reenable crowdsec [ci skip]
This commit is contained in:
Viktor Barzin
parent
6b316dc1c6
commit
c17c1381c5
8 changed files with 100 additions and 106 deletions
|
|
@ -1,6 +1,8 @@
|
|||
variable "tls_secret_name" {}
|
||||
variable "homepage_username" {}
|
||||
variable "homepage_password" {}
|
||||
variable "db_password" {}
|
||||
variable "enroll_key" {}
|
||||
|
||||
module "tls_secret" {
|
||||
source = "../setup_tls_secret"
|
||||
|
|
@ -14,95 +16,16 @@ resource "kubernetes_namespace" "crowdsec" {
|
|||
}
|
||||
}
|
||||
|
||||
resource "kubernetes_persistent_volume" "db" {
|
||||
metadata {
|
||||
name = "crowdsec-db"
|
||||
}
|
||||
spec {
|
||||
capacity = {
|
||||
"storage" = "2Gi"
|
||||
}
|
||||
access_modes = ["ReadWriteOnce"]
|
||||
persistent_volume_source {
|
||||
nfs {
|
||||
path = "/mnt/main/crowdsec/db"
|
||||
server = "10.0.10.15"
|
||||
}
|
||||
}
|
||||
claim_ref {
|
||||
name = "crowdsec-db-pvc"
|
||||
namespace = "crowdsec"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "kubernetes_persistent_volume" "config" {
|
||||
metadata {
|
||||
name = "crowdsec-config"
|
||||
}
|
||||
spec {
|
||||
capacity = {
|
||||
"storage" = "2Gi"
|
||||
}
|
||||
access_modes = ["ReadWriteOnce"]
|
||||
persistent_volume_source {
|
||||
nfs {
|
||||
path = "/mnt/main/crowdsec/config"
|
||||
server = "10.0.10.15"
|
||||
}
|
||||
}
|
||||
claim_ref {
|
||||
name = "crowdsec-config-pvc"
|
||||
namespace = "crowdsec"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "helm_release" "crowdsec" {
|
||||
namespace = "crowdsec"
|
||||
create_namespace = true
|
||||
name = "crowdsec"
|
||||
atomic = true
|
||||
version = "0.19.2"
|
||||
version = "0.19.4"
|
||||
|
||||
repository = "https://crowdsecurity.github.io/helm-charts"
|
||||
chart = "crowdsec"
|
||||
|
||||
values = [templatefile("${path.module}/values.yaml", { homepage_username = var.homepage_username, homepage_password = var.homepage_password })]
|
||||
values = [templatefile("${path.module}/values.yaml", { homepage_username = var.homepage_username, homepage_password = var.homepage_password, DB_PASSWORD = var.db_password, ENROLL_KEY = var.enroll_key })]
|
||||
timeout = 3600
|
||||
}
|
||||
|
||||
# resource "kubernetes_ingress_v1" "metabase" {
|
||||
# metadata {
|
||||
# name = "metabase"
|
||||
# namespace = "crowdsec"
|
||||
# annotations = {
|
||||
# "kubernetes.io/ingress.class" = "nginx"
|
||||
# "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
|
||||
# "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
|
||||
# }
|
||||
# }
|
||||
|
||||
# spec {
|
||||
# tls {
|
||||
# hosts = ["metabase.viktorbarzin.me"]
|
||||
# secret_name = var.tls_secret_name
|
||||
# }
|
||||
# rule {
|
||||
# host = "metabase.viktorbarzin.me"
|
||||
# http {
|
||||
# path {
|
||||
# path = "/"
|
||||
# backend {
|
||||
# service {
|
||||
# name = "crowdsec-service"
|
||||
# port {
|
||||
# number = 3000
|
||||
# }
|
||||
# }
|
||||
# }
|
||||
# }
|
||||
# }
|
||||
# }
|
||||
# }
|
||||
# }
|
||||
|
|
|
|||
|
|
@ -19,13 +19,56 @@ agent:
|
|||
- name: COLLECTIONS
|
||||
value: "crowdsecurity/nginx"
|
||||
lapi:
|
||||
replicas: 3
|
||||
replicas: 1
|
||||
extraSecrets:
|
||||
dbPassword: "${DB_PASSWORD}"
|
||||
storeCAPICredentialsInSecret: true
|
||||
persistentVolume:
|
||||
config:
|
||||
enabled: false
|
||||
data:
|
||||
enabled: false
|
||||
env:
|
||||
- name: ENROLL_KEY
|
||||
value: "${ENROLL_KEY}"
|
||||
- name: ENROLL_INSTANCE_NAME
|
||||
value: "k8s-cluster"
|
||||
- name: ENROLL_TAGS
|
||||
value: "k8s linux"
|
||||
- name: DB_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: crowdsec-lapi-secrets
|
||||
key: dbPassword
|
||||
# As it's a test, we don't want to share signals with CrowdSec, so disable the Online API.
|
||||
# - name: DISABLE_ONLINE_API
|
||||
# value: "true"
|
||||
dashboard:
|
||||
enabled: true
|
||||
env:
|
||||
- name: MB_DB_TYPE
|
||||
value: "mysql"
|
||||
- name: MB_DB_DBNAME
|
||||
value: crowdsec-metabase
|
||||
- name: MB_DB_USER
|
||||
value: "crowdsec"
|
||||
- name: MB_DB_PASS
|
||||
value: "${DB_PASSWORD}"
|
||||
- name: MB_DB_HOST
|
||||
value: "mysql.dbaas.svc.cluster.local"
|
||||
|
||||
- name: MB_EMAIL_SMTP_USERNAME
|
||||
value: "info@viktorbarzin.me"
|
||||
- name: MB_EMAIL_FROM_ADDRESS
|
||||
value: "info@viktorbarzin.me"
|
||||
- name: MB_EMAIL_SMTP_HOST
|
||||
value: "mailserver.mailserver.svc.cluster.local"
|
||||
- name: MB_EMAIL_SMTP_PASSWORD
|
||||
value: "" # Ignore for now as it's unclear what notifications we can get
|
||||
- name: MB_EMAIL_SMTP_PORT
|
||||
value: "587"
|
||||
- name: MB_EMAIL_SMTP_SECURITY
|
||||
value: "starttls"
|
||||
ingress:
|
||||
enabled: true
|
||||
annotations:
|
||||
|
|
@ -55,3 +98,23 @@ lapi:
|
|||
enabled: true
|
||||
strategy:
|
||||
type: RollingUpdate
|
||||
|
||||
config:
|
||||
config.yaml.local: |
|
||||
db_config:
|
||||
type: mysql
|
||||
user: crowdsec
|
||||
password: ${DB_PASSWORD}
|
||||
db_name: crowdsec
|
||||
host: mysql.dbaas.svc.cluster.local
|
||||
port: 3306
|
||||
api:
|
||||
server:
|
||||
auto_registration: # Activate if not using TLS for authentication
|
||||
enabled: true
|
||||
token: "$${REGISTRATION_TOKEN}" # /!\ do not change
|
||||
allowed_ranges: # /!\ adapt to the pod IP ranges used by your cluster
|
||||
- "127.0.0.1/32"
|
||||
- "192.168.0.0/16"
|
||||
- "10.0.0.0/8"
|
||||
- "172.16.0.0/12"
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue