First commit

templates/crowdsec-agent-DaemonSet.yml.j2

@@ -0,0 +1,120 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+#  annotations:
+#    meta.helm.sh/release-name: crowdsec
+#    meta.helm.sh/release-namespace: crowdsec
+  labels:
+#    app.kubernetes.io/managed-by: Helm
+    k8s-app: crowdsec
+    type: agent
+    version: v1
+  name: crowdsec-agent
+spec:
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      k8s-app: crowdsec
+      type: agent
+  template:
+    metadata:
+      labels:
+        k8s-app: crowdsec
+        type: agent
+        version: v1
+    spec:
+      containers:
+      - command:
+        - sh
+        - -c
+        - mv -n /staging/etc/crowdsec/* /etc/crowdsec_data/ && rm -rf /staging/etc/crowdsec
+          && ln -s /etc/crowdsec_data /etc/crowdsec && ./docker_start.sh
+        env:
+        - name: AGENT_USERNAME
+          valueFrom:
+            secretKeyRef:
+              key: username
+              name: agent-credentials
+        - name: AGENT_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: password
+              name: agent-credentials
+        - name: LOCAL_API_URL
+          value: http://crowdsec-service.crowdsec:8080
+        - name: DISABLE_LOCAL_API
+          value: "true"
+        - name: DISABLE_ONLINE_API
+          value: "true"
+        - name: COLLECTIONS
+          value: crowdsecurity/traefik
+        - name: SCENARIOS
+          value: crowdsecurity/linux-lpe crowdsecurity/http-crawl-non_statics
+        image: crowdsecurity/crowdsec:latest
+        imagePullPolicy: IfNotPresent
+        name: crowdsec-agent
+        ports:
+        - containerPort: 6060
+          name: metrics
+          protocol: TCP
+        resources:
+          limits:
+            memory: 100Mi
+          requests:
+            cpu: 150m
+            memory: 100Mi
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /etc/crowdsec_data
+          name: crowdsec-agent-config
+        - mountPath: /etc/crowdsec_data/acquis.yaml
+          name: acquis-config-volume
+          subPath: acquis.yaml
+        - mountPath: /var/log
+          name: varlog
+        - mountPath: /var/lib/docker/containers
+          name: varlibdockercontainers
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      initContainers:
+      - command:
+        - sh
+        - -c
+        - until nc crowdsec-service.crowdsec 8080; do echo waiting for lapi to start;
+          sleep 5; done
+        image: busybox:1.28
+        imagePullPolicy: IfNotPresent
+        name: wait-for-lapi
+        resources: {}
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext: {}
+      terminationGracePeriodSeconds: 30
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+      volumes:
+      - configMap:
+          defaultMode: 420
+          name: acquis-configmap
+        name: acquis-config-volume
+      - hostPath:
+          path: /var/log
+          type: ""
+        name: varlog
+      - name: crowdsec-agent-config
+        hostPath:
+          path: /mnt/local/crowdsec-agent
+          type: "DirectoryOrCreate"
+      - hostPath:
+          path: /var/lib/docker/containers
+          type: ""
+        name: varlibdockercontainers
+  updateStrategy:
+    rollingUpdate:
+      maxSurge: 0
+      maxUnavailable: 1
+    type: RollingUpdate

templates/crowdsec-agent-Service.yml.j2

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Service
+metadata:
+#  annotations:
+#    meta.helm.sh/release-name: crowdsec
+#    meta.helm.sh/release-namespace: crowdsec
+  labels:
+    app: crowdsec-agent-service
+#    app.kubernetes.io/managed-by: Helm
+  name: crowdsec-agent-service
+spec:
+  internalTrafficPolicy: Cluster
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - name: metrics
+    port: 6060
+    protocol: TCP
+    targetPort: 6060
+  selector:
+    k8s-app: crowdsec
+    type: agent
+    version: v1
+  sessionAffinity: None
+  type: ClusterIP

templates/crowdsec-agent-serviceMonitor.yml.j2

@@ -0,0 +1,18 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+#  annotations:
+#    meta.helm.sh/release-name: crowdsec
+#    meta.helm.sh/release-namespace: crowdsec
+#  labels:
+#    app.kubernetes.io/managed-by: Helm
+  name: crowdsec-agent-service
+spec:
+  endpoints:
+  - port: metrics
+  namespaceSelector:
+    matchNames:
+    - crowdsec
+  selector:
+    matchLabels:
+      app: crowdsec-agent-service

templates/helm-values.yaml.j2

@@ -0,0 +1,96 @@
+container_runtime: containerd
+#secrets:
+#  username: ""
+#  password: ""
+lapi:
+  ingress:
+    enabled: true
+    annotations:
+      traefik.ingress.kubernetes.io/router.entrypoints: htt;https
+      traefik.ingress.kubernetes.io/router.middlewares: internal@file
+    # labels: {}
+    ingressClassName: "traefik"
+    host: "crowdsec-api.{{ ingress_domain }}"
+    # tls: {}
+  env:
+    # As it's a test, we don't want to share signals with CrowdSec, so disable the Online API.
+#    - name: DISABLE_ONLINE_API
+#      value: "true"
+    - name: DISABLE_AGENT
+      value: "true"
+{% if crowdsec_enrollment_key is defined %}
+    - name: ENROLL_KEY
+      value: "{{ crowdsec_enrollment_key }}"
+    - name: ENROLL_INSTANCE_NAME
+      value: "{{ ansible_hostname }}"
+    - name: ENROLL_TAGS
+      value: "k8s {{ ansible_hostname }}"
+{% endif %}
+  dashboard:
+    # -- Enable Metabase Dashboard (by default disabled)
+    enabled: true
+
+    # -- Enable ingress object
+    ingress:
+      enabled: true
+      annotations:
+#        # metabase only supports http so we need this annotation
+#        nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+        traefik.ingress.kubernetes.io/router.entrypoints: http,https
+        traefik.ingress.kubernetes.io/router.middlewares: internal@file
+      # labels: {}
+      ingressClassName: "traefik"
+      host: "crowdsec.{{ ingress_domain }}"
+      # tls: {}
+  persistentVolume:
+    # -- Persistent volume for data folder. Stores e.g. registered bouncer api keys
+    data:
+      enabled: true
+      accessModes:
+        - ReadWriteOnce
+      storageClassName: "longhorn"
+      size: 1Gi
+    # -- Persistent volume for config folder. Stores e.g. online api credentials
+    config:
+      enabled: true
+      accessModes:
+        - ReadWriteOnce
+      storageClassName: "longhorn"
+      size: 100Mi
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+agent:
+  # To specify each pod you want to process it logs (pods present in the node)
+  acquisition:
+    # The namespace where the pod is located
+    - namespace: "{{ traefik_namespace }}"
+      # The pod name
+      podName: traefik-*
+      # as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs
+      program: traefik
+  persistentVolume:
+    # -- Persistent volume for config folder. Stores local config (parsers, scenarios etc.)
+    config:
+      enabled: false
+      accessModes:
+        - ReadWriteOnce
+      storageClassName: "local-path"
+      size: 100Mi
+  # Those are ENV variables
+  env:
+  # As it's a test, we don't want to share signals with CrowdSec so disable the Online API.
+  #- name: DISABLE_ONLINE_API
+  #  value: "true"
+  - name: PARSERS
+    value: "crowdsecurity/cri-logs"
+  # As we are running Nginx, we want to install the Nginx collection
+  - name: COLLECTIONS
+    value: "crowdsecurity/traefik"
+  - name: SCENARIOS
+    value: "crowdsecurity/linux-lpe crowdsecurity/http-crawl-non_statics"
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true