From 376fbcd31719622437bb5cc398e134fb25c68454 Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Wed, 30 Oct 2024 20:10:54 +0800
Subject: [PATCH] feat(piped): app-template, same domain, update subs cron

---
 .../app/{externalsecret.yaml => es.yaml} | 60 ++--
 kube/deploy/apps/piped/app/hr.yaml | 326 ++++++++++++------
 kube/deploy/apps/piped/app/ingress.yaml | 29 --
 kube/deploy/apps/piped/ks.yaml | 12 +-
 kube/deploy/apps/piped/kustomization.yaml | 1 -
 kube/deploy/apps/piped/ns.yaml | 5 +
 kube/deploy/apps/piped/repo.yaml | 10 -
 7 files changed, 268 insertions(+), 175 deletions(-)
 rename kube/deploy/apps/piped/app/{externalsecret.yaml => es.yaml} (53%)
 delete mode 100644 kube/deploy/apps/piped/app/ingress.yaml
 delete mode 100644 kube/deploy/apps/piped/repo.yaml

diff --git a/kube/deploy/apps/piped/app/externalsecret.yaml b/kube/deploy/apps/piped/app/es.yaml
similarity index 53%
rename from kube/deploy/apps/piped/app/externalsecret.yaml
rename to kube/deploy/apps/piped/app/es.yaml
index 2d561dd0..999bd148 100644
--- a/kube/deploy/apps/piped/app/externalsecret.yaml
+++ b/kube/deploy/apps/piped/app/es.yaml
@@ -50,42 +50,44 @@ spec: serviceAccount: name: "external-secrets-kubernetes-provider" --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/external-secrets.io/externalsecret_v1beta1.json +# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: - name: &name "pg-default-pguser-piped" - namespace: "piped" + name: &name piped-secrets + namespace: piped spec: - refreshInterval: "1m" + refreshInterval: 1m secretStoreRef: kind: "SecretStore" name: "kubernetes-piped" + dataFrom: + - extract: + key: "pg-default-pguser-piped" target: - name: "pg-default-pguser-piped-fixed" - creationPolicy: "Owner" - deletionPolicy: "Retain" + creationPolicy: Owner + deletionPolicy: Retain + name: *name template: - type: "Opaque" + type: Opaque data: - DB_HOSTNAME: "{{ .host }}" - DB_DATABASE_NAME: "{{ .dbname }}" - DB_USERNAME: "{{ .user }}" - DB_PASSWORD: "{{ .password }}" - data: - - secretKey: "host" - remoteRef: &src - key: *name - property: "pgbouncer-host" - - secretKey: &key "dbname" - remoteRef: - <<: *src - property: *key - - secretKey: &key "user" - remoteRef: - <<: *src - property: *key - - secretKey: &key "password" - remoteRef: - <<: *src - property: *key \ No newline at end of file + # subscriptions fetch cron + PGHOST: 'pg-default-pgbouncer.pg.svc.cluster.local' + PGUSER: '{{ .user }}' + PGPASSWORD: '{{ .password }}' + PGDATABASE: '{{ .dbname }}' + # backend + config.properties: | + PORT: 8080 + HTTP_WORKERS: 2 + PROXY_PART: https://${APP_DNS_PIPED}/ytproxy + API_URL: https://${APP_DNS_PIPED}/server + FRONTEND_URL: https://${APP_DNS_PIPED} + COMPROMISED_PASSWORD_CHECK: true + DISABLE_REGISTRATION: true + FEED_RETENTION: 365 + hibernate.connection.url: '{{ index . 
"pgbouncer-jdbc-uri" | replace "svc:" "svc.cluster.local:" }}' + hibernate.connection.username: '{{ .user }}' + hibernate.connection.password: '{{ .password }}' + SENTRY_DSN: "" + MATRIX_SERVER: "" diff --git a/kube/deploy/apps/piped/app/hr.yaml b/kube/deploy/apps/piped/app/hr.yaml index 6b2616a0..31d96b74 100644 --- a/kube/deploy/apps/piped/app/hr.yaml +++ b/kube/deploy/apps/piped/app/hr.yaml 
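Review bot: `PGHOST` is hard-coded to `pg-default-pgbouncer.pg.svc.cluster.local` while `hibernate.connection.url` in the same template is derived from the extracted `pgbouncer-jdbc-uri` key, so the subscriptions cron job and the backend take their database host from two different sources and can drift silently if the pguser secret is ever regenerated for a different pgbouncer host. Since `dataFrom.extract` already exposes every key of `pg-default-pguser-piped` to the template, PGHOST could be rendered from the secret as well, e.g. `PGHOST: '{{ index . "pgbouncer-host" | replace "svc" "svc.cluster.local" }}'` — this is built from the `pgbouncer-host` property the removed version read and the same svc-to-svc.cluster.local rewrite used for the JDBC URI, so confirm that key still exists and what form its value takes before relying on it. Separately, `${APP_DNS_PIPED}` appears three times in `config.properties` without the `:=piped` default that hr.yaml gives the same variable, so an unset variable renders differently in the two files; `${APP_DNS_PIPED:=piped}` would keep them consistent.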
@@ -1,122 +1,240 @@ --- +# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/common-3.4.0/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json apiVersion: helm.toolkit.fluxcd.io/v2beta2 kind: HelmRelease metadata: name: &app piped namespace: *app spec: + interval: 5m chart: spec: - chart: piped - version: 6.0.4 + chart: app-template + version: 3.4.0 sourceRef: - name: piped + name: bjw-s kind: HelmRepository namespace: flux-system values: - automountServiceAccountToken: false - podLabels: - ingress.home.arpa/nginx-internal: "allow" - ingress.home.arpa/nginx-external: "allow" - ingress.home.arpa/cloudflare: "allow" - egress.home.arpa/nginx-internal: "allow" - egress.home.arpa/nginx-external: "allow" - db.home.arpa/pg: "pg-default" - egress.home.arpa/internet: "allow" - postgresql: - enabled: false - backend: - image: - repository: "docker.io/1337kavin/piped" + controllers: + frontend: + type: deployment + replicas: 1 + strategy: RollingUpdate + pod: + labels: + ingress.home.arpa/nginx-internal: allow + containers: + main: + image: &img + repository: ghcr.io/bjw-s-labs/piped-frontend + tag: 2024.10.28@sha256:32787f43c388a6d1016fa07e41d0099a9bb87bf5a43cacf1b8b65ba79d62dc03 + env: &env + TZ: "${CONFIG_TZ}" + BACKEND_HOSTNAME: "${APP_DNS_PIPED:=piped}/server" + securityContext: &sc + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + resources: + requests: + cpu: "10m" + limits: + cpu: "1" + memory: "128Mi" + probes: &probes + liveness: + enabled: true + readiness: + enabled: true + #startup: + # enabled: true + backend: + type: deployment + replicas: 1 + strategy: RollingUpdate + pod: + labels: + ingress.home.arpa/nginx-internal: allow + ingress.home.arpa/cloudflare: allow + db.home.arpa/pg: pg-default + # s3.home.arpa/store: "rgw-${CLUSTER_NAME}" + egress.home.arpa/internet: allow + containers: + main: + image: &img + repository: docker.io/1337kavin/piped + tag: 
latest@sha256:18e77857414236edc7245bebb3fb8ab3ac49c44bd76701bfce24f6ba0170d4b8 + env: *env + securityContext: *sc + probes: *probes + resources: + requests: + cpu: "10m" + limits: + cpu: "1" + memory: "1Gi" + ytproxy: + type: deployment + replicas: 1 + strategy: RollingUpdate + pod: + labels: + ingress.home.arpa/nginx-internal: allow + egress.home.arpa/internet: allow + containers: + main: + image: &img + repository: docker.io/1337kavin/piped-proxy + tag: latest@sha256:833ca24c048619c9cd6fe58e2d210bfc7b1e43875ba5108aeddea0b171f04dbd + command: ["/app/piped-proxy"] + env: *env + securityContext: *sc + probes: *probes + resources: + requests: + cpu: "10m" + limits: + cpu: "1" + memory: "256Mi" + refresh: + type: cronjob + cronjob: + schedule: "@hourly" + concurrencyPolicy: Forbid + successfulJobsHistory: 0 + failedJobsHistory: 1 + pod: + labels: + db.home.arpa/pg: pg-default + containers: + main: + image: &img + repository: ghcr.io/bjw-s-labs/piped-scripts + tag: 0.0.1@sha256:55dcbc2d65eb47d7a7f2c49c4fba1bc05ab3a715ae5b3f63a9653d804c704e69 + env: + SCRIPT_NAME: update_subscriptions.sh + PIPED_BACKEND: http://piped-backend.piped.svc.cluster.local:8080 + envFrom: + - secretRef: + name: piped-secrets + securityContext: *sc + resources: + requests: + cpu: "10m" + limits: + cpu: "1" + memory: "128Mi" + service: + frontend: + controller: frontend + ports: + http: + port: 8080 + protocol: HTTP + appProtocol: http + backend: + controller: backend + ports: + http: + port: 8080 + protocol: HTTP + appProtocol: http + ytproxy: + controller: ytproxy + ports: + http: + port: 8080 + protocol: HTTP + appProtocol: http + ingress: + frontend: + className: nginx-internal + annotations: &cors + nginx.ingress.kubernetes.io/enable-cors: "true" + nginx.ingress.kubernetes.io/cors-allow-origin: "https://${APP_DNS_PIPED:=piped}" + hosts: + - host: &host "${APP_DNS_PIPED:=piped}" + paths: &paths + - path: / + pathType: Prefix + service: + identifier: frontend + port: http + tls: + - hosts: 
[*host] + backend: + className: nginx-internal + annotations: + <<: *cors + external-dns.alpha.kubernetes.io/target: "${DNS_CF}" # cloudflared handles proxying to backend pod directly + external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" + nginx.ingress.kubernetes.io/use-regex: "true" + nginx.ingress.kubernetes.io/rewrite-target: /$2 + hosts: + - host: *host + paths: &paths + - path: /server(/|$)(.*) + pathType: ImplementationSpecific + service: + identifier: backend + port: http + tls: + - hosts: [*host] + ytproxy: + className: nginx-internal + annotations: + <<: *cors + nginx.ingress.kubernetes.io/use-regex: "true" + nginx.ingress.kubernetes.io/rewrite-target: /$2 + hosts: + - host: *host + paths: &paths + - path: /ytproxy(/|$)(.*) + pathType: ImplementationSpecific + service: + identifier: ytproxy + port: http + tls: + - hosts: [*host] + persistence: config: - PORT: 8080 - HTTP_WORKERS: 2 - PROXY_PART: "https://${APP_DNS_PIPED_YTPROXY}" - COMPROMISED_PASSWORD_CHECK: true - DISABLE_REGISTRATION: true - database: - connection_url: "jdbc:postgresql://pg-default-pgbouncer.pg.svc:5432/piped" - driver_class: "org.postgresql.Driver" - secret: - name: "pg-default-pguser-piped" - username: "user" - password: "password" - podSecurityContext: &psc + type: secret + name: piped-secrets + advancedMounts: + backend: + main: + - subPath: config.properties + path: /app/config.properties + defaultPodOptions: + automountServiceAccountToken: false + enableServiceLinks: false + hostAliases: + - ip: "${APP_IP_AUTHENTIK:=127.0.0.1}" + hostnames: ["${APP_DNS_AUTHENTIK:=authentik}"] + dnsConfig: + options: + - name: ndots + value: "1" + securityContext: + runAsNonRoot: true runAsUser: &uid ${APP_UID_PIPED:=1000} runAsGroup: *uid fsGroup: *uid fsGroupChangePolicy: Always - resources: - requests: - cpu: 10m - memory: 500Mi - limits: - memory: 2000Mi - frontend: - image: - repository: "docker.io/1337kavin/piped-frontend" - args: ["-c", "sed -i 
s/pipedapi.kavin.rocks/$BACKEND_HOSTNAME/g /usr/share/nginx/html/assets/* && sed -i 's/80;/8080;/g' /etc/nginx/conf.d/default.conf && /docker-entrypoint.sh nginx -g 'daemon off;'"] - env: - BACKEND_HOSTNAME: "${APP_DNS_PIPED_BACKEND:=piped-backend}" - service: - main: - ports: - http: - port: 8080 - # podSecurityContext: *psc # TODO: /etc/nginx and /usr/share/nginx isn't writable by root but entrypoint script requires write perms to them - resources: - requests: - cpu: 10m - memory: 32Mi - limits: - memory: 256Mi - ytproxy: - image: - repository: "docker.io/1337kavin/piped-proxy" - podSecurityContext: *psc - resources: - requests: - cpu: 10m - memory: 32Mi - limits: - memory: 500Mi - ingress: - main: - ingressClassName: "nginx-internal" - annotations: - nginx.ingress.kubernetes.io/enable-cors: "true" - nginx.ingress.kubernetes.io/cors-allow-origin: "https://${APP_DNS_PIPED_FRONTEND}, https://${APP_DNS_PIPED_BACKEND}, https://${APP_DNS_PIPED_YTPROXY}" - hosts: - - host: &frontend "${APP_DNS_PIPED_FRONTEND:=piped-frontend}" - paths: - - path: "/" - tls: - - hosts: - - *frontend - backend: - ingressClassName: "nginx-external" - annotations: - nginx.ingress.kubernetes.io/enable-cors: "true" - nginx.ingress.kubernetes.io/cors-allow-origin: "https://${APP_DNS_PIPED_FRONTEND}, https://${APP_DNS_PIPED_BACKEND}, https://${APP_DNS_PIPED_YTPROXY}" - # for Google pubsub webhook for refreshing feeds in realtime, path and source limiting done on Cloudflare side - external-dns.alpha.kubernetes.io/target: "${DNS_CF}" - external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" - hosts: - - host: &backend "${APP_DNS_PIPED_BACKEND:=piped-backend}" - paths: - - path: "/" - tls: - - hosts: - - *backend - ytproxy: - ingressClassName: "nginx-internal" - annotations: - nginx.ingress.kubernetes.io/enable-cors: "true" - nginx.ingress.kubernetes.io/cors-allow-origin: "https://${APP_DNS_PIPED_FRONTEND}, https://${APP_DNS_PIPED_BACKEND}, https://${APP_DNS_PIPED_YTPROXY}" - hosts: - - host: 
&ytproxy "${APP_DNS_PIPED_YTPROXY:=piped-ytproxy}" - paths: - - path: "/" - tls: - - hosts: - - *ytproxy + seccompProfile: { type: "RuntimeDefault" } + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: fuckoff.home.arpa/piped + operator: DoesNotExist + networkpolicies: + same-ns: + podSelector: {} + policyTypes: [Ingress, Egress] + rules: + ingress: [from: [{podSelector: {}}]] + egress: [to: [{podSelector: {}}]] diff --git a/kube/deploy/apps/piped/app/ingress.yaml b/kube/deploy/apps/piped/app/ingress.yaml deleted file mode 100644 index c8da2985..00000000 --- a/kube/deploy/apps/piped/app/ingress.yaml +++ /dev/null @@ -1,29 +0,0 @@ ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: excalidraw - namespace: excalidraw - annotations: - external-dns.alpha.kubernetes.io/target: "${DNS_CF}" - nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/10 -spec: - ingressClassName: nginx-external - rules: - - host: &host "${APP_DNS_PIPED_BACKEND:=piped-backend}" - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: piped-backend - port: - number: 8080 - tls: - - hosts: - - draw.jjg.gg -status: - loadBalancer: - ingress: - - ip: 10.12.34.80 diff --git a/kube/deploy/apps/piped/ks.yaml b/kube/deploy/apps/piped/ks.yaml index 540e682c..cf99c1a8 100644 --- a/kube/deploy/apps/piped/ks.yaml +++ b/kube/deploy/apps/piped/ks.yaml 
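Review bot: The backend ingress keeps the `external-dns.alpha.kubernetes.io/target: "${DNS_CF}"` and `cloudflare-proxied: "true"` annotations that publish this host through Cloudflare, but it drops the old comment explaining that the exposure exists for the Google pubsub feed webhook with path and source limiting done on the Cloudflare side, and the deleted standalone ingress.yaml carried a `whitelist-source-range` that has no counterpart here. Because `&host` is now shared by frontend, backend and ytproxy, the record external-dns derives from the backend ingress appears to cover the whole domain, so the only thing keeping `/server` from arbitrary internet clients is configuration outside this repository; please restore a comment above the external-dns annotations such as `# public via Cloudflare for the Google pubsub feed webhook only; path and source restrictions are enforced in Cloudflare, not here` so the next reader knows the exposure is deliberate and where the control lives. The `refresh` cron job's `envFrom: secretRef: piped-secrets` also imports every key of the secret, including `config.properties` (not a valid environment variable name, so the kubelet will skip it) and the hibernate credentials the script does not use; an explicit `env` with `valueFrom.secretKeyRef` for the four PG* keys would narrow what lands in that pod. As a point of style, `&img` is redefined on all four containers and `&paths` on all three ingresses without ever being aliased, which yamllint flags and which suggests to a reader that something reuses them; dropping the unused anchors would make the file easier to follow.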
@@ -4,20 +4,28 @@ kind: Kustomization metadata: name: piped-app namespace: flux-system + labels: &l + app.kubernetes.io/name: "piped" spec: + commonMetadata: + labels: *l path: ./kube/deploy/apps/piped/app + targetNamespace: "piped" dependsOn: - - name: 1-core-db-pg-clusters-default + - name: piped-db --- apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: piped-db namespace: flux-system - labels: + labels: &l prune.flux.home.arpa/enabled: "true" db.home.arpa/pg: "pg-default" + app.kubernetes.io/name: "piped" spec: + commonMetadata: + labels: *l path: ./kube/deploy/core/db/pg/clusters/template/pguser targetNamespace: "pg" dependsOn: diff --git a/kube/deploy/apps/piped/kustomization.yaml b/kube/deploy/apps/piped/kustomization.yaml index ed061416..5eeb2657 100644 --- a/kube/deploy/apps/piped/kustomization.yaml +++ b/kube/deploy/apps/piped/kustomization.yaml @@ -3,5 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ns.yaml - - repo.yaml - ks.yaml diff --git a/kube/deploy/apps/piped/ns.yaml b/kube/deploy/apps/piped/ns.yaml index 137df13f..941b3eed 100644 --- a/kube/deploy/apps/piped/ns.yaml +++ b/kube/deploy/apps/piped/ns.yaml @@ -3,3 +3,8 @@ apiVersion: v1 kind: Namespace metadata: name: piped + labels: + kustomize.toolkit.fluxcd.io/prune: disabled + pod-security.kubernetes.io/enforce: &ps restricted + pod-security.kubernetes.io/audit: *ps + pod-security.kubernetes.io/warn: *ps diff --git a/kube/deploy/apps/piped/repo.yaml b/kube/deploy/apps/piped/repo.yaml deleted file mode 100644 index e2604c24..00000000 --- a/kube/deploy/apps/piped/repo.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: piped - namespace: flux-system -spec: - interval: 1h - timeout: 3m - url: https://helm.piped.video/
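Review bot: `piped-app` now depends only on `piped-db` instead of `1-core-db-pg-clusters-default`, so the guarantee that the Postgres cluster exists before the app reconciles is only preserved if `piped-db`'s own `dependsOn` (which continues past the end of this hunk) still names the cluster Kustomization; if it does not, the ExternalSecret in es.yaml will presumably fail until the pguser secret appears, which Flux retries but which makes the first reconcile noisy. Worth a quick check, and a comment on the entry such as `# piped-db transitively waits for the pg cluster Kustomization` would record the intent. Both Kustomization documents define an anchor named `&l`; that is legal because `---` resets anchors, but a reader scanning the file may assume the second refers to the first, so distinct names (`&app_labels`, `&db_labels`) would be clearer.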