diff --git a/charts/enterprise/traefik/Chart.yaml b/charts/enterprise/traefik/Chart.yaml index 85535aa41d7..39554aa307f 100644 --- a/charts/enterprise/traefik/Chart.yaml +++ b/charts/enterprise/traefik/Chart.yaml @@ -36,4 +36,4 @@ sources: - https://github.com/truecharts/charts/tree/master/charts/enterprise/traefik - https://github.com/truecharts/containers/tree/master/apps/traefik type: application -version: 26.3.0 +version: 26.4.0 diff --git a/charts/enterprise/traefik/templates/_args.tpl b/charts/enterprise/traefik/templates/_args.tpl index 06e39a46890..28187f41985 100644 --- a/charts/enterprise/traefik/templates/_args.tpl +++ b/charts/enterprise/traefik/templates/_args.tpl @@ -180,6 +180,10 @@ args: {{- if .Values.middlewares.modsecurity }} - "--experimental.localPlugins.traefik-modsecurity-plugin.modulename=github.com/acouvreur/traefik-modsecurity-plugin" {{- end }} + {{/* CrowdsecBouncer */}} + {{- if .Values.middlewares.crowdsecBouncer }} + - "--experimental.localPlugins.crowdsec-bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin" + {{- end }} {{/* End of ModSecurity */}} {{/* RewriteResponseHeaders */}} {{- if .Values.middlewares.rewriteResponseHeaders }} diff --git a/charts/enterprise/traefik/templates/middlewares/crowdsecBouncer.yaml b/charts/enterprise/traefik/templates/middlewares/crowdsecBouncer.yaml new file mode 100644 index 00000000000..d4019236bf1 --- /dev/null +++ b/charts/enterprise/traefik/templates/middlewares/crowdsecBouncer.yaml @@ -0,0 +1,112 @@ +{{- range $index, $middlewareData := .Values.middlewares.crowdsecBouncer }} +--- +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }} + namespace: {{ $.Release.Namespace }} +spec: + plugin: + bouncer: + {{- with $middlewareData.enabled -}} + enabled: {{ . }} + {{- end -}} + {{- with $middlewareData.logLevel -}} + logLevel: {{ . }} + {{- end -}} + {{- with $middlewareData.updateIntervalSeconds -}} + updateIntervalSeconds: {{ . }} + {{- end -}} + {{- with $middlewareData.defaultDecisionSeconds -}} + defaultDecisionSeconds: {{ . }} + {{- end -}} + {{- with $middlewareData.httpTimeoutSeconds -}} + httpTimeoutSeconds: {{ . }} + {{- end -}} + {{- with $middlewareData.crowdsecMode -}} + crowdsecMode: {{ . }} + {{- end -}} + {{- with $middlewareData.crowdsecAppsecEnabled -}} + crowdsecAppsecEnabled: {{ . }} + {{- end -}} + {{- with $middlewareData.crowdsecAppsecHost -}} + crowdsecAppsecHost: {{ . }} + {{- end -}} + {{- with $middlewareData.crowdsecAppsecFailureBlock -}} + crowdsecAppsecFailureBlock: {{ . }} + {{- end -}} + {{- with $middlewareData.crowdsecLapiKey -}} + crowdsecLapiKey: {{ . }} + {{- end -}} + {{- with $middlewareData.crowdsecLapiKeyFile -}} + crowdsecLapiKeyFile: {{ . }} + {{- end -}} + {{- with $middlewareData.crowdsecLapiHost -}} + crowdsecLapiHost: {{ . }} + {{- end -}} + {{- with $middlewareData.crowdsecLapiScheme -}} + crowdsecLapiScheme: {{ . }} + {{- end -}} + {{- with $middlewareData.crowdsecLapiTLSInsecureVerify -}} + crowdsecLapiTLSInsecureVerify: {{ . }} + {{- end -}} + {{- with $middlewareData.crowdsecCapiMachineId -}} + crowdsecCapiMachineId: {{ . }} + {{- end -}} + {{- with $middlewareData.crowdsecCapiPassword -}} + crowdsecCapiPassword: {{ . }} + {{- end -}} + {{- if $middlewareData.crowdsecCapiScenarios -}} + crowdsecCapiScenarios: + {{- range $middlewareData.crowdsecCapiScenarios -}} + - {{ . }} + {{- end -}} + {{- end -}} + {{- if $middlewareData.forwardedHeadersTrustedIPs -}} + forwardedHeadersTrustedIPs: + {{- range $middlewareData.forwardedHeadersTrustedIPs -}} + - {{ . }} + {{- end -}} + {{- end -}} + {{- if $middlewareData.clientTrustedIPs -}} + clientTrustedIPs: + {{- range $middlewareData.clientTrustedIPs -}} + - {{ . }} + {{- end -}} + {{- end -}} + {{- with $middlewareData.forwardedHeadersCustomName -}} + forwardedHeadersCustomName: {{ . }} + {{- end -}} + {{- with $middlewareData.redisCacheEnabled -}} + redisCacheEnabled: {{ . }} + {{- end -}} + {{- with $middlewareData.redisCacheHost -}} + redisCacheHost: {{ . }} + {{- end -}} + {{- with $middlewareData.redisCachePassword -}} + redisCachePassword: {{ . }} + {{- end -}} + {{- with $middlewareData.redisCacheDatabase -}} + redisCacheDatabase: {{ . }} + {{- end -}} + {{- with $middlewareData.crowdsecLapiTLSCertificateAuthority -}} + crowdsecLapiTLSCertificateAuthority: {{ . }} + {{- end -}} + {{- with $middlewareData.crowdsecLapiTLSCertificateAuthorityFile -}} + crowdsecLapiTLSCertificateAuthorityFile: {{ . }} + {{- end -}} + {{- with $middlewareData.crowdsecLapiTLSCertificateBouncer -}} + crowdsecLapiTLSCertificateBouncer: {{ . }} + {{- end -}} + {{- with $middlewareData.crowdsecLapiTLSCertificateBouncerFile -}} + crowdsecLapiTLSCertificateBouncerFile: {{ . }} + {{- end -}} + {{- with $middlewareData.crowdsecLapiTLSCertificateBouncerKey -}} + crowdsecLapiTLSCertificateBouncerKey: {{ . }} + {{- end -}} + {{- with $middlewareData.crowdsecLapiTLSCertificateBouncerKeyFile -}} + crowdsecLapiTLSCertificateBouncerKeyFile: {{ . }} + {{- end -}} + + +{{- end -}} diff --git a/charts/enterprise/traefik/values.yaml b/charts/enterprise/traefik/values.yaml index 07c94508820..a79b9b93c3d 100644 --- a/charts/enterprise/traefik/values.yaml +++ b/charts/enterprise/traefik/values.yaml @@ -193,6 +193,7 @@ service: enabled: true port: 80 protocol: http + externalTrafficPolicy: local redirectTo: websecure # Options: Empty, 0 (ingore), or positive int # redirectPort: @@ -214,6 +215,7 @@ service: enabled: true port: 443 protocol: https + externalTrafficPolicy: local # -- Configure (Forwarded Headers)[https://doc.traefik.io/traefik/routing/entrypoints/#forwarded-headers] Support forwardedHeaders: enabled: false @@ -436,6 +438,44 @@ middlewares: # modSecurityUrl: modSecurity container URL # timeoutMillis: Configurated timeout # maxBodySize: maxBodySize + crowdsecBouncer: [] + # - name: modsecurityName + # enabled: false + # logLevel: DEBUG + # updateIntervalSeconds: 60 + # defaultDecisionSeconds: 60 + # httpTimeoutSeconds: 10 + # crowdsecMode: live + # crowdsecAppsecEnabled: false + # crowdsecAppsecHost: crowdsec:7422 + # crowdsecAppsecFailureBlock: true + # crowdsecLapiKey: privateKey-foo + # crowdsecLapiKeyFile: /etc/traefik/cs-privateKey-foo + # crowdsecLapiHost: crowdsec:8080 + # crowdsecLapiScheme: http + # crowdsecLapiTLSInsecureVerify: false + # crowdsecCapiMachineId: login + # crowdsecCapiPassword: password + # crowdsecCapiScenarios: + # - crowdsecurity/http-path-traversal-probing + # - crowdsecurity/http-xss-probing + # - crowdsecurity/http-generic-bf + # forwardedHeadersTrustedIPs: + # - 10.0.10.23/32 + # - 10.0.20.0/24 + # clientTrustedIPs: + # - 192.168.1.0/24 + # forwardedHeadersCustomName: X-Custom-Header + # redisCacheEnabled: false + # redisCacheHost: "redis:6379" + # redisCachePassword: password + # redisCacheDatabase: "5" + # crowdsecLapiTLSCertificateAuthority: |- + # crowdsecLapiTLSCertificateAuthorityFile: /etc/traefik/crowdsec-certs/ca.pem + # crowdsecLapiTLSCertificateBouncer: |- + # crowdsecLapiTLSCertificateBouncerFile: /etc/traefik/crowdsec-certs/bouncer.pem + # crowdsecLapiTLSCertificateBouncerKey: |- + # crowdsecLapiTLSCertificateBouncerKeyFile: /etc/traefik/crowdsec-certs/bouncer-key.pem ## Note: body of every request will be buffered in memory while the request is in-flight ## (i.e.: during the security check and during the request processing by traefik and the backend), ## so you may want to tune maxBodySize depending on how much RAM you have. @@ -446,6 +486,12 @@ persistence: enabled: true mountPath: "/plugins-storage" type: emptyDir + crowdsec-bouncer-tls: + enabled: "{{ if .Values.middlewares.crowdsecBouncer }}true{{ else }}false{{ end }}" + mountPath: "/etc/traefik/crowdsec-certs" + type: secret + expandObjectName: false + objectName: crowdsec-bouncer-tls portal: open: enabled: true