feat: update CrowdSec and Traefik manifests; remove installation scripts and add secret management

2026-05-18 03:33:37 +00:00
parent b52e76eeeb
commit e4c24d4a8c
6 changed files with 35 additions and 181 deletions
--- a/crowdsec/crowdsec-deployment.yaml
+++ b/crowdsec/crowdsec-deployment.yaml
@@ -66,6 +66,12 @@ spec:
            secretKeyRef:
              name: crowdsec-agent-secret
              key: password
        - name: BOUNCER_KEY_traefik
          valueFrom:
            secretKeyRef:
              name: crowdsec-secrets
              key: bouncerApiKey
              optional: true
        ports:
        - name: lapi
          containerPort: 8080
--- a/crowdsec/install.sh
+++ b/crowdsec/install.sh
@@ -1,118 +0,0 @@
 #!/bin/bash
 set -e
 set -o pipefail
 if [ -z "${WILD_INSTANCE}" ]; then
    echo "ERROR: WILD_INSTANCE is not set"
    exit 1
 fi
 if [ -z "${WILD_API_DATA_DIR}" ]; then
    echo "ERROR: WILD_API_DATA_DIR is not set"
    exit 1
 fi
 if [ -z "${KUBECONFIG}" ]; then
    echo "ERROR: KUBECONFIG is not set"
    exit 1
 fi
 INSTANCE_DIR="${WILD_API_DATA_DIR}/instances/${WILD_INSTANCE}"
 CROWDSEC_DIR="${INSTANCE_DIR}/apps/crowdsec"
 SECRETS_FILE="${INSTANCE_DIR}/secrets.yaml"
 echo "=== Setting up CrowdSec Security Engine ==="
 echo ""
 echo "Verifying Traefik is ready (required for CrowdSec bouncer)..."
 kubectl wait --for=condition=Available deployment/traefik -n traefik --timeout=60s 2>/dev/null || {
    echo "WARNING: Traefik not ready, but continuing with CrowdSec installation"
    echo "Note: CrowdSec bouncer will not work until Traefik is available"
 }
 echo "Using pre-compiled CrowdSec templates..."
 if [ ! -f "${CROWDSEC_DIR}/kustomization.yaml" ]; then
    echo "ERROR: Compiled templates not found at ${CROWDSEC_DIR}"
    echo "Templates should be compiled before deployment."
    exit 1
 fi
 echo "Deploying CrowdSec..."
 kubectl apply -k ${CROWDSEC_DIR}/
 echo "Creating CrowdSec agent secret..."
 AGENT_PASSWORD=$(yq '.apps.crowdsec.agentPassword' "$SECRETS_FILE" 2>/dev/null | tr -d '"')
 if [ -z "$AGENT_PASSWORD" ] || [ "$AGENT_PASSWORD" = "null" ]; then
    echo "Generating new agent password..."
    AGENT_PASSWORD=$(openssl rand -base64 32)
    echo "WARNING: Agent password not found in secrets.yaml"
    echo "Using generated password - you may want to persist this"
 fi
 kubectl create secret generic crowdsec-agent-secret \
  --namespace crowdsec \
  --from-literal=password="${AGENT_PASSWORD}" \
  --dry-run=client -o yaml | kubectl apply -f -
 echo "Waiting for CrowdSec agent to be ready..."
 kubectl rollout status deployment/crowdsec -n crowdsec --timeout=120s
 echo "Registering bouncer with CrowdSec agent..."
 BOUNCER_API_KEY=$(yq '.apps.crowdsec.bouncerApiKey' "$SECRETS_FILE" 2>/dev/null | tr -d '"')
 if [ -z "$BOUNCER_API_KEY" ] || [ "$BOUNCER_API_KEY" = "null" ]; then
    echo "Generating new bouncer API key from CrowdSec agent..."
    kubectl exec -n crowdsec deploy/crowdsec -- cscli bouncers delete traefik-bouncer 2>/dev/null || true
    BOUNCER_API_KEY=$(kubectl exec -n crowdsec deploy/crowdsec -- cscli bouncers add traefik-bouncer -o raw)
    echo "Generated bouncer API key - you may want to persist this in secrets.yaml"
 fi
 kubectl create secret generic crowdsec-bouncer-secret \
  --namespace crowdsec \
  --from-literal=api-key="${BOUNCER_API_KEY}" \
  --dry-run=client -o yaml | kubectl apply -f -
 echo "Copying bouncer secret to traefik namespace..."
 kubectl create secret generic crowdsec-bouncer-secret \
  --namespace traefik \
  --from-literal=api-key="${BOUNCER_API_KEY}" \
  --dry-run=client -o yaml | kubectl apply -f -
 echo "Cleaning up old bouncer deployment..."
 kubectl delete deployment traefik-crowdsec-bouncer -n crowdsec --ignore-not-found
 kubectl delete service traefik-crowdsec-bouncer -n crowdsec --ignore-not-found
 echo "Restarting Traefik to load CrowdSec plugin..."
 kubectl rollout restart deployment/traefik -n traefik
 kubectl rollout status deployment/traefik -n traefik --timeout=120s
 echo "Configuring Traefik to use CrowdSec security chain by default..."
