diff --git a/Makefile b/Makefile index 2b2b53d..c6e9749 100644 --- a/Makefile +++ b/Makefile @@ -10,10 +10,10 @@ CONTROLLER_IMAGE = $(IMAGE):$(TAG) ### For embedding into the chart ### -SIDECAR_IMAGE := wallarm/sidecar:4.6.3-2 -TARANTOOL_IMAGE := wallarm/ingress-tarantool:4.6.4-1 -RUBY_IMAGE := wallarm/ingress-ruby:4.6.4-1 -PYTHON_IMAGE := wallarm/ingress-python:4.6.4-1 +SIDECAR_IMAGE := wallarm/sidecar:4.8.0-1 +TARANTOOL_IMAGE := wallarm/ingress-tarantool:4.8.0-1 +RUBY_IMAGE := wallarm/ingress-ruby:4.8.0-1 +PYTHON_IMAGE := wallarm/ingress-python:4.8.0-1 ### Contribution routines ### diff --git a/files/template.yaml.tpl b/files/template.yaml.tpl index c969633..f8bd27c 100644 --- a/files/template.yaml.tpl +++ b/files/template.yaml.tpl @@ -57,6 +57,8 @@ volumes: value: "{{ getAnnotation .ObjectMeta (withAP `wallarm-parse-websocket`) .Config.wallarm.parseWebsocket }}" - name: WALLARM_UNPACK_RESPONSE value: "{{ getAnnotation .ObjectMeta (withAP `wallarm-unpack-response`) .Config.wallarm.unpackResponse }}" + - name: WALLARM_ACL_EXPORT_ENABLE + value: "{{ getAnnotation .ObjectMeta (withAP `wallarm-acl-export-enable`) .Config.wallarm.aclExportEnable }}" - name: WALLARM_TARANTOOL_HOST value: "{{ .Config.tarantool.host }}" - name: WALLARM_TARANTOOL_PORT @@ -270,6 +272,8 @@ volumes: value: "{{ .Config.wallarm.api.useSSL }}" - name: WALLARM_API_CA_VERIFY value: "{{ .Config.wallarm.api.caVerify }}" + - name: WALLARM_LABELS + value: "group={{ getAnnotation .ObjectMeta (withAP `wallarm-node-group`) .Config.wallarm.api.nodeGroup }}" {{- end }} {{- define "wallarmVersion" }} diff --git a/helm/Chart.yaml b/helm/Chart.yaml index 06f9c4d..31e6e45 100644 --- a/helm/Chart.yaml +++ b/helm/Chart.yaml 
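Review bot: In the second `files/template.yaml.tpl` hunk the added `WALLARM_LABELS` value takes the node group straight from the `wallarm-node-group` pod annotation, so whoever may set annotations on a workload chooses the group its node registers under. The text also goes unchecked into a quoted YAML scalar and a `group=` label string, and an empty result would render as `group=`. Unless `getAnnotation` already restricts the value (not visible here), I would validate it against a narrow character set and reject an empty group before rendering. At minimum, record the trust assumption next to the line: `{{- /* wallarm-node-group is set per pod via annotation; the value is not validated here */ -}}`. The enclosing `define` block starts outside the hunk.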
@@ -1,7 +1,7 @@ apiVersion: v2 name: wallarm-sidecar -version: 4.6.5 -appVersion: 4.6.3 +version: 4.8.0 +appVersion: 4.8.0-1 description: Sidecar controller for Kubernetes. Injects sidecar proxy based on NGINX with Wallarm module and helper services. home: https://github.com/wallarm/sidecar icon: https://static.wallarm.com/wallarm-logo.svg @@ -21,12 +21,12 @@ kubeVersion: ">=1.19.16-0" annotations: artifacthub.io/images: | - name: sidecar - image: wallarm/sidecar:4.6.3-2 + image: wallarm/sidecar:4.8.0-1 - name: sidecar-controller image: wallarm/sidecar-controller:1.3.2 - name: ingress-ruby - image: wallarm/ingress-ruby:4.6.4-1 + image: wallarm/ingress-ruby:4.8.0-1 - name: ingress-python - image: wallarm/ingress-python:4.6.4-1 + image: wallarm/ingress-python:4.8.0-1 - name: ingress-tarantool - image: wallarm/ingress-tarantool:4.6.4-1 + image: wallarm/ingress-tarantool:4.8.0-1 diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl index 8080c2f..5a6e1d4 100644 --- a/helm/templates/_helpers.tpl +++ b/helm/templates/_helpers.tpl @@ -126,6 +126,11 @@ Gives name of image to use secretKeyRef: key: WALLARM_API_CA_VERIFY name: {{ template "wallarm-sidecar.fullname" . }}-credentials +- name: WALLARM_LABELS + valueFrom: + secretKeyRef: + key: WALLARM_LABELS + name: {{ template "wallarm-sidecar.fullname" . }}-credentials - name: WALLARM_API_TOKEN valueFrom: secretKeyRef: diff --git a/helm/templates/postanalytics-configmap.yaml b/helm/templates/postanalytics-configmap.yaml index d7a154c..f62be7d 100644 --- a/helm/templates/postanalytics-configmap.yaml +++ b/helm/templates/postanalytics-configmap.yaml @@ -16,7 +16,7 @@ metadata: {{- end }} data: crontab: |- - ### Postanalytics service crontab + ### Post-analytics service crontab ### {{- range $k, $v := .Values.postanalytics.cron.config }} {{- $timeout := " " }} diff --git a/helm/templates/postanalytics-deployment.yaml b/helm/templates/postanalytics-deployment.yaml index 7d54f9c..33ea2f2 100644 
--- a/helm/templates/postanalytics-deployment.yaml +++ b/helm/templates/postanalytics-deployment.yaml @@ -70,10 +70,8 @@ spec: - sh - -c - > - /opt/wallarm/ruby/usr/share/wallarm-common/synccloud --one-time && - /opt/wallarm/ruby/usr/share/wallarm-common/sync-ip-lists --one-time -l STDOUT && - /opt/wallarm/ruby/usr/share/wallarm-common/sync-ip-lists-source --one-time -l STDOUT {{- if eq .Values.config.wallarm.fallback "on" }} || true {{- end }}; - timeout 10m /opt/wallarm/ruby/usr/share/wallarm-common/export-environment -l STDOUT || true + /opt/wallarm/ruby/usr/share/wallarm-common/register-node --force --batch --no-export-env {{- if eq .Values.config.wallarm.fallback "on" }} || true {{- end }}; + /opt/wallarm/ruby/usr/share/wallarm-common/export-environment -l STDOUT || true env: {{- include "wallarm-sidecar.credentials" . | nindent 10 }} {{- include "wallarm-sidecar.version" . | nindent 10 }} diff --git a/helm/templates/shared-secret.yaml b/helm/templates/shared-secret.yaml index e9b0d42..1ef5bb6 100644 --- a/helm/templates/shared-secret.yaml +++ b/helm/templates/shared-secret.yaml @@ -13,3 +13,4 @@ data: WALLARM_API_PORT: {{ .Values.config.wallarm.api.port | toString | b64enc | quote }} WALLARM_API_USE_SSL: {{ .Values.config.wallarm.api.useSSL | toString | b64enc | quote }} WALLARM_API_CA_VERIFY: {{ .Values.config.wallarm.api.caVerify | toString | b64enc | quote }} + WALLARM_LABELS: {{ printf "group=%s" .Values.config.wallarm.api.nodeGroup | b64enc | quote }} diff --git a/helm/values.yaml b/helm/values.yaml index 96d6bab..dae5066 100644 --- a/helm/values.yaml +++ b/helm/values.yaml 
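Review bot: The new command in `postanalytics-deployment.yaml` drops the `timeout 10m` that used to wrap `export-environment`, so if that script blocks on the API the container waits indefinitely instead of giving up after ten minutes (unless the script enforces its own limit, which this hunk does not show). I would keep the guard: `timeout 10m /opt/wallarm/ruby/usr/share/wallarm-common/export-environment -l STDOUT || true`. Separately, with `config.wallarm.fallback` set to `on` a failed `register-node` is masked by `|| true`, as the old sync chain was; a one-line comment saying this fail-open start is intentional would help operators reading the pod spec. The container spec starts and continues outside the hunk.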
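Review bot: `printf "group=%s"` on the added `WALLARM_LABELS` line in `shared-secret.yaml` accepts an empty or null `nodeGroup` and would then store `group=` (or Go's nil placeholder text) in the Secret, although the new `values.yaml` comment calls the group required when an API token registers the node. Failing the render is safer: `WALLARM_LABELS: {{ printf "group=%s" (required "config.wallarm.api.nodeGroup must be set" .Values.config.wallarm.api.nodeGroup) | b64enc | quote }}`. The `_helpers.tpl` hunk reads this key through `secretKeyRef` without `optional`, so the key has to exist in the `-credentials` Secret wherever that helper is included; whether that holds when `existingSecret` is used is not visible in this diff.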
@@ -26,6 +26,10 @@ config: ### Verify CA during connecting to Wallarm API service: `true` or `false` ### caVerify: true + ## The name of Node group, required if API token is used to register the Node + ## https://docs.wallarm.com/user-guides/nodes/nodes/#api-and-node-tokens-for-node-creation + ## + nodeGroup: "defaultSidecarGroup" ### Existing secret feature allows to pull Wallarm API token from existing Kubernetes secret ### existingSecret: @@ -60,6 +64,10 @@ config: ### https://docs.wallarm.com/admin-en/configure-parameters-en/#wallarm_parse_response ### parseResponse: "on" + ### Whether to export statistics on blocked request: `on` or `off` + ### https://docs.wallarm.com/admin-en/configure-parameters-en/#wallarm_acl_export_enable + ### + aclExportEnable: "on" ### Whether to analyze WebSocket's messages for attacks: `on` or `off` ### https://docs.wallarm.com/admin-en/configure-parameters-en/#wallarm_parse_websocket ### @@ -191,7 +199,7 @@ config: image: registry: docker.io image: wallarm/sidecar - tag: "4.6.3-2" + tag: "4.8.0-1" pullPolicy: IfNotPresent ### Shared security context for all (init and regular) containers in sidecar schema except `iptables` container. ### For `iptables` container it is described in `sidecar.initContainers.iptables.securityContext` value @@ -467,7 +475,7 @@ postanalytics: image: registry: docker.io image: wallarm/ingress-ruby - tag: "4.6.4-1" + tag: "4.8.0-1" pullPolicy: IfNotPresent ### Additional environment variables to pass to the container ### 
@@ -542,11 +550,15 @@ postanalytics: "sync-node": schedule: "*/2 * * * *" command: "/opt/wallarm/ruby/usr/share/wallarm-common/syncnode -f -p -r 120 -l STDOUT -L DEBUG" + "export-blocked-stats": + schedule: "* * * * *" + command: "/opt/wallarm/ruby/usr/share/wallarm-common/export-blocked-stats -l STDOUT -L DEBUG" + timeout: 24h image: registry: docker.io image: wallarm/ingress-ruby - tag: "4.6.4-1" + tag: "4.8.0-1" pullPolicy: IfNotPresent ### Additional environment variables to pass to the container ### @@ -599,7 +611,7 @@ postanalytics: image: registry: docker.io image: wallarm/ingress-tarantool - tag: "4.6.4-1" + tag: "4.8.0-1" pullPolicy: IfNotPresent ### Additional environment variables to pass to the container ### @@ -655,7 +667,7 @@ postanalytics: image: registry: docker.io image: wallarm/ingress-python - tag: "4.6.4-1" + tag: "4.8.0-1" pullPolicy: IfNotPresent ### Additional environment variables to pass to the container ### @@ -703,7 +715,7 @@ postanalytics: image: registry: docker.io image: wallarm/ingress-python - tag: "4.6.4-1" + tag: "4.8.0-1" pullPolicy: IfNotPresent ### Additional environment variables to pass to the container ###
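Review bot: The added `export-blocked-stats` job runs on `* * * * *` but is given `timeout: 24h`, so a hung run can stay alive for a day while new runs either stack up or get skipped, depending on how the cron runner handles overlap (not visible here). A limit close to the schedule interval would bound that, for example `timeout: 5m` as a constructed value to tune. The job also logs at `-L DEBUG` to STDOUT by default, matching `sync-node`; it is worth confirming that debug output carries no request data before it reaches cluster logs.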