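# Jinja2-templated Helm values for the CrowdSec chart (LAPI, Metabase
# dashboard and log-processing agent behind Traefik).
# Template variables used: crowdsec_version, ingress_domain,
# crowdsec_enrollment_key, inventory_hostname,
# traefik_crowdsec_bouncer_apikey, traefik_namespace.
container_runtime: containerd

{# Emit `image:` only when a tag is pinned. A bare `image:` renders as null, #}
{# and Helm treats a null value as "delete this key from the chart defaults", #}
{# which would also drop the default repository and pullPolicy. #}
{% if crowdsec_version is defined %}
image:
{% if false %}
  # -- docker image repository name
  repository: crowdsecurity/crowdsec
  # -- pullPolicy
  pullPolicy: IfNotPresent
  # -- docker image tag
{% endif %}
  tag: "{{ crowdsec_version }}"
{% endif %}

# secrets:
#   username: ""
#   password: ""

lapi:
  ingress:
    # The LAPI is published through Traefik. The only access restriction
    # visible in this file is the `internal@file` middleware; confirm it limits
    # the route to trusted networks, since bouncers and agents authenticate to
    # this API with the keys configured below.
    enabled: true
    annotations:
      # Comma-separated list of Traefik entry points (was `htt;https`, which
      # names no entry point and disagreed with the dashboard ingress).
      traefik.ingress.kubernetes.io/router.entrypoints: http,https
      traefik.ingress.kubernetes.io/router.middlewares: internal@file
    # labels: {}
    ingressClassName: "traefik"
    host: "crowdsec-api.{{ ingress_domain }}"
    # tls: {}
  env:
    # As it's a test, we don't want to share signals with CrowdSec, so disable the Online API.
    # - name: DISABLE_ONLINE_API
    #   value: "true"
    # DISABLE_AGENT is already in template
    # - name: DISABLE_AGENT
    #   value: "true"
    # NOTE(review): the enrollment key and the bouncer API key below are
    # rendered into this file in clear text and end up as literal `value:`
    # entries in the pod spec. Keep the rendered file out of version control
    # and task logs, and restrict who can read the workload definition.
{% if crowdsec_enrollment_key is defined %}
    - name: ENROLL_KEY
      value: "{{ crowdsec_enrollment_key }}"
    - name: ENROLL_INSTANCE_NAME
      value: "{{ inventory_hostname }}"
    - name: ENROLL_TAGS
      value: "k8s {{ inventory_hostname }}"
{% endif %}
{% if traefik_crowdsec_bouncer_apikey is defined %}
    - name: BOUNCER_KEY_traefik
      value: "{{ traefik_crowdsec_bouncer_apikey }}"
{% endif %}
  dashboard:
    # -- Enable Metabase Dashboard (by default disabled)
    enabled: true
    # -- Enable ingress object
    ingress:
      # NOTE(review): Metabase is reachable through this ingress; as with the
      # LAPI route, `internal@file` is the only restriction shown here, so
      # verify what that middleware enforces and change any default dashboard
      # credentials before exposing it.
      enabled: true
      annotations:
        # # metabase only supports http so we need this annotation
        # nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
        traefik.ingress.kubernetes.io/router.entrypoints: http,https
        traefik.ingress.kubernetes.io/router.middlewares: internal@file
      # labels: {}
      ingressClassName: "traefik"
      host: "crowdsec.{{ ingress_domain }}"
      # tls: {}
  persistentVolume:
    # -- Persistent volume for data folder. Stores e.g. registered bouncer api keys
    data:
      enabled: true
      accessModes:
        - ReadWriteOnce
      storageClassName: "longhorn"
      size: 1Gi
    # -- Persistent volume for config folder. Stores e.g. online api credentials
    config:
      enabled: true
      accessModes:
        - ReadWriteOnce
      storageClassName: "longhorn"
      size: 100Mi
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  strategy:
    type: Recreate

agent:
  # Lists the pods (present on the node) whose logs the agent should process
  acquisition:
    # The namespace where the pod is located
    - namespace: "{{ traefik_namespace }}"
      # The pod name (glob pattern; quoted so it is always read as a string)
      podName: "traefik-*"
      # as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs
      program: traefik
  persistentVolume:
    # -- Persistent volume for config folder. Stores local config (parsers, scenarios etc.)
    config:
      enabled: false
      accessModes:
        - ReadWriteOnce
      storageClassName: "local-path"
      size: 100Mi
  # Those are ENV variables
  env:
    # As it's a test, we don't want to share signals with CrowdSec so disable the Online API.
    # - name: DISABLE_ONLINE_API
    #   value: "true"
    - name: PARSERS
      value: "crowdsecurity/cri-logs"
    # As we are running Traefik, we want to install the Traefik collection
    # (plus the Linux LPE, HTTP CVE and good-actor whitelist collections)
    - name: COLLECTIONS
      value: "crowdsecurity/traefik crowdsecurity/linux-lpe crowdsecurity/http-cve crowdsecurity/whitelist-good-actors"
    - name: SCENARIOS
      value: "crowdsecurity/http-crawl-non_statics"
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true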