feat: Add crowdsec

2025-02-13 14:36:41 -08:00 · 2025-02-13 14:36:41 -08:00 · df10ddfcef
commit df10ddfcef
parent 37ce552a0f
11 changed files with 123 additions and 1 deletions
--- a/k8s/apps/ingressroutes/external/templater/values.yaml
+++ b/k8s/apps/ingressroutes/external/templater/values.yaml
@ -37,7 +37,7 @@ proxies:
      - name: redirect-tonydu-me-mnke-org
        namespace: default

-  - service_name: dns-home-mnke
+  - service_name: dns-dolo-mnke
    tls_secret_name: wildcard-mnke-org-tls
    listen_host: dns.dolo.mnke.org
    middlewares:
--- a/k8s/infrastructure/controllers/crowdsec/kustomization.yaml
+++ b/k8s/infrastructure/controllers/crowdsec/kustomization.yaml
@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - secrets.yaml
+  - repository.yaml
+  - release.yaml
+
--- a/k8s/infrastructure/controllers/crowdsec/namespace.yaml
+++ b/k8s/infrastructure/controllers/crowdsec/namespace.yaml
@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: crowdsec
+  labels:
+    external-secrets.io/secrets.crowdsec: require
--- a/k8s/infrastructure/controllers/crowdsec/release.yaml
+++ b/k8s/infrastructure/controllers/crowdsec/release.yaml
@ -0,0 +1,46 @@
+---
+# https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/tree/main/examples/kubernetes
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: crowdsec
+  namespace: flux-system
+spec:
+  interval: 10m
+  releaseName: crowdsec
+  targetNamespace: crowdsec
+  chart:
+    spec:
+      chart: crowdsec
+      sourceRef:
+        kind: HelmRepository
+        name: crowdsec
+        namespace: flux-system
+      interval: 10m
+  values:
+    # for raw logs format: json or cri (docker|containerd)
+    container_runtime: containerd
+    agent:
+      # Specify each pod whose logs you want to process
+      acquisition:
+        # The namespace where the pod is located
+        - namespace: traefik
+          # The pod name
+          podName: traefik-*
+          # as in crowdsec configuration, we need to specify the program name to find a matching parser
+          program: traefik
+      env:
+        - name: COLLECTIONS
+          value: "crowdsecurity/traefik"
+    lapi:
+      env:
+        # To enroll the Security Engine to the console
+        - name: ENROLL_KEY
+          valueFrom:
+            secretKeyRef:
+              name: crowdsec
+              key: crowdsec-enroll-key
+        - name: ENROLL_INSTANCE_NAME
+          value: "dolo"
+        - name: ENROLL_TAGS
+          value: "k8s linux dolo"
--- a/k8s/infrastructure/controllers/crowdsec/repository.yaml
+++ b/k8s/infrastructure/controllers/crowdsec/repository.yaml
@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: crowdsec
+  namespace: flux-system
+spec:
+  interval: 10m
+  url: https://crowdsecurity.github.io/helm-charts
--- a/k8s/infrastructure/controllers/crowdsec/secrets.yaml
+++ b/k8s/infrastructure/controllers/crowdsec/secrets.yaml
@ -0,0 +1,24 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterExternalSecret
+metadata:
+  name: crowdsec
+spec:
+  externalSecretName: crowdsec
+
+  namespaceSelectors:
+    - matchLabels:
+        external-secrets.io/secrets.crowdsec: require
+
+  externalSecretSpec:
+    secretStoreRef:
+      kind: ClusterSecretStore
+      name: infisical
+
+    target:
+      name: crowdsec
+
+    data:
+      - secretKey: crowdsec-enroll-key
+        remoteRef:
+          key: crowdsec-enroll-key
--- a/k8s/infrastructure/controllers/kustomization.yaml
+++ b/k8s/infrastructure/controllers/kustomization.yaml
@ -12,3 +12,4 @@ resources:
  - promtail
  - reflector
  - traefik
+  - crowdsec
--- a/k8s/infrastructure/controllers/traefik/kustomization.yaml
+++ b/k8s/infrastructure/controllers/traefik/kustomization.yaml
@ -5,3 +5,4 @@ resources:
  - namespace.yaml
  - repository.yaml
  - release.yaml
+  - plugins
--- a/k8s/infrastructure/controllers/traefik/plugins/crowdsec.yaml
+++ b/k8s/infrastructure/controllers/traefik/plugins/crowdsec.yaml
@ -0,0 +1,15 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: bouncer
+  namespace: traefik
+spec:
+  plugin:
+    bouncer:
+      CrowdsecLapiKey: ***REMOVED***
+      Enabled: "true"
+      logLevel: DEBUG
+      crowdsecMode: live
+      crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
+      crowdsecLapiScheme: http
--- a/k8s/infrastructure/controllers/traefik/plugins/kustomization.yaml
+++ b/k8s/infrastructure/controllers/traefik/plugins/kustomization.yaml
@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - crowdsec.yaml
--- a/k8s/infrastructure/controllers/traefik/release.yaml
+++ b/k8s/infrastructure/controllers/traefik/release.yaml
@ -124,6 +124,11 @@ spec:
      # default:
        # defaultCertificate:
          # secretName: wildcard-mnke-org-tls
+    experimental:
+      plugins:
+        crowdsec-bouncer-traefik-plugin:
+          moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
+          version: "v1.4.1"

    # Mostly from https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md#use-prometheus-operator
    metrics: