# Integration in GitOps CD (K8s)

open-appsec supports integration into existing GitOps CD processes where everything is configured "as-code" within a git repo. Learn how this is typically done for each of the following tasks.

## Deployment

To install open-appsec declaratively as code, use the helm command with the required parameters in the repo used for GitOps.

#### Step 1 (optional): Download helm chart for storing in custom helm repo and adjust references

Run the following command to obtain the latest helm chart, in case you have a requirement to store helm charts in your own helm repo.

{% tabs %}
{% tab title="NGINX Ingress Controller" %}

```
wget https://downloads.openappsec.io/packages/helm-charts/nginx-ingress/open-appsec-k8s-nginx-ingress-latest.tgz
```

{% endtab %}

{% tab title="Kong Gateway" %}

```
wget https://downloads.openappsec.io/packages/helm-charts/kong/open-appsec-k8s-kong-latest.tgz
```

{% endtab %}

{% tab title="APISIX" %}

```
wget https://downloads.openappsec.io/packages/helm-charts/apisix/open-appsec-k8s-apisix-latest.tgz
```

{% endtab %}
{% endtabs %}

#### Step 2 (optional): Download the containers for storing in custom container registry and adjust references

{% tabs %}
{% tab title="NGINX Ingress Controller" %}
If required, run the following commands to pull the required container images and import them to a custom container registry:

For the **nginx ingress controller** container image run:

```
docker pull ghcr.io/openappsec/nginx-ingress-attachment:[tag]
```

Replace \[tag] with the tag specified in the helm chart's values.yaml file under:\
appsec.nginx.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

appsec.nginx.image.repository (image and repo)\
appsec.nginx.image.tag

For the **open-appsec agent sidecar** container run:

```
docker pull ghcr.io/openappsec/agent:[tag]
```

Replace \[tag] with the tag specified in the helm chart's values.yaml file under:\
appsec.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

appsec.image.repository\
appsec.image.image\
appsec.image.tag

For the **open-appsec learning** container run:

```
docker pull ghcr.io/openappsec/open-appsec-learning:[tag]
```

Replace \[tag] with the tag specified in the helm chart's values.yaml file under:\
appsec.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

appsec.learning.image.registry \
appsec.learning.image.image\
appsec.learning.image.tag

For the **open-appsec shared storage** container run:

```
docker pull ghcr.io/openappsec/open-appsec-shared-storage:[tag]
```

Replace \[tag] with the tag specified in the helm chart's values.yaml file under:\
appsec.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

appsec.storage.image.registry\
appsec.storage.image.image\
appsec.storage.image.tag

For the **open-appsec tuning** container run:

```
docker pull ghcr.io/openappsec/open-appsec-tuning:[tag]
```

Replace \[tag] with the tag specified in the helm chart's values.yaml file under:\
appsec.tuning.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

appsec.tuning.image.registry\
appsec.tuning.image.image\
appsec.tuning.image.tag
{% endtab %}

{% tab title="Kong Gateway" %}

For the **kong/kong-gateway container** image run one of the following:

* For `kong` container:

```
docker pull ghcr.io/openappsec/kong-attachment:[tag]
```

* For `kong-gateway` container:

```
docker pull ghcr.io/openappsec/kong-gateway-attachment:[tag]
```

Replace \[tag] with the tag specified in the helm chart's values.yaml file under:\
appsec.kong.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

appsec.kong.image.repository (image and repo)\
appsec.kong.image.tag

For the **open-appsec agent sidecar** container run:

```
docker pull ghcr.io/openappsec/agent:[tag]
```

Replace \[tag] with the tag specified in the helm chart's values.yaml file under:\
appsec.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

appsec.image.repository\
appsec.image.image\
appsec.image.tag

For the **open-appsec learning** container run:

```
docker pull ghcr.io/openappsec/open-appsec-learning:[tag]
```

Replace \[tag] with the tag specified in the helm chart's values.yaml file under:\
appsec.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

appsec.learning.image.registry \
appsec.learning.image.image\
appsec.learning.image.tag

For the **open-appsec shared storage** container run:

```
docker pull ghcr.io/openappsec/open-appsec-shared-storage:[tag]
```

Replace \[tag] with the tag specified in the helm chart's values.yaml file under:\
appsec.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

appsec.storage.image.registry\
appsec.storage.image.image\
appsec.storage.image.tag

For the **open-appsec tuning** container run:

```
docker pull ghcr.io/openappsec/open-appsec-tuning:[tag]
```

Replace \[tag] with the tag specified in the helm chart's values.yaml file under:\
appsec.tuning.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

appsec.tuning.image.registry\
appsec.tuning.image.image\
appsec.tuning.image.tag

{% hint style="warning" %}
Proceed similarly for any additional Kong-related containers that are required as part of your Kong deployment (e.g. Kong ingress controller, database, ...).
{% endhint %}
{% endtab %}

{% tab title="APISIX" %}

For the **APISIX-gateway container** image run the following:

```
docker pull ghcr.io/openappsec/apisix-attachment:[tag]
```

Replace \[tag] with the tag specified in the helm chart's values.yaml file under:\
appsec.apisix.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

appsec.kong.image.repository (image and repo)\
appsec.kong.image.tag

For the **open-appsec agent sidecar** container run:

```
docker pull ghcr.io/openappsec/agent:[tag]
```

Replace \[tag] with the tag specified in the helm chart's values.yaml file under:\
appsec.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

appsec.image.repository\
appsec.image.image\
appsec.image.tag

For the **open-appsec learning** container run:

```
docker pull ghcr.io/openappsec/open-appsec-learning:[tag]
```

Replace \[tag] with the tag specified in the helm chart's values.yaml file under:\
appsec.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

appsec.learning.image.registry \
appsec.learning.image.image\
appsec.learning.image.tag

For the **open-appsec shared storage** container run:

```
docker pull ghcr.io/openappsec/open-appsec-shared-storage:[tag]
```

Replace \[tag] with the tag specified in the helm chart's values.yaml file under:\
appsec.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

appsec.storage.image.registry\
appsec.storage.image.image\
appsec.storage.image.tag

For the **open-appsec tuning** container run:

```
docker pull ghcr.io/openappsec/open-appsec-tuning:[tag]
```

Replace \[tag] with the tag specified in the helm chart's values.yaml file under:\
appsec.tuning.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

appsec.tuning.image.registry\
appsec.tuning.image.image\
appsec.tuning.image.tag

{% hint style="info" %}
Proceed similarly for any additional APISIX-related containers that are required as part of your APISIX deployment (e.g. APISIX ingress controller, database, ...).
{% endhint %}

{% endtab %}
{% endtabs %}
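
The pull, upload and re-point procedure from Step 2 as one reviewable script. This is an added example, not part of the open-appsec documentation; `registry.example.internal`, the `1.0.0` tags and the function names are assumptions, and the real tags come from the chart's values.yaml.

```shell
#!/bin/sh
# Added example, not part of the open-appsec docs: mirror the Step 2 images
# into a private registry. Registry host and tags below are placeholders.

# target_ref SRC REGISTRY: keep "openappsec/<image>:<tag>", swap the registry host.
target_ref() {
  printf '%s/%s\n' "${2%/}" "${1#*/}"
}

# mirror_image SRC REGISTRY: pull, retag and push one image.
# Prints the commands unless MIRROR_RUN=1, so the plan can be reviewed first.
mirror_image() {
  src=$1
  dst=$(target_ref "$1" "$2")
  name=${src##*/}
  # Refuse the unresolved [tag] placeholder, a missing tag and the mutable "latest".
  case $name in
    *:\[tag\]|*:latest|*:) echo "refusing unpinned image: $src" >&2; return 1 ;;
    *:*) ;;
    *) echo "refusing untagged image: $src" >&2; return 1 ;;
  esac
  for cmd in "docker pull $src" "docker tag $src $dst" "docker push $dst"; do
    if [ "${MIRROR_RUN:-0}" = 1 ]; then $cmd || return 1; else echo "$cmd"; fi
  done
}

# mirror_all REGISTRY REF...: stop at the first image that fails.
mirror_all() {
  reg=$1; shift
  for ref in "$@"; do mirror_image "$ref" "$reg" || return 1; done
}

# Example (tags are constructed; use the ones from values.yaml):
#   mirror_all registry.example.internal \
#     ghcr.io/openappsec/agent:1.0.0 ghcr.io/openappsec/open-appsec-learning:1.0.0
```

Run it once without `MIRROR_RUN` to review the printed plan, then with `MIRROR_RUN=1` to execute it.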

#### Step 3: Use open-appsec helm chart for install and CRD deployment in GitOps CD

Use the following helm command in your git repo for declarative deployment of open-appsec to your cluster via GitOps CD. This will also add the CRDs for open-appsec's new custom K8s resource types that will be used later for defining the protection policies, logging settings, exceptions, user response and more.

{% hint style="warning" %}
Make sure to check the documentation of your GitOps CD tool for how exactly it requires the helm command and the helm parameters to be specified in the git repo.
{% endhint %}

{% tabs %}
{% tab title="NGINX Ingress Controller" %}

```
helm install open-appsec-k8s-nginx-ingress-latest.tgz \
--name-template=open-appsec \
--set appsec.mode=standalone \
--set controller.ingressClass=appsec-nginx \
--set controller.ingressClassResource.name=appsec-nginx \
--set controller.ingressClassResource.controllerValue="k8s.io/appsec-nginx" \
--set appsec.persistence.enabled=false \
--set controller.service.externalTrafficPolicy=Local \
-n appsec --create-namespace
```

{% endtab %}

{% tab title="Kong Gateway" %}

```
helm install open-appsec-k8s-kong-latest.tgz \
--name-template=open-appsec \
--set appsec.mode=standalone \
--set ingressController.ingressClass=appsec-kong \
--set appsec.persistence.enabled=false \
--set appsec.userEmail="<your-email-address>" \
-n appsec --create-namespace
```

{% endtab %}

{% tab title="APISIX" %}

```
helm install open-appsec-k8s-apisix-latest.tgz \
--name-template=appsec-apisix \
--set appsec.mode=standalone \
--set rbac.create=true \
--set service.type=LoadBalancer \
--set appsec.persistence.enabled=false \
--set ingress-controller.enabled=true \
--set ingress-controller.config.kubernetes.ingressClass=appsec-apisix \
--set appsec.userEmail="<your-email-address>" \
--set appsec.agentToken= \
--create-namespace \
-n appsec-apisix
```

{% endtab %}
{% endtabs %}

{% hint style="warning" %}
If you stored the helm chart in your own helm repo adjust the helm chart URL above accordingly. \
If you stored the container images in your own container registry don't forget to add the parameters mentioned in Step 1 and Step 2 above to the helm install command to specify the new locations.
{% endhint %}

{% hint style="warning" %}
Note: The above requires persistent storage to be available in your K8s cluster, otherwise set appsec.persistence.enabled to false.
{% endhint %}

{% hint style="info" %}
More details on the available helm parameters: [Install Using Helm](/getting-started/start-with-kubernetes/install-using-helm.md#optional-helm-install-parameters)\
For the full list of available parameters please see the values.yaml file in the helm chart.
{% endhint %}

## Configuration

#### Step 4: Create custom CRDs for configuration

Create all required custom CRDs as .yaml files and place them in your Git repo.\
Specify the code locations as required by your GitOps CD tool for deployment to your cluster.

You can find all details as well as examples for the available CRDs here: [Configuration Using CRDs](/getting-started/start-with-kubernetes/configuration-using-crds.md)

You would typically create at least one of each of the following custom resources to get started:

* policy.openappsec.io
* practice.openappsec.io
* logtrigger.openappsec.io

#### Step 5: Add annotation to ingress resource to activate open-appsec

Specify the policy CRD you created in the ingress resource you want to protect with open-appsec.

In the example below replace "open-appsec-custom-policy" with the name of the policy resource you created.

```yaml
openappsec.io/policy: open-appsec-custom-policy
```

#### Step 6: Change the ingressClassName to use open-appsec

{% tabs %}
{% tab title="Ingress NGINX" %}
In the ingress definition make sure to set the ingressClassName to use open-appsec.

```yaml
spec:
  ingressClassName: appsec-nginx
```

{% endtab %}

{% tab title="Kong" %}
In the ingress definition make sure to set the ingressClassName to use open-appsec.

```yaml
spec:
  ingressClassName: appsec-kong
```

{% endtab %}

{% tab title="APISIX" %}

```yaml
spec:
  ingressClassName: appsec-apisix
```

{% endtab %}
{% endtabs %}
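
Steps 5 and 6 together, as a check that can run before a manifest is merged into the GitOps repo. This is an added example, not part of the open-appsec documentation: `write_sample` emits a constructed Ingress (name, host and backend service are made up) showing where the annotation and the ingressClassName live, and `check_ingress` assumes one resource per file with block-style, 2-space-indented YAML.

```shell
#!/bin/sh
# Added example, not part of the open-appsec docs: pre-merge check that an
# Ingress manifest in the GitOps repo is wired to open-appsec.
# Assumptions: one resource per file, block-style YAML, 2-space indentation.

# write_sample FILE: constructed Ingress showing where both settings live.
# Name, host and backend service are made up for the example.
write_sample() {
  cat > "$1" <<'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-ingress
  annotations:
    openappsec.io/policy: open-appsec-custom-policy
spec:
  ingressClassName: appsec-nginx
  rules:
    - host: demo.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: demo-svc
                port:
                  number: 80
EOF
}

# check_ingress FILE CLASS: returns 0 only if FILE carries a non-empty
# openappsec.io/policy annotation and spec.ingressClassName equals CLASS.
check_ingress() {
  awk -v want="$2" '
    /^[^ #]/ { top = $1; sub(/:.*/, "", top); inann = 0 }
    /^  [^ ]/ { inann = 0 }
    top == "metadata" && /^  annotations:/ { inann = 1 }
    inann && /^    openappsec\.io\/policy: *[^ ]/ { policy = 1 }
    top == "spec" && /^  ingressClassName:/ { v = $2; gsub(/"/, "", v); if (v == want) cls = 1 }
    END { exit !(policy && cls) }
  ' "$1"
}

# Usage: sh check-ingress.sh path/to/ingress.yaml appsec-nginx
if [ "$#" -eq 2 ]; then check_ingress "$1" "$2"; fi
```

An Ingress that fails this check would be deployed without an open-appsec policy assigned or on a different ingress class, so a non-zero exit is a reason to block the merge.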

#### Done! Now open-appsec's deployment, configuration as well as the activation and policy assignment in the selected ingress resource or for Kong Gateway are configured declaratively as code.

{% hint style="info" %}
Instead of configuring open-appsec declaratively via your git repo using CRDs, it's possible to use open-appsec's cloud management WebUI while continuing to use GitOps CD for the actual deployment of open-appsec.

Create or access your open-appsec tenant here: [https://my.openappsec.io](https://my.openappsec.io)

Create or access a new profile of type "Kubernetes profile" in the WebUI.

Then use the helm chart in the same way as above in your code repo, but adjust/include the following two parameter settings:

Adjust the management mode helm parameter to switch to central management:

`--set appsec.mode="managed"`

Add the following helm parameter (replace \[token] with your open-appsec profile's token) to associate your open-appsec deployment with the selected profile in your cloud management:

`--set appsec.agentToken=[token]`

(Copy the token from the profile's properties under Authentication -> Token in the WebUI.)
{% endhint %}


