add secrets
erwanval committed Sep 22, 2023
1 parent b31f6dc commit f0ba16d
Showing 5 changed files with 88 additions and 1 deletion.
43 changes: 43 additions & 0 deletions charts/crowdsec/README.md
Expand Up @@ -31,6 +31,49 @@ helm install crowdsec crowdsec/crowdsec -f crowdsec-values.yaml -n crowdsec
helm delete crowdsec -n crowdsec
```

## Setup for LAPI High Availability

Below a basic configuration for High availability

```
# your-values.yaml
# Configure external DB (https://docs.crowdsec.net/docs/configuration/crowdsec_configuration/#configuration-example)
config:
config-override.yaml: |
db_config:
type: "postgresql"
user: "crowdsec"
password: "${DB_PASSWORD}"
db_name: "crowdsec"
host: "192.168.0.2"
port: "5432"
lapi:
# 2 or more replicas for HA
replicas: 2
# You can specify your own CS_LAPI_SECRET, or let the chart generate one. Length must be >= 64
secrets:
csLapiSecret: <anyRandomSecret>
# Specify your external DB password here
extraSecrets:
dbPassword: <externalDbPassword>
persistentVolume:
# When replicas for LAPI is greater than 1, two options, persistent volumes must be disabled, or in ReadWriteMany mode
config:
enabled: false
# data volume is not required, since SQLite isn't used
data:
enabled: false
# DB Password passed through environment variable
env:
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: crowdsec-lapi-secret
key: dbPassword
```

## Values

| Key | Type | Default | Description |
14 changes: 14 additions & 0 deletions charts/crowdsec/templates/_helpers.tpl
Expand Up @@ -29,6 +29,20 @@ Generate password if not specified in values
{{- end -}}
{{- end -}}

{{/*
Generate CS_LAPI_SECRET if not specified in values
*/}}
{{ define "lapi.csLapiSecret" }}
{{- if .Values.lapi.secrets.csLapiSecret }}
{{- .Values.lapi.secrets.csLapiSecret -}}
{{- else if (lookup "v1" "Secret" .Release.Namespace "crowdsec-lapi-secrets").data }}
{{- $obj := (lookup "v1" "Secret" .Release.Namespace "crowdsec-lapi-secrets").data -}}
{{- index $obj "csLapiSecret" | b64dec -}}
{{- else -}}
{{- randAscii 64 -}}
{{- end -}}
{{- end -}}

{{/*
notifications parameters check
*/}}
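Review bot: The `else if` branch only checks that the existing Secret has any `.data`; if `crowdsec-lapi-secrets` exists without a `csLapiSecret` key (a Secret created from `extraSecrets` alone, or one managed outside the chart), `index $obj "csLapiSecret"` yields nil and the `b64dec` pipe fails the render. Bind the looked-up data to a variable first and test `hasKey` on it before decoding, falling through to `randAscii 64` otherwise. A user-supplied `.Values.lapi.secrets.csLapiSecret` is also accepted unvalidated although the README and values.yaml document a minimum length; a `{{- if lt (len .Values.lapi.secrets.csLapiSecret) 64 }}{{ fail "lapi.secrets.csLapiSecret must be at least 64 characters" }}{{ end }}` guard would surface that at install time rather than at LAPI startup. The comment block could also state that `lookup` returns an empty map under `helm template` and `--dry-run`, so those renders produce a fresh random value every time.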
5 changes: 5 additions & 0 deletions charts/crowdsec/templates/lapi-deployment.yaml
Expand Up @@ -87,6 +87,11 @@ spec:
- name: CAPI_WHITELISTS_PATH
value: "/etc/crowdsec/capi_whitelists.yaml"
{{- end }}
- name: CS_LAPI_SECRET
valueFrom:
secretKeyRef:
name: crowdsec-lapi-secrets
key: csLapiSecret

{{- with .Values.lapi.env }}
{{- toYaml . | nindent 10 }}
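Review bot: The `secretKeyRef` name on the new `CS_LAPI_SECRET` entry is `crowdsec-lapi-secrets`, matching `metadata.name` in lapi-secrets.yaml, but the README example added in this commit tells users to reference `crowdsec-lapi-secret` (singular) for `DB_PASSWORD`; a pod built from that example will not start until the name is corrected. The README line should read `name: crowdsec-lapi-secrets`. The `env` list this entry is appended to starts outside the hunk.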
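--- /dev/null
+++ b/charts/crowdsec/templates/lapi-secrets.yaml
@@ -0,0 +1,19 @@
+# vim: set ft=gotmpl:
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+name: crowdsec-lapi-secrets
+labels:
+k8s-app: {{ .Release.Name }}
+type: lapi
+version: v1
+type: Opaque
+data:
+csLapiSecret: {{ include "lapi.csLapiSecret" . | b64enc }}
+{{- with .Values.lapi.extraSecrets }}
+{{- range $key, $value := . }}
+{{ $key }}: {{ $value | b64enc }}
+{{- end }}
+{{- end }}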
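Review bot: `metadata.name` is the fixed string `crowdsec-lapi-secrets` while the `k8s-app` label a few lines below is scoped by `{{ .Release.Name }}`; two releases of the chart in one namespace would overwrite each other's Secret, and the helper's `lookup` of that same fixed name would then hand one release the other's `csLapiSecret`. If the rest of the chart already uses fixed resource names this may be deliberate, but either a release-prefixed name or a comment stating the one-release-per-namespace assumption would make it explicit. The `extraSecrets` loop also pipes each value straight into `b64enc`, which expects a string; a numeric-looking password given unquoted in values.yaml would presumably fail the render, so `{{ $value | toString | b64enc }}` is the safer form.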
8 changes: 7 additions & 1 deletion charts/crowdsec/values.yaml
Expand Up @@ -81,7 +81,6 @@ config:
# db_name: "crowdsec"
# host: "192.168.0.2"
# port: "5432"
# sslmode: "required"
# -- notifications configuration (https://docs.crowdsec.net/docs/next/notification_plugins/intro)
notifications: {}
# email.yaml: |
Expand Down Expand Up @@ -229,6 +228,13 @@ lapi:
strategy:
type: RollingUpdate

secrets:
# -- Shared LAPI secret. Will be generated randomly if not specified. Size must be > 64 characters
csLapiSecret: ""
# -- Any extra secrets you may need (for example, external DB password)
extraSecrets: {}
# dbPassword: randomPass

# agent will deploy pod on every node as daemonSet to read wanted pods logs
agent:
# -- To add custom acquisitions using available datasources (https://docs.crowdsec.net/docs/next/data_sources/intro)
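Review bot: The comment on `csLapiSecret` says the size must be `> 64 characters`, but the helper added in `_helpers.tpl` generates exactly 64 (`randAscii 64`) and the README in this commit says `>= 64`, so the chart-generated default contradicts its own comment. Align the comment with the real requirement, e.g. `# -- Shared LAPI secret. Will be generated randomly if not specified. Length must be >= 64 characters` if 64 is the actual minimum. The commented example `# dbPassword: randomPass` would be safer shown as a quoted string (`# dbPassword: "randomPass"`) so users do not paste numeric-looking passwords unquoted.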
