diff --git a/charts/crowdsec/ci/crowdsec-values.yaml b/charts/crowdsec/ci/crowdsec-values.yaml index 0cc9da2..b87cf47 100644 --- a/charts/crowdsec/ci/crowdsec-values.yaml +++ b/charts/crowdsec/ci/crowdsec-values.yaml @@ -11,64 +11,8 @@ config: - "10.0.0.0/8" - "172.16.0.0/12" agent: - additionalAcquisition: - - source: file - filenames: - - /var/log/auth.log - force_inotify: true - labels: - type: syslog - - source: file - filename: /var/log/auth.log - labels: - type: syslog - - source: journalctl - journalctl_filter: - - "_SYSTEMD_UNIT=sshd.service" - labels: - type: syslog - - source: cloudwatch - group_name: /aws/my/group - aws_profile: monitoring - stream_regexp: "^stream[0-9]+$" - labels: - type: apigateway - - source: kinesis - stream_arn: arn:aws:kinesis:eu-west-1:123456789012:stream/my-stream - use_enhanced_fanout: true - consumer_name: my-consumer - labels: - type: mytype - - source: syslog - listen_addr: 127.0.0.1 - listen_port: 514 - labels: - type: syslog - program: syslog - - source: docker - container_name: - - "my-container" - container_id: - - "1234567890abcdef" - labels: - type: docker - - source: wineventlog - xpath_query: | - - labels: - type: eventlog - - source: kafka - brokers: - - "localhost:9093" - topic: "my-topic" - timeout: 5 - tls: - insecure_skip_verify: true - client_cert: /path/kafkaClient.certificate.pem - client_key: /path/kafkaClient.key - ca_cert: /path/ca.crt - labels: - type: nginx + metrics: + enabled: true acquisition: - namespace: test podName: test-* diff --git a/charts/crowdsec/templates/_helpers.tpl b/charts/crowdsec/templates/_helpers.tpl index 08c2c1f..01c1dcc 100644 --- a/charts/crowdsec/templates/_helpers.tpl +++ b/charts/crowdsec/templates/_helpers.tpl 
@@ -15,6 +15,20 @@ Generate CS_LAPI_SECRET if not specified in values {{- end -}} {{- end -}} +{{/* +Generate registrationToken if not specified in values +*/}} +{{ define "lapi.registrationToken" }} +{{- if .Values.lapi.secrets.registrationToken }} + {{- .Values.lapi.secrets.registrationToken -}} +{{- else if (lookup "v1" "Secret" .Release.Namespace "crowdsec-lapi-secrets").data }} + {{- $obj := (lookup "v1" "Secret" .Release.Namespace "crowdsec-lapi-secrets").data -}} + {{- index $obj "registrationToken" | b64dec -}} +{{- else -}} + {{- randAlphaNum 48 -}} +{{- end -}} +{{- end -}} + {{/* notifications parameters check */}} diff --git a/charts/crowdsec/templates/appsec-deployment.yaml b/charts/crowdsec/templates/appsec-deployment.yaml index b226fd7..99b0d02 100644 --- a/charts/crowdsec/templates/appsec-deployment.yaml +++ b/charts/crowdsec/templates/appsec-deployment.yaml @@ -15,12 +15,12 @@ metadata: {{ toYaml .Values.appsec.deployAnnotations | trim | indent 4 }} {{- end }} spec: - replicas: 1 + replicas: {{ .Values.appsec.replicas }} + strategy: {{- toYaml .Values.appsec.strategy | nindent 4 }} selector: matchLabels: k8s-app: {{ .Release.Name }} type: appsec - strategy: {{- toYaml .Values.appsec.strategy | nindent 4 }} template: metadata: annotations: 
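Review bot: The `else if` branch only checks that the existing Secret has a `data` map, not that it contains `registrationToken`, so an existing `crowdsec-lapi-secrets` without that key (one created by an older chart version or managed outside the chart) hands nil to `b64dec`, which I believe aborts the render instead of falling through to generation. Guard the key explicitly: `{{- else if hasKey ((lookup "v1" "Secret" .Release.Namespace "crowdsec-lapi-secrets").data | default dict) "registrationToken" }}`, keeping the `$obj` lookup and `b64dec` lines as they are. Two caveats deserve a comment above the define: `lookup` returns nothing under `helm template`/`--dry-run` (GitOps renderers included), so the `randAlphaNum` branch issues a fresh token on every render and AppSec must re-enroll, and the Secret name is hard-coded here while the template that creates it is outside this hunk — if that name is derived from the release, the lookup never matches. `randAlphaNum 48` yields exactly 48 characters, so any documented minimum should read "at least 48" rather than "> 48".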
@@ -100,6 +100,38 @@ spec: {{- with .Values.appsec.env }} {{- toYaml . | nindent 10 }} {{- end }} + resources: + {{- toYaml .Values.appsec.resources | nindent 10 }} + ports: + - name: appsec + containerPort: 7422 + protocol: TCP + {{- if .Values.appsec.metrics.enabled }} + - name: metrics + containerPort: 6060 + protocol: TCP + + {{/* Probes depend on the metrics port, there is no other service on the log processor */}} + + {{ if .Values.appsec.livenessProbe }} + livenessProbe: +{{ toYaml .Values.appsec.livenessProbe | indent 10 }} + {{ end }} + {{ if .Values.appsec.readinessProbe }} + readinessProbe: +{{ toYaml .Values.appsec.readinessProbe | indent 10 }} + {{ end }} + {{ if .Values.appsec.startupProbe }} + startupProbe: +{{ toYaml .Values.appsec.startupProbe | indent 10 }} + {{ end }} + + {{ end }} + + securityContext: + allowPrivilegeEscalation: false + privileged: false + volumeMounts: - name: crowdsec-config mountPath: /tmp_config 
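Review bot: All three probes are now nested inside `{{- if .Values.appsec.metrics.enabled }}`, so `metrics.enabled: false` removes liveness, readiness and startup probes entirely and the pod can be marked Ready — and receive Service traffic — before the 7422 listener is up; the TCP probes on port `appsec` this hunk replaces applied unconditionally. The inline comment that there is no other service on the log processor is contradicted by the `appsec` port declared a few lines above, which is exactly what the old probes targeted. I would close the metrics `if` right after the port entry and fall back to a tcpSocket probe on `appsec` when metrics are off, as sketched below (readiness and startup follow the same shape); using `{{-` on the probe `if`/`end` tags also stops the blank lines they currently emit.
```yaml
          {{- if .Values.appsec.metrics.enabled }}
          - name: metrics
            containerPort: 6060
            protocol: TCP
          {{- end }}
          {{- if and .Values.appsec.metrics.enabled .Values.appsec.livenessProbe }}
          livenessProbe:
            {{- toYaml .Values.appsec.livenessProbe | nindent 12 }}
          {{- else }}
          livenessProbe:
            tcpSocket:
              port: appsec
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
          {{- end }}
          # … same pattern for readinessProbe and startupProbe …
```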
@@ -120,58 +152,12 @@ spec: subPath: {{ $fileName }} {{- end }} {{- end }} - resources: - {{- toYaml .Values.appsec.resources | nindent 10 }} - ports: - - name: appsec - containerPort: 7422 - protocol: TCP - {{- if .Values.appsec.metrics.enabled }} - - name: metrics - containerPort: 6060 - protocol: TCP + {{- if .Values.appsec.extraVolumeMounts }} + {{ toYaml .Values.appsec.extraVolumeMounts | nindent 10 }} {{- end }} - livenessProbe: - failureThreshold: 3 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - tcpSocket: - port: appsec - readinessProbe: - failureThreshold: 3 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - tcpSocket: - port: appsec - startupProbe: - failureThreshold: 30 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - tcpSocket: - port: appsec - - securityContext: - allowPrivilegeEscalation: false - privileged: false - terminationGracePeriodSeconds: 30 - {{- with .Values.appsec.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.appsec.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- if .Values.appsec.priorityClassName }} - priorityClassName: {{ .Values.appsec.priorityClassName }} - {{- end}} - volumes: - name: appsec-acquis-config-volume configMap: @@ -198,4 +184,16 @@ spec: path: {{ $fileName }} {{- end }} {{- end }} + {{- if .Values.appsec.extraVolumes }} + {{ toYaml .Values.appsec.extraVolumes | nindent 6 }} + {{- end }} + {{- with .Values.appsec.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.appsec.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + priorityClassName: {{ .Values.appsec.priorityClassName }} {{- end }} \ No newline at end of file diff --git a/charts/crowdsec/templates/lapi-secrets.yaml b/charts/crowdsec/templates/lapi-secrets.yaml index 67efe1d..c0a3fe6 100644 --- a/charts/crowdsec/templates/lapi-secrets.yaml +++ b/charts/crowdsec/templates/lapi-secrets.yaml 
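Review bot: `priorityClassName: {{ .Values.appsec.priorityClassName }}` is now emitted unconditionally; with the default `""` it renders as an empty value, which the API server treats as unset, but the `{{- if }}` guard the previous hunk removed was explicit and kept a null field out of the manifest. Restore it as `{{- with .Values.appsec.priorityClassName }}` / `priorityClassName: {{ . }}` / `{{- end }}`. Note also that the preceding hunk in this file drops `terminationGracePeriodSeconds: 30` and this hunk does not re-add it; that equals the Kubernetes default so behaviour should be unchanged, but it is worth stating in the description. The `{{ toYaml .Values.appsec.extraVolumes | nindent 6 }}` tag without a leading dash leaves its own indentation on an otherwise blank line — harmless, but `{{- toYaml … }}` is cleaner.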
@@ -12,7 +12,7 @@ metadata: type: Opaque data: csLapiSecret: {{ include "lapi.csLapiSecret" . | b64enc }} - registrationToken: {{ randAlphaNum 48 | b64enc }} + registrationToken: {{ include "lapi.registrationToken" . | b64enc }} {{- with .Values.lapi.extraSecrets }} {{- range $key, $value := . }} {{ $key }}: {{ $value | b64enc }} diff --git a/charts/crowdsec/templates/tests/test_agent_up.yaml b/charts/crowdsec/templates/tests/test_agent_up.yaml index aa3d1f4..d89c719 100644 --- a/charts/crowdsec/templates/tests/test_agent_up.yaml +++ b/charts/crowdsec/templates/tests/test_agent_up.yaml @@ -9,22 +9,9 @@ spec: containers: - name: "{{ .Release.Name }}-test-agent" image: curlimages/curl - env: - - name: AGENT_USERNAME - valueFrom: - secretKeyRef: - name: agent-credentials - key: username - - name: AGENT_PASSWORD - valueFrom: - secretKeyRef: - name: agent-credentials - key: password command: - /bin/sh - -ec - | - http_code=$(curl -s -o /dev/null -w "%{http_code}" http://{{ .Release.Name }}-service:8080/v1/watchers/login \ - -H 'Content-Type: application/json' -d '{"machine_id": "'"$AGENT_USERNAME"'", "password":"'"$AGENT_PASSWORD"'"}'); \ - if [ "$http_code" == "200" ]; then echo 'connection to lapi succeed' && exit 0; else echo 'failed connect to lapi' && exit 1; fi + curl -XGET http://{{ .Release.Name }}-agent-service:6060/metrics restartPolicy: Never diff --git a/charts/crowdsec/values.yaml b/charts/crowdsec/values.yaml index afb5de5..a2086be 100644 --- a/charts/crowdsec/values.yaml +++ b/charts/crowdsec/values.yaml @@ -300,6 +300,8 @@ lapi: secrets: # -- Shared LAPI secret. Will be generated randomly if not specified. Size must be > 64 characters csLapiSecret: "" + # -- Registration Token for Appsec. Will be generated randomly if not specified. Size must be > 48 characters + registrationToken: "" # -- Any extra secrets you may need (for example, external DB password) extraSecrets: {} # dbPassword: randomPass 
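Review bot: `curl -XGET http://…-agent-service:6060/metrics` exits 0 for any HTTP response, including 404 or 500, so the test now only proves a TCP connection succeeded, whereas the removed version compared the status code to 200. Use `curl -fsS http://{{ .Release.Name }}-agent-service:6060/metrics` so a non-2xx status fails the test pod. It is also worth saying in the commit message that the LAPI credential login check is dropped rather than replaced: this test covers the agent metrics endpoint (which depends on `agent.metrics.enabled`, set in the CI values in this change) and no longer verifies that the agent credentials are accepted by LAPI.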
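Review bot: The comment `Size must be > 48 characters` contradicts the generator added to `_helpers.tpl`, which emits exactly 48 characters with `randAlphaNum 48`; either the minimum is 48 or the default is too short. I would write `# -- Registration token AppSec uses to enroll with LAPI. Generated randomly (48 characters) on first install and preserved across upgrades if left empty; supply it via --set or a values file kept out of VCS rather than committing it here.` Since a value set here is copied verbatim into the chart Secret, a committed values file leaks a live enrollment credential.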
@@ -505,6 +507,12 @@ agent: appsec: # -- Enable AppSec (by default disabled) enabled: false + # -- replicas for Appsec + replicas: 1 + # -- strategy for appsec deployment + strategy: + type: Recreate + # -- Additional acquisitions for AppSec acquisitions: [] #- source: appsec @@ -549,8 +557,31 @@ appsec: # - cve.CVE-xxxx-xxxxx # - attack.Txxxx + # -- priorityClassName for appsec pods + priorityClassName: "" + # -- Annotations to be added to appsec deployment + deployAnnotations: {} + # -- podAnnotations for appsec pods + podAnnotations: {} + # -- podLabels for appsec pods + podLabels: {} + # -- extraInitContainers for appsec pods + extraInitContainers: [] + # -- Extra volumes to be added to appsec pods + extraVolumes: [] + # -- Extra volumeMounts to be added to appsec pods + extraVolumeMounts: [] + # -- resources for appsec pods + resources: + limits: + memory: 250Mi + cpu: 500m + requests: + cpu: 500m + memory: 250Mi + # -- environment variables - env: + env: [] # -- COLLECTIONS to install, separated by space (value: "crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-crs") #- name: COLLECTIONS # value: "crowdsecurity/appsec-virtual-patching" 
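Review bot: `replicas` becomes configurable while the default `strategy` stays `Recreate`, so a user who scales AppSec to several replicas for availability still loses all of them on every upgrade, and nothing in the values says so. Document it on the key: `# -- strategy for appsec deployment. Recreate stops every replica before starting new ones; use RollingUpdate when replicas > 1 and upgrade downtime is not acceptable.`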
@@ -567,33 +598,45 @@ appsec: #- name: DISABLE_APPSEC_CONFIGS # value: "" - # -- appsec deployment annotations - deployAnnotations: {} - # -- strategy for appsec deployment - strategy: - type: Recreate - # -- podAnnotations for appsec deployment - podAnnotations: {} - # -- podLabels for appsec deployment - podLabels: {} - # -- tolerations for appsec deployment - tolerations: [] - # -- nodeSelector for appsec deployment + # -- nodeSelector for appsec nodeSelector: {} - # -- affinity for appsec deployment + + # -- tolerations for appsec + tolerations: [] + # -- affinity for appsec affinity: {} - # -- priorityClassName for appsec deployment - priorityClassName: "" - # -- extraInitContainers for appsec deployment - extraInitContainers: [] - # -- resources for appsec deployment - resources: - limits: - memory: 250Mi - cpu: 500m - requests: - cpu: 500m - memory: 250Mi + + # -- livenessProbe for appsec + livenessProbe: + httpGet: + path: /metrics + port: metrics + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + failureThreshold: 3 + # -- readinessProbe for appsec + readinessProbe: + httpGet: + path: /metrics + port: metrics + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + failureThreshold: 3 + # -- startupProbe for appsec + startupProbe: + httpGet: + path: /metrics + port: metrics + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + failureThreshold: 30 + # -- Enable service monitoring (exposes "metrics" port "6060" for Prometheus and "7422" for AppSec) metrics: enabled: true
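Review bot: The default readiness probe is an HTTP GET on `/metrics`, but a 200 from the metrics listener on 6060 does not show that the AppSec listener on 7422 accepts connections, so a pod can be marked Ready and receive Service traffic before the engine is serving; the tcpSocket probe on port `appsec` these defaults replace tested the port clients actually use. If liveness and startup stay on `/metrics`, at least keep readiness as `tcpSocket: {port: appsec}`, or document why the metrics endpoint is considered equivalent. All three defaults also reference `port: metrics`, which the deployment template only declares when `metrics.enabled` is true; a comment such as `# -- readinessProbe for appsec (targets the "metrics" port; requires metrics.enabled, otherwise override with a tcpSocket probe on port "appsec")` would make that coupling visible to users who turn metrics off.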