add external API component

Author: Anadris

charts/bunkerweb/templates/api-deployment.yaml

@@ -0,0 +1,158 @@
+{{- if .Values.api.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: api-{{ include "bunkerweb.fullname" . }}
+  namespace: {{ include "bunkerweb.namespace" . }}
+  labels:
+    {{- include "bunkerweb.labels" . | nindent 4 }}
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      {{- include "bunkerweb.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "bunkerweb.labels" . | nindent 8 }}
+        {{- with .Values.api.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        bunkerweb.io/component: "api"
+    spec:
+      containers:
+        - name: bunkerweb-api
+          image: {{ .Values.api.repository }}:{{ .Values.api.tag }}
+          imagePullPolicy: {{ .Values.api.pullPolicy }}
+          {{- with .Values.api.resources }}
+          resources:
+            {{- toYaml . | nindent 12}}
+          {{- end }}
+          {{- with .Values.api.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12}}
+          {{- end }}
+          {{- with .Values.api.livenessProbe }}
+          livenessProbe:
+            {{- toYaml . | nindent 12}}
+          {{- end }}
+          env:
+            - name: DATABASE_URI
+              {{- if not (empty .Values.settings.existingSecret) }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.settings.existingSecret }}
+                  key: database-uri
+              {{- else }}
+              value: "{{ include "bunkerweb.databaseUri" . }}"
+              {{- end }}
+            - name: API_TOKEN
+              {{- if not (empty .Values.settings.existingSecret) }}
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.settings.existingSecret }}"
+                  key: api-token
+              {{- else }}
+              value: "{{ .Values.settings.api.apiToken }}"
+              {{- end }}
+            - name: API_USERNAME
+              {{- if not (empty .Values.settings.existingSecret) }}
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.settings.existingSecret }}"
+                  key: api-username
+              {{- else }}
+              value: "{{ .Values.settings.api.apiUsername }}"
+              {{- end }}
+            - name: API_PASSWORD
+              {{- if not (empty .Values.settings.existingSecret) }}
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.settings.existingSecret }}"
+                  key: api-password
+              {{- else }}
+              value: "{{ .Values.settings.api.apiPassword }}"
+              {{- end }}
+            - name: API_ACL_BOOTSTRAP_FILE
+              {{- if not (empty .Values.settings.existingSecret) }}
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.settings.existingSecret }}"
+                  key: api-acl-json-file-path
+              {{- else }}
+              value: "{{ .Values.settings.api.apiAclBootstrapFile }}"
+              {{- end }}
+            - name: API_WHITELIST_ENABLED
+              value: "{{ .Values.settings.api.whitelist.enabled }}"
+            - name: API_WHITELIST_IPS
+              value: "{{ .Values.settings.api.whitelist.whitelistIps }}"
+            - name: FORWARDED_ALLOW_IPS
+              value: "{{ .Values.settings.api.forwardedAllowIps }}"
+            - name: API_ROOT_PATH
+              value: "{{ .Values.settings.api.rootPath }}"
+            - name: API_DOCS_URL
+              value: "{{ .Values.settings.api.docsUrl }}"
+            - name: API_REDOC_URL
+              value: "{{ .Values.settings.api.redocUrl }}"
+            - name: API_OPENAPI_URL
+              value: "{{ .Values.settings.api.openApiUrl }}"
+            - name: API_RATE_LIMIT_ENABLED
+              value: "{{ .Values.settings.api.rateLimit.enabled }}"
+            - name: API_RATE_LIMIT_STRATEGY
+              value: "{{ .Values.settings.api.rateLimit.strategy }}"
+            - name: API_RATE_LIMIT_DEFAULTS
+              value: "{{ .Values.settings.api.rateLimit.defaults }}"
+            {{- if .Values.ui.logs.enabled }}
+            - name: LOG_TYPES
+              value: "stderr syslog"
+            - name: LOG_SYSLOG_ADDRESS
+              value: "{{ include "bunkerweb.syslogAddress" . }}"
+            {{- end }}
+            {{- if .Values.api.extraEnvs }}
+              {{- toYaml .Values.api.extraEnvs | nindent 12 }}
+            {{- end }}
+          {{- if .Values.settings.api.apiAclBootstrapFile }}
+          volumeMounts:
+          - name: api-acl-bootstrap
+            mountPath: /var/lib/bunkerweb/api_acl_bootstrap.json
+          {{- end }}
+      {{- if .Values.settings.api.apiAclBootstrapFile }}        
+      volumes:
+      - name: api-acl-bootstrap
+        configMap:
+          name: "{{ .Values.settings.api.apiAclBootstrapFile }}"
+      {{- end }}
+    {{- if .Values.api.nodeSelector }}
+      {{- with .Values.api.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- else if .Values.nodeSelector }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- end }}
+    {{- if or (.Values.api.tolerations) (.Values.tolerations) }}
+      tolerations:
+      {{- if .Values.api.tolerations }}
+        {{- toYaml .Values.api.tolerations | nindent 6 }}
+      {{- else }}
+        {{- toYaml .Values.tolerations | nindent 6 }}
+      {{- end }}
+    {{- end }}
+    {{- if or (.Values.api.imagePullSecrets) (.Values.imagePullSecrets) }}
+      imagePullSecrets:
+      {{- if .Values.api.imagePullSecrets }}
+        {{- toYaml .Values.api.imagePullSecrets | nindent 6 }}
+      {{- else }}
+        {{- toYaml .Values.imagePullSecrets | nindent 6 }}
+      {{- end }}
+    {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}

charts/bunkerweb/templates/api-ingress.yaml

@@ -0,0 +1,35 @@
+{{- if .Values.settings.api.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: api-{{ include "bunkerweb.fullname" . }}
+  namespace: {{ include "bunkerweb.namespace" . }}
+  labels:
+    {{- include "bunkerweb.labels" . | nindent 4 }}
+  annotations:
+    bunkerweb.io/USE_TEMPLATE: "api"
+    {{- with .Values.settings.api.ingress.extraAnnotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  {{- if .Values.settings.api.ingress.ingressClassName }}
+  ingressClassName: {{ .Values.settings.api.ingress.ingressClassName }}
+  {{- end}}
+  {{- if .Values.settings.api.ingress.tlsSecretName }}
+  tls:
+    - hosts:
+      - {{ .Values.settings.api.ingress.serverName }}
+      secretName: {{ .Values.settings.api.ingress.tlsSecretName }}
+  {{- end }}
+  rules:
+    - host: {{ .Values.settings.api.ingress.serverName }}
+      http:
+        paths:
+          - path: {{ .Values.settings.api.ingress.serverPath }}
+            pathType: Prefix
+            backend:
+              service:
+                name: api-{{ include "bunkerweb.fullname" . }}
+                port:
+                  number: 8888
+{{- end }}

charts/bunkerweb/templates/api-service.yaml

@@ -0,0 +1,18 @@
+{{- if .Values.api.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: api-{{ include "bunkerweb.fullname" . }}
+  namespace: {{ include "bunkerweb.namespace" . }}
+  labels:
+    {{- include "bunkerweb.labels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  selector:
+    bunkerweb.io/component: "api"
+  ports:
+    - name: api-external
+      protocol: TCP
+      port: 8888
+      targetPort: 8888
+{{- end }}

charts/bunkerweb/templates/ui-ingress.yaml

@@ -7,10 +7,7 @@ metadata:
   labels:
     {{- include "bunkerweb.labels" . | nindent 4 }}
   annotations:
-    bunkerweb.io/SERVE_FILES: "no"
-    bunkerweb.io/USE_UI: "yes"
-    bunkerweb.io/INTERCEPTED_ERROR_CODES: '400 404 405 413 429 500 501 502 503 504'
-    bunkerweb.io/MAX_CLIENT_SIZE: '50m'
+    bunkerweb.io/USE_TEMPLATE: "ui"
     {{- with .Values.settings.ui.ingress.extraAnnotations }}
       {{- toYaml . | nindent 4 }}
     {{- end }}

charts/bunkerweb/values.yaml

@@ -53,6 +53,9 @@ settings:
   #   - totp-secrets      : TOTP secrets for 2FA
   #   - mariadb-user      : MariaDB username
   #   - mariadb-password  : MariaDB password
+  #   - api-token         : API Bearer token
+  #   - api-username      : API username, also require api-password
+  #   - api-password      : API password, also require api-username
   existingSecret: ""
 
   # ----- KUBERNETES INTEGRATION -----
@@ -141,6 +144,75 @@ settings:
     # TOTP secrets for two-factor authentication
     totpSecrets: ""
 
