Update traefik deployment + add crowdsec bouncer

2022-06-05 11:27:24 +02:00 · 2022-06-05 11:27:24 +02:00 · 6def4562ad
commit 6def4562ad
parent 736ac64ff0
4 changed files with 46 additions and 10 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,5 +1,5 @@
 my_context: kubernetes
-traefik_version: "2.6.1"
+traefik_version: "2.7.0"
 cluster_domain: "local"
 traefik_namespace: "traefik"
 traefik_service_type: LoadBalancer
@ -12,11 +12,14 @@ traefik_service_type: LoadBalancer
 traefik_cpu_limit: 500m
 traefik_memory_limit: 300Mi
 traefik_entrypoints: []
-#    - { name: "http", port: 8000, proto: "TCP", hostport: 80 }
-#    - { name: "https", port: 4443, proto: "TCP", hostport: 443, tls: true }
+#    - { name: "http", port: 8000, proto: "TCP", hostport: 80 middlewares: ["{{ traefik_namespace }}-crowdsec-traefik-bouncer@kubernetescrd"] }
+#    - { name: "https", port: 4443, proto: "TCP", hostport: 443, tls: true middlewares: ["{{ traefik_namespace }}-crowdsec-traefik-bouncer@kubernetescrd"] }
 #    - { name: "traefik", port: 8080, proto: "TCP" }
 #traefik_external_ips: []
 #   - 1.2.3.4

 basic_auth: false
-#traefik_dashboard_certificate: wildcard-cluster
+#traefik_dashboard_certificate: wildcard-cluster
+
+crowdsec_namespace: "crowdsec"
+crowdsec_traefik_bouncer_chart_version: "0.1.0"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -45,6 +45,31 @@
    when:
      - traefik_node_selector is defined

+  - name: Deploy latest version of CrowdSec Traefik bouncer
+    kubernetes.core.helm:
+      context: "{{ my_context }}"
+      name: crowdsec-traefik-bouncer
+      release_namespace: "{{ traefik_namespace }}"
+      create_namespace: yes
+      chart_ref: crowdsec/crowdsec-traefik-bouncer
+      chart_version: "{{ crowdsec_traefik_bouncer_chart_version }}"
+      values:
+        bouncer:
+          crowdsec_bouncer_api_key: "{{ traefik_crowdsec_bouncer_apikey }}"
+          crowdsec_agent_host: "crowdsec-service.{{ crowdsec_namespace }}.svc.cluster.local:8080"
+        replicaCount: 1
+        podSecurityContext:
+          fsGroup: 2000
+        securityContext:
+          capabilities:
+            drop:
+              - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 1000
+    when:
+      - traefik_crowdsec_bouncer_apikey is defined
+
 #  - name: Get Deployment information object
 #    k8s_info:
 #      context: "{{ my_context }}"
--- a/templates/traefik-cm.yml.j2
+++ b/templates/traefik-cm.yml.j2
@ -19,6 +19,7 @@ data:
    #        - auth@file
    #        - secure_headers@file
    #        - crowdsec-bouncer@file
+    #        - {{ traefik_namespace }}-crowdsec-traefik-bouncer@kubernetescrd
          redirections:
            entryPoint:
              to: websecure
@ -37,10 +38,18 @@ data:
 {% for traefik_entrypoint in traefik_entrypoints %}
      {{ traefik_entrypoint.name }}:
        address: :{{ traefik_entrypoint.port }}
-{% if traefik_entrypoint.tls is defined and traefik_entrypoint.tls|bool %}
+{% if traefik_entrypoint.tls is defined or traefik_entrypoint.middlewares is defined %}
        http:
+{% if traefik_entrypoint.middlewares is defined %}
+          middlewares:
+{% for middleware in traefik_entrypoint.middlewares %}
+            - {{ middleware }}
+{% endfor %}
+{% endif %}
+{% if traefik_entrypoint.tls is defined and traefik_entrypoint.tls|bool %}
          tls: {}
 {% endif %}
+{% endif %}
 {% endfor %}
    providers:
      kubernetesCRD:
--- a/templates/traefik-files.yml.j2
+++ b/templates/traefik-files.yml.j2
@ -7,14 +7,14 @@ data:
  traefik-middlewares.yaml: |
    http:
      middlewares:
-        test_chain:
+        min_security:
          chain:
            middlewares:
-              - rate-limit
              - security_headers
 {% if ingress_whitelist is defined %}
              - traefik-ipwhitelist
 {% endif %}
+              - rate-limit
              - compress
 {% if basic_auth|bool %}
              - basic-auth
@ -41,9 +41,8 @@ data:
            stsPreload: true
            customFrameOptionsValue: "SAMEORIGIN"
            referrerPolicy: "same-origin"
-            featurePolicy: "vibrate 'self'"
+            permissionsPolicy: "vibrate 'self'"
            stsSeconds: 315360000
-            sslRedirect: true
            contentSecurityPolicy: "default-src 'self' 'unsafe-inline'"
    #        customResponseHeaders:
    #          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
@ -84,7 +83,7 @@ data:
              - "Remote-Email"
        crowdsec-bouncer:
          forwardAuth:
-            address: "http://crowdsec-traefik-bouncer:8080/api/v1/forwardAuth
+            address: "http://crowdsec-traefik-bouncer-service/api/v1/forwardAuth"
            trustForwardHeader: true

  traefik-tls-defaults-options.yaml: |