add tekton

Signed-off-by: gwg313 <gwg313@pm.me>

apps/kustomization.yaml

@@ -3,4 +3,5 @@ kind: Kustomization
 
 resources:
   - forgejo
+  - woodpecker
   - navidrome

apps/tekton/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
+  - https://storage.googleapis.com/tekton-releases/dashboard/latest/release.yaml

apps/yopass/deployment.yaml

@@ -14,7 +14,7 @@ spec:
     spec:
       containers:
         - name: yopass
-          image: jhaals/yopass
+          image: jhaals/yopass:13.1.0
           args:
             - "--memcached=localhost:11211"
           ports:
@@ -28,7 +28,7 @@ spec:
               cpu: 100m
               memory: 50Mi
         - name: yopass-memcached
-          image: memcached
+          image: memcached:trixie
           resources:
             limits:
               cpu: 100m

apps/yopass/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - deployment.yaml
+  - network-policy.yaml
+  - route.yaml
+  - service.yaml

apps/yopass/network-policy.yaml

@@ -0,0 +1,17 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-ingress
+  namespace: yopass
+spec:
+  endpointSelector:
+    matchLabels:
+      app: yopass
+
+  ingress:
+    - fromEntities:
+        - ingress
+      toPorts:
+        - ports:
+            - port: "1337"
+              protocol: TCP

apps/yopass/route.yaml

@@ -0,0 +1,38 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: yopass
+  namespace: yopass
+spec:
+  parentRefs:
+    - name: shared-edge-gateway
+      namespace: cilium-ingress
+  hostnames:
+    - pastebin.gwg313.xyz
+    - pastebin.local.gwg313.xyz
+    - pastebin.zerotier.gwg313.xyz
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      backendRefs:
+        - name: yopass
+          port: 1337
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+  name: allow-gateway-to-yopass
+  namespace: yopass
+
+spec:
+  from:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      namespace: cilium-ingress
+
+  to:
+    - group: ""
+      kind: Service
+      name: yopass

management/platform-apps/kustomization.yaml

@@ -11,4 +11,6 @@ resources:
   - monitoring.yaml
   - nfs-subdir.yaml
   - forgejo.yaml
+  - yopass.yaml
+  - tekton.yaml
   - navidrome.yaml

management/platform-apps/kyverno-policies.yaml

@@ -22,3 +22,4 @@ spec:
       - CreateNamespace=false
       - ServerSideApply=true
       - Replace=true # <-- Policies have immutable fields so this helps deal with updates
+      - Force=true

management/platform-apps/tekton.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: tekton-pipelines
+  namespace: argocd
+  annotations:
+    argoproj.io/sync-wave: "0" 
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/gwg313/homelab-gitops.git
+    targetRevision: main
+    path: apps/tekton
+  destination:
+    server: https://kubernetes.default.svc
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true

management/platform-apps/woodpecker.yaml

@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: woodpecker
+  namespace: argocd
+  annotations:
+    argoproj.io/sync-wave: "0"
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/gwg313/homelab-gitops.git
+    targetRevision: main
+    path: apps/woodpecker
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: woodpecker
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true

management/platform-apps/yopass.yaml

@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: yopass
+  namespace: argocd
+  annotations:
+    argoproj.io/sync-wave: "0"
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/gwg313/homelab-gitops.git
+    targetRevision: main
+    path: apps/yopass
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: yopass
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true

platform/kyverno/policies/disallow-latest-tag.yaml

@@ -12,6 +12,17 @@ spec:
           - resources:
               kinds:
                 - Pod
+      exclude:
+        any:
+          - resources:
+              selector:
+                matchExpressions:
+                  - key: app.kubernetes.io/managed-by
+                    operator: In
+                    values:
+                      - tekton-pipelines
+                  - key: tekton.dev/task
+                    operator: Exists
       validate:
         message: "Using the 'latest' tag or omitting image tags is forbidden. Use a specific version semantic tag."
         foreach:

platform/kyverno/policies/generate-ns-network-baseline.yaml

@@ -30,6 +30,8 @@ spec:
                 - sealed-secrets
                 - nfs-subdir-external-provisioner
                 - monitoring
+                - tekton-pipelines-resolvers
+                - tekton-pipelines
       generate:
         apiVersion: cilium.io/v2
         kind: CiliumNetworkPolicy

