diff --git a/.gitignore b/.gitignore
index ea8c0d0..60c9064 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 .vaultpw
 .vscode/
 .ssh/
+*/charts/
\ No newline at end of file
diff --git a/obsidian/config/Caddyfile b/obsidian/config/Caddyfile
new file mode 100644
index 0000000..fef9aeb
--- /dev/null
+++ b/obsidian/config/Caddyfile
@@ -0,0 +1,3 @@
+:8080 {
+ respond "Hello, world"
+}
\ No newline at end of file
diff --git a/obsidian/config/admin-secret.enc.yaml b/obsidian/config/admin-secret.enc.yaml
new file mode 100644
index 0000000..007c1c5
--- /dev/null
+++ b/obsidian/config/admin-secret.enc.yaml
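Review bot: The Caddyfile in the second hunk answers every request on :8080 with a 200 and a "Hello, world" body, and nothing records that its only role is to be the backend of the OPTIONS preflight rule in resources/http_routes.yaml, where the CORS headers are attached by the route's ResponseHeaderModifier. A leading comment such as `# CORS preflight sink: the obsidian-db-https HTTPRoute routes OPTIONS requests here and adds the CORS headers itself` would stop the next reader from treating this as a leftover placeholder. If you want the response to read as a preflight answer, `respond 204` (no body) is the conventional status, although 200 is accepted by browsers as well.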
@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: obsidian-couchdb
+type: Opaque
+stringData:
+ adminUsername: ENC[AES256_GCM,data:YPev8S8=,iv:rmKKp0n5JCCRsW8MV0DHcAdRCjh7LB690r1i8t2l5ac=,tag:8AOCgrJk4yYvI1lPFfYx6g==,type:str]
+ adminPassword: ENC[AES256_GCM,data:HtwmAsRmZCzIepwtDiLc6/s+1SwFXeKkMSw7uHHG3Mk=,iv:YdPguuTDKg9kuARDwfFcFrPyJGd0jQjO/I8AOygm7VY=,tag:CvzFhEed0mvxwDheIQE/NA==,type:str]
+ cookieAuthSecret: ENC[AES256_GCM,data:xnOSCxMyquMi+akVUBCAECjIqcSa1gzYCA8lVIyeLbnLHAykzsZl5g==,iv:Roe4MwI9lNd78Y36X7qZ1VTRxO7Ztl2SfmHeRzX7i60=,tag:DEJ2xzv0OOrcHarlxlk3gQ==,type:str]
+ erlangCookie: ENC[AES256_GCM,data:KilAsXBz8TJO1hu6IE/Mquz7QUl9qJzPzF1CIy925tf89KUN83QhVA==,iv:I+W5Gqg4DbT5F+lGVhXaUSs9rPGjYMoYD0T9v9AHlOk=,tag:/n1hRrzU1DTqhZJhvq7Qwg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4UGlxRGxQc3AzNW42Tlpt
+ ZFVMR1JWWk1OVWNjNXBScFRldWFqSHVXZXpZClp2cm82ZytnRk5qblZsb3RDU2xw
+ aWtOa0paeVo2ZTZzQy9weVNNNFQ2b3cKLS0tIEdmWGxxTC9qZVBLelJCV3dncURB
+ QjhUT2YvaS83bkpsUjFtTURNZE9hME0KKtGiUiGoulnswTi3mAq8zdq1MOmrqSbP
+ E1Bbdb3amH9mDD+MaXSTxXGcD0X10m6ge+E0c3BMfoF0ssZpQ2hQNw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIWHZTUDhON0wvZVlZTk1D
+ SGY0dHJjaEdkcklwUjh0Yjk4dVdUWGVYRVFZCkh0bDU4THQ2N0RjMGg2aGRDbklG
+ ZjFUWEFabFJrSDJUZHR4bjAyNjZRb2cKLS0tIGNIT2ZHQ2R1ZEVJbWY4ZVh4QTl3
+ NlFuMS91OHozaW8rcHNqZVhSOCtWaDgKpsTPthtNzoyLcWbiWFFNLI/oNTIYf64t
+ +t5dkS8DRb/+iSRIMfP5rIY3Vo8qWiMy8KJW+GgPOo8wLEpkRyjAvA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-03-12T16:48:23Z"
+ mac: 
ENC[AES256_GCM,data:iUzppA+NV3LcZgo5HQLRt5HXONSbQ1PKMfd02ULho7lLpz6HyvCzdBdyUrF0+vUe/WO2BdbY3tGwmt7MEgG7aBIvCscfFKoX5enetOQxKacHBtD8mFBaLF9NIujiSWLQ6j/C9mALcKTJhQgV7eG47jMNiCERe1KJ3P0Z3wl6lhg=,iv:wrE77/hBAtvVmVzaO37pXEdJwRP9YU+CQxt8R/gIvXA=,tag:QSjf2QmJXUFmh7YPoBiJdQ==,type:str]
+ pgp: []
+ unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+ version: 3.8.1
diff --git a/obsidian/config/values.yaml b/obsidian/config/values.yaml
new file mode 100644
index 0000000..164b427
--- /dev/null
+++ b/obsidian/config/values.yaml
@@ -0,0 +1,23 @@
+clusterSize: 3
+
+createAdminSecret: false
+
+couchdbConfig:
+ couchdb:
+ uuid: 04D9BED5-7280-4E43-9C86-1C3EEC1944FB
+ chttpd:
+ require_valid_user: "true"
+ enable_cors: "true"
+ chttpd_auth:
+ allow_persistent_cookies: "true"
+ cors:
+ credentials: 'true'
+ origins: 'app://obsidian.md'
+ methods: 'GET,PUT,POST,HEAD,DELETE'
+
+persistentVolume:
+ enabled: true
+ size: 10Gi
+ storageClass: hcloud-volumes
+ accessModes:
+ - ReadWriteOnce
\ No newline at end of file
diff --git a/obsidian/kustomization.yaml b/obsidian/kustomization.yaml
new file mode 100644
index 0000000..aefb128
--- /dev/null
+++ b/obsidian/kustomization.yaml
@@ -0,0 +1,38 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: obsidian
+
+images:
+ - name: caddy
+ newName: caddy
+ newTag: 2.7.6-alpine
+
+labels:
+- includeSelectors: true
+ pairs:
+ app.kubernetes.io/instance: obsidian
+ app.kubernetes.io/managed-by: kustomize
+
+resources:
+ - resources/namespace.yaml
+ - resources/http_routes.yaml
+ - resources/caddy_deployment.yaml
+ - resources/service.yaml
+
+helmCharts:
+ - name: couchdb
+ repo: https://apache.github.io/couchdb-helm/
+ releaseName: obsidian
+ namespace: obsidian
+ version: 4.5.0
+ valuesFile: config/values.yaml
+ skipTests: true
+
+configMapGenerator:
+ - name: caddy-hack
+ files:
+ - Caddyfile=config/Caddyfile
+
+generators:
+ - ./secret-generator.yaml
\ No newline at end of file
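Review bot: The Secret name `obsidian-couchdb` and the four `stringData` keys (`adminUsername`, `adminPassword`, `cookieAuthSecret`, `erlangCookie`) are a contract with the CouchDB chart, which config/values.yaml tells to use an existing secret via `createAdminSecret: false`, but nothing in this file says so. A comment above `name:` such as `# Consumed by the couchdb chart (createAdminSecret: false in config/values.yaml); name and key names must match what the chart's secret template expects` would make that explicit; since `metadata` matches `unencrypted_regex` it should stay readable after re-encryption, but check the result. Make any such edit through `sops` itself, because the file carries a `mac` and ksops will refuse a hand-edited copy. Presumably the name is `<releaseName>-couchdb` as the chart derives it; confirm against the chart rather than this review.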
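Review bot: The boolean-looking strings under `couchdbConfig` in values.yaml mix two quoting styles — `"true"` for `require_valid_user`, `enable_cors` and `allow_persistent_cookies`, `'true'` for `cors.credentials` — while the rest of the file uses single quotes. Quoting them is right (an unquoted `true` would be a YAML bool, and these are presumably rendered as ini text by the chart), but use one style: `require_valid_user: 'true'`, `enable_cors: 'true'`, `allow_persistent_cookies: 'true'`. `require_valid_user` is also the only authentication gate once resources/http_routes.yaml publishes port 5984 to the gateway, so a one-line comment above it saying that is worth adding.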
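Review bot: The `images` entry in kustomization.yaml pins caddy to the mutable tag `2.7.6-alpine`; kustomize's images transformer also accepts a `digest` field, so adding `digest: sha256:<digest-of-caddy-2.7.6-alpine>` (placeholder) would make the rendered Deployment reproducible and immune to a re-pushed tag. `newName: caddy` repeats `name: caddy` and can be dropped. The `labels` sequence is written flush (`- includeSelectors: true`) while every other sequence in the file is indented two spaces; pick one style for the whole file. With `includeSelectors: true` these labels presumably also land in the chart's immutable workload selectors, so renaming the instance later means recreating those objects — inferred, since the chart output is not visible here.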
diff --git a/obsidian/resources/caddy_deployment.yaml b/obsidian/resources/caddy_deployment.yaml
new file mode 100644
index 0000000..a7919cc
--- /dev/null
+++ b/obsidian/resources/caddy_deployment.yaml
@@ -0,0 +1,39 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: caddy-hack
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: caddy-hack
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: caddy-hack
+ spec:
+ containers:
+ - name: caddy
+ image: caddy
+ command:
+ - caddy
+ args:
+ - run
+ - -c
+ - /etc/caddy/Caddyfile
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ name: web
+ resources:
+ limits:
+ cpu: 10m
+ memory: 30Mi
+ volumeMounts:
+ - name: config
+ mountPath: /etc/caddy
+ volumes:
+ - name: config
+ configMap:
+ name: caddy-hack
\ No newline at end of file
diff --git a/obsidian/resources/http_routes.yaml b/obsidian/resources/http_routes.yaml
new file mode 100644
index 0000000..83ca42e
--- /dev/null
+++ b/obsidian/resources/http_routes.yaml
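Review bot: The caddy container in the Deployment hunk has no `securityContext` at all, although nothing it does needs root or a writable image: it binds :8080 and serves a fixed response from a ConfigMap. Run it as non-root with privilege escalation disabled, all capabilities dropped and a read-only root filesystem, as sketched below, and mark the ConfigMap mount `readOnly: true`. The official image keeps caddy's autosaved config and state under `/config` and `/data` (from memory of its XDG environment — confirm), so those paths need `emptyDir` mounts once the root filesystem is read-only. There are also no readiness or liveness probes, so a wedged replica keeps receiving traffic from the `caddy-hack` Service; an `httpGet` on `/` against port `web` is enough since every path answers 200.
```yaml
      containers:
        - name: caddy
          # … unchanged: image, command, args, ports, resources …
          securityContext:
            runAsNonRoot: true
            runAsUser: 65534
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          readinessProbe:
            httpGet:
              path: /
              port: web
          volumeMounts:
            - name: config
              mountPath: /etc/caddy
              readOnly: true
            - name: data
              mountPath: /data
            - name: caddy-config
              mountPath: /config
      volumes:
        - name: config
          configMap:
            name: caddy-hack
        - name: data
          emptyDir: {}
        - name: caddy-config
          emptyDir: {}
```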
@@ -0,0 +1,56 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: obsidian-db-http
+spec:
+ parentRefs:
+ - name: contour
+ sectionName: http
+ namespace: projectcontour
+ hostnames:
+ - obsidian-db.icb4dc0.de
+ rules:
+ - filters:
+ - type: RequestRedirect
+ requestRedirect:
+ scheme: https
+ statusCode: 301
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: obsidian-db-https
+spec:
+ parentRefs:
+ - name: contour
+ sectionName: https
+ namespace: projectcontour
+ hostnames:
+ - obsidian-db.icb4dc0.de
+ rules:
+ - matches:
+ - method: OPTIONS
+ headers:
+ - name: Origin
+ value: 'app://obsidian.md'
+ filters:
+ - type: ResponseHeaderModifier
+ responseHeaderModifier:
+ add:
+ - name: Access-Control-Allow-Origin
+ value: 'app://obsidian.md'
+ - name: Access-Control-Allow-Methods
+ value: 'GET,PUT,POST,HEAD,DELETE'
+ - name: Access-Control-Allow-Credentials
+ value: 'true'
+ - name: Access-Control-Allow-Headers
+ value: 'accept,authorization,content-type,origin,referer'
+ - name: Access-Control-Max-Age
+ value: '3600'
+ backendRefs:
+ - name: caddy-hack
+ port: 8080
+ - backendRefs:
+ - name: obsidian-svc-couchdb
+ port: 5984
\ No newline at end of file
diff --git a/obsidian/resources/namespace.yaml b/obsidian/resources/namespace.yaml
new file mode 100644
index 0000000..c4bad59
--- /dev/null
+++ b/obsidian/resources/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: obsidian
+ labels:
+ prometheus: default
\ No newline at end of file
diff --git a/obsidian/resources/service.yaml b/obsidian/resources/service.yaml
new file mode 100644
index 0000000..0538777
--- /dev/null
+++ b/obsidian/resources/service.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: caddy-hack
+spec:
+ selector:
+ app.kubernetes.io/name: caddy-hack
+ ports:
+ - protocol: TCP
+ port: 8080
+ targetPort: 8080
\ No newline at end of file
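Review bot: The last rule of `obsidian-db-https` has no `matches`, so everything except the preflight goes to `obsidian-svc-couchdb:5984` — the whole CouchDB HTTP API is published at `obsidian-db.icb4dc0.de`, and the only authentication gate is `chttpd.require_valid_user: "true"` in config/values.yaml, which this file never mentions. A comment above the second `backendRefs`, for example `# Catch-all: exposes the full CouchDB API; auth is enforced by chttpd.require_valid_user in config/values.yaml, keep both in step`, keeps that dependency visible to whoever edits either file. The preflight rule only attaches CORS headers when `Origin` equals `app://obsidian.md` exactly, which is the right pairing for `Access-Control-Allow-Credentials: 'true'`, while the headers on real (non-OPTIONS) responses must come from CouchDB's own `cors` section — worth stating in the same comment. The backend name `obsidian-svc-couchdb` is presumably derived from the chart's `releaseName` in kustomization.yaml; noting that saves a hunt if the release is ever renamed.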
diff --git a/obsidian/secret-generator.yaml b/obsidian/secret-generator.yaml
new file mode 100644
index 0000000..d74ac96
--- /dev/null
+++ b/obsidian/secret-generator.yaml
@@ -0,0 +1,11 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+ # Specify a name
+ name: obsidian-secret-generator
+ annotations:
+ config.kubernetes.io/function: |
+ exec:
+ path: ksops
+files:
+ - config/admin-secret.enc.yaml
\ No newline at end of file
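Review bot: `# Specify a name` is the placeholder comment from the ksops example and tells the reader nothing; replace it with what they actually need, e.g. `# ksops exec generator: kustomize build requires --enable-alpha-plugins --enable-exec and the ksops binary on PATH` followed by `# decrypts config/admin-secret.enc.yaml with the age identity sops reads from SOPS_AGE_KEY_FILE`. Because an exec generator runs whatever binary `path:` names, the file should also say where the build is expected to run (CI runner or a workstation holding the age key) — inferred, since the build tooling is not part of this commit.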