From 8875f5daf35a49790aba0e4c2db14f6b848e2fdb Mon Sep 17 00:00:00 2001 From: nginx-bot Date: Wed, 26 Jun 2024 10:37:25 +0000 Subject: [PATCH 1/3] Update NGINX Ingress Controller to 3.6.0 --- ...ngress-operator.clusterserviceversion.yaml | 2 +- .../samples/charts_v1alpha1_nginxingress.yaml | 2 +- docs/nginx-ingress-controller.md | 2 +- .../nginx-ingress-controller.yaml | 2 +- .../nginx-ingress-controller.yaml | 2 +- helm-charts/nginx-ingress/Chart.yaml | 8 +- helm-charts/nginx-ingress/README.md | 37 +- .../crds/appprotect.f5.com_aplogconfs.yaml | 133 +- .../crds/appprotect.f5.com_appolicies.yaml | 3974 +++++++++-------- .../crds/appprotect.f5.com_apusersigs.yaml | 151 +- .../crds/k8s.nginx.org_policies.yaml | 21 + .../k8s.nginx.org_virtualserverroutes.yaml | 40 + .../crds/k8s.nginx.org_virtualservers.yaml | 40 + .../nginx-ingress/templates/_helpers.tpl | 71 +- ...olebiding.yaml => clusterrolebinding.yaml} | 0 .../templates/controller-daemonset.yaml | 3 + .../templates/controller-deployment.yaml | 3 + helm-charts/nginx-ingress/values-icp.yaml | 2 +- helm-charts/nginx-ingress/values-plus.yaml | 2 +- helm-charts/nginx-ingress/values.schema.json | 308 +- helm-charts/nginx-ingress/values.yaml | 75 +- 21 files changed, 2676 insertions(+), 2202 deletions(-) rename helm-charts/nginx-ingress/templates/{clusterrolebiding.yaml => clusterrolebinding.yaml} (100%) diff --git a/bundle/manifests/nginx-ingress-operator.clusterserviceversion.yaml b/bundle/manifests/nginx-ingress-operator.clusterserviceversion.yaml index e4ffae41..40b58dcb 100644 --- a/bundle/manifests/nginx-ingress-operator.clusterserviceversion.yaml +++ b/bundle/manifests/nginx-ingress-operator.clusterserviceversion.yaml @@ -77,7 +77,7 @@ metadata: "image": { "pullPolicy": "IfNotPresent", "repository": "nginx/nginx-ingress", - "tag": "3.5.2-ubi" + "tag": "3.6.0-ubi" }, "includeYear": false, "ingressClass": { 
diff --git a/config/samples/charts_v1alpha1_nginxingress.yaml b/config/samples/charts_v1alpha1_nginxingress.yaml index ce678ab4..379e3a0f 100644 --- a/config/samples/charts_v1alpha1_nginxingress.yaml +++ b/config/samples/charts_v1alpha1_nginxingress.yaml @@ -35,7 +35,7 @@ spec: customPorts: [] image: repository: nginx/nginx-ingress - tag: "3.5.2-ubi" + tag: "3.6.0-ubi" # digest: "sha256:CHANGEME" pullPolicy: IfNotPresent lifecycle: {} diff --git a/docs/nginx-ingress-controller.md b/docs/nginx-ingress-controller.md index b1f3aa83..cb80dbe4 100644 --- a/docs/nginx-ingress-controller.md +++ b/docs/nginx-ingress-controller.md @@ -47,7 +47,7 @@ spec: customPorts: [] image: repository: nginx/nginx-ingress - tag: "3.5.2-ubi" + tag: "3.6.0-ubi" # digest: "sha256:CHANGEME" pullPolicy: IfNotPresent lifecycle: {} diff --git a/examples/deployment-oss-min/nginx-ingress-controller.yaml b/examples/deployment-oss-min/nginx-ingress-controller.yaml index a38dfbf1..f94a359d 100644 --- a/examples/deployment-oss-min/nginx-ingress-controller.yaml +++ b/examples/deployment-oss-min/nginx-ingress-controller.yaml @@ -11,7 +11,7 @@ spec: image: pullPolicy: IfNotPresent repository: nginx/nginx-ingress - tag: 3.5.2-ubi + tag: 3.6.0-ubi ingressClass: name: nginx kind: deployment diff --git a/examples/deployment-plus-min/nginx-ingress-controller.yaml b/examples/deployment-plus-min/nginx-ingress-controller.yaml index 633178c0..ab93c75e 100644 --- a/examples/deployment-plus-min/nginx-ingress-controller.yaml +++ b/examples/deployment-plus-min/nginx-ingress-controller.yaml @@ -11,7 +11,7 @@ spec: image: pullPolicy: IfNotPresent repository: nginx/nginx-ingress - tag: 3.5.2-ubi + tag: 3.6.0-ubi ingressClass: name: nginx kind: deployment diff --git a/helm-charts/nginx-ingress/Chart.yaml b/helm-charts/nginx-ingress/Chart.yaml index 4ebc197b..223ec130 100644 --- a/helm-charts/nginx-ingress/Chart.yaml +++ b/helm-charts/nginx-ingress/Chart.yaml 
@@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: 3.5.2 +appVersion: 3.6.0 description: NGINX Ingress Controller home: https://github.com/nginxinc/kubernetes-ingress -icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/charts/nginx-ingress/chart-icon.png +icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/charts/nginx-ingress/chart-icon.png keywords: - ingress - nginx @@ -12,6 +12,6 @@ maintainers: name: nginxinc name: nginx-ingress sources: -- https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/charts/nginx-ingress +- https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/charts/nginx-ingress type: application -version: 1.2.2 +version: 1.3.0 diff --git a/helm-charts/nginx-ingress/README.md b/helm-charts/nginx-ingress/README.md index df8acd89..36ecbbdd 100644 --- a/helm-charts/nginx-ingress/README.md +++ b/helm-charts/nginx-ingress/README.md @@ -2,7 +2,7 @@ ## Introduction -This chart deploys the NGINX Ingress Controller in your Kubernetes cluster. +This chart deploys NGINX Ingress Controller in your Kubernetes cluster. ## Prerequisites @@ -51,10 +51,10 @@ kubectl apply -f crds/ Alternatively, CRDs can be upgraded without pulling the chart by running: ```console -kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/deploy/crds.yaml +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/deploy/crds.yaml ``` -In the above command, `v3.5.2` represents the version of NGINX Ingress Controller release rather than the Helm chart version. +In the above command, `v3.6.0` represents the version of NGINX Ingress Controller release rather than the Helm chart version. > **Note** 
> @@ -87,14 +87,14 @@ To install the chart with the release name my-release (my-release is the name th For NGINX: ```console -helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.2.2 +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.3.0 ``` For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry `myregistry.example.com`) ```console -helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.2.2 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.3.0 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true ``` This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to @@ -109,7 +109,7 @@ CRDs](#upgrading-the-crds). To upgrade the release `my-release`: ```console -helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.2.2 +helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.3.0 ``` ### Uninstalling the Chart @@ -150,7 +150,7 @@ upgrading/deleting the CRDs. 1. Pull the chart sources: ```console - helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.2.2 + helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.3.0 ``` 2. Change your working directory to nginx-ingress: @@ -236,7 +236,7 @@ The steps you should follow depend on the Helm release name: Selector: app=nginx-ingress-nginx-ingress ``` -2. Checkout the latest available tag using `git checkout v3.5.2` +2. Checkout the latest available tag using `git checkout v3.6.0` 3. Navigate to `/kubernates-ingress/charts/nginx-ingress` 
@@ -288,7 +288,7 @@ reviewing its events: Selector: app=-nginx-ingress ``` -2. Checkout the latest available tag using `git checkout v3.5.2` +2. Checkout the latest available tag using `git checkout v3.6.0` 3. Navigate to `/kubernates-ingress/charts/nginx-ingress` @@ -355,7 +355,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.logLevel` | The log level of the Ingress Controller. | 1 | |`controller.image.digest` | The image digest of the Ingress Controller. | None | |`controller.image.repository` | The image repository of the Ingress Controller. | nginx/nginx-ingress | -|`controller.image.tag` | The tag of the Ingress Controller image. | 3.5.2 | +|`controller.image.tag` | The tag of the Ingress Controller image. | 3.6.0 | |`controller.image.pullPolicy` | The pull policy for the Ingress Controller image. | IfNotPresent | |`controller.lifecycle` | The lifecycle of the Ingress Controller pods. | {} | |`controller.customConfigMap` | The name of the custom ConfigMap used by the Ingress Controller. If set, then the default config is ignored. | "" | 
@@ -386,7 +386,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.initContainerResources` | The resources of the init container which is used when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | requests: cpu=100m,memory=128Mi | |`controller.replicaCount` | The number of replicas of the Ingress Controller deployment. | 1 | |`controller.ingressClass.name` | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. | nginx | -|`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.5.2, do not set the value to false. | true | +|`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.6.0, do not set the value to false. 
| true | |`controller.ingressClass.setAsDefaultIngress` | New Ingresses without an `"ingressClassName"` field specified will be assigned the class specified in `controller.ingressClass.name`. Requires `controller.ingressClass.create`. | false | |`controller.watchNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespaceLabel`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchNamespace="default\,nginx-ingress"`. | "" | |`controller.watchNamespaceLabel` | Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespace`. | "" | 
@@ -443,6 +443,20 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.pod.annotations` | The annotations of the Ingress Controller pod. | {} | |`controller.pod.extraLabels` | The additional extra labels of the Ingress Controller pod. | {} | |`controller.appprotect.enable` | Enables the App Protect WAF module in the Ingress Controller. | false | +|`controller.appprotect.v5` | Enables App Protect WAF v5. | false | +|`controller.appprotect.volumes` | Volumes for App Protect WAF v5. | [{"name": "app-protect-bd-config", "emptyDir": {}},{"name": "app-protect-config", "emptyDir": {}},{"name": "app-protect-bundles", "emptyDir": {}}] | +|`controller.appprotect.enforcer.host` | Host that the App Protect WAF v5 Enforcer runs on. | "127.0.0.1" | +|`controller.appprotect.enforcer.port` | Port that the App Protect WAF v5 Enforcer runs on. | 50000 | +|`controller.appprotect.enforcer.image` | The image repository of the App Protect WAF v5 Enforcer. | private-registry.nginx.com/nap/waf-enforcer | +|`controller.appprotect.enforcer.tag` | The tag of the App Protect WAF v5 Enforcer. | "5.2.0" | +|`controller.appprotect.enforcer.digest` | The digest of the App Protect WAF v5 Enforcer. Takes precedence over tag if set. | "5.2.0" | +|`controller.appprotect.enforcer.pullPolicy` | The pull policy for the App Protect WAF v5 Enforcer image. | "5.2.0" | +|`controller.appprotect.enforcer.securityContext` | The security context for App Protect WAF v5 Enforcer container. | {} | +|`controller.appprotect.configManager.image` | The image repository of the App Protect WAF v5 Configuration Manager. | private-registry.nginx.com/nap/waf-config-mgr | +|`controller.appprotect.configManager.tag` | The tag of the App Protect WAF v5 Configuration Manager. | "5.2.0" | +|`controller.appprotect.configManager.digest` | The digest of the App Protect WAF v5 Configuration Manager. Takes precedence over tag if set. 
| "5.2.0" | +|`controller.appprotect.configManager.pullPolicy` | The pull policy for the App Protect WAF v5 Configuration Manager image. | "5.2.0" | +|`controller.appprotect.configManager.securityContext` | The security context for App Protect WAF v5 Configuration Manager container. | {"allowPrivilegeEscalation":false,"runAsUser":101,"runAsNonRoot":true,"capabilities":{"drop":["all"]}} | |`controller.appprotectdos.enable` | Enables the App Protect DoS module in the Ingress Controller. | false | |`controller.appprotectdos.debug` | Enable debugging for App Protect DoS. | false | |`controller.appprotectdos.maxDaemons` | Max number of ADMD instances. | 1 | @@ -473,6 +487,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.telemetryReporting.enable` | Enable telemetry reporting. | true | |`controller.enableWeightChangesDynamicReload` | Enable weight changes without reloading the NGINX configuration. May require increasing `map_hash_bucket_size`, `map_hash_max_size`, `variable_hash_bucket_size`, and `variable_hash_max_size` in the [ConfigMap](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) if there are many two-way splits. Requires `controller.nginxplus` | false | |`rbac.create` | Configures RBAC. | true | +|`rbac.clusterrole.create` | Configures creation of ClusterRole. Creation can be disabled when more fine-grained control over RBAC is required. For example when controller.watchNamespace is used. | true | |`prometheus.create` | Expose NGINX or NGINX Plus metrics in the Prometheus format. | true | |`prometheus.port` | Configures the port to scrape the metrics. | 9113 | |`prometheus.scheme` | Configures the HTTP scheme to use for connections to the Prometheus endpoint. | http | diff --git a/helm-charts/nginx-ingress/crds/appprotect.f5.com_aplogconfs.yaml b/helm-charts/nginx-ingress/crds/appprotect.f5.com_aplogconfs.yaml index 53b7fb40..8aacce99 100644 
--- a/helm-charts/nginx-ingress/crds/appprotect.f5.com_aplogconfs.yaml +++ b/helm-charts/nginx-ingress/crds/appprotect.f5.com_aplogconfs.yaml @@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: aplogconfs.appprotect.f5.com spec: group: appprotect.f5.com 
@@ -15,66 +14,70 @@ spec: preserveUnknownFields: false scope: Namespaced versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: APLogConf is the Schema for the APLogConfs API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: APLogConfSpec defines the desired state of APLogConf - properties: - content: - properties: - escaping_characters: - items: - properties: - from: - type: string - to: - type: string - type: object - type: array - format: - enum: - - splunk - - arcsight - - default - - user-defined - - grpc - type: string - format_string: - type: string - list_delimiter: - type: string - list_prefix: - type: string - list_suffix: - type: string - max_message_size: - pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$ - type: string - max_request_size: - pattern: ^([1-9]|[1-9][0-9]|[1-9][0-9]{2}|1[0-9]{3}|20[1-3][0-9]|204[1-8]|any)$ - type: string - type: object - filter: - properties: - request_type: - enum: - - all - - illegal - - blocked - type: string - type: object - type: object - type: object - served: true - storage: true + - name: v1beta1 + schema: + openAPIV3Schema: + description: APLogConf is the Schema for the APLogConfs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. 
Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APLogConfSpec defines the desired state of APLogConf + properties: + content: + properties: + escaping_characters: + items: + properties: + from: + type: string + to: + type: string + type: object + type: array + format: + enum: + - splunk + - arcsight + - default + - user-defined + - grpc + type: string + format_string: + type: string + list_delimiter: + type: string + list_prefix: + type: string + list_suffix: + type: string + max_message_size: + pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$ + type: string + max_request_size: + pattern: ^([1-9]|[1-9][0-9]|[1-9][0-9]{2}|[1-9][0-9]{3}|10[0-2][0-9][0-9]|[1-9]k|10k|any)$ + type: string + type: object + filter: + properties: + request_type: + enum: + - all + - illegal + - blocked + type: string + type: object + type: object + type: object + served: true + storage: true diff --git a/helm-charts/nginx-ingress/crds/appprotect.f5.com_appolicies.yaml b/helm-charts/nginx-ingress/crds/appprotect.f5.com_appolicies.yaml index 0ca4649c..4929c962 100644 --- a/helm-charts/nginx-ingress/crds/appprotect.f5.com_appolicies.yaml +++ b/helm-charts/nginx-ingress/crds/appprotect.f5.com_appolicies.yaml 
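Review bot: The new `max_request_size` pattern under `spec.content` accepts plain numbers up to 10299 through its `10[0-2][0-9][0-9]` alternative, while the `k` forms stop at `10k`. If the intended ceiling is 10k (10240), values 10241–10299 pass CRD validation and are only caught, or silently mishandled, later by whatever consumes the log configuration. Tightening that alternative to `10[01][0-9]{2}|102[0-3][0-9]|10240` would keep the numeric and `k` forms in agreement. The file carries a controller-gen annotation, so the fix presumably belongs in the upstream definition this CRD is produced from rather than in this copy.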
@@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: appolicies.appprotect.f5.com spec: group: appprotect.f5.com 
@@ -15,1515 +14,1192 @@ spec: preserveUnknownFields: false scope: Namespaced versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: APPolicyConfig is the Schema for the APPolicyconfigs API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: APPolicySpec defines the desired state of APPolicy - properties: - modifications: - items: - properties: - action: - type: string - description: - type: string - entity: - properties: - name: - type: string - type: object - entityChanges: - properties: - type: - type: string - type: object - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - modificationsReference: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APPolicyConfig is the Schema for the APPolicyconfigs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. 
In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APPolicySpec defines the desired state of APPolicy + properties: + modifications: + items: properties: - link: - pattern: ^http + action: type: string - type: object - policy: - description: Defines the App Protect policy - properties: - applicationLanguage: - enum: - - iso-8859-10 - - iso-8859-6 - - windows-1255 - - auto-detect - - koi8-r - - gb18030 - - iso-8859-8 - - windows-1250 - - iso-8859-9 - - windows-1252 - - iso-8859-16 - - gb2312 - - iso-8859-2 - - iso-8859-5 - - windows-1257 - - windows-1256 - - iso-8859-13 - - windows-874 - - windows-1253 - - iso-8859-3 - - euc-jp - - utf-8 - - gbk - - windows-1251 - - big5 - - iso-8859-1 - - shift_jis - - euc-kr - - iso-8859-4 - - iso-8859-7 - - iso-8859-15 + description: type: string - blocking-settings: + entity: properties: - evasions: - items: - properties: - description: - enum: - - '%u decoding' - - Apache whitespace - - Bad unescape - - Bare byte decoding - - Directory traversals - - IIS backslashes - - IIS Unicode codepoints - - Multiple decoding - - Multiple slashes - - Semicolon path parameters - - Trailing dot - - Trailing slash - type: string - enabled: - type: boolean - maxDecodingPasses: - type: integer - type: object - type: array - http-protocols: - items: - properties: - description: - enum: - - Unescaped space in URL - - Unparsable request content - - Several Content-Length headers - - 'POST request with Content-Length: 0' - - Null in request - - No Host header in HTTP/1.1 request - - Multiple host headers - - Host header contains IP address - - High ASCII characters in headers - - Header name with no header value - - CRLF characters before request start - - Content length should be a positive number - - Chunked request with Content-Length header - - Check maximum number of cookies - - Check maximum number of 
parameters - - Check maximum number of headers - - Body in GET or HEAD requests - - Bad multipart/form-data request parsing - - Bad multipart parameters parsing - - Bad HTTP version - - Bad host header value - type: string - enabled: - type: boolean - maxCookies: - maximum: 100 - minimum: 1 - type: integer - maxHeaders: - maximum: 150 - minimum: 1 - type: integer - maxParams: - maximum: 5000 - minimum: 1 - type: integer - type: object - type: array - violations: - items: - properties: - alarm: - type: boolean - block: - type: boolean - description: - type: string - name: - enum: - - "VIOL_ACCESS_INVALID" - - "VIOL_ACCESS_MALFORMED" - - "VIOL_ACCESS_MISSING" - - "VIOL_ASM_COOKIE_HIJACKING" - - "VIOL_ASM_COOKIE_MODIFIED" - - "VIOL_BLACKLISTED_IP" - - "VIOL_COOKIE_EXPIRED" - - "VIOL_COOKIE_LENGTH" - - "VIOL_COOKIE_MALFORMED" - - "VIOL_COOKIE_MODIFIED" - - "VIOL_CSRF" - - "VIOL_DATA_GUARD" - - "VIOL_ENCODING" - - "VIOL_EVASION" - - "VIOL_FILETYPE" - - "VIOL_FILE_UPLOAD" - - "VIOL_FILE_UPLOAD_IN_BODY" - - "VIOL_GRAPHQL_ERROR_RESPONSE" - - "VIOL_GRAPHQL_FORMAT" - - "VIOL_GRAPHQL_INTROSPECTION_QUERY" - - "VIOL_GRAPHQL_MALFORMED" - - "VIOL_GRPC_FORMAT" - - "VIOL_GRPC_MALFORMED" - - "VIOL_GRPC_METHOD" - - "VIOL_HEADER_LENGTH" - - "VIOL_HEADER_METACHAR" - - "VIOL_HEADER_REPEATED" - - "VIOL_HTTP_PROTOCOL" - - "VIOL_HTTP_RESPONSE_STATUS" - - "VIOL_JSON_FORMAT" - - "VIOL_JSON_MALFORMED" - - "VIOL_JSON_SCHEMA" - - "VIOL_MANDATORY_HEADER" - - "VIOL_MANDATORY_PARAMETER" - - "VIOL_MANDATORY_REQUEST_BODY" - - "VIOL_METHOD" - - "VIOL_PARAMETER" - - "VIOL_PARAMETER_ARRAY_VALUE" - - "VIOL_PARAMETER_DATA_TYPE" - - "VIOL_PARAMETER_EMPTY_VALUE" - - "VIOL_PARAMETER_LOCATION" - - "VIOL_PARAMETER_MULTIPART_NULL_VALUE" - - "VIOL_PARAMETER_NAME_METACHAR" - - "VIOL_PARAMETER_NUMERIC_VALUE" - - "VIOL_PARAMETER_REPEATED" - - "VIOL_PARAMETER_STATIC_VALUE" - - "VIOL_PARAMETER_VALUE_BASE64" - - "VIOL_PARAMETER_VALUE_LENGTH" - - "VIOL_PARAMETER_VALUE_METACHAR" - - "VIOL_PARAMETER_VALUE_REGEXP" - - 
"VIOL_POST_DATA_LENGTH" - - "VIOL_QUERY_STRING_LENGTH" - - "VIOL_RATING_NEED_EXAMINATION" - - "VIOL_RATING_THREAT" - - "VIOL_REQUEST_LENGTH" - - "VIOL_REQUEST_MAX_LENGTH" - - "VIOL_THREAT_CAMPAIGN" - - "VIOL_URL" - - "VIOL_URL_CONTENT_TYPE" - - "VIOL_URL_LENGTH" - - "VIOL_URL_METACHAR" - - "VIOL_XML_FORMAT" - - "VIOL_XML_MALFORMED" - type: string - type: object - type: array + name: + type: string type: object - blockingSettingReference: + entityChanges: properties: - link: - pattern: ^http + type: type: string type: object - bot-defense: - properties: - mitigations: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + modificationsReference: + properties: + link: + pattern: ^http + type: string + type: object + policy: + description: Defines the App Protect policy + properties: + applicationLanguage: + enum: + - iso-8859-10 + - iso-8859-6 + - windows-1255 + - auto-detect + - koi8-r + - gb18030 + - iso-8859-8 + - windows-1250 + - iso-8859-9 + - windows-1252 + - iso-8859-16 + - gb2312 + - iso-8859-2 + - iso-8859-5 + - windows-1257 + - windows-1256 + - iso-8859-13 + - windows-874 + - windows-1253 + - iso-8859-3 + - euc-jp + - utf-8 + - gbk + - windows-1251 + - big5 + - iso-8859-1 + - shift_jis + - euc-kr + - iso-8859-4 + - iso-8859-7 + - iso-8859-15 + type: string + blocking-settings: + properties: + evasions: + items: properties: - anomalies: - items: - properties: - $action: - enum: - - delete - type: string - action: - enum: - - alarm - - block - - default - - detect - - ignore - type: string - name: - type: string - scoreThreshold: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: array - browsers: - items: - properties: - $action: - enum: - - delete - type: string - action: - enum: - - alarm - - block - - detect - type: string - maxVersion: - maximum: 2147483647 - minimum: 0 - type: integer - minVersion: - maximum: 2147483647 - minimum: 0 - type: integer - name: - type: string - type: 
object - type: array - classes: - items: - properties: - action: - enum: - - alarm - - block - - detect - - ignore - type: string - name: - enum: - - browser - - malicious-bot - - suspicious-browser - - trusted-bot - - unknown - - untrusted-bot - type: string - type: object - type: array - signatures: - items: - properties: - $action: - enum: - - delete - type: string - action: - enum: - - alarm - - block - - detect - - ignore - type: string - name: - type: string - type: object - type: array + description: + enum: + - '%u decoding' + - Apache whitespace + - Bad unescape + - Bare byte decoding + - Directory traversals + - IIS backslashes + - IIS Unicode codepoints + - Multiple decoding + - Multiple slashes + - Semicolon path parameters + - Trailing dot + - Trailing slash + type: string + enabled: + type: boolean + maxDecodingPasses: + type: integer + type: object + type: array + http-protocols: + items: + properties: + description: + enum: + - Unescaped space in URL + - Unparsable request content + - Several Content-Length headers + - 'POST request with Content-Length: 0' + - Null in request + - No Host header in HTTP/1.1 request + - Multiple host headers + - Host header contains IP address + - High ASCII characters in headers + - Header name with no header value + - CRLF characters before request start + - Content length should be a positive number + - Chunked request with Content-Length header + - Check maximum number of cookies + - Check maximum number of parameters + - Check maximum number of headers + - Body in GET or HEAD requests + - Bad multipart/form-data request parsing + - Bad multipart parameters parsing + - Bad HTTP version + - Bad host header value + type: string + enabled: + type: boolean + maxCookies: + maximum: 100 + minimum: 1 + type: integer + maxHeaders: + maximum: 150 + minimum: 1 + type: integer + maxParams: + maximum: 5000 + minimum: 1 + type: integer type: object - settings: + type: array + violations: + items: properties: - 
caseSensitiveHttpHeaders: + alarm: type: boolean - isEnabled: + block: type: boolean + description: + type: string + name: + enum: + - VIOL_ACCESS_INVALID + - VIOL_ACCESS_MALFORMED + - VIOL_ACCESS_MISSING + - VIOL_ACCESS_UNAUTHORIZED + - VIOL_ASM_COOKIE_HIJACKING + - VIOL_ASM_COOKIE_MODIFIED + - VIOL_BLACKLISTED_IP + - VIOL_COOKIE_EXPIRED + - VIOL_COOKIE_LENGTH + - VIOL_COOKIE_MALFORMED + - VIOL_COOKIE_MODIFIED + - VIOL_CSRF + - VIOL_DATA_GUARD + - VIOL_ENCODING + - VIOL_EVASION + - VIOL_FILE_UPLOAD + - VIOL_FILE_UPLOAD_IN_BODY + - VIOL_FILETYPE + - VIOL_GRAPHQL_ERROR_RESPONSE + - VIOL_GRAPHQL_FORMAT + - VIOL_GRAPHQL_INTROSPECTION_QUERY + - VIOL_GRAPHQL_MALFORMED + - VIOL_GRPC_FORMAT + - VIOL_GRPC_MALFORMED + - VIOL_GRPC_METHOD + - VIOL_HEADER_LENGTH + - VIOL_HEADER_METACHAR + - VIOL_HEADER_REPEATED + - VIOL_HTTP_PROTOCOL + - VIOL_HTTP_RESPONSE_STATUS + - VIOL_JSON_FORMAT + - VIOL_JSON_MALFORMED + - VIOL_JSON_SCHEMA + - VIOL_MANDATORY_HEADER + - VIOL_MANDATORY_PARAMETER + - VIOL_MANDATORY_REQUEST_BODY + - VIOL_METHOD + - VIOL_PARAMETER + - VIOL_PARAMETER_ARRAY_VALUE + - VIOL_PARAMETER_DATA_TYPE + - VIOL_PARAMETER_EMPTY_VALUE + - VIOL_PARAMETER_LOCATION + - VIOL_PARAMETER_MULTIPART_NULL_VALUE + - VIOL_PARAMETER_NAME_METACHAR + - VIOL_PARAMETER_NUMERIC_VALUE + - VIOL_PARAMETER_REPEATED + - VIOL_PARAMETER_STATIC_VALUE + - VIOL_PARAMETER_VALUE_BASE64 + - VIOL_PARAMETER_VALUE_LENGTH + - VIOL_PARAMETER_VALUE_METACHAR + - VIOL_PARAMETER_VALUE_REGEXP + - VIOL_POST_DATA_LENGTH + - VIOL_QUERY_STRING_LENGTH + - VIOL_RATING_NEED_EXAMINATION + - VIOL_RATING_THREAT + - VIOL_REQUEST_LENGTH + - VIOL_REQUEST_MAX_LENGTH + - VIOL_THREAT_CAMPAIGN + - VIOL_URL + - VIOL_URL_CONTENT_TYPE + - VIOL_URL_LENGTH + - VIOL_URL_METACHAR + - VIOL_XML_FORMAT + - VIOL_XML_MALFORMED + type: string type: object - type: object - browser-definitions: - items: - properties: - $action: - enum: - - delete - type: string - isUserDefined: - type: boolean - matchRegex: - type: string - matchString: - type: 
string - name: - type: string - type: object - type: array - caseInsensitive: - type: boolean - character-sets: - items: + type: array + type: object + blockingSettingReference: + properties: + link: + pattern: ^http + type: string + type: object + bot-defense: + properties: + mitigations: properties: - characterSet: + anomalies: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - default + - detect + - ignore + type: string + name: + type: string + scoreThreshold: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: array + browsers: items: properties: - isAllowed: - type: boolean - metachar: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - detect + type: string + maxVersion: + maximum: 2147483647 + minimum: 0 + type: integer + minVersion: + maximum: 2147483647 + minimum: 0 + type: integer + name: type: string type: object type: array - characterSetType: - enum: - - gwt-content - - header - - json-content - - parameter-name - - parameter-value - - plain-text-content - - url - - xml-content - type: string - type: object - type: array - characterSetReference: - properties: - link: - pattern: ^http - type: string - type: object - cookie-settings: - properties: - maximumCookieHeaderLength: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - cookieReference: - properties: - link: - pattern: ^http - type: string - type: object - cookieSettingsReference: - properties: - link: - pattern: ^http - type: string - type: object - cookies: - items: - properties: - $action: - enum: - - delete - type: string - accessibleOnlyThroughTheHttpProtocol: - type: boolean - attackSignaturesCheck: - type: boolean - decodeValueAsBase64: - enum: - - enabled - - disabled - - required - type: string - enforcementType: - type: string - insertSameSiteAttribute: - enum: - - lax - - none - - none-value - - 
strict - type: string - maskValueInLogs: - type: boolean - name: - type: string - securedOverHttpsConnection: - type: boolean - signatureOverrides: + classes: items: properties: - enabled: - type: boolean + action: + enum: + - alarm + - block + - detect + - ignore + type: string name: + enum: + - browser + - malicious-bot + - suspicious-browser + - trusted-bot + - unknown + - untrusted-bot type: string - signatureId: - type: integer - tag: + type: object + type: array + signatures: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - detect + - ignore + type: string + name: type: string type: object type: array - type: - enum: - - explicit - - wildcard - type: string - wildcardOrder: - type: integer type: object - type: array - csrf-protection: - properties: - enabled: - type: boolean - expirationTimeInSeconds: - pattern: disabled|\d+ - type: string - sslOnly: - type: boolean - type: object - csrf-urls: - items: + settings: properties: - $action: - enum: - - delete - type: string - enforcementAction: - enum: - - verify-origin - - none - type: string - method: - enum: - - GET - - POST - - any - type: string - url: - type: string - wildcardOrder: - type: integer + caseSensitiveHttpHeaders: + type: boolean + isEnabled: + type: boolean type: object - type: array - data-guard: + type: object + browser-definitions: + items: properties: - creditCardNumbers: - type: boolean - enabled: - type: boolean - enforcementMode: + $action: enum: - - ignore-urls-in-list - - enforce-urls-in-list + - delete type: string - enforcementUrls: - items: - type: string - type: array - lastCcnDigitsToExpose: - type: integer - lastSsnDigitsToExpose: - type: integer - maskData: + isUserDefined: type: boolean - usSocialSecurityNumbers: - type: boolean - type: object - dataGuardReference: - properties: - link: - pattern: ^http + matchRegex: + type: string + matchString: + type: string + name: type: string type: object - description: - type: 
string - enablePassiveMode: - type: boolean - enforcementMode: - enum: - - transparent - - blocking - type: string - enforcer-settings: - properties: - enforcerStateCookies: - properties: - httpOnlyAttribute: - type: boolean - sameSiteAttribute: - enum: - - lax - - none - - none-value - - strict - type: string - secureAttribute: - enum: - - always - - never - type: string - type: object - type: object - filetypeReference: + type: array + caseInsensitive: + type: boolean + character-sets: + items: properties: - link: - pattern: ^http + characterSet: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + characterSetType: + enum: + - gwt-content + - header + - json-content + - parameter-name + - parameter-value + - plain-text-content + - url + - xml-content type: string type: object - filetypes: - items: - properties: - $action: - enum: - - delete - type: string - allowed: - type: boolean - checkPostDataLength: - type: boolean - checkQueryStringLength: - type: boolean - checkRequestLength: - type: boolean - checkUrlLength: - type: boolean - name: - type: string - postDataLength: - type: integer - queryStringLength: - type: integer - requestLength: - type: integer - responseCheck: - type: boolean - type: - enum: - - explicit - - wildcard - type: string - urlLength: - type: integer - wildcardOrder: - type: integer - type: object - type: array - fullPath: - type: string - general: + type: array + characterSetReference: + properties: + link: + pattern: ^http + type: string + type: object + cookie-settings: + properties: + maximumCookieHeaderLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + cookieReference: + properties: + link: + pattern: ^http + type: string + type: object + cookieSettingsReference: + properties: + link: + pattern: ^http + type: string + type: object + cookies: + items: properties: - allowedResponseCodes: - items: - format: int32 - maximum: 999 - 
minimum: 100 - type: integer - type: array - customXffHeaders: - items: - type: string - type: array - maskCreditCardNumbersInRequest: + $action: + enum: + - delete + type: string + accessibleOnlyThroughTheHttpProtocol: type: boolean - trustXff: + attackSignaturesCheck: type: boolean - type: object - generalReference: - properties: - link: - pattern: ^http + decodeValueAsBase64: + enum: + - enabled + - disabled + - required type: string - type: object - grpc-profiles: - items: - properties: - $action: - enum: - - delete - type: string - associateUrls: - type: boolean - attackSignaturesCheck: - type: boolean - metacharCheck: - type: boolean - decodeStringValuesAsBase64: - enum: - - disabled - - enabled - type: string - defenseAttributes: + enforcementType: + type: string + insertSameSiteAttribute: + enum: + - lax + - none + - none-value + - strict + type: string + maskValueInLogs: + type: boolean + name: + type: string + securedOverHttpsConnection: + type: boolean + signatureOverrides: + items: properties: - allowUnknownFields: + enabled: type: boolean - maximumDataLength: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true + name: + type: string + signatureId: + type: integer + tag: + type: string type: object - description: - type: string - hasIdlFiles: - type: boolean - idlFiles: - items: - properties: - idlFile: - properties: - contents: - type: string - fileName: - type: string - isBase64: - type: boolean - type: object - importUrl: - type: string - isPrimary: - type: boolean - primaryIdlFileName: - type: string - type: object - type: array - metacharElementCheck: - type: boolean - name: - type: string - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - type: object - type: array - header-settings: - properties: - maximumHttpHeaderLength: - anyOf: - - type: integer - - type: string - 
x-kubernetes-int-or-string: true - type: object - headerReference: - properties: - link: - pattern: ^http + type: array + type: + enum: + - explicit + - wildcard type: string + wildcardOrder: + type: integer type: object - headerSettingsReference: + type: array + csrf-protection: + properties: + enabled: + type: boolean + expirationTimeInSeconds: + pattern: disabled|\d+ + type: string + sslOnly: + type: boolean + type: object + csrf-urls: + items: properties: - link: - pattern: ^http + $action: + enum: + - delete + type: string + enforcementAction: + enum: + - verify-origin + - none type: string + method: + enum: + - GET + - POST + - any + type: string + url: + type: string + wildcardOrder: + type: integer type: object - headers: - items: - properties: - $action: - enum: - - delete - type: string - allowRepeatedOccurrences: - type: boolean - base64Decoding: - type: boolean - checkSignatures: - type: boolean - decodeValueAsBase64: - enum: - - enabled - - disabled - - required - type: string - htmlNormalization: - type: boolean - mandatory: - type: boolean - maskValueInLogs: - type: boolean - name: - type: string - normalizationViolations: - type: boolean - percentDecoding: - type: boolean - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - type: - enum: - - explicit - - wildcard - type: string - urlNormalization: - type: boolean - wildcardOrder: - type: integer - type: object - type: array - host-names: - items: - properties: - $action: - enum: - - delete - type: string - includeSubdomains: - type: boolean - name: - type: string - type: object - type: array - idl-files: - items: + type: array + data-guard: + properties: + creditCardNumbers: + type: boolean + customPatterns: + type: boolean + customPatternsList: + items: + type: string + type: array + enabled: + type: boolean + enforcementMode: + enum: + - ignore-urls-in-list + - 
enforce-urls-in-list + type: string + enforcementUrls: + items: + type: string + type: array + firstCustomCharactersToExpose: + type: integer + lastCcnDigitsToExpose: + type: integer + lastCustomCharactersToExpose: + type: integer + lastSsnDigitsToExpose: + type: integer + maskData: + type: boolean + usSocialSecurityNumbers: + type: boolean + type: object + dataGuardReference: + properties: + link: + pattern: ^http + type: string + type: object + description: + type: string + enablePassiveMode: + type: boolean + enforcementMode: + enum: + - transparent + - blocking + type: string + enforcer-settings: + properties: + enforcerStateCookies: properties: - contents: - type: string - fileName: - type: string - isBase64: + httpOnlyAttribute: type: boolean - type: object - type: array - json-profiles: - items: - properties: - $action: + sameSiteAttribute: enum: - - delete - type: string - attackSignaturesCheck: - type: boolean - defenseAttributes: - properties: - maximumArrayLength: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumStructureDepth: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumTotalLengthOfJSONData: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumValueLength: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - tolerateJSONParsingWarnings: - type: boolean - type: object - description: - type: string - handleJsonValuesAsParameters: - type: boolean - hasValidationFiles: - type: boolean - metacharOverrides: - items: - properties: - isAllowed: - type: boolean - metachar: - type: string - type: object - type: array - name: + - lax + - none + - none-value + - strict type: string - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - validationFiles: - items: - properties: - importUrl: - type: 
string - isPrimary: - type: boolean - jsonValidationFile: - properties: - $action: - enum: - - delete - type: string - contents: - type: string - fileName: - type: string - isBase64: - type: boolean - type: object - type: object - type: array - type: object - type: array - json-validation-files: - items: - properties: - $action: + secureAttribute: enum: - - delete - type: string - contents: + - always + - never type: string - fileName: - type: string - isBase64: - type: boolean type: object - type: array - jsonProfileReference: + type: object + filetypeReference: + properties: + link: + pattern: ^http + type: string + type: object + filetypes: + items: properties: - link: - pattern: ^http + $action: + enum: + - delete type: string - type: object - jsonValidationFileReference: - properties: - link: - pattern: ^http + allowed: + type: boolean + checkPostDataLength: + type: boolean + checkQueryStringLength: + type: boolean + checkRequestLength: + type: boolean + checkUrlLength: + type: boolean + name: type: string - type: object - methodReference: - properties: - link: - pattern: ^http + postDataLength: + type: integer + queryStringLength: + type: integer + requestLength: + type: integer + responseCheck: + type: boolean + type: + enum: + - explicit + - wildcard type: string + urlLength: + type: integer + wildcardOrder: + type: integer type: object - methods: - items: - properties: - $action: - enum: - - delete - type: string - name: - type: string - type: object - type: array - name: - type: string - open-api-files: - items: - properties: - link: - pattern: ^http - type: string - type: object - type: array - parameterReference: + type: array + fullPath: + type: string + general: + properties: + allowedResponseCodes: + items: + format: int32 + maximum: 999 + minimum: 100 + type: integer + type: array + customXffHeaders: + items: + type: string + type: array + maskCreditCardNumbersInRequest: + type: boolean + trustXff: + type: boolean + type: object + generalReference: 
+ properties: + link: + pattern: ^http + type: string + type: object + graphql-profiles: + items: properties: - link: - pattern: ^http + $action: + enum: + - delete type: string - type: object - parameters: - items: - properties: - $action: - enum: - - delete - type: string - allowEmptyValue: - type: boolean - allowRepeatedParameterName: - type: boolean - arraySerializationFormat: - enum: - - csv - - form - - label - - matrix - - multi - - multipart - - pipe - - ssv - - tsv - type: string - attackSignaturesCheck: - type: boolean - checkMaxValue: - type: boolean - checkMaxValueLength: - type: boolean - checkMetachars: - type: boolean - checkMinValue: - type: boolean - checkMinValueLength: - type: boolean - checkMultipleOfValue: - type: boolean - contentProfile: + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + allowIntrospectionQueries: + type: boolean + maximumBatchedQueries: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumQueryCost: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumStructureDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumTotalLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumValueLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + tolerateParsingWarnings: + type: boolean + type: object + description: + type: string + metacharElementCheck: + type: boolean + metacharOverrides: + items: properties: - name: + isAllowed: + type: boolean + metachar: type: string type: object - dataType: - enum: - - alpha-numeric - - binary - - boolean - - decimal - - email - - integer - - none - - phone - type: string - decodeValueAsBase64: - enum: - - enabled - - disabled - - required - type: string - disallowFileUploadOfExecutables: - type: boolean - enableRegularExpression: - type: boolean - exclusiveMax: - type: boolean - 
exclusiveMin: - type: boolean - isBase64: - type: boolean - isCookie: - type: boolean - isHeader: - type: boolean - level: - enum: - - global - - url - type: string - mandatory: - type: boolean - maximumLength: - type: integer - maximumValue: - type: integer - metacharsOnParameterValueCheck: - type: boolean - minimumLength: - type: integer - minimumValue: - type: integer - multipleOf: - type: integer - name: - type: string - nameMetacharOverrides: - items: - properties: - isAllowed: - type: boolean - metachar: - type: string - type: object - type: array - objectSerializationStyle: - type: string - parameterEnumValues: - items: - type: string - type: array - parameterLocation: - enum: - - any - - cookie - - form-data - - header - - path - - query - type: string - regularExpression: - type: string - sensitiveParameter: - type: boolean - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - staticValues: - type: string - type: - enum: - - explicit - - wildcard - type: string - url: + type: array + name: + type: string + responseEnforcement: + properties: + blockDisallowedPatterns: + type: boolean + disallowedPatterns: + items: + type: string + type: array + type: object + sensitiveData: + items: properties: - method: - enum: - - ACL - - BCOPY - - BDELETE - - BMOVE - - BPROPFIND - - BPROPPATCH - - CHECKIN - - CHECKOUT - - CONNECT - - COPY - - DELETE - - GET - - HEAD - - LINK - - LOCK - - MERGE - - MKCOL - - MKWORKSPACE - - MOVE - - NOTIFY - - OPTIONS - - PATCH - - POLL - - POST - - PROPFIND - - PROPPATCH - - PUT - - REPORT - - RPC_IN_DATA - - RPC_OUT_DATA - - SEARCH - - SUBSCRIBE - - TRACE - - TRACK - - UNLINK - - UNLOCK - - UNSUBSCRIBE - - VERSION_CONTROL - - X-MS-ENUMATTS - - '*' + parameterName: type: string + type: object + type: array + signatureOverrides: + items: + properties: + enabled: + type: boolean name: type: string - protocol: - enum: 
- - http - - https - type: string - type: - enum: - - explicit - - wildcard + signatureId: + type: integer + tag: type: string type: object - valueMetacharOverrides: - items: - properties: - isAllowed: - type: boolean - metachar: - type: string - type: object - type: array - valueType: - enum: - - array - - auto-detect - - dynamic-content - - dynamic-parameter-name - - ignore - - json - - object - - openapi-array - - static-content - - user-input - - xml - type: string - wildcardOrder: - type: integer - type: object - type: array - response-pages: - items: - properties: - ajaxActionType: - enum: - - alert-popup - - custom - - redirect - type: string - ajaxCustomContent: - type: string - ajaxEnabled: - type: boolean - ajaxPopupMessage: - type: string - ajaxRedirectUrl: - type: string - grpcStatusCode: - pattern: ABORTED|ALREADY_EXISTS|CANCELLED|DATA_LOSS|DEADLINE_EXCEEDED|FAILED_PRECONDITION|INTERNAL|INVALID_ARGUMENT|NOT_FOUND|OK|OUT_OF_RANGE|PERMISSION_DENIED|RESOURCE_EXHAUSTED|UNAUTHENTICATED|UNAVAILABLE|UNIMPLEMENTED|UNKNOWN|d+ - type: string - grpcStatusMessage: - type: string - responseActionType: - enum: - - custom - - default - - erase-cookies - - redirect - - soap-fault - type: string - responseContent: - type: string - responseHeader: - type: string - responsePageType: - enum: - - ajax - - ajax-login - - captcha - - captcha-fail - - default - - failed-login-honeypot - - failed-login-honeypot-ajax - - hijack - - leaked-credentials - - leaked-credentials-ajax - - mobile - - persistent-flow - - xml - - grpc - type: string - responseRedirectUrl: - type: string - type: object - type: array - responsePageReference: - properties: - link: - pattern: ^http - type: string + type: array type: object - sensitive-parameters: - items: - properties: - $action: - enum: - - delete - type: string - name: - type: string - type: object - type: array - sensitiveParameterReference: + type: array + grpc-profiles: + items: properties: - link: - pattern: ^http + $action: + enum: + 
- delete type: string - type: object - server-technologies: - items: - properties: - $action: - enum: - - delete - type: string - serverTechnologyName: - enum: - - Jenkins - - SharePoint - - Oracle Application Server - - Python - - Oracle Identity Manager - - Spring Boot - - CouchDB - - SQLite - - Handlebars - - Mustache - - Prototype - - Zend - - Redis - - Underscore.js - - Ember.js - - ZURB Foundation - - ef.js - - Vue.js - - UIKit - - TYPO3 CMS - - RequireJS - - React - - MooTools - - Laravel - - GraphQL - - Google Web Toolkit - - Express.js - - CodeIgniter - - Backbone.js - - AngularJS - - JavaScript - - Nginx - - Jetty - - Joomla - - JavaServer Faces (JSF) - - Ruby - - MongoDB - - Django - - Node.js - - Citrix - - JBoss - - Elasticsearch - - Apache Struts - - XML - - PostgreSQL - - IBM DB2 - - Sybase/ASE - - CGI - - Proxy Servers - - SSI (Server Side Includes) - - Cisco - - Novell - - Macromedia JRun - - BEA Systems WebLogic Server - - Lotus Domino - - MySQL - - Oracle - - Microsoft SQL Server - - PHP - - Outlook Web Access - - Apache/NCSA HTTP Server - - Apache Tomcat - - WordPress - - Macromedia ColdFusion - - Unix/Linux - - Microsoft Windows - - ASP.NET - - Front Page Server Extensions (FPSE) - - IIS - - WebDAV - - ASP - - Java Servlets/JSP - - jQuery - type: string - type: object - type: array - serverTechnologyReference: - properties: - link: - pattern: ^http + associateUrls: + type: boolean + attackSignaturesCheck: + type: boolean + decodeStringValuesAsBase64: + enum: + - disabled + - enabled + type: string + defenseAttributes: + properties: + allowUnknownFields: + type: boolean + maximumDataLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + description: + type: string + hasIdlFiles: + type: boolean + idlFiles: + items: + properties: + idlFile: + properties: + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + importUrl: + type: string + isPrimary: + type: 
boolean + primaryIdlFileName: + type: string + type: object + type: array + metacharCheck: + type: boolean + metacharElementCheck: + type: boolean + name: type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array type: object - signature-requirements: - items: - properties: - $action: - enum: - - delete - type: string - tag: - type: string - type: object - type: array - signature-sets: - items: - properties: - $action: - enum: - - delete - type: string - alarm: - type: boolean - block: - type: boolean - name: - type: string - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - signature-settings: + type: array + header-settings: + properties: + maximumHttpHeaderLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + headerReference: + properties: + link: + pattern: ^http + type: string + type: object + headerSettingsReference: + properties: + link: + pattern: ^http + type: string + type: object + headers: + items: properties: - attackSignatureFalsePositiveMode: + $action: enum: - - detect - - detect-and-allow - - disabled + - delete type: string - minimumAccuracyForAutoAddedSignatures: + allowRepeatedOccurrences: + type: boolean + base64Decoding: + type: boolean + checkSignatures: + type: boolean + decodeValueAsBase64: enum: - - high - - low - - medium + - enabled + - disabled + - required type: string - type: object - signatureReference: - properties: - link: - pattern: ^http + htmlNormalization: + type: boolean + mandatory: + type: boolean + maskValueInLogs: + type: boolean + name: type: string - type: object - signatureSetReference: - properties: - link: - pattern: ^http + normalizationViolations: + type: boolean + percentDecoding: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: 
integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard type: string + urlNormalization: + type: boolean + wildcardOrder: + type: integer type: object - signatureSettingReference: + type: array + host-names: + items: properties: - link: - pattern: ^http + $action: + enum: + - delete type: string - type: object - signatures: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - softwareVersion: - type: string - template: - properties: + includeSubdomains: + type: boolean name: type: string type: object - threat-campaigns: - items: - properties: - isEnabled: - type: boolean - name: - type: string - type: object - type: array - threatCampaignReference: + type: array + idl-files: + items: properties: - link: - pattern: ^http + contents: type: string + fileName: + type: string + isBase64: + type: boolean type: object - urlReference: + type: array + json-profiles: + items: properties: - link: - pattern: ^http + $action: + enum: + - delete type: string - type: object - urls: - items: - properties: - $action: - enum: - - delete - type: string - allowRenderingInFrames: - enum: - - never - - only-same - type: string - allowRenderingInFramesOnlyFrom: - type: string - attackSignaturesCheck: - type: boolean - clickjackingProtection: - type: boolean - description: - type: string - disallowFileUploadOfExecutables: - type: boolean - html5CrossOriginRequestsEnforcement: + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + maximumArrayLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumStructureDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumTotalLengthOfJSONData: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumValueLength: + anyOf: + - type: integer + - type: string + 
x-kubernetes-int-or-string: true + tolerateJSONParsingWarnings: + type: boolean + type: object + description: + type: string + handleJsonValuesAsParameters: + type: boolean + hasValidationFiles: + type: boolean + metacharOverrides: + items: properties: - allowOriginsEnforcementMode: - enum: - - replace-with - - unmodified - type: string - checkAllowedMethods: + isAllowed: type: boolean - crossDomainAllowedOrigin: - items: - properties: - includeSubDomains: - type: boolean - originName: - type: string - originPort: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - originProtocol: - enum: - - http - - http/https - - https - type: string - type: object - type: array - enforcementMode: - enum: - - disabled - - enforce + metachar: type: string type: object - isAllowed: - type: boolean - mandatoryBody: - type: boolean - metacharOverrides: - items: - properties: - isAllowed: - type: boolean - metachar: - type: string - type: object - type: array - metacharsOnUrlCheck: - type: boolean - method: - enum: + type: array + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + validationFiles: + items: + properties: + importUrl: + type: string + isPrimary: + type: boolean + jsonValidationFile: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: object + type: array + type: object + type: array + json-validation-files: + items: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + jsonProfileReference: + properties: + link: + pattern: ^http + type: string + type: object + jsonValidationFileReference: + properties: + link: + pattern: ^http + type: string + type: object + 
methodReference: + properties: + link: + pattern: ^http + type: string + type: object + methods: + items: + properties: + $action: + enum: + - delete + type: string + name: + type: string + type: object + type: array + name: + type: string + open-api-files: + items: + properties: + link: + pattern: ^http + type: string + type: object + type: array + parameterReference: + properties: + link: + pattern: ^http + type: string + type: object + parameters: + items: + properties: + $action: + enum: + - delete + type: string + allowEmptyValue: + type: boolean + allowRepeatedParameterName: + type: boolean + arraySerializationFormat: + enum: + - csv + - form + - label + - matrix + - multi + - multipart + - pipe + - ssv + - tsv + type: string + attackSignaturesCheck: + type: boolean + checkMaxValue: + type: boolean + checkMaxValueLength: + type: boolean + checkMetachars: + type: boolean + checkMinValue: + type: boolean + checkMinValueLength: + type: boolean + checkMultipleOfValue: + type: boolean + contentProfile: + properties: + name: + type: string + type: object + dataType: + enum: + - alpha-numeric + - binary + - boolean + - decimal + - email + - integer + - none + - phone + type: string + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + disallowFileUploadOfExecutables: + type: boolean + enableRegularExpression: + type: boolean + exclusiveMax: + type: boolean + exclusiveMin: + type: boolean + isBase64: + type: boolean + isCookie: + type: boolean + isHeader: + type: boolean + level: + enum: + - global + - url + type: string + mandatory: + type: boolean + maximumLength: + type: integer + maximumValue: + type: integer + metacharsOnParameterValueCheck: + type: boolean + minimumLength: + type: integer + minimumValue: + type: integer + multipleOf: + type: integer + name: + type: string + nameMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + objectSerializationStyle: 
+ type: string + parameterEnumValues: + items: + type: string + type: array + parameterLocation: + enum: + - any + - cookie + - form-data + - header + - path + - query + type: string + regularExpression: + type: string + sensitiveParameter: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + staticValues: + type: string + type: + enum: + - explicit + - wildcard + type: string + url: + properties: + method: + enum: - ACL - BCOPY - BDELETE 
@@ -1564,595 +1240,933 @@ spec: - VERSION_CONTROL - X-MS-ENUMATTS - '*' - type: string - methodOverrides: - items: - properties: - allowed: - type: boolean - method: - enum: - - ACL - - BCOPY - - BDELETE - - BMOVE - - BPROPFIND - - BPROPPATCH - - CHECKIN - - CHECKOUT - - CONNECT - - COPY - - DELETE - - GET - - HEAD - - LINK - - LOCK - - MERGE - - MKCOL - - MKWORKSPACE - - MOVE - - NOTIFY - - OPTIONS - - PATCH - - POLL - - POST - - PROPFIND - - PROPPATCH - - PUT - - REPORT - - RPC_IN_DATA - - RPC_OUT_DATA - - SEARCH - - SUBSCRIBE - - TRACE - - TRACK - - UNLINK - - UNLOCK - - UNSUBSCRIBE - - VERSION_CONTROL - - X-MS-ENUMATTS - type: string - type: object - type: array - methodsOverrideOnUrlCheck: - type: boolean - name: - type: string - operationId: - type: string - positionalParameters: - items: - properties: - parameter: - properties: - $action: - enum: - - delete - type: string - allowEmptyValue: - type: boolean - allowRepeatedParameterName: - type: boolean - arraySerializationFormat: - enum: - - csv - - form - - label - - matrix - - multi - - multipart - - pipe - - ssv - - tsv - type: string - attackSignaturesCheck: - type: boolean - checkMaxValue: - type: boolean - checkMaxValueLength: - type: boolean - checkMetachars: - type: boolean - checkMinValue: - type: boolean - checkMinValueLength: - type: boolean - checkMultipleOfValue: - type: boolean - contentProfile: - properties: - name: - type: string - type: object - dataType: - enum: - - alpha-numeric - - binary - - boolean - - decimal - - email - - integer - - none - - phone - type: string - decodeValueAsBase64: - enum: - - enabled - - disabled - - required - type: string - disallowFileUploadOfExecutables: - type: boolean - enableRegularExpression: - type: boolean - exclusiveMax: - type: boolean - exclusiveMin: - type: boolean - isBase64: - type: boolean - isCookie: - type: boolean - isHeader: - type: boolean - level: - enum: - - global - - url - type: string - mandatory: - type: boolean - maximumLength: - type: 
integer - maximumValue: - type: integer - metacharsOnParameterValueCheck: - type: boolean - minimumLength: - type: integer - minimumValue: - type: integer - multipleOf: - type: integer - name: - type: string - nameMetacharOverrides: - items: - properties: - isAllowed: - type: boolean - metachar: - type: string - type: object - type: array - objectSerializationStyle: - type: string - parameterEnumValues: - items: - type: string - type: array - parameterLocation: - enum: - - any - - cookie - - form-data - - header - - path - - query - type: string - regularExpression: - type: string - sensitiveParameter: - type: boolean - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - staticValues: - type: string - type: - enum: - - explicit - - wildcard - type: string - url: - properties: - method: - enum: - - ACL - - BCOPY - - BDELETE - - BMOVE - - BPROPFIND - - BPROPPATCH - - CHECKIN - - CHECKOUT - - CONNECT - - COPY - - DELETE - - GET - - HEAD - - LINK - - LOCK - - MERGE - - MKCOL - - MKWORKSPACE - - MOVE - - NOTIFY - - OPTIONS - - PATCH - - POLL - - POST - - PROPFIND - - PROPPATCH - - PUT - - REPORT - - RPC_IN_DATA - - RPC_OUT_DATA - - SEARCH - - SUBSCRIBE - - TRACE - - TRACK - - UNLINK - - UNLOCK - - UNSUBSCRIBE - - VERSION_CONTROL - - X-MS-ENUMATTS - - '*' - type: string - name: - type: string - protocol: - enum: - - http - - https - type: string - type: - enum: - - explicit - - wildcard - type: string - type: object - valueMetacharOverrides: - items: - properties: - isAllowed: - type: boolean - metachar: - type: string - type: object - type: array - valueType: - enum: - - array - - auto-detect - - dynamic-content - - dynamic-parameter-name - - ignore - - json - - object - - openapi-array - - static-content - - user-input - - xml - type: string - wildcardOrder: - type: integer - type: object - urlSegmentIndex: - type: integer - type: object - type: 
array - protocol: - enum: + type: string + name: + type: string + protocol: + enum: - http - https - type: string - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - type: - enum: + type: string + type: + enum: - explicit - wildcard - type: string - urlContentProfiles: - items: - properties: - contentProfile: - properties: - name: - type: string - type: object - headerName: - type: string - headerOrder: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - headerValue: - type: string - name: - type: string - type: - enum: - - apply-content-signatures - - apply-value-and-content-signatures - - disallow - - do-nothing - - form-data - - gwt - - json - - xml - - grpc - type: string - type: object - type: array - wildcardOrder: - type: integer - type: object - type: array - whitelist-ips: - items: - properties: - $action: - enum: - - delete - type: string - blockRequests: - enum: - - always - - never - - policy-default - type: string - ipAddress: - pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' - type: string - ipMask: - pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' - type: string - neverLogRequests: - type: boolean - type: object - type: array - whitelistIpReference: + type: string + type: object + valueMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + valueType: + enum: + - array + - auto-detect + - dynamic-content + - dynamic-parameter-name + - ignore + - json + - object + - openapi-array + - static-content + - user-input + - xml + type: string + wildcardOrder: + type: integer + type: object + type: array + response-pages: + items: properties: - link: - pattern: ^http + ajaxActionType: + enum: + - alert-popup + - custom + - redirect + type: string + ajaxCustomContent: + type: string + ajaxEnabled: + type: boolean + 
ajaxPopupMessage: + type: string + ajaxRedirectUrl: + type: string + grpcStatusCode: + pattern: ABORTED|ALREADY_EXISTS|CANCELLED|DATA_LOSS|DEADLINE_EXCEEDED|FAILED_PRECONDITION|INTERNAL|INVALID_ARGUMENT|NOT_FOUND|OK|OUT_OF_RANGE|PERMISSION_DENIED|RESOURCE_EXHAUSTED|UNAUTHENTICATED|UNAVAILABLE|UNIMPLEMENTED|UNKNOWN|d+ + type: string + grpcStatusMessage: + type: string + responseActionType: + enum: + - custom + - default + - erase-cookies + - redirect + - soap-fault + type: string + responseContent: + type: string + responseHeader: + type: string + responsePageType: + enum: + - ajax + - ajax-login + - captcha + - captcha-fail + - default + - failed-login-honeypot + - failed-login-honeypot-ajax + - hijack + - leaked-credentials + - leaked-credentials-ajax + - mobile + - persistent-flow + - xml + - grpc + type: string + responseRedirectUrl: type: string type: object - xml-profiles: - items: - properties: - $action: - enum: - - delete - type: string - attackSignaturesCheck: - type: boolean - defenseAttributes: + type: array + responsePageReference: + properties: + link: + pattern: ^http + type: string + type: object + sensitive-parameters: + items: + properties: + $action: + enum: + - delete + type: string + name: + type: string + type: object + type: array + sensitiveParameterReference: + properties: + link: + pattern: ^http + type: string + type: object + server-technologies: + items: + properties: + $action: + enum: + - delete + type: string + serverTechnologyName: + enum: + - Jenkins + - SharePoint + - Oracle Application Server + - Python + - Oracle Identity Manager + - Spring Boot + - CouchDB + - SQLite + - Handlebars + - Mustache + - Prototype + - Zend + - Redis + - Underscore.js + - Ember.js + - ZURB Foundation + - ef.js + - Vue.js + - UIKit + - TYPO3 CMS + - RequireJS + - React + - MooTools + - Laravel + - GraphQL + - Google Web Toolkit + - Express.js + - CodeIgniter + - Backbone.js + - AngularJS + - JavaScript + - Nginx + - Jetty + - Joomla + - JavaServer Faces 
(JSF) + - Ruby + - MongoDB + - Django + - Node.js + - Citrix + - JBoss + - Elasticsearch + - Apache Struts + - XML + - PostgreSQL + - IBM DB2 + - Sybase/ASE + - CGI + - Proxy Servers + - SSI (Server Side Includes) + - Cisco + - Novell + - Macromedia JRun + - BEA Systems WebLogic Server + - Lotus Domino + - MySQL + - Oracle + - Microsoft SQL Server + - PHP + - Outlook Web Access + - Apache/NCSA HTTP Server + - Apache Tomcat + - WordPress + - Macromedia ColdFusion + - Unix/Linux + - Microsoft Windows + - ASP.NET + - Front Page Server Extensions (FPSE) + - IIS + - WebDAV + - ASP + - Java Servlets/JSP + - jQuery + type: string + type: object + type: array + serverTechnologyReference: + properties: + link: + pattern: ^http + type: string + type: object + signature-requirements: + items: + properties: + $action: + enum: + - delete + type: string + tag: + type: string + type: object + type: array + signature-sets: + items: + properties: + $action: + enum: + - delete + type: string + alarm: + type: boolean + block: + type: boolean + name: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + signature-settings: + properties: + attackSignatureFalsePositiveMode: + enum: + - detect + - detect-and-allow + - disabled + type: string + minimumAccuracyForAutoAddedSignatures: + enum: + - high + - low + - medium + type: string + type: object + signatureReference: + properties: + link: + pattern: ^http + type: string + type: object + signatureSetReference: + properties: + link: + pattern: ^http + type: string + type: object + signatureSettingReference: + properties: + link: + pattern: ^http + type: string + type: object + signatures: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + softwareVersion: + type: string + template: + properties: + name: + type: string + type: object + threat-campaigns: + items: + properties: + isEnabled: + type: 
boolean + name: + type: string + type: object + type: array + threatCampaignReference: + properties: + link: + pattern: ^http + type: string + type: object + urlReference: + properties: + link: + pattern: ^http + type: string + type: object + urls: + items: + properties: + $action: + enum: + - delete + type: string + allowRenderingInFrames: + enum: + - never + - only-same + type: string + allowRenderingInFramesOnlyFrom: + type: string + attackSignaturesCheck: + type: boolean + clickjackingProtection: + type: boolean + description: + type: string + disallowFileUploadOfExecutables: + type: boolean + html5CrossOriginRequestsEnforcement: + properties: + allowOriginsEnforcementMode: + enum: + - replace-with + - unmodified + type: string + checkAllowedMethods: + type: boolean + crossDomainAllowedOrigin: + items: + properties: + includeSubDomains: + type: boolean + originName: + type: string + originPort: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + originProtocol: + enum: + - http + - http/https + - https + type: string + type: object + type: array + enforcementMode: + enum: + - disabled + - enforce + type: string + type: object + isAllowed: + type: boolean + mandatoryBody: + type: boolean + metacharOverrides: + items: properties: - allowCDATA: + isAllowed: type: boolean - allowDTDs: - type: boolean - allowExternalReferences: + metachar: + type: string + type: object + type: array + metacharsOnUrlCheck: + type: boolean + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + methodOverrides: + items: 
+ properties: + allowed: type: boolean - allowProcessingInstructions: + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + type: string + type: object + type: array + methodsOverrideOnUrlCheck: + type: boolean + name: + type: string + operationId: + type: string + positionalParameters: + items: + properties: + parameter: + properties: + $action: + enum: + - delete + type: string + allowEmptyValue: + type: boolean + allowRepeatedParameterName: + type: boolean + arraySerializationFormat: + enum: + - csv + - form + - label + - matrix + - multi + - multipart + - pipe + - ssv + - tsv + type: string + attackSignaturesCheck: + type: boolean + checkMaxValue: + type: boolean + checkMaxValueLength: + type: boolean + checkMetachars: + type: boolean + checkMinValue: + type: boolean + checkMinValueLength: + type: boolean + checkMultipleOfValue: + type: boolean + contentProfile: + properties: + name: + type: string + type: object + dataType: + enum: + - alpha-numeric + - binary + - boolean + - decimal + - email + - integer + - none + - phone + type: string + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + disallowFileUploadOfExecutables: + type: boolean + enableRegularExpression: + type: boolean + exclusiveMax: + type: boolean + exclusiveMin: + type: boolean + isBase64: + type: boolean + isCookie: + type: boolean + isHeader: + type: boolean + level: + enum: + - global + - url + type: string + mandatory: + type: boolean + maximumLength: + type: integer + maximumValue: + type: integer + metacharsOnParameterValueCheck: + type: 
boolean + minimumLength: + type: integer + minimumValue: + type: integer + multipleOf: + type: integer + name: + type: string + nameMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + objectSerializationStyle: + type: string + parameterEnumValues: + items: + type: string + type: array + parameterLocation: + enum: + - any + - cookie + - form-data + - header + - path + - query + type: string + regularExpression: + type: string + sensitiveParameter: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + staticValues: + type: string + type: + enum: + - explicit + - wildcard + type: string + url: + properties: + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + name: + type: string + protocol: + enum: + - http + - https + type: string + type: + enum: + - explicit + - wildcard + type: string + type: object + valueMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + valueType: + enum: + - array + - auto-detect + - dynamic-content + - dynamic-parameter-name + - ignore + - json + - object + - openapi-array + - static-content + - user-input + - xml + type: string + wildcardOrder: + type: integer + type: object + urlSegmentIndex: + type: integer + type: object + type: array + protocol: + enum: + - http + - https + type: string + signatureOverrides: 
+ items: + properties: + enabled: type: boolean - maximumAttributeValueLength: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumAttributesPerElement: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumChildrenPerElement: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumDocumentDepth: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumDocumentSize: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumElements: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumNSDeclarations: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumNameLength: + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + urlContentProfiles: + items: + properties: + contentProfile: + properties: + name: + type: string + type: object + headerName: + type: string + headerOrder: anyOf: - - type: integer - - type: string + - type: integer + - type: string x-kubernetes-int-or-string: true - maximumNamespaceLength: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - tolerateCloseTagShorthand: - type: boolean - tolerateLeadingWhiteSpace: - type: boolean - tolerateNumericNames: - type: boolean + headerValue: + type: string + name: + type: string + type: + enum: + - apply-content-signatures + - apply-value-and-content-signatures + - disallow + - do-nothing + - form-data + - gwt + - json + - xml + - grpc + type: string type: object - description: - type: string - enableWss: - type: boolean - followSchemaLinks: - type: boolean - name: - type: string - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - 
type: array - useXmlResponsePage: - type: boolean - type: object - type: array - xml-validation-files: - items: - properties: - $action: - enum: - - delete - type: string - contents: - type: string - fileName: - type: string - isBase64: - type: boolean - type: object - type: array - xmlProfileReference: + type: array + wildcardOrder: + type: integer + type: object + type: array + whitelist-ips: + items: properties: - link: - pattern: ^http + $action: + enum: + - delete + type: string + blockRequests: + enum: + - always + - never + - policy-default + type: string + ipAddress: + pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' + type: string + ipMask: + pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' type: string + neverLogRequests: + type: boolean type: object - xmlValidationFileReference: + type: array + whitelistIpReference: + properties: + link: + pattern: ^http + type: string + type: object + xml-profiles: + items: properties: - link: - pattern: ^http + $action: + enum: + - delete type: string - type: object - graphql-profiles: - items: - properties: - $action: - enum: - - delete - type: string - attackSignaturesCheck: - type: boolean - defenseAttributes: - properties: - allowIntrospectionQueries: - type: boolean - maximumBatchedQueries: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumQueryCost: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumStructureDepth: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumTotalLength: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumValueLength: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - tolerateParsingWarnings: - type: boolean - type: object - description: - type: string - metacharElementCheck: - type: boolean - metacharOverrides: - items: - properties: - isAllowed: - type: boolean - metachar: - type: string - type: 
object - type: array - responseEnforcement: + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + allowCDATA: + type: boolean + allowDTDs: + type: boolean + allowExternalReferences: + type: boolean + allowProcessingInstructions: + type: boolean + maximumAttributeValueLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumAttributesPerElement: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumChildrenPerElement: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumDocumentDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumDocumentSize: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumElements: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNSDeclarations: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNameLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNamespaceLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + tolerateCloseTagShorthand: + type: boolean + tolerateLeadingWhiteSpace: + type: boolean + tolerateNumericNames: + type: boolean + type: object + description: + type: string + enableWss: + type: boolean + followSchemaLinks: + type: boolean + name: + type: string + signatureOverrides: + items: properties: - blockDisallowedPatterns: + enabled: type: boolean - disallowedPatterns: - items: - type: string - type: array + name: + type: string + signatureId: + type: integer + tag: + type: string type: object - sensetiveData: - items: - properties: - parameterName: - type: string - type: object - type: array - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - 
name: - type: string - type: object - type: array - type: object - type: object - type: object - served: true - storage: true + type: array + useXmlResponsePage: + type: boolean + type: object + type: array + xml-validation-files: + items: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + xmlProfileReference: + properties: + link: + pattern: ^http + type: string + type: object + xmlValidationFileReference: + properties: + link: + pattern: ^http + type: string + type: object + type: object + type: object + type: object + served: true + storage: true diff --git a/helm-charts/nginx-ingress/crds/appprotect.f5.com_apusersigs.yaml b/helm-charts/nginx-ingress/crds/appprotect.f5.com_apusersigs.yaml index 34eb0784..6d71ed63 100644 --- a/helm-charts/nginx-ingress/crds/appprotect.f5.com_apusersigs.yaml +++ b/helm-charts/nginx-ingress/crds/appprotect.f5.com_apusersigs.yaml @@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: apusersigs.appprotect.f5.com spec: group: appprotect.f5.com 
@@ -15,79 +14,85 @@ spec: preserveUnknownFields: false scope: Namespaced versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: APUserSig is the Schema for the apusersigs API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: APUserSigSpec defines the desired state of APUserSig + - name: v1beta1 + schema: + openAPIV3Schema: + description: APUserSig is the Schema for the apusersigs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APUserSigSpec defines the desired state of APUserSig + properties: properties: - properties: - type: string - signatures: - items: - properties: - accuracy: - enum: - - high - - medium - - low - type: string - attackType: + type: string + signatures: + items: + properties: + accuracy: + enum: + - high + - medium + - low + type: string + attackType: + properties: + name: + type: string + type: object + description: + type: string + name: + type: string + references: + properties: + type: + enum: + - bugtraq + - cve + - nessus + - url + type: string + value: + type: string + type: object + risk: + enum: + - high + - medium + - low + type: string + rule: + type: string + signatureType: + enum: + - request + - response + type: string + systems: + items: properties: name: type: string type: object - description: - type: string - name: - type: string - references: - properties: - type: - enum: - - bugtraq - - cve - - nessus - - url - type: string - value: - type: string - type: object - risk: - enum: - - high - - medium - - low - type: string - rule: - type: string - signatureType: - enum: - - request - - response - type: string - systems: - items: - properties: - name: - type: string - type: object - type: array - type: object - type: array - tag: - type: string - type: object - type: object - served: true - storage: true + type: array + type: object + type: array + softwareVersion: + type: string + tag: + type: string + type: object + type: object + served: true + storage: true diff --git a/helm-charts/nginx-ingress/crds/k8s.nginx.org_policies.yaml b/helm-charts/nginx-ingress/crds/k8s.nginx.org_policies.yaml index de6bef32..f275d3a4 100644 --- a/helm-charts/nginx-ingress/crds/k8s.nginx.org_policies.yaml +++ b/helm-charts/nginx-ingress/crds/k8s.nginx.org_policies.yaml 
@@ -67,6 +67,25 @@ spec: type: string type: array type: object + apiKey: + description: APIKey defines an API Key policy. + properties: + clientSecret: + type: string + suppliedIn: + description: SuppliedIn defines the locations API Key should be + supplied in. + properties: + header: + items: + type: string + type: array + query: + items: + type: string + type: array + type: object + type: object basicAuth: description: |- BasicAuth holds HTTP Basic authentication configuration @@ -172,6 +191,8 @@ spec: type: string rejectCode: type: integer + scale: + type: boolean zoneSize: type: string type: object diff --git a/helm-charts/nginx-ingress/crds/k8s.nginx.org_virtualserverroutes.yaml b/helm-charts/nginx-ingress/crds/k8s.nginx.org_virtualserverroutes.yaml index 7fde72e8..0125eef8 100644 --- a/helm-charts/nginx-ingress/crds/k8s.nginx.org_virtualserverroutes.yaml +++ b/helm-charts/nginx-ingress/crds/k8s.nginx.org_virtualserverroutes.yaml @@ -148,6 +148,16 @@ spec: type: string code: type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array type: type: string type: object @@ -276,6 +286,16 @@ spec: type: string code: type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array type: type: string type: object @@ -383,6 +403,16 @@ spec: type: string code: type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array type: type: string type: object @@ -489,6 +519,16 @@ spec: type: string code: type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array type: type: string type: object 
diff --git a/helm-charts/nginx-ingress/crds/k8s.nginx.org_virtualservers.yaml b/helm-charts/nginx-ingress/crds/k8s.nginx.org_virtualservers.yaml index 1c28ddec..774449f8 100644 --- a/helm-charts/nginx-ingress/crds/k8s.nginx.org_virtualservers.yaml +++ b/helm-charts/nginx-ingress/crds/k8s.nginx.org_virtualservers.yaml @@ -210,6 +210,16 @@ spec: type: string code: type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array type: type: string type: object @@ -338,6 +348,16 @@ spec: type: string code: type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array type: type: string type: object @@ -445,6 +465,16 @@ spec: type: string code: type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array type: type: string type: object @@ -551,6 +581,16 @@ spec: type: string code: type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array type: type: string type: object diff --git a/helm-charts/nginx-ingress/templates/_helpers.tpl b/helm-charts/nginx-ingress/templates/_helpers.tpl index 497e1f6c..051cd17b 100644 --- a/helm-charts/nginx-ingress/templates/_helpers.tpl +++ b/helm-charts/nginx-ingress/templates/_helpers.tpl 
@@ -152,10 +152,27 @@ Expand wildcard TLS name. Expand image name. */}} {{- define "nginx-ingress.image" -}} -{{- if .Values.controller.image.digest -}} -{{- printf "%s@%s" .Values.controller.image.repository .Values.controller.image.digest -}} +{{ include "nginx-ingress.image-digest-or-tag" (dict "image" .Values.controller.image "default" .Chart.AppVersion ) }} +{{- end -}} + +{{- define "nap-enforcer.image" -}} +{{ include "nginx-ingress.image-digest-or-tag" (dict "image" .Values.controller.appprotect.enforcer.image "default" .Chart.AppVersion ) }} +{{- end -}} + +{{- define "nap-config-manager.image" -}} +{{ include "nginx-ingress.image-digest-or-tag" (dict "image" .Values.controller.appprotect.configManager.image "default" .Chart.AppVersion ) }} +{{- end -}} + +{{/* +Accepts an image struct like .Values.controller.image along with a default value to use +if the digest or tag is not set. Can be called like: +include "nginx-ingress.image-digest-or-tag" (dict "image" .Values.controller.image "default" .Chart.AppVersion +*/}} +{{- define "nginx-ingress.image-digest-or-tag" -}} +{{- if .image.digest -}} +{{- printf "%s@%s" .image.repository .image.digest -}} {{- else -}} -{{- printf "%s:%s" .Values.controller.image.repository (include "nginx-ingress.tag" .) -}} +{{- printf "%s:%s" .image.repository (default .default .image.tag) -}} {{- end -}} {{- end -}} 
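Review bot: In `nap-enforcer.image` and `nap-config-manager.image` the value passed as `"default"` is `.Chart.AppVersion`, which is the controller's version, so an unset `tag` on either App Protect image renders `repository:<controller version>`. If those images are versioned separately (likely, but not shown here), the pod references a tag that does not exist or is not the one intended. I would fail at render time instead: pass `"default" ""` from the two App Protect helpers and write the tag branch as `{{- printf "%s:%s" .image.repository (required "image tag or digest must be set" (default .default .image.tag)) -}}`. Only the digest branch pins image content, so the chart documentation should steer production installs to `digest`. The usage example in the new comment is also missing its closing `)`.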
@@ -198,6 +215,9 @@ Build the args for the service binary. {{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.logLevel }} - -app-protect-log-level={{ .Values.controller.appprotect.logLevel }} {{ end }} +{{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.v5 }} +- -app-protect-enforcer-address="{{ .Values.controller.appprotect.enforcer.host | default "127.0.0.1" }}:{{ .Values.controller.appprotect.enforcer.port | default 50000 }}" +{{- end }} - -enable-app-protect-dos={{ .Values.controller.appprotectdos.enable }} {{- if .Values.controller.appprotectdos.enable }} - -app-protect-dos-debug={{ .Values.controller.appprotectdos.debug }} @@ -312,6 +332,9 @@ List of volumes for controller. - name: nginx-log emptyDir: {} {{- end }} +{{- if .Values.controller.appprotect.v5 }} +{{- toYaml .Values.controller.appprotect.volumes }} +{{- end }} {{- if .Values.controller.volumes }} {{ toYaml .Values.controller.volumes }} {{- end }} @@ -361,6 +384,16 @@ volumeMounts: - mountPath: /var/log/nginx name: nginx-log {{- end }} +{{- if .Values.controller.appprotect.v5 }} +- name: app-protect-bd-config + mountPath: /opt/app_protect/bd_config +- name: app-protect-config + mountPath: /opt/app_protect/config + # app-protect-bundles is mounted so that Ingress Controller + # can verify that referenced bundles are present +- name: app-protect-bundles + mountPath: /etc/app_protect/bundles +{{- end }} {{- if .Values.controller.volumeMounts }} {{ toYaml .Values.controller.volumeMounts }} {{- end }} 
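Review bot: The added `-app-protect-enforcer-address="…"` item keeps its double quotes in the rendered argument, because they sit inside a plain YAML scalar and container args are not passed through a shell; the neighbouring `-app-protect-log-level={{ … }}` line is unquoted. Unless the controller strips quotes from this flag (not visible here), it receives the address with the quote characters included. I would render it as `- -app-protect-enforcer-address={{ .Values.controller.appprotect.enforcer.host | default "127.0.0.1" }}:{{ .Values.controller.appprotect.enforcer.port | default 50000 }}`. The enclosing define starts and ends outside the hunk.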
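Review bot: `{{- toYaml .Values.controller.appprotect.volumes }}` trims the newline in front of it, whereas the existing `{{ toYaml .Values.controller.volumes }}` just below does not, so the first App Protect volume can be glued to the previous rendered line; it also prints `null` when `appprotect.volumes` is unset. Wrapping it as `{{- with .Values.controller.appprotect.volumes }}` around `{{ toYaml . }}` avoids both. This block, the volumeMounts hunk that follows and the `nginx-ingress.appprotect.v5` define are gated on `appprotect.v5` alone, while the enforcer-address argument requires `and .Values.controller.appprotect.enable .Values.controller.appprotect.v5`. With `enable: false` and `v5: true` the sidecars and mounts are rendered but the controller is not given the enforcer address, so the same `and` condition should be used in all four places. The define continues outside the hunk.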
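Review bot: The three App Protect mounts added to the controller container are writable, although the added comment says `app-protect-bundles` is mounted only so the controller can verify that referenced bundles are present. Adding `readOnly: true` under that mount keeps a compromised controller process from altering policy bundles; whether the other two mounts need write access from this container is not visible here. The mount names are hard-coded while the matching volumes come from `.Values.controller.appprotect.volumes`, so a values override that renames a volume yields a pod spec that fails validation. A comment beside the values key such as `# volume names app-protect-bd-config, app-protect-config and app-protect-bundles are referenced by the templates and must not be renamed` would make that coupling explicit.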
@@ -378,6 +411,38 @@ volumeMounts: {{- end -}} {{- end -}} +{{- define "nginx-ingress.appprotect.v5" -}} +{{- if .Values.controller.appprotect.v5}} +- name: waf-enforcer + image: {{ include "nap-enforcer.image" . }} + imagePullPolicy: "{{ .Values.controller.appprotect.enforcer.image.pullPolicy }}" +{{- if .Values.controller.appprotect.enforcer.securityContext }} + securityContext: +{{ toYaml .Values.controller.appprotect.enforcer.securityContext | nindent 6 }} +{{- end }} + env: + - name: ENFORCER_PORT + value: "{{ .Values.controller.appprotect.enforcer.port | default 50000 }}" + volumeMounts: + - name: app-protect-bd-config + mountPath: /opt/app_protect/bd_config +- name: waf-config-mgr + image: {{ include "nap-config-manager.image" . }} + imagePullPolicy: "{{ .Values.controller.appprotect.configManager.image.pullPolicy }}" +{{- if .Values.controller.appprotect.configManager.securityContext }} + securityContext: +{{ toYaml .Values.controller.appprotect.configManager.securityContext | nindent 6 }} +{{- end }} + volumeMounts: + - name: app-protect-bd-config + mountPath: /opt/app_protect/bd_config + - name: app-protect-config + mountPath: /opt/app_protect/config + - name: app-protect-bundles + mountPath: /etc/app_protect/bundles +{{- end}} +{{- end -}} + {{- define "nginx-ingress.agentConfiguration" -}} log: level: {{ .Values.nginxAgent.logLevel }} diff --git a/helm-charts/nginx-ingress/templates/clusterrolebiding.yaml b/helm-charts/nginx-ingress/templates/clusterrolebinding.yaml similarity index 100% rename from helm-charts/nginx-ingress/templates/clusterrolebiding.yaml rename to helm-charts/nginx-ingress/templates/clusterrolebinding.yaml diff --git a/helm-charts/nginx-ingress/templates/controller-daemonset.yaml b/helm-charts/nginx-ingress/templates/controller-daemonset.yaml index 8da65c46..268f127f 100644 --- a/helm-charts/nginx-ingress/templates/controller-daemonset.yaml +++ b/helm-charts/nginx-ingress/templates/controller-daemonset.yaml 
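Review bot: The `waf-enforcer` and `waf-config-mgr` containers are rendered without `resources`, and neither values.yaml nor the schema in this patch adds a key for them, so both sidecars run without requests or limits beside the controller. A traffic-inspecting sidecar with no memory limit can starve the controller container on a busy node and changes the pod's QoS class. I would add `controller.appprotect.enforcer.resources` and `controller.appprotect.configManager.resources` and render them with the same `{{- if … }}` plus `toYaml … | nindent 6` pattern used here for `securityContext`. The define also has no `{{/* … */}}` description, unlike the helpers around it; one line stating that it renders the two App Protect WAF v5 sidecar containers would do.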
@@ -134,6 +134,9 @@ spec: {{- if .Values.controller.extraContainers }} {{ toYaml .Values.controller.extraContainers | nindent 6 }} {{- end }} + +{{- include "nginx-ingress.appprotect.v5" . | nindent 6 }} + {{- if or (eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.initContainers }} initContainers: {{- end }} diff --git a/helm-charts/nginx-ingress/templates/controller-deployment.yaml b/helm-charts/nginx-ingress/templates/controller-deployment.yaml index c8bc8f83..95bf3bb1 100644 --- a/helm-charts/nginx-ingress/templates/controller-deployment.yaml +++ b/helm-charts/nginx-ingress/templates/controller-deployment.yaml @@ -141,6 +141,9 @@ spec: {{- if .Values.controller.extraContainers }} {{ toYaml .Values.controller.extraContainers | nindent 6 }} {{- end }} + +{{- include "nginx-ingress.appprotect.v5" . | nindent 6 }} + {{- if or ( eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.initContainers }} initContainers: {{- end }} diff --git a/helm-charts/nginx-ingress/values-icp.yaml b/helm-charts/nginx-ingress/values-icp.yaml index 404bbe6f..d973006e 100644 --- a/helm-charts/nginx-ingress/values-icp.yaml +++ b/helm-charts/nginx-ingress/values-icp.yaml @@ -4,7 +4,7 @@ controller: nginxplus: true image: repository: mycluster.icp:8500/kube-system/nginx-plus-ingress - tag: "3.5.2" + tag: "3.6.0" nodeSelector: beta.kubernetes.io/arch: "amd64" proxy: true diff --git a/helm-charts/nginx-ingress/values-plus.yaml b/helm-charts/nginx-ingress/values-plus.yaml index c5d24f9a..f51a2347 100644 --- a/helm-charts/nginx-ingress/values-plus.yaml +++ b/helm-charts/nginx-ingress/values-plus.yaml @@ -3,4 +3,4 @@ controller: nginxplus: true image: repository: nginx-plus-ingress - tag: "3.5.2" + tag: "3.6.0" diff --git a/helm-charts/nginx-ingress/values.schema.json b/helm-charts/nginx-ingress/values.schema.json index ad2b0436..6c53cfe6 100644 --- a/helm-charts/nginx-ingress/values.schema.json 
+++ b/helm-charts/nginx-ingress/values.schema.json @@ -46,13 +46,13 @@ "type": "object", "default": {}, "title": "The selectorLabels Schema", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" }, "annotations": { "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "nginxplus": { "type": "boolean", @@ -119,6 +119,15 @@ true ] }, + "v5": { + "type": "boolean", + "default": false, + "title": "Enables App Protect WAF v5.", + "examples": [ + false, + true + ] + }, "logLevel": { "type": "string", "default": "", 
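Review bot: Every rewritten `$ref` now points at `https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json`, a mutable branch on a remote host; the same replacement repeats in all later hunks of this file. If the validator resolves these references at lint or install time (worth confirming for the Helm version in use), values validation depends on network reachability and on content that can change after the chart is released, and it fails in air-gapped clusters. Pinning the URL to a tag or commit SHA instead of `master`, or shipping `_definitions.json` inside the chart package, keeps validation reproducible.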
@@ -139,6 +148,201 @@ "debug", "trace" ] + }, + "volumes": { + "type": "array", + "default": [ + { + "name": "app-protect-bd-config", + "emptyDir": {} + }, + { + "name": "app-protect-config", + "emptyDir": {} + }, + { + "name": "app-protect-bundles", + "emptyDir": {} + } + ], + "title": "Volumes for App Protect WAF v5", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Volume" + } + }, + "enforcer": { + "type": "object", + "properties": { + "host": { + "type": "string", + "default": "127.0.0.1", + "title": "Port which the App Protect WAF v5 Enforcer process runs on", + "examples": [ + "127.0.0.1" + ] + }, + "port": { + "type": "integer", + "default": 50000, + "title": "Port which the App Protect WAF v5 Enforcer process runs on", + "examples": [ + 50000 + ] + }, + "image": { + "type": "object", + "default": {}, + "title": "The image Schema", + "required": [ + "repository" + ], + "properties": { + "repository": { + "type": "string", + "default": "private-registry.nginx.com/nap/waf-enforcer", + "title": "The repository of the App Protect WAF v5 Enforcer image", + "examples": [ + "private-registry.nginx.com/nap/waf-enforcer" + ] + }, + "tag": { + "type": "string", + "default": "5.2.0", + "title": "The tag of the App Protect WAF v5 Enforcer image", + "examples": [ + "5.2.0" + ] + }, + "digest": { + "type": "string", + "default": "", + "title": "The digest of the App Protect WAF v5 Enforcer image", + "examples": [ + "sha256:2710c264e8eaeb663cee63db37b75a1ac1709f63a130fb091c843a6c3a4dc572" + ] + }, + "pullPolicy": { + "type": "string", + "default": "IfNotPresent", + "title": "The pullPolicy for the App Protect WAF v5 Enforcer image", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" + }, + { + "enum": [ + 
"Always", + "IfNotPresent", + "Never" + ] + } + ], + "examples": [ + "Always", + "IfNotPresent", + "Never" + ] + } + }, + "examples": [ + { + "repository": "private-registry.nginx.com/nap/waf-enforcer", + "tag": "5.2.0", + "pullPolicy": "IfNotPresent" + } + ] + }, + "securityContext": { + "type": "object", + "default": {}, + "title": "The securityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + } + } + }, + "configManager": { + "type": "object", + "properties": { + "image": { + "type": "object", + "default": {}, + "title": "The image Schema", + "required": [ + "repository" + ], + "properties": { + "repository": { + "type": "string", + "default": "private-registry.nginx.com/nap/waf-config-mgr", + "title": "The repository of the App Protect WAF v5 Config Manager image", + "examples": [ + "private-registry.nginx.com/nap/waf-config-mgr" + ] + }, + "tag": { + "type": "string", + "default": "5.2.0", + "title": "The tag of the App Protect WAF v5 Config Manager image", + "examples": [ + "5.2.0" + ] + }, + "digest": { + "type": "string", + "default": "", + "title": "The digest of the App Protect WAF v5 Config Manager image", + "examples": [ + "sha256:2710c264e8eaeb663cee63db37b75a1ac1709f63a130fb091c843a6c3a4dc572" + ] + }, + "pullPolicy": { + "type": "string", + "default": "IfNotPresent", + "title": "The pullPolicy for the App Protect WAF v5 Config Manager image", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" + }, + { + "enum": [ + "Always", + "IfNotPresent", + "Never" + ] + } + ], + "examples": [ + "Always", + "IfNotPresent", + "Never" + ] + } + }, + "examples": [ + { + "repository": "private-registry.nginx.com/nap/waf-config-mgr", + "tag": "5.2.0", + "pullPolicy": "IfNotPresent" + } + ] + }, + 
"securityContext": { + "type": "object", + "default": { + "allowPrivilegeEscalation": false, + "runAsUser": 101, + "runAsNonRoot": true, + "capabilities": { + "drop": [ + "all" + ] + } + }, + "title": "The securityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + } + } } }, "examples": [ @@ -226,7 +430,7 @@ "^.*$": { "anyOf": [ { - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/hostPort" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/hostPort" }, { "type": "boolean" @@ -242,7 +446,7 @@ "title": "The containerPort Schema", "patternProperties": { "^.*$": { - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/containerPort" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/containerPort" } }, "additionalProperties": false @@ -251,7 +455,7 @@ "type": "string", "allOf": [ { - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/dnsPolicy" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/dnsPolicy" }, { "enum": [ 
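Review bot: In the new `enforcer` properties (the hunk that starts at `@@ -139,6 +148,201 @@`), `host` carries the title of `port`; it should read `"title": "Host which the App Protect WAF v5 Enforcer process runs on"`. `port` is a bare `integer`, so adding `"minimum": 1, "maximum": 65535` would reject out-of-range values before they are interpolated into the `-app-protect-enforcer-address` argument. The `digest` example is the same value for the Enforcer and the Config Manager image, which suggests a copy-paste placeholder rather than two real digests.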
@@ -301,7 +505,7 @@ "title": "The customPorts to expose on the NGINX Ingress Controller pod", "items": { "type": "object", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort" }, "examples": [ [ @@ -336,10 +540,10 @@ }, "tag": { "type": "string", - "default": "3.5.2", + "default": "3.6.0", "title": "The tag of the Ingress Controller image", "examples": [ - "3.5.2" + "3.6.0" ] }, "digest": { @@ -356,7 +560,7 @@ "title": "The pullPolicy for the Ingress Controller image", "allOf": [ { - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" }, { "enum": [ @@ -376,7 +580,7 @@ "examples": [ { "repository": "nginx/nginx-ingress", - "tag": "3.5.2", + "tag": "3.6.0", "pullPolicy": "IfNotPresent" } ] @@ -385,7 +589,7 @@ "type": "object", "default": {}, "title": "The lifecycle Schema", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Lifecycle" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Lifecycle" }, "customConfigMap": { "type": "string", 
@@ -413,7 +617,7 @@ "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "entries": { "type": "object", 
@@ -500,43 +704,43 @@ "type": "object", "default": {}, "title": "The nodeSelector Schema", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/nodeSelector" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/nodeSelector" }, "terminationGracePeriodSeconds": { "type": "integer", "default": 30, "title": "The terminationGracePeriodSeconds Schema", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/terminationGracePeriodSeconds" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/terminationGracePeriodSeconds" }, "podSecurityContext": { "type": "object", "default": {}, "title": "The podSecurityContext Schema", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext" }, "securityContext": { "type": "object", "default": {}, "title": "The securityContext Schema", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" }, "initContainerSecurityContext": { "type": "object", "default": {}, "title": "The initContainerSecurityContext Schema", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + "$ref": 
"https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" }, "resources": { "type": "object", "default": {}, "title": "The resources Schema", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" }, "initContainerResources": { "type": "object", "default": {}, "title": "The resources Schema", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" }, "tolerations": { "type": "array", 
@@ -544,20 +748,20 @@ "title": "The tolerations Schema", "items": { "type": "object", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Toleration" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Toleration" } }, "affinity": { "type": "object", "default": {}, "title": "The affinity Schema", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Affinity" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Affinity" }, "topologySpreadConstraints": { "type": "object", "default": {}, "title": "The topologySpreadConstraints Schema", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/topologySpreadConstraints" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/topologySpreadConstraints" }, "env": { "type": "array", @@ -565,7 +769,7 @@ "title": "The env Schema", "items": { "type": "object", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.EnvVar" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.EnvVar" } }, "volumes": { @@ -574,7 +778,7 @@ "title": "The volumes Schema", "items": { "type": "object", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Volume" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Volume" } }, "volumeMounts": { 
@@ -583,7 +787,7 @@ "title": "The volumeMounts Schema", "items": { "type": "object", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.VolumeMount" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.VolumeMount" } }, "initContainers": { @@ -592,14 +796,14 @@ "title": "The initContainers Schema", "items": { "type": "object", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" } }, "minReadySeconds": { "type": "integer", "default": 0, "title": "The minReadySeconds Schema", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentSpec/properties/minReadySeconds" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentSpec/properties/minReadySeconds" }, "strategy": { "type": "object", @@ -607,7 +811,7 @@ "title": "The strategy Schema", "allOf": [ { - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentStrategy" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentStrategy" }, { "properties": { @@ -629,7 +833,7 @@ "title": "The extraContainers Schema", "items": { "type": "object", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" } }, "replicaCount": { 
@@ -897,19 +1101,19 @@ "type": "string", "default": "", "title": "The type", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/type" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/type" }, "externalTrafficPolicy": { "type": "string", "default": "", "title": "The externalTrafficPolicy", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalTrafficPolicy" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalTrafficPolicy" }, "annotations": { "type": "object", "default": {}, "title": "The annotations", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "extraLabels": { "type": "object", 
@@ -925,13 +1129,13 @@ "type": "string", "default": "", "title": "The loadBalancerIP", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/loadBalancerIP" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/loadBalancerIP" }, "externalIPs": { "type": "array", "default": [], "title": "The externalIPs", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalIPs" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalIPs" }, "loadBalancerSourceRanges": { "type": "array", @@ -946,13 +1150,13 @@ "type": "boolean", "default": false, "title": "The allocateLoadBalancerNodePorts Schema", - "ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/allocateLoadBalancerNodePorts" + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/allocateLoadBalancerNodePorts" }, "ipFamilyPolicy": { "type": "string", "default": "", "title": "The ipFamilyPolicy Schema", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilyPolicy", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilyPolicy", "examples": [ "" ] 
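Review bot: `allocateLoadBalancerNodePorts` uses the key `"ref"` instead of `"$ref"`, and the commit rewrites the URL without fixing the key, so a JSON Schema validator treats it as an unknown keyword and applies none of the referenced Kubernetes type checks. The same applies to `ipFamilies` and to the `customPorts` items in the next two hunks. Each should become `"$ref": "<same URL>"`.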
@@ -961,7 +1165,7 @@ "type": "array", "default": [], "title": "The ipFamilies Schema", - "ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilies" + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilies" }, "httpPort": { "type": "object", @@ -1065,7 +1269,7 @@ "title": "The customPorts", "items": { "type": "object", - "ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServicePort" + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServicePort" } } }, @@ -1107,7 +1311,7 @@ "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "name": { "type": "string", @@ -1252,7 +1456,7 @@ "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" } }, "examples": [ 
@@ -1276,13 +1480,13 @@ "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "extraLabels": { "type": "object", "default": {}, "title": "The extraLabels Schema", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" } }, "examples": [ @@ -1296,7 +1500,7 @@ "type": "string", "default": "", "title": "The priorityClassName", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/priorityClassName" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/priorityClassName" }, "podDisruptionBudget": { "type": "object", 
@@ -1313,13 +1517,13 @@ "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "minAvailable": { - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/minAvailable" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/minAvailable" }, "maxUnavailable": { - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/maxUnavailable" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/maxUnavailable" } }, "examples": [ @@ -1358,7 +1562,7 @@ "initialDelaySeconds": { "type": "integer", "default": 0, - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Probe/properties/initialDelaySeconds" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Probe/properties/initialDelaySeconds" } }, "examples": [ @@ -1466,7 +1670,7 @@ "customPorts": [], "image": { "repository": "nginx/nginx-ingress", - "tag": "3.5.2", + "tag": "3.6.0", "digest": "", "pullPolicy": "IfNotPresent" }, 
@@ -1681,7 +1885,7 @@ "type": "object", "default": {}, "title": "The labels Schema", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" } } }, @@ -1703,13 +1907,13 @@ "type": "object", "default": {}, "title": "The labels Schema", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" }, "selectorMatchLabels": { "type": "object", "default": {}, "title": "The selectorMatchLabels Schema", - "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" }, "endpoints": { "type": "array", @@ -2007,7 +2211,7 @@ "customPorts": [], "image": { "repository": "nginx/nginx-ingress", - "tag": "3.5.2", + "tag": "3.6.0", "digest": "", "pullPolicy": "IfNotPresent" }, diff --git a/helm-charts/nginx-ingress/values.yaml b/helm-charts/nginx-ingress/values.yaml index 8b8ff0c1..a3b888ab 100644 --- a/helm-charts/nginx-ingress/values.yaml +++ b/helm-charts/nginx-ingress/values.yaml 
@@ -21,9 +21,65 @@ controller: appprotect: ## Enable the App Protect WAF module in the Ingress Controller. enable: false + ## Enables App Protect WAF v5. + v5: false ## Sets log level for App Protect WAF. Allowed values: fatal, error, warn, info, debug, trace # logLevel: fatal + # Volumes for App Protect WAF v5 + # Required volumes are: app-protect-bd-config, app-protect-config, and app-protect-bundles + volumes: + - name: app-protect-bd-config + emptyDir: {} + - name: app-protect-config + emptyDir: {} + - name: app-protect-bundles + emptyDir: {} + + ## Configuration for App Protect WAF v5 Enforcer + enforcer: + # Host that the App Protect WAF v5 Enforcer runs on. + # This will normally be "127.0.0.1" as the Enforcer container + # will run in the same pod as the Ingress Controller container. + host: "127.0.0.1" + # Port that the App Protect WAF v5 Enforcer runs on. + port: 50000 + image: + ## The image repository of the App Protect WAF v5 Enforcer. + repository: private-registry.nginx.com/nap/waf-enforcer + + ## The tag of the App Protect WAF v5 Enforcer image. + tag: "5.2.0" + ## The digest of the App Protect WAF v5 Enforcer image. + ## If digest is specified it has precedence over tag and will be used instead + # digest: "sha256:CHANGEME" + + ## The pull policy for the App Protect WAF v5 Enforcer image. + pullPolicy: IfNotPresent + securityContext: {} + + ## Configuration for App Protect WAF v5 Configuration Manager + configManager: + image: + ## The image repository of the App Protect WAF v5 Configuration Manager. + repository: private-registry.nginx.com/nap/waf-config-mgr + + ## The tag of the App Protect WAF v5 Configuration Manager image. + tag: "5.2.0" + ## The digest of the App Protect WAF v5 Configuration Manager image. + ## If digest is specified it has precedence over tag and will be used instead + # digest: "sha256:CHANGEME" + + ## The pull policy for the App Protect WAF v5 Configuration Manager image. 
+ pullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - all + ## Support for App Protect DoS appprotectdos: ## Enable the App Protect DoS module in the Ingress Controller. @@ -78,7 +134,7 @@ controller: repository: nginx/nginx-ingress ## The tag of the Ingress Controller image. If not specified the appVersion from Chart.yaml is used as a tag. - # tag: "3.5.2" + # tag: "3.6.0" ## The digest of the Ingress Controller image. ## If digest is specified it has precedence over tag and will be used instead # digest: "sha256:CHANGEME" @@ -173,7 +229,8 @@ controller: type: RuntimeDefault ## The security context for the Ingress Controller containers. - securityContext: {} # Remove curly brackets before adding values + securityContext: + {} # Remove curly brackets before adding values # allowPrivilegeEscalation: true # readOnlyRootFilesystem: true # runAsUser: 101 #nginx 
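Review bot: `enforcer.securityContext` defaults to `{}` while `configManager.securityContext` ships with `allowPrivilegeEscalation: false`, `runAsNonRoot: true` and dropped capabilities, so the Enforcer container runs with whatever privileges its image defaults to. If the Enforcer image supports it, give it the same baseline, at minimum `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}`. The Pod Security Standards spell the capability `ALL`; the lowercase `all` used for `configManager` may not satisfy a namespace enforcing the `restricted` profile, so it is worth testing there. Both WAF images are referenced by tag with `digest` left commented out; a note recommending digest pinning for production would fit next to those comments.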
@@ -265,19 +322,19 @@ controller: ## The Ingress Controller processes all the resources that do not have the "ingressClassName" field for all versions of kubernetes. name: nginx - ## Creates a new IngressClass object with the name "controller.ingressClass.name". Set to false to use an existing IngressClass with the same name. If you use helm upgrade, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.3.0, do not set the value to false. + ## Creates a new IngressClass object with the name "controller.ingressClass.name". To use an existing IngressClass with the same name, set this value to false. If you use helm upgrade, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.3.0, do not set the value to false. create: true ## New Ingresses without an ingressClassName field specified will be assigned the class specified in `controller.ingressClass`. Requires "controller.ingressClass.create". setAsDefaultIngress: false - ## Comma separated list of namespaces to watch for Ingress resources. By default the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespaceLabel". + ## Comma separated list of namespaces to watch for Ingress resources. By default, the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespaceLabel". watchNamespace: "" - ## Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespace". + ## Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default, the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespace". 
watchNamespaceLabel: "" - ## Comma separated list of namespaces to watch for Secret resources. By default the Ingress Controller watches all namespaces. + ## Comma separated list of namespaces to watch for Secret resources. By default, the Ingress Controller watches all namespaces. watchSecretNamespace: "" ## Enable the custom resources. @@ -286,7 +343,7 @@ controller: ## Enable OIDC policies. enableOIDC: false - ## Include year in log header. This parameter will be removed in release 2.7 and the year will be included by default. + ## Include year in log header. This parameter will be removed in release 3.7 and the year will be included by default. includeYear: false ## Enable TLS Passthrough on port 443. Requires controller.enableCustomResources. @@ -501,6 +558,10 @@ rbac: ## Configures RBAC. create: true + clusterrole: + ## Create ClusterRole + create: true + prometheus: ## Expose NGINX or NGINX Plus metrics in the Prometheus format. create: true From 013d8644b19e72ca53bfdbb885c8cd50ec35012f Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Wed, 26 Jun 2024 11:44:40 +0100 Subject: [PATCH 2/3] update versions for release 2.3.0 --- .github/workflows/delete-operator-branch.yml | 2 +- Makefile | 2 +- README.md | 3 ++- ...in_rbac.authorization.k8s.io_v1_clusterrole.yaml | 13 ------------- ...ginx-ingress-operator.clusterserviceversion.yaml | 10 +++++----- config/manager/kustomization.yaml | 2 +- ...ginx-ingress-operator.clusterserviceversion.yaml | 6 +++--- docs/manual-installation.md | 8 ++++---- docs/openshift-installation.md | 4 ++-- 9 files changed, 19 insertions(+), 31 deletions(-) diff --git a/.github/workflows/delete-operator-branch.yml b/.github/workflows/delete-operator-branch.yml index 2e3f6a92..a18786b4 100644 --- a/.github/workflows/delete-operator-branch.yml +++ b/.github/workflows/delete-operator-branch.yml 
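Review bot: The new `rbac.clusterrole.create` key is documented only as `## Create ClusterRole`, which does not say what the chart expects when it is set to false. Presumably the ClusterRoleBinding then refers to a ClusterRole managed outside the chart, whose rules the chart no longer controls; the templates are not part of this hunk, so that is an inference. I would expand the comment to something like `## Create the ClusterRole. Set to false only when a ClusterRole with the rules the controller needs is managed outside this chart.`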
@@ -5,7 +5,7 @@ on: inputs: branch: description: "Operator Branch to delete" - default: "update-nginx-ingress-operator-to-v2.2.2" + default: "update-nginx-ingress-operator-to-v2.3.0" permissions: contents: read diff --git a/Makefile b/Makefile index ab17ef7c..43b9f208 100644 --- a/Makefile +++ b/Makefile @@ -3,7 +3,7 @@ # To re-generate a bundle for another specific version without changing the standard setup, you can: # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2) # - use environment variables to overwrite this value (e.g export VERSION=0.0.2) -VERSION ?= 2.2.2 +VERSION ?= 2.3.0 # CHANNELS define the bundle channels used in the bundle. # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable") diff --git a/README.md b/README.md index 92457479..4a1376cb 100644 --- a/README.md +++ b/README.md @@ -17,6 +17,7 @@ The following table shows the relation between the versions of the two projects: | NGINX Ingress Controller | NGINX Ingress Operator | | ------------------------ | ---------------------- | +| 3.6.x | 2.3.0 | | 3.5.x | 2.2.2 | | 3.4.x | 2.1.2 | | 3.3.x | 2.0.2 | @@ -74,7 +75,7 @@ See [upgrade docs](./docs/upgrades.md) We publish NGINX Ingress Operator releases on GitHub. See our [releases page](https://github.com/nginxinc/nginx-ingress-helm-operator/releases). -The latest stable release is [2.2.2](https://github.com/nginxinc/nginx-ingress-helm-operator/releases/tag/v2.2.2). For production use, we recommend that you choose the latest stable release. +The latest stable release is [2.3.0](https://github.com/nginxinc/nginx-ingress-helm-operator/releases/tag/v2.3.0). For production use, we recommend that you choose the latest stable release. ## Development 
diff --git a/bundle/manifests/nginx-ingress-operator-nginx-ingress-admin_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/nginx-ingress-operator-nginx-ingress-admin_rbac.authorization.k8s.io_v1_clusterrole.yaml index 173ad0e6..bc777cfd 100644 --- a/bundle/manifests/nginx-ingress-operator-nginx-ingress-admin_rbac.authorization.k8s.io_v1_clusterrole.yaml +++ b/bundle/manifests/nginx-ingress-operator-nginx-ingress-admin_rbac.authorization.k8s.io_v1_clusterrole.yaml @@ -83,19 +83,6 @@ rules: - get - list - watch -- apiGroups: - - "apps" - resources: - - replicasets - - daemonset - verbs: - - get -- apiGroups: - - "" - resources: - - nodes - verbs: - - list - apiGroups: - "" resources: diff --git a/bundle/manifests/nginx-ingress-operator.clusterserviceversion.yaml b/bundle/manifests/nginx-ingress-operator.clusterserviceversion.yaml index 40b58dcb..e5373397 100644 --- a/bundle/manifests/nginx-ingress-operator.clusterserviceversion.yaml +++ b/bundle/manifests/nginx-ingress-operator.clusterserviceversion.yaml @@ -220,8 +220,8 @@ metadata: capabilities: Basic Install categories: Monitoring, Networking certified: "true" - containerImage: quay.io/nginx/nginx-ingress-operator:2.2.2 - createdAt: "2024-05-31T15:17:34Z" + containerImage: quay.io/nginx/nginx-ingress-operator:2.3.0 + createdAt: "2024-06-26T10:41:53Z" description: The NGINX Ingress Operator is a Kubernetes/OpenShift component which deploys and manages one or more NGINX/NGINX Plus Ingress Controllers features.operators.openshift.io/cnf: "false" @@ -244,7 +244,7 @@ metadata: operatorframework.io/arch.arm64: supported operatorframework.io/arch.ppc64le: supported operatorframework.io/arch.s390x: supported - name: nginx-ingress-operator.v2.2.2 + name: nginx-ingress-operator.v2.3.0 namespace: placeholder spec: apiservicedefinitions: {} 
@@ -448,7 +448,7 @@ spec: - --metrics-bind-address=127.0.0.1:8080 - --leader-elect - --leader-election-id=nginx-ingress-operator - image: quay.io/nginx/nginx-ingress-operator:2.2.2 + image: quay.io/nginx/nginx-ingress-operator:2.3.0 livenessProbe: httpGet: path: /healthz @@ -539,4 +539,4 @@ spec: minKubeVersion: 1.23.0 provider: name: NGINX Inc - version: 2.2.2 + version: 2.3.0 diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 9dce370c..154fb3e1 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -5,4 +5,4 @@ kind: Kustomization images: - name: controller newName: quay.io/nginx/nginx-ingress-operator - newTag: 2.2.2 + newTag: 2.3.0 diff --git a/config/manifests/bases/nginx-ingress-operator.clusterserviceversion.yaml b/config/manifests/bases/nginx-ingress-operator.clusterserviceversion.yaml index 3a5d7ee6..21425673 100644 --- a/config/manifests/bases/nginx-ingress-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/nginx-ingress-operator.clusterserviceversion.yaml @@ -6,7 +6,7 @@ metadata: capabilities: Basic Install categories: Monitoring, Networking certified: "true" - containerImage: quay.io/nginx/nginx-ingress-operator:2.2.2 + containerImage: quay.io/nginx/nginx-ingress-operator:2.3.0 createdAt: placeholder description: The NGINX Ingress Operator is a Kubernetes/OpenShift component which deploys and manages one or more NGINX/NGINX Plus Ingress Controllers @@ -185,7 +185,7 @@ spec: - --metrics-bind-address=127.0.0.1:8080 - --leader-elect - --leader-election-id=nginx-ingress-operator - image: quay.io/nginx/nginx-ingress-operator:2.2.2 + image: quay.io/nginx/nginx-ingress-operator:2.3.0 livenessProbe: httpGet: path: /healthz @@ -291,4 +291,4 @@ spec: minKubeVersion: 1.23.0 provider: name: NGINX Inc - version: 2.2.2 + version: 2.3.0 diff --git a/docs/manual-installation.md b/docs/manual-installation.md index 0a1f7a29..0d9921a6 100644 --- a/docs/manual-installation.md 
+++ b/docs/manual-installation.md @@ -7,14 +7,14 @@ This will deploy the operator in the `nginx-ingress-operator-system` namespace. 1. Clone the `nginx-ingress-operator` repo: ```shell - git clone https://github.com/nginxinc/nginx-ingress-helm-operator/ --branch v2.2.2 + git clone https://github.com/nginxinc/nginx-ingress-helm-operator/ --branch v2.3.0 cd nginx-ingress-helm-operator/ ``` 2. To deploy the Operator and associated resources to all environments, run: ```shell - make deploy IMG=nginx/nginx-ingress-operator:2.2.2 + make deploy IMG=nginx/nginx-ingress-operator:2.3.0 ``` 2. Check that the Operator is running: @@ -30,11 +30,11 @@ This will deploy the operator in the `nginx-ingress-operator-system` namespace. In order to deploy NGINX Ingress Controller instances into OpenShift environments, a new SCC is required to be created on the cluster which will be used to bind the specific required capabilities to the NGINX Ingress service account(s). To do so for NIC deployments, please run the following command (assuming you are logged in with administrator access to the cluster): -`kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-ingress-helm-operator/v2.2.2/resources/scc.yaml` +`kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-ingress-helm-operator/v2.3.0/resources/scc.yaml` Alternatively, to create an SCC for NIC daemonsets, please run this command: -`kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-ingress-helm-operator/v2.2.2/resources/scc-daemonset.yaml` +`kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-ingress-helm-operator/v2.3.0/resources/scc-daemonset.yaml` You can now deploy the NGINX Ingress Controller instances. diff --git a/docs/openshift-installation.md b/docs/openshift-installation.md index 43df7d8b..80bbac8e 100644 --- a/docs/openshift-installation.md +++ b/docs/openshift-installation.md 
@@ -23,10 +23,10 @@ Additional steps: In order to deploy NGINX Ingress Controller instances into OpenShift environments, a new SCC is required to be created on the cluster which will be used to bind the specific required capabilities to the NGINX Ingress service account(s). To do so for NIC deployments, please run the following command (assuming you are logged in with administrator access to the cluster): -`kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-ingress-helm-operator/v2.2.2/resources/scc.yaml` +`kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-ingress-helm-operator/v2.3.0/resources/scc.yaml` Alternatively, to create an SCC for NIC daemonsets, please run this command: -`kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-ingress-helm-operator/v2.2.2/resources/scc-daemonset.yaml` +`kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-ingress-helm-operator/v2.3.0/resources/scc-daemonset.yaml` You can now deploy the NGINX Ingress Controller instances. From d1d1d3c02e1d2c31f26427c09fe36589eca60e11 Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Wed, 26 Jun 2024 11:48:52 +0100 Subject: [PATCH 3/3] update schema ref --- helm-charts/nginx-ingress/values.schema.json | 104 +++++++++---------- 1 file changed, 52 insertions(+), 52 deletions(-) diff --git a/helm-charts/nginx-ingress/values.schema.json b/helm-charts/nginx-ingress/values.schema.json index 6c53cfe6..2e729404 100644 --- a/helm-charts/nginx-ingress/values.schema.json +++ b/helm-charts/nginx-ingress/values.schema.json 
@@ -46,13 +46,13 @@ "type": "object", "default": {}, "title": "The selectorLabels Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" }, "annotations": { "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "nginxplus": { "type": "boolean", @@ -168,7 +168,7 @@ "title": "Volumes for App Protect WAF v5", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Volume" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Volume" } }, "enforcer": { @@ -228,7 +228,7 @@ "title": "The pullPolicy for the App Protect WAF v5 Enforcer image", "allOf": [ { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" }, { "enum": [ 
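Review bot: The replacement `$ref` values point at `file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json`, a path written relative to the repository root rather than to the chart directory, so resolution likely depends on where the validator is run from. The diffstat for this commit lists only values.schema.json, so the referenced definitions file is not added here. Dropping the fetch from a mutable `master` branch URL is a sound change, but confirm that the packaged chart still validates outside a repo checkout, or that the references are bundled at release time. This applies to every hunk in this file.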
@@ -257,7 +257,7 @@ "type": "object", "default": {}, "title": "The securityContext Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" } } }, @@ -302,7 +302,7 @@ "title": "The pullPolicy for the App Protect WAF v5 Config Manager image", "allOf": [ { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" }, { "enum": [ @@ -340,7 +340,7 @@ } }, "title": "The securityContext Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" } } } @@ -430,7 +430,7 @@ "^.*$": { "anyOf": [ { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/hostPort" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/hostPort" }, { "type": "boolean" 
@@ -446,7 +446,7 @@ "title": "The containerPort Schema", "patternProperties": { "^.*$": { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/containerPort" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/containerPort" } }, "additionalProperties": false @@ -455,7 +455,7 @@ "type": "string", "allOf": [ { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/dnsPolicy" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/dnsPolicy" }, { "enum": [ @@ -505,7 +505,7 @@ "title": "The customPorts to expose on the NGINX Ingress Controller pod", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort" }, "examples": [ [ @@ -560,7 +560,7 @@ "title": "The pullPolicy for the Ingress Controller image", "allOf": [ { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" }, { "enum": [ 
@@ -589,7 +589,7 @@ "type": "object", "default": {}, "title": "The lifecycle Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Lifecycle" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Lifecycle" }, "customConfigMap": { "type": "string", @@ -617,7 +617,7 @@ "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "entries": { "type": "object", 
@@ -704,43 +704,43 @@ "type": "object", "default": {}, "title": "The nodeSelector Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/nodeSelector" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/nodeSelector" }, "terminationGracePeriodSeconds": { "type": "integer", "default": 30, "title": "The terminationGracePeriodSeconds Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/terminationGracePeriodSeconds" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/terminationGracePeriodSeconds" }, "podSecurityContext": { "type": "object", "default": {}, "title": "The podSecurityContext Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext" }, "securityContext": { "type": "object", "default": {}, "title": "The securityContext Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" }, "initContainerSecurityContext": { "type": "object", "default": {}, "title": "The initContainerSecurityContext Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + "$ref": 
"file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" }, "resources": { "type": "object", "default": {}, "title": "The resources Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" }, "initContainerResources": { "type": "object", "default": {}, "title": "The resources Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" }, "tolerations": { "type": "array", 
@@ -748,20 +748,20 @@ "title": "The tolerations Schema", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Toleration" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Toleration" } }, "affinity": { "type": "object", "default": {}, "title": "The affinity Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Affinity" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Affinity" }, "topologySpreadConstraints": { "type": "object", "default": {}, "title": "The topologySpreadConstraints Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/topologySpreadConstraints" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/topologySpreadConstraints" }, "env": { "type": "array", @@ -769,7 +769,7 @@ "title": "The env Schema", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.EnvVar" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.EnvVar" } }, "volumes": { @@ -778,7 +778,7 @@ "title": "The volumes Schema", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Volume" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Volume" } }, "volumeMounts": { 
@@ -787,7 +787,7 @@ "title": "The volumeMounts Schema", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.VolumeMount" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.VolumeMount" } }, "initContainers": { @@ -796,14 +796,14 @@ "title": "The initContainers Schema", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" } }, "minReadySeconds": { "type": "integer", "default": 0, "title": "The minReadySeconds Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentSpec/properties/minReadySeconds" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentSpec/properties/minReadySeconds" }, "strategy": { "type": "object", @@ -811,7 +811,7 @@ "title": "The strategy Schema", "allOf": [ { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentStrategy" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentStrategy" }, { "properties": { @@ -833,7 +833,7 @@ "title": "The extraContainers Schema", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" } }, "replicaCount": { 
@@ -1101,19 +1101,19 @@ "type": "string", "default": "", "title": "The type", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/type" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/type" }, "externalTrafficPolicy": { "type": "string", "default": "", "title": "The externalTrafficPolicy", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalTrafficPolicy" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalTrafficPolicy" }, "annotations": { "type": "object", "default": {}, "title": "The annotations", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "extraLabels": { "type": "object", 
@@ -1129,13 +1129,13 @@ "type": "string", "default": "", "title": "The loadBalancerIP", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/loadBalancerIP" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/loadBalancerIP" }, "externalIPs": { "type": "array", "default": [], "title": "The externalIPs", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalIPs" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalIPs" }, "loadBalancerSourceRanges": { "type": "array", @@ -1150,13 +1150,13 @@ "type": "boolean", "default": false, "title": "The allocateLoadBalancerNodePorts Schema", - "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/allocateLoadBalancerNodePorts" + "ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/allocateLoadBalancerNodePorts" }, "ipFamilyPolicy": { "type": "string", "default": "", "title": "The ipFamilyPolicy Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilyPolicy", + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilyPolicy", "examples": [ "" ] 
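Review bot: The `allocateLoadBalancerNodePorts` entry in the `@@ -1150,13` hunk uses the key `"ref"` rather than `"$ref"`, so a JSON Schema validator treats it as an unknown keyword and only the `type` check applies. The same spelling appears in the `ipFamilies` hunk (`@@ -1165,7`) and the service `customPorts` hunk (`@@ -1269,7`). Since these lines are being rewritten anyway, rename the key to `"$ref"` in all three and check that existing values still validate. The typo is on the removed side too, so it predates this commit.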
@@ -1165,7 +1165,7 @@ "type": "array", "default": [], "title": "The ipFamilies Schema", - "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilies" + "ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilies" }, "httpPort": { "type": "object", @@ -1269,7 +1269,7 @@ "title": "The customPorts", "items": { "type": "object", - "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServicePort" + "ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServicePort" } } }, @@ -1311,7 +1311,7 @@ "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "name": { "type": "string", @@ -1456,7 +1456,7 @@ "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" } }, "examples": [ 
@@ -1480,13 +1480,13 @@ "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "extraLabels": { "type": "object", "default": {}, "title": "The extraLabels Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" } }, "examples": [ @@ -1500,7 +1500,7 @@ "type": "string", "default": "", "title": "The priorityClassName", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/priorityClassName" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/priorityClassName" }, "podDisruptionBudget": { "type": "object", 
@@ -1517,13 +1517,13 @@ "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "minAvailable": { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/minAvailable" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/minAvailable" }, "maxUnavailable": { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/maxUnavailable" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/maxUnavailable" } }, "examples": [ @@ -1562,7 +1562,7 @@ "initialDelaySeconds": { "type": "integer", "default": 0, - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Probe/properties/initialDelaySeconds" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Probe/properties/initialDelaySeconds" } }, "examples": [ 
@@ -1885,7 +1885,7 @@ "type": "object", "default": {}, "title": "The labels Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" } } }, @@ -1907,13 +1907,13 @@ "type": "object", "default": {}, "title": "The labels Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" }, "selectorMatchLabels": { "type": "object", "default": {}, "title": "The selectorMatchLabels Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" + "$ref": "file://./helm-charts/nginx-ingress/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" }, "endpoints": { "type": "array",