Skip to content

Commit

Permalink
Added chart versions:
Browse files Browse the repository at this point in the history
  airlock/microgateway:
    - 4.3.4
  airlock/microgateway-cni:
    - 4.3.4
  codefresh/cf-runtime:
    - 6.4.6
  loft/loft:
    - 4.0.0
  • Loading branch information
github-actions[bot] committed Oct 18, 2024
1 parent f834e44 commit 7b6abcd
Show file tree
Hide file tree
Showing 178 changed files with 20,877 additions and 1 deletion.
Binary file added assets/airlock/microgateway-4.3.4.tgz
Binary file not shown.
Binary file added assets/airlock/microgateway-cni-4.3.4.tgz
Binary file not shown.
Binary file added assets/codefresh/cf-runtime-6.4.6.tgz
Binary file not shown.
Binary file added assets/loft/loft-4.0.0.tgz
Binary file not shown.
27 changes: 27 additions & 0 deletions charts/airlock/microgateway-cni/4.3.4/.helmignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

# Helm unit tests
/tests
/validation
43 changes: 43 additions & 0 deletions charts/airlock/microgateway-cni/4.3.4/Chart.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
annotations:
artifacthub.io/category: security
artifacthub.io/license: MIT
artifacthub.io/links: |
- name: Airlock Microgateway Documentation
url: https://docs.airlock.com/microgateway/4.3/
- name: Airlock Microgateway Labs
url: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=artifacthub.io
- name: Airlock Microgateway Forum
url: https://forum.airlock.com/
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Airlock Microgateway CNI
catalog.cattle.io/kube-version: '>=1.25.0-0'
catalog.cattle.io/release-name: microgateway-cni
charts.openshift.io/name: Airlock Microgateway CNI
apiVersion: v2
appVersion: 4.3.4
description: A Helm chart for deploying the Airlock Microgateway CNI plugin
home: https://www.airlock.com/en/microgateway
icon: file://assets/icons/microgateway-cni.svg
keywords:
- WAF
- Web Application Firewall
- WAAP
- Web Application and API protection
- OWASP
- Airlock
- Microgateway
- Security
- Filtering
- DevSecOps
- shift left
- CNI
kubeVersion: '>=1.25.0-0'
maintainers:
- email: support@airlock.com
name: Airlock
url: https://www.airlock.com/
name: microgateway-cni
sources:
- https://github.com/airlock/microgateway
type: application
version: 4.3.4
137 changes: 137 additions & 0 deletions charts/airlock/microgateway-cni/4.3.4/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,137 @@
# Airlock Microgateway CNI

![Version: 4.3.4](https://img.shields.io/badge/Version-4.3.4-informational?style=flat-square) ![AppVersion: 4.3.4](https://img.shields.io/badge/AppVersion-4.3.4-informational?style=flat-square)

*Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.*

<picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight_Negative.svg">
<source media="(prefers-color-scheme: light)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight.svg">
<img alt="Microgateway" src="https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight.svg" align="right" width="250">
</picture>

Modern application security is embedded in the development workflow and follows DevSecOps paradigms. Airlock Microgateway is the perfect fit for these requirements. It is a lightweight alternative to the Airlock Gateway appliance, optimized for Kubernetes environments. Airlock Microgateway protects your applications and microservices with the tried-and-tested Airlock security features against attacks, while also providing a high degree of scalability.
__This Helm chart is part of Airlock Microgateway. See our [GitHub repo](https://github.com/airlock/microgateway/tree/4.3.4).__

### Features
* Kubernetes native integration with its Operator, Custom Resource Definitions, hot-reload, automatic sidecar injection.
* Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction
* Using native Envoy HTTP filters like Lua scripting, RBAC, ext_authz, JWT authentication
* Content security filters for protecting against known attacks (OWASP Top 10)
* Access control using OpenID Connect to allow only authenticated users to access the protected services
* API security features like JSON parsing, OpenAPI specification enforcement or GraphQL schema validation

For a list of all features, view the **[comparison of the community and premium edition](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html)**.

## Documentation and links

Check the official documentation at **[docs.airlock.com](https://docs.airlock.com/microgateway/latest/)** or the product website at **[airlock.com/microgateway](https://www.airlock.com/en/microgateway)**. The links below point out the most interesting documentation sites when starting with Airlock Microgateway.

* [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html)
* [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html)
* [Installation](https://docs.airlock.com/microgateway/latest/#data/1660804708637.html)
* [Troubleshooting](https://docs.airlock.com/microgateway/latest/#data/1659430054787.html)
* [GitHub](https://github.com/airlock/microgateway)

# Quick start guide

The instructions below provide a quick start guide. Detailed information are provided in the **[manual](https://docs.airlock.com/microgateway/latest/)**.

## Prerequisites
* [helm](https://helm.sh/docs/intro/install/) (>= v3.8.0)

## Deploy Airlock Microgateway CNI
1. Install the CNI Plugin with Helm.
> **Note**: Certain environments such as OpenShift or GKE require non-default configurations when installing the CNI plugin. For the most common setups, values files are provided in the [chart folder](/deploy/charts/airlock-microgateway-cni).
```bash
# Standard setup
helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.3.4'
kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
```
```bash
# GKE setup
helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.3.4' -f https://raw.githubusercontent.com/airlock/microgateway/4.3.4/deploy/charts/airlock-microgateway-cni/gke-values.yaml
kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
```
```bash
# OpenShift setup
helm install airlock-microgateway-cni -n openshift-operators oci://quay.io/airlockcharts/microgateway-cni --version '4.3.4' -f https://raw.githubusercontent.com/airlock/microgateway/4.3.4/deploy/charts/airlock-microgateway-cni/openshift-values.yaml
kubectl -n openshift-operators rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
```
**Important:** On OpenShift, all pods which should be protected by Airlock Microgateway must explicitly reference the Airlock Microgateway CNI NetworkAttachmentDefinition via the annotation `k8s.v1.cni.cncf.io/networks` (see [documentation](https://docs.airlock.com/microgateway/latest/#data/1658483168033.html) for details).

2. (Recommended) You can verify the correctness of the installation with `helm test`.
```bash
# Standard and GKE setup
helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.4'
helm test airlock-microgateway-cni -n kube-system --logs
helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.4'
```
```bash
# OpenShift setup
helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.4'
helm test airlock-microgateway-cni -n openshift-operators --logs
helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.4'
```

Consult our [documentation](https://docs.airlock.com/microgateway/latest/#data/1699611533587.html) in case of any installation error.

## Support

### Premium support
If you have a paid license, please follow the [premium support process](https://techzone.ergon.ch/support-process).

### Community support
For the community edition, check our **[Airlock community forum](https://forum.airlock.com/)** for FAQs or register to post your question.
## Values

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes. |
| commonAnnotations | object | `{}` | Annotations to add to all resources. |
| commonLabels | object | `{}` | Labels to add to all resources. |
| config.cniBinDir | string | `"/opt/cni/bin"` | Directory where the CNI plugin binaries reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your Kubernetes node. |
| config.cniNetDir | string | `"/etc/cni/net.d"` | Directory where the CNI config files reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your Kubernetes node. |
| config.excludeNamespaces | list | `["kube-system"]` | Namespaces for which this CNI plugin should not apply any modifications. |
| config.installMode | string | `"chained"` | Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers), as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. |
| config.logLevel | string | `"info"` | Log level for the CNI installer and plugin. |
| fullnameOverride | string | `""` | Allows overriding the name to use as full name of resources. |
| image.digest | string | `"sha256:1e01310b3ad8566e9b39ee539ed5c959049aadda1a18c1a534e96d8865e20172"` | SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). Overrides tag when specified. |
| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. |
| image.repository | string | `"quay.io/airlock/microgateway-cni"` | Image repository from which to pull the Airlock Microgateway CNI image. |
| image.tag | string | `"4.3.4"` | Image tag to pull. |
| imagePullSecrets | list | `[]` | ImagePullSecrets to use when pulling images. |
| multusNetworkAttachmentDefinition.create | bool | `false` | Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods. |
| multusNetworkAttachmentDefinition.namespace | string | `"default"` | Namespace in which the NetworkAttachmentDefinition is deployed. Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation |
| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway-cni". |
| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes. |
| podAnnotations | object | `{}` | Annotations to add to all Pods. |
| podLabels | object | `{}` | Labels to add to all Pods. |
| privileged | bool | `false` | Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift). |
| rbac.create | bool | `true` | Whether to create RBAC resources which are required for the CNI plugin to function. |
| rbac.createSCCRole | OpenShift | `false` | Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint. |
| resources | object | `{"requests":{"cpu":"10m","memory":"100Mi"}}` | Resource restrictions to apply to the CNI installer container. |
| serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. |
| serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. |
| serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. |
| tests.enabled | bool | `false` | Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). If set to false, `helm test` will not run any tests. |

## License
View the [detailed license terms](https://www.airlock.com/en/airlock-license) for the software contained in this image.
* Decompiling or reverse engineering is not permitted.
* Using any of the deny rules or parts of these filter patterns outside of the image is not permitted.

Airlock<sup>&#174;</sup> is a security innovation by [ergon](https://www.ergon.ch/en)

<!-- Airlock SAH Logo (different image for light/dark mode) -->
<a href="https://www.airlock.com/en/secure-access-hub/">
<picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo_Negative.png">
<source media="(prefers-color-scheme: light)"
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo.png">
<img alt="Airlock Secure Access Hub" src="https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo.png" width="150">
</picture>
</a>
4 changes: 4 additions & 0 deletions charts/airlock/microgateway-cni/4.3.4/gke-values.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
# values for deploying on GKE

config:
cniBinDir: "/home/kubernetes/bin"
15 changes: 15 additions & 0 deletions charts/airlock/microgateway-cni/4.3.4/openshift-values.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
# values for deploying on OpenShift

rbac:
createSCCRole: true

privileged: true

multusNetworkAttachmentDefinition:
create: true
namespace: default

config:
installMode: "standalone"
cniNetDir: "/etc/cni/multus/net.d"
cniBinDir: "/var/lib/cni/bin"
18 changes: 18 additions & 0 deletions charts/airlock/microgateway-cni/4.3.4/questions.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
questions:
- variable: config.cniNetDir
required: true
type: string
label: CNI Network Configuration Directory
group: "CNI Settings"
description: "Directory where the CNI config files reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your kubernetes host."
- variable: config.cniBinDir
required: true
type: string
label: CNI Plugin Binaries Directory
group: "CNI Settings"
description: "Directory where the CNI plugin binaries reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your kubernetes host."
- variable: config.installMode
required: true
label: CNI Plugin Installation Mode
group: "CNI Settings"
description: "Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers) as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. Please refer to the CNI installation documentation (https://github.com/airlock/microgateway?tab=readme-ov-file#deploy-airlock-microgateway-cni) to correctly setup the CNI Plugin for your environment."
15 changes: 15 additions & 0 deletions charts/airlock/microgateway-cni/4.3.4/templates/NOTES.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
Thank you for installing Airlock Microgateway CNI.

Please ensure that the helm values'.config.cniNetDir' and '.config.cniBinDir' are configured for your Kubernetes distribution.
For further information, consider our manual https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" . }}.
The chapter 'Setup > Installation' describes how to set those settings correctly.

Further information:
* Documentation: https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" . }}
* Airlock Microgateway Labs: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=helm

Next steps:
* Install Airlock Microgateway (if not done already)
https://artifacthub.io/packages/helm/airlock-microgateway/microgateway

Your release version is {{ .Chart.Version }}.
101 changes: 101 additions & 0 deletions charts/airlock/microgateway-cni/4.3.4/templates/_helpers.tpl
Original file line number Diff line number Diff line change
@@ -0,0 +1,101 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "airlock-microgateway-cni.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Convert an image configuration object into an image ref string.
*/}}
{{- define "airlock-microgateway-cni.image" -}}
{{- if .digest -}}
{{- printf "%s@%s" .repository .digest -}}
{{- else if .tag -}}
{{- printf "%s:%s" .repository .tag -}}
{{- else -}}
{{- printf "%s" .repository -}}
{{- end -}}
{{- end }}

{{/*
Create a default fully qualified app name.
We truncate at 50 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec)
and the longest suffix is 13 characters.
If release name contains chart name it will be used as a full name.
*/}}
{{- define "airlock-microgateway-cni.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 50 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 50 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 50 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}

{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "airlock-microgateway-cni.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Common labels
*/}}
{{- define "airlock-microgateway-cni.labels" -}}
helm.sh/chart: {{ include "airlock-microgateway-cni.chart" . }}
{{ include "airlock-microgateway-cni.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.commonLabels }}
{{ toYaml .}}
{{- end }}
{{- end }}

{{/*
Common labels without component
*/}}
{{- define "airlock-microgateway-cni.labelsWithoutComponent" -}}
{{- $labels := fromYaml (include "airlock-microgateway-cni.labels" .) -}}
{{ unset $labels "app.kubernetes.io/component" | toYaml }}
{{- end }}

{{/*
Selector labels
*/}}
{{- define "airlock-microgateway-cni.selectorLabels" -}}
app.kubernetes.io/component: cni-plugin-installer
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/name: {{ include "airlock-microgateway-cni.name" . }}
{{- end }}

{{/*
Create the name of the service account to use for the CNI Plugin
*/}}
{{- define "airlock-microgateway-cni.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "airlock-microgateway-cni.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}

{{- define "airlock-microgateway-cni.isSemver" -}}
{{- regexMatch `^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$` . -}}
{{- end -}}

{{- define "airlock-microgateway-cni.docsVersion" -}}
{{- if and (eq "true" (include "airlock-microgateway-cni.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}}
{{- $version := (semver .Chart.AppVersion) -}}
{{- $version.Major }}.{{ $version.Minor -}}
{{- else -}}
{{- print "latest" -}}
{{- end -}}
{{- end -}}
22 changes: 22 additions & 0 deletions charts/airlock/microgateway-cni/4.3.4/templates/clusterrole.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "airlock-microgateway-cni.fullname" . }}
labels:
{{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- patch
{{- end -}}
Loading

0 comments on commit 7b6abcd

Please sign in to comment.