From c6c744a3f362711221cef42239abfcf474eb019f Mon Sep 17 00:00:00 2001
From: Remy Moll
Date: Tue, 15 Oct 2024 17:53:15 +0200
Subject: [PATCH] add crowdsec deployment
---
 .../bouncer-api-key.sealedsecret.yaml | 15 +++
 .../crowdsec/bouncer.middleware.yaml | 12 +++
 .../dashboard-api-key.sealedsecret.yaml | 15 +++
 infrastructure/crowdsec/kustomization.yaml | 18 ++++
 infrastructure/crowdsec/namespace.yaml | 4 +
 infrastructure/crowdsec/values.yaml | 93 +++++++++++++++++++
 6 files changed, 157 insertions(+)
 create mode 100644 infrastructure/crowdsec/bouncer-api-key.sealedsecret.yaml
 create mode 100644 infrastructure/crowdsec/bouncer.middleware.yaml
 create mode 100644 infrastructure/crowdsec/dashboard-api-key.sealedsecret.yaml
 create mode 100644 infrastructure/crowdsec/kustomization.yaml
 create mode 100644 infrastructure/crowdsec/namespace.yaml
 create mode 100644 infrastructure/crowdsec/values.yaml
diff --git a/infrastructure/crowdsec/bouncer-api-key.sealedsecret.yaml b/infrastructure/crowdsec/bouncer-api-key.sealedsecret.yaml
new file mode 100644
index 0000000..6b4d7e9
--- /dev/null
+++ b/infrastructure/crowdsec/bouncer-api-key.sealedsecret.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: bouncer-api-key
+ namespace: crowdsec
+spec:
+ encryptedData:
+ BOUNCER_KEY_TRAEFIK: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: bouncer-api-key
+ namespace: crowdsec
diff --git a/infrastructure/crowdsec/bouncer.middleware.yaml b/infrastructure/crowdsec/bouncer.middleware.yaml
new file mode 100644
index 0000000..6d51fb2
--- /dev/null
+++ b/infrastructure/crowdsec/bouncer.middleware.yaml
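Review bot: `BOUNCER_KEY_TRAEFIK` only makes sense together with two other places in this patch — values.yaml loads this secret into the LAPI pod through `lapi.envFrom`, where the crowdsec image registers a bouncer from `BOUNCER_KEY_*` variables, and bouncer.middleware.yaml has to present the very same key as `crowdsecLapiKey` — but nothing in this file says so. A comment above `encryptedData:` such as `# BOUNCER_KEY_TRAEFIK: key the Traefik bouncer presents to the LAPI; loaded via lapi.envFrom in values.yaml and must match bouncer.middleware.yaml` would tie the three together. Since the LAPI keeps registered bouncers on its data volume (the values.yaml comment says it stores registered bouncer api keys), rotating this key means re-sealing it here and updating the middleware in the same change, which is worth stating next to it.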
@@ -0,0 +1,12 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: bouncer
+spec:
+ plugin:
+ bouncer:
+ enabled: true
+ crowdsecMode: stream
+ crowdsecLapiScheme: https
+ crowdsecLapiHost: crowdsec-service.crowdsec:8080
+ crowdsecLapiKey: saödlkfhhqäüweo1p30947ß4rfepoihäp
diff --git a/infrastructure/crowdsec/dashboard-api-key.sealedsecret.yaml b/infrastructure/crowdsec/dashboard-api-key.sealedsecret.yaml
new file mode 100644
index 0000000..6c973dc
--- /dev/null
+++ b/infrastructure/crowdsec/dashboard-api-key.sealedsecret.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: dashboard-api-key
+ namespace: crowdsec
+spec:
+ encryptedData:
+ ENROLL_KEY: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: dashboard-api-key
+ namespace: crowdsec
diff --git a/infrastructure/crowdsec/kustomization.yaml b/infrastructure/crowdsec/kustomization.yaml
new file mode 100644
index 0000000..64dfc4e
--- /dev/null
+++ b/infrastructure/crowdsec/kustomization.yaml
@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - namespace.yaml
+ - dashboard-api-key.sealedsecret.yaml
+ - bouncer-api-key.sealedsecret.yaml
+ - bouncer.middleware.yaml
+
+
+namespace: crowdsec
+
+
+helmCharts:
+ - name: crowdsec
+ releaseName: crowdsec
+ version: 0.12.0
+ valuesFile: values.yaml
+ repo: https://crowdsecurity.github.io/helm-charts
diff --git a/infrastructure/crowdsec/namespace.yaml b/infrastructure/crowdsec/namespace.yaml
new file mode 100644
index 0000000..0a074bd
--- /dev/null
+++ b/infrastructure/crowdsec/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: placeholder
diff --git a/infrastructure/crowdsec/values.yaml b/infrastructure/crowdsec/values.yaml
new file mode 100644
index 0000000..d0e6500
--- /dev/null
+++ b/infrastructure/crowdsec/values.yaml
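Review bot: `crowdsecLapiKey: saödlkfhhqäüweo1p30947ß4rfepoihäp` commits the bouncer's LAPI key in plaintext, while the same commit seals the matching `BOUNCER_KEY_TRAEFIK` in bouncer-api-key.sealedsecret.yaml, so the sealing buys nothing (the value sits in git history) and the two copies have to be kept equal by hand. The plugin can read the key from a file instead, so the line can become `crowdsecLapiKeyFile: <PATH-WHERE-THE-bouncer-api-key-SECRET-IS-MOUNTED-INTO-TRAEFIK>` with the secret mounted into the Traefik pod (if the installed plugin version supports that option); if the committed value was only a placeholder it still needs rotating once a real key has been used with it. `crowdsecLapiScheme: https` also deserves a check against values.yaml in this patch, which configures no TLS for the LAPI, so the service on port 8080 is presumably plain HTTP and the bouncer would fail to connect. Finally, `traefik.containo.us/v1alpha1` is the deprecated API group; `traefik.io/v1alpha1` is the current one and the only one Traefik v3 serves.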
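Review bot: The secret named `dashboard-api-key` carries `ENROLL_KEY`, which values.yaml in this patch feeds to the LAPI pod through `envFrom` next to `ENROLL_INSTANCE_NAME`, so it presumably is the CrowdSec console enrollment key rather than anything for the Metabase dashboard, which values.yaml leaves disabled. Renaming the secret (and the `secretRef` in values.yaml) to something like `console-enroll-key` would remove the confusion; if the name has to stay, a comment above `encryptedData:` such as `# ENROLL_KEY: CrowdSec console enrollment key, consumed by the lapi pod via envFrom (not related to the Metabase dashboard)` is the minimum.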
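Review bot: `namespace: crowdsec` is applied to every listed resource, including `bouncer.middleware.yaml`, so the Middleware lands in the `crowdsec` namespace, while the agent acquisition in values.yaml looks for Traefik pods in `traefik-system`; routes outside `crowdsec` can only reference it (as `crowdsec-bouncer@kubernetescrd`) if Traefik's Kubernetes CRD provider runs with cross-namespace references allowed, which nothing in this patch shows. A comment on the `- bouncer.middleware.yaml` entry stating where the middleware is expected to be referenced from, or placing it next to the routes that use it, would make the intent explicit. Pinning the chart to `version: 0.12.0` is good; note that the same `namespace` field also rewrites the helm-rendered resources and, as far as I know, the Namespace object from namespace.yaml.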
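Review bot: `name: placeholder` is not the namespace the rest of this patch uses (`crowdsec`), and the file does not say why; as far as I know kustomize's `namespace:` transformer also rewrites `metadata.name` of Namespace objects, which is presumably what makes this work. A comment above `name:` such as `# overwritten with the value of the namespace field in kustomization.yaml` would spare the next reader the surprise, and a literal `name: crowdsec` would work just as well without relying on that transformer behaviour.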
@@ -0,0 +1,93 @@
+# -- for raw logs format: json or cri (docker|containerd)
+container_runtime: containerd
+
+
+
+# lapi will deploy pod with crowdsec lapi and dashboard as deployment
+lapi:
+ # -- replicas for local API
+ replicas: 1
+ # -- environment variables from crowdsecurity/crowdsec docker image
+ env:
+ - name: ENROLL_INSTANCE_NAME
+ value: "kluster"
+
+ # Allows you to load environment variables from kubernetes secret or config map
+ envFrom:
+ - secretRef:
+ name: dashboard-api-key
+ - secretRef:
+ name: bouncer-api-key
+
+
+ dashboard:
+ # -- Enable Metabase Dashboard (by default disabled)
+ enabled: false
+
+ # -- Enable persistent volumes
+ persistentVolume:
+ # -- Persistent volume for data folder. Stores e.g. registered bouncer api keys
+ data:
+ enabled: true
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: "nfs-client"
+ size: 1Gi
+ # -- Persistent volume for config folder. Stores e.g. online api credentials
+ config:
+ enabled: true
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: "nfs-client"
+ size: 100Mi
+
+
+ # -- Enable service monitoring (exposes "metrics" port "6060" for Prometheus)
+ metrics:
+ enabled: true
+ # -- Creates a ServiceMonitor so Prometheus will monitor this service
+ # -- Prometheus needs to be configured to watch on all namespaces for ServiceMonitors
+ # -- See the documentation: https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#prometheusioscrape
+ # -- See also: https://github.com/prometheus-community/helm-charts/issues/106#issuecomment-700847774
+ serviceMonitor:
+ enabled: true
+
+
+# agent will deploy pod on every node as daemonSet to read wanted pods logs
+agent:
+ acquisition:
+ # The namespace where the pod is located
+ - namespace: traefik-system
+ # The pod name
+ podName: traefik-*
+ # as in crowdsec configuration, we need to specify the program name to find a matching parser
+ program: traefik
+
+ # -- Enable persistent volumes
+ persistentVolume:
+ # -- 
Persistent volume for config folder. Stores local config (parsers, scenarios etc.)
+ config:
+ enabled: false
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: ""
+ existingClaim: ""
+ size: 100Mi
+ # -- Enable hostPath to /var/log
+ hostVarLog: true
+ # -- environment variables from crowdsecurity/crowdsec docker image
+ env:
+ - name: COLLECTIONS
+ value: "crowdsecurity/traefik"
+
+ # -- Enable service monitoring (exposes "metrics" port "6060" for Prometheus)
+ metrics:
+ enabled: true
+ # -- Creates a ServiceMonitor so Prometheus will monitor this service
+ # -- Prometheus needs to be configured to watch on all namespaces for ServiceMonitors
+ # -- See the documentation: https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#prometheusioscrape
+ # -- See also: https://github.com/prometheus-community/helm-charts/issues/106#issuecomment-700847774
+ serviceMonitor:
+ enabled: false
+ additionalLabels: {}
+
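Review bot: `lapi.metrics.serviceMonitor.enabled` is `true` while `agent.metrics.serviceMonitor.enabled` is `false`, although both sides keep `metrics.enabled: true`, so the agent exposes its 6060 metrics port that nothing scrapes; either enabling the agent ServiceMonitor or a comment on the `false` such as `# only LAPI metrics are scraped; agent metrics left unscraped on purpose` would settle whether that is intended. There is also no TLS configuration anywhere in this file, so the LAPI that bouncer.middleware.yaml addresses with scheme `https` is, as far as this file shows, served over plain HTTP and the bouncer API key crosses the cluster network unencrypted unless TLS is configured here — worth confirming against the chart's TLS values. `hostVarLog: true` mounts the node's /var/log into every agent pod; that is what reading container logs from the node needs, but a comment above it saying so would document the privilege deliberately rather than leaving it as a default-looking flag.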