platform/manifests
1
0
Fork 0
Code Issues 7 Pull Requests 5 Actions Packages Projects Releases Wiki Activity

fix: move argocd to bootstrap and improve stuff

Browse Source
This commit is contained in:
Jonas Juselius
2025-06-25 09:43:23 +02:00
parent a7b764898b
commit a1e8f957d9
326 changed files with 84 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files
attic/templates/policies/cnpg-add-backup-section.yaml
+52
View File
@@ -0,0 +1,52 @@
{{- if and (.Values.kyverno.enabled) (.Values.postgres_operator.enabled) (.Values.velero.enabled) }}
apiVersion : kyverno.io/v1
kind: ClusterPolicy
metadata:
name: cnpg-add-backup-section
annotations:
policies.kyverno.io/title: add backup section to cnpg cluster spec
policies.kyverno.io/category: Other
policies.kyverno.io/severity: medium
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/minversion: 1.6.0
kyverno.io/kubernetes-version: "1.23"
policies.kyverno.io/subject: Cluster
policies.kyverno.io/description: >-
When a CNPG cluster is created, a backup section should be added.
The user can then create their own backup or backup schedule.
spec:
background: false
rules:
- name: cnpg-add-backup-section
match:
any:
- resources:
kinds:
- Cluster
exclude:
any:
- resources:
kinds:
- Cluster
names:
- "review-*"
mutate:
patchStrategicMerge:
spec:
backup:
barmanObjectStore:
destinationPath: s3://{{ .Values.velero.bucket }}/{{ .Values.cluster_config.cluster }}/cnpg-backup
serverName: {{` "{{ request.object.metadata.name }}"`}}
endpointURL: https://s3.production.itpartner.no
s3Credentials:
accessKeyId:
key: access_key
name: s3-credentials
inheritFromIAMRole: false
secretAccessKey:
key: access_secret
name: s3-credentials
wal:
compression: snappy
{{- end }}
attic/templates/policies/cnpg-clone-secrets.yaml
+36
View File
@@ -0,0 +1,36 @@
{{- if and (.Values.kyverno.enabled) (.Values.postgres_operator.enabled) (.Values.velero.enabled) }}
apiVersion : kyverno.io/v1
kind: ClusterPolicy
metadata:
name: cnpg-clone-s3-credentials
annotations:
policies.kyverno.io/title: add backup section to cnpg cluster spec
policies.kyverno.io/category: Other
policies.kyverno.io/severity: medium
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/minversion: 1.6.0
kyverno.io/kubernetes-version: "1.23"
policies.kyverno.io/subject: Cluster
policies.kyverno.io/description: >-
When a CNPG cluster is created, s3 credentials and CA secrets
should be synced from the velero namespace
spec:
background: false
rules:
- name: clone-s3-credentials
match:
any:
- resources:
kinds:
- Cluster
generate:
apiVersion: v1
kind: Secret
name: s3-credentials
namespace: {{` "{{request.object.metadata.namespace}}" `}}
synchronize: true
clone:
namespace: velero
name: s3-credentials
{{- end }}
attic/templates/policies/generate-external-admin-rolebinding.yaml
+55
View File
@@ -0,0 +1,55 @@
{{- if and (.Values.cluster_config.external_kubectl_access.enabled) (.Values.kyverno.enabled) }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: generate-external-admin-rolebinding
annotations:
policies.kyverno.io/title: Generate cluster-Admin rolebinding customer namespaces
policies.kyverno.io/category: other
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Namespace, RoleBinding
kyverno.io/kyverno-version: 1.7.0
policies.kyverno.io/minversion: 1.7.0
kyverno.io/kubernetes-version: "1.23"
policies.kyverno.io/description: >-
Customers should not have full admin permissions on their own namespaces.
This policy will generate a RoleBinding, binding their group_id to
the Cluster-Admin clusterrole. This will still only apply to the namespace as
the resource is a rolebinding, not clusterrolebinding.
This policy should not trigger on any namespaces with label component=sys
spec:
generateExistingOnPolicyUpdate: true
rules:
- name: generate-rolebinding
match:
any:
- resources:
kinds:
- Namespace
exclude:
any:
- resources:
kinds:
- Namespace
selector:
matchLabels:
component: sys
generate:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
name: external-ns-admin
namespace: {{` "{{request.object.metadata.name}}" `}}
synchronize: true
data:
metadata:
labels:
created-by: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: {{ .Values.cluster_config.external_kubectl_access.admin_group }}
{{- end }}
attic/templates/policies/prometheus-add-folder-to-default-dashboards.yaml
+32
View File
@@ -0,0 +1,32 @@
{{- if and (.Values.kyverno.enabled) (.Values.prometheus.enabled) }}
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: prometheus-stack-default-dashboard-folder
namespace: prometheus
spec:
admission: true
background: true
mutateExistingOnPolicyUpdate: true
rules:
- match:
any:
- resources:
kinds:
- ConfigMap
selector:
matchLabels:
app.kubernetes.io/part-of: kube-prometheus-stack
mutate:
patchStrategicMerge:
metadata:
annotations:
grafana_folder: Prometheus-stack
targets:
- apiVersion: v1
kind: ConfigMap
name: "{{`{{ request.object.metadata.name }}`}}"
name: generate-dashboard-folder-annotation
skipBackgroundRequests: true
validationFailureAction: Audit
{{- end }}
attic/templates/policies/sync-gitlab.yaml
+31
View File
@@ -0,0 +1,31 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: sync-gitlab-secret
annotations:
policies.kyverno.io/title: Sync Secrets
policies.kyverno.io/category: Sample
policies.kyverno.io/subject: Secret
policies.kyverno.io/description: >-
Secrets like registry credentials often need to exist in multiple
Namespaces so Pods there have access. Manually duplicating those Secrets
is time consuming and error prone. This policy will copy a
Secret called `regcred` which exists in the `default` Namespace to
new Namespaces when they are created. It will also push updates to
the copied Secrets should the source Secret be changed.
spec:
rules:
- name: sync-image-pull-secret
match:
resources:
kinds:
- Namespace
generate:
apiVersion: v1
kind: Secret
name: regcred
namespace: "{{`{{request.object.metadata.name}}`}}"
synchronize: true
clone:
namespace: default
name: gitlab-pull-secret
attic/templates/policies/sync-regcred.yaml
+33
View File
@@ -0,0 +1,33 @@
{{- if .Values.kyverno.enabled }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: sync-regcred-secret
annotations:
policies.kyverno.io/title: Sync Secrets
policies.kyverno.io/category: Sample
policies.kyverno.io/subject: Secret
policies.kyverno.io/description: >-
Secrets like registry credentials often need to exist in multiple
Namespaces so Pods there have access. Manually duplicating those Secrets
is time consuming and error prone. This policy will copy a
Secret called `regcred` which exists in the `default` Namespace to
new Namespaces when they are created. It will also push updates to
the copied Secrets should the source Secret be changed.
spec:
rules:
- name: sync-image-pull-secret
match:
resources:
kinds:
- Namespace
generate:
apiVersion: v1
kind: Secret
name: regcred
namespace: "{{`{{request.object.metadata.name}}`}}"
synchronize: true
clone:
namespace: default
name: regcred
{{- end }}
attic/templates/policies/sync-s3-secret.yaml
+33
View File
@@ -0,0 +1,33 @@
{{- if .Values.kyverno.enabled }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/description: 'This policy will sync the s3 secret in kube-system namespace across namespaces'
policies.kyverno.io/subject: Secret
policies.kyverno.io/title: Sync s3 Secrets
name: sync-s3-credentials
spec:
generateExistingOnPolicyUpdate: true
background: true
rules:
- generate:
apiVersion: v1
clone:
name: s3-credentials
namespace: kube-system
kind: Secret
name: s3-credentials
namespace: '{{`{{request.object.metadata.name}}`}}'
synchronize: true
match:
resources:
kinds:
- Namespace
names:
- "velero"
- "loki"
- "tempo"
name: sync-s3-secret
validationFailureAction: audit
{{- end }}
attic/templates/policies/whitelist-internal-ingresses.yaml
+73
View File
@@ -0,0 +1,73 @@
{{- if .Values.kyverno.enabled }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: whitelist-internal-ingresses
annotations:
policies.kyverno.io/title: Concatenate Ingresss
policies.kyverno.io/category: Other
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Ingress
policies.kyverno.io/description: >-
Ingresses with the label "internal=true" should be whitelisted.
If no whitelist exists, add the default values, otherwise append
whitelist to the already existing ones
spec:
mutateExistingOnPolicyUpdate: false
#precondition: has whitelist annotation or
rules:
- name: ensure-nginx-whitelist-exists
match:
resources:
kinds:
- Ingress
selector:
matchLabels:
internal: "true"
mutate:
patchStrategicMerge:
metadata:
annotations:
+(nginx.ingress.kubernetes.io/whitelist-source-range): ""
- name: append-existing-whitelist
match:
resources:
kinds:
- Ingress
selector:
matchLabels:
internal: "true"
preconditions:
any:
- key: "{{`{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/whitelist-source-range\"}}`}}"
operator: NotEquals
value: ""
mutate:
patchStrategicMerge:
metadata:
annotations:
{{- with .Values.cluster_config.ingress_whitelist_ips }}
nginx.ingress.kubernetes.io/whitelist-source-range: "{{`{{ @ }}`}},{{ join "," . }}"
{{- end }}
- name: add-nginx-whitelist
match:
resources:
kinds:
- Ingress
selector:
matchLabels:
internal: "true"
preconditions:
any:
- key: "{{`{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/whitelist-source-range\"}}`}}"
operator: Equals
value: ""
mutate:
patchStrategicMerge:
metadata:
annotations:
{{- with .Values.cluster_config.ingress_whitelist_ips }}
nginx.ingress.kubernetes.io/whitelist-source-range: "{{ join "," . }}"
{{- end }}
{{- end }}