From e4c24d4a8c1b522ddcb16c284b0f2e9da9628986 Mon Sep 17 00:00:00 2001
From: Paul Payne
Date: Mon, 18 May 2026 03:33:37 +0000
Subject: [PATCH] feat: update CrowdSec and Traefik manifests; remove installation scripts and add secret management
---
 crowdsec/crowdsec-deployment.yaml | 6 ++
 crowdsec/install.sh | 118 ------------------------------
 crowdsec/manifest.yaml | 15 ++++
 traefik/deployment.yaml | 1 +
 traefik/install.sh | 63 ----------------
 traefik/manifest.yaml | 13 ++++
 6 files changed, 35 insertions(+), 181 deletions(-)
 delete mode 100755 crowdsec/install.sh
 delete mode 100755 traefik/install.sh
diff --git a/crowdsec/crowdsec-deployment.yaml b/crowdsec/crowdsec-deployment.yaml
index 4e36f8f..6d3a24e 100644
--- a/crowdsec/crowdsec-deployment.yaml
+++ b/crowdsec/crowdsec-deployment.yaml
@@ -66,6 +66,12 @@ spec:
 secretKeyRef:
 name: crowdsec-agent-secret
 key: password
+ - name: BOUNCER_KEY_traefik
+ valueFrom:
+ secretKeyRef:
+ name: crowdsec-secrets
+ key: bouncerApiKey
+ optional: true
 ports:
 - name: lapi
 containerPort: 8080
diff --git a/crowdsec/install.sh b/crowdsec/install.sh
deleted file mode 100755
index 4c4eebf..0000000
--- a/crowdsec/install.sh
+++ /dev/null
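Review bot: The new `BOUNCER_KEY_traefik` env reads secret `crowdsec-secrets`, key `bouncerApiKey`, but the `deploy.createSecrets` stanza this same commit adds to crowdsec/manifest.yaml creates `crowdsec-agent-secret` (key `password`) and `crowdsec-bouncer-secret` (key `api-key`), never a secret named `crowdsec-secrets`. Because the ref is `optional: true`, the mismatch is silent: the pod starts with the variable absent, and if the image uses `BOUNCER_KEY_<name>` to register the bouncer (the role the removed `cscli bouncers add traefik-bouncer` step played), Traefik's bouncer is never registered and the chain fails open in the least visible way. Either point the ref at the secret that is actually created, `name: crowdsec-bouncer-secret` / `key: api-key`, and drop `optional: true` so a missing key fails the pod instead of disabling the bouncer, or add a `crowdsec-secrets` entry to `createSecrets`. The container spec continues outside the hunk.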
@@ -1,118 +0,0 @@
-#!/bin/bash
-set -e
-set -o pipefail
-
-if [ -z "${WILD_INSTANCE}" ]; then
- echo "ERROR: WILD_INSTANCE is not set"
- exit 1
-fi
-
-if [ -z "${WILD_API_DATA_DIR}" ]; then
- echo "ERROR: WILD_API_DATA_DIR is not set"
- exit 1
-fi
-
-if [ -z "${KUBECONFIG}" ]; then
- echo "ERROR: KUBECONFIG is not set"
- exit 1
-fi
-
-INSTANCE_DIR="${WILD_API_DATA_DIR}/instances/${WILD_INSTANCE}"
-CROWDSEC_DIR="${INSTANCE_DIR}/apps/crowdsec"
-SECRETS_FILE="${INSTANCE_DIR}/secrets.yaml"
-
-echo "=== Setting up CrowdSec Security Engine ==="
-echo ""
-
-echo "Verifying Traefik is ready (required for CrowdSec bouncer)..."
-kubectl wait --for=condition=Available deployment/traefik -n traefik --timeout=60s 2>/dev/null || {
- echo "WARNING: Traefik not ready, but continuing with CrowdSec installation"
- echo "Note: CrowdSec bouncer will not work until Traefik is available"
-}
-
-echo "Using pre-compiled CrowdSec templates..."
-if [ ! -f "${CROWDSEC_DIR}/kustomization.yaml" ]; then
- echo "ERROR: Compiled templates not found at ${CROWDSEC_DIR}"
- echo "Templates should be compiled before deployment."
- exit 1
-fi
-
-echo "Deploying CrowdSec..."
-kubectl apply -k ${CROWDSEC_DIR}/
-
-echo "Creating CrowdSec agent secret..."
-AGENT_PASSWORD=$(yq '.apps.crowdsec.agentPassword' "$SECRETS_FILE" 2>/dev/null | tr -d '"')
-
-if [ -z "$AGENT_PASSWORD" ] || [ "$AGENT_PASSWORD" = "null" ]; then
- echo "Generating new agent password..."
- AGENT_PASSWORD=$(openssl rand -base64 32)
- echo "WARNING: Agent password not found in secrets.yaml"
- echo "Using generated password - you may want to persist this"
-fi
-
-kubectl create secret generic crowdsec-agent-secret \
- --namespace crowdsec \
- --from-literal=password="${AGENT_PASSWORD}" \
- --dry-run=client -o yaml | kubectl apply -f -
-
-echo "Waiting for CrowdSec agent to be ready..."
-kubectl rollout status deployment/crowdsec -n crowdsec --timeout=120s
-
-echo "Registering bouncer with CrowdSec agent..."
-BOUNCER_API_KEY=$(yq '.apps.crowdsec.bouncerApiKey' "$SECRETS_FILE" 2>/dev/null | tr -d '"')
-
-if [ -z "$BOUNCER_API_KEY" ] || [ "$BOUNCER_API_KEY" = "null" ]; then
- echo "Generating new bouncer API key from CrowdSec agent..."
- kubectl exec -n crowdsec deploy/crowdsec -- cscli bouncers delete traefik-bouncer 2>/dev/null || true
- BOUNCER_API_KEY=$(kubectl exec -n crowdsec deploy/crowdsec -- cscli bouncers add traefik-bouncer -o raw)
- echo "Generated bouncer API key - you may want to persist this in secrets.yaml"
-fi
-
-kubectl create secret generic crowdsec-bouncer-secret \
- --namespace crowdsec \
- --from-literal=api-key="${BOUNCER_API_KEY}" \
- --dry-run=client -o yaml | kubectl apply -f -
-
-echo "Copying bouncer secret to traefik namespace..."
-kubectl create secret generic crowdsec-bouncer-secret \
- --namespace traefik \
- --from-literal=api-key="${BOUNCER_API_KEY}" \
- --dry-run=client -o yaml | kubectl apply -f -
-
-echo "Cleaning up old bouncer deployment..."
-kubectl delete deployment traefik-crowdsec-bouncer -n crowdsec --ignore-not-found
-kubectl delete service traefik-crowdsec-bouncer -n crowdsec --ignore-not-found
-
-echo "Restarting Traefik to load CrowdSec plugin..."
-kubectl rollout restart deployment/traefik -n traefik
-kubectl rollout status deployment/traefik -n traefik --timeout=120s
-
-echo "Configuring Traefik to use CrowdSec security chain by default..."
-kubectl patch deployment traefik -n traefik --type='json' -p='[
- {
- "op": "add",
- "path": "/spec/template/spec/containers/0/args/-",
- "value": "--entryPoints.websecure.http.middlewares=crowdsec-security-chain@kubernetescrd"
- }
-]' 2>/dev/null || {
- echo "Note: Traefik may already have middleware configured or patch failed"
- echo "You can manually configure default middleware if needed"
-}
-
-echo ""
-echo "CrowdSec installed successfully (using Traefik plugin)"
-echo ""
-echo "All ingresses are now protected by default with:"
-echo " - Threat detection (CrowdSec Traefik plugin, stream mode)"
-echo " - Rate limiting (100 req/min)"
-echo " - Security headers (HSTS, XSS protection, etc.)"
-echo ""
-echo "To verify the installation:"
-echo " kubectl get pods -n crowdsec"
-echo " kubectl get pods -n traefik"
-echo " kubectl exec -n crowdsec deploy/crowdsec -- cscli bouncers list"
-echo " kubectl exec -n crowdsec deploy/crowdsec -- cscli decisions list"
-echo ""
-echo "To opt-out a specific ingress from CrowdSec protection:"
-echo " Add annotation: traefik.ingress.kubernetes.io/router.middlewares: \"\""
-echo ""
diff --git a/crowdsec/manifest.yaml b/crowdsec/manifest.yaml
index 12341b9..78f2630 100644
--- a/crowdsec/manifest.yaml
+++ b/crowdsec/manifest.yaml
@@ -13,3 +13,18 @@ defaultConfig:
 defaultSecrets:
 - key: agentPassword
 - key: bouncerApiKey
+deploy:
+ createSecrets:
+ - name: crowdsec-agent-secret
+ entries:
+ password: agentPassword
+ - name: crowdsec-bouncer-secret
+ entries:
+ api-key: bouncerApiKey
+ - name: crowdsec-bouncer-secret
+ namespace: traefik
+ entries:
+ api-key: bouncerApiKey
+ waitForRollout:
+ name: crowdsec
+ timeout: "120s"
diff --git a/traefik/deployment.yaml b/traefik/deployment.yaml
index 67bf58e..385a4a9 100644
--- a/traefik/deployment.yaml
+++ b/traefik/deployment.yaml
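Review bot: The third `createSecrets` entry writes a second copy of `bouncerApiKey` into the `traefik` namespace with no comment saying why, and nothing in the new stanza replaces the two steps the removed install.sh ran around that copy: generating the key with `cscli bouncers add traefik-bouncer` when secrets.yaml lacked it, and `kubectl rollout restart deployment/traefik` afterwards so Traefik picked up the value. Presumably `createSecrets` now requires `bouncerApiKey` to be present in secrets.yaml up front; how it behaves when the key is missing is defined by the deploy tool, not this page, so that should be stated. I would add above the third entry: `# Second copy of the bouncer key, read by Traefik's CrowdSec plugin from its own namespace; rotate both copies together and roll the traefik deployment afterwards.` The first two entries carry no `namespace`, so a short comment on `createSecrets` naming the namespace they default to would also help.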
@@ -118,6 +118,7 @@ spec:
 - "--accesslog=true"
 - "--accesslog.format=json"
 - "--log.level=INFO"
+ - "--entryPoints.websecure.http.middlewares=crowdsec-security-chain@kubernetescrd"
 env:
 - name: POD_NAME
diff --git a/traefik/install.sh b/traefik/install.sh
deleted file mode 100755
index a27c078..0000000
--- a/traefik/install.sh
+++ /dev/null
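Review bot: Baking `--entryPoints.websecure.http.middlewares=crowdsec-security-chain@kubernetescrd` into the static args makes every websecure router depend on a Middleware object that the crowdsec app provides, and Traefik refuses to serve a router whose middleware cannot be resolved; the removed crowdsec/install.sh applied this only after Traefik was up and tolerated the patch failing, whereas now a Traefik deployed before CrowdSec (or with CrowdSec removed) serves nothing on websecure until the Middleware exists. That ordering constraint should be written down next to the flag, for example `# Every websecure router runs through the CrowdSec chain (Middleware provided by the crowdsec app); routers on this entry point are disabled until it exists.` Since the CRD provider resolves `namespace-name`, the target is presumably Middleware `security-chain` in namespace `crowdsec`; worth confirming and naming in the comment. If the `web` entry point serves traffic rather than redirecting, it stays outside the chain, which this hunk does not show either way.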
@@ -1,63 +0,0 @@
-#!/bin/bash
-set -e
-set -o pipefail
-
-if [ -z "${WILD_INSTANCE}" ]; then
- echo "ERROR: WILD_INSTANCE is not set"
- exit 1
-fi
-
-if [ -z "${WILD_API_DATA_DIR}" ]; then
- echo "ERROR: WILD_API_DATA_DIR is not set"
- exit 1
-fi
-
-if [ -z "${KUBECONFIG}" ]; then
- echo "ERROR: KUBECONFIG is not set"
- exit 1
-fi
-
-INSTANCE_DIR="${WILD_API_DATA_DIR}/instances/${WILD_INSTANCE}"
-TRAEFIK_DIR="${INSTANCE_DIR}/apps/traefik"
-
-echo "=== Setting up Traefik Ingress Controller ==="
-echo ""
-
-echo "Verifying MetalLB is ready (required for Traefik LoadBalancer service)..."
-kubectl wait --for=condition=Ready pod -l component=controller -n metallb-system --timeout=60s 2>/dev/null || {
- echo "MetalLB controller not ready, but continuing with Traefik installation"
- echo "Note: Traefik LoadBalancer service may not get external IP without MetalLB"
-}
-
-echo "Installing Gateway API CRDs..."
-kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml
-
-echo "Installing Traefik CRDs..."
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
-
-echo "Waiting for CRDs to be established..."
-kubectl wait --for condition=established crd/gateways.gateway.networking.k8s.io --timeout=60s
-kubectl wait --for condition=established crd/gatewayclasses.gateway.networking.k8s.io --timeout=60s
-kubectl wait --for condition=established crd/ingressroutes.traefik.io --timeout=60s
-kubectl wait --for condition=established crd/middlewares.traefik.io --timeout=60s
-
-echo "Using pre-compiled Traefik templates..."
-if [ ! -f "${TRAEFIK_DIR}/kustomization.yaml" ]; then
- echo "ERROR: Compiled templates not found at ${TRAEFIK_DIR}"
- echo "Templates should be compiled before deployment."
- exit 1
-fi
-
-echo "Deploying Traefik..."
-kubectl apply -k ${TRAEFIK_DIR}/
-
-echo "Waiting for Traefik to be ready..."
-kubectl wait --for=condition=Available deployment/traefik -n traefik --timeout=120s
-
-echo ""
-echo "Traefik installed successfully"
-echo ""
-echo "To verify the installation:"
-echo " kubectl get pods -n traefik"
-echo " kubectl get svc -n traefik"
-echo ""
diff --git a/traefik/manifest.yaml b/traefik/manifest.yaml
index 2958973..306dc09 100644
--- a/traefik/manifest.yaml
+++ b/traefik/manifest.yaml
@@ -8,3 +8,16 @@ requires:
 defaultConfig:
 namespace: traefik
 loadBalancerIp: "{{ .apps.metallb.loadBalancerIp }}"
+deploy:
+ crds:
+ - url: https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml
+ waitFor:
+ - gateways.gateway.networking.k8s.io
+ - gatewayclasses.gateway.networking.k8s.io
+ - url: https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+ waitFor:
+ - ingressroutes.traefik.io
+ - middlewares.traefik.io
+ waitForRollout:
+ name: traefik
+ timeout: "120s"
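Review bot: The second `crds` entry fetches cluster-wide CRD definitions from the `v3.4` ref of the traefik repository, which is a maintenance-branch name rather than an immutable release tag or commit, so the definitions applied can change between two runs of the same manifest with nothing here to detect it; the gateway-api entry above it is pinned to the `v1.0.0` release and does not have this problem. Unless `deploy.crds` verifies a digest elsewhere (not shown on this page), pin the ref and say so: `- url: https://raw.githubusercontent.com/traefik/traefik/<pinned release tag or commit>/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml` with a comment such as `# Pinned to an immutable ref; bump deliberately together with the Traefik image version.` The same URL was previously hard-coded in the removed traefik/install.sh, so this is an existing weakness the move into data makes easy to fix.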