Chart Values
Global Settings
The global settings are used to set certain configuration settings globally.
For example:
```yaml
global:
  # Override image-related settings for this chart
  image:
    # Override registry for all images
    registry: "myregistry.local:8085"
    # Override repository for all images
    repository: "myrepository"
  service:
    annotations:
      foo: "bar"
      bar: "foo"
  imagePullSecretsList:
    - secret1
    - secret2
```
Name | Type | Default | Description |
---|---|---|---|
global.image.registry | string | | Override registry for all images |
global.image.repository | string | | Override repository for all images |
global.service.annotations | map | {} | Configure annotations to be used for all services. For example: `foo: "bar"` |
global.logging.verbose | string | false | Enable or disable verbose logging for pods |
global.imagePullSecretsList | array | [] | Use imagePullSecretsList to provide your own image pull secrets without specifying them in override files |
Registry Secrets
Note that for operational reasons, when overriding the default values, `registrySecrets` are often placed in a separate YAML file from the rest of the overrides. This keeps the configuration of the chart separate from the registry and the authentication tokens used; for example, different deployments of the same configuration may pull from different local artifact repositories or use different credentials.
Name | Type | Default | Description |
---|---|---|---|
registrySecrets.registry | string | | The registry to pull images from |
registrySecrets.email | string | | An email to provide to the registry |
registrySecrets.username | string | | A username to use to authenticate to the registry |
registrySecrets.password | string | | A password to use to authenticate to the registry |
Images Settings
The settings for pulling images can be overridden; however, it is strongly recommended not to do this unless Open-Xchange Support or Professional Services have advised it, as the Helm charts are tested against specific versions of the images, and changing them may cause unforeseen errors or issues.
For example, to change the pullPolicy for all images:
```yaml
images:
  wforce:
    pullPolicy: Always
  agent:
    pullPolicy: Always
  init:
    pullPolicy: Always
  replfwd:
    pullPolicy: Always
```
Name | Type | Default | Description |
---|---|---|---|
images.wforce.registry | string | registry.open-xchange.com | The registry to pull the wforce image from |
images.wforce.repository | string | abuseshield | The repository to pull the wforce image from |
images.wforce.name | string | wforce | The name of the wforce image |
images.wforce.tag | string | v2.10.0 | The tag of the wforce image |
images.wforce.pullPolicy | string | IfNotPresent | The wforce image pullPolicy |
images.agent.registry | string | registry.open-xchange.com | The registry to pull the wforce-agent image from |
images.agent.repository | string | abuseshield | The repository to pull the wforce-agent image from |
images.agent.name | string | wforce-agent | The name of the wforce-agent image |
images.agent.tag | string | | The tag of the wforce-agent image |
images.agent.pullPolicy | string | IfNotPresent | The wforce-agent image pullPolicy |
images.init.registry | string | registry.open-xchange.com | The registry to pull the init image from |
images.init.repository | string | cc-utils | The repository to pull the init image from |
images.init.name | string | gomplate | The name of the wforce init image |
images.init.tag | string | v3.11.4 | The tag of the wforce init image |
images.init.pullPolicy | string | IfNotPresent | The init image pullPolicy |
images.replfwd.registry | string | registry.open-xchange.com | The registry to pull the replfwd image from |
images.replfwd.repository | string | abuseshield | The repository to pull the replfwd image from |
images.replfwd.name | string | replfwd | The name of the replfwd image |
images.replfwd.tag | string | v2.10.0 | The tag of the replfwd image |
images.replfwd.pullPolicy | string | IfNotPresent | The replfwd image pullPolicy |
Service Account Settings
The service account used by OX Abuse Shield can be configured using the following keys:
Name | Type | Default | Description |
---|---|---|---|
serviceAccount.annotations | map | {} | Annotations to add to the service account. For example: `foo: "bar"`, `bar: "foo"` |
serviceAccount.name | string | | The name of the service account |
Ingress Settings
An ingress can be configured to access the wforce pods using the REST API; this is configured using the `ingress` map.
An example ingress configuration might be:
```yaml
ingress:
  enabled: true
  className: "nginx-example"
  hosts:
    - host: chart-example.local
      paths:
        - path: /
          pathType: ImplementationSpecific
```
Name | Type | Default | Description |
---|---|---|---|
ingress.enabled | boolean | false | Enable or disable the ingress |
ingress.className | string | | Use this to choose the ingress controller |
ingress.annotations | map | {} | Annotations to add to the ingress. For example: `foo: "bar"`, `bar: "foo"` |
ingress.hosts | array | | Configuration for hosts |
ingress.hosts[].host | string | | Hostname to match the HTTP Host header |
ingress.hosts[].paths | array | | Path configuration |
ingress.hosts[].paths[].path | string | | The path to match |
ingress.hosts[].paths[].pathType | string | | The path type, e.g. Prefix, Exact etc. |
ingress.tls | array | | TLS configuration |
ingress.tls[].secretName | string | | The name of a secret resource containing the certificate and key |
ingress.tls[].hosts | array | | The hostnames covered by the certificate in secretName (see ingress.tls[].hosts[]) |
ingress.tls[].hosts[] | string | | Hostname, which must match one of the hostnames specified in ingress.hosts |
Resources Settings
By default there are no limits on pod resources, which means that pods can run on very resource-constrained hardware, however it also means that pods can use potentially large amounts of CPU and RAM. Note that this is somewhat limited by the default settings for threads and DB size etc. The resource settings allow the resources used by all the different containers used in the deployment to be constrained using the normal Kubernetes resources limits/requests mechanism.
An example setting resource limits for the wforce pod is as follows:
```yaml
resources:
  wforce:
    limits:
      cpu: 100m
      memory: 128Mi
```
Wforce Settings
The configuration settings for wforce are configured under the `wforce` key, including almost all the settings that would previously have been set from Lua. Exceptions to this include any configuration which is related to policy, such as the configuration of stats DBs; such configuration is loaded using the `wforce.luaConfig` key, using the `--set-file` helm flag.
The following example configures a webserver password and enables the syncDB functionality, as well as setting the replica count to 3. It creates a webhook which runs on report events. It also allows Prometheus metrics to be retrieved without a password:
```yaml
wforce:
  replicaCount: 3
  configSecrets:
    webserver:
      password: "secret"
  config:
    syncDB:
      enabled: true
      minUptimeSecs: 600
    webhooks:
      - events:
          - report
        config:
          url: http://test.service.local/webhook
          basic-auth: "username:password"
    metricsNoPassword: true
```
Name | Type | Default | Description |
---|---|---|---|
wforce.podAnnotations | map | {} | Add annotations for the pod |
wforce.defaultPodSecurityContext | map | | Used for keys relating to the securityContext of the pod. |
wforce.defaultPodSecurityContext.runAsNotRoot | boolean | true | Restricts containers in the pod from running as root. There should be very little reason to change this, as wforce does not need to run as root. |
wforce.defaultPodSecurityContext.runAsUser | integer | 1000 | Run all containers as this user |
wforce.podSecurityContext | map | Empty | If this field exists, it overrides the default pod security context entirely |
wforce.defaultContainerSecurityContext | map | | Used for keys relating to the default securityContext of containers in the pod |
wforce.defaultContainerSecurityContext.capabilities.drop[] | array | ALL | Drops all capabilities |
wforce.defaultContainerSecurityContext.readOnlyRootFilesystem | boolean | true | Makes the root filesystem read-only, for security |
wforce.defaultContainerSecurityContext.allowPrivilegeEscalation | boolean | false | Disallow privilege escalation |
wforce.initContainer | map | {} | Used to store overrides for the init container |
wforce.initContainer.containerSecurityContext | map | Empty | If this field exists, it will override the default container security context entirely |
wforce.agentContainer.containerSecurityContext | map | Empty | If this field exists, it will override the default container security context entirely |
wforce.wforceContainer.containerSecurityContext | map | Empty | If this field exists, it will override the default container security context entirely |
wforce.livenessProbe.initialDelaySeconds | integer | 30 | The time to wait before making the first liveness probe |
wforce.service.type | string | ClusterIP | The type of the service that is used to access the wforce pods |
wforce.service.port | integer | 80 | Port number of the wforce service |
wforce.service.annotations | map | {} | Add annotations for the wforce service |
wforce.service.labels | map | {} | Add labels for the wforce service |
wforce.autoscaling.enabled | boolean | false | Enables horizontal pod autoscaling |
wforce.autoscaling.minReplicas | integer | 2 | Minimum number of replicas |
wforce.autoscaling.maxReplicas | integer | 100 | Maximum number of replicas |
wforce.autoscaling.targetCPUUtilizationPercentage | integer | 65 | The target CPU utilization before a replica is considered too busy |
wforce.autoscaling.targetMemoryUtilizationPercentage | integer | - | The target memory utilization before a replica is considered too busy |
wforce.nodeSelector | map | {} | Add nodeSelectors for the pods |
wforce.tolerations | array | [] | Add tolerations for the pods |
wforce.affinity | map | {} | Specify node or pod affinity rules |
wforce.replicaCount | integer | 1 | The number of replicas |
wforce.configSecrets.webserver.passwordSecret | string | - | The name of a Kubernetes Secret containing the webserver password. Overrides the password field if both are specified. The secret must have a webserver-password data item |
wforce.configSecrets.webserver.password | string | - | The webserver password. If left blank a password will be automatically generated |
wforce.configSecrets.webserver.tlsSecret | string | - | The name of a Kubernetes Secret containing the cert and key. Overrides the cert and key fields if both are specified. The secret must have tls.cert and tls.key data items |
wforce.configSecrets.webserver.cert | string | - | The certificate for the webserver to use to provide TLS service (in base64 without the BEGIN and END lines). Typically TLS would be provided through an ingress so use of this key is not recommended. |
wforce.configSecrets.webserver.key | string | - | The private key for the webserver to use to provide TLS service (in base64 without the BEGIN and END lines). Typically TLS would be provided through an ingress so use of this key is not recommended. |
wforce.config.syncDB.enabled | boolean | false | Enable syncDB replicas and functionality |
wforce.config.syncDB.minUptimeSecs | integer | 600 | Minimum seconds that a syncDB replica must have been up before it will be used |
wforce.config.webserver.port | integer | 80 | The port number that wforce will listen on |
wforce.config.webserver.ACL | array | [] | A list of v4 and v6 ranges that are allowed to access the webserver. By default all RFC 1918 addresses are allowed. |
wforce.config.webserver.TLSEnabled | boolean | false | Enable TLS. This is not recommended in kubernetes - use an ingress instead. |
wforce.config.webserver.TLSOptions | string | "" | A list of TLS options separated by commas |
wforce.config.webhooks | array | | Configuration for webhooks |
wforce.config.webhooks[].events | array | | A list of events for which the webhook will be sent |
wforce.config.webhooks[].config | map | | Configuration for the webhook |
wforce.config.webhooks[].config.url | string | | The URL to send the webhook to |
wforce.config.webhooks[].config.secret | string | | The seed to generate the X-Wforce-Signature header |
wforce.config.webhooks[].config.basic-auth | string | | The string to use in the Authorization header (pre-Base64 encoding) |
wforce.config.webhooks[].config.api-key | string | | The string to use in the X-API-Key header |
wforce.config.webhooks[].config.kafka | boolean | | When this is set to "true" the webhook will be sent with a Content-Type of application/vnd.kafka.json.v2+json and the JSON will be wrapped according to the Kafka REST Proxy requirements (https://docs.confluent.io/current/kafka-rest/api.html). The webhook url config key should be set to the correct topic, e.g. http://kafka-rest:8082/topics/foo for the topic named foo. |
wforce.config.webhooks[].config.allow_filter | string | | Set a filter on the allow response status. Only applies to events of type allow |
wforce.config.customWebhooks | array | | Configuration for custom webhooks |
wforce.config.customWebhooks[].name | string | | The name of a custom webhook |
wforce.config.customWebhooks[].config | map | | Configuration for the custom webhook. All keys are the same as for webhooks, except the allow_filter key, which is not relevant |
wforce.config.customStats | array | | An array of custom statistic names (strings) |
wforce.config.replication.port | integer | 4001 | The port used for replication |
wforce.config.replication.protocol | string | udp | The protocol used for replication. Can be udp or tcp |
wforce.config.replication.connectTimeout | integer | 5000 | The connect timeout in milliseconds |
wforce.config.replication.queueSize | integer | 5000 | The size of the send and receive queues for replication messages. Increase if you see messages in the logs about replication messages being dropped |
wforce.config.replication.numThreads | integer | 2 | Number of replication threads |
wforce.config.numWebhookThreads | integer | 2 | Number of threads used for webhooks |
wforce.config.maxWebhookConnsPerThread | integer | 10 | The max number of connections each webhook thread will open |
wforce.config.webhookQueueSize | integer | 50000 | The size of the queue used to process webhook events |
wforce.config.webhookTimeoutSecs | integer | 2 | The number of seconds that webhooks will wait for a response from an HTTP server |
wforce.config.webhookDisablePeerVerify | boolean | false | Disable checking whether the server certificate is authentic. Note this is used for webhooks and also for internal communication such as syncDB signalling |
wforce.config.webhookDisableHostVerify | boolean | false | Disable verification that the server cert is for the server the webhook is trying to connect to in the URL. |
wforce.config.webhookCAs | string | | Use this to add any custom CAs that you want the webhooks to be able to communicate with. Note that since webhooks are used for internal communication, you may want to add the CA signing the certificate used for the webserver if you have enabled TLS. |
wforce.config.persistBLRedis.enabled | boolean | false | Enable persistent redis blocklists |
wforce.config.persistBLRedis.host | string | | Hostname or IP address of a redis server or service |
wforce.config.persistBLRedis.port | integer | 6379 | Port of the redis service |
wforce.config.persistBLRedis.username | string | | Optional username to use to authenticate to redis |
wforce.config.persistBLRedis.password | string | | Optional password to use to authenticate to redis |
wforce.config.persistBLRedis.connectTimeoutSecs | integer | 2 | Number of seconds before timing out on connection to the redis server |
wforce.config.persistBLRedis.readWriteTimeout.secs | integer | 0 | Number of seconds to timeout when reading/writing from/to redis |
wforce.config.persistBLRedis.readWriteTimeout.usecs | integer | 50000 | Number of microseconds to timeout when reading/writing from/to redis |
wforce.config.blocklist.IPRetMsg | string | | The message to return when a client is blocked due to their source IP |
wforce.config.blocklist.LoginMsg | string | | The message to return when a client is blocked due to their login |
wforce.config.blocklist.IPLoginMsg | string | | The message to return when a client is blocked due to their login and source IP |
wforce.config.persistALRedis.enabled | boolean | false | Enable persistent redis allowlists |
wforce.config.persistALRedis.host | string | | Hostname or IP address of a redis server or service |
wforce.config.persistALRedis.port | integer | 6379 | Port of the redis service |
wforce.config.persistALRedis.username | string | | Optional username to use to authenticate to redis |
wforce.config.persistALRedis.password | string | | Optional password to use to authenticate to redis |
wforce.config.persistALRedis.connectTimeoutSecs | integer | 2 | Number of seconds before timing out on connection to the redis server |
wforce.config.persistALRedis.readWriteTimeout.secs | integer | 0 | Number of seconds to timeout when reading/writing from/to redis |
wforce.config.persistALRedis.readWriteTimeout.usecs | integer | 50000 | Number of microseconds to timeout when reading/writing from/to redis |
wforce.config.numLuaStates | integer | 10 | Number of Lua states |
wforce.config.numWorkerThreads | integer | 4 | Number of worker threads |
wforce.config.metricsNoPassword | boolean | false | If true, enables metrics to be accessed without a password |
wforce.luaConfig | string | - | Used to provide the Lua policy, using the helm --set-file flag, as in --set-file "wforce.luaConfig=wforce.conf" |
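The webhook rows above describe what wforce attaches to each delivery: an X-Wforce-Signature seeded from `secret`, an Authorization header built from the pre-Base64 `basic-auth` string, and the Kafka REST Proxy envelope when `kafka` is true. The following added example (not wforce code) shows how a receiving service would validate a delivery; it assumes the signature is a base64-encoded HMAC-SHA256 of the raw request body, which you should confirm against the webhook documentation of your wforce version, and its event body, secret and credentials are constructed.

```python
"""Receiver-side validation of a wforce webhook (added example, not wforce
code). Assumption: X-Wforce-Signature is base64(HMAC-SHA256(secret, body));
the event body, secret and credentials below are constructed."""
import base64
import hashlib
import hmac
import json

SECRET = "constructed-webhook-seed"   # wforce.config.webhooks[].config.secret
BASIC_AUTH = "username:password"      # config.basic-auth, pre-Base64 as on this page


def sign_body(secret: str, body: bytes) -> str:
    """Value the sender is assumed to place in X-Wforce-Signature."""
    mac = hmac.new(secret.encode(), body, hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def basic_auth_header(basic_auth: str) -> str:
    """Authorization header derived from the pre-Base64 'user:pass' string."""
    return "Basic " + base64.b64encode(basic_auth.encode()).decode()


def verify_webhook(headers: dict, body: bytes, secret: str, basic_auth: str) -> bool:
    """Accept only when both the Basic credentials and the HMAC match.

    Both comparisons are constant-time and both are always evaluated, so the
    receiver does not leak which check failed or where the mismatch was."""
    hdr = {k.lower(): v for k, v in headers.items()}
    auth_ok = hmac.compare_digest(hdr.get("authorization", "").encode(),
                                  basic_auth_header(basic_auth).encode())
    sig_ok = hmac.compare_digest(hdr.get("x-wforce-signature", "").encode(),
                                 sign_body(secret, body).encode())
    return auth_ok and sig_ok


def unwrap_kafka(body: bytes) -> list:
    """Unwrap the Kafka REST Proxy envelope used when config.kafka is true:
    {"records": [{"value": <event>}, ...]} -> [<event>, ...]."""
    return [rec["value"] for rec in json.loads(body)["records"]]


def build_report_event() -> bytes:
    """A constructed 'report' event, wrapped as the Kafka REST Proxy expects."""
    event = {"login": "alice", "remote": "198.51.100.7", "success": False}
    return json.dumps({"records": [{"value": event}]}).encode()
```

Verify against the raw bytes as received, before any JSON decoding or re-serialisation, since the HMAC covers the body exactly as sent.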
SyncDB Settings
The settings for the SyncDB pods are mainly limited to configuring how the pods will run in Kubernetes; since the SyncDB pods are special instances of wforce, any configuration is inherited from the wforce configuration. For example, if `wforce.config.metricsNoPassword` is set to `true` then no password will be required for the syncDB pods' metrics either.
The following example shows a syncDB service configured with a customized service that is exposed via a NodePort on a specified port, with custom labels and annotations. The `livenessProbe.initialDelaySeconds` value has been extended to give the pods more time to start up, and the `nodeSelector` is used to restrict the pods to nodes which have the `worker: "true"` label. Finally the number of replicas is increased to 3 from the default of 1:
```yaml
syncDB:
  service:
    type: NodePort
    nodePort: 30008
    port: 8081
    annotations:
      foo: bar
      bar: foo
  labels:
    environment: production
  livenessProbe:
    initialDelaySeconds: 30
  nodeSelector:
    # label values are strings; an unquoted true would be rendered as a boolean
    worker: "true"
  replicaCount: 3
```
The following table shows the possible and default settings for syncDB:
Name | Type | Default | Description |
---|---|---|---|
syncDB.service.type | string | ClusterIP | The type of service that is exposed to access the syncDB http server. Note this is mainly for prometheus metrics, since the syncDB pods should not be used for other purposes. |
syncDB.service.port | integer | 80 | The port number of the SyncDB service |
syncDB.service.nodePort | integer | | If the type of the service is NodePort then you can optionally set this key. Otherwise kubernetes will choose a nodePort from the assigned range for you. |
syncDB.service.annotations | map | {} | Service annotations |
syncDB.service.labels | map | {} | Service labels |
syncDB.podAnnotations | map | {} | Pod annotations |
syncDB.defaultPodSecurityContext | map | | Used for keys relating to the securityContext of the pod. |
syncDB.defaultPodSecurityContext.runAsNotRoot | boolean | true | Restricts containers in the pod from running as root. There should be very little reason to change this, as wforce does not need to run as root. |
syncDB.defaultPodSecurityContext.runAsUser | integer | 1000 | Run all containers as this user |
syncDB.podSecurityContext | map | Empty | If this field exists, it overrides the default pod security context entirely |
syncDB.defaultContainerSecurityContext | map | | Used for keys relating to the default securityContext of containers in the pod |
syncDB.defaultContainerSecurityContext.capabilities.drop[] | array | ALL | Drops all capabilities |
syncDB.defaultContainerSecurityContext.readOnlyRootFilesystem | boolean | true | Makes the root filesystem read-only, for security |
syncDB.defaultContainerSecurityContext.allowPrivilegeEscalation | boolean | false | Disallow privilege escalation |
syncDB.initContainer | map | {} | Used to store overrides for the init container |
syncDB.initContainer.containerSecurityContext | map | Empty | If this field exists, it will override the default container security context entirely |
syncDB.agentContainer.containerSecurityContext | map | Empty | If this field exists, it will override the default container security context entirely |
syncDB.wforceContainer.containerSecurityContext | map | Empty | If this field exists, it will override the default container security context entirely |
syncDB.livenessProbe.initialDelaySeconds | integer | 10 | The time to wait before making the first liveness probe |
syncDB.nodeSelector | map | {} | Add nodeSelectors for the pods |
syncDB.tolerations | array | [] | Add tolerations for the pods |
syncDB.affinity | map | {} | Specify node or pod affinity rules |
syncDB.replicaCount | integer | 1 | The number of replicas |
Replfwd Settings
The replfwd deployment is fairly simple, and the settings are correspondingly simple. For the required communication/replication to/from the wforce cluster, the replfwd deployment reads the settings from the wforce deployment and so automatically configures itself. Configuration is mainly about the forwarding destinations and sources, as well as the service and pod settings that are identical to those for the wforce and SyncDB deployments.
A replfwd service that is configured to forward to and receive from two other clusters is shown in the following example:
```yaml
replfwd:
  config:
    enabled: true
    numThreads: 2
    forwarderDests:
      - dst: 128.243.21.1:4001
        key: Sk9mMFo0QzNvTXZQMVBMdGNiVHdyTmdnQ1I4Y00ydHg=
        statsdb: true
        blal: true
      # a bracketed IPv6 destination must be quoted, or YAML reads it as a flow sequence
      - dst: "[2a00:23c7:1a00:d101:ad13:654c:4f17:5620]:4001"
        key: dFFRTzBMTkNzZFJtOXdOcE1tcFp5MGFuckRQZ1N5c0U=
        statsdb: true
        blal: true
    forwarderSrcs:
      - src: 128.243.21.1
      - src: 2a00:23c7:1a00:d101:ad13:654c:4f17:5620
```
Note that there is no way to configure more than one replica for the replfwd service, because this would cause duplicate replication messages to be sent.
A reminder that the way to get the replication key from a wforce service is to use the following command (where
```bash
kubectl get secret wforce-replication-key -n <namespace> -o jsonpath="{.data.replication-key}"
```
The table below shows the possible and default settings for the replfwd service:
Name | Type | Default | Description |
---|---|---|---|
replfwd.service.type | string | ClusterIP | The type of service that is exposed to access the replfwd http server. Note this is mainly for prometheus metrics, since the syncDB pods should not be used for other purposes. |
replfwd.service.http.port | integer | 80 | The port number of the replfwd http service |
replfwd.service.http.nodePort | integer | | If the type of the service is NodePort then you can optionally set this key. Otherwise kubernetes will choose a nodePort from the assigned range for you. |
replfwd.service.replication.port | integer | 4001 | The port number of the replfwd replication service |
replfwd.service.replication.nodePort | integer | | If the type of the service is NodePort then you can optionally set this key. Otherwise kubernetes will choose a nodePort from the assigned range for you. |
replfwd.service.annotations | map | {} | Service annotations |
replfwd.service.labels | map | {} | Service labels |
replfwd.podAnnotations | map | {} | Pod annotations |
replfwd.defaultPodSecurityContext | map | | Used for keys relating to the securityContext of the pod. |
replfwd.defaultPodSecurityContext.runAsNotRoot | boolean | true | Restricts containers in the pod from running as root. There should be very little reason to change this, as wforce does not need to run as root. |
replfwd.defaultPodSecurityContext.runAsUser | integer | 1000 | Run all containers as this user |
replfwd.podSecurityContext | map | Empty | If this field exists, it overrides the default pod security context entirely |
replfwd.defaultContainerSecurityContext | map | | Used for keys relating to the default securityContext of containers in the pod |
replfwd.defaultContainerSecurityContext.capabilities.drop[] | array | ALL | Drops all capabilities |
replfwd.defaultContainerSecurityContext.readOnlyRootFilesystem | boolean | true | Makes the root filesystem read-only, for security |
replfwd.defaultContainerSecurityContext.allowPrivilegeEscalation | boolean | false | Disallow privilege escalation |
replfwd.initContainer | map | {} | Used to store overrides for the init container |
replfwd.initContainer.containerSecurityContext | map | Empty | If this field exists, it will override the default container security context entirely |
replfwd.agentContainer.containerSecurityContext | map | Empty | If this field exists, it will override the default container security context entirely |
replfwd.replfwdContainer.containerSecurityContext | map | Empty | If this field exists, it will override the default container security context entirely |
replfwd.livenessProbe.initialDelaySeconds | integer | 10 | The time to wait before making the first liveness probe |
replfwd.nodeSelector | map | {} | Add nodeSelectors for the pods |
replfwd.tolerations | array | [] | Add tolerations for the pods |
replfwd.affinity | map | {} | Specify node or pod affinity rules |
replfwd.replicaCount | integer | 1 | The number of replicas |
replfwd.config.enabled | boolean | false | Enable the replfwd service |
replfwd.config.numThreads | integer | 2 | The number of worker threads used by the replfwd pod |
replfwd.config.forwarderDsts | array | [] | An array of forwarder destinations |
replfwd.config.forwarderDsts[].dst | string | | The destination address and port, e.g. 128.243.21.1:4001; use [] around IPv6 addresses. |
replfwd.config.forwarderDsts[].key | string | | Base64 encoded key used to encode/decode messages for this destination |
replfwd.config.forwarderDsts[].statsdb | boolean | | Whether to forward the statsdb information or not |
replfwd.config.forwarderDsts[].blal | boolean | | Whether to forward the blocklist/allowlist information or not |
replfwd.config.forwarderSrcs[] | array | | An array of forwarder sources - only messages received from these sources will be accepted |
replfwd.config.forwarderSrcs[].src | string | | A forwarder source, either an IPv6 or IPv4 address |
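The wforce, syncDB and replfwd tables above document hardened defaults that a full `podSecurityContext` or `containerSecurityContext` override silently discards, TLS-verification switches for webhooks, an inline webserver password versus `passwordSecret`, the one-replica limit for replfwd, and the `address:port` form of `forwarderDsts[].dst`. The following added example (not part of the chart) lints a parsed override file for those points; it assumes the override has already been loaded into a dict (for instance with `yaml.safe_load`), that a raw `podSecurityContext` override reaches Kubernetes unchanged, and that replication keys are 32 bytes (the example keys on this page decode to 32 bytes). The sample override is constructed.

```python
"""Added example, not part of the chart: lint an override values file for
settings that weaken the hardened defaults documented above. Takes the YAML
already parsed into a dict (e.g. via yaml.safe_load). Assumes a raw
podSecurityContext override reaches Kubernetes unchanged and that replication
keys are 32 bytes (the page's example keys decode to 32 bytes)."""
import base64
import ipaddress

CONTAINERS = {  # containerSecurityContext override keys named on this page
    "wforce": ("initContainer", "agentContainer", "wforceContainer"),
    "syncDB": ("initContainer", "agentContainer", "wforceContainer"),
    "replfwd": ("initContainer", "agentContainer", "replfwdContainer")}


def get(values, path, default=None):
    """Walk a dotted key path such as 'wforce.config.webserver.TLSEnabled'."""
    node = values
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def parse_dst(dst):
    """Split a forwarderDsts[].dst value: 'host:port' or '[v6addr]:port'."""
    host, sep, port = dst.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"{dst!r}: expected address:port")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    elif ":" in host:
        raise ValueError(f"{dst!r}: IPv6 addresses must be enclosed in []")
    return ipaddress.ip_address(host), int(port)  # ValueError on a bad address


def lint_overrides(values):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    for comp, containers in CONTAINERS.items():
        psc = get(values, f"{comp}.podSecurityContext")  # full override replaces defaults
        if psc is not None and not (psc.get("runAsNonRoot") or psc.get("runAsNotRoot")):
            findings.append(f"{comp}.podSecurityContext: pods may run as root")
        for ctr in containers:
            csc = get(values, f"{comp}.{ctr}.containerSecurityContext")
            if csc is None:
                continue
            if csc.get("allowPrivilegeEscalation", True):
                findings.append(f"{comp}.{ctr}: allowPrivilegeEscalation not false")
            if "ALL" not in csc.get("capabilities", {}).get("drop", []):
                findings.append(f"{comp}.{ctr}: capabilities.drop lacks ALL")
            if not csc.get("readOnlyRootFilesystem", False):
                findings.append(f"{comp}.{ctr}: root filesystem is writable")
    for flag in ("webhookDisablePeerVerify", "webhookDisableHostVerify"):
        if get(values, f"wforce.config.{flag}") is True:
            findings.append(f"wforce.config.{flag}: TLS verification disabled")
    if get(values, "wforce.configSecrets.webserver.password") and not get(
            values, "wforce.configSecrets.webserver.passwordSecret"):
        findings.append("webserver password is inline; prefer passwordSecret")
    if "registrySecrets" in values and len(values) > 1:
        findings.append("registrySecrets should live in a separate override file")
    if get(values, "replfwd.replicaCount", 1) > 1:
        findings.append("replfwd.replicaCount > 1 duplicates replication messages")
    for i, dest in enumerate(get(values, "replfwd.config.forwarderDsts", [])):
        try:
            parse_dst(str(dest.get("dst", "")))
            if len(base64.b64decode(dest.get("key", ""), validate=True)) != 32:
                raise ValueError("key does not decode to a 32-byte key")
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            findings.append(f"replfwd.config.forwarderDsts[{i}]: {exc}")
    return findings


# Constructed override that deliberately contains several weak settings.
SAMPLE_OVERRIDES = {
    "wforce": {"configSecrets": {"webserver": {"password": "secret"}},
               "config": {"webhookDisablePeerVerify": True},
               "wforceContainer": {"containerSecurityContext": {
                   "capabilities": {"drop": ["ALL"]}, "readOnlyRootFilesystem": True}}},
    "replfwd": {"replicaCount": 2, "config": {"forwarderDsts": [
        {"dst": "128.243.21.1:4001", "statsdb": True, "blal": True,
         "key": "Sk9mMFo0QzNvTXZQMVBMdGNiVHdyTmdnQ1I4Y00ydHg="},
        {"dst": "2a00:23c7:1a00:d101:ad13:654c:4f17:5620:4001", "key": "c2hvcnQ=",
         "statsdb": True, "blal": True}]}},
}
```

Run `lint_overrides` over every override file before `helm upgrade`; the base64 value returned by the `kubectl get secret` command above is already in the form `forwarderDsts[].key` expects, so it can be pasted in unchanged.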