Compare commits
2 Commits
5ca040819f
...
c89eafa4ce
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
c89eafa4ce | ||
|
|
d177f90277 |
@@ -1,4 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
kind: Namespace
|
|
||||||
metadata:
|
|
||||||
name: wordpress
|
|
||||||
@@ -1,22 +0,0 @@
|
|||||||
apiVersion: postgresql.cnpg.io/v1
|
|
||||||
kind: Cluster
|
|
||||||
metadata:
|
|
||||||
name: wordpress-db
|
|
||||||
namespace: wordpress
|
|
||||||
spec:
|
|
||||||
instances: 2
|
|
||||||
storage:
|
|
||||||
size: 20Gi
|
|
||||||
storageClass: longhorn-fast
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
memory: "512Mi"
|
|
||||||
cpu: "250m"
|
|
||||||
limits:
|
|
||||||
memory: "1Gi"
|
|
||||||
cpu: "750m"
|
|
||||||
bootstrap:
|
|
||||||
initdb:
|
|
||||||
database: postgres
|
|
||||||
affinity:
|
|
||||||
enablePodAntiAffinity: false
|
|
||||||
@@ -1,17 +0,0 @@
|
|||||||
apiVersion: traefik.io/v1alpha1
|
|
||||||
kind: Middleware
|
|
||||||
metadata:
|
|
||||||
name: wordpress-security-headers
|
|
||||||
namespace: wordpress
|
|
||||||
spec:
|
|
||||||
headers:
|
|
||||||
customResponseHeaders:
|
|
||||||
X-Frame-Options: "DENY"
|
|
||||||
X-Content-Type-Options: "nosniff"
|
|
||||||
X-XSS-Protection: "1; mode=block"
|
|
||||||
X-Powered-By: "" # Removes the X-Powered-By header
|
|
||||||
# HSTS (Strict-Transport-Security) is often configured at the IngressRoute level or with a dedicated HSTS middleware.
|
|
||||||
# For simplicity, I'm keeping it commented out here but it can be added if needed.
|
|
||||||
# stsSeconds: 31536000 # 1 year
|
|
||||||
# stsIncludeSubdomains: true
|
|
||||||
# stsPreload: true
|
|
||||||
@@ -1,111 +0,0 @@
|
|||||||
apiVersion: networking.k8s.io/v1
|
|
||||||
kind: NetworkPolicy
|
|
||||||
metadata:
|
|
||||||
name: default-deny-all
|
|
||||||
namespace: wordpress
|
|
||||||
spec:
|
|
||||||
podSelector: {} # Selects all pods in the namespace
|
|
||||||
policyTypes:
