From 2ba4eca34e208a982b1cfc34dfc34ed614305016 Mon Sep 17 00:00:00 2001
From: Tony Du
Date: Thu, 13 Feb 2025 16:19:09 -0800
Subject: [PATCH] feat: Add SOPS

---
 k8s/clusters/dolo/.sops.yaml | 4 ++
 k8s/clusters/dolo/infrastructure.yaml | 8 ++++
 .../controllers/crowdsec/release.yaml | 1 +
 .../controllers/traefik/plugins/crowdsec.yaml | 42 ++++++++++++++-----
 4 files changed, 44 insertions(+), 11 deletions(-)
 create mode 100644 k8s/clusters/dolo/.sops.yaml

diff --git a/k8s/clusters/dolo/.sops.yaml b/k8s/clusters/dolo/.sops.yaml
new file mode 100644
index 0000000..b995352
--- /dev/null
+++ b/k8s/clusters/dolo/.sops.yaml
@@ -0,0 +1,4 @@
+creation_rules:
+ - path_regex: .yaml
+ encrypted_regex: ^(data|stringData)$
+ age: age1gznjylxw2d3mhq6ar4nl4mvltzjems76swlqpe607u4h8j5ykefqz0hhw0
diff --git a/k8s/clusters/dolo/infrastructure.yaml b/k8s/clusters/dolo/infrastructure.yaml
index 4994fa8..910dce4 100644
--- a/k8s/clusters/dolo/infrastructure.yaml
+++ b/k8s/clusters/dolo/infrastructure.yaml
@@ -14,6 +14,10 @@ spec:
 path: ./k8s/infrastructure/crds
 wait: true
 prune: true
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age

 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
@@ -33,3 +37,7 @@ spec:
 prune: true
 dependsOn:
 - name: crds
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
diff --git a/k8s/infrastructure/controllers/crowdsec/release.yaml b/k8s/infrastructure/controllers/crowdsec/release.yaml
index e2efb1b..160c61d 100644
--- a/k8s/infrastructure/controllers/crowdsec/release.yaml
+++ b/k8s/infrastructure/controllers/crowdsec/release.yaml
@@ -1,5 +1,6 @@
 ---
 # https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/tree/main/examples/kubernetes
+# https://docs.crowdsec.net/u/getting_started/installation/kubernetes/
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
diff --git a/k8s/infrastructure/controllers/traefik/plugins/crowdsec.yaml b/k8s/infrastructure/controllers/traefik/plugins/crowdsec.yaml
index 1ff222c..bff4edc 100644
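Review bot: The creation rule's `encrypted_regex: ^(data|stringData)$` does not cover the key this same commit encrypts in the Traefik Middleware (`crowdsecLapiKey`, whose stored sops metadata carries `encrypted_regex: crowdsecLapiKey`), so a fresh `sops -e` of a similar plugin manifest under this rule would leave the bouncer key in clear text; either widen the rule to `encrypted_regex: ^(data|stringData|crowdsecLapiKey)$` or keep bouncer keys in a Secret so the existing rule applies. `path_regex: .yaml` is an unanchored pattern with an unescaped dot, so it also matches names like `foo.yaml.bak` or `xyaml`; `path_regex: '\.ya?ml$'` states the intent. The rule file sits under k8s/clusters/dolo while the encrypted manifest lives under k8s/infrastructure, so whether this config is found at all presumably depends on the directory sops is invoked from — a comment above `creation_rules:` naming the intended working directory would save the next person a surprise. The age value here is the public recipient, so committing it is fine; the corresponding private key must never land in this repository.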
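Review bot: Both Kustomizations now reference a `sops-age` Secret through `decryption.secretRef` (this hunk and the one at `@@ -33,3 +37,7 @@`), but nothing in the patch creates that Secret, so reconciliation of `crds` and of the dependent Kustomization will fail until it exists in the Kustomization's own namespace with the age private key matching the recipient listed in .sops.yaml. That bootstrap step is out-of-band by design and should be recorded next to the first `decryption:` block, e.g. `# requires a sops-age Secret in this namespace holding the age private key (created manually at bootstrap, never committed)`. The `crds` Kustomization points at ./k8s/infrastructure/crds, which from here does not appear to contain encrypted material; decryption there is harmless, but a one-line comment saying whether it is intentional or just parallel to the second Kustomization would help. Both enclosing Kustomization objects start before the hunks shown.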
--- a/k8s/infrastructure/controllers/traefik/plugins/crowdsec.yaml
+++ b/k8s/infrastructure/controllers/traefik/plugins/crowdsec.yaml
@@ -1,15 +1,35 @@
----
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
- name: bouncer
- namespace: traefik
+ name: bouncer
+ namespace: traefik
 spec:
- plugin:
- bouncer:
- CrowdsecLapiKey: ***REMOVED***
- Enabled: "true"
- logLevel: DEBUG
- crowdsecMode: live
- crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
- crowdsecLapiScheme: http
+ plugin:
+ bouncer:
+ enabled: "true"
+ logLevel: DEBUG
+ crowdsecMode: stream
+ crowdsecLapiScheme: https
+ crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
+ # https://docs.crowdsec.net/u/getting_started/installation/kubernetes/
+ crowdsecLapiKey: ENC[AES256_GCM,data:6uiMo8nlWN+NJ9Ow8By3435R4sV6Ff4Uug/KSPDExNLnY4D2mM95Ne6Skw==,iv:XA5EhZ1iM+DzTa9ZhZlrKMwCh1YJ471GY4M3ZCJFKc4=,tag:Yn312cAs02oDnovxIVYHQA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1gznjylxw2d3mhq6ar4nl4mvltzjems76swlqpe607u4h8j5ykefqz0hhw0
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsOW1HRDduS1JkeHp6N2Fx
+ RWlGTXpDS3Y1SHRRN1dzSm9LaFJXTVJYb0RNCjhuU1BONVhNWW05VUY2cWFOQWVK
+ cmcxN2dRVDdTWXovUzRJSWNZUjNUdzgKLS0tIHlVYmk4czdoaHI0aERaeWNTNHRz
+ S3JSOEY2Y0dWci9JNGVFRHM3ckxURjgKKCk3oswfOMyMFwluWbUOy1ugfM24SARR
+ fPbgrcUqAQAIiGONf88ybs9kWGSlnh9CS/IEhbDKFixAWNebpmv28A==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-02-14T00:15:25Z"
+ mac: ENC[AES256_GCM,data:sR/HO71a2sjIOmGXTSGkcDU/AAYNG+oy0G9Zr8WKT6Oz+auvp4gy2pUENJl1oX5KiUvfrJe7ref0x+oQ5FtaYHYIXW925zALYGpVFwVKeasAahsZLBqfzbG+Q/8aYrayaz2xidINlLU+DJT/H+M9vGmaRKX/p9CHt8EkAq736TQ=,iv:4rxIvGQnb6okS/kDAe9gkzIaEzIXY12lkQFNcpLYCTs=,tag:X7FjXkH1avrhM9ZQxo2dmQ==,type:str]
+ pgp: []
+ encrypted_regex: crowdsecLapiKey
+ version: 3.9.1
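Review bot: The removed `CrowdsecLapiKey` line (shown scrubbed as `***REMOVED***`) means a bouncer API key was previously committed in clear text and remains in git history, so the `ENC[...]` value should be a newly generated bouncer key rather than the old one re-encrypted; the commit does not say which, and a comment such as `# bouncer key rotated when moved to SOPS; the pre-SOPS key is revoked` above `crowdsecLapiKey:` would close that question. `crowdsecLapiScheme` flips from `http` to `https` while `crowdsecLapiHost` keeps the same in-cluster service and port 8080; unless the LAPI service now terminates TLS there and the plugin is given a CA to trust, the bouncer presumably fails to reach LAPI and, depending on plugin defaults, may fail open — neither side of that is visible in this patch. Once Flux decrypts the manifest the key is stored in plaintext inside the Middleware object, readable by anyone who can read Middlewares in the `traefik` namespace; keeping the key in a Secret (which the new `.sops.yaml` rule already targets) and referencing it from the plugin keeps it under Secret RBAC. Dropping the leading `---` is a style regression against yamllint's document-start rule and against the sibling release.yaml, which keeps it.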