From b927f135e270ef3acbb7beb151ec219890d01d5b Mon Sep 17 00:00:00 2001 From: JJGadgets Date: Sat, 27 May 2023 12:18:35 +0800 Subject: [PATCH] fix(netpols): ingress-nginx to flux webhook Signed-off-by: JJGadgets --- kube/1-clusters/Biohazard/2-config/3-secrets.yaml | 15 +++++++++------ kube/3-deploy/1-core/05-ingress/nginx/netpol.yaml | 11 +++++++++++ 2 files changed, 20 insertions(+), 6 deletions(-) diff --git a/kube/1-clusters/Biohazard/2-config/3-secrets.yaml b/kube/1-clusters/Biohazard/2-config/3-secrets.yaml index 91f2cb8d..18d307a6 100644 --- a/kube/1-clusters/Biohazard/2-config/3-secrets.yaml +++ b/kube/1-clusters/Biohazard/2-config/3-secrets.yaml @@ -22,8 +22,8 @@ sops: UmFEd0UveklMeHpwYmJWcG91cU4xUUUKYKm5ZiuBX5d4oadXp8mNt+v0MASMRbqT k6WGNihbkfA5z8aLnx4vR7tA4ORv70s7ALXvzZCD0m/fMnG8e9ssdA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-27T04:10:33Z" - mac: ENC[AES256_GCM,data:1tEtJGkrq20VI61pU9AlpsLEHD38oxXkNrwJpNJNQNCGfVFU/QDhNFbzX3SNIpYNd6QJx8QtReXo4832QSCMTQQsujAJ2O1sOpR3hLKmwy2Wk4WBlokfgZuWoonm/cAHR5qHS4J7fefbtDrVz4Pln6c2jaqgtpbYm4tgEN64HJs=,iv:vvCC6o1RyAap2qViyxVcSi8KkFNZm9mubv+NcPrGPRs=,tag:EFguQC77p9hMkr8Y3KmxLQ==,type:str] + lastmodified: "2023-05-27T04:21:43Z" + mac: ENC[AES256_GCM,data:K5nsP6Q9dwpGZSEXcko3Nzb9xW/UQfmYj8eeu9lj9/aznpKaugPUj1zfuDbVVDz4+whvfxidNnYJh4k9JtUtpoPdAXL8SIoW2cynMdtIRlg3gvU3+6wL69rkoUfAcdvmdW5lChHAmPdz56ap0/FcJ+eJpdSuwKJfr+mPzBH4yMY=,iv:DWo7n/m/70Xt3g3xOrIhG/WZsIAOB0Z5MuRoxdr8x98=,tag:nZx+6PfS3ydj4nM+uli4iA==,type:str] pgp: - created_at: "2023-02-26T18:12:43Z" enc: | 
@@ -61,8 +61,8 @@ sops: UmFEd0UveklMeHpwYmJWcG91cU4xUUUKYKm5ZiuBX5d4oadXp8mNt+v0MASMRbqT k6WGNihbkfA5z8aLnx4vR7tA4ORv70s7ALXvzZCD0m/fMnG8e9ssdA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-27T04:10:33Z" - mac: ENC[AES256_GCM,data:1tEtJGkrq20VI61pU9AlpsLEHD38oxXkNrwJpNJNQNCGfVFU/QDhNFbzX3SNIpYNd6QJx8QtReXo4832QSCMTQQsujAJ2O1sOpR3hLKmwy2Wk4WBlokfgZuWoonm/cAHR5qHS4J7fefbtDrVz4Pln6c2jaqgtpbYm4tgEN64HJs=,iv:vvCC6o1RyAap2qViyxVcSi8KkFNZm9mubv+NcPrGPRs=,tag:EFguQC77p9hMkr8Y3KmxLQ==,type:str] + lastmodified: "2023-05-27T04:21:43Z" + mac: ENC[AES256_GCM,data:K5nsP6Q9dwpGZSEXcko3Nzb9xW/UQfmYj8eeu9lj9/aznpKaugPUj1zfuDbVVDz4+whvfxidNnYJh4k9JtUtpoPdAXL8SIoW2cynMdtIRlg3gvU3+6wL69rkoUfAcdvmdW5lChHAmPdz56ap0/FcJ+eJpdSuwKJfr+mPzBH4yMY=,iv:DWo7n/m/70Xt3g3xOrIhG/WZsIAOB0Z5MuRoxdr8x98=,tag:nZx+6PfS3ydj4nM+uli4iA==,type:str] pgp: - created_at: "2023-02-26T18:12:43Z" enc: | 
@@ -128,6 +128,9 @@ stringData: SECRET_GTS_PG_PASS: ENC[AES256_GCM,data:4CLtnpcvhljJe1l+OKI3Q++PN7C++9ZavFArGsuxkIW5hoE6FFsAgGngFqw2ck1LAVqdwalQedQdj0LvQmzRpGybGxFGB6/4KHuQVMIkX+HyDReItP0vEXHEaq7HitxlpI+CLmlFK4lCOUdGY5/JvhZPLo+PV5STHsNvmrVaQhTvih3p1G11coCTbo4A/VHHWUGCyQDUoHxs2Bo/iYH2kFKlw/RYGFODmk1ffVUHHRsUHREpb9f5YcRwblWFOpQvwEYINKzlwoM=,iv:3/htXyuzpDJrTFGM7Yy5wcEejXN3/Jl4oyJ1tzPih5Y=,tag:Aie4reRcph39N8mRih9lLw==,type:str] SECRET_HEADSCALE_PRIVKEY: ENC[AES256_GCM,data:5cwm3FpMYlCxF6g+D0S0+Ti/UVSzJop5lu0Q53oT2+Gt5UVk0yhttjqrNZs5w3dnFJ0De+EGrXhaA5vsuUU1EgRq2t93NC/M,iv:Ny9T6kobbbEn94OLF6gAymCt5h9LlY7QL2GL36yuFAw=,tag:IsdV9wXyd8yTx5urHVef4Q==,type:str] SECRET_HEADSCALE_NOISEKEY: ENC[AES256_GCM,data:w0LQ6auq0XPgXC6KIOuSBZ66avDH/1oM4yK1ruYK21m15A5Mw28yQc93Pp67XbT1P54JgsdUYIJMoz43+wF2Hw3w8VFK4QS0,iv:bMfM4S1UyQjhdX/0Mu2xpa/PkbuOe0eL4G8AviTb3iQ=,tag:4Rej1+iOtMd5abXFkuBiFg==,type:str] + SECRET_HEADSCALE_PG_DBNAME: ENC[AES256_GCM,data:Iyj7YpnEOjnuZ8W1iCYIuyxoNP0ATH6M0B/njRF8TDnjty//bHsx8Q==,iv:MfexUGI5k8BJNugTN9HkAwVbIaqTOeTCPgvsvRDgvAw=,tag:pVcBD4v7zCliXo44KG97Aw==,type:str] + SECRET_HEADSCALE_PG_USER: ENC[AES256_GCM,data:mu5YQK7hwKmdATLv4AsC71lo0n0JemZMPnxdJPV7HaOlMcNCsTq7AbEGrsQm9fQ9yYiJg/ZdoXMAGihCs3sLEw==,iv:ZC9is+M6KkCUkqEfxblxg4eHZn3Kgoruk0K6G/dV5N8=,tag:PdVAAZuL164zcsRHIQGwVA==,type:str] + SECRET_HEADSCALE_PG_PASS: ENC[AES256_GCM,data:IPXHgbtdhFhcRWyQ1u0710/8QVEG2uoPdetIRbRrPIRRhv3TpR04d6ypWos8WunqS5JJaNjm5RTr2O6+DP7ITizMIyUJaLL8jKs5u5nvr7tIB3GsrtU/qBQvZuT+yGjouuf/ezo4euno2L2VD5aKoQN6mdUfFt9K8beb3s7aSBWbMHdvB5KTwssbaMG9alir9/pZEVacsft4zNn1KpTBFQ==,iv:wKDHzaGH5azCBL8zWSt6JbSKeuZNODG5VfOWmwH1GU8=,tag:NShyDOIzSSv74WV5kvlXbw==,type:str] SECRET_HEADSCALE_OIDC_URL: ENC[AES256_GCM,data:+Jy+NuSGcYXi+p7uOX6lyz3OacT9WaRvY4Ywyuz7dIP/larM6iKUJPSbpql7ZQUNIT6/Lq1998HF,iv:L7MpcUPSjeMcayj1z0J4tccXXdXou+O7IHpVBWtzeqk=,tag:+4f/U3sMpE4WE4mMwTlPLQ==,type:str] SECRET_HEADSCALE_OIDC_ID: 
ENC[AES256_GCM,data:oDoZQFp5EEAqa39tMx/Kse427QmYyxUXXPU8dGlCNGtupVvAs+7rzA==,iv:1gVegFflZRsRoo93MNsNwVQT8YRWcNh06MOy5cMsb3M=,tag:1KEb+pRqd154BQdR4NhFhA==,type:str] SECRET_HEADSCALE_OIDC_SECRET: ENC[AES256_GCM,data:4wwV9m+XmSIGXCzojw0Va8gH1L/E1VugXQc1N3adC6JitqOB7bvdqBxE0natU1mhrCUPdUViojV/IZJ/7qdluNNTakDiWWnL6rVI4xd1giywBc5taEWlQb7081zEExWm09wuRcjYVpfLakJFbM8fJJqTHZvyP5ED9VpNglBk6XU=,iv:RzgyFgOt9TwhRCysdf+gX7jhBQgA0Oo9b7xDCaDEBG4=,tag:AyDu6lImdsJpqEIDRPZ+hQ==,type:str] @@ -158,8 +161,8 @@ sops: UmFEd0UveklMeHpwYmJWcG91cU4xUUUKYKm5ZiuBX5d4oadXp8mNt+v0MASMRbqT k6WGNihbkfA5z8aLnx4vR7tA4ORv70s7ALXvzZCD0m/fMnG8e9ssdA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-27T04:10:33Z" - mac: ENC[AES256_GCM,data:1tEtJGkrq20VI61pU9AlpsLEHD38oxXkNrwJpNJNQNCGfVFU/QDhNFbzX3SNIpYNd6QJx8QtReXo4832QSCMTQQsujAJ2O1sOpR3hLKmwy2Wk4WBlokfgZuWoonm/cAHR5qHS4J7fefbtDrVz4Pln6c2jaqgtpbYm4tgEN64HJs=,iv:vvCC6o1RyAap2qViyxVcSi8KkFNZm9mubv+NcPrGPRs=,tag:EFguQC77p9hMkr8Y3KmxLQ==,type:str] + lastmodified: "2023-05-27T04:21:43Z" + mac: ENC[AES256_GCM,data:K5nsP6Q9dwpGZSEXcko3Nzb9xW/UQfmYj8eeu9lj9/aznpKaugPUj1zfuDbVVDz4+whvfxidNnYJh4k9JtUtpoPdAXL8SIoW2cynMdtIRlg3gvU3+6wL69rkoUfAcdvmdW5lChHAmPdz56ap0/FcJ+eJpdSuwKJfr+mPzBH4yMY=,iv:DWo7n/m/70Xt3g3xOrIhG/WZsIAOB0Z5MuRoxdr8x98=,tag:nZx+6PfS3ydj4nM+uli4iA==,type:str] pgp: - created_at: "2023-02-26T18:12:43Z" enc: | diff --git a/kube/3-deploy/1-core/05-ingress/nginx/netpol.yaml b/kube/3-deploy/1-core/05-ingress/nginx/netpol.yaml index 5bd1d281..d24bc562 100644 --- a/kube/3-deploy/1-core/05-ingress/nginx/netpol.yaml +++ b/kube/3-deploy/1-core/05-ingress/nginx/netpol.yaml @@ -10,6 +10,17 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx ingress: + # allow kube-apiserver for webhooks + - fromEntities: + - kube-apiserver + toPorts: + - ports: + - port: "80" + protocol: TCP + - port: "443" + protocol: TCP + - port: "8443" + protocol: TCP # all ingress-nginx traffic - fromEndpoints: - matchLabels:
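Review bot: The three new `SECRET_HEADSCALE_PG_DBNAME` / `SECRET_HEADSCALE_PG_USER` / `SECRET_HEADSCALE_PG_PASS` entries have nothing to do with the ingress-nginx network policy named in the subject line, so anyone auditing the history for when Headscale's database credentials were introduced will not find them under `fix(netpols)`. Either split them into their own commit (e.g. `feat(headscale): add Postgres credentials`) or mention them in the commit body so the secret change is discoverable. The values themselves are SOPS-encrypted and cannot be reviewed here; the regenerated `mac`/`lastmodified` in the neighbouring hunks is the expected side effect of editing the file.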
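Review bot: The added `fromEntities: kube-apiserver` rule opens TCP 80 and 443 in addition to 8443, but the comment above it only justifies webhook traffic, and ingress-nginx's admission webhook is normally served on 8443 while 80 and 443 are the proxy's HTTP/HTTPS listeners (confirm against the controller's declared container ports). Unless the API server genuinely needs to reach the proxy ports, trim the allow to the one port so it matches its stated purpose: `- ports:` / `- port: "8443"` / `protocol: TCP`. The commit subject says this is about ingress-nginx reaching the flux webhook, which would be an egress rule toward the flux receiver rather than this ingress rule from the API server; if that path is also meant to be fixed, it is not covered by this hunk. The enclosing `ingress:` list continues past the end of the hunk.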