|
|
||||||
- Ingress
|
|
||||||
- Egress
|
|
||||||
# This policy creates a default-deny state.
|
|
||||||
# Specific policies below will allow necessary traffic.
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
apiVersion: networking.k8s.io/v1
|
|
||||||
kind: NetworkPolicy
|
|
||||||
metadata:
|
|
||||||
name: allow-traefik-ingress
|
|
||||||
namespace: wordpress
|
|
||||||
spec:
|
|
||||||
podSelector: {} # Apply to all pods in the namespace
|
|
||||||
policyTypes:
|
|
||||||
- Ingress
|
|
||||||
ingress:
|
|
||||||
- from:
|
|
||||||
- podSelector:
|
|
||||||
matchLabels:
|
|
||||||
app.kubernetes.io/name: traefik # Assuming Traefik pods have this label
|
|
||||||
# If Traefik is in a different namespace, specify that namespace:
|
|
||||||
# namespaceSelector:
|
|
||||||
# matchLabels:
|
|
||||||
# kubernetes.io/metadata.name: traefik # Example label for Traefik namespace
|
|
||||||
ports:
|
|
||||||
- protocol: TCP
|
|
||||||
port: 80
|
|
||||||
- protocol: TCP
|
|
||||||
port: 443
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
apiVersion: networking.k8s.io/v1
|
|
||||||
kind: NetworkPolicy
|
|
||||||
metadata:
|
|
||||||
name: allow-wordpress-to-cnpg
|
|
||||||
namespace: wordpress
|
|
||||||
spec:
|
|
||||||
podSelector:
|
|
||||||
matchLabels:
|
|
||||||
app: wordpress # Label for WordPress pods
|
|
||||||
policyTypes:
|
|
||||||
- Egress
|
|
||||||
egress:
|
|
||||||
- to:
|
|
||||||
- podSelector:
|
|
||||||
matchLabels:
|
|
||||||
app.kubernetes.io/name: cloudnativepg # Label for CNPG pods
|
|
||||||
ports:
|
|
||||||
- protocol: TCP
|
|
||||||
port: 5432 # Default PostgreSQL port
|
|
||||||
# Allow DNS
|
|
||||||
- to:
|
|
||||||
- namespaceSelector: {}
|
|
||||||
podSelector:
|
|
||||||
matchLabels:
|
|
||||||
k8s-app: kube-dns
|
|
||||||
ports:
|
|
||||||
- protocol: UDP
|
|
||||||
port: 53
|
|
||||||
- protocol: TCP
|
|
||||||
port: 53
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
apiVersion: networking.k8s.io/v1
|
|
||||||
kind: NetworkPolicy
|
|
||||||
metadata:
|
|
||||||
name: allow-wordpress-ingress # Fixed syntax for ingress rule
|
|
||||||
namespace: wordpress
|
|
||||||
spec:
|
|
||||||
podSelector:
|
|
||||||
matchLabels:
|
|
||||||
app: wordpress # Label for WordPress pods
|
|
||||||
policyTypes:
|
|
||||||
- Ingress
|
|
||||||
ingress:
|
|
||||||
- from: [] # Empty from means allow from all sources (will be restricted by Traefik Ingress)
|
|
||||||
ports:
|
|
||||||
- protocol: TCP
|
|
||||||
port: 80
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
apiVersion: networking.k8s.io/v1
