diff --git a/charts/mini-testing/.helmignore b/charts/mini-testing/.helmignore
new file mode 100644
index 0000000..691fa13
--- /dev/null
+++ b/charts/mini-testing/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
\ No newline at end of file
diff --git a/charts/mini-testing/CHANGELOG.md b/charts/mini-testing/CHANGELOG.md
new file mode 100644
index 0000000..825c32f
--- /dev/null
+++ b/charts/mini-testing/CHANGELOG.md
@@ -0,0 +1 @@
+# Changelog
diff --git a/charts/mini-testing/Chart.yaml b/charts/mini-testing/Chart.yaml
new file mode 100644
index 0000000..a5ea046
--- /dev/null
+++ b/charts/mini-testing/Chart.yaml
@@ -0,0 +1,18 @@
+apiVersion: v2
+name: akto-mini-testing
+description: Helm chart for installing Akto
+type: application
+version: 1.41.18
+appVersion: "1.41.18"
+home: https://www.akto.io
+icon: https://akto-setup.s3.amazonaws.com/templates/128x128.png
+sources:
+ - https://github.com/akto-api-security/helm-charts/tree/master/charts/mini-testing
+keywords:
+ - akto
+ - api
+ - api security
+ - dast
+maintainers:
+ - name: Ankush Jain
+ email: ankush@akto.io
diff --git a/charts/mini-testing/README.md b/charts/mini-testing/README.md
new file mode 100644
index 0000000..10ddc5e
--- /dev/null
+++ b/charts/mini-testing/README.md
@@ -0,0 +1,33 @@
+# Akto setup
+
+You can install Akto via Helm charts.
+
+## Resources
+Akto's Helm chart repo is on GitHub [here](https://github.com/akto-api-security/helm-charts).
+You can also find Akto on Helm.sh [here](https://artifacthub.io/packages/helm/akto/akto-hybrid-redact).
+
+## Prerequisites
+Please ensure you have the following -
+1. A Kubernetes cluster where you have deploy permissions
+2. `helm` command installed. Check [here](https://helm.sh/docs/intro/install/)
+
+## Steps
+Here are the steps to install Akto via Helm charts -
+
+### Collect the env variables needed to install hybrid-redact mini-runtime
+
+1. AKTO_TOKEN : You'll find this token in akto saas dashboard under quick start > hybrid saas . To see the complete docs, visit https://docs.akto.io/traffic-connections/traffic-data-sources/hybrid-saas .
+2. PROXY_URI, NO_PROXY_URLS: Proxy variables to be used if internet connectivity is behind a proxy, skip these variables.
+
+### Install Akto via Helm
+
+1. Add Akto repo
+ ```helm repo add akto https://akto-api-security.github.io/helm-charts```
+2. Install Akto via helm
+ ```bash
+ helm install akto-mini-testing akto/akto-mini-testing -n \
+ --set tokens.env.databaseAbstractorToken="" \
+ --set tokens.env.proxyUri="" \
+ --set tokens.env.noProxy=""
+ ```
+3. Run `kubectl get pods -n ` and verify you can see 2 pods
diff --git a/charts/mini-testing/templates/NOTES.txt b/charts/mini-testing/templates/NOTES.txt
new file mode 100644
index 0000000..6f54f18
--- /dev/null
+++ b/charts/mini-testing/templates/NOTES.txt
@@ -0,0 +1,8 @@
+Thank you for installing {{ .Chart.Name }}.
+
+Your release is named {{ .Release.Name }}.
+
+To learn more about the release, try:
+
+ $ helm status {{ .Release.Name }}
+ $ helm get all {{ .Release.Name }}
diff --git a/charts/mini-testing/templates/_helpers.tpl b/charts/mini-testing/templates/_helpers.tpl
new file mode 100644
index 0000000..7b23748
--- /dev/null
+++ b/charts/mini-testing/templates/_helpers.tpl
@@ -0,0 +1,61 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "akto.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "akto.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "akto.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "akto.labels" -}}
+helm.sh/chart: {{ include "akto.chart" . }}
+{{ include "akto.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "akto.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "akto.name" . }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "akto.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "akto.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/charts/mini-testing/templates/deployment.yaml b/charts/mini-testing/templates/deployment.yaml
new file mode 100644
index 0000000..5409b19
--- /dev/null
+++ b/charts/mini-testing/templates/deployment.yaml
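Review bot: The `akto.serviceAccountName` helper at the end of templates/_helpers.tpl reads `.Values.serviceAccount.create` and `.Values.serviceAccount.name`, but the values.yaml added in this commit defines no top-level `serviceAccount` key (only `keel.serviceAccount.annotations`), and none of the templates in this diff include the helper. If it were included as written, the lookup on the missing map would most likely fail at render time, and its `else` branch falls back to the namespace's `default` service account. Either drop the helper or point it at the key the chart really defines, and let deployment.yaml and serviceaccount.yaml take the name from it instead of each building `{{ include "akto.fullname" . }}-keel` by hand.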
@@ -0,0 +1,142 @@
+{{ if .Values.keel.keel.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "akto.fullname" . }}-keel
+ labels:
+ app: keel
+ {{- include "akto.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.keel.replicas }}
+ selector:
+ matchLabels:
+ app: {{ include "akto.fullname" . }}-keel
+ {{- include "akto.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ app: {{ include "akto.fullname" . }}-keel
+ {{- include "akto.selectorLabels" . | nindent 8 }}
+ spec:
+ containers:
+ - command:
+ - /bin/keel
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: AWS_ACCESS_KEY_ID
+ value: {{ quote .Values.keel.keel.env.awsAccessKeyId }}
+ - name: AWS_SECRET_ACCESS_KEY
+ value: {{ quote .Values.keel.keel.env.awsSecretAccessKey }}
+ - name: AWS_REGION
+ value: {{ quote .Values.keel.keel.env.awsRegion }}
+ - name: WEBHOOK_ENDPOINT
+ value: {{ quote .Values.keel.keel.env.webhookEndpoint }}
+ - name: MATTERMOST_ENDPOINT
+ value: {{ quote .Values.keel.keel.env.mattermostEndpoint }}
+ - name: HIPCHAT_TOKEN
+ value: {{ quote .Values.keel.keel.env.hipchatToken }}
+ - name: HIPCHAT_CHANNELS
+ value: {{ quote .Values.keel.keel.env.hipchatChannels }}
+ - name: HIPCHAT_APPROVALS_CHANNEL
+ value: {{ quote .Values.keel.keel.env.hipchatApprovalsChannel }}
+ - name: HIPCHAT_APPROVALS_BOT_NAME
+ value: {{ quote .Values.keel.keel.env.hipchatApprovalsBotName }}
+ - name: HIPCHAT_APPROVALS_USER_NAME
+ value: {{ quote .Values.keel.keel.env.hipchatApprovalsUserName }}
+ - name: HIPCHAT_APPROVALS_PASSWORT
+ value: {{ quote .Values.keel.keel.env.hipchatApprovalsPasswort }}
+ - name: NOTIFICATION_LEVEL
+ value: {{ quote .Values.keel.keel.env.notificationLevel }}
+ - name: INSECURE_REGISTRY
+ value: {{ quote .Values.keel.keel.env.insecureRegistry }}
+ - name: KUBERNETES_CLUSTER_DOMAIN
+ value: {{ quote .Values.kubernetesClusterDomain }}
+ image: {{ .Values.keel.keel.image.repository }}:{{ .Values.keel.keel.image.tag
+ | default .Chart.AppVersion }}
+ imagePullPolicy: {{ .Values.keel.keel.imagePullPolicy }}
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 9300
+ initialDelaySeconds: 30
+ timeoutSeconds: 10
+ name: keel
+ ports:
+ - containerPort: 9300
+ resources: {{- toYaml .Values.keel.keel.resources | nindent 10 }}
+ serviceAccountName: {{ include "akto.fullname" . }}-keel
+{{ end }}
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "akto.fullname" . }}-core
+ {{ if .Values.keel.keel.enabled }}
+ annotations:
+ keel.sh/policy: force
+ keel.sh/trigger: poll
+ keel.sh/match-tag: "true"
+ keel.sh/pollSchedule: "@every 60m"
+ {{ end }}
+ labels:
+ {{- include "akto.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.testing.replicas }}
+ selector:
+ matchLabels:
+ app: {{ include "akto.fullname" . }}-core
+ {{- include "akto.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ app: {{ include "akto.fullname" . }}-core
+ {{- include "akto.selectorLabels" . | nindent 8 }}
+ spec:
+ containers:
+ - env:
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: AKTO_ACCOUNT_NAME
+ value: {{ quote .Values.testing.aktoApiSecurityTesting.env.aktoAccountName }}
+ - name: IS_KUBERNETES
+ value: "true"
+ - name: RUNTIME_MODE
+ value: "hybrid"
+ - name: AKTO_CONFIG_NAME
+ value: {{ quote .Values.testing.aktoApiSecurityTesting.env.aktoConfigName }}
+ - name: DATABASE_ABSTRACTOR_SERVICE_URL
+ value: {{ quote .Values.testing.aktoApiSecurityTesting.env.databaseAbstractorUrl}}
+ - name: DATABASE_ABSTRACTOR_SERVICE_TOKEN
+ value: {{ quote .Values.tokens.env.databaseAbstractorToken}}
+ - name: POSTGRES_URL
+ value: {{ quote .Values.tokens.env.postgresUrl}}
+ - name: POSTGRES_USER
+ value: {{ quote .Values.tokens.env.postgresUser}}
+ - name: POSTGRES_PASSWORD
+ value: {{ quote .Values.tokens.env.postgresPassword}}
+ - name: PROXY_URI
+ value: {{ quote .Values.tokens.env.proxyUri}}
+ - name: NO_PROXY
+ value: {{ quote .Values.tokens.env.noProxy}}
+ - name: PUPPETEER_REPLAY_SERVICE_URL
+ value: {{ quote .Values.testing.aktoApiSecurityTesting.env.puppeteerReplayServiceUrl
+ }}
+ - name: KUBERNETES_CLUSTER_DOMAIN
+ value: {{ quote .Values.kubernetesClusterDomain }}
+ image: {{ .Values.testing.aktoApiSecurityTesting.image.repository }}:{{ .Values.testing.aktoApiSecurityTesting.image.tag
+ | default .Chart.AppVersion }}
+ name: akto-api-security-testing
+ resources: {{- toYaml .Values.testing.aktoApiSecurityTesting.resources | nindent 10 }}
+ - name: akto-api-security-puppeteer-replay
+ image: {{ .Values.testing.aktoApiSecurityPuppeteerReplay.image.repository }}:{{ .Values.testing.aktoApiSecurityPuppeteerReplay.image.tag | default .Chart.AppVersion }}
+ imagePullPolicy: {{ .Values.testing.aktoApiSecurityPuppeteerReplay.imagePullPolicy }}
+ ports:
+ - containerPort: 3000
+ resources: {{- toYaml .Values.testing.aktoApiSecurityPuppeteerReplay.resources | nindent 10 }}
+ restartPolicy: Always
\ No newline at end of file
diff --git a/charts/mini-testing/templates/keel-rbac-binding.yaml b/charts/mini-testing/templates/keel-rbac-binding.yaml
new file mode 100644
index 0000000..67bf45f
--- /dev/null
+++ b/charts/mini-testing/templates/keel-rbac-binding.yaml
@@ -0,0 +1,16 @@
+{{ if .Values.keel.keel.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "akto.fullname" . }}-keel
+ labels:
+ {{- include "akto.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: '{{ include "akto.fullname" . }}-keel'
+subjects:
+- kind: ServiceAccount
+ name: '{{ include "akto.fullname" . }}-keel'
+ namespace: '{{ .Release.Namespace }}'
+{{ end }}
\ No newline at end of file
diff --git a/charts/mini-testing/templates/keel-rbac.yaml b/charts/mini-testing/templates/keel-rbac.yaml
new file mode 100644
index 0000000..2434767
--- /dev/null
+++ b/charts/mini-testing/templates/keel-rbac.yaml
@@ -0,0 +1,53 @@
+{{ if .Values.keel.keel.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "akto.fullname" . }}-keel
+ labels:
+ {{- include "akto.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - watch
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - watch
+ - list
+- apiGroups:
+ - ""
+ - extensions
+ - apps
+ - batch
+ resources:
+ - pods
+ - replicasets
+ - replicationcontrollers
+ - statefulsets
+ - deployments
+ - daemonsets
+ - jobs
+ - cronjobs
+ verbs:
+ - get
+ - delete
+ - watch
+ - list
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - pods/portforward
+ verbs:
+ - get
+ - create
+ - update
+{{ end }}
\ No newline at end of file
diff --git a/charts/mini-testing/templates/keel.yaml b/charts/mini-testing/templates/keel.yaml
new file mode 100644
index 0000000..a563cbf
--- /dev/null
+++ b/charts/mini-testing/templates/keel.yaml
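Review bot: In templates/deployment.yaml the credentials are rendered as literal `value:` strings in the pod spec: `AWS_SECRET_ACCESS_KEY`, `HIPCHAT_TOKEN` and `HIPCHAT_APPROVALS_PASSWORT` on the keel container, `DATABASE_ABSTRACTOR_SERVICE_TOKEN` and `POSTGRES_PASSWORD` on akto-api-security-testing. Anyone allowed to read Deployments or pods in the namespace then sees them in clear text, and access to them cannot be narrowed with Secret-level RBAC or handled by an external secret manager. Move them into a Secret (created by the chart, or supplied by the operator through an existing-secret value) and reference it with `secretKeyRef`, as sketched below for two of the entries. The Secret name in the sketch is a constructed placeholder, since no Secret template is part of this commit.

```yaml
        # … unchanged: MY_POD_NAMESPACE through DATABASE_ABSTRACTOR_SERVICE_URL …
        - name: DATABASE_ABSTRACTOR_SERVICE_TOKEN
          valueFrom:
            secretKeyRef:
              # constructed placeholder name; the chart must create or accept this Secret
              name: {{ include "akto.fullname" . }}-tokens
              key: databaseAbstractorToken
        # … unchanged: POSTGRES_URL, POSTGRES_USER …
        - name: POSTGRES_PASSWORD
          valueFrom:
            secretKeyRef:
              name: {{ include "akto.fullname" . }}-tokens
              key: postgresPassword
        # … unchanged: PROXY_URI onwards …
```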
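Review bot: The ClusterRoleBinding in templates/keel-rbac-binding.yaml attaches the ClusterRole from templates/keel-rbac.yaml to the keel service account cluster-wide, which lets that one pod `get`/`watch`/`list` every Secret in every namespace and `delete`/`update` pods, deployments, statefulsets, daemonsets, jobs and cronjobs across the cluster. The only workload this chart annotates for Keel is its own `-core` Deployment, so the grant is far wider than the chart's use of it. Where Keel can be limited to the release namespace, use `kind: Role` and `kind: RoleBinding` with `namespace: '{{ .Release.Namespace }}'` instead, and keep the `secrets` rule only if Keel really has to read private-registry pull secrets. At minimum, add a comment above the `secrets` and `delete` rules stating why each is required.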
@@ -0,0 +1,16 @@
+{{ if .Values.keel.keel.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "akto.fullname" . }}-keel
+ labels:
+ app: keel
+ {{- include "akto.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.keel.type }}
+ selector:
+ app: {{ include "akto.fullname" . }}-keel
+ {{- include "akto.selectorLabels" . | nindent 4 }}
+ ports:
+ {{- .Values.keel.ports | toYaml | nindent 2 -}}
+{{ end }}
\ No newline at end of file
diff --git a/charts/mini-testing/templates/serviceaccount.yaml b/charts/mini-testing/templates/serviceaccount.yaml
new file mode 100644
index 0000000..66c258a
--- /dev/null
+++ b/charts/mini-testing/templates/serviceaccount.yaml
@@ -0,0 +1,11 @@
+{{ if .Values.keel.keel.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "akto.fullname" . }}-keel
+ labels:
+ app: {{ include "akto.fullname" . }}-keel
+ {{- include "akto.labels" . | nindent 4 }}
+ annotations:
+ {{- toYaml .Values.keel.serviceAccount.annotations | nindent 4 }}
+{{ end }}
\ No newline at end of file
diff --git a/charts/mini-testing/values.yaml b/charts/mini-testing/values.yaml
new file mode 100644
index 0000000..33e98f6
--- /dev/null
+++ b/charts/mini-testing/values.yaml
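Review bot: `type: {{ .Values.keel.type }}` in templates/keel.yaml takes the Service type straight from values, and values.yaml defaults it to `LoadBalancer`, so a default install publishes Keel's port 9300 outside the cluster. Nothing in this Service restricts who can reach it: there is no `loadBalancerSourceRanges` and no way to pass annotations for an internal load balancer. The `-core` Deployment is annotated with `keel.sh/trigger: poll`, so no inbound webhook appears to be needed. Falling back to an internal Service, `type: {{ .Values.keel.type | default "ClusterIP" }}`, and changing the values.yaml default to match would keep the endpoint private unless an operator opts in.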
@@ -0,0 +1,79 @@
+tokens:
+ env:
+ databaseAbstractorToken: ""
+ postgresUrl: ""
+ postgresUser: "postgres"
+ postgresPassword: "securePassword"
+ proxyUri: ""
+ noProxy: ""
+
+testing:
+ aktoApiSecurityTesting:
+ env:
+ aktoAccountName: Helios
+ aktoConfigName: staging
+ puppeteerReplayServiceUrl: http://localhost:3000
+ databaseAbstractorUrl: https://cyborg.akto.io
+ image:
+ repository: public.ecr.aws/aktosecurity/akto-api-security-mini-testing
+ tag: latest
+ resources:
+ requests:
+ cpu: "200m"
+ memory: "500Mi"
+ limits:
+ cpu: 2
+ memory: "8Gi"
+ aktoApiSecurityPuppeteerReplay:
+ image:
+ repository: aktosecurity/akto-puppeteer-replay
+ tag: latest
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ cpu: 1
+ memory: "2Gi"
+ limits:
+ cpu: 1
+ memory: "4Gi"
+ replicas: 1
+
+keel:
+ keel:
+ env:
+ awsAccessKeyId: ""
+ awsRegion: ""
+ awsSecretAccessKey: ""
+ hipchatApprovalsBotName: ""
+ hipchatApprovalsChannel: ""
+ hipchatApprovalsPasswort: ""
+ hipchatApprovalsUserName: ""
+ hipchatChannels: ""
+ hipchatToken: ""
+ insecureRegistry: "true"
+ mattermostEndpoint: ""
+ notificationLevel: info
+ webhookEndpoint: ""
+ image:
+ repository: keelhq/keel
+ tag: latest
+ imagePullPolicy: Always
+ resources:
+ limits:
+ cpu: 100m
+ memory: 128Mi
+ requests:
+ cpu: 50m
+ memory: 64Mi
+ enabled: true
+ maxUnavailable: 1
+ ports:
+ - name: keel
+ port: 9300
+ protocol: TCP
+ targetPort: 9300
+ replicas: 1
+ serviceAccount:
+ annotations: {}
+ type: LoadBalancer
+kubernetesClusterDomain: cluster.local
\ No newline at end of file
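Review bot: The defaults in values.yaml set `tag: latest` on all three images together with `keel.keel.enabled: true`, and deployment.yaml annotates the `-core` Deployment with `keel.sh/policy: force` and an hourly poll, so a default install redeploys whatever is pushed to those mutable tags with no pinning or approval step. `insecureRegistry: "true"` appears to relax registry TLS checks for Keel as well (confirm against Keel's documentation), which widens that supply-chain path further. Prefer shipping `enabled: false` and `insecureRegistry: "false"`, and pin each image to a version tag or digest. `postgresPassword: "securePassword"` is a shared default credential; an empty default, `postgresPassword: ""`, forces operators to supply their own.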