James Cole jamcole

## Dockerfile
FROM docker.io/ealen/echo-server:latest

USER 65534

## haproxy.cfg
global
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

## files_keepalived_ping.te
module keepalived_ping 1.0;
require {
    type ping_exec_t;
    type ifconfig_exec_t;
    type keepalived_t;
    class process setcap;
    class file { execute execute_no_trans getattr open read };
    class capability { setuid net_raw };
    class rawip_socket { getopt create setopt write read };
    class netlink_socket create;

## chk_masters
#!/bin/sh


if [ $(ss -nlt4H '( sport = :8443 )'|wc -c) -eq 0 ]; then exit 1; fi

## alertmanager-main
global:
  resolve_timeout: 5m
route:
  group_wait: 30s
  group_interval: 5m
  repeat_interval: 12h
  receiver: default
  routes:
  - match:
      alertname: DeadMansSwitch

## example-dc.yaml
initContainers:
- args:
  - -c
  - cp
      /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
      /usr/share/pki/ca-trust-source/anchors/k8s && mkdir -p
      /etc/pki/ca-trust/extracted/pem
      /etc/pki/ca-trust/extracted/openssl
      /etc/pki/ca-trust/extracted/java && update-ca-trust
  command:

## configurations.yaml
# https://github.com/kubernetes-sigs/kustomize/blob/master/examples/transformerconfigs/README.md

commonLabels:
  # set labels at metadata.labels for all types
- path: metadata/labels
  # create metadata.labels if it doesn't exist
  create: true
- path: spec/template/metadata/labels
  kind: DeploymentConfig
  create: true

## .sops.yaml
# Config file for Mozilla SOPS: https://github.com/mozilla/sops
#
# find files to decrypt with `find . -name '*.encrypted.*'
# find files to encrypt with `find . -name '*.secret.*'
#
# creation rules are evaluated sequentially, the first match wins
creation_rules:
  # all files that match pattern *.secret.* or *.encrypted.*
  - path_regex: \.(secret|encrypted)\.
    pgp: '166586CD6F1A906D0786BE50C26EFAE7B312A5D8'

## OpenShiftCredentials.groovy
import jenkins.model.*
import com.cloudbees.hudson.plugins.folder.*;
import com.cloudbees.hudson.plugins.folder.properties.*;
import com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider.FolderCredentialsProperty;
import com.cloudbees.plugins.credentials.impl.*;
import com.cloudbees.plugins.credentials.*;
import com.cloudbees.plugins.credentials.domains.*;
import com.openshift.jenkins.plugins.OpenShiftTokenCredentials;
import hudson.util.Secret;

## setup-router.yml
- name: Configure OpenShift Router
  hosts: bastion
  gather_facts: no
  any_errors_fatal: yes
  roles:
  - oc_host
  - ocp_login_master
  tasks:
  # Configure router
  - name: Pause router rollout
	global
	log 127.0.0.1 local2

	chroot /var/lib/haproxy
	pidfile /var/run/haproxy.pid
	maxconn 4000
	user haproxy
	group haproxy
	daemon
	module keepalived_ping 1.0;
	require {
	type ping_exec_t;
	type ifconfig_exec_t;
	type keepalived_t;
	class process setcap;
	class file { execute execute_no_trans getattr open read };
	class capability { setuid net_raw };
	class rawip_socket { getopt create setopt write read };
	class netlink_socket create;
	#!/bin/sh


	if [ $(ss -nlt4H '( sport = :8443 )'\|wc -c) -eq 0 ]; then exit 1; fi
	global:
	resolve_timeout: 5m
	route:
	group_wait: 30s
	group_interval: 5m
	repeat_interval: 12h
	receiver: default
	routes:
	- match:
	alertname: DeadMansSwitch
	initContainers:
	- args:
	- -c
	- cp
	/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
	/usr/share/pki/ca-trust-source/anchors/k8s && mkdir -p
	/etc/pki/ca-trust/extracted/pem
	/etc/pki/ca-trust/extracted/openssl
	/etc/pki/ca-trust/extracted/java && update-ca-trust
	command:
	# https://github.com/kubernetes-sigs/kustomize/blob/master/examples/transformerconfigs/README.md

	commonLabels:
	# set labels at metadata.labels for all types
	- path: metadata/labels
	# create metadata.labels if it doesn't exist
	create: true
	- path: spec/template/metadata/labels
	kind: DeploymentConfig
	create: true
	# Config file for Mozilla SOPS: https://github.com/mozilla/sops
	#
	# find files to decrypt with `find . -name '.encrypted.'
	# find files to encrypt with `find . -name '.secret.'
	#
	# creation rules are evaluated sequentially, the first match wins
	creation_rules:
	# all files that match pattern .secret. or .encrypted.
	- path_regex: \.(secret\|encrypted)\.
	pgp: '166586CD6F1A906D0786BE50C26EFAE7B312A5D8'
	import jenkins.model.*
	import com.cloudbees.hudson.plugins.folder.*;
	import com.cloudbees.hudson.plugins.folder.properties.*;
	import com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider.FolderCredentialsProperty;
	import com.cloudbees.plugins.credentials.impl.*;
	import com.cloudbees.plugins.credentials.*;
	import com.cloudbees.plugins.credentials.domains.*;
	import com.openshift.jenkins.plugins.OpenShiftTokenCredentials;
	import hudson.util.Secret;
	- name: Configure OpenShift Router
	hosts: bastion
	gather_facts: no
	any_errors_fatal: yes
	roles:
	- oc_host
	- ocp_login_master
	tasks:
	# Configure router
	- name: Pause router rollout