diff --git a/kube/clusters/hercules/config/vars.sops.env b/kube/clusters/hercules/config/vars.sops.env
index e9d06f66..b46c75d9 100644
--- a/kube/clusters/hercules/config/vars.sops.env
+++ b/kube/clusters/hercules/config/vars.sops.env
@@ -16,6 +16,7 @@ USERS_3_NAME=ENC[AES256_GCM,data:BxSWnRnQwXfHqg==,iv:JmzuZmZZnuQnhI9SYt1TBmBLojm
 ASN_CLUSTER=ENC[AES256_GCM,data:W/IlCgA=,iv:7G80F6Yv5pQfAw9a28G9/75wc1vNGOjF8d379/3FlJ4=,tag:aqaxFlW0rXrDeumsz9etxg==,type:str]
 ASN_ROUTER=ENC[AES256_GCM,data:BOsXM8M=,iv:r3nQXW4EpXII2itTeDP1/6wJk4PDYUQH6kZCCcf7AuM=,tag:JWd9XL5hbAe6d3yxYlvFog==,type:str]
 ASN_EC2_INGRESS=ENC[AES256_GCM,data:FSkZESA=,iv:ihDOVFJWor83O4T3cX3Y3XgSXiDikPWWdRjzLHLIXJs=,tag:xIgs8PNpfki25SVJ7SkPYQ==,type:str]
+IP_HERCULES_PUBLIC_V4=ENC[AES256_GCM,data:5nuej15lQyaRAlwDGkM=,iv:M19ZcJT1L9i8+d7vj5p1pZMeBIJXsDhsUSZA1y1LdpY=,tag:hUUj5UN1F2pRzHfWxjfAtg==,type:str]
 IP_ROUTER_LAN=ENC[AES256_GCM,data:q+9MIIuBLPA=,iv:pzWM3e0qgyRLgYtXv3aoKqX6ZOnpQURGBWaLZZRfQGc=,tag:xEiU2fV3Wt0YHd60hALsUQ==,type:str]
 IP_ROUTER_LAN_CIDR=ENC[AES256_GCM,data:VBNZEYACQMQduOU=,iv:is1RkkLkgUYuNPypTFRm7krP9nb1rkrZ64pkQT+5LEM=,tag:opkUbEo8JR1Gp13pklKz7g==,type:str]
 IP_ROUTER_VLAN_K8S=ENC[AES256_GCM,data:BF7rMLUGyiMb,iv:H+s1v1sl6ZNJEvF1QO5kIYE7jquhLrDXbPnpE2PywUY=,tag:Sux+8RhfEHfZDXT2z4S5Jw==,type:str]
@@ -172,11 +173,11 @@ CONFIG_THELOUNGE_USERNAME=ENC[AES256_GCM,data:+C2aABtqq8YG,iv:4DYpguAvmaqPedRgrf CONFIG_THELOUNGE_JOIN=ENC[AES256_GCM,data:ocuC,iv:9Cn9zp2+iIVrEXYxklEtkpftmJwTGsWnff2xIG9KNec=,tag:3UL9Gn+kHoXu+40CFkP7sg==,type:str] CONFIG_PSONO_TITLE=ENC[AES256_GCM,data:ORXmkTqtuka3l5M0pdu1NKxdX3Pes3xdEMw=,iv:Mbw/KUQJcIdYdcWby6qeCY4Q31Vc+dUOjLLprHL5P9E=,tag:HavoGugubPrunCoOkL40Mw==,type:str] sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSXFvLzFQaFJ0OVJKUFV5\nTWh2OUltUlpJWFlVVytFYU9VajBHSnQ4SGdjCnRVbEVXdDVyUHJrR05Ba0xvUm1l\nTkt2YmNUZy90ZFA2b3QrODFKZ01EVG8KLS0tIEw2dkd1cnFCbnI5eWxKL2o1aDVB\nN0hveXZ2dWdxQ2k2L0pGR0ROMStVTmsK4dV/hNyDjsYnVUiFQ7kqdmcVHfYyVckz\nh/rwLjcZgsup72WDVP3v6Eul8B3LKFrSb8CDFA54tyQmSdFDCQC+Zg==\n-----END AGE ENCRYPTED FILE-----\n -sops_version=3.7.3 -sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdAbA35718t0WVKrjQFYUPviCb0lVuh8NpfSdJCHjHcWWww\n8ak4q4VL69tZLSjQHx+VsMmKooknxWz6pw0lGxyDYlZMQ81bodInjaZGFZSz8Uuh\n0l4BhDCNDBBALTrnTliz6/DAHvmavI4UxMHost5alFio9JPkTDNmXZyvcy1/R6aw\n/uhQXLUBRvm0TSOhBZb7d0SLkLfe02Um40w1TibpKXsZz1GOMbPRNBMHHra0QIuQ\n=0jA+\n-----END PGP MESSAGE-----\n -sops_lastmodified=2023-11-26T01:12:01Z -sops_mac=ENC[AES256_GCM,data:nxVFJiPtznJc14wSS2LRsPadVRGgVbfA1AwVhSrMzBwMzmY+Idx5auE8O+zO/8i42kw4G3NOLhoW4vw9KvhjxbKPdSYTgVZC5yRE4TCwdVSdQ6iENzt+yxYFFxql9vnYwiAFDHy4wjdHbOOUs/6QfAmGaMaxWgT3iUkp0HIVJ0k=,iv:8g9dr7IWtq2tejgiUCObtMLi79TDsUFmPzNMTEcelP8=,tag:b0X+DTUemOtlarZH3lOBWQ==,type:str] -sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 -sops_pgp__list_0__map_created_at=2023-06-01T18:01:04Z -sops_unencrypted_suffix=_unencrypted sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj +sops_lastmodified=2023-12-08T04:50:43Z 
+sops_mac=ENC[AES256_GCM,data:32rhGkZpoIAuV5mlkCM+AyMDyvCnf4WFxLpimzMakfgICKvYtRTK8migSOQg11EzqRrUDychmeg2y7ThHXSDykDoKDLc2yDKpUdrtNR/fDKmvwH6ehExJDki4xRflI1s8r1oGjbwAODeqpau23rcPrQYnC8JZDqGN2n674rDqGQ=,iv:EqBPRX8HxZoYhApo9vxDNhaGKqXGVXDrM7AZON8HnbE=,tag:DLoYMdm7/da+48XAe/3MSQ==,type:str] +sops_pgp__list_0__map_created_at=2023-06-01T18:01:04Z +sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdAbA35718t0WVKrjQFYUPviCb0lVuh8NpfSdJCHjHcWWww\n8ak4q4VL69tZLSjQHx+VsMmKooknxWz6pw0lGxyDYlZMQ81bodInjaZGFZSz8Uuh\n0l4BhDCNDBBALTrnTliz6/DAHvmavI4UxMHost5alFio9JPkTDNmXZyvcy1/R6aw\n/uhQXLUBRvm0TSOhBZb7d0SLkLfe02Um40w1TibpKXsZz1GOMbPRNBMHHra0QIuQ\n=0jA+\n-----END PGP MESSAGE-----\n +sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 +sops_unencrypted_suffix=_unencrypted +sops_version=3.8.1 diff --git a/kube/deploy/core/monitoring/node-exporter/app/hr.yaml b/kube/deploy/core/monitoring/node-exporter/app/hr.yaml index 3593948f..7b2b12d0 100644 --- a/kube/deploy/core/monitoring/node-exporter/app/hr.yaml +++ b/kube/deploy/core/monitoring/node-exporter/app/hr.yaml @@ -17,7 +17,7 @@ spec: nameOverride: node-exporter podLabels: prom.home.arpa/kps: "allow" - hostNetwork: false + hostNetwork: true # to get node-level network metrics, else it'll only show the pod's network metrics rbac: pspEnabled: false resources: diff --git a/kube/templates/test/app/hr.yaml b/kube/templates/test/app/hr.yaml index 55de0f74..b9ea88ab 100644 --- a/kube/templates/test/app/hr.yaml +++ b/kube/templates/test/app/hr.yaml @@ -8,7 +8,7 @@ spec: chart: spec: chart: app-template - version: "2.3.0" + version: "2.4.0" sourceRef: name: bjw-s kind: HelmRepository @@ -21,8 +21,8 @@ spec: replicas: 1 pod: labels: - ingress.home.arpa/nginx: "allow" - db.home.arpa/pg: "pg-default" + ingress.home.arpa/nginx-internal: "allow" + db.home.arpa/pg: "pg-${APPNAME}" s3.home.arpa/store: "rgw-${CLUSTER_NAME}" containers: main: 
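Review bot: With `hostNetwork: true` in the node-exporter values, the exporter's metrics port is bound on each node's own address instead of a pod IP, and the `prom.home.arpa/kps: "allow"` pod label kept just above may stop having any effect, because many CNIs do not apply pod-selector network policy to host-networked pods. If that label drives the policy that limits scraping to Prometheus (inferred from its name; the policy is not in this diff), the restriction needs to be re-expressed as a node-level policy or host firewall rule for the exporter port. I would extend the inline comment to record this, e.g. `# hostNetwork pods bypass pod-selector NetworkPolicy; exporter port is restricted by <host-level policy name>`. The values block continues outside the hunk.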
@@ -123,7 +123,7 @@ spec: main: enabled: true primary: true - className: nginx + className: "nginx-internal" annotations: external-dns.alpha.kubernetes.io/target: "${DNS_SHORT_CF}" external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" @@ -223,10 +223,18 @@ spec: versions = 7 defaultPodOptions: automountServiceAccountToken: false + enableServiceLinks: false securityContext: + runAsNonRoot: false runAsUser: &uid ${APP_UID_APPNAME} runAsGroup: *uid fsGroup: *uid - runAsNonRoot: false + fsGroupChangePolicy: "Always" seccompProfile: {type: "RuntimeDefault"} - fsGroupChangePolicy: Always + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: "kubernetes.io/hostname" + whenUnsatisfiable: "DoNotSchedule" + labelSelector: + matchLabels: + app.kubernetes.io/name: *app
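Review bot: The ingress class becomes `nginx-internal`, but the unchanged annotations directly below still set `external-dns.alpha.kubernetes.io/target: "${DNS_SHORT_CF}"` and `external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"`, which reads as publishing a Cloudflare-proxied record for a host now served by the internal controller. If internal-only is the intended default for apps copied from this template, drop both annotations or add a comment such as `# keep only for apps meant to be reachable through Cloudflare; remove for internal-only apps`. How external-dns and the two ingress controllers are wired is not visible here, so this is a consistency question rather than a confirmed exposure. The ingress block starts and ends outside the hunk.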
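Review bot: In the `defaultPodOptions` hunk, `runAsNonRoot: false` is only moved up, not changed, so every app stamped from this template still opts out of the kubelet's non-root check even though `runAsUser` is pinned to `${APP_UID_APPNAME}`. If that variable always resolves to a non-zero UID (its value is not visible here), `runAsNonRoot: true` costs nothing, and a zero or empty substitution then fails at container start instead of silently running as root. Apps that really need root can override the field with a comment explaining why. The enclosing values block starts outside the hunk.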