chore: implements docker-compose.

example/kong/POSTGRES_PASSWORD

@@ -0,0 +1 @@
+kong

example/kong/config/kong.yaml

@@ -0,0 +1,3 @@
+# a very minimal declarative config file
+_format_version: "2.1"
+_transform: true

example/kong/docker-compose.yaml

@@ -0,0 +1,146 @@
+# Inspired in https://github.com/Kong/docker-kong
+version: '3.9'
+
+x-kong-config:
+  &kong-env
+  KONG_DATABASE: postgres
+  KONG_PG_DATABASE: ${KONG_PG_DATABASE:-kong}
+  KONG_PG_HOST: db
+  KONG_PG_USER: ${KONG_PG_USER:-kong}
+  KONG_PG_PASSWORD_FILE: /run/secrets/kong_postgres_password
+
+volumes:
+  kong_data: {}
+  kong_prefix_vol:
+    driver_opts:
+      type: tmpfs
+      device: tmpfs
+  kong_tmp_vol:
+    driver_opts:
+      type: tmpfs
+      device: tmpfs
+
+networks:
+  kong-net:
+    external: false
+
+services:
+  kong-migrations:
+    image: "kong/incubator:gateway-wasmer-3.0.0.0"
+    command: kong migrations bootstrap
+    depends_on:
+      - db
+    environment:
+      <<: *kong-env
+    secrets:
+      - kong_postgres_password
+    networks:
+      - kong-net
+    restart: on-failure
+
+  kong-migrations-up:
+    image: "kong/incubator:gateway-wasmer-3.0.0.0"
+    command: kong migrations up && kong migrations finish
+    depends_on:
+      - db
+      - kong-migrations
+    environment:
+      <<: *kong-env
+    secrets:
+      - kong_postgres_password
+    networks:
+      - kong-net
+    restart: on-failure
+
+  kong:
+    image: "kong/incubator:gateway-wasmer-3.0.0.0"
+    user: "${KONG_USER:-kong}"
+    environment:
+      <<: *kong-env
+      KONG_ADMIN_ACCESS_LOG: /dev/stdout
+      KONG_ADMIN_ERROR_LOG: /dev/stderr
+      KONG_PROXY_LISTEN: "${KONG_PROXY_LISTEN:-0.0.0.0:8000}"
+      KONG_ADMIN_LISTEN: "${KONG_ADMIN_LISTEN:-0.0.0.0:8001}"
+      KONG_PROXY_ACCESS_LOG: /dev/stdout
+      KONG_PROXY_ERROR_LOG: /dev/stderr
+      KONG_PREFIX: ${KONG_PREFIX:-/var/run/kong}
+      KONG_DECLARATIVE_CONFIG: "/opt/kong/kong.yaml"
+      KONG_WASM: "on"
+      KONG_WASM_MODULES: "/wasm/main.wasm"
+    secrets:
+      - kong_postgres_password
+    networks:
+      - kong-net
+    ports:
+      # The following two environment variables default to an insecure value (0.0.0.0)
+      # according to the CIS Security test.
+      - "${KONG_INBOUND_PROXY_LISTEN:-0.0.0.0}:8000:8000/tcp"
+      - "${KONG_INBOUND_SSL_PROXY_LISTEN:-0.0.0.0}:8443:8443/tcp"
+      # Making them mandatory but undefined, like so would be backwards-breaking:
+      # - "${KONG_INBOUND_PROXY_LISTEN?Missing inbound proxy host}:8000:8000/tcp"
+      # - "${KONG_INBOUND_SSL_PROXY_LISTEN?Missing inbound proxy ssl host}:8443:8443/tcp"
+      # Alternative is deactivating check 5.13 in the security bench, if we consider Kong's own config to be enough security here
+
+      - "127.0.0.1:8001:8001/tcp"
+      - "127.0.0.1:8444:8444/tcp"
+    healthcheck:
+      test: [ "CMD", "kong", "health" ]
+      interval: 10s
+      timeout: 10s
+      retries: 10
+    restart: on-failure:5
+    read_only: true
+    volumes:
+      - kong_prefix_vol:${KONG_PREFIX:-/var/run/kong}
+      - kong_tmp_vol:/tmp
+      - ./config:/opt/kong
+      - ../../build:/wasm
+    security_opt:
+      - no-new-privileges
+    depends_on:
+      - httpbin
+
+  db:
+    image: postgres:9.5
+    environment:
+      POSTGRES_DB: ${KONG_PG_DATABASE:-kong}
+      POSTGRES_USER: ${KONG_PG_USER:-kong}
+      POSTGRES_PASSWORD_FILE: /run/secrets/kong_postgres_password
+    secrets:
+      - kong_postgres_password
+    healthcheck:
+      test: [ "CMD", "pg_isready", "-U", "${KONG_PG_USER:-kong}" ]
+      interval: 30s
+      timeout: 30s
+      retries: 3
+    restart: on-failure
+    stdin_open: true
+    tty: true
+    networks:
+      - kong-net
+    volumes:
+      - kong_data:/var/lib/postgresql/data
+
+  httpbin:
+    image: mccutchen/go-httpbin:v2.5.0
+    environment:
+      - MAX_BODY_SIZE=15728640 # 15 MiB
+    ports:
+      - 10080:8080
+    networks:
+      - kong-net
+
+  service-provisioner:
+    image: clue/httpie
+    volumes:
+      - .:/run
+    entrypoint: [ "/run/service-provisioner.sh" ]
+    depends_on:
+      - httpbin
+      - kong
+    networks:
+      - kong-net
+
+secrets:
+  kong_postgres_password:
+    file: ./POSTGRES_PASSWORD

example/kong/service-provisioner.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+UPSTREAM_HOST=${UPSTREAM_HOST:-httpbin}
+KONG_HOST=${KONG_HOST:-kong}
+KONG_HOSTPORT=${KONG_HOST}:8001
+
+numRetries=0
+for numRetries in {1..5}; do 
+    sleep 10
+    http ${KONG_HOSTPORT} && break
+    echo "Retrying...";
+done
+
+if [ numRetries == 5 ] exit 1; fi
+
+http --ignore-stdin POST ${KONG_HOSTPORT}/services name="httpbin" host="${UPSTREAM_HOST}" path="/" port:=10080 protocol="http"
+
+http --ignore-stdin POST ${KONG_HOSTPORT}/services/httpbin/routes name="httpbin" "paths[]=/" "paths[]=/anything" "paths[]=/uuid"
+
+http --ignore-stdin POST ${KONG_HOSTPORT}/services/httpbin/plugins name="proxy-wasm" \
+    "config[filters][0][name]=main" \
+    "config[filters][0][config]={\"rules\":[\"Include @demo-conf\",\"Include @crs-setup-demo-conf\",\"SecDebugLogLevel 3\",\"Include @owasp_crs/*.conf\",\"SecRule REQUEST_URI \\\"@streq /uuid\\\" \\\"id:101,phase:1,t:lowercase,deny\\\" \\\nSecRule REQUEST_BODY \\\"@rx maliciouspayload\\\" \\\"id:102,phase:2,t:lowercase,deny\\\" \\\nSecRule RESPONSE_HEADERS::status \\\"@rx 406\\\" \\\"id:103,phase:3,t:lowercase,deny\\\" \\\nSecRule RESPONSE_BODY \\\"@contains responsebodycode\\\" \\\"id:104,phase:4,t:lowercase,deny\\\"\"]}"
+
+http --ignore-stdin GET ${KONG_HOST}:8000/