andata
/
rancher-partner-charts
mirror of https://git.rancher.io/partner-charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Added chart versions: 

airlock/microgateway:
    - 4.4.0
  airlock/microgateway-cni:
    - 4.4.0
  buoyant/linkerd-control-plane:
    - 2024.10.4
  buoyant/linkerd-crds:
    - 2024.10.4
  dynatrace/dynatrace-operator:
    - 1.3.2
  f5/f5-bigip-ctlr:
    - 0.0.33
  percona/pxc-db:
    - 1.15.1
  percona/pxc-operator:
    - 1.15.1
pull/1085/head
github-actions[bot] 2024-10-25 00:41:45 +00:00
parent 7d3fdd0efb
commit b51aa4ed4e
254 changed files with 60611 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
assets/airlock/microgateway-4.4.0.tgz Normal file
View File

Binary file not shown.

BIN
assets/airlock/microgateway-cni-4.4.0.tgz Normal file
View File

Binary file not shown.

BIN
assets/buoyant/linkerd-control-plane-2024.10.3.tgz
View File

Binary file not shown.

BIN
assets/buoyant/linkerd-control-plane-2024.10.4.tgz Normal file
View File

Binary file not shown.

BIN
assets/buoyant/linkerd-crds-2024.10.4.tgz Normal file
View File

Binary file not shown.

BIN
assets/dynatrace/dynatrace-operator-1.3.2.tgz Normal file
View File

Binary file not shown.

BIN
assets/f5/f5-bigip-ctlr-0.0.3301.tgz Normal file
View File

Binary file not shown.

BIN
assets/percona/pxc-db-1.15.1.tgz Normal file
View File

Binary file not shown.

BIN
assets/percona/pxc-operator-1.15.1.tgz Normal file
View File

Binary file not shown.

27
charts/airlock/microgateway-cni/4.4.0/.helmignore Normal file
View File

@ -0,0 +1,27 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
# Helm unit tests
/tests
/validation

43
charts/airlock/microgateway-cni/4.4.0/Chart.yaml Normal file
View File

@ -0,0 +1,43 @@
annotations:
artifacthub.io/category: security
artifacthub.io/license: MIT
artifacthub.io/links: |
- name: Airlock Microgateway Documentation
url: https://docs.airlock.com/microgateway/4.4/
- name: Airlock Microgateway Labs
url: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=artifacthub.io
- name: Airlock Microgateway Forum
url: https://forum.airlock.com/
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Airlock Microgateway CNI
catalog.cattle.io/kube-version: '>=1.25.0-0'
catalog.cattle.io/release-name: microgateway-cni
charts.openshift.io/name: Airlock Microgateway CNI
apiVersion: v2
appVersion: 4.4.0
description: A Helm chart for deploying the Airlock Microgateway CNI plugin
home: https://www.airlock.com/en/microgateway
icon: file://assets/icons/microgateway-cni.svg
keywords:
- WAF
- Web Application Firewall
- WAAP
- Web Application and API protection
- OWASP
- Airlock
- Microgateway
- Security
- Filtering
- DevSecOps
- shift left
- CNI
kubeVersion: '>=1.25.0-0'
maintainers:
- email: support@airlock.com
name: Airlock
url: https://www.airlock.com/
name: microgateway-cni
sources:
- https://github.com/airlock/microgateway
type: application
version: 4.4.0

137
charts/airlock/microgateway-cni/4.4.0/README.md Normal file
View File

@ -0,0 +1,137 @@
# Airlock Microgateway CNI
![Version: 4.4.0](https://img.shields.io/badge/Version-4.4.0-informational?style=flat-square) ![AppVersion: 4.4.0](https://img.shields.io/badge/AppVersion-4.4.0-informational?style=flat-square)
*Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.*
<picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight_Negative.svg">
<source media="(prefers-color-scheme: light)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight.svg">
<img alt="Microgateway" src="https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight.svg" align="right" width="250">
</picture>
Modern application security is embedded in the development workflow and follows DevSecOps paradigms. Airlock Microgateway is the perfect fit for these requirements. It is a lightweight alternative to the Airlock Gateway appliance, optimized for Kubernetes environments. Airlock Microgateway protects your applications and microservices with the tried-and-tested Airlock security features against attacks, while also providing a high degree of scalability.
__This Helm chart is part of Airlock Microgateway. See our [GitHub repo](https://github.com/airlock/microgateway/tree/4.4.0).__
### Features
* Kubernetes native integration with sidecar injection and Gateway API support
* Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction
* Using native Envoy HTTP filters like Lua scripting, RBAC, ext_authz, JWT authentication
* Content security filters for protecting against known attacks (OWASP Top 10)
* Access control using OpenID Connect to allow only authenticated users to access the protected services
* API security features like JSON parsing, OpenAPI specification enforcement or GraphQL schema validation
For a list of all features, view the **[comparison of the community and premium edition](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html)**.
## Documentation and links
Check the official documentation at **[docs.airlock.com](https://docs.airlock.com/microgateway/latest/)** or the product website at **[airlock.com/microgateway](https://www.airlock.com/en/microgateway)**. The links below point out the most interesting documentation sites when starting with Airlock Microgateway.
* [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html)
* [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html)
* [Installation](https://docs.airlock.com/microgateway/latest/#data/1660804708637.html)
* [Troubleshooting](https://docs.airlock.com/microgateway/latest/#data/1659430054787.html)
* [GitHub](https://github.com/airlock/microgateway)
# Quick start guide
The instructions below provide a quick start guide. Detailed information are provided in the **[manual](https://docs.airlock.com/microgateway/latest/)**.
## Prerequisites
* [helm](https://helm.sh/docs/intro/install/) (>= v3.8.0)
## Deploy Airlock Microgateway CNI
1. Install the CNI Plugin with Helm.
> **Note**: Certain environments such as OpenShift or GKE require non-default configurations when installing the CNI plugin. For the most common setups, values files are provided in the [chart folder](/deploy/charts/airlock-microgateway-cni).
```bash
# Standard setup
helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.4.0'
kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
```
```bash
# GKE setup
helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.4.0' -f https://raw.githubusercontent.com/airlock/microgateway/4.4.0/deploy/charts/airlock-microgateway-cni/gke-values.yaml
kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
```
```bash
# OpenShift setup
helm install airlock-microgateway-cni -n openshift-operators oci://quay.io/airlockcharts/microgateway-cni --version '4.4.0' -f https://raw.githubusercontent.com/airlock/microgateway/4.4.0/deploy/charts/airlock-microgateway-cni/openshift-values.yaml
kubectl -n openshift-operators rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
```
> **Important:** On OpenShift, all pods which should be protected by Airlock Microgateway must explicitly reference the Airlock Microgateway CNI NetworkAttachmentDefinition via the annotation `k8s.v1.cni.cncf.io/networks` (see [documentation](https://docs.airlock.com/microgateway/latest/#data/1658483168033.html) for details).
2. (Recommended) You can verify the correctness of the installation with `helm test`.
```bash
# Standard and GKE setup
helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.0'
helm test airlock-microgateway-cni -n kube-system --logs
helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.0'
```
```bash
# OpenShift setup
helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.0'
helm test airlock-microgateway-cni -n openshift-operators --logs
helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.0'
```
Consult our [documentation](https://docs.airlock.com/microgateway/latest/#data/1699611533587.html) in case of any installation error.
## Support
### Premium support
If you have a paid license, please follow the [premium support process](https://techzone.ergon.ch/support-process).
### Community support
For the community edition, check our **[Airlock community forum](https://forum.airlock.com/)** for FAQs or register to post your question.
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes. |
| commonAnnotations | object | `{}` | Annotations to add to all resources. |
| commonLabels | object | `{}` | Labels to add to all resources. |
| config.cniBinDir | string | `"/opt/cni/bin"` | Directory where the CNI plugin binaries reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your Kubernetes node. |
| config.cniNetDir | string | `"/etc/cni/net.d"` | Directory where the CNI config files reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your Kubernetes node. |
| config.excludeNamespaces | list | `["kube-system"]` | Namespaces for which this CNI plugin should not apply any modifications. |
| config.installMode | string | `"chained"` | Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers), as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. |
| config.logLevel | string | `"info"` | Log level for the CNI installer and plugin. |
| fullnameOverride | string | `""` | Allows overriding the name to use as full name of resources. |
| image.digest | string | `"sha256:e9d711dfe75d515ad8bc5ba5e668e7a26c063bd6a291305aac458c2cbd3945f2"` | SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). Overrides tag when specified. |
| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. |
| image.repository | string | `"quay.io/airlock/microgateway-cni"` | Image repository from which to pull the Airlock Microgateway CNI image. |
| image.tag | string | `"4.4.0"` | Image tag to pull. |
| imagePullSecrets | list | `[]` | ImagePullSecrets to use when pulling images. |
| multusNetworkAttachmentDefinition.create | bool | `false` | Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods. |
| multusNetworkAttachmentDefinition.namespace | string | `"default"` | Namespace in which the NetworkAttachmentDefinition is deployed. Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation |
| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway-cni". |
| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes. |
| podAnnotations | object | `{}` | Annotations to add to all Pods. |
| podLabels | object | `{}` | Labels to add to all Pods. |
| privileged | bool | `false` | Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift). |
| rbac.create | bool | `true` | Whether to create RBAC resources which are required for the CNI plugin to function. |
| rbac.createSCCRole | OpenShift | `false` | Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint. |
| resources | object | `{"requests":{"cpu":"10m","memory":"100Mi"}}` | Resource restrictions to apply to the CNI installer container. |
| serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. |
| serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. |
| serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. |
| tests.enabled | bool | `false` | Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). If set to false, `helm test` will not run any tests. |
## License
View the [detailed license terms](https://www.airlock.com/en/airlock-license) for the software contained in this image.
* Decompiling or reverse engineering is not permitted.
* Using any of the deny rules or parts of these filter patterns outside of the image is not permitted.
Airlock<sup>&#174;</sup> is a security innovation by [ergon](https://www.ergon.ch/en)
<!-- Airlock SAH Logo (different image for light/dark mode) -->
<a href="https://www.airlock.com/en/secure-access-hub/">
<picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo_Negative.png">
<source media="(prefers-color-scheme: light)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo.png">
<img alt="Airlock Secure Access Hub" src="https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo.png" width="150">
</picture>
</a>

4
charts/airlock/microgateway-cni/4.4.0/gke-values.yaml Normal file
View File

@ -0,0 +1,4 @@
# values for deploying on GKE
config:
cniBinDir: "/home/kubernetes/bin"

15
charts/airlock/microgateway-cni/4.4.0/openshift-values.yaml Normal file
View File

@ -0,0 +1,15 @@
# values for deploying on OpenShift
rbac:
createSCCRole: true
privileged: true
multusNetworkAttachmentDefinition:
create: true
namespace: default
config:
installMode: "standalone"
cniNetDir: "/etc/cni/multus/net.d"
cniBinDir: "/var/lib/cni/bin"

18
charts/airlock/microgateway-cni/4.4.0/questions.yml Normal file
View File

@ -0,0 +1,18 @@
questions:
- variable: config.cniNetDir
required: true
type: string
label: CNI Network Configuration Directory
group: "CNI Settings"
description: "Directory where the CNI config files reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your kubernetes host."
- variable: config.cniBinDir
required: true
type: string
label: CNI Plugin Binaries Directory
group: "CNI Settings"
description: "Directory where the CNI plugin binaries reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your kubernetes host."
- variable: config.installMode
required: true
label: CNI Plugin Installation Mode
group: "CNI Settings"
description: "Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers) as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. Please refer to the CNI installation documentation (https://github.com/airlock/microgateway?tab=readme-ov-file#deploy-airlock-microgateway-cni) to correctly setup the CNI Plugin for your environment."

15
charts/airlock/microgateway-cni/4.4.0/templates/NOTES.txt Normal file
View File

@ -0,0 +1,15 @@
Thank you for installing Airlock Microgateway CNI.
Please ensure that the helm values'.config.cniNetDir' and '.config.cniBinDir' are configured for your Kubernetes distribution.
For further information, consider our manual https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" . }}.
The chapter 'Setup > Installation' describes how to set those settings correctly.
Further information:
* Documentation: https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" . }}
* Airlock Microgateway Labs: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=helm
Next steps:
* Install Airlock Microgateway (if not done already)
https://artifacthub.io/packages/helm/airlock-microgateway/microgateway
Your release version is {{ .Chart.Version }}.

101
charts/airlock/microgateway-cni/4.4.0/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,101 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "airlock-microgateway-cni.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Convert an image configuration object into an image ref string.
*/}}
{{- define "airlock-microgateway-cni.image" -}}
{{- if .digest -}}
{{- printf "%s@%s" .repository .digest -}}
{{- else if .tag -}}
{{- printf "%s:%s" .repository .tag -}}
{{- else -}}
{{- printf "%s" .repository -}}
{{- end -}}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 50 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec)
and the longest suffix is 13 characters.
If release name contains chart name it will be used as a full name.
*/}}
{{- define "airlock-microgateway-cni.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 50 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 50 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 50 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "airlock-microgateway-cni.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "airlock-microgateway-cni.labels" -}}
helm.sh/chart: {{ include "airlock-microgateway-cni.chart" . }}
{{ include "airlock-microgateway-cni.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.commonLabels }}
{{ toYaml .}}
{{- end }}
{{- end }}
{{/*
Common labels without component
*/}}
{{- define "airlock-microgateway-cni.labelsWithoutComponent" -}}
{{- $labels := fromYaml (include "airlock-microgateway-cni.labels" .) -}}
{{ unset $labels "app.kubernetes.io/component" | toYaml }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "airlock-microgateway-cni.selectorLabels" -}}
app.kubernetes.io/component: cni-plugin-installer
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/name: {{ include "airlock-microgateway-cni.name" . }}
{{- end }}
{{/*
Create the name of the service account to use for the CNI Plugin
*/}}
{{- define "airlock-microgateway-cni.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "airlock-microgateway-cni.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{- define "airlock-microgateway-cni.isSemver" -}}
{{- regexMatch `^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$` . -}}
{{- end -}}
{{- define "airlock-microgateway-cni.docsVersion" -}}
{{- if and (eq "true" (include "airlock-microgateway-cni.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}}
{{- $version := (semver .Chart.AppVersion) -}}
{{- $version.Major }}.{{ $version.Minor -}}
{{- else -}}
{{- print "latest" -}}
{{- end -}}
{{- end -}}

22
charts/airlock/microgateway-cni/4.4.0/templates/clusterrole.yaml Normal file
View File

@ -0,0 +1,22 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- patch
{{- end -}}

20
charts/airlock/microgateway-cni/4.4.0/templates/clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,20 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "airlock-microgateway-cni.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end -}}

22
charts/airlock/microgateway-cni/4.4.0/templates/configmap.yaml Normal file
View File

@ -0,0 +1,22 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
data:
plugin-conf.json: |-
{
"type": "{{ include "airlock-microgateway-cni.fullname" . }}",
"debug": {{ eq .Values.config.logLevel "debug" }},
"logFilePath": "/var/log/{{ include "airlock-microgateway-cni.fullname" . }}.log",
"kubernetes": {
"kubeconfig": "{{ .Values.config.cniNetDir }}/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig",
"excludeNamespaces": {{ toJson .Values.config.excludeNamespaces }}
}
}

136
charts/airlock/microgateway-cni/4.4.0/templates/daemonset.yaml Normal file
View File

@ -0,0 +1,136 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "airlock-microgateway-cni.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
kubectl.kubernetes.io/default-container: cni-installer
{{- with mustMerge .Values.podAnnotations .Values.commonAnnotations}}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- args:
- --log-level
- "{{ .Values.config.logLevel }}"
env:
- name: CNI_NETWORK_CONFIG
valueFrom:
configMapKeyRef:
key: plugin-conf.json
name: {{ include "airlock-microgateway-cni.fullname" . }}
- name: CNI_BIN_DIR
value: /host/opt/cni/bin
- name: CNI_NET_DIR
value: /host/etc/cni/net.d
- name: KUBECONFIG_FILE_NAME
value: "{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig"
- name: INSTALL_MODE
value: {{ .Values.config.installMode }}
- name: KUBERNETES_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
image: {{ include "airlock-microgateway-cni.image" .Values.image }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
name: cni-installer
{{- with .Values.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
startupProbe:
exec:
command:
- /cni-installer
- probe
failureThreshold: 5
initialDelaySeconds: 3
periodSeconds: 3
timeoutSeconds: 3
readinessProbe:
exec:
command:
- /cni-installer
- probe
failureThreshold: 1
periodSeconds: 60
timeoutSeconds: 3
securityContext:
allowPrivilegeEscalation: {{ .Values.privileged }}
capabilities:
drop:
- ALL
privileged: {{ .Values.privileged }}
readOnlyRootFilesystem: true
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /host/opt/cni/bin
name: cni-bin-dir
- mountPath: /host/etc/cni/net.d
name: cni-net-dir
- mountPath: /run/cni-installer
name: cni-installer-status
hostNetwork: true
priorityClassName: system-node-critical
restartPolicy: Always
securityContext:
fsGroup: 0
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
serviceAccountName: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
terminationGracePeriodSeconds: 5
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
tolerations:
- effect: NoSchedule
operator: Exists
- key: CriticalAddonsOnly
operator: Exists
- effect: NoExecute
operator: Exists
volumes:
- hostPath:
path: "{{ .Values.config.cniBinDir }}"
type: Directory
name: cni-bin-dir
- hostPath:
path: "{{ .Values.config.cniNetDir }}"
type: Directory
name: cni-net-dir
- emptyDir: {}
name: cni-installer-status

13
charts/airlock/microgateway-cni/4.4.0/templates/network-attachment-definition.yaml Normal file
View File

@ -0,0 +1,13 @@
{{- if .Values.multusNetworkAttachmentDefinition.create -}}
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
namespace: {{ .Values.multusNetworkAttachmentDefinition.namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}

22
charts/airlock/microgateway-cni/4.4.0/templates/scc-role.yaml Normal file
View File

@ -0,0 +1,22 @@
{{- if .Values.rbac.createSCCRole -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- security.openshift.io
resourceNames:
- privileged
resources:
- securitycontextconstraints
verbs:
- use
{{- end -}}

20
charts/airlock/microgateway-cni/4.4.0/templates/scc-rolebinding.yaml Normal file
View File

@ -0,0 +1,20 @@
{{- if .Values.rbac.createSCCRole -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged
subjects:
- kind: ServiceAccount
name: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
{{- end -}}

13
charts/airlock/microgateway-cni/4.4.0/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,13 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with mustMerge .Values.serviceAccount.annotations .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}

64
charts/airlock/microgateway-cni/4.4.0/templates/tests/rbac.yaml Normal file
View File

@ -0,0 +1,64 @@
{{- if .Values.tests.enabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }}
app.kubernetes.io/component: tests
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }}
app.kubernetes.io/component: tests
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
subjects:
- kind: ServiceAccount
name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }}
app.kubernetes.io/component: tests
rules:
- apiGroups:
- "apps"
resources:
- daemonsets
resourceNames:
- {{ include "airlock-microgateway-cni.fullname" . }}
verbs:
- get
- watch
- list
- apiGroups:
- ""
resources:
- pods
- pods/log
verbs:
- get
- list
{{- if .Values.rbac.createSCCRole }}
- apiGroups:
- security.openshift.io
resourceNames:
- privileged
resources:
- securitycontextconstraints
verbs:
- use
{{- end -}}
{{- end -}}

103
charts/airlock/microgateway-cni/4.4.0/templates/tests/test-install.yaml Normal file
View File

@ -0,0 +1,103 @@
{{- if .Values.tests.enabled -}}
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "airlock-microgateway-cni.fullname" . }}-test-install"
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }}
app.kubernetes.io/component: test-install
annotations:
helm.sh/hook: test
helm.sh/hook-delete-policy: before-hook-creation
spec:
restartPolicy: Never
containers:
- name: test
image: "bitnami/kubectl:{{ .Capabilities.KubeVersion.Major }}.{{ .Capabilities.KubeVersion.Minor }}"
securityContext:
allowPrivilegeEscalation: {{ .Values.privileged }}
capabilities:
drop:
- ALL
privileged: {{ .Values.privileged }}
readOnlyRootFilesystem: true
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /host/opt/cni/bin
name: cni-bin-dir
readOnly: true
- mountPath: /host/etc/cni/net.d
name: cni-net-dir
readOnly: true
command:
- sh
- -c
- |
set -eu
fail() {
echo "Error: ${1}"
echo ""
echo 'CNI installer logs:'
kubectl logs -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}} -c cni-installer
exit 1
}
containsMGWCNIConf() {
cat "${1}" | grep -qe '"type":.*"{{ include "airlock-microgateway-cni.fullname" . }}"'
}
if ! kubectl rollout status --timeout=60s -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}}; then
fail 'CNI DaemonSet rollout did not complete within timeout'
fi
echo "Checking whether CNI binary was installed"
if ! [ -f "/host/opt/cni/bin/{{ include "airlock-microgateway-cni.fullname" . }}" ]; then
fail 'CNI binary was not installed'
fi
echo "Checking whether CNI kubeconfig was installed"
if ! [ -f "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig" ]; then
fail 'CNI kubeconfig was not created'
fi
echo "Checking whether CNI configuration was written"
case {{ .Values.config.installMode }} in
"chained")
for file in "/host/etc/cni/net.d/"*.conflist; do
if containsMGWCNIConf "${file}"; then
echo "Success"
exit 0
fi
done
;;
"standalone")
if containsMGWCNIConf "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . }}.conflist"; then
echo "Success"
exit 0
fi
;;
"manual")
echo "- Skipping because we are in 'manual' install mode"
echo "Success"
exit 0
;;
esac
fail 'Configuration for plugin "{{ include "airlock-microgateway-cni.fullname" . }}" was not found'
serviceAccountName: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
volumes:
- hostPath:
path: "{{ .Values.config.cniBinDir }}"
type: Directory
name: cni-bin-dir
- hostPath:
path: "{{ .Values.config.cniNetDir }}"
type: Directory
name: cni-net-dir
{{- end -}}

225
charts/airlock/microgateway-cni/4.4.0/values.schema.json Normal file
View File

@ -0,0 +1,225 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"type": "object",
"properties": {
"nameOverride": {
"type": "string"
},
"fullnameOverride": {
"type": "string"
},
"commonLabels": {
"$ref": "#/definitions/StringMap"
},
"commonAnnotations": {
"$ref": "#/definitions/StringMap"
},
"imagePullSecrets": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"minLength": 1
}
},
"required": [
"name"
],
"additionalProperties": true
}
},
"image": {
"$ref": "#/definitions/Image"
},
"podAnnotations": {
"$ref": "#/definitions/StringMap"
},
"podLabels": {
"$ref": "#/definitions/StringMap"
},
"resources": {
"type": "object"
},
"nodeSelector": {
"$ref": "#/definitions/StringMap"
},
"affinity": {
"type": "object"
},
"rbac": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"createSCCRole": {
"type": "boolean"
}
},
"required": [
"create",
"createSCCRole"
],
"additionalProperties": false
},
"privileged": {
"type": "boolean"
},
"serviceAccount": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"annotations": {
"$ref": "#/definitions/StringMap"
},
"name": {
"type": "string"
}
},
"required": [
"annotations",
"create",
"name"
],
"additionalProperties": false
},
"multusNetworkAttachmentDefinition": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"namespace": {
"type": "string"
}
},
"required": [
"create",
"namespace"
],
"additionalProperties": false
},
"config": {
"type": "object",
"properties": {
"installMode": {
"type": "string",
"enum": [
"chained",
"standalone",
"manual"
]
},
"logLevel": {
"type": "string",
"enum": [
"debug",
"info",
"warn",
"error"
]
},
"cniNetDir": {
"type": "string",
"minLength": 1
},
"cniBinDir": {
"type": "string",
"minLength": 1
},
"excludeNamespaces": {
"type": "array",
"items": {
"type": "string"
}
}
},
"required": [
"cniBinDir",
"cniNetDir",
"excludeNamespaces",
"installMode",
"logLevel"
],
"additionalProperties": false
},
"tests": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
}
},
"required": [
"enabled"
],
"additionalProperties": false
},
"global": {
"type": "object"
}
},
"required": [
"affinity",
"commonAnnotations",
"commonLabels",
"config",
"fullnameOverride",
"image",
"imagePullSecrets",
"multusNetworkAttachmentDefinition",
"nameOverride",
"nodeSelector",
"podAnnotations",
"podLabels",
"privileged",
"rbac",
"resources",
"serviceAccount",
"tests"
],
"additionalProperties": false,
"definitions": {
"StringMap": {
"type": "object",
"additionalProperties": {
"type": "string"
}
},
"Image": {
"type": "object",
"properties": {
"repository": {
"type": "string",
"minLength": 1
},
"tag": {
"type": "string"
},
"digest": {
"type": "string",
"pattern": "^$|^sha256:[a-f0-9]{64}$"
},
"pullPolicy": {
"type": "string",
"enum": [
"Always",
"IfNotPresent",
"Never"
]
}
},
"required": [
"digest",
"pullPolicy",
"repository",
"tag"
],
"additionalProperties": false
}
}
}

85
charts/airlock/microgateway-cni/4.4.0/values.yaml Normal file
View File

@ -0,0 +1,85 @@
# -- Allows overriding the name to use instead of "microgateway-cni".
nameOverride: ""
# -- Allows overriding the name to use as full name of resources.
fullnameOverride: ""
# -- Labels to add to all resources.
commonLabels: {}
# -- Annotations to add to all resources.
commonAnnotations: {}
# -- ImagePullSecrets to use when pulling images.
imagePullSecrets: []
# - name: myRegistryKeySecretName
# Specifies the Airlock Microgateway CNI image.
image:
# -- Image repository from which to pull the Airlock Microgateway CNI image.
repository: "quay.io/airlock/microgateway-cni"
# -- Image tag to pull.
tag: "4.4.0"
# -- SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a").
# Overrides tag when specified.
digest: "sha256:e9d711dfe75d515ad8bc5ba5e668e7a26c063bd6a291305aac458c2cbd3945f2"
# -- Pull policy for this image.
pullPolicy: IfNotPresent
# -- Annotations to add to all Pods.
podAnnotations: {}
# -- Labels to add to all Pods.
podLabels: {}
# -- Resource restrictions to apply to the CNI installer container.
resources:
requests:
cpu: 10m
memory: 100Mi
# -- NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes.
nodeSelector:
kubernetes.io/os: linux
# -- Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes.
affinity: {}
# Configures the generation of RBAC Roles and RoleBindings.
rbac:
# -- Whether to create RBAC resources which are required for the CNI plugin to function.
create: true
# -- (OpenShift) Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint.
createSCCRole: false
# -- Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift).
privileged: false
# Configures the generation of the ServiceAccount.
serviceAccount:
# -- Whether a ServiceAccount should be created.
create: true
# -- Annotations to add to the ServiceAccount.
annotations: {}
# -- Name of the ServiceAccount to use.
# If not set and create is true, a name is generated using the fullname template.
name: ""
# Configures the generation of a NetworkAttachmentDefinition for use with Multus CNI (OpenShift)
multusNetworkAttachmentDefinition:
# -- Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods.
create: false
# -- Namespace in which the NetworkAttachmentDefinition is deployed.
# Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces
# may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation
namespace: default
# Parameters for the CNI installer configuration.
config:
# -- Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers),
# as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift)
# or in `manual` mode, where no CNI network configuration is written.
installMode: "chained"
# -- Log level for the CNI installer and plugin.
logLevel: info
# -- Directory where the CNI config files reside on the host.
# This path can either be found in the documentation of your Kubernetes distribution or CNI provider.
# It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your Kubernetes node.
cniNetDir: "/etc/cni/net.d"
# -- Directory where the CNI plugin binaries reside on the host.
# This path can either be found in the documentation of your Kubernetes distribution or CNI provider.
# It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your Kubernetes node.
cniBinDir: "/opt/cni/bin"
# -- Namespaces for which this CNI plugin should not apply any modifications.
excludeNamespaces:
- kube-system
tests:
# -- Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts).
# If set to false, `helm test` will not run any tests.
enabled: false

28
charts/airlock/microgateway/4.4.0/.helmignore Normal file
View File

@ -0,0 +1,28 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
# CRDs kustomization.yaml
/crds/kustomization.yaml
# Helm unit tests
/tests
/validation

44
charts/airlock/microgateway/4.4.0/Chart.yaml Normal file
View File

@ -0,0 +1,44 @@
annotations:
artifacthub.io/category: security
artifacthub.io/license: MIT
artifacthub.io/links: |
- name: Airlock Microgateway Documentation
url: https://docs.airlock.com/microgateway/4.4/
- name: Airlock Microgateway Labs
url: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=artifacthub.io
- name: Airlock Microgateway Forum
url: https://forum.airlock.com/
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Airlock Microgateway
catalog.cattle.io/kube-version: '>=1.25.0-0'
catalog.cattle.io/release-name: microgateway
charts.openshift.io/name: Airlock Microgateway
apiVersion: v2
appVersion: 4.4.0
description: A Helm chart for deploying the Airlock Microgateway
home: https://www.airlock.com/en/microgateway
icon: file://assets/icons/microgateway.svg
keywords:
- WAF
- Web Application Firewall
- WAAP
- Web Application and API protection
- OWASP
- Airlock
- Microgateway
- Security
- Filtering
- DevSecOps
- shift left
- control plane
- Operator
kubeVersion: '>=1.25.0-0'
maintainers:
- email: support@airlock.com
name: Airlock
url: https://www.airlock.com/
name: microgateway
sources:
- https://github.com/airlock/microgateway
type: application
version: 4.4.0

