Regenerate chart README.md

crowdsecurity · Nov 18, 2024 · acc4f86 · acc4f86
1 parent f4f4ef5
commit acc4f86
Showing 1 changed file with 19 additions and 142 deletions.
diff --git a/charts/crowdsec/README.md b/charts/crowdsec/README.md
@@ -59,7 +59,6 @@ lapi:
   # Specify your external DB password here
   extraSecrets:
     dbPassword: <externalDbPassword>
-  storeCAPICredentialsInSecret: true
   persistentVolume:
     # When replicas for LAPI is greater than 1, two options, persistent volumes must be disabled, or in ReadWriteMany mode
     config:
@@ -76,147 +75,6 @@ lapi:
           key: dbPassword
 ```
 
-## Setup for AppSec (WAF)
-
-Below a basic configuration for AppSec (WAF)
-
-```
-# your-values.yaml (option 1)
-appsec:
-  enabled: true
-  acquisitions:
-    - source: appsec
-      listen_addr: "0.0.0.0:7422"
-      path: /
-      appsec_config: crowdsecurity/virtual-patching
-      labels:
-        type: appsec
-  env:
-    - name: COLLECTIONS
-      value: "crowdsecurity/appsec-virtual-patching"
-
-# This allows the LAPI pod to register and communicate with the appsec pod
-config:
-  config.yaml.local: |
-    api:
-      server:
-        auto_registration:
-          enabled: true
-          token: "${REGISTRATION_TOKEN}" # /!\ Do not modify this variable (auto-generated and handled by the chart)
-          allowed_ranges:
-            - "127.0.0.1/32"
-            - "192.168.0.0/16"
-            - "10.0.0.0/8"
-            - "172.16.0.0/12"
-```
-
-Or you can also use your own custom configurations and rules for AppSec:
-
-```
-# your-values.yaml (option 2)
-appsec:
-  enabled: true
-  acquisitions:
-    - source: appsec
-      listen_addr: "0.0.0.0:7422"
-      path: /
-      appsec_config: crowdsecurity/crs-vpatch
-      labels:
-        type: appsec
-  configs:
-    mycustom-appsec-config.yaml: |
-      name: crowdsecurity/crs-vpatch
-      default_remediation: ban
-      #log_level: debug
-      outofband_rules:
-        - crowdsecurity/crs
-      inband_rules:
-        - crowdsecurity/base-config 
-        - crowdsecurity/vpatch-*
-  env:
-    - name: COLLECTIONS
-      value: "crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-crs"
-
-# This allows the LAPI pod to register and communicate with the appsec pod
-config:
-  config.yaml.local: |
-    api:
-      server:
-        auto_registration:
-          enabled: true
-          token: "${REGISTRATION_TOKEN}" # /!\ Do not modify this variable (auto-generated and handled by the chart)
-          allowed_ranges:
-            - "127.0.0.1/32"
-            - "192.168.0.0/16"
-            - "10.0.0.0/8"
-            - "172.16.0.0/12"
-```
-
-### With Traefik
-
-In the traefik `values.yaml`, you need to add the following configuration:
-
-```
-# traefik-values.yaml
-experimental:
-  plugins:
-    crowdsec-bouncer:
-      moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
-      version: v1.3.3
-additionalArguments:
-  - "--entrypoints.web.http.middlewares=<NAMESPACE>-crowdsec-bouncer@kubernetescrd"
-  - "--entrypoints.websecure.http.middlewares=<NAMESPACE>-crowdsec-bouncer@kubernetescrd"
-  - "--providers.kubernetescrd"
-```
-
-And then, you can apply this middleware to your traefik ingress:
-
-```
-# crowdsec-bouncer-middleware.yaml
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: crowdsec-bouncer
-  namespace: default
-spec:
-  plugin:
-    crowdsec-bouncer:
-      enabled: true
-      crowdsecMode: appsec
-      crowdsecAppsecEnabled: true
-      crowdsecAppsecHost: crowdsec-appsec-service:7422
-      crowdsecLapiScheme: http
-      crowdsecLapiHost: crowdsec-service:8080
-      crowdsecLapiKey: "<YOUR_BOUNCER_KEY>"
-```
-
-### With Ingrees Nginx
-
-Following [this documentation](https://docs.crowdsec.net/u/bouncers/ingress-nginx).
