diff --git a/kube/3-deploy/1-core/05-ingress/nginx/default-backend.yaml b/kube/3-deploy/1-core/05-ingress/nginx/default-backend.yaml
new file mode 100644
index 00000000..df635a54
--- /dev/null
+++ b/kube/3-deploy/1-core/05-ingress/nginx/default-backend.yaml
@@ -0,0 +1,40 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: default-backend
+ namespace: ingress
+spec:
+ chart:
+ spec:
+ chart: app-template
+ version: 1.5.0
+ sourceRef:
+ name: bjw-s
+ kind: HelmRepository
+ namespace: flux-system
+ values:
+ controller:
+ type: daemonset
+ image:
+ repository: public.ecr.aws/docker/library/busybox
+ tag: 1.36.1-glibc
+ command: ["busybox", "sh", "-c"]
+ args: ["wget 'https://jjgadgets.tech/error.zstd' -O /dev/shm/index.html && httpd -f -v -p 8080 -h /dev/shm"]
+ service:
+ main:
+ ports:
+ http:
+ port: 80
+ targetPort: 8080
+ podSecurityContext:
+ runAsUser: &uid 404200
+ runAsGroup: *uid
+ fsGroup: *uid
+ fsGroupChangePolicy: Always
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ limits:
+ memory: 256Mi
diff --git a/kube/3-deploy/1-core/05-ingress/nginx/install.yaml b/kube/3-deploy/1-core/05-ingress/nginx/install.yaml
index 510c85d3..0add0a62 100644
--- a/kube/3-deploy/1-core/05-ingress/nginx/install.yaml
+++ b/kube/3-deploy/1-core/05-ingress/nginx/install.yaml
@@ -33,6 +33,7 @@ spec:
 enabled: true
 extraArgs:
 default-ssl-certificate: ingress/short-domain-tls
+ default-backend-service: ingress/default-backend
 ingressClassByName: true
 nodeSelector:
 node-restriction.kubernetes.io/nodeType: main
@@ -43,6 +44,7 @@ spec:
 disable-access-log: "false"
 log-format-escape-json: "true"
 # hardening
+ custom-http-errors: 400,401,403,404,405,409,410,411,412,413,414,415,416,417,418,421,425,431,451,500,501,502,503,504,505,506,510
 hsts-max-age: "31449600"
 hsts-preload: "true"
 ssl-protocols: TLSv1.3 TLSv1.2
diff --git a/kube/3-deploy/2-apps/gotosocial/app/hr.yaml b/kube/3-deploy/2-apps/gotosocial/app/hr.yaml
index 3b3f7721..815997bd 100644
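Review bot: The `args` line fetches the error page from `https://jjgadgets.tech/error.zstd` at every pod start with no integrity check, so the body served for every intercepted error is whatever that host returns at that moment, and because of the `&&` `httpd` never starts when the fetch fails, taking the default backend down with it. busybox `wget` builds frequently do not validate TLS certificates (they print `TLS certificate validation not implemented`), so the HTTPS URL may add no authenticity — confirm for the `1.36.1-glibc` image. Shipping the page in the image or in a ConfigMap mounted into the pod removes the runtime network dependency; if the fetch stays, verify a known checksum before starting `httpd`. `image.tag` is also not digest-pinned, unlike the `postgres-init` images elsewhere in this commit (`tag: 1.36.1-glibc@sha256:<DIGEST>` with the real digest would match them), and no container-level `securityContext` (`readOnlyRootFilesystem: true`, `allowPrivilegeEscalation: false`, dropped capabilities) is set — the chart may apply defaults, but with all writes going to `/dev/shm` a read-only root filesystem is safe here.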
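Review bot: `default-backend-service: ingress/default-backend` points the controller at a Service that a separate HelmRelease creates, and ingress-nginx resolves that Service at startup and exits when it is missing, so reconciling this release before `default-backend` leaves the controller crash-looping until Flux retries. Declaring the order in this HelmRelease's `spec` (outside the hunk) avoids that: `dependsOn:` followed by `  - name: default-backend`. The Service name also assumes app-template names the release's main Service `default-backend`; confirm against the rendered chart.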
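Review bot: `custom-http-errors` is the only unquoted value in this block — its neighbours `"false"`, `"true"` and `"31449600"` are quoted because ConfigMap data must be strings; a comma-separated digit list does parse as a string, but quoting it keeps the block uniform and reformat-safe, so wrap the same list in double quotes. The bigger point is scope: this is the controller-wide ConfigMap, so every listed status returned by any backend — including JSON API errors such as 401/404/410 from the gotosocial instance touched in this commit, if it is served through this controller — is replaced by the default backend's page, which breaks clients that parse the error body. If only browser-facing hosts should get the branded page, the per-Ingress `nginx.ingress.kubernetes.io/custom-http-errors` annotation scopes it; otherwise record the trade-off under `# hardening`.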
--- a/kube/3-deploy/2-apps/gotosocial/app/hr.yaml
+++ b/kube/3-deploy/2-apps/gotosocial/app/hr.yaml
@@ -81,10 +81,10 @@ spec:
 cpu: 10m
 memory: 128Mi
 limits:
- memory: 6000Mi
+ memory: 1024Mi
 initContainers:
 01-init-db:
- image: ghcr.io/onedr0p/postgres-init:14.8
+ image: ghcr.io/onedr0p/postgres-init:14.8@sha256:d8391076d2c6449927a6409c4e72aaa5607c95be51969036f4feeb7c999638ea
 imagePullPolicy: IfNotPresent
 envFrom:
 - secretRef:
diff --git a/kube/templates/test/app/hr.yaml b/kube/templates/test/app/hr.yaml
index f830a69c..7556bb31 100644
--- a/kube/templates/test/app/hr.yaml
+++ b/kube/templates/test/app/hr.yaml
@@ -8,10 +8,10 @@ spec:
 chart:
 spec:
 chart: app-template
- version: 1.4.0
+ version: 1.5.0
 sourceRef:
- kind: HelmRepository
 name: bjw-s
+ kind: HelmRepository
 namespace: flux-system
 values:
 controller:
@@ -25,12 +25,11 @@ spec:
 main:
 enabled: true
 type: LoadBalancer
- externalTrafficPolicy: Local
+ # eTP can be Cluster (for HA & failover) instead of Local since Cilium is configured in DSR mode, so proper source IP will still work
+ externalTrafficPolicy: Cluster
 annotations:
 coredns.io/hostname: "${APP_DNS_${APPNAME}}"
 "io.cilium/lb-ipam-ips": "${APP_IP_${APPNAME}}"
- externalIPs:
- - "${APP_IP_${APPNAME}}"
 ports:
 http:
 enabled: true
@@ -153,3 +152,11 @@ spec:
 name: data
 - mountPath: /config
 name: config
+ 01-init-db:
+ image: ghcr.io/onedr0p/postgres-init:14.8@sha256:d8391076d2c6449927a6409c4e72aaa5607c95be51969036f4feeb7c999638ea
+ imagePullPolicy: IfNotPresent
+ envFrom:
+ - secretRef:
+ name: gotosocial-pg
+ - secretRef:
+ name: gotosocial-pg-superuser
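Review bot: The comment added above `externalTrafficPolicy: Cluster` asserts that client source IPs are preserved because Cilium runs in DSR mode, but that is a property of the Cilium installation rather than of this template; if that setting changes, every app stamped from the template silently starts seeing node IPs, which undermines IP-based access logs, rate limits and allow-lists without any error. Make the dependency explicit and shorter than the current line, which runs well over 120 characters, e.g. `# eTP Cluster keeps client source IPs only while Cilium stays in DSR mode — verify client IPs in app logs after Cilium changes`, wrapped to the file's line length.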
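Review bot: The new `01-init-db` init container hard-codes `gotosocial-pg` and `gotosocial-pg-superuser` as secret names inside a generic template whose other values are parameterised through `${APPNAME}` (see `"${APP_DNS_${APPNAME}}"` in the earlier hunk), so any app stamped from the template would try to mount the gotosocial database superuser credentials unless the author remembers to edit these two lines. Replace them with substitution variables (a constructed example: `name: ${APPNAME}-pg` and `name: ${APPNAME}-pg-superuser`) or leave the block commented out in the template. The mapping that `01-init-db:` belongs to — `initContainers:`, presumably — begins outside the hunk and its indentation is not recoverable here, so confirm it lands under `initContainers` rather than beside the preceding volume mounts. The digest matches the one in the gotosocial release in this commit; keep the two in sync when either is bumped.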