From dcfc5f315c7d79aaa78e346fc0c4acb1f030ec64 Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Wed, 14 Feb 2024 17:17:46 +0800
Subject: [PATCH] feat: add vikunja
---
 .../biohazard/flux/kustomization.yaml | 1 +
 kube/deploy/apps/vikunja/app/es.yaml | 34 ++
 kube/deploy/apps/vikunja/app/hr.yaml | 158 ++++++++++++++++++
 kube/deploy/apps/vikunja/ks.yaml | 68 ++++++++
 kube/deploy/apps/vikunja/kustomization.yaml | 6 +
 kube/deploy/apps/vikunja/ns.yaml | 10 ++
 kube/deploy/core/db/pg/clusters/home/ks.yaml | 4 +
 .../template/pguser/externalsecrets.yaml | 20 +++
 8 files changed, 301 insertions(+)
 create mode 100644 kube/deploy/apps/vikunja/app/es.yaml
 create mode 100644 kube/deploy/apps/vikunja/app/hr.yaml
 create mode 100644 kube/deploy/apps/vikunja/ks.yaml
 create mode 100644 kube/deploy/apps/vikunja/kustomization.yaml
 create mode 100644 kube/deploy/apps/vikunja/ns.yaml
diff --git a/kube/clusters/biohazard/flux/kustomization.yaml b/kube/clusters/biohazard/flux/kustomization.yaml
index 2a2a9a30..dd1a3eb7 100644
--- a/kube/clusters/biohazard/flux/kustomization.yaml
+++ b/kube/clusters/biohazard/flux/kustomization.yaml
@@ -105,6 +105,7 @@ resources:
 - ../../../deploy/apps/redbot/
 - ../../../deploy/apps/code-server/
 - ../../../deploy/apps/homebox/
+ - ../../../deploy/apps/vikunja/
 - ../../../deploy/vm/_kubevirt/
 #- ../../../deploy/vm/_base/
 - ../../../deploy/vm/ad/
diff --git a/kube/deploy/apps/vikunja/app/es.yaml b/kube/deploy/apps/vikunja/app/es.yaml
new file mode 100644
index 00000000..a908b632
--- /dev/null
+++ b/kube/deploy/apps/vikunja/app/es.yaml
@@ -0,0 +1,34 @@
+---
+# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: &name vikunja-secrets
+ namespace: vikunja
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: 1p
+ dataFrom:
+ - extract:
+ key: "Vikunja - ${CLUSTER_NAME}"
+ target:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ name: *name
+ template:
+ engineVersion: v2
+ mergePolicy: Merge
+ data:
+ VIKUNJA_SERVICE_JWTSECRET: "{{ .VIKUNJA_SERVICE_JWTSECRET }}"
+ config.yml: |
+ auth:
+ local:
+ enabled: false
+ openid:
+ enabled: true
+ providers:
+ - name: "JJGadgets Auth"
+ authurl: {{ .OIDC_URL }}
+ clientid: {{ .OIDC_ID }}
+ clientsecret: {{ .OIDC_SECRET }}
\ No newline at end of file
diff --git a/kube/deploy/apps/vikunja/app/hr.yaml b/kube/deploy/apps/vikunja/app/hr.yaml
new file mode 100644
index 00000000..d58644cd
--- /dev/null
+++ b/kube/deploy/apps/vikunja/app/hr.yaml
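Review bot: The three OIDC values interpolated into `config.yml` (`authurl: {{ .OIDC_URL }}`, `clientid: {{ .OIDC_ID }}`, `clientsecret: {{ .OIDC_SECRET }}`) are rendered unquoted into a YAML file, so a value containing `#`, `: `, a leading `*`/`&`/`{`, or trailing whitespace either breaks Vikunja's config parse or silently truncates the secret. Quote them in the template, e.g. `clientsecret: {{ .OIDC_SECRET | quote }}` (and likewise for `authurl` and `clientid`), so the rendered file stays well-formed regardless of what the 1Password item holds. Note too that with `dataFrom: extract` plus `mergePolicy: Merge` every field of the `Vikunja - ${CLUSTER_NAME}` item is also copied into the Secret as its own key; that is harmless for the single-subPath mounts in hr.yaml but deserves a comment such as `# Merge: all item fields land in the Secret; only config.yml and the JWT key are mounted`.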
@@ -0,0 +1,158 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: &app vikunja
+ namespace: *app
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: app-template
+ version: "2.5.0"
+ sourceRef:
+ name: bjw-s
+ kind: HelmRepository
+ namespace: flux-system
+ values:
+ controllers:
+ main:
+ type: deployment
+ replicas: 1
+ pod:
+ labels:
+ ingress.home.arpa/nginx-internal: "allow"
+ db.home.arpa/pg: "pg-home"
+ containers:
+ main:
+ image: &img
+ repository: "docker.io/vikunja/vikunja"
+ tag: "0.23.0@sha256:f852e65b62e975a38d8db26c67417903cf7e0d9b533cb2d0a177d37b95375555"
+ env:
+ VIKUNJA_SERVICE_TIMEZONE: "${CONFIG_TZ}"
+ VIKUNJA_SERVICE_JWTSECRET:
+ valueFrom:
+ secretKeyRef:
+ name: "vikunja-secrets"
+ key: "VIKUNJA_SERVICE_JWTSECRET"
+ VIKUNJA_SERVICE_JWTTTL: "86400" # 1 day
+ VIKUNJA_SERVICE_JWTTTLLONG: "1209600" # 2 weeks
+ VIKUNJA_SERVICE_INTERFACE: ":8080"
+ VIKUNJA_SERVICE_PUBLICURL: "${APP_DNS_VIKUNJA}"
+ VIKUNJA_SERVICE_MAXITEMSPERPAGE: "200"
+ VIKUNJA_SERVICE_ENABLEREGISTRATION: "${CONFIG_VIKUNJA_REGISTRATION:=false}"
+ VIKUNJA_SERVICE_CUSTOMLOGOURL: "https://raw.githubusercontent.com/JJGadgets/images/main/icon.png"
+ VIKUNJA_SENTRY_ENABLED: "false"
+ VIKUNJA_DATABASE_TYPE: "postgres"
+ VIKUNJA_DATABASE_HOST:
+ valueFrom:
+ secretKeyRef:
+ name: &pgsec "pg-home-pguser-vikunja"
+ key: "pgbouncer-host"
+ VIKUNJA_DATABASE_DATABASE:
+ valueFrom:
+ secretKeyRef:
+ name: *pgsec
+ key: "dbname"
+ VIKUNJA_DATABASE_USER:
+ valueFrom:
+ secretKeyRef:
+ name: *pgsec
+ key: "user"
+ VIKUNJA_DATABASE_PASSWORD:
+ valueFrom:
+ secretKeyRef:
+ name: *pgsec
+ key: "password"
+ VIKUNJA_DATABASE_SSLMODE: "require"
+ VIKUNJA_DATABASE_SSLROOTCERT: "/tls/pg-ca.crt"
+ VIKUNJA_METRICS_ENABLED: "true"
+ VIKUNJA_LOG_PATH: "/dev/stdout"
+ VIKUNJA_DEFAULTSETTINGS_AVATAR_PROVIDER: "initials"
+ securityContext: &sc
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ resources:
+ requests:
+ cpu: "10m"
+ memory: "128Mi"
+ limits:
+ cpu: "3000m"
+ memory: "6000Mi"
+ service:
+ main:
+ ports:
+ http:
+ port: 8080
+ ingress:
+ main:
+ enabled: true
+ primary: true
+ className: "nginx-internal"
+ hosts:
+ - host: &host "${APP_DNS_VIKUNJA}"
+ paths: &paths
+ - path: /
+ pathType: Prefix
+ service:
+ name: main
+ port: http
+ tls:
+ - hosts: [*host]
+ persistence:
+ config:
+ enabled: true
+ type: secret
+ name: "vikunja-secrets"
+ advancedMounts:
+ main:
+ main:
+ - subPath: "config.yml"
+ path: "/etc/vikunja/config.yml"
+ readOnly: true
+ pg:
+ enabled: true
+ type: secret
+ name: "pg-home-ca"
+ defaultMode: 0400
+ advancedMounts:
+ main:
+ main:
+ - subPath: "ca.crt"
+ path: "/tls/pg-ca.crt"
+ readOnly: true
+ defaultPodOptions:
+ automountServiceAccountToken: false
+ enableServiceLinks: false
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: &uid ${APP_UID_VIKUNJA}
+ runAsGroup: *uid
+ fsGroup: *uid
+ fsGroupChangePolicy: "Always"
+ seccompProfile: { type: "RuntimeDefault" }
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: "kubernetes.io/hostname"
+ whenUnsatisfiable: "DoNotSchedule"
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: *app
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: "fuckoff.home.arpa/vikunja"
+ operator: "DoesNotExist"
+ serviceMonitor:
+ main:
+ enabled: true
+ endpoints:
+ - port: http
+ scheme: http
+ path: "/api/v1/metrics"
+ interval: 1m
+ scrapeTimeout: 30s
\ No newline at end of file
diff --git a/kube/deploy/apps/vikunja/ks.yaml b/kube/deploy/apps/vikunja/ks.yaml
new file mode 100644
index 00000000..f99a3bbf
--- /dev/null
+++ b/kube/deploy/apps/vikunja/ks.yaml
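Review bot: `VIKUNJA_DATABASE_SSLMODE: "require"` only guarantees encryption; whether the CA mounted at `/tls/pg-ca.crt` is actually checked under `require` depends on the Postgres driver's handling of `sslrootcert`, and hostname verification is never done, so since the CA is already mounted set `VIKUNJA_DATABASE_SSLMODE: "verify-full"` to pin both CA and name (assuming the pgbouncer certificate's SAN matches the `pgbouncer-host` value, which is the norm for PGO-issued certs). `VIKUNJA_SERVICE_PUBLICURL` is given the same `${APP_DNS_VIKUNJA}` that serves as the ingress `host`, which suggests a bare hostname, whereas Vikunja expects a full URL there and derives its OIDC callback from it — presumably this should read `"https://${APP_DNS_VIKUNJA}/"`; confirm what the variable holds. With `readOnlyRootFilesystem: true` and no writable volume (the data PVC is commented out in ks.yaml), the container has nowhere to store attachments and uploaded avatars (Vikunja's files basepath, `./files` under its working directory if I recall correctly), so uploads will fail until an emptyDir or PVC is mounted there or attachments are deliberately unsupported. Finally, `VIKUNJA_METRICS_ENABLED: "true"` plus the `/` Prefix ingress rule makes `/api/v1/metrics` reachable unauthenticated via nginx-internal; acceptable on an internal class, but a comment on the env line stating that is intended would help the next reader.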
@@ -0,0 +1,68 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: vikunja-app
+ namespace: flux-system
+ labels: &l
+ app.kubernetes.io/name: "vikunja"
+spec:
+ commonMetadata:
+ labels: *l
+ path: ./kube/deploy/apps/vikunja/app
+ targetNamespace: "vikunja"
+ dependsOn:
+ - name: vikunja-db
+ # - name: vikunja-pvc
+# ---
+# apiVersion: kustomize.toolkit.fluxcd.io/v1
+# kind: Kustomization
+# metadata:
+# name: vikunja-pvc
+# namespace: flux-system
+# labels: &l
+# app.kubernetes.io/name: "vikunja"
+# spec:
+# commonMetadata:
+# labels: *l
+# path: ./kube/deploy/core/storage/volsync/template
+# targetNamespace: "vikunja"
+# dependsOn:
+# - name: 1-core-storage-volsync-app
+# - name: 1-core-storage-rook-ceph-cluster
+# postBuild:
+# substitute:
+# PVC: "vikunja-data"
+# SIZE: "10Gi"
+# SC: &sc "file"
+# SNAP: *sc
+# ACCESSMODE: "ReadWriteMany"
+# RUID: !!str &uid |
+# ${APP_UID_VIKUNJA}
+# RGID: !!str |
+# ${APP_UID_VIKUNJA}
+# RFSG: !!str |
+# ${APP_UID_VIKUNJA}
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: vikunja-db
+ namespace: flux-system
+ labels: &l
+ prune.flux.home.arpa/enabled: "true"
+ db.home.arpa/pg: "pg-home"
+ app.kubernetes.io/name: "vikunja"
+spec:
+ commonMetadata:
+ labels: *l
+ path: ./kube/deploy/core/db/pg/clusters/template/pguser
+ targetNamespace: "pg"
+ dependsOn:
+ - name: 1-core-db-pg-clusters-home
+ - name: 1-core-secrets-es-k8s
+ postBuild:
+ substitute:
+ PG_NAME: "home"
+ PG_DB_USER: &app "vikunja"
+ PG_APP_NS: *app
diff --git a/kube/deploy/apps/vikunja/kustomization.yaml b/kube/deploy/apps/vikunja/kustomization.yaml
new file mode 100644
index 00000000..5eeb2657
--- /dev/null
+++ b/kube/deploy/apps/vikunja/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ns.yaml
+ - ks.yaml
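Review bot: The thirty-line commented-out `vikunja-pvc` Kustomization carries no explanation of why it is parked, and that matters more than usual because hr.yaml runs the pod with `readOnlyRootFilesystem: true` and mounts no writable volume, so the app currently has no persistent place to write. Either delete the block (git history keeps it) or head it with a one-line reason such as `# vikunja-pvc: disabled until attachment storage is needed; hr.yaml must gain a files volume when this is enabled`. Minor: `vikunja-db` carries `prune.flux.home.arpa/enabled: "true"` while `vikunja-app` does not; if that label drives pruning elsewhere the asymmetry may be deliberate, but a short comment saying so would save the next reader a lookup.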
diff --git a/kube/deploy/apps/vikunja/ns.yaml b/kube/deploy/apps/vikunja/ns.yaml
new file mode 100644
index 00000000..f6866d3c
--- /dev/null
+++ b/kube/deploy/apps/vikunja/ns.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: vikunja
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
+ pod-security.kubernetes.io/enforce: &ps restricted
+ pod-security.kubernetes.io/audit: *ps
+ pod-security.kubernetes.io/warn: *ps
diff --git a/kube/deploy/core/db/pg/clusters/home/ks.yaml b/kube/deploy/core/db/pg/clusters/home/ks.yaml
index 0b6f7cf6..8233c40b 100644
--- a/kube/deploy/core/db/pg/clusters/home/ks.yaml
+++ b/kube/deploy/core/db/pg/clusters/home/ks.yaml
@@ -39,6 +39,10 @@ spec:
 databases: ["paperless-ngx"]
 - name: "joplin"
 databases: ["joplin"]
+ - name: "vikunja"
+ databases: ["vikunja"]
+ - name: "kanboard"
+ databases: ["kanboard"]
 target:
 group: postgres-operator.crunchydata.com
 kind: PostgresCluster
diff --git a/kube/deploy/core/db/pg/clusters/template/pguser/externalsecrets.yaml b/kube/deploy/core/db/pg/clusters/template/pguser/externalsecrets.yaml
index d7e96573..b68ad463 100644
--- a/kube/deploy/core/db/pg/clusters/template/pguser/externalsecrets.yaml
+++ b/kube/deploy/core/db/pg/clusters/template/pguser/externalsecrets.yaml
@@ -91,3 +91,23 @@ spec:
 remoteRef:
 remoteKey: *name
 property: *key
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/external-secrets.io/pushsecret_v1alpha1.json
+apiVersion: external-secrets.io/v1alpha1
+kind: PushSecret
+metadata:
+ name: &name "pg-${PG_NAME}-ca"
+spec:
+ refreshInterval: "1m"
+ secretStoreRefs:
+ - kind: "SecretStore"
+ name: "pg-${PG_NAME}-${PG_APP_NS}-${PG_DB_USER}"
+ selector:
+ secret:
+ name: "pg-${PG_NAME}-cluster-cert" # source secret name
+ data:
+ - match:
+ secretKey: &key "ca.crt" # source secret key
+ remoteRef:
+ remoteKey: *name # destination secret name
+ property: *key # destination secret key
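Review bot: The `kanboard` user/database entry is unrelated to this commit — nothing else in the patch references Kanboard — so it provisions a Postgres role and, presumably, a `pg-home-pguser-kanboard` credential secret of the same kind hr.yaml consumes for vikunja, for an application that is not deployed. Split it into its own commit, or at least annotate it with `# kanboard: pre-provisioned, app not yet deployed` so the dormant credential is not mistaken for an orphan during a later cleanup.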
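Review bot: This PushSecret lives in the shared `pguser` template, so it is instantiated once per database user with that user's `PG_APP_NS`/`PG_DB_USER` (as `vikunja-db` does in ks.yaml), and it is only safe because the `match` selects `ca.crt` alone from `pg-${PG_NAME}-cluster-cert`, a secret that presumably also carries the cluster's `tls.crt`/`tls.key`. Guard that invariant with a comment on the `data:` entry, e.g. `# push ONLY the public CA; this template fans out to every app namespace, never match tls.crt/tls.key here`. The referenced `SecretStore` `pg-${PG_NAME}-${PG_APP_NS}-${PG_DB_USER}` is not created in this diff — the `remoteRef:`/`remoteKey:`/`property:` context lines suggest an existing PushSecret above the hunk already uses it, but that part of the file is not shown — so confirm it targets the app namespace, since hr.yaml expects a `pg-home-ca` Secret in `vikunja`.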