diff --git a/templates/app.yaml b/templates/app.yaml new file mode 100644 index 0000000..7f67360 --- /dev/null +++ b/templates/app.yaml @@ -0,0 +1,106 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: memelord + namespace: memelord-raiko +spec: + replicas: 1 + selector: + matchLabels: + app: memelord + template: + metadata: + labels: + app: memelord + spec: + containers: + - name: memelord + image: ghcr.io/l4rm4nd/memelord:latest + imagePullPolicy: Always + ports: + - name: http + containerPort: 8000 + protocol: TCP + + env: + - name: DOMAIN + value: "memelord-raiko.ee-lte-1.codemowers.io" + - name: DB_ENGINE + value: "postgres" + - name: POSTGRES_USER + valueFrom: + secretKeyRef: + name: memelord-raiko-database + key: username + - name: POSTGRES_HOST + value: "memelord-raiko-database-rw" + - name: POSTGRES_PORT + value: "5432" + - name: POSTGRES_DB + value: "memelord-raiko" + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: memelord-raiko-database + key: password + - name: REDIS_HOST + value: "memelord-raiko-redis" + - name: REDIS_PORT + value: "6379" + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: memelord-raiko-redis + key: redis-password + - name: STORAGE_BACKEND + value: "s3" + - name: AWS_STORAGE_BUCKET_NAME + value: "memelord-raiko" + - name: AWS_S3_ENDPOINT_URL + value: "https://minio.ee-lte-1.codemowers.io/" + - name: AWS_S3_REGION_NAME + value: "ee-lte-1" + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: memelord-raiko-bucket + key: accessKey + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: memelord-raiko-bucket + key: secretKey + - name: OIDC_ENABLED + value: "True" + - name: OIDC_CREATE_USER + value: "True" + - name: OIDC_RP_CLIENT_ID + valueFrom: + secretKeyRef: + name: oidc-client-memelord-raiko-owner-secrets + key: OIDC_CLIENT_ID + - name: OIDC_RP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: oidc-client-memelord-raiko-owner-secrets + key: OIDC_CLIENT_SECRET + - name: OIDC_OP_AUTHORIZATION_ENDPOINT + value: "https://auth.ee-lte-1.codemowers.io/auth" + - name: OIDC_OP_TOKEN_ENDPOINT + value: "http://passmower.passmower.svc.cluster.local/token" + - name: OIDC_OP_USER_ENDPOINT + value: "http://passmower.passmower.svc.cluster.local/me" + - name: OIDC_OP_JWKS_ENDPOINT + value: "http://passmower.passmower.svc.cluster.local/jwks" + - name: OIDC_RP_SIGN_ALGO + value: "RS256" + - name: OIDC_AUTOLOGIN + value: "False" + - name: DEBUG + value: "True" + - name: SECURE_COOKIES + value: "True" + - name: ENABLE_PUBLIC_FEED + value: "True" + - name: AWS_S3_ADDRESSING_STYLE + value: path diff --git a/templates/bucket.yaml b/templates/bucket.yaml deleted file mode 100644 index 310ec61..0000000 --- a/templates/bucket.yaml +++ /dev/null @@ -1,46 +0,0 @@ ---- -apiVersion: s3.onyxia.sh/v1alpha1 -kind: Policy -metadata: - name: {{ .Release.Name }}-policy -spec: - name: {{ .Release.Name }}-policy - s3InstanceRef: minio/default - policyContent: >- - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "s3:ListBucket", - "s3:GetObject", - "s3:PutObject" - ], - "Resource": [ - "arn:aws:s3:::{{ .Release.Name }}", - "arn:aws:s3:::{{ .Release.Name }}/*" - ] - } - ] - } ---- -apiVersion: s3.onyxia.sh/v1alpha1 -kind: S3User -metadata: - name: {{ .Release.Name }}-bucket -spec: - accessKey: {{ .Release.Name }}-bucket # This is automatically created - policies: - - {{ .Release.Name }}-policy - s3InstanceRef: minio/default ---- -apiVersion: s3.onyxia.sh/v1alpha1 -kind: Bucket -metadata: - name: {{ .Release.Name }} -spec: - name: {{ .Release.Name }} - s3InstanceRef: minio/default - quota: - default: 100000000 diff --git a/templates/deployment.yaml b/templates/deployment.yaml index f4865cc..9a2245d 100644 --- a/templates/deployment.yaml +++ b/templates/deployment.yaml @@ -2,140 +2,176 @@ apiVersion: secretgenerator.mittwald.de/v1alpha1 kind: StringSecret metadata: - name: {{ .Release.Name }}-cookie + name: memelord-raiko-redis spec: fields: - - fieldName: secret-key + - fieldName: redis-password length: "32" encoding: hex --- -apiVersion: apps/v1 -kind: Deployment +apiVersion: dragonflydb.io/v1alpha1 +kind: Dragonfly metadata: - name: {{ .Release.Name }} + name: memelord-raiko-redis spec: - replicas: 3 + authentication: + passwordFromSecret: + name: memelord-raiko-redis + key: redis-password + replicas: 1 + resources: + requests: + cpu: 500m + memory: 500Mi + limits: + cpu: 600m + memory: 750Mi +--- +apiVersion: secretgenerator.mittwald.de/v1alpha1 +kind: StringSecret +metadata: + name: memelord-raiko-database + labels: + cnpg.io/reload: "true" +spec: + data: + username: memelord-raiko + fields: + - fieldName: password + length: "32" + encoding: hex +--- +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + name: memelord-raiko-database +spec: + instances: 1 + imageName: ghcr.io/cloudnative-pg/postgresql:17 + storage: + size: 1Gi + storageClass: postgres + affinity: + podAntiAffinityType: required + nodeSelector: + codemowers.io/lvm-ubuntu-vg: enterprise-ssd + resources: + requests: + cpu: "100m" + memory: "1Gi" + limits: + cpu: "1" + memory: "4Gi" + postgresql: + parameters: + max_connections: "300" + shared_buffers: "512MB" + effective_cache_size: "2GB" + managed: + roles: + - name: memelord-raiko + ensure: present + login: true + passwordSecret: + name: memelord-raiko-database +--- +apiVersion: postgresql.cnpg.io/v1 +kind: Database +metadata: + name: memelord-raiko +spec: + name: memelord-raiko + owner: memelord-raiko + cluster: + name: memelord-raiko-database +--- +apiVersion: s3.onyxia.sh/v1alpha1 +kind: Policy +metadata: + name: memelord-raiko-policy +spec: + name: memelord-raiko-policy + s3InstanceRef: minio/default + policyContent: >- + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:*" + ], + "Resource": [ + "arn:aws:s3:::memelord-raiko", + "arn:aws:s3:::memelord-raiko/*" + ] + } + ] + } +--- +apiVersion: s3.onyxia.sh/v1alpha1 +kind: S3User +metadata: + name: memelord-raiko-bucket +spec: + accessKey: memelord-raiko-bucket + policies: + - memelord-raiko-policy + s3InstanceRef: minio/default +--- +apiVersion: s3.onyxia.sh/v1alpha1 +kind: Bucket +metadata: + name: memelord-raiko +spec: + name: memelord-raiko + s3InstanceRef: minio/default + quota: + default: 100000000 +--- +apiVersion: v1 +kind: Service +metadata: + name: memelord +spec: + type: ClusterIP selector: - matchLabels: - app: memelord - template: - metadata: - labels: - app: memelord - spec: - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: topology.kubernetes.io/zone - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: memelord - containers: - - name: memelord - image: ghcr.io/l4rm4nd/memelord:latest - imagePullPolicy: Always - ports: - - name: http - containerPort: 8000 - env: - - name: DOMAIN - value: {{ .Values.hostname }} - - name: DB_ENGINE - value: postgres - - name: POSTGRES_HOST - value: {{ .Release.Name }}-database-rw - - name: POSTGRES_PORT - value: '5432' - - name: POSTGRES_DB - value: {{ .Release.Name }} - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - name: {{ .Release.Name }}-database - key: username - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name }}-database - key: password - - name: REDIS_HOST - value: {{ .Release.Name }}-redis - - name: REDIS_PORT - value: '6379' - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name }}-redis - key: redis-password - - name: STORAGE_BACKEND - value: s3 - - name: CSP_IMG_SRC_EXTRA - value: https://minio.ee-lte-1.codemowers.io - - name: AWS_QUERYSTRING_AUTH - value: "true" - # S3/MinIO Storage Configuration - - name: STORAGE_BACKEND - value: "s3" - - name: AWS_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - name: {{ .Release.Name }}-bucket - key: accessKey - - name: AWS_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - name: {{ .Release.Name }}-bucket - key: secretKey - - name: AWS_STORAGE_BUCKET_NAME - value: "{{ .Release.Name }}" - - name: AWS_S3_REGION_NAME - value: "ee-lte-1" - - name: AWS_S3_ENDPOINT_URL - value: "https://minio.ee-lte-1.codemowers.io" - - name: AWS_LOCATION - value: "" # why is this set to 'media' in original? - - name: AWS_S3_ADDRESSING_STYLE - value: path - - name: DEBUG - value: "True" - - name: SECURE_COOKIES - value: "True" - - name: OIDC_ENABLED - value: "True" - - name: OIDC_RP_SIGN_ALGO - valueFrom: - secretKeyRef: - name: oidc-client-{{ .Release.Name }}-owner-secrets - key: OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG - - name: OIDC_OP_JWKS_ENDPOINT - value: https://auth.ee-lte-1.codemowers.io/jwks - - name: OIDC_RP_CLIENT_ID - valueFrom: - secretKeyRef: - name: oidc-client-{{ .Release.Name }}-owner-secrets - key: OIDC_CLIENT_ID - - name: OIDC_RP_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: oidc-client-{{ .Release.Name }}-owner-secrets - key: OIDC_CLIENT_SECRET - - name: OIDC_OP_AUTHORIZATION_ENDPOINT - valueFrom: - secretKeyRef: - name: oidc-client-{{ .Release.Name }}-owner-secrets - key: OIDC_IDP_AUTH_URI - - name: OIDC_OP_TOKEN_ENDPOINT - valueFrom: - secretKeyRef: - name: oidc-client-{{ .Release.Name }}-owner-secrets - key: OIDC_IDP_TOKEN_URI - - name: OIDC_OP_USER_ENDPOINT - valueFrom: - secretKeyRef: - name: oidc-client-{{ .Release.Name }}-owner-secrets - key: OIDC_IDP_USERINFO_URI - - name: SECRET_KEY - valueFrom: - secretKeyRef: - name: {{ .Release.Name }}-cookie - key: secret-key + app: memelord + ports: + - name: http + port: 80 + targetPort: 8000 +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: memelord-raiko +spec: + secretName: memelord-raiko-tls + dnsNames: + - memelord-raiko.ee-lte-1.codemowers.io + issuerRef: + name: letsencrypt + kind: ClusterIssuer +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: memelord-raiko + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: websecure +spec: + ingressClassName: traefik + rules: + - host: memelord-raiko.ee-lte-1.codemowers.io + http: + paths: + - pathType: Prefix + path: "/" + backend: + service: + name: memelord + port: + number: 80 + tls: + - secretName: memelord-raiko-tls diff --git a/templates/grafana.yaml b/templates/grafana.yaml new file mode 100644 index 0000000..43a6e4d --- /dev/null +++ b/templates/grafana.yaml @@ -0,0 +1,186 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: grafana-datasources + namespace: memelord-raiko +data: + datasources.yaml: | + apiVersion: 1 + datasources: + - name: Prometheus + type: prometheus + access: proxy + url: http://prometheus-operated.monitoring.svc.cluster.local:9090 + isDefault: true + editable: true + + - name: Loki + type: loki + access: proxy + url: http://loki.monitoring.svc.cluster.local:3100 + editable: true +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: grafana + namespace: memelord-raiko + labels: + app: grafana +spec: + serviceName: grafana + replicas: 1 + selector: + matchLabels: + app: grafana + template: + metadata: + labels: + app: grafana + spec: + containers: + - name: grafana + image: grafana/grafana:latest + imagePullPolicy: IfNotPresent + ports: + - containerPort: 3000 + name: http + env: + - name: GF_DATABASE_TYPE + value: sqlite3 + - name: GF_DATABASE_PATH + value: /var/lib/grafana/grafana.db + + - name: GF_SERVER_ROOT_URL + value: https://grafana-raiko.ee-lte-1.codemowers.io + + - name: GF_AUTH_GENERIC_OAUTH_ENABLED + value: "true" + - name: GF_AUTH_GENERIC_OAUTH_NAME + value: "Passmower" + - name: GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP + value: "true" + - name: GF_AUTH_GENERIC_OAUTH_CLIENT_ID + valueFrom: + secretKeyRef: + name: oidc-client-grafana-raiko-owner-secrets + key: OIDC_CLIENT_ID + - name: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: oidc-client-grafana-raiko-owner-secrets + key: OIDC_CLIENT_SECRET + - name: GF_AUTH_GENERIC_OAUTH_SCOPES + value: "openid profile groups" + - name: GF_AUTH_GENERIC_OAUTH_AUTH_URL + value: "https://auth.ee-lte-1.codemowers.io/auth" + - name: GF_AUTH_GENERIC_OAUTH_TOKEN_URL + value: "http://passmower.passmower.svc.cluster.local/token" + - name: GF_AUTH_GENERIC_OAUTH_API_URL + value: "http://passmower.passmower.svc.cluster.local/me" + # - name: GF_AUTH_GENERIC_OAUTH_SIGNOUT_REDIRECT_URL + # value: "https://auth.ee-lte-1.codemowers.io//openid/session/end" + + - name: GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH + value: "contains(groups[*], 'github.com:codemowers:admins') && 'Admin' || Viewer" + + - name: GF_AUTH_ANONYMOUS_ENABLED + value: "false" + + volumeMounts: + - name: grafana-storage + mountPath: /var/lib/grafana + - name: datasources + mountPath: /etc/grafana/provisioning/datasources + + + volumes: + - name: datasources + configMap: + name: grafana-datasources + + volumeClaimTemplates: + - metadata: + name: grafana-storage + spec: + accessModes: + - ReadWriteOnce + storageClassName: sqlite + resources: + requests: + storage: 5Gi +--- +apiVersion: v1 +kind: Service +metadata: + name: grafana + namespace: memelord-raiko + labels: + app: grafana +spec: + type: ClusterIP + selector: + app: grafana + ports: + - name: http + port: 80 + targetPort: 3000 +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: grafana-raiko + namespace: memelord-raiko +spec: + secretName: grafana-raiko-tls + dnsNames: + - grafana-raiko.ee-lte-1.codemowers.io + issuerRef: + name: letsencrypt + kind: ClusterIssuer +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: grafana-raiko + namespace: memelord-raiko + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: websecure +spec: + rules: + - host: grafana-raiko.ee-lte-1.codemowers.io + http: + paths: + - pathType: Prefix + path: "/" + backend: + service: + name: grafana + port: + number: 80 + tls: + - secretName: grafana-raiko-tls +--- +apiVersion: codemowers.cloud/v1beta1 +kind: OIDCClient +metadata: + name: grafana-raiko + namespace: memelord-raiko +spec: + displayName: Grafana Raiko + uri: https://grafana-raiko.ee-lte-1.codemowers.io/ + redirectUris: + - https://grafana-raiko.ee-lte-1.codemowers.io/login/generic_oauth + grantTypes: + - authorization_code + - refresh_token + responseTypes: + - code + availableScopes: + - openid + - profile + - groups + allowedGroups: + - github.com:codemowers:admins + pkce: false diff --git a/templates/http-probe.yaml b/templates/http-probe.yaml new file mode 100644 index 0000000..7bd67ff --- /dev/null +++ b/templates/http-probe.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: monitoring.coreos.com/v1 +kind: Probe +metadata: + name: reddit-probe +spec: + module: http_2xx + prober: + url: blackbox-exporter.monitoring.svc.cluster.local + targets: + staticConfig: + static: + - reddit.com diff --git a/templates/ingress.yaml b/templates/ingress.yaml deleted file mode 100644 index 46ec122..0000000 --- a/templates/ingress.yaml +++ /dev/null @@ -1,66 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ .Release.Name }} -spec: - type: ClusterIP - selector: - app: memelord - ports: - - name: http - port: 80 - targetPort: 8000 ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ .Release.Name }} -spec: - secretName: {{ .Release.Name }}-tls - dnsNames: - - {{ .Values.hostname }} - issuerRef: - name: letsencrypt - kind: ClusterIssuer ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: {{ .Release.Name }} - annotations: - traefik.ingress.kubernetes.io/router.entrypoints: websecure -spec: - rules: - - host: {{ .Values.hostname }} - http: - paths: - - pathType: Prefix - path: "/" - backend: - service: - name: {{ .Release.Name }} - port: - number: 80 - tls: - - secretName: {{ .Release.Name }}-tls - ---- -apiVersion: codemowers.cloud/v1beta1 -kind: OIDCClient -metadata: - name: {{ .Release.Name }} -spec: - displayName: Memelord raiko - uri: https://{{ .Values.hostname }}/oidc/authenticate/ - redirectUris: - - https://{{ .Values.hostname }}/oidc/callback/ - grantTypes: - - authorization_code - - refresh_token - responseTypes: - - code - availableScopes: - - openid - - profile - pkce: false diff --git a/templates/postgres.yaml b/templates/postgres.yaml deleted file mode 100644 index 6087a69..0000000 --- a/templates/postgres.yaml +++ /dev/null @@ -1,66 +0,0 @@ ---- -apiVersion: secretgenerator.mittwald.de/v1alpha1 -kind: StringSecret -metadata: - name: {{ .Release.Name }}-database - labels: - cnpg.io/reload: "true" -spec: - data: - username: {{ .Release.Name }} - fields: - - fieldName: password - length: "32" - encoding: hex ---- -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: {{ .Release.Name }}-database -spec: - instances: 2 - imageName: ghcr.io/cloudnative-pg/postgresql:17 - storage: - size: 1Gi - storageClass: postgres - affinity: - additionalPodAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchLabels: - app: memelord - topologyKey: topology.kubernetes.io/zone - podAntiAffinityType: required - nodeSelector: - codemowers.io/lvm-ubuntu-vg: enterprise-ssd - resources: - requests: - cpu: "100m" - memory: "1Gi" - limits: - cpu: "1" - memory: "4Gi" - postgresql: - parameters: - max_connections: "300" - shared_buffers: "512MB" - effective_cache_size: "2GB" - managed: - roles: - - name: {{ .Release.Name }} - ensure: present - login: true - passwordSecret: - name: {{ .Release.Name }}-database ---- -apiVersion: postgresql.cnpg.io/v1 -kind: Database -metadata: - name: {{ .Release.Name }} -spec: - name: {{ .Release.Name }} - owner: {{ .Release.Name }} - cluster: - name: {{ .Release.Name }}-database diff --git a/templates/redis.yaml b/templates/redis.yaml deleted file mode 100644 index 021a7f3..0000000 --- a/templates/redis.yaml +++ /dev/null @@ -1,37 +0,0 @@ ---- -apiVersion: secretgenerator.mittwald.de/v1alpha1 -kind: StringSecret -metadata: - name: {{ .Release.Name }}-redis -spec: - fields: - - fieldName: redis-password - length: "32" - encoding: hex ---- -apiVersion: dragonflydb.io/v1alpha1 -kind: Dragonfly -metadata: - name: {{ .Release.Name }}-redis -spec: - affinity: - podAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchLabels: - app: memelord - topologyKey: topology.kubernetes.io/zone - authentication: - passwordFromSecret: - name: {{ .Release.Name }}-redis - key: redis-password - replicas: 2 - resources: - requests: - cpu: 500m - memory: 500Mi - limits: - cpu: 600m - memory: 750Mi