andata
/
rancher-partner-charts
mirror of https://git.rancher.io/partner-charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Added chart versions: 

airlock/microgateway:
    - 4.3.2
  airlock/microgateway-cni:
    - 4.3.2
  kong/kong:
    - 2.41.0
  linkerd/linkerd-control-plane:
    - 2024.8.3
  linkerd/linkerd-crds:
    - 2024.8.3
  redpanda/redpanda:
    - 5.9.2
pull/1059/head
github-actions[bot] 2024-08-30 00:54:54 +00:00
parent 8da9db9f73
commit bbe16ac3c4
401 changed files with 143140 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
assets/airlock/microgateway-4.3.2.tgz Normal file
View File

Binary file not shown.

BIN
assets/airlock/microgateway-cni-4.3.2.tgz Normal file
View File

Binary file not shown.

BIN
assets/kong/kong-2.41.0.tgz Normal file
View File

Binary file not shown.

BIN
assets/linkerd/linkerd-control-plane-2024.8.2.tgz
View File

Binary file not shown.

BIN
assets/linkerd/linkerd-control-plane-2024.8.3.tgz Normal file
View File

Binary file not shown.

BIN
assets/linkerd/linkerd-crds-2024.8.3.tgz Normal file
View File

Binary file not shown.

BIN
assets/redpanda/redpanda-5.9.2.tgz Normal file
View File

Binary file not shown.

27
charts/airlock/microgateway-cni/4.3.2/.helmignore Normal file
View File

@ -0,0 +1,27 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
# Helm unit tests
/tests
/validation

43
charts/airlock/microgateway-cni/4.3.2/Chart.yaml Normal file
View File

@ -0,0 +1,43 @@
annotations:
artifacthub.io/category: security
artifacthub.io/license: MIT
artifacthub.io/links: |
- name: Airlock Microgateway Documentation
url: https://docs.airlock.com/microgateway/4.3/
- name: Airlock Microgateway Labs
url: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=artifacthub.io
- name: Airlock Microgateway Forum
url: https://forum.airlock.com/
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Airlock Microgateway CNI
catalog.cattle.io/kube-version: '>=1.25.0-0'
catalog.cattle.io/release-name: microgateway-cni
charts.openshift.io/name: Airlock Microgateway CNI
apiVersion: v2
appVersion: 4.3.2
description: A Helm chart for deploying the Airlock Microgateway CNI plugin
home: https://www.airlock.com/en/microgateway
icon: file://assets/icons/microgateway-cni.svg
keywords:
- WAF
- Web Application Firewall
- WAAP
- Web Application and API protection
- OWASP
- Airlock
- Microgateway
- Security
- Filtering
- DevSecOps
- shift left
- CNI
kubeVersion: '>=1.25.0-0'
maintainers:
- email: support@airlock.com
name: Airlock
url: https://www.airlock.com/
name: microgateway-cni
sources:
- https://github.com/airlock/microgateway
type: application
version: 4.3.2

137
charts/airlock/microgateway-cni/4.3.2/README.md Normal file
View File

@ -0,0 +1,137 @@
# Airlock Microgateway CNI
![Version: 4.3.2](https://img.shields.io/badge/Version-4.3.2-informational?style=flat-square) ![AppVersion: 4.3.2](https://img.shields.io/badge/AppVersion-4.3.2-informational?style=flat-square)
*Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.*
<picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight_Negative.svg">
<source media="(prefers-color-scheme: light)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight.svg">
<img alt="Microgateway" src="https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight.svg" align="right" width="250">
</picture>
Modern application security is embedded in the development workflow and follows DevSecOps paradigms. Airlock Microgateway is the perfect fit for these requirements. It is a lightweight alternative to the Airlock Gateway appliance, optimized for Kubernetes environments. Airlock Microgateway protects your applications and microservices with the tried-and-tested Airlock security features against attacks, while also providing a high degree of scalability.
__This Helm chart is part of Airlock Microgateway. See our [GitHub repo](https://github.com/airlock/microgateway/tree/4.3.2).__
### Features
* Kubernetes native integration with its Operator, Custom Resource Definitions, hot-reload, automatic sidecar injection.
* Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction
* Using native Envoy HTTP filters like Lua scripting, RBAC, ext_authz, JWT authentication
* Content security filters for protecting against known attacks (OWASP Top 10)
* Access control using OpenID Connect to allow only authenticated users to access the protected services
* API security features like JSON parsing, OpenAPI specification enforcement or GraphQL schema validation
For a list of all features, view the **[comparison of the community and premium edition](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html)**.
## Documentation and links
Check the official documentation at **[docs.airlock.com](https://docs.airlock.com/microgateway/latest/)** or the product website at **[airlock.com/microgateway](https://www.airlock.com/en/microgateway)**. The links below point out the most interesting documentation sites when starting with Airlock Microgateway.
* [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html)
* [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html)
* [Installation](https://docs.airlock.com/microgateway/latest/#data/1660804708637.html)
* [Troubleshooting](https://docs.airlock.com/microgateway/latest/#data/1659430054787.html)
* [GitHub](https://github.com/airlock/microgateway)
# Quick start guide
The instructions below provide a quick start guide. Detailed information are provided in the **[manual](https://docs.airlock.com/microgateway/latest/)**.
## Prerequisites
* [helm](https://helm.sh/docs/intro/install/) (>= v3.8.0)
## Deploy Airlock Microgateway CNI
1. Install the CNI Plugin with Helm.
> **Note**: Certain environments such as OpenShift or GKE require non-default configurations when installing the CNI plugin. For the most common setups, values files are provided in the [chart folder](/deploy/charts/airlock-microgateway-cni).
```bash
# Standard setup
helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.3.2'
kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
```
```bash
# GKE setup
helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.3.2' -f https://raw.githubusercontent.com/airlock/microgateway/4.3.2/deploy/charts/airlock-microgateway-cni/gke-values.yaml
kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
```
```bash
# OpenShift setup
helm install airlock-microgateway-cni -n openshift-operators oci://quay.io/airlockcharts/microgateway-cni --version '4.3.2' -f https://raw.githubusercontent.com/airlock/microgateway/4.3.2/deploy/charts/airlock-microgateway-cni/openshift-values.yaml
kubectl -n openshift-operators rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
```
**Important:** On OpenShift, all pods which should be protected by Airlock Microgateway must explicitly reference the Airlock Microgateway CNI NetworkAttachmentDefinition via the annotation `k8s.v1.cni.cncf.io/networks` (see [documentation](https://docs.airlock.com/microgateway/latest/#data/1658483168033.html) for details).
2. (Recommended) You can verify the correctness of the installation with `helm test`.
```bash
# Standard and GKE setup
helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.2'
helm test airlock-microgateway-cni -n kube-system --logs
helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.2'
```
```bash
# OpenShift setup
helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.2'
helm test airlock-microgateway-cni -n openshift-operators --logs
helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.2'
```
Consult our [documentation](https://docs.airlock.com/microgateway/latest/#data/1699611533587.html) in case of any installation error.
## Support
### Premium support
If you have a paid license, please follow the [premium support process](https://techzone.ergon.ch/support-process).
### Community support
For the community edition, check our **[Airlock community forum](https://forum.airlock.com/)** for FAQs or register to post your question.
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes. |
| commonAnnotations | object | `{}` | Annotations to add to all resources. |
| commonLabels | object | `{}` | Labels to add to all resources. |
| config.cniBinDir | string | `"/opt/cni/bin"` | Directory where the CNI plugin binaries reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your Kubernetes node. |
| config.cniNetDir | string | `"/etc/cni/net.d"` | Directory where the CNI config files reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your Kubernetes node. |
| config.excludeNamespaces | list | `["kube-system"]` | Namespaces for which this CNI plugin should not apply any modifications. |
| config.installMode | string | `"chained"` | Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers), as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. |
| config.logLevel | string | `"info"` | Log level for the CNI installer and plugin. |
| fullnameOverride | string | `""` | Allows overriding the name to use as full name of resources. |
| image.digest | string | `"sha256:ed5ec546a65f0ae0bc3e058aafc1d2aa4848996b9f415fe6232486934443b460"` | SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). Overrides tag when specified. |
| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. |
| image.repository | string | `"quay.io/airlock/microgateway-cni"` | Image repository from which to pull the Airlock Microgateway CNI image. |
| image.tag | string | `"4.3.2"` | Image tag to pull. |
| imagePullSecrets | list | `[]` | ImagePullSecrets to use when pulling images. |
| multusNetworkAttachmentDefinition.create | bool | `false` | Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods. |
| multusNetworkAttachmentDefinition.namespace | string | `"default"` | Namespace in which the NetworkAttachmentDefinition is deployed. Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation |
| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway-cni". |
| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes. |
| podAnnotations | object | `{}` | Annotations to add to all Pods. |
| podLabels | object | `{}` | Labels to add to all Pods. |
| privileged | bool | `false` | Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift). |
| rbac.create | bool | `true` | Whether to create RBAC resources which are required for the CNI plugin to function. |
| rbac.createSCCRole | OpenShift | `false` | Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint. |
| resources | object | `{"requests":{"cpu":"10m","memory":"100Mi"}}` | Resource restrictions to apply to the CNI installer container. |
| serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. |
| serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. |
| serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. |
| tests.enabled | bool | `false` | Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). If set to false, `helm test` will not run any tests. |
## License
View the [detailed license terms](https://www.airlock.com/en/airlock-license) for the software contained in this image.
* Decompiling or reverse engineering is not permitted.
* Using any of the deny rules or parts of these filter patterns outside of the image is not permitted.
Airlock<sup>&#174;</sup> is a security innovation by [ergon](https://www.ergon.ch/en)
<!-- Airlock SAH Logo (different image for light/dark mode) -->
<a href="https://www.airlock.com/en/secure-access-hub/">
<picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo_Negative.png">
<source media="(prefers-color-scheme: light)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo.png">
<img alt="Airlock Secure Access Hub" src="https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo.png" width="150">
</picture>
</a>

4
charts/airlock/microgateway-cni/4.3.2/gke-values.yaml Normal file
View File

@ -0,0 +1,4 @@
# values for deploying on GKE
config:
cniBinDir: "/home/kubernetes/bin"

15
charts/airlock/microgateway-cni/4.3.2/openshift-values.yaml Normal file
View File

@ -0,0 +1,15 @@
# values for deploying on OpenShift
rbac:
createSCCRole: true
privileged: true
multusNetworkAttachmentDefinition:
create: true
namespace: default
config:
installMode: "standalone"
cniNetDir: "/etc/cni/multus/net.d"
cniBinDir: "/var/lib/cni/bin"

18
charts/airlock/microgateway-cni/4.3.2/questions.yml Normal file
View File

@ -0,0 +1,18 @@
questions:
- variable: config.cniNetDir
required: true
type: string
label: CNI Network Configuration Directory
group: "CNI Settings"
description: "Directory where the CNI config files reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your kubernetes host."
- variable: config.cniBinDir
required: true
type: string
label: CNI Plugin Binaries Directory
group: "CNI Settings"
description: "Directory where the CNI plugin binaries reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your kubernetes host."
- variable: config.installMode
required: true
label: CNI Plugin Installation Mode
group: "CNI Settings"
description: "Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers) as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. Please refer to the CNI installation documentation (https://github.com/airlock/microgateway?tab=readme-ov-file#deploy-airlock-microgateway-cni) to correctly setup the CNI Plugin for your environment."

15
charts/airlock/microgateway-cni/4.3.2/templates/NOTES.txt Normal file
View File

@ -0,0 +1,15 @@
Thank you for installing Airlock Microgateway CNI.
Please ensure that the helm values'.config.cniNetDir' and '.config.cniBinDir' are configured for your Kubernetes distribution.
For further information, consider our manual https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" . }}.
The chapter 'Setup > Installation' describes how to set those settings correctly.
Further information:
* Documentation: https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" . }}
* Airlock Microgateway Labs: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=helm
Next steps:
* Install Airlock Microgateway (if not done already)
https://artifacthub.io/packages/helm/airlock-microgateway/microgateway
Your release version is {{ .Chart.Version }}.

101
charts/airlock/microgateway-cni/4.3.2/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,101 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "airlock-microgateway-cni.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Convert an image configuration object into an image ref string.
*/}}
{{- define "airlock-microgateway-cni.image" -}}
{{- if .digest -}}
{{- printf "%s@%s" .repository .digest -}}
{{- else if .tag -}}
{{- printf "%s:%s" .repository .tag -}}
{{- else -}}
{{- printf "%s" .repository -}}
{{- end -}}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 50 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec)
and the longest suffix is 13 characters.
If release name contains chart name it will be used as a full name.
*/}}
{{- define "airlock-microgateway-cni.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 50 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 50 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 50 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "airlock-microgateway-cni.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "airlock-microgateway-cni.labels" -}}
helm.sh/chart: {{ include "airlock-microgateway-cni.chart" . }}
{{ include "airlock-microgateway-cni.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.commonLabels }}
{{ toYaml .}}
{{- end }}
{{- end }}
{{/*
Common labels without component
*/}}
{{- define "airlock-microgateway-cni.labelsWithoutComponent" -}}
{{- $labels := fromYaml (include "airlock-microgateway-cni.labels" .) -}}
{{ unset $labels "app.kubernetes.io/component" | toYaml }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "airlock-microgateway-cni.selectorLabels" -}}
app.kubernetes.io/component: cni-plugin-installer
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/name: {{ include "airlock-microgateway-cni.name" . }}
{{- end }}
{{/*
Create the name of the service account to use for the CNI Plugin
*/}}
{{- define "airlock-microgateway-cni.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "airlock-microgateway-cni.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{- define "airlock-microgateway-cni.isSemver" -}}
{{- regexMatch `^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$` . -}}
{{- end -}}
{{- define "airlock-microgateway-cni.docsVersion" -}}
{{- if and (eq "true" (include "airlock-microgateway-cni.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}}
{{- $version := (semver .Chart.AppVersion) -}}
{{- $version.Major }}.{{ $version.Minor -}}
{{- else -}}
{{- print "latest" -}}
{{- end -}}
{{- end -}}

22
charts/airlock/microgateway-cni/4.3.2/templates/clusterrole.yaml Normal file
View File

@ -0,0 +1,22 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- patch
{{- end -}}

20
charts/airlock/microgateway-cni/4.3.2/templates/clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,20 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "airlock-microgateway-cni.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end -}}

22
charts/airlock/microgateway-cni/4.3.2/templates/configmap.yaml Normal file
View File

@ -0,0 +1,22 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
data:
plugin-conf.json: |-
{
"type": "{{ include "airlock-microgateway-cni.fullname" . }}",
"debug": {{ eq .Values.config.logLevel "debug" }},
"logFilePath": "/var/log/{{ include "airlock-microgateway-cni.fullname" . }}.log",
"kubernetes": {
"kubeconfig": "{{ .Values.config.cniNetDir }}/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig",
"excludeNamespaces": {{ toJson .Values.config.excludeNamespaces }}
}
}

136
charts/airlock/microgateway-cni/4.3.2/templates/daemonset.yaml Normal file
View File

@ -0,0 +1,136 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "airlock-microgateway-cni.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
kubectl.kubernetes.io/default-container: cni-installer
{{- with mustMerge .Values.podAnnotations .Values.commonAnnotations}}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- args:
- --log-level
- "{{ .Values.config.logLevel }}"
env:
- name: CNI_NETWORK_CONFIG
valueFrom:
configMapKeyRef:
key: plugin-conf.json
name: {{ include "airlock-microgateway-cni.fullname" . }}
- name: CNI_BIN_DIR
value: /host/opt/cni/bin
- name: CNI_NET_DIR
value: /host/etc/cni/net.d
- name: KUBECONFIG_FILE_NAME
value: "{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig"
- name: INSTALL_MODE
value: {{ .Values.config.installMode }}
- name: KUBERNETES_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
image: {{ include "airlock-microgateway-cni.image" .Values.image }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
name: cni-installer
{{- with .Values.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
startupProbe:
exec:
command:
- /cni-installer
- probe
failureThreshold: 5
initialDelaySeconds: 3
periodSeconds: 3
timeoutSeconds: 3
readinessProbe:
exec:
command:
- /cni-installer
- probe
failureThreshold: 1
periodSeconds: 60
timeoutSeconds: 3
securityContext:
allowPrivilegeEscalation: {{ .Values.privileged }}
capabilities:
drop:
- ALL
privileged: {{ .Values.privileged }}
readOnlyRootFilesystem: true
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /host/opt/cni/bin
name: cni-bin-dir
- mountPath: /host/etc/cni/net.d
name: cni-net-dir
- mountPath: /run/cni-installer
name: cni-installer-status
hostNetwork: true
priorityClassName: system-node-critical
restartPolicy: Always
securityContext:
fsGroup: 0
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
serviceAccountName: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
terminationGracePeriodSeconds: 5
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
tolerations:
- effect: NoSchedule
operator: Exists
- key: CriticalAddonsOnly
operator: Exists
- effect: NoExecute
operator: Exists
volumes:
- hostPath:
path: "{{ .Values.config.cniBinDir }}"
type: Directory
name: cni-bin-dir
- hostPath:
path: "{{ .Values.config.cniNetDir }}"
type: Directory
name: cni-net-dir
- emptyDir: {}
name: cni-installer-status

13
charts/airlock/microgateway-cni/4.3.2/templates/network-attachment-definition.yaml Normal file
View File

@ -0,0 +1,13 @@
{{- if .Values.multusNetworkAttachmentDefinition.create -}}
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
namespace: {{ .Values.multusNetworkAttachmentDefinition.namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}

22
charts/airlock/microgateway-cni/4.3.2/templates/scc-role.yaml Normal file
View File

@ -0,0 +1,22 @@
{{- if .Values.rbac.createSCCRole -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- security.openshift.io
resourceNames:
- privileged
resources:
- securitycontextconstraints
verbs:
- use
{{- end -}}

20
charts/airlock/microgateway-cni/4.3.2/templates/scc-rolebinding.yaml Normal file
View File

@ -0,0 +1,20 @@
{{- if .Values.rbac.createSCCRole -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged
subjects:
- kind: ServiceAccount
name: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
{{- end -}}

13
charts/airlock/microgateway-cni/4.3.2/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,13 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with mustMerge .Values.serviceAccount.annotations .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}

64
charts/airlock/microgateway-cni/4.3.2/templates/tests/rbac.yaml Normal file
View File

@ -0,0 +1,64 @@
{{- if .Values.tests.enabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }}
app.kubernetes.io/component: tests
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }}
app.kubernetes.io/component: tests
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
subjects:
- kind: ServiceAccount
name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }}
app.kubernetes.io/component: tests
rules:
- apiGroups:
- "apps"
resources:
- daemonsets
resourceNames:
- {{ include "airlock-microgateway-cni.fullname" . }}
verbs:
- get
- watch
- list
- apiGroups:
- ""
resources:
- pods
- pods/log
verbs:
- get
- list
{{- if .Values.rbac.createSCCRole }}
- apiGroups:
- security.openshift.io
resourceNames:
- privileged
resources:
- securitycontextconstraints
verbs:
- use
{{- end -}}
{{- end -}}

103
charts/airlock/microgateway-cni/4.3.2/templates/tests/test-install.yaml Normal file
View File

@ -0,0 +1,103 @@
{{- if .Values.tests.enabled -}}
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "airlock-microgateway-cni.fullname" . }}-test-install"
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }}
app.kubernetes.io/component: test-install
annotations:
helm.sh/hook: test
helm.sh/hook-delete-policy: before-hook-creation
spec:
restartPolicy: Never
containers:
- name: test
image: "bitnami/kubectl:{{ .Capabilities.KubeVersion.Major }}.{{ .Capabilities.KubeVersion.Minor }}"
securityContext:
allowPrivilegeEscalation: {{ .Values.privileged }}
capabilities:
drop:
- ALL
privileged: {{ .Values.privileged }}
readOnlyRootFilesystem: true
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /host/opt/cni/bin
name: cni-bin-dir
readOnly: true
- mountPath: /host/etc/cni/net.d
name: cni-net-dir
readOnly: true
command:
- sh
- -c
- |
set -eu
fail() {
echo "Error: ${1}"
echo ""
echo 'CNI installer logs:'
kubectl logs -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}} -c cni-installer
exit 1
}
containsMGWCNIConf() {
cat "${1}" | grep -qe '"type":.*"{{ include "airlock-microgateway-cni.fullname" . }}"'
}
if ! kubectl rollout status --timeout=60s -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}}; then
fail 'CNI DaemonSet rollout did not complete within timeout'
fi
echo "Checking whether CNI binary was installed"
if ! [ -f "/host/opt/cni/bin/{{ include "airlock-microgateway-cni.fullname" . }}" ]; then
fail 'CNI binary was not installed'
fi
echo "Checking whether CNI kubeconfig was installed"
if ! [ -f "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig" ]; then
fail 'CNI kubeconfig was not created'
fi
echo "Checking whether CNI configuration was written"
case {{ .Values.config.installMode }} in
"chained")
for file in "/host/etc/cni/net.d/"*.conflist; do
if containsMGWCNIConf "${file}"; then
echo "Success"
exit 0
fi
done
;;
"standalone")
if containsMGWCNIConf "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . }}.conflist"; then
echo "Success"
exit 0
fi
;;
"manual")
echo "- Skipping because we are in 'manual' install mode"
echo "Success"
exit 0
;;
esac
fail 'Configuration for plugin "{{ include "airlock-microgateway-cni.fullname" . }}" was not found'
serviceAccountName: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
volumes:
- hostPath:
path: "{{ .Values.config.cniBinDir }}"
type: Directory
name: cni-bin-dir
- hostPath:
path: "{{ .Values.config.cniNetDir }}"
type: Directory
name: cni-net-dir
{{- end -}}

225
charts/airlock/microgateway-cni/4.3.2/values.schema.json Normal file
View File

@ -0,0 +1,225 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"type": "object",
"properties": {
"nameOverride": {
"type": "string"
},
"fullnameOverride": {
"type": "string"
},
"commonLabels": {
"$ref": "#/definitions/StringMap"
},
"commonAnnotations": {
"$ref": "#/definitions/StringMap"
},
"imagePullSecrets": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"minLength": 1
}
},
"required": [
"name"
],
"additionalProperties": true
}
},
"image": {
"$ref": "#/definitions/Image"
},
"podAnnotations": {
"$ref": "#/definitions/StringMap"
},
"podLabels": {
"$ref": "#/definitions/StringMap"
},
"resources": {
"type": "object"
},
"nodeSelector": {
"$ref": "#/definitions/StringMap"
},
"affinity": {
"type": "object"
},
"rbac": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"createSCCRole": {
"type": "boolean"
}
},
"required": [
"create",
"createSCCRole"
],
"additionalProperties": false
},
"privileged": {
"type": "boolean"
},
"serviceAccount": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"annotations": {
"$ref": "#/definitions/StringMap"
},
"name": {
"type": "string"
}
},
"required": [
"annotations",
"create",
"name"
],
"additionalProperties": false
},
"multusNetworkAttachmentDefinition": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"namespace": {
"type": "string"
}
},
"required": [
"create",
"namespace"
],
"additionalProperties": false
},
"config": {
"type": "object",
"properties": {
"installMode": {
"type": "string",
"enum": [
"chained",
"standalone",
"manual"
]
},
"logLevel": {
"type": "string",
"enum": [
"debug",
"info",
"warn",
"error"
]
},
"cniNetDir": {
"type": "string",
"minLength": 1
},
"cniBinDir": {
"type": "string",
"minLength": 1
},
"excludeNamespaces": {
"type": "array",
"items": {
"type": "string"
}
}
},
"required": [
"cniBinDir",
"cniNetDir",
"excludeNamespaces",
"installMode",
"logLevel"
],
"additionalProperties": false
},
"tests": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
}
},
"required": [
"enabled"
],
"additionalProperties": false
},
"global": {
"type": "object"
}
},
"required": [
"affinity",
"commonAnnotations",
"commonLabels",
"config",
"fullnameOverride",
"image",
"imagePullSecrets",
"multusNetworkAttachmentDefinition",
"nameOverride",
"nodeSelector",
"podAnnotations",
"podLabels",
"privileged",
"rbac",
"resources",
"serviceAccount",
"tests"
],
"additionalProperties": false,
"definitions": {
"StringMap": {
"type": "object",
"additionalProperties": {
"type": "string"
}
},
"Image": {
"type": "object",
"properties": {
"repository": {
"type": "string",
"minLength": 1
},
"tag": {
"type": "string"
},
"digest": {
"type": "string",
"pattern": "^$|^sha256:[a-f0-9]{64}$"
},
"pullPolicy": {
"type": "string",
"enum": [
"Always",
"IfNotPresent",
"Never"
]
}
},
"required": [
"digest",
"pullPolicy",
"repository",
"tag"
],
"additionalProperties": false
}
}
}

85
charts/airlock/microgateway-cni/4.3.2/values.yaml Normal file
View File

@ -0,0 +1,85 @@
# -- Allows overriding the name to use instead of "microgateway-cni".
nameOverride: ""
# -- Allows overriding the name to use as full name of resources.
fullnameOverride: ""
# -- Labels to add to all resources.
commonLabels: {}
# -- Annotations to add to all resources.
commonAnnotations: {}
# -- ImagePullSecrets to use when pulling images.
imagePullSecrets: []
# - name: myRegistryKeySecretName
# Specifies the Airlock Microgateway CNI image.
image:
# -- Image repository from which to pull the Airlock Microgateway CNI image.
repository: "quay.io/airlock/microgateway-cni"
# -- Image tag to pull.
tag: "4.3.2"
# -- SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a").
# Overrides tag when specified.
digest: "sha256:ed5ec546a65f0ae0bc3e058aafc1d2aa4848996b9f415fe6232486934443b460"
# -- Pull policy for this image.
pullPolicy: IfNotPresent
# -- Annotations to add to all Pods.
podAnnotations: {}
# -- Labels to add to all Pods.
podLabels: {}
# -- Resource restrictions to apply to the CNI installer container.
resources:
requests:
cpu: 10m
memory: 100Mi
# -- NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes.
nodeSelector:
kubernetes.io/os: linux
# -- Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes.
affinity: {}
# Configures the generation of RBAC Roles and RoleBindings.
rbac:
# -- Whether to create RBAC resources which are required for the CNI plugin to function.
create: true
# -- (OpenShift) Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint.
createSCCRole: false
# -- Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift).
privileged: false
# Configures the generation of the ServiceAccount.
serviceAccount:
# -- Whether a ServiceAccount should be created.
create: true
# -- Annotations to add to the ServiceAccount.
annotations: {}
# -- Name of the ServiceAccount to use.
# If not set and create is true, a name is generated using the fullname template.
name: ""
# Configures the generation of a NetworkAttachmentDefinition for use with Multus CNI (OpenShift)
multusNetworkAttachmentDefinition:
# -- Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods.
create: false
# -- Namespace in which the NetworkAttachmentDefinition is deployed.
# Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces
# may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation
namespace: default
# Parameters for the CNI installer configuration.
config:
# -- Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers),
# as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift)
# or in `manual` mode, where no CNI network configuration is written.
installMode: "chained"
# -- Log level for the CNI installer and plugin.
logLevel: info
# -- Directory where the CNI config files reside on the host.
# This path can either be found in the documentation of your Kubernetes distribution or CNI provider.
# It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your Kubernetes node.
cniNetDir: "/etc/cni/net.d"
# -- Directory where the CNI plugin binaries reside on the host.
# This path can either be found in the documentation of your Kubernetes distribution or CNI provider.
# It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your Kubernetes node.
cniBinDir: "/opt/cni/bin"
# -- Namespaces for which this CNI plugin should not apply any modifications.
excludeNamespaces:
- kube-system
tests:
# -- Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts).
# If set to false, `helm test` will not run any tests.
enabled: false

28
charts/airlock/microgateway/4.3.2/.helmignore Normal file
View File

@ -0,0 +1,28 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
# CRDs kustomization.yaml
/crds/kustomization.yaml
# Helm unit tests
/tests
/validation

44
charts/airlock/microgateway/4.3.2/Chart.yaml Normal file
View File

@ -0,0 +1,44 @@
annotations:
artifacthub.io/category: security
artifacthub.io/license: MIT
artifacthub.io/links: |
- name: Airlock Microgateway Documentation
url: https://docs.airlock.com/microgateway/4.3/
- name: Airlock Microgateway Labs
url: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=artifacthub.io
- name: Airlock Microgateway Forum
url: https://forum.airlock.com/
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Airlock Microgateway
catalog.cattle.io/kube-version: '>=1.25.0-0'
catalog.cattle.io/release-name: microgateway
charts.openshift.io/name: Airlock Microgateway
apiVersion: v2
appVersion: 4.3.2
description: A Helm chart for deploying the Airlock Microgateway
home: https://www.airlock.com/en/microgateway
icon: file://assets/icons/microgateway.svg
keywords:
- WAF
- Web Application Firewall
- WAAP
- Web Application and API protection
- OWASP
- Airlock
- Microgateway
- Security
- Filtering
- DevSecOps
- shift left
- control plane
- Operator
kubeVersion: '>=1.25.0-0'
maintainers:
- email: support@airlock.com
name: Airlock
url: https://www.airlock.com/
name: microgateway
sources:
- https://github.com/airlock/microgateway
type: application
version: 4.3.2

