From 11c5f27bc71fbde9db20752a7b480a5c2d4cae52 Mon Sep 17 00:00:00 2001 From: Tony Du Date: Thu, 13 Feb 2025 16:36:28 -0800 Subject: [PATCH] feat: Add crowdsec to server --- .gitignore | 1 + k8s/clusters/dolo/.sops.yaml => .sops.yaml | 0 README.md | 3 +- ...{dns-home-mnke.yaml => dns-dolo-mnke.yaml} | 8 ++--- .../external/build/kustomization.yaml | 2 +- k8s/clusters/dolo/apps.yaml | 4 +++ k8s/clusters/dolo/infrastructure.yaml | 4 --- k8s/infrastructure/configs/kustomization.yaml | 1 + .../configs/secrets/kustomization.yaml | 1 + .../configs/secrets/sops-age.yaml | 28 +++++++++++++++ .../controllers/crowdsec/release.yaml | 2 +- .../kube-prometheus-stack/kustomization.yaml | 1 + .../kube-prometheus-stack/release.yaml | 13 ++++--- .../kube-prometheus-stack/secrets.yaml | 19 ++++++++++ .../controllers/traefik/kustomization.yaml | 2 +- .../traefik/middlewares/crowdsec-bouncer.yaml | 36 +++++++++++++++++++ .../kustomization.yaml | 3 +- .../controllers/traefik/plugins/crowdsec.yaml | 35 ------------------ .../controllers/traefik/release.yaml | 6 +++- 19 files changed, 116 insertions(+), 53 deletions(-) rename k8s/clusters/dolo/.sops.yaml => .sops.yaml (100%) rename k8s/apps/ingressroutes/external/build/{dns-home-mnke.yaml => dns-dolo-mnke.yaml} (83%) create mode 100644 k8s/infrastructure/configs/secrets/sops-age.yaml create mode 100644 k8s/infrastructure/controllers/kube-prometheus-stack/secrets.yaml create mode 100644 k8s/infrastructure/controllers/traefik/middlewares/crowdsec-bouncer.yaml rename k8s/infrastructure/controllers/traefik/{plugins => middlewares}/kustomization.yaml (74%) delete mode 100644 k8s/infrastructure/controllers/traefik/plugins/crowdsec.yaml diff --git a/.gitignore b/.gitignore index eea8add..181ccba 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ .env /secrets.yml venv +age.agekey diff --git a/k8s/clusters/dolo/.sops.yaml b/.sops.yaml similarity index 100% rename from k8s/clusters/dolo/.sops.yaml rename to .sops.yaml 
diff --git a/README.md b/README.md index c3e58c7..1360d6d 100644 --- a/README.md +++ b/README.md @@ -158,7 +158,8 @@ kubectl delete -f proxmox/k8s/examples/001-example.yml Prerequisites: - Gitea is set up -- Infisical or some other secrets provider is set up +- Infisical or some other secrets provider is set up (if not Infisical, change + the ClusterSecretStore manifest) Follow [the Infisical guide to get a client id and secret](https://infisical.com/docs/documentation/platform/identities/universal-auth). Use it to apply [a manifest](https://external-secrets.io/latest/provider/infisical/) diff --git a/k8s/apps/ingressroutes/external/build/dns-home-mnke.yaml b/k8s/apps/ingressroutes/external/build/dns-dolo-mnke.yaml similarity index 83% rename from k8s/apps/ingressroutes/external/build/dns-home-mnke.yaml rename to k8s/apps/ingressroutes/external/build/dns-dolo-mnke.yaml index f73b555..4b435aa 100644 --- a/k8s/apps/ingressroutes/external/build/dns-home-mnke.yaml +++ b/k8s/apps/ingressroutes/external/build/dns-dolo-mnke.yaml @@ -3,13 +3,13 @@ apiVersion: v1 kind: Service metadata: - name: dns-home-mnke-external + name: dns-dolo-mnke-external namespace: default spec: type: ExternalName externalName: 10.0.123.123 ports: - - name: dns-home-mnke-external + - name: dns-dolo-mnke-external port: 5380 targetPort: 5380 @@ -18,7 +18,7 @@ spec: apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: - name: dns-home-mnke-external + name: dns-dolo-mnke-external namespace: default spec: entryPoints: @@ -31,7 +31,7 @@ spec: namespace: default services: - kind: Service - name: dns-home-mnke-external + name: dns-dolo-mnke-external port: 5380 passHostHeader: False tls: diff --git a/k8s/apps/ingressroutes/external/build/kustomization.yaml b/k8s/apps/ingressroutes/external/build/kustomization.yaml index fdb6633..923f435 100644 --- a/k8s/apps/ingressroutes/external/build/kustomization.yaml +++ b/k8s/apps/ingressroutes/external/build/kustomization.yaml 
@@ -6,4 +6,4 @@ resources:
   - jellyfin-tonydu.yaml
   - seerr-mnke.yaml
   - seerr-tonydu.yaml
-  - dns-home-mnke.yaml
+  - dns-dolo-mnke.yaml
diff --git a/k8s/clusters/dolo/apps.yaml b/k8s/clusters/dolo/apps.yaml
index 557b4ad..0935208 100644
--- a/k8s/clusters/dolo/apps.yaml
+++ b/k8s/clusters/dolo/apps.yaml
@@ -16,3 +16,7 @@ spec:
   prune: true
   wait: true
   timeout: 5m0s
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
diff --git a/k8s/clusters/dolo/infrastructure.yaml b/k8s/clusters/dolo/infrastructure.yaml
index 910dce4..a843c3c 100644
--- a/k8s/clusters/dolo/infrastructure.yaml
+++ b/k8s/clusters/dolo/infrastructure.yaml
@@ -14,10 +14,6 @@ spec:
   path: ./k8s/infrastructure/crds
   wait: true
   prune: true
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-age
 
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
diff --git a/k8s/infrastructure/configs/kustomization.yaml b/k8s/infrastructure/configs/kustomization.yaml
index 08be326..5985b76 100644
--- a/k8s/infrastructure/configs/kustomization.yaml
+++ b/k8s/infrastructure/configs/kustomization.yaml
@@ -1,3 +1,4 @@
+---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
diff --git a/k8s/infrastructure/configs/secrets/kustomization.yaml b/k8s/infrastructure/configs/secrets/kustomization.yaml
index 01b3f2b..f5809d7 100644
--- a/k8s/infrastructure/configs/secrets/kustomization.yaml
+++ b/k8s/infrastructure/configs/secrets/kustomization.yaml
@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - cloudflare.yaml
+  - sops-age.yaml
diff --git a/k8s/infrastructure/configs/secrets/sops-age.yaml b/k8s/infrastructure/configs/secrets/sops-age.yaml
new file mode 100644
index 0000000..2f9abb8
--- /dev/null
+++ b/k8s/infrastructure/configs/secrets/sops-age.yaml
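Review bot: Removing `decryption` from the crds Kustomization leaves no visible Flux Kustomization able to decrypt the sops-encrypted `crowdsec-bouncer.yaml` that this same commit places under `k8s/infrastructure/controllers/traefik`; the Kustomization for the controllers path starts after the `---` context line, outside this hunk, so confirm it carries `decryption: {provider: sops, secretRef: {name: sops-age}}`. Without it kustomize-controller applies the middleware with the literal `ENC[...]` string as `crowdsecLapiKey`, and every bouncer lookup fails LAPI authentication. The `sops-age` Secret that the apps.yaml stanza above references is only materialised once external-secrets has synced the new ClusterExternalSecret, so a `dependsOn` pointing at whichever Kustomization installs external-secrets would make that bootstrap order explicit instead of relying on retries.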
@@ -0,0 +1,28 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterExternalSecret
+metadata:
+  name: sops-age
+spec:
+  externalSecretName: sops-age
+
+  namespaceSelectors:
+    - matchLabels:
+        external-secrets.io/secrets.sops-age: require
+    - matchLabels:
+        app.kubernetes.io/instance: flux-system
+
+  externalSecretSpec:
+    secretStoreRef:
+      kind: ClusterSecretStore
+      name: infisical
+
+    target:
+      name: sops-age
+
+    data:
+      - secretKey: age.agekey
+        remoteRef:
+          key: sops-age-key
+
+
diff --git a/k8s/infrastructure/controllers/crowdsec/release.yaml b/k8s/infrastructure/controllers/crowdsec/release.yaml
index 160c61d..350272c 100644
--- a/k8s/infrastructure/controllers/crowdsec/release.yaml
+++ b/k8s/infrastructure/controllers/crowdsec/release.yaml
@@ -32,7 +32,7 @@ spec:
         program: traefik
     env:
       - name: COLLECTIONS
-        value: "crowdsecurity/traefik"
+        value: "crowdsecurity/linux crowdsecurity/traefik crowdsecurity/http-dos crowdsecurity/base-http-scenarios"
   lapi:
     env:
       # To enroll the Security Engine to the console
diff --git a/k8s/infrastructure/controllers/kube-prometheus-stack/kustomization.yaml b/k8s/infrastructure/controllers/kube-prometheus-stack/kustomization.yaml
index 4a8c5bd..ea387eb 100644
--- a/k8s/infrastructure/controllers/kube-prometheus-stack/kustomization.yaml
+++ b/k8s/infrastructure/controllers/kube-prometheus-stack/kustomization.yaml
@@ -2,5 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - secrets.yaml
   - repository.yaml
   - release.yaml
diff --git a/k8s/infrastructure/controllers/kube-prometheus-stack/release.yaml b/k8s/infrastructure/controllers/kube-prometheus-stack/release.yaml
index aa5d8fc..0916af0 100644
--- a/k8s/infrastructure/controllers/kube-prometheus-stack/release.yaml
+++ b/k8s/infrastructure/controllers/kube-prometheus-stack/release.yaml
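Review bot: The `external-secrets.io/secrets.sops-age: require` selector delivers the cluster's SOPS age private key — the key that decrypts every sops-managed file in this repo — into any namespace carrying that label, so anyone permitted to label a namespace can read it out of the resulting Secret. The only consumer visible in this commit is Flux's `decryption.secretRef` in flux-system, so I would drop the first selector, keep only `app.kubernetes.io/instance: flux-system`, and add above `namespaceSelectors:` the comment `# Only kustomize-controller in flux-system needs this key; do not widen the selector`. Since the same key now also lives in Infisical under `sops-age-key`, rotating the recipient in `.sops.yaml` means re-encrypting the sops files and updating that entry together.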
@@ -18,9 +18,14 @@ spec:
       name: prometheus-community
       namespace: flux-system
   interval: 10m
+  valuesFrom:
+    - kind: Secret
+      name: grafana-creds
+      valuesKey: gf-admin-password
+      targetPath: grafana.adminPassword
   values:
     grafana:
-      adminPassword: admin
+      # adminPassword: admin
       defaultDashboardsTimezone: browser
       # TODO: Create CRDS first and then apply everything at one step
       ingress:
@@ -48,9 +53,9 @@ spec:
       storageSpec:
         volumeClaimTemplate:
           spec:
-            storageClassName: longhorn
-            accessModes: ["ReadWriteOnce"]
+            storageClassName: nfs-client
+            accessModes: ["ReadWriteMany"]
             resources:
               requests:
-                storage: 4Gi
+                storage: 8Gi
diff --git a/k8s/infrastructure/controllers/kube-prometheus-stack/secrets.yaml b/k8s/infrastructure/controllers/kube-prometheus-stack/secrets.yaml
new file mode 100644
index 0000000..2d4e4f6
--- /dev/null
+++ b/k8s/infrastructure/controllers/kube-prometheus-stack/secrets.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: grafana-creds
+  namespace: flux-system
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: infisical
+
+  target:
+    name: grafana-creds
+
+  data:
+    - secretKey: gf-admin-password
+      remoteRef:
+        key: gf-admin-password
+
diff --git a/k8s/infrastructure/controllers/traefik/kustomization.yaml b/k8s/infrastructure/controllers/traefik/kustomization.yaml
index ea78503..cbccc69 100644
--- a/k8s/infrastructure/controllers/traefik/kustomization.yaml
+++ b/k8s/infrastructure/controllers/traefik/kustomization.yaml
@@ -5,4 +5,4 @@ resources:
   - namespace.yaml
   - repository.yaml
   - release.yaml
-  - plugins
+  - middlewares
diff --git a/k8s/infrastructure/controllers/traefik/middlewares/crowdsec-bouncer.yaml b/k8s/infrastructure/controllers/traefik/middlewares/crowdsec-bouncer.yaml
new file mode 100644
index 0000000..c562c47
--- /dev/null
+++ b/k8s/infrastructure/controllers/traefik/middlewares/crowdsec-bouncer.yaml
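Review bot: Routing the Grafana admin password through `valuesFrom` into `grafana.adminPassword` puts the plaintext value into the rendered Helm values, which Helm persists in its release Secret and prints with `helm get values`, so the secret ends up in two more places than the `grafana-creds` Secret itself. The grafana subchart can read the credential from a Secret directly — `grafana.admin.existingSecret: grafana-creds` plus `grafana.admin.passwordKey: gf-admin-password` (it also reads a `userKey`, so the ExternalSecret would need a username entry; check the chart defaults) — which keeps the password out of the values entirely. That Secret has to exist in the release's target namespace, and `secrets.yaml` creates it in flux-system, so if Grafana is deployed elsewhere the ExternalSecret would move with it. The commented-out `# adminPassword: admin` line is now dead and should be deleted rather than left as a reminder of the old default.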
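Review bot: Moving the Prometheus TSDB from `longhorn`/ReadWriteOnce to `nfs-client`/ReadWriteMany places the time-series database on NFS, which the Prometheus storage documentation lists as unsupported because non-POSIX filesystem semantics can corrupt the WAL and blocks. If the motivation was capacity, `storage: 8Gi` on the existing block storage class gets that without the risk; if NFS is unavoidable here, a comment above `storageClassName:` such as `# NFS is unsupported by Prometheus for TSDB storage; accepted risk for this homelab` would spare the next person a debugging session after an unclean shutdown. ReadWriteMany buys nothing in this layout since each StatefulSet pod gets its own claim, so `ReadWriteOnce` would still be the accurate mode.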
@@ -0,0 +1,36 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: bouncer
+  namespace: traefik
+spec:
+  plugin:
+    crowdsec-bouncer-traefik-plugin:
+      enabled: true
+      logLevel: DEBUG
+      crowdsecMode: live
+      crowdsecLapiScheme: http
+      # crowdsecLapiTLSInsecureVerify: true
+      crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
+      # https://docs.crowdsec.net/u/getting_started/installation/kubernetes/
+      crowdsecLapiKey: ENC[AES256_GCM,data:FJiRbf++tt3LUrIIHD49fYcrxc/dLE28ESRBBOFQXzTrEtK4KjCq/MmcZQ==,iv:cBZjSXMOA99rO71s3dhJflFO7bBHDXHpYl2BynT69Ko=,tag:ghN0Qfis3UcQVlm7us1qOA==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age1gznjylxw2d3mhq6ar4nl4mvltzjems76swlqpe607u4h8j5ykefqz0hhw0
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBINjEySWwvTkVKbHQ1QVk4
+        TUE2VGdqUzd2bzQ5Z1UvWUNRZnFjVzdRUXg4CjR1UmVVdDV5aEw3azJzZTNvR3Vr
+        Q1hiRjYwTGdhN1VlUldhS01MdFJNUXMKLS0tIDZYNXg0aGlDQ0IxNHdMMnpWWi9u
+        VEtPSlVOSUFyaWt0ek1GZVdLOWN4NmMKZUFo00va4XrYXoRf6ge45nyLAYXlG7mP
+        xkyR0cInOsvhPd8hSQdMKZNxS8T38VnFsLOTCb/wJyzOuQgy13sznw==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2025-02-14T02:23:36Z"
+  mac: ENC[AES256_GCM,data:IZOr8n3//RUDn1Wrlau82QXdvAvOPVLfbjEdm2sbIZhvjQ14xXeEDHXCMobudVv+sYPzx7rU2soTrpYNNDtp3ocUvMwBOi5Aa21bPPjc3kxxdvK+jtQliBEaLsPdwSO/+8fmDHK/Ip+gw3hrGsXic7zpc2pCp5XrRY75RjujO+g=,iv:KQavUuifIjeA2jgkRFBXAweGYvtK85wMcbFm9vfz6Vc=,tag:ZixM2qHGmfT2YTc5AU5smA==,type:str]
+  pgp: []
+  encrypted_regex: crowdsecLapiKey
+  version: 3.9.1
diff --git a/k8s/infrastructure/controllers/traefik/plugins/kustomization.yaml b/k8s/infrastructure/controllers/traefik/middlewares/kustomization.yaml
similarity index 74%
rename from k8s/infrastructure/controllers/traefik/plugins/kustomization.yaml
rename to k8s/infrastructure/controllers/traefik/middlewares/kustomization.yaml
index 35f07da..c3e765d 100644
--- a/k8s/infrastructure/controllers/traefik/plugins/kustomization.yaml
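Review bot: `crowdsecLapiScheme: http` sends the LAPI bouncer key in clear text on every decision lookup, a step back from the `https` the deleted `plugins/crowdsec.yaml` used; the commented-out `crowdsecLapiTLSInsecureVerify` suggests certificate verification was the obstacle, and the fix for that is to hand the plugin the LAPI's CA (the plugin exposes a certificate-authority option; check its README for the exact key) rather than drop TLS. `logLevel: DEBUG` on a middleware that sits in the request path writes per-request detail, including client addresses, into Traefik's logs, so I would set `logLevel: INFO` before this sees real traffic. Switching to `crowdsecMode: live` also makes each request wait on a synchronous LAPI round-trip, so the bouncer's behaviour when `crowdsec-service` is down (fail open or fail closed) is worth verifying and recording in a comment next to `crowdsecMode:`.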
+++ b/k8s/infrastructure/controllers/traefik/middlewares/kustomization.yaml
@@ -2,4 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - crowdsec.yaml
+  - crowdsec-bouncer.yaml
+
diff --git a/k8s/infrastructure/controllers/traefik/plugins/crowdsec.yaml b/k8s/infrastructure/controllers/traefik/plugins/crowdsec.yaml
deleted file mode 100644
index bff4edc..0000000
--- a/k8s/infrastructure/controllers/traefik/plugins/crowdsec.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: bouncer
-  namespace: traefik
-spec:
-  plugin:
-    bouncer:
-      enabled: "true"
-      logLevel: DEBUG
-      crowdsecMode: stream
-      crowdsecLapiScheme: https
-      crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
-      # https://docs.crowdsec.net/u/getting_started/installation/kubernetes/
-      crowdsecLapiKey: ENC[AES256_GCM,data:6uiMo8nlWN+NJ9Ow8By3435R4sV6Ff4Uug/KSPDExNLnY4D2mM95Ne6Skw==,iv:XA5EhZ1iM+DzTa9ZhZlrKMwCh1YJ471GY4M3ZCJFKc4=,tag:Yn312cAs02oDnovxIVYHQA==,type:str]
-sops:
-  kms: []
-  gcp_kms: []
-  azure_kv: []
-  hc_vault: []
-  age:
-    - recipient: age1gznjylxw2d3mhq6ar4nl4mvltzjems76swlqpe607u4h8j5ykefqz0hhw0
-      enc: |
-        -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsOW1HRDduS1JkeHp6N2Fx
-        RWlGTXpDS3Y1SHRRN1dzSm9LaFJXTVJYb0RNCjhuU1BONVhNWW05VUY2cWFOQWVK
-        cmcxN2dRVDdTWXovUzRJSWNZUjNUdzgKLS0tIHlVYmk4czdoaHI0aERaeWNTNHRz
-        S3JSOEY2Y0dWci9JNGVFRHM3ckxURjgKKCk3oswfOMyMFwluWbUOy1ugfM24SARR
-        fPbgrcUqAQAIiGONf88ybs9kWGSlnh9CS/IEhbDKFixAWNebpmv28A==
-        -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2025-02-14T00:15:25Z"
-  mac: ENC[AES256_GCM,data:sR/HO71a2sjIOmGXTSGkcDU/AAYNG+oy0G9Zr8WKT6Oz+auvp4gy2pUENJl1oX5KiUvfrJe7ref0x+oQ5FtaYHYIXW925zALYGpVFwVKeasAahsZLBqfzbG+Q/8aYrayaz2xidINlLU+DJT/H+M9vGmaRKX/p9CHt8EkAq736TQ=,iv:4rxIvGQnb6okS/kDAe9gkzIaEzIXY12lkQFNcpLYCTs=,tag:X7FjXkH1avrhM9ZQxo2dmQ==,type:str]
-  pgp: []
-  encrypted_regex: crowdsecLapiKey
-  version: 3.9.1
diff --git a/k8s/infrastructure/controllers/traefik/release.yaml b/k8s/infrastructure/controllers/traefik/release.yaml
index 8ccc42d..0b46ff3 100644
--- a/k8s/infrastructure/controllers/traefik/release.yaml
+++ b/k8s/infrastructure/controllers/traefik/release.yaml
@@ -49,6 +49,8 @@ spec:
     ports:
       web:
+        middlewares:
+          - traefik-bouncer@kubernetescrd
         port: 80
         redirections:
           entryPoint:
@@ -56,6 +58,8 @@ spec:
             scheme: https
             permanent: true
       websecure:
+        middlewares:
+          - traefik-bouncer@kubernetescrd
         port: 443
         http3:
           enabled: true
@@ -128,7 +132,7 @@ spec:
     plugins:
       crowdsec-bouncer-traefik-plugin:
         moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
-        version: "v1.4.1"
+        version: "v1.3.3"
 
     # Mostly from https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md#use-prometheus-operator
     metrics:
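Review bot: Attaching `traefik-bouncer@kubernetescrd` at the entrypoint makes every ban decision depend on the client address Traefik sees, and neither the `web` nor the `websecure` block sets `forwardedHeaders.trustedIPs`; if traffic arrives through an upstream proxy or CDN (the repo carries a `cloudflare.yaml` secret, so this seems plausible), the bouncer evaluates — and can eventually ban — the proxy's address, cutting off everyone behind it. I would add `forwardedHeaders: {trustedIPs: [<proxy ranges>]}` under both entrypoints and confirm the plugin is configured to take the client IP from the matching forwarded header. Running the bouncer on `web` as well is defensible since the redirect still answers attackers, but it costs a LAPI lookup per redirected request in live mode, so a one-line comment stating that it is intentional would help.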
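Review bot: `version: "v1.3.3"` downgrades the bouncer plugin from v1.4.1 with no stated reason, which reads as accidental to the next maintainer and discards whatever fixes landed between the two releases. If v1.4.1 did not work with this LAPI or Traefik version, record it next to the pin: `# v1.4.x <symptom> against this LAPI; retest on the next Traefik upgrade`. Pinning by tag alone also means Traefik fetches the plugin source from its plugin catalog at startup with no checksum under your control, so following the plugin's release notes and re-pinning deliberately is the only supply-chain control available here.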