From f0ba16d661f1a11d1395198599973fdad52428c2 Mon Sep 17 00:00:00 2001 From: Erwan Vallienne Date: Fri, 22 Sep 2023 11:15:19 +0200 Subject: [PATCH] add secrets --- charts/crowdsec/README.md | 43 +++++++++++++++++++ charts/crowdsec/templates/_helpers.tpl | 14 ++++++ .../crowdsec/templates/lapi-deployment.yaml | 5 +++ charts/crowdsec/templates/lapi-secrets.yaml | 19 ++++++++ charts/crowdsec/values.yaml | 8 +++- 5 files changed, 88 insertions(+), 1 deletion(-) create mode 100644 charts/crowdsec/templates/lapi-secrets.yaml diff --git a/charts/crowdsec/README.md b/charts/crowdsec/README.md index d7ba6aa..c943630 100644 --- a/charts/crowdsec/README.md +++ b/charts/crowdsec/README.md @@ -31,6 +31,49 @@ helm install crowdsec crowdsec/crowdsec -f crowdsec-values.yaml -n crowdsec helm delete crowdsec -n crowdsec ``` +## Setup for LAPI High Availability + +Below a basic configuration for High availability + +``` +# your-values.yaml + +# Configure external DB (https://docs.crowdsec.net/docs/configuration/crowdsec_configuration/#configuration-example) +config: + config-override.yaml: | + db_config: + type: "postgresql" + user: "crowdsec" + password: "${DB_PASSWORD}" + db_name: "crowdsec" + host: "192.168.0.2" + port: "5432" + +lapi: + # 2 or more replicas for HA + replicas: 2 + # You can specify your own CS_LAPI_SECRET, or let the chart generate one. Length must be >= 64 + secrets: + csLapiSecret: + # Specify your external DB password here + extraSecrets: + dbPassword: + persistentVolume: + # When replicas for LAPI is greater than 1, two options, persistent volumes must be disabled, or in ReadWriteMany mode + config: + enabled: false + # data volume is not required, since SQLite isn't used + data: + enabled: false + # DB Password passed through environment variable + env: + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: crowdsec-lapi-secret + key: dbPassword +``` + ## Values | Key | Type | Default | Description | 
diff --git a/charts/crowdsec/templates/_helpers.tpl b/charts/crowdsec/templates/_helpers.tpl index 8543568..20e9407 100644 --- a/charts/crowdsec/templates/_helpers.tpl +++ b/charts/crowdsec/templates/_helpers.tpl @@ -29,6 +29,20 @@ Generate password if not specified in values {{- end -}} {{- end -}} +{{/* +Generate CS_LAPI_SECRET if not specified in values +*/}} +{{ define "lapi.csLapiSecret" }} +{{- if .Values.lapi.secrets.csLapiSecret }} + {{- .Values.lapi.secrets.csLapiSecret -}} +{{- else if (lookup "v1" "Secret" .Release.Namespace "crowdsec-lapi-secrets").data }} + {{- $obj := (lookup "v1" "Secret" .Release.Namespace "crowdsec-lapi-secrets").data -}} + {{- index $obj "csLapiSecret" | b64dec -}} +{{- else -}} + {{- randAscii 64 -}} +{{- end -}} +{{- end -}} + {{/* notifications parameters check */}} diff --git a/charts/crowdsec/templates/lapi-deployment.yaml b/charts/crowdsec/templates/lapi-deployment.yaml index c23e156..a499e98 100644 --- a/charts/crowdsec/templates/lapi-deployment.yaml +++ b/charts/crowdsec/templates/lapi-deployment.yaml @@ -87,6 +87,11 @@ spec: - name: CAPI_WHITELISTS_PATH value: "/etc/crowdsec/capi_whitelists.yaml" {{- end }} + - name: CS_LAPI_SECRET + valueFrom: + secretKeyRef: + name: crowdsec-lapi-secrets + key: csLapiSecret {{- with .Values.lapi.env }} {{- toYaml . | nindent 10 }} diff --git a/charts/crowdsec/templates/lapi-secrets.yaml b/charts/crowdsec/templates/lapi-secrets.yaml new file mode 100644 index 0000000..c001612 --- /dev/null +++ b/charts/crowdsec/templates/lapi-secrets.yaml @@ -0,0 +1,19 @@ +# vim: set ft=gotmpl: +--- + +apiVersion: v1 +kind: Secret +metadata: + name: crowdsec-lapi-secrets + labels: + k8s-app: {{ .Release.Name }} + type: lapi + version: v1 +type: Opaque +data: + csLapiSecret: {{ include "lapi.csLapiSecret" . | b64enc }} + {{- with .Values.lapi.extraSecrets }} + {{- range $key, $value := . }} + {{ $key }}: {{ $value | b64enc }} + {{- end }} + {{- end }} \ No newline at end of file 
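Review bot: In the `else if` branch of `lapi.csLapiSecret`, `index $obj "csLapiSecret" | b64dec` runs whenever the existing `crowdsec-lapi-secrets` Secret has any data, so a Secret created by hand or holding only `extraSecrets` keys makes the render fail on a nil value instead of falling through to `randAscii 64`. The lookup is also issued twice, and the Secret name is spelled out here and again in `lapi-secrets.yaml` and `lapi-deployment.yaml`, so a rename in one place silently breaks the fallback. Bear in mind that `lookup` returns nothing under `helm template` or `--dry-run`, so renders that do not reach the API server produce a fresh random value each time; that deserves a comment in the helper. Suggested rewrite below, which resolves the lookup once and guards the key with `hasKey`.

```gotmpl
{{/*
Generate CS_LAPI_SECRET if not specified in values. Precedence: explicit value
from values, key already present in the existing Secret, then a fresh random
value. Note: lookup returns nothing under `helm template` / `--dry-run`, so a
new value is generated on every render that does not reach the API server.
*/}}
{{- define "lapi.csLapiSecret" -}}
{{- $existing := (lookup "v1" "Secret" .Release.Namespace "crowdsec-lapi-secrets").data | default dict -}}
{{- if .Values.lapi.secrets.csLapiSecret -}}
  {{- .Values.lapi.secrets.csLapiSecret -}}
{{- else if hasKey $existing "csLapiSecret" -}}
  {{- index $existing "csLapiSecret" | b64dec -}}
{{- else -}}
  {{- randAscii 64 -}}
{{- end -}}
{{- end -}}
```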
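Review bot: The new `CS_LAPI_SECRET` entry reads key `csLapiSecret` from a Secret hard-coded as `crowdsec-lapi-secrets`, while the README example added in the same commit tells users to point their `DB_PASSWORD` at `crowdsec-lapi-secret` (singular); one of the two names is wrong, and a pod whose secretKeyRef cannot be resolved stays stuck in a container-config error rather than starting. Since the same literal now appears in three templates, resolving it through a single define (for example an `lapi.secretName` helper in `_helpers.tpl`) and writing `name: {{ include "lapi.secretName" . }}` here would keep them in sync and allow the name to be release-scoped. The container spec this env list belongs to starts and ends outside the hunk.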
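Review bot: `{{ $key }}: {{ $value | b64enc }}` in the `extraSecrets` loop assumes every value is a string; an unquoted all-digit password is parsed by YAML as a number and `b64enc`, which takes a string, then fails the render, so `{{ $key }}: {{ $value | toString | b64enc }}` is the safer form. The Secret name `crowdsec-lapi-secrets` is not prefixed with the release name, unlike the `k8s-app: {{ .Release.Name }}` label on the same object, so two releases in one namespace would contend for the same Secret (and the README example in this commit refers to it as `crowdsec-lapi-secret`, singular). The file also ends without a trailing newline. A short header comment stating that `csLapiSecret` comes from values, from an existing Secret, or is generated, in that order, would help operators who encounter this Secret in the cluster.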
diff --git a/charts/crowdsec/values.yaml b/charts/crowdsec/values.yaml index 7f35cd2..1350c38 100644 --- a/charts/crowdsec/values.yaml +++ b/charts/crowdsec/values.yaml @@ -81,7 +81,6 @@ config: # db_name: "crowdsec" # host: "192.168.0.2" # port: "5432" - # sslmode: "required" # -- notifications configuration (https://docs.crowdsec.net/docs/next/notification_plugins/intro) notifications: {} # email.yaml: | @@ -229,6 +228,13 @@ lapi: strategy: type: RollingUpdate + secrets: + # -- Shared LAPI secret. Will be generated randomly if not specified. Size must be > 64 characters + csLapiSecret: "" + # -- Any extra secrets you may need (for example, external DB password) + extraSecrets: {} + # dbPassword: randomPass + # agent will deploy pod on every node as daemonSet to read wanted pods logs agent: # -- To add custom acquisitions using available datasources (https://docs.crowdsec.net/docs/next/data_sources/intro)
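Review bot: The comment on `csLapiSecret` says `Size must be > 64 characters`, but the README added in this commit says `>= 64` and the helper's fallback `randAscii 64` produces exactly 64, so the documented rule contradicts the generated default; suggest `# -- Shared LAPI secret. Generated randomly if not specified. Must be at least 64 characters`. The `extraSecrets` example `# dbPassword: randomPass` is better shown quoted, `# dbPassword: "randomPass"`, because values such as an all-digit password otherwise arrive as numbers rather than strings. It is also worth stating in the comment that anything placed in `extraSecrets` is plain text in the values file and in Helm's stored release values, so users know to keep it out of committed values files.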