remove trivy-operator

2026-02-20 00:36:50 +00:00
parent b95a574d73
commit 779ed3d563
2 changed files with 142 additions and 42 deletions


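--- /dev/null
+++ b/<new-file-path-not-shown>
@@ -0,0 +1,142 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+name: wireguard
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+name: wireguard-data
+namespace: wireguard
+spec:
+accessModes:
+- ReadWriteOnce
+storageClassName: local-path
+resources:
+requests:
+storage: 100Mi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: wg-easy
+namespace: wireguard
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: wg-easy
+template:
+metadata:
+labels:
+app: wg-easy
+spec:
+containers:
+- name: wg-easy
+image: ghcr.io/wg-easy/wg-easy:latest
+env:
+- name: LANGUAGE
+value: it
+- name: WG_HOST
+value: "91.99.143.113"
+- name: WG_PORT
+value: "51820"
+- name: WG_DEFAULT_DNS
+value: "1.1.1.1, 8.8.8.8"
+- name: WG_ALLOWED_IPS
+value: "0.0.0.0/0, ::/0"
+- name: PASSWORD_HASH
+valueFrom:
+secretKeyRef:
+name: wireguard-ui-password
+key: PASSWORD_HASH
+ports:
+- name: vpn
+containerPort: 51820
+hostPort: 51820
+protocol: UDP
+- name: web
+containerPort: 51821
+protocol: TCP
+volumeMounts:
+- name: data
+mountPath: /etc/wireguard
+securityContext:
+capabilities:
+add:
+- NET_ADMIN
+- SYS_MODULE
+- NET_RAW
+resources:
+requests:
+cpu: 10m
+memory: 32Mi
+limits:
+cpu: 200m
+memory: 64Mi
+volumes:
+- name: data
+persistentVolumeClaim:
+claimName: wireguard-data
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: wg-easy
+namespace: wireguard
+spec:
+selector:
+app: wg-easy
+ports:
+- name: web
+port: 51821
+targetPort: 51821
+protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+name: wg-easy
+namespace: wireguard
+annotations:
+cert-manager.io/cluster-issuer: letsencrypt-prod
+traefik.ingress.kubernetes.io/router.middlewares: default-crowdsec-bouncer@kubernetescrd,default-authelia-forwardauth@kubernetescrd,default-redirect-https@kubernetescrd
+spec:
+ingressClassName: traefik
+tls:
+- secretName: wireguard-tls
+hosts:
+- vpn.davidepiu.xyz
+rules:
+- host: vpn.davidepiu.xyz
+http:
+paths:
+- path: /
+pathType: Prefix
+backend:
+service:
+name: wg-easy
+port:
+number: 51821
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: allow-ingress
+namespace: wireguard
+spec:
+podSelector: {}
+policyTypes:
+- Ingress
+ingress:
+- from:
+- namespaceSelector:
+matchLabels:
+kubernetes.io/metadata.name: kube-system
+ports:
+- port: 51821
+protocol: TCP
+- ports:
+- port: 51820
+protocol: UDP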
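Review bot: The new wg-easy container pulls an unpinned `image: ghcr.io/wg-easy/wg-easy:latest` while its `securityContext.capabilities.add` grants NET_ADMIN, SYS_MODULE and NET_RAW, so any upstream image change is deployed with near-host privileges (SYS_MODULE allows loading kernel modules) and the rollout cannot be reproduced or rolled back from this manifest alone. Pin the image to a release tag plus digest, drop all capabilities before adding back the required ones, and set `allowPrivilegeEscalation: false`; on nodes whose kernel ships WireGuard built in, SYS_MODULE is probably not needed — verify on the node before removing it. The commit title records only the trivy-operator removal; the description should also state that this manifest adds the wireguard namespace, PVC, deployment, service, ingress and network policy.
```yaml
# … unchanged: container name, env, ports, volumeMounts …
image: ghcr.io/wg-easy/wg-easy:<PINNED_TAG>@sha256:<DIGEST>  # placeholder: pin to a tested release
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
    add:
      - NET_ADMIN
      - NET_RAW
      # add SYS_MODULE only if the node kernel lacks a built-in wireguard module
# … unchanged: resources, volumes …
```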


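--- a/<deleted-file-path-not-shown>
+++ /dev/null
@@ -1,42 +0,0 @@
----
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
-name: aquasecurity
-namespace: flux-system
-spec:
-interval: 1h
-url: https://aquasecurity.github.io/helm-charts/
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-name: trivy-operator
-namespace: flux-system
-spec:
-interval: 1h
-targetNamespace: trivy-system
-install:
-createNamespace: true
-chart:
-spec:
-chart: trivy-operator
-sourceRef:
-kind: HelmRepository
-name: aquasecurity
-interval: 1h
-values:
-trivy:
-resources:
-requests:
-cpu: 10m
-memory: 64Mi
-limits:
-cpu: 500m
-memory: 512Mi
-operator:
-scanJobsConcurrentLimit: 1
-vulnerabilityScannerScanOnlyCurrentRevisions: true
-clusterComplianceEnabled: false
-serviceMonitor:
-enabled: false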