helm

2026-02-16 15:37:06 +02:00
parent 70741688e0
commit 6f9d46e833
10 changed files with 983 additions and 937 deletions
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -0,0 +1,60 @@
 # CLAUDE.md
 This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
 ## Project Overview
 Kubernetes deployment manifests for "Memelord Jake" — a Django meme-sharing application deployed on a cloud-native Kubernetes cluster. This repo contains **no application source code**, only infrastructure-as-code YAML manifests.
 The Django app image is `ghcr.io/l4rm4nd/memelord:latest`. The cluster domain is `ee-lte-1.codemowers.io`.
 ## Deploying
 ```bash
 kubectl apply -f deployment.yaml  # Backing services: PostgreSQL, Redis, S3, networking
 kubectl apply -f config.yaml      # Django settings.py ConfigMap
 kubectl apply -f app.yaml         # Memelord Deployment
 kubectl apply -f oidc.yaml        # OIDC client configuration
 kubectl apply -f grafana.yaml     # Grafana monitoring (includes namespace)
 kubectl apply -f monitoring.yaml  # Prometheus Probe
 ```
 The cluster requires these operators pre-installed: CloudNativePG, DragonflyDB, Onyxia S3, cert-manager, Traefik, Codemowers Cloud OIDC, Prometheus operator.
 ## File Map
 - **`deployment.yaml`** — Backing services: StringSecret + Dragonfly (Redis), StringSecret + Cluster + Database (PostgreSQL), Policy + S3User + Bucket (S3), Service + Certificate + Ingress
 - **`config.yaml`** — ConfigMap containing the full Django `settings.py`; the largest and most complex file. Configures DB, cache, security headers (CSP/HSTS), storage backends, OIDC, logging
 - **`app.yaml`** — Deployment for the Django app (1 replica, port 8000). Mounts `settings.py` from ConfigMap via `subPath`. All config injected via environment variables from Secrets
 - **`grafana.yaml`** — Complete Grafana stack: Namespace, ConfigMaps (Prometheus + Loki datasources, dashboard JSON), StatefulSet (5Gi SQLite), OIDC auth, Ingress with TLS
 - **`oidc.yaml`** — OIDCClient CR for Memelord app authentication via Passmower
 - **`monitoring.yaml`** — Prometheus Probe CR
 ## Architecture
 ```
 Namespace: memelord-jake
 Memelord (Deployment) ──► PostgreSQL (CloudNativePG Cluster)
                       ──► DragonflyDB (Redis-compatible cache/sessions)
                       ──► MinIO S3 (media storage via Onyxia operator)
                       ──► Passmower OIDC (authentication)
 Grafana (StatefulSet)  ──► Prometheus (monitoring ns)
                       ──► Loki (monitoring ns)
                       ──► Passmower OIDC (authentication)
 External access: Traefik Ingress + cert-manager TLS
  - memelord-jake.ee-lte-1.codemowers.io
  - grafana-jake.ee-lte-1.codemowers.io
 ```
 ## Key Conventions
 - Resource naming: prefix `memelord-jake-` for all backing services
 - Secrets auto-generated via `StringSecret` CRs (mittwald secret generator)
 - Django settings are fully environment-driven (12-factor); `config.yaml` reads everything from env vars
 - Storage class `postgres` for DB, `sqlite` for Grafana
 - Node selector: `codemowers.io/lvm-ubuntu-vg: enterprise-ssd`
 - ArgoCD destination cluster: `https://10.254.10.31:6443`
 - S3 uses path-style addressing (`AWS_S3_ADDRESSING_STYLE = 'path'`)
--- a/helm/Chart.yaml
+++ b/helm/Chart.yaml
@@ -0,0 +1,3 @@
 apiVersion: v2
 name: memelord
 version: 0.1.0
--- a/helm/templates/app.yaml
+++ b/helm/templates/app.yaml
@@ -2,20 +2,19 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: memelord
+  name: {{ .Release.Name }}
  namespace: memelord-jake
 spec:
  replicas: 1
  selector:
    matchLabels:
-      app: memelord
+      app: {{ .Release.Name }}
  template:
    metadata:
      labels:
-        app: memelord
+        app: {{ .Release.Name }}
    spec:
      containers:
-        - name: memelord
+        - name: {{ .Release.Name }}
          image: ghcr.io/l4rm4nd/memelord:latest
          imagePullPolicy: Always
          ports:
@@ -24,37 +23,37 @@ spec:
          env:
            - name: DOMAIN
-              value: "memelord-jake.ee-lte-1.codemowers.io"
+              value: {{ .Values.hostname | quote }}
            # Database Configuration
            - name: DB_ENGINE
              value: "postgres"
            - name: POSTGRES_HOST
-              value: "memelord-jake-database-rw"
+              value: "{{ .Release.Name }}-database-rw"
            - name: POSTGRES_PORT
              value: "5432"
            - name: POSTGRES_DB
-              value: "memelord-jake"
+              value: {{ .Release.Name | quote }}
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
-                  name: memelord-jake-database
+                  name: {{ .Release.Name }}-database
                  key: username
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
-                  name: memelord-jake-database
+                  name: {{ .Release.Name }}-database
                  key: password
            # Redis Configuration
            - name: REDIS_HOST
-              value: "memelord-jake-redis"
+              value: "{{ .Release.Name }}-redis"
            - name: REDIS_PORT
              value: "6379"
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
-                  name: memelord-jake-redis
+                  name: {{ .Release.Name }}-redis
                  key: redis-password
            # S3/MinIO Storage Configuration
@@ -63,17 +62,17 @@ spec:
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
-                  name: memelord-jake-bucket
+                  name: {{ .Release.Name }}-bucket
                  key: accessKey
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
-                  name: memelord-jake-bucket
+                  name: {{ .Release.Name }}-bucket
                  key: secretKey
            - name: AWS_S3_ADDRESSING_STYLE
              value: path
            - name: AWS_STORAGE_BUCKET_NAME
-              value: "memelord-jake"
+              value: {{ .Release.Name | quote }}
            - name: AWS_S3_ENDPOINT_URL
              value: "https://minio.ee-lte-1.codemowers.io"
            - name: AWS_S3_REGION_NAME
@@ -87,12 +86,12 @@ spec:
            - name: OIDC_RP_CLIENT_ID
              valueFrom:
                secretKeyRef:
-                  name: oidc-client-memelord-jake-owner-secrets
+                  name: oidc-client-{{ .Release.Name }}-owner-secrets
                  key: OIDC_CLIENT_ID
            - name: OIDC_RP_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
-                  name: oidc-client-memelord-jake-owner-secrets
+                  name: oidc-client-{{ .Release.Name }}-owner-secrets
                  key: OIDC_CLIENT_SECRET
            # Browser-facing endpoint (external URL)
--- a/helm/templates/config.yaml
+++ b/helm/templates/config.yaml
@@ -2,7 +2,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
  name: settings
  namespace: memelord-jake
 data:
  settings.py: |
    """
--- a/helm/templates/deployment.yaml
+++ b/helm/templates/deployment.yaml
@@ -2,7 +2,7 @@
 apiVersion: secretgenerator.mittwald.de/v1alpha1
 kind: StringSecret
 metadata:
-  name: memelord-jake-redis
+  name: {{ .Release.Name }}-redis
 spec:
  fields:
    - fieldName: redis-password
@@ -12,11 +12,11 @@ spec:
 apiVersion: dragonflydb.io/v1alpha1
 kind: Dragonfly
 metadata:
-  name: memelord-jake-redis
+  name: {{ .Release.Name }}-redis
 spec:
  authentication:
    passwordFromSecret:
-      name: memelord-jake-redis
+      name: {{ .Release.Name }}-redis
      key: redis-password
  replicas: 1
  resources:
@@ -30,12 +30,12 @@ spec:
 apiVersion: secretgenerator.mittwald.de/v1alpha1
 kind: StringSecret
 metadata:
-  name: memelord-jake-database
+  name: {{ .Release.Name }}-database
  labels:
    cnpg.io/reload: "true"
 spec:
  data:
-    username: memelord-jake
+    username: {{ .Release.Name }}
  fields:
    - fieldName: password
      length: "32"
@@ -44,7 +44,7 @@ spec:
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
-  name: memelord-jake-database
+  name: {{ .Release.Name }}-database
 spec:
  instances: 1
  imageName: ghcr.io/cloudnative-pg/postgresql:17
@@ -69,28 +69,28 @@ spec:
      effective_cache_size: "2GB"
  managed:
    roles:
-    - name: memelord-jake
+    - name: {{ .Release.Name }}
      ensure: present
      login: true
      passwordSecret:
-        name: memelord-jake-database
+        name: {{ .Release.Name }}-database
 ---
 apiVersion: postgresql.cnpg.io/v1
 kind: Database
 metadata:
-  name: memelord-jake
+  name: {{ .Release.Name }}
 spec:
-  name: memelord-jake
+  name: {{ .Release.Name }}
-  owner: memelord-jake
+  owner: {{ .Release.Name }}
  cluster:
-    name: memelord-jake-database
+    name: {{ .Release.Name }}-database
 ---
 apiVersion: s3.onyxia.sh/v1alpha1
 kind: Policy
 metadata:
-  name: memelord-jake-policy
+  name: {{ .Release.Name }}-policy
 spec:
-  name: memelord-jake-policy
+  name: {{ .Release.Name }}-policy
  s3InstanceRef: minio/default
  policyContent: >-
    {
@@ -102,8 +102,8 @@ spec:
            "s3:*"
          ],
          "Resource": [
-            "arn:aws:s3:::memelord-jake",
+            "arn:aws:s3:::{{ .Release.Name }}",
-            "arn:aws:s3:::memelord-jake/*"
+            "arn:aws:s3:::{{ .Release.Name }}/*"
          ]
        }
      ]
@@ -112,19 +112,19 @@ spec:
 apiVersion: s3.onyxia.sh/v1alpha1
 kind: S3User
 metadata:
-  name: memelord-jake-bucket
+  name: {{ .Release.Name }}-bucket
 spec:
-  accessKey: memelord-jake-bucket
+  accessKey: {{ .Release.Name }}-bucket
  policies:
-    - memelord-jake-policy
+    - {{ .Release.Name }}-policy
  s3InstanceRef: minio/default
 ---
 apiVersion: s3.onyxia.sh/v1alpha1
 kind: Bucket
 metadata:
-  name: memelord-jake
+  name: {{ .Release.Name }}
 spec:
-  name: memelord-jake
+  name: {{ .Release.Name }}
  s3InstanceRef: minio/default
  quota:
    default: 100000000
@@ -132,11 +132,11 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  name: memelord
+  name: {{ .Release.Name }}
 spec:
  type: ClusterIP
  selector:
-    app: memelord
+    app: {{ .Release.Name }}
  ports:
    - name: http
      port: 80
@@ -145,11 +145,11 @@ spec:
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: memelord-jake
+  name: {{ .Release.Name }}
 spec:
-  secretName: memelord-jake-tls
+  secretName: {{ .Release.Name }}-tls
  dnsNames:
-    - memelord-jake.ee-lte-1.codemowers.io
+    - {{ .Values.hostname }}
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
@@ -157,21 +157,21 @@ spec:
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: memelord-jake
+  name: {{ .Release.Name }}
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
  ingressClassName: traefik
  rules:
-    - host: memelord-jake.ee-lte-1.codemowers.io
+    - host: {{ .Values.hostname }}
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
-                name: memelord
+                name: {{ .Release.Name }}
                port:
                  number: 80
  tls:
-    - secretName: memelord-jake-tls
+    - secretName: {{ .Release.Name }}-tls
--- a/helm/templates/grafana.yaml
+++ b/helm/templates/grafana.yaml
@@ -1,13 +1,7 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: memelord-jake
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: grafana-provisioning
  namespace: memelord-jake
 data:
  datasources.yaml: |
    apiVersion: 1
@@ -37,7 +31,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
  name: grafana-dashboards
  namespace: memelord-jake
 data:
  log-aggregator.json: |
    {
@@ -155,7 +148,7 @@ data:
              "direction": "backward",
              "editorMode": "code",
              "expr": "sum by (detected_level) (count_over_time ({app=~\"$app\",namespace=~\"$namespace\"}[1m]))",
-              "legendFormat": "{{detected_level}}",
+              "legendFormat": "{{`{{detected_level}}`}}",
              "queryType": "range",
              "refId": "A"
            }
@@ -287,7 +280,6 @@ apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: grafana
  namespace: memelord-jake
  labels:
    app: grafana
 spec:
@@ -319,7 +311,7 @@ spec:
            # Ingress URL (important for OAuth callback + links)
            - name: GF_SERVER_ROOT_URL
-              value: https://grafana-jake.ee-lte-1.codemowers.io/
+              value: https://{{ .Values.grafanaHostname }}/
            - name: GF_SERVER_SERVE_FROM_SUB_PATH
              value: "false"
@@ -339,18 +331,15 @@ spec:
            - name: GF_AUTH_GENERIC_OAUTH_USE_PKCE
              value: "false"
            # IMPORTANT:
            # After OIDCClient grafana-jake is created successfully,
            # set this secret name to the generated one (likely oidc-client-grafana-jake-owner-secrets)
            - name: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
              valueFrom:
                secretKeyRef:
