diff --git a/charts/crowdsec/README.md b/charts/crowdsec/README.md index d7ba6aa..c943630 100644 --- a/charts/crowdsec/README.md +++ b/charts/crowdsec/README.md @@ -31,6 +31,49 @@ helm install crowdsec crowdsec/crowdsec -f crowdsec-values.yaml -n crowdsec helm delete crowdsec -n crowdsec ``` +## Setup for LAPI High Availability + +Below a basic configuration for High availability + +``` +# your-values.yaml + +# Configure external DB (https://docs.crowdsec.net/docs/configuration/crowdsec_configuration/#configuration-example) +config: + config-override.yaml: | + db_config: + type: "postgresql" + user: "crowdsec" + password: "${DB_PASSWORD}" + db_name: "crowdsec" + host: "192.168.0.2" + port: "5432" + +lapi: + # 2 or more replicas for HA + replicas: 2 + # You can specify your own CS_LAPI_SECRET, or let the chart generate one. Length must be >= 64 + secrets: + csLapiSecret: + # Specify your external DB password here + extraSecrets: + dbPassword: + persistentVolume: + # When replicas for LAPI is greater than 1, two options, persistent volumes must be disabled, or in ReadWriteMany mode + config: + enabled: false + # data volume is not required, since SQLite isn't used + data: + enabled: false + # DB Password passed through environment variable + env: + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: crowdsec-lapi-secret + key: dbPassword +``` + ## Values | Key | Type | Default | Description | diff --git a/charts/crowdsec/templates/_helpers.tpl b/charts/crowdsec/templates/_helpers.tpl index 8543568..20e9407 100644 --- a/charts/crowdsec/templates/_helpers.tpl +++ b/charts/crowdsec/templates/_helpers.tpl @@ -29,6 +29,20 @@ Generate password if not specified in values {{- end -}} {{- end -}} +{{/* +Generate CS_LAPI_SECRET if not specified in values +*/}} +{{ define "lapi.csLapiSecret" }} +{{- if .Values.lapi.secrets.csLapiSecret }} + {{- .Values.lapi.secrets.csLapiSecret -}} +{{- else if (lookup "v1" "Secret" .Release.Namespace "crowdsec-lapi-secrets").data }} + {{- $obj := (lookup "v1" "Secret" .Release.Namespace "crowdsec-lapi-secrets").data -}} + {{- index $obj "csLapiSecret" | b64dec -}} +{{- else -}} + {{- randAscii 64 -}} +{{- end -}} +{{- end -}} + {{/* notifications parameters check */}} diff --git a/charts/crowdsec/templates/lapi-deployment.yaml b/charts/crowdsec/templates/lapi-deployment.yaml index c23e156..a499e98 100644 --- a/charts/crowdsec/templates/lapi-deployment.yaml +++ b/charts/crowdsec/templates/lapi-deployment.yaml @@ -87,6 +87,11 @@ spec: - name: CAPI_WHITELISTS_PATH value: "/etc/crowdsec/capi_whitelists.yaml" {{- end }} + - name: CS_LAPI_SECRET + valueFrom: + secretKeyRef: + name: crowdsec-lapi-secrets + key: csLapiSecret {{- with .Values.lapi.env }} {{- toYaml . | nindent 10 }} diff --git a/charts/crowdsec/templates/lapi-secrets.yaml b/charts/crowdsec/templates/lapi-secrets.yaml new file mode 100644 index 0000000..c001612 --- /dev/null +++ b/charts/crowdsec/templates/lapi-secrets.yaml @@ -0,0 +1,19 @@ +# vim: set ft=gotmpl: +--- + +apiVersion: v1 +kind: Secret +metadata: + name: crowdsec-lapi-secrets + labels: + k8s-app: {{ .Release.Name }} + type: lapi + version: v1 +type: Opaque +data: + csLapiSecret: {{ include "lapi.csLapiSecret" . | b64enc }} + {{- with .Values.lapi.extraSecrets }} + {{- range $key, $value := . }} + {{ $key }}: {{ $value | b64enc }} + {{- end }} + {{- end }} \ No newline at end of file diff --git a/charts/crowdsec/values.yaml b/charts/crowdsec/values.yaml index 7f35cd2..1350c38 100644 --- a/charts/crowdsec/values.yaml +++ b/charts/crowdsec/values.yaml @@ -81,7 +81,6 @@ config: # db_name: "crowdsec" # host: "192.168.0.2" # port: "5432" - # sslmode: "required" # -- notifications configuration (https://docs.crowdsec.net/docs/next/notification_plugins/intro) notifications: {} # email.yaml: | @@ -229,6 +228,13 @@ lapi: strategy: type: RollingUpdate + secrets: + # -- Shared LAPI secret. Will be generated randomly if not specified. Size must be > 64 characters + csLapiSecret: "" + # -- Any extra secrets you may need (for example, external DB password) + extraSecrets: {} + # dbPassword: randomPass + # agent will deploy pod on every node as daemonSet to read wanted pods logs agent: # -- To add custom acquisitions using available datasources (https://docs.crowdsec.net/docs/next/data_sources/intro)