diff --git a/.woodpecker/predeploy.yml b/.woodpecker/predeploy.yml index 34786fe..2f0ce6d 100644 --- a/.woodpecker/predeploy.yml +++ b/.woodpecker/predeploy.yml @@ -33,7 +33,6 @@ steps: --namespace=$NAMESPACE --dry-run=client -o yaml | kubectl apply -f - - kubectl apply -f deployment/configmap.yaml -n $NAMESPACE - - kubectl apply -f deployment/mtls-config.yaml # NO NAMESPACE HERE when: event: [tag] diff --git a/deployment/api-deployment.yaml b/deployment/api-deployment.yaml index 1536303..8c95d87 100644 --- a/deployment/api-deployment.yaml +++ b/deployment/api-deployment.yaml @@ -100,28 +100,3 @@ spec: targetPort: 8001 name: http type: ClusterIP ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: api-ingress - annotations: - cert-manager.io/cluster-issuer: letsencrypt-production-http - traefik.ingress.kubernetes.io/router.middlewares: default-mtls-auth@kubernetescrd,default-security-headers@kubernetescrd - traefik.ingress.kubernetes.io/router.tls.options: default-homea2-mtls@kubernetescrd -spec: - tls: - - hosts: - - homea2-api.hottis.de - secretName: homea2-api-cert - rules: - - host: homea2-api.hottis.de - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: api - port: - number: 80 \ No newline at end of file diff --git a/deployment/api-deployment.yaml.bak b/deployment/api-deployment.yaml.bak deleted file mode 100644 index c1a67c5..0000000 --- a/deployment/api-deployment.yaml.bak +++ /dev/null 
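Review bot: Dropping the `kubectl apply -f deployment/mtls-config.yaml` step and deleting the Ingress manifests removes nothing from the cluster, because `kubectl apply -f` without `--prune` leaves objects that are no longer in the manifests untouched; `api-ingress`, `ui-ingress`, the `homea2-mtls` TLSOption and the `mtls-auth`/`security-headers` Middlewares in `default` keep serving the two hostnames until something deletes them, and this commit adds no such step. If the intent is to take the API and UI off their public hostnames, add a one-off cleanup here, e.g. `- kubectl delete ingress api-ingress ui-ingress -n $NAMESPACE --ignore-not-found` and `- kubectl delete tlsoption/homea2-mtls middleware/mtls-auth middleware/security-headers -n default --ignore-not-found` (the Ingress manifests set no namespace, so confirm which one they were applied to). If the ingress is instead being re-created elsewhere with a different TLS setup, that replacement is not in this commit, and the client-certificate requirement and the HSTS/CSP response headers are dropped without a visible substitute. The `steps:` entry this hunk edits starts before the hunk. The same observation applies to the hunks in deployment/api-deployment.yaml and deployment/ui-deployment.yaml.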
@@ -1,130 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: api
- namespace: homea2
- labels:
- app: api
- component: home-automation
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: api
- template:
- metadata:
- annotations:
- reloader.stakater.com/auto: "true"
- configmap.reloader.stakater.com/reload: "home-automation-environment,home-automation-config"
- labels:
- app: api
- component: home-automation
- spec:
- containers:
- - name: api
- image: %IMAGE%
- ports:
- - containerPort: 8001
- name: http
- env:
- - name: MQTT_BROKER
- valueFrom:
- configMapKeyRef:
- name: home-automation-environment
- key: SHARED_MQTT_BROKER
- - name: MQTT_PORT
- valueFrom:
- configMapKeyRef:
- name: home-automation-environment
- key: SHARED_MQTT_PORT
- - name: REDIS_HOST
- valueFrom:
- configMapKeyRef:
- name: home-automation-environment
- key: SHARED_REDIS_HOST
- - name: REDIS_PORT
- valueFrom:
- configMapKeyRef:
- name: home-automation-environment
- key: SHARED_REDIS_PORT
- - name: REDIS_DB
- valueFrom:
- configMapKeyRef:
- name: home-automation-environment
- key: SHARED_REDIS_DB
- - name: REDIS_CHANNEL
- valueFrom:
- configMapKeyRef:
- name: home-automation-environment
- key: API_REDIS_CHANNEL
- volumeMounts:
- - name: config-volume
- mountPath: /app/config
- readOnly: true
- livenessProbe:
- httpGet:
- path: /health
- port: 8001
- initialDelaySeconds: 30
- periodSeconds: 10
- readinessProbe:
- httpGet:
- path: /health
- port: 8001
- initialDelaySeconds: 5
- periodSeconds: 5
- resources:
- limits:
- cpu: 1000m
- memory: 1Gi
- requests:
- cpu: 200m
- memory: 256Mi
- volumes:
- - name: config-volume
- configMap:
- name: home-automation-config
----
-apiVersion: v1
-kind: Service
-metadata:
- name: api
- labels:
- app: api
- component: home-automation
-spec:
- selector:
- app: api
- ports:
- - port: 80
- targetPort: 8001
- name: http
- type: ClusterIP
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: api-ingress
- annotations:
- cert-manager.io/cluster-issuer: letsencrypt-production-http
- traefik.ingress.kubernetes.io/router.middlewares: homea2-mtls-auth@kubernetescrd,homea2-security-headers@kubernetescrd
- traefik.ingress.kubernetes.io/router.tls.options: homea2-homea2-mtls@kubernetescrd
- # Traefik 2 mTLS Configuration
- traefik.ingress.kubernetes.io/router.tls.options: homea2-mtls@kubernetescrd
- traefik.ingress.kubernetes.io/router.middlewares: homea2-mtls-auth@kubernetescrd
-spec:
- tls:
- - hosts:
- - homea2-api.hottis.de
- secretName: homea2-api-cert
- rules:
- - host: homea2-api.hottis.de
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: api
- port:
- number: 80
\ No newline at end of file
diff --git a/deployment/mtls-config.yaml b/deployment/mtls-config.yaml
deleted file mode 100644
index 4193f66..0000000
--- a/deployment/mtls-config.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: TLSOption
-metadata:
- name: homea2-mtls
- namespace: default
-spec:
- clientAuth:
- secretNames:
- - mtls-ca-cert
- clientAuthType: RequireAndVerifyClientCert
- minVersion: "VersionTLS12"
- cipherSuites:
- - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
- - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
- - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
- - "TLS_RSA_WITH_AES_256_GCM_SHA384"
- - "TLS_RSA_WITH_AES_128_GCM_SHA256"
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
- name: mtls-auth
- namespace: default
-spec:
- headers:
- customRequestHeaders:
- X-Client-Cert: ""
- customResponseHeaders:
- X-mTLS-Verified: "true"
- # Optional: Add IP whitelist for additional security
- # ipWhiteList:
- # sourceRange:
- # - "10.0.0.0/8"
- # - "192.168.0.0/16"
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
- name: security-headers
- namespace: default
-spec:
- headers:
- customResponseHeaders:
- X-Frame-Options: "SAMEORIGIN"
- X-Content-Type-Options: "nosniff"
- X-XSS-Protection: "1; mode=block"
- Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload"
- contentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
\ No newline at end of file
diff --git a/deployment/ui-deployment.yaml b/deployment/ui-deployment.yaml
index 0f91653..f7f787c 100644
--- a/deployment/ui-deployment.yaml
+++ b/deployment/ui-deployment.yaml
@@ -77,28 +77,3 @@ spec:
 targetPort: 8002
 name: http
 type: ClusterIP
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: ui-ingress
- annotations:
- cert-manager.io/cluster-issuer: letsencrypt-production-http
- traefik.ingress.kubernetes.io/router.middlewares: default-mtls-auth@kubernetescrd,default-security-headers@kubernetescrd
- traefik.ingress.kubernetes.io/router.tls.options: default-homea2-mtls@kubernetescrd
-spec:
- tls:
- - hosts:
- - homea2.hottis.de
- secretName: homea2-ui-cert
- rules:
- - host: homea2.hottis.de
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: ui
- port:
- number: 80
diff --git a/deployment/ui-deployment.yaml.bak b/deployment/ui-deployment.yaml.bak
deleted file mode 100644
index 11b1278..0000000
--- a/deployment/ui-deployment.yaml.bak
+++ /dev/null
@@ -1,104 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: ui
- namespace: homea2
- labels:
- app: ui
- component: home-automation
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: ui
- template:
- metadata:
- annotations:
- reloader.stakater.com/auto: "true"
- configmap.reloader.stakater.com/reload: "home-automation-environment"
- labels:
- app: ui
- component: home-automation
- spec:
- containers:
- - name: ui
- image: %IMAGE%
- ports:
- - containerPort: 8002
- name: http
- env:
- - name: UI_PORT
- valueFrom:
- configMapKeyRef:
- name: home-automation-environment
- key: UI_UI_PORT
- - name: API_BASE
- valueFrom:
- configMapKeyRef:
- name: home-automation-environment
- key: UI_API_BASE
- - name: BASE_PATH
- valueFrom:
- configMapKeyRef:
- name: home-automation-environment
- key: UI_BASE_PATH
- livenessProbe:
- httpGet:
- path: /
- port: 8002
- initialDelaySeconds: 30
- periodSeconds: 10
- readinessProbe:
- httpGet:
- path: /
- port: 8002
- initialDelaySeconds: 5
- periodSeconds: 5
- resources:
- limits:
- cpu: 500m
- memory: 512Mi
- requests:
- cpu: 100m
- memory: 128Mi
----
-apiVersion: v1
-kind: Service
-metadata:
- name: ui
- labels:
- app: ui
- component: home-automation
-spec:
- selector:
- app: ui
- ports:
- - port: 80
- targetPort: 8002
- name: http
- type: ClusterIP
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: ui-ingress
- annotations:
- cert-manager.io/cluster-issuer: letsencrypt-production-http
- traefik.ingress.kubernetes.io/router.middlewares: homea2-mtls-auth@kubernetescrd,homea2-security-headers@kubernetescrd
- traefik.ingress.kubernetes.io/router.tls.options: homea2-homea2-mtls@kubernetescrd
-spec:
- tls:
- - hosts:
- - homea2.hottis.de
- secretName: homea2-ui-cert
- rules:
- - host: homea2.hottis.de
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: ui
- port:
- number: 80