Docker config/auth/TLS refactoring from from v1.4.4 (#1967)
This commit is contained in:
parent
033082a31e
commit
dfc4126384
5 changed files with 119 additions and 213 deletions
85
Dockerfile
85
Dockerfile
|
@ -10,99 +10,30 @@ COPY . .
|
|||
|
||||
# wizard.sh requires GNU coreutils
|
||||
RUN apk add --no-cache git gcc libc-dev make bash gettext binutils-gold coreutils && \
|
||||
echo "githubciXXXXXXXXXXXXXXXXXXXXXXXX" > /etc/machine-id && \
|
||||
SYSTEM="docker" make clean release && \
|
||||
cd crowdsec-v* && \
|
||||
./wizard.sh --docker-mode && \
|
||||
cd - && \
|
||||
cd - >/dev/null && \
|
||||
cscli hub update && \
|
||||
cscli collections install crowdsecurity/linux && \
|
||||
cscli parsers install crowdsecurity/whitelists
|
||||
cscli parsers install crowdsecurity/whitelists && \
|
||||
go install github.com/mikefarah/yq/v4@v4.30.6
|
||||
|
||||
FROM alpine:latest as build-slim
|
||||
|
||||
RUN apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community tzdata yq bash && \
|
||||
RUN apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community tzdata bash && \
|
||||
mkdir -p /staging/etc/crowdsec && \
|
||||
mkdir -p /staging/var/lib/crowdsec && \
|
||||
mkdir -p /var/lib/crowdsec/data \
|
||||
yq -n '.url="http://0.0.0.0:8080"' | install -m 0600 /dev/stdin /staging/etc/crowdsec/local_api_credentials.yaml
|
||||
mkdir -p /var/lib/crowdsec/data
|
||||
|
||||
COPY --from=build /go/bin/yq /usr/local/bin/yq
|
||||
COPY --from=build /etc/crowdsec /staging/etc/crowdsec
|
||||
COPY --from=build /usr/local/bin/crowdsec /usr/local/bin/crowdsec
|
||||
COPY --from=build /usr/local/bin/cscli /usr/local/bin/cscli
|
||||
COPY --from=build /go/src/crowdsec/docker/docker_start.sh /
|
||||
COPY --from=build /go/src/crowdsec/docker/config.yaml /staging/etc/crowdsec/config.yaml
|
||||
|
||||
# NOTE: setting default values here would overwrite the ones set in config.yaml
|
||||
# every time the container is started. We set the default in docker/config.yaml
|
||||
# and document them in docker/README.md, but keep the variables empty here.
|
||||
|
||||
ENV CONFIG_FILE=/etc/crowdsec/config.yaml
|
||||
ENV LOCAL_API_URL=
|
||||
ENV CUSTOM_HOSTNAME=localhost
|
||||
ENV PLUGIN_DIR=
|
||||
ENV DISABLE_AGENT=false
|
||||
ENV DISABLE_LOCAL_API=false
|
||||
ENV DISABLE_ONLINE_API=false
|
||||
ENV DSN=
|
||||
ENV TYPE=
|
||||
ENV TEST_MODE=false
|
||||
ENV USE_WAL=
|
||||
|
||||
# register to app.crowdsec.net
|
||||
|
||||
ENV ENROLL_INSTANCE_NAME=
|
||||
ENV ENROLL_KEY=
|
||||
ENV ENROLL_TAGS=
|
||||
|
||||
# log verbosity
|
||||
|
||||
ENV LEVEL_TRACE=
|
||||
ENV LEVEL_DEBUG=
|
||||
ENV LEVEL_INFO=
|
||||
|
||||
# TLS setup ----------------------------------- #
|
||||
|
||||
ENV AGENT_USERNAME=
|
||||
ENV AGENT_PASSWORD=
|
||||
|
||||
# TLS setup ----------------------------------- #
|
||||
|
||||
ENV USE_TLS=false
|
||||
ENV INSECURE_SKIP_VERIFY=
|
||||
|
||||
ENV CACERT_FILE=
|
||||
|
||||
ENV LAPI_CERT_FILE=
|
||||
ENV LAPI_KEY_FILE=
|
||||
|
||||
ENV CLIENT_CERT_FILE=
|
||||
ENV CLIENT_KEY_FILE=
|
||||
|
||||
# deprecated in favor of LAPI_*
|
||||
ENV CERT_FILE=
|
||||
ENV KEY_FILE=
|
||||
|
||||
# comma-separated list of allowed OU values for TLS bouncer certificates
|
||||
ENV BOUNCERS_ALLOWED_OU=
|
||||
|
||||
# comma-separated list of allowed OU values for TLS agent certificates
|
||||
ENV AGENTS_ALLOWED_OU=
|
||||
|
||||
# Install the following hub items --------------#
|
||||
|
||||
ENV COLLECTIONS=
|
||||
ENV PARSERS=
|
||||
ENV SCENARIOS=
|
||||
ENV POSTOVERFLOWS=
|
||||
|
||||
# Uninstall the following hub items ------------#
|
||||
|
||||
ENV DISABLE_COLLECTIONS=
|
||||
ENV DISABLE_PARSERS=
|
||||
ENV DISABLE_SCENARIOS=
|
||||
ENV DISABLE_POSTOVERFLOWS=
|
||||
|
||||
ENV METRICS_PORT=
|
||||
RUN yq -n '.url="http://0.0.0.0:8080"' | install -m 0600 /dev/stdin /staging/etc/crowdsec/local_api_credentials.yaml
|
||||
|
||||
ENTRYPOINT /bin/bash docker_start.sh
|
||||
|
||||
|
|
|
@ -14,17 +14,21 @@ ENV DEBCONF_NOWARNINGS="yes"
|
|||
# wizard.sh requires GNU coreutils
|
||||
RUN apt-get update && \
|
||||
apt-get install -y -q git gcc libc-dev make bash gettext binutils-gold coreutils tzdata && \
|
||||
SYSTEM="docker" make release && \
|
||||
echo "githubciXXXXXXXXXXXXXXXXXXXXXXXX" > /etc/machine-id && \
|
||||
SYSTEM="docker" make clean release && \
|
||||
cd crowdsec-v* && \
|
||||
./wizard.sh --docker-mode && \
|
||||
cd - && \
|
||||
cd - >/dev/null && \
|
||||
cscli hub update && \
|
||||
cscli collections install crowdsecurity/linux && \
|
||||
cscli parsers install crowdsecurity/whitelists && \
|
||||
go install github.com/mikefarah/yq/v4@v4.30.5
|
||||
go install github.com/mikefarah/yq/v4@v4.30.6
|
||||
|
||||
FROM debian:bullseye-slim as build-slim
|
||||
|
||||
ENV DEBIAN_FRONTEND=noninteractive
|
||||
ENV DEBCONF_NOWARNINGS="yes"
|
||||
|
||||
RUN apt-get update && \
|
||||
apt-get install -y -q --install-recommends --no-install-suggests \
|
||||
procps \
|
||||
|
@ -35,8 +39,7 @@ RUN apt-get update && \
|
|||
tzdata && \
|
||||
mkdir -p /staging/etc/crowdsec && \
|
||||
mkdir -p /staging/var/lib/crowdsec && \
|
||||
mkdir -p /var/lib/crowdsec/data \
|
||||
yq -n '.url="http://0.0.0.0:8080"' | install -m 0600 /dev/stdin /staging/etc/crowdsec/local_api_credentials.yaml
|
||||
mkdir -p /var/lib/crowdsec/data
|
||||
|
||||
COPY --from=build /go/bin/yq /usr/local/bin/yq
|
||||
COPY --from=build /etc/crowdsec /staging/etc/crowdsec
|
||||
|
@ -44,79 +47,9 @@ COPY --from=build /usr/local/bin/crowdsec /usr/local/bin/crowdsec
|
|||
COPY --from=build /usr/local/bin/cscli /usr/local/bin/cscli
|
||||
COPY --from=build /go/src/crowdsec/docker/docker_start.sh /
|
||||
COPY --from=build /go/src/crowdsec/docker/config.yaml /staging/etc/crowdsec/config.yaml
|
||||
RUN yq eval -i ".plugin_config.group = \"nogroup\"" /staging/etc/crowdsec/config.yaml
|
||||
RUN yq -n '.url="http://0.0.0.0:8080"' | install -m 0600 /dev/stdin /staging/etc/crowdsec/local_api_credentials.yaml && \
|
||||
yq eval -i ".plugin_config.group = \"nogroup\"" /staging/etc/crowdsec/config.yaml
