feat: Add crowdsec

k8s/apps/ingressroutes/external/templater/values.yaml

@@ -37,7 +37,7 @@ proxies:
       - name: redirect-tonydu-me-mnke-org
         namespace: default
 
-  - service_name: dns-home-mnke
+  - service_name: dns-dolo-mnke
     tls_secret_name: wildcard-mnke-org-tls
     listen_host: dns.dolo.mnke.org
     middlewares:

k8s/infrastructure/controllers/crowdsec/kustomization.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - secrets.yaml
+  - repository.yaml
+  - release.yaml
+

k8s/infrastructure/controllers/crowdsec/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: crowdsec
+  labels:
+    external-secrets.io/secrets.crowdsec: require

k8s/infrastructure/controllers/crowdsec/release.yaml

@@ -0,0 +1,46 @@
+---
+# https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/tree/main/examples/kubernetes
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: crowdsec
+  namespace: flux-system
+spec:
+  interval: 10m
+  releaseName: crowdsec
+  targetNamespace: crowdsec
+  chart:
+    spec:
+      chart: crowdsec
+      sourceRef:
+        kind: HelmRepository
+        name: crowdsec
+        namespace: flux-system
+      interval: 10m
+  values:
+    # for raw logs format: json or cri (docker|containerd)
+    container_runtime: containerd
+    agent:
+      # Specify each pod whose logs you want to process
+      acquisition:
+        # The namespace where the pod is located
+        - namespace: traefik
+          # The pod name
+          podName: traefik-*
+          # as in crowdsec configuration, we need to specify the program name to find a matching parser
+          program: traefik
+      env:
+        - name: COLLECTIONS
+          value: "crowdsecurity/traefik"
+    lapi:
+      env:
+        # To enroll the Security Engine to the console
+        - name: ENROLL_KEY
+          valueFrom:
+            secretKeyRef:
+              name: crowdsec
+              key: crowdsec-enroll-key
+        - name: ENROLL_INSTANCE_NAME
+          value: "dolo"
+        - name: ENROLL_TAGS
+          value: "k8s linux dolo"

k8s/infrastructure/controllers/crowdsec/repository.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: crowdsec
+  namespace: flux-system
+spec:
+  interval: 10m
+  url: https://crowdsecurity.github.io/helm-charts

k8s/infrastructure/controllers/crowdsec/secrets.yaml

@@ -0,0 +1,24 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterExternalSecret
+metadata:
+  name: crowdsec
+spec:
+  externalSecretName: crowdsec
+
+  namespaceSelectors:
+    - matchLabels:
+        external-secrets.io/secrets.crowdsec: require
+
+  externalSecretSpec:
+    secretStoreRef:
+      kind: ClusterSecretStore
+      name: infisical
+
+    target:
+      name: crowdsec
+
+    data:
+      - secretKey: crowdsec-enroll-key
+        remoteRef:
+          key: crowdsec-enroll-key

k8s/infrastructure/controllers/kustomization.yaml

@@ -12,3 +12,4 @@ resources:
   - promtail
   - reflector
   - traefik
+  - crowdsec

k8s/infrastructure/controllers/traefik/kustomization.yaml

@@ -5,3 +5,4 @@ resources:
   - namespace.yaml
   - repository.yaml
   - release.yaml
+  - plugins

k8s/infrastructure/controllers/traefik/plugins/crowdsec.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: bouncer
+  namespace: traefik
+spec:
+  plugin:
+    bouncer:
+      CrowdsecLapiKey: ***REMOVED***
+      Enabled: "true"
+      logLevel: DEBUG
+      crowdsecMode: live
+      crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
+      crowdsecLapiScheme: http

k8s/infrastructure/controllers/traefik/plugins/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - crowdsec.yaml

k8s/infrastructure/controllers/traefik/release.yaml

@@ -124,6 +124,11 @@ spec:
       # default:
         # defaultCertificate:
           # secretName: wildcard-mnke-org-tls
+    experimental:
+      plugins:
+        crowdsec-bouncer-traefik-plugin:
+          moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
+          version: "v1.4.1"
 
     # Mostly from https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md#use-prometheus-operator
     metrics: