Add image variants, PDB/updateStrategy, feature.yaml and optional acquisition container selection

charts/crowdsec/templates/_helpers.tpl

@@ -67,7 +67,7 @@ true
   lapi custom config check
 */}}
 {{ define "lapiCustomConfigIsNotEmpty" }}
-{{- if or (index .Values.config "profiles.yaml") (index .Values.config "config.yaml.local") ((include "notificationsIsNotEmpty" .)) }}
+{{- if or (index .Values.config "profiles.yaml") (index .Values.config "config.yaml.local") ((include "notificationsIsNotEmpty" .)) (index .Values.config "feature.yaml") }}
 true
 {{- end -}}
 {{- end -}}
@@ -94,6 +94,18 @@ true
 {{- $IsCAPIDisabled }}
 {{- end }}
 
+{{/*
+  Return the tag suffix to use for registration jobs images.
+  Falls back to image.tagSuffix when image.jobs.tagSuffix is null.
+*/}}
+{{- define "jobsImageTagSuffix" -}}
+{{- if kindIs "invalid" .Values.image.jobs.tagSuffix -}}
+{{- .Values.image.tagSuffix -}}
+{{- else -}}
+{{- .Values.image.jobs.tagSuffix -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
   Return the kubectl helper image used by registration jobs.
   If image.kubectl.tag is empty, default to latest.

charts/crowdsec/templates/acquis-configmap.yaml

@@ -10,7 +10,11 @@ data:
     {{- range .Values.agent.acquisition }}
     ---
     filenames:
+    {{- if .containerName }}
+      - /var/log/containers/{{ .podName }}_{{ .namespace }}_{{ .containerName }}-*.log
+    {{- else }}
       - /var/log/containers/{{ .podName }}_{{ .namespace }}_*.log
+    {{- end }}
     force_inotify: true
     poll_without_inotify: {{ .poll_without_inotify | default "false"}}
     labels:
@@ -25,4 +29,4 @@ data:
     {{ fail "No acquisition or additionalAcquisition configured" }}
     {{- end }}
 
-{{- end }}
+{{- end }}

charts/crowdsec/templates/agent-daemonSet.yaml

@@ -16,6 +16,7 @@ spec:
     matchLabels:
       k8s-app: {{ .Release.Name }}
       type: agent
+  updateStrategy: {{- toYaml .Values.agent.updateStrategy | nindent 4 }}
   template:
     metadata:
       annotations:
@@ -51,7 +52,7 @@ spec:
       initContainers:
       {{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }}
       - name: wait-for-lapi-and-register
-        image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}{{ .Values.image.tagSuffix }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         command: ['sh', '-c', 'until nc "$LAPI_HOST" "$LAPI_PORT" -z; do echo waiting for lapi to start; sleep 5; done; ln -s /staging/etc/crowdsec /etc/crowdsec && cscli lapi register --machine "$USERNAME" -u "$LAPI_URL" --token "$REGISTRATION_TOKEN" && cp /etc/crowdsec/local_api_credentials.yaml /tmp_config/local_api_credentials.yaml']
       {{- else }}
@@ -96,7 +97,7 @@ spec:
       {{- end }}
       containers:
       - name: crowdsec-agent
-        image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}{{ .Values.image.tagSuffix }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
     {{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }}
       {{- if .Values.agent.persistentVolume.config.enabled }}
@@ -247,6 +248,11 @@ spec:
             mountPath: {{ $crowdsecConfig }}/config.yaml.local
             subPath: config.yaml.local
           {{- end }}
+          {{- if index .Values.config "feature.yaml" }}
+          - name: crowdsec-feature-volume
+            mountPath: {{ $crowdsecConfig }}/feature.yaml
+            subPath: feature.yaml
+          {{- end }}
 
       terminationGracePeriodSeconds: 30
       volumes:
@@ -329,6 +335,11 @@ spec:
         configMap:
           name: crowdsec-agent-config-local
       {{- end }}
+      {{- if index .Values.config "feature.yaml" }}
+      - name: crowdsec-feature-volume
+        configMap:
+          name: crowdsec-feature
+      {{- end }}
       {{- if .Values.agent.extraVolumes }}
       {{ toYaml .Values.agent.extraVolumes | nindent 6 }}
       {{- end }}

charts/crowdsec/templates/agent-deployment.yaml

@@ -53,7 +53,7 @@ spec:
       initContainers:
       {{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }}
       - name: wait-for-lapi-and-register
-        image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}{{ .Values.image.tagSuffix }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         command: ['sh', '-c', 'until nc "$LAPI_HOST" "$LAPI_PORT" -z; do echo waiting for lapi to start; sleep 5; done; ln -s /staging/etc/crowdsec /etc/crowdsec && cscli lapi register --machine "$USERNAME" -u "$LAPI_URL" --token "$REGISTRATION_TOKEN" && cp /etc/crowdsec/local_api_credentials.yaml /tmp_config/local_api_credentials.yaml']
       {{- else }}
@@ -96,7 +96,7 @@ spec:
       {{- end }}
       containers:
       - name: crowdsec-agent
-        image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}{{ .Values.image.tagSuffix }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
     {{- if or (not .Values.tls.enabled) (not .Values.tls.agent.tlsClientAuth) }}
       {{- if .Values.agent.persistentVolume.config.enabled }}
@@ -251,6 +251,11 @@ spec:
             mountPath: {{ $crowdsecConfig }}/config.yaml.local
             subPath: config.yaml.local
           {{- end }}
+          {{- if index .Values.config "feature.yaml" }}
+          - name: crowdsec-feature-volume
+            mountPath: {{ $crowdsecConfig }}/feature.yaml
+            subPath: feature.yaml
+          {{- end }}
 
       terminationGracePeriodSeconds: 30
       volumes:
@@ -333,6 +338,11 @@ spec:
         configMap:
           name: crowdsec-agent-config-local
       {{- end }}
+      {{- if index .Values.config "feature.yaml" }}
+      - name: crowdsec-feature-volume
+        configMap:
+          name: crowdsec-feature
+      {{- end }}
       {{- if .Values.agent.extraVolumes }}
       {{ toYaml .Values.agent.extraVolumes | nindent 6 }}
       {{- end }}

charts/crowdsec/templates/appsec-deployment.yaml

@@ -53,7 +53,7 @@ spec:
       initContainers:
       {{- if or (not .Values.tls.enabled) (not .Values.tls.appsec.tlsClientAuth) }}
       - name: wait-for-lapi-and-register
-        image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}{{ .Values.image.tagSuffix }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         command: ['sh', '-c', 'until nc "$LAPI_HOST" "$LAPI_PORT" -z; do echo waiting for lapi to start; sleep 5; done; ln -s /staging/etc/crowdsec /etc/crowdsec && cscli lapi register --machine "$USERNAME" -u "$LAPI_URL" --token "$REGISTRATION_TOKEN" && cp /etc/crowdsec/local_api_credentials.yaml /tmp_config/local_api_credentials.yaml']
       {{- else }}
@@ -110,7 +110,7 @@ spec:
       {{- end }}
       containers:
       - name: crowdsec-appsec
-        image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}{{ .Values.image.tagSuffix }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         {{- if or (not .Values.tls.enabled) (not .Values.tls.appsec.tlsClientAuth) }}
         command: ['sh', '-c', 'cp /tmp_config/local_api_credentials.yaml /staging/etc/crowdsec/local_api_credentials.yaml && ./docker_start.sh']

charts/crowdsec/templates/capi-register-job.yaml

@@ -52,7 +52,7 @@ spec:
               mountPath: /kubectl-bin
       containers:
         - name: capi-register
-          image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}{{ include "jobsImageTagSuffix" . }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           volumeMounts:
             - name: kubectl-bin

charts/crowdsec/templates/cscli-lapi-register-job.yaml

@@ -51,7 +51,7 @@ spec:
               mountPath: /kubectl-bin
       containers:
         - name: lapi-cscli-register
-          image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}{{ include "jobsImageTagSuffix" . }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           volumeMounts:
             - name: kubectl-bin

