- Add Traefik plugin via HelmChartConfig (crowdsec-bouncer-traefik-plugin) - Create bouncer Middleware in stream mode - Apply bouncer to all public ingresses - IPs flagged by CrowdSec will now be blocked at Traefik level
---
|
|
apiVersion: source.toolkit.fluxcd.io/v1
|
|
kind: HelmRepository
|
|
metadata:
|
|
name: vaultwarden
|
|
namespace: flux-system
|
|
spec:
|
|
interval: 1h
|
|
url: https://guerzon.github.io/vaultwarden/
|
|
---
|
|
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
name: vaultwarden
|
|
---
|
|
apiVersion: helm.toolkit.fluxcd.io/v2
|
|
kind: HelmRelease
|
|
metadata:
|
|
name: vaultwarden
|
|
namespace: flux-system
|
|
spec:
|
|
interval: 1h
|
|
targetNamespace: vaultwarden
|
|
install:
|
|
createNamespace: true
|
|
chart:
|
|
spec:
|
|
chart: vaultwarden
|
|
sourceRef:
|
|
kind: HelmRepository
|
|
name: vaultwarden
|
|
interval: 1h
|
|
valuesFrom:
|
|
- kind: Secret
|
|
name: vaultwarden-admin
|
|
valuesKey: ADMIN_TOKEN
|
|
targetPath: adminToken.value
|
|
values:
|
|
domain: "https://vault.davidepiu.xyz"
|
|
signupsAllowed: false
|
|
invitationsAllowed: false
|
|
ingress:
|
|
enabled: true
|
|
class: traefik
|
|
nginxIngressAnnotations: false
|
|
additionalAnnotations:
|
|
cert-manager.io/cluster-issuer: letsencrypt-prod
|
|
traefik.ingress.kubernetes.io/router.middlewares: default-crowdsec-bouncer@kubernetescrd,default-redirect-https@kubernetescrd
|
|
hostname: vault.davidepiu.xyz
|
|
tls: true
|
|
tlsSecret: vaultwarden-tls
|
|
data:
|
|
name: vaultwarden-data
|
|
size: 5Gi
|
|
resources:
|
|
requests:
|
|
cpu: 10m
|
|
memory: 64Mi
|
|
limits:
|
|
cpu: 200m
|
|
memory: 128Mi
|
|
---
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: allow-ingress-from-traefik
|
|
namespace: vaultwarden
|
|
spec:
|
|
podSelector: {}
|
|
policyTypes:
|
|
- Ingress
|
|
ingress:
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
kubernetes.io/metadata.name: kube-system
|
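Review bot: The NetworkPolicy at the end of the file (allow-ingress-from-traefik) admits every pod in kube-system on every port, not only Traefik: its single `from` entry is a bare namespaceSelector with no podSelector and no `ports` list, so any workload that lands in that namespace later can reach the Vaultwarden pods directly, bypassing the CrowdSec bouncer middleware the rest of this commit sets up. Tightening the rule to the Traefik pods and the Vaultwarden container port keeps the "blocked at Traefik level" guarantee from the commit message honest. The exact pod label and port are not visible here, so they are left as placeholders below. Separately, the middleware annotation on the Ingress refers to `default-crowdsec-bouncer@kubernetescrd` while the chart renders the Ingress into the vaultwarden namespace; if the Traefik CRD provider is not configured to allow cross-namespace references the router would fail to resolve the middleware, which is worth confirming on the Traefik side.

```yaml
# … unchanged: HelmRepository, Namespace, HelmRelease documents …
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              app.kubernetes.io/name: TRAEFIK_POD_LABEL_VALUE  # placeholder: the label set on the Traefik pods
      ports:
        - protocol: TCP
          port: VAULTWARDEN_CONTAINER_PORT  # placeholder: the chart's container port
```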