raikoo2/memelord-raiko
1
0
Fork 0
Code Issues Pull Requests Packages Releases Activity

push

Browse Source
This commit is contained in:
Raiko Oll
2026-02-16 21:42:07 +02:00
parent bd1790c4b6
commit 4c1750a6fd
8 changed files with 470 additions and 344 deletions
Download Patch File Download Diff File Expand all files Collapse all files

106
templates/app.yaml Normal file
View File

@@ -0,0 +1,106 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: memelord
namespace: memelord-raiko
spec:
replicas: 1
selector:
matchLabels:
app: memelord
template:
metadata:
labels:
app: memelord
spec:
containers:
- name: memelord
image: ghcr.io/l4rm4nd/memelord:latest
imagePullPolicy: Always
ports:
- name: http
containerPort: 8000
protocol: TCP
env:
- name: DOMAIN
value: "memelord-raiko.ee-lte-1.codemowers.io"
- name: DB_ENGINE
value: "postgres"
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: memelord-raiko-database
key: username
- name: POSTGRES_HOST
value: "memelord-raiko-database-rw"
- name: POSTGRES_PORT
value: "5432"
- name: POSTGRES_DB
value: "memelord-raiko"
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: memelord-raiko-database
key: password
- name: REDIS_HOST
value: "memelord-raiko-redis"
- name: REDIS_PORT
value: "6379"
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: memelord-raiko-redis
key: redis-password
- name: STORAGE_BACKEND
value: "s3"
- name: AWS_STORAGE_BUCKET_NAME
value: "memelord-raiko"
- name: AWS_S3_ENDPOINT_URL
value: "https://minio.ee-lte-1.codemowers.io/"
- name: AWS_S3_REGION_NAME
value: "ee-lte-1"
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: memelord-raiko-bucket
key: accessKey
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: memelord-raiko-bucket
key: secretKey
- name: OIDC_ENABLED
value: "True"
- name: OIDC_CREATE_USER
value: "True"
- name: OIDC_RP_CLIENT_ID
valueFrom:
secretKeyRef:
name: oidc-client-memelord-raiko-owner-secrets
key: OIDC_CLIENT_ID
- name: OIDC_RP_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: oidc-client-memelord-raiko-owner-secrets
key: OIDC_CLIENT_SECRET
- name: OIDC_OP_AUTHORIZATION_ENDPOINT
value: "https://auth.ee-lte-1.codemowers.io/auth"
- name: OIDC_OP_TOKEN_ENDPOINT
value: "http://passmower.passmower.svc.cluster.local/token"
- name: OIDC_OP_USER_ENDPOINT
value: "http://passmower.passmower.svc.cluster.local/me"
- name: OIDC_OP_JWKS_ENDPOINT
value: "http://passmower.passmower.svc.cluster.local/jwks"
- name: OIDC_RP_SIGN_ALGO
value: "RS256"
- name: OIDC_AUTOLOGIN
value: "False"
- name: DEBUG
value: "True"
- name: SECURE_COOKIES
value: "True"
- name: ENABLE_PUBLIC_FEED
value: "True"
- name: AWS_S3_ADDRESSING_STYLE
value: path

46
templates/bucket.yaml
View File

@@ -1,46 +0,0 @@
---
apiVersion: s3.onyxia.sh/v1alpha1
kind: Policy
metadata:
name: {{ .Release.Name }}-policy
spec:
name: {{ .Release.Name }}-policy
s3InstanceRef: minio/default
policyContent: >-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::{{ .Release.Name }}",
"arn:aws:s3:::{{ .Release.Name }}/*"
]
}
]
}
---
apiVersion: s3.onyxia.sh/v1alpha1
kind: S3User
metadata:
name: {{ .Release.Name }}-bucket
spec:
accessKey: {{ .Release.Name }}-bucket # This is automatically created
policies:
- {{ .Release.Name }}-policy
s3InstanceRef: minio/default
---
apiVersion: s3.onyxia.sh/v1alpha1
kind: Bucket
metadata:
name: {{ .Release.Name }}
spec:
name: {{ .Release.Name }}
s3InstanceRef: minio/default
quota:
default: 100000000

