Integration in GitOps CD (K8s Ingress NGINX and Kong in K8s)

open-appsec supports integration into existing GitOps CD processes where everything is configured "as-code" within a git repo. Learn how this is typically done for each of the following tasks.

Deployment

In order to declaratively install open-appsec as code the helm command can be used with the required parameters in the repo used for GitOps .

Step 1 (optional): Download helm chart for storing in custom helm repo and adjust references

Run the following command to obtain the latest helm chart, in case you have a requirement to store helm charts in your own helm repo.

wget https://downloads.openappsec.io/packages/helm-charts/nginx-ingress/open-appsec-k8s-nginx-ingress-latest.tgz

Step 2 (optional): Download the containers for storing in custom container registry and adjust references

If required run the following commands to pull the required container images and import them to a custom container registry:

For the nginx ingress ingress controller container image run:

docker pull ghcr.io/openappsec/nginx-ingress-attachment:[tag]

Replace [tag] with the tag specified in the helm chart's values.yaml file under: appsec.nginx.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

appsec.nginx.image.repository (image and repo) appsec.nginx.image.tag

For the open-appsec agent sidecar container run:

docker pull ghcr.io/openappsec/agent:[tag]

Replace [tag] with the tag specified in the helm chart's values.yaml file under: appsec.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

appsec.image.repository appsec.image.image appsec.image.tag

For the open-appsec learning container run:

docker pull ghcr.io/openappsec/open-appsec-learning:[tag]

Replace [tag] with the tag specified in the helm chart's values.yaml file under: appsec.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

appsec.learning.image.registry appsec.learning.image.image appsec.learning.image.tag

For the open-appsec shared storage container run:

docker pull ghcr.io/openappsec/open-appsec-shared-storage:[tag]

Replace [tag] with the tag specified in the helm chart's values.yaml file under: appsec.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

appsec.storage.image.registry appsec.storage.image.image appsec.storage.image.tag For the open-appsec tuning container run:

docker pull ghcr.io/openappsec/open-appsec-tuning:[tag]

Replace [tag] with the tag specified in the helm chart's values.yaml file under: appsec.tuning.image.tag

Upload the downloaded container image to the custom container registry.

Adjust the container reference in helm chart's values.yaml or with helm command parameters here to point to the container in the custom registry:

appsec.tuning.image.registry appsec.tuning.image.image appsec.tuning.image.tag

Step 3: Use open-appsec helm chart for install and CRD deployment in GitOps CD

Use the following helm command in your git repo for declarative deployment of open-appsec to your cluster via GitOps CD. This will also add the CRDs for open-appsec's new custom K8s resource types that will be used later for defining the protection policies, logging settings, exceptions, user response and more.

Make sure to check the documentation of your GitOps CD tool how exactly it requires the helm command and the helm parameters to be specified in the git repo.

helm install open-appsec-k8s-nginx-ingress-latest.tgz \
--name-template=open-appsec \
--set appsec.mode=standalone \
--set controller.ingressClass=appsec-nginx \
--set controller.ingressClassResource.name=appsec-nginx \
--set controller.ingressClassResource.controllerValue="k8s.io/appsec-nginx" \
--set appsec.persistence.enabled=false \
--set controller.service.externalTrafficPolicy=Local \
-n appsec --create-namespace

If you stored the helm chart in your own helm repo adjust the helm chart URL above accordingly. If you stored the container images in your own container registry don't forget to add the parameters mentioned in Step 1 and Step 2 above to the helm install command to specify the new locations.

Note: The above requires persistent storage to be available in your K8s cluster, otherwise set the value for the appsec.persistence.enabled to false.

More details on the available helm parameters: #optional-helm-install-parameters For the full list of available parameters please see the values.yaml file in the helm chart.

Configuration

Step 4: Create custom CRDs for configuration

Create all required custom CRDs as .yaml files and place them in your Git repo. Specify the code locations as required by your GitOps CD tool for deployment to your cluster. You find all details as well as examples for the available CRDs here: Configuration Using CRDs

You would typically create at least one of each of the following custom resources to get started:

  • policy.openappsec.io

  • practice.openappsec.io

  • logtrigger.openappsec.io

Step 5: Add annotation to ingress resource to activate open-appsec

Specify the policy CRD you created in the ingress resource you want to protect with open-appsec.

In the example below replace "open-appsec-custom-policy" with the name of the policy resource you created.

openappsec.io/policy: open-appsec-custom-policy

Step 6: Change the ingressClassName to use open-appsec

In the ingress definition make sure to set the ingressClassName to use open-appsec.

spec: ingressClassName: appsec-nginx

Done! Now open-appsec's deployment, configuration as well as the activation and policy assignment in the selected ingress resource or for Kong Gateway are configured declaratively as code.

Instead of configuring open-appsec declaratively via your git repo using CRDs it's possible to use the open-appsec's cloud management WebUI while continuing to use GitOps CD for the actual deployment of open-appsec.

Create or access your open-appsec tenant here: https://my.openappsec.io

Create or access a new profile of type "Kubernetes profile" in the WebUI.

Then use the helm chart in the same way as above in your code repo, but adjust/include the following two paramenter settings: Adjust the management mode helm parameter to switch to central management:

--set appsec.mode="managed" Add following helm parameter (replace [token] with your open-appsec profile's token) to associate your open-appsec deployment with the selected profile in your cloud management:

--set appsec.agentToken=[token]

(Copy the token from profile's properties under Authentication -> Token in the WebUI.)

Last updated