Merge pull request #28 from akto-api-security/feature/source-code-ana…

…lyser akto source code helm chart
akto-api-security · Nov 19, 2024 · 8ad7361 · 8ad7361
2 parents c27a611 + ee2d64b
commit 8ad7361
Show file tree

Hide file tree

Showing 8 changed files with 342 additions and 1 deletion.
diff --git a/charts/akto-setup-database-abstractor/values.yaml b/charts/akto-setup-database-abstractor/values.yaml
@@ -9,7 +9,7 @@ database_abstractor:
       aktoInstanceType: DASHBOARD
     image:
       repository: public.ecr.aws/aktosecurity/akto-api-security-database-abstractor
-      tag: test
+      tag: doom
     imagePullPolicy: IfNotPresent
     resources:
       requests:

diff --git a/charts/source-code-analyser/.helmignore b/charts/source-code-analyser/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/source-code-analyser/Chart.yaml b/charts/source-code-analyser/Chart.yaml
@@ -0,0 +1,18 @@
+apiVersion: v2
+name: akto-source-code-analyser
+description: Helm chart for installing Akto-source-code-analyser
+type: application
+version: 0.1.4
+appVersion: "0.1.4"
+home: https://www.akto.io
+icon: https://akto-setup.s3.amazonaws.com/templates/128x128.png
+sources:
+  - https://github.com/akto-api-security/helm-charts/tree/master/charts/source-code-analyser
+keywords:
+  - akto
+  - api
+  - api security
+  - dast
+maintainers:
+  - name: Ankush Jain
+    email: ankush@akto.io
diff --git a/charts/source-code-analyser/README>md b/charts/source-code-analyser/README>md
@@ -0,0 +1,63 @@
+# Akto setup
+
+You can install Akto via Helm charts. 
+
+## Resources
+Akto's Helm chart repo is on GitHub [here](https://github.com/akto-api-security/helm-charts).
+You can also find Akto on Helm.sh [here](https://artifacthub.io/packages/helm/akto/akto).
+
+## Prerequisites
+Please ensure you have the following -
+1. A Kubernetes cluster where you have deploy permissions
+2. `helm` command installed. Check [here](https://helm.sh/docs/intro/install/)
+
+## Steps 
+Here are the steps to install Akto via Helm charts - 
+
+1. Prepare Mongo Connection string
+2. Install Akto via Helm
+3. Verify Installation and harden security
+
+### Create Mongo instance
+Akto Helm setup needs a Mongo connection string as input. It can come from either of the following -
+1. **Your own Mongo**
+   Ensure your machine where you setup Mongo is NOT exposed to public internet. It shouldn't have a public IP. You can setup Mongo by running the following commands.
+   ```
+   sudo yum update -y
+   sudo yum install -y docker
+   sudo dockerd&
+   docker run --name mongo --restart always -v ./data:/data/db -p 27017:27017 mongo
+   sudo systemctl enable /usr/lib/systemd/system/docker.service
+   ```
+   <img width="1161" alt="AWS EC2 Mongo" src="https://github.com/akto-api-security/Documentation/assets/91221068/0b6b87e8-9797-4729-ab01-fd48f99efbd3">
+
+   The connection string would then be `mongodb://<YOUR_INSTANCE_PRIVATE_IP>:27017/admini`
+2. **Mongo Atlas**
+   You can use Mongo Atlas connection as well
+   1. Go to `Database Deployments` page for your project
+   2. Click on `Connect` button
+   3. Choose `Connect your application` option
+   4. Copy the connection string. It should look like `mongodb://....`
+      <img width="567" alt="Mongo Atlas" src="https://github.com/akto-api-security/Documentation/assets/91221068/1128e098-3618-4d19-b9c3-2c7482b4714e">
+
+3. **AWS Document DB**
+   If you are on AWS, you can use AWS Document DB too. You can find the connection string on the Cluster page itself.
+   <img width="1399" alt="AWS DocDB" src="https://github.com/akto-api-security/Documentation/assets/91221068/4ce4d84d-6e8a-4d4d-bc0b-e5d03e3f824a">
+
+Note: Please ensure your K8S cluster has connectivity to Mongo. 
+
+### Install Akto via Helm
+
+1. Add Akto repo
+   ```helm repo add  akto https://akto-api-security.github.io/helm-charts```
+2. Install Akto via helm
+   ```helm install akto akto/akto -n dev --set mongo.aktoMongoConn="<AKTO_CONNECTION_STRING>"```
+3. Run `kubectl get pods -n <NAMESPACE>` and verify you can see 4 pods
+   <img width="862" alt="Screenshot 2023-11-16 at 10 08 23 AM" src="https://github.com/akto-api-security/Documentation/assets/91221068/3a5a4d26-3305-4eb2-94f9-ae598817252d">
+
+### Verify Installation and harden security
+
+1. Run the following to get Akto dashboard url
+   ```kubectl get services/akto-dashboard -n dev | awk -F " " '{print $4;}'```
+2. Open Akto dashboard on port 8080. eg `http://a54b36c1f4asdaasdfbd06a259de2-acf687643f6fe4eb.elb.ap-south-1.amazonaws.com:8080/`
+3. For good security measures, you should enable HTTPS by adding a certificate and put it behind a VPN. If you are on AWS, follow the guide [here](https://docs.akto.io/getting-started/aws-ssl).
diff --git a/charts/source-code-analyser/templates/NOTES.txt b/charts/source-code-analyser/templates/NOTES.txt
@@ -0,0 +1,8 @@
+Thank you for installing {{ .Chart.Name }}.
+
+Your release is named {{ .Release.Name }}.
+
+To learn more about the release, try:
+
+  $ helm status {{ .Release.Name }}
+  $ helm get all {{ .Release.Name }}
diff --git a/charts/source-code-analyser/templates/_helpers.tpl b/charts/source-code-analyser/templates/_helpers.tpl
@@ -0,0 +1,61 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "akto.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "akto.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "akto.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "akto.labels" -}}
+helm.sh/chart: {{ include "akto.chart" . }}
+{{ include "akto.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "akto.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "akto.name" . }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "akto.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "akto.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/charts/source-code-analyser/templates/deployment.yaml b/charts/source-code-analyser/templates/deployment.yaml
@@ -0,0 +1,103 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "akto.fullname" . }}-source-code-analyser
+spec:
+  replicas: {{ .Values.source_code_analyser.replicas }}
+  selector:
+    matchLabels:
+      app: {{ include "akto.fullname" . }}-source-code-analyser
+  template:
+    metadata:
+      labels:
+        app: {{ include "akto.fullname" . }}-source-code-analyser
+    spec:
+      containers:
+      - env:
+          - name: START_JAVA_LSP
+            value: {{ quote .Values.source_code_analyser.codeAnalysisLspService.env.startJavaLsp }}
+        image: {{ .Values.source_code_analyser.codeAnalysisService.image.repository }}:{{ .Values.source_code_analyser.codeAnalysisService.image.tag
+                 | default .Chart.AppVersion }}
+        volumeMounts:
+          - name: source-code
+            mountPath: /data
+        args:
+          - cli
+          - extract
+          - --START_JAVA_LSP={{ .Values.source_code_analyser.codeAnalysisLspService.env.startJavaLsp | quote }}
+
+        name: code-analysis-lsp-service
+
+      - name: eclipse-jdtls
+        image: hotavneesh/eclipse-jdtls:latest
+        volumeMounts:
+          - name: source-code
+            mountPath: /data
+      - env:
+          - name: SOURCE_CODE_ANALYSER
+            value: {{ quote .Values.source_code_analyser.codeAnalysisService.env.sourceCodeAnalyser }}
+          - name: LLM_TOKEN
+            value: {{ quote .Values.source_code_analyser.codeAnalysisService.env.llmToken }}
+          - name: PORT
+            value: {{ quote .Values.source_code_analyser.codeAnalysisService.env.port }}
+        image: {{ .Values.source_code_analyser.codeAnalysisService.image.repository }}:{{ .Values.source_code_analyser.codeAnalysisService.image.tag
+                 | default .Chart.AppVersion }}
+        volumeMounts:
+          - name: source-code
+            mountPath: /data
+        args:
+          - cli
+          - extract
+          - --SOURCE_CODE_ANALYSER={{ .Values.source_code_analyser.codeAnalysisService.env.sourceCodeAnalyser | quote }}
+          - --PORT={{ .Values.source_code_analyser.codeAnalysisService.env.port | int }}
+
+        name: code-analysis-service
+
+      - env:
+        - name: BITBUCKET_HOST
+          value: {{ quote .Values.source_code_analyser.aktoSourceCodeAnalyser.env.bitbucketHost }}
+        - name: BITBUCKET_TOKEN
+          value: {{ quote .Values.source_code_analyser.aktoSourceCodeAnalyser.env.bitbucketToken }}
+        - name: GITHUB_ACCESS_TOKEN
+          value: {{ quote .Values.source_code_analyser.aktoSourceCodeAnalyser.env.githubAccessToken }}
+        - name: DATABASE_ABSTRACTOR_SERVICE_URL
+          value: {{ quote .Values.source_code_analyser.aktoSourceCodeAnalyser.env.databaseAbstractorUrl }}
+        - name: DATABASE_ABSTRACTOR_SERVICE_TOKEN
+          value: {{ quote .Values.source_code_analyser.aktoSourceCodeAnalyser.env.databaseAbstractorToken }}
+        - name: SOURCE_CODE_HOST
+          value: {{ quote .Values.source_code_analyser.aktoSourceCodeAnalyser.env.sourceCodeHost}}
+        - name: AKTO_MONGO_CONN
+          value: {{ quote .Values.mongo.aktoMongoConn }}
+        - name: IS_KUBERNETES
+          value: "true"
+        - name: RUNTIME_MODE
+          value: {{ quote .Values.source_code_analyser.aktoSourceCodeAnalyser.env.runtimeMode}}
+        - name: DOCKER_VOLUME
+          value: "/data/"
+        image: {{ .Values.source_code_analyser.aktoSourceCodeAnalyser.image.repository }}:{{ .Values.source_code_analyser.aktoSourceCodeAnalyser.image.tag
+          | default .Chart.AppVersion }}
+        imagePullPolicy: {{ .Values.source_code_analyser.aktoSourceCodeAnalyser.imagePullPolicy }}
+        name: akto-source-code-analyser
+        resources: {{- toYaml .Values.source_code_analyser.aktoSourceCodeAnalyser.resources |  nindent 10 }}
+        volumeMounts:
+          - name: source-code
+            mountPath: /data
+      restartPolicy: Always
+
+      volumes:
+        - name: source-code
+          persistentVolumeClaim:
+            claimName: {{ .Release.Name }}-source-code-pvc
+
+---
+
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ .Release.Name }}-source-code-pvc
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
diff --git a/charts/source-code-analyser/values.yaml b/charts/source-code-analyser/values.yaml
@@ -0,0 +1,65 @@
+mongo:
+  aktoMongoConn: ""
+
+source_code_analyser:
+  replicas: 1
+  aktoSourceCodeAnalyser:
+    env:
+      bitbucketHost: ""
+      bitbucketToken: ""
+      githubAccessToken: ""
+      sourceCodeHost: http://localhost:3001
+      aktoAccountName: Helios
+      aktoConfigName: staging
+      aktoInstanceType: DASHBOARD
+      aktoKafkaBrokerMal: localhost:29092
+      aktoKafkaBrokerUrl: 127.0.0.1:29092
+      aktoKafkaGroupIdConfig: asdf
+      aktoKafkaMaxPollRecordsConfig: "100"
+      aktoKafkaTopicName: akto.api.logs
+      aktoTrafficBatchSize: "100"
+      aktoTrafficBatchTimeSecs: "10"
+      puppeteerReplayServiceUrl: http://akto-puppeteer-replay:3000
+      useHostName: true
+      databaseAbstractorUrl: https://doom.akto.io
+      databaseAbstractorToken: ""
+      runtimeMode: ""
+    image:
+      repository: aktosecurity/source-code-analyser
+      tag: a-1703-merge
+    imagePullPolicy: Always
+    resources:
+      requests:
+        cpu: 2
+        memory: "4Gi"
+      limits:
+        cpu: 3
+        memory: "8Gi"
+  codeAnalysisService:
+    env:
+      sourceCodeAnalyser: "true"
+      port: 3001
+      llmToken: ""
+    image:
+      repository: aktosecurity/akto-puppeteer-replay
+      tag: doom_latest
+    resources:
+      requests:
+        cpu: 1
+        memory: "4Gi"
+      limits:
+        cpu: 2
+        memory: "8Gi"
+  codeAnalysisLspService:
+    env:
+      startJavaLsp: "true"
+    image:
+      repository: aktosecurity/akto-puppeteer-replay
+      tag: doom_latest
+    resources:
+      requests:
+        cpu: 1
+        memory: "4Gi"
+      limits:
+        cpu: 2
+        memory: "8Gi"