NodePort
{{- end }}
ports:
- port: {{ .Values.service.port }}
name: {{ .Values.service.name }}
selector:
app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} #admin-ui
sessionAffinity: {{ .Values.service.sessionAffinity }}
{{- with .Values.service.sessionAffinityConfig }}
sessionAffinityConfig:
{{ toYaml . | indent 4 }}
{{- end }}

26
charts/gluu/gluu/5.1.3/charts/admin-ui/templates/user-custom-secret-envs.yaml Normal file
View File

@ -0,0 +1,26 @@
{{ if .Values.usrEnvs.secret }}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
labels:
APP_NAME: admin-ui
{{ include "admin-ui.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if or (.Values.additionalAnnotations) (index .Values.global "admin-ui" "customAnnotations" "secret") }}
annotations:
{{- if .Values.additionalAnnotations }}
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
{{- if index .Values.global "admin-ui" "customAnnotations" "secret" }}
{{ toYaml (index .Values.global "admin-ui" "customAnnotations" "secret") | indent 4 }}
{{- end }}
{{- end }}
type: Opaque
data:
{{- range $key, $val := .Values.usrEnvs.secret }}
{{ $key }}: {{ $val | b64enc }}
{{- end}}
{{- end}}

92
charts/gluu/gluu/5.1.3/charts/admin-ui/values.yaml Normal file
View File

@ -0,0 +1,92 @@
# -- Admin GUI. Requires license.
# -- Configure the HorizontalPodAutoscaler
hpa:
enabled: true
minReplicas: 1
maxReplicas: 10
targetCPUUtilizationPercentage: 50
# -- metrics if targetCPUUtilizationPercentage is not set
metrics: []
# -- Scaling Policies
behavior: {}
# -- Add custom normal and secret envs to the service
usrEnvs:
# -- Add custom normal envs to the service
# variable1: value1
normal: {}
# -- Add custom secret envs to the service
# variable1: value1
secret: {}
# -- Add custom dns policy
dnsPolicy: ""
# -- Add custom dns config
dnsConfig: {}
image:
# -- Image pullPolicy to use for deploying.
pullPolicy: IfNotPresent
# -- Image to use for deploying.
repository: gluufederation/admin-ui
# -- Image tag to use for deploying.
tag: 5.1.3-1
# -- Image Pull Secrets
pullSecrets: [ ]
# -- Service replica number.
replicas: 1
# -- Resource specs.
resources:
limits:
# -- CPU limit.
cpu: 2500m
# -- Memory limit.
memory: 2500Mi
requests:
# -- CPU request.
cpu: 2500m
# -- Memory request.
memory: 2500Mi
service:
# -- The name of the admin ui port within the admin service. Please keep it as default.
name: http-admin-ui
# -- Port of the admin ui service. Please keep it as default.
port: 8080
# -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP
sessionAffinity: None
# -- the maximum session sticky time if sessionAffinity is ClientIP
sessionAffinityConfig:
clientIP:
timeoutSeconds: 10800
# -- Configure the liveness healthcheck for the admin ui if needed.
livenessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 60
timeoutSeconds: 5
periodSeconds: 25
failureThreshold: 20
# -- Configure the readiness healthcheck for the admin ui if needed.
readinessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 60
timeoutSeconds: 5
periodSeconds: 25
failureThreshold: 20
volumes: []
# -- Configure any additional volumesMounts that need to be attached to the containers
volumeMounts: []
# Actions on lifecycle events such as postStart and preStop
# Example
# lifecycle:
# postStart:
# exec:
# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"]
lifecycle: {}
# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"}
additionalLabels: { }
# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken
additionalAnnotations: { }
# -- Add custom scripts that have been mounted to run before the entrypoint.
# - /tmp/custom.sh
# - /tmp/custom2.sh
customScripts: [ ]

21
charts/gluu/gluu/5.1.3/charts/auth-server-key-rotation/.helmignore Normal file
View File

@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

18
charts/gluu/gluu/5.1.3/charts/auth-server-key-rotation/Chart.yaml Normal file
View File

@ -0,0 +1,18 @@
apiVersion: v2
appVersion: 5.1.3
description: Responsible for regenerating auth-keys per x hours
home: https://docs.gluu.org
icon: https://gluu.org/docs/gluu-server/favicon.ico
keywords:
- Auth keys Rotation
kubeVersion: '>=v1.21.0-0'
maintainers:
- email: team@gluu.org
name: Mohammad Abudayyeh
url: https://github.com/moabu
name: auth-server-key-rotation
sources:
- https://github.com/JanssenProject/docker-jans-certmanager
- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/auth-server-key-rotation
type: application
version: 1.1.3

53
charts/gluu/gluu/5.1.3/charts/auth-server-key-rotation/README.md Normal file
View File

@ -0,0 +1,53 @@
# auth-server-key-rotation
![Version: 1.1.3](https://img.shields.io/badge/Version-1.1.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.3](https://img.shields.io/badge/AppVersion-5.1.3-informational?style=flat-square)
Responsible for regenerating auth-keys per x hours
**Homepage:** <https://docs.gluu.org>
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| Mohammad Abudayyeh | <team@gluu.org> | <https://github.com/moabu> |
## Source Code
* <https://github.com/JanssenProject/docker-jans-certmanager>
* <https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/auth-server-key-rotation>
## Requirements
Kubernetes: `>=v1.21.0-0`
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken |
| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} |
| affinity | object | `{}` | |
| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. |
| dnsConfig | object | `{}` | Add custom dns config |
| dnsPolicy | string | `""` | Add custom dns policy |
| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
| image.pullSecrets | list | `[]` | Image Pull Secrets |
| image.repository | string | `"janssenproject/certmanager"` | Image to use for deploying. |
| image.tag | string | `"1.1.3-1"` | Image tag to use for deploying. |
| keysLife | int | `48` | Auth server key rotation keys life in hours |
| keysPushDelay | int | `0` | Delay (in seconds) before pushing private keys to Auth server |
| keysPushStrategy | string | `"NEWER"` | Set key selection strategy after pushing private keys to Auth server (only takes effect when keysPushDelay value is greater than 0) |
| keysStrategy | string | `"NEWER"` | Set key selection strategy used by Auth server |
| lifecycle | object | `{}` | |
| nodeSelector | object | `{}` | |
| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. |
| tolerations | list | `[]` | |
| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service |
| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 |
| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 |
| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)

68
charts/gluu/gluu/5.1.3/charts/auth-server-key-rotation/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,68 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "auth-server-key-rotation.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "auth-server-key-rotation.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "auth-server-key-rotation.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "auth-server-key-rotation.labels" -}}
app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }}
helm.sh/chart: {{ include "auth-server-key-rotation.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Create user custom defined envs
*/}}
{{- define "auth-server-key-rotation.usr-envs"}}
{{- range $key, $val := .Values.usrEnvs.normal }}
- name: {{ $key }}
value: {{ $val | quote }}
{{- end }}
{{- end }}
{{/*
Create user custom defined secret envs
*/}}
{{- define "auth-server-key-rotation.usr-secret-envs"}}
{{- range $key, $val := .Values.usrEnvs.secret }}
- name: {{ $key }}
valueFrom:
secretKeyRef:
name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs
key: {{ $key | quote }}
{{- end }}
{{- end }}

195
charts/gluu/gluu/5.1.3/charts/auth-server-key-rotation/templates/cronjobs.yaml Normal file
View File

