arcodange-org/factory
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add crowdsec plugin and middleware for traefik

Browse Source
This commit is contained in:
Gabriel Radureau
2025-11-26 14:19:33 +01:00
parent b6d240ce31
commit 72628f0f0e
3 changed files with 92 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
ansible/arcodange/factory/playbooks/01_system.yml
View File

@@ -263,6 +263,8 @@
localIp: localIp:
ipAllowList: ipAllowList:
sourceRange: sourceRange:
- "172.16.0.0/12"
- "10.42.0.0/16"
- "192.168.1.0/24" - "192.168.1.0/24"
- "{{ ipify_public_ip }}/32" - "{{ ipify_public_ip }}/32"
# - "0.0.0.0/0" # - "0.0.0.0/0"
@@ -306,7 +308,7 @@
value: 'true' value: 'true'
logs: logs:
general: general:
level: DEBUG level: INFO
# format: json # format: json
access: access:
enabled: true enabled: true
@@ -333,9 +335,15 @@
- name: traefik-configmap - name: traefik-configmap
mountPath: /config mountPath: /config
type: configMap type: configMap
experimental:
plugins:
crowdsec-bouncer:
moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin #https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin
version: v1.3.3
additionalArguments: additionalArguments:
- '--providers.file.filename=/config/dynamic.yaml' - '--providers.file.filename=/config/dynamic.yaml'
- '--providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik' - '--providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik'
- "--providers.kubernetescrd"
certificatesResolvers: certificatesResolvers:
letsencrypt: letsencrypt:
acme: acme:

81
ansible/arcodange/factory/playbooks/tools/crowdsec.yml Normal file
View File

@@ -0,0 +1,81 @@
---
- name: crowdsec
# hosts: raspberries:&local
hosts: localhost
# debugger: on_failed
tasks:
- name: Récupérer le nom du pod CrowdSec LAPI
kubernetes.core.k8s_info:
kind: Pod
namespace: tools
label_selectors:
- k8s-app = crowdsec
- type = lapi
register: crowdsec_lapi_pods
- name: Vérifier qu'un pod a été trouvé
assert:
that: crowdsec_lapi_pods.resources | length > 0
fail_msg: "Aucun pod CrowdSec LAPI trouvé dans le namespace 'tools' avec les labels 'k8s-app=crowdsec, type=lapi'."
- name: Définir le nom du pod CrowdSec LAPI
set_fact:
crowdsec_lapi_pod_name: "{{ crowdsec_lapi_pods.resources[0].metadata.name }}"
- name: Récupérer la clé API du bouncer CrowdSec
kubernetes.core.k8s_exec:
namespace: tools
pod: "{{ crowdsec_lapi_pod_name }}"
container: crowdsec-lapi
command: >
cscli bouncers add traefik-plugin
register: bouncer_key_result
ignore_errors: yes
- name: Supprimer le bouncer existant en cas d'échec
kubernetes.core.k8s_exec:
namespace: tools
pod: "{{ crowdsec_lapi_pod_name }}"
container: crowdsec-lapi
command: >
cscli bouncers delete traefik-plugin
when: bouncer_key_result.failed
- name: Réessayer de récupérer la clé API
kubernetes.core.k8s_exec:
namespace: tools
pod: "{{ crowdsec_lapi_pod_name }}"
container: crowdsec-lapi
command: >
cscli bouncers add traefik-plugin
register: bouncer_key_result
when: bouncer_key_result.failed
- name: Créer le Middleware Traefik pour CrowdSec
kubernetes.core.k8s:
state: present
definition:
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: crowdsec
namespace: kube-system
spec:
plugin:
crowdsec-bouncer:
enabled: true
crowdsecMode: stream
crowdsecLapiScheme: http
crowdsecLapiHost: crowdsec-service.tools.svc.cluster.local:8080
crowdsecLapiKey: "{{ bouncer_key_result.stdout_lines[2].strip() }}"
htttTimeoutSeconds: 60
crowdsecAppsecEnabled: false
crowdsecAppsecHost: crowdsec:7422
crowdsecAppsecFailureBlock: true
crowdsecAppsecUnreachableBlock: true
forwardedHeadersTrustedIPs:
- 10.0.10.23/32
- 10.0.20.0/24
clientTrustedIPs:
- 192.168.1.0/24

2
ansible/arcodange/factory/playbooks/tools/tools.yml
View File

@@ -1,3 +1,5 @@
--- ---
- name: hashicorp_vault - name: hashicorp_vault
ansible.builtin.import_playbook: hashicorp_vault.yml ansible.builtin.import_playbook: hashicorp_vault.yml
- name: crowdsec
ansible.builtin.import_playbook: crowdsec.yml