| author | Xe Iaso <me@xeiaso.net> | 2025-01-12 10:05:49 -0500 |
|---|---|---|
| committer | Xe Iaso <me@xeiaso.net> | 2025-01-12 16:35:37 -0500 |
| commit | c387dac48426dd7b8dc2bceba2c62b4652da5c3b (patch) | |
| tree | 70923cc5b4d2573d9f1ba1ead97b6c280e21ca95 | |
| parent | feccf91fd0b329f4d608ae27ee55341f42d41d0b (diff) | |
add pocket-id
Signed-off-by: Xe Iaso <me@xeiaso.net>
| -rw-r--r-- | kube/alrest/gitea/deployment.yaml | 43 | ||||
| -rw-r--r-- | kube/alrest/gitea/external-dns.yaml | 31 | ||||
| -rw-r--r-- | kube/alrest/gitea/kustomization.yaml | 1 | ||||
| -rw-r--r-- | kube/alrest/gitea/pvc.yaml | 3 | ||||
| -rw-r--r-- | kube/alrest/gitea/runner.yaml | 2 | ||||
| -rw-r--r-- | kube/alrest/gitea/service.yaml | 4 | ||||
| -rw-r--r-- | kube/alrest/kustomization.yaml | 2 | ||||
| -rw-r--r-- | kube/alrest/minio/deployment.yaml | 68 | ||||
| -rw-r--r-- | kube/alrest/minio/external-dns.yaml | 56 | ||||
| -rw-r--r-- | kube/alrest/minio/kustomization.yaml | 7 | ||||
| -rw-r--r-- | kube/alrest/minio/service.yaml | 22 | ||||
| -rw-r--r-- | kube/alrest/minio/tenant/tenant-base.yaml | 105 | ||||
| -rw-r--r-- | kube/alrest/pocket-id/configmap.yaml | 10 | ||||
| -rw-r--r-- | kube/alrest/pocket-id/deployment.yaml | 61 | ||||
| -rw-r--r-- | kube/alrest/pocket-id/ingress.yaml | 25 | ||||
| -rw-r--r-- | kube/alrest/pocket-id/kustomization.yaml | 6 | ||||
| -rw-r--r-- | kube/alrest/pocket-id/pvc.yaml | 11 | ||||
| -rw-r--r-- | kube/alrest/pocket-id/service.yaml | 11 |
18 files changed, 455 insertions, 13 deletions
diff --git a/kube/alrest/gitea/deployment.yaml b/kube/alrest/gitea/deployment.yaml index f4d1080..ff98a86 100644 --- a/kube/alrest/gitea/deployment.yaml +++ b/kube/alrest/gitea/deployment.yaml @@ -7,15 +7,14 @@ data: USER_UID: "1000" USER_GID: "1000" - GITEA__storage__STORAGE_TYPE: minio - #GITEA__storage__STORAGE_TYPE: local + # GITEA__storage__STORAGE_TYPE: minio + GITEA__storage__STORAGE_TYPE: local GITEA__storage__SERVE_DIRECT: "true" - GITEA__storage__MINIO_ENDPOINT: http://minio.default.svc.alrest.xeserv.us + GITEA__storage__MINIO_ENDPOINT: minio.default.svc.alrest.xeserv.us GITEA__storage__MINIO_BUCKET: gitea - GITEA__storage__MINIO_LOCATION: alrest GITEA__storage__MINIO_USE_SSL: "false" - GITEA__storage__MINIO_ACCESS_KEY_ID: "nkb2jIEnRmoiu56R5vsH" - GITEA__stroage__MINIO_SECRET_ACCESS_KEY: "pZFQDZFFMzqqvQdAjwpdEQrRIbMlu0H9cd25MmkQ" + GITEA__storage__MINIO_ACCESS_KEY_ID: "qI118JbfKI7jSoIODniy" + GITEA__stroage__MINIO_SECRET_ACCESS_KEY: "dIOfpszdPDKLurcppvic68TJcscZ4NZbgJr30RaX" --- apiVersion: apps/v1 kind: Deployment @@ -43,6 +42,9 @@ spec: - name: data persistentVolumeClaim: claimName: gitea + - name: internal-certs + secret: + secretName: gitea-internal-tls containers: - name: main image: gitea/gitea:1-rootless @@ -83,3 +85,32 @@ spec: periodSeconds: 10 successThreshold: 1 failureThreshold: 10 + - name: relayd + image: ghcr.io/xe/x/relayd:latest + imagePullPolicy: "Always" + resources: + limits: + cpu: "500m" + memory: "512Mi" + requests: + cpu: "100m" + memory: "256Mi" + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + env: + - name: BIND + value: ":8443" + - name: PROXY_TO + value: "http://localhost:3000" + volumeMounts: + - name: "internal-certs" + mountPath: "/xe/pki" + readOnly: true diff --git a/kube/alrest/gitea/external-dns.yaml b/kube/alrest/gitea/external-dns.yaml new file mode 100644 index 0000000..5671673 
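Review bot: The rotated MinIO secret key in the first hunk is still stored under the misspelled key `GITEA__stroage__MINIO_SECRET_ACCESS_KEY`, so Gitea will never read it, and both the access key and the secret key are plain strings in a `data:` block (presumably a ConfigMap) committed to this repository — the previous pair is already in history and the new pair now is too. Correct the key to `GITEA__storage__MINIO_SECRET_ACCESS_KEY`, move both values into a Secret consumed through `valueFrom.secretKeyRef` (or a SOPS/SealedSecrets-managed Secret), and rotate this pair again since it has already been published. With `GITEA__storage__STORAGE_TYPE: local` now active the MinIO block is dead configuration; if it is kept for a later switch, `MINIO_USE_SSL: "false"` against the `minio.default.svc` endpoint will need revisiting once the MinIO side is behind the relayd TLS front added elsewhere in this commit. The enclosing resource's header is outside the hunk.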
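Review bot: The relayd sidecar that terminates TLS for git.xeserv.us is pulled as `ghcr.io/xe/x/relayd:latest` with `imagePullPolicy: "Always"`, so whatever happens to be at that mutable tag on each pod start receives the Let's Encrypt private key mounted read-only at `/xe/pki`; pin it by digest (`image: ghcr.io/xe/x/relayd@sha256:<digest>`) or at least an immutable tag and let an image updater bump it. The sidecar's security context (non-root uid 1000, all capabilities dropped, `RuntimeDefault` seccomp) is the right shape and should be mirrored on the `main` Gitea container if it is not already (its securityContext is outside the hunk). `PROXY_TO: "http://localhost:3000"` is loopback-only inside the pod, which is fine, but if the Service still exposes Gitea's plain port 3000 alongside the new 8443, the plaintext path remains reachable and should be dropped or fenced with a NetworkPolicy.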
--- /dev/null
+++ b/kube/alrest/gitea/external-dns.yaml
@@ -0,0 +1,31 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+ name: gitea
+spec:
+ endpoints:
+ - dnsName: git.xeserv.us
+ recordTTL: 3600
+ recordType: A
+ targets:
+ - 10.219.80.171
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: gitea
+spec:
+ secretName: gitea-internal-tls
+
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+
+ usages:
+ - digital signature
+ - key encipherment
+ dnsNames:
+ - git.xeserv.us
+ issuerRef:
+ name: "letsencrypt-prod"
+ kind: ClusterIssuer
+ group: cert-manager.io
\ No newline at end of file diff --git a/kube/alrest/gitea/kustomization.yaml b/kube/alrest/gitea/kustomization.yaml index 95bc432..6fc6906 100644 --- a/kube/alrest/gitea/kustomization.yaml +++ b/kube/alrest/gitea/kustomization.yaml @@ -5,4 +5,5 @@ resources: - deployment.yaml - service.yaml - runner.yaml + - external-dns.yaml namespace: gitea diff --git a/kube/alrest/gitea/pvc.yaml b/kube/alrest/gitea/pvc.yaml index 7c7515e..a1726da 100644 --- a/kube/alrest/gitea/pvc.yaml +++ b/kube/alrest/gitea/pvc.yaml @@ -5,8 +5,7 @@ metadata: spec: accessModes: - ReadWriteOnce - - ReadWriteMany - storageClassName: longhorn + storageClassName: rotational resources: requests: storage: 64Gi
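Review bot: The `gitea` Certificate has no `privateKey` stanza, so cert-manager's default `rotationPolicy: Never` applies and the same private key is reused at every 90-day renewal even though it is mounted into a `:latest` sidecar; add `privateKey:` / `  rotationPolicy: Always` under `spec` so each renewal gets a fresh key. The DNSEndpoint pins `git.xeserv.us` to the private address 10.219.80.171, which Let's Encrypt cannot reach for an HTTP-01 challenge, so this only works if the `letsencrypt-prod` ClusterIssuer (defined outside this commit) uses a DNS-01 solver — worth a one-line comment on the Certificate, e.g. `# issued via DNS-01: the A record is RFC1918 and not reachable by the CA`.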
\ No newline at end of file diff --git a/kube/alrest/gitea/runner.yaml b/kube/alrest/gitea/runner.yaml index bb8319f..8d59ac4 100644 --- a/kube/alrest/gitea/runner.yaml +++ b/kube/alrest/gitea/runner.yaml @@ -3,7 +3,7 @@ kind: Secret metadata: name: runner-secret stringData: - token: "6ALUVtYp8UAl5FHFUwGZ1lG03lMR2xta2cV9m2mW" + token: "lauI1MNpokCnDRUZ1LcS7cQKSyuMyI0UikmKCJcQ" type: Opaque --- apiVersion: v1 diff --git a/kube/alrest/gitea/service.yaml b/kube/alrest/gitea/service.yaml index 988f1fa..7d150c2 100644 --- a/kube/alrest/gitea/service.yaml +++ b/kube/alrest/gitea/service.yaml @@ -14,4 +14,8 @@ spec: port: 22 targetPort: 2222 name: ssh + - name: https + port: 443 + targetPort: 8443 + protocol: TCP type: ClusterIP diff --git a/kube/alrest/kustomization.yaml b/kube/alrest/kustomization.yaml index 489e5d3..ff61cbc 100644 --- a/kube/alrest/kustomization.yaml +++ b/kube/alrest/kustomization.yaml @@ -2,8 +2,10 @@ resources: - core - gitea - glance + - minio - ollama - palworld + - pocket-id - pvfm - registry - staticsites diff --git a/kube/alrest/minio/deployment.yaml b/kube/alrest/minio/deployment.yaml index aeda39e..e0707f9 100644 --- a/kube/alrest/minio/deployment.yaml +++ b/kube/alrest/minio/deployment.yaml @@ -16,6 +16,12 @@ spec: - name: data persistentVolumeClaim: claimName: minio + - name: api-certs + secret: + secretName: minio-alrest-internal-tls + - name: webui-certs + secret: + secretName: minio-ui-alrest-internal-tls containers: - name: minio volumeMounts: @@ -31,8 +37,68 @@ spec: value: root - name: MINIO_ROOT_PASSWORD value: hunter22 + - name: MINIO_IDENTITY_OPENID_REDIRECT_URI + value: https://minio-ui.xeserv.us/oauth_callback ports: - containerPort: 9000 name: http - containerPort: 9001 - name: webui
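Review bot: The Gitea runner registration token in `runner.yaml` is rotated in plaintext inside a Secret's `stringData`, so both the old `6ALUVtYp…` value and the new `lauI1MNp…` value are now permanent git history; treat both as burned, regenerate the token in Gitea after this lands, and source the value from an encrypted-at-rest form (SealedSecrets, SOPS, or an external secrets operator) rather than the manifest. This matters more if the repository is served publicly, as the cgit download links at the top suggest. Rotating in place, as this hunk does, gives no protection because the replacement is published in the same commit.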
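Review bot: In the first `minio/deployment.yaml` hunk, `MINIO_IDENTITY_OPENID_REDIRECT_URI` is the only OpenID variable added; MinIO's OIDC provider also needs at least `MINIO_IDENTITY_OPENID_CONFIG_URL` and `MINIO_IDENTITY_OPENID_CLIENT_ID` (and the client secret, which must not be a literal `value:`), so unless those are set outside this hunk the redirect URI is inert and logins fall back to the root credentials. Those root credentials are visible in the hunk's context as `MINIO_ROOT_PASSWORD` / `value: hunter22` — pre-existing, but now the effective auth path for the TLS-fronted endpoint — and should move to `valueFrom.secretKeyRef` together with the OIDC client secret. The container spec this hunk edits starts before the hunk.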
\ No newline at end of file + name: webui + - name: relayd-api + image: ghcr.io/xe/x/relayd:latest + imagePullPolicy: "Always" + resources: + limits: + cpu: "500m" + memory: "512Mi" + requests: + cpu: "100m" + memory: "256Mi" + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + env: + - name: BIND + value: ":8443" + - name: PROXY_TO + value: "http://localhost:9000" + volumeMounts: + - name: "api-certs" + mountPath: "/xe/pki" + readOnly: true + - name: relayd-webui + image: ghcr.io/xe/x/relayd:latest + imagePullPolicy: "Always" + resources: + limits: + cpu: "500m" + memory: "512Mi" + requests: + cpu: "100m" + memory: "256Mi" + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + env: + - name: BIND + value: ":8444" + - name: PROXY_TO + value: "http://localhost:9001" + volumeMounts: + - name: "webui-certs" + mountPath: "/xe/pki" + readOnly: true
\ No newline at end of file
diff --git a/kube/alrest/minio/external-dns.yaml b/kube/alrest/minio/external-dns.yaml
new file mode 100644
index 0000000..e0e6437
--- /dev/null
+++ b/kube/alrest/minio/external-dns.yaml
@@ -0,0 +1,56 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+ name: minio
+spec:
+ endpoints:
+ - dnsName: minio.xeserv.us
+ recordTTL: 3600
+ recordType: A
+ targets:
+ - 10.219.35.168
+ - dnsName: minio-ui.xeserv.us
+ recordTTL: 3600
+ recordType: A
+ targets:
+ - 10.213.19.165
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: minio
+spec:
+ secretName: minio-alrest-internal-tls
+
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+
+ usages:
+ - digital signature
+ - key encipherment
+ dnsNames:
+ - minio.xeserv.us
+ issuerRef:
+ name: "letsencrypt-prod"
+ kind: ClusterIssuer
+ group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: minio-ui
+spec:
+ secretName: minio-ui-alrest-internal-tls
+
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+
+ usages:
+ - digital signature
+ - key encipherment
+ dnsNames:
+ - minio-ui.xeserv.us
+ issuerRef:
+ name: "letsencrypt-prod"
+ kind: ClusterIssuer
+ group: cert-manager.io
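Review bot: Both `relayd-api` and `relayd-webui` sidecars are `ghcr.io/xe/x/relayd:latest` with `imagePullPolicy: "Always"` and each mounts a Let's Encrypt private key at `/xe/pki`, so an unreviewed push to that tag becomes the TLS terminator for minio.xeserv.us and minio-ui.xeserv.us on the next restart; pin by digest, as the MinIO tenant manifest in this same commit already does for `quay.io/minio/minio`. The two sidecar blocks are identical except for `BIND`, `PROXY_TO` and the certs volume, which a kustomize patch or a shared YAML anchor would make less error-prone to keep in sync. Because TLS now ends in the sidecar and MinIO itself still speaks plain HTTP on 9000/9001, verify that the console's generated links and the OIDC callback stay `https://` — MinIO generally needs `MINIO_SERVER_URL` / `MINIO_BROWSER_REDIRECT_URL` when fronted this way, and neither is visible here.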
\ No newline at end of file diff --git a/kube/alrest/minio/kustomization.yaml b/kube/alrest/minio/kustomization.yaml index 14dd267..8b903be 100644 --- a/kube/alrest/minio/kustomization.yaml +++ b/kube/alrest/minio/kustomization.yaml @@ -1,4 +1,5 @@ resources: -- ./deployment.yaml -- ./pvc.yaml -- ./service.yaml
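Review bot: The two A records are hand-pinned to 10.219.35.168 and 10.213.19.165 while the `minio` and `minio-ui` Services added in this commit are both `type: ClusterIP`, so whatever these addresses are they are not derived from the Services and will silently go stale if a Service is recreated or the cluster re-allocates them; if external-dns is running with internal-service publishing, an `external-dns.alpha.kubernetes.io/hostname` annotation on the Service keeps the record in sync instead. Neither Certificate sets `privateKey.rotationPolicy`, so renewals reuse the key that lives in the `:latest` sidecars; add `privateKey:` / `  rotationPolicy: Always` to both. A short comment explaining that `letsencrypt-prod` must solve DNS-01 for these RFC1918 targets would save the next reader a debugging session.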
\ No newline at end of file +- deployment.yaml +- external-dns.yaml +- pvc.yaml +- service.yaml
\ No newline at end of file diff --git a/kube/alrest/minio/service.yaml b/kube/alrest/minio/service.yaml index 9d888ab..f55232f 100644 --- a/kube/alrest/minio/service.yaml +++ b/kube/alrest/minio/service.yaml @@ -13,5 +13,27 @@ spec: port: 8080 targetPort: 9001 protocol: TCP + - name: https + port: 443 + targetPort: 8443 + protocol: TCP + selector: + app: minio +--- +apiVersion: v1 +kind: Service +metadata: + name: minio-ui +spec: + type: ClusterIP + ports: + - name: http + port: 80 + targetPort: 9001 + protocol: TCP + - name: https + port: 443 + targetPort: 8444 + protocol: TCP selector: app: minio
\ No newline at end of file diff --git a/kube/alrest/minio/tenant/tenant-base.yaml b/kube/alrest/minio/tenant/tenant-base.yaml new file mode 100644 index 0000000..b6708ca --- /dev/null +++ b/kube/alrest/minio/tenant/tenant-base.yaml 
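Review bot: After this hunk both the `minio` Service (`8080` → `9001`, plus whatever precedes it above the hunk) and the new `minio-ui` Service (`80` → `9001`) keep a plaintext path to the console next to the new `443` → `8443`/`8444` TLS ports, so the relayd front is optional rather than enforced. If the intent is that everything goes through relayd, remove the plaintext ports, or at least add a NetworkPolicy that limits 9000/9001 to in-pod traffic; otherwise a comment such as `# http ports kept for in-cluster clients; external DNS points at 443 only` would document that it is deliberate. The `minio` Service definition begins outside the hunk.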
@@ -0,0 +1,105 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: minio-tenant +--- +apiVersion: v1 +kind: Secret +metadata: + name: storage-configuration + namespace: minio-tenant +stringData: + config.env: |- + export MINIO_ROOT_USER="minio" + export MINIO_ROOT_PASSWORD="minio123" + export MINIO_STORAGE_CLASS_STANDARD="EC:2" + export MINIO_BROWSER="on" +type: Opaque +--- +apiVersion: v1 +data: + CONSOLE_ACCESS_KEY: Y29uc29sZQ== + CONSOLE_SECRET_KEY: Y29uc29sZTEyMw== +kind: Secret +metadata: + name: storage-user + namespace: minio-tenant +type: Opaque +--- +apiVersion: minio.min.io/v2 +kind: Tenant +metadata: + annotations: + prometheus.io/path: /minio/v2/metrics/cluster + prometheus.io/port: "9000" + prometheus.io/scrape: "true" + labels: + app: minio + name: myminio + namespace: minio-tenant +spec: + certConfig: {} + configuration: + name: storage-configuration + env: [] + externalCaCertSecret: [] + externalCertSecret: [] + externalClientCertSecrets: [] + features: + bucketDNS: false + domains: {} + image: quay.io/minio/minio:RELEASE.2024-10-02T17-50-41Z + imagePullSecret: {} + mountPath: /export + podManagementPolicy: Parallel + pools: + - affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: {} + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + name: pool-0 + nodeSelector: {} + resources: {} + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + servers: 2 + tolerations: [] + topologySpreadConstraints: [] + volumeClaimTemplate: + apiVersion: v1 + kind: persistentvolumeclaims + metadata: {} + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 50Gi + storageClassName: rotational + status: {} + volumesPerServer: 2 + priorityClassName: "" + requestAutoCert: true + serviceAccountName: "" + serviceMetadata: + 
consoleServiceAnnotations: {} + consoleServiceLabels: {} + minioServiceAnnotations: {} + minioServiceLabels: {} + subPath: "" + users: + - name: storage-user diff --git a/kube/alrest/pocket-id/configmap.yaml b/kube/alrest/pocket-id/configmap.yaml new file mode 100644 index 0000000..fd7071d --- /dev/null +++ b/kube/alrest/pocket-id/configmap.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: pocket-id +data: + PUBLIC_APP_URL: https://idp.xeserv.us + TRUST_PROXY: "true" + PUID: "1000" + PGID: "1000" + CADDY_PORT: "80" diff --git a/kube/alrest/pocket-id/deployment.yaml b/kube/alrest/pocket-id/deployment.yaml new file mode 100644 index 0000000..19b9b94 --- /dev/null +++ b/kube/alrest/pocket-id/deployment.yaml @@ -0,0 +1,61 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: pocket-id +spec: + replicas: 1 + selector: + matchLabels: + app: pocket-id + template: + metadata: + labels: + app: pocket-id + spec: + securityContext: + fsGroup: 1000 + volumes: + - name: data + persistentVolumeClaim: + claimName: pocket-id + containers: + - name: main + image: stonith404/pocket-id:v0.24.0 + imagePullPolicy: IfNotPresent + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: false + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + envFrom: + - configMapRef: + name: pocket-id + resources: + limits: + memory: "512Mi" + cpu: "1" + ports: + - containerPort: 8080 + name: backend + - containerPort: 3000 + name: frontend + - containerPort: 80 + name: http + livenessProbe: + httpGet: + path: /health + port: http + initialDelaySeconds: 200 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 10 + volumeMounts: + - name: data + mountPath: /app/backend/data + subPath: data diff --git a/kube/alrest/pocket-id/ingress.yaml b/kube/alrest/pocket-id/ingress.yaml new file mode 100644 index 0000000..2d4a898 --- /dev/null +++ b/kube/alrest/pocket-id/ingress.yaml 
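Review bot: `tenant-base.yaml` commits the upstream example credentials verbatim — `MINIO_ROOT_USER="minio"` / `MINIO_ROOT_PASSWORD="minio123"` in `storage-configuration`, and `CONSOLE_ACCESS_KEY` / `CONSOLE_SECRET_KEY` in `storage-user` base64-decode to `console` / `console123` — so any tenant created from this file is guessable on the first try, `requestAutoCert: true` notwithstanding. Generate real values and keep them out of the manifest (SealedSecrets, SOPS, or an external secrets operator), and note that even as placeholders they are now in history. The file is not listed in `minio/kustomization.yaml` in this commit, so it appears unapplied for now; if it is staged for later, a top-of-file comment like `# NOT applied: example tenant, replace placeholder credentials before wiring in` would prevent an accidental rollout, and `resources: {}` on the pool should get limits before then.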
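Review bot: `TRUST_PROXY: "true"` in the pocket-id ConfigMap makes the IdP believe `X-Forwarded-*` headers from whoever reaches port 80, and nothing in this commit restricts that port to the nginx ingress controller, so any in-cluster client can present an arbitrary client IP to pocket-id (affecting whatever it uses the address for — audit logs or rate limiting, which is inferred rather than visible here). Pair it with a NetworkPolicy that only admits the ingress controller's namespace, and add a comment on the key, e.g. `# only safe because port 80 is reachable solely from ingress-nginx (see NetworkPolicy)`.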
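Review bot: The pocket-id container sets `runAsUser: 1000` but `runAsNonRoot: false`, which is the opposite of every other container in this commit and loses the admission-time guarantee that the process is unprivileged; change it to `runAsNonRoot: true`. The `PUID`/`PGID` environment variables suggest an image that switches users itself at startup — if that entrypoint needs `setuid`/`chown`, dropping `ALL` capabilities will already make it fail, and if it starts fine under uid 1000 then `runAsNonRoot: true` costs nothing, so it is worth a comment either way. The pod also exposes `containerPort` 8080 and 3000 that the Service never selects; removing them avoids implying those are supported entry points, and a `readinessProbe` alongside the 200-second liveness delay would keep the ingress from routing to the IdP before its database is ready.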
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: pocket-id
+ labels:
+ name: pocket-id
+ annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
+spec:
+ ingressClassName: nginx
+ tls:
+ - hosts:
+ - idp.xeserv.us
+ secretName: idp-xeserv-us-public-tls
+ rules:
+ - host: idp.xeserv.us
+ http:
+ paths:
+ - pathType: Prefix
+ path: "/"
+ backend:
+ service:
+ name: pocket-id
+ port:
+ name: http
diff --git a/kube/alrest/pocket-id/kustomization.yaml b/kube/alrest/pocket-id/kustomization.yaml
new file mode 100644
index 0000000..d6bcf97
--- /dev/null
+++ b/kube/alrest/pocket-id/kustomization.yaml
@@ -0,0 +1,6 @@
+resources:
+ - configmap.yaml
+ - deployment.yaml
+ - ingress.yaml
+ - pvc.yaml
+ - service.yaml
\ No newline at end of file
diff --git a/kube/alrest/pocket-id/pvc.yaml b/kube/alrest/pocket-id/pvc.yaml
new file mode 100644
index 0000000..78460a7
--- /dev/null
+++ b/kube/alrest/pocket-id/pvc.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: pocket-id
+spec:
+ resources:
+ requests:
+ storage: 10Gi
+ volumeMode: Filesystem
+ accessModes:
+ - ReadWriteOnce
diff --git a/kube/alrest/pocket-id/service.yaml b/kube/alrest/pocket-id/service.yaml
new file mode 100644
index 0000000..6e2de07
--- /dev/null
+++ b/kube/alrest/pocket-id/service.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: pocket-id
+spec:
+ selector:
+ app: pocket-id
+ ports:
+ - port: 80
+ targetPort: 80
+ name: http
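Review bot: The pocket-id PVC omits `storageClassName`, so the IdP's state (the `/app/backend/data` mount from the Deployment) lands on whatever the cluster's default class is, while the other PVCs touched in this commit pin a class explicitly (`rotational`); pick one deliberately, e.g. `storageClassName: rotational`, or add a comment that the default is intended. Since this volume holds the identity provider's database and signing material, it is also the one most worth a stated backup/snapshot expectation.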
\ No newline at end of file |