|
||||
|
||||
# NOTE: setting default values here would overwrite the ones set in config.yaml
|
||||
# every time the container is started. We set the default in docker/config.yaml
|
||||
# and document them in docker/README.md, but keep the variables empty here.
|
||||
|
||||
ENV CONFIG_FILE=/etc/crowdsec/config.yaml
|
||||
ENV LOCAL_API_URL=
|
||||
ENV CUSTOM_HOSTNAME=localhost
|
||||
ENV PLUGIN_DIR=
|
||||
ENV DISABLE_AGENT=false
|
||||
ENV DISABLE_LOCAL_API=false
|
||||
ENV DISABLE_ONLINE_API=false
|
||||
ENV DSN=
|
||||
ENV TYPE=
|
||||
ENV TEST_MODE=false
|
||||
ENV USE_WAL=
|
||||
|
||||
# register to app.crowdsec.net
|
||||
|
||||
ENV ENROLL_INSTANCE_NAME=
|
||||
ENV ENROLL_KEY=
|
||||
ENV ENROLL_TAGS=
|
||||
|
||||
# log verbosity
|
||||
|
||||
ENV LEVEL_TRACE=
|
||||
ENV LEVEL_DEBUG=
|
||||
ENV LEVEL_INFO=
|
||||
|
||||
# TLS setup ----------------------------------- #
|
||||
|
||||
ENV AGENT_USERNAME=
|
||||
ENV AGENT_PASSWORD=
|
||||
|
||||
# TLS setup ----------------------------------- #
|
||||
|
||||
ENV USE_TLS=false
|
||||
ENV INSECURE_SKIP_VERIFY=
|
||||
|
||||
ENV CACERT_FILE=
|
||||
|
||||
ENV LAPI_CERT_FILE=
|
||||
ENV LAPI_KEY_FILE=
|
||||
|
||||
ENV CLIENT_CERT_FILE=
|
||||
ENV CLIENT_KEY_FILE=
|
||||
|
||||
# deprecated in favor of LAPI_*
|
||||
ENV CERT_FILE=
|
||||
ENV KEY_FILE=
|
||||
|
||||
# comma-separated list of allowed OU values for TLS bouncer certificates
|
||||
ENV BOUNCERS_ALLOWED_OU=
|
||||
|
||||
# comma-separated list of allowed OU values for TLS agent certificates
|
||||
ENV AGENTS_ALLOWED_OU=
|
||||
|
||||
# Install the following hub items --------------#
|
||||
|
||||
ENV COLLECTIONS=
|
||||
ENV PARSERS=
|
||||
ENV SCENARIOS=
|
||||
ENV POSTOVERFLOWS=
|
||||
|
||||
# Uninstall the following hub items ------------#
|
||||
|
||||
ENV DISABLE_COLLECTIONS=
|
||||
ENV DISABLE_PARSERS=
|
||||
ENV DISABLE_SCENARIOS=
|
||||
ENV DISABLE_POSTOVERFLOWS=
|
||||
|
||||
ENV METRICS_PORT=
|
||||
|
||||
ENTRYPOINT /bin/bash docker_start.sh
|
||||
|
||||
|
|
|
@ -179,7 +179,7 @@ To use environment variables, they should be in the format `BOUNCER_KEY_<name>=<
|
|||
|
||||
To use Docker secrets, the secret should be named `bouncer_key_<name>` with a content of `<key>`. e.g. `bouncer_key_nginx` with content `mysecretkey12345`.
|
||||
|
||||
A bouncer key can be any string but we recommend an alphanumeric value for consistency with the crowdsec-generated keys and to avoid problems with escaping special characters.
|
||||
A bouncer key can be any string but we recommend an alphanumeric value for consistency with the keys generated by crowdsec and to avoid problems with escaping special characters.
|
||||
|
||||
With TLS authentication:
|
||||
|
||||
|
@ -198,22 +198,33 @@ Using binds rather than named volumes ([complete explanation here](https://docs.
|
|||
# Reference
|
||||
## Environment Variables
|
||||
|
||||
Note for persistent configurations (i.e. bind mount or volumes): when a
|
||||
variable is set, its value may be written to the appropriate file (usually
|
||||
config.yaml) each time the container is run.
|
||||
|
||||
|
||||
| Variable | Default | Description |
|
||||
| ----------------------- | ------------------------- | ----------- |
|
||||
| `CONFIG_FILE` | `/etc/crowdsec/config.yaml` | Configuration file location |
|
||||
| `DSN` | | Process a single source in time-machine: `-e DSN="file:///var/log/toto.log"` or `-e DSN="cloudwatch:///your/group/path:stream_name?profile=dev&backlog=16h"` or `-e DSN="journalctl://filters=_SYSTEMD_UNIT=ssh.service"` |
|
||||
| `TYPE` | | [`Labels.type`](https://docs.crowdsec.net/Crowdsec/v1/references/acquisition/) for file in time-machine: `-e TYPE="<type>"` |
|
||||
| `TEST_MODE` | false | Don't run the service, only test the configuration: `-e TEST_MODE=true` |
|
||||
| `TZ` | | Set the [timezone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) to ensure the logs have a local timestamp. |
|
||||
| `LOCAL_API_URL` | `http://0.0.0.0:8080` | The LAPI URL, you need to change this when `DISABLE_LOCAL_API` is true: `-e LOCAL_API_URL="http://lapi-address:8080"` |
|
||||
| `DISABLE_AGENT` | false | Disable the agent, run a LAPI-only container |
|
||||
| `DISABLE_LOCAL_API` | false | Disable LAPI, run an agent-only container |
|
||||
| `DISABLE_ONLINE_API` | false | Disable online API registration for signal sharing |
|
||||
| `CUSTOM_HOSTNAME` | localhost | Custom hostname for LAPI registration (with agent and LAPI on the same container) |
|
||||
| `TEST_MODE` | false | Don't run the service, only test the configuration: `-e TEST_MODE=true` |
|
||||
| `TZ` | | Set the [timezone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) to ensure the logs have a local timestamp. |
|
||||
| `LOCAL_API_URL` | `http://0.0.0.0:8080` | The LAPI URL, you need to change this when `DISABLE_LOCAL_API` is true: `-e LOCAL_API_URL="http://lapi-address:8080"` |
|
||||
| `PLUGIN_DIR` | `/usr/local/lib/crowdsec/plugins/` | Directory for plugins: `-e PLUGIN_DIR="<path>"` |
|
||||
| `BOUNCER_KEY_<name>` | | Register a bouncer with the name `<name>` and a key equal to the value of the environment variable. |
|
||||
| `METRICS_PORT` | 6060 | Port to expose Prometheus metrics |
|
||||
| | | |
|
||||
| __LAPI__ | | (useless with DISABLE_LOCAL_API) |
|
||||
| `USE_WAL` | false | Enable Write-Ahead Logging with SQLite |
|
||||
| `CUSTOM_HOSTNAME` | localhost | Name for the local agent (running in the container with LAPI) |
|
||||
| | | |
|
||||
| __Agent__ | | (these don't work with DISABLE_AGENT) |
|
||||
| `TYPE` | | [`Labels.type`](https://docs.crowdsec.net/Crowdsec/v1/references/acquisition/) for file in time-machine: `-e TYPE="<type>"` |
|
||||
| `DSN` | | Process a single source in time-machine: `-e DSN="file:///var/log/toto.log"` or `-e DSN="cloudwatch:///your/group/path:stream_name?profile=dev&backlog=16h"` or `-e DSN="journalctl://filters=_SYSTEMD_UNIT=ssh.service"` |
|
||||
| | | |
|
||||
| __Bouncers__ | | |
|
||||
| `BOUNCER_KEY_<name>` | | Register a bouncer with the name `<name>` and a key equal to the value of the environment variable. |
|
||||
| | | |
|
||||
| __Console__ | | |
|
||||
| `ENROLL_KEY` | | Enroll key retrieved from [the console](https://app.crowdsec.net/) to enroll the instance. |
|
||||
|
@ -224,14 +235,16 @@ Using binds rather than named volumes ([complete explanation here](https://docs.
