Merge branch 'main' of github.com:JJGadgets/Biohazard

2026-01-28 02:18:24 +00:00 · 2023-05-22 02:29:36 +08:00
parent 00111bad1a 2c6fa155df
commit 91f85d54ce
4 changed files with 56 additions and 7 deletions
--- a/kube/3-deploy/1-core/05-ingress/nginx/default-backend.yaml
+++ b/kube/3-deploy/1-core/05-ingress/nginx/default-backend.yaml
@@ -0,0 +1,40 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: default-backend
+  namespace: ingress
+spec:
+  chart:
+    spec:
+      chart: app-template
+      version: 1.5.0
+      sourceRef:
+        name: bjw-s
+        kind: HelmRepository
+        namespace: flux-system
+  values:
+    controller:
+      type: daemonset
+    image:
+      repository: public.ecr.aws/docker/library/busybox
+      tag: 1.36.1-glibc
+    command: ["busybox", "sh", "-c"]
+    args: ["wget 'https://jjgadgets.tech/error.zstd' -O /dev/shm/index.html && httpd -f -v -p 8080 -h /dev/shm"]
+    service:
+      main:
+        ports:
+          http:
+            port: 80
+            targetPort: 8080
+    podSecurityContext:
+      runAsUser: &uid 404200
+      runAsGroup: *uid
+      fsGroup: *uid
+      fsGroupChangePolicy: Always
+    resources:
+      requests:
+        cpu: 10m
+        memory: 32Mi
+      limits:
+        memory: 256Mi
--- a/kube/3-deploy/1-core/05-ingress/nginx/install.yaml
+++ b/kube/3-deploy/1-core/05-ingress/nginx/install.yaml
@@ -33,6 +33,7 @@ spec:
        enabled: true
      extraArgs:
        default-ssl-certificate: ingress/short-domain-tls
+        default-backend-service: ingress/default-backend
      ingressClassByName: true
      nodeSelector:
        node-restriction.kubernetes.io/nodeType: main
@@ -43,6 +44,7 @@ spec:
        disable-access-log: "false"
        log-format-escape-json: "true"
        # hardening
+        custom-http-errors: 400,401,403,404,405,409,410,411,412,413,414,415,416,417,418,421,425,431,451,500,501,502,503,504,505,506,510
        hsts-max-age: "31449600"
        hsts-preload: "true"
        ssl-protocols: TLSv1.3 TLSv1.2
--- a/kube/3-deploy/2-apps/gotosocial/app/hr.yaml
+++ b/kube/3-deploy/2-apps/gotosocial/app/hr.yaml
@@ -81,10 +81,10 @@ spec:
        cpu: 10m
        memory: 128Mi
      limits:
-        memory: 6000Mi
+        memory: 1024Mi
    initContainers:
      01-init-db:
-        image: ghcr.io/onedr0p/postgres-init:14.8
+        image: ghcr.io/onedr0p/postgres-init:14.8@sha256:d8391076d2c6449927a6409c4e72aaa5607c95be51969036f4feeb7c999638ea
        imagePullPolicy: IfNotPresent
        envFrom:
          - secretRef:
--- a/kube/templates/test/app/hr.yaml
+++ b/kube/templates/test/app/hr.yaml
@@ -8,10 +8,10 @@ spec:
  chart:
    spec:
      chart: app-template
-      version: 1.4.0
+      version: 1.5.0
      sourceRef:
-        kind: HelmRepository
        name: bjw-s
+        kind: HelmRepository
        namespace: flux-system
  values:
    controller:
@@ -25,12 +25,11 @@ spec:
      main:
        enabled: true
        type: LoadBalancer
-        externalTrafficPolicy: Local
+        # eTP can be Cluster (for HA & failover) instead of Local since Cilium is configured in DSR mode, so proper source IP will still work
+        externalTrafficPolicy: Cluster
        annotations:
          coredns.io/hostname: "${APP_DNS_${APPNAME}}"
          "io.cilium/lb-ipam-ips": "${APP_IP_${APPNAME}}"
-        externalIPs:
-          - "${APP_IP_${APPNAME}}"
        ports:
          http:
            enabled: true
@@ -153,3 +152,11 @@ spec:
          name: data
        - mountPath: /config
          name: config
+      01-init-db:
+        image: ghcr.io/onedr0p/postgres-init:14.8@sha256:d8391076d2c6449927a6409c4e72aaa5607c95be51969036f4feeb7c999638ea
+        imagePullPolicy: IfNotPresent
+        envFrom:
+          - secretRef:
+              name: gotosocial-pg
+          - secretRef:
+              name: gotosocial-pg-superuser