improve nginx ingress documentation (#1079)

* improve nginx ingress documentation
* updating for secrets
* update
* add a small warning

Author: sabban

crowdsec-docs/docs/appsec/quickstart/nginx-ingress.mdx

@@ -58,6 +58,28 @@ If CrowdSec is already deployed with Helm in this cluster, the repository entry
 
 ### Update CrowdSec configuration
 
+Store the nginx bouncer key in a Kubernetes secret, following the same pattern
+used by the Envoy quickstart.
+
+Create or update the secret used by CrowdSec LAPI:
+
+```yaml title="crowdsec-keys.yaml"
+apiVersion: v1
+kind: Secret
+metadata:
+  name: crowdsec-keys
+  namespace: crowdsec
+type: Opaque
+stringData:
+  BOUNCER_KEY_nginx_ingress_waf: "<choose-a-long-random-key>"
+```
+
+Apply it:
+
+```bash
+kubectl apply -f crowdsec-keys.yaml
+```
+
 Add this to the CrowdSec `values.yaml` with the AppSec acquisition datasource (see the [AppSec datasource](/log_processor/data_sources/appsec.md)) and the default [AppSec configuration](/appsec/configuration.md):
 
 ```yaml title="values.yaml"
@@ -74,13 +96,42 @@ appsec:
   env:
     - name: COLLECTIONS
       value: crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules
+lapi:
+  env:
+    - name: BOUNCER_KEY_nginx_ingress_waf
+      valueFrom:
+        secretKeyRef:
+          name: crowdsec-keys
+          key: BOUNCER_KEY_nginx_ingress_waf
+```
+
+:::warning
+The Helm chart still enables the CrowdSec agent by default. If you do not want
+the agent, disable it explicitly.
+:::
+
+<details>
+<summary>Snippet to disable the agent</summary>
+
+```yaml title="values.yaml"
+agent:
+  enabled: false
 ```
 
+</details>
+
+:::note
+Although this is the same bouncer key value, you need two `Secret` objects here:
+one in `crowdsec` and one in `ingress-nginx`. Kubernetes secrets are
+namespace-scoped, so the ingress controller cannot read a secret from the
+`crowdsec` namespace.
+:::
+
 This YAML configuration snippet exposes the important configuration items:
      * `listen_addr: 0.0.0.0:7422` exposes the AppSec API inside the cluster.
      * `appsec_configs` loads the [AppSec configuration(s)](/appsec/configuration.md) that define which rules are evaluated (in-band vs out-of-band).
      * The two collections provide virtual patching and generic rule coverage.
-     * The chart bootstraps a bouncer named `nginx_ingress_waf` using the key you export locally.
+     * `lapi.env` forces the `nginx_ingress_waf` bouncer key from the `crowdsec-keys` Secret.
 
 And now we apply the new configuration with:
 
@@ -98,6 +149,26 @@ You should see `crowdsec-agent` pods, the `crowdsec-lapi` pod and the `crowdsec-
 
