From d6126e33de52fb98c3e818325dbb04de03d99314 Mon Sep 17 00:00:00 2001
From: sabban
Date: Wed, 18 Feb 2026 15:22:44 +0100
Subject: [PATCH] take care of kube datasource
---
 .../crowdsec/templates/agent-daemonSet.yaml | 12 +++++++--
 .../crowdsec/templates/agent-deployment.yaml | 12 +++++++--
 charts/crowdsec/templates/role.yaml | 24 ++++++++++++++++++
 charts/crowdsec/templates/rolebinding.yaml | 25 ++++++++++++++++++-
 charts/crowdsec/templates/serviceaccount.yaml | 25 ++++++++++++++++++-
 5 files changed, 92 insertions(+), 6 deletions(-)
diff --git a/charts/crowdsec/templates/agent-daemonSet.yaml b/charts/crowdsec/templates/agent-daemonSet.yaml
index 94e5ee2..11db680 100644
--- a/charts/crowdsec/templates/agent-daemonSet.yaml
+++ b/charts/crowdsec/templates/agent-daemonSet.yaml
@@ -1,4 +1,12 @@
 {{- if and (.Values.agent.enabled) (not .Values.agent.isDeployment) }}
+{{- $hasKubernetes := false -}}
+{{- if .Values.agent.additionalAcquisition }}
+{{- range .Values.agent.additionalAcquisition }}
+{{- if eq .source "kubernetes" }}
+{{- $hasKubernetes = true -}}
+{{- end }}
+{{- end }}
+{{- end }}
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -37,8 +45,8 @@ spec:
 {{ toYaml .Values.agent.podLabels | trim | indent 8 }}
 {{- end }}
 spec:
- {{- if .Values.agent.serviceAccountName }}
- serviceAccountName: {{ .Values.agent.serviceAccountName }}
+ {{- if or .Values.agent.serviceAccountName $hasKubernetes }}
+ serviceAccountName: {{ default (printf "%s-agent" .Release.Name) .Values.agent.serviceAccountName }}
 {{- end }}
 {{- with .Values.agent.tolerations }}
 tolerations:
diff --git a/charts/crowdsec/templates/agent-deployment.yaml b/charts/crowdsec/templates/agent-deployment.yaml
index adc03cf..0c0d64b 100644
--- a/charts/crowdsec/templates/agent-deployment.yaml
+++ b/charts/crowdsec/templates/agent-deployment.yaml
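Review bot: The `$hasKubernetes` detection added at the top of agent-daemonSet.yaml is copied verbatim into agent-deployment.yaml, role.yaml, rolebinding.yaml and serviceaccount.yaml, so the workload, the RBAC objects and the ServiceAccount only agree as long as all five copies are edited together. Moving it into one named template in the chart's helpers file and calling that from each template removes the drift risk; if one copy diverges, a pod can reference a ServiceAccount that was never rendered, or a ClusterRoleBinding can exist for a workload that does not use it. The outer `{{- if .Values.agent.additionalAcquisition }}` is redundant, because `range` over an empty value does nothing. A comment above the block such as `{{- /* a kubernetes acquisition needs a ServiceAccount that may read pod logs */ -}}` would explain why the flag exists.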
@@ -1,4 +1,12 @@
 {{- if and (.Values.agent.enabled) (.Values.agent.isDeployment) }}
+{{- $hasKubernetes := false -}}
+{{- if .Values.agent.additionalAcquisition }}
+{{- range .Values.agent.additionalAcquisition }}
+{{- if eq .source "kubernetes" }}
+{{- $hasKubernetes = true -}}
+{{- end }}
+{{- end }}
+{{- end }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -39,8 +47,8 @@ spec:
 {{ toYaml .Values.agent.podLabels | trim | indent 8 }}
 {{- end }}
 spec:
- {{- if .Values.agent.serviceAccountName }}
- serviceAccountName: {{ .Values.agent.serviceAccountName }}
+ {{- if or .Values.agent.serviceAccountName $hasKubernetes }}
+ serviceAccountName: {{ default (printf "%s-agent" .Release.Name) .Values.agent.serviceAccountName }}
 {{- end }}
 {{- with .Values.agent.tolerations }}
 tolerations:
diff --git a/charts/crowdsec/templates/role.yaml b/charts/crowdsec/templates/role.yaml
index d07021d..4c69ef8 100644
--- a/charts/crowdsec/templates/role.yaml
+++ b/charts/crowdsec/templates/role.yaml
@@ -24,4 +24,28 @@ rules:
 verbs: ["create"]
 {{- end }}
 {{- end }}
+---
+{{- end }}
+{{- $hasKubernetes := false -}}
+{{- if .Values.agent.additionalAcquisition }}
+{{- range .Values.agent.additionalAcquisition }}
+{{- if eq .source "kubernetes" }}
+{{- $hasKubernetes = true -}}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if $hasKubernetes }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Release.Name }}-logs
+rules:
+ - apiGroups: [""]
+ resources:
+ - pods
+ - pods/log
+ verbs:
+ - get
+ - list
+ - watch
 {{- end }}
diff --git a/charts/crowdsec/templates/rolebinding.yaml b/charts/crowdsec/templates/rolebinding.yaml
index dca3172..735b3f4 100644
--- a/charts/crowdsec/templates/rolebinding.yaml
+++ b/charts/crowdsec/templates/rolebinding.yaml
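Review bot: The ClusterRole added in role.yaml grants `get`/`list`/`watch` on `pods` and `pods/log` in every namespace, which is broader than an agent reading a handful of workloads needs; pod logs routinely carry tokens and personal data, so the agent's ServiceAccount token becomes a cluster-wide log reader. Where the configured kubernetes acquisition entries target specific namespaces, a namespaced `Role`/`RoleBinding` per target namespace would keep the grant to what is actually read; whether the datasource configuration exposes those namespaces is not visible in this hunk. The object is cluster-scoped but named only `{{ .Release.Name }}-logs`, so two releases with the same name in different namespaces would collide; `name: {{ .Release.Namespace }}-{{ .Release.Name }}-logs` avoids that, and the ClusterRoleBinding in rolebinding.yaml then needs the same name. A comment above the rule saying that it is rendered only when a `source: kubernetes` acquisition is configured, and that its scope is cluster-wide, would help operators auditing the chart's RBAC.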
@@ -22,4 +22,27 @@ subjects:
 name: {{ .Release.Name }}-configmap-updater-sa
 namespace: {{ .Release.Namespace }}
 {{- end }}
-{{- end }}
\ No newline at end of file
+---
+{{- end }}
+{{- $hasKubernetes := false -}}
+{{- if .Values.agent.additionalAcquisition }}
+{{- range .Values.agent.additionalAcquisition }}
+{{- if eq .source "kubernetes" }}
+{{- $hasKubernetes = true -}}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if $hasKubernetes }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ .Release.Name }}-logs
+subjects:
+ - kind: ServiceAccount
+ name: {{ default (printf "%s-agent" .Release.Name) .Values.agent.serviceAccountName }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Release.Name }}-logs
+{{- end }}
diff --git a/charts/crowdsec/templates/serviceaccount.yaml b/charts/crowdsec/templates/serviceaccount.yaml
index 8abf238..99e4332 100644
--- a/charts/crowdsec/templates/serviceaccount.yaml
+++ b/charts/crowdsec/templates/serviceaccount.yaml
@@ -14,4 +14,27 @@ metadata:
 "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 "helm.sh/hook-weight": "-1"
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
+---
+{{- $hasKubernetes := false -}}
+{{- if .Values.agent.additionalAcquisition }}
+{{- range .Values.agent.additionalAcquisition }}
+{{- if eq .source "kubernetes" }}
+{{- $hasKubernetes = true -}}
+{{- end }}
+{{- end }}
+{{- end }}
+{{ if $hasKubernetes }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: {{ .Release.Name }}-agent
+ labels:
+ k8s-app: {{ .Release.Name }}
+ type: pod-log-reader
+ version: v1
+ annotations:
+ "helm.sh/hook": "pre-install,pre-upgrade"
+ "helm.sh/hook-weight": "-1"
+{{- end }}
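Review bot: When `agent.serviceAccountName` is set, the subject of the new ClusterRoleBinding in rolebinding.yaml is that user-supplied account, so enabling a kubernetes acquisition silently gives an existing, possibly shared, ServiceAccount cluster-wide read access to pod logs. Consider binding only the chart-created `{{ .Release.Name }}-agent` account, or state the side effect in the values documentation and in a comment here, e.g. `{{- /* binds cluster-wide pod log read to agent.serviceAccountName when it is set */ -}}`. The fallback `printf "%s-agent" .Release.Name` is repeated here and in both agent workloads while serviceaccount.yaml hard-codes `{{ .Release.Name }}-agent`; one shared helper would keep the bound subject and the created account from drifting apart.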
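Review bot: The ServiceAccount added in serviceaccount.yaml is marked as a `pre-install,pre-upgrade` hook but, unlike the hook annotations visible in the context lines above it, declares no `helm.sh/hook-delete-policy`; hook resources are not tracked with the release, so this account is left behind by `helm uninstall` while the ClusterRole and ClusterRoleBinding are removed. With Helm's default `before-hook-creation` policy the account is also deleted and recreated on each upgrade, which may invalidate the tokens held by running agent pods until they restart. Nothing in the hunk needs a hook here, and dropping both annotations makes the account an ordinary release-managed resource. It is also rendered even when `agent.serviceAccountName` names a different account; `{{- if and $hasKubernetes (not .Values.agent.serviceAccountName) }}` would avoid the unused account, and the leading `-` also removes the blank line that `{{ if $hasKubernetes }}` emits.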