diff --git a/kube/deploy/apps/miniflux/app/es.yaml b/kube/deploy/apps/miniflux/app/es.yaml
new file mode 100644
index 00000000..156bd672
--- /dev/null
+++ b/kube/deploy/apps/miniflux/app/es.yaml
@@ -0,0 +1,26 @@
+---
+# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: &name miniflux-secrets
+ namespace: miniflux
+spec:
+ refreshInterval: 1m
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: 1p
+ dataFrom:
+ - extract:
+ key: "miniflux - ${CLUSTER_NAME}"
+ target:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ name: *name
+ template:
+ type: Opaque
+ data:
+ ADMIN_USERNAME: "{{ .SECRET_MINIFLUX_ADMIN_USERNAME }}"
+ ADMIN_PASSWORD: "{{ .SECRET_MINIFLUX_ADMIN_PASSWORD }}"
+ OAUTH2_CLIENT_ID: "{{ .SECRET_MINIFLUX_OIDC_ID }}"
+ OAUTH2_CLIENT_SECRET: "{{ .SECRET_MINIFLUX_OIDC_SECRET }}"
diff --git a/kube/deploy/apps/miniflux/app/hr.yaml b/kube/deploy/apps/miniflux/app/hr.yaml
index e1ae7582..f85a04d7 100644
--- a/kube/deploy/apps/miniflux/app/hr.yaml
+++ b/kube/deploy/apps/miniflux/app/hr.yaml
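Review bot: `deletionPolicy: Retain` together with `creationPolicy: Owner` means the generated `miniflux-secrets` Secret, which carries the admin password and the OIDC client secret, stays in the namespace if this ExternalSecret is ever pruned or deleted. If the credentials should disappear with the app, `deletionPolicy: Delete` does that; if Retain is deliberate (for instance to keep the app running through a Flux prune), a one-line comment above it saying so would stop the next reader from "fixing" it. The four template keys match the ones the deleted secrets.yaml exposed, so the `envFrom` consumer in hr.yaml is unaffected by the move to an ExternalSecret.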
@@ -1,77 +1,110 @@
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/app-template-3.6.1/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
 name: &app miniflux
 namespace: *app
 spec:
+ interval: 5m
 chart:
 spec:
 chart: app-template
- version: 1.5.1
+ version: 3.7.1
 sourceRef:
 name: bjw-s
 kind: HelmRepository
 namespace: flux-system
 values:
- global:
- fullnameOverride: *app
- automountServiceAccountToken: false
- controller:
- type: deployment
- replicas: 1
- image:
- repository: "ghcr.io/miniflux/miniflux"
- tag: "2.2.6-distroless@sha256:c6b0af85d44d5e133d4d9844768dfe491aa0282bb9adac1dbfe7871f0947431c"
- podLabels:
- ingress.home.arpa/nginx-internal: "allow"
- db.home.arpa/pg: "pg-default"
- egress.home.arpa/internet: "allow"
- egress.home.arpa/nginx-external: "allow" # authentik
- env:
- TZ: "${CONFIG_TZ}"
- BASE_URL: "https://${APP_DNS_MINIFLUX}"
- RUN_MIGRATIONS: "1"
- CREATE_ADMIN: "1"
- OAUTH2_PROVIDER: oidc
- OAUTH2_REDIRECT_URL: https://${APP_DNS_MINIFLUX}/oauth2/oidc/callback
- OAUTH2_OIDC_DISCOVERY_ENDPOINT: https://${APP_DNS_AUTH}/application/o/miniflux/
- OAUTH2_USER_CREATION: "1"
- DATABASE_URL:
- valueFrom:
- secretKeyRef:
- name: &pgsec "pg-default-pguser-miniflux"
- key: "pgbouncer-uri"
- envFrom:
- - secretRef:
- name: miniflux-secrets
+ controllers:
+ miniflux:
+ type: deployment
+ replicas: 1
+ pod:
+ labels:
+ ingress.home.arpa/nginx-internal: allow
+ db.home.arpa/pg: pg-default
+ authentik.home.arpa/https: allow
+ egress.home.arpa/internet: allow
+ egress.home.arpa/discord: allow
+ containers:
+ main:
+ image: &img
+ repository: ghcr.io/miniflux/miniflux
+ tag: "2.2.6-distroless@sha256:c6b0af85d44d5e133d4d9844768dfe491aa0282bb9adac1dbfe7871f0947431c"
+ env:
+ TZ: "${CONFIG_TZ}"
+ BASE_URL: "https://${APP_DNS_MINIFLUX}"
+ RUN_MIGRATIONS: "1"
+ CREATE_ADMIN: "1"
+ OAUTH2_PROVIDER: oidc
+ OAUTH2_REDIRECT_URL: https://${APP_DNS_MINIFLUX}/oauth2/oidc/callback
+ OAUTH2_OIDC_DISCOVERY_ENDPOINT: https://${APP_DNS_AUTH}/application/o/miniflux/
+ OAUTH2_USER_CREATION: "1"
+ DATABASE_URL:
+ valueFrom:
+ secretKeyRef:
+ name: &pgsec "pg-default-pguser-miniflux"
+ key: "pgbouncer-uri"
+ envFrom: &envFrom
+ - secretRef:
+ name: miniflux-secrets
+ securityContext: &sc
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ resources:
+ requests:
+ cpu: "10m"
+ memory: "128Mi"
+ limits:
+ cpu: "1"
+ memory: "512Mi"
+ probes:
+ liveness:
+ enabled: true
+ readiness:
+ enabled: true
 service:
- main:
+ miniflux:
+ controller: miniflux
 ports:
 http:
 port: 8080
+ protocol: HTTP
+ appProtocol: http
 ingress:
 main:
- enabled: true
- primary: true
- ingressClassName: "nginx-internal"
+ className: nginx-internal
 hosts:
 - host: &host "${APP_DNS_MINIFLUX:=miniflux}"
- paths:
+ paths: &paths
 - path: /
 pathType: Prefix
+ service:
+ identifier: miniflux
+ port: http
 tls:
- - hosts:
- - *host
- podSecurityContext:
- runAsUser: &uid ${APP_UID_MINIFLUX:=1000}
- runAsGroup: *uid
- fsGroup: *uid
- fsGroupChangePolicy: Always
- resources:
- requests:
- cpu: 10m
- memory: 128Mi
- limits:
- cpu: 3000m
- memory: 512Mi
+ - hosts: [*host]
+ defaultPodOptions:
+ automountServiceAccountToken: false
+ enableServiceLinks: false
+ hostAliases:
+ - ip: "${APP_IP_AUTHENTIK:=127.0.0.1}"
+ hostnames: ["${APP_DNS_AUTHENTIK:=authentik}"]
+ hostUsers: false
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: &uid 1000
+ runAsGroup: *uid
+ fsGroup: *uid
+ fsGroupChangePolicy: Always
+ seccompProfile: { type: "RuntimeDefault" }
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: fuckoff.home.arpa/miniflux
+ operator: DoesNotExist
diff --git a/kube/deploy/apps/miniflux/app/ns.yaml b/kube/deploy/apps/miniflux/app/ns.yaml
new file mode 100644
index 00000000..2afa7778
--- /dev/null
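Review bot: The OIDC discovery endpoint is built from `${APP_DNS_AUTH}` while the new `hostAliases` entry pins `${APP_DNS_AUTHENTIK:=authentik}`; unless both substitutions expand to the same hostname, discovery and token requests bypass the alias and, presumably, whatever policy the `authentik.home.arpa/https: allow` pod label selects — use one variable in both places or confirm they match. The alias default `${APP_IP_AUTHENTIK:=127.0.0.1}` also means an unset variable silently points the IdP hostname at loopback inside the pod instead of failing the substitution, which fails closed but is hard to diagnose. The anchors `&img`, `&pgsec`, `&envFrom`, `&sc` and `&paths` are defined and never aliased anywhere in this hunk, which appears to cover the whole file; dropping them keeps the manifest greppable. Minor: `BASE_URL` uses `${APP_DNS_MINIFLUX}` without a default while the ingress host uses `${APP_DNS_MINIFLUX:=miniflux}`.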
+++ b/kube/deploy/apps/miniflux/app/ns.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: miniflux
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
+ pod-security.kubernetes.io/enforce: &ps restricted
+ pod-security.kubernetes.io/audit: *ps
+ pod-security.kubernetes.io/warn: *ps
diff --git a/kube/deploy/apps/miniflux/app/secrets.yaml b/kube/deploy/apps/miniflux/app/secrets.yaml
deleted file mode 100644
index 4349c36a..00000000
--- a/kube/deploy/apps/miniflux/app/secrets.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: "miniflux-secrets"
- namespace: "miniflux"
-type: Opaque
-stringData:
- ADMIN_USERNAME: "${SECRET_MINIFLUX_ADMIN_USERNAME}"
- ADMIN_PASSWORD: "${SECRET_MINIFLUX_ADMIN_PASSWORD}"
- OAUTH2_CLIENT_ID: "${SECRET_MINIFLUX_OIDC_ID}"
- OAUTH2_CLIENT_SECRET: "${SECRET_MINIFLUX_OIDC_SECRET}"
diff --git a/kube/deploy/apps/miniflux/ks.yaml b/kube/deploy/apps/miniflux/ks.yaml
index 602e3454..e3d484da 100644
--- a/kube/deploy/apps/miniflux/ks.yaml
+++ b/kube/deploy/apps/miniflux/ks.yaml
@@ -4,12 +4,16 @@ kind: Kustomization
 metadata:
 name: miniflux-app
 namespace: flux-system
- labels:
- wait.flux.home.arpa/disabled: "true"
+ labels: &l
+ app.kubernetes.io/name: "miniflux"
 spec:
+ targetNamespace: "miniflux"
+ commonMetadata:
+ labels: *l
 path: ./kube/deploy/apps/miniflux/app
+ components:
+ - ../../../core/flux-system/alerts/template/
 dependsOn:
- - name: 1-core-ingress-nginx-app
 - name: miniflux-db
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
@@ -17,10 +21,13 @@ kind: Kustomization
 metadata:
 name: miniflux-db
 namespace: flux-system
- labels:
+ labels: &l
 prune.flux.home.arpa/enabled: "true"
 db.home.arpa/pg: "pg-default"
+ app.kubernetes.io/name: "miniflux"
 spec:
+ commonMetadata:
+ labels: *l
 path: ./kube/deploy/core/db/pg/clusters/template/pguser
 targetNamespace: "pg"
 dependsOn:
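Review bot: In the second ks.yaml hunk, `commonMetadata.labels: *l` now copies `prune.flux.home.arpa/enabled: "true"` and `db.home.arpa/pg: "pg-default"` onto every object the `miniflux-db` Kustomization applies under `targetNamespace: "pg"`, not only onto the Kustomization as before; if anything selects on those labels (the names suggest prune gating and the database network policy that the hr.yaml pod label `db.home.arpa/pg` also uses), their scope widens to the pguser resources — confirm that is intended, or anchor only `app.kubernetes.io/name` for commonMetadata. In the first hunk the `1-core-ingress-nginx-app` dependency is dropped while hr.yaml still requests `className: nginx-internal`; that is fine on a running cluster but no longer orders a fresh bootstrap. Both documents name their anchor `&l`; anchors reset at `---` so this is legal, but a name such as `&labels` reads better.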
diff --git a/kube/deploy/apps/miniflux/kustomization.yaml b/kube/deploy/apps/miniflux/kustomization.yaml
index 5eeb2657..45bc3673 100644
--- a/kube/deploy/apps/miniflux/kustomization.yaml
+++ b/kube/deploy/apps/miniflux/kustomization.yaml
@@ -2,5 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - ns.yaml
+ # - ns.yaml
 - ks.yaml
diff --git a/kube/deploy/apps/miniflux/ns.yaml b/kube/deploy/apps/miniflux/ns.yaml
deleted file mode 100644
index d1b94416..00000000
--- a/kube/deploy/apps/miniflux/ns.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: miniflux
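Review bot: `# - ns.yaml` keeps a commented-out reference to a file this same commit deletes, which will only confuse the next reader. Either drop the line or turn it into a comment that says where the Namespace now lives, e.g. `# Namespace is created by app/ns.yaml (pod-security labels, prune disabled)`.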