From df10ddfcef2c3af7e6b6df2ffe1019245f75bee7 Mon Sep 17 00:00:00 2001 From: Tony Du Date: Thu, 13 Feb 2025 14:36:41 -0800 Subject: [PATCH] feat: Add crowdsec --- .../external/templater/values.yaml | 2 +- .../controllers/crowdsec/kustomization.yaml | 9 ++++ .../controllers/crowdsec/namespace.yaml | 7 +++ .../controllers/crowdsec/release.yaml | 46 +++++++++++++++++++ .../controllers/crowdsec/repository.yaml | 9 ++++ .../controllers/crowdsec/secrets.yaml | 24 ++++++++++ .../controllers/kustomization.yaml | 1 + .../controllers/traefik/kustomization.yaml | 1 + .../controllers/traefik/plugins/crowdsec.yaml | 15 ++++++ .../traefik/plugins/kustomization.yaml | 5 ++ .../controllers/traefik/release.yaml | 5 ++ 11 files changed, 123 insertions(+), 1 deletion(-) create mode 100644 k8s/infrastructure/controllers/crowdsec/kustomization.yaml create mode 100644 k8s/infrastructure/controllers/crowdsec/namespace.yaml create mode 100644 k8s/infrastructure/controllers/crowdsec/release.yaml create mode 100644 k8s/infrastructure/controllers/crowdsec/repository.yaml create mode 100644 k8s/infrastructure/controllers/crowdsec/secrets.yaml create mode 100644 k8s/infrastructure/controllers/traefik/plugins/crowdsec.yaml create mode 100644 k8s/infrastructure/controllers/traefik/plugins/kustomization.yaml
diff --git a/k8s/apps/ingressroutes/external/templater/values.yaml b/k8s/apps/ingressroutes/external/templater/values.yaml
index cfab0c4..5916225 100644
--- a/k8s/apps/ingressroutes/external/templater/values.yaml
+++ b/k8s/apps/ingressroutes/external/templater/values.yaml
@@ -37,7 +37,7 @@ proxies:
 - name: redirect-tonydu-me-mnke-org
 namespace: default
- - service_name: dns-home-mnke
+ - service_name: dns-dolo-mnke
 tls_secret_name: wildcard-mnke-org-tls
 listen_host: dns.dolo.mnke.org
 middlewares:
diff --git a/k8s/infrastructure/controllers/crowdsec/kustomization.yaml b/k8s/infrastructure/controllers/crowdsec/kustomization.yaml
new file mode 100644
index 0000000..69b1fee
--- /dev/null
+++ b/k8s/infrastructure/controllers/crowdsec/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - namespace.yaml
+ - secrets.yaml
+ - repository.yaml
+ - release.yaml
+
diff --git a/k8s/infrastructure/controllers/crowdsec/namespace.yaml b/k8s/infrastructure/controllers/crowdsec/namespace.yaml
new file mode 100644
index 0000000..0b16bbd
--- /dev/null
+++ b/k8s/infrastructure/controllers/crowdsec/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: crowdsec
+ labels:
+ external-secrets.io/secrets.crowdsec: require
diff --git a/k8s/infrastructure/controllers/crowdsec/release.yaml b/k8s/infrastructure/controllers/crowdsec/release.yaml
new file mode 100644
index 0000000..e2efb1b
--- /dev/null
+++ b/k8s/infrastructure/controllers/crowdsec/release.yaml
@@ -0,0 +1,46 @@
+---
+# https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/tree/main/examples/kubernetes
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: crowdsec
+ namespace: flux-system
+spec:
+ interval: 10m
+ releaseName: crowdsec
+ targetNamespace: crowdsec
+ chart:
+ spec:
+ chart: crowdsec
+ sourceRef:
+ kind: HelmRepository
+ name: crowdsec
+ namespace: flux-system
+ interval: 10m
+ values:
+ # for raw logs format: json or cri (docker|containerd)
+ container_runtime: containerd
+ agent:
+ # Specify each pod whose logs you want to process
+ acquisition:
+ # The namespace where the pod is located
+ - namespace: traefik
+ # The pod name
+ podName: traefik-*
+ # as in crowdsec configuration, we need to specify the program name to find a matching parser
+ program: traefik
+ env:
+ - name: COLLECTIONS
+ value: "crowdsecurity/traefik"
+ lapi:
+ env:
+ # To enroll the Security Engine to the console
+ - name: ENROLL_KEY
+ valueFrom:
+ secretKeyRef:
+ name: crowdsec
+ key: crowdsec-enroll-key
+ - name: ENROLL_INSTANCE_NAME
+ value: "dolo"
+ - name: ENROLL_TAGS
+ value: "k8s linux dolo"
diff --git a/k8s/infrastructure/controllers/crowdsec/repository.yaml b/k8s/infrastructure/controllers/crowdsec/repository.yaml
new file mode 100644
index 0000000..2db20dc
--- /dev/null
+++ b/k8s/infrastructure/controllers/crowdsec/repository.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: crowdsec
+ namespace: flux-system
+spec:
+ interval: 10m
+ url: https://crowdsecurity.github.io/helm-charts
diff --git a/k8s/infrastructure/controllers/crowdsec/secrets.yaml b/k8s/infrastructure/controllers/crowdsec/secrets.yaml
new file mode 100644
index 0000000..3d201f0
--- /dev/null
+++ b/k8s/infrastructure/controllers/crowdsec/secrets.yaml
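Review bot: `spec.chart.spec` in the new HelmRelease pins no `version`, so Flux resolves the newest chart published in the `crowdsec` HelmRepository on each reconcile and an upstream chart release can change what runs in the cluster without a commit in this repo; add `version: "<chart-version>"` (placeholder, pick the release you tested) under `chart: crowdsec` so upgrades are explicit and reviewable. The `acquisition` entry for `traefik-*` only produces detections if the Traefik release emits access logs in a format the `crowdsecurity/traefik` parser understands; that setting lives in the Traefik values outside this diff, so it is worth confirming rather than assuming. `podName: traefik-*` is a valid plain scalar because the `*` is not at the start, but `podName: "traefik-*"` would match the quoting used for the `value:` strings below and protect the line if it is ever reordered.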
@@ -0,0 +1,24 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterExternalSecret
+metadata:
+ name: crowdsec
+spec:
+ externalSecretName: crowdsec
+
+ namespaceSelectors:
+ - matchLabels:
+ external-secrets.io/secrets.crowdsec: require
+
+ externalSecretSpec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: infisical
+
+ target:
+ name: crowdsec
+
+ data:
+ - secretKey: crowdsec-enroll-key
+ remoteRef:
+ key: crowdsec-enroll-key
diff --git a/k8s/infrastructure/controllers/kustomization.yaml b/k8s/infrastructure/controllers/kustomization.yaml
index 87fb7e1..2f21a81 100644
--- a/k8s/infrastructure/controllers/kustomization.yaml
+++ b/k8s/infrastructure/controllers/kustomization.yaml
@@ -12,3 +12,4 @@ resources:
 - promtail
 - reflector
 - traefik
+ - crowdsec
diff --git a/k8s/infrastructure/controllers/traefik/kustomization.yaml b/k8s/infrastructure/controllers/traefik/kustomization.yaml
index f5dc359..ea78503 100644
--- a/k8s/infrastructure/controllers/traefik/kustomization.yaml
+++ b/k8s/infrastructure/controllers/traefik/kustomization.yaml
@@ -5,3 +5,4 @@ resources:
 - namespace.yaml
 - repository.yaml
 - release.yaml
+ - plugins
diff --git a/k8s/infrastructure/controllers/traefik/plugins/crowdsec.yaml b/k8s/infrastructure/controllers/traefik/plugins/crowdsec.yaml
new file mode 100644
index 0000000..1ff222c
--- /dev/null
+++ b/k8s/infrastructure/controllers/traefik/plugins/crowdsec.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: bouncer
+ namespace: traefik
+spec:
+ plugin:
+ bouncer:
+ CrowdsecLapiKey: ***REMOVED***
+ Enabled: "true"
+ logLevel: DEBUG
+ crowdsecMode: live
+ crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
+ crowdsecLapiScheme: http
diff --git a/k8s/infrastructure/controllers/traefik/plugins/kustomization.yaml b/k8s/infrastructure/controllers/traefik/plugins/kustomization.yaml
new file mode 100644
index 0000000..35f07da
--- /dev/null
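Review bot: The `namespaceSelectors` on the new ClusterExternalSecret hands the enroll key to every namespace carrying `external-secrets.io/secrets.crowdsec: require`, so that label is effectively an authorization to receive the secret; only the `crowdsec` namespace sets it in this commit, but any principal allowed to label namespaces can widen the set. If the key is only ever meant for the `crowdsec` namespace, a namespaced ExternalSecret there would avoid the cluster-wide selector; if the label convention is deliberate (it looks like a repo-wide pattern), a comment above `namespaceSelectors:` such as `# any namespace with this label receives the enroll key; keep namespace-label RBAC tight` records that intent for the next reader.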
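Review bot: `CrowdsecLapiKey` on the `bouncer` Middleware carries the LAPI bouncer key as an inline value in a manifest committed to git; the `***REMOVED***` shown here looks like a history-scrubbing artifact, which suggests the real key was committed at some point, so it should be treated as exposed and rotated, and the manifest should stop embedding it. The plugin exposes a `CrowdsecLapiKeyFile` option, so the key can be mounted into the Traefik pod from a Secret and referenced by path, e.g. `CrowdsecLapiKeyFile: /etc/traefik/crowdsec/<mounted-key-file>` (placeholder path), with the inline `CrowdsecLapiKey` line dropped. As committed here the value is also not loadable YAML, because a plain scalar beginning with `*` is parsed as an alias, so the file fails before Traefik ever sees it. `logLevel: DEBUG` and `crowdsecLapiScheme: http` are fine for bring-up but worth revisiting before relying on the bouncer, and nothing in this commit attaches `bouncer` to a route or entrypoint (the `middlewares:` list in the templater values is cut off by its hunk), so confirm it is actually referenced somewhere.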
+++ b/k8s/infrastructure/controllers/traefik/plugins/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - crowdsec.yaml
diff --git a/k8s/infrastructure/controllers/traefik/release.yaml b/k8s/infrastructure/controllers/traefik/release.yaml
index 021ecd3..8ccc42d 100644
--- a/k8s/infrastructure/controllers/traefik/release.yaml
+++ b/k8s/infrastructure/controllers/traefik/release.yaml
@@ -124,6 +124,11 @@ spec:
 # default:
 # defaultCertificate:
 # secretName: wildcard-mnke-org-tls
+ experimental:
+ plugins:
+ crowdsec-bouncer-traefik-plugin:
+ moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
+ version: "v1.4.1"
 # Mostly from https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md#use-prometheus-operator
 metrics: