Initial commit

Dockerfile

@@ -0,0 +1,17 @@
+FROM kong:3.1.1-ubuntu
+
+USER root
+ADD scripts /build
+RUN /build/build.sh
+
+USER kong
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+
+EXPOSE 8000 8443 8001 8444 $EE_PORTS
+
+STOPSIGNAL SIGQUIT
+
+HEALTHCHECK --interval=10s --timeout=10s --retries=10 CMD kong health
+
+CMD ["kong", "docker-start"]

README.md

@@ -0,0 +1,25 @@
+# kong31-wallarm
+
+Docker image with Kong 3.1.1-ubuntu and Wallarm 4.6 - https://hub.docker.com/r/ebberst/kong31-wallarm
+
+Example of execution:
+```
+docker run -it --rm --name kong \
+    -e 'KONG_DATABASE=off' \
+    -e 'KONG_PROXY_ACCESS_LOG=/dev/stdout' \
+    -e 'KONG_ADMIN_ACCESS_LOG=/dev/stdout' \
+    -e 'KONG_PROXY_ERROR_LOG=/dev/stderr' \
+    -e 'KONG_ADMIN_ERROR_LOG=/dev/stderr' \
+    -e 'KONG_ADMIN_LISTEN=0.0.0.0:8001, 0.0.0.0:8444 ssl' \
+    -e 'KONG_DECLARATIVE_CONFIG_STRING={"_format_version":"1.1", "services":[{"host":"mockbin.com","port":443,"protocol":"https", "routes":[{"paths":["/"]}]}]}' \
+    -e 'WALLARM_API_HOST=api.wallarm.com' \
+    -e 'WALLARM_API_TOKEN=<put your token here>' \
+    -e 'WALLARM_LABELS=group=<put your group here>' \
+    -e 'TARANTOOL_MEMORY_GB=1' \
+    -e 'WALLARM_MODE=block' \
+    -p 8000:8000 \
+    -p 8443:8443 \
+    -p 8001:8001 \
+    -p 8444:8444 \
+    ebberst/kong31-wallarm:latest
+```

build_push.sh

@@ -0,0 +1,5 @@
+set -ex
+
+docker build --pull \
+ --tag ebberst/kong31-wallarm:latest .
+docker push ebberst/kong31-wallarm:latest

scripts/build.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -ex
+
+/build/busybox wget https://meganode.wallarm.com/4.6/wallarm-4.6.0.x86_64-glibc.tar.gz -O - | tar -xzv -C /
+chown -R kong:kong /opt/wallarm
+
+cp -v /build/docker-entrypoint.sh /docker-entrypoint.sh
+cp -v /build/nginx.lua /usr/local/share/lua/5.1/kong/templates/nginx.lua
+cp -v /build/nginx_kong.lua /usr/local/share/lua/5.1/kong/templates/nginx_kong.lua
+chown -R kong:kong /usr/local/share/lua/5.1/kong/templates
+sed -i -e '/HOST=0\.0\.0\.0/d' /opt/wallarm/env.list
+
+rm -rf /build

scripts/docker-entrypoint.sh

@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+  local var="$1"
+  local fileVar="${var}_FILE"
+  local def="${2:-}"
+  # Do not continue if _FILE env is not set
+  if ! [ "${!fileVar:-}" ]; then
+    return
+  elif [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+    exit 1
+  fi
+  local val="$def"
+  if [ "${!var:-}" ]; then
+    val="${!var}"
+  elif [ "${!fileVar:-}" ]; then
+    val="$(< "${!fileVar}")"
+  fi
+  export "$var"="$val"
+  unset "$fileVar"
+}
+
+export KONG_NGINX_DAEMON=${KONG_NGINX_DAEMON:=off}
+
+if [[ "$1" == "kong" ]]; then
+
+  all_kong_options="/usr/local/share/lua/5.1/kong/templates/kong_defaults.lua"
+  set +Eeo pipefail
+  while IFS='' read -r LINE || [ -n "${LINE}" ]; do
+      opt=$(echo "$LINE" | grep "=" | sed "s/=.*$//" | sed "s/ //" | tr '[:lower:]' '[:upper:]')
+      file_env "KONG_$opt"
+  done < $all_kong_options
+  set -Eeo pipefail
+
+  file_env KONG_PASSWORD
+  PREFIX=${KONG_PREFIX:=/usr/local/kong}
+
+  if [[ "$2" == "docker-start" ]]; then
+    if [ -n "$WALLARM_MODE" ]; then
+      sed -i -e "s|wallarm_mode monitoring|wallarm_mode $WALLARM_MODE|g" /usr/local/share/lua/5.1/kong/templates/nginx_kong.lua
+    fi
+    kong prepare -p "$PREFIX" "$@"
+
+    ln -sf /dev/stdout $PREFIX/logs/access.log
+    ln -sf /dev/stdout $PREFIX/logs/admin_access.log
+    ln -sf /dev/stderr $PREFIX/logs/error.log
+
+    if [ -n "$WALLARM_API_HOST" ]; then
+      args="$args -H $WALLARM_API_HOST"
+    fi
+    if [ -n "$WALLARM_LABELS" ]; then
+      args="$args --labels $WALLARM_LABELS"
+    fi
+    if [ -n "$TARANTOOL_MEMORY_GB" ]; then
+      sed -i -e "s|SLAB_ALLOC_ARENA=0.2|SLAB_ALLOC_ARENA=$TARANTOOL_MEMORY_GB|g" /opt/wallarm/env.list
+    fi
+    /opt/wallarm/register-node $args
+    /opt/wallarm/supervisord.sh &
+
+    exec /usr/local/openresty/nginx/sbin/nginx \
+      -p "$PREFIX" \
+      -c nginx.conf
+  fi
+fi
+
+exec "$@"

scripts/nginx.lua

@@ -0,0 +1,76 @@
+return [[
+pid pids/nginx.pid;
+error_log ${{PROXY_ERROR_LOG}} ${{LOG_LEVEL}};
+
+# injected nginx_main_* directives
+> for _, el in ipairs(nginx_main_directives) do
+$(el.name) $(el.value);
+> end
+
+> if database == "off" then
+lmdb_environment_path ${{LMDB_ENVIRONMENT_PATH}};
+lmdb_map_size         ${{LMDB_MAP_SIZE}};
+> end
+
+load_module /opt/wallarm/modules/kong/ngx_http_wallarm_module.so;
+
+events {
+    # injected nginx_events_* directives
+> for _, el in ipairs(nginx_events_directives) do
+    $(el.name) $(el.value);
+> end
+}
+
+> if role == "control_plane" or #proxy_listeners > 0 or #admin_listeners > 0 or #status_listeners > 0 then
+http {
+    server {
+      listen 127.0.0.8:80;
+
+      server_name localhost;
+
+      allow 127.0.0.0/8;
+      deny all;
+
+      wallarm_mode off;
+      disable_acl "on";
+      access_log off;
+
+      location ~/wallarm-status$ {
+        wallarm_status on;
+      }
+    }
+    disable_acl "on";
+    include 'nginx-kong.conf';
+}
+> end
+
+> if #stream_listeners > 0 or cluster_ssl_tunnel then
+stream {
+> if #stream_listeners > 0 then
+    include 'nginx-kong-stream.conf';
+> end
+
+> if cluster_ssl_tunnel then
+    server {
+        listen unix:${{PREFIX}}/cluster_proxy_ssl_terminator.sock;
+
+        proxy_pass ${{cluster_ssl_tunnel}};
+        proxy_ssl on;
+        # as we are essentially talking in HTTPS, passing SNI should default turned on
+        proxy_ssl_server_name on;
+> if proxy_server_ssl_verify then
+        proxy_ssl_verify on;
+> if lua_ssl_trusted_certificate_combined then
+        proxy_ssl_trusted_certificate '${{LUA_SSL_TRUSTED_CERTIFICATE_COMBINED}}';
+> end
+        proxy_ssl_verify_depth 5; # 5 should be sufficient
+> else
+        proxy_ssl_verify off;
+> end
+        proxy_socket_keepalive on;
+    }
+> end -- cluster_ssl_tunnel
+
+}
+> end
+]]