From 7667295919d279f24df766afeff06ca8c8ae0300 Mon Sep 17 00:00:00 2001 From: he2ss Date: Thu, 5 Dec 2024 15:02:25 +0100 Subject: [PATCH 1/7] fix(crowdsec): update readme (#210) * fix(crowdsec): update readme --- .github/workflows/release.yaml | 1 + charts/crowdsec/Chart.yaml | 75 +--------- charts/crowdsec/README.md.gotmpl | 228 +++++++++++++++++++++++++++++++ 3 files changed, 230 insertions(+), 74 deletions(-) create mode 100644 charts/crowdsec/README.md.gotmpl diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 00c24a2..a7456b0 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -6,6 +6,7 @@ on: - main paths: - 'charts/*/templates/**' + - 'charts/*/README.md.gotmpl' - 'charts/*/*.yaml' jobs: diff --git a/charts/crowdsec/Chart.yaml b/charts/crowdsec/Chart.yaml index 12516f7..ee10b60 100644 --- a/charts/crowdsec/Chart.yaml +++ b/charts/crowdsec/Chart.yaml 
@@ -1,79 +1,6 @@ apiVersion: v2 name: crowdsec -description: | - Crowdsec helm chart is an open-source, lightweight agent to detect and respond to bad behaviours. - - ## Get Repo Info - - ``` - helm repo add crowdsec https://crowdsecurity.github.io/helm-charts - helm repo update - ``` - - ## Installing the Chart - - Before installing the chart, you need to understand some [concepts](https://docs.crowdsec.net/docs/concepts) of Crowdsec. - So you can configure well the chart and being able to parse logs and detect attacks inside your Kubernetes cluster. - - Here is a [blog post](https://crowdsec.net/blog/kubernetes-crowdsec-integration/) about crowdsec in kubernetes. - - ``` - # Create namespace for crowdsec - kubectl create ns crowdsec - # Install helm chart with proper values.yaml config - helm install crowdsec crowdsec/crowdsec -f crowdsec-values.yaml -n crowdsec - ``` - - ## Uninstalling the Chart - - ``` - helm delete crowdsec -n crowdsec - ``` - - ## Setup for High Availability - - Below a basic configuration for High availability - - ``` - # your-values.yaml - - # Configure external DB (https://docs.crowdsec.net/docs/configuration/crowdsec_configuration/#configuration-example) - config: - config.yaml.local: | - db_config: - type: postgresql - user: crowdsec - password: ${DB_PASSWORD} - db_name: crowdsec - host: 192.168.0.2 - port: 5432 - sslmode: require - - lapi: - # 2 or more replicas for HA - replicas: 2 - # You can specify your own CS_LAPI_SECRET, or let the chart generate one. 
Length must be >= 64 - secrets: - csLapiSecret: - # Specify your external DB password here - extraSecrets: - dbPassword: - persistentVolume: - # When replicas for LAPI is greater than 1, two options, persistent volumes must be disabled, or in ReadWriteMany mode - config: - enabled: false - # data volume is not required, since SQLite isn't used - data: - enabled: false - # DB Password passed through environment variable - env: - - name: DB_PASSWORD - valueFrom: - secretKeyRef: - name: crowdsec-lapi-secrets - key: dbPassword - ``` - +description: Crowdsec helm chart is an open-source, lightweight agent to detect and respond to bad behaviours. # A chart can be either an 'application' or a 'library' chart. # # Application charts are a collection of templates that can be packaged into versioned archives diff --git a/charts/crowdsec/README.md.gotmpl b/charts/crowdsec/README.md.gotmpl new file mode 100644 index 0000000..15d7a12 --- /dev/null +++ b/charts/crowdsec/README.md.gotmpl 
@@ -0,0 +1,228 @@ +{{ template "chart.header" . }} +{{ template "chart.deprecationWarning" . }} + +{{ template "chart.badgesSection" . }} + +{{ template "chart.description" . }} + +## Get Repo Info + +``` +helm repo add crowdsec https://crowdsecurity.github.io/helm-charts +helm repo update +``` + +## Installing the Chart + +Before installing the chart, you need to understand some [concepts](https://docs.crowdsec.net/docs/concepts) of Crowdsec. +So you can configure well the chart and being able to parse logs and detect attacks inside your Kubernetes cluster. + +Here is a [blog post](https://crowdsec.net/blog/kubernetes-crowdsec-integration/) about crowdsec in kubernetes. + +``` +# Create namespace for crowdsec +kubectl create ns crowdsec +# Install helm chart with proper values.yaml config +helm install crowdsec crowdsec/crowdsec -f crowdsec-values.yaml -n crowdsec +``` + +## Uninstalling the Chart + +``` +helm delete crowdsec -n crowdsec +``` + +## Setup for High Availability + +Below a basic configuration for High availability + +``` +# your-values.yaml + +# Configure external DB (https://docs.crowdsec.net/docs/configuration/crowdsec_configuration/#configuration-example) +config: + config.yaml.local: | + db_config: + type: postgresql + user: crowdsec + password: ${DB_PASSWORD} + db_name: crowdsec + host: 192.168.0.2 + port: 5432 + sslmode: require + +lapi: + # 2 or more replicas for HA + replicas: 2 + # You can specify your own CS_LAPI_SECRET, or let the chart generate one. 
Length must be >= 64 + secrets: + csLapiSecret: + # Specify your external DB password here + extraSecrets: + dbPassword: + persistentVolume: + # When replicas for LAPI is greater than 1, two options, persistent volumes must be disabled, or in ReadWriteMany mode + config: + enabled: false + # data volume is not required, since SQLite isn't used + data: + enabled: false + # DB Password passed through environment variable + env: + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: crowdsec-lapi-secrets + key: dbPassword +``` + +## Setup for AppSec (WAF) + +Below a basic configuration for AppSec (WAF) + +``` +# your-values.yaml (option 1) +appsec: + enabled: true + acquisitions: + - source: appsec + listen_addr: "0.0.0.0:7422" + path: / + appsec_config: crowdsecurity/virtual-patching + labels: + type: appsec + env: + - name: COLLECTIONS + value: "crowdsecurity/appsec-virtual-patching" + +# This allows the LAPI pod to register and communicate with the appsec pod +config: + config.yaml.local: | + api: + server: + auto_registration: + enabled: true + token: "${REGISTRATION_TOKEN}" # /!\ Do not modify this variable (auto-generated and handled by the chart) + allowed_ranges: + - "127.0.0.1/32" + - "192.168.0.0/16" + - "10.0.0.0/8" + - "172.16.0.0/12" +``` + +Or you can also use your own custom configurations and rules for AppSec: + +``` +# your-values.yaml (option 2) +appsec: + enabled: true + acquisitions: + - source: appsec + listen_addr: "0.0.0.0:7422" + path: / + appsec_config: crowdsecurity/crs-vpatch + labels: + type: appsec + configs: + mycustom-appsec-config.yaml: | + name: crowdsecurity/crs-vpatch + default_remediation: ban + #log_level: debug + outofband_rules: + - crowdsecurity/crs + inband_rules: + - crowdsecurity/base-config + - crowdsecurity/vpatch-* + env: + - name: COLLECTIONS + value: "crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-crs" + +# This allows the LAPI pod to register and communicate with the appsec pod +config: + 
config.yaml.local: | + api: + server: + auto_registration: + enabled: true + token: "${REGISTRATION_TOKEN}" # /!\ Do not modify this variable (auto-generated and handled by the chart) + allowed_ranges: + - "127.0.0.1/32" + - "192.168.0.0/16" + - "10.0.0.0/8" + - "172.16.0.0/12" +``` + +### With Traefik + +In the traefik `values.yaml`, you need to add the following configuration: + +``` +# traefik-values.yaml +experimental: + plugins: + crowdsec-bouncer: + moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin + version: v1.3.3 +additionalArguments: + - "--entrypoints.web.http.middlewares=-crowdsec-bouncer@kubernetescrd" + - "--entrypoints.websecure.http.middlewares=-crowdsec-bouncer@kubernetescrd" + - "--providers.kubernetescrd" +``` + +And then, you can apply this middleware to your traefik ingress: + +``` +# crowdsec-bouncer-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: crowdsec-bouncer + namespace: default +spec: + plugin: + crowdsec-bouncer: + enabled: true + crowdsecMode: appsec + crowdsecAppsecEnabled: true + crowdsecAppsecHost: crowdsec-appsec-service:7422 + crowdsecLapiScheme: http + crowdsecLapiHost: crowdsec-service:8080 + crowdsecLapiKey: "" +``` + +### With Ingrees Nginx + +Following [this documentation](https://docs.crowdsec.net/u/bouncers/ingress-nginx). + +In the nginx ingress `upgrade-values.yaml`, you need to add the following configuration: + +``` +controller: + extraInitContainers: + - name: init-clone-crowdsec-bouncer + env: + - name: APPSEC_URL + value: "http://crowdsec-appsec-service.default.svc.cluster.local:7422" + - name: APPSEC_FAILURE_ACTION + value: "passthrough" + - name: APPSEC_CONNECT_TIMEOUT + value: "100" + - name: APPSEC_SEND_TIMEOUT + value: "100" + - name: APPSEC_PROCESS_TIMEOUT + value: "1000" + - name: ALWAYS_SEND_TO_APPSEC + value: "false" + - name: SSL_VERIFY + value: "true" +``` + +{{ template "chart.homepageLine" . }} + +{{ template "chart.maintainersSection" . 
}} + +{{ template "chart.sourcesSection" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} \ No newline at end of file From 95b8b8e66fad06caa3d0ec658772bf6b0a9e48a4 Mon Sep 17 00:00:00 2001 From: he2ss Date: Thu, 5 Dec 2024 14:02:54 +0000 Subject: [PATCH 2/7] Regenerate chart README.md --- charts/crowdsec/README.md | 144 +++++++++++++++++++++++++++++++++++++- 1 file changed, 142 insertions(+), 2 deletions(-) diff --git a/charts/crowdsec/README.md b/charts/crowdsec/README.md index b730155..5e1b613 100644 --- a/charts/crowdsec/README.md +++ b/charts/crowdsec/README.md 
@@ -75,6 +75,147 @@ lapi: key: dbPassword ``` +## Setup for AppSec (WAF) + +Below a basic configuration for AppSec (WAF) + +``` +# your-values.yaml (option 1) +appsec: + enabled: true + acquisitions: + - source: appsec + listen_addr: "0.0.0.0:7422" + path: / + appsec_config: crowdsecurity/virtual-patching + labels: + type: appsec + env: + - name: COLLECTIONS + value: "crowdsecurity/appsec-virtual-patching" + +# This allows the LAPI pod to register and communicate with the appsec pod +config: + config.yaml.local: | + api: + server: + auto_registration: + enabled: true + token: "${REGISTRATION_TOKEN}" # /!\ Do not modify this variable (auto-generated and handled by the chart) + allowed_ranges: + - "127.0.0.1/32" + - "192.168.0.0/16" + - "10.0.0.0/8" + - "172.16.0.0/12" +``` + +Or you can also use your own custom configurations and rules for AppSec: + +``` +# your-values.yaml (option 2) +appsec: + enabled: true + acquisitions: + - source: appsec + listen_addr: "0.0.0.0:7422" + path: / + appsec_config: crowdsecurity/crs-vpatch + labels: + type: appsec + configs: + mycustom-appsec-config.yaml: | + name: crowdsecurity/crs-vpatch + default_remediation: ban + #log_level: debug + outofband_rules: + - crowdsecurity/crs + inband_rules: + - crowdsecurity/base-config + - crowdsecurity/vpatch-* + env: + - name: COLLECTIONS + value: "crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-crs" + +# This allows the LAPI pod to register and communicate with the appsec pod +config: + config.yaml.local: | + api: + server: + auto_registration: + enabled: true + token: "${REGISTRATION_TOKEN}" # /!\ Do not modify this variable (auto-generated and handled by the chart) + allowed_ranges: + - "127.0.0.1/32" + - "192.168.0.0/16" + - "10.0.0.0/8" + - "172.16.0.0/12" +``` + +### With Traefik + +In the traefik `values.yaml`, you need to add the following configuration: + +``` +# traefik-values.yaml +experimental: + plugins: + crowdsec-bouncer: + moduleName: 
github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin + version: v1.3.3 +additionalArguments: + - "--entrypoints.web.http.middlewares=-crowdsec-bouncer@kubernetescrd" + - "--entrypoints.websecure.http.middlewares=-crowdsec-bouncer@kubernetescrd" + - "--providers.kubernetescrd" +``` + +And then, you can apply this middleware to your traefik ingress: + +``` +# crowdsec-bouncer-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: crowdsec-bouncer + namespace: default +spec: + plugin: + crowdsec-bouncer: + enabled: true + crowdsecMode: appsec + crowdsecAppsecEnabled: true + crowdsecAppsecHost: crowdsec-appsec-service:7422 + crowdsecLapiScheme: http + crowdsecLapiHost: crowdsec-service:8080 + crowdsecLapiKey: "" +``` + +### With Ingrees Nginx + +Following [this documentation](https://docs.crowdsec.net/u/bouncers/ingress-nginx). + +In the nginx ingress `upgrade-values.yaml`, you need to add the following configuration: + +``` +controller: + extraInitContainers: + - name: init-clone-crowdsec-bouncer + env: + - name: APPSEC_URL + value: "http://crowdsec-appsec-service.default.svc.cluster.local:7422" + - name: APPSEC_FAILURE_ACTION + value: "passthrough" + - name: APPSEC_CONNECT_TIMEOUT + value: "100" + - name: APPSEC_SEND_TIMEOUT + value: "100" + - name: APPSEC_PROCESS_TIMEOUT + value: "1000" + - name: ALWAYS_SEND_TO_APPSEC + value: "false" + - name: SSL_VERIFY + value: "true" +``` + ## Values | Key | Type | Default | Description | 
@@ -212,5 +353,4 @@ lapi: | appsec.extraInitContainers | list | `[]` | extraInitContainers for appsec deployment | | appsec.resources | object | `{"limits":{"cpu":"500m","memory":"250Mi"},"requests":{"cpu":"500m","memory":"250Mi"}}` | resources for appsec deployment | | appsec.metrics | object | `{"enabled":true,"serviceMonitor":{"additionalLabels":{},"enabled":false}}` | Enable service monitoring (exposes "metrics" port "6060" for Prometheus and "7422" for AppSec) | -| appsec.metrics.serviceMonitor | object | `{"additionalLabels":{},"enabled":false}` | See also: https://github.com/prometheus-community/helm-charts/issues/106#issuecomment-700847774 | - +| appsec.metrics.serviceMonitor | object | `{"additionalLabels":{},"enabled":false}` | See also: https://github.com/prometheus-community/helm-charts/issues/106#issuecomment-700847774 | \ No newline at end of file From 368856778281d513842e586011a8dddc5d8ad67e Mon Sep 17 00:00:00 2001 From: srkoster <89455157+srkoster@users.noreply.github.com> Date: Mon, 9 Dec 2024 17:05:54 +0100 Subject: [PATCH 3/7] Change agent username/password into auto_registration (#209) * Replace agent username + password authentication with auto_registration token --- charts/crowdsec/templates/_helpers.tpl | 28 ---------- .../crowdsec/templates/agent-daemonSet.yaml | 52 ++++++++++++++----- .../crowdsec/templates/agent-deployment.yaml | 52 ++++++++++++++----- .../crowdsec/templates/lapi-deployment.yaml | 13 ----- charts/crowdsec/templates/secrets.yaml | 15 ------ charts/crowdsec/values.yaml | 10 ++++ 6 files changed, 88 insertions(+), 82 deletions(-) delete mode 100644 charts/crowdsec/templates/secrets.yaml diff --git a/charts/crowdsec/templates/_helpers.tpl b/charts/crowdsec/templates/_helpers.tpl index 39bf3fb..08c2c1f 100644 --- a/charts/crowdsec/templates/_helpers.tpl +++ b/charts/crowdsec/templates/_helpers.tpl 
@@ -1,34 +1,6 @@ # vim: set ft=gotmpl: --- -{{/* -Generate username if not specified in values -*/}} -{{ define "agent.username" }} -{{- if .Values.secrets.username }} - {{- .Values.secrets.username -}} -{{- else if (lookup "v1" "Secret" .Release.Namespace "agent-credentials").data }} - {{- $obj := (lookup "v1" "Secret" .Release.Namespace "agent-credentials").data -}} - {{- index $obj "username" | b64dec -}} -{{- else -}} - {{- randAlphaNum 48 -}} -{{- end -}} -{{- end -}} - -{{/* -Generate password if not specified in values -*/}} -{{ define "agent.password" }} -{{- if .Values.secrets.password }} - {{- .Values.secrets.password -}} -{{- else if (lookup "v1" "Secret" .Release.Namespace "agent-credentials").data }} - {{- $obj := (lookup "v1" "Secret" .Release.Namespace "agent-credentials").data -}} - {{- index $obj "password" | b64dec -}} -{{- else -}} - {{- randAlphaNum 48 -}} -{{- end -}} -{{- end -}} - {{/* Generate CS_LAPI_SECRET if not specified in values */}} diff --git a/charts/crowdsec/templates/agent-daemonSet.yaml b/charts/crowdsec/templates/agent-daemonSet.yaml index 380c053..e5197d1 100644 --- a/charts/crowdsec/templates/agent-daemonSet.yaml +++ b/charts/crowdsec/templates/agent-daemonSet.yaml @@ -23,7 +23,6 @@ spec: template: metadata: annotations: - checksum/agent-secret: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} checksum/agent-configmap: {{ include (print $.Template.BasePath "/agent-configmap.yaml") . | sha256sum }} checksum/acquis-configmap: {{ include (print $.Template.BasePath "/acquis-configmap.yaml") . | sha256sum }} {{- if .Values.podAnnotations }} 
@@ -51,10 +50,17 @@ spec: {{ toYaml .Values.image.pullSecrets | indent 8 }} {{- end }} initContainers: + {{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }} + - name: wait-for-lapi-and-register + image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: ['sh', '-c', 'until nc "$LAPI_HOST" "$LAPI_PORT" -z; do echo waiting for lapi to start; sleep 5; done; ln -s /staging/etc/crowdsec /etc/crowdsec && cscli lapi register --machine "$USERNAME" -u $LAPI_URL --token "$REGISTRATION_TOKEN" && cp /etc/crowdsec/local_api_credentials.yaml /tmp_config/local_api_credentials.yaml'] + {{- else }} - name: wait-for-lapi image: "{{ .Values.agent.wait_for_lapi.image.repository }}:{{ .Values.agent.wait_for_lapi.image.tag }}" imagePullPolicy: {{ .Values.agent.wait_for_lapi.image.pullPolicy }} command: ['sh', '-c', "until nc {{ .Release.Name }}-service.{{ .Release.Namespace }} 8080 -z; do echo waiting for lapi to start; sleep 5; done"] + {{- end }} resources: limits: memory: 50Mi @@ -64,6 +70,27 @@ spec: securityContext: allowPrivilegeEscalation: false privileged: false + {{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }} + volumeMounts: + - name: crowdsec-config + mountPath: /tmp_config + env: + - name: REGISTRATION_TOKEN + valueFrom: + secretKeyRef: + name: crowdsec-lapi-secrets + key: registrationToken + - name: USERNAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: LAPI_URL + value: http://{{ .Release.Name }}-service.{{ .Release.Namespace }}:8080 + - name: LAPI_HOST + value: "{{ .Release.Name }}-service.{{ .Release.Namespace }}" + - name: LAPI_PORT + value: "8080" + {{- end }} {{- if .Values.agent.extraInitContainers }} {{- toYaml .Values.agent.extraInitContainers | nindent 6 }} {{- end }} 
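Review bot: The new `wait-for-lapi-and-register` init container always registers against a plain `http://` endpoint (`LAPI_URL` in the env block below, passed as `-u $LAPI_URL`), yet the guarding condition `or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth)` also selects the case where `tls.enabled` is true and only client-cert auth is off; if LAPI serves TLS in that configuration (the agent container's `LOCAL_API_URL` branches sit outside this hunk, so I cannot confirm it), the registration token would be sent in cleartext to a TLS port and the call would fail. Consider deriving the scheme from the TLS flag, e.g. `value: {{ if .Values.tls.enabled }}https{{ else }}http{{ end }}://{{ .Release.Name }}-service.{{ .Release.Namespace }}:8080`. Two smaller points: `$LAPI_URL` is the only unquoted expansion in the command, so `-u "$LAPI_URL"` keeps it consistent with the others; and the `resources` block that follows the `{{- end }}` (50Mi limit, unchanged context) was sized for the busybox `nc` loop, whereas this branch now runs the full crowdsec image plus `cscli` under the same limit and is worth checking for OOM kills.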
@@ -71,6 +98,9 @@ spec: - name: crowdsec-agent image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }} + command: ['sh', '-c', 'cp /tmp_config/local_api_credentials.yaml /staging/etc/crowdsec/local_api_credentials.yaml && ./docker_start.sh'] + {{- end }} env: - name: DISABLE_LOCAL_API value: "true" @@ -98,18 +128,6 @@ spec: - name: LOCAL_API_URL value: http://{{ .Release.Name }}-service.{{ .Release.Namespace }}:8080 {{- end }} - {{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }} - - name: AGENT_USERNAME - valueFrom: - secretKeyRef: - name: agent-credentials - key: username - - name: AGENT_PASSWORD - valueFrom: - secretKeyRef: - name: agent-credentials - key: password - {{- end }} {{- if .Values.tls.insecureSkipVerify }} - name: INSECURE_SKIP_VERIFY value: {{ quote .Values.tls.insecureSkipVerify }} @@ -151,6 +169,10 @@ spec: command: ['sh', '-c', 'mv -n /staging/etc/crowdsec/* /etc/crowdsec_data/ && rm -rf /staging/etc/crowdsec && ln -s /etc/crowdsec_data /etc/crowdsec && ./docker_start.sh'] {{- end }} volumeMounts: + {{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }} + - name: crowdsec-config + mountPath: /tmp_config + {{- end }} {{- $crowdsecConfig := "/etc/crowdsec" -}} {{- if .Values.agent.persistentVolume.config.enabled -}} {{- $crowdsecConfig = "/etc/crowdsec_data" }} @@ -216,6 +238,10 @@ spec: - name: acquis-config-volume configMap: name: acquis-configmap + {{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }} + - name: crowdsec-config + emptyDir: {} + {{- end }} {{- if .Values.agent.hostVarLog }} - name: varlog hostPath: diff --git a/charts/crowdsec/templates/agent-deployment.yaml b/charts/crowdsec/templates/agent-deployment.yaml index 495a70c..f58a31c 100644 
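Review bot: The added `command:` override on the `crowdsec-agent` container can collide with the existing override rendered for the persistent-config case (`command: ['sh', '-c', 'mv -n /staging/etc/crowdsec/* /etc/crowdsec_data/ ...']`, visible as context in the -151 hunk of this file, inside a conditional whose opening is outside the hunk and which I assume is `agent.persistentVolume.config.enabled`). When both conditions hold the container spec carries two `command` keys, so either the YAML loader keeps the last one or the manifest is rejected, and in the first case the credentials copy from `/tmp_config` is silently skipped and the agent starts without LAPI credentials. Merge the two into one conditional command that copies `local_api_credentials.yaml` first and then performs the `mv -n`/`ln -s` relocation only when the persistent volume is enabled, and add `# single command: credentials copy and PV relocation must not be emitted twice` above it so the two branches are not split again.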
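Review bot: The `crowdsec-config` emptyDir receives `local_api_credentials.yaml`, i.e. the machine login and password obtained by the registration init container, and a default emptyDir is backed by the node's disk. Declaring it as `emptyDir: { medium: Memory }` keeps the credential in tmpfs so it disappears with the pod rather than lingering on the kubelet's filesystem. This only narrows exposure: the agent container still copies the file into `/staging/etc/crowdsec`, which lands in the container's writable layer regardless.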
--- a/charts/crowdsec/templates/agent-deployment.yaml +++ b/charts/crowdsec/templates/agent-deployment.yaml @@ -23,7 +23,6 @@ spec: template: metadata: annotations: - checksum/agent-secret: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} checksum/agent-configmap: {{ include (print $.Template.BasePath "/agent-configmap.yaml") . | sha256sum }} checksum/acquis-configmap: {{ include (print $.Template.BasePath "/acquis-configmap.yaml") . | sha256sum }} {{- if .Values.podAnnotations }} @@ -51,10 +50,17 @@ spec: {{ toYaml .Values.image.pullSecrets | indent 8 }} {{- end }} initContainers: + {{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }} + - name: wait-for-lapi-and-register + image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: ['sh', '-c', 'until nc "$LAPI_HOST" "$LAPI_PORT" -z; do echo waiting for lapi to start; sleep 5; done; ln -s /staging/etc/crowdsec /etc/crowdsec && cscli lapi register --machine "$USERNAME" -u $LAPI_URL --token "$REGISTRATION_TOKEN" && cp /etc/crowdsec/local_api_credentials.yaml /tmp_config/local_api_credentials.yaml'] + {{- else }} - name: wait-for-lapi image: "{{ .Values.agent.wait_for_lapi.image.repository }}:{{ .Values.agent.wait_for_lapi.image.tag }}" imagePullPolicy: {{ .Values.agent.wait_for_lapi.image.pullPolicy }} command: ['sh', '-c', "until nc {{ .Release.Name }}-service.{{ .Release.Namespace }} 8080 -z; do echo waiting for lapi to start; sleep 5; done"] + {{- end }} resources: limits: memory: 50Mi 
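Review bot: `USERNAME` is taken from `metadata.name` in the env block of the -64 hunk, and for a Deployment every rollout or restart produces a new pod name, so each new pod registers a fresh machine with LAPI while nothing in this hunk deletes the previous pod's machine. Unless LAPI prunes inactive machines on its own — not something this diff shows — the machine list grows on every rollout and stale entries keep server-side credentials that were only ever held in an emptyDir. A preStop hook that deregisters the machine, or a periodic cleanup documented for operators, would close that; at minimum add `# NOTE: machine names follow pod names; stale registrations accumulate across rollouts` above the `USERNAME` entry. As in the DaemonSet, `-u $LAPI_URL` is the one unquoted expansion in the command and should be `-u "$LAPI_URL"`.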
@@ -64,6 +70,27 @@ spec: securityContext: allowPrivilegeEscalation: false privileged: false + {{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }} + volumeMounts: + - name: crowdsec-config + mountPath: /tmp_config + env: + - name: REGISTRATION_TOKEN + valueFrom: + secretKeyRef: + name: crowdsec-lapi-secrets + key: registrationToken + - name: USERNAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: LAPI_URL + value: http://{{ .Release.Name }}-service.{{ .Release.Namespace }}:8080 + - name: LAPI_HOST + value: "{{ .Release.Name }}-service.{{ .Release.Namespace }}" + - name: LAPI_PORT + value: "8080" + {{- end }} {{- if .Values.agent.extraInitContainers }} {{- toYaml .Values.agent.extraInitContainers | nindent 6 }} {{- end }} @@ -71,6 +98,9 @@ spec: - name: crowdsec-agent image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }} + command: ['sh', '-c', 'cp /tmp_config/local_api_credentials.yaml /staging/etc/crowdsec/local_api_credentials.yaml && ./docker_start.sh'] + {{- end }} env: - name: DISABLE_LOCAL_API value: "true" @@ -98,18 +128,6 @@ spec: - name: LOCAL_API_URL value: http://{{ .Release.Name }}-service.{{ .Release.Namespace }}:8080 {{- end }} - {{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }} - - name: AGENT_USERNAME - valueFrom: - secretKeyRef: - name: agent-credentials - key: username - - name: AGENT_PASSWORD - valueFrom: - secretKeyRef: - name: agent-credentials - key: password - {{- end }} {{- if .Values.tls.insecureSkipVerify }} - name: INSECURE_SKIP_VERIFY value: {{ quote .Values.tls.insecureSkipVerify }} 
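Review bot: The `command:` override added in the -71 hunk of this file duplicates the key already rendered for the persistent-config path (`command: ['sh', '-c', 'mv -n /staging/etc/crowdsec/* /etc/crowdsec_data/ ...']`, context in the -154 hunk, whose enclosing conditional opens outside the diff). With both conditions true the container gets two `command` entries and one of the two setup steps — the credentials copy from `/tmp_config` or the PV relocation — is dropped depending on how the loader treats duplicate keys. Fold the credentials copy into the persistent-volume command so a single `command:` is emitted whichever branch applies.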
@@ -154,6 +172,10 @@ spec: command: ['sh', '-c', 'mv -n /staging/etc/crowdsec/* /etc/crowdsec_data/ && rm -rf /staging/etc/crowdsec && ln -s /etc/crowdsec_data /etc/crowdsec && ./docker_start.sh'] {{- end }} volumeMounts: + {{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }} + - name: crowdsec-config + mountPath: /tmp_config + {{- end }} {{- $crowdsecConfig := "/etc/crowdsec" -}} {{- if .Values.agent.persistentVolume.config.enabled -}} {{- $crowdsecConfig = "/etc/crowdsec_data" }} @@ -216,6 +238,10 @@ spec: {{- end }} terminationGracePeriodSeconds: 30 volumes: + {{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }} + - name: crowdsec-config + emptyDir: {} + {{- end }} - name: acquis-config-volume configMap: name: acquis-configmap diff --git a/charts/crowdsec/templates/lapi-deployment.yaml b/charts/crowdsec/templates/lapi-deployment.yaml index 1998c98..d4d4495 100644 --- a/charts/crowdsec/templates/lapi-deployment.yaml +++ b/charts/crowdsec/templates/lapi-deployment.yaml @@ -27,7 +27,6 @@ spec: template: metadata: annotations: - checksum/agent-secret: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} checksum/lapi-secret: {{ include (print $.Template.BasePath "/lapi-secrets.yaml") . | sha256sum }} checksum/lapi-configmap: {{ include (print $.Template.BasePath "/lapi-configmap.yaml") . | sha256sum }} {{- if .Values.podAnnotations }} @@ -82,18 +81,6 @@ spec: - name: LOCAL_API_URL value: http://localhost:8080 {{- end }} - {{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }} - - name: AGENT_USERNAME - valueFrom: - secretKeyRef: - name: agent-credentials - key: username - - name: AGENT_PASSWORD - valueFrom: - secretKeyRef: - name: agent-credentials - key: password - {{- end }} - name: DISABLE_AGENT value: "true" {{- if .Values.lapi.dashboard.enabled }} 
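Review bot: The `crowdsec-config` volume added in the -216 hunk holds the registered machine's `local_api_credentials.yaml`, and a plain `emptyDir: {}` is backed by node disk. Use `emptyDir: { medium: Memory }` so the secret stays in tmpfs and is gone when the pod is; the copy into `/staging/etc/crowdsec` in the container's writable layer remains, so this is a reduction rather than a removal of the exposure. The LAPI-side removal of `AGENT_USERNAME`/`AGENT_PASSWORD` in this line's lapi-deployment hunks is pure deletion, but it leaves the registration token as the only non-TLS agent authentication path, which needs to be enabled on the LAPI side (see values.yaml).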
diff --git a/charts/crowdsec/templates/secrets.yaml b/charts/crowdsec/templates/secrets.yaml deleted file mode 100644 index c8319b3..0000000 --- a/charts/crowdsec/templates/secrets.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# vim: set ft=gotmpl: ---- - -apiVersion: v1 -kind: Secret -metadata: - name: agent-credentials - labels: - k8s-app: {{ .Release.Name }} - type: lapi - version: v1 -type: Opaque -data: - username: {{ include "agent.username" . | b64enc }} - password: {{ include "agent.password" . | b64enc }} diff --git a/charts/crowdsec/values.yaml b/charts/crowdsec/values.yaml index 7c5a2f7..afb5de5 100644 --- a/charts/crowdsec/values.yaml +++ b/charts/crowdsec/values.yaml @@ -83,6 +83,16 @@ config: # -- General configuration (https://docs.crowdsec.net/docs/configuration/crowdsec_configuration/#configuration-example) config.yaml.local: "" # | + # api: + # server: + # auto_registration: # Activate if not using TLS for authentication or when using Appsec + # enabled: true + # token: "${REGISTRATION_TOKEN}" # /!\ Do not modify this variable (auto-generated and handled by the chart) + # allowed_ranges: + # - "127.0.0.1/32" + # - "192.168.0.0/16" + # - "10.0.0.0/8" + # - "172.16.0.0/12" # db_config: # type: postgresql # user: crowdsec From 31d4478fe80e09da5d9b9ae7268e2aa37b261711 Mon Sep 17 00:00:00 2001 From: srkoster <89455157+srkoster@users.noreply.github.com> Date: Mon, 16 Dec 2024 18:45:28 +0100 Subject: [PATCH 4/7] Appsec high availability using replicas (#208) * Add appsec registrationToken to values.yaml and generate if empty * Removed agent.additionalAcquisition --- charts/crowdsec/ci/crowdsec-values.yaml | 60 +----------- charts/crowdsec/templates/_helpers.tpl | 14 +++ .../crowdsec/templates/appsec-deployment.yaml | 98 +++++++++---------- charts/crowdsec/templates/lapi-secrets.yaml | 2 +- .../templates/tests/test_agent_up.yaml | 15 +-- charts/crowdsec/values.yaml | 95 +++++++++++++----- 6 files changed, 135 insertions(+), 149 deletions(-) 
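Review bot: `auto_registration` is only added as a commented example while `config.yaml.local` still defaults to `""`, yet this same patch deletes the username/password secret and makes `cscli lapi register --token` the sole agent authentication path when TLS client auth is off; unless the chart's LAPI configmap enables `auto_registration` elsewhere (not visible in this diff), a default install now has agents that cannot register. Either render `auto_registration.enabled: true` with the generated token into the LAPI config by default, or make the README/values comment say plainly that the block must be uncommented for the default (non-TLS) deployment. The example `allowed_ranges` also spans all of RFC1918, which allows any workload in the cluster (or on adjacent networks) that obtains the token to register a machine; suggest `# allowed_ranges: restrict to your cluster's pod CIDR — the RFC1918 ranges below are an example, not a recommendation` above the list.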
diff --git a/charts/crowdsec/ci/crowdsec-values.yaml b/charts/crowdsec/ci/crowdsec-values.yaml index 0cc9da2..b87cf47 100644 --- a/charts/crowdsec/ci/crowdsec-values.yaml +++ b/charts/crowdsec/ci/crowdsec-values.yaml @@ -11,64 +11,8 @@ config: - "10.0.0.0/8" - "172.16.0.0/12" agent: - additionalAcquisition: - - source: file - filenames: - - /var/log/auth.log - force_inotify: true - labels: - type: syslog - - source: file - filename: /var/log/auth.log - labels: - type: syslog - - source: journalctl - journalctl_filter: - - "_SYSTEMD_UNIT=sshd.service" - labels: - type: syslog - - source: cloudwatch - group_name: /aws/my/group - aws_profile: monitoring - stream_regexp: "^stream[0-9]+$" - labels: - type: apigateway - - source: kinesis - stream_arn: arn:aws:kinesis:eu-west-1:123456789012:stream/my-stream - use_enhanced_fanout: true - consumer_name: my-consumer - labels: - type: mytype - - source: syslog - listen_addr: 127.0.0.1 - listen_port: 514 - labels: - type: syslog - program: syslog - - source: docker - container_name: - - "my-container" - container_id: - - "1234567890abcdef" - labels: - type: docker - - source: wineventlog - xpath_query: | - - labels: - type: eventlog - - source: kafka - brokers: - - "localhost:9093" - topic: "my-topic" - timeout: 5 - tls: - insecure_skip_verify: true - client_cert: /path/kafkaClient.certificate.pem - client_key: /path/kafkaClient.key - ca_cert: /path/ca.crt - labels: - type: nginx + metrics: + enabled: true acquisition: - namespace: test podName: test-* diff --git a/charts/crowdsec/templates/_helpers.tpl b/charts/crowdsec/templates/_helpers.tpl index 08c2c1f..01c1dcc 100644 --- a/charts/crowdsec/templates/_helpers.tpl +++ b/charts/crowdsec/templates/_helpers.tpl 
@@ -15,6 +15,20 @@ Generate CS_LAPI_SECRET if not specified in values {{- end -}} {{- end -}} +{{/* +Generate registrationToken if not specified in values +*/}} +{{ define "lapi.registrationToken" }} +{{- if .Values.lapi.secrets.registrationToken }} + {{- .Values.lapi.secrets.registrationToken -}} +{{- else if (lookup "v1" "Secret" .Release.Namespace "crowdsec-lapi-secrets").data }} + {{- $obj := (lookup "v1" "Secret" .Release.Namespace "crowdsec-lapi-secrets").data -}} + {{- index $obj "registrationToken" | b64dec -}} +{{- else -}} + {{- randAlphaNum 48 -}} +{{- end -}} +{{- end -}} + {{/* notifications parameters check */}} diff --git a/charts/crowdsec/templates/appsec-deployment.yaml b/charts/crowdsec/templates/appsec-deployment.yaml index b226fd7..99b0d02 100644 --- a/charts/crowdsec/templates/appsec-deployment.yaml +++ b/charts/crowdsec/templates/appsec-deployment.yaml @@ -15,12 +15,12 @@ metadata: {{ toYaml .Values.appsec.deployAnnotations | trim | indent 4 }} {{- end }} spec: - replicas: 1 + replicas: {{ .Values.appsec.replicas }} + strategy: {{- toYaml .Values.appsec.strategy | nindent 4 }} selector: matchLabels: k8s-app: {{ .Release.Name }} type: appsec - strategy: {{- toYaml .Values.appsec.strategy | nindent 4 }} template: metadata: annotations: 
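Review bot: `lapi.registrationToken` returns any user-supplied `.Values.lapi.secrets.registrationToken` unchecked, while the values comment added in this patch says the size "must be > 48 characters" and the fallback generates exactly 48 with `randAlphaNum 48` — one of the two is wrong, and a short token silently weakens what is now the only agent auth path without TLS client auth. Add a guard in the first branch, `{{- if lt (len .Values.lapi.secrets.registrationToken) 48 }}{{ fail "lapi.secrets.registrationToken must be at least 48 characters" }}{{ end }}`, and align the comment to `>= 48`. A comment is also warranted that `lookup` returns nothing under `helm template`/`--dry-run`, so rendering outside a live cluster yields a fresh random token on every run; the `lapi.csLapiSecret` helper above follows the same pattern and starts outside this hunk.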
@@ -100,6 +100,38 @@ spec: {{- with .Values.appsec.env }} {{- toYaml . | nindent 10 }} {{- end }} + resources: + {{- toYaml .Values.appsec.resources | nindent 10 }} + ports: + - name: appsec + containerPort: 7422 + protocol: TCP + {{- if .Values.appsec.metrics.enabled }} + - name: metrics + containerPort: 6060 + protocol: TCP + + {{/* Probes depend on the metrics port, there is no other service on the log processor */}} + + {{ if .Values.appsec.livenessProbe }} + livenessProbe: +{{ toYaml .Values.appsec.livenessProbe | indent 10 }} + {{ end }} + {{ if .Values.appsec.readinessProbe }} + readinessProbe: +{{ toYaml .Values.appsec.readinessProbe | indent 10 }} + {{ end }} + {{ if .Values.appsec.startupProbe }} + startupProbe: +{{ toYaml .Values.appsec.startupProbe | indent 10 }} + {{ end }} + + {{ end }} + + securityContext: + allowPrivilegeEscalation: false + privileged: false + volumeMounts: - name: crowdsec-config mountPath: /tmp_config 
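Review bot: The liveness/readiness/startup probes are now emitted only inside `{{- if .Values.appsec.metrics.enabled }}` and only when `.Values.appsec.livenessProbe` etc. are set, replacing the unconditional `tcpSocket` probes on port `appsec` removed in the next hunk; the values.yaml hunks later in this patch add `replicas`, `strategy`, `resources` and friends but no probe keys, so unless they are defined elsewhere in values.yaml (outside this diff) an appsec pod ships with no probes, and with metrics disabled it can never have any. Without a readiness probe the appsec Service routes bouncer traffic to a replica before it listens on 7422, which matters more now that replicas and rollouts are supported. The comment `Probes depend on the metrics port, there is no other service on the log processor` also reads as copied from the agent template — this container serves 7422, which is exactly what the old probes checked. Suggest moving the probe block out of the metrics conditional and defaulting to a TCP check on `appsec` when the values are unset:

```yaml
          ports:
            - name: appsec
              containerPort: 7422
              protocol: TCP
            {{- if .Values.appsec.metrics.enabled }}
            - name: metrics
              containerPort: 6060
              protocol: TCP
            {{- end }}
          # probes are independent of the metrics port: 7422 is always served
          readinessProbe:
            {{- toYaml (.Values.appsec.readinessProbe | default (dict "tcpSocket" (dict "port" "appsec"))) | nindent 12 }}
          livenessProbe:
            {{- toYaml (.Values.appsec.livenessProbe | default (dict "tcpSocket" (dict "port" "appsec"))) | nindent 12 }}
          # … startupProbe with the same default; securityContext and volumeMounts unchanged …
```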
@@ -120,58 +152,12 @@ spec: subPath: {{ $fileName }} {{- end }} {{- end }} - resources: - {{- toYaml .Values.appsec.resources | nindent 10 }} - ports: - - name: appsec - containerPort: 7422 - protocol: TCP - {{- if .Values.appsec.metrics.enabled }} - - name: metrics - containerPort: 6060 - protocol: TCP + {{- if .Values.appsec.extraVolumeMounts }} + {{ toYaml .Values.appsec.extraVolumeMounts | nindent 10 }} {{- end }} - livenessProbe: - failureThreshold: 3 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - tcpSocket: - port: appsec - readinessProbe: - failureThreshold: 3 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - tcpSocket: - port: appsec - startupProbe: - failureThreshold: 30 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - tcpSocket: - port: appsec - - securityContext: - allowPrivilegeEscalation: false - privileged: false - terminationGracePeriodSeconds: 30 - {{- with .Values.appsec.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.appsec.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- if .Values.appsec.priorityClassName }} - priorityClassName: {{ .Values.appsec.priorityClassName }} - {{- end}} - volumes: - name: appsec-acquis-config-volume configMap: @@ -198,4 +184,16 @@ spec: path: {{ $fileName }} {{- end }} {{- end }} + {{- if .Values.appsec.extraVolumes }} + {{ toYaml .Values.appsec.extraVolumes | nindent 6 }} + {{- end }} + {{- with .Values.appsec.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.appsec.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + priorityClassName: {{ .Values.appsec.priorityClassName }} {{- end }} \ No newline at end of file diff --git a/charts/crowdsec/templates/lapi-secrets.yaml b/charts/crowdsec/templates/lapi-secrets.yaml index 67efe1d..c0a3fe6 100644 --- a/charts/crowdsec/templates/lapi-secrets.yaml +++ b/charts/crowdsec/templates/lapi-secrets.yaml 
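Review bot: `priorityClassName: {{ .Values.appsec.priorityClassName }}` lost its `{{- if }}` guard when it moved to the end of the pod spec, so with the new default `""` it renders as a bare `priorityClassName:` (YAML null) and a non-empty value is emitted unquoted. The API server tolerates the null, but schema linters flag it and a value containing YAML specials would break the manifest; restore the guard with quoting, `{{- with .Values.appsec.priorityClassName }}` / `priorityClassName: {{ . | quote }}` / `{{- end }}`. The removed `terminationGracePeriodSeconds: 30` is a no-op change only because 30s is the API default — worth a line in the commit message if intentional.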
@@ -12,7 +12,7 @@ metadata:
 type: Opaque
 data:
 csLapiSecret: {{ include "lapi.csLapiSecret" . | b64enc }}
- registrationToken: {{ randAlphaNum 48 | b64enc }}
+ registrationToken: {{ include "lapi.registrationToken" . | b64enc }}
 {{- with .Values.lapi.extraSecrets }}
 {{- range $key, $value := . }}
 {{ $key }}: {{ $value | b64enc }}
diff --git a/charts/crowdsec/templates/tests/test_agent_up.yaml b/charts/crowdsec/templates/tests/test_agent_up.yaml
index aa3d1f4..d89c719 100644
--- a/charts/crowdsec/templates/tests/test_agent_up.yaml
+++ b/charts/crowdsec/templates/tests/test_agent_up.yaml
@@ -9,22 +9,9 @@ spec:
 containers:
 - name: "{{ .Release.Name }}-test-agent"
 image: curlimages/curl
- env:
- - name: AGENT_USERNAME
- valueFrom:
- secretKeyRef:
- name: agent-credentials
- key: username
- - name: AGENT_PASSWORD
- valueFrom:
- secretKeyRef:
- name: agent-credentials
- key: password
 command:
 - /bin/sh
 - -ec
 - |
- http_code=$(curl -s -o /dev/null -w "%{http_code}" http://{{ .Release.Name }}-service:8080/v1/watchers/login \
- -H 'Content-Type: application/json' -d '{"machine_id": "'"$AGENT_USERNAME"'", "password":"'"$AGENT_PASSWORD"'"}'); \
- if [ "$http_code" == "200" ]; then echo 'connection to lapi succeed' && exit 0; else echo 'failed connect to lapi' && exit 1; fi
+ curl -XGET http://{{ .Release.Name }}-agent-service:6060/metrics
 restartPolicy: Never
diff --git a/charts/crowdsec/values.yaml b/charts/crowdsec/values.yaml
index afb5de5..a2086be 100644
--- a/charts/crowdsec/values.yaml
+++ b/charts/crowdsec/values.yaml
@@ -300,6 +300,8 @@ lapi:
 secrets:
 # -- Shared LAPI secret. Will be generated randomly if not specified. Size must be > 64 characters
 csLapiSecret: ""
+ # -- Registration Token for Appsec. Will be generated randomly if not specified. Size must be > 48 characters
+ registrationToken: ""
 # -- Any extra secrets you may need (for example, external DB password)
 extraSecrets: {}
 # dbPassword: randomPass
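Review bot: `registrationToken` now comes from `include "lapi.registrationToken"`, whose definition is not visible in this chunk, so two properties of that helper are worth confirming before merge: that it honours a user-supplied `lapi.secrets.registrationToken`, and that it keeps an already-deployed token stable across `helm upgrade`, since the replaced `randAlphaNum 48` re-rolled the value on every render and would have invalidated existing AppSec registrations. If the helper relies on `lookup` for stability, note that `lookup` returns nothing under `helm template` and `--dry-run`, so the fallback path must still yield a non-empty value. The accompanying values.yaml comment in hunk `@@ -300,6 +300,8 @@` (`Size must be > 48 characters`) also contradicts the exactly-48-character token the chart generated until now; `at least 48 characters`, or whatever length LAPI actually enforces, would avoid documenting a rule the chart's own default breaks.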
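Review bot: The rewritten helm test command `curl -XGET http://{{ .Release.Name }}-agent-service:6060/metrics` exits 0 for any HTTP status, including 4xx and 5xx, because curl only fails on transport errors unless `--fail` is given, so the test passes whenever anything answers on port 6060. Replace it with `curl -sSf http://{{ .Release.Name }}-agent-service:6060/metrics` so a non-2xx response fails the pod (`-ec` already aborts on a non-zero exit). Note also that the removed `env` block and `/v1/watchers/login` call were the only coverage of the agent-to-LAPI credential path, so a broken `agent-credentials` secret will no longer be caught by `helm test`; if that coverage is wanted, keep it as a second test pod.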
@@ -505,6 +507,12 @@ agent:
 appsec:
 # -- Enable AppSec (by default disabled)
 enabled: false
+ # -- replicas for Appsec
+ replicas: 1
+ # -- strategy for appsec deployment
+ strategy:
+ type: Recreate
+
 # -- Additional acquisitions for AppSec
 acquisitions: []
 #- source: appsec
@@ -549,8 +557,31 @@ appsec:
 # - cve.CVE-xxxx-xxxxx
 # - attack.Txxxx
+ # -- priorityClassName for appsec pods
+ priorityClassName: ""
+ # -- Annotations to be added to appsec deployment
+ deployAnnotations: {}
+ # -- podAnnotations for appsec pods
+ podAnnotations: {}
+ # -- podLabels for appsec pods
+ podLabels: {}
+ # -- extraInitContainers for appsec pods
+ extraInitContainers: []
+ # -- Extra volumes to be added to appsec pods
+ extraVolumes: []
+ # -- Extra volumeMounts to be added to appsec pods
+ extraVolumeMounts: []
+ # -- resources for appsec pods
+ resources:
+ limits:
+ memory: 250Mi
+ cpu: 500m
+ requests:
+ cpu: 500m
+ memory: 250Mi
+
 # -- environment variables
- env:
+ env: []
 # -- COLLECTIONS to install, separated by space (value: "crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-crs")
 #- name: COLLECTIONS
 # value: "crowdsecurity/appsec-virtual-patching"
@@ -567,33 +598,45 @@ appsec:
 #- name: DISABLE_APPSEC_CONFIGS
 # value: ""
- # -- appsec deployment annotations
- deployAnnotations: {}
- # -- strategy for appsec deployment
- strategy:
- type: Recreate
- # -- podAnnotations for appsec deployment
- podAnnotations: {}
- # -- podLabels for appsec deployment
- podLabels: {}
- # -- tolerations for appsec deployment
- tolerations: []
- # -- nodeSelector for appsec deployment
+ # -- nodeSelector for appsec
 nodeSelector: {}
- # -- affinity for appsec deployment
+
+ # -- tolerations for appsec
+ tolerations: []
+ # -- affinity for appsec
 affinity: {}
- # -- priorityClassName for appsec deployment
- priorityClassName: ""
- # -- extraInitContainers for appsec deployment
- extraInitContainers: []
- # -- resources for appsec deployment
- resources:
- limits:
- memory: 250Mi
- cpu: 500m
- requests:
- cpu: 500m
- memory: 250Mi
+
+ # -- livenessProbe for appsec
+ livenessProbe:
+ httpGet:
+ path: /metrics
+ port: metrics
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ failureThreshold: 3
+ # -- readinessProbe for appsec
+ readinessProbe:
+ httpGet:
+ path: /metrics
+ port: metrics
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ failureThreshold: 3
+ # -- startupProbe for appsec
+ startupProbe:
+ httpGet:
+ path: /metrics
+ port: metrics
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ failureThreshold: 30
+
 # -- Enable service monitoring (exposes "metrics" port "6060" for Prometheus and "7422" for AppSec)
 metrics:
 enabled: true
From 299c666520440e47ace8eedee56161affa0840ba Mon Sep 17 00:00:00 2001
From: he2ss
Date: Mon, 16 Dec 2024 17:45:56 +0000
Subject: [PATCH 5/7] Regenerate chart README.md
---
 charts/crowdsec/README.md | 31 +++++++++++++++++++------------
 1 file changed, 19 insertions(+), 12 deletions(-)
diff --git a/charts/crowdsec/README.md b/charts/crowdsec/README.md
index 5e1b613..04ccaf8 100644
--- a/charts/crowdsec/README.md
+++ b/charts/crowdsec/README.md
@@ -291,6 +291,7 @@ controller:
 | lapi.metrics.serviceMonitor | object | `{"additionalLabels":{},"enabled":false}` | See also: https://github.com/prometheus-community/helm-charts/issues/106#issuecomment-700847774 |
 | lapi.strategy.type | string | `"Recreate"` | |
 | lapi.secrets.csLapiSecret | string | `""` | Shared LAPI secret. Will be generated randomly if not specified. Size must be > 64 characters |
+| lapi.secrets.registrationToken | string | `""` | Registration Token for Appsec. Will be generated randomly if not specified. Size must be > 48 characters |
 | lapi.extraSecrets | object | `{}` | Any extra secrets you may need (for example, external DB password) |
 | lapi.lifecycle | object | `{}` | |
 | lapi.storeCAPICredentialsInSecret | bool | `false` | If set to true, the Central API credentials will be stored in a secret (to use when lapi replicas > 1) |
@@ -336,21 +337,27 @@ controller:
 | agent.wait_for_lapi.image.repository | string | `"busybox"` | docker image repository name |
 | agent.wait_for_lapi.image.pullPolicy | string | `"IfNotPresent"` | pullPolicy |
 | agent.wait_for_lapi.image.tag | string | `"1.28"` | docker image tag |
-| appsec | object | `{"acquisitions":[],"affinity":{},"configs":{},"deployAnnotations":{},"enabled":false,"env":null,"extraInitContainers":[],"metrics":{"enabled":true,"serviceMonitor":{"additionalLabels":{},"enabled":false}},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"priorityClassName":"","resources":{"limits":{"cpu":"500m","memory":"250Mi"},"requests":{"cpu":"500m","memory":"250Mi"}},"rules":{},"service":{"annotations":{},"externalIPs":[],"externalTrafficPolicy":"Cluster","labels":{},"loadBalancerClass":null,"loadBalancerIP":null,"type":"ClusterIP"},"strategy":{"type":"Recreate"},"tolerations":[]}` | Enable AppSec (https://docs.crowdsec.net/docs/next/appsec/intro) |
+| appsec | object | `{"acquisitions":[],"affinity":{},"configs":{},"deployAnnotations":{},"enabled":false,"env":[],"extraInitContainers":[],"extraVolumeMounts":[],"extraVolumes":[],"livenessProbe":{"failureThreshold":3,"httpGet":{"path":"/metrics","port":"metrics","scheme":"HTTP"},"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5},"metrics":{"enabled":true,"serviceMonitor":{"additionalLabels":{},"enabled":false}},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"priorityClassName":"","readinessProbe":{"failureThreshold":3,"httpGet":{"path":"/metrics","port":"metrics","scheme":"HTTP"},"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"250Mi"},"requests":{"cpu":"500m","memory":"250Mi"}},"rules":{},"service":{"annotations":{},"externalIPs":[],"externalTrafficPolicy":"Cluster","labels":{},"loadBalancerClass":null,"loadBalancerIP":null,"type":"ClusterIP"},"startupProbe":{"failureThreshold":30,"httpGet":{"path":"/metrics","port":"metrics
","scheme":"HTTP"},"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5},"strategy":{"type":"Recreate"},"tolerations":[]}` | Enable AppSec (https://docs.crowdsec.net/docs/next/appsec/intro) |
 | appsec.enabled | bool | `false` | Enable AppSec (by default disabled) |
+| appsec.replicas | int | `1` | replicas for Appsec |
+| appsec.strategy | object | `{"type":"Recreate"}` | strategy for appsec deployment |
 | appsec.acquisitions | list | `[]` | Additional acquisitions for AppSec |
 | appsec.configs | object | `{}` | appsec_configs (https://docs.crowdsec.net/docs/next/appsec/configuration): key is the filename, value is the config content |
 | appsec.rules | object | `{}` | appsec_rules (https://docs.crowdsec.net/docs/next/appsec/rules_syntax) |
-| appsec.env | string | `nil` | environment variables |
-| appsec.deployAnnotations | object | `{}` | appsec deployment annotations |
-| appsec.strategy | object | `{"type":"Recreate"}` | strategy for appsec deployment |
-| appsec.podAnnotations | object | `{}` | podAnnotations for appsec deployment |
-| appsec.podLabels | object | `{}` | podLabels for appsec deployment |
-| appsec.tolerations | list | `[]` | tolerations for appsec deployment |
-| appsec.nodeSelector | object | `{}` | nodeSelector for appsec deployment |
-| appsec.affinity | object | `{}` | affinity for appsec deployment |
-| appsec.priorityClassName | string | `""` | priorityClassName for appsec deployment |
-| appsec.extraInitContainers | list | `[]` | extraInitContainers for appsec deployment |
-| appsec.resources | object | `{"limits":{"cpu":"500m","memory":"250Mi"},"requests":{"cpu":"500m","memory":"250Mi"}}` | resources for appsec deployment |
+| appsec.priorityClassName | string | `""` | priorityClassName for appsec pods |
+| appsec.deployAnnotations | object | `{}` | Annotations to be added to appsec deployment |
+| appsec.podAnnotations | object | `{}` | podAnnotations for appsec pods |
+| appsec.podLabels | object | `{}` | podLabels for appsec 
pods |
+| appsec.extraInitContainers | list | `[]` | extraInitContainers for appsec pods |
+| appsec.extraVolumes | list | `[]` | Extra volumes to be added to appsec pods |
+| appsec.extraVolumeMounts | list | `[]` | Extra volumeMounts to be added to appsec pods |
+| appsec.resources | object | `{"limits":{"cpu":"500m","memory":"250Mi"},"requests":{"cpu":"500m","memory":"250Mi"}}` | resources for appsec pods |
+| appsec.env | list | `[]` | environment variables |
+| appsec.nodeSelector | object | `{}` | nodeSelector for appsec |
+| appsec.tolerations | list | `[]` | tolerations for appsec |
+| appsec.affinity | object | `{}` | affinity for appsec |
+| appsec.livenessProbe | object | `{"failureThreshold":3,"httpGet":{"path":"/metrics","port":"metrics","scheme":"HTTP"},"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5}` | livenessProbe for appsec |
+| appsec.readinessProbe | object | `{"failureThreshold":3,"httpGet":{"path":"/metrics","port":"metrics","scheme":"HTTP"},"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5}` | readinessProbe for appsec |
+| appsec.startupProbe | object | `{"failureThreshold":30,"httpGet":{"path":"/metrics","port":"metrics","scheme":"HTTP"},"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5}` | startupProbe for appsec |
 | appsec.metrics | object | `{"enabled":true,"serviceMonitor":{"additionalLabels":{},"enabled":false}}` | Enable service monitoring (exposes "metrics" port "6060" for Prometheus and "7422" for AppSec) |
 | appsec.metrics.serviceMonitor | object | `{"additionalLabels":{},"enabled":false}` | See also: https://github.com/prometheus-community/helm-charts/issues/106#issuecomment-700847774 |
\ No newline at end of file
From c8edf0df20bcf8cac1f40c67fde735b2127bb1e3 Mon Sep 17 00:00:00 2001
From: he2ss
Date: Mon, 16 Dec 2024 18:52:29 +0100
Subject: [PATCH 6/7] dump crowdsec chart version (#215)
---
 charts/crowdsec/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/crowdsec/Chart.yaml b/charts/crowdsec/Chart.yaml
index ee10b60..84e6ccb 100644
--- a/charts/crowdsec/Chart.yaml
+++ b/charts/crowdsec/Chart.yaml
@@ -14,7 +14,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.15.0
+version: 0.16.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
From 3909a370651fd098b546c3c5e77c1fa56f7b2a46 Mon Sep 17 00:00:00 2001
From: he2ss
Date: Mon, 16 Dec 2024 17:52:55 +0000
Subject: [PATCH 7/7] Regenerate chart README.md
---
 charts/crowdsec/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/crowdsec/README.md b/charts/crowdsec/README.md
index 04ccaf8..59035b1 100644
--- a/charts/crowdsec/README.md
+++ b/charts/crowdsec/README.md
@@ -1,6 +1,6 @@
 # crowdsec
-![Version: 0.15.0](https://img.shields.io/badge/Version-0.15.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.6.4](https://img.shields.io/badge/AppVersion-v1.6.4-informational?style=flat-square)
+![Version: 0.16.0](https://img.shields.io/badge/Version-0.16.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.6.4](https://img.shields.io/badge/AppVersion-v1.6.4-informational?style=flat-square)
 Crowdsec helm chart is an open-source, lightweight agent to detect and respond to bad behaviours.