Charts CI

```
Added:
  cerbos/cerbos:
    - 0.37.0

Updated:
  airlock/microgateway:
    - 4.3.0
  airlock/microgateway-cni:
    - 4.3.0
  jenkins/jenkins:
    - 5.4.2
```

charts/airlock/microgateway-cni/4.3.0/.helmignore

@@ -0,0 +1,27 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+
+# Helm unit tests
+/tests
+/validation

charts/airlock/microgateway-cni/4.3.0/Chart.yaml

@@ -0,0 +1,43 @@
+annotations:
+  artifacthub.io/category: security
+  artifacthub.io/license: MIT
+  artifacthub.io/links: |
+    - name: Airlock Microgateway Documentation
+      url: https://docs.airlock.com/microgateway/4.3/
+    - name: Airlock Microgateway Labs
+      url: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=artifacthub.io
+    - name: Airlock Microgateway Forum
+      url: https://forum.airlock.com/
+  catalog.cattle.io/certified: partner
+  catalog.cattle.io/display-name: Airlock Microgateway CNI
+  catalog.cattle.io/kube-version: '>=1.25.0-0'
+  catalog.cattle.io/release-name: microgateway-cni
+  charts.openshift.io/name: Airlock Microgateway CNI
+apiVersion: v2
+appVersion: 4.3.0
+description: A Helm chart for deploying the Airlock Microgateway CNI plugin
+home: https://www.airlock.com/en/microgateway
+icon: file://assets/icons/microgateway-cni.svg
+keywords:
+- WAF
+- Web Application Firewall
+- WAAP
+- Web Application and API protection
+- OWASP
+- Airlock
+- Microgateway
+- Security
+- Filtering
+- DevSecOps
+- shift left
+- CNI
+kubeVersion: '>=1.25.0-0'
+maintainers:
+- email: support@airlock.com
+  name: Airlock
+  url: https://www.airlock.com/
+name: microgateway-cni
+sources:
+- https://github.com/airlock/microgateway
+type: application
+version: 4.3.0

