crowdsecurity · sabban · Apr 7, 2026 · Apr 8, 2026 · Apr 9, 2026 · Apr 10, 2026
diff --git a/charts/crowdsec/README.md b/charts/crowdsec/README.md
@@ -7,6 +7,8 @@ Crowdsec helm chart is an open-source, lightweight agent to detect and respond t
 - [crowdsec](#crowdsec)
   - [Chart Repository](#chart-repository)
   - [Installing the Chart](#installing-the-chart)
+  - [Supplying Custom Parser, Scenario, and Postoverflow Files](#supplying-custom-parser-scenario-and-postoverflow-files)
+  - [Supplying Custom AppSec Config and Rule Files](#supplying-custom-appsec-config-and-rule-files)
   - [Uninstalling the Chart](#uninstalling-the-chart)
   - [Authentication](#authentication)
     - [Auto registration token](#auto-registration-token)
@@ -48,6 +50,139 @@ kubectl create ns crowdsec
 helm install crowdsec crowdsec/crowdsec -f crowdsec-values.yaml -n crowdsec
 ```
 
+## Supplying Custom Parser, Scenario, and Postoverflow Files
+
+The chart already supports passing custom parsers, scenarios, and postoverflows as raw file content through values. This works with both local and remote charts.
+
+Helm templates cannot read arbitrary files from the client machine during rendering. In practice, that means a remote chart cannot use `.Files` or `.Files.Glob` to read files that only exist on the user's workstation. The supported workflow is to inject the file contents into values and let the chart write them into ConfigMaps unchanged.
+
+You can split your configuration across multiple values files:
+
+```sh
+helm upgrade --install crowdsec crowdsec/crowdsec \
+  -n crowdsec \
+  -f crowdsec-values.yaml \
+  -f parsers.yaml \
+  -f scenarios.yaml \
+  -f postoverflows.yaml
+```
+
+Example values files:
+
+```yaml
+# parsers.yaml
+config:
+  parsers:
+    s01-parse:
+      my-parser.yaml: |
+        name: my/parser
+        filter: "evt.Meta.log_type == 'my-type'"
+        onsuccess: next_stage
+```
+
+```yaml
+# scenarios.yaml
+config:
+  scenarios:
+    my-scenario.yaml: |
+      type: trigger
+      name: my/scenario
+      filter: "evt.Meta.log_type == 'my-type'"
+      groupby: evt.Meta.source_ip
+```
+
+```yaml
+# postoverflows.yaml
+config:
+  postoverflows:
+    s01-whitelist:
+      my-whitelist.yaml: |
+        name: my/whitelist
+        whitelist:
+          reason: "trusted source"
+          expression:
+            - evt.Parsed.remote_addr == '127.0.0.1'
+```
+
+If you prefer to keep each object in its own local file, use `--set-file`. Helm will read the local file and assign its content to the matching value key as a string:
+
+```sh
+helm upgrade --install crowdsec crowdsec/crowdsec \
+  -n crowdsec \
+  -f crowdsec-values.yaml \
+  --set-file config.parsers.s01-parse.my-parser\.yaml=./my-parser.yaml \
+  --set-file config.scenarios.my-scenario\.yaml=./my-scenario.yaml \
+  --set-file config.postoverflows.s01-whitelist.my-whitelist\.yaml=./my-whitelist.yaml
+```
+
+This content is emitted into the generated ConfigMaps as-is, so the YAML files stay untouched by the chart logic.
+Filenames without a `.yaml` or `.yml` suffix are also accepted. If the key contains dots, escape them in `--set`/`--set-file`.
+
+## Supplying Custom AppSec Config and Rule Files
+
+The chart supports passing custom AppSec configuration and rule files as raw file content through values. This works with both local and remote charts, using the same approach as custom parsers, scenarios, and postoverflows.
+
+AppSec configs are mounted at `/etc/crowdsec/appsec-configs/` and rules at `/etc/crowdsec/appsec-rules/` inside the AppSec pod.
+
+You can split your AppSec configuration across multiple values files:
+
+```sh
+helm upgrade --install crowdsec crowdsec/crowdsec \
+  -n crowdsec \
+  -f crowdsec-values.yaml \
+  -f appsec-configs.yaml \
+  -f appsec-rules.yaml
+```
+
+Example values files:
+
+```yaml
+# appsec-configs.yaml
+appsec:
+  configs:
+    my-appsec-config.yaml: |
+      name: my/appsec-config
+      default_remediation: ban
+      inband_rules:
+        - crowdsecurity/base-config
+        - crowdsecurity/vpatch-*
+```
+
+```yaml
+# appsec-rules.yaml
+appsec:
+  rules:
+    my-appsec-rule.yaml: |
+      name: my/appsec-rule
+      description: "Detect example pattern"
+      rules:
+        - zones:
+            - URI
+          transform:
+            - lowercase
+          match:
+            type: contains
+            value: this-is-a-test
+      labels:
+        type: exploit
+        service: http
+        behavior: "http:exploit"
+        confidence: 3
+        spoofable: 0
+```
+
+If you prefer to keep each file on disk and inject it, use `--set-file`. Helm reads the local file and assigns its content to the matching value key:
+
+```sh
+helm upgrade --install crowdsec crowdsec/crowdsec \
+  -n crowdsec \
+  -f crowdsec-values.yaml \
+  --set-file appsec.configs.my-appsec-config\.yaml=./my-appsec-config.yaml \
+  --set-file appsec.rules.my-appsec-rule\.yaml=./my-appsec-rule.yaml
+```
+
+This content is emitted into the generated ConfigMaps as-is. Filenames without a `.yaml` or `.yml` suffix are also accepted. If the key contains dots, escape them in `--set`/`--set-file`.
+
 ## Uninstalling the Chart
 
