- network-policies - egress

- folder structure revision
-  ops scripts revision
- helm chart update version - 12.5.0

.gitea/workflows/app-continous-deploy.yaml

@@ -69,25 +69,24 @@ jobs:
 
           # ensure cleanup always runs
           trap 'rm -f \
-                    deploy/app/cronjobs/backups/.env.d/secrets \
+                    deploy/backups/backups/.env.d/secrets \
-                    deploy/app/cronjobs/backups/.env.d/id_rsa \
+                    deploy/backups/backups/.env.d/id_rsa \
-                    deploy/app/cronjobs/backups/.env.d/borg_key' EXIT
+                    deploy/backups/backups/.env.d/borg_key' EXIT
 
-          # setup env for cronjobs backups
+          # setup secrets files
-          echo "PBS_REPOSITORY=${CRONJOBS_BACKUPS_SECRETS_PBS_REPOSITORY}" >> deploy/app/cronjobs/backups/.env.d/secrets
+          echo "PBS_REPOSITORY=${CRONJOBS_BACKUPS_SECRETS_PBS_REPOSITORY}" >> deploy/backups/cronjobs/.env.d/secrets
-          echo "PBS_PASSWORD=${CRONJOBS_BACKUPS_SECRETS_PBS_PASSWORD}" >> deploy/app/cronjobs/backups/.env.d/secrets
+          echo "PBS_PASSWORD=${CRONJOBS_BACKUPS_SECRETS_PBS_PASSWORD}" >> deploy/backups/cronjobs/.env.d/secrets
-          echo "PBS_FINGERPRINT=${CRONJOBS_BACKUPS_SECRETS_PBS_FINGERPRINT}" >> deploy/app/cronjobs/backups/.env.d/secrets
+          echo "PBS_FINGERPRINT=${CRONJOBS_BACKUPS_SECRETS_PBS_FINGERPRINT}" >> deploy/backups/backups/.env.d/secrets
-          echo "BORG_REPO=${CRONJOBS_BACKUPS_SECRETS_BORG_REPO}" >> deploy/app/cronjobs/backups/.env.d/secrets
+          echo "BORG_REPO=${CRONJOBS_BACKUPS_SECRETS_BORG_REPO}" >> deploy/backups/cronjobs/.env.d/secrets
-          echo "BORG_PASSPHRASE=${CRONJOBS_BACKUPS_SECRETS_BORG_PASSPHRASE}" >> deploy/app/cronjobs/backups/.env.d/secrets
+          echo "BORG_PASSPHRASE=${CRONJOBS_BACKUPS_SECRETS_BORG_PASSPHRASE}" >> deploy/backups/cronjobs/.env.d/secrets
-          echo "OFFSITE_TARGET_FOLDER=${CRONJOBS_BACKUPS_SECRETS_OFFSITE_TARGET_FOLDER}" >> deploy/app/cronjobs/backups/.env.d/secrets
+          echo "OFFSITE_TARGET_FOLDER=${CRONJOBS_BACKUPS_SECRETS_OFFSITE_TARGET_FOLDER}" >> deploy/backups/cronjobs/.env.d/secrets
+          echo "${CRONJOBS_BACKUPS_SECRETS_ID_RSA}" >> deploy/backups/cronjobs/.env.d/id_rsa
+          echo "${CRONJOBS_BACKUPS_SECRETS_BORG_KEY}" >> deploy/backups/cronjobs/.env.d/borg_key
           
-          echo "${CRONJOBS_BACKUPS_SECRETS_ID_RSA}" >> deploy/app/cronjobs/backups/.env.d/id_rsa
+          # enforce secrets files security
-          echo "${CRONJOBS_BACKUPS_SECRETS_BORG_KEY}" >> deploy/app/cronjobs/backups/.env.d/borg_key
+          chmod 600 deploy/backups/cronjobs/.env.d/secrets
-          
+          chmod 600 deploy/backups/cronjobs/.env.d/id_rsa
-          # enforce security
+          chmod 600 deploy/backups/cronjobs/.env.d/borg_key
-          chmod 600 deploy/app/cronjobs/backups/.env.d/secrets
-          chmod 600 deploy/app/cronjobs/backups/.env.d/id_rsa
-          chmod 600 deploy/app/cronjobs/backups/.env.d/borg_key
 
           # invoke deploy script
           ops-scripts/apply-app.sh

.vscode/settings.json

@@ -1,5 +1,8 @@
 {
     "cSpell.words": [
+        "networkpolicies",
+        "poddisruptionbudgets",
+        "serviceaccounts",
         "valkey"
     ]
 }

README.md

@@ -5,31 +5,34 @@ Welcome to public repository of my [Git Server](https://git.limbosolutions.com)
 Using [gitea](https://git.limbosolutions.com/kb/gitea) as git server.
 
 - [Deploy](#deploy)
-  - [App](#app)
   - [Continuous Deploy](#continuous-deploy)
+  - [App](#app)
   - [Infra](#infra)
 - [Backups](#backups)
 
 ## Deploy
 
+### Continuous Deploy
+
+Executes [App Deploy](#app) using [Gitea workflow](./.gitea/workflows/app-deploy.yaml).
+
 ### App
 
 **Environment files:**
 
-- ./deploy/app/cronjobs/backups/.env.d/secrets [Example](./deploy/app/cronjobs/backups/.env.d/secrets.example)
+- ./deploy/backups/cronjobs/.env.d/secrets [Example](./deploy/backups/cronjobs/.env.d/secrets.example)
-- ./deploy/app/cronjobs/backups/.env.d/borg_key [Example](./deploy/app/cronjobs/backups/.env.d/borg_key.example)
+- ./deploy/backups/cronjobs/.env.d/borg_key [Example](./deploy/backups/cronjobs/.env.d/borg_key.example)
-- ./deploy/app/cronjobs/backups/.env.d/id_rsa [Example](./deploy/app/cronjobs/backups/.env.d/id_rsa.example)
+- ./deploy/backups/cronjobs/.env.d/id_rsa [Example](./deploy/backups/cronjobs/.env.d/id_rsa.example)
-- ./deploy/helm/.env [Example](./deploy/helm/.env.example)
+- ./deploy/app/.env [Example](./deploy/app/.env.example)
+
+Deploy App
 
 ```bash
 ./ops-scripts/apply-app.sh
 ```
 
-- [kustomization](/deploy/app/kustomization.yaml)
+- [backups-kustomization](/deploy/app/kustomization.yaml)
-
+- <https://dl.gitea.com/charts/>
-### Continuous Deploy
-
-Executes [App Deploy](#app) using [Gitea workflow](./.gitea/workflows/app-deploy.yaml).
 
 ### Infra
 

deploy/app/cronjobs/backups/.env.d/secrets.example

@@ -1,7 +0,0 @@
-PBS_REPOSITORY="pbs repository"
-PBS_PASSWORD="pbs access passwordd"
-PBS_FINGERPRINT="00:00:00:00:00" # the pbs finger print
-BORG_REPO="ssh://user@reposerver/path" # required by offsite babckup
-BORG_PASSPHRASE="borg passphare" # required by offsite babckup
-OFFSITE_TARGET_FOLDER="test:target_path" # follow rclone naming convension
-

deploy/app/kustomization.yaml

@@ -1,17 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - cronjobs/backups/backup-borg-offsite-cronjob.yaml
-  - cronjobs/backups/backup-pbs-cronjob.yaml
-
-secretGenerator:
-- name: gitea-backup
-  namespace: git-limbosolutions-com
-  envs:
-    - cronjobs/backups/.env.d/secrets
-  files:
-    - BORG_KEY=cronjobs/backups/.env.d/borg_key
-    - SSH_ID_RSA=cronjobs/backups/.env.d/id_rsa
-    
-generatorOptions:
-  disableNameSuffixHash: true

deploy/backups/.env.d/secrets.example

@@ -0,0 +1,7 @@
+PBS_REPOSITORY="pbs repository"
+PBS_PASSWORD="pbs access password"
+PBS_FINGERPRINT="00:00:00:00:00" # the pbs finger print
+BORG_REPO="ssh://user@server/path" # required by offsite backup
+BORG_PASSPHRASE="borg passphrase" # required by offsite backup
+OFFSITE_TARGET_FOLDER="test:target_path" # follow rclone naming convention
+

deploy/backups/kustomization.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cronjobs/borg-offsite-cronjob.yaml
+  - cronjobs/pbs-cronjob.yaml
+
+secretGenerator:
+- name: gitea-backup
+  namespace: git-limbosolutions-com
+  envs:
+    - .env.d/secrets
+  files:
+    - BORG_KEY=.env.d/borg_key
+    - SSH_ID_RSA=.env.d/id_rsa
+    
+generatorOptions:
+  disableNameSuffixHash: true

deploy/infra/.env.d/.env.example

@@ -0,0 +1 @@
+EGRESS_BACKUPSRV_CIDR="BACKUPSRV-IP-ADDRESS/32"

deploy/infra/.env.d/.gitignore

@@ -0,0 +1,3 @@
+**
+!.gitignore
+!*.example

deploy/infra/cd-service-account-token.yaml

@@ -1,8 +0,0 @@
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: continuous-deploy
-  annotations:
-    kubernetes.io/service-account.name: continuous-deploy
-type: kubernetes.io/service-account-token

deploy/infra/cd-service-account.yaml

@@ -1,6 +0,0 @@
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: continuous-deploy
-  namespace: git-limbosolutions-com

deploy/infra/continuous-deploy-account.yaml

@@ -1,3 +1,22 @@
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: continuous-deploy
+  namespace: git-limbosolutions-com
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: continuous-deploy
+  annotations:
+    kubernetes.io/service-account.name: continuous-deploy
+type: kubernetes.io/service-account-token
+
+---
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:

deploy/infra/kustomization.yaml

@@ -2,7 +2,26 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - namespace.yaml
-  - cd-service-account.yaml
+  - continuous-deploy-account.yaml
-  - cd-service-account-token.yaml
+  - network-policies/egress.yaml
-  - cd-service-account-rbac.yaml
+  - network-policies/egress-local-services.yaml
+generatorOptions:
+  disableNameSuffixHash: true
 
+configMapGenerator:
+  - name: infra-setup-vars
+    namespace: git-limbosolutions-com
+    envs:
+      - ./.env.d/.env
+
+replacements:
+  - source:
+      kind: ConfigMap
+      name: infra-setup-vars
+      fieldPath: data.EGRESS_BACKUPSRV_CIDR
+    targets:
+      - select:
+          kind: NetworkPolicy
+          name: git-limbosolutions-com-egress-local
+        fieldPaths:
+          - spec.egress.0.to.0.ipBlock.cidr

deploy/infra/network-policies/egress-local-services.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: git-limbosolutions-com-egress-local
+  namespace: git-limbosolutions-com
+spec:
+  podSelector: {}   # apply to all pods in the namespace
+  policyTypes:
+    - Egress
+  egress:
+    # allow backup server
+    - to:
+        - ipBlock:
+            cidr: ${BACKUPSRV_CIDR}
+
+
+
+
+
+
+

deploy/infra/network-policies/egress.yaml

@@ -0,0 +1,38 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: git-limbosolutions-com-egress
+  namespace: git-limbosolutions-com
+spec:
+  podSelector: {}   # apply to all pods in the namespace
+  policyTypes:
+    - Egress
+  egress:
+      # Allow DNS to kube-system
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+      ports:
+        - protocol: UDP
+          port: 53
+
+    # allow namespace communication
+    - to: 
+        - namespaceSelector: 
+            matchLabels: 
+              kubernetes.io/metadata.name: git-limbosolutions-com
+          podSelector: {}
+
+    # Allow all egress EXCEPT private networks
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0 # first allow everything
+            except: # remove local network (so it means blocking, cidr is allowing everything )
+              - 10.0.0.0/8
+              - 172.16.0.0/12
+              - 192.168.0.0/16
+              - 169.254.0.0/16
+              - 127.0.0.0/8
+              - 224.0.0.0/4
+              - 240.0.0.0/4

ops-scripts/apply-app.sh

@@ -1,22 +1,21 @@
 #/bin/bash
-kubectl kustomize deploy/app | kubectl apply -f -
+kubectl kustomize deploy/backups | kubectl apply -f -
 
-if [ -f "deploy/helm/.env" ]; then
+if [ -f "deploy/app/.env.d/.env" ]; then
   # Export all variables from the file
-  echo "export variables from file helm/.env" 
+  echo "export variables from file deploy/app/.env.d/.env" 
   set -a
-  . deploy/helm/.env
+  . deploy/app/.env.d/.env
   set +a
 fi
 
-
 if [ -n "${APP_HELM_VALUE_GITEA_ADMIN_USERNAME:-}" ]; then
   echo "Executing helm deploy."
 
     helm repo add gitea-charts https://dl.gitea.com/charts/
     helm repo update
-    helm upgrade --install gitea gitea-charts/gitea --version 12.4.0 \
+    helm upgrade --install gitea gitea-charts/gitea --version 12.5.0 \
-    --values deploy/helm/values.yaml \
+    --values deploy/app/helm-values.yaml \
     --set valkey.global.valkey.password=${APP_HELM_VALUE_VALKEY_GLOBAL_PASSWORD} \
     --set postgresql.global.postgresql.auth.postgresPassword=${APP_HELM_VALUE_POSTGRESQL_AUTH_POSTGRESPASSWORD} \
     --set postgresql.global.postgresql.auth.password=${APP_HELM_VALUE_POSTGRESQL_AUTH_PASSWORD} \