Merge pull request #54 from crowdsecurity/crowdsec/handle_custom_config

crowdsec: handle custom configuration in values
crowdsecurity · Jun 28, 2022 · 908f545 · 908f545
2 parents 2b1e0bb + 3117f42
commit 908f545
Show file tree

Hide file tree

Showing 11 changed files with 454 additions and 34 deletions.
diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml
@@ -30,7 +30,7 @@ jobs:
         uses: helm/[email protected]
 
       - name: Run chart-testing (lint)
-        run: helm lint ./charts/crowdsec/
+        run: helm lint ./charts/crowdsec/ -f ./charts/crowdsec/ci/crowdsec-values.yaml
 
       - name: Create kind cluster
         uses: helm/[email protected]

diff --git a/charts/crowdsec/Chart.yaml b/charts/crowdsec/Chart.yaml
@@ -43,7 +43,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.2
+version: 0.5.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/charts/crowdsec/ci/crowdsec-values.yaml b/charts/crowdsec/ci/crowdsec-values.yaml
@@ -1,20 +1,13 @@
 agent:
-  # To specify each pod you want to process it logs (pods present in the node)
   acquisition:
-    # The namespace where the pod is located
     - namespace: test
-      # The pod name
       podName: test-*
-      # as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs
       program: test
-  # Those are ENV variables
   env:
-    # As it's a test, we don't want to share signals with CrowdSec so disable the Online API.
     - name: DISABLE_ONLINE_API
       value: "true"
 
 lapi:
   env:
-    # As it's a test, we don't want to share signals with CrowdSec so disable the Online API.
     - name: DISABLE_ONLINE_API
-      value: "false"
+      value: "true"
diff --git a/charts/crowdsec/templates/_helpers.tpl b/charts/crowdsec/templates/_helpers.tpl
@@ -24,4 +24,53 @@ Generate password if not specified in values
 {{- else -}}
   {{- randAlphaNum 48 -}}
 {{- end -}}
+{{- end -}}
+
+{{/*
+  notifications parameters check
+*/}}
+{{ define "notificationsIsNotEmpty" }}
+{{- if .Values.config.notifications }}
+{{ range $fileName, $content := .Values.config.notifications }}
+{{- if $content }}
+true
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+  parsers parameters check
+*/}}
+{{ define "parsersIsNotEmpty" }}
+{{- if or (index .Values.config.parsers "s00-raw") (index .Values.config.parsers "s01-parse") (index .Values.config.parsers "s02-enrich") }}
+true
+{{- end -}}
+{{- end -}}
+
+{{/*
+  postoverflows parameters check
+*/}}
+{{ define "postoverflowsIsNotEmpty" }}
+{{- if or (index .Values.config.postoverflows "s00-enrich") (index .Values.config.postoverflows "s01-whitelist") }}
+true
+{{- end -}}
+{{- end -}}
+
+{{/*
+  lapi custom config check
+*/}}
+{{ define "lapiCustomConfigIsNotEmpty" }}
+{{- if or (index .Values.config "profiles.yaml") ((include "notificationsIsNotEmpty" .)) }}
+true
+{{- end -}}
+{{- end -}}
+
+{{/*
+  agent custom config check
+*/}}
+{{ define "agentCustomConfigIsNotEmpty" }}
+{{- if or (include "parsersIsNotEmpty" .) (.Values.config.scenarios) (.Values.config.postoverflows) }}
+true
+{{- end -}}
 {{- end -}}
diff --git a/charts/crowdsec/templates/acquis-configmap.yaml b/charts/crowdsec/templates/acquis-configmap.yaml
@@ -4,7 +4,6 @@ metadata:
   name: acquis-configmap
 data:
   acquis.yaml: |-
-    {{- $valid := required "You need to specify at least one pod for logs read" .Values.agent.acquisition }}
     {{- $container_runtime := .Values.container_runtime }}
     {{- range .Values.agent.acquisition }}
     ---