186
charts/airlock/microgateway/4.4.0/README.md Normal file
View File

@ -0,0 +1,186 @@
# Airlock Microgateway
![Version: 4.4.0](https://img.shields.io/badge/Version-4.4.0-informational?style=flat-square) ![AppVersion: 4.4.0](https://img.shields.io/badge/AppVersion-4.4.0-informational?style=flat-square)
*Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.*
<picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight_Negative.svg">
<source media="(prefers-color-scheme: light)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight.svg">
<img alt="Microgateway" src="https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight.svg" align="right" width="250">
</picture>
Modern application security is embedded in the development workflow and follows DevSecOps paradigms. Airlock Microgateway is the perfect fit for these requirements. It is a lightweight alternative to the Airlock Gateway appliance, optimized for Kubernetes environments. Airlock Microgateway protects your applications and microservices with the tried-and-tested Airlock security features against attacks, while also providing a high degree of scalability.
__This Helm chart is part of Airlock Microgateway. See our [GitHub repo](https://github.com/airlock/microgateway/tree/4.4.0).__
### Features
* Kubernetes native integration with sidecar injection and Gateway API support
* Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction
* Using native Envoy HTTP filters like Lua scripting, RBAC, ext_authz, JWT authentication
* Content security filters for protecting against known attacks (OWASP Top 10)
* Access control using OpenID Connect to allow only authenticated users to access the protected services
* API security features like JSON parsing, OpenAPI specification enforcement or GraphQL schema validation
For a list of all features, view the **[comparison of the community and premium edition](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html)**.
## Documentation and links
Check the official documentation at **[docs.airlock.com](https://docs.airlock.com/microgateway/latest/)** or the product website at **[airlock.com/microgateway](https://www.airlock.com/en/microgateway)**. The links below point out the most interesting documentation sites when starting with Airlock Microgateway.
* [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html)
* [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html)
* [Installation](https://docs.airlock.com/microgateway/latest/#data/1660804708637.html)
* [Troubleshooting](https://docs.airlock.com/microgateway/latest/#data/1659430054787.html)
* [GitHub](https://github.com/airlock/microgateway)
# Quick start guide
The instructions below provide a quick start guide. Detailed information are provided in the **[manual](https://docs.airlock.com/microgateway/latest/)**.
## Prerequisites
* (Recommended) [Airlock Microgateway CNI](https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni) (Required for [data plane mode sidecar](https://docs.airlock.com/microgateway/latest/?topic=MGW-00000137))
* [Airlock Microgateway License](#obtain-airlock-microgateway-license)
* [cert-manager](https://cert-manager.io/)
* [helm](https://helm.sh/docs/intro/install/) (>= v3.8.0)
In order to use Airlock Microgateway you need a license and the cert-manager. You may either request a community license free of charge or purchase a premium license.
For an easy start in non-production environments, you may deploy the same cert-manager we are using internally for testing.
### Obtain Airlock Microgateway License
1. Either request a community or premium license
* Community license: [airlock.com/microgateway-community](https://airlock.com/en/microgateway-community)
* Premium license: [airlock.com/microgateway-premium](https://airlock.com/en/microgateway-premium)
2. Check your inbox and save the license file microgateway-license.txt locally.
> See [Community vs. Premium editions in detail](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html) to choose the right license type.
### Deploy cert-manager
```bash
helm repo add jetstack https://charts.jetstack.io
helm install cert-manager jetstack/cert-manager --version 'v1.16.1' -n cert-manager --create-namespace --set crds.enabled=true --wait
```
## Deploy Airlock Microgateway Operator
> This guide assumes a microgateway-license.txt file is present in the working directory.
1. Install CRDs and Operator.
```bash
# Create namespace
kubectl create namespace airlock-microgateway-system
# Install License
kubectl -n airlock-microgateway-system create secret generic airlock-microgateway-license --from-file=microgateway-license.txt
# Install Operator (CRDs are included via the standard Helm 3 mechanism, i.e. Helm will handle initial installation but not upgrades)
helm install airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway --version '4.4.0' --wait
```
2. (Recommended) You can verify the correctness of the installation with `helm test`.
```bash
helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.4.0'
helm test airlock-microgateway -n airlock-microgateway-system --logs
helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.4.0'
```
### Upgrading CRDs
The `helm install/upgrade` command currently does not support upgrading CRDs that already exist in the cluster.
CRDs should instead be manually upgraded before upgrading the Operator itself via the following command:
```bash
kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=4.4.0 --server-side --force-conflicts
```
**Note**: Certain GitOps solutions such as e.g. Argo CD or Flux CD have their own mechanisms for automatically upgrading CRDs included with Helm charts.
## Support
### Premium support
If you have a paid license, please follow the [premium support process](https://techzone.ergon.ch/support-process).
### Community support
For the community edition, check our **[Airlock community forum](https://forum.airlock.com/)** for FAQs or register to post your question.
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| commonAnnotations | object | `{}` | Annotations to add to all resources. |
| commonLabels | object | `{}` | Labels to add to all resources. |
| crds.skipVersionCheck | bool | `false` | Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs. The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster when performing a "helm install/upgrade". |
| dashboards.config.grafana.dashboardLabel.name | string | `"grafana_dashboard"` | Name of the label that lets Grafana identify ConfigMaps that represent dashboards. |
| dashboards.config.grafana.dashboardLabel.value | string | `"1"` | Value of the label that lets Grafana identify ConfigMaps that represent dashboards. |
| dashboards.config.grafana.folderAnnotation.name | string | `"grafana_folder"` | Name of the annotation containing the folder name to file dashboards into. |
| dashboards.config.grafana.folderAnnotation.value | string | `"Airlock Microgateway"` | Name of the folder dashboards are filed into within the Grafana UI. |
| dashboards.create | bool | `false` | Whether to create any ConfigMaps containing Grafana dashboards to import. |
| dashboards.instances.blockLogs.create | bool | `true` | Whether to create the block logs dashboard. |
| dashboards.instances.blockMetrics.create | bool | `true` | Whether to create the block metrics dashboard. |
| dashboards.instances.headerLogs.create | bool | `true` | Whether to create the header rewrite logs dashboard. |
| dashboards.instances.license.create | bool | `true` | Whether to create the license dashboard. |
| dashboards.instances.logOnlyLogs.create | bool | `true` | Whether to create the log only logs dashboard. |
| dashboards.instances.logOnlyMetrics.create | bool | `true` | Whether to create the log only metrics dashboard |
| dashboards.instances.overview.create | bool | `true` | Whether to create the overview dashboard. |
| engine.image.digest | string | `"sha256:c29adf07e7536b72447ea694d0e19fe19235306c26d412a9abc43e4dd99b84c8"` | SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). Overrides tag when specified. |
| engine.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. |
| engine.image.repository | string | `"quay.io/airlock/microgateway-engine"` | Image repository from which to pull the Airlock Microgateway Engine image. |
| engine.image.tag | string | `"4.4.0"` | Image tag to pull. |
| engine.resources | object | `{}` | Resource restrictions to apply to the Airlock Microgateway Engine container. |
| engine.sidecar.podMonitor.create | bool | `false` | Whether to create a PodMonitor resource for monitoring. |
| engine.sidecar.podMonitor.labels | object | `{}` | Labels to add to the PodMonitor. |
| fullnameOverride | string | `""` | Allows overriding the name to use as full name of resources. |
| imagePullSecrets | list | `[]` | ImagePullSecrets to use when pulling images. |
| license.secretName | string | `"airlock-microgateway-license"` | Name of the secret containing the "microgateway-license.txt" key. |
| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway". |
| networkValidator.image.digest | string | `"sha256:05585644690678ae6453ab12e3a5f899e7be5ab70f56c6bf1c4484d3b53587d2"` | SHA256 image digest to pull (in the format "sha256:05585644690678ae6453ab12e3a5f899e7be5ab70f56c6bf1c4484d3b53587d2"). Overrides tag when specified. |
| networkValidator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. |
| networkValidator.image.repository | string | `"cgr.dev/chainguard/netcat"` | Image repository from which to pull the netcat image for the Airlock Microgateway Network Validator init-container. |
| networkValidator.image.tag | string | `""` | Image tag to pull. |
| networkValidator.resources | object | `{"limits":{"cpu":"25m","memory":"12Mi"},"requests":{"cpu":"5m","memory":"1Mi"}}` | Resource restrictions to apply to the Airlock Microgateway Network Validator init-container. |
| operator.affinity | object | `{}` | Custom affinity to apply to the operator Deployment. Used to influence the scheduling. |
| operator.config.logLevel | string | `"info"` | Operator application log level. |
| operator.gatewayAPI.controllerName | string | `"microgateway.airlock.com/gatewayclass-controller"` | Controller name referred in the GatewayClasses managed by this operator. The value must be a path prefixed by the domain `microgateway.airlock.com`. |
| operator.gatewayAPI.enabled | bool | `false` | Whether to enable the Kubernetes Gateway API related controllers. Requires that the gateway.networking.k8s.io/v1 resources are installed on the cluster. |
| operator.image.digest | string | `"sha256:80cbae58ad9badd9395fa09a7b0576561821121b8353146bbd6efa2240ab5d97"` | SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63"). Overrides tag when specified. |
| operator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. |
| operator.image.repository | string | `"quay.io/airlock/microgateway-operator"` | Image repository from which to pull the Airlock Microgateway Operator image. |
| operator.image.tag | string | `"4.4.0"` | Image tag to pull. |
| operator.nodeSelector | object | `{}` | Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes. |
| operator.podAnnotations | object | `{}` | Annotations to add to all Pods. |
| operator.podLabels | object | `{}` | Labels to add to all Pods. |
| operator.rbac.create | bool | `true` | Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function. |
| operator.replicaCount | int | `2` | Number of replicas for the operator Deployment. |
| operator.resources | object | `{}` | Resource restrictions to apply to the operator container. |
| operator.serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. |
| operator.serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. |
| operator.serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. |
| operator.serviceAnnotations | object | `{}` | Annotations to add to the Service. |
| operator.serviceLabels | object | `{}` | Labels to add to the Service. |
| operator.serviceMonitor.create | bool | `false` | Whether to create a ServiceMonitor resource for monitoring. |
| operator.serviceMonitor.labels | object | `{}` | Labels to add to the ServiceMonitor. |
| operator.tolerations | list | `[]` | Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes. |
| operator.updateStrategy | object | `{"type":"RollingUpdate"}` | Specifies the operator update strategy. |
| operator.watchNamespaceSelector | object | `{}` | Allows to dynamically select watch namespaces of the operator and the scope of the webhooks based on a Namespace label selector. It is able to detect and reconcile resources in all namespaces that match the label selector automatically, even for new namespaces, without restarting the operator. This facilitates a dynamic `MultiNamespace` installation mode, but still requires cluster-scoped permissions (i.e., ClusterRoles and ClusterRoleBindings). An `AllNamespaces` installation or the usage of the `watchNamespaces` requires the `watchNamespaceSelector` to be empty. Please note that this feature requires a Premium license. |
| operator.watchNamespaces | list | `[]` | Allows to restrict the operator to specific namespaces, depending on your needs. For a `OwnNamespace` or `SingleNamespace` installation the list may only contain one namespace (e.g., `watchNamespaces: ["airlock-microgateway-system"]`). In case of the `OwnNamespace` installation mode the specified namespace should be equal to the installation namespace. For a static `MultiNamespace` installation, the complete list of namespaces must be provided in the `watchNamespaces`. An `AllNamespaces` installation or the usage of the `watchNamespaceSelector` requires the `watchNamespaces` to be empty. Regardless of the installation modes supported by `watchNamespaces`, RBAC is created only namespace-scoped (using Roles and RoleBindings) in the respective namespaces. Please note that this feature requires a Premium license. |
| sessionAgent.image.digest | string | `"sha256:fbb90f2a52bb1b19cca6c5c133e80331153c019ec905db052c250fedbb09c3bc"` | SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). Overrides tag when specified. |
| sessionAgent.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. |
| sessionAgent.image.repository | string | `"quay.io/airlock/microgateway-session-agent"` | Image repository from which to pull the Airlock Microgateway Session Agent image. |
| sessionAgent.image.tag | string | `"4.4.0"` | Image tag to pull. |
| sessionAgent.resources | object | `{}` | Resource restrictions to apply to the Airlock Microgateway Session Agent container. |
| tests.enabled | bool | `false` | Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). If set to false, `helm test` will not run any tests. |
## License
View the [detailed license terms](https://www.airlock.com/en/airlock-license) for the software contained in this image.
* Decompiling or reverse engineering is not permitted.
* Using any of the deny rules or parts of these filter patterns outside of the image is not permitted.
Airlock<sup>&#174;</sup> is a security innovation by [ergon](https://www.ergon.ch/en)
<!-- Airlock SAH Logo (different image for light/dark mode) -->
<a href="https://www.airlock.com/en/secure-access-hub/">
<picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo_Negative.png">
<source media="(prefers-color-scheme: light)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo.png">
<img alt="Airlock Secure Access Hub" src="https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo.png" width="150">
</picture>
</a>

28
charts/airlock/microgateway/4.4.0/app-readme.md Normal file
View File

@ -0,0 +1,28 @@
# Airlock Microgateway
*Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.*
## Features
* Kubernetes native integration with its Operator, Custom Resource Definitions, hot-reload, automatic sidecar injection.
* Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction
* Using native Envoy HTTP filters like Lua scripting, RBAC, ext_authz, JWT authentication
* Content security filters for protecting against known attacks (OWASP Top 10)
* Access control to allow only authenticated users to access the protected services
* API security features like JSON parsing or OpenAPI specification enforcement
For a list of all features, view the **[comparison of the community and premium edition](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html)**.
## Requirements
* [Airlock Microgateway CNI Helm Chart](https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni) (Also available as Rancher Chart)
* [Airlock Microgateway License](https://github.com/airlock/microgateway?tab=readme-ov-file#obtain-airlock-microgateway-license) (After obtaining the license install it according to the [documentation](https://github.com/airlock/microgateway?tab=readme-ov-file#deploy-airlock-microgateway-operator))
* [cert-manager](https://cert-manager.io/docs/installation/)
## Documentation and links
Check the official documentation at **[docs.airlock.com](https://docs.airlock.com/microgateway/latest/)** or the product website at **[airlock.com/microgateway](https://www.airlock.com/en/microgateway)**. The links below point out the most interesting documentation sites when starting with Airlock Microgateway.
* [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html)
* [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html)
* [Installation](https://docs.airlock.com/microgateway/latest/#data/1660804708637.html)
* [Troubleshooting](https://docs.airlock.com/microgateway/latest/#data/1659430054787.html)
* [GitHub](https://github.com/airlock/microgateway)

501
charts/airlock/microgateway/4.4.0/crds/accesscontrols.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,501 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.4
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.4.0
name: accesscontrols.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: AccessControl
listKind: AccessControlList
plural: accesscontrols
singular: accesscontrol
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: AccessControl specifies the options to perform access control with a Microgateway Engine container.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specifies how the Airlock Microgateway Engine performs access control.
properties:
policies:
description: Policies configures access control policies. The first matching policy (from top to bottom) applies.
items:
properties:
authorization:
description: Authorization configures how requests are authorized. An empty object value {} disables authorization.
properties:
authentication:
description: Authentication specifies that clients need to be authenticated with the provided method.
properties:
oidc:
description: OIDC configures client authentication using OpenID Connect.
properties:
oidcRelyingPartyRef:
description: OIDCRelyingPartyRef configures how the Airlock Microgateway Engine interacts with the OpenID provider.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- oidcRelyingPartyRef
type: object
type: object
deny:
description: Deny specifies to deny access for all requests matching this policy.
type: object
requireAll:
description: RequireAll specifies conditions which must all be satisfied for the request to be authorized.
items:
properties:
oidc:
description: OIDC specifies a condition on the result of an OpenID Connect flow.
properties:
claim:
description: Claim specifies a condition on a JWT claim.
properties:
name:
description: Name of the claim.
minLength: 1
type: string
value:
description: |-
Value of the claim. If not specified, only existence of the claim is checked (any value is allowed).
Value matching is only supported if the data type of the claim is either primitive (`number`, `boolean`, `string`) or `array` of primitives.
In case of a non-string value, the match will be performed against the stringified value.
If the claim has an unsupported data type (e.g. `object` or `null`), its value will never match.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
required:
- name
type: object
required:
- claim
type: object
required:
- oidc
type: object
minItems: 1
type: array
requireAny:
description: RequireAny specifies conditions of which at least one must be satisfied for the request to be authorized.
items:
properties:
oidc:
description: OIDC specifies a condition on the result of an OpenID Connect flow.
properties:
claim:
description: Claim specifies a condition on a JWT claim.
properties:
name:
description: Name of the claim.
minLength: 1
type: string
value:
description: |-
Value of the claim. If not specified, only existence of the claim is checked (any value is allowed).
Value matching is only supported if the data type of the claim is either primitive (`number`, `boolean`, `string`) or `array` of primitives.
In case of a non-string value, the match will be performed against the stringified value.
If the claim has an unsupported data type (e.g. `object` or `null`), its value will never match.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
required:
- name
type: object
required:
- claim
type: object
required:
- oidc
type: object
minItems: 1
type: array
type: object
identityPropagation:
description: IdentityPropagation configures how the authenticated user's identity is communicated to the protected application.
properties:
actions:
description: Actions specifies the propagation actions.
items:
properties:
identityPropagationRef:
description: IdentityPropagationRef selects an IdentityPropagation to apply.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- identityPropagationRef
type: object
type: array
onFailure:
description: |-
OnFailure configures what should happen, if an identity propagation fails. Meaning of the possible values:
_Pass_: The request should be forwarded to the upstream, without including the information from the failed identity propagations.
enum:
- Pass
type: string
required:
- actions
- onFailure
type: object
requestConditions:
description: |-
RequestConditions defines additional request properties which must be matched in order for this policy to apply. A policy without request conditions will always match.
WARNING: There is currently a limitation that if `authentication.oidc` is configured for this policy, you must ensure that the request condition also matches logout requests and callback redirects from the OIDC Provider as configured in the OIDCRelyingParty (`pathMapping.logoutPath` / `pathMapping.redirectPath`).
properties:
header:
description: Header defines the matching headers of a request.
properties:
name:
description: Name defines the name of a header.
properties:
matcher:
description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a header.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
invert:
default: false
description: Invert indicates whether the request condition should be inverted.
type: boolean
mediaType:
description: MediaType defines the matching media type from the content-type header of a request.
properties:
matcher:
description: |-
NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
method:
description: Method defines the matching methods of a request.
items:
description: Method defines common HTTP methods.
enum:
- GET
- HEAD
- POST
- PUT
- PATCH
- DELETE
- CONNECT
- OPTIONS
- TRACE
type: string
type: array
path:
description: Path defines the matching path of a request.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
remoteIP:
description: RemoteIP defines the matching remote IPs of a request.
properties:
cidrRanges:
description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``.
items:
description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“.
format: cidr
type: string
minItems: 1
type: array
invert:
default: false
description: Invert indicates whether the match should be inverted.
type: boolean
required:
- cidrRanges
type: object
type: object
required:
- authorization
type: object
minItems: 1
type: array
required:
- policies
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}

139
charts/airlock/microgateway/4.4.0/crds/contentsecurities.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,139 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.4
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.4.0
name: contentsecurities.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: ContentSecurity
listKind: ContentSecurityList
plural: contentsecurities
singular: contentsecurity
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: ContentSecurity specifies the options to secure an upstream web application with a Microgateway Engine container.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specifies the options to secure an upstream web application with a Microgateway Engine container.
properties:
apiProtection:
description: |-
APIProtection defines the relevant configurations to protect APIs.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
graphQLRef:
description: |-
GraphQLRef selects the relevant GraphQL configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
openAPIRef:
description: |-
OpenAPIRef selects the relevant OpenAPI configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: object
filter:
description: |-
Filter defines the set of filters, e.g. Airlock Deny Rules, to be applied to incoming requests
to protect against various attack patterns.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
denyRulesRef:
description: |-
DenyRulesRef selects the relevant DenyRules configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: object
headerRewritesRef:
description: |-
HeaderRewritesRef selects the relevant HeaderRewrites.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
limitsRef:
description: |-
LimitsRef selects the relevant Limits configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
parserRef:
description: |-
ParserRef selects the relevant Parser configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: object
type: object
served: true
storage: true
subresources: {}

476
charts/airlock/microgateway/4.4.0/crds/contentsecuritypolicies.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,476 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.4
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.4.0
gateway.networking.k8s.io/policy: direct
name: contentsecuritypolicies.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: ContentSecurityPolicy
listKind: ContentSecurityPolicyList
plural: contentsecuritypolicies
singular: contentsecuritypolicy
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: ContentSecurityPolicy is a Direct Attached Policy for the Kubernetes Gateway API. It specifies the options to secure an upstream web application with a Microgateway.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of ContentSecurityPolicy.
properties:
secured:
description: Secured enables WAF processing for the routes attached to this policy.
properties:
apiProtection:
description: |-
APIProtection defines the relevant configurations to protect APIs.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
graphQLRef:
description: |-
GraphQLRef selects the relevant GraphQL configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
openAPIRef:
description: |-
OpenAPIRef selects the relevant OpenAPI configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: object
filter:
description: |-
Filter defines the set of filters, e.g. Airlock Deny Rules, to be applied to incoming requests
to protect against various attack patterns.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
denyRulesRef:
description: |-
DenyRulesRef selects the relevant DenyRules configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: object
limitsRef:
description: |-
LimitsRef selects the relevant Limits configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
parserRef:
description: |-
ParserRef selects the relevant Parser configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: object
targetRefs:
description: |-
TargetRefs are the resources this policy is being attached to. Referenced resources must be in the same namespace as the policy.
Support: HTTPRoute.
items:
description: |-
LocalPolicyTargetReference identifies an API object to apply a direct or
inherited policy to. This should be used as part of Policy resources
that can target Gateway API resources. For more information on how this
policy attachment model works, and a sample Policy resource, refer to
the policy attachment documentation for Gateway API.
properties:
group:
description: Group is the group of the target resource.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is kind of the target resource.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the target resource.
maxLength: 253
minLength: 1
type: string
required:
- group
- kind
- name
type: object
maxItems: 16
minItems: 1
type: array
x-kubernetes-validations:
- message: 'TargetRef Kind must be: HTTPRoute'
rule: self.all(t, t.kind=='HTTPRoute')
- message: TargetRef Group must be gateway.networking.k8s.io.
rule: self.all(t, t.group=='gateway.networking.k8s.io')
unsecured:
description: |-
Unsecured disables all WAF functionality and therefore protection for the routes attached to this policy.
WARNING: Using this setting when the application is exposed to untrusted downstream traffic is highly discouraged.
type: object
required:
- targetRefs
type: object
status:
description: Status defines the state of the ContentSecurityPolicy.
properties:
ancestors:
description: |-
Ancestors is a list of ancestor resources (usually Gateways) that are
associated with the policy, and the status of the policy with respect to
each ancestor. When this policy attaches to a parent, the controller that
manages the parent and the ancestors MUST add an entry to this list when
the controller first sees the policy and SHOULD update the entry as
appropriate when the relevant ancestor is modified.
Note that choosing the relevant ancestor is left to the Policy designers;
an important part of Policy design is designing the right object level at
which to namespace this status.
Note also that implementations MUST ONLY populate ancestor status for
the Ancestor resources they are responsible for. Implementations MUST
use the ControllerName field to uniquely identify the entries in this list
that they are responsible for.
Note that to achieve this, the list of PolicyAncestorStatus structs
MUST be treated as a map with a composite key, made up of the AncestorRef
and ControllerName fields combined.
A maximum of 16 ancestors will be represented in this list. An empty list
means the Policy is not relevant for any ancestors.
If this slice is full, implementations MUST NOT add further entries.
Instead they MUST consider the policy unimplementable and signal that
on any related resources such as the ancestor that would be referenced
here. For example, if this list was full on BackendTLSPolicy, no
additional Gateways would be able to reference the Service targeted by
the BackendTLSPolicy.
items:
description: |-
PolicyAncestorStatus describes the status of a route with respect to an
associated Ancestor.
Ancestors refer to objects that are either the Target of a policy or above it
in terms of object hierarchy. For example, if a policy targets a Service, the
Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
useful object to place Policy status on, so we recommend that implementations
SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
have a _very_ good reason otherwise.
In the context of policy attachment, the Ancestor is used to distinguish which
resource results in a distinct application of this policy. For example, if a policy
targets a Service, it may have a distinct result per attached Gateway.
Policies targeting the same resource may have different effects depending on the
ancestors of those resources. For example, different Gateways targeting the same
Service may have different capabilities, especially if they have different underlying
implementations.
For example, in BackendTLSPolicy, the Policy attaches to a Service that is
used as a backend in a HTTPRoute that is itself attached to a Gateway.
In this case, the relevant object for status is the Gateway, and that is the
ancestor object referred to in this status.
Note that a parent is also an ancestor, so for objects where the parent is the
relevant object for status, this struct SHOULD still be used.
This struct is intended to be used in a slice that's effectively a map,
with a composite key made up of the AncestorRef and the ControllerName.
properties:
ancestorRef:
description: |-
AncestorRef corresponds with a ParentRef in the spec that this
PolicyAncestorStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
description: |-
Group is the group of the referent.
When unspecified, "gateway.networking.k8s.io" is inferred.
To set the core API group (such as for a "Service" kind referent),
Group must be explicitly set to "" (empty string).
Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
description: |-
Kind is kind of the referent.
There are two kinds of parent resources with "Core" support:
* Gateway (Gateway conformance profile)
* Service (Mesh conformance profile, ClusterIP Services only)
Support for other resources is Implementation-Specific.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: |-
Name is the name of the referent.
Support: Core
maxLength: 253
minLength: 1
type: string
namespace:
description: |-
Namespace is the namespace of the referent. When unspecified, this refers
to the local namespace of the Route.
Note that there are specific rules for ParentRefs which cross namespace
boundaries. Cross-namespace references are only valid if they are explicitly
allowed by something in the namespace they are referring to. For example:
Gateway has the AllowedRoutes field, and ReferenceGrant provides a
generic way to enable any other kind of cross-namespace reference.
<gateway:experimental:description>
ParentRefs from a Route to a Service in the same namespace are "producer"
routes, which apply default routing rules to inbound connections from
any namespace to the Service.
ParentRefs from a Route to a Service in a different namespace are
"consumer" routes, and these routing rules are only applied to outbound
connections originating from the same namespace as the Route, for which
the intended destination of the connections are a Service targeted as a
ParentRef of the Route.
</gateway:experimental:description>
Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: |-
Port is the network port this Route targets. It can be interpreted
differently based on the type of parent resource.
When the parent resource is a Gateway, this targets all listeners
listening on the specified port that also support this kind of Route(and
select this Route). It's not recommended to set `Port` unless the
networking behaviors specified in a Route must apply to a specific port
as opposed to a listener(s) whose port(s) may be changed. When both Port
and SectionName are specified, the name and port of the selected listener
must match both specified values.
<gateway:experimental:description>
When the parent resource is a Service, this targets a specific port in the
Service spec. When both Port (experimental) and SectionName are specified,
the name and port of the selected port must match both specified values.
</gateway:experimental:description>
Implementations MAY choose to support other parent resources.
Implementations supporting other types of parent resources MUST clearly
document how/if Port is interpreted.
For the purpose of status, an attachment is considered successful as
long as the parent resource accepts it partially. For example, Gateway
listeners can restrict which Routes can attach to them by Route kind,
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
from the referencing Route, the Route MUST be considered successfully
attached. If no Gateway listeners accept attachment from this Route,
the Route MUST be considered detached from the Gateway.
Support: Extended
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
description: |-
SectionName is the name of a section within the target resource. In the
following resources, SectionName is interpreted as the following:
* Gateway: Listener name. When both Port (experimental) and SectionName
are specified, the name and port of the selected listener must match
both specified values.
* Service: Port name. When both Port (experimental) and SectionName
are specified, the name and port of the selected listener must match
both specified values.
Implementations MAY choose to support attaching Routes to other resources.
If that is the case, they MUST clearly document how SectionName is
interpreted.
When unspecified (empty string), this will reference the entire resource.
For the purpose of status, an attachment is considered successful if at
least one section in the parent resource accepts it. For example, Gateway
listeners can restrict which Routes can attach to them by Route kind,
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
the referencing Route, the Route MUST be considered successfully
attached. If no Gateway listeners accept attachment from this Route, the
Route MUST be considered detached from the Gateway.
Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- name
type: object
conditions:
description: Conditions describes the status of the Policy with respect to the given Ancestor.
items:
description: Condition contains details for one aspect of the current state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
minItems: 1
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
controllerName:
description: |-
ControllerName is a domain/path string that indicates the name of the
controller that wrote this status. This corresponds with the
controllerName field on GatewayClass.
Example: "example.net/gateway-controller".
The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
valid Kubernetes names
(https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
Controllers MUST populate this field when writing status. Controllers should ensure that
entries to status populated with their ControllerName are cleaned up when they are no
longer necessary.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
required:
- ancestorRef
- controllerName
type: object
maxItems: 16
type: array
required:
- ancestors
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}

1812
charts/airlock/microgateway/4.4.0/crds/denyrules.microgateway.airlock.com.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

58
charts/airlock/microgateway/4.4.0/crds/envoyclusters.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,58 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.4
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.4.0
name: envoyclusters.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: EnvoyCluster
listKind: EnvoyClusterList
plural: envoyclusters
singular: envoycluster
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: EnvoyCluster is an additional Envoy Cluster resource which is added to those defined by the Airlock Microgateway.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired additional Envoy cluster.
properties:
value:
description: Value defines the Envoy Cluster which is added to those configured by the Airlock Microgateway.
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
served: true
storage: true
subresources: {}

185
charts/airlock/microgateway/4.4.0/crds/envoyconfigurations.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,185 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.4
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.4.0
name: envoyconfigurations.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: EnvoyConfiguration
listKind: EnvoyConfigurationList
plural: envoyconfigurations
singular: envoyconfiguration
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.status
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
EnvoyConfiguration is the Schema for the envoyconfigurations API
{{% notice warning %}} EnvoyConfiguration resources may contain sensitive information and thus RBAC permissions should be granted with care. {{% /notice %}}
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: EnvoyConfigurationSpec defines the desired state of EnvoyConfiguration
properties:
envoyResources:
properties:
clusters:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
endpoints:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
extensions:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
listeners:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
routes:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
runtimes:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
scopedRoutes:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
secrets:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
type: object
envoyResourcesRaw:
description: |-
EnvoyResourcesRaw defines the desired state for each resource type. The resources are stored as zstd compressed JSON bytes.
For debugging purposes, the resources can be inspected with the following command: `kubectl get envoyconfiguration <name> -ojsonpath='{.spec.envoyResourcesRaw}' | base64 -d | zstd -d | jq`
format: byte
type: string
nodeID:
description: '**Deprecated:** This field is now ignored as NodeID is always derived from the resource name.'
type: string
type: object
status:
description: EnvoyConfigurationStatus defines the observed state of EnvoyConfiguration
properties:
conditions:
items:
properties:
lastTransitionTime:
description: Last time the condition transitioned from one status to another.
format: date-time
type: string
message:
description: A human-readable message indicating details about the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of EnvoyConfiguration condition.
type: string
required:
- status
- type
type: object
type: array
status:
type: string
xds:
properties:
resourceTypes:
additionalProperties:
description: XdsResourceTypeSyncStatus defines the sync status of xDS for a specific resource type
properties:
errorMessage:
description: ErrorMessage defines an optional message why the currently served resources of this resource type are rejected by the client.
type: string
resources:
additionalProperties:
description: XdsResourceStatus defines the status of xDS for a specific resource
properties:
version:
description: Version defines the version which is currently served for this resource.
type: string
required:
- version
type: object
description: Resources defines the resources which are currently served for this resource type.
type: object
status:
description: Status defines the current sync status of this resource type.
type: string
version:
description: Version defines the version which is currently served for this resource type.
type: string
required:
- resources
- status
- version
type: object
description: ResourceTypes defines the sync statuses for each resource type.
type: object
version:
description: Version defines the version of the underlying xDS snapshot.
type: integer
required:
- version
type: object
required:
- status
- xds
type: object
type: object
served: true
storage: true
subresources:
status: {}

58
charts/airlock/microgateway/4.4.0/crds/envoyhttpfilters.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,58 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.4
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.4.0
name: envoyhttpfilters.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: EnvoyHTTPFilter
listKind: EnvoyHTTPFilterList
plural: envoyhttpfilters
singular: envoyhttpfilter
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: EnvoyHTTPFilter is an additional Envoy HTTP Filter resource which is added to those defined by the Airlock Microgateway.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired additional Envoy HTTP filter.
properties:
value:
description: Value defines the HTTP filter which is added to those configured by the Airlock Microgateway.
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
served: true
storage: true
subresources: {}

88
charts/airlock/microgateway/4.4.0/crds/graphqls.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,88 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.4
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.4.0
name: graphqls.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: GraphQL
listKind: GraphQLList
plural: graphqls
singular: graphql
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: GraphQL contains the configuration for the GraphQL specification.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired GraphQL specification.
properties:
settings:
description: Settings defines the settings to configure GraphQL.
properties:
allowIntrospection:
default: true
description: AllowIntrospection specifies if the introspection system is exposed.
type: boolean
allowMutations:
default: true
description: AllowMutations specifies if mutations are allowed.
type: boolean
schema:
description: Specifies the GraphQL schema.
properties:
source:
description: Source specifies the GraphQL schema to be enforced.
properties:
configMapRef:
description: ConfigMapRef references the configmap by its name containing the well-known key 'schema.graphql'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: object
required:
- source
type: object
threatHandlingMode:
default: Block
description: ThreatHandlingMode specifies how threats should be handled.
enum:
- Block
- LogOnly
type: string
type: object
type: object
type: object
served: true
storage: true

2083
charts/airlock/microgateway/4.4.0/crds/headerrewrites.microgateway.airlock.com.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

151
charts/airlock/microgateway/4.4.0/crds/identitypropagations.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,151 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.4
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.4.0
name: identitypropagations.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: IdentityPropagation
listKind: IdentityPropagationList
plural: identitypropagations
singular: identitypropagation
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: IdentityPropagation specifies the desired identity propagation.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired identity propagation.
properties:
bearerToken:
description: BearerToken configures identity propagation via an authorization header containing a bearer token.
properties:
source:
description: Source from which to extract the token.
properties:
metadata:
description: Metadata specifies to extract a value from an Envoy dynamic filter metadata key.
properties:
key:
description: Key specifies the metadata key from which to load the value, e.g. `some_payload.aud`.
minLength: 1
type: string
namespace:
description: Namespace specifies the metadata namespace within which the lookup should be performed, e.g. `envoy.filters.http.jwt_authn`.
minLength: 1
type: string
required:
- key
- namespace
type: object
oidc:
description: OIDC specifies to extract a value from the result of an OpenID Connect flow.
properties:
accessToken:
description: AccessToken specifies to extract the value from the OpenID Connect Access Token.
type: object
idToken:
description: IDToken specifies to extract the value from the OpenID Connect ID Token.
properties:
claim:
description: Claim selects the JWT claim from which to extract the value.
minLength: 1
type: string
required:
- claim
type: object
type: object
type: object
required:
- source
type: object
header:
description: Header configures identity propagation via a request header.
properties:
name:
description: Name of the header to set.
minLength: 1
type: string
value:
description: Value to propagate to the application.
properties:
source:
description: Source from which to extract the value.
properties:
metadata:
description: Metadata specifies to extract a value from an Envoy dynamic filter metadata key.
properties:
key:
description: Key specifies the metadata key from which to load the value, e.g. `some_payload.aud`.
minLength: 1
type: string
namespace:
description: Namespace specifies the metadata namespace within which the lookup should be performed, e.g. `envoy.filters.http.jwt_authn`.
minLength: 1
type: string
required:
- key
- namespace
type: object
oidc:
description: OIDC specifies to extract a value from the result of an OpenID Connect flow.
properties:
accessToken:
description: AccessToken specifies to extract the value from the OpenID Connect Access Token.
type: object
idToken:
description: IDToken specifies to extract the value from the OpenID Connect ID Token.
properties:
claim:
description: Claim selects the JWT claim from which to extract the value.
minLength: 1
type: string
required:
- claim
type: object
type: object
type: object
required:
- source
type: object
required:
- name
- value
type: object
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}

294
charts/airlock/microgateway/4.4.0/crds/jwks.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,294 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.4
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.4.0
name: jwks.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: JWKS
listKind: JWKSList
plural: jwks
singular: jwks
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: JWKS provides a JSON Web Key Set.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the JWKS.
properties:
provider:
description: Provider configures the source from which to retrieve the JWKS.
properties:
local:
description: Local specifies to retrieve the JWKS from a local secret.
properties:
secretRef:
description: SecretRef selects the secret containing the JWKS under the key 'jwks.json'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
remote:
description: Remote specifies to retrieve the JWKS from a remote endpoint.
properties:
timeouts:
description: Timeouts specifies the timeouts when interacting with the Token endpoint.
properties:
connect:
default: 5s
description: Connect specifies the timeout for establishing a connection.
type: string
maxDuration:
default: 15s
description: MaxDuration specifies the response timeout.
type: string
type: object
tls:
description: TLS defines TLS settings.
properties:
certificateVerification:
description: CertificateVerification specifies how the certificate presented by the server is verified.
properties:
custom:
description: |-
Custom explicitly specifies how the server certificate should be verified.
Typical use cases include specifying a custom CA and SAN match when working with self-signed certificates or pinning a specific public key.
properties:
allowedSANs:
description: |-
AllowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics,
that is to say, the SAN is verified if at least one matcher is matched.
AllowedSANs requires trustedCA to be set.
items:
description: |-
TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
Subject Alternative Name of the presented certificate matches one of the specified matchers.
properties:
matcher:
description: Matcher defines the string matcher for the SAN value.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
sanType:
description: SanType defines the type of SAN matcher.
enum:
- DNS
- Email
- URI
- IPAddress
type: string
required:
- matcher
- sanType
type: object
minItems: 1
type: array
certificatePinning:
description: |-
CertificatePinning defines constraints the presented certificate must fulfill.
If more than one constraint is configured only one must be satisfied.
At least one of allowedSPKIs and allowedHashes must be set.
properties:
allowedHashes:
description: |-
AllowedHashes is a list of hex-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
items:
type: string
minItems: 1
type: array
allowedSPKIs:
description: |-
AllowedSPKIs is a list of base64-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.
items:
type: string
minItems: 1
type: array
type: object
crl:
description: CRL defines the Certificate Revocation List (CRL) settings.
properties:
lists:
description: Lists defines the list of secretRefs containing Certificate Revocation Lists.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
validationMode:
default: VerifyChain
description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked.
enum:
- VerifyLeafCertOnly
- VerifyChain
type: string
type: object
trustedCA:
description: TrustedCA defines which CA certificates are trusted.
properties:
certificates:
description: Certificates defines the list of secretRefs containing trusted CA certificates.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
verificationDepth:
default: 1
description: |-
VerificationDepth specifies the hops in the certificate chain at which validation is performed.
1 means that either the leaf or the signing CA must be in the set of trusted certificates.
format: int32
type: integer
required:
- certificates
type: object
type: object
disabled:
description: |-
Disabled specifies to trust any certificate without verification.
THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING.
type: object
publicCAs:
description: PublicCAs specifies to only accept certificates with a SAN matching "uri" and which are signed by a CA which is either directly or indirectly trusted by any of the root CA certificates shipped with the Airlock Microgateway Engine's base image.
type: object
type: object
ciphers:
description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration.
items:
type: string
minItems: 1
type: array
protocol:
description: Protocol defines the supported TLS protocol versions.
properties:
maximum:
description: Maximum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
minimum:
description: Minimum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
type: object
type: object
uri:
description: URI specifies the endpoint address.
format: uri
minLength: 1
pattern: ^(http|https)://.*$
type: string
required:
- uri
type: object
type: object
required:
- provider
type: object
required:
- spec
type: object
served: true
storage: true

651
charts/airlock/microgateway/4.4.0/crds/limits.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,651 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.4
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.4.0
name: limits.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: Limits
listKind: LimitsList
plural: limits
singular: limits
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: Limits contains the configuration for limits.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired limits behavior.
properties:
request:
description: Request defines the limits for requests.
properties:
limited:
description: Limited enables limits on request scope.
properties:
exceptions:
description: Exceptions defines limit exceptions.
items:
description: LimitsException defines an exception for limits.
properties:
length:
description: Length defines an exception for length limits based on the data element exceeding the limit.
properties:
graphQL:
description: GraphQL defines a field, argument or value length limit exception for a GraphQL query.
properties:
argument:
description: |-
Argument restricts the exception to GraphQL queries with a matching argument of a field.
At least one of field, argument and value must be set.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
field:
description: |-
Field restricts the exception to GraphQL queries with a matching field.
At least one of field, argument and value must be set.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: |-
Value restricts the exception to GraphQL queries with a matching argument value.
At least one of field, argument and value must be set.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
json:
description: JSON defines a key and value length limit exception for a JSON property.
properties:
jsonPath:
description: |-
JSONPath restricts the exception to JSON properties with a matching JSONPath.
Expressions in JSONPath i.e. `?(expr)` are not supported.
minLength: 1
type: string
required:
- jsonPath
type: object
parameter:
description: Parameter defines a name and value length limit exception for a parameter.
properties:
name:
description: Name restricts the exception to parameters with a matching name.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
source:
default: Any
description: Source restricts the exception to parameters of this kind.
enum:
- Query
- Post
- Any
type: string
required:
- name
type: object
type: object
requestConditions:
description: RequestConditions defines additional request properties which must be matched in order for this exception to apply.
properties:
header:
description: Header defines the matching headers of a request.
properties:
name:
description: Name defines the name of a header.
properties:
matcher:
description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a header.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
invert:
default: false
description: Invert indicates whether the request condition should be inverted.
type: boolean
mediaType:
description: MediaType defines the matching media type from the content-type header of a request.
properties:
matcher:
description: |-
NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
method:
description: Method defines the matching methods of a request.
items:
description: Method defines common HTTP methods.
enum:
- GET
- HEAD
- POST
- PUT
- PATCH
- DELETE
- CONNECT
- OPTIONS
- TRACE
type: string
type: array
path:
description: Path defines the matching path of a request.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
remoteIP:
description: RemoteIP defines the matching remote IPs of a request.
properties:
cidrRanges:
description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``.
items:
description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“.
format: cidr
type: string
minItems: 1
type: array
invert:
default: false
description: Invert indicates whether the match should be inverted.
type: boolean
required:
- cidrRanges
type: object
type: object
type: object
type: array
general:
description: General defines general request limits.
properties:
bodySize:
anyOf:
- type: integer
- type: string
default: 100Mi
description: BodySize limits the total size of the request body. It specifies the number of bytes (0 = unlimited). This limit is effective for any request not processed by one of the content parsers (e.g. json) as configured in the Parser CRD. **Note** This limit does not apply to WebSocket or gRPC traffic.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
pathLength:
anyOf:
- type: integer
- type: string
default: 1Ki
description: PathLength defines the maximum path length for all requests (parsed and unparsed).
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
graphQL:
description: GraphQL defines the limits for GraphQL requests.
properties:
nestingDepth:
default: 10
description: NestingDepth defines the maximum depth of nesting for GraphQL objects.
format: int64
type: integer
querySize:
anyOf:
- type: integer
- type: string
default: 1Ki
description: QuerySize defines the maximum size for GraphQL queries.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
valueLength:
anyOf:
- type: integer
- type: string
default: "256"
description: ValueLength defines the maximum length for GraphQL values.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
json:
description: JSON defines the limits for JSON requests.
properties:
bodySize:
anyOf:
- type: integer
- type: string
default: 100Ki
description: BodySize limits the total size of the JSON request body. It specifies the number of bytes (0 = unlimited).
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
elementCount:
default: 10000
description: ElementCount defines the maximum number of keys and array items in the whole JSON document (recursive).
format: int64
type: integer
keyCount:
default: 250
description: KeyCount defines the maximum number of keys of a single JSON object (non-recursive).
format: int64
type: integer
keyLength:
anyOf:
- type: integer
- type: string
default: "128"
description: KeyLength defines the maximum length for JSON keys.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
nestingDepth:
default: 100
description: NestingDepth defines the maximum depth of nesting for JSON objects and JSON arrays.
format: int64
type: integer
valueLength:
anyOf:
- type: integer
- type: string
default: 8Ki
description: ValueLength defines the maximum length for JSON values.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
multipart:
description: Multipart defines the limits for Multipart requests.
properties:
bodySize:
anyOf:
- type: integer
- type: string
default: 100Mi
description: BodySize limits the total size of the Multipart request body. It specifies the number of bytes (0 = unlimited).
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
parameter:
description: Parameter defines the limits for request parameters.
properties:
bodySize:
anyOf:
- type: integer
- type: string
default: 100Ki
description: BodySize limits the total size of the form data body. It specifies the number of bytes (0 = unlimited).
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
count:
default: 128
description: Count defines the maximum number of request parameters.
format: int64
type: integer
nameLength:
anyOf:
- type: integer
- type: string
default: "128"
description: NameLength defines the maximum length for parameter names.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
valueLength:
anyOf:
- type: integer
- type: string
default: 8Ki
description: ValueLength defines the maximum length for parameter values.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
type: object
unlimited:
description: Unlimited disables all limits on request scope.
type: object
type: object
settings:
description: Settings configures the limits filter.
properties:
threatHandlingMode:
default: Block
description: ThreatHandlingMode specifies how threats should be handled when a limit hits.
enum:
- Block
- LogOnly
type: string
type: object
type: object
type: object
served: true
storage: true

342
charts/airlock/microgateway/4.4.0/crds/oidcproviders.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,342 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.4
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.4.0
name: oidcproviders.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: OIDCProvider
listKind: OIDCProviderList
plural: oidcproviders
singular: oidcprovider
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
OIDCProvider specifies an OpenID Provider (OP).
{{% notice info %}} The OIDC feature requires SessionHandling to be configured in the SidecarGateway. {{% /notice %}}
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of an OpenID Provider.
properties:
static:
description: Static configures an OpenID Provider by explicitly specifying all endpoints.
properties:
endpoints:
description: Endpoints specifies the OpenID Provider endpoints.
properties:
authorization:
description: Authorization specifies the endpoint to which the authorization request is sent.
properties:
uri:
description: URI specifies the endpoint address.
format: uri
minLength: 1
pattern: ^(http|https)://.*$
type: string
required:
- uri
type: object
token:
description: Token configures the endpoint from which the access, ID and refresh tokens are obtained.
properties:
timeouts:
description: Timeouts specifies the timeouts when interacting with the Token endpoint.
properties:
connect:
default: 5s
description: Connect specifies the timeout for establishing a connection.
type: string
maxDuration:
default: 15s
description: MaxDuration specifies the response timeout.
type: string
type: object
tls:
description: TLS defines TLS settings.
properties:
certificateVerification:
description: CertificateVerification specifies how the certificate presented by the server is verified.
properties:
custom:
description: |-
Custom explicitly specifies how the server certificate should be verified.
Typical use cases include specifying a custom CA and SAN match when working with self-signed certificates or pinning a specific public key.
properties:
allowedSANs:
description: |-
AllowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics,
that is to say, the SAN is verified if at least one matcher is matched.
AllowedSANs requires trustedCA to be set.
items:
description: |-
TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
Subject Alternative Name of the presented certificate matches one of the specified matchers.
properties:
matcher:
description: Matcher defines the string matcher for the SAN value.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
sanType:
description: SanType defines the type of SAN matcher.
enum:
- DNS
- Email
- URI
- IPAddress
type: string
required:
- matcher
- sanType
type: object
minItems: 1
type: array
certificatePinning:
description: |-
CertificatePinning defines constraints the presented certificate must fulfill.
If more than one constraint is configured only one must be satisfied.
At least one of allowedSPKIs and allowedHashes must be set.
properties:
allowedHashes:
description: |-
AllowedHashes is a list of hex-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
items:
type: string
minItems: 1
type: array
allowedSPKIs:
description: |-
AllowedSPKIs is a list of base64-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.
items:
type: string
minItems: 1
type: array
type: object
crl:
description: CRL defines the Certificate Revocation List (CRL) settings.
properties:
lists:
description: Lists defines the list of secretRefs containing Certificate Revocation Lists.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
validationMode:
default: VerifyChain
description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked.
enum:
- VerifyLeafCertOnly
- VerifyChain
type: string
type: object
trustedCA:
description: TrustedCA defines which CA certificates are trusted.
properties:
certificates:
description: Certificates defines the list of secretRefs containing trusted CA certificates.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
verificationDepth:
default: 1
description: |-
VerificationDepth specifies the hops in the certificate chain at which validation is performed.
1 means that either the leaf or the signing CA must be in the set of trusted certificates.
format: int32
type: integer
required:
- certificates
type: object
type: object
disabled:
description: |-
Disabled specifies to trust any certificate without verification.
THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING.
type: object
publicCAs:
description: PublicCAs specifies to only accept certificates with a SAN matching "uri" and which are signed by a CA which is either directly or indirectly trusted by any of the root CA certificates shipped with the Airlock Microgateway Engine's base image.
type: object
type: object
ciphers:
description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration.
items:
type: string
minItems: 1
type: array
protocol:
description: Protocol defines the supported TLS protocol versions.
properties:
maximum:
description: Maximum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
minimum:
description: Minimum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
type: object
type: object
uri:
description: URI specifies the endpoint address.
format: uri
minLength: 1
pattern: ^(http|https)://.*$
type: string
required:
- uri
type: object
required:
- authorization
- token
type: object
issuer:
description: Issuer specifies the unique identifier of the OIDC Provider, which is used e.g. for signature verification.
format: uri
minLength: 1
pattern: ^(http|https)://.*$
type: string
tokenValidation:
description: TokenValidation configures token validation.
properties:
idToken:
description: IDToken configures validation for the OIDC ID Token.
properties:
signatureVerification:
description: SignatureVerification specifies how to verify the ID Token signature.
properties:
disabled:
description: Disabled specifies to skip verification of the JWT signature. Not recommended for production environments.
type: object
jwksRef:
description: JwksRef specifies the JWKS to use for verifying the JWT signature (usually provided by the OpenID Provider).
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: object
required:
- signatureVerification
type: object
required:
- idToken
type: object
required:
- endpoints
- issuer
- tokenValidation
type: object
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}

235
charts/airlock/microgateway/4.4.0/crds/oidcrelyingparties.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,235 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.4
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.4.0
name: oidcrelyingparties.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: OIDCRelyingParty
listKind: OIDCRelyingPartyList
plural: oidcrelyingparties
singular: oidcrelyingparty
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
OIDCRelyingParty specifies how the Airlock Microgateway Engine interacts with an OpenID Provider (OP).
{{% notice info %}} The OIDC feature requires SessionHandling to be configured in the SidecarGateway. {{% /notice %}}
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the OIDC Relying Party configuration.
properties:
clientID:
description: ClientID specifies the OIDCRelyingParty "client_id".
minLength: 1
type: string
credentials:
description: Credentials used for client authentication on the back-channel with the authorization server.
properties:
clientSecret:
description: ClientSecret authenticates with the client password issued by the OpenID Provider (OP).
properties:
method:
default: BasicAuth
description: Method specifies in which format the client secret is sent with the authorization request.
enum:
- BasicAuth
- FormURLEncoded
type: string
secretRef:
description: SecretRef specifies the kubernetes secret containing the client password with key "client.secret".
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
required:
- clientSecret
type: object
flowTimeout:
default: 5m
description: FlowTimeout specifies the time window within which an initiated OIDC flow can be completed by the client.
type: string
oidcProviderRef:
description: OIDCProviderRef selects the OpenID Provider (OP) used to authenticate users.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
pathMapping:
description: PathMapping configures the action matching.
properties:
logoutPath:
description: |-
LogoutPath specifies which request paths should initiate a logout.
WARNING: If the AccessControl policy referencing this OIDCRelyingParty has a request condition, you must currently ensure that it also matches these logout requests.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
redirectPath:
description: |-
RedirectPath specifies which request paths should be interpreted as a callback redirect from the authorization endpoint.
WARNING: If the AccessControl policy referencing this OIDCRelyingParty has a request condition, you must currently ensure that it also matches these callback redirect requests.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
required:
- logoutPath
- redirectPath
type: object
redirectURI:
description: |-
RedirectURI configures the "redirect_uri" parameter included in the authorization request.
May contain envoy command operators, e.g.: `%REQ(:x-forwarded-proto)%://%REQ(:authority)%/callback`
WARNING: If the AccessControl policy referencing this OIDCRelyingParty has a request condition, you must currently
ensure that it also matches requests to this URI.
minLength: 1
type: string
scopes:
description: |-
Scopes specifies the scopes to request during the OIDC flow.
The mandatory `openid` scope is implicitly added to the list if not already present.
Default: `['openid', 'profile']`
Note: Different OIDCRelyingParties which use the same OIDC Provider and Client ID must request the same scopes for now.
items:
minLength: 1
type: string
type: array
required:
- clientID
- credentials
- oidcProviderRef
- pathMapping
- redirectURI
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}

167
charts/airlock/microgateway/4.4.0/crds/openapis.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,167 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.4
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.4.0
name: openapis.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: OpenAPI
listKind: OpenAPIList
plural: openapis
singular: openapi
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: OpenAPI contains the configuration for the OpenAPI specification.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired OpenAPI specification.
properties:
response:
description: Response defines the validation behaviour for responses.
properties:
secured:
description: Secured enables response checking.
properties:
validation:
default: Lax
description: Validation defines the validation mode for responses.
enum:
- Lax
- Strict
type: string
type: object
unsecured:
description: Unsecured disables response checking.
type: object
type: object
settings:
description: Settings defines the settings to configure OpenAPI specification enforcement.
properties:
logging:
description: Logging specifies the access log behavior.
properties:
maxFailedSubvalidations:
default: 10
description: MaxFailedSubvalidations defines the maximum number of failed subvalidations being logged.
format: int64
type: integer
type: object
schema:
description: Schema configures the OpenAPI specification.
properties:
source:
description: Source specifies the OpenAPI specification to be enforced.
properties:
configMapRef:
description: ConfigMapRef references the configmap by its name containing the well-known key 'openapi.json'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: object
required:
- source
type: object
threatHandlingMode:
default: Block
description: ThreatHandlingMode specifies how threats should be handled.
enum:
- Block
- LogOnly
type: string
validation:
description: Validation specifies the patterns for the validation behavior.
properties:
authentication:
description: Authentication defines the settings for the authentication scheme.
properties:
oAuth2:
description: OAuth2 specifies the OAuth2 parameters.
properties:
allowedParameters:
description: AllowedParameters specifies the allowed parameters for the authentication scheme.
properties:
builtIn:
description: BuiltIn allows configuring a set of predefined allowed parameters.
properties:
standardParameters:
default: true
description: StandardParameters defines whether the allowed parameters should be expanded by the set of common parameters.
type: boolean
type: object
custom:
description: Custom allows configuring additional allowed parameters.
items:
minLength: 1
type: string
minItems: 1
type: array
type: object
type: object
oidc:
description: Oidc specifies the OIDC parameters.
properties:
allowedParameters:
description: AllowedParameters specifies the allowed parameters for the authentication scheme.
properties:
builtIn:
description: BuiltIn allows configuring a set of predefined allowed parameters.
properties:
standardParameters:
default: true
description: StandardParameters defines whether the allowed parameters should be expanded by the set of common parameters.
type: boolean
type: object
custom:
description: Custom allows configuring additional allowed parameters.
items:
minLength: 1
type: string
minItems: 1
type: array
type: object
type: object
type: object
type: object
required:
- schema
type: object
required:
- settings
type: object
required:
- spec
type: object
served: true
storage: true

358
charts/airlock/microgateway/4.4.0/crds/parsers.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,358 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.4
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.4.0
name: parsers.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: Parser
listKind: ParserList
plural: parsers
singular: parser
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: Parser contains the configuration for content parsers (default and custom).
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired parser behavior.
properties:
request:
description: Request defines the parsing for downstream requests.
properties:
custom:
description: Custom allows configuring additional rules for parser selection.
properties:
rules:
description: |-
Rules defines a custom set prepended before built-in rules of enabled request parsers.
Disable all built-in parsers to overrule them completely.
items:
properties:
action:
description: |-
Action specifies what should happen when a request condition matches.
Only one of parse or skip can be set.
properties:
parse:
description: Parse activates the configured parser.
properties:
form:
description: Form activates the Form parser.
type: object
json:
description: JSON activates the JSON parser.
type: object
multipart:
description: Multipart activates the multipart parser.
type: object
type: object
skip:
description: Skip disables any content parsing
type: object
type: object
requestConditions:
description: RequestConditions defines additional request properties which must be matched in order for this rule to apply.
properties:
header:
description: Header defines the matching headers of a request.
properties:
name:
description: Name defines the name of a header.
properties:
matcher:
description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a header.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
invert:
default: false
description: Invert indicates whether the request condition should be inverted.
type: boolean
mediaType:
description: MediaType defines the matching media type from the content-type header of a request.
properties:
matcher:
description: |-
NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
method:
description: Method defines the matching methods of a request.
items:
description: Method defines common HTTP methods.
enum:
- GET
- HEAD
- POST
- PUT
- PATCH
- DELETE
- CONNECT
- OPTIONS
- TRACE
type: string
type: array
path:
description: Path defines the matching path of a request.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
remoteIP:
description: RemoteIP defines the matching remote IPs of a request.
properties:
cidrRanges:
description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``.
items:
description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“.
format: cidr
type: string
minItems: 1
type: array
invert:
default: false
description: Invert indicates whether the match should be inverted.
type: boolean
required:
- cidrRanges
type: object
type: object
required:
- action
- requestConditions
type: object
type: array
type: object
defaultContentType:
default: application/x-www-form-urlencoded
description: DefaultContentType specifies the content-type header which should be injected into the request before parser selection if it is not already present and the request has a body.
minLength: 1
type: string
parsers:
description: Parsers defines the configuration for the available content parsers.
properties:
form:
description: Form defines the configuration for the form parser.
properties:
enable:
default: true
description: Enable defines whether form payloads are inspected.
type: boolean
mediaTypePattern:
default: .*urlencoded.*
description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as form arguments.
minLength: 1
type: string
type: object
json:
description: JSON defines the configuration for the JSON parser.
properties:
enable:
default: true
description: Enable defines whether json payloads are inspected.
type: boolean
mediaTypePattern:
default: .*json.*
description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as JSON.
minLength: 1
type: string
type: object
multipart:
description: Multipart defines the configuration for the multipart parser.
properties:
enable:
default: true
description: Enable defines whether multipart payloads are inspected.
type: boolean
mediaTypePattern:
default: .*multipart.*
description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as a multipart payload.
minLength: 1
type: string
type: object
type: object
type: object
type: object
type: object
served: true
storage: true

232
charts/airlock/microgateway/4.4.0/crds/redisproviders.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,232 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.4
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.4.0
name: redisproviders.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: RedisProvider
listKind: RedisProviderList
plural: redisproviders
singular: redisprovider
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: RedisProvider contains a client configuration for connecting to a Redis database.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of a Redis database client configuration.
properties:
auth:
description: Auth specifies the Redis credentials.
properties:
password:
description: Password specifies the Redis password.
properties:
secretRef:
description: SecretRef selects the secret containing the Redis password under the key 'redis.password'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
username:
default: default
description: Username specifies the Redis username to authenticate with.
minLength: 1
pattern: ^[^\s]+$
type: string
required:
- password
type: object
mode:
description: Mode configures the redis deployment mode.
properties:
cluster:
description: Cluster specifies the Redis Cluster to connect to.
properties:
nodes:
description: Nodes specifies the Cluster nodes.
items:
properties:
host:
description: Host specifies the IP or hostname.
minLength: 1
pattern: ^(\d{1,3}(\.\d{1,3}){3}|([0-9a-fA-F]{1,4}|:)+(:\d{1,3}(\.\d{1,3}){3})?|[a-z0-9\-]+(\.[a-z0-9\-]+)*)$
type: string
port:
default: 6379
description: Port specifies the port.
maximum: 65535
minimum: 1
type: integer
required:
- host
type: object
minItems: 1
type: array
required:
- nodes
type: object
sentinel:
description: Sentinel specifies the Redis Sentinels to connect to.
properties:
masterName:
description: MasterName specifies the master name.
minLength: 1
type: string
nodes:
description: Nodes specifies the Sentinel nodes.
items:
properties:
host:
description: Host specifies the IP or hostname.
minLength: 1
pattern: ^(\d{1,3}(\.\d{1,3}){3}|([0-9a-fA-F]{1,4}|:)+(:\d{1,3}(\.\d{1,3}){3})?|[a-z0-9\-]+(\.[a-z0-9\-]+)*)$
type: string
port:
default: 6379
description: Port specifies the port.
maximum: 65535
minimum: 1
type: integer
required:
- host
type: object
minItems: 1
type: array
required:
- masterName
- nodes
type: object
standalone:
description: Standalone specifies the standalone Redis instance to connect to.
properties:
host:
description: Host specifies the IP or hostname.
minLength: 1
pattern: ^(\d{1,3}(\.\d{1,3}){3}|([0-9a-fA-F]{1,4}|:)+(:\d{1,3}(\.\d{1,3}){3})?|[a-z0-9\-]+(\.[a-z0-9\-]+)*)$
type: string
port:
default: 6379
description: Port specifies the port.
maximum: 65535
minimum: 1
type: integer
required:
- host
type: object
type: object
timeouts:
description: Timeouts specifies the timeouts when interacting with the Redis endpoint.
properties:
connect:
default: 5s
description: Connect specifies the timeout for establishing a connection.
type: string
maxDuration:
default: 2s
description: MaxDuration specifies the response timeout.
type: string
type: object
tls:
description: TLS defines TLS settings. If not specified, TLS is disabled i.e. unencrypted TCP is used when connecting to the Redis instance.
properties:
certificateVerification:
description: CertificateVerification specifies how the certificate presented by the server is verified.
properties:
custom:
description: Custom explicitly specifies how the server certificate should be verified.
properties:
trustedCA:
description: TrustedCA defines which CA certificates are trusted.
properties:
certificates:
description: Certificates defines the list of secretRefs containing trusted CA certificates.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
required:
- certificates
type: object
required:
- trustedCA
type: object
disabled:
description: 'Disabled specifies to trust any certificate without verification. THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING. Note: This setting currently also disables TLS SNI.'
type: object
publicCAs:
description: PublicCAs specifies to only accept certificates with a SAN matching the host and which are signed by a CA which is either directly or indirectly trusted by any of the root CA certificates shipped with the Airlock Microgateway Session Agents base image.
type: object
type: object
clientCertificate:
description: ClientCertificate configures client certificate authentication. If not specified, TLS-based client authentication is disabled.
properties:
secretRef:
description: SecretRef specifies the client certificate to use (secret of type kubernetes.io/tls).
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
type: object
required:
- mode
type: object
required:
- spec
type: object
served: true
storage: true

89
charts/airlock/microgateway/4.4.0/crds/sessionhandlings.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,89 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.4
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.4.0
name: sessionhandlings.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: SessionHandling
listKind: SessionHandlingList
plural: sessionhandlings
singular: sessionhandling
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: SessionHandling contains the configuration for session handling.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired session handling behavior.
properties:
defaultTimeouts:
description: DefaultTimeouts specifies the session timeouts to apply when not provided by the authentication method.
properties:
lifetime:
default: 12h
description: Lifetime specifies the maximum duration a session can exist.
type: string
type: object
persistence:
description: Persistence configures where to store the session state.
properties:
redisProviderRef:
description: RedisProviderRef specifies to cache session information in the provided Redis instance.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- redisProviderRef
type: object
prefix:
description: |-
Prefix specifies the prefix under which the sessions should be stored in the persistence layer.
If not specified, an automatic prefix derived from the namespaced SessionHandling CR name is used, which ensures that sessions will always be isolated on Microgateways configured with different SessionHandling CRs, even if they share the same persistence backend.
To allow session sharing between different Microgateway deployments, ensure that the prefix and persistence backend is the same across all corresponding SessionHandling CRs.
Note: Session cookies are currently never shared across different fully qualified domain names (FQDNs) and authentication via different OIDC Relying Parties generates different session cookies. Clients will therefore only able to transparently reuse session cookies for connecting to different Microgateway deployments if those are a) exposed under the same FQDN and b) handle authentication via the same OIDC Relying Party.
maxLength: 64
minLength: 1
pattern: ^[a-zA-Z][a-zA-Z0-9_]*$
type: string
required:
- persistence
type: object
required:
- spec
type: object
served: true
storage: true

758
charts/airlock/microgateway/4.4.0/crds/sidecargateways.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,758 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.4
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.4.0
name: sidecargateways.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: SidecarGateway
listKind: SidecarGatewayList
plural: sidecargateways
singular: sidecargateway
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.status
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: SidecarGateway contains the configuration how to configure the Airlock Microgateway Engine when used as Sidecar Container within the Pod of an application.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired sidecar gateway behavior.
properties:
applications:
description: Applications defines applications which run on different ports.
items:
properties:
containerPort:
default: 8080
description: |-
ContainerPort refers to the container port.
This must be a valid port number, 0 < x < 65536.
format: int32
maximum: 65535
minimum: 1
type: integer
downstream:
description: Downstream defines the downstream configuration for this application
properties:
protocol:
description: |-
Protocol defines the exposed HTTP protocol version. At most one of http1, http2 and auto can be set.
Default: auto: {}
properties:
auto:
description: Auto specifies that the protocol should be inferred.
properties:
http2:
description: HTTP2 specifies the settings for when HTTP/2 is inferred.
properties:
allowConnect:
default: false
description: Allows proxying Websocket and other upgrades over H2 connect.
type: boolean
type: object
type: object
http1:
description: HTTP1 specifies that the client is assumed to speak HTTP/1.1.
type: object
http2:
description: HTTP2 specifies that the client is assumed to speak HTTP/2.
properties:
allowConnect:
default: false
description: Allows proxying Websocket and other upgrades over H2 connect.
type: boolean
type: object
type: object
remoteIP:
description: |-
RemoteIP defines how the remote IP of a client is propagated.
Default: xff: {...}
properties:
connectionIP:
description: ConnectionIP configures to use the source IP address of the direct downstream connection.
type: object
customHeader:
description: CustomHeader specifies to use a custom header for remote IP extraction.
properties:
headerName:
description: HeaderName specifies the name of the custom header containing the remote IP.
minLength: 1
type: string
required:
default: true
description: Required specifies if the custom header is required. If true and not available the request will be rejected with 403.
type: boolean
required:
- headerName
type: object
xff:
description: XFF configures to use the standard 'X-Forwarded-For' header for IP extraction.
properties:
numTrustedHops:
default: 1
description: NumTrustedHops specifies to extract the client's originating IP from the nth rightmost entry in the X-Forwarded-For header. With the default value of 1, the IP is extracted from the rightmost entry.
format: int32
minimum: 1
type: integer
type: object
type: object
requestNormalizations:
description: RequestNormalizations defines a set of normalization actions which are applied to the request before route matching.
properties:
mergeSlashes:
default: true
description: MergeSlashes ensures that adjacent slashes in the path are merged into one.
type: boolean
normalizePath:
default: true
description: NormalizePath ensures normalization according to RFC 3986 without case normalization.
type: boolean
type: object
restrictions:
description: Restrictions defines restrictions for downstream.
properties:
http:
description: HTTP defines limits for the HTTP protocol.
properties:
headersLength:
anyOf:
- type: integer
- type: string
default: 60Ki
description: HeadersLength defines maximum size of all request headers combined. Requests that exceed this limit will receive a 431 response.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
type: object
timeouts:
description: Timeouts defines timeouts for downstream
properties:
http:
description: HTTP defines the settings for HTTP timeouts.
properties:
idle:
default: 5m
description: |-
Idle defines the settings for the idle timeout when no data is sent or received.
A value of 0 will completely disable the timeout.
Default: 5m
type: string
maxDuration:
default: 5m
description: |-
MaxDuration defines the total duration for a HTTP request/response stream.
A value of 0 will completely disable the timeout.
Default: 5m
type: string
requestHeaders:
default: 10s
description: |-
RequestHeaders defines the duration before all request headers must be received.
A value of 0 will completely disable the timeout.
Default: 10s
type: string
type: object
type: object
tls:
description: TLS defines the TLS settings.
properties:
ciphers:
description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration.
items:
type: string
minItems: 1
type: array
clientCertificate:
description: |-
ClientCertificate defines the TLS settings for verification of client certificates.
At most one of ignored, optional and required can be set.
Default: ignored: {}
properties:
ignored:
description: Ignored disables verification of the client certificate.
type: object
optional:
description: |-
Optional enables verification of the client certificate if one is presented.
In this mode only trustedCA and crl settings can be configured since certificatePinning and allowedSANs require a client certificate.
properties:
crl:
description: CRL defines the Certificate Revocation List (CRL) settings.
properties:
lists:
description: Lists defines the list of secretRefs containing Certificate Revocation Lists.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
validationMode:
default: VerifyChain
description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked.
enum:
- VerifyLeafCertOnly
- VerifyChain
type: string
type: object
trustedCA:
description: TrustedCA defines which CA certificates are trusted.
properties:
certificates:
description: Certificates defines the list of secretRefs containing trusted CA certificates.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
verificationDepth:
default: 1
description: |-
VerificationDepth specifies the hops in the certificate chain at which validation is performed.
1 means that either the leaf or the signing CA must be in the set of trusted certificates.
format: int32
type: integer
required:
- certificates
type: object
required:
- trustedCA
type: object
required:
description: |-
Required contains settings for client certificate verification. A client must present a valid certificate.
At least one of trustedCA and certificatePinning must be set.
properties:
allowedSANs:
description: |-
AllowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics,
that is to say, the SAN is verified if at least one matcher is matched.
AllowedSANs requires trustedCA to be set.
items:
description: |-
TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
Subject Alternative Name of the presented certificate matches one of the specified matchers.
properties:
matcher:
description: Matcher defines the string matcher for the SAN value.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
sanType:
description: SanType defines the type of SAN matcher.
enum:
- DNS
- Email
- URI
- IPAddress
type: string
required:
- matcher
- sanType
type: object
minItems: 1
type: array
certificatePinning:
description: |-
CertificatePinning defines the constraints a client certificate must fulfill.
If more than one constraint is configured only one must be satisfied.
At least one of allowedSPKIs and allowedHashes must be set.
properties:
allowedHashes:
description: |-
AllowedHashes is a list of hex-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
items:
type: string
minItems: 1
type: array
allowedSPKIs:
description: |-
AllowedSPKIs is a list of base64-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.
items:
type: string
minItems: 1
type: array
type: object
crl:
description: CRL defines the Certificate Revocation List (CRL) settings.
properties:
lists:
description: Lists defines the list of secretRefs containing Certificate Revocation Lists.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
validationMode:
default: VerifyChain
description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked.
enum:
- VerifyLeafCertOnly
- VerifyChain
type: string
type: object
trustedCA:
description: TrustedCA defines which CA certificates are trusted.
properties:
certificates:
description: Certificates defines the list of secretRefs containing trusted CA certificates.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
verificationDepth:
default: 1
description: |-
VerificationDepth specifies the hops in the certificate chain at which validation is performed.
1 means that either the leaf or the signing CA must be in the set of trusted certificates.
format: int32
type: integer
required:
- certificates
type: object
type: object
type: object
enable:
default: false
description: Enable defines if the downstream connection is encrypted.
type: boolean
protocol:
description: Protocol defines the supported TLS protocol versions.
properties:
maximum:
description: Maximum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
minimum:
description: Minimum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
type: object
secretRef:
description: SecretRef defines the reference to the TLS server certificate (secret of type kubernetes.io/tls).
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
xfcc:
description: |-
XFCC defines the handling of X-Forwarded-Client-Cert header. Meaning of the possible values:
_Sanitize_: Do not send the XFCC header to the next hop. This is the default value.
_ForwardOnly_: When the client connection is mTLS (Mutual TLS), forward the XFCC header in the request.
_AppendAndForward_: When the client connection is mTLS, append the client certificate information to the requests XFCC header and forward it.
_SanitizeAndSet_: When the client connection is mTLS, reset the XFCC header with the client certificate information and send it to the next hop.
_AlwaysForwardOnly_: Always forward the XFCC header in the request, regardless of whether the client connection is mTLS.
Note: When forwarding the XFCC header in the request you might have to adjust the header length restrictions (See sidecargateway.spec.applications.downstream.restrictions.http)
enum:
- Sanitize
- ForwardOnly
- AppendAndForward
- SanitizeAndSet
- AlwaysForwardOnly
type: string
type: object
type: object
envoyHTTPFilterRefs:
description: EnvoyHTTPFilterRefs selects the relevant EnvoyHTTPFilters.
properties:
prepend:
description: Prepend selects the relevant EnvoyHTTPFilters which are added before those configured by the Airlock Microgateway.
items:
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: array
type: object
routes:
description: Routes defines the security configurations for different paths. The first matching route (from top to bottom) applies.
items:
description: |-
SidecarGatewayApplicationRoute defines the security configurations for different paths.
At most one of secured and unsecured can be set.
Default: secured: {...}
properties:
pathPrefix:
default: /
description: PathPrefix defines the path prefix used during route selection.
minLength: 1
type: string
secured:
description: Secured enables WAF processing for this route.
properties:
accessControlRef:
description: |-
AccessControlRef selects the relevant AccessControl configuration resource.
If undefined, Airlock Microgateway does not perform any access control.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
contentSecurityRef:
description: |-
ContentSecurityRef selects the relevant ContentSecurity configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: object
unsecured:
description: |-
Unsecured disables all WAF functionality and therefore protection for this route.
WARNING: Using this setting when the application is exposed to untrusted downstream traffic is highly discouraged.
type: object
type: object
type: array
x-kubernetes-list-map-keys:
- pathPrefix
x-kubernetes-list-type: map
telemetryRef:
description: |-
TelemetryRef selects the relevant Telemetry configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
upstream:
description: Upstream defines the upstream configuration for this application
properties:
protocol:
description: |-
Protocol defines HTTP protocol version used to communicate with the upstream. At most one of http1, http2 and auto can be set.
Default: auto: {}
properties:
auto:
description: Auto specifies to negotiate the protocol with TLS ALPN (if TLS is enabled) or, as a fallback, use the same protocol that is used by the downstream connection.
properties:
http2:
description: HTTP2 specifies the settings for when HTTP/2 is inferred.
properties:
allowConnect:
default: false
description: Allows proxying Websocket and other upgrades over H2 connect.
type: boolean
type: object
type: object
http1:
description: HTTP1 specifies to use HTTP/1.1.
type: object
http2:
description: HTTP2 specifies to use HTTP/2.
properties:
allowConnect:
default: false
description: Allows proxying Websocket and other upgrades over H2 connect.
type: boolean
type: object
type: object
timeouts:
description: Timeouts defines the timeout settings.
properties:
http:
description: HTTP defines the settings for HTTP timeouts.
properties:
idle:
description: |-
Timeout defines the settings for http timeouts. If this setting is not specified, the value of applications[].downstream.timeouts.http.idle is inherited.
A value of 0 will completely disable the timeout.
type: string
maxDuration:
default: 15s
description: |-
MaxDuration defines the total duration for a HTTP request/response stream.
Default: 15s
type: string
type: object
type: object
tls:
description: TLS defines the TLS settings.
properties:
ciphers:
description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration.
items:
type: string
minItems: 1
type: array
enable:
default: false
description: Enable defines if the upstream connection is encrypted.
type: boolean
protocol:
description: Protocol defines the supported TLS protocol versions.
properties:
maximum:
description: Maximum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
minimum:
description: Minimum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
type: object
type: object
type: object
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- containerPort
x-kubernetes-list-type: map
envoyClusterRefs:
description: EnvoyClusterRefs selects the relevant EnvoyClusters.
items:
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
podSelector:
description: PodSelector defines to which Pods the configuration will be applied to.
properties:
matchLabels:
additionalProperties:
type: string
description: MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels.
type: object
type: object
sessionHandlingRef:
description: SessionHandlingRef selects the SessionHandling configuration to apply.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- applications
type: object
status:
description: Most recently observed status of the SidecarGateway which is populated by the system. This data is read-only and may not be up to date.
properties:
conditions:
items:
properties:
lastTransitionTime:
description: Last time the condition transitioned from one status to another.
format: date-time
type: string
message:
description: A human-readable message indicating details about the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of SidecarGateway condition.
type: string
required:
- status
- type
type: object
type: array
pods:
items:
properties:
envoyConfig:
description: EnvoyConfig indicates the name of the EnvoyConfig CR for the Pod.
type: string
name:
description: Name indicates the name of a Pod selected by the SidecarGateway.
type: string
sessionAgentSecret:
type: string
required:
- name
type: object
type: array
status:
type: string
unmanagedPods:
items:
properties:
managedBy:
description: ManagedBy indicates the Airlock Microgateway Operator instance which manages this Pod.
type: string
name:
description: Name indicates the name of a Pod selected by the SidecarGateway.
type: string
sessionAgentSecret:
type: string
required:
- name
type: object
type: array
required:
- status
type: object
type: object
served: true
storage: true
subresources:
status: {}

96
charts/airlock/microgateway/4.4.0/crds/telemetries.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,96 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.4
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.4.0
name: telemetries.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: Telemetry
listKind: TelemetryList
plural: telemetries
singular: telemetry
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: Telemetry contains the configuration for telemetry (logging, metrics & tracing).
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired telemetry behavior.
properties:
correlation:
description: Correlation defines the correlation aspects of Telemetry.
properties:
idSource:
description: IDSource specifies how an external correlation ID should be obtained for a request. If not specified, no correlation ID will be logged.
properties:
header:
description: Header specifies to extract the correlation ID from a request header. If the header is absent from a request, no correlation ID will be logged.
properties:
name:
default: X-Correlation-Id
description: Name of the header (case-insensitive) from which to extract the correlation ID.
minLength: 1
type: string
type: object
required:
- header
type: object
request:
description: Request defines the request related correlation settings of Telemetry.
properties:
allowDownstreamRequestID:
default: true
description: AllowDownstreamRequestID defines whether trace sampling will consider a provided x-request-id.
type: boolean
alterRequestID:
default: true
description: AlterRequestID defines whether to alter the UUID to reflect the trace sampling decision. If disabled no modification to the UUID will be performed, this may break tracing in the upstream.
type: boolean
type: object
type: object
logging:
description: Logging defines the logging aspects of Telemetry.
properties:
accessLog:
description: AccessLog defines the access log settings of Telemetry.
properties:
format:
description: Format defines the Access Log format of the sidecar.
properties:
json:
description: JSON defines the Access Log format as JSON.
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: object
type: object
type: object
served: true
storage: true

441
charts/airlock/microgateway/4.4.0/dashboards/blockLogs.json Normal file
View File

@ -0,0 +1,441 @@
{
"__inputs": [
{
"name": "DS_LOKI",
"label": "Loki",
"description": "",
"type": "datasource",
"pluginId": "loki",
"pluginName": "Loki"
},
{
"name": "DS_PROMETHEUS",
"label": "Prometheus",
"description": "",
"type": "datasource",
"pluginId": "prometheus",
"pluginName": "Prometheus"
}
],
"__elements": {},
"__requires": [
{
"type": "grafana",
"id": "grafana",
"name": "Grafana",
"version": "10.2.0"
},
{
"type": "datasource",
"id": "loki",
"name": "Loki",
"version": "1.0.0"
},
{
"type": "datasource",
"id": "prometheus",
"name": "Prometheus",
"version": "1.0.0"
},
{
"type": "panel",
"id": "table",
"name": "Table",
"version": ""
}
],
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "grafana",
"uid": "-- Grafana --"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"type": "dashboard"
}
]
},
"description": "Log entries of threats blocked by Airlock Microgateway.\n\nThe dashboard can be filtered by namespace and block type. Column filters on the table allow for an even more granular filtering of the logs.",
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": null,
"links": [
{
"asDropdown": true,
"icon": "external link",
"includeVars": true,
"keepTime": true,
"tags": [
"airlock-microgateway"
],
"targetBlank": true,
"title": "Airlock Microgateway",
"tooltip": "",
"type": "dashboards",
"url": ""
}
],
"panels": [
{
"datasource": {
"type": "loki",
"uid": "${DS_LOKI}"
},
"fieldConfig": {
"defaults": {
"color": {
"fixedColor": "text",
"mode": "fixed"
},
"custom": {
"align": "auto",
"cellOptions": {
"type": "auto"
},
"filterable": true,
"inspect": true
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
}
},
"overrides": [
{
"matcher": {
"id": "byName",
"options": "Namespace"
},
"properties": [
{
"id": "custom.width",
"value": 221
},
{
"id": "custom.filterable"
}
]
},
{
"matcher": {
"id": "byName",
"options": "Timestamp"
},
"properties": [
{
"id": "custom.width",
"value": 214
},
{
"id": "unit",
"value": "time: YYYY-MM-DD HH:mm:ss.SSS"
},
{
"id": "custom.filterable"
}
]
},
{
"matcher": {
"id": "byName",
"options": "HTTP Method"
},
"properties": [
{
"id": "custom.width",
"value": 140
}
]
},
{
"matcher": {
"id": "byName",
"options": "Client IP"
},
"properties": [
{
"id": "custom.width",
"value": 138
}
]
},
{
"matcher": {
"id": "byName",
"options": "Request ID"
},
"properties": [
{
"id": "custom.width",
"value": 328
}
]
},
{
"matcher": {
"id": "byName",
"options": "Block Type"
},
"properties": [
{
"id": "custom.width",
"value": 116
},
{
"id": "custom.filterable",
"value": false
}
]
},
{
"matcher": {
"id": "byName",
"options": "Request Size"
},
"properties": [
{
"id": "custom.width",
"value": 126
},
{
"id": "unit",
"value": "bytes"
},
{
"id": "custom.align",
"value": "right"
}
]
},
{
"matcher": {
"id": "byName",
"options": "Block Subtype"
},
"properties": [
{
"id": "custom.width",
"value": 217
}
]
}
]
},
"gridPos": {
"h": 27,
"w": 24,
"x": 0,
"y": 0
},
"id": 2,
"options": {
"cellHeight": "sm",
"footer": {
"countRows": false,
"enablePagination": true,
"fields": "",
"reducer": [
"sum"
],
"show": false
},
"showHeader": true,
"sortBy": []
},
"pluginVersion": "10.2.0",
"targets": [
{
"datasource": {
"type": "loki",
"uid": "${DS_LOKI}"
},
"editorMode": "code",
"expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", domain=\"url.domain\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", details=\"airlock.actions.block.details\", block_type=\"airlock.actions.block.block_type\", block_subtype=\"airlock.actions.block.block_subtype\"\n| block_type=~\"${blockType:regex}\"",
"hide": false,
"queryType": "range",
"refId": "Blocks"
}
],
"title": "Blocked Request logs",
"transformations": [
{
"id": "extractFields",
"options": {
"format": "json",
"source": "labels"
}
},
{
"id": "filterFieldsByName",
"options": {
"byVariable": false,
"include": {
"names": [
"Time",
"block_subtype",
"block_type",
"client_ip",
"details",
"domain",
"http_method",
"namespace",
"request_id",
"request_size",
"url"
]
}
}
},
{
"id": "organize",
"options": {
"excludeByName": {
"Line": true,
"id": true,
"labelTypes": true,
"labels": true,
"tsNs": false
},
"includeByName": {},
"indexByName": {
"Time": 0,
"block_subtype": 7,
"block_type": 6,
"client_ip": 9,
"details": 8,
"domain": 2,
"http_method": 3,
"namespace": 1,
"request_id": 10,
"request_size": 5,
"url": 4
},
"renameByName": {
"Time": "Timestamp",
"block_subtype": "Block Subtype",
"block_type": "Block Type",
"client_ip": "Client IP",
"details": "Details",
"domain": "URL Domain",
"http_method": "HTTP Method",
"namespace": "Namespace",
"request_id": "Request ID",
"request_size": "Request Size",
"url": "URL Path"
}
}
}
],
"type": "table"
}
],
"schemaVersion": 39,
"tags": [
"airlock-microgateway"
],
"templating": {
"list": [
{
"current": {},
"hide": 2,
"includeAll": false,
"label": "DS_LOKI",
"multi": false,
"name": "DS_LOKI",
"options": [],
"query": "loki",
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"type": "datasource"
},
{
"allValue": ".*",
"current": {},
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"definition": "label_values(microgateway_license_http_rq_total,namespace)",
"hide": 0,
"includeAll": true,
"label": "Application Namespace",
"multi": true,
"name": "namespace",
"options": [],
"query": {
"qryType": 1,
"query": "label_values(microgateway_license_http_rq_total,namespace)",
"refId": "PrometheusVariableQueryEditor-VariableQuery"
},
"refresh": 2,
"regex": "",
"skipUrlSync": false,
"sort": 5,
"type": "query"
},
{
"allValue": ".*",
"current": {},
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"definition": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)",
"hide": 0,
"includeAll": true,
"label": "Block Type",
"multi": true,
"name": "blockType",
"options": [],
"query": {
"qryType": 1,
"query": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)",
"refId": "PrometheusVariableQueryEditor-VariableQuery"
},
"refresh": 2,
"regex": "",
"skipUrlSync": false,
"sort": 5,
"type": "query"
},
{
"current": {},
"hide": 2,
"includeAll": false,
"label": "DS_PROMETHEUS",
"multi": false,
"name": "DS_PROMETHEUS",
"options": [],
"query": "prometheus",
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"type": "datasource"
}
]
},
"time": {
"from": "now-15m",
"to": "now"
},
"timeRangeUpdatedDuringEditOrView": false,
"timepicker": {},
"timezone": "browser",
"title": "Airlock Microgateway Threats Block - Logs",
"uid": "adnyzcvwnyadcc",
"version": 3,
"weekStart": ""
}

751
charts/airlock/microgateway/4.4.0/dashboards/blockMetrics.json Normal file
View File

@ -0,0 +1,751 @@
{
"__inputs": [
{
"name": "DS_PROMETHEUS",
"label": "Prometheus",
"description": "",
"type": "datasource",
"pluginId": "prometheus",
"pluginName": "Prometheus"
}
],
"__elements": {},
"__requires": [
{
"type": "panel",
"id": "barchart",
"name": "Bar chart",
"version": ""
},
{
"type": "grafana",
"id": "grafana",
"name": "Grafana",
"version": "10.2.0"
},
{
"type": "datasource",
"id": "prometheus",
"name": "Prometheus",
"version": "1.0.0"
},
{
"type": "panel",
"id": "stat",
"name": "Stat",
"version": ""
},
{
"type": "panel",
"id": "timeseries",
"name": "Time series",
"version": ""
}
],
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "grafana",
"uid": "-- Grafana --"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"type": "dashboard"
}
]
},
"description": "Metrics on threats blocked by Airlock Microgateway.\n\nDashboard can be filtered by namespaces as well as block types.",
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": null,
"links": [
{
"asDropdown": true,
"icon": "external link",
"includeVars": true,
"keepTime": true,
"tags": [
"airlock-microgateway"
],
"targetBlank": true,
"title": "Airlock Microgateway",
"tooltip": "",
"type": "dashboards",
"url": ""
}
],
"panels": [
{
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 0
},
"id": 6,
"title": "Airlock Microgateway Threats Block - Metrics",
"type": "row"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "Total number of requests processed by Airlock Microgateway.",
"fieldConfig": {
"defaults": {
"color": {
"fixedColor": "text",
"mode": "fixed"
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
},
"unit": "short"
},
"overrides": []
},
"gridPos": {
"h": 4,
"w": 4,
"x": 0,
"y": 1
},
"id": 1,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"showPercentChange": false,
"textMode": "auto",
"wideLayout": true
},
"pluginVersion": "10.2.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"disableTextWrap": false,
"editorMode": "code",
"exemplar": false,
"expr": "round(sum(increase(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))",
"format": "time_series",
"fullMetaSearch": false,
"hide": false,
"includeNullMetadata": true,
"instant": true,
"legendFormat": "Processed Requests",
"range": false,
"refId": "A",
"useBackend": false
}
],
"title": "Requests",
"type": "stat"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "Ratio of blocked requests vs. processed requests by Airlock Microgateway.",
"fieldConfig": {
"defaults": {
"color": {
"fixedColor": "text",
"mode": "fixed"
},
"mappings": [
{
"options": {
"match": "nan",
"result": {
"index": 0,
"text": "n/a"
}
},
"type": "special"
}
],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
},
"unit": "percentunit"
},
"overrides": []
},
"gridPos": {
"h": 4,
"w": 4,
"x": 4,
"y": 1
},
"id": 2,
"options": {
"colorMode": "value",
"graphMode": "area",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {
"calcs": [
"last"
],
"fields": "",
"values": false
},
"showPercentChange": false,
"textMode": "auto",
"wideLayout": true
},
"pluginVersion": "10.2.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"disableTextWrap": false,
"editorMode": "code",
"exemplar": false,
"expr": "sum(increase(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])) / sum(increase(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range]))",
"fullMetaSearch": false,
"includeNullMetadata": true,
"instant": true,
"legendFormat": "Blocked Requests (%)",
"range": false,
"refId": "A",
"useBackend": false
}
],
"title": "% Blocked Requests",
"type": "stat"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "Requests per second processed by Airlock Microgateway along with the corresponding block rate.",
"fieldConfig": {
"defaults": {
"color": {
"fixedColor": "blue",
"mode": "fixed"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "left",
"barAlignment": 0,
"drawStyle": "line",
"fillOpacity": 0,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "auto",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "blue",
"value": null
}
]
}
},
"overrides": [
{
"matcher": {
"id": "byName",
"options": "% Blocks"
},
"properties": [
{
"id": "custom.axisPlacement",
"value": "right"
},
{
"id": "unit",
"value": "percentunit"
},
{
"id": "color",
"value": {
"fixedColor": "orange",
"mode": "fixed"
}
},
{
"id": "max",
"value": 1
}
]
},
{
"matcher": {
"id": "byName",
"options": "Requests per second"
},
"properties": [
{
"id": "unit",
"value": "short"
},
{
"id": "custom.fillOpacity",
"value": 25
}
]
}
]
},
"gridPos": {
"h": 10,
"w": 20,
"x": 0,
"y": 5
},
"id": 3,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"timezone": [
""
],
"tooltip": {
"maxHeight": 600,
"mode": "single",
"sort": "none"
}
},
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"editorMode": "code",
"exemplar": false,
"expr": "sum(rate(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m]))",
"instant": false,
"legendFormat": "Requests per second",
"range": true,
"refId": "Requests per Second"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"editorMode": "code",
"expr": "sum(rate(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) / sum(rate(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m]))",
"hide": false,
"instant": false,
"legendFormat": "% Blocks",
"range": true,
"refId": "Blocks"
}
],
"title": "Requests vs. % Blocks",
"type": "timeseries"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "Blocked threats by block type.",
"fieldConfig": {
"defaults": {
"color": {
"fixedColor": "super-light-orange",
"mode": "fixed"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisGridShow": true,
"axisLabel": "",
"axisPlacement": "auto",
"fillOpacity": 80,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"lineWidth": 0,
"scaleDistribution": {
"type": "linear"
},
"thresholdsStyle": {
"mode": "off"
}
},
"fieldMinMax": false,
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
},
"unit": "short"
},
"overrides": []
},
"gridPos": {
"h": 11,
"w": 10,
"x": 0,
"y": 15
},
"id": 4,
"options": {
"barRadius": 0,
"barWidth": 0.8,
"fullHighlight": false,
"groupWidth": 0.7,
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": false
},
"orientation": "horizontal",
"showValue": "never",
"stacking": "none",
"tooltip": {
"maxHeight": 600,
"mode": "single",
"sort": "asc"
},
"xField": "block_type",
"xTickLabelRotation": 0,
"xTickLabelSpacing": 0
},
"pluginVersion": "10.2.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"editorMode": "code",
"exemplar": false,
"expr": "round(sum by (block_type) (increase(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))",
"format": "time_series",
"instant": true,
"legendFormat": "__auto",
"range": false,
"refId": "A"
}
],
"title": "Block Type",
"transformations": [
{
"id": "reduce",
"options": {
"includeTimeField": false,
"labelsToFields": true,
"mode": "seriesToRows",
"reducers": [
"sum"
]
}
}
],
"type": "barchart"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "Blocked threats by block subtype, which are subsets of the various block types.",
"fieldConfig": {
"defaults": {
"color": {
"fixedColor": "light-orange",
"mode": "fixed"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"fillOpacity": 80,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"lineWidth": 1,
"scaleDistribution": {
"type": "linear"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
},
"unit": "short"
},
"overrides": []
},
"gridPos": {
"h": 11,
"w": 10,
"x": 10,
"y": 15
},
"id": 5,
"options": {
"barRadius": 0,
"barWidth": 0.8,
"fullHighlight": false,
"groupWidth": 0.7,
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": false
},
"orientation": "horizontal",
"showValue": "never",
"stacking": "none",
"tooltip": {
"maxHeight": 600,
"mode": "single",
"sort": "none"
},
"xField": "block_subtype",
"xTickLabelRotation": 0,
"xTickLabelSpacing": 0
},
"pluginVersion": "10.2.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"editorMode": "code",
"exemplar": false,
"expr": "round(sum by (block_subtype) (increase(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))",
"instant": true,
"legendFormat": "__auto",
"range": false,
"refId": "A"
}
],
"title": "Block Subtype",
"transformations": [
{
"id": "reduce",
"options": {
"labelsToFields": true,
"reducers": [
"sum"
]
}
}
],
"type": "barchart"
}
],
"refresh": "",
"schemaVersion": 39,
"tags": [
"airlock-microgateway"
],
"templating": {
"list": [
{
"current": {},
"hide": 2,
"includeAll": false,
"label": "Datasource Prometheus",
"multi": false,
"name": "DS_PROMETHEUS",
"options": [],
"query": "prometheus",
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"type": "datasource"
},
{
"current": {},
"hide": 2,
"includeAll": false,
"label": "DS_LOKI",
"multi": false,
"name": "DS_LOKI",
"options": [],
"query": "loki",
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"type": "datasource"
},
{
"allValue": ".*",
"current": {},
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"definition": "label_values(microgateway_license_valid,namespace)",
"hide": 0,
"includeAll": true,
"label": "Operator Namespace",
"multi": true,
"name": "operator_namespace",
"options": [],
"query": {
"qryType": 1,
"query": "label_values(microgateway_license_valid,namespace)",
"refId": "PrometheusVariableQueryEditor-VariableQuery"
},
"refresh": 2,
"regex": ".*",
"skipUrlSync": false,
"sort": 0,
"type": "query"
},
{
"allValue": ".*",
"current": {},
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"definition": "label_values(microgateway_license_http_rq_total,namespace)",
"hide": 0,
"includeAll": true,
"label": "Application Namespace",
"multi": true,
"name": "namespace",
"options": [],
"query": {
"qryType": 1,
"query": "label_values(microgateway_license_http_rq_total,namespace)",
"refId": "PrometheusVariableQueryEditor-VariableQuery"
},
"refresh": 2,
"regex": "",
"skipUrlSync": false,
"sort": 5,
"type": "query"
},
{
"allValue": ".*",
"current": {},
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"definition": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)",
"hide": 0,
"includeAll": true,
"label": "Block Type",
"multi": true,
"name": "blockType",
"options": [],
"query": {
"qryType": 1,
"query": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)",
"refId": "PrometheusVariableQueryEditor-VariableQuery"
},
"refresh": 2,
"regex": "",
"skipUrlSync": false,
"sort": 5,
"type": "query"
}
]
},
"time": {
"from": "now-24h",
"to": "now"
},
"timeRangeUpdatedDuringEditOrView": false,
"timepicker": {
"hidden": false
},
"timezone": "browser",
"title": "Airlock Microgateway Threats Block - Metrics",
"uid": "ddnqoczu7qvb4cdd3dd",
"version": 3,
"weekStart": ""
}

378
charts/airlock/microgateway/4.4.0/dashboards/headerLogs.json Normal file
View File

@ -0,0 +1,378 @@
{
"__inputs": [
{
"name": "DS_LOKI",
"label": "Loki",
"description": "",
"type": "datasource",
"pluginId": "loki",
"pluginName": "Loki"
}
],
"__elements": {},
"__requires": [
{
"type": "grafana",
"id": "grafana",
"name": "Grafana",
"version": "10.2.0"
},
{
"type": "datasource",
"id": "loki",
"name": "Loki",
"version": "1.0.0"
},
{
"type": "datasource",
"id": "prometheus",
"name": "Prometheus",
"version": "1.0.0"
},
{
"type": "panel",
"id": "table",
"name": "Table",
"version": ""
}
],
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "grafana",
"uid": "-- Grafana --"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"type": "dashboard"
}
]
},
"description": "Logs for header rewrites by Airlock Microgateway, retrieved from corresponding access logs.\n\nThe dashboard can be filtered by namespace. Column filters on the table allow for an even more granular filtering of the logs.",
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": null,
"links": [
{
"asDropdown": true,
"icon": "external link",
"includeVars": true,
"keepTime": true,
"tags": [
"airlock-microgateway"
],
"targetBlank": true,
"title": "Airlock Microgateway",
"tooltip": "",
"type": "dashboards",
"url": ""
}
],
"panels": [
{
"datasource": {
"default": false,
"type": "loki",
"uid": "${DS_LOKI}"
},
"fieldConfig": {
"defaults": {
"color": {
"fixedColor": "text",
"mode": "fixed"
},
"custom": {
"align": "auto",
"cellOptions": {
"type": "auto"
},
"filterable": true,
"inspect": true
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
}
},
"overrides": [
{
"matcher": {
"id": "byName",
"options": "Namespace"
},
"properties": [
{
"id": "custom.width",
"value": 221
},
{
"id": "custom.filterable"
}
]
},
{
"matcher": {
"id": "byName",
"options": "Timestamp"
},
"properties": [
{
"id": "custom.width",
"value": 214
},
{
"id": "unit",
"value": "time: YYYY-MM-DD HH:mm:ss.SSS"
},
{
"id": "custom.filterable"
}
]
},
{
"matcher": {
"id": "byName",
"options": "HTTP Method"
},
"properties": [
{
"id": "custom.width",
"value": 140
}
]
},
{
"matcher": {
"id": "byName",
"options": "Client IP"
},
"properties": [
{
"id": "custom.width",
"value": 138
}
]
},
{
"matcher": {
"id": "byName",
"options": "Request ID"
},
"properties": [
{
"id": "custom.width",
"value": 328
}
]
},
{
"matcher": {
"id": "byName",
"options": "Request Size"
},
"properties": [
{
"id": "custom.width",
"value": 126
},
{
"id": "unit",
"value": "bytes"
},
{
"id": "custom.align",
"value": "right"
}
]
}
]
},
"gridPos": {
"h": 27,
"w": 24,
"x": 0,
"y": 0
},
"id": 2,
"options": {
"cellHeight": "sm",
"footer": {
"countRows": false,
"enablePagination": true,
"fields": "",
"reducer": [
"sum"
],
"show": false
},
"showHeader": true,
"sortBy": []
},
"pluginVersion": "10.2.0",
"targets": [
{
"datasource": {
"type": "loki",
"uid": "${DS_LOKI}"
},
"editorMode": "code",
"expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"header_rewrites\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", domain=\"url.domain\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", header_request_details=\"airlock.actions.header_rewrites.request\", header_response_details=\"airlock.actions.header_rewrites.response\", log_type=\"event.dataset\" | log_type = `envoy.access`",
"hide": false,
"queryType": "range",
"refId": "Header Rewrites"
}
],
"title": "Header Rewrite Logs",
"transformations": [
{
"id": "extractFields",
"options": {
"format": "json",
"source": "labels"
}
},
{
"id": "filterFieldsByName",
"options": {
"byVariable": false,
"include": {
"names": [
"Time",
"client_ip",
"domain",
"header_request_details",
"header_response_details",
"http_method",
"namespace",
"request_id",
"request_size",
"url"
]
}
}
},
{
"id": "organize",
"options": {
"excludeByName": {
"Line": true,
"id": true,
"labelTypes": true,
"labels": true,
"tsNs": false
},
"includeByName": {},
"indexByName": {
"Time": 0,
"client_ip": 8,
"domain": 2,
"header_request_details": 6,
"header_response_details": 7,
"http_method": 3,
"namespace": 1,
"request_id": 9,
"request_size": 5,
"url": 4
},
"renameByName": {
"Time": "Timestamp",
"client_ip": "Client IP",
"details": "Details",
"domain": "URL Domain",
"header_request_details": "Request Header Actions",
"header_response_details": "Response Header Actions",
"http_method": "HTTP Method",
"namespace": "Namespace",
"request_id": "Request ID",
"request_size": "Request Size",
"url": "URL Path"
}
}
}
],
"type": "table"
}
],
"schemaVersion": 39,
"tags": [
"airlock-microgateway"
],
"templating": {
"list": [
{
"current": {},
"hide": 2,
"includeAll": false,
"label": "DS_LOKI",
"multi": false,
"name": "DS_LOKI",
"options": [],
"query": "loki",
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"type": "datasource"
},
{
"allValue": ".*",
"current": {},
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"definition": "label_values(microgateway_license_http_rq_total,namespace)",
"hide": 0,
"includeAll": true,
"label": "Application Namespace",
"multi": true,
"name": "namespace",
"options": [],
"query": {
"qryType": 1,
"query": "label_values(microgateway_license_http_rq_total,namespace)",
"refId": "PrometheusVariableQueryEditor-VariableQuery"
},
"refresh": 2,
"regex": "",
"skipUrlSync": false,
"sort": 5,
"type": "query"
},
{
"current": {},
"hide": 2,
"includeAll": false,
"label": "DS_PROMETHEUS",
"multi": false,
"name": "DS_PROMETHEUS",
"options": [],
"query": "prometheus",
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"type": "datasource"
}
]
},
"time": {
"from": "now-15m",
"to": "now"
},
"timepicker": {},
"timezone": "browser",
"title": "Airlock Microgateway Header Rewrites - Logs",
"uid": "adnydadenyadcc",
"version": 1,
"weekStart": ""
}

1063
charts/airlock/microgateway/4.4.0/dashboards/license.json Normal file
View File

File diff suppressed because it is too large Load Diff

382
charts/airlock/microgateway/4.4.0/dashboards/logOnlyLogs.json Normal file
View File

@ -0,0 +1,382 @@
{
"__inputs": [
{
"name": "DS_LOKI",
"label": "Loki",
"description": "",
"type": "datasource",
"pluginId": "loki",
"pluginName": "Loki"
},
{
"name": "DS_PROMETHEUS",
"label": "Prometheus",
"description": "",
"type": "datasource",
"pluginId": "prometheus",
"pluginName": "Prometheus"
}
],
"__elements": {},
"__requires": [
{
"type": "grafana",
"id": "grafana",
"name": "Grafana",
"version": "10.2.0"
},
{
"type": "datasource",
"id": "loki",
"name": "Loki",
"version": "1.0.0"
},
{
"type": "datasource",
"id": "prometheus",
"name": "Prometheus",
"version": "1.0.0"
},
{
"type": "panel",
"id": "table",
"name": "Table",
"version": ""
}
],
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "grafana",
"uid": "-- Grafana --"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"type": "dashboard"
}
]
},
"description": "Log entries of threats logged in log-only mode by Airlock Microgateway.\n\nThe dashboard can be filtered by namespace. Column filters on the table allow for an even more granular filtering of the logs.",
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": null,
"links": [
{
"asDropdown": true,
"icon": "external link",
"includeVars": true,
"keepTime": true,
"tags": [
"airlock-microgateway"
],
"targetBlank": true,
"title": "Airlock Microgateway",
"tooltip": "",
"type": "dashboards",
"url": ""
}
],
"panels": [
{
"datasource": {
"default": false,
"type": "loki",
"uid": "${DS_LOKI}"
},
"fieldConfig": {
"defaults": {
"color": {
"fixedColor": "text",
"mode": "fixed"
},
"custom": {
"align": "auto",
"cellOptions": {
"type": "auto"
},
"filterable": true,
"inspect": true
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
}
},
"overrides": [
{
"matcher": {
"id": "byName",
"options": "Namespace"
},
"properties": [
{
"id": "custom.width",
"value": 328
},
{
"id": "custom.filterable"
}
]
},
{
"matcher": {
"id": "byName",
"options": "Timestamp"
},
"properties": [
{
"id": "custom.width",
"value": 176
},
{
"id": "unit",
"value": "time: YYYY-MM-DD HH:mm:ss.SSS"
},
{
"id": "custom.filterable"
}
]
},
{
"matcher": {
"id": "byName",
"options": "HTTP Method"
},
"properties": [
{
"id": "custom.width",
"value": 132
}
]
},
{
"matcher": {
"id": "byName",
"options": "Client IP"
},
"properties": [
{
"id": "custom.width",
"value": 137
}
]
},
{
"matcher": {
"id": "byName",
"options": "Request ID"
},
"properties": [
{
"id": "custom.width",
"value": 328
}
]
},
{
"matcher": {
"id": "byName",
"options": "Request Size"
},
"properties": [
{
"id": "custom.width",
"value": 126
},
{
"id": "unit",
"value": "bytes"
},
{
"id": "custom.align",
"value": "right"
}
]
}
]
},
"gridPos": {
"h": 27,
"w": 24,
"x": 0,
"y": 0
},
"id": 2,
"options": {
"cellHeight": "sm",
"footer": {
"countRows": false,
"enablePagination": true,
"fields": "",
"reducer": [
"sum"
],
"show": false
},
"showHeader": true,
"sortBy": []
},
"pluginVersion": "10.2.0",
"targets": [
{
"datasource": {
"type": "loki",
"uid": "${DS_LOKI}"
},
"editorMode": "code",
"expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= `log_only` |= `envoy.access` | json http_method=\"http.request.method\", url=\"url.path\", domain=\"url.domain\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", details=\"airlock.actions.log_only\", log_type=\"event.dataset\" | label_format log_count=`{{ len (fromJson .details) }}` | log_type = `envoy.access` | log_count > 0",
"hide": false,
"queryType": "range",
"refId": "Log Only Logs"
}
],
"title": "Threats Logs Log-Only",
"transformations": [
{
"id": "extractFields",
"options": {
"format": "json",
"source": "labels"
}
},
{
"id": "filterFieldsByName",
"options": {
"byVariable": false,
"include": {
"names": [
"Time",
"client_ip",
"details",
"domain",
"http_method",
"namespace",
"request_id",
"request_size",
"url"
]
}
}
},
{
"id": "organize",
"options": {
"excludeByName": {
"Line": true,
"id": true,
"labelTypes": true,
"labels": true,
"tsNs": false
},
"includeByName": {},
"indexByName": {
"Time": 0,
"client_ip": 8,
"details": 7,
"domain": 2,
"http_method": 4,
"namespace": 1,
"request_id": 9,
"request_size": 6,
"url": 5
},
"renameByName": {
"Time": "Timestamp",
"client_ip": "Client IP",
"details": "Details",
"domain": "URL Domain",
"http_method": "HTTP Method",
"namespace": "Namespace",
"request_id": "Request ID",
"request_size": "Request Size",
"url": "URL Path"
}
}
}
],
"type": "table"
}
],
"schemaVersion": 39,
"tags": [
"airlock-microgateway"
],
"templating": {
"list": [
{
"current": {},
"hide": 2,
"includeAll": false,
"label": "DS_LOKI",
"multi": false,
"name": "DS_LOKI",
"options": [],
"query": "loki",
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"type": "datasource"
},
{
"allValue": ".*",
"current": {},
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"definition": "label_values(microgateway_license_http_rq_total,namespace)",
"hide": 0,
"includeAll": true,
"label": "Application Namespace",
"multi": true,
"name": "namespace",
"options": [],
"query": {
"qryType": 1,
"query": "label_values(microgateway_license_http_rq_total,namespace)",
"refId": "PrometheusVariableQueryEditor-VariableQuery"
},
"refresh": 2,
"regex": "",
"skipUrlSync": false,
"sort": 5,
"type": "query"
},
{
"current": {},
"hide": 2,
"includeAll": false,
"label": "DS_PROMETHEUS",
"multi": false,
"name": "DS_PROMETHEUS",
"options": [],
"query": "prometheus",
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"type": "datasource"
}
]
},
"time": {
"from": "now-15m",
"to": "now"
},
"timepicker": {},
"timezone": "browser",
"title": "Airlock Microgateway Threats LogOnly - Logs",
"uid": "adnasdfdwnyadcc",
"version": 7,
"weekStart": ""
}

621
charts/airlock/microgateway/4.4.0/dashboards/logOnlyMetrics.json Normal file
View File

@ -0,0 +1,621 @@
{
"__inputs": [
{
"name": "DS_PROMETHEUS",
"label": "Prometheus",
"description": "",
"type": "datasource",
"pluginId": "prometheus",
"pluginName": "Prometheus"
}
],
"__elements": {},
"__requires": [
{
"type": "panel",
"id": "barchart",
"name": "Bar chart",
"version": ""
},
{
"type": "grafana",
"id": "grafana",
"name": "Grafana",
"version": "10.2.0"
},
{
"type": "datasource",
"id": "prometheus",
"name": "Prometheus",
"version": "1.0.0"
},
{
"type": "panel",
"id": "stat",
"name": "Stat",
"version": ""
},
{
"type": "panel",
"id": "timeseries",
"name": "Time series",
"version": ""
}
],
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "grafana",
"uid": "-- Grafana --"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"type": "dashboard"
}
]
},
"description": "Metrics on threats logged by Airlock Microgateway in threat handling mode LogOnly.\n\nDashboard can be filtered by namespaces as well as block types.",
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": null,
"links": [
{
"asDropdown": true,
"icon": "external link",
"includeVars": true,
"keepTime": true,
"tags": [
"airlock-microgateway"
],
"targetBlank": true,
"title": "Airlock Microgateway",
"tooltip": "",
"type": "dashboards",
"url": ""
}
],
"panels": [
{
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 0
},
"id": 6,
"title": "Airlock Microgateway Threats LogOnly - Metrics",
"type": "row"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "Number of threats logged by Airlock Microgateway in threat handling mode LogOnly.",
"fieldConfig": {
"defaults": {
"color": {
"fixedColor": "text",
"mode": "fixed"
},
"mappings": [
{
"options": {
"match": "nan",
"result": {
"index": 0,
"text": "n/a"
}
},
"type": "special"
}
],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
},
"unit": "short"
},
"overrides": []
},
"gridPos": {
"h": 4,
"w": 4,
"x": 0,
"y": 1
},
"id": 2,
"options": {
"colorMode": "value",
"graphMode": "area",
"justifyMode": "auto",
"orientation": "auto",
"percentChangeColorMode": "standard",
"reduceOptions": {
"calcs": [
"last"
],
"fields": "",
"values": false
},
"showPercentChange": false,
"textMode": "auto",
"wideLayout": true
},
"pluginVersion": "10.2.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"disableTextWrap": false,
"editorMode": "code",
"exemplar": false,
"expr": "round(sum(increase(microgateway_http_downstream_rq_threats_logged_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))",
"fullMetaSearch": false,
"includeNullMetadata": true,
"instant": true,
"legendFormat": "Logged threats in LogOnly mode",
"range": false,
"refId": "A",
"useBackend": false
}
],
"title": "Threats - LogOnly",
"type": "stat"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "Number of threats per second handled in LogOnly mode.",
"fieldConfig": {
"defaults": {
"color": {
"fixedColor": "orange",
"mode": "fixed"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "left",
"barAlignment": 0,
"drawStyle": "line",
"fillOpacity": 25,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "auto",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "blue",
"value": null
}
]
},
"unit": "short"
},
"overrides": []
},
"gridPos": {
"h": 10,
"w": 20,
"x": 0,
"y": 5
},
"id": 3,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"timezone": [
""
],
"tooltip": {
"maxHeight": 600,
"mode": "single",
"sort": "none"
}
},
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"editorMode": "code",
"exemplar": false,
"expr": "sum(rate(microgateway_http_downstream_rq_threats_logged_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m]))",
"instant": false,
"legendFormat": "Number of threats per second",
"range": true,
"refId": "LogOnly Events"
}
],
"title": "Threats - LogOnly",
"type": "timeseries"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "Number of threats in LogOnly mode by block type.",
"fieldConfig": {
"defaults": {
"color": {
"fixedColor": "super-light-orange",
"mode": "fixed"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisGridShow": true,
"axisLabel": "",
"axisPlacement": "auto",
"fillOpacity": 80,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"lineWidth": 0,
"scaleDistribution": {
"type": "linear"
},
"thresholdsStyle": {
"mode": "off"
}
},
"fieldMinMax": false,
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
},
"unit": "short"
},
"overrides": []
},
"gridPos": {
"h": 11,
"w": 10,
"x": 0,
"y": 15
},
"id": 4,
"options": {
"barRadius": 0,
"barWidth": 0.8,
"fullHighlight": false,
"groupWidth": 0.7,
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": false
},
"orientation": "horizontal",
"showValue": "never",
"stacking": "none",
"tooltip": {
"maxHeight": 600,
"mode": "single",
"sort": "asc"
},
"xField": "block_type",
"xTickLabelRotation": 0,
"xTickLabelSpacing": 0
},
"pluginVersion": "10.2.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"editorMode": "code",
"exemplar": false,
"expr": "round(sum by (block_type) (increase(microgateway_http_downstream_rq_threats_logged_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))",
"format": "time_series",
"instant": true,
"legendFormat": "__auto",
"range": false,
"refId": "A"
}
],
"title": "Block Type",
"transformations": [
{
"id": "reduce",
"options": {
"includeTimeField": false,
"labelsToFields": true,
"mode": "seriesToRows",
"reducers": [
"sum"
]
}
}
],
"type": "barchart"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "Number of threats in LogOnly mode by block subtype, which are subsets of the various block types.",
"fieldConfig": {
"defaults": {
"color": {
"fixedColor": "light-orange",
"mode": "fixed"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"fillOpacity": 80,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"lineWidth": 1,
"scaleDistribution": {
"type": "linear"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
},
"unit": "short"
},
"overrides": []
},
"gridPos": {
"h": 11,
"w": 10,
"x": 10,
"y": 15
},
"id": 5,
"options": {
"barRadius": 0,
"barWidth": 0.8,
"fullHighlight": false,
"groupWidth": 0.7,
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": false
},
"orientation": "horizontal",
"showValue": "never",
"stacking": "none",
"tooltip": {
"maxHeight": 600,
"mode": "single",
"sort": "none"
},
"xField": "block_subtype",
"xTickLabelRotation": 0,
"xTickLabelSpacing": 0
},
"pluginVersion": "10.2.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"editorMode": "code",
"exemplar": false,
"expr": "round(sum by (block_subtype) (increase(microgateway_http_downstream_rq_threats_logged_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))",
"instant": true,
"legendFormat": "__auto",
"range": false,
"refId": "A"
}
],
"title": "Block Subtype",
"transformations": [
{
"id": "reduce",
"options": {
"labelsToFields": true,
"reducers": [
"sum"
]
}
}
],
"type": "barchart"
}
],
"refresh": "",
"schemaVersion": 39,
"tags": [
"airlock-microgateway"
],
"templating": {
"list": [
{
"current": {},
"hide": 2,
"includeAll": false,
"label": "Datasource Prometheus",
"multi": false,
"name": "DS_PROMETHEUS",
"options": [],
"query": "prometheus",
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"type": "datasource"
},
{
"current": {},
"hide": 2,
"includeAll": false,
"label": "DS_LOKI",
"multi": false,
"name": "DS_LOKI",
"options": [],
"query": "loki",
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"type": "datasource"
},
{
"allValue": ".*",
"current": {},
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"definition": "label_values(microgateway_license_valid,namespace)",
"hide": 0,
"includeAll": true,
"label": "Operator Namespace",
"multi": true,
"name": "operator_namespace",
"options": [],
"query": {
"qryType": 1,
"query": "label_values(microgateway_license_valid,namespace)",
"refId": "PrometheusVariableQueryEditor-VariableQuery"
},
"refresh": 2,
"regex": ".*",
"skipUrlSync": false,
"sort": 0,
"type": "query"
},
{
"allValue": ".*",
"current": {},
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"definition": "label_values(microgateway_license_http_rq_total,namespace)",
"hide": 0,
"includeAll": true,
"label": "Application Namespace",
"multi": true,
"name": "namespace",
"options": [],
"query": {
"qryType": 1,
"query": "label_values(microgateway_license_http_rq_total,namespace)",
"refId": "PrometheusVariableQueryEditor-VariableQuery"
},
"refresh": 2,
"regex": "",
"skipUrlSync": false,
"sort": 5,
"type": "query"
},
{
"allValue": ".*",
"current": {},
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"definition": "label_values(microgateway_http_downstream_rq_threats_logged_total,block_type)",
"hide": 0,
"includeAll": true,
"label": "Block Type",
"multi": true,
"name": "blockType",
"options": [],
"query": {
"qryType": 1,
"query": "label_values(microgateway_http_downstream_rq_threats_logged_total,block_type)",
"refId": "PrometheusVariableQueryEditor-VariableQuery"
},
"refresh": 2,
"regex": "",
"skipUrlSync": false,
"sort": 5,
"type": "query"
}
]
},
"time": {
"from": "now-24h",
"to": "now"
},
"timepicker": {
"hidden": false
},
"timezone": "browser",
"title": "Airlock Microgateway Threats LogOnly - Metrics",
"uid": "ddnqoczu7qv2mfmsd3dd",
"version": 1,
"weekStart": ""
}

1134
charts/airlock/microgateway/4.4.0/dashboards/overview.json Normal file
View File

File diff suppressed because it is too large Load Diff

61
charts/airlock/microgateway/4.4.0/templates/NOTES.txt Normal file
View File

@ -0,0 +1,61 @@
Thank you for installing Airlock Microgateway.
{{- if .Values.operator.gatewayAPI.enabled }}
K8s Gateway API support enabled.
Note that the K8s Gateway API support is an incubating Airlock Microgateway feature. We encourage you to try the installation and configuration for testing and evaluation. Your feedback is welcome.
{{- if or .Values.operator.watchNamespaces .Values.operator.watchNamespaceSelector -}}
{{- fail `
K8s Gateway API is only supported using the 'AllNamespaces' installation mode type, ensure that 'operator.watchNamespaces' and 'operator.watchNamespaceSelector' are not configured.
`
-}}
{{- end -}}
{{- end }}
Please ensure the following prerequisites are fulfilled:
* cert-manager is installed.
https://cert-manager.io/docs/installation/helm/
* A valid Airlock Microgateway license is deployed in the Kubernetes secret '{{ .Release.Namespace }}/{{ .Values.license.secretName }}'
* Get a free Community license: https://airlock.com/en/microgateway-community
* Order a Premium license: https://airlock.com/en/microgateway-premium
* Airlock Microgateway CNI is installed on the cluster, when running data plane mode sidecar
https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni.
For more information about data plane modes, see https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" . }}/#data/1660804709650.html
Further information:
* Documentation: https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" . }}
* CRD API reference documentation: https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" . }}/api/crds
* Airlock Microgateway Labs: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=helm
{{- if .Values.crds.skipVersionCheck }}
Warning: CRD version check skipped
{{- else -}}
{{- $outdatedCRDs := (include "airlock-microgateway.outdatedCRDs" .) -}}
{{- if $outdatedCRDs -}}
{{- fail (printf `
Helm does not automatically upgrade CRDs from the chart's 'crds/' directory during 'helm install/upgrade'.
Therefore, the CRDs must be manually upgraded with the following command before deploying this chart:
kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=%s --server-side --force-conflicts
If you are not using the helm install/upgrade command and instead rely on some other mechanism which is able to upgrade CRDs for deploying this chart, you can suppress this error by setting the helm value 'crds.skipVersionCheck=true'.`
.Chart.AppVersion)
-}}
{{- end -}}
{{- end -}}
{{- if .Values.tests.enabled -}}
{{- if .Values.operator.watchNamespaces -}}
{{- if not (has .Release.Namespace .Values.operator.watchNamespaces) -}}
{{- fail (printf `
To execute 'helm test', it is necessary that the release namespace '%s' is part of the operator's watch scope. Either disable the tests or ensure that the release namespace is added to watch namspace list ('operator.watchNamespaces') in the helm values.
`
.Release.Namespace)
-}}
{{- end -}}
{{- end -}}
{{- end }}
Your release version is {{ .Chart.Version }}.

153
charts/airlock/microgateway/4.4.0/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,153 @@
{{/*
Expand the name of the chart.
We truncate at 49 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec)
and the longest explicit suffix is 14 characters.
*/}}
{{- define "airlock-microgateway.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 49 | trimSuffix "-" }}
{{- end }}
{{/*
Convert an image configuration object into an image ref string.
*/}}
{{- define "airlock-microgateway.image" -}}
{{- if .digest -}}
{{- printf "%s@%s" .repository .digest -}}
{{- else if .tag -}}
{{- printf "%s:%s" .repository .tag -}}
{{- else -}}
{{- printf "%s" .repository -}}
{{- end -}}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 36 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec)
and the longest implicit suffix is 27 characters.
If release name contains chart name it will be used as a full name.
*/}}
{{- define "airlock-microgateway.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 36 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 36 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 36 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "airlock-microgateway.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "airlock-microgateway.sharedLabels" -}}
helm.sh/chart: {{ include "airlock-microgateway.chart" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/part-of: {{ .Chart.Name }}
{{- with .Values.commonLabels }}
{{ toYaml .}}
{{- end }}
{{- end }}
{{/*
Common Selector labels
*/}}
{{- define "airlock-microgateway.sharedSelectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Restricted Container Security Context
*/}}
{{- define "airlock-microgateway.restrictedSecurityContext" -}}
allowPrivilegeEscalation: false
privileged: false
runAsNonRoot: true
capabilities:
drop: ["ALL"]
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
{{- end }}
{{/* Precondition: May only be used if AppVersion is isSemver */}}
{{- define "airlock-microgateway.supportedCRDVersionPattern" -}}
{{- $version := (semver .Chart.AppVersion) -}}
{{- if $version.Prerelease -}}
>= {{ $version.Major }}.{{ $version.Minor }}.{{ $version.Patch }}-{{ $version.Prerelease }}
{{- else -}}
>= {{ $version.Major }}.{{ $version.Minor }}.0 || >= {{ $version.Major }}.{{ $version.Minor }}.{{ add1 $version.Patch }}-0
{{- end -}}
{{- end -}}
{{- define "airlock-microgateway.outdatedCRDs" -}}
{{- if (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) -}}
{{- $supportedVersion := (include "airlock-microgateway.supportedCRDVersionPattern" .) -}}
{{- range $path, $_ := .Files.Glob "crds/*.yaml" -}}
{{- $api := ($.Files.Get $path | fromYaml).metadata.name -}}
{{- $crd := (lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" $api) -}}
{{- $isOutdated := false -}}
{{- if $crd -}}
{{/* If CRD is already present in the cluster, it must have the minimum supported version */}}
{{- $isOutdated = true -}}
{{- if hasKey $crd.metadata "labels" -}}
{{- $crdVersion := get $crd.metadata.labels "app.kubernetes.io/version" -}}
{{- if (eq "true" (include "airlock-microgateway.isSemver" $crdVersion)) -}}
{{- if (semverCompare $supportedVersion $crdVersion) }}
{{- $isOutdated = false -}}
{{- end }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if $isOutdated }}
{{ base $path }}
{{- end }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "airlock-microgateway.isSemver" -}}
{{- regexMatch `^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$` . -}}
{{- end -}}
{{- define "airlock-microgateway.docsVersion" -}}
{{- if and (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}}
{{- $version := (semver .Chart.AppVersion) -}}
{{- $version.Major }}.{{ $version.Minor -}}
{{- else -}}
{{- print "latest" -}}
{{- end -}}
{{- end -}}
{{- define "airlock-microgateway.watchNamespaceSelector.labelQuery" -}}
{{- $list := list -}}
{{- with .matchLabels -}}
{{- range $key, $value := . -}}
{{- $list = append $list (printf "%s=%s" $key $value) -}}
{{- end -}}
{{- end -}}
{{- with .matchExpressions -}}
{{- range . -}}
{{- if has .operator (list "In" "NotIn") -}}
{{- $list = append $list (printf "%s %s (%s)" .key (lower .operator) (join "," .values)) -}}
{{- else if eq .operator "Exists" -}}
{{- $list = append $list .key -}}
{{- else if eq .operator "DoesNotExist" -}}
{{- $list = append $list (printf "!%s" .key) -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- join "," $list -}}
{{- end -}}

42
charts/airlock/microgateway/4.4.0/templates/operator/_operator_helpers.tpl Normal file
View File

@ -0,0 +1,42 @@
{{/*
Create a default fully qualified name for operator components.
*/}}
{{- define "airlock-microgateway.operator.fullname" -}}
{{ include "airlock-microgateway.fullname" . }}-operator
{{- end }}
{{/*
Common operator labels
*/}}
{{- define "airlock-microgateway.operator.labels" -}}
{{ include "airlock-microgateway.sharedLabels" . }}
{{ include "airlock-microgateway.operator.selectorLabels" . }}
{{- end }}
{{/*
Operator Selector labels
*/}}
{{- define "airlock-microgateway.operator.selectorLabels" -}}
{{ include "airlock-microgateway.sharedSelectorLabels" . }}
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-operator
app.kubernetes.io/component: controller
{{- end }}
{{/*
Create the name of the service account to use for the operator
*/}}
{{- define "airlock-microgateway.operator.serviceAccountName" -}}
{{- if .Values.operator.serviceAccount.create }}
{{- default (include "airlock-microgateway.operator.fullname" .) .Values.operator.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.operator.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
ServiceMonitor metrics regex pattern for leader only metrics
*/}}
{{- define "airlock-microgateway.operator.metricsLeaderOnlyRegexPattern" -}}
^(microgateway_license|microgateway_sidecars).*$
{{- end }}

206
charts/airlock/microgateway/4.4.0/templates/operator/_rbac.gen.tpl Normal file
View File

@ -0,0 +1,206 @@
{{/* AUTOGENERATED FILE DO NOT EDIT */}}
{{/*
Operator rbac permission rules
*/}}
{{- define "airlock-microgateway-operator.rbacRules" -}}
- apiGroups:
- ""
resources:
- configmaps
- namespaces
- replicasets
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- pods
verbs:
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- pods/finalizers
verbs:
- update
- apiGroups:
- ""
resources:
- pods/status
verbs:
- patch
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- create
- get
- list
- patch
- update
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- apiGroups:
- apps
resources:
- deployments
verbs:
- create
- get
- list
- patch
- update
- watch
- apiGroups:
- apps
resources:
- replicasets
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- apps
resources:
- replicasets/finalizers
verbs:
- patch
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
- gatewayclasses
verbs:
- get
- list
- patch
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- gatewayclasses/finalizers
- gatewayclasses/status
- gateways/finalizers
- gateways/status
- httproutes/status
verbs:
- patch
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
- gateways
- httproutes
- referencegrants
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- accesscontrols
- contentsecurities
- contentsecuritypolicies
- denyrules
- envoyclusters
- envoyhttpfilters
- graphqls
- headerrewrites
- identitypropagations
- jwks
- limits
- oidcproviders
- oidcrelyingparties
- openapis
- parsers
- redisproviders
- sessionhandlings
- telemetries
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- contentsecuritypolicies/status
verbs:
- patch
- update
- apiGroups:
- microgateway.airlock.com
resources:
- envoyconfigurations
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- envoyconfigurations/status
- sidecargateways/status
verbs:
- get
- patch
- update
- apiGroups:
- microgateway.airlock.com
resources:
- sidecargateways
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- sidecargateways/finalizers
verbs:
- update
{{- end }}

399
charts/airlock/microgateway/4.4.0/templates/operator/_webhooks.gen.tpl Normal file
View File

@ -0,0 +1,399 @@
{{/* AUTOGENERATED FILE DO NOT EDIT */}}
{{/*
Operator mutating webhooks
*/}}
{{- define "airlock-microgateway-operator.mutatingWebhooks" -}}
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /mutate-v1-pod
failurePolicy: Fail
name: mutate-pod.microgateway.airlock.com
reinvocationPolicy: IfNeeded
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
resources:
- pods
sideEffects: None
objectSelector:
matchLabels:
sidecar.microgateway.airlock.com/inject: "true"
{{- end }}
{{/*
Operator validating webhooks
*/}}
{{- define "airlock-microgateway-operator.validatingWebhooks" -}}
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-v1-pod
failurePolicy: Fail
name: validate-pod.microgateway.airlock.com
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- pods
sideEffects: None
objectSelector:
matchLabels:
sidecar.microgateway.airlock.com/inject: "true"
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-accesscontrol
failurePolicy: Fail
name: validate-accesscontrol.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- accesscontrols
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-contentsecuritypolicy
failurePolicy: Fail
name: validate-contentsecuritypolicy.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- contentsecuritypolicies
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-denyrules
failurePolicy: Fail
name: validate-denyrules.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- denyrules
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-envoycluster
failurePolicy: Fail
name: validate-envoycluster.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- envoyclusters
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-envoyhttpfilter
failurePolicy: Fail
name: validate-envoyhttpfilter.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- envoyhttpfilters
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-graphql
failurePolicy: Fail
name: validate-graphql.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- graphqls
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-headerrewrites
failurePolicy: Fail
name: validate-headerrewrites.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- headerrewrites
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-identitypropagation
failurePolicy: Fail
name: validate-identitypropagation.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- identitypropagations
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-jwks
failurePolicy: Fail
name: validate-jwks.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- jwks
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-limits
failurePolicy: Fail
name: validate-limits.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- limits
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-oidcprovider
failurePolicy: Fail
name: validate-oidcprovider.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- oidcproviders
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-oidcrelyingparty
failurePolicy: Fail
name: validate-oidcrelyingparty.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- oidcrelyingparties
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-openapi
failurePolicy: Fail
name: validate-openapi.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- openapis
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-parser
failurePolicy: Fail
name: validate-parser.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- parsers
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-redisprovider
failurePolicy: Fail
name: validate-redisprovider.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- redisproviders
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-sessionhandling
failurePolicy: Fail
name: validate-sessionhandling.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- sessionhandlings
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-sidecargateway
failurePolicy: Fail
name: validate-sidecargateway.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- sidecargateways
sideEffects: None
{{- end }}

405
charts/airlock/microgateway/4.4.0/templates/operator/configmap.yaml Normal file
View File

@ -0,0 +1,405 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-config
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
data:
engine_bootstrap_config_template.yaml: |
# Base configuration, admin interface on port 19000
admin:
address:
socket_address:
address: 127.0.0.1
port_value: 19000
dynamic_resources:
cds_config:
initial_fetch_timeout: 10s
resource_api_version: V3
api_config_source:
api_type: GRPC
transport_api_version: V3
grpc_services:
- envoy_grpc:
cluster_name: xds_cluster
set_node_on_first_message_only: true
# Prevent Envoy Node from overloading the xDS server due to rejected configuration when using xDS SotW gRPC
rate_limit_settings:
max_tokens: 5
fill_rate: 0.2
lds_config:
resource_api_version: V3
initial_fetch_timeout: 10s
api_config_source:
api_type: GRPC
transport_api_version: V3
grpc_services:
- envoy_grpc:
cluster_name: xds_cluster
set_node_on_first_message_only: true
# Prevent Envoy Node from overloading the xDS server due to rejected configuration when using xDS SotW gRPC
rate_limit_settings:
max_tokens: 5
fill_rate: 0.2
static_resources:
listeners:
- name: probe
address:
socket_address:
address: 0.0.0.0
port_value: 19001
filter_chains:
- filters:
- name: http_connection_manager
typed_config:
'@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: probe
codec_type: AUTO
http2_protocol_options:
initial_connection_window_size: 1048576
initial_stream_window_size: 65536
max_concurrent_streams: 100
route_config:
name: probe
virtual_hosts:
- name: probe
domains:
- '*'
routes:
- name: ready
match:
path: /ready
headers:
- name: ':method'
string_match:
exact: 'GET'
route:
cluster: airlock_microgateway_engine_admin
http_filters:
- name: envoy.filters.http.router
typed_config:
'@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
- name: metrics
address:
socket_address:
address: 0.0.0.0
port_value: 19002
filter_chains:
- filters:
- name: http_connection_manager
typed_config:
'@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: metrics
codec_type: AUTO
http2_protocol_options:
initial_connection_window_size: 1048576
initial_stream_window_size: 65536
max_concurrent_streams: 100
route_config:
name: metrics
virtual_hosts:
- name: metrics
domains:
- '*'
routes:
- name: metrics
match:
path: /metrics
headers:
- name: ':method'
string_match:
exact: 'GET'
route:
prefix_rewrite: '/stats/prometheus'
cluster: airlock_microgateway_engine_admin
http_filters:
- name: envoy.filters.http.router
typed_config:
'@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
clusters:
- name: xds_cluster
connect_timeout: 1s
type: STRICT_DNS
load_assignment:
cluster_name: xds_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: airlock-microgateway-operator-xds.$(OPERATOR_NAMESPACE).svc.cluster.local
port_value: 13377
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
'@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
connection_keepalive:
interval: 360s
timeout: 5s
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
'@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
common_tls_context:
tls_params:
tls_minimum_protocol_version: TLSv1_3
tls_maximum_protocol_version: TLSv1_3
validation_context_sds_secret_config:
name: validation_context_sds
sds_config:
resource_api_version: V3
path_config_source:
path: /etc/envoy/validation_context_sds_secret.yaml
watched_directory:
path: /etc/envoy/
tls_certificate_sds_secret_configs:
- name: tls_certificate_sds
sds_config:
resource_api_version: V3
path_config_source:
path: /etc/envoy/tls_certificate_sds_secret.yaml
watched_directory:
path: /etc/envoy/
- name: airlock_microgateway_engine_admin
connect_timeout: 1s
type: STATIC
load_assignment:
cluster_name: airlock_microgateway_engine_admin
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: 127.0.0.1
port_value: 19000
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
'@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
connection_keepalive:
interval: 360s
timeout: 5s
stats_config:
stats_tags:
- tag_name: "block_type"
regex: "\\.(block_type\\.([^.]+))"
- tag_name: "block_subtype"
regex: "\\.(block_subtype\\.([^.]+))"
- tag_name: "envoy_cluster_name"
regex: "\\.(cluster\\.([^.]+))"
- tag_name: "version"
regex: "\\.(version\\.([^.]+))"
use_all_default_tags: true
overload_manager:
resource_monitors:
- name: "envoy.resource_monitors.global_downstream_max_connections"
typed_config:
"@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
max_active_downstream_connections: 50000
bootstrap_extensions:
- name: airlock.bootstrap.engine_build_info
typed_config:
'@type': type.googleapis.com/airlock.extensions.bootstrap.stats.v1alpha.Stats
application_log_config:
log_format:
text_format: '{"@timestamp":"%Y-%m-%dT%T.%e%z","log":{"logger":"%n","level":"%l","origin":{"file":{"name":"%g","line":%#},"function":"%!"}},"event":{"module":"envoy","dataset":"envoy.application"},"process":{"pid":%P,"thread":{"id":%t}},"ecs":{"version":"8.5"},"message":"%j"}'
engine_container_template.yaml: |
name: "$(ENGINE_NAME)"
image: "$(ENGINE_IMAGE)"
imagePullPolicy: {{ .Values.engine.image.pullPolicy }}
args:
- "--config-path"
- "/etc/envoy/bootstrap_config.yaml"
- "--base-id"
- "$(BASE_ID)"
- "--file-flush-interval-msec"
- '1000'
- "--drain-time-s"
- '60'
- "--service-node"
- "$(POD_NAME).$(POD_NAMESPACE)"
- "--service-cluster"
- "$(APP_NAME).$(POD_NAMESPACE)"
- "--log-path"
- "/dev/stdout"
- "--log-level"
- "$(LOG_LEVEL)"
volumeMounts:
- name: airlock-microgateway-bootstrap-secret-volume
mountPath: /etc/envoy
readOnly: true
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: POD_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
ports:
- containerPort: 13378
protocol: TCP
- containerPort: 19001
protocol: TCP
- containerPort: 19002
protocol: TCP
livenessProbe:
httpGet:
path: /ready
port: 19001
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 5
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
httpGet:
path: /ready
port: 19001
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 3
successThreshold: 1
timeoutSeconds: 1
securityContext:
{{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }}
runAsUser: $(SECURITYCONTEXT_UID)
{{- with .Values.engine.resources }}
resources:
{{- toYaml . | nindent 6 }}
{{- end }}
session_agent_container_template.yaml: |
name: "$(SESSION_AGENT_NAME)"
image: "$(SESSION_AGENT_IMAGE)"
imagePullPolicy: {{ .Values.sessionAgent.image.pullPolicy }}
args:
- "--port"
- "19004"
- "--config-path"
- "/etc/microgateway-session-agent/config.json"
volumeMounts:
- name: airlock-microgateway-session-agent-volume
mountPath: /etc/microgateway-session-agent
readOnly: true
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
ports:
- containerPort: 19004
livenessProbe:
{{- if (semverCompare ">=1.27 || >=1.27.1-0" .Capabilities.KubeVersion.Version)}}
grpc:
port: 19004
{{- else }}
tcpSocket:
port: 19004
{{- end }}
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 5
successThreshold: 1
timeoutSeconds: 5
readinessProbe:
{{- if (semverCompare ">=1.27 || >=1.27.1-0" .Capabilities.KubeVersion.Version)}}
grpc:
port: 19004
{{- else }}
tcpSocket:
port: 19004
{{- end }}
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 3
successThreshold: 1
timeoutSeconds: 5
securityContext:
{{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }}
runAsUser: $(SECURITYCONTEXT_UID)
{{- with .Values.sessionAgent.resources }}
resources:
{{- toYaml . | nindent 6 }}
{{- end }}
network_validator_container_template.yaml: |
name: "$(NETWORK_VALIDATOR_NAME)"
image: "$(NETWORK_VALIDATOR_IMAGE)"
imagePullPolicy: {{ .Values.networkValidator.image.pullPolicy }}
command: ["/bin/sh", "-c"]
args:
- |-
echo 'pong' | nc -v -l 127.0.0.1 13378 &
for i in 1 2 3; do
sleep 1s
if r=$(echo 'ping' | nc -v -q 0 127.0.0.1 19003) && [ $r == pong ]; then
echo -n 'Traffic redirection to Airlock Microgateway Engine is working.' > /dev/termination-log
exit 0
fi
done
echo -en 'Traffic redirection to Airlock Microgateway Engine is not working.\nRestart the pod after ensuring that hostNetwork is disabled and a compatible Airlock Microgateway CNI version is installed on the node.\nCertain environments may also require additional configuration (see docs.airlock.com for more information).' > /dev/termination-log
exit 1
securityContext:
{{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }}
runAsUser: $(SECURITYCONTEXT_UID)
{{- with .Values.networkValidator.resources }}
resources:
{{- toYaml . | nindent 6 }}
{{- end }}
operator_config.yaml: |
apiVersion: config.airlock.com/v1alpha1
kind: OperatorConfig
health:
healthProbeBindAddress: :8081
metrics:
bindAddress: 0.0.0.0:8080
webhook:
port: 9443
deployment:
sidecar:
engineContainerTemplate: "/sidecar/engine_container_template.yaml"
networkValidatorContainerTemplate: "/sidecar/network_validator_container_template.yaml"
sessionAgentContainerTemplate: "/sidecar/session_agent_container_template.yaml"
engine:
bootstrapConfigTemplate: "/engine_bootstrap_config_template.yaml"
log:
level: {{ .Values.operator.config.logLevel }}
{{- with $.Values.operator.watchNamespaceSelector }}
namespaces:
selector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $.Values.operator.watchNamespaces }}
namespaces:
list:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $.Values.operator.gatewayAPI }}
gatewayAPI:
enabled: {{ .enabled }}
{{- if .controllerName }}
controllerName: {{ .controllerName }}
{{- end }}
{{- end }}

28
charts/airlock/microgateway/4.4.0/templates/operator/dashboard-configmap.yaml Normal file
View File

@ -0,0 +1,28 @@
{{- if .Values.dashboards.create -}}
{{- range $instance := (keys .Values.dashboards.instances | sortAlpha) -}}
{{- $dashboard := get $.Values.dashboards.instances $instance -}}
{{- if $dashboard.create }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "airlock-microgateway.fullname" $ }}-dashboard-{{ $instance | lower }}
namespace: {{ $.Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" $ | nindent 4 }}
{{- with $.Values.dashboards.config.grafana.dashboardLabel -}}
{{- .name | nindent 4 -}}: {{ .value | quote }}
{{- end }}
annotations:
{{- with $.Values.dashboards.config.grafana.folderAnnotation -}}
{{- .name | nindent 4 -}}: {{ .value | quote }}
{{- end }}
{{- with $.Values.commonAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
data:
{{- printf "%s.json" $instance | nindent 2 }}: |-
{{- ($.Files.Get (printf "dashboards/%s.json" $instance)) | nindent 4 -}}
{{- end -}}
{{- end -}}
{{- end -}}

143
charts/airlock/microgateway/4.4.0/templates/operator/deployment.yaml Normal file
View File

@ -0,0 +1,143 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.operator.replicaCount }}
{{- with .Values.operator.updateStrategy }}
strategy:
{{- toYaml . | trim | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "airlock-microgateway.operator.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/operator/configmap.yaml") . | sha256sum }}
kubectl.kubernetes.io/default-container: manager
{{- with mustMerge .Values.operator.podAnnotations .Values.commonAnnotations}}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 8 }}
{{- with .Values.operator.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
containers:
- args:
- --config=operator_config.yaml
env:
- name: ENGINE_IMAGE
value: {{ include "airlock-microgateway.image" .Values.engine.image }}
- name: NETWORK_VALIDATOR_IMAGE
value: {{ include "airlock-microgateway.image" .Values.networkValidator.image }}
- name: SESSION_AGENT_IMAGE
value: {{ include "airlock-microgateway.image" .Values.sessionAgent.image }}
- name: OPERATOR_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: OPERATOR_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: {{ include "airlock-microgateway.image" .Values.operator.image }}
imagePullPolicy: {{ .Values.operator.image.pullPolicy }}
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
timeoutSeconds: 5
name: manager
ports:
- containerPort: 9443
name: webhook-server
protocol: TCP
- containerPort: 13377
name: xds-server
protocol: TCP
- containerPort: 8080
protocol: TCP
- containerPort: 8081
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
{{- with .Values.operator.resources }}
resources:
{{- toYaml . | nindent 10 }}
{{- end }}
securityContext:
{{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 10 }}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
- mountPath: /opt/airlock/license/
name: airlock-microgateway-license
readOnly: true
- mountPath: /operator_config.yaml
name: operator-config
subPath: operator_config.yaml
- mountPath: /sidecar/engine_container_template.yaml
name: operator-config
subPath: engine_container_template.yaml
- mountPath: /sidecar/network_validator_container_template.yaml
name: operator-config
subPath: network_validator_container_template.yaml
- mountPath: /sidecar/session_agent_container_template.yaml
name: operator-config
subPath: session_agent_container_template.yaml
- mountPath: /engine_bootstrap_config_template.yaml
name: operator-config
subPath: engine_bootstrap_config_template.yaml
securityContext:
runAsNonRoot: true
serviceAccountName: {{ include "airlock-microgateway.operator.serviceAccountName" . }}
terminationGracePeriodSeconds: 10
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.operator.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.operator.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.operator.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: cert
secret:
defaultMode: 420
secretName: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-server-cert
- name: airlock-microgateway-license
secret:
defaultMode: 292
optional: true
secretName: {{ .Values.license.secretName }}
- configMap:
name: {{ include "airlock-microgateway.operator.fullname" . }}-config
name: operator-config

33
charts/airlock/microgateway/4.4.0/templates/operator/manager-role.yaml Normal file
View File

@ -0,0 +1,33 @@
{{- if .Values.operator.rbac.create }}
{{- if empty .Values.operator.watchNamespaces }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
{{ include "airlock-microgateway-operator.rbacRules" . -}}
{{- else }}
{{- range $namespace := (append .Values.operator.watchNamespaces .Release.Namespace | uniq) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "airlock-microgateway.operator.fullname" $ }}-manager
namespace: {{ $namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" $ | nindent 4 }}
{{- with $.Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
{{ include "airlock-microgateway-operator.rbacRules" $ }}
---
{{- end -}}
{{- end -}}
{{- end -}}

45
charts/airlock/microgateway/4.4.0/templates/operator/manager-rolebinding.yaml Normal file
View File

@ -0,0 +1,45 @@
{{- if .Values.operator.rbac.create }}
{{- if empty .Values.operator.watchNamespaces }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: {{ include "airlock-microgateway.operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- else }}
{{- range $namespace := (append .Values.operator.watchNamespaces .Release.Namespace | uniq) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "airlock-microgateway.operator.fullname" $ }}-manager
namespace: {{ $namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" $ | nindent 4 }}
{{- with $.Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "airlock-microgateway.operator.fullname" $ }}-manager
subjects:
- kind: ServiceAccount
name: {{ include "airlock-microgateway.operator.serviceAccountName" $ }}
namespace: {{ $.Release.Namespace }}
---
{{- end -}}
{{- end -}}
{{- end -}}

47
charts/airlock/microgateway/4.4.0/templates/operator/metrics-service.yaml Normal file
View File

@ -0,0 +1,47 @@
apiVersion: v1
kind: Service
metadata:
name: airlock-microgateway-operator-metrics
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.operator.serviceLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ports:
- appProtocol: http
name: metrics
port: 8080
protocol: TCP
selector:
{{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }}
---
apiVersion: v1
kind: Service
metadata:
name: airlock-microgateway-operator-leader-metrics
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.operator.serviceLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
operator.microgateway.airlock.com/isLeader: "true"
{{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ports:
- appProtocol: http
name: metrics
port: 8080
protocol: TCP
selector:
{{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }}
operator.microgateway.airlock.com/isLeader: "true"

28
charts/airlock/microgateway/4.4.0/templates/operator/mutating-webhook.yaml Normal file
View File

@ -0,0 +1,28 @@
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-{{ .Release.Namespace }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
annotations:
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "airlock-microgateway.operator.fullname" . }}-serving-cert
{{- with .Values.commonAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
webhooks:
{{- range $webhook := (include "airlock-microgateway-operator.mutatingWebhooks" .) | fromYamlArray }}
- {{ toYaml $webhook | indent 2 | trim }}
{{- with $.Values.operator.watchNamespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with $.Values.operator.watchNamespaces }}
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: In
values:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- end }}

27
charts/airlock/microgateway/4.4.0/templates/operator/podmonitor.yaml Normal file
View File

@ -0,0 +1,27 @@
{{- if .Values.engine.sidecar.podMonitor.create }}
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: {{ include "airlock-microgateway.fullname" . }}-engine
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.engine.sidecar.podMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
namespaceSelector:
any: true
selector:
matchLabels:
sidecar.microgateway.airlock.com/inject: "true"
microgateway.airlock.com/managedBy: {{ .Release.Namespace }}
podMetricsEndpoints:
- targetPort: 19002
path: /metrics
scheme: http
{{- end -}}

45
charts/airlock/microgateway/4.4.0/templates/operator/role.yaml Normal file
View File

@ -0,0 +1,45 @@
{{- if .Values.operator.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
{{- end -}}

20
charts/airlock/microgateway/4.4.0/templates/operator/rolebinding.yaml Normal file
View File

@ -0,0 +1,20 @@
{{- if .Values.operator.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election
subjects:
- kind: ServiceAccount
name: {{ include "airlock-microgateway.operator.serviceAccountName" . }}
{{- end -}}

13
charts/airlock/microgateway/4.4.0/templates/operator/selfsigned-issuer.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-selfsigned-issuer
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selfSigned: {}

13
charts/airlock/microgateway/4.4.0/templates/operator/serviceaccount.yaml Normal file
View File

@ -0,0 +1,13 @@
{{- if .Values.operator.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "airlock-microgateway.operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with mustMerge .Values.operator.serviceAccount.annotations .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}

60
charts/airlock/microgateway/4.4.0/templates/operator/servicemonitor.yaml Normal file
View File

@ -0,0 +1,60 @@
{{- if .Values.operator.serviceMonitor.create }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.operator.serviceMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "airlock-microgateway.operator.selectorLabels" . | nindent 6 }}
matchExpressions:
- { key: "operator.microgateway.airlock.com/isLeader", operator: DoesNotExist }
endpoints:
- path: /metrics
port: metrics
scheme: http
metricRelabelings:
- sourceLabels:
- __name__
regex: {{ include "airlock-microgateway.operator.metricsLeaderOnlyRegexPattern" . }}
action: drop
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-leader
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.operator.serviceMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "airlock-microgateway.operator.selectorLabels" . | nindent 6 }}
operator.microgateway.airlock.com/isLeader: "true"
endpoints:
- path: /metrics
port: metrics
scheme: http
metricRelabelings:
- sourceLabels:
- __name__
regex: {{ include "airlock-microgateway.operator.metricsLeaderOnlyRegexPattern" . }}
action: keep
{{- end -}}

19
charts/airlock/microgateway/4.4.0/templates/operator/serving-certificate.yaml Normal file
View File

@ -0,0 +1,19 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-serving-cert
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
dnsNames:
- airlock-microgateway-operator-webhook.{{ .Release.Namespace }}.svc
- airlock-microgateway-operator-webhook.{{ .Release.Namespace }}.svc.cluster.local
issuerRef:
kind: Issuer
name: {{ include "airlock-microgateway.operator.fullname" . }}-selfsigned-issuer
secretName: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-server-cert

28
charts/airlock/microgateway/4.4.0/templates/operator/validating-webhook.yaml Normal file
View File

@ -0,0 +1,28 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-{{ .Release.Namespace }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
annotations:
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "airlock-microgateway.operator.fullname" . }}-serving-cert
{{- with .Values.commonAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
webhooks:
{{- range $webhook := (include "airlock-microgateway-operator.validatingWebhooks" .) | fromYamlArray }}
- {{ toYaml $webhook | indent 2 | trim }}
{{- with $.Values.operator.watchNamespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with $.Values.operator.watchNamespaces }}
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: In
values:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- end }}

23
charts/airlock/microgateway/4.4.0/templates/operator/webhook-service.yaml Normal file
View File

@ -0,0 +1,23 @@
apiVersion: v1
kind: Service
metadata:
name: airlock-microgateway-operator-webhook
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.operator.serviceLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ports:
- appProtocol: https
name: webhook
port: 443
protocol: TCP
targetPort: 9443
selector:
{{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }}

24
charts/airlock/microgateway/4.4.0/templates/operator/xds-service.yaml Normal file
View File

@ -0,0 +1,24 @@
apiVersion: v1
kind: Service
metadata:
name: airlock-microgateway-operator-xds
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.operator.serviceLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ports:
- appProtocol: grpc
name: xds
port: 13377
protocol: TCP
targetPort: 13377
selector:
{{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }}
operator.microgateway.airlock.com/isLeader: "true"

143
charts/airlock/microgateway/4.4.0/templates/tests/rbac.yaml Normal file
View File

@ -0,0 +1,143 @@
{{- if .Values.tests.enabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: tests
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
{{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
name: "{{ include "airlock-microgateway.fullname" . }}-tests"
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: tests
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
{{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
name: "{{ include "airlock-microgateway.fullname" . }}-tests"
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: "{{ include "airlock-microgateway.fullname" . }}-tests"
subjects:
- kind: ServiceAccount
name: "{{ include "airlock-microgateway.fullname" . }}-tests"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: tests
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
{{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
name: "{{ include "airlock-microgateway.fullname" . }}-tests"
namespace: {{ .Release.Namespace }}
rules:
- apiGroups:
- microgateway.airlock.com
resources:
- sidecargateways
resourceNames:
- "{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway"
verbs:
- get
- list
- watch
- delete
- apiGroups:
- microgateway.airlock.com
resources:
- sidecargateways
verbs:
- create
- apiGroups:
- ""
resources:
- events
verbs:
- list
- apiGroups:
- "apps"
resources:
- deployments
resourceNames:
- "{{ include "airlock-microgateway.operator.fullname" . }}"
verbs:
- get
- list
- watch
- apiGroups:
- "apps"
resources:
- statefulsets
- statefulsets/scale
resourceNames:
- "{{ include "airlock-microgateway.fullname" . }}-test-backend"
verbs:
- get
- list
- watch
- patch
- apiGroups:
- ""
resources:
- pods
- pods/log
- pods/status
- pods/attach
resourceNames:
- "{{ include "airlock-microgateway.fullname" . }}-test-backend-0"
- "{{ include "airlock-microgateway.fullname" . }}-test-valid-request"
- "{{ include "airlock-microgateway.fullname" . }}-test-injection-request"
verbs:
- get
- list
- create
- watch
- delete
- apiGroups:
- ""
resources:
- pods
verbs:
- create
{{- if .Values.operator.watchNamespaceSelector }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: tests
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
{{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}"
subjects:
- kind: ServiceAccount
name: "{{ include "airlock-microgateway.fullname" . }}-tests"
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: tests
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
{{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}"
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
{{- end }}
{{- end -}}

23
charts/airlock/microgateway/4.4.0/templates/tests/service.yaml Normal file
View File

@ -0,0 +1,23 @@
{{- if .Values.tests.enabled -}}
apiVersion: v1
kind: Service
metadata:
name: "{{ include "airlock-microgateway.fullname" . }}-test-service"
namespace: {{ .Release.Namespace }}
labels:
app: test-service
app.kubernetes.io/component: test-install
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
{{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
{{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }}
spec:
selector:
app.kubernetes.io/component: test-install
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
app: "{{ include "airlock-microgateway.fullname" . }}-test-backend"
{{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }}
ports:
- name: http
port: 8080
targetPort: 8080
{{- end -}}

56
charts/airlock/microgateway/4.4.0/templates/tests/statefulset.yaml Normal file
View File

@ -0,0 +1,56 @@
{{- if .Values.tests.enabled -}}
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: "{{ include "airlock-microgateway.fullname" . }}-test-backend"
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/component: test-install
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
app: "{{ include "airlock-microgateway.fullname" . }}-test-backend"
{{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
{{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }}
spec:
serviceName: nginx
replicas: 0
selector:
matchLabels:
app.kubernetes.io/component: test-install
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
app: "{{ include "airlock-microgateway.fullname" . }}-test-backend"
{{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
k8s.v1.cni.cncf.io/networks: default/airlock-microgateway-cni
labels:
sidecar.microgateway.airlock.com/inject: "true"
sidecar.istio.io/inject: "false"
app.kubernetes.io/component: test-install
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
app: "{{ include "airlock-microgateway.fullname" . }}-test-backend"
{{- include "airlock-microgateway.sharedLabels" . | nindent 8 }}
{{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 8 }}
spec:
containers:
- image: cgr.dev/chainguard/nginx
name: nginx
ports:
- containerPort: 8080
volumeMounts:
- mountPath: /var/lib/nginx/tmp/
name: nginx-tmp
- mountPath: /var/run
name: nginx-run
securityContext:
{{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 12 }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- emptyDir: {}
name: nginx-tmp
- emptyDir: {}
name: nginx-run
{{- end -}}

227
charts/airlock/microgateway/4.4.0/templates/tests/test-install.yaml Normal file
View File