|
|||
| `AGENT_USERNAME` | | Agent username (to register if is LAPI or to use if it's an agent): `-e AGENT_USERNAME="machine_id"` |
|
||||
| `AGENT_PASSWORD` | | Agent password (to register if is LAPI or to use if it's an agent): `-e AGENT_PASSWORD="machine_password"` |
|
||||
| | | |
|
||||
| __TLS Auth/encryption | | |
|
||||
| `USE_TLS` | false | Enable TLS on the LAPI |
|
||||
| `CACERT_FILE` | | CA certificate bundle (optional) |
|
||||
| __TLS Encryption__ | | |
|
||||
| `USE_TLS` | false | Enable TLS encryption (either as a LAPI or agent) |
|
||||
| `CACERT_FILE` | | CA certificate bundle (for self-signed certificates) |
|
||||
| `INSECURE_SKIP_VERIFY` | | Skip LAPI certificate validation |
|
||||
| `CLIENT_CERT_FILE` | | Client TLS Certificate path (enables TLS auth) |
|
||||
| `LAPI_CERT_FILE` | | LAPI TLS Certificate path |
|
||||
| `LAPI_KEY_FILE` | | LAPI TLS Key path |
|
||||
| | | |
|
||||
| __TLS Authentication__ | | (these require USE_TLS=true) |
|
||||
| `CLIENT_CERT_FILE` | | Client TLS Certificate path (enable TLS authentication) |
|
||||
| `CLIENT_KEY_FILE` | | Client TLS Key path |
|
||||
| `LAPI_CERT_FILE` | | LAPI TLS Certificate path (required if USE_TLS) |
|
||||
| `LAPI_KEY_FILE` | | LAPI TLS Key path (required if USE_TLS) |
|
||||
| `AGENTS_ALLOWED_OU` | agent-ou | OU values allowed for agents, separated by comma |
|
||||
| `BOUNCERS_ALLOWED_OU` | bouncer-ou | OU values allowed for bouncers, separated by comma |
|
||||
| | | |
|
||||
|
@ -249,6 +262,10 @@ Using binds rather than named volumes ([complete explanation here](https://docs.
|
|||
| `LEVEL_INFO` | false | Force INFO level for the container log |
|
||||
| `LEVEL_DEBUG` | false | Force DEBUG level for the container log |
|
||||
| `LEVEL_TRACE` | false | Force TRACE level (VERY verbose) for the container log |
|
||||
| | | |
|
||||
| __Developer options__ | | |
|
||||
| `CI_TESTING` | false | Used during functional tests |
|
||||
| `DEBUG` | false | Trace the entrypoint |
|
||||
|
||||
## Volumes
|
||||
|
||||
|
|
|
@ -3,14 +3,9 @@
|
|||
# shellcheck disable=SC2292 # allow [ test ] syntax
|
||||
# shellcheck disable=SC2310 # allow "if function..." syntax with -e
|
||||
|
||||
#set -x
|
||||
#export PS4='+(${BASH_SOURCE}:${LINENO}): ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
