generated from coulomb/repo-seed
namespaces/namespaces.yaml:
- sso, mfa, databases with net-kingdom/component labels for NetworkPolicy selectors
network-policies/{netpol-sso,netpol-mfa,netpol-databases}.yaml:
- Default-deny-all posture on all three namespaces
- sso: ingress from Traefik; egress to databases:5432 and mfa:8080
- mfa: ingress from Traefik + Keycloak; egress to databases:5432
- databases: ingress from sso/mfa + CNPG operator; egress to kube-dns + K8s API
- DNS (kube-system:53) allowed for all pods in all namespaces
cert-manager/issuers.yaml:
- selfsigned-issuer (ClusterIssuer) for internal/test use
- letsencrypt-prod (ClusterIssuer, HTTP-01/Traefik) — fill ACME_EMAIL before apply
cert-manager/test-certificate.yaml:
- 24h self-signed cert to smoke-test cert-manager
storage/verify-pvc.yaml:
- Test PVC + Pod to confirm default StorageClass provisioning
verify-t02.sh:
- Full verification script: namespaces, NetworkPolicies, issuers, certs, StorageClass
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
115 lines
5.0 KiB
Bash
Executable File
115 lines
5.0 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# verify-t02.sh — verify T02 (K8s foundations) completion criteria
|
|
#
|
|
# Run after applying all T02 manifests. Exits 0 if all checks pass.
|
|
#
|
|
# Usage: ./verify-t02.sh [--kubeconfig PATH]
|
|
|
|
set -euo pipefail
|
|
|
|
KUBECTL="kubectl"
|
|
if [[ "${1:-}" == "--kubeconfig" ]]; then
|
|
KUBECTL="kubectl --kubeconfig $2"
|
|
fi
|
|
|
|
PASS=0
|
|
FAIL=0
|
|
|
|
check() {
|
|
local desc="$1"
|
|
shift
|
|
if "$@" &>/dev/null; then
|
|
echo " PASS $desc"
|
|
PASS=$((PASS + 1))
|
|
else
|
|
echo " FAIL $desc"
|
|
FAIL=$((FAIL + 1))
|
|
fi
|
|
}
|
|
|
|
check_output() {
|
|
local desc="$1"
|
|
local expected="$2"
|
|
shift 2
|
|
local actual
|
|
actual="$("$@" 2>/dev/null || true)"
|
|
if echo "$actual" | grep -q "$expected"; then
|
|
echo " PASS $desc"
|
|
PASS=$((PASS + 1))
|
|
else
|
|
echo " FAIL $desc (got: $actual)"
|
|
FAIL=$((FAIL + 1))
|
|
fi
|
|
}
|
|
|
|
echo "=== T02 Verification — K8s Foundations ==="
|
|
echo ""
|
|
|
|
# ── Namespaces ────────────────────────────────────────────────────────────────
|
|
echo "[ Namespaces ]"
|
|
check "namespace sso exists" $KUBECTL get namespace sso
|
|
check "namespace mfa exists" $KUBECTL get namespace mfa
|
|
check "namespace databases exists" $KUBECTL get namespace databases
|
|
check "sso has net-kingdom/component label" \
|
|
$KUBECTL get namespace sso -o jsonpath='{.metadata.labels.net-kingdom/component}'
|
|
echo ""
|
|
|
|
# ── NetworkPolicies ───────────────────────────────────────────────────────────
|
|
echo "[ NetworkPolicies ]"
|
|
for ns in sso mfa databases; do
|
|
check "default-deny-all in $ns" \
|
|
$KUBECTL get networkpolicy default-deny-all -n "$ns"
|
|
check "allow-egress-dns in $ns" \
|
|
$KUBECTL get networkpolicy allow-egress-dns -n "$ns"
|
|
done
|
|
check "allow-ingress-from-traefik in sso" $KUBECTL get networkpolicy allow-ingress-from-traefik -n sso
|
|
check "allow-egress-to-postgres in sso" $KUBECTL get networkpolicy allow-egress-to-postgres -n sso
|
|
check "allow-egress-to-privacyidea in sso" $KUBECTL get networkpolicy allow-egress-to-privacyidea -n sso
|
|
check "allow-ingress-from-traefik in mfa" $KUBECTL get networkpolicy allow-ingress-from-traefik -n mfa
|
|
check "allow-ingress-from-keycloak in mfa" $KUBECTL get networkpolicy allow-ingress-from-keycloak -n mfa
|
|
check "allow-egress-to-postgres in mfa" $KUBECTL get networkpolicy allow-egress-to-postgres -n mfa
|
|
check "allow-ingress-from-keycloak in databases" $KUBECTL get networkpolicy allow-ingress-from-keycloak -n databases
|
|
check "allow-ingress-from-privacyidea in databases" $KUBECTL get networkpolicy allow-ingress-from-privacyidea -n databases
|
|
echo ""
|
|
|
|
# ── cert-manager ─────────────────────────────────────────────────────────────
|
|
echo "[ cert-manager ]"
|
|
check "cert-manager namespace exists" $KUBECTL get namespace cert-manager
|
|
check "selfsigned-issuer exists" $KUBECTL get clusterissuer selfsigned-issuer
|
|
check "letsencrypt-prod issuer exists" $KUBECTL get clusterissuer letsencrypt-prod
|
|
check_output "selfsigned-issuer is Ready" "True" \
|
|
$KUBECTL get clusterissuer selfsigned-issuer -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}'
|
|
|
|
# Test certificate (applied separately — only check if present)
|
|
if $KUBECTL get namespace cert-manager-test &>/dev/null; then
|
|
check_output "test certificate is Ready" "True" \
|
|
$KUBECTL get certificate selfsigned-test -n cert-manager-test \
|
|
-o jsonpath='{.status.conditions[?(@.type=="Ready")].status}'
|
|
else
|
|
echo " SKIP test certificate (namespace cert-manager-test not found — apply test-certificate.yaml)"
|
|
fi
|
|
echo ""
|
|
|
|
# ── StorageClass ──────────────────────────────────────────────────────────────
|
|
echo "[ StorageClass ]"
|
|
check "a default StorageClass exists" \
|
|
$KUBECTL get storageclass -o jsonpath='{.items[?(@.metadata.annotations.storageclass\.kubernetes\.io/is-default-class=="true")].metadata.name}'
|
|
|
|
if $KUBECTL get namespace storage-test &>/dev/null; then
|
|
check_output "storage-test pod Completed" "Completed\|Succeeded" \
|
|
$KUBECTL get pod storage-test -n storage-test -o jsonpath='{.status.phase}'
|
|
else
|
|
echo " SKIP StorageClass PVC test (apply storage/verify-pvc.yaml first)"
|
|
fi
|
|
echo ""
|
|
|
|
# ── Summary ───────────────────────────────────────────────────────────────────
|
|
TOTAL=$((PASS + FAIL))
|
|
echo "=== Results: $PASS/$TOTAL passed ==="
|
|
if [[ $FAIL -gt 0 ]]; then
|
|
echo " $FAIL check(s) failed."
|
|
exit 1
|
|
else
|
|
echo " T02 COMPLETE — all checks passed."
|
|
fi
|