180
charts/airlock/microgateway/4.3.2/README.md Normal file
View File

@ -0,0 +1,180 @@
# Airlock Microgateway
![Version: 4.3.2](https://img.shields.io/badge/Version-4.3.2-informational?style=flat-square) ![AppVersion: 4.3.2](https://img.shields.io/badge/AppVersion-4.3.2-informational?style=flat-square)
*Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.*
<picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight_Negative.svg">
<source media="(prefers-color-scheme: light)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight.svg">
<img alt="Microgateway" src="https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight.svg" align="right" width="250">
</picture>
Modern application security is embedded in the development workflow and follows DevSecOps paradigms. Airlock Microgateway is the perfect fit for these requirements. It is a lightweight alternative to the Airlock Gateway appliance, optimized for Kubernetes environments. Airlock Microgateway protects your applications and microservices with the tried-and-tested Airlock security features against attacks, while also providing a high degree of scalability.
__This Helm chart is part of Airlock Microgateway. See our [GitHub repo](https://github.com/airlock/microgateway/tree/4.3.2).__
### Features
* Kubernetes native integration with its Operator, Custom Resource Definitions, hot-reload, automatic sidecar injection.
* Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction
* Using native Envoy HTTP filters like Lua scripting, RBAC, ext_authz, JWT authentication
* Content security filters for protecting against known attacks (OWASP Top 10)
* Access control using OpenID Connect to allow only authenticated users to access the protected services
* API security features like JSON parsing, OpenAPI specification enforcement or GraphQL schema validation
For a list of all features, view the **[comparison of the community and premium edition](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html)**.
## Documentation and links
Check the official documentation at **[docs.airlock.com](https://docs.airlock.com/microgateway/latest/)** or the product website at **[airlock.com/microgateway](https://www.airlock.com/en/microgateway)**. The links below point out the most interesting documentation sites when starting with Airlock Microgateway.
* [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html)
* [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html)
* [Installation](https://docs.airlock.com/microgateway/latest/#data/1660804708637.html)
* [Troubleshooting](https://docs.airlock.com/microgateway/latest/#data/1659430054787.html)
* [GitHub](https://github.com/airlock/microgateway)
# Quick start guide
The instructions below provide a quick start guide. Detailed information are provided in the **[manual](https://docs.airlock.com/microgateway/latest/)**.
## Prerequisites
* [Airlock Microgateway CNI](https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni)
* [Airlock Microgateway License](#obtain-airlock-microgateway-license)
* [cert-manager](https://cert-manager.io/)
* [helm](https://helm.sh/docs/intro/install/) (>= v3.8.0)
In order to use Airlock Microgateway you need a license and the cert-manager. You may either request a community license free of charge or purchase a premium license.
For an easy start in non-production environments, you may deploy the same cert-manager we are using internally for testing.
### Obtain Airlock Microgateway License
1. Either request a community or premium license
* Community license: [airlock.com/microgateway-community](https://airlock.com/en/microgateway-community)
* Premium license: [airlock.com/microgateway-premium](https://airlock.com/en/microgateway-premium)
2. Check your inbox and save the license file microgateway-license.txt locally.
> See [Community vs. Premium editions in detail](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html) to choose the right license type.
### Deploy cert-manager
```bash
helm repo add jetstack https://charts.jetstack.io
helm install cert-manager jetstack/cert-manager --version '1.15.1' -n cert-manager --create-namespace --set crds.enabled=true --wait
```
## Deploy Airlock Microgateway Operator
> This guide assumes a microgateway-license.txt file is present in the working directory.
1. Install CRDs and Operator.
```bash
# Create namespace
kubectl create namespace airlock-microgateway-system
# Install License
kubectl -n airlock-microgateway-system create secret generic airlock-microgateway-license --from-file=microgateway-license.txt
# Install Operator (CRDs are included via the standard Helm 3 mechanism, i.e. Helm will handle initial installation but not upgrades)
helm install airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway --version '4.3.2' --wait
```
2. (Recommended) You can verify the correctness of the installation with `helm test`.
```bash
helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.3.2'
helm test airlock-microgateway -n airlock-microgateway-system --logs
helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.3.2'
```
### Upgrading CRDs
The `helm install/upgrade` command currently does not support upgrading CRDs that already exist in the cluster.
CRDs should instead be manually upgraded before upgrading the Operator itself via the following command:
```bash
kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=4.3.2 --server-side --force-conflicts
```
**Note**: Certain GitOps solutions such as e.g. Argo CD or Flux CD have their own mechanisms for automatically upgrading CRDs included with Helm charts.
## Support
### Premium support
If you have a paid license, please follow the [premium support process](https://techzone.ergon.ch/support-process).
### Community support
For the community edition, check our **[Airlock community forum](https://forum.airlock.com/)** for FAQs or register to post your question.
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| commonAnnotations | object | `{}` | Annotations to add to all resources. |
| commonLabels | object | `{}` | Labels to add to all resources. |
| crds.skipVersionCheck | bool | `false` | Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs. The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster when performing a "helm install/upgrade". |
| dashboards.config.grafana.dashboardLabel.name | string | `"grafana_dashboard"` | Name of the label that lets Grafana identify ConfigMaps that represent dashboards. |
| dashboards.config.grafana.dashboardLabel.value | string | `"1"` | Value of the label that lets Grafana identify ConfigMaps that represent dashboards. |
| dashboards.config.grafana.folderAnnotation.name | string | `"grafana_folder"` | Name of the annotation containing the folder name to file dashboards into. |
| dashboards.config.grafana.folderAnnotation.value | string | `"Airlock Microgateway"` | Name of the folder dashboards are filed into within the Grafana UI. |
| dashboards.create | bool | `false` | Whether to create any ConfigMaps containing Grafana dashboards to import. |
| dashboards.instances.blockLogs.create | bool | `true` | Whether to create the block logs dashboard. |
| dashboards.instances.blockMetrics.create | bool | `true` | Whether to create the block metrics dashboard. |
| dashboards.instances.license.create | bool | `true` | Whether to create the license dashboard. |
| dashboards.instances.overview.create | bool | `true` | Whether to create the overview dashboard. |
| engine.image.digest | string | `"sha256:8d42759d999e6b69efa9ef1ecfdc84dc1f8f6f1ca822c8d2d3ef8ff1e335b9c9"` | SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). Overrides tag when specified. |
| engine.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. |
| engine.image.repository | string | `"quay.io/airlock/microgateway-engine"` | Image repository from which to pull the Airlock Microgateway Engine image. |
| engine.image.tag | string | `"4.3.2"` | Image tag to pull. |
| engine.resources | object | `{}` | Resource restrictions to apply to the Airlock Microgateway Engine container. |
| engine.sidecar.podMonitor.create | bool | `false` | Whether to create a PodMonitor resource for monitoring. |
| engine.sidecar.podMonitor.labels | object | `{}` | Labels to add to the PodMonitor. |
| fullnameOverride | string | `""` | Allows overriding the name to use as full name of resources. |
| imagePullSecrets | list | `[]` | ImagePullSecrets to use when pulling images. |
| license.secretName | string | `"airlock-microgateway-license"` | Name of the secret containing the "microgateway-license.txt" key. |
| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway". |
| networkValidator.image.digest | string | `"sha256:d1c484f4b9ea6218e2b1925f6b08d54dd352c7aaf653977bbbbeeb21eb3e19dd"` | SHA256 image digest to pull (in the format "sha256:d1c484f4b9ea6218e2b1925f6b08d54dd352c7aaf653977bbbbeeb21eb3e19dd"). Overrides tag when specified. |
| networkValidator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. |
| networkValidator.image.repository | string | `"cgr.dev/chainguard/netcat"` | Image repository from which to pull the netcat image for the Airlock Microgateway Network Validator init-container. |
| networkValidator.image.tag | string | `""` | Image tag to pull. |
| operator.affinity | object | `{}` | Custom affinity to apply to the operator Deployment. Used to influence the scheduling. |
| operator.config.logLevel | string | `"info"` | Operator application log level. |
| operator.image.digest | string | `"sha256:d22f2ca35603b805caa67dd07aba524c3e4d68c3b59f7ddfc0e22e7fc09a200c"` | SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63"). Overrides tag when specified. |
| operator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. |
| operator.image.repository | string | `"quay.io/airlock/microgateway-operator"` | Image repository from which to pull the Airlock Microgateway Operator image. |
| operator.image.tag | string | `"4.3.2"` | Image tag to pull. |
| operator.nodeSelector | object | `{}` | Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes. |
| operator.podAnnotations | object | `{}` | Annotations to add to all Pods. |
| operator.podLabels | object | `{}` | Labels to add to all Pods. |
| operator.rbac.create | bool | `true` | Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function. |
| operator.replicaCount | int | `2` | Number of replicas for the operator Deployment. |
| operator.resources | object | `{}` | Resource restrictions to apply to the operator container. |
| operator.serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. |
| operator.serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. |
| operator.serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. |
| operator.serviceAnnotations | object | `{}` | Annotations to add to the Service. |
| operator.serviceLabels | object | `{}` | Labels to add to the Service. |
| operator.serviceMonitor.create | bool | `false` | Whether to create a ServiceMonitor resource for monitoring. |
| operator.serviceMonitor.labels | object | `{}` | Labels to add to the ServiceMonitor. |
| operator.tolerations | list | `[]` | Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes. |
| operator.updateStrategy | object | `{"type":"RollingUpdate"}` | Specifies the operator update strategy. |
| operator.watchNamespaceSelector | object | `{}` | Allows to dynamically select watch namespaces of the operator and the scope of the webhooks based on a Namespace label selector. It is able to detect and reconcile resources in all namespaces that match the label selector automatically, even for new namespaces, without restarting the operator. This facilitates a dynamic `MultiNamespace` installation mode, but still requires cluster-scoped permissions (i.e., ClusterRoles and ClusterRoleBindings). An `AllNamespaces` installation or the usage of the `watchNamespaces` requires the `watchNamespaceSelector` to be empty. Please note that this feature requires a Premium license. |
| operator.watchNamespaces | list | `[]` | Allows to restrict the operator to specific namespaces, depending on your needs. For a `OwnNamespace` or `SingleNamespace` installation the list may only contain one namespace (e.g., `watchNamespaces: ["airlock-microgateway-system"]`). In case of the `OwnNamespace` installation mode the specified namespace should be equal to the installation namespace. For a static `MultiNamespace` installation, the complete list of namespaces must be provided in the `watchNamespaces`. An `AllNamespaces` installation or the usage of the `watchNamespaceSelector` requires the `watchNamespaces` to be empty. Regardless of the installation modes supported by `watchNamespaces`, RBAC is created only namespace-scoped (using Roles and RoleBindings) in the respective namespaces. Please note that this feature requires a Premium license. |
| sessionAgent.image.digest | string | `"sha256:d487f4099c267310debffe5d5cac168deeddf6082dafbee352550f2792b9609c"` | SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). Overrides tag when specified. |
| sessionAgent.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. |
| sessionAgent.image.repository | string | `"quay.io/airlock/microgateway-session-agent"` | Image repository from which to pull the Airlock Microgateway Session Agent image. |
| sessionAgent.image.tag | string | `"4.3.2"` | Image tag to pull. |
| sessionAgent.resources | object | `{}` | Resource restrictions to apply to the Airlock Microgateway Session Agent container. |
| tests.enabled | bool | `false` | Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). If set to false, `helm test` will not run any tests. |
## License
View the [detailed license terms](https://www.airlock.com/en/airlock-license) for the software contained in this image.
* Decompiling or reverse engineering is not permitted.
* Using any of the deny rules or parts of these filter patterns outside of the image is not permitted.
Airlock<sup>&#174;</sup> is a security innovation by [ergon](https://www.ergon.ch/en)
<!-- Airlock SAH Logo (different image for light/dark mode) -->
<a href="https://www.airlock.com/en/secure-access-hub/">
<picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo_Negative.png">
<source media="(prefers-color-scheme: light)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo.png">
<img alt="Airlock Secure Access Hub" src="https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo.png" width="150">
</picture>
</a>

28
charts/airlock/microgateway/4.3.2/app-readme.md Normal file
View File

@ -0,0 +1,28 @@
# Airlock Microgateway
*Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.*
## Features
* Kubernetes native integration with its Operator, Custom Resource Definitions, hot-reload, automatic sidecar injection.
* Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction
* Using native Envoy HTTP filters like Lua scripting, RBAC, ext_authz, JWT authentication
* Content security filters for protecting against known attacks (OWASP Top 10)
* Access control to allow only authenticated users to access the protected services
* API security features like JSON parsing or OpenAPI specification enforcement
For a list of all features, view the **[comparison of the community and premium edition](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html)**.
## Requirements
* [Airlock Microgateway CNI Helm Chart](https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni) (Also available as Rancher Chart)
* [Airlock Microgateway License](https://github.com/airlock/microgateway?tab=readme-ov-file#obtain-airlock-microgateway-license) (After obtaining the license install it according to the [documentation](https://github.com/airlock/microgateway?tab=readme-ov-file#deploy-airlock-microgateway-operator))
* [cert-manager](https://cert-manager.io/docs/installation/)
## Documentation and links
Check the official documentation at **[docs.airlock.com](https://docs.airlock.com/microgateway/latest/)** or the product website at **[airlock.com/microgateway](https://www.airlock.com/en/microgateway)**. The links below point out the most interesting documentation sites when starting with Airlock Microgateway.
* [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html)
* [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html)
* [Installation](https://docs.airlock.com/microgateway/latest/#data/1660804708637.html)
* [Troubleshooting](https://docs.airlock.com/microgateway/latest/#data/1659430054787.html)
* [GitHub](https://github.com/airlock/microgateway)

124
charts/airlock/microgateway/4.3.2/crds/accesscontrols.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,124 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.3.2
name: accesscontrols.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: AccessControl
listKind: AccessControlList
plural: accesscontrols
singular: accesscontrol
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: AccessControl specifies the options to perform access control with a Microgateway Engine container.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specifies how the Airlock Microgateway Engine performs access control.
properties:
policies:
description: Policies configures access control policies.
items:
properties:
authorization:
description: Authorization configures how requests are authorized. An empty object value {} disables authorization.
properties:
authentication:
description: Authentication specifies that clients need to be authenticated with the provided method.
properties:
oidc:
description: OIDC configures client authentication using OpenID Connect.
properties:
oidcRelyingPartyRef:
description: OIDCRelyingPartyRef configures how the Airlock Microgateway Engine interacts with the OpenID provider.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- oidcRelyingPartyRef
type: object
type: object
type: object
identityPropagation:
description: IdentityPropagation configures how the authenticated user's identity is communicated to the protected application.
properties:
actions:
description: Actions specifies the propagation actions.
items:
properties:
identityPropagationRef:
description: IdentityPropagationRef selects an IdentityPropagation to apply.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- identityPropagationRef
type: object
type: array
onFailure:
description: |-
OnFailure configures what should happen, if an identity propagation fails. Meaning of the possible values:
_Pass_: The request should be forwarded to the upstream, without including the information from the failed identity propagations.
enum:
- Pass
type: string
required:
- actions
- onFailure
type: object
required:
- authorization
type: object
maxItems: 1
minItems: 1
type: array
required:
- policies
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}

139
charts/airlock/microgateway/4.3.2/crds/contentsecurities.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,139 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.3.2
name: contentsecurities.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: ContentSecurity
listKind: ContentSecurityList
plural: contentsecurities
singular: contentsecurity
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: ContentSecurity specifies the options to secure an upstream web application with a Microgateway Engine container.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specifies the options to secure an upstream web application with a Microgateway Engine container.
properties:
apiProtection:
description: |-
APIProtection defines the relevant configurations to protect APIs.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
graphQLRef:
description: |-
GraphQLRef selects the relevant GraphQL configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
openAPIRef:
description: |-
OpenAPIRef selects the relevant OpenAPI configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: object
filter:
description: |-
Filter defines the set of filters, e.g. Airlock Deny Rules, to be applied to incoming requests
to protect against various attack patterns.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
denyRulesRef:
description: |-
DenyRulesRef selects the relevant DenyRules configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: object
headerRewritesRef:
description: |-
HeaderRewritesRef selects the relevant HeaderRewrites.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
limitsRef:
description: |-
LimitsRef selects the relevant Limits configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
parserRef:
description: |-
ParserRef selects the relevant Parser configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: object
type: object
served: true
storage: true
subresources: {}

1804
charts/airlock/microgateway/4.3.2/crds/denyrules.microgateway.airlock.com.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

58
charts/airlock/microgateway/4.3.2/crds/envoyclusters.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,58 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.3.2
name: envoyclusters.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: EnvoyCluster
listKind: EnvoyClusterList
plural: envoyclusters
singular: envoycluster
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: EnvoyCluster is an additional Envoy Cluster resource which is added to those defined by the Airlock Microgateway.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired additional Envoy cluster.
properties:
value:
description: Value defines the Envoy Cluster which is added to those configured by the Airlock Microgateway.
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
served: true
storage: true
subresources: {}

185
charts/airlock/microgateway/4.3.2/crds/envoyconfigurations.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,185 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.3.2
name: envoyconfigurations.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: EnvoyConfiguration
listKind: EnvoyConfigurationList
plural: envoyconfigurations
singular: envoyconfiguration
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.status
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
EnvoyConfiguration is the Schema for the envoyconfigurations API
{{% notice warning %}} EnvoyConfiguration resources may contain sensitive information and thus RBAC permissions should be granted with care. {{% /notice %}}
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: EnvoyConfigurationSpec defines the desired state of EnvoyConfiguration
properties:
envoyResources:
properties:
clusters:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
endpoints:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
extensions:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
listeners:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
routes:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
runtimes:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
scopedRoutes:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
secrets:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
type: object
envoyResourcesRaw:
description: |-
EnvoyResourcesRaw defines the desired state for each resource type. The resources are stored as zstd compressed JSON bytes.
For debugging purposes, the resources can be inspected with the following command: `kubectl get envoyconfiguration <name> -ojsonpath='{.spec.envoyResourcesRaw}' | base64 -d | zstd -d | jq`
format: byte
type: string
nodeID:
description: '**Deprecated:** This field is now ignored as NodeID is always derived from the resource name.'
type: string
type: object
status:
description: EnvoyConfigurationStatus defines the observed state of EnvoyConfiguration
properties:
conditions:
items:
properties:
lastTransitionTime:
description: Last time the condition transitioned from one status to another.
format: date-time
type: string
message:
description: A human-readable message indicating details about the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of EnvoyConfiguration condition.
type: string
required:
- status
- type
type: object
type: array
status:
type: string
xds:
properties:
resourceTypes:
additionalProperties:
description: XdsResourceTypeSyncStatus defines the sync status of xDS for a specific resource type
properties:
errorMessage:
description: ErrorMessage defines an optional message why the currently served resources of this resource type are rejected by the client.
type: string
resources:
additionalProperties:
description: XdsResourceStatus defines the status of xDS for a specific resource
properties:
version:
description: Version defines the version which is currently served for this resource.
type: string
required:
- version
type: object
description: Resources defines the resources which are currently served for this resource type.
type: object
status:
description: Status defines the current sync status of this resource type.
type: string
version:
description: Version defines the version which is currently served for this resource type.
type: string
required:
- resources
- status
- version
type: object
description: ResourceTypes defines the sync statuses for each resource type.
type: object
version:
description: Version defines the version of the underlying xDS snapshot.
type: integer
required:
- version
type: object
required:
- status
- xds
type: object
type: object
served: true
storage: true
subresources:
status: {}

58
charts/airlock/microgateway/4.3.2/crds/envoyhttpfilters.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,58 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.3.2
name: envoyhttpfilters.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: EnvoyHTTPFilter
listKind: EnvoyHTTPFilterList
plural: envoyhttpfilters
singular: envoyhttpfilter
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: EnvoyHTTPFilter is an additional Envoy HTTP Filter resource which is added to those defined by the Airlock Microgateway.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired additional Envoy HTTP filter.
properties:
value:
description: Value defines the HTTP filter which is added to those configured by the Airlock Microgateway.
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
served: true
storage: true
subresources: {}

88
charts/airlock/microgateway/4.3.2/crds/graphqls.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,88 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.3.2
name: graphqls.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: GraphQL
listKind: GraphQLList
plural: graphqls
singular: graphql
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: GraphQL contains the configuration for the GraphQL specification.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired GraphQL specification.
properties:
settings:
description: Settings defines the settings to configure GraphQL.
properties:
allowIntrospection:
default: true
description: AllowIntrospection specifies if the introspection system is exposed.
type: boolean
allowMutations:
default: true
description: AllowMutations specifies if mutations are allowed.
type: boolean
schema:
description: Specifies the GraphQL schema.
properties:
source:
description: Source specifies the GraphQL schema to be enforced.
properties:
configMapRef:
description: ConfigMapRef references the configmap by its name containing the well-known key 'schema.graphql'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: object
required:
- source
type: object
threatHandlingMode:
default: Block
description: ThreatHandlingMode specifies how threats should be handled.
enum:
- Block
- LogOnly
type: string
type: object
type: object
type: object
served: true
storage: true

759
charts/airlock/microgateway/4.3.2/crds/headerrewrites.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,759 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.3.2
name: headerrewrites.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: HeaderRewrites
listKind: HeaderRewritesList
plural: headerrewrites
singular: headerrewrites
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: HeaderRewrites is the Schema for the headerrewrites API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired header rewriting behavior.
properties:
request:
description: Request defines manipulations on upstream request headers.
properties:
add:
description: Add defines which request headers will be added before forwarding to the upstream.
properties:
custom:
description: |-
Custom allows configuring additional upstream request headers.
Add selected headers.
items:
properties:
headers:
description: Headers to add.
items:
description: HeaderRewritesHeader specifies a header with a particular value
properties:
name:
description: Name defines the name of a header.
minLength: 1
type: string
value:
description: Value defines the value of a header.
type: string
required:
- name
- value
type: object
minItems: 1
type: array
mode:
default: AddIfAbsent
description: Mode defines the header addition strategy.
enum:
- AddIfAbsent
- OverwriteOrAdd
type: string
name:
description: Name describing the configured operation.
minLength: 1
type: string
required:
- headers
- name
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
allow:
description: |-
Allow defines which request headers will be forwarded to the upstream.
This can either be allHeaders or matchingHeaders.
Default: matchingHeaders: {...}
properties:
allHeaders:
description: AllHeaders specifies that all request headers should be forwarded.
type: object
matchingHeaders:
description: MatchingHeaders specifies which request headers should be forwarded.
properties:
builtIn:
description: BuiltIn allows configuring a set of predefined upstream request headers.
properties:
standardHeaders:
default: true
description: StandardHeaders defines whether the request headers which are forwarded to the upstream will be restricted to a set of common request headers.
type: boolean
type: object
custom:
description: Custom allows configuring additional upstream request headers.
items:
properties:
headers:
description: Headers to allow.
items:
description: |-
HeaderMatcher defines a matcher for an HTTP header.
At least one of name and value must be set.
properties:
name:
description: Name defines the name of a header.
properties:
matcher:
description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a header.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
minItems: 1
type: array
name:
description: Name describing the configured operation. Must be unique.
minLength: 1
type: string
required:
- headers
- name
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
type: object
remove:
description: Remove defines which request headers will be removed before forwarding to the upstream.
properties:
builtIn:
description: BuiltIn allows configuring a set of predefined upstream request headers.
properties:
alternativeForwardedHeaders:
default: true
description: |-
AlternativeForwardedHeaders removes downstream request headers which could potentially
be abused to alter the upstream's view of the remote connection.
type: boolean
type: object
custom:
description: Custom allows configuring additional upstream request headers.
items:
properties:
headers:
description: Headers to remove.
items:
description: |-
HeaderMatcher defines a matcher for an HTTP header.
At least one of name and value must be set.
properties:
name:
description: Name defines the name of a header.
properties:
matcher:
description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a header.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
minItems: 1
type: array
name:
description: Name describing the configured operation. Must be unique.
minLength: 1
type: string
required:
- headers
- name
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
type: object
response:
description: Response defines manipulations on upstream response headers.
properties:
add:
description: Add defines which response headers will be added before forwarding to the downstream.
properties:
builtIn:
description: BuiltIn allows configuring a set of predefined upstream response headers.
properties:
csp:
default: true
description: |-
CSP sets a content security policy which allows only same-origin requests except for images
if the 'Content-Security-Policy' header is not set by the upstream.
type: boolean
featurePolicy:
default: false
description: |-
FeaturePolicy sets a feature policy which prevents cross-origin use of several browser features
if the 'Feature-Policy' header is not set by the upstream.
**Deprecated:** Use permissionsPolicy instead.
type: boolean
hsts:
default: true
description: HSTS enforces the use of HTTPS if the 'Strict-Transport-Security' header is not already set by the upstream.
type: boolean
hstsPreload:
default: false
description: HSTSPreload enforces the use of HTTPS including for subdomains and enables HSTS preload.
type: boolean
permissionsPolicy:
default: true
description: |-
PermissionsPolicy sets a permissions policy which prevents cross-origin use of several browser features
if the 'Permissions-Policy' header is not set by the upstream.
type: boolean
referrerPolicy:
default: true
description: |-
ReferrerPolicy ensures that no 'Referer' header is sent for cross-origin requests
if the 'Referrer-Policy' header is not set by the upstream.
type: boolean
xContentTypeOptions:
default: true
description: XContentTypeOptions sets 'X-Content-Type-Options' to 'nosniff' if it is not set by the upstream.
type: boolean
xFrameOptions:
default: true
description: XFrameOptions sets 'X-Frame-Options' to SAMEORIGIN if it is not set by the upstream.
type: boolean
type: object
custom:
description: Custom allows configuring additional upstream response headers.
items:
properties:
headers:
description: Headers to add.
items:
description: HeaderRewritesHeader specifies a header with a particular value
properties:
name:
description: Name defines the name of a header.
minLength: 1
type: string
value:
description: Value defines the value of a header.
type: string
required:
- name
- value
type: object
minItems: 1
type: array
mode:
default: AddIfAbsent
description: Mode defines the header addition strategy.
enum:
- AddIfAbsent
- OverwriteOrAdd
type: string
name:
description: Name describing the configured operation.
minLength: 1
type: string
required:
- headers
- name
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
allow:
description: |-
Allow defines which response headers will be forwarded to the downstream.
This can either be allHeaders or matchingHeaders.
Default: allHeaders: {}
properties:
allHeaders:
description: AllHeaders specifies that all response headers should be forwarded.
type: object
matchingHeaders:
description: MatchingHeaders specifies which response headers should be forwarded.
properties:
builtIn:
description: BuiltIn allows configuring a set of predefined upstream response header.
properties:
standardHeaders:
default: false
description: StandardHeaders defines whether the response headers which are forwarded to the downstream will be restricted to a set of common response headers.
type: boolean
type: object
custom:
description: Custom allows configuring additional upstream response headers.
items:
properties:
headers:
description: Headers to allow.
items:
description: |-
HeaderMatcher defines a matcher for an HTTP header.
At least one of name and value must be set.
properties:
name:
description: Name defines the name of a header.
properties:
matcher:
description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a header.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
minItems: 1
type: array
name:
description: Name describing the configured operation. Must be unique.
minLength: 1
type: string
required:
- headers
- name
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
type: object
remove:
description: Remove defines which response headers will be removed before forwarding to the downstream.
properties:
builtIn:
description: BuiltIn allows configuring a set of predefined upstream response headers.
properties:
auth:
description: Auth defines the categories of headers concerning authentication.
properties:
basic:
default: false
description: Basic removes upstream response headers that advise clients to authenticate with Basic Authentication.
type: boolean
negotiate:
default: true
description: Negotiate removes upstream response headers that advise clients to authenticate with Negotiate.
type: boolean
ntlm:
default: true
description: |-
NTLM removes upstream response headers that advise clients to authenticate with NTLM.
By default, these headers are removed, because NTLM pass-through is not supported.
type: boolean
type: object
informationLeakage:
description: InformationLeakage defines the categories of headers concerning information leakage.
properties:
application:
default: true
description: Application removes upstream response headers that leak information about the deployed software.
type: boolean
server:
default: true
description: Server removes upstream response headers that leak information about the server.
type: boolean
type: object
permissiveCors:
default: true
description: PermissiveCORS removes upstream response headers for CORS (Cross-Origin Resource Sharing) which have no restrictions and therefore reduce client-side security.
type: boolean
type: object
custom:
description: Custom allows configuring additional upstream response headers.
items:
properties:
headers:
description: Headers to remove.
items:
description: |-
HeaderMatcher defines a matcher for an HTTP header.
At least one of name and value must be set.
properties:
name:
description: Name defines the name of a header.
properties:
matcher:
description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a header.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
minItems: 1
type: array
name:
description: Name describing the configured remove operation. Must be unique.
minLength: 1
type: string
required:
- headers
- name
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
type: object
settings:
description: Settings configures the HeaderRewrites filter.
properties:
operationalMode:
default: Production
description: OperationalMode defines the behavior of the filter. In integration mode more information is logged about the requests and responses.
enum:
- Production
- Integration
type: string
type: object
type: object
type: object
served: true
storage: true

108
charts/airlock/microgateway/4.3.2/crds/identitypropagations.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,108 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.3.2
name: identitypropagations.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: IdentityPropagation
listKind: IdentityPropagationList
plural: identitypropagations
singular: identitypropagation
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: IdentityPropagation specifies the desired identity propagation.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired identity propagation.
properties:
header:
description: Header configures identity propagation via a request header.
properties:
name:
description: Name of the header to set.
minLength: 1
type: string
value:
description: Value to propagate to the application.
properties:
source:
description: Source from which to extract the value.
properties:
metadata:
description: Metadata specifies to extract a value from an Envoy dynamic filter metadata key.
properties:
key:
description: Key specifies the metadata key from which to load the value, e.g. `some_payload.aud`.
minLength: 1
type: string
namespace:
description: Namespace specifies the metadata namespace within which the lookup should be performed, e.g. `envoy.filters.http.jwt_authn`.
minLength: 1
type: string
required:
- key
- namespace
type: object
oidc:
description: OIDC specifies to extract a value from the result of an OpenID Connect flow.
properties:
idToken:
description: IDToken specifies to extract the value from the OpenID Connect ID Token.
properties:
claim:
description: Claim selects the JWT claim from which to extract the value.
minLength: 1
type: string
required:
- claim
type: object
required:
- idToken
type: object
type: object
required:
- source
type: object
required:
- name
- value
type: object
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}

651
charts/airlock/microgateway/4.3.2/crds/limits.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,651 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.3.2
name: limits.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: Limits
listKind: LimitsList
plural: limits
singular: limits
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: Limits contains the configuration for limits.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired limits behavior.
properties:
request:
description: Request defines the limits for requests.
properties:
limited:
description: Limited enables limits on request scope.
properties:
exceptions:
description: Exceptions defines limit exceptions.
items:
description: LimitsException defines an exception for limits.
properties:
length:
description: Length defines an exception for length limits based on the data element exceeding the limit.
properties:
graphQL:
description: GraphQL defines a field, argument or value length limit exception for a GraphQL query.
properties:
argument:
description: |-
Argument restricts the exception to GraphQL queries with a matching argument of a field.
At least one of field, argument and value must be set.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
field:
description: |-
Field restricts the exception to GraphQL queries with a matching field.
At least one of field, argument and value must be set.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: |-
Value restricts the exception to GraphQL queries with a matching argument value.
At least one of field, argument and value must be set.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
json:
description: JSON defines a key and value length limit exception for a JSON property.
properties:
jsonPath:
description: |-
JSONPath restricts the exception to JSON properties with a matching JSONPath.
Expressions in JSONPath i.e. `?(expr)` are not supported.
minLength: 1
type: string
required:
- jsonPath
type: object
parameter:
description: Parameter defines a name and value length limit exception for a parameter.
properties:
name:
description: Name restricts the exception to parameters with a matching name.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
source:
default: Any
description: Source restricts the exception to parameters of this kind.
enum:
- Query
- Post
- Any
type: string
required:
- name
type: object
type: object
requestConditions:
description: RequestConditions defines additional request properties which must be matched in order for this exception to apply.
properties:
header:
description: Header defines the matching headers of a request.
properties:
name:
description: Name defines the name of a header.
properties:
matcher:
description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a header.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
invert:
default: false
description: Invert indicates whether the request condition should be inverted.
type: boolean
mediaType:
description: MediaType defines the matching media type from the content-type header of a request.
properties:
matcher:
description: |-
NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
method:
description: Method defines the matching methods of a request.
items:
description: Method defines common HTTP methods.
enum:
- GET
- HEAD
- POST
- PUT
- PATCH
- DELETE
- CONNECT
- OPTIONS
- TRACE
type: string
type: array
path:
description: Path defines the matching path of a request.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
remoteIP:
description: RemoteIP defines the matching remote IPs of a request.
properties:
cidrRanges:
description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``.
items:
description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“.
format: cidr
type: string
minItems: 1
type: array
invert:
default: false
description: Invert indicates whether the match should be inverted.
type: boolean
required:
- cidrRanges
type: object
type: object
type: object
type: array
general:
description: General defines general request limits.
properties:
bodySize:
anyOf:
- type: integer
- type: string
default: 100Mi
description: BodySize limits the total size of the request body. It specifies the number of bytes (0 = unlimited). This limit is effective for any request not processed by one of the content parsers (e.g. json) as configured in the Parser CRD. **Note** This limit does not apply to WebSocket or gRPC traffic.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
pathLength:
anyOf:
- type: integer
- type: string
default: 1Ki
description: PathLength defines the maximum path length for all requests (parsed and unparsed).
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
graphQL:
description: GraphQL defines the limits for GraphQL requests.
properties:
nestingDepth:
default: 10
description: NestingDepth defines the maximum depth of nesting for GraphQL objects.
format: int64
type: integer
querySize:
anyOf:
- type: integer
- type: string
default: 1Ki
description: QuerySize defines the maximum size for GraphQL queries.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
valueLength:
anyOf:
- type: integer
- type: string
default: "256"
description: ValueLength defines the maximum length for GraphQL values.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
json:
description: JSON defines the limits for JSON requests.
properties:
bodySize:
anyOf:
- type: integer
- type: string
default: 100Ki
description: BodySize limits the total size of the JSON request body. It specifies the number of bytes (0 = unlimited).
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
elementCount:
default: 10000
description: ElementCount defines the maximum number of keys and array items in the whole JSON document (recursive).
format: int64
type: integer
keyCount:
default: 250
description: KeyCount defines the maximum number of keys of a single JSON object (non-recursive).
format: int64
type: integer
keyLength:
anyOf:
- type: integer
- type: string
default: "128"
description: KeyLength defines the maximum length for JSON keys.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
nestingDepth:
default: 100
description: NestingDepth defines the maximum depth of nesting for JSON objects and JSON arrays.
format: int64
type: integer
valueLength:
anyOf:
- type: integer
- type: string
default: 8Ki
description: ValueLength defines the maximum length for JSON values.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
multipart:
description: Multipart defines the limits for Multipart requests.
properties:
bodySize:
anyOf:
- type: integer
- type: string
default: 100Mi
description: BodySize limits the total size of the Multipart request body. It specifies the number of bytes (0 = unlimited).
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
parameter:
description: Parameter defines the limits for request parameters.
properties:
bodySize:
anyOf:
- type: integer
- type: string
default: 100Ki
description: BodySize limits the total size of the form data body. It specifies the number of bytes (0 = unlimited).
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
count:
default: 128
description: Count defines the maximum number of request parameters.
format: int64
type: integer
nameLength:
anyOf:
- type: integer
- type: string
default: "128"
description: NameLength defines the maximum length for parameter names.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
valueLength:
anyOf:
- type: integer
- type: string
default: 8Ki
description: ValueLength defines the maximum length for parameter values.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
type: object
unlimited:
description: Unlimited disables all limits on request scope.
type: object
type: object
settings:
description: Settings configures the limits filter.
properties:
threatHandlingMode:
default: Block
description: ThreatHandlingMode specifies how threats should be handled when a limit hits.
enum:
- Block
- LogOnly
type: string
type: object
type: object
type: object
served: true
storage: true

305
charts/airlock/microgateway/4.3.2/crds/oidcproviders.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,305 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.3.2
name: oidcproviders.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: OIDCProvider
listKind: OIDCProviderList
plural: oidcproviders
singular: oidcprovider
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
OIDCProvider specifies an OpenID Provider (OP).
{{% notice warning %}} The OIDC feature is currently in an experimental state.
We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as security has not yet been hardened.
In particular, the current implementation has the following limitations, which we intend to address in future Microgateway releases:
- The state parameter is guessable.
- Sessions are always shared across all Microgateway Engines using the same Redis instance.
I.e. if application A and B (with different SidecarGateways) have the same Redis instance configured in their SessionHandling CR, users which are logged into application A
may be able to access authenticated routes on application B, even if their OIDCRelyingParty configuration differs.
{{% /notice %}}
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of an OpenID Provider.
properties:
static:
description: Static configures an OpenID Provider by explicitly specifying all endpoints.
properties:
endpoints:
description: Endpoints specifies the OpenID Provider endpoints.
properties:
authorization:
description: Authorization specifies the endpoint to which the authorization request is sent.
properties:
uri:
description: URI specifies the endpoint address.
format: uri
minLength: 1
pattern: ^(http|https)://.*$
type: string
required:
- uri
type: object
token:
description: Token configures the endpoint from which the access, ID and refresh tokens are obtained.
properties:
tls:
description: TLS defines TLS settings.
properties:
certificateVerification:
description: CertificateVerification specifies how the certificate presented by the server is verified.
properties:
custom:
description: |-
Custom explicitly specifies how the server certificate should be verified.
Typical use cases include specifying a custom CA and SAN match when working with self-signed certificates or pinning a specific public key.
properties:
allowedSANs:
description: |-
AllowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics,
that is to say, the SAN is verified if at least one matcher is matched.
AllowedSANs requires trustedCA to be set.
items:
description: |-
TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
Subject Alternative Name of the presented certificate matches one of the specified matchers.
properties:
matcher:
description: Matcher defines the string matcher for the SAN value.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
sanType:
description: SanType defines the type of SAN matcher.
enum:
- DNS
- Email
- URI
- IPAddress
type: string
required:
- matcher
- sanType
type: object
minItems: 1
type: array
certificatePinning:
description: |-
CertificatePinning defines constraints the presented certificate must fulfill.
If more than one constraint is configured only one must be satisfied.
At least one of allowedSPKIs and allowedHashes must be set.
properties:
allowedHashes:
description: |-
AllowedHashes is a list of hex-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
items:
type: string
minItems: 1
type: array
allowedSPKIs:
description: |-
AllowedSPKIs is a list of base64-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.
items:
type: string
minItems: 1
type: array
type: object
crl:
description: CRL defines the Certificate Revocation List (CRL) settings.
properties:
lists:
description: Lists defines the list of secretRefs containing Certificate Revocation Lists.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
validationMode:
default: VerifyChain
description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked.
enum:
- VerifyLeafCertOnly
- VerifyChain
type: string
type: object
trustedCA:
description: TrustedCA defines which CA certificates are trusted.
properties:
certificates:
description: Certificates defines the list of secretRefs containing trusted CA certificates.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
verificationDepth:
default: 1
description: |-
VerificationDepth specifies the hops in the certificate chain at which validation is performed.
1 means that either the leaf or the signing CA must be in the set of trusted certificates.
format: int32
type: integer
required:
- certificates
type: object
type: object
disabled:
description: |-
Disabled specifies to trust any certificate without verification.
THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING.
type: object
publicCAs:
description: PublicCAs specifies to only accept certificates with a SAN matching "uri" and which are signed by a CA which is either directly or indirectly trusted by any of the root CA certificates shipped with the Airlock Microgateway Engine's base image.
type: object
type: object
ciphers:
description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration.
items:
type: string
minItems: 1
type: array
protocol:
description: Protocol defines the supported TLS protocol versions.
properties:
maximum:
description: Maximum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
minimum:
description: Minimum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
type: object
type: object
uri:
description: URI specifies the endpoint address.
format: uri
minLength: 1
pattern: ^(http|https)://.*$
type: string
required:
- uri
type: object
required:
- authorization
- token
type: object
required:
- endpoints
type: object
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}