 ```sh

diff --git a/charts/crowdsec/README.md.gotmpl b/charts/crowdsec/README.md.gotmpl
@@ -7,6 +7,8 @@
 
 - [Chart Repository](#chart-repository)
 - [Installing the Chart](#installing-the-chart)
+- [Supplying Custom Parser, Scenario, and Postoverflow Files](#supplying-custom-parser-scenario-and-postoverflow-files)
+- [Supplying Custom AppSec Config and Rule Files](#supplying-custom-appsec-config-and-rule-files)
 - [Uninstalling the Chart](#uninstalling-the-chart)
 - [Authentication](#authentication)
   - [Auto registration token](#auto-registration-token)
@@ -42,6 +44,143 @@ kubectl create ns crowdsec
 helm install crowdsec crowdsec/crowdsec -f crowdsec-values.yaml -n crowdsec
 ```
 
+## Supplying Custom Parser, Scenario, and Postoverflow Files
+
+The chart already supports passing custom parsers, scenarios, and postoverflows as raw file content through values. This works with both local and remote charts.
+
+Helm templates cannot read arbitrary files from the client machine during rendering. In practice, that means a remote chart cannot use `.Files` or `.Files.Glob` to read files that only exist on the user's workstation. The supported workflow is to inject the file contents into values and let the chart write them into ConfigMaps unchanged.
+
+You can split your configuration across multiple values files:
+
+```sh
+helm upgrade --install crowdsec crowdsec/crowdsec \
+  -n crowdsec \
+  -f crowdsec-values.yaml \
+  -f parsers.yaml \
+  -f scenarios.yaml \
+  -f postoverflows.yaml
+```
+
+Example values files:
+
+```yaml
+# parsers.yaml
+config:
+  parsers:
+    s01-parse:
+      my-parser.yaml: |
+        name: my/parser
+        filter: "evt.Meta.log_type == 'my-type'"
+        onsuccess: next_stage
+```
+
+```yaml
+# scenarios.yaml
+config:
+  scenarios:
+    my-scenario.yaml: |
+      type: trigger
+      name: my/scenario
+      filter: "evt.Meta.log_type == 'my-type'"
+      groupby: evt.Meta.source_ip
+```
+
+```yaml
+# postoverflows.yaml
+config:
+  postoverflows:
+    s01-whitelist:
+      my-whitelist.yaml: |
+        name: my/whitelist
+        whitelist:
+          reason: "trusted source"
+          expression:
+            - evt.Parsed.remote_addr == '127.0.0.1'
+```
+
+If you prefer to keep each object in its own local file, use `--set-file`. Helm will read the local file and assign its content to the matching value key as a string:
+
+```sh
+helm upgrade --install crowdsec crowdsec/crowdsec \
+  -n crowdsec \
+  -f crowdsec-values.yaml \
+  --set-file config.parsers.s01-parse.my-parser\.yaml=./my-parser.yaml \
+  --set-file config.scenarios.my-scenario\.yaml=./my-scenario.yaml \
