Commit Graph

5 Commits

Author SHA1 Message Date
unkinben d0b3c26223 feat(opa): add conftest OPA policies and pre-commit hook
ci/woodpecker/pr/pre-commit Pipeline failed
ci/woodpecker/pr/kubeconform Pipeline was successful
Adds three policy files under policy/ plus a pre-commit hook that
runs conftest against all staged YAML manifests (excluding chart
templates).

Policies:
  no_ingress.rego
    Deny Ingress resources — cluster uses Gateway API only.

  gateway_api.rego
    HTTPRoute/TLSRoute: require explicit group/kind on parentRefs and
    group/kind/weight on backendRefs (PR #162, #165).
    Gateway: require explicit group on certificateRefs (PR #153).
    All fields are defaulted by the controller; omitting them causes
    permanent ArgoCD OutOfSync.

  resource_normalization.rego
    CPU integer: deny unquoted integer cpu values (PR #163).
    CPU milliCPU: deny values like 1000m/2000m that normalise to "1"/"2" (PR #164).
    Memory Mi→Gi: deny 1024Mi/2048Mi etc. that normalise to 1Gi/2Gi (PR #163).
    clusterIP null: deny Service with explicit null clusterIP (PR #166).

Also fixes all existing violations found by the new policies across
puppet deployments and reposync cronjobs (resource normalization).
kanidm/tlsroute.yaml and puppet/service_puppetdb.yaml are excluded
from this commit as they are addressed in PRs #165 and #166.
2026-05-25 00:00:37 +10:00
unkinben 24d09744e3 git commit -m "fix: configure PuppetDB HTTPS connections and add Puppetboard SSL support (#50)
- Update PuppetDB connections from HTTP (8080) to HTTPS (8081)
- Add automatic certificate generation for Puppetboard using Puppet CA
- Implement initContainers for proper certificate provisioning before app start
- Add dedicated PVC for Puppetboard certificates with RWX access
- Configure SSL verification and client authentication for secure PuppetDB access

Reviewed-on: #50
2026-03-19 16:34:41 +11:00
unkinben 88fe895409 fix: puppetboard port issues (#34)
service / ingres / deployment mismatch, attempt 2

Reviewed-on: #34
2026-03-18 14:31:43 +11:00
unkinben 64fb4da04c fix: puppetboard tcp is not a valid port (#32)
puppetdb_port has tcp:// in it, even though we pass the correct variable
in from a configmap.

```
ben@metabox ~/s/p/argocd-apps> kubectl --context admin run debug-pod --image=busybox --rm -it --restart=Never -n puppet -- env | grep -i puppetdb_port
PUPPETDB_PORT_8081_TCP_PORT=8081
PUPPETDB_PORT_8081_TCP_PROTO=tcp
PUPPETDB_PORT=tcp://10.43.101.142:8080
PUPPETDB_PORT_8080_TCP=tcp://10.43.101.142:8080
PUPPETDB_PORT_8080_TCP_ADDR=10.43.101.142
PUPPETDB_PORT_8081_TCP=tcp://10.43.101.142:8081
PUPPETDB_PORT_8080_TCP_PROTO=tcp
PUPPETDB_PORT_8081_TCP_ADDR=10.43.101.142
PUPPETDB_PORT_8080_TCP_PORT=8080
```

Reviewed-on: #32
2026-03-18 12:51:54 +11:00
unkinben df1b9a5685 feat: complete puppet infrastructure (#29)
complete the implementation of puppet in kubernetes, taking many
features from the openvox helm chart and improving on them. changes from
helm are:
- using vault for storing secrets
- using g10k instead of r10k
- using a single shared g10k cronjob for all masters/compilers
- using a single shared /etc/puppetlabs/code directory (shared, cephfs)

changes:
- deploy puppet master and compiler servers with statefulset/deployment
- deploy puppetdb with postgresql backend, taking advantage of cnpg cluster and pooler
- deploy puppetboard
- all supporting configmaps, services, ingresses, and hpas
- added vaultstaticsecret for eyaml private keys
- configured secure mounting of eyaml keys at /var/lib/puppet/keys/
- updated base kustomization to include all 23 new puppet resource files

Reviewed-on: #29
2026-03-17 20:25:11 +11:00