NetworkPolicy

templates/NetworkPolicy.yaml

@@ -0,0 +1,75 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: dragonfly
+  namespace: memelord-raiko
+spec:
+  podSelector:
+    matchLabels:
+      app: memelord-raiko-redis
+  policyTypes:
+    - Ingress
+  ingress:
+    # App -> Redis
+    - from:
+        - podSelector:
+            matchLabels:
+              app: memelord-raiko
+      ports:
+        - protocol: TCP
+          port: 6379
+    - from:
+        - podSelector:
+            matchLabels:
+              app: memelord-raiko-redis
+      ports:
+        - protocol: TCP
+          port: 6379
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: postgres
+  namespace: memelord-raiko
+spec:
+  podSelector:
+    matchLabels:
+      cnpg.io/cluster: memelord-raiko-database
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+           app: memelord
+    - podSelector: # Primary-secondary replication!
+        matchLabels:
+          cnpg.io/cluster: memelord-raiko-database
+    ports:
+    - protocol: TCP
+      port: 5432
+  - ports: # Probes do work now!
+    - protocol: TCP
+      port: 8000
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: memelord
+  namespace: memelord-raiko
+spec:
+  podSelector:
+    matchLabels:
+       app: memelord
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: traefik
+    ports:
+    - protocol: TCP
+      port: 8000

templates/deployment.yaml

@@ -175,3 +175,22 @@ spec:
                   number: 80
   tls:
     - secretName: {{ .Release.Name }}-tls
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: OIDCClient
+metadata:
+  name: {{ .Release.Name }}
+spec:
+  displayName: Memelord Raiko
+  uri: https://{{ .Values.hostname }}/oidc/authenticate/
+  redirectUris:
+    - https://{{ .Values.hostname }}/oidc/callback/
+  grantTypes:
+    - authorization_code
+    - refresh_token
+  responseTypes:
+    - code
+  availableScopes:
+    - openid
+    - profile
+  pkce: false

templates/kyverno.yaml

@@ -0,0 +1,54 @@
+# ---
+# apiVersion: kyverno.io/v1
+# kind: Policy
+# metadata:
+#   name: add-default-securitycontext
+#   namespace: memelord-raiko
+# spec:
+#   rules:
+#     - name: add-default-securitycontext
+#       match:
+#         any:
+#           - resources:
+#               kinds:
+#                 - Pod
+#       mutate:
+#         patchStrategicMerge:
+#           spec:
+#             securityContext:
+#               +(runAsNonRoot): true
+#               +(runAsUser): 1000
+#               +(runAsGroup): 3000
+#               +(fsGroup): 2000
+#
+# ---
+# apiVersion: kyverno.io/v1
+# kind: Policy
+# metadata:
+#   name: require-run-as-non-root-user
+#   namespace: memelord-raiko
+# spec:
+#   validationFailureAction: Enforce
+#   background: false
+#   rules:
+#     - name: run-as-non-root-user
+#       match:
+#         any:
+#           - resources:
+#               kinds:
+#                 - Pod
+#       validate:
+#         message: Running as root is not allowed. The fields spec.securityContext.runAsUser, spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser, and spec.ephemeralContainers[*].securityContext.runAsUser must be unset or set to a number greater than zero.
+#         pattern:
+#           spec:
+#             "=(securityContext)":
+#               "=(runAsUser)": ">0"
+#             "=(ephemeralContainers)":
+#               - "=(securityContext)":
+#                   "=(runAsUser)": ">0"
+#             "=(initContainers)":
+#               - "=(securityContext)":
+#                   "=(runAsUser)": ">0"
+#             containers:
+#               - "=(securityContext)":
+#                   "=(runAsUser)": ">0"