From 0d0fd95991188aa1487ee487a8f91f7549bada06 Mon Sep 17 00:00:00 2001
From: Davide Piu
Date: Thu, 19 Feb 2026 23:06:26 +0000
Subject: [PATCH] feat: deploy Wave 2 - CrowdSec + Velero

- CrowdSec: LAPI + Agent with containerd runtime, Traefik log acquisition
- Velero: with AWS plugin, placeholder BSL (needs S3 storage config later)
- Both with reduced resources for 4GB VPS

---
 clusters/lab/backup/velero.yaml | 75 +++++++++++++++++++++++++
 clusters/lab/security/crowdsec.yaml | 85 +++++++++++++++++++++++++++++
 2 files changed, 160 insertions(+)
 create mode 100644 clusters/lab/backup/velero.yaml
 create mode 100644 clusters/lab/security/crowdsec.yaml

diff --git a/clusters/lab/backup/velero.yaml b/clusters/lab/backup/velero.yaml
new file mode 100644
index 0000000..35599be
--- /dev/null
+++ b/clusters/lab/backup/velero.yaml
@@ -0,0 +1,75 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: vmware-tanzu
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://vmware-tanzu.github.io/helm-charts
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: velero
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: velero
+ namespace: flux-system
+spec:
+ interval: 1h
+ targetNamespace: velero
+ install:
+ createNamespace: true
+ chart:
+ spec:
+ chart: velero
+ sourceRef:
+ kind: HelmRepository
+ name: vmware-tanzu
+ interval: 1h
+ values:
+ resources:
+ requests:
+ cpu: 50m
+ memory: 128Mi
+ limits:
+ cpu: 500m
+ memory: 256Mi
+ initContainers:
+ - name: velero-plugin-for-aws
+ image: velero/velero-plugin-for-aws:v1.13.1
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - mountPath: /target
+ name: plugins
+ deployNodeAgent: true
+ nodeAgent:
+ resources:
+ requests:
+ cpu: 50m
+ memory: 64Mi
+ limits:
+ cpu: 500m
+ memory: 256Mi
+ configuration:
+ backupStorageLocation:
+ - name: default
+ provider: aws
+ bucket: velero-backups
+ default: true
+ config:
+ region: eu-central-1
+ s3ForcePathStyle: "true"
+ s3Url: http://placeholder:9000
+ volumeSnapshotLocation: []
+ credentials:
+ useSecret: true
+ secretContents:
+ cloud: |
+ [default]
+ aws_access_key_id=placeholder
+ aws_secret_access_key=placeholder
+ schedules: {}
diff --git a/clusters/lab/security/crowdsec.yaml b/clusters/lab/security/crowdsec.yaml
new file mode 100644
index 0000000..893e92c
--- /dev/null
+++ b/clusters/lab/security/crowdsec.yaml
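Review bot: `credentials.secretContents.cloud` keeps the AWS access key pair inline in a Flux-managed manifest, so the moment the placeholders are replaced the real credentials land in git history; with `useSecret: true` the chart's `credentials.existingSecret` lets the release point at a Secret created out-of-band (SOPS, External Secrets) instead, and `secretContents` can be dropped. `s3Url: http://placeholder:9000` is plain HTTP, so when the real object store is wired in the backup data would travel unencrypted unless the scheme is changed to `https://` rather than only the host. Quoting `s3ForcePathStyle: "true"` is correct, since the BSL `config` map takes string values; the placeholder BSL itself is already called out in the commit message.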
@@ -0,0 +1,85 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: crowdsec
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://crowdsecurity.github.io/helm-charts
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: crowdsec
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: crowdsec
+ namespace: flux-system
+spec:
+ interval: 1h
+ targetNamespace: crowdsec
+ install:
+ createNamespace: true
+ chart:
+ spec:
+ chart: crowdsec
+ sourceRef:
+ kind: HelmRepository
+ name: crowdsec
+ interval: 1h
+ values:
+ container_runtime: containerd
+ lapi:
+ enabled: true
+ replicas: 1
+ env:
+ - name: ENROLL_KEY
+ value: ""
+ resources:
+ requests:
+ cpu: 50m
+ memory: 128Mi
+ limits:
+ cpu: 500m
+ memory: 256Mi
+ persistentVolume:
+ data:
+ enabled: true
+ size: 1Gi
+ config:
+ enabled: true
+ size: 100Mi
+ agent:
+ enabled: true
+ resources:
+ requests:
+ cpu: 50m
+ memory: 64Mi
+ limits:
+ cpu: 500m
+ memory: 256Mi
+ acquisition:
+ - namespace: kube-system
+ podName: traefik-*
+ program: traefik
+ env:
+ - name: COLLECTIONS
+ value: "crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/linux"
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-ingress-from-traefik
+ namespace: crowdsec
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
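Review bot: The NetworkPolicy at the end of the hunk selects every pod in `crowdsec` (`podSelector: {}`) but only admits ingress from the `kube-system` namespace, so if the cluster's CNI enforces NetworkPolicy the agent pods deployed in the same namespace can no longer reach the LAPI; add a same-namespace rule, `- podSelector: {}`, as a second entry under `from:`. The kube-system rule is also broader than its name `allow-ingress-from-traefik` suggests — any pod in that namespace, not only Traefik, can reach the LAPI — so pairing the `namespaceSelector` with a `podSelector` matching whatever labels the Traefik pods carry would narrow it to the intended client. Separately, `ENROLL_KEY` is set as an inline `value: ""`, which invites committing the real enrollment key into this file later; a `valueFrom.secretKeyRef` pointing at a Secret managed outside git avoids that.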