Delete .gitea/workflows/best-practices.yaml

Replace CiliumNetworkPolicies with Istio AuthorizationPolicies, point
the thelounge HTTPRoute at the istio-external gateway, and give each
workload a dedicated ServiceAccount for precise mTLS identity.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitea/workflows/best-practices.yaml

@@ -1,284 +0,0 @@
-name: Best Practices
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - main
-
-jobs:
-  kube-score:
-    name: Kube-score Analysis
-    runs-on: ubuntu-latest
-    container:
-      image: catthehacker/ubuntu:act-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Install kubectl and kube-score
-        run: |
-          # Install kubectl
-          curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
-          chmod +x kubectl
-          mv kubectl /usr/local/bin/
-
-          # Install kube-score
-          wget https://github.com/zegl/kube-score/releases/download/v1.18.0/kube-score_1.18.0_linux_amd64.tar.gz
-          tar -xzf kube-score_1.18.0_linux_amd64.tar.gz
-          chmod +x kube-score
-          mv kube-score /usr/local/bin/
-
-      - name: Run kube-score
-        run: |
-          if [ -f "kustomization.yaml" ]; then
-            kubectl kustomize . | kube-score score - \
-              --ignore-test pod-networkpolicy \
-              --ignore-test deployment-has-poddisruptionbudget \
-              --ignore-test container-security-context-readonlyrootfilesystem \
-              --ignore-test container-image-tag \
-              --ignore-test container-security-context-user-group-id \
-              --ignore-test probe-not-identical \
-              --ignore-test container-security-context \
-              --ignore-test container-seccomp-profile \
-              --ignore-test container-ephemeral-storage-request-and-limit \
-              --ignore-test statefulset-has-poddisruptionbudget \
-              --ignore-test container-security-context-privileged \
-              --ignore-test container-security-context-privilege-escalation \
-              --ignore-test pod-probes \
-              --output-format ci
-          fi
-
-  polaris:
-    name: Polaris Audit
-    runs-on: ubuntu-latest
-    container:
-      image: catthehacker/ubuntu:act-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Install kubectl and polaris
-        run: |
-          # Install kubectl
-          curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
-          chmod +x kubectl
-          mv kubectl /usr/local/bin/
-
-          # Install polaris
-          wget https://github.com/FairwindsOps/polaris/releases/download/9.5.0/polaris_linux_amd64.tar.gz
-          tar -xzf polaris_linux_amd64.tar.gz
-          chmod +x polaris
-          mv polaris /usr/local/bin/
-
-      - name: Run Polaris audit
-        run: |
-          if [ -f "kustomization.yaml" ]; then
-            kubectl kustomize . > manifests.yaml
-            polaris audit --audit-path manifests.yaml \
-              --format pretty \
-              --set-exit-code-on-danger \
-              --set-exit-code-below-score 70
-          fi
-
-  resource-analysis:
-    name: Resource Usage Analysis
-    runs-on: ubuntu-latest
-    container:
-      image: catthehacker/ubuntu:act-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Install kubectl and yq
-        run: |
-          curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
-          chmod +x kubectl
-          mv kubectl /usr/local/bin/
-
-          wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O yq
-          chmod +x yq
-          mv yq /usr/local/bin/
-
-      - name: Analyze resource requests and limits
-        run: |
-          echo "# Resource Analysis Report"
-          echo ""
-          echo "## Applications Resource Configuration"
-          echo ""
-          echo "| Application | Container | CPU Request | CPU Limit | Memory Request | Memory Limit |"
-          echo "|-------------|-----------|-------------|-----------|----------------|--------------|"
-
-          # Find all directories with kustomization.yaml
-          find . -maxdepth 2 -name "kustomization.yaml" | while read config; do
-            app_dir=$(dirname "$config")
-            if [ "$app_dir" != "." ]; then
-               manifests=$(kubectl kustomize "$app_dir" 2>/dev/null)
-               if [ -n "$manifests" ]; then
-                 echo "$manifests" | yq eval-all '
-                   select(.kind == "Deployment" or .kind == "StatefulSet") |
-                   .spec.template.spec.containers[] |
-                   "| '"$app_dir"' | \(.name) | \(.resources.requests.cpu // "none") | \(.resources.limits.cpu // "none") | \(.resources.requests.memory // "none") | \(.resources.limits.memory // "none") |"
-                 ' - 2>/dev/null || true
-               fi
-            fi
-          done
-
-  pr-summary:
-    name: PR Summary Report
-    runs-on: ubuntu-latest
-    if: github.event_name == 'pull_request'
-    needs: [kube-score, polaris, resource-analysis]
-    container:
-      image: catthehacker/ubuntu:act-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Generate PR summary
-        env:
-          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
-          GITEA_API: ${{ github.server_url }}/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments
-        run: |
-          cat > summary.md << EOF
-          ## Best Practices Validation Summary
-
-          ✅ All validation checks completed
-
-          ### Checks Run:
-          - **kube-score**: Kubernetes best practices analysis
-          - **Polaris**: Security and reliability audit
-          - **Resource Analysis**: CPU and memory configuration review
-
-          See individual job logs for detailed results.
-
-          ---
-          *Automated by Gitea Actions*
-          EOF
-
-          if [ -n "${GITEA_TOKEN}" ]; then
-            jq -n --rawfile body summary.md '{body: $body}' > comment-payload.json
-
-            curl -s -X POST \
-              -H "Authorization: token ${GITEA_TOKEN}" \
-              -H "Content-Type: application/json" \
-              -d @comment-payload.json \
-              "${GITEA_API}" || echo "Failed to post comment (token may not be configured)"
-          else
-            echo "GITEA_TOKEN not configured, skipping comment"
-            cat summary.md
-          fi
-
-  polaris-pr-review:
-    name: Polaris PR Review
-    runs-on: ubuntu-latest
-    if: github.event_name == 'pull_request'
-    container:
-      image: catthehacker/ubuntu:act-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Install tools
-        run: |
-          # Install kubectl
-          curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
-          chmod +x kubectl
-          mv kubectl /usr/local/bin/
-
-          # Install polaris
-          wget https://github.com/FairwindsOps/polaris/releases/download/9.5.0/polaris_linux_amd64.tar.gz
-          tar -xzf polaris_linux_amd64.tar.gz
-          chmod +x polaris
-          mv polaris /usr/local/bin/
-
-          # Install jq
-          apt-get update && apt-get install -y jq
-
-      - name: Run Polaris and post review
-        env:
-          GITEA_TOKEN: ${{ secrets.POLARIS_GITEA_TOKEN }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-          GITEA_API: ${{ github.server_url }}/api/v1/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews
-        run: |
-          if [ ! -f "kustomization.yaml" ]; then
-            echo "No root kustomization.yaml, skipping Polaris review"
-            exit 0
-          fi
-
-          kubectl kustomize . > manifests.yaml
-          if [ ! -s manifests.yaml ]; then
-             echo "Manifests are empty, skipping"
-             exit 0
-          fi
-
-          polaris audit --audit-path manifests.yaml --format json > polaris-results.json || true
-
-          DANGERS=$(jq '.Summary.Dangers // 0' polaris-results.json)
-          WARNINGS=$(jq '.Summary.Warnings // 0' polaris-results.json)
-          SCORE=$(jq '.Summary.Score // 0' polaris-results.json)
-
-          if [ "$DANGERS" -gt 0 ]; then
-             REVIEW_STATE="REQUEST_CHANGES"
-             VERDICT="BLOCKED: ${DANGERS} danger(s) detected. Score: ${SCORE}%"
-             EXIT_CODE=1
-          elif [ "$WARNINGS" -gt 0 ]; then
-             REVIEW_STATE="COMMENT"
-             VERDICT="WARNING: ${WARNINGS} warning(s) detected. Score: ${SCORE}%"
-             EXIT_CODE=0
-          else
-             REVIEW_STATE="APPROVED"
-             VERDICT="PASSED: No dangers or warnings. Score: ${SCORE}%"
-             EXIT_CODE=0
-          fi
-
-          DETAILS=$(jq -r '
-            .Results[]? |
-            .Name as $resName | .Kind as $resKind | .Namespace as $resNs |
-            (
-              (.PodResult?.Results[]? | {sev: .Severity, msg: .Message, check: .ID, target: "Pod"}),
-              (.PodResult?.ContainerResults[]? | .Name as $contName | .Results[]? | {sev: .Severity, msg: .Message, check: .ID, target: $contName})
-            ) |
-            select(.sev == "danger" or .sev == "warning") |
-            "| \(.sev) | \($resKind)/\($resName) | \(.target) | \(.check) | \(.msg) |"
-          ' polaris-results.json | head -c 4000)
-
-          cat > review-body.md << INTERNAL_EOF
-          ## Polaris Audit Results
-
-          **${VERDICT}**
-
-          ### Summary
-          | Metric | Value |
-          |--------|-------|
-          | Score | ${SCORE}% |
-          | Dangers | ${DANGERS} |
-          | Warnings | ${WARNINGS} |
-
-          <details>
-          <summary>Issues (click to expand)</summary>
-
-          | Severity | Resource | Container | Check | Message |
-          |----------|----------|-----------|-------|---------|
-          \${DETAILS}
-
-          </details>
-
-          ---
-          *Scanned by [Polaris](https://github.com/FairwindsOps/polaris)*
-          INTERNAL_EOF
-
-          jq -n \
-            --rawfile body review-body.md \
-            --arg event "$REVIEW_STATE" \
-            '{body: $body, event: $event}' > review-payload.json
-
-          curl -s -X POST \
-            -H "Authorization: token ${GITEA_TOKEN}" \
-            -H "Content-Type: application/json" \
-            -d @review-payload.json \
-            "${GITEA_API}" | jq .
-
-          exit $EXIT_CODE

