configure postgresql for crowdsec

2025-12-03 17:10:25 +01:00
parent 2d5ec8a859
commit 859057be66
9 changed files with 166 additions and 0 deletions
--- a/crowdsec/iac/backend.tf
+++ b/crowdsec/iac/backend.tf
@@ -0,0 +1,6 @@
+terraform {
+  backend "gcs" {
+    bucket = "arcodange-tf"
+    prefix = "tools/crowdsec/main"
+  }
+}
--- a/crowdsec/iac/main.tf
+++ b/crowdsec/iac/main.tf
@@ -0,0 +1,5 @@
+module "app_roles" {
+  source = "git::ssh://git@192.168.1.202:2222/arcodange-org/tools.git//hashicorp-vault/iac/modules/app_roles?depth=1&ref=main"
+  name = "crowdsec"
+  service_account_namespaces = ["tools"]
+}
--- a/crowdsec/iac/providers.tf
+++ b/crowdsec/iac/providers.tf
@@ -0,0 +1,16 @@
+terraform {
+  required_providers {
+    vault = {
+      source  = "vault"
+      version = "4.4.0"
+    }
+  }
+}
+
+provider "vault" {
+  address = "https://vault.arcodange.duckdns.org"
+  auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
+    mount = "gitea_jwt"
+    role  = "gitea_cicd_crowdsec"
+  }
+}
--- a/crowdsec/templates/serviceaccount.yaml
+++ b/crowdsec/templates/serviceaccount.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: crowdsec
+  namespace: {{ .Release.Namespace }}
+automountServiceAccountToken: true
--- a/crowdsec/templates/vaultauth.yaml
+++ b/crowdsec/templates/vaultauth.yaml
@@ -0,0 +1,13 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: crowdsec
+  namespace: {{ .Release.Namespace }}
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: crowdsec
+    serviceAccount: crowdsec
+    audiences:
+      - vault
--- a/crowdsec/templates/vaultdynamicsecret.yaml
+++ b/crowdsec/templates/vaultdynamicsecret.yaml
@@ -0,0 +1,25 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultDynamicSecret
+metadata:
+  name: crowdsec-db-credentials
+  namespace: {{ .Release.Namespace }}
+spec:
+
+  # Mount path of the secrets backend
+  mount: postgres
+
+  # Path to the secret
+  path: creds/crowdsec
+
+  # Where to store the secrets, VSO will create the secret
+  destination:
+    create: true
+    name: crowdsec-db-credentials
+
+  # Restart these pods when secrets rotated
+  rolloutRestartTargets:
+  - kind: Deployment
+    name: crowdsec-lapi
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: crowdsec
--- a/crowdsec/values.yaml
+++ b/crowdsec/values.yaml
@@ -29,6 +29,16 @@ crowdsec: &crowdsec_config
        value: "homelab"
      - name: ENROLL_TAGS
        value: "k3s rpi test"
+      - name: DB_USER
+        valueFrom:
+          secretKeyRef:
+            name: crowdsec-db-credentials
+            key: username
+      - name: DB_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: crowdsec-db-credentials
+            key: password
  appsec:
    enabled: true
    acquisitions:
@@ -48,6 +58,25 @@ crowdsec: &crowdsec_config
      requests:
        cpu: "100m"
        memory: "200Mi"
+  config:
+    config.yaml.local: |
+      db_config:
+        type:     postgresql
+        user:     ${DB_USER}
+        password: ${DB_PASSWORD}
+        db_name:  crowdsec
+        host:     pgbouncer.tools
+        port:     5432
+      api:
+        server:
+          auto_registration: # Activate if not using TLS for authentication
+            enabled: true
+            token: "${REGISTRATION_TOKEN}"  # /!\ do not change
+            allowed_ranges: # /!\ adapt to the pod IP ranges used by your cluster
+              - "127.0.0.1/32"
+              - "192.168.0.0/16"
+              - "10.42.0.0/16"
+              - "172.16.0.0/12"

 tool:
  # kind: 'SubChart' or 'HelmChart', if subchart then uncomment Chart.yaml dependency, else comment and use tool library with helm chart template