

Change agent username/password into auto_registration (crowdsecurity#209
)

* Replace agent username + password authentication with auto_registration token
srkoster authored Dec 9, 2024
1 parent 95b8b8e commit 3688567
Showing 6 changed files with 88 additions and 82 deletions.
28 changes: 0 additions & 28 deletions charts/crowdsec/templates/_helpers.tpl
@@ -1,34 +1,6 @@
# vim: set ft=gotmpl:
---

{{/*
Generate username if not specified in values
*/}}
{{ define "agent.username" }}
{{- if .Values.secrets.username }}
{{- .Values.secrets.username -}}
{{- else if (lookup "v1" "Secret" .Release.Namespace "agent-credentials").data }}
{{- $obj := (lookup "v1" "Secret" .Release.Namespace "agent-credentials").data -}}
{{- index $obj "username" | b64dec -}}
{{- else -}}
{{- randAlphaNum 48 -}}
{{- end -}}
{{- end -}}

{{/*
Generate password if not specified in values
*/}}
{{ define "agent.password" }}
{{- if .Values.secrets.password }}
{{- .Values.secrets.password -}}
{{- else if (lookup "v1" "Secret" .Release.Namespace "agent-credentials").data }}
{{- $obj := (lookup "v1" "Secret" .Release.Namespace "agent-credentials").data -}}
{{- index $obj "password" | b64dec -}}
{{- else -}}
{{- randAlphaNum 48 -}}
{{- end -}}
{{- end -}}

{{/*
Generate CS_LAPI_SECRET if not specified in values
*/}}
52 changes: 39 additions & 13 deletions charts/crowdsec/templates/agent-daemonSet.yaml
Expand Up @@ -23,7 +23,6 @@ spec:
template:
metadata:
annotations:
checksum/agent-secret: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
checksum/agent-configmap: {{ include (print $.Template.BasePath "/agent-configmap.yaml") . | sha256sum }}
checksum/acquis-configmap: {{ include (print $.Template.BasePath "/acquis-configmap.yaml") . | sha256sum }}
{{- if .Values.podAnnotations }}
Expand Down Expand Up @@ -51,10 +50,17 @@ spec:
{{ toYaml .Values.image.pullSecrets | indent 8 }}
{{- end }}
initContainers:
{{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }}
- name: wait-for-lapi-and-register
image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command: ['sh', '-c', 'until nc "$LAPI_HOST" "$LAPI_PORT" -z; do echo waiting for lapi to start; sleep 5; done; ln -s /staging/etc/crowdsec /etc/crowdsec && cscli lapi register --machine "$USERNAME" -u $LAPI_URL --token "$REGISTRATION_TOKEN" && cp /etc/crowdsec/local_api_credentials.yaml /tmp_config/local_api_credentials.yaml']
{{- else }}
- name: wait-for-lapi
image: "{{ .Values.agent.wait_for_lapi.image.repository }}:{{ .Values.agent.wait_for_lapi.image.tag }}"
imagePullPolicy: {{ .Values.agent.wait_for_lapi.image.pullPolicy }}
command: ['sh', '-c', "until nc {{ .Release.Name }}-service.{{ .Release.Namespace }} 8080 -z; do echo waiting for lapi to start; sleep 5; done"]
{{- end }}
resources:
limits:
memory: 50Mi
Expand All @@ -64,13 +70,37 @@ spec:
securityContext:
allowPrivilegeEscalation: false
privileged: false
{{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }}
volumeMounts:
- name: crowdsec-config
mountPath: /tmp_config
env:
- name: REGISTRATION_TOKEN
valueFrom:
secretKeyRef:
name: crowdsec-lapi-secrets
key: registrationToken
- name: USERNAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: LAPI_URL
value: http://{{ .Release.Name }}-service.{{ .Release.Namespace }}:8080
- name: LAPI_HOST
value: "{{ .Release.Name }}-service.{{ .Release.Namespace }}"
- name: LAPI_PORT
value: "8080"
{{- end }}
{{- if .Values.agent.extraInitContainers }}
{{- toYaml .Values.agent.extraInitContainers | nindent 6 }}
{{- end }}
containers:
- name: crowdsec-agent
image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }}
command: ['sh', '-c', 'cp /tmp_config/local_api_credentials.yaml /staging/etc/crowdsec/local_api_credentials.yaml && ./docker_start.sh']
{{- end }}
env:
- name: DISABLE_LOCAL_API
value: "true"
Expand Down Expand Up @@ -98,18 +128,6 @@ spec:
- name: LOCAL_API_URL
value: http://{{ .Release.Name }}-service.{{ .Release.Namespace }}:8080
{{- end }}
{{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }}
- name: AGENT_USERNAME
valueFrom:
secretKeyRef:
name: agent-credentials
key: username
- name: AGENT_PASSWORD
valueFrom:
secretKeyRef:
name: agent-credentials
key: password
{{- end }}
{{- if .Values.tls.insecureSkipVerify }}
- name: INSECURE_SKIP_VERIFY
value: {{ quote .Values.tls.insecureSkipVerify }}
Expand Down Expand Up @@ -151,6 +169,10 @@ spec:
command: ['sh', '-c', 'mv -n /staging/etc/crowdsec/* /etc/crowdsec_data/ && rm -rf /staging/etc/crowdsec && ln -s /etc/crowdsec_data /etc/crowdsec && ./docker_start.sh']
{{- end }}
volumeMounts:
{{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }}
- name: crowdsec-config
mountPath: /tmp_config
{{- end }}
{{- $crowdsecConfig := "/etc/crowdsec" -}}
{{- if .Values.agent.persistentVolume.config.enabled -}}
{{- $crowdsecConfig = "/etc/crowdsec_data" }}
Expand Down Expand Up @@ -216,6 +238,10 @@ spec:
- name: acquis-config-volume
configMap:
name: acquis-configmap
{{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }}
- name: crowdsec-config
emptyDir: {}
{{- end }}
{{- if .Values.agent.hostVarLog }}
- name: varlog
hostPath:
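Review bot: The `command:` rendered under `- name: crowdsec-agent` in the `@@ -64,13 +70,37 @@` hunk can collide with the `command: ['sh', '-c', 'mv -n /staging/etc/crowdsec/* ...']` that survives in the `@@ -151,6 +169,10 @@` hunk of the same container, because each is emitted under its own `{{- if` and nothing prevents both conditions from holding at once. The second guard opens outside this hunk; from the `$crowdsecConfig` switch beside it I take it to be `agent.persistentVolume.config.enabled`, in which case an install with persistent config plus token auto-registration gets two `command` keys in one container map and one of the two start sequences is silently dropped (or rejected by the YAML parser, depending on the tooling). The two also have to compose rather than alternate: the credentials copied into `/staging/etc/crowdsec` only reach the running agent if they move to `/etc/crowdsec_data` with the rest of the staging tree. I would compute the auto-registration flag once and render a single `command:` covering the three combinations, as below; note that `mv -n` keeps any `local_api_credentials.yaml` already on the volume, so a re-created pod registers a new machine it then never uses — acceptable if intended, but worth a comment in the template.
```yaml
      - name: crowdsec-agent
        # … unchanged: image, imagePullPolicy …
        {{- $autoRegister := or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }}
        {{- $persistConfig := .Values.agent.persistentVolume.config.enabled }}
        {{- if and $autoRegister $persistConfig }}
        command: ['sh', '-c', 'cp /tmp_config/local_api_credentials.yaml /staging/etc/crowdsec/local_api_credentials.yaml && mv -n /staging/etc/crowdsec/* /etc/crowdsec_data/ && rm -rf /staging/etc/crowdsec && ln -s /etc/crowdsec_data /etc/crowdsec && ./docker_start.sh']
        {{- else if $autoRegister }}
        command: ['sh', '-c', 'cp /tmp_config/local_api_credentials.yaml /staging/etc/crowdsec/local_api_credentials.yaml && ./docker_start.sh']
        {{- else if $persistConfig }}
        command: ['sh', '-c', 'mv -n /staging/etc/crowdsec/* /etc/crowdsec_data/ && rm -rf /staging/etc/crowdsec && ln -s /etc/crowdsec_data /etc/crowdsec && ./docker_start.sh']
        {{- end }}
        # … unchanged: env, volumeMounts (the later standalone `command:` block is removed) …
```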
52 changes: 39 additions & 13 deletions charts/crowdsec/templates/agent-deployment.yaml
Expand Up @@ -23,7 +23,6 @@ spec:
template:
metadata:
annotations:
checksum/agent-secret: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
checksum/agent-configmap: {{ include (print $.Template.BasePath "/agent-configmap.yaml") . | sha256sum }}
checksum/acquis-configmap: {{ include (print $.Template.BasePath "/acquis-configmap.yaml") . | sha256sum }}
{{- if .Values.podAnnotations }}
Expand Down Expand Up @@ -51,10 +50,17 @@ spec:
{{ toYaml .Values.image.pullSecrets | indent 8 }}
{{- end }}
initContainers:
{{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }}
- name: wait-for-lapi-and-register
image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command: ['sh', '-c', 'until nc "$LAPI_HOST" "$LAPI_PORT" -z; do echo waiting for lapi to start; sleep 5; done; ln -s /staging/etc/crowdsec /etc/crowdsec && cscli lapi register --machine "$USERNAME" -u $LAPI_URL --token "$REGISTRATION_TOKEN" && cp /etc/crowdsec/local_api_credentials.yaml /tmp_config/local_api_credentials.yaml']
{{- else }}
- name: wait-for-lapi
image: "{{ .Values.agent.wait_for_lapi.image.repository }}:{{ .Values.agent.wait_for_lapi.image.tag }}"
imagePullPolicy: {{ .Values.agent.wait_for_lapi.image.pullPolicy }}
command: ['sh', '-c', "until nc {{ .Release.Name }}-service.{{ .Release.Namespace }} 8080 -z; do echo waiting for lapi to start; sleep 5; done"]
{{- end }}
resources:
limits:
memory: 50Mi
Expand All @@ -64,13 +70,37 @@ spec:
securityContext:
allowPrivilegeEscalation: false
privileged: false
{{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }}
volumeMounts:
- name: crowdsec-config
mountPath: /tmp_config
env:
- name: REGISTRATION_TOKEN
valueFrom:
secretKeyRef:
name: crowdsec-lapi-secrets
key: registrationToken
- name: USERNAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: LAPI_URL
value: http://{{ .Release.Name }}-service.{{ .Release.Namespace }}:8080
- name: LAPI_HOST
value: "{{ .Release.Name }}-service.{{ .Release.Namespace }}"
- name: LAPI_PORT
value: "8080"
{{- end }}
{{- if .Values.agent.extraInitContainers }}
{{- toYaml .Values.agent.extraInitContainers | nindent 6 }}
{{- end }}
containers:
- name: crowdsec-agent
image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }}
command: ['sh', '-c', 'cp /tmp_config/local_api_credentials.yaml /staging/etc/crowdsec/local_api_credentials.yaml && ./docker_start.sh']
{{- end }}
env:
- name: DISABLE_LOCAL_API
value: "true"
Expand Down Expand Up @@ -98,18 +128,6 @@ spec:
- name: LOCAL_API_URL
value: http://{{ .Release.Name }}-service.{{ .Release.Namespace }}:8080
{{- end }}
{{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }}
- name: AGENT_USERNAME
valueFrom:
secretKeyRef:
name: agent-credentials
key: username
- name: AGENT_PASSWORD
valueFrom:
secretKeyRef:
name: agent-credentials
key: password
{{- end }}
{{- if .Values.tls.insecureSkipVerify }}
- name: INSECURE_SKIP_VERIFY
value: {{ quote .Values.tls.insecureSkipVerify }}
Expand Down Expand Up @@ -154,6 +172,10 @@ spec:
command: ['sh', '-c', 'mv -n /staging/etc/crowdsec/* /etc/crowdsec_data/ && rm -rf /staging/etc/crowdsec && ln -s /etc/crowdsec_data /etc/crowdsec && ./docker_start.sh']
{{- end }}
volumeMounts:
{{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }}
- name: crowdsec-config
mountPath: /tmp_config
{{- end }}
{{- $crowdsecConfig := "/etc/crowdsec" -}}
{{- if .Values.agent.persistentVolume.config.enabled -}}
{{- $crowdsecConfig = "/etc/crowdsec_data" }}
Expand Down Expand Up @@ -216,6 +238,10 @@ spec:
{{- end }}
terminationGracePeriodSeconds: 30
volumes:
{{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }}
- name: crowdsec-config
emptyDir: {}
{{- end }}
- name: acquis-config-volume
configMap:
name: acquis-configmap
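Review bot: `LAPI_URL` in the new `wait-for-lapi-and-register` init container is hard-coded to `http://{{ .Release.Name }}-service.{{ .Release.Namespace }}:8080`, yet the container is rendered whenever `tls.agent.tlsClientAuth` is false, which includes the case where `tls.enabled` is true; in that configuration the registration token — now the only credential standing between any peer inside `allowed_ranges` and a registered machine — is posted over plaintext, or the `cscli lapi register` call simply fails if the LAPI serves TLS only. The `{{- end }}` that closes the `LOCAL_API_URL` block at the top of the `@@ -98,18 +128,6 @@` hunk suggests the chart already branches that URL on TLS mode, so the init container should follow the same rule, e.g. `value: {{ if .Values.tls.enabled }}https{{ else }}http{{ end }}://{{ .Release.Name }}-service.{{ .Release.Namespace }}:8080`, and with TLS on it would also need whatever CA bundle mount the main container relies on, which is outside this hunk. Separately, `--machine "$USERNAME"` takes the pod name from `metadata.name`, so every rollout of this Deployment registers a fresh machine and the previous ones are never removed from the LAPI; if that accumulation is not intended, a `cscli machines delete` in a preStop hook or at least a template comment stating the trade-off would help operators.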
13 changes: 0 additions & 13 deletions charts/crowdsec/templates/lapi-deployment.yaml
Expand Up @@ -27,7 +27,6 @@ spec:
template:
metadata:
annotations:
checksum/agent-secret: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
checksum/lapi-secret: {{ include (print $.Template.BasePath "/lapi-secrets.yaml") . | sha256sum }}
checksum/lapi-configmap: {{ include (print $.Template.BasePath "/lapi-configmap.yaml") . | sha256sum }}
{{- if .Values.podAnnotations }}
Expand Down Expand Up @@ -82,18 +81,6 @@ spec:
- name: LOCAL_API_URL
value: http://localhost:8080
{{- end }}
{{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }}
- name: AGENT_USERNAME
valueFrom:
secretKeyRef:
name: agent-credentials
key: username
- name: AGENT_PASSWORD
valueFrom:
secretKeyRef:
name: agent-credentials
key: password
{{- end }}
- name: DISABLE_AGENT
value: "true"
{{- if .Values.lapi.dashboard.enabled }}
15 changes: 0 additions & 15 deletions charts/crowdsec/templates/secrets.yaml

This file was deleted.

10 changes: 10 additions & 0 deletions charts/crowdsec/values.yaml
Expand Up @@ -83,6 +83,16 @@ config:
# -- General configuration (https://docs.crowdsec.net/docs/configuration/crowdsec_configuration/#configuration-example)
config.yaml.local: ""
# |
# api:
# server:
# auto_registration: # Activate if not using TLS for authentication or when using Appsec
# enabled: true
# token: "${REGISTRATION_TOKEN}" # /!\ Do not modify this variable (auto-generated and handled by the chart)
# allowed_ranges:
# - "127.0.0.1/32"
# - "192.168.0.0/16"
# - "10.0.0.0/8"
# - "172.16.0.0/12"
# db_config:
# type: postgresql
# user: crowdsec
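Review bot: The example `allowed_ranges` in the new `auto_registration` block opens registration to 127.0.0.1/32 plus all of 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, which in most clusters is far wider than the pod CIDR the agents actually come from; since the token is the only thing authenticating a `cscli lapi register` call in this mode, the commented example should steer users toward their cluster's pod/service CIDR, e.g. `#       allowed_ranges:  # narrow to your cluster's pod CIDR: any peer in range holding the token can register a machine`. The comment on `token` says the value is auto-generated and handled by the chart, but this commit does not show where `REGISTRATION_TOKEN` is injected into the LAPI container or where `crowdsec-lapi-secrets/registrationToken` (read by the agent init containers) is populated — presumably lapi-secrets.yaml and lapi-deployment.yaml already do both, and if not the agents will fail at init. Since `_helpers.tpl` drops `agent.username`/`agent.password` and secrets.yaml is deleted, a deprecation line next to the existing `secrets:` values noting that `username`/`password` are no longer read would spare operators upgrading from the previous chart version a silent no-op.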
