feat(miniflux): app-template v3, ES

kube/deploy/apps/miniflux/app/es.yaml

@@ -0,0 +1,26 @@
+---
+# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: &name miniflux-secrets
+  namespace: miniflux
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: 1p
+  dataFrom:
+    - extract:
+        key: "miniflux - ${CLUSTER_NAME}"
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: *name
+    template:
+      type: Opaque
+      data:
+        ADMIN_USERNAME: "{{ .SECRET_MINIFLUX_ADMIN_USERNAME }}"
+        ADMIN_PASSWORD: "{{ .SECRET_MINIFLUX_ADMIN_PASSWORD }}"
+        OAUTH2_CLIENT_ID: "{{ .SECRET_MINIFLUX_OIDC_ID }}"
+        OAUTH2_CLIENT_SECRET: "{{ .SECRET_MINIFLUX_OIDC_SECRET }}"

kube/deploy/apps/miniflux/app/hr.yaml

@@ -1,77 +1,110 @@
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/app-template-3.6.1/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: &app miniflux
   namespace: *app
 spec:
+  interval: 5m
   chart:
     spec:
       chart: app-template
-      version: 1.5.1
+      version: 3.7.1
       sourceRef:
         name: bjw-s
         kind: HelmRepository
         namespace: flux-system
   values:
-    global:
-      fullnameOverride: *app
-    automountServiceAccountToken: false
-    controller:
-      type: deployment
-      replicas: 1
-    image:
-      repository: "ghcr.io/miniflux/miniflux"
-      tag: "2.2.6-distroless@sha256:c6b0af85d44d5e133d4d9844768dfe491aa0282bb9adac1dbfe7871f0947431c"
-    podLabels:
-      ingress.home.arpa/nginx-internal: "allow"
-      db.home.arpa/pg: "pg-default"
-      egress.home.arpa/internet: "allow"
-      egress.home.arpa/nginx-external: "allow" # authentik
-    env:
-      TZ: "${CONFIG_TZ}"
-      BASE_URL: "https://${APP_DNS_MINIFLUX}"
-      RUN_MIGRATIONS: "1"
-      CREATE_ADMIN: "1"
-      OAUTH2_PROVIDER: oidc
-      OAUTH2_REDIRECT_URL: https://${APP_DNS_MINIFLUX}/oauth2/oidc/callback
-      OAUTH2_OIDC_DISCOVERY_ENDPOINT: https://${APP_DNS_AUTH}/application/o/miniflux/
-      OAUTH2_USER_CREATION: "1"
-      DATABASE_URL:
-        valueFrom:
-          secretKeyRef:
-            name: &pgsec "pg-default-pguser-miniflux"
-            key: "pgbouncer-uri"
-    envFrom:
-      - secretRef:
-          name: miniflux-secrets
+    controllers:
+      miniflux:
+        type: deployment
+        replicas: 1
+        pod:
+          labels:
+            ingress.home.arpa/nginx-internal: allow
+            db.home.arpa/pg: pg-default
+            authentik.home.arpa/https: allow
+            egress.home.arpa/internet: allow
+            egress.home.arpa/discord: allow
+        containers:
+          main:
+            image: &img
+              repository: ghcr.io/miniflux/miniflux
+              tag: "2.2.6-distroless@sha256:c6b0af85d44d5e133d4d9844768dfe491aa0282bb9adac1dbfe7871f0947431c"
+            env:
+              TZ: "${CONFIG_TZ}"
+              BASE_URL: "https://${APP_DNS_MINIFLUX}"
+              RUN_MIGRATIONS: "1"
+              CREATE_ADMIN: "1"
+              OAUTH2_PROVIDER: oidc
+              OAUTH2_REDIRECT_URL: https://${APP_DNS_MINIFLUX}/oauth2/oidc/callback
+              OAUTH2_OIDC_DISCOVERY_ENDPOINT: https://${APP_DNS_AUTH}/application/o/miniflux/
+              OAUTH2_USER_CREATION: "1"
+              DATABASE_URL:
+                valueFrom:
+                  secretKeyRef:
+                    name: &pgsec "pg-default-pguser-miniflux"
+                    key: "pgbouncer-uri"
+            envFrom: &envFrom
+              - secretRef:
+                  name: miniflux-secrets
+            securityContext: &sc
+              readOnlyRootFilesystem: true
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop: ["ALL"]
+            resources:
+              requests:
+                cpu: "10m"
+                memory: "128Mi"
+              limits:
+                cpu: "1"
+                memory: "512Mi"
+            probes:
+              liveness:
+                enabled: true
+              readiness:
+                enabled: true
     service:
-      main:
+      miniflux:
+        controller: miniflux
         ports:
           http:
             port: 8080
+            protocol: HTTP
+            appProtocol: http
     ingress:
       main:
-        enabled: true
-        primary: true
-        ingressClassName: "nginx-internal"
+        className: nginx-internal
         hosts:
           - host: &host "${APP_DNS_MINIFLUX:=miniflux}"
-            paths:
+            paths: &paths
               - path: /
                 pathType: Prefix
+                service:
+                  identifier: miniflux
+                  port: http
         tls:
-          - hosts:
-              - *host
-    podSecurityContext:
-      runAsUser: &uid ${APP_UID_MINIFLUX:=1000}
-      runAsGroup: *uid
-      fsGroup: *uid
-      fsGroupChangePolicy: Always
-    resources:
-      requests:
-        cpu: 10m
-        memory: 128Mi
-      limits:
-        cpu: 3000m
-        memory: 512Mi
+          - hosts: [*host]
+    defaultPodOptions:
+      automountServiceAccountToken: false
+      enableServiceLinks: false
+      hostAliases:
+        - ip: "${APP_IP_AUTHENTIK:=127.0.0.1}"
+          hostnames: ["${APP_DNS_AUTHENTIK:=authentik}"]
+      hostUsers: false
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: &uid 1000
+        runAsGroup: *uid
+        fsGroup: *uid
+        fsGroupChangePolicy: Always
+        seccompProfile: { type: "RuntimeDefault" }
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: fuckoff.home.arpa/miniflux
+                    operator: DoesNotExist

