From cebf8d3e223ba93168425dd6101f9137902168bd Mon Sep 17 00:00:00 2001
From: gwg313
Date: Fri, 24 Apr 2026 17:52:12 -0400
Subject: [PATCH] update woodpecker namespace security
---
 apps/woodpecker.yaml | 2 +-
 woodpecker/namespace.yaml | 6 ------
 woodpecker/storage.yaml | 23 ++++++++++++++++-------
 woodpecker/woodpecker-cache.yaml | 10 +++++-----
 4 files changed, 22 insertions(+), 19 deletions(-)
 delete mode 100644 woodpecker/namespace.yaml
diff --git a/apps/woodpecker.yaml b/apps/woodpecker.yaml
index 0a9f7a0..c00ad09 100644
--- a/apps/woodpecker.yaml
+++ b/apps/woodpecker.yaml
@@ -8,7 +8,7 @@ spec:
 source:
 repoURL: https://woodpecker-ci.org/
 chart: woodpecker
- targetRevision: 3.2.0
+ targetRevision: 3.5.1
 helm:
 releaseName: woodpecker
 values: "server:\n env:\n WOODPECKER_HOST: \"https://ci.gwg313.xyz\"\n extraSecretNamesForEnvFrom:\n - woodpecker-server-secrets\n persistentVolume:\n enabled: true\n existingClaim: woodpecker-server-pvc5\n\nagent:\n enabled: true\n replicaCount: 1\n extraSecretNamesForEnvFrom:\n - woodpecker-agent-secrets\n env:\n WOODPECKER_SERVER: \"woodpecker-server:9000\"\n WOODPECKER_MAX_WORKFLOWS: \"5\"\n persistence:\n enabled: true\n existingClaim: woodpecker-agent-pvc5\n securityContext:\n privileged: true \n"
diff --git a/woodpecker/namespace.yaml b/woodpecker/namespace.yaml
deleted file mode 100644
index 21e03f0..0000000
--- a/woodpecker/namespace.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: woodpecker
- labels:
- pod-security.kubernetes.io/enforce: "baseline"
diff --git a/woodpecker/storage.yaml b/woodpecker/storage.yaml
index 640eaea..b15c8bd 100644
--- a/woodpecker/storage.yaml
+++ b/woodpecker/storage.yaml
@@ -7,7 +7,7 @@ spec:
 storage: 10Gi
 accessModes:
 - ReadWriteOnce
- storageClassName: ""
+ storageClassName: "iscsi-manual"
 persistentVolumeReclaimPolicy: Retain
 volumeMode: Filesystem
 iscsi:
@@ -21,6 +21,9 @@ spec:
 secretRef:
 name: woodpecker-iscsi-auth
 namespace: woodpecker
+ claimRef:
+ name: woodpecker-agent-pvc5
+ namespace: woodpecker
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
@@ -30,7 +33,7 @@ metadata:
 spec:
 accessModes:
 - ReadWriteOnce
- storageClassName: ""
+ storageClassName: "iscsi-manual"
 volumeName: woodpecker-agent-pv5
 resources:
 requests:
@@ -45,7 +48,7 @@ spec:
 storage: 10Gi
 accessModes:
 - ReadWriteOnce
- storageClassName: ""
+ storageClassName: "iscsi-manual"
 persistentVolumeReclaimPolicy: Retain
 volumeMode: Filesystem
 iscsi:
@@ -59,6 +62,9 @@ spec:
 secretRef:
 name: woodpecker-iscsi-auth
 namespace: woodpecker
+ claimRef:
+ name: woodpecker-server-pvc5
+ namespace: woodpecker
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
@@ -68,7 +74,7 @@ metadata:
 spec:
 accessModes:
 - ReadWriteOnce
- storageClassName: ""
+ storageClassName: "iscsi-manual"
 volumeName: woodpecker-server-pv5
 resources:
 requests:
@@ -84,7 +90,7 @@ spec:
 accessModes:
 - ReadWriteOnce
 volumeMode: Filesystem
- storageClassName: ""
+ storageClassName: "iscsi-manual"
 persistentVolumeReclaimPolicy: Retain
 iscsi:
 targetPortal: truenas.local.gwg313.xyz
@@ -97,6 +103,9 @@ spec:
 secretRef:
 name: woodpecker-iscsi-auth
 namespace: woodpecker
+ claimRef:
+ name: data-woodpecker-server-0
+ namespace: woodpecker
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
@@ -107,8 +116,8 @@ spec:
 accessModes:
 - ReadWriteOnce
 volumeMode: Filesystem
+ storageClassName: "iscsi-manual"
+ volumeName: data-woodpecker-server-0
 resources:
 requests:
 storage: 10Gi
- volumeName: data-woodpecker-server-0
- storageClassName: "" # must match PV
diff --git a/woodpecker/woodpecker-cache.yaml b/woodpecker/woodpecker-cache.yaml
index 6a988dc..16fd880 100644
--- a/woodpecker/woodpecker-cache.yaml
+++ b/woodpecker/woodpecker-cache.yaml
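Review bot: The `claimRef` added to the PersistentVolume in the hunk at -21,6 (and likewise at -59,6 and -97,6) carries no comment saying why it is there, although it is the line that reserves each `Retain` volume for a single claim, so no other PVC of matching class and size can bind it first. I would put a comment above each one, for example `# pre-bind: only woodpecker/woodpecker-agent-pvc5 may claim this volume`. If these volumes are already bound, the live object's claimRef presumably also holds the claim's uid, and a recreated PVC will not rebind until that uid is cleared; that is worth a second comment line. The PV spec starts outside the hunk.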
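Review bot: The `storageClassName` change on the PersistentVolumeClaim in the hunk at -30,7 (and again at -68,7 and -107,8) edits a field Kubernetes treats as immutable once a claim exists, so if these claims are already deployed with `""` the update will most likely be rejected and the apply will fail. The claims would have to be deleted and recreated, which is safe for the data only because the volumes are `Retain`. I would record that next to the field, for example `# immutable after creation: changing this means delete + recreate of the PVC`. The hunk at -107,8 also drops the old `# must match PV` comment, which is still true and worth keeping as `storageClassName: "iscsi-manual" # must match PV`. Each PVC's metadata lies outside its hunk.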
@@ -4,14 +4,14 @@ metadata:
 name: wp-cache-pv1
 spec:
 capacity:
- storage: 1Gi
+ storage: 5Gi
 accessModes:
 - ReadWriteMany
 persistentVolumeReclaimPolicy: Retain
- storageClassName: manual-nfs
- nfs:
- server: truenas.local.gwg313.xyz
- path: /mnt/tank/k8s/democratic/woodpecker-cache
+ # storageClassName: manual-nfs
+ # nfs:
+ # server: truenas.local.gwg313.xyz
+ # path: /mnt/tank/k8s/democratic/woodpecker-cache
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
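Review bot: With `nfs:` and its `server`/`path` commented out, the `wp-cache-pv1` spec in this hunk is left with capacity, access modes and a reclaim policy but no volume source, and the API server rejects a PersistentVolume that does not specify one. Commenting out `storageClassName: manual-nfs` also leaves the PV in the empty class, which would not match a claim that still asks for `manual-nfs`; the PVC that follows continues outside the hunk, so this is not confirmed here. If the cache is moving to another backend, delete the whole PV document rather than leaving a commented-out shell; otherwise restore the four lines as they were. Either way, a one-line comment such as `# cache volume is provisioned by <storage class placeholder>` would tell the next reader where the volume now comes from.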