From d5d2e9c70672d6fca8b8c013e531f2c46cf3aace Mon Sep 17 00:00:00 2001 
From: Sheogorath <sheogorath@shivering-isles.com> Date: Sun, 3 Oct 2021 08:17:19 +0200 Subject: [PATCH] Rework base infrastructure for clusters --- .../kustomization.yaml | 5 +- infrastructure/calico/release.yaml | 15 + infrastructure/calico/repository.yaml | 7 + .../cert-manager/kustomization.yaml | 6 +- infrastructure/cert-manager/namespace.yaml | 6 + infrastructure/cert-manager/release.yaml | 17 + infrastructure/cert-manager/repository.yaml | 7 + infrastructure/cert-manager/subscription.yaml | 10 - .../gitlab-runner/subscription.yaml | 11 - infrastructure/hcloud-csi/hcloud-csi.yaml | 341 ------------------ infrastructure/hcloud-csi/imagestream.yaml | 18 - infrastructure/hcloud-csi/kustomization.yaml | 10 +- .../hcloud-csi/remove-default-annotation.yaml | 2 + infrastructure/kustomization.yaml | 9 +- .../kyverno/deny-network-policies.yaml | 20 + .../kyverno/deny-system-namespaces.yaml | 20 + infrastructure/kyverno/kustomization.yaml | 9 + infrastructure/kyverno/namespace.yaml | 6 + infrastructure/kyverno/release.yaml | 33 ++ infrastructure/kyverno/repository.yaml | 7 + .../kustomization.yaml | 7 - .../namespace-configuration/namespace.yaml | 6 - .../network-policy.yaml | 52 --- .../namespace-configuration/subscription.yaml | 10 - .../cluster-monitoring-config.yaml | 9 - .../openshift-monitoring/kustomization.yaml | 5 - infrastructure/postgres/release.yaml | 8 - .../repository.yaml} | 0 .../user-namespace-network-policy.yaml | 72 ++-- infrastructure/redis/kustomization.yaml | 5 - infrastructure/redis/subscription.yaml | 10 - infrastructure/rook/cluster-on-pvc.yaml | 2 +- infrastructure/rook/imagestream.yaml | 18 - infrastructure/rook/kustomization.yaml | 3 +- 34 files changed, 209 insertions(+), 557 deletions(-) rename infrastructure/{gitlab-runner => calico}/kustomization.yaml (57%) create mode 100644 infrastructure/calico/release.yaml create mode 100644 infrastructure/calico/repository.yaml create mode 100644 infrastructure/cert-manager/namespace.yaml create mode 
100644 infrastructure/cert-manager/release.yaml create mode 100644 infrastructure/cert-manager/repository.yaml delete mode 100644 infrastructure/cert-manager/subscription.yaml delete mode 100644 infrastructure/gitlab-runner/subscription.yaml delete mode 100644 infrastructure/hcloud-csi/hcloud-csi.yaml delete mode 100644 infrastructure/hcloud-csi/imagestream.yaml create mode 100644 infrastructure/hcloud-csi/remove-default-annotation.yaml create mode 100644 infrastructure/kyverno/deny-network-policies.yaml create mode 100644 infrastructure/kyverno/deny-system-namespaces.yaml create mode 100644 infrastructure/kyverno/kustomization.yaml create mode 100644 infrastructure/kyverno/namespace.yaml create mode 100644 infrastructure/kyverno/release.yaml create mode 100644 infrastructure/kyverno/repository.yaml delete mode 100644 infrastructure/namespace-configuration/kustomization.yaml delete mode 100644 infrastructure/namespace-configuration/namespace.yaml delete mode 100644 infrastructure/namespace-configuration/network-policy.yaml delete mode 100644 infrastructure/namespace-configuration/subscription.yaml delete mode 100644 infrastructure/openshift-monitoring/cluster-monitoring-config.yaml delete mode 100644 infrastructure/openshift-monitoring/kustomization.yaml rename infrastructure/{sources/zalando-postgres.yaml => postgres/repository.yaml} (100%) delete mode 100644 infrastructure/redis/kustomization.yaml delete mode 100644 infrastructure/redis/subscription.yaml delete mode 100644 infrastructure/rook/imagestream.yaml diff --git a/infrastructure/gitlab-runner/kustomization.yaml b/infrastructure/calico/kustomization.yaml similarity index 57% rename from infrastructure/gitlab-runner/kustomization.yaml rename to infrastructure/calico/kustomization.yaml index 5d1b88e8a..d9e0d9152 100644 --- a/infrastructure/gitlab-runner/kustomization.yaml +++ b/infrastructure/calico/kustomization.yaml 
@@ -1,5 +1,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: openshift-operators +namespace: default resources: - - subscription.yaml + - repository.yaml + - release.yaml diff --git a/infrastructure/calico/release.yaml b/infrastructure/calico/release.yaml new file mode 100644 index 000000000..2b328d833 --- /dev/null +++ b/infrastructure/calico/release.yaml @@ -0,0 +1,15 @@ +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: calico + namespace: default +spec: + releaseName: calico + chart: + spec: + chart: tigera-operator + sourceRef: + kind: HelmRepository + name: projectcalico + version: v3.20.1 + interval: 15m diff --git a/infrastructure/calico/repository.yaml b/infrastructure/calico/repository.yaml new file mode 100644 index 000000000..65fde274e --- /dev/null +++ b/infrastructure/calico/repository.yaml @@ -0,0 +1,7 @@ +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: projectcalico +spec: + interval: 30m + url: https://docs.projectcalico.org/charts diff --git a/infrastructure/cert-manager/kustomization.yaml b/infrastructure/cert-manager/kustomization.yaml index 5d1b88e8a..77c66d9c9 100644 --- a/infrastructure/cert-manager/kustomization.yaml +++ b/infrastructure/cert-manager/kustomization.yaml @@ -1,5 +1,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: openshift-operators +namespace: cert-manager resources: - - subscription.yaml + - namespace.yaml + - repository.yaml + - release.yaml diff --git a/infrastructure/cert-manager/namespace.yaml b/infrastructure/cert-manager/namespace.yaml new file mode 100644 index 000000000..237888c1c --- /dev/null +++ b/infrastructure/cert-manager/namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager + labels: + name: cert-manager 
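Review bot: The calico HelmRelease and HelmRepository land in `namespace: default`, while cert-manager and kyverno in the same commit each get a dedicated namespace plus a `namespace.yaml`, and the Kyverno policies added here explicitly treat `default` as a system namespace to be excluded. Keeping Flux objects out of a namespace that user workloads may also be scheduled into, and keeping the layout consistent, argues for a dedicated namespace here too, e.g. `namespace: tigera-operator` (the namespace the upstream chart is normally installed into) with a `namespace.yaml` as in `infrastructure/cert-manager`. If `default` is deliberate, a comment such as `# calico must be installed before any other namespace exists, hence default` would record the reason.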
diff --git a/infrastructure/cert-manager/release.yaml b/infrastructure/cert-manager/release.yaml new file mode 100644 index 000000000..52ad9e957 --- /dev/null +++ b/infrastructure/cert-manager/release.yaml @@ -0,0 +1,17 @@ +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: cert-manager + namespace: cert-manager +spec: + releaseName: cert-manager + chart: + spec: + chart: cert-manager + sourceRef: + kind: HelmRepository + name: jetstack + version: v1.5.3 + interval: 5m + values: + installCRDs: true diff --git a/infrastructure/cert-manager/repository.yaml b/infrastructure/cert-manager/repository.yaml new file mode 100644 index 000000000..5d4b5e877 --- /dev/null +++ b/infrastructure/cert-manager/repository.yaml @@ -0,0 +1,7 @@ +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: jetstack +spec: + interval: 30m + url: https://charts.jetstack.io diff --git a/infrastructure/cert-manager/subscription.yaml b/infrastructure/cert-manager/subscription.yaml deleted file mode 100644 index 6244334b0..000000000 --- a/infrastructure/cert-manager/subscription.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: cert-manager - namespace: openshift-operators -spec: - channel: stable - name: cert-manager - source: community-operators - sourceNamespace: openshift-marketplace diff --git a/infrastructure/gitlab-runner/subscription.yaml b/infrastructure/gitlab-runner/subscription.yaml deleted file mode 100644 index 8c35063ed..000000000 --- a/infrastructure/gitlab-runner/subscription.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: gitlab-runner-operator - namespace: openshift-operators -spec: - channel: stable - installPlanApproval: Automatic - name: gitlab-runner-operator - source: community-operators - sourceNamespace: openshift-marketplace 
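Review bot: `installCRDs: true` makes the cert-manager CRDs part of the Helm release, so uninstalling the release (or any remediation that uninstalls it) removes the CRDs and with them every Certificate, Issuer and ClusterIssuer in the cluster. That trade-off is not visible to the next reader of this HelmRelease; add `# CRDs are templated by the chart: uninstalling this release deletes all cert-manager resources` next to the value, or apply the CRD manifest for v1.5.3 as a separate kustomize resource so the release can be recycled safely.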
diff --git a/infrastructure/hcloud-csi/hcloud-csi.yaml b/infrastructure/hcloud-csi/hcloud-csi.yaml deleted file mode 100644 index 9ec92d754..000000000 --- a/infrastructure/hcloud-csi/hcloud-csi.yaml +++ /dev/null 
@@ -1,341 +0,0 @@ ---- -apiVersion: storage.k8s.io/v1 -kind: CSIDriver -metadata: - name: csi.hetzner.cloud -spec: - attachRequired: true - podInfoOnMount: true - volumeLifecycleModes: - - Persistent ---- -kind: StorageClass -apiVersion: storage.k8s.io/v1 -metadata: - namespace: kube-system - name: hcloud-volumes -provisioner: csi.hetzner.cloud -volumeBindingMode: WaitForFirstConsumer -allowVolumeExpansion: true ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: hcloud-csi - namespace: kube-system ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: hcloud-csi -rules: - # attacher - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["csi.storage.k8s.io"] - resources: ["csinodeinfos"] - verbs: ["get", "list", "watch"] - - apiGroups: ["storage.k8s.io"] - resources: ["csinodes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - verbs: ["get", "list", "watch", "update", "patch"] - # provisioner - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list"] - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "create", "delete", "patch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims", "persistentvolumeclaims/status"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots"] - verbs: ["get", "list"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["get", "list"] - # node - - apiGroups: [""] - resources: ["events"] - verbs: ["get", "list", "watch", "create", "update", 
"patch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: hcloud-csi -subjects: - - kind: ServiceAccount - name: hcloud-csi - namespace: kube-system -roleRef: - kind: ClusterRole - name: hcloud-csi - apiGroup: rbac.authorization.k8s.io ---- -kind: StatefulSet -apiVersion: apps/v1 -metadata: - name: hcloud-csi-controller - namespace: kube-system -spec: - selector: - matchLabels: - app: hcloud-csi-controller - serviceName: hcloud-csi-controller - replicas: 1 - template: - metadata: - labels: - app: hcloud-csi-controller - spec: - serviceAccount: hcloud-csi - containers: - - name: csi-attacher - image: quay.io/k8scsi/csi-attacher:v2.2.0 - args: - - --csi-address=/var/lib/csi/sockets/pluginproxy/csi.sock - - --v=5 - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - securityContext: - privileged: true - capabilities: - add: ["SYS_ADMIN"] - allowPrivilegeEscalation: true - - name: csi-resizer - image: quay.io/k8scsi/csi-resizer:v0.3.0 - args: - - --csi-address=/var/lib/csi/sockets/pluginproxy/csi.sock - - --v=5 - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - securityContext: - privileged: true - capabilities: - add: ["SYS_ADMIN"] - allowPrivilegeEscalation: true - - name: csi-provisioner - image: quay.io/k8scsi/csi-provisioner:v1.6.0 - args: - - --provisioner=csi.hetzner.cloud - - --csi-address=/var/lib/csi/sockets/pluginproxy/csi.sock - - --feature-gates=Topology=true - - --v=5 - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - securityContext: - privileged: true - capabilities: - add: ["SYS_ADMIN"] - allowPrivilegeEscalation: true - - name: hcloud-csi-driver - image: image-registry.openshift-image-registry.svc:5000/kube-system/hcloud-csi-driver:latest - imagePullPolicy: Always - env: - - name: CSI_ENDPOINT - value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock - - name: METRICS_ENDPOINT - value: 0.0.0.0:9189 - - name: 
KUBE_NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: HCLOUD_TOKEN - valueFrom: - secretKeyRef: - name: hcloud-csi - key: token - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - ports: - - containerPort: 9189 - name: metrics - - name: healthz - containerPort: 9808 - protocol: TCP - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 10 - timeoutSeconds: 3 - periodSeconds: 2 - securityContext: - privileged: true - capabilities: - add: ["SYS_ADMIN"] - allowPrivilegeEscalation: true - - name: liveness-probe - imagePullPolicy: Always - image: quay.io/k8scsi/livenessprobe:v1.1.0 - args: - - --csi-address=/var/lib/csi/sockets/pluginproxy/csi.sock - volumeMounts: - - mountPath: /var/lib/csi/sockets/pluginproxy/ - name: socket-dir - volumes: - - name: socket-dir - emptyDir: {} ---- -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: hcloud-csi-node - namespace: kube-system - labels: - app: hcloud-csi -spec: - selector: - matchLabels: - app: hcloud-csi - template: - metadata: - labels: - app: hcloud-csi - spec: - tolerations: - - effect: NoExecute - operator: Exists - - effect: NoSchedule - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - serviceAccount: hcloud-csi - hostNetwork: true - containers: - - name: csi-node-driver-registrar - image: quay.io/k8scsi/csi-node-driver-registrar:v1.3.0 - args: - - --v=5 - - --csi-address=/csi/csi.sock - - --kubelet-registration-path=/var/lib/kubelet/plugins/csi.hetzner.cloud/csi.sock - env: - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - volumeMounts: - - name: plugin-dir - mountPath: /csi - - name: registration-dir - mountPath: /registration - securityContext: - privileged: true - - name: hcloud-csi-driver - image: image-registry.openshift-image-registry.svc:5000/kube-system/hcloud-csi-driver:latest - imagePullPolicy: Always - env: - - name: 
CSI_ENDPOINT - value: unix:///csi/csi.sock - - name: METRICS_ENDPOINT - value: 0.0.0.0:9189 - - name: HCLOUD_TOKEN - valueFrom: - secretKeyRef: - name: hcloud-csi - key: token - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - volumeMounts: - - name: kubelet-dir - mountPath: /var/lib/kubelet - mountPropagation: "Bidirectional" - - name: plugin-dir - mountPath: /csi - - name: device-dir - mountPath: /dev - securityContext: - privileged: true - ports: - - containerPort: 9189 - name: metrics - - name: healthz - containerPort: 9808 - protocol: TCP - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 10 - timeoutSeconds: 3 - periodSeconds: 2 - - name: liveness-probe - imagePullPolicy: Always - image: quay.io/k8scsi/livenessprobe:v1.1.0 - args: - - --csi-address=/csi/csi.sock - volumeMounts: - - mountPath: /csi - name: plugin-dir - volumes: - - name: kubelet-dir - hostPath: - path: /var/lib/kubelet - type: Directory - - name: plugin-dir - hostPath: - path: /var/lib/kubelet/plugins/csi.hetzner.cloud/ - type: DirectoryOrCreate - - name: registration-dir - hostPath: - path: /var/lib/kubelet/plugins_registry/ - type: Directory - - name: device-dir - hostPath: - path: /dev - type: Directory ---- -apiVersion: v1 -kind: Service -metadata: - name: hcloud-csi-controller-metrics - namespace: kube-system - labels: - app: hcloud-csi -spec: - selector: - app: hcloud-csi-controller - ports: - - port: 9189 - name: metrics - targetPort: metrics - ---- -apiVersion: v1 -kind: Service -metadata: - name: hcloud-csi-node-metrics - namespace: kube-system - labels: - app: hcloud-csi -spec: - selector: - app: hcloud-csi - ports: - - port: 9189 - name: metrics - targetPort: metrics diff --git a/infrastructure/hcloud-csi/imagestream.yaml b/infrastructure/hcloud-csi/imagestream.yaml deleted file mode 100644 index 568b62eef..000000000 --- a/infrastructure/hcloud-csi/imagestream.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -kind: ImageStream -apiVersion: image.openshift.io/v1 -metadata: - name: hcloud-csi-driver - namespace: kube-system -spec: - lookupPolicy: - local: false - tags: - - name: latest - annotations: null - from: - kind: DockerImage - name: 'docker.io/hetznercloud/hcloud-csi-driver:latest' - importPolicy: - scheduled: true - referencePolicy: - type: Local diff --git a/infrastructure/hcloud-csi/kustomization.yaml b/infrastructure/hcloud-csi/kustomization.yaml index 79151fedc..0f01ae888 100644 --- a/infrastructure/hcloud-csi/kustomization.yaml +++ b/infrastructure/hcloud-csi/kustomization.yaml @@ -1,5 +1,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- hcloud-csi.yaml -- imagestream.yaml +- https://git.shivering-isles.com/github-mirror/hetznercloud/csi-driver/-/raw/v1.6.0/deploy/kubernetes/hcloud-csi.yml +patchesJson6902: +- target: + group: "storage.k8s.io" + version: v1 + kind: StorageClass + name: hcloud-volumes + path: remove-default-annotation.yaml diff --git a/infrastructure/hcloud-csi/remove-default-annotation.yaml b/infrastructure/hcloud-csi/remove-default-annotation.yaml new file mode 100644 index 000000000..1122e8e5e --- /dev/null +++ b/infrastructure/hcloud-csi/remove-default-annotation.yaml @@ -0,0 +1,2 @@ +- op: remove + path: metadata/annotations diff --git a/infrastructure/kustomization.yaml b/infrastructure/kustomization.yaml index 415fd47b1..7c8a91a11 100644 --- a/infrastructure/kustomization.yaml +++ b/infrastructure/kustomization.yaml @@ -1,11 +1,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - sources + - calico + - kyverno - hcloud-csi - - cert-manager - - namespace-configuration - rook - - postgres - - openshift-monitoring - + - cert-manager diff --git a/infrastructure/kyverno/deny-network-policies.yaml b/infrastructure/kyverno/deny-network-policies.yaml new file mode 100644 index 000000000..d291ebcd8 --- /dev/null 
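Review bot: The hcloud-csi manifest is now fetched at build time from `https://git.shivering-isles.com/github-mirror/hetznercloud/csi-driver/-/raw/v1.6.0/deploy/kubernetes/hcloud-csi.yml`, pinned only to the git tag `v1.6.0`; tags are mutable and kustomize performs no integrity check on remote resources, so whoever controls the mirror or the upstream tag controls the privileged DaemonSet and StatefulSet applied to `kube-system`. The rook kustomization hunk in this commit uses the same pattern for `crds.yaml`, `common.yaml`, `operator.yaml` and the others. Vendoring the manifest (as the deleted `hcloud-csi.yaml` did) or referencing the commit SHA instead of the tag keeps the applied content reviewable; at minimum record the provenance with `# upstream tag v1.6.0 via git.shivering-isles.com mirror — re-verify content before bumping`.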
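Review bot: `path: metadata/annotations` is not a valid RFC 6902 JSON pointer — a pointer must begin with `/`, and a patch library splitting on `/` will most likely look for a top-level key rather than the nested one, so this `patchesJson6902` entry is expected to fail at build time; use `path: /metadata/annotations`. Removing the whole annotations map is also broader than the file name suggests: if the intent is only to stop `hcloud-volumes` from being the default StorageClass, remove that single key with `path: /metadata/annotations/storageclass.kubernetes.io~1is-default-class` (`~1` is the pointer escape for `/`), assuming that is the annotation the upstream manifest sets.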
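Review bot: `postgres` is dropped from the resource list, yet the same commit still edits `infrastructure/postgres/release.yaml` and `infrastructure/postgres/user-namespace-network-policy.yaml`; unless another Kustomization references that directory, the postgres operator, its HelmRepository and its Kyverno ClusterPolicy are no longer applied anywhere. Either keep `- postgres` here or note where it moved, e.g. `# postgres is applied from <other Kustomization path>` with the real location filled in.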
+++ b/infrastructure/kyverno/deny-network-policies.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: deny-netpol-changes +spec: + validationFailureAction: enforce + background: false + rules: + - name: deny-netpol-changes + match: + resources: + kinds: + - NetworkPolicy + name: "*-managed" + exclude: + clusterRoles: + - cluster-admin + validate: + message: "Changing managed network policies is not allowed." + deny: {} diff --git a/infrastructure/kyverno/deny-system-namespaces.yaml b/infrastructure/kyverno/deny-system-namespaces.yaml new file mode 100644 index 000000000..388ef889a --- /dev/null +++ b/infrastructure/kyverno/deny-system-namespaces.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: deny-system-namespaces +spec: + validationFailureAction: enforce + background: false + rules: + - name: deny-system-namespaces + match: + resources: + kinds: + - Namespace + name: "*-system" + exclude: + clusterRoles: + - cluster-admin + validate: + message: "Creating *-system namespaces is not allowed." + deny: {} diff --git a/infrastructure/kyverno/kustomization.yaml b/infrastructure/kyverno/kustomization.yaml new file mode 100644 index 000000000..55f9e4967 --- /dev/null +++ b/infrastructure/kyverno/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kyverno +resources: + - namespace.yaml + - repository.yaml + - release.yaml + - deny-system-namespaces.yaml + - deny-network-policies.yaml diff --git a/infrastructure/kyverno/namespace.yaml b/infrastructure/kyverno/namespace.yaml new file mode 100644 index 000000000..e5d0650e5 --- /dev/null +++ b/infrastructure/kyverno/namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: kyverno + labels: + name: kyverno diff --git a/infrastructure/kyverno/release.yaml b/infrastructure/kyverno/release.yaml new file mode 100644 index 000000000..ec685cb2c --- /dev/null 
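Review bot: The rule denies every operation on NetworkPolicies named `*-managed` unless the requester holds `cluster-admin`, but the `allow-from-zalando-postgres-managed` policies from `infrastructure/postgres/user-namespace-network-policy.yaml` are created by Kyverno's own generate controller, which runs as the kyverno ServiceAccount rather than under `cluster-admin`. Whether Kyverno skips admission evaluation for its own service account is not visible here; confirm on a test namespace that the generated policy is actually created and kept up to date, and if it is blocked add an `exclude.subjects` entry for that ServiceAccount, e.g. `subjects: [{kind: ServiceAccount, name: kyverno, namespace: kyverno}]` (the account name depends on the chart's defaults). A comment on the `exclude` block stating who is expected to bypass the rule would also help the next reader.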
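Review bot: The commit deletes `namespace-configuration/network-policy.yaml`, which generated `allow-from-same-namespace` (plus the ingress and monitoring allow rules) in every requester-annotated namespace, but the only generate policy that replaces it is the postgres one. NetworkPolicies are additive, so an allow rule on its own imposes no isolation: user namespaces now have no ingress restriction at all until an equivalent default-deny or allow-same-namespace ClusterPolicy is listed here alongside the two deny policies. Separately, the ClusterPolicy resources in this list are built into the same Kustomization as the HelmRelease that installs the `kyverno.io` CRDs, so the first reconcile is likely to fail on the unknown kind until the chart is installed; splitting the policies into a Flux Kustomization that `dependsOn` the one installing kyverno avoids that retry loop (inferred from the layout, the Flux Kustomization objects are not in the diff).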
+++ b/infrastructure/kyverno/release.yaml @@ -0,0 +1,33 @@ +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: kyverno-crds + namespace: kyverno +spec: + releaseName: kyverno-crds + chart: + spec: + chart: kyverno-crds + sourceRef: + kind: HelmRepository + name: kyverno + version: v3.20.1 + interval: 5m +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: kyverno + namespace: kyverno +spec: + releaseName: kyverno + chart: + spec: + chart: kyverno + sourceRef: + kind: HelmRepository + name: kyverno + version: v3.20.1 + interval: 5m + dependsOn: + - name: kyverno-crds diff --git a/infrastructure/kyverno/repository.yaml b/infrastructure/kyverno/repository.yaml new file mode 100644 index 000000000..addd2fd4d --- /dev/null +++ b/infrastructure/kyverno/repository.yaml @@ -0,0 +1,7 @@ +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: kyverno +spec: + interval: 30m + url: https://kyverno.github.io/kyverno/ diff --git a/infrastructure/namespace-configuration/kustomization.yaml b/infrastructure/namespace-configuration/kustomization.yaml deleted file mode 100644 index 9b1683b8c..000000000 --- a/infrastructure/namespace-configuration/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: namespace-configuration-operator -resources: -- namespace.yaml -- subscription.yaml -- network-policy.yaml diff --git a/infrastructure/namespace-configuration/namespace.yaml b/infrastructure/namespace-configuration/namespace.yaml deleted file mode 100644 index 756127dfa..000000000 --- a/infrastructure/namespace-configuration/namespace.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: namespace-configuration-operator - labels: - name: namespace-configuration-operator 
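Review bot: Both HelmReleases pin `version: v3.20.1`, which is the tigera-operator chart version used in `infrastructure/calico/release.yaml` and looks copy-pasted; the kyverno and kyverno-crds charts are versioned on their own series, so Flux will most likely report no matching chart version and neither release will install. Replace them with the real chart versions, e.g. `version: "<kyverno-crds chart version>"` and `version: "<kyverno chart version>"` — Flux reads `version` as a semver range, and quoting keeps it a string. Also worth checking whether the chosen chart version still ships CRDs as a separate `kyverno-crds` chart; if the main chart bundles them, the first release and the `dependsOn` are redundant.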
diff --git a/infrastructure/namespace-configuration/network-policy.yaml b/infrastructure/namespace-configuration/network-policy.yaml deleted file mode 100644 index 963ab704b..000000000 --- a/infrastructure/namespace-configuration/network-policy.yaml +++ /dev/null @@ -1,52 +0,0 @@ -apiVersion: redhatcop.redhat.io/v1alpha1 -kind: NamespaceConfig -metadata: - name: default-networkpolicy -spec: - annotationSelector: - matchExpressions: - - operator: Exists - key: "openshift.io/requester" - templates: - - objectTemplate: | - apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - metadata: - name: allow-from-same-namespace - namespace: {{ .Name }} - spec: - podSelector: {} - ingress: - - from: - - podSelector: {} - - - objectTemplate: | - apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - metadata: - name: allow-from-openshift-ingress - namespace: {{ .Name }} - spec: - ingress: - - from: - - namespaceSelector: - matchLabels: - network.openshift.io/policy-group: ingress - podSelector: {} - policyTypes: - - Ingress - - objectTemplate: | - apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - metadata: - name: allow-from-openshift-monitoring - namespace: {{ .Name }} - spec: - ingress: - - from: - - namespaceSelector: - matchLabels: - network.openshift.io/policy-group: monitoring - podSelector: {} - policyTypes: - - Ingress diff --git a/infrastructure/namespace-configuration/subscription.yaml b/infrastructure/namespace-configuration/subscription.yaml deleted file mode 100644 index 43216076b..000000000 --- a/infrastructure/namespace-configuration/subscription.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: namespace-configuration-operator - namespace: namespace-configuration-operator -spec: - channel: alpha - name: namespace-configuration-operator - source: community-operators - sourceNamespace: openshift-marketplace 
diff --git a/infrastructure/openshift-monitoring/cluster-monitoring-config.yaml b/infrastructure/openshift-monitoring/cluster-monitoring-config.yaml deleted file mode 100644 index ff58b988e..000000000 --- a/infrastructure/openshift-monitoring/cluster-monitoring-config.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: cluster-monitoring-config - namespace: openshift-monitoring -data: - config.yaml: | - enableUserWorkload: true - diff --git a/infrastructure/openshift-monitoring/kustomization.yaml b/infrastructure/openshift-monitoring/kustomization.yaml deleted file mode 100644 index be69e3732..000000000 --- a/infrastructure/openshift-monitoring/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: openshift-monitoring -resources: - - cluster-monitoring-config.yaml diff --git a/infrastructure/postgres/release.yaml b/infrastructure/postgres/release.yaml index 36bce962d..c47a95ed2 100644 --- a/infrastructure/postgres/release.yaml +++ b/infrastructure/postgres/release.yaml @@ -11,18 +11,10 @@ spec: sourceRef: kind: HelmRepository name: zalando-postgres-operator - namespace: flux-system valuesFiles: - values.yaml version: 1.6.3 interval: 5m values: - configGeneral: - kubernetes_use_configmaps: "true" - # Required due to OpenShift magic - securityContext: - runAsUser: null - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false configKubernetes: enable_pod_antiaffinity: "true" diff --git a/infrastructure/sources/zalando-postgres.yaml b/infrastructure/postgres/repository.yaml similarity index 100% rename from infrastructure/sources/zalando-postgres.yaml rename to infrastructure/postgres/repository.yaml diff --git a/infrastructure/postgres/user-namespace-network-policy.yaml b/infrastructure/postgres/user-namespace-network-policy.yaml index c51b72587..fabc183d0 100644 --- a/infrastructure/postgres/user-namespace-network-policy.yaml 
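Review bot: Dropping the `securityContext` override removes `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false` from the operator pod together with the OpenShift-only `runAsUser: null`; only the last of the three was OpenShift-specific, the other two are generic hardening that the chart does not necessarily set by default. Keep them as `securityContext:` / `  readOnlyRootFilesystem: true` / `  allowPrivilegeEscalation: false` under `values:`. Removing `namespace: flux-system` from `sourceRef` also means the renamed `postgres/repository.yaml` must end up in the HelmRelease's own namespace, which is set by the postgres kustomization outside this diff — worth confirming. The enclosing HelmRelease document starts before this hunk.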
+++ b/infrastructure/postgres/user-namespace-network-policy.yaml @@ -1,34 +1,42 @@ -apiVersion: redhatcop.redhat.io/v1alpha1 -kind: NamespaceConfig +apiVersion: kyverno.io/v1 +kind: ClusterPolicy metadata: - name: user-namespaces-network-policy-zalando-postgres + name: default spec: - annotationSelector: - matchExpressions: - - operator: Exists - key: "openshift.io/requester" - templates: - - objectTemplate: | - apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - metadata: - name: allow-from-zalando-postgres - namespace: {{ .Name }} - spec: - ingress: - - from: - - namespaceSelector: - matchLabels: - name: zalando-postgres - ports: - - port: 8008 - protocol: TCP - - port: 5432 - protocol: TCP - - port: 8080 - protocol: TCP - podSelector: - matchLabels: - application: spilo - policyTypes: - - Ingress + rules: + - name: allow-from-zalando-postgres + match: + resources: + kinds: + - Namespace + exclude: + resources: + namespaces: + - *-system + - default + - kube-public + - kyverno + generate: + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: allow-from-zalando-postgres-managed + namespace: "{{request.object.metadata.name}}" + spec: + ingress: + - from: + - namespaceSelector: + matchLabels: + name: zalando-postgres + ports: + - port: 8008 + protocol: TCP + - port: 5432 + protocol: TCP + - port: 8080 + protocol: TCP + podSelector: + matchLabels: + application: spilo + policyTypes: + - Ingress diff --git a/infrastructure/redis/kustomization.yaml b/infrastructure/redis/kustomization.yaml deleted file mode 100644 index 5d1b88e8a..000000000 --- a/infrastructure/redis/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: openshift-operators -resources: - - subscription.yaml diff --git a/infrastructure/redis/subscription.yaml b/infrastructure/redis/subscription.yaml deleted file mode 100644 index 890da9dcd..000000000 
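Review bot: `- *-system` in `exclude.resources.namespaces` is an unquoted `*`, which YAML reads as an alias to an anchor named `-system`; no such anchor exists, so the file fails to parse and the kustomize build with it — write `- "*-system"` as the two kyverno ClusterPolicies in this commit already do. Separately, the `generate` block puts `metadata:` and `spec:` directly under `generate:`, whereas Kyverno's generate rule, as far as I recall, takes `name`, `namespace`, `synchronize` and the resource body under `data:`; without `synchronize: true` a generated policy that is deleted is not recreated, which undercuts the `deny-netpol-changes` protection. The policy name `default` also says nothing about what it does; `name: user-namespace-network-policies` or similar would match the file name. Rewritten exclude and generate header below, the NetworkPolicy spec itself unchanged.
```yaml
      exclude:
        resources:
          namespaces:
            - "*-system"
            - default
            - kube-public
            - kyverno
      generate:
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: allow-from-zalando-postgres-managed
        namespace: "{{request.object.metadata.name}}"
        synchronize: true
        data:
          spec:
            # … unchanged: ingress / podSelector / policyTypes …
```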
--- a/infrastructure/redis/subscription.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: redis-operator - namespace: openshift-operators -spec: - channel: stable - installPlanApproval: Automatic - name: redis-operator - source: community-operators diff --git a/infrastructure/rook/cluster-on-pvc.yaml b/infrastructure/rook/cluster-on-pvc.yaml index 5cc8d4316..dccfc4407 100644 --- a/infrastructure/rook/cluster-on-pvc.yaml +++ b/infrastructure/rook/cluster-on-pvc.yaml @@ -33,7 +33,7 @@ spec: requests: storage: 10Gi cephVersion: - image: image-registry.openshift-image-registry.svc:5000/rook-ceph/ceph:v16.2.5 + image: quay.io/ceph/ceph:v16.2.5 allowUnsupported: false skipUpgradeChecks: false continueUpgradeAfterChecksEvenIfNotHealthy: false diff --git a/infrastructure/rook/imagestream.yaml b/infrastructure/rook/imagestream.yaml deleted file mode 100644 index fece02757..000000000 --- a/infrastructure/rook/imagestream.yaml +++ /dev/null @@ -1,18 +0,0 @@ -kind: ImageStream -apiVersion: image.openshift.io/v1 -metadata: - name: ceph - namespace: rook-ceph -spec: - lookupPolicy: - local: false - tags: - - name: v16.2.5 - annotations: null - from: - kind: DockerImage - name: 'quay.io/ceph/ceph:v16.2.5' - importPolicy: - scheduled: true - referencePolicy: - type: Local diff --git a/infrastructure/rook/kustomization.yaml b/infrastructure/rook/kustomization.yaml index 01dd686dc..a9494c8d7 100644 --- a/infrastructure/rook/kustomization.yaml +++ b/infrastructure/rook/kustomization.yaml 
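Review bot: `image: quay.io/ceph/ceph:v16.2.5` is now pulled by tag straight from the public registry; the deleted ImageStream at least imported on a schedule into a registry the cluster controls, whereas now the tag's content can change underneath the cluster without any visible diff. Pin by digest, `image: quay.io/ceph/ceph:v16.2.5@sha256:<digest-placeholder>`, or add a comment recording why a floating tag is acceptable for the Ceph daemons. The enclosing CephCluster spec starts and ends outside the hunk.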
@@ -4,9 +4,8 @@ namespace: rook-ceph resources: - https://git.shivering-isles.com/github-mirror/rook/rook/-/raw/v1.7.1/cluster/examples/kubernetes/ceph/crds.yaml - https://git.shivering-isles.com/github-mirror/rook/rook/-/raw/v1.7.1/cluster/examples/kubernetes/ceph/common.yaml - - https://git.shivering-isles.com/github-mirror/rook/rook/-/raw/v1.7.1/cluster/examples/kubernetes/ceph/operator-openshift.yaml + - https://git.shivering-isles.com/github-mirror/rook/rook/-/raw/v1.7.1/cluster/examples/kubernetes/ceph/operator.yaml - https://git.shivering-isles.com/github-mirror/rook/rook/-/raw/v1.7.1/cluster/examples/kubernetes/ceph/csi/rbd/snapshotclass.yaml - - imagestream.yaml - cluster-on-pvc.yaml - storageclass.yaml - https://git.shivering-isles.com/github-mirror/rook/rook/-/raw/v1.7.1/cluster/examples/kubernetes/ceph/monitoring/service-monitor.yaml -- GitLab