.gitea/workflows/security.yaml

@@ -1,302 +0,0 @@
-name: Security Scan
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - main
-
-jobs:
-  trivy-scan:
-    name: Trivy Security Scan
-    runs-on: ubuntu-latest
-    container:
-      image: catthehacker/ubuntu:act-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Install Trivy
-        run: |
-          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
-
-      - name: Run Trivy config scan
-        run: |
-          trivy config \
-            --severity CRITICAL,HIGH \
-            --ignorefile .trivyignore \
-            --exit-code 0 \
-            --format table \
-            .
-
-  trivy-pr-review:
-    name: Trivy PR Review
-    runs-on: ubuntu-latest
-    if: github.event_name == 'pull_request'
-    container:
-      image: catthehacker/ubuntu:act-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Install Trivy and jq
-        run: |
-          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
-          apt-get update && apt-get install -y jq
-
-      - name: Get changed files
-        id: changed
-        run: |
-          CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}...HEAD -- '*.yaml' '*.yml' '*.tf' | tr '\n' ' ')
-          echo "files=${CHANGED_FILES}" >> $GITHUB_OUTPUT
-          echo "Changed files: ${CHANGED_FILES}"
-
-      - name: Run Trivy scan and post review
-        env:
-          GITEA_TOKEN: ${{ secrets.TRIVY_GITEA_TOKEN }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-          GITEA_API: ${{ github.server_url }}/api/v1/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews
-          CHANGED_FILES: ${{ steps.changed.outputs.files }}
-        run: |
-          if [ -z "${CHANGED_FILES}" ]; then
-            echo "No IaC files changed, skipping scan"
-            exit 0
-          fi
-
-          trivy config \
-            --severity CRITICAL,HIGH,MEDIUM,LOW \
-            --ignorefile .trivyignore \
-            --exit-code 0 \
-            --format json \
-            --output trivy-results.json \
-            .
-
-          CHANGED_FILES_JSON=$(echo "${CHANGED_FILES}" | tr ' ' '\n' | sed '/^$/d' | jq -R . | jq -s .)
-
-          CRITICAL=$(jq --argjson files "$CHANGED_FILES_JSON" \
-            '[.Results[]? | select(.Target as $t | $files | any(. as $f | $t | endswith($f))) | .Misconfigurations[]? | select(.Severity == "CRITICAL")] | length' \
-            trivy-results.json)
-          HIGH=$(jq --argjson files "$CHANGED_FILES_JSON" \
-            '[.Results[]? | select(.Target as $t | $files | any(. as $f | $t | endswith($f))) | .Misconfigurations[]? | select(.Severity == "HIGH")] | length' \
-            trivy-results.json)
-          MEDIUM=$(jq --argjson files "$CHANGED_FILES_JSON" \
-            '[.Results[]? | select(.Target as $t | $files | any(. as $f | $t | endswith($f))) | .Misconfigurations[]? | select(.Severity == "MEDIUM")] | length' \
-            trivy-results.json)
-          LOW=$(jq --argjson files "$CHANGED_FILES_JSON" \
-            '[.Results[]? | select(.Target as $t | $files | any(. as $f | $t | endswith($f))) | .Misconfigurations[]? | select(.Severity == "LOW")] | length' \
-            trivy-results.json)
-          TOTAL_FAILED=$(( CRITICAL + HIGH + MEDIUM + LOW ))
-
-          if [ "$CRITICAL" -gt 0 ]; then
-            REVIEW_STATE="REQUEST_CHANGES"
-            VERDICT="BLOCKED: ${CRITICAL} critical finding(s) detected"
-            EXIT_CODE=1
-          elif [ "$HIGH" -gt 0 ]; then
-            REVIEW_STATE="COMMENT"
-            VERDICT="WARNING: ${HIGH} high severity finding(s) detected"
-            EXIT_CODE=0
-          else
-            REVIEW_STATE="APPROVED"
-            VERDICT="PASSED: No critical or high severity findings"
-            EXIT_CODE=0
-          fi
-
-          DETAILS=$(jq -r --argjson files "$CHANGED_FILES_JSON" '
-            [.Results[]? | select(.Target as $t | $files | any(. as $f | $t | endswith($f))) |
-              .Target as $t | .Misconfigurations[]? |
-              "| \(.Severity) | \(.ID) | \(.Title) | \($t) |"
-            ] | join("\n")' trivy-results.json)
-
-          cat > review-body.md << EOF
-          ## Trivy Security Scan Results
-
-          **${VERDICT}**
-
-          > Scanned ${CHANGED_FILES:-"no files"}
-
-          ### Summary
-          | Severity | Count |
-          |----------|-------|
-          | Critical | ${CRITICAL} |
-          | High | ${HIGH} |
-          | Medium | ${MEDIUM} |
-          | Low | ${LOW} |
-          | **Total** | **${TOTAL_FAILED}** |
-
-          <details>
-          <summary>Failed Checks (click to expand)</summary>
-
-          | Severity | Check ID | Description | File |
-          |----------|----------|-------------|------|
-          ${DETAILS}
-
-          </details>
-
-          ---
-          *Scanned by [Trivy](https://github.com/aquasecurity/trivy)*
-          EOF
-
-          jq -n \
-            --rawfile body review-body.md \
-            --arg event "$REVIEW_STATE" \
-            '{body: $body, event: $event}' > review-payload.json
-
-          echo "Posting review to: ${GITEA_API}"
-          echo "Review state: ${REVIEW_STATE}"
-
-          curl -s -X POST \
-            -H "Authorization: token ${GITEA_TOKEN}" \
-            -H "Content-Type: application/json" \
-            -d @review-payload.json \
-            "${GITEA_API}" || echo "Failed to post review (token may not be configured)"
-
-          exit $EXIT_CODE
-
-  checkov-scan:
-    name: Checkov IaC Scan
-    runs-on: ubuntu-latest
-    container:
-      image: catthehacker/ubuntu:act-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Install Checkov
-        run: |
-          python3 -m venv /opt/checkov
-          /opt/checkov/bin/pip install checkov
-
-      - name: Run Checkov scan
-        run: |
-          /opt/checkov/bin/checkov -d . \
-            --config-file .checkov.yaml \
-            --output cli
-
-  checkov-pr-review:
-    name: Checkov PR Review
-    runs-on: ubuntu-latest
-    if: github.event_name == 'pull_request'
-    container:
-      image: catthehacker/ubuntu:act-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Install Checkov and jq
-        run: |
-          python3 -m venv /opt/checkov
-          /opt/checkov/bin/pip install checkov
-          apt-get update && apt-get install -y jq
-
-      - name: Get changed files
-        id: changed
-        run: |
-          CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}...HEAD -- '*.yaml' '*.yml' '*.tf' | tr '\n' ' ')
-          echo "files=${CHANGED_FILES}" >> $GITHUB_OUTPUT
-          echo "Changed files: ${CHANGED_FILES}"
-
-      - name: Run Checkov scan and post review
-        env:
-          GITEA_TOKEN: ${{ secrets.CHECKOV_GITEA_TOKEN }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-          GITEA_API: ${{ github.server_url }}/api/v1/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews
-          CHANGED_FILES: ${{ steps.changed.outputs.files }}
-        run: |
-          if [ -z "${CHANGED_FILES}" ]; then
-            echo "No IaC files changed, skipping scan"
-            exit 0
-          fi
-
-          /opt/checkov/bin/checkov -d . \
-            --config-file .checkov.yaml \
-            --output json \
-            > checkov-results.json || true
-
