add nginx ignress bouncer to ingress controller [ci skip]

This commit is contained in:
Viktor Barzin 2023-11-25 13:33:03 +00:00
parent e6ff305574
commit aa324ef1d5
5 changed files with 88 additions and 5 deletions


@ -59,6 +59,9 @@ variable "finance_app_gocardless_secret_id" {}
variable "headscale_config" {}
variable "immich_postgresql_password" {}
variable "ingress_honeypotapikey" {}
variable "ingress_crowdsec_api_key" {}
variable "ingress_crowdsec_captcha_secret_key" {}
variable "ingress_crowdsec_captcha_site_key" {}
variable "vaultwarden_smtp_password" {}
variable "resume_database_url" {}
variable "resume_redis_url" {}
@ -289,7 +292,10 @@ module "kubernetes_cluster" {
immich_postgresql_password = var.immich_postgresql_password
ingress_honeypotapikey = var.ingress_honeypotapikey
ingress_honeypotapikey = var.ingress_honeypotapikey
ingress_crowdsec_api_key = var.ingress_crowdsec_api_key
ingress_crowdsec_captcha_secret_key = var.ingress_crowdsec_captcha_secret_key
ingress_crowdsec_captcha_site_key = var.ingress_crowdsec_captcha_site_key
vaultwarden_smtp_password = var.vaultwarden_smtp_password
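Review bot: The three new declarations `variable "ingress_crowdsec_api_key" {}`, `variable "ingress_crowdsec_captcha_secret_key" {}` and `variable "ingress_crowdsec_captcha_site_key" {}` have empty bodies, so Terraform treats them as non-sensitive and echoes their values in plan/apply output and in the state diffs that end up in CI logs. The API key and the captcha secret key should be marked, e.g. `variable "ingress_crowdsec_api_key" { sensitive = true }` (adding `type = string` on its own line while you are there); the site key is intended to be public so it can stay plain. The same applies to the copies of these declarations in the `@ -46,6 +46,9` hunk of the module-level variables file and to the `variable "crowdsec_api_key" {}` trio in the nginx-ingress module's `@ -9,6 +9,9` hunk. Marking them sensitive also propagates through `module "kubernetes_cluster"` so the downstream `env` values inherit the redaction.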


@ -66,7 +66,6 @@ resource "helm_release" "crowdsec" {
chart = "crowdsec"
values = [templatefile("${path.module}/values.yaml", {})]
# values = [templatefile("${path.module}/rowdsec-ingress-bouncer.yaml", {})]
}
# resource "kubernetes_ingress_v1" "metabase" {


@ -46,6 +46,9 @@ variable "finance_app_gocardless_secret_id" {}
variable "headscale_config" {}
variable "immich_postgresql_password" {}
variable "ingress_honeypotapikey" {}
variable "ingress_crowdsec_api_key" {}
variable "ingress_crowdsec_captcha_secret_key" {}
variable "ingress_crowdsec_captcha_site_key" {}
variable "vaultwarden_smtp_password" {}
variable "resume_database_url" {}
variable "resume_redis_url" {}
@ -76,7 +79,7 @@ module "dbaas" {
tls_secret_name = var.tls_secret_name
dbaas_root_password = var.dbaas_root_password
postgresql_root_password = var.dbaas_postgresql_root_password
pgadmin_password = var.dbaas_pgadmin_password
pgadmin_password = var.dbaas_pgadmin_password
}
module "descheduler" {
@ -350,8 +353,11 @@ module "immich" {
}
module "nginx-ingress" {
source = "./nginx-ingress"
honeypotapikey = var.ingress_honeypotapikey
source = "./nginx-ingress"
honeypotapikey = var.ingress_honeypotapikey
crowdsec_api_key = var.ingress_crowdsec_api_key
crowdsec_captcha_secret_key = var.ingress_crowdsec_captcha_secret_key
crowdsec_captcha_site_key = var.ingress_crowdsec_captcha_site_key
}
module "crowdsec" {


@ -9,6 +9,9 @@
variable "honeypotapikey" {
default = null
}
variable "crowdsec_api_key" {}
variable "crowdsec_captcha_secret_key" {}
variable "crowdsec_captcha_site_key" {}
resource "kubernetes_namespace" "ingress_nginx" {
metadata {
name = "ingress-nginx"
@ -322,6 +325,12 @@ resource "kubernetes_config_map" "ingress_nginx_controller" {
setvar:tx.block_harvester_ip=1,\
setvar:tx.block_spammer_ip=1"
EOT
plugins = "crowdsec"
lua-shared-dicts = "crowdsec_cache: 50m"
server-snippet : <<-EOT
lua_ssl_trusted_certificate "/etc/ssl/certs/ca-certificates.crt"; # Captcha
resolver local=on ipv6=off;
EOT
}
}
resource "kubernetes_service" "ingress_nginx_controller" {
@ -430,10 +439,73 @@ resource "kubernetes_deployment" "ingress_nginx_controller" {
# name = "modsecurity"
# }
# }
## Crowdsec
init_container {
name = "init-clone-crowdsec-bouncer"
image = "crowdsecurity/lua-bouncer-plugin"
env {
name = "API_URL"
value = "http://crowdsec-service.crowdsec.svc.cluster.local:8080"
}
env {
name = "API_KEY"
value = var.crowdsec_api_key
}
env {
name = "CAPTCHA_PROVIDER"
value = "recaptcha"
}
env {
name = "BOUNCING_ON_TYPE"
value = "all"
}
env {
name = "SECRET_KEY"
value = var.crowdsec_captcha_secret_key
}
env {
name = "SITE_KEY"
value = var.crowdsec_captcha_site_key
}
env {
name = "DISABLE_RUN"
value = "true"
}
env {
name = "BAN_TEMPLATE_PATH"
value = "/etc/nginx/lua/plugins/crowdsec/templates/ban.html"
}
env {
name = "CAPTCHA_TEMPLATE_PATH"
value = "/etc/nginx/lua/plugins/crowdsec/templates/captcha.html"
}
env {
name = "BOUNCER_CONFIG"
value = "/crowdsec/crowdsec-bouncer.conf"
}
command = ["sh", "-c", "sh /docker_start.sh; mkdir -p /lua_plugins/crowdsec/; cp -r /crowdsec /lua_plugins/; chown -R 101:101 /lua_plugins/"]
volume_mount {
name = "crowdsec"
mount_path = "/lua_plugins"
}
}
# Share bouncer config
volume {
name = "crowdsec"
empty_dir {
}
}
container {
name = "controller"
image = "registry.k8s.io/ingress-nginx/controller:v1.8.2@sha256:74834d3d25b336b62cabeb8bf7f1d788706e2cf1cfd64022de4137ade8881ff2"
args = ["/nginx-ingress-controller", "--election-id=ingress-nginx-leader", "--controller-class=k8s.io/ingress-nginx", "--ingress-class=nginx", "--configmap=$(POD_NAMESPACE)/ingress-nginx-controller", "--validating-webhook=:8443", "--validating-webhook-certificate=/usr/local/certificates/cert", "--validating-webhook-key=/usr/local/certificates/key"]
volume_mount {
name = "crowdsec"
mount_path = "/etc/nginx/lua/plugins/crowdsec"
sub_path = "crowdsec"
}
port {
name = "http"
container_port = 80
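Review bot: The init container image `crowdsecurity/lua-bouncer-plugin` in the deployment hunk has no tag or digest, so every pod start pulls whatever `latest` currently is, while the controller image a few lines below is pinned to `v1.8.2@sha256:…`; since this plugin is copied into the controller's Lua path and executes inside the proxy for every request, pin it the same way, e.g. `image = "crowdsecurity/lua-bouncer-plugin:<TAG>@sha256:<DIGEST>"` (placeholders — take the values from the registry). Separately, `API_KEY` and `SECRET_KEY` are set with `value = var.crowdsec_api_key` and `value = var.crowdsec_captcha_secret_key`, which puts both secrets verbatim into the Deployment spec where any principal that can read Deployments in `ingress-nginx` sees them; a `kubernetes_secret` referenced via `value_from { secret_key_ref { … } }` keeps them out of the pod spec and the deployment's state diff. The generated `/crowdsec/crowdsec-bouncer.conf` presumably carries the same key onto the shared `crowdsec` emptyDir, so the `chown -R 101:101` in the command is what scopes it to the controller user — a short comment on the `command` line saying that is the intent would help the next reader. In the config map hunk, `server-snippet : <<-EOT` uses `:` where the neighbouring keys use `=`; use `=` for consistency. The `kubernetes_deployment` resource continues past the end of the hunk.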
