From 50b9d1419a7c23d2d63211dfc635c884688bd752 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Thu, 28 Sep 2023 01:24:57 +0200
Subject: [PATCH] feat(crowdsec): Initial deployment

---
 apps/base/crowdsec/kustomization.yaml  |  8 +++
 apps/base/crowdsec/namespace.yaml      | 31 ++++++++++++
 apps/base/crowdsec/release.yaml        | 67 ++++++++++++++++++++++++++
 apps/base/crowdsec/repository.yaml     |  8 +++
 apps/k8s01/crowdsec/kustomization.yaml |  6 +++
 5 files changed, 120 insertions(+)
 create mode 100644 apps/base/crowdsec/kustomization.yaml
 create mode 100644 apps/base/crowdsec/namespace.yaml
 create mode 100644 apps/base/crowdsec/release.yaml
 create mode 100644 apps/base/crowdsec/repository.yaml
 create mode 100644 apps/k8s01/crowdsec/kustomization.yaml

diff --git a/apps/base/crowdsec/kustomization.yaml b/apps/base/crowdsec/kustomization.yaml
new file mode 100644
index 000000000..026d40788
--- /dev/null
+++ b/apps/base/crowdsec/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: crowdsec
+resources:
+  - namespace.yaml
+  - repository.yaml
+  - release.yaml
+  - ../../../shared/networkpolicies/allow-from-same-namespace.yaml
diff --git a/apps/base/crowdsec/namespace.yaml b/apps/base/crowdsec/namespace.yaml
new file mode 100644
index 000000000..c6bab2ed1
--- /dev/null
+++ b/apps/base/crowdsec/namespace.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: crowdsec
+  labels:
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: privileged
+    pod-security.kubernetes.io/audit-version: v1.27
+    pod-security.kubernetes.io/enforce-version: v1.27
+    pod-security.kubernetes.io/warn-version: v1.27
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: flux-reconciler
+  namespace: crowdsec
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: flux-reconciler
+  namespace: crowdsec
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: admin
+subjects:
+  - kind: ServiceAccount
+    name: flux-reconciler
+    namespace: crowdsec
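Review bot: The three pod-security labels on lines L44–L46 all set `privileged`, which switches off audit and warn visibility for the namespace as well as enforcement; keeping `pod-security.kubernetes.io/audit: baseline` and `pod-security.kubernetes.io/warn: baseline` while only `enforce` stays at `privileged` lets the API server still log and warn on which workloads actually need the exemption without blocking them. The reason for the exemption is not recorded in the manifest; presumably the CrowdSec agent DaemonSet needs host-level log access, but that should be confirmed and stated above the labels, e.g. `# privileged: required by the CrowdSec agent (host log access) — TODO confirm; enforce only, keep audit/warn at baseline`. The `admin` RoleBinding for `flux-reconciler` looks like the repository's per-app pattern and is not questioned here.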
diff --git a/apps/base/crowdsec/release.yaml b/apps/base/crowdsec/release.yaml
new file mode 100644
index 000000000..d8ea75e4e
--- /dev/null
+++ b/apps/base/crowdsec/release.yaml
@@ -0,0 +1,67 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: crowdsec
+  namespace: crowdsec
+spec:
+  timeout: 15m
+  releaseName: crowdsec
+  chart:
+    spec:
+      chart: crowdsec
+      sourceRef:
+        kind: HelmRepository
+        name: crowdsec
+        namespace: crowdsec
+      version: "0.9.7"
+  interval: 5m
+  install:
+    crds: Skip
+    remediation:
+      retries: -1
+  upgrade:
+    crds: Skip
+    remediation:
+      retries: -1
+  valuesFrom:
+    - kind: ConfigMap
+      name: crowdsec-base-values
+      valuesKey: values.yaml
+    - kind: Secret
+      name: crowdsec-override-values
+      valuesKey: values-overrides.yaml
+      optional: true
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: crowdsec-base-values
+  namespace: crowdsec
+data:
+  values.yaml: |
+    container_runtime: containerd
+    agent:
+      # To specify each pod you want to process it logs (pods present in the node)
+      acquisition:
+        # The namespace where the pod is located
+        - namespace: nginx-system
+          # The pod name
+          podName: ingress-nginx-controller-*
+          # as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs
+          program: nginx
+      # Those are ENV variables
+      env:
+      # As it's a test, we don't want to share signals with CrowdSec so disable the Online API.
+      - name: DISABLE_ONLINE_API
+        value: "true"
+      # As we are running Nginx, we want to install the Nginx collection
+      - name: COLLECTIONS
+        value: "crowdsecurity/nginx"
+    lapi:
+      env:
+        # As it's a test, we don't want to share signals with CrowdSec, so disable the Online API.
+        - name: DISABLE_ONLINE_API
+          value: "true"
+      dashboard:
+        enabled: false
+
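Review bot: The comments at L129 and L137 justify `DISABLE_ONLINE_API` with "As it's a test", but the commit is the initial deployment of this app, so the comment should state the actual decision and its consequence: the LAPI is kept off CrowdSec's central API, so no signals are shared and, if I recall the CAPI semantics correctly, no community blocklist is received either — worth confirming and recording, e.g. `# Keep the LAPI offline: no signal sharing with the central API (and no community blocklist pulled); revisit before relying on CrowdSec for blocking`. Separately, the sequence under `agent.env` (L130–L134) is flush with its key while `acquisition` and `lapi.env` (L138–L139) use indented sequences; indenting the `agent.env` items by two spaces makes the embedded values.yaml use one sequence style throughout. The trailing empty line at L142 could also be dropped so the file ends with exactly one newline.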
diff --git a/apps/base/crowdsec/repository.yaml b/apps/base/crowdsec/repository.yaml
new file mode 100644
index 000000000..a7aef98eb
--- /dev/null
+++ b/apps/base/crowdsec/repository.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: crowdsec
+  namespace: crowdsec
+spec:
+  interval: 30m
+  url: https://crowdsecurity.github.io/helm-charts
\ No newline at end of file
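Review bot: repository.yaml ends without a trailing newline (the `\ No newline at end of file` marker at L157); add one so the file matches the other manifests in this change and does not produce a spurious hunk on the next edit. The `apiVersion: source.toolkit.fluxcd.io/v1beta1` on L149 is an older version of the Flux source API; if the cluster's Flux is recent enough, `v1beta2` avoids a deprecation warning — worth checking against what other HelmRepository objects in the repository use.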
diff --git a/apps/k8s01/crowdsec/kustomization.yaml b/apps/k8s01/crowdsec/kustomization.yaml
new file mode 100644
index 000000000..c701f87a7
--- /dev/null
+++ b/apps/k8s01/crowdsec/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: crowdsec
+resources:
+  - ../../base/crowdsec
+  - ../../../shared/resourcequotas/default.yaml
-- 
GitLab