From ae1a0b7e101558d27f04307d5f96bf5d0842495f Mon Sep 17 00:00:00 2001 From: Jonathan Leech-Pepin Date: Thu, 30 Jan 2025 09:49:53 -0500 Subject: [PATCH] Initial Kustomize template Existing deployments are being migrated to Kustomize for templating purposes. This might not actually save space due to number of patches but it does reduce the amount of changes that need to be made to portions that only need name changes. Existing resources that are not going to be kustomized will be added in subsequent commits. --- kustomize/deployment/configmap.yaml | 5 ++ kustomize/deployment/deployment.yaml | 11 +++ kustomize/deployment/httproute-http.yaml | 20 +++++ kustomize/deployment/httproute-https.yaml | 20 +++++ kustomize/deployment/kustomization.yaml | 17 ++++ kustomize/deployment/pvc.yaml | 11 +++ kustomize/deployment/secret.yaml | 27 ++++++ kustomize/deployment/service.yaml | 11 +++ namespaces/apps/linkwarden/kustomization.yaml | 84 +++++++++++++++++++ .../apps/linkwarden/patches/configmap.yaml | 16 ++++ .../apps/linkwarden/patches/deployment.yaml | 57 +++++++++++++ namespaces/apps/linkwarden/patches/pvc.yaml | 8 ++ namespaces/apps/namespace.yaml | 7 ++ 13 files changed, 294 insertions(+) create mode 100644 kustomize/deployment/configmap.yaml create mode 100644 kustomize/deployment/deployment.yaml create mode 100644 kustomize/deployment/httproute-http.yaml create mode 100644 kustomize/deployment/httproute-https.yaml create mode 100644 kustomize/deployment/kustomization.yaml create mode 100644 kustomize/deployment/pvc.yaml create mode 100644 kustomize/deployment/secret.yaml create mode 100644 kustomize/deployment/service.yaml create mode 100644 namespaces/apps/linkwarden/kustomization.yaml create mode 100644 namespaces/apps/linkwarden/patches/configmap.yaml create mode 100644 namespaces/apps/linkwarden/patches/deployment.yaml create mode 100644 namespaces/apps/linkwarden/patches/pvc.yaml create mode 100644 namespaces/apps/namespace.yaml 
diff --git a/kustomize/deployment/configmap.yaml b/kustomize/deployment/configmap.yaml
new file mode 100644
index 0000000..d8641b6
--- /dev/null
+++ b/kustomize/deployment/configmap.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: config
+data:
diff --git a/kustomize/deployment/deployment.yaml b/kustomize/deployment/deployment.yaml
new file mode 100644
index 0000000..d275155
--- /dev/null
+++ b/kustomize/deployment/deployment.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: app
+spec:
+ replicas: 1
+ strategy:
+ type: Recreate
+ template:
+ spec:
diff --git a/kustomize/deployment/httproute-http.yaml b/kustomize/deployment/httproute-http.yaml
new file mode 100644
index 0000000..ec0855d
--- /dev/null
+++ b/kustomize/deployment/httproute-http.yaml
@@ -0,0 +1,20 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: http
+spec:
+ parentRefs:
+ - name: homelab-gateway
+ sectionName: web
+ kind: Gateway
+ namespace: homelab
+ hostnames:
+ - web.leechpepin.local
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - name: web
+ port: 80
diff --git a/kustomize/deployment/httproute-https.yaml b/kustomize/deployment/httproute-https.yaml
new file mode 100644
index 0000000..b38ea13
--- /dev/null
+++ b/kustomize/deployment/httproute-https.yaml
@@ -0,0 +1,20 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: https
+spec:
+ parentRefs:
+ - name: homelab-gateway
+ sectionName: websecure
+ kind: Gateway
+ namespace: homelab
+ hostnames:
+ - web.leechpepin.com
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - name: web
+ port: 80
diff --git a/kustomize/deployment/kustomization.yaml b/kustomize/deployment/kustomization.yaml
new file mode 100644
index 0000000..69b86ad
--- /dev/null
+++ b/kustomize/deployment/kustomization.yaml
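Review bot: `data:` on the last line of this ConfigMap base is a bare key, which YAML reads as `null` rather than an empty map; kustomize still merges the overlay patch into it, but yamllint's `empty-values` rule flags it and a reader cannot tell whether the value was forgotten. Write the intent explicitly as `data: {}`. The same applies to the trailing `template: spec:` of deployment.yaml in this commit, where `spec: {}` says that the pod spec is deliberately left to the overlay patch.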
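Review bot: `web.leechpepin.local` and the backendRef `name: web` are placeholders that only make sense together with the overlay's replacements, which rewrite the first dot-separated label of `spec.hostnames.0` with `app.kubernetes.io/appName` and `spec.rules.0.backendRefs.0.name` with the Service name; nothing in this file says so, and the base reads as if it routed a real `web` service. Add a comment above `hostnames:` such as `# first label is replaced with app.kubernetes.io/appName by the overlay's replacements` and one above `backendRefs:` saying the name is replaced with the Service name. The same applies to httproute-https.yaml, and to the `test` port name and targetPort in service.yaml, which are rewritten the same way.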
@@ -0,0 +1,17 @@
+### deployment/kustomization.yaml ###
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+# Define resources:
+resources:
+ - deployment.yaml
+ - service.yaml
+ - pvc.yaml
+ - secret.yaml
+ - httproute-http.yaml
+ - httproute-https.yaml
+ - configmap.yaml
+
+labels:
+ - includeSelectors: true
+ pairs:
+ app.kubernetes.io/managed-by: kustomize
diff --git a/kustomize/deployment/pvc.yaml b/kustomize/deployment/pvc.yaml
new file mode 100644
index 0000000..65e4fb0
--- /dev/null
+++ b/kustomize/deployment/pvc.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: pvc
+spec:
+ storageClassName: longhorn-private
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
diff --git a/kustomize/deployment/secret.yaml b/kustomize/deployment/secret.yaml
new file mode 100644
index 0000000..e7ab759
--- /dev/null
+++ b/kustomize/deployment/secret.yaml
@@ -0,0 +1,27 @@
+apiVersion: secrets.infisical.com/v1alpha1
+kind: InfisicalSecret
+metadata:
+ name: secrets
+ namespace: infisical
+ labels:
+ label-to-be-passed-to-managed-secret: homelab
+ annotations:
+ example.com/annotation-to-be-passed-to-managed-secret: "homelab"
+spec:
+ hostAPI: https://app.infisical.com/api
+ resyncInterval: 10
+ authentication:
+ # Universal Auth
+ universalAuth:
+ secretsScope:
+ projectSlug: homelab-n-f-yj
+ envSlug: prod
+ secretsPath: "/apps/appname" # Root is "/"
+ recursive: false # Whether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false
+ credentialsRef:
+ secretName: universal-auth-credentials
+ secretNamespace: infisical
+ managedSecretReference:
+ secretName: app-secrets
+ secretNamespace: ns
+ creationPolicy: "Orphan" ## Owner | Orphan
diff --git a/kustomize/deployment/service.yaml b/kustomize/deployment/service.yaml
new file mode 100644
index 0000000..2d0c61a
--- /dev/null
+++ b/kustomize/deployment/service.yaml
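Review bot: `labels` with `includeSelectors: true` writes `app.kubernetes.io/managed-by: kustomize` into the Deployment's `spec.selector.matchLabels` and the Service's `spec.selector`, and a Deployment selector is immutable once created, so this label can never be changed or removed without deleting and recreating every workload built from this base. A tooling label does not identify the workload; the overlay's `app.kubernetes.io/appName` already does that with `includeSelectors: true`, so the base entry should become a plain `- pairs:` block (drop the `- includeSelectors: true` line and make `pairs:` the list item). The base Deployment then carries no selector of its own and relies on the overlay to add one, which is already the case for its pod template.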
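Review bot: The `metadata.labels` and `metadata.annotations` on the InfisicalSecret are the sample placeholders from the operator's example manifest (`label-to-be-passed-to-managed-secret`, `example.com/annotation-to-be-passed-to-managed-secret`) and, as their names say, are presumably propagated onto every managed Secret the operator creates; either drop both blocks or replace them with labels that mean something in this cluster. The hard-coded `namespace: infisical` looks deliberate, since the overlay's NamespaceTransformer runs with `unsetOnly: true` and `credentialsRef.secretNamespace` is also `infisical`, but a comment above it would stop the next reader from treating it as a leftover: `# fixed on purpose: credentialsRef lives here and the overlay's NamespaceTransformer is unsetOnly`. The sentence-long inline comment on `recursive:` is copied from the upstream example and should move above the key or be shortened to `# fetch only this path, not sub-folders`.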
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: svc
+spec:
+ type: ClusterIP
+ ports:
+ - port: 80
+ name: test
+ targetPort: test
+ protocol: TCP
diff --git a/namespaces/apps/linkwarden/kustomization.yaml b/namespaces/apps/linkwarden/kustomization.yaml
new file mode 100644
index 0000000..98f047c
--- /dev/null
+++ b/namespaces/apps/linkwarden/kustomization.yaml
@@ -0,0 +1,84 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+transformers:
+ - |-
+ apiVersion: builtin
+ kind: NamespaceTransformer
+ metadata:
+ name: notImportantHere
+ namespace: apps
+ unsetOnly: true
+
+namePrefix: linkwarden-
+resources:
+ - ../../../kustomize/deployment/
+
+replacements:
+ - source:
+ kind: Service
+ name: svc
+ targets:
+ - select:
+ kind: HTTPRoute
+ options:
+ create: true
+ fieldPaths:
+ - spec.rules.0.backendRefs.0.name
+ - source:
+ kind: Deployment
+ fieldPath: metadata.labels.[app.kubernetes.io/appName]
+ targets:
+ - select:
+ kind: HTTPRoute
+ options:
+ create: true
+ delimiter: "."
+ index: 0
+ fieldPaths:
+ - spec.hostnames.0
+ - select:
+ kind: InfisicalSecret
+ options:
+ delimiter: "-"
+ index: 0
+ fieldPaths:
+ - spec.managedSecretReference.secretName
+ - select:
+ kind: InfisicalSecret
+ options:
+ delimiter: "/"
+ index: 2
+ fieldPaths:
+ - spec.authentication.universalAuth.secretsScope.secretsPath
+ - select:
+ kind: Service
+ fieldPaths:
+ - spec.ports.0.name
+ - spec.ports.0.targetPort
+ - source:
+ kind: Deployment
+ fieldPath: metadata.labels.[app.kubernetes.io/appNamespace]
+ targets:
+ - select:
+ kind: InfisicalSecret
+ fieldPaths:
+ - spec.managedSecretReference.secretNamespace
+
+patches:
+ - path: patches/deployment.yaml
+ target:
+ kind: Deployment
+ - path: patches/configmap.yaml
+ target:
+ kind: ConfigMap
+ - path: patches/pvc.yaml
+ target:
+ kind: PersistentVolumeClaim
+
+labels:
+ - includeSelectors: true
+ pairs:
+ app.kubernetes.io/appName: linkwarden
+ - pairs:
+ app.kubernetes.io/appNamespace: apps
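Review bot: The inline `NamespaceTransformer` with `unsetOnly: true` is used instead of the plain `namespace: apps` field, and the reason — the base InfisicalSecret has to stay in `infisical`, where its `credentialsRef` lives — is only discoverable by reading secret.yaml. A comment above `transformers:` would carry it: `# unsetOnly: namespace only resources that lack one, so the InfisicalSecret keeps namespace: infisical`. The `delimiter`/`index` replacements likewise depend on the exact placeholder layout of the base (`web.<domain>` for `spec.hostnames.0`, `app-secrets` for the managed secret name, `/apps/appname` for `secretsPath`), so a one-line comment per target naming the placeholder it rewrites would make the base safer to edit; the `app.kubernetes.io/appName` source label is the one this same file adds under `labels:`, which is worth stating too.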
diff --git a/namespaces/apps/linkwarden/patches/configmap.yaml b/namespaces/apps/linkwarden/patches/configmap.yaml
new file mode 100644
index 0000000..e255e54
--- /dev/null
+++ b/namespaces/apps/linkwarden/patches/configmap.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: config
+data:
+ NEXTAUTH_URL: "http://linkwarden.leechpepin.com/api/v1/auth"
+ NEXT_PUBLIC_OLLAMA_ENDPOINT_URL: "http://ollama.ai.svc.cluster.local:11434"
+ OLLAMA_MODEL: "phi3:mini-4k"
+ NEXT_PUBLIC_AUTHENTIK_ENABLED: "true"
+ AUTHENTIK_CUSTOM_NAME: "Authentik"
+ AUTHENTIK_ISSUER: "https://auth.leechpepin.com/application/o/linkwarden"
+ AUTHENTIK_CLIENT_ID: "VQtaPxELuwFFUS412pZsk0TFIFpXqPpZYHul9Ddj"
+ NEXT_PUBLIC_DISABLE_REGISTRATION: "true"
+ NEXT_PUBLIC_CREDENTIALS_ENABLED: "false"
+ NEXT_PUBLIC_EMAIL_PROVIDER: "true"
+ EMAIL_FROM: "homelab@leechpepin.com"
diff --git a/namespaces/apps/linkwarden/patches/deployment.yaml b/namespaces/apps/linkwarden/patches/deployment.yaml
new file mode 100644
index 0000000..51d784c
--- /dev/null
+++ b/namespaces/apps/linkwarden/patches/deployment.yaml
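Review bot: `NEXTAUTH_URL` uses `http://` for `linkwarden.leechpepin.com`, while the only route this commit creates for the `.com` hostname is httproute-https.yaml on the `websecure` section and `AUTHENTIK_ISSUER` is already `https://`. NextAuth builds its OIDC callback URL and decides whether session cookies get the `Secure` flag from this value, so as written the redirect URI presented to Authentik is a plain-http one that either fails the redirect-URI match or sends the authorization code over cleartext; change it to `NEXTAUTH_URL: "https://linkwarden.leechpepin.com/api/v1/auth"`. Separately, `NEXT_PUBLIC_`-prefixed variables are inlined into the browser bundle in Next.js apps, so `NEXT_PUBLIC_OLLAMA_ENDPOINT_URL` exposes the in-cluster `ollama.ai.svc.cluster.local:11434` address to every visitor; the impact is limited to disclosing internal topology, but confirm against Linkwarden's documented variable names that the client-side form is the one it actually reads.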
@@ -0,0 +1,57 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: app
+spec:
+ template:
+ spec:
+ containers:
+ - name: linkwarden
+ image: ghcr.io/linkwarden/linkwarden:v2.9.1
+ envFrom:
+ - configMapRef:
+ name: linkwarden-config
+ env:
+ # Consume the secret
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: linkwarden-secrets
+ key: DATABASE_URL
+ optional: false
+ - name: NEXTAUTH_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: linkwarden-secrets
+ key: NEXTAUTH_SECRET
+ optional: false
+ - name: AUTHENTIK_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: linkwarden-secrets
+ key: AUTHENTIK_CLIENT_SECRET
+ optional: false
+ - name: EMAIL_SERVER
+ valueFrom:
+ secretKeyRef:
+ name: smtp-secrets
+ key: SMTP_SERVER
+ optional: false
+ ports:
+ - containerPort: 3000
+ protocol: TCP
+ name: linkwarden
+ resources:
+ requests:
+ cpu: 250m
+ memory: 512Mi
+ # Mount the volume
+ volumeMounts:
+ - mountPath: /data/data
+ name: linkwarden
+ subPath: "data"
+ restartPolicy: Always
+ volumes:
+ - name: linkwarden
+ persistentVolumeClaim:
+ claimName: linkwarden-pvc
diff --git a/namespaces/apps/linkwarden/patches/pvc.yaml b/namespaces/apps/linkwarden/patches/pvc.yaml
new file mode 100644
index 0000000..c630c96
--- /dev/null
+++ b/namespaces/apps/linkwarden/patches/pvc.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: pvc
+spec:
+ resources:
+ requests:
+ storage: 25Gi
diff --git a/namespaces/apps/namespace.yaml b/namespaces/apps/namespace.yaml
new file mode 100644
index 0000000..f171039
--- /dev/null
+++ b/namespaces/apps/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ homelab-access: "true"
+ name: apps
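Review bot: The `linkwarden` container in this patch runs with the default security context — no `allowPrivilegeEscalation: false`, no dropped capabilities, no seccomp profile — and declares only `requests`, so a leak in the app can grow without a memory limit until the node evicts it. Adding a container `securityContext` and a `limits` block next to the existing `requests` is a small change; `runAsNonRoot` is left out below because whether the image runs as a non-root user and can write `/data/data` as that user is not visible here, so confirm against the image before enabling it. The image is pinned to the `v2.9.1` tag rather than a digest, which is workable for a homelab but means the tag can be moved upstream; `image: ghcr.io/linkwarden/linkwarden:v2.9.1@sha256:<IMAGE_DIGEST>` closes that once the digest is known. The `smtp-secrets` Secret is referenced with `optional: false` but is created nowhere in this commit, so the pod will stay in CreateContainerConfigError until it exists in `apps`; a comment naming where it comes from would help. The limit value in the fence is a constructed placeholder.
```yaml
        - name: linkwarden
          image: ghcr.io/linkwarden/linkwarden:v2.9.1
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          # … unchanged: envFrom, env, ports …
          resources:
            # … unchanged: requests …
            limits:
              memory: 1Gi  # constructed placeholder; size to observed usage
          # … unchanged: volumeMounts …
```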
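Review bot: The `apps` Namespace carries only the `homelab-access` label, so Pod Security Admission applies no profile to workloads in it; the Deployment patch in this same commit sets no `securityContext`, which is exactly what a namespace-level policy would surface. Add `pod-security.kubernetes.io/enforce: baseline` beside `homelab-access`, and `pod-security.kubernetes.io/warn: restricted` so that what the restricted profile would reject is reported on apply without blocking the rollout. These labels are read by the built-in PodSecurity admission controller, enabled by default from Kubernetes 1.25; confirm the cluster version before relying on them.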