294
templates/deployment.yaml
View File

@@ -2,140 +2,176 @@
apiVersion: secretgenerator.mittwald.de/v1alpha1 apiVersion: secretgenerator.mittwald.de/v1alpha1
kind: StringSecret kind: StringSecret
metadata: metadata:
name: {{ .Release.Name }}-cookie name: memelord-raiko-redis
spec: spec:
fields: fields:
- fieldName: secret-key - fieldName: redis-password
length: "32" length: "32"
encoding: hex encoding: hex
--- ---
apiVersion: apps/v1 apiVersion: dragonflydb.io/v1alpha1
kind: Deployment kind: Dragonfly
metadata: metadata:
name: {{ .Release.Name }} name: memelord-raiko-redis
spec: spec:
replicas: 3 authentication:
passwordFromSecret:
name: memelord-raiko-redis
key: redis-password
replicas: 1
resources:
requests:
cpu: 500m
memory: 500Mi
limits:
cpu: 600m
memory: 750Mi
---
apiVersion: secretgenerator.mittwald.de/v1alpha1
kind: StringSecret
metadata:
name: memelord-raiko-database
labels:
cnpg.io/reload: "true"
spec:
data:
username: memelord-raiko
fields:
- fieldName: password
length: "32"
encoding: hex
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: memelord-raiko-database
spec:
instances: 1
imageName: ghcr.io/cloudnative-pg/postgresql:17
storage:
size: 1Gi
storageClass: postgres
affinity:
podAntiAffinityType: required
nodeSelector:
codemowers.io/lvm-ubuntu-vg: enterprise-ssd
resources:
requests:
cpu: "100m"
memory: "1Gi"
limits:
cpu: "1"
memory: "4Gi"
postgresql:
parameters:
max_connections: "300"
shared_buffers: "512MB"
effective_cache_size: "2GB"
managed:
roles:
- name: memelord-raiko
ensure: present
login: true
passwordSecret:
name: memelord-raiko-database
---
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: memelord-raiko
spec:
name: memelord-raiko
owner: memelord-raiko
cluster:
name: memelord-raiko-database
---
apiVersion: s3.onyxia.sh/v1alpha1
kind: Policy
metadata:
name: memelord-raiko-policy
spec:
name: memelord-raiko-policy
s3InstanceRef: minio/default
policyContent: >-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::memelord-raiko",
"arn:aws:s3:::memelord-raiko/*"
]
}
]
}
---
apiVersion: s3.onyxia.sh/v1alpha1
kind: S3User
metadata:
name: memelord-raiko-bucket
spec:
accessKey: memelord-raiko-bucket
policies:
- memelord-raiko-policy
s3InstanceRef: minio/default
---
apiVersion: s3.onyxia.sh/v1alpha1
kind: Bucket
metadata:
name: memelord-raiko
spec:
name: memelord-raiko
s3InstanceRef: minio/default
quota:
default: 100000000
---
apiVersion: v1
kind: Service
metadata:
name: memelord
spec:
type: ClusterIP
selector: selector:
matchLabels: app: memelord
app: memelord ports:
template: - name: http
metadata: port: 80
labels: targetPort: 8000
app: memelord ---
spec: apiVersion: cert-manager.io/v1
topologySpreadConstraints: kind: Certificate
- maxSkew: 1 metadata:
topologyKey: topology.kubernetes.io/zone name: memelord-raiko
whenUnsatisfiable: ScheduleAnyway spec:
labelSelector: secretName: memelord-raiko-tls
matchLabels: dnsNames:
app: memelord - memelord-raiko.ee-lte-1.codemowers.io
containers: issuerRef:
- name: memelord name: letsencrypt
image: ghcr.io/l4rm4nd/memelord:latest kind: ClusterIssuer
imagePullPolicy: Always ---
ports: apiVersion: networking.k8s.io/v1
- name: http kind: Ingress
containerPort: 8000 metadata:
env: name: memelord-raiko
- name: DOMAIN annotations:
value: {{ .Values.hostname }} traefik.ingress.kubernetes.io/router.entrypoints: websecure
- name: DB_ENGINE spec:
value: postgres ingressClassName: traefik
- name: POSTGRES_HOST rules:
value: {{ .Release.Name }}-database-rw - host: memelord-raiko.ee-lte-1.codemowers.io
- name: POSTGRES_PORT http:
value: '5432' paths:
- name: POSTGRES_DB - pathType: Prefix
value: {{ .Release.Name }} path: "/"
- name: POSTGRES_USER backend:
valueFrom: service:
secretKeyRef: name: memelord
name: {{ .Release.Name }}-database port:
key: username number: 80
- name: POSTGRES_PASSWORD tls:
valueFrom: - secretName: memelord-raiko-tls
secretKeyRef:
name: {{ .Release.Name }}-database
key: password
- name: REDIS_HOST
value: {{ .Release.Name }}-redis
- name: REDIS_PORT
value: '6379'
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-redis
key: redis-password
- name: STORAGE_BACKEND
value: s3
- name: CSP_IMG_SRC_EXTRA
value: https://minio.ee-lte-1.codemowers.io
- name: AWS_QUERYSTRING_AUTH
value: "true"
# S3/MinIO Storage Configuration
- name: STORAGE_BACKEND
value: "s3"
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-bucket
key: accessKey
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-bucket
key: secretKey
- name: AWS_STORAGE_BUCKET_NAME
value: "{{ .Release.Name }}"
- name: AWS_S3_REGION_NAME
value: "ee-lte-1"
- name: AWS_S3_ENDPOINT_URL
value: "https://minio.ee-lte-1.codemowers.io"
- name: AWS_LOCATION
value: "" # why is this set to 'media' in original?
- name: AWS_S3_ADDRESSING_STYLE
value: path
- name: DEBUG
value: "True"
- name: SECURE_COOKIES
value: "True"
- name: OIDC_ENABLED
value: "True"
- name: OIDC_RP_SIGN_ALGO
valueFrom:
secretKeyRef:
name: oidc-client-{{ .Release.Name }}-owner-secrets
key: OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG
- name: OIDC_OP_JWKS_ENDPOINT
value: https://auth.ee-lte-1.codemowers.io/jwks
- name: OIDC_RP_CLIENT_ID
valueFrom:
secretKeyRef:
name: oidc-client-{{ .Release.Name }}-owner-secrets
key: OIDC_CLIENT_ID
- name: OIDC_RP_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: oidc-client-{{ .Release.Name }}-owner-secrets
key: OIDC_CLIENT_SECRET
- name: OIDC_OP_AUTHORIZATION_ENDPOINT
valueFrom:
secretKeyRef:
name: oidc-client-{{ .Release.Name }}-owner-secrets
key: OIDC_IDP_AUTH_URI
- name: OIDC_OP_TOKEN_ENDPOINT
valueFrom:
secretKeyRef:
name: oidc-client-{{ .Release.Name }}-owner-secrets
key: OIDC_IDP_TOKEN_URI
- name: OIDC_OP_USER_ENDPOINT
valueFrom:
secretKeyRef:
name: oidc-client-{{ .Release.Name }}-owner-secrets
key: OIDC_IDP_USERINFO_URI
- name: SECRET_KEY
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-cookie
key: secret-key

