- network-policies - egress

- folder structure revision
-  ops scripts revision
- helm chart update version - 12.5.0

deploy/app/cronjobs/backups/.env.d/secrets.example

@@ -1,7 +0,0 @@
-PBS_REPOSITORY="pbs repository"
-PBS_PASSWORD="pbs access passwordd"
-PBS_FINGERPRINT="00:00:00:00:00" # the pbs finger print
-BORG_REPO="ssh://user@reposerver/path" # required by offsite babckup
-BORG_PASSPHRASE="borg passphare" # required by offsite babckup
-OFFSITE_TARGET_FOLDER="test:target_path" # follow rclone naming convension
-

deploy/app/kustomization.yaml

@@ -1,17 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - cronjobs/backups/backup-borg-offsite-cronjob.yaml
-  - cronjobs/backups/backup-pbs-cronjob.yaml
-
-secretGenerator:
-- name: gitea-backup
-  namespace: git-limbosolutions-com
-  envs:
-    - cronjobs/backups/.env.d/secrets
-  files:
-    - BORG_KEY=cronjobs/backups/.env.d/borg_key
-    - SSH_ID_RSA=cronjobs/backups/.env.d/id_rsa
-    
-generatorOptions:
-  disableNameSuffixHash: true

deploy/backups/.env.d/secrets.example

@@ -0,0 +1,7 @@
+PBS_REPOSITORY="pbs repository"
+PBS_PASSWORD="pbs access password"
+PBS_FINGERPRINT="00:00:00:00:00" # the pbs finger print
+BORG_REPO="ssh://user@server/path" # required by offsite backup
+BORG_PASSPHRASE="borg passphrase" # required by offsite backup
+OFFSITE_TARGET_FOLDER="test:target_path" # follow rclone naming convention
+

deploy/backups/kustomization.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cronjobs/borg-offsite-cronjob.yaml
+  - cronjobs/pbs-cronjob.yaml
+
+secretGenerator:
+- name: gitea-backup
+  namespace: git-limbosolutions-com
+  envs:
+    - .env.d/secrets
+  files:
+    - BORG_KEY=.env.d/borg_key
+    - SSH_ID_RSA=.env.d/id_rsa
+    
+generatorOptions:
+  disableNameSuffixHash: true

deploy/infra/.env.d/.env.example

@@ -0,0 +1 @@
+EGRESS_BACKUPSRV_CIDR="BACKUPSRV-IP-ADDRESS/32"

deploy/infra/.env.d/.gitignore

@@ -0,0 +1,3 @@
+**
+!.gitignore
+!*.example

deploy/infra/cd-service-account-token.yaml

@@ -1,8 +0,0 @@
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: continuous-deploy
-  annotations:
-    kubernetes.io/service-account.name: continuous-deploy
-type: kubernetes.io/service-account-token

deploy/infra/cd-service-account.yaml

@@ -1,6 +0,0 @@
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: continuous-deploy
-  namespace: git-limbosolutions-com

deploy/infra/continuous-deploy-account.yaml

@@ -1,3 +1,22 @@
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: continuous-deploy
+  namespace: git-limbosolutions-com
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: continuous-deploy
+  annotations:
+    kubernetes.io/service-account.name: continuous-deploy
+type: kubernetes.io/service-account-token
+
+---
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:

deploy/infra/kustomization.yaml

@@ -2,7 +2,26 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - namespace.yaml
-  - cd-service-account.yaml
-  - cd-service-account-token.yaml
-  - cd-service-account-rbac.yaml
+  - continuous-deploy-account.yaml
+  - network-policies/egress.yaml
+  - network-policies/egress-local-services.yaml
+generatorOptions:
+  disableNameSuffixHash: true
 
+configMapGenerator:
+  - name: infra-setup-vars
+    namespace: git-limbosolutions-com
+    envs:
+      - ./.env.d/.env
+
+replacements:
+  - source:
+      kind: ConfigMap
+      name: infra-setup-vars
+      fieldPath: data.EGRESS_BACKUPSRV_CIDR
+    targets:
+      - select:
+          kind: NetworkPolicy
+          name: git-limbosolutions-com-egress-local
+        fieldPaths:
+          - spec.egress.0.to.0.ipBlock.cidr

deploy/infra/network-policies/egress-local-services.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: git-limbosolutions-com-egress-local
+  namespace: git-limbosolutions-com
+spec:
+  podSelector: {}   # apply to all pods in the namespace
+  policyTypes:
+    - Egress
+  egress:
+    # allow backup server
+    - to:
+        - ipBlock:
+            cidr: ${BACKUPSRV_CIDR}
+
+
+
+
+
+
+

deploy/infra/network-policies/egress.yaml

@@ -0,0 +1,38 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: git-limbosolutions-com-egress
+  namespace: git-limbosolutions-com
+spec:
+  podSelector: {}   # apply to all pods in the namespace
+  policyTypes:
+    - Egress
+  egress:
+      # Allow DNS to kube-system
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+      ports:
+        - protocol: UDP
+          port: 53
+
+    # allow namespace communication
+    - to: 
+        - namespaceSelector: 
+            matchLabels: 
+              kubernetes.io/metadata.name: git-limbosolutions-com
+          podSelector: {}
+
+    # Allow all egress EXCEPT private networks
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0 # first allow everything
+            except: # remove local network (so it means blocking, cidr is allowing everything )
+              - 10.0.0.0/8
+              - 172.16.0.0/12
+              - 192.168.0.0/16
+              - 169.254.0.0/16
+              - 127.0.0.0/8
+              - 224.0.0.0/4
+              - 240.0.0.0/4