@ -0,0 +1,227 @@
{{- if .Values.tests.enabled -}}
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "airlock-microgateway.fullname" . }}-test-install"
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/component: test-install
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
sidecar.istio.io/inject: "false"
{{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
{{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }}
annotations:
helm.sh/hook: test
helm.sh/hook-delete-policy: before-hook-creation
spec:
restartPolicy: Never
containers:
- name: test
image: "bitnami/kubectl:{{ .Capabilities.KubeVersion.Major }}.{{ .Capabilities.KubeVersion.Minor }}"
securityContext:
{{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }}
command:
- sh
- -c
- |
set -eu
clean_up() {
echo ""
echo "### Clean up test resources"
kubectl delete --ignore-not-found=true -n {{ .Release.Namespace }} sidecargateways.microgateway.airlock.com {{ include "airlock-microgateway.fullname" . }}-test-sidecargateway || true
echo ""
echo "### Scale down '{{ include "airlock-microgateway.fullname" . }}-test-backend'"
kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=0 --timeout=60s
sleep 3s
echo ""
}
fail() {
echo ""
echo "### Error: ${1}"
echo ""
if kubectl get -n {{ .Release.Namespace }} sidecargateway.microgateway.airlock.com/{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway >/dev/null 2>&1; then
echo ""
echo 'Microgateway Sidecargateway status:'
kubectl get -n {{ .Release.Namespace }} sidecargateway.microgateway.airlock.com/{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway -o jsonpath-as-json='{.status}' || true
echo ""
echo ""
fi
if kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 >/dev/null 2>&1; then
echo "Pod '{{ include "airlock-microgateway.fullname" . }}-test-backend-0':"
kubectl describe -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 || true
echo ""
echo ""
echo 'Logs of Nginx container:'
kubectl logs -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -c nginx --tail 5 || true
echo ""
echo ""
# Wait for engine logs
sleep 10s
echo 'Logs of Microgateway Engine container:'
kubectl logs -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -c airlock-microgateway-engine --tail 5 || true
fi
exit 1
}
create_sidecargateway() {
# create SidecarGateway resource for testing purposes
kubectl delete --ignore-not-found=true -n {{ .Release.Namespace }} sidecargateways.microgateway.airlock.com {{ include "airlock-microgateway.fullname" . }}-test-sidecargateway || true
kubectl apply -f - <<EOF
apiVersion: microgateway.airlock.com/v1alpha1
kind: SidecarGateway
metadata:
name: "{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway"
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/component: test-install
{{- include "airlock-microgateway.sharedLabels" . | nindent 12 }}
{{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 12 }}
spec:
podSelector:
matchLabels:
app: "{{ include "airlock-microgateway.fullname" . }}-test-backend"
{{- include "airlock-microgateway.sharedLabels" . | nindent 14 }}
{{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 14 }}
applications:
- containerPort: 8080
EOF
}
curl() {
kubectl delete pod --ignore-not-found=true -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request
kubectl -n {{ .Release.Namespace }} run {{ include "airlock-microgateway.fullname" . }}-test-valid-request --restart=Never --image=cgr.dev/chainguard/curl \
--override-type=strategic \
--overrides='
{
"apiVersion": "v1",
"metadata": {
"labels": {
"sidecar.istio.io/inject": "false"
}
},
"spec": {
"containers": [
{
"name": "{{ include "airlock-microgateway.fullname" . }}-test-valid-request",
"securityContext": {{ include "airlock-microgateway.restrictedSecurityContext" . | fromYaml | toJson }}
}
]
}
}' \
-- "$@"
local i=0
while [ $i -lt 90 ] && ! kubectl logs -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request >/dev/null 2>&1; do sleep 1s; i=$((i+1)); done
kubectl logs -f -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request
kubectl delete pod --ignore-not-found=true -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request
}
{{- if .Values.operator.watchNamespaceSelector }}
echo "### Verify that Namespace Selector matches Namespace '{{ .Release.Namespace }}'"
if ! kubectl get namespace -l '{{ include "airlock-microgateway.watchNamespaceSelector.labelQuery" .Values.operator.watchNamespaceSelector }}' | grep -q {{ .Release.Namespace }}; then
labels=$(kubectl get namespace {{ .Release.Namespace }} -o jsonpath={.metadata.labels} | jq | awk '{print " " $0}')
fail {{printf `"Operator namespace '%s' is not part of the operator's watch scope. To execute 'helm test', the selector configured in the helm value 'operator.watchNamespaceSelector' must match the namespace's labels:\n* Current selector:\n%s\n\n* Current labels:\n$labels\n###"`
.Release.Namespace
(replace "\"" "\\\"" (replace "\n" "\\n" (.Values.operator.watchNamespaceSelector | toPrettyJson | indent 2)))
}}
fi
echo ""
{{- end }}
trap clean_up EXIT
echo ""
echo "### Waiting for Microgateway Operator Deployments to be ready"
if ! kubectl rollout status -n {{ .Release.Namespace }} --timeout=90s \
deployments/{{ include "airlock-microgateway.operator.fullname" . }}; then
fail 'Timeout occurred'
fi
echo ""
echo "### Scale '{{ include "airlock-microgateway.fullname" . }}-test-backend' to '1' replica"
# scale to zero replicas to ensure no pods are present from previous runs
kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=0 --timeout=10s
kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=1 --timeout=10s
echo ""
echo "### Waiting for backend pod"
i=0
while true; do
if kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0; then
break
elif [ $i -gt 3 ]; then
fail 'Pod not ready'
fi
sleep 2s
i=$((i+1))
done
echo "### Checking Microgateway Engine sidecar container was injected"
if ! kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -o jsonpath='{.spec.containers[?(@.name=="airlock-microgateway-engine")]}' | grep -q "airlock-microgateway-engine"; then
fail 'Microgateway Engine sidecar container not injected'
fi
echo "True"
echo ""
echo "### Checking for valid license"
i=0
while true; do
if [ "$(kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -o jsonpath='{.metadata.labels.sidecar\.microgateway\.airlock\.com/licensed}')" = 'true' ]; then
break
elif [ $i -gt 30 ]; then
fail 'Microgateway license is missing or invalid'
fi
sleep 2s
i=$((i+1))
done
echo "True"
echo ""
echo "### Create SidecarGateway resource for testing"
if ! create_sidecargateway ; then
fail 'Creation of SidecarGateway resource failed'
fi
echo ""
echo "### Waiting for '{{ include "airlock-microgateway.fullname" . }}-test-backend' to be ready"
if ! kubectl rollout status -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --timeout=90s; then
fail 'Timeout occurred'
fi
echo ""
echo "### Waiting for 'engine-config-valid' condition"
if ! kubectl wait -n {{ .Release.Namespace }} pods --field-selector=metadata.name={{ include "airlock-microgateway.fullname" . }}-test-backend-0 --timeout=90s --for=condition=microgateway.airlock.com/engine-config-valid=True; then
fail 'Configuration was never accepted by the Microgateway Engine'
fi
sleep 5s
echo ""
echo ""
echo "### Checking whether a valid request is successful and returns HTTP status code '200'"
out=$(curl -vsS --retry 3 --retry-connrefused --connect-timeout 10 "http://{{ include "airlock-microgateway.fullname" . }}-test-service:8080/" || true)
echo "Response:"
echo "${out}"
if ! echo "${out}" | grep -q "200 OK"; then
fail 'A valid request was not successful'
fi
echo ""
echo ""
echo "### Checking whether a request with an injection attack is blocked and returns HTTP status code '400'"
out=$(curl -vsS --retry 3 --retry-connrefused --connect-timeout 10 "http://{{ include "airlock-microgateway.fullname" . }}-test-service:8080/?token='%20UnION%20all%20select%20A" || true)
echo "Response:"
echo "${out}"
if ! echo "${out}" | grep -q "400 Bad Request"; then
fail 'A malicious request was not blocked'
fi
echo ""
echo ""
echo "### Installation of '{{ include "airlock-microgateway.fullname" . }}' succeeded"
exit 0
serviceAccountName: "{{ include "airlock-microgateway.fullname" . }}-tests"
{{- end -}}

572
charts/airlock/microgateway/4.4.0/values.schema.json Normal file
View File

@ -0,0 +1,572 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"type": "object",
"properties": {
"nameOverride": {
"type": "string"
},
"fullnameOverride": {
"type": "string"
},
"commonLabels": {
"$ref": "#/definitions/StringMap"
},
"commonAnnotations": {
"$ref": "#/definitions/StringMap"
},
"crds": {
"type": "object",
"properties": {
"skipVersionCheck": {
"type": "boolean"
}
},
"additionalProperties": false
},
"imagePullSecrets": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"minLength": 1
}
},
"required": [
"name"
],
"additionalProperties": true
}
},
"operator": {
"type": "object",
"properties": {
"replicaCount": {
"type": "integer",
"minimum": 0
},
"updateStrategy": {
"$ref": "#/definitions/UpdateStrategy"
},
"image": {
"$ref": "#/definitions/Image"
},
"podAnnotations": {
"$ref": "#/definitions/StringMap"
},
"podLabels": {
"$ref": "#/definitions/StringMap"
},
"serviceAnnotations": {
"$ref": "#/definitions/StringMap"
},
"serviceLabels": {
"$ref": "#/definitions/StringMap"
},
"resources": {
"type": "object"
},
"nodeSelector": {
"$ref": "#/definitions/StringMap"
},
"tolerations": {
"type": "array",
"items": {
"type": "object"
}
},
"affinity": {
"type": "object"
},
"config": {
"type": "object",
"properties": {
"logLevel": {
"type": "string",
"enum": [
"debug",
"info",
"warn",
"error"
]
}
},
"required": [
"logLevel"
],
"additionalProperties": false
},
"serviceAccount": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"annotations": {
"$ref": "#/definitions/StringMap"
},
"name": {
"type": "string"
}
},
"required": [
"annotations",
"create",
"name"
],
"additionalProperties": false
},
"watchNamespaces": {
"type": "array",
"items": {
"type": "string"
}
},
"watchNamespaceSelector": {
"$ref": "#/definitions/LabelSelector"
},
"rbac": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
}
},
"required": [
"create"
],
"additionalProperties": false
},
"serviceMonitor": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"labels": {
"$ref": "#/definitions/StringMap"
}
},
"required": [
"create"
],
"additionalProperties": false
},
"gatewayAPI": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"controllerName" : {
"type": "string",
"pattern": "^microgateway\\.airlock\\.com\/[A-Za-z0-9\/\\-._~%!$&'()*+,;=:]+$"
}
},
"required": [
"enabled"
],
"additionalProperties": false
}
},
"oneOf": [
{
"properties": {
"watchNamespaces": {
"minItems": 1
},
"watchNamespaceSelector": {
"additionalProperties": false
}
}
},
{
"properties": {
"watchNamespaces": {
"maxItems": 0
},
"watchNamespaceSelector": {
"$ref": "#/definitions/LabelSelector"
}
}
}
],
"required": [
"affinity",
"config",
"image",
"updateStrategy",
"nodeSelector",
"podAnnotations",
"podLabels",
"rbac",
"replicaCount",
"resources",
"serviceAccount",
"serviceAnnotations",
"serviceLabels",
"serviceMonitor",
"tolerations"
],
"additionalProperties": false
},
"engine": {
"type": "object",
"properties": {
"image": {
"$ref": "#/definitions/Image"
},
"resources": {
"type": "object"
},
"sidecar": {
"type": "object",
"properties":{
"podMonitor": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"labels": {
"$ref": "#/definitions/StringMap"
}
},
"required": [
"create"
],
"additionalProperties": false
}
},
"required": [
"podMonitor"
],
"additionalProperties": false
}
},
"required": [
"image",
"resources",
"sidecar"
],
"additionalProperties": false
},
"networkValidator": {
"type": "object",
"properties": {
"image": {
"$ref": "#/definitions/Image"
},
"resources": {
"type": "object"
}
},
"required": [
"image",
"resources"
],
"additionalProperties": false
},
"sessionAgent": {
"type": "object",
"properties": {
"image": {
"$ref": "#/definitions/Image"
},
"resources": {
"type": "object"
}
},
"required": [
"image",
"resources"
],
"additionalProperties": false
},
"license": {
"type": "object",
"properties": {
"secretName": {
"type": "string",
"minLength": 1
}
},
"required": [
"secretName"
],
"additionalProperties": false
},
"dashboards": {
"type": "object",
"properties" : {
"create": {
"type": "boolean"
},
"config": {
"type": "object",
"properties": {
"grafana": {
"type": "object",
"properties": {
"folderAnnotation": {
"$ref": "#/definitions/NameValuePair"
},
"dashboardLabel": {
"$ref": "#/definitions/NameValuePair"
}
},
"required": [
"folderAnnotation",
"dashboardLabel"
],
"additionalProperties": false
}
},
"required": [
"grafana"
],
"additionalProperties": false
},
"instances": {
"type": "object",
"properties": {
"overview": {
"$ref": "#/definitions/DashboardInstance"
},
"license" : {
"$ref": "#/definitions/DashboardInstance"
},
"blockMetrics" : {
"$ref": "#/definitions/DashboardInstance"
},
"blockLogs" : {
"$ref": "#/definitions/DashboardInstance"
},
"headerLogs" : {
"$ref": "#/definitions/DashboardInstance"
},
"logOnlyMetrics" : {
"$ref": "#/definitions/DashboardInstance"
},
"logOnlyLogs" : {
"$ref": "#/definitions/DashboardInstance"
}
},
"required": [
"overview",
"license",
"blockMetrics",
"blockLogs",
"headerLogs",
"logOnlyMetrics",
"logOnlyLogs"
],
"additionalProperties": false
}
},
"required": [
"create",
"config",
"instances"
],
"additionalProperties": false
},
"tests": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
}
},
"required": [
"enabled"
],
"additionalProperties": false
},
"global": {
"type": "object"
}
},
"required": [
"commonAnnotations",
"commonLabels",
"crds",
"engine",
"fullnameOverride",
"imagePullSecrets",
"license",
"nameOverride",
"operator",
"networkValidator",
"sessionAgent",
"dashboards",
"tests"
],
"additionalProperties": false,
"definitions": {
"StringMap": {
"type": "object",
"additionalProperties": {
"type": "string"
}
},
"Image": {
"type": "object",
"properties": {
"repository": {
"type": "string",
"minLength": 1
},
"tag": {
"type": "string"
},
"digest": {
"type": "string",
"pattern": "^$|^sha256:[a-f0-9]{64}$"
},
"pullPolicy": {
"type": "string",
"enum": [
"Always",
"IfNotPresent",
"Never"
]
}
},
"required": [
"digest",
"pullPolicy",
"repository",
"tag"
],
"additionalProperties": false
},
"LabelSelector": {
"type": "object",
"properties": {
"matchExpressions": {
"type": "array",
"items": {
"type": "object",
"required": [
"key",
"operator"
],
"properties": {
"key": {
"type": "string"
},
"operator": {
"type": "string"
},
"values": {
"type": "array",
"items": {
"type": "string"
}
}
},
"additionalProperties": false
}
},
"matchLabels": {
"$ref": "#/definitions/StringMap"
}
},
"additionalProperties": false
},
"UpdateStrategy": {
"type": "object",
"oneOf" : [
{
"properties": {
"type": {
"$ref": "#/definitions/RecreateType"
}
},
"required": [
"type"
],
"additionalProperties": false
},
{
"properties": {
"type": {
"$ref": "#/definitions/RollingUpdateType"
},
"rollingUpdate": {
"$ref": "#/definitions/RollingUpdate"
}
},
"required": [
"type"
],
"additionalProperties": false
}
]
},
"RecreateType": {
"type": "string",
"enum": [
"Recreate"
]
},
"RollingUpdateType": {
"type": "string",
"enum": [
"RollingUpdate"
]
},
"RollingUpdate": {
"type": "object",
"properties": {
"maxSurge": {
"type": ["integer", "string"],
"minimum": 0,
"pattern": "^\\d+%?$"
},
"maxUnavailable": {
"type": ["integer", "string"],
"minimum": 0,
"pattern": "^\\d+%?$"
}
},
"anyOf": [
{"required": ["maxSurge"]},
{"required": ["maxUnavailable"]}
],
"additionalProperties": false
},
"DashboardInstance" : {
"type" : "object",
"properties" : {
"create" : {
"type" : "boolean"
}
},
"required" : [
"create"
],
"additionalProperties": false
},
"NameValuePair" : {
"type" : "object",
"properties" : {
"name" : {
"type": "string",
"minLength": 1
},
"value" : {
"type" : "string",
"minLength": 1
}
},
"required" : [
"name",
"value"
],
"additionalProperties": false
}
}
}

237
charts/airlock/microgateway/4.4.0/values.yaml Normal file
View File

@ -0,0 +1,237 @@
# -- Allows overriding the name to use instead of "microgateway".
nameOverride: ""
# -- Allows overriding the name to use as full name of resources.
fullnameOverride: ""
# -- Labels to add to all resources.
commonLabels: {}
# -- Annotations to add to all resources.
commonAnnotations: {}
# -- ImagePullSecrets to use when pulling images.
imagePullSecrets: []
# - name: myRegistryKeySecretName
crds:
# -- Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs.
# The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster
# when performing a "helm install/upgrade".
skipVersionCheck: false
operator:
# -- Number of replicas for the operator Deployment.
replicaCount: 2
# -- Specifies the operator update strategy.
updateStrategy:
type: RollingUpdate
# Specifies the Airlock Microgateway Operator image.
image:
# -- Image repository from which to pull the Airlock Microgateway Operator image.
repository: "quay.io/airlock/microgateway-operator"
# -- Image tag to pull.
tag: "4.4.0"
# -- SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63").
# Overrides tag when specified.
digest: "sha256:80cbae58ad9badd9395fa09a7b0576561821121b8353146bbd6efa2240ab5d97"
# -- Pull policy for this image.
pullPolicy: IfNotPresent
# -- Annotations to add to all Pods.
podAnnotations: {}
# -- Labels to add to all Pods.
podLabels: {}
# -- Annotations to add to the Service.
serviceAnnotations: {}
# prometheus.io/scrape: "true"
# prometheus.io/port: "8080"
# -- Labels to add to the Service.
serviceLabels: {}
# -- Resource restrictions to apply to the operator container.
resources: {}
# We recommend at least the following resource specification.
# limits:
# cpu: 1000m
# memory: 512Mi
# requests:
# cpu: 100m
# memory: 512Mi
# -- Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes.
nodeSelector: {}
# -- Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes.
tolerations: []
# -- Custom affinity to apply to the operator Deployment. Used to influence the scheduling.
affinity: {}
# Parameters for the operator configuration.
config:
# -- Operator application log level.
logLevel: "info"
# Configures the generation of the ServiceAccount.
serviceAccount:
# -- Whether a ServiceAccount should be created.
create: true
# -- Annotations to add to the ServiceAccount.
annotations: {}
# -- Name of the ServiceAccount to use.
# If not set and create is true, a name is generated using the fullname template.
name: ""
# -- Allows to restrict the operator to specific namespaces, depending on your needs.
# For a `OwnNamespace` or `SingleNamespace` installation the list may only contain one namespace (e.g., `watchNamespaces: ["airlock-microgateway-system"]`).
# In case of the `OwnNamespace` installation mode the specified namespace should be equal to the installation namespace.
# For a static `MultiNamespace` installation, the complete list of namespaces must be provided in the `watchNamespaces`.
# An `AllNamespaces` installation or the usage of the `watchNamespaceSelector` requires the `watchNamespaces` to be empty.
# Regardless of the installation modes supported by `watchNamespaces`, RBAC is created only namespace-scoped (using Roles and RoleBindings) in the respective namespaces.
# Please note that this feature requires a Premium license.
watchNamespaces: []
# -- Allows to dynamically select watch namespaces of the operator and the scope of the webhooks based on a Namespace label selector.
# It is able to detect and reconcile resources in all namespaces that match the label selector automatically, even for new namespaces, without restarting the operator.
# This facilitates a dynamic `MultiNamespace` installation mode, but still requires cluster-scoped permissions (i.e., ClusterRoles and ClusterRoleBindings).
# An `AllNamespaces` installation or the usage of the `watchNamespaces` requires the `watchNamespaceSelector` to be empty.
# Please note that this feature requires a Premium license.
watchNamespaceSelector: {}
# For further examples, see: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements.
# matchLabels:
# microgateway.airlock.com/enable: "true"
# matchExpressions:
# - { key: environment, operator: NotIn, values: [dev] }
# Configures the generation of Role and RoleBinding as well as ClusterRoles and ClusterRoleBinding pairs for the ServiceAccount specified above.
rbac:
# -- Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function.
create: true
# Configures the generation of a Prometheus Operator ServiceMonitor.
serviceMonitor:
# -- Whether to create a ServiceMonitor resource for monitoring.
create: false
# -- Labels to add to the ServiceMonitor.
labels: {}
# release: "<prometheus-operator-release>"
# Configures the Kubernetes Gateway API integration.
gatewayAPI:
# -- Whether to enable the Kubernetes Gateway API related controllers.
# Requires that the gateway.networking.k8s.io/v1 resources are installed on the cluster.
enabled: false
# -- Controller name referred in the GatewayClasses managed by this operator. The value must be a path prefixed by the domain `microgateway.airlock.com`.
controllerName: microgateway.airlock.com/gatewayclass-controller
engine:
# Specifies the Airlock Microgateway Engine image.
image:
# -- Image repository from which to pull the Airlock Microgateway Engine image.
repository: "quay.io/airlock/microgateway-engine"
# -- Image tag to pull.
tag: "4.4.0"
# -- SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3").
# Overrides tag when specified.
digest: "sha256:c29adf07e7536b72447ea694d0e19fe19235306c26d412a9abc43e4dd99b84c8"
# -- Pull policy for this image.
pullPolicy: IfNotPresent
# -- Resource restrictions to apply to the Airlock Microgateway Engine container.
resources: {}
# We recommend at least the following resource specification.
# limits:
# cpu: 500m
# memory: 128Mi
# requests:
# cpu: 10m
# memory: 40Mi
# Additional configuration when deployed as a sidecar.
sidecar:
# Configures the generation of a Prometheus Operator PodMonitor.
podMonitor:
# -- Whether to create a PodMonitor resource for monitoring.
create: false
# -- Labels to add to the PodMonitor.
labels: {}
# release: "<prometheus-operator-release>"
networkValidator:
# Specifies the Airlock Microgateway Network Validator image to be injected as an init-container.
image:
# -- Image repository from which to pull the netcat image for the Airlock Microgateway Network Validator init-container.
repository: "cgr.dev/chainguard/netcat"
# -- Image tag to pull.
tag: ""
# -- SHA256 image digest to pull (in the format "sha256:05585644690678ae6453ab12e3a5f899e7be5ab70f56c6bf1c4484d3b53587d2").
# Overrides tag when specified.
digest: "sha256:05585644690678ae6453ab12e3a5f899e7be5ab70f56c6bf1c4484d3b53587d2"
# -- Pull policy for this image.
pullPolicy: IfNotPresent
# -- Resource restrictions to apply to the Airlock Microgateway Network Validator init-container.
resources:
limits:
cpu: 25m
memory: 12Mi
requests:
cpu: 5m
memory: 1Mi
sessionAgent:
# Specifies the Airlock Microgateway Session Agent image.
image:
# -- Image repository from which to pull the Airlock Microgateway Session Agent image.
repository: "quay.io/airlock/microgateway-session-agent"
# -- Image tag to pull.
tag: "4.4.0"
# -- SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3").
# Overrides tag when specified.
digest: "sha256:fbb90f2a52bb1b19cca6c5c133e80331153c019ec905db052c250fedbb09c3bc"
# -- Pull policy for this image.
pullPolicy: IfNotPresent
# -- Resource restrictions to apply to the Airlock Microgateway Session Agent container.
resources: {}
# We recommend at least the following resource specification.
# limits:
# cpu: 150m
# memory: 32Mi
# requests:
# cpu: 10m
# memory: 8Mi
license:
# -- Name of the secret containing the "microgateway-license.txt" key.
secretName: "airlock-microgateway-license"
# Creates dashboards in the form of ConfigMaps that can be imported
# by Grafana using its sidecar setup.
dashboards:
# -- Whether to create any ConfigMaps containing Grafana dashboards to import.
create: false
config:
# Configures the necessary label and annotations along with their values
# to enable Grafana to correctly identify the ConfigMaps containing
# dashboards and file them within a dedicated folder in the dashboard overview.
# These settings need to match the Grafana sidecar configuration.
grafana:
folderAnnotation:
# -- Name of the annotation containing the folder name to file dashboards into.
name: "grafana_folder"
# -- Name of the folder dashboards are filed into within the Grafana UI.
value: "Airlock Microgateway"
dashboardLabel:
# -- Name of the label that lets Grafana identify ConfigMaps that represent dashboards.
name: "grafana_dashboard"
# -- Value of the label that lets Grafana identify ConfigMaps that represent dashboards.
value: "1"
instances:
# Available dashboard instances that can be individually created/deployed.
overview:
# -- Whether to create the overview dashboard.
create: true
license:
# -- Whether to create the license dashboard.
create: true
blockMetrics:
# -- Whether to create the block metrics dashboard.
create: true
blockLogs:
# -- Whether to create the block logs dashboard.
create: true
headerLogs:
# -- Whether to create the header rewrite logs dashboard.
create: true
logOnlyMetrics:
# -- Whether to create the log only metrics dashboard
create: true
logOnlyLogs:
# -- Whether to create the log only logs dashboard.
create: true
# Check whether the installation of the Airlock Microgateway Helm Chart was successful.
# Requires a secret with a valid Airlock Microgateway license key already to be present.
tests:
# -- Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts).
# If set to false, `helm test` will not run any tests.
enabled: false

1
charts/buoyant/linkerd-control-plane/2024.10.3/Chart.yaml
View File

@ -2,7 +2,6 @@ annotations:
catalog.cattle.io/auto-install: linkerd-crds
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Linkerd Control Plane
catalog.cattle.io/featured: "5"
catalog.cattle.io/kube-version: '>=1.22.0-0'
catalog.cattle.io/release-name: linkerd-control-plane
apiVersion: v2

22
charts/buoyant/linkerd-control-plane/2024.10.4/.helmignore Normal file
View File

@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
OWNERS
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

6
charts/buoyant/linkerd-control-plane/2024.10.4/Chart.lock Normal file
View File

@ -0,0 +1,6 @@
dependencies:
- name: partials
repository: file://../partials
version: 0.1.0
digest: sha256:8e42f9c9d4a2dc883f17f94d6044c97518ced19ad0922f47b8760e47135369ba
generated: "2021-12-06T11:42:50.784240359-05:00"

29
charts/buoyant/linkerd-control-plane/2024.10.4/Chart.yaml Normal file
View File

@ -0,0 +1,29 @@
annotations:
catalog.cattle.io/auto-install: linkerd-crds
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Linkerd Control Plane
catalog.cattle.io/featured: "5"
catalog.cattle.io/kube-version: '>=1.22.0-0'
catalog.cattle.io/release-name: linkerd-control-plane
apiVersion: v2
appVersion: edge-24.10.4
dependencies:
- name: partials
repository: file://../partials
version: 0.1.0
description: 'Linkerd gives you observability, reliability, and security for your
microservices — with no code change required. '
home: https://linkerd.io
icon: file://assets/icons/linkerd-control-plane.png
keywords:
- service-mesh
kubeVersion: '>=1.22.0-0'
maintainers:
- email: cncf-linkerd-dev@lists.cncf.io
name: Linkerd authors
url: https://linkerd.io/
name: linkerd-control-plane
sources:
- https://github.com/linkerd/linkerd2/
type: application
version: 2024.10.4

321
charts/buoyant/linkerd-control-plane/2024.10.4/README.md Normal file
View File

