configure postgresql for crowdsec

.gitea/workflows/crowdsec.yaml

@@ -0,0 +1,62 @@
+---
+# template source: https://github.com/bretfisher/docker-build-workflow/blob/main/templates/call-docker-build.yaml
+name: Crowdsec
+
+on: #[push,pull_request]
+  workflow_dispatch: {}
+  push: &crowdsecPaths
+    paths:
+      - 'crowdsec/**/*.tf'
+  pull_request: *crowdsecPaths
+
+# cancel any previously-started, yet still active runs of this workflow on the same branch
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+.vault_step: &vault_step
+  name: read vault secret
+  uses: https://gitea.arcodange.duckdns.org/arcodange-org/vault-action.git@main
+  id: vault-secrets
+  with:
+    url: https://vault.arcodange.duckdns.org
+    jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
+    role: gitea_cicd_crowdsec
+    method: jwt
+    path: gitea_jwt
+    secrets: |
+        kvv1/google/credentials credentials | GOOGLE_BACKEND_CREDENTIALS ;
+        kvv1/gitea/tofu_module_reader ssh_private_key | TERRAFORM_SSH_KEY ;
+
+jobs:
+  gitea_vault_auth:
+    name: Auth with gitea for vault
+    runs-on: ubuntu-latest
+    outputs:
+      gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}}
+    steps:
+
+      - name: Auth with gitea for vault
+        id: gitea_vault_jwt
+        run: |
+          echo -n "${{ secrets.vault_oauth__sh_b64 }}" | base64 -d | bash
+
+  tofu:
+    name: Tofu - Crowdsec IAC
+    needs:
+      - gitea_vault_auth
+    runs-on: ubuntu-latest
+    env:
+      OPENTOFU_VERSION: 1.8.2
+      TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
+    steps:
+      - *vault_step
+      - uses: actions/checkout@v4
+      # - uses: dflook/terraform-plan@v1
+      #   with:
+      #     path: hashicorp-vault/iac
+      - name: terraform apply
+        uses: dflook/terraform-apply@v1
+        with:
+          path: crowdsec/iac
+          auto_approve: true

crowdsec/iac/backend.tf

@@ -0,0 +1,6 @@
+terraform {
+  backend "gcs" {
+    bucket = "arcodange-tf"
+    prefix = "tools/crowdsec/main"
+  }
+}

crowdsec/iac/main.tf

@@ -0,0 +1,5 @@
+module "app_roles" {
+  source = "git::ssh://git@192.168.1.202:2222/arcodange-org/tools.git//hashicorp-vault/iac/modules/app_roles?depth=1&ref=main"
+  name = "crowdsec"
+  service_account_namespaces = ["tools"]
+}

crowdsec/iac/providers.tf

@@ -0,0 +1,16 @@
+terraform {
+  required_providers {
+    vault = {
+      source  = "vault"
+      version = "4.4.0"
+    }
+  }
+}
+
+provider "vault" {
+  address = "https://vault.arcodange.duckdns.org"
+  auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
+    mount = "gitea_jwt"
+    role  = "gitea_cicd_crowdsec"
+  }
+}

crowdsec/templates/serviceaccount.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: crowdsec
+  namespace: {{ .Release.Namespace }}
+automountServiceAccountToken: true

crowdsec/templates/vaultauth.yaml

@@ -0,0 +1,13 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: crowdsec
+  namespace: {{ .Release.Namespace }}
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: crowdsec
+    serviceAccount: crowdsec
+    audiences:
+      - vault

crowdsec/templates/vaultdynamicsecret.yaml

@@ -0,0 +1,25 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultDynamicSecret
+metadata:
+  name: crowdsec-db-credentials
+  namespace: {{ .Release.Namespace }}
+spec:
+
+  # Mount path of the secrets backend
+  mount: postgres
+
+  # Path to the secret
+  path: creds/crowdsec
+
+  # Where to store the secrets, VSO will create the secret
+  destination:
+    create: true
+    name: crowdsec-db-credentials
+
+  # Restart these pods when secrets rotated
+  rolloutRestartTargets:
+  - kind: Deployment
+    name: crowdsec-lapi
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: crowdsec

crowdsec/values.yaml

@@ -29,6 +29,16 @@ crowdsec: &crowdsec_config
         value: "homelab"
       - name: ENROLL_TAGS
         value: "k3s rpi test"
+      - name: DB_USER
+        valueFrom:
+          secretKeyRef:
+            name: crowdsec-db-credentials
+            key: username
+      - name: DB_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: crowdsec-db-credentials
+            key: password
   appsec:
     enabled: true
     acquisitions:
@@ -48,6 +58,25 @@ crowdsec: &crowdsec_config
       requests:
         cpu: "100m"
         memory: "200Mi"
+  config:
+    config.yaml.local: |
+      db_config:
+        type:     postgresql
+        user:     ${DB_USER}
+        password: ${DB_PASSWORD}
+        db_name:  crowdsec
+        host:     pgbouncer.tools
+        port:     5432
+      api:
+        server:
+          auto_registration: # Activate if not using TLS for authentication
+            enabled: true
+            token: "${REGISTRATION_TOKEN}"  # /!\ do not change
+            allowed_ranges: # /!\ adapt to the pod IP ranges used by your cluster
+              - "127.0.0.1/32"
+              - "192.168.0.0/16"
+              - "10.42.0.0/16"
+              - "172.16.0.0/12"
 
 tool:
   # kind: 'SubChart' or 'HelmChart', if subchart then uncomment Chart.yaml dependency, else comment and use tool library with helm chart template

hashicorp-vault/iac/terraform.tfvars

@@ -6,4 +6,8 @@ applications = [
     ops_policies               = ["factory__cf_r2_arcodange_tf"]
     service_account_names = ["cloudflared"]
   },
+  {
+    name = "crowdsec"
+    service_account_namespaces = ["tools"]
+  },
 ]