chore: cleanup volsync & netpols

2026-03-21 01:39:38 +00:00 · 2023-08-12 04:13:09 +08:00
parent 16040fef77
commit cceeb29534
5 changed files with 87 additions and 5 deletions
--- a/kube/deploy/apps/neko/xfce/netpol.yaml
+++ b/kube/deploy/apps/neko/xfce/netpol.yaml
@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: &app neko-xfce
+  namespace: neko
+spec:
+  endpointSelector: {}
+  ingress:
+    # WebRTC
+    - fromEntities:
+        - world
+      toPorts:
+        - ports:
+            - port: "13100"
+  egress:
+    # WebRTC
+    - toEntities:
+        - world
+      toPorts:
+        - ports:
+            - port: "13100"
--- a/kube/deploy/apps/soft-serve/volsync.yaml
+++ b/kube/deploy/apps/soft-serve/volsync.yaml
@@ -0,0 +1,36 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: soft-serve-restic
+  namespace: soft-serve
+type: Opaque
+stringData:
+  RESTIC_REPOSITORY: ${SECRET_VOLSYNC_R2_REPO}/soft-serve
+  RESTIC_PASSWORD: ${SECRET_VOLSYNC_PASSWORD}
+  AWS_ACCESS_KEY_ID: ${SECRET_VOLSYNC_R2_ID}
+  AWS_SECRET_ACCESS_KEY: ${SECRET_VOLSYNC_R2_KEY}
+---
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: soft-serve-restic
+  namespace: soft-serve
+spec:
+  sourcePVC: config-soft-serve-0 # TODO: find PVC name
+  trigger:
+    schedule: "0 6 * * *"
+  restic:
+    copyMethod: Snapshot
+    pruneIntervalDays: 14
+    repository: soft-serve-restic
+    cacheCapacity: 2Gi
+    volumeSnapshotClassName: block
+    storageClassName: block
+    moverSecurityContext:
+      runAsUser: &uid ${APP_UID_SOFT_SERVE}
+      runAsGroup: ${APP_UID_SOFT_SERVE}
+      fsGroup: ${APP_UID_SOFT_SERVE}
+    retain:
+      daily: 14
+      within: 7d
--- a/kube/deploy/core/db/pg/clusters/default/netpol.yaml
+++ b/kube/deploy/core/db/pg/clusters/default/netpol.yaml
@@ -14,7 +14,7 @@ spec:
    # allow pods marked with db label to connect
    - toEndpoints:
        - matchLabels:
-            postgresql: *pg
+            cnpg.io/cluster: *pg
            io.kubernetes.pod.namespace: pg
      toPorts:
        - ports:
--- a/kube/deploy/core/db/pg/clusters/template/netpol.yaml
+++ b/kube/deploy/core/db/pg/clusters/template/netpol.yaml
@@ -1,4 +1,27 @@
 ---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: "${PG_APP_NAME}-to-pg"
+spec:
+  endpointSelector:
+    matchLabels:
+      db.home.arpa/pg: "pg-${PG_APP_NAME}"
+  egress:
+    - icmps:
+        - {}
+    # same namespace
+    - toEndpoints:
+        - matchLabels:
+            cnpg.io/cluster: "pg-${PG_APP_NAME}"
+          matchExpressions:
+            - key: io.kubernetes.pod.namespace
+              operator: Exists
+      toPorts:
+        - ports:
+            - port: "5432"
+---
 # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
--- a/kube/templates/test/app/volsync.yaml
+++ b/kube/templates/test/app/volsync.yaml
@@ -17,7 +17,7 @@ metadata:
  name: ${APPNAME}-restic
  namespace: ${APPNAME}
 spec:
-  sourcePVC: config-${APPNAME}-0
+  sourcePVC: ${APPNAME}-data
  trigger:
    schedule: "0 6 * * *"
  restic:
@@ -28,9 +28,9 @@ spec:
    volumeSnapshotClassName: block
    storageClassName: block
    moverSecurityContext:
-      runAsUser: ${UID}
-      runAsGroup: ${UID}
-      fsGroup: ${UID}
+      runAsUser: &uid ${APP_UID_APPNAME}
+      runAsGroup: *uid
+      fsGroup: *uid
    retain:
      daily: 14
      within: 7d