@ -0,0 +1,321 @@
# linkerd-control-plane
Linkerd gives you observability, reliability, and security
for your microservices — with no code change required.
![Version: 2024.10.4](https://img.shields.io/badge/Version-2024.10.4-informational?style=flat-square)
![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square)
**Homepage:** <https://linkerd.io>
## Quickstart and documentation
You can run Linkerd on any Kubernetes cluster in a matter of seconds. See the
[Linkerd Getting Started Guide][getting-started] for how.
For more comprehensive documentation, start with the [Linkerd
docs][linkerd-docs].
## Prerequisite: linkerd-crds chart
Before installing this chart, please install the `linkerd-crds` chart, which
creates all the CRDs that the components from the current chart require.
## Prerequisite: identity certificates
The identity component of Linkerd requires setting up a trust anchor
certificate, and an issuer certificate with its key. These need to be provided
to Helm by the user (unlike when using the `linkerd install` CLI which can
generate these automatically). You can provide your own, or follow [these
instructions](https://linkerd.io/2/tasks/generate-certificates/) to generate new
ones.
Alternatively, both trust anchor and identity issuer certificates may be
derived from in-cluster resources. Existing CA (trust anchor) certificates
**must** live in a `ConfigMap` resource named `linkerd-identity-trust-roots`.
Issuer certificates **must** live in a `Secret` named
`linkerd-identity-issuer`. Both resources should exist in the control-plane's
install namespace. In order to use an existing CA, Linkerd needs to be
installed with `identity.externalCA=true`. To use an existing issuer
certificate, Linkerd should be installed with
`identity.issuer.scheme=kubernetes.io/tls`.
A more comprehensive description is in the [automatic certificate rotation
guide](https://linkerd.io/2.12/tasks/automatically-rotating-control-plane-tls-credentials/#a-note-on-third-party-cert-management-solutions).
Note that the provided certificates must be ECDSA certificates.
## Adding Linkerd's Helm repository
Included here for completeness-sake, but should have already been added when
`linkerd-base` was installed.
```bash
# To add the repo for Linkerd edge releases:
helm repo add linkerd https://helm.linkerd.io/edge
```
## Installing the chart
You must provide the certificates and keys described in the preceding section,
and the same expiration date you used to generate the Issuer certificate.
```bash
helm install linkerd-control-plane -n linkerd \
--set-file identityTrustAnchorsPEM=ca.crt \
--set-file identity.issuer.tls.crtPEM=issuer.crt \
--set-file identity.issuer.tls.keyPEM=issuer.key \
linkerd/linkerd-control-plane
```
Note that you require to install this chart in the same namespace you installed
the `linkerd-base` chart.
## Setting High-Availability
Besides the default `values.yaml` file, the chart provides a `values-ha.yaml`
file that overrides some default values as to set things up under a
high-availability scenario, analogous to the `--ha` option in `linkerd install`.
Values such as higher number of replicas, higher memory/cpu limits and
affinities are specified in that file.
You can get ahold of `values-ha.yaml` by fetching the chart files:
```bash
helm fetch --untar linkerd/linkerd-control-plane
```
Then use the `-f` flag to provide the override file, for example:
```bash
helm install linkerd-control-plane -n linkerd \
--set-file identityTrustAnchorsPEM=ca.crt \
--set-file identity.issuer.tls.crtPEM=issuer.crt \
--set-file identity.issuer.tls.keyPEM=issuer.key \
-f linkerd2/values-ha.yaml
linkerd/linkerd-control-plane
```
## Get involved
* Check out Linkerd's source code at [GitHub][linkerd2].
* Join Linkerd's [user mailing list][linkerd-users], [developer mailing
list][linkerd-dev], and [announcements mailing list][linkerd-announce].
* Follow [@linkerd][twitter] on Twitter.
* Join the [Linkerd Slack][slack].
[getting-started]: https://linkerd.io/2/getting-started/
[linkerd2]: https://github.com/linkerd/linkerd2
[linkerd-announce]: https://lists.cncf.io/g/cncf-linkerd-announce
[linkerd-dev]: https://lists.cncf.io/g/cncf-linkerd-dev
[linkerd-docs]: https://linkerd.io/2/overview/
[linkerd-users]: https://lists.cncf.io/g/cncf-linkerd-users
[slack]: http://slack.linkerd.io
[twitter]: https://twitter.com/linkerd
## Extensions for Linkerd
The current chart installs the core Linkerd components, which grant you
reliability and security features. Other functionality is available through
extensions. Check the corresponding docs for each one of the following
extensions:
* Observability:
[Linkerd-viz](https://github.com/linkerd/linkerd2/blob/main/viz/charts/linkerd-viz/README.md)
* Multicluster:
[Linkerd-multicluster](https://github.com/linkerd/linkerd2/blob/main/multicluster/charts/linkerd-multicluster/README.md)
* Tracing:
[Linkerd-jaeger](https://github.com/linkerd/linkerd2/blob/main/jaeger/charts/linkerd-jaeger/README.md)
## Requirements
Kubernetes: `>=1.22.0-0`
| Repository | Name | Version |
|------------|------|---------|
| file://../partials | partials | 0.1.0 |
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| clusterDomain | string | `"cluster.local"` | Kubernetes DNS Domain name to use |
| clusterNetworks | string | `"10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"` | The cluster networks for which service discovery is performed. This should include the pod and service networks, but need not include the node network. By default, all IPv4 private networks and all accepted IPv6 ULAs are specified so that resolution works in typical Kubernetes environments. |
| cniEnabled | bool | `false` | enabling this omits the NET_ADMIN capability in the PSP and the proxy-init container when injecting the proxy; requires the linkerd-cni plugin to already be installed |
| commonLabels | object | `{}` | Labels to apply to all resources |
| controlPlaneTracing | bool | `false` | enables control plane tracing |
| controlPlaneTracingNamespace | string | `"linkerd-jaeger"` | namespace to send control plane traces to |
| controller.podDisruptionBudget | object | `{"maxUnavailable":1}` | sets pod disruption budget parameter for all deployments |
| controller.podDisruptionBudget.maxUnavailable | int | `1` | Maximum number of pods that can be unavailable during disruption |
| controllerGID | int | `-1` | Optional customisation of the group ID for the control plane components (the group ID will be omitted if lower than 0) |
| controllerImage | string | `"cr.l5d.io/linkerd/controller"` | Docker image for the destination and identity components |
| controllerImageVersion | string | `""` | Optionally allow a specific container image Tag (or SHA) to be specified for the controllerImage. |
| controllerLogFormat | string | `"plain"` | Log format for the control plane components |
| controllerLogLevel | string | `"info"` | Log level for the control plane components |
| controllerReplicas | int | `1` | Number of replicas for each control plane pod |
| controllerUID | int | `2103` | User ID for the control plane components |
| debugContainer.image.name | string | `"cr.l5d.io/linkerd/debug"` | Docker image for the debug container |
| debugContainer.image.pullPolicy | string | imagePullPolicy | Pull policy for the debug container image |
| debugContainer.image.version | string | linkerdVersion | Tag for the debug container image |
| deploymentStrategy | object | `{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"}}` | default kubernetes deployment strategy |
| destinationController.livenessProbe.timeoutSeconds | int | `1` | |
| destinationController.meshedHttp2ClientProtobuf.keep_alive.interval.seconds | int | `10` | |
| destinationController.meshedHttp2ClientProtobuf.keep_alive.timeout.seconds | int | `3` | |
| destinationController.meshedHttp2ClientProtobuf.keep_alive.while_idle | bool | `true` | |
| destinationController.readinessProbe.timeoutSeconds | int | `1` | |
| disableHeartBeat | bool | `false` | Set to true to not start the heartbeat cronjob |
| disableIPv6 | bool | `true` | disables routing IPv6 traffic in addition to IPv4 traffic through the proxy (IPv6 routing only available as of proxy-init v2.3.0 and linkerd-cni v1.4.0) |
| enableEndpointSlices | bool | `true` | enables the use of EndpointSlice informers for the destination service; enableEndpointSlices should be set to true only if EndpointSlice K8s feature gate is on |
| enableH2Upgrade | bool | `true` | Allow proxies to perform transparent HTTP/2 upgrading |
| enablePSP | bool | `false` | Add a PSP resource and bind it to the control plane ServiceAccounts. Note PSP has been deprecated since k8s v1.21 |
| enablePodAntiAffinity | bool | `false` | enables pod anti affinity creation on deployments for high availability |
| enablePodDisruptionBudget | bool | `false` | enables the creation of pod disruption budgets for control plane components |
| enablePprof | bool | `false` | enables the use of pprof endpoints on control plane component's admin servers |
| identity.externalCA | bool | `false` | If the linkerd-identity-trust-roots ConfigMap has already been created |
| identity.issuer.clockSkewAllowance | string | `"20s"` | Amount of time to allow for clock skew within a Linkerd cluster |
| identity.issuer.issuanceLifetime | string | `"24h0m0s"` | Amount of time for which the Identity issuer should certify identity |
| identity.issuer.scheme | string | `"linkerd.io/tls"` | |
| identity.issuer.tls | object | `{"crtPEM":"","keyPEM":""}` | Which scheme is used for the identity issuer secret format |
| identity.issuer.tls.crtPEM | string | `""` | Issuer certificate (ECDSA). It must be provided during install. |
| identity.issuer.tls.keyPEM | string | `""` | Key for the issuer certificate (ECDSA). It must be provided during install |
| identity.kubeAPI.clientBurst | int | `200` | Burst value over clientQPS |
| identity.kubeAPI.clientQPS | int | `100` | Maximum QPS sent to the kube-apiserver before throttling. See [token bucket rate limiter implementation](https://github.com/kubernetes/client-go/blob/v12.0.0/util/flowcontrol/throttle.go) |
| identity.livenessProbe.timeoutSeconds | int | `1` | |
| identity.readinessProbe.timeoutSeconds | int | `1` | |
| identity.serviceAccountTokenProjection | bool | `true` | Use [Service Account token Volume projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) for pod validation instead of the default token |
| identityTrustAnchorsPEM | string | `""` | Trust root certificate (ECDSA). It must be provided during install. |
| identityTrustDomain | string | clusterDomain | Trust domain used for identity |
| imagePullPolicy | string | `"IfNotPresent"` | Docker image pull policy |
| imagePullSecrets | list | `[]` | For Private docker registries, authentication is needed. Registry secrets are applied to the respective service accounts |
| kubeAPI.clientBurst | int | `200` | Burst value over clientQPS |
| kubeAPI.clientQPS | int | `100` | Maximum QPS sent to the kube-apiserver before throttling. See [token bucket rate limiter implementation](https://github.com/kubernetes/client-go/blob/v12.0.0/util/flowcontrol/throttle.go) |
| linkerdVersion | string | `"linkerdVersionValue"` | control plane version. See Proxy section for proxy version |
| networkValidator.connectAddr | string | `""` | Address to which the network-validator will attempt to connect. This should be an IP that the cluster is expected to be able to reach but a port it should not, e.g., a public IP for public clusters and a private IP for air-gapped clusters with a port like 20001. If empty, defaults to 1.1.1.1:20001 and [fd00::1]:20001 for IPv4 and IPv6 respectively. |
| networkValidator.enableSecurityContext | bool | `true` | Include a securityContext in the network-validator pod spec |
| networkValidator.listenAddr | string | `""` | Address to which network-validator listens to requests from itself. If empty, defaults to 0.0.0.0:4140 and [::]:4140 for IPv4 and IPv6 respectively. |
| networkValidator.logFormat | string | plain | Log format (`plain` or `json`) for network-validator |
| networkValidator.logLevel | string | debug | Log level for the network-validator |
| networkValidator.timeout | string | `"10s"` | Timeout before network-validator fails to validate the pod's network connectivity |
| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector section, See the [K8S documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) for more information |
| podAnnotations | object | `{}` | Additional annotations to add to all pods |
| podLabels | object | `{}` | Additional labels to add to all pods |
| podMonitor.controller.enabled | bool | `true` | Enables the creation of PodMonitor for the control-plane |
| podMonitor.controller.namespaceSelector | string | `"matchNames:\n - {{ .Release.Namespace }}\n - linkerd-viz\n - linkerd-jaeger\n"` | Selector to select which namespaces the Endpoints objects are discovered from |
| podMonitor.enabled | bool | `false` | Enables the creation of Prometheus Operator [PodMonitor](https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.PodMonitor) |
| podMonitor.labels | object | `{}` | Labels to apply to all pod Monitors |
| podMonitor.proxy.enabled | bool | `true` | Enables the creation of PodMonitor for the data-plane |
| podMonitor.scrapeInterval | string | `"10s"` | Interval at which metrics should be scraped |
| podMonitor.scrapeTimeout | string | `"10s"` | Iimeout after which the scrape is ended |
| podMonitor.serviceMirror.enabled | bool | `true` | Enables the creation of PodMonitor for the Service Mirror component |
| policyController.image.name | string | `"cr.l5d.io/linkerd/policy-controller"` | Docker image for the policy controller |
| policyController.image.pullPolicy | string | imagePullPolicy | Pull policy for the policy controller container image |
| policyController.image.version | string | linkerdVersion | Tag for the policy controller container image |
| policyController.livenessProbe.timeoutSeconds | int | `1` | |
| policyController.logLevel | string | `"info"` | Log level for the policy controller |
| policyController.probeNetworks | list | `["0.0.0.0/0","::/0"]` | The networks from which probes are performed. By default, all networks are allowed so that all probes are authorized. |
| policyController.readinessProbe.timeoutSeconds | int | `1` | |
| policyController.resources | object | `{"cpu":{"limit":"","request":""},"ephemeral-storage":{"limit":"","request":""},"memory":{"limit":"","request":""}}` | policy controller resource requests & limits |
| policyController.resources.cpu.limit | string | `""` | Maximum amount of CPU units that the policy controller can use |
| policyController.resources.cpu.request | string | `""` | Amount of CPU units that the policy controller requests |
| policyController.resources.ephemeral-storage.limit | string | `""` | Maximum amount of ephemeral storage that the policy controller can use |
| policyController.resources.ephemeral-storage.request | string | `""` | Amount of ephemeral storage that the policy controller requests |
| policyController.resources.memory.limit | string | `""` | Maximum amount of memory that the policy controller can use |
| policyController.resources.memory.request | string | `""` | Maximum amount of memory that the policy controller requests |
| policyValidator.caBundle | string | `""` | Bundle of CA certificates for proxy injector. If not provided nor injected with cert-manager, then Helm will use the certificate generated for `policyValidator.crtPEM`. If `policyValidator.externalSecret` is set to true, this value, injectCaFrom, or injectCaFromSecret must be set, as no certificate will be generated. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information. |
| policyValidator.crtPEM | string | `""` | Certificate for the policy validator. If not provided and not using an external secret then Helm will generate one. |
| policyValidator.externalSecret | bool | `false` | Do not create a secret resource for the policyValidator webhook. If this is set to `true`, the value `policyValidator.caBundle` must be set or the ca bundle must injected with cert-manager ca injector using `policyValidator.injectCaFrom` or `policyValidator.injectCaFromSecret` (see below). |
| policyValidator.injectCaFrom | string | `""` | Inject the CA bundle from a cert-manager Certificate. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource) for more information. |
| policyValidator.injectCaFromSecret | string | `""` | Inject the CA bundle from a Secret. If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook. The Secret must have the CA Bundle stored in the `ca.crt` key and have the `cert-manager.io/allow-direct-injection` annotation set to `true`. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource) for more information. |
| policyValidator.keyPEM | string | `""` | Certificate key for the policy validator. If not provided and not using an external secret then Helm will generate one. |
| policyValidator.namespaceSelector | object | `{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]}]}` | Namespace selector used by admission webhook |
| priorityClassName | string | `""` | Kubernetes priorityClassName for the Linkerd Pods |
| profileValidator.caBundle | string | `""` | Bundle of CA certificates for proxy injector. If not provided nor injected with cert-manager, then Helm will use the certificate generated for `profileValidator.crtPEM`. If `profileValidator.externalSecret` is set to true, this value, injectCaFrom, or injectCaFromSecret must be set, as no certificate will be generated. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information. |
| profileValidator.crtPEM | string | `""` | Certificate for the service profile validator. If not provided and not using an external secret then Helm will generate one. |
| profileValidator.externalSecret | bool | `false` | Do not create a secret resource for the profileValidator webhook. If this is set to `true`, the value `proxyInjector.caBundle` must be set or the ca bundle must injected with cert-manager ca injector using `proxyInjector.injectCaFrom` or `proxyInjector.injectCaFromSecret` (see below). |
| profileValidator.injectCaFrom | string | `""` | Inject the CA bundle from a cert-manager Certificate. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource) for more information. |
| profileValidator.injectCaFromSecret | string | `""` | Inject the CA bundle from a Secret. If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook. The Secret must have the CA Bundle stored in the `ca.crt` key and have the `cert-manager.io/allow-direct-injection` annotation set to `true`. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource) for more information. |
| profileValidator.keyPEM | string | `""` | Certificate key for the service profile validator. If not provided and not using an external secret then Helm will generate one. |
| profileValidator.namespaceSelector | object | `{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]}]}` | Namespace selector used by admission webhook |
| prometheusUrl | string | `""` | url of external prometheus instance (used for the heartbeat) |
| proxy.await | bool | `true` | If set, the application container will not start until the proxy is ready |
| proxy.control.streams.idleTimeout | string | `"5m"` | The timeout between consecutive updates from the control plane. |
| proxy.control.streams.initialTimeout | string | `"3s"` | The timeout for the first update from the control plane. |
| proxy.control.streams.lifetime | string | `"1h"` | The maximum duration for a response stream (i.e. before it will be reinitialized). |
| proxy.cores | int | `0` | The `cpu.limit` and `cores` should be kept in sync. The value of `cores` must be an integer and should typically be set by rounding up from the limit. E.g. if cpu.limit is '1500m', cores should be 2. |
| proxy.defaultInboundPolicy | string | "all-unauthenticated" | The default allow policy to use when no `Server` selects a pod. One of: "all-authenticated", "all-unauthenticated", "cluster-authenticated", "cluster-unauthenticated", "deny", "audit" |
| proxy.disableInboundProtocolDetectTimeout | bool | `false` | When set to true, disables the protocol detection timeout on the inbound side of the proxy by setting it to a very high value |
| proxy.disableOutboundProtocolDetectTimeout | bool | `false` | When set to true, disables the protocol detection timeout on the outbound side of the proxy by setting it to a very high value |
| proxy.enableExternalProfiles | bool | `false` | Enable service profiles for non-Kubernetes services |
| proxy.enableShutdownEndpoint | bool | `false` | Enables the proxy's /shutdown admin endpoint |
| proxy.gid | int | `-1` | Optional customisation of the group id under which the proxy runs (the group ID will be omitted if lower than 0) |
| proxy.image.name | string | `"cr.l5d.io/linkerd/proxy"` | Docker image for the proxy |
| proxy.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy container image |
| proxy.image.version | string | linkerdVersion | Tag for the proxy container image |
| proxy.inbound.server.http2.keepAliveInterval | string | `"10s"` | The interval at which PINGs are issued to remote HTTP/2 clients. |
| proxy.inbound.server.http2.keepAliveTimeout | string | `"3s"` | The timeout within which keep-alive PINGs must be acknowledged on inbound HTTP/2 connections. |
| proxy.inboundConnectTimeout | string | `"100ms"` | Maximum time allowed for the proxy to establish an inbound TCP connection |
| proxy.inboundDiscoveryCacheUnusedTimeout | string | `"90s"` | Maximum time allowed before an unused inbound discovery result is evicted from the cache |
| proxy.livenessProbe | object | `{"initialDelaySeconds":10,"timeoutSeconds":1}` | LivenessProbe timeout and delay configuration |
| proxy.logFormat | string | `"plain"` | Log format (`plain` or `json`) for the proxy |
| proxy.logHTTPHeaders | `off` or `insecure` | `"off"` | If set to `off`, will prevent the proxy from logging HTTP headers. If set to `insecure`, HTTP headers may be logged verbatim. Note that setting this to `insecure` is not alone sufficient to log HTTP headers; the proxy logLevel must also be set to debug. |
| proxy.logLevel | string | `"warn,linkerd=info,hickory=error"` | Log level for the proxy |
| proxy.nativeSidecar | bool | `false` | Enable KEP-753 native sidecars This is an experimental feature. It requires Kubernetes >= 1.29. If enabled, .proxy.waitBeforeExitSeconds should not be used. |
| proxy.opaquePorts | string | `"25,587,3306,4444,5432,6379,9300,11211"` | Default set of opaque ports - SMTP (25,587) server-first - MYSQL (3306) server-first - Galera (4444) server-first - PostgreSQL (5432) server-first - Redis (6379) server-first - ElasticSearch (9300) server-first - Memcached (11211) clients do not issue any preamble, which breaks detection |
| proxy.outbound.server.http2.keepAliveInterval | string | `"10s"` | The interval at which PINGs are issued to local application HTTP/2 clients. |
| proxy.outbound.server.http2.keepAliveTimeout | string | `"3s"` | The timeout within which keep-alive PINGs must be acknowledged on outbound HTTP/2 connections. |
| proxy.outboundConnectTimeout | string | `"1000ms"` | Maximum time allowed for the proxy to establish an outbound TCP connection |
| proxy.outboundDiscoveryCacheUnusedTimeout | string | `"5s"` | Maximum time allowed before an unused outbound discovery result is evicted from the cache |
| proxy.ports.admin | int | `4191` | Admin port for the proxy container |
| proxy.ports.control | int | `4190` | Control port for the proxy container |
| proxy.ports.inbound | int | `4143` | Inbound port for the proxy container |
| proxy.ports.outbound | int | `4140` | Outbound port for the proxy container |
| proxy.readinessProbe | object | `{"initialDelaySeconds":2,"timeoutSeconds":1}` | ReadinessProbe timeout and delay configuration |
| proxy.requireIdentityOnInboundPorts | string | `""` | |
| proxy.resources.cpu.limit | string | `""` | Maximum amount of CPU units that the proxy can use |
| proxy.resources.cpu.request | string | `""` | Amount of CPU units that the proxy requests |
| proxy.resources.ephemeral-storage.limit | string | `""` | Maximum amount of ephemeral storage that the proxy can use |
| proxy.resources.ephemeral-storage.request | string | `""` | Amount of ephemeral storage that the proxy requests |
| proxy.resources.memory.limit | string | `""` | Maximum amount of memory that the proxy can use |
| proxy.resources.memory.request | string | `""` | Maximum amount of memory that the proxy requests |
| proxy.shutdownGracePeriod | string | `""` | Grace period for graceful proxy shutdowns. If this timeout elapses before all open connections have completed, the proxy will terminate forcefully, closing any remaining connections. |
| proxy.startupProbe.failureThreshold | int | `120` | |
| proxy.startupProbe.initialDelaySeconds | int | `0` | |
| proxy.startupProbe.periodSeconds | int | `1` | |
| proxy.uid | int | `2102` | User id under which the proxy runs |
| proxy.waitBeforeExitSeconds | int | `0` | If set the injected proxy sidecars in the data plane will stay alive for at least the given period before receiving the SIGTERM signal from Kubernetes but no longer than the pod's `terminationGracePeriodSeconds`. See [Lifecycle hooks](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks) for more info on container lifecycle hooks. |
| proxyInit.closeWaitTimeoutSecs | int | `0` | |
| proxyInit.ignoreInboundPorts | string | `"4567,4568"` | Default set of inbound ports to skip via iptables - Galera (4567,4568) |
| proxyInit.ignoreOutboundPorts | string | `"4567,4568"` | Default set of outbound ports to skip via iptables - Galera (4567,4568) |
| proxyInit.image.name | string | `"cr.l5d.io/linkerd/proxy-init"` | Docker image for the proxy-init container |
| proxyInit.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy-init container image |
| proxyInit.image.version | string | `"v2.4.1"` | Tag for the proxy-init container image |
| proxyInit.iptablesMode | string | `"legacy"` | Variant of iptables that will be used to configure routing. Currently, proxy-init can be run either in 'nft' or in 'legacy' mode. The mode will control which utility binary will be called. The host must support whichever mode will be used |
| proxyInit.kubeAPIServerPorts | string | `"443,6443"` | Default set of ports to skip via iptables for control plane components so they can communicate with the Kubernetes API Server |
| proxyInit.logFormat | string | plain | Log format (`plain` or `json`) for the proxy-init |
| proxyInit.logLevel | string | info | Log level for the proxy-init |
| proxyInit.privileged | bool | false | Privileged mode allows the container processes to inherit all security capabilities and bypass any security limitations enforced by the kubelet. When used with 'runAsRoot: true', the container will behave exactly as if it was running as root on the host. May escape cgroup limits and see other processes and devices on the host. |
| proxyInit.runAsGroup | int | `65534` | This value is used only if runAsRoot is false; otherwise runAsGroup will be 0 |
| proxyInit.runAsRoot | bool | `false` | Allow overriding the runAsNonRoot behaviour (<https://github.com/linkerd/linkerd2/issues/7308>) |
| proxyInit.runAsUser | int | `65534` | This value is used only if runAsRoot is false; otherwise runAsUser will be 0 |
| proxyInit.skipSubnets | string | `""` | Comma-separated list of subnets in valid CIDR format that should be skipped by the proxy |
| proxyInit.xtMountPath.mountPath | string | `"/run"` | |
| proxyInit.xtMountPath.name | string | `"linkerd-proxy-init-xtables-lock"` | |
| proxyInjector.caBundle | string | `""` | Bundle of CA certificates for proxy injector. If not provided nor injected with cert-manager, then Helm will use the certificate generated for `proxyInjector.crtPEM`. If `proxyInjector.externalSecret` is set to true, this value, injectCaFrom, or injectCaFromSecret must be set, as no certificate will be generated. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information. |
| proxyInjector.crtPEM | string | `""` | Certificate for the proxy injector. If not provided and not using an external secret then Helm will generate one. |
| proxyInjector.externalSecret | bool | `false` | Do not create a secret resource for the proxyInjector webhook. If this is set to `true`, the value `proxyInjector.caBundle` must be set or the ca bundle must injected with cert-manager ca injector using `proxyInjector.injectCaFrom` or `proxyInjector.injectCaFromSecret` (see below). |
| proxyInjector.injectCaFrom | string | `""` | Inject the CA bundle from a cert-manager Certificate. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource) for more information. |
| proxyInjector.injectCaFromSecret | string | `""` | Inject the CA bundle from a Secret. If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook. The Secret must have the CA Bundle stored in the `ca.crt` key and have the `cert-manager.io/allow-direct-injection` annotation set to `true`. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource) for more information. |
| proxyInjector.keyPEM | string | `""` | Certificate key for the proxy injector. If not provided and not using an external secret then Helm will generate one. |
| proxyInjector.livenessProbe.timeoutSeconds | int | `1` | |
| proxyInjector.namespaceSelector | object | `{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]},{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system","cert-manager"]}]}` | Namespace selector used by admission webhook. |
| proxyInjector.objectSelector | object | `{"matchExpressions":[{"key":"linkerd.io/control-plane-component","operator":"DoesNotExist"},{"key":"linkerd.io/cni-resource","operator":"DoesNotExist"}]}` | Object selector used by admission webhook. |
| proxyInjector.readinessProbe.timeoutSeconds | int | `1` | |
| proxyInjector.timeoutSeconds | int | `10` | Timeout in seconds before the API Server cancels a request to the proxy injector. If timeout is exceeded, the webhookfailurePolicy is used. |
| revisionHistoryLimit | int | `10` | Specifies the number of old ReplicaSets to retain to allow rollback. |
| runtimeClassName | string | `""` | Runtime Class Name for all the pods |
| spValidator | object | `{"livenessProbe":{"timeoutSeconds":1},"readinessProbe":{"timeoutSeconds":1}}` | SP validator configuration |
| webhookFailurePolicy | string | `"Ignore"` | Failure policy for the proxy injector |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0)

133
charts/buoyant/linkerd-control-plane/2024.10.4/README.md.gotmpl Normal file
View File

@ -0,0 +1,133 @@
{{ template "chart.header" . }}
{{ template "chart.description" . }}
{{ template "chart.versionBadge" . }}
{{ template "chart.typeBadge" . }}
{{ template "chart.appVersionBadge" . }}
{{ template "chart.homepageLine" . }}
## Quickstart and documentation
You can run Linkerd on any Kubernetes cluster in a matter of seconds. See the
[Linkerd Getting Started Guide][getting-started] for how.
For more comprehensive documentation, start with the [Linkerd
docs][linkerd-docs].
## Prerequisite: linkerd-crds chart
Before installing this chart, please install the `linkerd-crds` chart, which
creates all the CRDs that the components from the current chart require.
## Prerequisite: identity certificates
The identity component of Linkerd requires setting up a trust anchor
certificate, and an issuer certificate with its key. These need to be provided
to Helm by the user (unlike when using the `linkerd install` CLI which can
generate these automatically). You can provide your own, or follow [these
instructions](https://linkerd.io/2/tasks/generate-certificates/) to generate new
ones.
Alternatively, both trust anchor and identity issuer certificates may be
derived from in-cluster resources. Existing CA (trust anchor) certificates
**must** live in a `ConfigMap` resource named `linkerd-identity-trust-roots`.
Issuer certificates **must** live in a `Secret` named
`linkerd-identity-issuer`. Both resources should exist in the control-plane's
install namespace. In order to use an existing CA, Linkerd needs to be
installed with `identity.externalCA=true`. To use an existing issuer
certificate, Linkerd should be installed with
`identity.issuer.scheme=kubernetes.io/tls`.
A more comprehensive description is in the [automatic certificate rotation
guide](https://linkerd.io/2.12/tasks/automatically-rotating-control-plane-tls-credentials/#a-note-on-third-party-cert-management-solutions).
Note that the provided certificates must be ECDSA certificates.
## Adding Linkerd's Helm repository
Included here for completeness-sake, but should have already been added when
`linkerd-base` was installed.
```bash
# To add the repo for Linkerd edge releases:
helm repo add linkerd https://helm.linkerd.io/edge
```
## Installing the chart
You must provide the certificates and keys described in the preceding section,
and the same expiration date you used to generate the Issuer certificate.
```bash
helm install linkerd-control-plane -n linkerd \
--set-file identityTrustAnchorsPEM=ca.crt \
--set-file identity.issuer.tls.crtPEM=issuer.crt \
--set-file identity.issuer.tls.keyPEM=issuer.key \
linkerd/linkerd-control-plane
```
Note that you require to install this chart in the same namespace you installed
the `linkerd-base` chart.
## Setting High-Availability
Besides the default `values.yaml` file, the chart provides a `values-ha.yaml`
file that overrides some default values as to set things up under a
high-availability scenario, analogous to the `--ha` option in `linkerd install`.
Values such as higher number of replicas, higher memory/cpu limits and
affinities are specified in that file.
You can get ahold of `values-ha.yaml` by fetching the chart files:
```bash
helm fetch --untar linkerd/linkerd-control-plane
```
Then use the `-f` flag to provide the override file, for example:
```bash
helm install linkerd-control-plane -n linkerd \
--set-file identityTrustAnchorsPEM=ca.crt \
--set-file identity.issuer.tls.crtPEM=issuer.crt \
--set-file identity.issuer.tls.keyPEM=issuer.key \
-f linkerd2/values-ha.yaml
linkerd/linkerd-control-plane
```
## Get involved
* Check out Linkerd's source code at [GitHub][linkerd2].
* Join Linkerd's [user mailing list][linkerd-users], [developer mailing
list][linkerd-dev], and [announcements mailing list][linkerd-announce].
* Follow [@linkerd][twitter] on Twitter.
* Join the [Linkerd Slack][slack].
[getting-started]: https://linkerd.io/2/getting-started/
[linkerd2]: https://github.com/linkerd/linkerd2
[linkerd-announce]: https://lists.cncf.io/g/cncf-linkerd-announce
[linkerd-dev]: https://lists.cncf.io/g/cncf-linkerd-dev
[linkerd-docs]: https://linkerd.io/2/overview/
[linkerd-users]: https://lists.cncf.io/g/cncf-linkerd-users
[slack]: http://slack.linkerd.io
[twitter]: https://twitter.com/linkerd
## Extensions for Linkerd
The current chart installs the core Linkerd components, which grant you
reliability and security features. Other functionality is available through
extensions. Check the corresponding docs for each one of the following
extensions:
* Observability:
[Linkerd-viz](https://github.com/linkerd/linkerd2/blob/main/viz/charts/linkerd-viz/README.md)
* Multicluster:
[Linkerd-multicluster](https://github.com/linkerd/linkerd2/blob/main/multicluster/charts/linkerd-multicluster/README.md)
* Tracing:
[Linkerd-jaeger](https://github.com/linkerd/linkerd2/blob/main/jaeger/charts/linkerd-jaeger/README.md)
{{ template "chart.requirementsSection" . }}
{{ template "chart.valuesSection" . }}
{{ template "helm-docs.versionFooter" . }}

14
charts/buoyant/linkerd-control-plane/2024.10.4/app-readme.md Normal file
View File

@ -0,0 +1,14 @@
# Linkerd 2 Chart
Linkerd is an ultra light, ultra simple, ultra powerful service mesh. Linkerd
adds security, observability, and reliability to Kubernetes, without the
complexity.
This particular Helm chart only installs the control plane core. You will also need to install the
linkerd-crds chart. This chart should be automatically installed along with any other dependencies.
If it is not installed as a dependency, install it first.
To gain access to the observability features, please install the linkerd-viz chart.
Other extensions are available (multicluster, jaeger) under the linkerd Helm repo.
Full documentation available at: https://linkerd.io/2/overview/

21
charts/buoyant/linkerd-control-plane/2024.10.4/charts/partials/.helmignore Normal file
View File

@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

5
charts/buoyant/linkerd-control-plane/2024.10.4/charts/partials/Chart.yaml Normal file
View File

@ -0,0 +1,5 @@
apiVersion: v1
description: 'A Helm chart containing Linkerd partial templates, depended by the ''linkerd''
and ''patch'' charts. '
name: partials
version: 0.1.0

9
charts/buoyant/linkerd-control-plane/2024.10.4/charts/partials/README.md Normal file
View File

@ -0,0 +1,9 @@
# partials
A Helm chart containing Linkerd partial templates,
depended by the 'linkerd' and 'patch' charts.
![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square)
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0)

14
charts/buoyant/linkerd-control-plane/2024.10.4/charts/partials/README.md.gotmpl Normal file
View File

@ -0,0 +1,14 @@
{{ template "chart.header" . }}
{{ template "chart.description" . }}
{{ template "chart.versionBadge" . }}
{{ template "chart.typeBadge" . }}
{{ template "chart.appVersionBadge" . }}
{{ template "chart.homepageLine" . }}
{{ template "chart.requirementsSection" . }}
{{ template "chart.valuesSection" . }}
{{ template "helm-docs.versionFooter" . }}

0
charts/buoyant/linkerd-control-plane/2024.10.4/charts/partials/templates/NOTES.txt Normal file
View File

Some files were not shown because too many files have changed in this diff Show More