bunkerity
diff --git a/‎CLAUDE.md‎
Lines changed: 86 additions & 0 deletions b/‎CLAUDE.md‎
Lines changed: 86 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 37 additions & 1 deletion b/‎README.md‎
Lines changed: 37 additions & 1 deletion
diff --git a/‎charts/bunkerweb/Chart.yaml‎
Lines changed: 2 additions & 2 deletions b/‎charts/bunkerweb/Chart.yaml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎charts/bunkerweb/templates/_helpers.tpl‎
Lines changed: 184 additions & 0 deletions b/‎charts/bunkerweb/templates/_helpers.tpl‎
Lines changed: 184 additions & 0 deletions
@@ -0,0 +1,86 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+BunkerWeb Helm chart — deploys BunkerWeb (open-source WAF/reverse proxy) on Kubernetes. Chart version 1.0.14, app version 1.6.9. Helm 3, API v2.
+
+## Repository Layout
+
+- `charts/bunkerweb/` — the Helm chart (Chart.yaml, values.yaml, templates/)
+- `scripts/` — `validate-chart.sh` (chart validation + lint + template rendering tests), `generate-docs.py` (auto-generate docs from values.yaml)
+- `examples/` — example values files (all-in-one, minimal, high-availability, logging, secrets)
+- `docs/` — user documentation (`values.md` is the comprehensive guide, `values-reference.md` is auto-generated)
+
+## Common Commands
+
+```bash
+# Validate chart (runs helm lint + template rendering with 20+ scenarios)
+./scripts/validate-chart.sh
+
+# Lint only
+helm lint charts/bunkerweb/
+
+# Render templates with default values
+helm template test charts/bunkerweb/
+
+# Render with a specific values file
+helm template test charts/bunkerweb/ -f examples/all-in-one.yaml
+
+# Render with value overrides (useful for testing specific template paths)
+helm template test charts/bunkerweb/ --set bunkerweb.kind=DaemonSet
+helm template test charts/bunkerweb/ --set bunkerweb.kind=StatefulSet
+helm template test charts/bunkerweb/ --set bunkerweb.hpa.enabled=true
+helm template test charts/bunkerweb/ --set controller.enabled=true
+
+# Generate documentation from values.yaml
+python3 scripts/generate-docs.py
+```
+
+## Architecture
+
+BunkerWeb deploys as a multi-component system:
+
+- **BunkerWeb** (`bunkerweb-*.yaml`) — the core WAF/reverse proxy. Supports three deployment kinds: Deployment (default), DaemonSet, or StatefulSet. Has both an external service (user traffic) and internal service (inter-component communication).
+- **Scheduler** (`scheduler-deployment.yaml`) — manages configuration distribution and coordination across BunkerWeb instances.
+- **Controller** (`controller-deployment.yaml`) — watches Kubernetes Ingress and Gateway API resources, translates them to BunkerWeb config. Optional, enabled via `controller.enabled`.
+- **UI** (`ui-*.yaml`) — web management interface with syslog sidecar for log collection. Optional, enabled via `ui.enabled`.
+- **API** (`api-*.yaml`) — external REST API. Optional, enabled via `api.enabled`.
+- **MariaDB/Redis/Prometheus/Grafana** — optional infrastructure components, each with their own deployment + service + PVC templates.
+
+## Key Template Patterns
+
+**`_helpers.tpl`** (829 lines) contains critical helper functions:
+- `bunkerweb.databaseUri` — builds the database connection string dynamically (internal MariaDB vs external)
+- `bunkerweb.featureEnvs` — generates environment variables from the large `scheduler.features` section in values.yaml. This is the most complex helper and maps feature config to BunkerWeb env vars.
+- `bunkerweb.redisEnv` — generates Redis connection env vars with auth support
+- `bunkerweb.syslogAddress` — resolves syslog address for UI log forwarding
+
+**Conditional rendering**: Most components are gated by `.Values.<component>.enabled`. BunkerWeb kind selection uses three separate template files (`bunkerweb-deployment.yaml`, `bunkerweb-daemonset.yaml`, `bunkerweb-statefulset.yaml`) each guarded by `if eq .Values.bunkerweb.kind "<Kind>"`.
+
+**Secret management**: The chart supports an `existingSecret` pattern — users reference a pre-created Kubernetes Secret rather than putting credentials in values.yaml. Sensitive values (DB URI, Redis password, admin creds, API keys) are injected via `secretKeyRef`.
+
+## Values Structure
+
+`values.yaml` (1,521 lines) has these major sections:
+- **`settings`** — BunkerWeb configuration: `kubernetes` (namespace, ingressClass), `misc` (databaseUri, DNS), `redis`, `ui`, `api`, `scheduler.features` (800+ lines of WAF feature toggles like ModSecurity, antibot, rate limiting, geo-blocking, etc.)
+- **`service`** — Kubernetes Service config (type, externalTrafficPolicy)
+- **`bunkerweb`** — core component config (kind, replicas, HPA, PDB, resources, probes, volumes, affinity)
+- **`scheduler`**, `controller`, `ui`, `api` — per-component deployment config
+- **`mariadb`**, `redis`, `prometheus`, `grafana` — optional infrastructure
+- **`ingressClass`**, `gatewayClass`** — Kubernetes integration resources
+- **`networkPolicy`** — network segmentation (disabled by default)
+
+## CI/CD
+
+Two GitHub Actions workflows:
+- `.github/workflows/dev.yml` — on push to `dev` branch (charts/** changes): validate → package → upload to dev Helm repo via SSH
+- `.github/workflows/prod.yml` — on push to `main` branch: same pipeline but uploads to production Helm repo
+
+## Development Notes
+
+- Gateway API support is experimental (disabled by default via `gatewayClass.enabled: false`)
+- The `KUBERNETES_REVERSE_PROXY_SUFFIX_START` env var is set to `"0"` (string) on the controller to avoid issues with UI/API templates
+- When adding new BunkerWeb features, update both `values.yaml` (under `scheduler.features`) and the `bunkerweb.featureEnvs` helper in `_helpers.tpl`
+- Always run `./scripts/validate-chart.sh` before committing — it tests template rendering across many configuration combinations
@@ -11,6 +11,7 @@ Official [Helm chart](https://helm.sh/docs/) to deploy [BunkerWeb](https://www.b
 - **High Availability**: Support for DaemonSet and Deployment modes
 - **Monitoring**: Built-in Prometheus metrics and Grafana dashboards
 - **Management UI**: Web interface for configuration and monitoring
+- **AI Integration**: MCP server for AI assistants (Claude Code, etc.)
 - **Auto-scaling**: Kubernetes-native scaling capabilities
 - **Secret Management**: Integration with Kubernetes secrets
 
