diff --git a/deploy/backups/cronjobs/backup-borg-offsite.yaml b/deploy/backups/cronjobs/backup-borg-offsite.yaml
index cd15fa2..30b89bb 100644
--- a/deploy/backups/cronjobs/backup-borg-offsite.yaml
+++ b/deploy/backups/cronjobs/backup-borg-offsite.yaml
@@ -12,7 +12,8 @@ spec:
 template:
 metadata:
 labels:
- app: backup-borg-offsite
+ dbAccess: "true"
+ backups.infra.limbosolutions.com/ssh: "true"
 spec:
 restartPolicy: Never
 initContainers:
diff --git a/deploy/backups/cronjobs/backup-pbs.yaml b/deploy/backups/cronjobs/backup-pbs.yaml
index 154091d..6b0dc57 100644
--- a/deploy/backups/cronjobs/backup-pbs.yaml
+++ b/deploy/backups/cronjobs/backup-pbs.yaml
@@ -11,7 +11,9 @@ spec:
 template:
 metadata:
 labels:
+ dbAccess: "true"
 app: backup-pbs
+ backups.infra.limbosolutions.com/pbs: "true"
 spec:
 restartPolicy: Never
 initContainers:
diff --git a/deploy/infra/.env.d/.env.example b/deploy/infra/.env.d/.env.example
deleted file mode 100644
index a586943..0000000
--- a/deploy/infra/.env.d/.env.example
+++ /dev/null
@@ -1 +0,0 @@
-EGRESS_BACKUPSRV_CIDR="BACKUPSRV-IP-ADDRESS/32"
diff --git a/deploy/infra/.env.d/.gitignore b/deploy/infra/.env.d/.gitignore
deleted file mode 100644
index b727b26..0000000
--- a/deploy/infra/.env.d/.gitignore
+++ /dev/null
@@ -1,3 +0,0 @@
-**
-!.gitignore
-!*.example
\ No newline at end of file
diff --git a/deploy/infra/ingress.yaml b/deploy/infra/ingress.yaml
index c246039..70e6918 100644
--- a/deploy/infra/ingress.yaml
+++ b/deploy/infra/ingress.yaml
@@ -7,7 +7,7 @@ metadata:
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt-prod
 kubernetes.io/ingress.class: traefik
- traefik.ingress.kubernetes.io/router.entrypoints: websecure, public-https
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure,public-https
 spec:
 ingressClassName: traefik
 rules:
diff --git a/deploy/infra/kustomization.yaml b/deploy/infra/kustomization.yaml
index b9fa5c4..a82b620 100644
--- a/deploy/infra/kustomization.yaml
+++ b/deploy/infra/kustomization.yaml
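Review bot: The borg-offsite hunk removes `app: backup-borg-offsite` without replacing it, while the backup-pbs hunk keeps `app: backup-pbs`, so the two CronJob pod templates end up labelled inconsistently and any selector or dashboard keyed on the borg job's `app` label silently stops matching; restore it as `app: backup-borg-offsite` next to the new labels. `dbAccess: "true"` is also more than a tag: `allow-postgresql-ingress` in the new network-policies.yaml admits any pod in the namespace carrying it to PostgreSQL on 5432, so a comment such as `# dbAccess: selected by allow-postgresql-ingress (port 5432)` on both CronJobs, plus a check that the offsite job really needs a direct database connection, would make the grant visible where it is made. The `backups.infra.limbosolutions.com/ssh` and `/pbs` labels are not referenced by any policy in this change, so as far as this diff shows they are inert until an egress policy selects them.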
@@ -4,26 +4,8 @@ resources: - namespace.yaml - cd-serviceaccount.yaml - ingress.yaml - - network-policies/egress.yaml - - network-policies/egress-local-services.yaml - - network-policies/ingress.yaml + - network-policies.yaml generatorOptions: disableNameSuffixHash: true -configMapGenerator: - - name: infra-setup-vars - namespace: git-limbosolutions-com - envs: - - ./.env.d/.env -replacements: - - source: - kind: ConfigMap - name: infra-setup-vars - fieldPath: data.EGRESS_BACKUPSRV_CIDR - targets: - - select: - kind: NetworkPolicy - name: git-limbosolutions-com-egress-local - fieldPaths: - - spec.egress.0.to.0.ipBlock.cidr \ No newline at end of file diff --git a/deploy/infra/network-policies.yaml b/deploy/infra/network-policies.yaml new file mode 100644 index 0000000..f65cd29 --- /dev/null +++ b/deploy/infra/network-policies.yaml 
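Review bot: Replacing `network-policies/egress.yaml` and `network-policies/egress-local-services.yaml` with the single `network-policies.yaml` drops every egress rule, because the new file contains only ingress policies; the namespace's pods go from "DNS to kube-system, in-namespace traffic, and public internet minus the private, link-local and multicast ranges" to unrestricted egress, and the backup-server allowlist that `EGRESS_BACKUPSRV_CIDR` fed through the removed `replacements` block has no successor. If that is intended, state it in the commit message; otherwise the egress side should be carried over into the new file before this lands (the removed rules are visible in the two deleted hunks further down). Removing the `configMapGenerator`/`replacements` pair is consistent with deleting `.env.d`, so that part needs no further change.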
@@ -0,0 +1,108 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: deny-default
+spec:
+ endpointSelector: {}
+ ingressDeny:
+ - fromEndpoints: []
+---
+
+
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-gitea-ingress
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: gitea
+
+ ingress:
+ # -------------------------------------------------------------
+ # Allow Traefik (in kube-system) to reach Gitea on port 3000
+ # -------------------------------------------------------------
+ - fromEndpoints:
+ - matchLabels:
+ app.kubernetes.io/name: traefik
+ matchExpressions:
+ - key: k8s:io.kubernetes.pod.namespace
+ operator: In
+ values:
+ - kube-system
+ toPorts:
+ - ports:
+ - port: "3000"
+ protocol: TCP
+
+ # -------------------------------------------------------------
+ # Allow SSH (2222)
+ # -------------------------------------------------------------
+ - fromCIDRSet:
+ - cidr: 0.0.0.0/0
+ toPorts:
+ - ports:
+ - port: "2222"
+ protocol: TCP
+
+
+---
+
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-postgresql-ingress
+ namespace: git-limbosolutions-com
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: postgresql
+
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ app.kubernetes.io/name: gitea
+ matchExpressions:
+ - key: k8s:io.kubernetes.pod.namespace
+ operator: In
+ values:
+ - git-limbosolutions-com
+ - matchLabels:
+ dbAccess: "true"
+ matchExpressions:
+ - key: k8s:io.kubernetes.pod.namespace
+ operator: In
+ values:
+ - git-limbosolutions-com
+ toPorts:
+ - ports:
+ - port: "5432"
+ protocol: TCP
+
+---
+
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-valkey-ingress
+ namespace: git-limbosolutions-com
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: valkey
+
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ app.kubernetes.io/name: gitea
+ matchExpressions:
+ - key: 
k8s:io.kubernetes.pod.namespace + operator: In + values: + - git-limbosolutions-com + toPorts: + - ports: + - port: "6379" + protocol: TCP + + diff --git a/deploy/infra/network-policies/egress-local-services.yaml b/deploy/infra/network-policies/egress-local-services.yaml deleted file mode 100644 index def1673..0000000 --- a/deploy/infra/network-policies/egress-local-services.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: git-limbosolutions-com-egress-local - namespace: git-limbosolutions-com -spec: - podSelector: {} # apply to all pods in the namespace - policyTypes: - - Egress - egress: - # allow backup server - - to: - - ipBlock: - cidr: ${BACKUPSRV_CIDR} - - - - - - - diff --git a/deploy/infra/network-policies/egress.yaml b/deploy/infra/network-policies/egress.yaml deleted file mode 100644 index c8850cf..0000000 --- a/deploy/infra/network-policies/egress.yaml +++ /dev/null @@ -1,38 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: git-limbosolutions-com-egress - namespace: git-limbosolutions-com -spec: - podSelector: {} # apply to all pods in the namespace - policyTypes: - - Egress - egress: - # Allow DNS to kube-system - - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: kube-system - ports: - - protocol: UDP - port: 53 - - # allow namespace communication - - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: git-limbosolutions-com - podSelector: {} - - # Allow all egress EXCEPT private networks - - to: - - ipBlock: - cidr: 0.0.0.0/0 # first allow everything - except: # remove local network (so it means blocking, cidr is allowing everything ) - - 10.0.0.0/8 - - 172.16.0.0/12 - - 192.168.0.0/16 - - 169.254.0.0/16 - - 127.0.0.0/8 - - 224.0.0.0/4 - - 240.0.0.0/4 diff --git a/deploy/infra/network-policies/ingress.yaml b/deploy/infra/network-policies/ingress.yaml deleted file mode 100644 index 2ab2a7d..0000000 
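Review bot: `deny-default` and `allow-gitea-ingress` carry no `metadata.namespace`, while `allow-postgresql-ingress` and `allow-valkey-ingress` set `namespace: git-limbosolutions-com`, so the first two land wherever the caller's `kubectl -n` points (the apply-infra.sh hunk adds that flag) and a plain `kubectl apply` would place a deny-all policy in the context's namespace, typically `default`. Set `namespace: git-limbosolutions-com` on all four documents, or declare `namespace:` in kustomization.yaml, rather than depending on the CLI. In `deny-default`, `ingressDeny: - fromEndpoints: []` selects no peers, so it is not obvious that this rule denies anything; confirm against the Cilium policy reference that it yields default-deny for the endpoints it selects, since the backup CronJob pods are selected by no allow policy and rely on it. The SSH rule `fromCIDRSet: - cidr: 0.0.0.0/0` also loses the `except` list for the pod and service ranges that the deleted ingress.yaml documented as the reason SSH must traverse the external firewall; if that intent still holds, restore the exceptions or record in a comment why they are unnecessary under Cilium CIDR matching.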
--- a/deploy/infra/network-policies/ingress.yaml +++ /dev/null @@ -1,47 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: git-limbosolutions-com-ingress - namespace: git-limbosolutions-com -spec: - # Apply this policy only to the Gitea pods - podSelector: - matchLabels: - app.kubernetes.io/name: gitea - - policyTypes: - - Ingress - - ingress: - # --------------------------------------------------------------------- - # Allow HTTPS (3000) ONLY from Traefik running in kube-system - # --------------------------------------------------------------------- - - from: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: kube-system - podSelector: - matchLabels: - app.kubernetes.io/name: traefik - ports: - - protocol: TCP - port: http # HTTPS routed by Traefik - - # --------------------------------------------------------------------- - # Allow SSH (2222) from the internet, but block all internal traffic - # - # - cidr: 0.0.0.0/0 allows all external IPs - # - except: blocks all cluster networks - # - # This forces ALL SSH traffic to come through external firewall - # ,preventing pod-to-pod or service-to-pod SSH access. - # --------------------------------------------------------------------- - - from: - - ipBlock: - cidr: 0.0.0.0/0 - except: - - 10.0.0.0/16 # Pod network (blocks all pods) - - 10.43.0.0/16 # Service network (blocks ClusterIP access) - ports: - - protocol: TCP - port: ssh # ssh port routed by firewall \ No newline at end of file diff --git a/ops-scripts/apply-app.sh b/ops-scripts/apply-app.sh index 4c44b50..2611158 100755 --- a/ops-scripts/apply-app.sh +++ b/ops-scripts/apply-app.sh @@ -36,5 +36,5 @@ if [ -n "${APP_HELM_VALUE_GITEA_ADMIN_USERNAME:-}" ]; then --namespace=git-limbosolutions-com echo "executing deploy of backups jobs." - kubectl kustomize deploy/backups | kubectl apply -f - + kubectl kustomize deploy/backups | kubectl -n git-limbosolutions-com apply -f - fi \ No newline at end of file 
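Review bot: Pinning the namespace with `kubectl -n git-limbosolutions-com apply -f -` on the client only affects manifests that omit `metadata.namespace`, and kubectl rejects any object whose own namespace differs from the flag, so the effective namespace now depends on a mix of this flag and per-file values; the same applies to the apply-infra.sh hunk that follows. Declare `namespace: git-limbosolutions-com` in the kustomization.yaml of deploy/backups and deploy/infra instead, so `kubectl kustomize <dir>` renders fully qualified objects regardless of who applies them. The `if` block this line sits in begins before the hunk.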
diff --git a/ops-scripts/apply-infra.sh b/ops-scripts/apply-infra.sh index e74bf60..cc07598 100755 --- a/ops-scripts/apply-infra.sh +++ b/ops-scripts/apply-infra.sh @@ -2,6 +2,6 @@ set -e echo "Executing infra deploy." -kubectl kustomize deploy/infra | kubectl apply -f - +kubectl kustomize deploy/infra | kubectl -n git-limbosolutions-com apply -f -