From 9fffa121dd79c9984a96827b0ab93c03e5085a2f Mon Sep 17 00:00:00 2001
From: Timo Behrendt
Date: Sun, 28 Dec 2025 10:17:04 +0100
Subject: [PATCH] feat: disable crowdsec (#12)
Reviewed-on: https://gitea.t000-n.de/t.behrendt/k/pulls/12
Co-authored-by: Timo Behrendt
Co-committed-by: Timo Behrendt
---
 .gitea/workflows/deploy.yaml | 10 +++---
 traefik/middleware-adminbasicauth.yaml | 8 +++++
 traefik/middleware-crowdsec-bouncher.yaml | 13 ++++++++
 traefik/middleware-local-ip-filter.yaml | 11 +++++++
 traefik/traefik-config.yaml | 38 ++++++-----------------
 5 files changed, 45 insertions(+), 35 deletions(-)
 create mode 100644 traefik/middleware-adminbasicauth.yaml
 create mode 100644 traefik/middleware-crowdsec-bouncher.yaml
 create mode 100644 traefik/middleware-local-ip-filter.yaml
diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml
index 6d25707..8f33639 100644
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -89,12 +89,10 @@ jobs:
 with:
 namespace: kube-system
 secret-name: admin-basic-auth-credentials
- secret-type: generic
- data: |
- {
- "username": "bmV0YWRtaW4=",
- "password": "${{ secrets.ADMIN_BASIC_AUTH_PASSWORD }}"
- }
+ secret-type: "kubernetes.io/basic-auth"
+ string-data: |
+ username: netadmin
+ password: "${{ secrets.ADMIN_BASIC_AUTH_PASSWORD }}"
 - name: Set crowdsec bouncer api key
 uses: azure/k8s-create-secret@6e0ba8047235646753f2a3a3b359b4d0006ff218 # v5
 with:
diff --git a/traefik/middleware-adminbasicauth.yaml b/traefik/middleware-adminbasicauth.yaml
new file mode 100644
index 0000000..b11883b
--- /dev/null
+++ b/traefik/middleware-adminbasicauth.yaml
@@ -0,0 +1,8 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: adminbasicauth
+ namespace: kube-system
+spec:
+ basicAuth:
+ secret: admin-basic-auth-credentials
diff --git a/traefik/middleware-crowdsec-bouncher.yaml b/traefik/middleware-crowdsec-bouncher.yaml
new file mode 100644
index 0000000..16e3b98
--- /dev/null
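Review bot: In `.gitea/workflows/deploy.yaml` the new `string-data` input is written as a YAML-style mapping, whereas the removed `data` input was a JSON object. If azure/k8s-create-secret parses `string-data` the same way as `data` (as JSON, which is worth confirming for the pinned commit), the step would fail or create a secret without the `username`/`password` keys that the `adminbasicauth` middleware depends on. The password is also spliced into the document as raw text, so a value containing `"` or `\` changes how the input parses. Writing the input as JSON and letting the expression engine do the quoting avoids both problems: `{"username": "netadmin", "password": ${{ toJSON(secrets.ADMIN_BASIC_AUTH_PASSWORD) }}}`. The step's own `name:` and `uses:` lines sit above the hunk, so the action version for this step is inferred from the neighbouring step.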
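Review bot: `traefik/middleware-adminbasicauth.yaml` declares `apiVersion: traefik.containo.us/v1alpha1`, the API group Traefik deprecated in v2.10 in favour of `traefik.io/v1alpha1` and no longer serves in v3. The same line appears in `middleware-crowdsec-bouncher.yaml` and `middleware-local-ip-filter.yaml`. The Traefik version is not visible in this patch, so this only bites if the chart is at or moving to a release that ships the `traefik.io` CRDs; routers referencing these middlewares would then fail to resolve them. A comment above `secret:` such as `# created by .gitea/workflows/deploy.yaml as type kubernetes.io/basic-auth` would also record the coupling between this name and the workflow step.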
+++ b/traefik/middleware-crowdsec-bouncher.yaml
@@ -0,0 +1,13 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: crowdsec-bouncer
+ namespace: kube-system
+spec:
+ plugin:
+ crowdsec-bouncer-traefik-plugin:
+ Enabled: true
+ CrowdsecMode: live
+ CrowdsecLapiUrl: "http://crowdsec-service.kube-system.svc.cluster.local:8080"
+ CrowdsecLapiKey: "${CROWDSEC_BOUNCER_API_KEY}"
+ UpdateIntervalSeconds: 10
diff --git a/traefik/middleware-local-ip-filter.yaml b/traefik/middleware-local-ip-filter.yaml
new file mode 100644
index 0000000..dbf1bd7
--- /dev/null
+++ b/traefik/middleware-local-ip-filter.yaml
@@ -0,0 +1,11 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: localipfilter
+ namespace: kube-system
+spec:
+ ipWhiteList:
+ sourceRange:
+ - 192.168.0.0/24
+ - 172.16.0.0/16
+ - 10.0.0.0/8
diff --git a/traefik/traefik-config.yaml b/traefik/traefik-config.yaml
index 7ecb60f..1ffb32b 100644
--- a/traefik/traefik-config.yaml
+++ b/traefik/traefik-config.yaml
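Review bot: In `traefik/middleware-crowdsec-bouncher.yaml`, `CrowdsecLapiKey: "${CROWDSEC_BOUNCER_API_KEY}"` is a shell-style placeholder in a static manifest. Kubernetes does not expand it, so unless a step outside this patch substitutes it before the manifest is applied, the bouncer would present the literal string as its key. If it is substituted, the LAPI key is stored in clear text in the Middleware object, readable by anyone allowed to get middlewares in `kube-system`; the plugin documents a file-based option (`CrowdsecLapiKeyFile`, to be confirmed for the pinned v1.4.6) that can point at a secret mounted into the Traefik pod instead. This commit also comments out the plugin registration in `traefik-config.yaml`, so the Middleware refers to a plugin Traefik no longer loads, and a header comment such as `# parked: plugin is disabled in traefik-config.yaml` would make that explicit. `CrowdsecLapiUrl` should be checked against the plugin's option list, which I recall as `CrowdsecLapiScheme` and `CrowdsecLapiHost`.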
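Review bot: In `traefik/middleware-local-ip-filter.yaml`, `10.0.0.0/8` is broad enough to include typical cluster pod and node ranges, and `ipWhiteList` without an `ipStrategy` matches the connection's source address. If the Traefik Service does not preserve client IPs (for example `externalTrafficPolicy: Cluster`, which is not visible here), external requests arrive with an in-cluster source address and pass the filter. I would narrow the list to the actual LAN subnets and add a comment above `sourceRange:` such as `# matches the TCP source address; requires client IP preservation on the Traefik Service`. Note also that `172.16.0.0/16` covers only 172.16.x.x and not the whole RFC 1918 `172.16.0.0/12` block, in case the full block was intended.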
@@ -69,32 +69,12 @@ spec:
 size: 1Gi
 storageClass: longhorn
 path: /data
- extraObjects:
- - apiVersion: traefik.containo.us/v1alpha1
- kind: Middleware
- metadata:
- name: localipfilter
- namespace: kube-system
- spec:
- ipWhiteList:
- sourceRange:
- - 192.168.0.0/24
- - 172.16.0.0/16
- - 10.0.0.0/8
- - apiVersion: traefik.containo.us/v1alpha1
- kind: Middleware
- metadata:
- name: adminbasicauth
- namespace: kube-system
- spec:
- basicAuth:
- secret: adminbasicauthsecret
- experimental:
- plugins:
- crowdsec-bouncer-traefik-plugin:
- moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
- version: v1.4.6
- additionalArguments:
- - "--providers.kubernetescrd"
- - "--entrypoints.web.http.middlewares=crowdsec-bouncer@kubernetescrd"
- - "--entrypoints.websecure.http.middlewares=internal-crowdsec-bouncer@kubernetescrd"
+ #experimental:
+ # plugins:
+ # crowdsec-bouncer-traefik-plugin:
+ # moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
+ # version: v1.4.6
+ #additionalArguments:
+ # - "--providers.kubernetescrd"
+ # - "--entrypoints.web.http.middlewares=crowdsec-bouncer@kubernetescrd"
+ # - "--entrypoints.websecure.http.middlewares=kube-system-crowdsec-bouncer@kubernetescrd"
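Review bot: The commented-out block in `traefik/traefik-config.yaml` leaves two different names for the same middleware: the `web` entrypoint uses `crowdsec-bouncer@kubernetescrd` while `websecure` uses `kube-system-crowdsec-bouncer@kubernetescrd`. The Kubernetes CRD provider names middlewares `<namespace>-<name>@kubernetescrd`, so when this block is re-enabled the `web` line would point at a middleware that does not exist; suggest `# - "--entrypoints.web.http.middlewares=kube-system-crowdsec-bouncer@kubernetescrd"`. Since this hunk removes the only entrypoint-level enforcement, a one-line comment above `#experimental:` stating why CrowdSec is disabled and what protects the entrypoints in the meantime would serve the next maintainer better than bare commented-out YAML. The enclosing `spec:` block starts above the hunk.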