fix CrowdSec collection names and increase Helm timeout

- Fix: crowdsecurity/pf → crowdsecurity/pfsense + firewallservices/pf - Move syslog acquisition to custom ConfigMap (Helm schema validation) - Increase Helm timeout to 1200s for DaemonSet rollout
2026-03-23 03:41:13 +02:00 · 2026-03-23 03:41:13 +02:00 · d401568317
commit d401568317
parent 850f73ab4d
2 changed files with 30 additions and 16 deletions
--- a/stacks/crowdsec/modules/crowdsec/main.tf
+++ b/stacks/crowdsec/modules/crowdsec/main.tf
@ -96,6 +96,27 @@ resource "kubernetes_config_map" "crowdsec_whitelist" {
 }


+# Syslog acquisition config for pfSense firewall log ingestion
+resource "kubernetes_config_map" "crowdsec_syslog_acquisition" {
+  metadata {
+    name      = "crowdsec-syslog-acquisition"
+    namespace = kubernetes_namespace.crowdsec.metadata[0].name
+    labels = {
+      "app.kubernetes.io/name" = "crowdsec"
+    }
+  }
+
+  data = {
+    "syslog.yaml" = <<-YAML
+      source: syslog
+      listen_addr: "0.0.0.0"
+      listen_port: 514
+      labels:
+        type: pf
+    YAML
+  }
+}
+
 resource "helm_release" "crowdsec" {
  namespace        = kubernetes_namespace.crowdsec.metadata[0].name
  create_namespace = true
@ -107,7 +128,7 @@ resource "helm_release" "crowdsec" {
  chart      = "crowdsec"

  values  = [templatefile("${path.module}/values.yaml", { homepage_username = var.homepage_username, homepage_password = var.homepage_password, DB_PASSWORD = var.db_password, ENROLL_KEY = var.enroll_key, SLACK_WEBHOOK_URL = var.slack_webhook_url, mysql_host = var.mysql_host })]
-  timeout       = 900
+  timeout       = 1200
  wait          = true
  wait_for_jobs = true
 }
--- a/stacks/crowdsec/modules/crowdsec/values.yaml
+++ b/stacks/crowdsec/modules/crowdsec/values.yaml
@ -17,12 +17,6 @@ agent:
      podName: traefik-*
      # as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs
      program: traefik
-    # pfSense firewall logs via syslog
-    - source: syslog
-      listen_addr: "0.0.0.0"
-      listen_port: 514
-      labels:
-        type: pf
    # Mailserver logs for SMTP/IMAP brute-force detection
    - namespace: mailserver
      podName: mailserver-*
@ -37,18 +31,10 @@ agent:
    #   value: "true"
    # As we are running Traefik, we want to install the Traefik collection
    - name: COLLECTIONS
-      value: "crowdsecurity/traefik crowdsecurity/base-http-scenarios crowdsecurity/http-cve crowdsecurity/pf crowdsecurity/postfix crowdsecurity/dovecot crowdsecurity/sshd"
+      value: "crowdsecurity/traefik crowdsecurity/base-http-scenarios crowdsecurity/http-cve crowdsecurity/pfsense firewallservices/pf crowdsecurity/postfix crowdsecurity/dovecot crowdsecurity/sshd"
    - name: SCENARIOS
      value: ""
      # value: "crowdsecurity/http-crawl-aggressive"
-  # Expose syslog port for pfSense log ingestion
-  additionalPorts:
-    - name: syslog-udp
-      containerPort: 514
-      protocol: UDP
-    - name: syslog-tcp
-      containerPort: 514
-      protocol: TCP
  # Mount custom scenarios into /etc/crowdsec/scenarios
  extraVolumeMounts:
    - name: custom-scenarios
@ -63,6 +49,10 @@ agent:
      mountPath: /etc/crowdsec/parsers/s02-enrich/whitelist.yaml
      subPath: "whitelist.yaml"
      readonly: true
+    - name: syslog-acquisition
+      mountPath: /etc/crowdsec/acquis.d/syslog.yaml
+      subPath: "syslog.yaml"
+      readonly: true
  extraVolumes:
    - name: custom-scenarios
      configMap:
@ -70,6 +60,9 @@ agent:
    - name: whitelist
      configMap:
        name: crowdsec-whitelist
+    - name: syslog-acquisition
+      configMap:
+        name: crowdsec-syslog-acquisition
 lapi:
  resources:
    requests: