From 12cfe5ce79d9c9f709682d5a542f9e4c72dd6efa Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?M=C3=A1rcio=20Fernandes?= Date: Sat, 7 Mar 2026 11:06:29 +0000 Subject: [PATCH] - network-policies - egress - folder structure revision - ops scripts revision - helm chart update version - 12.5.0 --- .gitea/workflows/app-continous-deploy.yaml | 33 ++++++++-------- .vscode/settings.json | 3 ++ README.md | 23 ++++++----- deploy/{helm => app/.env.d}/.env.example | 0 .../cronjobs/backups/.env.d/secrets.example | 7 ---- .../values.yaml => app/helm-values.yaml} | 0 deploy/app/kustomization.yaml | 17 --------- .../cronjobs => }/backups/.env.d/.gitignore | 0 .../backups/.env.d/borg_key.example | 0 .../backups/.env.d/id_rsa.example | 0 deploy/backups/.env.d/secrets.example | 7 ++++ .../cronjobs/borg-offsite-cronjob.yaml} | 0 .../cronjobs/pbs-cronjob.yaml} | 0 deploy/backups/kustomization.yaml | 17 +++++++++ deploy/infra/.env.d/.env.example | 1 + deploy/infra/.env.d/.gitignore | 3 ++ deploy/infra/cd-service-account-token.yaml | 8 ---- deploy/infra/cd-service-account.yaml | 6 --- ...ac.yaml => continuous-deploy-account.yaml} | 19 ++++++++++ deploy/infra/kustomization.yaml | 25 ++++++++++-- .../egress-local-services.yaml | 21 ++++++++++ deploy/infra/network-policies/egress.yaml | 38 +++++++++++++++++++ ops-scripts/apply-app.sh | 13 +++---- 23 files changed, 166 insertions(+), 75 deletions(-) rename deploy/{helm => app/.env.d}/.env.example (100%) delete mode 100644 deploy/app/cronjobs/backups/.env.d/secrets.example rename deploy/{helm/values.yaml => app/helm-values.yaml} (100%) delete mode 100644 deploy/app/kustomization.yaml rename deploy/{app/cronjobs => }/backups/.env.d/.gitignore (100%) rename deploy/{app/cronjobs => }/backups/.env.d/borg_key.example (100%) rename deploy/{app/cronjobs => }/backups/.env.d/id_rsa.example (100%) create mode 100644 deploy/backups/.env.d/secrets.example rename deploy/{app/cronjobs/backups/backup-borg-offsite-cronjob.yaml => backups/cronjobs/borg-offsite-cronjob.yaml} (100%) rename 
deploy/{app/cronjobs/backups/backup-pbs-cronjob.yaml => backups/cronjobs/pbs-cronjob.yaml} (100%) create mode 100644 deploy/backups/kustomization.yaml create mode 100644 deploy/infra/.env.d/.env.example create mode 100644 deploy/infra/.env.d/.gitignore delete mode 100644 deploy/infra/cd-service-account-token.yaml delete mode 100644 deploy/infra/cd-service-account.yaml rename deploy/infra/{cd-service-account-rbac.yaml => continuous-deploy-account.yaml} (80%) create mode 100644 deploy/infra/network-policies/egress-local-services.yaml create mode 100644 deploy/infra/network-policies/egress.yaml
diff --git a/.gitea/workflows/app-continous-deploy.yaml b/.gitea/workflows/app-continous-deploy.yaml
index 3cef692..4f50e26 100644
--- a/.gitea/workflows/app-continous-deploy.yaml
+++ b/.gitea/workflows/app-continous-deploy.yaml
@@ -69,25 +69,24 @@ jobs: # ensure cleanup always runs trap 'rm -f \ - deploy/app/cronjobs/backups/.env.d/secrets \ - deploy/app/cronjobs/backups/.env.d/id_rsa \ - deploy/app/cronjobs/backups/.env.d/borg_key' EXIT + deploy/backups/backups/.env.d/secrets \ + deploy/backups/backups/.env.d/id_rsa \ + deploy/backups/backups/.env.d/borg_key' EXIT - # setup env for cronjobs backups - echo "PBS_REPOSITORY=${CRONJOBS_BACKUPS_SECRETS_PBS_REPOSITORY}" >> deploy/app/cronjobs/backups/.env.d/secrets - echo "PBS_PASSWORD=${CRONJOBS_BACKUPS_SECRETS_PBS_PASSWORD}" >> deploy/app/cronjobs/backups/.env.d/secrets - echo "PBS_FINGERPRINT=${CRONJOBS_BACKUPS_SECRETS_PBS_FINGERPRINT}" >> deploy/app/cronjobs/backups/.env.d/secrets - echo "BORG_REPO=${CRONJOBS_BACKUPS_SECRETS_BORG_REPO}" >> deploy/app/cronjobs/backups/.env.d/secrets - echo "BORG_PASSPHRASE=${CRONJOBS_BACKUPS_SECRETS_BORG_PASSPHRASE}" >> deploy/app/cronjobs/backups/.env.d/secrets - echo "OFFSITE_TARGET_FOLDER=${CRONJOBS_BACKUPS_SECRETS_OFFSITE_TARGET_FOLDER}" >> deploy/app/cronjobs/backups/.env.d/secrets + # setup secrets files + echo "PBS_REPOSITORY=${CRONJOBS_BACKUPS_SECRETS_PBS_REPOSITORY}" >> deploy/backups/cronjobs/.env.d/secrets + echo "PBS_PASSWORD=${CRONJOBS_BACKUPS_SECRETS_PBS_PASSWORD}" >> deploy/backups/cronjobs/.env.d/secrets + echo "PBS_FINGERPRINT=${CRONJOBS_BACKUPS_SECRETS_PBS_FINGERPRINT}" >> deploy/backups/backups/.env.d/secrets + echo "BORG_REPO=${CRONJOBS_BACKUPS_SECRETS_BORG_REPO}" >> deploy/backups/cronjobs/.env.d/secrets + echo "BORG_PASSPHRASE=${CRONJOBS_BACKUPS_SECRETS_BORG_PASSPHRASE}" >> deploy/backups/cronjobs/.env.d/secrets + echo "OFFSITE_TARGET_FOLDER=${CRONJOBS_BACKUPS_SECRETS_OFFSITE_TARGET_FOLDER}" >> deploy/backups/cronjobs/.env.d/secrets + echo "${CRONJOBS_BACKUPS_SECRETS_ID_RSA}" >> deploy/backups/cronjobs/.env.d/id_rsa + echo "${CRONJOBS_BACKUPS_SECRETS_BORG_KEY}" >> deploy/backups/cronjobs/.env.d/borg_key - echo "${CRONJOBS_BACKUPS_SECRETS_ID_RSA}" >> 
deploy/app/cronjobs/backups/.env.d/id_rsa - echo "${CRONJOBS_BACKUPS_SECRETS_BORG_KEY}" >> deploy/app/cronjobs/backups/.env.d/borg_key - - # enforce security - chmod 600 deploy/app/cronjobs/backups/.env.d/secrets - chmod 600 deploy/app/cronjobs/backups/.env.d/id_rsa - chmod 600 deploy/app/cronjobs/backups/.env.d/borg_key + # enforce secrets files security + chmod 600 deploy/backups/cronjobs/.env.d/secrets + chmod 600 deploy/backups/cronjobs/.env.d/id_rsa + chmod 600 deploy/backups/cronjobs/.env.d/borg_key # invoke deploy script ops-scripts/apply-app.sh
diff --git a/.vscode/settings.json b/.vscode/settings.json
index ab9d76b..d1e70a7 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,5 +1,8 @@ { "cSpell.words": [ + "networkpolicies", + "poddisruptionbudgets", + "serviceaccounts", "valkey" ] } \ No newline at end of file
diff --git a/README.md b/README.md
index 4288d99..6675024 100644
--- a/README.md
+++ b/README.md
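Review bot: The secret files are written, chmod'ed and cleaned up under three different directories, and none of them is the one `deploy/backups/kustomization.yaml` (later in this commit) reads: the `trap` removes `deploy/backups/backups/.env.d/*`, the `echo` lines write `deploy/backups/cronjobs/.env.d/*` except `PBS_FINGERPRINT`, which goes to `deploy/backups/backups/.env.d/secrets`, and the kustomization's `envs: .env.d/secrets` resolves to `deploy/backups/.env.d/secrets`. As written, `kubectl kustomize deploy/backups` fails on its missing inputs, and the EXIT trap never removes the files that were actually created, so the PBS password, borg passphrase and SSH key remain in the runner workspace after the job. Put the directory in one variable used by the trap, the writes and the chmod, and set `umask 077` before the first write so the files are never created readable by others (the README hunk documents the `deploy/backups/cronjobs/.env.d/` path as well and should follow the same directory). The `run:` block these lines belong to starts before the hunk.
```yaml
          secrets_dir=deploy/backups/.env.d   # must match the envs/files paths in deploy/backups/kustomization.yaml
          umask 077
          # ensure cleanup always runs
          trap 'rm -f "$secrets_dir"/secrets "$secrets_dir"/id_rsa "$secrets_dir"/borg_key' EXIT
          # … unchanged: the echo lines, now redirected to "$secrets_dir"/secrets, "$secrets_dir"/id_rsa and "$secrets_dir"/borg_key …
          # enforce secrets files security
          chmod 600 "$secrets_dir"/secrets "$secrets_dir"/id_rsa "$secrets_dir"/borg_key
```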
@@ -5,31 +5,34 @@ Welcome to public repository of my [Git Server](https://git.limbosolutions.com) Using [gitea](https://git.limbosolutions.com/kb/gitea) as git server. - [Deploy](#deploy) - - [App](#app) - [Continuous Deploy](#continuous-deploy) + - [App](#app) - [Infra](#infra) - [Backups](#backups) ## Deploy +### Continuous Deploy + +Executes [App Deploy](#app) using [Gitea workflow](./.gitea/workflows/app-deploy.yaml). + ### App **Environment files:** -- ./deploy/app/cronjobs/backups/.env.d/secrets [Example](./deploy/app/cronjobs/backups/.env.d/secrets.example) -- ./deploy/app/cronjobs/backups/.env.d/borg_key [Example](./deploy/app/cronjobs/backups/.env.d/borg_key.example) -- ./deploy/app/cronjobs/backups/.env.d/id_rsa [Example](./deploy/app/cronjobs/backups/.env.d/id_rsa.example) -- ./deploy/helm/.env [Example](./deploy/helm/.env.example) +- ./deploy/backups/cronjobs/.env.d/secrets [Example](./deploy/backups/cronjobs/.env.d/secrets.example) +- ./deploy/backups/cronjobs/.env.d/borg_key [Example](./deploy/backups/cronjobs/.env.d/borg_key.example) +- ./deploy/backups/cronjobs/.env.d/id_rsa [Example](./deploy/backups/cronjobs/.env.d/id_rsa.example) +- ./deploy/app/.env [Example](./deploy/app/.env.example) + +Deploy App ```bash ./ops-scripts/apply-app.sh ``` -- [kustomization](/deploy/app/kustomization.yaml) - -### Continuous Deploy - -Executes [App Deploy](#app) using [Gitea workflow](./.gitea/workflows/app-deploy.yaml). +- [backups-kustomization](/deploy/app/kustomization.yaml) +- ### Infra
diff --git a/deploy/helm/.env.example b/deploy/app/.env.d/.env.example similarity index 100% rename from deploy/helm/.env.example rename to deploy/app/.env.d/.env.example
diff --git a/deploy/app/cronjobs/backups/.env.d/secrets.example b/deploy/app/cronjobs/backups/.env.d/secrets.example deleted file mode 100644
index 8403173..0000000
--- a/deploy/app/cronjobs/backups/.env.d/secrets.example
+++ /dev/null
@@ -1,7 +0,0 @@ -PBS_REPOSITORY="pbs repository" -PBS_PASSWORD="pbs access passwordd" -PBS_FINGERPRINT="00:00:00:00:00" # the pbs finger print -BORG_REPO="ssh://user@reposerver/path" # required by offsite babckup -BORG_PASSPHRASE="borg passphare" # required by offsite babckup -OFFSITE_TARGET_FOLDER="test:target_path" # follow rclone naming convension -
diff --git a/deploy/helm/values.yaml b/deploy/app/helm-values.yaml similarity index 100% rename from deploy/helm/values.yaml rename to deploy/app/helm-values.yaml
diff --git a/deploy/app/kustomization.yaml b/deploy/app/kustomization.yaml deleted file mode 100644
index b35a41f..0000000
--- a/deploy/app/kustomization.yaml
+++ /dev/null
@@ -1,17 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - cronjobs/backups/backup-borg-offsite-cronjob.yaml - - cronjobs/backups/backup-pbs-cronjob.yaml - -secretGenerator: -- name: gitea-backup - namespace: git-limbosolutions-com - envs: - - cronjobs/backups/.env.d/secrets - files: - - BORG_KEY=cronjobs/backups/.env.d/borg_key - - SSH_ID_RSA=cronjobs/backups/.env.d/id_rsa - -generatorOptions: - disableNameSuffixHash: true \ No newline at end of file
diff --git a/deploy/app/cronjobs/backups/.env.d/.gitignore b/deploy/backups/.env.d/.gitignore similarity index 100% rename from deploy/app/cronjobs/backups/.env.d/.gitignore rename to deploy/backups/.env.d/.gitignore
diff --git a/deploy/app/cronjobs/backups/.env.d/borg_key.example b/deploy/backups/.env.d/borg_key.example similarity index 100% rename from deploy/app/cronjobs/backups/.env.d/borg_key.example rename to deploy/backups/.env.d/borg_key.example
diff --git a/deploy/app/cronjobs/backups/.env.d/id_rsa.example b/deploy/backups/.env.d/id_rsa.example similarity index 100% rename from deploy/app/cronjobs/backups/.env.d/id_rsa.example rename to deploy/backups/.env.d/id_rsa.example
diff --git a/deploy/backups/.env.d/secrets.example b/deploy/backups/.env.d/secrets.example new file mode 100644
index 0000000..b5b097b
--- /dev/null
+++ b/deploy/backups/.env.d/secrets.example
@@ -0,0 +1,7 @@ +PBS_REPOSITORY="pbs repository" +PBS_PASSWORD="pbs access password" +PBS_FINGERPRINT="00:00:00:00:00" # the pbs finger print +BORG_REPO="ssh://user@server/path" # required by offsite backup +BORG_PASSPHRASE="borg passphrase" # required by offsite backup +OFFSITE_TARGET_FOLDER="test:target_path" # follow rclone naming convention +
diff --git a/deploy/app/cronjobs/backups/backup-borg-offsite-cronjob.yaml b/deploy/backups/cronjobs/borg-offsite-cronjob.yaml similarity index 100% rename from deploy/app/cronjobs/backups/backup-borg-offsite-cronjob.yaml rename to deploy/backups/cronjobs/borg-offsite-cronjob.yaml
diff --git a/deploy/app/cronjobs/backups/backup-pbs-cronjob.yaml b/deploy/backups/cronjobs/pbs-cronjob.yaml similarity index 100% rename from deploy/app/cronjobs/backups/backup-pbs-cronjob.yaml rename to deploy/backups/cronjobs/pbs-cronjob.yaml
diff --git a/deploy/backups/kustomization.yaml b/deploy/backups/kustomization.yaml new file mode 100644
index 0000000..8353ca8
--- /dev/null
+++ b/deploy/backups/kustomization.yaml
@@ -0,0 +1,17 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - cronjobs/borg-offsite-cronjob.yaml + - cronjobs/pbs-cronjob.yaml + +secretGenerator: +- name: gitea-backup + namespace: git-limbosolutions-com + envs: + - .env.d/secrets + files: + - BORG_KEY=.env.d/borg_key + - SSH_ID_RSA=.env.d/id_rsa + +generatorOptions: + disableNameSuffixHash: true \ No newline at end of file
diff --git a/deploy/infra/.env.d/.env.example b/deploy/infra/.env.d/.env.example new file mode 100644
index 0000000..a586943
--- /dev/null
+++ b/deploy/infra/.env.d/.env.example
@@ -0,0 +1 @@ +EGRESS_BACKUPSRV_CIDR="BACKUPSRV-IP-ADDRESS/32"
diff --git a/deploy/infra/.env.d/.gitignore b/deploy/infra/.env.d/.gitignore new file mode 100644
index 0000000..b727b26
--- /dev/null
+++ b/deploy/infra/.env.d/.gitignore
@@ -0,0 +1,3 @@ +** +!.gitignore +!*.example \ No newline at end of file
diff --git a/deploy/infra/cd-service-account-token.yaml b/deploy/infra/cd-service-account-token.yaml deleted file mode 100644
index 727c6d8..0000000
--- a/deploy/infra/cd-service-account-token.yaml
+++ /dev/null
@@ -1,8 +0,0 @@ - -apiVersion: v1 -kind: Secret -metadata: - name: continuous-deploy - annotations: - kubernetes.io/service-account.name: continuous-deploy -type: kubernetes.io/service-account-token \ No newline at end of file
diff --git a/deploy/infra/cd-service-account.yaml b/deploy/infra/cd-service-account.yaml deleted file mode 100644
index c30eedf..0000000
--- a/deploy/infra/cd-service-account.yaml
+++ /dev/null
@@ -1,6 +0,0 @@ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: continuous-deploy - namespace: git-limbosolutions-com \ No newline at end of file
diff --git a/deploy/infra/cd-service-account-rbac.yaml b/deploy/infra/continuous-deploy-account.yaml similarity index 80% rename from deploy/infra/cd-service-account-rbac.yaml rename to deploy/infra/continuous-deploy-account.yaml
index 7bd4ec8..d788d08 100644
--- a/deploy/infra/cd-service-account-rbac.yaml
+++ b/deploy/infra/continuous-deploy-account.yaml
@@ -1,3 +1,22 @@ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: continuous-deploy + namespace: git-limbosolutions-com + +--- + +apiVersion: v1 +kind: Secret +metadata: + name: continuous-deploy + annotations: + kubernetes.io/service-account.name: continuous-deploy +type: kubernetes.io/service-account-token + +--- + apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata:
diff --git a/deploy/infra/kustomization.yaml b/deploy/infra/kustomization.yaml
index ac112a2..fa04b41 100644
--- a/deploy/infra/kustomization.yaml
+++ b/deploy/infra/kustomization.yaml
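Review bot: The `Secret` added in this hunk has no `namespace:` while the `ServiceAccount` right above it is placed in `git-limbosolutions-com`; unless the kustomization sets a namespace (the `deploy/infra/kustomization.yaml` hunk in this commit does not), the token Secret lands in whatever namespace the applying context defaults to, where the `kubernetes.io/service-account.name` annotation references a ServiceAccount that does not exist and the Secret is rejected or never populated. Add `  namespace: git-limbosolutions-com` under the Secret's `metadata:` so both objects are pinned to the same namespace regardless of the caller's context. This is a `kubernetes.io/service-account-token` Secret, i.e. a long-lived credential that does not expire; if the Gitea runner only needs it at deploy time, a time-bound token minted per run (`kubectl create token continuous-deploy -n git-limbosolutions-com --duration=<DURATION>`) limits what a leaked runner secret is worth. The `Role` that follows continues past the end of the hunk.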
@@ -2,7 +2,26 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - namespace.yaml - - cd-service-account.yaml - - cd-service-account-token.yaml - - cd-service-account-rbac.yaml + - continuous-deploy-account.yaml + - network-policies/egress.yaml + - network-policies/egress-local-services.yaml +generatorOptions: + disableNameSuffixHash: true +configMapGenerator: + - name: infra-setup-vars + namespace: git-limbosolutions-com + envs: + - ./.env.d/.env + +replacements: + - source: + kind: ConfigMap + name: infra-setup-vars + fieldPath: data.EGRESS_BACKUPSRV_CIDR + targets: + - select: + kind: NetworkPolicy + name: git-limbosolutions-com-egress-local + fieldPaths: + - spec.egress.0.to.0.ipBlock.cidr \ No newline at end of file
diff --git a/deploy/infra/network-policies/egress-local-services.yaml b/deploy/infra/network-policies/egress-local-services.yaml new file mode 100644
index 0000000..def1673
--- /dev/null
+++ b/deploy/infra/network-policies/egress-local-services.yaml
@@ -0,0 +1,21 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: git-limbosolutions-com-egress-local + namespace: git-limbosolutions-com +spec: + podSelector: {} # apply to all pods in the namespace + policyTypes: + - Egress + egress: + # allow backup server + - to: + - ipBlock: + cidr: ${BACKUPSRV_CIDR} + + + + + + +
diff --git a/deploy/infra/network-policies/egress.yaml b/deploy/infra/network-policies/egress.yaml new file mode 100644
index 0000000..c8850cf
--- /dev/null
+++ b/deploy/infra/network-policies/egress.yaml
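Review bot: The `replacements` entry copies `data.EGRESS_BACKUPSRV_CIDR` verbatim into the NetworkPolicy `cidr`, and `deploy/infra/.env.d/.env.example` in this commit writes that value in double quotes (`EGRESS_BACKUPSRV_CIDR="BACKUPSRV-IP-ADDRESS/32"`); kubectl-style env-file parsing keeps the quotes as part of the value, in which case the rendered `cidr` is `"<ip>/32"` with literal quotes, the API server rejects the policy, and the namespace ends up with no backup-server allow rule at all. Check the rendered `kubectl kustomize deploy/infra` output and write the example unquoted, `EGRESS_BACKUPSRV_CIDR=BACKUPSRV-IP-ADDRESS/32`, so a copied file cannot produce an invalid CIDR. The `infra-setup-vars` ConfigMap is also applied to the cluster although it only carries a build-time value; annotating it with `config.kubernetes.io/local-config: "true"` keeps it out of the build output on kustomize versions that honour that annotation.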
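Review bot: `podSelector: {}` together with a `to:` that lists no `ports:` grants every pod in the namespace (the Gitea web pod, PostgreSQL, Valkey) egress to the backup server on every port, while only the borg and PBS CronJob pods under `deploy/backups/cronjobs/` need that path; select those pods by a label their pod templates carry and add a `ports:` entry for the protocols the two jobs actually use, so a compromised application pod cannot reach the backup host. NetworkPolicies are additive, so narrowing this policy does not change what `egress.yaml` already allows. The `${BACKUPSRV_CIDR}` placeholder is never expanded by kustomize and its name differs from the `EGRESS_BACKUPSRV_CIDR` variable; it is only overwritten by the `replacements` entry in `deploy/infra/kustomization.yaml`, so a comment such as `cidr: ${BACKUPSRV_CIDR} # overwritten from EGRESS_BACKUPSRV_CIDR by ../kustomization.yaml replacements` would stop the next reader from looking for a substitution step. The seven trailing blank lines at the end of the file can go.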
@@ -0,0 +1,38 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: git-limbosolutions-com-egress + namespace: git-limbosolutions-com +spec: + podSelector: {} # apply to all pods in the namespace + policyTypes: + - Egress + egress: + # Allow DNS to kube-system + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + ports: + - protocol: UDP + port: 53 + + # allow namespace communication + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: git-limbosolutions-com + podSelector: {} + + # Allow all egress EXCEPT private networks + - to: + - ipBlock: + cidr: 0.0.0.0/0 # first allow everything + except: # remove local network (so it means blocking, cidr is allowing everything ) + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - 169.254.0.0/16 + - 127.0.0.0/8 + - 224.0.0.0/4 + - 240.0.0.0/4
diff --git a/ops-scripts/apply-app.sh b/ops-scripts/apply-app.sh
index 8b06b62..0dfbdef 100755
--- a/ops-scripts/apply-app.sh
+++ b/ops-scripts/apply-app.sh
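Review bot: The DNS rule allows only UDP 53, but resolvers retry over TCP when an answer is truncated and CoreDNS serves TCP 53 as well, so lookups with large responses start failing once this policy is applied; add `- protocol: TCP` / `  port: 53` next to the UDP entry. The same `to:` currently matches any pod in `kube-system`; adding `podSelector: {matchLabels: {k8s-app: kube-dns}}` (the label CoreDNS pods carry in most distributions) limits it to the DNS pods. With `policyTypes: [Egress]` and only IPv4 `ipBlock`s, all external IPv6 egress is denied on a dual-stack cluster; if that is intended, a comment saying so would save the next reader a debugging session. The `except:` list is a sound allow-by-subtraction, and keeping `169.254.0.0/16` in it also covers link-local metadata endpoints.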
@@ -1,22 +1,21 @@ #/bin/bash -kubectl kustomize deploy/app | kubectl apply -f - +kubectl kustomize deploy/backups | kubectl apply -f - -if [ -f "deploy/helm/.env" ]; then +if [ -f "deploy/app/.env.d/.env" ]; then # Export all variables from the file - echo "export variables from file helm/.env" + echo "export variables from file deploy/app/.env.d/.env" set -a - . deploy/helm/.env + . deploy/app/.env.d/.env set +a fi - if [ -n "${APP_HELM_VALUE_GITEA_ADMIN_USERNAME:-}" ]; then echo "Executing helm deploy." helm repo add gitea-charts https://dl.gitea.com/charts/ helm repo update - helm upgrade --install gitea gitea-charts/gitea --version 12.4.0 \ - --values deploy/helm/values.yaml \ + helm upgrade --install gitea gitea-charts/gitea --version 12.5.0 \ + --values deploy/app/helm-values.yaml \ --set valkey.global.valkey.password=${APP_HELM_VALUE_VALKEY_GLOBAL_PASSWORD} \ --set postgresql.global.postgresql.auth.postgresPassword=${APP_HELM_VALUE_POSTGRESQL_AUTH_POSTGRESPASSWORD} \ --set postgresql.global.postgresql.auth.password=${APP_HELM_VALUE_POSTGRESQL_AUTH_PASSWORD} \