add crowdsec deployment

infrastructure/crowdsec/bouncer-api-key.sealedsecret.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: bouncer-api-key
+  namespace: crowdsec
+spec:
+  encryptedData:
+    BOUNCER_KEY_TRAEFIK: AgAQYtZ9nhTcPudhhvBb/UC01CXLsItYr8u890ctD9AsTcn/tVZELCYDmmhoRCebMZofdLwhsnR4BoaBvFU4NgQk7qCUOm2O5YG11RXwOLuQv50+XcK2NTIuj9DsBqwLjYjWdRwV2PG++twP33mRFe+L/nw9d2JjyujF9FoFWL9OyU/IH8qb3FK9652wBTrC0VX251lZ2AU0xMvgGEa9BhTtobw+cE7xUbhazsRc7SqimW0iJ6ZiYYsJcVnMustHRx951YiVin2c0ub1v+JfvsMTiXUfbdt235BMXgevmvWVqPDlUgBHEfAiKl1ktQKqdd2KijEPCzEtVKbRXfFRtv0SOebLeQ949uNUmnhYUn7k+s9QiDo/4Pl4w5p5+i//BKbDe/dyagUFxNTw3ZpsGusI4B2dHwTtE0y8TTW4BDxNh4PaTVT0hN0ctSsG6joBCTes6dWfdFDo7NzRZ4suZGfTpZbJknYcp+hbaJxeHLnJUAkFHLj9AfT1tAAZVc8wVy3Nw/hwnntEBGUJJ35BhyKKYvkWWPqk/5Ay6U8CeaiupHHMbTRisiqZfuZ4KI6zJZlBMLcdK32d1gMqTJpvhkiC8h4+U3ygBf+rxf6R66+kDzalrLFX8sU3Sl7fVc8qYTPESrz9/RXBGHegunhrmfq6g5lyYyM+KPK71C7NCyhqDfzY4nqO6omh83UDOlCjm+++N7/UHHf+9hs6OUi1BmAOMJkvb8bX43SVDDA4gxoZplVgAK7E0w==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: bouncer-api-key
+      namespace: crowdsec

infrastructure/crowdsec/bouncer.middleware.yaml

@@ -0,0 +1,12 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: bouncer
+spec:
+  plugin:
+    bouncer:
+      enabled: true
+      crowdsecMode: stream
+      crowdsecLapiScheme: https
+      crowdsecLapiHost: crowdsec-service.crowdsec:8080
+      crowdsecLapiKey: saödlkfhhqäüweo1p30947ß4rfepoihäp

infrastructure/crowdsec/dashboard-api-key.sealedsecret.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: dashboard-api-key
+  namespace: crowdsec
+spec:
+  encryptedData:
+    ENROLL_KEY: AgAOEbB81UuCj2qgR4p+gsvnDY3LC+IcI8kMwFlPl91pVngyrGDHutafilDZD/QiGxu+3mBVMlFRzYXyAl2RjaO4YZ8p59hznSn6jf3bcfbfhQJhXjUfKkf1Jmm6gWbeDMKcOuRvxgG2YWRtOo+xNLhHtMnTKC4B7R7X160GjlNV7SdXn4S+q9Oo/ZIz/q2Y6p5wXccpPNS6OEMjb8YJlfhj6FrsAoeO25fNruELBtzgHApVvx922wx9mpYialkQOsC+3IcogQprXQZZ+B8qph7PYQ1vIzD8Ch7df3Wj4JmMHsfpK5DRP6tACrM6PsYUy0BVqaBHWT9EHbIGc2w1/g9qPfauuTS8ZDsUEl7wpyQvHfXsQER63er5xT9Xv9kSrBUvSEaYoZr+Gw8Qi4N/SNW7e1JPiwQEpFP3GrFnnDLdGhGHvrvMzO5FAz1m+tnziVhfjpoOYQDlrvsS4+h+qU17/Kmu6EoGcpjqrEvUwN19Ar9pNz8qLbumTGlIzRbeVQWmv9F6icdT3idd8sCHeiAplE99kBAz780pxMgXRR/YmaBQz1xeOrKHAVBLegdj9eNmS62b72DHdsiY2jX7D1s1dFGWl45lIyv4RlNAQhjTiqFHeaUzJUii85WNSxpp9n8Cw/ua/mdUvcn8z9WQ11uVbVqurYD3TvsOnva0V6rffaeJjIovyMOXs2wHk6nokxj4L4Ut4YkmRGZaTu7wptjqBanaROZgEHEd
+  template:
+    metadata:
+      creationTimestamp: null
+      name: dashboard-api-key
+      namespace: crowdsec

infrastructure/crowdsec/kustomization.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: 
+  - namespace.yaml
+  - dashboard-api-key.sealedsecret.yaml
+  - bouncer-api-key.sealedsecret.yaml
+  - bouncer.middleware.yaml
+
+
+namespace: crowdsec
+
+
+helmCharts:
+  - name: crowdsec
+    releaseName: crowdsec
+    version: 0.12.0
+    valuesFile: values.yaml
+    repo: https://crowdsecurity.github.io/helm-charts

infrastructure/crowdsec/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder

infrastructure/crowdsec/values.yaml

@@ -0,0 +1,93 @@
+# -- for raw logs format: json or cri (docker|containerd)
+container_runtime: containerd
+
+
+
+# lapi will deploy pod with crowdsec lapi and dashboard as deployment
+lapi:
+  # -- replicas for local API
+  replicas: 1
+  # -- environment variables from crowdsecurity/crowdsec docker image
+  env:
+    - name: ENROLL_INSTANCE_NAME
+      value: "kluster"
+
+  # Allows you to load environment variables from kubernetes secret or config map
+  envFrom:
+    - secretRef:
+        name: dashboard-api-key
+    - secretRef:
+        name: bouncer-api-key
+
+
+  dashboard:
+    # -- Enable Metabase Dashboard (by default disabled)
+    enabled: false
+
+  # -- Enable persistent volumes
+  persistentVolume:
+    # -- Persistent volume for data folder. Stores e.g. registered bouncer api keys
+    data:
+      enabled: true
+      accessModes:
+        - ReadWriteOnce
+      storageClassName: "nfs-client"
+      size: 1Gi
+    # -- Persistent volume for config folder. Stores e.g. online api credentials
+    config:
+      enabled: true
+      accessModes:
+        - ReadWriteOnce
+      storageClassName: "nfs-client"
+      size: 100Mi
+
+
+  # -- Enable service monitoring (exposes "metrics" port "6060" for Prometheus)
+  metrics:
+    enabled: true
+    # -- Creates a ServiceMonitor so Prometheus will monitor this service
+    # -- Prometheus needs to be configured to watch on all namespaces for ServiceMonitors
+    # -- See the documentation: https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#prometheusioscrape
+    # -- See also: https://github.com/prometheus-community/helm-charts/issues/106#issuecomment-700847774
+    serviceMonitor:
+      enabled: true
+
+
+# agent will deploy pod on every node as daemonSet to read wanted pods logs
+agent:
+  acquisition:
+    # The namespace where the pod is located
+    - namespace: traefik-system
+      # The pod name
+      podName: traefik-*
+      # as in crowdsec configuration, we need to specify the program name to find a matching parser
+      program: traefik
+
+  # -- Enable persistent volumes
+  persistentVolume:
+    # -- Persistent volume for config folder. Stores local config (parsers, scenarios etc.)
+    config:
+      enabled: false
+      accessModes:
+        - ReadWriteOnce
+      storageClassName: ""
+      existingClaim: ""
+      size: 100Mi
+  # -- Enable hostPath to /var/log
+  hostVarLog: true
+  # -- environment variables from crowdsecurity/crowdsec docker image
+  env:
+    - name: COLLECTIONS
+      value: "crowdsecurity/traefik"
+
+  # -- Enable service monitoring (exposes "metrics" port "6060" for Prometheus)
+  metrics:
+    enabled: true
+    # -- Creates a ServiceMonitor so Prometheus will monitor this service
+    # -- Prometheus needs to be configured to watch on all namespaces for ServiceMonitors
+    # -- See the documentation: https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#prometheusioscrape
+    # -- See also: https://github.com/prometheus-community/helm-charts/issues/106#issuecomment-700847774
+    serviceMonitor:
+      enabled: false
+      additionalLabels: {}
+