From bd1790c4b64e1413af711ac82116df1f7ba1dd8f Mon Sep 17 00:00:00 2001 From: Raiko Oll Date: Mon, 16 Feb 2026 21:36:09 +0200 Subject: [PATCH] push --- templates/app.yaml | 106 -------------- templates/bucket.yaml | 46 ++++++ templates/deployment.yaml | 294 +++++++++++++++++--------------------- templates/grafana.yaml | 186 ------------------------ templates/http-probe.yaml | 13 -- templates/ingress.yaml | 66 +++++++++ templates/postgres.yaml | 66 +++++++++ templates/redis.yaml | 37 +++++ 8 files changed, 344 insertions(+), 470 deletions(-) delete mode 100644 templates/app.yaml create mode 100644 templates/bucket.yaml delete mode 100644 templates/grafana.yaml delete mode 100644 templates/http-probe.yaml create mode 100644 templates/ingress.yaml create mode 100644 templates/postgres.yaml create mode 100644 templates/redis.yaml diff --git a/templates/app.yaml b/templates/app.yaml deleted file mode 100644 index f9c7c31..0000000 --- a/templates/app.yaml +++ /dev/null @@ -1,106 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: memelord - namespace: memelord-raiko -spec: - replicas: 1 - selector: - matchLabels: - app: memelord - template: - metadata: - labels: - app: memelord - spec: - containers: - - name: memelord - image: ghcr.io/l4rm4nd/memelord:latest - imagePullPolicy: Always - ports: - - name: http - containerPort: 8000 - protocol: TCP - - env: - - name: DOMAIN - value: "{{ .Values.hostname }}" - - name: DB_ENGINE - value: "postgres" - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - name: memelord-raiko-database - key: username - - name: POSTGRES_HOST - value: "memelord-raiko-database-rw" - - name: POSTGRES_PORT - value: "5432" - - name: POSTGRES_DB - value: "memelord-raiko" - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: memelord-raiko-database - key: password - - name: REDIS_HOST - value: "memelord-raiko-redis" - - name: REDIS_PORT - value: "6379" - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: memelord-raiko-redis - key: redis-password - - name: STORAGE_BACKEND - value: "s3" - - name: AWS_STORAGE_BUCKET_NAME - value: "memelord-raiko" - - name: AWS_S3_ENDPOINT_URL - value: "https://minio.ee-lte-1.codemowers.io/" - - name: AWS_S3_REGION_NAME - value: "ee-lte-1" - - name: AWS_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - name: memelord-raiko-bucket - key: accessKey - - name: AWS_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - name: memelord-raiko-bucket - key: secretKey - - name: OIDC_ENABLED - value: "True" - - name: OIDC_CREATE_USER - value: "True" - - name: OIDC_RP_CLIENT_ID - valueFrom: - secretKeyRef: - name: oidc-client-memelord-raiko-owner-secrets - key: OIDC_CLIENT_ID - - name: OIDC_RP_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: oidc-client-memelord-raiko-owner-secrets - key: OIDC_CLIENT_SECRET - - name: OIDC_OP_AUTHORIZATION_ENDPOINT - value: "https://auth.ee-lte-1.codemowers.io/auth" - - name: OIDC_OP_TOKEN_ENDPOINT - value: "http://passmower.passmower.svc.cluster.local/token" - - name: OIDC_OP_USER_ENDPOINT - value: "http://passmower.passmower.svc.cluster.local/me" - - name: OIDC_OP_JWKS_ENDPOINT - value: "http://passmower.passmower.svc.cluster.local/jwks" - - name: OIDC_RP_SIGN_ALGO - value: "RS256" - - name: OIDC_AUTOLOGIN - value: "False" - - name: DEBUG - value: "True" - - name: SECURE_COOKIES - value: "True" - - name: ENABLE_PUBLIC_FEED - value: "True" - - name: AWS_S3_ADDRESSING_STYLE - value: path diff --git a/templates/bucket.yaml b/templates/bucket.yaml new file mode 100644 index 0000000..310ec61 --- /dev/null +++ b/templates/bucket.yaml @@ -0,0 +1,46 @@ +--- +apiVersion: s3.onyxia.sh/v1alpha1 +kind: Policy +metadata: + name: {{ .Release.Name }}-policy +spec: + name: {{ .Release.Name }}-policy + s3InstanceRef: minio/default + policyContent: >- + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:ListBucket", + "s3:GetObject", + "s3:PutObject" + ], + "Resource": [ + "arn:aws:s3:::{{ .Release.Name }}", + "arn:aws:s3:::{{ .Release.Name }}/*" + ] + } + ] + } +--- +apiVersion: s3.onyxia.sh/v1alpha1 +kind: S3User +metadata: + name: {{ .Release.Name }}-bucket +spec: + accessKey: {{ .Release.Name }}-bucket # This is automatically created + policies: + - {{ .Release.Name }}-policy + s3InstanceRef: minio/default +--- +apiVersion: s3.onyxia.sh/v1alpha1 +kind: Bucket +metadata: + name: {{ .Release.Name }} +spec: + name: {{ .Release.Name }} + s3InstanceRef: minio/default + quota: + default: 100000000 diff --git a/templates/deployment.yaml b/templates/deployment.yaml index 54bb11f..f4865cc 100644 --- a/templates/deployment.yaml +++ b/templates/deployment.yaml @@ -2,176 +2,140 @@ apiVersion: secretgenerator.mittwald.de/v1alpha1 kind: StringSecret metadata: - name: memelord-raiko-redis + name: {{ .Release.Name }}-cookie spec: fields: - - fieldName: redis-password + - fieldName: secret-key length: "32" encoding: hex --- -apiVersion: dragonflydb.io/v1alpha1 -kind: Dragonfly +apiVersion: apps/v1 +kind: Deployment metadata: - name: memelord-raiko-redis + name: {{ .Release.Name }} spec: - authentication: - passwordFromSecret: - name: memelord-raiko-redis - key: redis-password - replicas: 1 - resources: - requests: - cpu: 500m - memory: 500Mi - limits: - cpu: 600m - memory: 750Mi ---- -apiVersion: secretgenerator.mittwald.de/v1alpha1 -kind: StringSecret -metadata: - name: memelord-raiko-database - labels: - cnpg.io/reload: "true" -spec: - data: - username: memelord-raiko - fields: - - fieldName: password - length: "32" - encoding: hex ---- -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: memelord-raiko-database -spec: - instances: 1 - imageName: ghcr.io/cloudnative-pg/postgresql:17 - storage: - size: 1Gi - storageClass: postgres - affinity: - podAntiAffinityType: required - nodeSelector: - codemowers.io/lvm-ubuntu-vg: enterprise-ssd - resources: - requests: - cpu: "100m" - memory: "1Gi" - limits: - cpu: "1" - memory: "4Gi" - postgresql: - parameters: - max_connections: "300" - shared_buffers: "512MB" - effective_cache_size: "2GB" - managed: - roles: - - name: memelord-raiko - ensure: present - login: true - passwordSecret: - name: memelord-raiko-database ---- -apiVersion: postgresql.cnpg.io/v1 -kind: Database -metadata: - name: memelord-raiko -spec: - name: memelord-raiko - owner: memelord-raiko - cluster: - name: memelord-raiko-database ---- -apiVersion: s3.onyxia.sh/v1alpha1 -kind: Policy -metadata: - name: memelord-raiko-policy -spec: - name: memelord-raiko-policy - s3InstanceRef: minio/default - policyContent: >- - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "s3:*" - ], - "Resource": [ - "arn:aws:s3:::memelord-raiko", - "arn:aws:s3:::memelord-raiko/*" - ] - } - ] - } ---- -apiVersion: s3.onyxia.sh/v1alpha1 -kind: S3User -metadata: - name: memelord-raiko-bucket -spec: - accessKey: memelord-raiko-bucket - policies: - - memelord-raiko-policy - s3InstanceRef: minio/default ---- -apiVersion: s3.onyxia.sh/v1alpha1 -kind: Bucket -metadata: - name: memelord-raiko -spec: - name: memelord-raiko - s3InstanceRef: minio/default - quota: - default: 100000000 ---- -apiVersion: v1 -kind: Service -metadata: - name: memelord -spec: - type: ClusterIP + replicas: 3 selector: - app: memelord - ports: - - name: http - port: 80 - targetPort: 8000 ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: memelord-raiko -spec: - secretName: memelord-raiko-tls - dnsNames: - - {{ .Values.hostname }} - issuerRef: - name: letsencrypt - kind: ClusterIssuer ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: memelord-raiko - annotations: - traefik.ingress.kubernetes.io/router.entrypoints: websecure -spec: - ingressClassName: traefik - rules: - - host: {{ .Values.hostname }} - http: - paths: - - pathType: Prefix - path: "/" - backend: - service: - name: memelord - port: - number: 80 - tls: - - secretName: memelord-raiko-tls + matchLabels: + app: memelord + template: + metadata: + labels: + app: memelord + spec: + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app: memelord + containers: + - name: memelord + image: ghcr.io/l4rm4nd/memelord:latest + imagePullPolicy: Always + ports: + - name: http + containerPort: 8000 + env: + - name: DOMAIN + value: {{ .Values.hostname }} + - name: DB_ENGINE + value: postgres + - name: POSTGRES_HOST + value: {{ .Release.Name }}-database-rw + - name: POSTGRES_PORT + value: '5432' + - name: POSTGRES_DB + value: {{ .Release.Name }} + - name: POSTGRES_USER + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-database + key: username + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-database + key: password + - name: REDIS_HOST + value: {{ .Release.Name }}-redis + - name: REDIS_PORT + value: '6379' + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-redis + key: redis-password + - name: STORAGE_BACKEND + value: s3 + - name: CSP_IMG_SRC_EXTRA + value: https://minio.ee-lte-1.codemowers.io + - name: AWS_QUERYSTRING_AUTH + value: "true" + # S3/MinIO Storage Configuration + - name: STORAGE_BACKEND + value: "s3" + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-bucket + key: accessKey + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-bucket + key: secretKey + - name: AWS_STORAGE_BUCKET_NAME + value: "{{ .Release.Name }}" + - name: AWS_S3_REGION_NAME + value: "ee-lte-1" + - name: AWS_S3_ENDPOINT_URL + value: "https://minio.ee-lte-1.codemowers.io" + - name: AWS_LOCATION + value: "" # why is this set to 'media' in original? + - name: AWS_S3_ADDRESSING_STYLE + value: path + - name: DEBUG + value: "True" + - name: SECURE_COOKIES + value: "True" + - name: OIDC_ENABLED + value: "True" + - name: OIDC_RP_SIGN_ALGO + valueFrom: + secretKeyRef: + name: oidc-client-{{ .Release.Name }}-owner-secrets + key: OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG + - name: OIDC_OP_JWKS_ENDPOINT + value: https://auth.ee-lte-1.codemowers.io/jwks + - name: OIDC_RP_CLIENT_ID + valueFrom: + secretKeyRef: + name: oidc-client-{{ .Release.Name }}-owner-secrets + key: OIDC_CLIENT_ID + - name: OIDC_RP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: oidc-client-{{ .Release.Name }}-owner-secrets + key: OIDC_CLIENT_SECRET + - name: OIDC_OP_AUTHORIZATION_ENDPOINT + valueFrom: + secretKeyRef: + name: oidc-client-{{ .Release.Name }}-owner-secrets + key: OIDC_IDP_AUTH_URI + - name: OIDC_OP_TOKEN_ENDPOINT + valueFrom: + secretKeyRef: + name: oidc-client-{{ .Release.Name }}-owner-secrets + key: OIDC_IDP_TOKEN_URI + - name: OIDC_OP_USER_ENDPOINT + valueFrom: + secretKeyRef: + name: oidc-client-{{ .Release.Name }}-owner-secrets + key: OIDC_IDP_USERINFO_URI + - name: SECRET_KEY + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-cookie + key: secret-key diff --git a/templates/grafana.yaml b/templates/grafana.yaml deleted file mode 100644 index 43a6e4d..0000000 --- a/templates/grafana.yaml +++ /dev/null @@ -1,186 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: grafana-datasources - namespace: memelord-raiko -data: - datasources.yaml: | - apiVersion: 1 - datasources: - - name: Prometheus - type: prometheus - access: proxy - url: http://prometheus-operated.monitoring.svc.cluster.local:9090 - isDefault: true - editable: true - - - name: Loki - type: loki - access: proxy - url: http://loki.monitoring.svc.cluster.local:3100 - editable: true ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: grafana - namespace: memelord-raiko - labels: - app: grafana -spec: - serviceName: grafana - replicas: 1 - selector: - matchLabels: - app: grafana - template: - metadata: - labels: - app: grafana - spec: - containers: - - name: grafana - image: grafana/grafana:latest - imagePullPolicy: IfNotPresent - ports: - - containerPort: 3000 - name: http - env: - - name: GF_DATABASE_TYPE - value: sqlite3 - - name: GF_DATABASE_PATH - value: /var/lib/grafana/grafana.db - - - name: GF_SERVER_ROOT_URL - value: https://grafana-raiko.ee-lte-1.codemowers.io - - - name: GF_AUTH_GENERIC_OAUTH_ENABLED - value: "true" - - name: GF_AUTH_GENERIC_OAUTH_NAME - value: "Passmower" - - name: GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP - value: "true" - - name: GF_AUTH_GENERIC_OAUTH_CLIENT_ID - valueFrom: - secretKeyRef: - name: oidc-client-grafana-raiko-owner-secrets - key: OIDC_CLIENT_ID - - name: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: oidc-client-grafana-raiko-owner-secrets - key: OIDC_CLIENT_SECRET - - name: GF_AUTH_GENERIC_OAUTH_SCOPES - value: "openid profile groups" - - name: GF_AUTH_GENERIC_OAUTH_AUTH_URL - value: "https://auth.ee-lte-1.codemowers.io/auth" - - name: GF_AUTH_GENERIC_OAUTH_TOKEN_URL - value: "http://passmower.passmower.svc.cluster.local/token" - - name: GF_AUTH_GENERIC_OAUTH_API_URL - value: "http://passmower.passmower.svc.cluster.local/me" - # - name: GF_AUTH_GENERIC_OAUTH_SIGNOUT_REDIRECT_URL - # value: "https://auth.ee-lte-1.codemowers.io//openid/session/end" - - - name: GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH - value: "contains(groups[*], 'github.com:codemowers:admins') && 'Admin' || Viewer" - - - name: GF_AUTH_ANONYMOUS_ENABLED - value: "false" - - volumeMounts: - - name: grafana-storage - mountPath: /var/lib/grafana - - name: datasources - mountPath: /etc/grafana/provisioning/datasources - - - volumes: - - name: datasources - configMap: - name: grafana-datasources - - volumeClaimTemplates: - - metadata: - name: grafana-storage - spec: - accessModes: - - ReadWriteOnce - storageClassName: sqlite - resources: - requests: - storage: 5Gi ---- -apiVersion: v1 -kind: Service -metadata: - name: grafana - namespace: memelord-raiko - labels: - app: grafana -spec: - type: ClusterIP - selector: - app: grafana - ports: - - name: http - port: 80 - targetPort: 3000 ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: grafana-raiko - namespace: memelord-raiko -spec: - secretName: grafana-raiko-tls - dnsNames: - - grafana-raiko.ee-lte-1.codemowers.io - issuerRef: - name: letsencrypt - kind: ClusterIssuer ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: grafana-raiko - namespace: memelord-raiko - annotations: - traefik.ingress.kubernetes.io/router.entrypoints: websecure -spec: - rules: - - host: grafana-raiko.ee-lte-1.codemowers.io - http: - paths: - - pathType: Prefix - path: "/" - backend: - service: - name: grafana - port: - number: 80 - tls: - - secretName: grafana-raiko-tls ---- -apiVersion: codemowers.cloud/v1beta1 -kind: OIDCClient -metadata: - name: grafana-raiko - namespace: memelord-raiko -spec: - displayName: Grafana Raiko - uri: https://grafana-raiko.ee-lte-1.codemowers.io/ - redirectUris: - - https://grafana-raiko.ee-lte-1.codemowers.io/login/generic_oauth - grantTypes: - - authorization_code - - refresh_token - responseTypes: - - code - availableScopes: - - openid - - profile - - groups - allowedGroups: - - github.com:codemowers:admins - pkce: false diff --git a/templates/http-probe.yaml b/templates/http-probe.yaml deleted file mode 100644 index 7bd67ff..0000000 --- a/templates/http-probe.