diff --git a/.renovate/groups.json5 b/.renovate/groups.json5
index 88970b5d..e62f9361 100644
--- a/.renovate/groups.json5
+++ b/.renovate/groups.json5
@@ -1,6 +1,41 @@
 {
 "$schema": "https://docs.renovatebot.com/renovate-schema.json",
 "packageRules": [
+ // NOTE: Renovate processes rules from top to bottom, so the rules below take precedence over rules above it
+ {
+ "description": "Auto merge Github Actions",
+ "matchManagers": ["github-actions"],
+ "automerge": true,
+ "automergeType": "pr",
+ "ignoreTests": true,
+ "matchUpdateTypes": ["minor", "patch", "digest"]
+ },
+ {
+ "description": "Auto merge all Renovate versions",
+ "matchPackagePatterns": ["renovate"],
+ "matchUpdateTypes": ["major", "minor", "patch", "digest"],
+ "automerge": true,
+ "automergeType": "branch",
+ "ignoreTests": true,
+ "labels": ["renovate-itself"]
+ },
+ {
+ "description": "Auto merge apps in path ./kube/deploy/apps (these apps don't affect the entire Kubernetes cluster)",
+ // "matchDatasources": ["docker"],
+ "automerge": true,
+ "automergeType": "pr",
+ "matchFileNames": ["kube/deploy/apps/**"],
+ "matchUpdateTypes": ["minor", "patch", "digest"],
+ "matchCurrentVersion": "!/^0\\./", // avoid breaking changes in 0.x SemVer releases
+ "labels": ["kube-deploy-apps"]
+ },
+ {
+ "description": "Don't auto merge specific apps in path ./kube/deploy/apps",
+ "matchPackagePatterns": ["reactive-resume", "home-assistant"],
+ "automerge": false,
+ "matchFileNames": ["kube/deploy/apps/**"],
+ "labels": ["kube-deploy-apps"]
+ },
 // FluxCD
 {
 "description": "Flux Group",
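Review bot: The new opt-out rule `"matchPackagePatterns": ["reactive-resume", "home-assistant"]` is an unanchored regex match, so it withholds automerge from any package under kube/deploy/apps whose name merely contains one of those substrings, which may be wider than the two images the description names. Anchoring to the image name, e.g. `"matchPackagePatterns": ["/reactive-resume$", "/home-assistant$"]`, keeps the exception to what was intended. The moved "Auto merge all Renovate versions" rule still pairs `"automergeType": "branch"` with `"ignoreTests": true` for major updates, so those commits reach the default branch with no status check gating them; that predates this commit, but since the rule now sits in the precedence-sensitive top group it deserves a deliberate decision. The NOTE comment could also be made exact: later matching rules override the individual fields set by earlier matching rules, they do not replace the earlier rule as a whole.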
@@ -43,49 +78,6 @@
 // TODO: Helm chart uses separate key for digests, which Renovate seems to not recognize? maybe patching the image would be better?
 "pinDigests": false
 },
- {
- "description": "Auto merge Github Actions",
- "matchManagers": ["github-actions"],
- "automerge": true,
- "automergeType": "pr",
- "ignoreTests": true,
- "matchUpdateTypes": ["minor", "patch", "digest"]
- },
- // configure more granular control for apps in ./kube/deploy/core
- {
- "matchFileNames": ["kube/deploy/core/**"],
- "automerge": false, // enforce no automerge
- "separateMultipleMajor": true,
- "separateMinorPatch": true,
- "labels": ["kube-deploy-core"]
- },
- {
- "description": "Auto merge all Renovate versions",
- "matchPackagePatterns": ["renovate"],
- "matchUpdateTypes": ["major", "minor", "patch", "digest"],
- "automerge": true,
- "automergeType": "branch",
- "ignoreTests": true,
- "labels": ["renovate-itself"]
- },
- {
- "description": "Auto merge my own images with release dates as versions, these are images I couldn't think of a better way to do versioning because of too many moving parts",
- "matchPackagePatterns": ["jjgadgets/k8s-crd-extractor"],
- "matchUpdateTypes": ["major", "minor", "patch", "digest"],
- "automerge": true,
- "automergeType": "branch",
- "labels": ["app-template"]
- },
- {
- "description": "Auto merge apps in path ./kube/deploy/apps (these apps don't affect the entire Kubernetes cluster)",
- // "matchDatasources": ["docker"],
- "automerge": true,
- "automergeType": "pr",
- "matchFileNames": ["kube/deploy/apps/**"],
- "matchUpdateTypes": ["minor", "patch", "digest"],
- "matchCurrentVersion": "!/^0\\./", // avoid breaking changes in 0.x SemVer releases
- "labels": ["kube-deploy-apps"]
- },
 // manually approve app-template major releases
 {
 "matchPackagePatterns": ["app-template"],
@@ -135,6 +127,21 @@
 "versionCompatibility": "^(?[^-]+)(?-.*)?$",
 "versioning": "semver",
 "matchPackagePatterns": ["miniflux"]
+ },
+ // configure more granular control for apps in ./kube/deploy/core
+ {
+ "matchFileNames": ["kube/deploy/core/**"],
+ "automerge": false, // enforce no automerge
+ "separateMultipleMajor": true,
+ "separateMinorPatch": true,
+ "labels": ["kube-deploy-core"]
+ },
+ {
+ "description": "Auto merge my own images with release dates as versions, these are images I couldn't think of a better way to do versioning because of too many moving parts",
+ "matchPackagePatterns": ["jjgadgets/k8s-crd-extractor"],
+ "matchUpdateTypes": ["major", "minor", "patch", "digest"],
+ "automerge": true,
+ "automergeType": "branch",
 }
 ]
 }
diff --git a/kube/clusters/biohazard/flux/kustomization.yaml b/kube/clusters/biohazard/flux/kustomization.yaml
index 142531e8..72a68c47 100644
--- a/kube/clusters/biohazard/flux/kustomization.yaml
+++ b/kube/clusters/biohazard/flux/kustomization.yaml
@@ -110,6 +110,7 @@ resources:
 - ../../../deploy/apps/media-edit/
 - ../../../deploy/apps/homebox/
 - ../../../deploy/apps/vikunja/
+ - ../../../deploy/apps/reactive-resume/
 - ../../../deploy/vm/_kubevirt/
 #- ../../../deploy/vm/_base/
 - ../../../deploy/vm/ad/
diff --git a/kube/deploy/apps/reactive-resume/app/es.yaml b/kube/deploy/apps/reactive-resume/app/es.yaml
new file mode 100644
index 00000000..fb4c3526
--- /dev/null
+++ b/kube/deploy/apps/reactive-resume/app/es.yaml
@@ -0,0 +1,19 @@
+---
+# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: &name reactive-resume-secrets
+ namespace: reactive-resume
+spec:
+ refreshInterval: 1m
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: 1p
+ dataFrom:
+ - extract:
+ key: "Reactive Resume - ${CLUSTER_NAME}"
+ target:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ name: *name
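Review bot: The relocated `jjgadgets/k8s-crd-extractor` rule lost its `"labels": ["app-template"]` line in the move and now ends with `"automergeType": "branch",` directly before the closing `}`; the trailing comma is valid JSON5, but no other rule in this file ends that way, and if dropping the label was deliberate a one-line comment such as `// no label: this image is not an app-template chart` would stop the next reader from treating it as a truncated paste. Because later matching rules override earlier ones, placing this branch-automerge rule after the `kube/deploy/core/**` rule means it re-enables automerge for that image even where the core rule's `"automerge": false` would otherwise apply; if that is the intent, saying so in the description would help.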
diff --git a/kube/deploy/apps/reactive-resume/app/hr.yaml b/kube/deploy/apps/reactive-resume/app/hr.yaml
new file mode 100644
index 00000000..fabc4ed3
--- /dev/null
+++ b/kube/deploy/apps/reactive-resume/app/hr.yaml
@@ -0,0 +1,186 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: &app reactive-resume
+ namespace: flux-system
+spec:
+ targetNamespace: *app
+ interval: 5m
+ chart:
+ spec:
+ chart: app-template
+ version: "2.6.0"
+ sourceRef:
+ name: bjw-s
+ kind: HelmRepository
+ namespace: flux-system
+ values:
+ controllers:
+ main:
+ type: deployment
+ replicas: 1
+ pod:
+ labels:
+ ingress.home.arpa/nginx-internal: "allow"
+ tailscale.com/expose: "true"
+ db.home.arpa/pg: "pg-home"
+ s3.home.arpa/store: "rgw-${CLUSTER_NAME}"
+ containers:
+ main:
+ image:
+ repository: "ghcr.io/amruthpillai/reactive-resume"
+ tag: "server-v3.6.0"
+ env: &env
+ TZ: "${CONFIG_TZ}"
+ PUBLIC_URL: "https://${APP_DNS_REACTIVE_RESUME}"
+ PUBLIC_SERVER_URL: "https://${APP_DNS_REACTIVE_RESUME}/api"
+ STORAGE_URL_PREFIX: "https://${APP_DNS_RGW_S3}/reactive-resume-media"
+ POSTGRES_HOST:
+ valueFrom:
+ secretKeyRef:
+ name: "pg-home-pguser-reactive-resume"
+ key: "pgbouncer-host"
+ POSTGRES_DB:
+ valueFrom:
+ secretKeyRef:
+ name: "pg-home-pguser-reactive-resume"
+ key: "dbname"
+ POSTGRES_USER:
+ valueFrom:
+ secretKeyRef:
+ name: "pg-home-pguser-reactive-resume"
+ key: "user"
+ POSTGRES_PASSWORD:
+ valueFrom:
+ secretKeyRef:
+ name: "pg-home-pguser-reactive-resume"
+ key: "password"
+ SECRET_KEY:
+ valueFrom:
+ secretKeyRef:
+ name: "reactive-resume-secrets"
+ key: "SECRET_KEY"
+ JWT_SECRET:
+ valueFrom:
+ secretKeyRef:
+ name: "reactive-resume-secrets"
+ key: "JWT_SECRET"
+ JWT_EXPIRY_TIME: "604800"
+ STORAGE_ENDPOINT: "http://rook-ceph-rgw-${CLUSTER_NAME}.rook-ceph.svc:6953"
+ STORAGE_BUCKET: "reactive-resume-media"
+ STORAGE_REGION: "us-east-1"
+ STORAGE_ACCESS_KEY:
+ valueFrom:
+ secretKeyRef:
+ name: "reactive-resume-media-s3"
+ key: "AWS_ACCESS_KEY_ID"
+ STORAGE_SECRET_KEY:
+ valueFrom:
+ secretKeyRef:
+ name: "reactive-resume-media-s3"
+ key: "AWS_SECRET_ACCESS_KEY"
+ securityContext: &sc
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ resources:
+ requests:
+ cpu: "10m"
+ memory: "128Mi"
+ limits:
+ cpu: "3000m"
+ memory: "6Gi"
+ frontend:
+ image:
+ repository: "ghcr.io/amruthpillai/reactive-resume"
+ tag: "client-v3.6.0"
+ env: *env
+ securityContext: &sc
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ resources:
+ requests:
+ cpu: "10m"
+ memory: "128Mi"
+ limits:
+ cpu: "3000m"
+ memory: "6Gi"
+ service:
+ main:
+ controller: main
+ ports:
+ http:
+ port: 3100
+ frontend:
+ port: 3000
+ ingress:
+ main:
+ enabled: true
+ primary: true
+ className: "nginx-internal"
+ annotations:
+ nginx.ingress.kubernetes.io/use-regex: "true"
+ nginx.ingress.kubernetes.io/rewrite-target: "/$2"
+ hosts:
+ - host: &host "${APP_DNS_REACTIVE_RESUME}"
+ paths:
+ - path: "/api(/|$)(.*)"
+ pathType: ImplementationSpecific
+ service:
+ name: main
+ port: http
+ tls:
+ - hosts: [*host]
+ backend:
+ enabled: true
+ primary: false
+ className: "nginx-internal"
+ hosts:
+ - host: *host
+ paths:
+ - path: /
+ pathType: Prefix
+ service:
+ name: main
+ port: frontend
+ tls:
+ - hosts: [*host]
+ persistence:
+ config:
+ enabled: false
+ tmp:
+ enabled: true
+ type: emptyDir
+ medium: Memory
+ globalMounts:
+ - subPath: "tmp"
+ path: "/tmp"
+ readOnly: false
+ defaultPodOptions:
+ automountServiceAccountToken: false
+ enableServiceLinks: false
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: &uid ${APP_UID_REACTIVE_RESUME}
+ runAsGroup: *uid
+ fsGroup: *uid
+ fsGroupChangePolicy: "Always"
+ seccompProfile: { type: "RuntimeDefault" }
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: "kubernetes.io/hostname"
+ whenUnsatisfiable: "DoNotSchedule"
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: *app
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: "fuckoff.home.arpa/reactive-resume"
+ operator: "DoesNotExist"
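Review bot: The `frontend` container inherits the whole `&env` anchor through `env: *env`, which hands the client image (the one the `/` ingress routes straight to) the `POSTGRES_PASSWORD`, `SECRET_KEY`, `JWT_SECRET` and `STORAGE_SECRET_KEY` secretKeyRefs that only the server needs; a compromise of the static frontend would then expose the database and signing credentials that are otherwise confined to `main`. Giving the frontend its own `env:` with just the public values keeps the secret-backed entries on the server container; which of the `PUBLIC_*` values the client image actually reads I cannot confirm from here, so check the image's documentation before trimming. The second `securityContext: &sc` redefines an anchor that is never aliased; `securityContext: *sc` expresses the intent and avoids the duplicated block. The ingress named `backend` routes `/` to the `frontend` service port, so its name reads backwards; renaming it `frontend` (or adding a comment) would help.
```yaml
          frontend:
            # … unchanged: image …
            # public-facing values only; the secret-backed entries stay on main
            env:
              TZ: "${CONFIG_TZ}"
              PUBLIC_URL: "https://${APP_DNS_REACTIVE_RESUME}"
              PUBLIC_SERVER_URL: "https://${APP_DNS_REACTIVE_RESUME}/api"
            securityContext: *sc
            # … unchanged: resources …
```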
diff --git a/kube/deploy/apps/reactive-resume/app/s3.yaml b/kube/deploy/apps/reactive-resume/app/s3.yaml
new file mode 100644
index 00000000..ed007694
--- /dev/null
+++ b/kube/deploy/apps/reactive-resume/app/s3.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: objectbucket.io/v1alpha1
+kind: ObjectBucketClaim
+metadata:
+ name: "reactive-resume-media-s3"
+ namespace: "reactive-resume"
+spec:
+ storageClassName: "rgw-${CLUSTER_NAME}"
+ bucketName: "reactive-resume-media"
diff --git a/kube/deploy/apps/reactive-resume/ks.yaml b/kube/deploy/apps/reactive-resume/ks.yaml
new file mode 100644
index 00000000..cb6d6835
--- /dev/null
+++ b/kube/deploy/apps/reactive-resume/ks.yaml
@@ -0,0 +1,37 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: reactive-resume-app
+ namespace: flux-system
+ labels: &l
+ app.kubernetes.io/name: "reactive-resume"
+spec:
+ commonMetadata:
+ labels: *l
+ path: ./kube/deploy/apps/reactive-resume/app
+ dependsOn:
+ - name: reactive-resume-db
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: reactive-resume-db
+ namespace: flux-system
+ labels: &l
+ prune.flux.home.arpa/enabled: "true"
+ db.home.arpa/pg: "pg-home"
+ app.kubernetes.io/name: "reactive-resume"
+spec:
+ commonMetadata:
+ labels: *l
+ path: ./kube/deploy/core/db/pg/clusters/template/pguser
+ targetNamespace: "pg"
+ dependsOn:
+ - name: 1-core-db-pg-clusters-home
+ - name: 1-core-secrets-es-k8s
+ postBuild:
+ substitute:
+ PG_NAME: "home"
+ PG_DB_USER: &app "reactive-resume"
+ PG_APP_NS: *app
diff --git a/kube/deploy/apps/reactive-resume/kustomization.yaml b/kube/deploy/apps/reactive-resume/kustomization.yaml
new file mode 100644
index 00000000..5eeb2657
--- /dev/null
+++ b/kube/deploy/apps/reactive-resume/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ns.yaml
+ - ks.yaml
diff --git a/kube/deploy/apps/reactive-resume/ns.yaml b/kube/deploy/apps/reactive-resume/ns.yaml
new file mode 100644
index 00000000..4c6f62fb
--- /dev/null
+++ b/kube/deploy/apps/reactive-resume/ns.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: reactive-resume
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
+ pod-security.kubernetes.io/enforce: &ps restricted
+ pod-security.kubernetes.io/audit: *ps
+ pod-security.kubernetes.io/warn: *ps