-                  name: oidc-client-grafana-jake-owner-secrets
+                  name: oidc-client-grafana-{{ .Release.Name }}-owner-secrets
                  key: OIDC_CLIENT_ID
            - name: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
-                  name: oidc-client-grafana-jake-owner-secrets
+                  name: oidc-client-grafana-{{ .Release.Name }}-owner-secrets
                  key: OIDC_CLIENT_SECRET
            - name: GF_AUTH_GENERIC_OAUTH_SCOPES
@@ -365,7 +354,7 @@ spec:
              value: "https://auth.ee-lte-1.codemowers.io/me"
            - name: GF_AUTH_GENERIC_OAUTH_SIGNOUT_REDIRECT_URL
-              value: https://grafana-jake.ee-lte-1.codemowers.io/
+              value: https://{{ .Values.grafanaHostname }}/
          volumeMounts:
            - name: grafana-storage
@@ -414,7 +403,6 @@ apiVersion: v1
 kind: Service
 metadata:
  name: grafana
  namespace: memelord-jake
  labels:
    app: grafana
 spec:
@@ -429,12 +417,11 @@ spec:
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: grafana-jake
+  name: grafana-{{ .Release.Name }}
  namespace: memelord-jake
 spec:
-  secretName: grafana-jake-tls
+  secretName: grafana-{{ .Release.Name }}-tls
  dnsNames:
-    - grafana-jake.ee-lte-1.codemowers.io
+    - {{ .Values.grafanaHostname }}
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
@@ -442,14 +429,13 @@ spec:
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: grafana-jake
+  name: grafana-{{ .Release.Name }}
  namespace: memelord-jake
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
  ingressClassName: traefik
  rules:
-    - host: grafana-jake.ee-lte-1.codemowers.io
+    - host: {{ .Values.grafanaHostname }}
      http:
        paths:
          - pathType: Prefix
@@ -460,18 +446,17 @@ spec:
                port:
                  number: 3000
  tls:
-    - secretName: grafana-jake-tls
+    - secretName: grafana-{{ .Release.Name }}-tls
 ---
 apiVersion: codemowers.cloud/v1beta1
 kind: OIDCClient
 metadata:
-  name: grafana-jake
+  name: grafana-{{ .Release.Name }}
  namespace: memelord-jake
 spec:
-  displayName: Grafana jake
+  displayName: Grafana {{ .Release.Name }}
-  uri: https://grafana-jake.ee-lte-1.codemowers.io/login/generic_oauth
+  uri: https://{{ .Values.grafanaHostname }}/login/generic_oauth
  redirectUris:
-    - https://grafana-jake.ee-lte-1.codemowers.io/login/generic_oauth
+    - https://{{ .Values.grafanaHostname }}/login/generic_oauth
  grantTypes:
    - authorization_code
    - refresh_token
--- a/helm/templates/monitoring.yaml
+++ b/helm/templates/monitoring.yaml
@@ -1,10 +1,9 @@
 apiVersion: monitoring.coreos.com/v1
 kind: Probe
 metadata:
-  name: memelord-probe
+  name: {{ .Release.Name }}-probe
  namespace: memelord-jake
  labels:
-    app: memelord
+    app: {{ .Release.Name }}
 spec:
  module: http_2xx
  prober:
@@ -12,4 +11,4 @@ spec:
  targets:
    staticConfig:
      static:
-        - google.com
+        - {{ .Values.hostname }}
--- a/helm/templates/oidc.yaml
+++ b/helm/templates/oidc.yaml
@@ -0,0 +1,19 @@
 ---
 apiVersion: codemowers.cloud/v1beta1
 kind: OIDCClient
 metadata:
  name: {{ .Release.Name }}
 spec:
  displayName: Memelord {{ .Release.Name }}
  uri: https://{{ .Values.hostname }}/
  redirectUris:
    - https://{{ .Values.hostname }}/oidc/callback/
  grantTypes:
    - authorization_code
    - refresh_token
  responseTypes:
    - code
  availableScopes:
    - openid
    - profile
  pkce: false
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -0,0 +1,2 @@
 hostname: memelord-jake.ee-lte-1.codemowers.io
 grafanaHostname: grafana-jake.ee-lte-1.codemowers.io
--- a/oidc.yaml
+++ b/oidc.yaml
@@ -1,20 +0,0 @@
 ---
 apiVersion: codemowers.cloud/v1beta1
 kind: OIDCClient
 metadata:
  name: memelord-jake
  namespace: memelord-jake
 spec:
  displayName: Memelord jake
  uri: https://memelord-jake.ee-lte-1.codemowers.io/
  redirectUris:
    - https://memelord-jake.ee-lte-1.codemowers.io/oidc/callback/
  grantTypes:
    - authorization_code
    - refresh_token
  responseTypes:
    - code
  availableScopes:
    - openid
    - profile
  pkce: false
		`@@ -0,0 +1,2 @@`
							`hostname: memelord-jake.ee-lte-1.codemowers.io`
							`grafanaHostname: grafana-jake.ee-lte-1.codemowers.io`