capitano/kube-wordpress
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ricominciamoooooooo

Browse Source
This commit is contained in:
Your Name
2026-01-21 14:28:49 +01:00
parent 5ca040819f
commit d177f90277
16 changed files with 0 additions and 9879 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
00-namespace.yaml
View File

@@ -1,4 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: wordpress

22
01-cnpg-cluster.yaml
View File

@@ -1,22 +0,0 @@
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: wordpress-db
namespace: wordpress
spec:
instances: 2
storage:
size: 20Gi
storageClass: longhorn-fast
resources:
requests:
memory: "512Mi"
cpu: "250m"
limits:
memory: "1Gi"
cpu: "750m"
bootstrap:
initdb:
database: postgres
affinity:
enablePodAntiAffinity: false

17
02-traefik-middleware.yaml
View File

@@ -1,17 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: wordpress-security-headers
namespace: wordpress
spec:
headers:
customResponseHeaders:
X-Frame-Options: "DENY"
X-Content-Type-Options: "nosniff"
X-XSS-Protection: "1; mode=block"
X-Powered-By: "" # Removes the X-Powered-By header
# HSTS (Strict-Transport-Security) is often configured at the IngressRoute level or with a dedicated HSTS middleware.
# For simplicity, I'm keeping it commented out here but it can be added if needed.
# stsSeconds: 31536000 # 1 year
# stsIncludeSubdomains: true
# stsPreload: true

111
03-network-policies.yaml
View File

@@ -1,111 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: wordpress
spec:
podSelector: {} # Selects all pods in the namespace
policyTypes:
- Ingress
- Egress
# This policy creates a default-deny state.
# Specific policies below will allow necessary traffic.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-traefik-ingress
namespace: wordpress
spec:
podSelector: {} # Apply to all pods in the namespace
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app.kubernetes.io/name: traefik # Assuming Traefik pods have this label
# If Traefik is in a different namespace, specify that namespace:
# namespaceSelector:
# matchLabels:
# kubernetes.io/metadata.name: traefik # Example label for Traefik namespace
ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 443
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-wordpress-to-cnpg
namespace: wordpress
spec:
podSelector:
matchLabels:
app: wordpress # Label for WordPress pods
policyTypes:
- Egress
egress:
- to:
- podSelector:
matchLabels:
app.kubernetes.io/name: cloudnativepg # Label for CNPG pods
ports:
- protocol: TCP
port: 5432 # Default PostgreSQL port
# Allow DNS
- to:
- namespaceSelector: {}
podSelector:
matchLabels:
k8s-app: kube-dns
ports:
- protocol: UDP
port: 53
- protocol: TCP
port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-wordpress-ingress # Fixed syntax for ingress rule
namespace: wordpress
spec:
podSelector:
matchLabels:
app: wordpress # Label for WordPress pods
policyTypes:
- Ingress
ingress:
- from: [] # Empty from means allow from all sources (will be restricted by Traefik Ingress)
ports:
- protocol: TCP
port: 80
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-egress-to-apiserver
namespace: wordpress
spec:
podSelector:
matchLabels:
cnpg.io/cluster: wordpress-db # Targets all components of the wordpress-db cluster
policyTypes:
- Egress
egress:
- to:
- ipBlock:
cidr: 10.96.0.1/32 # Kubernetes API Server IP
ports:
- protocol: TCP
port: 443

18
allow-apiserver-egress.yaml
View File

@@ -1,18 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-egress-to-apiserver
namespace: wordpress
spec:
podSelector:
matchLabels:
cnpg.io/cluster: wordpress-db # Targets all components of the wordpress-db cluster
policyTypes:
- Egress
egress:
- to:
- ipBlock:
cidr: 10.96.0.1/32 # Kubernetes API Server IP
ports:
- protocol: TCP
port: 443

9368
poolers.postgresql.cnpg.io_poolers.yaml
View File

File diff suppressed because it is too large Load Diff

30
traefik.crt
View File

@@ -1,30 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIFETCCAvmgAwIBAgIUMDt3pOo2RwsQAXk85yPNqSEbQEcwDQYJKoZIhvcNAQEL
BQAwGDEWMBQGA1UEAwwNdHJhZWZpay5sb2NhbDAeFw0yNjAxMTQxNTExMzRaFw0y
NzAxMTQxNTExMzRaMBgxFjAUBgNVBAMMDXRyYWVmaWsubG9jYWwwggIiMA0GCSqG
SIb3DQEBAQUAA4ICDwAwggIKAoICAQDzXfA5UbbiUUaN0syLqefYdwipB3esJ+8Q
lTT6I2EahM395Lcnqmd6Qfrgaao0AyQ42eYQT65MxACw4UDhg7FxIgDvPDoClnW1
jyL4rwLA9I2fj83xhOwemvwPPeeSPkJqAEHa9stazLezEo6vDcdtB2clobcs5uQJ
eJs4Ne27TVYOOvo3BF+s7eb4sBz3EwRWAZQ51+ZAayMP3E9XEWUzbAYCjA/yyQ6X
fBVJdHJQThBK5tFvexO7G5y4ouIsyoAEzxk+960pbFBXMUUL1hqWX2w1BebC9TNC
XOaDwMxBooJPN9JAmSUr7gSI7fLpGDf3x5gZAQryvRnSUkCbyn0Kz2e/D4Vp1kUu
0aJ2DiPE81561Hdu7xJl7545juTxHBy9+XwBrxiISB3d1djCiezsc10FrPhL1PWM
yowihKwVuTLbDQw4ZogGV+jk6k6+99kyRMJjLEd/e/GAX61K50dUuwslyacwZsc1
XR9Br+zdzpqveBt4XAry2MlBF0VcLuan3wM7edywKcurKbVaK/fJsZTF2Ih26DK3
ZI8D23mV8bv4eR7vFNTvFGSiHeUrgtV6AX63Vgo9cse+UnhXHri3cFdtVZK8eUBE
H9xglGxeff4xKqF6Noc48prre41eK397llT2tznreYnM6S4n3Y01lfmFTZFd48ws
bMhYKFO/RQIDAQABo1MwUTAdBgNVHQ4EFgQURlSlwEmkAXn6rWnxeZstYGTMKUow
HwYDVR0jBBgwFoAURlSlwEmkAXn6rWnxeZstYGTMKUowDwYDVR0TAQH/BAUwAwEB
/zANBgkqhkiG9w0BAQsFAAOCAgEAL5K8ZzauZy/9mOAgE1OKQ5ZLekz372D+OI93
vED+r+qf8pRCjosBb0Ag2cLO2H5Qnj0If72c3GZOUp+H4t1PQ+T9vji7Hr6fy6sj
M6quYOh6zIR5VK885K2EYyuVWbRE+uces06b9tVceeLgVrUjbuK7+0C0qU8x8L9d
FqXK8p2leIwawDYrNGTDnr+ZsOK09nN3iGnU5XW7WZnfmWar9v2qlkTlJywyaNyU
NmuEO5LxRfqUWINabxKfltssxGe74ku/ot2BJRNUuIM6lt+fH1bwrjqaxOUN6mW7
Va4OIat3IBsGZuALSyYiXq9Lg+Ec2DmV95j/wf8iQtKzSUdU+U3mw8SxSwSsrLO3
B1dVtbZKOSflJkLb8gfraz7XJpL8WuQ0n4rH2GL28HVJbNh/1ytlA4tDFWNp4Onv
Y4+Jy7mEPtB+bV1NHD5KQfYFwyBRqGxL7BB9F5VJSH9+R7Rc7HKlaOjcUzyq3SnL
P10Jsv3I68cuDmwm4CHNamEVYmipKhhncn8k06uHk9Xut0aKZDJ7OfMr5G6NQBEQ
/0Pf4uCKt3KfWoT+4vHy2PYzXQSTABzqGAC27Xe1ZVOudllLDiT//bFMORYx8nRn
h+P+CRbODiPbZedK0tsjO8+ZPCFGxFpQhVf7a8MRDXl0FG1GlHA73nKiaTAbEp7b
OrnPKRk=
-----END CERTIFICATE-----

52
traefik.key
View File

@@ -1,52 +0,0 @@
-----BEGIN PRIVATE KEY-----
MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDzXfA5UbbiUUaN
0syLqefYdwipB3esJ+8QlTT6I2EahM395Lcnqmd6Qfrgaao0AyQ42eYQT65MxACw
4UDhg7FxIgDvPDoClnW1jyL4rwLA9I2fj83xhOwemvwPPeeSPkJqAEHa9stazLez
Eo6vDcdtB2clobcs5uQJeJs4Ne27TVYOOvo3BF+s7eb4sBz3EwRWAZQ51+ZAayMP
3E9XEWUzbAYCjA/yyQ6XfBVJdHJQThBK5tFvexO7G5y4ouIsyoAEzxk+960pbFBX
MUUL1hqWX2w1BebC9TNCXOaDwMxBooJPN9JAmSUr7gSI7fLpGDf3x5gZAQryvRnS
UkCbyn0Kz2e/D4Vp1kUu0aJ2DiPE81561Hdu7xJl7545juTxHBy9+XwBrxiISB3d
1djCiezsc10FrPhL1PWMyowihKwVuTLbDQw4ZogGV+jk6k6+99kyRMJjLEd/e/GA
X61K50dUuwslyacwZsc1XR9Br+zdzpqveBt4XAry2MlBF0VcLuan3wM7edywKcur
KbVaK/fJsZTF2Ih26DK3ZI8D23mV8bv4eR7vFNTvFGSiHeUrgtV6AX63Vgo9cse+
UnhXHri3cFdtVZK8eUBEH9xglGxeff4xKqF6Noc48prre41eK397llT2tznreYnM
6S4n3Y01lfmFTZFd48wsbMhYKFO/RQIDAQABAoICABbbpmID2k0UfC968qpViYir
2Xzizis1zv78PK8X3pl6isyDjG5l03VIuDMWyZ08BE1wreqvSTw9lqEGby0fTO3G
11ahDgPLNQAaExtPeM89yQWJILtEFFdlkDIwSs1SGrPRFV5nGr+LBeAEaLFpdmc3
sEj5EPbfMuDu2olji1Ix19jbUkAToZbg+3Y1OGs+doRLfqwWKrK3PWJSe4M+h4ZW
aZQYqrDPkJbK2Ub+cHQ5eM9IMbiqUzaaR9SRu/OgC3koKINhCPsgiMU/w+/yKqog
CU5LoRqDpE5h4mbSl3y8skeVgyJ9H+Ap6XQhAVVCaJNVxGPo1Knq9/9oqVfYo3jP
D+3j/BrcCWpk2HNVRBpG4bFjaJCKt+BDjgZR5ZwA9GSX1kvrP/LQNhHeWGT02Azu
jFaPWQCpX/2V05+snTonaTCYEY09oA2dAAn+tUyA43uiefLVMeueNzyL3NRcKk3J
Hrg4XEXpXlI+7nL8ZhHy8GMyBqnbHUN+z0qSp7xeaV1q1gTfUPJoK+LRKkR7A29A
jxHYI0SdPxipAoQq85phADXDxPOMmQKBbxm3mlXJGrYDKrf2ZTu5yjJ7xBlF7Ze7
BsFkvLEKDjVnqQNN/auElYqXPbMSGtDbXG2GWPNGuscPYjB8SR0fCrAy9FxLSkje
gw2hvZjhk0Q7UODxC1qbAoIBAQD+GEgQSjBev5vcf4EkQTXuLHKIM90TA9fmVYv2
MvELgVsXFt/w34Ks8gh879MoB/oLmUgr03cznOrJaDV6jx0koMTIIGXPHCzhC6JN
YGszqiC+v2Ot5T+VKyHKLhK2Lwlkq8fqFAqkbm2bo4POcM09jdKwztCuZjYQCfnp
NeVh885qtvGmHcIEgCwwES2VgZ/uKEZp3X8Ic4WNPWfz3qP+KhIWehU1EBwOCd80
iMsBkEfhdmkGwzYKPL5yDTQ+BZoBQUY/jlsfkdmGqISdHP9XNyl0uQS4aWaSAHHh
h5rZHU7zHoa1Y4jyQvrMrXZ4RiC/AqhRSpJFoTEdt1oKOf5HAoIBAQD1MRC70Oi8
sX6mv4Ko/QHjp8JXXsAIP5a7MFqWo71KlgpFEbGoxLdUTwj2aqir5r6aM1wzHuIM
OSGF/LUnr9oBv3B8RRSF8RcTcJwPbv6Fsnz4S1mHC2YtpfX75M/N1huTZ2ZlTc6/
3NHvPmbSKCURy5VKefiOl6yKahaV6mhM/attit7zYbMa/U86pCBj+e0gjHEooKof
g7n/nGt/JMcMWmjPCUZbQ6/NKl3STDQchYIQXVmDW/wTD3LUZVqQZbDXLxaooo1H
VJC9qJm8VpDxipLQPhPPAu+rWPThWS9csf332zfHtoLLfYACUe/QbZCzHjNFIXGM
0bgjtJelWyATAoIBAQC8qSK4lZ0cfIApU7J7TL/SO8Y+QuPefngLWXE2N9Spij4s
Apv7qLjJ2FtdCGRr0KBjhEgF4lkbRWM+b9VlTmWBEK2LOiLdiDn6Tj0P3os6LRNr
DYfhUdnH0+Kez16tTndW/ATPVFoihKt1aA8xdKevEGJjTOu80b9KYV3hPlc2R2P3
8CW0BVxNIy2r8tU5sKkil1zQtdjgWYXLvNA2ThTNXkdX0QV2BKQP+Fx2EStJ2erF
CLoqfz7ckwWEgTFM67PRQrn57qTR5+TvCqiMTz93bkmllMpgckHqHdJwddMPaad4
9C1o+KJx3jGBTzorS0Z9DGgVE51PfcOOINkFxtF5AoIBAQCUtExEzF/KyQ9aDD4v
RTsXGhB4ssNefUpqftoCEI5mJPdXinKoO55AaKqz4F4p24jvtoSNkIZiCWg2fdxU
lIdwle2fwLnAvkZTiPFtPtDovyah4/kJOTWgK84zFkOdv+P7kzN77yOcI03DfqIX
hTduQn1prO29dWm0jMDj7UWSpCqLBjVPgIqCrOyXUSE/4T0ah3K9xCtJb7enufNM
Kj76U/7KygI8qaF+mdpLB+J3BdWrHSKD047e9HidLlctyi7lYu6oGeX7Q+OA0zdi
DVJc28FMwMl8vHglAI+L+G4MFvtDjlWXLy7GQXgYcB801q5yo7dOjwjx8eNu7EEo
jUq3AoIBAQC/nwehwfzc6zbiAgsgKaADh8+gQsI2SPbQecOVUYzClWHu/pUsHH/r
heFwww0RhLiGYC9MQapHT94apMqI10SzbRbTCzL9zMRSBHLloPDlIpM2bcZssuAz
LEX8vgfdGBb5+ca3HphgzDTAgVkP+ndBJ8hZmJZoGAxH8R9/CiFTLE15tI000v4l
YJ5/W+g4rtNDouVYmeux6hDWhIiWnc3IeZaRJ8xGPhHJWaId2NjmwkuTrk+pYeux
gBDc2WQT7yWMgnXrEpxzbsZMzMEcCCyP2rN6QK1WzzRPjikSNVYet6MwyTjKv1N7
REsrP+0hR8mCJm2lhpqPn07LFzAqmfIg
-----END PRIVATE KEY-----

10
virtualinsanity/virtualinsanity-db-secret.yaml
View File

@@ -1,10 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: virtualinsanity-db-secret
namespace: wordpress
type: Opaque
data:
password: "Y2V2MTRqODQ/N0hZckh3Ww=="
dbname: "dmlydHVhbGluc2FuaXR5ZGI="
username: "d2VnYXBwY29ubmVjdA=="

6
virtualinsanity/virtualinsanity-db.yaml
View File

@@ -1,6 +0,0 @@
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: virtualinsanity-db
namespace: wordpress
spec: {}

34
virtualinsanity/virtualinsanity-ingressroute.yaml
View File

@@ -1,34 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: virtualinsanity-ingressroute
namespace: wordpress
spec:
entryPoints:
- websecure
routes:
- match: Host(`virtualinsanity.giaco.net`)
kind: Rule
services:
- name: virtualinsanity-wordpress-svc
port: 80
middlewares:
- name: wordpress-security-headers
namespace: wordpress
tls:
secretName: virtualinsanity-tls-secret
kind: Ingress
metadata:
name: virtualinsanity-ingress
namespace: wordpress
annotations:
kubernetes.io/ingress.class: "traefik"
spec:
rules:
- host: virtualinsanity.giaco.net
http:
paths:
- path: /
backend:
serviceName: virtualinsanity-wordpress
servicePort: 80

39
virtualinsanity/virtualinsanity-nginx-conf-cm.yaml
View File

@@ -1,39 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: virtualinsanity-nginx-conf
namespace: wordpress
data:
default.conf: |
server {
listen 80;
server_name virtualinsanity.giaco.net;
root /var/www/html;
index index.php index.html index.htm;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass wordpress:9000; # Assumes 'wordpress' is the container name in the same pod
location ~ /\.ht {
deny all;
}
}
location ~* /(wp-config\.php|readme\.html|license\.txt) {
deny all;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
expires 1y;
log_not_found off;
access_log off;
}
error_page 404 /index.php;

116
virtualinsanity/virtualinsanity-wordpress-deployment.yaml
View File

@@ -1,116 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: virtualinsanity-wordpress
namespace: wordpress
labels:
app: wordpress
site: virtualinsanity
spec:
replicas: 1
selector:
matchLabels:
app: wordpress
site: virtualinsanity
template:
metadata:
labels:
app: wordpress
site: virtualinsanity
spec:
initContainers:
- name: volume-permissions
image: alpine:latest
command: ["sh", "-c", "chown -R 33:33 /var/www/html/wp-content"]
securityContext:
runAsNonRoot: false # Allow initContainer to run as root for chown
runAsUser: 0
runAsGroup: 0
allowPrivilegeEscalation: true
readOnlyRootFilesystem: false
volumeMounts:
- name: wp-content
mountPath: /var/www/html/wp-content
containers:
- name: wordpress
image: wordpress:php8.2-fpm-alpine
ports:
- containerPort: 9000
securityContext:
runAsNonRoot: true
runAsUser: 33
runAsGroup: 33
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
volumeMounts:
- name: wp-content
mountPath: /var/www/html/wp-content
- name: tmp-dir
mountPath: /tmp
- name: run-dir
mountPath: /var/run
- name: php-session-save-path
mountPath: /var/lib/php/sessions
- name: nginx-cache
mountPath: /var/cache/nginx
env:
- name: WORDPRESS_DB_HOST
value: "wordpress-db-rw.wordpress.svc.cluster.local"
- name: WORDPRESS_DB_NAME
valueFrom:
secretKeyRef:
name: virtualinsanity-db-secret
key: dbname
- name: WORDPRESS_DB_USER
valueFrom:
secretKeyRef:
name: virtualinsanity-db-secret
key: username
- name: WORDPRESS_DB_PASSWORD
valueFrom:
secretKeyRef:
name: virtualinsanity-db-secret
key: password
- name: WP_HOME
value: "https://virtualinsanity.giaco.net"
- name: WP_SITEURL
value: "https://virtualinsanity.giaco.net"
- name: nginx
image: nginx:alpine
ports:
- containerPort: 80
securityContext:
runAsNonRoot: true
runAsUser: 101 # Specify a non-root user ID
runAsGroup: 101 # Specify a non-root group ID
allowPrivilegeEscalation: false # Prevent privilege escalation
readOnlyRootFilesystem: false # Allow filesystem modifications for Nginx container
volumeMounts:
- name: wp-content
mountPath: /var/www/html/wp-content
- name: tmp-dir
mountPath: /tmp
- name: run-dir
mountPath: /var/run
- name: nginx-cache
mountPath: /var/cache/nginx
- name: nginx-conf
mountPath: /etc/nginx/conf.d/default.conf
subPath: default.conf
volumes:
- name: wp-content
persistentVolumeClaim:
claimName: virtualinsanity-wp-content
- name: tmp-dir
emptyDir: {}
- name: run-dir
emptyDir: {}
- name: php-session-save-path
emptyDir: {}
- name: nginx-cache
emptyDir: {}
- name: nginx-conf
configMap:
name: virtualinsanity-nginx-conf

14
virtualinsanity/virtualinsanity-wordpress-svc.yaml
View File

@@ -1,14 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: virtualinsanity-wordpress-svc
namespace: wordpress
spec:
selector:
app: wordpress
site: virtualinsanity
ports:
- protocol: TCP
port: 80
targetPort: 80
type: ClusterIP

12
virtualinsanity/virtualinsanity-wp-content-pvc.yaml
View File

@@ -1,12 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: virtualinsanity-wp-content
namespace: wordpress
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn-fast
resources:
requests:
storage: 20Gi

26
virtualinsanity/wordpress-security-headers-middleware.yaml
View File

@@ -1,26 +0,0 @@
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: wordpress-security-headers
namespace: wordpress
spec:
headers:
customResponseHeaders:
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: "1; mode=block"
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'self'
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: wordpress-security-headers
namespace: wordpress
spec:
headers:
customResponseHeaders:
X-Frame-Options: "SAMEORIGIN"
X-XSS-Protection: "1; mode=block"
X-Content-Type-Options: "nosniff"
Referrer-Policy: "no-referrer-when-downgrade"
Content-Security-Policy: "default-src 'self'; script-src 'self' https://*.google-analytics.com; object-src 'none'"