
Commit 8c92c4f

Merge pull request #63 from hhftechnology/pangolin
Pangolin
2 parents 56e5a76 + ce713c2 commit 8c92c4f

44 files changed

Lines changed: 3405 additions & 53 deletions


README.md

Lines changed: 54 additions & 8 deletions
@@ -14,9 +14,30 @@ CrowdSec Manager is a web-based management interface for CrowdSec operations, Tr
1414

1515
## Stable release
1616

17-
- Current baseline: `1.0.0`
17+
- Current baseline: `2.0.0`
1818
- Multi-proxy support: not available in this release
1919

20+
### Crowdsec-Manager mobile app.
21+
22+
### Download
23+
Click below to download the app to your mobile device, tablet:
24+
25+
### Current Release
26+
27+
[<img src="https://play.google.com/intl/en_us/badges/images/generic/en_badge_web_generic.png"
28+
alt="Download from Google Play"
29+
height="80">](https://play.google.com/store/apps/details?id=com.crowdsec.manager.mobile)
30+
31+
[<img src="https://f-droid.org/badge/get-it-on.png"
32+
alt="Get it on F-Droid"
33+
height="80">](https://f-droid.org/packages/com.crowdsec.manager.mobile/)
34+
35+
[<img src="https://developer.apple.com/assets/elements/badges/download-on-the-app-store.svg"
36+
alt="We are not on iOS :)"
37+
height="80">](https://itunes.apple.com/us/app/hhftechnology/0)
38+
39+
40+
2041
## Images
2142

2243
<img width="1200" height="630" alt="Dashboard" src="/images/dashboard-overview-countries-systems.jpeg"/>
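Review bot: the App Store badge added in this hunk links to `https://itunes.apple.com/us/app/hhftechnology/0` with the alt text "We are not on iOS :)", i.e. a placeholder URL for an app that does not exist, so a reader who taps it lands on a dead page. Either drop that badge or replace it with a plain sentence stating that no iOS build is available. Also, with the baseline bumped to `2.0.0` here, the compose example later in this README should pin that tag instead of `latest` so the two parts of the document describe the same release.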
@@ -89,35 +110,60 @@ CrowdSec Manager is a web-based management interface for CrowdSec operations, Tr
89110
| `terminal-container-shell.png` | Terminal (container shell) |
90111
| `whitelist-management.jpeg` | Whitelist Management |
91112

92-
## Minimum Docker Compose
113+
## Minimum Docker Compose with tailscale
93114

94115
```yaml
95116
services:
117+
tailscale:
118+
image: tailscale/tailscale:latest
119+
container_name: tailscale-crowdsec
120+
hostname: crowdsec-manager-ts # The name that will appear in your Tailscale admin panel
121+
environment:
122+
- TS_AUTHKEY=
123+
- TS_STATE_DIR=/var/lib/tailscale
124+
volumes:
125+
- tailscale-data:/var/lib/tailscale
126+
- /dev/net/tun:/dev/net/tun
127+
cap_add:
128+
- net_admin
129+
- sys_module
130+
ports:
131+
- "8080:8080"
132+
networks:
133+
pangolin:
134+
aliases:
135+
- crowdsec-manager # Ensures other containers on the network can still reach it by its original name!
136+
restart: unless-stopped
137+
96138
crowdsec-manager:
97-
image: hhftechnology/crowdsec-manager:1.1.0
139+
image: hhftechnology/crowdsec-manager:latest
98140
container_name: crowdsec-manager
141+
network_mode: service:tailscale # This is the magic: it merges networking with the Tailscale container
142+
depends_on:
143+
- tailscale
99144
restart: unless-stopped
100-
expose:
101-
- "8080"
145+
# 'expose' and 'networks' are removed here because Tailscale manages the network connection now
102146
environment:
103147
# Core Configuration
104148
- PORT=8080
105149
- ENVIRONMENT=production
106150
- TRAEFIK_DYNAMIC_CONFIG=/etc/traefik/dynamic_config.yml
107151
- TRAEFIK_CONTAINER_NAME=traefik
108152
- TRAEFIK_STATIC_CONFIG=/etc/traefik/traefik_config.yml
153+
- CROWDSEC_METRICS_URL=http://crowdsec:6060/metrics
109154
volumes:
110155
- /var/run/docker.sock:/var/run/docker.sock
111156
- /root/config:/app/config
112157
- /root/docker-compose.yml:/app/docker-compose.yml
113-
- ./backups:/app/backups
158+
- ./backups:/app/config/backups
114159
- ./data:/app/data
115-
networks:
116-
- pangolin
117160

118161
networks:
119162
pangolin:
120163
external: true
164+
165+
volumes:
166+
tailscale-data:
121167
```
122168
123169
## Run
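Review bot: `ports: - "8080:8080"` on the new `tailscale` service publishes the manager on every host interface, which contradicts the comment that Tailscale now manages the network connection and defeats the point of the sidecar; the previous service only used `expose: "8080"` on the internal `pangolin` network. Drop the `ports:` block so the UI is reachable only over the tailnet and via the `crowdsec-manager` network alias, or at most bind it to loopback with `"127.0.0.1:8080:8080"`. Three smaller points in the same hunk: `image: hhftechnology/crowdsec-manager:1.1.0` became `:latest`, which for a container that mounts `/var/run/docker.sock` means any newly pushed image silently gains root-equivalent access to the host on the next pull, so pin the `2.0.0` baseline or a digest instead; `sys_module` in `cap_add` lets the container load arbitrary kernel modules and is usually unnecessary once `/dev/net/tun` is passed through, so try `net_admin` alone; and the backups mount moved from `/app/backups` to `/app/config/backups`, a breaking change for existing deployments that the README should call out with a migration step. Leaving `TS_AUTHKEY=` empty is fine as a template, but `TS_AUTHKEY=${TS_AUTHKEY}` read from a `.env` file keeps the key out of a compose file that is itself bind-mounted into the manager container (`/root/docker-compose.yml:/app/docker-compose.yml`).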

charts/README.md

Lines changed: 253 additions & 0 deletions
@@ -0,0 +1,253 @@
1+
# CrowdSec Manager — Helm Chart
2+
3+
Deploy CrowdSec Manager on Kubernetes with a **Tailscale sidecar** for VPN-only access using Helm.
4+
5+
For plain `kubectl` manifests (no Helm), see [`../k8s/`](../k8s/).
6+
7+
---
8+
9+
## Chart Location
10+
11+
```
12+
charts/
13+
└── crowdsec-manager/ ← chart directory (pass this to helm install)
14+
├── Chart.yaml
15+
├── values.yaml ← all configurable defaults
16+
└── templates/
17+
├── _helpers.tpl
18+
├── deployment.yaml ← Pod with Tailscale sidecar + app container
19+
├── service.yaml
20+
├── configmap.yaml
21+
├── secret.yaml
22+
├── pvc-data.yaml
23+
├── pvc-config.yaml
24+
├── pvc-backups.yaml
25+
├── pvc-logs.yaml
26+
├── pvc-tailscale.yaml
27+
└── NOTES.txt
28+
```
29+
30+
---
31+
32+
## Prerequisites
33+
34+
| Requirement | Notes |
35+
|---|---|
36+
| Kubernetes 1.24+ | Tested on k3s, k0s, microk8s |
37+
| Helm 3.10+ | `helm version` to check |
38+
| Tailscale account | Auth key from [admin console](https://login.tailscale.com/admin/settings/keys) |
39+
| Node with Docker daemon | The node that runs CrowdSec + Traefik |
40+
| `/dev/net/tun` + WireGuard | Linux 5.6+ has both built-in; older: `modprobe tun wireguard` |
41+
42+
---
43+
44+
## Quick Start
45+
46+
### 1. Label the target node
47+
48+
```bash
49+
kubectl label node <your-node-name> crowdsec-manager/host=true
50+
```
51+
52+
> Skip this step on single-node clusters — set `nodeSelector: {}` in your values instead.
53+
54+
### 2. Create the namespace
55+
56+
```bash
57+
kubectl create namespace crowdsec
58+
```
59+
60+
### 3. Create the Tailscale secret (recommended — keeps the key out of Helm values)
61+
62+
Generate a **reusable** auth key at [Tailscale Admin → Settings → Keys](https://login.tailscale.com/admin/settings/keys).
63+
64+
```bash
65+
kubectl create secret generic crowdsec-manager-tailscale \
66+
--namespace crowdsec \
67+
--from-literal=TS_AUTHKEY="tskey-auth-XXXXXXXXXXXX-YYYYYYY"
68+
```
69+
70+
### 4. Install the chart
71+
72+
Using the pre-created secret:
73+
74+
```bash
75+
helm install crowdsec-manager ./charts/crowdsec-manager \
76+
--namespace crowdsec \
77+
--set tailscaleSecret.existingSecret=crowdsec-manager-tailscale
78+
```
79+
80+
Or supply the key inline (not recommended for GitOps — it ends up in Helm history):
81+
82+
```bash
83+
helm install crowdsec-manager ./charts/crowdsec-manager \
84+
--namespace crowdsec \
85+
--set tailscaleSecret.authKey="tskey-auth-XXXXXXXXXXXX-YYYYYYY"
86+
```
87+
88+
---
89+
90+
## Configuration
91+
92+
All defaults are in `values.yaml`. Override with `--set key=value` or a custom values file.
93+
94+
### Common overrides
95+
96+
```yaml
97+
# my-values.yaml
98+
99+
# Single-node cluster — disable node label requirement
100+
nodeSelector: {}
101+
102+
# Adjust container names to match your Docker setup
103+
app:
104+
crowdsec:
105+
containerName: crowdsec
106+
metricsUrl: http://crowdsec:6060/metrics
107+
traefik:
108+
containerName: traefik
109+
110+
# Disable Pangolin/Gerbil if not in use
111+
app:
112+
pangolin:
113+
enabled: "false"
114+
gerbil:
115+
enabled: "false"
116+
117+
# Tailscale hostname in the admin console
118+
tailscale:
119+
hostname: my-crowdsec-server
120+
121+
# StorageClass for PVCs (leave empty for cluster default)
122+
persistence:
123+
data:
124+
storageClass: local-path
125+
```
126+
127+
Apply:
128+
129+
```bash
130+
helm install crowdsec-manager ./charts/crowdsec-manager \
131+
--namespace crowdsec \
132+
--set tailscaleSecret.existingSecret=crowdsec-manager-tailscale \
133+
-f my-values.yaml
134+
```
135+
136+
### Injecting a docker-compose.yml
137+
138+
To let the app manage Docker Compose services, inject your compose file as a ConfigMap:
139+
140+
```bash
141+
helm upgrade crowdsec-manager ./charts/crowdsec-manager \
142+
--namespace crowdsec \
143+
--reuse-values \
144+
--set dockerCompose.enabled=true \
145+
--set-file dockerCompose.content=/path/to/your/docker-compose.yml
146+
```
147+
148+
### Userspace Tailscale (no kernel WireGuard)
149+
150+
If your node's kernel lacks WireGuard support (Linux < 5.6 without backport):
151+
152+
```bash
153+
helm install crowdsec-manager ./charts/crowdsec-manager \
154+
--namespace crowdsec \
155+
--set tailscale.userspace=true \
156+
--set tailscaleSecret.existingSecret=crowdsec-manager-tailscale
157+
```
158+
159+
### NATS messaging (optional)
160+
161+
```bash
162+
kubectl create secret generic crowdsec-manager-nats \
163+
--namespace crowdsec \
164+
--from-literal=NATS_TOKEN="my-nats-token"
165+
166+
helm install crowdsec-manager ./charts/crowdsec-manager \
167+
--namespace crowdsec \
168+
--set app.nats.enabled=true \
169+
--set app.nats.url=nats://nats-server:4222 \
170+
--set natsSecret.existingSecret=crowdsec-manager-nats \
171+
--set tailscaleSecret.existingSecret=crowdsec-manager-tailscale
172+
```
173+
174+
---
175+
176+
## Verify the Deployment
177+
178+
```bash
179+
# Pod status — both containers should show Running
180+
kubectl get pods -n crowdsec
181+
182+
# Find the Tailscale IP
183+
kubectl logs -n crowdsec deployment/crowdsec-manager -c tailscale | grep -E "100\.[0-9]"
184+
185+
# Health check from a Tailscale-connected device
186+
curl http://<tailscale-ip>:8080/health
187+
# Expected: {"status":"ok"}
188+
189+
# All 5 PVCs should be Bound
190+
kubectl get pvc -n crowdsec
191+
```
192+
193+
---
194+
195+
## Upgrading
196+
197+
```bash
198+
# Pull latest app image and apply changed values
199+
helm upgrade crowdsec-manager ./charts/crowdsec-manager \
200+
--namespace crowdsec \
201+
--reuse-values
202+
```
203+
204+
Deployments use `strategy.type: Recreate` — there is brief downtime while the old Pod terminates and the new one starts. This is required because SQLite PVCs use `ReadWriteOnce`.
205+
206+
---
207+
208+
## Uninstalling
209+
210+
```bash
211+
# Removes the Deployment, Service, ConfigMap, and non-keep PVCs
212+
helm uninstall crowdsec-manager --namespace crowdsec
213+
214+
# PVCs annotated with helm.sh/resource-policy=keep must be deleted manually:
215+
kubectl delete pvc \
216+
crowdsec-manager-data \
217+
crowdsec-manager-config \
218+
crowdsec-manager-tailscalestate \
219+
-n crowdsec
220+
221+
# Remove the Tailscale auth secret if you created it separately
222+
kubectl delete secret crowdsec-manager-tailscale -n crowdsec
223+
224+
# Remove the namespace
225+
kubectl delete namespace crowdsec
226+
```
227+
228+
---
229+
230+
## Key Design Notes
231+
232+
### Tailscale Sidecar = `network_mode: service:tailscale`
233+
234+
In Docker Compose, `network_mode: service:tailscale` makes the app share the Tailscale container's network namespace. In Kubernetes, all containers in the same Pod share a network namespace automatically — no special configuration required. The sidecar pattern is the direct equivalent.
235+
236+
### Deployment Strategy: Recreate
237+
238+
`ReadWriteOnce` PVCs can only be mounted by one node at a time. `RollingUpdate` would deadlock waiting for the old Pod to release the PVC. `Recreate` terminates the old Pod first.
239+
240+
### SQLite StorageClass
241+
242+
Use a **node-local** StorageClass (`local-path`, `openebs-hostpath`) for the `data` PVC. SQLite over NFS causes corruption due to POSIX lock semantics.
243+
244+
### Docker Socket Security
245+
246+
Mounting `/var/run/docker.sock` grants the container effective root on the host node. Mitigations:
247+
- `nodeSelector` pins the Pod to a trusted node
248+
- Add a `NetworkPolicy` to restrict cluster-wide egress from this Pod
249+
- Keep `replicas: 1` — never run two instances of this app
250+
251+
### Auth Key Persistence
252+
253+
After first boot, the Tailscale WireGuard identity is saved to the `tailscaleState` PVC. The auth key is only needed for the initial registration. Use a **reusable** key so the Pod can re-authenticate if the state PVC is ever lost.
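Review bot: in the Uninstalling section, `helm uninstall` removes every PVC without `helm.sh/resource-policy=keep`, and the keep list that follows names only `crowdsec-manager-data`, `-config` and `-tailscalestate`, so the backups PVC from `pvc-backups.yaml` (and the logs PVC) is deleted by the uninstall; either annotate the backups PVC with the keep policy or tell readers to copy backups off the cluster first. Other points in this file: the Prerequisites table says the node needs kernel WireGuard, but the Tailscale container uses its own userspace WireGuard implementation (wireguard-go) over `/dev/net/tun`, so only the TUN device matters, and `tailscale.userspace=true` is the fallback when even the TUN device is unavailable, not for "no kernel WireGuard". The Auth Key Persistence note recommends a reusable key held in a Secret; anyone with read access to Secrets in the `crowdsec` namespace can then enrol arbitrary nodes on the tailnet, so mention restricting the key with an ACL tag and an expiry, and that it can be rotated after first boot because the state PVC carries the node identity. "Injecting a docker-compose.yml" stores the file in a ConfigMap; compose files commonly carry credentials, and ConfigMaps are plain text with typically broader read access than Secrets, so say to strip secrets from the file or use a Secret. In Docker Socket Security, `nodeSelector` only scopes which host is exposed, it does not reduce the privilege, and a NetworkPolicy governs pod traffic rather than access to the socket; say so rather than listing them as mitigations. Finally, Upgrading says `helm upgrade --reuse-values` pulls the latest image; with `appVersion: "latest"` that only holds if the deployment sets `imagePullPolicy: Always`, otherwise the recreated Pod reuses the cached image, so state which the chart uses.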

charts/crowdsec-manager/Chart.yaml

Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
apiVersion: v2
2+
name: crowdsec-manager
3+
description: CrowdSec Manager — Go+React security management UI with Tailscale sidecar for VPN-only access
4+
type: application
5+
version: 0.1.0
6+
appVersion: "latest"
7+
keywords:
8+
- crowdsec
9+
- tailscale
10+
- security
11+
- traefik
12+
- wireguard
13+
home: https://github.com/hhftechnology/crowdsec_manager
14+
sources:
15+
- https://github.com/hhftechnology/crowdsec_manager
16+
maintainers:
17+
- name: hhftechnology
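Review bot: `appVersion: "latest"` is a floating tag, so chart `version: 0.1.0` does not identify which application build it deploys and `helm upgrade` cannot roll it reproducibly. Set `appVersion` to the release the README calls the baseline (`2.0.0`), default the image tag to `.Chart.AppVersion`, and bump the chart version whenever it changes.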
