Initial Kustomize template

Existing deployments are being migrated to Kustomize for templating purposes.
This might not actually save space due to number of patches but it does reduce
the amount of changes that need to be made to portions that only need name
changes.

Existing resources that are not going to be kustomized will be added in
subsequent commits.

kustomize/deployment/configmap.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config
+data:

kustomize/deployment/deployment.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: app
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  template:
+    spec:

kustomize/deployment/httproute-http.yaml

@@ -0,0 +1,20 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http
+spec:
+  parentRefs:
+    - name: homelab-gateway
+      sectionName: web
+      kind: Gateway
+      namespace: homelab
+  hostnames:
+    - web.leechpepin.local
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      backendRefs:
+        - name: web
+          port: 80

kustomize/deployment/httproute-https.yaml

@@ -0,0 +1,20 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: https
+spec:
+  parentRefs:
+    - name: homelab-gateway
+      sectionName: websecure
+      kind: Gateway
+      namespace: homelab
+  hostnames:
+    - web.leechpepin.com
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      backendRefs:
+        - name: web
+          port: 80

kustomize/deployment/kustomization.yaml

@@ -0,0 +1,17 @@
+### deployment/kustomization.yaml ###
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+# Define resources:
+resources:
+  - deployment.yaml
+  - service.yaml
+  - pvc.yaml
+  - secret.yaml
+  - httproute-http.yaml
+  - httproute-https.yaml
+  - configmap.yaml
+
+labels:
+  - includeSelectors: true
+    pairs:
+      app.kubernetes.io/managed-by: kustomize

kustomize/deployment/pvc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: pvc
+spec:
+  storageClassName: longhorn-private
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi

kustomize/deployment/secret.yaml

@@ -0,0 +1,27 @@
+apiVersion: secrets.infisical.com/v1alpha1
+kind: InfisicalSecret
+metadata:
+  name: secrets
+  namespace: infisical
+  labels:
+    label-to-be-passed-to-managed-secret: homelab
+  annotations:
+    example.com/annotation-to-be-passed-to-managed-secret: "homelab"
+spec:
+  hostAPI: https://app.infisical.com/api
+  resyncInterval: 10
+  authentication:
+    # Universal Auth
+    universalAuth:
+      secretsScope:
+        projectSlug: homelab-n-f-yj
+        envSlug: prod
+        secretsPath: "/apps/appname" # Root is "/"
+        recursive: false # Whether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false
+      credentialsRef:
+        secretName: universal-auth-credentials
+        secretNamespace: infisical
+  managedSecretReference:
+    secretName: app-secrets
+    secretNamespace: ns
+    creationPolicy: "Orphan" ## Owner | Orphan

kustomize/deployment/service.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: svc
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      name: test
+      targetPort: test
+      protocol: TCP

namespaces/apps/linkwarden/kustomization.yaml

@@ -0,0 +1,84 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+transformers:
+  - |-
+    apiVersion: builtin
+    kind: NamespaceTransformer
+    metadata:
+      name: notImportantHere
+      namespace: apps
+    unsetOnly: true
+
+namePrefix: linkwarden-
+resources:
+  - ../../../kustomize/deployment/
+
+replacements:
+  - source:
+      kind: Service
+      name: svc
+    targets:
+      - select:
+          kind: HTTPRoute
+        options:
+          create: true
+        fieldPaths:
+          - spec.rules.0.backendRefs.0.name
+  - source:
+      kind: Deployment
+      fieldPath: metadata.labels.[app.kubernetes.io/appName]
+    targets:
+      - select:
+          kind: HTTPRoute
+        options:
+          create: true
+          delimiter: "."
+          index: 0
+        fieldPaths:
+          - spec.hostnames.0
+      - select:
+          kind: InfisicalSecret
+        options:
+          delimiter: "-"
+          index: 0
+        fieldPaths:
+          - spec.managedSecretReference.secretName
+      - select:
+          kind: InfisicalSecret
+        options:
+          delimiter: "/"
+          index: 2
+        fieldPaths:
+          - spec.authentication.universalAuth.secretsScope.secretsPath
+      - select:
+          kind: Service
+        fieldPaths:
+          - spec.ports.0.name
+          - spec.ports.0.targetPort
+  - source:
+      kind: Deployment
+      fieldPath: metadata.labels.[app.kubernetes.io/appNamespace]
+    targets:
+      - select:
+          kind: InfisicalSecret
+        fieldPaths:
+          - spec.managedSecretReference.secretNamespace
+
+patches:
+  - path: patches/deployment.yaml
+    target:
+      kind: Deployment
+  - path: patches/configmap.yaml
+    target:
+      kind: ConfigMap
+  - path: patches/pvc.yaml
+    target:
+      kind: PersistentVolumeClaim
+
+labels:
+  - includeSelectors: true
+    pairs:
+      app.kubernetes.io/appName: linkwarden
+  - pairs:
+      app.kubernetes.io/appNamespace: apps

namespaces/apps/linkwarden/patches/configmap.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config
+data:
+  NEXTAUTH_URL: "http://linkwarden.leechpepin.com/api/v1/auth"
+  NEXT_PUBLIC_OLLAMA_ENDPOINT_URL: "http://ollama.ai.svc.cluster.local:11434"
+  OLLAMA_MODEL: "phi3:mini-4k"
+  NEXT_PUBLIC_AUTHENTIK_ENABLED: "true"
+  AUTHENTIK_CUSTOM_NAME: "Authentik"
+  AUTHENTIK_ISSUER: "https://auth.leechpepin.com/application/o/linkwarden"
+  AUTHENTIK_CLIENT_ID: "VQtaPxELuwFFUS412pZsk0TFIFpXqPpZYHul9Ddj"
+  NEXT_PUBLIC_DISABLE_REGISTRATION: "true"
+  NEXT_PUBLIC_CREDENTIALS_ENABLED: "false"
+  NEXT_PUBLIC_EMAIL_PROVIDER: "true"
+  EMAIL_FROM: "homelab@leechpepin.com"

namespaces/apps/linkwarden/patches/deployment.yaml

@@ -0,0 +1,57 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: app
+spec:
+  template:
+    spec:
+      containers:
+        - name: linkwarden
+          image: ghcr.io/linkwarden/linkwarden:v2.9.1
+          envFrom:
+            - configMapRef:
+                name: linkwarden-config
+          env:
+            # Consume the secret
+            - name: DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: linkwarden-secrets
+                  key: DATABASE_URL
+                  optional: false
+            - name: NEXTAUTH_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: linkwarden-secrets
+                  key: NEXTAUTH_SECRET
+                  optional: false
+            - name: AUTHENTIK_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: linkwarden-secrets
+                  key: AUTHENTIK_CLIENT_SECRET
+                  optional: false
+            - name: EMAIL_SERVER
+              valueFrom:
+                secretKeyRef:
+                  name: smtp-secrets
+                  key: SMTP_SERVER
+                  optional: false
+          ports:
+            - containerPort: 3000
+              protocol: TCP
+              name: linkwarden
+          resources:
+            requests:
+              cpu: 250m
+              memory: 512Mi
+          # Mount the volume
+          volumeMounts:
+            - mountPath: /data/data
+              name: linkwarden
+              subPath: "data"
+      restartPolicy: Always
+      volumes:
+        - name: linkwarden
+          persistentVolumeClaim:
+            claimName: linkwarden-pvc

namespaces/apps/linkwarden/patches/pvc.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: pvc
+spec:
+  resources:
+    requests:
+      storage: 25Gi

namespaces/apps/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    homelab-access: "true"
+  name: apps