@@ -55,6 +56,8 @@ helm install mybunkerweb bunkerweb/bunkerweb -n bunkerweb --create-namespace
 | **Scheduler** | Configuration management | Required |
 | **Controller** | Kubernetes integration | Enabled |
 | **UI** | Web management interface | Enabled |
+| **API** | External REST API for automation | Enabled |
+| **MCP** | Model Context Protocol server for AI assistants | Enabled |
 | **MariaDB** | Database backend | Enabled |
 | **Redis** | Caching and persistence | Enabled |
 | **Prometheus** | Metrics collection | Disabled |
@@ -109,6 +112,36 @@ service:
   externalTrafficPolicy: Local
 ```
 
+### MCP Server (AI Assistant Integration)
+
+The MCP (Model Context Protocol) server enables AI assistants like Claude Code to manage BunkerWeb configuration.
+
+```yaml
+mcp:
+  enabled: true
+  # API credentials (must match settings.api configuration)
+  secrets:
+    bunkerwebApiToken: "your-api-token"
+
+  # Expose via Ingress (legacy)
+  ingress:
+    enabled: true
+    serverName: "mcp.example.com"
+    annotations:
+      bunkerweb.io/USE_WHITELIST: "yes"
+      bunkerweb.io/WHITELIST_IP: "YOUR_IP/32"
+
+  # Or expose via Gateway API (modern)
+  httpRoutes:
+    enabled: true
+    serverName: "mcp.example.com"
+    extraAnnotations:
+      bunkerweb.io/USE_WHITELIST: "yes"
+      bunkerweb.io/WHITELIST_IP: "YOUR_IP/32"
+```
+
+> **Security Warning**: The MCP server has no built-in authentication for the `/mcp` endpoint. Always use IP whitelisting or network policies to restrict access.
+
 ### Secret Management
 
 ```yaml
@@ -186,6 +219,7 @@ The chart includes pre-configured Grafana dashboards for:
 3. **Network Policies**: Enable network policies for production environments
 4. **Resource Limits**: Set appropriate CPU/memory limits
 5. **Pod Security**: Review and adjust security contexts
+6. **MCP Access Control**: Always configure IP whitelisting when exposing the MCP server
 
 ## Troubleshooting
 
@@ -247,8 +281,10 @@ kubectl delete namespace bunkerweb
 ### Key Configuration Areas
 
