Appsec high availability using replicas

charts/crowdsec/templates/_helpers.tpl

@@ -43,6 +43,20 @@ Generate CS_LAPI_SECRET if not specified in values
 {{- end -}}
 {{- end -}}
 
+{{/*
+Generate registrationToken if not specified in values
+*/}}
+{{ define "lapi.registrationToken" }}
+{{- if .Values.lapi.secrets.registrationToken }}
+  {{- .Values.lapi.secrets.registrationToken -}}
+{{- else if (lookup "v1" "Secret" .Release.Namespace "crowdsec-lapi-secrets").data }}
+  {{- $obj := (lookup "v1" "Secret" .Release.Namespace "crowdsec-lapi-secrets").data -}}
+  {{- index $obj "registrationToken" | b64dec -}}
+{{- else -}}
+  {{- randAlphaNum 48 -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
   notifications parameters check
 */}}

charts/crowdsec/templates/appsec-deployment.yaml

@@ -10,17 +10,17 @@ metadata:
     k8s-app: {{ .Release.Name }}
     type: appsec
     version: v1
-  {{- if .Values.appsec.deployAnnotations }}
+  {{- if .Values.appsec.deploymentAnnotations }}
   annotations:
-  {{ toYaml .Values.appsec.deployAnnotations | trim | indent 4 }}
+  {{ toYaml .Values.appsec.deploymentAnnotations | trim | indent 4 }}
   {{- end }}
 spec:
-  replicas: 1
+  replicas: {{ .Values.appsec.replicas }}
+  strategy: {{- toYaml .Values.appsec.strategy | nindent 4 }}
   selector:
     matchLabels:
       k8s-app: {{ .Release.Name }}
       type: appsec
-  strategy: {{- toYaml .Values.appsec.strategy | nindent 4 }}
   template:
     metadata:
       annotations:
@@ -100,6 +100,38 @@ spec:
         {{- with .Values.appsec.env }}
           {{- toYaml . | nindent 10 }}
         {{- end }}
+        resources:
+          {{- toYaml .Values.appsec.resources | nindent 10 }}
+        ports:
+          - name: appsec
+            containerPort: 7422
+            protocol: TCP
+          {{- if .Values.appsec.metrics.enabled }}
+          - name: metrics
+            containerPort: 6060
+            protocol: TCP
+
+        {{/* Probes depend on the metrics port, there is no other service on the log processor */}}
+
+        {{ if .Values.appsec.livenessProbe }}
+        livenessProbe:
+{{ toYaml .Values.appsec.livenessProbe | indent 10 }}
+        {{ end }}
+        {{ if .Values.appsec.readinessProbe }}
+        readinessProbe:
+{{ toYaml .Values.appsec.readinessProbe | indent 10 }}
+        {{ end }}
+        {{ if .Values.appsec.startupProbe }}
+        startupProbe:
+{{ toYaml .Values.appsec.startupProbe | indent 10 }}
+        {{ end }}
+
+        {{ end }}
+
+        securityContext:
+          allowPrivilegeEscalation: false
+          privileged: false
+
         volumeMounts:
           - name: crowdsec-config
             mountPath: /tmp_config
@@ -120,58 +152,12 @@ spec:
             subPath: {{ $fileName }}
           {{- end }}
           {{- end }}
-        resources:
-          {{- toYaml .Values.appsec.resources | nindent 10 }}
-        ports:
-          - name: appsec
-            containerPort: 7422
-            protocol: TCP
-          {{- if .Values.appsec.metrics.enabled }}
-          - name: metrics
-            containerPort: 6060
-            protocol: TCP
+          {{- if .Values.appsec.extraVolumeMounts }}
+          {{ toYaml .Values.appsec.extraVolumeMounts | nindent 10 }}
           {{- end }}
 
-        livenessProbe:
-          failureThreshold: 3
-          periodSeconds: 10
-          successThreshold: 1
-          timeoutSeconds: 5
-          tcpSocket:
-            port: appsec
-        readinessProbe:
-          failureThreshold: 3
-          periodSeconds: 10
-          successThreshold: 1
-          timeoutSeconds: 5
-          tcpSocket:
-            port: appsec
-        startupProbe:
-          failureThreshold: 30
-          periodSeconds: 10
-          successThreshold: 1
-          timeoutSeconds: 5
-          tcpSocket:
-            port: appsec
-
-        securityContext:
-          allowPrivilegeEscalation: false
-          privileged: false
-
         terminationGracePeriodSeconds: 30
 
-       {{- with .Values.appsec.nodeSelector }}
-        nodeSelector:
-          {{- toYaml . | nindent 8 }}
-        {{- end }}
-        {{- with .Values.appsec.affinity }}
-        affinity:
-          {{- toYaml . | nindent 8 }}
-        {{- end }}
-        {{- if .Values.appsec.priorityClassName }}
-        priorityClassName: {{ .Values.appsec.priorityClassName }}
-        {{- end}}
-
       volumes:
       - name: appsec-acquis-config-volume
         configMap:
@@ -198,4 +184,16 @@ spec:
             path: {{ $fileName }}
       {{- end }}
       {{- end }}
+      {{- if .Values.appsec.extraVolumes }}
+      {{ toYaml .Values.appsec.extraVolumes | nindent 6 }}
+      {{- end }}
+      {{- with .Values.appsec.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.appsec.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      priorityClassName: {{ .Values.appsec.priorityClassName }}
 {{- end }}

charts/crowdsec/templates/lapi-secrets.yaml

@@ -12,7 +12,7 @@ metadata:
 type: Opaque
 data:
   csLapiSecret: {{ include "lapi.csLapiSecret" . | b64enc }}
-  registrationToken: {{ randAlphaNum 48 | b64enc }}
+  registrationToken: {{ include "lapi.registrationToken" . | b64enc }}
   {{- with .Values.lapi.extraSecrets }}
   {{- range $key, $value := . }}
   {{ $key }}: {{ $value | b64enc }}

charts/crowdsec/values.yaml

@@ -83,6 +83,16 @@ config:
   # -- General configuration (https://docs.crowdsec.net/docs/configuration/crowdsec_configuration/#configuration-example)
   config.yaml.local: ""
     #   |
+    # api:
+    #   server:
+    #     auto_registration: # Activate if using Appsec
+    #       enabled: true
+    #       token: "${REGISTRATION_TOKEN}" # /!\ Do not modify this variable (auto-generated and handled by the chart)
+    #       allowed_ranges:
+    #         - "127.0.0.1/32"
+    #         - "192.168.0.0/16"
+    #         - "10.0.0.0/8"
+    #         - "172.16.0.0/12"
     # db_config:
     #   type:     postgresql
     #   user:     crowdsec
@@ -290,6 +300,8 @@ lapi:
   secrets:
     # -- Shared LAPI secret. Will be generated randomly if not specified. Size must be > 64 characters
     csLapiSecret: ""
+    # -- Registration Token for Appsec. Will be generated randomly if not specified. Size must be > 48 characters
+    registrationToken: ""
   # -- Any extra secrets you may need (for example, external DB password)
   extraSecrets: {}
     # dbPassword: randomPass
@@ -495,6 +507,12 @@ agent:
 appsec:
   # -- Enable AppSec (by default disabled)
   enabled: false
+  # -- replicas for Appsec
+  replicas: 1
+  # -- strategy for appsec deployment
+  strategy:
+    type: Recreate
+
   # -- Additional acquisitions for AppSec
   acquisitions: []
     #- source: appsec
@@ -539,8 +557,31 @@ appsec:
     #      - cve.CVE-xxxx-xxxxx
     #      - attack.Txxxx 
 
+  # -- priorityClassName for appsec pods
+  priorityClassName: ""
+  # -- Annotations to be added to appsec deployment
+  deploymentAnnotations: {}
+  # -- podAnnotations for appsec pods
+  podAnnotations: {}
+  # -- podLabels for appsec pods
+  podLabels: {}
+  # -- extraInitContainers for appsec pods
+  extraInitContainers: []
+  # -- Extra volumes to be added to appsec pods
+  extraVolumes: []
+  # -- Extra volumeMounts to be added to appsec pods
+  extraVolumeMounts: []
+  # -- resources for appsec pods
+  resources:
+    limits:
+      memory: 250Mi
+      cpu: 500m
+    requests:
+      cpu: 500m
+      memory: 250Mi
+
   # -- environment variables
-  env:
+  env: []
     # -- COLLECTIONS to install, separated by space (value: "crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-crs")
     #- name: COLLECTIONS
     #  value: "crowdsecurity/appsec-virtual-patching"
@@ -557,33 +598,45 @@ appsec:
     #- name: DISABLE_APPSEC_CONFIGS
     #  value: ""
 
-  # -- appsec deployment annotations
-  deployAnnotations: {}
-  # -- strategy for appsec deployment
-  strategy:
-    type: Recreate
-  # -- podAnnotations for appsec deployment
-  podAnnotations: {}
-  # -- podLabels for appsec deployment
-  podLabels: {}
-  # -- tolerations for appsec deployment
-  tolerations: []
-  # -- nodeSelector for appsec deployment
+  # -- nodeSelector for appsec
   nodeSelector: {}
-  # -- affinity for appsec deployment
+
+  # -- tolerations for appsec
+  tolerations: []
+  # -- affinity for appsec
   affinity: {}
-  # -- priorityClassName for appsec deployment
-  priorityClassName: ""
-  # -- extraInitContainers for appsec deployment
-  extraInitContainers: []
-  # -- resources for appsec deployment
-  resources:
-    limits:
-      memory: 250Mi
-      cpu: 500m
-    requests:
-      cpu: 500m
-      memory: 250Mi
+
+  # -- livenessProbe for appsec
+  livenessProbe:
+    httpGet:
+      path: /metrics
+      port: metrics
+      scheme: HTTP
+    periodSeconds: 10
+    successThreshold: 1
+    timeoutSeconds: 5
+    failureThreshold: 3
+  # -- readinessProbe for appsec
+  readinessProbe:
+    httpGet:
+      path: /metrics
+      port: metrics
+      scheme: HTTP
+    periodSeconds: 10
+    successThreshold: 1
+    timeoutSeconds: 5
+    failureThreshold: 3
+  # -- startupProbe for appsec
+  startupProbe:
+    httpGet:
+      path: /metrics
+      port: metrics
+      scheme: HTTP
+    periodSeconds: 10
+    successThreshold: 1
+    timeoutSeconds: 5
+    failureThreshold: 30
+
   # -- Enable service monitoring (exposes "metrics" port "6060" for Prometheus and "7422" for AppSec) 
   metrics:
     enabled: true