infra/stacks/platform/modules/crowdsec/values.yaml

# values from - https://github.com/crowdsecurity/helm-charts/blob/main/charts/crowdsec/values.yaml
container_runtime: containerd

agent:
  resources:
    requests:
      cpu: 25m
      memory: 64Mi
    limits:
      memory: 512Mi
  priorityClassName: "tier-1-cluster"
  # To specify each pod you want to process it logs (pods present in the node)
  acquisition:
    # The namespace where the pod is located
    - namespace: traefik
      # The pod name
      podName: traefik-*
      # as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs
      program: traefik
  # Those are ENV variables
  env:
    # As it's a test, we don't want to share signals with CrowdSec so disable the Online API.
    # - name: DISABLE_ONLINE_API
    #   value: "true"
    # As we are running Traefik, we want to install the Traefik collection
    - name: COLLECTIONS
      value: "crowdsecurity/traefik crowdsecurity/base-http-scenarios crowdsecurity/http-cve"
    - name: SCENARIOS
      value: ""
      # value: "crowdsecurity/http-crawl-aggressive"
  # Mount custom scenarios into /etc/crowdsec/scenarios
  extraVolumeMounts:
    - name: custom-scenarios
      mountPath: /etc/crowdsec/scenarios/http-403-abuse.yaml
      subPath: "http-403-abuse.yaml"
      readonly: true
    - name: custom-scenarios
      mountPath: /etc/crowdsec/scenarios/http-429-abuse.yaml
      subPath: "http-429-abuse.yaml"
      readonly: true
    - name: whitelist
      mountPath: /etc/crowdsec/parsers/s02-enrich/whitelist.yaml
      subPath: "whitelist.yaml"
      readonly: true
  extraVolumes:
    - name: custom-scenarios
      configMap:
        name: crowdsec-custom-scenarios
    - name: whitelist
      configMap:
        name: crowdsec-whitelist
podAnnotations:
  dependency.kyverno.io/wait-for: "mysql.dbaas:3306"

lapi:
  resources:
    requests:
      cpu: 25m
      memory: 128Mi
    limits:
      memory: 1Gi
  startupProbe:
    httpGet:
      path: /health
      port: 8080
    failureThreshold: 30
    periodSeconds: 10
  priorityClassName: "tier-1-cluster"
  replicas: 3
  topologySpreadConstraints:
    - maxSkew: 1
      topologyKey: kubernetes.io/hostname
      whenUnsatisfiable: ScheduleAnyway
      labelSelector:
        matchLabels:
          app.kubernetes.io/name: crowdsec
          type: lapi
  pdb:
    enabled: true
    maxUnavailable: 1
  extraSecrets:
    dbPassword: "${DB_PASSWORD}"
  storeCAPICredentialsInSecret: true
  persistentVolume:
    config:
      enabled: false
    data:
      enabled: false
  env:
    - name: ENROLL_KEY
      value: "${ENROLL_KEY}"
    - name: ENROLL_INSTANCE_NAME
      value: "k8s-cluster"
    - name: ENROLL_TAGS
      value: "k8s linux"
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: crowdsec-lapi-secrets
          key: dbPassword
    # As it's a test, we don't want to share signals with CrowdSec, so disable the Online API.
    # - name: DISABLE_ONLINE_API
    #   value: "true"
  dashboard:
    enabled: true
    env:
    - name: MB_DB_TYPE
      value: "mysql"
    - name: MB_DB_DBNAME
      value: crowdsec-metabase
    - name: MB_DB_USER
      value: "crowdsec"
    - name: MB_DB_PASS
      value: "${DB_PASSWORD}"
    - name: MB_DB_HOST
      value: "${mysql_host}"

