From de9c0869baf01e4fdffa8bf69d18dbb454602d08 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 21 Feb 2026 19:18:15 +0000
Subject: [PATCH] [ci skip] Fix CrowdSec pods failing due to priority class mismatch

Kyverno injects priorityClassName tier-1-cluster on pods in the crowdsec namespace, but pods had no explicit priorityClassName set, defaulting priority to 0. Admission controller rejected the mismatch (0 vs 800000). Set priorityClassName on LAPI, agent (Helm values) and crowdsec-web (Terraform deployment).
---
 modules/kubernetes/crowdsec/main.tf | 1 +
 modules/kubernetes/crowdsec/values.yaml | 2 ++
 modules/kubernetes/main.tf | 3 +++
 3 files changed, 6 insertions(+)

diff --git a/modules/kubernetes/crowdsec/main.tf b/modules/kubernetes/crowdsec/main.tf
index c1135456..8d68595d 100644
--- a/modules/kubernetes/crowdsec/main.tf
+++ b/modules/kubernetes/crowdsec/main.tf
@@ -133,6 +133,7 @@ resource "kubernetes_deployment" "crowdsec-web" {
 }
 }
 spec {
+ priority_class_name = "tier-1-cluster"
 container {
 name = "crowdsec-web"
 image = "viktorbarzin/crowdsec_web"
diff --git a/modules/kubernetes/crowdsec/values.yaml b/modules/kubernetes/crowdsec/values.yaml
index efec9e53..c991536f 100644
--- a/modules/kubernetes/crowdsec/values.yaml
+++ b/modules/kubernetes/crowdsec/values.yaml
@@ -2,6 +2,7 @@ container_runtime: containerd
 agent:
+ priorityClassName: "tier-1-cluster"
 # To specify each pod you want to process it logs (pods present in the node)
 acquisition:
 # The namespace where the pod is located
@@ -43,6 +44,7 @@ agent:
 configMap:
 name: crowdsec-whitelist
 lapi:
+ priorityClassName: "tier-1-cluster"
 replicas: 3
 extraSecrets:
 dbPassword: "${DB_PASSWORD}"
diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf
index 45354212..13e48fd0 100644
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
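Review bot: The literal `"tier-1-cluster"` added in the `spec` block of `crowdsec-web` is repeated in both values.yaml hunks (`agent.priorityClassName` and `lapi.priorityClassName`), and nothing next to it records that it must equal the class Kyverno injects for this namespace. The root module passes `tier = local.tiers.*` to other modules, so if this module receives a tier input as well (not visible in the hunk), deriving the class from it would keep the three settings from drifting apart. Failing that, a comment above the attribute such as `# must match the priorityClassName Kyverno injects for the crowdsec namespace; a mismatch is rejected at admission` would help. The resource body continues outside the hunk.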
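Review bot: Setting `priorityClassName` under `agent:` and `lapi:` in values.yaml repairs only the workloads that carry the value explicitly, while the cause given in the commit message (the class name is injected, but the pod's priority has already defaulted to 0) stays in place. Any other pod created in the crowdsec namespace without the field would presumably be rejected the same way, and for a detection component that means a coverage gap until someone notices the pods are missing. A follow-up on the policy side, or at least an alert on failed pod creation in this namespace, seems worth tracking. Both the `agent:` and `lapi:` blocks continue outside their hunks.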
@@ -253,6 +253,8 @@ module "f1-stream" {
 for_each = contains(local.active_modules, "f1-stream") ? { f1-stream = true } : {}
 tls_secret_name = var.tls_secret_name
 tier = local.tiers.aux
+ turn_secret = var.coturn_turn_secret
+ public_ip = var.public_ip
 depends_on = [null_resource.core_services]
 }
@@ -263,6 +265,7 @@ module "coturn" {
 tls_secret_name = var.tls_secret_name
 tier = local.tiers.edge
 turn_secret = var.coturn_turn_secret
+ public_ip = var.public_ip
 depends_on = [null_resource.core_services]
 }
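Review bot: The `turn_secret = var.coturn_turn_secret` and `public_ip = var.public_ip` lines added to `module "f1-stream"` are not mentioned in the commit message, which describes only the CrowdSec priority-class fix, and they widen the set of modules that receive the coturn shared secret. Because the commit is tagged `[ci skip]`, this wiring presumably lands without whatever plan or validation the pipeline normally runs. Consider moving it to its own commit, and confirm that `turn_secret` is declared with `sensitive = true` in the f1-stream module's variables (not visible here) and that the module needs the shared secret itself rather than credentials derived from it. The `public_ip` line added to `module "coturn"` in the next hunk belongs to the same unrelated change.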