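# Values for the CrowdSec Helm chart. The mapping is anchored so that the
# `tool` entry at the bottom can hand it over unchanged as `values`.
crowdsec: &crowdsec_config
  # for raw logs format: json or cri (docker|containerd)
  container_runtime: docker
  agent:
    # Schedule agent pods only on nodes carrying the control-plane role label.
    affinity:
      nodeAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
            - matchExpressions:
                - key: node-role.kubernetes.io/control-plane
                  operator: Exists
    # Specify each pod whose logs you want to process
    acquisition:
      # The namespace where the pod is located
      - namespace: kube-system
        # The pod name
        podName: traefik-*
        # as in crowdsec configuration, we need to specify the program name to find a matching parser
        program: traefik
    env:
      - name: COLLECTIONS
        value: "crowdsecurity/traefik crowdsecurity/http-cve"
      - name: TZ
        value: Europe/Paris
  lapi:
    # Start the replacement pod before the old one is removed
    # (maxUnavailable: 0, maxSurge: 1).
    strategy:
      type: RollingUpdate
      rollingUpdate:
        maxUnavailable: 0
        maxSurge: 1
    env:
      - name: TZ
        value: Europe/Paris
      # To enroll the Security Engine to the console
      # NOTE(review): this enrollment key is a credential stored in clear text,
      # unlike DB_USER / DB_PASSWORD below. Prefer valueFrom.secretKeyRef for it
      # as well, and rotate the key if this file has been shared or committed.
      - name: ENROLL_KEY
        value: "cmieq72i3000802jr1wx8kply"
      - name: ENROLL_INSTANCE_NAME
        value: "homelab"
      - name: ENROLL_TAGS
        value: "k3s rpi test"
      # Database credentials are read from a Kubernetes Secret, not from this
      # file.
      - name: DB_USER
        valueFrom:
          secretKeyRef:
            name: crowdsec-db-credentials
            key: username
      - name: DB_PASSWORD
        valueFrom:
          secretKeyRef:
            name: crowdsec-db-credentials
            key: password
  appsec:
    enabled: true
    acquisitions:
      - appsec_config: crowdsecurity/appsec-default
        labels:
          type: appsec
        # NOTE(review): listens on every interface of the pod. Limit which
        # workloads can reach port 7422 (for example with a NetworkPolicy) so
        # that only the intended remediation component can query it.
        listen_addr: 0.0.0.0:7422
        path: /
        source: appsec
    env:
      - name: TZ
        value: Europe/Paris
      - name: COLLECTIONS
        value: "crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules"
    resources:
      limits:
        cpu: "500m"
        memory: "300Mi"
      requests:
        cpu: "100m"
        memory: "200Mi"
  config:
    # Local override of the CrowdSec configuration. ${DB_USER} and
    # ${DB_PASSWORD} are presumably expanded from the lapi env entries of the
    # same name, so no database credential is written in this file.
    # NOTE(review): db_config sets no sslmode; confirm whether the connection
    # to pgbouncer.tools has to be encrypted in this cluster.
    # NOTE(review): auto_registration accepts any client inside allowed_ranges
    # that presents the registration token. 192.168.0.0/16 and 172.16.0.0/12
    # are broader than a single pod CIDR; narrow the list to the ranges the
    # cluster really uses (presumably 10.42.0.0/16 here, to be confirmed).
    config.yaml.local: |
      db_config:
        type: postgresql
        user: ${DB_USER}
        password: ${DB_PASSWORD}
        db_name: crowdsec
        host: pgbouncer.tools
        port: 5432
      api:
        server:
          auto_registration: # Activate if not using TLS for authentication
            enabled: true
            token: "${REGISTRATION_TOKEN}" # /!\ do not change
            allowed_ranges: # /!\ adapt to the pod IP ranges used by your cluster
              - "127.0.0.1/32"
              - "192.168.0.0/16"
              - "10.42.0.0/16"
              - "172.16.0.0/12"

tool:
  # kind: 'SubChart' or 'HelmChart', if subchart then uncomment Chart.yaml dependency, else comment and use tool library with helm chart template
  kind: 'SubChart'
  repo: https://crowdsecurity.github.io/helm-charts
  chart: crowdsec
  # Quoted so the pinned chart version is always read as a string.
  version: '0.20.1'
  values: *crowdsec_config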