diff --git a/charts/crowdsec/templates/agent-configmap.yaml b/charts/crowdsec/templates/agent-configmap.yaml
@@ -0,0 +1,56 @@
+{{- if index .Values.config "simulation.yaml" -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: crowdsec-simulation
+data:
+  simulation.yaml: |
+{{ printf "%+v" (index .Values.config "simulation.yaml") | indent 4 }}
+{{ end }}
+---
+{{ if (include "parsersIsNotEmpty" .) }}
+{{- range $stage, $stageConfig := .Values.config.parsers -}}
+{{- if $stageConfig -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ printf "crowdsec-parsers-%s" $stage }}
+data:
+{{ range $fileName, $content := $stageConfig -}}
+  {{ printf "%s: |" $fileName | indent 2 }}
+{{ $content | indent 4 }}
+{{- end }}
+---
+{{- end }}
+{{ end }}
+{{ end -}}
+
+{{- if .Values.config.scenarios }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "crowdsec-scenarios"
+data:
+{{ range $fileName, $content := .Values.config.scenarios -}}
+  {{ printf "%s: |" $fileName | indent 2 }}
+{{ $content | indent 4 }}
+{{- end }}
+{{- end }}
+
+{{ if (include "postoverflowsIsNotEmpty" .) }}
+---
+{{- range $stage, $stageConfig := .Values.config.postoverflows -}}
+{{- if $stageConfig -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ printf "crowdsec-postoverflows-%s" $stage }}
+data:
+{{ range $fileName, $content := $stageConfig -}}
+  {{ printf "%s: |" $fileName | indent 2 }}
+{{ $content | indent 4 }}
+{{- end }}
+---
+{{- end }}
+{{ end }}
+{{ end -}}
diff --git a/charts/crowdsec/templates/agent-daemonSet.yaml b/charts/crowdsec/templates/agent-daemonSet.yaml
@@ -57,22 +57,53 @@ spec:
             containerPort: 6060
             protocol: TCP
         {{ end }}
-
         {{- if .Values.agent.persistentVolume.config.enabled }}
         command: ['sh', '-c', 'mv -n /staging/etc/crowdsec/* /etc/crowdsec_data/ && rm -rf /staging/etc/crowdsec && ln -s /etc/crowdsec_data /etc/crowdsec && ./docker_start.sh']
         {{- end }}
         volumeMounts:
-          {{- if .Values.agent.persistentVolume.config.enabled }}
+          {{- $crowdsecConfig := "/etc/crowdsec" -}}
+          {{- if .Values.agent.persistentVolume.config.enabled -}}
+          {{- $crowdsecConfig = "/etc/crowdsec_data" }}
           - name: crowdsec-agent-config
-            mountPath: /etc/crowdsec_data
-          - name: acquis-config-volume
-            mountPath: /etc/crowdsec_data/acquis.yaml
-            subPath: acquis.yaml
-          {{- else }}
+            mountPath: {{ $crowdsecConfig }}
+          {{- end }}
+          {{ if index .Values.config "simulation.yaml" }}
+          - name: crowdsec-simulation-volume
+            mountPath: {{ $crowdsecConfig }}/simulation.yaml
+            subPath: simulation.yaml
+          {{ end }}
+          {{ if (include "parsersIsNotEmpty" .) }}
+          {{- range $stage, $stageConfig := .Values.config.parsers -}}
+          {{- if $stageConfig -}}
+          {{ range $fileName, $content := $stageConfig -}}
+          - name: {{ printf "crowdsec-parsers-%s-%s" $stage (trimSuffix ".yaml" $fileName) }}
+            mountPath: {{ printf "%s/parsers/%s/%s" $crowdsecConfig $stage $fileName }}
+            subPath: {{ $fileName }}
+          {{ end }}
+          {{- end }}
+          {{- end }}
+          {{- end }}
+          {{- if .Values.config.scenarios -}}
+          {{ range $fileName, $content := .Values.config.scenarios -}}
+          - name: {{ printf "crowdsec-scenarios-%s" (trimSuffix ".yaml" $fileName) }}
+            mountPath: {{ printf "%s/scenarios/%s" $crowdsecConfig $fileName }}
+            subPath: {{ $fileName }}
+          {{ end }}
+          {{ end }}