 - **Global Settings**: Common configuration across all components
-- **BunkerWeb**: Main reverse proxy configuration  
+- **BunkerWeb**: Main reverse proxy configuration
 - **UI**: Web interface settings
+- **API**: External REST API for automation and integrations
+- **MCP**: AI assistant integration (Claude Code, etc.)
 - **Database**: MariaDB configuration
 - **Monitoring**: Prometheus and Grafana setup
 - **Security**: Network policies and access control
 
@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.0.14
+version: 1.0.15
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.6.8"
+appVersion: "1.6.9"
@@ -151,6 +151,66 @@ Generate BunkerWeb feature environment variables
   value: {{ .global.disableDefaultServerStrictSni | quote }}
 {{- end }}
 
+# =============================================================================
+# NGINX TIMEOUTS
+# =============================================================================
+{{- if and .timeouts .timeouts.clientBodyTimeout (ne .timeouts.clientBodyTimeout "") }}
+- name: CLIENT_BODY_TIMEOUT
+  value: {{ .timeouts.clientBodyTimeout | quote }}
+{{- end }}
+{{- if and .timeouts .timeouts.clientHeaderTimeout (ne .timeouts.clientHeaderTimeout "") }}
+- name: CLIENT_HEADER_TIMEOUT
+  value: {{ .timeouts.clientHeaderTimeout | quote }}
+{{- end }}
+{{- if and .timeouts .timeouts.keepaliveTimeout (ne .timeouts.keepaliveTimeout "") }}
+- name: KEEPALIVE_TIMEOUT
+  value: {{ .timeouts.keepaliveTimeout | quote }}
+{{- end }}
+{{- if and .timeouts .timeouts.sendTimeout (ne .timeouts.sendTimeout "") }}
+- name: SEND_TIMEOUT
+  value: {{ .timeouts.sendTimeout | quote }}
+{{- end }}
+
+# =============================================================================
+# DATABASE CONNECTION POOL
+# =============================================================================
+{{- if and .databasePool .databasePool.databasePoolSize (ne .databasePool.databasePoolSize "") }}
+- name: DATABASE_POOL_SIZE
+  value: {{ .databasePool.databasePoolSize | quote }}
+{{- end }}
+{{- if and .databasePool .databasePool.databasePoolMaxOverflow (ne .databasePool.databasePoolMaxOverflow "") }}
+- name: DATABASE_POOL_MAX_OVERFLOW
+  value: {{ .databasePool.databasePoolMaxOverflow | quote }}
+{{- end }}
+{{- if and .databasePool .databasePool.databasePoolTimeout (ne .databasePool.databasePoolTimeout "") }}
+- name: DATABASE_POOL_TIMEOUT
+  value: {{ .databasePool.databasePoolTimeout | quote }}
+{{- end }}
+{{- if and .databasePool .databasePool.databasePoolRecycle (ne .databasePool.databasePoolRecycle "") }}
+- name: DATABASE_POOL_RECYCLE
+  value: {{ .databasePool.databasePoolRecycle | quote }}
+{{- end }}
+{{- if and .databasePool .databasePool.databasePoolPrePing (ne .databasePool.databasePoolPrePing "") }}
+- name: DATABASE_POOL_PRE_PING
+  value: {{ .databasePool.databasePoolPrePing | quote }}
+{{- end }}
+{{- if and .databasePool .databasePool.databasePoolResetOnReturn (ne .databasePool.databasePoolResetOnReturn "") }}
+- name: DATABASE_POOL_RESET_ON_RETURN
+  value: {{ .databasePool.databasePoolResetOnReturn | quote }}
+{{- end }}
+{{- if and .databasePool .databasePool.databaseRetryTimeout (ne .databasePool.databaseRetryTimeout "") }}
+- name: DATABASE_RETRY_TIMEOUT
+  value: {{ .databasePool.databaseRetryTimeout | quote }}
+{{- end }}
+{{- if and .databasePool .databasePool.databaseRequestRetryAttempts (ne .databasePool.databaseRequestRetryAttempts "") }}
+- name: DATABASE_REQUEST_RETRY_ATTEMPTS
+  value: {{ .databasePool.databaseRequestRetryAttempts | quote }}
+{{- end }}
+{{- if and .databasePool .databasePool.databaseRequestRetryDelay (ne .databasePool.databaseRequestRetryDelay "") }}
+- name: DATABASE_REQUEST_RETRY_DELAY
+  value: {{ .databasePool.databaseRequestRetryDelay | quote }}
+{{- end }}
+
 # =============================================================================
 # MODSECURITY WAF
 # =============================================================================
@@ -206,6 +266,10 @@ Generate BunkerWeb feature environment variables
 - name: ANTIBOT_IGNORE_URI
   value: {{ .antibot.antibotIgnoreUri | quote }}
 {{- end }}
+{{- if and .antibot .antibot.antibotRecaptchaClassic (ne .antibot.antibotRecaptchaClassic "") }}
+- name: ANTIBOT_RECAPTCHA_CLASSIC
+  value: {{ .antibot.antibotRecaptchaClassic | quote }}
+{{- end }}
 
 # =============================================================================
 # RATE LIMITING
@@ -349,6 +413,38 @@ Generate BunkerWeb feature environment variables
 - name: USE_LETS_ENCRYPT_WILDCARD
   value: {{ .letsEncrypt.useLetsEncryptWildcard | quote }}
 {{- end }}
+{{- if and .letsEncrypt .letsEncrypt.letsEncryptServer (ne .letsEncrypt.letsEncryptServer "") }}
+- name: LETS_ENCRYPT_SERVER
+  value: {{ .letsEncrypt.letsEncryptServer | quote }}
+{{- end }}
+{{- if and .letsEncrypt .letsEncrypt.letsEncryptProfile (ne .letsEncrypt.letsEncryptProfile "") }}
+- name: LETS_ENCRYPT_PROFILE
+  value: {{ .letsEncrypt.letsEncryptProfile | quote }}
+{{- end }}
+{{- if and .letsEncrypt .letsEncrypt.letsEncryptCustomProfile (ne .letsEncrypt.letsEncryptCustomProfile "") }}
+- name: LETS_ENCRYPT_CUSTOM_PROFILE
+  value: {{ .letsEncrypt.letsEncryptCustomProfile | quote }}
+{{- end }}
+{{- if and .letsEncrypt .letsEncrypt.letsEncryptZerosslApiKey (ne .letsEncrypt.letsEncryptZerosslApiKey "") }}
+- name: LETS_ENCRYPT_ZEROSSL_API_KEY
+  value: {{ .letsEncrypt.letsEncryptZerosslApiKey | quote }}
+{{- end }}
+{{- if and .letsEncrypt .letsEncrypt.letsEncryptZerosslApiConnectTimeout (ne .letsEncrypt.letsEncryptZerosslApiConnectTimeout "") }}
+- name: LETS_ENCRYPT_ZEROSSL_API_CONNECT_TIMEOUT
+  value: {{ .letsEncrypt.letsEncryptZerosslApiConnectTimeout | quote }}
+{{- end }}
+{{- if and .letsEncrypt .letsEncrypt.letsEncryptZerosslApiMaxTime (ne .letsEncrypt.letsEncryptZerosslApiMaxTime "") }}
+- name: LETS_ENCRYPT_ZEROSSL_API_MAX_TIME
+  value: {{ .letsEncrypt.letsEncryptZerosslApiMaxTime | quote }}
+{{- end }}
+{{- if and .letsEncrypt .letsEncrypt.letsEncryptZerosslApiRetry (ne .letsEncrypt.letsEncryptZerosslApiRetry "") }}
+- name: LETS_ENCRYPT_ZEROSSL_API_RETRY
+  value: {{ .letsEncrypt.letsEncryptZerosslApiRetry | quote }}
+{{- end }}
+{{- if and .letsEncrypt .letsEncrypt.letsEncryptZerosslApiRetryDelay (ne .letsEncrypt.letsEncryptZerosslApiRetryDelay "") }}
+- name: LETS_ENCRYPT_ZEROSSL_API_RETRY_DELAY
+  value: {{ .letsEncrypt.letsEncryptZerosslApiRetryDelay | quote }}
+{{- end }}
 
 # Custom SSL certificate
 {{- if and .customSsl .customSsl.useCustomSsl (ne .customSsl.useCustomSsl "") }}
@@ -442,6 +538,78 @@ Generate BunkerWeb feature environment variables
   value: {{ .reverseProxy.reverseProxyReadTimeout | quote }}
 {{- end }}
 
+# =============================================================================
+# GRPC REVERSE PROXY
+# =============================================================================
+{{- if and .grpc .grpc.useGrpc (ne .grpc.useGrpc "") }}
+- name: USE_GRPC
+  value: {{ .grpc.useGrpc | quote }}
+{{- end }}
+{{- if and .grpc .grpc.grpcUrl (ne .grpc.grpcUrl "") }}
+- name: GRPC_URL
+  value: {{ .grpc.grpcUrl | quote }}
+{{- end }}
+{{- if and .grpc .grpc.grpcHost (ne .grpc.grpcHost "") }}
+- name: GRPC_HOST
+  value: {{ .grpc.grpcHost | quote }}
+{{- end }}
+{{- if and .grpc .grpc.grpcConnectTimeout (ne .grpc.grpcConnectTimeout "") }}
+- name: GRPC_CONNECT_TIMEOUT
+  value: {{ .grpc.grpcConnectTimeout | quote }}
+{{- end }}
+{{- if and .grpc .grpc.grpcReadTimeout (ne .grpc.grpcReadTimeout "") }}
+- name: GRPC_READ_TIMEOUT
+  value: {{ .grpc.grpcReadTimeout | quote }}
+{{- end }}
+{{- if and .grpc .grpc.grpcSendTimeout (ne .grpc.grpcSendTimeout "") }}
+- name: GRPC_SEND_TIMEOUT
+  value: {{ .grpc.grpcSendTimeout | quote }}
+{{- end }}
+{{- if and .grpc .grpc.grpcCustomHost (ne .grpc.grpcCustomHost "") }}
+- name: GRPC_CUSTOM_HOST
+  value: {{ .grpc.grpcCustomHost | quote }}
+{{- end }}
+{{- if and .grpc .grpc.grpcHeaders (ne .grpc.grpcHeaders "") }}
+- name: GRPC_HEADERS
+  value: {{ .grpc.grpcHeaders | quote }}
+{{- end }}
+{{- if and .grpc .grpc.grpcHideHeaders (ne .grpc.grpcHideHeaders "") }}
+- name: GRPC_HIDE_HEADERS
+  value: {{ .grpc.grpcHideHeaders | quote }}
+{{- end }}
+{{- if and .grpc .grpc.grpcInterceptErrors (ne .grpc.grpcInterceptErrors "") }}
+- name: GRPC_INTERCEPT_ERRORS
+  value: {{ .grpc.grpcInterceptErrors | quote }}
+{{- end }}
+{{- if and .grpc .grpc.grpcSocketKeepalive (ne .grpc.grpcSocketKeepalive "") }}
+- name: GRPC_SOCKET_KEEPALIVE
+  value: {{ .grpc.grpcSocketKeepalive | quote }}
+{{- end }}
+{{- if and .grpc .grpc.grpcSslSni (ne .grpc.grpcSslSni "") }}
+- name: GRPC_SSL_SNI
+  value: {{ .grpc.grpcSslSni | quote }}
+{{- end }}
+{{- if and .grpc .grpc.grpcSslSniName (ne .grpc.grpcSslSniName "") }}
+- name: GRPC_SSL_SNI_NAME
+  value: {{ .grpc.grpcSslSniName | quote }}
+{{- end }}
+{{- if and .grpc .grpc.grpcNextUpstream (ne .grpc.grpcNextUpstream "") }}
+- name: GRPC_NEXT_UPSTREAM
+  value: {{ .grpc.grpcNextUpstream | quote }}
+{{- end }}
+{{- if and .grpc .grpc.grpcNextUpstreamTimeout (ne .grpc.grpcNextUpstreamTimeout "") }}
+- name: GRPC_NEXT_UPSTREAM_TIMEOUT
+  value: {{ .grpc.grpcNextUpstreamTimeout | quote }}
+{{- end }}
+{{- if and .grpc .grpc.grpcNextUpstreamTries (ne .grpc.grpcNextUpstreamTries "") }}
+- name: GRPC_NEXT_UPSTREAM_TRIES
+  value: {{ .grpc.grpcNextUpstreamTries | quote }}
+{{- end }}
+{{- if and .grpc .grpc.grpcIncludes (ne .grpc.grpcIncludes "") }}
+- name: GRPC_INCLUDES
+  value: {{ .grpc.grpcIncludes | quote }}
+{{- end }}
+
 # =============================================================================
 # REAL IP DETECTION
 # =============================================================================
@@ -813,6 +981,22 @@ Generate BunkerWeb feature environment variables
 - name: BACKUP_DIRECTORY
   value: {{ .backup.backupDirectory | quote }}
 {{- end }}
+
+# =============================================================================
+# STREAM/PASSTHROUGH
+# =============================================================================
+{{- if and .stream .stream.listenStream (ne .stream.listenStream "") }}
+- name: LISTEN_STREAM
+  value: {{ .stream.listenStream | quote }}
+{{- end }}
+{{- if and .stream .stream.listenStreamPort (ne .stream.listenStreamPort "") }}
+- name: LISTEN_STREAM_PORT
+  value: {{ .stream.listenStreamPort | quote }}
+{{- end }}
+{{- if and .stream .stream.listenStreamPortSsl (ne .stream.listenStreamPortSsl "") }}
+- name: LISTEN_STREAM_PORT_SSL
+  value: {{ .stream.listenStreamPortSsl | quote }}
+{{- end }}
 {{- end }}
 {{- end }}