diff --git a/infrastructure/gitlab-runner/kustomization.yaml b/infrastructure/calico/kustomization.yaml similarity index 57% rename from infrastructure/gitlab-runner/kustomization.yaml rename to infrastructure/calico/kustomization.yaml index 5d1b88e8a2d9ca2c1fddd9f3294f835aabf0fe60..d9e0d9152f9a161e3303d26f1e69b6b28c85d956 100644 --- a/infrastructure/gitlab-runner/kustomization.yaml +++ b/infrastructure/calico/kustomization.yaml @@ -1,5 +1,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: openshift-operators +namespace: default resources: - - subscription.yaml + - repository.yaml + - release.yaml diff --git a/infrastructure/calico/release.yaml b/infrastructure/calico/release.yaml new file mode 100644 index 0000000000000000000000000000000000000000..2b328d83322c50cb6fbe188c07ca0e3f39af009a --- /dev/null +++ b/infrastructure/calico/release.yaml @@ -0,0 +1,15 @@ +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: calico + namespace: default +spec: + releaseName: calico + chart: + spec: + chart: tigera-operator + sourceRef: + kind: HelmRepository + name: projectcalico + version: v3.20.1 + interval: 15m diff --git a/infrastructure/calico/repository.yaml b/infrastructure/calico/repository.yaml new file mode 100644 index 0000000000000000000000000000000000000000..65fde274e1e5484e2866847002acb341797f9e37 --- /dev/null +++ b/infrastructure/calico/repository.yaml @@ -0,0 +1,7 @@ +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: projectcalico +spec: + interval: 30m + url: https://docs.projectcalico.org/charts diff --git a/infrastructure/cert-manager/kustomization.yaml b/infrastructure/cert-manager/kustomization.yaml index 5d1b88e8a2d9ca2c1fddd9f3294f835aabf0fe60..77c66d9c9fd9b5b4c4ea64ab34ce5cbe25e8df79 100644 --- a/infrastructure/cert-manager/kustomization.yaml +++ b/infrastructure/cert-manager/kustomization.yaml 
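Review bot: The HelmRelease for the tigera-operator chart in infrastructure/calico/release.yaml is placed in `namespace: default` (and the renamed calico kustomization sets the same namespace), so the CNI operator's release, its Secrets and its RBAC land in the cluster's catch-all user namespace rather than a dedicated one. Upstream runs this chart in its own `tigera-operator` namespace, and the cert-manager and kyverno directories in this same commit each add a namespace.yaml for exactly this reason. Consider the same here, either via a namespace.yaml plus `namespace: tigera-operator` in the kustomization, or via `spec.targetNamespace: tigera-operator` with `spec.install.createNamespace: true` on the HelmRelease.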
@@ -1,5 +1,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: openshift-operators +namespace: cert-manager resources: - - subscription.yaml + - namespace.yaml + - repository.yaml + - release.yaml diff --git a/infrastructure/cert-manager/namespace.yaml b/infrastructure/cert-manager/namespace.yaml new file mode 100644 index 0000000000000000000000000000000000000000..237888c1ca123fa65dd33ec48825b910f6b13f19 --- /dev/null +++ b/infrastructure/cert-manager/namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager + labels: + name: cert-manager diff --git a/infrastructure/cert-manager/release.yaml b/infrastructure/cert-manager/release.yaml new file mode 100644 index 0000000000000000000000000000000000000000..52ad9e957d3055bbfc2339bc45712abf13382239 --- /dev/null +++ b/infrastructure/cert-manager/release.yaml @@ -0,0 +1,17 @@ +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: cert-manager + namespace: cert-manager +spec: + releaseName: cert-manager + chart: + spec: + chart: cert-manager + sourceRef: + kind: HelmRepository + name: jetstack + version: v1.5.3 + interval: 5m + values: + installCRDs: true diff --git a/infrastructure/cert-manager/repository.yaml b/infrastructure/cert-manager/repository.yaml new file mode 100644 index 0000000000000000000000000000000000000000..5d4b5e87724af73da61d42ff22ac38b1097f9299 --- /dev/null +++ b/infrastructure/cert-manager/repository.yaml @@ -0,0 +1,7 @@ +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: jetstack +spec: + interval: 30m + url: https://charts.jetstack.io diff --git a/infrastructure/cert-manager/subscription.yaml b/infrastructure/cert-manager/subscription.yaml deleted file mode 100644 index 6244334b0f8fe7c118af0e14ab86a91756be5b01..0000000000000000000000000000000000000000 --- a/infrastructure/cert-manager/subscription.yaml +++ /dev/null 
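Review bot: `installCRDs: true` in infrastructure/cert-manager/release.yaml ties the cert-manager CRDs to the lifecycle of the Helm release, because the chart renders them as ordinary templates; deleting this HelmRelease therefore uninstalls the CRDs and, with them, every Certificate, Issuer and ClusterIssuer in the cluster. That is a common choice for Flux-managed cert-manager, but it deserves a comment at the values block so nobody removes or recreates the release casually: `# CRDs are owned by this release: uninstalling it deletes them and all Certificate/Issuer objects with them.` The exact pin `version: v1.5.3` is good and should stay a full version rather than a range.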
@@ -1,10 +0,0 @@ -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: cert-manager - namespace: openshift-operators -spec: - channel: stable - name: cert-manager - source: community-operators - sourceNamespace: openshift-marketplace diff --git a/infrastructure/gitlab-runner/subscription.yaml b/infrastructure/gitlab-runner/subscription.yaml deleted file mode 100644 index 8c35063ed8fdd6a58dd93d2df5fc93bef6228b92..0000000000000000000000000000000000000000 --- a/infrastructure/gitlab-runner/subscription.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: gitlab-runner-operator - namespace: openshift-operators -spec: - channel: stable - installPlanApproval: Automatic - name: gitlab-runner-operator - source: community-operators - sourceNamespace: openshift-marketplace diff --git a/infrastructure/hcloud-csi/hcloud-csi.yaml b/infrastructure/hcloud-csi/hcloud-csi.yaml deleted file mode 100644 index 9ec92d754679828146a2e4a42a7dda8fef06d937..0000000000000000000000000000000000000000 --- a/infrastructure/hcloud-csi/hcloud-csi.yaml +++ /dev/null 
@@ -1,341 +0,0 @@ ---- -apiVersion: storage.k8s.io/v1 -kind: CSIDriver -metadata: - name: csi.hetzner.cloud -spec: - attachRequired: true - podInfoOnMount: true - volumeLifecycleModes: - - Persistent ---- -kind: StorageClass -apiVersion: storage.k8s.io/v1 -metadata: - namespace: kube-system - name: hcloud-volumes -provisioner: csi.hetzner.cloud -volumeBindingMode: WaitForFirstConsumer -allowVolumeExpansion: true ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: hcloud-csi - namespace: kube-system ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: hcloud-csi -rules: - # attacher - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["csi.storage.k8s.io"] - resources: ["csinodeinfos"] - verbs: ["get", "list", "watch"] - - apiGroups: ["storage.k8s.io"] - resources: ["csinodes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - verbs: ["get", "list", "watch", "update", "patch"] - # provisioner - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list"] - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "create", "delete", "patch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims", "persistentvolumeclaims/status"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots"] - verbs: ["get", "list"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["get", "list"] - # node - - apiGroups: [""] - resources: ["events"] - verbs: ["get", "list", "watch", "create", "update", 
"patch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: hcloud-csi -subjects: - - kind: ServiceAccount - name: hcloud-csi - namespace: kube-system -roleRef: - kind: ClusterRole - name: hcloud-csi - apiGroup: rbac.authorization.k8s.io ---- -kind: StatefulSet -apiVersion: apps/v1 -metadata: - name: hcloud-csi-controller - namespace: kube-system -spec: - selector: - matchLabels: - app: hcloud-csi-controller - serviceName: hcloud-csi-controller - replicas: 1 - template: - metadata: - labels: - app: hcloud-csi-controller - spec: - serviceAccount: hcloud-csi - containers: - - name: csi-attacher - image: quay.io/k8scsi/csi-attacher:v2.2.0 - args: - - --csi-address=/var/lib/csi/sockets/pluginproxy/csi.sock - - --v=5 - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - securityContext: - privileged: true - capabilities: - add: ["SYS_ADMIN"] - allowPrivilegeEscalation: true - - name: csi-resizer - image: quay.io/k8scsi/csi-resizer:v0.3.0 - args: - - --csi-address=/var/lib/csi/sockets/pluginproxy/csi.sock - - --v=5 - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - securityContext: - privileged: true - capabilities: - add: ["SYS_ADMIN"] - allowPrivilegeEscalation: true - - name: csi-provisioner - image: quay.io/k8scsi/csi-provisioner:v1.6.0 - args: - - --provisioner=csi.hetzner.cloud - - --csi-address=/var/lib/csi/sockets/pluginproxy/csi.sock - - --feature-gates=Topology=true - - --v=5 - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - securityContext: - privileged: true - capabilities: - add: ["SYS_ADMIN"] - allowPrivilegeEscalation: true - - name: hcloud-csi-driver - image: image-registry.openshift-image-registry.svc:5000/kube-system/hcloud-csi-driver:latest - imagePullPolicy: Always - env: - - name: CSI_ENDPOINT - value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock - - name: METRICS_ENDPOINT - value: 0.0.0.0:9189 - - name: 
KUBE_NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: HCLOUD_TOKEN - valueFrom: - secretKeyRef: - name: hcloud-csi - key: token - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - ports: - - containerPort: 9189 - name: metrics - - name: healthz - containerPort: 9808 - protocol: TCP - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 10 - timeoutSeconds: 3 - periodSeconds: 2 - securityContext: - privileged: true - capabilities: - add: ["SYS_ADMIN"] - allowPrivilegeEscalation: true - - name: liveness-probe - imagePullPolicy: Always - image: quay.io/k8scsi/livenessprobe:v1.1.0 - args: - - --csi-address=/var/lib/csi/sockets/pluginproxy/csi.sock - volumeMounts: - - mountPath: /var/lib/csi/sockets/pluginproxy/ - name: socket-dir - volumes: - - name: socket-dir - emptyDir: {} ---- -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: hcloud-csi-node - namespace: kube-system - labels: - app: hcloud-csi -spec: - selector: - matchLabels: - app: hcloud-csi - template: - metadata: - labels: - app: hcloud-csi - spec: - tolerations: - - effect: NoExecute - operator: Exists - - effect: NoSchedule - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - serviceAccount: hcloud-csi - hostNetwork: true - containers: - - name: csi-node-driver-registrar - image: quay.io/k8scsi/csi-node-driver-registrar:v1.3.0 - args: - - --v=5 - - --csi-address=/csi/csi.sock - - --kubelet-registration-path=/var/lib/kubelet/plugins/csi.hetzner.cloud/csi.sock - env: - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - volumeMounts: - - name: plugin-dir - mountPath: /csi - - name: registration-dir - mountPath: /registration - securityContext: - privileged: true - - name: hcloud-csi-driver - image: image-registry.openshift-image-registry.svc:5000/kube-system/hcloud-csi-driver:latest - imagePullPolicy: Always - env: - - name: 
CSI_ENDPOINT - value: unix:///csi/csi.sock - - name: METRICS_ENDPOINT - value: 0.0.0.0:9189 - - name: HCLOUD_TOKEN - valueFrom: - secretKeyRef: - name: hcloud-csi - key: token - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - volumeMounts: - - name: kubelet-dir - mountPath: /var/lib/kubelet - mountPropagation: "Bidirectional" - - name: plugin-dir - mountPath: /csi - - name: device-dir - mountPath: /dev - securityContext: - privileged: true - ports: - - containerPort: 9189 - name: metrics - - name: healthz - containerPort: 9808 - protocol: TCP - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 10 - timeoutSeconds: 3 - periodSeconds: 2 - - name: liveness-probe - imagePullPolicy: Always - image: quay.io/k8scsi/livenessprobe:v1.1.0 - args: - - --csi-address=/csi/csi.sock - volumeMounts: - - mountPath: /csi - name: plugin-dir - volumes: - - name: kubelet-dir - hostPath: - path: /var/lib/kubelet - type: Directory - - name: plugin-dir - hostPath: - path: /var/lib/kubelet/plugins/csi.hetzner.cloud/ - type: DirectoryOrCreate - - name: registration-dir - hostPath: - path: /var/lib/kubelet/plugins_registry/ - type: Directory - - name: device-dir - hostPath: - path: /dev - type: Directory ---- -apiVersion: v1 -kind: Service -metadata: - name: hcloud-csi-controller-metrics - namespace: kube-system - labels: - app: hcloud-csi -spec: - selector: - app: hcloud-csi-controller - ports: - - port: 9189 - name: metrics - targetPort: metrics - ---- -apiVersion: v1 -kind: Service -metadata: - name: hcloud-csi-node-metrics - namespace: kube-system - labels: - app: hcloud-csi -spec: - selector: - app: hcloud-csi - ports: - - port: 9189 - name: metrics - targetPort: metrics diff --git a/infrastructure/hcloud-csi/imagestream.yaml b/infrastructure/hcloud-csi/imagestream.yaml deleted file mode 100644 index 568b62eef46a0f919e250c4ee2157b8cd0f8ea6b..0000000000000000000000000000000000000000 
--- a/infrastructure/hcloud-csi/imagestream.yaml +++ /dev/null @@ -1,18 +0,0 @@ -kind: ImageStream -apiVersion: image.openshift.io/v1 -metadata: - name: hcloud-csi-driver - namespace: kube-system -spec: - lookupPolicy: - local: false - tags: - - name: latest - annotations: null - from: - kind: DockerImage - name: 'docker.io/hetznercloud/hcloud-csi-driver:latest' - importPolicy: - scheduled: true - referencePolicy: - type: Local diff --git a/infrastructure/hcloud-csi/kustomization.yaml b/infrastructure/hcloud-csi/kustomization.yaml index 79151fedc2d761d3b986c382d6106d3792cfdf6a..0f01ae8883aab0084d3cb2b70047df445634bbc8 100644 --- a/infrastructure/hcloud-csi/kustomization.yaml +++ b/infrastructure/hcloud-csi/kustomization.yaml @@ -1,5 +1,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- hcloud-csi.yaml -- imagestream.yaml +- https://git.shivering-isles.com/github-mirror/hetznercloud/csi-driver/-/raw/v1.6.0/deploy/kubernetes/hcloud-csi.yml +patchesJson6902: +- target: + group: "storage.k8s.io" + version: v1 + kind: StorageClass + name: hcloud-volumes + path: remove-default-annotation.yaml diff --git a/infrastructure/hcloud-csi/remove-default-annotation.yaml b/infrastructure/hcloud-csi/remove-default-annotation.yaml new file mode 100644 index 0000000000000000000000000000000000000000..1122e8e5ebd693e296fecfc922a67669329093ad --- /dev/null +++ b/infrastructure/hcloud-csi/remove-default-annotation.yaml @@ -0,0 +1,2 @@ +- op: remove + path: metadata/annotations diff --git a/infrastructure/kustomization.yaml b/infrastructure/kustomization.yaml index 415fd47b1626d2441576cccc8ece67cb13b66999..7c8a91a11f34e72a333f3cc051a29b3d0641f778 100644 --- a/infrastructure/kustomization.yaml +++ b/infrastructure/kustomization.yaml 
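Review bot: The hcloud-csi kustomization now pulls `hcloud-csi.yml` from a remote URL pinned only to the git tag `v1.6.0` of a mirror, and nothing in the build verifies what is fetched; a tag (and the mirror behind it) can be moved, so every reconcile re-trusts whatever that URL serves as the privileged CSI controller and node DaemonSet that the deleted vendored hcloud-csi.yaml used to hold in-repo. Prefer vendoring the manifest again or referencing an immutable commit SHA in the raw URL, and review the diff on each bump. The same applies to the four rook URLs in infrastructure/rook/kustomization.yaml, which pin to tag `v1.7.1`.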
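Review bot: The JSON patch in infrastructure/hcloud-csi/remove-default-annotation.yaml uses `path: metadata/annotations`, which is not a valid RFC 6901 pointer — pointers start with `/`, and without it the patch library either rejects the operation or resolves the wrong key, depending on its leniency. Write `path: /metadata/annotations`. Since the file name says it removes the default-class annotation, a targeted pointer is also safer than dropping the whole map if upstream later adds other annotations: `path: /metadata/annotations/storageclass.kubernetes.io~1is-default-class` (`~1` is the escaped `/`), assuming that is the annotation the upstream StorageClass carries.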
@@ -1,11 +1,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - sources + - calico + - kyverno - hcloud-csi - - cert-manager - - namespace-configuration - rook - - postgres - - openshift-monitoring - + - cert-manager diff --git a/infrastructure/kyverno/deny-network-policies.yaml b/infrastructure/kyverno/deny-network-policies.yaml new file mode 100644 index 0000000000000000000000000000000000000000..d291ebcd8b2b061da87e19628d69fc973c282872 --- /dev/null +++ b/infrastructure/kyverno/deny-network-policies.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: deny-netpol-changes +spec: + validationFailureAction: enforce + background: false + rules: + - name: deny-netpol-changes + match: + resources: + kinds: + - NetworkPolicy + name: "*-managed" + exclude: + clusterRoles: + - cluster-admin + validate: + message: "Changing managed network policies is not allowed." + deny: {} diff --git a/infrastructure/kyverno/deny-system-namespaces.yaml b/infrastructure/kyverno/deny-system-namespaces.yaml new file mode 100644 index 0000000000000000000000000000000000000000..388ef889a4ef6d6e8e80c4f9f95c7f26a3c092da --- /dev/null +++ b/infrastructure/kyverno/deny-system-namespaces.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: deny-system-namespaces +spec: + validationFailureAction: enforce + background: false + rules: + - name: deny-system-namespaces + match: + resources: + kinds: + - Namespace + name: "*-system" + exclude: + clusterRoles: + - cluster-admin + validate: + message: "Creating *-system namespaces is not allowed." + deny: {} diff --git a/infrastructure/kyverno/kustomization.yaml b/infrastructure/kyverno/kustomization.yaml new file mode 100644 index 0000000000000000000000000000000000000000..55f9e4967c90b7374ffa0fb0eb0e640574e071fe --- /dev/null +++ b/infrastructure/kyverno/kustomization.yaml 
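Review bot: `postgres` is dropped from the root resources list in infrastructure/kustomization.yaml while this same commit still edits infrastructure/postgres/release.yaml, moves the zalando HelmRepository into infrastructure/postgres/ and rewrites its network-policy ClusterPolicy — unless another Flux Kustomization references that directory (not visible here), those manifests are now unreferenced and the operator plus the generated `allow-from-zalando-postgres-managed` policies stop being applied. The removed `sources` entry has the same effect for any other HelmRepository that lived in infrastructure/sources/. If the drop is intentional, a short comment in the list saying where postgres is now reconciled from would save the next reader the search.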
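Review bot: The deny-netpol-changes rule in infrastructure/kyverno/deny-network-policies.yaml matches every admission operation on `*-managed` NetworkPolicies and exempts only requesters bound to `cluster-admin`, so it also covers the CREATE that Kyverno's own generate controller performs for `allow-from-zalando-postgres-managed` in user-namespace-network-policy.yaml. Whether that request is let through depends on Kyverno's self-exclusion configuration rather than on this policy; if it is not, the generated policies never appear and the guard protects nothing. Either confirm that behaviour on the deployed version or exempt Kyverno explicitly under `exclude.subjects` (`- kind: ServiceAccount`, `name: <kyverno service account>`, `namespace: kyverno`), and state the intent above the rule: `# Only cluster-admin (and Kyverno itself) may create, change or delete generated *-managed policies.`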
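Review bot: The deny-system-namespaces rule in infrastructure/kyverno/deny-system-namespaces.yaml is not limited to creation, although its message says `Creating *-system namespaces is not allowed.`: with `deny: {}` and no operation condition it also rejects updates and deletes of any existing `*-system` namespace, including `kube-system`, by anyone not bound to `cluster-admin`. If only creation should be blocked, add `preconditions:` / `- key: "{{request.operation}}"` / `  operator: Equals` with `value: CREATE` under the rule; if the broader lock is intended, the message should say so. Together with the `*-system` exclusion in the postgres generate policy this closes the obvious bypass of naming a user namespace `something-system`, which is worth stating in a comment above the rule.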
@@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kyverno +resources: + - namespace.yaml + - repository.yaml + - release.yaml + - deny-system-namespaces.yaml + - deny-network-policies.yaml diff --git a/infrastructure/kyverno/namespace.yaml b/infrastructure/kyverno/namespace.yaml new file mode 100644 index 0000000000000000000000000000000000000000..e5d0650e5c7868a8dbef9b6d35a049086db3327f --- /dev/null +++ b/infrastructure/kyverno/namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: kyverno + labels: + name: kyverno diff --git a/infrastructure/kyverno/release.yaml b/infrastructure/kyverno/release.yaml new file mode 100644 index 0000000000000000000000000000000000000000..ec685cb2c184103e42197901b34dc255cb7527b6 --- /dev/null +++ b/infrastructure/kyverno/release.yaml @@ -0,0 +1,33 @@ +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: kyverno-crds + namespace: kyverno +spec: + releaseName: kyverno-crds + chart: + spec: + chart: kyverno-crds + sourceRef: + kind: HelmRepository + name: kyverno + version: v3.20.1 + interval: 5m +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: kyverno + namespace: kyverno +spec: + releaseName: kyverno + chart: + spec: + chart: kyverno + sourceRef: + kind: HelmRepository + name: kyverno + version: v3.20.1 + interval: 5m + dependsOn: + - name: kyverno-crds diff --git a/infrastructure/kyverno/repository.yaml b/infrastructure/kyverno/repository.yaml new file mode 100644 index 0000000000000000000000000000000000000000..addd2fd4dbcc4b44618c0dcf8f6cdccce2da87df --- /dev/null +++ b/infrastructure/kyverno/repository.yaml @@ -0,0 +1,7 @@ +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: kyverno +spec: + interval: 30m + url: https://kyverno.github.io/kyverno/ 
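Review bot: The two ClusterPolicy files listed in infrastructure/kyverno/kustomization.yaml have no `kyverno.io/v1` API to be applied against until the HelmRelease in the same list has installed Kyverno's CRDs, so on a fresh cluster the first reconcile cannot succeed as a whole. If this directory is applied as a single Flux Kustomization with server-side validation, the dry-run of the policy objects fails and blocks the entire apply — including the HelmRelease that would have provided the CRD — so the set never converges without manual intervention. Move deny-system-namespaces.yaml and deny-network-policies.yaml into a separate Kustomization that `dependsOn` the kyverno one, and leave a comment here explaining why the policies are not in this list.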
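Review bot: Both HelmReleases in infrastructure/kyverno/release.yaml pin `version: v3.20.1`, the exact string used for the Calico tigera-operator chart in infrastructure/calico/release.yaml, which looks like a copy-paste rather than a real kyverno chart version; unless the kyverno HelmRepository actually publishes `kyverno-crds` and `kyverno` at that version, both releases fail at chart resolution and, since the deny policies depend on this release, nothing in the kyverno directory becomes effective. Check the chart index at the configured repository URL and pin the actual version of each chart. The `dependsOn: kyverno-crds` ordering itself is right.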
diff --git a/infrastructure/namespace-configuration/kustomization.yaml b/infrastructure/namespace-configuration/kustomization.yaml deleted file mode 100644 index 9b1683b8c5b458837e1f1e1e41a1748f0efc0ee6..0000000000000000000000000000000000000000 --- a/infrastructure/namespace-configuration/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: namespace-configuration-operator -resources: -- namespace.yaml -- subscription.yaml -- network-policy.yaml diff --git a/infrastructure/namespace-configuration/namespace.yaml b/infrastructure/namespace-configuration/namespace.yaml deleted file mode 100644 index 756127dfa77148a6481e0e3ec1ef02f5d0d4d75b..0000000000000000000000000000000000000000 --- a/infrastructure/namespace-configuration/namespace.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: namespace-configuration-operator - labels: - name: namespace-configuration-operator diff --git a/infrastructure/namespace-configuration/network-policy.yaml b/infrastructure/namespace-configuration/network-policy.yaml deleted file mode 100644 index 963ab704b4ceea23cc4f9813728564e256faf930..0000000000000000000000000000000000000000 --- a/infrastructure/namespace-configuration/network-policy.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ -apiVersion: redhatcop.redhat.io/v1alpha1 -kind: NamespaceConfig -metadata: - name: default-networkpolicy -spec: - annotationSelector: - matchExpressions: - - operator: Exists - key: "openshift.io/requester" - templates: - - objectTemplate: | - apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - metadata: - name: allow-from-same-namespace - namespace: {{ .Name }} - spec: - podSelector: {} - ingress: - - from: - - podSelector: {} - - - objectTemplate: | - apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - metadata: - name: allow-from-openshift-ingress - namespace: {{ .Name }} - spec: - ingress: - - from: - - namespaceSelector: - matchLabels: - network.openshift.io/policy-group: ingress - podSelector: {} - policyTypes: - - Ingress - - objectTemplate: | - apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - metadata: - name: allow-from-openshift-monitoring - namespace: {{ .Name }} - spec: - ingress: - - from: - - namespaceSelector: - matchLabels: - network.openshift.io/policy-group: monitoring - podSelector: {} - policyTypes: - - Ingress diff --git a/infrastructure/namespace-configuration/subscription.yaml b/infrastructure/namespace-configuration/subscription.yaml deleted file mode 100644 index 43216076b6d144cdca18dc31e5904736ce7aee42..0000000000000000000000000000000000000000 --- a/infrastructure/namespace-configuration/subscription.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: namespace-configuration-operator - namespace: namespace-configuration-operator -spec: - channel: alpha - name: namespace-configuration-operator - source: community-operators - sourceNamespace: openshift-marketplace diff --git a/infrastructure/openshift-monitoring/cluster-monitoring-config.yaml b/infrastructure/openshift-monitoring/cluster-monitoring-config.yaml deleted file mode 100644 index ff58b988ea2479f7a3a3db6b0132b2f068524b61..0000000000000000000000000000000000000000 
--- a/infrastructure/openshift-monitoring/cluster-monitoring-config.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: cluster-monitoring-config - namespace: openshift-monitoring -data: - config.yaml: | - enableUserWorkload: true - diff --git a/infrastructure/openshift-monitoring/kustomization.yaml b/infrastructure/openshift-monitoring/kustomization.yaml deleted file mode 100644 index be69e3732936c44c85112cefc5c783b25f6217e0..0000000000000000000000000000000000000000 --- a/infrastructure/openshift-monitoring/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: openshift-monitoring -resources: - - cluster-monitoring-config.yaml diff --git a/infrastructure/postgres/release.yaml b/infrastructure/postgres/release.yaml index 36bce962d5ca3fb9827251990aac9548a266bf78..c47a95ed2740bc1b2ee1675ce01a3e2899fecac1 100644 --- a/infrastructure/postgres/release.yaml +++ b/infrastructure/postgres/release.yaml @@ -11,18 +11,10 @@ spec: sourceRef: kind: HelmRepository name: zalando-postgres-operator - namespace: flux-system valuesFiles: - values.yaml version: 1.6.3 interval: 5m values: - configGeneral: - kubernetes_use_configmaps: "true" - # Required due to OpenShift magic - securityContext: - runAsUser: null - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false configKubernetes: enable_pod_antiaffinity: "true" diff --git a/infrastructure/sources/zalando-postgres.yaml b/infrastructure/postgres/repository.yaml similarity index 100% rename from infrastructure/sources/zalando-postgres.yaml rename to infrastructure/postgres/repository.yaml diff --git a/infrastructure/postgres/user-namespace-network-policy.yaml b/infrastructure/postgres/user-namespace-network-policy.yaml index c51b72587f3d6490258e060345547eb88fb017f0..fabc183d046bd7abf8e3f6197e7e6092bce9bc96 100644 --- a/infrastructure/postgres/user-namespace-network-policy.yaml 
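Review bot: The removed `securityContext` override in infrastructure/postgres/release.yaml drops `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false` together with the OpenShift-specific `runAsUser: null`, so the operator now runs with whatever the chart's default securityContext provides — confirm against the 1.6.3 chart's values.yaml that those two hardening settings are still set there, and otherwise keep them: `securityContext:` / `  readOnlyRootFilesystem: true` / `  allowPrivilegeEscalation: false`. Dropping `kubernetes_use_configmaps: "true"` presumably also moves the operator (and Patroni) back to the Endpoints-based cluster state store; if Postgres clusters were already created in configmaps mode, that switch changes where their leader state lives and deserves a migration note in the commit. The surrounding `spec` block starts before this hunk.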
+++ b/infrastructure/postgres/user-namespace-network-policy.yaml @@ -1,34 +1,42 @@ -apiVersion: redhatcop.redhat.io/v1alpha1 -kind: NamespaceConfig +apiVersion: kyverno.io/v1 +kind: ClusterPolicy metadata: - name: user-namespaces-network-policy-zalando-postgres + name: default spec: - annotationSelector: - matchExpressions: - - operator: Exists - key: "openshift.io/requester" - templates: - - objectTemplate: | - apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - metadata: - name: allow-from-zalando-postgres - namespace: {{ .Name }} - spec: - ingress: - - from: - - namespaceSelector: - matchLabels: - name: zalando-postgres - ports: - - port: 8008 - protocol: TCP - - port: 5432 - protocol: TCP - - port: 8080 - protocol: TCP - podSelector: - matchLabels: - application: spilo - policyTypes: - - Ingress + rules: + - name: allow-from-zalando-postgres + match: + resources: + kinds: + - Namespace + exclude: + resources: + namespaces: + - *-system + - default + - kube-public + - kyverno + generate: + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: allow-from-zalando-postgres-managed + namespace: "{{request.object.metadata.name}}" + spec: + ingress: + - from: + - namespaceSelector: + matchLabels: + name: zalando-postgres + ports: + - port: 8008 + protocol: TCP + - port: 5432 + protocol: TCP + - port: 8080 + protocol: TCP + podSelector: + matchLabels: + application: spilo + policyTypes: + - Ingress diff --git a/infrastructure/redis/kustomization.yaml b/infrastructure/redis/kustomization.yaml deleted file mode 100644 index 5d1b88e8a2d9ca2c1fddd9f3294f835aabf0fe60..0000000000000000000000000000000000000000 --- a/infrastructure/redis/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: openshift-operators -resources: - - subscription.yaml 
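Review bot: In infrastructure/postgres/user-namespace-network-policy.yaml the entry `- *-system` under `exclude.resources.namespaces` is unquoted, so YAML reads `*-system` as an alias to an anchor named `-system` that does not exist and the document fails to parse — breaking the whole kustomization build, not just this policy. Quote it as `- "*-system"`, matching the quoted `"*-system"` in deny-system-namespaces.yaml. Separately, the generate rule has no `synchronize: true`, so a generated `allow-from-zalando-postgres-managed` policy that is deleted or edited by someone the deny policy exempts is not restored, and a ClusterPolicy named `default` is hard to find later; a name such as `generate-postgres-network-policy` would say what it does. The exclusion of `default`, `kube-public` and `kyverno` relies on Kyverno applying the `namespaces` filter to the Namespace object's own name when the matched kind is Namespace — worth confirming against the Kyverno version deployed.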
diff --git a/infrastructure/redis/subscription.yaml b/infrastructure/redis/subscription.yaml deleted file mode 100644 index 890da9dcd518f86f987a3023add7f3eb83823410..0000000000000000000000000000000000000000 --- a/infrastructure/redis/subscription.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: redis-operator - namespace: openshift-operators -spec: - channel: stable - installPlanApproval: Automatic - name: redis-operator - source: community-operators diff --git a/infrastructure/rook/cluster-on-pvc.yaml b/infrastructure/rook/cluster-on-pvc.yaml index 5cc8d4316444615d4dd9d4bf136b3d87b86a0308..dccfc44075b90d06698b026264fa0ba26afdc8ef 100644 --- a/infrastructure/rook/cluster-on-pvc.yaml +++ b/infrastructure/rook/cluster-on-pvc.yaml @@ -33,7 +33,7 @@ spec: requests: storage: 10Gi cephVersion: - image: image-registry.openshift-image-registry.svc:5000/rook-ceph/ceph:v16.2.5 + image: quay.io/ceph/ceph:v16.2.5 allowUnsupported: false skipUpgradeChecks: false continueUpgradeAfterChecksEvenIfNotHealthy: false diff --git a/infrastructure/rook/imagestream.yaml b/infrastructure/rook/imagestream.yaml deleted file mode 100644 index fece0275775732c8d19bbabcf149ca5896fb9d78..0000000000000000000000000000000000000000 --- a/infrastructure/rook/imagestream.yaml +++ /dev/null @@ -1,18 +0,0 @@ -kind: ImageStream -apiVersion: image.openshift.io/v1 -metadata: - name: ceph - namespace: rook-ceph -spec: - lookupPolicy: - local: false - tags: - - name: v16.2.5 - annotations: null - from: - kind: DockerImage - name: 'quay.io/ceph/ceph:v16.2.5' - importPolicy: - scheduled: true - referencePolicy: - type: Local diff --git a/infrastructure/rook/kustomization.yaml b/infrastructure/rook/kustomization.yaml index 01dd686dcc09b5daf2dd06f749b7efbb302a9c93..a9494c8d7c36abf7fe5a3d481e9e938091c4f7fe 100644 --- a/infrastructure/rook/kustomization.yaml +++ b/infrastructure/rook/kustomization.yaml 
@@ -4,9 +4,8 @@ namespace: rook-ceph resources: - https://git.shivering-isles.com/github-mirror/rook/rook/-/raw/v1.7.1/cluster/examples/kubernetes/ceph/crds.yaml - https://git.shivering-isles.com/github-mirror/rook/rook/-/raw/v1.7.1/cluster/examples/kubernetes/ceph/common.yaml - - https://git.shivering-isles.com/github-mirror/rook/rook/-/raw/v1.7.1/cluster/examples/kubernetes/ceph/operator-openshift.yaml + - https://git.shivering-isles.com/github-mirror/rook/rook/-/raw/v1.7.1/cluster/examples/kubernetes/ceph/operator.yaml - https://git.shivering-isles.com/github-mirror/rook/rook/-/raw/v1.7.1/cluster/examples/kubernetes/ceph/csi/rbd/snapshotclass.yaml - - imagestream.yaml - cluster-on-pvc.yaml - storageclass.yaml - https://git.shivering-isles.com/github-mirror/rook/rook/-/raw/v1.7.1/cluster/examples/kubernetes/ceph/monitoring/service-monitor.yaml