diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..4c6615e
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,81 @@
+---
+# on: push # yamllint disable-line rule:truthy
+name: CI
+
+
+on:
+ push:
+ branches:
+ - "**"
+ tags:
+ - "*"
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Install yamllint
+ run: pip install yamllint
+
+ - name: Lint YAML files
+ run: yamllint ${PWD}/
+
+
+ # kubescape:
+ # runs-on: ubuntu-latest
+ # permissions:
+ # actions: read
+ # contents: read
+ # security-events: write
+ # steps:
+ # - uses: actions/checkout@v3
+ # - uses: kubescape/github-action@main
+ # continue-on-error: true
+ # with:
+ # format: sarif
+ # outputFile: results
+ # # # Optional: Specify the Kubescape Portal credentials
+ # # account: ${{secrets.KUBESCAPE_ACCOUNT}}
+ # # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}}
+ # # server: ${{ vars.KUBESCAPE_SERVER }}
+ # # # Optional: Scan a specific path. Default will scan the whole repository
+ # # files: "examples/*.yaml"
+ # - name: Upload Kubescape scan results to Github Code Scanning
+ # uses: github/codeql-action/upload-sarif@v3
+ # with:
+ # sarif_file: results.sarif
+
+
+ # kubescape-fix-pr-reviews:
+ # runs-on: ubuntu-latest
+ # permissions:
+ # pull-requests: write
+
+ # steps:
+ # - uses: actions/checkout@v3
+ # with:
+ # fetch-depth: 0
+ # ref: ${{github.event.pull_request.head.ref}}
+ # repository: ${{github.event.pull_request.head.repo.full_name}}
+
+ # - name: Get changed files
+ # id: changed-files
+ # uses: tj-actions/changed-files@v46.0.1
+
+ # - uses: kubescape/github-action@main
+ # with:
+ # # account: ${{secrets.KUBESCAPE_ACCOUNT}}
+ # # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}}
+ # # server: ${{ vars.KUBESCAPE_SERVER }}
+ # # files: ${{ steps.changed-files.outputs.all_changed_files }}
+ # fixFiles: true
+ # format: "sarif"
+
+ # - name: PR Suggester according to SARIF file
+ # if: github.event_name == 'pull_request_target'
+ # uses: HollowMan6/sarif4reviewdog@v1.0.0
+ # with:
+ # file: 'results.sarif'
+ # level: warning
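Review bot: The `lint` job sets no `permissions:` block, so its `GITHUB_TOKEN` gets the repository default scope (still read/write on repositories that predate the restricted default), and both `actions/checkout@v3` and `pip install yamllint` float — a tag can be moved and a new yamllint release is pulled unreviewed on every push. Add a workflow-level `permissions:` with `contents: read`, pin the action to a full commit SHA with the version in a trailing comment (`uses: actions/checkout@<sha> # v3`), and pin the linter (`pip install yamllint==<version>`). The commented-out `kubescape-fix-pr-reviews` job further down checks out `github.event.pull_request.head.ref` with `pull-requests: write` and is guarded by `if: github.event_name == 'pull_request_target'`; if it is kept as a template, a comment saying it must not be re-enabled on `pull_request_target` together with a head-ref checkout would stop someone recreating the classic pwn-request pattern.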
diff --git a/.github/workflows/kubescape-pr.yaml b/.github/workflows/kubescape-pr.yaml
new file mode 100644
index 0000000..2cd234f
--- /dev/null
+++ b/.github/workflows/kubescape-pr.yaml
@@ -0,0 +1,47 @@
+# ---
+# # on: push # yamllint disable-line rule:truthy
+# name: Suggest autofixes with Kubescape for PR by reviews
+# on:
+# - pull_request_target
+# - pull_request
+
+
+# jobs:
+
+# kubescape-fix-pr-reviews:
+# runs-on: ubuntu-latest
+# permissions:
+# pull-requests: write
+
+# steps:
+# - uses: actions/checkout@v3
+# with:
+# fetch-depth: 0
+# ref: ${{github.event.pull_request.head.ref}}
+# repository: ${{github.event.pull_request.head.repo.full_name}}
+
+# - name: Get changed files
+# id: changed-files
+# uses: tj-actions/changed-files@v46.0.1
+
+# - uses: kubescape/github-action@main
+# with:
+# outputFile: results
+# # account: ${{secrets.KUBESCAPE_ACCOUNT}}
+# # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}}
+# # server: ${{ vars.KUBESCAPE_SERVER }}
+# # files: ${{ steps.changed-files.outputs.all_changed_files }}
+# fixFiles: true
+# format: "sarif"
+
+# - name: Upload Kubescape scan results to Github Code Scanning
+# uses: github/codeql-action/upload-sarif@v3
+# with:
+# sarif_file: results.sarif
+
+# - name: PR Suggester according to SARIF file
+# # if: github.event_name == 'pull_request_target'
+# uses: HollowMan6/sarif4reviewdog@v1.0.0
+# with:
+# file: 'results.sarif'
+# level: warning
diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml
new file mode 100644
index 0000000..54b9236
--- /dev/null
+++ b/.github/workflows/kubescape.yaml
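Review bot: The workflow preserved here (entirely commented out) triggers on `pull_request_target` — which runs with the base repository's secrets and a token that here carries `pull-requests: write` — and then checks out `github.event.pull_request.head.ref` from `github.event.pull_request.head.repo.full_name`, i.e. the fork's code; whether that is exploitable depends on what the actions do with the checked-out tree, but it is the shape every pwn-request advisory starts from, and the commented-out `if: github.event_name == 'pull_request_target'` on the last step would not help because the checkout has already happened. If the file stays as a template, add a header comment stating that `pull_request_target` must only be combined with a checkout of the base ref (or gated on `github.event.pull_request.head.repo.full_name == github.repository`); otherwise delete it rather than carry dead workflow code that looks ready to enable.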
@@ -0,0 +1,96 @@
+---
+# name: Kubescape scanning for misconfigurations
+# on: [ pull_request ]
+# jobs:
+# kubescape:
+# runs-on: ubuntu-latest
+# permissions:
+# actions: read
+# contents: read
+# security-events: write
+# steps:
+# - uses: actions/checkout@v3
+# - uses: kubescape/github-action@main
+# continue-on-error: false
+# with:
+# frameworks: NSA,MITRE
+# verbose: true
+# severityThreshold: low
+# on: push # yamllint disable-line rule:truthy
+name: Kubescape scanning for misconfigurations
+on:
+ - pull_request
+ # - push
+
+jobs:
+
+ kubescape:
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ pull-requests: write
+ steps:
+ - uses: actions/checkout@v3
+ # - uses: kubescape/github-action@main
+ # continue-on-error: true
+ # with:
+ # format: sarif
+ # outputFile: results
+ # # # Optional: Specify the Kubescape Portal credentials
+ # # account: ${{secrets.KUBESCAPE_ACCOUNT}}
+ # # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}}
+ # # server: ${{ vars.KUBESCAPE_SERVER }}
+ # # # Optional: Scan a specific path. Default will scan the whole repository
+ # files: "${PWD}/manifests/*.yaml"
+ # frameworks: NSA,MITRE
+ # verbose: true
+ # severityThreshold: low
+
+ - name: Install Kubescape
+ run: |
+ KUBESCAPE_DIR="$HOME/kubescape-bin"
+ mkdir -p "$KUBESCAPE_DIR"
+ LATEST_VERSION=$(curl -s https://api.github.com/repos/kubescape/kubescape/releases/latest | jq -r .tag_name)
+ curl -sL "https://github.com/kubescape/kubescape/releases/download/${LATEST_VERSION}/kubescape-ubuntu-latest" -o "$KUBESCAPE_DIR/kubescape"
+ chmod +x "$KUBESCAPE_DIR/kubescape"
+ echo "$KUBESCAPE_DIR" >> $GITHUB_PATH
+
+ - name: Run Kubescape debug
+ run: |
+ kubescape scan --help
+
+ - name: Run Kubescape scan
+ run: |
+ kubescape scan framework AllControls ${PWD}/manifests/nginx/overlays/static-site-gitlab-built/ \
+ --verbose \
+ --format sarif \
+ --output results.sarif
+
+ - name: Debug SARIF Contents
+ run: |
+ if [ -f results.sarif ]; then
+ cat results.sarif
+ else
+ echo "No SARIF file generated"
+ fi
+
+ - name: Upload Kubescape scan results to Github Code Scanning
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
+
+ - name: Upload scan results (json Report)
+ uses: actions/upload-artifact@v4
+ with:
+ name: results.sarif
+ path: results.sarif
+
+ - name: PR Suggester according to SARIF file
+ # if: github.event_name == 'pull_request_target'
+ uses: HollowMan6/sarif4reviewdog@v1.0.0
+ with:
+ file: 'results.sarif'
+ level: warning
+ filter_mode: nofilter
diff --git a/.vscode/extensions.json b/.vscode/extensions.json
new file mode 100644
index 0000000..3700c79
--- /dev/null
+++ b/.vscode/extensions.json
@@ -0,0 +1,5 @@
+{
+ "recommendations": [
+ "fnando.linter"
+ ]
+}
\ No newline at end of file
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 0000000..01b1f47
--- /dev/null
+++ b/.vscode/settings.json
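Review bot: The `Install Kubescape` step resolves `releases/latest` at run time and executes whatever binary comes back, with no version pin and no checksum or signature check, inside a job that holds `security-events: write` and `pull-requests: write`; `curl -sL` without `-f` additionally means an HTTP error body would be saved and `chmod +x`'d. Pin the release (`KUBESCAPE_VERSION="vX.Y.Z"` in place of the API lookup), fetch with `curl -fsSL`, and verify against a committed digest before the `chmod +x`, e.g. `echo "<sha256>  $KUBESCAPE_DIR/kubescape" | sha256sum -c -`. Note also that the scan step only covers `manifests/nginx/overlays/static-site-gitlab-built/`, so the centurion manifests added in this same change are never scanned, and that on a `pull_request` from a fork the token is read-only, so the reviewdog step will likely fail there — a comment on the trigger saying which case is expected would help.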
@@ -0,0 +1,35 @@
+{
+ "linter.linters": {
+ "yamllint": {
+ "capabilities": [
+ "ignore-line"
+ ],
+ "command": [
+ "yamllint",
+ "--format",
+ "parsable",
+ [
+ "$config",
+ "--config-file",
+ "$config"
+ ],
+ "-"
+ ],
+ "configFiles": [
+ ".yamllint.yml",
+ ".yamllint.yaml",
+ ".yamllint"
+ ],
+ "enabled": true,
+ "languages": [
+ "yaml"
+ ],
+ "name": "yamllint",
+ "url": "https://github.com/adrienverge/yamllint"
+ }
+ },
+ "editor.detectIndentation": false,
+ "editor.indentSize": "tabSize",
+ "editor.tabSize": 2,
+ "files.eol": "\n"
+}
\ No newline at end of file
diff --git a/.yamllint b/.yamllint
new file mode 100644
index 0000000..66fd8f4
--- /dev/null
+++ b/.yamllint
@@ -0,0 +1,69 @@
+---
+
+# extends: default
+
+rules:
+ braces:
+ level: error
+ max-spaces-inside: 1
+ min-spaces-inside: 1
+ min-spaces-inside-empty: 0
+ max-spaces-inside-empty: 0
+
+ brackets:
+ level: error
+ max-spaces-inside: 1
+ min-spaces-inside: 1
+ min-spaces-inside-empty: 0
+ max-spaces-inside-empty: 0
+
+ colons:
+ level: warning
+ max-spaces-after: 1
+
+ commas:
+ level: warning
+
+ comments:
+ level: error
+ require-starting-space: true
+ ignore-shebangs: true
+ min-spaces-from-content: 4
+
+ comments-indentation:
+ level: error
+
+ document-end:
+ level: error
+ present: false
+
+ document-start:
+ level: error
+ present: true
+
+ empty-lines:
+ level: error
+ max: 2
+ max-start: 0
+ max-end: 0
+
+ hyphens:
+ level: error
+ max-spaces-after: 1
+
+ indentation:
+ level: error
+ spaces: 2
+ indent-sequences: true
+ check-multi-line-strings: true
+
+ line-length:
+ level: warning
+ max: 100
+ allow-non-breakable-inline-mappings: true
+
+ new-lines:
+ level: error
+ type: unix
+
+ truthy: disable
diff --git a/manifests/centurion/base/CiliumNetworkPolicy-centurion-api.yaml b/manifests/centurion/base/CiliumNetworkPolicy-centurion-api.yaml
new file mode 100644
index 0000000..5b4804e
--- /dev/null
+++ b/manifests/centurion/base/CiliumNetworkPolicy-centurion-api.yaml
@@ -0,0 +1,38 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: centurion-api
+spec:
+ endpointSelector:
+ matchLabels:
+ name: centurion
+ component: api
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/component: controller
+ io.kubernetes.pod.namespace: ingress
+ toPorts:
+ - ports:
+ - port: "80"
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ rules:
+ dns:
+ - matchPattern: "*"
+ - toServices:
+ - k8sService:
+ serviceName: main-rw
+ namespace: postgres
+ - toServices:
+ - k8sService:
+ serviceName: main
+ namespace: rabbitmq
diff --git a/manifests/centurion/base/CiliumNetworkPolicy-centurion-ui.yaml b/manifests/centurion/base/CiliumNetworkPolicy-centurion-ui.yaml
new file mode 100644
index 0000000..6c6964f
--- /dev/null
+++ b/manifests/centurion/base/CiliumNetworkPolicy-centurion-ui.yaml
@@ -0,0 +1,20 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: centurion-ui
+spec:
+ endpointSelector:
+ matchLabels:
+ name: centurion
+ component: ui
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/component: controller
+ io.kubernetes.pod.namespace: ingress
+ toPorts:
+ - ports:
+ - port: "80"
+ egress:
+ - {}
diff --git a/manifests/centurion/base/CiliumNetworkPolicy-centurion-worker.yaml b/manifests/centurion/base/CiliumNetworkPolicy-centurion-worker.yaml
new file mode 100644
index 0000000..0a6caa5
--- /dev/null
+++ b/manifests/centurion/base/CiliumNetworkPolicy-centurion-worker.yaml
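Review bot: `endpointSelector.matchLabels` uses `name: centurion` / `component: api`, but the API pods in `Deployment-api.yaml` carry `app.kubernetes.io/name: centurion` / `app.kubernetes.io/component: API`, so as written this policy selects no endpoints and the API pods remain unrestricted (Cilium only places endpoints a policy selects into default-deny). The ingress rule also allows pod port `"80"`, whereas the container listens on `8000` (`containerPort: 8000`, reached through the Service's `targetPort: http`); `toPorts` in a CiliumNetworkPolicy is matched against the pod port after service translation, so even with matching labels ingress-nginx traffic would be dropped — change it to `- port: "8000"` with `protocol: TCP`. The `toServices` egress entries for postgres and rabbitmq carry no `toPorts`, so every port on those backends is reachable, and depending on the Cilium version `toServices` may only match Services without selectors — both worth confirming against the cluster and noting in a comment.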
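Review bot: `egress: - {}` is ambiguous in a way that matters: in a Kubernetes NetworkPolicy an empty rule allows everything, but in a CiliumNetworkPolicy my understanding is that an empty rule places the endpoint in default-deny for that direction without allowing any peer (Cilium's own default-deny examples are written exactly this way) — confirm against the Cilium version in use, because one reading is over-broad and the other cuts the UI off from DNS. Either way, write the intent explicitly: a `toEndpoints` rule for kube-dns and a `toServices`/`toEndpoints` rule for the API Service as the api policy does, or a comment explaining why unrestricted egress is needed. Note also that nothing in this change carries the `name: centurion` / `component: ui` labels (the Deployments use the `app.kubernetes.io/*` keys), so the policy currently matches no pods, and the same pod-port-not-Service-port caveat applies to `"80"`.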
@@ -0,0 +1,31 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: centurion-worker
+spec:
+ endpointSelector:
+ matchLabels:
+ name: centurion
+ component: worker
+ ingress:
+ - {}
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ rules:
+ dns:
+ - matchPattern: "*"
+ - toServices:
+ - k8sService:
+ serviceName: main-rw
+ namespace: postgres
+ - toServices:
+ - k8sService:
+ serviceName: main
+ namespace: rabbitmq
diff --git a/manifests/centurion/base/Deployment-api.yaml b/manifests/centurion/base/Deployment-api.yaml
new file mode 100644
index 0000000..98a724e
--- /dev/null
+++ b/manifests/centurion/base/Deployment-api.yaml
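Review bot: `ingress: - {}` either allows all ingress to the worker pods from anywhere (Kubernetes NetworkPolicy semantics) or, as I understand Cilium's empty-rule handling, puts them in default-deny ingress while admitting nothing — confirm which applies to the Cilium version in use, since the worker only exposes the `metrics` port (8080 in `Deployment-worker.yaml`) and the right rule is an explicit `fromEndpoints` entry for the scraper with `toPorts: - port: "8080"`, or a comment stating that no ingress is expected. As with the api policy, the selector keys `name` / `component` do not match the labels the Deployment actually carries (`app.kubernetes.io/name`, `app.kubernetes.io/component: Worker`, note the capital W), so the policy currently selects no pods; either the selector or the Deployment labels must change, and the egress `toServices` entries should gain `toPorts` once the database and broker ports are confirmed.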
@@ -0,0 +1,101 @@
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/component: API
+ app.kubernetes.io/name: centurion
+ name: api
+spec:
+
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: API
+ app.kubernetes.io/name: centurion
+ replicas: 1
+ minReadySeconds: 10
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/component: API
+ app.kubernetes.io/name: centurion
+ spec:
+ terminationGracePeriodSeconds: 10
+ affinity: {}
+ containers:
+ - name: web
+ image: nofusscomputing/centurion-erp:dev
+ env:
+ - name: PROMETHEUS_MULTIPROC_DIR
+ value: "/tmp/prometheus"
+ resources:
+ limits:
+ cpu: 1500m
+ # memory: 800Mi # OOMKilled
+ memory: 1Gi
+ requests:
+ cpu: 10m
+ memory: 20Mi
+
+ ports:
+ - containerPort: 8000
+ name: http
+ - containerPort: 8080
+ name: metrics
+
+ volumeMounts:
+ - name: data
+ mountPath: /data
+ subPath: data
+
+ - name: celery-broker
+ mountPath: /etc/itsm/celery-broker.py
+ subPath: celery-broker.py
+ readOnly: true
+
+ - name: configuration
+ mountPath: /etc/itsm/settings.py
+ subPath: settings.py
+ readOnly: true
+
+ - name: database
+ mountPath: /etc/itsm/database.py
+ subPath: database.py
+ readOnly: true
+
+ - mountPath: /tmp
+ name: tmp
+ subPath: tmp
+
+ tolerations: []
+ volumes:
+ - name: celery-broker
+ secret:
+ secretName: celery-broker
+ items:
+ - key: celery-broker.py
+ path: celery-broker.py
+
+ - name: configuration
+ configMap:
+ name: configuration
+ items:
+ - key: settings.py
+ path: settings.py
+
+ - name: data
+ persistentVolumeClaim:
+ claimName: centurion
+
+ - name: database
+ secret:
+ secretName: database
+ items:
+ - key: database.py
+ path: database.py
+
+ - name: tmp
+ emptyDir:
+ medium: Memory
+ # sizeLimit: 64Mi
diff --git a/manifests/centurion/base/Deployment-worker.yaml b/manifests/centurion/base/Deployment-worker.yaml
new file mode 100644
index 0000000..d36c2ef
--- /dev/null
+++ b/manifests/centurion/base/Deployment-worker.yaml
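Review bot: The `web` container has no `securityContext` at all — no `runAsNonRoot`, `allowPrivilegeEscalation`, `readOnlyRootFilesystem` or capability drop — and runs the mutable `nofusscomputing/centurion-erp:dev` tag, so what actually runs is whatever that tag pointed at on the last pull, under the image's default (possibly root) user; the NSA/MITRE controls the repo's own Kubescape workflow scans for flag exactly this. Add a pod-level seccomp profile and a container `securityContext` as below; the `/tmp` and `/data` mounts suggest a read-only root filesystem is feasible, but I cannot tell from here which UID the image uses or whether it writes elsewhere (TODO confirm before enabling `runAsNonRoot` / `readOnlyRootFilesystem`). Also pin the image by digest (`image: nofusscomputing/centurion-erp:dev@sha256:…`) or a release tag, and give the memory-backed `tmp` emptyDir the commented-out `sizeLimit` so a runaway write into `/tmp/prometheus` is bounded by the limit rather than by node memory (tmpfs pages are charged to the container's memory limit on cgroup v2).
```yaml
    spec:
      terminationGracePeriodSeconds: 10
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      # … unchanged: affinity …
      containers:
        - name: web
          image: nofusscomputing/centurion-erp:dev
          securityContext:
            runAsNonRoot: true              # TODO confirm the image's user
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true    # TODO confirm nothing writes outside /tmp and /data
            capabilities:
              drop: ["ALL"]
          # … unchanged: env, resources, ports, volumeMounts …
```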
@@ -0,0 +1,97 @@
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/component: Worker
+ app.kubernetes.io/name: centurion
+ name: worker
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: Worker
+ app.kubernetes.io/name: centurion
+ replicas: 1
+ minReadySeconds: 10
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/component: Worker
+ app.kubernetes.io/name: centurion
+ spec:
+ terminationGracePeriodSeconds: 10
+ affinity: {}
+ containers:
+ - name: worker
+ image: nofusscomputing/centurion-erp:dev
+ command:
+ - celery
+ - -A
+ - app
+ - worker
+ - -l
+ - INFO
+ resources:
+ limits:
+ cpu: 800m
+ memory: 200Mi
+ requests:
+ cpu: 10m
+ memory: 20Mi
+
+ ports:
+ - containerPort: 8080
+ name: metrics
+
+ volumeMounts:
+
+ - name: celery-broker
+ mountPath: /etc/itsm/celery-broker.py
+ subPath: celery-broker.py
+ readOnly: true
+
+ - name: configuration
+ mountPath: /etc/itsm/settings.py
+ subPath: settings.py
+ readOnly: true
+
+ - name: database
+ mountPath: /etc/itsm/database.py
+ subPath: database.py
+ readOnly: true
+
+ - mountPath: /tmp
+ name: tmp
+ subPath: tmp
+
+ tolerations: []
+ volumes:
+
+ - name: celery-broker
+ secret:
+ secretName: celery-broker
+ items:
+ - key: celery-broker.py
+ path: celery-broker.py
+
+ - name: configuration
+ configMap:
+ name: configuration
+ items:
+ - key: settings.py
+ path: settings.py
+
+ - name: database
+ secret:
+ secretName: database
+ items:
+ - key: database.py
+ path: database.py
+
+ - name: tmp
+ emptyDir:
+ medium: Memory
+ # sizeLimit: 64Mi
+
+
diff --git a/manifests/centurion/base/PVC-centurion.yaml b/manifests/centurion/base/PVC-centurion.yaml
new file mode 100644
index 0000000..3d1fac2
--- /dev/null
+++ b/manifests/centurion/base/PVC-centurion.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: centurion
+spec:
+ volumeMode: Filesystem
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
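Review bot: Same hardening gap as the api Deployment: the `worker` container (`celery -A app worker`) has no `securityContext`, no seccomp profile, and runs the mutable `:dev` tag; since both Deployments share that image, pin it once in `kustomization.yaml` with an `images:` entry carrying `digest:` rather than in each manifest. The worker declares a `metrics` port 8080, but nothing in this change exposes it — there is no Service for the worker and the worker network policy names no scraper — so either add the scrape target or drop the port with a comment saying metrics are not collected. `limits.memory: 200Mi` is set here while the api was raised to 1Gi after an OOMKill (`# memory: 800Mi # OOMKilled`); whether the Celery process has a similar peak I cannot tell from here, but a comment on how the figure was chosen would help.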
diff --git a/manifests/centurion/base/Service-api.yaml b/manifests/centurion/base/Service-api.yaml
new file mode 100644
index 0000000..91e76b7
--- /dev/null
+++ b/manifests/centurion/base/Service-api.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: api
+ labels:
+ app.kubernetes.io/component: API
+ app.kubernetes.io/name: centurion
+spec:
+ selector:
+ app.kubernetes.io/component: API
+ app.kubernetes.io/name: centurion
+ ports:
+ - name: http
+ port: 80
+ targetPort: http
+ - name: metrics
+ port: 8080
+ targetPort: metrics
diff --git a/manifests/centurion/base/kustomization.yaml b/manifests/centurion/base/kustomization.yaml
new file mode 100644
index 0000000..aef5dac
--- /dev/null
+++ b/manifests/centurion/base/kustomization.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: centurion
+
+resources:
+ - PVC-centurion.yaml
+ - Deployment-api.yaml
+ - Deployment-worker.yaml
+ - Service-api.yaml
+ - CiliumNetworkPolicy-centurion-api.yaml
+ - CiliumNetworkPolicy-centurion-ui.yaml
+ - CiliumNetworkPolicy-centurion-worker.yaml
+
+
diff --git a/manifests/nginx/base/configmap-nginx.yaml b/manifests/nginx/base/configmap-nginx.yaml
new file mode 100644
index 0000000..44ce718
--- /dev/null
+++ b/manifests/nginx/base/configmap-nginx.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: nginx
+data:
+ default.conf: |
+ server {
+
+ listen 80;
+
+ access_log /var/log/nginx/access-default.log main;
+ error_log /var/log/nginx/error-default.log;
+
+ error_page 500 502 503 504 /50x.html;
+
+ location / {
+ root /usr/share/nginx/html/;
+
+ }
+ }
diff --git a/manifests/nginx/base/deployment-nginx.yaml b/manifests/nginx/base/deployment-nginx.yaml
new file mode 100644
index 0000000..bff6dee
--- /dev/null
+++ b/manifests/nginx/base/deployment-nginx.yaml
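Review bot: The `api` Service publishes the `metrics` port (8080) on the same ClusterIP as `http`, so anything that can reach the service can read the Prometheus endpoint, yet the api network policy in this change admits only ingress-nginx to the pod — as written the scraper is blocked and everyone else is let through by the Service. Either add an explicit `fromEndpoints` rule for the scraper on `toPorts: - port: "8080"` in the policy, or move `metrics` to a separate Service (or pod-level scrape annotations) that can be targeted independently; in both cases add a comment on the `metrics` entry naming its intended consumer.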
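Review bot: This ConfigMap is named `nginx`, but `deployment-nginx.yaml` mounts `configMap: name: nginx-config`; kustomize's `namePrefix` in the overlay rewrites references to resources it knows (`nginx` → `nofusscomputing-nginx`), not the unknown `nginx-config`, so the pod will sit in ContainerCreating with a missing ConfigMap unless one is created out of band — rename one side so they agree. In the nginx config itself, add `server_tokens off;` to the `server` block so the version banner is not emitted, and note that `error_page 500 502 503 504 /50x.html` resolves into the hostPath-backed web root, where that file may not exist.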
@@ -0,0 +1,39 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx
+spec:
+ replicas: 1
+ template:
+ spec:
+ containers:
+ - name: backend
+ image: docker.io/nginx:alpine
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 80
+ name: http
+ resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
+ requests:
+ cpu: 10m
+ memory: 20Mi
+ volumeMounts:
+ - name: http-root
+ mountPath: /usr/share/nginx/html
+ mountPropagation: HostToContainer
+ - name: nginx-config
+ mountPath: /etc/nginx/conf.d
+ tolerations: []
+ volumes:
+ - name: http-root
+ hostPath:
+ # Ensure the file directory is created.
+ path: /opt/webserver
+ type: DirectoryOrCreate
+ - name: nginx-config
+ configMap:
+ name: nginx-config
diff --git a/manifests/nginx/base/kustomization.yaml b/manifests/nginx/base/kustomization.yaml
new file mode 100644
index 0000000..cda279d
--- /dev/null
+++ b/manifests/nginx/base/kustomization.yaml
@@ -0,0 +1,17 @@
+---
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: website
+
+commonLabels:
+ app.kubernetes.io/part-of: website
+ app.kubernetes.io/component: webserver
+ app.kubernetes.io/name: nginx
+
+
+resources:
+ - configmap-nginx.yaml
+ - service.yaml
+ - deployment-nginx.yaml
diff --git a/manifests/nginx/base/service.yaml b/manifests/nginx/base/service.yaml
new file mode 100644
index 0000000..d66a0b0
--- /dev/null
+++ b/manifests/nginx/base/service.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: nginx
+spec:
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 80
diff --git a/manifests/nginx/components/gitlab_runner/kustomization.yaml b/manifests/nginx/components/gitlab_runner/kustomization.yaml
new file mode 100644
index 0000000..f3d3842
--- /dev/null
+++ b/manifests/nginx/components/gitlab_runner/kustomization.yaml
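Review bot: The `http-root` volume is a `hostPath` (`/opt/webserver`, `DirectoryOrCreate`) mounted with `mountPropagation: HostToContainer`, which pins the site content to one node's filesystem and is exactly what Pod Security `baseline` and the repo's own Kubescape scan reject; if the intent is that the GitLab runner writes the built site there (the commented node-affinity patch in `runner-website.yaml` suggests so), a shared PVC or an init container that fetches the pipeline artifact gives the same result without handing two pods raw host access. Independently, the container has no `securityContext` and `docker.io/nginx:alpine` is a floating tag with `imagePullPolicy: Always` — pin by digest and add `allowPrivilegeEscalation: false` plus `capabilities: { drop: ["ALL"] }` (the stock image binds port 80 as root, so `runAsNonRoot: true` would need the unprivileged variant on 8080 — TODO confirm). `spec.selector` is absent and the Deployment appears to rely on kustomize `commonLabels` to inject it; a one-line comment saying so would save the next reader a puzzled minute.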
@@ -0,0 +1,26 @@
+---
+
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+images:
+ - name: registry.gitlab.com/gitlab-org/gitlab-runner
+ newTag: v17.6.1
+
+
+resources:
+ - runner-website.yaml
+
+
+patches:
+ - target:
+ kind: Runner
+ name: gitlab-runner
+ patch: |-
+ - op: add
+ path: /spec/tags
+ value: production,website
+
+ - op: add
+ path: /spec/runnerImage
+ value: registry.gitlab.com/gitlab-org/gitlab-runner:v17.6.0
diff --git a/manifests/nginx/components/gitlab_runner/runner-website.yaml b/manifests/nginx/components/gitlab_runner/runner-website.yaml
new file mode 100644
index 0000000..8182df1
--- /dev/null
+++ b/manifests/nginx/components/gitlab_runner/runner-website.yaml
@@ -0,0 +1,33 @@
+---
+
+apiVersion: apps.gitlab.com/v1beta2
+kind: Runner
+metadata:
+ name: gitlab-runner
+spec:
+ gitlabUrl: https://gitlab.com
+ podSpec:
+ - name: gitlab-runner
+ patchType: merge
+ patch: |
+ securityContext:
+ runAsNonRoot: false
+
+ # # Production patch: why - the runner pod will need to be on the same node as the website web server
+ # - name: website-runner
+ # patchType: merge
+ # patch: |
+ # affinity:
+ # nodeAffinity:
+ # requiredDuringSchedulingIgnoredDuringExecution:
+ # nodeSelectorTerms:
+ # - matchExpressions:
+ # - key: kubernetes.io/arch
+ # operator: In
+ # values:
+ # - amd64
+ # securityContext:
+ # runAsNonRoot: false
+ # runnerImage: "see-patch"
+ token: token-secret-name
+ # tags: tag1,tag2
diff --git a/manifests/nginx/components/ingress/ingress.yaml b/manifests/nginx/components/ingress/ingress.yaml
new file mode 100644
index 0000000..db12f6c
--- /dev/null
+++ b/manifests/nginx/components/ingress/ingress.yaml
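Review bot: The `images:` entry pins `registry.gitlab.com/gitlab-org/gitlab-runner` to `v17.6.1`, but the JSON patch two stanzas below sets `spec/runnerImage` to `...gitlab-runner:v17.6.0` — two versions for what reads as the same image. As far as I know kustomize's image transformer only rewrites container image fields it recognises (`containers`/`initContainers`), not a `Runner` CR's `spec.runnerImage`, so the older `v17.6.0` from the patch is what the operator will see and the `images:` entry is likely a no-op here — confirm with `kustomize build`, then set the version in one place, preferably with a digest (`newDigest:` or `image@sha256:…`), since this runner executes CI jobs from gitlab.com and should not upgrade silently.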
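Review bot: `securityContext: runAsNonRoot: false` is patched onto the runner pod with no explanation; this runner executes pipeline jobs fetched from gitlab.com, so deliberately removing the non-root guarantee widens what a compromised or malicious job can reach on the node — especially with the commented production patch that co-locates it with the nginx pod's hostPath. Add a comment stating why root is required (if it is about writing `/opt/webserver` with the host's ownership, fixing the directory's owner or using `fsGroup` is the narrower fix) and keep `runAsNonRoot: true` otherwise. `token: token-secret-name` is a placeholder that the overlay's `replacements` overwrites; say so in a comment, since on its own this component references a Secret that does not exist.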
@@ -0,0 +1,35 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: nginx
+ annotations:
+ cert-manager.io/cluster-issuer: "cluster"
+ cert-manager.io/common-name: "domain-name.tld"
+ cert-manager.io/duration: "2160h"
+ cert-manager.io/subject-organizations: "N/A"
+ cert-manager.io/subject-organizationalunits: "N/A"
+ cert-manager.io/subject-countries: "N/A"
+ cert-manager.io/subject-provinces: "N/A"
+ # cert-manager.io/subject-localities: "N/A"
+ cert-manager.io/private-key-algorithm: "ECDSA"
+ cert-manager.io/private-key-size: "384"
+ cert-manager.io/private-key-rotation-policy: "Always"
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+
+spec:
+ rules:
+ - host: "domain-name.tld"
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: nginx
+ port:
+ name: http
+ tls:
+ - hosts:
+ - "domain-name.tld"
+ secretName: "certificate-tls-domain-name.tld"
diff --git a/manifests/nginx/components/ingress/kustomization.yaml b/manifests/nginx/components/ingress/kustomization.yaml
new file mode 100644
index 0000000..b7ab36f
--- /dev/null
+++ b/manifests/nginx/components/ingress/kustomization.yaml
@@ -0,0 +1,35 @@
+---
+
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+
+resources:
+ - ingress.yaml
+
+patches:
+
+ - patch: |-
+ - op: replace
+ path: /metadata/annotations/cert-manager.io~1cluster-issuer
+ value: cluster
+
+ - op: replace
+ path: /metadata/annotations/cert-manager.io~1common-name
+ value: my-domain-name.tld
+
+ - op: replace
+ path: /spec/rules/0/host
+ value: my-domain-name.tld
+
+ - op: replace
+ path: /spec/tls/0/hosts/0
+ value: my-domain-name.tld
+
+ - op: replace
+ path: /spec/tls/0/secretName
+ value: certificate-tls-domain-name.tld
+ target:
+ kind: Ingress
+ name: nginx
+ version: v1
diff --git a/manifests/nginx/overlays/static-site-gitlab-built/kustomization.yaml b/manifests/nginx/overlays/static-site-gitlab-built/kustomization.yaml
new file mode 100644
index 0000000..963b781
--- /dev/null
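Review bot: The Ingress relies on an ingress-nginx-specific annotation (`nginx.ingress.kubernetes.io/ssl-redirect: "true"`) but sets no `spec.ingressClassName`, so which controller claims it — and therefore whether the redirect is enforced at all — depends on a default class being configured in the cluster; add `ingressClassName: nginx` (or the cluster's actual class) under `spec:` so the controller that understands the annotation is the one serving it. The four cert-manager subject annotations are literal `"N/A"` and will be embedded into the issued certificate's subject; drop them rather than ship placeholder values. ECDSA P-384 with `private-key-rotation-policy: "Always"` is a sound choice — a one-line comment on why 384 over 256 would help the next reader.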
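Review bot: Two of the five `replace` operations are no-ops against the base (`cluster-issuer` is already `cluster`, and `secretName` is replaced with the same `certificate-tls-domain-name.tld` the base carries), while the host fields change to `my-domain-name.tld`; because the TLS Secret name no longer follows the host, a second overlay copying this component would share one Secret name across two domains and cert-manager would overwrite one certificate with the other. Either derive the secret name from the host (`value: certificate-tls-my-domain-name.tld`) or remove the no-op operations and add a header comment stating that this component is a template to be copied and edited per environment.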
+++ b/manifests/nginx/overlays/static-site-gitlab-built/kustomization.yaml
@@ -0,0 +1,42 @@
+---
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+
+namePrefix: nofusscomputing-
+
+
+namespace: website
+
+
+resources:
+ - ../../base/
+
+
+components:
+ - ../../components/gitlab_runner/
+ - ../../components/ingress/
+
+
+secretGenerator:
+ - name: gitlab-runner-token
+ envs:
+ - runner-registration-token.env
+ type: Opaque
+
+generatorOptions:
+ disableNameSuffixHash: true
+
+
+replacements:
+ - source:
+ kind: Secret
+ name: gitlab-runner-token
+ fieldPath: metadata.name
+ targets:
+ - select:
+ kind: Runner
+ name: gitlab-runner
+ fieldPaths:
+ - spec.token
diff --git a/manifests/nginx/overlays/static-site-gitlab-built/runner-registration-token.env b/manifests/nginx/overlays/static-site-gitlab-built/runner-registration-token.env
new file mode 100644
index 0000000..4eeeea7
--- /dev/null
+++ b/manifests/nginx/overlays/static-site-gitlab-built/runner-registration-token.env
@@ -0,0 +1 @@
+runner-registration-token=MY-GITLAB-REGISTRATION-TOKEN
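Review bot: `secretGenerator` builds the runner token Secret from `runner-registration-token.env`, a file that is committed to the repository with a placeholder value and, with `disableNameSuffixHash: true`, is meant to be edited in place — the first person who makes this overlay work will replace `MY-GITLAB-REGISTRATION-TOKEN` with the real token in-tree. Add the `.env` file to `.gitignore`, keep a `runner-registration-token.env.example` with the placeholder, and document in a comment above `secretGenerator` that the real value must come from an external/sealed secret or an uncommitted local file. Separately, GitLab has deprecated runner registration tokens in favour of per-runner authentication tokens (`glrt-…`), so the `runner-registration-token` key name and the secret format the operator expects should be confirmed against the runner/operator version pinned in the component (v17.6.x).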