From b0b368f6730b333b4987ab503b54d477b4c76d01 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Thu, 28 Sep 2023 23:30:36 +0200
Subject: [PATCH] feat(crowdsec): Use ingress for lapi

---
 apps/base/crowdsec/kustomization.yaml  |  1 +
 apps/base/crowdsec/networkpolicy.yaml  | 12 ++++-
 apps/k8s01/crowdsec/certificate.yaml   | 66 +++++++++++++++++++++++
 apps/k8s01/crowdsec/ingress.yaml       | 75 ++++++++++++++++++++++++++
 apps/k8s01/crowdsec/kustomization.yaml |  2 +
 5 files changed, 155 insertions(+), 1 deletion(-)
 create mode 100644 apps/k8s01/crowdsec/certificate.yaml
 create mode 100644 apps/k8s01/crowdsec/ingress.yaml

diff --git a/apps/base/crowdsec/kustomization.yaml b/apps/base/crowdsec/kustomization.yaml
index 8393c2027..8e19c9667 100644
--- a/apps/base/crowdsec/kustomization.yaml
+++ b/apps/base/crowdsec/kustomization.yaml
@@ -7,5 +7,6 @@ resources:
   - release.yaml
   - ../../../shared/networkpolicies/allow-from-same-namespace.yaml
   - ../../../shared/networkpolicies/allow-from-monitoring.yaml
+  - ../../../shared/networkpolicies/allow-from-ingress.yaml
 patchesStrategicMerge:
   - networkpolicy.yaml
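Review bot: Adding `allow-from-ingress.yaml` to the base kustomization grants ingress-controller reachability in every overlay that builds from `apps/base/crowdsec`, while the Ingress itself is only added under `apps/k8s01/crowdsec`. If other clusters consume this base (not visible in this diff), they gain a network path to the LAPI pods that nothing there uses. Moving the resource and its patch into the k8s01 overlay would keep the allowance next to the Ingress that needs it. Otherwise, a comment above the new entry such as `# required by apps/k8s01/crowdsec/ingress.yaml (LAPI exposed via ingress)` would record why the policy exists.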
diff --git a/apps/base/crowdsec/networkpolicy.yaml b/apps/base/crowdsec/networkpolicy.yaml
index c878bff75..82662ad0d 100644
--- a/apps/base/crowdsec/networkpolicy.yaml
+++ b/apps/base/crowdsec/networkpolicy.yaml
@@ -6,4 +6,14 @@ metadata:
 spec:
   podSelector:
     matchLabels:
-      k8s-app: crowdsec
\ No newline at end of file
+      k8s-app: crowdsec
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-ingress
+spec:
+  podSelector:
+    matchLabels:
+      k8s-app: crowdsec
+      type: lapi
\ No newline at end of file
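Review bot: The new `allow-from-ingress` patch document narrows only the `podSelector`; which peers and ports the policy admits is defined in the shared file, which is outside this diff. If that shared rule has no `ports` section, the ingress controller can reach every port on the `type: lapi` pods rather than just the 8080 that the Ingress targets, so it is worth confirming and pinning the rule to TCP 8080 if it is open. The file also still ends without a trailing newline on the new side (`\ No newline at end of file`), which should be fixed while this file is being touched. The first document's `metadata` starts above the hunk, so its name cannot be checked from here.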
diff --git a/apps/k8s01/crowdsec/certificate.yaml b/apps/k8s01/crowdsec/certificate.yaml
new file mode 100644
index 000000000..dd6793985
--- /dev/null
+++ b/apps/k8s01/crowdsec/certificate.yaml
@@ -0,0 +1,66 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+    name: crowdsec-tls
+    namespace: crowdsec
+    labels:
+        app.kubernetes.io/name: crowdsec
+spec:
+    dnsNames:
+        - ENC[AES256_GCM,data:7ctacfZGie4pE2VfH5i3bh96LQnad/YQGr8=,iv:o0fkT8qIPyz2Pm6GM4ZIWvl5cxJXlVx7qlFaN4PpXlk=,tag:t5H5JsBObnmNDWUlc33Ncg==,type:str]
+    issuerRef:
+        name: letsencrypt
+        kind: ClusterIssuer
+    secretName: ingress-crowdsec-tls
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-09-28T21:26:28Z"
+    mac: ENC[AES256_GCM,data:goF9lVngzWTJpURm4cY4Me3kB8Ro7WHP0Llub5um/x09buXu2lBZlOYscYq0Sug5Nh4gPA7zfUzUo29advtA1mEijl38kDpIOjw5EIZZ4PFbCMqlEyYcBQF/lV+rF+MaGo/PHdLpdZkg+GO1p/hrLXLM5T7Y35pQ2OpEydqWBB8=,iv:nlP47dFysqk6kU6yeF4rImoBTHQL0W6IR6jvDpc+UhY=,tag:AiUj2SJuTcU5UinZBmlssg==,type:str]
+    pgp:
+        - created_at: "2022-01-21T18:13:48Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA7kpg2bgzVHcARAAs0OQxzkgcgs/iXO3DXjnuyddgI5X/Gz5Gd3q0U6MrK18
+            gfZIWvh2gemiU0YepfnQwbHkFLWOO/hYLjppAd4/HS93Gg8Hqg7Kh9WLiQFqolAn
+            SSvm1KvlesTselWGu8/282UO5jDM7E0NuqsHPC9K/4im+jkWO9s2fAw+hQIvvVPw
+            CktPYqihMvTmLyTVX9dMkwgDzTdJ8JeaI26S5tyMkAg+B/ymxKWG4m7bRIG9+kOD
+            fnsUUfd+zobOLR3w251+AydJlCy3gs6hJYlW1wz8m6cOzKHe3SEnN9GLJSbSa95n
+            +WpY31VF+eXZ4Z8GXoy3QHTWzbcWJ10RKb5eTPixAJzL3opSTbKJGmUuQlq+/9Wg
+            876dUQGl26CHm8solPytStPJDoSjcNbClJN1Rfp2SopAucqDG5XPIzXh7gIzfwrR
+            qauiO2AnC85DkWwU9w3wODB9zY3PzcmbzxyLPzEqnSABIEVw8VJoM/pnIRv2gs17
+            2YN61VO/YgUuxXtvvAHMgk1XQPfH45bM/i9lwX8EHDHqBWQVtYIqyw0lnVPZl1Hz
+            VuN6/aH4AnVAqeMjS4ezLZ26cyF8S/wkuQPK8tOfOs2l4smD1jp67A1A9RQfF4Hz
+            QRHL7VEc3EElB7FobZSAccjptfghhFjtIEhrmiZJgIIFcYv8IGDCf59pmVXSUKPS
+            UQGgA6xeWVYOj7DKYrgO4xMUXtofOv4WVRFO7iejeRqF5YbWmaCIq0GNvpwwZvWe
+            jqtu9MjOqwG0X682yB6/Ss/HBV+vAYrMoRqunjrSlZ+oLw==
+            =pOY7
+            -----END PGP MESSAGE-----
+          fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+        - created_at: "2022-01-21T18:13:48Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4oYbIHZIrAPARAAlM62U+idC9A4irm5RkSx5fZv+HGu7Jrm5GNPzv2tQ9WY
+            ponFAjh0/DDq2qWcpveRS3owFAwhoMbm1vYx9O29ycM5XzjxHF5CjytSssRU0FkX
+            UK5OdW+SURLREvIOZjYoEqjxFGj22ZAegkNIHYadTSGyesWM8Fj3Q6Su0EVyeyaI
+            FaE5Eo3Ya0tn7p+oMoAsJFJhtz9oFvPcaXCri+BTiIHCGZBQf9ndAvpr23zd2cO8
+            LBNwHOmJmtiHM3xndhVstBt9YnRqjqg3hZt65zB7LIP8zRPDtzsvTAdcLMkibhh5
+            GPn6JyOvlBPFrxR0ZmuGTURFODfjFrjn96igHDGbET1XKDVb99uQA7tJDRjZYUPM
+            3zfjj+aKi8R9k+/fU/jO827K8jHN9tPmrsJslUGDtV6sRxfWXUsfur8840TfnFBm
+            f8mqqOBA9ahJaN+0EyXvFHCfPglYs7zXKL4fYnO6PKB7fR+IDFUQzHxZGDTgLB6g
+            gtayT8FHE6EQ/1Lxsjw4kHfJYlabi5jSPAWtws/RXF8oZgByT6O1yYCtfJPzzlyT
+            A9b2X2EG4Lj6QFQNN7n/qOwa6timOrdZOfIDLMZt7JIDpHXhCmzo2WCm3wFS/L4R
+            6zuYDUg5rm3sxHzcw+9xn/PK8yedVCmCGNrnON9hn0TeqXmuY87KQu1Az+3wJqDU
+            ZgEJAhCnHsdsGhUmeXb4Lb8+hJfFB1DTL3qk6iPqxPsjfA1n3N/KYLd3KYWaM6fm
+            21yCsmkJZRWxgOwTPbF+KIQAq4yleW06ys6DFLz2wgLc3LlRjJFlPeajM6v6XicO
+            lDUgoEyZhw==
+            =y2A9
+            -----END PGP MESSAGE-----
+          fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
+    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL)$
+    version: 3.7.3
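Review bot: `dnsNames` is SOPS-encrypted, but the certificate is requested from the `letsencrypt` ClusterIssuer, and publicly trusted certificates are recorded in Certificate Transparency logs; assuming that issuer is the public Let's Encrypt CA, the hostname becomes discoverable once the certificate is issued, so the encryption keeps it out of the repository but does not keep it secret. The `pgp` entries carry `created_at: "2022-01-21T18:13:48Z"` although the file is new and `lastmodified` is 2023-09-28, which suggests it was created by copying an existing encrypted file and therefore shares that file's data key; running `sops -r` on the new file would give it its own. The `encrypted_regex` here also differs from the one in `ingress.yaml` in the same commit, so deriving both from a single `.sops.yaml` creation rule would keep it consistent which fields are encrypted.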
diff --git a/apps/k8s01/crowdsec/ingress.yaml b/apps/k8s01/crowdsec/ingress.yaml
new file mode 100644
index 000000000..e3e150c85
--- /dev/null
+++ b/apps/k8s01/crowdsec/ingress.yaml
@@ -0,0 +1,75 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+    name: crowdsec
+    namespace: crowdsec
+    labels:
+        app.kubernetes.io/name: crowdsec
+spec:
+    rules:
+        - host: ENC[AES256_GCM,data:V4ci7BYq3Rx68SbH8cNec0Sb8HOviEZ9ba0=,iv:TEAzu114TgjQzZAioIVT6DzbZ17JNesdT2xuebf64xQ=,tag:XeZ31mVguuRCTQka+QB4Zg==,type:str]
+          http:
+            paths:
+                - path: /
+                  pathType: Prefix
+                  backend:
+                    service:
+                        name: crowdsec-service
+                        port:
+                            number: 8080
+    tls:
+        - hosts:
+            - ENC[AES256_GCM,data:Y/OIAe4NfZ9BYatNn6XO9HU3sIPfaRPc8J0=,iv:7r3WP7xi2bGM57zhQk0P09J02q6+QGBBGUWGmAWDt7I=,tag:uLD2TT0gY5TQkYDCbQizHA==,type:str]
+          secretName: ingress-crowdsec-tls
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-09-28T21:27:39Z"
+    mac: ENC[AES256_GCM,data:p+fFV8mvF1bFzXzkHRLX4mVr+8vytjdhjnMY4d6j8r3WziexMcKRuAgScxzyBPCyjHXdhDBFTFMC4czb1hEkbhYkYacjqYV2rAEnhzHiQtJhUQalTUDoqUeHwgWWZoN/JRI+eTN6pO2yO6csK9nPOcCUuzwGbD8Cx7pj0+H7RH0=,iv:mmLX6cXLoVn8Z2h3DHZIijqR2U4DsGDDvHpbGVIVz+4=,tag:EVetf8A/KAKUOdfRb2XlXg==,type:str]
+    pgp:
+        - created_at: "2022-09-13T20:16:18Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA7kpg2bgzVHcAQ//QKUo6MGGO7kJyGfQ8WULaFNILDGmSNjPj6avjps8nbpa
+            BdNlszBms4ghflXW6xfBe2vqTvo+Bjd6XqngSoEOpYQNruKTodDpkRBj2KsT+nza
+            PfQocIiGaLmYsjdT7RtrCIzkm27IwL1MMtPrWPPfiiRHv5lw18y+l2c2kkO8TA4A
+            eETwEpbeVTo+iryTYSHMQKHeKk+s3Oh/MVGHHC3AlNn8hmvi2Wt/eSLye27a7J5T
+            lbJrNkIDX/1G9NR0bg2045MkljzYyY7ttP58j+WsOca3ct8NWy4Z4OQeldCmwIFr
+            BrKYCoFI6eZ6DHT9Rlqm246WN70hbRb7usCgX8dn8WT/Z8dXWzRryYtIVjkzrIVm
+            AZQ1XelkdXybGa/ORV5aj81AIXu7konepcJX64L6OxcQjFhQWAO7y1rwclOW8QOb
+            h2RlsE79wNobUsErXTvUmsW30l0GWYeh3IgR0HAMu2P8ttDvb8I4yu5H1/5uZnZY
+            jLBnH8ooC9uDnh2z5u6ru5JmHjlQ8BWUF/dptt57qUo/I+xBhiSCqYLFo2WOy1lx
+            hDlSzIE5Sn5TA3fxXyc9Hwv5/c3ELW6EuXqiy4MUcLREL07C4OLp0/1q/Tshj0FG
+            PReQZkVON4jFuDtfFVID8Rm20CBkVe2xahThK8jCGms15UpiU8hsv8VgAn7aIsPS
+            UQF1wuAsfdOVLBugwP0jsc57R60KmtLpig04S0WLJAlNEXGk+yGqAsluHGxJpnnm
+            LUM72fLPLolfVdF2aS9UjTSkSy34Rh5J/j08usEN8R7mWw==
+            =xL8K
+            -----END PGP MESSAGE-----
+          fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+        - created_at: "2022-09-13T20:16:18Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4oYbIHZIrAPARAAi5C2YbFg1dJGa/C+tsp2xn3fhu5Qvl2ywWFz/lWyO6rW
+            si4H0ivAkiI85jd2xgxXq54EWY5pkH0a/Ynly5p9zJuZf+dXP5RkOa7EEbv7h/UV
+            ZRQRpJRJuMKIOUXHKvRR93lQYItSPTCkcRkt6mVEhvYQwOxJmmmjtOF1umbra3Zi
+            sFWez2yil9BCC9kGWM4n2kHHLhb0RJdlfj3tP7RTYC9ssGCdoUnh4CgksRv6QW2G
+            HbrO38UJf96gzrjh09HJS4gSnIbtHVDGZ5lVITFpU3WPirga4BGEgib6Ip2GNb4i
+            6hPmb3aWFwLeHf83CoDV8VbL03t5OLdeUWkAn9xNSZOPy8rZJgm/UXfuii1l39ui
+            gJk2VWVleK1rHGEV+sCsjGQjQvGL6QUgB+4dp6petsw5Jt1gxBbVZmvkuWjpkPw4
+            BkLHPf51Gs0SCogWaVf5XdQqX1bovTZotTbTpa6A0G4iwsPIqQkSB/C7ykod5I0s
+            lXBqXCk9sgAr+hxdRtMpzZJhWC82EoP+Z8IhVEl0GvRyFC+BjFJKMNiTNLRsqmxL
+            iGaZrCXym7qM++uGKaUWmhVPg3g+l2AUmAwgf6ISIGQolaIf7J+jIc9jw4HSYcIM
+            MAjvGOGD02ABGvNGwiyi84ibIhnVngmrxuBrQTfBSfhqhJa6XUtLvaTt0OJa2UnU
+            aAEJAhAjKsBPBcSGRBgbDk+peX46kE7gF1p0tIqKjD1mBaSW5+x5xcITUHQxTcuV
+            tievOikl8nF+zBDmG3TlRiKimMGz2DwlARwkIsXOaU9I/VVwot153VYG/tpEbqKs
+            8LzbNsLdj2Ld
+            =S0CC
+            -----END PGP MESSAGE-----
+          fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
+    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|.*(H|h)osts?|tang|externalURL|.*-secret|.*-url|.*Secrets?|.*-domain|password|subjects|node|apiURL|.*(S|s)erverNames?|.*SecretKey|externalName)$
+    version: 3.7.3
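Review bot: This Ingress publishes the whole CrowdSec local API (`path: /`, `pathType: Prefix`, backend port 8080) with no source restriction visible in the manifest, so the API's own authentication (machine credentials and bouncer API keys) is the only barrier for any client that can reach the ingress controller. If only known agents and bouncers need to connect, restrict client addresses with the ingress controller's allow-list mechanism or require client certificates, and narrow the path to the API prefix those clients actually use. The spec also sets no `ingressClassName`, so which controller serves it depends on the cluster's default IngressClass; adding `ingressClassName: <your-ingress-class>` under `spec` would make that explicit.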
diff --git a/apps/k8s01/crowdsec/kustomization.yaml b/apps/k8s01/crowdsec/kustomization.yaml
index c701f87a7..91fc64cd0 100644
--- a/apps/k8s01/crowdsec/kustomization.yaml
+++ b/apps/k8s01/crowdsec/kustomization.yaml
@@ -3,4 +3,6 @@ kind: Kustomization
 namespace: crowdsec
 resources:
   - ../../base/crowdsec
+  - ingress.yaml
+  - certificate.yaml
   - ../../../shared/resourcequotas/default.yaml
-- 
GitLab