Signed-off-by: gwg313 <gwg313@pm.me>
This commit is contained in:
parent
ef827b2c69
commit
145721146e
35 changed files with 919 additions and 122 deletions
137
.tekton/ci.yaml
Normal file
137
.tekton/ci.yaml
Normal file
|
|
@ -0,0 +1,137 @@
|
||||||
|
---
|
||||||
|
apiVersion: tekton.dev/v1
|
||||||
|
kind: PipelineRun
|
||||||
|
metadata:
|
||||||
|
name: homelab-ci
|
||||||
|
annotations:
|
||||||
|
pipelinesascode.tekton.dev/on-event: "[pull_request, push]"
|
||||||
|
pipelinesascode.tekton.dev/on-target-branch: "[main]"
|
||||||
|
pipelinesascode.tekton.dev/max-keep-runs: "5"
|
||||||
|
spec:
|
||||||
|
taskRunTemplate:
|
||||||
|
serviceAccountName: tekton-runner
|
||||||
|
podTemplate:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
# triggers built-in exemption in require-non-root ClusterPolicy
|
||||||
|
security.policy/allow-root: "true"
|
||||||
|
securityContext:
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
|
workspaces:
|
||||||
|
- name: source
|
||||||
|
volumeClaimTemplate:
|
||||||
|
spec:
|
||||||
|
accessModes: [ReadWriteOnce]
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
storage: 1Gi
|
||||||
|
params:
|
||||||
|
- name: repo_url
|
||||||
|
value: "{{ repo_url }}"
|
||||||
|
- name: revision
|
||||||
|
value: "{{ revision }}"
|
||||||
|
- name: clone_url
|
||||||
|
value: "http://forgejo.forgejo.svc.cluster.local/gwg313/homelab-gitops"
|
||||||
|
pipelineSpec:
|
||||||
|
params:
|
||||||
|
- name: repo_url
|
||||||
|
type: string
|
||||||
|
- name: revision
|
||||||
|
type: string
|
||||||
|
- name: clone_url
|
||||||
|
type: string
|
||||||
|
workspaces:
|
||||||
|
- name: source
|
||||||
|
tasks:
|
||||||
|
- name: clone
|
||||||
|
params:
|
||||||
|
- name: url
|
||||||
|
value: $(params.clone_url)
|
||||||
|
- name: revision
|
||||||
|
value: $(params.revision)
|
||||||
|
workspaces:
|
||||||
|
- name: output
|
||||||
|
workspace: source
|
||||||
|
taskRef:
|
||||||
|
resolver: cluster
|
||||||
|
params:
|
||||||
|
- name: kind
|
||||||
|
value: task
|
||||||
|
- name: name
|
||||||
|
value: git-clone
|
||||||
|
- name: namespace
|
||||||
|
value: cicd
|
||||||
|
|
||||||
|
- name: lint-yaml
|
||||||
|
runAfter: [clone]
|
||||||
|
workspaces:
|
||||||
|
- name: source
|
||||||
|
workspace: source
|
||||||
|
taskSpec:
|
||||||
|
workspaces:
|
||||||
|
- name: source
|
||||||
|
steps:
|
||||||
|
- name: yamllint
|
||||||
|
image: pipelinecomponents/yamllint:latest
|
||||||
|
workingDir: $(workspaces.source.path)
|
||||||
|
# explicit false prevents default-run-as-non-root mutation from adding true
|
||||||
|
securityContext:
|
||||||
|
runAsNonRoot: false
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop: [ALL]
|
||||||
|
script: yamllint .
|
||||||
|
|
||||||
|
- name: validate
|
||||||
|
runAfter: [clone]
|
||||||
|
workspaces:
|
||||||
|
- name: source
|
||||||
|
workspace: source
|
||||||
|
taskSpec:
|
||||||
|
workspaces:
|
||||||
|
- name: source
|
||||||
|
steps:
|
||||||
|
- name: kubeconform
|
||||||
|
image: alpine:latest
|
||||||
|
workingDir: $(workspaces.source.path)
|
||||||
|
securityContext:
|
||||||
|
runAsNonRoot: false
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
# empty capabilities block prevents default-drop-all-capabilities
|
||||||
|
# mutation from adding drop:ALL — apk needs CAP_CHOWN to install packages
|
||||||
|
capabilities: {}
|
||||||
|
script: |
|
||||||
|
#!/bin/sh
|
||||||
|
set -e
|
||||||
|
apk add --no-cache curl git tar
|
||||||
|
curl -sSL \
|
||||||
|
https://github.com/yannh/kubeconform/releases/latest/download/kubeconform-linux-amd64.tar.gz \
|
||||||
|
| tar xz -C /usr/local/bin
|
||||||
|
SCHEMA='https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{.ResourceKind}}-{{.ResourceAPIVersion}}.json'
|
||||||
|
git ls-files '*.yaml' '*.yml' | xargs kubeconform \
|
||||||
|
-strict \
|
||||||
|
-summary \
|
||||||
|
-ignore-missing-schemas \
|
||||||
|
-schema-location "$SCHEMA" \
|
||||||
|
-schema-location default
|
||||||
|
|
||||||
|
- name: scan-secrets
|
||||||
|
runAfter: [clone]
|
||||||
|
workspaces:
|
||||||
|
- name: source
|
||||||
|
workspace: source
|
||||||
|
taskSpec:
|
||||||
|
workspaces:
|
||||||
|
- name: source
|
||||||
|
steps:
|
||||||
|
- name: gitleaks
|
||||||
|
image: ghcr.io/zricethezav/gitleaks:latest
|
||||||
|
workingDir: $(workspaces.source.path)
|
||||||
|
securityContext:
|
||||||
|
runAsNonRoot: false
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop: [ALL]
|
||||||
|
command: [gitleaks]
|
||||||
|
args: [detect, --no-git, -v, --redact, --source=.]
|
||||||
|
|
@ -2,7 +2,7 @@ version: '3'
|
||||||
|
|
||||||
vars:
|
vars:
|
||||||
SEALED_SECRETS_NS: sealed-secrets
|
SEALED_SECRETS_NS: sealed-secrets
|
||||||
SEALED_SECRETS_NAME: sealed-secrets
|
SEALED_SECRETS_NAME: sealed-secrets-controller
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
default:
|
default:
|
||||||
|
|
|
||||||
|
|
@ -41,7 +41,7 @@ spec:
|
||||||
- name: FORGEJO__ssh__START_SSH_SERVER
|
- name: FORGEJO__ssh__START_SSH_SERVER
|
||||||
value: "false"
|
value: "false"
|
||||||
- name: FORGEJO__webhook__ALLOWED_HOST_LIST
|
- name: FORGEJO__webhook__ALLOWED_HOST_LIST
|
||||||
value: "ci.gwg313.xyz"
|
value: "ci.gwg313.xyz,pipelines-as-code-controller.pipelines-as-code.svc.cluster.local"
|
||||||
- name: FORGEJO__migrations__ALLOWED_DOMAINS
|
- name: FORGEJO__migrations__ALLOWED_DOMAINS
|
||||||
value: "github.com,*.github.com"
|
value: "github.com,*.github.com"
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
|
|
|
||||||
|
|
@ -18,6 +18,14 @@ spec:
|
||||||
- ports:
|
- ports:
|
||||||
- port: "3000"
|
- port: "3000"
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
|
- fromEndpoints:
|
||||||
|
- matchLabels:
|
||||||
|
io.kubernetes.pod.namespace: pipelines-as-code
|
||||||
|
app: pipelines-as-code-controller
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: "3000"
|
||||||
|
protocol: TCP
|
||||||
# ---
|
# ---
|
||||||
# # ----------------------------------------------------
|
# # ----------------------------------------------------
|
||||||
# # CI runner access (in-cluster service)
|
# # CI runner access (in-cluster service)
|
||||||
|
|
@ -43,6 +51,29 @@ spec:
|
||||||
# - port: "443"
|
# - port: "443"
|
||||||
# protocol: TCP
|
# protocol: TCP
|
||||||
#
|
#
|
||||||
|
---
|
||||||
|
# ----------------------------------------------------
|
||||||
|
# PAC controller webhook delivery (in-cluster)
|
||||||
|
# ----------------------------------------------------
|
||||||
|
apiVersion: cilium.io/v2
|
||||||
|
kind: CiliumNetworkPolicy
|
||||||
|
metadata:
|
||||||
|
name: allow-pac-egress
|
||||||
|
namespace: forgejo
|
||||||
|
spec:
|
||||||
|
endpointSelector:
|
||||||
|
matchLabels:
|
||||||
|
app: forgejo
|
||||||
|
egress:
|
||||||
|
- toEndpoints:
|
||||||
|
- matchLabels:
|
||||||
|
io.kubernetes.pod.namespace: pipelines-as-code
|
||||||
|
app: pipelines-as-code-controller
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: "8082"
|
||||||
|
protocol: TCP
|
||||||
|
|
||||||
---
|
---
|
||||||
# ----------------------------------------------------
|
# ----------------------------------------------------
|
||||||
# External git providers (FQDN restricted)
|
# External git providers (FQDN restricted)
|
||||||
|
|
@ -72,22 +103,22 @@ spec:
|
||||||
# OPTIONAL: unrestricted egress (disabled by default)
|
# OPTIONAL: unrestricted egress (disabled by default)
|
||||||
# Enable ONLY when required for troubleshooting or apps
|
# Enable ONLY when required for troubleshooting or apps
|
||||||
# ----------------------------------------------------
|
# ----------------------------------------------------
|
||||||
apiVersion: cilium.io/v2
|
# apiVersion: cilium.io/v2
|
||||||
kind: CiliumNetworkPolicy
|
# kind: CiliumNetworkPolicy
|
||||||
metadata:
|
# metadata:
|
||||||
name: allow-all-egress
|
# name: allow-all-egress
|
||||||
namespace: forgejo
|
# namespace: forgejo
|
||||||
spec:
|
# spec:
|
||||||
endpointSelector:
|
# endpointSelector:
|
||||||
matchLabels:
|
# matchLabels:
|
||||||
app: forgejo
|
# app: forgejo
|
||||||
|
#
|
||||||
egress:
|
# egress:
|
||||||
- toEntities:
|
# - toEntities:
|
||||||
- world
|
# - world
|
||||||
toPorts:
|
# toPorts:
|
||||||
- ports:
|
# - ports:
|
||||||
- port: "443"
|
# - port: "443"
|
||||||
protocol: TCP
|
# protocol: TCP
|
||||||
- port: "80"
|
# - port: "80"
|
||||||
protocol: TCP
|
# protocol: TCP
|
||||||
|
|
|
||||||
6
apps/homelab-gitops/kustomization.yaml
Normal file
6
apps/homelab-gitops/kustomization.yaml
Normal file
|
|
@ -0,0 +1,6 @@
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- repository.yaml
|
||||||
|
- token-sealed.yaml
|
||||||
15
apps/homelab-gitops/repository.yaml
Normal file
15
apps/homelab-gitops/repository.yaml
Normal file
|
|
@ -0,0 +1,15 @@
|
||||||
|
apiVersion: pipelinesascode.tekton.dev/v1alpha1
|
||||||
|
kind: Repository
|
||||||
|
metadata:
|
||||||
|
name: homelab-gitops
|
||||||
|
namespace: cicd
|
||||||
|
spec:
|
||||||
|
url: https://git.gwg313.xyz/gwg313/homelab-gitops
|
||||||
|
git_provider:
|
||||||
|
url: http://forgejo.forgejo.svc.cluster.local
|
||||||
|
secret:
|
||||||
|
name: pac-forgejo-token
|
||||||
|
key: token
|
||||||
|
webhook_secret:
|
||||||
|
name: pac-forgejo-token
|
||||||
|
key: webhook-secret
|
||||||
15
apps/homelab-gitops/token-sealed.yaml
Normal file
15
apps/homelab-gitops/token-sealed.yaml
Normal file
|
|
@ -0,0 +1,15 @@
|
||||||
|
---
|
||||||
|
apiVersion: bitnami.com/v1alpha1
|
||||||
|
kind: SealedSecret
|
||||||
|
metadata:
|
||||||
|
name: pac-forgejo-token
|
||||||
|
namespace: cicd
|
||||||
|
spec:
|
||||||
|
encryptedData:
|
||||||
|
token: AgABC/muQ4sYRfEXQDbj+KZioqckISHpdbRTAaYgAbjWtvC788LBnHpEX/nyBU1KxRX4Wn4ZtnlOQ02a9NTnrVPbYw4eLXF7NsugPV1jM5Wcs9DDqz0LjCqwOF8POuwrh73FYTUJeTe2h2sGT5iRn7T0r/LueRhb6pYVb4rF+Wx9zkhNBXz7+diFLFfKxCRvwIYbgITTNro6eHLX7IxrW3Tnb2h4vNK1d5p7bx2nIsDj6xVWkvkqw62snlKKoHAFtyWJZVHPuiH9eXLCaObRWMZVqqBYaz0NxDIzvk6Vf2nabCU7cqe6wqqt17paIXVOcZVaMSvLq9Xl4T96f0xEysJqCxfVGKHTbV3f5gpLHDHMObvcqGkmsLyH1GfWs3kGK4DY7task041bTUs3kiELGR9e5D3JGdlafzfrfUJ0AvxfLEfp0VFrVKnH8sBBiIAygMBXuFCfbKBT0hnaNr7YVKtapZc86hZPAclNDstzOS3TrAUqHbtpKAUUAwQxa1d9rIk4ts6nBy1ak9JErOJLNvtCWpK4IIn58I7FunjXnfYh+s/U/skM6kNicrEizHKWxTy9cTT+r8b5Q2AaGi/uvWb2I7/hET61qcZnIKJpACciSFl3pRYDCPIrTUChWAczcCl1uSChCPMu2MyMGOa7k2NvxPMhxkmR4I8LCvNSNm0llCpE0hCrrbvyMzGE5eA7cXA8AmlrKG10c8xT4ZXXFEl0TUDayrT7E/fvWuIP86li+Z6W8WmMair
|
||||||
|
webhook-secret: AgC1QZVBm/K8wzYHM+sXOb5zHQU49iTgUL0EHKYC7U+nHS66Wbn0S/GvuXUPgMWQAUfLKKSsXIDOkwEmGXOnqqKnz9GjaOG1Yf0NWWFFRCFyxuN5ooW0lmhFw2s3J76ibmSiulRVF8CjXgPkctIkbPosfrItoiaOtHU2Tjgfh5/IgCI5pK+1pF2oqVoOaDvoygvgJOrq6piLaTCO0gNSBzQ0m6ksWTi8WoVcO7hsgbYemzXHSus9R9X5hHdxGEpLUINjHd4z51Hkg+EtgByXYtXpuThFKGPVkkc4mrn9K89w6+whDRId6VMAlCJEZr79QQTkOdpBpDdyMdzPqvFfQaF6TtMD8XJq78kKxwddhUOIjmc4/E2WlJYbfTlmTksoIl5LC/MZc7TSg2I6G4RNG5QOmOs4drmRo/sG6AKESUYInRvQNTQcOoSaSjgAdXnEMDag9buH9E9kdrJbr0QaGzvTjQnPPbcApsx/kWlbScNgPKHnxIkr45MqZoRJ+HaUpS8RvrNz++9kvDnCFQlLFggDYnNaXpoO4iWEAPIfsQhIPa+K3eBs2tC9aCqaTXI8Ajr7vdhSSN5uhSc82EXS+n8Ztqs2+3CHd1ybiNJVSKKNyJDwSl8dBWPLE0cpobmq5dIfpSRTyDQexH7LtjKZ9lAJ3XOXEalyqQUxuKrAnl3r8GfaeagU1jULpmeK+exaq1WPs06py/btgEBOfE3ks5cSzlGyehtGOgW6C918AEBuqmK349QtvMxx
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
name: pac-forgejo-token
|
||||||
|
namespace: cicd
|
||||||
|
type: Opaque
|
||||||
|
|
@ -5,3 +5,29 @@ resources:
|
||||||
- https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
|
- https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
|
||||||
- https://storage.googleapis.com/tekton-releases/dashboard/latest/release.yaml
|
- https://storage.googleapis.com/tekton-releases/dashboard/latest/release.yaml
|
||||||
- https://raw.githubusercontent.com/openshift-pipelines/pipelines-as-code/stable/release.k8s.yaml
|
- https://raw.githubusercontent.com/openshift-pipelines/pipelines-as-code/stable/release.k8s.yaml
|
||||||
|
- namespace.yaml
|
||||||
|
- service-account.yaml
|
||||||
|
- tekton-runner-role.yaml
|
||||||
|
- tekton-runner-binding.yaml
|
||||||
|
- network-policy.yaml
|
||||||
|
- tasks/git-clone.yaml
|
||||||
|
- tasks/kaniko.yaml
|
||||||
|
- policy-exception.yaml
|
||||||
|
- pac-network-policy.yaml
|
||||||
|
- pac-role.yaml
|
||||||
|
|
||||||
|
patches:
|
||||||
|
- patch: |
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: tekton-pipelines
|
||||||
|
labels:
|
||||||
|
policy.home.arpa/allow-hostpath: "true"
|
||||||
|
- patch: |
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: pipelines-as-code
|
||||||
|
labels:
|
||||||
|
policy.home.arpa/allow-hostpath: "true"
|
||||||
|
|
|
||||||
8
apps/tekton/namespace.yaml
Normal file
8
apps/tekton/namespace.yaml
Normal file
|
|
@ -0,0 +1,8 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: cicd
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: cicd
|
||||||
|
app.kubernetes.io/part-of: tekton
|
||||||
|
app.kubernetes.io/managed-by: argocd
|
||||||
36
apps/tekton/network-policy.yaml
Normal file
36
apps/tekton/network-policy.yaml
Normal file
|
|
@ -0,0 +1,36 @@
|
||||||
|
apiVersion: cilium.io/v2
|
||||||
|
kind: CiliumNetworkPolicy
|
||||||
|
metadata:
|
||||||
|
name: cicd-egress
|
||||||
|
namespace: cicd
|
||||||
|
spec:
|
||||||
|
endpointSelector: {}
|
||||||
|
egress:
|
||||||
|
# Tekton entrypoint sidecar updates TaskRun status via the K8s API
|
||||||
|
- toEntities:
|
||||||
|
- kube-apiserver
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: "443"
|
||||||
|
protocol: TCP
|
||||||
|
# Push built images to Harbor registry in-cluster
|
||||||
|
- toEndpoints:
|
||||||
|
- matchLabels:
|
||||||
|
io.kubernetes.pod.namespace: harbor
|
||||||
|
app: harbor
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: "80"
|
||||||
|
protocol: TCP
|
||||||
|
# Git clone from internal Forgejo
|
||||||
|
- toEndpoints:
|
||||||
|
- matchLabels:
|
||||||
|
io.kubernetes.pod.namespace: forgejo
|
||||||
|
app: forgejo
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: "3000"
|
||||||
|
protocol: TCP
|
||||||
|
# Tool downloads (kubeconform), schema lookups
|
||||||
|
- toEntities:
|
||||||
|
- world
|
||||||
46
apps/tekton/pac-network-policy.yaml
Normal file
46
apps/tekton/pac-network-policy.yaml
Normal file
|
|
@ -0,0 +1,46 @@
|
||||||
|
apiVersion: cilium.io/v2
|
||||||
|
kind: CiliumNetworkPolicy
|
||||||
|
metadata:
|
||||||
|
name: allow-forgejo-webhook-ingress
|
||||||
|
namespace: pipelines-as-code
|
||||||
|
spec:
|
||||||
|
endpointSelector:
|
||||||
|
matchLabels:
|
||||||
|
app: pipelines-as-code-controller
|
||||||
|
ingress:
|
||||||
|
- fromEndpoints:
|
||||||
|
- matchLabels:
|
||||||
|
io.kubernetes.pod.namespace: forgejo
|
||||||
|
app: forgejo
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: "8082"
|
||||||
|
protocol: TCP
|
||||||
|
egress:
|
||||||
|
- toEndpoints:
|
||||||
|
- matchLabels:
|
||||||
|
io.kubernetes.pod.namespace: kube-system
|
||||||
|
k8s-app: kube-dns
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: "53"
|
||||||
|
protocol: UDP
|
||||||
|
- port: "53"
|
||||||
|
protocol: TCP
|
||||||
|
rules:
|
||||||
|
dns:
|
||||||
|
- matchPattern: "*"
|
||||||
|
- toEndpoints:
|
||||||
|
- matchLabels:
|
||||||
|
io.kubernetes.pod.namespace: forgejo
|
||||||
|
app: forgejo
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: "3000"
|
||||||
|
protocol: TCP
|
||||||
|
- toEntities:
|
||||||
|
- kube-apiserver
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: "6443"
|
||||||
|
protocol: TCP
|
||||||
26
apps/tekton/pac-role.yaml
Normal file
26
apps/tekton/pac-role.yaml
Normal file
|
|
@ -0,0 +1,26 @@
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
name: pac-task-reader
|
||||||
|
namespace: cicd
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["tekton.dev"]
|
||||||
|
resources: ["tasks"]
|
||||||
|
verbs: ["get", "list"]
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: pac-controller-cicd-access
|
||||||
|
namespace: cicd
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: pac-task-reader
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: pipelines-as-code-controller
|
||||||
|
namespace: pipelines-as-code
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: tekton-pipelines-resolvers
|
||||||
|
namespace: tekton-pipelines
|
||||||
54
apps/tekton/policy-exception.yaml
Normal file
54
apps/tekton/policy-exception.yaml
Normal file
|
|
@ -0,0 +1,54 @@
|
||||||
|
apiVersion: kyverno.io/v2
|
||||||
|
kind: PolicyException
|
||||||
|
metadata:
|
||||||
|
name: cicd-security-exceptions
|
||||||
|
namespace: cicd
|
||||||
|
annotations:
|
||||||
|
argocd.argoproj.io/sync-wave: "-1"
|
||||||
|
spec:
|
||||||
|
exceptions:
|
||||||
|
- policyName: require-drop-all-capabilities
|
||||||
|
ruleNames: ["*"]
|
||||||
|
match:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
namespaces: [cicd]
|
||||||
|
kinds: [Pod]
|
||||||
|
---
|
||||||
|
apiVersion: kyverno.io/v2
|
||||||
|
kind: PolicyException
|
||||||
|
metadata:
|
||||||
|
name: tekton-hostpath-exception
|
||||||
|
namespace: tekton-pipelines
|
||||||
|
annotations:
|
||||||
|
argocd.argoproj.io/sync-wave: "-1"
|
||||||
|
spec:
|
||||||
|
exceptions:
|
||||||
|
- policyName: disallow-hostpath-volumes
|
||||||
|
ruleNames:
|
||||||
|
- no-hostpath
|
||||||
|
- autogen-no-hostpath
|
||||||
|
match:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
namespaces: [tekton-pipelines]
|
||||||
|
kinds: [Pod, Deployment]
|
||||||
|
---
|
||||||
|
apiVersion: kyverno.io/v2
|
||||||
|
kind: PolicyException
|
||||||
|
metadata:
|
||||||
|
name: pac-hostpath-exception
|
||||||
|
namespace: pipelines-as-code
|
||||||
|
annotations:
|
||||||
|
argocd.argoproj.io/sync-wave: "-1"
|
||||||
|
spec:
|
||||||
|
exceptions:
|
||||||
|
- policyName: disallow-hostpath-volumes
|
||||||
|
ruleNames:
|
||||||
|
- no-hostpath
|
||||||
|
- autogen-no-hostpath
|
||||||
|
match:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
namespaces: [pipelines-as-code]
|
||||||
|
kinds: [Pod, Deployment]
|
||||||
8
apps/tekton/service-account.yaml
Normal file
8
apps/tekton/service-account.yaml
Normal file
|
|
@ -0,0 +1,8 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: tekton-runner
|
||||||
|
namespace: cicd
|
||||||
|
automountServiceAccountToken: false
|
||||||
|
imagePullSecrets:
|
||||||
|
- name: registry-creds
|
||||||
249
apps/tekton/tasks/git-clone.yaml
Normal file
249
apps/tekton/tasks/git-clone.yaml
Normal file
|
|
@ -0,0 +1,249 @@
|
||||||
|
apiVersion: tekton.dev/v1
|
||||||
|
kind: Task
|
||||||
|
metadata:
|
||||||
|
name: git-clone
|
||||||
|
namespace: cicd
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/version: "0.10"
|
||||||
|
annotations:
|
||||||
|
tekton.dev/pipelines.minVersion: "0.38.0"
|
||||||
|
tekton.dev/categories: Git
|
||||||
|
tekton.dev/tags: git
|
||||||
|
tekton.dev/displayName: "git clone"
|
||||||
|
tekton.dev/platforms: "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64"
|
||||||
|
spec:
|
||||||
|
description: >-
|
||||||
|
These Tasks are Git tasks to work with repositories used by other tasks
|
||||||
|
in your Pipeline.
|
||||||
|
|
||||||
|
The git-clone Task will clone a repo from the provided url into the
|
||||||
|
output Workspace. By default the repo will be cloned into the root of
|
||||||
|
your Workspace. You can clone into a subdirectory by setting this Task's
|
||||||
|
subdirectory param. This Task also supports sparse checkouts. To perform
|
||||||
|
a sparse checkout, pass a list of comma separated directory patterns to
|
||||||
|
this Task's sparseCheckoutDirectories param.
|
||||||
|
workspaces:
|
||||||
|
- name: output
|
||||||
|
description: The git repo will be cloned onto the volume backing this Workspace.
|
||||||
|
- name: ssh-directory
|
||||||
|
optional: true
|
||||||
|
description: |
|
||||||
|
A .ssh directory with private key, known_hosts, config, etc. Copied to
|
||||||
|
the user's home before git commands are executed. Used to authenticate
|
||||||
|
with the git remote when performing the clone. Binding a Secret to this
|
||||||
|
Workspace is strongly recommended over other volume types.
|
||||||
|
- name: basic-auth
|
||||||
|
optional: true
|
||||||
|
description: |
|
||||||
|
A Workspace containing a .gitconfig and .git-credentials file. These
|
||||||
|
will be copied to the user's home before any git commands are run. Any
|
||||||
|
other files in this Workspace are ignored. It is strongly recommended
|
||||||
|
to use ssh-directory over basic-auth whenever possible and to bind a
|
||||||
|
Secret to this Workspace over other volume types.
|
||||||
|
- name: ssl-ca-directory
|
||||||
|
optional: true
|
||||||
|
description: |
|
||||||
|
A workspace containing CA certificates, this will be used by Git to
|
||||||
|
verify the peer with when fetching or pushing over HTTPS.
|
||||||
|
params:
|
||||||
|
- name: url
|
||||||
|
description: Repository URL to clone from.
|
||||||
|
type: string
|
||||||
|
- name: revision
|
||||||
|
description: Revision to checkout. (branch, tag, sha, ref, etc...)
|
||||||
|
type: string
|
||||||
|
default: ""
|
||||||
|
- name: refspec
|
||||||
|
description: Refspec to fetch before checking out revision.
|
||||||
|
default: ""
|
||||||
|
- name: submodules
|
||||||
|
description: Initialize and fetch git submodules.
|
||||||
|
type: string
|
||||||
|
default: "true"
|
||||||
|
- name: depth
|
||||||
|
description: Perform a shallow clone, fetching only the most recent N commits.
|
||||||
|
type: string
|
||||||
|
default: "1"
|
||||||
|
- name: sslVerify
|
||||||
|
description: Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.
|
||||||
|
type: string
|
||||||
|
default: "true"
|
||||||
|
- name: crtFileName
|
||||||
|
description: file name of mounted crt using ssl-ca-directory workspace. default value is ca-bundle.crt.
|
||||||
|
type: string
|
||||||
|
default: "ca-bundle.crt"
|
||||||
|
- name: subdirectory
|
||||||
|
description: Subdirectory inside the `output` Workspace to clone the repo into.
|
||||||
|
type: string
|
||||||
|
default: ""
|
||||||
|
- name: sparseCheckoutDirectories
|
||||||
|
description: Define the directory patterns to match or exclude when performing a sparse checkout.
|
||||||
|
type: string
|
||||||
|
default: ""
|
||||||
|
- name: deleteExisting
|
||||||
|
description: Clean out the contents of the destination directory if it already exists before cloning.
|
||||||
|
type: string
|
||||||
|
default: "true"
|
||||||
|
- name: httpProxy
|
||||||
|
description: HTTP proxy server for non-SSL requests.
|
||||||
|
type: string
|
||||||
|
default: ""
|
||||||
|
- name: httpsProxy
|
||||||
|
description: HTTPS proxy server for SSL requests.
|
||||||
|
type: string
|
||||||
|
default: ""
|
||||||
|
- name: noProxy
|
||||||
|
description: Opt out of proxying HTTP/HTTPS requests.
|
||||||
|
type: string
|
||||||
|
default: ""
|
||||||
|
- name: verbose
|
||||||
|
description: Log the commands that are executed during `git-clone`'s operation.
|
||||||
|
type: string
|
||||||
|
default: "true"
|
||||||
|
- name: gitInitImage
|
||||||
|
description: The image providing the git-init binary that this Task runs.
|
||||||
|
type: string
|
||||||
|
default: "ghcr.io/tektoncd-catalog/git-clone:v1.1.0"
|
||||||
|
- name: userHome
|
||||||
|
description: |
|
||||||
|
Absolute path to the user's home directory.
|
||||||
|
type: string
|
||||||
|
default: "/home/git"
|
||||||
|
results:
|
||||||
|
- name: commit
|
||||||
|
description: The precise commit SHA that was fetched by this Task.
|
||||||
|
- name: url
|
||||||
|
description: The precise URL that was fetched by this Task.
|
||||||
|
- name: committer-date
|
||||||
|
description: The epoch timestamp of the commit that was fetched by this Task.
|
||||||
|
steps:
|
||||||
|
- name: clone
|
||||||
|
image: "$(params.gitInitImage)"
|
||||||
|
env:
|
||||||
|
- name: HOME
|
||||||
|
value: "$(params.userHome)"
|
||||||
|
- name: PARAM_URL
|
||||||
|
value: $(params.url)
|
||||||
|
- name: PARAM_REVISION
|
||||||
|
value: $(params.revision)
|
||||||
|
- name: PARAM_REFSPEC
|
||||||
|
value: $(params.refspec)
|
||||||
|
- name: PARAM_SUBMODULES
|
||||||
|
value: $(params.submodules)
|
||||||
|
- name: PARAM_DEPTH
|
||||||
|
value: $(params.depth)
|
||||||
|
- name: PARAM_SSL_VERIFY
|
||||||
|
value: $(params.sslVerify)
|
||||||
|
- name: PARAM_CRT_FILENAME
|
||||||
|
value: $(params.crtFileName)
|
||||||
|
- name: PARAM_SUBDIRECTORY
|
||||||
|
value: $(params.subdirectory)
|
||||||
|
- name: PARAM_DELETE_EXISTING
|
||||||
|
value: $(params.deleteExisting)
|
||||||
|
- name: PARAM_HTTP_PROXY
|
||||||
|
value: $(params.httpProxy)
|
||||||
|
- name: PARAM_HTTPS_PROXY
|
||||||
|
value: $(params.httpsProxy)
|
||||||
|
- name: PARAM_NO_PROXY
|
||||||
|
value: $(params.noProxy)
|
||||||
|
- name: PARAM_VERBOSE
|
||||||
|
value: $(params.verbose)
|
||||||
|
- name: PARAM_SPARSE_CHECKOUT_DIRECTORIES
|
||||||
|
value: $(params.sparseCheckoutDirectories)
|
||||||
|
- name: PARAM_USER_HOME
|
||||||
|
value: $(params.userHome)
|
||||||
|
- name: WORKSPACE_OUTPUT_PATH
|
||||||
|
value: $(workspaces.output.path)
|
||||||
|
- name: WORKSPACE_SSH_DIRECTORY_BOUND
|
||||||
|
value: $(workspaces.ssh-directory.bound)
|
||||||
|
- name: WORKSPACE_SSH_DIRECTORY_PATH
|
||||||
|
value: $(workspaces.ssh-directory.path)
|
||||||
|
- name: WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND
|
||||||
|
value: $(workspaces.basic-auth.bound)
|
||||||
|
- name: WORKSPACE_BASIC_AUTH_DIRECTORY_PATH
|
||||||
|
value: $(workspaces.basic-auth.path)
|
||||||
|
- name: WORKSPACE_SSL_CA_DIRECTORY_BOUND
|
||||||
|
value: $(workspaces.ssl-ca-directory.bound)
|
||||||
|
- name: WORKSPACE_SSL_CA_DIRECTORY_PATH
|
||||||
|
value: $(workspaces.ssl-ca-directory.path)
|
||||||
|
securityContext:
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 65532
|
||||||
|
volumeMounts:
|
||||||
|
- name: user-home
|
||||||
|
mountPath: $(params.userHome)
|
||||||
|
script: |
|
||||||
|
#!/usr/bin/env sh
|
||||||
|
set -eu
|
||||||
|
|
||||||
|
if [ "${PARAM_VERBOSE}" = "true" ] ; then
|
||||||
|
set -x
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ] ; then
|
||||||
|
cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" "${PARAM_USER_HOME}/.git-credentials"
|
||||||
|
cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" "${PARAM_USER_HOME}/.gitconfig"
|
||||||
|
chmod 400 "${PARAM_USER_HOME}/.git-credentials"
|
||||||
|
chmod 400 "${PARAM_USER_HOME}/.gitconfig"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "${WORKSPACE_SSH_DIRECTORY_BOUND}" = "true" ] ; then
|
||||||
|
cp -R "${WORKSPACE_SSH_DIRECTORY_PATH}" "${PARAM_USER_HOME}"/.ssh
|
||||||
|
chmod 700 "${PARAM_USER_HOME}"/.ssh
|
||||||
|
chmod -R 400 "${PARAM_USER_HOME}"/.ssh/*
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "${WORKSPACE_SSL_CA_DIRECTORY_BOUND}" = "true" ] ; then
|
||||||
|
export GIT_SSL_CAPATH="${WORKSPACE_SSL_CA_DIRECTORY_PATH}"
|
||||||
|
if [ "${PARAM_CRT_FILENAME}" != "" ] ; then
|
||||||
|
export GIT_SSL_CAINFO="${WORKSPACE_SSL_CA_DIRECTORY_PATH}/${PARAM_CRT_FILENAME}"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
CHECKOUT_DIR="${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}"
|
||||||
|
|
||||||
|
cleandir() {
|
||||||
|
# Delete any existing contents of the repo directory if it exists.
|
||||||
|
#
|
||||||
|
# We don't just "rm -rf ${CHECKOUT_DIR}" because ${CHECKOUT_DIR} might be "/"
|
||||||
|
# or the root of a mounted volume.
|
||||||
|
if [ -d "${CHECKOUT_DIR}" ] ; then
|
||||||
|
# Delete non-hidden files and directories
|
||||||
|
rm -rf "${CHECKOUT_DIR:?}"/*
|
||||||
|
# Delete files and directories starting with . but excluding ..
|
||||||
|
rm -rf "${CHECKOUT_DIR}"/.[!.]*
|
||||||
|
# Delete files and directories starting with .. plus any other character
|
||||||
|
rm -rf "${CHECKOUT_DIR}"/..?*
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
if [ "${PARAM_DELETE_EXISTING}" = "true" ] ; then
|
||||||
|
cleandir || true
|
||||||
|
fi
|
||||||
|
|
||||||
|
test -z "${PARAM_HTTP_PROXY}" || export HTTP_PROXY="${PARAM_HTTP_PROXY}"
|
||||||
|
test -z "${PARAM_HTTPS_PROXY}" || export HTTPS_PROXY="${PARAM_HTTPS_PROXY}"
|
||||||
|
test -z "${PARAM_NO_PROXY}" || export NO_PROXY="${PARAM_NO_PROXY}"
|
||||||
|
|
||||||
|
git config --global --add safe.directory "${WORKSPACE_OUTPUT_PATH}"
|
||||||
|
/ko-app/git-init \
|
||||||
|
-url="${PARAM_URL}" \
|
||||||
|
-revision="${PARAM_REVISION}" \
|
||||||
|
-refspec="${PARAM_REFSPEC}" \
|
||||||
|
-path="${CHECKOUT_DIR}" \
|
||||||
|
-sslVerify="${PARAM_SSL_VERIFY}" \
|
||||||
|
-submodules="${PARAM_SUBMODULES}" \
|
||||||
|
-depth="${PARAM_DEPTH}" \
|
||||||
|
-sparseCheckoutDirectories="${PARAM_SPARSE_CHECKOUT_DIRECTORIES}"
|
||||||
|
cd "${CHECKOUT_DIR}"
|
||||||
|
RESULT_SHA="$(git rev-parse HEAD)"
|
||||||
|
EXIT_CODE="$?"
|
||||||
|
if [ "${EXIT_CODE}" != 0 ] ; then
|
||||||
|
exit "${EXIT_CODE}"
|
||||||
|
fi
|
||||||
|
RESULT_COMMITTER_DATE="$(git log -1 --pretty=%ct)"
|
||||||
|
printf "%s" "${RESULT_COMMITTER_DATE}" > "$(results.committer-date.path)"
|
||||||
|
printf "%s" "${RESULT_SHA}" > "$(results.commit.path)"
|
||||||
|
printf "%s" "${PARAM_URL}" > "$(results.url.path)"
|
||||||
|
volumes:
|
||||||
|
- name: user-home
|
||||||
|
emptyDir: {}
|
||||||
70
apps/tekton/tasks/kaniko.yaml
Normal file
70
apps/tekton/tasks/kaniko.yaml
Normal file
|
|
@ -0,0 +1,70 @@
|
||||||
|
apiVersion: tekton.dev/v1
|
||||||
|
kind: Task
|
||||||
|
metadata:
|
||||||
|
name: kaniko
|
||||||
|
namespace: cicd
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/version: "0.7"
|
||||||
|
annotations:
|
||||||
|
tekton.dev/pipelines.minVersion: "0.43.0"
|
||||||
|
tekton.dev/categories: Image Build
|
||||||
|
tekton.dev/tags: image-build
|
||||||
|
tekton.dev/displayName: "Build and upload container image using Kaniko"
|
||||||
|
tekton.dev/platforms: "linux/amd64,linux/arm64,linux/ppc64le"
|
||||||
|
tekton.dev/deprecated: "true"
|
||||||
|
spec:
|
||||||
|
description: >-
|
||||||
|
This Task builds a simple Dockerfile with kaniko and pushes to a registry.
|
||||||
|
This Task stores the image name and digest as results, allowing Tekton Chains to pick up
|
||||||
|
that an image was built & sign it.
|
||||||
|
params:
|
||||||
|
- name: IMAGE
|
||||||
|
description: Name (reference) of the image to build.
|
||||||
|
- name: DOCKERFILE
|
||||||
|
description: Path to the Dockerfile to build.
|
||||||
|
default: ./Dockerfile
|
||||||
|
- name: CONTEXT
|
||||||
|
description: The build context used by Kaniko.
|
||||||
|
default: ./
|
||||||
|
- name: EXTRA_ARGS
|
||||||
|
type: array
|
||||||
|
default: []
|
||||||
|
- name: BUILDER_IMAGE
|
||||||
|
description: The image on which builds will run (default is v1.5.1)
|
||||||
|
default: gcr.io/kaniko-project/executor:v1.5.1@sha256:c6166717f7fe0b7da44908c986137ecfeab21f31ec3992f6e128fff8a94be8a5
|
||||||
|
- name: WRITER_IMAGE
|
||||||
|
description: The image on which the write-url step will run (default is docker.io/library/bash:5.1.4@sha256:c523c636b722339f41b6a431b44588ab2f762c5de5ec3bd7964420ff982fb1d9)
|
||||||
|
default: docker.io/library/bash:5.1.4@sha256:c523c636b722339f41b6a431b44588ab2f762c5de5ec3bd7964420ff982fb1d9
|
||||||
|
workspaces:
|
||||||
|
- name: source
|
||||||
|
description: Holds the context and Dockerfile
|
||||||
|
- name: dockerconfig
|
||||||
|
description: Includes a docker `config.json`
|
||||||
|
optional: true
|
||||||
|
mountPath: /kaniko/.docker
|
||||||
|
results:
|
||||||
|
- name: IMAGE_DIGEST
|
||||||
|
description: Digest of the image just built.
|
||||||
|
- name: IMAGE_URL
|
||||||
|
description: URL of the image just built.
|
||||||
|
steps:
|
||||||
|
- name: build-and-push
|
||||||
|
workingDir: $(workspaces.source.path)
|
||||||
|
image: $(params.BUILDER_IMAGE)
|
||||||
|
args:
|
||||||
|
- $(params.EXTRA_ARGS)
|
||||||
|
- --dockerfile=$(params.DOCKERFILE)
|
||||||
|
- --context=$(workspaces.source.path)/$(params.CONTEXT) # The user does not need to care the workspace and the source.
|
||||||
|
- --destination=$(params.IMAGE)
|
||||||
|
- --digest-file=$(results.IMAGE_DIGEST.path)
|
||||||
|
# kaniko assumes it is running as root, which means this example fails on platforms
|
||||||
|
# that default to run containers as random uid (like OpenShift). Adding this securityContext
|
||||||
|
# makes it explicit that it needs to run as root.
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 0
|
||||||
|
- name: write-url
|
||||||
|
image: $(params.WRITER_IMAGE)
|
||||||
|
script: |
|
||||||
|
set -e
|
||||||
|
image="$(params.IMAGE)"
|
||||||
|
printf "%s" "${image}" | tee "$(results.IMAGE_URL.path)"
|
||||||
15
apps/tekton/tekton-runner-binding.yaml
Normal file
15
apps/tekton/tekton-runner-binding.yaml
Normal file
|
|
@ -0,0 +1,15 @@
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: tekton-runner
|
||||||
|
namespace: cicd
|
||||||
|
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: tekton-runner
|
||||||
|
namespace: cicd
|
||||||
|
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: tekton-runner
|
||||||
34
apps/tekton/tekton-runner-role.yaml
Normal file
34
apps/tekton/tekton-runner-role.yaml
Normal file
|
|
@ -0,0 +1,34 @@
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
name: tekton-runner
|
||||||
|
namespace: cicd
|
||||||
|
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["tekton.dev"]
|
||||||
|
resources:
|
||||||
|
- pipelineruns
|
||||||
|
- taskruns
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
|
- create
|
||||||
|
- delete
|
||||||
|
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources:
|
||||||
|
- pods
|
||||||
|
- pods/log
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
|
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources:
|
||||||
|
- configmaps
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
20
management/platform-apps/argocd-config.yaml
Normal file
20
management/platform-apps/argocd-config.yaml
Normal file
|
|
@ -0,0 +1,20 @@
|
||||||
|
apiVersion: argoproj.io/v1alpha1
|
||||||
|
kind: Application
|
||||||
|
metadata:
|
||||||
|
name: argocd-config
|
||||||
|
namespace: argocd
|
||||||
|
spec:
|
||||||
|
project: default
|
||||||
|
source:
|
||||||
|
repoURL: https://github.com/gwg313/homelab-gitops.git
|
||||||
|
targetRevision: main
|
||||||
|
path: platform/argocd
|
||||||
|
destination:
|
||||||
|
server: https://kubernetes.default.svc
|
||||||
|
namespace: argocd
|
||||||
|
syncPolicy:
|
||||||
|
automated:
|
||||||
|
prune: true
|
||||||
|
selfHeal: true
|
||||||
|
syncOptions:
|
||||||
|
- ServerSideApply=true
|
||||||
20
management/platform-apps/homelab-gitops.yaml
Normal file
20
management/platform-apps/homelab-gitops.yaml
Normal file
|
|
@ -0,0 +1,20 @@
|
||||||
|
apiVersion: argoproj.io/v1alpha1
|
||||||
|
kind: Application
|
||||||
|
metadata:
|
||||||
|
name: homelab-gitops-ci
|
||||||
|
namespace: argocd
|
||||||
|
annotations:
|
||||||
|
argoproj.io/sync-wave: "1"
|
||||||
|
spec:
|
||||||
|
project: default
|
||||||
|
source:
|
||||||
|
repoURL: https://github.com/gwg313/homelab-gitops.git
|
||||||
|
targetRevision: main
|
||||||
|
path: apps/homelab-gitops
|
||||||
|
destination:
|
||||||
|
server: https://kubernetes.default.svc
|
||||||
|
namespace: cicd
|
||||||
|
syncPolicy:
|
||||||
|
automated:
|
||||||
|
prune: true
|
||||||
|
selfHeal: true
|
||||||
|
|
@ -15,8 +15,10 @@ resources:
|
||||||
- audiobookshelf.yaml
|
- audiobookshelf.yaml
|
||||||
- yopass.yaml
|
- yopass.yaml
|
||||||
- tekton.yaml
|
- tekton.yaml
|
||||||
|
- homelab-gitops.yaml
|
||||||
- navidrome.yaml
|
- navidrome.yaml
|
||||||
- bytestash.yaml
|
- bytestash.yaml
|
||||||
- stirling-pdf.yaml
|
- stirling-pdf.yaml
|
||||||
# - soulsync.yaml
|
# - soulsync.yaml
|
||||||
- vikunja.yaml
|
- vikunja.yaml
|
||||||
|
- argocd-config.yaml
|
||||||
|
|
|
||||||
6
platform/argocd/argocd-cm-patch.yaml
Normal file
6
platform/argocd/argocd-cm-patch.yaml
Normal file
|
|
@ -0,0 +1,6 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: argocd-cm
|
||||||
|
namespace: argocd
|
||||||
|
data: {}
|
||||||
5
platform/argocd/kustomization.yaml
Normal file
5
platform/argocd/kustomization.yaml
Normal file
|
|
@ -0,0 +1,5 @@
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- argocd-cm-patch.yaml
|
||||||
|
|
@ -3,5 +3,7 @@ kyverno:
|
||||||
replicas: 2
|
replicas: 2
|
||||||
features:
|
features:
|
||||||
loggingFormat: text
|
loggingFormat: text
|
||||||
|
policyExceptions:
|
||||||
|
enabled: true
|
||||||
telemetry:
|
telemetry:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
|
|
||||||
|
|
@ -11,6 +11,12 @@ spec:
|
||||||
any:
|
any:
|
||||||
- resources:
|
- resources:
|
||||||
kinds: ["Pod"]
|
kinds: ["Pod"]
|
||||||
|
exclude:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
namespaceSelector:
|
||||||
|
matchLabels:
|
||||||
|
policy.home.arpa/allow-hostpath: "true"
|
||||||
|
|
||||||
validate:
|
validate:
|
||||||
message: "hostPath volumes are not allowed (escape risk)."
|
message: "hostPath volumes are not allowed (escape risk)."
|
||||||
|
|
|
||||||
|
|
@ -9,7 +9,7 @@ metadata:
|
||||||
policies.kyverno.io/description: >-
|
policies.kyverno.io/description: >-
|
||||||
Automatically provisions a baseline CiliumNetworkPolicy
|
Automatically provisions a baseline CiliumNetworkPolicy
|
||||||
with default deny ingress and controlled DNS egress.
|
with default deny ingress and controlled DNS egress.
|
||||||
argocd.argoproj.io/sync-options: Force=true,Replace=true
|
argocd.argoproj.io/sync-options: Replace=true
|
||||||
|
|
||||||
spec:
|
spec:
|
||||||
background: true
|
background: true
|
||||||
|
|
@ -55,6 +55,8 @@ spec:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
security-tier: baseline
|
security-tier: baseline
|
||||||
|
annotations:
|
||||||
|
argocd.argoproj.io/sync-options: Prune=false
|
||||||
|
|
||||||
spec:
|
spec:
|
||||||
endpointSelector: {}
|
endpointSelector: {}
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,21 @@
|
||||||
|
apiVersion: cilium.io/v1alpha1
|
||||||
|
kind: TracingPolicy
|
||||||
|
metadata:
|
||||||
|
name: audit-network-connections
|
||||||
|
annotations:
|
||||||
|
security-tier: audit-baseline
|
||||||
|
description: "Logs outound TCP connections at the kernel level."
