From 0cd5fc3c945229b2ca06e8c9d64278293e411e90 Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Tue, 9 Apr 2024 04:23:54 +0800
Subject: [PATCH] chore: cleanup
---
 .renovate/groups.json5 | 12 +-
 kube/deploy/apps/linkding/app/hr.yaml | 2 +-
 kube/deploy/apps/searxng/app/es.yaml | 19 +++
 kube/deploy/apps/searxng/app/hr.yaml | 145 +++++++++++++-------
 kube/deploy/apps/searxng/app/netpol.yaml | 19 ---
 kube/deploy/apps/searxng/app/secrets.yaml | 10 --
 kube/deploy/apps/searxng/ks.yaml | 37 +----
 kube/deploy/apps/searxng/kustomization.yaml | 1 -
 kube/deploy/apps/searxng/ns.yaml | 5 +
 kube/deploy/apps/searxng/secret-redis.yaml | 9 --
 kube/deploy/apps/whoogle/app/hr.yaml | 11 +-
 kube/deploy/apps/whoogle/app/netpol.yaml | 45 ------
 12 files changed, 136 insertions(+), 179 deletions(-)
 create mode 100644 kube/deploy/apps/searxng/app/es.yaml
 delete mode 100644 kube/deploy/apps/searxng/app/netpol.yaml
 delete mode 100644 kube/deploy/apps/searxng/app/secrets.yaml
 delete mode 100644 kube/deploy/apps/searxng/secret-redis.yaml
 delete mode 100644 kube/deploy/apps/whoogle/app/netpol.yaml
diff --git a/.renovate/groups.json5 b/.renovate/groups.json5
index 3e326fe3..abeca869 100644
--- a/.renovate/groups.json5
+++ b/.renovate/groups.json5
@@ -148,12 +148,12 @@
 "versioning": "semver",
 "versionCompatibility": "^(?[^-]+)(?-.*)?$"
 },
- {
- "description": "SearXNG versioning",
- "matchPackagePatterns": ["searxng"],
- "matchDatasources": ["docker"],
- "versioning": "regex:^(?\\d+)\\.(?\\d+)\\.(?\\d+)-(:?.*)$"
- },
+ // {
+ // "description": "SearXNG versioning",
+ // "matchPackagePatterns": ["searxng"],
+ // "matchDatasources": ["docker"],
+ // "versioning": "regex:^(?\\d+)\\.(?\\d+)\\.(?\\d+)-(:?.*)$"
+ // },
 {
 "description": "Configure more granular control for apps in ./kube/deploy/core",
 "matchFileNames": ["kube/deploy/core/**"],
diff --git a/kube/deploy/apps/linkding/app/hr.yaml b/kube/deploy/apps/linkding/app/hr.yaml
index 4a10ef15..576e8933 100644
--- a/kube/deploy/apps/linkding/app/hr.yaml
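Review bot: The SearXNG versioning rule is commented out rather than deleted, leaving six lines of dead JSON5 that Renovate never reads; since the searxng image in the hr.yaml hunk now uses a `latest@sha256:` tag, Renovate tracks the digest only and the regex rule can be removed outright, with git history keeping it should the tag scheme return. If it is kept on purpose as a reminder, a one-line `// disabled: searxng image is digest-pinned on the latest tag` above the block would say why.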
+++ b/kube/deploy/apps/linkding/app/hr.yaml
@@ -24,7 +24,7 @@ spec:
 ingress.home.arpa/nginx-internal: "allow"
 db.home.arpa/pg: "pg-home"
 authentik.home.arpa/https: "allow"
- # egress.home.arpa/internet: "allow"
+ egress.home.arpa/internet: "allow"
 containers:
 main:
 image: &img
diff --git a/kube/deploy/apps/searxng/app/es.yaml b/kube/deploy/apps/searxng/app/es.yaml
new file mode 100644
index 00000000..2759a784
--- /dev/null
+++ b/kube/deploy/apps/searxng/app/es.yaml
@@ -0,0 +1,19 @@
+---
+# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: &name searxng-secrets
+ namespace: searxng
+spec:
+ refreshInterval: 1m
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: 1p
+ dataFrom:
+ - extract:
+ key: "SearXNG - ${CLUSTER_NAME}"
+ target:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ name: *name
diff --git a/kube/deploy/apps/searxng/app/hr.yaml b/kube/deploy/apps/searxng/app/hr.yaml
index a48370ad..12ee6bb4 100644
--- a/kube/deploy/apps/searxng/app/hr.yaml
+++ b/kube/deploy/apps/searxng/app/hr.yaml
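Review bot: The un-commented `egress.home.arpa/internet: "allow"` label gives linkding the broadest egress class used anywhere in this commit, while whoogle and searxng are moved to `egress.home.arpa/internet-https`; if linkding's outbound traffic is only the HTTPS fetches for page titles and favicons, the narrower `egress.home.arpa/internet-https: "allow"` label would preserve least privilege. What each label actually permits is defined by cluster-wide policy outside this diff, so confirm which class the feature needs, and add a short comment naming that feature so the next reader knows why the label is there.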
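Review bot: `dataFrom: - extract:` copies every field of the 1Password item `SearXNG - ${CLUSTER_NAME}` into the Secret, and the hr.yaml hunk injects that whole Secret through `envFrom`, so any field later added to the item (notes, URLs, unrelated credentials) silently becomes an environment variable in the searxng container. If only `SEARXNG_SECRET` is needed, a `data:` entry with `secretKey` and `remoteRef.property` limits what reaches the pod. `refreshInterval: 1m` also means a rotated value updates the Secret object but not the running pod's environment until it restarts; a comment noting that a rollout is required after rotation would make the limitation explicit.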
@@ -5,43 +5,65 @@ metadata: name: &app searxng namespace: *app spec: + interval: 5m chart: spec: chart: app-template - version: 1.5.1 + version: "2.6.0" sourceRef: name: bjw-s kind: HelmRepository namespace: flux-system values: - global: - fullnameOverride: *app - automountServiceAccountToken: false - controller: - type: deployment - replicas: 1 - image: - repository: docker.io/searxng/searxng - tag: 2023.7.22-65d8b1a31 - command: ["uwsgi", "--master", "--http-socket", "0.0.0.0:8080", "/usr/local/searxng/dockerfiles/uwsgi.ini"] - podLabels: - ingress.home.arpa/nginx-internal: "allow" - egress.home.arpa/world: "allow" - env: - TZ: "${CONFIG_TZ}" - SEARXNG_BASE_URL: "https://{APP_DNS_SEARXNG}/" - SEARXNG_URL: "https://{APP_DNS_SEARXNG}" - SEARXNG_PORT: &http "8080" - SEARXNG_SECRET: - valueFrom: - secretKeyRef: - name: searxng-secrets - key: secret_key - SEARXNG_REDIS_URL: - valueFrom: - secretKeyRef: - name: searxng-secrets - key: redis + controllers: + main: + type: deployment + replicas: 1 + pod: + labels: + ingress.home.arpa/nginx-internal: "allow" + egress.home.arpa/mullvad: "allow" + egress.home.arpa/internet-https: "allow" + containers: + main: + image: &img + repository: "docker.io/searxng/searxng" + tag: "latest@sha256:a46962557dce9ad029ef36b6717304c51803d73a8043b4a513b09204df6bc91c" + command: ["uwsgi", "--master", "--http-socket", "0.0.0.0:8080", "/usr/local/searxng/dockerfiles/uwsgi.ini"] + env: + TZ: "${CONFIG_TZ}" + SEARXNG_BASE_URL: "https://{APP_DNS_SEARXNG}/" + SEARXNG_URL: "https://{APP_DNS_SEARXNG}" + SEARXNG_PORT: &http "8080" + SEARXNG_REDIS_URL: "unix:///etc/searxng/redis.sock?db=0" + envFrom: + - secretRef: + name: "searxng-secrets" + securityContext: &sc + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + resources: + requests: + cpu: "50m" + memory: "1Gi" + limits: + cpu: "3000m" + memory: "2Gi" + redis: + image: + repository: "public.ecr.aws/docker/library/redis" + tag: 
"7.2.4-bookworm@sha256:3134997edb04277814aa51a4175a588d45eb4299272f8eff2307bbf8b39e4d43" + command: ["redis-server", "--save", "''", "--appendonly", "no", "--port", "0", "--bind", "127.0.0.1", "--unixsocket", "/etc/searxng/redis.sock", "--unixsocketperm", "700"] # save and appendonly options forcibly disable RDB and AOF persistence entirely + securityContext: *sc + resources: + requests: + cpu: "10m" + memory: "32Mi" + limits: + cpu: "1000m" + memory: "512Mi" service: main: ports: @@ -51,42 +73,45 @@ spec: main: enabled: true primary: true - ingressClassName: "nginx-internal" + className: "nginx-internal" hosts: - host: &host "${APP_DNS_SEARXNG}" - paths: + paths: &paths - path: / pathType: Prefix + service: + name: main + port: http tls: - - hosts: - - *host + - hosts: [*host] dnsConfig: options: - name: ndots - value: "1" # Alpine base - podSecurityContext: # TODO: maybe build rootless container or Kyverno/patch entrypoint? - runAsUser: &uid ${APP_UID_SEARXNG} - runAsGroup: *uid - fsGroup: *uid - fsGroupChangePolicy: Always + value: "1" persistence: config: enabled: true type: configMap - name: searxng-config - subPath: settings.yml - mountPath: /etc/searxng/settings.yml - readOnly: true + name: "searxng-config" + advancedMounts: + main: + main: + - subPath: "settings.yml" + path: "/etc/searxng/settings.yml" + readOnly: true tmp: enabled: true type: emptyDir medium: Memory - mountPath: /etc/searxng + globalMounts: + - subPath: "etc" + path: "/etc/searxng" + readOnly: false configMaps: config: enabled: true data: - settings.yml: |- + server.toml: |- use_default_settings: engines: keep_only: 
@@ -225,9 +250,27 @@ spec:
 '(.*\.)?redd\.it$': '${APP_DNS_LIBREDDIT}'
 # NOTE: Search engines disabled:
 # - archive.is (too many requests)
- resources:
- requests:
- cpu: 50m
- memory: 850Mi
- limits:
- memory: 2048Mi
+ defaultPodOptions:
+ automountServiceAccountToken: false
+ enableServiceLinks: false
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: &uid ${APP_UID_SEARXNG}
+ runAsGroup: *uid
+ fsGroup: *uid
+ fsGroupChangePolicy: "Always"
+ seccompProfile: { type: "RuntimeDefault" }
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: "kubernetes.io/hostname"
+ whenUnsatisfiable: "DoNotSchedule"
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: *app
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: "fuckoff.home.arpa/searxng"
+ operator: "DoesNotExist"
diff --git a/kube/deploy/apps/searxng/app/netpol.yaml b/kube/deploy/apps/searxng/app/netpol.yaml
deleted file mode 100644
index 31f40cff..00000000
--- a/kube/deploy/apps/searxng/app/netpol.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
- name: &app searxng
- namespace: *app
-spec:
- endpointSelector: {}
- ingress:
- # same namespace
- - fromEndpoints:
- - matchLabels:
- io.kubernetes.pod.namespace: *app
- egress:
- # same namespace
- - toEndpoints:
- - matchLabels:
- io.kubernetes.pod.namespace: *app
diff --git a/kube/deploy/apps/searxng/app/secrets.yaml b/kube/deploy/apps/searxng/app/secrets.yaml
deleted file mode 100644
index 7352b039..00000000
--- a/kube/deploy/apps/searxng/app/secrets.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: searxng-secrets
- namespace: searxng
-type: Opaque
-stringData:
- secret_key: "${SECRET_SEARXNG_SECRET_KEY}"
- redis: "redis://:${SECRET_SEARXNG_REDIS_PASSWORD}@searxng-redis.searxng.svc.cluster.local:6379/0"
diff --git a/kube/deploy/apps/searxng/ks.yaml b/kube/deploy/apps/searxng/ks.yaml
index 98f52e38..2f52763f 100644
--- a/kube/deploy/apps/searxng/ks.yaml
+++ b/kube/deploy/apps/searxng/ks.yaml
@@ -4,38 +4,11 @@ kind: Kustomization
 metadata:
 name: searxng-app
 namespace: flux-system
+ labels: &l
+ app.kubernetes.io/name: "searxng"
 spec:
+ commonMetadata:
+ labels: *l
 path: ./kube/deploy/apps/searxng/app
- dependsOn:
- - name: 1-core-ingress-nginx-app
- - name: searxng-redis
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: searxng-redis
- namespace: flux-system
- labels:
- substitution.flux.home.arpa/disabled: "true"
-spec:
- path: ./kube/deploy/core/db/redis/template/standalone-mem
+ targetNamespace: "searxng"
 dependsOn: []
- postBuild:
- substitute:
- REDIS_APP_NAME: &app "searxng"
- REDIS_APP_NS: *app
- substituteFrom:
- - kind: Secret
- name: "searxng-redis"
- optional: false
- - kind: Secret
- name: "${CLUSTER_NAME}-vars"
- optional: false
- - kind: Secret
- name: "${CLUSTER_NAME}-secrets"
- optional: false
- healthChecks:
- - name: searxng-redis
- namespace: searxng
- kind: Deployment
- apiVersion: apps/v1
diff --git a/kube/deploy/apps/searxng/kustomization.yaml b/kube/deploy/apps/searxng/kustomization.yaml
index b840099b..5eeb2657 100644
--- a/kube/deploy/apps/searxng/kustomization.yaml
+++ b/kube/deploy/apps/searxng/kustomization.yaml
@@ -3,5 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ns.yaml
- - secret-redis.yaml
 - ks.yaml
diff --git a/kube/deploy/apps/searxng/ns.yaml b/kube/deploy/apps/searxng/ns.yaml
index 4350b1e4..318b6b15 100644
--- a/kube/deploy/apps/searxng/ns.yaml
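Review bot: `dependsOn: []` drops the `1-core-ingress-nginx-app` dependency the old Kustomization declared, and the new ExternalSecret in es.yaml adds an undeclared dependency on the external-secrets CRDs and the `1p` ClusterSecretStore; Flux retries until those exist, so this is an ordering and log-noise problem rather than a hard failure, but listing the external-secrets Kustomization under `dependsOn` would keep first reconciles and cluster rebuilds clean. If relying on retries is deliberate, a comment such as `# dependsOn intentionally empty: ingress-nginx and external-secrets are core and always present` would record the choice instead of leaving an empty list to puzzle over.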
+++ b/kube/deploy/apps/searxng/ns.yaml
@@ -3,3 +3,8 @@ apiVersion: v1
 kind: Namespace
 metadata:
 name: searxng
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
+ pod-security.kubernetes.io/enforce: &ps restricted
+ pod-security.kubernetes.io/audit: *ps
+ pod-security.kubernetes.io/warn: *ps
diff --git a/kube/deploy/apps/searxng/secret-redis.yaml b/kube/deploy/apps/searxng/secret-redis.yaml
deleted file mode 100644
index a5f44c63..00000000
--- a/kube/deploy/apps/searxng/secret-redis.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: searxng-redis
- namespace: flux-system
-type: Opaque
-stringData:
- SECRET_REDIS_PASSWORD: "${SECRET_SEARXNG_REDIS_PASSWORD}"
diff --git a/kube/deploy/apps/whoogle/app/hr.yaml b/kube/deploy/apps/whoogle/app/hr.yaml
index 0f1dbee1..1f6e5cb4 100644
--- a/kube/deploy/apps/whoogle/app/hr.yaml
+++ b/kube/deploy/apps/whoogle/app/hr.yaml
@@ -20,9 +20,9 @@ spec:
 fullNameOverride: whoogle
 podLabels:
 ingress.home.arpa/nginx-internal: "allow"
- egress.home.arpa/world-https: "allow"
+ egress.home.arpa/internet-https: "allow"
 image:
- repository: docker.io/benbusby/whoogle-search
+ repository: ghcr.io/benbusby/whoogle-search
 tag: 0.8.4
 env:
 HTTPS_ONLY: 0
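Review bot: `pod-security.kubernetes.io/enforce: restricted` is checked at pod admission, so it only works together with the `defaultPodOptions` and container `securityContext` added to hr.yaml in this commit (`runAsNonRoot`, `seccompProfile`, `allowPrivilegeEscalation: false`, `drop: ["ALL"]`); if the Namespace label lands before the HelmRelease rolls out, existing pods keep running but any replacement pod is rejected until the new spec applies. Adding `pod-security.kubernetes.io/enforce-version` alongside would stop the profile tightening silently on a cluster upgrade. A comment above the labels, e.g. `# restricted PSS: the pod spec in app/hr.yaml must stay compliant`, would tie the two files together for the next editor.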
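Review bot: The `image.repository` move to `ghcr.io/benbusby/whoogle-search` keeps the mutable `tag: 0.8.4` with no digest, while the searxng and redis images in this same commit are pinned with `@sha256:`; pinning the ghcr digest would make the registry switch verifiable and let Renovate bump it the same way. The pod-label rename to `egress.home.arpa/internet-https` matches the convention used for searxng here, assuming the old `world-https` selector is retired cluster-wide rather than still referenced by a policy outside this diff.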
@@ -30,13 +30,13 @@ spec:
 WHOOGLE_CONFIG_SAFE: 0
 WHOOGLE_CONFIG_STYLE: 'body {max-width: 100% !important} :root { --whoogle-dark-logo: #6E6C7E; --whoogle-dark-page-bg: #1E1E2E; --whoogle-dark-element-bg: #302D41; --whoogle-dark-text: #D9E0EE; --whoogle-dark-contrast-text: #F2CDCD; --whoogle-dark-secondary-text: #988BA2; --whoogle-dark-result-bg: #302D41; --whoogle-dark-result-title: #F5E0DC; --whoogle-dark-result-url: #F5E0DC; --whoogle-dark-result-visited: #C9CBFF; } #whoogle-w { fill: #96CDFB; } #whoogle-h { fill: #F28FAD; } #whoogle-o-1 { fill: #FAE3B0; } #whoogle-o-2 { fill: #96CDFB; } #whoogle-g { fill: #ABE9B3; } #whoogle-l { fill: #F28FAD; } #whoogle-e { fill: #FAE3B0; }'
 WHOOGLE_CONFIG_URL: "https://${APP_DNS_WHOOGLE}"
- WHOOGLE_CONFIG_GET_ONLY: 1
+ WHOOGLE_CONFIG_GET_ONLY: 0
 WHOOGLE_CONFIG_VIEW_IMAGE: 1
 WHOOGLE_CONFIG_DISABLE: 1
 WHOOGLE_CONFIG_TOR: 0
 WHOOGLE_TOR_SERVICE: 0
- WHOOGLE_PROXY_TYPE: "socks5"
- WHOOGLE_PROXY_LOC: "10.64.0.1:1080"
+ # WHOOGLE_PROXY_TYPE: "socks5"
+ # WHOOGLE_PROXY_LOC: "10.64.0.1:1080"
 service:
 main:
 ports:
@@ -59,4 +59,5 @@ spec:
 cpu: 5m
 memory: 100Mi
 limits:
+ cpu: 3000m
 memory: 250Mi
diff --git a/kube/deploy/apps/whoogle/app/netpol.yaml b/kube/deploy/apps/whoogle/app/netpol.yaml
deleted file mode 100644
index 2b683d5f..00000000
--- a/kube/deploy/apps/whoogle/app/netpol.yaml
+++ /dev/null
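Review bot: Commenting out `WHOOGLE_PROXY_TYPE` and `WHOOGLE_PROXY_LOC` means Whoogle now reaches Google directly over the `internet-https` egress class instead of through the SOCKS5 proxy at `10.64.0.1:1080`, which changes the source address the upstream sees; the commit message `chore: cleanup` does not say whether that is intended, and the searxng pod in this same commit is labelled for `mullvad` egress instead. If direct egress is the goal, delete the two lines rather than leaving them commented and add `# no application-level proxy: egress path is decided by cluster policy labels` so nobody re-enables them by reflex. `WHOOGLE_CONFIG_GET_ONLY: 0` is flipped without explanation; if I read Whoogle's option correctly, 0 sends queries as POST bodies, which keeps search terms out of ingress access logs, and a short comment stating that would justify the change.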
@@ -1,45 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
- name: &app whoogle
- namespace: *app
-spec:
- endpointSelector: {}
- ingress:
- # same namespace
- - fromEndpoints:
- - matchLabels:
- io.kubernetes.pod.namespace: *app
- # ingress controller
- - fromEndpoints:
- - matchLabels:
- io.kubernetes.pod.namespace: ingress
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/name: ingress-nginx
- toPorts:
- - ports:
- - port: "5000"
- protocol: TCP
- rules:
- http:
- - {}
- egress:
- # same namespace
- - toEndpoints:
- - matchLabels:
- io.kubernetes.pod.namespace: *app
- # allow Whoogle to connect to public Internet
- - toEntities:
- - world
- toPorts:
- - ports:
- - port: "80"
- - port: "443"
- # allow querying $IP_HOME_DNS
- - toCIDRSet:
- - cidr: "${IP_HOME_DNS}/32"
- toPorts:
- - ports:
- - port: "53"