From fe364d339fb8f0032be2c7bbe29b8347fc0d40cf Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Thu, 1 Feb 2024 22:44:14 +0800
Subject: [PATCH] chore(templates): cleanup
---
 kube/templates/test/app/hr.yaml | 45 +++++++++++++---------------
 kube/templates/test/app/secrets.yaml | 9 ++++++
 kube/templates/test/ks.yaml | 19 ++++++++++--
 3 files changed, 46 insertions(+), 27 deletions(-)
 create mode 100644 kube/templates/test/app/secrets.yaml
diff --git a/kube/templates/test/app/hr.yaml b/kube/templates/test/app/hr.yaml
index 508819be..f33cd7f8 100644
--- a/kube/templates/test/app/hr.yaml
+++ b/kube/templates/test/app/hr.yaml
@@ -5,10 +5,11 @@ metadata:
 name: &app ${APPNAME}
 namespace: *app
 spec:
+ interval: 5m
 chart:
 spec:
 chart: app-template
- version: "2.4.0"
+ version: "2.5.0"
 sourceRef:
 name: bjw-s
 kind: HelmRepository
@@ -81,9 +82,9 @@ spec:
 initContainers:
 01-init-${APPNAME}-admin-password:
 command:
- - /bin/sh
- - -c
- '[ -s /data/${APPNAME}.db ] || /sbin/${APPNAME}d recover_account -c /data/server.toml admin'
+ - /bin/sh
+ - -c
+ "[ -s /data/${APPNAME}.db ] || /sbin/${APPNAME}d recover_account -c /data/server.toml admin"
 image: *img
 imagePullPolicy: IfNotPresent
 # TODO: add example PVC initContainer mounts to persistence/volumeClaimTemplates
@@ -92,7 +93,7 @@ spec:
 repository: "ghcr.io/onedr0p/postgres-init"
 tag: "15.5@sha256:70b4c228f2e86de39008a35211c76c1ac6de1dcdf0e908ac09ede6a11e2344e2"
 imagePullPolicy: IfNotPresent
- envFrom: [secretRef: {name: "${APPNAME}-pg-superuser"}]
+ envFrom: [secretRef: { name: "${APPNAME}-pg-superuser" }]
 service:
 main:
 ports:
@@ -103,7 +104,6 @@ spec:
 primary: false
 controller: main
 type: LoadBalancer
- # eTP can be Cluster (for HA & failover) instead of Local since Cilium is configured in DSR mode, so proper source IP will still work
 externalTrafficPolicy: Cluster
 annotations:
 coredns.io/hostname: "${APP_DNS_APPNAME}"
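Review bot: The removed comment was the only record of why `externalTrafficPolicy: Cluster` is acceptable for this Service — that Cilium in DSR mode still delivers the real client source IP — and the setting itself survives the change. With `Cluster` the usual behaviour is that client addresses are SNATed on the way to the pod, which would undermine any source-IP allowlisting or audit logging downstream, so the rationale is worth keeping in a shorter form such as `# Cluster (not Local) keeps client source IP here because Cilium runs in DSR mode`. The `service.main` block continues outside the hunk.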
@@ -137,8 +137,6 @@ spec:
 nginx.ingress.kubernetes.io/server-snippet: |
 proxy_ssl_name ${APP_DNS_APPNAME};
 proxy_ssl_server_name on;
- large_client_header_buffers 4 8k;
- client_header_buffer_size 8k;
 # without header buffer size, will get following errors due to hardening ingress-nginx number of header buffers to 2 and header buffer size to 1k:
 # HTTP1.1 /v1/auth/valid: 400 Request Header Or Cookie Too Large
 # HTTP2 /v1/auth/valid: HTTP/2 stream was not closed cleanly before end of the underlying stream
@@ -157,14 +155,14 @@ spec:
 primary: true
 className: "tailscale"
 hosts:
- - host: &host "${APPNAME}"
+ - host: &host "${APPNAME}.${DNS_TS}"
 paths: *paths
 tls:
 - hosts: [*host]
-# dnsConfig:
-# options:
-# - name: ndots
-# value: "1"
+ # dnsConfig:
+ # options:
+ # - name: ndots
+ # value: "1"
 persistence:
 config:
 enabled: true
@@ -179,27 +177,26 @@ spec:
 data:
 enabled: true
 existingClaim: "${APPNAME}-data"
- advancedMounts:
- main:
- main:
- - path: "/data"
- 01-init-${APPNAME}-admin-password:
- - path: "/data"
+ globalMounts:
+ - subPath: "data"
+ path: "/data"
 nfs:
 enabled: true
 type: nfs
 server: "${IP_TRUENAS}"
- path: "${PATH_NAS_PERSIST_K8S}/${APPNAME}"
+ path: "${PATH_NAS_PERSIST_K8S}"
 advancedMounts:
 main:
 main:
- - path: "/nfs"
+ - subPath: "${APPNAME}"
+ path: "/nfs"
 tmp:
 enabled: true
 type: emptyDir
 medium: Memory
 globalMounts:
- - path: "/tmp"
+ - subPath: "tmp"
+ path: "/tmp"
 readOnly: false
 tls:
 enabled: true
@@ -239,12 +236,12 @@ spec:
 automountServiceAccountToken: false
 enableServiceLinks: false
 securityContext:
- runAsNonRoot: false
+ runAsNonRoot: true
 runAsUser: &uid ${APP_UID_APPNAME}
 runAsGroup: *uid
 fsGroup: *uid
 fsGroupChangePolicy: "Always"
- seccompProfile: {type: "RuntimeDefault"}
+ seccompProfile: { type: "RuntimeDefault" }
 topologySpreadConstraints:
 - maxSkew: 1
 topologyKey: "kubernetes.io/hostname"
diff --git a/kube/templates/test/app/secrets.yaml b/kube/templates/test/app/secrets.yaml
new file mode 100644
index 00000000..4865c1b3
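Review bot: The three `#` lines left at the end of the `server-snippet` block scalar now explain directives that are no longer in it — `large_client_header_buffers` and `client_header_buffer_size` were removed just above them — so a reader will look for header-buffer tuning that is not there, and the stale text is still shipped to nginx as part of the snippet. Either drop those three lines, or reword them to say where the header-buffer settings now live if they were moved rather than dropped, e.g. `# header buffer sizes are no longer set per-Ingress; see the controller config`. The `annotations` mapping this snippet belongs to starts outside the hunk.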
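Review bot: The NFS volume now mounts the export root `${PATH_NAS_PERSIST_K8S}` and relies on `subPath: "${APPNAME}"` for isolation, where the old line exported only the per-app path `${PATH_NAS_PERSIST_K8S}/${APPNAME}`. That widens what is mounted on the node for every pod built from this template to the whole persist tree, and the container's confinement to its own directory now depends on the kubelet's subPath handling rather than on the NFS path itself; if the server can export per-app paths, the previous form is the tighter option, and if it cannot, a comment next to `path:` should record the trade-off. Separately, `data` moves from the PVC root to `subPath: "data"` on the same `existingClaim`, so a claim populated under the old layout would appear empty at `/data` — worth a note if this template is ever applied over existing claims.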
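Review bot: `runAsNonRoot: true` at pod level is the right direction, but the matching container-level hardening (`allowPrivilegeEscalation: false`, `capabilities: { drop: [ALL] }`, `readOnlyRootFilesystem: true`) is not visible in this hunk; if the template does not already set it under the container `securityContext`, this commit is the natural place to add it alongside the pod-level change. Note also that with `runAsNonRoot: true` the kubelet refuses to start a container whose `${APP_UID_APPNAME}` substitutes to `0`, which is desirable but easy to trip over when filling in the template, so a one-line comment next to `runAsUser` such as `# must be non-zero: runAsNonRoot is enforced` would make the failure mode obvious. The pod-options block this `securityContext` belongs to begins outside the hunk.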
--- /dev/null
+++ b/kube/templates/test/app/secrets.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "${APPNAME}-secrets"
+ namespace: "${APPNAME}"
+type: Opaque
+stringData:
+
diff --git a/kube/templates/test/ks.yaml b/kube/templates/test/ks.yaml
index 27988df0..d6a39cea 100644
--- a/kube/templates/test/ks.yaml
+++ b/kube/templates/test/ks.yaml
@@ -4,8 +4,13 @@ kind: Kustomization
 metadata:
 name: ${APPNAME}-app
 namespace: flux-system
+ labels: &l
+ app.kubernetes.io/name: "${APPNAME}"
 spec:
+ commonMetadata:
+ labels: *l
 path: ./kube/deploy/apps/${APPNAME}/app
+ targetNamespace: "${APPNAME}"
 dependsOn:
 - name: ${APPNAME}-db
 - name: ${APPNAME}-pvc
@@ -15,7 +20,11 @@ kind: Kustomization
 metadata:
 name: ${APPNAME}-pvc
 namespace: flux-system
+ labels: &l
+ app.kubernetes.io/name: "${APPNAME}"
 spec:
+ commonMetadata:
+ labels: *l
 path: ./kube/deploy/core/storage/volsync/template
 targetNamespace: "${APPNAME}"
 dependsOn:
@@ -25,8 +34,9 @@ spec:
 substitute:
 PVC: "${APPNAME}-data"
 SIZE: "10Gi"
- SC: "block"
- RUID: &uid !!str |
+ SC: &sc "file"
+ SNAP: *sc
+ RUID: !!str &uid |
 ${APP_UID_APPNAME}
 RGID: !!str |
 ${APP_UID_APPNAME}
@@ -38,10 +48,13 @@ kind: Kustomization
 metadata:
 name: ${APPNAME}-db
 namespace: flux-system
- labels:
+ labels: &l
 prune.flux.home.arpa/enabled: "true"
 db.home.arpa/pg: "pg-default"
+ app.kubernetes.io/name: "${APPNAME}"
 spec:
+ commonMetadata:
+ labels: *l
 path: ./kube/deploy/core/db/pg/clusters/template/pguser
 targetNamespace: "pg"
 dependsOn:
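Review bot: The new Secret template ends with a bare `stringData:`, which YAML parses as `null` rather than an empty mapping, so the placeholder should read `stringData: {}` or carry a commented example key that the copier replaces. Because this is a plaintext `kind: Secret` meant to be copied into a deploy directory, the template should also state how filled-in values are expected to be protected once committed — encrypted in-repo or sourced from an external secret store — since a copy with real values otherwise lands in git in cleartext; a header comment such as `# populate stringData in the copied file and encrypt it before committing` would make the intent explicit. The repository's secret-handling convention is not visible from this patch, so treat this as a check on the template's guidance rather than a confirmed defect.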