diff --git a/main.tf b/main.tf
index d8975c11..b10c6f04 100644
--- a/main.tf
+++ b/main.tf
@@ -71,6 +71,9 @@ variable "ingress_crowdsec_captcha_secret_key" {}
 variable "ingress_crowdsec_captcha_site_key" {}
 variable "crowdsec_enroll_key" { type = string }
 variable "crowdsec_db_password" { type = string }
+variable "crowdsec_dash_api_key" { type = string }
+variable "crowdsec_dash_machine_id" { type = string }
+variable "crowdsec_dash_machine_password" { type = string }
 variable "vaultwarden_smtp_password" {}
 variable "resume_database_url" {}
 variable "resume_redis_url" {}
@@ -439,6 +442,9 @@ module "kubernetes_cluster" {
 ingress_crowdsec_captcha_site_key = var.ingress_crowdsec_captcha_site_key
 crowdsec_enroll_key = var.crowdsec_enroll_key
 crowdsec_db_password = var.crowdsec_db_password
+ crowdsec_dash_api_key = var.crowdsec_dash_api_key
+ crowdsec_dash_machine_id = var.crowdsec_dash_machine_id
+ crowdsec_dash_machine_password = var.crowdsec_dash_machine_password
 vaultwarden_smtp_password = var.vaultwarden_smtp_password
diff --git a/modules/kubernetes/crowdsec/main.tf b/modules/kubernetes/crowdsec/main.tf
index 7e009239..c9d85f20 100644
--- a/modules/kubernetes/crowdsec/main.tf
+++ b/modules/kubernetes/crowdsec/main.tf
@@ -3,6 +3,9 @@ variable "homepage_username" {}
 variable "homepage_password" {}
 variable "db_password" {}
 variable "enroll_key" {}
+variable "crowdsec_dash_api_key" { type = string } # used for web dash
+variable "crowdsec_dash_machine_id" { type = string } # used for web dash
+variable "crowdsec_dash_machine_password" { type = string } # used for web dash
 module "tls_secret" {
 source = "../setup_tls_secret"
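Review bot: The three new declarations `crowdsec_dash_api_key`, `crowdsec_dash_machine_id` and `crowdsec_dash_machine_password` hold a bouncer API key and a LAPI machine login but are plain `type = string` with no `sensitive = true`, so their values are printed in `terraform plan`/`apply` output and in any CI log that captures it. The same gap is in the matching hunks of modules/kubernetes/crowdsec/main.tf (`@@ -3,6 +3,9 @@`) and modules/kubernetes/main.tf (`@@ -55,6 +55,9 @@`). For each of the three: `variable "crowdsec_dash_api_key" { type = string sensitive = true }`, ideally with a `description` saying which CrowdSec credential it is and where it is minted. The existing `crowdsec_enroll_key` and `crowdsec_db_password` lines follow the same unmarked pattern, so this looks like a file-wide convention worth fixing in one pass rather than only for the new lines.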
@@ -71,3 +74,103 @@ resource "helm_release" "crowdsec" {
 values = [templatefile("${path.module}/values.yaml", { homepage_username = var.homepage_username, homepage_password = var.homepage_password, DB_PASSWORD = var.db_password, ENROLL_KEY = var.enroll_key })]
 timeout = 3600
 }
+
+
+# Deployment for my custom dashboard that helps me unblock myself when I blocklist myself
+resource "kubernetes_deployment" "crowdsec-web" {
+ metadata {
+ name = "crowdsec-web"
+ namespace = "crowdsec"
+ labels = {
+ app = "crowdsec_web"
+ "kubernetes.io/cluster-service" = "true"
+ }
+ }
+ spec {
+ replicas = 1
+ strategy {
+ type = "RollingUpdate"
+ }
+ selector {
+ match_labels = {
+ app = "crowdsec_web"
+ }
+ }
+ template {
+ metadata {
+ labels = {
+ app = "crowdsec_web"
+ "kubernetes.io/cluster-service" = "true"
+ }
+ }
+ spec {
+ container {
+ name = "crowdsec-web"
+ image = "viktorbarzin/crowdsec_web"
+ env {
+ name = "CS_API_URL"
+ value = "http://crowdsec-service.crowdsec.svc.cluster.local:8080/v1"
+ }
+ env {
+ name = "CS_API_KEY"
+ value = var.crowdsec_dash_api_key
+ }
+ env {
+ name = "CS_MACHINE_ID"
+ value = var.crowdsec_dash_machine_id
+ }
+ env {
+ name = "CS_MACHINE_PASSWORD"
+ value = var.crowdsec_dash_machine_password
+ }
+ port {
+ name = "http"
+ container_port = 8000
+ protocol = "TCP"
+ }
+ }
+ }
+ }
+ }
+}
+
+resource "kubernetes_service" "crowdsec-web" {
+ metadata {
+ name = "crowdsec-web"
+ namespace = "crowdsec"
+ labels = {
+ "app" = "crowdsec_web"
+ }
+ }
+
+ spec {
+ selector = {
+ app = "crowdsec_web"
+ }
+ port {
+ port = "80"
+ target_port = "8000"
+ }
+ }
+}
+module "ingress" {
+ source = "../ingress_factory"
+ namespace = "crowdsec"
+ name = "crowdsec-web"
+ protected = true
+ tls_secret_name = var.tls_secret_name
+ extra_annotations = {
+ # "crowdsec.io/bouncer-mode" : "bypass"
+ "nginx.ingress.kubernetes.io/server-snippet" : <<-EOF
+ # --- Disable CrowdSec for this host ---
+ set $crowdsec_bypass 1;
+ access_by_lua_block {
+ -- Skip calling CrowdSec for this server
+ if ngx.var.crowdsec_bypass == "1" then
+ return
+ end
+ }
+ EOF
+ }
+}
+
diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf
index 3788ca34..9fbc716e 100644
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
@@ -55,6 +55,9 @@ variable "ingress_crowdsec_captcha_secret_key" {}
 variable "ingress_crowdsec_captcha_site_key" {}
 variable "crowdsec_enroll_key" { type = string }
 variable "crowdsec_db_password" { type = string }
+variable "crowdsec_dash_api_key" { type = string }
+variable "crowdsec_dash_machine_id" { type = string }
+variable "crowdsec_dash_machine_password" { type = string }
 variable "vaultwarden_smtp_password" {}
 variable "resume_database_url" {}
 variable "resume_redis_url" {}
@@ -428,12 +431,15 @@ module "nginx-ingress" {
 }
 module "crowdsec" {
- source = "./crowdsec"
- tls_secret_name = var.tls_secret_name
- homepage_username = var.homepage_credentials["crowdsec"]["username"]
- homepage_password = var.homepage_credentials["crowdsec"]["password"]
- enroll_key = var.crowdsec_enroll_key
- db_password = var.crowdsec_db_password
+ source = "./crowdsec"
+ tls_secret_name = var.tls_secret_name
+ homepage_username = var.homepage_credentials["crowdsec"]["username"]
+ homepage_password = var.homepage_credentials["crowdsec"]["password"]
+ enroll_key = var.crowdsec_enroll_key
+ db_password = var.crowdsec_db_password
+ crowdsec_dash_api_key = var.crowdsec_dash_api_key
+ crowdsec_dash_machine_id = var.crowdsec_dash_machine_id
+ crowdsec_dash_machine_password = var.crowdsec_dash_machine_password
 }
 # Seems like it needs S3 even if pg is local...
diff --git a/terraform.tfstate b/terraform.tfstate
index 8abcecd8..071cd331 100644
Binary files a/terraform.tfstate and b/terraform.tfstate differ
diff --git a/terraform.tfvars b/terraform.tfvars
index 69802194..c3bde767 100644
Binary files a/terraform.tfvars and b/terraform.tfvars differ
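Review bot: In the `container` block of `kubernetes_deployment.crowdsec-web`, `CS_API_KEY`, `CS_MACHINE_ID` and `CS_MACHINE_PASSWORD` are written as literal `env { value = var.… }`, so the bouncer key and the LAPI machine login are embedded in the Deployment and Pod manifests themselves, readable by anyone who can `get` or `describe` those objects in the `crowdsec` namespace and not gated by RBAC on secrets. Putting them in a `kubernetes_secret` and loading them with `env_from { secret_ref { … } }` keeps the manifest credential-free; the rewrite below shows the shape. Separately, `image = "viktorbarzin/crowdsec_web"` has no tag or digest, so each pod restart may pull a different build of a component that holds LAPI credentials — pinning a tag, or better an `@sha256:` digest, makes the rollout reproducible and reviewable. The `server-snippet` annotation turns CrowdSec off for this host by design, which leaves access control for the dashboard entirely to whatever `protected = true` does inside `../ingress_factory` (not visible here); a one-line comment on `protected = true` naming that mechanism would help the next reader judge the exposure.
```hcl
# Keep the dashboard's LAPI credentials out of the Deployment manifest;
# RBAC on secrets then decides who can read them.
resource "kubernetes_secret" "crowdsec-web" {
  metadata {
    name      = "crowdsec-web"
    namespace = "crowdsec"
  }
  data = {
    CS_API_KEY          = var.crowdsec_dash_api_key
    CS_MACHINE_ID       = var.crowdsec_dash_machine_id
    CS_MACHINE_PASSWORD = var.crowdsec_dash_machine_password
  }
}

# … unchanged: kubernetes_deployment metadata / spec / selector / template …
        container {
          name  = "crowdsec-web"
          image = "viktorbarzin/crowdsec_web:<PINNED_TAG_OR_DIGEST>" # placeholder: pin a tag or @sha256 digest
          env {
            name  = "CS_API_URL"
            value = "http://crowdsec-service.crowdsec.svc.cluster.local:8080/v1"
          }
          # Secret-backed env replaces the three literal env { value = var.… } blocks.
          env_from {
            secret_ref {
              name = kubernetes_secret.crowdsec-web.metadata[0].name
            }
          }
# … unchanged: port block and closing braces …
```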
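Review bot: `terraform.tfstate` and `terraform.tfvars` are both tracked in the repository and both change in this commit, which means the three new dashboard credentials (and every other secret fed through these variables) now live in plaintext in git history — state stores variable values and resource attributes unencrypted, and `sensitive = true` only affects CLI output, not the state file. A remote backend with encryption at rest and state locking, plus a `.gitignore` entry for `terraform.tfvars` (with a committed `terraform.tfvars.example` listing the required variable names without values), would keep these out of the repo going forward. Because history retains the old blobs, the credentials already committed should be treated as exposed and rotated once the files are removed from tracking.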