+  api:
+    # Authentication settings
+    # https://docs.bunkerweb.io/latest/api/#authentication
+    # API Bearer Token
+    # Leave Empty if using settings.existingSecret
+    apiToken: ""
+    # OR/AND API Username and Password
+    # Leave Empty if using settings.existingSecret
+    apiUsername: ""
+    apiPassword: ""
+    # OR/AND ConfigMap name that includes ACL based JSON File
+    # https://docs.bunkerweb.io/latest/api/#permissions-acl
+    apiAclBootstrapFile: ""
+
+    # API Configuration
+    # https://docs.bunkerweb.io/latest/api/#configuration
+    # Root path for the API
+    rootPath: ""
+    # URL for API documentation, set to an empty value to disable
+    docsUrl: "/docs"
+    # URL for ReDoc API documentation, set to an empty value to disable
+    redocUrl: "/redoc"
+    # URL for OpenAPI specification, set to an empty value to disable
+    openApiUrl: "/openapi.json"
+    # Forwarded allow IPs for correct client IP detection
+    forwardedAllowIps: "*"
+    # Whitelist configuration for API access
+    whitelist:
+      # Enable API whitelist functionality
+      enabled: true
+      # space-separated list of IPs/CIDR allowed to access the API
+      whitelistIps: "10.0.0.0/8"
+
+    # Rate limiting configuration for API access
+    # https://docs.bunkerweb.io/latest/api/#rate-limiting
+    rateLimit:
+      # Enable request rate limiting
+      enabled: true
+      # Strategy: "fixed-window" or "moving-window" or "sliding-window"
+      # https://limits.readthedocs.io/en/stable/strategies.html
+      strategy: "fixed-window"
+      # Rate limit per period,
+      # Supported formats: "[10/seconde]", "[100/minute]", "[1000/day]"
+      # https://limits.readthedocs.io/en/stable/quickstart.html#rate-limit-string-notation
+      defaults: ["100/minute"]
+
+    # Ingress configuration for API access
+    ingress:
+      # Set to true to create an Ingress resource for the API
+      enabled: false
+
+      # IngressClass name to use
+      ingressClassName: ""
+
+      # Domain name for API access
+      # Example: "bunkerweb-api.example.com"
+      serverName: ""
+
+      # Path for API access (usually "/")
+      serverPath: "/"
+
+      # Additional annotations for the Ingress resource
+      # Example: {"cert-manager.io/cluster-issuer": "letsencrypt-prod"}
+      extraAnnotations: {}
+
+      # Secret name containing TLS certificate
+      # Leave empty to disable HTTPS
+      tlsSecretName: ""
+
 # =============================================================================
 # SERVICE CONFIGURATION
 # =============================================================================
@@ -1023,6 +1095,67 @@ ui:
     timeoutSeconds: 1
     failureThreshold: 3
 
+# =============================================================================
+# EXTERNAL API COMPONENT
+# =============================================================================
+# External API for BunkerWeb that exposes REST interface for automation tools
+
+api:
+  # Enable the external API
+  enabled: true
+
+  # Container image configuration
+  repository: bunkerity/bunkerweb-api
+  tag: 1.6.6
+  pullPolicy: Always
+
+  # Image pull secrets (overrides global setting)
+  imagePullSecrets: []
+
+  # Node selector (overrides global setting)
+  nodeSelector: {}
+
+  # Tolerations (overrides global setting)
+  tolerations: []
+
+  # Resource requests and limits
+  # RECOMMENDED: Uncomment and adjust for production
+  # resources:
+  #   requests:
+  #     cpu: "100m"
+  #     memory: "256Mi"
+  #   limits:
+  #     cpu: "250m"
+  #     memory: "512Mi"
+
+  # Additional pod annotations
+  podAnnotations: {}
+
+  # Additional pod labels
+  podLabels: {}
+
+  # Security context for API container
+  securityContext:
+    runAsUser: 101
+    runAsGroup: 101
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+
+  # Additional environment variables
+  extraEnvs: []
+
+  # Liveness probe configuration
+  livenessProbe:
+    exec:
+      command:
+        - /usr/share/bunkerweb/helpers/healthcheck-api.sh
+    initialDelaySeconds: 30
+    periodSeconds: 5
+    timeoutSeconds: 1
+    failureThreshold: 3
+
 # =============================================================================
 # DATABASE (MARIADB) COMPONENT
 # =============================================================================