feat(ente): initial deployment

ente/.gitattributes

@@ -0,0 +1 @@
+credentials.yaml filter=age diff=age merge=age -text

ente/config/museum.yaml

@@ -0,0 +1,77 @@
+log-file: "/var/log/ente/museum.log"
+
+# HTTP connection parameters
+http:
+    # If true, bind to 443 and use TLS.
+    # By default, this is false, and museum will bind to 8080 without TLS.
+    # use-tls: true
+
+# Specify the base endpoints for various apps
+apps:
+    # Default is https://albums.ente.io
+    #
+    # If you're running a self hosted instance and wish to serve public links,
+    # set this to the URL where your albums web app is running.
+    public-albums: https://albums.ente.icb4dc0.de
+
+
+# Various low-level configuration options
+internal:
+    # If false (the default), then museum will notify the external world of
+    # various events. E.g, email users about their storage being full, send
+    # alerts to Discord, etc.
+    #
+    # It can be set to true when running a "read only" instance like a backup
+    # restoration test, where we want to be able to access data but otherwise
+    # minimize external side effects.
+    silent: false
+    # If provided, this external healthcheck url is periodically pinged.
+    health-check-url:
+    # Hardcoded verification codes, useful for logging in when developing.
+    #
+    # Uncomment this and set these to your email ID or domain so that you don't
+    # need to peek into the server logs for obtaining the OTP when trying to log
+    # into an instance you're developing on.
+    # hardcoded-ott:
+    #     emails:
+    #         - "example@example.org,123456"
+    #     # When running in a local environment, hardcode the verification code to
+    #     # 123456 for email addresses ending with @example.org
+    #     local-domain-suffix: "@example.org"
+    #     local-domain-value: 123456
+    # List of user IDs that can use the admin API endpoints.
+    admins:
+        - 1580559962386438
+
+# Replication config
+#
+# If enabled, replicate each file to 2 other data centers after it gets
+# successfully uploaded to the primary hot storage.
+replication:
+    enabled: false
+    # The Cloudflare worker to use to download files from the primary hot
+    # bucket. Must be specified if replication is enabled.
+    worker-url:
+    # Number of go routines to spawn for replication
+    # This is not related to the worker-url above.
+    # Optional, default value is indicated here.
+    worker-count: 6
+    # Where to store temporary objects during replication v3
+    # Optional, default value is indicated here.
+    tmp-storage: tmp/replication
+
+# Configuration for various background / cron jobs.
+jobs:
+    cron:
+        # Instances run various cleanup, sending emails and other cron jobs. Use
+        # this flag to disable all these cron jobs.
+        skip: false
+    remove-unreported-objects:
+        # Number of go routines to spawn for object cleanup
+        # Optional, default value is indicated here.
+        worker-count: 1
+    clear-orphan-objects:
+        # By default, this job is disabled.
+        enabled: false
+        # If provided, only objects that begin with this prefix are pruned.
+        prefix: ""

ente/kustomization.yaml

@@ -0,0 +1,37 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: ente
+namePrefix: ente-
+
+images:
+  - name: museum
+    newName: ghcr.io/ente-io/server
+    newTag: 26e17d8464736acc747c1b35c65af194172a245c
+  - name: web
+    newName: code.icb4dc0.de/infrastructure/images/ente/web
+    newTag: latest
+
+labels:
+- includeSelectors: true
+  pairs:
+    app.kubernetes.io/instance: ente
+    app.kubernetes.io/managed-by: kustomize
+
+resources:
+- resources/namespace.yaml
+- resources/museum/deployment.yaml
+- resources/museum/service.yaml
+- resources/web/deployment.yaml
+- resources/web/service.yaml
+- resources/http_routes.yaml
+
+configMapGenerator:
+  - name: museum-config
+    files:
+      - config/museum.yaml
+
+secretGenerator:
+  - name: museum-credentials
+    files:
+      - config/credentials.yaml

ente/resources/http_routes.yaml

@@ -0,0 +1,68 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http
+spec:
+  parentRefs:
+  - name: contour
+    sectionName: http
+    namespace: projectcontour
+  hostnames:
+  - ente.icb4dc0.de
+  - api.ente.icb4dc0.de
+  - albums.ente.icb4dc0.de
+  rules:
+  - filters:
+    - type: RequestRedirect
+      requestRedirect:
+        scheme: https
+        statusCode: 301
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: https-web
+spec:
+  parentRefs:
+  - name: contour
+    sectionName: https
+    namespace: projectcontour
+  hostnames:
+  - ente.icb4dc0.de
+  rules:
+  - backendRefs:
+    - name: ente-web
+      port: 3000
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: https-api
+spec:
+  parentRefs:
+  - name: contour
+    sectionName: ente-endpoints
+    namespace: projectcontour
+  hostnames:
+  - api.ente.icb4dc0.de
+  rules:
+  - backendRefs:
+    - name: ente-museum
+      port: 8080
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: https-albums
+spec:
+  parentRefs:
+  - name: contour
+    sectionName: ente-endpoints
+    namespace: projectcontour
+  hostnames:
+  - albums.ente.icb4dc0.de
+  rules:
+  - backendRefs:
+    - name: ente-web
+      port: 3000

ente/resources/museum/deployment.yaml

@@ -0,0 +1,90 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: museum
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: museum
+      app.kubernetes.io/part-of: ente
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: museum
+        app.kubernetes.io/part-of: ente
+    spec:
+      containers:
+      - name: museum
+        image: museum
+        env:
+          - name: ENTE_CREDENTIALS_FILE
+            value: /credentials.yaml
+          - name: ENTE_DB_HOST
+            valueFrom:
+              secretKeyRef:
+                name: default-cluster-pguser-ente
+                key: host
+          - name: ENTE_DB_NAME
+            valueFrom:
+              secretKeyRef:
+                name: default-cluster-pguser-ente
+                key: dbname
+          - name: ENTE_DB_USER
+            valueFrom:
+              secretKeyRef:
+                name: default-cluster-pguser-ente
+                key: user
+          - name: ENTE_DB_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: default-cluster-pguser-ente
+                key: password
+          - name: ENTE_DB_SSLMODE
+            value: require
+        resources:
+          requests:
+            memory: "64Mi"
+            cpu: "50m"
+          limits:
+            memory: "128Mi"
+            cpu: "250m"
+        ports:
+        - name: api
+          containerPort: 8080
+        - name: metrics
+          containerPort: 2112
+        readinessProbe:
+          httpGet:
+            path: /ping
+            port: 8080
+        livenessProbe:
+          httpGet:
+            path: /ping
+            port: 8080
+        volumeMounts:
+          - name: logs
+            mountPath: /var/log/ente
+          - name: config
+            mountPath: /museum.yaml
+            subPath: museum.yaml
+          - name: credentials
+            mountPath: /credentials.yaml
+            subPath: credentials.yaml
+      volumes:
+        - name: logs
+          emptyDir: {}
+        - name: config
+          configMap:
+            name: museum-config
+            items:
+              - key: museum.yaml
+                path: museum.yaml
+        - name: credentials
+          secret:
+            secretName: museum-credentials
+            items:
+              - key: credentials.yaml
+                path: credentials.yaml
+      nodeSelector:
+        kubernetes.io/arch: arm64

ente/resources/museum/service.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: museum
+spec:
+  selector:
+    app.kubernetes.io/name: museum
+  ports:
+    - protocol: TCP
+      port: 8080
+      targetPort: 8080

ente/resources/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ente
+  labels:
+    prometheus: default

ente/resources/web/deployment.yaml

@@ -0,0 +1,37 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: web
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: web
+      app.kubernetes.io/part-of: ente
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: web
+        app.kubernetes.io/part-of: ente
+    spec:
+      containers:
+      - name: web
+        image: web
+        imagePullPolicy: Always
+        env:
+          - name: ENDPOINT
+            value: https://api.ente.icb4dc0.de
+          - name: ALBUMS_ENDPOINT
+            value: https://albums.ente.icb4dc0.de
+        resources:
+          requests:
+            memory: "64Mi"
+            cpu: "25m"
+          limits:
+            memory: "128Mi"
+            cpu: "50m"
+        ports:
+        - name: web
+          containerPort: 80
+      nodeSelector:
+        kubernetes.io/arch: arm64

ente/resources/web/service.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: web
+spec:
+  selector:
+    app.kubernetes.io/name: web
+    app.kubernetes.io/part-of: ente
+  ports:
+  - port: 3000
+    targetPort: 80