From cceeb29534e07d8a902bf33aaaff3ad2356e2eba Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Sat, 12 Aug 2023 04:13:09 +0800
Subject: [PATCH] chore: cleanup volsync & netpols
---
kube/deploy/apps/neko/xfce/netpol.yaml | 23 ++++++++++++
kube/deploy/apps/soft-serve/volsync.yaml | 36 +++++++++++++++++++
.../core/db/pg/clusters/default/netpol.yaml | 2 +-
.../core/db/pg/clusters/template/netpol.yaml | 23 ++++++++++++
kube/templates/test/app/volsync.yaml | 8 ++---
5 files changed, 87 insertions(+), 5 deletions(-)
create mode 100644 kube/deploy/apps/neko/xfce/netpol.yaml
create mode 100644 kube/deploy/apps/soft-serve/volsync.yaml
diff --git a/kube/deploy/apps/neko/xfce/netpol.yaml b/kube/deploy/apps/neko/xfce/netpol.yaml
new file mode 100644
index 00000000..6037a1d8
--- /dev/null
+++ b/kube/deploy/apps/neko/xfce/netpol.yaml
@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: &app neko-xfce
+ namespace: neko
+spec:
+ endpointSelector: {}
+ ingress:
+ # WebRTC
+ - fromEntities:
+ - world
+ toPorts:
+ - ports:
+ - port: "13100"
+ egress:
+ # WebRTC
+ - toEntities:
+ - world
+ toPorts:
+ - ports:
+ - port: "13100"
\ No newline at end of file
diff --git a/kube/deploy/apps/soft-serve/volsync.yaml b/kube/deploy/apps/soft-serve/volsync.yaml
new file mode 100644
index 00000000..976f75c6
--- /dev/null
+++ b/kube/deploy/apps/soft-serve/volsync.yaml
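Review bot: `endpointSelector: {}` makes this policy select every pod in the `neko` namespace rather than only the neko-xfce pods, so every pod there gets world ingress on 13100 and, because a selected endpoint in Cilium goes default-deny in each direction a policy covers, every other pod in the namespace also loses any egress not allowed by some other policy; the `&app` anchor on `name` is declared but never aliased, which suggests a label selector was intended. Consider `endpointSelector:` / `matchLabels:` / `<pod-label-key>: *app` using whatever label the neko-xfce pods actually carry. The port entries carry no `protocol`, which Cilium treats as any protocol; if the WebRTC mux here is UDP only, `protocol: UDP` next to `port: "13100"` would narrow both rules.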
@@ -0,0 +1,36 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: soft-serve-restic
+ namespace: soft-serve
+type: Opaque
+stringData:
+ RESTIC_REPOSITORY: ${SECRET_VOLSYNC_R2_REPO}/soft-serve
+ RESTIC_PASSWORD: ${SECRET_VOLSYNC_PASSWORD}
+ AWS_ACCESS_KEY_ID: ${SECRET_VOLSYNC_R2_ID}
+ AWS_SECRET_ACCESS_KEY: ${SECRET_VOLSYNC_R2_KEY}
+---
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+ name: soft-serve-restic
+ namespace: soft-serve
+spec:
+ sourcePVC: config-soft-serve-0 # TODO: find PVC name
+ trigger:
+ schedule: "0 6 * * *"
+ restic:
+ copyMethod: Snapshot
+ pruneIntervalDays: 14
+ repository: soft-serve-restic
+ cacheCapacity: 2Gi
+ volumeSnapshotClassName: block
+ storageClassName: block
+ moverSecurityContext:
+ runAsUser: &uid ${APP_UID_SOFT_SERVE}
+ runAsGroup: ${APP_UID_SOFT_SERVE}
+ fsGroup: ${APP_UID_SOFT_SERVE}
+ retain:
+ daily: 14
+ within: 7d
diff --git a/kube/deploy/core/db/pg/clusters/default/netpol.yaml b/kube/deploy/core/db/pg/clusters/default/netpol.yaml
index 89a5a67c..8cee960e 100644
--- a/kube/deploy/core/db/pg/clusters/default/netpol.yaml
+++ b/kube/deploy/core/db/pg/clusters/default/netpol.yaml
@@ -14,7 +14,7 @@ spec:
# allow pods marked with db label to connect
- toEndpoints:
- matchLabels:
- postgresql: *pg
+ cnpg.io/cluster: *pg
io.kubernetes.pod.namespace: pg
toPorts:
- ports:
diff --git a/kube/deploy/core/db/pg/clusters/template/netpol.yaml b/kube/deploy/core/db/pg/clusters/template/netpol.yaml
index 11afe678..2612fe21 100644
--- a/kube/deploy/core/db/pg/clusters/template/netpol.yaml
+++ b/kube/deploy/core/db/pg/clusters/template/netpol.yaml
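Review bot: `sourcePVC: config-soft-serve-0` ships with `# TODO: find PVC name`; if that name does not match an existing PVC the ReplicationSource never snapshots anything and the backup silently does not exist, and the kube/templates/test/app/volsync.yaml hunk in this same commit moves the convention from `config-${APPNAME}-0` to `${APPNAME}-data`, so this value looks like it may already be stale. The `&uid` anchor on `runAsUser` is declared but `runAsGroup` and `fsGroup` repeat the literal instead of aliasing it; `runAsGroup: *uid` and `fsGroup: *uid` would match the template and keep the three values from drifting. Every `${SECRET_...}` and `${APP_UID_SOFT_SERVE}` value is a substitution placeholder, so what ends up in the Secret and the security context when a variable is undefined depends on the substituting tool — worth confirming it fails loudly rather than writing the literal string.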
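Review bot: The egress selector now keys on `cnpg.io/cluster: *pg`, the label CloudNativePG puts on its instance pods, so the rule only matches if the value behind the `*pg` anchor (defined above this hunk, outside it) equals the CNPG Cluster's name; if it does not, the rule matches nothing and the selected apps silently lose database connectivity, which is fail-closed but hard to diagnose. Worth confirming the anchor value against the Cluster object's `metadata.name`, and that the pods also carry `io.kubernetes.pod.namespace: pg`, since both labels must match. The enclosing `spec` starts and ends outside the hunk.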
@@ -1,4 +1,27 @@
---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: "${PG_APP_NAME}-to-pg"
+spec:
+ endpointSelector:
+ matchLabels:
+ db.home.arpa/pg: "pg-${PG_APP_NAME}"
+ egress:
+ - icmps:
+ - {}
+ # same namespace
+ - toEndpoints:
+ - matchLabels:
+ cnpg.io/cluster: "pg-${PG_APP_NAME}"
+ matchExpressions:
+ - key: io.kubernetes.pod.namespace
+ operator: Exists
+ toPorts:
+ - ports:
+ - port: "5432"
+---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
diff --git a/kube/templates/test/app/volsync.yaml b/kube/templates/test/app/volsync.yaml
index cc92b0e1..6a7cfdad 100644
--- a/kube/templates/test/app/volsync.yaml
+++ b/kube/templates/test/app/volsync.yaml
@@ -17,7 +17,7 @@ metadata:
name: ${APPNAME}-restic
namespace: ${APPNAME}
spec:
- sourcePVC: config-${APPNAME}-0
+ sourcePVC: ${APPNAME}-data
trigger:
schedule: "0 6 * * *"
restic:
@@ -28,9 +28,9 @@ spec:
volumeSnapshotClassName: block
storageClassName: block
moverSecurityContext:
- runAsUser: ${UID}
- runAsGroup: ${UID}
- fsGroup: ${UID}
+ runAsUser: &uid ${APP_UID_APPNAME}
+ runAsGroup: *uid
+ fsGroup: *uid
retain:
daily: 14
within: 7d
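Review bot: The `# same namespace` comment above `toEndpoints` does not describe the selector beneath it: `io.kubernetes.pod.namespace` with `operator: Exists` matches a pod in any namespace, and since this is a CiliumClusterwideNetworkPolicy there is no namespace implied either, so the rule allows 5432 to any pod labelled `cnpg.io/cluster: pg-${PG_APP_NAME}` wherever it lives. If the `pg` namespace is intended, as in kube/deploy/core/db/pg/clusters/default/netpol.yaml in this commit, `io.kubernetes.pod.namespace: pg` under `matchLabels` pins it; if any namespace is intended, reword the comment to say what the `Exists` check is for (presumably "only Kubernetes pods"). Note also that selecting the `db.home.arpa/pg` pods with an egress section puts them into default-deny egress for everything not listed here (DNS included) unless another policy covers it — presumably the case, but worth a comment.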
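Review bot: `runAsUser: &uid ${APP_UID_APPNAME}` in the second hunk mixes the template's `${APPNAME}` marker into another variable's name, so a plain replacement of `${APPNAME}` will not touch it and the rendered file keeps `${APP_UID_APPNAME}` literally — compare the hand-written `${APP_UID_SOFT_SERVE}` in kube/deploy/apps/soft-serve/volsync.yaml in this commit. If the template tooling replaces the bare word `APPNAME` as well, a comment such as `# APPNAME inside the variable name is rewritten with the rest of the template` would make that explicit; otherwise this value has to be filled in per app and the comment should say so. The `&uid` anchor with `*uid` aliases on `runAsGroup` and `fsGroup` is a good change and worth mirroring in the soft-serve file.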