NetworkPolicy

2026-02-17 15:17:53 +02:00 · 2026-02-17 15:03:42 +02:00 · 2026-02-17 15:03:22 +02:00 · 2026-02-17 14:59:08 +02:00 · 2026-02-17 14:56:24 +02:00 · 2026-02-17 14:53:58 +02:00
9 changed files with 220 additions and 80 deletions
--- a/.values.yaml.kate-swp
+++ b/.values.yaml.kate-swp
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,2 +1,3 @@
 name: memelord
+apiVersion: v2
 version: 1.0.0
--- a/templates/NetworkPolicy.yaml
+++ b/templates/NetworkPolicy.yaml
@@ -0,0 +1,75 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: dragonfly
+  namespace: memelord-raiko
+spec:
+  podSelector:
+    matchLabels:
+      app: memelord-raiko-redis
+  policyTypes:
+    - Ingress
+  ingress:
+    # App -> Redis
+    - from:
+        - podSelector:
+            matchLabels:
+              app: memelord-raiko
+      ports:
+        - protocol: TCP
+          port: 6379
+    - from:
+        - podSelector:
+            matchLabels:
+              app: memelord-raiko-redis
+      ports:
+        - protocol: TCP
+          port: 6379
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: postgres
+  namespace: memelord-raiko
+spec:
+  podSelector:
+    matchLabels:
+      cnpg.io/cluster: memelord-raiko-database
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+           app: memelord
+    - podSelector: # Primary-secondary replication!
+        matchLabels:
+          cnpg.io/cluster: memelord-raiko-database
+    ports:
+    - protocol: TCP
+      port: 5432
+  - ports: # Probes do work now!
+    - protocol: TCP
+      port: 8000
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: memelord
+  namespace: memelord-raiko
+spec:
+  podSelector:
+    matchLabels:
+       app: memelord
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: traefik
+    ports:
+    - protocol: TCP
+      port: 8000
--- a/templates/app.yaml
+++ b/templates/app.yaml
@@ -1,17 +1,16 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: memelord
-  namespace: memelord-raiko
+  name: {{ .Release.Name }}
 spec:
  replicas: 1
  selector:
    matchLabels:
-      app: memelord
+      app: {{ .Release.Name }}
  template:
    metadata:
      labels:
-        app: memelord
+        app: {{ .Release.Name }}
    spec:
      containers:
        - name: memelord
@@ -24,38 +23,38 @@ spec:

          env:
            - name: DOMAIN
-              value: "memelord-raiko.ee-lte-1.codemowers.io"
+              value: {{ .Values.hostname | quote }}
            - name: DB_ENGINE
              value: "postgres"
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
-                  name: memelord-raiko-database
+                  name: {{ .Release.Name }}-database
                  key: username
            - name: POSTGRES_HOST
-              value: "memelord-raiko-database-rw"
+              value: {{ .Release.Name }}-database-rw
            - name: POSTGRES_PORT
              value: "5432"
            - name: POSTGRES_DB
-              value: "memelord-raiko"
+              value: {{ .Release.Name }}
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
-                  name: memelord-raiko-database
+                  name: {{ .Release.Name }}-database
                  key: password
            - name: REDIS_HOST
-              value: "memelord-raiko-redis"
+              value: {{ .Release.Name }}-redis
            - name: REDIS_PORT
              value: "6379"
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
-                  name: memelord-raiko-redis
+                  name: {{ .Release.Name }}-redis
                  key: redis-password
            - name: STORAGE_BACKEND
              value: "s3"
            - name: AWS_STORAGE_BUCKET_NAME
-              value: "memelord-raiko"
+              value: {{ .Release.Name }}
            - name: AWS_S3_ENDPOINT_URL
              value: "https://minio.ee-lte-1.codemowers.io/"
            - name: AWS_S3_REGION_NAME
@@ -63,12 +62,12 @@ spec:
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
-                  name: memelord-raiko-bucket
+                  name: {{ .Release.Name }}-bucket
                  key: accessKey
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
-                  name: memelord-raiko-bucket
+                  name: {{ .Release.Name }}-bucket
                  key: secretKey
            - name: OIDC_ENABLED
              value: "True"
@@ -77,12 +76,12 @@ spec:
            - name: OIDC_RP_CLIENT_ID
              valueFrom:
                secretKeyRef:
-                  name: oidc-client-memelord-raiko-owner-secrets
+                  name: oidc-client-{{ .Release.Name }}-owner-secrets
                  key: OIDC_CLIENT_ID
            - name: OIDC_RP_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
-                  name: oidc-client-memelord-raiko-owner-secrets
+                  name: oidc-client-{{ .Release.Name }}-owner-secrets
                  key: OIDC_CLIENT_SECRET
            - name: OIDC_OP_AUTHORIZATION_ENDPOINT
              value: "https://auth.ee-lte-1.codemowers.io/auth"
--- a/templates/deployment.yaml
+++ b/templates/deployment.yaml
@@ -2,7 +2,7 @@
 apiVersion: secretgenerator.mittwald.de/v1alpha1
 kind: StringSecret
 metadata:
-  name: memelord-raiko-redis
+  name: {{ .Release.Name }}-redis
 spec:
  fields:
    - fieldName: redis-password
@@ -12,11 +12,11 @@ spec:
 apiVersion: dragonflydb.io/v1alpha1
 kind: Dragonfly
 metadata:
-  name: memelord-raiko-redis
+  name: {{ .Release.Name }}-redis
 spec:
  authentication:
    passwordFromSecret:
-      name: memelord-raiko-redis
+      name: {{ .Release.Name }}-redis
      key: redis-password
  replicas: 1
  resources:
@@ -30,12 +30,12 @@ spec:
 apiVersion: secretgenerator.mittwald.de/v1alpha1
 kind: StringSecret
 metadata:
-  name: memelord-raiko-database
+  name: {{ .Release.Name }}-database
  labels:
    cnpg.io/reload: "true"
 spec:
  data:
-    username: memelord-raiko
+    username: {{ .Release.Name }}
  fields:
    - fieldName: password
      length: "32"
@@ -44,7 +44,7 @@ spec:
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
-  name: memelord-raiko-database
+  name: {{ .Release.Name }}-database
 spec:
  instances: 1
  imageName: ghcr.io/cloudnative-pg/postgresql:17
@@ -69,28 +69,28 @@ spec:
      effective_cache_size: "2GB"
  managed:
    roles:
-    - name: memelord-raiko
+    - name: {{ .Release.Name }}
      ensure: present
      login: true
      passwordSecret:
-        name: memelord-raiko-database
+        name: {{ .Release.Name }}-database
 ---
 apiVersion: postgresql.cnpg.io/v1
 kind: Database
 metadata:
-  name: memelord-raiko
+  name: {{ .Release.Name }}
 spec:
-  name: memelord-raiko
-  owner: memelord-raiko
+  name: {{ .Release.Name }}
+  owner: {{ .Release.Name }}
  cluster:
-    name: memelord-raiko-database
+    name: {{ .Release.Name }}-database
 ---
 apiVersion: s3.onyxia.sh/v1alpha1
 kind: Policy
 metadata:
-  name: memelord-raiko-policy
+  name: {{ .Release.Name }}-policy
 spec:
-  name: memelord-raiko-policy
+  name: {{ .Release.Name }}-policy
  s3InstanceRef: minio/default
  policyContent: >-
    {
@@ -102,8 +102,8 @@ spec:
            "s3:*"
          ],
          "Resource": [
-            "arn:aws:s3:::memelord-raiko",
-            "arn:aws:s3:::memelord-raiko/*"
+            "arn:aws:s3:::{{ .Release.Name }}",
+            "arn:aws:s3:::{{ .Release.Name }}/*"
          ]
        }
      ]
@@ -112,19 +112,19 @@ spec:
 apiVersion: s3.onyxia.sh/v1alpha1
 kind: S3User
 metadata:
-  name: memelord-raiko-bucket
+  name: {{ .Release.Name }}-bucket
 spec:
-  accessKey: memelord-raiko-bucket
+  accessKey: {{ .Release.Name }}-bucket
  policies:
-    - memelord-raiko-policy
+    - {{ .Release.Name }}-policy
  s3InstanceRef: minio/default
 ---
 apiVersion: s3.onyxia.sh/v1alpha1
 kind: Bucket
 metadata:
-  name: memelord-raiko
+  name: {{ .Release.Name }}
 spec:
-  name: memelord-raiko
+  name: {{ .Release.Name }}
  s3InstanceRef: minio/default
  quota:
    default: 100000000
@@ -132,11 +132,11 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  name: memelord
+  name: {{ .Release.Name }}
 spec:
  type: ClusterIP
  selector:
-    app: memelord
+    app: {{ .Release.Name }}
  ports:
    - name: http
      port: 80
@@ -145,11 +145,11 @@ spec:
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: memelord-raiko
+  name: {{ .Release.Name }}
 spec:
-  secretName: memelord-raiko-tls
+  secretName: {{ .Release.Name }}-tls
  dnsNames:
-    - memelord-raiko.ee-lte-1.codemowers.io
+    - {{ .Values.hostname }}
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
@@ -157,21 +157,40 @@ spec:
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: memelord-raiko
+  name: {{ .Release.Name }}
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
  ingressClassName: traefik
  rules:
-    - host: memelord-raiko.ee-lte-1.codemowers.io
+    - host: {{ .Values.hostname }}
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
-                name: memelord
+                name: {{ .Release.Name }}
                port:
                  number: 80
  tls:
-    - secretName: memelord-raiko-tls
+    - secretName: {{ .Release.Name }}-tls
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: OIDCClient
+metadata:
+  name: {{ .Release.Name }}
+spec:
+  displayName: Memelord Raiko
+  uri: https://{{ .Values.hostname }}/oidc/authenticate/
+  redirectUris:
+    - https://{{ .Values.hostname }}/oidc/callback/
+  grantTypes:
+    - authorization_code
+    - refresh_token
+  responseTypes:
+    - code
+  availableScopes:
+    - openid
+    - profile
+  pkce: false
--- a/templates/grafana.yaml
+++ b/templates/grafana.yaml
@@ -2,8 +2,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: grafana-datasources
-  namespace: memelord-raiko
+  name: {{ .Release.Name }}-grafana-datasources
 data:
  datasources.yaml: |
    apiVersion: 1
@@ -24,20 +23,19 @@ data:
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
-  name: grafana
-  namespace: memelord-raiko
+  name: {{ .Release.Name }}-grafana
  labels:
-    app: grafana
+    app: {{ .Release.Name }}-grafana
 spec:
-  serviceName: grafana
+  serviceName: {{ .Release.Name }}-grafana
  replicas: 1
  selector:
    matchLabels:
-      app: grafana
+      app: {{ .Release.Name }}-grafana
  template:
    metadata:
      labels:
-        app: grafana
+        app: {{ .Release.Name }}-grafana
    spec:
      containers:
        - name: grafana
@@ -53,7 +51,7 @@ spec:
              value: /var/lib/grafana/grafana.db

            - name: GF_SERVER_ROOT_URL
-              value: https://grafana-raiko.ee-lte-1.codemowers.io
+              value: https://{{ .Values.grafanaHostname }}

            - name: GF_AUTH_GENERIC_OAUTH_ENABLED
              value: "true"
@@ -64,12 +62,12 @@ spec:
            - name: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
              valueFrom:
                secretKeyRef:
-                  name: oidc-client-grafana-raiko-owner-secrets
+                  name: oidc-client-grafana-{{ .Release.Name }}-owner-secrets
                  key: OIDC_CLIENT_ID
            - name: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
-                  name: oidc-client-grafana-raiko-owner-secrets
+                  name: oidc-client-grafana-{{ .Release.Name }}-owner-secrets
                  key: OIDC_CLIENT_SECRET
            - name: GF_AUTH_GENERIC_OAUTH_SCOPES
              value: "openid profile groups"
@@ -79,8 +77,6 @@ spec:
              value: "http://passmower.passmower.svc.cluster.local/token"
            - name: GF_AUTH_GENERIC_OAUTH_API_URL
              value: "http://passmower.passmower.svc.cluster.local/me"
-            # - name: GF_AUTH_GENERIC_OAUTH_SIGNOUT_REDIRECT_URL
-            #   value: "https://auth.ee-lte-1.codemowers.io//openid/session/end"

            - name: GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH
              value: "contains(groups[*], 'github.com:codemowers:admins') && 'Admin' || Viewer"
@@ -94,11 +90,10 @@ spec:
            - name: datasources
              mountPath: /etc/grafana/provisioning/datasources

-
      volumes:
        - name: datasources
          configMap:
-            name: grafana-datasources
+            name: {{ .Release.Name }}-grafana-datasources

  volumeClaimTemplates:
    - metadata:
@@ -114,14 +109,13 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  name: grafana
-  namespace: memelord-raiko
+  name: {{ .Release.Name }}-grafana
  labels:
-    app: grafana
+    app: {{ .Release.Name }}-grafana
 spec:
  type: ClusterIP
  selector:
-    app: grafana
+    app: {{ .Release.Name }}-grafana
  ports:
    - name: http
      port: 80
@@ -130,12 +124,11 @@ spec:
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: grafana-raiko
-  namespace: memelord-raiko
+  name: grafana-{{ .Release.Name }}
 spec:
-  secretName: grafana-raiko-tls
+  secretName: grafana-{{ .Release.Name }}-tls
  dnsNames:
-    - grafana-raiko.ee-lte-1.codemowers.io
+    - {{ .Values.grafanaHostname }}
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
@@ -143,35 +136,33 @@ spec:
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: grafana-raiko
-  namespace: memelord-raiko
+  name: grafana-{{ .Release.Name }}
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
  rules:
-    - host: grafana-raiko.ee-lte-1.codemowers.io
+    - host: {{ .Values.grafanaHostname }}
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
-                name: grafana
+                name: {{ .Release.Name }}-grafana
                port:
                  number: 80
  tls:
-    - secretName: grafana-raiko-tls
+    - secretName: grafana-{{ .Release.Name }}-tls
 ---
 apiVersion: codemowers.cloud/v1beta1
 kind: OIDCClient
 metadata:
-  name: grafana-raiko
-  namespace: memelord-raiko
+  name: grafana-{{ .Release.Name }}
 spec:
-  displayName: Grafana Raiko
-  uri: https://grafana-raiko.ee-lte-1.codemowers.io/
+  displayName: Grafana {{ .Release.Name }}
+  uri: https://{{ .Values.grafanaHostname }}/
  redirectUris:
-    - https://grafana-raiko.ee-lte-1.codemowers.io/login/generic_oauth
+    - https://{{ .Values.grafanaHostname }}/login/generic_oauth
  grantTypes:
    - authorization_code
    - refresh_token
--- a/templates/http-probe.yaml
+++ b/templates/http-probe.yaml
@@ -2,7 +2,7 @@
 apiVersion: monitoring.coreos.com/v1
 kind: Probe
 metadata:
-  name: reddit-probe
+  name: {{ .Release.Name }}-reddit-probe
 spec:
  module: http_2xx
  prober:
--- a/templates/kyverno.yaml
+++ b/templates/kyverno.yaml
@@ -0,0 +1,54 @@
+# ---
+# apiVersion: kyverno.io/v1
+# kind: Policy
+# metadata:
+#   name: add-default-securitycontext
+#   namespace: memelord-raiko
+# spec:
+#   rules:
+#     - name: add-default-securitycontext
+#       match:
+#         any:
+#           - resources:
+#               kinds:
+#                 - Pod
+#       mutate:
+#         patchStrategicMerge:
+#           spec:
+#             securityContext:
+#               +(runAsNonRoot): true
+#               +(runAsUser): 1000
+#               +(runAsGroup): 3000
+#               +(fsGroup): 2000
+#
+# ---
+# apiVersion: kyverno.io/v1
+# kind: Policy
+# metadata:
+#   name: require-run-as-non-root-user
+#   namespace: memelord-raiko
+# spec:
+#   validationFailureAction: Enforce
+#   background: false
+#   rules:
+#     - name: run-as-non-root-user
+#       match:
+#         any:
+#           - resources:
+#               kinds:
+#                 - Pod
+#       validate:
+#         message: Running as root is not allowed. The fields spec.securityContext.runAsUser, spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser, and spec.ephemeralContainers[*].securityContext.runAsUser must be unset or set to a number greater than zero.
+#         pattern:
+#           spec:
+#             "=(securityContext)":
+#               "=(runAsUser)": ">0"
+#             "=(ephemeralContainers)":
+#               - "=(securityContext)":
+#                   "=(runAsUser)": ">0"
+#             "=(initContainers)":
+#               - "=(securityContext)":
+#                   "=(runAsUser)": ">0"
+#             containers:
+#               - "=(securityContext)":
+#                   "=(runAsUser)": ">0"
--- a/values.yaml
+++ b/values.yaml
@@ -1 +1,2 @@
 hostname: memelord-raiko.ee-lte-1.codemowers.io
+grafanaHostname: grafana-raiko.ee-lte-1.codemowers.io
Author	SHA1	Message	Date
Raiko Oll	76a89520e1	NetworkPolicy	2026-02-17 15:17:53 +02:00
Raiko Oll	6ab4467a25	NetworkPolicy	2026-02-17 15:03:42 +02:00
Raiko Oll	9aeea7b830	NetworkPolicy	2026-02-17 15:03:22 +02:00
Raiko Oll	23ea92636e	NetworkPolicy	2026-02-17 14:59:08 +02:00
Raiko Oll	1384b3ab50	NetworkPolicy	2026-02-17 14:56:24 +02:00
Raiko Oll	3d6b022cad	NetworkPolicy	2026-02-17 14:53:58 +02:00
Raiko Oll	46807f93d9	NetworkPolicy	2026-02-17 14:45:26 +02:00
Raiko Oll	a62e3aba2f	Network policy	2026-02-17 14:35:47 +02:00
Raiko Oll	77ef9348f9	Network policy	2026-02-17 14:34:53 +02:00
Raiko Oll	0cf4f155de	asd	2026-02-17 13:36:24 +02:00
Raiko Oll	a95fad4423	kyverno	2026-02-17 13:21:26 +02:00
Raiko Oll	06307b4047	kyverno	2026-02-17 13:20:52 +02:00
Raiko Oll	6569a6c33b	kyverno dont allow root	2026-02-17 13:04:14 +02:00
Raiko Oll	04f351706c	oidc fix	2026-02-17 09:57:23 +02:00
Raiko Oll	314c75d8df	oidc fix	2026-02-17 09:50:19 +02:00
Raiko Oll	28334c15a3	push	2026-02-16 21:52:23 +02:00
Raiko Oll	d50b5f22e6	push	2026-02-16 21:51:53 +02:00