codeformuenster · ubergesundheit · Jan 28, 2024 · Jan 30, 2024 · Jan 30, 2024 · Feb 3, 2024
diff --git a/.github/workflows/test-on-pr.yaml b/.github/workflows/test-on-pr.yaml
@@ -3,22 +3,15 @@ on: pull_request
 
 jobs:
   lint:
-    name: "Lint '${{ matrix.directory }}' kustomization"
+    name: "Lint kustomization"
     runs-on: ubuntu-latest
-    strategy:
-       fail-fast: false
-       matrix:
-        directory:
-        - sources/crashes
-        - sources/traffics
-
     steps:
       - name: 'checkout'
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
-      - name: Build and validate ${{ matrix.directory }} kustomizations
-        uses: ubergesundheit/kube-check-action@v1.0.2
+      - name: Build and validate kustomization
+        uses: ubergesundheit/kube-check-action@main
         with:
-          kustomize_build_input: ${{ matrix.directory }}
-          kube-linter_flags: "--config ${{ matrix.directory }}/.kube-linter.yaml"
-          kubeconform_flags: "-strict -kubernetes-version 1.24.10"
+          kustomize_build_input: sync
+          kube-linter_flags: "--config .kube-linter.yaml"
+          kubeconform_flags: "-strict -kubernetes-version 1.28.9 -schema-location 'https://raw.githubusercontent.com/ubergesundheit/kube-check-action/main/kubeconform-schemas/{{.ResourceKind}}.json' -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json' -schema-location default"
diff --git a/.gitignore b/.gitignore
@@ -2,3 +2,4 @@ secrets/
 terraform/scaleway-config.tfvars
 DEVNOTES.md
 temp/
+*.key
diff --git a/sources/crashes/.kube-linter.yaml → .kube-linter.yaml b/sources/crashes/.kube-linter.yaml → .kube-linter.yaml
@@ -1,6 +1,4 @@
 checks:
   exclude:
-  - no-read-only-root-fs
-  - run-as-non-root
   - unset-cpu-requirements
   - unset-memory-requirements
diff --git a/.sops.yaml b/.sops.yaml
@@ -0,0 +1,5 @@
+creation_rules:
+- encrypted_regex: ^(data|stringData)$
+  path_regex: apps/*/*
+  age: >-
+    age1nzqaqzm7wfz04ld5esukhkghmayzt8xmnrjlau0rdcycjlu53pesgew089
diff --git a/LICENSE b/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2016 
+Copyright (c) 2024
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

diff --git a/README.md b/README.md
@@ -1,13 +1,21 @@
 # Deployment on Kubernetes
-[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fcodeformuenster%2Fkubernetes-deployment.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2Fcodeformuenster%2Fkubernetes-deployment?ref=badge_shield)
 
+License: [MIT](LICENSE)
 
-> experimental, work in progress, please fix me
+## Old master
 
-For now see:
-- [terraform](terraform)
-- [manifests](manifests)
+Old master branch has been preserved in [`old-master`](https://github.com/codeformuenster/kubernetes-deployment/tree/old-master) branch.
 
+## Encrypted secrets
 
-## License
-[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fcodeformuenster%2Fkubernetes-deployment.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Fcodeformuenster%2Fkubernetes-deployment?ref=badge_large)
+Secrets in this repository should be encrypted using [SOPS](https://github.com/mozilla/sops) and [age](https://github.com/FiloSottile/age).
+
+```
+# decrypt
+SOPS_AGE_KEY_FILE=/path/to/your/key.txt sops --output path/to/file --decrypt path/to/sops-secret.file
+
+# edit ...
+
+# encrypt again (public age key comes from the .sops.yaml)
+sops --output path/to/sops-secret.file -e path/to/file
+```
diff --git a/addons/clusterissuer.yaml b/addons/clusterissuer.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-c4m
+spec:
+  acme:
+    email: [email protected]
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-c4m-issuer-account-key
+    solvers:
+    - http01:
+        ingress:
+          class: changeme
diff --git a/vsh-cluster/kustomization.yaml → addons/kustomization.yaml b/vsh-cluster/kustomization.yaml → addons/kustomization.yaml
@@ -2,5 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-- ./essentials
-- ./apps
+- ./clusterissuer.yaml
diff --git a/apps/crashes/kustomization.yaml b/apps/crashes/kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: c4m-crashes
+
+resources:
+- ../../base/namespace-pss-restricted
+- ./postgis.yaml
+- ./shiny.yaml
+
+labels:
+- includeSelectors: true
+  pairs:
+    app.kubernetes.io/part-of: crashfals
diff --git a/vsh-cluster/apps/crashes/postgis.yaml → apps/crashes/postgis.yaml b/vsh-cluster/apps/crashes/postgis.yaml → apps/crashes/postgis.yaml
@@ -14,11 +14,20 @@ spec:
     app.kubernetes.io/name: postgis
     app.kubernetes.io/component: database
 
