Merge branch 'crowdsecurity:main' into main

.github/workflows/release.yaml

@@ -6,6 +6,7 @@ on:
       - main
     paths:
       - 'charts/*/templates/**'
+      - 'charts/*/README.md.gotmpl'
       - 'charts/*/*.yaml'
 
 jobs:

charts/crowdsec/Chart.yaml

@@ -1,79 +1,6 @@
 apiVersion: v2
 name: crowdsec
-description: |
-  Crowdsec helm chart is an open-source, lightweight agent to detect and respond to bad behaviours.
-
-  ## Get Repo Info
-
-  ```
-  helm repo add crowdsec https://crowdsecurity.github.io/helm-charts
-  helm repo update
-  ```
-
-  ## Installing the Chart
-
-  Before installing the chart, you need to understand some [concepts](https://docs.crowdsec.net/docs/concepts) of Crowdsec.
-  So you can configure well the chart and being able to parse logs and detect attacks inside your Kubernetes cluster.
-
-  Here is a [blog post](https://crowdsec.net/blog/kubernetes-crowdsec-integration/) about crowdsec in kubernetes.
-
-  ```
-  # Create namespace for crowdsec
-  kubectl create ns crowdsec
-  # Install helm chart with proper values.yaml config
-  helm install crowdsec crowdsec/crowdsec -f crowdsec-values.yaml -n crowdsec
-  ```
-
-  ## Uninstalling the Chart
-
-  ```
-  helm delete crowdsec -n crowdsec
-  ```
-
-  ## Setup for High Availability
-
-  Below a basic configuration for High availability
-
-  ```
-  # your-values.yaml
-
-  # Configure external DB (https://docs.crowdsec.net/docs/configuration/crowdsec_configuration/#configuration-example)
-  config:
-    config.yaml.local: |
-      db_config:
-        type:     postgresql
-        user:     crowdsec
-        password: ${DB_PASSWORD}
-        db_name:  crowdsec
-        host:     192.168.0.2
-        port:     5432
-        sslmode:  require
-
-  lapi:
-    # 2 or more replicas for HA
-    replicas: 2
-    # You can specify your own CS_LAPI_SECRET, or let the chart generate one. Length must be >= 64
-    secrets:
-      csLapiSecret: <anyRandomSecret>
-    # Specify your external DB password here
-    extraSecrets:
-      dbPassword: <externalDbPassword>
-    persistentVolume:
-      # When replicas for LAPI is greater than 1, two options, persistent volumes must be disabled, or in ReadWriteMany mode
-      config:
-        enabled: false
-      # data volume is not required, since SQLite isn't used
-      data:
-        enabled: false
-    # DB Password passed through environment variable
-    env:
-      - name: DB_PASSWORD
-        valueFrom:
-          secretKeyRef:
-            name: crowdsec-lapi-secrets
-            key: dbPassword
-  ```
-
+description: Crowdsec helm chart is an open-source, lightweight agent to detect and respond to bad behaviours.
 # A chart can be either an 'application' or a 'library' chart.
 #
 # Application charts are a collection of templates that can be packaged into versioned archives
@@ -87,7 +14,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.15.0
+version: 0.16.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/crowdsec/README.md

@@ -1,6 +1,6 @@
 # crowdsec
 
-![Version: 0.15.0](https://img.shields.io/badge/Version-0.15.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.6.4](https://img.shields.io/badge/AppVersion-v1.6.4-informational?style=flat-square)
+![Version: 0.16.0](https://img.shields.io/badge/Version-0.16.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.6.4](https://img.shields.io/badge/AppVersion-v1.6.4-informational?style=flat-square)
 
 Crowdsec helm chart is an open-source, lightweight agent to detect and respond to bad behaviours.
 
@@ -75,6 +75,147 @@ lapi:
           key: dbPassword
 ```
 
+## Setup for AppSec (WAF)
+
+Below a basic configuration for AppSec (WAF)
+
+```
+# your-values.yaml (option 1)
+appsec:
+  enabled: true
+  acquisitions:
+    - source: appsec
+      listen_addr: "0.0.0.0:7422"
+      path: /
+      appsec_config: crowdsecurity/virtual-patching
+      labels:
+        type: appsec
+  env:
+    - name: COLLECTIONS
+      value: "crowdsecurity/appsec-virtual-patching"
+
+# This allows the LAPI pod to register and communicate with the appsec pod
+config:
+  config.yaml.local: |
+    api:
+      server:
+        auto_registration:
+          enabled: true
+          token: "${REGISTRATION_TOKEN}" # /!\ Do not modify this variable (auto-generated and handled by the chart)
+          allowed_ranges:
+            - "127.0.0.1/32"
+            - "192.168.0.0/16"
+            - "10.0.0.0/8"
+            - "172.16.0.0/12"
+```
+
+Or you can also use your own custom configurations and rules for AppSec:
+
+```
+# your-values.yaml (option 2)
+appsec:
+  enabled: true
+  acquisitions:
+    - source: appsec
+      listen_addr: "0.0.0.0:7422"
+      path: /
+      appsec_config: crowdsecurity/crs-vpatch
+      labels:
+        type: appsec
+  configs:
+    mycustom-appsec-config.yaml: |
+      name: crowdsecurity/crs-vpatch
+      default_remediation: ban
+      #log_level: debug
+      outofband_rules:
+        - crowdsecurity/crs
+      inband_rules:
+        - crowdsecurity/base-config
+        - crowdsecurity/vpatch-*
+  env:
+    - name: COLLECTIONS
+      value: "crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-crs"
+
+# This allows the LAPI pod to register and communicate with the appsec pod
+config:
+  config.yaml.local: |
+    api:
+      server:
+        auto_registration:
+          enabled: true
+          token: "${REGISTRATION_TOKEN}" # /!\ Do not modify this variable (auto-generated and handled by the chart)
+          allowed_ranges:
+            - "127.0.0.1/32"
+            - "192.168.0.0/16"
+            - "10.0.0.0/8"
+            - "172.16.0.0/12"
+```
+
+### With Traefik
+
+In the traefik `values.yaml`, you need to add the following configuration:
+
+```
+# traefik-values.yaml
+experimental:
+  plugins:
+    crowdsec-bouncer:
+      moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
+      version: v1.3.3
+additionalArguments:
+  - "--entrypoints.web.http.middlewares=<NAMESPACE>-crowdsec-bouncer@kubernetescrd"
+  - "--entrypoints.websecure.http.middlewares=<NAMESPACE>-crowdsec-bouncer@kubernetescrd"
+  - "--providers.kubernetescrd"
+```
+
+And then, you can apply this middleware to your traefik ingress:
+
+```
+# crowdsec-bouncer-middleware.yaml
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: crowdsec-bouncer
+  namespace: default
+spec:
+  plugin:
+    crowdsec-bouncer:
+      enabled: true
+      crowdsecMode: appsec
+      crowdsecAppsecEnabled: true
+      crowdsecAppsecHost: crowdsec-appsec-service:7422
+      crowdsecLapiScheme: http
+      crowdsecLapiHost: crowdsec-service:8080
+      crowdsecLapiKey: "<YOUR_BOUNCER_KEY>"
+```
+
+### With Ingrees Nginx
+
+Following [this documentation](https://docs.crowdsec.net/u/bouncers/ingress-nginx).
+
+In the nginx ingress `upgrade-values.yaml`, you need to add the following configuration:
+
+```
+controller:
+  extraInitContainers:
+    - name: init-clone-crowdsec-bouncer
+      env:
+        - name: APPSEC_URL
+          value: "http://crowdsec-appsec-service.default.svc.cluster.local:7422"
+        - name: APPSEC_FAILURE_ACTION
+          value: "passthrough"
+        - name: APPSEC_CONNECT_TIMEOUT
+          value: "100"
+        - name: APPSEC_SEND_TIMEOUT
+          value: "100"
+        - name: APPSEC_PROCESS_TIMEOUT
+          value: "1000"
+        - name: ALWAYS_SEND_TO_APPSEC
+          value: "false"
+        - name: SSL_VERIFY
+          value: "true"
+```
+
 ## Values
 
 | Key | Type | Default | Description |
@@ -150,6 +291,7 @@ lapi:
 | lapi.metrics.serviceMonitor | object | `{"additionalLabels":{},"enabled":false}` | See also: https://github.com/prometheus-community/helm-charts/issues/106#issuecomment-700847774 |
 | lapi.strategy.type | string | `"Recreate"` |  |
 | lapi.secrets.csLapiSecret | string | `""` | Shared LAPI secret. Will be generated randomly if not specified. Size must be > 64 characters |
+| lapi.secrets.registrationToken | string | `""` | Registration Token for Appsec. Will be generated randomly if not specified. Size must be > 48 characters |
 | lapi.extraSecrets | object | `{}` | Any extra secrets you may need (for example, external DB password) |
 | lapi.lifecycle | object | `{}` |  |
 | lapi.storeCAPICredentialsInSecret | bool | `false` | If set to true, the Central API credentials will be stored in a secret (to use when lapi replicas > 1) |
@@ -195,22 +337,27 @@ lapi:
 | agent.wait_for_lapi.image.repository | string | `"busybox"` | docker image repository name |
 | agent.wait_for_lapi.image.pullPolicy | string | `"IfNotPresent"` | pullPolicy |
 | agent.wait_for_lapi.image.tag | string | `"1.28"` | docker image tag |
-| appsec | object | `{"acquisitions":[],"affinity":{},"configs":{},"deployAnnotations":{},"enabled":false,"env":null,"extraInitContainers":[],"metrics":{"enabled":true,"serviceMonitor":{"additionalLabels":{},"enabled":false}},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"priorityClassName":"","resources":{"limits":{"cpu":"500m","memory":"250Mi"},"requests":{"cpu":"500m","memory":"250Mi"}},"rules":{},"service":{"annotations":{},"externalIPs":[],"externalTrafficPolicy":"Cluster","labels":{},"loadBalancerClass":null,"loadBalancerIP":null,"type":"ClusterIP"},"strategy":{"type":"Recreate"},"tolerations":[]}` | Enable AppSec (https://docs.crowdsec.net/docs/next/appsec/intro) |
+| appsec | object | `{"acquisitions":[],"affinity":{},"configs":{},"deployAnnotations":{},"enabled":false,"env":[],"extraInitContainers":[],"extraVolumeMounts":[],"extraVolumes":[],"livenessProbe":{"failureThreshold":3,"httpGet":{"path":"/metrics","port":"metrics","scheme":"HTTP"},"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5},"metrics":{"enabled":true,"serviceMonitor":{"additionalLabels":{},"enabled":false}},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"priorityClassName":"","readinessProbe":{"failureThreshold":3,"httpGet":{"path":"/metrics","port":"metrics","scheme":"HTTP"},"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"250Mi"},"requests":{"cpu":"500m","memory":"250Mi"}},"rules":{},"service":{"annotations":{},"externalIPs":[],"externalTrafficPolicy":"Cluster","labels":{},"loadBalancerClass":null,"loadBalancerIP":null,"type":"ClusterIP"},"startupProbe":{"failureThreshold":30,"httpGet":{"path":"/metrics","port":"metrics","scheme":"HTTP"},"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5},"strategy":{"type":"Recreate"},"tolerations":[]}` | Enable AppSec (https://docs.crowdsec.net/docs/next/appsec/intro) |
 | appsec.enabled | bool | `false` | Enable AppSec (by default disabled) |
+| appsec.replicas | int | `1` | replicas for Appsec |
+| appsec.strategy | object | `{"type":"Recreate"}` | strategy for appsec deployment |
 | appsec.acquisitions | list | `[]` | Additional acquisitions for AppSec |
 | appsec.configs | object | `{}` | appsec_configs (https://docs.crowdsec.net/docs/next/appsec/configuration): key is the filename, value is the config content |
 | appsec.rules | object | `{}` | appsec_rules (https://docs.crowdsec.net/docs/next/appsec/rules_syntax) |
-| appsec.env | string | `nil` | environment variables |
-| appsec.deployAnnotations | object | `{}` | appsec deployment annotations |
-| appsec.strategy | object | `{"type":"Recreate"}` | strategy for appsec deployment |
-| appsec.podAnnotations | object | `{}` | podAnnotations for appsec deployment |
-| appsec.podLabels | object | `{}` | podLabels for appsec deployment |
-| appsec.tolerations | list | `[]` | tolerations for appsec deployment |
-| appsec.nodeSelector | object | `{}` | nodeSelector for appsec deployment |
-| appsec.affinity | object | `{}` | affinity for appsec deployment |
-| appsec.priorityClassName | string | `""` | priorityClassName for appsec deployment |
-| appsec.extraInitContainers | list | `[]` | extraInitContainers for appsec deployment |
-| appsec.resources | object | `{"limits":{"cpu":"500m","memory":"250Mi"},"requests":{"cpu":"500m","memory":"250Mi"}}` | resources for appsec deployment |
+| appsec.priorityClassName | string | `""` | priorityClassName for appsec pods |
+| appsec.deployAnnotations | object | `{}` | Annotations to be added to appsec deployment |
+| appsec.podAnnotations | object | `{}` | podAnnotations for appsec pods |
+| appsec.podLabels | object | `{}` | podLabels for appsec pods |
+| appsec.extraInitContainers | list | `[]` | extraInitContainers for appsec pods |
+| appsec.extraVolumes | list | `[]` | Extra volumes to be added to appsec pods |
+| appsec.extraVolumeMounts | list | `[]` | Extra volumeMounts to be added to appsec pods |
+| appsec.resources | object | `{"limits":{"cpu":"500m","memory":"250Mi"},"requests":{"cpu":"500m","memory":"250Mi"}}` | resources for appsec pods |
+| appsec.env | list | `[]` | environment variables |
+| appsec.nodeSelector | object | `{}` | nodeSelector for appsec |
+| appsec.tolerations | list | `[]` | tolerations for appsec |
+| appsec.affinity | object | `{}` | affinity for appsec |
+| appsec.livenessProbe | object | `{"failureThreshold":3,"httpGet":{"path":"/metrics","port":"metrics","scheme":"HTTP"},"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5}` | livenessProbe for appsec |
+| appsec.readinessProbe | object | `{"failureThreshold":3,"httpGet":{"path":"/metrics","port":"metrics","scheme":"HTTP"},"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5}` | readinessProbe for appsec |
+| appsec.startupProbe | object | `{"failureThreshold":30,"httpGet":{"path":"/metrics","port":"metrics","scheme":"HTTP"},"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5}` | startupProbe for appsec |
 | appsec.metrics | object | `{"enabled":true,"serviceMonitor":{"additionalLabels":{},"enabled":false}}` | Enable service monitoring (exposes "metrics" port "6060" for Prometheus and "7422" for AppSec)  |
-| appsec.metrics.serviceMonitor | object | `{"additionalLabels":{},"enabled":false}` | See also: https://github.com/prometheus-community/helm-charts/issues/106#issuecomment-700847774 |
-
+| appsec.metrics.serviceMonitor | object | `{"additionalLabels":{},"enabled":false}` | See also: https://github.com/prometheus-community/helm-charts/issues/106#issuecomment-700847774 |