mozilla · grahamalama · Mar 25, 2026 · Mar 25, 2026 · Mar 25, 2026 · Mar 26, 2026
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.0
+version: 0.6.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
@@ -26,5 +26,5 @@ appVersion: 0.4.2
 
 dependencies:
   - name: mozcloud-gateway-lib
-    version: 0.5.0
+    version: 0.6.0
     repository: file://../library
@@ -1,6 +1,6 @@
 # mozcloud-gateway
 
-![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 A Helm chart that creates gateways and supporting Gateway API resources
 
@@ -19,7 +19,7 @@ version: 0.1.0
 type: application
 dependencies:
   - name: mozcloud-gateway
-    version: ~0.5.0
+    version: ~0.6.0
     repository: oci://us-west1-docker.pkg.dev/moz-fx-platform-artifacts/mozcloud-charts
 ```
 
@@ -34,7 +34,7 @@ Next, update your tenant's values. Shared charts are meant to be self-documented
 
 | Repository | Name | Version |
 |------------|------|---------|
-| file://../library | mozcloud-gateway-lib | 0.5.0 |
+| file://../library | mozcloud-gateway-lib | 0.6.0 |
 
 ## Values
 

@@ -33,6 +33,8 @@ tests:
       - equal:
           path: spec.targetRef.name
           value: test-service
+      - notExists:
+          path: spec.default.securityPolicy
   - it: External gateway is configured correctly
     template: gateway.yaml
     documentSelector:

@@ -0,0 +1,23 @@
+---
+suite: "mozcloud-gateway: Security policy configuration"
+release:
+  name: mozcloud-test
+  namespace: mozcloud-test-dev
+chart:
+  version: 1.0.0
+values:
+  - values/globals.yaml
+  - values/security-policy-configuration.yaml
+tests:
+  - it: Ensure no failures occur
+    asserts:
+      - notFailedTemplate: {}
+  - it: GCP backend policy includes securityPolicy
+    template: backendpolicy.yaml
+    documentSelector:
+      path: $[?(@.kind == "GCPBackendPolicy")].metadata.name
+      value: test-service
+    asserts:
+      - equal:
+          path: spec.default.securityPolicy
+          value: my-app-cloud-armor-policy
@@ -0,0 +1,26 @@
+---
+backends:
+  test-service:
+    service:
+      port: 8080
+backendPolicy:
+  securityPolicy: my-app-cloud-armor-policy
+gateway:
+  gateways:
+    test-gateway:
+      addresses:
+        - mozcloud-test-dev-ip-v4
+      tls:
+        certs:
+          - mozcloud-test-nonprod-dev
+        type: certmap
+httpRoute:
+  httpRoutes:
+    test-httproute:
+      gatewayRefs:
+        - name: test-gateway
+          section: https
+      rules:
+        - backendRefs:
+            - name: test-service
+              port: 8080
@@ -189,6 +189,10 @@
         },
         "timeoutSec": {
           "type": "integer"
+        },
+        "securityPolicy": {
+          "type": "string",
+          "description": "Cloud Armor security policy name to attach to the load balancer backend. For migration of existing applications only — new applications should use Fastly for WAF instead."
         }
       }
     },

@@ -47,6 +47,14 @@ backendPolicy:
   # Backend service timeout period in seconds.
   #timeoutSec: 30
 
+  # Cloud Armor security policy to attach to the load balancer backend. This
+  # should match the name of an existing Cloud Armor policy in GCP.
+  #
+  # NOTE: This option exists only to support migration of existing applications
+  # that already use Cloud Armor. New applications should NOT use this — use
+  # Fastly for WAF instead.
+  #securityPolicy:
+
 # Defines the backend services to create, backend policies, and healthchecks.
 backends:
   # The name of your backend and all related components. Use any name other

@@ -16,7 +16,7 @@ type: library
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.0
+version: 0.6.0
 
 dependencies:
   - name: mozcloud-labels-lib

@@ -1,6 +1,6 @@
 # mozcloud-gateway-lib
 
-![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square)
+![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square)
 
 A library chart that creates gateways and supporting Gateway API resources
 
@@ -19,7 +19,7 @@ version: 0.1.0
 type: application
 dependencies:
   - name: mozcloud-gateway-lib
-    version: ~0.5.0
+    version: ~0.6.0
     repository: oci://us-west1-docker.pkg.dev/moz-fx-platform-artifacts/mozcloud-charts
 ```
 

@@ -34,6 +34,9 @@ spec:
     {{- if $config.timeoutSec }}
     timeoutSec: {{ $config.timeoutSec }}
     {{- end }}
+    {{- if $config.securityPolicy }}
+    securityPolicy: {{ $config.securityPolicy }}
+    {{- end }}
   targetRef:
   {{- if $backend_policy.config.targetRef  }}
     {{- $backend_policy.config.targetRef | toYaml | nindent 4 }}

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.7.0
+version: 0.8.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

@@ -1,6 +1,6 @@
 # mozcloud-ingress
 
-![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 A Helm chart that creates ingress and supporting resources
 
@@ -19,7 +19,7 @@ version: 0.1.0
 type: application
 dependencies:
   - name: mozcloud-ingress
-    version: ~0.7.0
+    version: ~0.8.0
     repository: oci://us-west1-docker.pkg.dev/moz-fx-platform-artifacts/mozcloud-charts
 ```
 

@@ -30,6 +30,8 @@ tests:
             logging:
               enable: true
               sampleRate: 0.1
+      - notExists:
+          path: spec.securityPolicy
   - it: Frontend is configured correctly
     template: frontendconfig.yaml
     documentSelector:

@@ -0,0 +1,24 @@
+---
+suite: "mozcloud-ingress: Security policy configuration"
+release:
+  name: mozcloud-test
+  namespace: mozcloud-test-dev
+chart:
+  version: 1.0.0
+values:
+  - values/globals.yaml
+  - values/security-policy-configuration.yaml
+tests:
+  - it: Ensure no failures occur
+    asserts:
+      - notFailedTemplate: {}
+  - it: BackendConfig includes securityPolicy as an object
+    template: backendconfig.yaml
+    documentSelector:
+      path: $[?(@.kind == "BackendConfig")].metadata.name
+      value: test-ingress
+    asserts:
+      - equal:
+          path: spec.securityPolicy
+          value:
+            name: my-app-cloud-armor-policy
@@ -0,0 +1,14 @@
+---
+backendConfig:
+  securityPolicy: my-app-cloud-armor-policy
+ingresses:
+  test-ingress:
+    staticIpName: mozcloud-test-dev-ip-v4
+    hosts:
+      - domains:
+          - test-service.dev.test-domain.com
+        paths:
+          - path: /
+            backend:
+              service:
+                port: 8080
@@ -285,7 +285,8 @@
           "$ref": "#/$defs/logging"
         },
         "securityPolicy": {
-          "type": "string"
+          "type": "string",
+          "description": "Cloud Armor security policy name to attach to the load balancer backend. For migration of existing applications only — new applications should use Fastly for WAF instead."
         },
         "sessionAffinity": {
           "type": "object",

@@ -100,8 +100,12 @@ backendConfig:
     # Ranges from 0.0 (0%) to 1.0 (100%).
     sampleRate: 0.1
 
-  # Security policy to use with the GCLB. This should match the name of a rule
-  # in CloudArmor. Defaults to: {{ $.Values.app_code }}-policy
+  # Cloud Armor security policy to attach to the load balancer backend. This
+  # should match the name of an existing Cloud Armor policy in GCP.
+  #
+  # NOTE: This option exists only to support migration of existing applications
+  # that already use Cloud Armor. New applications should NOT use this — use
+  # Fastly for WAF instead.
   #securityPolicy:
 
   # Optionally configures generated cookie affinity.

@@ -103,6 +103,9 @@ BackendConfig template helpers
   {{- range $host := $ingress.hosts -}}
     {{- range $path := $host.paths -}}
       {{- $backend := mergeOverwrite $defaults (default (dict) $path.backend.config) -}}
+      {{- if kindIs "string" $backend.securityPolicy -}}
+        {{- $_ := set $backend "securityPolicy" (dict "name" $backend.securityPolicy) -}}
+      {{- end -}}
       {{/* If a backend name is not specified, use the service name for the backend */}}
       {{- $params := mergeOverwrite $context (dict "backendConfig" $backend "ingressConfig" $ingress "backendService" $path.backend.service) -}}
       {{- if $name_override -}}

@@ -2,11 +2,11 @@ apiVersion: v2
 name: mozcloud
 description: Opinionated application chart used to deploy MozCloud Kubernetes 
   resources supporting resources
-version: 0.15.0
+version: 0.16.0
 type: application
 dependencies:
   - name: mozcloud-gateway-lib
-    version: 0.5.0
+    version: 0.6.0
     repository: file://../../mozcloud-gateway/library
   - name: mozcloud-ingress-lib
     version: 0.7.0

@@ -1,6 +1,6 @@
 # mozcloud
 
-![Version: 0.15.0](https://img.shields.io/badge/Version-0.15.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.16.0](https://img.shields.io/badge/Version-0.16.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 Opinionated application chart used to deploy MozCloud Kubernetes resources supporting resources
 
@@ -19,7 +19,7 @@ version: 0.1.0
 type: application
 dependencies:
   - name: mozcloud
-    version: ~0.15.0
+    version: ~0.16.0
     repository: oci://us-west1-docker.pkg.dev/moz-fx-platform-artifacts/mozcloud-charts
 ```
 
@@ -34,7 +34,7 @@ Next, update your tenant's values. Shared charts are meant to be self-documented
 
 | Repository | Name | Version |
 |------------|------|---------|
-| file://../../mozcloud-gateway/library | mozcloud-gateway-lib | 0.5.0 |
+| file://../../mozcloud-gateway/library | mozcloud-gateway-lib | 0.6.0 |
 | file://../../mozcloud-ingress/library | mozcloud-ingress-lib | 0.7.0 |
 | file://../../mozcloud-labels/library | mozcloud-labels-lib | 0.3.16 |
 

@@ -93,6 +93,9 @@ backends:
       {{- if ($hostConfig.options).timeoutSec }}
       timeoutSec: {{ $hostConfig.options.timeoutSec | int }}
       {{- end }}
+      {{- if ($hostConfig.options).securityPolicy }}
+      securityPolicy: {{ $hostConfig.options.securityPolicy }}
+      {{- end }}
     healthCheck:
       {{- if (($hostConfig.options).healthCheck).host }}
       host: {{ $hostConfig.options.healthCheck.host }}

@@ -39,6 +39,8 @@ tests:
       - equal:
           path: spec.targetRef.name
           value: test-service
+      - notExists:
+          path: spec.default.securityPolicy
   - it: External gateway is configured correctly
     template: gateway/gateway.yaml
     documentSelector:

@@ -0,0 +1,26 @@
+---
+suite: "mozcloud: Security policy configuration"
+release:
+  name: mozcloud-test
+  namespace: mozcloud-test-dev
+chart:
+  version: 1.0.0
+values:
+  - values/globals.yaml
+  - values/security-policy-configuration.yaml
+templates:
+  - gateway/backend.yaml
+  - gke/backend.yaml
+tests:
+  - it: Ensure no failures occur
+    asserts:
+      - notFailedTemplate: {}
+  - it: GCP backend policy includes securityPolicy
+    template: gke/backend.yaml
+    documentSelector:
+      path: $[?(@.kind == "GCPBackendPolicy")].metadata.name
+      value: test-service
+    asserts:
+      - equal:
+          path: spec.default.securityPolicy
+          value: my-app-cloud-armor-policy
@@ -0,0 +1,15 @@
+---
+workloads:
+  test-service:
+    component: web
+    containers:
+      app:
+        image:
+          repository: test-repo/test-image
+          tag: 1.0.0
+    hosts:
+      test-service:
+        domains:
+          - test-service.dev.test-domain.com
+        options:
+          securityPolicy: my-app-cloud-armor-policy
@@ -858,6 +858,10 @@
                       ],
                       "default": 10
                     },
+                    "securityPolicy": {
+                      "type": "string",
+                      "description": "Cloud Armor security policy name to attach to the load balancer backend. For migration of existing applications only — new applications should use Fastly for WAF instead."
+                    },
                     "timeoutSec": {
                       "type": "integer",
                       "minimum": 0,