-
-In the nginx ingress `upgrade-values.yaml`, you need to add the following configuration:
-
-```
-controller:
-  extraInitContainers:
-    - name: init-clone-crowdsec-bouncer
-      env:
-        - name: APPSEC_URL
-          value: "http://crowdsec-appsec-service.default.svc.cluster.local:7422"
-        - name: APPSEC_FAILURE_ACTION
-          value: "passthrough"
-        - name: APPSEC_CONNECT_TIMEOUT
-          value: "100"
-        - name: APPSEC_SEND_TIMEOUT
-          value: "100"
-        - name: APPSEC_PROCESS_TIMEOUT
-          value: "1000"
-        - name: ALWAYS_SEND_TO_APPSEC
-          value: "false"
-        - name: SSL_VERIFY
-          value: "true"
-```
-
 ## Values
 
 | Key | Type | Default | Description |
@@ -294,6 +152,7 @@ controller:
 | lapi.secrets.csLapiSecret | string | `""` | Shared LAPI secret. Will be generated randomly if not specified. Size must be > 64 characters |
 | lapi.extraSecrets | object | `{}` | Any extra secrets you may need (for example, external DB password) |
 | lapi.lifecycle | object | `{}` |  |
+| lapi.storeCAPICredentialsInSecret | bool | `false` | If set to true, the Central API credentials will be stored in a secret (to use when lapi replicas > 1) |
 | agent.additionalAcquisition | list | `[]` | To add custom acquisitions using available datasources (https://docs.crowdsec.net/docs/next/data_sources/intro) |
 | agent.acquisition[0] | object | `{"namespace":"","podName":"","poll_without_inotify":false,"program":""}` | Specify each pod you want to process it logs (namespace, podName and program) |
 | agent.acquisition[0].podName | string | `""` | to select pod logs to process |
@@ -333,4 +192,22 @@ controller:
 | agent.wait_for_lapi.image.repository | string | `"busybox"` | docker image repository name |
 | agent.wait_for_lapi.image.pullPolicy | string | `"IfNotPresent"` | pullPolicy |
 | agent.wait_for_lapi.image.tag | string | `"1.28"` | docker image tag |
+| appsec | object | `{"acquisitions":[],"affinity":{},"configs":{},"deployAnnotations":{},"enabled":false,"env":null,"extraInitContainers":[],"metrics":{"enabled":true,"serviceMonitor":{"additionalLabels":{},"enabled":false}},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"priorityClassName":"","resources":{"limits":{"cpu":"500m","memory":"250Mi"},"requests":{"cpu":"500m","memory":"250Mi"}},"rules":{},"service":{"annotations":{},"externalIPs":[],"externalTrafficPolicy":"Cluster","labels":{},"loadBalancerClass":null,"loadBalancerIP":null,"type":"ClusterIP"},"strategy":{"type":"Recreate"},"tolerations":[]}` | Enable AppSec (https://docs.crowdsec.net/docs/next/appsec/intro) |
+| appsec.enabled | bool | `false` | Enable AppSec (by default disabled) |
+| appsec.acquisitions | list | `[]` | Additional acquisitions for AppSec |
+| appsec.configs | object | `{}` | appsec_configs (https://docs.crowdsec.net/docs/next/appsec/configuration): key is the filename, value is the config content |
+| appsec.rules | object | `{}` | appsec_rules (https://docs.crowdsec.net/docs/next/appsec/rules_syntax) |
+| appsec.env | string | `nil` | environment variables |
+| appsec.deployAnnotations | object | `{}` | appsec deployment annotations |
+| appsec.strategy | object | `{"type":"Recreate"}` | strategy for appsec deployment |
+| appsec.podAnnotations | object | `{}` | podAnnotations for appsec deployment |
+| appsec.podLabels | object | `{}` | podLabels for appsec deployment |
+| appsec.tolerations | list | `[]` | tolerations for appsec deployment |
+| appsec.nodeSelector | object | `{}` | nodeSelector for appsec deployment |
+| appsec.affinity | object | `{}` | affinity for appsec deployment |
+| appsec.priorityClassName | string | `""` | priorityClassName for appsec deployment |
+| appsec.extraInitContainers | list | `[]` | extraInitContainers for appsec deployment |
+| appsec.resources | object | `{"limits":{"cpu":"500m","memory":"250Mi"},"requests":{"cpu":"500m","memory":"250Mi"}}` | resources for appsec deployment |
+| appsec.metrics | object | `{"enabled":true,"serviceMonitor":{"additionalLabels":{},"enabled":false}}` | Enable service monitoring (exposes "metrics" port "6060" for Prometheus and "7422" for AppSec)  |
+| appsec.metrics.serviceMonitor | object | `{"additionalLabels":{},"enabled":false}` | See also: https://github.com/prometheus-community/helm-charts/issues/106#issuecomment-700847774 |