-          CHANGED_FILES_JSON=$(echo "${CHANGED_FILES}" | tr ' ' '\n' | sed '/^$/d' | jq -R . | jq -s .)
-
-          CRITICAL=$(jq --argjson files "$CHANGED_FILES_JSON" \
-            '[.[] | .results.failed_checks[]? | select(.file_path as $fp | $files | any(. as $f | $fp | endswith($f))) | select(.severity == "CRITICAL")] | length' \
-            checkov-results.json)
-          HIGH=$(jq --argjson files "$CHANGED_FILES_JSON" \
-            '[.[] | .results.failed_checks[]? | select(.file_path as $fp | $files | any(. as $f | $fp | endswith($f))) | select(.severity == "HIGH")] | length' \
-            checkov-results.json)
-          MEDIUM=$(jq --argjson files "$CHANGED_FILES_JSON" \
-            '[.[] | .results.failed_checks[]? | select(.file_path as $fp | $files | any(. as $f | $fp | endswith($f))) | select(.severity == "MEDIUM")] | length' \
-            checkov-results.json)
-          LOW=$(jq --argjson files "$CHANGED_FILES_JSON" \
-            '[.[] | .results.failed_checks[]? | select(.file_path as $fp | $files | any(. as $f | $fp | endswith($f))) | select(.severity == "LOW")] | length' \
-            checkov-results.json)
-          UNSET=$(jq --argjson files "$CHANGED_FILES_JSON" \
-            '[.[] | .results.failed_checks[]? | select(.file_path as $fp | $files | any(. as $f | $fp | endswith($f))) | select(.severity == null or .severity == "UNKNOWN" or .severity == "NONE")] | length' \
-            checkov-results.json)
-          TOTAL_FAILED=$(( CRITICAL + HIGH + MEDIUM + LOW + UNSET ))
-
-          if [ "$CRITICAL" -gt 0 ]; then
-            REVIEW_STATE="REQUEST_CHANGES"
-            VERDICT="BLOCKED: ${CRITICAL} critical finding(s) detected"
-            EXIT_CODE=1
-          elif [ "$HIGH" -gt 0 ]; then
-            REVIEW_STATE="COMMENT"
-            VERDICT="WARNING: ${HIGH} high severity finding(s) detected"
-            EXIT_CODE=0
-          else
-            REVIEW_STATE="APPROVED"
-            VERDICT="PASSED: No critical or high severity findings"
-            EXIT_CODE=0
-          fi
-
-          DETAILS=$(jq -r --argjson files "$CHANGED_FILES_JSON" '
-            [.[] | .check_type as $ct |
-              .results.failed_checks[]? |
-              select(.file_path as $fp | $files | any(. as $f | $fp | endswith($f))) |
-              "| \(.severity // "UNSET") | \(.check_id) | \(.check_name) | \(.file_path) |"
-            ] | join("\n")' checkov-results.json)
-
-          cat > review-body.md << EOF
-          ## Checkov IaC Scan Results
-
-          **${VERDICT}**
-
-          > Scanned ${CHANGED_FILES:-"no files"}
-
-          ### Summary
-          | Severity | Count |
-          |----------|-------|
-          | Critical | ${CRITICAL} |
-          | High | ${HIGH} |
-          | Medium | ${MEDIUM} |
-          | Low | ${LOW} |
-          | Unset | ${UNSET} |
-          | **Total** | **${TOTAL_FAILED}** |
-
-          <details>
-          <summary>Failed Checks (click to expand)</summary>
-
-          | Severity | Check ID | Description | File |
-          |----------|----------|-------------|------|
-          ${DETAILS}
-
-          </details>
-
-          ---
-          *Scanned by [Checkov](https://github.com/bridgecrewio/checkov)*
-          EOF
-
-          jq -n \
-            --rawfile body review-body.md \
-            --arg event "$REVIEW_STATE" \
-            '{body: $body, event: $event}' > review-payload.json
-
-          curl -s -X POST \
-            -H "Authorization: token ${GITEA_TOKEN}" \
-            -H "Content-Type: application/json" \
-            -d @review-payload.json \
-            "${GITEA_API}" || echo "Failed to post review (token may not be configured)"
-
-          exit $EXIT_CODE