186
templates/grafana.yaml Normal file
View File

@@ -0,0 +1,186 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: grafana-datasources
namespace: memelord-raiko
data:
datasources.yaml: |
apiVersion: 1
datasources:
- name: Prometheus
type: prometheus
access: proxy
url: http://prometheus-operated.monitoring.svc.cluster.local:9090
isDefault: true
editable: true
- name: Loki
type: loki
access: proxy
url: http://loki.monitoring.svc.cluster.local:3100
editable: true
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: grafana
namespace: memelord-raiko
labels:
app: grafana
spec:
serviceName: grafana
replicas: 1
selector:
matchLabels:
app: grafana
template:
metadata:
labels:
app: grafana
spec:
containers:
- name: grafana
image: grafana/grafana:latest
imagePullPolicy: IfNotPresent
ports:
- containerPort: 3000
name: http
env:
- name: GF_DATABASE_TYPE
value: sqlite3
- name: GF_DATABASE_PATH
value: /var/lib/grafana/grafana.db
- name: GF_SERVER_ROOT_URL
value: https://grafana-raiko.ee-lte-1.codemowers.io
- name: GF_AUTH_GENERIC_OAUTH_ENABLED
value: "true"
- name: GF_AUTH_GENERIC_OAUTH_NAME
value: "Passmower"
- name: GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP
value: "true"
- name: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
valueFrom:
secretKeyRef:
name: oidc-client-grafana-raiko-owner-secrets
key: OIDC_CLIENT_ID
- name: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: oidc-client-grafana-raiko-owner-secrets
key: OIDC_CLIENT_SECRET
- name: GF_AUTH_GENERIC_OAUTH_SCOPES
value: "openid profile groups"
- name: GF_AUTH_GENERIC_OAUTH_AUTH_URL
value: "https://auth.ee-lte-1.codemowers.io/auth"
- name: GF_AUTH_GENERIC_OAUTH_TOKEN_URL
value: "http://passmower.passmower.svc.cluster.local/token"
- name: GF_AUTH_GENERIC_OAUTH_API_URL
value: "http://passmower.passmower.svc.cluster.local/me"
# - name: GF_AUTH_GENERIC_OAUTH_SIGNOUT_REDIRECT_URL
# value: "https://auth.ee-lte-1.codemowers.io//openid/session/end"
- name: GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH
value: "contains(groups[*], 'github.com:codemowers:admins') && 'Admin' || Viewer"
- name: GF_AUTH_ANONYMOUS_ENABLED
value: "false"
volumeMounts:
- name: grafana-storage
mountPath: /var/lib/grafana
- name: datasources
mountPath: /etc/grafana/provisioning/datasources
volumes:
- name: datasources
configMap:
name: grafana-datasources
volumeClaimTemplates:
- metadata:
name: grafana-storage
spec:
accessModes:
- ReadWriteOnce
storageClassName: sqlite
resources:
requests:
storage: 5Gi
---
apiVersion: v1
kind: Service
metadata:
name: grafana
namespace: memelord-raiko
labels:
app: grafana
spec:
type: ClusterIP
selector:
app: grafana
ports:
- name: http
port: 80
targetPort: 3000
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: grafana-raiko
namespace: memelord-raiko
spec:
secretName: grafana-raiko-tls
dnsNames:
- grafana-raiko.ee-lte-1.codemowers.io
issuerRef:
name: letsencrypt
kind: ClusterIssuer
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: grafana-raiko
namespace: memelord-raiko
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
rules:
- host: grafana-raiko.ee-lte-1.codemowers.io
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: grafana
port:
number: 80
tls:
- secretName: grafana-raiko-tls
---
apiVersion: codemowers.cloud/v1beta1
kind: OIDCClient
metadata:
name: grafana-raiko
namespace: memelord-raiko
spec:
displayName: Grafana Raiko
uri: https://grafana-raiko.ee-lte-1.codemowers.io/
redirectUris:
- https://grafana-raiko.ee-lte-1.codemowers.io/login/generic_oauth
grantTypes:
- authorization_code
- refresh_token
responseTypes:
- code
availableScopes:
- openid
- profile
- groups
allowedGroups:
- github.com:codemowers:admins
pkce: false

13
templates/http-probe.yaml Normal file
View File

@@ -0,0 +1,13 @@
---
apiVersion: monitoring.coreos.com/v1
kind: Probe
metadata:
name: reddit-probe
spec:
module: http_2xx
prober:
url: blackbox-exporter.monitoring.svc.cluster.local
targets:
staticConfig:
static:
- reddit.com

66
templates/ingress.yaml
View File

@@ -1,66 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}
spec:
type: ClusterIP
selector:
app: memelord
ports:
- name: http
port: 80
targetPort: 8000
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ .Release.Name }}
spec:
secretName: {{ .Release.Name }}-tls
dnsNames:
- {{ .Values.hostname }}
issuerRef:
name: letsencrypt
kind: ClusterIssuer
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ .Release.Name }}
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
rules:
- host: {{ .Values.hostname }}
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: {{ .Release.Name }}
port:
number: 80
tls:
- secretName: {{ .Release.Name }}-tls
---
apiVersion: codemowers.cloud/v1beta1
kind: OIDCClient
metadata:
name: {{ .Release.Name }}
spec:
displayName: Memelord raiko
uri: https://{{ .Values.hostname }}/oidc/authenticate/
redirectUris:
- https://{{ .Values.hostname }}/oidc/callback/
grantTypes:
- authorization_code
- refresh_token
responseTypes:
- code
availableScopes:
- openid
- profile
pkce: false

66
templates/postgres.yaml
View File

@@ -1,66 +0,0 @@
---
apiVersion: secretgenerator.mittwald.de/v1alpha1
kind: StringSecret
metadata:
name: {{ .Release.Name }}-database
labels:
cnpg.io/reload: "true"
spec:
data:
username: {{ .Release.Name }}
fields:
- fieldName: password
length: "32"
encoding: hex
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: {{ .Release.Name }}-database
spec:
instances: 2
imageName: ghcr.io/cloudnative-pg/postgresql:17
storage:
size: 1Gi
storageClass: postgres
affinity:
additionalPodAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
app: memelord
topologyKey: topology.kubernetes.io/zone
podAntiAffinityType: required
nodeSelector:
codemowers.io/lvm-ubuntu-vg: enterprise-ssd
resources:
requests:
cpu: "100m"
memory: "1Gi"
limits:
cpu: "1"
memory: "4Gi"
postgresql:
parameters:
max_connections: "300"
shared_buffers: "512MB"
effective_cache_size: "2GB"
managed:
roles:
- name: {{ .Release.Name }}
ensure: present
login: true
passwordSecret:
name: {{ .Release.Name }}-database
---
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: {{ .Release.Name }}
spec:
name: {{ .Release.Name }}
owner: {{ .Release.Name }}
cluster:
name: {{ .Release.Name }}-database

37
templates/redis.yaml
View File

@@ -1,37 +0,0 @@
---
apiVersion: secretgenerator.mittwald.de/v1alpha1
kind: StringSecret
metadata:
name: {{ .Release.Name }}-redis
spec:
fields:
- fieldName: redis-password
length: "32"
encoding: hex
---
apiVersion: dragonflydb.io/v1alpha1
kind: Dragonfly
metadata:
name: {{ .Release.Name }}-redis
spec:
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
app: memelord
topologyKey: topology.kubernetes.io/zone
authentication:
passwordFromSecret:
name: {{ .Release.Name }}-redis
key: redis-password
replicas: 2
resources:
requests:
cpu: 500m
memory: 500Mi
limits:
cpu: 600m
memory: 750Mi