tighter security for deployments, no erroneous submodules
This commit is contained in:
parent
31141c6ef1
commit
175817190c
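--- a/.gitmodules
+++ b/.gitmodules
@@ -1,6 +0,0 @@
-[submodule "infrastructure/external-dns/octodns"]
-path = infrastructure/external-dns/octodns
-url = ssh://git@git.kluster.moll.re:2222/remoll/dns.git
-[submodule "apps/monitoring/dashboards"]
-path = apps/monitoring/dashboards
-url = ssh://git@git.kluster.moll.re:2222/remoll/grafana-dashboards.git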
@ -1 +0,0 @@
|
||||
Subproject commit 0d0200321da7e8419109fbf6415c2e64b0f817dc
|
@ -5,11 +5,11 @@ namespace: monitoring
|
||||
|
||||
resources:
|
||||
- namespace.yaml
|
||||
# - grafana.pvc.yaml
|
||||
# - influxdb.pvc.yaml
|
||||
- grafana.ingress.yaml
|
||||
- grafana-admin.sealedsecret.yaml
|
||||
- dashboards/
|
||||
# grafana dashboards are provisioned from a git repository
|
||||
# in the initial bootstrap of the app of apps, the git repo won't be available, so this sync will initially fail
|
||||
- https://git.kluster.moll.re/remoll/grafana-dashboards/raw/branch/main/kustomization.yaml
|
||||
|
||||
|
||||
helmCharts:
|
||||
|
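Review bot: The remote resource added at `- https://git.kluster.moll.re/remoll/grafana-dashboards/raw/branch/main/kustomization.yaml` follows the head of `main`, so the dashboards that get applied can change without any commit landing in this repository. Pinning to an immutable ref — kustomize's git form of a remote resource accepts a `?ref=` query naming a tag or commit — keeps what is deployed reproducible and reviewable here. The comment above it already records that the sync fails during bootstrap; a pinned ref additionally prevents a later retry from silently picking up a different revision than the one that was reviewed. Which of the two comment lines are old or new cannot be read from this rendering, so the point applies to whichever survive.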
@ -1 +0,0 @@
|
||||
Subproject commit ba74e801c1f4a277c178358eecdc82f72cb4447b
|
@ -1,4 +1,6 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: placeholder
|
||||
name: placeholder
|
||||
labels:
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
|
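Review bot: The label added on the `pod-security.kubernetes.io/enforce: privileged` line selects the most permissive Pod Security Admission level, so PSA enforces nothing in this namespace — the opposite of what the commit title "tighter security" suggests. If workloads here genuinely need privileged settings, the reason belongs next to the label, e.g. `# privileged required for <reason — TODO document>`, and adding `pod-security.kubernetes.io/warn: restricted` and `pod-security.kubernetes.io/audit: restricted` would still surface violations without blocking admission; otherwise `baseline` or `restricted` is the value to use. The same label is added in the Namespace hunk at `@ -2,3 +2,5 @@ apiVersion: v1` further down, where the same applies.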
@ -74,11 +74,9 @@ data:
|
||||
address = ":9000"
|
||||
|
||||
[entryPoints.dnsovertls]
|
||||
address = ":853"
|
||||
address = ":8853"
|
||||
# route dns over https to other pods but provide own certificate
|
||||
|
||||
[entryPoints.name.http3]
|
||||
advertisedPort = 443
|
||||
|
||||
[metrics]
|
||||
[metrics.prometheus]
|
||||
|
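Review bot: Nothing next to the new `address = ":8853"` line records why the dnsovertls entryPoint moved off `:853`, and the value is coupled to `port: 8853` under `ports.dnsovertls` in the values hunk at `@ -185,7 +154,7 @@ env:`, where the Service still publishes 853 through `exposedPort`. A comment on the new line such as `# unprivileged port; the Service maps 853 -> 8853 (keep in sync with ports.dnsovertls in the chart values)` would make the pairing explicit, assuming the intent is to let the container bind without a privileged port. Whether the `[entryPoints.name.http3]` / `advertisedPort = 443` lines in this hunk are removed or kept cannot be read from this rendering, so they are not reviewed here.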
@ -2,3 +2,5 @@ apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: placeholder
|
||||
labels:
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
|
@ -1,25 +1,11 @@
|
||||
apiVersion: v1
|
||||
kind: PersistentVolume
|
||||
metadata:
|
||||
name: traefik-certificate
|
||||
spec:
|
||||
capacity:
|
||||
storage: "10Mi"
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
nfs:
|
||||
path: /export/kluster/traefik/certs
|
||||
server: 192.168.1.157
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: traefik-certificate
|
||||
name: certs
|
||||
spec:
|
||||
storageClassName: "nfs-client"
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
requests:
|
||||
storage: "10Mi"
|
||||
volumeName: traefik-certificate
|
||||
storageClassName: ""
|
||||
storage: "50Mi"
|
||||
|
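Review bot: The PVC `certs` replaces a statically bound PV on `/export/kluster/traefik/certs`, but nothing in the change carries over the data that lived there; since the `additionalVolumeMounts` hunk at `@ -162,7 +131,7 @@` mounts this claim at `/certs`, it presumably holds Traefik's TLS material, and a freshly provisioned `nfs-client` volume starts empty, which would mean re-issuing certificates. If that is the certificate store, a comment like `# Traefik TLS/ACME store (mounted at /certs); data migrated from the former traefik-certificate PV — TODO confirm` would document the dependency, and it is worth noting that protection of the private keys now rests on the nfs-client provisioner's export permissions rather than the hand-written PV. The reclaim policy of the removed PV is not visible here, so whether the old data is still retained cannot be confirmed from this hunk.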
@ -23,45 +23,17 @@ deployment:
|
||||
podLabels: {}
|
||||
# Additional containers (e.g. for metric offloading sidecars)
|
||||
additionalContainers: []
|
||||
# https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host
|
||||
# - name: socat-proxy
|
||||
# image: alpine/socat:1.0.5
|
||||
# args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"]
|
||||
# volumeMounts:
|
||||
# - name: dsdsocket
|
||||
# mountPath: /socket
|
||||
# Additional volumes available for use with initContainers and additionalContainers
|
||||
additionalVolumes:
|
||||
# - name: traefik-logs
|
||||
# persistentVolumeClaim:
|
||||
# claimName: traefik-logs
|
||||
- name: traefik-certificate
|
||||
- name: certs
|
||||
persistentVolumeClaim:
|
||||
claimName: traefik-certificate
|
||||
claimName: certs
|
||||
- name: traefik-config
|
||||
configMap:
|
||||
name: traefik-config
|
||||
# - name: dsdsocket
|
||||
# hostPath:
|
||||
# path: /var/run/statsd-exporter
|
||||
# Additional initContainers (e.g. for setting file permission as shown below)
|
||||
initContainers: []
|
||||
# The "volume-permissions" init container is required if you run into permission issues.
|
||||
# Related issue: https://github.com/traefik/traefik/issues/6972
|
||||
# - name: volume-permissions
|
||||
# image: busybox:1.31.1
|
||||
# command: ["sh", "-c", "chmod -Rv 600 /data/*"]
|
||||
# volumeMounts:
|
||||
# - name: data
|
||||
# mountPath: /data
|
||||
# Use process namespace sharing
|
||||
shareProcessNamespace: false
|
||||
# Custom pod DNS policy. Apply if `hostNetwork: true`
|
||||
# dnsPolicy: ClusterFirstWithHostNet
|
||||
# Additional imagePullSecrets
|
||||
imagePullSecrets: []
|
||||
# - name: myRegistryKeySecretName
|
||||
|
||||
|
||||
# Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x
|
||||
ingressClass:
|
||||
@ -78,7 +50,7 @@ pilot:
|
||||
# Toggle Pilot Dashboard
|
||||
# dashboard: false
|
||||
|
||||
# Enable experimental features
|
||||
# Enable experimental featureskdes+
|
||||
experimental:
|
||||
http3:
|
||||
enabled: false
|
||||
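Review bot: The changed comment `# Enable experimental featureskdes+` carries what look like stray keystrokes appended to the original text, and it is the only change in this hunk. Restoring it to `# Enable experimental features` keeps the comment readable and avoids a meaningless diff against the upstream chart values.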
@ -99,10 +71,7 @@ experimental:
|
||||
ingressRoute:
|
||||
dashboard:
|
||||
enabled: false
|
||||
# Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
|
||||
annotations: {}
|
||||
# Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
|
||||
labels: {}
|
||||
|
||||
|
||||
|
||||
|
||||
@ -162,7 +131,7 @@ additionalVolumeMounts:
|
||||
# - name: traefik-logs
|
||||
# # claimName: traefik-logs
|
||||
# mountPath: /var/log/traefik
|
||||
- name: traefik-certificate
|
||||
- name: certs
|
||||
# claimName: traefik-certificate
|
||||
mountPath: /certs
|
||||
- name: traefik-config
|
||||
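Review bot: The context line `# claimName: traefik-certificate` directly under the renamed `- name: certs` still names the claim this commit renames away, and a volumeMount has no `claimName` field in any case, so the comment is stale twice over. Dropping it, or replacing it with `# backed by PVC certs`, keeps the mount block in step with the `additionalVolumes` entry renamed in the hunk at `@ -23,45 +23,17 @@ deployment:`. The same leftover pattern appears on the commented `# # claimName: traefik-logs` line above, which this commit does not touch.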
@ -185,7 +154,7 @@ env:
|
||||
ports:
|
||||
# add a new one, the other ones are kept the same.
|
||||
dnsovertls:
|
||||
port: 853
|
||||
port: 8853
|
||||
expose: true
|
||||
exposedPort: 853
|
||||
protocol: TCP
|
||||
@ -218,3 +187,4 @@ service:
|
||||
spec:
|
||||
# externalTrafficPolicy: Local
|
||||
loadBalancerIP: 192.168.3.1
|
||||
|
||||
|