.gitea/workflows/validate.yaml

@@ -1,95 +0,0 @@
-name: Validate Manifests
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - main
-
-jobs:
-  yaml-lint:
-    name: YAML Lint
-    runs-on: ubuntu-latest
-    container:
-      image: catthehacker/ubuntu:act-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Install yamllint
-        run: |
-          python3 -m pip install --break-system-packages yamllint
-
-      - name: Run yamllint
-        run: |
-          yamllint -c .yamllint.yaml .
-
-  kustomize-build:
-    name: Kustomize Build Test
-    runs-on: ubuntu-latest
-    container:
-      image: catthehacker/ubuntu:act-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Install kubectl with kustomize
-        run: |
-          curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
-          chmod +x kubectl
-          mv kubectl /usr/local/bin/
-
-      - name: Test root kustomization
-        run: |
-          if [ -f "kustomization.yaml" ]; then
-            echo "Building root kustomization..."
-            kubectl kustomize . > /tmp/manifests.yaml
-            echo "✓ Root kustomization builds successfully"
-          else
-            echo "No root kustomization.yaml found"
-          fi
-
-      - name: Test individual app kustomizations
-        run: |
-          find . -maxdepth 2 -name "kustomization.yaml" -not -path "./kustomization.yaml" | while read config; do
-            app_dir=$(dirname "$config")
-            echo "Building $app_dir kustomization..."
-            kubectl kustomize "$app_dir" > /dev/null
-            echo "✓ $app_dir kustomization builds successfully"
-          done
-
-  kubeconform:
-    name: Kubernetes Schema Validation
-    runs-on: ubuntu-latest
-    container:
-      image: catthehacker/ubuntu:act-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Install kubectl and kubeconform
-        run: |
-          # Install kubectl
-          curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
-          chmod +x kubectl
-          mv kubectl /usr/local/bin/
-
-          # Install kubeconform
-          curl -L https://github.com/yannh/kubeconform/releases/latest/download/kubeconform-linux-amd64.tar.gz | tar xz
-          chmod +x kubeconform
-          mv kubeconform /usr/local/bin/
-
-      - name: Validate Kubernetes manifests
-        run: |
-          if [ -f "kustomization.yaml" ]; then
-            kubectl kustomize . | kubeconform \
-              -schema-location default \
-              -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json' \
-              -summary \
-              -output text \
-              -ignore-missing-schemas \
-              -skip HTTPRoute \
-              -verbose
-          fi

CLAUDE.md

@@ -142,13 +142,5 @@ kubectl kustomize . | polaris audit --format pretty --set-exit-code-on-danger --
 - Exit code 1 on critical findings, 0 on warnings/pass
 
 ## Commit Message Format
-When making commits, include credits:
-```
-<main commit message>
 
-Generated with [Claude Code](https://claude.ai/code)
-via [Happy](https://happy.engineering)
-
-Co-Authored-By: Claude <noreply@anthropic.com>
-Co-Authored-By: Happy <yesreply@happy.engineering>
-```
+Format: `{type}({scope}): {description}`

kustomization.yaml

@@ -1,5 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+
+namespace: irc
+
 resources:
 # Uncomment if storing configuration in the repo
 # - configmap.yaml

thelounge/authorizationpolicy.yaml

@@ -0,0 +1,15 @@
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: thelounge
+  namespace: irc
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: thelounge
+  action: ALLOW
+  rules:
+    - from:
+        - source:
+            principals:
+              - cluster.local/ns/gateway-system/sa/istio-external-istio

thelounge/config.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: thelounge-config
+  namespace: irc
+data:
+  config.js: |
+    module.exports = {
+      public: false,
+      reverseProxy: true,
+      port: 9000,
+
+      messageStorage: ["sqlite"],
+      storagePolicy: {
+        enabled: true,
+        maxAgeDays: 365,
+        deletionPolicy: "statusOnly",
+      },
+
+      ldap: {
+        enable: true,
+        url: "ldap://ak-outpost-ldap-outpost.auth.svc.cluster.local",
+        primaryKey: "cn",
+        baseDN: "ou=users,dc=farh,dc=net",
+      },
+    };

thelounge/httproute.yaml

@@ -5,8 +5,8 @@ metadata:
   namespace: irc
 spec:
   parentRefs:
-    - name: external
-      namespace: istio-system
+    - name: istio-external
+      namespace: gateway-system
   hostnames:
     - ${THELOUNGE_HOSTNAME}
   rules:

thelounge/kustomization.yaml

@@ -1,7 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - networkpolicy.yaml
+  - serviceaccount.yaml
   - statefulset.yaml
   - service.yaml
   - httproute.yaml
+  - authorizationpolicy.yaml
+  - config.yaml

thelounge/networkpolicy.yaml

@@ -1,46 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: thelounge
-spec:
-  podSelector:
-    matchLabels:
-      app.kubernetes.io/name: thelounge
-  policyTypes:
-    - Ingress
-    - Egress
-
-  ingress:
-  ### Allow all ingress traffic (web app needs external access via gateway)
-    - {}
-  ###
-  egress:
-  ### Allow DNS resolution
-    - to:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: kube-system
-          podSelector:
-            matchLabels:
-              k8s-app: kube-dns
-      ports:
-        - protocol: UDP
-          port: 53
-        - protocol: TCP
-          port: 53
-  ###
-  ### Allow intra-namespace communication
-    - to:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: irc
-  ###
-  ### Allow outbound to the world
-    - to:
-        - ipBlock:
-            cidr: 0.0.0.0/0
-            except:
-              - 10.0.0.0/8
-              - 172.16.0.0/12
-              - 192.168.0.0/16
-  ###

thelounge/serviceaccount.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: thelounge
+  namespace: irc
+automountServiceAccountToken: false