+  --set-file config.postoverflows.s01-whitelist.my-whitelist\.yaml=./my-whitelist.yaml
+```
+
+This content is emitted into the generated ConfigMaps as-is, so the YAML files stay untouched by the chart logic.
+Filenames without a `.yaml` or `.yml` suffix are also accepted. If the key contains dots, escape them in `--set`/`--set-file`.
+
+Be aware that the in the preceding command the file extension has to be escaped.
+Without escaping helm would understand this dot as a new level in the
+configuration.
+
+## Supplying Custom AppSec Config and Rule Files
+
+The chart supports passing custom AppSec configuration and rule files as raw file content through values. This works with both local and remote charts, using the same approach as custom parsers, scenarios, and postoverflows.
+
+AppSec configs are mounted at `/etc/crowdsec/appsec-configs/` and rules at `/etc/crowdsec/appsec-rules/` inside the AppSec pod.
+
+You can split your AppSec configuration across multiple values files:
+
+```sh
+helm upgrade --install crowdsec crowdsec/crowdsec \
+  -n crowdsec \
+  -f crowdsec-values.yaml \
+  -f appsec-configs.yaml \
+  -f appsec-rules.yaml
+```
+
+Example values files:
+
+```yaml
+# appsec-configs.yaml
+appsec:
+  configs:
+    my-appsec-config.yaml: |
+      name: my/appsec-config
+      default_remediation: ban
+      inband_rules:
+        - crowdsecurity/base-config
+        - crowdsecurity/vpatch-*
+```
+
+```yaml
+# appsec-rules.yaml
+appsec:
+  rules:
+    my-appsec-rule.yaml: |
+      name: my/appsec-rule
+      description: "Detect example pattern"
+      rules:
+        - zones:
+            - URI
+          transform:
+            - lowercase
+          match:
+            type: contains
+            value: this-is-a-test
+      labels:
+        type: exploit
+        service: http
+        behavior: "http:exploit"
+        confidence: 3
+        spoofable: 0
+```
+
+If you prefer to keep each file on disk and inject it, use `--set-file`. Helm reads the local file and assigns its content to the matching value key:
+
+```sh
+helm upgrade --install crowdsec crowdsec/crowdsec \
+  -n crowdsec \
+  -f crowdsec-values.yaml \
+  --set-file appsec.configs.my-appsec-config\.yaml=./my-appsec-config.yaml \
+  --set-file appsec.rules.my-appsec-rule\.yaml=./my-appsec-rule.yaml
+```
+
+This content is emitted into the generated ConfigMaps as-is. Filenames without a `.yaml` or `.yml` suffix are also accepted. If the key contains dots, escape them in `--set`/`--set-file`.
+
 ## Uninstalling the Chart
 
 ```sh

diff --git a/charts/crowdsec/templates/_helpers.tpl b/charts/crowdsec/templates/_helpers.tpl
@@ -63,6 +63,24 @@ true
 {{- end -}}
 {{- end -}}
 
