diff --git a/app-files/apps.yaml b/app-files/apps.yaml
index 2727540..2287c4e 100644
--- a/app-files/apps.yaml
+++ b/app-files/apps.yaml
@@ -164,3 +164,73 @@ spec:
 - CreateNamespace=true
 automated:
 prune: false
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: openproject
+ namespace: argocd
+spec:
+ project: default
+ sources:
+ - repoURL: https://charts.openproject.org
+ chart: openproject
+ targetRevision: 8.3.2
+ helm:
+ releaseName: openproject
+ values: |
+ clusterDomain: "project.aaronriedel.de"
+ ingress:
+ annotations:
+ kubernetes.io/tls-acme: "true"
+ host: "project.aaronriedel.de"
+ workers:
+ default:
+ replicas: 2
+ openproject:
+ oidc:
+ enabled: true
+ provider: "Keycloak"
+ displayName: "aaronID"
+ host: "auth.ar21.de"
+ existingSecret: openproject-secret
+ userinfoEndpoint: "https://auth.ar21.de/application/o/userinfo/"
+ tokenEndpoint: "https://auth.ar21.de/application/o/token/"
+ authorizationEndpoint: "https://auth.ar21.de/application/o/authorize/"
+ endSessionEndpoint: "https://auth.ar21.de/application/o/openproject/end-session/"
+ persistence:
+ enabled: false
+ s3:
+ enabled: true
+ auth:
+ existingSecret: openproject-s3
+ region: fsn1
+ bucketName: openproject
+ endpoint: https://fsn1.your-objectstorage.com
+ pathStyle: true
+ enableSignatureV4Streaming: false
+ directUploads: false
+ postgresql:
+ bundled: false
+ connection:
+ host: openproject-rw.openproject.svc.cluster.local
+ port: 5432
+ auth:
+ existingSecret: openproject-app
+ secretKeys:
+ adminPasswordKey: "password"
+ userPasswordKey: "password"
+ username: "app"
+ database: "app"
+ - repoURL: https://git.ar21.de/aaron/k8s-deployments.git
+ targetRevision: HEAD
+ path: openproject
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: openproject
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ selfHeal: true
+ prune: false
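Review bot: The second source in the new `openproject` Application tracks `targetRevision: HEAD` while `automated.selfHeal: true` is set, so whatever lands on the default branch of the k8s-deployments repository under `path: openproject` is applied to the cluster with no pinned, reviewable revision. That path holds the ksops exec generator and the encrypted secrets. The chart source is pinned (`targetRevision: 8.3.2`) but the git source is not; pinning it to a tag or commit, e.g. `targetRevision: <tag-or-commit-sha>`, would make each rollout an explicit change. The Application also sits in `project: default`, which in a stock Argo CD install does not restrict source repositories or destinations. Unless that project has been tightened elsewhere, a dedicated AppProject limited to these two `repoURL`s and the `openproject` namespace would narrow what this Application can deploy.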
diff --git a/openproject/db.yaml b/openproject/db.yaml
new file mode 100644
index 0000000..661b3c1
--- /dev/null
+++ b/openproject/db.yaml
@@ -0,0 +1,9 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: openproject
+ namespace: openproject
+spec:
+ instances: 3
+ storage:
+ size: 1Gi
diff --git a/openproject/kustomization.yaml b/openproject/kustomization.yaml
new file mode 100644
index 0000000..d507cbe
--- /dev/null
+++ b/openproject/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+generators:
+ - ./secret-generator.yaml
+resources:
+ - ./db.yaml
diff --git a/openproject/secret-generator.yaml b/openproject/secret-generator.yaml
new file mode 100644
index 0000000..7f9b73e
--- /dev/null
+++ b/openproject/secret-generator.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+ name: secret-generator
+ annotations:
+ config.kubernetes.io/function: |
+ exec:
+ path: ksops
+files:
+ - ./secret.yaml
diff --git a/openproject/secret.yaml b/openproject/secret.yaml
new file mode 100644
index 0000000..ccab261
--- /dev/null
+++ b/openproject/secret.yaml
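Review bot: In openproject/db.yaml the Cluster spec sets only `instances: 3` and `storage.size: 1Gi`, so as far as this hunk shows the database holding all OpenProject data has no backup or WAL-archive configuration and runs whichever PostgreSQL image the operator defaults to. Three replicas cover node loss but not deletion, corruption or a bad migration. Add a `backup` stanza with an object store and retention, and pin the image with `imageName`, unless both come from configuration not visible in this commit. A 1Gi volume also leaves little headroom for WAL, and a full volume stops the primary. The file also lacks the leading `---` that the other new manifests in this commit carry.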
@@ -0,0 +1,83 @@ +apiVersion: v1 +kind: Secret +metadata: + name: openproject-secret + namespace: openproject + labels: + app.kubernetes.io/name: openproject-secret + app.kubernetes.io/part-of: openproject +stringData: + clientId: ENC[AES256_GCM,data:pNsfXlI13/jOdNXbtzTrk0oYB2viicauXdzVtjljC8pd9qFXCQrnrA==,iv:x6HGIX29SedgGJiRCHwIFAXbA9ucnpO+QS1Xlgsbdks=,tag:3A53qjsmJJin2+9AA/MAuQ==,type:str] + clientSecret: ENC[AES256_GCM,data:dlBFp8ImgzMIpymOesrCgNBnSHkVHH/PZwMTJ2tXVjpHXnif7AAx5VMbsvk6dpDxRQPX8RTBzTVqhJbHv87Bqso3vwu7K/tjstf+iBIpTHfz6O0u5Qc6f1/ZJorb1mMk0nB3+MOZuOnVv/LkkDv7LCa6R2HSkzALZMvmLIhMuiI=,iv:NpkQxa0DhvJOCF831KeEq35wxqQ6v6/TJpM87Gnpzbc=,tag:2JcM1oAmY3HqWNVl2AAnyA==,type:str] +type: Opaque +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age14uxgmvw26e7f82gkvxl0zwnfc5l75rdn5sms4zj0xrtrnlgn4qlsqh3kkt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByT0xDY1ZMNUtydlZqNyt4 + RGZhYTJCaTdoaUNDcUU3c2djUFFrb1NPWmdBClM4ZXZ6aUU0WU1NdmFLYWlHUVBy + VlU0VlZnRnQwenJPdGRSTFBac1ZlSTgKLS0tIGowNGZBZjgyMGxJbTZvOWRLS2Jr + ZTczeDVvYytjK0dzUDY0QXdaUlVyN3cKM+tC9agxFrnjpfPXoNXxCinTNXJ2gHyO + xmkLs958EAJZ8LuFfne01Sak/7ojRny+PzKb9TudIggCUoxAW8S0+w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1z5wtjmk0jw0j9qz9k5rrnp30nzqxrl3v6wgl7eryvqus28zekp4qpx9jc2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxU2dyTnc3eCtSNFVBeFQ3 + bTFndGdUYXVTdnpnRTJVQjI3Z0RRZ0FkQzJ3CjZ6ZHBpU2w1MDRFUzJQL1FKS1Ex + N011MUcyY0hlV0lYREo3Tmhhc1NXZG8KLS0tIGZpa3IyU244OXRGZ1hQdVlJbzZr + cEk2ZEp3UzArK1NEL0E2Zkwzd1dnMW8KWWQ861ukoDUh7l1iFBnnrsInQWfeYgD9 + d1y8yHr1kLZX66xg9erbaQbA+xtRRD+5sctypxJWPNkDO+rW+pfrAQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-04T21:12:27Z" + mac: 
ENC[AES256_GCM,data:wI/Z9/ilDAoIeYmRDwqa6cm7vnOyCKLPV3rxinVO8hhP3aVQisIJlKZH5iSZTAqE+bF0451Sqj8Ei00CiH/OXl8z7s92HeE2z2paHO51SutcLUM1RttKBcWsmdGnSvpqatlED9gziAeT487V3yECts+BS2zHppTtf+DRhjYVrd0=,iv:Pt4Jq1LFAJZo9oQmcv3PTDHmRb2HWI+gGUH/gzIuQ5s=,tag:PIcgRGoIm1tmaR6kRRIb0A==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.0 +--- +apiVersion: v1 +kind: Secret +metadata: + name: openproject-s3 + namespace: openproject + labels: + app.kubernetes.io/name: openproject-s3 + app.kubernetes.io/part-of: openproject +stringData: + accessKeyId: ENC[AES256_GCM,data:vp+0gIUcQ1zFZZ+FzMsjrIEnLJQ=,iv:1vO4ZESGnGHpf/Jy3mQdrRwv7DgRv2bJNppKQ+Qpi6A=,tag:1DHkZJ9bpc9P4nd2O/3nkg==,type:str] + secretAccessKey: ENC[AES256_GCM,data:ppZZ3LRQKOKeBzj4OUuiQLFDxKA1MQm8HhhdoLdpOaTDHVmxlCgRDw==,iv:oZPdTGkNPdjU4rqO6IjZcrI9t0yhlkIqHFKUTBOBr0M=,tag:M5LK3hdw8hCJ7i/tQsmj4A==,type:str] +type: Opaque +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age14uxgmvw26e7f82gkvxl0zwnfc5l75rdn5sms4zj0xrtrnlgn4qlsqh3kkt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByT0xDY1ZMNUtydlZqNyt4 + RGZhYTJCaTdoaUNDcUU3c2djUFFrb1NPWmdBClM4ZXZ6aUU0WU1NdmFLYWlHUVBy + VlU0VlZnRnQwenJPdGRSTFBac1ZlSTgKLS0tIGowNGZBZjgyMGxJbTZvOWRLS2Jr + ZTczeDVvYytjK0dzUDY0QXdaUlVyN3cKM+tC9agxFrnjpfPXoNXxCinTNXJ2gHyO + xmkLs958EAJZ8LuFfne01Sak/7ojRny+PzKb9TudIggCUoxAW8S0+w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1z5wtjmk0jw0j9qz9k5rrnp30nzqxrl3v6wgl7eryvqus28zekp4qpx9jc2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxU2dyTnc3eCtSNFVBeFQ3 + bTFndGdUYXVTdnpnRTJVQjI3Z0RRZ0FkQzJ3CjZ6ZHBpU2w1MDRFUzJQL1FKS1Ex + N011MUcyY0hlV0lYREo3Tmhhc1NXZG8KLS0tIGZpa3IyU244OXRGZ1hQdVlJbzZr + cEk2ZEp3UzArK1NEL0E2Zkwzd1dnMW8KWWQ861ukoDUh7l1iFBnnrsInQWfeYgD9 + d1y8yHr1kLZX66xg9erbaQbA+xtRRD+5sctypxJWPNkDO+rW+pfrAQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-04T21:12:27Z" + mac: 
ENC[AES256_GCM,data:wI/Z9/ilDAoIeYmRDwqa6cm7vnOyCKLPV3rxinVO8hhP3aVQisIJlKZH5iSZTAqE+bF0451Sqj8Ei00CiH/OXl8z7s92HeE2z2paHO51SutcLUM1RttKBcWsmdGnSvpqatlED9gziAeT487V3yECts+BS2zHppTtf+DRhjYVrd0=,iv:Pt4Jq1LFAJZo9oQmcv3PTDHmRb2HWI+gGUH/gzIuQ5s=,tag:PIcgRGoIm1tmaR6kRRIb0A==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.0