K8s setup for reNgine

k8s/celery-beat/deployment.yml

@@ -0,0 +1,79 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: celery-beat
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: celery-beat
+  template:
+    metadata:
+      labels:
+        app: celery-beat
+    spec:
+      containers:
+      - name: celery-beat
+        image: ghcr.io/0xtejas/rengine/celery-beat:latest
+        command: ["celery", "-A", "reNgine", "beat", "-l", "INFO", "--scheduler", "django_celery_beat.schedulers:DatabaseScheduler"]
+        env:
+          - name: CELERY_BROKER
+            value: redis://redis:6379/0
+          - name: CELERY_BACKEND
+            value: redis://redis:6379/0
+          - name: POSTGRES_DB
+            valueFrom:
+              secretKeyRef:
+                name: db-secret
+                key: POSTGRES_DB
+          - name: POSTGRES_USER
+            valueFrom:
+              secretKeyRef:
+                name: db-secret
+                key: POSTGRES_USER
+          - name: POSTGRES_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: db-secret
+                key: POSTGRES_PASSWORD
+          - name: POSTGRES_HOST
+            value: db  # Name of the PostgreSQL service
+          - name: POSTGRES_PORT
+            value: "5432"
+        volumeMounts:
+        - name: github-repos
+          mountPath: /usr/src/github
+        - name: wordlist
+          mountPath: /usr/src/wordlist
+        - name: scan-results
+          mountPath: /usr/src/scan_results
+        - name: gf-patterns
+          mountPath: /root/.gf
+        - name: nuclei-templates
+          mountPath: /root/nuclei-templates
+        - name: tool-config
+          mountPath: /root/.config
+        - name: shared-data
+          mountPath: /usr/src/app
+      volumes:
+        - name: github-repos
+          persistentVolumeClaim:
+            claimName: github-repos-pvc
+        - name: wordlist
+          persistentVolumeClaim:
+            claimName: wordlist-pvc
+        - name: scan-results
+          persistentVolumeClaim:
+            claimName: scan-results-pvc
+        - name: gf-patterns
+          persistentVolumeClaim:
+            claimName: gf-patterns-pvc
+        - name: nuclei-templates
+          persistentVolumeClaim:
+            claimName: nuclei-templates-pvc
+        - name: tool-config
+          persistentVolumeClaim:
+            claimName: tool-config-pvc
+        - name: shared-data
+          persistentVolumeClaim:
+            claimName: shared-data-pvc

k8s/celery-beat/pvc.yml

@@ -0,0 +1,65 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: github-repos-pvc
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: wordlist-pvc
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: scan-results-pvc
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gf-patterns-pvc
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nuclei-templates-pvc
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: tool-config-pvc
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

k8s/celery-beat/service.yml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: celery-beat
+spec:
+  selector:
+    app: celery-beat
+  ports:
+    - protocol: TCP
+      port: 5672  # Default Celery port (adjust as necessary)
+      targetPort: 5672
+  type: ClusterIP  # Change to NodePort or LoadBalancer if needed

k8s/celery/celery-config.yml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: celery-config
+data: 
+  MAX_CONCURRENCY: "10"
+  MIN_CONCURRENCY: "1"

k8s/celery/deployment.yml

@@ -0,0 +1,69 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: celery
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: celery
+  template:
+    metadata:
+      labels:
+        app: celery
+    spec:
+      containers:
+      - name: celery
+        image: ghcr.io/0xtejas/rengine/celery:latest
+        command: ["/bin/bash", "-c", "/usr/src/app/celery-entrypoint.sh"]
+        env:
+          - name: DEBUG
+            value: "0"
+          - name: CELERY_BROKER
+            value: redis://redis:6379/0
+          - name: CELERY_BACKEND
+            value: redis://redis:6379/0
+          - name: DOMAIN_NAME
+            valueFrom:
+              secretKeyRef:
+                name: db-secret
+                key: DOMAIN_NAME
+          - name: POSTGRES_DB
+            valueFrom:
+              secretKeyRef:
+                name: db-secret
+                key: POSTGRES_DB
+          - name: POSTGRES_PORT
+            valueFrom:
+              secretKeyRef:
+                name: db-secret
+                key: POSTGRES_PORT
+          - name: POSTGRES_USER
+            valueFrom:
+              secretKeyRef:
+                name: db-secret
+                key: POSTGRES_USER
+          - name: POSTGRES_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: db-secret
+                key: POSTGRES_PASSWORD
+          - name: POSTGRES_HOST
+            value: db
+        envFrom:
+          - configMapRef:
+              name: celery-config
+        volumeMounts:
+          - mountPath: /usr/src/app
+            name: shared-data
+        resources:
+          requests:
+            memory: "2Gi"
+            cpu: "600m"
+          limits:
+            memory: "4Gi"
+            cpu: "1.5"
+      volumes:
+        - name: shared-data
+          persistentVolumeClaim:
+            claimName: shared-data-pvc

k8s/cert-manager/certificate.yaml

@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: rengine-cert
+  namespace: default
+spec:
+  secretName: rengine-tls
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer
+  dnsNames:
+  - rengine.example.com

k8s/cert-manager/cluster-issuer.yml

@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: [email protected]
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    solvers:
+    - http01:
+        ingress:
+          class: nginx

k8s/nginx/configmap.yml

@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-config
+data:
+  rengine.conf: |
+    server {
+        listen 80;
+        listen [::]:80;
+        server_name rengine.example.com;
+
+        charset utf-8;
+        keepalive_timeout 70;
+
+        client_max_body_size 800M;
+
+        location / {
+            proxy_read_timeout 300;
+            proxy_connect_timeout 300;
+            proxy_redirect off;
+
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_pass http://rengine:8000/;
+        }
+
+        location /staticfiles/ {
+            alias /usr/src/app/staticfiles/;
+        }
+
+        location /protected_media/ {
+            internal;
+            alias /usr/src/scan_results/;
+            autoindex off;
+        }
+    }

k8s/nginx/deployment.yml

@@ -0,0 +1,38 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:alpine
+        volumeMounts:
+        - name: nginx-config-volume
+          mountPath: /etc/nginx/conf.d/rengine.conf
+          subPath: rengine.conf
+        - name: certs
+          mountPath: /etc/nginx/certs
+        - name: static-files
+          mountPath: /usr/src/app/staticfiles
+        ports:
+        - containerPort: 80
+        - containerPort: 443
+      volumes:
+        - name: nginx-config-volume
+          configMap:
+            name: nginx-config
+        - name: certs
+          secret:
+            secretName: nginx-certificates
+        - name: static-files
+          persistentVolumeClaim:
+            claimName: static-pvc

k8s/nginx/ingress.yml

@@ -0,0 +1,30 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: nginx-ingress
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/rewrite-target: /
+    nginx.ingress.kubernetes.io/proxy-body-size: "800m"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
+    nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
+    nginx.ingress.kubernetes.io/whitelist-source-range: "0.0.0.0/0"
+    acme.cert-manager.io/http01-edit-in-place: "true"
+    cert-manager.io/cluster-issuer: letsencrypt-prod  
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+      - rengine.example.com
+    secretName: rengine-tls
+  rules:
+  - host: rengine.example.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: nginx
+            port:
+              number: 80

k8s/nginx/service.yml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx
+spec:
+  type: ClusterIP
+  selector:
+    app: nginx
+  ports:
+  - name: http
+    port: 80
+    targetPort: 80
+  - name: https
+    port: 443
+    targetPort: 443