From 50ca8e0ab8000fd44e40e4d37bfb5d7a2a0eae13 Mon Sep 17 00:00:00 2001
From: James Turland <james@turland.uk>
Date: Fri, 17 Nov 2023 15:13:29 +0000
Subject: [PATCH] adding crowdsec to kubernetes

---
 Kubernetes/CrowdSec/CrowdSec/values.yaml  | 127 ++++++++++++++++++++++
 Kubernetes/CrowdSec/Reflector/values.yaml |   2 +
 Kubernetes/CrowdSec/Traefik/values.yaml   |  76 +++++++++++++
 3 files changed, 205 insertions(+)
 create mode 100644 Kubernetes/CrowdSec/CrowdSec/values.yaml
 create mode 100644 Kubernetes/CrowdSec/Reflector/values.yaml
 create mode 100644 Kubernetes/CrowdSec/Traefik/values.yaml

diff --git a/Kubernetes/CrowdSec/CrowdSec/values.yaml b/Kubernetes/CrowdSec/CrowdSec/values.yaml
new file mode 100644
index 0000000..249df87
--- /dev/null
+++ b/Kubernetes/CrowdSec/CrowdSec/values.yaml
@@ -0,0 +1,127 @@
+container_runtime: containerd
+# Here you can specify your own custom configuration to be loaded in crowdsec agent or lapi
+# Each config needs to be a multi-line using '|' in YAML specs
+# for the agent those configs will be loaded : parsers, scenarios, postoverflows, simulation.yaml
+# for the lapi those configs will be loaded : profiles.yaml, notifications, console.yaml
+config:
+  profiles.yaml: |
+    name: default_ip_remediation
+    #debug: true
+    filters:
+     - Alert.Remediation == true && Alert.GetScope() == "Ip"
+    decisions:
+     - type: ban
+       duration: 4h
+    #duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
+    notifications:
+    #   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
+    #   - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
+      - http_default   # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
+    #   - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
+  notifications: 
+    http.yaml: |
+      type: http          # Don't change
+      name: http_default # Must match the registered plugin in the profile
+
+      # One of "trace", "debug", "info", "warn", "error", "off"
+      log_level: info
+
+      # group_wait:         # Time to wait collecting alerts before relaying a message to this plugin, eg "30s"
+      # group_threshold:    # Amount of alerts that triggers a message before <group_wait> has expired, eg "10"
+      # max_retry:          # Number of attempts to relay messages to plugins in case of error
+      # timeout:            # Time to wait for response from the plugin before considering the attempt a failure, eg "10s"
+
+      #-------------------------
+      # plugin-specific options
+
+      # The following template receives a list of models.Alert objects
+      # The output goes in the http request body
+      format: |
+        {{ range . -}}
+        {{ $alert := . -}}
+        {
+          "extras": {
+            "client::display": {
+            "contentType": "text/markdown"
+          }
+        },
+        "priority": 3,
+        {{range .Decisions -}}
+        "title": "{{.Type }} {{ .Value }} for {{.Duration}}",
+        "message": "{{.Scenario}}  \n\n[crowdsec cti](https://app.crowdsec.net/cti/{{.Value -}})  \n\n[shodan](https://shodan.io/host/{{.Value -}})"
+        {{end -}}
+        }
+        {{ end -}}
+
+      # The plugin will make requests to this url, eg:  https://www.example.com/
+      url: https://gotify.YOUR-DOMAIN.COM/message
+
+      # Any of the http verbs: "POST", "GET", "PUT"...