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: monitoring.coreos.com/v1 -kind: Probe -metadata: - name: reddit-probe -spec: - module: http_2xx - prober: - url: blackbox-exporter.monitoring.svc.cluster.local - targets: - staticConfig: - static: - - reddit.com diff --git a/templates/ingress.yaml b/templates/ingress.yaml new file mode 100644 index 0000000..46ec122 --- /dev/null +++ b/templates/ingress.yaml @@ -0,0 +1,66 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ .Release.Name }} +spec: + type: ClusterIP + selector: + app: memelord + ports: + - name: http + port: 80 + targetPort: 8000 +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Release.Name }} +spec: + secretName: {{ .Release.Name }}-tls + dnsNames: + - {{ .Values.hostname }} + issuerRef: + name: letsencrypt + kind: ClusterIssuer +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ .Release.Name }} + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: websecure +spec: + rules: + - host: {{ .Values.hostname }} + http: + paths: + - pathType: Prefix + path: "/" + backend: + service: + name: {{ .Release.Name }} + port: + number: 80 + tls: + - secretName: {{ .Release.Name }}-tls + +--- +apiVersion: codemowers.cloud/v1beta1 +kind: OIDCClient +metadata: + name: {{ .Release.Name }} +spec: + displayName: Memelord raiko + uri: https://{{ .Values.hostname }}/oidc/authenticate/ + redirectUris: + - https://{{ .Values.hostname }}/oidc/callback/ + grantTypes: + - authorization_code + - refresh_token + responseTypes: + - code + availableScopes: + - openid + - profile + pkce: false diff --git a/templates/postgres.yaml b/templates/postgres.yaml new file mode 100644 index 0000000..6087a69 --- /dev/null +++ b/templates/postgres.yaml @@ -0,0 +1,66 @@ +--- +apiVersion: secretgenerator.mittwald.de/v1alpha1 +kind: StringSecret +metadata: + name: {{ .Release.Name }}-database + labels: + cnpg.io/reload: "true" +spec: + data: + username: {{ .Release.Name }} + fields: + - fieldName: password + length: "32" + encoding: hex +--- +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + name: {{ .Release.Name }}-database +spec: + instances: 2 + imageName: ghcr.io/cloudnative-pg/postgresql:17 + storage: + size: 1Gi + storageClass: postgres + affinity: + additionalPodAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchLabels: + app: memelord + topologyKey: topology.kubernetes.io/zone + podAntiAffinityType: required + nodeSelector: + codemowers.io/lvm-ubuntu-vg: enterprise-ssd + resources: + requests: + cpu: "100m" + memory: "1Gi" + limits: + cpu: "1" + memory: "4Gi" + postgresql: + parameters: + max_connections: "300" + shared_buffers: "512MB" + effective_cache_size: "2GB" + managed: + roles: + - name: {{ .Release.Name }} + ensure: present + login: true + passwordSecret: + name: {{ .Release.Name }}-database +--- +apiVersion: postgresql.cnpg.io/v1 +kind: Database +metadata: + name: {{ .Release.Name }} +spec: + name: {{ .Release.Name }} + owner: {{ .Release.Name }} + cluster: + name: {{ .Release.Name }}-database diff --git a/templates/redis.yaml b/templates/redis.yaml new file mode 100644 index 0000000..021a7f3 --- /dev/null +++ b/templates/redis.yaml @@ -0,0 +1,37 @@ +--- +apiVersion: secretgenerator.mittwald.de/v1alpha1 +kind: StringSecret +metadata: + name: {{ .Release.Name }}-redis +spec: + fields: + - fieldName: redis-password + length: "32" + encoding: hex +--- +apiVersion: dragonflydb.io/v1alpha1 +kind: Dragonfly +metadata: + name: {{ .Release.Name }}-redis +spec: + affinity: + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchLabels: + app: memelord + topologyKey: topology.kubernetes.io/zone + authentication: + passwordFromSecret: + name: {{ .Release.Name }}-redis + key: redis-password + replicas: 2 + resources: + requests: + cpu: 500m + memory: 500Mi + limits: + cpu: 600m + memory: 750Mi