🚚 move archive

archive/kubernetes/crowdsec/helmrelease.yaml

@@ -0,0 +1,125 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: crowdsec
+  namespace: crowdsec
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: crowdsec
+      version: 0.9.7
+      sourceRef:
+        kind: HelmRepository
+        name: crowdsec
+        namespace: flux-system
+  maxHistory: 2
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  uninstall:
+    keepHistory: false
+  values:
+    container_runtime: containerd
+    image:
+      repository: crowdsecurity/crowdsec
+      tag: v1.5.2
+    lapi:
+      env:
+        # by default disable the agent for local API pods
+        - name: DISABLE_AGENT
+          value: "true"
+        - name: ENROLL_KEY
+          valueFrom:
+            secretKeyRef:
+              name: crowdsec-config
+              key: enroll_key
+        - name: ENROLL_INSTANCE_NAME
+          value: "talos@cluster-0"
+      dashboard:
+        enabled: false
+        ingress:
+          enabled: false
+          annotations:
+          ingressClassName: nginx
+          host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
+          tls:
+            - hosts:
+              - *host
+      resources:
+        requests:
+          cpu: 150m
+          memory: 100M
+        limits:
+          memory: 100M
+      # -- Enable persistent volumes
+      persistentVolume:
+        # -- Persistent volume for data folder. Stores e.g. registered bouncer api keys
+        data:
+          enabled: true
+          accessModes:
+            - ReadWriteOnce
+          storageClassName: rook-ceph-filesystem
+          size: 1Gi
+        # -- Persistent volume for config folder. Stores e.g. online api credentials
+        config:
+          enabled: true
+          accessModes:
+            - ReadWriteOnce
+          storageClassName: rook-ceph-filesystem
+          size: 100Mi
+      metrics:
+        enabled: false
+        serviceMonitor:
+          enabled: false
+      strategy:
+        type: Recreate
+    agent:
+      # To specify each pod you want to process it logs (pods present in the node)
+      acquisition:
+        # The namespace where the pod is located
+        - namespace: ingress-nginx
+          # The pod name
+          podName: ingress-nginx-controller-*
+          # as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs
+          program: nginx
+      # Those are ENV variables
+      env:
+        # As it's a test, we don't want to share signals with CrowdSec so disable the Online API.
+        - name: DISABLE_crONLINE_API
+          value: "true"
+        # As we are running Nginx, we want to install the Nginx collection
+        - name: COLLECTIONS
+          value: "crowdsecurity/nginx crowdsecurity/linux crowdsecurity/base-http-scenarios crowdsecurity/http-cve crowdsecurity/pgsql crowdsecurity/sshd"
+        - name: PARSERS
+          value: "crowdsecurity/cri-logs"
+        - name: TZ
+          value: "${TIMEZONE}"
+        - name: DISABLE_ONLINE_API
+          value: "false"
+      resources:
+        limits:
+          memory: 100Mi
+        requests:
+          cpu: 150m
+          memory: 100Mi
+      # -- Enable persistent volumes
+      persistentVolume:
+        # -- Persistent volume for config folder. Stores local config (parsers, scenarios etc.)
+        config:
+          enabled: true
+          accessModes:
+            - ReadWriteMany
+          storageClassName: rook-ceph-filesystem
+          size: 100Mi
+      metrics:
+        enabled: true
+        serviceMonitor:
+          enabled: true

archive/kubernetes/crowdsec/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./helmrelease.yaml
+  - ./secret.sops.yaml

archive/kubernetes/crowdsec/secret.sops.yaml

@@ -0,0 +1,30 @@
+# yamllint disable
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.26.1-standalone-strict/secret-v1.json
+apiVersion: v1
+kind: Secret
+metadata:
+    name: crowdsec-config
+    namespace: crowdsec
+type: Opaque
+stringData:
+    enroll_key: ENC[AES256_GCM,data:ret34T4Bcdua76M8s19bLeNTUWweVqPg5Q==,iv:q9sXlIUAkRi4Gu1+uhVWW5WCDuUCn6ZAV+UjtK1hkAQ=,tag:zXCtO2dpokZ57/NTthItig==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoN0VJaHVYcXNDZDlZUGRn
+            YUViZDU0TCtmbzkycUpiZUVDbkluSzdSM2hVClpMRDdKREJBZEpEYUIxUGlIem9Q
+            Z08rVUVLUFhWNGdncElCR2hFVFNJUEUKLS0tIDZzcDVyb0lMTzRrNStBRU1KN2wy
+            OU81anNCMk13bXNXRVM3ZWcxTjd6SUkKd5FvLfeXe4p7j5eryl9ZuVh6oT920yiy
+            hsaI1Cwm2WH55lR++P1jtIyTo+lOL5M+IZUeyC7LXBpMp2UBNbllcw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-12-23T02:14:45Z"
+    mac: ENC[AES256_GCM,data:Y5ZzEfUbfy4hs6CpxZOW9/jSzp/lRaL28vB81BHFnUCDH9hHiCLMhb64SfJdCOgxP1HjKRbsQgSLdQD0W1Q7udtsXFVFg+LnND++ukWaXESj/USb25o9RT8Kn94RePLzeDdOkAR9hYS+YViKjdvdck2oKwr1cy8slcgHDXi83LI=,iv:/iBS+i43BaSOBZGUeNxUnqn4sgX12GozkQdUuLLsvMM=,tag:JLwY15QfNLWRJax2nKdcbw==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3