CHG: Sync Artifacts - 4.4.2

README.md

@@ -36,7 +36,7 @@ Check the official documentation at **[docs.airlock.com](https://docs.airlock.co
 
 * [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html)
 * [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html)
-* [Installation](https://docs.airlock.com/microgateway/latest/#data/1660804708637.html)
+* [Installation](https://docs.airlock.com/microgateway/latest/?topic=MGW-00000138)
 * [Troubleshooting](https://docs.airlock.com/microgateway/latest/#data/1659430054787.html)
 * [GitHub](https://github.com/airlock/microgateway)
 
@@ -72,36 +72,36 @@ helm install cert-manager jetstack/cert-manager --version 'v1.16.1' -n cert-mana
    > **Note**: Certain environments such as OpenShift or GKE require non-default configurations when installing the CNI plugin. For the most common setups, values files are provided in the [chart folder](/deploy/charts/airlock-microgateway-cni).
    ```bash
    # Standard setup
-   helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1'
+   helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2'
    kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
    ```
    ```bash
    # GKE setup
-   helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1' -f https://raw.githubusercontent.com/airlock/microgateway/4.4.1/deploy/charts/airlock-microgateway-cni/gke-values.yaml
+   helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2' -f https://raw.githubusercontent.com/airlock/microgateway/4.4.2/deploy/charts/airlock-microgateway-cni/gke-values.yaml
    kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
    ```
    ```bash
    # OpenShift setup
-   helm install airlock-microgateway-cni -n openshift-operators oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1' -f https://raw.githubusercontent.com/airlock/microgateway/4.4.1/deploy/charts/airlock-microgateway-cni/openshift-values.yaml
+   helm install airlock-microgateway-cni -n openshift-operators oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2' -f https://raw.githubusercontent.com/airlock/microgateway/4.4.2/deploy/charts/airlock-microgateway-cni/openshift-values.yaml
    kubectl -n openshift-operators rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
    ```
    > **Important:** On OpenShift, all pods which should be protected by Airlock Microgateway must explicitly reference the Airlock Microgateway CNI NetworkAttachmentDefinition via the annotation `k8s.v1.cni.cncf.io/networks` (see [documentation](https://docs.airlock.com/microgateway/latest/#data/1658483168033.html) for details).
 
 2. (Recommended) You can verify the correctness of the installation with `helm test`.
    ```bash
    # Standard and GKE setup
-   helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1'
+   helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2'
    helm test airlock-microgateway-cni -n kube-system --logs
-   helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1'
+   helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2'
    ```
    ```bash
    # OpenShift setup
-   helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1'
+   helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2'
    helm test airlock-microgateway-cni -n openshift-operators --logs
-   helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1'
+   helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2'
    ```
 
-   Consult our [documentation](https://docs.airlock.com/microgateway/latest/#data/1699611533587.html) in case of any installation error.
+   Consult our [documentation](https://docs.airlock.com/microgateway/latest/?topic=MGW-00000139) in case of any installation error.
 
 ## Deploy Airlock Microgateway Operator
 
@@ -116,22 +116,22 @@ helm install cert-manager jetstack/cert-manager --version 'v1.16.1' -n cert-mana
    kubectl -n airlock-microgateway-system create secret generic airlock-microgateway-license --from-file=microgateway-license.txt
 
    # Install Operator (CRDs are included via the standard Helm 3 mechanism, i.e. Helm will handle initial installation but not upgrades)
-   helm install airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway --version '4.4.1' --wait
+   helm install airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway --version '4.4.2' --wait
    ```
 
 2. (Recommended) You can verify the correctness of the installation with `helm test`.
    ```bash
-   helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.4.1'
+   helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.4.2'
    helm test airlock-microgateway -n airlock-microgateway-system --logs
-   helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.4.1'
+   helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.4.2'
    ```
 
 ### Upgrading CRDs
 
 The `helm install/upgrade` command currently does not support upgrading CRDs that already exist in the cluster.
 CRDs should instead be manually upgraded before upgrading the Operator itself via the following command:
 ```bash
-kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=4.4.1 --server-side --force-conflicts
+kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=4.4.2 --server-side --force-conflicts
 ```
 
 **Note**: Certain GitOps solutions such as e.g. Argo CD or Flux CD have their own mechanisms for automatically upgrading CRDs included with Helm charts.

deploy/charts/airlock-microgateway-cni/Chart.yaml

@@ -3,8 +3,8 @@ name: microgateway-cni
 description: A Helm chart for deploying the Airlock Microgateway CNI plugin
 type: application
 home: https://www.airlock.com/en/microgateway
-version: "4.4.1"
-appVersion: "4.4.1"
+version: "4.4.2"
+appVersion: "4.4.2"
 annotations:
   charts.openshift.io/name: Airlock Microgateway CNI
   artifacthub.io/category: security

deploy/charts/airlock-microgateway-cni/README.md

@@ -1,6 +1,6 @@
 # Airlock Microgateway CNI
 
-![Version: 4.4.1](https://img.shields.io/badge/Version-4.4.1-informational?style=flat-square) ![AppVersion: 4.4.1](https://img.shields.io/badge/AppVersion-4.4.1-informational?style=flat-square)
+![Version: 4.4.2](https://img.shields.io/badge/Version-4.4.2-informational?style=flat-square) ![AppVersion: 4.4.2](https://img.shields.io/badge/AppVersion-4.4.2-informational?style=flat-square)
 
 *Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.*
 
@@ -13,7 +13,7 @@
 </picture>
 
 Modern application security is embedded in the development workflow and follows DevSecOps paradigms. Airlock Microgateway is the perfect fit for these requirements. It is a lightweight alternative to the Airlock Gateway appliance, optimized for Kubernetes environments. Airlock Microgateway protects your applications and microservices with the tried-and-tested Airlock security features against attacks, while also providing a high degree of scalability.
-__This Helm chart is part of Airlock Microgateway. See our [GitHub repo](https://github.com/airlock/microgateway/tree/4.4.1).__
+__This Helm chart is part of Airlock Microgateway. See our [GitHub repo](https://github.com/airlock/microgateway/tree/4.4.2).__
 
 ### Features
 * Kubernetes native integration with sidecar injection and Gateway API support
@@ -31,7 +31,7 @@ Check the official documentation at **[docs.airlock.com](https://docs.airlock.co
 
 * [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html)
 * [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html)
-* [Installation](https://docs.airlock.com/microgateway/latest/#data/1660804708637.html)
+* [Installation](https://docs.airlock.com/microgateway/latest/?topic=MGW-00000138)
 * [Troubleshooting](https://docs.airlock.com/microgateway/latest/#data/1659430054787.html)
 * [GitHub](https://github.com/airlock/microgateway)
 
@@ -47,36 +47,36 @@ The instructions below provide a quick start guide. Detailed information are pro
    > **Note**: Certain environments such as OpenShift or GKE require non-default configurations when installing the CNI plugin. For the most common setups, values files are provided in the [chart folder](/deploy/charts/airlock-microgateway-cni).
    ```bash
    # Standard setup
-   helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1'
+   helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2'
    kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
    ```
    ```bash
    # GKE setup
-   helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1' -f https://raw.githubusercontent.com/airlock/microgateway/4.4.1/deploy/charts/airlock-microgateway-cni/gke-values.yaml
+   helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2' -f https://raw.githubusercontent.com/airlock/microgateway/4.4.2/deploy/charts/airlock-microgateway-cni/gke-values.yaml
    kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
    ```
    ```bash
    # OpenShift setup
-   helm install airlock-microgateway-cni -n openshift-operators oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1' -f https://raw.githubusercontent.com/airlock/microgateway/4.4.1/deploy/charts/airlock-microgateway-cni/openshift-values.yaml
+   helm install airlock-microgateway-cni -n openshift-operators oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2' -f https://raw.githubusercontent.com/airlock/microgateway/4.4.2/deploy/charts/airlock-microgateway-cni/openshift-values.yaml
    kubectl -n openshift-operators rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
    ```
    > **Important:** On OpenShift, all pods which should be protected by Airlock Microgateway must explicitly reference the Airlock Microgateway CNI NetworkAttachmentDefinition via the annotation `k8s.v1.cni.cncf.io/networks` (see [documentation](https://docs.airlock.com/microgateway/latest/#data/1658483168033.html) for details).
 
 2. (Recommended) You can verify the correctness of the installation with `helm test`.
    ```bash
    # Standard and GKE setup
-   helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1'
+   helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2'
    helm test airlock-microgateway-cni -n kube-system --logs
-   helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1'
+   helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2'
    ```
    ```bash
    # OpenShift setup
-   helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1'
+   helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2'
    helm test airlock-microgateway-cni -n openshift-operators --logs
-   helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1'
+   helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2'
    ```
 
-   Consult our [documentation](https://docs.airlock.com/microgateway/latest/#data/1699611533587.html) in case of any installation error.
+   Consult our [documentation](https://docs.airlock.com/microgateway/latest/?topic=MGW-00000139) in case of any installation error.
 
 ## Support
 
@@ -97,11 +97,12 @@ For the community edition, check our **[Airlock community forum](https://forum.a
 | config.excludeNamespaces | list | `["kube-system"]` | Namespaces for which this CNI plugin should not apply any modifications. |
 | config.installMode | string | `"chained"` | Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers), as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. |
 | config.logLevel | string | `"info"` | Log level for the CNI installer and plugin. |
+| config.repairMode | string | `"none"` | Specifies the repair mode There is a race condition regarding the installation of the CNI Plugin and creation of Pods when starting a Node. This would cause Pods to be unprotected, because the CNI did not reconfigure the Pod's network. The Airlock Microgateway Network Validator prevents this and causes the Pod to fail on purpose. Pods can be repaired by choosing the appropriate repair mode. Available options are: `deletePods` will delete failing Pods, such that the CNI Plugin can correctly configure them `none` will not perform any action for failing Pods |
 | fullnameOverride | string | `""` | Allows overriding the name to use as full name of resources. |
-| image.digest | string | `"sha256:fa2f5d8587024f0d0b29505204c964002cfd7facf79748ccc98b8caf1a70f0d8"` | SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). Overrides tag when specified. |
+| image.digest | string | `"sha256:160407ca4790555afc8ea706f51bc0729c1a79862c295ad9df68999692b932a5"` | SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). Overrides tag when specified. |
 | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. |
 | image.repository | string | `"quay.io/airlock/microgateway-cni"` | Image repository from which to pull the Airlock Microgateway CNI image. |
-| image.tag | string | `"4.4.1"` | Image tag to pull. |
+| image.tag | string | `"4.4.2"` | Image tag to pull. |
 | imagePullSecrets | list | `[]` | ImagePullSecrets to use when pulling images. |
 | multusNetworkAttachmentDefinition.create | bool | `false` | Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods. |
 | multusNetworkAttachmentDefinition.namespace | string | `"default"` | Namespace in which the NetworkAttachmentDefinition is deployed. Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation |

deploy/charts/airlock-microgateway-cni/templates/clusterrole.yaml

@@ -19,4 +19,7 @@ rules:
       - list
       - watch
       - patch
+    {{- if eq .Values.config.repairMode "deletePods" }}
+      - delete
+    {{- end }}
 {{- end -}}

deploy/charts/airlock-microgateway-cni/templates/daemonset.yaml

@@ -49,6 +49,8 @@ spec:
               value: "{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig"
             - name: INSTALL_MODE
               value: {{ .Values.config.installMode }}
+            - name: REPAIR_MODE
+              value: {{ .Values.config.repairMode }}
             - name: KUBERNETES_NODE_NAME
               valueFrom:
                 fieldRef:

deploy/charts/airlock-microgateway-cni/tests/daemonset_test.yaml

@@ -317,6 +317,8 @@ tests:
               value: RELEASE-NAME-microgateway-cni-kubeconfig
             - name: INSTALL_MODE
               value: chained
+            - name: REPAIR_MODE
+              value: none
             - name: KUBERNETES_NODE_NAME
               valueFrom:
                 fieldRef:
@@ -327,6 +329,7 @@ tests:
       name: cni-release
     set:
       config.installMode: manual
+      config.repairMode: deletePods
     templates:
       - daemonset.yaml
     asserts:
@@ -346,6 +349,8 @@ tests:
               value: cni-release-microgateway-cni-kubeconfig
             - name: INSTALL_MODE
               value: manual
+            - name: REPAIR_MODE
+              value: deletePods
             - name: KUBERNETES_NODE_NAME
               valueFrom:
                 fieldRef:

deploy/charts/airlock-microgateway-cni/values.schema.json

@@ -114,6 +114,13 @@
             "manual"
           ]
         },
+        "repairMode": {
+          "type": "string",
+          "enum": [
+            "deletePods",
+            "none"
+          ]
+        },
         "logLevel": {
           "type": "string",
           "enum": [
@@ -143,6 +150,7 @@
         "cniNetDir",
         "excludeNamespaces",
         "installMode",
+        "repairMode",
         "logLevel"
       ],
       "additionalProperties": false

deploy/charts/airlock-microgateway-cni/values.yaml

@@ -15,10 +15,10 @@ image:
   # -- Image repository from which to pull the Airlock Microgateway CNI image.
   repository: "quay.io/airlock/microgateway-cni"
   # -- Image tag to pull.
-  tag: "4.4.1"
+  tag: "4.4.2"
   # -- SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a").
   # Overrides tag when specified.
-  digest: "sha256:fa2f5d8587024f0d0b29505204c964002cfd7facf79748ccc98b8caf1a70f0d8"
+  digest: "sha256:160407ca4790555afc8ea706f51bc0729c1a79862c295ad9df68999692b932a5"
   # -- Pull policy for this image.
   pullPolicy: IfNotPresent
 # -- Annotations to add to all Pods.
@@ -66,6 +66,15 @@ config:
   # as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift)
   # or in `manual` mode, where no CNI network configuration is written.
   installMode: "chained"
+  # -- Specifies the repair mode
+  # There is a race condition regarding the installation of the CNI Plugin and creation of Pods when starting a Node.
+  # This would cause Pods to be unprotected, because the CNI did not reconfigure the Pod's network.
+  # The Airlock Microgateway Network Validator prevents this and causes the Pod to fail on purpose.
+  # Pods can be repaired by choosing the appropriate repair mode.
+  # Available options are:
+  # `deletePods` will delete failing Pods, such that the CNI Plugin can correctly configure them
+  # `none` will not perform any action for failing Pods
+  repairMode: "none"
   # -- Log level for the CNI installer and plugin.
   logLevel: info
   # -- Directory where the CNI config files reside on the host.

deploy/charts/airlock-microgateway/Chart.yaml

@@ -3,8 +3,8 @@ name: microgateway
 description: A Helm chart for deploying the Airlock Microgateway
 type: application
 home: https://www.airlock.com/en/microgateway
-version: "4.4.1"
-appVersion: "4.4.1"
+version: "4.4.2"
+appVersion: "4.4.2"
 annotations:
   charts.openshift.io/name: Airlock Microgateway
   artifacthub.io/category: security