thelounge/statefulset.yaml

@@ -21,6 +21,7 @@ spec:
         app.kubernetes.io/instance: thelounge
     spec:
       priorityClassName: low-priority
+      serviceAccountName: thelounge
       automountServiceAccountToken: false
       securityContext:
         runAsNonRoot: true
@@ -29,6 +30,20 @@ spec:
         fsGroup: 1000
         seccompProfile:
           type: RuntimeDefault
+      initContainers:
+        - name: fix-permissions
+          image: busybox:1.37
+          command: ["sh", "-c", "chown -R 1000:1000 /var/opt/thelounge"]
+          volumeMounts:
+            - name: config
+              mountPath: /var/opt/thelounge
+          securityContext:
+            runAsNonRoot: false
+            runAsUser: 0
+          resources:
+            limits:
+              cpu: 100m
+              memory: 64Mi
       containers:
         - name: thelounge
           image: ghcr.io/thelounge/thelounge:latest
@@ -48,6 +63,10 @@ spec:
           volumeMounts:
             - name: config
               mountPath: /var/opt/thelounge
+            - name: thelounge-config
+              mountPath: /var/opt/thelounge/config.js
+              subPath: config.js
+              readOnly: true
           resources:
             requests:
               cpu: "100m"
@@ -72,10 +91,15 @@ spec:
             periodSeconds: 5
             timeoutSeconds: 1
             failureThreshold: 3
+      volumes:
+        - name: thelounge-config
+          configMap:
+            name: thelounge-config
   volumeClaimTemplates:
     - metadata:
         name: config
       spec:
+        storageClassName: ceph-block
         accessModes:
           - ReadWriteOnce
         resources:

znc/authorizationpolicy.yaml

@@ -0,0 +1,15 @@
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: znc
+  namespace: irc
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: znc
+  action: ALLOW
+  rules:
+    - from:
+        - source:
+            principals:
+              - cluster.local/ns/irc/sa/thelounge

znc/kustomization.yaml

@@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - networkpolicy.yaml
+  - serviceaccount.yaml
   - statefulset.yaml
   - service.yaml
+  - authorizationpolicy.yaml

znc/networkpolicy.yaml

@@ -1,46 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: znc
-spec:
-  podSelector:
-    matchLabels:
-      app.kubernetes.io/name: znc
-  policyTypes:
-    - Ingress
-    - Egress
-
-  ingress:
-  ### Allow all ingress traffic (IRC bouncer needs external connections)
-    - {}
-  ###
-  egress:
-  ### Allow DNS resolution
-    - to:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: kube-system
-          podSelector:
-            matchLabels:
-              k8s-app: kube-dns
-      ports:
-        - protocol: UDP
-          port: 53
-        - protocol: TCP
-          port: 53
-  ###
-  ### Allow intra-namespace communication
-    - to:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: irc
-  ###
-  ### Allow outbound to the world
-    - to:
-        - ipBlock:
-            cidr: 0.0.0.0/0
-            except:
-              - 10.0.0.0/8
-              - 172.16.0.0/12
-              - 192.168.0.0/16
-  ###

znc/service.yaml

@@ -6,10 +6,8 @@ metadata:
   name: znc
   labels:
     app.kubernetes.io/name: znc
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: ${ZNC_HOSTNAME}
 spec:
-  type: LoadBalancer
+  type: ClusterIP
   ports:
     - port: 6501
   selector:

znc/serviceaccount.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: znc
+  namespace: irc
+automountServiceAccountToken: false

znc/statefulset.yaml

@@ -30,6 +30,7 @@ spec:
         app.kubernetes.io/instance: znc
     spec:
       priorityClassName: low-priority
+      serviceAccountName: znc
       automountServiceAccountToken: false
       containers:
         - name: znc
@@ -73,6 +74,7 @@ spec:
     - metadata:
         name: config
       spec:
+        storageClassName: ceph-block
         accessModes:
           - ReadWriteOnce
         resources: