update appsec deployment to work with tls (#222)

* fix #217 * appsec certificate * add tls.appsec and appsec.wait_for_lapi to values
crowdsecurity · Jan 28, 2025 · 98678e4 · 98678e4
1 parent 008fa32
commit 98678e4
Show file tree

Hide file tree

Showing 3 changed files with 102 additions and 4 deletions.
diff --git a/charts/crowdsec/templates/appsec-deployment.yaml b/charts/crowdsec/templates/appsec-deployment.yaml
@@ -50,10 +50,17 @@ spec:
 {{ toYaml .Values.image.pullSecrets | indent 8 }}
       {{- end }}
       initContainers:
+      {{- if or (not .Values.tls.enabled) (not .Values.tls.appsec.tlsClientAuth) }}
       - name: wait-for-lapi-and-register
         image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         command: ['sh', '-c', 'until nc "$LAPI_HOST" "$LAPI_PORT" -z; do echo waiting for lapi to start; sleep 5; done; ln -s /staging/etc/crowdsec /etc/crowdsec && cscli lapi register --machine "$USERNAME" -u $LAPI_URL --token "$REGISTRATION_TOKEN" && cp /etc/crowdsec/local_api_credentials.yaml /tmp_config/local_api_credentials.yaml']
+      {{- else }}
+      - name: wait-for-lapi
+        image: "{{ .Values.appsec.wait_for_lapi.image.repository }}:{{ .Values.appsec.wait_for_lapi.image.tag }}"
+        imagePullPolicy: {{ .Values.appsec.wait_for_lapi.image.pullPolicy }}
+        command: ['sh', '-c', 'until nc "$LAPI_HOST" "$LAPI_PORT" -z; do echo waiting for lapi to start; sleep 5; done']
+      {{- end }}
         resources:
           limits:
             memory: 50Mi
@@ -63,10 +70,13 @@ spec:
         securityContext:
           allowPrivilegeEscalation: false
           privileged: false
+        {{- if or (not .Values.tls.enabled) (not .Values.tls.appsec.tlsClientAuth) }}
         volumeMounts:
           - name: crowdsec-config
             mountPath: /tmp_config
+        {{- end }}
         env:
+          {{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }}
           - name: REGISTRATION_TOKEN
             valueFrom:
               secretKeyRef:
@@ -78,6 +88,7 @@ spec:
                 fieldPath: metadata.name
           - name: LAPI_URL
             value: "{{ .Values.appsec.lapiURL | default (printf "http://%s-service.%s:8080" .Release.Name .Release.Namespace) }}"
+          {{- end }}
           - name: LAPI_HOST
             value: "{{ .Values.appsec.lapiHost | default (printf "%s-service.%s" .Release.Name .Release.Namespace) }}"
           - name: LAPI_PORT
@@ -89,14 +100,40 @@ spec:
       - name: crowdsec-appsec
         image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
+        {{- if or (not .Values.tls.enabled) (not .Values.tls.appsec.tlsClientAuth) }}
         command: ['sh', '-c', 'cp /tmp_config/local_api_credentials.yaml /staging/etc/crowdsec/local_api_credentials.yaml && ./docker_start.sh']
+        {{- end }}
         env:
           - name: DISABLE_LOCAL_API
             value: "true"
           - name: DISABLE_ONLINE_API
             value: "true"
+
+          # appsec - lapi authentication, with TLS or password
+
+          {{- if .Values.tls.enabled }}
           - name: LOCAL_API_URL
-            value: "{{ .Values.agent.lapiURL | default (printf "http://%s-service.%s:8080" .Release.Name .Release.Namespace) }}"
+            value: "{{ .Values.appsec.lapiURL | default (printf "https://%s-service.%s:8080" .Release.Name .Release.Namespace) }}"
+          - name: USE_TLS
+            value: "true"
+          {{- if .Values.tls.appsec.tlsClientAuth }}
+          - name: CLIENT_CERT_FILE
+            value: /etc/ssl/crowdsec-appsec/tls.crt
+          - name: CLIENT_KEY_FILE
+            value: /etc/ssl/crowdsec-appsec/tls.key
+          {{- end }}
+          {{- if .Values.tls.caBundle }}
+          - name: CACERT_FILE
+            value: /etc/ssl/crowdsec-appsec/ca.crt
+          {{- end }}
+          {{- else }}
+          - name: LOCAL_API_URL
+            value: "{{ .Values.appsec.lapiURL | default (printf "http://%s-service.%s:8080" .Release.Name .Release.Namespace) }}"
+          {{- end }}
+          {{- if .Values.tls.insecureSkipVerify }}
+          - name: INSECURE_SKIP_VERIFY
+            value: {{ quote .Values.tls.insecureSkipVerify }}
+          {{- end }}
         {{- with .Values.appsec.env }}
           {{- toYaml . | nindent 10 }}
         {{- end }}
@@ -131,7 +168,7 @@ spec:
         securityContext:
           allowPrivilegeEscalation: false
           privileged: false
-          
+
         volumeMounts:
           - name: crowdsec-config
             mountPath: /tmp_config
@@ -152,6 +189,10 @@ spec:
             subPath: {{ $fileName }}
           {{- end }}
           {{- end }}
+          {{- if .Values.tls.enabled }}
+          - name: crowdsec-appsec-tls
+            mountPath: /etc/ssl/crowdsec-appsec
+          {{- end }}
           {{- if .Values.appsec.extraVolumeMounts }}
           {{ toYaml .Values.appsec.extraVolumeMounts | nindent 10 }}
           {{- end }}
@@ -184,6 +225,11 @@ spec:
             path: {{ $fileName }}
       {{- end }}
       {{- end }}
+      {{- if .Values.tls.enabled }}
+      - name: crowdsec-appsec-tls
+        secret:
+          secretName: {{ .Release.Name }}-appsec-tls
+      {{- end }}
       {{- if .Values.appsec.extraVolumes }}
       {{ toYaml .Values.appsec.extraVolumes | nindent 6 }}
       {{- end }}
@@ -196,4 +242,4 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       priorityClassName: {{ .Values.appsec.priorityClassName }}
-{{- end }}
+{{- end }}
diff --git a/charts/crowdsec/templates/tls/appsec-certificate.yaml b/charts/crowdsec/templates/tls/appsec-certificate.yaml
@@ -0,0 +1,36 @@
+{{ if and (.Values.appsec.enabled) (.Values.tls.enabled) (.Values.tls.certManager.enabled) }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .Release.Name }}-appsec
+  namespace: {{ .Release.Namespace }}
+spec:
+  commonName: CrowdSec Appsec
+  secretName: {{ .Release.Name }}-appsec-tls
+  duration: {{ .Values.tls.certManager.duration }}
+  renewBefore: {{ .Values.tls.certManager.renewBefore }}
+  secretTemplate:
+    annotations:
+      {{ if .Values.tls.appsec.reflector.namespaces }}
+      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: {{ join "," .Values.tls.appsec.reflector.namespaces }}
+      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+      {{ end }}
+      {{ if .Values.tls.certManager.secretTemplate.annotations }}
+      {{ toYaml .Values.tls.certManager.secretTemplate.annotations | nindent 6 }}
+      {{ end }}
+    {{ if .Values.tls.certManager.secretTemplate.labels }}
+    labels:
+    {{ toYaml .Values.tls.certManager.secretTemplate.labels | nindent 6 }}
+    {{ end }}
+  issuerRef:
+    {{ if .Values.tls.certManager.issuerRef }}
+    name: {{ .Values.tls.certManager.issuerRef.name }}
+    kind: {{ default "Issuer" .Values.tls.certManager.issuerRef.kind }}
+    {{ else }}
+    name: {{ .Release.Name }}-ca-issuer
+    {{ end }}
+  subject:
+    organizationalUnits:
+      - appsec-ou
+{{ end }}
diff --git a/charts/crowdsec/values.yaml b/charts/crowdsec/values.yaml
@@ -140,6 +140,11 @@ tls:
     secret: "{{ .Release.Name }}-agent-tls"
     reflector:
       namespaces: []
+  appsec:
+    tlsClientAuth: true
+    secret: "{{ .Release.Name }}-agent-tls"
+    reflector:
+      namespaces: []
   lapi:
     secret: "{{ .Release.Name }}-lapi-tls"
 
@@ -671,4 +676,15 @@ appsec:
     externalIPs: []
     loadBalancerIP: null
     loadBalancerClass: null
-    externalTrafficPolicy: Cluster
+    externalTrafficPolicy: Cluster
+
+  # -- wait-for-lapi init container
+  wait_for_lapi:
+    image:
+      # -- docker image repository name
+      repository: busybox
+      # -- pullPolicy
+      pullPolicy: IfNotPresent
+      # -- docker image tag
+      tag: "1.28"
+