Support for LAPI High availability

erwanval · Jan 18, 2024 · d620fc8 · d620fc8
1 parent c36c5d6
commit d620fc8
Show file tree

Hide file tree

Showing 8 changed files with 139 additions and 1 deletion.
diff --git a/charts/crowdsec/Chart.yaml b/charts/crowdsec/Chart.yaml
@@ -30,6 +30,49 @@ description: |
   helm delete crowdsec -n crowdsec
   ```
 
+  ## Setup for High Availability
+
+  Below a basic configuration for High availability
+
+  ```
+  # your-values.yaml
+
+  # Configure external DB (https://docs.crowdsec.net/docs/configuration/crowdsec_configuration/#configuration-example)
+  config:
+    config-override.yaml: |
+      db_config:
+        type:     "postgresql"
+        user:     "crowdsec"
+        password: "${DB_PASSWORD}"
+        db_name:  "crowdsec"
+        host:     "192.168.0.2"
+        port:     "5432"
+
+  lapi:
+    # 2 or more replicas for HA
+    replicas: 2
+    # You can specify your own CS_LAPI_SECRET, or let the chart generate one. Length must be >= 64
+    secrets:
+      csLapiSecret: <anyRandomSecret>
+    # Specify your external DB password here
+    extraSecrets:
+      dbPassword: <externalDbPassword>
+    persistentVolume:
+      # When replicas for LAPI is greater than 1, two options, persistent volumes must be disabled, or in ReadWriteMany mode
+      config:
+        enabled: false
+      # data volume is not required, since SQLite isn't used
+      data:
+        enabled: false
+    # DB Password passed through environment variable
+    env:
+      - name: DB_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: crowdsec-lapi-secrets
+            key: dbPassword
+  ```
+
 # A chart can be either an 'application' or a 'library' chart.
 #
 # Application charts are a collection of templates that can be packaged into versioned archives

diff --git a/charts/crowdsec/README.md b/charts/crowdsec/README.md
@@ -46,6 +46,7 @@ helm delete crowdsec -n crowdsec
 | config."console.yaml" | string | `""` |  |
 | config."capi_whitelists.yaml" | string | `""` |  |
 | config."profiles.yaml" | string | `""` | Profiles configuration (https://docs.crowdsec.net/docs/next/profiles/format/#profile-configuration-example) |
+| config."config-override.yaml" | string | `""` | General configuration (https://docs.crowdsec.net/docs/configuration/crowdsec_configuration/#configuration-example) |
 | config.notifications | object | `{}` | notifications configuration (https://docs.crowdsec.net/docs/next/notification_plugins/intro) |
 | tls.enabled | bool | `false` |  |
 | tls.caBundle | bool | `true` |  |
@@ -59,6 +60,7 @@ helm delete crowdsec -n crowdsec
 | tls.lapi.secret | string | `"{{ .Release.Name }}-lapi-tls"` |  |
 | secrets.username | string | `""` | agent username (default is generated randomly) |
 | secrets.password | string | `""` | agent password (default is generated randomly) |
+| lapi.replicas | int | `1` | replicas for local API |
 | lapi.env | list | `[]` | environment variables from crowdsecurity/crowdsec docker image |
 | lapi.ingress | object | `{"annotations":{"nginx.ingress.kubernetes.io/backend-protocol":"HTTP"},"enabled":false,"host":"","ingressClassName":""}` | Enable ingress lapi object |
 | lapi.dashboard.enabled | bool | `false` | Enable Metabase Dashboard (by default disabled) |
@@ -83,9 +85,13 @@ helm delete crowdsec -n crowdsec
 | lapi.service.externalTrafficPolicy | string | `"Cluster"` |  |
 | lapi.nodeSelector | object | `{}` | nodeSelector for lapi |
 | lapi.tolerations | object | `{}` | tolerations for lapi |
+| lapi.affinity | object | `{}` | affinity for lapi |
+| lapi.topologySpreadConstraints | object | `{}` | topologySpreadConstraints for lapi |
 | lapi.metrics | object | `{"enabled":false,"serviceMonitor":{"enabled":false}}` | Enable service monitoring (exposes "metrics" port "6060" for Prometheus) |
 | lapi.metrics.serviceMonitor | object | `{"enabled":false}` | See also: https://github.com/prometheus-community/helm-charts/issues/106#issuecomment-700847774 |
 | lapi.strategy.type | string | `"RollingUpdate"` |  |
+| lapi.secrets.csLapiSecret | string | `""` | Shared LAPI secret. Will be generated randomly if not specified. Size must be > 64 characters |
+| lapi.extraSecrets | object | `{}` | Any extra secrets you may need (for example, external DB password) |
 | agent.additionalAcquisition | list | `[]` | To add custom acquisitions using available datasources (https://docs.crowdsec.net/docs/next/data_sources/intro) |
 | agent.acquisition[0] | object | `{"namespace":"","podName":"","poll_without_inotify":false,"program":""}` | Specify each pod you want to process it logs (namespace, podName and program) |
 | agent.acquisition[0].podName | string | `""` | to select pod logs to process |

diff --git a/charts/crowdsec/templates/_helpers.tpl b/charts/crowdsec/templates/_helpers.tpl
@@ -29,6 +29,20 @@ Generate password if not specified in values
 {{- end -}}
 {{- end -}}
 
+{{/*
+Generate CS_LAPI_SECRET if not specified in values
+*/}}
+{{ define "lapi.csLapiSecret" }}
+{{- if .Values.lapi.secrets.csLapiSecret }}
+  {{- .Values.lapi.secrets.csLapiSecret -}}
+{{- else if (lookup "v1" "Secret" .Release.Namespace "crowdsec-lapi-secrets").data }}
+  {{- $obj := (lookup "v1" "Secret" .Release.Namespace "crowdsec-lapi-secrets").data -}}
+  {{- index $obj "csLapiSecret" | b64dec -}}
+{{- else -}}
+  {{- randAscii 64 -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
   notifications parameters check
 */}}
@@ -64,7 +78,7 @@ true
   lapi custom config check
 */}}
 {{ define "lapiCustomConfigIsNotEmpty" }}
-{{- if or (index .Values.config "profiles.yaml") ((include "notificationsIsNotEmpty" .)) }}
+{{- if or (index .Values.config "profiles.yaml") (index .Values.config "config-override.yaml") ((include "notificationsIsNotEmpty" .)) }}
 true
 {{- end -}}
 {{- end -}}

diff --git a/charts/crowdsec/templates/lapi-configmap.yaml b/charts/crowdsec/templates/lapi-configmap.yaml
@@ -29,6 +29,16 @@ data:
   capi_whitelists.yaml: |
 {{ printf "%+v" (index .Values.config "capi_whitelists.yaml") | indent 4 }}
 {{ end }}
+{{- if index .Values.config "config-override.yaml" }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: crowdsec-config-override
+data:
+  config.yaml.local: |
+{{ printf "%+v" (index .Values.config "config-override.yaml") | indent 4 }}
+{{ end }}
 {{ if (include "notificationsIsNotEmpty" .) }}
 ---
 apiVersion: v1

diff --git a/charts/crowdsec/templates/lapi-deployment.yaml b/charts/crowdsec/templates/lapi-deployment.yaml
@@ -10,6 +10,7 @@ metadata:
     type: lapi
     version: v1
 spec:
+  replicas: {{ .Values.lapi.replicas }}
   selector:
     matchLabels:
       k8s-app: {{ .Release.Name }}
@@ -86,6 +87,11 @@ spec:
           - name: CAPI_WHITELISTS_PATH
             value: "/etc/crowdsec/capi_whitelists.yaml"
           {{- end }}
+          - name: CS_LAPI_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: crowdsec-lapi-secrets
+                key: csLapiSecret
 
         {{- with .Values.lapi.env }}
           {{- toYaml . | nindent 10 }}
@@ -182,6 +188,11 @@ spec:
             mountPath: {{ $crowdsecConfig }}/capi_whitelists.yaml
             subPath: capi_whitelists.yaml
           {{ end }}
+          {{ if index .Values.config "config-override.yaml" }}
+          - name: crowdsec-config-override-volume
+            mountPath: {{ $crowdsecConfig }}/config.yaml.local
+            subPath: config.yaml.local
+          {{ end }}
           {{- if (include "notificationsIsNotEmpty" .) -}}
           {{ range $fileName, $content := .Values.config.notifications -}}
           {{- if $content }}
@@ -294,6 +305,11 @@ spec:
         configMap:
           name: crowdsec-capi-whitelists
       {{- end }}
+      {{ if index .Values.config "config-override.yaml" }}
+      - name: crowdsec-config-override-volume
+        configMap:
+          name: crowdsec-config-override
+      {{- end }}
       {{- if (include "notificationsIsNotEmpty" .) -}}
       {{ range $fileName, $content := .Values.config.notifications -}}
       {{- if $content }}
@@ -327,3 +343,7 @@ spec:
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.lapi.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
diff --git a/charts/crowdsec/templates/lapi-secrets.yaml b/charts/crowdsec/templates/lapi-secrets.yaml
@@ -0,0 +1,19 @@
+# vim: set ft=gotmpl:
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: crowdsec-lapi-secrets
+  labels:
+    k8s-app: {{ .Release.Name }}
+    type: lapi
+    version: v1
+type: Opaque
+data:
+  csLapiSecret: {{ include "lapi.csLapiSecret" . | b64enc }}
+  {{- with .Values.lapi.extraSecrets }}
+  {{- range $key, $value := . }}
+  {{ $key }}: {{ $value | b64enc }}
+  {{- end }}
+  {{- end }}
diff --git a/charts/crowdsec/values.schema.json b/charts/crowdsec/values.schema.json
@@ -122,6 +122,9 @@
                 },
                 "capi_whitelists.yaml": {
                     "type": "string"
+                },
+                "config-override.yaml": {
+                    "type": "string"
                 }
             },
             "title": "Config"

diff --git a/charts/crowdsec/values.yaml b/charts/crowdsec/values.yaml
@@ -71,6 +71,16 @@ config:
     #  filters:
     #    - Alert.Remediation == true && Alert.GetScope() == "Ip"
     #  ...
+  # -- General configuration (https://docs.crowdsec.net/docs/configuration/crowdsec_configuration/#configuration-example)
+  config-override.yaml: ""
+    #   |
+    # db_config:
+    #   type:     "postgresql"
+    #   user:     "crowdsec"
+    #   password: "${DB_PASSWORD}"
+    #   db_name:  "crowdsec"
+    #   host:     "192.168.0.2"
+    #   port:     "5432"
   # -- notifications configuration (https://docs.crowdsec.net/docs/next/notification_plugins/intro)
   notifications: {}
     # email.yaml: |
@@ -111,6 +121,8 @@ secrets:
 
 # lapi will deploy pod with crowdsec lapi and dashboard as deployment
 lapi:
+  # -- replicas for local API
+  replicas: 1
   # -- environment variables from crowdsecurity/crowdsec docker image
   env: []
     # by default disable the agent because it only needs the local API.
@@ -198,6 +210,10 @@ lapi:
   nodeSelector: {}
   # -- tolerations for lapi
   tolerations: {}
+  # -- affinity for lapi
+  affinity: {}
+  # -- topologySpreadConstraints for lapi
+  topologySpreadConstraints: {}
 
   # -- Enable service monitoring (exposes "metrics" port "6060" for Prometheus)
   metrics:
@@ -212,6 +228,13 @@ lapi:
   strategy:
     type: RollingUpdate
 
+  secrets:
+    # -- Shared LAPI secret. Will be generated randomly if not specified. Size must be > 64 characters
+    csLapiSecret: ""
+  # -- Any extra secrets you may need (for example, external DB password)
+  extraSecrets: {}
+    # dbPassword: randomPass
+
 # agent will deploy pod on every node as daemonSet to read wanted pods logs
 agent:
   # -- To add custom acquisitions using available datasources (https://docs.crowdsec.net/docs/next/data_sources/intro)