224
charts/airlock/microgateway/4.3.2/crds/oidcrelyingparties.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,224 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.3.2
name: oidcrelyingparties.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: OIDCRelyingParty
listKind: OIDCRelyingPartyList
plural: oidcrelyingparties
singular: oidcrelyingparty
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
OIDCRelyingParty specifies how the Airlock Microgateway Engine interacts with an OpenID Provider (OP).
{{% notice warning %}} The OIDC feature is currently in an experimental state.
We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as security has not yet been hardened.
In particular, the current implementation has the following limitations, which we intend to address in future Microgateway releases:
- The state parameter is guessable.
- Sessions are always shared across all Microgateway Engines using the same Redis instance.
I.e. if application A and B (with different SidecarGateways) have the same Redis instance configured in their SessionHandling CR, users which are logged into application A
may be able to access authenticated routes on application B, even if their OIDCRelyingParty configuration differs.
{{% /notice %}}
{{% notice info %}} The OIDC feature requires SessionHandling to be configured in the SidecarGateway. {{% /notice %}}
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the OIDC Relying Party configuration.
properties:
clientID:
description: ClientID specifies the OIDCRelyingParty "client_id".
minLength: 1
type: string
credentials:
description: Credentials used for client authentication on the back-channel with the authorization server.
properties:
clientSecret:
description: ClientSecret authenticates with the client password issued by the OpenID Provider (OP).
properties:
method:
default: BasicAuth
description: Method specifies in which format the client secret is sent with the authorization request.
enum:
- BasicAuth
- FormURLEncoded
type: string
secretRef:
description: SecretRef specifies the kubernetes secret containing the client password with key "client.secret".
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
required:
- clientSecret
type: object
oidcProviderRef:
description: OIDCProviderRef selects the OpenID Provider (OP) used to authenticate users.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
pathMapping:
description: PathMapping configures the action matching.
properties:
logoutPath:
description: LogoutPath specifies which request paths should initiate a logout.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
redirectPath:
description: RedirectPath specifies which request paths should be interpreted as a response from the authorization endpoint.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
required:
- logoutPath
- redirectPath
type: object
redirectURI:
description: |-
RedirectURI configures the "redirect_uri" parameter included in the authorization request.
May contain envoy command operators, e.g. '%REQ(:x-forwarded-proto)%://%REQ(:authority)%/callback'.
minLength: 1
type: string
required:
- clientID
- credentials
- oidcProviderRef
- pathMapping
- redirectURI
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}

167
charts/airlock/microgateway/4.3.2/crds/openapis.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,167 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.3.2
name: openapis.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: OpenAPI
listKind: OpenAPIList
plural: openapis
singular: openapi
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: OpenAPI contains the configuration for the OpenAPI specification.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired OpenAPI specification.
properties:
response:
description: Response defines the validation behaviour for responses.
properties:
secured:
description: Secured enables response checking.
properties:
validation:
default: Lax
description: Validation defines the validation mode for responses.
enum:
- Lax
- Strict
type: string
type: object
unsecured:
description: Unsecured disables response checking.
type: object
type: object
settings:
description: Settings defines the settings to configure OpenAPI specification enforcement.
properties:
logging:
description: Logging specifies the access log behavior.
properties:
maxFailedSubvalidations:
default: 10
description: MaxFailedSubvalidations defines the maximum number of failed subvalidations being logged.
format: int64
type: integer
type: object
schema:
description: Schema configures the OpenAPI specification.
properties:
source:
description: Source specifies the OpenAPI specification to be enforced.
properties:
configMapRef:
description: ConfigMapRef references the configmap by its name containing the well-known key 'openapi.json'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: object
required:
- source
type: object
threatHandlingMode:
default: Block
description: ThreatHandlingMode specifies how threats should be handled.
enum:
- Block
- LogOnly
type: string
validation:
description: Validation specifies the patterns for the validation behavior.
properties:
authentication:
description: Authentication defines the settings for the authentication scheme.
properties:
oAuth2:
description: OAuth2 specifies the OAuth2 parameters.
properties:
allowedParameters:
description: AllowedParameters specifies the allowed parameters for the authentication scheme.
properties:
builtIn:
description: BuiltIn allows configuring a set of predefined allowed parameters.
properties:
standardParameters:
default: true
description: StandardParameters defines whether the allowed parameters should be expanded by the set of common parameters.
type: boolean
type: object
custom:
description: Custom allows configuring additional allowed parameters.
items:
minLength: 1
type: string
minItems: 1
type: array
type: object
type: object
oidc:
description: Oidc specifies the OIDC parameters.
properties:
allowedParameters:
description: AllowedParameters specifies the allowed parameters for the authentication scheme.
properties:
builtIn:
description: BuiltIn allows configuring a set of predefined allowed parameters.
properties:
standardParameters:
default: true
description: StandardParameters defines whether the allowed parameters should be expanded by the set of common parameters.
type: boolean
type: object
custom:
description: Custom allows configuring additional allowed parameters.
items:
minLength: 1
type: string
minItems: 1
type: array
type: object
type: object
type: object
type: object
required:
- schema
type: object
required:
- settings
type: object
required:
- spec
type: object
served: true
storage: true

358
charts/airlock/microgateway/4.3.2/crds/parsers.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,358 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.3.2
name: parsers.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: Parser
listKind: ParserList
plural: parsers
singular: parser
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: Parser contains the configuration for content parsers (default and custom).
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired parser behavior.
properties:
request:
description: Request defines the parsing for downstream requests.
properties:
custom:
description: Custom allows configuring additional rules for parser selection.
properties:
rules:
description: |-
Rules defines a custom set prepended before built-in rules of enabled request parsers.
Disable all built-in parsers to overrule them completely.
items:
properties:
action:
description: |-
Action specifies what should happen when a request condition matches.
Only one of parse or skip can be set.
properties:
parse:
description: Parse activates the configured parser.
properties:
form:
description: Form activates the Form parser.
type: object
json:
description: JSON activates the JSON parser.
type: object
multipart:
description: Multipart activates the multipart parser.
type: object
type: object
skip:
description: Skip disables any content parsing
type: object
type: object
requestConditions:
description: RequestConditions defines additional request properties which must be matched in order for this rule to apply.
properties:
header:
description: Header defines the matching headers of a request.
properties:
name:
description: Name defines the name of a header.
properties:
matcher:
description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a header.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
invert:
default: false
description: Invert indicates whether the request condition should be inverted.
type: boolean
mediaType:
description: MediaType defines the matching media type from the content-type header of a request.
properties:
matcher:
description: |-
NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
method:
description: Method defines the matching methods of a request.
items:
description: Method defines common HTTP methods.
enum:
- GET
- HEAD
- POST
- PUT
- PATCH
- DELETE
- CONNECT
- OPTIONS
- TRACE
type: string
type: array
path:
description: Path defines the matching path of a request.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
remoteIP:
description: RemoteIP defines the matching remote IPs of a request.
properties:
cidrRanges:
description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``.
items:
description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“.
format: cidr
type: string
minItems: 1
type: array
invert:
default: false
description: Invert indicates whether the match should be inverted.
type: boolean
required:
- cidrRanges
type: object
type: object
required:
- action
- requestConditions
type: object
type: array
type: object
defaultContentType:
default: application/x-www-form-urlencoded
description: DefaultContentType specifies the content-type header which should be injected into the request before parser selection if it is not already present and the request has a body.
minLength: 1
type: string
parsers:
description: Parsers defines the configuration for the available content parsers.
properties:
form:
description: Form defines the configuration for the form parser.
properties:
enable:
default: true
description: Enable defines whether form payloads are inspected.
type: boolean
mediaTypePattern:
default: .*urlencoded.*
description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as form arguments.
minLength: 1
type: string
type: object
json:
description: JSON defines the configuration for the JSON parser.
properties:
enable:
default: true
description: Enable defines whether json payloads are inspected.
type: boolean
mediaTypePattern:
default: .*json.*
description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as JSON.
minLength: 1
type: string
type: object
multipart:
description: Multipart defines the configuration for the multipart parser.
properties:
enable:
default: true
description: Enable defines whether multipart payloads are inspected.
type: boolean
mediaTypePattern:
default: .*multipart.*
description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as a multipart payload.
minLength: 1
type: string
type: object
type: object
type: object
type: object
type: object
served: true
storage: true

159
charts/airlock/microgateway/4.3.2/crds/redisproviders.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,159 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.3.2
name: redisproviders.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: RedisProvider
listKind: RedisProviderList
plural: redisproviders
singular: redisprovider
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: RedisProvider contains a client configuration for connecting to a Redis database.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of a Redis database client configuration.
properties:
auth:
description: Auth specifies the Redis credentials.
properties:
password:
description: Password specifies the Redis password.
properties:
secretRef:
description: SecretRef selects the secret containing the Redis password under the key 'redis.password'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
username:
default: default
description: Username specifies the Redis username to authenticate with.
minLength: 1
pattern: ^[^\s]+$
type: string
required:
- password
type: object
mode:
description: Mode configures the redis deployment mode.
properties:
standalone:
description: Standalone specifies the standalone Redis instance to connect to.
properties:
host:
description: Host specifies the IP or hostname.
minLength: 1
pattern: ^(\d{1,3}(\.\d{1,3}){3}|([0-9a-fA-F]{1,4}|:)+(:\d{1,3}(\.\d{1,3}){3})?|[a-z0-9\-]+(\.[a-z0-9\-]+)*)$
type: string
port:
default: 6379
description: Port specifies the port.
maximum: 65535
minimum: 1
type: integer
required:
- host
type: object
type: object
timeouts:
description: Timeouts specifies the timeouts when interacting with the Redis endpoint.
properties:
connect:
default: 5s
description: Connect specifies the timeout for establishing a connection.
type: string
maxDuration:
default: 2s
description: MaxDuration specifies the response timeout.
type: string
type: object
tls:
description: TLS defines TLS settings. If not specified, TLS is disabled i.e. unencrypted TCP is used when connecting to the Redis instance.
properties:
certificateVerification:
description: CertificateVerification specifies how the certificate presented by the server is verified.
properties:
custom:
description: Custom explicitly specifies how the server certificate should be verified.
properties:
trustedCA:
description: TrustedCA defines which CA certificates are trusted.
properties:
certificates:
description: Certificates defines the list of secretRefs containing trusted CA certificates.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
required:
- certificates
type: object
required:
- trustedCA
type: object
disabled:
description: 'Disabled specifies to trust any certificate without verification. THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING. Note: This setting currently also disables TLS SNI.'
type: object
publicCAs:
description: PublicCAs specifies to only accept certificates with a SAN matching the host and which are signed by a CA which is either directly or indirectly trusted by any of the root CA certificates shipped with the Airlock Microgateway Session Agents base image.
type: object
type: object
type: object
required:
- mode
type: object
required:
- spec
type: object
served: true
storage: true

77
charts/airlock/microgateway/4.3.2/crds/sessionhandlings.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,77 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.3.2
name: sessionhandlings.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: SessionHandling
listKind: SessionHandlingList
plural: sessionhandlings
singular: sessionhandling
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: |-
SessionHandling contains the configuration for session handling.
{{% notice warning %}} The Session Handling feature (required for OIDC) is currently in an experimental state.
We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as high-availability Redis configurations (e.g. Sentinel/Cluster) are not yet supported.
{{% /notice %}}
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired session handling behavior.
properties:
persistence:
description: Persistence configures where to store the session state.
properties:
redisProviderRef:
description: RedisProviderRef specifies to cache session information in the provided Redis instance.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- redisProviderRef
type: object
required:
- persistence
type: object
required:
- spec
type: object
served: true
storage: true

758
charts/airlock/microgateway/4.3.2/crds/sidecargateways.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,758 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.3.2
name: sidecargateways.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: SidecarGateway
listKind: SidecarGatewayList
plural: sidecargateways
singular: sidecargateway
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.status
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: SidecarGateway contains the configuration how to configure the Airlock Microgateway Engine when used as Sidecar Container within the Pod of an application.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired sidecar gateway behavior.
properties:
applications:
description: Applications defines applications which run on different ports.
items:
properties:
containerPort:
default: 8080
description: |-
ContainerPort refers to the container port.
This must be a valid port number, 0 < x < 65536.
format: int32
maximum: 65535
minimum: 1
type: integer
downstream:
description: Downstream defines the downstream configuration for this application
properties:
protocol:
description: |-
Protocol defines the exposed HTTP protocol version. At most one of http1, http2 and auto can be set.
Default: auto: {}
properties:
auto:
description: Auto specifies that the protocol should be inferred.
properties:
http2:
description: HTTP2 specifies the settings for when HTTP/2 is inferred.
properties:
allowConnect:
default: false
description: Allows proxying Websocket and other upgrades over H2 connect.
type: boolean
type: object
type: object
http1:
description: HTTP1 specifies that the client is assumed to speak HTTP/1.1.
type: object
http2:
description: HTTP2 specifies that the client is assumed to speak HTTP/2.
properties:
allowConnect:
default: false
description: Allows proxying Websocket and other upgrades over H2 connect.
type: boolean
type: object
type: object
remoteIP:
description: |-
RemoteIP defines how the remote IP of a client is propagated.
Default: xff: {...}
properties:
connectionIP:
description: ConnectionIP configures to use the source IP address of the direct downstream connection.
type: object
customHeader:
description: CustomHeader specifies to use a custom header for remote IP extraction.
properties:
headerName:
description: HeaderName specifies the name of the custom header containing the remote IP.
minLength: 1
type: string
required:
default: true
description: Required specifies if the custom header is required. If true and not available the request will be rejected with 403.
type: boolean
required:
- headerName
type: object
xff:
description: XFF configures to use the standard 'X-Forwarded-For' header for IP extraction.
properties:
numTrustedHops:
default: 1
description: NumTrustedHops specifies to extract the client's originating IP from the nth rightmost entry in the X-Forwarded-For header. With the default value of 1, the IP is extracted from the rightmost entry.
format: int32
minimum: 1
type: integer
type: object
type: object
requestNormalizations:
description: RequestNormalizations defines a set of normalization actions which are applied to the request before route matching.
properties:
mergeSlashes:
default: true
description: MergeSlashes ensures that adjacent slashes in the path are merged into one.
type: boolean
normalizePath:
default: true
description: NormalizePath ensures normalization according to RFC 3986 without case normalization.
type: boolean
type: object
restrictions:
description: Restrictions defines restrictions for downstream.
properties:
http:
description: HTTP defines limits for the HTTP protocol.
properties:
headersLength:
anyOf:
- type: integer
- type: string
default: 60Ki
description: HeadersLength defines maximum size of all request headers combined. Requests that exceed this limit will receive a 431 response.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
type: object
timeouts:
description: Timeouts defines timeouts for downstream
properties:
http:
description: HTTP defines the settings for HTTP timeouts.
properties:
idle:
default: 5m
description: |-
Idle defines the settings for the idle timeout when no data is sent or received.
A value of 0 will completely disable the timeout.
Default: 5m
type: string
maxDuration:
default: 5m
description: |-
MaxDuration defines the total duration for a HTTP request/response stream.
A value of 0 will completely disable the timeout.
Default: 5m
type: string
requestHeaders:
default: 10s
description: |-
RequestHeaders defines the duration before all request headers must be received.
A value of 0 will completely disable the timeout.
Default: 10s
type: string
type: object
type: object
tls:
description: TLS defines the TLS settings.
properties:
ciphers:
description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration.
items:
type: string
minItems: 1
type: array
clientCertificate:
description: |-
ClientCertificate defines the TLS settings for verification of client certificates.
At most one of ignored, optional and required can be set.
Default: ignored: {}
properties:
ignored:
description: Ignored disables verification of the client certificate.
type: object
optional:
description: |-
Optional enables verification of the client certificate if one is presented.
In this mode only trustedCA and crl settings can be configured since certificatePinning and allowedSANs require a client certificate.
properties:
crl:
description: CRL defines the Certificate Revocation List (CRL) settings.
properties:
lists:
description: Lists defines the list of secretRefs containing Certificate Revocation Lists.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
validationMode:
default: VerifyChain
description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked.
enum:
- VerifyLeafCertOnly
- VerifyChain
type: string
type: object
trustedCA:
description: TrustedCA defines which CA certificates are trusted.
properties:
certificates:
description: Certificates defines the list of secretRefs containing trusted CA certificates.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
verificationDepth:
default: 1
description: |-
VerificationDepth specifies the hops in the certificate chain at which validation is performed.
1 means that either the leaf or the signing CA must be in the set of trusted certificates.
format: int32
type: integer
required:
- certificates
type: object
required:
- trustedCA
type: object
required:
description: |-
Required contains settings for client certificate verification. A client must present a valid certificate.
At least one of trustedCA and certificatePinning must be set.
properties:
allowedSANs:
description: |-
AllowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics,
that is to say, the SAN is verified if at least one matcher is matched.
AllowedSANs requires trustedCA to be set.
items:
description: |-
TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
Subject Alternative Name of the presented certificate matches one of the specified matchers.
properties:
matcher:
description: Matcher defines the string matcher for the SAN value.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
sanType:
description: SanType defines the type of SAN matcher.
enum:
- DNS
- Email
- URI
- IPAddress
type: string
required:
- matcher
- sanType
type: object
minItems: 1
type: array
certificatePinning:
description: |-
CertificatePinning defines the constraints a client certificate must fulfill.
If more than one constraint is configured only one must be satisfied.
At least one of allowedSPKIs and allowedHashes must be set.
properties:
allowedHashes:
description: |-
AllowedHashes is a list of hex-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
items:
type: string
minItems: 1
type: array
allowedSPKIs:
description: |-
AllowedSPKIs is a list of base64-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.
items:
type: string
minItems: 1
type: array
type: object
crl:
description: CRL defines the Certificate Revocation List (CRL) settings.
properties:
lists:
description: Lists defines the list of secretRefs containing Certificate Revocation Lists.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
validationMode:
default: VerifyChain
description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked.
enum:
- VerifyLeafCertOnly
- VerifyChain
type: string
type: object
trustedCA:
description: TrustedCA defines which CA certificates are trusted.
properties:
certificates:
description: Certificates defines the list of secretRefs containing trusted CA certificates.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
verificationDepth:
default: 1
description: |-
VerificationDepth specifies the hops in the certificate chain at which validation is performed.
1 means that either the leaf or the signing CA must be in the set of trusted certificates.
format: int32
type: integer
required:
- certificates
type: object
type: object
type: object
enable:
default: false
description: Enable defines if the downstream connection is encrypted.
type: boolean
protocol:
description: Protocol defines the supported TLS protocol versions.
properties:
maximum:
description: Maximum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
minimum:
description: Minimum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
type: object
secretRef:
description: SecretRef defines the reference to the TLS server certificate (secret of type kubernetes.io/tls).
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
xfcc:
description: |-
XFCC defines the handling of X-Forwarded-Client-Cert header. Meaning of the possible values:
_Sanitize_: Do not send the XFCC header to the next hop. This is the default value.
_ForwardOnly_: When the client connection is mTLS (Mutual TLS), forward the XFCC header in the request.
_AppendAndForward_: When the client connection is mTLS, append the client certificate information to the requests XFCC header and forward it.
_SanitizeAndSet_: When the client connection is mTLS, reset the XFCC header with the client certificate information and send it to the next hop.
_AlwaysForwardOnly_: Always forward the XFCC header in the request, regardless of whether the client connection is mTLS.
Note: When forwarding the XFCC header in the request you might have to adjust the header length restrictions (See sidecargateway.spec.applications.downstream.restrictions.http)
enum:
- Sanitize
- ForwardOnly
- AppendAndForward
- SanitizeAndSet
- AlwaysForwardOnly
type: string
type: object
type: object
envoyHTTPFilterRefs:
description: EnvoyHTTPFilterRefs selects the relevant EnvoyHTTPFilters.
properties:
prepend:
description: Prepend selects the relevant EnvoyHTTPFilters which are added before those configured by the Airlock Microgateway.
items:
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: array
type: object
routes:
description: Routes defines the security configurations for different paths. The first matching route (from top to bottom) applies.
items:
description: |-
SidecarGatewayApplicationRoute defines the security configurations for different paths.
At most one of secured and unsecured can be set.
Default: secured: {...}
properties:
pathPrefix:
default: /
description: PathPrefix defines the path prefix used during route selection.
minLength: 1
type: string
secured:
description: Secured enables WAF processing for this route.
properties:
accessControlRef:
description: |-
AccessControlRef selects the relevant AccessControl configuration resource.
If undefined, Airlock Microgateway does not perform any access control.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
contentSecurityRef:
description: |-
ContentSecurityRef selects the relevant ContentSecurity configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: object
unsecured:
description: |-
Unsecured disables all WAF functionality and therefore protection for this route.
WARNING: Using this setting when the application is exposed to untrusted downstream traffic is highly discouraged.
type: object
type: object
type: array
x-kubernetes-list-map-keys:
- pathPrefix
x-kubernetes-list-type: map
telemetryRef:
description: |-
TelemetryRef selects the relevant Telemetry configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
upstream:
description: Upstream defines the upstream configuration for this application
properties:
protocol:
description: |-
Protocol defines HTTP protocol version used to communicate with the upstream. At most one of http1, http2 and auto can be set.
Default: auto: {}
properties:
auto:
description: Auto specifies to negotiate the protocol with TLS ALPN (if TLS is enabled) or, as a fallback, use the same protocol that is used by the downstream connection.
properties:
http2:
description: HTTP2 specifies the settings for when HTTP/2 is inferred.
properties:
allowConnect:
default: false
description: Allows proxying Websocket and other upgrades over H2 connect.
type: boolean
type: object
type: object
http1:
description: HTTP1 specifies to use HTTP/1.1.
type: object
http2:
description: HTTP2 specifies to use HTTP/2.
properties:
allowConnect:
default: false
description: Allows proxying Websocket and other upgrades over H2 connect.
type: boolean
type: object
type: object
timeouts:
description: Timeouts defines the timeout settings.
properties:
http:
description: HTTP defines the settings for HTTP timeouts.
properties:
idle:
description: |-
Timeout defines the settings for http timeouts. If this setting is not specified, the value of applications[].downstream.timeouts.http.idle is inherited.
A value of 0 will completely disable the timeout.
type: string
maxDuration:
default: 15s
description: |-
MaxDuration defines the total duration for a HTTP request/response stream.
Default: 15s
type: string
type: object
type: object
tls:
description: TLS defines the TLS settings.
properties:
ciphers:
description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration.
items:
type: string
minItems: 1
type: array
enable:
default: false
description: Enable defines if the upstream connection is encrypted.
type: boolean
protocol:
description: Protocol defines the supported TLS protocol versions.
properties:
maximum:
description: Maximum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
minimum:
description: Minimum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
type: object
type: object
type: object
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- containerPort
x-kubernetes-list-type: map
envoyClusterRefs:
description: EnvoyClusterRefs selects the relevant EnvoyClusters.
items:
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
podSelector:
description: PodSelector defines to which Pods the configuration will be applied to.
properties:
matchLabels:
additionalProperties:
type: string
description: MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels.
type: object
type: object
sessionHandlingRef:
description: SessionHandlingRef selects the SessionHandling configuration to apply.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- applications
type: object
status:
description: Most recently observed status of the SidecarGateway which is populated by the system. This data is read-only and may not be up to date.
properties:
conditions:
items:
properties:
lastTransitionTime:
description: Last time the condition transitioned from one status to another.
format: date-time
type: string
message:
description: A human-readable message indicating details about the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of SidecarGateway condition.
type: string
required:
- status
- type
type: object
type: array
pods:
items:
properties:
envoyConfig:
description: EnvoyConfig indicates the name of the EnvoyConfig CR for the Pod.
type: string
name:
description: Name indicates the name of a Pod selected by the SidecarGateway.
type: string
sessionAgentSecret:
type: string
required:
- name
type: object
type: array
status:
type: string
unmanagedPods:
items:
properties:
managedBy:
description: ManagedBy indicates the Airlock Microgateway Operator instance which manages this Pod.
type: string
name:
description: Name indicates the name of a Pod selected by the SidecarGateway.
type: string
sessionAgentSecret:
type: string
required:
- name
type: object
type: array
required:
- status
type: object
type: object
served: true
storage: true
subresources:
status: {}

96
charts/airlock/microgateway/4.3.2/crds/telemetries.microgateway.airlock.com.yaml Normal file
View File

@ -0,0 +1,96 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.3.2
name: telemetries.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: Telemetry
listKind: TelemetryList
plural: telemetries
singular: telemetry
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: Telemetry contains the configuration for telemetry (logging, metrics & tracing).
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired telemetry behavior.
properties:
correlation:
description: Correlation defines the correlation aspects of Telemetry.
properties:
idSource:
description: IDSource specifies how an external correlation ID should be obtained for a request. If not specified, no correlation ID will be logged.
properties:
header:
description: Header specifies to extract the correlation ID from a request header. If the header is absent from a request, no correlation ID will be logged.
properties:
name:
default: X-Correlation-Id
description: Name of the header (case-insensitive) from which to extract the correlation ID.
minLength: 1
type: string
type: object
required:
- header
type: object
request:
description: Request defines the request related correlation settings of Telemetry.
properties:
allowDownstreamRequestID:
default: true
description: AllowDownstreamRequestID defines whether trace sampling will consider a provided x-request-id.
type: boolean
alterRequestID:
default: true
description: AlterRequestID defines whether to alter the UUID to reflect the trace sampling decision. If disabled no modification to the UUID will be performed, this may break tracing in the upstream.
type: boolean
type: object
type: object
logging:
description: Logging defines the logging aspects of Telemetry.
properties:
accessLog:
description: AccessLog defines the access log settings of Telemetry.
properties:
format:
description: Format defines the Access Log format of the sidecar.
properties:
json:
description: JSON defines the Access Log format as JSON.
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: object
type: object
type: object
served: true
storage: true

510
charts/airlock/microgateway/4.3.2/dashboards/blockLogs.json Normal file
View File

@ -0,0 +1,510 @@
{
"__inputs": [
{
"name": "DS_LOKI",
"label": "Loki",
"description": "",
"type": "datasource",
"pluginId": "loki",
"pluginName": "Loki"
},
{
"name": "DS_PROMETHEUS",
"label": "Prometheus",
"description": "",
"type": "datasource",
"pluginId": "prometheus",
"pluginName": "Prometheus"
}
],
"__elements": {},
"__requires": [
{
"type": "grafana",
"id": "grafana",
"name": "Grafana",
"version": "10.2.0"
},
{
"type": "datasource",
"id": "loki",
"name": "Loki",
"version": "1.0.0"
},
{
"type": "datasource",
"id": "prometheus",
"name": "Prometheus",
"version": "1.0.0"
},
{
"type": "panel",
"id": "table",
"name": "Table",
"version": ""
}
],
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "grafana",
"uid": "-- Grafana --"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"type": "dashboard"
}
]
},
"description": "Blocked requests by Airlock Microgateway retrieved from corresponding access logs.\n\nThe dashboard can be filtered by namespace and block type. Column filters on the table allow for even a more granular filtering of the logs.",
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": null,
"links": [
{
"asDropdown": true,
"icon": "external link",
"includeVars": true,
"keepTime": true,
"tags": [
"airlock-microgateway"
],
"targetBlank": true,
"title": "Airlock Microgateway",
"tooltip": "",
"type": "dashboards",
"url": ""
}
],
"panels": [
{
"datasource": {
"type": "loki",
"uid": "${DS_LOKI}"
},
"fieldConfig": {
"defaults": {
"color": {
"fixedColor": "text",
"mode": "fixed"
},
"custom": {
"align": "auto",
"cellOptions": {
"type": "auto"
},
"filterable": true,
"inspect": true
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
}
},
"overrides": [
{
"matcher": {
"id": "byName",
"options": "Namespace"
},
"properties": [
{
"id": "custom.width",
"value": 221
},
{
"id": "custom.filterable"
}
]
},
{
"matcher": {
"id": "byName",
"options": "Timestamp"
},
"properties": [
{
"id": "custom.width",
"value": 214
},
{
"id": "unit",
"value": "dateTimeAsIso"
},
{
"id": "custom.filterable"
}
]
},
{
"matcher": {
"id": "byName",
"options": "Method"
},
"properties": [
{
"id": "custom.width",
"value": 89
}
]
},
{
"matcher": {
"id": "byName",
"options": "Client IP"
},
"properties": [
{
"id": "custom.width",
"value": 138
}
]
},
{
"matcher": {
"id": "byName",
"options": "Request ID"
},
"properties": [
{
"id": "custom.width",
"value": 328
}
]
},
{
"matcher": {
"id": "byName",
"options": "Block Type"
},
"properties": [
{
"id": "custom.width",
"value": 116
},
{
"id": "custom.filterable",
"value": false
}
]
},
{
"matcher": {
"id": "byName",
"options": "Request Size"
},
"properties": [
{
"id": "custom.width",
"value": 126
},
{
"id": "unit",
"value": "bytes"
},
{
"id": "custom.align",
"value": "right"
}
]
},
{
"matcher": {
"id": "byName",
"options": "Attack Type"
},
"properties": [
{
"id": "custom.width",
"value": 217
}
]
},
{
"matcher": {
"id": "byName",
"options": "Application"
},
"properties": [
{
"id": "custom.width",
"value": 207
}
]
}
]
},
"gridPos": {
"h": 27,
"w": 24,
"x": 0,
"y": 0
},
"id": 2,
"options": {
"cellHeight": "sm",
"footer": {
"countRows": false,
"enablePagination": true,
"fields": "",
"reducer": [
"sum"
],
"show": false
},
"showHeader": true,
"sortBy": []
},
"pluginVersion": "11.0.0",
"targets": [
{
"datasource": {
"type": "loki",
"uid": "${DS_LOKI}"
},
"editorMode": "code",
"expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_deny_rule\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", details=\"airlock.deny_rules.matches\"\n| label_format block_type=\"deny_rules\", attack_type=`{{ range $q := fromJson .details }} {{ if eq $q.threat_handling_mode \"block\" }} {{ $q.rule_key }} {{ end }} {{ end }}` | block_type=~\"${blockType:regex}\"",
"hide": false,
"queryType": "range",
"refId": "Deny Rule Blocks"
},
{
"datasource": {
"type": "loki",
"uid": "${DS_LOKI}"
},
"editorMode": "code",
"expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_limit\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", details=\"airlock.limits.matches\"\n| label_format block_type=\"limits\", attack_type=`{{ range $q := fromJson .details }} {{ if eq $q.threat_handling_mode \"block\" }} {{ $q.rule }} {{ end }} {{ end }}` | block_type=~\"${blockType:regex}\"",
"hide": false,
"queryType": "range",
"refId": "Limit Blocks"
},
{
"datasource": {
"type": "loki",
"uid": "${DS_LOKI}"
},
"editorMode": "code",
"expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_openapi\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", reference=\"airlock.openapi.reference\", constraint=\"airlock.openapi.request.failed_validation.constraint\", position=\"airlock.openapi.request.failed_validation.position\", message=\"airlock.openapi.request.failed_validation.message\"\n| label_format block_type=\"openapi\", attack_type=\"openapi\", details=`{{.reference }}: {{.constraint }} at {{ .position }} ({{ .message }})` | block_type=~\"${blockType:regex}\"",
"hide": false,
"queryType": "range",
"refId": "OpenAPI Blocks"
},
{
"datasource": {
"type": "loki",
"uid": "${DS_LOKI}"
},
"editorMode": "code",
"expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_parser\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", attack_type=\"airlock.parser\", failed_check=\"airlock.parser.matches[0].failed_check\", message=\"airlock.parser.matches[0].message\"\n| label_format block_type=\"parsing\", attack_type=\"parsing\", details=`{{.failed_check}}: {{.message}}` | block_type=~\"${blockType:regex}\"",
"hide": false,
"queryType": "range",
"refId": "Parser Blocks"
},
{
"datasource": {
"type": "loki",
"uid": "${DS_LOKI}"
},
"editorMode": "code",
"expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_graphql\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", reference=\"airlock.graphql.reference\", message=\"airlock.graphql.request.failed_validation.message\"\n| label_format block_type=\"graphql\", attack_type=\"graphql\", details=`{{ .reference }}: {{ .message }}` | block_type=~\"${blockType:regex}\"",
"hide": false,
"queryType": "range",
"refId": "GraphQL Blocks"
}
],
"title": "Blocked Request logs",
"transformations": [
{
"id": "merge",
"options": {}
},
{
"id": "extractFields",
"options": {
"format": "json",
"source": "labels"
}
},
{
"id": "filterFieldsByName",
"options": {
"byVariable": false,
"include": {
"names": [
"Time",
"attack_type",
"block_type",
"client_ip",
"details",
"http_method",
"namespace",
"request_id",
"request_size",
"url",
"pod"
]
}
}
},
{
"id": "organize",
"options": {
"excludeByName": {
"Line": true,
"id": true,
"labelTypes": true,
"labels": true,
"tsNs": false
},
"includeByName": {},
"indexByName": {
"Time": 0,
"attack_type": 7,
"block_type": 6,
"client_ip": 9,
"details": 8,
"http_method": 3,
"namespace": 1,
"pod": 2,
"request_id": 10,
"request_size": 5,
"url": 4
},
"renameByName": {
"Time": "Timestamp",
"attack_type": "Attack Type",
"block_type": "Block Type",
"client_ip": "Client IP",
"details": "Details",
"http_method": "Method",
"namespace": "Namespace",
"pod": "Pod",
"request_id": "Request ID",
"request_size": "Request Size",
"tsNs": "",
"url": "Path"
}
}
}
],
"type": "table"
}
],
"schemaVersion": 39,
"tags": [
"airlock-microgateway"
],
"templating": {
"list": [
{
"current": {
"selected": false,
"text": "Loki",
"value": "P8E80F9AEF21F6940"
},
"hide": 2,
"includeAll": false,
"label": "DS_LOKI",
"multi": false,
"name": "DS_LOKI",
"options": [],
"query": "loki",
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"type": "datasource"
},
{
"allValue": ".*",
"current": {},
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"definition": "label_values(microgateway_license_http_rq_total,namespace)",
"hide": 0,
"includeAll": true,
"label": "Application Namespace",
"multi": true,
"name": "namespace",
"options": [],
"query": {
"qryType": 1,
"query": "label_values(microgateway_license_http_rq_total,namespace)",
"refId": "PrometheusVariableQueryEditor-VariableQuery"
},
"refresh": 2,
"regex": "",
"skipUrlSync": false,
"sort": 5,
"type": "query"
},
{
"allValue": ".*",
"current": {},
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"definition": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)",
"hide": 0,
"includeAll": true,
"label": "Block Type",
"multi": true,
"name": "blockType",
"options": [],
"query": {
"qryType": 1,
"query": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)",
"refId": "PrometheusVariableQueryEditor-VariableQuery"
},
"refresh": 2,
"regex": "",
"skipUrlSync": false,
"sort": 5,
"type": "query"
},
{
"current": {
"selected": false,
"text": "Prometheus",
"value": "PBFA97CFB590B2093"
},
"hide": 2,
"includeAll": false,
"label": "DS_PROMETHEUS",
"multi": false,
"name": "DS_PROMETHEUS",
"options": [],
"query": "prometheus",
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"type": "datasource"
}
]
},
"time": {
"from": "now-15m",
"to": "now"
},
"timeRangeUpdatedDuringEditOrView": false,
"timepicker": {},
"timezone": "browser",
"title": "Airlock Microgateway Blocked Request Logs",
"uid": "adnyzcvwnyadcc",
"version": 3,
"weekStart": ""
}

