diff --git a/crowdsec-docs/docs/appsec/quickstart/nginx-ingress.mdx b/crowdsec-docs/docs/appsec/quickstart/nginx-ingress.mdx index edb3bd28c..9c0105ba6 100644 --- a/crowdsec-docs/docs/appsec/quickstart/nginx-ingress.mdx +++ b/crowdsec-docs/docs/appsec/quickstart/nginx-ingress.mdx @@ -58,6 +58,28 @@ If CrowdSec is already deployed with Helm in this cluster, the repository entry ### Update CrowdSec configuration +Store the nginx bouncer key in a Kubernetes secret, following the same pattern +used by the Envoy quickstart. + +Create or update the secret used by CrowdSec LAPI: + +```yaml title="crowdsec-keys.yaml" +apiVersion: v1 +kind: Secret +metadata: + name: crowdsec-keys + namespace: crowdsec +type: Opaque +stringData: + BOUNCER_KEY_nginx_ingress_waf: "" +``` + +Apply it: + +```bash +kubectl apply -f crowdsec-keys.yaml +``` + Add this to the CrowdSec `values.yaml` with the AppSec acquisition datasource (see the [AppSec datasource](/log_processor/data_sources/appsec.md)) and the default [AppSec configuration](/appsec/configuration.md): ```yaml title="values.yaml" @@ -74,13 +96,42 @@ appsec: env: - name: COLLECTIONS value: crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules +lapi: + env: + - name: BOUNCER_KEY_nginx_ingress_waf + valueFrom: + secretKeyRef: + name: crowdsec-keys + key: BOUNCER_KEY_nginx_ingress_waf +``` + +:::warning +The Helm chart still enables the CrowdSec agent by default. If you do not want +the agent, disable it explicitly. +::: + +
+Snippet to disable the agent + +```yaml title="values.yaml" +agent: + enabled: false ``` +
+ +:::note +Although this is the same bouncer key value, you need two `Secret` objects here: +one in `crowdsec` and one in `ingress-nginx`. Kubernetes secrets are +namespace-scoped, so the ingress controller cannot read a secret from the +`crowdsec` namespace. +::: + This YAML configuration snippet exposes the important configuration items: * `listen_addr: 0.0.0.0:7422` exposes the AppSec API inside the cluster. * `appsec_configs` loads the [AppSec configuration(s)](/appsec/configuration.md) that define which rules are evaluated (in-band vs out-of-band). * The two collections provide virtual patching and generic rule coverage. - * The chart bootstraps a bouncer named `nginx_ingress_waf` using the key you export locally. + * `lapi.env` forces the `nginx_ingress_waf` bouncer key from the `crowdsec-keys` Secret. And now we apply the new configuration with: @@ -98,6 +149,26 @@ You should see `crowdsec-agent` pods, the `crowdsec-lapi` pod and the `crowdsec- ## Enable the CrowdSec Lua plugin on NGINX Ingress +Create the secret holding the same CrowdSec bouncer key in the +`ingress-nginx` namespace: + +```yaml title="crowdsec-ingress-bouncer-secret.yaml" +apiVersion: v1 +kind: Secret +metadata: + name: crowdsec-ingress-bouncer-secrets + namespace: ingress-nginx +type: Opaque +stringData: + api-key: "" +``` + +Apply it: + +```bash +kubectl apply -f crowdsec-ingress-bouncer-secret.yaml +``` + To extend the ingress controller with the CrowdSec plugin and point it to the AppSec API, create the file named `ingress-values.yaml`. You can read the entire file in the snippet below. @@ -107,8 +178,8 @@ controller: image: registry: docker.io image: crowdsecurity/controller - tag: v1.13.2 - digest: sha256:4575be24781cad35f8e58437db6a3f492df2a3167fed2b6759a6ff0dc3488d56 + tag: v1.14.3 + digest: sha256:9ab8791635f4cde9964ab2562fb8b15faf72fe0205f0fe288089a87e1455675d extraVolumes: - name: crowdsec-bouncer-plugin emptyDir: {} 
@@ -120,7 +191,10 @@ controller: - name: API_URL value: "http://crowdsec-service.crowdsec.svc.cluster.local:8080" - name: API_KEY - value: privateKey-foo + valueFrom: + secretKeyRef: + name: crowdsec-ingress-bouncer-secrets + key: api-key - name: BOUNCER_CONFIG value: "/crowdsec/crowdsec-bouncer.conf" - name: APPSEC_URL @@ -153,13 +227,13 @@ controller: plugins: "crowdsec" lua-shared-dicts: "crowdsec_cache: 50m" server-snippet: | - lua_ssl_trusted_certificate "/etc/ssl/certs/ca-certificates.crt" + lua_ssl_trusted_certificate "/etc/ssl/certs/ca-certificates.crt"; resolver local=on ipv6=off; ``` - `API_URL` targets the Local API service exposed by the Helm chart. -- `API_KEY` defines the key for the bouncer to be able to connect to CrowdSec LAPI +- `API_KEY` is read from the `crowdsec-ingress-bouncer-secrets` Secret in the `ingress-nginx` namespace. - `APPSEC_URL` points to the AppSec service; keep the namespace in sync with your CrowdSec release. - The plugin copies the Lua files from the init container into an `emptyDir` that is mounted at runtime. @@ -184,8 +258,8 @@ controller: image: registry: docker.io image: crowdsecurity/controller - tag: v1.13.2 - digest: sha256:... + tag: v1.14.3 + digest: sha256:9ab8791635f4cde9964ab2562fb8b15faf72fe0205f0fe288089a87e1455675d ``` The controller image is replaced with a CrowdSec-enabled build that includes the @@ -212,7 +286,10 @@ extraInitContainers: - name: API_URL value: "http://crowdsec-service.crowdsec.svc.cluster.local:8080" - name: API_KEY - value: privateKey-foo + valueFrom: + secretKeyRef: + name: crowdsec-ingress-bouncer-secrets + key: api-key - name: BOUNCER_CONFIG value: "/crowdsec/crowdsec-bouncer.conf" - name: APPSEC_URL diff --git a/crowdsec-docs/unversioned/bouncers/ingress-nginx.mdx b/crowdsec-docs/unversioned/bouncers/ingress-nginx.mdx index 7ef4273a6..28afc63f8 100644 --- a/crowdsec-docs/unversioned/bouncers/ingress-nginx.mdx +++ b/crowdsec-docs/unversioned/bouncers/ingress-nginx.mdx 
@@ -57,6 +57,66 @@ The Ingress nginx controller should be installed using the [official helm chart] First you need to create new ingress-nginx chart values file (`crowdsec-ingress-values.yaml`) to upgrade the ingress controller with the crowdsec plugin. +Store the CrowdSec bouncer key in Kubernetes Secrets instead of embedding it +directly in the Helm values. + +Create or update the secret used by CrowdSec LAPI: + +```yaml title="crowdsec-keys.yaml" +apiVersion: v1 +kind: Secret +metadata: + name: crowdsec-keys + namespace: crowdsec +type: Opaque +stringData: + BOUNCER_KEY_nginx_ingress_waf: "" +``` + +Apply it: + +```bash +kubectl apply -f crowdsec-keys.yaml +``` + +Then reference it from your CrowdSec values: + +```yaml title="crowdsec-values.yaml" +lapi: + env: + - name: BOUNCER_KEY_nginx_ingress_waf + valueFrom: + secretKeyRef: + name: crowdsec-keys + key: BOUNCER_KEY_nginx_ingress_waf +``` + +:::note +Although this is the same bouncer key value, you need two `Secret` objects here: +one in `crowdsec` and one in `ingress-nginx`. Kubernetes secrets are +namespace-scoped, so the ingress controller cannot read a secret from the +`crowdsec` namespace. +::: + +Create the secret holding the same key in the `ingress-nginx` namespace: + +```yaml title="crowdsec-ingress-bouncer-secret.yaml" +apiVersion: v1 +kind: Secret +metadata: + name: crowdsec-ingress-bouncer-secrets + namespace: ingress-nginx +type: Opaque +stringData: + api-key: "" +``` + +Apply it: + +```bash +kubectl apply -f crowdsec-ingress-bouncer-secret.yaml +``` + :::warning Lua support has been removed from mainline ingress nginx in version 1.12. As 
@@ -70,9 +130,9 @@ controller: PullPolicy: IfNotPresent image: crowdsecurity/controller # Crowdsec Remediation with Ingress Nginx requires to use our controller image - tag: v1.13.2 + tag: v1.14.3 # If you update the tag, the digest needs to be updated as well - digest: sha256:4575be24781cad35f8e58437db6a3f492df2a3167fed2b6759a6ff0dc3488d56 + digest: sha256:9ab8791635f4cde9964ab2562fb8b15faf72fe0205f0fe288089a87e1455675d registry: docker.io extraVolumes: - name: crowdsec-bouncer-plugin @@ -85,7 +145,10 @@ controller: - name: API_URL value: "http://crowdsec-service.crowdsec.svc.cluster.local:8080" # crowdsec lapi service-name - name: API_KEY - value: "" # generated with `cscli bouncers add + valueFrom: + secretKeyRef: + name: crowdsec-ingress-bouncer-secrets + key: api-key - name: BOUNCER_CONFIG value: "/crowdsec/crowdsec-bouncer.conf" - name: CAPTCHA_PROVIDER @@ -133,36 +196,19 @@ controller: resolver local=on ipv6=off; ``` -
- You already have a deployed ingress nginx - -This values.yaml upgrade your ingress deployment to add crowdsec lua lib as a -plugin and run with the crowdsec maintained nginx ingress controller with lua -support. It uses [this docker +Use this values file to deploy or upgrade ingress-nginx with the CrowdSec Lua +plugin and the CrowdSec-maintained ingress controller image with Lua support. +It uses [this docker image](https://hub.docker.com/r/crowdsecurity/lua-bouncer-plugin) to copy the -crowdsec lua library. You can upgrade the ingress-nginx using this `crowdsec-ingress-values.yaml` +CrowdSec Lua library. ```bash -helm -n ingress-nginx upgrade -f ingress-nginx-values.yaml -f crowdsec-ingress-values.yaml ingress-nginx/ingress-nginx +helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx \ + -n ingress-nginx \ + --create-namespace \ + -f crowdsec-ingress-values.yaml ``` -
- -
- You don't have a deployed ingress nginx - -This values.yaml install your ingress deployment to add crowdsec lua lib as a -plugin and run with the crowdsec maintained nginx ingress controller with lua -support. It uses [this docker -image](https://hub.docker.com/r/crowdsecurity/lua-bouncer-plugin) to copy the -crowdsec lua library. You can install the ingress-nginx using this `crowdsec-ingress-values.yaml` - -```bash -helm -n ingress-nginx install -f crowdsec-ingress-values.yaml ingress-nginx ingress-nginx/ingress-nginx -``` - -
- And then check if the ingress controller is running well. ```bash diff --git a/crowdsec-docs/versioned_docs/version-v1.7/appsec/quickstart/nginx-ingress.mdx b/crowdsec-docs/versioned_docs/version-v1.7/appsec/quickstart/nginx-ingress.mdx index dedefeac7..6a265e97d 100644 --- a/crowdsec-docs/versioned_docs/version-v1.7/appsec/quickstart/nginx-ingress.mdx +++ b/crowdsec-docs/versioned_docs/version-v1.7/appsec/quickstart/nginx-ingress.mdx @@ -58,6 +58,28 @@ If CrowdSec is already deployed with Helm in this cluster, the repository entry ### Update CrowdSec configuration +Store the nginx bouncer key in a Kubernetes secret, following the same pattern +used by the Envoy quickstart. + +Create or update the secret used by CrowdSec LAPI: + +```yaml title="crowdsec-keys.yaml" +apiVersion: v1 +kind: Secret +metadata: + name: crowdsec-keys + namespace: crowdsec +type: Opaque +stringData: + BOUNCER_KEY_nginx_ingress_waf: "" +``` + +Apply it: + +```bash +kubectl apply -f crowdsec-keys.yaml +``` + Add this to the CrowdSec `values.yaml` with the AppSec acquisition datasource (see the [AppSec datasource](/log_processor/data_sources/appsec.md)) and the default [AppSec configuration](/appsec/configuration.md): ```yaml title="values.yaml" @@ -74,13 +96,35 @@ appsec: env: - name: COLLECTIONS value: crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules +lapi: + env: + - name: BOUNCER_KEY_nginx_ingress_waf + valueFrom: + secretKeyRef: + name: crowdsec-keys + key: BOUNCER_KEY_nginx_ingress_waf ``` +:::warning +The Helm chart still enables the CrowdSec agent by default. If you do not want +the agent, disable it explicitly. +::: + +
+Snippet to disable the agent + +```yaml title="values.yaml" +agent: + enabled: false +``` + +
+ This YAML configuration snippet exposes the important configuration items: * `listen_addr: 0.0.0.0:7422` exposes the AppSec API inside the cluster. * `appsec_configs` loads the [AppSec configuration(s)](/appsec/configuration.md) that define which rules are evaluated (in-band vs out-of-band). * The two collections provide virtual patching and generic rule coverage. - * The chart bootstraps a bouncer named `nginx_ingress_waf` using the key you export locally. + * `lapi.env` forces the `nginx_ingress_waf` bouncer key from the `crowdsec-keys` Secret. And now we apply the new configuration with: @@ -98,6 +142,26 @@ You should see `crowdsec-agent` pods, the `crowdsec-lapi` pod and the `crowdsec- ## Enable the CrowdSec Lua plugin on NGINX Ingress +Create the secret holding the same CrowdSec bouncer key in the +`ingress-nginx` namespace: + +```yaml title="crowdsec-ingress-bouncer-secret.yaml" +apiVersion: v1 +kind: Secret +metadata: + name: crowdsec-ingress-bouncer-secrets + namespace: ingress-nginx +type: Opaque +stringData: + api-key: "" +``` + +Apply it: + +```bash +kubectl apply -f crowdsec-ingress-bouncer-secret.yaml +``` + To extend the ingress controller with the CrowdSec plugin and point it to the AppSec API, create the file named `ingress-values.yaml`. You can read the entire file in the snippet below. @@ -120,7 +184,10 @@ controller: - name: API_URL value: "http://crowdsec-service.crowdsec.svc.cluster.local:8080" - name: API_KEY - value: privateKey-foo + valueFrom: + secretKeyRef: + name: crowdsec-ingress-bouncer-secrets + key: api-key - name: BOUNCER_CONFIG value: "/crowdsec/crowdsec-bouncer.conf" - name: APPSEC_URL 
@@ -153,13 +220,13 @@ controller: plugins: "crowdsec" lua-shared-dicts: "crowdsec_cache: 50m" server-snippet: | - lua_ssl_trusted_certificate "/etc/ssl/certs/ca-certificates.crt" + lua_ssl_trusted_certificate "/etc/ssl/certs/ca-certificates.crt"; resolver local=on ipv6=off; ``` - `API_URL` targets the Local API service exposed by the Helm chart. -- `API_KEY` defines the key for the bouncer to be able to connect to CrowdSec LAPI +- `API_KEY` is read from the `crowdsec-ingress-bouncer-secrets` Secret in the `ingress-nginx` namespace. - `APPSEC_URL` points to the AppSec service; keep the namespace in sync with your CrowdSec release. - The plugin copies the Lua files from the init container into an `emptyDir` that is mounted at runtime. @@ -212,7 +279,10 @@ extraInitContainers: - name: API_URL value: "http://crowdsec-service.crowdsec.svc.cluster.local:8080" - name: API_KEY - value: privateKey-foo + valueFrom: + secretKeyRef: + name: crowdsec-ingress-bouncer-secrets + key: api-key - name: BOUNCER_CONFIG value: "/crowdsec/crowdsec-bouncer.conf" - name: APPSEC_URL
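Review bot: In the `@@ -58,6 +58,28 @@` hunk of the unversioned quickstart (and its twins in the v1.7 copy and the bouncer page's `@@ -57,6 +57,66 @@`), the Secret ships as `BOUNCER_KEY_nginx_ingress_waf: ""` and nothing tells the reader what goes there, while the bouncer page's `@@ -85,7 +145,10 @@` hunk drops the old `# generated with \`cscli bouncers add` hint, so the only pointer to where the key comes from is gone. Add one sentence to the Secret step stating that the value is a random string the operator generates (for example with `openssl rand -hex 32`) and that the `BOUNCER_KEY_<name>` variable makes LAPI register the `nginx_ingress_waf` bouncer with it, which is why `cscli bouncers add` is no longer needed. Since the manifest now holds a plaintext credential, also consider showing `kubectl create secret generic crowdsec-keys -n crowdsec --from-literal=BOUNCER_KEY_nginx_ingress_waf="$KEY"` as an alternative so the key never has to be written to a file.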
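Review bot: In the `@@ -74,13 +96,42 @@` hunk of the unversioned quickstart, the `:::note` explaining that two `Secret` objects are needed refers to the `ingress-nginx` Secret before the page has introduced it (that Secret only appears later, in the `## Enable the CrowdSec Lua plugin on NGINX Ingress` hunk), and the v1.7 copy of the same hunk (`@@ -74,13 +96,35 @@`) omits the note entirely, so the two copies already diverge. Move the note next to the second Secret in both files. Two smaller points in the same hunk: the bullet `lapi.env forces the nginx_ingress_waf bouncer key` reads oddly, "registers" or "sets" is clearer; and in the v1.7 hunk the `:::warning` admonition directly follows the closing fence with no blank line, unlike the unversioned copy, which is worth aligning.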
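Review bot: In the `@@ -98,6 +149,26 @@` hunk (and `@@ -98,6 +142,26 @@` in the v1.7 copy), the second Secret `crowdsec-ingress-bouncer-secrets` must carry exactly the same value as `BOUNCER_KEY_nginx_ingress_waf`, but with two hand-edited manifests nothing enforces that, and a mismatch only surfaces as the bouncer failing to authenticate against LAPI. Suggest telling the reader to create both Secrets from one shell variable, and adding a one-line check such as `kubectl -n crowdsec get secret crowdsec-keys -o jsonpath='{.data.BOUNCER_KEY_nginx_ingress_waf}' | base64 -d` compared with the same command against `crowdsec-ingress-bouncer-secrets` in `ingress-nginx` and key `api-key`.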
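Review bot: The image bump in `@@ -107,8 +178,8 @@` and `@@ -184,8 +258,8 @@` (and `@@ -70,9 +130,9 @@` on the bouncer page) pins `tag: v1.14.3` with `digest: sha256:9ab8791635f4cde9964ab2562fb8b15faf72fe0205f0fe288089a87e1455675d`; please confirm in the PR that this digest is the multi-arch manifest list for that tag rather than one platform's image, since a platform-specific digest would fail to pull on the other architecture. Also note that the v1.7 versioned quickstart receives no tag/digest hunk at all, so after this change it no longer matches the unversioned quickstart; if that is intended, say so in the commit message.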
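Review bot: The `@@ -153,13 +227,13 @@` hunk (and `@@ -153,13 +220,13 @@` in the v1.7 copy) quietly fixes a real bug, the missing `;` after `lua_ssl_trusted_certificate "/etc/ssl/certs/ca-certificates.crt"`, which would have made the `server-snippet` invalid nginx configuration; call that out in the commit message rather than burying it in a secrets change. The bouncer page's `@@ -133,36 +196,19 @@` hunk only shows the `resolver local=on ipv6=off;` line of the same snippet, so please check that copy carries the semicolon too.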
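Review bot: In the bouncer page's `@@ -133,36 +196,19 @@` hunk, the removed upgrade path passed the operator's own `-f ingress-nginx-values.yaml` ahead of the CrowdSec overrides, but the replacement `helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx -n ingress-nginx --create-namespace -f crowdsec-ingress-values.yaml` supplies only the CrowdSec file; on an existing release, `helm upgrade` with `-f` replaces the release values with the supplied ones plus chart defaults, so any customisation the operator had set is dropped unless `--reuse-values` is also given. Keep one sentence for the upgrade case, for instance "if ingress-nginx is already deployed, pass your existing values files before `-f crowdsec-ingress-values.yaml`".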
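Review bot: The `API_KEY` change in `@@ -120,7 +191,10 @@` and `@@ -212,7 +286,10 @@` (plus the bouncer page's `@@ -85,7 +145,10 @@` and the v1.7 twins) makes the Secret a hard prerequisite: if `crowdsec-ingress-bouncer-secrets` is missing from `ingress-nginx`, the controller pod cannot start its containers and sits in `CreateContainerConfigError`, which is a new failure mode the old literal `value: privateKey-foo` did not have. The step ordering in the page is correct, but the "check if the ingress controller is running well" step that follows should name that symptom and point back to the Secret, so a reader who ran the Helm command first knows what went wrong.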