I tried using the official page docs dot crowdsec dot net/u/getting_started/installation/kubernetes and had no luck. None of the resultant pods ran successfully nor could I get logs on any of them. I’m using Rancher v1.29.4 rke2r1.
There’s a link on docs dot crowdsec dot net to this page: crowdsec 0.13.0 · crowdsec/crowdsec
These two pages contain vastly different “basic” configurations, which is confusing. For instance, one page wants me to use Traefik while the other doesn’t.
On the artifact.io page, one block of code in the same yaml file has `password: ${DB_PASSWORD}` while another block has `dbPassword: <externalDbPassword>`. Why might this be? Is there a technical reason for this divergence or is this more the result of two people making edits to the same web page over time without reading the original page? Perhaps this page was auto-generated or updated by a script.
In any case, I’m seeking advice regarding which page to use. I’m obviously not a Kubernetes expert so I’m having trouble deciding.
Adding my deployment yaml below. None of the resultant pods start.
```yaml
config:
  config.yaml.local: |
    db_config:
      type: postgresql
      user: crowdsec
      password: ${DB_PASSWORD}
      db_name: crowdsec
      host: 192.168.10.132
      port: 5432
      sslmode: require
agent:
  acquisition:
    - namespace: "crowdsec"
      podName: "crowdsec-wutwut"
      program: "/var/log/pods/*.log"
  resources:
    requests:
      cpu: "100m" # Lower the CPU request
      memory: "128Mi" # Lower memory if needed
    limits:
      cpu: "500m" # Set a reasonable CPU limit
      memory: "256Mi"
  replicaCount: 1
lapi:
  # 2 or more replicas for HA
  resources:
    requests:
      cpu: "100m" # Lower CPU request for LAPI
      memory: "128Mi"
    limits:
      cpu: "500m"
      memory: "256Mi"
  replicas: 2
  # You can specify your own CS_LAPI_SECRET, or let the chart generate one. Length must be >= 64
  secrets:
    csLapiSecret: <t0iL3tj_sKw1dB@iT>
  # Specify your external DB password here
  extraSecrets:
    dbPassword: <F6-pxY8[l\_%*4d>
  persistentVolume:
    # When replicas for LAPI is greater than 1, two options, persistent volumes must be disabled, or in ReadWriteMany mode
    config:
      enabled: false
    # data volume is not required, since SQLite isn't used
    data:
      enabled: false
  # DB Password passed through environment variable
  env:
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: crowdsec-lapi-secrets
          key: dbPassword
```
When I run

```
kubectl -n crowdsec logs crowdsec-lapi-5cc7bf9b5-zjtwv
```

I get the error:

```
Generate local agent credentials
level=fatal msg="failed to connect to database: failed creating schema resources: querying server version failed to connect to `host=192.168.10.132 user=crowdsec database=crowdsec`: failed SASL auth (FATAL: password authentication failed for user \"crowdsec\" (SQLSTATE 28P01))"
```
I can’t tell from the above message whether the pod is trying to create a database or simply authenticate. The crowdsec database already exists and no, those aren’t my actual passwords or secrets.
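One way to see what the LAPI pod actually receives as `DB_PASSWORD` is to audit the Secret that the `secretKeyRef` above points at (added example, not part of the original post or the CrowdSec chart). It assumes the Secret was exported with `kubectl -n crowdsec get secret crowdsec-lapi-secrets -o json`; the sample JSON is constructed, and the `csLapiSecret` key name inside the Secret is an assumption.

```python
import base64
import json


def b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample in the shape of:
#   kubectl -n crowdsec get secret crowdsec-lapi-secrets -o json
# Values are made up; the csLapiSecret key name in the Secret is an assumption.
SAMPLE_SECRET_JSON = json.dumps({
    "kind": "Secret",
    "metadata": {"name": "crowdsec-lapi-secrets", "namespace": "crowdsec"},
    "data": {
        "dbPassword": b64("<example-db-password>\n"),
        "csLapiSecret": b64("short-example-secret"),
    },
})

MIN_LAPI_SECRET_LEN = 64  # from the values comment: "Length must be >= 64"


def audit_secret(secret_json):
    """Return (key, finding) pairs for values that differ from what was likely intended."""
    findings = []
    data = json.loads(secret_json).get("data") or {}
    for key, encoded in sorted(data.items()):
        value = base64.b64decode(encoded).decode("utf-8", errors="replace")
        core = value.strip()
        if value != core:
            findings.append((key, "leading/trailing whitespace or newline"))
        if not core:
            findings.append((key, "empty value"))
        if core.startswith("<") and core.endswith(">"):
            findings.append((key, "wrapped in <...> placeholder delimiters"))
        if key == "csLapiSecret" and len(core) < MIN_LAPI_SECRET_LEN:
            findings.append((key, f"length {len(core)} < {MIN_LAPI_SECRET_LEN}"))
    if "dbPassword" not in data:
        findings.append(("dbPassword", "key missing; secretKeyRef would not resolve"))
    return findings


if __name__ == "__main__":
    # Prints key names and findings only, never the decoded secret value.
    for key, finding in audit_secret(SAMPLE_SECRET_JSON):
        print(f"{key}: {finding}")
```

A value that passes these checks but still fails with SQLSTATE 28P01 can then be compared against the password set on the PostgreSQL role itself.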