Adds three policy files under policy/ plus a pre-commit hook that
runs conftest against all staged YAML manifests (excluding chart
templates).
Policies:
no_ingress.rego
Deny Ingress resources — cluster uses Gateway API only.
gateway_api.rego
HTTPRoute/TLSRoute: require explicit group/kind on parentRefs and
group/kind/weight on backendRefs (PR #162, #165).
Gateway: require explicit group on certificateRefs (PR #153).
All fields are defaulted by the controller; omitting them causes
permanent ArgoCD OutOfSync.
resource_normalization.rego
CPU integer: deny unquoted integer cpu values (PR #163).
CPU milliCPU: deny values like 1000m/2000m that normalise to "1"/"2" (PR #164).
Memory Mi→Gi: deny 1024Mi/2048Mi etc. that normalise to 1Gi/2Gi (PR #163).
clusterIP null: deny Service with explicit null clusterIP (PR #166).
Also fixes all existing violations found by the new policies across
puppet deployments and reposync cronjobs (resource normalization).
kanidm/tlsroute.yaml and puppet/service_puppetdb.yaml are excluded
from this commit as they are addressed in PRs #165 and #166.
Add support for installing additional Ruby gems via custom entrypoint script.
The script is mounted as a ConfigMap into /container-custom-entrypoint.d/
and will be executed during Puppetserver container startup.
Reviewed-on: #63
- Mount vault-ca-cert secret at /opt/vault-ca-cert.crt in both deployments
- Update cobbler-enc script to use correct CA certificate path
- Resolves OSError about missing TLS CA certificate bundle
Reviewed-on: #62
- Add puppet-shared-bins PVC (10GB) for shared binaries
- Mount /opt/bin in both compiler and master deployments
- Add init container to install uv binary and cobbler script to shared volume
- Update cobbler-enc to use absolute path and uv cache directory
- Configure puppet.conf to reference cobbler-enc from /opt/bin
Reviewed-on: #61