d0b3c26223
Adds three policy files under policy/ plus a pre-commit hook that
runs conftest against all staged YAML manifests (excluding chart
templates).
Policies:

no_ingress.rego
  Deny Ingress resources — cluster uses Gateway API only.

gateway_api.rego
  HTTPRoute/TLSRoute: require explicit group/kind on parentRefs and
  group/kind/weight on backendRefs (PR #162, #165).
  Gateway: require explicit group on certificateRefs (PR #153).
  All fields are defaulted by the controller; omitting them causes
  permanent ArgoCD OutOfSync.

resource_normalization.rego
  CPU integer: deny unquoted integer cpu values (PR #163).
  CPU milliCPU: deny values like 1000m/2000m that normalise to "1"/"2" (PR #164).
  Memory Mi→Gi: deny 1024Mi/2048Mi etc. that normalise to 1Gi/2Gi (PR #163).
  clusterIP null: deny Service with explicit null clusterIP (PR #166).
Also fixes all existing violations found by the new policies across
puppet deployments and reposync cronjobs (resource normalization).
kanidm/tlsroute.yaml and puppet/service_puppetdb.yaml are excluded
from this commit as they are addressed in PRs #165 and #166.
73 lines
2.1 KiB
YAML
---
apiVersion: batch/v1
kind: CronJob
metadata:
  labels:
    app.kubernetes.io/component: reposync-almalinux9-appstream
    app.kubernetes.io/name: reposync
  name: reposync-almalinux9-appstream
  namespace: reposync
spec:
  schedule: "10 2 * * *"
  timeZone: "Australia/Sydney"
  concurrencyPolicy: Forbid
  suspend: false
  successfulJobsHistoryLimit: 10
  failedJobsHistoryLimit: 5
  jobTemplate:
    spec:
      completions: 1
      parallelism: 1
      backoffLimit: 3
      ttlSecondsAfterFinished: 3600
      template:
        spec:
          restartPolicy: Never
          containers:
            - name: reposync
              image: git.unkin.net/unkin/almalinux9-base:latest
              imagePullPolicy: Always
              command: ["/bin/bash", "-c"]
              args:
                - |
                  set -euo pipefail
                  echo "Starting AlmaLinux $REPO_TYPE repository sync..."

                  # Install reposync
                  dnf install -y dnf-plugins-core

                  # Sync repository
                  dnf reposync \
                    --repoid=$REPO_TYPE \
                    --destdir=/data \
                    --download-metadata \
                    --newest-only \
                    --delete

                  echo "AlmaLinux $REPO_TYPE repository sync completed successfully"
              env:
                - name: REPO_TYPE
                  value: "appstream"
              resources:
                requests:
                  cpu: 500m
                  memory: 1Gi
                limits:
                  cpu: "2"
                  memory: 4Gi
              volumeMounts:
                - name: repodata
                  mountPath: /data
                  readOnly: false
                - name: dnf-conf
                  mountPath: /etc/dnf/dnf.conf
                  subPath: dnf.conf
                  readOnly: true
          volumes:
            - name: repodata
              persistentVolumeClaim:
                claimName: reposync-almalinux9-appstream-repodata
            - name: dnf-conf
              configMap:
                name: dnf-conf
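Review bot: `image: git.unkin.net/unkin/almalinux9-base:latest` combined with `imagePullPolicy: Always` means each nightly run pulls whatever that tag currently points at, so the mirror job is neither reproducible nor auditable and a changed base image reaches the repository mirror unnoticed; pin a versioned tag or an `@sha256:` digest and bump it through the same GitOps flow the policies protect. While in this block, `dnf install -y dnf-plugins-core` at the top of the script adds a network dependency to every run that baking the plugin into the base image would remove, and `--repoid=$REPO_TYPE` should be quoted as `"$REPO_TYPE"` for consistency with `set -u`.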