From 9f4536e1416aae3ed2afc87e46e9562ee1570acd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A1rcio=20Fernandes?= Date: Thu, 19 Mar 2026 10:31:29 +0000 Subject: [PATCH] cd-service account role revision (removed access to networking.k8s.io and policy), helm values reviewed to run on cicd pipeline and ingress moved to infra --- README.md | 6 +- deploy/app/helm-values.yaml | 156 +++++++++++++----- ...oy-account.yaml => cd-serviceaccount.yaml} | 11 +- deploy/infra/ingress.yaml | 27 +++ deploy/infra/kustomization.yaml | 3 +- ops-scripts/apply-app.sh | 4 +- 6 files changed, 153 insertions(+), 54 deletions(-) rename deploy/infra/{continuous-deploy-account.yaml => cd-serviceaccount.yaml} (78%) create mode 100644 deploy/infra/ingress.yaml diff --git a/README.md b/README.md index e26a71c..8e0a7f8 100644 --- a/README.md +++ b/README.md @@ -12,6 +12,11 @@ Using [gitea](https://git.limbosolutions.com/kb/gitea) as git server. ## Deploy +References: + +- +- + ### Continuous Deploy Executes [App Deploy](#app) using [Gitea workflow](./.gitea/workflows/app-continous-deploy.yaml). @@ -32,7 +37,6 @@ Deploy App ``` - [backups-kustomization](/deploy/app/kustomization.yaml) -- ### Infra diff --git a/deploy/app/helm-values.yaml b/deploy/app/helm-values.yaml index dc5a67b..80df3c7 100644 --- a/deploy/app/helm-values.yaml +++ b/deploy/app/helm-values.yaml 
@@ -1,31 +1,87 @@ image: registry: "" + # IMPORTANT: + # The default image used by the Gitea Helm chart is the *rootless* variant. + # Rootless Gitea does NOT include an SSH server, so enabling SSH in the chart + # will NOT work unless you explicitly switch to the rootful image. + # + # Default chart image (rootless, SSH disabled): + # registry: "docker.gitea.com" + # repository: gitea + # + # Correct rootful image (SSH enabled): + # repository: gitea/gitea + # + # This ensures the container includes OpenSSH and can expose the SSH port. repository: gitea/gitea pullPolicy: Always - tag: "1" - -cache: - enabled: false - +# dependency: +# https://github.com/bitnami/charts/blob/main/bitnami/valkey-cluster/Chart.yaml valkey-cluster: enabled: false +# dependency: +# https://github.com/bitnami/charts/blob/main/bitnami/valkey/Chart.yaml valkey: enabled: true architecture: standalone global: valkey: password: "???" - master: - count: 1 - service: - ports: - valkey: 6379 + # Disable NetworkPolicy creation in the Bitnami valkey subchart. + # This deployment runs inside a controlled namespace where network + # boundaries are enforced by the platform (Infra team), not by Helm. + # + # CI/CD pipelines use a restricted ServiceAccount that is intentionally + # NOT allowed to create or modify NetworkPolicies. Leaving this enabled + # would cause Helm upgrades to fail with RBAC errors. + # + # Infra-owned NetworkPolicies are applied separately and independently + # of application charts to maintain a clean separation of responsibilities. + networkPolicy: + enabled: false + + serviceAccount: + # serviceAccount resources are owned and managed by the Infrastructure layer. + # The CI/CD ServiceAccount used for application deployments does not have + # permissions to create or modify serviceAccounts, by design. 
+ # + # In this setup Valkey does not require its own ServiceAccount, so enabling + # this would provide no benefit and would cause Helm upgrades to fail due + # to RBAC restrictions. + create: false + name: "" + + primary: + pdb: + # Disable the PodDisruptionBudget for PostgreSQL. + # + # This deployment uses a single‑instance (non‑HA) valkey, so a PDB + # provides no real benefit — Kubernetes cannot evict the only pod anyway. + # + # More importantly, PodDisruptionBudgets are considered an Infra‑owned + # resource in this cluster. The CI/CD ServiceAccount intentionally lacks + # permissions to create or modify PDBs, and enabling this would cause + # Helm upgrades to fail with RBAC errors. + # + # The platform team applies disruption policies separately at the + # infrastructure layer, keeping a clean separation of responsibilities. + create: false + + + + +# dependency: +# https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml +postgresql-ha: + enabled: false + +# dependency: +# https://github.com/bitnami/charts/blob/main/bitnami/postgresql postgresql: enabled: true image: - registry: "" repository: bitnami/postgresql tag: 16 imagePullPolicy: IfNotPresent 
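Review bot: `valkey.serviceAccount.create: false` with `name: ""` makes the valkey pod run under the namespace `default` ServiceAccount, and Kubernetes still automounts that account's API token into the container unless automount is disabled, so the comment's "provides no benefit" framing hides a credential the pod never needed. Set `automountServiceAccountToken: false` under whichever key the Bitnami subchart bundled with gitea chart 12.5.0 exposes for it (confirm the exact path for that version), or have the infra layer disable automount on the `default` SA, and apply the same to the PostgreSQL subchart where this pattern is repeated. The `primary.pdb` comment inside the `valkey:` block still reads `# Disable the PodDisruptionBudget for PostgreSQL.` — a copy-paste leftover — and its claim that Kubernetes cannot evict the only pod is wrong (a node drain evicts single-replica pods); the RBAC restriction the same comment gives is the real reason, so drop the eviction sentence. Dropping `tag: "1"` while keeping `pullPolicy: Always` leaves the Gitea image floating on whatever tag the chart defaults to; pin an explicit tag or digest if reproducible rollouts matter for this deployment.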
@@ -36,29 +92,59 @@ postgresql: password: "???" database: "???" username: "???" - service: - ports: - postgresql: 5432 + primary: + networkPolicy: + # Disable NetworkPolicy creation in the Bitnami PostgreSQL subchart. + # This deployment runs inside a controlled namespace where network + # boundaries are enforced by the platform (Infra team), not by Helm. + # + # CI/CD pipelines use a restricted ServiceAccount that is intentionally + # NOT allowed to create or modify NetworkPolicies. Leaving this enabled + # would cause Helm upgrades to fail with RBAC errors. + # + # Infra-owned NetworkPolicies are applied separately and independently + # of application charts to maintain a clean separation of responsibilities. + enabled: false + pdb: + # Disable the PodDisruptionBudget for PostgreSQL. + # + # This deployment uses a single‑instance (non‑HA) PostgreSQL, so a PDB + # provides no real benefit — Kubernetes cannot evict the only pod anyway. + # + # More importantly, PodDisruptionBudgets are considered an Infra‑owned + # resource in this cluster. The CI/CD ServiceAccount intentionally lacks + # permissions to create or modify PDBs, and enabling this would cause + # Helm upgrades to fail with RBAC errors. + # + # The platform team applies disruption policies separately at the + # infrastructure layer, keeping a clean separation of responsibilities. + create: false + + serviceAccount: + # serviceAccount resources are owned and managed by the Infrastructure layer. + # The CI/CD ServiceAccount used for application deployments does not have + # permissions to create or modify serviceAccounts, by design. + # In this setup postgresql does not require its own ServiceAccount, so enabling + # this would provide no benefit and would cause Helm upgrades to fail due + # to RBAC restrictions. 
+ create: false + persistence: size: 10Gi metrics: - enabled: true - collectors: - wal: false - -postgresql-ha: - enabled: false + enabled: false persistence: enabled: true + service: ssh: - type: LoadBalancer - enabled: true - port: 2222 - loadBalancerIP: "" # optional - externalTrafficPolicy: Local + type: LoadBalancer + enabled: true + port: 2222 + loadBalancerIP: + externalTrafficPolicy: Local http: clusterIP: "" # empty string → Kubernetes assigns a routable ClusterIP type: ClusterIP @@ -129,22 +215,12 @@ gitea: INTERNAL_TOKEN: "???" PASSWORD_HASH_ALGO: "???" + # Ingress resources are owned and managed by the Infrastructure layer. + # The CI/CD ServiceAccount used for application deployments does not have + # permissions to create or modify Ingress objects, by design. + # for ingress setup check infra folder ingress: - enabled: true - className: traefik - annotations: - kubernetes.io/ingress.class: traefik - cert-manager.io/cluster-issuer: "letsencrypt-prod" - traefik.ingress.kubernetes.io/router.entrypoints: websecure, public-https - hosts: - - host: git.limbosolutions.com - paths: - - path: / - pathType: Prefix - tls: - - secretName: limbosolutions-com-tls - hosts: - - "git.limbosolutions.com" + enabled: false diff --git a/deploy/infra/continuous-deploy-account.yaml b/deploy/infra/cd-serviceaccount.yaml similarity index 78% rename from deploy/infra/continuous-deploy-account.yaml rename to deploy/infra/cd-serviceaccount.yaml index d788d08..c3981aa 100644 --- a/deploy/infra/continuous-deploy-account.yaml +++ b/deploy/infra/cd-serviceaccount.yaml @@ -24,7 +24,7 @@ metadata: name: continuous-deploy rules: - apiGroups: [""] - resources: ["pods", "services", "secrets", "configmaps", "persistentvolumeclaims", "endpoints", "serviceaccounts"] + resources: ["pods", "services", "secrets", "configmaps", "persistentvolumeclaims"] verbs: ["get", "watch", "list", "create", "update", "patch", "delete"] - apiGroups: ["apps"] 
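Review bot: `service.ssh` is exposed as a `LoadBalancer` on port 2222 with no `loadBalancerSourceRanges`, so Gitea SSH is reachable from any source the load balancer forwards; the comments in this file say network boundaries are enforced by infra-owned NetworkPolicies, but a LoadBalancer entry path deserves an explicit statement — either add `loadBalancerSourceRanges` here or a comment naming the infra policy that restricts it. `loadBalancerIP:` changed from `""` to a bare key, which YAML parses as null; that is harmless if the chart template guards on truthiness, but the old `# optional` comment was clearer, and `spec.loadBalancerIP` is deprecated since Kubernetes 1.24 in favour of provider-specific annotations. The PostgreSQL `pdb` comment repeats the claim that Kubernetes cannot evict the only pod, which is inaccurate (a node drain does), and `metrics.enabled` flipped from `true` to `false` with no reason recorded — one line such as `# metrics disabled: no scraper in this cluster yet` would stop the next reader from silently re-enabling it.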
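Review bot: Removing `serviceaccounts` from the core-API rule closes direct SA management, but the rule still grants `create` on `pods`, and a pod spec can name any existing ServiceAccount in the namespace via `serviceAccountName`, so the CD account can still launch a workload under any infra-owned SA here and read its mounted token — a well-known lateral step that trimming the SA verbs alone does not close. If SAs with broader bindings live in this namespace, move them elsewhere or set `automountServiceAccountToken: false` on them. The rule also keeps full CRUD on `secrets`, which Helm genuinely needs for its `sh.helm.release.v1.*` release records and for the chart's generated secrets, but it equally covers every other Secret in the namespace, including the cert-manager-issued TLS secret the new infra Ingress references; a comment above the rule stating that this is an accepted consequence of Helm's Secret storage driver, or a switch to a dedicated release namespace, would make the trade-off visible instead of implicit.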
@@ -35,15 +35,6 @@ rules: resources: ["cronjobs", "jobs"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] -- apiGroups: ["networking.k8s.io"] - resources: ["networkpolicies", "ingresses"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - -- apiGroups: ["policy"] - resources: ["poddisruptionbudgets"] - verbs: ["get", "list", "watch", "update", "patch"] - - --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/deploy/infra/ingress.yaml b/deploy/infra/ingress.yaml new file mode 100644 index 0000000..c246039 --- /dev/null +++ b/deploy/infra/ingress.yaml @@ -0,0 +1,27 @@ + +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: git-limbosolutions-com + namespace: git-limbosolutions-com + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + kubernetes.io/ingress.class: traefik + traefik.ingress.kubernetes.io/router.entrypoints: websecure, public-https +spec: + ingressClassName: traefik + rules: + - host: git.limbosolutions.com + http: + paths: + - backend: + service: + name: gitea-http + port: + number: 3000 + path: / + pathType: Prefix + tls: + - secretName: limbosolutions-com-tls + hosts: + - "git.limbosolutions.com" diff --git a/deploy/infra/kustomization.yaml b/deploy/infra/kustomization.yaml index e34e100..b9fa5c4 100644 --- a/deploy/infra/kustomization.yaml +++ b/deploy/infra/kustomization.yaml @@ -2,7 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - namespace.yaml - - continuous-deploy-account.yaml + - cd-serviceaccount.yaml + - ingress.yaml - network-policies/egress.yaml - network-policies/egress-local-services.yaml - network-policies/ingress.yaml diff --git a/ops-scripts/apply-app.sh b/ops-scripts/apply-app.sh index 0dfbdef..5a5c37c 100755 --- a/ops-scripts/apply-app.sh +++ b/ops-scripts/apply-app.sh 
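Review bot: The backend in `deploy/infra/ingress.yaml` is hard-wired to Service `gitea-http` port `3000`, which is what the `gitea` Helm release in `apply-app.sh` renders, yet nothing in the file records that coupling, so a release rename or a change of `service.http` in `helm-values.yaml` would leave this Ingress pointing at nothing with no error from either pipeline. Add a comment above `backend:` such as `# Targets the http Service rendered by the "gitea" Helm release (deploy/app); keep name/port in sync with helm-values.yaml`. Note also that `cert-manager.io/cluster-issuer` will store the certificate's private key in `limbosolutions-com-tls` inside this namespace, and the CD ServiceAccount in `cd-serviceaccount.yaml` retains `get`/`list`/`update`/`delete` on `secrets` there, so moving the Ingress out of the chart does not by itself keep the TLS key out of the application pipeline's reach — state that as accepted, or keep the certificate in a namespace the CD account cannot read. Minor: the file opens with an empty line and no `---`, and `kubernetes.io/ingress.class` duplicates `ingressClassName` and is deprecated; keeping only `ingressClassName` avoids two sources of truth.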
@@ -12,8 +12,8 @@ fi if [ -n "${APP_HELM_VALUE_GITEA_ADMIN_USERNAME:-}" ]; then echo "Executing helm deploy." - helm repo add gitea-charts https://dl.gitea.com/charts/ - helm repo update + helm repo add gitea-charts https://dl.gitea.com/charts/ --force-update + helm upgrade --install gitea gitea-charts/gitea --version 12.5.0 \ --values deploy/app/helm-values.yaml \ --set valkey.global.valkey.password=${APP_HELM_VALUE_VALKEY_GLOBAL_PASSWORD} \
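Review bot: `--set valkey.global.valkey.password=${APP_HELM_VALUE_VALKEY_GLOBAL_PASSWORD}` is unquoted, so a password containing spaces or glob characters is word-split by the shell, and `--set` additionally treats `,` and `\` as syntax, so such values silently truncate or fail the upgrade; quote it and use `--set-string` so numeric-looking secrets are not coerced: `--set-string "valkey.global.valkey.password=${APP_HELM_VALUE_VALKEY_GLOBAL_PASSWORD}" \`. Passing secrets on argv also exposes them in `ps` output and in any CI step that runs with `set -x` (only the top of the script is visible here, so confirm it does not); rendering a values file from the environment and passing it with `--values` keeps them off the command line. `helm repo add --force-update` does refresh the index, so dropping `helm repo update` is fine, and `--version 12.5.0` keeps the chart pinned. The `helm upgrade` command continues past the end of the hunk.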