 kubectl patch deployment traefik -n traefik --type='json' -p='[
  {
    "op": "add",
    "path": "/spec/template/spec/containers/0/args/-",
    "value": "--entryPoints.websecure.http.middlewares=crowdsec-security-chain@kubernetescrd"
  }
 ]' 2>/dev/null || {
    echo "Note: Traefik may already have middleware configured or patch failed"
    echo "You can manually configure default middleware if needed"
 }
 echo ""
 echo "CrowdSec installed successfully (using Traefik plugin)"
 echo ""
 echo "All ingresses are now protected by default with:"
 echo "  - Threat detection (CrowdSec Traefik plugin, stream mode)"
 echo "  - Rate limiting (100 req/min)"
 echo "  - Security headers (HSTS, XSS protection, etc.)"
 echo ""
 echo "To verify the installation:"
 echo "  kubectl get pods -n crowdsec"
 echo "  kubectl get pods -n traefik"
 echo "  kubectl exec -n crowdsec deploy/crowdsec -- cscli bouncers list"
 echo "  kubectl exec -n crowdsec deploy/crowdsec -- cscli decisions list"
 echo ""
 echo "To opt-out a specific ingress from CrowdSec protection:"
 echo "  Add annotation: traefik.ingress.kubernetes.io/router.middlewares: \"\""
 echo ""
--- a/crowdsec/manifest.yaml
+++ b/crowdsec/manifest.yaml
@@ -13,3 +13,18 @@ defaultConfig:
 defaultSecrets:
  - key: agentPassword
  - key: bouncerApiKey
 deploy:
  createSecrets:
    - name: crowdsec-agent-secret
      entries:
        password: agentPassword
    - name: crowdsec-bouncer-secret
      entries:
        api-key: bouncerApiKey
    - name: crowdsec-bouncer-secret
      namespace: traefik
      entries:
        api-key: bouncerApiKey
  waitForRollout:
    name: crowdsec
    timeout: "120s"
--- a/traefik/deployment.yaml
+++ b/traefik/deployment.yaml
@@ -118,6 +118,7 @@ spec:
          - "--accesslog=true"
          - "--accesslog.format=json"
          - "--log.level=INFO"
          - "--entryPoints.websecure.http.middlewares=crowdsec-security-chain@kubernetescrd"
        env:
          - name: POD_NAME
--- a/traefik/install.sh
+++ b/traefik/install.sh
@@ -1,63 +0,0 @@
 #!/bin/bash
 set -e
 set -o pipefail
 if [ -z "${WILD_INSTANCE}" ]; then
    echo "ERROR: WILD_INSTANCE is not set"
    exit 1
 fi
 if [ -z "${WILD_API_DATA_DIR}" ]; then
    echo "ERROR: WILD_API_DATA_DIR is not set"
    exit 1
 fi
 if [ -z "${KUBECONFIG}" ]; then
    echo "ERROR: KUBECONFIG is not set"
    exit 1
 fi
 INSTANCE_DIR="${WILD_API_DATA_DIR}/instances/${WILD_INSTANCE}"
 TRAEFIK_DIR="${INSTANCE_DIR}/apps/traefik"
 echo "=== Setting up Traefik Ingress Controller ==="
 echo ""
 echo "Verifying MetalLB is ready (required for Traefik LoadBalancer service)..."
 kubectl wait --for=condition=Ready pod -l component=controller -n metallb-system --timeout=60s 2>/dev/null || {
    echo "MetalLB controller not ready, but continuing with Traefik installation"
    echo "Note: Traefik LoadBalancer service may not get external IP without MetalLB"
 }
 echo "Installing Gateway API CRDs..."
 kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml
 echo "Installing Traefik CRDs..."
 kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
 echo "Waiting for CRDs to be established..."
 kubectl wait --for condition=established crd/gateways.gateway.networking.k8s.io --timeout=60s
 kubectl wait --for condition=established crd/gatewayclasses.gateway.networking.k8s.io --timeout=60s
 kubectl wait --for condition=established crd/ingressroutes.traefik.io --timeout=60s
 kubectl wait --for condition=established crd/middlewares.traefik.io --timeout=60s
 echo "Using pre-compiled Traefik templates..."
 if [ ! -f "${TRAEFIK_DIR}/kustomization.yaml" ]; then
    echo "ERROR: Compiled templates not found at ${TRAEFIK_DIR}"
    echo "Templates should be compiled before deployment."
    exit 1
 fi
 echo "Deploying Traefik..."
 kubectl apply -k ${TRAEFIK_DIR}/
 echo "Waiting for Traefik to be ready..."
 kubectl wait --for=condition=Available deployment/traefik -n traefik --timeout=120s
 echo ""
 echo "Traefik installed successfully"
 echo ""
 echo "To verify the installation:"
 echo "  kubectl get pods -n traefik"
 echo "  kubectl get svc -n traefik"
 echo ""
--- a/traefik/manifest.yaml
+++ b/traefik/manifest.yaml
@@ -8,3 +8,16 @@ requires:
 defaultConfig:
  namespace: traefik
  loadBalancerIp: "{{ .apps.metallb.loadBalancerIp }}"
 deploy:
  crds:
    - url: https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml
      waitFor:
        - gateways.gateway.networking.k8s.io
        - gatewayclasses.gateway.networking.k8s.io
    - url: https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
      waitFor:
        - ingressroutes.traefik.io
        - middlewares.traefik.io
  waitForRollout:
    name: traefik
    timeout: "120s"