arcodange-org/tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

configure postgresql for crowdsec
All checks were successful
Helm Charts / Detect changed charts (push) Successful in 17s
Details
Helm Charts / Library charts tool (push) Has been skipped
Details
Helm Charts / Application charts pgcat (push) Has been skipped
Details

Browse Source
This commit is contained in:
Gabriel Radureau
2025-12-03 17:10:25 +01:00
parent 2d5ec8a859
commit dc7fcb92bc
5 changed files with 74 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
crowdsec/templates/serviceaccount.yaml Normal file
View File

@@ -0,0 +1,6 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: crowdsec
namespace: {{ .Release.Namespace }}
automountServiceAccountToken: true

13
crowdsec/templates/vaultauth.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: crowdsec
namespace: {{ .Release.Namespace }}
spec:
method: kubernetes
mount: kubernetes
kubernetes:
role: crowdsec
serviceAccount: crowdsec
audiences:
- vault

25
crowdsec/templates/vaultdynamicsecret.yaml Normal file
View File

@@ -0,0 +1,25 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
name: crowdsec-db-credentials
namespace: {{ .Release.Namespace }}
spec:
# Mount path of the secrets backend
mount: postgres
# Path to the secret
path: creds/crowdsec
# Where to store the secrets, VSO will create the secret
destination:
create: true
name: crowdsec-db-credentials
# Restart these pods when secrets rotated
rolloutRestartTargets:
- kind: Deployment
name: crowdsec-lapi
# Name of the CRD to authenticate to Vault
vaultAuthRef: crowdsec

29
crowdsec/values.yaml
View File

@@ -29,6 +29,16 @@ crowdsec: &crowdsec_config
value: "homelab" value: "homelab"
- name: ENROLL_TAGS - name: ENROLL_TAGS
value: "k3s rpi test" value: "k3s rpi test"
- name: DB_USER
valueFrom:
secretKeyRef:
name: crowdsec-db-credentials
key: username
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: crowdsec-db-credentials
key: password
appsec: appsec:
enabled: true enabled: true
acquisitions: acquisitions:
@@ -48,6 +58,25 @@ crowdsec: &crowdsec_config
requests: requests:
cpu: "100m" cpu: "100m"
memory: "200Mi" memory: "200Mi"
config:
config.yaml.local: |
db_config:
type: postgresql
user: ${DB_USER}
password: ${DB_PASSWORD}
db_name: crowdsec
host: pgbouncer.tools
port: 5432
api:
server:
auto_registration: # Activate if not using TLS for authentication
enabled: true
token: "${REGISTRATION_TOKEN}" # /!\ do not change
allowed_ranges: # /!\ adapt to the pod IP ranges used by your cluster
- "127.0.0.1/32"
- "192.168.0.0/16"
- "10.42.0.0/16"
- "172.16.0.0/12"
tool: tool:
# kind: 'SubChart' or 'HelmChart', if subchart then uncomment Chart.yaml dependency, else comment and use tool library with helm chart template # kind: 'SubChart' or 'HelmChart', if subchart then uncomment Chart.yaml dependency, else comment and use tool library with helm chart template

1
hashicorp-vault/iac/terraform.tfvars
View File

@@ -6,4 +6,5 @@ applications = [
ops_policies = ["factory__cf_r2_arcodange_tf"] ops_policies = ["factory__cf_r2_arcodange_tf"]
service_account_names = ["cloudflared"] service_account_names = ["cloudflared"]
}, },
{ name = "crowdsec" },
] ]