tighter security for deployments, no erronous submodules

2024-07-14 11:37:47 +02:00
parent 31141c6ef1
commit 175817190c
9 changed files with 19 additions and 69 deletions
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,6 +0,0 @@
-[submodule "infrastructure/external-dns/octodns"]
-	path = infrastructure/external-dns/octodns
-	url = ssh://git@git.kluster.moll.re:2222/remoll/dns.git
-[submodule "apps/monitoring/dashboards"]
-	path = apps/monitoring/dashboards
-	url = ssh://git@git.kluster.moll.re:2222/remoll/grafana-dashboards.git
--- a/apps/monitoring/dashboards
+++ b/apps/monitoring/dashboards
--- a/apps/monitoring/kustomization.yaml
+++ b/apps/monitoring/kustomization.yaml
@@ -5,11 +5,11 @@ namespace: monitoring

 resources: 
  - namespace.yaml
-  # - grafana.pvc.yaml
-  # - influxdb.pvc.yaml
  - grafana.ingress.yaml
  - grafana-admin.sealedsecret.yaml
-  - dashboards/
+  # grafana dashboards are provisioned from a git repository
+  # in the initial bootstrap of the app of apps, the git repo won't be available, so this sync will initially fail
+  - https://git.kluster.moll.re/remoll/grafana-dashboards/raw/branch/main/kustomization.yaml


 helmCharts:
--- a/infrastructure/external-dns/octodns
+++ b/infrastructure/external-dns/octodns
--- a/infrastructure/metallb-system/namespace.yaml
+++ b/infrastructure/metallb-system/namespace.yaml
@@ -1,4 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: placeholder
+  name: placeholder
+  labels:
+    pod-security.kubernetes.io/enforce: privileged 
--- a/infrastructure/traefik-system/configmap.yaml
+++ b/infrastructure/traefik-system/configmap.yaml
@@ -74,11 +74,9 @@ data:
        address = ":9000"
      
      [entryPoints.dnsovertls]
-        address = ":853"
+        address = ":8853"
        # route dns over https to other pods but provide own certificate

-      [entryPoints.name.http3]
-        advertisedPort = 443

    [metrics]
      [metrics.prometheus]
--- a/infrastructure/traefik-system/namespace.yaml
+++ b/infrastructure/traefik-system/namespace.yaml
@@ -2,3 +2,5 @@ apiVersion: v1
 kind: Namespace
 metadata:
  name: placeholder
+  labels:
+    pod-security.kubernetes.io/enforce: privileged 
--- a/infrastructure/traefik-system/pvc.yaml
+++ b/infrastructure/traefik-system/pvc.yaml
@@ -1,25 +1,11 @@
 apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: traefik-certificate
-spec:
-  capacity:
-    storage: "10Mi"
-  accessModes:
-    - ReadWriteOnce
-  nfs:
-    path: /export/kluster/traefik/certs
-    server: 192.168.1.157
---
-apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: traefik-certificate
+  name: certs
 spec:
+  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
-      storage: "10Mi"
-  volumeName: traefik-certificate
-  storageClassName: ""
+      storage: "50Mi"
--- a/infrastructure/traefik-system/values.yaml
+++ b/infrastructure/traefik-system/values.yaml
@@ -23,45 +23,17 @@ deployment:
  podLabels: {}
  # Additional containers (e.g. for metric offloading sidecars)
  additionalContainers: []
-    # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host
-    # - name: socat-proxy
-    # image: alpine/socat:1.0.5
-    # args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"]
-    # volumeMounts:
-    #   - name: dsdsocket
-    #     mountPath: /socket
  # Additional volumes available for use with initContainers and additionalContainers
  additionalVolumes:
-    # - name: traefik-logs
-    #   persistentVolumeClaim:
-    #     claimName: traefik-logs
-    - name: traefik-certificate
+    - name: certs
      persistentVolumeClaim:
-        claimName: traefik-certificate
+        claimName: certs
    - name: traefik-config
      configMap:
        name: traefik-config
-    # - name: dsdsocket
-    #   hostPath:
-    #     path: /var/run/statsd-exporter
-  # Additional initContainers (e.g. for setting file permission as shown below)
  initContainers: []
-    # The "volume-permissions" init container is required if you run into permission issues.
-    # Related issue: https://github.com/traefik/traefik/issues/6972
-    # - name: volume-permissions
-    #   image: busybox:1.31.1
-    #   command: ["sh", "-c", "chmod -Rv 600 /data/*"]
-    #   volumeMounts:
-    #     - name: data
-    #       mountPath: /data
  # Use process namespace sharing
  shareProcessNamespace: false
-  # Custom pod DNS policy. Apply if `hostNetwork: true`
-  # dnsPolicy: ClusterFirstWithHostNet
-  # Additional imagePullSecrets
-  imagePullSecrets: []
-    # - name: myRegistryKeySecretName
-

 # Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x
 ingressClass:
@@ -78,7 +50,7 @@ pilot:
  # Toggle Pilot Dashboard
  # dashboard: false

-# Enable experimental features
+# Enable experimental featureskdes+
 experimental:
  http3:
    enabled: false
@@ -99,10 +71,7 @@ experimental:
 ingressRoute:
  dashboard:
    enabled: false
-    # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
-    annotations: {}
-    # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
-    labels: {}
+



@@ -162,7 +131,7 @@ additionalVolumeMounts:
  # - name: traefik-logs
  #   # claimName: traefik-logs
  #   mountPath: /var/log/traefik
-  - name: traefik-certificate
+  - name: certs
    # claimName: traefik-certificate
    mountPath: /certs
  - name: traefik-config
@@ -185,7 +154,7 @@ env:
 ports:
  # add a new one, the other ones are kept the same.
  dnsovertls:
-    port: 853
+    port: 8853
    expose: true
    exposedPort: 853
    protocol: TCP
@@ -218,3 +187,4 @@ service:
  spec:
    # externalTrafficPolicy: Local
    loadBalancerIP: 192.168.3.1
+