add deployment for crowdsec web dashboard that allows unblocking my ips [ci skip]

main.tf

@@ -71,6 +71,9 @@ variable "ingress_crowdsec_captcha_secret_key" {}
 variable "ingress_crowdsec_captcha_site_key" {}
 variable "crowdsec_enroll_key" { type = string }
 variable "crowdsec_db_password" { type = string }
+variable "crowdsec_dash_api_key" { type = string }
+variable "crowdsec_dash_machine_id" { type = string }
+variable "crowdsec_dash_machine_password" { type = string }
 variable "vaultwarden_smtp_password" {}
 variable "resume_database_url" {}
 variable "resume_redis_url" {}
@@ -439,6 +442,9 @@ module "kubernetes_cluster" {
   ingress_crowdsec_captcha_site_key   = var.ingress_crowdsec_captcha_site_key
   crowdsec_enroll_key                 = var.crowdsec_enroll_key
   crowdsec_db_password                = var.crowdsec_db_password
+  crowdsec_dash_api_key               = var.crowdsec_dash_api_key
+  crowdsec_dash_machine_id            = var.crowdsec_dash_machine_id
+  crowdsec_dash_machine_password      = var.crowdsec_dash_machine_password
 
   vaultwarden_smtp_password = var.vaultwarden_smtp_password
 

modules/kubernetes/crowdsec/main.tf

@@ -3,6 +3,9 @@ variable "homepage_username" {}
 variable "homepage_password" {}
 variable "db_password" {}
 variable "enroll_key" {}
+variable "crowdsec_dash_api_key" { type = string }          # used for web dash
+variable "crowdsec_dash_machine_id" { type = string }       # used for web dash
+variable "crowdsec_dash_machine_password" { type = string } # used for web dash
 
 module "tls_secret" {
   source          = "../setup_tls_secret"
@@ -71,3 +74,103 @@ resource "helm_release" "crowdsec" {
   values  = [templatefile("${path.module}/values.yaml", { homepage_username = var.homepage_username, homepage_password = var.homepage_password, DB_PASSWORD = var.db_password, ENROLL_KEY = var.enroll_key })]
   timeout = 3600
 }
+
+
+# Deployment for my custom dashboard that helps me unblock myself when I blocklist myself
+resource "kubernetes_deployment" "crowdsec-web" {
+  metadata {
+    name      = "crowdsec-web"
+    namespace = "crowdsec"
+    labels = {
+      app                             = "crowdsec_web"
+      "kubernetes.io/cluster-service" = "true"
+    }
+  }
+  spec {
+    replicas = 1
+    strategy {
+      type = "RollingUpdate"
+    }
+    selector {
+      match_labels = {
+        app = "crowdsec_web"
+      }
+    }
+    template {
+      metadata {
+        labels = {
+          app                             = "crowdsec_web"
+          "kubernetes.io/cluster-service" = "true"
+        }
+      }
+      spec {
+        container {
+          name  = "crowdsec-web"
+          image = "viktorbarzin/crowdsec_web"
+          env {
+            name  = "CS_API_URL"
+            value = "http://crowdsec-service.crowdsec.svc.cluster.local:8080/v1"
+          }
+          env {
+            name  = "CS_API_KEY"
+            value = var.crowdsec_dash_api_key
+          }
+          env {
+            name  = "CS_MACHINE_ID"
+            value = var.crowdsec_dash_machine_id
+          }
+          env {
+            name  = "CS_MACHINE_PASSWORD"
+            value = var.crowdsec_dash_machine_password
+          }
+          port {
+            name           = "http"
+            container_port = 8000
+            protocol       = "TCP"
+          }
+        }
+      }
+    }
+  }
+}
+
+resource "kubernetes_service" "crowdsec-web" {
+  metadata {
+    name      = "crowdsec-web"
+    namespace = "crowdsec"
+    labels = {
+      "app" = "crowdsec_web"
+    }
+  }
+
+  spec {
+    selector = {
+      app = "crowdsec_web"
+    }
+    port {
+      port        = "80"
+      target_port = "8000"
+    }
+  }
+}
+module "ingress" {
+  source          = "../ingress_factory"
+  namespace       = "crowdsec"
+  name            = "crowdsec-web"
+  protected       = true
+  tls_secret_name = var.tls_secret_name
+  extra_annotations = {
+    # "crowdsec.io/bouncer-mode" : "bypass"
+    "nginx.ingress.kubernetes.io/server-snippet" : <<-EOF
+      # --- Disable CrowdSec for this host ---
+      set $crowdsec_bypass 1;
+      access_by_lua_block {
+        -- Skip calling CrowdSec for this server
+        if ngx.var.crowdsec_bypass == "1" then
+          return
+        end
+      }
+    EOF
+  }
+}
+

modules/kubernetes/main.tf

@@ -55,6 +55,9 @@ variable "ingress_crowdsec_captcha_secret_key" {}
 variable "ingress_crowdsec_captcha_site_key" {}
 variable "crowdsec_enroll_key" { type = string }
 variable "crowdsec_db_password" { type = string }
+variable "crowdsec_dash_api_key" { type = string }
+variable "crowdsec_dash_machine_id" { type = string }
+variable "crowdsec_dash_machine_password" { type = string }
 variable "vaultwarden_smtp_password" {}
 variable "resume_database_url" {}
 variable "resume_redis_url" {}
@@ -428,12 +431,15 @@ module "nginx-ingress" {
 }
 
 module "crowdsec" {
-  source            = "./crowdsec"
+  source                         = "./crowdsec"
-  tls_secret_name   = var.tls_secret_name
+  tls_secret_name                = var.tls_secret_name
-  homepage_username = var.homepage_credentials["crowdsec"]["username"]
+  homepage_username              = var.homepage_credentials["crowdsec"]["username"]
-  homepage_password = var.homepage_credentials["crowdsec"]["password"]
+  homepage_password              = var.homepage_credentials["crowdsec"]["password"]
-  enroll_key        = var.crowdsec_enroll_key
+  enroll_key                     = var.crowdsec_enroll_key
-  db_password       = var.crowdsec_db_password
+  db_password                    = var.crowdsec_db_password
+  crowdsec_dash_api_key          = var.crowdsec_dash_api_key
+  crowdsec_dash_machine_id       = var.crowdsec_dash_machine_id
+  crowdsec_dash_machine_password = var.crowdsec_dash_machine_password
 }
 
 # Seems like it needs S3 even if pg is local...