diff --git a/gitops/argocd/apps/k3s/homelab/security/annotations.yaml b/gitops/argocd/apps/k3s/homelab/security/annotations.yaml
index c5bbf89e1b..90c17af488 100644
--- a/gitops/argocd/apps/k3s/homelab/security/annotations.yaml
+++ b/gitops/argocd/apps/k3s/homelab/security/annotations.yaml
@@ -35,3 +35,5 @@ annotations:
 fieldSpecs:
 - path: metadata/annotations
   create: true
+- path: spec/template/metadata/annotations
+  create: true
diff --git a/gitops/argocd/apps/k3s/homelab/security/applicationset.yaml b/gitops/argocd/apps/k3s/homelab/security/applicationset.yaml
new file mode 100644
index 0000000000..2d576f1ff8
--- /dev/null
+++ b/gitops/argocd/apps/k3s/homelab/security/applicationset.yaml
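Review bot: The new fieldSpec is not scoped to a kind, so with `create: true` the AnnotationTransformer will also create `spec.template.metadata.annotations` on any other resource listed in this kustomization; today that list holds only applicationset.yaml, but a plain Application added later would receive a `spec.template` it does not define. Scoping the entry as `- path: spec/template/metadata/annotations` / `  kind: ApplicationSet` / `  create: true` keeps the transformer from reaching into the wrong kind. The same applies to the matching fieldSpec added to labels.yaml in the second hunk of that file.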
@@ -0,0 +1,101 @@
+---
+# Copyright (C) Nicolas Lamirault
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: security
+  labels:
+    app.kubernetes.io/name: security
+    app.kubernetes.io/instance: security-argocd-applicationset
+    app.kubernetes.io/component: argocd-applicationset
+    app.kubernetes.io/part-of: security-argocd
+spec:
+  generators:
+  - list:
+      elements:
+      - appName: authentik
+        namespace: identity
+        path: gitops/argocd/charts/identity/authentik
+        targetRevision: master
+      - appName: kyverno
+        namespace: kyverno
+        path: gitops/argocd/charts/kyverno/kyverno
+        targetRevision: master
+      - appName: kyverno-reporter
+        namespace: kyverno
+        path: gitops/argocd/charts/kyverno/kyverno-reporter
+        targetRevision: master
+      - appName: sbom-operator
+        namespace: security
+        path: gitops/argocd/charts/security/sbom-operator
+        targetRevision: master
+      - appName: trivy-operator
+        namespace: security
+        path: gitops/argocd/charts/security/trivy-operator
+        targetRevision: master
+      - appName: vault
+        namespace: security
+        path: gitops/argocd/charts/security/vault
+        targetRevision: master
+      - appName: tetragon
+        namespace: security
+        path: gitops/argocd/charts/security/tetragon
+        targetRevision: master
+  template:
+    metadata:
+      name: "{{appName}}"
+      annotations:
+        # https://argo-cd.readthedocs.io/en/stable/operator-manual/high_availability/#webhook-and-manifest-paths-annotation
+        argocd.argoproj.io/manifest-generate-paths: "/{{path}}"
+      finalizers:
+      - resources-finalizer.argocd.argoproj.io
+      labels:
+        app.kubernetes.io/name: "{{appName}}"
+        app.kubernetes.io/instance: "{{appName}}-argocd-application"
+        app.kubernetes.io/component: argocd-application
+        app.kubernetes.io/part-of: "{{appName}}-argocd"
+    spec:
+      destination:
+        namespace: "{{namespace}}"
+        server: https://kubernetes.default.svc
+      project: portefaix-k3s-homelab
+      source:
+        repoURL: https://github.com/portefaix/portefaix-kubernetes.git
+        targetRevision: "{{targetRevision}}"
+        path: "{{path}}"
+        helm:
+          valueFiles:
+          - values.yaml
+          - values-k3s-homelab.yaml
+      syncPolicy:
+        automated:
+          prune: true
+          selfHeal: true
+          allowEmpty: false
+        syncOptions:
+        - CreateNamespace=true
+        - Validate=false
+        - SkipDryRunOnMissingResource=true
+        - ApplyOutOfSyncOnly=true
+        # - ServerSideApply=true
+        # retry:
+        #   limit: 5
+        #   backoff:
+        #     duration: 5s
+        #     factor: 2
+        #     maxDuration: 3m0s
diff --git a/gitops/argocd/apps/k3s/homelab/security/authentik.yaml b/gitops/argocd/apps/k3s/homelab/security/authentik.yaml
deleted file mode 100644
index 371037cf4e..0000000000
--- a/gitops/argocd/apps/k3s/homelab/security/authentik.yaml
+++ /dev/null
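Review bot: The shared template drops per-application settings the deleted Application files carried, and the list elements expose no field to restore them: the `ignoreDifferences` on kyverno ClusterPolicy autogen rules (kyverno, sbom-operator, tetragon, trivy-operator, vault) and vault's cert-manager-injected `caBundle` exclusion are gone, so with `selfHeal: true` Argo CD will presumably keep reporting those resources OutOfSync and re-applying them. `helm.skipCrds` (true for authentik, kyverno, kyverno-reporter and sbom-operator) and `ServerSideApply=true` (kyverno, kyverno-reporter, sbom-operator, trivy-operator) are also dropped, and vault and tetragon move from namespaces `vault` and `tetragon` to `security`; since the old Applications carry the resources finalizer and the template keeps `prune: true`, that reads as a tear-down and redeploy into a new namespace rather than an in-place change, which is worth confirming before merge. The least invasive fix is to carry the `ignoreDifferences` block into the template as below and, where skipCrds, ServerSideApply or the namespace genuinely differ per app, add them as element fields the template references.
```yaml
    spec:
      # … unchanged: destination, project, source, syncPolicy …
      ignoreDifferences:
      - group: kyverno.io
        kind: ClusterPolicy
        jqPathExpressions:
        - .spec.rules[] | select(.name|test("autogen-."))
      # caBundle is injected by cert-manager
      - group: admissionregistration.k8s.io
        kind: MutatingWebhookConfiguration
        jqPathExpressions:
        - ".webhooks[]?.clientConfig.caBundle"
      - group: admissionregistration.k8s.io
        kind: ValidatingWebhookConfiguration
        jqPathExpressions:
        - ".webhooks[]?.clientConfig.caBundle"
```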
@@ -1,62 +0,0 @@
----
-# Copyright (C) Nicolas Lamirault
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: authentik
-  annotations:
-    # https://argo-cd.readthedocs.io/en/stable/operator-manual/high_availability/#webhook-and-manifest-paths-annotation
-    argocd.argoproj.io/manifest-generate-paths: /gitops/argocd/charts/identity/authentik
-    notifications.argoproj.io/subscribe.grafana: authentik
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-  labels:
-    app.kubernetes.io/name: authentik
-    app.kubernetes.io/instance: authentik-argocd-app
-    app.kubernetes.io/part-of: authentik
-spec:
-  destination:
-    namespace: identity
-    server: https://kubernetes.default.svc
-  project: portefaix-k3s-homelab
-  source:
-    path: gitops/argocd/charts/identity/authentik
-    repoURL: https://github.com/portefaix/portefaix-kubernetes.git
-    targetRevision: master
-    helm:
-      skipCrds: true
-      valueFiles:
-      - values.yaml
-      - values-k3s-homelab.yaml
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=false
-    - SkipDryRunOnMissingResource=true
-    - ApplyOutOfSyncOnly=true
-    # - ServerSideApply=true
-    # retry:
-    #   limit: 5
-    #   backoff:
-    #     duration: 5s
-    #     factor: 2
-    #     maxDuration: 3m0s
diff --git a/gitops/argocd/apps/k3s/homelab/security/falco.yaml b/gitops/argocd/apps/k3s/homelab/security/falco.yaml
deleted file mode 100644
index f4c8397ccb..0000000000
--- a/gitops/argocd/apps/k3s/homelab/security/falco.yaml
+++ /dev/null
@@ -1,67 +0,0 @@
----
-# Copyright (C) Nicolas Lamirault
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: falco
-  annotations:
-    # https://argo-cd.readthedocs.io/en/stable/operator-manual/high_availability/#webhook-and-manifest-paths-annotation
-    argocd.argoproj.io/manifest-generate-paths: /gitops/argocd/charts/security/falco
-    notifications.argoproj.io/subscribe.grafana: falco
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-  labels:
-    app.kubernetes.io/name: falco
-    app.kubernetes.io/instance: falco-argocd-app
-    app.kubernetes.io/part-of: falco
-spec:
-  destination:
-    namespace: falco
-    server: https://kubernetes.default.svc
-  project: portefaix-k3s-homelab
-  source:
-    path: gitops/argocd/charts/security/falco
-    repoURL: https://github.com/portefaix/portefaix-kubernetes.git
-    targetRevision: master
-    helm:
-      skipCrds: false
-      valueFiles:
-      - values.yaml
-      - values-k3s-homelab.yaml
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=false
-    - SkipDryRunOnMissingResource=true
-    - ApplyOutOfSyncOnly=true
-    # - ServerSideApply=true
-    # retry:
-    #   limit: 5
-    #   backoff:
-    #     duration: 5s
-    #     factor: 2
-    #     maxDuration: 3m0s
-  ignoreDifferences:
-  - group: kyverno.io
-    kind: ClusterPolicy
-    jqPathExpressions:
-    - .spec.rules[] | select(.name|test("autogen-."))
diff --git a/gitops/argocd/apps/k3s/homelab/security/kube-bench-adapter.yaml b/gitops/argocd/apps/k3s/homelab/security/kube-bench-adapter.yaml
deleted file mode 100644
index e3b50b7c87..0000000000
--- a/gitops/argocd/apps/k3s/homelab/security/kube-bench-adapter.yaml
+++ /dev/null
@@ -1,67 +0,0 @@
----
-# Copyright (C) Nicolas Lamirault
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: kube-bench-adapter
-  annotations:
-    # https://argo-cd.readthedocs.io/en/stable/operator-manual/high_availability/#webhook-and-manifest-paths-annotation
-    argocd.argoproj.io/manifest-generate-paths: /gitops/argocd/charts/kyverno/kube-bench-adapter
-    notifications.argoproj.io/subscribe.grafana: kube-bench-adapter
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-  labels:
-    app.kubernetes.io/name: kube-bench-adapter
-    app.kubernetes.io/instance: kube-bench-adapter-argocd-app
-    app.kubernetes.io/part-of: kube-bench-adapter
-spec:
-  destination:
-    namespace: security
-    server: https://kubernetes.default.svc
-  project: portefaix-k3s-homelab
-  source:
-    path: gitops/argocd/charts/kyverno/kube-bench-adapter
-    repoURL: https://github.com/portefaix/portefaix-kubernetes.git
-    targetRevision: master
-    helm:
-      skipCrds: true
-      valueFiles:
-      - values.yaml
-      - values-k3s-homelab.yaml
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=false
-    - SkipDryRunOnMissingResource=true
-    - ApplyOutOfSyncOnly=true
-    - ServerSideApply=true
-    # retry:
-    #   limit: 5
-    #   backoff:
-    #     duration: 5s
-    #     factor: 2
-    #     maxDuration: 3m0s
-  ignoreDifferences:
-  - group: kyverno.io
-    kind: ClusterPolicy
-    jqPathExpressions:
-    - .spec.rules[] | select(.name|test("autogen-."))
diff --git a/gitops/argocd/apps/k3s/homelab/security/kubewarden.yaml b/gitops/argocd/apps/k3s/homelab/security/kubewarden.yaml
deleted file mode 100644
index 248728b61d..0000000000
--- a/gitops/argocd/apps/k3s/homelab/security/kubewarden.yaml
+++ /dev/null
@@ -1,62 +0,0 @@
----
-# Copyright (C) Nicolas Lamirault
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: kubewarden
-  annotations:
-    # https://argo-cd.readthedocs.io/en/stable/operator-manual/high_availability/#webhook-and-manifest-paths-annotation
-    argocd.argoproj.io/manifest-generate-paths: /gitops/argocd/charts/kubewarden/kubewarden
-    notifications.argoproj.io/subscribe.grafana: kubewarden
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-  labels:
-    app.kubernetes.io/name: kubewarden
-    app.kubernetes.io/instance: kubewarden-argocd-app
-    app.kubernetes.io/part-of: kubewarden
-spec:
-  destination:
-    namespace: kubewarden
-    server: https://kubernetes.default.svc
-  project: portefaix-k3s-homelab
-  source:
-    path: gitops/argocd/charts/kubewarden/kubewarden
-    repoURL: https://github.com/portefaix/portefaix-kubernetes.git
-    targetRevision: master
-    helm:
-      skipCrds: true
-      valueFiles:
-      - values.yaml
-      - values-k3s-homelab.yaml
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=false
-    - SkipDryRunOnMissingResource=true
-    - ApplyOutOfSyncOnly=true
-    - ServerSideApply=true
-    # retry:
-    #   limit: 5
-    #   backoff:
-    #     duration: 5s
-    #     factor: 2
-    #     maxDuration: 3m0s
diff --git a/gitops/argocd/apps/k3s/homelab/security/kustomization.yaml b/gitops/argocd/apps/k3s/homelab/security/kustomization.yaml
index 2898109179..e46c8c3efc 100644
--- a/gitops/argocd/apps/k3s/homelab/security/kustomization.yaml
+++ b/gitops/argocd/apps/k3s/homelab/security/kustomization.yaml
@@ -22,20 +22,4 @@ transformers:
 - annotations.yaml
 - labels.yaml
 resources:
-# Identity
-- authentik.yaml
-# Policies
-- kyverno.yaml
-- kyverno-reporter.yaml
-# - kube-bench-adapter.yaml
-# - kubewarden.yaml
-# SBOM
-- sbom-operator.yaml
-# TODO: wait for https://github.com/ckotzbauer/vulnerability-operator/issues/267
-# - vulnerability-operator.yaml
-- trivy-operator.yaml
-# Secrets
-- vault.yaml
-# Observability
-# - falco.yaml
-- tetragon.yaml
+- applicationset.yaml
diff --git a/gitops/argocd/apps/k3s/homelab/security/kyverno-reporter.yaml b/gitops/argocd/apps/k3s/homelab/security/kyverno-reporter.yaml
deleted file mode 100644
index 92cee1d903..0000000000
--- a/gitops/argocd/apps/k3s/homelab/security/kyverno-reporter.yaml
+++ /dev/null
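Review bot: The removed block was the only place recording why vulnerability-operator is held back (`# TODO: wait for https://github.com/ckotzbauer/vulnerability-operator/issues/267`) and that kube-bench-adapter, kubewarden and falco are intentionally disabled; after this change neither the resource list nor, as far as this diff shows, the ApplicationSet element list carries that information. Suggest carrying the TODO and the disabled-app comments over to the `elements:` list in applicationset.yaml so the next reader knows the omissions are deliberate rather than accidental.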
@@ -1,62 +0,0 @@
----
-# Copyright (C) Nicolas Lamirault
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: kyverno-reporter
-  annotations:
-    # https://argo-cd.readthedocs.io/en/stable/operator-manual/high_availability/#webhook-and-manifest-paths-annotation
-    argocd.argoproj.io/manifest-generate-paths: /gitops/argocd/charts/kyverno/kyverno-reporter
-    notifications.argoproj.io/subscribe.grafana: kyverno-reporter
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-  labels:
-    app.kubernetes.io/name: kyverno-reporter
-    app.kubernetes.io/instance: kyverno-reporter-argocd-app
-    app.kubernetes.io/part-of: kyverno
-spec:
-  destination:
-    namespace: kyverno
-    server: https://kubernetes.default.svc
-  project: portefaix-k3s-homelab
-  source:
-    path: gitops/argocd/charts/kyverno/kyverno-reporter
-    repoURL: https://github.com/portefaix/portefaix-kubernetes.git
-    targetRevision: master
-    helm:
-      skipCrds: true
-      valueFiles:
-      - values.yaml
-      - values-k3s-homelab.yaml
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=false
-    - SkipDryRunOnMissingResource=true
-    - ApplyOutOfSyncOnly=true
-    - ServerSideApply=true
-    # retry:
-    #   limit: 5
-    #   backoff:
-    #     duration: 5s
-    #     factor: 2
-    #     maxDuration: 3m0s
diff --git a/gitops/argocd/apps/k3s/homelab/security/kyverno.yaml b/gitops/argocd/apps/k3s/homelab/security/kyverno.yaml
deleted file mode 100644
index 0bfbbf4c6d..0000000000
--- a/gitops/argocd/apps/k3s/homelab/security/kyverno.yaml
+++ /dev/null
@@ -1,67 +0,0 @@
----
-# Copyright (C) Nicolas Lamirault
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: kyverno
-  annotations:
-    # https://argo-cd.readthedocs.io/en/stable/operator-manual/high_availability/#webhook-and-manifest-paths-annotation
-    argocd.argoproj.io/manifest-generate-paths: /gitops/argocd/charts/kyverno/kyverno
-    notifications.argoproj.io/subscribe.grafana: kyverno
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-  labels:
-    app.kubernetes.io/name: kyverno
-    app.kubernetes.io/instance: kyverno-argocd-app
-    app.kubernetes.io/part-of: kyverno
-spec:
-  destination:
-    namespace: kyverno
-    server: https://kubernetes.default.svc
-  project: portefaix-k3s-homelab
-  source:
-    path: gitops/argocd/charts/kyverno/kyverno
-    repoURL: https://github.com/portefaix/portefaix-kubernetes.git
-    targetRevision: master
-    helm:
-      skipCrds: true
-      valueFiles:
-      - values.yaml
-      - values-k3s-homelab.yaml
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=false
-    - SkipDryRunOnMissingResource=true
-    - ApplyOutOfSyncOnly=true
-    - ServerSideApply=true
-    # retry:
-    #   limit: 5
-    #   backoff:
-    #     duration: 5s
-    #     factor: 2
-    #     maxDuration: 3m0s
-  ignoreDifferences:
-  - group: kyverno.io
-    kind: ClusterPolicy
-    jqPathExpressions:
-    - .spec.rules[] | select(.name|test("autogen-."))
diff --git a/gitops/argocd/apps/k3s/homelab/security/labels.yaml b/gitops/argocd/apps/k3s/homelab/security/labels.yaml
index 1492ee5a46..3e6a16e9b7 100644
--- a/gitops/argocd/apps/k3s/homelab/security/labels.yaml
+++ b/gitops/argocd/apps/k3s/homelab/security/labels.yaml
@@ -20,7 +20,6 @@ kind: LabelTransformer
 metadata:
   name: labels
 labels:
-  app.kubernetes.io/component: argo-cd-application
   app.kubernetes.io/managed-by: kustomize
   app.kubernetes.io/version: v1.0.0
   portefaix.xyz/stack: security
@@ -28,3 +27,5 @@ labels:
 fieldSpecs:
 - path: metadata/labels
   create: true
+- path: spec/template/metadata/labels
+  create: true
diff --git a/gitops/argocd/apps/k3s/homelab/security/sbom-operator.yaml b/gitops/argocd/apps/k3s/homelab/security/sbom-operator.yaml
deleted file mode 100644
index ce6f59fbfd..0000000000
--- a/gitops/argocd/apps/k3s/homelab/security/sbom-operator.yaml
+++ /dev/null
@@ -1,67 +0,0 @@
----
-# Copyright (C) Nicolas Lamirault
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: sbom-operator
-  annotations:
-    # https://argo-cd.readthedocs.io/en/stable/operator-manual/high_availability/#webhook-and-manifest-paths-annotation
-    argocd.argoproj.io/manifest-generate-paths: /gitops/argocd/charts/security/sbom-operator
-    notifications.argoproj.io/subscribe.grafana: sbom-operator
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-  labels:
-    app.kubernetes.io/name: sbom-operator
-    app.kubernetes.io/instance: sbom-operator-argocd-app
-    app.kubernetes.io/part-of: sbom-operator
-spec:
-  destination:
-    namespace: security
-    server: https://kubernetes.default.svc
-  project: portefaix-k3s-homelab
-  source:
-    path: gitops/argocd/charts/security/sbom-operator
-    repoURL: https://github.com/portefaix/portefaix-kubernetes.git
-    targetRevision: master
-    helm:
-      skipCrds: true
-      valueFiles:
-      - values.yaml
-      - values-k3s-homelab.yaml
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=false
-    - SkipDryRunOnMissingResource=true
-    - ApplyOutOfSyncOnly=true
-    - ServerSideApply=true
-    # retry:
-    #   limit: 5
-    #   backoff:
-    #     duration: 5s
-    #     factor: 2
-    #     maxDuration: 3m0s
-  ignoreDifferences:
-  - group: kyverno.io
-    kind: ClusterPolicy
-    jqPathExpressions:
-    - .spec.rules[] | select(.name|test("autogen-."))
diff --git a/gitops/argocd/apps/k3s/homelab/security/tetragon.yaml b/gitops/argocd/apps/k3s/homelab/security/tetragon.yaml
deleted file mode 100644
index 7fa8e8c271..0000000000
--- a/gitops/argocd/apps/k3s/homelab/security/tetragon.yaml
+++ /dev/null
@@ -1,67 +0,0 @@
----
-# Copyright (C) Nicolas Lamirault
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: tetragon
-  annotations:
-    # https://argo-cd.readthedocs.io/en/stable/operator-manual/high_availability/#webhook-and-manifest-paths-annotation
-    argocd.argoproj.io/manifest-generate-paths: /gitops/argocd/charts/security/tetragon
-    notifications.argoproj.io/subscribe.grafana: tetragon
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-  labels:
-    app.kubernetes.io/name: tetragon
-    app.kubernetes.io/instance: tetragon-argocd-app
-    app.kubernetes.io/part-of: tetragon
-spec:
-  destination:
-    namespace: tetragon
-    server: https://kubernetes.default.svc
-  project: portefaix-k3s-homelab
-  source:
-    path: gitops/argocd/charts/security/tetragon
-    repoURL: https://github.com/portefaix/portefaix-kubernetes.git
-    targetRevision: master
-    helm:
-      skipCrds: false
-      valueFiles:
-      - values.yaml
-      - values-k3s-homelab.yaml
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=false
-    - SkipDryRunOnMissingResource=true
-    - ApplyOutOfSyncOnly=true
-    # - ServerSideApply=true
-    # retry:
-    #   limit: 5
-    #   backoff:
-    #     duration: 5s
-    #     factor: 2
-    #     maxDuration: 3m0s
-  ignoreDifferences:
-  - group: kyverno.io
-    kind: ClusterPolicy
-    jqPathExpressions:
-    - .spec.rules[] | select(.name|test("autogen-."))
diff --git a/gitops/argocd/apps/k3s/homelab/security/trivy-operator.yaml b/gitops/argocd/apps/k3s/homelab/security/trivy-operator.yaml
deleted file mode 100644
index 5f119f1063..0000000000
--- a/gitops/argocd/apps/k3s/homelab/security/trivy-operator.yaml
+++ /dev/null
@@ -1,67 +0,0 @@
----
-# Copyright (C) Nicolas Lamirault
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: trivy-operator
-  annotations:
-    # https://argo-cd.readthedocs.io/en/stable/operator-manual/high_availability/#webhook-and-manifest-paths-annotation
-    argocd.argoproj.io/manifest-generate-paths: /gitops/argocd/charts/security/trivy-operator
-    notifications.argoproj.io/subscribe.grafana: trivy-operator
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-  labels:
-    app.kubernetes.io/name: trivy-operator
-    app.kubernetes.io/instance: trivy-operator-argocd-app
-    app.kubernetes.io/part-of: trivy-operator
-spec:
-  destination:
-    namespace: security
-    server: https://kubernetes.default.svc
-  project: portefaix-k3s-homelab
-  source:
-    path: gitops/argocd/charts/security/trivy-operator
-    repoURL: https://github.com/portefaix/portefaix-kubernetes.git
-    targetRevision: master
-    helm:
-      skipCrds: false
-      valueFiles:
-      - values.yaml
-      - values-k3s-homelab.yaml
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=false
-    - SkipDryRunOnMissingResource=true
-    - ApplyOutOfSyncOnly=true
-    - ServerSideApply=true
-    # retry:
-    #   limit: 5
-    #   backoff:
-    #     duration: 5s
-    #     factor: 2
-    #     maxDuration: 3m0s
-  ignoreDifferences:
-  - group: kyverno.io
-    kind: ClusterPolicy
-    jqPathExpressions:
-    - .spec.rules[] | select(.name|test("autogen-."))
diff --git a/gitops/argocd/apps/k3s/homelab/security/vault.yaml b/gitops/argocd/apps/k3s/homelab/security/vault.yaml
deleted file mode 100644
index d88cd035a9..0000000000
--- a/gitops/argocd/apps/k3s/homelab/security/vault.yaml
+++ /dev/null
@@ -1,76 +0,0 @@
----
-# Copyright (C) Nicolas Lamirault
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: vault
-  annotations:
-    # https://argo-cd.readthedocs.io/en/stable/operator-manual/high_availability/#webhook-and-manifest-paths-annotation
-    argocd.argoproj.io/manifest-generate-paths: /gitops/argocd/charts/security/vault
-    notifications.argoproj.io/subscribe.grafana: vault
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-  labels:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: vault-argocd-app
-    app.kubernetes.io/part-of: vault
-spec:
-  destination:
-    namespace: vault
-    server: https://kubernetes.default.svc
-  project: portefaix-k3s-homelab
-  source:
-    path: gitops/argocd/charts/security/vault
-    repoURL: https://github.com/portefaix/portefaix-kubernetes.git
-    targetRevision: master
-    helm:
-      skipCrds: false
-      valueFiles:
-      - values.yaml
-      - values-k3s-homelab.yaml
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=false
-    - SkipDryRunOnMissingResource=true
-    - ApplyOutOfSyncOnly=true
-    # - ServerSideApply=true
-    # retry:
-    #   limit: 5
-    #   backoff:
-    #     duration: 5s
-    #     factor: 2
-    #     maxDuration: 3m0s
-  ignoreDifferences:
-  - group: kyverno.io
-    kind: ClusterPolicy
-    jqPathExpressions:
-    - .spec.rules[] | select(.name|test("autogen-."))
-  ## `caBundle` is injected by cert-manager
-  - group: admissionregistration.k8s.io
-    kind: MutatingWebhookConfiguration
-    jqPathExpressions:
-    - ".webhooks[]?.clientConfig.caBundle"
-  - group: admissionregistration.k8s.io
-    kind: ValidatingWebhookConfiguration
-    jqPathExpressions:
-    - ".webhooks[]?.clientConfig.caBundle"
diff --git a/gitops/argocd/apps/k3s/homelab/security/vulnerability-operator.yaml b/gitops/argocd/apps/k3s/homelab/security/vulnerability-operator.yaml
deleted file mode 100644
index 72c8897fd2..0000000000
--- a/gitops/argocd/apps/k3s/homelab/security/vulnerability-operator.yaml
+++ /dev/null
@@ -1,67 +0,0 @@
----
-# Copyright (C) Nicolas Lamirault
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: vulnerability-operator
-  annotations:
-    # https://argo-cd.readthedocs.io/en/stable/operator-manual/high_availability/#webhook-and-manifest-paths-annotation
-    argocd.argoproj.io/manifest-generate-paths: /gitops/argocd/charts/security/vulnerability-operator
-    notifications.argoproj.io/subscribe.grafana: vulnerability-operator
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-  labels:
-    app.kubernetes.io/name: vulnerability-operator
-    app.kubernetes.io/instance: vulnerability-operator-argocd-app
-    app.kubernetes.io/part-of: vulnerability-operator
-spec:
-  destination:
-    namespace: security
-    server: https://kubernetes.default.svc
-  project: portefaix-k3s-homelab
-  source:
-    path: gitops/argocd/charts/security/vulnerability-operator
-    repoURL: https://github.com/portefaix/portefaix-kubernetes.git
-    targetRevision: master
-    helm:
-      skipCrds: true
-      valueFiles:
-      - values.yaml
-      - values-k3s-homelab.yaml
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=false
-    - SkipDryRunOnMissingResource=true
-    - ApplyOutOfSyncOnly=true
-    - ServerSideApply=true
-    # retry:
-    #   limit: 5
-    #   backoff:
-    #     duration: 5s
-    #     factor: 2
-    #     maxDuration: 3m0s
-  ignoreDifferences:
-  - group: kyverno.io
-    kind: ClusterPolicy
-    jqPathExpressions:
-    - .spec.rules[] | select(.name|test("autogen-."))