add appsec in crowdsec chart

charts/crowdsec/README.md

@@ -75,6 +75,118 @@ lapi:
           key: dbPassword
 ```
 
+## Setup for AppSec (WAF) with Traefik bouncer as example
+
+Below a basic configuration for AppSec (WAF)
+
+```
+# your-values.yaml (option 1)
+appsec:
+  enabled: true
+  acquisitions:
+    - source: appsec
+      listen_addr: "0.0.0.0:7422"
+      path: /
+      appsec_config: crowdsecurity/virtual-patching
+      labels:
+        type: appsec
+  env:
+    - name: COLLECTIONS
+      value: "crowdsecurity/appsec-virtual-patching"
+
+# This allows the LAPI pod to register and communicate with the appsec pod
+config:
+  config.yaml.local: |
+    api:
+      server:
+        auto_registration:
+          enabled: true
+          token: "${REGISTRATION_TOKEN}"
+          allowed_ranges:
+            - "127.0.0.1/32"
+            - "192.168.0.0/16"
+            - "10.0.0.0/8"
+            - "172.16.0.0/12"
+```
+
+Or you can also use your own custom configurations and rules for AppSec:
+
+```
+# your-values.yaml (option 2)
+appsec:
+  enabled: true
+  acquisitions:
+    - source: appsec
+      listen_addr: "0.0.0.0:7422"
+      path: /
+      appsec_config: crowdsecurity/crs-vpatch
+      labels:
+        type: appsec
+  configs:
+    mycustom-appsec-config.yaml: |
+      name: crowdsecurity/crs-vpatch
+      default_remediation: ban
+      #log_level: debug
+      outofband_rules:
+        - crowdsecurity/crs
+      inband_rules:
+        - crowdsecurity/base-config 
+        - crowdsecurity/vpatch-*
+  env:
+    - name: COLLECTIONS
+      value: "crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-crs"
+
+# This allows the LAPI pod to register and communicate with the appsec pod
+config:
+  config.yaml.local: |
+    api:
+      server:
+        auto_registration:
+          enabled: true
+          token: "${REGISTRATION_TOKEN}"
+          allowed_ranges:
+            - "127.0.0.1/32"
+            - "192.168.0.0/16"
+            - "10.0.0.0/8"
+            - "172.16.0.0/12"
+```
+
+In the traefik `values.yaml`, you need to add the following configuration:
+
+```
+# traefik-values.yaml
+experimental:
+  plugins:
+    crowdsec-bouncer:
+      moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
+      version: v1.3.3
+additionalArguments:
+  - "--entrypoints.web.http.middlewares=<NAMESPACE>-crowdsec-bouncer@kubernetescrd"
+  - "--entrypoints.websecure.http.middlewares=<NAMESPACE>-crowdsec-bouncer@kubernetescrd"
+  - "--providers.kubernetescrd"
+```
+
+And then, you can apply this middleware to your traefik ingress:
+
+```
+# crowdsec-bouncer-middleware.yaml
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: crowdsec-bouncer
+  namespace: default
+spec:
+  plugin:
+    crowdsec-bouncer:
+      enabled: true
+      crowdsecMode: appsec
+      crowdsecAppsecEnabled: true
+      crowdsecAppsecHost: crowdsec-appsec-service:7422
+      crowdsecLapiScheme: http
+      crowdsecLapiHost: crowdsec-service:8080
+      crowdsecLapiKey: "<YOUR_BOUNCER_KEY>"
+```
+
 ## Values
 
 | Key | Type | Default | Description |

charts/crowdsec/ci/crowdsec-values.yaml

@@ -1,3 +1,15 @@
+config:
+  config.yaml.local: |
+    api:
+      server:
+        auto_registration:
+          enabled: true
+          token: "${REGISTRATION_TOKEN}"
+          allowed_ranges:
+            - "127.0.0.1/32"
+            - "192.168.0.0/16"
+            - "10.0.0.0/8"
+            - "172.16.0.0/12"
 agent:
   additionalAcquisition:
     - source: file
@@ -74,3 +86,26 @@ lapi:
       share_manual_decisions: true
       share_tainted: true
       share_custom: true
+
+appsec:
+  enabled: true
+  acquisitions:
+    - source: appsec
+      listen_addr: "0.0.0.0:7422"
+      path: /
+      appsec_config: crowdsecurity/crs-vpatch
+      labels:
+        type: appsec
+  configs:
+    mycustom-appsec-config.yaml: |
+      name: crowdsecurity/crs-vpatch
+      default_remediation: ban
+      #log_level: debug
+      outofband_rules:
+        - crowdsecurity/crs
+      inband_rules:
+        - crowdsecurity/base-config 
+        - crowdsecurity/vpatch-*
+  env:
+    - name: COLLECTIONS
+      value: "crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-crs"

charts/crowdsec/templates/NOTES.txt

@@ -7,6 +7,11 @@ http://{{ .Values.lapi.ingress.host }}
 http://{{ .Release.Name }}-service:8080
 {{- end }}
 
+{{- if .Values.appsec.enabled }}
+## AppSec URL
+http://{{ .Release.Name }}-appsec-service:7422
+{{- end }}
+
 {{ if .Values.lapi.dashboard.enabled }}
 ## Dashboard information
 

charts/crowdsec/templates/appsec-configmap.yaml

@@ -0,0 +1,41 @@
+# vim: set ft=gotmpl:
+---
+
+{{- if .Values.appsec.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: appsec-acquis-config
+data:
+  acquis.yaml: |-
+    {{- range .Values.appsec.acquisitions }}
+    ---
+    {{. | toYaml | nindent 4}}
+    {{- end }}
+{{- end }}
+
+---
+{{- if .Values.appsec.configs }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "crowdsec-appsec-configs"
+data:
+{{ range $fileName, $content := .Values.appsec.configs -}}
+  {{ printf "%s: |" $fileName | indent 2 }}
+{{ $content | indent 4 }}
+{{ end }}
+{{- end }}
+
+---
+{{- if .Values.appsec.rules }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "crowdsec-appsec-rules"
+data:
+{{ range $fileName, $content := .Values.appsec.rules -}}
+  {{ printf "%s: |" $fileName | indent 2 }}
+{{ $content | indent 4 }}
+{{ end }}
+{{- end }}