From f111f3d2d1b5c91c1263dc69c364ae65ece4f4ca Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Wed, 29 Nov 2023 12:45:08 +0800
Subject: [PATCH] chore: update newapp template
---
 kube/templates/test/app/hr.yaml | 79 +++++++++++++++++-----------
 kube/templates/test/app/volsync.yaml | 53 +++++++++++++------
 2 files changed, 87 insertions(+), 45 deletions(-)
diff --git a/kube/templates/test/app/hr.yaml b/kube/templates/test/app/hr.yaml
index 3a1c9cc0..ae83d523 100644
--- a/kube/templates/test/app/hr.yaml
+++ b/kube/templates/test/app/hr.yaml
@@ -8,7 +8,7 @@ spec: chart: spec: chart: app-template - version: 2.0.2 + version: "2.3.0" sourceRef: name: bjw-s kind: HelmRepository
@@ -26,7 +26,7 @@ spec: s3.home.arpa/store: "rgw-${CLUSTER_NAME}" containers: main: - image: + image: &img repository: "docker.io/${APPNAME}/server" tag: "v" env: 
@@ -44,39 +44,48 @@ spec: envFrom: - secretRef: name: "${APPNAME}-secrets" + securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: requests: - cpu: 10m - memory: 128Mi + cpu: "10m" + memory: "128Mi" limits: - memory: 6000Mi - statefulset: - volumeClaimTemplates: - - name: data - mountPath: "/data" - accessMode: ReadWriteOnce - size: 20Gi - storageClass: block - - name: backup - mountPath: "/backup" - accessMode: ReadWriteOnce - size: 20Gi - storageClass: block + cpu: "3000m" + memory: "6000Mi" + # statefulset: + # volumeClaimTemplates: + # - name: data + # accessMode: ReadWriteOnce + # size: 20Gi + # storageClass: block + # advancedMounts: + # main: # only container name here + # - path: "/data" + # 01-init-${APPNAME}-admin-password: + # - path: "/data" + # - name: backup + # accessMode: ReadWriteOnce + # size: 20Gi + # storageClass: block + # globalMounts: + # - path: "/backup" initContainers: 01-init-${APPNAME}-admin-password: command: - /bin/sh - -c - '[ -s /data/${APPNAME}.db ] || /sbin/${APPNAME}d recover_account -c /data/server.toml admin' - image: docker.io/${APPNAME}/server:latest + image: *img imagePullPolicy: IfNotPresent - volumeMounts: - - mountPath: /data - name: data - - mountPath: /config - name: config + # TODO: add example PVC initContainer mounts to persistence/volumeClaimTemplates 01-init-db: - image: "ghcr.io/onedr0p/postgres-init:14.8" + image: + repository: "ghcr.io/onedr0p/postgres-init" + tag: "15.0" imagePullPolicy: IfNotPresent envFrom: [secretRef: {name: "${APPNAME}-pg-superuser"}] service:
@@ -137,8 +146,7 @@ spec: name: main port: http tls: - - hosts: - - *host + - hosts: [*host] # dnsConfig: # options: # - name: ndots
@@ -152,7 +160,7 @@ spec: main: main: - subPath: "server.toml" - mountPath: "/data/server.toml" + path: "/data/server.toml" readOnly: true data: enabled: true 
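Review bot: The new `securityContext` (readOnlyRootFilesystem, allowPrivilegeEscalation: false, drop ALL) is attached only to `containers.main`; the `01-init-${APPNAME}-admin-password` and `01-init-db` init containers in the same hunk get none, and a container-level securityContext is never inherited by sibling containers, so the container that receives the `${APPNAME}-pg-superuser` credentials runs without those restrictions. The hunk already introduces the `&img`/`*img` reuse pattern, so the same works here: `securityContext: &sec` on main, then `securityContext: *sec` under each init container. If `postgres-init` or the admin-password shell step turns out to need a writable root filesystem (not visible from here), override only `readOnlyRootFilesystem` on that one container rather than omitting the block.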
@@ -160,7 +168,9 @@ spec: advancedMounts: main: main: - - path: /data + - path: "/data" + 01-init-${APPNAME}-admin-password: + - path: "/data" nfs: enabled: true type: nfs
@@ -169,7 +179,14 @@ spec: advancedMounts: main: main: - - path: /nfs + - path: "/nfs" + tmp: + enabled: true + type: emptyDir + medium: Memory + globalMounts: + - path: "/tmp" + readOnly: false tls: enabled: true type: secret
@@ -210,4 +227,6 @@ spec: runAsUser: &uid ${APP_UID_APPNAME} runAsGroup: *uid fsGroup: *uid - fsGroupChangePolicy: Always \ No newline at end of file + runAsNonRoot: false + seccompProfile: {type: "RuntimeDefault"} + fsGroupChangePolicy: Always
diff --git a/kube/templates/test/app/volsync.yaml b/kube/templates/test/app/volsync.yaml
index 6a7cfdad..5ef7ec71 100644
--- a/kube/templates/test/app/volsync.yaml
+++ b/kube/templates/test/app/volsync.yaml 
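Review bot: The new `tmp` volume is a `medium: Memory` emptyDir with no `sizeLimit`, mounted into every container through `globalMounts`; a tmpfs is charged to the container's memory cgroup, so anything that fills `/tmp` can consume the whole `6000Mi` limit set earlier in this file before the pod is OOM-killed. Add a cap, e.g. `sizeLimit: "1Gi"` (example value, pick what the app needs) next to `medium: Memory`. `readOnly: false` on the mount is the default and can be dropped.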
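Review bot: `runAsNonRoot: false` in the pod securityContext switches off the kubelet's check that the effective UID is non-zero, which is the one guard that would catch an empty or `0` substitution of `${APP_UID_APPNAME}` into `runAsUser`. Since `runAsUser`, `runAsGroup` and `fsGroup` are all pinned to that UID, `runAsNonRoot: true` costs nothing when the value is non-zero and fails the pod instead of silently running it as root. If some init container genuinely needs root (not visible from this hunk), keep `false` but add a comment naming which container and why, so the setting is not copied into new apps from this template unexamined.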
@@ -2,31 +2,32 @@ apiVersion: v1 kind: Secret metadata: - name: ${APPNAME}-restic - namespace: ${APPNAME} + name: "${APPNAME}-data-r2-restic" + namespace: "${APPNAME}" type: Opaque stringData: - RESTIC_REPOSITORY: ${SECRET_VOLSYNC_R2_REPO}/${APPNAME} - RESTIC_PASSWORD: ${SECRET_VOLSYNC_PASSWORD} - AWS_ACCESS_KEY_ID: ${SECRET_VOLSYNC_R2_ID} - AWS_SECRET_ACCESS_KEY: ${SECRET_VOLSYNC_R2_KEY} + RESTIC_REPOSITORY: "${SECRET_VOLSYNC_R2_REPO}/${APPNAME}" + RESTIC_PASSWORD: "${SECRET_VOLSYNC_PASSWORD}" + AWS_ACCESS_KEY_ID: "${SECRET_VOLSYNC_R2_ID}" + AWS_SECRET_ACCESS_KEY: "${SECRET_VOLSYNC_R2_KEY}" --- apiVersion: volsync.backube/v1alpha1 kind: ReplicationSource metadata: - name: ${APPNAME}-restic - namespace: ${APPNAME} + name: "${APPNAME}-data-r2-restic" + namespace: "${APPNAME}" spec: - sourcePVC: ${APPNAME}-data + sourcePVC: "${APPNAME}-data" trigger: - schedule: "0 6 * * *" + schedule: "0 22 * * *" # 6am GMT+8 restic: - copyMethod: Snapshot + copyMethod: "Snapshot" pruneIntervalDays: 14 - repository: ${APPNAME}-restic - cacheCapacity: 2Gi - volumeSnapshotClassName: block - storageClassName: block + repository: "${APPNAME}-r2-restic" + cacheCapacity: "2Gi" + cacheStorageClassName: "local" + storageClassName: &sc "file" + volumeSnapshotClassName: "file" moverSecurityContext: runAsUser: &uid ${APP_UID_APPNAME} runAsGroup: *uid
@@ -34,3 +35,25 @@ spec: retain: daily: 14 within: 7d +--- +apiVersion: volsync.backube/v1alpha1 +kind: ReplicationDestination +metadata: + name: "${APPNAME}-data-r2-bootstrap" + namespace: "${APPNAME}" +spec: + trigger: + manual: "restore-once-bootstrap" + restic: + repository: "${APPNAME}-data-restic" + copyMethod: "Snapshot" + cacheCapacity: "2Gi" + cacheStorageClassName: "local" + storageClassName: "file" + volumeSnapshotClassName: "file" + capacity: "50Gi" + accessModes: ["ReadWriteMany"] + moverSecurityContext: + runAsUser: &uid ${APP_UID_APPNAME} + runAsGroup: *uid + fsGroup: *uid
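Review bot: The Secret is renamed to `"${APPNAME}-data-r2-restic"`, but the ReplicationSource's `restic.repository` is set to `"${APPNAME}-r2-restic"`, and the new ReplicationDestination in the second hunk of this file references `"${APPNAME}-data-restic"`; neither matches the Secret, so VolSync will find no repository credentials and both the scheduled backup and the bootstrap restore will fail rather than run. Both should read `repository: "${APPNAME}-data-r2-restic"`. Separately, `storageClassName: &sc "file"` defines an anchor that is never aliased in this hunk while `volumeSnapshotClassName: "file"` repeats the literal; either write `volumeSnapshotClassName: *sc` or drop the unused `&sc`.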