tls updates for 1.4.4 (#78)

* updated to work with 1.4.4 * added tlsClientAuth, insecureSkipVerify * allow use of CA with user/pw auth
crowdsecurity · Jan 6, 2023 · 3bfa303 · 3bfa303
1 parent 7d35176
commit 3bfa303
Show file tree

Hide file tree

Showing 6 changed files with 59 additions and 24 deletions.
diff --git a/charts/crowdsec/Chart.yaml b/charts/crowdsec/Chart.yaml
@@ -43,9 +43,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.8.2
+version: 0.8.3
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: v1.4.4-rc1
+appVersion: v1.4.4
diff --git a/charts/crowdsec/README.md b/charts/crowdsec/README.md
@@ -47,12 +47,14 @@ helm delete crowdsec -n crowdsec
 | config."profiles.yaml" | string | `""` | Profiles configuration (https://docs.crowdsec.net/docs/next/profiles/format/#profile-configuration-example) |
 | config.notifications | object | `{}` | notifications configuration (https://docs.crowdsec.net/docs/next/notification_plugins/intro) |
 | tls.enabled | bool | `false` |  |
-| tls.caBundle | bool | `true` |  |
+| tls.caBundle | bool | `true` |  | whether the tls secrets contain a ca.crt file
 | tls.certManager.enabled | bool | `true` |  |
-| tls.bouncer.secret | string | `"{{ .Release.Name }}-bouncer-tls"` |  |
-| tls.bouncer.reflector.namespaces | list | `[]` |  |
 | tls.agent.secret | string | `"{{ .Release.Name }}-agent-tls"` |  |
 | tls.agent.reflector.namespaces | list | `[]` |  |
+| tls.agent.tlsClientAuth | bool | `true` | authenticate with client certificate (no username/password) |
+| tls.agent.insecureSkipVerify | bool | `false` | skip lapi certificate validation |
+| tls.bouncer.secret | string | `"{{ .Release.Name }}-bouncer-tls"` |  |
+| tls.bouncer.reflector.namespaces | list | `[]` |  |
 | tls.lapi.secret | string | `"{{ .Release.Name }}-lapi-tls"` |  |
 | secrets.username | string | `""` | agent username (default is generated randomly) |
 | secrets.password | string | `""` | agent password (default is generated randomly) |

diff --git a/charts/crowdsec/templates/agent-daemonSet.yaml b/charts/crowdsec/templates/agent-daemonSet.yaml
@@ -47,17 +47,21 @@ spec:
             value: https://{{ .Release.Name }}-service.{{ .Release.Namespace }}:8080
           - name: USE_TLS
             value: "true"
-          - name: CERT_FILE
-            value: /etc/ssl/crowdsec/tls.crt
-          - name: KEY_FILE
-            value: /etc/ssl/crowdsec/tls.key
+          {{- if .Values.tls.agent.tlsClientAuth }}
+          - name: CLIENT_CERT_FILE
+            value: /etc/ssl/crowdsec-agent/tls.crt
+          - name: CLIENT_KEY_FILE
+            value: /etc/ssl/crowdsec-agent/tls.key
+          {{- end }}
           {{- if .Values.tls.caBundle }}
           - name: CACERT_FILE
-            value: /etc/ssl/crowdsec/ca.crt
+            value: /etc/ssl/crowdsec-agent/ca.crt
           {{- end }}
           {{- else }}
           - name: LOCAL_API_URL
             value: http://{{ .Release.Name }}-service.{{ .Release.Namespace }}:8080
+          {{- end }}
+          {{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }}
           - name: AGENT_USERNAME
             valueFrom:
               secretKeyRef:
@@ -69,6 +73,10 @@ spec:
                 name: agent-credentials
                 key: password
           {{- end }}
+          {{- if .Values.tls.insecureSkipVerify }}
+          - name: INSECURE_SKIP_VERIFY
+            value: {{ quote .Values.tls.insecureSkipVerify }}
+          {{- end }}
 
         {{- with .Values.agent.env }}
           {{- toYaml . | nindent 10 }}
@@ -134,8 +142,8 @@ spec:
             mountPath: /var/lib/docker/containers
             readOnly: true
           {{- if .Values.tls.enabled }}
-          - name: crowdsec-tls
-            mountPath: /etc/ssl/crowdsec
+          - name: crowdsec-agent-tls
+            mountPath: /etc/ssl/crowdsec-agent
           {{- end }}
       terminationGracePeriodSeconds: 30
       volumes:
@@ -201,7 +209,7 @@ spec:
         hostPath:
           path: /var/lib/docker/containers
       {{- if .Values.tls.enabled }}
-      - name: crowdsec-tls
+      - name: crowdsec-agent-tls
         secret:
           secretName: {{ .Release.Name }}-agent-tls
       {{- end }}