platform/kyverno/policies/require-requests-limits.yaml

@@ -34,6 +34,8 @@ spec:
                 - sealed-secrets
                 - nfs-subdir-external-provisioner
                 - monitoring
+                - tekton-pipelines-resolvers
+                - tekton-pipelines
       validate:
         message: "Resource discipline violation: Containers must declare cpu/memory requests and limits."
         pattern:

woodpecker/certificate.yaml

@@ -1,12 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: woodpecker-cert
-  namespace: istio-system
-spec:
-  secretName: woodpecker-cert
-  issuerRef:
-    name: letsencrypt-dns
-    kind: ClusterIssuer
-  dnsNames:
-    - ci.gwg313.xyz

woodpecker/gateway.yaml

@@ -1,18 +0,0 @@
-apiVersion: networking.istio.io/v1beta1
-kind: Gateway
-metadata:
-  name: woodpecker-gateway
-  namespace: woodpecker
-spec:
-  selector:
-    istio: gateway
-  servers:
-    - port:
-        number: 443
-        name: https
-        protocol: HTTPS
-      tls:
-        mode: SIMPLE
-        credentialName: woodpecker-cert
-      hosts:
-        - ci.gwg313.xyz

woodpecker/route.yaml

@@ -0,0 +1,41 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: woodpecker
+  namespace: woodpecker
+spec:
+  parentRefs:
+    - name: shared-edge-gateway
+      namespace: cilium-ingress
+
+  hostnames:
+    - ci.local.gwg313.xyz
+    - ci.gwg313.xyz
+    - ci.zerotier.gwg313.xyz
+
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      backendRefs:
+        - name: woodpecker-server
+          port: 80
+
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+  name: allow-gateway-to-woodpecker
+  namespace: woodpecker
+
+spec:
+  from:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      namespace: cilium-ingress
+
+  to:
+    - group: ""
+      kind: Service
+      name: woodpecker-server

woodpecker/service.yaml

@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: woodpecker
-  namespace: woodpecker
-spec:
-  selector:
-    app: woodpecker
-  ports:
-    - port: 80
-      targetPort: 8000

woodpecker/virtualservice.yaml

@@ -1,16 +0,0 @@
-apiVersion: networking.istio.io/v1beta1
-kind: VirtualService
-metadata:
-  name: woodpecker
-  namespace: woodpecker
-spec:
-  gateways:
-    - woodpecker-gateway
-  hosts:
-    - ci.gwg313.xyz
-  http:
-    - route:
-        - destination:
-            host: woodpecker-server
-            port:
-              number: 80

yopass/certificate.yaml

@@ -1,13 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: yopass-cert
-  namespace: istio-system
-spec:
-  secretName: yopass-cert
-  issuerRef:
-    name: letsencrypt-dns
-    kind: ClusterIssuer
-  dnsNames:
-    - pastebin.local.gwg313.xyz
-    - pastebin.gwg313.xyz

yopass/gateway.yaml

@@ -1,19 +0,0 @@
-apiVersion: networking.istio.io/v1beta1
-kind: Gateway
-metadata:
-  name: yopass-gateway
-  namespace: yopass
-spec:
-  selector:
-    istio: gateway
-  servers:
-    - port:
-        number: 443
-        name: https
-        protocol: HTTPS
-      tls:
-        mode: SIMPLE
-        credentialName: yopass-cert
-      hosts:
-        - pastebin.gwg313.xyz
-        - pastebin.local.gwg313.xyz

yopass/virtualservice.yaml

@@ -1,20 +0,0 @@
-apiVersion: networking.istio.io/v1beta1
-kind: VirtualService
-metadata:
-  name: yopass
-  namespace: yopass
-spec:
-  hosts:
-    - pastebin.gwg313.xyz
-    - pastebin.local.gwg313.xyz
-  gateways:
-    - yopass-gateway
-  http:
-    - match:
-        - uri:
-            prefix: /
-      route:
-        - destination:
-            host: yopass
-            port:
-              number: 1337