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgis-crashes
+automountServiceAccountToken: false
+
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: postgis
+  annotations:
+    "ignore-check.kube-linter.io/no-read-only-root-fs": "writable fs is required"
   labels:
     app.kubernetes.io/name: postgis
     app.kubernetes.io/component: database
@@ -37,6 +46,8 @@ spec:
         app.kubernetes.io/component: database
     spec:
       terminationGracePeriodSeconds: 10
+      automountServiceAccountToken: false
+      serviceAccountName: postgis-crashes
       containers:
       - name: postgis
         image: quay.io/codeformuenster/verkehrsunfaelle:2019-11-15
@@ -45,7 +56,17 @@ spec:
           containerPort: 5432
         resources:
           requests:
-            memory: "2048Mi"
-            cpu: "1000m"
+            memory: "360Mi"
+            cpu: "100m"
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 70
+          runAsNonRoot: true
+          runAsUser: 70
+          seccompProfile:
+            type: RuntimeDefault
           # limits:
           #   cpu: "5000m"
diff --git a/sources/crashes/shiny.yaml → apps/crashes/shiny.yaml b/sources/crashes/shiny.yaml → apps/crashes/shiny.yaml
@@ -12,13 +12,20 @@ spec:
     app.kubernetes.io/name: shiny
     app.kubernetes.io/component: webserver
 
