🚀 crowdsec demo
@@ -14,5 +14,6 @@ resources:
|
||||
- ./media-servers
|
||||
- ./monitoring
|
||||
- ./networking
|
||||
# - ./security
|
||||
- ./storage
|
||||
- ./web-tools
|
||||
|
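Review bot: The new `# - ./security` entry is added commented out with no explanation, so the crowdsec HelmRelease, SOPS Secret and security Kustomization introduced elsewhere in this commit are presumably never reconciled by Flux. If leaving it disabled is deliberate for the demo, say so on the line so the next reader does not uncomment it without also enabling the bouncer block in the ingress-nginx values, e.g. `# - ./security  # crowdsec demo: not enabled yet; nginx bouncer wiring is still commented out too`. The file header is outside the hunk, so I am inferring from the `resources:` context that this is the apps-level Kustomization.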
@@ -1,6 +1,13 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: crowdsec
|
||||
labels:
|
||||
kustomize.toolkit.fluxcd.io/prune: disabled
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: default
|
||||
labels:
|
||||
|
@@ -51,6 +51,9 @@ spec:
|
||||
service-upstream: "true"
|
||||
ssl-protocols: "TLSv1.3 TLSv1.2"
|
||||
use-forwarded-headers: "true"
|
||||
# crowdsec bouncer
|
||||
# plugins: "crowdsec"
|
||||
# lua-shared-dicts: "crowdsec_cache: 50m"
|
||||
metrics:
|
||||
enabled: true
|
||||
serviceMonitor:
|
||||
@@ -69,12 +72,46 @@ spec:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: ingress-nginx
|
||||
app.kubernetes.io/component: controller
|
||||
resources:
|
||||
requests:
|
||||
memory: 400Mi
|
||||
cpu: 25m
|
||||
limits:
|
||||
memory: 1Gi
|
||||
# crowdsec bouncer
|
||||
# extraVolumes:
|
||||
# - name: crowdsec-bouncer-plugin
|
||||
# emptyDir: {}
|
||||
# extraInitContainers:
|
||||
# - name: init-clone-crowdsec-bouncer
|
||||
# image: crowdsecurity/lua-bouncer-plugin
|
||||
# tag: v0.1.11
|
||||
# imagePullPolicy: IfNotPresent
|
||||
# env:
|
||||
# - name: API_URL
|
||||
# value: "http://crowdsec-service.crowdsec.svc.cluster.local:8080"
|
||||
# - name: API_KEY
|
||||
# value: "${SECRET_CROWDSEC_NGINX_BOUNCER_API_KEY}"
|
||||
# - name: DISABLE_RUN
|
||||
# value: "true"
|
||||
# - name: BOUNCER_CONFIG
|
||||
# value: "/crowdsec/crowdsec-bouncer.conf"
|
||||
# command:
|
||||
# - "/bin/sh"
|
||||
# - "-c"
|
||||
# - |
|
||||
# #!/bin/sh
|
||||
|
||||
# sh /docker_start.sh
|
||||
# mkdir -p /lua_plugins/crowdsec/
|
||||
# cp -pr /crowdsec/* /lua_plugins/crowdsec/
|
||||
# volumeMounts:
|
||||
# - name: crowdsec-bouncer-plugin
|
||||
# mountPath: /lua_plugins
|
||||
# extraVolumeMounts:
|
||||
# - name: crowdsec-bouncer-plugin
|
||||
# mountPath: /etc/nginx/lua/plugins/crowdsec
|
||||
# subPath: crowdsec
|
||||
# resources:
|
||||
# requests:
|
||||
# memory: 400Mi
|
||||
# cpu: 25m
|
||||
# limits:
|
||||
# memory: 1Gi
|
||||
defaultBackend:
|
||||
enabled: true
|
||||
image:
|
||||
|
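Review bot: In the commented-out bouncer init container, `API_KEY` is given as a literal `value: "${SECRET_CROWDSEC_NGINX_BOUNCER_API_KEY}"`, so once Flux substitutes it the bouncer key ends up in cleartext in the rendered Deployment and pod spec, readable by anyone who can `get deployments`/`get pods` in the ingress-nginx namespace; when this block is enabled, source it from a Secret instead, e.g. `valueFrom: {secretKeyRef: {name: crowdsec-nginx-bouncer, key: api_key}}`, as the crowdsec HelmRelease already does for `ENROLL_KEY`. The separate `tag: v0.1.11` key is not a Kubernetes container field — if the chart passes `extraInitContainers` through verbatim the tag is dropped or rejected and the image is pulled unpinned as `latest`; write `image: crowdsecurity/lua-bouncer-plugin:v0.1.11` instead. `API_URL` is plain `http://` to the LAPI, which is tolerable on an in-cluster network but deserves a comment since the bouncer key is sent over it. The init container's `resources` (400Mi request, 1Gi limit) look copied from the controller; a container that only copies a Lua plugin into an emptyDir needs far less, and the enclosing `controller:` values block starts outside the hunk.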
120
kubernetes/cluster-0/apps/security/crowdsec/helmrelease.yaml
Normal file
120
kubernetes/cluster-0/apps/security/crowdsec/helmrelease.yaml
Normal file
@@ -0,0 +1,120 @@
|
||||
---
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2beta1
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: crowdsec
|
||||
namespace: crowdsec
|
||||
spec:
|
||||
interval: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: crowdsec
|
||||
version: 0.8.2
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: crowdsec
|
||||
namespace: flux-system
|
||||
install:
|
||||
createNamespace: true
|
||||
remediation:
|
||||
retries: 5
|
||||
upgrade:
|
||||
remediation:
|
||||
retries: 5
|
||||
values:
|
||||
container_runtime: containerd
|
||||
image:
|
||||
repository: crowdsecurity/crowdsec
|
||||
tag: v1.4.3
|
||||
lapi:
|
||||
env:
|
||||
# by default disable the agent for local API pods
|
||||
- name: DISABLE_AGENT
|
||||
value: "true"
|
||||
- name: ENROLL_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: crowdsec-config
|
||||
key: enroll_key
|
||||
- name: ENROLL_INSTANCE_NAME
|
||||
value: "talos@cluster-0"
|
||||
dashboard:
|
||||
enabled: false
|
||||
ingress:
|
||||
enabled: false
|
||||
annotations:
|
||||
ingressClassName: nginx
|
||||
host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
|
||||
tls:
|
||||
- hosts:
|
||||
- *host
|
||||
resources:
|
||||
requests:
|
||||
cpu: 150m
|
||||
memory: 100M
|
||||
limits:
|
||||
memory: 100M
|
||||
# -- Enable persistent volumes
|
||||
persistentVolume:
|
||||
# -- Persistent volume for data folder. Stores e.g. registered bouncer api keys
|
||||
data:
|
||||
enabled: true
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
storageClassName: rook-ceph-filesystem
|
||||
size: 1Gi
|
||||
# -- Persistent volume for config folder. Stores e.g. online api credentials
|
||||
config:
|
||||
enabled: true
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
storageClassName: rook-ceph-filesystem
|
||||
size: 100Mi
|
||||
metrics:
|
||||
enabled: false
|
||||
serviceMonitor:
|
||||
enabled: false
|
||||
strategy:
|
||||
type: Recreate
|
||||
agent:
|
||||
# To specify each pod you want to process it logs (pods present in the node)
|
||||
acquisition:
|
||||
# The namespace where the pod is located
|
||||
- namespace: ingress-nginx
|
||||
# The pod name
|
||||
podName: ingress-nginx-controller-*
|
||||
# as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs
|
||||
program: nginx
|
||||
# Those are ENV variables
|
||||
env:
|
||||
# As it's a test, we don't want to share signals with CrowdSec so disable the Online API.
|
||||
- name: DISABLE_crONLINE_API
|
||||
value: "true"
|
||||
# As we are running Nginx, we want to install the Nginx collection
|
||||
- name: COLLECTIONS
|
||||
value: "crowdsecurity/nginx crowdsecurity/linux crowdsecurity/base-http-scenarios crowdsecurity/http-cve crowdsecurity/pgsql crowdsecurity/sshd"
|
||||
- name: PARSERS
|
||||
value: "crowdsecurity/cri-logs"
|
||||
- name: TZ
|
||||
value: "${TIMEZONE}"
|
||||
- name: DISABLE_ONLINE_API
|
||||
value: "false"
|
||||
resources:
|
||||
limits:
|
||||
memory: 100Mi
|
||||
requests:
|
||||
cpu: 150m
|
||||
memory: 100Mi
|
||||
# -- Enable persistent volumes
|
||||
persistentVolume:
|
||||
# -- Persistent volume for config folder. Stores local config (parsers, scenarios etc.)
|
||||
config:
|
||||
enabled: true
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
storageClassName: rook-ceph-filesystem
|
||||
size: 100Mi
|
||||
metrics:
|
||||
enabled: true
|
||||
serviceMonitor:
|
||||
enabled: true
|
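Review bot: The agent env sets `DISABLE_crONLINE_API` (misspelled, so it is ignored) under a comment saying the online API is disabled for this test, and then sets `DISABLE_ONLINE_API` to `"false"` a few entries later — the effective setting is the opposite of what the comment claims. Drop the misspelled entry and keep one consistent value: `DISABLE_ONLINE_API: "true"` if signals really must not be shared, or the current `"false"` with the comment rewritten; the lapi also carries `ENROLL_KEY`, which presumably enrolls this instance in the CrowdSec console, so sharing appears to be the actual intent (and CAPI is spoken by the LAPI, so the agent-side flag likely matters little either way). `COLLECTIONS` pulls in `crowdsecurity/pgsql`, `crowdsecurity/sshd` and `crowdsecurity/linux` while `acquisition` only reads the ingress-nginx controller pods, so those scenarios can never match; trimming them to the nginx/http collections reduces hub noise. Minor: `install.createNamespace: true` duplicates the `crowdsec` Namespace manifest added in this commit — pick one owner for the namespace so the prune label on it is not bypassed.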
@@ -0,0 +1,6 @@
|
||||
---
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ./helmrelease.yaml
|
||||
- ./secret.sops.yaml
|
29
kubernetes/cluster-0/apps/security/crowdsec/secret.sops.yaml
Normal file
29
kubernetes/cluster-0/apps/security/crowdsec/secret.sops.yaml
Normal file
@@ -0,0 +1,29 @@
|
||||
# yamllint disable
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: crowdsec-config
|
||||
namespace: crowdsec
|
||||
type: Opaque
|
||||
stringData:
|
||||
enroll_key: ENC[AES256_GCM,data:ret34T4Bcdua76M8s19bLeNTUWweVqPg5Q==,iv:q9sXlIUAkRi4Gu1+uhVWW5WCDuUCn6ZAV+UjtK1hkAQ=,tag:zXCtO2dpokZ57/NTthItig==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoN0VJaHVYcXNDZDlZUGRn
|
||||
YUViZDU0TCtmbzkycUpiZUVDbkluSzdSM2hVClpMRDdKREJBZEpEYUIxUGlIem9Q
|
||||
Z08rVUVLUFhWNGdncElCR2hFVFNJUEUKLS0tIDZzcDVyb0lMTzRrNStBRU1KN2wy
|
||||
OU81anNCMk13bXNXRVM3ZWcxTjd6SUkKd5FvLfeXe4p7j5eryl9ZuVh6oT920yiy
|
||||
hsaI1Cwm2WH55lR++P1jtIyTo+lOL5M+IZUeyC7LXBpMp2UBNbllcw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2022-12-23T02:14:45Z"
|
||||
mac: ENC[AES256_GCM,data:Y5ZzEfUbfy4hs6CpxZOW9/jSzp/lRaL28vB81BHFnUCDH9hHiCLMhb64SfJdCOgxP1HjKRbsQgSLdQD0W1Q7udtsXFVFg+LnND++ukWaXESj/USb25o9RT8Kn94RePLzeDdOkAR9hYS+YViKjdvdck2oKwr1cy8slcgHDXi83LI=,iv:/iBS+i43BaSOBZGUeNxUnqn4sgX12GozkQdUuLLsvMM=,tag:JLwY15QfNLWRJax2nKdcbw==,type:str]
|
||||
pgp: []
|
||||
encrypted_regex: ^(data|stringData)$
|
||||
version: 3.7.3
|
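--- /dev/null
+++ b/kubernetes/cluster-0/apps/security/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./crowdsec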