configure postgresql for crowdsec

2025-12-03 17:10:25 +01:00
parent 2d5ec8a859
commit dc7fcb92bc
5 changed files with 74 additions and 0 deletions
--- a/crowdsec/templates/serviceaccount.yaml
+++ b/crowdsec/templates/serviceaccount.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: crowdsec
+  namespace: {{ .Release.Namespace }}
+automountServiceAccountToken: true
--- a/crowdsec/templates/vaultauth.yaml
+++ b/crowdsec/templates/vaultauth.yaml
@@ -0,0 +1,13 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: crowdsec
+  namespace: {{ .Release.Namespace }}
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: crowdsec
+    serviceAccount: crowdsec
+    audiences:
+      - vault
--- a/crowdsec/templates/vaultdynamicsecret.yaml
+++ b/crowdsec/templates/vaultdynamicsecret.yaml
@@ -0,0 +1,25 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultDynamicSecret
+metadata:
+  name: crowdsec-db-credentials
+  namespace: {{ .Release.Namespace }}
+spec:
+
+  # Mount path of the secrets backend
+  mount: postgres
+
+  # Path to the secret
+  path: creds/crowdsec
+
+  # Where to store the secrets, VSO will create the secret
+  destination:
+    create: true
+    name: crowdsec-db-credentials
+
+  # Restart these pods when secrets rotated
+  rolloutRestartTargets:
+  - kind: Deployment
+    name: crowdsec-lapi
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: crowdsec
--- a/crowdsec/values.yaml
+++ b/crowdsec/values.yaml
@@ -29,6 +29,16 @@ crowdsec: &crowdsec_config
        value: "homelab"
      - name: ENROLL_TAGS
        value: "k3s rpi test"
+      - name: DB_USER
+        valueFrom:
+          secretKeyRef:
+            name: crowdsec-db-credentials
+            key: username
+      - name: DB_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: crowdsec-db-credentials
+            key: password
  appsec:
    enabled: true
    acquisitions:
@@ -48,6 +58,25 @@ crowdsec: &crowdsec_config
      requests:
        cpu: "100m"
        memory: "200Mi"
+  config:
+    config.yaml.local: |
+      db_config:
+        type:     postgresql
+        user:     ${DB_USER}
+        password: ${DB_PASSWORD}
+        db_name:  crowdsec
+        host:     pgbouncer.tools
+        port:     5432
+      api:
+        server:
+          auto_registration: # Activate if not using TLS for authentication
+            enabled: true
+            token: "${REGISTRATION_TOKEN}"  # /!\ do not change
+            allowed_ranges: # /!\ adapt to the pod IP ranges used by your cluster
+              - "127.0.0.1/32"
+              - "192.168.0.0/16"
+              - "10.42.0.0/16"
+              - "172.16.0.0/12"

 tool:
  # kind: 'SubChart' or 'HelmChart', if subchart then uncomment Chart.yaml dependency, else comment and use tool library with helm chart template
--- a/hashicorp-vault/iac/terraform.tfvars
+++ b/hashicorp-vault/iac/terraform.tfvars
@@ -6,4 +6,5 @@ applications = [
    ops_policies               = ["factory__cf_r2_arcodange_tf"]
    service_account_names = ["cloudflared"]
  },
+  { name = "crowdsec" },
 ]