|
||||||
|
spec:
|
||||||
|
kprobes:
|
||||||
|
- call: "tcp_connect"
|
||||||
|
syscall: false
|
||||||
|
args:
|
||||||
|
- index: 0
|
||||||
|
type: "sock"
|
||||||
|
selectors:
|
||||||
|
- matchArgs:
|
||||||
|
- index: 0
|
||||||
|
operator: "NotDAddr"
|
||||||
|
values:
|
||||||
|
- "127.0.0.1"
|
||||||
|
- "::1"
|
||||||
|
|
@ -0,0 +1,23 @@
|
||||||
|
apiVersion: cilium.io/v1alpha1
|
||||||
|
kind: TracingPolicy
|
||||||
|
metadata:
|
||||||
|
name: audit-process-execution
|
||||||
|
annotations:
|
||||||
|
security-tier: audit-baseline
|
||||||
|
description: "Logs all process executions (sys_execve) for cluster-wide visibility."
|
||||||
|
spec:
|
||||||
|
kprobes:
|
||||||
|
- call: "sys_execve"
|
||||||
|
syscall: true
|
||||||
|
args:
|
||||||
|
- index: 0
|
||||||
|
type: "string"
|
||||||
|
- index: 1
|
||||||
|
type: "string_array"
|
||||||
|
selectors:
|
||||||
|
- matchPIDs:
|
||||||
|
- operator: NotIn
|
||||||
|
followForks: true
|
||||||
|
isNamespacePID: true
|
||||||
|
values:
|
||||||
|
- 1
|
||||||
|
|
@ -0,0 +1,9 @@
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- audit-process-execution.yaml
|
||||||
|
- audit-network-connections.yaml
|
||||||
|
|
||||||
|
commonAnnotations:
|
||||||
|
argocd.argoproj.io/sync-wave: "1"
|
||||||
|
|
@ -2,11 +2,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
kind: Kustomization
|
kind: Kustomization
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
- tracingpolicy-shell-spawn.yaml
|
- 10-audit-baseline
|
||||||
- tracingpolicy-network-connections.yaml
|
# - 20-enforce-execution
|
||||||
- tracingpolicy-sensitive-binaries.yaml
|
# - 30-enforce-fim
|
||||||
- tracingpolicy-privilege-escalation.yaml
|
# - 40-enforce-network
|
||||||
- tracingpolicy-sensitive-file-access.yaml
|
# - 50-enforce-privilege
|
||||||
|
|
||||||
commonLabels:
|
commonLabels:
|
||||||
app.kubernetes.io/part-of: tetragon-policies
|
app.kubernetes.io/part-of: tetragon-policies
|
||||||
|
|
|
||||||
|
|
@ -1,8 +0,0 @@
|
||||||
apiVersion: cilium.io/v1alpha1
|
|
||||||
kind: TracingPolicy
|
|
||||||
metadata:
|
|
||||||
name: detect-network-connections
|
|
||||||
spec:
|
|
||||||
tracepoints:
|
|
||||||
- subsystem: tcp
|
|
||||||
event: tcp_connect
|
|
||||||
|
|
@ -1,9 +0,0 @@
|
||||||
apiVersion: cilium.io/v1alpha1
|
|
||||||
kind: TracingPolicy
|
|
||||||
metadata:
|
|
||||||
name: detect-privilege-escalation
|
|
||||||
spec:
|
|
||||||
kprobes:
|
|
||||||
- call: "commit_creds"
|
|
||||||
syscall: false
|
|
||||||
return: true
|
|
||||||
|
|
@ -1,29 +0,0 @@
|
||||||
apiVersion: cilium.io/v1alpha1
|
|
||||||
kind: TracingPolicy
|
|
||||||
metadata:
|
|
||||||
name: detect-sensitive-binary-execution
|
|
||||||
spec:
|
|
||||||
kprobes:
|
|
||||||
- call: "security_bprm_check"
|
|
||||||
syscall: false
|
|
||||||
|
|
||||||
selectors:
|
|
||||||
- matchBinaries:
|
|
||||||
- operator: In
|
|
||||||
values:
|
|
||||||
- /usr/bin/curl
|
|
||||||
- /usr/bin/wget
|
|
||||||
- /usr/bin/nc
|
|
||||||
- /usr/bin/netcat
|
|
||||||
- /usr/bin/nmap
|
|
||||||
- /usr/bin/socat
|
|
||||||
- /usr/bin/ssh
|
|
||||||
- /usr/sbin/iptables
|
|
||||||
- /usr/bin/apt
|
|
||||||
- /usr/bin/apt-get
|
|
||||||
|
|
||||||
args:
|
|
||||||
- index: 0
|
|
||||||
type: string
|
|
||||||
|
|
||||||
return: true
|
|
||||||
|
|
@ -1,25 +0,0 @@
|
||||||
apiVersion: cilium.io/v1alpha1
|
|
||||||
kind: TracingPolicy
|
|
||||||
metadata:
|
|
||||||
name: detect-sensitive-file-access
|
|
||||||
spec:
|
|
||||||
kprobes:
|
|
||||||
- call: "security_file_open"
|
|
||||||
syscall: false
|
|
||||||
|
|
||||||
selectors:
|
|
||||||
- matchArgs:
|
|
||||||
- index: 0
|
|
||||||
operator: Prefix
|
|
||||||
values:
|
|
||||||
- /etc/shadow
|
|
||||||
- /etc/passwd
|
|
||||||
- /root
|
|
||||||
- /proc/kcore
|
|
||||||
- /var/run/secrets/kubernetes.io
|
|
||||||
|
|
||||||
args:
|
|
||||||
- index: 0
|
|
||||||
type: string
|
|
||||||
|
|
||||||
return: true
|
|
||||||
|
|
@ -1,24 +0,0 @@
|
||||||
apiVersion: cilium.io/v1alpha1
|
|
||||||
kind: TracingPolicy
|
|
||||||
metadata:
|
|
||||||
name: detect-shell-spawn
|
|
||||||
spec:
|
|
||||||
kprobes:
|
|
||||||
- call: "security_bprm_check"
|
|
||||||
syscall: false
|
|
||||||
|
|
||||||
selectors:
|
|
||||||
- matchBinaries:
|
|
||||||
- operator: In
|
|
||||||
values:
|
|
||||||
- /bin/sh
|
|
||||||
- /bin/bash
|
|
||||||
- /bin/dash
|
|
||||||
- /bin/ash
|
|
||||||
- /busybox/sh
|
|
||||||
|
|
||||||
args:
|
|
||||||
- index: 0
|
|
||||||
type: string
|
|
||||||
|
|
||||||
return: true
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue