Commits · c912974eeab8857d0b817995ac5b861fd2b71bb6 · Shivering-Isles / Infrastructure GitOps

Mar 04, 2024
- chore(deps): update helm release oauth2-proxy to v7.1.0 · 07f2ba44
  Botaniker (Bot) authored 1 year ago
  
  07f2ba44
- ci(renovate): Move earthly related settings into own config · 1ad06d4d
  Sheogorath authored 1 year ago
  
  1ad06d4d
Feb 29, 2024
- chore(deps): update helm release oauth2-proxy to v7 · 113aab50
  Botaniker (Bot) authored 1 year ago
  
  113aab50
Feb 28, 2024
- ci(earthly): Enable latest pushes · 88483053
  Sheogorath authored 1 year ago
  
  88483053
- chore(deps): update helm release oauth2-proxy to v6.24.2 · 8c984bdb
  Botaniker (Bot) authored 1 year ago
  
  8c984bdb
- ci(earthly): Reorganise earthly includes · 646fb3bb
  Sheogorath authored 1 year ago
  
  646fb3bb
Feb 23, 2024

refactor(nginx): Split ingress into internet and intranet · 5499c250

Sheogorath authored 1 year ago

This patch refactors the entire ingress setup into two ingress classes:
internet and intranet. This allows to ensure that they use separate
services, reduces the attack surface and enables the usage of
external-dns.

5499c250

Feb 19, 2024
- fix(oauth2-proxy): Add standardised scope for oauth2-proxy · 5725b780
  Sheogorath authored 1 year ago
  
  5725b780
Feb 18, 2024

feat(jellyfin): Add pdb-manager for jellyfin · c83c7d17

Sheogorath authored 1 year ago

This patch introduces a new container to the jellyfin instance that
talks to the kubernetes API and manages a PDB for jellyfin. It blocks
evictions while at least one device is playing a video.

This should prevent awkward situations during updates.

c83c7d17

Feb 14, 2024
- chore(deps): update helm release oauth2-proxy to v6.24.1 · a63de142
  Botaniker (Bot) authored 1 year ago
  
  a63de142
Feb 06, 2024
- fix(shared): Remove matchLabel since labels on postgres pods are limited · 30434308
  Sheogorath authored 1 year ago
  
  The operator only transfers a predefined set of labels over to the database Pods, therefore using matchLabels here, will result in a non-functional network policy.
  30434308
- fix(shared): Fix database cluster policy to allow communication between members · 7e57e56a
  Sheogorath authored 1 year ago
  
  7e57e56a
Feb 04, 2024
- ci(earthly): Start moving common tasks into a library · 2a724ce7
  Sheogorath authored 1 year ago
  
  2a724ce7
- chore(deps): update dependency helmrepository to source.toolkit.fluxcd.io/v1beta2 · 93cbc283
  Botaniker (Bot) authored 1 year ago
  
  93cbc283
- chore(deps): update dependency helmrelease to helm.toolkit.fluxcd.io/v2beta2 · 69a79910
  Botaniker (Bot) authored 1 year ago
  
  69a79910
Jan 30, 2024

feat(iot): Add component for restricting network traffic to local network · 587dc679

Sheogorath authored 1 year ago

This patch introduces a new component that can be used to restrict all
ingress resources to a predefined set of whitelisted IP addresses. This
reduces the duplication in ingress objects for the same rule sets over
and over again.

587dc679

feat(shared): Add automatic Ingress patching to oauth2-proxy component · 98ae7dd9

Sheogorath authored 1 year ago

This patch adjusts the component for oauth2-proxy to also include a
patching mechism for all kustomize-defined Ingress objects to be
restricted.

98ae7dd9

fix(shared): Make sure labels aren't unintentionally dropped · 68a13ef0

Sheogorath authored 1 year ago

The first patch that "adds" `{}` to `/metadata/labels` would replace any
existing labels resulting in unexpected behaviour. Instead we rely on
the preexistence of the labels field in the namespace.

68a13ef0

Jan 29, 2024
- feat(oauth2-proxy): Add drift detection for helmrelease · e74f200f
  Sheogorath authored 1 year ago
  
  e74f200f
- fix(forecastle): Fix common labels and move to oauth2-proxy component · b6755c3d
  Sheogorath authored 1 year ago
  
  b6755c3d
- feat(blog): Move to new kustomize-optimised config · f310aed7
  Sheogorath authored 1 year ago
  
  f310aed7
- feat(shared): Add automatic helmrelease serviceaccount patching · 1b811254
  Sheogorath authored 1 year ago
  
  1b811254
- chore(shared): Switch network policies to matchExpressions · 0cce90e7
  Sheogorath authored 1 year ago
  
  This patch moves from labelSelectors to matchExpressions since they are immune to kustomize commonLabels, which prevents them from being overwritten by accident. References: https://github.com/kubernetes-sigs/kustomize/issues/157 https://github.com/kubernetes-sigs/kustomize/issues/1009
  0cce90e7
Jan 28, 2024
- feat(renovate): Move namespace restricitons into kustomize component · 7d0b90e4
  Sheogorath authored 1 year ago
  
  7d0b90e4
- feat(renovate): Use kustomize components · 247b5aeb
  Sheogorath authored 1 year ago
  
  247b5aeb
Jan 06, 2024
- feat(oauth2-proxy): Configure usage of PKCE code challenges · 84317184
  Sheogorath authored 1 year ago
  
  This patch should help to make sure, that nothing uses plaintext signatures.
  84317184
Dec 31, 2023

fix(oauth2-proxy): Fix insecure configuration due to use of trusted-ip config · a500e1ca

Sheogorath authored 1 year ago

The usage of the trusted-ip config resulted in a security incident that
allowed access to any oauth2-proxy protected endpoint without requiring
authentication.

Thankfully all significant endpoints had been protected by additional
measures such as network restrictions and are therefore not affected.
Only the prometheus and alertmanager endpoints have been exposed to the
public internet, but are not exposing sensitive data beyond metrics.

A check of the relevant logs didn't provide any indication of
compromise.

a500e1ca

Dec 17, 2023
- feat(shared): Add kube-dns to outgoing network policies · fb7f5052
  Sheogorath authored 1 year ago
  
  fb7f5052
Dec 13, 2023
- chore(deps): update helm release oauth2-proxy to v6.23.1 · ce070eb8
  Botaniker (Bot) authored 1 year ago
  
  ce070eb8
Dec 12, 2023
- chore(deps): update helm release oauth2-proxy to v6.23.0 · fd7d1286
  Botaniker (Bot) authored 1 year ago
  
  fd7d1286
Dec 09, 2023
- chore(deps): update helm release oauth2-proxy to v6.21.1 · d41ebe96
  Botaniker (Bot) authored 1 year ago
  
  d41ebe96
Dec 08, 2023
- chore(deps): update helm release oauth2-proxy to v6.21.0 · b55b8380
  Botaniker (Bot) authored 1 year ago
  
  b55b8380
Dec 05, 2023
- chore(deps): update helm release oauth2-proxy to v6.20.1 · 315a6909
  Botaniker (Bot) authored 1 year ago
  
  315a6909
Nov 29, 2023
- chore(deps): update helm release oauth2-proxy to v6.20.0 · 57917e92
  Botaniker (Bot) authored 1 year ago
  
  57917e92
Nov 18, 2023
- fix(shared): temporarily allow apiserver access using hardcoded ranges · 1dda7b6d
  Sheogorath authored 1 year ago
  
  1dda7b6d
- chore(deps): update helm release oauth2-proxy to v6.19.1 · 18d192a9
  Botaniker (Bot) authored 1 year ago
  
  18d192a9
Nov 17, 2023
- fix(shared): Add missing access to kube-apiserver · 6c07e06d
  Sheogorath authored 1 year ago
  
  6c07e06d
Nov 14, 2023
- chore(deps): update helm release oauth2-proxy to v6.19.0 · af3d5ce7
  Botaniker (Bot) authored 1 year ago
  
  af3d5ce7
Nov 08, 2023
- chore(deps): update helm release oauth2-proxy to v6.18.1 · 2d1b7ff8
  Botaniker (Bot) authored 1 year ago
  
  2d1b7ff8
Nov 06, 2023
- feat(shared): Fix broken policy definiton · e2fb1ce5
  Sheogorath authored 1 year ago
  
  e2fb1ce5