Bouncer lastPull strategy change (Allow bouncer to use stream mode while sharing same API key) #3255

Open
buixor opened this issue Sep 20, 2024 · 2 comments

buixor commented Sep 20, 2024

What would you like to be added?

Currently, bouncers sharing the same API key cannot reliably use the stream mode.

What happens

When a bouncer queries /decisions/stream with startup not set to true, we rely on the bouncerInfo.LastPull timestamp to know when the bouncer last pulled and know which data should be returned. The bouncerInfo is fetched from the DB and only relies on the API key provided by the bouncer.

Problem

However, this is problematic when several bouncer instances (i.e. nginx-ingress / kube) share the same API key and want to use stream mode: they get inconsistent data as they all share the same entry in the DB and thus LastPull.

Proposed change

The proposed change is the following:

  • Use the combo IP + API key as the unique identifier for bouncers (instead of just the API key)
  • When a "new" bouncer (existing API key but new IP) comes in, after authentication, we duplicate the existing row (based on API key) and we update last pull, heartbeat etc.
  • When a bouncer queries /decisions/stream with startup not set to true, we rely on the API key + IP combo to select the relevant row, so that each bouncer instance gets its own LastPull

Why is this needed?

Allow several bouncers to share the same API key and use stream mode.
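
The inconsistency described in this issue, replayed as an added sketch (not CrowdSec code and not part of the issue): two instances sharing one API key poll alternately, first with one LastPull row per API key, then with one row per API key + IP. The `Store`, `Stream` and `Replay` names, the logical clock and the rule that a first-seen row starts at LastPull 0 are assumptions of the sketch; all sample values are constructed.

```go
package main

import "fmt"

type Decision struct {
	Value   string
	Created int // logical clock tick
}

type Store struct { // models the bouncers table: one LastPull per row
	perIP     bool           // false: row keyed by API key; true: API key + IP
	lastPull  map[string]int // row key -> LastPull tick
	decisions []Decision
}

// Stream models /decisions/stream with startup not set to true: return
// decisions newer than the row's LastPull, then advance LastPull.
func (s *Store) Stream(apiKey, ip string, now int) []string {
	k := apiKey
	if s.perIP {
		k = apiKey + "|" + ip
	}
	since := s.lastPull[k] // 0 for a first-seen row (assumption of this sketch)
	out := []string{}
	for _, d := range s.decisions {
		if d.Created > since {
			out = append(out, d.Value)
		}
	}
	s.lastPull[k] = now
	return out
}

// Replay runs a constructed timeline: two instances share one key, poll in turn.
func Replay(perIP bool) (a, b []string) {
	s := &Store{perIP: perIP, lastPull: map[string]int{}}
	s.decisions = append(s.decisions, Decision{"192.0.2.10", 1})
	a = append(a, s.Stream("shared-key", "10.0.0.1", 2)...)
	s.decisions = append(s.decisions, Decision{"192.0.2.20", 3})
	b = append(b, s.Stream("shared-key", "10.0.0.2", 4)...)
	a = append(a, s.Stream("shared-key", "10.0.0.1", 5)...)
	return a, b
}

func main() {
	a, b := Replay(false)
	a2, b2 := Replay(true)
	fmt.Println("API key only:", a, b, "| API key + IP:", a2, b2)
}
```

With a single shared row each instance ends up with only one of the two decisions; with one row per API key + IP both instances receive both.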

buixor added this to the 1.6.4 milestone Sep 20, 2024

@buixor: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.


@buixor: There is no 'kind' label on this issue. You need a 'kind' label to start the triage process.

  • /kind feature
  • /kind enhancement
  • /kind refactoring
  • /kind bug
  • /kind packaging