From 933b93da762f88b4e760abcd9c26b339d0d2eb35 Mon Sep 17 00:00:00 2001 From: gwg313 Date: Mon, 18 May 2026 18:39:13 -0400 Subject: [PATCH] add tekton 
Signed-off-by: gwg313 --- apps/kustomization.yaml | 1 + apps/tekton/kustomization.yaml | 6 +++ {yopass => apps/yopass}/deployment.yaml | 4 +- apps/yopass/kustomization.yaml | 8 ++++ apps/yopass/network-policy.yaml | 17 ++++++++ apps/yopass/route.yaml | 38 +++++++++++++++++ {yopass => apps/yopass}/service.yaml | 0 management/platform-apps/kustomization.yaml | 2 + .../platform-apps/kyverno-policies.yaml | 1 + management/platform-apps/tekton.yaml | 22 ++++++++++ management/platform-apps/woodpecker.yaml | 23 +++++++++++ management/platform-apps/yopass.yaml | 23 +++++++++++ .../kyverno/policies/disallow-latest-tag.yaml | 11 +++++ .../generate-ns-network-baseline.yaml | 2 + .../policies/require-requests-limits.yaml | 2 + woodpecker/certificate.yaml | 12 ------ woodpecker/gateway.yaml | 18 -------- woodpecker/route.yaml | 41 +++++++++++++++++++ woodpecker/service.yaml | 11 ----- woodpecker/virtualservice.yaml | 16 -------- yopass/certificate.yaml | 13 ------ yopass/gateway.yaml | 19 --------- yopass/virtualservice.yaml | 20 --------- 23 files changed, 199 insertions(+), 111 deletions(-) create mode 100644 apps/tekton/kustomization.yaml rename {yopass => apps/yopass}/deployment.yaml (92%) create mode 100644 apps/yopass/kustomization.yaml create mode 100644 apps/yopass/network-policy.yaml create mode 100644 apps/yopass/route.yaml rename {yopass => apps/yopass}/service.yaml (100%) create mode 100644 management/platform-apps/tekton.yaml create mode 100644 management/platform-apps/woodpecker.yaml create mode 100644 management/platform-apps/yopass.yaml delete mode 100644 woodpecker/certificate.yaml delete mode 100644 woodpecker/gateway.yaml create mode 100644 woodpecker/route.yaml delete mode 100644 woodpecker/service.yaml delete mode 100644 woodpecker/virtualservice.yaml delete mode 100644 yopass/certificate.yaml delete mode 100644 yopass/gateway.yaml delete mode 100644 yopass/virtualservice.yaml 
diff --git a/apps/kustomization.yaml b/apps/kustomization.yaml
index f14150d..7f8bbdd 100644
--- a/apps/kustomization.yaml
+++ b/apps/kustomization.yaml
@@ -3,4 +3,5 @@ kind: Kustomization
resources:
- forgejo
+ - woodpecker
- navidrome
diff --git a/apps/tekton/kustomization.yaml b/apps/tekton/kustomization.yaml
new file mode 100644
index 0000000..57bb294
--- /dev/null
+++ b/apps/tekton/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
+ - https://storage.googleapis.com/tekton-releases/dashboard/latest/release.yaml
diff --git a/yopass/deployment.yaml b/apps/yopass/deployment.yaml
similarity index 92%
rename from yopass/deployment.yaml
rename to apps/yopass/deployment.yaml
index 2a26630..67d8dfe 100644
--- a/yopass/deployment.yaml
+++ b/apps/yopass/deployment.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: yopass
- image: jhaals/yopass
+ image: jhaals/yopass:13.1.0
args:
- "--memcached=localhost:11211"
ports:
@@ -28,7 +28,7 @@ spec:
cpu: 100m
memory: 50Mi
- name: yopass-memcached
- image: memcached
+ image: memcached:trixie
resources:
limits:
cpu: 100m
diff --git a/apps/yopass/kustomization.yaml b/apps/yopass/kustomization.yaml
new file mode 100644
index 0000000..64f46ad
--- /dev/null
+++ b/apps/yopass/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - deployment.yaml
+ - network-policy.yaml
+ - route.yaml
+ - service.yaml
diff --git a/apps/yopass/network-policy.yaml b/apps/yopass/network-policy.yaml
new file mode 100644
index 0000000..f3ade06
--- /dev/null
+++ b/apps/yopass/network-policy.yaml
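Review bot: Adding `woodpecker` to `apps/kustomization.yaml` while this same commit also creates an Argo `Application` named `woodpecker` with `path: apps/woodpecker` (management/platform-apps/woodpecker.yaml) looks like it puts one set of manifests under two owners. If `apps/kustomization.yaml` is itself synced by an Application, both would manage the same objects with `prune: true` and `selfHeal: true` and can fight over them. Note also that the woodpecker manifests this commit touches live under the top-level `woodpecker/` directory, not `apps/woodpecker/`; unless that directory already exists outside this commit, the new resource entry will not resolve. Either drop the entry here or drop the standalone Application, so one path owns woodpecker.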
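Review bot: Both remote resources in `apps/tekton/kustomization.yaml` point at `.../latest/release.yaml`, so the Tekton controller, its CRDs and its cluster-wide RBAC are whatever upstream publishes at sync time, and with `automated`/`selfHeal` on the matching Application (management/platform-apps/tekton.yaml) an upstream republish is applied without review and shows up as unexplained drift. This is the same unpinned pattern the repo's own `disallow-latest-tag` policy forbids for images. Pin each to a released version, e.g. `- https://storage.googleapis.com/tekton-releases/pipeline/previous/<PINNED_VERSION>/release.yaml` (placeholder version) and likewise for the dashboard, and bump them deliberately.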
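Review bot: In the second deployment hunk `memcached:trixie` is a floating distro-codename tag that is rebuilt in place, so the image still changes underneath the Deployment between syncs; it satisfies `disallow-latest-tag` mechanically but not its stated intent ("a specific version semantic tag"). The first hunk's `jhaals/yopass:13.1.0` is the right shape. Use a versioned variant such as `image: memcached:<VERSION>-trixie` (placeholder) or a digest pin so both containers are reproducible.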
@@ -0,0 +1,17 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-ingress
+ namespace: yopass
+spec:
+ endpointSelector:
+ matchLabels:
+ app: yopass
+
+ ingress:
+ - fromEntities:
+ - ingress
+ toPorts:
+ - ports:
+ - port: "1337"
+ protocol: TCP
diff --git a/apps/yopass/route.yaml b/apps/yopass/route.yaml
new file mode 100644
index 0000000..4c4bdad
--- /dev/null
+++ b/apps/yopass/route.yaml
@@ -0,0 +1,38 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: yopass
+ namespace: yopass
+spec:
+ parentRefs:
+ - name: shared-edge-gateway
+ namespace: cilium-ingress
+ hostnames:
+ - pastebin.gwg313.xyz
+ - pastebin.local.gwg313.xyz
+ - pastebin.zerotier.gwg313.xyz
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - name: yopass
+ port: 1337
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+ name: allow-gateway-to-yopass
+ namespace: yopass
+
+spec:
+ from:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ namespace: cilium-ingress
+
+ to:
+ - group: ""
+ kind: Service
+ name: yopass
diff --git a/yopass/service.yaml b/apps/yopass/service.yaml
similarity index 100%
rename from yopass/service.yaml
rename to apps/yopass/service.yaml
diff --git a/management/platform-apps/kustomization.yaml b/management/platform-apps/kustomization.yaml
index 3da3d20..2594e61 100644
--- a/management/platform-apps/kustomization.yaml
+++ b/management/platform-apps/kustomization.yaml
@@ -11,4 +11,6 @@ resources:
- monitoring.yaml
- nfs-subdir.yaml
- forgejo.yaml
+ - yopass.yaml
+ - tekton.yaml
- navidrome.yaml
diff --git a/management/platform-apps/kyverno-policies.yaml b/management/platform-apps/kyverno-policies.yaml
index 46be8cc..18e7d89 100644
--- a/management/platform-apps/kyverno-policies.yaml
+++ b/management/platform-apps/kyverno-policies.yaml
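Review bot: The CiliumNetworkPolicy declares only an `ingress` section, and Cilium enforces policy per direction, so the yopass pods (including the memcached sidecar) keep unrestricted egress while ingress becomes allow-listed to the `ingress` entity on 1337. If the namespace baseline generated by `generate-ns-network-baseline` is meant to supply the egress side, a comment saying so would stop the next reader from assuming this file is the complete policy; otherwise add an explicit `egress:` block here. Restricting ingress to the Cilium ingress entity is the right choice for a shared-gateway backend.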
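Review bot: The HTTPRoute's `parentRefs` entry names `shared-edge-gateway` without a `sectionName`, so the route attaches to every listener on that gateway that accepts it; if the shared gateway also exposes a plain-HTTP listener without a redirect, the secret-sharing UI becomes reachable over cleartext, which the deleted Istio `Gateway` (443/HTTPS only) did not allow. Pin the attachment with `sectionName: <HTTPS_LISTENER_NAME>` (placeholder; use the gateway's TLS listener name). Separately, `pastebin.zerotier.gwg313.xyz` is new relative to the deleted `yopass-cert` dnsNames, so confirm the shared gateway's certificate covers it. The same two points apply to `woodpecker/route.yaml` later in this patch.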
@@ -22,3 +22,4 @@ spec:
- CreateNamespace=false
- ServerSideApply=true
- Replace=true # <-- Policies have immutable fields so this helps deal with updates
+ - Force=true
diff --git a/management/platform-apps/tekton.yaml b/management/platform-apps/tekton.yaml
new file mode 100644
index 0000000..2b323fc
--- /dev/null
+++ b/management/platform-apps/tekton.yaml
@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: tekton-pipelines
+ namespace: argocd
+ annotations:
+ argoproj.io/sync-wave: "0"
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/gwg313/homelab-gitops.git
+ targetRevision: main
+ path: apps/tekton
+ destination:
+ server: https://kubernetes.default.svc
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
diff --git a/management/platform-apps/woodpecker.yaml b/management/platform-apps/woodpecker.yaml
new file mode 100644
index 0000000..a258cb4
--- /dev/null
+++ b/management/platform-apps/woodpecker.yaml
@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: woodpecker
+ namespace: argocd
+ annotations:
+ argoproj.io/sync-wave: "0"
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/gwg313/homelab-gitops.git
+ targetRevision: main
+ path: apps/woodpecker
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: woodpecker
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
diff --git a/management/platform-apps/yopass.yaml b/management/platform-apps/yopass.yaml
new file mode 100644
index 0000000..38f49ac
--- /dev/null
+++ b/management/platform-apps/yopass.yaml
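Review bot: Adding `Force=true` next to the existing `Replace=true` turns every out-of-sync policy update into a delete-and-recreate, so for the duration of each such sync the affected ClusterPolicy does not exist and its admission checks (`disallow-latest-tag`, `require-requests-limits`) are not enforced; generate-type policies may also re-fire on recreate. The existing comment explains `Replace=true` but nothing records that this window was accepted. If the immutable-field problem really needs it, annotate it, e.g. `- Force=true # <-- delete+recreate: policy is unenforced for the duration of the sync`; otherwise prefer leaving Force off and handling immutable-field changes with an explicit rename.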
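Review bot: `project: default` in management/platform-apps/tekton.yaml (and likewise in woodpecker.yaml here and yopass.yaml on the next hunk) places these Applications in Argo's built-in project, which allows any source repository and any cluster-scoped resource kind at any destination; combined with automated sync this gives each Application effectively unrestricted cluster write. That matters most for tekton, whose upstream release manifests carry CRDs and cluster-wide RBAC. Define a dedicated AppProject whose `sourceRepos` lists only this repository and whose `clusterResourceWhitelist`/`destinations` are limited to what each app needs, and reference it here instead of `default`. Also note tekton.yaml omits `destination.namespace` while the other two set it; that is presumably deliberate because the release manifests carry their own namespaces, but a one-line comment would make that explicit.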
@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: yopass
+ namespace: argocd
+ annotations:
+ argoproj.io/sync-wave: "0"
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/gwg313/homelab-gitops.git
+ targetRevision: main
+ path: apps/yopass
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: yopass
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
diff --git a/platform/kyverno/policies/disallow-latest-tag.yaml b/platform/kyverno/policies/disallow-latest-tag.yaml
index 5af0d94..f794b83 100644
--- a/platform/kyverno/policies/disallow-latest-tag.yaml
+++ b/platform/kyverno/policies/disallow-latest-tag.yaml
@@ -12,6 +12,17 @@ spec:
- resources:
kinds:
- Pod
+ exclude:
+ any:
+ - resources:
+ selector:
+ matchExpressions:
+ - key: app.kubernetes.io/managed-by
+ operator: In
+ values:
+ - tekton-pipelines
+ - key: tekton.dev/task
+ operator: Exists
validate:
message: "Using the 'latest' tag or omitting image tags is forbidden. Use a specific version semantic tag."
foreach:
diff --git a/platform/kyverno/policies/generate-ns-network-baseline.yaml b/platform/kyverno/policies/generate-ns-network-baseline.yaml
index 0ab73a5..c7de5eb 100644
--- a/platform/kyverno/policies/generate-ns-network-baseline.yaml
+++ b/platform/kyverno/policies/generate-ns-network-baseline.yaml
@@ -30,6 +30,8 @@ spec:
- sealed-secrets
- nfs-subdir-external-provisioner
- monitoring
+ - tekton-pipelines-resolvers
+ - tekton-pipelines
generate:
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
diff --git a/platform/kyverno/policies/require-requests-limits.yaml b/platform/kyverno/policies/require-requests-limits.yaml
index 63f5c11..8294fb3 100644
--- a/platform/kyverno/policies/require-requests-limits.yaml
+++ b/platform/kyverno/policies/require-requests-limits.yaml
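Review bot: The new `exclude` in disallow-latest-tag.yaml is purely label-based, so any Pod carrying `app.kubernetes.io/managed-by=tekton-pipelines` plus a `tekton.dev/task` label is exempt regardless of who created it, and pod labels are chosen by whoever creates the Pod. It also exempts precisely the images that matter most here: Tekton step containers run the images named in Task/TaskRun specs, so the tag check is removed at the point where user-supplied images enter the cluster. If the goal is only to let the Tekton controller's own pods through, scope the exclusion to its identity instead, e.g. `exclude.any[].subjects` with `kind: ServiceAccount`, `name: <TEKTON_CONTROLLER_SA>`, `namespace: tekton-pipelines` (placeholder SA name), and keep the tag rule applied to step images; if the exemption is intentional, say so in a comment above `exclude:`. The rule's `foreach:` body continues outside this hunk.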
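Review bot: Excluding `tekton-pipelines` and `tekton-pipelines-resolvers` from generate-ns-network-baseline.yaml means no baseline CiliumNetworkPolicy is generated for the Tekton control plane, which is the component holding cluster-wide Pod-creation RBAC and therefore the one most worth fencing. If the generated baseline breaks Tekton's webhook or resolver traffic, a hand-written CiliumNetworkPolicy in `apps/tekton` that allows those specific flows is safer than a blanket exemption. The parallel exclusion in require-requests-limits.yaml (next hunk) presumably exists because the upstream release manifests do not declare limits; a short comment above the two new entries in each file stating the reason would keep these exemptions reviewable.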
@@ -34,6 +34,8 @@ spec:
- sealed-secrets
- nfs-subdir-external-provisioner
- monitoring
+ - tekton-pipelines-resolvers
+ - tekton-pipelines
validate:
message: "Resource discipline violation: Containers must declare cpu/memory requests and limits."
pattern:
diff --git a/woodpecker/certificate.yaml b/woodpecker/certificate.yaml
deleted file mode 100644
index ebd064c..0000000
--- a/woodpecker/certificate.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: woodpecker-cert
- namespace: istio-system
-spec:
- secretName: woodpecker-cert
- issuerRef:
- name: letsencrypt-dns
- kind: ClusterIssuer
- dnsNames:
- - ci.gwg313.xyz
diff --git a/woodpecker/gateway.yaml b/woodpecker/gateway.yaml
deleted file mode 100644
index c77e25f..0000000
--- a/woodpecker/gateway.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: networking.istio.io/v1beta1
-kind: Gateway
-metadata:
- name: woodpecker-gateway
- namespace: woodpecker
-spec:
- selector:
- istio: gateway
- servers:
- - port:
- number: 443
- name: https
- protocol: HTTPS
- tls:
- mode: SIMPLE
- credentialName: woodpecker-cert
- hosts:
- - ci.gwg313.xyz
diff --git a/woodpecker/route.yaml b/woodpecker/route.yaml
new file mode 100644
index 0000000..cc89918
--- /dev/null
+++ b/woodpecker/route.yaml
@@ -0,0 +1,41 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: woodpecker
+ namespace: woodpecker
+spec:
+ parentRefs:
+ - name: shared-edge-gateway
+ namespace: cilium-ingress
+
+ hostnames:
+ - ci.local.gwg313.xyz
+ - ci.gwg313.xyz
+ - ci.zerotier.gwg313.xyz
+
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - name: woodpecker-server
+ port: 80
+
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+ name: allow-gateway-to-woodpecker
+ namespace: woodpecker
+
+spec:
+ from:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ namespace: cilium-ingress
+
+ to:
+ - group: ""
+ kind: Service
+ name: woodpecker-server
diff --git a/woodpecker/service.yaml b/woodpecker/service.yaml
deleted file mode 100644
index 3f0258e..0000000
--- a/woodpecker/service.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: woodpecker
- namespace: woodpecker
-spec:
- selector:
- app: woodpecker
- ports:
- - port: 80
- targetPort: 8000
diff --git a/woodpecker/virtualservice.yaml b/woodpecker/virtualservice.yaml
deleted file mode 100644
index 3168fb7..0000000
--- a/woodpecker/virtualservice.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: networking.istio.io/v1beta1
-kind: VirtualService
-metadata:
- name: woodpecker
- namespace: woodpecker
-spec:
- gateways:
- - woodpecker-gateway
- hosts:
- - ci.gwg313.xyz
- http:
- - route:
- - destination:
- host: woodpecker-server
- port:
- number: 80
diff --git a/yopass/certificate.yaml b/yopass/certificate.yaml
deleted file mode 100644
index e9c905b..0000000
--- a/yopass/certificate.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: yopass-cert
- namespace: istio-system
-spec:
- secretName: yopass-cert
- issuerRef:
- name: letsencrypt-dns
- kind: ClusterIssuer
- dnsNames:
- - pastebin.local.gwg313.xyz
- - pastebin.gwg313.xyz
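Review bot: `woodpecker/route.yaml` is created under the top-level `woodpecker/` directory, alongside files this commit deletes, while the new Argo Application for woodpecker syncs `apps/woodpecker`; unless the top-level directory is referenced from somewhere not in this patch, the HTTPRoute and ReferenceGrant will never be applied and the CI host loses its edge route entirely once the Istio Gateway/VirtualService are pruned. Move the file to `apps/woodpecker/route.yaml` and list it in that directory's kustomization, or add a comment at the top of this file saying what includes it. The deleted `woodpecker/service.yaml` exposed a Service named `woodpecker`, whereas the route's `backendRefs` target `woodpecker-server`; that is consistent with the old VirtualService but worth confirming the Service still exists after the deletion.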
diff --git a/yopass/gateway.yaml b/yopass/gateway.yaml
deleted file mode 100644
index 5b7167a..0000000
--- a/yopass/gateway.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: networking.istio.io/v1beta1
-kind: Gateway
-metadata:
- name: yopass-gateway
- namespace: yopass
-spec:
- selector:
- istio: gateway
- servers:
- - port:
- number: 443
- name: https
- protocol: HTTPS
- tls:
- mode: SIMPLE
- credentialName: yopass-cert
- hosts:
- - pastebin.gwg313.xyz
- - pastebin.local.gwg313.xyz
diff --git a/yopass/virtualservice.yaml b/yopass/virtualservice.yaml
deleted file mode 100644
index 9827afa..0000000
--- a/yopass/virtualservice.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: networking.istio.io/v1beta1
-kind: VirtualService
-metadata:
- name: yopass
- namespace: yopass
-spec:
- hosts:
- - pastebin.gwg313.xyz
- - pastebin.local.gwg313.xyz
- gateways:
- - yopass-gateway
- http:
- - match:
- - uri:
- prefix: /
- route:
- - destination:
- host: yopass
- port:
- number: 1337