farhoodliquor/irc
Archived
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
This repository has been archived on 2026-05-26. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
87c03682c4e25c6be3a8412e7d9bcfb4e2c366bd
irc/README.md
T
Chris Farhood 4705c39523 docs: enhance README with architecture and development details 
Added comprehensive documentation including:
- Security hardening details (non-root, seccomp, capabilities)
- Architecture overview (StatefulSets, resources, health checks)
- Local development commands (validation, security, best practices)
- Detailed CI/CD pipeline explanation
- Reference to CLAUDE.md for full documentation

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
2026-02-08 10:10:05 -05:00

91 lines
2.6 KiB
Markdown
Raw Blame History

# IRC Applications
Kubernetes manifests for IRC applications, deployed via Flux CD.
## Applications
- **The Lounge** - Modern web IRC client with persistent connections
- **ZNC** - IRC bouncer for persistent IRC presence
## Deployment
This repository is deployed to Kubernetes using **Flux CD** with variable substitution. Configuration variables (e.g., hostnames) are provided via ConfigMaps at deployment time.
**Important:** Manifests use Flux variable syntax (`${VARIABLE_NAME}`). Do not replace these with hardcoded values.
## Architecture
- **Kustomize-based**: Uses Kustomize for manifest organization
- **StatefulSets**: Both apps use StatefulSets with persistent volumes (4Gi each)
- **Security hardened**:
- Run as non-root (UID 1000)
- Seccomp profiles enabled (RuntimeDefault)
- All capabilities dropped
- Network policies configured
- **Resource managed**: CPU and memory limits set, including ephemeral storage
- **Health checks**: Liveness and readiness probes configured
## Local Development
### Validate manifests
```bash
# YAML linting
yamllint -c .yamllint.yaml .
# Test kustomize builds
kubectl kustomize .
kubectl kustomize ./thelounge
kubectl kustomize ./znc
# Validate schemas
kubectl kustomize . | kubeconform \
-schema-location default \
-schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json' \
-skip HTTPRoute \
-ignore-missing-schemas
```
### Security scanning
```bash
# Trivy
trivy config --severity CRITICAL,HIGH --ignorefile .trivyignore .
# Checkov
checkov -d . --config-file .checkov.yaml
```
### Best practices
```bash
# Kube-score
kubectl kustomize . | kube-score score - \
--ignore-test container-image-tag \
--ignore-test container-security-context-readonlyrootfilesystem
# Polaris
kubectl kustomize . | polaris audit --format pretty
```
## CI/CD
Automated validation and security scanning via Gitea Actions:
### Validate Manifests
- YAML linting (yamllint)
- Kustomize build tests
- Kubernetes schema validation (kubeconform, skips HTTPRoute with variables)
### Security Scan
- **Trivy**: Vulnerability scanning with automated PR reviews
- **Checkov**: IaC security scanning with automated PR reviews
- Blocks PRs on critical findings, warns on high severity
### Best Practices
- **kube-score**: Kubernetes best practices analysis
- **Polaris**: Security and reliability audit with automated PR reviews
- **Resource analysis**: CPU/memory configuration review
All workflows run on push/PR to main branch.
## Documentation
See [CLAUDE.md](CLAUDE.md) for comprehensive development documentation.
Reference in New Issue View Git Blame Copy Permalink