replace kyverno with jspolicy
This commit is contained in:
parent
e4bb83854f
commit
38a728f0f9
@ -69,7 +69,7 @@ then https://localhost:8080/
|
|||
### Kubernetes native - K8up
|
||||
|
||||
K8up has a global configuration in `system/apps/k8up.yaml`.
|
||||
To access the storage destination which is only available in the tailnet, a Kyverno policy injects Tailscale into the backup Pods.
|
||||
To access the storage destination which is only available in the tailnet, a Jspolicy policy injects Tailscale into the backup Pods.
|
||||
See `system/k8up`.
|
||||
|
||||
### Host level
|
||||
|
|
|
@ -1,23 +0,0 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: copy-headscale-config-to-webui
|
||||
spec:
|
||||
rules:
|
||||
- name: Clone Headscale Config to WebUI
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Deployment
|
||||
selector:
|
||||
matchLabels:
|
||||
app: headscale-webui
|
||||
generate:
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
name: headscale-etc-copy
|
||||
namespace: headscale-webui
|
||||
synchronize: true
|
||||
clone:
|
||||
namespace: headscale
|
||||
name: headscale-etc
|
|
@ -0,0 +1,34 @@
|
|||
apiVersion: policy.jspolicy.com/v1beta1
|
||||
kind: JsPolicy
|
||||
metadata:
|
||||
name: copy-headscale-config-to-webui.tbrnt.ch
|
||||
spec:
|
||||
operations: ["CREATE"]
|
||||
resources: ["deployments"]
|
||||
scope: Namespaced
|
||||
objectSelector:
|
||||
matchLabels:
|
||||
app: headscale-webui
|
||||
type: Controller
|
||||
javascript: |
|
||||
const configmap = get("ConfigMap", "v1", "headscale/headscale-etc");
|
||||
|
||||
configmap.metadata.namespace = "headscale-webui"
|
||||
configmap.metadata.name = "headscale-etc-copy"
|
||||
delete configmap.metadata.uid
|
||||
delete configmap.metadata.resourceVersion
|
||||
delete configmap.metadata.annotations
|
||||
delete configmap.metadata.labels
|
||||
delete configmap.metadata.creationTimestamp
|
||||
|
||||
const result = create(configmap);
|
||||
if (!result.ok) {
|
||||
// check for a specific error type
|
||||
if (result.reason === "AlreadyExists") {
|
||||
warn(`ConfigMap already exists`);
|
||||
} else {
|
||||
warn(`Error creating ConfigMap (Reason ${result.reason}): ${result.message}`);
|
||||
}
|
||||
} else {
|
||||
print("Created ConfigMap");
|
||||
}
|
|
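Review bot: The copy is now one-shot — `type: Controller` on `operations: ["CREATE"]` of the Deployment creates `headscale-etc-copy` once and only warns on `AlreadyExists`, whereas the removed Kyverno rule had `synchronize: true`, so later edits to `headscale/headscale-etc` (or a redeploy of the webui) no longer refresh the copy and the two namespaces silently drift. If the jsPolicy SDK's `update()` is available in Controller policies, replace the `AlreadyExists` branch with `const upd = update(configmap); if (!upd.ok) { warn(...) }`, and consider a second Controller policy on `configmaps` in `headscale` with `operations: ["CREATE", "UPDATE"]` so changes propagate without waiting for a Deployment event. `get()` returns null when the source ConfigMap is missing, and `configmap.metadata.namespace = ...` would then throw inside the controller; wrap the rest of the script in `if (configmap) { … } else { warn("source ConfigMap headscale/headscale-etc not found"); }`.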
@ -0,0 +1,8 @@
|
|||
apiVersion: k8up.io/v1
|
||||
kind: Backup
|
||||
metadata:
|
||||
name: manual-backup
|
||||
namespace: owntracks
|
||||
spec:
|
||||
keepJobs: 1
|
||||
resources: {}
|
|
@ -1,34 +0,0 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: kyverno
|
||||
namespace: argocd
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
source:
|
||||
chart: kyverno
|
||||
repoURL: https://kyverno.github.io/kyverno/
|
||||
targetRevision: 3.0.5
|
||||
helm:
|
||||
values: |
|
||||
config:
|
||||
features:
|
||||
admissionReports:
|
||||
enabled: false
|
||||
aggregateReports:
|
||||
enabled: false
|
||||
policyReports:
|
||||
enabled: false
|
||||
backgroundScan:
|
||||
enabled: false
|
||||
admissionController:
|
||||
replicas: 1
|
||||
destination:
|
||||
namespace: kyverno
|
||||
server: https://kubernetes.default.svc
|
||||
project: system
|
||||
syncPolicy:
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ServerSideApply=true
|
|
@ -0,0 +1,40 @@
|
|||
apiVersion: policy.jspolicy.com/v1beta1
|
||||
kind: JsPolicy
|
||||
metadata:
|
||||
name: copy-tailscale-auth-secret.tbrnt.ch
|
||||
spec:
|
||||
operations: ["CREATE"]
|
||||
resources: ["pods"]
|
||||
scope: Namespaced
|
||||
objectSelector:
|
||||
matchLabels:
|
||||
k8upjob: "true"
|
||||
type: Controller
|
||||
javascript: |
|
||||
const authsecret = get("Secret", "v1", "k8up/tailscale-auth-backup");
|
||||
|
||||
authsecret.metadata.namespace = request.namespace
|
||||
delete authsecret.metadata.uid
|
||||
delete authsecret.metadata.resourceVersion
|
||||
delete authsecret.metadata.annotations
|
||||
delete authsecret.metadata.labels
|
||||
delete authsecret.metadata.creationTimestamp
|
||||
|
||||
authsecret.metadata.ownerReferences = [{
|
||||
apiVersion: "v1",
|
||||
kind: "Pod",
|
||||
name: request.name,
|
||||
uid: request.object.metadata.uid
|
||||
}]
|
||||
|
||||
const result = create(authsecret);
|
||||
if (!result.ok) {
|
||||
// check for a specific error type
|
||||
if (result.reason === "AlreadyExists") {
|
||||
warn(`Tailscale secret already exists`);
|
||||
} else {
|
||||
warn(`Error creating Secret (Reason ${result.reason}): ${result.message}`);
|
||||
}
|
||||
} else {
|
||||
print("Created Tailscale secret", result.object);
|
||||
}
|
|
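Review bot: Any principal that can create a Pod labelled `k8upjob: "true"` in any namespace gets a copy of `k8up/tailscale-auth-backup` written into that namespace, because the policy has `scope: Namespaced` with only an `objectSelector` and no `namespaceSelector`, and `authsecret.metadata.namespace = request.namespace` follows the triggering object — this turns the headscale auth key into something readable by every namespace-scoped pod creator. The removed Kyverno rule had the same shape (`namespace: "{{request.object.metadata.namespace}}"`), so the commit inherits rather than introduces it, but it is worth closing now: add a `namespaceSelector` limiting the policy to the namespaces K8up actually backs up, or check `request.namespace` against an allow-list in the script before calling `create()`. `get()` returns null if the source Secret is absent and `authsecret.metadata.namespace = …` would then throw; guard it with `if (!authsecret) { warn("k8up/tailscale-auth-backup not found") }` before touching `.metadata`. Because the copy keeps the fixed name `tailscale-auth-backup` and a single `ownerReferences` entry, a second backup Pod in the same namespace hits `AlreadyExists` and relies on a Secret that is garbage-collected together with the first Pod — presumably harmless once its sidecar has started, but a Pod still pending at that moment would fail with a missing secret; consider appending the new Pod's owner reference in that branch.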
@ -0,0 +1,61 @@
|
|||
apiVersion: policy.jspolicy.com/v1beta1
|
||||
kind: JsPolicy
|
||||
metadata:
|
||||
name: inject-tailscale-sidecar.tbrnt.ch
|
||||
spec:
|
||||
type: Mutating
|
||||
operations: ["CREATE"]
|
||||
resources: ["pods"]
|
||||
scope: Namespaced
|
||||
objectSelector:
|
||||
matchLabels:
|
||||
k8upjob: "true"
|
||||
javascript: |
|
||||
let script = String.raw`
|
||||
export PATH=$PATH:/tailscale/bin
|
||||
set -e
|
||||
|
||||
if [[ ! -d /dev/net ]]; then
|
||||
mkdir -p /dev/net
|
||||
fi
|
||||
if [[ ! -c /dev/net/tun ]]; then
|
||||
mknod /dev/net/tun c 10 200
|
||||
fi
|
||||
|
||||
echo "Starting tailscaled in background"
|
||||
tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp &
|
||||
TS_PID=$!
|
||||
|
||||
echo "Running tailscale up"
|
||||
tailscale --socket=/tmp/tailscaled.sock up --authkey=\${TS_AUTH_KEY} --accept-dns=false --login-server https://headscale.tbrnt.ch
|
||||
|
||||
echo "Waiting for K8up to exit"
|
||||
while pidof k8up > /dev/null; do sleep 1; done
|
||||
|
||||
echo "K8up ended - stopping tailscale"
|
||||
kill -s SIGINT \$TS_PID
|
||||
wait \${TS_PID}
|
||||
`
|
||||
|
||||
request.object.spec.shareProcessNamespace = true
|
||||
request.object.spec.containers.push({
|
||||
name: "ts-sidecar",
|
||||
imagePullPolicy: "IfNotPresent",
|
||||
image: "ghcr.io/tailscale/tailscale:v1.48.2",
|
||||
command: ["/bin/sh", "-c", script],
|
||||
env: [{
|
||||
name: "TS_AUTH_KEY",
|
||||
valueFrom: {
|
||||
secretKeyRef: {
|
||||
name: "tailscale-auth-backup",
|
||||
key: "TS_AUTH_KEY"
|
||||
}
|
||||
}
|
||||
}],
|
||||
securityContext: {
|
||||
capabilities: {
|
||||
add: [ "NET_ADMIN" ]
|
||||
}
|
||||
}
|
||||
});
|
||||
mutate(request.object);
|
|
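Review bot: As far as I can tell the auth key never reaches tailscale: the script is built with `String.raw`, which keeps the backslash in `\${TS_AUTH_KEY}` (and in `\$TS_PID` / `\${TS_PID}`), and `/bin/sh -c` then reads `\$` as a literal dollar sign, so `tailscale up` receives the text `${TS_AUTH_KEY}` as its key and, under `set -e`, the sidecar exits with an error — the Kyverno YAML this replaces had no such escaping. Dropping `String.raw` on the `let script =` line (a plain template literal, ideally `const`) fixes it, since a normal template turns `\${` into `${` for the shell while still suppressing JavaScript interpolation, and the unescaped `$PATH` / `$!` are unaffected either way. The image is also pinned to `ghcr.io/tailscale/tailscale:v1.48.2` while the removed policy ran `v1.50.0`, so this is a silent downgrade; pin the newer tag unless the rollback is intentional. With `shareProcessNamespace: true` the key is briefly visible in the `tailscale up` process's `/proc/<pid>/cmdline` from the backup container as well; if the CLI version supports it, passing the key via a file or environment variable rather than `--authkey=` on argv would avoid that.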
@ -1,23 +0,0 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: copy-tailscale-auth-for-backup
|
||||
spec:
|
||||
rules:
|
||||
- name: Clone tailscale Auth Secret
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
selector:
|
||||
matchLabels:
|
||||
k8upjob: "true"
|
||||
generate:
|
||||
kind: Secret
|
||||
apiVersion: v1
|
||||
name: tailscale-auth-backup
|
||||
namespace: "{{request.object.metadata.namespace}}"
|
||||
synchronize: true
|
||||
clone:
|
||||
namespace: k8up
|
||||
name: tailscale-auth-backup
|
|
@ -1,59 +0,0 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: inject-tailscale
|
||||
spec:
|
||||
rules:
|
||||
- name: inject-tailscale
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
selector:
|
||||
matchLabels:
|
||||
k8upjob: "true"
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
spec:
|
||||
shareProcessNamespace: true
|
||||
containers:
|
||||
- name: ts-sidecar
|
||||
imagePullPolicy: IfNotPresent
|
||||
image: ghcr.io/tailscale/tailscale:v1.50.0
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- |
|
||||
export PATH=$PATH:/tailscale/bin
|
||||
set -e
|
||||
|
||||
if [[ ! -d /dev/net ]]; then
|
||||
mkdir -p /dev/net
|
||||
fi
|
||||
if [[ ! -c /dev/net/tun ]]; then
|
||||
mknod /dev/net/tun c 10 200
|
||||
fi
|
||||
|
||||
echo "Starting tailscaled in background"
|
||||
tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp &
|
||||
TS_PID=$!
|
||||
|
||||
echo "Running tailscale up"
|
||||
tailscale --socket=/tmp/tailscaled.sock up --authkey=${TS_AUTH_KEY} --accept-dns=false --login-server https://headscale.tbrnt.ch
|
||||
|
||||
echo "Waiting for K8up to exit"
|
||||
while pidof k8up > /dev/null; do sleep 1; done
|
||||
|
||||
echo "K8up ended - stopping tailscale"
|
||||
kill -s SIGINT $TS_PID
|
||||
wait ${TS_PID}
|
||||
env:
|
||||
- name: TS_AUTH_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: tailscale-auth-backup
|
||||
key: TS_AUTH_KEY
|
||||
securityContext:
|
||||
capabilities:
|
||||
add:
|
||||
- NET_ADMIN
|