Update crowdsec deployment
This commit is contained in:
parent
0cfe2972c0
commit
b045b7808a
3 changed files with 40 additions and 4 deletions
|
|
@ -1,4 +1,4 @@
|
|||
my_context: flamykubekube
|
||||
my_context: minikube
|
||||
ingress_domain: "local.dataminem.net"
|
||||
# ingress_whitelist:
|
||||
# - 10.96.0.0/12
|
||||
|
|
@ -6,4 +6,4 @@ ingress_domain: "local.dataminem.net"
|
|||
# - 192.168.140.0/24
|
||||
|
||||
crowdsec_namespace: "crowdsec"
|
||||
crowdsec_chart_version: "0.9.6"
|
||||
crowdsec_chart_version: "0.9.10"
|
||||
@ -26,5 +26,37 @@
|
|||
# - crowdsec-agent-DaemonSet.yml.j2
|
||||
# - crowdsec-agent-serviceMonitor.yml.j2
|
||||
|
||||
# - name: Wait until pod crowdsec-lapi is ready
|
||||
# kubernetes.core.k8s_info:
|
||||
# kind: Pod
|
||||
# wait: yes
|
||||
# label_selectors:
|
||||
# - "k8s-app: crowdsec"
|
||||
# - "type: lapi"
|
||||
# namespace: "{{ crowdsec_namespace }}"
|
||||
# context: "{{ my_context }}"
|
||||
# wait_sleep: 5
|
||||
# wait_timeout: 360
|
||||
|
||||
- name: Configure traefik bouncer access
|
||||
block:
|
||||
# kubectl --context bach -n crowdsec exec deploy/crowdsec-lapi -c crowdsec-lapi -- cscli bouncers list -o raw | grep '^traefik,'
|
||||
- name: Test if traefik bouncer already existe
|
||||
ansible.builtin.shell: kubectl --context {{ my_context }} -n {{ crowdsec_namespace }} exec deploy/crowdsec-lapi -c crowdsec-lapi -- cscli bouncers list -o raw | grep -q '^traefik,'
|
||||
delegate_to: localhost
|
||||
# register: traefik_bouncer_enrolled
|
||||
# changed_when: false
|
||||
check_mode: false
|
||||
rescue:
|
||||
# kubectl --context bach -n crowdsec exec deploy/crowdsec-lapi -c crowdsec-lapi -- cscli bouncers add traefik -o raw
|
||||
- name: Test if traefik bouncer already existe
|
||||
ansible.builtin.command: kubectl --context {{ my_context }} -n {{ crowdsec_namespace }} exec deploy/crowdsec-lapi -c crowdsec-lapi -- cscli bouncers add traefik -o raw
|
||||
delegate_to: localhost
|
||||
register: traefik_bouncer_token
|
||||
- name: Show next command
|
||||
debug:
|
||||
msg: vault write exploit/clusters/{{ my_context }}/crowdsec_traefik_bouncer api_key={{ traefik_bouncer_token.stdout }}
|
||||
# kubectl --context chopin -n crowdsec rollout restart deploy/crowdsec-lapi
|
||||
|
||||
tags:
|
||||
- crowdsec
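Review bot: The rescue path at L135–L150 registers the newly minted bouncer API key and then prints it with `debug`, so the secret lands in the console output and in any log file or CI capture of the run (and, without `no_log`, in the registered task result as well); the add task should carry `no_log: true` and the key should be written to vault from the play rather than displayed. The existence test at L111 is also a shell pipeline whose exit status is grep's, so a failed `kubectl exec` — for example LAPI not yet ready, since the readiness wait at L64–L94 is commented out — is indistinguishable from "bouncer missing" and drops into the rescue, which then tries to create the bouncer. Listing the bouncers with `command` (which fails loudly on a kubectl error), marking it `changed_when: false`, and gating the add task with `when` on the registered output avoids both problems; the two tasks currently also share the name "Test if traefik bouncer already existe" (sic), and the add task should be named for what it does. The rewrite below assumes the `vault` CLI is reachable from the controller, as the printed command already implies; `api_key=-` makes vault read the value from stdin so the key does not show up in the process list.
```yaml
- name: Configure traefik bouncer access
  block:
    - name: List registered bouncers
      ansible.builtin.command: kubectl --context {{ my_context }} -n {{ crowdsec_namespace }} exec deploy/crowdsec-lapi -c crowdsec-lapi -- cscli bouncers list -o raw
      delegate_to: localhost
      register: crowdsec_bouncers
      changed_when: false
      check_mode: false

    - name: Register traefik bouncer
      ansible.builtin.command: kubectl --context {{ my_context }} -n {{ crowdsec_namespace }} exec deploy/crowdsec-lapi -c crowdsec-lapi -- cscli bouncers add traefik -o raw
      delegate_to: localhost
      register: traefik_bouncer_token
      no_log: true
      when: crowdsec_bouncers.stdout_lines | select('match', '^traefik,') | list | length == 0

    - name: Store new bouncer key in vault
      ansible.builtin.command:
        cmd: vault write exploit/clusters/{{ my_context }}/crowdsec_traefik_bouncer api_key=-
        stdin: "{{ traefik_bouncer_token.stdout }}"
      delegate_to: localhost
      no_log: true
      when: traefik_bouncer_token is not skipped
  # … unchanged: tags …
```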
|
||||
@ -25,6 +25,10 @@ lapi:
|
|||
value: "{{ inventory_hostname }}"
|
||||
- name: ENROLL_TAGS
|
||||
value: "k8s {{ inventory_hostname }}"
|
||||
{% endif %}
|
||||
{% if traefik_crowdsec_bouncer_apikey is defined %}
|
||||
- name: BOUNCER_KEY_traefik
|
||||
value: "{{ traefik_crowdsec_bouncer_apikey }}"
|
||||
{% endif %}
|
||||
dashboard:
|
||||
# -- Enable Metabase Dashboard (by default disabled)
|
||||
|
|
@ -87,9 +91,9 @@ agent:
|
|||
value: "crowdsecurity/cri-logs"
|
||||
# As we are running Nginx, we want to install the Nginx collection
|
||||
- name: COLLECTIONS
|
||||
value: "crowdsecurity/traefik"
|
||||
value: "crowdsecurity/traefik crowdsecurity/linux-lpe crowdsecurity/http-cve crowdsecurity/whitelist-good-actors"
|
||||
- name: SCENARIOS
|
||||
value: "crowdsecurity/linux-lpe crowdsecurity/http-crawl-non_statics"
|
||||
value: "crowdsecurity/http-crawl-non_statics"
|
||||
metrics:
|
||||
enabled: true
|
||||
serviceMonitor:
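Review bot: The new `BOUNCER_KEY_traefik` entry at L185–L194 injects the bouncer API key as a plain-text environment variable in the Helm values, so after install it is readable by anyone who can `get` the LAPI Deployment or Pod or inspect the Helm release history, in addition to the rendered values file left on the controller. If the chart passes these env entries through to the container spec verbatim, prefer storing the key in a Kubernetes Secret in `{{ crowdsec_namespace }}` and referencing it with `valueFrom: secretKeyRef` so the raw value never appears in the manifest; at minimum make sure the rendered values file is written with a restrictive mode and is neither kept nor logged. The variable is referenced here as `traefik_crowdsec_bouncer_apikey`, while the playbook registers the value as `traefik_bouncer_token` and the printed vault path is `crowdsec_traefik_bouncer`, so presumably it is expected to be loaded from vault between the two steps; a comment above the `{% if %}` such as `# Bouncer key registered by the crowdsec playbook; expected to be loaded from vault before this template is rendered` would save the next reader the hunt.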
|
||||