jleechpe/k3s
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Initial Kustomize template

Browse source 
Existing deployments are being migrated to Kustomize for templating purposes.
This might not actually save space due to number of patches but it does reduce
the amount of changes that need to be made to portions that only need name
changes.

Existing resources that are not going to be kustomized will be added in
subsequent commits.
This commit is contained in:
JLP 2025-01-30 09:49:53 -05:00
commit ae1a0b7e10
No known key found for this signature in database
GPG key ID: 414E00D1FF7519DC
13 changed files with 294 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
kustomize/deployment/configmap.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: config
data:

11
kustomize/deployment/deployment.yaml Normal file
View file

@ -0,0 +1,11 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: app
spec:
replicas: 1
strategy:
type: Recreate
template:
spec:

20
kustomize/deployment/httproute-http.yaml Normal file
View file

@ -0,0 +1,20 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http
spec:
parentRefs:
- name: homelab-gateway
sectionName: web
kind: Gateway
namespace: homelab
hostnames:
- web.leechpepin.local
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: web
port: 80

20
kustomize/deployment/httproute-https.yaml Normal file
View file

@ -0,0 +1,20 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: https
spec:
parentRefs:
- name: homelab-gateway
sectionName: websecure
kind: Gateway
namespace: homelab
hostnames:
- web.leechpepin.com
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: web
port: 80

17
kustomize/deployment/kustomization.yaml Normal file
View file

@ -0,0 +1,17 @@
### deployment/kustomization.yaml ###
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# Define resources:
resources:
- deployment.yaml
- service.yaml
- pvc.yaml
- secret.yaml
- httproute-http.yaml
- httproute-https.yaml
- configmap.yaml
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/managed-by: kustomize

11
kustomize/deployment/pvc.yaml Normal file
View file

@ -0,0 +1,11 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: pvc
spec:
storageClassName: longhorn-private
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi

27
kustomize/deployment/secret.yaml Normal file
View file

@ -0,0 +1,27 @@
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: secrets
namespace: infisical
labels:
label-to-be-passed-to-managed-secret: homelab
annotations:
example.com/annotation-to-be-passed-to-managed-secret: "homelab"
spec:
hostAPI: https://app.infisical.com/api
resyncInterval: 10
authentication:
# Universal Auth
universalAuth:
secretsScope:
projectSlug: homelab-n-f-yj
envSlug: prod
secretsPath: "/apps/appname" # Root is "/"
recursive: false # Whether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false
credentialsRef:
secretName: universal-auth-credentials
secretNamespace: infisical
managedSecretReference:
secretName: app-secrets
secretNamespace: ns
creationPolicy: "Orphan" ## Owner | Orphan

11
kustomize/deployment/service.yaml Normal file
View file

@ -0,0 +1,11 @@
apiVersion: v1
kind: Service
metadata:
name: svc
spec:
type: ClusterIP
ports:
- port: 80
name: test
targetPort: test
protocol: TCP

84
namespaces/apps/linkwarden/kustomization.yaml Normal file
View file

@ -0,0 +1,84 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
transformers:
- |-
apiVersion: builtin
kind: NamespaceTransformer
metadata:
name: notImportantHere
namespace: apps
unsetOnly: true
namePrefix: linkwarden-
resources:
- ../../../kustomize/deployment/
replacements:
- source:
kind: Service
name: svc
targets:
- select:
kind: HTTPRoute
options:
create: true
fieldPaths:
- spec.rules.0.backendRefs.0.name
- source:
kind: Deployment
fieldPath: metadata.labels.[app.kubernetes.io/appName]
targets:
- select:
kind: HTTPRoute
options:
create: true
delimiter: "."
index: 0
fieldPaths:
- spec.hostnames.0
- select:
kind: InfisicalSecret
options:
delimiter: "-"
index: 0
fieldPaths:
- spec.managedSecretReference.secretName
- select:
kind: InfisicalSecret
options:
delimiter: "/"
index: 2
fieldPaths:
- spec.authentication.universalAuth.secretsScope.secretsPath
- select:
kind: Service
fieldPaths:
- spec.ports.0.name
- spec.ports.0.targetPort
- source:
kind: Deployment
fieldPath: metadata.labels.[app.kubernetes.io/appNamespace]
targets:
- select:
kind: InfisicalSecret
fieldPaths:
- spec.managedSecretReference.secretNamespace
patches:
- path: patches/deployment.yaml
target:
kind: Deployment
- path: patches/configmap.yaml
target:
kind: ConfigMap
- path: patches/pvc.yaml
target:
kind: PersistentVolumeClaim
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/appName: linkwarden
- pairs:
app.kubernetes.io/appNamespace: apps

16
namespaces/apps/linkwarden/patches/configmap.yaml Normal file
View file

@ -0,0 +1,16 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: config
data:
NEXTAUTH_URL: "http://linkwarden.leechpepin.com/api/v1/auth"
NEXT_PUBLIC_OLLAMA_ENDPOINT_URL: "http://ollama.ai.svc.cluster.local:11434"
OLLAMA_MODEL: "phi3:mini-4k"
NEXT_PUBLIC_AUTHENTIK_ENABLED: "true"
AUTHENTIK_CUSTOM_NAME: "Authentik"
AUTHENTIK_ISSUER: "https://auth.leechpepin.com/application/o/linkwarden"
AUTHENTIK_CLIENT_ID: "VQtaPxELuwFFUS412pZsk0TFIFpXqPpZYHul9Ddj"
NEXT_PUBLIC_DISABLE_REGISTRATION: "true"
NEXT_PUBLIC_CREDENTIALS_ENABLED: "false"
NEXT_PUBLIC_EMAIL_PROVIDER: "true"
EMAIL_FROM: "homelab@leechpepin.com"

57
namespaces/apps/linkwarden/patches/deployment.yaml Normal file
View file

@ -0,0 +1,57 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: app
spec:
template:
spec:
containers:
- name: linkwarden
image: ghcr.io/linkwarden/linkwarden:v2.9.1
envFrom:
- configMapRef:
name: linkwarden-config
env:
# Consume the secret
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: linkwarden-secrets
key: DATABASE_URL
optional: false
- name: NEXTAUTH_SECRET
valueFrom:
secretKeyRef:
name: linkwarden-secrets
key: NEXTAUTH_SECRET
optional: false
- name: AUTHENTIK_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: linkwarden-secrets
key: AUTHENTIK_CLIENT_SECRET
optional: false
- name: EMAIL_SERVER
valueFrom:
secretKeyRef:
name: smtp-secrets
key: SMTP_SERVER
optional: false
ports:
- containerPort: 3000
protocol: TCP
name: linkwarden
resources:
requests:
cpu: 250m
memory: 512Mi
# Mount the volume
volumeMounts:
- mountPath: /data/data
name: linkwarden
subPath: "data"
restartPolicy: Always
volumes:
- name: linkwarden
persistentVolumeClaim:
claimName: linkwarden-pvc

8
namespaces/apps/linkwarden/patches/pvc.yaml Normal file
View file

@ -0,0 +1,8 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: pvc
spec:
resources:
requests:
storage: 25Gi

7
namespaces/apps/namespace.yaml Normal file
View file

@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
homelab-access: "true"
name: apps