Merge remote-tracking branch 'origin/dev' into dev-mf-docu

Author: TheophileDiot

CLAUDE.md

@@ -4,7 +4,7 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
 
 ## Project Overview
 
-BunkerWeb Helm chart — deploys BunkerWeb (open-source WAF/reverse proxy) on Kubernetes. Chart version 1.0.14, app version 1.6.9. Helm 3, API v2.
+BunkerWeb Helm chart — deploys BunkerWeb (open-source WAF/reverse proxy) on Kubernetes. Chart version 1.0.17, app version 1.6.10. Helm 3, API v2.
 
 ## Repository Layout
 

README.md

@@ -1,7 +1,7 @@
 # BunkerWeb Kubernetes Helm Chart
 
-![Version](https://img.shields.io/badge/version-1.0.2-blue)
-![AppVersion](https://img.shields.io/badge/app%20version-1.6.4-green)
+![Version](https://img.shields.io/badge/version-1.0.19-blue)
+![AppVersion](https://img.shields.io/badge/app%20version-1.6.10-green)
 
 Official [Helm chart](https://helm.sh/docs/) to deploy [BunkerWeb](https://www.bunkerweb.io/?utm_campaign=self&utm_source=github) on Kubernetes - A next-generation, open-source **web application firewall (WAF)** and reverse proxy.
 

charts/bunkerweb/Chart.yaml

@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.0.16
+version: 1.0.19
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.6.9"
+appVersion: "1.6.10"

charts/bunkerweb/templates/NOTES.txt

@@ -1,5 +1,48 @@
 BunkerWeb has been successfully deployed!
 
+{{- if and .Release.IsUpgrade (ne (include "bunkerweb.apiEnabled" .) "true") }}
+
+================================================================================
+                       UPGRADE NOTICE (chart 1.0.19)
+================================================================================
+
+The external API is now DISABLED by default (was enabled in <= 1.0.18, where
+it crash-looped without authentication). If you previously relied on the
+default-on API, set api.enabled=true AND configure authentication
+(settings.api.useBearerToken / useUserPass / apiAclBootstrapFile).
+{{- end }}
+
+{{- if and .Release.IsUpgrade .Values.redis.enabled .Values.redis.useConfigFile }}
+
+================================================================================
+                       UPGRADE NOTICE (chart 1.0.17 / app 1.6.10)
+================================================================================
+
+Redis default eviction policy changed: allkeys-lru -> volatile-lru.
+The bundled redis.conf now also uses `save 60 1000` instead of `save ""`.
+
+Why: BunkerWeb 1.6.10 Redis Best Practices recommend volatile-lru so that
+keys WITH a TTL (rate-limit counters, bad-behavior windows, sessions) are
+evicted first, while keys WITHOUT a TTL (permanent bans) are preserved
+under memory pressure.
+
+Impact: keys without TTL accumulate. Under sustained pressure with
+non-TTL writers, Redis will OOM on writes instead of evicting LRU keys.
+
+If you store non-TTL keys in this Redis instance, override the policy:
+
+   redis:
+     config:
+       file: |
+         appendonly yes
+         save 60 1000
+         loglevel verbose
+         maxmemory 512mb
+         maxmemory-policy allkeys-lru   # previous default
+
+Reference: https://docs.bunkerweb.io/1.6.10/features/#redis-best-practices
+{{- end }}
+
 ================================================================================
                            DEPLOYMENT INFORMATION
 ================================================================================

charts/bunkerweb/templates/_helpers.tpl

@@ -130,6 +130,30 @@ REDIS settings
 {{- end }}
 {{- end }}
 
+{{/*
+Whether the external API component must run.
+True when the API is explicitly enabled, or when MCP is enabled and points at
+the internal API (mcp.config.bunkerwebBaseUrl empty) — MCP depends on it.
+*/}}
+{{- define "bunkerweb.apiEnabled" -}}
+{{- if or .Values.api.enabled (and .Values.mcp.enabled (empty .Values.mcp.config.bunkerwebBaseUrl)) -}}
+true
+{{- end -}}
+{{- end -}}
+
+{{/*
+Whether any API authentication method is configured.
+*/}}
+{{- define "bunkerweb.apiAuthConfigured" -}}
+{{- $s := .Values.settings.api -}}
+{{- $hasToken := or (and $s.useBearerToken.fromExistingSecret (not (empty .Values.settings.existingSecret))) (and (not $s.useBearerToken.fromExistingSecret) (not (empty $s.useBearerToken.token))) -}}
+{{- $hasUserPass := or (and $s.useUserPass.fromExistingSecret (not (empty .Values.settings.existingSecret))) (and (not $s.useUserPass.fromExistingSecret) (not (empty $s.useUserPass.apiUsername)) (not (empty $s.useUserPass.apiPassword))) -}}
+{{- $hasAcl := not (empty $s.apiAclBootstrapFile) -}}
+{{- if or $hasToken $hasUserPass $hasAcl -}}
+true
+{{- end -}}
+{{- end -}}
+
 {{/*
 Generate BunkerWeb feature environment variables
 */}}
@@ -150,6 +174,14 @@ Generate BunkerWeb feature environment variables
 - name: DISABLE_DEFAULT_SERVER_STRICT_SNI
   value: {{ .global.disableDefaultServerStrictSni | quote }}
 {{- end }}
+{{- if and .global.maxHeaders (ne .global.maxHeaders "") }}
+- name: MAX_HEADERS
+  value: {{ .global.maxHeaders | quote }}
+{{- end }}
+{{- if and .global.workerShutdownTimeout (ne .global.workerShutdownTimeout "") }}
+- name: WORKER_SHUTDOWN_TIMEOUT
+  value: {{ .global.workerShutdownTimeout | quote }}
+{{- end }}
 
 # =============================================================================
 # NGINX TIMEOUTS
@@ -238,9 +270,17 @@ Generate BunkerWeb feature environment variables
 - name: MODSECURITY_CRS_PLUGINS
   value: {{ .modsecurity.modsecurityCrsPlugins | quote }}
 {{- end }}
+{{- if and .modsecurity .modsecurity.modsecuritySecRequestBodyLimit (ne .modsecurity.modsecuritySecRequestBodyLimit "") }}
+- name: MODSECURITY_SEC_REQUEST_BODY_LIMIT
+  value: {{ .modsecurity.modsecuritySecRequestBodyLimit | quote }}
+{{- end }}
+{{- if and .modsecurity .modsecurity.modsecuritySecRequestBodyLimitAction (ne .modsecurity.modsecuritySecRequestBodyLimitAction "") }}
+- name: MODSECURITY_SEC_REQUEST_BODY_LIMIT_ACTION
+  value: {{ .modsecurity.modsecuritySecRequestBodyLimitAction | quote }}
+{{- end }}
 
 # =============================================================================
-# ANTIBOT PROTECTION  
+# ANTIBOT PROTECTION
 # =============================================================================
 {{- if and .antibot .antibot.useAntibot (ne .antibot.useAntibot "") }}
 - name: USE_ANTIBOT
@@ -270,6 +310,10 @@ Generate BunkerWeb feature environment variables
 - name: ANTIBOT_RECAPTCHA_CLASSIC
   value: {{ .antibot.antibotRecaptchaClassic | quote }}
 {{- end }}
+{{- if and .antibot .antibot.antibotRdnsGlobal (ne .antibot.antibotRdnsGlobal "") }}
+- name: ANTIBOT_RDNS_GLOBAL
+  value: {{ .antibot.antibotRdnsGlobal | quote }}
+{{- end }}
 
 # =============================================================================
 # RATE LIMITING
@@ -445,6 +489,10 @@ Generate BunkerWeb feature environment variables
 - name: LETS_ENCRYPT_ZEROSSL_API_RETRY_DELAY
   value: {{ .letsEncrypt.letsEncryptZerosslApiRetryDelay | quote }}
 {{- end }}
+{{- if and .letsEncrypt .letsEncrypt.letsEncryptMaxLogBackups (ne .letsEncrypt.letsEncryptMaxLogBackups "") }}
+- name: LETS_ENCRYPT_MAX_LOG_BACKUPS
+  value: {{ .letsEncrypt.letsEncryptMaxLogBackups | quote }}
+{{- end }}
 
 # Custom SSL certificate
 {{- if and .customSsl .customSsl.useCustomSsl (ne .customSsl.useCustomSsl "") }}
@@ -537,6 +585,18 @@ Generate BunkerWeb feature environment variables
 - name: REVERSE_PROXY_READ_TIMEOUT
   value: {{ .reverseProxy.reverseProxyReadTimeout | quote }}
 {{- end }}
+{{- if and .reverseProxy .reverseProxy.reverseProxyKeepalive (ne .reverseProxy.reverseProxyKeepalive "") }}
+- name: REVERSE_PROXY_KEEPALIVE
+  value: {{ .reverseProxy.reverseProxyKeepalive | quote }}
+{{- end }}
+{{- if and .reverseProxy .reverseProxy.reverseProxyHttpVersion (ne .reverseProxy.reverseProxyHttpVersion "") }}
+- name: REVERSE_PROXY_HTTP_VERSION
+  value: {{ .reverseProxy.reverseProxyHttpVersion | quote }}
+{{- end }}
+{{- if and .reverseProxy .reverseProxy.reverseProxyModsecurity (ne .reverseProxy.reverseProxyModsecurity "") }}
+- name: REVERSE_PROXY_MODSECURITY
+  value: {{ .reverseProxy.reverseProxyModsecurity | quote }}
+{{- end }}
 
 # =============================================================================
 # GRPC REVERSE PROXY
@@ -749,6 +809,10 @@ Generate BunkerWeb feature environment variables
 - name: SESSIONS_CHECK_USER_AGENT
   value: {{ .sessions.sessionsCheckUserAgent | quote }}
 {{- end }}
+{{- if and .sessions .sessions.sessionsDomain (ne .sessions.sessionsDomain "") }}
+- name: SESSIONS_DOMAIN
+  value: {{ .sessions.sessionsDomain | quote }}
+{{- end }}
 
 # =============================================================================
 # METRICS AND MONITORING
@@ -765,10 +829,22 @@ Generate BunkerWeb feature environment variables
 - name: METRICS_MAX_BLOCKED_REQUESTS
   value: {{ .metrics.metricsMaxBlockedRequests | quote }}
 {{- end }}
+{{- if and .metrics .metrics.metricsMaxBlockedRequestsRedis (ne .metrics.metricsMaxBlockedRequestsRedis "") }}
+- name: METRICS_MAX_BLOCKED_REQUESTS_REDIS
+  value: {{ .metrics.metricsMaxBlockedRequestsRedis | quote }}
+{{- end }}
 {{- if and .metrics .metrics.metricsSaveToRedis (ne .metrics.metricsSaveToRedis "") }}
 - name: METRICS_SAVE_TO_REDIS
   value: {{ .metrics.metricsSaveToRedis | quote }}
 {{- end }}
+{{- if and .metrics .metrics.maxLruHistory (ne .metrics.maxLruHistory "") }}
+- name: MAX_LRU_HISTORY
+  value: {{ .metrics.maxLruHistory | quote }}
+{{- end }}
+{{- if and .metrics .metrics.datastoreLruSize (ne .metrics.datastoreLruSize "") }}
+- name: DATASTORE_LRU_SIZE
+  value: {{ .metrics.datastoreLruSize | quote }}
+{{- end }}
 
 # =============================================================================
 # AUTH BASIC

charts/bunkerweb/templates/api-deployment.yaml

@@ -1,4 +1,7 @@
-{{- if .Values.api.enabled -}}
+{{- if eq (include "bunkerweb.apiEnabled" .) "true" -}}
+{{- if ne (include "bunkerweb.apiAuthConfigured" .) "true" }}
+{{- fail "The external API is enabled (api.enabled=true, or mcp.enabled uses the internal API) but no authentication is configured. The BunkerWeb API refuses to start without auth and will CrashLoopBackOff. Set one of: settings.api.useBearerToken.token (or .fromExistingSecret), settings.api.useUserPass.apiUsername+apiPassword (or .fromExistingSecret), or settings.api.apiAclBootstrapFile. Otherwise set api.enabled=false." }}
+{{- end }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -122,7 +125,7 @@ spec:
           - name: api-acl-bootstrap
             mountPath: /var/lib/bunkerweb/api_acl_bootstrap.json
           {{- end }}
-      {{- if .Values.settings.api.apiAclBootstrapFile }}        
+      {{- if .Values.settings.api.apiAclBootstrapFile }}
       volumes:
       - name: api-acl-bootstrap
         configMap:

charts/bunkerweb/templates/api-httproute.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.settings.api.httpRoutes.enabled -}}
+{{- if and (eq (include "bunkerweb.apiEnabled" .) "true") .Values.settings.api.httpRoutes.enabled -}}
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:

charts/bunkerweb/templates/api-ingress.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.settings.api.ingress.enabled -}}
+{{- if and (eq (include "bunkerweb.apiEnabled" .) "true") .Values.settings.api.ingress.enabled -}}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:

charts/bunkerweb/templates/api-service.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.api.enabled -}}
+{{- if eq (include "bunkerweb.apiEnabled" .) "true" -}}
 apiVersion: v1
 kind: Service
 metadata:

charts/bunkerweb/templates/clusterrole.yaml

@@ -6,7 +6,7 @@ metadata:
     {{- include "bunkerweb.labels" . | nindent 4 }}
 rules:
   - apiGroups: [""]
-    resources: ["services", "pods", "configmaps", "secrets"]
+    resources: ["nodes", "services", "pods", "configmaps", "secrets"]
     verbs: ["get", "watch", "list"]
   - apiGroups: ["networking.k8s.io"]
     resources: ["ingresses"]
@@ -31,4 +31,4 @@ rules:
       - grpcroutes
       - grpcroutes/status
       - referencegrants
-    verbs: ["get", "watch", "list", "patch", "update"]
+    verbs: ["get", "watch", "list", "patch", "update"]