Update docker-compose.yaml

deployment/kong/docker-compose.yaml

@@ -1,135 +1,57 @@
-# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+## .env file for docker-compose deployments of open-appsec integrated with Kong
+## for more info see https://docs.openappsec.io
 
-# Licensed under the Apache License, Version 2.0 (the "License");
-# You may obtain a copy of the License at
+APPSEC_VERSION=latest
+APPSEC_CONFIG=./appsec-config
+APPSEC_DATA=./appsec-data
+APPSEC_LOGS=./appsec-logs
+APPSEC_LOCALCONFIG=./appsec-localconfig
 
-#     http://www.apache.org/licenses/LICENSE-2.0
+## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing
+## open-appsec configuration via open-appsec Web UI.
+## You can optionally set it to true when using local, declarative management for open-appsec,
+## declarative configuration will then get applied automatically when changed.
+APPSEC_AUTO_POLICY_LOAD=false
 
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+## Example for configuring HTTPS Proxy:
+## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
+APPSEC_HTTPS_PROXY=
 
-##
-## Docker compose file for open-appsec integrated with Kong
-##
+APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage
+APPSEC_USER_EMAIL=user@email.com
+APPSEC_DB_PASSWORD=pass
+APPSEC_DB_USER=postgres
+APPSEC_DB_HOST=appsec-db
+APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
 
-version: "3.9"
-services:
-  appsec-agent:
-    image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
-    container_name: appsec-agent
-    environment:
-      - SHARED_STORAGE_HOST=appsec-shared-storage
-      - LEARNING_HOST=appsec-smartsync
-      - TUNING_HOST=appsec-tuning-svc
-      - https_proxy=${APPSEC_HTTPS_PROXY}
-      - user_email=${APPSEC_USER_EMAIL}
-      - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
-      - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
-      - registered_server=Kong Server
-    ipc: shareable
-    restart: unless-stopped
-    volumes:
-      - ${APPSEC_CONFIG}:/etc/cp/conf
-      - ${APPSEC_DATA}:/etc/cp/data
-      - ${APPSEC_LOGS}:/var/log/nano_agent
-      - ${APPSEC_LOCALCONFIG}:/ext/appsec
-    command: /cp-nano-agent
+## Make sure to have a valid Kong declarative configuration file kong.yaml in the folder specified for KONG_CONFIG.
+## For deployment of a simple lab testing environment, you can deploy the example configuration provided
+## for the vulnerable juice-shop container, see instructions further below.
+KONG_CONFIG=./kong-config
 
-  appsec-kong:
-    image: ghcr.io/openappsec/${KONG_IMAGE}:${APPSEC_VERSION}
-    container_name: appsec-kong
-    ipc: service:appsec-agent
-## This docker compose deploys Kong in DB-less mode with declarative Kong configuration
-## please make sure to have a valid config present in {KONG_CONFIG}:
-    environment:
-      - KONG_DATABASE=off
-      - KONG_DECLARATIVE_CONFIG=/opt/kong/kong.yaml
-    volumes:
-      - ${KONG_CONFIG}:/opt/kong
-    restart: unless-stopped
-    ports:
-      - "8000:8000"
-      - "8443:8443"
-      - "127.0.0.1:8001:8001"
-      - "127.0.0.1:8444:8444"
+## For Kong Gateway Enterprise Edition set KONG_IMAGE to kong-gateway-attachment instead of kong-attachment
+KONG_IMAGE=kong-attachment
 
-  appsec-smartsync:
-    profiles:
-      - standalone
-    image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
-    container_name: appsec-smartsync
-    environment:
-      - SHARED_STORAGE_HOST=appsec-shared-storage
-    restart: unless-stopped
-    depends_on:
-      - appsec-shared-storage
+## To connect your deployment to central open-appsec WebUI provide the token for a profile
+## which you created in open-appsec WebUI at https://my.openappsec.io
+## Example: APPSEC_AGENT_TOKEN=111-22222-111
+APPSEC_AGENT_TOKEN=
 
-  appsec-shared-storage:
-    profiles:
-      - standalone
-    image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
-    container_name: appsec-shared-storage
-    ipc: service:appsec-agent
-    restart: unless-stopped
-## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
-## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
-    user: root
-    volumes:
-      - ${APPSEC_SMART_SYNC_STORAGE}:/db:z
-## instead of using local storage for local learning (see line above)
-## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
-## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) 
-#     - learning_nfs:/db:z
+## Important: When not providing token for connection to central WebUI:
+## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable
+## sharing of learning between processes and allow you to perform tuning locally on CLI
+COMPOSE_PROFILES=
 
-  appsec-tuning-svc:
-    profiles:
-      - standalone
-    image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
-    container_name: appsec-tuning-svc
-    environment:
-      - SHARED_STORAGE_HOST=appsec-shared-storage
-      - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
-      - QUERY_DB_HOST=${APPSEC_DB_HOST}
-      - QUERY_DB_USER=${APPSEC_DB_USER}
-## only relevant when deploying own DB 
-#     - SSLMODE:
-    restart: unless-stopped
-    volumes:
-      - ${APPSEC_CONFIG}:/etc/cp/conf
-    depends_on:
-      - appsec-shared-storage
-      - appsec-db
-      
-  appsec-db:
-    profiles:
-      - standalone
-    image: postgres
-    container_name: appsec-db
-    restart: unless-stopped
-    environment:
-      - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
-      - POSTGRES_USER=${APPSEC_DB_USER} 
-    volumes:
-      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
+## JUICE SHOP DEMO CONTAINER:
+## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!):
+## Add the value "juiceshop" to the COMPOSE_PROFILES value above.
 
-## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
-  juiceshop-backend:
-    image: bkimminich/juice-shop:latest
-    container_name: juiceshop-backend
-    profiles:
-      - juiceshop
+## Make sure to also adjust the kong.yaml file in KONG_CONFIG folder
+## to include service and route configuration for forwarding external traffic to the juiceshop-backend container
+## (kong listens by default for HTTP/HTTPS on port 8000/8443) 
+## you can use the example file available here:
+## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/kong/kong.yaml
+## note that juiceshop container listens on HTTP port 3000 by default
 
-## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
-##
-## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
-##
-#volumes:
-# learning_nfs:
-#   driver: local
-#   driver_opts:
-#     type: nfs
-#     o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
-#     device: ":/"
+## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here:
+## COMPOSE_PROFILES=standalone,juiceshop