chore: Update crowdsec

2025-03-07 20:19:23 -08:00 · 2025-03-07 20:19:23 -08:00 · beb0a45ae6
commit beb0a45ae6
parent 082702bc29
5 changed files with 47 additions and 2 deletions
--- a/k8s/infrastructure/controllers/crowdsec/kustomization.yaml
+++ b/k8s/infrastructure/controllers/crowdsec/kustomization.yaml
@ -6,4 +6,3 @@ resources:
  - secrets.yaml
  - repository.yaml
  - release.yaml
-
--- a/k8s/infrastructure/controllers/crowdsec/release.yaml
+++ b/k8s/infrastructure/controllers/crowdsec/release.yaml
@ -30,10 +30,19 @@ spec:
          podName: traefik-*
          # as in crowdsec configuration, we need to specify the program name to find a matching parser
          program: traefik
+          poll_without_inotify: true
      env:
+        - name: PARSERS
+          value: "crowdsecurity/cri-logs"
        - name: COLLECTIONS
-          value: "crowdsecurity/linux crowdsecurity/traefik crowdsecurity/http-dos crowdsecurity/base-http-scenarios"
+          value: "crowdsecurity/linux crowdsecurity/traefik crowdsecurity/http-dos crowdsecurity/http-cve"
    lapi:
+      metrics:
+        enabled: true
+        serviceMonitor:
+          enabled: true
+          additionalLabels:
+            release: kube-prometheus-stack
      env:
        # To enroll the Security Engine to the console
        - name: ENROLL_KEY
--- a/k8s/infrastructure/controllers/traefik/middlewares/cloudflare-ip-header.yaml
+++ b/k8s/infrastructure/controllers/traefik/middlewares/cloudflare-ip-header.yaml
@ -0,0 +1,10 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: cloudflare-ip-header
+  namespace: traefik
+spec:
+  headers:
+    customRequestHeaders:
+      X-Forwarded-For: "{Cf-Connecting-Ip}"
+
--- a/k8s/infrastructure/controllers/traefik/middlewares/kustomization.yaml
+++ b/k8s/infrastructure/controllers/traefik/middlewares/kustomization.yaml
@ -3,4 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - crowdsec-bouncer.yaml
+  - cloudflare-ip-header.yaml

--- a/k8s/infrastructure/controllers/traefik/release.yaml
+++ b/k8s/infrastructure/controllers/traefik/release.yaml
@ -60,6 +60,32 @@ spec:
      websecure:
        middlewares:
          - traefik-bouncer@kubernetescrd
+          - traefik-cloudflare-ip-header@kubernetescrd
+        trustedIPs:
+          # https://www.cloudflare.com/ips-v4/#
+          - 173.245.48.0/20
+          - 103.21.244.0/22
+          - 103.22.200.0/22
+          - 103.31.4.0/22
+          - 141.101.64.0/18
+          - 108.162.192.0/18
+          - 190.93.240.0/20
+          - 188.114.96.0/20
+          - 197.234.240.0/22
+          - 198.41.128.0/17
+          - 162.158.0.0/15
+          - 104.16.0.0/13
+          - 104.24.0.0/14
+          - 172.64.0.0/13
+          - 131.0.72.0/22
+          # https://www.cloudflare.com/ips-v6/#
+          - 2400:cb00::/32
+          - 2606:4700::/32
+          - 2803:f800::/32
+          - 2405:b500::/32
+          - 2405:8100::/32
+          - 2a06:98c0::/29
+          - 2c0f:f248::/32
        port: 443
        http3:
          enabled: true