tighter security for deployments, no erronous submodules

Remy Moll 2024-07-14 11:37:47 +02:00
parent 31141c6ef1
commit 175817190c
9 changed files with 19 additions and 69 deletions

6
.gitmodules vendored

@ -1,6 +0,0 @@
[submodule "infrastructure/external-dns/octodns"]
path = infrastructure/external-dns/octodns
url = ssh://git@git.kluster.moll.re:2222/remoll/dns.git
[submodule "apps/monitoring/dashboards"]
path = apps/monitoring/dashboards
url = ssh://git@git.kluster.moll.re:2222/remoll/grafana-dashboards.git

@ -1 +0,0 @@
Subproject commit 0d0200321da7e8419109fbf6415c2e64b0f817dc

@ -5,11 +5,11 @@ namespace: monitoring
resources:
- namespace.yaml
# - grafana.pvc.yaml
# - influxdb.pvc.yaml
- grafana.ingress.yaml
- grafana-admin.sealedsecret.yaml
- dashboards/
# grafana dashboards are provisioned from a git repository
# in the initial bootstrap of the app of apps, the git repo won't be available, so this sync will initially fail
- https://git.kluster.moll.re/remoll/grafana-dashboards/raw/branch/main/kustomization.yaml
helmCharts:
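Review bot: The remote resource `https://git.kluster.moll.re/remoll/grafana-dashboards/raw/branch/main/kustomization.yaml` follows the head of `main`, so anything pushed to that branch is applied to the cluster on the next sync with nothing in this kustomization pinning it. Pin the reference instead, Gitea-style raw URLs also accept `/raw/commit/<sha>/kustomization.yaml` or a tag path, and bump it deliberately so the change is reviewable in this repository. Also confirm the fetched file actually resolves as a resource: kustomize treats a URL entry as a plain resource file, and if the remote file is itself a Kustomization the sync may fail for a reason other than the bootstrap ordering the comment above describes. The old/new side of `- dashboards/` versus the URL line cannot be read from this rendering, but since the commit removes the `dashboards` submodule the URL is presumably the new side.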

@ -1 +0,0 @@
Subproject commit ba74e801c1f4a277c178358eecdc82f72cb4447b

@ -1,4 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: placeholder
name: placeholder
labels:
pod-security.kubernetes.io/enforce: privileged
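Review bot: The added label `pod-security.kubernetes.io/enforce: privileged` selects the least restrictive Pod Security Standards level, which in effect switches Pod Security Admission checks off for this namespace rather than tightening them, so it sits oddly in a commit titled "tighter security"; the same label is added in the hunk at `@ -2,3 +2,5 @@`. If these namespaces genuinely need privileged pods (host networking, host paths, extra capabilities), record why in a comment such as `# PSA enforce=privileged: <workload> needs <reason>; restricted/baseline would reject it` and add `pod-security.kubernetes.io/warn: baseline` and `pod-security.kubernetes.io/audit: baseline` so violations stay visible; otherwise `baseline` or `restricted` is the tighter choice. The sides here are recovered from the hunk counts (one `name: placeholder` line removed, three lines added), and `name: placeholder` is presumably substituted by the consuming kustomization.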

@ -74,11 +74,9 @@ data:
address = ":9000"
[entryPoints.dnsovertls]
address = ":853"
address = ":8853"
# route dns over https to other pods but provide own certificate
[entryPoints.name.http3]
advertisedPort = 443
[metrics]
[metrics.prometheus]
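Review bot: The DNS-over-TLS entrypoint now listens on `:8853`, which has to stay in step with `ports.dnsovertls.port: 8853` in the Helm values hunk at `@ -185,7 +154,7 @@` (where `exposedPort: 853` keeps the external port), but nothing ties the two settings together. Add a comment beside the address, e.g. `# must match ports.dnsovertls.port in the traefik values; exposedPort stays 853`, so the next port change is made in both places. Moving off a privileged port presumably removes the need for the container to bind below 1024, but no capability or securityContext change is visible in this commit. The `data:` block continues outside the hunk, and the hunk counts do not match the lines shown, so the old/new sides are not fully recoverable here.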

@ -2,3 +2,5 @@ apiVersion: v1
kind: Namespace
metadata:
name: placeholder
labels:
pod-security.kubernetes.io/enforce: privileged

@ -1,25 +1,11 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: traefik-certificate
spec:
capacity:
storage: "10Mi"
accessModes:
- ReadWriteOnce
nfs:
path: /export/kluster/traefik/certs
server: 192.168.1.157
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: traefik-certificate
name: certs
spec:
storageClassName: "nfs-client"
accessModes:
- ReadWriteOnce
resources:
requests:
storage: "10Mi"
volumeName: traefik-certificate
storageClassName: ""
storage: "50Mi"
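Review bot: With the PersistentVolume and the `volumeName: traefik-certificate` binding removed, the claim `certs` now carries `storageClassName: ""`, which disables dynamic provisioning and binds only to a pre-existing PV with no storage class; unless this commit creates such a PV elsewhere (not visible on this page), the claim stays Pending and the Traefik pod that mounts it (`claimName: certs` in the values hunk) will not schedule. Either use the cluster provisioner again, `storageClassName: nfs-client` as the removed line did, or keep an explicit PV plus `volumeName`. In both cases a comment such as `# "" = static binding, a matching PV must exist; omit the key for the default class` would make the intent explicit. Sides here are recovered from the hunk counts (17 removed, 3 added), so the position of `storageClassName: ""` among the remaining keys is inferred.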

@ -23,45 +23,17 @@ deployment:
podLabels: {}
# Additional containers (e.g. for metric offloading sidecars)
additionalContainers: []
# https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host
# - name: socat-proxy
# image: alpine/socat:1.0.5
# args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"]
# volumeMounts:
# - name: dsdsocket
# mountPath: /socket
# Additional volumes available for use with initContainers and additionalContainers
additionalVolumes:
# - name: traefik-logs
# persistentVolumeClaim:
# claimName: traefik-logs
- name: traefik-certificate
- name: certs
persistentVolumeClaim:
claimName: traefik-certificate
claimName: certs
- name: traefik-config
configMap:
name: traefik-config
# - name: dsdsocket
# hostPath:
# path: /var/run/statsd-exporter
# Additional initContainers (e.g. for setting file permission as shown below)
initContainers: []
# The "volume-permissions" init container is required if you run into permission issues.
# Related issue: https://github.com/traefik/traefik/issues/6972
# - name: volume-permissions
# image: busybox:1.31.1
# command: ["sh", "-c", "chmod -Rv 600 /data/*"]
# volumeMounts:
# - name: data
# mountPath: /data
# Use process namespace sharing
shareProcessNamespace: false
# Custom pod DNS policy. Apply if `hostNetwork: true`
# dnsPolicy: ClusterFirstWithHostNet
# Additional imagePullSecrets
imagePullSecrets: []
# - name: myRegistryKeySecretName
# Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x
ingressClass:
@ -78,7 +50,7 @@ pilot:
# Toggle Pilot Dashboard
# dashboard: false
# Enable experimental features
# Enable experimental featureskdes+
experimental:
http3:
enabled: false
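Review bot: The comment `# Enable experimental featureskdes+` on the line printed second, presumably the new side, has stray characters appended that look like an accidental keystroke rather than an intended edit; restore `# Enable experimental features`. The counts in this hunk header do not match the lines shown, so which side carries the typo is inferred from print order only; if the commit is in fact removing it, disregard.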
@ -99,10 +71,7 @@ experimental:
ingressRoute:
dashboard:
enabled: false
# Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
annotations: {}
# Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
labels: {}
@ -162,7 +131,7 @@ additionalVolumeMounts:
# - name: traefik-logs
# # claimName: traefik-logs
# mountPath: /var/log/traefik
- name: traefik-certificate
- name: certs
# claimName: traefik-certificate
mountPath: /certs
- name: traefik-config
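Review bot: After the rename to `- name: certs`, the trailing comment `# claimName: traefik-certificate` is stale, and `claimName` is not a volumeMount field in any case (the claim is referenced from `additionalVolumes`), so the line can only mislead; drop it, or replace it with `# backed by the certs PVC declared in additionalVolumes`. The `additionalVolumeMounts:` list starts outside the hunk.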
@ -185,7 +154,7 @@ env:
ports:
# add a new one, the other ones are kept the same.
dnsovertls:
port: 853
port: 8853
expose: true
exposedPort: 853
protocol: TCP
@ -218,3 +187,4 @@ service:
spec:
# externalTrafficPolicy: Local
loadBalancerIP: 192.168.3.1