Adds three policy files under policy/ plus a pre-commit hook that
runs conftest against all staged YAML manifests (excluding chart
templates).
Policies:
no_ingress.rego
Deny Ingress resources — cluster uses Gateway API only.
gateway_api.rego
HTTPRoute/TLSRoute: require explicit group/kind on parentRefs and
group/kind/weight on backendRefs (PR #162, #165).
Gateway: require explicit group on certificateRefs (PR #153).
All fields are defaulted by the controller; omitting them causes
permanent ArgoCD OutOfSync.
resource_normalization.rego
CPU integer: deny unquoted integer cpu values (PR #163).
CPU milliCPU: deny values like 1000m/2000m that normalise to "1"/"2" (PR #164).
Memory Mi→Gi: deny 1024Mi/2048Mi etc. that normalise to 1Gi/2Gi (PR #163).
clusterIP null: deny Service with explicit null clusterIP (PR #166).
Also fixes all existing violations found by the new policies across
puppet deployments and reposync cronjobs (resource normalization).
kanidm/tlsroute.yaml and puppet/service_puppetdb.yaml are excluded
from this commit as they are addressed in PRs #165 and #166.
- Update PuppetDB connections from HTTP (8080) to HTTPS (8081)
- Add automatic certificate generation for Puppetboard using Puppet CA
- Implement initContainers for proper certificate provisioning before app start
- Add dedicated PVC for Puppetboard certificates with RWX access
- Configure SSL verification and client authentication for secure PuppetDB access
Reviewed-on: #50
puppetdb_port has tcp:// in it, even though we pass the correct variable
in from a configmap.
```
ben@metabox ~/s/p/argocd-apps> kubectl --context admin run debug-pod --image=busybox --rm -it --restart=Never -n puppet -- env | grep -i puppetdb_port
PUPPETDB_PORT_8081_TCP_PORT=8081
PUPPETDB_PORT_8081_TCP_PROTO=tcp
PUPPETDB_PORT=tcp://10.43.101.142:8080
PUPPETDB_PORT_8080_TCP=tcp://10.43.101.142:8080
PUPPETDB_PORT_8080_TCP_ADDR=10.43.101.142
PUPPETDB_PORT_8081_TCP=tcp://10.43.101.142:8081
PUPPETDB_PORT_8080_TCP_PROTO=tcp
PUPPETDB_PORT_8081_TCP_ADDR=10.43.101.142
PUPPETDB_PORT_8080_TCP_PORT=8080
```
Reviewed-on: #32
complete the implementation of puppet in kubernetes, taking many
features from the openvox helm chart and improving on them. changes from
helm are:
- using vault for storing secrets
- using g10k instead of r10k
- using a single shared g10k cronjob for all masters/compilers
- using a single shared /etc/puppetlabs/code directory (shared, cephfs)
changes:
- deploy puppet master and compiler servers with statefulset/deployment
- deploy puppetdb with postgresql backend, taking advantage of cnpg cluster and pooler
- deploy puppetboard
- all supporting configmaps, services, ingresses, and hpas
- added vaultstaticsecret for eyaml private keys
- configured secure mounting of eyaml keys at /var/lib/puppet/keys/
- updated base kustomization to include all 23 new puppet resource files
Reviewed-on: #29