charts/airlock/microgateway-cni/4.3.0/README.md

@@ -0,0 +1,137 @@
+# Airlock Microgateway CNI
+
+![Version: 4.3.0](https://img.shields.io/badge/Version-4.3.0-informational?style=flat-square) ![AppVersion: 4.3.0](https://img.shields.io/badge/AppVersion-4.3.0-informational?style=flat-square)
+
+*Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.*
+
+<picture>
+  <source media="(prefers-color-scheme: dark)"
+          srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight_Negative.svg">
+  <source media="(prefers-color-scheme: light)"
+          srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight.svg">
+  <img alt="Microgateway" src="https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight.svg" align="right" width="250">
+</picture>
+
+Modern application security is embedded in the development workflow and follows DevSecOps paradigms. Airlock Microgateway is the perfect fit for these requirements. It is a lightweight alternative to the Airlock Gateway appliance, optimized for Kubernetes environments. Airlock Microgateway protects your applications and microservices with the tried-and-tested Airlock security features against attacks, while also providing a high degree of scalability.
+__This Helm chart is part of Airlock Microgateway. See our [GitHub repo](https://github.com/airlock/microgateway/tree/4.3.0).__
+
+### Features
+* Kubernetes native integration with its Operator, Custom Resource Definitions, hot-reload, automatic sidecar injection.
+* Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction
+* Using native Envoy HTTP filters like Lua scripting, RBAC, ext_authz, JWT authentication
+* Content security filters for protecting against known attacks (OWASP Top 10)
+* Access control to allow only authenticated users to access the protected services
+* API security features like JSON parsing or OpenAPI specification enforcement
+
+For a list of all features, view the **[comparison of the community and premium edition](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html)**.
+
+## Documentation and links
+
+Check the official documentation at **[docs.airlock.com](https://docs.airlock.com/microgateway/latest/)** or the product website at **[airlock.com/microgateway](https://www.airlock.com/en/microgateway)**. The links below point out the most interesting documentation sites when starting with Airlock Microgateway.
+
+* [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html)
+* [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html)
+* [Installation](https://docs.airlock.com/microgateway/latest/#data/1660804708637.html)
+* [Troubleshooting](https://docs.airlock.com/microgateway/latest/#data/1659430054787.html)
+* [GitHub](https://github.com/airlock/microgateway)
+
+# Quick start guide
+
+The instructions below provide a quick start guide. Detailed information are provided in the **[manual](https://docs.airlock.com/microgateway/latest/)**.
+
+## Prerequisites
+* [helm](https://helm.sh/docs/intro/install/) (>= v3.8.0)
+
+## Deploy Airlock Microgateway CNI
+1. Install the CNI Plugin with Helm.
+   > **Note**: Certain environments such as OpenShift or GKE require non-default configurations when installing the CNI plugin. For the most common setups, values files are provided in the [chart folder](/deploy/charts/airlock-microgateway-cni).
+   ```bash
+   # Standard setup
+   helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.3.0'
+   kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
+   ```
+   ```bash
+   # GKE setup
+   helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.3.0' -f https://raw.githubusercontent.com/airlock/microgateway/4.3.0/deploy/charts/airlock-microgateway-cni/gke-values.yaml
+   kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
+   ```
+   ```bash
+   # OpenShift setup
+   helm install airlock-microgateway-cni -n openshift-operators oci://quay.io/airlockcharts/microgateway-cni --version '4.3.0' -f https://raw.githubusercontent.com/airlock/microgateway/4.3.0/deploy/charts/airlock-microgateway-cni/openshift-values.yaml
+   kubectl -n openshift-operators rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
+   ```
+   **Important:** On OpenShift, all pods which should be protected by Airlock Microgateway must explicitly reference the Airlock Microgateway CNI NetworkAttachmentDefinition via the annotation `k8s.v1.cni.cncf.io/networks` (see [documentation](https://docs.airlock.com/microgateway/latest/#data/1658483168033.html) for details).
+
+2. (Recommended) You can verify the correctness of the installation with `helm test`.
+   ```bash
+   # Standard and GKE setup
+   helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.0'
+   helm test airlock-microgateway-cni -n kube-system --logs
+   helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.0'
+   ```
+   ```bash
+   # OpenShift setup
+   helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.0'
+   helm test airlock-microgateway-cni -n openshift-operators --logs
+   helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.0'
+   ```
+
+   Consult our [documentation](https://docs.airlock.com/microgateway/latest/#data/1699611533587.html) in case of any installation error.
+
+## Support
+
+### Premium support
+If you have a paid license, please follow the [premium support process](https://techzone.ergon.ch/support-process).
+
+### Community support
+For the community edition, check our **[Airlock community forum](https://forum.airlock.com/)** for FAQs or register to post your question.
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` | Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes. |
+| commonAnnotations | object | `{}` | Annotations to add to all resources. |
+| commonLabels | object | `{}` | Labels to add to all resources. |
+| config.cniBinDir | string | `"/opt/cni/bin"` | Directory where the CNI plugin binaries reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your Kubernetes node. |
+| config.cniNetDir | string | `"/etc/cni/net.d"` | Directory where the CNI config files reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your Kubernetes node. |
+| config.excludeNamespaces | list | `["kube-system"]` | Namespaces for which this CNI plugin should not apply any modifications. |
+| config.installMode | string | `"chained"` | Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers), as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. |
+| config.logLevel | string | `"info"` | Log level for the CNI installer and plugin. |
+| fullnameOverride | string | `""` | Allows overriding the name to use as full name of resources. |
+| image.digest | string | `"sha256:cb165e34a1ab1a903a9f38b741a7d78946470a118640310a41d2af8153d6e409"` | SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). Overrides tag when specified. |
+| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. |
+| image.repository | string | `"quay.io/airlock/microgateway-cni"` | Image repository from which to pull the Airlock Microgateway CNI image. |
+| image.tag | string | `"4.3.0"` | Image tag to pull. |
+| imagePullSecrets | list | `[]` | ImagePullSecrets to use when pulling images. |
+| multusNetworkAttachmentDefinition.create | bool | `false` | Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods. |
+| multusNetworkAttachmentDefinition.namespace | string | `"default"` | Namespace in which the NetworkAttachmentDefinition is deployed. Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation |
+| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway-cni". |
+| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes. |
+| podAnnotations | object | `{}` | Annotations to add to all Pods. |
+| podLabels | object | `{}` | Labels to add to all Pods. |
+| privileged | bool | `false` | Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift). |
+| rbac.create | bool | `true` | Whether to create RBAC resources which are required for the CNI plugin to function. |
+| rbac.createSCCRole | OpenShift | `false` | Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint. |
+| resources | object | `{"requests":{"cpu":"10m","memory":"100Mi"}}` | Resource restrictions to apply to the CNI installer container. |
+| serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. |
+| serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. |
+| serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. |
+| tests.enabled | bool | `false` | Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). If set to false, `helm test` will not run any tests. |
+
+## License
+View the [detailed license terms](https://www.airlock.com/en/airlock-license) for the software contained in this image.
+* Decompiling or reverse engineering is not permitted.
+* Using any of the deny rules or parts of these filter patterns outside of the image is not permitted.
+
+Airlock<sup>&#174;</sup> is a security innovation by [ergon](https://www.ergon.ch/en)
+
+<!-- Airlock SAH Logo (different image for light/dark mode) -->
+<a href="https://www.airlock.com/en/secure-access-hub/">
+<picture>
+    <source media="(prefers-color-scheme: dark)"
+        srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo_Negative.png">
+    <source media="(prefers-color-scheme: light)"
+        srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo.png">
+    <img alt="Airlock Secure Access Hub" src="https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo.png" width="150">
+</picture>
+</a>

charts/airlock/microgateway-cni/4.3.0/gke-values.yaml

@@ -0,0 +1,4 @@
+# values for deploying on GKE
+
+config:
+  cniBinDir: "/home/kubernetes/bin"

charts/airlock/microgateway-cni/4.3.0/openshift-values.yaml

@@ -0,0 +1,15 @@
+# values for deploying on OpenShift
+
+rbac:
+  createSCCRole: true
+
+privileged: true
+
+multusNetworkAttachmentDefinition:
+  create: true
+  namespace: default
+
+config:
+  installMode: "standalone"
+  cniNetDir: "/etc/cni/multus/net.d"
+  cniBinDir: "/var/lib/cni/bin"

charts/airlock/microgateway-cni/4.3.0/questions.yml

@@ -0,0 +1,18 @@
+questions:
+  - variable: config.cniNetDir
+    required: true
+    type: string
+    label: CNI Network Configuration Directory
+    group: "CNI Settings"
+    description: "Directory where the CNI config files reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your kubernetes host."
+  - variable: config.cniBinDir
+    required: true
+    type: string
+    label: CNI Plugin Binaries Directory
+    group: "CNI Settings"
+    description: "Directory where the CNI plugin binaries reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your kubernetes host."
+  - variable: config.installMode
+    required: true
+    label: CNI Plugin Installation Mode
+    group: "CNI Settings"
+    description: "Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers) as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. Please refer to the CNI installation documentation (https://github.com/airlock/microgateway?tab=readme-ov-file#deploy-airlock-microgateway-cni) to correctly setup the CNI Plugin for your environment."

charts/airlock/microgateway-cni/4.3.0/templates/NOTES.txt

@@ -0,0 +1,3 @@
+Thank you for installing Airlock Microgateway CNI.
+
+For further information, please visit our documentation at https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" .}}.

charts/airlock/microgateway-cni/4.3.0/templates/_helpers.tpl

@@ -0,0 +1,101 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "airlock-microgateway-cni.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Convert an image configuration object into an image ref string.
+*/}}
+{{- define "airlock-microgateway-cni.image" -}}
+    {{- if .digest -}}
+        {{- printf "%s@%s" .repository .digest -}}
+    {{- else if .tag -}}
+        {{- printf "%s:%s" .repository .tag -}}
+    {{- else -}}
+        {{- printf "%s" .repository -}}
+    {{- end -}}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 50 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec)
+and the longest suffix is 13 characters.
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "airlock-microgateway-cni.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 50 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 50 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 50 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "airlock-microgateway-cni.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "airlock-microgateway-cni.labels" -}}
+helm.sh/chart: {{ include "airlock-microgateway-cni.chart" . }}
+{{ include "airlock-microgateway-cni.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- with .Values.commonLabels }}
+{{ toYaml .}}
+{{- end }}
+{{- end }}
+
+{{/*
+Common labels without component
+*/}}
+{{- define "airlock-microgateway-cni.labelsWithoutComponent" -}}
+{{- $labels := fromYaml (include "airlock-microgateway-cni.labels" .) -}}
+{{ unset $labels "app.kubernetes.io/component" | toYaml }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "airlock-microgateway-cni.selectorLabels" -}}
+app.kubernetes.io/component: cni-plugin-installer
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/name: {{ include "airlock-microgateway-cni.name" . }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use for the CNI Plugin
+*/}}
+{{- define "airlock-microgateway-cni.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "airlock-microgateway-cni.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{- define "airlock-microgateway-cni.isSemver" -}}
+{{- regexMatch `^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$` . -}}
+{{- end -}}
+
+{{- define "airlock-microgateway-cni.docsVersion" -}}
+{{- if and (eq "true" (include "airlock-microgateway-cni.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}}
+    {{- $version := (semver .Chart.AppVersion) -}}
+    {{- $version.Major }}.{{ $version.Minor -}}
+{{- else -}}
+    {{- print "latest" -}}
+{{- end -}}
+{{- end -}}

charts/airlock/microgateway-cni/4.3.0/templates/clusterrole.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "airlock-microgateway-cni.fullname" . }}
+  labels:
+    {{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
+  {{- with .Values.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+      - patch
+{{- end -}}

charts/airlock/microgateway-cni/4.3.0/templates/clusterrolebinding.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "airlock-microgateway-cni.fullname" . }}
+  labels:
+    {{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
+  {{- with .Values.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "airlock-microgateway-cni.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end -}}