+      method: POST
+
+      headers:
+        X-Gotify-Key: YOUR-KEY
+        Content-Type: application/json
+        skip_tls_verification: true
+tls:
+  enabled: true
+  bouncer:
+    reflector:
+      namespaces: ["traefik"]
+agent:
+  tolerations:
+    - key: node-role.kubernetes.io/control-plane
+      operator: Equal
+      effect: NoSchedule
+  # Specify each pod whose logs you want to process
+  acquisition:
+    # The namespace where the pod is located
+    - namespace: traefik
+      # The pod name
+      podName: traefik-*
+      # as in crowdsec configuration, we need to specify the program name to find a matching parser
+      program: traefik
+  env:
+    - name: PARSERS
+      value: "crowdsecurity/cri-logs crowdsecurity/whitelists"
+    - name: COLLECTIONS
+      value: "crowdsecurity/linux crowdsecurity/traefik crowdsecurity/home-assistant LePresidente/authelia Dominic-Wagner/vaultwarden crowdsecurity/unifi"
+    # When testing, allow bans on private networks
+    #- name: DISABLE_PARSERS
+    #  value: "crowdsecurity/whitelists"
+  persistentVolume:
+    config:
+      enabled: false
+  nodeSelector: 
+    worker: "true"
+  image:
+    pullPolicy: Always
+lapi:
+  dashboard:
+    enabled: false
+    ingress:
+      host: dashboard.local
+      enabled: true
+  persistentVolume:
+    config:
+      enabled: true
+  resources:
+    limits:
+      memory: 200Mi
+    requests:
+      cpu: 250m
+      memory: 200Mi
+  env:
+    # For an internal test, disable the Online API
+    - name: DISABLE_ONLINE_API
+      value: "false"
+    - name: ENROLL_KEY
+      value: "YOUR-CLOUD-API-KEY"
+    - name: ENROLL_INSTANCE_NAME
+      value: "CLUSTER-NAME"
+    - name: ENROLL_TAGS
+      value: "homelab"
+  nodeSelector: 
+    worker: "true"
+image:
+  pullPolicy: Always
\ No newline at end of file
diff --git a/Kubernetes/CrowdSec/Reflector/values.yaml b/Kubernetes/CrowdSec/Reflector/values.yaml
new file mode 100644
index 0000000..ab4263a
--- /dev/null
+++ b/Kubernetes/CrowdSec/Reflector/values.yaml
@@ -0,0 +1,2 @@
+nodeSelector: 
+  worker: "true"
\ No newline at end of file
diff --git a/Kubernetes/CrowdSec/Traefik/values.yaml b/Kubernetes/CrowdSec/Traefik/values.yaml
new file mode 100644
index 0000000..d2ac580
--- /dev/null
+++ b/Kubernetes/CrowdSec/Traefik/values.yaml
@@ -0,0 +1,76 @@
+globalArguments:
+  - "--global.sendanonymoususage=false"
+  - "--global.checknewversion=true"
+
+additionalArguments:
+  - "--serversTransport.insecureSkipVerify=true"
+  - "--log.level=INFO"
+  - "--experimental.plugins.bouncer.moduleName=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
+  - "--experimental.plugins.bouncer.version=v1.1.16"
+  - "--entrypoints.web.http.middlewares=traefik-bouncer@kubernetescrd"
+  - "--entrypoints.websecure.http.middlewares=traefik-bouncer@kubernetescrd"
+  - "--providers.kubernetescrd"
+
+deployment:
+  enabled: true
+  replicas: 2
+  annotations: {}
+  podAnnotations: {}
+  additionalContainers: []
+  initContainers: []
+
+nodeSelector: 
+  worker: "true"
+
+ports:
+  web:
+    redirectTo: websecure
+  websecure:
+    tls:
+      enabled: true
+      
+ingressRoute:
+  dashboard:
+    enabled: false
+
+providers:
+  kubernetesCRD:
+    enabled: true
+    ingressClass: traefik-external
+    allowExternalNameServices: true
+    allowCrossNamespace: true
+  kubernetesIngress:
+    enabled: true
+    allowExternalNameServices: true
+    publishedService:
+      enabled: false
+
+rbac:
+  enabled: true
+
+service:
+  enabled: true
+  type: LoadBalancer
+  annotations: {}
+  labels: {}
+  spec:
+    loadBalancerIP: 192.168.3.65 # this should be an IP in the Kube-VIP LB range
+    externalTrafficPolicy: Local # required to show the source IP - Cluster will not show internal IP and crowdsec will not work
+  loadBalancerSourceRanges: []
+  externalIPs: []
+
+logs:
+  access:
+    enabled: true
+
+experimental:
+  plugins:
+    enabled: true
+
+volumes:
+  - name: crowdsec-bouncer-tls
+    mountPath: /etc/traefik/crowdsec-certs/
+    type: secret
+
+image:
+  pullPolicy: Always
\ No newline at end of file