feat(crowdsec): Initial deployment

50b9d141 · Sheogorath · c195bea9 · 50b9d141 · 50b9d141 · 50b9d141
Verified Commit 50b9d141 authored 1 year ago by Sheogorath
--- a/apps/base/crowdsec/kustomization.yaml
+++ b/apps/base/crowdsec/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: crowdsec
+resources:
+  - namespace.yaml
+  - repository.yaml
+  - release.yaml
+  - ../../../shared/networkpolicies/allow-from-same-namespace.yaml
--- a/apps/base/crowdsec/namespace.yaml
+++ b/apps/base/crowdsec/namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: crowdsec
+  labels:
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: privileged
+    pod-security.kubernetes.io/audit-version: v1.27
+    pod-security.kubernetes.io/enforce-version: v1.27
+    pod-security.kubernetes.io/warn-version: v1.27
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: flux-reconciler
+  namespace: crowdsec
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: flux-reconciler
+  namespace: crowdsec
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: admin
+subjects:
+  - kind: ServiceAccount
+    name: flux-reconciler
+    namespace: crowdsec
--- a/apps/base/crowdsec/release.yaml
+++ b/apps/base/crowdsec/release.yaml
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: crowdsec
+  namespace: crowdsec
+spec:
+  timeout: 15m
+  releaseName: crowdsec
+  chart:
+    spec:
+      chart: crowdsec
+      sourceRef:
+        kind: HelmRepository
+        name: crowdsec
+        namespace: crowdsec
+      version: "0.9.7"
+  interval: 5m
+  install:
+    crds: Skip
+    remediation:
+      retries: -1
+  upgrade:
+    crds: Skip
+    remediation:
+      retries: -1
+  valuesFrom:
+    - kind: ConfigMap
+      name: crowdsec-base-values
+      valuesKey: values.yaml
+    - kind: Secret
+      name: crowdsec-override-values
+      valuesKey: values-overrides.yaml
+      optional: true
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: crowdsec-base-values
+  namespace: crowdsec
+data:
+  values.yaml: |
+    container_runtime: containerd
+    agent:
+      # To specify each pod you want to process it logs (pods present in the node)
+      acquisition:
+        # The namespace where the pod is located
+        - namespace: nginx-system
+          # The pod name
+          podName: ingress-nginx-controller-*
+          # as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs
+          program: nginx
+      # Those are ENV variables
+      env:
+      # As it's a test, we don't want to share signals with CrowdSec so disable the Online API.
+      - name: DISABLE_ONLINE_API
+        value: "true"
+      # As we are running Nginx, we want to install the Nginx collection
+      - name: COLLECTIONS
+        value: "crowdsecurity/nginx"
+    lapi:
+      env:
+        # As it's a test, we don't want to share signals with CrowdSec, so disable the Online API.
+        - name: DISABLE_ONLINE_API
+          value: "true"
+      dashboard:
+        enabled: false
+
--- a/apps/base/crowdsec/repository.yaml
+++ b/apps/base/crowdsec/repository.yaml
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: crowdsec
+  namespace: crowdsec
+spec:
+  interval: 30m
+  url: https://crowdsecurity.github.io/helm-charts
\ No newline at end of file
--- a/apps/k8s01/crowdsec/kustomization.yaml
+++ b/apps/k8s01/crowdsec/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: crowdsec
+resources:
+  - ../../base/crowdsec
+  - ../../../shared/resourcequotas/default.yaml