758
charts/airlock/microgateway/4.3.2/dashboards/blockMetrics.json Normal file
View File

@ -0,0 +1,758 @@
{
"__inputs": [
{
"name": "DS_PROMETHEUS",
"label": "Prometheus",
"description": "",
"type": "datasource",
"pluginId": "prometheus",
"pluginName": "Prometheus"
}
],
"__elements": {},
"__requires": [
{
"type": "panel",
"id": "barchart",
"name": "Bar chart",
"version": ""
},
{
"type": "grafana",
"id": "grafana",
"name": "Grafana",
"version": "10.2.0"
},
{
"type": "datasource",
"id": "prometheus",
"name": "Prometheus",
"version": "1.0.0"
},
{
"type": "panel",
"id": "stat",
"name": "Stat",
"version": ""
},
{
"type": "panel",
"id": "timeseries",
"name": "Time series",
"version": ""
}
],
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "grafana",
"uid": "-- Grafana --"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"type": "dashboard"
}
]
},
"description": "Metrics on requests blocked by Airlock Microgateway.\n\nDashboard can be filtered by namespaces as well as block types.",
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": null,
"links": [
{
"asDropdown": true,
"icon": "external link",
"includeVars": true,
"keepTime": true,
"tags": [
"airlock-microgateway"
],
"targetBlank": true,
"title": "Airlock Microgateway",
"tooltip": "",
"type": "dashboards",
"url": ""
}
],
"panels": [
{
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 0
},
"id": 6,
"title": "Airlock Microgateway Block Metrics",
"type": "row"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "Total number of requests processed by Airlock Microgateway.",
"fieldConfig": {
"defaults": {
"color": {
"fixedColor": "text",
"mode": "fixed"
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
},
"unit": "short"
},
"overrides": []
},
"gridPos": {
"h": 4,
"w": 4,
"x": 0,
"y": 1
},
"id": 1,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"showPercentChange": false,
"textMode": "auto",
"wideLayout": true
},
"pluginVersion": "11.0.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"disableTextWrap": false,
"editorMode": "code",
"exemplar": false,
"expr": "round(sum(increase(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))",
"format": "time_series",
"fullMetaSearch": false,
"hide": false,
"includeNullMetadata": true,
"instant": true,
"legendFormat": "Processed Requests",
"range": false,
"refId": "A",
"useBackend": false
}
],
"title": "Requests",
"type": "stat"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "Ratio of blocked requests vs. processed requests by Airlock Microgateway.",
"fieldConfig": {
"defaults": {
"color": {
"fixedColor": "text",
"mode": "fixed"
},
"mappings": [
{
"options": {
"match": "nan",
"result": {
"index": 0,
"text": "n/a"
}
},
"type": "special"
}
],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
},
"unit": "percentunit"
},
"overrides": []
},
"gridPos": {
"h": 4,
"w": 4,
"x": 4,
"y": 1
},
"id": 2,
"options": {
"colorMode": "value",
"graphMode": "area",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {
"calcs": [
"last"
],
"fields": "",
"values": false
},
"showPercentChange": false,
"textMode": "auto",
"wideLayout": true
},
"pluginVersion": "11.0.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"disableTextWrap": false,
"editorMode": "code",
"exemplar": false,
"expr": "sum(increase(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])) / sum(increase(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range]))",
"fullMetaSearch": false,
"includeNullMetadata": true,
"instant": true,
"legendFormat": "Blocked Requests (%)",
"range": false,
"refId": "A",
"useBackend": false
}
],
"title": "% Blocked Requests",
"type": "stat"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "Requests per second processed by Airlock Microgateway along with the corresponding block rate.",
"fieldConfig": {
"defaults": {
"color": {
"fixedColor": "blue",
"mode": "fixed"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "left",
"barAlignment": 0,
"drawStyle": "line",
"fillOpacity": 0,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "auto",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "blue",
"value": null
}
]
}
},
"overrides": [
{
"matcher": {
"id": "byName",
"options": "% Blocks"
},
"properties": [
{
"id": "custom.axisPlacement",
"value": "right"
},
{
"id": "unit",
"value": "percentunit"
},
{
"id": "color",
"value": {
"fixedColor": "orange",
"mode": "fixed"
}
},
{
"id": "max",
"value": 1
}
]
},
{
"matcher": {
"id": "byName",
"options": "Requests per second"
},
"properties": [
{
"id": "unit",
"value": "short"
},
{
"id": "custom.fillOpacity",
"value": 25
}
]
}
]
},
"gridPos": {
"h": 10,
"w": 20,
"x": 0,
"y": 5
},
"id": 3,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"timezone": [
""
],
"tooltip": {
"maxHeight": 600,
"mode": "single",
"sort": "none"
}
},
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"editorMode": "code",
"exemplar": false,
"expr": "sum(rate(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m]))",
"instant": false,
"legendFormat": "Requests per second",
"range": true,
"refId": "Requests per Second"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"editorMode": "code",
"expr": "sum(rate(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) / sum(rate(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m]))",
"hide": false,
"instant": false,
"legendFormat": "% Blocks",
"range": true,
"refId": "Blocks"
}
],
"title": "Requests vs. % Blocks",
"type": "timeseries"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "Blocked requests by block type.",
"fieldConfig": {
"defaults": {
"color": {
"fixedColor": "super-light-orange",
"mode": "fixed"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisGridShow": true,
"axisLabel": "",
"axisPlacement": "auto",
"fillOpacity": 80,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"lineWidth": 0,
"scaleDistribution": {
"type": "linear"
},
"thresholdsStyle": {
"mode": "off"
}
},
"fieldMinMax": false,
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
},
"unit": "none"
},
"overrides": []
},
"gridPos": {
"h": 11,
"w": 10,
"x": 0,
"y": 15
},
"id": 4,
"options": {
"barRadius": 0,
"barWidth": 0.8,
"fullHighlight": false,
"groupWidth": 0.7,
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": false
},
"orientation": "horizontal",
"showValue": "never",
"stacking": "none",
"tooltip": {
"maxHeight": 600,
"mode": "single",
"sort": "asc"
},
"xField": "block_type",
"xTickLabelRotation": 0,
"xTickLabelSpacing": 0
},
"pluginVersion": "10.4.3",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"editorMode": "code",
"exemplar": false,
"expr": "round(sum by (block_type) (increase(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))",
"format": "time_series",
"instant": true,
"legendFormat": "__auto",
"range": false,
"refId": "A"
}
],
"title": "Block Type",
"transformations": [
{
"id": "reduce",
"options": {
"includeTimeField": false,
"labelsToFields": true,
"mode": "seriesToRows",
"reducers": [
"sum"
]
}
}
],
"type": "barchart"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "Blocked requests by attack type, which are subsets of the various block types.",
"fieldConfig": {
"defaults": {
"color": {
"fixedColor": "light-orange",
"mode": "fixed"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"fillOpacity": 80,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"lineWidth": 1,
"scaleDistribution": {
"type": "linear"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
}
},
"overrides": []
},
"gridPos": {
"h": 11,
"w": 10,
"x": 10,
"y": 15
},
"id": 5,
"options": {
"barRadius": 0,
"barWidth": 0.8,
"fullHighlight": false,
"groupWidth": 0.7,
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": false
},
"orientation": "horizontal",
"showValue": "never",
"stacking": "none",
"tooltip": {
"maxHeight": 600,
"mode": "single",
"sort": "none"
},
"xField": "attack_type",
"xTickLabelRotation": 0,
"xTickLabelSpacing": 0
},
"pluginVersion": "10.4.3",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"editorMode": "code",
"exemplar": false,
"expr": "round(sum by (attack_type) (increase(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))",
"instant": true,
"legendFormat": "__auto",
"range": false,
"refId": "A"
}
],
"title": "Attack Type",
"transformations": [
{
"id": "reduce",
"options": {
"labelsToFields": true,
"reducers": [
"sum"
]
}
}
],
"type": "barchart"
}
],
"refresh": "",
"schemaVersion": 39,
"tags": [
"airlock-microgateway"
],
"templating": {
"list": [
{
"current": {
"selected": false,
"text": "Prometheus",
"value": "PBFA97CFB590B2093"
},
"hide": 2,
"includeAll": false,
"label": "Datasource Prometheus",
"multi": false,
"name": "DS_PROMETHEUS",
"options": [],
"query": "prometheus",
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"type": "datasource"
},
{
"current": {
"selected": false,
"text": "Loki",
"value": "P8E80F9AEF21F6940"
},
"hide": 2,
"includeAll": false,
"label": "DS_LOKI",
"multi": false,
"name": "DS_LOKI",
"options": [],
"query": "loki",
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"type": "datasource"
},
{
"allValue": ".*",
"current": {},
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"definition": "label_values(microgateway_license_valid,namespace)",
"hide": 0,
"includeAll": true,
"label": "Operator Namespace",
"multi": true,
"name": "operator_namespace",
"options": [],
"query": {
"qryType": 1,
"query": "label_values(microgateway_license_valid,namespace)",
"refId": "PrometheusVariableQueryEditor-VariableQuery"
},
"refresh": 2,
"regex": ".*",
"skipUrlSync": false,
"sort": 0,
"type": "query"
},
{
"allValue": ".*",
"current": {},
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"definition": "label_values(microgateway_license_http_rq_total,namespace)",
"hide": 0,
"includeAll": true,
"label": "Application Namespace",
"multi": true,
"name": "namespace",
"options": [],
"query": {
"qryType": 1,
"query": "label_values(microgateway_license_http_rq_total,namespace)",
"refId": "PrometheusVariableQueryEditor-VariableQuery"
},
"refresh": 2,
"regex": "",
"skipUrlSync": false,
"sort": 5,
"type": "query"
},
{
"allValue": ".*",
"current": {},
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"definition": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)",
"hide": 0,
"includeAll": true,
"label": "Block Type",
"multi": true,
"name": "blockType",
"options": [],
"query": {
"qryType": 1,
"query": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)",
"refId": "PrometheusVariableQueryEditor-VariableQuery"
},
"refresh": 2,
"regex": "",
"skipUrlSync": false,
"sort": 5,
"type": "query"
}
]
},
"time": {
"from": "now-24h",
"to": "now"
},
"timeRangeUpdatedDuringEditOrView": false,
"timepicker": {
"hidden": false
},
"timezone": "browser",
"title": "Airlock Microgateway Block Metrics",
"uid": "ddnqoczu7qvb4cdd3dd",
"version": 3,
"weekStart": ""
}

521
charts/airlock/microgateway/4.3.2/dashboards/license.json Normal file
View File

@ -0,0 +1,521 @@
{
"__inputs": [
{
"name": "DS_PROMETHEUS",
"label": "Prometheus",
"description": "",
"type": "datasource",
"pluginId": "prometheus",
"pluginName": "Prometheus"
}
],
"__elements": {},
"__requires": [
{
"type": "grafana",
"id": "grafana",
"name": "Grafana",
"version": "10.2.0"
},
{
"type": "datasource",
"id": "prometheus",
"name": "Prometheus",
"version": "1.0.0"
},
{
"type": "panel",
"id": "stat",
"name": "Stat",
"version": ""
},
{
"type": "panel",
"id": "timeseries",
"name": "Time series",
"version": ""
}
],
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "grafana",
"uid": "-- Grafana --"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"type": "dashboard"
}
]
},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": null,
"links": [
{
"asDropdown": true,
"icon": "external link",
"includeVars": true,
"keepTime": true,
"tags": [
"airlock-microgateway"
],
"targetBlank": true,
"title": "Airlock Microgateway",
"tooltip": "",
"type": "dashboards",
"url": ""
}
],
"panels": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "License status of Airlock Microgateway.",
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"mappings": [
{
"options": {
"0": {
"color": "red",
"index": 1,
"text": "Invalid"
},
"1": {
"color": "green",
"index": 0,
"text": "Valid"
}
},
"type": "value"
}
],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
}
},
"overrides": []
},
"gridPos": {
"h": 4,
"w": 3,
"x": 0,
"y": 0
},
"id": 1,
"options": {
"colorMode": "value",
"graphMode": "area",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"showPercentChange": false,
"textMode": "auto",
"wideLayout": true
},
"pluginVersion": "11.0.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"editorMode": "code",
"exemplar": false,
"expr": "min(microgateway_license_valid{namespace=~\"${operator_namespace.regex}\"})",
"instant": true,
"legendFormat": "License Status",
"range": false,
"refId": "Licenses"
}
],
"title": "License Status",
"type": "stat"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "Expiry date of the Airlock Microgateway license associated with the selected operator.",
"fieldConfig": {
"defaults": {
"color": {
"fixedColor": "text",
"mode": "fixed"
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
},
"unit": "time: L"
},
"overrides": []
},
"gridPos": {
"h": 4,
"w": 4,
"x": 3,
"y": 0
},
"id": 4,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"showPercentChange": false,
"textMode": "auto",
"wideLayout": true
},
"pluginVersion": "11.0.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"editorMode": "code",
"exemplar": false,
"expr": "min(microgateway_license_expiry_timestamp_seconds{namespace=~\"${operator_namespace.regex}\"})*1000",
"instant": true,
"legendFormat": "Expiry Date (MM/DD/YYYY)",
"range": false,
"refId": "A"
}
],
"title": "License Expiry Date",
"type": "stat"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "Number of licensed requests for applications protected by Airlock Microgateway.",
"fieldConfig": {
"defaults": {
"color": {
"fixedColor": "text",
"mode": "fixed"
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
},
"unit": "short"
},
"overrides": []
},
"gridPos": {
"h": 4,
"w": 4,
"x": 7,
"y": 0
},
"id": 6,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"showPercentChange": false,
"textMode": "auto",
"wideLayout": true
},
"pluginVersion": "11.0.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"editorMode": "code",
"exemplar": false,
"expr": "sum(microgateway_license_max_rq_count_per_month{namespace=~\"${operator_namespace.regex}\"})",
"instant": true,
"legendFormat": "Licensed Requests",
"range": false,
"refId": "A"
}
],
"title": "Licensed Requests",
"type": "stat"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "Estimated number of requests protected by Airlock Microgateway over 30 days based on the last 7 days.",
"fieldConfig": {
"defaults": {
"color": {
"fixedColor": "text",
"mode": "fixed"
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
},
"unit": "short"
},
"overrides": []
},
"gridPos": {
"h": 4,
"w": 5,
"x": 11,
"y": 0
},
"id": 2,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"showPercentChange": false,
"textMode": "auto",
"wideLayout": true
},
"pluginVersion": "11.0.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"editorMode": "code",
"exemplar": false,
"expr": "sum(increase(microgateway_license_http_rq_total{job=~\"${operator_namespace.regex}/.*-engine\"}[7d]))/7*30",
"instant": true,
"legendFormat": "Estimated Requests",
"range": false,
"refId": "A"
}
],
"title": "Requests over 30 days (estimated)",
"type": "stat"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "Number of requests per week processed by Airlock Microgateway.",
"fieldConfig": {
"defaults": {
"color": {
"fixedColor": "blue",
"mode": "fixed"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"drawStyle": "line",
"fillOpacity": 0,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "auto",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
},
"unit": "short"
},
"overrides": []
},
"gridPos": {
"h": 12,
"w": 16,
"x": 0,
"y": 4
},
"id": 5,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"maxHeight": 600,
"mode": "single",
"sort": "none"
}
},
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"editorMode": "code",
"expr": "sum(avg_over_time(increase(microgateway_license_http_rq_total{job=~\"${operator_namespace.regex}/.*-engine\"}[7d])[2m:30s]))",
"instant": false,
"legendFormat": "# Requests per week",
"range": true,
"refId": "A"
}
],
"title": "Processed Requests per week",
"type": "timeseries"
}
],
"schemaVersion": 39,
"tags": [
"airlock-microgateway"
],
"templating": {
"list": [
{
"current": {
"selected": false,
"text": "Prometheus",
"value": "PBFA97CFB590B2093"
},
"hide": 2,
"includeAll": false,
"label": "DS_PROMETHEUS",
"multi": false,
"name": "DS_PROMETHEUS",
"options": [],
"query": "prometheus",
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"type": "datasource"
},
{
"allValue": ".*",
"current": {},
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"definition": "label_values(microgateway_license_valid,namespace)",
"description": "",
"hide": 0,
"includeAll": false,
"label": "Operator Namespace",
"multi": false,
"name": "operator_namespace",
"options": [],
"query": {
"qryType": 1,
"query": "label_values(microgateway_license_valid,namespace)",
"refId": "PrometheusVariableQueryEditor-VariableQuery"
},
"refresh": 2,
"regex": "",
"skipUrlSync": false,
"sort": 0,
"type": "query"
}
]
},
"time": {
"from": "now-7d",
"to": "now"
},
"timeRangeUpdatedDuringEditOrView": false,
"timepicker": {},
"timezone": "browser",
"title": "Airlock Microgateway License",
"uid": "cdpq79bzrr01se",
"version": 2,
"weekStart": ""
}

1138
charts/airlock/microgateway/4.3.2/dashboards/overview.json Normal file
View File

File diff suppressed because it is too large Load Diff

47
charts/airlock/microgateway/4.3.2/templates/NOTES.txt Normal file
View File

@ -0,0 +1,47 @@
Thank you for installing Airlock Microgateway.
Please ensure the following prerequisites are fulfilled:
* Cert-Manager is installed.
https://cert-manager.io/docs/installation/helm/
* Airlock Microgateway CNI is also installed on the cluster.
https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni
* A valid Airlock Microgateway license is deployed in the Kubernetes secret 'airlock-microgateway-license'.
* Get a free Community license: https://airlock.com/en/microgateway-community
* Order a Premium license: https://airlock.com/en/microgateway-premium
Further information:
* Documentation: https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" . }}
* CRD API reference documentation: https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" . }}/api/crds
* Airlock Microgateway Labs: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=helm
{{- if .Values.crds.skipVersionCheck }}
Warning: CRD version check skipped
{{- else -}}
{{- $outdatedCRDs := (include "airlock-microgateway.outdatedCRDs" .) -}}
{{- if $outdatedCRDs -}}
{{- fail (printf `
Helm does not automatically upgrade CRDs from the chart's 'crds/' directory during 'helm install/upgrade'.
Therefore, the CRDs must be manually upgraded with the following command before deploying this chart:
kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=%s --server-side --force-conflicts
If you are not using the helm install/upgrade command and instead rely on some other mechanism which is able to upgrade CRDs for deploying this chart, you can suppress this error by setting the helm value 'crds.skipVersionCheck=true'.`
.Chart.AppVersion)
-}}
{{- end -}}
{{- end -}}
{{- if .Values.tests.enabled -}}
{{- if .Values.operator.watchNamespaces -}}
{{- if not (has .Release.Namespace .Values.operator.watchNamespaces) -}}
{{- fail (printf `
To execute 'helm test', it is necessary that the release namespace '%s' is part of the operator's watch scope. Either disable the tests or ensure that the release namespace is added to watch namspace list ('operator.watchNamespaces') in the helm values.
`
.Release.Namespace)
-}}
{{- end -}}
{{- end -}}
{{- end }}
Your release version is {{ .Chart.Version }}.

153
charts/airlock/microgateway/4.3.2/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,153 @@
{{/*
Expand the name of the chart.
We truncate at 49 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec)
and the longest explicit suffix is 14 characters.
*/}}
{{- define "airlock-microgateway.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 49 | trimSuffix "-" }}
{{- end }}
{{/*
Convert an image configuration object into an image ref string.
*/}}
{{- define "airlock-microgateway.image" -}}
{{- if .digest -}}
{{- printf "%s@%s" .repository .digest -}}
{{- else if .tag -}}
{{- printf "%s:%s" .repository .tag -}}
{{- else -}}
{{- printf "%s" .repository -}}
{{- end -}}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 36 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec)
and the longest implicit suffix is 27 characters.
If release name contains chart name it will be used as a full name.
*/}}
{{- define "airlock-microgateway.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 36 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 36 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 36 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "airlock-microgateway.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "airlock-microgateway.sharedLabels" -}}
helm.sh/chart: {{ include "airlock-microgateway.chart" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/part-of: {{ .Chart.Name }}
{{- with .Values.commonLabels }}
{{ toYaml .}}
{{- end }}
{{- end }}
{{/*
Common Selector labels
*/}}
{{- define "airlock-microgateway.sharedSelectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Restricted Container Security Context
*/}}
{{- define "airlock-microgateway.restrictedSecurityContext" -}}
allowPrivilegeEscalation: false
privileged: false
runAsNonRoot: true
capabilities:
drop: ["ALL"]
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
{{- end }}
{{/* Precondition: May only be used if AppVersion is isSemver */}}
{{- define "airlock-microgateway.supportedCRDVersionPattern" -}}
{{- $version := (semver .Chart.AppVersion) -}}
{{- if $version.Prerelease -}}
>= {{ $version.Major }}.{{ $version.Minor }}.{{ $version.Patch }}-{{ $version.Prerelease }}
{{- else -}}
>= {{ $version.Major }}.{{ $version.Minor }}.0 || >= {{ $version.Major }}.{{ $version.Minor }}.{{ add1 $version.Patch }}-0
{{- end -}}
{{- end -}}
{{- define "airlock-microgateway.outdatedCRDs" -}}
{{- if (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) -}}
{{- $supportedVersion := (include "airlock-microgateway.supportedCRDVersionPattern" .) -}}
{{- range $path, $_ := .Files.Glob "crds/*.yaml" -}}
{{- $api := ($.Files.Get $path | fromYaml).metadata.name -}}
{{- $crd := (lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" $api) -}}
{{- $isOutdated := false -}}
{{- if $crd -}}
{{/* If CRD is already present in the cluster, it must have the minimum supported version */}}
{{- $isOutdated = true -}}
{{- if hasKey $crd.metadata "labels" -}}
{{- $crdVersion := get $crd.metadata.labels "app.kubernetes.io/version" -}}
{{- if (eq "true" (include "airlock-microgateway.isSemver" $crdVersion)) -}}
{{- if (semverCompare $supportedVersion $crdVersion) }}
{{- $isOutdated = false -}}
{{- end }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if $isOutdated }}
{{ base $path }}
{{- end }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "airlock-microgateway.isSemver" -}}
{{- regexMatch `^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$` . -}}
{{- end -}}
{{- define "airlock-microgateway.docsVersion" -}}
{{- if and (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}}
{{- $version := (semver .Chart.AppVersion) -}}
{{- $version.Major }}.{{ $version.Minor -}}
{{- else -}}
{{- print "latest" -}}
{{- end -}}
{{- end -}}
{{- define "airlock-microgateway.watchNamespaceSelector.labelQuery" -}}
{{- $list := list -}}
{{- with .matchLabels -}}
{{- range $key, $value := . -}}
{{- $list = append $list (printf "%s=%s" $key $value) -}}
{{- end -}}
{{- end -}}
{{- with .matchExpressions -}}
{{- range . -}}
{{- if has .operator (list "In" "NotIn") -}}
{{- $list = append $list (printf "%s %s (%s)" .key (lower .operator) (join "," .values)) -}}
{{- else if eq .operator "Exists" -}}
{{- $list = append $list .key -}}
{{- else if eq .operator "DoesNotExist" -}}
{{- $list = append $list (printf "!%s" .key) -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- join "," $list -}}
{{- end -}}

42
charts/airlock/microgateway/4.3.2/templates/operator/_operator_helpers.tpl Normal file
View File

@ -0,0 +1,42 @@
{{/*
Create a default fully qualified name for operator components.
*/}}
{{- define "airlock-microgateway.operator.fullname" -}}
{{ include "airlock-microgateway.fullname" . }}-operator
{{- end }}
{{/*
Common operator labels
*/}}
{{- define "airlock-microgateway.operator.labels" -}}
{{ include "airlock-microgateway.sharedLabels" . }}
{{ include "airlock-microgateway.operator.selectorLabels" . }}
{{- end }}
{{/*
Operator Selector labels
*/}}
{{- define "airlock-microgateway.operator.selectorLabels" -}}
{{ include "airlock-microgateway.sharedSelectorLabels" . }}
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-operator
app.kubernetes.io/component: controller
{{- end }}
{{/*
Create the name of the service account to use for the operator
*/}}
{{- define "airlock-microgateway.operator.serviceAccountName" -}}
{{- if .Values.operator.serviceAccount.create }}
{{- default (include "airlock-microgateway.operator.fullname" .) .Values.operator.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.operator.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
ServiceMonitor metrics regex pattern for leader only metrics
*/}}
{{- define "airlock-microgateway.operator.metricsLeaderOnlyRegexPattern" -}}
^(microgateway_license|microgateway_sidecars).*$
{{- end }}

237
charts/airlock/microgateway/4.3.2/templates/operator/_rbac.gen.tpl Normal file
View File

@ -0,0 +1,237 @@
{{/* AUTOGENERATED FILE DO NOT EDIT */}}
{{/*
Operator rbac permission rules
*/}}
{{- define "airlock-microgateway-operator.rbacRules" -}}
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- pods
verbs:
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- pods/finalizers
verbs:
- update
- apiGroups:
- ""
resources:
- pods/status
verbs:
- patch
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- get
- list
- update
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- accesscontrols
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- contentsecurities
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- denyrules
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- envoyclusters
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- envoyconfigurations
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- envoyconfigurations/status
verbs:
- get
- patch
- update
- apiGroups:
- microgateway.airlock.com
resources:
- envoyhttpfilters
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- graphqls
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- headerrewrites
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- identitypropagations
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- limits
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- oidcproviders
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- oidcrelyingparties
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- openapis
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- parsers
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- redisproviders
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- sessionhandlings
verbs:
- get
- list
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- sidecargateways
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- microgateway.airlock.com
resources:
- sidecargateways/finalizers
verbs:
- update
- apiGroups:
- microgateway.airlock.com
resources:
- sidecargateways/status
verbs:
- get
- patch
- update
- apiGroups:
- microgateway.airlock.com
resources:
- telemetries
verbs:
- get
- list
- watch
{{- end }}

339
charts/airlock/microgateway/4.3.2/templates/operator/_webhooks.gen.tpl Normal file
View File

@ -0,0 +1,339 @@
{{/* AUTOGENERATED FILE DO NOT EDIT */}}
{{/*
Operator mutating webhooks
*/}}
{{- define "airlock-microgateway-operator.mutatingWebhooks" -}}
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /mutate-v1-pod
failurePolicy: Fail
name: mutate-pod.microgateway.airlock.com
reinvocationPolicy: IfNeeded
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
resources:
- pods
sideEffects: None
objectSelector:
matchLabels:
sidecar.microgateway.airlock.com/inject: "true"
{{- end }}
{{/*
Operator validating webhooks
*/}}
{{- define "airlock-microgateway-operator.validatingWebhooks" -}}
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-v1-pod
failurePolicy: Fail
name: validate-pod.microgateway.airlock.com
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- pods
sideEffects: None
objectSelector:
matchLabels:
sidecar.microgateway.airlock.com/inject: "true"
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-accesscontrol
failurePolicy: Fail
name: validate-accesscontrol.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- accesscontrols
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-denyrules
failurePolicy: Fail
name: validate-denyrules.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- denyrules
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-envoycluster
failurePolicy: Fail
name: validate-envoycluster.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- envoyclusters
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-envoyhttpfilter
failurePolicy: Fail
name: validate-envoyhttpfilter.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- envoyhttpfilters
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-graphql
failurePolicy: Fail
name: validate-graphql.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- graphqls
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-headerrewrites
failurePolicy: Fail
name: validate-headerrewrites.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- headerrewrites
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-identitypropagation
failurePolicy: Fail
name: validate-identitypropagation.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- identitypropagations
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-limits
failurePolicy: Fail
name: validate-limits.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- limits
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-oidcprovider
failurePolicy: Fail
name: validate-oidcprovider.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- oidcproviders
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-oidcrelyingparty
failurePolicy: Fail
name: validate-oidcrelyingparty.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- oidcrelyingparties
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-openapi
failurePolicy: Fail
name: validate-openapi.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- openapis
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-parser
failurePolicy: Fail
name: validate-parser.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- parsers
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-redisprovider
failurePolicy: Fail
name: validate-redisprovider.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- redisproviders
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: airlock-microgateway-operator-webhook
namespace: '{{ .Release.Namespace }}'
path: /validate-microgateway-airlock-com-v1alpha1-sidecargateway
failurePolicy: Fail
name: validate-sidecargateway.microgateway.airlock.com
rules:
- apiGroups:
- microgateway.airlock.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- sidecargateways
sideEffects: None
{{- end }}

394
charts/airlock/microgateway/4.3.2/templates/operator/configmap.yaml Normal file
View File