|
||||
|
||||
set -e
|
||||
shopt -s inherit_errexit
|
||||
|
||||
#- HELPER FUNCTIONS ----------------#
|
||||
|
||||
# match true, TRUE, True, tRuE, etc.
|
||||
istrue() {
|
||||
case "$(echo "$1" | tr '[:upper:]' '[:lower:]')" in
|
||||
|
@ -27,6 +22,22 @@ isfalse() {
|
|||
fi
|
||||
}
|
||||
|
||||
if istrue "$DEBUG"; then
|
||||
set -x
|
||||
export PS4='+(${BASH_SOURCE}:${LINENO}): ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
|
||||
fi
|
||||
|
||||
if istrue "$CI_TESTING"; then
|
||||
echo "githubciXXXXXXXXXXXXXXXXXXXXXXXX" >/etc/machine-id
|
||||
fi
|
||||
|
||||
#- DEFAULTS -----------------------#
|
||||
|
||||
export CONFIG_FILE="${CONFIG_FILE:=/etc/crowdsec/config.yaml}"
|
||||
export CUSTOM_HOSTNAME="${CUSTOM_HOSTNAME:=localhost}"
|
||||
|
||||
#- HELPER FUNCTIONS ----------------#
|
||||
|
||||
# csv2yaml <string>
|
||||
# generate a yaml list from a comma-separated string of values
|
||||
csv2yaml() {
|
||||
|
@ -59,7 +70,18 @@ conf_set() {
|
|||
YAML_FILE="$CONFIG_FILE"
|
||||
fi
|
||||
YAML_CONTENT=$(cat "$YAML_FILE" 2>/dev/null || true)
|
||||
echo "$YAML_CONTENT" | yq e "$1" | install -m 0600 /dev/stdin "$YAML_FILE"
|
||||
NEW_CONTENT=$(echo "$YAML_CONTENT" | yq e "$1")
|
||||
echo "$NEW_CONTENT" | install -m 0600 /dev/stdin "$YAML_FILE"
|
||||
}
|
||||
|
||||
# conf_set_if(): used to update the configuration
|
||||
# only if a given variable is provided
|
||||
# conf_set_if "$VAR" <yq_expression> [file_path]
|
||||
conf_set_if() {
|
||||
if [ "$1" != "" ]; then
|
||||
shift
|
||||
conf_set "$@"
|
||||
fi
|
||||
}
|
||||
|
||||
# register_bouncer <bouncer_name> <bouncer_key>
|
||||
|
@ -135,43 +157,42 @@ fi
|
|||
# regenerate local agent credentials (even if agent is disabled, cscli needs a
|
||||
# connection to the API)
|
||||
cscli machines delete "$CUSTOM_HOSTNAME" 2>/dev/null || true
|
||||
if isfalse "$DISABLE_LOCAL_API" && isfalse "$USE_TLS"; then
|
||||
echo "Regenerate local agent credentials"
|
||||
cscli machines add "$CUSTOM_HOSTNAME" --auto --url "$LOCAL_API_URL"
|
||||
fi
|
||||
|
||||
if isfalse "$DISABLE_LOCAL_API"; then
|
||||
echo "Check if lapi needs to automatically register an agent"
|
||||
if isfalse "$USE_TLS" || [ "$CLIENT_CERT_FILE" = "" ]; then
|
||||
echo "Regenerate local agent credentials"
|
||||
cscli machines add "$CUSTOM_HOSTNAME" --auto
|
||||
fi
|
||||
|
||||
echo "Check if lapi needs to register an additional agent"
|
||||
# pre-registration is not needed with TLS authentication, but we can have TLS transport with user/pw
|
||||
if [ "$AGENT_USERNAME" != "" ] && [ "$AGENT_PASSWORD" != "" ] ; then
|
||||
# re-register because pw may have been changed
|
||||
# doing this generates local_api_credentials.yaml from scratch, removing any tls setting
|
