- Add namespace.yaml with istio ambient + waypoint labels
- Add waypoint Gateway (istio-waypoint) scoped to irc namespace
- Switch thelounge HTTPRoute from Cilium external to istio-external gateway
- Add AuthorizationPolicy for thelounge (allow inbound from gateway-system only)
- Add AuthorizationPolicy for znc (allow all on port 6501 for IRC clients)
- Add namespace: irc to root kustomization, remove dependency on targetNamespace
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
LinuxServer s6-overlay requires starting as root to fix directory
permissions (/run, etc.) before dropping privileges. Setting PUID/PGID
forces immediate UID 1000 start, causing permission errors:
"fatal: /run belongs to uid 0 instead of 1000"
Let the container run as root with existing Polaris exemptions.
The s6-overlay init system handles privilege management internally.
Fixes CrashLoopBackOff in znc-0 pod.
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
LinuxServer.io containers need to run init scripts with elevated
permissions before dropping to the specified PUID/PGID. Reverted to:
- Remove restrictive securityContext settings
- Use PUID/PGID environment variables (LinuxServer standard)
- Add Polaris exemptions for runAsRoot and runAsPrivileged
- Add Checkov exemption for high UID requirement
This fixes container startup issues introduced by security hardening.
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
- Fix indentation in service.yaml files (thelounge and znc)
- Fix indentation in statefulset.yaml (thelounge)
- Add missing newlines at end of files
- Resolves yamllint errors from CI/CD workflows
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Removed serviceName field from both StatefulSets since stable pod DNS
is not required for single-replica IRC applications. StatefulSets only
need serviceName when using headless Services for stable network identities.
Also removed statefulset-has-servicename ignore since it's now properly fixed.
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
- Remove Flux validation job (repo doesn't contain Flux resources)
- Fix trailing spaces in best-practices workflow
- Add missing newline at end of znc/statefulset.yaml
Flux validates Kustomization CRDs, not plain manifests. Since this
repo only contains the manifests deployed by Flux (not the Flux
resources themselves), the validation doesn't apply.
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Instead of just skipping security checks, properly fix the issues:
**Pod & Container Security Context:**
- Add runAsUser: 1000 (non-root)
- Add runAsGroup: 1000
- Add fsGroup: 1000 for volume permissions
- Add seccompProfile: RuntimeDefault
- Drop ALL capabilities (principle of least privilege)
**Resource Management:**
- Add ephemeral-storage requests (1Gi) and limits (2Gi)
**Health Checks:**
- Change thelounge liveness probe from TCP to HTTP
- Reduces false positives and provides better health signals
**Reduced Exceptions:**
- Removed 6+ security check exceptions
- Now only skip: image tags (intentional), read-only FS (apps need writes)
- Removed Polaris runAsRootAllowed exemptions
**Note:** If containers fail to start post-merge, may need to adjust UIDs
or add specific capabilities. LinuxServer images may need tweaking.
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Chris Farhood