|
|
||||||
kind: NetworkPolicy
|
|
||||||
metadata:
|
|
||||||
name: allow-egress-to-apiserver
|
|
||||||
namespace: wordpress
|
|
||||||
spec:
|
|
||||||
podSelector:
|
|
||||||
matchLabels:
|
|
||||||
cnpg.io/cluster: wordpress-db # Targets all components of the wordpress-db cluster
|
|
||||||
policyTypes:
|
|
||||||
- Egress
|
|
||||||
egress:
|
|
||||||
- to:
|
|
||||||
- ipBlock:
|
|
||||||
cidr: 10.96.0.1/32 # Kubernetes API Server IP
|
|
||||||
ports:
|
|
||||||
- protocol: TCP
|
|
||||||
port: 443
|
|
||||||
@@ -1,18 +0,0 @@
|
|||||||
apiVersion: networking.k8s.io/v1
|
|
||||||
kind: NetworkPolicy
|
|
||||||
metadata:
|
|
||||||
name: allow-egress-to-apiserver
|
|
||||||
namespace: wordpress
|
|
||||||
spec:
|
|
||||||
podSelector:
|
|
||||||
matchLabels:
|
|
||||||
cnpg.io/cluster: wordpress-db # Targets all components of the wordpress-db cluster
|
|
||||||
policyTypes:
|
|
||||||
- Egress
|
|
||||||
egress:
|
|
||||||
- to:
|
|
||||||
- ipBlock:
|
|
||||||
cidr: 10.96.0.1/32 # Kubernetes API Server IP
|
|
||||||
ports:
|
|
||||||
- protocol: TCP
|
|
||||||
port: 443
|
|
||||||
30
traefik.crt
30
traefik.crt
@@ -1,30 +0,0 @@
|
|||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIIFETCCAvmgAwIBAgIUMDt3pOo2RwsQAXk85yPNqSEbQEcwDQYJKoZIhvcNAQEL
|
|
||||||
BQAwGDEWMBQGA1UEAwwNdHJhZWZpay5sb2NhbDAeFw0yNjAxMTQxNTExMzRaFw0y
|
|
||||||
NzAxMTQxNTExMzRaMBgxFjAUBgNVBAMMDXRyYWVmaWsubG9jYWwwggIiMA0GCSqG
|
|
||||||
SIb3DQEBAQUAA4ICDwAwggIKAoICAQDzXfA5UbbiUUaN0syLqefYdwipB3esJ+8Q
|
|
||||||
lTT6I2EahM395Lcnqmd6Qfrgaao0AyQ42eYQT65MxACw4UDhg7FxIgDvPDoClnW1
|
|
||||||
jyL4rwLA9I2fj83xhOwemvwPPeeSPkJqAEHa9stazLezEo6vDcdtB2clobcs5uQJ
|
|
||||||
eJs4Ne27TVYOOvo3BF+s7eb4sBz3EwRWAZQ51+ZAayMP3E9XEWUzbAYCjA/yyQ6X
|
|
||||||
fBVJdHJQThBK5tFvexO7G5y4ouIsyoAEzxk+960pbFBXMUUL1hqWX2w1BebC9TNC
|
|
||||||
XOaDwMxBooJPN9JAmSUr7gSI7fLpGDf3x5gZAQryvRnSUkCbyn0Kz2e/D4Vp1kUu
|
|
||||||
0aJ2DiPE81561Hdu7xJl7545juTxHBy9+XwBrxiISB3d1djCiezsc10FrPhL1PWM
|
|
||||||
yowihKwVuTLbDQw4ZogGV+jk6k6+99kyRMJjLEd/e/GAX61K50dUuwslyacwZsc1
|
|
||||||
XR9Br+zdzpqveBt4XAry2MlBF0VcLuan3wM7edywKcurKbVaK/fJsZTF2Ih26DK3
|
|
||||||
ZI8D23mV8bv4eR7vFNTvFGSiHeUrgtV6AX63Vgo9cse+UnhXHri3cFdtVZK8eUBE
|
|
||||||
H9xglGxeff4xKqF6Noc48prre41eK397llT2tznreYnM6S4n3Y01lfmFTZFd48ws
|
|
||||||
bMhYKFO/RQIDAQABo1MwUTAdBgNVHQ4EFgQURlSlwEmkAXn6rWnxeZstYGTMKUow
|
|
||||||
HwYDVR0jBBgwFoAURlSlwEmkAXn6rWnxeZstYGTMKUowDwYDVR0TAQH/BAUwAwEB
|
|
||||||
/zANBgkqhkiG9w0BAQsFAAOCAgEAL5K8ZzauZy/9mOAgE1OKQ5ZLekz372D+OI93
|
|
||||||
vED+r+qf8pRCjosBb0Ag2cLO2H5Qnj0If72c3GZOUp+H4t1PQ+T9vji7Hr6fy6sj
|
|
||||||
M6quYOh6zIR5VK885K2EYyuVWbRE+uces06b9tVceeLgVrUjbuK7+0C0qU8x8L9d
|
|
||||||
FqXK8p2leIwawDYrNGTDnr+ZsOK09nN3iGnU5XW7WZnfmWar9v2qlkTlJywyaNyU
|
|
||||||
NmuEO5LxRfqUWINabxKfltssxGe74ku/ot2BJRNUuIM6lt+fH1bwrjqaxOUN6mW7
|
|
||||||
Va4OIat3IBsGZuALSyYiXq9Lg+Ec2DmV95j/wf8iQtKzSUdU+U3mw8SxSwSsrLO3
|
|
||||||
B1dVtbZKOSflJkLb8gfraz7XJpL8WuQ0n4rH2GL28HVJbNh/1ytlA4tDFWNp4Onv
|
|
||||||
Y4+Jy7mEPtB+bV1NHD5KQfYFwyBRqGxL7BB9F5VJSH9+R7Rc7HKlaOjcUzyq3SnL
|
|
||||||
P10Jsv3I68cuDmwm4CHNamEVYmipKhhncn8k06uHk9Xut0aKZDJ7OfMr5G6NQBEQ
|
|
||||||
/0Pf4uCKt3KfWoT+4vHy2PYzXQSTABzqGAC27Xe1ZVOudllLDiT//bFMORYx8nRn
|
|
||||||
h+P+CRbODiPbZedK0tsjO8+ZPCFGxFpQhVf7a8MRDXl0FG1GlHA73nKiaTAbEp7b
|
|
||||||
OrnPKRk=
|
|
||||||
-----END CERTIFICATE-----
|
|
||||||
52
traefik.key
52
traefik.key
@@ -1,52 +0,0 @@
|
|||||||
-----BEGIN PRIVATE KEY-----
|
|
||||||
MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDzXfA5UbbiUUaN
|
|
||||||
0syLqefYdwipB3esJ+8QlTT6I2EahM395Lcnqmd6Qfrgaao0AyQ42eYQT65MxACw
|
|
||||||
4UDhg7FxIgDvPDoClnW1jyL4rwLA9I2fj83xhOwemvwPPeeSPkJqAEHa9stazLez
|
|
||||||
Eo6vDcdtB2clobcs5uQJeJs4Ne27TVYOOvo3BF+s7eb4sBz3EwRWAZQ51+ZAayMP
|
|
||||||
3E9XEWUzbAYCjA/yyQ6XfBVJdHJQThBK5tFvexO7G5y4ouIsyoAEzxk+960pbFBX
|
|
||||||
MUUL1hqWX2w1BebC9TNCXOaDwMxBooJPN9JAmSUr7gSI7fLpGDf3x5gZAQryvRnS
|
|
||||||
UkCbyn0Kz2e/D4Vp1kUu0aJ2DiPE81561Hdu7xJl7545juTxHBy9+XwBrxiISB3d
|
|
||||||
1djCiezsc10FrPhL1PWMyowihKwVuTLbDQw4ZogGV+jk6k6+99kyRMJjLEd/e/GA
|
|
||||||
X61K50dUuwslyacwZsc1XR9Br+zdzpqveBt4XAry2MlBF0VcLuan3wM7edywKcur
|
|
||||||
KbVaK/fJsZTF2Ih26DK3ZI8D23mV8bv4eR7vFNTvFGSiHeUrgtV6AX63Vgo9cse+
|
|
||||||
UnhXHri3cFdtVZK8eUBEH9xglGxeff4xKqF6Noc48prre41eK397llT2tznreYnM
|
|
||||||
6S4n3Y01lfmFTZFd48wsbMhYKFO/RQIDAQABAoICABbbpmID2k0UfC968qpViYir
|
|
||||||
2Xzizis1zv78PK8X3pl6isyDjG5l03VIuDMWyZ08BE1wreqvSTw9lqEGby0fTO3G
|
|
||||||
11ahDgPLNQAaExtPeM89yQWJILtEFFdlkDIwSs1SGrPRFV5nGr+LBeAEaLFpdmc3
|
|
||||||
sEj5EPbfMuDu2olji1Ix19jbUkAToZbg+3Y1OGs+doRLfqwWKrK3PWJSe4M+h4ZW
|
|
||||||
aZQYqrDPkJbK2Ub+cHQ5eM9IMbiqUzaaR9SRu/OgC3koKINhCPsgiMU/w+/yKqog
|
|
||||||
CU5LoRqDpE5h4mbSl3y8skeVgyJ9H+Ap6XQhAVVCaJNVxGPo1Knq9/9oqVfYo3jP
|
|
||||||
D+3j/BrcCWpk2HNVRBpG4bFjaJCKt+BDjgZR5ZwA9GSX1kvrP/LQNhHeWGT02Azu
|
|
||||||
jFaPWQCpX/2V05+snTonaTCYEY09oA2dAAn+tUyA43uiefLVMeueNzyL3NRcKk3J
|
|
||||||
Hrg4XEXpXlI+7nL8ZhHy8GMyBqnbHUN+z0qSp7xeaV1q1gTfUPJoK+LRKkR7A29A
|
|
||||||
jxHYI0SdPxipAoQq85phADXDxPOMmQKBbxm3mlXJGrYDKrf2ZTu5yjJ7xBlF7Ze7
|
|
||||||
BsFkvLEKDjVnqQNN/auElYqXPbMSGtDbXG2GWPNGuscPYjB8SR0fCrAy9FxLSkje
|
|
||||||
gw2hvZjhk0Q7UODxC1qbAoIBAQD+GEgQSjBev5vcf4EkQTXuLHKIM90TA9fmVYv2
|
|
||||||
MvELgVsXFt/w34Ks8gh879MoB/oLmUgr03cznOrJaDV6jx0koMTIIGXPHCzhC6JN
|
|
||||||
YGszqiC+v2Ot5T+VKyHKLhK2Lwlkq8fqFAqkbm2bo4POcM09jdKwztCuZjYQCfnp
|
|
||||||
NeVh885qtvGmHcIEgCwwES2VgZ/uKEZp3X8Ic4WNPWfz3qP+KhIWehU1EBwOCd80
|
|
||||||
iMsBkEfhdmkGwzYKPL5yDTQ+BZoBQUY/jlsfkdmGqISdHP9XNyl0uQS4aWaSAHHh
|
|
||||||
h5rZHU7zHoa1Y4jyQvrMrXZ4RiC/AqhRSpJFoTEdt1oKOf5HAoIBAQD1MRC70Oi8
|
|
||||||
sX6mv4Ko/QHjp8JXXsAIP5a7MFqWo71KlgpFEbGoxLdUTwj2aqir5r6aM1wzHuIM
|
|
||||||
OSGF/LUnr9oBv3B8RRSF8RcTcJwPbv6Fsnz4S1mHC2YtpfX75M/N1huTZ2ZlTc6/
|
|
||||||
3NHvPmbSKCURy5VKefiOl6yKahaV6mhM/attit7zYbMa/U86pCBj+e0gjHEooKof
|
|
||||||
g7n/nGt/JMcMWmjPCUZbQ6/NKl3STDQchYIQXVmDW/wTD3LUZVqQZbDXLxaooo1H
|
|
||||||
VJC9qJm8VpDxipLQPhPPAu+rWPThWS9csf332zfHtoLLfYACUe/QbZCzHjNFIXGM
|
|
||||||
0bgjtJelWyATAoIBAQC8qSK4lZ0cfIApU7J7TL/SO8Y+QuPefngLWXE2N9Spij4s
|
|
||||||
Apv7qLjJ2FtdCGRr0KBjhEgF4lkbRWM+b9VlTmWBEK2LOiLdiDn6Tj0P3os6LRNr
|
|
||||||
DYfhUdnH0+Kez16tTndW/ATPVFoihKt1aA8xdKevEGJjTOu80b9KYV3hPlc2R2P3
|
|
||||||
8CW0BVxNIy2r8tU5sKkil1zQtdjgWYXLvNA2ThTNXkdX0QV2BKQP+Fx2EStJ2erF
|
|
||||||
CLoqfz7ckwWEgTFM67PRQrn57qTR5+TvCqiMTz93bkmllMpgckHqHdJwddMPaad4
|
|
||||||
9C1o+KJx3jGBTzorS0Z9DGgVE51PfcOOINkFxtF5AoIBAQCUtExEzF/KyQ9aDD4v
|
|
||||||
RTsXGhB4ssNefUpqftoCEI5mJPdXinKoO55AaKqz4F4p24jvtoSNkIZiCWg2fdxU
|
|
||||||
lIdwle2fwLnAvkZTiPFtPtDovyah4/kJOTWgK84zFkOdv+P7kzN77yOcI03DfqIX
|
|
||||||
hTduQn1prO29dWm0jMDj7UWSpCqLBjVPgIqCrOyXUSE/4T0ah3K9xCtJb7enufNM
|
|
||||||
Kj76U/7KygI8qaF+mdpLB+J3BdWrHSKD047e9HidLlctyi7lYu6oGeX7Q+OA0zdi
|
|
||||||
DVJc28FMwMl8vHglAI+L+G4MFvtDjlWXLy7GQXgYcB801q5yo7dOjwjx8eNu7EEo
|
|
||||||
jUq3AoIBAQC/nwehwfzc6zbiAgsgKaADh8+gQsI2SPbQecOVUYzClWHu/pUsHH/r
|
|
||||||
heFwww0RhLiGYC9MQapHT94apMqI10SzbRbTCzL9zMRSBHLloPDlIpM2bcZssuAz
|
|
||||||
LEX8vgfdGBb5+ca3HphgzDTAgVkP+ndBJ8hZmJZoGAxH8R9/CiFTLE15tI000v4l
|
|
||||||
YJ5/W+g4rtNDouVYmeux6hDWhIiWnc3IeZaRJ8xGPhHJWaId2NjmwkuTrk+pYeux
|
|
||||||
gBDc2WQT7yWMgnXrEpxzbsZMzMEcCCyP2rN6QK1WzzRPjikSNVYet6MwyTjKv1N7
|
|
||||||
REsrP+0hR8mCJm2lhpqPn07LFzAqmfIg
|
|
||||||
-----END PRIVATE KEY-----
|
|
||||||
@@ -1,10 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: virtualinsanity-db-secret
|
|
||||||
namespace: wordpress
|
|
||||||
type: Opaque
|
|
||||||
data:
|
|
||||||
password: "Y2V2MTRqODQ/N0hZckh3Ww=="
|
|
||||||
dbname: "dmlydHVhbGluc2FuaXR5ZGI="
|
|
||||||
username: "d2VnYXBwY29ubmVjdA=="
|
|
||||||
@@ -1,6 +0,0 @@
|
|||||||
apiVersion: postgresql.cnpg.io/v1
|
|
||||||
kind: Database
|
|
||||||
metadata:
|
|
||||||
name: virtualinsanity-db
|
|
||||||
