This repository has been archived on 2026-05-26. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Chris Farhood 87c03682c4
feat(irc): add Istio ambient mode, waypoint, and AuthorizationPolicies
- Add namespace.yaml with istio ambient + waypoint labels
- Add waypoint Gateway (istio-waypoint) scoped to irc namespace
- Switch thelounge HTTPRoute from Cilium external to istio-external gateway
- Add AuthorizationPolicy for thelounge (allow inbound from gateway-system only)
- Add AuthorizationPolicy for znc (allow all on port 6501 for IRC clients)
- Add namespace: irc to root kustomization, remove dependency on targetNamespace

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
2026-05-15 21:02:10 -04:00
2026-01-17 13:36:02 +00:00
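The ambient-mode pieces the commit above lists, written out as an added example so the intent of each resource is visible. This is not the repository's own manifests: the waypoint name (`waypoint`), the `app` labels, the `gateway-system` namespace and port numbers are assumptions, and the policies are the two the commit message describes.

```yaml
# Added example, not the repository's files. Names marked "assumed"
# are illustration only.
---
apiVersion: v1
kind: Namespace
metadata:
  name: irc
  labels:
    istio.io/dataplane-mode: ambient   # ztunnel captures pod traffic (mTLS, L4 policy)
    istio.io/use-waypoint: waypoint    # send traffic via the waypoint (assumed name)
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: waypoint                       # assumed name
  namespace: irc
  labels:
    istio.io/waypoint-for: service
spec:
  gatewayClassName: istio-waypoint     # Istio turns this Gateway into a waypoint proxy
  listeners:
    - name: mesh
      port: 15008
      protocol: HBONE
---
# thelounge: bound to the Service via targetRefs, so the rule is evaluated
# at the waypoint, where the original caller's mesh identity is visible.
# With an ALLOW policy present, any caller that matches no rule is denied.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: thelounge
  namespace: irc
spec:
  targetRefs:
    - kind: Service
      group: ""
      name: thelounge
  action: ALLOW
  rules:
    - from:
        - source:
            namespaces: ["gateway-system"]   # the istio-external Gateway's namespace
---
# znc: bound with a workload selector (enforced by ztunnel at L4).
# Any source may connect, but only the IRC listener port is reachable;
# other ports on the pod are denied by the same no-match rule.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: znc
  namespace: irc
spec:
  selector:
    matchLabels:
      app: znc                         # assumed label
  action: ALLOW
  rules:
    - to:
        - operation:
            ports: ["6501"]
```

The two binding styles are deliberate: a selector-bound policy is evaluated by the destination's ztunnel, whose immediate peer for waypoint-routed traffic is the waypoint rather than the original client, so a namespace-based source rule for thelounge is placed on the Service-bound policy that the waypoint enforces, while the port-only rule for znc needs no source identity and works at L4.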

IRC Applications

Kubernetes manifests for IRC applications, deployed via Flux CD.

Applications

  • The Lounge - Modern web IRC client with persistent connections
  • ZNC - IRC bouncer for persistent IRC presence

Deployment

This repository is deployed to Kubernetes using Flux CD with variable substitution. Configuration variables (e.g., hostnames) are provided via ConfigMaps at deployment time.

Important: Manifests use Flux variable syntax (${VARIABLE_NAME}). Do not replace these with hardcoded values.
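How the `${VARIABLE_NAME}` placeholders get their values, as an added example rather than the repository's own Flux configuration: a ConfigMap of variables, a Flux Kustomization that substitutes from it, and an HTTPRoute that carries a placeholder hostname. The ConfigMap name `irc-config`, the variable `THELOUNGE_HOST`, the GitRepository name and the backend port are assumptions.

```yaml
# Added example, not this repository's Flux objects. Assumed names are
# commented as such; the hostname value is a constructed sample.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: irc-config                    # assumed name
  namespace: flux-system
data:
  THELOUNGE_HOST: irc.example.com     # constructed sample value
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: irc
  namespace: flux-system
spec:
  interval: 10m
  path: ./
  prune: true
  sourceRef:
    kind: GitRepository
    name: irc                         # assumed GitRepository name
  postBuild:
    substituteFrom:
      - kind: ConfigMap
        name: irc-config
        optional: false               # a missing ConfigMap fails the reconcile
                                      # instead of shipping a literal "${THELOUNGE_HOST}"
---
# As committed to Git: the placeholder stays in the manifest. A literal
# "${THELOUNGE_HOST}" does not satisfy the HTTPRoute hostname schema, which
# is why the kubeconform step below is run with -skip HTTPRoute.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: thelounge
  namespace: irc
spec:
  parentRefs:
    - name: istio-external
      namespace: gateway-system
  hostnames:
    - "${THELOUNGE_HOST}"
  rules:
    - backendRefs:
        - name: thelounge
          port: 9000                  # assumed backend port
```

Substitution happens inside Flux after `kustomize build`, so `kubectl kustomize .` on a checkout still shows the placeholders; that is expected, and it is the reason the README warns against replacing them with hardcoded values.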

Architecture

  • Kustomize-based: Uses Kustomize for manifest organization
  • StatefulSets: Both apps use StatefulSets with persistent volumes (4Gi each)
  • Security hardened:
    • Run as non-root (UID 1000)
    • Seccomp profiles enabled (RuntimeDefault)
    • All capabilities dropped
    • Network policies configured
  • Resource managed: CPU and memory limits set, including ephemeral storage
  • Health checks: Liveness and readiness probes configured
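A StatefulSet that carries every hardening item in the list above, added here as a worked example and not copied from the repository's own manifests. The image tag, probe paths, ports, data path and the concrete request/limit values are assumptions; the settings themselves are the ones the list names, with a NetworkPolicy standing in for the "network policies configured" item.

```yaml
# Added example, not the repository's StatefulSet. Values marked
# "assumed" are illustration only.
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: thelounge
  namespace: irc
spec:
  serviceName: thelounge
  replicas: 1
  selector:
    matchLabels:
      app: thelounge
  template:
    metadata:
      labels:
        app: thelounge
    spec:
      securityContext:
        runAsNonRoot: true            # kubelet refuses to start a root process
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000                 # volume files owned by the app's group, not root
        seccompProfile:
          type: RuntimeDefault        # container runtime's default syscall filter
      containers:
        - name: thelounge
          image: thelounge/thelounge:4        # assumed tag
          ports:
            - name: http
              containerPort: 9000           # assumed port
          securityContext:
            allowPrivilegeEscalation: false # no setuid/file-cap gains after start
            capabilities:
              drop: ["ALL"]                 # no Linux capabilities at all
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
              ephemeral-storage: 256Mi
            limits:
              cpu: 500m
              memory: 512Mi
              ephemeral-storage: 1Gi        # caps log/temp growth on the node disk
          livenessProbe:
            httpGet:
              path: /                       # assumed path
              port: http
            initialDelaySeconds: 15
          readinessProbe:
            httpGet:
              path: /
              port: http
          volumeMounts:
            - name: data
              mountPath: /var/opt/thelounge # assumed data path
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 4Gi
---
# Ingress restricted to the gateway's namespace on the app port only;
# with policyTypes set to Ingress and no other rule, everything else is denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: thelounge
  namespace: irc
spec:
  podSelector:
    matchLabels:
      app: thelounge
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: gateway-system
      ports:
        - port: 9000
```

The `ephemeral-storage` limit is the one most often left out: without it a chatty client writing logs to the container layer can fill the node disk, and the pod is only evicted once the node itself is under pressure.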

Local Development

Validate manifests

# YAML linting
yamllint -c .yamllint.yaml .

# Test kustomize builds
kubectl kustomize .
kubectl kustomize ./thelounge
kubectl kustomize ./znc

# Validate schemas
kubectl kustomize . | kubeconform \
  -schema-location default \
  -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json' \
  -skip HTTPRoute \
  -ignore-missing-schemas

Security scanning

# Trivy
trivy config --severity CRITICAL,HIGH --ignorefile .trivyignore .

# Checkov
checkov -d . --config-file .checkov.yaml

Best practices

# Kube-score
kubectl kustomize . | kube-score score - \
  --ignore-test container-image-tag \
  --ignore-test container-security-context-readonlyrootfilesystem

# Polaris
kubectl kustomize . | polaris audit --format pretty

CI/CD

Automated validation and security scanning via Gitea Actions:

Validate Manifests

  • YAML linting (yamllint)
  • Kustomize build tests
  • Kubernetes schema validation (kubeconform, skips HTTPRoute with variables)

Security Scan

  • Trivy: Vulnerability scanning with automated PR reviews
  • Checkov: IaC security scanning with automated PR reviews
  • Blocks PRs on critical findings, warns on high severity

Best Practices

  • kube-score: Kubernetes best practices analysis
  • Polaris: Security and reliability audit with automated PR reviews
  • Resource analysis: CPU/memory configuration review

All workflows run on pushes and pull requests to the main branch.

Documentation

See CLAUDE.md for comprehensive development documentation.
