feat: deploy Wave 2 - CrowdSec + Velero

- CrowdSec: LAPI + Agent with containerd runtime, Traefik log acquisition
- Velero: with AWS plugin, placeholder BSL (needs S3 storage config later)
- Both with reduced resources for 4GB VPS

clusters/lab/backup/velero.yaml

@@ -0,0 +1,75 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: vmware-tanzu
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://vmware-tanzu.github.io/helm-charts
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: velero
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: velero
+  namespace: flux-system
+spec:
+  interval: 1h
+  targetNamespace: velero
+  install:
+    createNamespace: true
+  chart:
+    spec:
+      chart: velero
+      sourceRef:
+        kind: HelmRepository
+        name: vmware-tanzu
+      interval: 1h
+  values:
+    resources:
+      requests:
+        cpu: 50m
+        memory: 128Mi
+      limits:
+        cpu: 500m
+        memory: 256Mi
+    initContainers:
+    - name: velero-plugin-for-aws
+      image: velero/velero-plugin-for-aws:v1.13.1
+      imagePullPolicy: IfNotPresent
+      volumeMounts:
+      - mountPath: /target
+        name: plugins
+    deployNodeAgent: true
+    nodeAgent:
+      resources:
+        requests:
+          cpu: 50m
+          memory: 64Mi
+        limits:
+          cpu: 500m
+          memory: 256Mi
+    configuration:
+      backupStorageLocation:
+      - name: default
+        provider: aws
+        bucket: velero-backups
+        default: true
+        config:
+          region: eu-central-1
+          s3ForcePathStyle: "true"
+          s3Url: http://placeholder:9000
+      volumeSnapshotLocation: []
+    credentials:
+      useSecret: true
+      secretContents:
+        cloud: |
+          [default]
+          aws_access_key_id=placeholder
+          aws_secret_access_key=placeholder
+    schedules: {}

clusters/lab/security/crowdsec.yaml

@@ -0,0 +1,85 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: crowdsec
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://crowdsecurity.github.io/helm-charts
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: crowdsec
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: crowdsec
+  namespace: flux-system
+spec:
+  interval: 1h
+  targetNamespace: crowdsec
+  install:
+    createNamespace: true
+  chart:
+    spec:
+      chart: crowdsec
+      sourceRef:
+        kind: HelmRepository
+        name: crowdsec
+      interval: 1h
+  values:
+    container_runtime: containerd
+    lapi:
+      enabled: true
+      replicas: 1
+      env:
+      - name: ENROLL_KEY
+        value: ""
+      resources:
+        requests:
+          cpu: 50m
+          memory: 128Mi
+        limits:
+          cpu: 500m
+          memory: 256Mi
+      persistentVolume:
+        data:
+          enabled: true
+          size: 1Gi
+        config:
+          enabled: true
+          size: 100Mi
+    agent:
+      enabled: true
+      resources:
+        requests:
+          cpu: 50m
+          memory: 64Mi
+        limits:
+          cpu: 500m
+          memory: 256Mi
+      acquisition:
+      - namespace: kube-system
+        podName: traefik-*
+        program: traefik
+      env:
+      - name: COLLECTIONS
+        value: "crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/linux"
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-from-traefik
+  namespace: crowdsec
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system