From 30f6193c027da2b1d01e5e7149a20ff5b4852c87 Mon Sep 17 00:00:00 2001
From: Stefan Koster
Date: Tue, 21 Jan 2025 14:15:11 +0100
Subject: [PATCH 1/4] Activate auto registration by default
---
 charts/crowdsec/values.yaml | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)
diff --git a/charts/crowdsec/values.yaml b/charts/crowdsec/values.yaml
index 60b8147..6b7b182 100644
--- a/charts/crowdsec/values.yaml
+++ b/charts/crowdsec/values.yaml
@@ -81,18 +81,16 @@ config:
 # - Alert.Remediation == true && Alert.GetScope() == "Ip"
 # ...
 # -- General configuration (https://docs.crowdsec.net/docs/configuration/crowdsec_configuration/#configuration-example)
- config.yaml.local: ""
- # |
- # api:
- # server:
- # auto_registration: # Activate if not using TLS for authentication or when using Appsec
- # enabled: true
- # token: "${REGISTRATION_TOKEN}" # /!\ Do not modify this variable (auto-generated and handled by the chart)
- # allowed_ranges:
- # - "127.0.0.1/32"
- # - "192.168.0.0/16"
- # - "10.0.0.0/8"
- # - "172.16.0.0/12"
+ config.yaml.local: |
+ api:
+ server:
+ auto_registration: # Activate if not using TLS for authentication
+ enabled: true
+ token: "${REGISTRATION_TOKEN}" # /!\ Do not modify this variable (auto-generated and handled by the chart)
+ allowed_ranges: # /!\ Make sure to adapt to the pod IP ranges used by your cluster
+ - "127.0.0.1/32"
+ - "10.0.0.0/8"
+ - "172.16.0.0/12"
 # db_config:
 # type: postgresql
 # user: crowdsec
From 6a84c3eeb8809803143abeeac7fc40ba99aac72d Mon Sep 17 00:00:00 2001
From: Stefan Koster
Date: Tue, 21 Jan 2025 14:15:55 +0100
Subject: [PATCH 2/4] Include documentation on authentication, remove auto_registration from appsec docs, few typos
---
 charts/crowdsec/README.md.gotmpl | 91 +++++++++++++++++++++----------
 1 file changed, 59 insertions(+), 32 deletions(-)
diff --git a/charts/crowdsec/README.md.gotmpl b/charts/crowdsec/README.md.gotmpl
index 15d7a12..907f4c3 100644
--- a/charts/crowdsec/README.md.gotmpl
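Review bot: `auto_registration.enabled: true` now ships as the chart default, but its inline comment still reads as an opt-in (`# Activate if not using TLS for authentication`), and nothing in this hunk ties it to the TLS client-auth setting, so a deployment that turns on mTLS for agents presumably keeps the token-based registration path open as well (the templates that consume this value are not in the patch — confirm). Because `config.yaml.local` is a plain string value, any user who sets `config.config.yaml.local` themselves (for example for the `db_config` block shown commented out just below) replaces the whole default and silently loses auto-registration; the comment should say so instead of leaving that to the README. I would change the comment to `auto_registration: # Enabled by default; disable it when agents authenticate with TLS client certificates, and keep this block if you override config.yaml.local`.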
+++ b/charts/crowdsec/README.md.gotmpl 
@@ -32,9 +32,64 @@ helm install crowdsec crowdsec/crowdsec -f crowdsec-values.yaml -n crowdsec
 helm delete crowdsec -n crowdsec
 ```
-## Setup for High Availability
+## Authentication
-Below a basic configuration for High availability
+This charts support two types of authentication between the agents / appsec pods and the LAPI: an auto registration token and TLS client authentication.
+
+### Auto registration token
+
+By default, this chart makes use of an auto registration token completely handled by the chart.
+This is setup with the following part in the `values.yaml` file. Make sure to adapt to the pod IP ranges used by your cluster.
+
+Also, when you modify the `config.config.yaml.local` entry in your own `values.yaml` make sure to put this piece in it as well.
+
+```
+config:
+ config.yaml.local: |
+ api:
+ server:
+ auto_registration: # Activate if not using TLS for authentication
+ enabled: true
+ token: "${REGISTRATION_TOKEN}" # /!\ Do not modify this variable (auto-generated and handled by the chart)
+ allowed_ranges: # /!\ Make sure to adapt to the pod IP ranges used by your cluster
+ - "127.0.0.1/32"
+ - "10.0.0.0/8"
+ - "172.16.0.0/12"
+```
+
+### TLS client authentication
+
+Currently TLS authentication is only possible between the agent and the LAPI as appsec doesn't support HTTPS yet.
+The below configuration will activate TLS on the LAPI and TLS client authentication for the agent.
+Certificates are renewed by default with [cert-manager](https://github.com/cert-manager/cert-manager).
+
+```
+tls:
+ enabled: true
+ agent:
+ tlsClientAuth: true
+```
+
+### Cleaning of stale agents / appsec registration in the LAPI
+
+Both methods add a machine per pod in the LAPI. These aren't automatically cleaned and the list of machines can become large over time.
+Crowdsec offers a [flush option](https://docs.crowdsec.net/docs/next/configuration/crowdsec_configuration/#flush) to clean them up.
+Add the `flush:` part to your `db_config`.
+
+```
+config:
+ config.yaml.local: |
+ db_config:
+ flush:
+ agents_autodelete:
+ cert: 60m # This is TLS client authentication
+ login_password: 60m # This includes the auto registration token as well
+ ## Flush both login types if the machine has not logged in for 60 minutes or more
+```
+
+## Setup for LAPI High Availability
+
+Below a basic configuration for high availability of the LAPI
 ```
 # your-values.yaml
@@ -94,20 +149,6 @@ appsec:
 env:
 - name: COLLECTIONS
 value: "crowdsecurity/appsec-virtual-patching"
-
-# This allows the LAPI pod to register and communicate with the appsec pod
-config:
- config.yaml.local: |
- api:
- server:
- auto_registration:
- enabled: true
- token: "${REGISTRATION_TOKEN}" # /!\ Do not modify this variable (auto-generated and handled by the chart)
- allowed_ranges:
- - "127.0.0.1/32"
- - "192.168.0.0/16"
- - "10.0.0.0/8"
- - "172.16.0.0/12"
 ```
 Or you can also use your own custom configurations and rules for AppSec:
@@ -136,25 +177,11 @@ appsec:
 env:
 - name: COLLECTIONS
 value: "crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-crs"
-
-# This allows the LAPI pod to register and communicate with the appsec pod
-config:
- config.yaml.local: |
- api:
- server:
- auto_registration:
- enabled: true
- token: "${REGISTRATION_TOKEN}" # /!\ Do not modify this variable (auto-generated and handled by the chart)
- allowed_ranges:
- - "127.0.0.1/32"
- - "192.168.0.0/16"
- - "10.0.0.0/8"
- - "172.16.0.0/12"
 ```
 ### With Traefik
-In the traefik `values.yaml`, you need to add the following configuration:
+In the Traefik `values.yaml`, you need to add the following configuration:
 ```
 # traefik-values.yaml
@@ -190,7 +217,7 @@ spec:
 crowdsecLapiKey: ""
 ```
-### With Ingrees Nginx
+### With Nginx
 Following [this documentation](https://docs.crowdsec.net/u/bouncers/ingress-nginx).
From a076edc84484543b2dc007cdc6f2abc5d974cecb Mon Sep 17 00:00:00 2001
From: srkoster <89455157+srkoster@users.noreply.github.com>
Date: Thu, 30 Jan 2025 17:16:11 +0100
Subject: [PATCH 3/4] Put back 192.168 range
---
 charts/crowdsec/values.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/charts/crowdsec/values.yaml b/charts/crowdsec/values.yaml
index 6b7b182..ae65dcc 100644
--- a/charts/crowdsec/values.yaml
+++ b/charts/crowdsec/values.yaml
@@ -89,6 +89,7 @@ config:
 token: "${REGISTRATION_TOKEN}" # /!\ Do not modify this variable (auto-generated and handled by the chart)
 allowed_ranges: # /!\ Make sure to adapt to the pod IP ranges used by your cluster
 - "127.0.0.1/32"
+ - "192.168.0.0/16"
 - "10.0.0.0/8"
 - "172.16.0.0/12"
 # db_config:
@@ -669,4 +670,4 @@ appsec:
 externalIPs: []
 loadBalancerIP: null
 loadBalancerClass: null
- externalTrafficPolicy: Cluster
\ No newline at end of file
+ externalTrafficPolicy: Cluster
From f52a1eab0676446c46fb3de61b960cd86864207c Mon Sep 17 00:00:00 2001
From: srkoster <89455157+srkoster@users.noreply.github.com>
Date: Thu, 30 Jan 2025 17:20:33 +0100
Subject: [PATCH 4/4] Put back 192.168 range
---
 charts/crowdsec/README.md.gotmpl | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/charts/crowdsec/README.md.gotmpl b/charts/crowdsec/README.md.gotmpl
index 907f4c3..3e07c23 100644
--- a/charts/crowdsec/README.md.gotmpl
+++ b/charts/crowdsec/README.md.gotmpl
@@ -53,6 +53,7 @@ config:
 token: "${REGISTRATION_TOKEN}" # /!\ Do not modify this variable (auto-generated and handled by the chart)
 allowed_ranges: # /!\ Make sure to adapt to the pod IP ranges used by your cluster
 - "127.0.0.1/32"
+ - "192.168.0.0/16"
 - "10.0.0.0/8"
 - "172.16.0.0/12"
 ```
@@ -252,4 +253,4 @@ controller:
 {{ template "chart.requirementsSection" . }}
-{{ template "chart.valuesSection" . }}
\ No newline at end of file
+{{ template "chart.valuesSection" . }}
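Review bot: Re-adding `192.168.0.0/16` makes the default `allowed_ranges` cover loopback plus all three RFC1918 blocks, so in a typical cluster (pod, node, service and VPC CIDRs are all private) the source-address check excludes essentially nothing and the registration token becomes the only thing gating machine registration. The commit message only says the range is "put back"; if a concrete environment needed it (presumably a cluster whose pod CIDR sits in 192.168/16), record that in the comment so the next reader does not re-remove it. I would also make the comment prescriptive rather than advisory: `allowed_ranges: # /!\ Replace with your cluster's pod CIDR(s); the defaults below admit any RFC1918 source that presents the token`. The `externalTrafficPolicy` hunk only restores the trailing newline.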