feat(crowdses): crowdses配置提交

2024-04-24 16:17:39 +08:00
@@ -10,7 +10,7 @@ spec:
  valuesContent: |-
    container_runtime: containerd
    image:
-      tag: v1.6.1
+      tag: v1.6.1-2
    config:
      config.yaml.local: |
        db_config:
@@ -20,4 +20,31 @@ spec:
          db_name:  crowdsec
          host:     postgresql-ha-pgpool.infra-data
          port:     5432
-        
+    agent:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: svccontroller.k3s.cattle.io/enablelb
+                    operator: In
+                    values:
+                      - "true"
+      acquisition:
+        - namespace: infra-net
+          podName: ingress-nginx-controller-*
+          program: nginx
+      env:
+      - name: COLLECTIONS
+        value: "crowdsecurity/nginx"
+    lapi:
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 1
+              preference:
+                matchExpressions:
+                  - key: kubernetes.io/hostname
+                    operator: In
+                    values:
+                      - alihka
@@ -1,7 +1,7 @@
 ### 调试
 ```shell
 kubectl run -i --tty --rm --restart=Never \
-  --overrides='{"apiVersion": "v1", "spec": {"nodeSelector": {"kubernetes.io/hostname": "tcc"}}}' \
+  --overrides='{"apiVersion": "v1", "spec": {"nodeSelector": {"kubernetes.io/hostname": "homea"}}}' \
  --image=busybox:1.28 \
  debug -- sh
 ```
@@ -25,7 +25,6 @@ spec:
          operator: "Exists"
          effect: "NoSchedule"
      kind: DaemonSet
-      hostNetwork: true
      dnsPolicy: None
      dnsConfig:
        nameservers:
@@ -38,8 +37,6 @@ spec:
        enabled: false
      publishService:
        enabled: false
-      extraArgs:
-        default-ssl-certificate: "infra-net/dev-cm-crt"
      config:
        use-forwarded-headers: "true"
        allow-snippet-annotations: "true"
@@ -47,4 +44,38 @@ spec:
          proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=cache:2m max_size=100m inactive=7d use_temp_path=off;
          proxy_cache_key $scheme$proxy_host$request_uri;
          proxy_cache_lock on;
-          proxy_cache_use_stale updating;
+          proxy_cache_use_stale updating;
+        server-snippet : |
+          resolver 169.254.20.10 10.43.0.10 ipv6=off;
+        # crowdsec插件配置
+        plugins: "crowdsec"
+        lua-shared-dicts: "crowdsec_cache: 50m"
+      extraArgs:
+        default-ssl-certificate: "infra-net/dev-cm-crt"
+      # crowdsec插件配置
+      extraVolumes:
+        - name: crowdsec-bouncer-plugin
+          emptyDir: {}
+      extraInitContainers:
+        - name: init-clone-crowdsec-bouncer
+          image: devcm/lua-bouncer-plugin
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: API_URL
+              value: "http://crowdsec-service.infra-monitor.svc.cluster.local:8080"
+            - name: API_KEY
+              value: "OKMrkF5QolkRMx0LRW1xzgy6uu+iJK+qlfJhgNyHSVg"
+            - name: BOUNCER_CONFIG
+              value: "/crowdsec/crowdsec-bouncer.conf"
+            - name: MODE
+              value: "stream"
+            - name: UPDATE_FREQUENCY
+              value: "60"
+          command: ['sh', '-c', "bash /docker_start.sh; mkdir -p /lua_plugins/crowdsec/; cp -R /crowdsec/* /lua_plugins/crowdsec/"]
+          volumeMounts:
+            - name: crowdsec-bouncer-plugin
+              mountPath: /lua_plugins
+      extraVolumeMounts:
+        - name: crowdsec-bouncer-plugin
+          mountPath: /etc/nginx/lua/plugins/crowdsec
+          subPath: crowdsec