Add new infra architecture

This commit is contained in:
Urtzi Alfaro
2026-01-19 11:55:17 +01:00
parent 21d35ea92b
commit 35f164f0cd
311 changed files with 13241 additions and 3700 deletions


@@ -0,0 +1,55 @@
# Kubernetes Secrets Encryption
This directory contains configuration for encrypting Kubernetes secrets at rest.
## What is this for?
Kubernetes secrets are stored in etcd, and by default they are stored as plaintext. This encryption configuration ensures that secrets are encrypted when stored in etcd, providing an additional layer of security.
## Files
- `encryption-config.yaml` - Main encryption configuration file
## How it works
1. The API server uses this configuration to encrypt secrets before storing them in etcd
2. When secrets are retrieved, they are automatically decrypted by the API server
3. This provides encryption at rest for all Kubernetes secrets
## Security Notes
- The encryption key is stored in this file (base64 encoded)
- This file should be protected and not committed to version control in production
- For development, this provides basic encryption at rest
- In production, consider using a proper key management system
## Generating a new key
```bash
openssl rand -base64 32
```
## Configuration Details
- **Algorithm**: AES-CBC with 256-bit keys
- **Provider**: `aescbc` - AES-CBC encryption provider
- **Fallback**: `identity` - Allows reading unencrypted secrets during migration
## Usage
This configuration is automatically used by the Kind cluster configuration in `kind-config.yaml`. The file is mounted into the Kubernetes control plane container and referenced by the API server configuration.
## Rotation
To rotate keys:
1. Add a new key to the `keys` array
2. Make the new key the first in the array
3. Restart the API server
4. Old keys can be removed after all secrets have been re-encrypted with the new key
## Compliance
This encryption helps satisfy:
- GDPR Article 32 - Security of processing
- PCI DSS Requirement 3.4 - Encryption of sensitive data
- ISO 27001:2022 - Cryptographic controls


@@ -0,0 +1,17 @@
# Kubernetes Secrets Encryption Configuration
# This file configures encryption at rest for Kubernetes secrets
# Used by the API server to encrypt secret data stored in etcd
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
- secrets
providers:
- aescbc:
keys:
- name: key1
# 32-byte (256-bit) AES key encoded in base64
# Generated using: openssl rand -base64 32
secret: 62um3zP5aidjVSIB0ckAxF/Ms8EDy/Z8LyMGTdMuoSM=
- identity: {}
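Review bot: The `secret:` line under `keys` commits a live AES data-encryption key to the repository, which the README added in this same commit says must not happen in production; once a key has been in git history it has to be treated as disclosed, so it should be rotated (a fresh first entry under `keys`, then re-encrypt existing secrets) rather than only deleted from the file. Keep a placeholder in the tracked copy, e.g. `secret: <BASE64-32-BYTE-KEY-injected-at-deploy>`, and have the deploy step substitute a value generated with the documented `openssl rand -base64 32` from a secret store or an untracked local file. Separately, upstream Kubernetes documentation no longer recommends the `aescbc` provider (CBC mode is exposed to padding-oracle attacks) and steers towards `aesgcm`, `secretbox` or a KMS provider; for a Kind/dev setup `secretbox` is a drop-in rename of the provider key that accepts the same 32-byte base64 key. The provider order (encrypting provider first, `identity` last as read fallback) is correct as written and should be preserved when the provider is changed.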


@@ -0,0 +1,108 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: bakery-ia
labels:
app: global
component: network-policy
tier: security
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
ingress: []
egress: []
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-kube-dns
namespace: bakery-ia
labels:
app: global
component: network-policy
tier: security
spec:
podSelector: {}
policyTypes:
- Egress
egress:
# Allow DNS resolution to kube-system namespace
- to:
- namespaceSelector:
matchLabels:
name: kube-system
ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-ingress-controller
namespace: bakery-ia
labels:
app: global
component: network-policy
tier: security
spec:
podSelector:
matchLabels:
# This label should match your ingress controller's namespace
# Adjust as needed for your specific ingress controller
app: nginx-ingress-microk8s
policyTypes:
- Ingress
ingress:
# Allow all traffic to ingress controller
- from:
- ipBlock:
cidr: 0.0.0.0/0
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-internal-communication
namespace: bakery-ia
labels:
app: global
component: network-policy
tier: security
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
ingress:
# Allow communication between pods in the same namespace
- from:
- podSelector: {}
egress:
# Allow communication to pods in the same namespace
- to:
- podSelector: {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-egress-external
namespace: bakery-ia
labels:
app: global
component: network-policy
tier: security
spec:
podSelector:
matchLabels:
app: external-egress-allowed
policyTypes:
- Egress
egress:
# Allow external communication for services that need it
- to:
- ipBlock:
cidr: 0.0.0.0/0
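Review bot: `allow-kube-dns` selects the DNS namespace with `namespaceSelector.matchLabels.name: kube-system`, but Kubernetes sets no `name` label on namespaces by default; the automatically managed label is `kubernetes.io/metadata.name: kube-system`. Unless the namespaces are labelled `name:` elsewhere in this commit (not visible here), that selector matches nothing and `default-deny-all` blocks every DNS lookup, so the rule should read `kubernetes.io/metadata.name: kube-system`; the same selector form is used in the second policy file (`project-allow-dns` and each `name: bakery-ia` namespace selector), which needs the same correction. With every pod in the namespace under default-deny there is also no ingress rule admitting traffic from the ingress controller's own namespace to the application pods — `allow-ingress-controller` only opens the controller pods, and only if they run inside `bakery-ia` — so requests forwarded by the controller would be dropped. Finally, the `0.0.0.0/0` egress in `allow-egress-external` also reaches node, cluster-internal and link-local addresses; an `except:` list under the `ipBlock` (e.g. `169.254.0.0/16` plus the cluster's pod and service CIDRs) keeps "external" meaning external.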


@@ -0,0 +1,159 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: project-default-deny
namespace: bakery-ia
labels:
app: project-global
component: network-policy
tier: security
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
ingress: []
egress: []
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: project-allow-dns
namespace: bakery-ia
labels:
app: project-global
component: network-policy
tier: security
spec:
podSelector: {}
policyTypes:
- Egress
egress:
# Allow DNS resolution to kube-system namespace
- to:
- namespaceSelector:
matchLabels:
name: kube-system
ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: project-allow-ingress-access
namespace: bakery-ia
labels:
app: project-global
component: network-policy
tier: security
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
policyTypes:
- Ingress
ingress:
# Allow all traffic to ingress controller
- from:
- ipBlock:
cidr: 0.0.0.0/0
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: project-allow-internal-comm
namespace: bakery-ia
labels:
app: project-global
component: network-policy
tier: security
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
ingress:
# Allow communication between project services
- from:
- namespaceSelector:
matchLabels:
name: bakery-ia
egress:
# Allow communication to project services
- to:
- namespaceSelector:
matchLabels:
name: bakery-ia
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: project-allow-monitoring
namespace: bakery-ia
labels:
app: project-global
component: network-policy
tier: security
spec:
podSelector:
matchLabels:
app: signoz
policyTypes:
- Ingress
ingress:
# Allow monitoring access from project services
- from:
- namespaceSelector:
matchLabels:
name: bakery-ia
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: project-allow-database-access
namespace: bakery-ia
labels:
app: project-global
component: network-policy
tier: security
spec:
podSelector:
matchLabels:
app: postgres
policyTypes:
- Ingress
ingress:
# Allow database access from application services
- from:
- namespaceSelector:
matchLabels:
name: bakery-ia
ports:
- port: 5432
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: project-allow-cache-access
namespace: bakery-ia
labels:
app: project-global
component: network-policy
tier: security
spec:
podSelector:
matchLabels:
app: redis
policyTypes:
- Ingress
ingress:
# Allow cache access from application services
- from:
- namespaceSelector:
matchLabels:
name: bakery-ia
ports:
- port: 6379
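Review bot: The port-scoped rules in `project-allow-database-access` (5432) and `project-allow-cache-access` (6379) restrict nothing, because `project-allow-internal-comm` already admits ingress on all ports from the same `name: bakery-ia` namespace selector to every pod (`podSelector: {}`), and NetworkPolicies are additive. If the intent is that postgres and redis are reachable only on their service ports and only from application workloads, the broad internal-comm rule has to be narrowed (for example to pods carrying an application label) and the database/cache policies should name their clients with a `podSelector` under `from:`; otherwise these two policies are misleading and should be dropped. These resources target the same `bakery-ia` namespace as the first policy file, so applying both sets yields the union of all allow rules; presumably only one set is meant per environment, and a one-line comment at the top of each file saying which (`# Apply either this file or network-policies.yaml, not both`) would prevent that.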