From 023ad0586f3176a7af06cc3a951452cc32480c82 Mon Sep 17 00:00:00 2001 
From: ansible Date: Tue, 10 Mar 2026 13:03:03 +0800 Subject: [PATCH] Update k8s manifests --- .sops.yaml | 4 ++ k8s/apps/gitea/ingress.yaml | 23 +++++++ k8s/apps/gitea/kustomization.yaml | 6 ++ k8s/apps/gitea/namespace.yaml | 4 ++ k8s/apps/gitea/service-external.yaml | 23 +++++++ k8s/apps/kustomization.yaml | 6 ++ k8s/apps/pkg-repo/deployment.yaml | 52 ++++++++++++++ k8s/apps/pkg-repo/ingress.yaml | 23 +++++++ k8s/apps/pkg-repo/kustomization.yaml | 6 ++ k8s/apps/pkg-repo/namespace.yaml | 4 ++ k8s/apps/vaultwarden/helmrelease.yaml | 26 +++++++ k8s/apps/vaultwarden/kustomization.yaml | 5 ++ k8s/apps/vaultwarden/namespace.yaml | 4 ++ k8s/flux/gotk-sync.yaml | 69 +++++++++++++++++++ .../cert-manager/clusterissuer.yaml | 19 +++++ .../cert-manager/helmrelease.yaml | 23 +++++++ .../cert-manager/wildcard-cert.yaml | 13 ++++ k8s/infrastructure/helmrepositories.yaml | 63 +++++++++++++++++ k8s/infrastructure/keycloak/helmrelease.yaml | 41 +++++++++++ k8s/infrastructure/kustomization.yaml | 11 +++ k8s/infrastructure/longhorn/helmrelease.yaml | 27 ++++++++ .../observability/kube-prometheus-stack.yaml | 57 +++++++++++++++ .../observability/kustomization.yaml | 7 ++ k8s/infrastructure/observability/loki.yaml | 30 ++++++++ .../observability/namespace.yaml | 4 ++ .../observability/promtail.yaml | 19 +++++ k8s/infrastructure/openldap/helmrelease.yaml | 32 +++++++++ k8s/pg-init/keycloak-db.yaml | 38 ++++++++++ k8s/pg-init/kustomization.yaml | 6 ++ k8s/pg-init/namespace.yaml | 4 ++ k8s/pg-init/vaultwarden-db.yaml | 38 ++++++++++ 31 files changed, 687 insertions(+) create mode 100644 .sops.yaml create mode 100644 k8s/apps/gitea/ingress.yaml create mode 100644 k8s/apps/gitea/kustomization.yaml create mode 100644 k8s/apps/gitea/namespace.yaml create mode 100644 k8s/apps/gitea/service-external.yaml create mode 100644 k8s/apps/kustomization.yaml create mode 100644 k8s/apps/pkg-repo/deployment.yaml create mode 100644 k8s/apps/pkg-repo/ingress.yaml create mode 100644 
k8s/apps/pkg-repo/kustomization.yaml create mode 100644 k8s/apps/pkg-repo/namespace.yaml create mode 100644 k8s/apps/vaultwarden/helmrelease.yaml create mode 100644 k8s/apps/vaultwarden/kustomization.yaml create mode 100644 k8s/apps/vaultwarden/namespace.yaml create mode 100644 k8s/flux/gotk-sync.yaml create mode 100644 k8s/infrastructure/cert-manager/clusterissuer.yaml create mode 100644 k8s/infrastructure/cert-manager/helmrelease.yaml create mode 100644 k8s/infrastructure/cert-manager/wildcard-cert.yaml create mode 100644 k8s/infrastructure/helmrepositories.yaml create mode 100644 k8s/infrastructure/keycloak/helmrelease.yaml create mode 100644 k8s/infrastructure/kustomization.yaml create mode 100644 k8s/infrastructure/longhorn/helmrelease.yaml create mode 100644 k8s/infrastructure/observability/kube-prometheus-stack.yaml create mode 100644 k8s/infrastructure/observability/kustomization.yaml create mode 100644 k8s/infrastructure/observability/loki.yaml create mode 100644 k8s/infrastructure/observability/namespace.yaml create mode 100644 k8s/infrastructure/observability/promtail.yaml create mode 100644 k8s/infrastructure/openldap/helmrelease.yaml create mode 100644 k8s/pg-init/keycloak-db.yaml create mode 100644 k8s/pg-init/kustomization.yaml create mode 100644 k8s/pg-init/namespace.yaml create mode 100644 k8s/pg-init/vaultwarden-db.yaml diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..9c5de98 --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,4 @@ +creation_rules: + - path_regex: '.*secret.*\.yaml$' + encrypted_regex: '^(data|stringData)$' + age: 'age1y5rw08wm2s2hemapzf43c0l4xass7fhc55qh3n4cxtuxzrj8q3cqtydy7m' diff --git a/k8s/apps/gitea/ingress.yaml b/k8s/apps/gitea/ingress.yaml new file mode 100644 index 0000000..97cfe64 --- /dev/null +++ b/k8s/apps/gitea/ingress.yaml 
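Review bot: The single creation rule only matches files whose path contains `secret`, so a Kubernetes Secret saved under any other filename (for instance whatever file holds the `cloudflare-api-token` or `pg-init-secret` objects referenced later in this commit, none of which are added here) is committed in plaintext without sops objecting. Anchoring the match to the naming convention you actually use, e.g. `path_regex: '(^|/)[^/]*secret[^/]*\.ya?ml$'`, plus a pre-commit or CI check that rejects any `kind: Secret` whose `data`/`stringData` is not sops-encrypted, closes that gap. The Flux Kustomizations in k8s/flux/gotk-sync.yaml decrypt with the `sops-age` secret, which presumably holds the private half of this single age recipient; with one recipient and no second key there is no rotation path, so a comment above `age:` naming where that key is backed up would help the next operator.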
@@ -0,0 +1,23 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: gitea + namespace: gitea + annotations: + cert-manager.io/cluster-issuer: "n0ball-tw-issuer" +spec: + ingressClassName: traefik + tls: + - secretName: gitea-tls + hosts: ["gitea.n0ball.tw"] + rules: + - host: gitea.n0ball.tw + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: gitea-external + port: + number: 3000 diff --git a/k8s/apps/gitea/kustomization.yaml b/k8s/apps/gitea/kustomization.yaml new file mode 100644 index 0000000..afd5ba0 --- /dev/null +++ b/k8s/apps/gitea/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - namespace.yaml + - service-external.yaml + - ingress.yaml diff --git a/k8s/apps/gitea/namespace.yaml b/k8s/apps/gitea/namespace.yaml new file mode 100644 index 0000000..09a988f --- /dev/null +++ b/k8s/apps/gitea/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: gitea diff --git a/k8s/apps/gitea/service-external.yaml b/k8s/apps/gitea/service-external.yaml new file mode 100644 index 0000000..3ea4c04 --- /dev/null +++ b/k8s/apps/gitea/service-external.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: v1 +kind: Endpoints +metadata: + name: gitea-external + namespace: gitea +subsets: + - addresses: + - ip: 192.168.51.203 + ports: + - port: 3000 + protocol: TCP +--- +apiVersion: v1 +kind: Service +metadata: + name: gitea-external + namespace: gitea +spec: + ports: + - port: 3000 + targetPort: 3000 + protocol: TCP diff --git a/k8s/apps/kustomization.yaml b/k8s/apps/kustomization.yaml new file mode 100644 index 0000000..98f61c6 --- /dev/null +++ b/k8s/apps/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - gitea/ + - vaultwarden/ + - pkg-repo/ diff --git a/k8s/apps/pkg-repo/deployment.yaml b/k8s/apps/pkg-repo/deployment.yaml new file mode 100644 index 0000000..b33dbb7 --- /dev/null 
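Review bot: The `cert-manager.io/cluster-issuer` annotation requests a separate per-host certificate (`gitea-tls`) even though this commit also adds a wildcard Certificate for `*.n0ball.tw` in k8s/infrastructure/cert-manager/wildcard-cert.yaml; every per-host ACME issuance publishes the hostname to Certificate Transparency logs, while reusing the wildcard keeps internal service names out of public logs. If the wildcard secret in `kube-system` is meant to become Traefik's default certificate, this Ingress can drop the annotation and the `tls[].secretName` entry (the TLSStore wiring is not in this commit, so I cannot tell); if per-host certificates are intended, the wildcard Certificate is unused as far as this commit shows. The same applies to k8s/apps/pkg-repo/ingress.yaml on L5 and to the Vaultwarden, Keycloak and Grafana ingresses configured through chart values.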
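Review bot: The `Endpoints` object binds the selector-less Service to one hard-coded address, `192.168.51.203:3000`, so TLS terminates at Traefik and the hop to Gitea crosses the node network as cleartext HTTP; acceptable on a trusted segment, but worth stating in the file, e.g. `# Gitea runs on a VM outside the cluster; Traefik -> Gitea is plain HTTP on the node network`. The core `Endpoints` API is deprecated in favour of `discovery.k8s.io/v1` `EndpointSlice` in recent Kubernetes releases (confirm for the cluster version); an EndpointSlice with `addressType: IPv4` and the `kubernetes.io/service-name: gitea-external` label is the forward-compatible form. Gitea itself must also know it is served as `https://gitea.n0ball.tw` (its ROOT_URL), which lives outside this repository.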
+++ b/k8s/apps/pkg-repo/deployment.yaml @@ -0,0 +1,52 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: pkg-repo-pvc + namespace: pkg-repo +spec: + storageClassName: longhorn + accessModes: [ReadWriteOnce] + resources: + requests: + storage: 100Gi +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: pkg-repo + namespace: pkg-repo +spec: + replicas: 1 + selector: + matchLabels: + app: pkg-repo + template: + metadata: + labels: + app: pkg-repo + spec: + containers: + - name: nginx + image: nginx:stable + ports: + - containerPort: 80 + volumeMounts: + - name: repo-data + mountPath: /usr/share/nginx/html + volumes: + - name: repo-data + persistentVolumeClaim: + claimName: pkg-repo-pvc +--- +apiVersion: v1 +kind: Service +metadata: + name: pkg-repo + namespace: pkg-repo +spec: + selector: + app: pkg-repo + ports: + - port: 80 + targetPort: 80 diff --git a/k8s/apps/pkg-repo/ingress.yaml b/k8s/apps/pkg-repo/ingress.yaml new file mode 100644 index 0000000..981e1c0 --- /dev/null +++ b/k8s/apps/pkg-repo/ingress.yaml @@ -0,0 +1,23 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: pkg-repo + namespace: pkg-repo + annotations: + cert-manager.io/cluster-issuer: "n0ball-tw-issuer" +spec: + ingressClassName: traefik + tls: + - secretName: pkg-repo-tls + hosts: ["repo.n0ball.tw"] + rules: + - host: repo.n0ball.tw + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: pkg-repo + port: + number: 80 diff --git a/k8s/apps/pkg-repo/kustomization.yaml b/k8s/apps/pkg-repo/kustomization.yaml new file mode 100644 index 0000000..34a36c7 --- /dev/null +++ b/k8s/apps/pkg-repo/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - namespace.yaml + - deployment.yaml + - ingress.yaml diff --git a/k8s/apps/pkg-repo/namespace.yaml b/k8s/apps/pkg-repo/namespace.yaml new file mode 100644 index 0000000..0e840fa --- /dev/null +++ b/k8s/apps/pkg-repo/namespace.yaml 
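Review bot: The `nginx` container runs with the image defaults: `image: nginx:stable` is a floating tag with no digest, and there is no `securityContext`, no `resources` and no readiness probe, for the one workload in this commit that serves files from a 100Gi volume straight to the internet through k8s/apps/pkg-repo/ingress.yaml. Pinning the tag (or an `@sha256:` digest), disabling privilege escalation, and setting requests/limits keeps a silent upstream rebuild or a runaway client from affecting the rest of the cluster; a fully non-root or read-only-rootfs setup needs the unprivileged image variant or writable emptyDirs for nginx's cache and pid paths, so it is left out below. Whether the repository needs directory listings, and how files get onto the ReadWriteOnce volume, are not answerable from this commit and deserve a comment on the PVC.
```yaml
      containers:
        - name: nginx
          # Pin to the release actually tested so an upstream rebuild cannot change what is served.
          image: nginx:<pinned-version>  # placeholder — replace with the tested tag or @sha256 digest
          ports:
            - containerPort: 80
          resources:
            requests: {cpu: 50m, memory: 64Mi}
            limits: {memory: 256Mi}
          securityContext:
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          readinessProbe:
            httpGet: {path: /, port: 80}
          # … unchanged: volumeMounts …
      # … unchanged: volumes …
```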
@@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: pkg-repo diff --git a/k8s/apps/vaultwarden/helmrelease.yaml b/k8s/apps/vaultwarden/helmrelease.yaml new file mode 100644 index 0000000..1235a1a --- /dev/null +++ b/k8s/apps/vaultwarden/helmrelease.yaml @@ -0,0 +1,26 @@ +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: vaultwarden + namespace: vaultwarden +spec: + interval: 10m + chart: + spec: + chart: vaultwarden + sourceRef: + kind: HelmRepository + name: vaultwarden + namespace: flux-system + values: + domain: https://vault.n0ball.tw + database: + type: postgresql + existingSecret: vaultwarden-db-secret + existingSecretKey: DATABASE_URL + ingress: + enabled: true + annotations: + cert-manager.io/cluster-issuer: "n0ball-tw-issuer" + hostname: vault.n0ball.tw + tls: true diff --git a/k8s/apps/vaultwarden/kustomization.yaml b/k8s/apps/vaultwarden/kustomization.yaml new file mode 100644 index 0000000..0370974 --- /dev/null +++ b/k8s/apps/vaultwarden/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - namespace.yaml + - helmrelease.yaml diff --git a/k8s/apps/vaultwarden/namespace.yaml b/k8s/apps/vaultwarden/namespace.yaml new file mode 100644 index 0000000..6fc17a5 --- /dev/null +++ b/k8s/apps/vaultwarden/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: vaultwarden diff --git a/k8s/flux/gotk-sync.yaml b/k8s/flux/gotk-sync.yaml new file mode 100644 index 0000000..e60cb44 --- /dev/null +++ b/k8s/flux/gotk-sync.yaml 
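Review bot: `chart.spec` carries no `version` constraint, so Flux rolls this release to whatever the newest chart in the `vaultwarden` HelmRepository is at each 10m reconcile, with no review step between an upstream chart change and a running password manager; every other HelmRelease in this commit pins at least a major (`"1.*"`, `"21.*"`), so add `version: "<major>.*"` (placeholder — use the major you tested). Upstream Vaultwarden defaults `SIGNUPS_ALLOWED` to true and this instance is published at `vault.n0ball.tw`; unless the chart flips that default, anyone reaching the host can register, so set the chart's signups value (`signupsAllowed: false` in the guerzon chart, confirm the key) or a domain allow-list. `apiVersion: helm.toolkit.fluxcd.io/v2beta1` is the deprecated API; `helm.toolkit.fluxcd.io/v2` is GA and recent Flux releases no longer serve v2beta1 (confirm against the bootstrapped Flux version) — the same applies to every HelmRelease in this commit and to the `source.toolkit.fluxcd.io/v1beta2` HelmRepositories on L9, while the GitRepository and Kustomizations on L7 already use the v1 APIs.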
@@ -0,0 +1,69 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1 +kind: GitRepository +metadata: + name: flux-system + namespace: flux-system +spec: + interval: 5m + url: https://gitea.n0ball.tw/admin/infra.git + ref: + branch: main + secretRef: + name: flux-system +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: infrastructure + namespace: flux-system +spec: + interval: 5m + path: ./k8s/infrastructure + prune: true + sourceRef: + kind: GitRepository + name: flux-system + decryption: + provider: sops + secretRef: + name: sops-age +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: pg-init + namespace: flux-system +spec: + interval: 5m + path: ./k8s/pg-init + prune: true + dependsOn: + - name: infrastructure + sourceRef: + kind: GitRepository + name: flux-system + decryption: + provider: sops + secretRef: + name: sops-age +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: apps + namespace: flux-system +spec: + interval: 5m + path: ./k8s/apps + prune: true + dependsOn: + - name: infrastructure + - name: pg-init + sourceRef: + kind: GitRepository + name: flux-system + decryption: + provider: sops + secretRef: + name: sops-age diff --git a/k8s/infrastructure/cert-manager/clusterissuer.yaml b/k8s/infrastructure/cert-manager/clusterissuer.yaml new file mode 100644 index 0000000..6183562 --- /dev/null +++ b/k8s/infrastructure/cert-manager/clusterissuer.yaml @@ -0,0 +1,19 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: n0ball-tw-issuer +spec: + acme: + server: https://acme-v2.api.letsencrypt.org/directory + email: admin@n0ball.tw + privateKeySecretRef: + name: letsencrypt-account-key + solvers: + - dns01: + cloudflare: + apiTokenSecretRef: + name: cloudflare-api-token + key: api-token + selector: + dnsZones: + - "n0ball.tw" 
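Review bot: The GitRepository `url: https://gitea.n0ball.tw/admin/infra.git` is, as far as this commit shows, served by the cluster itself: k8s/apps/gitea/ingress.yaml routes that host through the in-cluster Traefik Ingress with a cert-manager certificate, so Flux's ability to fetch its own source depends on the Ingress, cert-manager and the ClusterIssuer being healthy, and a broken certificate or ingress change cannot be rolled back through GitOps because the controller can no longer pull the fix. If DNS for that host points at the Gitea VM (192.168.51.203) directly rather than at the cluster this does not apply; otherwise point the source at an address that bypasses the cluster ingress or document the manual recovery path. A comment above `url:` recording which of the two holds would settle it for the next reader.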
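Review bot: `apiTokenSecretRef: cloudflare-api-token` is resolved by cert-manager in its cluster-resource namespace (the `cert-manager` namespace created on L8 by default), not wherever this manifest is applied from, and that Secret is not part of this commit; a comment such as `# token Secret must exist in the cert-manager namespace; scope it to DNS:Edit on n0ball.tw only` records both the location and the least-privilege expectation for whoever creates it. The issuer goes straight to the Let's Encrypt production endpoint; while the DNS-01 solver is being debugged on a new cluster, a staging ClusterIssuer avoids hitting production rate limits.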
diff --git a/k8s/infrastructure/cert-manager/helmrelease.yaml b/k8s/infrastructure/cert-manager/helmrelease.yaml new file mode 100644 index 0000000..6c50f5c --- /dev/null +++ b/k8s/infrastructure/cert-manager/helmrelease.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: cert-manager + namespace: cert-manager +spec: + interval: 10m + chart: + spec: + chart: cert-manager + version: "1.*" + sourceRef: + kind: HelmRepository + name: jetstack + namespace: flux-system + values: + installCRDs: true diff --git a/k8s/infrastructure/cert-manager/wildcard-cert.yaml b/k8s/infrastructure/cert-manager/wildcard-cert.yaml new file mode 100644 index 0000000..0ab2e28 --- /dev/null +++ b/k8s/infrastructure/cert-manager/wildcard-cert.yaml @@ -0,0 +1,13 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: n0ball-tw-wildcard + namespace: kube-system +spec: + secretName: n0ball-tw-tls + issuerRef: + name: n0ball-tw-issuer + kind: ClusterIssuer + dnsNames: + - "*.n0ball.tw" + - "n0ball.tw" diff --git a/k8s/infrastructure/helmrepositories.yaml b/k8s/infrastructure/helmrepositories.yaml new file mode 100644 index 0000000..5bde136 --- /dev/null +++ b/k8s/infrastructure/helmrepositories.yaml 
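Review bot: `version: "1.*"` lets Flux move cert-manager across any minor release automatically, and cert-manager minors have changed defaults and CRD schemas in the past; pinning to a minor range, `version: "1.<minor>.*"` (placeholder), keeps upgrades deliberate, consistent with the Longhorn release on L11. `installCRDs: true` still works but newer charts express this as `crds.enabled`/`crds.keep` (confirm for the resolved version); `crds.keep: true` is worth setting explicitly, because if the HelmRelease is ever uninstalled, removing the CRDs deletes every Certificate and Issuer in the cluster with them.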
@@ -0,0 +1,63 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: longhorn + namespace: flux-system +spec: + interval: 1h + url: https://charts.longhorn.io +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: jetstack + namespace: flux-system +spec: + interval: 1h + url: https://charts.jetstack.io +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: bitnami + namespace: flux-system +spec: + interval: 1h + url: https://charts.bitnami.com/bitnami +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: prometheus-community + namespace: flux-system +spec: + interval: 1h + url: https://prometheus-community.github.io/helm-charts +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: grafana + namespace: flux-system +spec: + interval: 1h + url: https://grafana.github.io/helm-charts +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: openldap + namespace: flux-system +spec: + interval: 1h + url: https://jp-gouin.github.io/helm-openldap/ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: vaultwarden + namespace: flux-system +spec: + interval: 1h + url: https://guerzon.github.io/vaultwarden diff --git a/k8s/infrastructure/keycloak/helmrelease.yaml b/k8s/infrastructure/keycloak/helmrelease.yaml new file mode 100644 index 0000000..9590e19 --- /dev/null +++ b/k8s/infrastructure/keycloak/helmrelease.yaml 
@@ -0,0 +1,41 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: keycloak +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: keycloak + namespace: keycloak +spec: + interval: 10m + chart: + spec: + chart: keycloak + version: "21.*" + sourceRef: + kind: HelmRepository + name: bitnami + namespace: flux-system + values: + replicaCount: 3 + auth: + existingSecret: keycloak-admin-secret + postgresql: + enabled: false + externalDatabase: + host: pgbouncer.internal + port: 6432 + database: keycloak + existingSecret: keycloak-db-secret + ingress: + enabled: true + annotations: + cert-manager.io/cluster-issuer: "n0ball-tw-issuer" + hostname: keycloak.n0ball.tw + tls: true + extraEnvVars: + - name: KC_PROXY + value: edge diff --git a/k8s/infrastructure/kustomization.yaml b/k8s/infrastructure/kustomization.yaml new file mode 100644 index 0000000..8114e7b --- /dev/null +++ b/k8s/infrastructure/kustomization.yaml @@ -0,0 +1,11 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - helmrepositories.yaml + - longhorn/helmrelease.yaml + - cert-manager/helmrelease.yaml + - cert-manager/clusterissuer.yaml + - cert-manager/wildcard-cert.yaml + - observability/kustomization.yaml + - openldap/helmrelease.yaml + - keycloak/helmrelease.yaml diff --git a/k8s/infrastructure/longhorn/helmrelease.yaml b/k8s/infrastructure/longhorn/helmrelease.yaml new file mode 100644 index 0000000..022e1b2 --- /dev/null +++ b/k8s/infrastructure/longhorn/helmrelease.yaml 
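Review bot: `externalDatabase` sets host, port, database and `existingSecret` but not `user`; the Bitnami chart's default for `externalDatabase.user` is `bn_keycloak` as far as I recall (confirm in the 21.x values), while the bootstrap job in k8s/pg-init/keycloak-db.yaml creates a role named `keycloak`, so the first start would authenticate as a role that does not exist. Add `user: keycloak` and make sure `keycloak-db-secret` stores the password under the key the chart reads (`db-password` by default, overridable via `existingSecretPasswordKey`). `KC_PROXY=edge` through `extraEnvVars` is deprecated since Keycloak 24 in favour of `KC_PROXY_HEADERS=xforwarded`, and the chart already renders a proxy variable from its own `proxy` value, so this likely produces a duplicate env entry; prefer the chart value. Separately, the Bitnami catalog's distribution changed during 2025, so verify that the `21.*` charts and the images they reference are still retrievable before relying on this pin.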
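Review bot: `cert-manager/clusterissuer.yaml` and `cert-manager/wildcard-cert.yaml` are applied in the same Flux Kustomization as the HelmRelease that installs the cert-manager CRDs, so on a fresh cluster the first reconciliations fail with no-matches-for-kind errors until the Helm install finishes; Flux retries and converges eventually, but the ordering is implicit and every later full reconcile of this tree is gated on it. Moving the ClusterIssuer and Certificate (and the releases that expect the issuer) into their own Flux Kustomization with `dependsOn` on this one, as k8s/flux/gotk-sync.yaml already does for `pg-init` and `apps`, makes the dependency explicit. `- observability/kustomization.yaml` references a kustomization file where the sibling k8s/apps/kustomization.yaml lists directories (`gitea/`); `- observability/` is the conventional form, and I am not certain kustomize accepts a Kustomization as a resource file.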
@@ -0,0 +1,27 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: longhorn-system +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: longhorn + namespace: longhorn-system +spec: + interval: 10m + chart: + spec: + chart: longhorn + version: "1.6.*" + sourceRef: + kind: HelmRepository + name: longhorn + namespace: flux-system + values: + defaultSettings: + defaultReplicaCount: 3 + storageMinimalAvailablePercentage: 10 + persistence: + defaultClass: true diff --git a/k8s/infrastructure/observability/kube-prometheus-stack.yaml b/k8s/infrastructure/observability/kube-prometheus-stack.yaml new file mode 100644 index 0000000..030b3ab --- /dev/null +++ b/k8s/infrastructure/observability/kube-prometheus-stack.yaml @@ -0,0 +1,57 @@ +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: kube-prometheus-stack + namespace: observability +spec: + interval: 10m + chart: + spec: + chart: kube-prometheus-stack + version: "65.*" + sourceRef: + kind: HelmRepository + name: prometheus-community + namespace: flux-system + values: + prometheus: + prometheusSpec: + retention: 15d + storageSpec: + volumeClaimTemplate: + spec: + storageClassName: longhorn + accessModes: ["ReadWriteOnce"] + resources: + requests: + storage: 20Gi + additionalScrapeConfigs: + - job_name: "vm-node-exporter" + static_configs: + - targets: + - "192.168.51.201:9100" + - "192.168.100.201:9100" + - "192.168.52.201:9100" + - "192.168.51.203:9100" + - "192.168.51.202:9100" + grafana: + adminPassword: + existingSecret: grafana-admin-secret + ingress: + enabled: true + annotations: + cert-manager.io/cluster-issuer: "n0ball-tw-issuer" + hosts: ["grafana.n0ball.tw"] + tls: + - secretName: grafana-tls + hosts: ["grafana.n0ball.tw"] + alertmanager: + alertmanagerSpec: + storage: + volumeClaimTemplate: + spec: + storageClassName: longhorn + accessModes: ["ReadWriteOnce"] + resources: + requests: + storage: 2Gi 
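Review bot: `grafana.adminPassword` is a plain string in the Grafana chart, not a mapping, so `adminPassword: {existingSecret: …}` either fails templating or renders a literal map representation as the password, and the admin credential is never taken from `grafana-admin-secret`. The chart's form for a pre-created secret is `grafana.admin.existingSecret: grafana-admin-secret`, with `admin.userKey`/`admin.passwordKey` naming the keys (defaults `admin-user`/`admin-password`); verify that the Secret uses those keys. The `vm-node-exporter` job scrapes five VM addresses over plain HTTP, which is fine internally, but a comment mapping each `192.168.*` target to its host would help when an address changes.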
diff --git a/k8s/infrastructure/observability/kustomization.yaml b/k8s/infrastructure/observability/kustomization.yaml new file mode 100644 index 0000000..ce5f4a0 --- /dev/null +++ b/k8s/infrastructure/observability/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - namespace.yaml + - kube-prometheus-stack.yaml + - loki.yaml + - promtail.yaml diff --git a/k8s/infrastructure/observability/loki.yaml b/k8s/infrastructure/observability/loki.yaml new file mode 100644 index 0000000..c0cb84e --- /dev/null +++ b/k8s/infrastructure/observability/loki.yaml @@ -0,0 +1,30 @@ +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: loki + namespace: observability +spec: + interval: 10m + chart: + spec: + chart: loki + version: "6.*" + sourceRef: + kind: HelmRepository + name: grafana + namespace: flux-system + values: + deploymentMode: SingleBinary + loki: + commonConfig: + replication_factor: 1 + storage: + type: filesystem + limits_config: + retention_period: 14d + singleBinary: + replicas: 1 + persistence: + enabled: true + storageClass: longhorn + size: 20Gi diff --git a/k8s/infrastructure/observability/namespace.yaml b/k8s/infrastructure/observability/namespace.yaml new file mode 100644 index 0000000..4f75b8c --- /dev/null +++ b/k8s/infrastructure/observability/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: observability diff --git a/k8s/infrastructure/observability/promtail.yaml b/k8s/infrastructure/observability/promtail.yaml new file mode 100644 index 0000000..43466ff --- /dev/null +++ b/k8s/infrastructure/observability/promtail.yaml 
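Review bot: `limits_config.retention_period: 14d` on its own deletes nothing — Loki enforces retention only when the compactor is enabled for it (`loki.compactor.retention_enabled: true`, plus `delete_request_store: filesystem` on Loki 3.x), so the 20Gi volume will simply fill up. Two further chart-6 specifics to confirm against the version Flux resolves: the chart defaults `loki.auth_enabled` to true, in which case the Promtail client on L13 (which sends no tenant ID) is rejected with a missing-org-ID error, so either set `loki.auth_enabled: false` for this single-tenant install or configure a tenant in Promtail; and chart 6 refuses to render without a `loki.schemaConfig` (or `loki.useTestSchema: true`), which this values block does not provide.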
@@ -0,0 +1,19 @@ +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: promtail + namespace: observability +spec: + interval: 10m + chart: + spec: + chart: promtail + version: "6.*" + sourceRef: + kind: HelmRepository + name: grafana + namespace: flux-system + values: + config: + clients: + - url: http://loki.observability.svc.cluster.local:3100/loki/api/v1/push diff --git a/k8s/infrastructure/openldap/helmrelease.yaml b/k8s/infrastructure/openldap/helmrelease.yaml new file mode 100644 index 0000000..8d0ed91 --- /dev/null +++ b/k8s/infrastructure/openldap/helmrelease.yaml @@ -0,0 +1,32 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: openldap +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: openldap + namespace: openldap +spec: + interval: 10m + chart: + spec: + chart: openldap-stack-ha + version: "4.*" + sourceRef: + kind: HelmRepository + name: openldap + namespace: flux-system + values: + global: + ldapDomain: n0ball.tw + existingSecret: openldap-admin-secret + replicaCount: 3 + persistence: + enabled: true + storageClass: longhorn + size: 10Gi + ltb-passwd: + enabled: false diff --git a/k8s/pg-init/keycloak-db.yaml b/k8s/pg-init/keycloak-db.yaml new file mode 100644 index 0000000..a55c4c9 --- /dev/null +++ b/k8s/pg-init/keycloak-db.yaml 
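Review bot: Promtail has been deprecated upstream with Grafana Alloy as its replacement and its end of support was announced for early 2026 (confirm the date against the commit date of March 2026); since this is a new deployment, starting with Alloy avoids a migration shortly after. The push URL is plain HTTP inside the cluster, which is acceptable here; if the Loki release on L12 keeps the chart's default multi-tenant mode, this client also needs a `tenant_id` or every push is rejected.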
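Review bot: `global.existingSecret: openldap-admin-secret` is set but nothing records the keys the chart reads from it (`LDAP_ADMIN_PASSWORD` and `LDAP_CONFIG_ADMIN_PASSWORD` in helm-openldap, confirm for the 4.x chart); a comment above the line naming them prevents a silently wrong secret. The chart also ships phpLDAPadmin enabled by default alongside `ltb-passwd`; only the latter is disabled here, so add `phpldapadmin: {enabled: false}` unless the web UI is actually wanted. Whether the LDAP listener that Keycloak will bind to is TLS-protected depends on the chart's TLS values, which this release does not touch — worth confirming since directory credentials cross it.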
@@ -0,0 +1,38 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: keycloak-db-init + namespace: pg-init +spec: + ttlSecondsAfterFinished: 300 + template: + spec: + restartPolicy: OnFailure + containers: + - name: db-init + image: postgres:17 + env: + - name: PGHOST + value: pgbouncer.internal + - name: PGPORT + value: "6432" + - name: PGUSER + value: pginit + - name: PGPASSWORD + valueFrom: + secretKeyRef: + name: pg-init-secret + key: password + - name: KC_DB_PASSWORD + valueFrom: + secretKeyRef: + name: keycloak-db-bootstrap-secret + key: password + command: + - bash + - -c + - | + psql -c "CREATE DATABASE keycloak;" || true + psql -c "CREATE USER keycloak WITH PASSWORD '${KC_DB_PASSWORD}';" || true + psql -c "GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;" || true + psql -d keycloak -c "GRANT ALL ON SCHEMA public TO keycloak;" || true diff --git a/k8s/pg-init/kustomization.yaml b/k8s/pg-init/kustomization.yaml new file mode 100644 index 0000000..598d70e --- /dev/null +++ b/k8s/pg-init/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - namespace.yaml + - keycloak-db.yaml + - vaultwarden-db.yaml diff --git a/k8s/pg-init/namespace.yaml b/k8s/pg-init/namespace.yaml new file mode 100644 index 0000000..313fa62 --- /dev/null +++ b/k8s/pg-init/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: pg-init diff --git a/k8s/pg-init/vaultwarden-db.yaml b/k8s/pg-init/vaultwarden-db.yaml new file mode 100644 index 0000000..97af1f4 --- /dev/null +++ b/k8s/pg-init/vaultwarden-db.yaml 
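Review bot: Every statement ends in `|| true`, so an authentication failure against `pgbouncer.internal`, a missing CREATEDB/CREATEROLE privilege on `pginit`, or a typo makes the Job exit 0 and Flux reports `pg-init` healthy while no database exists; the `|| true` was presumably added so re-runs tolerate an existing database or role, which explicit existence checks do without masking real errors. The password is also spliced into SQL by shell expansion inside single quotes, so a generated password containing `'` breaks the `CREATE USER` (and is then masked), and because the statement is skipped once the role exists, a rotated secret is never applied unless an `ALTER USER` is added. Finally, `ttlSecondsAfterFinished: 300` deletes the Job five minutes after completion while the Flux Kustomization keeps re-applying the manifest every 5m, so as far as I can tell this Job is re-created and re-run indefinitely; an idempotent script makes that harmless, but a Job name that includes a content hash or a one-off Kustomization is cleaner. k8s/pg-init/vaultwarden-db.yaml on L15 has the same three issues.
```yaml
          command:
            - bash
            - -c
            - |
              set -euo pipefail
              # Pass the password as a psql variable so quoting is done server-side, not by the shell.
              psql -v ON_ERROR_STOP=1 -v pw="$KC_DB_PASSWORD" <<'SQL'
              SELECT 'CREATE DATABASE keycloak' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'keycloak')\gexec
              SELECT format('CREATE USER keycloak WITH PASSWORD %L', :'pw') WHERE NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'keycloak')\gexec
              GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;
              SQL
              psql -v ON_ERROR_STOP=1 -d keycloak -c "GRANT ALL ON SCHEMA public TO keycloak;"
```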
@@ -0,0 +1,38 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: vaultwarden-db-init + namespace: pg-init +spec: + ttlSecondsAfterFinished: 300 + template: + spec: + restartPolicy: OnFailure + containers: + - name: db-init + image: postgres:17 + env: + - name: PGHOST + value: pgbouncer.internal + - name: PGPORT + value: "6432" + - name: PGUSER + value: pginit + - name: PGPASSWORD + valueFrom: + secretKeyRef: + name: pg-init-secret + key: password + - name: VW_DB_PASSWORD + valueFrom: + secretKeyRef: + name: vaultwarden-db-bootstrap-secret + key: password + command: + - bash + - -c + - | + psql -c "CREATE DATABASE vaultwarden;" || true + psql -c "CREATE USER vaultwarden WITH PASSWORD '${VW_DB_PASSWORD}';" || true + psql -c "GRANT ALL PRIVILEGES ON DATABASE vaultwarden TO vaultwarden;" || true + psql -d vaultwarden -c "GRANT ALL ON SCHEMA public TO vaultwarden;" || true