Threat client helm chart

charts/akto-threat-client/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/akto-threat-client/Chart.yaml

@@ -0,0 +1,18 @@
+apiVersion: v2
+name: akto-threat-client
+description: Helm chart for installing Akto
+type: application
+version: 0.2.3
+appVersion: "0.2.3"
+home: https://www.akto.io
+icon: https://akto-setup.s3.amazonaws.com/templates/128x128.png
+sources:
+  - https://github.com/akto-api-security/helm-charts/tree/master/charts/threat-client
+keywords:
+  - akto
+  - api
+  - api security
+  - dast
+maintainers:
+  - name: Ankush Jain
+    email: [email protected]

charts/akto-threat-client/README.md

@@ -0,0 +1,63 @@
+# Akto setup
+
+You can install Akto via Helm charts. 
+
+## Resources
+Akto's Helm chart repo is on GitHub [here](https://github.com/akto-api-security/helm-charts).
+You can also find Akto on Helm.sh [here](https://artifacthub.io/packages/helm/akto/akto).
+
+## Prerequisites
+Please ensure you have the following -
+1. A Kubernetes cluster where you have deploy permissions
+2. `helm` command installed. Check [here](https://helm.sh/docs/intro/install/)
+
+## Steps 
+Here are the steps to install Akto via Helm charts - 
+
+1. Prepare Mongo Connection string
+2. Install Akto via Helm
+3. Verify Installation and harden security
+
+### Create Mongo instance
+Akto Helm setup needs a Mongo connection string as input. It can come from either of the following -
+1. **Your own Mongo**
+   Ensure your machine where you setup Mongo is NOT exposed to public internet. It shouldn't have a public IP. You can setup Mongo by running the following commands.
+   ```
+   sudo yum update -y
+   sudo yum install -y docker
+   sudo dockerd&
+   docker run --name mongo --restart always -v ./data:/data/db -p 27017:27017 mongo
+   sudo systemctl enable /usr/lib/systemd/system/docker.service
+   ```
+   <img width="1161" alt="AWS EC2 Mongo" src="https://github.com/akto-api-security/Documentation/assets/91221068/0b6b87e8-9797-4729-ab01-fd48f99efbd3">
+
+   The connection string would then be `mongodb://<YOUR_INSTANCE_PRIVATE_IP>:27017/admini`
+2. **Mongo Atlas**
+   You can use Mongo Atlas connection as well
+   1. Go to `Database Deployments` page for your project
+   2. Click on `Connect` button
+   3. Choose `Connect your application` option
+   4. Copy the connection string. It should look like `mongodb://....`
+      <img width="567" alt="Mongo Atlas" src="https://github.com/akto-api-security/Documentation/assets/91221068/1128e098-3618-4d19-b9c3-2c7482b4714e">
+
+3. **AWS Document DB**
+   If you are on AWS, you can use AWS Document DB too. You can find the connection string on the Cluster page itself.
+   <img width="1399" alt="AWS DocDB" src="https://github.com/akto-api-security/Documentation/assets/91221068/4ce4d84d-6e8a-4d4d-bc0b-e5d03e3f824a">
+
+Note: Please ensure your K8S cluster has connectivity to Mongo. 
+
+### Install Akto via Helm
+
+1. Add Akto repo
+   ```helm repo add  akto https://akto-api-security.github.io/helm-charts```
+2. Install Akto via helm
+   ```helm install akto akto/akto -n dev --set mongo.aktoMongoConn="<AKTO_CONNECTION_STRING>"```
+3. Run `kubectl get pods -n <NAMESPACE>` and verify you can see 4 pods
+   <img width="862" alt="Screenshot 2023-11-16 at 10 08 23 AM" src="https://github.com/akto-api-security/Documentation/assets/91221068/3a5a4d26-3305-4eb2-94f9-ae598817252d">
+
+### Verify Installation and harden security
+
+1. Run the following to get Akto dashboard url
+   ```kubectl get services/akto-dashboard -n dev | awk -F " " '{print $4;}'```
+2. Open Akto dashboard on port 8080. eg `http://a54b36c1f4asdaasdfbd06a259de2-acf687643f6fe4eb.elb.ap-south-1.amazonaws.com:8080/`
+3. For good security measures, you should enable HTTPS by adding a certificate and put it behind a VPN. If you are on AWS, follow the guide [here](https://docs.akto.io/getting-started/aws-ssl).

charts/akto-threat-client/templates/NOTES.txt

@@ -0,0 +1,8 @@
+Thank you for installing {{ .Chart.Name }}.
+
+Your release is named {{ .Release.Name }}.
+
+To learn more about the release, try:
+
+  $ helm status {{ .Release.Name }}
+  $ helm get all {{ .Release.Name }}

charts/akto-threat-client/templates/_helpers.tpl

@@ -0,0 +1,61 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "akto.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "akto.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "akto.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "akto.labels" -}}
+helm.sh/chart: {{ include "akto.chart" . }}
+{{ include "akto.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "akto.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "akto.name" . }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "akto.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "akto.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/akto-threat-client/templates/deployment.yaml

@@ -0,0 +1,207 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "akto.fullname" . }}-threat-client
+  {{ if .Values.keel.keel.enabled }}
+  annotations:
+    keel.sh/policy: force
+    keel.sh/trigger: poll
+    keel.sh/pollSchedule: "@every 60m"
+  {{ end }}
+  labels:
+  {{- include "akto.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.threat_client.replicas }}
+  selector:
+    matchLabels:
+      app: {{ include "akto.fullname" . }}-threat-client
+    {{- include "akto.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        app: {{ include "akto.fullname" . }}-threat-client
+      {{- include "akto.selectorLabels" . | nindent 8 }}
+    spec:
+      containers:
+      - env:  
+        - name: RUNTIME_MODE
+          value: "hybrid"
+        - name: AKTO_THREAT_DETECTION_POSTGRES
+          value: {{ quote .Values.threat_client.aktoApiSecurityThreatClient.env.postgresUrl }}
+        - name: AKTO_THREAT_DETECTION_POSTGRES_USER
+          value: {{ quote .Values.threat_client.aktoApiSecurityThreatClient.env.postgresUser }}
+        - name: AKTO_THREAT_DETECTION_POSTGRES_PASSWORD
+          value: {{ quote .Values.threat_client.aktoApiSecurityThreatClient.env.postgresPassword
+            }}
+        - name: AKTO_TRAFFIC_KAFKA_BOOTSTRAP_SERVER
+          value: {{ quote .Values.threat_client.aktoApiSecurityThreatClient.env.aktoKafkaTrafficBrokerUrl
+            }}
+        - name: AKTO_INTERNAL_KAFKA_BOOTSTRAP_SERVER
+          value: {{ quote .Values.threat_client.aktoApiSecurityThreatClient.env.aktoKafkaBrokerUrl
+            }}
+        - name: AKTO_THREAT_DETECTION_LOCAL_REDIS_URI
+          value: "redis://{{ include "akto.fullname" . }}-redis:6379"
+
+        - name: AKTO_THREAT_PROTECTION_BACKEND_TOKEN
+          value: {{ quote .Values.threat_client.aktoApiSecurityThreatClient.env.backendToken
+            }}
+        - name: DATABASE_ABSTRACTOR_SERVICE_TOKEN
+          value: {{ quote .Values.threat_client.aktoApiSecurityThreatClient.env.backendToken
+            }}
+        - name: AKTO_MONGO_CONN
+          value: {{ quote .Values.threat_client.aktoApiSecurityThreatClient.env.mongoUrl
+            }}
+        - name: AKTO_LOG_LEVEL
+          value: {{ quote .Values.threat_client.aktoApiSecurityThreatClient.env.aktoLogLevel }}
+        - name: AKTO_THREAT_PROTECTION_BACKEND_URL
+          value: {{ quote .Values.threat_client.aktoApiSecurityThreatClient.env.backendUrl }}
+        - name: KUBERNETES_CLUSTER_DOMAIN
+          value: {{ quote .Values.kubernetesClusterDomain }}
+        image: {{ .Values.threat_client.aktoApiSecurityThreatClient.image.repository }}:{{ .Values.threat_client.aktoApiSecurityThreatClient.image.tag
+          | default .Chart.AppVersion }}
+        imagePullPolicy: {{ .Values.threat_client.aktoApiSecurityThreatClient.imagePullPolicy }}
+        name: akto-api-security-threat-client
+        resources: {{- toYaml .Values.threat_client.aktoApiSecurityThreatClient.resources |  nindent 10 }}
+      - env:
+        - name: ZOOKEEPER_CLIENT_PORT
+          value: {{ quote .Values.threat_client.zoo1.env.zookeeperClientPort }}
+        - name: ZOOKEEPER_SERVERS
+          value: {{ quote .Values.threat_client.zoo1.env.zookeeperServers }}
+        - name: ZOOKEEPER_SERVER_ID
+          value: {{ quote .Values.threat_client.zoo1.env.zookeeperServerId }}
+        - name: KAFKA_OPTS
+          value: {{ quote .Values.threat_client.zoo1.env.kafkaOpts }}
+        - name: KUBERNETES_CLUSTER_DOMAIN
+          value: {{ quote .Values.kubernetesClusterDomain }}
+        image: {{ .Values.threat_client.zoo1.image.repository }}:{{ .Values.threat_client.zoo1.image.tag
+          | default .Chart.AppVersion }}
+        name: zoo1
+        ports:
+        - containerPort: 2181
+        resources: {{- toYaml .Values.threat_client.zoo1.resources | nindent 10 }}
+      - env:
+        - name: MY_POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: KAFKA_ADVERTISED_LISTENERS
+            {{- if .Values.threat_client.kafka1.env.kafkaAdvertisedListeners }}
+          value: {{ quote .Values.threat_client.kafka1.env.kafkaAdvertisedListeners }}
+            {{- else}}
+          value: "LISTENER_DOCKER_EXTERNAL_LOCALHOST://localhost:29092, LISTENER_DOCKER_EXTERNAL_DIFFHOST://{{.Release.Name}}-threat-client.{{.Release.Namespace}}.svc.cluster.local:9092"
+            {{- end }}
+        - name: KAFKA_BROKER_ID
+          value: {{ quote .Values.threat_client.kafka1.env.kafkaBrokerId }}
+        - name: KAFKA_CLEANUP_POLICY
+          value: {{ quote .Values.threat_client.kafka1.env.kafkaCleanupPolicy }}
+        - name: KAFKA_CREATE_TOPICS
+          value: {{ quote .Values.threat_client.kafka1.env.kafkaCreateTopics }}
+        - name: KAFKA_INTER_BROKER_LISTENER_NAME
+          value: {{ quote .Values.threat_client.kafka1.env.kafkaInterBrokerListenerName }}
+        - name: KAFKA_LISTENER_SECURITY_PROTOCOL_MAP
+          value: {{ quote .Values.threat_client.kafka1.env.kafkaListenerSecurityProtocolMap }}
+        - name: KAFKA_LOG_CLEANER_ENABLE
+          value: {{ quote .Values.threat_client.kafka1.env.kafkaLogCleanerEnable }}
+        - name: KAFKA_LOG_RETENTION_BYTES
+          value: {{ quote .Values.threat_client.kafka1.env.kafkaLogRetentionBytes }}
+        - name: KAFKA_LOG_RETENTION_CHECK_INTERVAL_MS
+          value: {{ quote .Values.threat_client.kafka1.env.kafkaLogRetentionCheckIntervalMs }}
+        - name: KAFKA_LOG_RETENTION_HOURS
+          value: {{ quote .Values.threat_client.kafka1.env.kafkaLogRetentionHours }}
+        - name: KAFKA_LOG_SEGMENT_BYTES
+          value: {{ quote .Values.threat_client.kafka1.env.kafkaLogSegmentBytes }}
+        - name: KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR
+          value: {{ quote .Values.threat_client.kafka1.env.kafkaOffsetsTopicReplicationFactor
+            }}
+        - name: KAFKA_TRANSACTION_STATE_LOG_MIN_ISR
+          value: {{ quote .Values.threat_client.kafka1.env.kafkaTransactionStateLogMinIsr }}
