viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add crowdsec module [ci skip]

Browse source
This commit is contained in:
Viktor Barzin 2023-11-24 11:08:25 +00:00
parent 57ce7d3b10
commit e236a65c52
4 changed files with 204 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

44
modules/kubernetes/crowdsec/crowdsec-ingress-bouncer.yaml Normal file
View file

@ -0,0 +1,44 @@
controller:
extraVolumes:
- name: crowdsec-bouncer-plugin
emptyDir: {}
extraInitContainers:
- name: init-clone-crowdsec-bouncer
image: crowdsecurity/lua-bouncer-plugin
imagePullPolicy: IfNotPresent
env:
- name: API_URL
value: "http://crowdsec-service.crowdsec.svc.cluster.local:8080" # crowdsec lapi service-name
- name: API_KEY
value: "<API KEY>" # generated with `cscli bouncers add -n <bouncer_name>
- name: BOUNCER_CONFIG
value: "/crowdsec/crowdsec-bouncer.conf"
- name: CAPTCHA_PROVIDER
value: "recaptcha" # valid providers are recaptcha, hcaptcha, turnstile
- name: SECRET_KEY
value: "<your-captcha-secret-key>" # If you want captcha support otherwise remove this ENV VAR
- name: SITE_KEY
value: "<your-captcha-site-key>" # If you want captcha support otherwise remove this ENV VAR
- name: BAN_TEMPLATE_PATH
value: /etc/nginx/lua/plugins/crowdsec/templates/ban.html
- name: CAPTCHA_TEMPLATE_PATH
value: /etc/nginx/lua/plugins/crowdsec/templates/captcha.html
command:
[
"sh",
"-c",
"sh /docker_start.sh; mkdir -p /lua_plugins/crowdsec/; cp -R /crowdsec/* /lua_plugins/crowdsec/",
]
volumeMounts:
- name: crowdsec-bouncer-plugin
mountPath: /lua_plugins
extraVolumeMounts:
- name: crowdsec-bouncer-plugin
mountPath: /etc/nginx/lua/plugins/crowdsec
subPath: crowdsec
config:
plugins: "crowdsec"
lua-shared-dicts: "crowdsec_cache: 50m"
server-snippet: |
lua_ssl_trusted_certificate "/etc/ssl/certs/ca-certificates.crt"; # If you want captcha support otherwise remove this line
resolver local=on ipv6=off;

105
modules/kubernetes/crowdsec/main.tf Normal file
View file

@ -0,0 +1,105 @@
variable "tls_secret_name" {}
module "tls_secret" {
source = "../setup_tls_secret"
namespace = "crowdsec"
tls_secret_name = var.tls_secret_name
}
resource "kubernetes_namespace" "crowdsec" {
metadata {
name = "crowdsec"
}
}
resource "kubernetes_persistent_volume" "db" {
metadata {
name = "crowdsec-db"
}
spec {
capacity = {
"storage" = "2Gi"
}
access_modes = ["ReadWriteOnce"]
persistent_volume_source {
nfs {
path = "/mnt/main/crowdsec/db"
server = "10.0.10.15"
}
}
claim_ref {
name = "crowdsec-db-pvc"
namespace = "crowdsec"
}
}
}
resource "kubernetes_persistent_volume" "config" {
metadata {
name = "crowdsec-config"
}
spec {
capacity = {
"storage" = "2Gi"
}
access_modes = ["ReadWriteOnce"]
persistent_volume_source {
nfs {
path = "/mnt/main/crowdsec/config"
server = "10.0.10.15"
}
}
claim_ref {
name = "crowdsec-config-pvc"
namespace = "crowdsec"
}
}
}
resource "helm_release" "crowdsec" {
namespace = "crowdsec"
create_namespace = true
name = "crowdsec"
atomic = true
repository = "https://crowdsecurity.github.io/helm-charts"
chart = "crowdsec"
values = [templatefile("${path.module}/values.yaml", {})]
# values = [templatefile("${path.module}/rowdsec-ingress-bouncer.yaml", {})]
}
resource "kubernetes_ingress_v1" "metabase" {
metadata {
name = "metabase"
namespace = "crowdsec"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
# "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
# "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
}
}
spec {
tls {
hosts = ["metabase.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "metabase.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "crowdsec-service"
port {
number = 3000
}
}
}
}
}
}
}
}

49
modules/kubernetes/crowdsec/values.yaml Normal file
View file

@ -0,0 +1,49 @@
container_runtime: containerd
agent:
# To specify each pod you want to process it logs (pods present in the node)
acquisition:
# The namespace where the pod is located
- namespace: ingress-nginx
# The pod name
podName: ingress-nginx-controller-*
# as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs
program: nginx
# Those are ENV variables
env:
# As it's a test, we don't want to share signals with CrowdSec so disable the Online API.
- name: DISABLE_ONLINE_API
value: "true"
# As we are running Nginx, we want to install the Nginx collection
- name: COLLECTIONS
value: "crowdsecurity/nginx"
lapi:
env:
# As it's a test, we don't want to share signals with CrowdSec, so disable the Online API.
- name: DISABLE_ONLINE_API
value: "true"
ingress:
enabled: true
annotations:
# we only want http to the backend so we need this annotation
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
# labels: {}
ingressClassName: "nginx"
host: "crowdsec.viktorbarzin.me" # crowdsec-api.example.com
tls:
- hosts:
- crowdsec.viktorbarzin.me
secretName: "tls-secret"
dashboard:
# -- Enable Metabase Dashboard (by default disabled)
enabled: true
annotations:
# metabase only supports http so we need this annotation
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
# labels: {}
ingressClassName: "nginx" # nginx
host: "crowdsec.viktorbarzin.me" # crowdsec-api.example.com
tls:
- hosts:
- crowdsec.viktorbarzin.me
secretName: "tls-secret"

7
modules/kubernetes/main.tf
View file

@ -313,7 +313,7 @@ module "dashy" {
module "vaultwarden" {
source = "./vaultwarden"
tls_secret_name = var.tls_secret_name
smtp_password = var.vaultwarden_smtp_password
smtp_password = var.vaultwarden_smtp_password
}
module "reverse-proxy" {
@ -347,3 +347,8 @@ module "nginx-ingress" {
source = "./nginx-ingress"
honeypotapikey = var.ingress_honeypotapikey
}
module "crowdsec" {
source = "./crowdsec"
tls_secret_name = var.tls_secret_name
}