diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..afa5625 --- /dev/null +++ b/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2022 airlock + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..5d1c3e1 --- /dev/null +++ b/README.md 
@@ -0,0 +1,75 @@ +# Airlock Microgateway + +Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices. + +## Documentation + +Check the official documentation at **[docs.airlock.com](https://docs.airlock.com/microgateway/latest/)** or follow one of these links: +* [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html) +* [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html) +* [Installation](https://docs.airlock.com/microgateway/latest/#data/1660804708637.html) + +## What is Airlock Microgateway? + +Modern application security is embedded in the development workflow and follows DevSecOps paradigms. The Airlock Microgateway is the perfect fit for these requirements. It is a lightweight alternative to the Airlock Gateway appliance and can be used in Kubernetes environments. Airlock Microgateway enables you to protect your applications and microservices with the tried-and-tested Airlock security features against attacks, while also providing a high degree of scalability. + +More information: **[airlock.com/microgateway](https://www.airlock.com/en/microgateway)** + +### Features +* Kubernetes native integration with its Operator, Custom Resource Definitions, hot-reload, automatic sidecar injection. +* Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction +* Using native Envoy HTTP filters like Lua scripting, RBAC, ext_authz, JWT authentication +* Content security filters for protecting against known attacks (OWASP Top 10) +* Access control to allow only authenticated users to access the protected services +* API security features like JSON parsing or OpenAPI specification enforcement + +For a list of all features, view the **[comparison of the community and premium edition](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html)**. 
+ +# Quick start guide + +The instructions below provide a quick start guide. Detailed information are provided in the **[manual](https://docs.airlock.com/microgateway/latest/)**. + +## Prerequisites + +For an easy start in non-production environments, you may deploy the same cert-manager we are using internally for testing. + +### Deploy the cert-manager +``` +kubectl apply -k https://github.com/airlock/microgateway/examples/utilities/cert-manager/ +``` + +Wait for the cert-manager to be up and running +``` +kubectl -n cert-manager wait --for=condition=ready --timeout=600s pod -l app.kubernetes.io/instance=cert-manager +``` + +## Deploy Airlock Microgateway +Install the Custom Resource Definitions, the CRD RBAC manifests and the deployment of the Airlock Microgateway Operator. +``` +kubectl apply -k https://github.com/airlock/microgateway/deploy/crds/ +kubectl apply -k https://github.com/airlock/microgateway/deploy/crd-rbac/ +kubectl apply -k https://github.com/airlock/microgateway/deploy/deployment/ +``` + +Wait for the airlock-microgateway-operator deployment to be ready +``` +kubectl -n airlock-microgateway-system wait --for=condition=Available deployments.app/airlock-microgateway-operator-controller-manager --timeout=2m +``` + +> The minimum supported Kustomize version is [v4.5.3](https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv4.5.3). + + +## How to get help + +### Community edition +For the community edition, check our **[Airlock community forum](https://forum.airlock.com/)** for FAQs or register to post your question. + +### Premium edition +If you have a paid license, please follow the [premium support process](https://techzone.ergon.ch/support-process). + +## License +View the [detailed license terms](https://www.airlock.com/en/airlock-license) for the software contained in this image. +* Decompiling or reverse engineering is not permitted. 
+* Using any of the deny rules or parts of these filter patterns outside of the image is not permitted. + +data:image/s3,"s3://crabby-images/4f923/4f92328032a04488a56e66d5cb136615b3d7eade" alt="Airlock Logo" \ No newline at end of file diff --git a/deploy/README.md b/deploy/README.md new file mode 100644 index 0000000..298e904 --- /dev/null +++ b/deploy/README.md @@ -0,0 +1,6 @@ +# Description +The following folder contain the Kubernetes manifest files needed to deploy the Airlock Microgateway. +* `crd-rbac`: Contains the Kubernetes ClusterRoles +* `crds`: Contains the Airlock Microgateway CustomResourceDefinitions +* `deployment`: Contains the Kubernetes manifest files to deploy and run the Airlock Microgateway Operator +* `operator-installation`: Contains a kustomization file to easily deploy all the previously mentioned resources files at once \ No newline at end of file diff --git a/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-contentsecurity-editor.yaml b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-contentsecurity-editor.yaml new file mode 100644 index 0000000..ae80d38 --- /dev/null +++ b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-contentsecurity-editor.yaml @@ -0,0 +1,21 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: airlock-microgateway-operator-contentsecurity-editor +rules: + - apiGroups: + - microgateway.airlock.com + resources: + - contentsecurities + verbs: + - create + - delete + - get + - list + - patch + - update + - watch diff --git a/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-contentsecurity-viewer.yaml b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-contentsecurity-viewer.yaml new file mode 100644 index 0000000..56aaa01 --- /dev/null 
+++ b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-contentsecurity-viewer.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: airlock-microgateway-operator-contentsecurity-viewer +rules: + - apiGroups: + - microgateway.airlock.com + resources: + - contentsecurities + verbs: + - get + - list + - watch diff --git a/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-denyrules-editor.yaml b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-denyrules-editor.yaml new file mode 100644 index 0000000..db96503 --- /dev/null +++ b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-denyrules-editor.yaml @@ -0,0 +1,21 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: airlock-microgateway-operator-denyrules-editor +rules: + - apiGroups: + - microgateway.airlock.com + resources: + - denyrules + verbs: + - create + - delete + - get + - list + - patch + - update + - watch diff --git a/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-denyrules-viewer.yaml b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-denyrules-viewer.yaml new file mode 100644 index 0000000..2ae2df7 --- /dev/null +++ b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-denyrules-viewer.yaml 
@@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: airlock-microgateway-operator-denyrules-viewer +rules: + - apiGroups: + - microgateway.airlock.com + resources: + - denyrules + verbs: + - get + - list + - watch diff --git a/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-envoycluster-editor.yaml b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-envoycluster-editor.yaml new file mode 100644 index 0000000..33113b8 --- /dev/null +++ b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-envoycluster-editor.yaml @@ -0,0 +1,27 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: airlock-microgateway-operator-envoycluster-editor +rules: + - apiGroups: + - microgateway.airlock.com + resources: + - envoyclusters + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - microgateway.airlock.com + resources: + - envoyclusters/status + verbs: + - get diff --git a/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-envoycluster-viewer.yaml b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-envoycluster-viewer.yaml new file mode 100644 index 0000000..50930f3 --- /dev/null +++ b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-envoycluster-viewer.yaml 
@@ -0,0 +1,23 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: airlock-microgateway-operator-envoycluster-viewer +rules: + - apiGroups: + - microgateway.airlock.com + resources: + - envoyclusters + verbs: + - get + - list + - watch + - apiGroups: + - microgateway.airlock.com + resources: + - envoyclusters/status + verbs: + - get diff --git a/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-envoyconfiguration-viewer.yaml b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-envoyconfiguration-viewer.yaml new file mode 100644 index 0000000..4a5ff71 --- /dev/null +++ b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-envoyconfiguration-viewer.yaml @@ -0,0 +1,23 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: airlock-microgateway-operator-envoyconfiguration-viewer +rules: + - apiGroups: + - microgateway.airlock.com + resources: + - envoyconfigurations + verbs: + - get + - list + - watch + - apiGroups: + - microgateway.airlock.com + resources: + - envoyconfigurations/status + verbs: + - get diff --git a/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-envoyhttpfilter-editor.yaml b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-envoyhttpfilter-editor.yaml new file mode 100644 index 0000000..d59865c --- /dev/null +++ b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-envoyhttpfilter-editor.yaml 
@@ -0,0 +1,27 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: airlock-microgateway-operator-envoyhttpfilter-editor +rules: + - apiGroups: + - microgateway.airlock.com + resources: + - envoyhttpfilters + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - microgateway.airlock.com + resources: + - envoyhttpfilters/status + verbs: + - get diff --git a/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-envoyhttpfilter-viewer.yaml b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-envoyhttpfilter-viewer.yaml new file mode 100644 index 0000000..e2ca26f --- /dev/null +++ b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-envoyhttpfilter-viewer.yaml @@ -0,0 +1,23 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: airlock-microgateway-operator-envoyhttpfilter-viewer +rules: + - apiGroups: + - microgateway.airlock.com + resources: + - envoyhttpfilters + verbs: + - get + - list + - watch + - apiGroups: + - microgateway.airlock.com + resources: + - envoyhttpfilters/status + verbs: + - get diff --git a/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-headerrewrites-editor.yaml b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-headerrewrites-editor.yaml new file mode 100644 index 0000000..b0a62b8 --- /dev/null +++ b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-headerrewrites-editor.yaml 
@@ -0,0 +1,21 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: airlock-microgateway-operator-headerrewrites-editor +rules: + - apiGroups: + - microgateway.airlock.com + resources: + - headerrewrites + verbs: + - create + - delete + - get + - list + - patch + - update + - watch diff --git a/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-headerrewrites-viewer.yaml b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-headerrewrites-viewer.yaml new file mode 100644 index 0000000..df65658 --- /dev/null +++ b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-headerrewrites-viewer.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: airlock-microgateway-operator-headerrewrites-viewer +rules: + - apiGroups: + - microgateway.airlock.com + resources: + - headerrewrites + verbs: + - get + - list + - watch diff --git a/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-limits-editor.yaml b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-limits-editor.yaml new file mode 100644 index 0000000..87a1445 --- /dev/null +++ b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-limits-editor.yaml @@ -0,0 +1,21 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: airlock-microgateway-operator-limits-editor +rules: + - apiGroups: + - microgateway.airlock.com + resources: + - limits + verbs: + - create + - delete + - get + - list + - patch + - update + - watch 
diff --git a/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-limits-viewer.yaml b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-limits-viewer.yaml new file mode 100644 index 0000000..1fcd3e3 --- /dev/null +++ b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-limits-viewer.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: airlock-microgateway-operator-limits-viewer +rules: + - apiGroups: + - microgateway.airlock.com + resources: + - limits + verbs: + - get + - list + - watch diff --git a/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-parser-editor.yaml b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-parser-editor.yaml new file mode 100644 index 0000000..24927ec --- /dev/null +++ b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-parser-editor.yaml @@ -0,0 +1,21 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: airlock-microgateway-operator-parser-editor +rules: + - apiGroups: + - microgateway.airlock.com + resources: + - parsers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch diff --git a/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-parser-viewer.yaml b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-parser-viewer.yaml new file mode 100644 index 0000000..0be7368 --- /dev/null +++ b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-parser-viewer.yaml 
@@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: airlock-microgateway-operator-parser-viewer +rules: + - apiGroups: + - microgateway.airlock.com + resources: + - parsers + verbs: + - get + - list + - watch diff --git a/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-sidecargateway-editor.yaml b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-sidecargateway-editor.yaml new file mode 100644 index 0000000..1ed7665 --- /dev/null +++ b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-sidecargateway-editor.yaml @@ -0,0 +1,27 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: airlock-microgateway-operator-sidecargateway-editor +rules: + - apiGroups: + - microgateway.airlock.com + resources: + - sidecargateways + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - microgateway.airlock.com + resources: + - sidecargateways/status + verbs: + - get diff --git a/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-sidecargateway-viewer.yaml b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-sidecargateway-viewer.yaml new file mode 100644 index 0000000..6a2232d --- /dev/null +++ b/deploy/crd-rbac/ClusterRole_airlock-microgateway-operator-sidecargateway-viewer.yaml 
@@ -0,0 +1,23 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: airlock-microgateway-operator-sidecargateway-viewer +rules: + - apiGroups: + - microgateway.airlock.com + resources: + - sidecargateways + verbs: + - get + - list + - watch + - apiGroups: + - microgateway.airlock.com + resources: + - sidecargateways/status + verbs: + - get diff --git a/deploy/crd-rbac/kustomization.yaml b/deploy/crd-rbac/kustomization.yaml new file mode 100644 index 0000000..d648011 --- /dev/null +++ b/deploy/crd-rbac/kustomization.yaml 
@@ -0,0 +1,20 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ClusterRole_airlock-microgateway-operator-contentsecurity-editor.yaml + - ClusterRole_airlock-microgateway-operator-contentsecurity-viewer.yaml + - ClusterRole_airlock-microgateway-operator-denyrules-editor.yaml + - ClusterRole_airlock-microgateway-operator-denyrules-viewer.yaml + - ClusterRole_airlock-microgateway-operator-envoycluster-editor.yaml + - ClusterRole_airlock-microgateway-operator-envoycluster-viewer.yaml + - ClusterRole_airlock-microgateway-operator-envoyconfiguration-viewer.yaml + - ClusterRole_airlock-microgateway-operator-envoyhttpfilter-editor.yaml + - ClusterRole_airlock-microgateway-operator-envoyhttpfilter-viewer.yaml + - ClusterRole_airlock-microgateway-operator-headerrewrites-editor.yaml + - ClusterRole_airlock-microgateway-operator-headerrewrites-viewer.yaml + - ClusterRole_airlock-microgateway-operator-limits-editor.yaml + - ClusterRole_airlock-microgateway-operator-limits-viewer.yaml + - ClusterRole_airlock-microgateway-operator-parser-editor.yaml + - ClusterRole_airlock-microgateway-operator-parser-viewer.yaml + - ClusterRole_airlock-microgateway-operator-sidecargateway-editor.yaml + - ClusterRole_airlock-microgateway-operator-sidecargateway-viewer.yaml diff --git a/deploy/crds/CustomResourceDefinition_contentsecurity.yaml b/deploy/crds/CustomResourceDefinition_contentsecurity.yaml new file mode 100644 index 0000000..237b0fa --- /dev/null +++ b/deploy/crds/CustomResourceDefinition_contentsecurity.yaml 
@@ -0,0 +1,91 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + creationTimestamp: null + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: contentsecurities.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: ContentSecurity + listKind: ContentSecurityList + plural: contentsecurities + singular: contentsecurity + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ContentSecurity is the Schema for the contentsecurities API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Specification of the desired content security behavior. + properties: + filter: + description: Filter defines various filters which will be applied to downstream requests. + properties: + denyRulesRef: + description: DenyRulesRef selects the applied DenyRules configuration resource. 
+ properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + type: object + headerRewritesRef: + description: HeaderRewritesRef selects the applied HeaderRewrites configuration resource. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + limitsRef: + description: LimitsRef selects the applied limits configuration resource. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + parserRef: + description: ParserRef selects the applied Parser configuration resource. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/deploy/crds/CustomResourceDefinition_denyrules.yaml b/deploy/crds/CustomResourceDefinition_denyrules.yaml new file mode 100644 index 0000000..9af936c --- /dev/null +++ b/deploy/crds/CustomResourceDefinition_denyrules.yaml 
@@ -0,0 +1,1072 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + creationTimestamp: null + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: denyrules.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: DenyRules + listKind: DenyRulesList + plural: denyrules + singular: denyrules + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: DenyRules is the Schema for the denyrules API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Specification of the desired deny rules behavior. + properties: + request: + description: Request configures deny rules for downstream requests. + properties: + builtIn: + description: BuiltIn configures the built-in deny rules. + properties: + exceptions: + description: Exceptions allows to define exceptions for specific requests and deny rules. + items: + description: 'DenyRulesException defines an exception for deny rules. 
Exceptions may be defined by any or a combination of the following elements: blockedData (the request data causing a block) or requestConditions (properties of a request without taking into consideration the reason why a request has been blocked). At least one of blockedData and requestConditions must be set.' + properties: + blockedData: + description: BlockedData defines an exception based on the request data causing the block. This can either be a parameter, header, path or JSON property. + properties: + header: + description: Header defines an exception based on a blocked header. Only one of parameter, header, path or json can be set. + properties: + name: + description: Name defines the name of a header. + properties: + matcher: + description: NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. 
Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a header. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + json: + description: JSON defines an exception based on a blocked JSON property. Only one of parameter, header, path or json can be set. 
+ properties: + jsonPath: + description: JSONPath defines the JSONPath pattern to match the path within the JSON. + minLength: 1 + type: string + key: + description: Key defines the key of the JSON property. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of the JSON property. + properties: + matcher: + description: StringMatcher defines the way to match a string. 
+ properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + parameter: + description: Parameter defines an exception based on a blocked parameter. Only one of parameter, header, path or json can be set. + properties: + name: + description: Name defines the name of a parameter. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. 
Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + source: + default: any + description: Source defines the source of the parameter. Defaults to any. + enum: + - query + - post + - any + type: string + value: + description: Value defines the value of a parameter. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. 
+ minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + path: + description: Path defines an exception based on the blocked path. Only one of parameter, header, path or json can be set. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. 
+ type: boolean + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + requestConditions: + description: RequestConditions defines an exception based on a property of a request without taking into consideration the reason why a request has been blocked. + properties: + header: + description: Header defines the matching headers of a request. + properties: + name: + description: Name defines the name of a header. + properties: + matcher: + description: NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. 
Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a header. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. 
+ minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + invert: + default: false + description: Invert indicates whether the request condition should be inverted. + type: boolean + mediaType: + description: MediaType defines the matching media type from the content-type header of a request. + properties: + matcher: + description: NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. 
+ minLength: 1 + type: string + type: object + required: + - matcher + type: object + method: + description: Method defines the matching methods of a request. + items: + description: Method defines common HTTP methods. + enum: + - GET + - HEAD + - POST + - PUT + - PATCH + - DELETE + - CONNECT + - OPTIONS + - TRACE + type: string + type: array + path: + description: Path defines the matching path of a request. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. 
+ minLength: 1 + type: string + type: object + required: + - matcher + type: object + remoteIP: + description: RemoteIP defines the matching remote IPs of a request. + properties: + cidrRanges: + description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. + items: + description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. + format: cidr + type: string + minItems: 1 + type: array + invert: + default: false + description: Invert indicates whether the match should be inverted. + type: boolean + required: + - cidrRanges + type: object + type: object + ruleKeys: + description: RuleKeys restricts the exception to a set of deny rules. + items: + description: 'A deny rule name can be any of the following values: SCANNING | IDOR | ENCODING | HTML | HPP | EXPLOIT | LDAP | NOSQL | OGNL | PHP | PROTOCOL | SANITY | SQL | TEMPLATE | UNIXCMD | WINCMD | XSS' + enum: + - SCANNING + - IDOR + - ENCODING + - HTML + - HPP + - EXPLOIT + - LDAP + - NOSQL + - OGNL + - PHP + - PROTOCOL + - SANITY + - SQL + - TEMPLATE + - UNIXCMD + - WINCMD + - XSS + type: string + minItems: 1 + type: array + type: object + type: array + overrides: + description: Overrides allows to override the builtIn settings for specific deny rules. + items: + description: DenyRulesOverride allows to override the builtIn settings for specific deny rules. + properties: + conditions: + description: Conditions select which built-in deny rules' settings will be adjusted. + properties: + ruleKeys: + description: RuleKeys is a list of built-in deny rule names. 
+ items: + description: 'A deny rule name can be any of the following values: SCANNING | IDOR | ENCODING | HTML | HPP | EXPLOIT | LDAP | NOSQL | OGNL | PHP | PROTOCOL | SANITY | SQL | TEMPLATE | UNIXCMD | WINCMD | XSS' + enum: + - SCANNING + - IDOR + - ENCODING + - HTML + - HPP + - EXPLOIT + - LDAP + - NOSQL + - OGNL + - PHP + - PROTOCOL + - SANITY + - SQL + - TEMPLATE + - UNIXCMD + - WINCMD + - XSS + type: string + minItems: 1 + type: array + types: + description: Types defines the type of attributes the override should be applied on. If Types are defined without any RuleKeys the override is applied to all deny rules. + items: + description: 'A deny rule override type name can be any of the following values: header | parameter | path | json' + enum: + - header + - parameter + - path + - json + type: string + minItems: 0 + type: array + type: object + settings: + description: Settings override the corresponding properties for the selected rules. + properties: + level: + description: Level specifies the filter strength. + enum: + - unfiltered + - basic + - standard + - strict + type: string + threatHandlingMode: + description: ThreatHandlingMode specifies how threats should be handled. + enum: + - block + - logOnly + type: string + type: object + type: object + type: array + settings: + description: Settings contains the keys which will be adjusted. + properties: + level: + default: standard + description: Level represents a set of deny rules with different filter strengths. + enum: + - unfiltered + - basic + - standard + - strict + type: string + threatHandlingMode: + default: block + description: ThreatHandlingMode specifies how threats should be handled when a deny rule matches. + enum: + - block + - logOnly + type: string + type: object + type: object + custom: + description: Custom allows configuring additional deny rules. + properties: + rules: + description: Rules defines list of additional deny rules. 
+ items: + properties: + blockData: + description: BlockData specifies the request data which should cause a block. + properties: + header: + description: Header specifies to block requests containing a matching header. Only one of parameter, path, header or json can be set. + properties: + name: + description: Name defines the name of a header. + properties: + matcher: + description: NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a header. + properties: + matcher: + description: StringMatcher defines the way to match a string. 
+ properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + json: + description: JSON specifies to block requests containing a matching JSON property in the body. Only one of parameter, path, header or json can be set. + properties: + key: + description: Key defines the key of a JSON object. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. 
Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a JSON object. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. 
In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + parameter: + description: Parameter specifies to block requests containing a matching parameter. Only one of parameter, path, header or json can be set. + properties: + name: + description: Name defines the name of a parameter. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: Prefix defines a prefix match on the prefix specified here. 
Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a parameter. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. 
+ minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + path: + description: Path specifies to block requests with a matching path. Only one of parameter, path, header or json can be set. + properties: + matcher: + description: Matcher specifies which path to block. + properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. 
+ minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + requestConditions: + description: RequestConditions defines additional request properties which must be matched in order for this rule to apply. + properties: + header: + description: Header defines the matching headers of a request. + properties: + name: + description: Name defines the name of a header. + properties: + matcher: + description: NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a header. 
+ properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + invert: + default: false + description: Invert indicates whether the request condition should be inverted. + type: boolean + mediaType: + description: MediaType defines the matching media type from the content-type header of a request. + properties: + matcher: + description: NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. 
In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + method: + description: Method defines the matching methods of a request. + items: + description: Method defines common HTTP methods. + enum: + - GET + - HEAD + - POST + - PUT + - PATCH + - DELETE + - CONNECT + - OPTIONS + - TRACE + type: string + type: array + path: + description: Path defines the matching path of a request. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. 
Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + remoteIP: + description: RemoteIP defines the matching remote IPs of a request. + properties: + cidrRanges: + description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. + items: + description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. + format: cidr + type: string + minItems: 1 + type: array + invert: + default: false + description: Invert indicates whether the match should be inverted. + type: boolean + required: + - cidrRanges + type: object + type: object + ruleKey: + description: RuleKey defines a technical key for the deny rule. Must be unique. 
+ minLength: 1 + pattern: ^[A-Z][A-Z0-9_]*$ + type: string + threatHandlingMode: + default: block + description: ThreatHandlingMode specifies how threats should be handled when a deny rule matches. + enum: + - block + - logOnly + type: string + required: + - blockData + - ruleKey + type: object + type: array + x-kubernetes-list-map-keys: + - ruleKey + x-kubernetes-list-type: map + type: object + type: object + settings: + description: Settings configures the DenyRules filter. + properties: + operationalMode: + default: production + description: OperationalMode defines the behavior of the filter. In integration mode more information is logged about the requests and responses. + enum: + - production + - integration + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/deploy/crds/CustomResourceDefinition_envoycluster.yaml b/deploy/crds/CustomResourceDefinition_envoycluster.yaml new file mode 100644 index 0000000..f5691b1 --- /dev/null +++ b/deploy/crds/CustomResourceDefinition_envoycluster.yaml 
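Review bot: in the DenyRules CRD hunk above, the `operationalMode` description ("In integration mode more information is logged about the requests and responses") should say what that extra logging covers and that `integration` is meant for non-production use, since logging request and response details can capture credentials or personal data; the `production` default is right, the doc just needs to carry the warning. Minor: the `CIDRRange` item description quotes its examples with typographic quotes (“196.148.3.128/26“) while the `cidrRanges` description uses double backticks (``196.148.3.128/26``); use backticks in both so the generated reference renders consistently.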
@@ -0,0 +1,51 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + creationTimestamp: null + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: envoyclusters.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: EnvoyCluster + listKind: EnvoyClusterList + plural: envoyclusters + singular: envoycluster + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: EnvoyCluster is an additional Envoy Cluster resource which is added to those defined by the Airlock Microgateway. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Specification of the desired additional Envoy cluster. + properties: + value: + description: Value defines the Envoy Cluster which is added to those configured by the Airlock Microgateway. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + served: true + storage: true + subresources: {} 
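Review bot: `spec.value` is not listed as required, so an `EnvoyCluster` with an empty `spec` (or no `spec` at all) passes schema validation although the resource has no effect without it; add `required:` / `- value` under `spec` next to `properties`. Because `value` is `x-kubernetes-preserve-unknown-fields: true`, the API server validates nothing inside the cluster definition, so the operator has to validate it before handing it to Envoy and report rejections in status; and since this resource injects raw Envoy cluster configuration into the gateway, write access to `envoyclusters` should be granted as narrowly as write access to the gateway configuration itself.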
diff --git a/deploy/crds/CustomResourceDefinition_envoyconfiguration.yaml b/deploy/crds/CustomResourceDefinition_envoyconfiguration.yaml new file mode 100644 index 0000000..37eb92a --- /dev/null +++ b/deploy/crds/CustomResourceDefinition_envoyconfiguration.yaml 
@@ -0,0 +1,173 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + creationTimestamp: null + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: envoyconfigurations.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: EnvoyConfiguration + listKind: EnvoyConfigurationList + plural: envoyconfigurations + singular: envoyconfiguration + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.status + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: EnvoyConfiguration is the Schema for the envoyconfigurations API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: EnvoyConfigurationSpec defines the desired state of EnvoyConfiguration + properties: + envoyResources: + description: EnvoyResources defines the desired state for each resource type. 
+ properties: + clusters: + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + endpoints: + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + extensions: + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + listeners: + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + routes: + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + runtimes: + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + scopedRoutes: + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + secrets: + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + type: object + nodeID: + description: NodeID defines the ID of the envoy node + type: string + required: + - nodeID + type: object + status: + description: EnvoyConfigurationStatus defines the observed state of EnvoyConfiguration + properties: + conditions: + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status to another. + format: date-time + type: string + message: + description: A human-readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of EnvoyConfiguration condition. + type: string + required: + - status + - type + type: object + type: array + status: + type: string + xds: + properties: + resourceTypes: + additionalProperties: + description: XdsResourceTypeSyncStatus defines the sync status of xDS for a specific resource type + properties: + errorMessage: + description: ErrorMessage defines an optional message why the currently served resources of this resource type are rejected by the client. 
+ type: string + resources: + additionalProperties: + description: XdsResourceStatus defines the status of xDS for a specific resource + properties: + version: + description: Version defines the version which is currently served for this resource. + type: string + required: + - version + type: object + description: Resources defines the resources which are currently served for this resource type. + type: object + status: + description: Status defines the current sync status of this resource type. + type: string + version: + description: Version defines the version which is currently served for this resource type. + type: string + required: + - resources + - status + - version + type: object + description: ResourceTypes defines the sync statuses for each resource type. + type: object + version: + description: Version defines the version of the underlying xDS snapshot. + type: integer + required: + - version + type: object + required: + - status + - xds + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/deploy/crds/CustomResourceDefinition_envoyhttpfilter.yaml b/deploy/crds/CustomResourceDefinition_envoyhttpfilter.yaml new file mode 100644 index 0000000..8d3f6d7 --- /dev/null +++ b/deploy/crds/CustomResourceDefinition_envoyhttpfilter.yaml 
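Review bot: in the EnvoyConfiguration CRD hunk above, `spec.nodeID` is required but has no `minLength: 1`, so an empty string satisfies the schema; add `minLength: 1` as the other required strings in this patch do (`ruleKey`, header `name`). Two smaller points: `status.conditions` is a plain list without `x-kubernetes-list-type: map` and `x-kubernetes-list-map-keys: - type`, unlike the `ruleKey`-keyed list in the DenyRules hunk, so condition entries cannot be merged by type; and `status.status` and `resourceTypes[*].status` are free-form strings with no `enum`, while `threatHandlingMode` and `operationalMode` enumerate their values, so the allowed sync states are not documented in the schema.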
@@ -0,0 +1,51 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + creationTimestamp: null + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: envoyhttpfilters.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: EnvoyHTTPFilter + listKind: EnvoyHTTPFilterList + plural: envoyhttpfilters + singular: envoyhttpfilter + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: EnvoyHTTPFilter is an additional Envoy HTTP Filter resource which is added to those defined by the Airlock Microgateway. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Specification of the desired additional Envoy HTTP filter. + properties: + value: + description: Value defines the HTTP filter which is added to those configured by the Airlock Microgateway. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + served: true + storage: true + subresources: {} 
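Review bot: same gap as in the EnvoyCluster CRD: `spec.value` is not in a `required` list, so an empty `EnvoyHTTPFilter` validates; add `required:` / `- value` under `spec`. An added HTTP filter runs in the request path of every protected service and its content is unvalidated by the API server (`x-kubernetes-preserve-unknown-fields: true`), so the operator should validate the filter before applying it, and RBAC on `envoyhttpfilters` should be treated as equivalent to the right to change the gateway's own filter chain.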
diff --git a/deploy/crds/CustomResourceDefinition_headerrewrites.yaml b/deploy/crds/CustomResourceDefinition_headerrewrites.yaml new file mode 100644 index 0000000..5a5ae7f --- /dev/null +++ b/deploy/crds/CustomResourceDefinition_headerrewrites.yaml 
@@ -0,0 +1,631 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + creationTimestamp: null + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: headerrewrites.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: HeaderRewrites + listKind: HeaderRewritesList + plural: headerrewrites + singular: headerrewrites + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: HeaderRewrites is the Schema for the headerrewrites API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Specification of the desired header rewriting behavior. + properties: + request: + description: Request defines manipulations on upstream request headers. + properties: + add: + description: Add defines which request headers will be added before forwarding to the upstream. + properties: + custom: + description: Custom allows configuring additional upstream request headers. Add selected headers. + items: + properties: + headers: + description: Headers to add. 
+ items: + description: HeaderRewritesHeader specifies a header with a particular value + properties: + name: + description: Name defines the name of a header. + minLength: 1 + type: string + value: + description: Value defines the value of a header. + type: string + required: + - name + - value + type: object + minItems: 1 + type: array + mode: + default: addIfAbsent + description: Mode defines the header addition strategy. + enum: + - addIfAbsent + - overwriteOrAdd + type: string + name: + description: Name describing the configured operation. + minLength: 1 + type: string + required: + - headers + - name + type: object + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + allow: + description: 'Allow defines which request headers will be forwarded to the upstream. This can either be allHeaders or matchingHeaders. Default: matchingHeaders: {...}' + properties: + allHeaders: + description: AllHeaders specifies that all request headers should be forwarded. + type: object + matchingHeaders: + description: MatchingHeaders specifies which request headers should be forwarded. + properties: + builtIn: + description: BuiltIn allows configuring a set of predefined upstream request headers. + properties: + standardHeaders: + default: true + description: StandardHeaders defines whether the request headers which are forwarded to the upstream will be restricted to a set of common request headers. + type: boolean + type: object + custom: + description: Custom allows configuring additional upstream request headers. + items: + properties: + headers: + description: Headers to allow. + items: + description: HeaderMatcher defines a matcher for an HTTP header. At least one of name and value must be set. + properties: + name: + description: Name defines the name of a header. + properties: + matcher: + description: NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. 
In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a header. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. 
+ minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + minItems: 1 + type: array + name: + description: Name describing the configured operation. Must be unique. + minLength: 1 + type: string + required: + - headers + - name + type: object + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: object + remove: + description: Remove defines which request headers will be removed before forwarding to the upstream. + properties: + builtIn: + description: BuiltIn allows configuring a set of predefined upstream request headers. + properties: + alternativeForwardedHeaders: + default: true + description: 'AlternativeForwardedHeaders removes downstream request headers which could potentially be abused to alter the upstream''s view of the remote connection: Front-End-Https.' + type: boolean + type: object + custom: + description: Custom allows configuring additional upstream request headers. 
+ items: + properties: + headers: + description: Headers to remove. + items: + description: HeaderMatcher defines a matcher for an HTTP header. At least one of name and value must be set. + properties: + name: + description: Name defines the name of a header. + properties: + matcher: + description: NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a header. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: Contains defines a substring match on the substring specified here. 
Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + minItems: 1 + type: array + name: + description: Name describing the configured operation. Must be unique. + minLength: 1 + type: string + required: + - headers + - name + type: object + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: object + response: + description: Response defines manipulations on upstream response headers. + properties: + add: + description: Add defines which response headers will be added before forwarding to the downstream. + properties: + builtIn: + description: BuiltIn allows configuring a set of predefined upstream response headers. 
+ properties: + csp: + default: true + description: CSP sets a content security policy which allows only same-origin requests except for images if the 'Content-Security-Policy' header is not set by the upstream. + type: boolean + featurePolicy: + default: true + description: FeaturePolicy sets a feature policy which prevents cross-origin use of several browser features if the 'Feature-Policy' header is not set by the upstream. + type: boolean + hsts: + default: true + description: HSTS enforces the use of HTTPS if the 'Strict-Transport-Security' header is not already set by the upstream. + type: boolean + hstsPreload: + default: false + description: HSTSPreload enforces the use of HTTPS including for subdomains and enables HSTS preload. + type: boolean + referrerPolicy: + default: true + description: ReferrerPolicy ensures that no 'Referer' header is sent for cross-origin requests if the 'Referrer-Policy' header is not set by the upstream. + type: boolean + xContentTypeOptions: + default: true + description: XContentTypeOptions sets 'X-Content-Type-Options' to 'nosniff' if it is not set by the upstream. + type: boolean + xFrameOptions: + default: true + description: XFrameOptions sets 'X-Frame-Options' to SAMEORIGIN if it is not set by the upstream. + type: boolean + type: object + custom: + description: Custom allows configuring additional upstream response headers. + items: + properties: + headers: + description: Headers to add. + items: + description: HeaderRewritesHeader specifies a header with a particular value + properties: + name: + description: Name defines the name of a header. + minLength: 1 + type: string + value: + description: Value defines the value of a header. + type: string + required: + - name + - value + type: object + minItems: 1 + type: array + mode: + default: addIfAbsent + description: Mode defines the header addition strategy. 
+ enum: + - addIfAbsent + - overwriteOrAdd + type: string + name: + description: Name describing the configured operation. + minLength: 1 + type: string + required: + - headers + - name + type: object + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + allow: + description: 'Allow defines which response headers will be forwarded to the downstream. This can either be allHeaders or matchingHeaders. Default: allHeaders: {}' + properties: + allHeaders: + description: AllHeaders specifies that all response headers should be forwarded. + type: object + matchingHeaders: + description: MatchingHeaders specifies which response headers should be forwarded. + properties: + builtIn: + description: BuiltIn allows configuring a set of predefined upstream response header. + properties: + standardHeaders: + default: false + description: StandardHeaders defines whether the response headers which are forwarded to the downstream will be restricted to a set of common response headers. + type: boolean + type: object + custom: + description: Custom allows configuring additional upstream response headers. + items: + properties: + headers: + description: Headers to allow. + items: + description: HeaderMatcher defines a matcher for an HTTP header. At least one of name and value must be set. + properties: + name: + description: Name defines the name of a header. + properties: + matcher: + description: NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. 
Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a header. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. 
+ minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + minItems: 1 + type: array + name: + description: Name describing the configured operation. Must be unique. + minLength: 1 + type: string + required: + - headers + - name + type: object + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: object + remove: + description: Remove defines which response headers will be removed before forwarding to the downstream. + properties: + builtIn: + description: BuiltIn allows configuring a set of predefined upstream response headers. + properties: + auth: + description: Auth defines the categories of headers concerning authentication. + properties: + basic: + default: false + description: Basic removes upstream response headers that advise clients to authenticate with Basic Authentication. + type: boolean + negotiate: + default: true + description: Negotiate removes upstream response headers that advise clients to authenticate with Negotiate. + type: boolean + ntlm: + default: true + description: NTLM removes upstream response headers that advise clients to authenticate with NTLM. By default, these headers are removed, because NTLM pass-through is not supported. + type: boolean + type: object + informationLeakage: + description: InformationLeakage defines the categories of headers concerning information leakage. 
+ properties: + application: + default: true + description: 'Application removes upstream response headers that leak information about the deployed software: X-AspNet-Version, X-AspNetMvc-Version, X-Generator, X-Powered-By.' + type: boolean + server: + default: true + description: 'Server removes upstream response headers that leak information about the server: Age, Link, P3P, Proxy-Authenticate, Server, Via.' + type: boolean + type: object + permissiveCors: + default: true + description: PermissiveCORS removes upstream response headers for CORS (Cross-Origin Resource Sharing) which have no restrictions and therefore reduce client-side security. + type: boolean + type: object + custom: + description: Custom allows configuring additional upstream response headers. + items: + properties: + headers: + description: Headers to remove. + items: + description: HeaderMatcher defines a matcher for an HTTP header. At least one of name and value must be set. + properties: + name: + description: Name defines the name of a header. + properties: + matcher: + description: NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. 
+ minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a header. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. 
Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + minItems: 1 + type: array + name: + description: Name describing the configured remove operation. Must be unique. + minLength: 1 + type: string + required: + - headers + - name + type: object + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: object + settings: + description: Settings configures the HeaderRewrites filter. + properties: + operationalMode: + default: production + description: OperationalMode defines the behavior of the filter. In integration mode more information is logged about the requests and responses. + enum: + - production + - integration + type: string + type: object + type: object + type: object + served: true + storage: true diff --git a/deploy/crds/CustomResourceDefinition_limits.yaml b/deploy/crds/CustomResourceDefinition_limits.yaml new file mode 100644 index 0000000..d2be2da --- /dev/null +++ b/deploy/crds/CustomResourceDefinition_limits.yaml 
@@ -0,0 +1,151 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + creationTimestamp: null + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: limits.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: Limits + listKind: LimitsList + plural: limits + singular: limits + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Limits contains the configuration for limits. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Specification of the desired limits behavior. + properties: + request: + description: Request defines the limits for requests. + properties: + limited: + description: Limited enables limits on request scope. + properties: + general: + description: General defines general request limits. + properties: + bodySize: + anyOf: + - type: integer + - type: string + default: 100Mi + description: BodySize limits the total size of the request body. It specifies the number of bytes from 0 (unlimited) to 2145483647 (2GB). 
To restrict the size of file uploades, set this limit to the maximum combined size of all files uploaded at once. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + pathLength: + anyOf: + - type: integer + - type: string + default: 1Ki + description: PathLength defines the maximum path length for requests. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + json: + description: JSON defines the limits for JSON requests. + properties: + elementCount: + default: 150000 + description: ElementCount defines the maximum number of keys and array items in the whole JSON document (recursive). + format: int64 + type: integer + keyCount: + default: 250 + description: KeyCount defines the maximum number of keys of a single JSON object (non-recursive). + format: int64 + type: integer + keyLength: + anyOf: + - type: integer + - type: string + default: "128" + description: KeyLength defines the maximum length for JSON keys. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + nestingDepth: + default: 100 + description: NestingDepth defines the maximum depth of nesting for JSON objects and JSON arrays. + format: int64 + type: integer + valueLength: + anyOf: + - type: integer + - type: string + default: 1Ki + description: ValueLength defines the maximum length for JSON values. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + parameter: + description: Parameter defines the limits for request parameters. + properties: + count: + default: 128 + description: Count defines the maximum number of request parameters. 
+ format: int64 + type: integer + nameLength: + anyOf: + - type: integer + - type: string + default: "128" + description: NameLength defines the maximum length for parameter names. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + valueLength: + anyOf: + - type: integer + - type: string + default: 1Ki + description: ValueLength defines the maximum length for parameter values. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + unlimited: + description: Unlimited disables all limits on request scope. + type: object + type: object + settings: + description: Settings configures the limits filter. + properties: + operationalMode: + default: production + description: OperationalMode defines the behavior of the filter. In integration mode more information is logged about the requests and responses. + enum: + - production + - integration + type: string + threatHandlingMode: + default: block + description: ThreatHandlingMode specifies how threats should be handled when a limit hits. + enum: + - block + - logOnly + type: string + type: object + type: object + type: object + served: true + storage: true diff --git a/deploy/crds/CustomResourceDefinition_parser.yaml b/deploy/crds/CustomResourceDefinition_parser.yaml new file mode 100644 index 0000000..9ad109a --- /dev/null +++ b/deploy/crds/CustomResourceDefinition_parser.yaml 
@@ -0,0 +1,81 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + creationTimestamp: null + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: parsers.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: Parser + listKind: ParserList + plural: parsers + singular: parser + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Parser contains the configuration for content parsers (default and custom). + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Specification of the desired parser behavior. + properties: + request: + description: Request defines the parsing for downstream requests. + properties: + defaultContentType: + default: application/x-www-form-urlencoded + description: DefaultContentType specifies the content-type header which should be injected into the request before parser selection if it is not already present and the request has a body. + minLength: 1 + type: string + parsers: + description: Parsers defines the configuration for the available content parsers. 
+ properties: + form: + description: Form defines the configuration for the form parser. + properties: + enable: + default: true + description: Enable defines whether form payloads are inspected. + type: boolean + mediaTypePattern: + default: .*urlencoded.* + description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as form arguments. + minLength: 1 + type: string + type: object + json: + description: JSON defines the configuration for the JSON parser + properties: + enable: + default: true + description: Enable defines whether json payloads are inspected. + type: boolean + mediaTypePattern: + default: .*json.* + description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as JSON. + minLength: 1 + type: string + type: object + type: object + type: object + type: object + type: object + served: true + storage: true diff --git a/deploy/crds/CustomResourceDefinition_sidecargateway.yaml b/deploy/crds/CustomResourceDefinition_sidecargateway.yaml new file mode 100644 index 0000000..447c444 --- /dev/null +++ b/deploy/crds/CustomResourceDefinition_sidecargateway.yaml 
@@ -0,0 +1,562 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + creationTimestamp: null + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: sidecargateways.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: SidecarGateway + listKind: SidecarGatewayList + plural: sidecargateways + singular: sidecargateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.status + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: SidecarGateway contains the configuration how to configure the Airlock Microgateway Engine when used as Sidecar Container within the Pod of an application. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Specification of the desired sidecar gateway behavior. + properties: + applications: + description: Applications defines applications which run on different ports. + items: + properties: + containerPort: + default: 8080 + description: ContainerPort refers to the container port. 
This must be a valid port number, 0 < x < 65536. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + downstream: + description: Downstream defines the downstream configuration for this application + properties: + protocol: + description: Protocol defines the exposed HTTP protocol version. At most one of http1, http2 and auto can be set. Defaults to auto. + properties: + auto: + description: Auto specifies that the protocol should be inferred. + type: object + http1: + description: HTTP1 specifies that the client is assumed to speak HTTP/1.1. + type: object + http2: + description: HTTP2 specifies that the client is assumed to speak HTTP/2. + type: object + type: object + remoteIP: + description: RemoteIP defines how the remote IP of a client is propagated. Default is XFF. + properties: + connectionIP: + description: ConnectionIP configures to use the source IP address of the direct downstream connection. + type: object + customHeader: + description: CustomHeader specifies to use a custom header for remote IP extraction. + properties: + headerName: + description: HeaderName specifies the name of the custom header containing the remote IP. + minLength: 1 + type: string + required: + default: true + description: Required specifies if the custom header is required. If true and not available the request will be rejected with 403. + type: boolean + required: + - headerName + type: object + xff: + description: XFF configures to use the standard 'X-Forwarded-For' header for IP extraction. + properties: + numTrustedHops: + default: 1 + description: NumTrustedHops specifies to extract the client's originating IP from the nth rightmost entry in the X-Forwarded-For header. With the default value of 1, the IP is extracted from the rightmost entry. 
+ format: int32 + minimum: 1 + type: integer + type: object + type: object + requestNormalizations: + description: RequestNormalizations defines a set of normalization actions which are applied to the request before route matching. + properties: + mergeSlashes: + default: true + description: MergeSlashes ensures that adjacent slashes in the path are merged into one. + type: boolean + normalizePath: + default: true + description: NormalizePath ensures normalization according to RFC 3986 without case normalization. + type: boolean + type: object + restrictions: + description: Restrictions defines restrictions for downstream. + properties: + http: + description: HTTP defines limits for the HTTP protocol. + properties: + headersLength: + anyOf: + - type: integer + - type: string + default: 60Ki + description: HeadersLength defines maximum size of all request headers combined. Requests that exceed this limit will receive a 431 response. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + tls: + description: TLS defines the TLS settings. + properties: + ciphers: + description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration. + items: + type: string + minItems: 1 + type: array + clientCertificate: + description: 'ClientCertificate defines the TLS settings for verification of client certificates. At most one of ignored, optional and required can be set. Default: ignored' + properties: + ignored: + description: Ignored disables verification of the client certificate. + type: object + optional: + description: Optional enables verification of the client certificate if one is presented. In this mode only trustedCA and crl settings can be configured since certificatePinning and allowedSANs require a client certificate. 
+ properties: + crl: + description: CRL defines the Certificate Revocation List (CRL) settings. + properties: + lists: + description: Lists defines the list of secretRefs containing Certificate Revocation Lists. + items: + properties: + secretRef: + description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + required: + - secretRef + type: object + minItems: 1 + type: array + validationMode: + default: verifyChain + description: 'ValidationMode defines whether only the leaf certificate or also the CA certs should be checked. Default: verifyChain' + enum: + - verifyLeafCertOnly + - verifyChain + type: string + type: object + trustedCA: + description: TrustedCA defines which CA certificates are trusted. + properties: + certificates: + description: Certificates defines the list of secretRefs containing trusted CA certificates. + items: + properties: + secretRef: + description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + required: + - secretRef + type: object + minItems: 1 + type: array + verificationDepth: + default: 1 + description: VerificationDepth specifies the hops in the certificate chain at which validation is performed. 1 means that either the leaf or the signing CA must be in the set of trusted certificates. + format: int32 + type: integer + type: object + type: object + required: + description: Required contains settings for client certificate verification. A client must present a valid certificate. + properties: + allowedSANs: + description: AllowedSANs is a list of matchers to verify the Subject Alternative name. 
If specified, it will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics, that is to say, the SAN is verified if at least one matcher is matched. + items: + description: TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. + properties: + matcher: + description: Matcher defines the string matcher for the SAN value. + properties: + contains: + description: Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. 
+ minLength: 1 + type: string + type: object + sanType: + description: SanType defines the type of SAN matcher. Allowed values are DNS, EMAIL, URI, IP_ADDRESS. + enum: + - DNS + - EMAIL + - URI + - IP_ADDRESS + type: string + required: + - matcher + - sanType + type: object + minItems: 1 + type: array + certificatePinning: + description: CertificatePinning defines the constraints a client certificate must fulfill. If more than one constraint is configured only one must be satisfied. + properties: + allowedHashes: + description: AllowedHashes is a list of hex-encoded SHA-256 hashes. If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. + items: + type: string + minItems: 1 + type: array + allowedSPKIs: + description: AllowedSPKIs is a list of base64-encoded SHA-256 hashes. If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. + items: + type: string + minItems: 1 + type: array + type: object + crl: + description: CRL defines the Certificate Revocation List (CRL) settings. + properties: + lists: + description: Lists defines the list of secretRefs containing Certificate Revocation Lists. + items: + properties: + secretRef: + description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + required: + - secretRef + type: object + minItems: 1 + type: array + validationMode: + default: verifyChain + description: 'ValidationMode defines whether only the leaf certificate or also the CA certs should be checked. Default: verifyChain' + enum: + - verifyLeafCertOnly + - verifyChain + type: string + type: object + trustedCA: + description: TrustedCA defines which CA certificates are trusted. 
+ properties: + certificates: + description: Certificates defines the list of secretRefs containing trusted CA certificates. + items: + properties: + secretRef: + description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + required: + - secretRef + type: object + minItems: 1 + type: array + verificationDepth: + default: 1 + description: VerificationDepth specifies the hops in the certificate chain at which validation is performed. 1 means that either the leaf or the signing CA must be in the set of trusted certificates. + format: int32 + type: integer + type: object + type: object + type: object + enable: + default: false + description: Enable defines if the downstream connection is encrypted. + type: boolean + protocol: + description: Protocol defines the supported TLS protocol versions. + properties: + maximum: + description: Maximum supported TLS version + enum: + - TLSv1_0 + - TLSv1_1 + - TLSv1_2 + - TLSv1_3 + type: string + minimum: + description: Minimum supported TLS version + enum: + - TLSv1_0 + - TLSv1_1 + - TLSv1_2 + - TLSv1_3 + type: string + type: object + secretRef: + description: SecretRef defines the reference to the TLS server certificate (secret of type kubernetes.io/tls). + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + type: object + type: object + envoyHTTPFilterRefs: + description: EnvoyHTTPFilterRefs defines which EnvoyHTTPFilter references will be applied. + properties: + prepend: + description: Prepend defines the referenced Envoy HTTP filters which are added before those configured by the Airlock Microgateway. 
+ items: + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + type: array + type: object + routes: + description: Routes defines the security configurations for different paths. The first matching route (from top to bottom) applies. + items: + description: SidecarGatewayApplicationRoute defines the security configurations for different paths. At most one of secured and unsecured can be set. Defaults to secured if not specified. + properties: + pathPrefix: + default: / + description: PathPrefix defines the path prefix used during route selection. + minLength: 1 + type: string + secured: + description: 'Secured enables WAF processing for this route. At most one of secured and unsecured can be set (Default: secured: {...})' + properties: + contentSecurityRef: + description: ContentSecurityRef selects the applied ContentSecurity configuration resource. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + type: object + unsecured: + description: 'Unsecured disables all WAF functionality and therefore protection for this route. WARNING: Using this setting when the application is exposed to untrusted downstream traffic is highly discouraged. At most one of secured and unsecured can be set (Default: secured: {...})' + type: object + type: object + type: array + x-kubernetes-list-map-keys: + - pathPrefix + x-kubernetes-list-type: map + telemetryRef: + description: TelemetryRef selects the applied Telemetry configuration resource. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + upstream: + description: Upstream defines the upstream configuration for this application + properties: + protocol: + description: Protocol defines HTTP protocol version used to communicate with the upstream. At most one of http1, http2 and auto can be set. Defaults to auto. 
+ properties: + auto: + description: Auto specifies to use the protocol negotiated via TLS ALPN (if supported) or HTTP/1.1 as fallback. + type: object + http1: + description: HTTP1 specifies to use HTTP/1.1. + type: object + http2: + description: HTTP2 specifies to use HTTP/2. + type: object + type: object + tls: + description: TLS defines the TLS settings. + properties: + ciphers: + description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration. + items: + type: string + minItems: 1 + type: array + enable: + default: false + description: Enable defines if the upstream connection is encrypted. + type: boolean + protocol: + description: Protocol defines the supported TLS protocol versions. + properties: + maximum: + description: Maximum supported TLS version + enum: + - TLSv1_0 + - TLSv1_1 + - TLSv1_2 + - TLSv1_3 + type: string + minimum: + description: Minimum supported TLS version + enum: + - TLSv1_0 + - TLSv1_1 + - TLSv1_2 + - TLSv1_3 + type: string + type: object + type: object + type: object + type: object + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - containerPort + x-kubernetes-list-type: map + envoyClusterRefs: + description: EnvoyClusterRefs defines a list of references to EnvoyClusters which are added to the envoy configuration. + items: + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + podSelector: + description: PodSelector defines to which Pods the configuration will be applied to. + properties: + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels. 
+ type: object + type: object + required: + - applications + type: object + status: + description: Most recently observed status of the SidecarGateway which is populated by the system. This data is read-only and may not be up to date. + properties: + conditions: + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status to another. + format: date-time + type: string + message: + description: A human-readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of SidecarGateway condition. + type: string + required: + - status + - type + type: object + type: array + pods: + items: + properties: + envoyConfig: + description: EnvoyConfig indicates the name of the EnvoyConfig CR which references the SidecarGateway. + type: string + name: + description: Name indicates the name of the Pod which references the SidecarGateway. + type: string + required: + - name + type: object + type: array + status: + type: string + required: + - status + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/deploy/crds/CustomResourceDefinition_telemetry.yaml b/deploy/crds/CustomResourceDefinition_telemetry.yaml new file mode 100644 index 0000000..44260ee --- /dev/null +++ b/deploy/crds/CustomResourceDefinition_telemetry.yaml 
@@ -0,0 +1,58 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + creationTimestamp: null + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: telemetries.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: Telemetry + listKind: TelemetryList + plural: telemetries + singular: telemetry + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Telemetry contains the configuration for telemetry (logging, metrics & tracing). + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Specification of the desired telemetry behavior. + properties: + logging: + description: Logging defines the logging aspects of Telemetry. + properties: + accessLog: + description: AccessLog defines the access log settings of Telemetry. + properties: + format: + description: Format defines the Access Log format of the sidecar. + properties: + json: + description: JSON defines the Access Log format as JSON. 
+ type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + type: object + type: object + served: true + storage: true diff --git a/deploy/crds/kustomization.yaml b/deploy/crds/kustomization.yaml new file mode 100644 index 0000000..97981b8 --- /dev/null +++ b/deploy/crds/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - CustomResourceDefinition_contentsecurity.yaml + - CustomResourceDefinition_denyrules.yaml + - CustomResourceDefinition_envoycluster.yaml + - CustomResourceDefinition_envoyconfiguration.yaml + - CustomResourceDefinition_envoyhttpfilter.yaml + - CustomResourceDefinition_headerrewrites.yaml + - CustomResourceDefinition_limits.yaml + - CustomResourceDefinition_parser.yaml + - CustomResourceDefinition_sidecargateway.yaml + - CustomResourceDefinition_telemetry.yaml diff --git a/deploy/deployment/Certificate_airlock-microgateway-operator-serving-cert.yaml b/deploy/deployment/Certificate_airlock-microgateway-operator-serving-cert.yaml new file mode 100644 index 0000000..79b3692 --- /dev/null +++ b/deploy/deployment/Certificate_airlock-microgateway-operator-serving-cert.yaml @@ -0,0 +1,16 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: airlock-microgateway-operator-serving-cert +spec: + dnsNames: + - airlock-microgateway-operator-webhook.OPERATOR_NAMESPACE.svc + - airlock-microgateway-operator-webhook.OPERATOR_NAMESPACE.svc.cluster.local + issuerRef: + kind: Issuer + name: airlock-microgateway-operator-selfsigned-issuer + secretName: webhook-server-cert diff --git a/deploy/deployment/ClusterRoleBinding_airlock-microgateway-operator-manager-ns.yaml b/deploy/deployment/ClusterRoleBinding_airlock-microgateway-operator-manager-ns.yaml new file mode 100644 index 0000000..cbcb54f 
--- /dev/null +++ b/deploy/deployment/ClusterRoleBinding_airlock-microgateway-operator-manager-ns.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: airlock-microgateway-operator-manager-ns +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: airlock-microgateway-operator-manager-ns +subjects: + - kind: ServiceAccount + name: airlock-microgateway-operator-controller-manager diff --git a/deploy/deployment/ClusterRoleBinding_airlock-microgateway-operator-proxy-ns.yaml b/deploy/deployment/ClusterRoleBinding_airlock-microgateway-operator-proxy-ns.yaml new file mode 100644 index 0000000..9771e68 --- /dev/null +++ b/deploy/deployment/ClusterRoleBinding_airlock-microgateway-operator-proxy-ns.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: airlock-microgateway-operator-proxy-ns +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: airlock-microgateway-operator-proxy-ns +subjects: + - kind: ServiceAccount + name: airlock-microgateway-operator-controller-manager diff --git a/deploy/deployment/ClusterRole_airlock-microgateway-operator-manager-ns.yaml b/deploy/deployment/ClusterRole_airlock-microgateway-operator-manager-ns.yaml new file mode 100644 index 0000000..24752d7 --- /dev/null +++ b/deploy/deployment/ClusterRole_airlock-microgateway-operator-manager-ns.yaml 
@@ -0,0 +1,166 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: airlock-microgateway-operator-manager-ns +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "" + resources: + - pods + verbs: + - delete + - get + - list + - update + - watch + - apiGroups: + - "" + resources: + - pods/finalizers + verbs: + - update + - apiGroups: + - "" + resources: + - pods/status + verbs: + - patch + - update + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - update + - watch + - apiGroups: + - microgateway.airlock.com + resources: + - contentsecurities + verbs: + - get + - list + - watch + - apiGroups: + - microgateway.airlock.com + resources: + - denyrules + verbs: + - get + - list + - watch + - apiGroups: + - microgateway.airlock.com + resources: + - envoyclusters + verbs: + - get + - list + - watch + - apiGroups: + - microgateway.airlock.com + resources: + - envoyconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - microgateway.airlock.com + resources: + - envoyconfigurations/status + verbs: + - get + - patch + - update + - apiGroups: + - microgateway.airlock.com + resources: + - envoyhttpfilters + verbs: + - get + - list + - watch + - apiGroups: + - microgateway.airlock.com + resources: + - headerrewrites + verbs: + - get + - list + - watch + - apiGroups: + - microgateway.airlock.com + resources: + - limits + verbs: + - get + - list + - watch + - apiGroups: + - microgateway.airlock.com + resources: + - parsers + verbs: + - get + - list + - watch + - apiGroups: + - microgateway.airlock.com + resources: + - sidecargateways + verbs: + - get + - list + - patch 
+ - update + - watch + - apiGroups: + - microgateway.airlock.com + resources: + - sidecargateways/finalizers + verbs: + - update + - apiGroups: + - microgateway.airlock.com + resources: + - sidecargateways/status + verbs: + - get + - patch + - update + - apiGroups: + - microgateway.airlock.com + resources: + - telemetries + verbs: + - get + - list + - watch diff --git a/deploy/deployment/ClusterRole_airlock-microgateway-operator-proxy-ns.yaml b/deploy/deployment/ClusterRole_airlock-microgateway-operator-proxy-ns.yaml new file mode 100644 index 0000000..98cf856 --- /dev/null +++ b/deploy/deployment/ClusterRole_airlock-microgateway-operator-proxy-ns.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: airlock-microgateway-operator-proxy-ns +rules: + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create diff --git a/deploy/deployment/ConfigMap_airlock-microgateway-operator-operator-config.yaml b/deploy/deployment/ConfigMap_airlock-microgateway-operator-operator-config.yaml new file mode 100644 index 0000000..e27e94f --- /dev/null +++ b/deploy/deployment/ConfigMap_airlock-microgateway-operator-operator-config.yaml 
@@ -0,0 +1,300 @@ +apiVersion: v1 +data: + engine_bootstrap_config_template.yaml: |- + # Base config for a split xDS management server on 18000, admin port on 19000 + admin: + address: + socket_address: + address: 127.0.0.1 + port_value: 19000 + dynamic_resources: + cds_config: + initial_fetch_timeout: 10s + resource_api_version: V3 + api_config_source: + api_type: GRPC + transport_api_version: V3 + grpc_services: + - envoy_grpc: + cluster_name: xds_cluster + set_node_on_first_message_only: true + # Prevent Envoy Node from overloading the xDS server due to rejected configuration when using xDS SotW gRPC + rate_limit_settings: + max_tokens: 5 + fill_rate: 0.2 + lds_config: + resource_api_version: V3 + initial_fetch_timeout: 10s + api_config_source: + api_type: GRPC + transport_api_version: V3 + grpc_services: + - envoy_grpc: + cluster_name: xds_cluster + set_node_on_first_message_only: true + # Prevent Envoy Node from overloading the xDS server due to rejected configuration when using xDS SotW gRPC + rate_limit_settings: + max_tokens: 5 + fill_rate: 0.2 + static_resources: + listeners: + - name: probe + address: + socket_address: + address: 0.0.0.0 + port_value: 19001 + filter_chains: + - filters: + - name: http_connection_manager + typed_config: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: http + codec_type: AUTO + route_config: + name: probe + virtual_hosts: + - name: probe + domains: + - '*' + routes: + - name: ready + match: + path: /ready + headers: + - name: ':method' + string_match: + exact: 'GET' + ignore_case: true + route: + cluster: airlock_microgateway_engine_admin + http_filters: + - name: envoy.filters.http.router + typed_config: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + - name: metrics + address: + socket_address: + address: 0.0.0.0 + port_value: 19002 + filter_chains: + - filters: + - name: http_connection_manager + typed_config: + 
'@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: http + codec_type: AUTO + route_config: + name: metrics + virtual_hosts: + - name: metrics + domains: + - '*' + routes: + - name: metrics + match: + path: /metrics + headers: + - name: ':method' + string_match: + exact: 'GET' + ignore_case: true + route: + prefix_rewrite: '/stats/prometheus' + cluster: airlock_microgateway_engine_admin + http_filters: + - name: envoy.filters.http.router + typed_config: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + clusters: + - name: xds_cluster + connect_timeout: 1s + type: STRICT_DNS + load_assignment: + cluster_name: xds_cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: airlock-microgateway-operator-xds.$(OPERATOR_NAMESPACE).svc.cluster.local + port_value: 13377 + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicit_http_config: + http2_protocol_options: + connection_keepalive: + interval: 360s + timeout: 5s + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + common_tls_context: + tls_params: + tls_minimum_protocol_version: TLSv1_3 + tls_maximum_protocol_version: TLSv1_3 + validation_context_sds_secret_config: + name: validation_context_sds + sds_config: + path_config_source: + path: /etc/envoy/validation_context_sds_secret.yaml + watched_directory: + path: /etc/envoy/ + - name: airlock_microgateway_engine_admin + connect_timeout: 1s + type: LOGICAL_DNS + load_assignment: + cluster_name: airlock_microgateway_engine_admin + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 + port_value: 19000 + typed_extension_protocol_options: + 
envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicit_http_config: + http2_protocol_options: + connection_keepalive: + interval: 360s + timeout: 5s + engine_container_template.yaml: | + name: "$(ENGINE_NAME)" + image: "$(ENGINE_IMAGE)" + imagePullPolicy: IfNotPresent + args: + - "--config-yaml" + - "$(BOOTSTRAP_CONFIG)" + - "--base-id" + - "$(BASE_ID)" + - "--drain-time-s" + - '60' + - "--service-node" + - "$(POD_NAME).$(POD_NAMESPACE)" + - "--service-cluster" + - "$(APP_NAME).$(POD_NAMESPACE)" + - "--log-level" + - "$(LOG_LEVEL)" + - "--log-format" + - '{"@timestamp":"%Y-%m-%dT%T.%e%z","log":{"logger":"%n","level":"%l","origin":{"file":{"name":"%g","line":%#},"function":"%!"}},"event":{"module":"envoy","dataset":"envoy.application"},"process":{"pid":%P,"thread":{"id":%t}},"ecs":{"version":"8.5"},"message":"%j"}' + volumeMounts: + - name: airlock-microgateway-bootstrap-secret-volume + mountPath: /etc/envoy + readOnly: true + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + ports: + - containerPort: 13378 + name: http + protocol: TCP + - containerPort: 19001 + name: probe + protocol: TCP + - containerPort: 19002 + name: metrics + protocol: TCP + livenessProbe: + httpGet: + path: /ready + port: probe + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + httpGet: + path: /ready + port: probe + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + failureThreshold: 4 + successThreshold: 1 + timeoutSeconds: 1 + securityContext: + runAsUser: $(SECURITYCONTEXT_UID) + runAsNonRoot: true + allowPrivilegeEscalation: false + privileged: false + 
readOnlyRootFilesystem: true + capabilities: + drop: ["ALL"] + resources: + limits: + cpu: "2" + memory: "1Gi" + requests: + cpu: "10m" + memory: "40Mi" + network_manager_container_template.yaml: |- + name: "$(NETWORK_MANAGER_NAME)" + image: "$(NETWORK_MANAGER_IMAGE)" + imagePullPolicy: IfNotPresent + args: + - '--engine-port=13378' + - '--exclude-inbound-ports=19000,19001,19002,$(EXCLUDE_INBOUND_PORTS)' + - "--service-mesh=$(SERVICE_MESH)" + - "--service-mesh-proxy-uid=$(SERVICE_MESH_PROXY_UID)" + - "--log-level=$(LOG_LEVEL)" + env: + - name: IPTABLES + value: "legacy" + securityContext: + privileged: true + capabilities: + drop: ["ALL"] + add: + - NET_ADMIN + resources: + requests: + cpu: "10m" + memory: "40Mi" + limits: + cpu: "200m" + memory: "256Mi" + operator_config.yaml: |- + apiVersion: config.airlock.com/v1alpha1 + kind: OperatorConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: leader.airlock.com + deployment: + sidecar: + engineContainerTemplate: "/sidecar/engine_container_template.yaml" + networkManagerContainerTemplate: "/sidecar/network_manager_container_template.yaml" + engine: + bootstrapConfigTemplate: "/engine_bootstrap_config_template.yaml" + log: + level: info +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: airlock-microgateway-operator-operator-config diff --git a/deploy/deployment/Deployment_airlock-microgateway-operator-controller-manager.yaml b/deploy/deployment/Deployment_airlock-microgateway-operator-controller-manager.yaml new file mode 100644 index 0000000..06e7c81 --- /dev/null +++ b/deploy/deployment/Deployment_airlock-microgateway-operator-controller-manager.yaml 
@@ -0,0 +1,139 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + control-plane: airlock-microgateway-operator + name: airlock-microgateway-operator-controller-manager +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + control-plane: airlock-microgateway-operator + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: manager + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + control-plane: airlock-microgateway-operator + spec: + containers: + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + protocol: TCP + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + - args: + - --config=operator_config.yaml + command: + - /manager + env: + - name: NETWORK_MANAGER_IMAGE + value: docker.io/ergon/airlock-microgateway-network-manager:4.0.0-beta1@sha256:05cd4474ab5fef6d9106efc665f5c0476e7486496b39bc10daec9476c2087ff6 + - name: ENGINE_IMAGE + value: docker.io/ergon/airlock-microgateway-engine:4.0.0-beta1@sha256:d280af64fcb047c8d932fdbb211b46cc46b0b7f2cd88a289fe63f86dd53174d3 + - name: OPERATOR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: WATCH_NAMESPACE + value: "" + image: docker.io/ergon/airlock-microgateway-operator:4.0.0-beta1@sha256:970bee29eebac12c9bf0b65bf768c7a81fa1521e17911b56872eb64020935403 + imagePullPolicy: IfNotPresent + 
livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + timeoutSeconds: 5 + name: manager + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + - containerPort: 13377 + name: xds-server + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - mountPath: /opt/airlock/license/ + name: airlock-microgateway-license + readOnly: true + - mountPath: /operator_config.yaml + name: operator-config + subPath: operator_config.yaml + - mountPath: /sidecar/engine_container_template.yaml + name: operator-config + subPath: engine_container_template.yaml + - mountPath: /sidecar/network_manager_container_template.yaml + name: operator-config + subPath: network_manager_container_template.yaml + - mountPath: /engine_bootstrap_config_template.yaml + name: operator-config + subPath: engine_bootstrap_config_template.yaml + securityContext: + runAsNonRoot: true + serviceAccountName: airlock-microgateway-operator-controller-manager + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert + - name: airlock-microgateway-license + secret: + defaultMode: 292 + optional: true + secretName: airlock-microgateway-license + - configMap: + name: airlock-microgateway-operator-operator-config + name: operator-config 
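Review bot: the two `ergon/*` images in this Deployment are pinned by digest, but `gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0` is pinned by tag only, so the one container that terminates TLS for the metrics endpoint is the one without an immutable reference; pin it by digest as well. Also in this hunk: `--v=10` is klog's maximum verbosity and logs every proxied request in detail, which is a debug setting rather than a production default; the kube-rbac-proxy container has no `resources` block while the manager container does; and neither container (nor the pod `securityContext`) sets `seccompProfile: {type: RuntimeDefault}`, which the `restricted` Pod Security Standard requires in addition to the `allowPrivilegeEscalation`, `capabilities.drop`, `readOnlyRootFilesystem` and `runAsNonRoot` settings already present.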
diff --git a/deploy/deployment/Issuer_airlock-microgateway-operator-selfsigned-issuer.yaml b/deploy/deployment/Issuer_airlock-microgateway-operator-selfsigned-issuer.yaml new file mode 100644 index 0000000..e419c79 --- /dev/null +++ b/deploy/deployment/Issuer_airlock-microgateway-operator-selfsigned-issuer.yaml @@ -0,0 +1,10 @@ +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: airlock-microgateway-operator-selfsigned-issuer +spec: + selfSigned: {} diff --git a/deploy/deployment/MutatingWebhookConfiguration_airlock-microgateway-operator-webhook-ns.yaml b/deploy/deployment/MutatingWebhookConfiguration_airlock-microgateway-operator-webhook-ns.yaml new file mode 100644 index 0000000..4cc48e3 --- /dev/null +++ b/deploy/deployment/MutatingWebhookConfiguration_airlock-microgateway-operator-webhook-ns.yaml @@ -0,0 +1,37 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: OPERATOR_NAMESPACE/airlock-microgateway-operator-serving-cert + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: airlock-microgateway-operator-webhook-ns +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: airlock-microgateway-operator-webhook + namespace: system + path: /mutate-v1-pod + failurePolicy: Fail + name: mutate-pod.microgateway.airlock.com + namespaceSelector: + matchExpressions: + - key: control-plane + operator: NotIn + values: + - airlock-microgateway-operator + reinvocationPolicy: IfNeeded + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + sideEffects: None 
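Review bot: `failurePolicy: Fail` on `mutate-pod.microgateway.airlock.com`, combined with a `namespaceSelector` that excludes only namespaces labelled `control-plane=airlock-microgateway-operator`, means that whenever the operator webhook is unreachable (rollout, crash, or the single replica from the Deployment being rescheduled) CREATE of every Pod in the cluster, kube-system included, is rejected. Consider making injection opt-in via a namespace or pod label (an `objectSelector` or an `In` expression in the `namespaceSelector`), or at minimum exclude `kube-system` and the namespace running cert-manager: the webhook's serving certificate is issued by cert-manager (`cert-manager.io/inject-ca-from`), so a cert-manager pod that cannot be recreated because this webhook is failing leaves no recovery path short of deleting the MutatingWebhookConfiguration.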
diff --git a/deploy/deployment/Namespace_airlock-microgateway-system.yaml b/deploy/deployment/Namespace_airlock-microgateway-system.yaml new file mode 100644 index 0000000..61e7906 --- /dev/null +++ b/deploy/deployment/Namespace_airlock-microgateway-system.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + control-plane: airlock-microgateway-operator + name: airlock-microgateway-system diff --git a/deploy/deployment/RoleBinding_airlock-microgateway-operator-leader-election.yaml b/deploy/deployment/RoleBinding_airlock-microgateway-operator-leader-election.yaml new file mode 100644 index 0000000..42535c3 --- /dev/null +++ b/deploy/deployment/RoleBinding_airlock-microgateway-operator-leader-election.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: airlock-microgateway-operator-leader-election +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: airlock-microgateway-operator-leader-election +subjects: + - kind: ServiceAccount + name: airlock-microgateway-operator-controller-manager diff --git a/deploy/deployment/Role_airlock-microgateway-operator-leader-election.yaml b/deploy/deployment/Role_airlock-microgateway-operator-leader-election.yaml new file mode 100644 index 0000000..4bb66d7 --- /dev/null +++ b/deploy/deployment/Role_airlock-microgateway-operator-leader-election.yaml 
@@ -0,0 +1,40 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: airlock-microgateway-operator-leader-election +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch diff --git a/deploy/deployment/ServiceAccount_airlock-microgateway-operator-controller-manager.yaml b/deploy/deployment/ServiceAccount_airlock-microgateway-operator-controller-manager.yaml new file mode 100644 index 0000000..d7cb931 --- /dev/null +++ b/deploy/deployment/ServiceAccount_airlock-microgateway-operator-controller-manager.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: airlock-microgateway-operator-controller-manager diff --git a/deploy/deployment/Service_airlock-microgateway-operator-metrics.yaml b/deploy/deployment/Service_airlock-microgateway-operator-metrics.yaml new file mode 100644 index 0000000..e39a081 --- /dev/null +++ b/deploy/deployment/Service_airlock-microgateway-operator-metrics.yaml 
@@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + control-plane: airlock-microgateway-operator + name: airlock-microgateway-operator-metrics +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: https + selector: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + control-plane: airlock-microgateway-operator diff --git a/deploy/deployment/Service_airlock-microgateway-operator-webhook.yaml b/deploy/deployment/Service_airlock-microgateway-operator-webhook.yaml new file mode 100644 index 0000000..f09eb3e --- /dev/null +++ b/deploy/deployment/Service_airlock-microgateway-operator-webhook.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: airlock-microgateway-operator-webhook +spec: + ports: + - appProtocol: https + name: webhook + port: 443 + protocol: TCP + targetPort: 9443 + selector: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + control-plane: airlock-microgateway-operator diff --git a/deploy/deployment/Service_airlock-microgateway-operator-xds.yaml b/deploy/deployment/Service_airlock-microgateway-operator-xds.yaml new file mode 100644 index 0000000..af903f1 --- /dev/null +++ b/deploy/deployment/Service_airlock-microgateway-operator-xds.yaml 
@@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: airlock-microgateway-operator-xds +spec: + ports: + - appProtocol: grpc + name: xds + port: 13377 + protocol: TCP + targetPort: 13377 + selector: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + control-plane: airlock-microgateway-operator diff --git a/deploy/deployment/ValidatingWebhookConfiguration_airlock-microgateway-operator-webhook-ns.yaml b/deploy/deployment/ValidatingWebhookConfiguration_airlock-microgateway-operator-webhook-ns.yaml new file mode 100644 index 0000000..5e8fbca --- /dev/null +++ b/deploy/deployment/ValidatingWebhookConfiguration_airlock-microgateway-operator-webhook-ns.yaml 
@@ -0,0 +1,218 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: OPERATOR_NAMESPACE/airlock-microgateway-operator-serving-cert + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.0.0-beta1 + name: airlock-microgateway-operator-webhook-ns +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: airlock-microgateway-operator-webhook + namespace: system + path: /validate-microgateway-airlock-com-v1alpha1-envoycluster + failurePolicy: Fail + name: validate-envoycluster.microgateway.airlock.com + namespaceSelector: + matchExpressions: + - key: control-plane + operator: NotIn + values: + - airlock-microgateway-operator + rules: + - apiGroups: + - microgateway.airlock.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - envoyclusters + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: airlock-microgateway-operator-webhook + namespace: system + path: /validate-microgateway-airlock-com-v1alpha1-envoyhttpfilter + failurePolicy: Fail + name: validate-envoyhttpfilter.microgateway.airlock.com + namespaceSelector: + matchExpressions: + - key: control-plane + operator: NotIn + values: + - airlock-microgateway-operator + rules: + - apiGroups: + - microgateway.airlock.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - envoyhttpfilters + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: airlock-microgateway-operator-webhook + namespace: system + path: /validate-microgateway-airlock-com-v1alpha1-denyrules + failurePolicy: Fail + name: validate-denyrules.microgateway.airlock.com + namespaceSelector: + matchExpressions: + - key: control-plane + operator: NotIn + values: + - airlock-microgateway-operator + rules: + - apiGroups: + - 
microgateway.airlock.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - denyrules + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: airlock-microgateway-operator-webhook + namespace: system + path: /validate-microgateway-airlock-com-v1alpha1-headerrewrites + failurePolicy: Fail + name: validate-headerrewrites.microgateway.airlock.com + namespaceSelector: + matchExpressions: + - key: control-plane + operator: NotIn + values: + - airlock-microgateway-operator + rules: + - apiGroups: + - microgateway.airlock.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - headerrewrites + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: airlock-microgateway-operator-webhook + namespace: system + path: /validate-microgateway-airlock-com-v1alpha1-parser + failurePolicy: Fail + name: validate-parser.microgateway.airlock.com + namespaceSelector: + matchExpressions: + - key: control-plane + operator: NotIn + values: + - airlock-microgateway-operator + rules: + - apiGroups: + - microgateway.airlock.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - parsers + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: airlock-microgateway-operator-webhook + namespace: system + path: /validate-microgateway-airlock-com-v1alpha1-limits + failurePolicy: Fail + name: validate-limits.microgateway.airlock.com + namespaceSelector: + matchExpressions: + - key: control-plane + operator: NotIn + values: + - airlock-microgateway-operator + rules: + - apiGroups: + - microgateway.airlock.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - limits + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: airlock-microgateway-operator-webhook + namespace: system + path: /validate-microgateway-airlock-com-v1alpha1-sidecargateway + 
failurePolicy: Fail + name: validate-sidecargateway.microgateway.airlock.com + namespaceSelector: + matchExpressions: + - key: control-plane + operator: NotIn + values: + - airlock-microgateway-operator + rules: + - apiGroups: + - microgateway.airlock.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - sidecargateways + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: airlock-microgateway-operator-webhook + namespace: system + path: /validate-v1-pod + failurePolicy: Fail + name: validate-pod.microgateway.airlock.com + namespaceSelector: + matchExpressions: + - key: control-plane + operator: NotIn + values: + - airlock-microgateway-operator + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - UPDATE + resources: + - pods + sideEffects: None diff --git a/deploy/deployment/kustomization.yaml b/deploy/deployment/kustomization.yaml new file mode 100644 index 0000000..5fc5d71 --- /dev/null +++ b/deploy/deployment/kustomization.yaml 
@@ -0,0 +1,23 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: airlock-microgateway-system +resources: + - Certificate_airlock-microgateway-operator-serving-cert.yaml + - ClusterRoleBinding_airlock-microgateway-operator-manager-ns.yaml + - ClusterRoleBinding_airlock-microgateway-operator-proxy-ns.yaml + - ClusterRole_airlock-microgateway-operator-manager-ns.yaml + - ClusterRole_airlock-microgateway-operator-proxy-ns.yaml + - ConfigMap_airlock-microgateway-operator-operator-config.yaml + - Deployment_airlock-microgateway-operator-controller-manager.yaml + - Issuer_airlock-microgateway-operator-selfsigned-issuer.yaml + - MutatingWebhookConfiguration_airlock-microgateway-operator-webhook-ns.yaml + - Namespace_airlock-microgateway-system.yaml + - RoleBinding_airlock-microgateway-operator-leader-election.yaml + - Role_airlock-microgateway-operator-leader-election.yaml + - ServiceAccount_airlock-microgateway-operator-controller-manager.yaml + - Service_airlock-microgateway-operator-metrics.yaml + - Service_airlock-microgateway-operator-webhook.yaml + - Service_airlock-microgateway-operator-xds.yaml + - ValidatingWebhookConfiguration_airlock-microgateway-operator-webhook-ns.yaml +replacements: + - path: replacement_operator_namespace.yaml diff --git a/deploy/deployment/replacement_operator_namespace.yaml b/deploy/deployment/replacement_operator_namespace.yaml new file mode 100644 index 0000000..863447b --- /dev/null +++ b/deploy/deployment/replacement_operator_namespace.yaml 
@@ -0,0 +1,81 @@ +source: + kind: Namespace + fieldPath: metadata.name +targets: + - select: + kind: Certificate + name: airlock-microgateway-operator-serving-cert + fieldPaths: + - spec.dnsNames.0 + - spec.dnsNames.1 + options: + delimiter: '.' + index: 1 + - select: + kind: ValidatingWebhookConfiguration + fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 0 + - select: + kind: ValidatingWebhookConfiguration + fieldPaths: + - metadata.name + options: + delimiter: '-' + index: 4 + - select: + kind: ValidatingWebhookConfiguration + fieldPaths: + - webhooks.*.clientConfig.service.namespace + - select: + kind: MutatingWebhookConfiguration + fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 0 + - select: + kind: MutatingWebhookConfiguration + fieldPaths: + - metadata.name + options: + delimiter: '-' + index: 4 + - select: + kind: MutatingWebhookConfiguration + fieldPaths: + - webhooks.*.clientConfig.service.namespace + - select: + kind: ClusterRole + name: airlock-microgateway-operator-manager-ns + fieldPaths: + - metadata.name + options: + delimiter: '-' + index: 4 + - select: + kind: ClusterRoleBinding + name: airlock-microgateway-operator-manager-ns + fieldPaths: + - metadata.name + options: + delimiter: '-' + index: 4 + - select: + kind: ClusterRole + name: airlock-microgateway-operator-proxy-ns + fieldPaths: + - metadata.name + options: + delimiter: '-' + index: 4 + - select: + kind: ClusterRoleBinding + name: airlock-microgateway-operator-proxy-ns + fieldPaths: + - metadata.name + options: + delimiter: '-' + index: 4 diff --git a/deploy/operator-installation/kustomization.yaml b/deploy/operator-installation/kustomization.yaml new file mode 100644 index 0000000..2ad543d --- /dev/null +++ b/deploy/operator-installation/kustomization.yaml 
@@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ../crds + - ../crd-rbac + - ../deployment diff --git a/examples/README.md b/examples/README.md new file mode 100644 index 0000000..f34c035 --- /dev/null +++ b/examples/README.md @@ -0,0 +1,4 @@ +# Description +The following folders contain example configurations and utility manifest files. This should help to get started with Airlock Microgateway. +* `configurations`: Folder that contains examples on how to protect an application with Airlock Microgateway. +* `utilities`: Contains utility manifests, like backends and prerequisites for the Airlock Microgateway Operator Deployment. \ No newline at end of file diff --git a/examples/configurations/basic/README.md b/examples/configurations/basic/README.md new file mode 100644 index 0000000..ad40588 --- /dev/null +++ b/examples/configurations/basic/README.md @@ -0,0 +1,43 @@ +# Description +This folder contains the most basic example to get started with an almost empty `SidecarGateway` CR that will protect the `nginx` backend. The backend is defined in `examples/utilities/backends/nginx-protected`. + +* Execute + ``` + kubectl apply -k https://github.com/airlock/microgateway/examples/configurations/basic/ + ``` + to deploy the application. + + +* Perform a test call + + *Request* + ``` + kubectl run test-caller --image=curlimages/curl --rm --restart=Never -i --tty --command -- curl -v "http://nginx:8080/" + ``` + + *Output* + ``` + + +
+If you see this page, the nginx web server is successfully installed and + working. Further configuration is required.
+ +For online documentation and support please refer to
+ nginx.org.
+ Commercial support is available at
+ nginx.com.
Thank you for using nginx.
+ + + ``` \ No newline at end of file diff --git a/examples/configurations/basic/kustomization.yaml b/examples/configurations/basic/kustomization.yaml new file mode 100644 index 0000000..1737f3f --- /dev/null +++ b/examples/configurations/basic/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../../utilities/backends/nginx-protected + - sidecargateway.yaml diff --git a/examples/configurations/basic/sidecargateway.yaml b/examples/configurations/basic/sidecargateway.yaml new file mode 100644 index 0000000..5138779 --- /dev/null +++ b/examples/configurations/basic/sidecargateway.yaml @@ -0,0 +1,10 @@ +apiVersion: microgateway.airlock.com/v1alpha1 +kind: SidecarGateway +metadata: + name: basic +spec: + podSelector: + matchLabels: + app: nginx + applications: + - containerPort: 8080 \ No newline at end of file diff --git a/examples/configurations/policy/README.md b/examples/configurations/policy/README.md new file mode 100644 index 0000000..e94cebf --- /dev/null +++ b/examples/configurations/policy/README.md 
@@ -0,0 +1,59 @@ +# Description +There are different tools available to enforce policies for Kubernetes resources. The most famous ones are Open Policy Agent Gatekeeper, Kyverno or Kubewarden. They allow enforcing constraints on Kubernetes resources which includes the Microgateway CRDs. + +Basically, the mentioned tools do the same but in detail, they differ in their policy language, Kubernetes-native integration, possibility to use outside Kubernetes, and integration in CI/CD pipeline. This is why you should check which of them suits best for you and whether you use already one of them. + +## Examples +### Prerequisites +First install the Kyverno operator: +``` +kubectl apply --server-side=true -k https://github.com/airlock/microgateway/examples/utilities/kyverno/ +``` + +Apply the Kyverno policy: +``` +kubectl apply -k https://github.com/airlock/microgateway/examples/configurations/policy +``` + + +### Allowed Example +The following example shows a policy with Kyverno which allows secure deny rules settings. + +``` +kubectl apply -k https://github.com/airlock/microgateway/examples/configurations/policy/allowed +``` + +Output +``` +denyrules.microgateway.airlock.com/denyrule1-ok created +denyrules.microgateway.airlock.com/denyrule2-ok created +``` + +### Denied Example +This following example shows a policy with Kyverno which denies insecure deny rules settings. + +``` +kubectl apply -k https://github.com/airlock/microgateway/examples/configurations/policy/denied +``` + +Output +``` +Error from server: error when creating "https://github.com/airlock/microgateway/examples/configurations/policy/denied/denyrules-1.yaml": admission webhook "validate.kyverno.svc-fail" denied the request: + +resource DenyRules/default/denyrule1-nok was blocked due to the following policies + +disallow-insecure-denyrules: + disallow-insecure-threatHandlingMode: 'DenyRules with ''threatHandlingMode'' other + than ''block'' is not allowed. 
' + +Error from server: error when creating "https://github.com/airlock/microgateway/examples/configurations/policy/denied/denyrules-2.yaml": admission webhook "validate.kyverno.svc-fail" denied the request: + +resource DenyRules/default/denyrule2-nok was blocked due to the following policies + +disallow-insecure-denyrules: + disallow-denyRules-with-insecure-security-level: 'DenyRules with ''level'' other + than ''standard'' or ''strict'' is not allowed. ' + +``` + +For detailed information consult the [documentation](https://docs.airlock.com/microgateway/nightly/#data/1668421866273.html). \ No newline at end of file diff --git a/examples/configurations/policy/allowed/denyrules-1.yaml b/examples/configurations/policy/allowed/denyrules-1.yaml new file mode 100644 index 0000000..69bcbfc --- /dev/null +++ b/examples/configurations/policy/allowed/denyrules-1.yaml @@ -0,0 +1,11 @@ +apiVersion: microgateway.airlock.com/v1alpha1 +kind: DenyRules +metadata: + annotations: + name: denyrule1-ok +spec: + request: + builtIn: + settings: + level: strict + threatHandlingMode: block diff --git a/examples/configurations/policy/allowed/denyrules-2.yaml b/examples/configurations/policy/allowed/denyrules-2.yaml new file mode 100644 index 0000000..fdc9175 --- /dev/null +++ b/examples/configurations/policy/allowed/denyrules-2.yaml @@ -0,0 +1,10 @@ +apiVersion: microgateway.airlock.com/v1alpha1 +kind: DenyRules +metadata: + annotations: + name: denyrule2-ok +spec: + request: + builtIn: + settings: + threatHandlingMode: block diff --git a/examples/configurations/policy/allowed/kustomization.yaml b/examples/configurations/policy/allowed/kustomization.yaml new file mode 100644 index 0000000..f315f93 --- /dev/null +++ b/examples/configurations/policy/allowed/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - denyrules-1.yaml + - denyrules-2.yaml 
diff --git a/examples/configurations/policy/denied/denyrules-1.yaml b/examples/configurations/policy/denied/denyrules-1.yaml new file mode 100644 index 0000000..dbbe74c --- /dev/null +++ b/examples/configurations/policy/denied/denyrules-1.yaml @@ -0,0 +1,11 @@ +apiVersion: microgateway.airlock.com/v1alpha1 +kind: DenyRules +metadata: + annotations: + name: denyrule1-nok +spec: + request: + builtIn: + settings: + level: strict + threatHandlingMode: logOnly diff --git a/examples/configurations/policy/denied/denyrules-2.yaml b/examples/configurations/policy/denied/denyrules-2.yaml new file mode 100644 index 0000000..e1341a6 --- /dev/null +++ b/examples/configurations/policy/denied/denyrules-2.yaml @@ -0,0 +1,11 @@ +apiVersion: microgateway.airlock.com/v1alpha1 +kind: DenyRules +metadata: + annotations: + name: denyrule2-nok +spec: + request: + builtIn: + settings: + level: basic + threatHandlingMode: block diff --git a/examples/configurations/policy/denied/kustomization.yaml b/examples/configurations/policy/denied/kustomization.yaml new file mode 100644 index 0000000..f315f93 --- /dev/null +++ b/examples/configurations/policy/denied/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - denyrules-1.yaml + - denyrules-2.yaml diff --git a/examples/configurations/policy/kustomization.yaml b/examples/configurations/policy/kustomization.yaml new file mode 100644 index 0000000..5ab8995 --- /dev/null +++ b/examples/configurations/policy/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - kyverno-policy.yaml diff --git a/examples/configurations/policy/kyverno-policy.yaml b/examples/configurations/policy/kyverno-policy.yaml new file mode 100644 index 0000000..38fecfa --- /dev/null +++ b/examples/configurations/policy/kyverno-policy.yaml 
@@ -0,0 +1,62 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-insecure-denyrules + annotations: + policies.kyverno.io/title: Disallow insecure DenyRules + policies.kyverno.io/category: Security + policies.kyverno.io/severity: high + kyverno.io/kyverno-version: 1.6.0 + policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kubernetes-version: "1.20" + policies.kyverno.io/subject: DenyRules + policies.kyverno.io/description: >- + Description: Disallow insecure DenyRules settings for 'threatHandlingMode', security 'level', ... + Contact: security@company.com +spec: + validationFailureAction: Enforce + background: true + rules: + - name: disallow-insecure-threatHandlingMode + match: + any: + - resources: + kinds: + - microgateway.airlock.com/v1alpha1/DenyRules + preconditions: + all: + - key: "{{ request.operation || 'BACKGROUND' }}" + operator: NotEquals + value: DELETE + validate: + message: >- + DenyRules with 'threatHandlingMode' other than 'block' is not allowed. + deny: + conditions: + all: + - key: "{{ request.object.spec.request.builtIn.settings.threatHandlingMode }}" + operator: AnyNotIn + value: + - block + - name: disallow-denyRules-with-insecure-security-level + match: + any: + - resources: + kinds: + - microgateway.airlock.com/v1alpha1/DenyRules + preconditions: + all: + - key: "{{ request.operation || 'BACKGROUND' }}" + operator: NotEquals + value: DELETE + validate: + message: >- + DenyRules with 'level' other than 'standard' or 'strict' is not allowed. + deny: + conditions: + all: + - key: "{{ request.object.spec.request.builtIn.settings.level }}" + operator: AnyNotIn + value: + - standard + - strict diff --git a/examples/configurations/templating/README.md b/examples/configurations/templating/README.md new file mode 100644 index 0000000..b780540 --- /dev/null +++ b/examples/configurations/templating/README.md 
@@ -0,0 +1,17 @@ +# Description +This folder contains example manifest files to be used with kustomize for the templating use-case. With this use-case one defines a base template (analogous to the `templates` folder) that contains the base configuration, +which can be reused by a varity of application deployments. To override configuration elements of the template, apply a kustomization manifest file on top of the template (See [kustomize](https://kustomize.io/) for more information). +The folder `templates` contains the template manifest files that are referenced in the `kustomization.yaml` file which applies various patches to the resources. Instead of a folder it is possible to reference a git repository which contains the templates. To use a remote target change the `resources` in the kustomization file as follows: + +local folder +```yaml +resources: + - templates +``` +remote target +```yaml +resources: + - https://github.com/your-organisation/repository/templates/ +``` + +For detailed information consult the [documentation](https://docs.airlock.com/microgateway/latest/#data/1668421864983.html). \ No newline at end of file diff --git a/examples/configurations/templating/kustomization.yaml b/examples/configurations/templating/kustomization.yaml new file mode 100644 index 0000000..3c7b7a3 --- /dev/null +++ b/examples/configurations/templating/kustomization.yaml 
@@ -0,0 +1,79 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - templates + +commonAnnotations: + mycompany.com/owner: "Project X" + mycompany.com/contact: "+41 00 123 45 67" + +commonLabels: + app.kubernetes.io/name: my-application + app.kubernetes.io/part-of: my-application-i-belong-too + +patchesJSON6902: + - target: + group: microgateway.airlock.com + version: v1alpha1 + kind: SidecarGateway + name: template + patch: |- + - op: replace + path: /metadata/name + value: my-app + - op: replace + path: /spec/podSelector/matchLabels/app + value: my-app-label + - op: replace + path: /spec/applications + value: + - containerPort: 8080 + routes: + - pathPrefix: / + secured: + contentSecurityRef: + name: my-app + - target: + group: microgateway.airlock.com + version: v1alpha1 + kind: ContentSecurity + name: template + patch: |- + - op: replace + path: /metadata/name + value: my-app + - op: replace + path: /spec/filter/denyRulesRef/name + value: my-app + - op: replace + path: /spec/headerRewritesRef/name + value: my-app + - target: + group: microgateway.airlock.com + version: v1alpha1 + kind: DenyRules + name: template + patch: |- + - op: replace + path: /metadata/name + value: my-app + - op: add + path: /spec/request/builtIn/exceptions + value: + - blockedData: + header: + name: + matcher: + exact: User-Agent + ruleKeys: + - XSS + - target: + group: microgateway.airlock.com + version: v1alpha1 + kind: HeaderRewrites + name: template + patch: |- + - op: replace + path: /metadata/name + value: my-app \ No newline at end of file diff --git a/examples/configurations/templating/templates/contentsecurity.yaml b/examples/configurations/templating/templates/contentsecurity.yaml new file mode 100644 index 0000000..49160be --- /dev/null +++ b/examples/configurations/templating/templates/contentsecurity.yaml 
@@ -0,0 +1,10 @@ +apiVersion: microgateway.airlock.com/v1alpha1 +kind: ContentSecurity +metadata: + name: template +spec: + filter: + denyRulesRef: + name: template + headerRewritesRef: + name: template \ No newline at end of file diff --git a/examples/configurations/templating/templates/denyrules.yaml b/examples/configurations/templating/templates/denyrules.yaml new file mode 100644 index 0000000..7e4c793 --- /dev/null +++ b/examples/configurations/templating/templates/denyrules.yaml @@ -0,0 +1,10 @@ +apiVersion: microgateway.airlock.com/v1alpha1 +kind: DenyRules +metadata: + name: template +spec: + request: + builtIn: + settings: + level: standard + threatHandlingMode: block \ No newline at end of file diff --git a/examples/configurations/templating/templates/headerrewrites.yaml b/examples/configurations/templating/templates/headerrewrites.yaml new file mode 100644 index 0000000..91666a7 --- /dev/null +++ b/examples/configurations/templating/templates/headerrewrites.yaml 
@@ -0,0 +1,82 @@ +apiVersion: microgateway.airlock.com/v1alpha1 +kind: HeaderRewrites +metadata: + name: template +spec: + request: + allow: + matchingHeaders: + builtIn: + standardHeaders: true + custom: + - name: Allow additional request header + headers: + - name: + matcher: + exact: Accept-Auth + - name: + matcher: + exact: Depth + - name: + matcher: + exact: Destination + - name: + matcher: + exact: If + - name: + matcher: + exact: Lock-Token + - name: + matcher: + exact: Overwrite + - name: + matcher: + exact: Timeout + - name: + matcher: + exact: translate + - name: + matcher: + exact: X-FeatureVersion + - name: + matcher: + exact: X-IDCRL_ACCEPTED + - name: + matcher: + exact: X-IDCRL_OPTIONS + - name: + matcher: + exact: X-MSGETWEBURL + - name: + matcher: + exact: X-MS-CookieUri-Requested + - name: + matcher: + exact: X-Office-Major-Version + - name: + matcher: + exact: Content-Length + remove: + builtIn: + alternativeForwardedHeaders: true + response: + add: + builtIn: + csp: true + featurePolicy: true + hsts: true + hstsPreload: false + referrerPolicy: true + xContentTypeOptions: true + xFrameOptions: true + allow: + matchingHeaders: + builtIn: + standardHeaders: false + remove: + builtIn: + auth: + basic: false + negotiate: true + ntlm: true + permissiveCors: true \ No newline at end of file diff --git a/examples/configurations/templating/templates/kustomization.yaml b/examples/configurations/templating/templates/kustomization.yaml new file mode 100644 index 0000000..1f43e61 --- /dev/null +++ b/examples/configurations/templating/templates/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - sidecargateway.yaml + - contentsecurity.yaml + - headerrewrites.yaml + - denyrules.yaml + +commonLabels: + app.kubernetes.io/template-version: 1.0.1 + app.kubernetes.io/version: 4.0.0 + app.kubernetes.io/component: airlock-microgateway \ No newline at end of file 
diff --git a/examples/configurations/templating/templates/sidecargateway.yaml b/examples/configurations/templating/templates/sidecargateway.yaml new file mode 100644 index 0000000..311d8a9 --- /dev/null +++ b/examples/configurations/templating/templates/sidecargateway.yaml @@ -0,0 +1,15 @@ +apiVersion: microgateway.airlock.com/v1alpha1 +kind: SidecarGateway +metadata: + name: template +spec: + podSelector: + matchLabels: + app:
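Review bot: the `validate-pod.microgateway.airlock.com` entry at the end of the ValidatingWebhookConfiguration hunk combines `failurePolicy: Fail`, `operations: [UPDATE]` on core `pods`, and a `namespaceSelector` that only excludes namespaces labelled `control-plane=airlock-microgateway-operator`; it therefore intercepts pod updates in every other namespace, kube-system included, and if the `airlock-microgateway-operator-webhook` Service is unreachable those updates are rejected cluster-wide. Consider narrowing the scope with an `objectSelector` (or a namespaceSelector that opts namespaces in rather than out) so an operator outage cannot block unrelated workloads, or document the trade-off in a comment next to the `failurePolicy` line.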
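Review bot: the `metadata.name` replacements in deploy/deployment/replacement_operator_namespace.yaml rely on positional splitting (`delimiter: '-'`, `index: 4`) and will silently produce a wrong name if any selected resource is ever renamed to a different number of `-`-separated segments. A short comment stating the expected shape `airlock-microgateway-operator-<component>-<namespace>` (with the `ns` suffix being the placeholder that gets replaced) would make the convention visible to the next editor.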
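Review bot: the closing documentation link in examples/configurations/policy/README.md points at `https://docs.airlock.com/microgateway/nightly/...`, whereas the other READMEs in this change link `microgateway/latest/`; nightly pages move, so this should use `latest` as well. Minor wording in the same file: "whether you use already one of them" reads better as "whether you already use one of them".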
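Review bot: both rules in examples/configurations/policy/kyverno-policy.yaml only fire when the inspected field is explicitly set. `disallow-denyRules-with-insecure-security-level` evaluates `request.object.spec.request.builtIn.settings.level`, yet allowed/denyrules-2.yaml omits `level` entirely and the README output shows it being created, so whatever the CRD defaults `level` to is never checked by the policy; the same applies to `threatHandlingMode`. If the defaults are not `standard`/`strict` and `block`, a resource bypasses the policy simply by leaving the keys out. Either add a condition that rejects a missing key, or state the CRD defaults in the README so readers know the omission is safe.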
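Review bot: the remote-target snippet in examples/configurations/templating/README.md, `https://github.com/your-organisation/repository/templates/`, is unpinned; kustomize remote resources accept a `?ref=<tag-or-commit>` query, and a template base pulled from the default branch at every build changes the security configuration of every consumer without review. Suggest showing the pinned form in the example. Typo in the same paragraph: "varity" should be "variety".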
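Review bot: the DenyRules patch in examples/configurations/templating/kustomization.yaml adds an `exceptions` entry that exempts the `User-Agent` request header from the `XSS` rule key. Readers copy this overlay as a starting point, so the example should say why that header is exempted (a YAML comment on the `- op: add` entry is enough); an unexplained exception in a template is exactly the kind of setting that survives into production. Two smaller points: the field is spelled `patchesJson6902` in the kustomize docs and is deprecated in favour of `patches` in kustomize v5, and `my-application-i-belong-too` should read `my-application-i-belong-to`.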
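Review bot: in the custom request-header allow list in examples/configurations/templating/templates/headerrewrites.yaml, `exact: translate` is the only lowercase entry while every other name uses header-canonical case (`Depth`, `Destination`, `Lock-Token`, ...); if `exact` compares case-sensitively this entry will not match a `Translate` header, so either normalise the case or add a comment stating that matching is case-insensitive. Also worth a comment: `Content-Length` appears in a list titled "Allow additional request header" although `standardHeaders: true` is set for the same section, which leaves the reader unsure whether the built-in standard set excludes it.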
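Review bot: examples/configurations/templating/templates/kustomization.yaml labels every template resource with `app.kubernetes.io/version: 4.0.0`, but the operator's ValidatingWebhookConfiguration in this same change carries `app.kubernetes.io/version: 4.0.0-beta1`; pick one, otherwise the label cannot be used to tell which operator release a template was written for.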