+          {{ if (include "postoverflowsIsNotEmpty" .) }}
+          {{- range $stage, $stageConfig := .Values.config.postoverflows -}}
+          {{- if $stageConfig -}}
+          {{ range $fileName, $content := $stageConfig -}}
+          - name: {{ printf "crowdsec-postoverflows-%s-%s" $stage (trimSuffix ".yaml" $fileName) }}
+            mountPath: {{ printf "%s/postoverflows/%s/%s" $crowdsecConfig $stage $fileName }}
+            subPath: {{ $fileName }}
+          {{ end }}
+          {{- end }}
+          {{- end }}
+          {{- end }}
           - name: acquis-config-volume
-            mountPath: /etc/crowdsec/acquis.yaml
+            mountPath: {{ $crowdsecConfig }}/acquis.yaml
             subPath: acquis.yaml
-          {{- end }}
           - name: varlog
             mountPath: /var/log
           - name: varlibdockercontainers
@@ -91,6 +122,49 @@ spec:
         persistentVolumeClaim:
           claimName: {{ .Release.Name }}-agent-config-pvc
       {{- end }}
+      {{ if (include "parsersIsNotEmpty" .) }}
+      {{- range $stage, $stageConfig := .Values.config.parsers -}}
+      {{- if $stageConfig -}}
+      {{ range $fileName, $content := $stageConfig -}}
+      - name: {{ printf "crowdsec-parsers-%s-%s" $stage (trimSuffix ".yaml" $fileName) }}
+        configMap:
+          name: {{ printf "crowdsec-parsers-%s" $stage }}
+          items:
+          - key: {{ $fileName }}
+            path: {{ $fileName }}
+      {{ end }}
+      {{- end }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.config.scenarios -}}
+      {{ range $fileName, $content := .Values.config.scenarios -}}
+      - name: {{ printf "crowdsec-scenarios-%s" (trimSuffix ".yaml" $fileName) }}
+        configMap:
+          name: "crowdsec-scenarios"
+          items:
+          - key: {{ $fileName }}
+            path: {{ $fileName }}
+      {{ end }}
+      {{ end }}
+      {{ if (include "postoverflowsIsNotEmpty" .) }}
+      {{- range $stage, $stageConfig := .Values.config.postoverflows -}}
+      {{- if $stageConfig -}}
+      {{ range $fileName, $content := $stageConfig -}}
+      - name: {{ printf "crowdsec-postoverflows-%s-%s" $stage (trimSuffix ".yaml" $fileName) }}
+        configMap:
+          name: {{ printf "crowdsec-postoverflows-%s" $stage }}
+          items:
+          - key: {{ $fileName }}
+            path: {{ $fileName }}
+      {{ end }}
+      {{- end }}
+      {{- end }}
+      {{- end }}
+      {{ if index .Values.config "simulation.yaml" }}
+      - name: crowdsec-simulation-volume
+        configMap:
+          name: crowdsec-simulation
+      {{- end }}
       - name: varlibdockercontainers
         hostPath:
           path: /var/lib/docker/containers

diff --git a/charts/crowdsec/templates/lapi-configmap.yaml b/charts/crowdsec/templates/lapi-configmap.yaml
@@ -0,0 +1,33 @@
+{{- if index .Values.config "profiles.yaml" -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: crowdsec-profiles
+data:
+  profiles.yaml: |
+{{ printf "%+v" (index .Values.config "profiles.yaml") | indent 4 }}
+{{ end }}
+---
+{{- if index .Values.config "console.yaml" -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: crowdsec-console
+data:
+  console.yaml: |
+{{ printf "%+v" (index .Values.config "console.yaml") | indent 4 }}
+{{ end }}
+---
+{{ if (include "notificationsIsNotEmpty" .) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "crowdsec-notifications"
+data:
+{{ range $fileName, $content := .Values.config.notifications -}}
+{{- if $content -}}
+{{ printf "%s: |" $fileName | indent 2 }}
+{{ $content | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}