 ## Enable the CrowdSec Lua plugin on NGINX Ingress
 
+Create the secret holding the same CrowdSec bouncer key in the
+`ingress-nginx` namespace:
+
+```yaml title="crowdsec-ingress-bouncer-secret.yaml"
+apiVersion: v1
+kind: Secret
+metadata:
+  name: crowdsec-ingress-bouncer-secrets
+  namespace: ingress-nginx
+type: Opaque
+stringData:
+  api-key: "<same-value-as-BOUNCER_KEY_nginx_ingress_waf>"
+```
+
+Apply it:
+
+```bash
+kubectl apply -f crowdsec-ingress-bouncer-secret.yaml
+```
+
 To extend the ingress controller with the CrowdSec plugin and point it to the
 AppSec API, create the file named `ingress-values.yaml`. You can read the entire
 file in the snippet below.
@@ -107,8 +178,8 @@ controller:
   image:
     registry: docker.io
     image: crowdsecurity/controller
-    tag: v1.13.2
-    digest: sha256:4575be24781cad35f8e58437db6a3f492df2a3167fed2b6759a6ff0dc3488d56
+    tag: v1.14.3
+    digest: sha256:9ab8791635f4cde9964ab2562fb8b15faf72fe0205f0fe288089a87e1455675d
   extraVolumes:
     - name: crowdsec-bouncer-plugin
       emptyDir: {}
@@ -120,7 +191,10 @@ controller:
         - name: API_URL
           value: "http://crowdsec-service.crowdsec.svc.cluster.local:8080"
         - name: API_KEY
-          value: privateKey-foo
+          valueFrom:
+            secretKeyRef:
+              name: crowdsec-ingress-bouncer-secrets
+              key: api-key
         - name: BOUNCER_CONFIG
           value: "/crowdsec/crowdsec-bouncer.conf"
         - name: APPSEC_URL
@@ -153,13 +227,13 @@ controller:
     plugins: "crowdsec"
     lua-shared-dicts: "crowdsec_cache: 50m"
     server-snippet: |
-      lua_ssl_trusted_certificate "/etc/ssl/certs/ca-certificates.crt"
+      lua_ssl_trusted_certificate "/etc/ssl/certs/ca-certificates.crt";
       resolver local=on ipv6=off;
 ```
 
 
 - `API_URL` targets the Local API service exposed by the Helm chart.
-- `API_KEY` defines the key for the bouncer to be able to connect to CrowdSec LAPI
+- `API_KEY` is read from the `crowdsec-ingress-bouncer-secrets` Secret in the `ingress-nginx` namespace.
 - `APPSEC_URL` points to the AppSec service; keep the namespace in sync with your CrowdSec release.
 - The plugin copies the Lua files from the init container into an `emptyDir` that is mounted at runtime.
 
@@ -184,8 +258,8 @@ controller:
   image:
     registry: docker.io
     image: crowdsecurity/controller
-    tag: v1.13.2
-    digest: sha256:...
+    tag: v1.14.3
+    digest: sha256:9ab8791635f4cde9964ab2562fb8b15faf72fe0205f0fe288089a87e1455675d
 ```
 
 The controller image is replaced with a CrowdSec-enabled build that includes the
@@ -212,7 +286,10 @@ extraInitContainers:
       - name: API_URL
         value: "http://crowdsec-service.crowdsec.svc.cluster.local:8080"
       - name: API_KEY
-        value: privateKey-foo
+        valueFrom:
+          secretKeyRef:
+            name: crowdsec-ingress-bouncer-secrets
+            key: api-key
       - name: BOUNCER_CONFIG
         value: "/crowdsec/crowdsec-bouncer.conf"
       - name: APPSEC_URL

crowdsec-docs/unversioned/bouncers/ingress-nginx.mdx

@@ -57,6 +57,66 @@ The Ingress nginx controller should be installed using the [official helm chart]
 
 First you need to create new ingress-nginx chart values file (`crowdsec-ingress-values.yaml`) to upgrade the ingress controller with the crowdsec plugin.
 
+Store the CrowdSec bouncer key in Kubernetes Secrets instead of embedding it
+directly in the Helm values.
+
+Create or update the secret used by CrowdSec LAPI:
+
+```yaml title="crowdsec-keys.yaml"
+apiVersion: v1
+kind: Secret
+metadata:
+  name: crowdsec-keys
+  namespace: crowdsec
+type: Opaque
+stringData:
+  BOUNCER_KEY_nginx_ingress_waf: "<choose-a-long-random-key>"
+```
+
+Apply it:
+
+```bash
+kubectl apply -f crowdsec-keys.yaml
+```
+
+Then reference it from your CrowdSec values:
+
+```yaml title="crowdsec-values.yaml"
+lapi:
+  env:
+    - name: BOUNCER_KEY_nginx_ingress_waf
+      valueFrom:
+        secretKeyRef:
+          name: crowdsec-keys
+          key: BOUNCER_KEY_nginx_ingress_waf
+```
+
+:::note
+Although this is the same bouncer key value, you need two `Secret` objects here:
+one in `crowdsec` and one in `ingress-nginx`. Kubernetes secrets are
+namespace-scoped, so the ingress controller cannot read a secret from the
+`crowdsec` namespace.
+:::
+
+Create the secret holding the same key in the `ingress-nginx` namespace:
+
+```yaml title="crowdsec-ingress-bouncer-secret.yaml"
+apiVersion: v1
+kind: Secret
+metadata:
+  name: crowdsec-ingress-bouncer-secrets
+  namespace: ingress-nginx
+type: Opaque
+stringData:
+  api-key: "<choose-a-long-random-key>"
+```
+
+Apply it:
+
+```bash
+kubectl apply -f crowdsec-ingress-bouncer-secret.yaml
+```
+
 :::warning
 
 Lua support has been removed from mainline ingress nginx in version 1.12. As
@@ -70,9 +130,9 @@ controller:
     PullPolicy: IfNotPresent
     image: crowdsecurity/controller
     # Crowdsec Remediation with Ingress Nginx requires to use our controller image
-    tag: v1.13.2
+    tag: v1.14.3
     # If you update the tag, the digest needs to be updated as well
-    digest: sha256:4575be24781cad35f8e58437db6a3f492df2a3167fed2b6759a6ff0dc3488d56
+    digest: sha256:9ab8791635f4cde9964ab2562fb8b15faf72fe0205f0fe288089a87e1455675d
     registry: docker.io
   extraVolumes:
     - name: crowdsec-bouncer-plugin
@@ -85,7 +145,10 @@ controller:
         - name: API_URL
           value: "http://crowdsec-service.crowdsec.svc.cluster.local:8080" # crowdsec lapi service-name
         - name: API_KEY
-          value: "<API KEY>" # generated with `cscli bouncers add <bouncer_name>
+          valueFrom:
+            secretKeyRef:
+              name: crowdsec-ingress-bouncer-secrets
+              key: api-key
         - name: BOUNCER_CONFIG
           value: "/crowdsec/crowdsec-bouncer.conf"
         - name: CAPTCHA_PROVIDER
@@ -133,36 +196,19 @@ controller:
       resolver local=on ipv6=off;
 ```
 
-<details>
-    <summary>You already have a deployed ingress nginx</summary>
-
-This values.yaml upgrade your ingress deployment to add crowdsec lua lib as a
-plugin and run with the crowdsec maintained nginx ingress controller with lua
-support. It uses [this docker
+Use this values file to deploy or upgrade ingress-nginx with the CrowdSec Lua
+plugin and the CrowdSec-maintained ingress controller image with Lua support.
+It uses [this docker
 image](https://hub.docker.com/r/crowdsecurity/lua-bouncer-plugin) to copy the
-crowdsec lua library. You can upgrade the ingress-nginx using this `crowdsec-ingress-values.yaml`
+CrowdSec Lua library.
 
 ```bash
-helm -n ingress-nginx upgrade -f ingress-nginx-values.yaml -f crowdsec-ingress-values.yaml ingress-nginx/ingress-nginx
+helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx \
+  -n ingress-nginx \
+  --create-namespace \
+  -f crowdsec-ingress-values.yaml
 ```
 
-</details>
-
-<details>
-    <summary>You don't have a deployed ingress nginx</summary>
-
-This values.yaml install your ingress deployment to add crowdsec lua lib as a
-plugin and run with the crowdsec maintained nginx ingress controller with lua
-support. It uses [this docker
-image](https://hub.docker.com/r/crowdsecurity/lua-bouncer-plugin) to copy the
-crowdsec lua library. You can install the ingress-nginx using this `crowdsec-ingress-values.yaml`
-
-```bash
-helm -n ingress-nginx install -f crowdsec-ingress-values.yaml ingress-nginx ingress-nginx/ingress-nginx
-```
-
-</details>
-
 And then check if the ingress controller is running well.
 
 ```bash