feat(helm): update crowdsec ( 0.15.0 → 0.16.0 ) #325
Merged
--- kubernetes/main/apps/network/crowdsec/app Kustomization: flux-system/crowdsec HelmRelease: network/crowdsec
+++ kubernetes/main/apps/network/crowdsec/app Kustomization: flux-system/crowdsec HelmRelease: network/crowdsec
@@ -13,13 +13,13 @@
spec:
chart: crowdsec
sourceRef:
kind: HelmRepository
name: crowdsec
namespace: flux-system
- version: 0.15.0
+ version: 0.16.0
install:
remediation:
retries: 3
interval: 30m
maxHistory: 3
postRenderers: |
--- HelmRelease: network/crowdsec DaemonSet: network/crowdsec-agent
+++ HelmRelease: network/crowdsec DaemonSet: network/crowdsec-agent
@@ -12,59 +12,74 @@
matchLabels:
k8s-app: crowdsec
type: agent
template:
metadata:
annotations:
- checksum/agent-secret: 8f1d67eaeb376796a09b044f6961ac4eed929eef1c227f1e0186e201f462ad52
checksum/agent-configmap: 59fd1c26e7f6736e52334f51b95873000ace8607f64f6f5d3da00cc0ef4baa16
checksum/acquis-configmap: 9fe6b1c453fdcb899fb12f842f2004639a50a50bea80c4fe744415527f73eddb
labels:
k8s-app: crowdsec
type: agent
version: v1
spec:
initContainers:
- - name: wait-for-lapi
- image: busybox:1.37.0@sha256:5b0f33c83a97f5f7d12698df6732098b0cdb860d377f6307b68efe2c6821296f
+ - name: wait-for-lapi-and-register
+ image: crowdsecurity/crowdsec:v1.6.4@sha256:091229068a9dab7f8c1ae41086669620da2980c6ccc26f9e358a75aaa7cb4a27
imagePullPolicy: IfNotPresent
command:
- sh
- -c
- - until nc crowdsec-service.network 8080 -z; do echo waiting for lapi to start;
- sleep 5; done
+ - until nc "$LAPI_HOST" "$LAPI_PORT" -z; do echo waiting for lapi to start;
+ sleep 5; done; ln -s /staging/etc/crowdsec /etc/crowdsec && cscli lapi register
+ --machine "$USERNAME" -u $LAPI_URL --token "$REGISTRATION_TOKEN" && cp /etc/crowdsec/local_api_credentials.yaml
+ /tmp_config/local_api_credentials.yaml
resources:
limits:
memory: 50Mi
requests:
cpu: 1m
memory: 10Mi
securityContext:
allowPrivilegeEscalation: false
privileged: false
+ volumeMounts:
+ - name: crowdsec-config
+ mountPath: /tmp_config
+ env:
+ - name: REGISTRATION_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: crowdsec-lapi-secrets
+ key: registrationToken
+ - name: USERNAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: LAPI_URL
+ value: http://crowdsec-service.network:8080
+ - name: LAPI_HOST
+ value: crowdsec-service.network
+ - name: LAPI_PORT
+ value: '8080'
containers:
- name: crowdsec-agent
image: crowdsecurity/crowdsec:v1.6.4@sha256:091229068a9dab7f8c1ae41086669620da2980c6ccc26f9e358a75aaa7cb4a27
imagePullPolicy: IfNotPresent
+ command:
+ - sh
+ - -c
+ - cp /tmp_config/local_api_credentials.yaml /staging/etc/crowdsec/local_api_credentials.yaml
+ && ./docker_start.sh
env:
- name: DISABLE_LOCAL_API
value: 'true'
- name: DISABLE_ONLINE_API
value: 'true'
- name: LOCAL_API_URL
value: http://crowdsec-service.network:8080
- - name: AGENT_USERNAME
- valueFrom:
- secretKeyRef:
- name: agent-credentials
- key: username
- - name: AGENT_PASSWORD
- valueFrom:
- secretKeyRef:
- name: agent-credentials
- key: password
- name: PARSERS
value: crowdsecurity/cri-logs crowdsecurity/whitelists crowdsecurity/geoip-enrich
- name: COLLECTIONS
value: crowdsecurity/modsecurity inherent-io/keycloak LePresidente/jellyseerr
crowdsecurity/nginx Dominic-Wagner/vaultwarden crowdsecurity/base-http-scenarios
crowdsecurity/http-cve crowdsecurity/http-dos crowdsecurity/whitelist-good-actors
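Review bot: The new `wait-for-lapi-and-register` init container sends the registration token over plain HTTP: `LAPI_URL` is `http://crowdsec-service.network:8080` and the command runs `cscli lapi register --machine "$USERNAME" -u $LAPI_URL --token "$REGISTRATION_TOKEN"`, so the token and the machine credentials cross the cluster network unencrypted. Consider a TLS endpoint for the LAPI or a NetworkPolicy that limits which pods can reach port 8080. `$LAPI_URL` is also the only unquoted variable in that command and should be quoted like the others. Because `USERNAME` comes from `metadata.name`, every replaced DaemonSet pod registers under a new machine name, so plan for cleaning up stale machines on the LAPI side.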
@@ -109,22 +124,26 @@
successThreshold: 1
timeoutSeconds: 5
securityContext:
allowPrivilegeEscalation: false
privileged: false
volumeMounts:
+ - name: crowdsec-config
+ mountPath: /tmp_config
- name: acquis-config-volume
mountPath: /etc/crowdsec/acquis.yaml
subPath: acquis.yaml
- name: varlog
mountPath: /var/log
readOnly: true
terminationGracePeriodSeconds: 30
volumes:
- name: acquis-config-volume
configMap:
name: acquis-configmap
+ - name: crowdsec-config
+ emptyDir: {}
- name: varlog
hostPath:
path: /var/log
priorityClassName: null
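Review bot: The `crowdsec-config` volume added here is a plain `emptyDir: {}`, and the init container copies `local_api_credentials.yaml` into it under `/tmp_config`, so the agent's LAPI credentials sit on the node's disk for the life of the pod. Setting `medium: Memory` on that `emptyDir` (through chart values or a postRenderer patch) would keep them off disk, and the `/tmp_config` mount in the `crowdsec-agent` container could be `readOnly: true`, since that container only copies the file out of it.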
--- HelmRelease: network/crowdsec Deployment: network/crowdsec-appsec
+++ HelmRelease: network/crowdsec Deployment: network/crowdsec-appsec
@@ -6,18 +6,18 @@
labels:
k8s-app: crowdsec
type: appsec
version: v1
spec:
replicas: 1
+ strategy:
+ type: Recreate
selector:
matchLabels:
k8s-app: crowdsec
type: appsec
- strategy:
- type: Recreate
template:
metadata:
annotations:
checksum/appsec-acquis-configmap: eee19a8837a43610d68fc8af3da28835d76bcfbd960fcae93361db3b5191f8ea
labels:
k8s-app: crowdsec
@@ -82,18 +82,12 @@
- name: COLLECTIONS
value: crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules
- name: APPSEC_CONFIGS
value: crowdsecurity/appsec-default
- name: LOCAL_API_URL
value: https://crowdsec-api...PLACEHOLDER_PUBLIC_DOMAIN..
- volumeMounts:
- - name: crowdsec-config
- mountPath: /tmp_config
- - name: appsec-acquis-config-volume
- mountPath: /etc/crowdsec/acquis.yaml
- subPath: acquis.yaml
resources:
limits:
cpu: 500m
memory: 250Mi
requests:
cpu: 500m
@@ -104,36 +98,49 @@
protocol: TCP
- name: metrics
containerPort: 6060
protocol: TCP
livenessProbe:
failureThreshold: 3
+ httpGet:
+ path: /metrics
+ port: metrics
+ scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
- tcpSocket:
- port: appsec
readinessProbe:
failureThreshold: 3
+ httpGet:
+ path: /metrics
+ port: metrics
+ scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
- tcpSocket:
- port: appsec
startupProbe:
failureThreshold: 30
+ httpGet:
+ path: /metrics
+ port: metrics
+ scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
- tcpSocket:
- port: appsec
securityContext:
allowPrivilegeEscalation: false
privileged: false
+ volumeMounts:
+ - name: crowdsec-config
+ mountPath: /tmp_config
+ - name: appsec-acquis-config-volume
+ mountPath: /etc/crowdsec/acquis.yaml
+ subPath: acquis.yaml
terminationGracePeriodSeconds: 30
volumes:
- name: appsec-acquis-config-volume
configMap:
name: appsec-acquis-config
- name: crowdsec-config
emptyDir: {}
+ priorityClassName: null
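Review bot: All three probes now use `httpGet` on `/metrics` at the `metrics` port instead of `tcpSocket` on the `appsec` port, so readiness no longer reflects the listener that actually serves AppSec requests. A pod whose metrics endpoint answers while the appsec listener is down would still be marked ready. Confirm that metrics stay enabled for this Deployment (otherwise the startup probe gives up after its 30 attempts) and that something else monitors the appsec port.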
--- HelmRelease: network/crowdsec Deployment: network/crowdsec-lapi
+++ HelmRelease: network/crowdsec Deployment: network/crowdsec-lapi
@@ -17,14 +17,13 @@
type: lapi
strategy:
type: Recreate
template:
metadata:
annotations:
- checksum/agent-secret: 71a2122069bde8a95a9914545daeaa6589cd0582d1c6fd07703cad321441ccdc
- checksum/lapi-secret: d83ef8d0997477bc8aa30b9b9853fa7aab6473b2b6a1123c091027ac25327ef9
+ checksum/lapi-secret: b3fc73e5f8c83bb897f47dab6df6443294ad7e93776b33f7c6a655484b9c3ba8
checksum/lapi-configmap: 2af150a0f8c963d1ffac844a875c6c5d810a19b20a5721d1479ebd20e696329f
labels:
k8s-app: crowdsec
type: lapi
version: v1
spec:
@@ -39,22 +38,12 @@
- name: crowdsec-lapi
image: crowdsecurity/crowdsec:v1.6.4@sha256:091229068a9dab7f8c1ae41086669620da2980c6ccc26f9e358a75aaa7cb4a27
imagePullPolicy: IfNotPresent
env:
- name: LOCAL_API_URL
value: http://localhost:8080
- - name: AGENT_USERNAME
- valueFrom:
- secretKeyRef:
- name: agent-credentials
- key: username
- - name: AGENT_PASSWORD
- valueFrom:
- secretKeyRef:
- name: agent-credentials
- key: password
- name: DISABLE_AGENT
value: 'true'
- name: INSECURE_SKIP_VERIFY
value: 'false'
- name: CS_LAPI_SECRET
valueFrom: |
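Review bot: With `AGENT_USERNAME` and `AGENT_PASSWORD` removed here and from the agent DaemonSet, nothing in this diff references the `agent-credentials` Secret any more. Check after the upgrade that the Secret is actually deleted from the namespace and that any machine registered on the LAPI with those credentials is removed, so the old static password stops being a valid login.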
This PR contains the following updates:
0.15.0 -> 0.16.0
Release Notes
crowdsecurity/helm-charts (crowdsec)
v0.16.0
Crowdsec helm chart is an open-source, lightweight agent to detect and respond to bad behaviours.
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.