parent
ac0f1f7dc9
commit
ceca1f3bc9
30 changed files with 1971 additions and 45 deletions
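--- a/coder/.gitignore
+++ b/coder/.gitignore
@@ -0,0 +1 @@
+charts/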
37
coder/config/secrets.enc.yml
Normal file
|
@ -0,0 +1,37 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: coder-secrets
|
||||||
|
type: Opaque
|
||||||
|
stringData:
|
||||||
|
OIDC_CLIENT_ID: ENC[AES256_GCM,data:4KD0RPoRdY23wwkwqoXFloAl3VHQsaVJq46psw/tybCic+g6,iv:LQuY/nTVbD8J62Ia4QNRPQq+mP2BX5cOufIOpaqdjHk=,tag:2hB0sZ6fG/Mdi/Mxi123yw==,type:str]
|
||||||
|
OIDC_CLIENT_SECRET: ENC[AES256_GCM,data:8F2gjA8bMyh+g/MPppOtO8pGSvvjoNse2jPAYcH2vyfXNRNR2hn3OF56OkqAQUDgKh3mOMMIlOA=,iv:MSpf7TueXeJ9bJ9gMJAR7m97sbe/GG0GhIsDKOS8U5g=,tag:dJwpuxdG2tjEGSkoynstrg==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmNllWNkJSdm8rblRWQWY0
|
||||||
|
U05Bdkw4OUlhTmZTY2VPOXp3UStKMTZpTGpRCmlxRVFlREtuSG85Zk4vb2lIZm1H
|
||||||
|
SG9hTjc5bmppS0ZWNDVkajBHY2FlcnMKLS0tIGVPQTVHTktPbGVORys4Vk9pdEZp
|
||||||
|
ZnhvczRaK09YL0crK0hwYUllZXErSk0K23F5ItL9qHYbuNVuWGzpgaXMN5LNwc+n
|
||||||
|
LAtAoDwhsNhxNFTU+164rtjwHQ+NMp/xNIHiWMeOBz8zSkqCDAhxJg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwaU5ldHg2RjVqdUQxMysv
|
||||||
|
d05jaEFsMXF6QXNlZ2I0SjhGb2pEeHl2WXh3CmtZcG1WZXY3SnBBTTU2cFh6Z1Vo
|
||||||
|
RGd1OGt1cUhXc2VoUmJJaHJhRlQ1QVUKLS0tIEhscmZWU3Y2UFI2UVorbXVoQ2Yz
|
||||||
|
VElCdDBrcEt0amlJUmlldENtSjYyczQK8BueJyu/9pJSqa3eYT/bW705O+Wzd6OF
|
||||||
|
+COLZ8HmD6RFy6K+1uqRqy8ETfSqsaNC06ZdBtH3VKNPOk0ayAuWeg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2023-12-21T13:40:45Z"
|
||||||
|
mac: ENC[AES256_GCM,data:nxoSscCX6drScTysPpdPCwNBpJ7IFjIHEDsoVtsMaC2XufxBHNs5iZLv0vc/QfPK4xTRuEjWxhpFq/XiqTkcArpj/19PopKawa9JAKwSjK+9h83rvhK2r0j8QUmKpx9CfRS4uR2e/u2SCLyGtoAFsZD/nwQYFh3o3y0GfpCz3FE=,iv:V/j4zOf2D9SFSJsr7v8/IM8Sor+pJDL520vXSQUwW6w=,tag:lvNKkyw51qVM/j0WB987JA==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
|
||||||
|
version: 3.8.1
|
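--- a/coder/config/values.coder.yml
+++ b/coder/config/values.coder.yml
@@ -0,0 +1,63 @@
+---
+coder:
+ingress:
+enable: true
+host: ide.icb4dc0.de
+wildcardHost: "*.ide.icb4dc0.de"
+annotations:
+gethomepage.dev/description: Remote IDE
+gethomepage.dev/enabled: "true"
+gethomepage.dev/group: Apps
+gethomepage.dev/icon: coder.png
+gethomepage.dev/name: Coder
+env:
+- name: CODER_WILDCARD_ACCESS_URL
+value: '*.ide.icb4dc0.de'
+- name: CODER_ACCESS_URL
+value: "https://ide.icb4dc0.de"
+- name: CODER_PG_CONNECTION_URL
+valueFrom:
+secretKeyRef:
+name: default-cluster-pguser-coder
+key: uri
+- name: CODER_DISABLE_PASSWORD_AUTH
+value: "true"
+- name: CODER_OIDC_ISSUER_URL
+value: "https://code.icb4dc0.de/"
+- name: CODER_OIDC_SIGN_IN_TEXT
+value: "Sign in with Gitea"
+- name: CODER_OIDC_ICON_URL
+value: https://gitea.io/images/gitea.png
+- name: CODER_OIDC_CLIENT_ID
+valueFrom:
+secretKeyRef:
+name: coder-secrets
+key: OIDC_CLIENT_ID
+- name: CODER_OIDC_CLIENT_SECRET
+valueFrom:
+secretKeyRef:
+name: coder-secrets
+key: OIDC_CLIENT_SECRET
+- name: CODER_GITAUTH_0_ID
+value: primary-forgejo
+- name: CODER_GITAUTH_0_TYPE
+value: gitlab
+- name: CODER_GITAUTH_0_AUTH_URL
+value: https://code.icb4dc0.de/login/oauth/authorize
+- name: CODER_GITAUTH_0_TOKEN_URL
+value: https://code.icb4dc0.de/login/oauth/access_token
+- name: CODER_GITAUTH_0_VALIDATE_URL
+value: https://code.icb4dc0.de/login/oauth/userinfo
+- name: CODER_GITAUTH_0_CLIENT_ID
+valueFrom:
+secretKeyRef:
+name: coder-secrets
+key: OIDC_CLIENT_ID
+- name: CODER_GITAUTH_0_CLIENT_SECRET
+valueFrom:
+secretKeyRef:
+name: coder-secrets
+key: OIDC_CLIENT_SECRET
+
+service:
+type: ClusterIP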
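Review bot: `CODER_GITAUTH_0_CLIENT_ID` and `CODER_GITAUTH_0_CLIENT_SECRET` read the same `OIDC_CLIENT_ID` / `OIDC_CLIENT_SECRET` keys of `coder-secrets` as the OIDC login, so a single OAuth application on code.icb4dc0.de carries both sign-in and repository access; a separate OAuth application with its own keys in the secret would let the git credential be rotated or revoked without breaking login. With `CODER_DISABLE_PASSWORD_AUTH` set to `"true"`, who may sign in is decided entirely by the identity provider, so unless registration there is restricted it is worth setting `CODER_OIDC_ALLOW_SIGNUPS` or `CODER_OIDC_EMAIL_DOMAIN` (option names from Coder's documentation; confirm they apply to chart 2.5.1). `CODER_GITAUTH_0_TYPE` is `gitlab` for a provider called `primary-forgejo`; a one-line comment such as `# no native Forgejo/Gitea type in this release, gitlab used as generic OAuth2` would record whether that is deliberate.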
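--- a/coder/kustomization.yaml
+++ b/coder/kustomization.yaml
@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: coder
+
+resources:
+- "resources/namespace.yaml"
+
+helmCharts:
+- name: coder
+repo: https://helm.coder.com/v2
+releaseName: coder
+namespace: coder
+version: "2.5.1"
+valuesFile: config/values.coder.yml
+skipTests: true
+
+generators:
+- ./secret-generator.yaml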
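Review bot: `helmCharts` pins the Coder chart by version only (`version: "2.5.1"`), and the chart is fetched from `https://helm.coder.com/v2` whenever the kustomization is rendered; with `charts/` ignored in `coder/.gitignore`, neither the chart nor the manifests it renders are ever reviewed in this repository. A chart replaced under the same version would go unnoticed, so consider committing the rendered output (or the vendored chart) and diffing it on upgrades. A comment above `helmCharts:` such as `# rendered at build time; requires kustomize --enable-helm` would also document the build-time dependency.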
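--- a/coder/resources/namespace.yaml
+++ b/coder/resources/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+name: coder
+labels:
+prometheus: default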
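Review bot: The namespace carries only the `prometheus: default` label, so no Pod Security admission level is declared for it, and Coder schedules user workspaces whose pod specs come from templates rather than from this repository. Adding `pod-security.kubernetes.io/enforce: baseline` under `labels:` (starting with the `warn` or `audit` variant if the effect is unknown) would bound what those pods may request. The same applies to `linkwarden/resources/namespace.yaml` in this commit. Whether the cluster enforces an equivalent policy by other means is not visible here.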
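--- a/coder/secret-generator.yaml
+++ b/coder/secret-generator.yaml
@@ -0,0 +1,10 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+name: coder-secret-generator
+annotations:
+config.kubernetes.io/function: |
+exec:
+path: ksops
+files:
+- ./config/secrets.enc.yml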
|
@ -26,6 +26,14 @@ spec:
|
||||||
spec:
|
spec:
|
||||||
affinity:
|
affinity:
|
||||||
nodeAffinity:
|
nodeAffinity:
|
||||||
|
preferredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
- weight: 1
|
||||||
|
preference:
|
||||||
|
matchExpressions:
|
||||||
|
- key: kubernetes.io/arch
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- arm64
|
||||||
requiredDuringSchedulingIgnoredDuringExecution:
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||||||
nodeSelectorTerms:
|
nodeSelectorTerms:
|
||||||
- matchExpressions:
|
- matchExpressions:
|
||||||
|
|
|
@ -8,9 +8,11 @@ images:
|
||||||
newName: quay.io/hedgedoc/hedgedoc
|
newName: quay.io/hedgedoc/hedgedoc
|
||||||
newTag: "1.9.9"
|
newTag: "1.9.9"
|
||||||
|
|
||||||
commonLabels:
|
labels:
|
||||||
app.kubernetes.io/instance: icb4dc0de
|
- includeSelectors: true
|
||||||
app.kubernetes.io/managed-by: kustomize
|
pairs:
|
||||||
|
app.kubernetes.io/instance: icb4dc0de
|
||||||
|
app.kubernetes.io/managed-by: kustomize
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
- "resources/namespace.yaml"
|
- "resources/namespace.yaml"
|
||||||
|
|
|
@ -4,7 +4,6 @@ metadata:
|
||||||
name: hedgedoc-secret-config
|
name: hedgedoc-secret-config
|
||||||
type: Opaque
|
type: Opaque
|
||||||
stringData:
|
stringData:
|
||||||
CMD_DB_URL: ENC[AES256_GCM,data:4nqueG0hIb5fPQbPJll+keWZVODpFxBUhVkeHTKJ2/J8Kpj8DMuU41HLQ1+iGFiUtEdv2LPvbgDOeXT4UR3zjDdGL96SpKbLQIKQlNjPWNfUXeHASkiIiMHh9Y7z3d/s2coopzk9ULTHs5XIMywCUoY8DX4=,iv:drx1hQdbsLbPSojSL79TFop1wni2KxNPJ+KwlOL9WQo=,tag:4JbriWueqRye/n3rnBpSkw==,type:str]
|
|
||||||
CMD_MINIO_ACCESS_KEY: ENC[AES256_GCM,data:VqudURssSgmCDVhCRjak2TDG10pwvCNfi0w9FlEh4SI=,iv:VGavO528JfqsUVyvWSAlWkMTXJAmLUablaGZ3VCEtq8=,tag:unvEa2k/9AzfVMEnhCDB1Q==,type:str]
|
CMD_MINIO_ACCESS_KEY: ENC[AES256_GCM,data:VqudURssSgmCDVhCRjak2TDG10pwvCNfi0w9FlEh4SI=,iv:VGavO528JfqsUVyvWSAlWkMTXJAmLUablaGZ3VCEtq8=,tag:unvEa2k/9AzfVMEnhCDB1Q==,type:str]
|
||||||
CMD_MINIO_SECRET_KEY: ENC[AES256_GCM,data:/iQq6wnoH/WwEzApap6szpr7z+KZJ+twcuINgqtbHOMDXeVz9Yi7cjC0hGlqQHZTCO4jR5gp+OwdIkzRk0zDsw==,iv:1OHm8K3AA340q0xkNCF3RsPpcpKmUE5Yibu+IWIZ7+E=,tag:cB/pckdoEZQlzlRVWoYKmA==,type:str]
|
CMD_MINIO_SECRET_KEY: ENC[AES256_GCM,data:/iQq6wnoH/WwEzApap6szpr7z+KZJ+twcuINgqtbHOMDXeVz9Yi7cjC0hGlqQHZTCO4jR5gp+OwdIkzRk0zDsw==,iv:1OHm8K3AA340q0xkNCF3RsPpcpKmUE5Yibu+IWIZ7+E=,tag:cB/pckdoEZQlzlRVWoYKmA==,type:str]
|
||||||
CMD_OAUTH2_CLIENT_ID: ENC[AES256_GCM,data:x1zEeQl4WM49dmbx9v159APlimVVmQX4uPUTa0Nwu7jazcD1,iv:eXSk8Js2OhKC6q1M2anzCdC30IqA9YIj7rxmzFRE4bo=,tag:zgutG/3INA7DxUY5PRJoIg==,type:str]
|
CMD_OAUTH2_CLIENT_ID: ENC[AES256_GCM,data:x1zEeQl4WM49dmbx9v159APlimVVmQX4uPUTa0Nwu7jazcD1,iv:eXSk8Js2OhKC6q1M2anzCdC30IqA9YIj7rxmzFRE4bo=,tag:zgutG/3INA7DxUY5PRJoIg==,type:str]
|
||||||
|
@ -34,8 +33,8 @@ sops:
|
||||||
ZXpzNmEzbXhtZDkySFM2L0VQTzZCdTQKh46uRnVtRzzdnnnuCJNwgQo8AeNKpc6B
|
ZXpzNmEzbXhtZDkySFM2L0VQTzZCdTQKh46uRnVtRzzdnnnuCJNwgQo8AeNKpc6B
|
||||||
WC91My4qyOtvM9J+FJC71DTovfmHrZw0YWbPwXqNRU6XBWHfC/MViA==
|
WC91My4qyOtvM9J+FJC71DTovfmHrZw0YWbPwXqNRU6XBWHfC/MViA==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2023-11-08T19:19:28Z"
|
lastmodified: "2023-12-20T20:40:53Z"
|
||||||
mac: ENC[AES256_GCM,data:mG1SOLX1AFuPuJ3v8o12ofU+rHD/Iwwp3xFfIoayHp+K/w8btnwZ1rrbzZLRwZfR2nnxF9Rn4UZ2d1v6B9z2Dlz/p4EDc2pDyyhgWFCoJgf1J3w7Gj7b1C9ukoGrxcQ0RaZjhhZrU0XjN5EyfTgxcl1e5UahOrHVUu5OMBukkKg=,iv:2M5gtUdMpsYmLZkuaWXoHGGKPM9pvXwEpqqRjhSN8yo=,tag:ORpppvL5KKXRVgIwAoTOCw==,type:str]
|
mac: ENC[AES256_GCM,data:DcoiksdfIUl5cCC8mSbzAUO9lWTeotr/UNMwIa+Z7aq9s4tzVn3YBbAPh5by5U7PVqAPkutoBjUk1IXCqWykkGXw/k9n7mAZn5AiCweLNY/d0gmKTpCUsGqaTg8gH7gQJy6+TNGxnq+Wm4GQNHAduYMJXS4/UdJcIAAc/id4JXo=,iv:+OYzaUHdJN4daTrAg561LxS0i6lozZ+OylhxubZplYc=,tag:7gElSJeGIaqXzjYTe9OTZQ==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
|
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
|
||||||
version: 3.8.1
|
version: 3.8.1
|
||||||
|
|
|
@ -15,6 +15,14 @@ spec:
|
||||||
containers:
|
containers:
|
||||||
- name: hedgedoc
|
- name: hedgedoc
|
||||||
image: hedgedoc
|
image: hedgedoc
|
||||||
|
env:
|
||||||
|
- name: CMD_DB_URL
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: default-cluster-pguser-hedgedoc
|
||||||
|
key: uri
|
||||||
|
- name: NODE_EXTRA_CA_CERTS
|
||||||
|
value: /certs/ca.crt
|
||||||
envFrom:
|
envFrom:
|
||||||
- secretRef:
|
- secretRef:
|
||||||
name: hedgedoc-base-config
|
name: hedgedoc-base-config
|
||||||
|
@ -27,6 +35,9 @@ spec:
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: upload-tmp
|
- name: upload-tmp
|
||||||
mountPath: /tmp
|
mountPath: /tmp
|
||||||
|
- name: pg-certs
|
||||||
|
mountPath: /certs
|
||||||
|
readOnly: true
|
||||||
resources:
|
resources:
|
||||||
requests:
|
requests:
|
||||||
memory: "168Mi"
|
memory: "168Mi"
|
||||||
|
@ -44,7 +55,20 @@ spec:
|
||||||
runAsUser: 1000
|
runAsUser: 1000
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
runAsNonRoot: true
|
runAsNonRoot: true
|
||||||
|
affinity:
|
||||||
|
nodeAffinity:
|
||||||
|
preferredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
- weight: 1
|
||||||
|
preference:
|
||||||
|
matchExpressions:
|
||||||
|
- key: kubernetes.io/arch
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- arm64
|
||||||
volumes:
|
volumes:
|
||||||
- name: upload-tmp
|
- name: upload-tmp
|
||||||
emptyDir:
|
emptyDir:
|
||||||
sizeLimit: 500Mi
|
sizeLimit: 500Mi
|
||||||
|
- name: pg-certs
|
||||||
|
secret:
|
||||||
|
secretName: default-cluster-cluster-cert
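Review bot: The `pg-certs` volume mounts the whole `default-cluster-cluster-cert` secret at `/certs`, although the container only needs `ca.crt` for `NODE_EXTRA_CA_CERTS`. If that secret has the layout the Postgres operator normally gives a cluster certificate (CA together with the server certificate and its private key; not visible here, so verify), the database server's `tls.key` becomes readable inside the HedgeDoc pod. Project only the CA by adding `items: [{ key: ca.crt, path: ca.crt }]` under `secret:`. The Deployment spec starts and ends outside these hunks.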
|
|
@ -11,9 +11,11 @@ images:
|
||||||
newName: quay.io/oauth2-proxy/oauth2-proxy
|
newName: quay.io/oauth2-proxy/oauth2-proxy
|
||||||
newTag: v7.5.1
|
newTag: v7.5.1
|
||||||
|
|
||||||
commonLabels:
|
labels:
|
||||||
app.kubernetes.io/instance: icb4dc0de
|
- includeSelectors: true
|
||||||
app.kubernetes.io/managed-by: kustomize
|
pairs:
|
||||||
|
app.kubernetes.io/instance: icb4dc0de
|
||||||
|
app.kubernetes.io/managed-by: kustomize
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
- "resources/namespace.yaml"
|
- "resources/namespace.yaml"
|
||||||
|
|
48
linkwarden/config/secrets.enc.yaml
Normal file
|
@ -0,0 +1,48 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: linkwarden-config
|
||||||
|
type: Opaque
|
||||||
|
stringData:
|
||||||
|
NEXTAUTH_SECRET: ENC[AES256_GCM,data:qljN/QafFYQwk9tZzfUom864wmLBkOA6sZLezygCqpmTPxo6T7VWP2Z6hoI=,iv:HZHCtzraMHTaTjlTRdSs0T6gaREUVWwg4tst7lGgWjs=,tag:g4WXVJ4zcoH8HcPBprkiiA==,type:str]
|
||||||
|
NEXTAUTH_URL: ENC[AES256_GCM,data:WqEQhQHOgitq66YKbF0SV4iox3rb0713TATzZE+iNxEccm27,iv:urUC/cmks3renR3kkGpw8hHYwVrwz5JXf7QXXQq2ElA=,tag:Vucguui87xJWGCT+M1SaZw==,type:str]
|
||||||
|
NEXT_PUBLIC_DISABLE_REGISTRATION: ENC[AES256_GCM,data:r7mA+g==,iv:hTpGulLYK10DoCAYc3Hp6BlKQBeKHkV3A6BUJku9ZjQ=,tag:5gpMkBYkySIO8RGG4dzaew==,type:str]
|
||||||
|
SPACES_KEY: ENC[AES256_GCM,data:BF1RGNTId/gzEATiHqI4DwAeSSz0QBk1MVtQCs91K84=,iv:4jKC+G/c8MZ/kNyt9n6Hn7YvSYNWegTEzcQ9Z63i6U4=,tag:05l1AVPhFN4H53b5/FM4fw==,type:str]
|
||||||
|
SPACES_SECRET: ENC[AES256_GCM,data:UwWvKzmHsLE4y1+yeZEjP+swVO5+Ss/Dj8YJz/V1xq9sbvI4dyswuUeOJ6xzl4fbPUYW4gMCELhLBYz4s6eOZw==,iv:fvt2J66VPFMY4bLn+18rpxOPFRJi2ynikfQGNSn0PoY=,tag:F4XGCCJq+1uvl1LdBBES1A==,type:str]
|
||||||
|
SPACES_ENDPOINT: ENC[AES256_GCM,data:9V9UgB1YgSqyXQO6VogyDHTRpS++OmDvWdGYEoaAoSHrBMhrDq2YW7mCLSNA8HOpFCLWN5AF9FqbsjA/dB/7Gio=,iv:S3Js7k/hoLJeDIbZWPdPlupdNKaupAaqFoWWiFgHs7Q=,tag:5deMT1/t78VOduFs5pTuxA==,type:str]
|
||||||
|
SPACES_BUCKET_NAME: ENC[AES256_GCM,data:/T9L2eHlrpX74w==,iv:pGzRxFLGYOEf8LeuzOrc7GVTHQ9lbp4YjFWSS03OQNM=,tag:S6iWpQANHebGAK+7lhAqwg==,type:str]
|
||||||
|
SPACES_REGION: ENC[AES256_GCM,data:kP0CGw==,iv:bniAW1+xg7y1qnSqh9qAUM1LG1geVs7AIvbqn+fH/CU=,tag:GyWNCgK8PSJWnUOfDg3X+w==,type:str]
|
||||||
|
SPACES_FORCE_PATH_STYLE: ENC[AES256_GCM,data:JSXD7Q==,iv:JMbqKZO4SdYBglZySpDY56vTiCKDCeBlRjKD4uwFQOg=,tag:6gsT1+BWbGA1Ce05iaK/1Q==,type:str]
|
||||||
|
NEXT_PUBLIC_KEYCLOAK_ENABLED: ENC[AES256_GCM,data:5ePOxQ==,iv:B3Xv/z0Bcv4u2nzNQSHFZGQeuAw6kkZIi4V2gkkGesk=,tag:ZLzKaf55W1DXzXhQ0NRPWQ==,type:str]
|
||||||
|
KEYCLOAK_ISSUER: ENC[AES256_GCM,data:I710NmdNMWyheJD5i+zXgV8I3LCa9dc=,iv:17dX+n20fkq+m98i47WeKeJ+f5l+rg9oq08/Ki8hmg8=,tag:5HdizFf2WM2X9X/rMsZH9Q==,type:str]
|
||||||
|
KEYCLOAK_CLIENT_ID: ENC[AES256_GCM,data:aUrLGjG5Pt6yAdI1sGMS7qmDg70oiUMciLAwfpNsyscMv9nk,iv:29JZfzF8sPmIvyWPw+VjzgTRJr+aSjDN6IGZmt7JFYM=,tag:pX6w2++QHwED/46njtM/Qg==,type:str]
|
||||||
|
KEYCLOAK_CLIENT_SECRET: ENC[AES256_GCM,data:yrz8bwNmEvjl0zeul2EfcyBrvp1VhDJYIVA/2ttIvEVuvB9M0XzOAtV/KHxZXv544mQ+/HsORMY=,iv:GL0vMgvm5zIfV4+zWUmAnTv7FTJvF0jQzfoxqFMB0ho=,tag:jzwQYN2sB6EoS/owF0wNMg==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkb2dXQkVHOW9aVGozUkVG
|
||||||
|
QTkyWVBkQ1F4MVVmN0Z2ZGhUVi9oR1puYWpZCm5xcXM1VU9pOE5iR1VUQmZOQlBq
|
||||||
|
V2N0ZG5mWGJMTW43V3ZDWUJhQ2RwVUkKLS0tIDYvSkpQQnkyb2ZvOGwxcXM3ZUVh
|
||||||
|
NnkwcUJna1FSTXpMY1RxS05TV2lCWEUK63y4d4TS0JWdNPy2DCFsrnPVoWF3HaF2
|
||||||
|
hMFBIt7bKNrEMChwJ0IWCtCS4EoatYKrFSwuIQHBGPiDgQuHij90Rg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZQUZFaXFCbFVoVEVNS3hP
|
||||||
|
bmt0YXJhbk9BUDdkT1M1N0h0UXZ3V0dCOEVjCkQ5Wmt6VjMwNTZmUGk2Z0srU2lo
|
||||||
|
OU8waDhDMHE3SDRaOUNxc2pZallnd0UKLS0tIHNkOEhudkR4SmVhRGd1VStQLzBZ
|
||||||
|
aVVYZ3JDSDhKdFZZZXdycnUyTml0VXcKTg087ZASI5RraNAD8rnHa5OUaYEdRte/
|
||||||
|
OyVbfwvYm79jQipgTwoctCmVuL8lMjnoKuDZnMT6UEgV6ziHKrqIZw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2023-12-21T12:25:42Z"
|
||||||
|
mac: ENC[AES256_GCM,data:U2rRu3TPyXjt2YnR7cQrsRYvWS41zgDonqglfJPnnrSegoe/JmNn2jIU6iljJEruGmhxNGxh1KE8KHn2mJ2M6GWJ0TMW6JBiQ0Yl6UXBYAnMrw5FYfIThtB8gxvEUtoQ8fES9jCyqneHE5DWe0kbdMqaU9uf/G4nwUMAyWdVAdA=,iv:AejpeLY6pooJ4MOIbXjSAr9d6JjFx7FTkygs8Jy91Ug=,tag:7/RNNFY5ZhkxJ88bL4v55Q==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
|
||||||
|
version: 3.8.1
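Review bot: Every key under `stringData` is encrypted, including settings that are not credentials (`NEXT_PUBLIC_DISABLE_REGISTRATION`, `NEXT_PUBLIC_KEYCLOAK_ENABLED`, `SPACES_REGION`, `SPACES_FORCE_PATH_STYLE`, `NEXTAUTH_URL`), so a reviewer cannot confirm from the repository that open registration is actually disabled. Moving the non-sensitive settings into a plain ConfigMap, loaded through a second `envFrom` entry in the Deployment, keeps the security-relevant toggles reviewable in diffs. The secret then shrinks to the values that need protection: `NEXTAUTH_SECRET`, `SPACES_KEY`, `SPACES_SECRET` and `KEYCLOAK_CLIENT_SECRET`.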
|
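--- a/linkwarden/kustomization.yaml
+++ b/linkwarden/kustomization.yaml
@@ -0,0 +1,23 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: linkwarden
+
+labels:
+- pairs:
+app.kubernetes.io/instance: icb4dc0de
+app.kubernetes.io/managed-by: kustomize
+
+images:
+- name: linkwarden
+newName: ghcr.io/linkwarden/linkwarden
+newTag: "v2.3.0"
+
+resources:
+- "resources/namespace.yaml"
+- "resources/deployment.yaml"
+- "resources/service.yaml"
+- "resources/ingress.yaml"
+
+generators:
+- ./secret-generator.yaml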
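Review bot: The `labels` entry here has only `pairs`, while the kustomizations migrated from `commonLabels` in this same commit set `includeSelectors: true`; without it (and without `includeTemplates`) the instance and managed-by labels land on object metadata but not on the pod template. If the pods should carry them add `includeTemplates: true`, and if the selector should too, decide now, because a Deployment's selector cannot be changed after creation. The image is pinned by tag only (`newTag: "v2.3.0"`); a `digest:` entry would fix the exact image content.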
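--- a/linkwarden/resources/deployment.yaml
+++ b/linkwarden/resources/deployment.yaml
@@ -0,0 +1,80 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: linkwarden
+labels:
+app.kubernetes.io/name: linkwarden
+spec:
+selector:
+matchLabels:
+app.kubernetes.io/name: linkwarden
+replicas: 1
+template:
+metadata:
+labels:
+app.kubernetes.io/name: linkwarden
+spec:
+initContainers:
+- name: install-packages
+image: linkwarden
+command: ["/bin/bash", "-c", "npx playwright install"]
+volumeMounts:
+- name: node-cache
+mountPath: /home/node/.cache
+containers:
+- name: linkwarden
+image: linkwarden
+env:
+- name: DATABASE_URL
+valueFrom:
+secretKeyRef:
+name: default-cluster-pguser-linkwarden
+key: uri
+envFrom:
+- secretRef:
+name: linkwarden-config
+ports:
+- containerPort: 3000
+protocol: TCP
+name: web
+volumeMounts:
+- name: next-cache
+mountPath: /data/.next/cache
+- name: node-cache
+mountPath: /home/node/.cache
+resources:
+requests:
+memory: "384Mi"
+cpu: "50m"
+limits:
+memory: "768Mi"
+cpu: "500m"
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+readOnlyRootFilesystem: false
+affinity:
+nodeAffinity:
+preferredDuringSchedulingIgnoredDuringExecution:
+- weight: 100
+preference:
+matchExpressions:
+- key: kubernetes.io/arch
+operator: In
+values:
+- arm64
+securityContext:
+runAsUser: 1000
+runAsGroup: 1000
+fsGroup: 1000
+runAsNonRoot: true
+volumes:
+- name: next-cache
+emptyDir:
+sizeLimit: 250Mi
+- name: node-cache
+emptyDir:
+sizeLimit: 1500Mi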
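Review bot: The `install-packages` init container has no `securityContext` of its own; as far as the flattened listing shows, `allowPrivilegeEscalation: false` and the `capabilities` drop sit under the `linkwarden` container only. That init container runs `npx playwright install`, which downloads browser binaries on every pod start into the `node-cache` volume the main container later executes from. Give it the same restrictions, `securityContext: { allowPrivilegeEscalation: false, capabilities: { drop: [ALL] } }`, and consider baking the browsers into the image so the executed binaries are fixed by the image reference and the pod needs no egress at start-up. `readOnlyRootFilesystem: false` would merit a comment naming the path that must stay writable.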
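--- a/linkwarden/resources/ingress.yaml
+++ b/linkwarden/resources/ingress.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+name: linkwarden
+annotations:
+gethomepage.dev/description: Store links to find them later
+gethomepage.dev/enabled: "true"
+gethomepage.dev/group: Apps
+gethomepage.dev/icon: linkwarden.png
+gethomepage.dev/name: Linkwarden
+spec:
+rules:
+- host: links.icb4dc0.de
+http:
+paths:
+- pathType: Prefix
+path: /
+backend:
+service:
+name: linkwarden
+port:
+number: 3000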
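Review bot: The Ingress defines a rule for `links.icb4dc0.de` but no `tls:` block and no `ingressClassName`, so whether this app's login and session traffic is served over HTTPS depends on controller defaults that are not visible in this commit. If the controller does not supply a default certificate and an HTTP-to-HTTPS redirect, add `tls: [{ hosts: [links.icb4dc0.de], secretName: <tls-secret-name> }]` under `spec:` (the secret name is a placeholder). Otherwise a short comment stating that TLS is terminated by the controller's default certificate would make the intent explicit.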
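--- a/linkwarden/resources/namespace.yaml
+++ b/linkwarden/resources/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+name: linkwarden
+labels:
+prometheus: default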
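--- a/linkwarden/resources/service.yaml
+++ b/linkwarden/resources/service.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: linkwarden
+spec:
+selector:
+app.kubernetes.io/name: linkwarden
+ports:
+- protocol: TCP
+port: 3000
+targetPort: 3000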
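--- a/linkwarden/secret-generator.yaml
+++ b/linkwarden/secret-generator.yaml
@@ -0,0 +1,10 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+name: linkwarden-secret-generator
+annotations:
+config.kubernetes.io/function: |
+exec:
+path: ksops
+files:
+- ./config/secrets.enc.yaml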
|
@ -6,18 +6,19 @@ labels:
|
||||||
pairs:
|
pairs:
|
||||||
app.kubernetes.io/name: pgo
|
app.kubernetes.io/name: pgo
|
||||||
# The version below should match the version on the PostgresCluster CRD
|
# The version below should match the version on the PostgresCluster CRD
|
||||||
app.kubernetes.io/version: 5.4.3
|
app.kubernetes.io/version: 5.5.0
|
||||||
postgres-operator.crunchydata.com/control-plane: postgres-operator
|
postgres-operator.crunchydata.com/control-plane: postgres-operator
|
||||||
|
|
||||||
images:
|
images:
|
||||||
- name: postgres-operator
|
- name: postgres-operator
|
||||||
newName: registry.developers.crunchydata.com/crunchydata/postgres-operator
|
newName: registry.developers.crunchydata.com/crunchydata/postgres-operator
|
||||||
newTag: ubi8-5.4.3-0
|
newTag: ubi8-5.5.0-0
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
- resources/namespace.yaml
|
- resources/namespace.yaml
|
||||||
- resources/crd/postgresclusters.yaml
|
- resources/crd/postgresclusters.yaml
|
||||||
- resources/crd/pgupgrades.yaml
|
- resources/crd/pgupgrades.yaml
|
||||||
|
- resources/crd/pgadmins.yaml
|
||||||
- resources/rbac/service_account.yaml
|
- resources/rbac/service_account.yaml
|
||||||
- resources/rbac/role.yaml
|
- resources/rbac/role.yaml
|
||||||
- resources/rbac/role_binding.yaml
|
- resources/rbac/role_binding.yaml
|
||||||
|
|
1532
postgres-operator/resources/crd/pgadmins.yaml
Normal file
File diff suppressed because it is too large
|
@ -6,7 +6,7 @@ metadata:
|
||||||
creationTimestamp: null
|
creationTimestamp: null
|
||||||
labels:
|
labels:
|
||||||
app.kubernetes.io/name: pgo
|
app.kubernetes.io/name: pgo
|
||||||
app.kubernetes.io/version: 5.4.3
|
app.kubernetes.io/version: 5.5.0
|
||||||
name: pgupgrades.postgres-operator.crunchydata.com
|
name: pgupgrades.postgres-operator.crunchydata.com
|
||||||
spec:
|
spec:
|
||||||
group: postgres-operator.crunchydata.com
|
group: postgres-operator.crunchydata.com
|
||||||
|
@ -1072,4 +1072,4 @@ spec:
|
||||||
served: true
|
served: true
|
||||||
storage: true
|
storage: true
|
||||||
subresources:
|
subresources:
|
||||||
status: {}
|
status: {}
|
|
@ -6,7 +6,7 @@ metadata:
|
||||||
creationTimestamp: null
|
creationTimestamp: null
|
||||||
labels:
|
labels:
|
||||||
app.kubernetes.io/name: pgo
|
app.kubernetes.io/name: pgo
|
||||||
app.kubernetes.io/version: 5.4.3
|
app.kubernetes.io/version: 5.5.0
|
||||||
name: postgresclusters.postgres-operator.crunchydata.com
|
name: postgresclusters.postgres-operator.crunchydata.com
|
||||||
spec:
|
spec:
|
||||||
group: postgres-operator.crunchydata.com
|
group: postgres-operator.crunchydata.com
|
||||||
|
@ -15462,4 +15462,4 @@ spec:
|
||||||
served: true
|
served: true
|
||||||
storage: true
|
storage: true
|
||||||
subresources:
|
subresources:
|
||||||
status: {}
|
status: {}
|
|
@ -5,7 +5,7 @@ metadata:
|
||||||
name: default-cluster
|
name: default-cluster
|
||||||
namespace: postgres
|
namespace: postgres
|
||||||
spec:
|
spec:
|
||||||
image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-15.4-1
|
image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-15.5-0
|
||||||
postgresVersion: 15
|
postgresVersion: 15
|
||||||
users:
|
users:
|
||||||
- name: postgres
|
- name: postgres
|
||||||
|
@ -27,6 +27,9 @@ spec:
|
||||||
- name: hedgedoc
|
- name: hedgedoc
|
||||||
databases:
|
databases:
|
||||||
- hedgedoc
|
- hedgedoc
|
||||||
|
- name: linkwarden
|
||||||
|
databases:
|
||||||
|
- linkwarden
|
||||||
- name: nextcloud
|
- name: nextcloud
|
||||||
databases:
|
databases:
|
||||||
- nextcloud
|
- nextcloud
|
||||||
|
@ -65,7 +68,7 @@ spec:
|
||||||
|
|
||||||
backups:
|
backups:
|
||||||
pgbackrest:
|
pgbackrest:
|
||||||
image: registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.47-1
|
image: registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.47-2
|
||||||
configuration:
|
configuration:
|
||||||
- secret:
|
- secret:
|
||||||
name: pgo-s3-creds
|
name: pgo-s3-creds
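Review bot: `coder/config/values.coder.yml` in this commit reads the secret `default-cluster-pguser-coder`, but the only entry added under `users:` here is `linkwarden`; the list begins outside the hunk, so confirm a `coder` user with its database is already defined there, otherwise the Coder pod cannot start for lack of that secret. The cluster lives in `namespace: postgres`, while the per-user secrets are referenced from pods in other namespaces and `secretKeyRef` resolves only within the pod's own namespace. Whatever copies those credentials across namespaces widens where database passwords are stored, so a comment next to `users:` naming that mechanism would help the next reviewer.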
|
||||||
|
|
|
@ -60,4 +60,14 @@ spec:
|
||||||
capabilities: { drop: [ALL] }
|
capabilities: { drop: [ALL] }
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsNonRoot: true
|
runAsNonRoot: true
|
||||||
serviceAccountName: pgo
|
serviceAccountName: pgo
|
||||||
|
affinity:
|
||||||
|
nodeAffinity:
|
||||||
|
preferredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
- weight: 1
|
||||||
|
preference:
|
||||||
|
matchExpressions:
|
||||||
|
- key: kubernetes.io/arch
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- arm64
|
|
@ -102,6 +102,7 @@ rules:
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- postgres-operator.crunchydata.com
|
- postgres-operator.crunchydata.com
|
||||||
resources:
|
resources:
|
||||||
|
- pgadmins
|
||||||
- pgupgrades
|
- pgupgrades
|
||||||
verbs:
|
verbs:
|
||||||
- get
|
- get
|
||||||
|
@ -110,18 +111,19 @@ rules:
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- postgres-operator.crunchydata.com
|
- postgres-operator.crunchydata.com
|
||||||
resources:
|
resources:
|
||||||
|
- pgadmins/finalizers
|
||||||
- pgupgrades/finalizers
|
- pgupgrades/finalizers
|
||||||
|
- postgresclusters/finalizers
|
||||||
verbs:
|
verbs:
|
||||||
- patch
|
|
||||||
- update
|
- update
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- postgres-operator.crunchydata.com
|
- postgres-operator.crunchydata.com
|
||||||
resources:
|
resources:
|
||||||
|
- pgadmins/status
|
||||||
- pgupgrades/status
|
- pgupgrades/status
|
||||||
|
- postgresclusters/status
|
||||||
verbs:
|
verbs:
|
||||||
- get
|
|
||||||
- patch
|
- patch
|
||||||
- watch
|
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- postgres-operator.crunchydata.com
|
- postgres-operator.crunchydata.com
|
||||||
resources:
|
resources:
|
||||||
|
@ -131,18 +133,6 @@ rules:
|
||||||
- list
|
- list
|
||||||
- patch
|
- patch
|
||||||
- watch
|
- watch
|
||||||
- apiGroups:
|
|
||||||
- postgres-operator.crunchydata.com
|
|
||||||
resources:
|
|
||||||
- postgresclusters/finalizers
|
|
||||||
verbs:
|
|
||||||
- update
|
|
||||||
- apiGroups:
|
|
||||||
- postgres-operator.crunchydata.com
|
|
||||||
resources:
|
|
||||||
- postgresclusters/status
|
|
||||||
verbs:
|
|
||||||
- patch
|
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- rbac.authorization.k8s.io
|
- rbac.authorization.k8s.io
|
||||||
resources:
|
resources:
|
||||||
|
|
|
@ -11,5 +11,4 @@ roleRef:
|
||||||
name: postgres-operator
|
name: postgres-operator
|
||||||
subjects:
|
subjects:
|
||||||
- kind: ServiceAccount
|
- kind: ServiceAccount
|
||||||
name: pgo
|
name: pgo
|
||||||
namespace: postgres-system
|
|
|
@ -3,9 +3,11 @@ kind: Kustomization
|
||||||
|
|
||||||
namespace: vaultwarden
|
namespace: vaultwarden
|
||||||
|
|
||||||
commonLabels:
|
labels:
|
||||||
app.kubernetes.io/instance: icb4dc0de
|
- includeSelectors: true
|
||||||
app.kubernetes.io/managed-by: kustomize
|
pairs:
|
||||||
|
app.kubernetes.io/instance: icb4dc0de
|
||||||
|
app.kubernetes.io/managed-by: kustomize
|
||||||
|
|
||||||
images:
|
images:
|
||||||
- name: vaultwarden
|
- name: vaultwarden
|
||||||
|
|
|
@ -35,6 +35,16 @@ spec:
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: data
|
- name: data
|
||||||
mountPath: /data
|
mountPath: /data
|
||||||
|
affinity:
|
||||||
|
nodeAffinity:
|
||||||
|
preferredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
- weight: 1
|
||||||
|
preference:
|
||||||
|
matchExpressions:
|
||||||
|
- key: kubernetes.io/arch
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- arm64
|
||||||
volumes:
|
volumes:
|
||||||
- name: data
|
- name: data
|
||||||
persistentVolumeClaim:
|
persistentVolumeClaim:
|
||||||
|
|
|
@ -11,9 +11,11 @@ images:
|
||||||
newName: docker.io/vikunja/frontend
|
newName: docker.io/vikunja/frontend
|
||||||
newTag: "0.21.0"
|
newTag: "0.21.0"
|
||||||
|
|
||||||
commonLabels:
|
labels:
|
||||||
app.kubernetes.io/instance: icb4dc0de
|
- includeSelectors: true
|
||||||
app.kubernetes.io/managed-by: kustomize
|
pairs:
|
||||||
|
app.kubernetes.io/instance: icb4dc0de
|
||||||
|
app.kubernetes.io/managed-by: kustomize
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
- resources/namespace.yaml
|
- resources/namespace.yaml
|
||||||
|
|
|
@ -8,9 +8,11 @@ images:
|
||||||
newName: ghcr.io/diced/zipline
|
newName: ghcr.io/diced/zipline
|
||||||
newTag: "3.7.7"
|
newTag: "3.7.7"
|
||||||
|
|
||||||
commonLabels:
|
labels:
|
||||||
app.kubernetes.io/instance: icb4dc0de
|
- includeSelectors: true
|
||||||
app.kubernetes.io/managed-by: kustomize
|
pairs:
|
||||||
|
app.kubernetes.io/instance: icb4dc0de
|
||||||
|
app.kubernetes.io/managed-by: kustomize
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
- "resources/namespace.yaml"
|
- "resources/namespace.yaml"
|
||||||
|
|