||||
cscli machines add "$AGENT_USERNAME" --password "$AGENT_PASSWORD" --url "$LOCAL_API_URL" --force
|
||||
cscli machines add "$AGENT_USERNAME" --password "$AGENT_PASSWORD" -f /dev/null --force
|
||||
echo "Agent registered to lapi"
|
||||
elif isfalse "$USE_TLS"; then
|
||||
echo "TLS is disabled, the AGENT_USERNAME and AGENT_PASSWORD must be set" >&2
|
||||
fi
|
||||
fi
|
||||
|
||||
# ----------------
|
||||
|
||||
lapi_credentials_path=$(conf_get '.api.client.credentials_path')
|
||||
|
||||
conf_set 'with(select(strenv(INSECURE_SKIP_VERIFY)!=""); .api.client.insecure_skip_verify = env(INSECURE_SKIP_VERIFY))'
|
||||
conf_set_if "$LOCAL_API_URL" '.url = strenv(LOCAL_API_URL)' "$lapi_credentials_path"
|
||||
|
||||
# we only use the envvars that are actually defined
|
||||
# in case of persistent configuration
|
||||
conf_set '
|
||||
with(select(strenv(LOCAL_API_URL)!=""); .url = strenv(LOCAL_API_URL)) |
|
||||
with(select(strenv(AGENT_USERNAME)!=""); .login = strenv(AGENT_USERNAME)) |
|
||||
with(select(strenv(AGENT_PASSWORD)!=""); .password = strenv(AGENT_PASSWORD))
|
||||
' "$lapi_credentials_path"
|
||||
if istrue "$DISABLE_LOCAL_API"; then
|
||||
# we only use the envvars that are actually defined
|
||||
# in case of persistent configuration
|
||||
conf_set_if "$AGENT_USERNAME" '.login = strenv(AGENT_USERNAME)' "$lapi_credentials_path"
|
||||
conf_set_if "$AGENT_PASSWORD" '.password = strenv(AGENT_PASSWORD)' "$lapi_credentials_path"
|
||||
fi
|
||||
|
||||
conf_set_if "$INSECURE_SKIP_VERIFY" '.api.client.insecure_skip_verify = env(INSECURE_SKIP_VERIFY)'
|
||||
|
||||
# agent-only containers still require USE_TLS
|
||||
if istrue "$USE_TLS"; then
|
||||
conf_set '
|
||||
with(select(strenv(CACERT_FILE)!=""); .ca_cert_path = strenv(CACERT_FILE)) |
|
||||
with(select(strenv(CLIENT_KEY_FILE)!=""); .key_path = strenv(CLIENT_KEY_FILE)) |
|
||||
with(select(strenv(CLIENT_CERT_FILE)!=""); .cert_path = strenv(CLIENT_CERT_FILE))
|
||||
' "$lapi_credentials_path"
|
||||
# shellcheck disable=SC2153
|
||||
conf_set_if "$CACERT_FILE" '.ca_cert_path = strenv(CACERT_FILE)' "$lapi_credentials_path"
|
||||
conf_set_if "$CLIENT_KEY_FILE" '.key_path = strenv(CLIENT_KEY_FILE)' "$lapi_credentials_path"
|
||||
conf_set_if "$CLIENT_CERT_FILE" '.cert_path = strenv(CLIENT_CERT_FILE)' "$lapi_credentials_path"
|
||||
else
|
||||
conf_set '
|
||||
del(.ca_cert_path) |
|
||||
|
@ -180,12 +201,18 @@ else
|
|||
' "$lapi_credentials_path"
|
||||
fi
|
||||
|
||||
if istrue "$DISABLE_ONLINE_API"; then
|
||||
conf_set 'del(.api.server.online_client)'
|
||||
fi
|
||||
|
||||
# registration to online API for signal push
|
||||
if isfalse "$DISABLE_ONLINE_API" && [ "$CONFIG_FILE" == "/etc/crowdsec/config.yaml" ] ; then
|
||||
if isfalse "$DISABLE_ONLINE_API" ; then
|
||||
CONFIG_DIR=$(conf_get '.config_paths.config_dir')
|
||||
config_exists=$(conf_get '.api.server.online_client | has("credentials_path")')
|
||||
if isfalse "$config_exists"; then
|
||||
conf_set '.api.server.online_client = {"credentials_path": "/etc/crowdsec/online_api_credentials.yaml"}'
|
||||
cscli capi register > /etc/crowdsec/online_api_credentials.yaml
|
||||
export CONFIG_DIR
|
||||
conf_set '.api.server.online_client = {"credentials_path": strenv(CONFIG_DIR) + "/online_api_credentials.yaml"}'
|
||||
cscli capi register > "$CONFIG_DIR/online_api_credentials.yaml"
|
||||
echo "Registration to online API done"
|
||||
fi
|
||||
fi
|
||||
|
@ -214,22 +241,20 @@ if [ "$GID" != "" ]; then
|
|||
fi
|
||||
fi
|
||||
|
||||
# XXX only with LAPI
|
||||
if istrue "$USE_TLS"; then
|
||||
agents_allowed_yaml=$(csv2yaml "$AGENTS_ALLOWED_OU") \
|
||||
bouncers_allowed_yaml=$(csv2yaml "$BOUNCERS_ALLOWED_OU") \
|
||||
conf_set '
|
||||
with(select(strenv(CACERT_FILE)!=""); .api.server.tls.ca_cert_path = strenv(CACERT_FILE)) |
|
||||
with(select(strenv(LAPI_CERT_FILE)!=""); .api.server.tls.cert_file = strenv(LAPI_CERT_FILE)) |
|
||||
with(select(strenv(LAPI_KEY_FILE)!=""); .api.server.tls.key_file = strenv(LAPI_KEY_FILE)) |
|
||||
with(select(strenv(BOUNCERS_ALLOWED_OU)!=""); .api.server.tls.bouncers_allowed_ou = env(bouncers_allowed_yaml)) |
|
||||
with(select(strenv(AGENTS_ALLOWED_OU)!=""); .api.server.tls.agents_allowed_ou = env(agents_allowed_yaml)) |
|
||||
... comments=""
|
||||
'
|
||||
conf_set_if "$CACERT_FILE" '.api.server.tls.ca_cert_path = strenv(CACERT_FILE)'
|
||||
conf_set_if "$LAPI_CERT_FILE" '.api.server.tls.cert_file = strenv(LAPI_CERT_FILE)'
|
||||
conf_set_if "$LAPI_KEY_FILE" '.api.server.tls.key_file = strenv(LAPI_KEY_FILE)'
|
||||
conf_set_if "$BOUNCERS_ALLOWED_OU" '.api.server.tls.bouncers_allowed_ou = env(bouncers_allowed_yaml)'
|
||||
conf_set_if "$AGENTS_ALLOWED_OU" '.api.server.tls.agents_allowed_ou = env(agents_allowed_yaml)'
|
||||
else
|
||||
conf_set 'del(.api.server.tls)'
|
||||
fi
|
||||
|
||||
conf_set 'with(select(strenv(PLUGIN_DIR)!=""); .config_paths.plugin_dir = strenv(PLUGIN_DIR))'
|
||||
conf_set_if "$PLUGIN_DIR" '.config_paths.plugin_dir = strenv(PLUGIN_DIR)'
|
||||
|
||||
## Install collections, parsers, scenarios & postoverflows
|
||||
cscli hub update
|
||||
|
@ -336,7 +361,7 @@ if istrue "$LEVEL_INFO"; then
|
|||
ARGS="$ARGS -info"
|
||||
fi
|
||||
|
||||
conf_set 'with(select(strenv(METRICS_PORT)!=""); .prometheus.listen_port=env(METRICS_PORT))'
|
||||
conf_set_if "$METRICS_PORT" '.prometheus.listen_port=env(METRICS_PORT)'
|
||||
|
||||
# shellcheck disable=SC2086
|
||||
exec crowdsec $ARGS
|
||||
|
|
Loading…
Reference in a new issue