fix: tls and missing env variables

charts/crowdsec/templates/agent-deployment.yaml

@@ -48,7 +48,7 @@ spec:
 {{ toYaml .Values.image.pullSecrets | indent 8 }}
       {{- end }}
       initContainers:
-      {{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }}
+      {{- if not .Values.tls.agent.tlsClientAuth }}
       - name: wait-for-lapi-and-register
         image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -68,11 +68,13 @@ spec:
         securityContext:
           allowPrivilegeEscalation: false
           privileged: false
-        {{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }}
+        {{- if not .Values.tls.agent.tlsClientAuth }}
         volumeMounts:
           - name: crowdsec-config
             mountPath: /tmp_config
+        {{- end }}
         env:
+          {{- if not .Values.tls.agent.tlsClientAuth }}
           - name: REGISTRATION_TOKEN
             valueFrom:
               secretKeyRef:
@@ -84,19 +86,19 @@ spec:
                 fieldPath: metadata.name
           - name: LAPI_URL
             value: "{{ .Values.agent.lapiURL | default (printf "http://%s-service.%s:8080" .Release.Name .Release.Namespace) }}"
+          {{- end }}
           - name: LAPI_HOST
             value: "{{ .Values.agent.lapiHost | default (printf "%s-service.%s" .Release.Name .Release.Namespace) }}"
           - name: LAPI_PORT
             value: "{{ .Values.agent.lapiPort | default "8080" }}"
-        {{- end }}
       {{- if .Values.agent.extraInitContainers }}
       {{- toYaml .Values.agent.extraInitContainers | nindent 6 }}
       {{- end }}
       containers:
       - name: crowdsec-agent
         image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
-    {{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }}
+    {{- if not .Values.tls.agent.tlsClientAuth }}
       {{- if .Values.agent.persistentVolume.config.enabled }}
         command: ['sh', '-c', 'cp /tmp_config/local_api_credentials.yaml /staging/etc/crowdsec/local_api_credentials.yaml && mv -n /staging/etc/crowdsec/* /etc/crowdsec_data/ && rm -rf /staging/etc/crowdsec && ln -s /etc/crowdsec_data /etc/crowdsec && ./docker_start.sh']
       {{- else }}
@@ -175,7 +177,7 @@ spec:
           privileged: false
 
         volumeMounts:
-          {{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }}
+          {{- if not .Values.tls.agent.tlsClientAuth }}
           - name: crowdsec-config
             mountPath: /tmp_config
           {{- end }}
@@ -241,7 +243,7 @@ spec:
           {{- end }}
       terminationGracePeriodSeconds: 30
       volumes:
-      {{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }}
+      {{- if not .Values.tls.agent.tlsClientAuth }}
       - name: crowdsec-config
         emptyDir: {}
       {{- end }}

charts/crowdsec/templates/lapi-deployment.yaml

@@ -76,6 +76,8 @@ spec:
           {{- if .Values.tls.enabled }}
           - name: LOCAL_API_URL
             value: https://localhost:8080
+          - name: AGENTS_ALLOWED_OU
+            value: agent-ou,appsec-ou
           {{- else }}
           - name: LOCAL_API_URL
             value: http://localhost:8080

charts/crowdsec/values.yaml

@@ -141,7 +141,7 @@ tls:
       namespaces: []
   appsec:
     tlsClientAuth: true
-    secret: "{{ .Release.Name }}-agent-tls"
+    secret: "{{ .Release.Name }}-appsec-tls"
     reflector:
       namespaces: []
   lapi: