Deploy WAF bouncer in LAPI component
Provide a way to deploy the WAF bouncer in Kubernetes via Helm : https://doc.crowdsec.net/u/bouncers/aws_waf/
Using the https://hub.docker.com/r/crowdsecurity/aws-waf-bouncer/ image as configuration might work but I'm not sure if both the agent and LAPI components can run from this image...
@arthurzenika: Thanks for opening an issue, it is currently awaiting triage.
If you haven't already, please provide the following information:
- kind: bug, enhancement or documentation
- area: agent, appsec, configuration, cscli, local-api
In the meantime, you can:
- Check Crowdsec Documentation to see if your issue can be self resolved.
- You can also join our Discord.
- Check Releases to make sure your agent is on the latest version.
I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the forked project rr404/oss-governance-bot repository.
@arthurzenika: There are no 'kind' label on this issue. You need a 'kind' label to start the triage process.
/kind bug
/kind documentation
/kind enhancement
/kind enhancement
Tried using the WAF image instead of the default crowdsec image and I get errors on startup for the lapi component:
cp: can't stat '/staging/etc/crowdsec/*': No such file or directory
There probably needs to be some way of configuring the bouncers/crowdsec-aws-waf-bouncer.yaml in the values.yaml too.
Hello,
The bouncer should run as a separate deployment. At the time, we do not have a chart for it, but you can use a deployment that looks like this:
apiVersion: v1
kind: ConfigMap
metadata:
  name: crowdsec-aws-waf-bouncer-config
data:
  config.yaml: |
    api_key: ${CROWDSEC_API_KEY}
    api_url: ${CROWDSEC_API_URL}
    update_frequency: 10s
    waf_config:
      - web_acl_name: mywebacl
        fallback_action: ban
        rule_group_name: crowdsec-rule-group-eu-west-1
        scope: REGIONAL
        region: eu-west-1
        ipset_prefix: crowdsec-ipset-a
        capacity: 300
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: crowdsec-aws-waf-bouncer
  labels:
    app: crowdsec-aws-waf-bouncer
spec:
  replicas: 1
  selector:
    matchLabels:
      app: crowdsec-aws-waf-bouncer
  template:
    metadata:
      labels:
        app: crowdsec-aws-waf-bouncer
    spec:
      containers:
        - name: crowdsec-aws-waf-bouncer
          image: "crowdsecurity/aws-waf-bouncer:latest"
          env:
            - name: CROWDSEC_API_KEY
              valueFrom:
                secretKeyRef:
                  name: crowdsec-api-key
                  key: api_key
            - name: CROWDSEC_API_URL
              value: "http://crowdsec-service.crowdsec:8080/"
            - name: BOUNCER_CONFIG_FILE
              value: /config.yaml
          volumeMounts:
            - name: crowdsec-aws-waf-bouncer-config-volume
              mountPath: /config.yaml
              subPath: config.yaml
      volumes:
        - name: crowdsec-aws-waf-bouncer-config-volume
          configMap:
            name: crowdsec-aws-waf-bouncer-config
Make sure to update the CROWDSEC_API_URL value to point the bouncer to your LAPI.
The AWS credentials are not provided in the deployment; depending on your setup you can:
- If running in EKS, assign a service account to the pod and grant IAM permissions through that
- Set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY env vars from secrets.
It also expects the API key for the bouncer to be stored in a secret. You can create the key by either:
- If the DB is persistent, you can just run cscli bouncers add in the LAPI pod
- You can also pass the bouncer API key through LAPI env, by setting a BOUNCER_KEY_aws_waf=YOUR_KEY_HERE env var
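The credential-sourcing rules from the reply above (API key from a Secret; AWS access via an IAM-bound service account on EKS or AWS_* keys from a Secret) turned into a small audit of the bouncer Deployment. This is an added example, not code from the thread or the crowdsec helm-charts project: manifests are handled as plain dicts (the shape yaml.safe_load() returns, so PyYAML is not needed), the sample Deployment is constructed here, and the vX.Y.Z image tag is a placeholder.

```python
# Added example (not from the crowdsec helm-charts project): audit a
# crowdsec-aws-waf-bouncer Deployment for credential-handling mistakes.
# Manifests are plain dicts, i.e. what yaml.safe_load() would return.

SECRET_ENV = {"CROWDSEC_API_KEY", "AWS_ACCESS_KEY_ID",
              "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}
AWS_ENV = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}


def audit_bouncer_deployment(deployment: dict) -> list:
    """Return a list of findings; an empty list means the Deployment passes."""
    findings = []
    pod = deployment["spec"]["template"]["spec"]
    aws_env_seen = False
    for container in pod.get("containers", []):
        cname = container.get("name", "<unnamed>")
        image = container.get("image", "")
        # A floating tag means the bouncer version actually running is unknown.
        if ":" not in image or image.endswith(":latest"):
            findings.append(f"{cname}: image {image!r} is not pinned to a version tag")
        for env in container.get("env", []):
            name = env.get("name")
            if name in AWS_ENV:
                aws_env_seen = True
            if name in SECRET_ENV and "secretKeyRef" not in env.get("valueFrom", {}):
                # Credentials must be read from a Secret, never written inline.
                findings.append(f"{cname}: {name} is set inline; use valueFrom.secretKeyRef")
    # The pod needs a declared AWS credential source: an IAM-bound service
    # account (EKS) or AWS_* keys sourced from a Secret.
    if not aws_env_seen and not pod.get("serviceAccountName"):
        findings.append("no AWS credential source: set serviceAccountName (IRSA) "
                        "or AWS_* keys from a Secret")
    return findings


def make_deployment(image: str, env: list, service_account: str = "") -> dict:
    """Construct a minimal Deployment shaped like the one posted above (sample data)."""
    pod = {"containers": [{"name": "crowdsec-aws-waf-bouncer", "image": image, "env": env}]}
    if service_account:
        pod["serviceAccountName"] = service_account
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "spec": {"template": {"spec": pod}}}


API_KEY_FROM_SECRET = {"name": "CROWDSEC_API_KEY",
                       "valueFrom": {"secretKeyRef": {"name": "crowdsec-api-key", "key": "api_key"}}}
LAPI_URL = {"name": "CROWDSEC_API_URL", "value": "http://crowdsec-service.crowdsec:8080/"}

if __name__ == "__main__":
    posted = make_deployment("crowdsecurity/aws-waf-bouncer:latest", [API_KEY_FROM_SECRET, LAPI_URL])
    # vX.Y.Z is a placeholder tag, not a real release.
    hardened = make_deployment("crowdsecurity/aws-waf-bouncer:vX.Y.Z",
                               [API_KEY_FROM_SECRET, LAPI_URL], "aws-waf-bouncer")
    for label, dep in (("as posted", posted), ("hardened", hardened)):
        print(label, audit_bouncer_deployment(dep) or ["ok"])
```

Run it against your own manifest by loading it with yaml.safe_load() and passing the Deployment document to audit_bouncer_deployment().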