Appsec high availability using replicas (#208)

* Add appsec registrationToken to values.yaml and generate if empty * Removed agent.additionalAcquisition
crowdsecurity · Dec 16, 2024 · 31d4478 · 31d4478
1 parent 3688567
commit 31d4478
Show file tree

Hide file tree

Showing 6 changed files with 135 additions and 149 deletions.
diff --git a/charts/crowdsec/ci/crowdsec-values.yaml b/charts/crowdsec/ci/crowdsec-values.yaml
@@ -11,64 +11,8 @@ config:
             - "10.0.0.0/8"
             - "172.16.0.0/12"
 agent:
-  additionalAcquisition:
-    - source: file
-      filenames:
-        - /var/log/auth.log
-      force_inotify: true
-      labels:
-        type: syslog
-    - source: file
-      filename: /var/log/auth.log
-      labels:
-        type: syslog
-    - source: journalctl
-      journalctl_filter:
-        - "_SYSTEMD_UNIT=sshd.service"
-      labels:
-        type: syslog
-    - source: cloudwatch
-      group_name: /aws/my/group
-      aws_profile: monitoring
-      stream_regexp: "^stream[0-9]+$"
-      labels:
-        type: apigateway
-    - source: kinesis
-      stream_arn: arn:aws:kinesis:eu-west-1:123456789012:stream/my-stream
-      use_enhanced_fanout: true
-      consumer_name: my-consumer
-      labels:
-        type: mytype
-    - source: syslog
-      listen_addr: 127.0.0.1
-      listen_port: 514
-      labels:
-        type: syslog
-        program: syslog
-    - source: docker
-      container_name:
-        - "my-container"
-      container_id:
-        - "1234567890abcdef"
-      labels:
-        type: docker
-    - source: wineventlog
-      xpath_query: |
-          <QueryList><Query><Select Path=\"Security\">*[System[(EventID=42) and (Level=2)]]</Select></Query></QueryList>
-      labels:
-        type: eventlog
-    - source: kafka
-      brokers:
-        - "localhost:9093"
-      topic: "my-topic"
-      timeout: 5
-      tls:
-        insecure_skip_verify: true
-        client_cert: /path/kafkaClient.certificate.pem
-        client_key: /path/kafkaClient.key
-        ca_cert: /path/ca.crt
-      labels:
-        type: nginx
+  metrics:
+    enabled: true
   acquisition:
     - namespace: test
       podName: test-*

diff --git a/charts/crowdsec/templates/_helpers.tpl b/charts/crowdsec/templates/_helpers.tpl
@@ -15,6 +15,20 @@ Generate CS_LAPI_SECRET if not specified in values
 {{- end -}}
 {{- end -}}
 
+{{/*
+Generate registrationToken if not specified in values
+*/}}
+{{ define "lapi.registrationToken" }}
+{{- if .Values.lapi.secrets.registrationToken }}
+  {{- .Values.lapi.secrets.registrationToken -}}
+{{- else if (lookup "v1" "Secret" .Release.Namespace "crowdsec-lapi-secrets").data }}
+  {{- $obj := (lookup "v1" "Secret" .Release.Namespace "crowdsec-lapi-secrets").data -}}
+  {{- index $obj "registrationToken" | b64dec -}}
+{{- else -}}
+  {{- randAlphaNum 48 -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
   notifications parameters check
 */}}

