Commit f1a95b9

improve secret management
1 parent f341d80 commit f1a95b9

1 file changed

Lines changed: 66 additions & 2 deletions

File tree

crowdsec-docs/docs/appsec/quickstart/traefik.mdx

@@ -340,8 +340,72 @@ Instead if you define the configuration using labels on the containers you can a
340340
```
341341
</TabItem>
342342
<TabItem value="kubernetes">
343-
For Kubernetes, keep the Traefik bouncer key in a `Secret`, mount it into the
344-
Traefik pod, and reference it with `crowdsecLapiKeyFile`.
343+
For Kubernetes, use the same secret management pattern as in the [Traefik
344+
bouncer setup](/u/bouncers/traefik#store-the-traefik-bouncer-key-in-a-kubernetes-secret):
345+
store the shared bouncer key in Kubernetes secrets and reference it from both
346+
CrowdSec and Traefik.
347+
348+
Two secrets are needed because CrowdSec and Traefik run in different
349+
namespaces:
350+
351+
- In the `crowdsec` namespace, CrowdSec LAPI reads `BOUNCER_KEY_traefik` from
352+
the `crowdsec-keys` secret.
353+
- In the `traefik` namespace, Traefik mounts the same key from the
354+
`crowdsec-bouncer-key` secret as a file.
355+
356+
Both secrets must contain the same `BOUNCER_KEY_traefik` value. If you already
357+
created them for the base bouncer setup, you can reuse them here.
358+
359+
Create or update the secrets:
360+
361+
```yaml title="crowdsec-keys.yaml"
362+
apiVersion: v1
363+
kind: Secret
364+
metadata:
365+
name: crowdsec-keys
366+
namespace: crowdsec
367+
type: Opaque
368+
stringData:
369+
ENROLL_KEY: "<your-existing-enroll-key>"
370+
BOUNCER_KEY_traefik: "<your-shared-traefik-bouncer-key>"
371+
---
372+
apiVersion: v1
373+
kind: Secret
374+
metadata:
375+
name: crowdsec-bouncer-key
376+
namespace: traefik
377+
type: Opaque
378+
stringData:
379+
BOUNCER_KEY_traefik: "<your-shared-traefik-bouncer-key>"
380+
```
381+
382+
Apply it:
383+
384+
```bash
385+
kubectl apply -f crowdsec-keys.yaml
386+
```
387+
388+
Then make sure the CrowdSec Helm values reference `BOUNCER_KEY_traefik` from
389+
the `crowdsec-keys` secret:
390+
391+
```yaml title="crowdsec-values.yaml"
392+
lapi:
393+
env:
394+
- name: BOUNCER_KEY_traefik
395+
valueFrom:
396+
secretKeyRef:
397+
name: crowdsec-keys
398+
key: BOUNCER_KEY_traefik
399+
```
400+
401+
Apply the CrowdSec release again:
402+
403+
```bash
404+
helm upgrade --install crowdsec crowdsec/crowdsec --namespace crowdsec --create-namespace -f crowdsec-values.yaml
405+
```
406+
407+
Then configure Traefik to mount the `crowdsec-bouncer-key` secret and
408+
reference it with `crowdsecLapiKeyFile`.
345409

346410
Use a Traefik values file like this:
347411

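Review bot: the ordering in this hunk breaks on a fresh cluster: `kubectl apply -f crowdsec-keys.yaml` (line 385) creates Secrets in the `crowdsec` and `traefik` namespaces, but the only step that creates the `crowdsec` namespace (`helm upgrade --install ... --create-namespace`, line 404) runs afterwards, and nothing creates the `traefik` namespace at all, so the apply fails with a namespace-not-found error unless the reader already completed the base bouncer setup. Either state that both namespaces must exist as a prerequisite or add `kubectl create namespace crowdsec` / `kubectl create namespace traefik` before the apply. A second point on the same manifest: applying it replaces the whole `crowdsec-keys` Secret, so the `ENROLL_KEY: "<your-existing-enroll-key>"` placeholder must be filled with the real current value or the enroll key is silently overwritten with a placeholder string; a short sentence after line 357 warning about this, and advising that the filled-in file holds live credentials and should not be committed to a repository, would spare readers an outage.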