From 386ebfe142a1ec501516374fcb199ea2dfc87d3a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?=
Date: Fri, 7 Jan 2022 16:06:20 +0100
Subject: [PATCH] added modsec chart for webgoat behind modsecurity crs
---
platformQuickStarts/helm/modsec/.helmignore | 23 ++++++++++
platformQuickStarts/helm/modsec/Chart.yaml | 9 ++++
.../modsec/templates/configmap-modsec.yaml | 18 ++++++++
.../helm/modsec/templates/deployment.yaml | 45 +++++++++++++++++++
.../helm/modsec/templates/route-modsec.yml | 16 +++++++
.../helm/modsec/templates/service.yaml | 16 +++++++
platformQuickStarts/helm/modsec/values.yaml | 13 ++++++
7 files changed, 140 insertions(+)
create mode 100644 platformQuickStarts/helm/modsec/.helmignore
create mode 100644 platformQuickStarts/helm/modsec/Chart.yaml
create mode 100644 platformQuickStarts/helm/modsec/templates/configmap-modsec.yaml
create mode 100644 platformQuickStarts/helm/modsec/templates/deployment.yaml
create mode 100644 platformQuickStarts/helm/modsec/templates/route-modsec.yml
create mode 100644 platformQuickStarts/helm/modsec/templates/service.yaml
create mode 100644 platformQuickStarts/helm/modsec/values.yaml
diff --git a/platformQuickStarts/helm/modsec/.helmignore b/platformQuickStarts/helm/modsec/.helmignore
new file mode 100644
index 000000000..0e8a0eb36
--- /dev/null
+++ b/platformQuickStarts/helm/modsec/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/platformQuickStarts/helm/modsec/Chart.yaml b/platformQuickStarts/helm/modsec/Chart.yaml
new file mode 100644
index 000000000..3041cfbac
--- /dev/null
+++ b/platformQuickStarts/helm/modsec/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: modsec
+description: ModSecurity Core Rule Set
+
+type: application
+
+version: 0.1.0
+
+appVersion: "latest"
diff --git a/platformQuickStarts/helm/modsec/templates/configmap-modsec.yaml b/platformQuickStarts/helm/modsec/templates/configmap-modsec.yaml
new file mode 100644
index 000000000..413e3b76b
--- /dev/null
+++ b/platformQuickStarts/helm/modsec/templates/configmap-modsec.yaml
@@ -0,0 +1,18 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: {{ .Values.modsec_server.name }}-configmap-modsec
+ namespace: {{ .Values.namespace }}
+ labels:
+ app.kubernetes.io/part-of: {{ .Values.modsec_server.name }}
+data:
+ PARANOIA: '1'
+ EXECUTING_PARANOIA: '2'
+ ANOMALYIN: '5'
+ ANOMALYOUT: '5'
+ ALLOWED_METHODS: 'GET POST'
+ ALLOWED_REQUEST_CONTENT_TYPE: "text/xml|application/xml|text/plain"
+ MAX_FILE_SIZE: '5242880'
+ PORT: '8001'
+ RESTRICTED_EXTENSIONS: '.conf/'
+ BACKEND: 'http://{{ .Values.webgoat_server.name }}-service:8080'
diff --git a/platformQuickStarts/helm/modsec/templates/deployment.yaml b/platformQuickStarts/helm/modsec/templates/deployment.yaml
new file mode 100644
index 000000000..9b54b58e3
--- /dev/null
+++ b/platformQuickStarts/helm/modsec/templates/deployment.yaml
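Review bot: In configmap-modsec.yaml, `ALLOWED_REQUEST_CONTENT_TYPE` and `RESTRICTED_EXTENSIONS` appear to replace the rule set's default lists rather than extend them, and nothing in the file says so. The content-type list leaves out `application/x-www-form-urlencoded`, `multipart/form-data` and `application/json`, so if the image feeds this value to the CRS content-type policy, ordinary form posts to WebGoat would probably reach the `ANOMALYIN: '5'` threshold, while `RESTRICTED_EXTENSIONS: '.conf/'` narrows the blocked-extension list to a single entry. I would add a comment above `data:` such as `# These values override the CRS defaults; EXECUTING_PARANOIA above PARANOIA runs PL2 rules without adding to the anomaly score`. I would then either restore the default lists or move these keys into values.yaml so each install can tune them.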
@@ -0,0 +1,45 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ name: {{ .Values.modsec_server.name }}
+ namespace: {{ .Values.namespace }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: {{ .Values.modsec_server.name }}
+ template:
+ metadata:
+ labels:
+ app: {{ .Values.modsec_server.name }}
+ spec:
+ containers:
+ - resources:
+ limits:
+ memory: "2Gi"
+ cpu: "1"
+ requests:
+ memory: "1Gi"
+ cpu: "0.5"
+ name: modsec
+ ports:
+ - containerPort: 8001
+ protocol: TCP
+ image: {{ .Values.modsec_server.image }}
+ imagePullPolicy: Always
+ terminationMessagePolicy: File
+ envFrom:
+ - configMapRef:
+ name: {{ .Values.modsec_server.name }}-configmap-modsec
+ restartPolicy: Always
+ terminationGracePeriodSeconds: 30
+ dnsPolicy: ClusterFirst
+ securityContext: {}
+ schedulerName: default-scheduler
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 25%
+ maxSurge: 25%
+ revisionHistoryLimit: 10
+ progressDeadlineSeconds: 600
diff --git a/platformQuickStarts/helm/modsec/templates/route-modsec.yml b/platformQuickStarts/helm/modsec/templates/route-modsec.yml
new file mode 100644
index 000000000..3421472b0
--- /dev/null
+++ b/platformQuickStarts/helm/modsec/templates/route-modsec.yml
@@ -0,0 +1,16 @@
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ labels:
+ app: {{ .Values.modsec_server.name }}
+ name: {{ .Values.modsec_server.name }}-modsec
+ namespace: {{ .Values.namespace }}
+spec:
+ path: /
+ port:
+ targetPort: 8001
+ to:
+ kind: Service
+ name: {{ .Values.modsec_server.name }}-service
+ weight: 100
+ wildcardPolicy: None
diff --git a/platformQuickStarts/helm/modsec/templates/service.yaml b/platformQuickStarts/helm/modsec/templates/service.yaml
new file mode 100644
index 000000000..d8bfb8f18
--- /dev/null
+++ b/platformQuickStarts/helm/modsec/templates/service.yaml
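Review bot: The pod spec in deployment.yaml sets `securityContext: {}` and the `modsec` container has no `securityContext` of its own, so the route-exposed proxy runs with whatever defaults the cluster's admission policy happens to grant. Because this container is the one that parses untrusted requests, I would state the hardening in the chart rather than rely on the OpenShift SCC. The container also declares no readiness probe, so the Service can receive traffic before the proxy is listening on 8001. A possible container-level addition is below. `readOnlyRootFilesystem` is left out because the image may write its rendered configuration at start-up, which cannot be confirmed from this patch.

```yaml
          name: modsec
          # … unchanged: resources, ports, image, imagePullPolicy, envFrom …
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          readinessProbe:
            tcpSocket:
              port: 8001
```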
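Review bot: The Route in route-modsec.yml has no `tls:` stanza, so the WAF front end is published over plain HTTP and WebGoat logins and session cookies reach the router unencrypted. Adding `tls:` under `spec:` with `termination: edge` and `insecureEdgeTerminationPolicy: Redirect` would terminate TLS at the router and redirect cleartext requests. The `urlpostfix` value from values.yaml is not referenced here, so the host falls back to the router default; either wire it into `spec.host` or drop the value.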
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: {{ .Values.modsec_server.name }}
+ name: {{ .Values.modsec_server.name }}-service
+ namespace: {{ .Values.namespace }}
+spec:
+ ports:
+ - name: 8001-tcp
+ port: 8001
+ protocol: TCP
+ targetPort: 8001
+ selector:
+ app: {{ .Values.modsec_server.name }}
+ sessionAffinity: None
diff --git a/platformQuickStarts/helm/modsec/values.yaml b/platformQuickStarts/helm/modsec/values.yaml
new file mode 100644
index 000000000..a0f83ee77
--- /dev/null
+++ b/platformQuickStarts/helm/modsec/values.yaml
@@ -0,0 +1,13 @@
+namespace: demo-project
+urlpostfix: .apps-crc.testing
+accessMode: ReadWriteMany
+
+modsec_server:
+ name: modsec-1
+ #image: docker.io/franbuehler/modsecurity-crs-rp
+ #image: docker.io/owasp/modsecurity-crs
+ image: docker.io/chrira/modsecurity-crs-rp:openshift
+
+webgoat_server:
+ name: webgoat-1
+
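Review bot: In values.yaml the active `image:` is a mutable tag (`:openshift`) from what appears to be an individual's Docker Hub namespace, and deployment.yaml pulls it with `imagePullPolicy: Always`, so every pod restart runs whatever was last pushed under that tag. Pinning by digest, for example `image: docker.io/chrira/modsecurity-crs-rp@sha256:<digest-placeholder>`, keeps the deployed WAF image reproducible and reviewable. The two commented-out `#image:` alternatives would benefit from a one-line comment saying why the OpenShift variant was chosen. `accessMode` is not referenced by any template in this patch and could be dropped.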