waf-simple

Author: mkol5222

charts/simple-waf/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: simple-waf
+description: Simple deployment of CloudGuard WAF with self signed certificate
+type: application
+version: 0.0.1
+appVersion: "1.0.1"

charts/simple-waf/templates/NOTES.txt

@@ -0,0 +1,3 @@
+
+Enjoy your web app running at:
+    https://{{ .Values.hostname }}/

charts/simple-waf/templates/cert.yaml

@@ -0,0 +1,18 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: hello-klaud-cert
+  namespace: default
+spec:
+  secretName: hello-klaud-tls
+  duration: 2160h # 90 days
+  renewBefore: 360h # 15 days before expiry
+  subject:
+    organizations:
+      - Klaud Online
+  commonName:  {{.Values.hostname }}
+  dnsNames:
+    -  {{.Values.hostname }}
+  issuerRef:
+    name: selfsigned-cluster-issuer
+    kind: ClusterIssuer

charts/simple-waf/templates/deployment.yaml

@@ -0,0 +1,81 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: appsec
+spec:
+  replicas: 2  # Adjust the number of replicas as needed
+  selector:
+    matchLabels:
+      app: appsec
+  template:
+    metadata:
+      labels:
+        app: appsec
+    spec:
+      containers:
+      - name: cloudguard-appsec-standalone
+        env:
+        - name: CPTOKEN
+          valueFrom:
+            secretKeyRef:
+              name: appsec
+              key: cptoken
+        # securityContext:
+        #   runAsUser: 0
+        #   runAsGroup: 0
+        image: checkpoint/cloudguard-appsec-standalone:latest
+        #image: checkpoint/cloudguard-appsec-standalone:787396
+        args:
+        - /cloudguard-appsec-standalone
+        - --token
+        - $(CPTOKEN)
+        - --ignore-all
+        # env:
+        # - name: https_proxy
+        #   value: "user:password@Proxy address:port"
+        ports:
+        - containerPort: 443  # SSL port
+        - containerPort: 80   # HTTP port
+        - containerPort: 8117 # Health-check port
+        volumeMounts:
+            - name: tls-secret
+              mountPath: "/etc/certs/hello.pem"
+              subPath: "tls.crt"
+              readOnly: true
+            - name: tls-secret
+              mountPath: "/etc/certs/hello.key"
+              subPath: "tls.key"
+        # - name: certs
+        #   mountPath: "/etc/certs2/"
+        imagePullPolicy: Always
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 8117
+            scheme: HTTP
+          periodSeconds: 20
+          successThreshold: 1
+          timeoutSeconds: 10
+        startupProbe:
+          failureThreshold: 90
+          httpGet:
+            path: /
+            port: 8117
+            scheme: HTTP
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 10
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      #schedulerName: default-scheduler
+      securityContext: {}
+      terminationGracePeriodSeconds: 30
+      volumes:
+        - name: tls-secret
+          secret:
+            secretName: hello-klaud-tls
+        - name: certs
+          emptyDir: {}

charts/simple-waf/templates/issuer.yaml

@@ -0,0 +1,7 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned-cluster-issuer
+spec:
+  selfSigned: {}
+  

charts/simple-waf/templates/secret.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: appsec
+type: Opaque
+stringData:
+  cptoken: {{ .Values.cptoken }}

charts/simple-waf/templates/service.yaml

@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: appsec
+spec:
+  selector:
+    app: appsec
+  ports:
+    - protocol: TCP
+      port: 443
+      name: https
+      targetPort: 443  # Match the containerPort of the deployed pod
+    - protocol: TCP
+      port: 80
+      name: http
+      targetPort: 80   # Match the containerPort of the deployed pod
+    - protocol: TCP
+      port: 8117
+      name: health-check
+      targetPort: 8117  # Match the containerPort of the deployed pod
+  type: LoadBalancer

charts/simple-waf/values.yaml

@@ -0,0 +1,6 @@
+
+# hostname to publish to
+hostname: "hello.klaud.online"
+# token of your Docker Single Managed profile
+cptoken:
+