From c2a803d28b711a1499a2011e3a2b1141b1a5e25c Mon Sep 17 00:00:00 2001 From: Davide Piu Date: Thu, 19 Feb 2026 22:44:34 +0000 Subject: [PATCH] feat: deploy Wave 1 - Vaultwarden, Uptime Kuma, Trivy Operator, Authelia GitOps manifests for security stack Wave 1: - Vaultwarden (vault.davidepiu.xyz) - password manager - Uptime Kuma (status.davidepiu.xyz) - uptime monitoring - Trivy Operator - vulnerability scanning - Authelia (auth.davidepiu.xyz) - SSO + 2FA All with NetworkPolicies for Traefik ingress. --- clusters/lab/apps/uptime-kuma.yaml | 73 +++++++++++++++ clusters/lab/apps/vaultwarden.yaml | 69 ++++++++++++++ clusters/lab/security/authelia.yaml | 105 ++++++++++++++++++++++ clusters/lab/security/trivy-operator.yaml | 45 ++++++++++ 4 files changed, 292 insertions(+) create mode 100644 clusters/lab/apps/uptime-kuma.yaml create mode 100644 clusters/lab/apps/vaultwarden.yaml create mode 100644 clusters/lab/security/authelia.yaml create mode 100644 clusters/lab/security/trivy-operator.yaml
diff --git a/clusters/lab/apps/uptime-kuma.yaml b/clusters/lab/apps/uptime-kuma.yaml
new file mode 100644
index 0000000..a2c3748
--- /dev/null
+++ b/clusters/lab/apps/uptime-kuma.yaml
@@ -0,0 +1,73 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: uptime-kuma
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://helm.irsigler.cloud
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: uptime-kuma
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: uptime-kuma
+ namespace: flux-system
+spec:
+ interval: 1h
+ targetNamespace: uptime-kuma
+ install:
+ createNamespace: true
+ chart:
+ spec:
+ chart: uptime-kuma
+ sourceRef:
+ kind: HelmRepository
+ name: uptime-kuma
+ interval: 1h
+ values:
+ ingress:
+ enabled: true
+ className: traefik
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
+ hosts:
+ - host: status.davidepiu.xyz
+ paths:
+ - path: /
+ pathType: Prefix
+ tls:
+ - secretName: uptime-kuma-tls
+ hosts:
+ - status.davidepiu.xyz
+ persistence:
+ enabled: true
+ size: 4Gi
+ resources:
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ limits:
+ cpu: 200m
+ memory: 200Mi
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-ingress-from-traefik
+ namespace: uptime-kuma
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
diff --git a/clusters/lab/apps/vaultwarden.yaml b/clusters/lab/apps/vaultwarden.yaml
new file mode 100644
index 0000000..95ef3b7
--- /dev/null
+++ b/clusters/lab/apps/vaultwarden.yaml
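Review bot: `chart.spec` of the uptime-kuma HelmRelease carries no `version`, so Flux resolves the newest chart from https://helm.irsigler.cloud on every `interval: 1h` and a breaking or tampered upstream release reaches the cluster without any commit to review; the vaultwarden, authelia and trivy-operator hunks have the same omission. Pin it, e.g. `version: "<chart-version>"  # pinned; bump via PR`, and let a dependency-update bot or a manual bump open the change. The NetworkPolicy also admits any pod in kube-system rather than only Traefik, and with no `ports` entry it admits every port on every pod in the namespace; narrow it with a `podSelector` matching Traefik's pod labels (not visible in this diff) and a `ports` entry for the app's listen port, as the authelia hunk already does with `ports`. The vaultwarden hunk's NetworkPolicy has the same shape.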
@@ -0,0 +1,69 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: vaultwarden
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://guerzon.github.io/vaultwarden/
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: vaultwarden
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: vaultwarden
+ namespace: flux-system
+spec:
+ interval: 1h
+ targetNamespace: vaultwarden
+ install:
+ createNamespace: true
+ chart:
+ spec:
+ chart: vaultwarden
+ sourceRef:
+ kind: HelmRepository
+ name: vaultwarden
+ interval: 1h
+ values:
+ domain: "https://vault.davidepiu.xyz"
+ ingress:
+ enabled: true
+ class: traefik
+ nginxIngressAnnotations: false
+ additionalAnnotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
+ hostname: vault.davidepiu.xyz
+ tls: true
+ tlsSecret: vaultwarden-tls
+ data:
+ name: vaultwarden-data
+ size: 5Gi
+ resources:
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ limits:
+ cpu: 200m
+ memory: 128Mi
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-ingress-from-traefik
+ namespace: vaultwarden
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
diff --git a/clusters/lab/security/authelia.yaml b/clusters/lab/security/authelia.yaml
new file mode 100644
index 0000000..9504b70
--- /dev/null
+++ b/clusters/lab/security/authelia.yaml
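Review bot: `values` of the vaultwarden release never sets `signupsAllowed`, and as far as I recall the guerzon chart defaults it to `true`, so an instance published at `vault.davidepiu.xyz` behind a public certificate would accept account registrations from anyone; confirm the chart default and set `signupsAllowed: false` (re-enable briefly, or restrict with `signupDomains`, when onboarding an account). No `adminToken` is configured, which is the safe direction — if the admin panel is ever wanted, the token should come from a Secret via `valuesFrom` as the authelia hunk does, never inline in `values`. A short comment above `domain:` recording the deliberate choices (`# registrations closed; admin panel disabled`) would keep the next editor from flipping them casually.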
@@ -0,0 +1,105 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: authelia
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://charts.authelia.com
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: authelia
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: authelia
+ namespace: flux-system
+spec:
+ interval: 1h
+ targetNamespace: authelia
+ install:
+ createNamespace: true
+ chart:
+ spec:
+ chart: authelia
+ sourceRef:
+ kind: HelmRepository
+ name: authelia
+ interval: 1h
+ valuesFrom:
+ - kind: Secret
+ name: authelia-secrets
+ valuesKey: JWT_SECRET
+ targetPath: secret.jwt.value
+ - kind: Secret
+ name: authelia-secrets
+ valuesKey: SESSION_SECRET
+ targetPath: secret.session.value
+ - kind: Secret
+ name: authelia-secrets
+ valuesKey: STORAGE_ENCRYPTION_KEY
+ targetPath: secret.storage.value
+ values:
+ pod:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ limits:
+ cpu: 200m
+ memory: 128Mi
+ ingress:
+ enabled: true
+ className: traefik
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
+ tls:
+ enabled: true
+ secret: authelia-tls
+ configMap:
+ theme: light
+ default_2fa_method: totp
+ server:
+ address: tcp://0.0.0.0:9091/
+ session:
+ cookies:
+ - domain: davidepiu.xyz
+ subdomain: auth
+ default_redirection_url: https://auth.davidepiu.xyz
+ storage:
+ local:
+ enabled: true
+ path: /config/db.sqlite3
+ access_control:
+ default_policy: one_factor
+ authentication_backend:
+ file:
+ enabled: true
+ path: /config/users_database.yml
+ notifier:
+ filesystem:
+ enabled: true
+ filename: /config/notification.txt
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-ingress-from-traefik
+ namespace: authelia
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ ports:
+ - port: 9091
+ protocol: TCP
diff --git a/clusters/lab/security/trivy-operator.yaml b/clusters/lab/security/trivy-operator.yaml
new file mode 100644
index 0000000..319dd65
--- /dev/null
+++ b/clusters/lab/security/trivy-operator.yaml
@@ -0,0 +1,45 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: aquasecurity
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://aquasecurity.github.io/helm-charts/
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: trivy-operator
+ namespace: flux-system
+spec:
+ interval: 1h
+ targetNamespace: trivy-system
+ install:
+ createNamespace: true
+ chart:
+ spec:
+ chart: trivy-operator
+ sourceRef:
+ kind: HelmRepository
+ name: aquasecurity
+ interval: 1h
+ values:
+ trivy:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ limits:
+ cpu: 500m
+ memory: 512Mi
+ operator:
+ scanJobsConcurrentLimit: 1
+ vulnerabilityScannerScanOnlyCurrentRevisions: true
+ compliance:
+ cron: ""
+ nodeCollector:
+ excludeNodes: ""
+ serviceMonitor:
+ enabled: false
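Review bot: `access_control.default_policy: one_factor` in the authelia `configMap` contradicts the commit message's "SSO + 2FA" — `default_2fa_method: totp` only selects which second factor is offered at enrollment, it does not require one, so every resource Authelia fronts falls back to password-only unless a rule says otherwise; change it to `default_policy: two_factor` (or add a `rules:` list that sets `two_factor` per domain). The hunk also places the users file, the sqlite database and the filesystem notifier output under `/config` yet sets no persistence for that path, so TOTP enrollments would be lost on pod replacement unless the chart's persistence option is enabled — confirm. `authelia-secrets` is read through `valuesFrom` but is not created by this commit, so reconciliation fails until it exists in flux-system; a comment above `valuesFrom:` naming where that Secret comes from (SOPS-encrypted file, external secret store) would document the dependency. Nothing here defines the Traefik forward-auth Middleware that would route other ingresses through Authelia, so as far as this hunk shows no application is protected by it yet.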
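Review bot: `serviceMonitor.enabled: false` with no other report consumer in the trivy-operator hunk means VulnerabilityReports accumulate as custom resources that nothing reads or alerts on, so the scanner adds no detection value until a consumer exists; either enable the ServiceMonitor once a Prometheus with that CRD is installed, or state above `operator:` how reports are reviewed (`# reports consumed by: <tool> — TODO`). `compliance.cron: ""` and `nodeCollector.excludeNodes: ""` read as intent to switch those scanners off, but an empty cron expression is not obviously a "disabled" switch — confirm that the chart treats `""` as off rather than rendering a CronJob with an invalid schedule, and record the intent in a comment on each line. `trivy.resources` caps scan jobs at 512Mi; scans of large images can exceed that and be OOM-killed with no report produced, so check the scan job status after the first reconcile rather than assuming an empty report list means a clean cluster.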