feat(apps): 升级集群应用版本

apps/infra/devops/cert-manager/helmchart.yaml

@@ -9,7 +9,7 @@ spec:
   repo: https://charts.jetstack.io
   chart: cert-manager
   targetNamespace: infra-devops
-  version: v1.16.1
+  version: v1.16.2
   valuesContent: |-
     affinity:
       nodeAffinity:

apps/infra/devops/gitea/helmchart.yaml

@@ -36,7 +36,7 @@ spec:
     postgresql-ha:
       enabled: false
     image:
-      tag: 1.22.3
+      tag: 1.22.5
     ingress:
       enabled: true
       className: nginx

apps/infra/devops/velero/helmchart.yaml

@@ -7,7 +7,7 @@ spec:
   repo: https://vmware-tanzu.github.io/helm-charts
   chart: velero
   targetNamespace: infra-devops
-  version: 8.0.0
+  version: 8.1.0
   valuesContent: |-
     affinity:
       nodeAffinity:

apps/infra/monitor/loki/helmchart-loki.yaml

@@ -7,7 +7,7 @@ spec:
   repo: https://grafana.github.io/helm-charts
   chart: loki
   targetNamespace: infra-monitor
-  version: 6.21.0
+  version: 6.23.0
   valuesContent: |-
     deploymentMode: SingleBinary
     gateway:

apps/infra/monitor/prometheus/helmchart.yaml

@@ -7,7 +7,7 @@ spec:
   repo: https://prometheus-community.github.io/helm-charts
   chart: kube-prometheus-stack
   targetNamespace: infra-monitor
-  version: 66.2.2
+  version: 66.4.0
   valuesContent: |-
     kubeControllerManager:
       enabled: false

apps/infra/net/crowdsec/helmchart.yaml

@@ -7,11 +7,11 @@ spec:
   repo: https://crowdsecurity.github.io/helm-charts
   chart: crowdsec
   targetNamespace: infra-net
-  version: 0.13.0
+  version: 0.15.0
   valuesContent: |-
     container_runtime: containerd
     image:
-      tag: v1.6.3
+      tag: v1.6.4
     agent:
       # 由于dataScope为loki，所以此处强制要求部署在loki所在的节点 以节省网络资源
       nodeSelector:
@@ -40,7 +40,6 @@ spec:
         config:
           enabled: false
     appsec:
-      enabled: true
       affinity:
         nodeAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
@@ -51,9 +50,27 @@ spec:
                     operator: In
                     values:
                       - cn-hk
+      enabled: false
+      acquisitions:
+        - source: appsec
+          listen_addr: "0.0.0.0:7422"
+          path: /
+          appsec_config: crowdsecurity/crs-vpatch
+          labels:
+            type: appsec
+      configs:
+        mycustom-appsec-config.yaml: |
+          name: crowdsecurity/crs-vpatch
+          default_remediation: ban
+          #log_level: debug
+          outofband_rules:
+            - crowdsecurity/crs
+          inband_rules:
+            - crowdsecurity/base-config
+            - crowdsecurity/vpatch-*
       env:
         - name: COLLECTIONS
-          value: "crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules"
+          value: "crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-crs"
     lapi:
       affinity:
         nodeAffinity:
@@ -87,6 +104,16 @@ spec:
           user: app
           password: nyrHzh9WWlDZzvVw7bDFo74gKb9zsls0Sy7OwRTDWiRTNPQQQkW85taUFAoX2AIC
           sslmode: require
+        api:
+          server:
+            auto_registration:
+              enabled: true
+              token: "${REGISTRATION_TOKEN}"
+              allowed_ranges:
+                - "127.0.0.1/32"
+                - "192.168.0.0/16"
+                - "172.16.0.0/12"
+                - "10.0.0.0/8"    
       # api profiles.yaml配置
       profiles.yaml: |
         name: captcha_remediation

apps/infra/net/nginx/helmchart.yaml

@@ -124,6 +124,8 @@ spec:
               value: "live"
             - name: CACHE_EXPIRATION
               value: "3"
+            - name: UPDATE_FREQUENCY
+              value: "10"
             - name: REQUEST_TIMEOUT
               value: "1000"
             - name: CAPTCHA_PROVIDER

apps/infra/net/tailscale/helmchart.yaml

@@ -6,7 +6,7 @@ metadata:
 spec:
   repo: https://devcm-repo.github.io/helm-charts
   chart: tailscale-derp
-  version: 0.0.4
+  version: 0.0.5
   targetNamespace: infra-net
   valuesContent: |-
     nodeSelector: