workload.yaml
---
# Mock upstream for the smoke tests: an nginx configuration in which every
# location ends in a fixed `return` (status code, optionally a canned JSON
# body). Nothing is served from disk.
apiVersion: v1
kind: ConfigMap
metadata:
  name: workload
data:
  # Mounted read-only at /etc/nginx by the `workload` Deployment in this file.
  #
  # NOTE(review): the sidecar include in this file proxies to 127.0.0.1:80 and
  # passes the caller in X-Real-IP / X-Forwarded-For. The `main` log format
  # below records only $remote_addr, so requests that arrive through that
  # include are logged with the proxy address rather than the client address.
  # Look at the sidecar's own logs when tracing a test request to its source.
  #
  # NOTE(review): /.git and /wallarm-application/admin are status-code mocks
  # for the API abuse prevention tests; no repository or admin UI sits behind
  # them.
  nginx.conf: |
    user nginx;
    worker_processes 3;
    error_log /var/log/nginx/error.log;
    events {
      worker_connections 10240;
    }
    http {
      log_format main '$remote_addr - $remote_user [$time_local] '
                      '"$request" $status $bytes_sent '
                      '"$http_referer" "$http_user_agent" "$gzip_ratio"';
      access_log /var/log/nginx/access.log main;
      server {
        listen 80;
        server_name _;
        location / {
          return 200;
        }
        # Location for API discovery test
        location /api-discovery-test {
          add_header Api-Discovery-Header "Hello, I am header!";
          return 200 '{"json_response": "Hello, I am json"}';
          default_type application/json;
        }
        # Location for Blocking Tor Source Type
        location /blocking-by-tor-test {
          add_header Block-by-Tor "Hello, I am header!";
          return 200 '{"json_response": "Hello, I am json"}';
          default_type application/json;
        }
        # Some mocks for test_api_abuse_prevention.py
        location /.git {
          if ($http_custom_id) {
            return 400;
          }
          return 200;
        }
        location /wallarm-application/admin {
          return 401;
        }
        location /api/v2 {
          if ($http_custom_id) {
            return 502;
          }
          return 200;
        }
        location /smoke-auto-forced-browsing/ {
          return 404;
        }
      }
    }
---
# Extra nginx `location` blocks for the Wallarm sidecar proxy. The `workload`
# Deployment in this file mounts the key below at
# /nginx_include/sidecar-config.conf and lists that path in its
# `nginx-server-include` annotation.
apiVersion: v1
kind: ConfigMap
metadata:
  name: sidecar-config
data:
  # Every location forwards to the workload container on 127.0.0.1:80.
  #
  # NOTE(review): `wallarm_application $http_custom_id` takes the application
  # ID from the request's Custom-Id header, so the caller picks which
  # application a request is attributed to. That suits tests that need a
  # non-default APP_ID; outside a test cluster the ID should come from
  # configuration, not from a client-controlled header.
  #
  # NOTE(review): $proxy_add_x_forwarded_for appends to whatever
  # X-Forwarded-For value the client sent, so the upstream must not treat
  # that header as an authenticated client address.
  sidecar-include.conf: |
    location /wallarm-mode/monitoring {
      wallarm_mode monitoring;
      proxy_pass http://127.0.0.1:80;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    # Endpoint for `test_api_abuse_prevention.py` (and any other test, that uses non-default APP_ID)
    location /wallarm-application/ {
      wallarm_application $http_custom_id;
      proxy_pass http://127.0.0.1:80;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /api-discovery-test {
      wallarm_application $http_custom_id;
      proxy_pass http://127.0.0.1:80;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /blocking-by-tor-test {
      wallarm_application $http_custom_id;
      proxy_pass http://127.0.0.1:80;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
---
# Single-replica nginx test workload. The pod template carries the Wallarm
# sidecar label and annotations and mounts the `workload` ConfigMap as the
# nginx configuration.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: workload
spec:
  replicas: 1
  selector:
    matchLabels:
      app: workload
  template:
    metadata:
      labels:
        app: workload
        # Presumably the label the sidecar injector selects on; confirm
        # against the injector's configuration.
        wallarm-sidecar: enabled
        app.kubernetes.io/component: workload
      annotations:
        sidecar.wallarm.io/wallarm-mode: 'block'
        # The next three annotations wire the `sidecar-config` ConfigMap into
        # the sidecar: declare the volume, mount its `sidecar-include.conf`
        # key, and include the mounted file.
        sidecar.wallarm.io/proxy-extra-volumes: >-
          [{"name": "nginx-http-extra-config", "configMap": {"name": "sidecar-config"}}]
        sidecar.wallarm.io/proxy-extra-volume-mounts: >-
          [{"name": "nginx-http-extra-config", "mountPath": "/nginx_include/sidecar-config.conf", "subPath": "sidecar-include.conf"}]
        sidecar.wallarm.io/nginx-server-include: "['/nginx_include/sidecar-config.conf']"
    spec:
      imagePullSecrets:
        - name: dockerhub-secret
      containers:
        - name: nginx
          # NOTE(review): `stable-alpine` is a mutable tag, so the image under
          # test can change between runs without any change to this file.
          # Pinning it (nginx:stable-alpine@sha256:<digest-placeholder>) makes
          # runs reproducible and the pulled image auditable.
          #
          # NOTE(review): no securityContext and no resource requests/limits
          # are set on this container; it runs with the image and cluster
          # defaults. Acceptable for a disposable test pod; set both before
          # reusing this manifest elsewhere.
          image: nginx:stable-alpine
          ports:
            - containerPort: 80
          volumeMounts:
            # The volume projects only nginx.conf, so /etc/nginx holds that
            # single file and is read-only.
            - name: config
              mountPath: /etc/nginx
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: workload
            items:
              - key: nginx.conf
                path: nginx.conf
---
# Publishes the workload pods (selector `app: workload`) on service port 80
# and on node port 30000.
apiVersion: v1
kind: Service
metadata:
  name: workload
spec:
  # NOTE(review): a NodePort service listens on port 30000 of every node, so
  # the mock endpoints are reachable from any network that can reach the
  # nodes. Keep this to an isolated test cluster, or restrict access with a
  # firewall rule or NetworkPolicy.
  type: NodePort
  selector:
    app: workload
  ports:
    - port: 80
      targetPort: 80
      nodePort: 30000