feat: Add crowdsec

This commit is contained in:
Tony Du 2025-02-13 14:36:41 -08:00
parent 37ce552a0f
commit df10ddfcef
11 changed files with 123 additions and 1 deletions


@ -37,7 +37,7 @@ proxies:
- name: redirect-tonydu-me-mnke-org
namespace: default
- service_name: dns-home-mnke
- service_name: dns-dolo-mnke
tls_secret_name: wildcard-mnke-org-tls
listen_host: dns.dolo.mnke.org
middlewares:


@ -0,0 +1,9 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- secrets.yaml
- repository.yaml
- release.yaml


@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: crowdsec
labels:
external-secrets.io/secrets.crowdsec: require


@ -0,0 +1,46 @@
---
# https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/tree/main/examples/kubernetes
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: crowdsec
namespace: flux-system
spec:
interval: 10m
releaseName: crowdsec
targetNamespace: crowdsec
chart:
spec:
chart: crowdsec
sourceRef:
kind: HelmRepository
name: crowdsec
namespace: flux-system
interval: 10m
values:
# for raw logs format: json or cri (docker|containerd)
container_runtime: containerd
agent:
# Specify each pod whose logs you want to process
acquisition:
# The namespace where the pod is located
- namespace: traefik
# The pod name
podName: traefik-*
# as in crowdsec configuration, we need to specify the program name to find a matching parser
program: traefik
env:
- name: COLLECTIONS
value: "crowdsecurity/traefik"
lapi:
env:
# To enroll the Security Engine to the console
- name: ENROLL_KEY
valueFrom:
secretKeyRef:
name: crowdsec
key: crowdsec-enroll-key
- name: ENROLL_INSTANCE_NAME
value: "dolo"
- name: ENROLL_TAGS
value: "k8s linux dolo"
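Review bot: `chart.spec` (the `chart: crowdsec` block) carries no `version`, so Flux resolves whatever chart is newest in the repository on each `interval: 10m` reconcile and an upstream chart release changes this deployment without review; pin it next to `chart: crowdsec`, e.g. `version: "<pinned chart version>"` (placeholder), the way the Traefik plugin elsewhere in this commit pins `v1.4.1`. `ENROLL_KEY` is correctly sourced from a Secret rather than written into values. `agent.acquisition` only matches `podName: traefik-*` in `namespace: traefik`, which is presumably the intended scope; if Traefik's access log is not enabled elsewhere (not visible in this commit), the agent has nothing to parse, so a comment above `acquisition:` stating that dependency would help the next reader.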


@ -0,0 +1,9 @@
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: crowdsec
namespace: flux-system
spec:
interval: 10m
url: https://crowdsecurity.github.io/helm-charts


@ -0,0 +1,24 @@
---
apiVersion: external-secrets.io/v1beta1
kind: ClusterExternalSecret
metadata:
name: crowdsec
spec:
externalSecretName: crowdsec
namespaceSelectors:
- matchLabels:
external-secrets.io/secrets.crowdsec: require
externalSecretSpec:
secretStoreRef:
kind: ClusterSecretStore
name: infisical
target:
name: crowdsec
data:
- secretKey: crowdsec-enroll-key
remoteRef:
key: crowdsec-enroll-key
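Review bot: `data` pulls only `crowdsec-enroll-key`, so the bouncer's LAPI API key has no path from the secret store and ends up inline in the Traefik Middleware manifest elsewhere in this commit. Add a second entry, `- secretKey: crowdsec-bouncer-key` with `remoteRef.key: <bouncer key name in the secret store>` (placeholder), and let LAPI register it at start from the same Secret via an env such as `BOUNCER_KEY_traefik`, which the CrowdSec image supports if I recall correctly. Note the `namespaceSelectors` gate: the Secret only lands in namespaces labelled `external-secrets.io/secrets.crowdsec: require`, so the traefik namespace would need that label before a file-mounted key could be used there.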


@ -12,3 +12,4 @@ resources:
- promtail
- reflector
- traefik
- crowdsec


@ -5,3 +5,4 @@ resources:
- namespace.yaml
- repository.yaml
- release.yaml
- plugins


@ -0,0 +1,15 @@
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: bouncer
namespace: traefik
spec:
plugin:
bouncer:
CrowdsecLapiKey: ***REMOVED***
Enabled: "true"
logLevel: DEBUG
crowdsecMode: live
crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
crowdsecLapiScheme: http
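Review bot: `spec.plugin.bouncer` names a plugin `bouncer`, but the Traefik values in the last hunk of this commit register it under `experimental.plugins.crowdsec-bouncer-traefik-plugin`; unless I'm misreading, Traefik resolves a middleware plugin by that static-config key, so this Middleware fails to load and every router that attaches it is disabled rather than protected. Rename one side, e.g. the Middleware key to `crowdsec-bouncer-traefik-plugin:` or the static plugin key to `bouncer:`. `CrowdsecLapiKey: ***REMOVED***` carries the bouncer credential in the manifest (the placeholder suggests a value was scrubbed from history, so that key should be treated as exposed and re-issued on the LAPI side); the plugin also accepts `CrowdsecLapiKeyFile`, if I recall its options correctly, so the key could be mounted into the Traefik pod from a Secret instead. With `crowdsecLapiScheme: http` the key crosses the cluster network in clear on every request, and `logLevel: DEBUG` is noisy for a production middleware; both deserve either a tighter setting or a comment saying why they are acceptable here. The option keys also mix `CrowdsecLapiKey`/`Enabled` with `logLevel`/`crowdsecMode` casing; pick one.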


@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- crowdsec.yaml


@ -124,6 +124,11 @@ spec:
# default:
# defaultCertificate:
# secretName: wildcard-mnke-org-tls
experimental:
plugins:
crowdsec-bouncer-traefik-plugin:
moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
version: "v1.4.1"
# Mostly from https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md#use-prometheus-operator
metrics:
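Review bot: `experimental.plugins.crowdsec-bouncer-traefik-plugin` makes each Traefik pod fetch and interpret the plugin module at startup from the Traefik plugin catalog, as I understand Traefik's plugin loading, so pod start now depends on outbound access to that catalog and on its copy of `v1.4.1`. The version pin is right; the new runtime egress dependency is worth a comment above `experimental:`, e.g. `# plugins are downloaded at Traefik start; pods need egress to the plugin catalog`. The enclosing `spec` starts before and continues past this hunk.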