NGINX Ingress
Many thanks to Márk Sági-Kazár for the instructions below.

Prerequisites

  • Kubernetes cluster (I have one running on AWS)
  • Bucket (I'll use S3)
Note: the Kubernetes cluster should be large enough to run all dependencies (including ElasticSearch).

Prepare a bucket

On AWS, you can create a bucket using the AWS CLI:

```bash
# Use your bucket name
aws s3 mb s3://my-curiefense-test
```
Create a new user for Curiefense:

```bash
aws iam create-user --user-name my-curiefense-test
```
Create new credentials for the user:

```bash
aws iam create-access-key --user-name my-curiefense-test
```
Take note of the AccessKeyId and SecretAccessKey fields.
Create a policy.json file with the following content:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Sid0",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-curiefense-test/*"
    },
    {
      "Sid": "Sid1",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::my-curiefense-test"
    },
    {
      "Sid": "Sid2",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    }
  ]
}
```
Attach the policy to the user:

```bash
aws iam put-user-policy --user-name my-curiefense-test --policy-name CuriefenseS3Bucket --policy-document file://policy.json
```
Note: Do NOT use the above in production. Use IAM roles for service accounts instead.
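The policy above grants `s3:*` on every object in the bucket, which is far more than a configuration sync needs. As an added example (not part of the Curiefense docs or tooling), the following Python script reviews a policy document like policy.json for wildcard grants and produces a tightened copy. `S3_ACTIONS` is an illustrative subset of the S3 action catalogue and `EXPECTED_ACTIONS` is an assumption about what the sync and config components need; adjust both to your deployment.

```python
"""Least-privilege review of the IAM policy used for the Curiefense bucket.

Added example, not part of the Curiefense docs or tooling. It parses a policy
document like policy.json above, reports the grants a reviewer would question
before using it outside a throwaway cluster, and produces a tightened copy.
S3_ACTIONS is an illustrative subset of the real S3 action catalogue, and
EXPECTED_ACTIONS is an assumption about what the sync and config components need.
"""
import fnmatch
import json

# Constructed copy of the page's policy.json (same test bucket name).
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Sid0", "Effect": "Allow", "Action": "s3:*",
     "Resource": "arn:aws:s3:::my-curiefense-test/*"},
    {"Sid": "Sid1", "Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::my-curiefense-test"},
    {"Sid": "Sid2", "Effect": "Allow", "Action": ["s3:ListAllMyBuckets"],
     "Resource": "*"}
  ]
}
"""
POLICY = json.loads(POLICY_JSON)

# Illustrative subset of S3 actions; enough to show what "s3:*" sweeps in.
S3_ACTIONS = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
    "s3:ListBucket", "s3:ListAllMyBuckets", "s3:DeleteBucket",
    "s3:PutBucketPolicy", "s3:PutBucketAcl",
]

# Assumption: the components only fetch/publish manifests and list the bucket.
EXPECTED_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:ListBucket"}


def as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def expand_actions(patterns):
    """Expand IAM action patterns (case-insensitive, '*' wildcards) against S3_ACTIONS."""
    granted = set()
    for pattern in patterns:
        granted.update(a for a in S3_ACTIONS
                       if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return granted


def review_policy(doc):
    """Return findings as dicts with sid, kind and detail for every Allow statement."""
    findings = []
    for stmt in doc["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = as_list(stmt["Action"])
        resources = as_list(stmt["Resource"])
        if any("*" in a for a in actions):
            # Everything the wildcard grants beyond what the workload is expected to need.
            findings.append({"sid": sid, "kind": "wildcard-action",
                             "detail": sorted(expand_actions(actions) - EXPECTED_ACTIONS)})
        if "*" in resources:
            # s3:ListAllMyBuckets only accepts Resource "*"; the fix is to drop the
            # whole statement if no component actually enumerates buckets.
            findings.append({"sid": sid, "kind": "wildcard-resource", "detail": actions})
    return findings


def tighten(doc, object_actions=("s3:GetObject", "s3:PutObject")):
    """Return a copy with wildcard actions replaced by an explicit object-level list."""
    out = json.loads(json.dumps(doc))  # deep copy, leave the input untouched
    for stmt in out["Statement"]:
        if any("*" in a for a in as_list(stmt["Action"])):
            stmt["Action"] = list(object_actions)
    return out


if __name__ == "__main__":
    for f in review_policy(POLICY):
        print(f"{f['sid']}: {f['kind']} -> {f['detail']}")
    print(json.dumps(tighten(POLICY), indent=2))
```

Run it against the page's policy and `Sid0` is reported as a wildcard action that also grants deletes, ACL changes and bucket-policy writes, while `Sid2` is reported for its `*` resource. The tightened copy keeps only object read/write on the bucket prefix; whether `Sid2` can go depends on whether your tooling lists buckets, which this script cannot decide for you.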

Create a Curiefense namespace

Due to some limitations (for example, the syslog configuration in the nginx image), every component has to be installed in the same namespace.
Create a curiefense namespace:

```bash
kubectl create namespace curiefense
```

Install the Ingress Controller

Create a curiesync-secret.yaml file with the following content:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: curiesync
# stringData accepts plain text and the API server base64-encodes it into data;
# putting plain text directly under data is rejected on apply.
stringData:
  curiesync.env: |
    export CURIE_BUCKET_LINK=s3://my-curiefense-test/prod/manifest.json
    export CURIE_S3_ACCESS_KEY=YOUR_ACCESS_KEY_ID
    export CURIE_S3_SECRET_KEY=YOUR_SECRET_ACCESS_KEY
```

Create the secret:

```bash
kubectl -n curiefense apply -f curiesync-secret.yaml
```
Create a values.ingress.yaml file with the following content:

```yaml
controller:
  image:
    repository: curiefense/curiefense-nginx-ingress
    tag: e2bd0d43d9ecd7c6544a8457cf74ef1df85547c2

  volumes:
    - name: curiesync
      secret:
        secretName: curiesync

  volumeMounts:
    - name: curiesync
      mountPath: /etc/curiefense
```
If you don't already have the nginx-stable repo added to Helm, run the following commands:

```bash
helm repo add nginx-stable https://helm.nginx.com/stable
helm repo update
```

Install the ingress controller:

```bash
# This particular chart version installs the latest supported curiefense nginx ingress image
helm -n curiefense install --version 0.9.3 -f values.ingress.yaml ingress nginx-stable/nginx-ingress
```

Install Curiefense

Create an s3cfg-secret.yaml file with the following content:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: s3cfg
type: Opaque
stringData:
  s3cfg: |
    [default]
    access_key = YOUR_ACCESS_KEY_ID
    secret_key = YOUR_SECRET_ACCESS_KEY
```

Create the secret:

```bash
kubectl -n curiefense apply -f s3cfg-secret.yaml
```
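Both secrets above carry the same AWS credentials, and two mistakes are easy to make with them: leaving a YOUR_ACCESS_KEY_ID / YOUR_SECRET_ACCESS_KEY placeholder in place, and putting plain text under `data` (Kubernetes requires base64 there; plain text belongs under `stringData`). As an added example (not Curiefense's own tooling), the Python script below builds the curiesync and s3cfg manifests from one set of values, emits them as JSON (kubectl accepts JSON as well as YAML), and checks for both mistakes before you apply. The credential values are constructed placeholders.

```python
"""Build and sanity-check the curiesync and s3cfg Secret manifests.

Added example, not Curiefense's own tooling. It emits the manifests as JSON
(kubectl accepts JSON as well as YAML, which avoids a YAML dependency) and
checks two mistakes that are easy to make with the files above: plain text
under `data` (Kubernetes requires base64 there; plain text belongs under
`stringData`) and an unreplaced YOUR_ACCESS_KEY_ID / YOUR_SECRET_ACCESS_KEY
placeholder. The credential values are constructed placeholders.
"""
import base64
import binascii
import json

# Constructed placeholder credentials; real ones come from `aws iam create-access-key`.
ACCESS_KEY_ID = "AKIAEXAMPLE0000000000"
SECRET_ACCESS_KEY = "example/secret/access/key/value"
BUCKET_LINK = "s3://my-curiefense-test/prod/manifest.json"
PLACEHOLDERS = ("YOUR_ACCESS_KEY_ID", "YOUR_SECRET_ACCESS_KEY")


def curiesync_env():
    """Content of curiesync.env as mounted at /etc/curiefense."""
    return (f"export CURIE_BUCKET_LINK={BUCKET_LINK}\n"
            f"export CURIE_S3_ACCESS_KEY={ACCESS_KEY_ID}\n"
            f"export CURIE_S3_SECRET_KEY={SECRET_ACCESS_KEY}\n")


def s3cfg():
    """Content of the s3cfg file (s3cmd ini format)."""
    return f"[default]\naccess_key = {ACCESS_KEY_ID}\nsecret_key = {SECRET_ACCESS_KEY}\n"


def secret_manifest(name, files, encoded=False):
    """Return a v1 Opaque Secret; `files` maps key -> plain text.

    encoded=False stores the text under stringData and lets the API server
    encode it; encoded=True base64-encodes into data, the form you get back
    from `kubectl get secret -o json`.
    """
    manifest = {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
                "metadata": {"name": name}}
    if encoded:
        manifest["data"] = {k: base64.b64encode(v.encode()).decode("ascii")
                            for k, v in files.items()}
    else:
        manifest["stringData"] = dict(files)
    return manifest


def plain_values(manifest):
    """Yield (key, text) for every entry, decoding data; raises on invalid base64."""
    for k, v in manifest.get("stringData", {}).items():
        yield k, v
    for k, v in manifest.get("data", {}).items():
        yield k, base64.b64decode(v, validate=True).decode()


def check_secret(manifest):
    """Return a list of problems; an empty list means the manifest is ready to apply."""
    problems = []
    for k, v in manifest.get("data", {}).items():
        try:
            base64.b64decode(v, validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"data.{k}: not base64; plain text belongs under stringData")
    if problems:
        return problems  # plain_values() could not decode these entries anyway
    for k, text in plain_values(manifest):
        for p in PLACEHOLDERS:
            if p in text:
                problems.append(f"{k}: still contains placeholder {p}")
    return problems


if __name__ == "__main__":
    for m in (secret_manifest("curiesync", {"curiesync.env": curiesync_env()}),
              secret_manifest("s3cfg", {"s3cfg": s3cfg()}, encoded=True)):
        assert check_secret(m) == [], check_secret(m)
        print(json.dumps(m, indent=2))
```

Pipe the printed JSON into `kubectl -n curiefense apply -f -` once `check_secret` returns an empty list. Generating both files from one place also means a key rotation touches a single value instead of two hand-edited manifests.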
Create a values.curiefense.yaml file with the following content:

```yaml
global:
  proxy:
    frontend: "nginx"

  settings:
    curieconf_manifest_url: "s3://my-curiefense-test/prod/manifest.json"
```
Clone the Curiefense Helm repository:

```bash
git clone git@github.com:curiefense/curiefense-helm.git
```
Install Curiefense:

```bash
helm install -n curiefense -f values.curiefense.yaml curiefense ./curiefense-helm/curiefense-helm/curiefense
```
Open a port forward to the UI server and start hacking:

```bash
kubectl -n curiefense port-forward deploy/uiserver 8080:80
open http://localhost:8080
```
Make some changes then head to the "Publish Changes" section and click "Publish configuration".

Install echoserver (optional)

It's time to put Curiefense to the test.
Create an echoserver.yaml file with the following content:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: echoserver
  labels:
    app.kubernetes.io/part-of: "curiefense"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: echoserver
  template:
    metadata:
      labels:
        app: echoserver
        app.kubernetes.io/part-of: "curiefense"
    spec:
      containers:
        - image: gcr.io/google_containers/echoserver:1.10
          imagePullPolicy: IfNotPresent
          name: echoserver
          ports:
            - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: echoserver
  labels:
    app: echoserver
    service: echoserver
    app.kubernetes.io/part-of: "curiefense"
spec:
  ports:
    - port: 8080
      name: http
  selector:
    app: echoserver
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: echoserver
  labels:
    app.kubernetes.io/part-of: "curiefense"
  annotations:
    nginx.org/location-snippets: |
      access_by_lua_block {
        local session = require "lua.session_nginx"
        session.inspect(ngx)
      }
      log_by_lua_block {
        local session = require "lua.session_nginx"
        session.log(ngx)
      }
spec:
  ingressClassName: nginx
  rules:
    - host: YOUR_HOST
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: echoserver
                port:
                  number: 8080
```
Based on how you configured the ingress controller and DNS, you should be able to access the echoserver at the host of your choosing.

Cleanup

Be careful, these commands are destructive!
Once you are done, you can clean up the created resources from the cluster with the following commands:

```bash
kubectl delete -f echoserver.yaml
kubectl delete namespace curiefense
```
To delete all AWS resources:

```bash
aws iam delete-user-policy --user-name my-curiefense-test --policy-name CuriefenseS3Bucket
aws iam delete-access-key --user-name my-curiefense-test --access-key-id YOUR_ACCESS_KEY_ID
aws iam delete-user --user-name my-curiefense-test
aws s3 rb s3://my-curiefense-test --force
```

Notes

  • Curiefense nginx ingress image should be updated to the latest version (to support the latest Ingress API)
  • Ingress needs to be deployed in the same namespace at the moment (in order to push logs to curielogger)
  • ElasticSearch doesn't work out of the box