This patch migrates the vault component from [holos-infra][1] to a cue based component. Vault is optional in the reference platform, so this patch also defines an `#OptionalServices` struct to conditionally manage a service across multiple clusters in the platform. The primary use case for optional services is managing a namespace to provision and provide secrets across clusters. [1]: https://github.com/holos-run/holos-infra/tree/v0.5.0/components/core/core/vault
31 lines
1.3 KiB
CUE
package holos
|
|
|
|
// Refer to https://kubernetes.io/docs/concepts/security/pod-security-standards/
|
|
let Restricted = {
|
|
labels: "pod-security.kubernetes.io/enforce": "restricted"
|
|
labels: "pod-security.kubernetes.io/enforce-version": "latest"
|
|
}
|
|
let Privileged = {
|
|
labels: "pod-security.kubernetes.io/enforce": "privileged"
|
|
labels: "pod-security.kubernetes.io/enforce-version": "latest"
|
|
}
|
|
|
|
// #PlatformNamespaces is the union of all namespaces across all cluster types. Namespaces are created in all clusters regardless of if they're
|
|
// used within the cluster or not. The is important for security and consistency with IAM, RBAC, and Secrets sync between clusters.
|
|
// TODO: Deprecate in favor of #ManagedNamespaces because it better to add fields to an object instead adding items to a list.
|
|
#PlatformNamespaces: [
|
|
{name: "external-secrets"},
|
|
{name: "holos-system"},
|
|
{name: "flux-system"},
|
|
{name: "ceph-system"} & Privileged,
|
|
{name: "istio-system"} & Privileged,
|
|
{name: "istio-ingress"} & Restricted,
|
|
{name: "cert-manager"},
|
|
{name: "argocd"},
|
|
{name: "prod-iam-zitadel"},
|
|
{name: "arc-system"},
|
|
{name: "arc-runner"},
|
|
// https://github.com/CrunchyData/postgres-operator-examples/blob/main/kustomize/install/namespace/namespace.yaml
|
|
{name: "postgres-operator"},
|
|
]
|
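Review bot: Most entries in `#PlatformNamespaces` (external-secrets, holos-system, flux-system, cert-manager, argocd, prod-iam-zitadel, arc-system, arc-runner, postgres-operator) carry no pod-security label at all, so they inherit whatever the cluster's PodSecurity admission default is — which is `privileged` unless an AdmissionConfiguration says otherwise; given the header comment says the list exists "for security and consistency", the safer shape is to default every namespace to `Restricted` (or a `Baseline` let) and unify `& Privileged` only where it is explicitly needed, as ceph-system and istio-system already do. The `Restricted` and `Privileged` lets also set only `enforce`; adding `labels: "pod-security.kubernetes.io/warn": "restricted"` and `labels: "pod-security.kubernetes.io/audit": "restricted"` to `Restricted` (and the matching pair on `Privileged`) makes violations visible in kubectl output and the audit log instead of failing silently or not at all. `enforce-version: "latest"` means the enforced policy changes on each control-plane upgrade; the upstream docs suggest pinning a version (e.g. `"v1.28"` as a placeholder for the cluster's actual minor) so a cluster upgrade cannot start rejecting pods unexpectedly — worth a comment if "latest" is intentional. Minor wording in the header comment: "regardless of if they're" → "regardless of whether they're", "The is important" → "This is important", and "instead adding items" → "instead of adding items".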