From 5ebcfa7aadaa6b4f7e45d2f3a7a4c508b58f27fc Mon Sep 17 00:00:00 2001 From: Martyn Date: Mon, 4 Dec 2023 15:40:08 +0000 Subject: [PATCH 01/19] Update to helm chart so we can use csi-secrets-store --- .../templates/deployment.yaml | 24 ++++++++++++++++--- .../templates/secretProviderClass.yaml | 13 ++++++++++ apps-helm/wg-access-server/values.yaml | 6 ++++- 3 files changed, 39 insertions(+), 4 deletions(-) create mode 100644 apps-helm/wg-access-server/templates/secretProviderClass.yaml diff --git a/apps-helm/wg-access-server/templates/deployment.yaml b/apps-helm/wg-access-server/templates/deployment.yaml index 2c315fc..7498c54 100644 --- a/apps-helm/wg-access-server/templates/deployment.yaml +++ b/apps-helm/wg-access-server/templates/deployment.yaml @@ -1,4 +1,8 @@ {{- $fullName := include "wg-access-server.fullname" . -}} +{{ $secretName := $fullName }} +{{- if .Values.config.existingSecret -}} +{{ $secretName = .Values.config.existingSecret }} +{{ end -}} apiVersion: apps/v1 kind: Deployment metadata: @@ -46,21 +50,21 @@ spec: - name: WG_WIREGUARD_PRIVATE_KEY valueFrom: secretKeyRef: - name: "{{ $fullName }}" + name: "{{ $secretName }}" key: privateKey {{- end }} {{- if .Values.web.config.adminUsername }} - name: WG_ADMIN_USERNAME valueFrom: secretKeyRef: - name: "{{ $fullName }}" + name: "{{ $secretName }}" key: adminUsername {{- end}} {{- if .Values.web.config.adminPassword }} - name: WG_ADMIN_PASSWORD valueFrom: secretKeyRef: - name: "{{ $fullName }}" + name: "{{ $secretName }}" key: adminPassword {{- end}} volumeMounts: @@ -68,9 +72,14 @@ spec: mountPath: /dev/net/tun - name: data mountPath: /data + {{- if .Values.config.csiSecretsStore }} + - name: config + mountPath: /config.yaml + {{- else }} - name: config mountPath: /config.yaml subPath: config.yaml + {{- end}} readinessProbe: httpGet: path: / 
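Review bot: `{{ $secretName := $fullName }}` and `{{ $secretName = .Values.config.existingSecret }}` in the first deployment.yaml hunk carry no whitespace trim, unlike the `{{- $fullName := ... -}}` line directly above, so when `existingSecret` is set the rendered manifest begins with a stray blank line before `apiVersion`; write them as `{{- $secretName := $fullName -}}` and `{{- $secretName = .Values.config.existingSecret -}}`. The three `secretKeyRef` hunks on this line now read `privateKey`, `adminUsername` and `adminPassword` from whichever Secret `$secretName` names, so a user-supplied `existingSecret` must provide exactly those keys or the pod fails at start. The chart's own Secret template for `$fullName` is outside these hunks, so whether it is still rendered when `existingSecret` is set cannot be checked here.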
@@ -90,9 +99,18 @@ spec: {{- if not .Values.persistence.enabled }} emptyDir: {} {{- end }} + {{- if .Values.config.csiSecretsStore }} + - name: config + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: app-secrets + {{- else }} - name: config configMap: name: "{{ $fullName }}" + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/apps-helm/wg-access-server/templates/secretProviderClass.yaml b/apps-helm/wg-access-server/templates/secretProviderClass.yaml new file mode 100644 index 0000000..72f1276 --- /dev/null +++ b/apps-helm/wg-access-server/templates/secretProviderClass.yaml @@ -0,0 +1,13 @@ +--- +{{- if .Values.wireguard.config.csiSecretsStore -}} +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: app-secrets +spec: + provider: {{ .Values.wireguard.config.csiSecretsStore.providerName | default "1password" }} + parameters: + secrets: | + - resourceName: {{ .Values.wireguard.config.csiSecretsStore.resourceName | default "https://my.1password.eu/vaults/3oh5jxmxvqvpuimu2lbuajtizi/allitems/nyamadlgfac4pmce4uexrhtuju/notes" }} + path: "config" +{{- end -}} \ No newline at end of file diff --git a/apps-helm/wg-access-server/values.yaml b/apps-helm/wg-access-server/values.yaml index dccc4e4..b99a9a6 100644 --- a/apps-helm/wg-access-server/values.yaml +++ b/apps-helm/wg-access-server/values.yaml @@ -1,5 +1,9 @@ # wg-access-server config -config: {} +config: + existingSecret: "" + csiSecretsStore: {} +# providerName: 1password +# resourceName: https://my.1password.eu/vaults/3oh5jxmxvqvpuimu2lbuajtizi/allitems/nyamadlgfac4pmce4uexrhtuju/notes web: config: From 39e13b9677da71b564f05708d34a80730851d246 Mon Sep 17 00:00:00 2001 From: Martyn Date: Mon, 4 Dec 2023 15:43:57 +0000 Subject: [PATCH 02/19] missing file --- apps-helm/wg-access-server/templates/secretProviderClass.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
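Review bot: `secretProviderClass: app-secrets` in the csi volume hunk hard-codes the class name, while the `configMap` branch right below derives its name from `$fullName`; two releases in one namespace would bind to the same SecretProviderClass, and a rename of the class in secretProviderClass.yaml would break this volume silently. Use `secretProviderClass: "{{ $fullName }}"` here and name the class from the same `include "wg-access-server.fullname"` helper (that template would need its own `$fullName` assignment, since the variable is local to deployment.yaml). `readOnly: true` on the CSI volume is correct and should stay; the rest of the pod spec is outside the hunk.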
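Review bot: The `default` on `resourceName` bakes one specific 1Password vault/item path into a reusable chart template, so an install that forgets `config.csiSecretsStore.resourceName` silently points the CSI driver at the author's item instead of failing; use `{{ required "config.csiSecretsStore.resourceName is required" .Values.config.csiSecretsStore.resourceName }}` and keep the example path only as a comment in values.yaml. `provider:` and `resourceName:` are templated plain scalars; quote them (`provider: "{{ ... }}"`) so an empty or special-character value is not retyped by the YAML parser. The new file also ends without a trailing newline (`\ No newline at end of file`).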
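Review bot: `existingSecret: ""` in values.yaml has no comment stating the contract deployment.yaml now imposes on it; add above it `# Pre-existing Secret providing privateKey, adminUsername and adminPassword; empty means the Secret named after the release is used`. The two commented examples (`# providerName:`, `# resourceName:`) under `csiSecretsStore: {}` sit at column 0, so they read as top-level keys rather than children of `csiSecretsStore`; indent them to the level of the key they document. `csiSecretsStore: {}` as the off-state is fine, since an empty map is falsy for the `{{- if .Values.config.csiSecretsStore }}` guards in the templates.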
diff --git a/apps-helm/wg-access-server/templates/secretProviderClass.yaml b/apps-helm/wg-access-server/templates/secretProviderClass.yaml index 72f1276..dc49382 100644 --- a/apps-helm/wg-access-server/templates/secretProviderClass.yaml +++ b/apps-helm/wg-access-server/templates/secretProviderClass.yaml @@ -1,5 +1,5 @@ --- -{{- if .Values.wireguard.config.csiSecretsStore -}} +{{- if .Values.config.csiSecretsStore -}} apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: From ff14e95f9cd371fb5684ac8186f5797fc35542f9 Mon Sep 17 00:00:00 2001 From: Martyn Date: Mon, 4 Dec 2023 15:46:32 +0000 Subject: [PATCH 03/19] too many layers --- apps-helm/wg-access-server/templates/secretProviderClass.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apps-helm/wg-access-server/templates/secretProviderClass.yaml b/apps-helm/wg-access-server/templates/secretProviderClass.yaml index dc49382..4a0ce92 100644 --- a/apps-helm/wg-access-server/templates/secretProviderClass.yaml +++ b/apps-helm/wg-access-server/templates/secretProviderClass.yaml @@ -5,9 +5,9 @@ kind: SecretProviderClass metadata: name: app-secrets spec: - provider: {{ .Values.wireguard.config.csiSecretsStore.providerName | default "1password" }} + provider: {{ .Values.config.csiSecretsStore.providerName | default "1password" }} parameters: secrets: | - - resourceName: {{ .Values.wireguard.config.csiSecretsStore.resourceName | default "https://my.1password.eu/vaults/3oh5jxmxvqvpuimu2lbuajtizi/allitems/nyamadlgfac4pmce4uexrhtuju/notes" }} + - resourceName: {{ .Values.config.csiSecretsStore.resourceName | default "https://my.1password.eu/vaults/3oh5jxmxvqvpuimu2lbuajtizi/allitems/nyamadlgfac4pmce4uexrhtuju/notes" }} path: "config" {{- end -}} \ No newline at end of file From 30576539a0df2d8236d092ea7b41ccf974905bde Mon Sep 17 00:00:00 2001 
From: Martyn Date: Mon, 4 Dec 2023 15:50:00 +0000 Subject: [PATCH 04/19] I should think about allowing that style --- apps-helm/wg-access-server/templates/secretProviderClass.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps-helm/wg-access-server/templates/secretProviderClass.yaml b/apps-helm/wg-access-server/templates/secretProviderClass.yaml index 4a0ce92..6a2f43a 100644 --- a/apps-helm/wg-access-server/templates/secretProviderClass.yaml +++ b/apps-helm/wg-access-server/templates/secretProviderClass.yaml @@ -8,6 +8,6 @@ spec: provider: {{ .Values.config.csiSecretsStore.providerName | default "1password" }} parameters: secrets: | - - resourceName: {{ .Values.config.csiSecretsStore.resourceName | default "https://my.1password.eu/vaults/3oh5jxmxvqvpuimu2lbuajtizi/allitems/nyamadlgfac4pmce4uexrhtuju/notes" }} + - resourceName: {{ .Values.config.csiSecretsStore.resourceName | default "vaults/3oh5jxmxvqvpuimu2lbuajtizi/allitems/nyamadlgfac4pmce4uexrhtuju/notes" }} path: "config" {{- end -}} \ No newline at end of file From 332abdf00b83bdb4e7821460aaef91ec89104ba1 Mon Sep 17 00:00:00 2001 From: Martyn Date: Mon, 4 Dec 2023 17:05:31 +0000 Subject: [PATCH 05/19] Mounting on root is hard --- apps-helm/wg-access-server/templates/deployment.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/apps-helm/wg-access-server/templates/deployment.yaml b/apps-helm/wg-access-server/templates/deployment.yaml index 7498c54..58ffc5b 100644 --- a/apps-helm/wg-access-server/templates/deployment.yaml +++ b/apps-helm/wg-access-server/templates/deployment.yaml @@ -67,6 +67,10 @@ spec: name: "{{ $secretName }}" key: adminPassword {{- end}} + {{- if .Values.config.csiSecretsStore }} + - name: WG_CONFIG + value: /secret/config.yaml + {{- end}} volumeMounts: - name: tun mountPath: /dev/net/tun 
@@ -74,7 +78,7 @@ spec: mountPath: /data {{- if .Values.config.csiSecretsStore }} - name: config - mountPath: /config.yaml + mountPath: /secrets {{- else }} - name: config mountPath: /config.yaml From af2cf76c9c48ea5f0be2e0d38fe0ef22e25c1093 Mon Sep 17 00:00:00 2001 From: Martyn Date: Mon, 4 Dec 2023 17:07:57 +0000 Subject: [PATCH 06/19] and filename is better --- apps-helm/wg-access-server/templates/secretProviderClass.yaml | 2 +- apps-helm/wg-access-server/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apps-helm/wg-access-server/templates/secretProviderClass.yaml b/apps-helm/wg-access-server/templates/secretProviderClass.yaml index 6a2f43a..3ebf5b7 100644 --- a/apps-helm/wg-access-server/templates/secretProviderClass.yaml +++ b/apps-helm/wg-access-server/templates/secretProviderClass.yaml @@ -9,5 +9,5 @@ spec: parameters: secrets: | - resourceName: {{ .Values.config.csiSecretsStore.resourceName | default "vaults/3oh5jxmxvqvpuimu2lbuajtizi/allitems/nyamadlgfac4pmce4uexrhtuju/notes" }} - path: "config" + path: "config.yaml" {{- end -}} \ No newline at end of file diff --git a/apps-helm/wg-access-server/values.yaml b/apps-helm/wg-access-server/values.yaml index b99a9a6..4c4d89c 100644 --- a/apps-helm/wg-access-server/values.yaml +++ b/apps-helm/wg-access-server/values.yaml @@ -3,7 +3,7 @@ config: existingSecret: "" csiSecretsStore: {} # providerName: 1password -# resourceName: https://my.1password.eu/vaults/3oh5jxmxvqvpuimu2lbuajtizi/allitems/nyamadlgfac4pmce4uexrhtuju/notes +# resourceName: vaults/3oh5jxmxvqvpuimu2lbuajtizi/allitems/nyamadlgfac4pmce4uexrhtuju/notes web: config: From 2107a69c622a3a90b016022b941ba5f53116a3c4 Mon Sep 17 00:00:00 2001 From: Martyn Date: Mon, 4 Dec 2023 17:14:18 +0000 Subject: [PATCH 07/19] and the RIGHT filename is better --- apps-helm/wg-access-server/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/apps-helm/wg-access-server/templates/deployment.yaml b/apps-helm/wg-access-server/templates/deployment.yaml index 58ffc5b..77ffb86 100644 --- a/apps-helm/wg-access-server/templates/deployment.yaml +++ b/apps-helm/wg-access-server/templates/deployment.yaml @@ -69,7 +69,7 @@ spec: {{- end}} {{- if .Values.config.csiSecretsStore }} - name: WG_CONFIG - value: /secret/config.yaml + value: /secrets/config.yaml {{- end}} volumeMounts: - name: tun From 496dc29aa0b7aaa2f96d3657098f71ee9a2babcb Mon Sep 17 00:00:00 2001 From: Martyn Date: Mon, 4 Dec 2023 17:26:33 +0000 Subject: [PATCH 08/19] Can we be ready? --- apps-helm/wg-access-server/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps-helm/wg-access-server/templates/deployment.yaml b/apps-helm/wg-access-server/templates/deployment.yaml index 77ffb86..4d236a3 100644 --- a/apps-helm/wg-access-server/templates/deployment.yaml +++ b/apps-helm/wg-access-server/templates/deployment.yaml @@ -86,7 +86,7 @@ spec: {{- end}} readinessProbe: httpGet: - path: / + path: /health port: http resources: {{- toYaml .Values.resources | nindent 12 }} From 0b9e79a4db4cabbc020e88c42263fdf70e4a3cc4 Mon Sep 17 00:00:00 2001 From: Martyn Date: Tue, 5 Dec 2023 09:38:45 +0000 Subject: [PATCH 09/19] This is actually working --- everything-app/wg-access-server.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 everything-app/wg-access-server.yaml diff --git a/everything-app/wg-access-server.yaml b/everything-app/wg-access-server.yaml new file mode 100644 index 0000000..c0ff238 --- /dev/null +++ b/everything-app/wg-access-server.yaml 
@@ -0,0 +1,25 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: wg-access-server + namespace: argocd +spec: + destination: + namespace: wg-access + server: https://kubernetes.default.svc + project: infra + source: + helm: + parameters: + - name: web.service.type + value: LoadBalancer + - name: wireguard.service.type + value: LoadBalancer + values: |- + config: + csiSecretsStore: + providerName: 1password + resourceName: vaults/3oh5jxmxvqvpuimu2lbuajtizi/allitems/idkjj6oyua2fq6df4fkjzmh4ne/config.yaml + path: apps-helm/wg-access-server + repoURL: https://git.martyn.berlin/martyn/infra4talos + targetRevision: HEAD From 9cf0f2803864eaef929b4e1bd08523c3444aada3 Mon Sep 17 00:00:00 2001 From: Martyn Date: Tue, 5 Dec 2023 11:52:59 +0000 Subject: [PATCH 10/19] Bazarr --- apps-kustomized/bazarr/deploy.yaml | 49 +++++++++++++++++++++++++++++ apps-kustomized/bazarr/pvc-smb.yaml | 35 +++++++++++++++++++++ apps-kustomized/bazarr/pvc.yaml | 11 +++++++ apps-kustomized/bazarr/service.yaml | 12 +++++++ everything-app/bazarr.yaml | 17 ++++++++++ 5 files changed, 124 insertions(+) create mode 100644 apps-kustomized/bazarr/deploy.yaml create mode 100644 apps-kustomized/bazarr/pvc-smb.yaml create mode 100644 apps-kustomized/bazarr/pvc.yaml create mode 100644 apps-kustomized/bazarr/service.yaml create mode 100644 everything-app/bazarr.yaml diff --git a/apps-kustomized/bazarr/deploy.yaml b/apps-kustomized/bazarr/deploy.yaml new file mode 100644 index 0000000..859dd39 --- /dev/null +++ b/apps-kustomized/bazarr/deploy.yaml 
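Review bot: `web.service.type: LoadBalancer` publishes the admin web UI (the component that consumes `WG_ADMIN_USERNAME`/`WG_ADMIN_PASSWORD` in the chart) directly on an external address, presumably over plain HTTP since the chart's readiness probe is an `httpGet` on port `http`; the cryptpad app later in this series is instead fronted by an Ingress with a cert-manager TLS certificate. Consider leaving `web.service.type` at its default and adding a TLS Ingress, keeping only `wireguard.service.type: LoadBalancer`, which is the UDP endpoint that genuinely needs direct exposure. This Application has no `syncPolicy`, unlike the bazarr and cryptpad Applications in the same series, so it only deploys on manual sync; state that with a comment if intended.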
@@ -0,0 +1,49 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: bazarr + name: bazarr +spec: + replicas: 1 + selector: + matchLabels: + app: bazarr + template: + metadata: + creationTimestamp: null + labels: + app: bazarr + spec: + containers: + - image: hotio/bazarr:release + name: bazarr + ports: + - name: http + containerPort: 6767 + protocol: TCP + volumeMounts: + - name: config + mountPath: /config + - name: data + mountPath: /data + - name: series + mountPath: /series + - name: oldseries + mountPath: /oldseries + - name: films + mountPath: /films + volumes: + - name: config + persistentVolumeClaim: + claimName: bazarr-config-data + - name: series + persistentVolumeClaim: + claimName: smb-series + - name: oldseries + persistentVolumeClaim: + claimName: smb-oldseries + - name: films + persistentVolumeClaim: + claimName: smb-films + diff --git a/apps-kustomized/bazarr/pvc-smb.yaml b/apps-kustomized/bazarr/pvc-smb.yaml new file mode 100644 index 0000000..b4044af --- /dev/null +++ b/apps-kustomized/bazarr/pvc-smb.yaml @@ -0,0 +1,35 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: smb-series +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + storageClassName: smb-series +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: smb-oldseries +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + storageClassName: smb-oldseries +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: smb-films +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + storageClassName: smb-films \ No newline at end of file diff --git a/apps-kustomized/bazarr/pvc.yaml b/apps-kustomized/bazarr/pvc.yaml new file mode 100644 index 0000000..094b906 --- /dev/null +++ b/apps-kustomized/bazarr/pvc.yaml 
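Review bot: `image: hotio/bazarr:release` is a floating tag, so each pod restart may pull a different build and Argo's `selfHeal` cannot distinguish drift from an upstream publish; pin a version tag or digest as the cryptpad Deployment later in this series does with `cryptpad/cryptpad:version-5.5.0`. The container declares no `resources` and no `securityContext`; add requests/limits and at least `allowPrivilegeEscalation: false` with dropped capabilities, after confirming which UID the image runs as. `creationTimestamp: null` is a `kubectl` export artefact and should be removed, and the trailing blank line at the end of the file can go.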
@@ -0,0 +1,11 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: bazarr-config-data +spec: + storageClassName: rook-ceph-block-ssd + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi diff --git a/apps-kustomized/bazarr/service.yaml b/apps-kustomized/bazarr/service.yaml new file mode 100644 index 0000000..1c7bcbb --- /dev/null +++ b/apps-kustomized/bazarr/service.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: bazarr + name: bazarr +spec: + type: LoadBalancer + ports: + - port: 6767 + selector: + app: bazarr diff --git a/everything-app/bazarr.yaml b/everything-app/bazarr.yaml new file mode 100644 index 0000000..f5369d5 --- /dev/null +++ b/everything-app/bazarr.yaml @@ -0,0 +1,17 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: bazarr + namespace: argocd +spec: + destination: + namespace: bazarr + server: https://kubernetes.default.svc + project: default + source: + path: apps-kustomized/bazarr + repoURL: https://git.martyn.berlin/martyn/infra4talos.git + targetRevision: HEAD + syncPolicy: + automated: + selfHeal: true From 2bc3bebd497a0d2c0d4bac5a5f4fba8cfe75ade0 Mon Sep 17 00:00:00 2001 From: Martyn Date: Tue, 5 Dec 2023 11:54:43 +0000 Subject: [PATCH 11/19] Bazarr --- apps-kustomized/bazarr/deploy.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/apps-kustomized/bazarr/deploy.yaml b/apps-kustomized/bazarr/deploy.yaml index 859dd39..c789323 100644 --- a/apps-kustomized/bazarr/deploy.yaml +++ b/apps-kustomized/bazarr/deploy.yaml @@ -25,8 +25,6 @@ spec: volumeMounts: - name: config mountPath: /config - - name: data - mountPath: /data - name: series mountPath: /series - name: oldseries From 092976f54ba60009dcf28496856e28c40b7ffc01 Mon Sep 17 00:00:00 2001 From: Martyn Date: Tue, 5 Dec 2023 11:56:10 +0000 Subject: [PATCH 12/19] Bazarr --- apps-kustomized/bazarr/service.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
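Review bot: `project: default` in everything-app/bazarr.yaml places the app in Argo CD's built-in project, which permits any source repository and any destination cluster/namespace, while the sibling Applications in this series use scoped projects (`infra` for wg-access-server, `apps` for cryptpad); change it to `project: apps` so the deployment is constrained to the allowed repo and namespace. `repoURL` here ends in `.git` whereas the other two Applications omit it — harmless for git, but pick one form across the directory. The bazarr service.yaml in the same commit uses `type: LoadBalancer`; exposure of the UI is raised on the later service.yaml change.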
diff --git a/apps-kustomized/bazarr/service.yaml b/apps-kustomized/bazarr/service.yaml index 1c7bcbb..42451c2 100644 --- a/apps-kustomized/bazarr/service.yaml +++ b/apps-kustomized/bazarr/service.yaml @@ -4,9 +4,12 @@ metadata: labels: app: bazarr name: bazarr + annotations: + external-dns.alpha.kubernetes.io/hostname: cloudtube.martyn.berlin spec: type: LoadBalancer ports: - - port: 6767 + - port: 80 + targetPort: 6767 selector: app: bazarr From 3bd1060349b08ef4c3a0a69ba933311aae5625ac Mon Sep 17 00:00:00 2001 From: Martyn Date: Tue, 5 Dec 2023 11:56:53 +0000 Subject: [PATCH 13/19] Bazarr not cloudtube --- apps-kustomized/bazarr/service.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps-kustomized/bazarr/service.yaml b/apps-kustomized/bazarr/service.yaml index 42451c2..68594e9 100644 --- a/apps-kustomized/bazarr/service.yaml +++ b/apps-kustomized/bazarr/service.yaml @@ -5,7 +5,7 @@ metadata: app: bazarr name: bazarr annotations: - external-dns.alpha.kubernetes.io/hostname: cloudtube.martyn.berlin + external-dns.alpha.kubernetes.io/hostname: bazarr.martyn.berlin spec: type: LoadBalancer ports: From 6debb616db4933dbc9c9e56248a55838e35b7cb5 Mon Sep 17 00:00:00 2001 From: Martyn Date: Tue, 5 Dec 2023 13:38:02 +0000 Subject: [PATCH 14/19] Increase cilium rate limiting to maybe stop l2 failures --- everything-app/app-cilium.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/everything-app/app-cilium.yaml b/everything-app/app-cilium.yaml index 3cbf98e..d7bb8f9 100644 --- a/everything-app/app-cilium.yaml +++ b/everything-app/app-cilium.yaml @@ -33,9 +33,9 @@ spec: - name: l2announcements.enabled value: "true" - name: k8sClientRateLimit.qps - value: "30" - - name: k8sClientRateLimit.burst value: "50" + - name: k8sClientRateLimit.burst + value: "100" syncPolicy: automated: selfHeal: true From ef57ad9d89f3e0ec6602b56b2c03922a9b53b6c6 Mon Sep 17 00:00:00 2001 
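Review bot: The Service is now `type: LoadBalancer` on port 80 with an `external-dns` hostname, so Bazarr's web UI is published under a DNS name in cleartext, and if authentication is not enabled in Bazarr's own settings it is reachable without credentials; cryptpad in this series is instead fronted by an nginx Ingress with a cert-manager TLS certificate. Prefer `type: ClusterIP` plus an Ingress carrying `cert-manager.io/cluster-issuer: letsencrypt` and a `tls:` stanza, and enable Bazarr's authentication before exposing it. Whether the hostname resolves to a private or public address cannot be told from the hunk; the hostname typo `cloudtube.martyn.berlin` is corrected in the following hunk.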
From: Martyn Date: Tue, 5 Dec 2023 16:20:33 +0000 Subject: [PATCH 15/19] Need snippets for cryptpad --- everything-app/app-ingress-nginx.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/everything-app/app-ingress-nginx.yaml b/everything-app/app-ingress-nginx.yaml index 2dd1ba2..db50ecc 100644 --- a/everything-app/app-ingress-nginx.yaml +++ b/everything-app/app-ingress-nginx.yaml @@ -16,6 +16,8 @@ spec: parameters: - name: controller.service.type value: LoadBalancer + - name: controller.allowSnippetAnnotations + value: true syncPolicy: automated: selfHeal: true From 976301cad200120a5aabe087ce3f44250440d033 Mon Sep 17 00:00:00 2001 From: Martyn Date: Tue, 5 Dec 2023 16:25:45 +0000 Subject: [PATCH 16/19] YAML was a mistake --- everything-app/app-ingress-nginx.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/everything-app/app-ingress-nginx.yaml b/everything-app/app-ingress-nginx.yaml index db50ecc..87e6844 100644 --- a/everything-app/app-ingress-nginx.yaml +++ b/everything-app/app-ingress-nginx.yaml @@ -17,7 +17,7 @@ spec: - name: controller.service.type value: LoadBalancer - name: controller.allowSnippetAnnotations - value: true + value: "true" syncPolicy: automated: selfHeal: true From ee13f319aa459cd29e8849c320962aa221295b8c Mon Sep 17 00:00:00 2001 From: Martyn Date: Tue, 5 Dec 2023 17:22:39 +0000 Subject: [PATCH 17/19] De-helmed from https://github.com/nicholaswilde/helm-charts/tree/main/charts/cryptpad --- apps-kustomized/cryptpad/deploy.yaml | 82 +++++++++++++++++++++ apps-kustomized/cryptpad/ingress.yaml | 63 ++++++++++++++++ apps-kustomized/cryptpad/pvc.yaml | 101 ++++++++++++++++++++++++++ apps-kustomized/cryptpad/service.yaml | 26 +++++++ 4 files changed, 272 insertions(+) create mode 100644 apps-kustomized/cryptpad/deploy.yaml create mode 100644 apps-kustomized/cryptpad/ingress.yaml create mode 100644 apps-kustomized/cryptpad/pvc.yaml create mode 100644 apps-kustomized/cryptpad/service.yaml 
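Review bot: `controller.allowSnippetAnnotations: "true"` re-enables `*-snippet` annotations for the whole ingress-nginx controller, which the project turned off by default because anyone permitted to create or edit an Ingress in any namespace can then inject arbitrary nginx directives into the shared controller process, including ones that read the controller's files and variables. Since the only consumer in this series is the two cryptpad Ingresses adding two `more_set_headers` lines, check whether the controller's ConfigMap-level header mechanism covers that need and keep snippets off; if snippets must stay on, restrict Ingress create/update rights by RBAC to the namespaces that need them and keep ingress-nginx's `annotation-value-word-blocklist` in force. The quoting fix in the second hunk (`value: "true"`) is right, as Argo CD Helm parameters are strings.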
diff --git a/apps-kustomized/cryptpad/deploy.yaml b/apps-kustomized/cryptpad/deploy.yaml new file mode 100644 index 0000000..ab8cd9e --- /dev/null +++ b/apps-kustomized/cryptpad/deploy.yaml @@ -0,0 +1,82 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/name: cryptpad + name: cryptpad +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: cryptpad + template: + metadata: + labels: + app.kubernetes.io/name: cryptpad + spec: + containers: + - image: cryptpad/cryptpad:version-5.5.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 5 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: http + timeoutSeconds: 10 + name: cryptpad + ports: + - containerPort: 3000 + name: http + protocol: TCP + - containerPort: 3001 + name: http-safe + protocol: TCP + readinessProbe: + failureThreshold: 5 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: http + timeoutSeconds: 10 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /cryptpad/blob + name: blob + - mountPath: /cryptpad/block + name: block + - mountPath: /cryptpad/config + name: config + - mountPath: /cryptpad/customize + name: customize + - mountPath: /cryptpad/data + name: data + - mountPath: /cryptpad/datasource + name: datasource + - mountPath: /cryptpad/datastore + name: datastore + volumes: + - name: blob + persistentVolumeClaim: + claimName: cryptpad-blob + - name: block + persistentVolumeClaim: + claimName: cryptpad-block + - name: config + persistentVolumeClaim: + claimName: cryptpad-config + - name: customize + persistentVolumeClaim: + claimName: cryptpad-customize + - name: data + persistentVolumeClaim: + claimName: cryptpad-data + - name: datasource + persistentVolumeClaim: + claimName: cryptpad-datasource + - name: datastore + persistentVolumeClaim: + claimName: cryptpad-datastore 
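Review bot: The container pins its image (`cryptpad/cryptpad:version-5.5.0`, good) but declares no `resources` and no `securityContext`; add requests/limits and a pod-level `securityContext` with `runAsNonRoot: true` and `allowPrivilegeEscalation: false`, after confirming which UID the image runs as. `/cryptpad/config` and `/cryptpad/customize` are mounted from freshly created, empty PVCs, which hide whatever the image ships at those paths — if the image expects a default config file there, the pod needs a seeded config (cannot be verified from the hunk). Both probes are `tcpSocket`, which only proves the port is listening; an `httpGet` on `/` against port `http` would also catch a hung application.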
diff --git a/apps-kustomized/cryptpad/ingress.yaml b/apps-kustomized/cryptpad/ingress.yaml new file mode 100644 index 0000000..a518c2c --- /dev/null +++ b/apps-kustomized/cryptpad/ingress.yaml @@ -0,0 +1,63 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + cert-manager.io/cluster-issuer: letsencrypt + external-dns.alpha.kubernetes.io/target: armnleg.martyn.berlin + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/configuration-snippet: | + more_set_headers "cross-origin-resource-policy: cross-origin"; + more_set_headers "cross-origin-embedder-policy: require-corp"; + nginx.ingress.kubernetes.io/cors-allow-origin: https://cryptpad-safe.martyn.berlin + nginx.ingress.kubernetes.io/enable-cors: "true" + labels: + app.kubernetes.io/name: cryptpad + name: cryptpad +spec: + rules: + - host: cryptpad.martyn.berlin + http: + paths: + - backend: + service: + name: cryptpad + port: + number: 3000 + path: / + pathType: Prefix + tls: + - hosts: + - cryptpad.martyn.berlin + secretName: cryptpad-tls +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + cert-manager.io/cluster-issuer: letsencrypt + external-dns.alpha.kubernetes.io/target: armnleg.martyn.berlin + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/configuration-snippet: | + more_set_headers "cross-origin-resource-policy: cross-origin"; + more_set_headers "cross-origin-embedder-policy: require-corp"; + nginx.ingress.kubernetes.io/cors-allow-origin: https://cryptpad-safe.martyn.berlin + nginx.ingress.kubernetes.io/enable-cors: "true" + labels: + app.kubernetes.io/name: cryptpad + name: cryptpad-0 +spec: + rules: + - host: cryptpad-safe.martyn.berlin + http: + paths: + - backend: + service: + name: cryptpad + port: + number: 3000 + path: / + pathType: Prefix + tls: + - hosts: + - cryptpad-safe.martyn.berlin + secretName: cryptpad-safe-tls 
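Review bot: Both Ingresses use the deprecated `kubernetes.io/ingress.class: nginx` annotation; current ingress-nginx and Kubernetes 1.22+ expect `spec.ingressClassName: nginx`, and controllers configured for class-based matching ignore the annotation. The `configuration-snippet` annotation is the reason `controller.allowSnippetAnnotations` is switched on cluster-wide earlier in this series; if the two `more_set_headers` lines are the only requirement, a header mechanism that does not need snippets keeps that risk off for every other namespace. `cryptpad-0` as the second Ingress name is opaque — `cryptpad-safe` would match its host and its `cryptpad-safe-tls` Secret — and the identical `cors-allow-origin` value on both objects looks copy-pasted; confirm the sandbox host really needs itself as allowed origin.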
diff --git a/apps-kustomized/cryptpad/pvc.yaml b/apps-kustomized/cryptpad/pvc.yaml new file mode 100644 index 0000000..8a8c4d3 --- /dev/null +++ b/apps-kustomized/cryptpad/pvc.yaml 
@@ -0,0 +1,101 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + labels: + app.kubernetes.io/name: cryptpad + name: cryptpad-blob +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 2500Mi + storageClassName: rook-ceph-block-ssd +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + labels: + app.kubernetes.io/name: cryptpad + name: cryptpad-block +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 2500Mi + storageClassName: rook-ceph-block-ssd +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + labels: + app.kubernetes.io/name: cryptpad + name: cryptpad-config +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + storageClassName: rook-ceph-block-ssd +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + labels: + app.kubernetes.io/name: cryptpad + name: cryptpad-customize + namespace: cryptpad +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + storageClassName: rook-ceph-block-ssd +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + labels: + app.kubernetes.io/name: cryptpad + name: cryptpad-data + namespace: cryptpad +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 2500Mi + storageClassName: rook-ceph-block-ssd +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + labels: + app.kubernetes.io/name: cryptpad + name: cryptpad-datasource + namespace: cryptpad +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + storageClassName: rook-ceph-block-ssd +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + labels: + app.kubernetes.io/name: cryptpad + name: cryptpad-datastore +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + storageClassName: rook-ceph-block-ssd diff --git a/apps-kustomized/cryptpad/service.yaml b/apps-kustomized/cryptpad/service.yaml new file mode 100644 index 0000000..1a017e8 --- /dev/null 
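Review bot: Three of the seven claims (`cryptpad-customize`, `cryptpad-data`, `cryptpad-datasource`) carry `namespace: cryptpad` while the other four do not. Argo CD fills in the destination namespace for resources that omit it, so today this is only inconsistent, but a kustomize `namespace:` transformer or a later destination change would place the claims in different namespaces and the Deployment would fail to bind three of its volumes. Drop the three `namespace:` lines so all seven claims are placed the same way. The sizes (2500Mi/1Gi) look like upstream chart defaults; whether `blob`/`datastore` need more for this install cannot be judged here.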
+++ b/apps-kustomized/cryptpad/service.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: cryptpad + name: cryptpad +spec: + ports: + - name: http + port: 3000 + targetPort: http + selector: + app.kubernetes.io/name: cryptpad +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: cryptpad + name: cryptpad-safe +spec: + ports: + - name: http-safe + port: 3001 + selector: + app.kubernetes.io/name: cryptpad From 6da71fdc9c7430d561aff054849f51dc04bfb5c8 Mon Sep 17 00:00:00 2001 From: Martyn Date: Tue, 5 Dec 2023 17:44:05 +0000 Subject: [PATCH 18/19] Something strange - that _is_ the entrypoint --- apps-kustomized/cryptpad/deploy.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apps-kustomized/cryptpad/deploy.yaml b/apps-kustomized/cryptpad/deploy.yaml index ab8cd9e..2fef773 100644 --- a/apps-kustomized/cryptpad/deploy.yaml +++ b/apps-kustomized/cryptpad/deploy.yaml @@ -16,6 +16,9 @@ spec: spec: containers: - image: cryptpad/cryptpad:version-5.5.0 + command: + - /usr/local/bin/npm + - start imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 From 2e31a531a0372edba57bff8cb30f7a86358a380e Mon Sep 17 00:00:00 2001 From: Martyn Date: Tue, 5 Dec 2023 17:44:53 +0000 Subject: [PATCH 19/19] Auto-heal --- everything-app/cryptpad.yaml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 everything-app/cryptpad.yaml diff --git a/everything-app/cryptpad.yaml b/everything-app/cryptpad.yaml new file mode 100644 index 0000000..8694846 --- /dev/null +++ b/everything-app/cryptpad.yaml 
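Review bot: The `cryptpad-safe` Service (port 3001, `http-safe`) is referenced by neither Ingress in this commit — both route to `cryptpad` port 3000 — so either the Ingress for `cryptpad-safe.martyn.berlin` should target `cryptpad-safe` on 3001 or this Service is dead configuration; which one is intended cannot be told from the hunk. `cryptpad-safe` also omits `targetPort`, which defaults to the numeric `port` (3001) and happens to match the container port, but for symmetry with the first Service write `targetPort: http-safe`. Neither Service has a `type`, so both default to `ClusterIP`, which is right given the Ingress in front.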
@@ -0,0 +1,17 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: cryptpad + namespace: argocd +spec: + destination: + namespace: cryptpad + server: https://kubernetes.default.svc + project: apps + source: + path: apps-kustomized/cryptpad + repoURL: https://git.martyn.berlin/martyn/infra4talos + targetRevision: HEAD + syncPolicy: + automated: + selfHeal: true \ No newline at end of file
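Review bot: `syncPolicy.automated.selfHeal: true` without `prune: true` leaves resources removed from git (for instance one of the seven PVCs) running in the cluster; that is a reasonable choice for stateful claims, but make it explicit with `# prune deliberately off: the PVCs hold pad data` beside `automated:`. The file ends without a trailing newline (`\ No newline at end of file`). `project: apps` is the scoped project the bazarr Application in this series should also use instead of `default`.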