argocd-apps/apps/base/reposync/cronjob_reposync-almalinux9-appstream.yaml
unkinben d0b3c26223
ci/woodpecker/pr/pre-commit Pipeline failed
ci/woodpecker/pr/kubeconform Pipeline was successful
feat(opa): add conftest OPA policies and pre-commit hook
Adds three policy files under policy/ plus a pre-commit hook that
runs conftest against all staged YAML manifests (excluding chart
templates).

Policies:
  no_ingress.rego
    Deny Ingress resources — cluster uses Gateway API only.

  gateway_api.rego
    HTTPRoute/TLSRoute: require explicit group/kind on parentRefs and
    group/kind/weight on backendRefs (PR #162, #165).
    Gateway: require explicit group on certificateRefs (PR #153).
    All fields are defaulted by the controller; omitting them causes
    permanent ArgoCD OutOfSync.

  resource_normalization.rego
    CPU integer: deny unquoted integer cpu values (PR #163).
    CPU milliCPU: deny values like 1000m/2000m that normalise to "1"/"2" (PR #164).
    Memory Mi→Gi: deny 1024Mi/2048Mi etc. that normalise to 1Gi/2Gi (PR #163).
    clusterIP null: deny Service with explicit null clusterIP (PR #166).

Also fixes all existing violations found by the new policies across
puppet deployments and reposync cronjobs (resource normalization).
kanidm/tlsroute.yaml and puppet/service_puppetdb.yaml are excluded
from this commit as they are addressed in PRs #165 and #166.
2026-05-25 00:00:37 +10:00

73 lines
2.1 KiB
YAML

---
apiVersion: batch/v1
kind: CronJob
metadata:
  labels:
    app.kubernetes.io/component: reposync-almalinux9-appstream
    app.kubernetes.io/name: reposync
  name: reposync-almalinux9-appstream
  namespace: reposync
spec:
  schedule: "10 2 * * *"
  timeZone: "Australia/Sydney"
  concurrencyPolicy: Forbid
  suspend: false
  successfulJobsHistoryLimit: 10
  failedJobsHistoryLimit: 5
  jobTemplate:
    spec:
      completions: 1
      parallelism: 1
      backoffLimit: 3
      ttlSecondsAfterFinished: 3600
      template:
        spec:
          restartPolicy: Never
          containers:
            - name: reposync
              image: git.unkin.net/unkin/almalinux9-base:latest
              imagePullPolicy: Always
              command: ["/bin/bash", "-c"]
              args:
                - |
                  set -euo pipefail
                  echo "Starting AlmaLinux $REPO_TYPE repository sync..."
                  # Install reposync
                  dnf install -y dnf-plugins-core
                  # Sync repository
                  dnf reposync \
                    --repoid=$REPO_TYPE \
                    --destdir=/data \
                    --download-metadata \
                    --newest-only \
                    --delete
                  echo "AlmaLinux $REPO_TYPE repository sync completed successfully"
              env:
                - name: REPO_TYPE
                  value: "appstream"
              resources:
                requests:
                  cpu: 500m
                  memory: 1Gi
                limits:
                  cpu: "2"
                  memory: 4Gi
              volumeMounts:
                - name: repodata
                  mountPath: /data
                  readOnly: false
                - name: dnf-conf
                  mountPath: /etc/dnf/dnf.conf
                  subPath: dnf.conf
                  readOnly: true
          volumes:
            - name: repodata
              persistentVolumeClaim:
                claimName: reposync-almalinux9-appstream-repodata
            - name: dnf-conf
              configMap:
                name: dnf-conf
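
The CPU and memory normalization rules listed in the commit message, sketched as a conftest policy. This is an added example, not the repository's resource_normalization.rego: the rule layout, the helper names `containers` and `quantities`, and the messages are assumptions, and it only walks CronJob pod templates like the manifest above.

```rego
# Added example: not the repository's resource_normalization.rego.
package main
import rego.v1

# Assumption: only CronJob pod templates are inspected (hypothetical helper).
containers contains c if {
    input.kind == "CronJob"
    some c in input.spec.jobTemplate.spec.template.spec.containers
}

# One record per requests/limits entry (hypothetical helper).
quantities contains q if {
    some c in containers
    some section in ["requests", "limits"]
    some name, value in c.resources[section]
    q := {"where": sprintf("%s %s.%s", [c.name, section, name]), "name": name, "value": value}
}

# cpu: 2 (unquoted) parses as a number, the quoted form "2" as a string.
deny contains msg if {
    some q in quantities
    q.name == "cpu"
    is_number(q.value)
    round(q.value) == q.value
    msg := sprintf("%s: cpu %v is an unquoted integer, quote it", [q.where, q.value])
}

# cpu: 1000m, 2000m, ... normalise to whole cores.
deny contains msg if {
    some q in quantities
    q.name == "cpu"
    is_string(q.value)
    endswith(q.value, "m")
    milli := to_number(trim_suffix(q.value, "m"))
    milli >= 1000
    milli % 1000 == 0
    msg := sprintf("%s: cpu %s normalises to %v", [q.where, q.value, milli / 1000])
}

# memory: 1024Mi, 2048Mi, ... normalise to whole Gi.
deny contains msg if {
    some q in quantities
    q.name == "memory"
    is_string(q.value)
    endswith(q.value, "Mi")
    mi := to_number(trim_suffix(q.value, "Mi"))
    mi >= 1024
    mi % 1024 == 0
    msg := sprintf("%s: memory %s normalises to %vGi", [q.where, q.value, mi / 1024])
}
```

Evaluated against the manifest above, these rules produce no `deny` entries: `500m` is below one core, `"2"` is a quoted string, and the memory values are already in `Gi`.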