NetworkPolicy

Chart.yaml

@@ -1,2 +1,3 @@
 name: memelord
+apiVersion: v2
 version: 1.0.0

templates/NetworkPolicy.yaml

@@ -0,0 +1,75 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: dragonfly
+  namespace: memelord-raiko
+spec:
+  podSelector:
+    matchLabels:
+      app: memelord-raiko-redis
+  policyTypes:
+    - Ingress
+  ingress:
+    # App -> Redis
+    - from:
+        - podSelector:
+            matchLabels:
+              app: memelord-raiko
+      ports:
+        - protocol: TCP
+          port: 6379
+    - from:
+        - podSelector:
+            matchLabels:
+              app: memelord-raiko-redis
+      ports:
+        - protocol: TCP
+          port: 6379
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: postgres
+  namespace: memelord-raiko
+spec:
+  podSelector:
+    matchLabels:
+      cnpg.io/cluster: memelord-raiko-database
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+           app: memelord
+    - podSelector: # Primary-secondary replication!
+        matchLabels:
+          cnpg.io/cluster: memelord-raiko-database
+    ports:
+    - protocol: TCP
+      port: 5432
+  - ports: # Probes do work now!
+    - protocol: TCP
+      port: 8000
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: memelord
+  namespace: memelord-raiko
+spec:
+  podSelector:
+    matchLabels:
+       app: memelord
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: traefik
+    ports:
+    - protocol: TCP
+      port: 8000

templates/app.yaml

@@ -1,17 +1,16 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: memelord
+  name: {{ .Release.Name }}
-  namespace: memelord-raiko
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: memelord
+      app: {{ .Release.Name }}
   template:
     metadata:
       labels:
-        app: memelord
+        app: {{ .Release.Name }}
     spec:
       containers:
         - name: memelord
@@ -24,38 +23,38 @@ spec:
 
           env:
             - name: DOMAIN
-              value: "memelord-raiko.ee-lte-1.codemowers.io"
+              value: {{ .Values.hostname | quote }}
             - name: DB_ENGINE
               value: "postgres"
             - name: POSTGRES_USER
               valueFrom:
                 secretKeyRef:
-                  name: memelord-raiko-database
+                  name: {{ .Release.Name }}-database
                   key: username
             - name: POSTGRES_HOST
-              value: "memelord-raiko-database-rw"
+              value: {{ .Release.Name }}-database-rw
             - name: POSTGRES_PORT
               value: "5432"
             - name: POSTGRES_DB
-              value: "memelord-raiko"
+              value: {{ .Release.Name }}
             - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: memelord-raiko-database
+                  name: {{ .Release.Name }}-database
                   key: password
             - name: REDIS_HOST
-              value: "memelord-raiko-redis"
+              value: {{ .Release.Name }}-redis
             - name: REDIS_PORT
               value: "6379"
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: memelord-raiko-redis
+                  name: {{ .Release.Name }}-redis
                   key: redis-password
             - name: STORAGE_BACKEND
               value: "s3"
             - name: AWS_STORAGE_BUCKET_NAME
-              value: "memelord-raiko"
+              value: {{ .Release.Name }}
             - name: AWS_S3_ENDPOINT_URL
               value: "https://minio.ee-lte-1.codemowers.io/"
             - name: AWS_S3_REGION_NAME
@@ -63,12 +62,12 @@ spec:
             - name: AWS_ACCESS_KEY_ID
               valueFrom:
                 secretKeyRef:
-                  name: memelord-raiko-bucket
+                  name: {{ .Release.Name }}-bucket
                   key: accessKey
             - name: AWS_SECRET_ACCESS_KEY
               valueFrom:
                 secretKeyRef:
-                  name: memelord-raiko-bucket
+                  name: {{ .Release.Name }}-bucket
                   key: secretKey
             - name: OIDC_ENABLED
               value: "True"
@@ -77,12 +76,12 @@ spec:
             - name: OIDC_RP_CLIENT_ID
               valueFrom:
                 secretKeyRef:
-                  name: oidc-client-memelord-raiko-owner-secrets
+                  name: oidc-client-{{ .Release.Name }}-owner-secrets
                   key: OIDC_CLIENT_ID
             - name: OIDC_RP_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: oidc-client-memelord-raiko-owner-secrets
+                  name: oidc-client-{{ .Release.Name }}-owner-secrets
                   key: OIDC_CLIENT_SECRET
             - name: OIDC_OP_AUTHORIZATION_ENDPOINT
               value: "https://auth.ee-lte-1.codemowers.io/auth"

