
Integration in GitOps CD (K8s)

open-appsec supports integration into existing GitOps CD processes where everything is configured "as-code" within a git repo. Learn how this is typically done for each of the following tasks.

Deployment

To install open-appsec declaratively as code, use the helm command with the required parameters in the repo used for GitOps.

Step 1 (optional): Download helm chart for storing in custom helm repo and adjust references

If you are required to store helm charts in your own helm repo, run the following commands to obtain the latest helm charts.

wget https://downloads.openappsec.io/packages/helm-charts/nginx-ingress/open-appsec-k8s-nginx-ingress-latest.tgz
wget https://downloads.openappsec.io/packages/helm-charts/kong/open-appsec-k8s-kong-latest.tgz
wget https://downloads.openappsec.io/packages/helm-charts/apisix/open-appsec-k8s-apisix-latest.tgz

Step 2 (optional): Download the containers for storing in custom container registry and adjust references

If required run the following commands to pull the required container images and import them to a custom container registry:

For the NGINX ingress controller container image run:

docker pull ghcr.io/openappsec/nginx-ingress-attachment:[tag]

Replace [tag] with the tag specified in the helm chart's values.yaml file under: appsec.nginx.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

  • appsec.nginx.image.repository (image and repo)
  • appsec.nginx.image.tag

For the open-appsec agent sidecar container run:

docker pull ghcr.io/openappsec/agent:[tag]

Replace [tag] with the tag specified in the helm chart's values.yaml file under: appsec.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

  • appsec.image.repository
  • appsec.image.image
  • appsec.image.tag

For the open-appsec learning container run:

docker pull ghcr.io/openappsec/open-appsec-learning:[tag]

Replace [tag] with the tag specified in the helm chart's values.yaml file under: appsec.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

  • appsec.learning.image.registry
  • appsec.learning.image.image
  • appsec.learning.image.tag

For the open-appsec shared storage container run:

docker pull ghcr.io/openappsec/open-appsec-shared-storage:[tag]

Replace [tag] with the tag specified in the helm chart's values.yaml file under: appsec.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

  • appsec.storage.image.registry
  • appsec.storage.image.image
  • appsec.storage.image.tag

For the open-appsec tuning container run:

docker pull ghcr.io/openappsec/open-appsec-tuning:[tag]

Replace [tag] with the tag specified in the helm chart's values.yaml file under: appsec.tuning.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

  • appsec.tuning.image.registry
  • appsec.tuning.image.image
  • appsec.tuning.image.tag

For the kong/kong-gateway container image run one of the following:

  • For kong container:

docker pull ghcr.io/openappsec/kong-attachment:[tag]

  • For kong-gateway container:

docker pull ghcr.io/openappsec/kong-gateway-attachment:[tag]

Replace [tag] with the tag specified in the helm chart's values.yaml file under: appsec.kong.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

  • appsec.kong.image.repository (image and repo)
  • appsec.kong.image.tag

For the open-appsec agent sidecar container run:

docker pull ghcr.io/openappsec/agent:[tag]

Replace [tag] with the tag specified in the helm chart's values.yaml file under: appsec.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

  • appsec.image.repository
  • appsec.image.image
  • appsec.image.tag

For the open-appsec learning container run:

docker pull ghcr.io/openappsec/open-appsec-learning:[tag]

Replace [tag] with the tag specified in the helm chart's values.yaml file under: appsec.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

  • appsec.learning.image.registry
  • appsec.learning.image.image
  • appsec.learning.image.tag

For the open-appsec shared storage container run:

docker pull ghcr.io/openappsec/open-appsec-shared-storage:[tag]

Replace [tag] with the tag specified in the helm chart's values.yaml file under: appsec.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

  • appsec.storage.image.registry
  • appsec.storage.image.image
  • appsec.storage.image.tag

For the open-appsec tuning container run:

docker pull ghcr.io/openappsec/open-appsec-tuning:[tag]

Replace [tag] with the tag specified in the helm chart's values.yaml file under: appsec.tuning.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

  • appsec.tuning.image.registry
  • appsec.tuning.image.image
  • appsec.tuning.image.tag

Proceed similarly for any additional Kong-related containers that are required as part of your Kong deployment (e.g. Kong ingress controller, database, ...).

For the APISIX-gateway container image run:

docker pull ghcr.io/openappsec/apisix-attachment:[tag]

Replace [tag] with the tag specified in the helm chart's values.yaml file under: appsec.apisix.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

  • appsec.kong.image.repository (image and repo)
  • appsec.kong.image.tag

For the open-appsec agent sidecar container run:

docker pull ghcr.io/openappsec/agent:[tag]

Replace [tag] with the tag specified in the helm chart's values.yaml file under: appsec.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

  • appsec.image.repository
  • appsec.image.image
  • appsec.image.tag

For the open-appsec learning container run:

docker pull ghcr.io/openappsec/open-appsec-learning:[tag]

Replace [tag] with the tag specified in the helm chart's values.yaml file under: appsec.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

  • appsec.learning.image.registry
  • appsec.learning.image.image
  • appsec.learning.image.tag

For the open-appsec shared storage container run:

docker pull ghcr.io/openappsec/open-appsec-shared-storage:[tag]

Replace [tag] with the tag specified in the helm chart's values.yaml file under: appsec.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

  • appsec.storage.image.registry
  • appsec.storage.image.image
  • appsec.storage.image.tag

For the open-appsec tuning container run:

docker pull ghcr.io/openappsec/open-appsec-tuning:[tag]

Replace [tag] with the tag specified in the helm chart's values.yaml file under: appsec.tuning.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

  • appsec.tuning.image.registry
  • appsec.tuning.image.image
  • appsec.tuning.image.tag

Proceed similarly for any additional APISIX-related containers that are required as part of your APISIX deployment (e.g. APISIX ingress controller, database, ...).

Step 3: Use open-appsec helm chart for install and CRD deployment in GitOps CD

Use the following helm command in your git repo for declarative deployment of open-appsec to your cluster via GitOps CD. This will also add the CRDs for open-appsec's new custom K8s resource types that will be used later for defining the protection policies, logging settings, exceptions, user response and more.

Check the documentation of your GitOps CD tool for exactly how it requires the helm command and the helm parameters to be specified in the git repo.

For NGINX Ingress:

helm install open-appsec-k8s-nginx-ingress-latest.tgz \
--name-template=open-appsec \
--set appsec.mode=standalone \
--set controller.ingressClass=appsec-nginx \
--set controller.ingressClassResource.name=appsec-nginx \
--set controller.ingressClassResource.controllerValue="k8s.io/appsec-nginx" \
--set appsec.persistence.enabled=false \
--set controller.service.externalTrafficPolicy=Local \
-n appsec --create-namespace

For Kong:

helm install open-appsec-k8s-kong-latest.tgz \
--name-template=open-appsec \
--set appsec.mode=standalone \
--set ingressController.ingressClass=appsec-kong \
--set appsec.persistence.enabled=false \
--set appsec.userEmail="<your-email-address>" \
-n appsec --create-namespace

For APISIX:

helm install open-appsec-k8s-apisix-latest.tgz \
--name-template=appsec-apisix \
--set appsec.mode=standalone \
--set rbac.create=true \
--set service.type=LoadBalancer \
--set appsec.persistence.enabled=false \
--set ingress-controller.enabled=true \
--set ingress-controller.config.kubernetes.ingressClass=appsec-apisix \
--set appsec.userEmail="<your-email-address>" \
--set appsec.agentToken= \
--create-namespace \
-n appsec-apisix

If you stored the helm chart in your own helm repo adjust the helm chart URL above accordingly. If you stored the container images in your own container registry don't forget to add the parameters mentioned in Step 1 and Step 2 above to the helm install command to specify the new locations.

Note: The above requires persistent storage to be available in your K8s cluster; otherwise set the value of appsec.persistence.enabled to false.

Configuration

Step 4: Create custom CRDs for configuration

Create all required custom CRDs as .yaml files and place them in your Git repo. Specify the code locations as required by your GitOps CD tool for deployment to your cluster. You can find all details as well as examples for the available CRDs in: Configuration Using CRDs

You would typically create at least one of each of the following custom resources to get started:

  • policy.openappsec.io

  • practice.openappsec.io

  • logtrigger.openappsec.io

Step 5: Add annotation to ingress resource to activate open-appsec

Specify the policy CRD you created in the ingress resource you want to protect with open-appsec.

In the example below replace "open-appsec-custom-policy" with the name of the policy resource you created.

openappsec.io/policy: open-appsec-custom-policy

Step 6: Change the ingressClassName to use open-appsec

In the ingress definition make sure to set the ingressClassName to use open-appsec.

For NGINX Ingress:

spec:
  ingressClassName: appsec-nginx

For Kong:

spec:
  ingressClassName: appsec-kong

For APISIX:

spec:
  ingressClassName: appsec-apisix

Done! Now open-appsec's deployment, configuration as well as the activation and policy assignment in the selected ingress resource or for Kong Gateway are configured declaratively as code.
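
Added example, not part of the open-appsec documentation or project code: a POSIX shell check that a GitOps pipeline could run before merge, confirming that every ingress manifest that selects an appsec ingress class (Step 6) also carries the openappsec.io/policy annotation (Step 5). The manifests, the names shop, blog and legacy, and the script name check.sh are constructed for illustration.

```shell
#!/bin/sh
# Added example (not open-appsec code): lists each YAML document that selects an
# appsec ingress class but has no openappsec.io/policy annotation (line-based).

check_appsec_ingress() {   # args: manifest files; prints "file#doc" per finding
    awk '
        function flush() {
            if (uses_class && !has_policy) { printf "%s#%d\n", fname, doc; bad = 1 }
            uses_class = 0; has_policy = 0
        }
        FNR == 1 { if (NR > 1) flush(); fname = FILENAME; doc = 1; seen = 0 }
        /^---[ \t]*$/ { flush(); if (seen) doc++; seen = 0; next }
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        { seen = 1 }
        /^[ \t]*ingressClassName:[ \t]*"?appsec-(nginx|kong|apisix)"?([ \t]|$)/ { uses_class = 1 }
        /^[ \t]*openappsec\.io\/policy:[ \t]*[^ \t#]/ { has_policy = 1 }
        END { flush(); exit bad }
    ' "$@"
}

write_samples() {   # arg: directory; constructed manifests, names are hypothetical
    cat > "$1/shop.yaml" <<'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop
  annotations:
    openappsec.io/policy: open-appsec-custom-policy   # Step 5
spec:
  ingressClassName: appsec-nginx                      # Step 6
EOF
    cat > "$1/blog.yaml" <<'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: blog
spec:
  ingressClassName: appsec-kong   # class switched, annotation missing
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: legacy
spec:
  ingressClassName: nginx         # not an appsec class, ignored
EOF
}

# Usage: sh check.sh manifests/*.yaml   or   sh check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT && write_samples "$d" && set -- "$d"/*.yaml
fi
if [ "$#" -gt 0 ]; then check_appsec_ingress "$@"; fi
```

The check exits with status 1 when it lists anything, so it can gate a merge; on the constructed samples it lists only the first document of blog.yaml.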

Instead of configuring open-appsec declaratively via your git repo using CRDs, it's possible to use open-appsec's cloud management WebUI while continuing to use GitOps CD for the actual deployment of open-appsec.

Create or access a new profile of type "Kubernetes profile" in the WebUI.

Then use the helm chart in the same way as above in your code repo, but adjust/include the following two parameter settings:

Adjust the management mode helm parameter to switch to central management:

--set appsec.mode="managed"

Add the following helm parameter (replace [token] with your open-appsec profile's token) to associate your open-appsec deployment with the selected profile in your cloud management:

--set appsec.agentToken=[token]

(Copy the token from profile's properties under Authentication -> Token in the WebUI.)


Last updated 2 months ago


More details on the available helm parameters: For the full list of available parameters please see the values.yaml file in the helm chart.

Create or access your open-appsec tenant here:

https://my.openappsec.io