net-kingdom/sso-mfa/k8s/storage/verify-pvc.yaml
tegwick ee794a61ab feat(sso-mfa): T02 K8s foundations manifests (NK-WP-0001-T02)
namespaces/namespaces.yaml:
  - sso, mfa, databases with net-kingdom/component labels for NetworkPolicy selectors

network-policies/{netpol-sso,netpol-mfa,netpol-databases}.yaml:
  - Default-deny-all posture on all three namespaces
  - sso: ingress from Traefik; egress to databases:5432 and mfa:8080
  - mfa: ingress from Traefik + Keycloak; egress to databases:5432
  - databases: ingress from sso/mfa + CNPG operator; egress to kube-dns + K8s API
  - DNS (kube-system:53) allowed for all pods in all namespaces

cert-manager/issuers.yaml:
  - selfsigned-issuer (ClusterIssuer) for internal/test use
  - letsencrypt-prod (ClusterIssuer, HTTP-01/Traefik) — fill ACME_EMAIL before apply
cert-manager/test-certificate.yaml:
  - 24h self-signed cert to smoke-test cert-manager

storage/verify-pvc.yaml:
  - Test PVC + Pod to confirm default StorageClass provisioning

verify-t02.sh:
  - Full verification script: namespaces, NetworkPolicies, issuers, certs, StorageClass

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-02 09:49:39 +01:00


# StorageClass verification — confirms the default StorageClass can provision PVCs.
#
# K3s default StorageClass: local-path (rancher/local-path-provisioner).
# It backs each PV with a directory on the node that provisioned it (no
# replication; the data lives and dies with that node), so it is adequate
# for single-node dev/staging only. For HA ThreePhoenix, a distributed
# StorageClass (Longhorn, Rook-Ceph) is preferred.
#
# Apply:
# kubectl apply -f verify-pvc.yaml
#
# Verify:
# kubectl get pvc -n storage-test
# # STATUS=Bound means provisioning works. With WaitForFirstConsumer
# # binding (the K3s local-path default) the PVC stays Pending until the
# # Pod is scheduled, so check the Pod first if the PVC looks stuck.
# kubectl get pod -n storage-test
# # pod/storage-test should be Completed (exit 0).
#
# Clean up:
# kubectl delete namespace storage-test
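# Throwaway namespace for the smoke test; deleting it removes the PVC and Pod.
apiVersion: v1
kind: Namespace
metadata:
  name: storage-test
  labels:
    # Surface any Pod Security Standard (restricted) violation of the test
    # Pod as an apply-time warning and an audit event. "enforce" is
    # deliberately not set: a rejected Pod would mask the storage result
    # this manifest exists to check.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted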
---
# Claim a small volume from whatever StorageClass the cluster marks default.
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  namespace: storage-test
  name: storage-test-pvc
spec:
  # A single node mounts the volume read-write; sufficient for the writer Pod.
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 100Mi
  # No storageClassName => the class annotated as default is used.
  # Pin a class explicitly with e.g. `storageClassName: local-path`.
  # NOTE: `storageClassName: ""` is NOT the same as omitting the key — the
  # empty string disables dynamic provisioning and only binds pre-created PVs.
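---
# One-shot writer Pod: mounts the claim, writes a file and reads it back.
# Exit 0 (STATUS Completed) means the volume was provisioned, attached and
# is writable; any failure leaves the Pod in Error for inspection.
apiVersion: v1
kind: Pod
metadata:
  name: storage-test
  namespace: storage-test
spec:
  restartPolicy: Never
  # The script never talks to the API server; do not hand it a token.
  automountServiceAccountToken: false
  securityContext:
    # Run unprivileged (nobody) with the default seccomp profile.
    # fsGroup makes the mount group-writable on CSI drivers that honor it
    # (Longhorn, Rook-Ceph); hostPath-style local-path volumes may ignore it,
    # but local-path's default setup script creates the directory with
    # `mkdir -m 0777`, so the unprivileged write below still succeeds.
    runAsNonRoot: true
    runAsUser: 65534
    runAsGroup: 65534
    fsGroup: 65534
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: writer
      # TODO(review): pin by digest (`busybox@sha256:<digest>`) once the image
      # is mirrored; a mutable tag is acceptable for a throwaway smoke test only.
      image: busybox:1.36
      securityContext:
        allowPrivilegeEscalation: false
        # Only /data needs to be writable.
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      # Small bounds so the test also passes in namespaces with a LimitRange
      # and cannot starve the node if something loops.
      resources:
        requests:
          cpu: 10m
          memory: 16Mi
        limits:
          cpu: 100m
          memory: 32Mi
      command:
        - sh
        - -c
        - |
          set -eu
          echo "StorageClass test: writing file"
          echo "ok" > /data/test.txt
          # Read back and compare: proves the write actually reached the
          # volume rather than only that the file opened.
          test "$(cat /data/test.txt)" = "ok"
          cat /data/test.txt
          echo "StorageClass verification PASSED"
      volumeMounts:
        - name: data
          mountPath: /data
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: storage-test-pvc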