From 7dccc951f799c1ee5aecd79db00cc3e8ec09c65d Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Tue, 7 Jan 2025 20:34:51 +0800
Subject: [PATCH] feat(hass)!: userns, Litestream, EMQX netpols, cleanup

---
 kube/deploy/apps/home-assistant/app/hr.yaml | 62 ++++++-------------
 .../litestream/template/externalsecret.yaml | 61 ++++++++++++++++++
 .../db/litestream/template/kustomization.yaml | 5 ++
 3 files changed, 86 insertions(+), 42 deletions(-)
 create mode 100644 kube/deploy/core/db/litestream/template/externalsecret.yaml
 create mode 100644 kube/deploy/core/db/litestream/template/kustomization.yaml

diff --git a/kube/deploy/apps/home-assistant/app/hr.yaml b/kube/deploy/apps/home-assistant/app/hr.yaml
index 6463ce3c..bccd5087 100644
--- a/kube/deploy/apps/home-assistant/app/hr.yaml
+++ b/kube/deploy/apps/home-assistant/app/hr.yaml
@@ -70,17 +70,25 @@ spec:
 litestream: &ls
 image:
 repository: "docker.io/litestream/litestream"
- tag: "0.3.13"
+ tag: "0.3.13@sha256:027eda2a89a86015b9797d2129d4dd447e8953097b4190e1d5a30b73e76d8d58"
 args: ["replicate"]
 envFrom:
 - secretRef:
 name: litestream-secrets
 env: &lsenv
+ DB_PATH: "/config/home-assistant_v2.db"
+ REMOTE_PATH: "home-assistant/home-assistant_v2"
+ VALIDATION_INTERVAL: "24h"
 AGE_PUBKEY:
 valueFrom:
 secretKeyRef:
- name: "litestream-agekey"
+ name: "home-assistant-litestream-agekey"
 key: "AGE_PUBKEY"
+ AGE_SECRET:
+ valueFrom:
+ secretKeyRef:
+ name: "home-assistant-litestream-agekey"
+ key: "AGE_SECRET"
 securityContext: *sc
 resources:
 requests:
@@ -93,12 +101,7 @@ spec:
 01-litestream-restore:
 <<: *ls
 args: ["restore", "-if-db-not-exists", "-if-replica-exists", "-v", "/config/home-assistant_v2.db"]
- env:
- AGE_SECRET:
- valueFrom:
- secretKeyRef:
- name: "litestream-agekey"
- key: "AGE_SECRET"
+ env: *lsenv
 # vscode:
 # type: deployment
 # replicas: 0
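Review bot: The secretKeyRef name in `&lsenv` (`home-assistant-litestream-agekey`, used for both AGE_PUBKEY and AGE_SECRET) does not match the ExternalSecret this commit adds, which creates `litestream-agekey`, while the `envFrom` on the same container references `litestream-secrets` with no prefix; if the template is instantiated with a name prefix, the `litestream-secrets` references (here and in the volume hunk at -215) need the same prefix, and if it is not, this ref points at a Secret that never exists and the pod stays in CreateContainerConfigError. A second point is least privilege: merging AGE_SECRET into `&lsenv` (inherited by `env: *lsenv` in the -93 hunk and by the long-running `replicate` container) hands the age identity to a container that previously held only the recipient; if the shared litestream.yml's `identities` line is what forces this, a comment such as `# AGE_SECRET reaches the replicate container only because the shared litestream.yml expands $${AGE_SECRET}` would record the trade-off. Finally, with the config now rendered by External Secrets from `{{ .R2_* }}` fields instead of expanded from env vars, the `envFrom: secretRef: litestream-secrets` line looks vestigial — the templated Secret presumably carries only `litestream.yml`, which is not a valid env var name — so dropping it would keep the R2 credentials out of the container environment.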
@@ -194,20 +197,19 @@ spec:
 # - hosts: [*host]
 persistence:
 config:
- enabled: true
 existingClaim: "home-assistant-data"
 advancedMounts:
 home-assistant:
- main:
+ main: &pvc
 - subPath: "config"
 path: "/config"
 readOnly: false
+ litestream: *pvc
 # vscode:
 # main:
 # - path: "/home/coder"
 # readOnly: false
 tmp:
- enabled: true
 type: emptyDir
 medium: Memory
 globalMounts:
@@ -215,31 +217,14 @@ spec:
 path: "/tmp"
 readOnly: false
 litestream:
- enabled: true
 type: configMap
- name: "headscale-litestream"
- globalMounts:
- - subPath: "litestream.yml"
- path: "/etc/litestream.yml"
- readOnly: true
- configMaps:
- litesteeam:
- data:
- litestream.yml: |
- dbs:
- - path: /config/home-assistant_v2.db
- replicas:
- - name: "r2"
- type: "s3"
- endpoint: "$${R2_ENDPOINT}"
- bucket: "$${R2_BUCKET}"
- path: "home-assistant"
- force-path-style: true
- retention: 168h
- # validation-interval: 24h
- age:
- recipients: ["$${AGE_PUBKEY}"]
- identities: ["$${AGE_SECRET}"]
+ name: "litestream-secrets"
+ advancedMounts:
+ home-assistant:
+ litestream:
+ - subPath: "litestream.yml"
+ path: "/etc/litestream.yml"
+ readOnly: true
 defaultPodOptions:
 automountServiceAccountToken: false
 enableServiceLinks: false
@@ -251,13 +236,6 @@ spec:
 fsGroup: *gid
 fsGroupChangePolicy: "Always"
 seccompProfile: { type: "RuntimeDefault" }
- topologySpreadConstraints:
- - maxSkew: 1
- topologyKey: "kubernetes.io/hostname"
- whenUnsatisfiable: "DoNotSchedule"
- labelSelector:
- matchLabels:
- app.kubernetes.io/name: *app
 affinity:
 nodeAffinity:
 requiredDuringSchedulingIgnoredDuringExecution:
diff --git a/kube/deploy/core/db/litestream/template/externalsecret.yaml b/kube/deploy/core/db/litestream/template/externalsecret.yaml
new file mode 100644
index 00000000..84118ddf
--- /dev/null
+++ b/kube/deploy/core/db/litestream/template/externalsecret.yaml
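Review bot: In the -215 hunk the `litestream` volume keeps the context line `type: configMap` but now points at `name: "litestream-secrets"`, which this commit creates as a Secret through ExternalSecret (the same object the container's `envFrom: secretRef` uses), so the pod will wait on a ConfigMap that never exists; the line should read `type: secret`. The rendered litestream.yml now carries the R2 access key and secret, and because it is mounted through `subPath`, the kubelet will not refresh the file when the ExternalSecret's 1m refresh rotates those credentials — a rotation then needs a pod restart, or mounting the whole Secret at a directory rather than a single subPath. A one-line comment above the volume, `# litestream.yml is rendered by ESO and contains the R2 credentials; subPath mounts do not pick up rotations`, would make that behaviour visible to the next maintainer.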
@@ -0,0 +1,61 @@
+---
+# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: &name litestream-secrets
+spec:
+ refreshInterval: 1m
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: 1p
+ dataFrom:
+ - extract:
+ key: "Litestream - ${CLUSTER_NAME}"
+ target:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ name: *name
+ template:
+ type: Opaque
+ data:
+ litestream.yml: |
+ dbs:
+ - path: "$${DB_PATH}"
+ replicas:
+ - name: "r2"
+ type: "s3"
+ endpoint: "{{ .R2_ENDPOINT }}"
+ bucket: "{{ .R2_BUCKET }}"
+ path: "$${REMOTE_PATH}"
+ access-key-id: "{{ .R2_ID }}"
+ secret-access-key: "{{ .R2_SECRET }}"
+ force-path-style: true
+ retention: 168h
+ validation-interval: $${VALIDATION_INTERVAL}
+ age:
+ recipients: [$${AGE_PUBKEY}]
+ identities: [$${AGE_SECRET}]
+---
+# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: &name litestream-agekey
+spec:
+ refreshInterval: 1m
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: 1p
+ dataFrom:
+ - extract:
+ key: "Litestream - ${CLUSTER_NAME}"
+ target:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ name: *name
+ template:
+ type: Opaque
+ data:
+ AGE_PUBKEY: '{{ .AGE_PUBKEY }}'
+ AGE_SECRET: '{{ .AGE_SECRET }}'
diff --git a/kube/deploy/core/db/litestream/template/kustomization.yaml b/kube/deploy/core/db/litestream/template/kustomization.yaml
new file mode 100644
index 00000000..5d3469d8
--- /dev/null
+++ b/kube/deploy/core/db/litestream/template/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./externalsecret.yaml
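Review bot: The `$$`-escaped placeholders in the rendered litestream.yml (presumably Flux substitution leaving `${VAR}` for Litestream's own env expansion, as the old config already relied on) are quoted for `path: "$${DB_PATH}"` and `"$${REMOTE_PATH}"` but left bare for `validation-interval: $${VALIDATION_INTERVAL}`, `recipients: [$${AGE_PUBKEY}]` and `identities: [$${AGE_SECRET}]`, and the second document quotes its `{{ .AGE_* }}` values. Beyond the inconsistency, an unset AGE_PUBKEY in the container expands to `recipients: []`, which, if Litestream treats an empty recipient list as "no encryption", would upload the database unencrypted without complaint, whereas a quoted `recipients: ["$${AGE_PUBKEY}"]` leaves an empty string that cannot parse as a recipient and halts replication instead. Quoting all three — `validation-interval: "$${VALIDATION_INTERVAL}"`, `recipients: ["$${AGE_PUBKEY}"]`, `identities: ["$${AGE_SECRET}"]` — fails closed and matches the rest of the file. Since the first document renders the R2 key pair into the config file, a comment above `litestream.yml: |` such as `# Rendered config embeds the R2 credentials: mount this Secret as a file, do not expose it via envFrom` would help whoever instantiates the template.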