diff --git a/.gitlab/lint/lint-common.yml b/.gitlab/lint/lint-common.yml index ec548b3c..f956a76b 100644 --- a/.gitlab/lint/lint-common.yml +++ b/.gitlab/lint/lint-common.yml @@ -1,11 +1,11 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0 --- variables: - OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.2.0\ - @sha256:b36b1fc8a19605306dffef2c919c2a6bf5a3099e8a42ecb39a416394410b75d7" - OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.1\ - @sha256:5b1bd85cc73ba0cede1f37d79fa7eeebffa653afa7944406eea9287c29a7769a" + OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.3.1\ + @sha256:7bd1c03b1e443000d7016e37b7a085c400ee1873ad5a62c2e3181ea307b5133d" + OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.3\ + @sha256:096e649b985dd8e46e9dadff5f7e9c7a8772bf5a1b3df1bb2b4a887716c2ca85" .lint-common: cache: {} diff --git a/.gitlab/lint/lint-kyverno.yml b/.gitlab/lint/lint-kyverno.yml index 6e536f36..f89aa6b9 100644 --- a/.gitlab/lint/lint-kyverno.yml +++ b/.gitlab/lint/lint-kyverno.yml @@ -1,4 +1,4 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0 --- include: 
@@ -27,7 +27,7 @@ lint-kyverno:
 script:
 - "cd ${CI_PROJECT_DIR}/helmfile/apps/${APP}"
 - "helmfile template -e test --include-needs > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
- - "node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests -d ${CI_PROJECT_DIR}/.kyverno -t required ${APP}"
+ - "node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests -d ${CI_PROJECT_DIR}/.kyverno -t required -s manifest -f opendesk.yaml --skip-tests true ${APP}"
 - "node /app/opendesk-ci-cli/src/index.js filter-for-kinds -f ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
 - "cd ${CI_PROJECT_DIR}/.kyverno"
 - "kyverno test ."
diff --git a/.kyverno/_apps.yaml b/.kyverno/_apps.yaml
deleted file mode 100644
index ca52c764..00000000
--- a/.kyverno/_apps.yaml
+++ /dev/null
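Review bot: The new `--skip-tests true` argument on the generate-kyverno-tests step is unexplained, and in a job whose purpose is generating and running Kyverno tests a reader cannot tell what is being skipped; add a comment above the step such as `# --skip-tests: <what the CLI skips; see opendesk-ci-cli generate-kyverno-tests>`. With `-s manifest -f opendesk.yaml` the test set is presumably now derived from the rendered helmfile output instead of the static `.kyverno/_apps.yaml` deleted in this commit, so a resource that silently stops rendering also silently drops out of the policy tests; consider asserting the number of generated tests (or comparing the generated kinds against an expected list) so a coverage regression fails the job rather than passing with fewer checks. The lint-kyverno job definition starts outside the hunk.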
@@ -1,279 +0,0 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -# SPDX-License-Identifier: Apache-2.0 ---- -pod: - - resource: "mariadb" - kind: "StatefulSet" - app: "services" - - resource: "postgresql" - kind: "StatefulSet" - app: "services" - - resource: "clamav-simple" - kind: "StatefulSet" - app: "services" - - resource: "redis-master" - kind: "StatefulSet" - app: "services" - - resource: "ums-store-dav" - kind: "StatefulSet" - app: "univention-management-stack" - - resource: "ums-ldap-server" - kind: "StatefulSet" - app: "univention-management-stack" - - resource: "ums-ldap-notifier" - kind: "StatefulSet" - app: "univention-management-stack" - - resource: "ums-portal-listener" - kind: "StatefulSet" - app: "univention-management-stack" - - resource: "ums-selfservice-listener" - kind: "StatefulSet" - app: "univention-management-stack" - - resource: "ums-provisioning-nats" - kind: "StatefulSet" - app: "univention-management-stack" - - resource: "ums-guardian-management-api" - kind: "StatefulSet" - app: "univention-management-stack" - - resource: "ums-guardian-management-ui" - kind: "StatefulSet" - app: "univention-management-stack" - - resource: "ums-guardian-authorization-api" - kind: "StatefulSet" - app: "univention-management-stack" - - resource: "ums-open-policy-agent" - kind: "StatefulSet" - app: "univention-management-stack" - - resource: "open-xchange-core-mw-default" - kind: "StatefulSet" - app: "open-xchange" - - resource: "jitsi-prosody" - kind: "StatefulSet" - app: "jitsi" - - resource: "opendesk-synapse" - kind: "StatefulSet" - app: "element" - - resource: "xwiki" - kind: "StatefulSet" - app: "xwiki" - - resource: "ox-connector" - kind: "StatefulSet" - app: "provisioning" - - resource: "minio" - kind: "Deployment" - app: "services" - - resource: "cryptpad" - kind: "Deployment" - app: "cryptpad" - - resource: "memcached" - kind: "Deployment" - app: "services" - - resource: 
"postfix" - kind: "Deployment" - app: "services" - - resource: "ums-keycloak" - kind: "Deployment" - app: "univention-management-stack" - - resource: "ums-stack-gateway" - kind: "Deployment" - app: "univention-management-stack" - - resource: "ums-udm-rest-api" - kind: "Deployment" - app: "univention-management-stack" - - resource: "ums-portal-server" - kind: "Deployment" - app: "univention-management-stack" - - resource: "ums-notifications-api" - kind: "Deployment" - app: "univention-management-stack" - - resource: "ums-portal-frontend" - kind: "Deployment" - app: "univention-management-stack" - - resource: "ums-umc-gateway" - kind: "Deployment" - app: "univention-management-stack" - - resource: "ums-umc-server" - kind: "Deployment" - app: "univention-management-stack" - - resource: "ums-provisioning-nats-box" - kind: "Deployment" - app: "univention-management-stack" - - resource: "ums-keycloak-extensions-handler" - kind: "Deployment" - app: "univention-management-stack" - - resource: "ums-keycloak-extensions-proxy" - kind: "Deployment" - app: "univention-management-stack" - - resource: "intercom-service" - kind: "Deployment" - app: "intercom-service" - - resource: "dovecot" - kind: "Deployment" - app: "open-xchange" - - resource: "open-xchange-core-documentconverter" - kind: "Deployment" - app: "open-xchange" - - resource: "open-xchange-core-guidedtours" - kind: "Deployment" - app: "open-xchange" - - resource: "open-xchange-core-imageconverter" - kind: "Deployment" - app: "open-xchange" - - resource: "open-xchange-gotenberg" - kind: "Deployment" - app: "open-xchange" - - resource: "open-xchange-core-ui-middleware" - kind: "Deployment" - app: "open-xchange" - - resource: "open-xchange-core-ui-middleware-updater" - kind: "Deployment" - app: "open-xchange" - - resource: "open-xchange-core-ui" - kind: "Deployment" - app: "open-xchange" - - resource: "open-xchange-core-user-guide" - kind: "Deployment" - app: "open-xchange" - - resource: "open-xchange-guard-ui" - kind: 
"Deployment" - app: "open-xchange" - - resource: "open-xchange-nextcloud-integration-ui" - kind: "Deployment" - app: "open-xchange" - - resource: "open-xchange-public-sector-ui" - kind: "Deployment" - app: "open-xchange" - - resource: "opendesk-nextcloud-apache2" - kind: "Deployment" - app: "nextcloud" - - resource: "opendesk-nextcloud-exporter" - kind: "Deployment" - app: "nextcloud" - - resource: "opendesk-nextcloud-php" - kind: "Deployment" - app: "nextcloud" - - resource: "collabora" - kind: "Deployment" - app: "collabora" - - resource: "jitsi-jibri" - kind: "Deployment" - app: "jitsi" - - resource: "jitsi-jicofo" - kind: "Deployment" - app: "jitsi" - - resource: "jitsi-jvb" - kind: "Deployment" - app: "jitsi" - - resource: "jitsi-web" - kind: "Deployment" - app: "jitsi" - - resource: "jitsi-opendesk-jitsi-keycloak-adapter" - kind: "Deployment" - app: "jitsi" - - resource: "opendesk-element" - kind: "Deployment" - app: "element" - - resource: "opendesk-well-known" - kind: "Deployment" - app: "element" - - resource: "opendesk-synapse-web" - kind: "Deployment" - app: "element" - - resource: "opendesk-matrix-user-verification-service" - kind: "Deployment" - app: "element" - - resource: "matrix-neoboard-widget" - kind: "Deployment" - app: "element" - - resource: "matrix-neochoice-widget" - kind: "Deployment" - app: "element" - - resource: "matrix-neodatefix-widget" - kind: "Deployment" - app: "element" - - resource: "matrix-neodatefix-bot" - kind: "Deployment" - app: "element" - - resource: "openproject-web" - kind: "Deployment" - app: "openproject" - - resource: "openproject-worker" - kind: "Deployment" - app: "openproject" - - resource: "mariadb-bootstrap" - kind: "Job" - app: "services" - - resource: "postgresql-bootstrap" - kind: "Job" - app: "services" - - resource: "minio-provisioning" - kind: "Job" - app: "services" - - resource: "ums-stack-data-ums-1" - kind: "Job" - app: "univention-management-stack" - - resource: "ums-stack-data-swp-1" - kind: "Job" - 
app: "univention-management-stack" - - resource: "ums-keycloak-bootstrap-bootstrap-1" - kind: "Job" - app: "univention-management-stack" - - resource: "opendesk-keycloak-bootstrap-bootstrap-1" - kind: "Job" - app: "univention-management-stack" - - resource: "opendesk-open-xchange-bootstrap" - kind: "Job" - app: "open-xchange" - - resource: "opendesk-nextcloud-management-1" - kind: "Job" - app: "nextcloud" - - resource: "jitsi-opendesk-jitsi" - kind: "Job" - app: "jitsi" - - resource: "opendesk-matrix-user-verification-service-bootstrap" - kind: "Job" - app: "element" - - resource: "matrix-neodatefix-bot-bootstrap" - kind: "Job" - app: "element" - - resource: "opendesk-openproject-bootstrap-bootstrap-1" - kind: "Job" - app: "openproject-bootstrap" -# # Has timestamp in resource name - not supported yet. -# - resource: "openproject-seeder-*" -# kind: "Job" -# - resource: "ums-store-dav-test-connection" -# kind: "Pod" -# - resource: "ums-udm-rest-api-test-connection" -# kind: "Pod" -# - resource: "ums-portal-server-test-connection" -# kind: "Pod" -# - resource: "ums-notifications-api-test-connection" -# kind: "Pod" -# - resource: "ums-portal-frontend-test-connection" -# kind: "Pod" -# - resource: "ums-provisioning-nats-test-request-reply" -# kind: "Pod" -# - resource: "ums-provisioning-provisioning-api-test-connection" -# kind: "Pod" -# - resource: "open-xchange-core-guidedtours-test-connection" -# kind: "Pod" -# - resource: "open-xchange-gotenberg-test-connection" -# kind: "Pod" -# - resource: "open-xchange-core-ui-test-connection" -# kind: "Pod" -# - resource: "open-xchange-core-user-guide-test-connection" -# kind: "Pod" -# - resource: "open-xchange-guard-ui-test-connection" -# kind: "Pod" -# - resource: "open-xchange-nextcloud-integration-ui-test-connection" -# kind: "Pod" -# - resource: "open-xchange-public-sector-ui-test-connection" -# kind: "Pod" -# - resource: "jitsi-prosody-test-connection" -# kind: "Pod" -# - resource: "jitsi-web-test-connection" -# kind: 
"Pod" -# - resource: "openproject-test-connection" -# kind: "Pod" -... diff --git a/.kyverno/policies/_policies.yaml b/.kyverno/policies/_policies.yaml index 32bd10c4..2eda2bae 100644 --- a/.kyverno/policies/_policies.yaml +++ b/.kyverno/policies/_policies.yaml 
@@ -5,51 +5,164 @@ pod: - name: "require-tag-and-digest" rule: "require-tag-and-digest" type: "required" + kinds: + - "StatefulSet" + - "Deployment" + - "Job" + - "Pod" + - "DaemonSet" - name: "disallow-default-serviceaccount" rule: "require-sa" type: "required" + kinds: + - "StatefulSet" + - "Deployment" + - "Job" + - "Pod" + - "DaemonSet" - name: "require-imagepullsecrets" rule: "require-imagepullsecrets" type: "required" + kinds: + - "StatefulSet" + - "Deployment" + - "Job" + - "Pod" + - "DaemonSet" - name: "disallow-latest-tag" rule: "validate-image-tag" type: "required" + kinds: + - "StatefulSet" + - "Deployment" + - "Job" + - "Pod" + - "DaemonSet" - name: "require-imagepullpolicy-always" rule: "require-imagepullpolicy-always" type: "required" + kinds: + - "StatefulSet" + - "Deployment" + - "Job" + - "Pod" + - "DaemonSet" - name: "require-health-and-liveness-check" rule: "require-health-and-liveness-check" type: "required" - excludeKinds: - - "Job" + kinds: + - "StatefulSet" + - "Deployment" + - "Pod" + - "DaemonSet" + - name: "require-storage" + rule: "require-storageclass-pvc" + type: "required" + kinds: + - "PersistentVolumeClaim" + - name: "require-storage" + rule: "require-storageclass-pod" + type: "required" + kinds: + - "StatefulSet" + - name: "require-storage" + rule: "require-storage-size-pvc" + type: "required" + kinds: + - "PersistentVolumeClaim" + - name: "require-storage" + rule: "require-storage-size-pod" + type: "required" + kinds: + - "StatefulSet" - name: "require-requests-limits" rule: "validate-resources" type: "required" + kinds: + - "StatefulSet" + - "Deployment" + - "Job" + - "Pod" + - "DaemonSet" - name: "restrict-image-registries" rule: "validate-registries" type: "required" + kinds: + - "StatefulSet" + - "Deployment" + - "Job" + - "Pod" + - "DaemonSet" - name: "require-containersecuritycontext" rule: "require-ro-rootfs" type: "optional" + kinds: + - "StatefulSet" + - "Deployment" + - "Job" + - "Pod" + - "DaemonSet" - name: 
"require-containersecuritycontext" rule: "require-no-privilege-escalation" type: "optional" + kinds: + - "StatefulSet" + - "Deployment" + - "Job" + - "Pod" + - "DaemonSet" - name: "require-containersecuritycontext" rule: "require-all-capabilities-dropped" type: "optional" + kinds: + - "StatefulSet" + - "Deployment" + - "Job" + - "Pod" + - "DaemonSet" - name: "require-containersecuritycontext" rule: "require-no-privileged" type: "optional" + kinds: + - "StatefulSet" + - "Deployment" + - "Job" + - "Pod" + - "DaemonSet" - name: "require-containersecuritycontext" rule: "require-run-as-user" type: "optional" + kinds: + - "StatefulSet" + - "Deployment" + - "Job" + - "Pod" + - "DaemonSet" - name: "require-containersecuritycontext" rule: "require-run-as-group" type: "optional" + kinds: + - "StatefulSet" + - "Deployment" + - "Job" + - "Pod" + - "DaemonSet" - name: "require-containersecuritycontext" rule: "require-seccomp-profile" type: "required" + kinds: + - "StatefulSet" + - "Deployment" + - "Job" + - "Pod" + - "DaemonSet" - name: "require-containersecuritycontext" rule: "require-run-as-non-root" type: "optional" + kinds: + - "StatefulSet" + - "Deployment" + - "Job" + - "Pod" + - "DaemonSet" ... diff --git a/.kyverno/policies/require-storage.yaml b/.kyverno/policies/require-storage.yaml new file mode 100644 index 00000000..8ed332b0 --- /dev/null +++ b/.kyverno/policies/require-storage.yaml 
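Review bot: Every pod-level entry now lists exactly `StatefulSet`, `Deployment`, `Job`, `Pod` and `DaemonSet`, so a `CronJob` (or any other kind carrying a pod template) rendered by a chart would get no test generated for any of these rules, including the security-context ones; if that is deliberate, say so in a comment at the top of the `pod:` list, e.g. `# kinds: workload kinds tests are generated for; CronJob intentionally absent`, otherwise add it. The same five-item list is repeated fifteen times (plus the four-item variant for require-health-and-liveness-check), so the next kind added will likely be missed in some entries; a comment naming the canonical list, or a generator-side default for the common case, would keep them consistent. The four `require-storage` entries that target `PersistentVolumeClaim` sit under the `pod:` key; if the generator treats that key as pod-template kinds only, verify those entries are actually picked up. The `pod:` list starts outside the hunk.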
@@ -0,0 +1,61 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+ name: "require-storage"
+spec:
+ background: true
+ rules:
+ - match:
+ resources:
+ kinds:
+ - "StatefulSet"
+ name: "require-storageclass-pod"
+ validate:
+ message: "VolumeClaims inside pods need to have storageClass set when templated."
+ pattern:
+ spec:
+ (volumeClaimTemplates):
+ - spec:
+ storageClassName: "kyverno-test"
+ - match:
+ resources:
+ kinds:
+ - "PersistentVolumeClaim"
+ name: "require-storageclass-pvc"
+ validate:
+ message: "Persistent Volume Claim need to have storageClassName set when templated."
+ pattern:
+ spec:
+ storageClassName: "kyverno-test"
+
+ - match:
+ resources:
+ kinds:
+ - "StatefulSet"
+ name: "require-storage-size-pod"
+ validate:
+ message: "VolumeClaims inside pods need to have storageClass set when templated."
+ pattern:
+ spec:
+ (volumeClaimTemplates):
+ - spec:
+ resources:
+ requests:
+ storage: "42Gi"
+ - match:
+ resources:
+ kinds:
+ - "PersistentVolumeClaim"
+ name: "require-storage-size-pvc"
+ validate:
+ message: "Persistent Volume Claim need to have storageClassName set when templated."
+ pattern:
+ spec:
+ resources:
+ requests:
+ storage: "42Gi"
+ validationFailureAction: "audit"
+...
diff --git a/helmfile/apps/services/values-postfix.yaml.gotmpl b/helmfile/apps/services/values-postfix.yaml.gotmpl
index 266bb520..5fe458e0 100644
--- a/helmfile/apps/services/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/services/values-postfix.yaml.gotmpl
@@ -27,7 +27,7 @@ image:
 persistence:
 size: {{ .Values.persistence.size.postfix | quote }}
- storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote}}
+ storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 podSecurityContext:
 enabled: true
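Review bot: The `message` of `require-storage-size-pod` and `require-storage-size-pvc` is copied from the storage-class rules and says "storageClass set" although their patterns check `resources.requests.storage`, so a failing size test reports the wrong cause; change them to `message: "VolumeClaims inside pods need to have a storage size requested when templated."` and `message: "Persistent Volume Claims need to have a storage size requested when templated."` (the pvc storage-class message should likewise read "Claims need", not "Claim need"). The patterns match the literal values `"kyverno-test"` and `"42Gi"` rather than any non-empty value, which is presumably intended: they are the sentinel values of the test environment, so a match proves the helmfile value reached the chart instead of a chart default. That intent is invisible in the policy; add a comment above `rules:` stating that the literals are sentinels that must match helmfile/environments/test/values.yaml.gotmpl and that the policy is meant for `kyverno test` only, since with `background: true` on a live cluster it would report every claim whose class or size is not the sentinel.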
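Review bot: The rename `storageClassName` → `storageClass` in values-postfix (and likewise the `data`/`shared` → `sharedData`/`sharedRun` and nested `data:` changes in values-ldap-server and values-store-dav later in this diff) suggests the previous keys were not consumed by the charts, so the environment's storage class never reached those releases; Helm ignores unknown values keys silently, which is presumably what the new require-storage policy is meant to catch from now on. Since these renames track a change in each chart's values API, verify that the matching chart version bumps are part of the same change — they are not in the visible hunks — otherwise the old chart ignores the new keys exactly as it ignored the old ones. The enclosing `persistence:` block continues outside the hunk.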
diff --git a/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl
index 0e2b9b8c..d51c3ecd 100644
--- a/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl
@@ -45,11 +45,11 @@ ldapServer:
 ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
 persistence:
- data:
- storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
+ sharedData:
+ storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
- shared:
- storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
+ sharedRun:
+ storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 size: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
 securityContext:
diff --git a/helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl
index dc3c7029..9518f339 100644
--- a/helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl
@@ -22,8 +22,9 @@ image:
 {{- end }}
 persistence:
- storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
- size: {{ .Values.persistence.size.univentionManagementStack.storeDav | quote }}
+ data:
+ storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+ size: {{ .Values.persistence.size.univentionManagementStack.storeDav | quote }}
 resources: {{ .Values.resources.umsStoreDav | toYaml | nindent 2 }}
diff --git a/helmfile/environments/test/values.yaml.gotmpl b/helmfile/environments/test/values.yaml.gotmpl
index 8275fec8..d80aabc0 100644
--- a/helmfile/environments/test/values.yaml.gotmpl
+++ b/helmfile/environments/test/values.yaml.gotmpl
@@ -5,4 +5,26 @@ SPDX-License-Identifier: Apache-2.0
 ---
 global:
 imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
+persistence:
+ storageClassNames:
+ RWX: "kyverno-test"
+ RWO: "kyverno-test"
+ size:
+ clamav: "42Gi"
+ dovecot: "42Gi"
+ mariadb: "42Gi"
+ matrixNeoDateFixBot: "42Gi"
+ minio: "42Gi"
+ postfix: "42Gi"
+ postgresql: "42Gi"
+ prosody: "42Gi"
+ redis: "42Gi"
+ synapse: "42Gi"
+ univentionManagementStack:
+ ldapServerData: "42Gi"
+ ldapServerShared: "42Gi"
+ portalListener: "42Gi"
+ selfserviceListener: "42Gi"
+ storeDav: "42Gi"
+ xwiki: "42Gi"
 ...
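Review bot: `"kyverno-test"` and `"42Gi"` are sentinel values that the patterns in the new `.kyverno/policies/require-storage.yaml` match literally, yet nothing here says so, and an innocent edit on either side makes the storage tests fail or pass for the wrong reason; add a comment above `persistence:` such as `# Sentinel values: must match the patterns in .kyverno/policies/require-storage.yaml (checked by lint-kyverno)`. The same comment should state that no storage class named `kyverno-test` is expected to exist, so these values are only for `helmfile template -e test` and never for a real deployment. Any app whose size key is missing from this map falls back to whatever its values file or chart provides, so this list needs to be kept in step with the `.Values.persistence.size` consumers under helmfile/apps.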