@ -0,0 +1,394 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-config
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
data:
engine_bootstrap_config_template.yaml: |
# Base configuration, admin interface on port 19000
admin:
address:
socket_address:
address: 127.0.0.1
port_value: 19000
dynamic_resources:
cds_config:
initial_fetch_timeout: 10s
resource_api_version: V3
api_config_source:
api_type: GRPC
transport_api_version: V3
grpc_services:
- envoy_grpc:
cluster_name: xds_cluster
set_node_on_first_message_only: true
# Prevent Envoy Node from overloading the xDS server due to rejected configuration when using xDS SotW gRPC
rate_limit_settings:
max_tokens: 5
fill_rate: 0.2
lds_config:
resource_api_version: V3
initial_fetch_timeout: 10s
api_config_source:
api_type: GRPC
transport_api_version: V3
grpc_services:
- envoy_grpc:
cluster_name: xds_cluster
set_node_on_first_message_only: true
# Prevent Envoy Node from overloading the xDS server due to rejected configuration when using xDS SotW gRPC
rate_limit_settings:
max_tokens: 5
fill_rate: 0.2
static_resources:
listeners:
- name: probe
address:
socket_address:
address: 0.0.0.0
port_value: 19001
filter_chains:
- filters:
- name: http_connection_manager
typed_config:
'@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: probe
codec_type: AUTO
http2_protocol_options:
initial_connection_window_size: 1048576
initial_stream_window_size: 65536
max_concurrent_streams: 100
route_config:
name: probe
virtual_hosts:
- name: probe
domains:
- '*'
routes:
- name: ready
match:
path: /ready
headers:
- name: ':method'
string_match:
exact: 'GET'
route:
cluster: airlock_microgateway_engine_admin
http_filters:
- name: envoy.filters.http.router
typed_config:
'@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
- name: metrics
address:
socket_address:
address: 0.0.0.0
port_value: 19002
filter_chains:
- filters:
- name: http_connection_manager
typed_config:
'@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: metrics
codec_type: AUTO
http2_protocol_options:
initial_connection_window_size: 1048576
initial_stream_window_size: 65536
max_concurrent_streams: 100
route_config:
name: metrics
virtual_hosts:
- name: metrics
domains:
- '*'
routes:
- name: metrics
match:
path: /metrics
headers:
- name: ':method'
string_match:
exact: 'GET'
route:
prefix_rewrite: '/stats/prometheus'
cluster: airlock_microgateway_engine_admin
http_filters:
- name: envoy.filters.http.router
typed_config:
'@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
clusters:
- name: xds_cluster
connect_timeout: 1s
type: STRICT_DNS
load_assignment:
cluster_name: xds_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: airlock-microgateway-operator-xds.$(OPERATOR_NAMESPACE).svc.cluster.local
port_value: 13377
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
'@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
connection_keepalive:
interval: 360s
timeout: 5s
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
'@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
common_tls_context:
tls_params:
tls_minimum_protocol_version: TLSv1_3
tls_maximum_protocol_version: TLSv1_3
validation_context_sds_secret_config:
name: validation_context_sds
sds_config:
resource_api_version: V3
path_config_source:
path: /etc/envoy/validation_context_sds_secret.yaml
watched_directory:
path: /etc/envoy/
tls_certificate_sds_secret_configs:
- name: tls_certificate_sds
sds_config:
resource_api_version: V3
path_config_source:
path: /etc/envoy/tls_certificate_sds_secret.yaml
watched_directory:
path: /etc/envoy/
- name: airlock_microgateway_engine_admin
connect_timeout: 1s
type: STATIC
load_assignment:
cluster_name: airlock_microgateway_engine_admin
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: 127.0.0.1
port_value: 19000
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
'@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
connection_keepalive:
interval: 360s
timeout: 5s
stats_config:
stats_tags:
- tag_name: "block_type"
regex: "\\.(block_type\\.([^.]+))"
- tag_name: "attack_type"
regex: "\\.(attack_type\\.([^.]+))"
- tag_name: "envoy_cluster_name"
regex: "\\.(cluster\\.([^.]+))"
- tag_name: "version"
regex: "\\.(version\\.([^.]+))"
use_all_default_tags: true
overload_manager:
resource_monitors:
- name: "envoy.resource_monitors.global_downstream_max_connections"
typed_config:
"@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
max_active_downstream_connections: 50000
bootstrap_extensions:
- name: airlock.bootstrap.engine_build_info
typed_config:
'@type': type.googleapis.com/airlock.extensions.bootstrap.stats.v1alpha.Stats
application_log_config:
log_format:
text_format: '{"@timestamp":"%Y-%m-%dT%T.%e%z","log":{"logger":"%n","level":"%l","origin":{"file":{"name":"%g","line":%#},"function":"%!"}},"event":{"module":"envoy","dataset":"envoy.application"},"process":{"pid":%P,"thread":{"id":%t}},"ecs":{"version":"8.5"},"message":"%j"}'
engine_container_template.yaml: |
name: "$(ENGINE_NAME)"
image: "$(ENGINE_IMAGE)"
imagePullPolicy: {{ .Values.engine.image.pullPolicy }}
args:
- "--config-path"
- "/etc/envoy/bootstrap_config.yaml"
- "--base-id"
- "$(BASE_ID)"
- "--file-flush-interval-msec"
- '1000'
- "--drain-time-s"
- '60'
- "--service-node"
- "$(POD_NAME).$(POD_NAMESPACE)"
- "--service-cluster"
- "$(APP_NAME).$(POD_NAMESPACE)"
- "--log-path"
- "/dev/stdout"
- "--log-level"
- "$(LOG_LEVEL)"
volumeMounts:
- name: airlock-microgateway-bootstrap-secret-volume
mountPath: /etc/envoy
readOnly: true
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: POD_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
ports:
- containerPort: 13378
protocol: TCP
- containerPort: 19001
protocol: TCP
- containerPort: 19002
protocol: TCP
livenessProbe:
httpGet:
path: /ready
port: 19001
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 5
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
httpGet:
path: /ready
port: 19001
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 3
successThreshold: 1
timeoutSeconds: 1
securityContext:
{{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }}
runAsUser: $(SECURITYCONTEXT_UID)
{{- with .Values.engine.resources }}
resources:
{{- toYaml . | nindent 6 }}
{{- end }}
session_agent_container_template.yaml: |
name: "$(SESSION_AGENT_NAME)"
image: "$(SESSION_AGENT_IMAGE)"
imagePullPolicy: {{ .Values.sessionAgent.image.pullPolicy }}
args:
- "--port"
- "19004"
- "--config-path"
- "/etc/microgateway-session-agent/config.json"
volumeMounts:
- name: airlock-microgateway-session-agent-volume
mountPath: /etc/microgateway-session-agent
readOnly: true
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
ports:
- containerPort: 19004
livenessProbe:
{{- if (semverCompare ">=1.27 || >=1.27.1-0" .Capabilities.KubeVersion.Version)}}
grpc:
port: 19004
{{- else }}
tcpSocket:
port: 19004
{{- end }}
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 5
successThreshold: 1
timeoutSeconds: 5
readinessProbe:
{{- if (semverCompare ">=1.27 || >=1.27.1-0" .Capabilities.KubeVersion.Version)}}
grpc:
port: 19004
{{- else }}
tcpSocket:
port: 19004
{{- end }}
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 3
successThreshold: 1
timeoutSeconds: 5
securityContext:
{{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }}
runAsUser: $(SECURITYCONTEXT_UID)
{{- with .Values.sessionAgent.resources }}
resources:
{{- toYaml . | nindent 6 }}
{{- end }}
network_validator_container_template.yaml: |
name: "$(NETWORK_VALIDATOR_NAME)"
image: "$(NETWORK_VALIDATOR_IMAGE)"
imagePullPolicy: {{ .Values.networkValidator.image.pullPolicy }}
command: ["/bin/sh", "-c"]
args:
- |-
echo 'pong' | nc -v -l 127.0.0.1 13378 &
for i in 1 2 3; do
sleep 1s
if r=$(echo 'ping' | nc -v -q 0 127.0.0.1 19003) && [ $r == pong ]; then
echo -n 'Traffic redirection to Airlock Microgateway Engine is working.' > /dev/termination-log
exit 0
fi
done
echo -en 'Traffic redirection to Airlock Microgateway Engine is not working.\nRestart the pod after ensuring that hostNetwork is disabled and a compatible Airlock Microgateway CNI version is installed on the node.\nCertain environments may also require additional configuration (see docs.airlock.com for more information).' > /dev/termination-log
exit 1
securityContext:
{{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }}
runAsUser: $(SECURITYCONTEXT_UID)
operator_config.yaml: |
apiVersion: config.airlock.com/v1alpha1
kind: OperatorConfig
health:
healthProbeBindAddress: :8081
metrics:
bindAddress: 0.0.0.0:8080
webhook:
port: 9443
deployment:
sidecar:
engineContainerTemplate: "/sidecar/engine_container_template.yaml"
networkValidatorContainerTemplate: "/sidecar/network_validator_container_template.yaml"
sessionAgentContainerTemplate: "/sidecar/session_agent_container_template.yaml"
engine:
bootstrapConfigTemplate: "/engine_bootstrap_config_template.yaml"
log:
level: {{ .Values.operator.config.logLevel }}
{{- with $.Values.operator.watchNamespaceSelector }}
namespaces:
selector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $.Values.operator.watchNamespaces }}
namespaces:
list:
{{- toYaml . | nindent 8 }}
{{- end }}

28
charts/airlock/microgateway/4.3.2/templates/operator/dashboard-configmap.yaml Normal file
View File

@ -0,0 +1,28 @@
{{- if .Values.dashboards.create -}}
{{- range $instance := (keys .Values.dashboards.instances | sortAlpha) -}}
{{- $dashboard := get $.Values.dashboards.instances $instance -}}
{{- if $dashboard.create }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "airlock-microgateway.fullname" $ }}-dashboard-{{ $instance | lower }}
namespace: {{ $.Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" $ | nindent 4 }}
{{- with $.Values.dashboards.config.grafana.dashboardLabel -}}
{{- .name | nindent 4 -}}: {{ .value | quote }}
{{- end }}
annotations:
{{- with $.Values.dashboards.config.grafana.folderAnnotation -}}
{{- .name | nindent 4 -}}: {{ .value | quote }}
{{- end }}
{{- with $.Values.commonAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
data:
{{- printf "%s.json" $instance | nindent 2 }}: |-
{{- ($.Files.Get (printf "dashboards/%s.json" $instance)) | nindent 4 -}}
{{- end -}}
{{- end -}}
{{- end -}}

143
charts/airlock/microgateway/4.3.2/templates/operator/deployment.yaml Normal file
View File

@ -0,0 +1,143 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.operator.replicaCount }}
{{- with .Values.operator.updateStrategy }}
strategy:
{{- toYaml . | trim | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "airlock-microgateway.operator.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/operator/configmap.yaml") . | sha256sum }}
kubectl.kubernetes.io/default-container: manager
{{- with mustMerge .Values.operator.podAnnotations .Values.commonAnnotations}}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 8 }}
{{- with .Values.operator.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
containers:
- args:
- --config=operator_config.yaml
env:
- name: ENGINE_IMAGE
value: {{ include "airlock-microgateway.image" .Values.engine.image }}
- name: NETWORK_VALIDATOR_IMAGE
value: {{ include "airlock-microgateway.image" .Values.networkValidator.image }}
- name: SESSION_AGENT_IMAGE
value: {{ include "airlock-microgateway.image" .Values.sessionAgent.image }}
- name: OPERATOR_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: OPERATOR_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: {{ include "airlock-microgateway.image" .Values.operator.image }}
imagePullPolicy: {{ .Values.operator.image.pullPolicy }}
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
timeoutSeconds: 5
name: manager
ports:
- containerPort: 9443
name: webhook-server
protocol: TCP
- containerPort: 13377
name: xds-server
protocol: TCP
- containerPort: 8080
protocol: TCP
- containerPort: 8081
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
{{- with .Values.operator.resources }}
resources:
{{- toYaml . | nindent 10 }}
{{- end }}
securityContext:
{{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 10 }}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
- mountPath: /opt/airlock/license/
name: airlock-microgateway-license
readOnly: true
- mountPath: /operator_config.yaml
name: operator-config
subPath: operator_config.yaml
- mountPath: /sidecar/engine_container_template.yaml
name: operator-config
subPath: engine_container_template.yaml
- mountPath: /sidecar/network_validator_container_template.yaml
name: operator-config
subPath: network_validator_container_template.yaml
- mountPath: /sidecar/session_agent_container_template.yaml
name: operator-config
subPath: session_agent_container_template.yaml
- mountPath: /engine_bootstrap_config_template.yaml
name: operator-config
subPath: engine_bootstrap_config_template.yaml
securityContext:
runAsNonRoot: true
serviceAccountName: {{ include "airlock-microgateway.operator.serviceAccountName" . }}
terminationGracePeriodSeconds: 10
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.operator.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.operator.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.operator.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: cert
secret:
defaultMode: 420
secretName: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-server-cert
- name: airlock-microgateway-license
secret:
defaultMode: 292
optional: true
secretName: {{ .Values.license.secretName }}
- configMap:
name: {{ include "airlock-microgateway.operator.fullname" . }}-config
name: operator-config

33
charts/airlock/microgateway/4.3.2/templates/operator/manager-role.yaml Normal file
View File

@ -0,0 +1,33 @@
{{- if .Values.operator.rbac.create }}
{{- if empty .Values.operator.watchNamespaces }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
{{ include "airlock-microgateway-operator.rbacRules" . -}}
{{- else }}
{{- range $namespace := (append .Values.operator.watchNamespaces .Release.Namespace | uniq) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "airlock-microgateway.operator.fullname" $ }}-manager
namespace: {{ $namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" $ | nindent 4 }}
{{- with $.Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
{{ include "airlock-microgateway-operator.rbacRules" $ }}
---
{{- end -}}
{{- end -}}
{{- end -}}

45
charts/airlock/microgateway/4.3.2/templates/operator/manager-rolebinding.yaml Normal file
View File

@ -0,0 +1,45 @@
{{- if .Values.operator.rbac.create }}
{{- if empty .Values.operator.watchNamespaces }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: {{ include "airlock-microgateway.operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- else }}
{{- range $namespace := (append .Values.operator.watchNamespaces .Release.Namespace | uniq) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "airlock-microgateway.operator.fullname" $ }}-manager
namespace: {{ $namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" $ | nindent 4 }}
{{- with $.Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "airlock-microgateway.operator.fullname" $ }}-manager
subjects:
- kind: ServiceAccount
name: {{ include "airlock-microgateway.operator.serviceAccountName" $ }}
namespace: {{ $.Release.Namespace }}
---
{{- end -}}
{{- end -}}
{{- end -}}

47
charts/airlock/microgateway/4.3.2/templates/operator/metrics-service.yaml Normal file
View File

@ -0,0 +1,47 @@
apiVersion: v1
kind: Service
metadata:
name: airlock-microgateway-operator-metrics
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.operator.serviceLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ports:
- appProtocol: http
name: metrics
port: 8080
protocol: TCP
selector:
{{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }}
---
apiVersion: v1
kind: Service
metadata:
name: airlock-microgateway-operator-leader-metrics
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.operator.serviceLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
operator.microgateway.airlock.com/isLeader: "true"
{{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ports:
- appProtocol: http
name: metrics
port: 8080
protocol: TCP
selector:
{{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }}
operator.microgateway.airlock.com/isLeader: "true"

28
charts/airlock/microgateway/4.3.2/templates/operator/mutating-webhook.yaml Normal file
View File

@ -0,0 +1,28 @@
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-{{ .Release.Namespace }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
annotations:
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "airlock-microgateway.operator.fullname" . }}-serving-cert
{{- with .Values.commonAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
webhooks:
{{- range $webhook := (include "airlock-microgateway-operator.mutatingWebhooks" .) | fromYamlArray }}
- {{ toYaml $webhook | indent 2 | trim }}
{{- with $.Values.operator.watchNamespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with $.Values.operator.watchNamespaces }}
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: In
values:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- end }}

27
charts/airlock/microgateway/4.3.2/templates/operator/podmonitor.yaml Normal file
View File

@ -0,0 +1,27 @@
{{- if .Values.engine.sidecar.podMonitor.create }}
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: {{ include "airlock-microgateway.fullname" . }}-engine
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.engine.sidecar.podMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
namespaceSelector:
any: true
selector:
matchLabels:
sidecar.microgateway.airlock.com/inject: "true"
microgateway.airlock.com/managedBy: {{ .Release.Namespace }}
podMetricsEndpoints:
- targetPort: 19002
path: /metrics
scheme: http
{{- end -}}

45
charts/airlock/microgateway/4.3.2/templates/operator/role.yaml Normal file
View File

@ -0,0 +1,45 @@
{{- if .Values.operator.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
{{- end -}}

20
charts/airlock/microgateway/4.3.2/templates/operator/rolebinding.yaml Normal file
View File

@ -0,0 +1,20 @@
{{- if .Values.operator.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election
subjects:
- kind: ServiceAccount
name: {{ include "airlock-microgateway.operator.serviceAccountName" . }}
{{- end -}}

13
charts/airlock/microgateway/4.3.2/templates/operator/selfsigned-issuer.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-selfsigned-issuer
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selfSigned: {}

13
charts/airlock/microgateway/4.3.2/templates/operator/serviceaccount.yaml Normal file
View File

@ -0,0 +1,13 @@
{{- if .Values.operator.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "airlock-microgateway.operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with mustMerge .Values.operator.serviceAccount.annotations .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}

60
charts/airlock/microgateway/4.3.2/templates/operator/servicemonitor.yaml Normal file
View File

@ -0,0 +1,60 @@
{{- if .Values.operator.serviceMonitor.create }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.operator.serviceMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "airlock-microgateway.operator.selectorLabels" . | nindent 6 }}
matchExpressions:
- { key: "operator.microgateway.airlock.com/isLeader", operator: DoesNotExist }
endpoints:
- path: /metrics
port: metrics
scheme: http
metricRelabelings:
- sourceLabels:
- __name__
regex: {{ include "airlock-microgateway.operator.metricsLeaderOnlyRegexPattern" . }}
action: drop
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-leader
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.operator.serviceMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "airlock-microgateway.operator.selectorLabels" . | nindent 6 }}
operator.microgateway.airlock.com/isLeader: "true"
endpoints:
- path: /metrics
port: metrics
scheme: http
metricRelabelings:
- sourceLabels:
- __name__
regex: {{ include "airlock-microgateway.operator.metricsLeaderOnlyRegexPattern" . }}
action: keep
{{- end -}}

19
charts/airlock/microgateway/4.3.2/templates/operator/serving-certificate.yaml Normal file
View File

@ -0,0 +1,19 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-serving-cert
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
dnsNames:
- airlock-microgateway-operator-webhook.{{ .Release.Namespace }}.svc
- airlock-microgateway-operator-webhook.{{ .Release.Namespace }}.svc.cluster.local
issuerRef:
kind: Issuer
name: {{ include "airlock-microgateway.operator.fullname" . }}-selfsigned-issuer
secretName: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-server-cert

28
charts/airlock/microgateway/4.3.2/templates/operator/validating-webhook.yaml Normal file
View File

@ -0,0 +1,28 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-{{ .Release.Namespace }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
annotations:
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "airlock-microgateway.operator.fullname" . }}-serving-cert
{{- with .Values.commonAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
webhooks:
{{- range $webhook := (include "airlock-microgateway-operator.validatingWebhooks" .) | fromYamlArray }}
- {{ toYaml $webhook | indent 2 | trim }}
{{- with $.Values.operator.watchNamespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with $.Values.operator.watchNamespaces }}
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: In
values:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- end }}

23
charts/airlock/microgateway/4.3.2/templates/operator/webhook-service.yaml Normal file
View File

@ -0,0 +1,23 @@
apiVersion: v1
kind: Service
metadata:
name: airlock-microgateway-operator-webhook
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.operator.serviceLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ports:
- appProtocol: https
name: webhook
port: 443
protocol: TCP
targetPort: 9443
selector:
{{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }}

24
charts/airlock/microgateway/4.3.2/templates/operator/xds-service.yaml Normal file
View File

@ -0,0 +1,24 @@
apiVersion: v1
kind: Service
metadata:
name: airlock-microgateway-operator-xds
namespace: {{ .Release.Namespace }}
labels:
{{- include "airlock-microgateway.operator.labels" . | nindent 4 }}
{{- with .Values.operator.serviceLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ports:
- appProtocol: grpc
name: xds
port: 13377
protocol: TCP
targetPort: 13377
selector:
{{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }}
operator.microgateway.airlock.com/isLeader: "true"

143
charts/airlock/microgateway/4.3.2/templates/tests/rbac.yaml Normal file
View File

@ -0,0 +1,143 @@
{{- if .Values.tests.enabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: tests
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
{{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
name: "{{ include "airlock-microgateway.fullname" . }}-tests"
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: tests
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
{{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
name: "{{ include "airlock-microgateway.fullname" . }}-tests"
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: "{{ include "airlock-microgateway.fullname" . }}-tests"
subjects:
- kind: ServiceAccount
name: "{{ include "airlock-microgateway.fullname" . }}-tests"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: tests
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
{{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
name: "{{ include "airlock-microgateway.fullname" . }}-tests"
namespace: {{ .Release.Namespace }}
rules:
- apiGroups:
- microgateway.airlock.com
resources:
- sidecargateways
resourceNames:
- "{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway"
verbs:
- get
- list
- watch
- delete
- apiGroups:
- microgateway.airlock.com
resources:
- sidecargateways
verbs:
- create
- apiGroups:
- ""
resources:
- events
verbs:
- list
- apiGroups:
- "apps"
resources:
- deployments
resourceNames:
- "{{ include "airlock-microgateway.operator.fullname" . }}"
verbs:
- get
- list
- watch
- apiGroups:
- "apps"
resources:
- statefulsets
- statefulsets/scale
resourceNames:
- "{{ include "airlock-microgateway.fullname" . }}-test-backend"
verbs:
- get
- list
- watch
- patch
- apiGroups:
- ""
resources:
- pods
- pods/log
- pods/status
- pods/attach
resourceNames:
- "{{ include "airlock-microgateway.fullname" . }}-test-backend-0"
- "{{ include "airlock-microgateway.fullname" . }}-test-valid-request"
- "{{ include "airlock-microgateway.fullname" . }}-test-injection-request"
verbs:
- get
- list
- create
- watch
- delete
- apiGroups:
- ""
resources:
- pods
verbs:
- create
{{- if .Values.operator.watchNamespaceSelector }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: tests
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
{{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}"
subjects:
- kind: ServiceAccount
name: "{{ include "airlock-microgateway.fullname" . }}-tests"
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: tests
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
{{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}"
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
{{- end }}
{{- end -}}

23
charts/airlock/microgateway/4.3.2/templates/tests/service.yaml Normal file
View File

@ -0,0 +1,23 @@
{{- if .Values.tests.enabled -}}
apiVersion: v1
kind: Service
metadata:
name: "{{ include "airlock-microgateway.fullname" . }}-test-service"
namespace: {{ .Release.Namespace }}
labels:
app: test-service
app.kubernetes.io/component: test-install
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
{{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
{{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }}
spec:
selector:
app.kubernetes.io/component: test-install
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
app: "{{ include "airlock-microgateway.fullname" . }}-test-backend"
{{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }}
ports:
- name: http
port: 8080
targetPort: 8080
{{- end -}}

56
charts/airlock/microgateway/4.3.2/templates/tests/statefulset.yaml Normal file
View File

@ -0,0 +1,56 @@
{{- if .Values.tests.enabled -}}
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: "{{ include "airlock-microgateway.fullname" . }}-test-backend"
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/component: test-install
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
app: "{{ include "airlock-microgateway.fullname" . }}-test-backend"
{{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
{{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }}
spec:
serviceName: nginx
replicas: 0
selector:
matchLabels:
app.kubernetes.io/component: test-install
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
app: "{{ include "airlock-microgateway.fullname" . }}-test-backend"
{{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
k8s.v1.cni.cncf.io/networks: default/airlock-microgateway-cni
labels:
sidecar.microgateway.airlock.com/inject: "true"
sidecar.istio.io/inject: "false"
app.kubernetes.io/component: test-install
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
app: "{{ include "airlock-microgateway.fullname" . }}-test-backend"
{{- include "airlock-microgateway.sharedLabels" . | nindent 8 }}
{{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 8 }}
spec:
containers:
- image: cgr.dev/chainguard/nginx
name: nginx
ports:
- containerPort: 8080
volumeMounts:
- mountPath: /var/lib/nginx/tmp/
name: nginx-tmp
- mountPath: /var/run
name: nginx-run
securityContext:
{{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 12 }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- emptyDir: {}
name: nginx-tmp
- emptyDir: {}
name: nginx-run
{{- end -}}

227
charts/airlock/microgateway/4.3.2/templates/tests/test-install.yaml Normal file
View File

@ -0,0 +1,227 @@
{{- if .Values.tests.enabled -}}
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "airlock-microgateway.fullname" . }}-test-install"
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/component: test-install
app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
sidecar.istio.io/inject: "false"
{{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
{{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }}
annotations:
helm.sh/hook: test
helm.sh/hook-delete-policy: before-hook-creation
spec:
restartPolicy: Never
containers:
- name: test
image: "bitnami/kubectl:{{ .Capabilities.KubeVersion.Major }}.{{ .Capabilities.KubeVersion.Minor }}"
securityContext:
{{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }}
command:
- sh
- -c
- |
set -eu
clean_up() {
echo ""
echo "### Clean up test resources"
kubectl delete --ignore-not-found=true -n {{ .Release.Namespace }} sidecargateways.microgateway.airlock.com {{ include "airlock-microgateway.fullname" . }}-test-sidecargateway || true
echo ""
echo "### Scale down '{{ include "airlock-microgateway.fullname" . }}-test-backend'"
kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=0 --timeout=60s
sleep 3s
echo ""
}
fail() {
echo ""
echo "### Error: ${1}"
echo ""
if kubectl get -n {{ .Release.Namespace }} sidecargateway.microgateway.airlock.com/{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway >/dev/null 2>&1; then
echo ""
echo 'Microgateway Sidecargateway status:'
kubectl get -n {{ .Release.Namespace }} sidecargateway.microgateway.airlock.com/{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway -o jsonpath-as-json='{.status}' || true
echo ""
echo ""
fi
if kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 >/dev/null 2>&1; then
echo "Pod '{{ include "airlock-microgateway.fullname" . }}-test-backend-0':"
kubectl describe -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 || true
echo ""
echo ""
echo 'Logs of Nginx container:'
kubectl logs -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -c nginx --tail 5 || true
echo ""
echo ""
# Wait for engine logs
sleep 10s
echo 'Logs of Microgateway Engine container:'
kubectl logs -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -c airlock-microgateway-engine --tail 5 || true
fi
exit 1
}
create_sidecargateway() {
# create SidecarGateway resource for testing purposes
kubectl delete --ignore-not-found=true -n {{ .Release.Namespace }} sidecargateways.microgateway.airlock.com {{ include "airlock-microgateway.fullname" . }}-test-sidecargateway || true
kubectl apply -f - <<EOF
apiVersion: microgateway.airlock.com/v1alpha1
kind: SidecarGateway
metadata:
name: "{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway"
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/component: test-install
{{- include "airlock-microgateway.sharedLabels" . | nindent 12 }}
{{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 12 }}
spec:
podSelector:
matchLabels:
app: "{{ include "airlock-microgateway.fullname" . }}-test-backend"
{{- include "airlock-microgateway.sharedLabels" . | nindent 14 }}
{{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 14 }}
applications:
- containerPort: 8080
EOF
}
curl() {
kubectl delete pod --ignore-not-found=true -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request
kubectl -n {{ .Release.Namespace }} run {{ include "airlock-microgateway.fullname" . }}-test-valid-request --restart=Never --image=cgr.dev/chainguard/curl \
--override-type=strategic \
--overrides='
{
"apiVersion": "v1",
"metadata": {
"labels": {
"sidecar.istio.io/inject": "false"
}
},
"spec": {
"containers": [
{
"name": "{{ include "airlock-microgateway.fullname" . }}-test-valid-request",
"securityContext": {{ include "airlock-microgateway.restrictedSecurityContext" . | fromYaml | toJson }}
}
]
}
}' \
-- "$@"
local i=0
while [ $i -lt 90 ] && ! kubectl logs -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request >/dev/null 2>&1; do sleep 1s; i=$((i+1)); done
kubectl logs -f -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request
kubectl delete pod --ignore-not-found=true -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request
}
{{- if .Values.operator.watchNamespaceSelector }}
echo "### Verify that Namespace Selector matches Namespace '{{ .Release.Namespace }}'"
if ! kubectl get namespace -l '{{ include "airlock-microgateway.watchNamespaceSelector.labelQuery" .Values.operator.watchNamespaceSelector }}' | grep -q {{ .Release.Namespace }}; then
labels=$(kubectl get namespace {{ .Release.Namespace }} -o jsonpath={.metadata.labels} | jq | awk '{print " " $0}')
fail {{printf `"Operator namespace '%s' is not part of the operator's watch scope. To execute 'helm test', the selector configured in the helm value 'operator.watchNamespaceSelector' must match the namespace's labels:\n* Current selector:\n%s\n\n* Current labels:\n$labels\n###"`
.Release.Namespace
(replace "\"" "\\\"" (replace "\n" "\\n" (.Values.operator.watchNamespaceSelector | toPrettyJson | indent 2)))
}}
fi
echo ""
{{- end }}
trap clean_up EXIT
echo ""
echo "### Waiting for Microgateway Operator Deployments to be ready"
if ! kubectl rollout status -n {{ .Release.Namespace }} --timeout=90s \
deployments/{{ include "airlock-microgateway.operator.fullname" . }}; then
fail 'Timout occurred'
fi
echo ""
echo "### Scale '{{ include "airlock-microgateway.fullname" . }}-test-backend' to '1' replica"
# scale to zero replicas to ensure no pods are present from previous runs
kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=0 --timeout=10s
kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=1 --timeout=10s
echo ""
echo "### Waiting for backend pod"
i=0
while true; do
if kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0; then
break
elif [ $i -gt 3 ]; then
fail 'Pod not ready'
fi
sleep 2s
i=$((i+1))
done
echo "### Checking Microgateway Engine sidecar container was injected"
if ! kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -o jsonpath='{.spec.containers[?(@.name=="airlock-microgateway-engine")]}' | grep -q "airlock-microgateway-engine"; then
fail 'Microgateway Engine sidecar container not injected'
fi
echo "True"
echo ""
echo "### Checking for valid license"
i=0
while true; do
if [ "$(kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -o jsonpath='{.metadata.labels.sidecar\.microgateway\.airlock\.com/licensed}')" = 'true' ]; then
break
elif [ $i -gt 30 ]; then
fail 'Microgateway license is missing or invalid'
fi
sleep 2s
i=$((i+1))
done
echo "True"
echo ""
echo "### Create SidecarGateway resource for testing"
if ! create_sidecargateway ; then
fail 'Creation of SidecarGateway resource failed'
fi
echo ""
echo "### Waiting for '{{ include "airlock-microgateway.fullname" . }}-test-backend' to be ready"
if ! kubectl rollout status -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --timeout=90s; then
fail 'Timout occurred'
fi
echo ""
echo "### Waiting for 'engine-config-valid' condition"
if ! kubectl wait -n {{ .Release.Namespace }} pods --field-selector=metadata.name={{ include "airlock-microgateway.fullname" . }}-test-backend-0 --timeout=90s --for=condition=microgateway.airlock.com/engine-config-valid=True; then
fail 'Configuration was never accepted by the Microgateway Engine'
fi
sleep 5s
echo ""
echo ""
echo "### Checking whether a valid request is successful and returns HTTP status code '200'"
out=$(curl -vsS --retry 3 --retry-connrefused --connect-timeout 10 "http://{{ include "airlock-microgateway.fullname" . }}-test-service:8080/" || true)
echo "Response:"
echo "${out}"
if ! echo "${out}" | grep -q "200 OK"; then
fail 'A valid request was not successful'
fi
echo ""
echo ""
echo "### Checking whether a request with an injection attack is blocked and returns HTTP status code '400'"
out=$(curl -vsS --retry 3 --retry-connrefused --connect-timeout 10 "http://{{ include "airlock-microgateway.fullname" . }}-test-service:8080/?token='%20UnION%20all%20select%20A" || true)
echo "Response:"
echo "${out}"
if ! echo "${out}" | grep -q "400 Bad Request"; then
fail 'A malicious request was not blocked'
fi
echo ""
echo ""
echo "### Installation of '{{ include "airlock-microgateway.fullname" . }}' succeeded"
exit 0
serviceAccountName: "{{ include "airlock-microgateway.fullname" . }}-tests"
{{- end -}}

540
charts/airlock/microgateway/4.3.2/values.schema.json Normal file
View File

@ -0,0 +1,540 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"type": "object",
"properties": {
"nameOverride": {
"type": "string"
},
"fullnameOverride": {
"type": "string"
},
"commonLabels": {
"$ref": "#/definitions/StringMap"
},
"commonAnnotations": {
"$ref": "#/definitions/StringMap"
},
"crds": {
"type": "object",
"properties": {
"skipVersionCheck": {
"type": "boolean"
}
},
"additionalProperties": false
},
"imagePullSecrets": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"minLength": 1
}
},
"required": [
"name"
],
"additionalProperties": true
}
},
"operator": {
"type": "object",
"properties": {
"replicaCount": {
"type": "integer",
"minimum": 0
},
"updateStrategy": {
"$ref": "#/definitions/UpdateStrategy"
},
"image": {
"$ref": "#/definitions/Image"
},
"podAnnotations": {
"$ref": "#/definitions/StringMap"
},
"podLabels": {
"$ref": "#/definitions/StringMap"
},
"serviceAnnotations": {
"$ref": "#/definitions/StringMap"
},
"serviceLabels": {
"$ref": "#/definitions/StringMap"
},
"resources": {
"type": "object"
},
"nodeSelector": {
"$ref": "#/definitions/StringMap"
},
"tolerations": {
"type": "array",
"items": {
"type": "object"
}
},
"affinity": {
"type": "object"
},
"config": {
"type": "object",
"properties": {
"logLevel": {
"type": "string",
"enum": [
"debug",
"info",
"warn",
"error"
]
}
},
"required": [
"logLevel"
],
"additionalProperties": false
},
"serviceAccount": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"annotations": {
"$ref": "#/definitions/StringMap"
},
"name": {
"type": "string"
}
},
"required": [
"annotations",
"create",
"name"
],
"additionalProperties": false
},
"watchNamespaces": {
"type": "array",
"items": {
"type": "string"
}
},
"watchNamespaceSelector": {
"$ref": "#/definitions/LabelSelector"
},
"rbac": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
}
},
"required": [
"create"
],
"additionalProperties": false
},
"serviceMonitor": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"labels": {
"$ref": "#/definitions/StringMap"
}
},
"required": [
"create"
],
"additionalProperties": false
}
},
"oneOf": [
{
"properties": {
"watchNamespaces": {
"minItems": 1
},
"watchNamespaceSelector": {
"additionalProperties": false
}
}
},
{
"properties": {
"watchNamespaces": {
"maxItems": 0
},
"watchNamespaceSelector": {
"$ref": "#/definitions/LabelSelector"
}
}
}
],
"required": [
"affinity",
"config",
"image",
"updateStrategy",
"nodeSelector",
"podAnnotations",
"podLabels",
"rbac",
"replicaCount",
"resources",
"serviceAccount",
"serviceAnnotations",
"serviceLabels",
"serviceMonitor",
"tolerations"
],
"additionalProperties": false
},
"engine": {
"type": "object",
"properties": {
"image": {
"$ref": "#/definitions/Image"
},
"resources": {
"type": "object"
},
"sidecar": {
"type": "object",
"properties":{
"podMonitor": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"labels": {
"$ref": "#/definitions/StringMap"
}
},
"required": [
"create"
],
"additionalProperties": false
}
},
"required": [
"podMonitor"
],
"additionalProperties": false
}
},
"required": [
"image",
"resources",
"sidecar"
],
"additionalProperties": false
},
"networkValidator": {
"type": "object",
"properties": {
"image": {
"$ref": "#/definitions/Image"
}
},
"required": [
"image"
],
"additionalProperties": false
},
"sessionAgent": {
"type": "object",
"properties": {
"image": {
"$ref": "#/definitions/Image"
},
"resources": {
"type": "object"
}
},
"required": [
"image",
"resources"
],
"additionalProperties": false
},
"license": {
"type": "object",
"properties": {
"secretName": {
"type": "string",
"minLength": 1
}
},
"required": [
"secretName"
],
"additionalProperties": false
},
"dashboards": {
"type": "object",
"properties" : {
"create": {
"type": "boolean"
},
"config": {
"type": "object",
"properties": {
"grafana": {
"type": "object",
"properties": {
"folderAnnotation": {
"$ref": "#/definitions/NameValuePair"
},
"dashboardLabel": {
"$ref": "#/definitions/NameValuePair"
}
},
"required": [
"folderAnnotation",
"dashboardLabel"
],
"additionalProperties": false
}
},
"required": [
"grafana"
],
"additionalProperties": false
},
"instances": {
"type": "object",
"properties": {
"overview": {
"$ref": "#/definitions/DashboardInstance"
},
"license" : {
"$ref": "#/definitions/DashboardInstance"
},
"blockMetrics" : {
"$ref": "#/definitions/DashboardInstance"
},
"blockLogs" : {
"$ref": "#/definitions/DashboardInstance"
}
},
"required": [
"overview",
"license",
"blockMetrics",
"blockLogs"
],
"additionalProperties": false
}
},
"required": [
"create",
"config",
"instances"
],
"additionalProperties": false
},
"tests": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
}
},
"required": [
"enabled"
],
"additionalProperties": false
},
"global": {
"type": "object"
}
},
"required": [
"commonAnnotations",
"commonLabels",
"crds",
"engine",
"fullnameOverride",
"imagePullSecrets",
"license",
"nameOverride",
"operator",
"networkValidator",
"sessionAgent",
"dashboards",
"tests"
],
"additionalProperties": false,
"definitions": {
"StringMap": {
"type": "object",
"additionalProperties": {
"type": "string"
}
},
"Image": {
"type": "object",
"properties": {
"repository": {
"type": "string",
"minLength": 1
},
"tag": {
"type": "string"
},
"digest": {
"type": "string",
"pattern": "^$|^sha256:[a-f0-9]{64}$"
},
"pullPolicy": {
"type": "string",
"enum": [
"Always",
"IfNotPresent",
"Never"
]
}
},
"required": [
"digest",
"pullPolicy",
"repository",
"tag"
],
"additionalProperties": false
},
"LabelSelector": {
"type": "object",
"properties": {
"matchExpressions": {
"type": "array",
"items": {
"type": "object",
"required": [
"key",
"operator"
],
"properties": {
"key": {
"type": "string"
},
"operator": {
"type": "string"
},
"values": {
"type": "array",
"items": {
"type": "string"
}
}
},
"additionalProperties": false
}
},
"matchLabels": {
"$ref": "#/definitions/StringMap"
}
},
"additionalProperties": false
},
"UpdateStrategy": {
"type": "object",
"oneOf" : [
{
"properties": {
"type": {
"$ref": "#/definitions/RecreateType"
}
},
"required": [
"type"
],
"additionalProperties": false
},
{
"properties": {
"type": {
"$ref": "#/definitions/RollingUpdateType"
},
"rollingUpdate": {
"$ref": "#/definitions/RollingUpdate"
}
},
"required": [
"type"
],
"additionalProperties": false
}
]
},
"RecreateType": {
"type": "string",
"enum": [
"Recreate"
]
},
"RollingUpdateType": {
"type": "string",
"enum": [
"RollingUpdate"
]
},
"RollingUpdate": {
"type": "object",
"properties": {
"maxSurge": {
"type": ["integer", "string"],
"minimum": 0,
"pattern": "^\\d+%?$"
},
"maxUnavailable": {
"type": ["integer", "string"],
"minimum": 0,
"pattern": "^\\d+%?$"
}
},
"anyOf": [
{"required": ["maxSurge"]},
{"required": ["maxUnavailable"]}
],
"additionalProperties": false
},
"DashboardInstance" : {
"type" : "object",
"properties" : {
"create" : {
"type" : "boolean"
}
},
"required" : [
"create"
],
"additionalProperties": false
},
"NameValuePair" : {
"type" : "object",
"properties" : {
"name" : {
"type": "string",
"minLength": 1
},
"value" : {
"type" : "string",
"minLength": 1
}
},
"required" : [
"name",
"value"
],
"additionalProperties": false
}
}
}