diff --git a/charts/crowdsec/templates/appsec-deployment.yaml b/charts/crowdsec/templates/appsec-deployment.yaml
@@ -15,12 +15,12 @@ metadata:
   {{ toYaml .Values.appsec.deployAnnotations | trim | indent 4 }}
   {{- end }}
 spec:
-  replicas: 1
+  replicas: {{ .Values.appsec.replicas }}
+  strategy: {{- toYaml .Values.appsec.strategy | nindent 4 }}
   selector:
     matchLabels:
       k8s-app: {{ .Release.Name }}
       type: appsec
-  strategy: {{- toYaml .Values.appsec.strategy | nindent 4 }}
   template:
     metadata:
       annotations:
@@ -100,6 +100,38 @@ spec:
         {{- with .Values.appsec.env }}
           {{- toYaml . | nindent 10 }}
         {{- end }}
+        resources:
+          {{- toYaml .Values.appsec.resources | nindent 10 }}
+        ports:
+          - name: appsec
+            containerPort: 7422
+            protocol: TCP
+          {{- if .Values.appsec.metrics.enabled }}
+          - name: metrics
+            containerPort: 6060
+            protocol: TCP
+
+        {{/* Probes depend on the metrics port, there is no other service on the log processor */}}
+
+        {{ if .Values.appsec.livenessProbe }}
+        livenessProbe:
+{{ toYaml .Values.appsec.livenessProbe | indent 10 }}
+        {{ end }}
+        {{ if .Values.appsec.readinessProbe }}
+        readinessProbe:
+{{ toYaml .Values.appsec.readinessProbe | indent 10 }}
+        {{ end }}
+        {{ if .Values.appsec.startupProbe }}
+        startupProbe:
+{{ toYaml .Values.appsec.startupProbe | indent 10 }}
+        {{ end }}
+
+        {{ end }}
+
+        securityContext:
+          allowPrivilegeEscalation: false
+          privileged: false
+
         volumeMounts:
           - name: crowdsec-config
             mountPath: /tmp_config
@@ -120,58 +152,12 @@ spec:
             subPath: {{ $fileName }}
           {{- end }}
           {{- end }}
-        resources:
-          {{- toYaml .Values.appsec.resources | nindent 10 }}
-        ports:
-          - name: appsec
-            containerPort: 7422
-            protocol: TCP
-          {{- if .Values.appsec.metrics.enabled }}
-          - name: metrics
-            containerPort: 6060
-            protocol: TCP
+          {{- if .Values.appsec.extraVolumeMounts }}
+          {{ toYaml .Values.appsec.extraVolumeMounts | nindent 10 }}
           {{- end }}
 
-        livenessProbe:
-          failureThreshold: 3
-          periodSeconds: 10
-          successThreshold: 1
-          timeoutSeconds: 5
-          tcpSocket:
-            port: appsec
-        readinessProbe:
-          failureThreshold: 3
-          periodSeconds: 10
-          successThreshold: 1
-          timeoutSeconds: 5
-          tcpSocket:
-            port: appsec
-        startupProbe:
-          failureThreshold: 30
-          periodSeconds: 10
-          successThreshold: 1
-          timeoutSeconds: 5
-          tcpSocket:
-            port: appsec
-
-        securityContext:
-          allowPrivilegeEscalation: false
-          privileged: false
-
         terminationGracePeriodSeconds: 30
 
-       {{- with .Values.appsec.nodeSelector }}
-        nodeSelector:
-          {{- toYaml . | nindent 8 }}
-        {{- end }}
-        {{- with .Values.appsec.affinity }}
-        affinity:
-          {{- toYaml . | nindent 8 }}
-        {{- end }}
-        {{- if .Values.appsec.priorityClassName }}
-        priorityClassName: {{ .Values.appsec.priorityClassName }}
-        {{- end}}
-
       volumes:
       - name: appsec-acquis-config-volume
         configMap:
@@ -198,4 +184,16 @@ spec:
             path: {{ $fileName }}
       {{- end }}
       {{- end }}
+      {{- if .Values.appsec.extraVolumes }}
+      {{ toYaml .Values.appsec.extraVolumes | nindent 6 }}
+      {{- end }}
+      {{- with .Values.appsec.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.appsec.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      priorityClassName: {{ .Values.appsec.priorityClassName }}
 {{- end }}
diff --git a/charts/crowdsec/templates/lapi-secrets.yaml b/charts/crowdsec/templates/lapi-secrets.yaml
@@ -12,7 +12,7 @@ metadata:
 type: Opaque
 data:
   csLapiSecret: {{ include "lapi.csLapiSecret" . | b64enc }}
-  registrationToken: {{ randAlphaNum 48 | b64enc }}
+  registrationToken: {{ include "lapi.registrationToken" . | b64enc }}
   {{- with .Values.lapi.extraSecrets }}
   {{- range $key, $value := . }}
   {{ $key }}: {{ $value | b64enc }}

diff --git a/charts/crowdsec/templates/tests/test_agent_up.yaml b/charts/crowdsec/templates/tests/test_agent_up.yaml
@@ -9,22 +9,9 @@ spec:
   containers:
   - name: "{{ .Release.Name }}-test-agent"
     image: curlimages/curl
-    env:
-      - name: AGENT_USERNAME
-        valueFrom:
-          secretKeyRef:
-            name: agent-credentials
-            key: username
-      - name: AGENT_PASSWORD
-        valueFrom:
-          secretKeyRef:
-            name: agent-credentials
-            key: password
     command:
       - /bin/sh
       - -ec
       - |
-        http_code=$(curl -s -o /dev/null -w "%{http_code}" http://{{ .Release.Name }}-service:8080/v1/watchers/login \
-        -H 'Content-Type: application/json' -d '{"machine_id": "'"$AGENT_USERNAME"'", "password":"'"$AGENT_PASSWORD"'"}'); \
-        if [ "$http_code" == "200" ]; then echo 'connection to lapi succeed' && exit 0; else echo 'failed connect to lapi' && exit 1; fi
+        curl -XGET http://{{ .Release.Name }}-agent-service:6060/metrics
   restartPolicy: Never
diff --git a/charts/crowdsec/values.yaml b/charts/crowdsec/values.yaml
@@ -300,6 +300,8 @@ lapi:
   secrets:
     # -- Shared LAPI secret. Will be generated randomly if not specified. Size must be > 64 characters
     csLapiSecret: ""
+    # -- Registration Token for Appsec. Will be generated randomly if not specified. Size must be > 48 characters
+    registrationToken: ""
   # -- Any extra secrets you may need (for example, external DB password)
   extraSecrets: {}
     # dbPassword: randomPass
@@ -505,6 +507,12 @@ agent:
 appsec:
   # -- Enable AppSec (by default disabled)
   enabled: false
+  # -- replicas for Appsec
+  replicas: 1
+  # -- strategy for appsec deployment
+  strategy:
+    type: Recreate
+
   # -- Additional acquisitions for AppSec
   acquisitions: []
     #- source: appsec
@@ -549,8 +557,31 @@ appsec:
     #      - cve.CVE-xxxx-xxxxx
     #      - attack.Txxxx 
 
+  # -- priorityClassName for appsec pods
+  priorityClassName: ""
+  # -- Annotations to be added to appsec deployment
+  deployAnnotations: {}
+  # -- podAnnotations for appsec pods
+  podAnnotations: {}
+  # -- podLabels for appsec pods
+  podLabels: {}
+  # -- extraInitContainers for appsec pods
+  extraInitContainers: []
+  # -- Extra volumes to be added to appsec pods
+  extraVolumes: []
+  # -- Extra volumeMounts to be added to appsec pods
+  extraVolumeMounts: []
+  # -- resources for appsec pods
+  resources:
+    limits:
+      memory: 250Mi
+      cpu: 500m
+    requests:
+      cpu: 500m
+      memory: 250Mi
+
   # -- environment variables
-  env:
+  env: []
     # -- COLLECTIONS to install, separated by space (value: "crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-crs")
     #- name: COLLECTIONS
     #  value: "crowdsecurity/appsec-virtual-patching"
@@ -567,33 +598,45 @@ appsec:
     #- name: DISABLE_APPSEC_CONFIGS
     #  value: ""
 
-  # -- appsec deployment annotations
-  deployAnnotations: {}
-  # -- strategy for appsec deployment
-  strategy:
-    type: Recreate
-  # -- podAnnotations for appsec deployment
-  podAnnotations: {}
-  # -- podLabels for appsec deployment
-  podLabels: {}
-  # -- tolerations for appsec deployment
-  tolerations: []
-  # -- nodeSelector for appsec deployment
+  # -- nodeSelector for appsec
   nodeSelector: {}
-  # -- affinity for appsec deployment
+
+  # -- tolerations for appsec
+  tolerations: []
+  # -- affinity for appsec
   affinity: {}
-  # -- priorityClassName for appsec deployment
-  priorityClassName: ""
-  # -- extraInitContainers for appsec deployment
-  extraInitContainers: []
-  # -- resources for appsec deployment
-  resources:
-    limits:
-      memory: 250Mi
-      cpu: 500m
-    requests:
-      cpu: 500m
-      memory: 250Mi
+
+  # -- livenessProbe for appsec
+  livenessProbe:
+    httpGet:
+      path: /metrics
+      port: metrics
+      scheme: HTTP
+    periodSeconds: 10
+    successThreshold: 1
+    timeoutSeconds: 5
+    failureThreshold: 3
+  # -- readinessProbe for appsec
+  readinessProbe:
+    httpGet:
+      path: /metrics
+      port: metrics
+      scheme: HTTP
+    periodSeconds: 10
+    successThreshold: 1
+    timeoutSeconds: 5
+    failureThreshold: 3
+  # -- startupProbe for appsec
+  startupProbe:
+    httpGet:
+      path: /metrics
+      port: metrics
+      scheme: HTTP
+    periodSeconds: 10
+    successThreshold: 1
+    timeoutSeconds: 5
+    failureThreshold: 30
+
   # -- Enable service monitoring (exposes "metrics" port "6060" for Prometheus and "7422" for AppSec) 
   metrics:
     enabled: true