diff --git a/apps/crowdsec/helmchart.yaml b/apps/crowdsec/helmchart.yaml
index bb7ed23..bc7948c 100644
--- a/apps/crowdsec/helmchart.yaml
+++ b/apps/crowdsec/helmchart.yaml
@@ -10,7 +10,7 @@ spec:
 valuesContent: |-
 container_runtime: containerd
 image:
- tag: v1.6.1
+ tag: v1.6.1-2
 config:
 config.yaml.local: |
 db_config:
@@ -20,4 +20,31 @@ spec:
 db_name: crowdsec
 host: postgresql-ha-pgpool.infra-data
 port: 5432
-
\ No newline at end of file
+ agent:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: svccontroller.k3s.cattle.io/enablelb
+ operator: In
+ values:
+ - "true"
+ acquisition:
+ - namespace: infra-net
+ podName: ingress-nginx-controller-*
+ program: nginx
+ env:
+ - name: COLLECTIONS
+ value: "crowdsecurity/nginx"
+ lapi:
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ preference:
+ matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values:
+ - alihka
\ No newline at end of file
diff --git a/core/README.md b/core/README.md
index de90ddb..4d3f232 100644
--- a/core/README.md
+++ b/core/README.md
@@ -1,7 +1,7 @@
 ### 调试
 ```shell
 kubectl run -i --tty --rm --restart=Never \
- --overrides='{"apiVersion": "v1", "spec": {"nodeSelector": {"kubernetes.io/hostname": "tcc"}}}' \
+ --overrides='{"apiVersion": "v1", "spec": {"nodeSelector": {"kubernetes.io/hostname": "homea"}}}' \
 --image=busybox:1.28 \
 debug -- sh
 ```
diff --git a/core/nginx/helmchart.yaml b/core/nginx/helmchart.yaml
index 92bd6a2..4e424d2 100644
--- a/core/nginx/helmchart.yaml
+++ b/core/nginx/helmchart.yaml
@@ -25,7 +25,6 @@ spec:
 operator: "Exists"
 effect: "NoSchedule"
 kind: DaemonSet
- hostNetwork: true
 dnsPolicy: None
 dnsConfig:
 nameservers:
@@ -38,8 +37,6 @@ spec:
 enabled: false
 publishService:
 enabled: false
- extraArgs:
- default-ssl-certificate: "infra-net/dev-cm-crt"
 config:
 use-forwarded-headers: "true"
 allow-snippet-annotations: "true"
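Review bot: In the `apps/crowdsec/helmchart.yaml` hunk at `@@ -20,4 +20,31 @@`, the agent's `nodeAffinity` on `svccontroller.k3s.cattle.io/enablelb` and its `acquisition` of `ingress-nginx-controller-*` pods in `infra-net` presumably only yield logs if the ingress-nginx DaemonSet lands on those same nodes, and nothing in the values records that coupling; a comment such as `# agents must co-locate with the ingress-nginx DaemonSet (enablelb nodes) to read its pod logs` would keep the two charts from drifting apart. The LAPI `preferredDuringSchedulingIgnoredDuringExecution` pins a single hostname, `alihka`, with no note on why that node is preferred or what happens when it is unavailable; a one-line comment would help the next editor. Both the removed trailing line and the new last line `- alihka` end without a newline, so the file keeps producing `\ No newline at end of file` in future diffs; ending it with a newline avoids that. The `valuesContent` block scalar that encloses these values starts outside the hunk.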
@@ -47,4 +44,38 @@ spec:
 proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=cache:2m max_size=100m inactive=7d use_temp_path=off;
 proxy_cache_key $scheme$proxy_host$request_uri;
 proxy_cache_lock on;
- proxy_cache_use_stale updating;
\ No newline at end of file
+ proxy_cache_use_stale updating;
+ server-snippet : |
+ resolver 169.254.20.10 10.43.0.10 ipv6=off;
+ # crowdsec插件配置
+ plugins: "crowdsec"
+ lua-shared-dicts: "crowdsec_cache: 50m"
+ extraArgs:
+ default-ssl-certificate: "infra-net/dev-cm-crt"
+ # crowdsec插件配置
+ extraVolumes:
+ - name: crowdsec-bouncer-plugin
+ emptyDir: {}
+ extraInitContainers:
+ - name: init-clone-crowdsec-bouncer
+ image: devcm/lua-bouncer-plugin
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: API_URL
+ value: "http://crowdsec-service.infra-monitor.svc.cluster.local:8080"
+ - name: API_KEY
+ value: "OKMrkF5QolkRMx0LRW1xzgy6uu+iJK+qlfJhgNyHSVg"
+ - name: BOUNCER_CONFIG
+ value: "/crowdsec/crowdsec-bouncer.conf"
+ - name: MODE
+ value: "stream"
+ - name: UPDATE_FREQUENCY
+ value: "60"
+ command: ['sh', '-c', "bash /docker_start.sh; mkdir -p /lua_plugins/crowdsec/; cp -R /crowdsec/* /lua_plugins/crowdsec/"]
+ volumeMounts:
+ - name: crowdsec-bouncer-plugin
+ mountPath: /lua_plugins
+ extraVolumeMounts:
+ - name: crowdsec-bouncer-plugin
+ mountPath: /etc/nginx/lua/plugins/crowdsec
+ subPath: crowdsec
\ No newline at end of file
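Review bot: In the `core/nginx/helmchart.yaml` hunk, the CrowdSec bouncer credential is committed in plaintext as the `API_KEY` env value of the `init-clone-crowdsec-bouncer` init container, so anyone with read access to this repo, to the rendered HelmChart, or to the Pod spec holds the key the bouncer presents to `API_URL`, and it stays in git history after removal. Move it into a Kubernetes Secret referenced via `valueFrom.secretKeyRef` as sketched below, and treat the current value as exposed and regenerate it on the LAPI side. The init image `devcm/lua-bouncer-plugin` carries no tag or digest, so it resolves to `latest` at pull time and whatever Lua that build ships is copied into nginx's plugin directory; pinning a tag or digest keeps that supply chain reproducible. Two smaller points: `command` joins its steps with `;`, so a failing `/docker_start.sh` still leaves a partially installed plugin (`&&` would fail the init container instead), and `server-snippet : |` has a stray space before the colon. The enclosing `valuesContent` mapping starts outside the hunk.
```yaml
        env:
          - name: API_URL
            value: "http://crowdsec-service.infra-monitor.svc.cluster.local:8080"
          - name: API_KEY
            valueFrom:
              secretKeyRef:
                name: BOUNCER_SECRET_NAME  # placeholder: Secret created outside this chart
                key: api-key
          # … unchanged: BOUNCER_CONFIG, MODE, UPDATE_FREQUENCY …
```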