213
charts/airlock/microgateway/4.3.2/values.yaml Normal file
View File

@ -0,0 +1,213 @@
# -- Allows overriding the name to use instead of "microgateway".
nameOverride: ""
# -- Allows overriding the name to use as full name of resources.
fullnameOverride: ""
# -- Labels to add to all resources.
commonLabels: {}
# -- Annotations to add to all resources.
commonAnnotations: {}
# -- ImagePullSecrets to use when pulling images.
imagePullSecrets: []
# - name: myRegistryKeySecretName
crds:
# -- Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs.
# The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster
# when performing a "helm install/upgrade".
skipVersionCheck: false
operator:
# -- Number of replicas for the operator Deployment.
replicaCount: 2
# -- Specifies the operator update strategy.
updateStrategy:
type: RollingUpdate
# Specifies the Airlock Microgateway Operator image.
image:
# -- Image repository from which to pull the Airlock Microgateway Operator image.
repository: "quay.io/airlock/microgateway-operator"
# -- Image tag to pull.
tag: "4.3.2"
# -- SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63").
# Overrides tag when specified.
digest: "sha256:d22f2ca35603b805caa67dd07aba524c3e4d68c3b59f7ddfc0e22e7fc09a200c"
# -- Pull policy for this image.
pullPolicy: IfNotPresent
# -- Annotations to add to all Pods.
podAnnotations: {}
# -- Labels to add to all Pods.
podLabels: {}
# -- Annotations to add to the Service.
serviceAnnotations: {}
# prometheus.io/scrape: "true"
# prometheus.io/port: "8080"
# -- Labels to add to the Service.
serviceLabels: {}
# -- Resource restrictions to apply to the operator container.
resources: {}
# We recommend at least the following resource specification.
# limits:
# cpu: 1000m
# memory: 512Mi
# requests:
# cpu: 100m
# memory: 512Mi
# -- Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes.
nodeSelector: {}
# -- Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes.
tolerations: []
# -- Custom affinity to apply to the operator Deployment. Used to influence the scheduling.
affinity: {}
# Parameters for the operator configuration.
config:
# -- Operator application log level.
logLevel: "info"
# Configures the generation of the ServiceAccount.
serviceAccount:
# -- Whether a ServiceAccount should be created.
create: true
# -- Annotations to add to the ServiceAccount.
annotations: {}
# -- Name of the ServiceAccount to use.
# If not set and create is true, a name is generated using the fullname template.
name: ""
# -- Allows to restrict the operator to specific namespaces, depending on your needs.
# For a `OwnNamespace` or `SingleNamespace` installation the list may only contain one namespace (e.g., `watchNamespaces: ["airlock-microgateway-system"]`).
# In case of the `OwnNamespace` installation mode the specified namespace should be equal to the installation namespace.
# For a static `MultiNamespace` installation, the complete list of namespaces must be provided in the `watchNamespaces`.
# An `AllNamespaces` installation or the usage of the `watchNamespaceSelector` requires the `watchNamespaces` to be empty.
# Regardless of the installation modes supported by `watchNamespaces`, RBAC is created only namespace-scoped (using Roles and RoleBindings) in the respective namespaces.
# Please note that this feature requires a Premium license.
watchNamespaces: []
# -- Allows to dynamically select watch namespaces of the operator and the scope of the webhooks based on a Namespace label selector.
# It is able to detect and reconcile resources in all namespaces that match the label selector automatically, even for new namespaces, without restarting the operator.
# This facilitates a dynamic `MultiNamespace` installation mode, but still requires cluster-scoped permissions (i.e., ClusterRoles and ClusterRoleBindings).
# An `AllNamespaces` installation or the usage of the `watchNamespaces` requires the `watchNamespaceSelector` to be empty.
# Please note that this feature requires a Premium license.
watchNamespaceSelector: {}
# For further examples, see: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements.
# matchLabels:
# microgateway.airlock.com/enable: "true"
# matchExpressions:
# - { key: environment, operator: NotIn, values: [dev] }
# Configures the generation of Role and RoleBinding as well as ClusterRoles and ClusterRoleBinding pairs for the ServiceAccount specified above.
rbac:
# -- Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function.
create: true
# Configures the generation of a Prometheus Operator ServiceMonitor.
serviceMonitor:
# -- Whether to create a ServiceMonitor resource for monitoring.
create: false
# -- Labels to add to the ServiceMonitor.
labels: {}
# release: "<prometheus-operator-release>"
engine:
# Specifies the Airlock Microgateway Engine image.
image:
# -- Image repository from which to pull the Airlock Microgateway Engine image.
repository: "quay.io/airlock/microgateway-engine"
# -- Image tag to pull.
tag: "4.3.2"
# -- SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3").
# Overrides tag when specified.
digest: "sha256:8d42759d999e6b69efa9ef1ecfdc84dc1f8f6f1ca822c8d2d3ef8ff1e335b9c9"
# -- Pull policy for this image.
pullPolicy: IfNotPresent
# -- Resource restrictions to apply to the Airlock Microgateway Engine container.
resources: {}
# We recommend at least the following resource specification.
# limits:
# cpu: 500m
# memory: 128Mi
# requests:
# cpu: 10m
# memory: 40Mi
# Additional configuration when deployed as a sidecar.
sidecar:
# Configures the generation of a Prometheus Operator PodMonitor.
podMonitor:
# -- Whether to create a PodMonitor resource for monitoring.
create: false
# -- Labels to add to the PodMonitor.
labels: {}
# release: "<prometheus-operator-release>"
networkValidator:
# Specifies the Airlock Microgateway Network Validator image to be injected as an init-container.
image:
# -- Image repository from which to pull the netcat image for the Airlock Microgateway Network Validator init-container.
repository: "cgr.dev/chainguard/netcat"
# -- Image tag to pull.
tag: ""
# -- SHA256 image digest to pull (in the format "sha256:d1c484f4b9ea6218e2b1925f6b08d54dd352c7aaf653977bbbbeeb21eb3e19dd").
# Overrides tag when specified.
digest: "sha256:d1c484f4b9ea6218e2b1925f6b08d54dd352c7aaf653977bbbbeeb21eb3e19dd"
# -- Pull policy for this image.
pullPolicy: IfNotPresent
sessionAgent:
# Specifies the Airlock Microgateway Session Agent image.
image:
# -- Image repository from which to pull the Airlock Microgateway Session Agent image.
repository: "quay.io/airlock/microgateway-session-agent"
# -- Image tag to pull.
tag: "4.3.2"
# -- SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3").
# Overrides tag when specified.
digest: "sha256:d487f4099c267310debffe5d5cac168deeddf6082dafbee352550f2792b9609c"
# -- Pull policy for this image.
pullPolicy: IfNotPresent
# -- Resource restrictions to apply to the Airlock Microgateway Session Agent container.
resources: {}
# We recommend at least the following resource specification.
# limits:
# cpu: 150m
# memory: 32Mi
# requests:
# cpu: 10m
# memory: 8Mi
license:
# -- Name of the secret containing the "microgateway-license.txt" key.
secretName: "airlock-microgateway-license"
# Creates dashboards in the form of ConfigMaps that can be imported
# by Grafana using its sidecar setup.
dashboards:
# -- Whether to create any ConfigMaps containing Grafana dashboards to import.
create: false
config:
# Configures the necessary label and annotations along with their values
# to enable Grafana to correctly identify the ConfigMaps containing
# dashboards and file them within a dedicated folder in the dashboard overview.
# These settings need to match the Grafana sidecar configuration.
grafana:
folderAnnotation:
# -- Name of the annotation containing the folder name to file dashboards into.
name: "grafana_folder"
# -- Name of the folder dashboards are filed into within the Grafana UI.
value: "Airlock Microgateway"
dashboardLabel:
# -- Name of the label that lets Grafana identify ConfigMaps that represent dashboards.
name: "grafana_dashboard"
# -- Value of the label that lets Grafana identify ConfigMaps that represent dashboards.
value: "1"
instances:
# Available dashboard instances that can be individually created/deployed.
overview:
# -- Whether to create the overview dashboard.
create: true
license:
# -- Whether to create the license dashboard.
create: true
blockMetrics:
# -- Whether to create the block metrics dashboard.
create: true
blockLogs:
# -- Whether to create the block logs dashboard.
create: true
# Check whether the installation of the Airlock Microgateway Helm Chart was successful.
# Requires a secret with a valid Airlock Microgateway license key already to be present.
tests:
# -- Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts).
# If set to false, `helm test` will not run any tests.
enabled: false

1932
charts/kong/kong/2.41.0/CHANGELOG.md Normal file
View File

File diff suppressed because it is too large Load Diff

6
charts/kong/kong/2.41.0/Chart.lock Normal file
View File

@ -0,0 +1,6 @@
dependencies:
- name: postgresql
repository: https://charts.bitnami.com/bitnami
version: 11.9.13
digest: sha256:051285066cef2799e39e2953c4abd405c36510a09e9e1bd1833a29224daffddb
generated: "2022-12-19T11:56:46.951582785-08:00"

21
charts/kong/kong/2.41.0/Chart.yaml Normal file
View File

@ -0,0 +1,21 @@
annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Kong Gateway
catalog.cattle.io/release-name: kong
apiVersion: v2
appVersion: "3.6"
dependencies:
- condition: postgresql.enabled
name: postgresql
repository: file://./charts/postgresql
version: 11.9.13
description: The Cloud-Native Ingress and API-management
home: https://konghq.com/
icon: file://assets/icons/kong.png
maintainers:
- email: team-k8s@konghq.com
name: team-k8s-bot
name: kong
sources:
- https://github.com/Kong/charts/tree/main/charts/kong
version: 2.41.0

139
charts/kong/kong/2.41.0/FAQs.md Normal file
View File

@ -0,0 +1,139 @@
# Frequently Asked Questions (FAQs)
Despite the title, this is more a list of common problems.
#### Kong cannot connect to a fresh Postgres install and fails to start
If Kong is reporting that it cannot connect to Postgres because of an invalid
password on a fresh install, you likely have a leftover PersistentVolume from a
previous install using the same name. You should delete your install, delete
the associated PersistentVolumeClaim, and install again.
Postgres PVCs [are not deleted when the chart install is
deleted](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-helm-chart-issues/#persistence-volumes-pvs-retained-from-previous-releases),
and will be reused by subsequent installs if still present. Since the `kong`
user password is written to disk during database initialization only, that old
user's password is expected, not the new user's.
PVC names use the pattern `data-<release name>-postgresql-<replica index>`. If
you named your install `foo` and did not increase the Postgres replica count,
you will have a single `data-foo-postgresql-0` PVC that needs to be deleted:
```
kubectl delete pvc data-foo-postgresql-0
```
If you use a workflow that frequently deletes and re-creates installs, you
should make sure to delete PVCs when you delete the release:
```
helm delete foo; kubectl delete pvc data-foo-postgresql-0
```
#### Upgrading a release fails due to missing ServiceAccount
When upgrading a release, some configuration changes result in this error:
```
Error creating: pods "releasename-kong-pre-upgrade-migrations-" is forbidden: error looking up service account releasename-kong: serviceaccount "releasename-kong" not found
```
Enabling the ingress controller or PodSecurityPolicy requires that the Kong
chart also create a ServiceAccount. When upgrading from a configuration that
previously had neither of these features enabled, the pre-upgrade-migrations
Job attempts to use this ServiceAccount before it is created. It is [not
possible to easily handle this case automatically](https://github.com/Kong/charts/pull/31).
Users encountering this issue should temporarily modify their
[pre-upgrade-migrations template](https://github.com/Kong/charts/blob/main/charts/kong/templates/migrations-pre-upgrade.yaml),
adding the following at the bottom:
```
{{ if or .Values.podSecurityPolicy.enabled (and .Values.ingressController.enabled .Values.ingressController.serviceAccount.create) -}}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "kong.serviceAccountName" . }}
namespace: {{ template "kong.namespace" . }}
annotations:
"helm.sh/hook": pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
{{- end -}}
```
Upgrading with this in place will create a temporary service account before
creating the actual service account. After this initial upgrade, users must
revert to the original pre-upgrade migrations template, as leaving the
temporary ServiceAccount template in place will [cause permissions issues on
subsequent upgrades](https://github.com/Kong/charts/issues/30).
#### Running "helm upgrade" fails because of old init-migrations Job
When running `helm upgrade`, the upgrade fails and Helm reports an error
similar to the following:
```
Error: UPGRADE FAILED: cannot patch "RELEASE-NAME-kong-init-migrations" with
kind Job: Job.batch "RELEASE-NAME-kong-init-migrations" is invalid ... field
is immutable
```
This occurs if a `RELEASE-NAME-kong-init-migrations` Job is left over from a
previous `helm install` or `helm upgrade`. Deleting it with
`kubectl delete job RELEASE-NAME-kong-init-migrations` will allow the upgrade
to proceed. Chart versions greater than 1.5.0 delete the job automatically.
#### DB-backed instances do not start when deployed within a service mesh
Service meshes, such as Istio and Kuma, if deployed in a mode that injects
a sidecar to Kong, don't make the mesh available to `InitContainer`s,
because the sidecar starts _after_ all `InitContainer`s finish.
By default, this chart uses init containers to ensure that the database is
online and has migrations applied before starting Kong. This provides for a
smoother startup, but isn't compatible with service mesh sidecar requirements
if Kong is to access the database through the mesh.
Setting `waitImage.enabled=false` in values.yaml disables these init containers
and resolves this issue. However, during the initial install, your Kong
Deployment will enter the CrashLoopBackOff state while waiting for migrations
to complete. It will eventually exit this state and enter Running as long as
there are no issues finishing migrations, usually within 2 minutes.
If your Deployment is stuck in CrashLoopBackoff for longer, check the init
migrations Job logs to see if it is unable to connect to the database or unable
to complete migrations for some other reason. Resolve any issues you find,
delete the release, and attempt to install again.
#### Kong fails to start after `helm upgrade` when Postgres is used
As of Kong chart 2.8, this issue is no longer present. 2.8 updates the Postgres
sub-chart to a version that checks for existing password Secrets and leaves
them as-is rather than overwriting them.
You may be running into this issue: https://github.com/helm/charts/issues/12575.
This issue is caused due to: https://github.com/helm/helm/issues/3053.
The problem that happens is that Postgres database has the old password but
the new secret has a different password, which is used by Kong, and password
based authentication fails.
The solution to the problem is to specify a password to the `postgresql` chart.
This is to ensure that the password is not generated randomly but is set to
the same one that is user-provided on each upgrade.
The Postgres chart provides [two options](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#postgresql-common-parameters)
for setting a password:
- `auth.password` sets a password directly in values.yaml, in cleartext. This
is fine if you are using the instance for testing and have no security
concerns.
- `auth.existingSecret` specifies a Secret that contains [specific keys](https://github.com/bitnami/charts/blob/a6146a1ed392c8683c30b21e3fef905d86b0d2d6/bitnami/postgresql/values.yaml#L134-L143).
This should be used if you need to properly secure the Postgres instance.
If you have already upgraded, the old password is lost. You will need to
delete the Helm release and the Postgres PersistentVolumeClaim before
re-installing with a non-random password.

