🚀 crowdsec demo

2025-09-17 18:24:14 +02:00 · 2022-12-22 23:25:27 +01:00
parent c75d8350bd
commit 5b2893786f
11 changed files with 224 additions and 9 deletions
--- a/kubernetes/base/config/cluster-secrets.sops.yaml
+++ b/kubernetes/base/config/cluster-secrets.sops.yaml
@@ -12,6 +12,7 @@ stringData:
    SECRET_CLUSTER_OVH_APPLICATION_KEY: ENC[AES256_GCM,data:W8BOyYQbQJpQco0XQ8wgtA==,iv:z/nc9+DkIkvKw6Daf/UpuMsIc/H7AnwQF5ZjQarf03U=,tag:j+Qm6oK6jei7EFDBTT5ddQ==,type:str]
    SECRET_CLUSTER_OVH_APPLICATION_SECRET: ENC[AES256_GCM,data:+R6Vy1qlYZuvFsGTnK3m94PuzdsYNPe1JVpGqhq9Dy0=,iv:bNKMp6VNMyuiJokr5xm9To2OuBYzoiJSRXUm4S00MdI=,tag:8YJoz5MICyC9bES/IP6ROw==,type:str]
    SECRET_CLUSTER_OVH_CONSUMER_KEY: ENC[AES256_GCM,data:HwEaNSLEoON99KzgVLuDWxj8DPz1gz8tc3q/1hWJOvM=,iv:uTHCAT81Js9yQ/7iK90+elZzA0j6ia7AOWEufE1i/4k=,tag:D4tI50RyJz8o3n9hrrYz4Q==,type:str]
+    SECRET_CROWDSEC_NGINX_BOUNCER_API_KEY: ENC[AES256_GCM,data:ecukkFOK40WWIxJ48sXrxJUBaHx2BnzqxkIT+cXYZg4=,iv:y6AfslVPufBfrIL3GQqTw0cDAan64mB9J7RY9OzKQqw=,tag:+V4Rgz26wey2UtA32S0PJQ==,type:str]
    SECRET_EMAIL_DOMAIN: ENC[AES256_GCM,data:tggMEXyLi03dAorm,iv:tXHmWmm9wUIOyGXbHUagS0gl4cEW588XSvBIoNsADFw=,tag:69X+WZoj6CiI6mUJT01DzQ==,type:str]
    SECRET_EMAIL_SMTP_USERNAME: ENC[AES256_GCM,data:U8UiC6SdBbX9JbpRglyXfofDzYf+LNY=,iv:BLqn6nWm+il2yxWBJgpjlLKp5/eVh8L9qSEfM9LzUEo=,tag:1+afhSVYeHTvzzBiTxP7Ew==,type:str]
    SECRET_GITEA_API_TOKEN: ENC[AES256_GCM,data:lHrRfoAtj/sY7aFiWibf7ejrwn5ANa62d85kyPKxpZhXhdiz5jHcAw==,iv:D4ac1ltRrsHEM1z/bG0gHQZ4TntCK4fEj8BoYxDv7XM=,tag:yXVYJNpbM46ri9kW8MwxwQ==,type:str]
@@ -48,8 +49,8 @@ sops:
            WG82VkdBMlNnRzBySFQzMk41cEtXSlEKBqOmq9UpO61C85+pj0ibdT31y4pmFsbm
            pTi4N0vv81kcf4ilqBU5h1gudNCb42Q2iL0eGNR4e3JzH4iaNsvnEg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-11-21T21:03:04Z"
-    mac: ENC[AES256_GCM,data:1kDdR/a7WBENCYzT3JSiM7tYCGqYA+z5J/HbV7C9vw0kqoRCPg6QftdaszI0OOcNANtOnFWsaJZo2qvb8joNQMSYTiVQ6M0gEGjf1r5/ppi/mmBIZpPIdEU0qC+t8vJziFoiG/1wuetm/fUHlaom0XkgKtoy/irrPK0NcZEMuXA=,iv:HYa8SiJ6IZWuxMUSbfKdc7/gslrtTUy/89M0cfz05Hk=,tag:IlIiGNjpRQfxUu7JeN2XRQ==,type:str]
+    lastmodified: "2022-12-23T01:26:12Z"
+    mac: ENC[AES256_GCM,data:wYR8nXe5A7BePH7ttqp2YPyBthbJM892U5qZjvpVqo+vAbxYLZn/H3aDWAeUmM9rSQi8c4wR8UtDk7GTxUiMkdRYS267r2Jxcns0Z0sLq7D3YdL4zlW7TkDuo6zaknVOuePgSr9SYl/Z9y2ryk/BhRF9UjAASqnAEWtOKTqqs6I=,iv:LNqr+JPdywz/Z0wNhgKSAHJu4wMm+MykbFAzNoBNhec=,tag:kaltioo8R0HOhSYGmH1jww==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.7.3
--- a/kubernetes/base/config/cluster-settings.yaml
+++ b/kubernetes/base/config/cluster-settings.yaml
@@ -19,7 +19,6 @@ data:
  CLUSTER_LB_EMQX: 192.168.169.109
  CLUSTER_LB_JELLYFIN: 192.168.169.110
  CLUSTER_LB_RESILIOSYNC_HELENE: 192.168.169.111
-  CLUSTER_LB_BORGSERVER: 192.168.169.112
  LOCAL_LAN: 192.168.8.0/22
  LOCAL_LAN_OPNSENSE: 192.168.8.1
  LOCAL_LAN_TRUENAS: 192.168.9.10
--- a/kubernetes/base/repositories/helm/crowdsec.yaml
+++ b/kubernetes/base/repositories/helm/crowdsec.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: crowdsec
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://crowdsecurity.github.io/helm-charts
--- a/kubernetes/base/repositories/helm/kustomization.yaml
+++ b/kubernetes/base/repositories/helm/kustomization.yaml
@@ -7,6 +7,7 @@ resources:
  - ./cert-manager-webhook-ovh.yaml
  - ./cilium.yaml
  - ./cloudnative-pg.yaml
+  - ./crowdsec.yaml
  - ./descheduler.yaml
  - ./drone.yaml
  - ./dysnix.yaml
--- a/kubernetes/cluster-0/apps/kustomization.yaml
+++ b/kubernetes/cluster-0/apps/kustomization.yaml
@@ -14,5 +14,6 @@ resources:
  - ./media-servers
  - ./monitoring
  - ./networking
+  # - ./security
  - ./storage
  - ./web-tools
--- a/kubernetes/cluster-0/apps/namespaces.yaml
+++ b/kubernetes/cluster-0/apps/namespaces.yaml
@@ -1,6 +1,13 @@
