Update crowdsec deployment

This commit is contained in:
Adrien Reslinger 2023-11-26 10:48:23 +01:00
parent 0cfe2972c0
commit b045b7808a
Signed by: adrien
GPG key ID: DA7B27055C66D6DE
3 changed files with 40 additions and 4 deletions


@ -1,4 +1,4 @@
my_context: flamykubekube my_context: minikube
ingress_domain: "local.dataminem.net" ingress_domain: "local.dataminem.net"
# ingress_whitelist: # ingress_whitelist:
# - 10.96.0.0/12 # - 10.96.0.0/12
@ -6,4 +6,4 @@ ingress_domain: "local.dataminem.net"
# - 192.168.140.0/24 # - 192.168.140.0/24
crowdsec_namespace: "crowdsec" crowdsec_namespace: "crowdsec"
crowdsec_chart_version: "0.9.6" crowdsec_chart_version: "0.9.10"


@ -26,5 +26,37 @@
# - crowdsec-agent-DaemonSet.yml.j2 # - crowdsec-agent-DaemonSet.yml.j2
# - crowdsec-agent-serviceMonitor.yml.j2 # - crowdsec-agent-serviceMonitor.yml.j2
# - name: Wait until pod crowdsec-lapi is ready
# kubernetes.core.k8s_info:
# kind: Pod
# wait: yes
# label_selectors:
# - "k8s-app: crowdsec"
# - "type: lapi"
# namespace: "{{ crowdsec_namespace }}"
# context: "{{ my_context }}"
# wait_sleep: 5
# wait_timeout: 360
- name: Configure traefik bouncer access
block:
# kubectl --context bach -n crowdsec exec deploy/crowdsec-lapi -c crowdsec-lapi -- cscli bouncers list -o raw | grep '^traefik,'
- name: Test if traefik bouncer already existe
ansible.builtin.shell: kubectl --context {{ my_context }} -n {{ crowdsec_namespace }} exec deploy/crowdsec-lapi -c crowdsec-lapi -- cscli bouncers list -o raw | grep -q '^traefik,'
delegate_to: localhost
# register: traefik_bouncer_enrolled
# changed_when: false
check_mode: false
rescue:
# kubectl --context bach -n crowdsec exec deploy/crowdsec-lapi -c crowdsec-lapi -- cscli bouncers add traefik -o raw
- name: Test if traefik bouncer already existe
ansible.builtin.command: kubectl --context {{ my_context }} -n {{ crowdsec_namespace }} exec deploy/crowdsec-lapi -c crowdsec-lapi -- cscli bouncers add traefik -o raw
delegate_to: localhost
register: traefik_bouncer_token
- name: Show next command
debug:
msg: vault write exploit/clusters/{{ my_context }}/crowdsec_traefik_bouncer api_key={{ traefik_bouncer_token.stdout }}
# kubectl --context chopin -n crowdsec rollout restart deploy/crowdsec-lapi
tags: tags:
- crowdsec - crowdsec
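Review bot: The bouncer API key returned by `cscli bouncers add` is captured from stdout in the command task and then echoed in clear by the `debug` task (`api_key={{ traefik_bouncer_token.stdout }}`), so it lands in the playbook output and in whatever collects those logs. Add `no_log: true` to the `cscli bouncers add` task and either drop the key from the debug message or pass it to the vault step without printing it; showing only the `vault write exploit/clusters/{{ my_context }}/crowdsec_traefik_bouncer` path still tells the operator what to do next. The rescue task reuses the name `Test if traefik bouncer already existe` copied from the check task; it should read `Add traefik bouncer to LAPI`. With `changed_when: false` left commented out, the `grep -q` check reports a change on every run even when the bouncer already exists. The enclosing play and its task list start before the hunk.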


@ -25,6 +25,10 @@ lapi:
value: "{{ inventory_hostname }}" value: "{{ inventory_hostname }}"
- name: ENROLL_TAGS - name: ENROLL_TAGS
value: "k8s {{ inventory_hostname }}" value: "k8s {{ inventory_hostname }}"
{% endif %}
{% if traefik_crowdsec_bouncer_apikey is defined %}
- name: BOUNCER_KEY_traefik
value: "{{ traefik_crowdsec_bouncer_apikey }}"
{% endif %} {% endif %}
dashboard: dashboard:
# -- Enable Metabase Dashboard (by default disabled) # -- Enable Metabase Dashboard (by default disabled)
@ -87,9 +91,9 @@ agent:
value: "crowdsecurity/cri-logs" value: "crowdsecurity/cri-logs"
# As we are running Nginx, we want to install the Nginx collection # As we are running Nginx, we want to install the Nginx collection
- name: COLLECTIONS - name: COLLECTIONS
value: "crowdsecurity/traefik" value: "crowdsecurity/traefik crowdsecurity/linux-lpe crowdsecurity/http-cve crowdsecurity/whitelist-good-actors"
- name: SCENARIOS - name: SCENARIOS
value: "crowdsecurity/linux-lpe crowdsecurity/http-crawl-non_statics" value: "crowdsecurity/http-crawl-non_statics"
metrics: metrics:
enabled: true enabled: true
serviceMonitor: serviceMonitor:
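Review bot: `BOUNCER_KEY_traefik` is rendered as a plain env value from `traefik_crowdsec_bouncer_apikey`, so the key ends up in the LAPI Deployment manifest and in the stored Helm release values, readable by anyone with read access to those objects. Prefer keeping it in a Kubernetes Secret and referencing it with `valueFrom.secretKeyRef` (assuming the chart passes the `env` list through unchanged), and make sure the Ansible task that renders this values file runs with `no_log: true`. Because the block is guarded by `is defined`, a mistyped variable name silently deploys LAPI without the bouncer key; a comment such as `# optional: when unset, LAPI starts without the traefik bouncer registered` above the `{% if %}` would make that explicit. The `lapi:` mapping these lines belong to starts above the hunk.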