1240
charts/kong/kong/2.41.0/README.md Normal file
View File

File diff suppressed because it is too large Load Diff

807
charts/kong/kong/2.41.0/UPGRADE.md Normal file
View File

@ -0,0 +1,807 @@
# Upgrade considerations
New versions of the Kong chart may add significant new functionality or
deprecate/entirely remove old functionality. This document covers how and why
users should update their chart configuration to take advantage of new features
or migrate away from deprecated features.
In general, breaking changes deprecate their old features before removing them
entirely. While support for the old functionality remains, the chart will show
a warning about the outdated configuration when running `helm
install/status/upgrade`.
Note that not all versions contain breaking changes. If a version is not
present in the table of contents, it requires no version-specific changes when
upgrading from a previous version.
## Table of contents
- [Upgrade considerations for all versions](#upgrade-considerations-for-all-versions)
- [2.26.0](#2260)
- [2.19.0](#2190)
- [2.13.0](#2130)
- [2.8.0](#280)
- [2.7.0](#270)
- [2.4.0](#240)
- [2.3.0](#230)
- [2.2.0](#220)
- [2.1.0](#210)
- [2.0.0](#200)
- [1.14.0](#1140)
- [1.11.0](#1110)
- [1.10.0](#1100)
- [1.9.0](#190)
- [1.6.0](#160)
- [1.5.0](#150)
- [1.4.0](#140)
- [1.3.0](#130)
## Upgrade considerations for all versions
The chart automates the
[upgrade migration process](https://github.com/Kong/kong/blob/master/UPGRADE.md).
When running `helm upgrade`, the chart spawns an initial job to run `kong
migrations up` and then spawns new Kong pods with the updated version. Once
these pods become ready, they begin processing traffic and old pods are
terminated. Once this is complete, the chart spawns another job to run `kong
migrations finish`.
If you split your Kong deployment across multiple Helm releases (to create
proxy-only and admin-only nodes, for example), you must
[set which migration jobs run based on your upgrade order](https://github.com/Kong/charts/blob/main/charts/kong/README.md#separate-admin-and-proxy-nodes).
However, this does not apply to hybrid mode, which can run both migrations but
requires [upgrading the control plane version
first](https://docs.konghq.com/gateway/latest/plan-and-deploy/hybrid-mode/#version-compatibility).
While the migrations themselves are automated, the chart does not automatically
ensure that you follow the recommended upgrade path. If you are upgrading from
more than one minor Kong version back, check the [upgrade path
recommendations for Kong open source](https://github.com/Kong/kong/blob/master/UPGRADE.md#3-suggested-upgrade-path)
or [Kong Enterprise](https://docs.konghq.com/enterprise/latest/deployment/migrations/).
Although not required, users should upgrade their chart version and Kong
version indepedently. In the even of any issues, this will help clarify whether
the issue stems from changes in Kubernetes resources or changes in Kong.
Users may encounter an error when upgrading which displays a large block of
text ending with `field is immutable`. This is typically due to a bug with the
`init-migrations` job, which was not removed automatically prior to 1.5.0.
If you encounter this error, deleting any existing `init-migrations` jobs will
clear it.
### Updates to CRDs
Helm installs CRDs at initial install but [does not update them
after](https://github.com/helm/community/blob/main/hips/hip-0011.md). Some
chart releases include updates to CRDs that must be applied to successfully
upgrade. Because Helm does not handle these updates, you must manually apply
them before upgrading your release.
``` kubectl apply -f
https://raw.githubusercontent.com/Kong/charts/kong-<version>/charts/kong/crds/custom-resource-definitions.yaml
```
For example, if your release is 2.6.4, you would apply
`https://raw.githubusercontent.com/Kong/charts/kong-2.6.4/charts/kong/crds/custom-resource-definitions.yaml`.
## 2.26.0
If you are using controller version 2.10 or lower and proxy version 3.3 or
higher in separate Deployments (such as when using the `ingress` chart), proxy
Pods will not become ready unless you override the default readiness endpoint:
```
readinessProbe:
httpGet:
path: /status
```
This section goes under the `gateway` section when using the `ingress` chart.
2.26 changes the default proxy readiness endpoint to the `/status/ready`
endpoint introduced in Kong 3.3. This endpoint reports true when Kong has
configuration available, whereas the previous `/status` endpoint returned true
immediately after start, and could result in proxy instances attempting to
serve requests before they had configuration.
The chart has logic to fall back to the older endpoint if the proxy and
controller versions do not work well with the new endpoint. However, the chart
detection cannot determine the controller version when the controller is in a
separate Deployment, and will always use the new endpoint if the Kong image
version is 3.3 or higher.
Kong recommends Kong 3.3 and higher users update to controller 2.11 at their
earliest convenience to take advantage of the improved readiness behavior.
## 2.19.0
2.19 sets a default [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
that declares a read-only root filesystem for Kong containers. The base Kong and KIC
images are compatible with this setting. The chart mounts temporary writeable
emptyDir filesystems for locations that require writeable files (`/tmp` and
`/kong_prefix/`).
This setting limit attack surface and should be compatible with most
installations. However, if you use custom plugins that write to disk, you must
either mount a writeable emptyDir for them or override the new defaults by
setting:
```
containerSecurityContext:
readOnlyRootFilesystem: false
```
in your values.yaml.
## 2.13.0
2.13.0 includes updated CRDs. You must [apply these manually](#updates-to-crds)
before upgrading an existing release.
2.13 changes the default Kong tag to 3.0 and the default KIC tag to 2.6. We
recommend that you set these versions (`image.tag` and
`ingressController.image.tag`) in your values.yaml to allow updating the chart
without also updating the container versions. If you do update to these
container image versions, you should first review the Kong 3.0 breaking changes
(see the [open
source](https://github.com/Kong/kong/blob/master/CHANGELOG.md#300) and
[Enterprise](https://docs.konghq.com/gateway/changelog/#3000) Kong changelogs)
and the [ingress controller upgrade guide for Kong
3.x](https://docs.konghq.com/kubernetes-ingress-controller/2.6.x/guides/upgrade-kong-3x).
Kong 3.0 requires KIC version 2.6 at minimum. It will not work with any
previous versions. Changes to regular expression paths in Kong 3.x furthermore
require changes to Ingresses that use regular expression paths in rules.
## 2.8.0
### IngressClass controller name change requires manual delete
2.8 updates the chart-managed IngressClass's controller name to match the
controller name used elsewhere in Kong's documenation. Controller names are
immutable, so Helm cannot actually update existing IngressClass resources.
Prior to your upgrade, you must delete the existing IngressClass. Helm will
create a new IngressClass with the new controller name during the upgrade:
```
kubectl delete ingressclass <class name, "kong" by default>
helm upgrade RELEASE_NAME kong/kong ...
```
Removing the IngressClass will not affect configuration: the controller
IngressClass implementation is still in progress, and it will still ingest
resources whose `ingress.class` annotation or `ingressClassName` value matches
the the `CONTROLLER_INGRESS_CLASS` value in the controller environment even if
no matching IngressClass exists.
### Postgres subchart version update
2.8 updates the Postgres subchart version from 8.6.8 to 11.1.15. This changes
a number of values.yaml keys and the default Postgres version. The previous
default Postgres version was [11.7.0-debian-10-r37](https://github.com/bitnami/charts/blob/590c6b0f4e07161614453b12efe71f22e0c00a46/bitnami/postgresql/values.yaml#L18).
To use the new version on an existing install, you should [follow Bitnami's
instructions for updating values.yaml keys and upgrading their chart]() as well
as [the Postgres upgrade instructions](https://www.postgresql.org/docs/current/upgrading.html).
You can alternately use the new chart without upgrading Postgres by setting
`postgresql.image.tag=11.7.0-debian-10-r37` or use the old version of the
chart. Helm documentation is unclear on whether ignoring a subchart version
change for a release is possible, so we recommend [dumping the
database](https://www.postgresql.org/docs/current/backup-dump.html) and
creating a separate release if you wish to continue using 8.6.8:
```
helm install my-release -f values.yaml --version 8.6.8 bitnami/postgresql
```
Afterwords, you will upgrade your Kong chart release with
`postgresql.enabled=false` and `env.pg_host` and `env.pg_password` set to the
appropriate hostname and Secret reference for your new release (these are set
automatically when the subchart is enabled, but will not be set automatically
with a separate release).
## 2.7.0
2.7 updates CRDs to the version released in KIC 2.1.0. Helm does not upgrade
CRDs automatically; you must `kubectl apply -f https://raw.githubusercontent.com/Kong/charts/kong-2.7.0/charts/kong/crds/custom-resource-definitions.yaml`
manually before upgrading.
You should not apply the updated CRDs until you are prepared to upgrade to KIC
2.1 or higher, and [must have first upgraded to 2.0](https://github.com/Kong/kubernetes-ingress-controller/blob/v2.1.1/CHANGELOG.md#breaking-changes)
and applied the [previous version of the CRDs](https://raw.githubusercontent.com/Kong/charts/kong-2.6.4/charts/kong/crds/custom-resource-definitions.yaml).
## 2.4.0
### Disable ingress controller prior to 2.x upgrade when using PostgreSQL
Chart version 2.4 is the first Kong chart version that defaults to the 2.x
series of ingress controller releases. 2.x uses a different leader election
system than 1.x. If both versions are running simultaneously, both controller
versions will attempt to interact with the admin API, potentially setting
inconsistent configuration in the database when PostgreSQL is the backend.
If you are configured with the following:
- ingressController.enabled=true
- postgresql.enabled=true
and do not override the ingress controller version, you must perform the
upgrade in multiple steps:
First, pin the controller version and upgrade to chart 2.4.0:
```console
helm upgrade --wait \
--set ingressController.image.tag=<CURRENT_CONTROLLER_VERSION> \
--version 2.4.0 \
--namespace <YOUR_RELEASE_NAMESPACE> \
<YOUR_RELEASE_NAME> kong/kong
```
Second, temporarily disable the ingress controller:
```console
helm upgrade --wait \
--set ingressController.enabled=false \
--set deployment.serviceaccount.create=true \
--version 2.4.0 \
--namespace <YOUR_RELEASE_NAMESPACE> \
<YOUR_RELEASE_NAME> kong/kong
```
Finally, re-enable the ingress controller at the new version:
```console
helm upgrade --wait \
--set ingressController.enabled=true \
--set ingressController.image.tag=<NEW_CONTROLLER_VERSION> \
--version 2.4.0 \
--namespace <YOUR_RELEASE_NAMESPACE> \
<YOUR_RELEASE_NAME> kong/kong
```
While the controller is disabled, changes to Kubernetes configuration (Ingress
resources, KongPlugin resources, Service Endpoints, etc.) will not update Kong
proxy configuration. We recommend you establish an active maintenance window
under which to perform this upgrade and inform users and stakeholders so as to
avoid unexpected disruption.
### Changed ServiceAccount configuration location
2.4.0 moved ServiceAccount configuration from
`ingressController.serviceAccount` to `deployment.serviceAccount` to accomodate
configurations that required a ServiceAccount but did not use the controller.
The chart now creates a ServiceAccount by default. When enabled, upgrade
migration hooks require the ServiceAccount, but Helm will not create it before
the hooks run, and the migration jobs will fail. To avoid this, first perform
an initial chart upgrade that does not update the Kong image version and sets
`migrations.preUpgrade=false` and `migrations.postUpgrade=false`. This will
create the account for future upgrades, and you can re-enable migrations and
upgrade your Kong version after.
If you disable ServiceAccount or override its name, you must move your
configuration under `deployment.serviceAccount`. The chart will warn you if it
detects non-default configuration in the original location when you upgrade.
You can use `helm upgrade --dry-run` to see if you are affected before actually
upgrading.
## 2.3.0
### Updated CRDs and CRD API version
2.3.0 adds new and updated CRDs for KIC 2.x. These CRDs are compatible with
KIC 1.x also. The CRD API version is now v1, replacing the deprecated v1beta1,
to support Kubernetes 1.22 and onward. API version v1 requires Kubernetes 1.16
and newer.
Helm 2-style CRD management will upgrade CRDs automatically. You can check to
see if you are using Helm 2-style management by running:
```
kubectl get crd kongconsumers.configuration.konghq.com -o yaml | grep "meta.helm.sh/release-name"
```
If you see output, you are using Helm 2-style CRD management.
Helm 3-style CRD management (the default) does not upgrade CRDs automatically.
You must apply the changes manually by running:
```
kubectl apply -f https://raw.githubusercontent.com/Kong/charts/kong-2.2.0/charts/kong/crds/custom-resource-definitions.yaml
```
Although not recommended, you can remain on an older Kubernetes version and not
upgrade your CRDs if you are using Helm 3-style CRD management. However, you
will not be able to run KIC 2.x, and these configurations are considered
unsupported.
### Ingress controller feature detection
2.3.0 includes some features that are enabled by default, but require KIC 2.x.
KIC 2.x is not yet the default ingress controller version because there are
currently only preview releases for it. To maintain compatibility with KIC 1.x,
the chart automatically detects the KIC image version and disables incompatible
features. This feature detection requires a semver image tag, and the chart
cannot render successfully if the image tag is not semver-compliant.
Standard KIC images do use semver-compliant tags, and you do not need to make
any configuration changes if you use one. If you use a non-semver tag, such as
`next`, you must set the new `ingressController.image.effectiveSemver` field to
your approximate semver version. For example, if your `next` tag is for an
unreleased `2.1.0` KIC version, you should set `effectiveSemver: 2.1.0`.
## 2.2.0
### Changes to pod disruption budget defaults
Prior to 2.2.0, the default values.yaml included
`podDisruptionBudget.maxUnavailable: 50%`. This prevented setting
`podDisruptionBudget.minUnavailable` at all. To allow use of
`podDisruptionBudget.minUnavailable`, we have removed the
`podDisruptionBudget.maxUnavailable` default. If you previously relied on this
default (you set `podDisruptionBudget.enabled: true` but did not set
`podDisruptionBudget.maxUnavailable`), you now must explicitly set
`podDisruptionBudget.maxUnavailable: 50%` in your values.yaml.
## 2.1.0
### Migration off Bintray
Bintray, the Docker registry previously used for several images used by this
chart, is [sunsetting May 1,
2021](https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/).
The chart default `values.yaml` now uses the new Docker Hub repositories for all
affected images. You should check your release `values.yaml` files to confirm that
they do not still reference Bintray repositories. If they do, update them to
use the Docker Hub repositories now in the default `values.yaml`.
## 2.0.0
### Support for Helm 2 dropped
2.0.0 takes advantage of template functionality that is only available in Helm
3 and reworks values defaults to target Helm 3 CRD handling, and requires Helm
3 as such. If you are not already using Helm 3, you must migrate to it before
updating to 2.0.0 or later:
https://helm.sh/docs/topics/v2_v3_migration/
If desired, you can migrate your Kong chart releases without migrating charts'
releases.
### Support for deprecated 1.x features removed
Several previous 1.x chart releases reworked sections of values.yaml while
maintaining support for the older version of those settings. 2.x drops support
for the older versions of these settings entirely:
* [Portal auth settings](#removal-of-dedicated-portal-authentication-configuration-parameters)
* [The `runMigrations` setting](#changes-to-migration-job-configuration)
* [Single-stack admin API Service configuration](#changes-to-kong-service-configuration)
* [Multi-host proxy configuration](#removal-of-multi-host-proxy-ingress)
Each deprecated setting is accompanied by a warning that appears at the end of
`helm upgrade` output on a 1.x release:
```
WARNING: You are currently using legacy ...
```
If you do not see any such warnings when upgrading a release using chart
1.15.0, you are not using deprecated configuration and are ready to upgrade to
2.0.0. If you do see these warnings, follow the linked instructions to migrate
to the current settings format.
## 1.14.0
### Removal of multi-host proxy Ingress
Most of the chart's Ingress templates support a single hostname and TLS Secret.
The proxy Ingress template originally differed, and allowed multiple hostnames
and TLS configurations. As of chart 1.14.0, we have deprecated the unique proxy
Ingress configuration; it is now identical to all other Kong services. If you
do not need to configure multiple Ingress rules for your proxy, you will
change:
```yaml
ingress:
hosts: ["proxy.kong.example"]
tls:
- hosts:
- proxy.kong.example
secretName: example-tls-secret
path: /
```
to:
```yaml
ingress:
tls: example-tls-secret
hostname: proxy.kong.example
path: /
```
We plan to remove support for the multi-host configuration entirely in version
2.0 of the chart. If you currently use multiple hosts, we recommend that you
either:
- Define Ingresses for each application, e.g. if you proxy applicationA at
`foo.kong.example` and applicationB at `bar.kong.example`, you deploy those
applications with their own Ingress resources that target the proxy.
- Define a multi-host Ingress manually. Before upgrading, save your current
proxy Ingress, delete labels from the saved copy, and set
`proxy.ingress.enabled=false`. After upgrading, create your Ingress from the
saved copy and edit it directly to add new rules.
We expect that most users do not need a built-in multi-host proxy Ingress or
even a proxy Ingress at all: the old configuration predates the Kong Ingress
Controller and is most useful if you place Kong behind some other controller.
If you are interested in preserving this functionality, please [discuss your
use case with us](https://github.com/Kong/charts/issues/73). If there is
sufficient interest, we will explore options for continuing to support the
original proxy Ingress configuration format.
### Default custom server block replaced with status listen
Earlier versions of the chart included [a custom server block](https://github.com/Kong/charts/blob/kong-1.13.0/charts/kong/templates/config-custom-server-blocks.yaml)
to provide `/status` and `/metrics` endpoints. This server block simplified
RBAC-enabled Enterprise deployments by providing access to these endpoints
outside the (protected) admin API.
Current versions (Kong 1.4.0+ and Kong Enterprise 1.5.0+) have a built-in
status listen that provides the same functionality, and chart 1.14.0 uses it
for readiness/liveness probes and the Prometheus service monitor.
If you are using a version that supports the new status endpoint, you do not
need to make any changes to your values unless you include `readinessProbe` and
`livenessProbe` in them. If you do, you must change the port from `metrics` to
`status`.
If you are using an older version that does not support the status listen, you
will need to:
- Create the server block ConfigMap independent of the chart. You will need to
set the ConfigMap name and namespace manually and remove the labels block.
- Add an `extraConfigMaps` values entry for your ConfigMap.
- Set `env.nginx_http_include` to `/path/to/your/mount/servers.conf`.
- Add the [old readiness/liveness probe blocks](https://github.com/Kong/charts/blob/kong-1.13.0/charts/kong/values.yaml#L437-L458)
to your values.yaml.
- If you use the Prometheus service monitor, edit it after installing the chart
and set `targetPort` to `9542`. This cannot be set from values.yaml, but Helm
3 will preserve the change on subsequent upgrades.
## 1.11.0
### `KongCredential` custom resources no longer supported
1.11.0 updates the default Kong Ingress Controller version to 1.0. Controller
1.0 removes support for the deprecated KongCredential resource. Before
upgrading to chart 1.11.0, you must convert existing KongCredential resources
to [credential Secrets](https://github.com/Kong/kubernetes-ingress-controller/blob/next/docs/guides/using-consumer-credential-resource.md#provision-a-consumer).
Custom resource management varies depending on your exact chart configuration.
By default, Helm 3 only creates CRDs in the `crds` directory if they are not
already present, and does not modify or remove them after. If you use this
management method, you should create a manifest file that contains [only the
KongCredential CRD](https://github.com/Kong/charts/blob/kong-1.10.0/charts/kong/crds/custom-resource-definitions.yaml#L35-L68)
and then [delete it](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#delete-a-customresourcedefinition).
Helm 2 and Helm 3 both allow managing CRDs via the chart. In Helm 2, this is
required; in Helm 3, it is optional. When using this method, only a single
release will actually manage the CRD. Check to see which release has
`ingressController.installCRDs: true` to determine which does so if you have
multiple releases. When using this management method, upgrading a release to
chart 1.11.0 will delete the KongCredential CRD during the upgrade, which will
_delete any existing KongCredential resources_. To avoid losing configuration,
check to see if your CRD is managed:
```
kubectl get crd kongcredentials.configuration.konghq.com -o yaml | grep "app.kubernetes.io/managed-by: Helm"
```
If that command returns output, your CRD is managed and you must convert to
credential Secrets before upgrading (you should do so regardless, but are not
at risk of losing data, and can downgrade to an older chart version if you have
issues).
### Changes to CRDs
Controller 1.0 [introduces a status field](https://github.com/Kong/kubernetes-ingress-controller/blob/main/CHANGELOG.md#added)
for its custom resources. By default, Helm 3 does not apply updates to custom
resource definitions if those definitions are already present on the Kubernetes
API server (and they will be if you are upgrading a release from a previous
chart version). To update your custom resources:
```
kubectl apply -f https://raw.githubusercontent.com/Kong/charts/main/charts/kong/crds/custom-resource-definitions.yaml
```
### Deprecated controller flags/environment variables and annotations removed
Kong Ingress Controller 0.x versions had a number of deprecated
flags/environment variables and annotations. Version 1.0 removes support for
these, and you must update your configuration to use their modern equivalents
before upgrading to chart 1.11.0.
The [controller changelog](https://github.com/Kong/kubernetes-ingress-controller/blob/master/CHANGELOG.md#breaking-changes)
provides links to lists of deprecated configuration and their replacements.
## 1.10.0
### `KongClusterPlugin` replaces global `KongPlugin`s
Kong Ingress Controller 0.10.0 no longer supports `KongPlugin`s with a `global: true` label. See the [KIC changelog for 0.10.0](https://github.com/Kong/kubernetes-ingress-controller/blob/main/CHANGELOG.md#0100---20200915) for migration hints.
### Dropping support for resources not specifying an ingress class
Kong Ingress Controller 0.10.0 drops support for certain kinds of resources without a `kubernetes.io/ingress.class` annotation. See the [KIC changelog for 0.10.0](https://github.com/Kong/kubernetes-ingress-controller/blob/main/CHANGELOG.md#0100---20200915) for the exact list of those kinds, and for possible migration paths.
## 1.9.0
### New image for Enterprise controller-managed DB-less deployments
As of Kong Enterprise 2.1.3.0, there is no longer a separate image
(`kong-enterprise-k8s`) for controller-managed DB-less deployments. All Kong
Enterprise deployments now use the `kong-enterprise-edition` image.
Existing users of the `kong-enterprise-k8s` image can use the latest
`kong-enterprise-edition` image as a drop-in replacement for the
`kong-enterprise-k8s` image. You will also need to [create a Docker registry
secret](https://github.com/Kong/charts/blob/main/charts/kong/README.md#kong-enterprise-docker-registry-access)
for the `kong-enterprise-edition` registry and add it to `image.pullSecrets` in
values.yaml if you do not have one already.
### Changes to wait-for-postgres image
Prior to 1.9.0, the chart launched a busybox initContainer for migration Pods
to check Postgres' reachability [using
netcat](https://github.com/Kong/charts/blob/kong-1.8.0/charts/kong/templates/_helpers.tpl#L626).
As of 1.9.0, the chart uses a [bash
script](https://github.com/Kong/charts/blob/kong-1.9.0/charts/kong/templates/wait-for-postgres-script.yaml)
to perform the same connectivity check. The default `waitImage.repository`
value is now `bash` rather than `busybox`. Double-check your values.yaml to
confirm that you do not set `waitImage.repository` and `waitImage.tag` to the
old defaults: if you do, remove that configuration before upgrading.
The Helm upgrade cycle requires this script be available for upgrade jobs. On
existing installations, you must first perform an initial `helm upgrade --set
migrations.preUpgrade=false --migrations.postUpgrade=false` to chart 1.9.0.
Perform this initial upgrade without making changes to your Kong image version:
if you are upgrading Kong along with the chart, perform a separate upgrade
after with the migration jobs re-enabled.
If you do not override `waitImage.repository` in your releases, you do not need
to make any other configuration changes when upgrading to 1.9.0.
If you do override `waitImage.repository` to use a custom image, you must
switch to a custom image that provides a `bash` executable. Note that busybox
images, or images derived from it, do _not_ include a `bash` executable. We
recommend switching to an image derived from the public bash Docker image or a
base operating system image that provides a `bash` executable.
## 1.6.0
### Changes to Custom Resource Definitions
The KongPlugin and KongClusterPlugin resources have changed. Helm 3's CRD
management system does not modify CRDs during `helm upgrade`, and these must be
updated manually:
```
kubectl apply -f https://raw.githubusercontent.com/Kong/charts/kong-1.6.0/charts/kong/crds/custom-resource-definitions.yaml
```
Existing plugin resources do not require changes; the CRD update only adds new
fields.
### Removal of default security context UID setting
Versions of Kong prior to 2.0 and Kong Enterprise prior to 1.3 use Docker
images that required setting a UID via Kubernetes in some environments
(primarily OpenShift). This is no longer necessary with modern Docker images
and can cause issues depending on other environment settings, so it was
removed.
Most users should not need to take any action, but if you encounter permissions
errors when upgrading (`kubectl describe pod PODNAME` should contain any), you
can restore it by adding the following to your values.yaml:
```
securityContext:
runAsUser: 1000
```
## 1.5.0
### PodSecurityPolicy defaults to read-only root filesystem
1.5.0 defaults to using a read-only root container filesystem if
`podSecurityPolicy.enabled: true` is set in values.yaml. This improves
security, but is incompatible with Kong Enterprise versions prior to 1.5. If
you use an older version and enable PodSecurityPolicy, you must set
`podSecurityPolicy.spec.readOnlyRootFilesystem: false`.
Kong open-source and Kong for Kubernetes Enterprise are compatible with a
read-only root filesystem on all versions.
### Changes to migration job configuration
Previously, all migration jobs were enabled/disabled through a single
`runMigrations` setting. 1.5.0 splits these into toggles for each of the
individual upgrade migrations:
```
migrations:
preUpgrade: true
postUpgrade: true
```
Initial migration jobs are now only run during `helm install` and are deleted
automatically when users first run `helm upgrade`.
Users should replace `runMigrations` with the above block from the latest
values.yaml.
The new format addresses several needs:
* The initial migrations job are only created during the initial install,
preventing [conflicts on upgrades](https://github.com/Kong/charts/blob/main/charts/kong/FAQs.md#running-helm-upgrade-fails-because-of-old-init-migrations-job).
* The upgrade migrations jobs can be disabled as need for managing
[multi-release clusters](https://github.com/Kong/charts/blob/main/charts/kong/README.md#separate-admin-and-proxy-nodes).
This enables management of clusters that have nodes with different roles,
e.g. nodes that only run the proxy and nodes that only run the admin API.
* Migration jobs now allow specifying annotations, and provide a default set
of annotations that disable some service mesh sidecars. Because sidecar
containers do not terminate, they [prevent the jobs from completing](https://github.com/kubernetes/kubernetes/issues/25908).
## 1.4.0
### Changes to default Postgres permissions
The [Postgres sub-chart](https://github.com/bitnami/charts/tree/master/bitnami/postgresql)
used by this chart has modified the way their chart handles file permissions.
This is not an issue for new installations, but prevents Postgres from starting
if its PVC was created with an older version. If affected, your Postgres pod
logs will show:
```
postgresql 19:16:04.03 INFO ==> ** Starting PostgreSQL **
2020-03-27 19:16:04.053 GMT [1] FATAL: data directory "/bitnami/postgresql/data" has group or world access
2020-03-27 19:16:04.053 GMT [1] DETAIL: Permissions should be u=rwx (0700).
```
You can restore the old permission handling behavior by adding two settings to
the `postgresql` block in values.yaml:
```yaml
postgresql:
enabled: true
postgresqlDataDir: /bitnami/postgresql/data
volumePermissions:
enabled: true
```
For background, see https://github.com/helm/charts/issues/13651
### `strip_path` now defaults to `false` for controller-managed routes
1.4.0 defaults to version 0.8 of the ingress controller, which changes the
default value of the `strip_path` route setting from `true` to `false`. To
understand how this works in practice, compare the upstream path for these
requests when `strip_path` is toggled:
| Ingress path | `strip_path` | Request path | Upstream path |
|--------------|--------------|--------------|---------------|
| /foo/bar | true | /foo/bar/baz | /baz |
| /foo/bar | false | /foo/bar/baz | /foo/bar/baz |
This change brings the controller in line with the Kubernetes Ingress
specification, which expects that controllers will not modify the request
before passing it upstream unless explicitly configured to do so.
To preserve your existing route handling, you should add this annotation to
your ingress resources:
```
konghq.com/strip-path: "true"
```
This is a new annotation that is equivalent to the `route.strip_path` setting
in KongIngress resources. Note that if you have already set this to `false`,
you should leave it as-is and not add an annotation to the ingress.
### Changes to Kong service configuration
1.4.0 reworks the templates and configuration used to generate Kong
configuration and Kuberenetes resources for Kong's services (the admin API,
proxy, Developer Portal, etc.). For the admin API, this requires breaking
changes to the configuration format in values.yaml. Prior to 1.4.0, the admin
API allowed a single listen only, which could be toggled between HTTPS and
HTTP:
```yaml
admin:
enabled: false # create Service
useTLS: true
servicePort: 8444
containerPort: 8444
```
In 1.4.0+, the admin API allows enabling or disabling the HTTP and TLS listens
independently. The equivalent of the above configuration is:
```yaml
admin:
enabled: false # create Service
http:
enabled: false # create HTTP listen
servicePort: 8001
containerPort: 8001
parameters: []
tls:
enabled: true # create HTTPS listen
servicePort: 8444
containerPort: 8444
parameters:
- http2
```
All Kong services now support `SERVICE.enabled` parameters: these allow
disabling the creation of a Kubernetes Service resource for that Kong service,
which is useful in configurations where nodes have different roles, e.g. where
some nodes only handle proxy traffic and some only handle admin API traffic. To
disable a Kong service completely, you should also set `SERVICE.http.enabled:
false` and `SERVICE.tls.enabled: false`. Disabling creation of the Service
resource only leaves the Kong service enabled, but only accessible within its
pod. The admin API is configured with only Service creation disabled to allow
the ingress controller to access it without allowing access from other pods.
Services now also include a new `parameters` section that allows setting
additional listen options, e.g. the `reuseport` and `backlog=16384` parameters
from the [default 2.0.0 proxy
listen](https://github.com/Kong/kong/blob/2.0.0/kong.conf.default#L186). For
compatibility with older Kong versions, the chart defaults do not enable most
of the newer parameters, only HTTP/2 support. Users of versions 1.3.0 and newer
can safely add the new parameters.
## 1.3.0
### Removal of dedicated Portal authentication configuration parameters
1.3.0 deprecates the `enterprise.portal.portal_auth` and
`enterprise.portal.session_conf_secret` settings in values.yaml in favor of
placing equivalent configuration under `env`. These settings are less important
in Kong Enterprise 0.36+, as they can both be set per workspace in Kong
Manager.
These settings provide the default settings for Portal instances: when the
"Authentication plugin" and "Session Config" dropdowns at
https://manager.kong.example/WORKSPACE/portal/settings/ are set to "Default",
the settings from `KONG_PORTAL_AUTH` and `KONG_PORTAL_SESSION_CONF` are used.
If these environment variables are not set, the defaults are to use
`basic-auth` and `{}` (which applies the [session plugin default
configuration](https://docs.konghq.com/hub/kong-inc/session/)).
If you set nonstandard defaults and wish to keep using these settings, or use
Kong Enterprise 0.35 (which did not provide a means to set per-workspace
session configuration) you should convert them to environment variables. For
example, if you currently have:
```yaml
portal:
enabled: true
portal_auth: basic-auth
session_conf_secret: portal-session
```
You should remove the `portal_auth` and `session_conf_secret` entries and
replace them with their equivalents under the `env` block:
```yaml
env:
portal_auth: basic-auth
portal_session_conf:
valueFrom:
secretKeyRef:
name: portal-session
key: portal_session_conf
```

7
charts/kong/kong/2.41.0/app-readme.md Normal file
View File

@ -0,0 +1,7 @@
# Kong for Kubernetes
[Kong](https://konghq.com) makes connecting APIs and microservices across hybrid or multi-cloud environments easier and faster than ever. We power trillions of API transactions for leading organizations globally through our end-to-end API platform.
Kong Gateway is the worlds most popular open source API gateway, built for multi-cloud and hybrid, and optimized for microservices and distributed architectures. It is built on top of a lightweight proxy to deliver unparalleled latency, performance and scalability for all your microservice applications regardless of where they run. It allows you to exercise granular control over your traffic with Kongs plugin architecture
The Kong Enterprise Service Control Platform brokers an organizations information across all services. Built on top of Kongs battle-tested open source core, Kong Enterprise enables customers to simplify management of APIs and microservices across hybrid-cloud and multi-cloud deployments. With Kong Enterprise, customers can proactively identify anomalies and threats, automate tasks, and improve visibility across their entire organization.

21
charts/kong/kong/2.41.0/charts/postgresql/.helmignore Normal file
View File

@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

6
charts/kong/kong/2.41.0/charts/postgresql/Chart.lock Normal file
View File

@ -0,0 +1,6 @@
dependencies:
- name: common
repository: https://charts.bitnami.com/bitnami
version: 2.0.4
digest: sha256:ec5726c5d8f1e474cc6c9ca90c18efc35f4dbd15ccaf2df148764947d5ad6a6c
generated: "2022-10-25T14:40:27.273494162Z"

30
charts/kong/kong/2.41.0/charts/postgresql/Chart.yaml Normal file
View File

@ -0,0 +1,30 @@
annotations:
category: Database
apiVersion: v2
appVersion: 14.5.0
dependencies:
- name: common
repository: https://charts.bitnami.com/bitnami
tags:
- bitnami-common
version: 2.x.x
description: PostgreSQL (Postgres) is an open source object-relational database known
for reliability and data integrity. ACID-compliant, it supports foreign keys, joins,
views, triggers and stored procedures.
home: https://github.com/bitnami/charts/tree/main/bitnami/postgresql
icon: https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-220x234.png
keywords:
- postgresql
- postgres
- database
- sql
- replication
- cluster
maintainers:
- name: Bitnami
url: https://github.com/bitnami/charts
name: postgresql
sources:
- https://github.com/bitnami/containers/tree/main/bitnami/postgresql
- https://www.postgresql.org/
version: 11.9.13

683
charts/kong/kong/2.41.0/charts/postgresql/README.md Normal file
View File

@ -0,0 +1,683 @@
<!--- app-name: PostgreSQL -->
# PostgreSQL packaged by Bitnami
PostgreSQL (Postgres) is an open source object-relational database known for reliability and data integrity. ACID-compliant, it supports foreign keys, joins, views, triggers and stored procedures.
[Overview of PostgreSQL](http://www.postgresql.org)
Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.
## TL;DR
```bash
helm repo add my-repo https://charts.bitnami.com/bitnami
helm install my-release my-repo/postgresql
```
## Introduction
This chart bootstraps a [PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
For HA, please see [this repo](https://github.com/bitnami/charts/tree/main/bitnami/postgresql-ha)
Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
## Prerequisites
- Kubernetes 1.19+
- Helm 3.2.0+
- PV provisioner support in the underlying infrastructure
## Installing the Chart
To install the chart with the release name `my-release`:
```bash
helm install my-release my-repo/postgresql
```
The command deploys PostgreSQL on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
> **Tip**: List all releases using `helm list`
## Uninstalling the Chart
To uninstall/delete the `my-release` deployment:
```console
helm delete my-release
```
The command removes all the Kubernetes components but PVC's associated with the chart and deletes the release.
To delete the PVC's associated with `my-release`:
```bash
kubectl delete pvc -l release=my-release
```
> **Note**: Deleting the PVC's will delete postgresql data as well. Please be cautious before doing it.
## Parameters
### Global parameters
| Name | Description | Value |
| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----- |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
| `global.postgresql.auth.postgresPassword` | Password for the "postgres" admin user (overrides `auth.postgresPassword`) | `""` |
| `global.postgresql.auth.username` | Name for a custom user to create (overrides `auth.username`) | `""` |
| `global.postgresql.auth.password` | Password for the custom user to create (overrides `auth.password`) | `""` |
| `global.postgresql.auth.database` | Name for a custom database to create (overrides `auth.database`) | `""` |
| `global.postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`). | `""` |
| `global.postgresql.auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
| `global.postgresql.auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
| `global.postgresql.auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
| `global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `""` |
### Common parameters
| Name | Description | Value |
| ------------------------ | -------------------------------------------------------------------------------------------- | --------------- |
| `kubeVersion` | Override Kubernetes version | `""` |
| `nameOverride` | String to partially override common.names.fullname template (will maintain the release name) | `""` |
| `fullnameOverride` | String to fully override common.names.fullname template | `""` |
| `clusterDomain` | Kubernetes Cluster Domain | `cluster.local` |
| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template) | `[]` |
| `commonLabels` | Add labels to all the deployed resources | `{}` |
| `commonAnnotations` | Add annotations to all the deployed resources | `{}` |
| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` |
| `diagnosticMode.command` | Command to override all containers in the statefulset | `["sleep"]` |
| `diagnosticMode.args` | Args to override all containers in the statefulset | `["infinity"]` |
### PostgreSQL common parameters
| Name | Description | Value |
| ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
| `image.registry` | PostgreSQL image registry | `docker.io` |
| `image.repository` | PostgreSQL image repository | `bitnami/postgresql` |
| `image.tag` | PostgreSQL image tag (immutable tags are recommended) | `14.5.0-debian-11-r35` |
| `image.digest` | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `image.pullPolicy` | PostgreSQL image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Specify image pull secrets | `[]` |
| `image.debug` | Specify if debug values should be set | `false` |
| `auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `true` |
| `auth.postgresPassword` | Password for the "postgres" admin user. Ignored if `auth.existingSecret` with key `postgres-password` is provided | `""` |
| `auth.username` | Name for a custom user to create | `""` |
| `auth.password` | Password for the custom user to create. Ignored if `auth.existingSecret` with key `password` is provided | `""` |
| `auth.database` | Name for a custom database to create | `""` |
| `auth.replicationUsername` | Name of the replication user | `repl_user` |
| `auth.replicationPassword` | Password for the replication user. Ignored if `auth.existingSecret` with key `replication-password` is provided | `""` |
| `auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials. `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret. The secret might also contains the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and picked from this secret in this case. | `""` |
| `auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `postgres-password` |
| `auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `password` |
| `auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `replication-password` |
| `auth.usePasswordFiles` | Mount credentials as a files instead of using an environment variable | `false` |
| `architecture` | PostgreSQL architecture (`standalone` or `replication`) | `standalone` |
| `replication.synchronousCommit` | Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` | `off` |
| `replication.numSynchronousReplicas` | Number of replicas that will have synchronous replication. Note: Cannot be greater than `readReplicas.replicaCount`. | `0` |
| `replication.applicationName` | Cluster application name. Useful for advanced replication settings | `my_application` |
| `containerPorts.postgresql` | PostgreSQL container port | `5432` |
| `audit.logHostname` | Log client hostnames | `false` |
| `audit.logConnections` | Add client log-in operations to the log file | `false` |
| `audit.logDisconnections` | Add client log-outs operations to the log file | `false` |
| `audit.pgAuditLog` | Add operations to log using the pgAudit extension | `""` |
| `audit.pgAuditLogCatalog` | Log catalog using pgAudit | `off` |
| `audit.clientMinMessages` | Message log level to share with the user | `error` |
| `audit.logLinePrefix` | Template for log line prefix (default if not set) | `""` |
| `audit.logTimezone` | Timezone for the log timestamps | `""` |
| `ldap.enabled` | Enable LDAP support | `false` |
| `ldap.server` | IP address or name of the LDAP server. | `""` |
| `ldap.port` | Port number on the LDAP server to connect to | `""` |
| `ldap.prefix` | String to prepend to the user name when forming the DN to bind | `""` |
| `ldap.suffix` | String to append to the user name when forming the DN to bind | `""` |
| `ldap.basedn` | Root DN to begin the search for the user in | `""` |
| `ldap.binddn` | DN of user to bind to LDAP | `""` |
| `ldap.bindpw` | Password for the user to bind to LDAP | `""` |
| `ldap.searchAttribute` | Attribute to match against the user name in the search | `""` |
| `ldap.searchFilter` | The search filter to use when doing search+bind authentication | `""` |
| `ldap.scheme` | Set to `ldaps` to use LDAPS | `""` |
| `ldap.tls.enabled` | Se to true to enable TLS encryption | `false` |
| `ldap.uri` | LDAP URL beginning in the form `ldap[s]://host[:port]/basedn`. If provided, all the other LDAP parameters will be ignored. | `""` |
| `postgresqlDataDir` | PostgreSQL data dir folder | `/bitnami/postgresql/data` |
| `postgresqlSharedPreloadLibraries` | Shared preload libraries (comma-separated list) | `pgaudit` |
| `shmVolume.enabled` | Enable emptyDir volume for /dev/shm for PostgreSQL pod(s) | `true` |
| `shmVolume.sizeLimit` | Set this to enable a size limit on the shm tmpfs | `""` |
| `tls.enabled` | Enable TLS traffic support | `false` |
| `tls.autoGenerated` | Generate automatically self-signed TLS certificates | `false` |
| `tls.preferServerCiphers` | Whether to use the server's TLS cipher preferences rather than the client's | `true` |
| `tls.certificatesSecret` | Name of an existing secret that contains the certificates | `""` |
| `tls.certFilename` | Certificate filename | `""` |
| `tls.certKeyFilename` | Certificate key filename | `""` |
| `tls.certCAFilename` | CA Certificate filename | `""` |
| `tls.crlFilename` | File containing a Certificate Revocation List | `""` |
### PostgreSQL Primary parameters
| Name | Description | Value |
| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------------- |
| `primary.name` | Name of the primary database (eg primary, master, leader, ...) | `primary` |
| `primary.configuration` | PostgreSQL Primary main configuration to be injected as ConfigMap | `""` |
| `primary.pgHbaConfiguration` | PostgreSQL Primary client authentication configuration | `""` |
| `primary.existingConfigmap` | Name of an existing ConfigMap with PostgreSQL Primary configuration | `""` |
| `primary.extendedConfiguration` | Extended PostgreSQL Primary configuration (appended to main or default configuration) | `""` |
| `primary.existingExtendedConfigmap` | Name of an existing ConfigMap with PostgreSQL Primary extended configuration | `""` |
| `primary.initdb.args` | PostgreSQL initdb extra arguments | `""` |
| `primary.initdb.postgresqlWalDir` | Specify a custom location for the PostgreSQL transaction log | `""` |
| `primary.initdb.scripts` | Dictionary of initdb scripts | `{}` |
| `primary.initdb.scriptsConfigMap` | ConfigMap with scripts to be run at first boot | `""` |
| `primary.initdb.scriptsSecret` | Secret with scripts to be run at first boot (in case it contains sensitive information) | `""` |
| `primary.initdb.user` | Specify the PostgreSQL username to execute the initdb scripts | `""` |
| `primary.initdb.password` | Specify the PostgreSQL password to execute the initdb scripts | `""` |
| `primary.standby.enabled` | Whether to enable current cluster's primary as standby server of another cluster or not | `false` |
| `primary.standby.primaryHost` | The Host of replication primary in the other cluster | `""` |
| `primary.standby.primaryPort` | The Port of replication primary in the other cluster | `""` |
| `primary.extraEnvVars` | Array with extra environment variables to add to PostgreSQL Primary nodes | `[]` |
| `primary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for PostgreSQL Primary nodes | `""` |
| `primary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for PostgreSQL Primary nodes | `""` |
| `primary.command` | Override default container command (useful when using custom images) | `[]` |
| `primary.args` | Override default container args (useful when using custom images) | `[]` |
| `primary.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL Primary containers | `true` |
| `primary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
| `primary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `primary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
| `primary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
| `primary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `primary.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL Primary containers | `true` |
| `primary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
| `primary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
| `primary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
| `primary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
| `primary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `primary.startupProbe.enabled` | Enable startupProbe on PostgreSQL Primary containers | `false` |
| `primary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` |
| `primary.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
| `primary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
| `primary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` |
| `primary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `primary.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `primary.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `primary.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `primary.lifecycleHooks` | for the PostgreSQL Primary container to automate configuration before or after startup | `{}` |
| `primary.resources.limits` | The resources limits for the PostgreSQL Primary containers | `{}` |
| `primary.resources.requests.memory` | The requested memory for the PostgreSQL Primary containers | `256Mi` |
| `primary.resources.requests.cpu` | The requested cpu for the PostgreSQL Primary containers | `250m` |
| `primary.podSecurityContext.enabled` | Enable security context | `true` |
| `primary.podSecurityContext.fsGroup` | Group ID for the pod | `1001` |
| `primary.containerSecurityContext.enabled` | Enable container security context | `true` |
| `primary.containerSecurityContext.runAsUser` | User ID for the container | `1001` |
| `primary.hostAliases` | PostgreSQL primary pods host aliases | `[]` |
| `primary.hostNetwork` | Specify if host network should be enabled for PostgreSQL pod (postgresql primary) | `false` |
| `primary.hostIPC` | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) | `false` |
| `primary.labels` | Map of labels to add to the statefulset (postgresql primary) | `{}` |
| `primary.annotations` | Annotations for PostgreSQL primary pods | `{}` |
| `primary.podLabels` | Map of labels to add to the pods (postgresql primary) | `{}` |
| `primary.podAnnotations` | Map of annotations to add to the pods (postgresql primary) | `{}` |
| `primary.podAffinityPreset` | PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `primary.podAntiAffinityPreset` | PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `primary.nodeAffinityPreset.type` | PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `primary.nodeAffinityPreset.key` | PostgreSQL primary node label key to match Ignored if `primary.affinity` is set. | `""` |
| `primary.nodeAffinityPreset.values` | PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set. | `[]` |
| `primary.affinity` | Affinity for PostgreSQL primary pods assignment | `{}` |
| `primary.nodeSelector` | Node labels for PostgreSQL primary pods assignment | `{}` |
| `primary.tolerations` | Tolerations for PostgreSQL primary pods assignment | `[]` |
| `primary.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` |
| `primary.priorityClassName` | Priority Class to use for each pod (postgresql primary) | `""` |
| `primary.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` |
| `primary.terminationGracePeriodSeconds` | Seconds PostgreSQL primary pod needs to terminate gracefully | `""` |
| `primary.updateStrategy.type` | PostgreSQL Primary statefulset strategy type | `RollingUpdate` |
| `primary.updateStrategy.rollingUpdate` | PostgreSQL Primary statefulset rolling update configuration parameters | `{}` |
| `primary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the PostgreSQL Primary container(s) | `[]` |
| `primary.extraVolumes` | Optionally specify extra list of additional volumes for the PostgreSQL Primary pod(s) | `[]` |
| `primary.sidecars` | Add additional sidecar containers to the PostgreSQL Primary pod(s) | `[]` |
| `primary.initContainers` | Add additional init containers to the PostgreSQL Primary pod(s) | `[]` |
| `primary.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL Primary pod(s) | `{}` |
| `primary.service.type` | Kubernetes Service type | `ClusterIP` |
| `primary.service.ports.postgresql` | PostgreSQL service port | `5432` |
| `primary.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` |
| `primary.service.clusterIP` | Static clusterIP or None for headless services | `""` |
| `primary.service.annotations` | Annotations for PostgreSQL primary service | `{}` |
| `primary.service.loadBalancerIP` | Load balancer IP if service type is `LoadBalancer` | `""` |
| `primary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` |
| `primary.service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` |
| `primary.service.extraPorts` | Extra ports to expose in the PostgreSQL primary service | `[]` |
| `primary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
| `primary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `primary.persistence.enabled` | Enable PostgreSQL Primary data persistence using PVC | `true` |
| `primary.persistence.existingClaim` | Name of an existing PVC to use | `""` |
| `primary.persistence.mountPath` | The path the volume will be mounted at | `/bitnami/postgresql` |
| `primary.persistence.subPath` | The subdirectory of the volume to mount to | `""` |
| `primary.persistence.storageClass` | PVC Storage Class for PostgreSQL Primary data volume | `""` |
| `primary.persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `["ReadWriteOnce"]` |
| `primary.persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` |
| `primary.persistence.annotations` | Annotations for the PVC | `{}` |
| `primary.persistence.labels` | Labels for the PVC | `{}` |
| `primary.persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` |
| `primary.persistence.dataSource` | Custom PVC data source | `{}` |
### PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`)
| Name | Description | Value |
| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------------- |
| `readReplicas.name` | Name of the read replicas database (eg secondary, slave, ...) | `read` |
| `readReplicas.replicaCount` | Number of PostgreSQL read only replicas | `1` |
| `readReplicas.extendedConfiguration` | Extended PostgreSQL read only replicas configuration (appended to main or default configuration) | `""` |
| `readReplicas.extraEnvVars` | Array with extra environment variables to add to PostgreSQL read only nodes | `[]` |
| `readReplicas.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for PostgreSQL read only nodes | `""` |
| `readReplicas.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for PostgreSQL read only nodes | `""` |
| `readReplicas.command` | Override default container command (useful when using custom images) | `[]` |
| `readReplicas.args` | Override default container args (useful when using custom images) | `[]` |
| `readReplicas.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL read only containers | `true` |
| `readReplicas.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
| `readReplicas.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `readReplicas.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
| `readReplicas.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
| `readReplicas.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `readReplicas.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL read only containers | `true` |
| `readReplicas.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
| `readReplicas.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
| `readReplicas.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
| `readReplicas.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
| `readReplicas.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `readReplicas.startupProbe.enabled` | Enable startupProbe on PostgreSQL read only containers | `false` |
| `readReplicas.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` |
| `readReplicas.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
| `readReplicas.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
| `readReplicas.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` |
| `readReplicas.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `readReplicas.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `readReplicas.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `readReplicas.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `readReplicas.lifecycleHooks` | for the PostgreSQL read only container to automate configuration before or after startup | `{}` |
| `readReplicas.resources.limits` | The resources limits for the PostgreSQL read only containers | `{}` |
| `readReplicas.resources.requests.memory` | The requested memory for the PostgreSQL read only containers | `256Mi` |
| `readReplicas.resources.requests.cpu` | The requested cpu for the PostgreSQL read only containers | `250m` |
| `readReplicas.podSecurityContext.enabled` | Enable security context | `true` |
| `readReplicas.podSecurityContext.fsGroup` | Group ID for the pod | `1001` |
| `readReplicas.containerSecurityContext.enabled` | Enable container security context | `true` |
| `readReplicas.containerSecurityContext.runAsUser` | User ID for the container | `1001` |
| `readReplicas.hostAliases` | PostgreSQL read only pods host aliases | `[]` |
| `readReplicas.hostNetwork` | Specify if host network should be enabled for PostgreSQL pod (PostgreSQL read only) | `false` |
| `readReplicas.hostIPC` | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) | `false` |
| `readReplicas.labels` | Map of labels to add to the statefulset (PostgreSQL read only) | `{}` |
| `readReplicas.annotations` | Annotations for PostgreSQL read only pods | `{}` |
| `readReplicas.podLabels` | Map of labels to add to the pods (PostgreSQL read only) | `{}` |
| `readReplicas.podAnnotations` | Map of annotations to add to the pods (PostgreSQL read only) | `{}` |
| `readReplicas.podAffinityPreset` | PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `readReplicas.podAntiAffinityPreset` | PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `readReplicas.nodeAffinityPreset.type` | PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `readReplicas.nodeAffinityPreset.key` | PostgreSQL read only node label key to match Ignored if `primary.affinity` is set. | `""` |
| `readReplicas.nodeAffinityPreset.values` | PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set. | `[]` |
| `readReplicas.affinity` | Affinity for PostgreSQL read only pods assignment | `{}` |
| `readReplicas.nodeSelector` | Node labels for PostgreSQL read only pods assignment | `{}` |
| `readReplicas.tolerations` | Tolerations for PostgreSQL read only pods assignment | `[]` |
| `readReplicas.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` |
| `readReplicas.priorityClassName` | Priority Class to use for each pod (PostgreSQL read only) | `""` |
| `readReplicas.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` |
| `readReplicas.terminationGracePeriodSeconds` | Seconds PostgreSQL read only pod needs to terminate gracefully | `""` |
| `readReplicas.updateStrategy.type` | PostgreSQL read only statefulset strategy type | `RollingUpdate` |
| `readReplicas.updateStrategy.rollingUpdate` | PostgreSQL read only statefulset rolling update configuration parameters | `{}` |
| `readReplicas.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the PostgreSQL read only container(s) | `[]` |
| `readReplicas.extraVolumes` | Optionally specify extra list of additional volumes for the PostgreSQL read only pod(s) | `[]` |
| `readReplicas.sidecars` | Add additional sidecar containers to the PostgreSQL read only pod(s) | `[]` |
| `readReplicas.initContainers` | Add additional init containers to the PostgreSQL read only pod(s) | `[]` |
| `readReplicas.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL read only pod(s) | `{}` |
| `readReplicas.service.type` | Kubernetes Service type | `ClusterIP` |
| `readReplicas.service.ports.postgresql` | PostgreSQL service port | `5432` |
| `readReplicas.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` |
| `readReplicas.service.clusterIP` | Static clusterIP or None for headless services | `""` |
| `readReplicas.service.annotations` | Annotations for PostgreSQL read only service | `{}` |
| `readReplicas.service.loadBalancerIP` | Load balancer IP if service type is `LoadBalancer` | `""` |
| `readReplicas.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` |
| `readReplicas.service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` |
| `readReplicas.service.extraPorts` | Extra ports to expose in the PostgreSQL read only service | `[]` |
| `readReplicas.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
| `readReplicas.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `readReplicas.persistence.enabled` | Enable PostgreSQL read only data persistence using PVC | `true` |
| `readReplicas.persistence.existingClaim` | Name of an existing PVC to use | `""` |
| `readReplicas.persistence.mountPath` | The path the volume will be mounted at | `/bitnami/postgresql` |
| `readReplicas.persistence.subPath` | The subdirectory of the volume to mount to | `""` |
| `readReplicas.persistence.storageClass` | PVC Storage Class for PostgreSQL read only data volume | `""` |
| `readReplicas.persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `["ReadWriteOnce"]` |
| `readReplicas.persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` |
| `readReplicas.persistence.annotations` | Annotations for the PVC | `{}` |
| `readReplicas.persistence.labels` | Labels for the PVC | `{}` |
| `readReplicas.persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` |
| `readReplicas.persistence.dataSource` | Custom PVC data source | `{}` |
### NetworkPolicy parameters
| Name | Description | Value |
| ------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `networkPolicy.enabled` | Enable network policies | `false` |
| `networkPolicy.metrics.enabled` | Enable network policies for metrics (prometheus) | `false` |
| `networkPolicy.metrics.namespaceSelector` | Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. | `{}` |
| `networkPolicy.metrics.podSelector` | Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. | `{}` |
| `networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled` | Enable ingress rule that makes PostgreSQL primary node only accessible from a particular origin. | `false` |
| `networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed namespace(s). | `{}` |
| `networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed pod(s). | `{}` |
| `networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules` | Custom network policy for the PostgreSQL primary node. | `{}` |
| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled` | Enable ingress rule that makes PostgreSQL read-only nodes only accessible from a particular origin. | `false` |
| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed namespace(s). | `{}` |
| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed pod(s). | `{}` |
| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules` | Custom network policy for the PostgreSQL read-only nodes. | `{}` |
| `networkPolicy.egressRules.denyConnectionsToExternal` | Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). | `false` |
| `networkPolicy.egressRules.customRules` | Custom network policy rule | `{}` |
### Volume Permissions parameters
| Name | Description | Value |
| ------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------- | ----------------------- |
| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` |
| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` |
| `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/bitnami-shell` |
| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r45` |
| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` |
| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` |
| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` |
| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` |
### Other Parameters
| Name | Description | Value |
| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `serviceAccount.create` | Enable creation of ServiceAccount for PostgreSQL pod | `false` |
| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` |
| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
| `rbac.create` | Create Role and RoleBinding (required for PSP to work) | `false` |
| `rbac.rules` | Custom RBAC rules to set | `[]` |
| `psp.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` |
### Metrics Parameters
| Name | Description | Value |
| ----------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | --------------------------- |
| `metrics.enabled` | Start a prometheus exporter | `false` |
| `metrics.image.registry` | PostgreSQL Prometheus Exporter image registry | `docker.io` |
| `metrics.image.repository` | PostgreSQL Prometheus Exporter image repository | `bitnami/postgres-exporter` |
| `metrics.image.tag` | PostgreSQL Prometheus Exporter image tag (immutable tags are recommended) | `0.11.1-debian-11-r22` |
| `metrics.image.digest` | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `metrics.image.pullPolicy` | PostgreSQL Prometheus Exporter image pull policy | `IfNotPresent` |
| `metrics.image.pullSecrets` | Specify image pull secrets | `[]` |
| `metrics.customMetrics` | Define additional custom metrics | `{}` |
| `metrics.extraEnvVars` | Extra environment variables to add to PostgreSQL Prometheus exporter | `[]` |
| `metrics.containerSecurityContext.enabled` | Enable PostgreSQL Prometheus exporter containers' Security Context | `true` |
| `metrics.containerSecurityContext.runAsUser` | Set PostgreSQL Prometheus exporter containers' Security Context runAsUser | `1001` |
| `metrics.containerSecurityContext.runAsNonRoot` | Set PostgreSQL Prometheus exporter containers' Security Context runAsNonRoot | `true` |
| `metrics.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL Prometheus exporter containers | `true` |
| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` |
| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `metrics.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL Prometheus exporter containers | `true` |
| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `metrics.startupProbe.enabled` | Enable startupProbe on PostgreSQL Prometheus exporter containers | `false` |
| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` |
| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` |
| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `metrics.containerPorts.metrics` | PostgreSQL Prometheus exporter metrics container port | `9187` |
| `metrics.resources.limits` | The resources limits for the PostgreSQL Prometheus exporter container | `{}` |
| `metrics.resources.requests` | The requested resources for the PostgreSQL Prometheus exporter container | `{}` |
| `metrics.service.ports.metrics` | PostgreSQL Prometheus Exporter service port | `9187` |
| `metrics.service.clusterIP` | Static clusterIP or None for headless services | `""` |
| `metrics.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
| `metrics.service.annotations` | Annotations for Prometheus to auto-discover the metrics endpoint | `{}` |
| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` |
| `metrics.serviceMonitor.namespace` | Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) | `""` |
| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` |
| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` |
| `metrics.serviceMonitor.labels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` |
| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` |
| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` |
| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` |
| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` |
| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` |
| `metrics.prometheusRule.enabled` | Create a PrometheusRule for Prometheus Operator | `false` |
| `metrics.prometheusRule.namespace` | Namespace for the PrometheusRule Resource (defaults to the Release Namespace) | `""` |
| `metrics.prometheusRule.labels` | Additional labels that can be used so PrometheusRule will be discovered by Prometheus | `{}` |
| `metrics.prometheusRule.rules` | PrometheusRule definitions | `[]` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```bash
$ helm install my-release \
--set auth.postgresPassword=secretpassword
my-repo/postgresql
```
The above command sets the PostgreSQL `postgres` account password to `secretpassword`.
> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available.
> **Warning** Setting a password will be ignored on new installation in case when previous Posgresql release was deleted through the helm command. In that case, old PVC will have an old password, and setting it through helm won't take effect. Deleting persistent volumes (PVs) will solve the issue. Refer to [issue 2061](https://github.com/bitnami/charts/issues/2061) for more details
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
```bash
helm install my-release -f values.yaml my-repo/postgresql
```
> **Tip**: You can use the default [values.yaml](values.yaml)
## Configuration and installation details
### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/)
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
### Customizing primary and read replica services in a replicated configuration
At the top level, there is a service object which defines the services for both primary and readReplicas. For deeper customization, there are service objects for both the primary and read types individually. This allows you to override the values in the top level service object so that the primary and read can be of different service types and with different clusterIPs / nodePorts. Also in the case you want the primary and read to be of type nodePort, you will need to set the nodePorts to different values to prevent a collision. The values that are deeper in the primary.service or readReplicas.service objects will take precedence over the top level service object.
### Use a different PostgreSQL version
To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. Refer to the [chart documentation for more information on these parameters and how to use them with images from a private registry](https://docs.bitnami.com/kubernetes/infrastructure/postgresql/configuration/change-image-version/).
### postgresql.conf / pg_hba.conf files as configMap
This helm chart also supports to customize the PostgreSQL configuration file. You can add additional PostgreSQL configuration parameters using the `primary.extendedConfiguration`/`readReplicas.extendedConfiguration` parameters as a string. Alternatively, to replace the entire default configuration use `primary.configuration`.
You can also add a custom pg_hba.conf using the `primary.pgHbaConfiguration` parameter.
In addition to these options, you can also set an external ConfigMap with all the configuration files. This is done by setting the `primary.existingConfigmap` parameter. Note that this will override the two previous options.
### Initialize a fresh instance
The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, you can specify custom scripts using the `primary.initdb.scripts` parameter as a string.
In addition, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `primary.initdb.scriptsConfigMap` parameter. Note that this will override the two previous options. If your initialization scripts contain sensitive information such as credentials or passwords, you can use the `primary.initdb.scriptsSecret` parameter.
The allowed extensions are `.sh`, `.sql` and `.sql.gz`.
### Securing traffic using TLS
TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart:
- `tls.enabled`: Enable TLS support. Defaults to `false`
- `tls.certificatesSecret`: Name of an existing secret that contains the certificates. No defaults.
- `tls.certFilename`: Certificate filename. No defaults.
- `tls.certKeyFilename`: Certificate key filename. No defaults.
For example:
- First, create the secret with the cetificates files:
```console
kubectl create secret generic certificates-tls-secret --from-file=./cert.crt --from-file=./cert.key --from-file=./ca.crt
```
- Then, use the following parameters:
```console
volumePermissions.enabled=true
tls.enabled=true
tls.certificatesSecret="certificates-tls-secret"
tls.certFilename="cert.crt"
tls.certKeyFilename="cert.key"
```
> Note TLS and VolumePermissions: PostgreSQL requires certain permissions on sensitive files (such as certificate keys) to start up. Due to an on-going [issue](https://github.com/kubernetes/kubernetes/issues/57923) regarding kubernetes permissions and the use of `containerSecurityContext.runAsUser`, you must enable `volumePermissions` to ensure everything works as expected.
### Sidecars
If you need additional containers to run within the same pod as PostgreSQL (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec.
```yaml
# For the PostgreSQL primary
primary:
sidecars:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234
# For the PostgreSQL replicas
readReplicas:
sidecars:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234
```
### Metrics
The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml).
The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details.
### Use of global variables
In more complex scenarios, we may have the following tree of dependencies
```
+--------------+
| |
+------------+ Chart 1 +-----------+
| | | |
| --------+------+ |
| | |
| | |
| | |
| | |
v v v
+-------+------+ +--------+------+ +--------+------+
| | | | | |
| PostgreSQL | | Sub-chart 1 | | Sub-chart 2 |
| | | | | |
+--------------+ +---------------+ +---------------+
```
The three charts below depend on the parent chart Chart 1. However, subcharts 1 and 2 may need to connect to PostgreSQL as well. In order to do so, subcharts 1 and 2 need to know the PostgreSQL credentials, so one option for deploying could be deploy Chart 1 with the following parameters:
```
postgresql.auth.username=testuser
subchart1.postgresql.auth.username=testuser
subchart2.postgresql.auth.username=testuser
postgresql.auth.password=testpass
subchart1.postgresql.auth.password=testpass
subchart2.postgresql.auth.password=testpass
postgresql.auth.database=testdb
subchart1.postgresql.auth.database=testdb
subchart2.postgresql.auth.database=testdb
```
If the number of dependent sub-charts increases, installing the chart with parameters can become increasingly difficult. An alternative would be to set the credentials using global variables as follows:
```
global.postgresql.auth.username=testuser
global.postgresql.auth.password=testpass
global.postgresql.auth.database=testdb
```
This way, the credentials will be available in all of the subcharts.
## Persistence
The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container.
Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube.
See the [Parameters](#parameters) section to configure the PVC or to disable persistence.
If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to the [code present in the container repository](https://github.com/bitnami/containers/tree/main/bitnami/postgresql). If you need to use those data, please covert them to sql and import after `helm install` finished.
## NetworkPolicy
To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`.
For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace:
```bash
kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}"
```
With NetworkPolicy enabled, traffic will be limited to just port 5432.
For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL.
This label will be displayed in the output of a successful install.
## Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image
- The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image.
- The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift.
- For OpenShift, one may either define the runAsUser and fsGroup accordingly, or try this more dynamic option: volumePermissions.securityContext.runAsUser="auto",securityContext.enabled=false,containerSecurityContext.enabled=false,shmVolume.chmod.enabled=false
### Setting Pod's affinity
This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity).
As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters.
## Troubleshooting
Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues).
## Upgrading
Refer to the [chart documentation for more information about how to upgrade from previous releases](https://docs.bitnami.com/kubernetes/infrastructure/postgresql/administration/upgrade/).
## License
Copyright &copy; 2022 Bitnami
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

22
charts/kong/kong/2.41.0/charts/postgresql/charts/common/.helmignore Normal file
View File

@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

23
charts/kong/kong/2.41.0/charts/postgresql/charts/common/Chart.yaml Normal file
View File

@ -0,0 +1,23 @@
annotations:
category: Infrastructure
apiVersion: v2
appVersion: 2.0.4
description: A Library Helm Chart for grouping common logic between bitnami charts.
This chart is not deployable by itself.
home: https://github.com/bitnami/charts/tree/main/bitnami/common
icon: https://bitnami.com/downloads/logos/bitnami-mark.png
keywords:
- common
- helper
- template
- function
- bitnami
maintainers:
- name: Bitnami
url: https://github.com/bitnami/charts
name: common
sources:
- https://github.com/bitnami/charts
- https://www.bitnami.com/
type: library
version: 2.0.4

350
charts/kong/kong/2.41.0/charts/postgresql/charts/common/README.md Normal file
View File

@ -0,0 +1,350 @@
# Bitnami Common Library Chart
A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between bitnami charts.
## TL;DR
```yaml
dependencies:
- name: common
version: 1.x.x
repository: https://charts.bitnami.com/bitnami
```
```bash
$ helm dependency update
```
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "common.names.fullname" . }}
data:
myvalue: "Hello World"
```
## Introduction
This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager.
Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
## Prerequisites
- Kubernetes 1.19+
- Helm 3.2.0+
## Parameters
The following table lists the helpers available in the library which are scoped in different sections.
### Affinities
| Helper identifier | Description | Expected Input |
|-------------------------------|------------------------------------------------------|------------------------------------------------|
| `common.affinities.nodes.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` |
| `common.affinities.nodes.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` |
| `common.affinities.pods.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` |
| `common.affinities.pods.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` |
### Capabilities
| Helper identifier | Description | Expected Input |
|------------------------------------------------|------------------------------------------------------------------------------------------------|-------------------|
| `common.capabilities.kubeVersion` | Return the target Kubernetes version (using client default if .Values.kubeVersion is not set). | `.` Chart context |
| `common.capabilities.cronjob.apiVersion` | Return the appropriate apiVersion for cronjob. | `.` Chart context |
| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context |
| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context |
| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context |
| `common.capabilities.rbac.apiVersion` | Return the appropriate apiVersion for RBAC resources. | `.` Chart context |
| `common.capabilities.crd.apiVersion` | Return the appropriate apiVersion for CRDs. | `.` Chart context |
| `common.capabilities.policy.apiVersion` | Return the appropriate apiVersion for podsecuritypolicy. | `.` Chart context |
| `common.capabilities.networkPolicy.apiVersion` | Return the appropriate apiVersion for networkpolicy. | `.` Chart context |
| `common.capabilities.apiService.apiVersion` | Return the appropriate apiVersion for APIService. | `.` Chart context |
| `common.capabilities.hpa.apiVersion` | Return the appropriate apiVersion for Horizontal Pod Autoscaler | `.` Chart context |
| `common.capabilities.supportsHelmVersion` | Returns true if the used Helm version is 3.3+ | `.` Chart context |
### Errors
| Helper identifier | Description | Expected Input |
|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------|
| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` |
### Images
| Helper identifier | Description | Expected Input |
|-----------------------------|------------------------------------------------------|---------------------------------------------------------------------------------------------------------|
| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. |
| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` |
| `common.images.renderPullSecrets` | Return the proper Docker Image Registry Secret Names (evaluates values as templates) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $` |
### Ingress
| Helper identifier | Description | Expected Input |
|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.ingress.backend` | Generate a proper Ingress backend entry depending on the API version | `dict "serviceName" "foo" "servicePort" "bar"`, see the [Ingress deprecation notice](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for the syntax differences |
| `common.ingress.supportsPathType` | Prints "true" if the pathType field is supported | `.` Chart context |
| `common.ingress.supportsIngressClassname` | Prints "true" if the ingressClassname field is supported | `.` Chart context |
| `common.ingress.certManagerRequest` | Prints "true" if required cert-manager annotations for TLS signed certificates are set in the Ingress annotations | `dict "annotations" .Values.path.to.the.ingress.annotations` |
### Labels
| Helper identifier | Description | Expected Input |
|-----------------------------|-----------------------------------------------------------------------------|-------------------|
| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context |
| `common.labels.matchLabels` | Labels to use on `deploy.spec.selector.matchLabels` and `svc.spec.selector` | `.` Chart context |
### Names
| Helper identifier | Description | Expected Input |
|-----------------------------------|-----------------------------------------------------------------------|-------------------|
| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context |
| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context |
| `common.names.namespace` | Allow the release namespace to be overridden | `.` Chart context |
| `common.names.fullname.namespace` | Create a fully qualified app name adding the installation's namespace | `.` Chart context |
| `common.names.chart` | Chart name plus version | `.` Chart context |
### Secrets
| Helper identifier | Description | Expected Input |
|---------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. |
| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. |
| `common.passwords.manage` | Generate secret password or retrieve one if already created. | `dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $`, length, strong and chartNAme fields are optional. |
| `common.secrets.exists` | Returns whether a previous generated secret already exists. | `dict "secret" "secret-name" "context" $` |
### Storage
| Helper identifier | Description | Expected Input |
|-------------------------------|---------------------------------------|---------------------------------------------------------------------------------------------------------------------|
| `common.storage.class` | Return the proper Storage Class | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. |
### TplValues
| Helper identifier | Description | Expected Input |
|---------------------------|----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frequently is the chart context `$` or `.` |
### Utils
| Helper identifier | Description | Expected Input |
|--------------------------------|------------------------------------------------------------------------------------------|------------------------------------------------------------------------|
| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` |
| `common.utils.secret.getvalue` | Print instructions to get a secret value. | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` |
| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` |
| `common.utils.getKeyFromList` | Returns first `.Values` key with a defined value or first of the list if all non-defined | `dict "keys" (list "path.to.key1" "path.to.key2") "context" $` |
### Validations
| Helper identifier | Description | Expected Input |
|--------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "subchart" "subchart" "context" $` secret, field and subchart are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) |
| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) |
| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper. |
| `common.validations.values.mysql.passwords` | This helper will ensure required password for MySQL are not empty. It returns a shared error for all the values. | `dict "secret" "mysql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mysql chart and the helper. |
| `common.validations.values.postgresql.passwords` | This helper will ensure required password for PostgreSQL are not empty. It returns a shared error for all the values. | `dict "secret" "postgresql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use postgresql chart and the helper. |
| `common.validations.values.redis.passwords` | This helper will ensure required password for Redis&reg; are not empty. It returns a shared error for all the values. | `dict "secret" "redis-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use redis chart and the helper. |
| `common.validations.values.cassandra.passwords` | This helper will ensure required password for Cassandra are not empty. It returns a shared error for all the values. | `dict "secret" "cassandra-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use cassandra chart and the helper. |
| `common.validations.values.mongodb.passwords` | This helper will ensure required password for MongoDB&reg; are not empty. It returns a shared error for all the values. | `dict "secret" "mongodb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mongodb chart and the helper. |
### Warnings
| Helper identifier | Description | Expected Input |
|------------------------------|----------------------------------|------------------------------------------------------------|
| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. |
## Special input schemas
### ImageRoot
```yaml
registry:
type: string
description: Docker registry where the image is located
example: docker.io
repository:
type: string
description: Repository and image name
example: bitnami/nginx
tag:
type: string
description: image tag
example: 1.16.1-debian-10-r63
pullPolicy:
type: string
description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
pullSecrets:
type: array
items:
type: string
description: Optionally specify an array of imagePullSecrets (evaluated as templates).
debug:
type: boolean
description: Set to true if you would like to see extra information on logs
example: false
## An instance would be:
# registry: docker.io
# repository: bitnami/nginx
# tag: 1.16.1-debian-10-r63
# pullPolicy: IfNotPresent
# debug: false
```
### Persistence
```yaml
enabled:
type: boolean
description: Whether enable persistence.
example: true
storageClass:
type: string
description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning.
example: "-"
accessMode:
type: string
description: Access mode for the Persistent Volume Storage.
example: ReadWriteOnce
size:
type: string
description: Size the Persistent Volume Storage.
example: 8Gi
path:
type: string
description: Path to be persisted.
example: /bitnami
## An instance would be:
# enabled: true
# storageClass: "-"
# accessMode: ReadWriteOnce
# size: 8Gi
# path: /bitnami
```
### ExistingSecret
```yaml
name:
type: string
description: Name of the existing secret.
example: mySecret
keyMapping:
description: Mapping between the expected key name and the name of the key in the existing secret.
type: object
## An instance would be:
# name: mySecret
# keyMapping:
# password: myPasswordKey
```
#### Example of use
When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets.
```yaml
# templates/secret.yaml
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "common.names.fullname" . }}
labels:
app: {{ include "common.names.fullname" . }}
type: Opaque
data:
password: {{ .Values.password | b64enc | quote }}
# templates/dpl.yaml
---
...
env:
- name: PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }}
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }}
...
# values.yaml
---
name: mySecret
keyMapping:
password: myPasswordKey
```
### ValidateValue
#### NOTES.txt
```console
{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}}
{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}}
{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }}
```
If we force those values to be empty we will see some alerts
```console
$ helm install test mychart --set path.to.value00="",path.to.value01=""
'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value:
export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 -d)
'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value:
export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 -d)
```
## Upgrading
### To 1.0.0
[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL.
**What changes were introduced in this major version?**
- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field.
- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information.
- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts
**Considerations when upgrading to this version**
- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues
- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore
- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3
**Useful links**
- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/
- https://helm.sh/docs/topics/v2_v3_migration/
- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/
## License
Copyright &copy; 2022 Bitnami
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

102
charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_affinities.tpl Normal file
View File

@ -0,0 +1,102 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Return a soft nodeAffinity definition
{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}}
*/}}
{{- define "common.affinities.nodes.soft" -}}
preferredDuringSchedulingIgnoredDuringExecution:
- preference:
matchExpressions:
- key: {{ .key }}
operator: In
values:
{{- range .values }}
- {{ . | quote }}
{{- end }}
weight: 1
{{- end -}}
{{/*
Return a hard nodeAffinity definition
{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}}
*/}}
{{- define "common.affinities.nodes.hard" -}}
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: {{ .key }}
operator: In
values:
{{- range .values }}
- {{ . | quote }}
{{- end }}
{{- end -}}
{{/*
Return a nodeAffinity definition
{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}}
*/}}
{{- define "common.affinities.nodes" -}}
{{- if eq .type "soft" }}
{{- include "common.affinities.nodes.soft" . -}}
{{- else if eq .type "hard" }}
{{- include "common.affinities.nodes.hard" . -}}
{{- end -}}
{{- end -}}
{{/*
Return a soft podAffinity/podAntiAffinity definition
{{ include "common.affinities.pods.soft" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "context" $) -}}
*/}}
{{- define "common.affinities.pods.soft" -}}
{{- $component := default "" .component -}}
{{- $extraMatchLabels := default (dict) .extraMatchLabels -}}
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }}
{{- if not (empty $component) }}
{{ printf "app.kubernetes.io/component: %s" $component }}
{{- end }}
{{- range $key, $value := $extraMatchLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
namespaces:
- {{ include "common.names.namespace" .context | quote }}
topologyKey: kubernetes.io/hostname
weight: 1
{{- end -}}
{{/*
Return a hard podAffinity/podAntiAffinity definition
{{ include "common.affinities.pods.hard" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "context" $) -}}
*/}}
{{- define "common.affinities.pods.hard" -}}
{{- $component := default "" .component -}}
{{- $extraMatchLabels := default (dict) .extraMatchLabels -}}
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }}
{{- if not (empty $component) }}
{{ printf "app.kubernetes.io/component: %s" $component }}
{{- end }}
{{- range $key, $value := $extraMatchLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
namespaces:
- {{ include "common.names.namespace" .context | quote }}
topologyKey: kubernetes.io/hostname
{{- end -}}
{{/*
Return a podAffinity/podAntiAffinity definition
{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}}
*/}}
{{- define "common.affinities.pods" -}}
{{- if eq .type "soft" }}
{{- include "common.affinities.pods.soft" . -}}
{{- else if eq .type "hard" }}
{{- include "common.affinities.pods.hard" . -}}
{{- end -}}
{{- end -}}

154
charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_capabilities.tpl Normal file
View File

@ -0,0 +1,154 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Return the target Kubernetes version
*/}}
{{- define "common.capabilities.kubeVersion" -}}
{{- if .Values.global }}
{{- if .Values.global.kubeVersion }}
{{- .Values.global.kubeVersion -}}
{{- else }}
{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
{{- end -}}
{{- else }}
{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for poddisruptionbudget.
*/}}
{{- define "common.capabilities.policy.apiVersion" -}}
{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "policy/v1beta1" -}}
{{- else -}}
{{- print "policy/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for networkpolicy.
*/}}
{{- define "common.capabilities.networkPolicy.apiVersion" -}}
{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "extensions/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for cronjob.
*/}}
{{- define "common.capabilities.cronjob.apiVersion" -}}
{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "batch/v1beta1" -}}
{{- else -}}
{{- print "batch/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for deployment.
*/}}
{{- define "common.capabilities.deployment.apiVersion" -}}
{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "extensions/v1beta1" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for statefulset.
*/}}
{{- define "common.capabilities.statefulset.apiVersion" -}}
{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "apps/v1beta1" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for ingress.
*/}}
{{- define "common.capabilities.ingress.apiVersion" -}}
{{- if .Values.ingress -}}
{{- if .Values.ingress.apiVersion -}}
{{- .Values.ingress.apiVersion -}}
{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "extensions/v1beta1" -}}
{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1" -}}
{{- end }}
{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "extensions/v1beta1" -}}
{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for RBAC resources.
*/}}
{{- define "common.capabilities.rbac.apiVersion" -}}
{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "rbac.authorization.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "rbac.authorization.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for CRDs.
*/}}
{{- define "common.capabilities.crd.apiVersion" -}}
{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "apiextensions.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "apiextensions.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for APIService.
*/}}
{{- define "common.capabilities.apiService.apiVersion" -}}
{{- if semverCompare "<1.10-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "apiregistration.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "apiregistration.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for Horizontal Pod Autoscaler.
*/}}
{{- define "common.capabilities.hpa.apiVersion" -}}
{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}}
{{- if .beta2 -}}
{{- print "autoscaling/v2beta2" -}}
{{- else -}}
{{- print "autoscaling/v2beta1" -}}
{{- end -}}
{{- else -}}
{{- print "autoscaling/v2" -}}
{{- end -}}
{{- end -}}
{{/*
Returns true if the used Helm version is 3.3+.
A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure.
This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error.
**To be removed when the catalog's minimun Helm version is 3.3**
*/}}
{{- define "common.capabilities.supportsHelmVersion" -}}
{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }}
{{- true -}}
{{- end -}}
{{- end -}}

23
charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_errors.tpl Normal file
View File

@ -0,0 +1,23 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Through error when upgrading using empty passwords values that must not be empty.
Usage:
{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}}
{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}}
{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }}
Required password params:
- validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error.
- context - Context - Required. Parent context.
*/}}
{{- define "common.errors.upgrade.passwords.empty" -}}
{{- $validationErrors := join "" .validationErrors -}}
{{- if and $validationErrors .context.Release.IsUpgrade -}}
{{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}}
{{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}}
{{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}}
{{- $errorString = print $errorString "\n%s" -}}
{{- printf $errorString $validationErrors | fail -}}
{{- end -}}
{{- end -}}

76
charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_images.tpl Normal file
View File

@ -0,0 +1,76 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Return the proper image name
{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" $) }}
*/}}
{{- define "common.images.image" -}}
{{- $registryName := .imageRoot.registry -}}
{{- $repositoryName := .imageRoot.repository -}}
{{- $separator := ":" -}}
{{- $termination := .imageRoot.tag | toString -}}
{{- if .global }}
{{- if .global.imageRegistry }}
{{- $registryName = .global.imageRegistry -}}
{{- end -}}
{{- end -}}
{{- if .imageRoot.digest }}
{{- $separator = "@" -}}
{{- $termination = .imageRoot.digest | toString -}}
{{- end -}}
{{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead)
{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }}
*/}}
{{- define "common.images.pullSecrets" -}}
{{- $pullSecrets := list }}
{{- if .global }}
{{- range .global.imagePullSecrets -}}
{{- $pullSecrets = append $pullSecrets . -}}
{{- end -}}
{{- end -}}
{{- range .images -}}
{{- range .pullSecrets -}}
{{- $pullSecrets = append $pullSecrets . -}}
{{- end -}}
{{- end -}}
{{- if (not (empty $pullSecrets)) }}
imagePullSecrets:
{{- range $pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names evaluating values as templates
{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }}
*/}}
{{- define "common.images.renderPullSecrets" -}}
{{- $pullSecrets := list }}
{{- $context := .context }}
{{- if $context.Values.global }}
{{- range $context.Values.global.imagePullSecrets -}}
{{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
{{- end -}}
{{- end -}}
{{- range .images -}}
{{- range .pullSecrets -}}
{{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
{{- end -}}
{{- end -}}
{{- if (not (empty $pullSecrets)) }}
imagePullSecrets:
{{- range $pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- end -}}

68
charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_ingress.tpl Normal file
View File

@ -0,0 +1,68 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Generate backend entry that is compatible with all Kubernetes API versions.
Usage:
{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }}
Params:
- serviceName - String. Name of an existing service backend
- servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer.
- context - Dict - Required. The context for the template evaluation.
*/}}
{{- define "common.ingress.backend" -}}
{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}}
{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}}
serviceName: {{ .serviceName }}
servicePort: {{ .servicePort }}
{{- else -}}
service:
name: {{ .serviceName }}
port:
{{- if typeIs "string" .servicePort }}
name: {{ .servicePort }}
{{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }}
number: {{ .servicePort | int }}
{{- end }}
{{- end -}}
{{- end -}}
{{/*
Print "true" if the API pathType field is supported
Usage:
{{ include "common.ingress.supportsPathType" . }}
*/}}
{{- define "common.ingress.supportsPathType" -}}
{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}}
{{- print "false" -}}
{{- else -}}
{{- print "true" -}}
{{- end -}}
{{- end -}}
{{/*
Returns true if the ingressClassname field is supported
Usage:
{{ include "common.ingress.supportsIngressClassname" . }}
*/}}
{{- define "common.ingress.supportsIngressClassname" -}}
{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "false" -}}
{{- else -}}
{{- print "true" -}}
{{- end -}}
{{- end -}}
{{/*
Return true if cert-manager required annotations for TLS signed
certificates are set in the Ingress annotations
Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
Usage:
{{ include "common.ingress.certManagerRequest" ( dict "annotations" .Values.path.to.the.ingress.annotations ) }}
*/}}
{{- define "common.ingress.certManagerRequest" -}}
{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") (hasKey .annotations "kubernetes.io/tls-acme") }}
{{- true -}}
{{- end -}}
{{- end -}}

Some files were not shown because too many files have changed in this diff Show More