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: shiny-crashes
+automountServiceAccountToken: false
+
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: shiny
   annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
+    cert-manager.io/cluster-issuer: letsencrypt-c4m
   labels:
     app.kubernetes.io/name: shiny
     app.kubernetes.io/component: webserver
@@ -59,23 +66,54 @@ spec:
         app.kubernetes.io/name: shiny
         app.kubernetes.io/component: webserver
     spec:
+      automountServiceAccountToken: false
+      serviceAccountName: shiny-crashes
+      securityContext:
+        fsGroup: 998
       containers:
       - name: shiny
-        image: quay.io/codeformuenster/crashes-shiny:4.9.9
+        image: quay.io/codeformuenster/crashes-shiny:v6.7.2
         resources:
           requests:
-            memory: "1024Mi"
+            memory: "350Mi"
             cpu: "640m"
         ports:
         - containerPort: 3838
+        env:
+        - name: TMPDIR
+          value: /tmp/shiny
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsGroup: 998
+          runAsNonRoot: true
+          runAsUser: 998
+          seccompProfile:
+            type: RuntimeDefault
         volumeMounts:
         - name: renviron-file
           mountPath: /srv/shiny-server/.Renviron
           subPath: .Renviron
+        - name: shiny-tmp
+          mountPath: /var/log/shiny-server
+          subPath: log
+        - name: shiny-tmp
+          mountPath: /var/lib/shiny-server
+          subPath: lib
+        - name: shiny-tmp
+          mountPath: /tmp
+          subPath: tmp
       volumes:
       - name: renviron-file
         configMap:
           name: renviron
+      - name: shiny-tmp
+        emptyDir:
+          medium: Memory
+          sizeLimit: 100Mi
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -87,4 +125,3 @@ metadata:
 data:
   .Renviron: |
     POSTGRES_HOST=postgis
-    FATHOM_SITEID=ESCBJ
diff --git a/vsh-cluster/apps/kustomization.yaml → apps/kustomization.yaml b/vsh-cluster/apps/kustomization.yaml → apps/kustomization.yaml
@@ -2,5 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-- ./traffics
 - ./crashes
+- ./traffics
+- ./muenster-update
diff --git a/apps/muenster-update/gitrepo.yaml b/apps/muenster-update/gitrepo.yaml
@@ -0,0 +1,15 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: codeformuenster-muenster-jetzt
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://github.com/codeformuenster/muenster-jetzt.git
+  ref:
+    branch: master
+  ignore: |
+    # exclude all
+    /*
+    # include deployment dir
+    !/deployment/base
diff --git a/apps/muenster-update/image-automations.yaml b/apps/muenster-update/image-automations.yaml
@@ -0,0 +1,83 @@
+apiVersion: image.toolkit.fluxcd.io/v1beta2
+kind: ImageRepository
+metadata:
+  name: muenster-jetzt-api-container-image
+  namespace: flux-system
+spec:
+  image: docker.io/codeformuenster/muenster-jetzt-api
+  interval: 30m0s
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta2
+kind: ImageRepository
+metadata:
+  name: muenster-jetzt-api-static-container-image
+  namespace: flux-system
+spec:
+  image: docker.io/codeformuenster/muenster-jetzt-api-static
+  interval: 30m0s
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta2
+kind: ImageRepository
+metadata:
+  name: muenster-jetzt-frontend-container-image
+  namespace: flux-system
+spec:
+  image: docker.io/codeformuenster/muenster-jetzt-frontend
+  interval: 30m0s
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta2
+kind: ImagePolicy
+metadata:
+  name: muenster-jetzt-api-staging
+  namespace: flux-system
+spec:
+  imageRepositoryRef:
+    name: muenster-jetzt-api-container-image
+  policy:
+    alphabetical:
+      order: asc
+  filterTags:
+    pattern: '^master-[a-fA-F0-9]{7}-(?P<timestamp>\d{10,})$'
+    extract: '$timestamp'
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta2
+kind: ImagePolicy
+metadata:
+  name: muenster-jetzt-api-static-staging
+  namespace: flux-system
+spec:
+  imageRepositoryRef:
+    name: muenster-jetzt-api-static-container-image
+  policy:
+    alphabetical:
+      order: asc
+  filterTags:
+    pattern: '^master-[a-fA-F0-9]{7}-(?P<timestamp>\d{10,})$'
+    extract: '$timestamp'
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta2
+kind: ImagePolicy
+metadata:
+  name: muenster-jetzt-frontend-staging
+  namespace: flux-system
+spec:
+  imageRepositoryRef:
+    name: muenster-jetzt-frontend-container-image
+  policy:
+    alphabetical:
+      order: asc
+  filterTags:
+    pattern: '^master-[a-fA-F0-9]{7}-(?P<timestamp>\d{10,})$'
+    extract: '$timestamp'
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta2
+kind: ImagePolicy
+metadata:
+  name: muenster-jetzt-production
+  namespace: flux-system
+spec:
+  imageRepositoryRef:
+    name: muenster-jetzt-frontend-container-image
+  policy:
+    semver:
+      range: ">=v0.1.0"
diff --git a/vsh-cluster/essentials/kustomization.yaml → apps/muenster-update/kustomization.yaml b/vsh-cluster/essentials/kustomization.yaml → apps/muenster-update/kustomization.yaml
@@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-- ./longhorn
-- ./flux
-- ./ingress-nginx
-- ./cert-manager.yaml
+- ./gitrepo.yaml
+- ./image-automations.yaml
+- ./staging
+- ./production
diff --git a/apps/muenster-update/production/kustomization.yaml b/apps/muenster-update/production/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: c4m-muenster-jetzt-production
+
+resources:
+- ../../../base/namespace-pss-restricted
+- muenster-jetzt-production.enc.yaml
+- sync.yaml