 ---
 apiVersion: v1
 kind: Namespace
+metadata:
+  name: crowdsec
+  labels:
+    kustomize.toolkit.fluxcd.io/prune: disabled
+---
+apiVersion: v1
+kind: Namespace
 metadata:
  name: default
  labels:
--- a/kubernetes/cluster-0/apps/networking/ingress-nginx/helmrelease.yaml
+++ b/kubernetes/cluster-0/apps/networking/ingress-nginx/helmrelease.yaml
@@ -51,6 +51,9 @@ spec:
        service-upstream: "true"
        ssl-protocols: "TLSv1.3 TLSv1.2"
        use-forwarded-headers: "true"
+        # crowdsec bouncer
+        # plugins: "crowdsec"
+        # lua-shared-dicts: "crowdsec_cache: 50m"
      metrics:
        enabled: true
        serviceMonitor:
@@ -69,12 +72,46 @@ spec:
            matchLabels:
              app.kubernetes.io/name: ingress-nginx
              app.kubernetes.io/component: controller
-      resources:
-        requests:
-          memory: 400Mi
-          cpu: 25m
-        limits:
-          memory: 1Gi
+      # crowdsec bouncer
+      # extraVolumes:
+      # - name: crowdsec-bouncer-plugin
+      #   emptyDir: {}
+      # extraInitContainers:
+      # - name: init-clone-crowdsec-bouncer
+      #   image: crowdsecurity/lua-bouncer-plugin
+      #   tag: v0.1.11
+      #   imagePullPolicy: IfNotPresent
+      #   env:
+      #     - name: API_URL
+      #       value: "http://crowdsec-service.crowdsec.svc.cluster.local:8080"
+      #     - name: API_KEY
+      #       value: "${SECRET_CROWDSEC_NGINX_BOUNCER_API_KEY}"
+      #     - name: DISABLE_RUN
+      #       value: "true"
+      #     - name: BOUNCER_CONFIG
+      #       value: "/crowdsec/crowdsec-bouncer.conf"
+      #   command:
+      #     - "/bin/sh"
+      #     - "-c"
+      #     - |
+      #       #!/bin/sh
+
+      #       sh /docker_start.sh
+      #       mkdir -p /lua_plugins/crowdsec/
+      #       cp -pr /crowdsec/* /lua_plugins/crowdsec/
+      #   volumeMounts:
+      #   - name: crowdsec-bouncer-plugin
+      #     mountPath: /lua_plugins
+      # extraVolumeMounts:
+      # - name: crowdsec-bouncer-plugin
+      #   mountPath: /etc/nginx/lua/plugins/crowdsec
+      #   subPath: crowdsec
+      # resources:
+      #   requests:
+      #     memory: 400Mi
+      #     cpu: 25m
+      #   limits:
+      #     memory: 1Gi
    defaultBackend:
      enabled: true
      image:
--- a/kubernetes/cluster-0/apps/security/crowdsec/helmrelease.yaml
+++ b/kubernetes/cluster-0/apps/security/crowdsec/helmrelease.yaml
@@ -0,0 +1,120 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: crowdsec
+  namespace: crowdsec
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: crowdsec
+      version: 0.8.2
+      sourceRef:
+        kind: HelmRepository
+        name: crowdsec
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 5
+  upgrade:
+    remediation:
+      retries: 5
+  values:
+    container_runtime: containerd
+    image:
+      repository: crowdsecurity/crowdsec
+      tag: v1.4.3
+    lapi:
+      env:
+        # by default disable the agent for local API pods
+        - name: DISABLE_AGENT
+          value: "true"
+        - name: ENROLL_KEY
+          valueFrom:
+            secretKeyRef:
+              name: crowdsec-config
+              key: enroll_key
+        - name: ENROLL_INSTANCE_NAME
+          value: "talos@cluster-0"
+      dashboard:
+        enabled: false
+        ingress:
+          enabled: false
+          annotations:
+          ingressClassName: nginx
+          host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
+          tls:
+            - hosts:
+              - *host
+      resources:
+        requests:
+          cpu: 150m
+          memory: 100M
+        limits:
+          memory: 100M
+      # -- Enable persistent volumes
+      persistentVolume:
+        # -- Persistent volume for data folder. Stores e.g. registered bouncer api keys
+        data:
+          enabled: true
+          accessModes:
+            - ReadWriteOnce
+          storageClassName: rook-ceph-filesystem
+          size: 1Gi
+        # -- Persistent volume for config folder. Stores e.g. online api credentials
+        config:
+          enabled: true
+          accessModes:
+            - ReadWriteOnce
+          storageClassName: rook-ceph-filesystem
+          size: 100Mi
+      metrics:
+        enabled: false
+        serviceMonitor:
+          enabled: false
+      strategy:
+        type: Recreate
+    agent:
+      # To specify each pod you want to process it logs (pods present in the node)
+      acquisition:
+        # The namespace where the pod is located
+        - namespace: ingress-nginx
+          # The pod name
+          podName: ingress-nginx-controller-*
+          # as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs
+          program: nginx
+      # Those are ENV variables
+      env:
+        # As it's a test, we don't want to share signals with CrowdSec so disable the Online API.
+        - name: DISABLE_crONLINE_API
+          value: "true"
+        # As we are running Nginx, we want to install the Nginx collection
+        - name: COLLECTIONS
+          value: "crowdsecurity/nginx crowdsecurity/linux crowdsecurity/base-http-scenarios crowdsecurity/http-cve crowdsecurity/pgsql crowdsecurity/sshd"
+        - name: PARSERS
+          value: "crowdsecurity/cri-logs"
+        - name: TZ
+          value: "${TIMEZONE}"
+        - name: DISABLE_ONLINE_API
+          value: "false"
+      resources:
+        limits:
+          memory: 100Mi
+        requests:
+          cpu: 150m
+          memory: 100Mi
+      # -- Enable persistent volumes
+      persistentVolume:
+        # -- Persistent volume for config folder. Stores local config (parsers, scenarios etc.)
+        config:
+          enabled: true
+          accessModes:
+            - ReadWriteMany
+          storageClassName: rook-ceph-filesystem
+          size: 100Mi
+      metrics:
+        enabled: true
+        serviceMonitor:
+          enabled: true
--- a/kubernetes/cluster-0/apps/security/crowdsec/kustomization.yaml
+++ b/kubernetes/cluster-0/apps/security/crowdsec/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./helmrelease.yaml
+  - ./secret.sops.yaml
--- a/kubernetes/cluster-0/apps/security/crowdsec/secret.sops.yaml
+++ b/kubernetes/cluster-0/apps/security/crowdsec/secret.sops.yaml
@@ -0,0 +1,29 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+metadata:
+    name: crowdsec-config
+    namespace: crowdsec
+type: Opaque
+stringData:
+    enroll_key: ENC[AES256_GCM,data:ret34T4Bcdua76M8s19bLeNTUWweVqPg5Q==,iv:q9sXlIUAkRi4Gu1+uhVWW5WCDuUCn6ZAV+UjtK1hkAQ=,tag:zXCtO2dpokZ57/NTthItig==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoN0VJaHVYcXNDZDlZUGRn
+            YUViZDU0TCtmbzkycUpiZUVDbkluSzdSM2hVClpMRDdKREJBZEpEYUIxUGlIem9Q
+            Z08rVUVLUFhWNGdncElCR2hFVFNJUEUKLS0tIDZzcDVyb0lMTzRrNStBRU1KN2wy
+            OU81anNCMk13bXNXRVM3ZWcxTjd6SUkKd5FvLfeXe4p7j5eryl9ZuVh6oT920yiy
+            hsaI1Cwm2WH55lR++P1jtIyTo+lOL5M+IZUeyC7LXBpMp2UBNbllcw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-12-23T02:14:45Z"
+    mac: ENC[AES256_GCM,data:Y5ZzEfUbfy4hs6CpxZOW9/jSzp/lRaL28vB81BHFnUCDH9hHiCLMhb64SfJdCOgxP1HjKRbsQgSLdQD0W1Q7udtsXFVFg+LnND++ukWaXESj/USb25o9RT8Kn94RePLzeDdOkAR9hYS+YViKjdvdck2oKwr1cy8slcgHDXi83LI=,iv:/iBS+i43BaSOBZGUeNxUnqn4sgX12GozkQdUuLLsvMM=,tag:JLwY15QfNLWRJax2nKdcbw==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3
--- a/kubernetes/cluster-0/apps/security/kustomization.yaml
+++ b/kubernetes/cluster-0/apps/security/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./crowdsec