@ -0,0 +1,195 @@
kind: CronJob
apiVersion: batch/v1
metadata:
name: {{ include "auth-server-key-rotation.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
APP_NAME: auth-server-key-rotation
release: {{ .Release.Name }}
{{ include "auth-server-key-rotation.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if or (.Values.additionalAnnotations) (index .Values.global "auth-server-key-rotation" "customAnnotations" "cronjob") }}
annotations:
{{- if .Values.additionalAnnotations }}
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
{{- if index .Values.global "auth-server-key-rotation" "customAnnotations" "cronjob" }}
{{ toYaml (index .Values.global "auth-server-key-rotation" "customAnnotations" "cronjob") | indent 4 }}
{{- end }}
{{- end }}
spec:
schedule: "@every {{ .Values.keysLife }}h"
concurrencyPolicy: Forbid
jobTemplate:
spec:
template:
metadata:
annotations:
sidecar.istio.io/inject: "false"
spec:
{{- with .Values.image.pullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
dnsPolicy: {{ .Values.dnsPolicy | quote }}
{{- with .Values.dnsConfig }}
dnsConfig:
{{ toYaml . | indent 12 }}
{{- end }}
serviceAccountName: {{ .Values.global.serviceAccountName }}
containers:
- name: {{ include "auth-server-key-rotation.name" . }}
{{- if .Values.customScripts }}
command:
- /bin/sh
- -c
- |
{{- with .Values.customScripts }}
{{- toYaml . | replace "- " "" | nindent 20}}
{{- end }}
/app/scripts/entrypoint.sh
{{- end}}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
env:
{{- include "auth-server-key-rotation.usr-envs" . | indent 16 }}
{{- include "auth-server-key-rotation.usr-secret-envs" . | indent 16 }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
lifecycle:
{{- toYaml .Values.lifecycle | nindent 16 }}
volumeMounts:
{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
- mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }}
name: aws-shared-credential-file
subPath: aws_shared_credential_file
- mountPath: {{ .Values.global.cnAwsConfigFile }}
name: aws-config-file
subPath: aws_config_file
- mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }}
name: aws-secrets-replica-regions
subPath: aws_secrets_replica_regions
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- mountPath: {{ .Values.global.cnGoogleApplicationCredentials }}
name: google-sa
subPath: google-credentials.json
{{- end }}
{{ if eq .Values.global.configSecretAdapter "vault" }}
- name: vault
mountPath: /etc/certs/vault_role_id
subPath: vault_role_id
- name: vault
mountPath: /etc/certs/vault_secret_id
subPath: vault_secret_id
{{- end }}
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 16 }}
{{- end }}
{{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
{{- if not .Values.global.istio.enabled }}
- name: cb-crt
mountPath: "/etc/certs/couchbase.crt"
subPath: couchbase.crt
{{- end }}
- name: cb-pass
mountPath: {{ .Values.global.cnCouchbasePasswordFile }}
subPath: couchbase_password
{{- end }}
{{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }}
- name: sql-pass
mountPath: {{ .Values.global.cnSqlPasswordFile }}
subPath: sql_password
{{- end }}
{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }}
- name: ldap-pass
mountPath: {{ .Values.global.cnLdapPasswordFile }}
subPath: ldap_password
{{- end }}
envFrom:
- configMapRef:
name: {{ .Release.Name }}-config-cm
{{ if .Values.global.usrEnvs.secret }}
- secretRef:
name: {{ .Release.Name }}-global-user-custom-envs
{{- end }}
{{ if .Values.global.usrEnvs.normal }}
- configMapRef:
name: {{ .Release.Name }}-global-user-custom-envs
{{- end }}
{{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }}
resources: {}
{{- else if .Values.global.cloud.testEnviroment }}
resources: {}
{{- else }}
resources:
{{- toYaml .Values.resources | nindent 16 }}
{{- end }}
args: ["patch", "auth", "--opts", "interval:{{ .Values.keysLife }}", "--opts", "key-strategy:{{ .Values.keysStrategy }}", "--opts", "privkey-push-delay:{{ .Values.keysPushDelay }}", "--opts", "privkey-push-strategy:{{ .Values.keysPushStrategy }}"]
volumes:
{{- with .Values.volumes }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
- name: aws-shared-credential-file
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_shared_credential_file
path: aws_shared_credential_file
- name: aws-config-file
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_config_file
path: aws_config_file
- name: aws-secrets-replica-regions
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_secrets_replica_regions
path: aws_secrets_replica_regions
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- name: google-sa
secret:
secretName: {{ .Release.Name }}-google-sa
{{- end }}
{{ if eq .Values.global.configSecretAdapter "vault" }}
- name: vault
secret:
secretName: {{ .Release.Name }}-vault
items:
- key: vault_role_id
path: vault_role_id
- key: vault_secret_id
path: vault_secret_id
{{- end }}
{{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
{{- if not .Values.global.istio.enabled }}
- name: cb-crt
secret:
secretName: {{ .Release.Name }}-cb-crt
{{- end }}
- name: cb-pass
secret:
secretName: {{ .Release.Name }}-cb-pass
items:
# we mostly need non-superuser couchbase password file here
- key: couchbase_password
path: couchbase_password
{{- end }}
{{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }}
- name: sql-pass
secret:
secretName: {{ .Release.Name }}-sql-pass
{{- end }}
{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }}
- name: ldap-pass
secret:
secretName: {{ .Release.Name }}-ldap-pass
items:
- key: ldap_password
path: ldap_password
{{- end }}
restartPolicy: Never

30
charts/gluu/gluu/5.1.3/charts/auth-server-key-rotation/templates/service.yaml Normal file
View File

@ -0,0 +1,30 @@
{{- if .Values.global.istio.enabled }}
# License terms and conditions:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: v1
kind: Service
metadata:
name: {{ include "auth-server-key-rotation.fullname" . }}
labels:
{{ include "auth-server-key-rotation.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if or (.Values.additionalAnnotations) (index .Values.global "auth-server-key-rotation" "customAnnotations" "service") }}
annotations:
{{- if .Values.additionalAnnotations }}
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
{{- if index .Values.global "auth-server-key-rotation" "customAnnotations" "service" }}
{{ toYaml (index .Values.global "auth-server-key-rotation" "customAnnotations" "service") | indent 4 }}
{{- end }}
{{- end }}
spec:
ports:
- name: http
port: 80
targetPort: 8080
selector:
app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }}
type: ClusterIP
{{- end }}

25
charts/gluu/gluu/5.1.3/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml Normal file
View File

@ -0,0 +1,25 @@
{{ if .Values.usrEnvs.secret }}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
labels:
{{ include "auth-server-key-rotation.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if or (.Values.additionalAnnotations) (index .Values.global "auth-server-key-rotation" "customAnnotations" "secret") }}
annotations:
{{- if .Values.additionalAnnotations }}
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
{{- if index .Values.global "auth-server-key-rotation" "customAnnotations" "secret" }}
{{ toYaml (index .Values.global "auth-server-key-rotation" "customAnnotations" "secret") | indent 4 }}
{{- end }}
{{- end }}
type: Opaque
data:
{{- range $key, $val := .Values.usrEnvs.secret }}
{{ $key }}: {{ $val | b64enc }}
{{- end}}
{{- end}}

Some files were not shown because too many files have changed in this diff Show More