add crowdsec plugin and middleware for traefik
@@ -263,6 +263,8 @@
|
||||
localIp:
|
||||
ipAllowList:
|
||||
sourceRange:
|
||||
- "172.16.0.0/12"
|
||||
- "10.42.0.0/16"
|
||||
- "192.168.1.0/24"
|
||||
- "{{ ipify_public_ip }}/32"
|
||||
# - "0.0.0.0/0"
|
||||
@@ -306,7 +308,7 @@
|
||||
value: 'true'
|
||||
logs:
|
||||
general:
|
||||
level: DEBUG
|
||||
level: INFO
|
||||
# format: json
|
||||
access:
|
||||
enabled: true
|
||||
@@ -333,9 +335,15 @@
|
||||
- name: traefik-configmap
|
||||
mountPath: /config
|
||||
type: configMap
|
||||
experimental:
|
||||
plugins:
|
||||
crowdsec-bouncer:
|
||||
moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin #https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin
|
||||
version: v1.3.3
|
||||
additionalArguments:
|
||||
- '--providers.file.filename=/config/dynamic.yaml'
|
||||
- '--providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik'
|
||||
- "--providers.kubernetescrd"
|
||||
certificatesResolvers:
|
||||
letsencrypt:
|
||||
acme:
|
||||
|
||||
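--- /dev/null
+++ b/ansible/arcodange/factory/playbooks/tools/crowdsec.yml
@@ -0,0 +1,81 @@
+---
+- name: crowdsec
+  # hosts: raspberries:&local
+  hosts: localhost
+  # debugger: on_failed
+
+  tasks:
+    - name: Récupérer le nom du pod CrowdSec LAPI
+      kubernetes.core.k8s_info:
+        kind: Pod
+        namespace: tools
+        label_selectors:
+          - k8s-app = crowdsec
+          - type = lapi
+      register: crowdsec_lapi_pods
+
+    - name: Vérifier qu'un pod a été trouvé
+      assert:
+        that: crowdsec_lapi_pods.resources | length > 0
+        fail_msg: "Aucun pod CrowdSec LAPI trouvé dans le namespace 'tools' avec les labels 'k8s-app=crowdsec, type=lapi'."
+
+    - name: Définir le nom du pod CrowdSec LAPI
+      set_fact:
+        crowdsec_lapi_pod_name: "{{ crowdsec_lapi_pods.resources[0].metadata.name }}"
+
+    - name: Récupérer la clé API du bouncer CrowdSec
+      kubernetes.core.k8s_exec:
+        namespace: tools
+        pod: "{{ crowdsec_lapi_pod_name }}"
+        container: crowdsec-lapi
+        command: >
+          cscli bouncers add traefik-plugin
+      register: bouncer_key_result
+      ignore_errors: yes
+
+    - name: Supprimer le bouncer existant en cas d'échec
+      kubernetes.core.k8s_exec:
+        namespace: tools
+        pod: "{{ crowdsec_lapi_pod_name }}"
+        container: crowdsec-lapi
+        command: >
+          cscli bouncers delete traefik-plugin
+      when: bouncer_key_result.failed
+
+    - name: Réessayer de récupérer la clé API
+      kubernetes.core.k8s_exec:
+        namespace: tools
+        pod: "{{ crowdsec_lapi_pod_name }}"
+        container: crowdsec-lapi
+        command: >
+          cscli bouncers add traefik-plugin
+      register: bouncer_key_result
+      when: bouncer_key_result.failed
+
+    - name: Créer le Middleware Traefik pour CrowdSec
+      kubernetes.core.k8s:
+        state: present
+        definition:
+          apiVersion: traefik.io/v1alpha1
+          kind: Middleware
+          metadata:
+            name: crowdsec
+            namespace: kube-system
+          spec:
+            plugin:
+              crowdsec-bouncer:
+                enabled: true
+                crowdsecMode: stream
+                crowdsecLapiScheme: http
+                crowdsecLapiHost: crowdsec-service.tools.svc.cluster.local:8080
+                crowdsecLapiKey: "{{ bouncer_key_result.stdout_lines[2].strip() }}"
+                htttTimeoutSeconds: 60
+                crowdsecAppsecEnabled: false
+                crowdsecAppsecHost: crowdsec:7422
+                crowdsecAppsecFailureBlock: true
+                crowdsecAppsecUnreachableBlock: true
+                forwardedHeadersTrustedIPs:
+                  - 10.0.10.23/32
+                  - 10.0.20.0/24
+                clientTrustedIPs:
+                  - 192.168.1.0/24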
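Review bot: The bouncer API key ends up in clear text in the Middleware object through `crowdsecLapiKey: "{{ bouncer_key_result.stdout_lines[2].strip() }}"`, and the two `kubernetes.core.k8s_exec` tasks that register `bouncer_key_result` print it in the play output; add `no_log: true` to both tasks, and if the plugin version in use supports `crowdsecLapiKeyFile`, prefer loading the key from a mounted Kubernetes Secret over an inline value readable by anyone who can get Middlewares in kube-system. Selecting the key by line index is also fragile: `cscli bouncers add traefik-plugin -o raw` prints only the key, so `crowdsecLapiKey: "{{ bouncer_key_result.stdout | trim }}"` stops depending on the layout of the human-readable output. `htttTimeoutSeconds: 60` looks like a typo for `httpTimeoutSeconds`, so the intended 60 s timeout is presumably not applied. Note too that the delete-then-re-add path rotates the key on every run where the bouncer already exists, and `ignore_errors: yes` should be `true` to match the file's other booleans.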
@@ -1,3 +1,5 @@
|
||||
---
|
||||
- name: hashicorp_vault
|
||||
ansible.builtin.import_playbook: hashicorp_vault.yml
|
||||
- name: crowdsec
|
||||
ansible.builtin.import_playbook: crowdsec.yml
|
||||