diff --git a/charts/crowdsec/templates/lapi-deployment.yaml b/charts/crowdsec/templates/lapi-deployment.yaml
@@ -37,7 +37,14 @@ spec:
         image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         env:
-          {{- if not .Values.tls.enabled }}
+          {{- if .Values.tls.enabled }}
+          - name: LOCAL_API_URL
+            value: https://{{ .Release.Name }}-service.{{ .Release.Namespace }}:8080
+          {{- else }}
+          - name: LOCAL_API_URL
+            value: http://{{ .Release.Name }}-service.{{ .Release.Namespace }}:8080
+          {{- end }}
+          {{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }}
           - name: AGENT_USERNAME
             valueFrom:
               secretKeyRef:
@@ -58,15 +65,24 @@ spec:
           {{- if .Values.tls.enabled }}
           - name: USE_TLS
             value: "true"
-          - name: CERT_FILE
-            value: /etc/ssl/crowdsec/tls.crt
-          - name: KEY_FILE
-            value: /etc/ssl/crowdsec/tls.key
+          - name: LAPI_CERT_FILE
+            value: /etc/ssl/crowdsec-lapi/tls.crt
+          - name: LAPI_KEY_FILE
+            value: /etc/ssl/crowdsec-lapi/tls.key
+          {{- if .Values.tls.agent.tlsClientAuth }}
+          - name: CLIENT_CERT_FILE
+            value: /etc/ssl/crowdsec-agent/tls.crt
+          - name: CLIENT_KEY_FILE
+            value: /etc/ssl/crowdsec-agent/tls.key
+          {{- end }}
           {{- if .Values.tls.caBundle }}
           - name: CACERT_FILE
-            value: /etc/ssl/crowdsec/ca.crt
+            value: /etc/ssl/crowdsec-lapi/ca.crt
           {{- end }}
           {{- end }}
+          - name: INSECURE_SKIP_VERIFY
+            value: {{ quote .Values.tls.insecureSkipVerify }}
+
         {{- with .Values.lapi.env }}
           {{- toYaml . | nindent 10 }}
         {{- end }}
@@ -87,8 +103,10 @@ spec:
         {{- if or (.Values.tls.enabled) (.Values.lapi.persistentVolume.data.enabled) (.Values.lapi.persistentVolume.config.enabled) (.Values.lapi.dashboard.enabled) (include "lapiCustomConfigIsNotEmpty" .) }}
         volumeMounts:
           {{- if .Values.tls.enabled }}
-          - name: crowdsec-tls
-            mountPath: /etc/ssl/crowdsec
+          - name: crowdsec-lapi-tls
+            mountPath: /etc/ssl/crowdsec-lapi
+          - name: crowdsec-agent-tls
+            mountPath: /etc/ssl/crowdsec-agent
           {{- end }}
           {{ if or (.Values.lapi.persistentVolume.data.enabled) (.Values.lapi.dashboard.enabled) }}
           - name: crowdsec-db
@@ -187,9 +205,12 @@ spec:
       {{- end }}
       {{- end }}
       {{- if .Values.tls.enabled }}
-      - name: crowdsec-tls
+      - name: crowdsec-lapi-tls
         secret:
           secretName: {{ .Release.Name }}-lapi-tls
+      - name: crowdsec-agent-tls
+        secret:
+          secretName: {{ .Release.Name }}-agent-tls
       {{- end }}
       {{- end }}
       {{- with .Values.lapi.tolerations }}

diff --git a/charts/crowdsec/templates/tests/test_agent_up.yaml b/charts/crowdsec/templates/tests/test_agent_up.yaml
@@ -7,7 +7,7 @@ metadata:
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 spec:
   containers:
-  - name: {{ .Release.Name }}-test-agent
+  - name: "{{ .Release.Name }}-test-agent"
     image: curlimages/curl
     env:
       - name: AGENT_USERNAME
@@ -27,4 +27,4 @@ spec:
         http_code=$(curl -s -o /dev/null -w "%{http_code}" http://{{ .Release.Name }}-service:8080/v1/watchers/login \
         -H 'Content-Type: application/json' -d '{"machine_id": "'"$AGENT_USERNAME"'", "password":"'"$AGENT_PASSWORD"'"}'); \
         if [ "$http_code" == "200" ]; then echo 'connection to lapi succeed' && exit 0; else echo 'failed connect to lapi' && exit 1; fi
-  restartPolicy: Never
+  restartPolicy: Never
diff --git a/charts/crowdsec/values.yaml b/charts/crowdsec/values.yaml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/crowdsecurity/helm-charts/main/charts/crowdsec/values.schema.json
+
 # Default values for crowdsec-chart.
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
@@ -77,13 +79,15 @@ config:
 tls:
   enabled: false
   caBundle: true
+  insecureSkipVerify: false
   certManager:
     enabled: true
   bouncer:
     secret: "{{ .Release.Name }}-bouncer-tls"
     reflector:
       namespaces: []
   agent:
+    tlsClientAuth: true
     secret: "{{ .Release.Name }}-agent-tls"
     reflector:
       namespaces: []