kube/deploy/apps/miniflux/app/ns.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: miniflux
+  labels:
+    kustomize.toolkit.fluxcd.io/prune: disabled
+    pod-security.kubernetes.io/enforce: &ps restricted
+    pod-security.kubernetes.io/audit: *ps
+    pod-security.kubernetes.io/warn: *ps

kube/deploy/apps/miniflux/app/secrets.yaml

@@ -1,13 +0,0 @@
-
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: "miniflux-secrets"
-  namespace: "miniflux"
-type: Opaque
-stringData:
-  ADMIN_USERNAME: "${SECRET_MINIFLUX_ADMIN_USERNAME}"
-  ADMIN_PASSWORD: "${SECRET_MINIFLUX_ADMIN_PASSWORD}"
-  OAUTH2_CLIENT_ID: "${SECRET_MINIFLUX_OIDC_ID}"
-  OAUTH2_CLIENT_SECRET: "${SECRET_MINIFLUX_OIDC_SECRET}"

kube/deploy/apps/miniflux/ks.yaml

@@ -4,12 +4,16 @@ kind: Kustomization
 metadata:
   name: miniflux-app
   namespace: flux-system
-  labels:
-    wait.flux.home.arpa/disabled: "true"
+  labels: &l
+    app.kubernetes.io/name: "miniflux"
 spec:
+  targetNamespace: "miniflux"
+  commonMetadata:
+    labels: *l
   path: ./kube/deploy/apps/miniflux/app
+  components:
+    - ../../../core/flux-system/alerts/template/
   dependsOn:
-    - name: 1-core-ingress-nginx-app
     - name: miniflux-db
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
@@ -17,10 +21,13 @@ kind: Kustomization
 metadata:
   name: miniflux-db
   namespace: flux-system
-  labels:
+  labels: &l
     prune.flux.home.arpa/enabled: "true"
     db.home.arpa/pg: "pg-default"
+    app.kubernetes.io/name: "miniflux"
 spec:
+  commonMetadata:
+    labels: *l
   path: ./kube/deploy/core/db/pg/clusters/template/pguser
   targetNamespace: "pg"
   dependsOn:

kube/deploy/apps/miniflux/kustomization.yaml

@@ -2,5 +2,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ns.yaml
+  # - ns.yaml
   - ks.yaml

kube/deploy/apps/miniflux/ns.yaml

@@ -1,5 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: miniflux