templates/deployment.yaml

@@ -2,7 +2,7 @@
 apiVersion: secretgenerator.mittwald.de/v1alpha1
 kind: StringSecret
 metadata:
-  name: memelord-raiko-redis
+  name: {{ .Release.Name }}-redis
 spec:
   fields:
     - fieldName: redis-password
@@ -12,11 +12,11 @@ spec:
 apiVersion: dragonflydb.io/v1alpha1
 kind: Dragonfly
 metadata:
-  name: memelord-raiko-redis
+  name: {{ .Release.Name }}-redis
 spec:
   authentication:
     passwordFromSecret:
-      name: memelord-raiko-redis
+      name: {{ .Release.Name }}-redis
       key: redis-password
   replicas: 1
   resources:
@@ -30,12 +30,12 @@ spec:
 apiVersion: secretgenerator.mittwald.de/v1alpha1
 kind: StringSecret
 metadata:
-  name: memelord-raiko-database
+  name: {{ .Release.Name }}-database
   labels:
     cnpg.io/reload: "true"
 spec:
   data:
-    username: memelord-raiko
+    username: {{ .Release.Name }}
   fields:
     - fieldName: password
       length: "32"
@@ -44,7 +44,7 @@ spec:
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
-  name: memelord-raiko-database
+  name: {{ .Release.Name }}-database
 spec:
   instances: 1
   imageName: ghcr.io/cloudnative-pg/postgresql:17
@@ -69,28 +69,28 @@ spec:
       effective_cache_size: "2GB"
   managed:
     roles:
-    - name: memelord-raiko
+    - name: {{ .Release.Name }}
       ensure: present
       login: true
       passwordSecret:
-        name: memelord-raiko-database
+        name: {{ .Release.Name }}-database
 ---
 apiVersion: postgresql.cnpg.io/v1
 kind: Database
 metadata:
-  name: memelord-raiko
+  name: {{ .Release.Name }}
 spec:
-  name: memelord-raiko
+  name: {{ .Release.Name }}
-  owner: memelord-raiko
+  owner: {{ .Release.Name }}
   cluster:
-    name: memelord-raiko-database
+    name: {{ .Release.Name }}-database
 ---
 apiVersion: s3.onyxia.sh/v1alpha1
 kind: Policy
 metadata:
-  name: memelord-raiko-policy
+  name: {{ .Release.Name }}-policy
 spec:
-  name: memelord-raiko-policy
+  name: {{ .Release.Name }}-policy
   s3InstanceRef: minio/default
   policyContent: >-
     {
@@ -102,8 +102,8 @@ spec:
             "s3:*"
           ],
           "Resource": [
-            "arn:aws:s3:::memelord-raiko",
+            "arn:aws:s3:::{{ .Release.Name }}",
-            "arn:aws:s3:::memelord-raiko/*"
+            "arn:aws:s3:::{{ .Release.Name }}/*"
           ]
         }
       ]
@@ -112,19 +112,19 @@ spec:
 apiVersion: s3.onyxia.sh/v1alpha1
 kind: S3User
 metadata:
-  name: memelord-raiko-bucket
+  name: {{ .Release.Name }}-bucket
 spec:
-  accessKey: memelord-raiko-bucket
+  accessKey: {{ .Release.Name }}-bucket
   policies:
-    - memelord-raiko-policy
+    - {{ .Release.Name }}-policy
   s3InstanceRef: minio/default
 ---
 apiVersion: s3.onyxia.sh/v1alpha1
 kind: Bucket
 metadata:
-  name: memelord-raiko
+  name: {{ .Release.Name }}
 spec:
-  name: memelord-raiko
+  name: {{ .Release.Name }}
   s3InstanceRef: minio/default
   quota:
     default: 100000000
@@ -132,11 +132,11 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  name: memelord
+  name: {{ .Release.Name }}
 spec:
   type: ClusterIP
   selector:
-    app: memelord
+    app: {{ .Release.Name }}
   ports:
     - name: http
       port: 80
@@ -145,11 +145,11 @@ spec:
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: memelord-raiko
+  name: {{ .Release.Name }}
 spec:
-  secretName: memelord-raiko-tls
+  secretName: {{ .Release.Name }}-tls
   dnsNames:
-    - memelord-raiko.ee-lte-1.codemowers.io
+    - {{ .Values.hostname }}
   issuerRef:
     name: letsencrypt
     kind: ClusterIssuer
@@ -157,21 +157,40 @@ spec:
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: memelord-raiko
+  name: {{ .Release.Name }}
   annotations:
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
   ingressClassName: traefik
   rules:
-    - host: memelord-raiko.ee-lte-1.codemowers.io
+    - host: {{ .Values.hostname }}
       http:
         paths:
           - pathType: Prefix
             path: "/"
             backend:
               service:
-                name: memelord
+                name: {{ .Release.Name }}
                 port:
                   number: 80
   tls:
-    - secretName: memelord-raiko-tls
+    - secretName: {{ .Release.Name }}-tls
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: OIDCClient
+metadata:
+  name: {{ .Release.Name }}
+spec:
+  displayName: Memelord Raiko
+  uri: https://{{ .Values.hostname }}/oidc/authenticate/
+  redirectUris:
+    - https://{{ .Values.hostname }}/oidc/callback/
+  grantTypes:
+    - authorization_code
+    - refresh_token
+  responseTypes:
+    - code
+  availableScopes:
+    - openid
+    - profile
+  pkce: false

