feat(blog): Move to new kustomize-optimised config

f310aed7 · Sheogorath · 98689b55 · f310aed7 · f310aed7 · f310aed7
Verified Commit f310aed7 authored 1 year ago by Sheogorath
--- a/apps/k8s01/blog/blog.yaml
+++ b/apps/k8s01/blog/blog.yaml
@@ -3,18 +3,13 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: blog
-  labels:
-    app.kubernetes.io/name: blog
 spec:
  replicas: 2
  selector:
-    matchLabels:
-      app.kubernetes.io/name: blog
+    matchLabels: {}
  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: blog
    spec:
+      serviceAccountName: blog
      automountServiceAccountToken: false
      containers:
        - name: blog
@@ -58,8 +53,7 @@ spec:
          topologyKey: kubernetes.io/hostname
          whenUnsatisfiable: DoNotSchedule
          labelSelector:
-            matchLabels:
-              app.kubernetes.io/name: blog
+            matchLabels: {}
          matchLabelKeys:
            - pod-template-hash
 ---
@@ -67,12 +61,9 @@ apiVersion: v1
 kind: Service
 metadata:
  name: blog
-  labels:
-    app.kubernetes.io/name: blog
 spec:
-  type: LoadBalancer
-  selector:
-    app.kubernetes.io/name: blog
+  type: ClusterIP
+  selector: {}
  ports:
    - name: http
      protocol: TCP
@@ -86,5 +77,4 @@ metadata:
 spec:
  minAvailable: 1
  selector:
-    matchLabels:
-      app.kubernetes.io/name: blog
+    matchLabels: {}
--- a/apps/k8s01/blog/certificate.yaml
+++ b/apps/k8s01/blog/certificate.yaml
@@ -3,8 +3,6 @@ kind: Certificate
 metadata:
    name: blog-tls
    namespace: blog
-    labels:
-        app.kubernetes.io/name: blog
 spec:
    dnsNames:
        - ENC[AES256_GCM,data:e3PPdTF5o9u8HB8EFiPCC5AQTA==,iv:oJUqFVCwqxOPEedcVaKVnG7JBvq87Lb6OptXxX+oFFE=,tag:AW+DOX0gd3dmxkTV3PmtaA==,type:str]

--- a/apps/k8s01/blog/ingress.yaml
+++ b/apps/k8s01/blog/ingress.yaml
@@ -3,8 +3,6 @@ kind: Ingress
 metadata:
    name: blog
    namespace: blog
-    labels:
-        app.kubernetes.io/name: blog
    annotations:
        forecastle.stakater.com/expose: "true"
        forecastle.stakater.com/appName: Blog

--- a/apps/k8s01/blog/kustomization.yaml
+++ b/apps/k8s01/blog/kustomization.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: blog
+
+commonLabels:
+  app.kubernetes.io/name: blog
+
 resources:
  - namespace.yaml
  - certificate.yaml
  - blog.yaml
  - ingress.yaml
  - slo.yaml
+  - serviceaccount.yaml
  - ../../../shared/networkpolicies/deny-by-default-ingress.yaml
  - ../../../shared/networkpolicies/deny-by-default-egress.yaml
  - ../../../shared/networkpolicies/allow-from-ingress.yaml
  - ../../../shared/resourcequotas/default.yaml
-patchesStrategicMerge:
-  - networkpolicy.yaml
\ No newline at end of file
+
+components:
+  - ../../../shared/components/namespace-restricted
\ No newline at end of file
--- a/apps/k8s01/blog/namespace.yaml
+++ b/apps/k8s01/blog/namespace.yaml
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: blog
-  labels:
-    pod-security.kubernetes.io/audit: restricted
-    pod-security.kubernetes.io/enforce: restricted
-    pod-security.kubernetes.io/warn: restricted
-    pod-security.kubernetes.io/audit-version: v1.27
-    pod-security.kubernetes.io/enforce-version: v1.26
-    pod-security.kubernetes.io/warn-version: v1.27
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: flux-reconciler
-  namespace: blog
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: flux-reconciler
-  namespace: blog
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: admin
-subjects:
-  - kind: ServiceAccount
-    name: flux-reconciler
-    namespace: blog
+  name: blog
\ No newline at end of file
--- a/apps/k8s01/blog/networkpolicy.yaml
+++ b/apps/k8s01/blog/networkpolicy.yaml
---
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: allow-from-ingress
-spec:
-  podSelector:
-    matchLabels:
-      app.kubernetes.io/name: blog
--- a/apps/k8s01/blog/serviceaccount.yaml
+++ b/apps/k8s01/blog/serviceaccount.yaml
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: blog
+automountServiceAccountToken: false
\ No newline at end of file
--- a/shared/components/namespace-restricted/kustomization.yaml
+++ b/shared/components/namespace-restricted/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+patches:
+  - path: namespace.yaml
+    target:
+      kind: Namespace
\ No newline at end of file
--- a/shared/components/namespace-restricted/namespace.yaml
+++ b/shared/components/namespace-restricted/namespace.yaml
+- op: add
+  path: /metadata/labels
+  value: {}
+- op: add
+  path: /metadata/labels/pod-security.kubernetes.io~1audit
+  value: restricted
+- op: add
+  path: /metadata/labels/pod-security.kubernetes.io~1enforce
+  value: restricted
+- op: add
+  path: /metadata/labels/pod-security.kubernetes.io~1warn
+  value: restricted
+- op: add
+  path: /metadata/labels/pod-security.kubernetes.io~1audit-version
+  value: v1.28
+- op: add
+  path: /metadata/labels/pod-security.kubernetes.io~1enforce-version
+  value: v1.28
+- op: add
+  path: /metadata/labels/pod-security.kubernetes.io~1warn-version
+  value: v1.28