namespace: wordpress
|
|
||||||
spec: {}
|
|
||||||
@@ -1,34 +0,0 @@
|
|||||||
apiVersion: traefik.io/v1alpha1
|
|
||||||
kind: IngressRoute
|
|
||||||
metadata:
|
|
||||||
name: virtualinsanity-ingressroute
|
|
||||||
namespace: wordpress
|
|
||||||
spec:
|
|
||||||
entryPoints:
|
|
||||||
- websecure
|
|
||||||
routes:
|
|
||||||
- match: Host(`virtualinsanity.giaco.net`)
|
|
||||||
kind: Rule
|
|
||||||
services:
|
|
||||||
- name: virtualinsanity-wordpress-svc
|
|
||||||
port: 80
|
|
||||||
middlewares:
|
|
||||||
- name: wordpress-security-headers
|
|
||||||
namespace: wordpress
|
|
||||||
tls:
|
|
||||||
secretName: virtualinsanity-tls-secret
|
|
||||||
kind: Ingress
|
|
||||||
metadata:
|
|
||||||
name: virtualinsanity-ingress
|
|
||||||
namespace: wordpress
|
|
||||||
annotations:
|
|
||||||
kubernetes.io/ingress.class: "traefik"
|
|
||||||
spec:
|
|
||||||
rules:
|
|
||||||
- host: virtualinsanity.giaco.net
|
|
||||||
http:
|
|
||||||
paths:
|
|
||||||
- path: /
|
|
||||||
backend:
|
|
||||||
serviceName: virtualinsanity-wordpress
|
|
||||||
servicePort: 80
|
|
||||||
@@ -1,39 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: virtualinsanity-nginx-conf
|
|
||||||
namespace: wordpress
|
|
||||||
data:
|
|
||||||
default.conf: |
|
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
server_name virtualinsanity.giaco.net;
|
|
||||||
|
|
||||||
root /var/www/html;
|
|
||||||
index index.php index.html index.htm;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
try_files $uri $uri/ /index.php?$args;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ \.php$ {
|
|
||||||
include fastcgi_params;
|
|
||||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
||||||
fastcgi_pass wordpress:9000; # Assumes 'wordpress' is the container name in the same pod
|
|
||||||
|
|
||||||
location ~ /\.ht {
|
|
||||||
deny all;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~* /(wp-config\.php|readme\.html|license\.txt) {
|
|
||||||
deny all;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
|
|
||||||
expires 1y;
|
|
||||||
log_not_found off;
|
|
||||||
access_log off;
|
|
||||||
}
|
|
||||||
|
|
||||||
error_page 404 /index.php;
|
|
||||||
@@ -1,116 +0,0 @@
|
|||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: virtualinsanity-wordpress
|
|
||||||
namespace: wordpress
|
|
||||||
labels:
|
|
||||||
app: wordpress
|
|
||||||
site: virtualinsanity
|
|
||||||
spec:
|
|
||||||
replicas: 1
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
app: wordpress
|
|
||||||
site: virtualinsanity
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: wordpress
|
|
||||||
site: virtualinsanity
|
|
||||||
spec:
|
|
||||||
initContainers:
|
|
||||||
- name: volume-permissions
|
|
||||||
image: alpine:latest
|
|
||||||
command: ["sh", "-c", "chown -R 33:33 /var/www/html/wp-content"]
|
|
||||||
securityContext:
|
|
||||||
runAsNonRoot: false # Allow initContainer to run as root for chown
|
|
||||||
runAsUser: 0
|
|
||||||
runAsGroup: 0
|
|
||||||
allowPrivilegeEscalation: true
|
|
||||||
readOnlyRootFilesystem: false
|
|
||||||
volumeMounts:
|
|
||||||
- name: wp-content
|
|
||||||
mountPath: /var/www/html/wp-content
|
|
||||||
containers:
|
|
||||||
- name: wordpress
|
|
||||||
image: wordpress:php8.2-fpm-alpine
|
|
||||||
ports:
|
|
||||||
- containerPort: 9000
|
|
||||||
securityContext:
|
|
||||||
runAsNonRoot: true
|
|
||||||
runAsUser: 33
|
|
||||||
runAsGroup: 33
|
|
||||||
allowPrivilegeEscalation: false
|
|
||||||
readOnlyRootFilesystem: false
|
|
||||||
volumeMounts:
|
|
||||||
- name: wp-content
|
|
||||||
mountPath: /var/www/html/wp-content
|
|
||||||
- name: tmp-dir
|
|
||||||
mountPath: /tmp
|
|
||||||
- name: run-dir
|
|
||||||
mountPath: /var/run
|
|
||||||
- name: php-session-save-path
|
|
||||||
mountPath: /var/lib/php/sessions
|
|
||||||
- name: nginx-cache
|
|
||||||
mountPath: /var/cache/nginx
|
|
||||||
env:
|
|
||||||
- name: WORDPRESS_DB_HOST
|
|
||||||
value: "wordpress-db-rw.wordpress.svc.cluster.local"
|
|
||||||
- name: WORDPRESS_DB_NAME
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: virtualinsanity-db-secret
|
|
||||||
key: dbname
|
|
||||||
- name: WORDPRESS_DB_USER
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: virtualinsanity-db-secret
|
|
||||||
key: username
|
|
||||||
- name: WORDPRESS_DB_PASSWORD
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: virtualinsanity-db-secret
|
|
||||||
key: password
|
|
||||||
- name: WP_HOME
|
|
||||||
value: "https://virtualinsanity.giaco.net"
|
|
||||||
- name: WP_SITEURL
|
|
||||||
value: "https://virtualinsanity.giaco.net"
|
|
||||||
|
|
||||||
- name: nginx
|
|
||||||
image: nginx:alpine
|
|
||||||
ports:
|
|
||||||
- containerPort: 80
|
|
||||||
securityContext:
|
|
||||||
runAsNonRoot: true
|
|
||||||
runAsUser: 101 # Specify a non-root user ID
|
|
||||||
runAsGroup: 101 # Specify a non-root group ID
|
|
||||||
allowPrivilegeEscalation: false # Prevent privilege escalation
|
|
||||||
readOnlyRootFilesystem: false # Allow filesystem modifications for Nginx container
|
|
||||||
volumeMounts:
|
|
||||||
- name: wp-content
|
|
||||||
mountPath: /var/www/html/wp-content
|
|
||||||
- name: tmp-dir
|
|
||||||
mountPath: /tmp
|
|
||||||
- name: run-dir
|
|
||||||
mountPath: /var/run
|
|
||||||
- name: nginx-cache
|
|
||||||
mountPath: /var/cache/nginx
|
|
||||||
- name: nginx-conf
|
|
||||||
mountPath: /etc/nginx/conf.d/default.conf
|
|
||||||
subPath: default.conf
|
|
||||||
|
|
||||||
volumes:
|
|
||||||
- name: wp-content
|
|
||||||
persistentVolumeClaim:
|
|
||||||
claimName: virtualinsanity-wp-content
|
|
||||||
- name: tmp-dir
|
|
||||||
emptyDir: {}
|
|
||||||
- name: run-dir
|
|
||||||
emptyDir: {}
|
|
||||||
- name: php-session-save-path
|
|
||||||
emptyDir: {}
|
|
||||||
- name: nginx-cache
|
|
||||||
emptyDir: {}
|
|
||||||
- name: nginx-conf
|
|
||||||
configMap:
|
|
||||||
name: virtualinsanity-nginx-conf
|
|
||||||
@@ -1,14 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: virtualinsanity-wordpress-svc
|
|
||||||
namespace: wordpress
|
|
||||||
spec:
|
|
||||||
selector:
|
|
||||||
app: wordpress
|
|
||||||
site: virtualinsanity
|
|
||||||
ports:
|
|
||||||
- protocol: TCP
|
|
||||||
port: 80
|
|
||||||
targetPort: 80
|
|
||||||
type: ClusterIP
|
|
||||||
@@ -1,12 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
kind: PersistentVolumeClaim
|
|
||||||
metadata:
|
|
||||||
name: virtualinsanity-wp-content
|
|
||||||
namespace: wordpress
|
|
||||||
spec:
|
|
||||||
accessModes:
|
|
||||||
- ReadWriteOnce
|
|
||||||
storageClassName: longhorn-fast
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
storage: 20Gi
|
|
||||||
@@ -1,26 +0,0 @@
|
|||||||
apiVersion: traefik.containo.us/v1alpha1
|
|
||||||
kind: Middleware
|
|
||||||
metadata:
|
|
||||||
name: wordpress-security-headers
|
|
||||||
namespace: wordpress
|
|
||||||
spec:
|
|
||||||
headers:
|
|
||||||
customResponseHeaders:
|
|
||||||
X-Content-Type-Options: nosniff
|
|
||||||
X-Frame-Options: SAMEORIGIN
|
|
||||||
X-XSS-Protection: "1; mode=block"
|
|
||||||
Referrer-Policy: no-referrer-when-downgrade
|
|
||||||
Content-Security-Policy: default-src 'self'
|
|
||||||
apiVersion: traefik.io/v1alpha1
|
|
||||||
kind: Middleware
|
|
||||||
metadata:
|
|
||||||
name: wordpress-security-headers
|
|
||||||
namespace: wordpress
|
|
||||||
spec:
|
|
||||||
headers:
|
|
||||||
customResponseHeaders:
|
|
||||||
X-Frame-Options: "SAMEORIGIN"
|
|
||||||
X-XSS-Protection: "1; mode=block"
|
|
||||||
X-Content-Type-Options: "nosniff"
|
|
||||||
Referrer-Policy: "no-referrer-when-downgrade"
|
|
||||||
Content-Security-Policy: "default-src 'self'; script-src 'self' https://*.google-analytics.com; object-src 'none'"
|
|
||||||