Commits · e74f200f888f8bbacafdab9667c6ce4422a9dadd · Shivering-Isles / Infrastructure GitOps

Jan 29, 2024
- feat(oauth2-proxy): Add drift detection for helmrelease · e74f200f
  Sheogorath authored 1 year ago
  
  e74f200f
- fix(forecastle): Fix common labels and move to oauth2-proxy component · b6755c3d
  Sheogorath authored 1 year ago
  
  b6755c3d
- feat(blog): Move to new kustomize-optimised config · f310aed7
  Sheogorath authored 1 year ago
  
  f310aed7
- feat(shared): Add automatic helmrelease serviceaccount patching · 1b811254
  Sheogorath authored 1 year ago
  
  1b811254
- chore(shared): Switch network policies to matchExpressions · 0cce90e7
  Sheogorath authored 1 year ago
  
  This patch moves from labelSelectors to matchExpressions since they are immune to kustomize commonLabels, which prevents them from being overwritten by accident. References: https://github.com/kubernetes-sigs/kustomize/issues/157 https://github.com/kubernetes-sigs/kustomize/issues/1009
  0cce90e7
Jan 28, 2024
- feat(renovate): Move namespace restricitons into kustomize component · 7d0b90e4
  Sheogorath authored 1 year ago
  
  7d0b90e4
- feat(renovate): Use kustomize components · 247b5aeb
  Sheogorath authored 1 year ago
  
  247b5aeb
Jan 06, 2024
- feat(oauth2-proxy): Configure usage of PKCE code challenges · 84317184
  Sheogorath authored 1 year ago
  
  This patch should help to make sure, that nothing uses plaintext signatures.
  84317184
Dec 31, 2023

fix(oauth2-proxy): Fix insecure configuration due to use of trusted-ip config · a500e1ca

Sheogorath authored 1 year ago

The usage of the trusted-ip config resulted in a security incident that
allowed access to any oauth2-proxy protected endpoint without requiring
authentication.

Thankfully all significant endpoints had been protected by additional
measures such as network restrictions and are therefore not affected.
Only the prometheus and alertmanager endpoints have been exposed to the
public internet, but are not exposing sensitive data beyond metrics.

A check of the relevant logs didn't provide any indication of
compromise.

a500e1ca

Dec 17, 2023
- feat(shared): Add kube-dns to outgoing network policies · fb7f5052
  Sheogorath authored 1 year ago
  
  fb7f5052
Dec 13, 2023
- chore(deps): update helm release oauth2-proxy to v6.23.1 · ce070eb8
  Botaniker (Bot) authored 1 year ago
  
  ce070eb8
Dec 12, 2023
- chore(deps): update helm release oauth2-proxy to v6.23.0 · fd7d1286
  Botaniker (Bot) authored 1 year ago
  
  fd7d1286
Dec 09, 2023
- chore(deps): update helm release oauth2-proxy to v6.21.1 · d41ebe96
  Botaniker (Bot) authored 1 year ago
  
  d41ebe96
Dec 08, 2023
- chore(deps): update helm release oauth2-proxy to v6.21.0 · b55b8380
  Botaniker (Bot) authored 1 year ago
  
  b55b8380
Dec 05, 2023
- chore(deps): update helm release oauth2-proxy to v6.20.1 · 315a6909
  Botaniker (Bot) authored 1 year ago
  
  315a6909
Nov 29, 2023
- chore(deps): update helm release oauth2-proxy to v6.20.0 · 57917e92
  Botaniker (Bot) authored 1 year ago
  
  57917e92
Nov 18, 2023
- fix(shared): temporarily allow apiserver access using hardcoded ranges · 1dda7b6d
  Sheogorath authored 1 year ago
  
  1dda7b6d
- chore(deps): update helm release oauth2-proxy to v6.19.1 · 18d192a9
  Botaniker (Bot) authored 1 year ago
  
  18d192a9
Nov 17, 2023
- fix(shared): Add missing access to kube-apiserver · 6c07e06d
  Sheogorath authored 1 year ago
  
  6c07e06d
Nov 14, 2023
- chore(deps): update helm release oauth2-proxy to v6.19.0 · af3d5ce7
  Botaniker (Bot) authored 1 year ago
  
  af3d5ce7
Nov 08, 2023
- chore(deps): update helm release oauth2-proxy to v6.18.1 · 2d1b7ff8
  Botaniker (Bot) authored 1 year ago
  
  2d1b7ff8
Nov 06, 2023
- feat(shared): Fix broken policy definiton · e2fb1ce5
  Sheogorath authored 1 year ago
  
  e2fb1ce5
Nov 05, 2023
- fix(shared): Use proper egress network policy schema · c952b2dc
  Sheogorath authored 1 year ago
  
  c952b2dc
- fix(shared): Use NAS IP directly · 563c61a5
  Sheogorath authored 1 year ago
  
  563c61a5
- feat(shared): Add egress network policy for postgres operator · da3b1f25
  Sheogorath authored 1 year ago
  
  da3b1f25
Oct 31, 2023
- feat(shared): Add explicit access to ingress controller · befd013b
  Sheogorath authored 1 year ago
  
  befd013b
- feat(mastodon): Restrict outgoing network traffic for Mastodon · 0024e0ae
  Sheogorath authored 1 year ago
  
  0024e0ae
Oct 20, 2023
- fix(shared): Adjust mailbox.org network policy to allow mail protocols · 900db86a
  Sheogorath authored 1 year ago
  
  900db86a
Oct 18, 2023
- chore(deps): update helm release oauth2-proxy to v6.18.0 · a8db68e6
  Botaniker (Bot) authored 1 year ago
  
  a8db68e6
Sep 26, 2023
- feat(oauth2-proxy): Add trusted IPs for reverse-proxy · b404d3ca
  Sheogorath authored 1 year ago
  
  b404d3ca
- fix(oauth2-proxy): Adjust oauth-proxy to use correct group claim · af7bf965
  Sheogorath authored 1 year ago
  
  af7bf965
Sep 25, 2023
- chore(deps): update helm release oauth2-proxy to v6.17.1 · 4643e92d
  Botaniker (Bot) authored 1 year ago
  
  4643e92d
Sep 16, 2023

feat(oauth2-proxy): Switch to topologySpreadConstraints · 238da3c2

Sheogorath authored 1 year ago

This patch adjusts the central oauth2-proxy resource to use
`topologySpreadConstraints` instead of using `podAntiAffinity`. This
helps with reducing the risk of Pending Pods e.g. during updates when
also a pod config is adjusted.

238da3c2

Sep 15, 2023
- feat(oauth2-proxy): First experiment with abstracting to shared module · 3013dee3
  Sheogorath authored 1 year ago
  
  3013dee3
Sep 14, 2023
- fix(shared): Increase default resource quota to 16Gi and 4 CPUs · 7c83a38e
  Sheogorath authored 1 year ago
  
  7c83a38e
Sep 13, 2023

feat(goharbor): Add "external", operator-managed redis cluster · a165d304

Sheogorath authored 1 year ago

This patch should make redis HA, which should eliminate another SPOF for
goharbor. This is the first usage for the new redis operator.

a165d304

Jul 21, 2023
- feat(uptime-kuma): Add SMTP support · c5f80c48
  Sheogorath authored 1 year ago
  
  c5f80c48
Feb 21, 2023
- fix(cert-manager): Fix shared network-policy names · b12dc664
  Sheogorath authored 2 years ago
  
  b12dc664
- fix(cert-manager): Add missing kube-dns to http-challenge egress · e3630542
  Sheogorath authored 2 years ago
  
  e3630542
- fix(uptime-kuma): Add network policy for HTTP challenge · e435f0f6
  Sheogorath authored 2 years ago
  
  e435f0f6