tighter security for deployments, no erronous submodules

.gitmodules

@@ -1,6 +0,0 @@
-[submodule "infrastructure/external-dns/octodns"]
-	path = infrastructure/external-dns/octodns
-	url = ssh://git@git.kluster.moll.re:2222/remoll/dns.git
-[submodule "apps/monitoring/dashboards"]
-	path = apps/monitoring/dashboards
-	url = ssh://git@git.kluster.moll.re:2222/remoll/grafana-dashboards.git

apps/monitoring/dashboards

@@ -1 +0,0 @@
-Subproject commit 0d0200321da7e8419109fbf6415c2e64b0f817dc

apps/monitoring/kustomization.yaml

@@ -5,11 +5,11 @@ namespace: monitoring
 
 resources: 
   - namespace.yaml
-  # - grafana.pvc.yaml
-  # - influxdb.pvc.yaml
   - grafana.ingress.yaml
   - grafana-admin.sealedsecret.yaml
-  - dashboards/
+  # grafana dashboards are provisioned from a git repository
+  # in the initial bootstrap of the app of apps, the git repo won't be available, so this sync will initially fail
+  - https://git.kluster.moll.re/remoll/grafana-dashboards/raw/branch/main/kustomization.yaml
 
 
 helmCharts:

infrastructure/external-dns/octodns

@@ -1 +0,0 @@
-Subproject commit ba74e801c1f4a277c178358eecdc82f72cb4447b

infrastructure/metallb-system/namespace.yaml

@@ -2,3 +2,5 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: placeholder
+  labels:
+    pod-security.kubernetes.io/enforce: privileged 

infrastructure/traefik-system/configmap.yaml

@@ -74,11 +74,9 @@ data:
         address = ":9000"
       
       [entryPoints.dnsovertls]
-        address = ":853"
+        address = ":8853"
         # route dns over https to other pods but provide own certificate
 
-      [entryPoints.name.http3]
-        advertisedPort = 443
 
     [metrics]
       [metrics.prometheus]

infrastructure/traefik-system/namespace.yaml

@@ -2,3 +2,5 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: placeholder
+  labels:
+    pod-security.kubernetes.io/enforce: privileged 

infrastructure/traefik-system/pvc.yaml

@@ -1,25 +1,11 @@
 apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: traefik-certificate
-spec:
-  capacity:
-    storage: "10Mi"
-  accessModes:
-    - ReadWriteOnce
-  nfs:
-    path: /export/kluster/traefik/certs
-    server: 192.168.1.157
----
-apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: traefik-certificate
+  name: certs
 spec:
+  storageClassName: "nfs-client"
   accessModes:
     - ReadWriteOnce
   resources:
     requests:
-      storage: "10Mi"
+      storage: "50Mi"
-  volumeName: traefik-certificate
-  storageClassName: ""

infrastructure/traefik-system/values.yaml

@@ -23,45 +23,17 @@ deployment:
   podLabels: {}
   # Additional containers (e.g. for metric offloading sidecars)
   additionalContainers: []
-    # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host
-    # - name: socat-proxy
-    # image: alpine/socat:1.0.5
-    # args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"]
-    # volumeMounts:
-    #   - name: dsdsocket
-    #     mountPath: /socket
   # Additional volumes available for use with initContainers and additionalContainers
   additionalVolumes:
-    # - name: traefik-logs
+    - name: certs
-    #   persistentVolumeClaim:
-    #     claimName: traefik-logs
-    - name: traefik-certificate
       persistentVolumeClaim:
-        claimName: traefik-certificate
+        claimName: certs
     - name: traefik-config
       configMap:
         name: traefik-config
-    # - name: dsdsocket
-    #   hostPath:
-    #     path: /var/run/statsd-exporter
-  # Additional initContainers (e.g. for setting file permission as shown below)
   initContainers: []
-    # The "volume-permissions" init container is required if you run into permission issues.
-    # Related issue: https://github.com/traefik/traefik/issues/6972
-    # - name: volume-permissions
-    #   image: busybox:1.31.1
-    #   command: ["sh", "-c", "chmod -Rv 600 /data/*"]
-    #   volumeMounts:
-    #     - name: data
-    #       mountPath: /data
   # Use process namespace sharing
   shareProcessNamespace: false
-  # Custom pod DNS policy. Apply if `hostNetwork: true`
-  # dnsPolicy: ClusterFirstWithHostNet
-  # Additional imagePullSecrets
-  imagePullSecrets: []
-    # - name: myRegistryKeySecretName
-
 
 # Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x
 ingressClass:
@@ -78,7 +50,7 @@ pilot:
   # Toggle Pilot Dashboard
   # dashboard: false
 
-# Enable experimental features
+# Enable experimental featureskdes+
 experimental:
   http3:
     enabled: false
@@ -99,10 +71,7 @@ experimental:
 ingressRoute:
   dashboard:
     enabled: false
-    # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
+
-    annotations: {}
-    # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
-    labels: {}
 
 
 
@@ -162,7 +131,7 @@ additionalVolumeMounts:
   # - name: traefik-logs
   #   # claimName: traefik-logs
   #   mountPath: /var/log/traefik
-  - name: traefik-certificate
+  - name: certs
     # claimName: traefik-certificate
     mountPath: /certs
   - name: traefik-config
@@ -185,7 +154,7 @@ env:
 ports:
   # add a new one, the other ones are kept the same.
   dnsovertls:
-    port: 853
+    port: 8853
     expose: true
     exposedPort: 853
     protocol: TCP
@@ -218,3 +187,4 @@ service:
   spec:
     # externalTrafficPolicy: Local
     loadBalancerIP: 192.168.3.1
+