+        - name: KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR
+          value: {{ quote .Values.threat_client.kafka1.env.kafkaTransactionStateLogReplicationFactor
+            }}
+        - name: KAFKA_ZOOKEEPER_CONNECT
+          value: {{ quote .Values.threat_client.kafka1.env.kafkaZookeeperConnect }}
+        - name: KUBERNETES_CLUSTER_DOMAIN
+          value: {{ quote .Values.kubernetesClusterDomain }}
+        image: {{ .Values.threat_client.kafka1.image.repository }}:{{ .Values.threat_client.kafka1.image.tag
+          | default .Chart.AppVersion }}
+        name: kafka1
+        ports:
+        - containerPort: 9092
+        - containerPort: 19092
+        - containerPort: 29092
+        - containerPort: 9999
+        resources: {{- toYaml .Values.threat_client.kafka1.resources | nindent 10 }}
+      restartPolicy: Always
+
+---
+{{ if .Values.keel.keel.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "akto.fullname" . }}-keel
+  labels:
+    app: keel
+  {{- include "akto.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.keel.replicas }}
+  selector:
+    matchLabels:
+      app: {{ include "akto.fullname" . }}-keel
+    {{- include "akto.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        app: {{ include "akto.fullname" . }}-keel
+      {{- include "akto.selectorLabels" . | nindent 8 }}
+    spec:
+      containers:
+      - command:
+        - /bin/keel
+        env:
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: AWS_ACCESS_KEY_ID
+          value: {{ quote .Values.keel.keel.env.awsAccessKeyId }}
+        - name: AWS_SECRET_ACCESS_KEY
+          value: {{ quote .Values.keel.keel.env.awsSecretAccessKey }}
+        - name: AWS_REGION
+          value: {{ quote .Values.keel.keel.env.awsRegion }}
+        - name: WEBHOOK_ENDPOINT
+          value: {{ quote .Values.keel.keel.env.webhookEndpoint }}
+        - name: MATTERMOST_ENDPOINT
+          value: {{ quote .Values.keel.keel.env.mattermostEndpoint }}
+        - name: HIPCHAT_TOKEN
+          value: {{ quote .Values.keel.keel.env.hipchatToken }}
+        - name: HIPCHAT_CHANNELS
+          value: {{ quote .Values.keel.keel.env.hipchatChannels }}
+        - name: HIPCHAT_APPROVALS_CHANNEL
+          value: {{ quote .Values.keel.keel.env.hipchatApprovalsChannel }}
+        - name: HIPCHAT_APPROVALS_BOT_NAME
+          value: {{ quote .Values.keel.keel.env.hipchatApprovalsBotName }}
+        - name: HIPCHAT_APPROVALS_USER_NAME
+          value: {{ quote .Values.keel.keel.env.hipchatApprovalsUserName }}
+        - name: HIPCHAT_APPROVALS_PASSWORT
+          value: {{ quote .Values.keel.keel.env.hipchatApprovalsPasswort }}
+        - name: NOTIFICATION_LEVEL
+          value: {{ quote .Values.keel.keel.env.notificationLevel }}
+        - name: INSECURE_REGISTRY
+          value: {{ quote .Values.keel.keel.env.insecureRegistry }}
+        - name: KUBERNETES_CLUSTER_DOMAIN
+          value: {{ quote .Values.kubernetesClusterDomain }}
+        image: {{ .Values.keel.keel.image.repository }}:{{ .Values.keel.keel.image.tag
+          | default .Chart.AppVersion }}
+        imagePullPolicy: {{ .Values.keel.keel.imagePullPolicy }}
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 9300
+          initialDelaySeconds: 30
+          timeoutSeconds: 10
+        name: keel
+        ports:
+        - containerPort: 9300
+        resources: {{- toYaml .Values.keel.keel.resources | nindent 10 }}
+      serviceAccountName: {{ include "akto.fullname" . }}-keel
+{{ end }}