From 292dcbe9095fc40e830d7cd0216fe631810c0aaf Mon Sep 17 00:00:00 2001 From: Timo Behrendt Date: Sun, 28 Dec 2025 09:48:33 +0100 Subject: [PATCH 1/7] feat: add crowdsec --- crowdsec/helmfile.yaml | 12 ++++++++++++ crowdsec/values.yaml | 35 +++++++++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+) create mode 100644 crowdsec/helmfile.yaml create mode 100644 crowdsec/values.yaml diff --git a/crowdsec/helmfile.yaml b/crowdsec/helmfile.yaml new file mode 100644 index 0000000..8c390a7 --- /dev/null +++ b/crowdsec/helmfile.yaml @@ -0,0 +1,12 @@ +repositories: + - name: crowdsec + url: https://crowdsecurity.github.io/helm-charts + +releases: + - name: crowdsec + namespace: kube-system + createNamespace: false + chart: crowdsec/crowdsec + version: 0.20.0 + values: + - values.yaml diff --git a/crowdsec/values.yaml b/crowdsec/values.yaml new file mode 100644 index 0000000..abc842f --- /dev/null +++ b/crowdsec/values.yaml @@ -0,0 +1,35 @@ +container_runtime: containerd + +agent: + enabled: true + acquisition: + - namespace: kube-system + podName: traefik-* + program: traefik + metrics: + enabled: false + +lapi: + enabled: true + replicas: 1 + metrics: + enabled: true + persistentVolume: + data: + enabled: true + size: 1Gi + config: + enabled: true + size: 100Mi + +config: + config.yaml.local: | + api: + server: + auto_registration: + enabled: true + token: "${REGISTRATION_TOKEN}" + allowed_ranges: + - "10.0.0.0/8" + - "172.16.0.0/12" + - "192.168.0.0/16" -- 2.49.1 From bbd8b8dcb6ed53778a6bbe1f99bb51123490cc2c Mon Sep 17 00:00:00 2001 From: Timo Behrendt Date: Sun, 28 Dec 2025 09:48:42 +0100 Subject: [PATCH 2/7] feat: add traefik --- traefik/traefik-config.yaml | 100 ++++++++++++++++++++++++++++++++++++ 1 file changed, 100 insertions(+) create mode 100644 traefik/traefik-config.yaml diff --git a/traefik/traefik-config.yaml b/traefik/traefik-config.yaml new file mode 100644 index 0000000..7ecb60f --- /dev/null +++ b/traefik/traefik-config.yaml 
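Review bot: `auto_registration.allowed_ranges` in `config.yaml.local` admits every RFC1918 block, so any workload whose pod or node address falls inside 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 and holds the token can register itself as a log-processing agent and push alerts into LAPI; narrow it to the CIDR the agent DaemonSet actually speaks from, e.g. `allowed_ranges: ["<pod-cidr>"]`. The token is taken from `${REGISTRATION_TOKEN}`, but nothing in these values sets that variable on the LAPI container (there is no `lapi.env` entry), so unless the chart injects it the expanded value is presumably empty or the literal placeholder — confirm before relying on auto-registration. A one-line comment above the `auto_registration` block naming where the token is provisioned would save the next reader that search.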
@@ -0,0 +1,100 @@ +apiVersion: helm.cattle.io/v1 +kind: HelmChartConfig +metadata: + name: traefik + namespace: kube-system +spec: + valuesContent: |- + nodeSelector: + kubernetes.io/hostname: k3sh0 + providers: + kubernetesCRD: + allowCrossNamespace: true + certResolvers: + letsencrypt: + email: admin@t00n.de + dnsChallenge: + provider: ionos + delayBeforeCheck: 60 + resolvers: + - 1.1.1.1 + storage: /data/acme-ionos.json + ingressRoute: + dashboard: + enabled: true + matchRule: Host(`traefik.monitor.k8s.t000-n.de`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`)) + middlewares: + - name: localipfilter + entryPoints: ["websecure"] + env: + - name: IONOS_API_KEY + valueFrom: + secretKeyRef: + key: apiKey + name: ionos-api-credentials + - name: CROWDSEC_BOUNCER_API_KEY + valueFrom: + secretKeyRef: + name: crowdsec-bouncer-api-key + key: api-key + ports: + web: + port: 8000 + expose: true + exposedPort: 80 + nodePort: 32080 + websecure: + port: 8443 + expose: true + exposedPort: 443 + nodePort: 32443 + tls: + enabled: true + certResolver: "letsencrypt" + service: + enabled: true + single: true + type: LoadBalancer + spec: + externalTrafficPolicy: Local + externalIPs: + - 192.168.0.50 + - 192.168.0.51 + - 192.168.0.52 + - 192.168.0.53 + persistence: + enabled: true + name: data + accessMode: ReadWriteMany + size: 1Gi + storageClass: longhorn + path: /data + extraObjects: + - apiVersion: traefik.containo.us/v1alpha1 + kind: Middleware + metadata: + name: localipfilter + namespace: kube-system + spec: + ipWhiteList: + sourceRange: + - 192.168.0.0/24 + - 172.16.0.0/16 + - 10.0.0.0/8 + - apiVersion: traefik.containo.us/v1alpha1 + kind: Middleware + metadata: + name: adminbasicauth + namespace: kube-system + spec: + basicAuth: + secret: adminbasicauthsecret + experimental: + plugins: + crowdsec-bouncer-traefik-plugin: + moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin + version: v1.4.6 + additionalArguments: + - "--providers.kubernetescrd" + - 
"--entrypoints.web.http.middlewares=crowdsec-bouncer@kubernetescrd" + - "--entrypoints.websecure.http.middlewares=internal-crowdsec-bouncer@kubernetescrd" -- 2.49.1 From 94420fb7102f713f7c1a518253e8bb363c4b2541 Mon Sep 17 00:00:00 2001 From: Timo Behrendt Date: Sun, 28 Dec 2025 09:48:46 +0100 Subject: [PATCH 3/7] adjust cicd --- .gitea/workflows/deploy.yaml | 81 ++++++++++++++++++++++++++++++++++++ 1 file changed, 81 insertions(+) diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml index 0de5a1b..6d25707 100644 --- a/.gitea/workflows/deploy.yaml +++ b/.gitea/workflows/deploy.yaml @@ -11,6 +11,8 @@ jobs: outputs: node-labels: ${{ steps.filter.outputs.node-labels }} coredns: ${{ steps.filter.outputs.coredns }} + traefik: ${{ steps.filter.outputs.traefik }} + crowdsec: ${{ steps.filter.outputs.crowdsec }} steps: - uses: actions/checkout@v5 with: @@ -23,6 +25,10 @@ jobs: - 'node-labels/**' coredns: - 'coredns/**' + traefik: + - 'traefik/**' + crowdsec: + - 'crowdsec/**' deploy-node-labels: runs-on: ubuntu-latest 
@@ -56,3 +62,78 @@ jobs: - name: Restart coredns run: | kubectl -n kube-system rollout restart deployment coredns + + deploy-traefik: + runs-on: ubuntu-latest + needs: check-changes + if: ${{ needs.check-changes.outputs.traefik == 'true' }} + steps: + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + - uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4 + - uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa # v4 + with: + method: kubeconfig + kubeconfig: ${{ secrets.KUBECONFIG }} + - name: Set ionos api credentials + uses: azure/k8s-create-secret@6e0ba8047235646753f2a3a3b359b4d0006ff218 # v5 + with: + namespace: kube-system + secret-name: ionos-api-credentials + secret-type: generic + data: | + { + "apiKey": "${{ secrets.IONOS_API_KEY }}" + } + - name: Set admin basic auth credentials + uses: azure/k8s-create-secret@6e0ba8047235646753f2a3a3b359b4d0006ff218 # v5 + with: + namespace: kube-system + secret-name: admin-basic-auth-credentials + secret-type: generic + data: | + { + "username": "bmV0YWRtaW4=", + "password": "${{ secrets.ADMIN_BASIC_AUTH_PASSWORD }}" + } + - name: Set crowdsec bouncer api key + uses: azure/k8s-create-secret@6e0ba8047235646753f2a3a3b359b4d0006ff218 # v5 + with: + namespace: kube-system + secret-name: crowdsec-bouncer-api-key + secret-type: generic + data: | + { + "api-key": "${{ secrets.CROWDSEC_BOUNCER_API_KEY }}" + } + - name: Deploy + uses: azure/k8s-deploy@6f7c489cecd8da05646259d9fa3daae92e095c7b # v5.0.4 + with: + action: deploy + manifests: "traefik/" + strategy: basic + namespace: kube-system + + deploy-crowdsec: + runs-on: ubuntu-latest + needs: check-changes + if: ${{ needs.check-changes.outputs.crowdsec == 'true' }} + steps: + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + - uses: https://gitea.t000-n.de/t.behrendt/k_deploy_workflows/.gitea/actions/extract-namespace-from-repo-name@v0 + id: namespace + with: + repo: ${{ github.repository }} + - 
uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4 + - uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4 + with: + version: "3.15.0" + - uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa # v4 + with: + method: kubeconfig + kubeconfig: ${{ secrets.KUBECONFIG }} + - name: Deploy helm + uses: helmfile/helmfile-action@f64d5db9f8660aae0205b5fcfc56577d44acefab # v2.1.0 + with: + helmfile-args: apply + helm-plugins: https://github.com/databus23/helm-diff@v3.12.0 + helmfile-workdirectory: "crowdsec" -- 2.49.1 From 5a44a408a33172ba7c467370ac788a5da11a74bc Mon Sep 17 00:00:00 2001 From: Timo Behrendt Date: Sun, 28 Dec 2025 09:50:06 +0100 Subject: [PATCH 4/7] ci: add ci steps for traefik and crowdsec --- .gitea/workflows/validate.yaml | 35 ++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/.gitea/workflows/validate.yaml b/.gitea/workflows/validate.yaml index da68584..bedbbc4 100644 --- a/.gitea/workflows/validate.yaml +++ b/.gitea/workflows/validate.yaml 
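Review bot: The `ionos-api-credentials` and `crowdsec-bouncer-api-key` steps pass `${{ secrets.IONOS_API_KEY }}` and `${{ secrets.CROWDSEC_BOUNCER_API_KEY }}` through the `data` input, which `azure/k8s-create-secret` (like the Kubernetes `data` field) treats as already base64-encoded — the hard-coded `bmV0YWRtaW4=` (`netadmin`) follows that rule, so these raw keys either must be stored pre-encoded in Gitea or will decode to garbage; use `string-data` for plain values, e.g. `string-data: '{ "apiKey": "${{ secrets.IONOS_API_KEY }}" }'` (the last patch in this series only converts the basic-auth step). A secret containing `"` or `\` also breaks the hand-assembled JSON, so the encoded form is the more robust choice when the value is not under your control. Both jobs authenticate with `secrets.KUBECONFIG` and write into kube-system; presumably that is a cluster-admin kubeconfig, so a dedicated ServiceAccount token scoped to the Secrets, HelmChartConfig and Helm release objects it needs would cap the blast radius of a leaked CI secret. Nothing here registers the bouncer with LAPI (`cscli bouncers add`), so the key must be provisioned out of band for the Traefik plugin to authenticate — worth a comment on the step.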
@@ -31,3 +31,38 @@ jobs: - name: Validate run: | kubectl apply -n kube-system -f coredns + + validate-traefik: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + - uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4 + - uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa # v4 + with: + method: kubeconfig + kubeconfig: ${{ secrets.KUBECONFIG }} + - name: Validate + uses: azure/k8s-lint@6aefe5066f95e73d2b140d8835cc95583b886989 # v3 + with: + namespace: kube-system + lintType: dryrun + manifests: "traefik/" + + validate-crowdsec: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + - uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4 + - uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4 + with: + version: "3.15.0" + - uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa # v4 + with: + method: kubeconfig + kubeconfig: ${{ secrets.KUBECONFIG }} + - name: Validate Helm + uses: helmfile/helmfile-action@f64d5db9f8660aae0205b5fcfc56577d44acefab # v2.1.0 + with: + helmfile-args: diff + helm-plugins: https://github.com/databus23/helm-diff@v3.12.0 + helmfile-workdirectory: "crowdsec" -- 2.49.1 From 9bf8b1b5453b3a11b8977e8cc98d2c22a5c0d5c3 Mon Sep 17 00:00:00 2001 From: Timo Behrendt Date: Sun, 28 Dec 2025 09:51:08 +0100 Subject: [PATCH 5/7] ci: force crowdsec validation on amd64 --- .gitea/workflows/validate.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.gitea/workflows/validate.yaml b/.gitea/workflows/validate.yaml index bedbbc4..ad6abb0 100644 --- a/.gitea/workflows/validate.yaml +++ b/.gitea/workflows/validate.yaml 
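Review bot: Both new validate jobs load `secrets.KUBECONFIG` into a job whose only purpose is to check manifests — `k8s-lint` with `lintType: dryrun` and `helmfile diff` both contact the live cluster with what is presumably a write-capable admin kubeconfig. If this workflow runs on pull requests, a PR that edits the workflow file or `crowdsec/helmfile.yaml` executes with that credential (the `on:` trigger is outside this hunk, so confirm). Prefer a credential-free check here — `kubectl apply --dry-run=client` or `kubeconform` for `traefik/`, `helmfile template` for `crowdsec/` — or at least a read-only kubeconfig bound to `get`/`list` for the diff. `helm-plugins: https://github.com/databus23/helm-diff@v3.12.0` is pinned by tag, which is weaker than the SHA-pinned actions around it.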
@@ -49,7 +49,9 @@ jobs: manifests: "traefik/" validate-crowdsec: - runs-on: ubuntu-latest + runs-on: + - ubuntu-latest + - linux_amd64 steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 - uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4 -- 2.49.1 From e10e4f2c6c72eb363fd3719b86d13b18a39a0382 Mon Sep 17 00:00:00 2001 From: Timo Behrendt Date: Sun, 28 Dec 2025 10:08:05 +0100 Subject: [PATCH 6/7] disable crowdsec for now --- traefik/middleware-adminbasicauth.yaml | 8 +++++ traefik/middleware-crowdsec-bouncher.yaml | 13 ++++++++ traefik/middleware-local-ip-filter.yaml | 11 +++++++ traefik/traefik-config.yaml | 38 ++++++----------------- 4 files changed, 41 insertions(+), 29 deletions(-) create mode 100644 traefik/middleware-adminbasicauth.yaml create mode 100644 traefik/middleware-crowdsec-bouncher.yaml create mode 100644 traefik/middleware-local-ip-filter.yaml diff --git a/traefik/middleware-adminbasicauth.yaml b/traefik/middleware-adminbasicauth.yaml new file mode 100644 index 0000000..b11883b --- /dev/null +++ b/traefik/middleware-adminbasicauth.yaml @@ -0,0 +1,8 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: adminbasicauth + namespace: kube-system +spec: + basicAuth: + secret: admin-basic-auth-credentials diff --git a/traefik/middleware-crowdsec-bouncher.yaml b/traefik/middleware-crowdsec-bouncher.yaml new file mode 100644 index 0000000..16e3b98 --- /dev/null +++ b/traefik/middleware-crowdsec-bouncher.yaml @@ -0,0 +1,13 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: crowdsec-bouncer + namespace: kube-system +spec: + plugin: + crowdsec-bouncer-traefik-plugin: + Enabled: true + CrowdsecMode: live + CrowdsecLapiUrl: "http://crowdsec-service.kube-system.svc.cluster.local:8080" + CrowdsecLapiKey: "${CROWDSEC_BOUNCER_API_KEY}" + UpdateIntervalSeconds: 10 
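Review bot: `CrowdsecLapiKey: "${CROWDSEC_BOUNCER_API_KEY}"` sits inside a Middleware CRD, and Traefik does not, to my knowledge, expand environment variables in CRD-sourced dynamic configuration, so the literal string `${CROWDSEC_BOUNCER_API_KEY}` would be sent to LAPI as the bouncer key and every check rejected — unless a templating step substitutes it before `kubectl apply`, which nothing in this series does (`azure/k8s-deploy` applies `traefik/` verbatim). The plugin documents a file-based alternative: mount the `crowdsec-bouncer-api-key` secret as a volume into the Traefik pod and point `CrowdsecLapiKeyFile` at it, which also keeps the key out of the CRD object. `apiVersion: traefik.containo.us/v1alpha1` is the legacy API group; if the k3s-bundled Traefik is v3 this object is ignored, so `traefik.io/v1alpha1` is the safer choice — confirm the Traefik version. The LAPI URL is plain `http://` inside the cluster, which is acceptable only if pod-to-pod traffic is otherwise trusted; a comment stating that assumption would help.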
diff --git a/traefik/middleware-local-ip-filter.yaml b/traefik/middleware-local-ip-filter.yaml new file mode 100644 index 0000000..dbf1bd7 --- /dev/null +++ b/traefik/middleware-local-ip-filter.yaml @@ -0,0 +1,11 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: localipfilter + namespace: kube-system +spec: + ipWhiteList: + sourceRange: + - 192.168.0.0/24 + - 172.16.0.0/16 + - 10.0.0.0/8 diff --git a/traefik/traefik-config.yaml b/traefik/traefik-config.yaml index 7ecb60f..1ffb32b 100644 --- a/traefik/traefik-config.yaml +++ b/traefik/traefik-config.yaml @@ -69,32 +69,12 @@ spec: size: 1Gi storageClass: longhorn path: /data - extraObjects: - - apiVersion: traefik.containo.us/v1alpha1 - kind: Middleware - metadata: - name: localipfilter - namespace: kube-system - spec: - ipWhiteList: - sourceRange: - - 192.168.0.0/24 - - 172.16.0.0/16 - - 10.0.0.0/8 - - apiVersion: traefik.containo.us/v1alpha1 - kind: Middleware - metadata: - name: adminbasicauth - namespace: kube-system - spec: - basicAuth: - secret: adminbasicauthsecret - experimental: - plugins: - crowdsec-bouncer-traefik-plugin: - moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin - version: v1.4.6 - additionalArguments: - - "--providers.kubernetescrd" - - "--entrypoints.web.http.middlewares=crowdsec-bouncer@kubernetescrd" - - "--entrypoints.websecure.http.middlewares=internal-crowdsec-bouncer@kubernetescrd" + #experimental: + # plugins: + # crowdsec-bouncer-traefik-plugin: + # moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin + # version: v1.4.6 + #additionalArguments: + # - "--providers.kubernetescrd" + # - "--entrypoints.web.http.middlewares=crowdsec-bouncer@kubernetescrd" + # - "--entrypoints.websecure.http.middlewares=kube-system-crowdsec-bouncer@kubernetescrd" -- 2.49.1 From e02449645b750e487a4e754b928e4e26cd8aa338 Mon Sep 17 00:00:00 2001 
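Review bot: With the plugin and `additionalArguments` commented out, `web` and `websecure` now run with no entrypoint middleware at all, while the `CROWDSEC_BOUNCER_API_KEY` env entry earlier in this file (outside this hunk) and the `crowdsec-bouncer` Middleware object stay deployed — dead secret material on the Traefik pod; either drop the env entry too or leave a comment stating why it remains. When this is re-enabled, the `web` line still references `crowdsec-bouncer@kubernetescrd` while the `websecure` line was corrected to `kube-system-crowdsec-bouncer@kubernetescrd`; the kubernetescrd provider names middlewares `<namespace>-<name>`, so the un-prefixed reference would presumably fail to resolve and break every router on `web` — fix it now so the commented block is correct when uncommented, `# - "--entrypoints.web.http.middlewares=kube-system-crowdsec-bouncer@kubernetescrd"`. Commented-out configuration is best marked with its reason, e.g. `# TODO(crowdsec): re-enable once the LAPI key is mounted into the pod`, so a reader knows the disabled state is deliberate.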
From: Timo Behrendt Date: Sun, 28 Dec 2025 10:16:31 +0100 Subject: [PATCH 7/7] fix: basic auth secret --- .gitea/workflows/deploy.yaml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml index 6d25707..8f33639 100644 --- a/.gitea/workflows/deploy.yaml +++ b/.gitea/workflows/deploy.yaml @@ -89,12 +89,10 @@ jobs: with: namespace: kube-system secret-name: admin-basic-auth-credentials - secret-type: generic - data: | - { - "username": "bmV0YWRtaW4=", - "password": "${{ secrets.ADMIN_BASIC_AUTH_PASSWORD }}" - } + secret-type: "kubernetes.io/basic-auth" + string-data: | + username: netadmin + password: "${{ secrets.ADMIN_BASIC_AUTH_PASSWORD }}" - name: Set crowdsec bouncer api key uses: azure/k8s-create-secret@6e0ba8047235646753f2a3a3b359b4d0006ff218 # v5 with: -- 2.49.1
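Review bot: `string-data` is documented by `azure/k8s-create-secret` as a JSON object, the same shape as `data`, but the new value is a YAML-style block (`username: netadmin` / `password: "…"`), which the action will presumably fail to parse as JSON — write it as `string-data: '{ "username": "netadmin", "password": "${{ secrets.ADMIN_BASIC_AUTH_PASSWORD }}" }'` and verify against the action's README. The switch to `kubernetes.io/basic-auth` with `username`/`password` keys matches what Traefik's basicAuth middleware accepts, so the rest of the change is sound. A password containing `"` or `\` still breaks the interpolated JSON; constrain the CI secret accordingly or keep the base64 `data` form for that value.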