+{{/*
+  Kubernetes-safe name for custom file-backed volumes.
+*/}}
+{{- define "crowdsec.volumeName" -}}
+{{- $trimmed := regexReplaceAll "\\.(yaml|yml)$" . "" -}}
+{{- $sanitized := regexReplaceAll "[^a-z0-9-]+" (lower $trimmed) "-" -}}
+{{- $sanitized | trimAll "-" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+  appsec postoverflows parameters check
+*/}}
+{{ define "appsecPostoverflowsIsNotEmpty" }}
+{{- if or (index .Values.appsec.postoverflows "s00-enrich") (index .Values.appsec.postoverflows "s01-whitelist") }}
+true
+{{- end -}}
+{{- end -}}
+
 {{/*
   lapi custom config check
 */}}

diff --git a/charts/crowdsec/templates/agent-daemonSet.yaml b/charts/crowdsec/templates/agent-daemonSet.yaml
@@ -197,7 +197,7 @@ spec:
           {{- range $stage, $stageConfig := .Values.config.parsers -}}
           {{- if $stageConfig -}}
           {{ range $fileName, $content := $stageConfig -}}
-          - name: {{ printf "crowdsec-parsers-%s-%s" $stage (trimSuffix ".yaml" $fileName) }}
+          - name: {{ include "crowdsec.volumeName" (printf "crowdsec-parsers-%s-%s" $stage $fileName) }}
             mountPath: {{ printf "%s/parsers/%s/%s" $crowdsecConfig $stage $fileName }}
             subPath: {{ $fileName }}
           {{ end }}
@@ -206,7 +206,7 @@ spec:
           {{- end }}
           {{- if .Values.config.scenarios -}}
           {{ range $fileName, $content := .Values.config.scenarios -}}
-          - name: {{ printf "crowdsec-scenarios-%s" (trimSuffix ".yaml" $fileName) }}
+          - name: {{ include "crowdsec.volumeName" (printf "crowdsec-scenarios-%s" $fileName) }}
             mountPath: {{ printf "%s/scenarios/%s" $crowdsecConfig $fileName }}
             subPath: {{ $fileName }}
           {{ end }}
@@ -215,7 +215,7 @@ spec:
           {{- range $stage, $stageConfig := .Values.config.postoverflows -}}
           {{- if $stageConfig -}}
           {{ range $fileName, $content := $stageConfig -}}
-          - name: {{ printf "crowdsec-postoverflows-%s-%s" $stage (trimSuffix ".yaml" $fileName) }}
+          - name: {{ include "crowdsec.volumeName" (printf "crowdsec-postoverflows-%s-%s" $stage $fileName) }}
             mountPath: {{ printf "%s/postoverflows/%s/%s" $crowdsecConfig $stage $fileName }}
             subPath: {{ $fileName }}
           {{ end }}
@@ -275,7 +275,7 @@ spec:
       {{- range $stage, $stageConfig := .Values.config.parsers -}}
       {{- if $stageConfig -}}
       {{ range $fileName, $content := $stageConfig -}}
-      - name: {{ printf "crowdsec-parsers-%s-%s" $stage (trimSuffix ".yaml" $fileName) }}
+      - name: {{ include "crowdsec.volumeName" (printf "crowdsec-parsers-%s-%s" $stage $fileName) }}
         configMap:
           name: {{ printf "crowdsec-parsers-%s" $stage }}
           items:
@@ -287,7 +287,7 @@ spec:
       {{- end }}
       {{- if .Values.config.scenarios -}}
       {{ range $fileName, $content := .Values.config.scenarios -}}
-      - name: {{ printf "crowdsec-scenarios-%s" (trimSuffix ".yaml" $fileName) }}
+      - name: {{ include "crowdsec.volumeName" (printf "crowdsec-scenarios-%s" $fileName) }}
         configMap:
           name: "crowdsec-scenarios"
           items:
@@ -299,7 +299,7 @@ spec:
       {{- range $stage, $stageConfig := .Values.config.postoverflows -}}
       {{- if $stageConfig -}}
       {{ range $fileName, $content := $stageConfig -}}
-      - name: {{ printf "crowdsec-postoverflows-%s-%s" $stage (trimSuffix ".yaml" $fileName) }}
+      - name: {{ include "crowdsec.volumeName" (printf "crowdsec-postoverflows-%s-%s" $stage $fileName) }}
         configMap:
           name: {{ printf "crowdsec-postoverflows-%s" $stage }}
           items: