🚀(project:maison): Install Presidio to anonymise data comming from n8n

Signed-off-by: Alexandre Nicolaie <[email protected]>

projects/maison/src/apps/n8n/httproute.yaml

@@ -16,3 +16,21 @@ spec:
     - backendRefs:
         - name: n8n
           port: 80
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  annotations:
+    external-dns.alpha.kubernetes.io/exclude-cloudflare: "true"
+  name: n8n-anonymizer-websecure
+  namespace: n8n
+spec:
+  parentRefs:
+    - name: default
+      namespace: default
+  hostnames:
+    - presidio.chezmoi.sh
+  rules:
+    - backendRefs:
+        - name: n8n-anonymizer
+          port: 3001

projects/maison/src/apps/n8n/kustomization.yaml

@@ -15,6 +15,7 @@ labels:
 resources:
   # Workloads
   - workload.database.yaml
+  - workload.n8n-anonymizer.yaml
   - workload.n8n.yaml
 
   # Ingresses / Gateways

projects/maison/src/apps/n8n/policies/allow-egress-from-n8n-to-n8n-anonymizer.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  annotations:
+    network-policy.k8s.io/description: |
+      This policy allows egress traffic from n8n to the anonymisation service.
+
+      **Why?**
+      - n8n will use the anonymisation service to anonymise data before
+        sending it to public services (like ChaGPT).
+  name: allow-egress-from-n8n-to-n8n-anonymizer
+  namespace: n8n
+spec:
+  egress:
+    - to:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/instance: n8n-anonymizer
+              app.kubernetes.io/name: n8n
+      ports:
+        - port: 5002
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: n8n
+      app.kubernetes.io/name: n8n
+  policyTypes:
+    - Egress

projects/maison/src/apps/n8n/policies/allow-ingress-to-n8n-anonymizer-from-traefik.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  annotations:
+    network-policy.k8s.io/description: |
+      This policy allows the Traefik service to access the n8n anonymizer.
+
+      **Why?**
+      - Traefik is the gateway controller for the Kubernetes cluster
+        and needs to route traffic to the anonymizer service (Presidio).
+  name: allow-ingress-to-n8n-anonymizer-from-traefik
+  namespace: n8n
+spec:
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: traefik-system
+      ports:
+        - port: 5002
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: n8n-anonymizer
+      app.kubernetes.io/name: n8n
+  policyTypes:
+    - Ingress

projects/maison/src/apps/n8n/workload.n8n-anonymizer.yaml

@@ -0,0 +1,84 @@
+---
+# trunk-ignore(checkov/CKV2_K8S_6): all deployments have network ingress/egress denied by default
+# trunk-ignore(checkov/CKV_K8S_23,checkov/CKV_K8S_40): mcr.microsoft.com/presidio-* are shitty built and must be runned as root
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    apps.kubernetes.io/component: anonymizer
+    apps.kubernetes.io/instance: n8n-anonymizer
+  name: n8n-anonymizer
+  namespace: n8n
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      apps.kubernetes.io/instance: n8n-anonymizer
+  template:
+    metadata:
+      labels:
+        apps.kubernetes.io/component: anonymizer
+        apps.kubernetes.io/instance: n8n-anonymizer
+    spec:
+      automountServiceAccountToken: false
+      containers:
+        # trunk-ignore(trivy/KSV012,trivy/KSV020,trivy/KSV021): mcr.microsoft.com/presidio-* are shitty built and must be runned as root
+        - name: presidio-anonymizer
+          image: mcr.microsoft.com/presidio-anonymizer:latest@sha256:e39a7671f51c40aa493201f0d3f71ad74efc98bbd34ccd417a4cfd3ffaa59ae4
+          ports:
+            - name: anonymizer
+              containerPort: 3000
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: anonymizer
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: anonymizer
+          resources:
+            requests:
+              cpu: 100m
+              memory: 500Mi
+            limits:
+              memory: 500Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: false
+            seccompProfile:
+              type: RuntimeDefault
+          volumeMounts:
+            - mountPath: /.cache/pypoetry
+              name: tempdir
+            - mountPath: /tmp
+              name: tempdir
+              subPath: anonymizer
+      securityContext:
+        runAsNonRoot: false
+      volumes:
+        - name: tempdir
+          emptyDir: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    apps.kubernetes.io/component: anonymizer
+    apps.kubernetes.io/instance: n8n-anonymizer
+  name: n8n-anonymizer
+  namespace: n8n
+spec:
+  selector:
+    apps.kubernetes.io/instance: n8n-anonymizer
+  ports:
+    - name: anonymizer
+      port: 5002
+      targetPort: anonymizer
+      protocol: TCP
+  type: ClusterIP