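container_runtime: containerd

# Image repository and pull policy stay at the chart defaults
# (repository: crowdsecurity/crowdsec, pullPolicy: IfNotPresent).
# The `image` map is only emitted when a tag is pinned: an `image:` key
# with no children renders as null, and Helm treats a null override as
# "delete the chart's default image settings", not "keep them".
{% if crowdsec_version is defined %}
image:
  # -- docker image tag, pinned from the inventory
  tag: "{{ crowdsec_version }}"
{% endif %}

# Registry credentials are intentionally not set here.
#secrets:
#  username: ""
#  password: ""

lapi:
  ingress:
    enabled: true
    annotations:
      # Entrypoint list was "htt;https", which is not a valid Traefik
      # entrypoint name; the dashboard ingress below uses "http,https".
      # NOTE(review): the http entrypoint is exposed while `tls` is left
      # unset below — confirm Traefik redirects http to https so LAPI
      # credentials and enrollment traffic are never served in clear.
      traefik.ingress.kubernetes.io/router.entrypoints: http,https
      traefik.ingress.kubernetes.io/router.middlewares: internal@file
    # labels: {}
    ingressClassName: "traefik"
    host: "crowdsec-api.{{ ingress_domain }}"
    # tls: {}
  env:
    # As it's a test, we don't want to share signals with CrowdSec, so disable the Online API.
    # - name: DISABLE_ONLINE_API
    #   value: "true"
    # DISABLE_AGENT is already in template
    # - name: DISABLE_AGENT
    #   value: "true"
    # NOTE(review): when neither variable below is defined this key renders
    # with no items (null); harmless only while the chart's own lapi.env
    # default is empty — verify against the chart's values.yaml.
{% if crowdsec_enrollment_key is defined %}
    - name: ENROLL_KEY
      value: "{{ crowdsec_enrollment_key }}"
    - name: ENROLL_INSTANCE_NAME
      value: "{{ inventory_hostname }}"
    - name: ENROLL_TAGS
      value: "k8s {{ inventory_hostname }}"
{% endif %}
{% if traefik_crowdsec_bouncer_apikey is defined %}
    - name: BOUNCER_KEY_traefik
      value: "{{ traefik_crowdsec_bouncer_apikey }}"
{% endif %}
  dashboard:
    # -- Enable Metabase Dashboard (by default disabled)
    enabled: true

    # -- Enable ingress object
    ingress:
      enabled: true
      annotations:
        # # metabase only supports http so we need this annotation
        # nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
        traefik.ingress.kubernetes.io/router.entrypoints: http,https
        traefik.ingress.kubernetes.io/router.middlewares: internal@file
      # labels: {}
      ingressClassName: "traefik"
      host: "crowdsec.{{ ingress_domain }}"
      # tls: {}
  persistentVolume:
    # -- Persistent volume for data folder. Stores e.g. registered bouncer api keys
    data:
      enabled: true
      accessModes:
        - ReadWriteOnce
      storageClassName: "longhorn"
      size: 1Gi
    # -- Persistent volume for config folder. Stores e.g. online api credentials
    config:
      enabled: true
      accessModes:
        - ReadWriteOnce
      storageClassName: "longhorn"
      size: 100Mi
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  strategy:
    type: Recreate

agent:
  # To specify each pod you want to process it logs (pods present in the node)
  acquisition:
    # The namespace where the pod is located
    - namespace: "{{ traefik_namespace }}"
      # The pod name (quoted so the glob can never be read as a YAML alias)
      podName: "traefik-*"
      # as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs
      program: traefik
  persistentVolume:
    # -- Persistent volume for config folder. Stores local config (parsers, scenarios etc.)
    config:
      enabled: false
      accessModes:
        - ReadWriteOnce
      storageClassName: "local-path"
      size: 100Mi
  # Those are ENV variables
  env:
    # As it's a test, we don't want to share signals with CrowdSec so disable the Online API.
    #- name: DISABLE_ONLINE_API
    #  value: "true"
    - name: PARSERS
      value: "crowdsecurity/cri-logs"
    # As we are running Traefik, we want to install the Traefik collection
    - name: COLLECTIONS
      value: "crowdsecurity/traefik crowdsecurity/linux-lpe crowdsecurity/http-cve crowdsecurity/whitelist-good-actors"
    - name: SCENARIOS
      value: "crowdsecurity/http-crawl-non_statics"
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true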