    - name: MB_EMAIL_SMTP_USERNAME
      value: "info@viktorbarzin.me"
    - name: MB_EMAIL_FROM_ADDRESS
      value: "info@viktorbarzin.me"
    - name: MB_EMAIL_SMTP_HOST
      value: "mailserver.mailserver.svc.cluster.local"
    - name: MB_EMAIL_SMTP_PASSWORD
      value: "" # Ignore for now as it's unclear what notifications we can get
    - name: MB_EMAIL_SMTP_PORT
      value: "587"
    - name: MB_EMAIL_SMTP_SECURITY
      value: "starttls"
    ingress:
      enabled: true
      annotations:
        nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
        #nginx.ingress.kubernetes.io/auth-url: "https://oauth2.viktorbarzin.me/oauth2/auth"
        nginx.ingress.kubernetes.io/auth-url: "http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx"
        # nginx.ingress.kubernetes.io/auth-signin: "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
        nginx.ingress.kubernetes.io/auth-signin: "https://authentik.viktorbarzin.me/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri"
        nginx.ingress.kubernetes.io/auth-response-headers: "Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid"
        nginx.ingress.kubernetes.io/auth-snippet: "proxy_set_header X-Forwarded-Host $http_host;"
        gethomepage.dev/enabled: "true"
        gethomepage.dev/description: "Web Application Firewall"
        gethomepage.dev/icon: "crowdsec.png"
        gethomepage.dev/name: "CrowdSec"
        gethomepage.dev/group: "Identity & Security"
        gethomepage.dev/widget.type: "crowdsec"
        gethomepage.dev/widget.url: "http://crowdsec-service.crowdsec.svc.cluster.local:8080"
        gethomepage.dev/widget.username: "${homepage_username}"
        gethomepage.dev/widget.password: "${homepage_password}"
        gethomepage.dev/pod-selector: ""
      ingressClassName: "nginx"
      host: "crowdsec.viktorbarzin.me"
      tls:
        - hosts:
            - crowdsec.viktorbarzin.me
          secretName: "tls-secret"
  metrics:
    enabled: true
  strategy:
    type: RollingUpdate
  
config:
  # Custom profiles: captcha for rate limiting, ban for attacks
  profiles.yaml: |
    # Captcha for rate limiting and 403 abuse (user can unblock themselves)
    name: captcha_remediation
    filters:
      - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() in ["crowdsecurity/http-429-abuse", "crowdsecurity/http-403-abuse", "crowdsecurity/http-crawl-non_statics", "crowdsecurity/http-sensitive-files"]
    decisions:
      - type: captcha
        duration: 4h
    notifications:
      - slack_alerts
    on_success: break
    ---
    # Default: Ban for serious attacks (CVE exploits, scanners, brute force)
    name: default_ip_remediation
    filters:
      - Alert.Remediation == true && Alert.GetScope() == "Ip"
    decisions:
      - type: ban
        duration: 4h
    notifications:
      - slack_alerts
    on_success: break
    ---
    name: default_range_remediation
    filters:
      - Alert.Remediation == true && Alert.GetScope() == "Range"
    decisions:
      - type: ban
        duration: 4h
    notifications:
      - slack_alerts
    on_success: break

  config.yaml.local: |
    db_config:
      type:     mysql
      user:     crowdsec
      password: ${DB_PASSWORD}
      db_name:  crowdsec
      host:     ${mysql_host}
      port:     3306
    api:
      server:
        auto_registration: # Activate if not using TLS for authentication
          enabled: true
          token: "$${REGISTRATION_TOKEN}"  # /!\ do not change
          allowed_ranges: # /!\ adapt to the pod IP ranges used by your cluster
            - "127.0.0.1/32"
            - "192.168.0.0/16"
            - "10.0.0.0/8"
            - "172.16.0.0/12"

  notifications:
    slack.yaml: |
      type: slack
      name: slack_alerts
      log_level: info
      format: |
        :rotating_light: *CrowdSec Alert*
        {{range .}}
        *Scenario:* {{.Alert.Scenario}}
        *Source IP:* {{.Alert.Source.IP}} ({{.Alert.Source.Cn}})
        *Decisions:*
        {{range .Alert.Decisions}}  - {{.Type}} for {{.Duration}} (scope: {{.Scope}}, value: {{.Value}})
        {{end}}
        {{end}}
      webhook: ${SLACK_WEBHOOK_URL}