diff --git a/namespaces/apps/comentario/extra/gatus-endpoints.yaml b/namespaces/apps/comentario/extra/gatus-endpoints.yaml
new file mode 100644
index 0000000..f47a99c
--- /dev/null
+++ b/namespaces/apps/comentario/extra/gatus-endpoints.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ homelab.kubernetes.io/k8s-sidecar: gatus
+ name: gatus-endpoints
+data:
+ comentario-internal-gatus-endpoints.yaml: |
+ endpoints:
+ - name: Comentario
+ url: http://comentario-svc.monitoring.svc.cluster.local/
+ group: Internal/Monitoring
+ interval: 5m
+ alerts:
+ - type: ntfy
+ conditions:
+ - "[STATUS] == 200"
+ comentario-external-gatus-endpoints.yaml: |
+ endpoints:
+ - name: Comentario
+ url: https://comments.leechpepin.com/
+ group: External
+ interval: 5m
+ alerts:
+ - type: ntfy
+ conditions:
+ - "[STATUS] == 200"
diff --git a/namespaces/apps/comentario/kustomization.yaml b/namespaces/apps/comentario/kustomization.yaml
new file mode 100644
index 0000000..3338c49
--- /dev/null
+++ b/namespaces/apps/comentario/kustomization.yaml
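Review bot: The internal check's `url` points at `comentario-svc.monitoring.svc.cluster.local`, but the kustomization in this same commit places the app (and, via `namePrefix: comentario-`, its `comentario-svc` Service) in the `apps` namespace, so this probe will most likely resolve nothing and page ntfy permanently instead of catching real outages; it should read `url: http://comentario-svc.apps.svc.cluster.local/`. The external check only asserts `[STATUS] == 200`; since it is the one probe that sees the public TLS endpoint, adding `- "[CERTIFICATE_EXPIRATION] > 48h"` to its `conditions` turns it into an early warning for a lapsed certificate at no extra cost. The whole ConfigMap is within the hunk.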
@@ -0,0 +1,151 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+transformers:
+ - |-
+ apiVersion: builtin
+ kind: NamespaceTransformer
+ metadata:
+ name: notImportantHere
+ namespace: apps
+ unsetOnly: true
+
+namePrefix: comentario-
+resources:
+ - ../../../kustomize/bases/deployment/
+
+patches:
+ - path: patches/deployment.yaml
+ target:
+ kind: Deployment
+ name: app
+ - path: patches/secret.yaml
+ target:
+ kind: InfisicalSecret
+ name: secrets
+ - path: patches/pvc.yaml
+ target:
+ kind: PersistentVolumeClaim
+ name: pvc
+
+labels:
+ - includeSelectors: true
+ pairs:
+ app.kubernetes.io/appName: comentario
+ - pairs:
+ app.kubernetes.io/appNamespace: apps
+ - pairs:
+ app.kubernetes.io/routePrefix: comments
+
+configMapGenerator:
+ - name: config
+ literals:
+ - HOST="0.0.0.0"
+ - PORT="80"
+ - SECRETS_FILE="/comentario-secrets/secrets.yaml"
+ - BASE_URL="https://comments.leechpepin.com"
+ - SUPERUSER="jonathan@leechpepin.com"
+
+replacements:
+ # Service
+ - source:
+ kind: Deployment
+ name: app
+ fieldPath: metadata.labels.[app.kubernetes.io/appName]
+ targets:
+ - select:
+ kind: Service
+ fieldPaths:
+ - spec.ports.0.name
+ - spec.ports.0.targetPort
+ - source:
+ kind: Deployment
+ name: app
+ fieldPath: spec.template.spec.containers.0.ports.0.containerPort
+ targets:
+ - select:
+ kind: Service
+ fieldPaths:
+ - spec.ports.0.port
+ # Secrets
+ - source:
+ kind: Deployment
+ name: app
+ fieldPath: metadata.labels.[app.kubernetes.io/appNamespace]
+ targets:
+ - select:
+ kind: InfisicalSecret
+ fieldPaths:
+ - spec.managedSecretReference.secretNamespace
+ - select:
+ kind: InfisicalSecret
+ options:
+ delimiter: "/"
+ index: 1
+ fieldPaths:
+ - spec.authentication.universalAuth.secretsScope.secretsPath
+ - source:
+ kind: Deployment
+ name: app
+ fieldPath: metadata.labels.[app.kubernetes.io/appName]
+ targets:
+ - select:
+ kind: InfisicalSecret
+ options:
+ delimiter: "-"
+ index: 0
+ fieldPaths:
+ - spec.managedSecretReference.secretName
+ - select:
+ kind: InfisicalSecret
+ options:
+ delimiter: "/"
+ index: 2
+ fieldPaths:
+ - spec.authentication.universalAuth.secretsScope.secretsPath
+ # HTTP Route
+ - source:
+ kind: Service
+ name: svc
+ targets:
+ - select:
+ kind: HTTPRoute
+ options:
+ create: true
+ fieldPaths:
+ - spec.rules.0.backendRefs.0.name
+ - source:
+ kind: Deployment
+ name: app
+ fieldPath: metadata.labels.[app.kubernetes.io/appName]
+ targets:
+ - select:
+ kind: HTTPRoute
+ options:
+ create: true
+ delimiter: "."
+ index: 0
+ fieldPaths:
+ - spec.hostnames.0
+ - source:
+ kind: Deployment
+ name: app
+ fieldPath: spec.template.spec.containers.0.ports.0.containerPort
+ targets:
+ - select:
+ kind: HTTPRoute
+ fieldPaths:
+ - spec.rules.0.backendRefs.0.port
+ - source:
+ kind: Deployment
+ name: app
+ fieldPath: metadata.labels.[app.kubernetes.io/routePrefix]
+ targets:
+ - select:
+ kind: HTTPRoute
+ options:
+ create: true
+ delimiter: "."
+ index: 0
+ fieldPaths:
+ - spec.hostnames.0
diff --git a/namespaces/apps/comentario/patches/deployment.yaml b/namespaces/apps/comentario/patches/deployment.yaml
new file mode 100644
index 0000000..1959e7c
--- /dev/null
+++ b/namespaces/apps/comentario/patches/deployment.yaml
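Review bot: Two `replacements` near the end of kustomization.yaml both write `spec.hostnames.0` of the HTTPRoute — first from the `appName` label (`comentario`), then from the `routePrefix` label (`comments`) — so the first is dead code and only list ordering keeps the public hostname at `comments.…`; drop the `appName`-sourced block (the one with `fieldPath: metadata.labels.[app.kubernetes.io/appName]` whose only target is `spec.hostnames.0`) so the externally exposed name has a single source of truth. The same label-splicing scheme also builds the Infisical `secretsPath` via `delimiter: "/"` with `index: 1` and `index: 2`, which depends on a path layout the base defines and is not visible here; a comment such as `# secretsPath is <root>/<appNamespace>/<appName>; the HTTPRoute hostname comes from routePrefix only` above `replacements:` would spare the next reader from re-deriving it. The hunk covers the entire 151-line file.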
@@ -0,0 +1,52 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: app
+spec:
+ template:
+ spec:
+ tolerations:
+ - key: "public"
+ operator: "Equal"
+ value: "true"
+ effect: "NoSchedule"
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ preference:
+ matchExpressions:
+ - key: public
+ operator: In
+ values:
+ - "true"
+ containers:
+ - image: registry.gitlab.com/comentario/comentario:v3.13.1
+ imagePullPolicy: IfNotPresent
+ name: comentario
+ ports:
+ - containerPort: 80
+ name: comentario
+ protocol: TCP
+ envFrom:
+ - configMapRef:
+ name: comentario-config
+ resources:
+ limits:
+ cpu: 500m
+ memory: 200Mi
+ livenessProbe:
+ httpGet:
+ path: /
+ port: comentario
+ readinessProbe:
+ httpGet:
+ path: /
+ port: comentario
+ volumeMounts:
+ - name: secrets-volume
+ mountPath: /comentario-secrets
+ volumes:
+ - name: secrets-volume
+ secret:
+ secretName: comentario-secrets
diff --git a/namespaces/apps/comentario/patches/pvc.yaml b/namespaces/apps/comentario/patches/pvc.yaml
new file mode 100644
index 0000000..54ecf59
--- /dev/null
+++ b/namespaces/apps/comentario/patches/pvc.yaml
@@ -0,0 +1,5 @@
+$patch: delete
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: pvc
diff --git a/namespaces/apps/comentario/patches/secret.yaml b/namespaces/apps/comentario/patches/secret.yaml
new file mode 100644
index 0000000..55dc700
--- /dev/null
+++ b/namespaces/apps/comentario/patches/secret.yaml
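Review bot: The `comentario` container in this patch carries no `securityContext` — no `allowPrivilegeEscalation: false`, no dropped capabilities, no `runAsNonRoot`, no seccomp profile — and unless the base at `../../../kustomize/bases/deployment/` supplies one (not visible here) a pod that holds the DB password, SMTP credentials and three OAuth client secrets on disk runs with the default, permissive profile. Because `PORT` is injected from the ConfigMap and the Service/HTTPRoute ports are derived from `containerPort` by the kustomization, moving the listener above 1024 (e.g. `PORT="8080"` with `containerPort: 8080`) removes the only reason the process might need root or `NET_BIND_SERVICE`. The image is pinned by tag only (`comentario:v3.13.1`); appending the `@sha256:…` digest makes a re-pushed tag unable to change what runs, while `imagePullPolicy: IfNotPresent` already means a cached image wins anyway. The secret volume is mounted with Kubernetes' default file mode (world-readable 0644 inside the pod), so set `defaultMode` on it; the container and volume changes are sketched below.

```yaml
      containers:
        - image: registry.gitlab.com/comentario/comentario:v3.13.1  # add @sha256:<digest> once resolved
          # … unchanged: imagePullPolicy, name, ports, envFrom, resources, probes, volumeMounts …
          securityContext:
            runAsNonRoot: true             # needs PORT/containerPort above 1024; confirm the image's default user
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
            capabilities:
              drop: ["ALL"]
      volumes:
        - name: secrets-volume
          secret:
            secretName: comentario-secrets
            defaultMode: 0440  # octal; set pod securityContext.fsGroup so a non-root process can still read it
```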
@@ -0,0 +1,46 @@
+apiVersion: secrets.infisical.com/v1alpha1
+kind: InfisicalSecret
+metadata:
+ name: secrets
+spec:
+ authentication:
+ universalAuth:
+ secretsScope:
+ recursive: true
+ managedSecretReference:
+ template:
+ data:
+ secrets.yaml: |
+ postgres:
+ host: postgres-svc.core.svc.cluster.local
+ port: 5432
+ database: comentario
+ username: comentario
+ password: "{{ .POSTGRES_PASSWORD.Value }}"
+ smtpServer:
+ host: blizzard.mxrouting.net
+ port: 465
+ username: comments@leechpepin.com
+ password: "{{ .SMTP_PASSWORD.Value }}"
+
+ idp:
+ github:
+ key: "{{ .GITHUB_CLIENT_ID.Value }}"
+ secret: "{{ .GITHUB_CLIENT_SECRET.Value }}"
+ gitlab:
+ key: "{{ .GITLAB_CLIENT_ID.Value }}"
+ secret: "{{ .GITLAB_CLIENT_SECRET.Value }}"
+ google:
+ key: "{{ .GOOGLE_CLIENT_ID.Value }}"
+ secret: "{{ .GOOGLE_CLIENT_SECRET.Value }}"
+ disable: true
+
+ extensions:
+ akismet:
+ disable: true
+ apiLayerSpamChecker:
+ key: "{{ .APILAYER_SPAMCHECKER_APIKEY.Value }}"
+ perspective:
+ apiKey: "{{ .PERSPECTIVE_APIKEY.Value }}"
+
+ xsrfSecret: "{{ .XSRF_SECRET.Value }}"
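Review bot: `secretsScope.recursive: true` lets the Infisical machine identity fetch every secret beneath the rendered `secretsPath` and all of its subfolders, while the template consumes exactly eleven named keys; unless those keys are deliberately spread across subfolders, drop `recursive: true` so an over-broad or leaked identity token yields no more than this app needs. All of those values — DB password, SMTP password, three OAuth client secrets, two API keys and `xsrfSecret` — are rendered into the single `comentario-secrets` Secret, so any principal with `get` on Secrets in the target namespace obtains the whole bundle at once; a comment above `template:` such as `# everything below lands in one Secret; keep RBAC on secrets in this namespace tight` would make that cost visible to whoever next grants access. The `postgres` block carries no TLS setting, so the connection to `postgres-svc.core` crosses namespaces in cleartext unless a mesh wraps it; if Comentario's `postgres` section accepts an `sslmode`, set it to `require` or stricter. The template is complete within the hunk.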