templates/grafana.yaml

@@ -2,8 +2,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: grafana-datasources
+  name: {{ .Release.Name }}-grafana-datasources
-  namespace: memelord-raiko
 data:
   datasources.yaml: |
     apiVersion: 1
@@ -24,20 +23,19 @@ data:
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
-  name: grafana
+  name: {{ .Release.Name }}-grafana
-  namespace: memelord-raiko
   labels:
-    app: grafana
+    app: {{ .Release.Name }}-grafana
 spec:
-  serviceName: grafana
+  serviceName: {{ .Release.Name }}-grafana
   replicas: 1
   selector:
     matchLabels:
-      app: grafana
+      app: {{ .Release.Name }}-grafana
   template:
     metadata:
       labels:
-        app: grafana
+        app: {{ .Release.Name }}-grafana
     spec:
       containers:
         - name: grafana
@@ -53,7 +51,7 @@ spec:
               value: /var/lib/grafana/grafana.db
 
             - name: GF_SERVER_ROOT_URL
-              value: https://grafana-raiko.ee-lte-1.codemowers.io
+              value: https://{{ .Values.grafanaHostname }}
 
             - name: GF_AUTH_GENERIC_OAUTH_ENABLED
               value: "true"
@@ -64,12 +62,12 @@ spec:
             - name: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
               valueFrom:
                 secretKeyRef:
-                  name: oidc-client-grafana-raiko-owner-secrets
+                  name: oidc-client-grafana-{{ .Release.Name }}-owner-secrets
                   key: OIDC_CLIENT_ID
             - name: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: oidc-client-grafana-raiko-owner-secrets
+                  name: oidc-client-grafana-{{ .Release.Name }}-owner-secrets
                   key: OIDC_CLIENT_SECRET
             - name: GF_AUTH_GENERIC_OAUTH_SCOPES
               value: "openid profile groups"
@@ -79,8 +77,6 @@ spec:
               value: "http://passmower.passmower.svc.cluster.local/token"
             - name: GF_AUTH_GENERIC_OAUTH_API_URL
               value: "http://passmower.passmower.svc.cluster.local/me"
-            # - name: GF_AUTH_GENERIC_OAUTH_SIGNOUT_REDIRECT_URL
-            #   value: "https://auth.ee-lte-1.codemowers.io//openid/session/end"
 
             - name: GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH
               value: "contains(groups[*], 'github.com:codemowers:admins') && 'Admin' || Viewer"
@@ -94,11 +90,10 @@ spec:
             - name: datasources
               mountPath: /etc/grafana/provisioning/datasources
 
-
       volumes:
         - name: datasources
           configMap:
-            name: grafana-datasources
+            name: {{ .Release.Name }}-grafana-datasources
 
   volumeClaimTemplates:
     - metadata:
@@ -114,14 +109,13 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  name: grafana
+  name: {{ .Release.Name }}-grafana
-  namespace: memelord-raiko
   labels:
-    app: grafana
+    app: {{ .Release.Name }}-grafana
 spec:
   type: ClusterIP
   selector:
-    app: grafana
+    app: {{ .Release.Name }}-grafana
   ports:
     - name: http
       port: 80
@@ -130,12 +124,11 @@ spec:
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: grafana-raiko
+  name: grafana-{{ .Release.Name }}
-  namespace: memelord-raiko
 spec:
-  secretName: grafana-raiko-tls
+  secretName: grafana-{{ .Release.Name }}-tls
   dnsNames:
-    - grafana-raiko.ee-lte-1.codemowers.io
+    - {{ .Values.grafanaHostname }}
   issuerRef:
     name: letsencrypt
     kind: ClusterIssuer
@@ -143,35 +136,33 @@ spec:
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: grafana-raiko
+  name: grafana-{{ .Release.Name }}
-  namespace: memelord-raiko
   annotations:
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
   rules:
-    - host: grafana-raiko.ee-lte-1.codemowers.io
+    - host: {{ .Values.grafanaHostname }}
       http:
         paths:
           - pathType: Prefix
             path: "/"
             backend:
               service:
-                name: grafana
+                name: {{ .Release.Name }}-grafana
                 port:
                   number: 80
   tls:
-    - secretName: grafana-raiko-tls
+    - secretName: grafana-{{ .Release.Name }}-tls
 ---
 apiVersion: codemowers.cloud/v1beta1
 kind: OIDCClient
 metadata:
-  name: grafana-raiko
+  name: grafana-{{ .Release.Name }}
-  namespace: memelord-raiko
 spec:
-  displayName: Grafana Raiko
+  displayName: Grafana {{ .Release.Name }}
-  uri: https://grafana-raiko.ee-lte-1.codemowers.io/
+  uri: https://{{ .Values.grafanaHostname }}/
   redirectUris:
-    - https://grafana-raiko.ee-lte-1.codemowers.io/login/generic_oauth
+    - https://{{ .Values.grafanaHostname }}/login/generic_oauth
   grantTypes:
     - authorization_code
     - refresh_token

templates/http-probe.yaml

@@ -2,7 +2,7 @@
 apiVersion: monitoring.coreos.com/v1
 kind: Probe
 metadata:
-  name: reddit-probe
+  name: {{ .Release.Name }}-reddit-probe
 spec:
   module: http_2xx
   prober:

templates/kyverno.yaml

@@ -0,0 +1,54 @@
+# ---
+# apiVersion: kyverno.io/v1
+# kind: Policy
+# metadata:
+#   name: add-default-securitycontext
+#   namespace: memelord-raiko
+# spec:
+#   rules:
+#     - name: add-default-securitycontext
+#       match:
+#         any:
+#           - resources:
+#               kinds:
+#                 - Pod
+#       mutate:
+#         patchStrategicMerge:
+#           spec:
+#             securityContext:
+#               +(runAsNonRoot): true
+#               +(runAsUser): 1000
+#               +(runAsGroup): 3000
+#               +(fsGroup): 2000
+#
+# ---
+# apiVersion: kyverno.io/v1
+# kind: Policy
+# metadata:
+#   name: require-run-as-non-root-user
+#   namespace: memelord-raiko
+# spec:
+#   validationFailureAction: Enforce
+#   background: false
+#   rules:
+#     - name: run-as-non-root-user
+#       match:
+#         any:
+#           - resources:
+#               kinds:
+#                 - Pod
+#       validate:
+#         message: Running as root is not allowed. The fields spec.securityContext.runAsUser, spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser, and spec.ephemeralContainers[*].securityContext.runAsUser must be unset or set to a number greater than zero.
+#         pattern:
+#           spec:
+#             "=(securityContext)":
+#               "=(runAsUser)": ">0"
+#             "=(ephemeralContainers)":
+#               - "=(securityContext)":
+#                   "=(runAsUser)": ">0"
+#             "=(initContainers)":
+#               - "=(securityContext)":
+#                   "=(runAsUser)": ">0"
+#             containers:
+#               - "=(securityContext)":
+#                   "=(runAsUser)": ">0"

values.yaml

@@ -1 +1,2 @@
 hostname: memelord-raiko.ee-lte-1.codemowers.io
+grafanaHostname: grafana-raiko.ee-lte-1.codemowers.io