Update docker-compose.yaml

2025-06-28 16:41:02 +03:00 · 2025-01-13 14:13:53 +02:00 · 2025-01-13 14:13:53 +02:00 · 63541a4c3c
commit 63541a4c3c
parent d14fa7a468
1 changed files with 124 additions and 46 deletions
--- a/deployment/kong/docker-compose.yaml
+++ b/deployment/kong/docker-compose.yaml
@ -1,57 +1,135 @@
-## .env file for docker-compose deployments of open-appsec integrated with Kong
+# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
 ## for more info see https://docs.openappsec.io
-APPSEC_VERSION=latest
+# Licensed under the Apache License, Version 2.0 (the "License");
-APPSEC_CONFIG=./appsec-config
+# You may obtain a copy of the License at
 APPSEC_DATA=./appsec-data
 APPSEC_LOGS=./appsec-logs
 APPSEC_LOCALCONFIG=./appsec-localconfig
-## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing
+#     http://www.apache.org/licenses/LICENSE-2.0
 ## open-appsec configuration via open-appsec Web UI.
 ## You can optionally set it to true when using local, declarative management for open-appsec,
 ## declarative configuration will then get applied automatically when changed.
 APPSEC_AUTO_POLICY_LOAD=false
-## Example for configuring HTTPS Proxy:
+# Unless required by applicable law or agreed to in writing, software
-## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
+# distributed under the License is distributed on an "AS IS" BASIS,
-APPSEC_HTTPS_PROXY=
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage
+##
-APPSEC_USER_EMAIL=user@email.com
+## Docker compose file for open-appsec integrated with Kong
-APPSEC_DB_PASSWORD=pass
+##
 APPSEC_DB_USER=postgres
 APPSEC_DB_HOST=appsec-db
 APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
-## Make sure to have a valid Kong declarative configuration file kong.yaml in the folder specified for KONG_CONFIG.
+version: "3.9"
-## For deployment of a simple lab testing environment, you can deploy the example configuration provided
+services:
-## for the vulnerable juice-shop container, see instructions further below.
+  appsec-agent:
-KONG_CONFIG=./kong-config
+    image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
    container_name: appsec-agent
    environment:
      - SHARED_STORAGE_HOST=appsec-shared-storage
      - LEARNING_HOST=appsec-smartsync
      - TUNING_HOST=appsec-tuning-svc
      - https_proxy=${APPSEC_HTTPS_PROXY}
      - user_email=${APPSEC_USER_EMAIL}
      - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
      - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
      - registered_server=Kong Server
    ipc: shareable
    restart: unless-stopped
    volumes:
      - ${APPSEC_CONFIG}:/etc/cp/conf
      - ${APPSEC_DATA}:/etc/cp/data
      - ${APPSEC_LOGS}:/var/log/nano_agent
      - ${APPSEC_LOCALCONFIG}:/ext/appsec
    command: /cp-nano-agent
-## For Kong Gateway Enterprise Edition set KONG_IMAGE to kong-gateway-attachment instead of kong-attachment
+  appsec-kong:
-KONG_IMAGE=kong-attachment
+    image: ghcr.io/openappsec/${KONG_IMAGE}:${APPSEC_VERSION}
    container_name: appsec-kong
    ipc: service:appsec-agent
 ## This docker compose deploys Kong in DB-less mode with declarative Kong configuration
 ## please make sure to have a valid config present in {KONG_CONFIG}:
    environment:
      - KONG_DATABASE=off
      - KONG_DECLARATIVE_CONFIG=/opt/kong/kong.yaml
    volumes:
      - ${KONG_CONFIG}:/opt/kong
    restart: unless-stopped
    ports:
      - "8000:8000"
      - "8443:8443"
      - "127.0.0.1:8001:8001"
      - "127.0.0.1:8444:8444"
-## To connect your deployment to central open-appsec WebUI provide the token for a profile
+  appsec-smartsync:
-## which you created in open-appsec WebUI at https://my.openappsec.io
+    profiles:
-## Example: APPSEC_AGENT_TOKEN=111-22222-111
+      - standalone
-APPSEC_AGENT_TOKEN=
+    image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
    container_name: appsec-smartsync
    environment:
      - SHARED_STORAGE_HOST=appsec-shared-storage
    restart: unless-stopped
    depends_on:
      - appsec-shared-storage
-## Important: When not providing token for connection to central WebUI:
+  appsec-shared-storage:
-## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable
+    profiles:
-## sharing of learning between processes and allow you to perform tuning locally on CLI
+      - standalone
-COMPOSE_PROFILES=
+    image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
    container_name: appsec-shared-storage
    ipc: service:appsec-agent
    restart: unless-stopped
 ## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
 ## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
    user: root
    volumes:
      - ${APPSEC_SMART_SYNC_STORAGE}:/db:z
 ## instead of using local storage for local learning (see line above)
 ## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
 ## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) 
 #     - learning_nfs:/db:z
-## JUICE SHOP DEMO CONTAINER:
+  appsec-tuning-svc:
-## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!):
+    profiles:
-## Add the value "juiceshop" to the COMPOSE_PROFILES value above.
+      - standalone
    image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
    container_name: appsec-tuning-svc
    environment:
      - SHARED_STORAGE_HOST=appsec-shared-storage
      - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
      - QUERY_DB_HOST=${APPSEC_DB_HOST}
      - QUERY_DB_USER=${APPSEC_DB_USER}
 ## only relevant when deploying own DB 
 #     - SSLMODE:
    restart: unless-stopped
    volumes:
      - ${APPSEC_CONFIG}:/etc/cp/conf
    depends_on:
      - appsec-shared-storage
      - appsec-db
  appsec-db:
    profiles:
      - standalone
    image: postgres
    container_name: appsec-db
    restart: unless-stopped
    environment:
      - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
      - POSTGRES_USER=${APPSEC_DB_USER} 
    volumes:
      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
-## Make sure to also adjust the kong.yaml file in KONG_CONFIG folder
+## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
-## to include service and route configuration for forwarding external traffic to the juiceshop-backend container
+  juiceshop-backend:
-## (kong listens by default for HTTP/HTTPS on port 8000/8443) 
+    image: bkimminich/juice-shop:latest
-## you can use the example file available here:
+    container_name: juiceshop-backend
-## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/kong/kong.yaml
+    profiles:
-## note that juiceshop container listens on HTTP port 3000 by default
+      - juiceshop
-## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here:
+## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
-## COMPOSE_PROFILES=standalone,juiceshop
+##
 ## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
 ##
 #volumes:
 # learning_nfs:
 #   driver: local
 #   driver_opts:
 #     type: nfs
 #     o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
 #     device: ":/"