kirby/documentation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fluxcd : adding repo example with some apps

Browse Source
This commit is contained in:
kirby
2025-05-28 16:00:46 +02:00
parent 00a5e56c27
commit e5738c5c3f
111 changed files with 18051 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
fluxcd/repo/infrastructure/base/gatekeeper/core/hr-gatekeeper.yaml Normal file
View File

@@ -0,0 +1,27 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: gatekeeper
namespace: gatekeeper
spec:
chart:
spec:
chart: gatekeeper
reconcileStrategy: ChartVersion
version: "3.13.x"
sourceRef:
kind: HelmRepository
name: gatekeeper
namespace: infrastructure
interval: 10m0s
values:
replicas: 1
enableTLSHealthcheck: true
logDenies: true
logMutations: true
controllerManager:
exemptNamespaces: ["infrastructure"]
postInstall:
labelNamespace:
enabled: false

4
fluxcd/repo/infrastructure/base/gatekeeper/core/kustomization.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- hr-gatekeeper.yaml

29
fluxcd/repo/infrastructure/base/gatekeeper/dependencies.yaml Normal file
View File

@@ -0,0 +1,29 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: inf-gatekeeper-core
namespace: gatekeeper
spec:
interval: 5m
path: ./infrastructure/base/gatekeeper/core
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: inf-gatekeeper-resources
namespace: gatekeeper
spec:
dependsOn:
- name: inf-gatekeeper-core
interval: 5m
path: ./infrastructure/base/gatekeeper/resources
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system

5
fluxcd/repo/infrastructure/base/gatekeeper/kustomization.yaml Normal file
View File

@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: gatekeeper
resources:
- dependencies.yaml

47
fluxcd/repo/infrastructure/base/gatekeeper/resources/affinity-datascience.yaml Normal file
View File

@@ -0,0 +1,47 @@
apiVersion: mutations.gatekeeper.sh/v1
kind: Assign
metadata:
name: affinity-datascience
spec:
applyTo:
- groups:
- ""
kinds:
- Pod
versions:
- v1
location: spec.affinity
match:
kinds:
- apiGroups:
- '*'
kinds:
- Pod
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- disigas
- dilre
- difunds
- dicaplink
- dimatchdom
- dimatchname
- discoring
- dijal
- procol
namespaces:
- privateapi
scope: Namespaced
parameters:
assign:
value:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: InstanceUsage
operator: In
values:
- datascience

23
fluxcd/repo/infrastructure/base/gatekeeper/resources/block-latest-tags.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedTags
metadata:
name: block-latest-tags
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
namespaces:
- data-entry-management
- diffusion
- digital-marketing
- privateapi
- produits
- smartexchange
- vidocq
- flux-system
- infrastructure
scope: Namespaced
parameters:
tags: ["latest"]
exemptImages: []

80
fluxcd/repo/infrastructure/base/gatekeeper/resources/disallowed-tags.yaml Normal file
View File

@@ -0,0 +1,80 @@
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: disallowedtags
spec:
crd:
spec:
names:
kind: DisallowedTags
validation:
openAPIV3Schema:
type: object
properties:
exemptImages:
description: >-
Any container that uses an image that matches an entry in this list will be excluded
from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
in order to avoid unexpectedly exempting images from an untrusted repository.
type: array
items:
type: string
tags:
type: array
description: Disallowed container image tags.
items:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8sdisallowedtags
import data.lib.exempt_container.is_exempt
violation[{"msg": msg}] {
container := input_containers[_]
not is_exempt(container)
tags := [forbid | tag = input.parameters.tags[_] ; forbid = endswith(container.image, concat(":", ["", tag]))]
any(tags)
msg := sprintf("container <%v> uses a disallowed tag <%v>; disallowed tags are %v", [container.name, container.image, input.parameters.tags])
}
violation[{"msg": msg}] {
container := input_containers[_]
not is_exempt(container)
tag := [contains(container.image, ":")]
not all(tag)
msg := sprintf("container <%v> didn't specify an image tag <%v>", [container.name, container.image])
}
input_containers[c] {
c := input.review.object.spec.containers[_]
}
input_containers[c] {
c := input.review.object.spec.initContainers[_]
}
input_containers[c] {
c := input.review.object.spec.ephemeralContainers[_]
}
libs:
- |
package lib.exempt_container
is_exempt(container) {
exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
img := container.image
exemption := exempt_images[_]
_matches_exemption(img, exemption)
}
_matches_exemption(img, exemption) {
not endswith(exemption, "*")
exemption == img
}
_matches_exemption(img, exemption) {
endswith(exemption, "*")
prefix := trim_suffix(exemption, "*")
startswith(img, prefix)
}

16
fluxcd/repo/infrastructure/base/gatekeeper/resources/gatekeeper-podmonitor.yaml Normal file
View File

@@ -0,0 +1,16 @@
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: gatekeeper
spec:
namespaceSelector:
matchNames:
- gatekeeper
selector:
matchExpressions:
- key: app
operator: In
values:
- gatekeeper
podMetricsEndpoints:
- port: metrics

10
fluxcd/repo/infrastructure/base/gatekeeper/resources/kustomization.yaml Normal file
View File

@@ -0,0 +1,10 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: infrastructure
resources:
- affinity-datascience.yaml
- block-latest-tags.yaml
- disallowed-tags.yaml
- ndots-dns.yaml
- toleration-datasience.yaml
- gatekeeper-podmonitor.yaml

38
fluxcd/repo/infrastructure/base/gatekeeper/resources/ndots-dns.yaml Normal file
View File

@@ -0,0 +1,38 @@
apiVersion: mutations.gatekeeper.sh/v1
kind: Assign
metadata:
name: ndots-dns
spec:
applyTo:
- groups:
- ""
kinds:
- Pod
versions:
- v1
location: spec.dnsConfig
match:
kinds:
- apiGroups:
- '*'
kinds:
- Pod
namespaces:
- data-entry-management
- diffusion
- digital-marketing
- privateapi
- produits
- vidocq
- smartexchange
- identite-solvabilite
- alertes
- flux-system
scope: Namespaced
parameters:
assign:
value:
options:
- name: ndots
value: "1"
- name: no-aaaa

44
fluxcd/repo/infrastructure/base/gatekeeper/resources/toleration-datasience.yaml Normal file
View File

@@ -0,0 +1,44 @@
apiVersion: mutations.gatekeeper.sh/v1
kind: Assign
metadata:
name: toleration-datascience
spec:
applyTo:
- groups:
- ""
kinds:
- Pod
versions:
- v1
location: spec.tolerations
match:
kinds:
- apiGroups:
- '*'
kinds:
- Pod
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- disigas
- dilre
- difunds
- dicaplink
- dimatchdom
- dimatchname
- discoring
- dijal
- procol
namespaces:
- privateapi
scope: Namespaced
parameters:
assign:
value:
- effect: NoSchedule
key: InstanceUsage
operator: Equal
value: datascience