commit 31a1e97b04d89e791afbbff4a56c10fa4a583c24
Author: Adrien Reslinger
Date: Sun Oct 16 11:47:54 2022 +0200
First commit
diff --git a/.drone.status b/.drone.status
new file mode 100644
index 0000000..b501ebf
--- /dev/null
+++ b/.drone.status
@@ -0,0 +1,3 @@
+{
+ "url": "https://drone.reslinger.net/adrien/ansible-role-k8s-crowdsec/"
+}
diff --git a/.drone.yml b/.drone.yml
new file mode 100644
index 0000000..833f690
--- /dev/null
+++ b/.drone.yml
@@ -0,0 +1,12 @@
+---
+kind: pipeline
+type: kubernetes
+name: default
+
+steps:
+ - name: lint
+ image: quay.io/adrilinux/ansible:latest
+ commands:
+ - ansible-lint ./
+# - "find . -maxdepth 1 -name '*.yml' | sort | grep -v '.drone.yml' | xargs ansible-playbook --syntax-check --list-tasks"
+# - "find . -maxdepth 1 -name '*.yml' | sort | grep -v '.drone.yml' | xargs ansible-lint"
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..fd993ea
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,4 @@
+include:
+ - project: 'infra/gitlab-ci-templates'
+ ref: master
+ file: 'Ansible-roles.gitlab-ci.yml'
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..51aa42b
--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# ansible_role_k8s_crowdsec
+
+Deploy crowdsec into kubernetes cluster
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..83af4f6
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,9 @@
+my_context: flamykubekube
+ingress_domain: "local.dataminem.net"
+# ingress_whitelist:
+# - 10.96.0.0/12
+# - 10.244.0.0/16
+# - 192.168.140.0/24
+
+crowdsec_namespace: "crowdsec"
+crowdsec_chart_version: "0.7.0"
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..89f9dfd
--- /dev/null
+++ b/meta/main.yml
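Review bot: The lint step in `.drone.yml` pulls `quay.io/adrilinux/ansible:latest`, a mutable tag, so the toolchain that lints this role can change underneath the pipeline with no change to this repository; `ref: master` for the included template in `.gitlab-ci.yml` has the same property. Pin both to immutable references and bump them deliberately, e.g. `image: quay.io/adrilinux/ansible@sha256:<digest placeholder>` and `ref: <tag-or-commit placeholder>`. `.gitlab-ci.yml` is also committed without a trailing newline.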
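Review bot: `defaults/main.yml` ships environment-specific values as role defaults — `my_context: flamykubekube` is a personal kubeconfig context and `ingress_domain: "local.dataminem.net"` a personal domain — while `traefik_namespace`, which `templates/helm-values.yaml.j2` renders into `agent.acquisition[0].namespace`, has no default at all, so the role fails at template time on any host where the caller has not set it. Add `traefik_namespace: "<namespace placeholder>"` next to the other defaults (the real value depends on where Traefik is installed; I am only inferring the variable's meaning from the template), and replace the two personal values with generic placeholders that callers are expected to override.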
@@ -0,0 +1,13 @@
+galaxy_info:
+ author: Adrien Reslinger
+ description: Install crowdsec to a cluster
+ company: Personnal
+ namespace: adrilinux
+ role_name: k8s_crowdsec
+ min_ansible_version: 2.9
+ galaxy_tags: []
+ license: proprietary
+ platforms:
+ - name: kubernetes
+ versions:
+ - all
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..1ad444d
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+# https://github.com/crowdsecurity/helm-charts/tree/main/charts/crowdsec
+- name: CrowdSec setup
+ block:
+ - name: Defined CrowdSec repository
+ kubernetes.core.helm_repository:
+ name: crowdsec
+ repo_url: "https://crowdsecurity.github.io/helm-charts"
+ - name: Deploy latest version of CrowdSec
+ kubernetes.core.helm:
+ context: "{{ my_context }}"
+ name: crowdsec
+ release_namespace: "{{ crowdsec_namespace }}"
+ create_namespace: true
+ chart_ref: crowdsec/crowdsec
+ chart_version: "{{ crowdsec_chart_version }}"
+ values: "{{ lookup('template', 'helm-values.yaml.j2') | from_yaml }}"
+# - name: crowdsec agent install
+# kubernetes.core.k8s:
+# state: present
+# context: "{{ my_context }}"
+# namespace: "{{ crowdsec_namespace }}"
+# resource_definition: "{{ lookup('template', item) | from_yaml }}"
+# with_items:
+# - crowdsec-agent-Service.yml.j2
+# - crowdsec-agent-DaemonSet.yml.j2
+# - crowdsec-agent-serviceMonitor.yml.j2
+
+ tags:
+ - crowdsec
diff --git a/templates/crowdsec-agent-DaemonSet.yml.j2 b/templates/crowdsec-agent-DaemonSet.yml.j2
new file mode 100644
index 0000000..0f6d8d7
--- /dev/null
+++ b/templates/crowdsec-agent-DaemonSet.yml.j2
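Review bot: `min_ansible_version: 2.9` in `meta/main.yml` is parsed as a float, so the first bump to a two-digit minor (`2.10`) would silently become `2.1`; write it as the string `min_ansible_version: "2.9"`. `company: Personnal` is also a typo for `Personal`.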
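Review bot: The `Deploy latest version of CrowdSec` task passes the rendered `helm-values.yaml.j2` as `values`, and that template interpolates `crowdsec_enrollment_key` into `ENROLL_KEY` whenever it is defined; Ansible prints module arguments and results on failure or under `-v`, which can expose the enrollment key in console output and any log collector. Add `no_log: true` to that task (or `no_log: "{{ crowdsec_enrollment_key is defined }}"` to keep diagnostics when no key is in play). Separately, the task name says "latest version" but `chart_version` is pinned to `crowdsec_chart_version`, so `- name: Deploy CrowdSec chart {{ crowdsec_chart_version }}` would describe what it does; and the three `templates/crowdsec-agent-*.yml.j2` files added in this commit are only referenced from the commented-out `crowdsec agent install` task, so they are currently never applied.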
@@ -0,0 +1,120 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+# annotations:
+# meta.helm.sh/release-name: crowdsec
+# meta.helm.sh/release-namespace: crowdsec
+ labels:
+# app.kubernetes.io/managed-by: Helm
+ k8s-app: crowdsec
+ type: agent
+ version: v1
+ name: crowdsec-agent
+spec:
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ k8s-app: crowdsec
+ type: agent
+ template:
+ metadata:
+ labels:
+ k8s-app: crowdsec
+ type: agent
+ version: v1
+ spec:
+ containers:
+ - command:
+ - sh
+ - -c
+ - mv -n /staging/etc/crowdsec/* /etc/crowdsec_data/ && rm -rf /staging/etc/crowdsec
+ && ln -s /etc/crowdsec_data /etc/crowdsec && ./docker_start.sh
+ env:
+ - name: AGENT_USERNAME
+ valueFrom:
+ secretKeyRef:
+ key: username
+ name: agent-credentials
+ - name: AGENT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: agent-credentials
+ - name: LOCAL_API_URL
+ value: http://crowdsec-service.crowdsec:8080
+ - name: DISABLE_LOCAL_API
+ value: "true"
+ - name: DISABLE_ONLINE_API
+ value: "true"
+ - name: COLLECTIONS
+ value: crowdsecurity/traefik
+ - name: SCENARIOS
+ value: crowdsecurity/linux-lpe crowdsecurity/http-crawl-non_statics
+ image: crowdsecurity/crowdsec:latest
+ imagePullPolicy: IfNotPresent
+ name: crowdsec-agent
+ ports:
+ - containerPort: 6060
+ name: metrics
+ protocol: TCP
+ resources:
+ limits:
+ memory: 100Mi
+ requests:
+ cpu: 150m
+ memory: 100Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /etc/crowdsec_data
+ name: crowdsec-agent-config
+ - mountPath: /etc/crowdsec_data/acquis.yaml
+ name: acquis-config-volume
+ subPath: acquis.yaml
+ - mountPath: /var/log
+ name: varlog
+ - mountPath: /var/lib/docker/containers
+ name: varlibdockercontainers
+ readOnly: true
+ dnsPolicy: ClusterFirst
+ initContainers:
+ - command:
+ - sh
+ - -c
+ - until nc crowdsec-service.crowdsec 8080; do echo waiting for lapi to start;
+ sleep 5; done
+ image: busybox:1.28
+ imagePullPolicy: IfNotPresent
+ name: wait-for-lapi
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ securityContext: {}
+ terminationGracePeriodSeconds: 30
+ tolerations:
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/master
+ volumes:
+ - configMap:
+ defaultMode: 420
+ name: acquis-configmap
+ name: acquis-config-volume
+ - hostPath:
+ path: /var/log
+ type: ""
+ name: varlog
+ - name: crowdsec-agent-config
+ hostPath:
+ path: /mnt/local/crowdsec-agent
+ type: "DirectoryOrCreate"
+ - hostPath:
+ path: /var/lib/docker/containers
+ type: ""
+ name: varlibdockercontainers
+ updateStrategy:
+ rollingUpdate:
+ maxSurge: 0
+ maxUnavailable: 1
+ type: RollingUpdate
diff --git a/templates/crowdsec-agent-Service.yml.j2 b/templates/crowdsec-agent-Service.yml.j2
new file mode 100644
index 0000000..906dc8d
--- /dev/null
+++ b/templates/crowdsec-agent-Service.yml.j2
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Service
+metadata:
+# annotations:
+# meta.helm.sh/release-name: crowdsec
+# meta.helm.sh/release-namespace: crowdsec
+ labels:
+ app: crowdsec-agent-service
+# app.kubernetes.io/managed-by: Helm
+ name: crowdsec-agent-service
+spec:
+ internalTrafficPolicy: Cluster
+ ipFamilies:
+ - IPv4
+ ipFamilyPolicy: SingleStack
+ ports:
+ - name: metrics
+ port: 6060
+ protocol: TCP
+ targetPort: 6060
+ selector:
+ k8s-app: crowdsec
+ type: agent
+ version: v1
+ sessionAffinity: None
+ type: ClusterIP
diff --git a/templates/crowdsec-agent-serviceMonitor.yml.j2 b/templates/crowdsec-agent-serviceMonitor.yml.j2
new file mode 100644
index 0000000..9ba10b4
--- /dev/null
+++ b/templates/crowdsec-agent-serviceMonitor.yml.j2
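Review bot: The agent pod in `crowdsec-agent-DaemonSet.yml.j2` is given `securityContext: {}` while mounting three hostPaths, two of them writable: the `/var/log` mount carries no `readOnly: true` although the agent only reads logs from it, and `/mnt/local/crowdsec-agent` is `DirectoryOrCreate`, so a fault in the agent can alter the node's log directory; add `readOnly: true` to the `varlog` mount and, if the image tolerates it, a pod-level `securityContext` with `runAsNonRoot`, `seccompProfile: {type: RuntimeDefault}` and dropped capabilities (the start-up `mv`/`ln` into `/etc` suggests the image may expect root, so confirm before enforcing). `image: crowdsecurity/crowdsec:latest` is a mutable tag and should be pinned to a version or digest, as the Helm chart already is via `crowdsec_chart_version`. The `crowdsec` namespace is hard-coded in `LOCAL_API_URL: http://crowdsec-service.crowdsec:8080`, in the init container's `nc crowdsec-service.crowdsec 8080`, and in the ServiceMonitor's `namespaceSelector.matchNames` in the next hunk, while `tasks/main.yml` takes it from `crowdsec_namespace`; rendering `{{ crowdsec_namespace }}` there keeps the templates consistent. The `agent-credentials` Secret referenced by `secretKeyRef` is not created anywhere in this commit, and the toleration key `node-role.kubernetes.io/master` no longer matches the control-plane taint on Kubernetes 1.25+, which uses `node-role.kubernetes.io/control-plane`.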
@@ -0,0 +1,18 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+# annotations:
+# meta.helm.sh/release-name: crowdsec
+# meta.helm.sh/release-namespace: crowdsec
+# labels:
+# app.kubernetes.io/managed-by: Helm
+ name: crowdsec-agent-service
+spec:
+ endpoints:
+ - port: metrics
+ namespaceSelector:
+ matchNames:
+ - crowdsec
+ selector:
+ matchLabels:
+ app: crowdsec-agent-service
diff --git a/templates/helm-values.yaml.j2 b/templates/helm-values.yaml.j2
new file mode 100644
index 0000000..4aceff6
--- /dev/null
+++ b/templates/helm-values.yaml.j2
@@ -0,0 +1,96 @@
+container_runtime: containerd
+#secrets:
+# username: ""
+# password: ""
+lapi:
+ ingress:
+ enabled: true
+ annotations:
+ traefik.ingress.kubernetes.io/router.entrypoints: htt;https
+ traefik.ingress.kubernetes.io/router.middlewares: internal@file
+ # labels: {}
+ ingressClassName: "traefik"
+ host: "crowdsec-api.{{ ingress_domain }}"
+ # tls: {}
+ env:
+ # As it's a test, we don't want to share signals with CrowdSec, so disable the Online API.
+# - name: DISABLE_ONLINE_API
+# value: "true"
+ - name: DISABLE_AGENT
+ value: "true"
+{% if crowdsec_enrollment_key is defined %}
+ - name: ENROLL_KEY
+ value: "{{ crowdsec_enrollment_key }}"
+ - name: ENROLL_INSTANCE_NAME
+ value: "{{ ansible_hostname }}"
+ - name: ENROLL_TAGS
+ value: "k8s {{ ansible_hostname }}"
+{% endif %}
+ dashboard:
+ # -- Enable Metabase Dashboard (by default disabled)
+ enabled: true
+
+ # -- Enable ingress object
+ ingress:
+ enabled: true
+ annotations:
+# # metabase only supports http so we need this annotation
+# nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+ traefik.ingress.kubernetes.io/router.entrypoints: http,https
+ traefik.ingress.kubernetes.io/router.middlewares: internal@file
+ # labels: {}
+ ingressClassName: "traefik"
+ host: "crowdsec.{{ ingress_domain }}"
+ # tls: {}
+ persistentVolume:
+ # -- Persistent volume for data folder. Stores e.g. registered bouncer api keys
+ data:
+ enabled: true
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: "longhorn"
+ size: 1Gi
+ # -- Persistent volume for config folder. Stores e.g. online api credentials
+ config:
+ enabled: true
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: "longhorn"
+ size: 100Mi
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+agent:
+ # To specify each pod you want to process it logs (pods present in the node)
+ acquisition:
+ # The namespace where the pod is located
+ - namespace: "{{ traefik_namespace }}"
+ # The pod name
+ podName: traefik-*
+ # as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs
+ program: traefik
+ persistentVolume:
+ # -- Persistent volume for config folder. Stores local config (parsers, scenarios etc.)
+ config:
+ enabled: false
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: "local-path"
+ size: 100Mi
+ # Those are ENV variables
+ env:
+ # As it's a test, we don't want to share signals with CrowdSec so disable the Online API.
+ #- name: DISABLE_ONLINE_API
+ # value: "true"
+ - name: PARSERS
+ value: "crowdsecurity/cri-logs"
+ # As we are running Nginx, we want to install the Nginx collection
+ - name: COLLECTIONS
+ value: "crowdsecurity/traefik"
+ - name: SCENARIOS
+ value: "crowdsecurity/linux-lpe crowdsecurity/http-crawl-non_statics"
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
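Review bot: The `lapi.ingress` entrypoints annotation reads `htt;https` while the dashboard's reads `http,https`; Traefik treats the value as a comma-separated list of entrypoint names, so the LAPI router is bound to a non-existent entrypoint and the `crowdsec-api.{{ ingress_domain }}` host will not be served — change it to `traefik.ingress.kubernetes.io/router.entrypoints: http,https`. On the same ingress, `tls` is commented out and the plain `http` entrypoint is enabled; agents, bouncers and the enrollment flow authenticate against this endpoint, so unless the `internal@file` middleware or the entrypoint redirects to TLS elsewhere (not visible here), those credentials cross the network in cleartext — consider restricting the annotation to the HTTPS entrypoint and enabling `tls`. Two documentation nits: the comment `As we are running Nginx, we want to install the Nginx collection` sits above `COLLECTIONS: "crowdsecurity/traefik"` and should say Traefik, and the two commented `DISABLE_ONLINE_API` blocks describe "a test" setup that the enrollment block contradicts, so the comments should state the actual intent.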