HOMELAB-424: Sandbox Helm chart with DinD sidecar and D16 network policy #72

Merged
aaron merged 2 commits from HOMELAB-424-sandbox-helm-chart into main 2026-03-26 15:27:59 +00:00

Summary

  • New sandbox Helm chart at core/charts/apps/sandbox/
  • Deployment: main sandbox container + DinD sidecar (privileged, for k3s)
  • PVC: 25 GiB Longhorn with helm.sh/resource-policy: keep
  • CiliumNetworkPolicy: D16 egress allowlist
  • ServiceAccount + LimitRange
  • Values parameterized by profile for Lab Director / ArgoCD
  • No kubeconfig or ArgoCD secrets mounted (D8)

Validation

  • helm lint passes
  • helm template renders all 6 resources
  • D16 NetworkPolicy: 12 port entries verified
  • No kubeconfig/ArgoCD in rendered output
  • DinD sidecar privileged confirmed
  • PVC keep annotation confirmed
feat(sandbox): complete Helm chart templates
Release / release (pull_request) Has been cancelled
ffbb843dd6
- PVC: 25 GiB Longhorn with helm.sh/resource-policy: keep
- ServiceAccount: dedicated SA, no cluster role bindings
- LimitRange: container resource caps (6 CPU / 12 Gi max)
- CiliumNetworkPolicy: D16 egress allowlist (DNS, Temporal, Lab Director,
  Forgejo, Harbor, Langfuse, OTel, Grafana, internet:443, DinD:2376)
- Deployment: main sandbox container + DinD sidecar (privileged)
  with workspace PVC, SSH keys, git credentials, Claude OAuth,
  Claude settings, and MCP config mounts
- No kubeconfig or ArgoCD secrets mounted (D8 security boundary)
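The validation list above (no kubeconfig/ArgoCD in the rendered output, only the DinD sidecar privileged, the PVC keep annotation, the D16 egress port entries) is the kind of thing that is worth checking mechanically on every render rather than by eye. The script below is an added example, not part of this PR or the infra-core repository: it runs a few post-render checks over the JSON form of `helm template` output. The embedded manifests are a constructed, cut-down stand-in for the real chart, and every resource name, secret name, label and port in them is an assumption made for the example (the real policy is reported to have 12 port entries; the sample here has 4).

```python
"""Post-render checks for a sandbox Helm chart (added example, not the chart's own tooling).

Input is the list of documents `helm template` renders, converted to JSON.
The manifests below are a constructed stand-in; all names/ports are assumptions.
"""
import json
import re

# Constructed stand-in for rendered chart output (JSON form of the manifests).
RENDERED = json.loads(r'''
[
 {"apiVersion": "v1", "kind": "PersistentVolumeClaim",
  "metadata": {"name": "sandbox-workspace",
               "annotations": {"helm.sh/resource-policy": "keep"}},
  "spec": {"storageClassName": "longhorn",
           "resources": {"requests": {"storage": "25Gi"}}}},
 {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "sandbox"},
  "spec": {"template": {"spec": {
    "serviceAccountName": "sandbox",
    "containers": [
      {"name": "sandbox", "image": "sandbox:dev",
       "securityContext": {"privileged": false},
       "volumeMounts": [{"name": "workspace", "mountPath": "/workspace"},
                        {"name": "ssh-keys", "mountPath": "/home/dev/.ssh"}]},
      {"name": "dind", "image": "docker:dind",
       "securityContext": {"privileged": true},
       "volumeMounts": [{"name": "workspace", "mountPath": "/workspace"}]}],
    "volumes": [
      {"name": "workspace", "persistentVolumeClaim": {"claimName": "sandbox-workspace"}},
      {"name": "ssh-keys", "secret": {"secretName": "sandbox-ssh-keys"}},
      {"name": "git-creds", "projected": {"sources": [
          {"secret": {"name": "sandbox-git-credentials"}}]}}]}}}},
 {"apiVersion": "cilium.io/v2", "kind": "CiliumNetworkPolicy",
  "metadata": {"name": "sandbox-egress"},
  "spec": {"endpointSelector": {"matchLabels": {"app": "sandbox"}},
   "egress": [
     {"toEndpoints": [{"matchLabels": {"k8s-app": "kube-dns"}}],
      "toPorts": [{"ports": [{"port": "53", "protocol": "UDP"},
                             {"port": "53", "protocol": "TCP"}]}]},
     {"toEntities": ["world"],
      "toPorts": [{"ports": [{"port": "443", "protocol": "TCP"}]}]},
     {"toEndpoints": [{"matchLabels": {"app": "sandbox"}}],
      "toPorts": [{"ports": [{"port": "2376", "protocol": "TCP"}]}]}]}}
]
''')

# Secret names that must never be reachable from the sandbox pod (D8 boundary).
FORBIDDEN_SECRET = re.compile(r"kubeconfig|argocd", re.IGNORECASE)


def by_kind(docs, kind):
    return [d for d in docs if d.get("kind") == kind]


def mounted_secret_names(deployment):
    """Every Secret the pod can read: secret/projected volumes, envFrom, secretKeyRef."""
    pod = deployment["spec"]["template"]["spec"]
    names = set()
    for vol in pod.get("volumes", []):
        if "secret" in vol:
            names.add(vol["secret"]["secretName"])
        for src in vol.get("projected", {}).get("sources", []):
            if "secret" in src:
                names.add(src["secret"]["name"])
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        for ef in c.get("envFrom", []):
            if "secretRef" in ef:
                names.add(ef["secretRef"]["name"])
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                names.add(ref["name"])
    return names


def forbidden_secret_mounts(deployment):
    """Sorted list of mounted secrets whose name suggests kubeconfig/ArgoCD material."""
    return sorted(n for n in mounted_secret_names(deployment) if FORBIDDEN_SECRET.search(n))


def egress_port_entries(policy):
    """Flat (port, protocol) list from the egress rules; Cilium defaults protocol to ANY."""
    entries = []
    for rule in policy["spec"].get("egress", []):
        for tp in rule.get("toPorts", []):
            for p in tp.get("ports", []):
                entries.append((p["port"], p.get("protocol", "ANY")))
    return entries


def privileged_containers(deployment):
    """Names of containers that request privileged mode; only the DinD sidecar should."""
    pod = deployment["spec"]["template"]["spec"]
    return sorted(c["name"] for c in pod.get("containers", [])
                  if c.get("securityContext", {}).get("privileged"))


def pvc_is_kept(pvc):
    return pvc["metadata"].get("annotations", {}).get("helm.sh/resource-policy") == "keep"


def run_checks(docs):
    dep = by_kind(docs, "Deployment")[0]
    pol = by_kind(docs, "CiliumNetworkPolicy")[0]
    pvc = by_kind(docs, "PersistentVolumeClaim")[0]
    return {
        "forbidden_secrets": forbidden_secret_mounts(dep),  # expect []
        "privileged": privileged_containers(dep),           # expect only the sidecar
        "egress_ports": len(egress_port_entries(pol)),      # compare with the allowlist
        "pvc_kept": pvc_is_kept(pvc),
    }


if __name__ == "__main__":
    print(json.dumps(run_checks(RENDERED), indent=2))
```

In a CI job the natural wiring is `helm template` piped through a YAML-to-JSON conversion and into `run_checks`, failing the job if `forbidden_secrets` is non-empty, `privileged` contains anything but the sidecar, or the egress count drifts from the documented allowlist. The secret scan looks at projected volumes and `envFrom`/`secretKeyRef` as well as plain secret volumes, because a kubeconfig injected as an environment variable would pass a check that only inspects `volumes`.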
aaron merged commit 0b961a6137 into main 2026-03-26 15:27:59 +00:00
Reference
aaron/infra-core!72