add cyberchef

Author: soerenschneider

apps/cyberchef/components/istio-proxy/kustomization.yaml

@@ -0,0 +1,42 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1alpha1"
+kind: "Component"
+patches:
+  - target:
+      kind: "Namespace"
+    patch: |-
+      - op: add
+        path: "/metadata/labels/istio-injection"
+        value: "enabled"
+  - target:
+      kind: "NetworkPolicy"
+      name: "cyberchef"
+    patch: |-
+      - op: "add"
+        path: "/spec/egress/-"
+        value:
+          to:
+            - namespaceSelector:
+                matchLabels:
+                  kubernetes.io/metadata.name: kube-system
+              podSelector: {}
+            - namespaceSelector: {}
+              podSelector:
+                matchLabels:
+                  k8s-app: kube-dns
+          ports:
+            - port: 53
+              protocol: TCP
+            - port: 53
+              protocol: UDP
+      - op: "add"
+        path: "/spec/egress/-"
+        value:
+          to:
+            - namespaceSelector:
+                matchLabels:
+                  kubernetes.io/metadata.name: istio-system
+              podSelector: {}
+          ports:
+            - port: 15012
+              protocol: TCP

apps/cyberchef/components/istio/istio-virtualservice.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: "networking.istio.io/v1alpha3"
+kind: "VirtualService"
+metadata:
+  name: "cyberchef"
+spec:
+  hosts:
+    - "cyberchef"
+  gateways:
+    - "istio-system/gateway"
+  http:
+    - match:
+        - uri:
+            prefix: "/"
+      route:
+        - destination:
+            host: "cyberchef"
+            port:
+              number: 80

apps/cyberchef/components/istio/kustomization.yaml

@@ -0,0 +1,23 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1alpha1"
+kind: "Component"
+resources:
+  - "istio-virtualservice.yaml"
+patches:
+  - target:
+      kind: "NetworkPolicy"
+      name: "cyberchef"
+    patch: |-
+      - op: "add"
+        path: "/spec/ingress/-"
+        value:
+          ports:
+            - protocol: "TCP"
+              port: "cyberchef"
+          from:
+            - namespaceSelector:
+                matchLabels:
+                  kubernetes.io/metadata.name: "istio-system"
+              podSelector:
+                matchLabels:
+                  istio: "ingressgateway"

apps/cyberchef/deployment.yaml

@@ -0,0 +1,71 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cyberchef
+  labels:
+    app.kubernetes.io/name: cyberchef
+  annotations:
+    reloader.stakater.com/auto: "true"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: cyberchef
+  template:
+    metadata:
+      labels:
+        app: cyberchef
+        app.kubernetes.io/name: cyberchef
+        app.kubernetes.io/instance: cyberchef-prod
+        app.kubernetes.io/component: cyberchef
+    spec:
+      securityContext:
+        runAsUser: 27634
+        runAsGroup: 27634
+        fsGroup: 27634
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: "cyberchef"
+          image: "ghcr.io/soerenschneider/cyberchef:10.19.2"
+          imagePullPolicy: "IfNotPresent"
+          env:
+            - name: "APLOS_ADDR"
+              value: "0.0.0.0:8080"
+          ports:
+            - containerPort: 8080
+              name: "cyberchef"
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsUser: 27634
+            runAsGroup: 27634
+            capabilities:
+              drop:
+                - "ALL"
+            seccompProfile:
+              type: "RuntimeDefault"
+          livenessProbe:
+            httpGet:
+              path: "/_health"
+              port: "cyberchef"
+            initialDelaySeconds: 15
+          readinessProbe:
+            httpGet:
+              path: "/_health"
+              port: "cyberchef"
+            initialDelaySeconds: 5
+          startupProbe:
+            httpGet:
+              path: "/_health"
+              port: "cyberchef"
+            failureThreshold: 60
+            periodSeconds: 10
+          resources:
+            limits:
+              memory: "256Mi"
+            requests:
+              cpu: "5m"
+              memory: "32Mi"

apps/cyberchef/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - deployment.yaml
+  - service.yaml
+  - networkpolicy.yaml

apps/cyberchef/networkpolicy.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: "cyberchef"
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: "cyberchef"
+  policyTypes:
+    - Egress
+    - Ingress
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: "cyberchef"
+      from: []
+  egress: []

apps/cyberchef/service.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: cyberchef
+spec:
+  ports:
+    - port: 80
+      targetPort: cyberchef
+  selector:
+    app.kubernetes.io/name: cyberchef

clusters/svc.pt.soeren.cloud/cyberchef/kustomization.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1beta1"
+kind: "Kustomization"
+namespace: "cyberchef"
+components:
+  - "../../../apps/cyberchef/components/istio"
+  - "../../../apps/cyberchef/components/istio-proxy"
+resources:
+  - "namespace.yaml"
+  - "../../../apps/cyberchef"
+patches:
+  - target:
+      kind: "VirtualService"
+      name: "cyberchef"
+    patch: |-
+      - op: "replace"
+        path: "/spec/hosts"
+        value:
+          - "cyberchef.svc.pt.soeren.cloud"

clusters/svc.pt.soeren.cloud/cyberchef/namespace.yaml

@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: cyberchef
+  labels:
+    name: cyberchef