diff --git a/charts/akto-threat-client/.helmignore b/charts/akto-threat-client/.helmignore
new file mode 100644
index 0000000..691fa13
--- /dev/null
+++ b/charts/akto-threat-client/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
\ No newline at end of file
diff --git a/charts/akto-threat-client/Chart.yaml b/charts/akto-threat-client/Chart.yaml
new file mode 100644
index 0000000..37f84eb
--- /dev/null
+++ b/charts/akto-threat-client/Chart.yaml
@@ -0,0 +1,18 @@
+apiVersion: v2
+name: akto-threat-client
+description: Helm chart for installing Akto
+type: application
+version: 0.2.3
+appVersion: "0.2.3"
+home: https://www.akto.io
+icon: https://akto-setup.s3.amazonaws.com/templates/128x128.png
+sources:
+ - https://github.com/akto-api-security/helm-charts/tree/master/charts/threat-client
+keywords:
+ - akto
+ - api
+ - api security
+ - dast
+maintainers:
+ - name: Ankush Jain
+ email: ankush@akto.io
diff --git a/charts/akto-threat-client/README.md b/charts/akto-threat-client/README.md
new file mode 100644
index 0000000..9f3c84a
--- /dev/null
+++ b/charts/akto-threat-client/README.md
@@ -0,0 +1,63 @@
+# Akto setup
+
+You can install Akto via Helm charts.
+
+## Resources
+Akto's Helm chart repo is on GitHub [here](https://github.com/akto-api-security/helm-charts).
+You can also find Akto on Helm.sh [here](https://artifacthub.io/packages/helm/akto/akto).
+
+## Prerequisites
+Please ensure you have the following -
+1. A Kubernetes cluster where you have deploy permissions
+2. `helm` command installed. Check [here](https://helm.sh/docs/intro/install/)
+
+## Steps
+Here are the steps to install Akto via Helm charts -
+
+1. Prepare Mongo Connection string
+2. Install Akto via Helm
+3. Verify Installation and harden security
+
+### Create Mongo instance
+Akto Helm setup needs a Mongo connection string as input. It can come from either of the following -
+1. **Your own Mongo**
+ Ensure your machine where you setup Mongo is NOT exposed to public internet. It shouldn't have a public IP. You can setup Mongo by running the following commands.
+ ```
+ sudo yum update -y
+ sudo yum install -y docker
+ sudo dockerd&
+ docker run --name mongo --restart always -v ./data:/data/db -p 27017:27017 mongo
+ sudo systemctl enable /usr/lib/systemd/system/docker.service
+ ```
+ AWS EC2 Mongo
+
+ The connection string would then be `mongodb://:27017/admini`
+2. **Mongo Atlas**
+ You can use Mongo Atlas connection as well
+ 1. Go to `Database Deployments` page for your project
+ 2. Click on `Connect` button
+ 3. Choose `Connect your application` option
+ 4. Copy the connection string. It should look like `mongodb://....`
+ Mongo Atlas
+
+3. **AWS Document DB**
+ If you are on AWS, you can use AWS Document DB too. You can find the connection string on the Cluster page itself.
+ AWS DocDB
+
+Note: Please ensure your K8S cluster has connectivity to Mongo.
+
+### Install Akto via Helm
+
+1. Add Akto repo
+ ```helm repo add akto https://akto-api-security.github.io/helm-charts```
+2. Install Akto via helm
+ ```helm install akto akto/akto -n dev --set mongo.aktoMongoConn=""```
+3. Run `kubectl get pods -n ` and verify you can see 4 pods
+ Screenshot 2023-11-16 at 10 08 23 AM
+
+### Verify Installation and harden security
+
+1. Run the following to get Akto dashboard url
+ ```kubectl get services/akto-dashboard -n dev | awk -F " " '{print $4;}'```
+2. Open Akto dashboard on port 8080. eg `http://a54b36c1f4asdaasdfbd06a259de2-acf687643f6fe4eb.elb.ap-south-1.amazonaws.com:8080/`
+3. For good security measures, you should enable HTTPS by adding a certificate and put it behind a VPN. If you are on AWS, follow the guide [here](https://docs.akto.io/getting-started/aws-ssl).
\ No newline at end of file
diff --git a/charts/akto-threat-client/templates/NOTES.txt b/charts/akto-threat-client/templates/NOTES.txt
new file mode 100644
index 0000000..6f54f18
--- /dev/null
+++ b/charts/akto-threat-client/templates/NOTES.txt
@@ -0,0 +1,8 @@
+Thank you for installing {{ .Chart.Name }}.
+
+Your release is named {{ .Release.Name }}.
+
+To learn more about the release, try:
+
+ $ helm status {{ .Release.Name }}
+ $ helm get all {{ .Release.Name }}
diff --git a/charts/akto-threat-client/templates/_helpers.tpl b/charts/akto-threat-client/templates/_helpers.tpl
new file mode 100644
index 0000000..7b23748
--- /dev/null
+++ b/charts/akto-threat-client/templates/_helpers.tpl
@@ -0,0 +1,61 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "akto.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "akto.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "akto.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "akto.labels" -}}
+helm.sh/chart: {{ include "akto.chart" . }}
+{{ include "akto.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "akto.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "akto.name" . }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "akto.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "akto.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/charts/akto-threat-client/templates/deployment.yaml b/charts/akto-threat-client/templates/deployment.yaml
new file mode 100644
index 0000000..1c88fcb
--- /dev/null
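Review bot: `akto.serviceAccountName` dereferences `.Values.serviceAccount.create` and `.Values.serviceAccount.name`, but values.yaml in this commit only defines `serviceAccount` under `keel`, so any template that includes this helper fails to render with a nil-pointer error on `.Values.serviceAccount`; none of the templates in this commit call it, so it is dead code today and a trap for the next one that does. Either remove the helper or add a top-level `serviceAccount:` block with `create: false` and `name: ""` to values.yaml so it renders safely. `akto.selectorLabels` also omits the conventional `app.kubernetes.io/instance: {{ .Release.Name }}` label; the release-specific `app:` label derived from `akto.fullname` is what currently keeps two releases' selectors apart, which is worth a comment above the define.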
+++ b/charts/akto-threat-client/templates/deployment.yaml
@@ -0,0 +1,207 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "akto.fullname" . }}-threat-client
+ {{ if .Values.keel.keel.enabled }}
+ annotations:
+ keel.sh/policy: force
+ keel.sh/trigger: poll
+ keel.sh/pollSchedule: "@every 60m"
+ {{ end }}
+ labels:
+ {{- include "akto.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.threat_client.replicas }}
+ selector:
+ matchLabels:
+ app: {{ include "akto.fullname" . }}-threat-client
+ {{- include "akto.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ app: {{ include "akto.fullname" . }}-threat-client
+ {{- include "akto.selectorLabels" . | nindent 8 }}
+ spec:
+ containers:
+ - env:
+ - name: RUNTIME_MODE
+ value: "hybrid"
+ - name: AKTO_THREAT_DETECTION_POSTGRES
+ value: {{ quote .Values.threat_client.aktoApiSecurityThreatClient.env.postgresUrl }}
+ - name: AKTO_THREAT_DETECTION_POSTGRES_USER
+ value: {{ quote .Values.threat_client.aktoApiSecurityThreatClient.env.postgresUser }}
+ - name: AKTO_THREAT_DETECTION_POSTGRES_PASSWORD
+ value: {{ quote .Values.threat_client.aktoApiSecurityThreatClient.env.postgresPassword
+ }}
+ - name: AKTO_TRAFFIC_KAFKA_BOOTSTRAP_SERVER
+ value: {{ quote .Values.threat_client.aktoApiSecurityThreatClient.env.aktoKafkaTrafficBrokerUrl
+ }}
+ - name: AKTO_INTERNAL_KAFKA_BOOTSTRAP_SERVER
+ value: {{ quote .Values.threat_client.aktoApiSecurityThreatClient.env.aktoKafkaBrokerUrl
+ }}
+ - name: AKTO_THREAT_DETECTION_LOCAL_REDIS_URI
+ value: "redis://{{ include "akto.fullname" . }}-redis:6379"
+
+ - name: AKTO_THREAT_PROTECTION_BACKEND_TOKEN
+ value: {{ quote .Values.threat_client.aktoApiSecurityThreatClient.env.backendToken
+ }}
+ - name: DATABASE_ABSTRACTOR_SERVICE_TOKEN
+ value: {{ quote .Values.threat_client.aktoApiSecurityThreatClient.env.backendToken
+ }}
+ - name: AKTO_MONGO_CONN
+ value: {{ quote .Values.threat_client.aktoApiSecurityThreatClient.env.mongoUrl
+ }}
+ - name: AKTO_LOG_LEVEL
+ value: {{ quote .Values.threat_client.aktoApiSecurityThreatClient.env.aktoLogLevel }}
+ - name: AKTO_THREAT_PROTECTION_BACKEND_URL
+ value: {{ quote .Values.threat_client.aktoApiSecurityThreatClient.env.backendUrl }}
+ - name: KUBERNETES_CLUSTER_DOMAIN
+ value: {{ quote .Values.kubernetesClusterDomain }}
+ image: {{ .Values.threat_client.aktoApiSecurityThreatClient.image.repository }}:{{ .Values.threat_client.aktoApiSecurityThreatClient.image.tag
+ | default .Chart.AppVersion }}
+ imagePullPolicy: {{ .Values.threat_client.aktoApiSecurityThreatClient.imagePullPolicy }}
+ name: akto-api-security-threat-client
+ resources: {{- toYaml .Values.threat_client.aktoApiSecurityThreatClient.resources | nindent 10 }}
+ - env:
+ - name: ZOOKEEPER_CLIENT_PORT
+ value: {{ quote .Values.threat_client.zoo1.env.zookeeperClientPort }}
+ - name: ZOOKEEPER_SERVERS
+ value: {{ quote .Values.threat_client.zoo1.env.zookeeperServers }}
+ - name: ZOOKEEPER_SERVER_ID
+ value: {{ quote .Values.threat_client.zoo1.env.zookeeperServerId }}
+ - name: KAFKA_OPTS
+ value: {{ quote .Values.threat_client.zoo1.env.kafkaOpts }}
+ - name: KUBERNETES_CLUSTER_DOMAIN
+ value: {{ quote .Values.kubernetesClusterDomain }}
+ image: {{ .Values.threat_client.zoo1.image.repository }}:{{ .Values.threat_client.zoo1.image.tag
+ | default .Chart.AppVersion }}
+ name: zoo1
+ ports:
+ - containerPort: 2181
+ resources: {{- toYaml .Values.threat_client.zoo1.resources | nindent 10 }}
+ - env:
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: KAFKA_ADVERTISED_LISTENERS
+ {{- if .Values.threat_client.kafka1.env.kafkaAdvertisedListeners }}
+ value: {{ quote .Values.threat_client.kafka1.env.kafkaAdvertisedListeners }}
+ {{- else}}
+ value: "LISTENER_DOCKER_EXTERNAL_LOCALHOST://localhost:29092, LISTENER_DOCKER_EXTERNAL_DIFFHOST://{{.Release.Name}}-threat-client.{{.Release.Namespace}}.svc.cluster.local:9092"
+ {{- end }}
+ - name: KAFKA_BROKER_ID
+ value: {{ quote .Values.threat_client.kafka1.env.kafkaBrokerId }}
+ - name: KAFKA_CLEANUP_POLICY
+ value: {{ quote .Values.threat_client.kafka1.env.kafkaCleanupPolicy }}
+ - name: KAFKA_CREATE_TOPICS
+ value: {{ quote .Values.threat_client.kafka1.env.kafkaCreateTopics }}
+ - name: KAFKA_INTER_BROKER_LISTENER_NAME
+ value: {{ quote .Values.threat_client.kafka1.env.kafkaInterBrokerListenerName }}
+ - name: KAFKA_LISTENER_SECURITY_PROTOCOL_MAP
+ value: {{ quote .Values.threat_client.kafka1.env.kafkaListenerSecurityProtocolMap }}
+ - name: KAFKA_LOG_CLEANER_ENABLE
+ value: {{ quote .Values.threat_client.kafka1.env.kafkaLogCleanerEnable }}
+ - name: KAFKA_LOG_RETENTION_BYTES
+ value: {{ quote .Values.threat_client.kafka1.env.kafkaLogRetentionBytes }}
+ - name: KAFKA_LOG_RETENTION_CHECK_INTERVAL_MS
+ value: {{ quote .Values.threat_client.kafka1.env.kafkaLogRetentionCheckIntervalMs }}
+ - name: KAFKA_LOG_RETENTION_HOURS
+ value: {{ quote .Values.threat_client.kafka1.env.kafkaLogRetentionHours }}
+ - name: KAFKA_LOG_SEGMENT_BYTES
+ value: {{ quote .Values.threat_client.kafka1.env.kafkaLogSegmentBytes }}
+ - name: KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR
+ value: {{ quote .Values.threat_client.kafka1.env.kafkaOffsetsTopicReplicationFactor
+ }}
+ - name: KAFKA_TRANSACTION_STATE_LOG_MIN_ISR
+ value: {{ quote .Values.threat_client.kafka1.env.kafkaTransactionStateLogMinIsr }}
+ - name: KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR
+ value: {{ quote .Values.threat_client.kafka1.env.kafkaTransactionStateLogReplicationFactor
+ }}
+ - name: KAFKA_ZOOKEEPER_CONNECT
+ value: {{ quote .Values.threat_client.kafka1.env.kafkaZookeeperConnect }}
+ - name: KUBERNETES_CLUSTER_DOMAIN
+ value: {{ quote .Values.kubernetesClusterDomain }}
+ image: {{ .Values.threat_client.kafka1.image.repository }}:{{ .Values.threat_client.kafka1.image.tag
+ | default .Chart.AppVersion }}
+ name: kafka1
+ ports:
+ - containerPort: 9092
+ - containerPort: 19092
+ - containerPort: 29092
+ - containerPort: 9999
+ resources: {{- toYaml .Values.threat_client.kafka1.resources | nindent 10 }}
+ restartPolicy: Always
+
+---
+{{ if .Values.keel.keel.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "akto.fullname" . }}-keel
+ labels:
+ app: keel
+ {{- include "akto.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.keel.replicas }}
+ selector:
+ matchLabels:
+ app: {{ include "akto.fullname" . }}-keel
+ {{- include "akto.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ app: {{ include "akto.fullname" . }}-keel
+ {{- include "akto.selectorLabels" . | nindent 8 }}
+ spec:
+ containers:
+ - command:
+ - /bin/keel
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: AWS_ACCESS_KEY_ID
+ value: {{ quote .Values.keel.keel.env.awsAccessKeyId }}
+ - name: AWS_SECRET_ACCESS_KEY
+ value: {{ quote .Values.keel.keel.env.awsSecretAccessKey }}
+ - name: AWS_REGION
+ value: {{ quote .Values.keel.keel.env.awsRegion }}
+ - name: WEBHOOK_ENDPOINT
+ value: {{ quote .Values.keel.keel.env.webhookEndpoint }}
+ - name: MATTERMOST_ENDPOINT
+ value: {{ quote .Values.keel.keel.env.mattermostEndpoint }}
+ - name: HIPCHAT_TOKEN
+ value: {{ quote .Values.keel.keel.env.hipchatToken }}
+ - name: HIPCHAT_CHANNELS
+ value: {{ quote .Values.keel.keel.env.hipchatChannels }}
+ - name: HIPCHAT_APPROVALS_CHANNEL
+ value: {{ quote .Values.keel.keel.env.hipchatApprovalsChannel }}
+ - name: HIPCHAT_APPROVALS_BOT_NAME
+ value: {{ quote .Values.keel.keel.env.hipchatApprovalsBotName }}
+ - name: HIPCHAT_APPROVALS_USER_NAME
+ value: {{ quote .Values.keel.keel.env.hipchatApprovalsUserName }}
+ - name: HIPCHAT_APPROVALS_PASSWORT
+ value: {{ quote .Values.keel.keel.env.hipchatApprovalsPasswort }}
+ - name: NOTIFICATION_LEVEL
+ value: {{ quote .Values.keel.keel.env.notificationLevel }}
+ - name: INSECURE_REGISTRY
+ value: {{ quote .Values.keel.keel.env.insecureRegistry }}
+ - name: KUBERNETES_CLUSTER_DOMAIN
+ value: {{ quote .Values.kubernetesClusterDomain }}
+ image: {{ .Values.keel.keel.image.repository }}:{{ .Values.keel.keel.image.tag
+ | default .Chart.AppVersion }}
+ imagePullPolicy: {{ .Values.keel.keel.imagePullPolicy }}
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 9300
+ initialDelaySeconds: 30
+ timeoutSeconds: 10
+ name: keel
+ ports:
+ - containerPort: 9300
+ resources: {{- toYaml .Values.keel.keel.resources | nindent 10 }}
+ serviceAccountName: {{ include "akto.fullname" . }}-keel
+{{ end }}
\ No newline at end of file
diff --git a/charts/akto-threat-client/templates/hpa.yaml b/charts/akto-threat-client/templates/hpa.yaml
new file mode 100644
index 0000000..b2ea7e5
--- /dev/null
+++ b/charts/akto-threat-client/templates/hpa.yaml
@@ -0,0 +1,14 @@
+apiVersion: autoscaling/v1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "akto.fullname" . }}-threat-client
+ labels:
+ {{- include "akto.labels" . | nindent 4 }}
+spec:
+ maxReplicas: 2
+ minReplicas: 1
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "akto.fullname" . }}-threat-client
+ targetCPUUtilizationPercentage: 80
\ No newline at end of file
diff --git a/charts/akto-threat-client/templates/keel-rbac-binding.yaml b/charts/akto-threat-client/templates/keel-rbac-binding.yaml
new file mode 100644
index 0000000..67bf45f
--- /dev/null
+++ b/charts/akto-threat-client/templates/keel-rbac-binding.yaml
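Review bot: The credentials this pod needs — `AKTO_THREAT_DETECTION_POSTGRES_PASSWORD`, `AKTO_THREAT_PROTECTION_BACKEND_TOKEN`, `DATABASE_ABSTRACTOR_SERVICE_TOKEN`, `AKTO_MONGO_CONN` and, in the Keel Deployment below, `AWS_SECRET_ACCESS_KEY` — are rendered as literal `value:` strings, so anyone who can `get` or `describe` the Deployment or Pod reads them, and they land in plain text in every rendered manifest and GitOps diff; mini-runtime/templates/deployment.yaml in this commit injects the same two tokens the same way. Carrying them in a chart-managed Secret (not part of this commit) and referencing them with `valueFrom.secretKeyRef` keeps them behind the `secrets` RBAC verb, as sketched below for two of the entries. Separately, the `KAFKA_ADVERTISED_LISTENERS` fallback advertises `{{.Release.Name}}-threat-client.{{.Release.Namespace}}.svc.cluster.local`, but the Service in threat-client.yaml is named `{{ include "akto.fullname" . }}-threat-client` — the two differ whenever the release name does not contain the chart name — and the domain is hard-coded although `.Values.kubernetesClusterDomain` exists, so the fallback should be `LISTENER_DOCKER_EXTERNAL_DIFFHOST://{{ include "akto.fullname" . }}-threat-client.{{ .Release.Namespace }}.svc.{{ .Values.kubernetesClusterDomain }}:9092`. The Keel container also runs values.yaml's `tag: latest` with `keel.sh/policy: force` and `imagePullPolicy: Always`, so the component that updates the other images is itself unpinned.
```yaml
        - name: AKTO_THREAT_DETECTION_POSTGRES_PASSWORD
          valueFrom:
            secretKeyRef:
              name: {{ include "akto.fullname" . }}-threat-client   # Secret template to be added (constructed name)
              key: postgresPassword
        # … unchanged: Kafka bootstrap and Redis URI env entries …
        - name: AKTO_THREAT_PROTECTION_BACKEND_TOKEN
          valueFrom:
            secretKeyRef:
              name: {{ include "akto.fullname" . }}-threat-client
              key: backendToken
        # … unchanged: remaining env entries, image, resources; zoo1, kafka1 and keel containers …
```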
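Review bot: The HPA targets the `-threat-client` Deployment, but that pod bundles the single-node `zoo1` and `kafka1` containers whose `ZOOKEEPER_SERVER_ID` and `KAFKA_BROKER_ID` default to "1", so scaling to `maxReplicas: 2` creates a second, independent ZooKeeper and Kafka broker with the same ids behind the same Service rather than a second consumer of one broker. The Deployment also hard-sets `replicas: {{ .Values.threat_client.replicas }}`, which every `helm upgrade` reapplies and which then fights the HPA's chosen replica count. Either leave hpa.yaml out until the broker is split out of the pod, or gate it behind a value that defaults to off (e.g. `{{- if .Values.threat_client.autoscaling.enabled }}`, a constructed key) and omit `replicas` from the Deployment when it is on.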
@@ -0,0 +1,16 @@
+{{ if .Values.keel.keel.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "akto.fullname" . }}-keel
+ labels:
+ {{- include "akto.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: '{{ include "akto.fullname" . }}-keel'
+subjects:
+- kind: ServiceAccount
+ name: '{{ include "akto.fullname" . }}-keel'
+ namespace: '{{ .Release.Namespace }}'
+{{ end }}
\ No newline at end of file
diff --git a/charts/akto-threat-client/templates/keel-rbac.yaml b/charts/akto-threat-client/templates/keel-rbac.yaml
new file mode 100644
index 0000000..2434767
--- /dev/null
+++ b/charts/akto-threat-client/templates/keel-rbac.yaml
@@ -0,0 +1,53 @@
+{{ if .Values.keel.keel.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "akto.fullname" . }}-keel
+ labels:
+ {{- include "akto.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - watch
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - watch
+ - list
+- apiGroups:
+ - ""
+ - extensions
+ - apps
+ - batch
+ resources:
+ - pods
+ - replicasets
+ - replicationcontrollers
+ - statefulsets
+ - deployments
+ - daemonsets
+ - jobs
+ - cronjobs
+ verbs:
+ - get
+ - delete
+ - watch
+ - list
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - pods/portforward
+ verbs:
+ - get
+ - create
+ - update
+{{ end }}
\ No newline at end of file
diff --git a/charts/akto-threat-client/templates/keel.yaml b/charts/akto-threat-client/templates/keel.yaml
new file mode 100644
index 0000000..a563cbf
--- /dev/null
+++ b/charts/akto-threat-client/templates/keel.yaml
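Review bot: The ClusterRole in keel-rbac.yaml grants `get`/`watch`/`list` on `secrets` in every namespace, plus `update`/`delete` on every workload kind and `create` on `pods/portforward`, and keel-rbac-binding.yaml binds it cluster-wide to the `-keel` ServiceAccount, so a compromise of the Keel pod — which also carries AWS keys in its env — yields read access to every Secret in the cluster. If the updater only needs to manage this release's namespace, a namespaced `Role`/`RoleBinding` with the same rules bounds the blast radius; if cluster scope is genuinely required, the reason for the `secrets` rule should be stated above it, e.g. `# secrets: needed by Keel for registry pull credentials — confirm against Keel docs before widening`. Note that both objects render by default, since `keel.keel.enabled` is `true` in values.yaml.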
@@ -0,0 +1,16 @@
+{{ if .Values.keel.keel.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "akto.fullname" . }}-keel
+ labels:
+ app: keel
+ {{- include "akto.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.keel.type }}
+ selector:
+ app: {{ include "akto.fullname" . }}-keel
+ {{- include "akto.selectorLabels" . | nindent 4 }}
+ ports:
+ {{- .Values.keel.ports | toYaml | nindent 2 -}}
+{{ end }}
\ No newline at end of file
diff --git a/charts/akto-threat-client/templates/redis-deployment.yaml b/charts/akto-threat-client/templates/redis-deployment.yaml
new file mode 100644
index 0000000..c0455cf
--- /dev/null
+++ b/charts/akto-threat-client/templates/redis-deployment.yaml
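Review bot: This Service takes its type from `.Values.keel.type`, which values.yaml in this commit defaults to `LoadBalancer`, so a default install provisions an external load balancer for the image updater's port 9300, and nothing in this chart configures any authentication in front of it. Nothing visible in this commit needs Keel reachable from outside the cluster (its liveness probe hits `/healthz` in-pod), so the default belongs at `type: ClusterIP` under `keel:` in values.yaml, with `LoadBalancer` left as an explicit opt-in and a comment saying what it exposes.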
@@ -0,0 +1,80 @@
+{{- if .Values.redis.persistence.enabled }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ include "akto.fullname" . }}-redis-pvc
+ labels:
+ {{- include "akto.labels" . | nindent 4 }}
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: {{ .Values.redis.persistence.size | quote }}
+ {{- if .Values.redis.persistence.storageClass }}
+ storageClassName: {{ .Values.redis.persistence.storageClass }}
+ {{- end }}
+---
+{{- end }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "akto.fullname" . }}-redis
+ labels:
+ {{- include "akto.labels" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: {{ include "akto.fullname" . }}-redis
+ {{- include "akto.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ app: {{ include "akto.fullname" . }}-redis
+ {{- include "akto.selectorLabels" . | nindent 8 }}
+ spec:
+ containers:
+ - name: redis
+ image: {{ .Values.redis.image.repository | default "redis" }}:{{ .Values.redis.image.tag | default "7.0" }}
+ imagePullPolicy: {{ .Values.redis.imagePullPolicy | default "IfNotPresent" }}
+ command:
+ - redis-server
+ - --appendonly
+ - "yes"
+ - --save
+ - ""
+ - --dir
+ - /data/
+ ports:
+ - containerPort: 6379
+ name: redis
+ volumeMounts:
+ {{- if .Values.redis.persistence.enabled }}
+ - name: redis-data
+ mountPath: /data
+ {{- end }}
+ resources:
+ {{- toYaml .Values.redis.resources | nindent 10 }}
+ volumes:
+ {{- if .Values.redis.persistence.enabled }}
+ - name: redis-data
+ persistentVolumeClaim:
+ claimName: {{ include "akto.fullname" . }}-redis-pvc
+ {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "akto.fullname" . }}-redis
+ labels:
+ {{- include "akto.labels" . | nindent 4 }}
+spec:
+ ports:
+ - port: 6379
+ targetPort: redis
+ protocol: TCP
+ name: redis
+ selector:
+ app: {{ include "akto.fullname" . }}-redis
+ type: ClusterIP
\ No newline at end of file
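Review bot: The Redis Deployment mounts a `ReadWriteOnce` PVC but keeps the default `RollingUpdate` strategy, so on upgrade the replacement pod is scheduled before the old one releases the volume and the rollout can stall on single-attach storage; add `strategy:` / `  type: Recreate` under `spec:` when `persistence.enabled` is set. The server is started with no `--requirepass` and is reachable cluster-wide through the `-redis` ClusterIP Service, while the threat client dials it with a credential-less `redis://` URI, so access control rests entirely on a NetworkPolicy this chart does not ship; a comment on the Service such as `# Redis has no auth; restrict to the threat-client pods with a NetworkPolicy` would make that explicit. values.yaml also defines `redis.pullPolicy`, but this template reads `.Values.redis.imagePullPolicy`, so the value is silently ignored and the `IfNotPresent` fallback always applies.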
diff --git a/charts/akto-threat-client/templates/serviceaccount.yaml b/charts/akto-threat-client/templates/serviceaccount.yaml
new file mode 100644
index 0000000..66c258a
--- /dev/null
+++ b/charts/akto-threat-client/templates/serviceaccount.yaml
@@ -0,0 +1,11 @@
+{{ if .Values.keel.keel.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "akto.fullname" . }}-keel
+ labels:
+ app: {{ include "akto.fullname" . }}-keel
+ {{- include "akto.labels" . | nindent 4 }}
+ annotations:
+ {{- toYaml .Values.keel.serviceAccount.annotations | nindent 4 }}
+{{ end }}
\ No newline at end of file
diff --git a/charts/akto-threat-client/templates/threat-client.yaml b/charts/akto-threat-client/templates/threat-client.yaml
new file mode 100644
index 0000000..626eb40
--- /dev/null
+++ b/charts/akto-threat-client/templates/threat-client.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "akto.fullname" . }}-threat-client
+ labels:
+ {{- include "akto.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.threat_client.type }}
+ selector:
+ app: {{ include "akto.fullname" . }}-threat-client
+ {{- include "akto.selectorLabels" . | nindent 4 }}
+ ports:
+ {{- .Values.threat_client.ports | toYaml | nindent 2 -}}
\ No newline at end of file
diff --git a/charts/akto-threat-client/values.yaml b/charts/akto-threat-client/values.yaml
new file mode 100644
index 0000000..28cb5b1
--- /dev/null
+++ b/charts/akto-threat-client/values.yaml
@@ -0,0 +1,136 @@
+mongo:
+ aktoMongoConn: ""
+
+kubernetesClusterDomain: cluster.local
+threat_client:
+ aktoApiSecurityThreatClient:
+ env:
+ postgresUrl: jdbc:postgresql://postgres.default.svc.cluster.local:5432/akto
+ postgresUser: akto
+ postgresPassword: akto
+ aktoAccountName: Helios
+ aktoConfigName: staging
+ aktoInstanceType: DASHBOARD
+ aktoKafkaTrafficBrokerUrl: 192.168.1.19:29093
+ aktoKafkaBrokerUrl: 127.0.0.1:29092
+ backendToken:
+ backendUrl: https://tbs.akto.io
+ aktoLogLevel: WARN
+ useHostName: true
+ image:
+ repository: aktosecurity/akto-threat-detection
+ tag: 1.0.6
+ imagePullPolicy: Always
+ resources:
+ requests:
+ cpu: 2
+ memory: "2Gi"
+ limits:
+ cpu: 3
+ memory: "4Gi"
+ kafka1:
+ env:
+ # add advertised listeners if you want to override the default listeners
+ kafkaAdvertisedListeners: ""
+ kafkaBrokerId: "1"
+ kafkaCleanupPolicy: delete
+ kafkaCreateTopics: akto.api.logs:3:3
+ kafkaInterBrokerListenerName: LISTENER_DOCKER_EXTERNAL_LOCALHOST
+ kafkaListenerSecurityProtocolMap: LISTENER_DOCKER_EXTERNAL_LOCALHOST:PLAINTEXT,
+ LISTENER_DOCKER_EXTERNAL_DIFFHOST:PLAINTEXT
+ kafkaLogCleanerEnable: "true"
+ kafkaLogRetentionBytes: "10737418240"
+ kafkaLogRetentionCheckIntervalMs: "60000"
+ kafkaLogRetentionHours: "5"
+ kafkaLogSegmentBytes: "104857600"
+ kafkaOffsetsTopicReplicationFactor: "1"
+ kafkaTransactionStateLogMinIsr: "1"
+ kafkaTransactionStateLogReplicationFactor: "1"
+ kafkaZookeeperConnect: 127.0.0.1:2181
+ image:
+ repository: confluentinc/cp-kafka
+ tag: 7.8.0-3-ubi8
+ resources:
+ requests:
+ cpu: 1
+ memory: "1Gi"
+ limits:
+ cpu: 2
+ memory: "2Gi"
+ ports:
+ - port: 9092
+ targetPort: 9092
+ replicas: 1
+ type: ClusterIP
+ zoo1:
+ env:
+ kafkaOpts: -Dzookeeper.admin.enableServer=false
+ zookeeperClientPort: "2181"
+ zookeeperServerId: "1"
+ zookeeperServers: zoo1:2888:3888
+ image:
+ repository: confluentinc/cp-zookeeper
+ tag: 7.8.0-3-ubi8
+ resources:
+ requests:
+ cpu: 400m
+ memory: "400Mi"
+ limits:
+ cpu: 800m
+ memory: "800Mi"
+
+redis:
+ image:
+ repository: redis
+ tag: "7.0"
+ pullPolicy: IfNotPresent
+ resources:
+ requests:
+ cpu: "500m"
+ memory: "1Gi"
+ limits:
+ cpu: "900m"
+ memory: "2Gi"
+ persistence:
+ enabled: true
+ size: "2Gi"
+ storageClass: ""
+
+keel:
+ keel:
+ env:
+ awsAccessKeyId: ""
+ awsRegion: ""
+ awsSecretAccessKey: ""
+ hipchatApprovalsBotName: ""
+ hipchatApprovalsChannel: ""
+ hipchatApprovalsPasswort: ""
+ hipchatApprovalsUserName: ""
+ hipchatChannels: ""
+ hipchatToken: ""
+ insecureRegistry: "true"
+ mattermostEndpoint: ""
+ notificationLevel: info
+ webhookEndpoint: ""
+ image:
+ repository: keelhq/keel
+ tag: latest
+ imagePullPolicy: Always
+ enabled: true
+ resources:
+ limits:
+ cpu: 100m
+ memory: 128Mi
+ requests:
+ cpu: 50m
+ memory: 64Mi
+ maxUnavailable: 1
+ ports:
+ - name: keel
+ port: 9300
+ protocol: TCP
+ targetPort: 9300
+ replicas: 1
+ serviceAccount:
+ annotations: {}
+ type: LoadBalancer
diff --git a/charts/mini-runtime/templates/deployment.yaml b/charts/mini-runtime/templates/deployment.yaml
index 95f40cd..577f0ce 100644
--- a/charts/mini-runtime/templates/deployment.yaml
+++ b/charts/mini-runtime/templates/deployment.yaml
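Review bot: The defaults ship working credentials — `postgresUser: akto` with `postgresPassword: akto` — and `insecureRegistry: "true"` for Keel, so a `helm install` with no overrides gets a guessable database password and an updater willing to talk to non-TLS registries, while `backendToken:` is left null, which `quote` renders as `""` and which will presumably only fail once the client starts. Make the password default `""` and have the template fail the render instead, e.g. `{{ required "threat_client.aktoApiSecurityThreatClient.env.postgresPassword must be set" .Values.threat_client.aktoApiSecurityThreatClient.env.postgresPassword | quote }}` (same for `backendToken`), and flip `insecureRegistry` to `"false"`. The mini-runtime/values.yaml hunk in this commit adds the same `akto`/`akto` defaults and should get the same treatment; `keel.type: LoadBalancer` is raised on keel.yaml. The listener map is `PLAINTEXT` for both Kafka listeners, which is defensible for a pod-local broker but deserves a comment since `LISTENER_DOCKER_EXTERNAL_DIFFHOST` is the one advertised on the Service.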
@@ -99,6 +99,39 @@ spec: ports: - containerPort: 2181 resources: {{- toYaml .Values.mini_runtime.zoo1.resources | nindent 10 }} + + - env: + - name: RUNTIME_MODE + value: "hybrid" + - name: AKTO_TRAFFIC_KAFKA_BOOTSTRAP_SERVER + value: {{ quote .Values.threat_client.aktoApiSecurityThreatClient.env.aktoKafkaTrafficBrokerUrl + }} + - name: AKTO_INTERNAL_KAFKA_BOOTSTRAP_SERVER + value: {{ quote .Values.threat_client.aktoApiSecurityThreatClient.env.aktoKafkaBrokerUrl + }} + + - name: AKTO_THREAT_PROTECTION_BACKEND_TOKEN + value: {{ quote .Values.threat_client.aktoApiSecurityThreatClient.env.backendToken + }} + - name: DATABASE_ABSTRACTOR_SERVICE_TOKEN + value: {{ quote .Values.threat_client.aktoApiSecurityThreatClient.env.backendToken + }} + - name: AKTO_LOG_LEVEL + value: {{ quote .Values.threat_client.aktoApiSecurityThreatClient.env.aktoLogLevel }} + - name: AKTO_THREAT_PROTECTION_BACKEND_URL + value: {{ quote .Values.threat_client.aktoApiSecurityThreatClient.env.backendUrl }} + - name: IS_TESTING_CONTEXT + value: {{ quote .Values.threat_client.aktoApiSecurityThreatClient.env.isTestingContext }} + - name: AGGREGATION_RULES_ENABLED + value: {{ quote .Values.threat_client.aktoApiSecurityThreatClient.env.aggregationRulesEnabled }} + - name: KUBERNETES_CLUSTER_DOMAIN + value: {{ quote .Values.kubernetesClusterDomain }} + image: {{ .Values.threat_client.aktoApiSecurityThreatClient.image.repository }}:{{ .Values.threat_client.aktoApiSecurityThreatClient.image.tag + | default .Chart.AppVersion }} + imagePullPolicy: {{ .Values.threat_client.aktoApiSecurityThreatClient.imagePullPolicy }} + name: akto-api-security-threat-client + resources: {{- toYaml .Values.threat_client.aktoApiSecurityThreatClient.resources | nindent 10 }} + - env: - name: MY_POD_NAMESPACE + valueFrom:
diff --git a/charts/mini-runtime/values.yaml b/charts/mini-runtime/values.yaml
index e0d66df..53205dc 100644
--- a/charts/mini-runtime/values.yaml
+++ b/charts/mini-runtime/values.yaml
@@ -86,10 +86,39 @@ mini_runtime: resources: requests: cpu: 1 + memory: "1Gi" + limits: + cpu: 2 memory: "2Gi" + +threat_client: + aktoApiSecurityThreatClient: + env: + postgresUrl: jdbc:postgresql://postgres.default.svc.cluster.local:5432/akto + postgresUser: akto + postgresPassword: akto + aktoAccountName: Helios + aktoConfigName: staging + aktoInstanceType: DASHBOARD + aktoKafkaTrafficBrokerUrl: 127.0.0.1:29092 + aktoKafkaBrokerUrl: 127.0.0.1:29092 + backendToken: + backendUrl: https://tbs.akto.io + aktoLogLevel: WARN + useHostName: true + isTestingContext: false + aggregationRulesEnabled: false + image: + repository: aktosecurity/akto-threat-detection + tag: 1.0.8 + imagePullPolicy: Always + resources: + requests: + cpu: 1 + memory: "1Gi" limits: cpu: 2 - memory: "4Gi" + memory: "2Gi" keel: keel:
diff --git a/charts/postgres/all.yaml b/charts/postgres/all.yaml
new file mode 100644
index 0000000..cee985a
--- /dev/null
+++ b/charts/postgres/all.yaml
@@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: postgres
+ namespace: default
+spec:
+ serviceName: postgres
+ selector:
+ matchLabels:
+ app: postgres
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: postgres
+ spec:
+ containers:
+ - name: postgres
+ image: postgres:14
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 5432
+ envFrom:
+ - configMapRef:
+ name: postgres-config
+ volumeMounts:
+ - name: postgres-data
+ mountPath: /var/lib/postgresql/data
+ volumeClaimTemplates:
+ - metadata:
+ name: postgres-data
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 4Gi
+ storageClassName: standard
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: postgres
+ labels:
+ app: postgres
+spec:
+ type: LoadBalancer
+ selector:
+ app: postgres
+ ports:
+ - protocol: TCP
+ name: https
+ port: 5432
+ targetPort: 5432
\ No newline at end of file
diff --git a/charts/postgres/config.yml b/charts/postgres/config.yml
new file mode 100644
index 0000000..17f92c4
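Review bot: The Service in all.yaml exposes Postgres with `type: LoadBalancer`, and the pod's credentials come from the `postgres-config` ConfigMap whose password in config.yml is `akto`, so applying this directory as-is publishes a database with a well-known password on an external address; `type: ClusterIP` is the safe default, and the port should be named `postgres` rather than `https` since nothing here configures TLS. The StatefulSet pins `namespace: default` while the Service carries no namespace, so `kubectl apply -n <ns>` splits the two and the `serviceName` no longer resolves; drop the hard-coded namespace. This directory is plain manifests under charts/ with no Chart.yaml, so Helm will not package it — if it is meant as a local fixture, a one-line README saying so would stop it being mistaken for a chart.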
--- /dev/null
+++ b/charts/postgres/config.yml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: postgres-config
+ labels:
+ app: postgres
+data:
+ POSTGRES_DB: akto
+ POSTGRES_USER: akto
+ POSTGRES_PASSWORD: akto
\ No newline at end of file
diff --git a/charts/postgres/dep.yml b/charts/postgres/dep.yml
new file mode 100644
index 0000000..3905307
--- /dev/null
+++ b/charts/postgres/dep.yml
@@ -0,0 +1,52 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: postgres
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: postgres
+ template:
+ metadata:
+ labels:
+ app: postgres
+ spec:
+ containers:
+ - name: postgres
+ image: 'postgres:14'
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 5432
+ envFrom:
+ - configMapRef:
+ name: postgres-secret
+ volumeMounts:
+ - mountPath: /var/lib/postgresql/data
+ name: postgresdata
+ volumes:
+ - name: postgresdata
+ persistentVolumeClaim:
+ claimName: postgres-volume-claim
+---
+# kind: Pod
+# apiVersion: v1
+# metadata:
+# name: postgres
+# spec:
+# containers:
+# - name: postgres
+# image: 'postgres:14'
+# imagePullPolicy: IfNotPresent
+# ports:
+# - containerPort: 5432
+# envFrom:
+# - configMapRef:
+# name: postgres-secret
+# volumeMounts:
+# - mountPath: /var/lib/postgresql/data
+# name: postgresdata
+# volumes:
+# - name: postgresdata
+# persistentVolumeClaim:
+# claimName: postgres-volume-claim
\ No newline at end of file
diff --git a/charts/postgres/postgres-config.yml b/charts/postgres/postgres-config.yml
new file mode 100644
index 0000000..e69de29
diff --git a/charts/postgres/pv.yml b/charts/postgres/pv.yml
new file mode 100644
index 0000000..1685684
--- /dev/null
+++ b/charts/postgres/pv.yml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: postgres-volume
+ labels:
+ type: local
+ app: postgres
+spec:
+ storageClassName: default
+ capacity:
+ storage: 2Gi
+ accessModes:
+ - ReadWriteOnce
+ hostPath:
+ path: /data/postgresql4
\ No newline at end of file
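Review bot: `POSTGRES_PASSWORD` is stored in a `ConfigMap`, which is readable by anyone with `configmaps` get/list in the namespace and is not covered by the cluster's Secret encryption at rest or by Secret-specific RBAC. Move it to `kind: Secret` with the values under `stringData:` — `envFrom` accepts a `secretRef` just as it does a `configMapRef` — and keep only `POSTGRES_DB` and `POSTGRES_USER` in the ConfigMap. dep.yml in this commit already references a `postgres-secret` name, which suggests that split was the intent.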
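Review bot: The Deployment references objects nothing in this commit creates: `configMapRef: name: postgres-secret` (config.yml creates `postgres-config`) and `claimName: postgres-volume-claim` (pvc.yml creates `azure-managed-disk-pvc`), so the pod cannot start. The storage files also disagree with each other: pv.yml uses `storageClassName: default` with a `hostPath`, pvc.yml asks for `azurefile` with `ReadWriteMany`, and the volumeClaimTemplate in all.yaml uses `standard`, so the PV and PVC will never bind. Keep either this Deployment with a matching PV/PVC pair or the StatefulSet in all.yaml and delete the other, fix the two names to match what is shipped, and drop the commented-out Pod block at the end of the file rather than committing it.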
diff --git a/charts/postgres/pvc.yml b/charts/postgres/pvc.yml
new file mode 100644
index 0000000..52138f0
--- /dev/null
+++ b/charts/postgres/pvc.yml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: azure-managed-disk-pvc
+ labels:
+ app: postgres
+spec:
+ storageClassName: azurefile
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 1Gi
\ No newline at end of file
diff --git a/charts/postgres/svc.yml b/charts/postgres/svc.yml
new file mode 100644
index 0000000..901a21e
--- /dev/null
+++ b/charts/postgres/svc.yml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: postgres
+ labels:
+ app: postgres
+spec:
+ type: NodePort
+ ports:
+ - port: 5432
+ selector:
+ app: postgres
\ No newline at end of file
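Review bot: This defines a second `Service` named `postgres` (`type: NodePort`) alongside the `LoadBalancer` Service of the same name in all.yaml, so applying the directory lets whichever file is applied last win and silently decides how the database is exposed. Keep a single Service and default it to `type: ClusterIP`; both `NodePort` and `LoadBalancer` open port 5432 beyond the cluster for a database whose shipped credentials are `akto`/`akto`.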