Update docker-compose.yaml

2025-06-28 16:41:02 +03:00 · 2025-01-13 14:13:53 +02:00 · 2025-01-13 14:13:53 +02:00 · 63541a4c3c
commit 63541a4c3c
parent d14fa7a468
1 changed files with 124 additions and 46 deletions
--- a/deployment/kong/docker-compose.yaml
+++ b/deployment/kong/docker-compose.yaml
@ -1,57 +1,135 @@
-## .env file for docker-compose deployments of open-appsec integrated with Kong
-## for more info see https://docs.openappsec.io
+# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.

-APPSEC_VERSION=latest
-APPSEC_CONFIG=./appsec-config
-APPSEC_DATA=./appsec-data
-APPSEC_LOGS=./appsec-logs
-APPSEC_LOCALCONFIG=./appsec-localconfig
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may obtain a copy of the License at

-## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing
-## open-appsec configuration via open-appsec Web UI.
-## You can optionally set it to true when using local, declarative management for open-appsec,
-## declarative configuration will then get applied automatically when changed.
-APPSEC_AUTO_POLICY_LOAD=false
+#     http://www.apache.org/licenses/LICENSE-2.0

-## Example for configuring HTTPS Proxy:
-## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
-APPSEC_HTTPS_PROXY=
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.

-APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage
-APPSEC_USER_EMAIL=user@email.com
-APPSEC_DB_PASSWORD=pass
-APPSEC_DB_USER=postgres
-APPSEC_DB_HOST=appsec-db
-APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
+##
+## Docker compose file for open-appsec integrated with Kong
+##

-## Make sure to have a valid Kong declarative configuration file kong.yaml in the folder specified for KONG_CONFIG.
-## For deployment of a simple lab testing environment, you can deploy the example configuration provided
-## for the vulnerable juice-shop container, see instructions further below.
-KONG_CONFIG=./kong-config
+version: "3.9"
+services:
+  appsec-agent:
+    image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
+    container_name: appsec-agent
+    environment:
+      - SHARED_STORAGE_HOST=appsec-shared-storage
+      - LEARNING_HOST=appsec-smartsync
+      - TUNING_HOST=appsec-tuning-svc
+      - https_proxy=${APPSEC_HTTPS_PROXY}
+      - user_email=${APPSEC_USER_EMAIL}
+      - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
+      - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
+      - registered_server=Kong Server
+    ipc: shareable
+    restart: unless-stopped
+    volumes:
+      - ${APPSEC_CONFIG}:/etc/cp/conf
+      - ${APPSEC_DATA}:/etc/cp/data
+      - ${APPSEC_LOGS}:/var/log/nano_agent
+      - ${APPSEC_LOCALCONFIG}:/ext/appsec
+    command: /cp-nano-agent

-## For Kong Gateway Enterprise Edition set KONG_IMAGE to kong-gateway-attachment instead of kong-attachment
-KONG_IMAGE=kong-attachment
+  appsec-kong:
+    image: ghcr.io/openappsec/${KONG_IMAGE}:${APPSEC_VERSION}
+    container_name: appsec-kong
+    ipc: service:appsec-agent
+## This docker compose deploys Kong in DB-less mode with declarative Kong configuration
+## please make sure to have a valid config present in {KONG_CONFIG}:
+    environment:
+      - KONG_DATABASE=off
+      - KONG_DECLARATIVE_CONFIG=/opt/kong/kong.yaml
+    volumes:
+      - ${KONG_CONFIG}:/opt/kong
+    restart: unless-stopped
+    ports:
+      - "8000:8000"
+      - "8443:8443"
+      - "127.0.0.1:8001:8001"
+      - "127.0.0.1:8444:8444"

-## To connect your deployment to central open-appsec WebUI provide the token for a profile
-## which you created in open-appsec WebUI at https://my.openappsec.io
-## Example: APPSEC_AGENT_TOKEN=111-22222-111
-APPSEC_AGENT_TOKEN=
+  appsec-smartsync:
+    profiles:
+      - standalone
+    image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
+    container_name: appsec-smartsync
+    environment:
+      - SHARED_STORAGE_HOST=appsec-shared-storage
+    restart: unless-stopped
+    depends_on:
+      - appsec-shared-storage

-## Important: When not providing token for connection to central WebUI:
-## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable
-## sharing of learning between processes and allow you to perform tuning locally on CLI
-COMPOSE_PROFILES=
+  appsec-shared-storage:
+    profiles:
+      - standalone
+    image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
+    container_name: appsec-shared-storage
+    ipc: service:appsec-agent
+    restart: unless-stopped
+## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
+## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
+    user: root
+    volumes:
+      - ${APPSEC_SMART_SYNC_STORAGE}:/db:z
+## instead of using local storage for local learning (see line above)
+## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
+## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) 
+#     - learning_nfs:/db:z

-## JUICE SHOP DEMO CONTAINER:
-## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!):
-## Add the value "juiceshop" to the COMPOSE_PROFILES value above.
+  appsec-tuning-svc:
+    profiles:
+      - standalone
+    image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
+    container_name: appsec-tuning-svc
+    environment:
+      - SHARED_STORAGE_HOST=appsec-shared-storage
+      - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
+      - QUERY_DB_HOST=${APPSEC_DB_HOST}
+      - QUERY_DB_USER=${APPSEC_DB_USER}
+## only relevant when deploying own DB 
+#     - SSLMODE:
+    restart: unless-stopped
+    volumes:
+      - ${APPSEC_CONFIG}:/etc/cp/conf
+    depends_on:
+      - appsec-shared-storage
+      - appsec-db
+      
+  appsec-db:
+    profiles:
+      - standalone
+    image: postgres
+    container_name: appsec-db
+    restart: unless-stopped
+    environment:
+      - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
+      - POSTGRES_USER=${APPSEC_DB_USER} 
+    volumes:
+      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data

-## Make sure to also adjust the kong.yaml file in KONG_CONFIG folder
-## to include service and route configuration for forwarding external traffic to the juiceshop-backend container
-## (kong listens by default for HTTP/HTTPS on port 8000/8443) 
-## you can use the example file available here:
-## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/kong/kong.yaml
-## note that juiceshop container listens on HTTP port 3000 by default
+## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
+  juiceshop-backend:
+    image: bkimminich/juice-shop:latest
+    container_name: juiceshop-backend
+    profiles:
+      - juiceshop

-## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here:
-## COMPOSE_PROFILES=standalone,juiceshop
+## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
+##
+## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
+##
+#volumes:
+# learning_nfs:
+#   driver: local
+#   driver_opts:
+#     type: nfs
+#     o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
+#     device: ":/"