charts/crowdsec/templates/feature-configmap.yaml

@@ -0,0 +1,9 @@
+{{- if index .Values.config "feature.yaml" }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: crowdsec-feature
+data:
+  feature.yaml: |
+{{ printf "%+v" (index .Values.config "feature.yaml") | indent 4 }}
+{{- end }}

charts/crowdsec/templates/lapi-deployment.yaml

@@ -56,7 +56,7 @@ spec:
       {{- end }}
       containers:
       - name: crowdsec-lapi
-        image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}{{ .Values.image.tagSuffix }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         {{- if .Values.lapi.envFrom }}
         envFrom:
@@ -236,6 +236,11 @@ spec:
             mountPath: {{ $crowdsecConfig }}/config.yaml.local
             subPath: config.yaml.local
           {{ end }}
+          {{ if index .Values.config "feature.yaml" }}
+          - name: crowdsec-feature-volume
+            mountPath: {{ $crowdsecConfig }}/feature.yaml
+            subPath: feature.yaml
+          {{ end }}
           {{- if (include "notificationsIsNotEmpty" .) -}}
           {{ range $fileName, $content := .Values.config.notifications -}}
           {{- if $content }}
@@ -306,6 +311,11 @@ spec:
         configMap:
           name: crowdsec-config-local
       {{- end }}
+      {{ if index .Values.config "feature.yaml" }}
+      - name: crowdsec-feature-volume
+        configMap:
+          name: crowdsec-feature
+      {{- end }}
       {{- if (include "notificationsIsNotEmpty" .) -}}
       {{ range $fileName, $content := .Values.config.notifications -}}
       {{- if $content }}

charts/crowdsec/templates/lapi-pdb.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.lapi.enabled }}
+{{- if .Values.lapi.podDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ .Release.Name }}-lapi-pdb
+  labels:
+    k8s-app: {{ .Release.Name }}
+    type: lapi
+spec:
+  selector:
+    matchLabels:
+      k8s-app: {{ .Release.Name }}
+      type: lapi
+  {{- if not (kindIs "invalid" .Values.lapi.podDisruptionBudget.minAvailable) }}
+  minAvailable: {{ .Values.lapi.podDisruptionBudget.minAvailable }}
+  {{- else if not (kindIs "invalid" .Values.lapi.podDisruptionBudget.maxUnavailable) }}
+  maxUnavailable: {{ .Values.lapi.podDisruptionBudget.maxUnavailable }}
+  {{- end }}
+{{- end }}
+{{- end }}

charts/crowdsec/values.schema.json

@@ -43,6 +43,9 @@
                 "tag": {
                     "type": "string"
                 },
+                "tagSuffix": {
+                    "type": "string"
+                },
                 "pullPolicy": {
                     "type": "string"
                 },
@@ -63,6 +66,14 @@
                         "repository",
                         "pullPolicy"
                     ]
+                },
+                "jobs": {
+                    "type": "object",
+                    "properties": {
+                        "tagSuffix": {
+                            "type": ["string", "null"]
+                        }
+                    }
                 }
             },
             "required": [
@@ -163,6 +174,9 @@
                 "podName": {
                     "type": "string"
                 },
+                "containerName": {
+                    "type": "string"
+                },
                 "program": {
                     "type": "string"
                 },
@@ -213,6 +227,9 @@
                 },
                 "appsec_config.yaml.local": {
                     "type": "string"
+                },
+                "feature.yaml": {
+                    "type": "string"
                 }
             },
             "title": "Config"

charts/crowdsec/values.yaml

@@ -23,6 +23,9 @@ image:
   ## @param image.tag [string] docker image tag (empty defaults to chart AppVersion)
   tag: ""
 
+  ## @param image.tagSuffix [string] Suffix appended to the image tag. E.g. set to "-debian" to use crowdsec:v1.6.0-debian
+  tagSuffix: ""
+
   ## @param image.kubectl.repository [default: alpine/kubectl] [string] kubectl image repository used by registration jobs initContainers
   ## @param image.kubectl.tag [default: latest] [string] kubectl image tag (override to match your cluster version if you encounter issues with registration jobs)
   ## @param image.kubectl.pullPolicy [default: IfNotPresent] [string] kubectl image pull policy (Always, IfNotPresent, Never)
@@ -31,6 +34,10 @@ image:
     tag: latest
     pullPolicy: IfNotPresent
 
+  ## @param image.jobs.tagSuffix [string,nullable] Suffix appended to the image tag for registration jobs. When null (default), inherits from image.tagSuffix. Set to "" to use the Alpine-based image when image.tagSuffix is "-debian" (jobs use apk and are incompatible with the Debian image).
+  jobs:
+    tagSuffix: ~
+
 ## @param podAnnotations [object] podAnnotations to be added to pods (string:string map)
 podAnnotations: {}
   # Uncomment the following lines if you use Prometheus Helm Chart rather than Prometheus Operator.
@@ -161,6 +168,14 @@ config:
   ## @param config.appsec_config.yaml.local This configuration file is merged with appsec pod main configuration file
   appsec_config.yaml.local: ""
 
+  # -- Feature flags configuration (https://docs.crowdsec.net/docs/configuration/feature_flags)
+  # This file is mounted in both lapi and agent pods
+  ## @param config.feature.yaml Feature flags to enable or disable experimental CrowdSec features
+  feature.yaml: ""
+  #   |
+  # - cscli_setup
+  # - re2_grok_support
+
 # @section tls
 tls:
   ## @param tls.enabled  Is tls enabled ?
@@ -443,6 +458,15 @@ lapi:
   # -- If set to true, the credentials used by cscli in the LAPI pod will be stored in a secret. Useful when lapi replicas > 1, as they will be reused in the replicas, and will limit the number of "fake" LPs in the console.
   ## @param lapi.storeLAPICscliCredentialsInSecret [default: false] [object] Store LAPI cscli credentials in a Secret. Useful if LAPI replicas > 1 or to setup LAPI with a persistent volume.
   storeLAPICscliCredentialsInSecret: false
+
+  ## @param lapi.podDisruptionBudget.enabled Enable PodDisruptionBudget for LAPI pods
+  ## @param lapi.podDisruptionBudget.minAvailable [nullable] Minimum number of available LAPI pods during voluntary disruptions. Use either minAvailable or maxUnavailable, not both.
+  ## @param lapi.podDisruptionBudget.maxUnavailable [nullable] Maximum number of unavailable LAPI pods during voluntary disruptions. Use either minAvailable or maxUnavailable, not both.
+  podDisruptionBudget:
+    enabled: false
+    minAvailable: 1
+    # maxUnavailable: 1
+
 # agent will deploy pod on every node as daemonSet to read wanted pods logs
 ## @section agent
 agent:
@@ -472,6 +496,12 @@ agent:
   strategy:
     type: Recreate
 
+  ## @param agent.updateStrategy [object] Update strategy for the agent DaemonSet (when isDeployment is false)
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+
   # -- add your custom ports here, by default we expose port 6060 for metrics if metrics is enabled
   ## @param agent.ports [array] Custom container ports to expose (default: metrics port 6060 if enabled)
   ports: []
@@ -490,12 +520,14 @@ agent:
     #   listen_port: 4242
     #   labels:
     #     type: syslog
-  # -- Specify each pod you want to process it logs (namespace, podName and program)
-  ## @param agent.acquisition [array] Pod log acquisition definitions (namespace, podName, program, etc.)
+  # -- Specify each pod you want to process it logs (namespace, podName, optional containerName, and program)
+  ## @param agent.acquisition [array] Pod log acquisition definitions (namespace, podName, optional containerName, program, etc.)
   acquisition: []
     #- namespace: "" #ingress-nginx
     # -- to select pod logs to process
     #  podName: "" #ingress-nginx-controller-*
+    # -- optional container name to restrict acquisition to a single container within matching pods
+    #  containerName: "" #controller
     # -- program name related to specific parser you will use (see https://hub.crowdsec.net/author/crowdsecurity/configurations/docker-logs)
     #  program: "" #nginx
     # -- If set to true, will poll the files using os.Stat instead of using inotify