add crowdsec module [ci skip]
This commit is contained in:
parent
57ce7d3b10
commit
e236a65c52
4 changed files with 204 additions and 1 deletions
44
modules/kubernetes/crowdsec/crowdsec-ingress-bouncer.yaml
Normal file
44
modules/kubernetes/crowdsec/crowdsec-ingress-bouncer.yaml
Normal file
|
|
@ -0,0 +1,44 @@
|
||||||
|
controller:
|
||||||
|
extraVolumes:
|
||||||
|
- name: crowdsec-bouncer-plugin
|
||||||
|
emptyDir: {}
|
||||||
|
extraInitContainers:
|
||||||
|
- name: init-clone-crowdsec-bouncer
|
||||||
|
image: crowdsecurity/lua-bouncer-plugin
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
env:
|
||||||
|
- name: API_URL
|
||||||
|
value: "http://crowdsec-service.crowdsec.svc.cluster.local:8080" # crowdsec lapi service-name
|
||||||
|
- name: API_KEY
|
||||||
|
value: "<API KEY>" # generated with `cscli bouncers add -n <bouncer_name>
|
||||||
|
- name: BOUNCER_CONFIG
|
||||||
|
value: "/crowdsec/crowdsec-bouncer.conf"
|
||||||
|
- name: CAPTCHA_PROVIDER
|
||||||
|
value: "recaptcha" # valid providers are recaptcha, hcaptcha, turnstile
|
||||||
|
- name: SECRET_KEY
|
||||||
|
value: "<your-captcha-secret-key>" # If you want captcha support otherwise remove this ENV VAR
|
||||||
|
- name: SITE_KEY
|
||||||
|
value: "<your-captcha-site-key>" # If you want captcha support otherwise remove this ENV VAR
|
||||||
|
- name: BAN_TEMPLATE_PATH
|
||||||
|
value: /etc/nginx/lua/plugins/crowdsec/templates/ban.html
|
||||||
|
- name: CAPTCHA_TEMPLATE_PATH
|
||||||
|
value: /etc/nginx/lua/plugins/crowdsec/templates/captcha.html
|
||||||
|
command:
|
||||||
|
[
|
||||||
|
"sh",
|
||||||
|
"-c",
|
||||||
|
"sh /docker_start.sh; mkdir -p /lua_plugins/crowdsec/; cp -R /crowdsec/* /lua_plugins/crowdsec/",
|
||||||
|
]
|
||||||
|
volumeMounts:
|
||||||
|
- name: crowdsec-bouncer-plugin
|
||||||
|
mountPath: /lua_plugins
|
||||||
|
extraVolumeMounts:
|
||||||
|
- name: crowdsec-bouncer-plugin
|
||||||
|
mountPath: /etc/nginx/lua/plugins/crowdsec
|
||||||
|
subPath: crowdsec
|
||||||
|
config:
|
||||||
|
plugins: "crowdsec"
|
||||||
|
lua-shared-dicts: "crowdsec_cache: 50m"
|
||||||
|
server-snippet: |
|
||||||
|
lua_ssl_trusted_certificate "/etc/ssl/certs/ca-certificates.crt"; # If you want captcha support otherwise remove this line
|
||||||
|
resolver local=on ipv6=off;
|
||||||
105
modules/kubernetes/crowdsec/main.tf
Normal file
105
modules/kubernetes/crowdsec/main.tf
Normal file
|
|
@ -0,0 +1,105 @@
|
||||||
|
variable "tls_secret_name" {}
|
||||||
|
|
||||||
|
module "tls_secret" {
|
||||||
|
source = "../setup_tls_secret"
|
||||||
|
namespace = "crowdsec"
|
||||||
|
tls_secret_name = var.tls_secret_name
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "kubernetes_namespace" "crowdsec" {
|
||||||
|
metadata {
|
||||||
|
name = "crowdsec"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "kubernetes_persistent_volume" "db" {
|
||||||
|
metadata {
|
||||||
|
name = "crowdsec-db"
|
||||||
|
}
|
||||||
|
spec {
|
||||||
|
capacity = {
|
||||||
|
"storage" = "2Gi"
|
||||||
|
}
|
||||||
|
access_modes = ["ReadWriteOnce"]
|
||||||
|
persistent_volume_source {
|
||||||
|
nfs {
|
||||||
|
path = "/mnt/main/crowdsec/db"
|
||||||
|
server = "10.0.10.15"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
claim_ref {
|
||||||
|
name = "crowdsec-db-pvc"
|
||||||
|
namespace = "crowdsec"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "kubernetes_persistent_volume" "config" {
|
||||||
|
metadata {
|
||||||
|
name = "crowdsec-config"
|
||||||
|
}
|
||||||
|
spec {
|
||||||
|
capacity = {
|
||||||
|
"storage" = "2Gi"
|
||||||
|
}
|
||||||
|
access_modes = ["ReadWriteOnce"]
|
||||||
|
persistent_volume_source {
|
||||||
|
nfs {
|
||||||
|
path = "/mnt/main/crowdsec/config"
|
||||||
|
server = "10.0.10.15"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
claim_ref {
|
||||||
|
name = "crowdsec-config-pvc"
|
||||||
|
namespace = "crowdsec"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "helm_release" "crowdsec" {
|
||||||
|
namespace = "crowdsec"
|
||||||
|
create_namespace = true
|
||||||
|
name = "crowdsec"
|
||||||
|
atomic = true
|
||||||
|
|
||||||
|
repository = "https://crowdsecurity.github.io/helm-charts"
|
||||||
|
chart = "crowdsec"
|
||||||
|
|
||||||
|
values = [templatefile("${path.module}/values.yaml", {})]
|
||||||
|
# values = [templatefile("${path.module}/rowdsec-ingress-bouncer.yaml", {})]
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "kubernetes_ingress_v1" "metabase" {
|
||||||
|
metadata {
|
||||||
|
name = "metabase"
|
||||||
|
namespace = "crowdsec"
|
||||||
|
annotations = {
|
||||||
|
"kubernetes.io/ingress.class" = "nginx"
|
||||||
|
# "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
|
||||||
|
# "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
spec {
|
||||||
|
tls {
|
||||||
|
hosts = ["metabase.viktorbarzin.me"]
|
||||||
|
secret_name = var.tls_secret_name
|
||||||
|
}
|
||||||
|
rule {
|
||||||
|
host = "metabase.viktorbarzin.me"
|
||||||
|
http {
|
||||||
|
path {
|
||||||
|
path = "/"
|
||||||
|
backend {
|
||||||
|
service {
|
||||||
|
name = "crowdsec-service"
|
||||||
|
port {
|
||||||
|
number = 3000
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
49
modules/kubernetes/crowdsec/values.yaml
Normal file
49
modules/kubernetes/crowdsec/values.yaml
Normal file
|
|
@ -0,0 +1,49 @@
|
||||||
|
container_runtime: containerd
|
||||||
|
|
||||||
|
agent:
|
||||||
|
# To specify each pod you want to process it logs (pods present in the node)
|
||||||
|
acquisition:
|
||||||
|
# The namespace where the pod is located
|
||||||
|
- namespace: ingress-nginx
|
||||||
|
# The pod name
|
||||||
|
podName: ingress-nginx-controller-*
|
||||||
|
# as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs
|
||||||
|
program: nginx
|
||||||
|
# Those are ENV variables
|
||||||
|
env:
|
||||||
|
# As it's a test, we don't want to share signals with CrowdSec so disable the Online API.
|
||||||
|
- name: DISABLE_ONLINE_API
|
||||||
|
value: "true"
|
||||||
|
# As we are running Nginx, we want to install the Nginx collection
|
||||||
|
- name: COLLECTIONS
|
||||||
|
value: "crowdsecurity/nginx"
|
||||||
|
lapi:
|
||||||
|
env:
|
||||||
|
# As it's a test, we don't want to share signals with CrowdSec, so disable the Online API.
|
||||||
|
- name: DISABLE_ONLINE_API
|
||||||
|
value: "true"
|
||||||
|
ingress:
|
||||||
|
enabled: true
|
||||||
|
annotations:
|
||||||
|
# we only want http to the backend so we need this annotation
|
||||||
|
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
|
||||||
|
# labels: {}
|
||||||
|
ingressClassName: "nginx"
|
||||||
|
host: "crowdsec.viktorbarzin.me" # crowdsec-api.example.com
|
||||||
|
tls:
|
||||||
|
- hosts:
|
||||||
|
- crowdsec.viktorbarzin.me
|
||||||
|
secretName: "tls-secret"
|
||||||
|
dashboard:
|
||||||
|
# -- Enable Metabase Dashboard (by default disabled)
|
||||||
|
enabled: true
|
||||||
|
annotations:
|
||||||
|
# metabase only supports http so we need this annotation
|
||||||
|
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
|
||||||
|
# labels: {}
|
||||||
|
ingressClassName: "nginx" # nginx
|
||||||
|
host: "crowdsec.viktorbarzin.me" # crowdsec-api.example.com
|
||||||
|
tls:
|
||||||
|
- hosts:
|
||||||
|
- crowdsec.viktorbarzin.me
|
||||||
|
secretName: "tls-secret"
|
||||||
|
|
@ -313,7 +313,7 @@ module "dashy" {
|
||||||
module "vaultwarden" {
|
module "vaultwarden" {
|
||||||
source = "./vaultwarden"
|
source = "./vaultwarden"
|
||||||
tls_secret_name = var.tls_secret_name
|
tls_secret_name = var.tls_secret_name
|
||||||
smtp_password = var.vaultwarden_smtp_password
|
smtp_password = var.vaultwarden_smtp_password
|
||||||
}
|
}
|
||||||
|
|
||||||
module "reverse-proxy" {
|
module "reverse-proxy" {
|
||||||
|
|
@ -347,3 +347,8 @@ module "nginx-ingress" {
|
||||||
source = "./nginx-ingress"
|
source = "./nginx-ingress"
|
||||||
honeypotapikey = var.ingress_honeypotapikey
|
honeypotapikey = var.ingress_honeypotapikey
|
||||||
}
|
}
|
||||||
|
|
||||||
|
module "crowdsec" {
|
||||||
|
source = "./crowdsec"
|
||||||
|
tls_secret_name = var.tls_secret_name
|
||||||
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue