commit ae1a0b7e101558d27f04307d5f96bf5d0842495f
Author: Jonathan Leech-Pepin
Date: Thu Jan 30 09:49:53 2025 -0500
Initial Kustomize template
Existing deployments are being migrated to Kustomize for templating purposes. This might not actually save space due to number of patches but it does reduce the amount of changes that need to be made to portions that only need name changes. Existing resources that are not going to be kustomized will be added in subsequent commits.
diff --git a/kustomize/deployment/configmap.yaml b/kustomize/deployment/configmap.yaml
new file mode 100644
index 0000000..d8641b6
--- /dev/null
+++ b/kustomize/deployment/configmap.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: config
+data:
diff --git a/kustomize/deployment/deployment.yaml b/kustomize/deployment/deployment.yaml
new file mode 100644
index 0000000..d275155
--- /dev/null
+++ b/kustomize/deployment/deployment.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: app
+spec:
+ replicas: 1
+ strategy:
+ type: Recreate
+ template:
+ spec:
diff --git a/kustomize/deployment/httproute-http.yaml b/kustomize/deployment/httproute-http.yaml
new file mode 100644
index 0000000..ec0855d
--- /dev/null
+++ b/kustomize/deployment/httproute-http.yaml
@@ -0,0 +1,20 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: http
+spec:
+ parentRefs:
+ - name: homelab-gateway
+ sectionName: web
+ kind: Gateway
+ namespace: homelab
+ hostnames:
+ - web.leechpepin.local
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - name: web
+ port: 80
diff --git a/kustomize/deployment/httproute-https.yaml b/kustomize/deployment/httproute-https.yaml
new file mode 100644
index 0000000..b38ea13
--- /dev/null
+++ b/kustomize/deployment/httproute-https.yaml
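Review bot: `+data:` at the end of the configmap.yaml hunk is a bare key, which YAML parses as null rather than an empty map, so the base ConfigMap renders with `data: null`; write `data: {}` so the intent is explicit and yamllint's empty-values check passes. The overlay's strategic-merge patch supplies the real keys, so this is presumably harmless today, but an empty map is the safer base to merge into. deployment.yaml in this same commit opens with `---` while this file does not; pick one convention for the base directory.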
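Review bot: `+ spec:` under `template` in the deployment.yaml hunk is likewise a bare key (null), and the base Deployment declares no `selector` and no pod template labels at all, so it only becomes a valid apps/v1 Deployment after the overlay's `labels` entries with `includeSelectors: true` fill them in. A comment above `template:` such as `# selector and template labels are injected by the kustomize labels transformer (includeSelectors: true); the pod spec is completed by overlay patches` would save the next reader from checking whether the base builds on its own. `strategy: Recreate` with `replicas: 1` is the right pairing for a single-writer PVC, and a one-line comment saying so would stop someone from switching it to RollingUpdate.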
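Review bot: The http route in the httproute-http.yaml hunk forwards plaintext traffic on the `web` listener to the same backend as the HTTPS route, so the application's NextAuth/Authentik login flow and session cookies can be exchanged over HTTP on the `.local` hostname. Unless the `.local` name is deliberately an internal-only path, a `RequestRedirect` filter to `https` on this rule (with the `backendRefs` removed) keeps the gateway's plaintext listener from serving the app itself; if the `.local` host has no certificate on the `websecure` listener, that needs to be arranged first. `backendRefs[0].name: web` is a placeholder that the overlay's replacement overwrites, which a comment on that line should say.

```yaml
  rules:
    - matches:
        # … unchanged: PathPrefix / match …
      filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            statusCode: 301
```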
@@ -0,0 +1,20 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: https
+spec:
+ parentRefs:
+ - name: homelab-gateway
+ sectionName: websecure
+ kind: Gateway
+ namespace: homelab
+ hostnames:
+ - web.leechpepin.com
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - name: web
+ port: 80
diff --git a/kustomize/deployment/kustomization.yaml b/kustomize/deployment/kustomization.yaml
new file mode 100644
index 0000000..69b86ad
--- /dev/null
+++ b/kustomize/deployment/kustomization.yaml
@@ -0,0 +1,17 @@
+### deployment/kustomization.yaml ###
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+# Define resources:
+resources:
+ - deployment.yaml
+ - service.yaml
+ - pvc.yaml
+ - secret.yaml
+ - httproute-http.yaml
+ - httproute-https.yaml
+ - configmap.yaml
+
+labels:
+ - includeSelectors: true
+ pairs:
+ app.kubernetes.io/managed-by: kustomize
diff --git a/kustomize/deployment/pvc.yaml b/kustomize/deployment/pvc.yaml
new file mode 100644
index 0000000..65e4fb0
--- /dev/null
+++ b/kustomize/deployment/pvc.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: pvc
+spec:
+ storageClassName: longhorn-private
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
diff --git a/kustomize/deployment/secret.yaml b/kustomize/deployment/secret.yaml
new file mode 100644
index 0000000..e7ab759
--- /dev/null
+++ b/kustomize/deployment/secret.yaml
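Review bot: `includeSelectors: true` on the `app.kubernetes.io/managed-by: kustomize` pair in the base kustomization.yaml hunk copies a tooling label into the Deployment's `spec.selector` and the Service's selector; a Deployment selector is immutable, so changing the managed-by value later (or moving off kustomize) would force deleting and recreating every workload built from this base. Drop `includeSelectors` for this pair (`- pairs:` / `    app.kubernetes.io/managed-by: kustomize`) and let the overlay's own label with `includeSelectors: true` be the only selector key. The `### deployment/kustomization.yaml ###` banner repeats the file path and adds nothing; `# Define resources:` could instead say that every file listed is a placeholder-named base that overlays are expected to rename via `namePrefix` and `replacements`.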
@@ -0,0 +1,27 @@
+apiVersion: secrets.infisical.com/v1alpha1
+kind: InfisicalSecret
+metadata:
+ name: secrets
+ namespace: infisical
+ labels:
+ label-to-be-passed-to-managed-secret: homelab
+ annotations:
+ example.com/annotation-to-be-passed-to-managed-secret: "homelab"
+spec:
+ hostAPI: https://app.infisical.com/api
+ resyncInterval: 10
+ authentication:
+ # Universal Auth
+ universalAuth:
+ secretsScope:
+ projectSlug: homelab-n-f-yj
+ envSlug: prod
+ secretsPath: "/apps/appname" # Root is "/"
+ recursive: false # Whether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false
+ credentialsRef:
+ secretName: universal-auth-credentials
+ secretNamespace: infisical
+ managedSecretReference:
+ secretName: app-secrets
+ secretNamespace: ns
+ creationPolicy: "Orphan" ## Owner | Orphan
diff --git a/kustomize/deployment/service.yaml b/kustomize/deployment/service.yaml
new file mode 100644
index 0000000..2d0c61a
--- /dev/null
+++ b/kustomize/deployment/service.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: svc
+spec:
+ type: ClusterIP
+ ports:
+ - port: 80
+ name: test
+ targetPort: test
+ protocol: TCP
diff --git a/namespaces/apps/linkwarden/kustomization.yaml b/namespaces/apps/linkwarden/kustomization.yaml
new file mode 100644
index 0000000..98f047c
--- /dev/null
+++ b/namespaces/apps/linkwarden/kustomization.yaml
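Review bot: The `labels` and `annotations` in the secret.yaml hunk (`label-to-be-passed-to-managed-secret`, `example.com/annotation-to-be-passed-to-managed-secret`) look like placeholders copied from a sample manifest and, as their names say, are propagated onto the managed Secret; remove them or replace them with keys that mean something in this repository. `creationPolicy: "Orphan"` means the generated Secret (`app-secrets`, renamed by the overlay's replacement) stays behind when the InfisicalSecret is deleted, so tearing down an app leaves its database and OIDC credentials in the namespace; if that is intended, say so in place of `## Owner | Orphan`, otherwise `Owner` removes it with the parent. `metadata.namespace: infisical` is hard-coded in a base that overlays otherwise re-namespace and only survives because the overlay's NamespaceTransformer uses `unsetOnly: true`; a comment such as `# must stay in the infisical namespace (credentialsRef lives there); overlays use unsetOnly namespace transforms` would make that coupling visible. The `secretsPath: "/apps/appname"` placeholder is rewritten by the overlay's `/`-delimited replacement, which the existing `# Root is "/"` comment could mention.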
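Review bot: `name: test` and `targetPort: test` in the service.yaml hunk are placeholders that the overlay's replacement rewrites to the app name, but nothing in this file says so, and a base Service with a port named `test` builds cleanly and only fails at runtime when no container port carries that name. Add `# placeholder: overwritten by overlay replacements (spec.ports.0.name / targetPort)` above `ports:`. The Service also has no `selector` of its own and relies entirely on the labels transformers, which the same comment should state.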
@@ -0,0 +1,84 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+transformers:
+ - |-
+ apiVersion: builtin
+ kind: NamespaceTransformer
+ metadata:
+ name: notImportantHere
+ namespace: apps
+ unsetOnly: true
+
+namePrefix: linkwarden-
+resources:
+ - ../../../kustomize/deployment/
+
+replacements:
+ - source:
+ kind: Service
+ name: svc
+ targets:
+ - select:
+ kind: HTTPRoute
+ options:
+ create: true
+ fieldPaths:
+ - spec.rules.0.backendRefs.0.name
+ - source:
+ kind: Deployment
+ fieldPath: metadata.labels.[app.kubernetes.io/appName]
+ targets:
+ - select:
+ kind: HTTPRoute
+ options:
+ create: true
+ delimiter: "."
+ index: 0
+ fieldPaths:
+ - spec.hostnames.0
+ - select:
+ kind: InfisicalSecret
+ options:
+ delimiter: "-"
+ index: 0
+ fieldPaths:
+ - spec.managedSecretReference.secretName
+ - select:
+ kind: InfisicalSecret
+ options:
+ delimiter: "/"
+ index: 2
+ fieldPaths:
+ - spec.authentication.universalAuth.secretsScope.secretsPath
+ - select:
+ kind: Service
+ fieldPaths:
+ - spec.ports.0.name
+ - spec.ports.0.targetPort
+ - source:
+ kind: Deployment
+ fieldPath: metadata.labels.[app.kubernetes.io/appNamespace]
+ targets:
+ - select:
+ kind: InfisicalSecret
+ fieldPaths:
+ - spec.managedSecretReference.secretNamespace
+
+patches:
+ - path: patches/deployment.yaml
+ target:
+ kind: Deployment
+ - path: patches/configmap.yaml
+ target:
+ kind: ConfigMap
+ - path: patches/pvc.yaml
+ target:
+ kind: PersistentVolumeClaim
+
+labels:
+ - includeSelectors: true
+ pairs:
+ app.kubernetes.io/appName: linkwarden
+ - pairs:
+ app.kubernetes.io/appNamespace: apps
diff --git a/namespaces/apps/linkwarden/patches/configmap.yaml b/namespaces/apps/linkwarden/patches/configmap.yaml
new file mode 100644
index 0000000..e255e54
--- /dev/null
+++ b/namespaces/apps/linkwarden/patches/configmap.yaml
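Review bot: `app.kubernetes.io/appName` and `app.kubernetes.io/appNamespace` in the `labels` section of the linkwarden kustomization.yaml hunk put custom keys under the `app.kubernetes.io/` prefix, which is reserved for the Kubernetes recommended labels (`name`, `instance`, `version`, `component`, `part-of`, `managed-by`); `appName` duplicates `app.kubernetes.io/name` under a non-standard spelling and `appNamespace` carries deployment-specific data under a shared prefix. Use `app.kubernetes.io/name: linkwarden` and a project-owned key for the namespace (`homelab.example/namespace`, placeholder), and update the `fieldPath` of both `replacements` sources to match. The inline `NamespaceTransformer` with `unsetOnly: true` instead of a plain `namespace:` field is presumably there so the InfisicalSecret keeps its hard-coded `infisical` namespace; a comment above `transformers:` stating that would stop someone from "simplifying" it to `namespace: apps`, which would move the InfisicalSecret away from its `credentialsRef`.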
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: config
+data:
+ NEXTAUTH_URL: "http://linkwarden.leechpepin.com/api/v1/auth"
+ NEXT_PUBLIC_OLLAMA_ENDPOINT_URL: "http://ollama.ai.svc.cluster.local:11434"
+ OLLAMA_MODEL: "phi3:mini-4k"
+ NEXT_PUBLIC_AUTHENTIK_ENABLED: "true"
+ AUTHENTIK_CUSTOM_NAME: "Authentik"
+ AUTHENTIK_ISSUER: "https://auth.leechpepin.com/application/o/linkwarden"
+ AUTHENTIK_CLIENT_ID: "VQtaPxELuwFFUS412pZsk0TFIFpXqPpZYHul9Ddj"
+ NEXT_PUBLIC_DISABLE_REGISTRATION: "true"
+ NEXT_PUBLIC_CREDENTIALS_ENABLED: "false"
+ NEXT_PUBLIC_EMAIL_PROVIDER: "true"
+ EMAIL_FROM: "homelab@leechpepin.com"
diff --git a/namespaces/apps/linkwarden/patches/deployment.yaml b/namespaces/apps/linkwarden/patches/deployment.yaml
new file mode 100644
index 0000000..51d784c
--- /dev/null
+++ b/namespaces/apps/linkwarden/patches/deployment.yaml
@@ -0,0 +1,57 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: app
+spec:
+ template:
+ spec:
+ containers:
+ - name: linkwarden
+ image: ghcr.io/linkwarden/linkwarden:v2.9.1
+ envFrom:
+ - configMapRef:
+ name: linkwarden-config
+ env:
+ # Consume the secret
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: linkwarden-secrets
+ key: DATABASE_URL
+ optional: false
+ - name: NEXTAUTH_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: linkwarden-secrets
+ key: NEXTAUTH_SECRET
+ optional: false
+ - name: AUTHENTIK_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: linkwarden-secrets
+ key: AUTHENTIK_CLIENT_SECRET
+ optional: false
+ - name: EMAIL_SERVER
+ valueFrom:
+ secretKeyRef:
+ name: smtp-secrets
+ key: SMTP_SERVER
+ optional: false
+ ports:
+ - containerPort: 3000
+ protocol: TCP
+ name: linkwarden
+ resources:
+ requests:
+ cpu: 250m
+ memory: 512Mi
+ # Mount the volume
+ volumeMounts:
+ - mountPath: /data/data
+ name: linkwarden
+ subPath: "data"
+ restartPolicy: Always
+ volumes:
+ - name: linkwarden
+ persistentVolumeClaim:
+ claimName: linkwarden-pvc
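Review bot: `NEXTAUTH_URL: "http://linkwarden.leechpepin.com/api/v1/auth"` in the patches/configmap.yaml hunk uses the `http` scheme for the hostname that the overlay's `.`-delimited replacement assigns to the `websecure` HTTPS route, so NextAuth will build its OAuth callback and redirect URLs for a plaintext origin and may not treat its session cookies as secure; unless the app is meant to be reached over plain HTTP, this should be `NEXTAUTH_URL: "https://linkwarden.leechpepin.com/api/v1/auth"`. `AUTHENTIK_CLIENT_ID` is a public OIDC client identifier, so a ConfigMap is an acceptable place for it as long as the client stays confidential with its secret in `linkwarden-secrets`, which is what the deployment patch does. A comment above `data:` saying that every value here is non-secret and that credentials go through the InfisicalSecret would guide future additions.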
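Review bot: The `linkwarden` container in the patches/deployment.yaml hunk has no `securityContext` and no resource `limits`, so it runs as whatever user the image defaults to, can gain privileges through setuid binaries, keeps the default capability set, and has no memory ceiling; `requests` alone do not bound a runaway process. Add a container-level security context and limits as below (`runAsNonRoot` needs confirming against the user that `ghcr.io/linkwarden/linkwarden:v2.9.1` runs as, and `readOnlyRootFilesystem` is left out because the app's writable paths are not known from this patch). The patch hard-codes already-prefixed names (`linkwarden-config`, `linkwarden-secrets`, `linkwarden-pvc`) rather than the base names, which works only while `namePrefix` stays `linkwarden-` and should be noted in a comment; `smtp-secrets` is referenced but not defined in this commit, presumably one of the resources the message says will follow. `restartPolicy: Always` is the Deployment default and can be dropped.

```yaml
      containers:
        - name: linkwarden
          image: ghcr.io/linkwarden/linkwarden:v2.9.1
          securityContext:
            runAsNonRoot: true  # TODO confirm the image's runtime user
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          # … unchanged: envFrom, env, ports, volumeMounts …
          resources:
            requests:
              cpu: 250m
              memory: 512Mi
            limits:
              memory: 1Gi  # constructed example; size from observed usage
```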
diff --git a/namespaces/apps/linkwarden/patches/pvc.yaml b/namespaces/apps/linkwarden/patches/pvc.yaml
new file mode 100644
index 0000000..c630c96
--- /dev/null
+++ b/namespaces/apps/linkwarden/patches/pvc.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: pvc
+spec:
+ resources:
+ requests:
+ storage: 25Gi
diff --git a/namespaces/apps/namespace.yaml b/namespaces/apps/namespace.yaml
new file mode 100644
index 0000000..f171039
--- /dev/null
+++ b/namespaces/apps/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ homelab-access: "true"
+ name: apps
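Review bot: The `apps` Namespace in the namespace.yaml hunk carries only `homelab-access: "true"` and no Pod Security Admission labels, so workloads placed in it (including the linkwarden Deployment in this commit, which sets no securityContext) are admitted without any baseline check. If the cluster's PodSecurity admission plugin is enabled, adding `pod-security.kubernetes.io/enforce: baseline` and `pod-security.kubernetes.io/warn: restricted` under `labels:` rejects privileged pods at admission while surfacing the rest as warnings. What `homelab-access` gates is not visible here; a comment naming its consumer (a NetworkPolicy or gateway selector, presumably) would make the label's purpose clear.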