

No commits in common. "main" and "30_openproject_prod" have entirely different histories.

10 changed files with 308 additions and 15 deletions


@ -16,7 +16,6 @@ spec:
syncPolicy:
automated:
prune: false
selfHeal: true
---
#apiVersion: argoproj.io/v1alpha1
#kind: Application
@ -51,6 +50,41 @@ spec:
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: aaron-drone-runner
namespace: argocd
spec:
project: default
sources:
- chart: drone-runner-kube
repoURL: https://charts.drone.io
targetRevision: 0.1.10
helm:
releaseName: drone-runner
values: |
extraSecretNamesForEnvFrom:
- drone-secrets
rbac:
buildNamespaces:
- aaron-drone
env:
DRONE_RPC_HOST: drone.ar21.de
DRONE_RPC_PROTO: https
DRONE_NAMESPACE_DEFAULT: drone
- repoURL: https://git.ar21.de/aaron/k8s-deployments.git
targetRevision: HEAD
path: drone
destination:
server: https://kubernetes.default.svc
namespace: aaron-drone
syncPolicy:
syncOptions:
- CreateNamespace=true
automated:
prune: false
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: aaron-hoylogo
namespace: argocd
@ -68,7 +102,6 @@ spec:
- CreateNamespace=true
automated:
prune: true
selfHeal: true
---
apiVersion: argoproj.io/v1alpha1
kind: Application
@ -89,7 +122,6 @@ spec:
- CreateNamespace=true
automated:
prune: true
selfHeal: true
---
apiVersion: argoproj.io/v1alpha1
kind: Application
@ -110,7 +142,6 @@ spec:
- CreateNamespace=true
automated:
prune: true
selfHeal: true
---
apiVersion: argoproj.io/v1alpha1
kind: Application
@ -122,7 +153,7 @@ spec:
sources:
- chart: cloudnative-pg
repoURL: https://cloudnative-pg.io/charts
targetRevision: 0.24.0
targetRevision: 0.23.0
helm:
releaseName: cloudnative-pg
destination:
@ -131,7 +162,36 @@ spec:
syncPolicy:
syncOptions:
- CreateNamespace=true
- ServerSideApply=true
automated:
prune: true
selfHeal: true
prune: false
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: aaron-openproject
namespace: argocd
spec:
project: default
sources:
- repoURL: https://charts.openproject.org
chart: openproject
targetRevision: 9.6.0
helm:
releaseName: openproject
valueFiles:
- $values/openproject/values.yaml
- repoURL: https://git.ar21.de/aaron/k8s-deployments.git
targetRevision: HEAD
ref: values
- repoURL: https://git.ar21.de/aaron/k8s-deployments.git
targetRevision: HEAD
path: openproject
destination:
server: https://kubernetes.default.svc
namespace: aaron-openproject
syncPolicy:
syncOptions:
- CreateNamespace=true
automated:
selfHeal: false
prune: false
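Review bot: The cloudnative-pg Application loses `- ServerSideApply=true` from `syncOptions` in the hunk at @ -131,7 +162,36 (the counts leave three removed lines, and that option is the only syncOptions entry not carried over), while the hunk before it moves the chart from 0.24.0 to 0.23.0. CloudNativePG's CRDs are large enough that a client-side apply of the operator chart typically fails on the `last-applied-configuration` annotation size limit ("metadata.annotations: Too long"), so keep `- ServerSideApply=true` there, and consider the same option on the new aaron-openproject Application since db.yaml is a CNPG Cluster. The same hunk and the hunks at @ -16,7, @ -68,7, @ -89,7 and @ -110,7 also drop `selfHeal: true` and flip `prune` to false; that is a defensible choice for a prod branch, but it means drift in aaron-openproject (`selfHeal: false`, `prune: false`) is only reported, never corrected, which is worth a one-line comment on that Application. Which printed line is old and which is new is inferred from the hunk counts and the old-then-new print order.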

5
drone/kustomization.yaml Normal file

@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
generators:
- ./secret-generator.yaml


@ -0,0 +1,11 @@
---
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
name: secret-generator
annotations:
config.kubernetes.io/function: |
exec:
path: ksops
files:
- ./secret.yaml

45
drone/secret.yaml Normal file

@ -0,0 +1,45 @@
apiVersion: v1
kind: Secret
metadata:
name: drone-secrets
type: Opaque
data:
DRONE_RPC_SECRET: ENC[AES256_GCM,data:jrF3Y4c6HVYse2h8MhzPMTfLhD2VLmAGyr4yxjf0gFspTAVLcYwNtoJbjnI=,iv:7xGbWm5exOTDYJc3Uwj++9HWheyJI+F0SypeAmK7HcI=,tag:ksWv+zzc8fH9a193cNwYXA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age14uxgmvw26e7f82gkvxl0zwnfc5l75rdn5sms4zj0xrtrnlgn4qlsqh3kkt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4cWRBQzFHTzR0WUNhc0Rl
dWlaTE9BTUFBb250c1ZaVjRrVUY3MjBXcDNjCmgwMjRzcFlmc3NhRUhkdHJHa3BV
bis5VWNCY1JFZ0ZpcjhJUWcxZXluZ0kKLS0tIFk1NnhSMWxvZ0JuSTFTV1lwY1Na
UW1YSVplRWNZc0o2UjNDUG5CUncvbk0KR/UDgABlTT4wA7CcE31LkPOMk7sXM6jr
rccWRqlgEyvD3AgRPQNUEZ/3nJbORhFLDt8jxsT4POFsDtZvxH1f2g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1z5wtjmk0jw0j9qz9k5rrnp30nzqxrl3v6wgl7eryvqus28zekp4qpx9jc2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTYkljMUlGZmtnNTU4dnR2
dXFyMkNUeFVHMENZa3d0a3MxNGpyYlhSS0VBClVXaXBVTU9GWkNjWk9OakNxakJK
a29VNzZ1UGFqNFhWclRONUw5dFo0WVUKLS0tIEQzS2ZxeldzZFY0cWlvRzIvVkl1
MGJpczFOcThtTlVrSUROMytRNVVkc0kK0iO5dHZA/PhRGczCqFa1frXGMfJE30Cq
ZVfX5HcndP/87F5dv8FO2A9EJz4riz/TjuOpxIUhinDul7JI0T4KQw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mraede6gqxkh2rkeq5fjrcflp7emenl2qn885asxvtx5erga2pdqujuexz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBUXREYjJEUmVwZ1ZTTmZh
cnp4K3dYdmczQ3o5RWFzMlF3NTRrOHFaSzA4CnBFbXk2MXVpVUxudXBMRWJwQ0JW
S2M3UEp1Qys3L0J1KzNsV1R3d05zamcKLS0tIDhMaDFmeG1vZWkzWDBKWGVoNWJS
REFDWXpDUkVkSnkzSmNiMzd6a2ZsbUEKFoDTBpjI/VCPCeqE+hVNk0zswNEWbnNw
TTwVfQ1xOXD5FeH8B+9zHo14UTi/Cp9T4OIcYNduKar7K0rQLlgz6A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-02-13T20:19:15Z"
mac: ENC[AES256_GCM,data:kCdPeuBOut4sXFYcp5uStaERQL8steUy1MZ51hWlP7sDfHpoKIV2oEEbRDlVy/2+no58WfH161J8gy5dw+B+ambwkcBShUA3D8yR8akX3ZlCSPR+Xp/KsUrtM5CtBmWpCiaI+0RZUnEXcRRWYPzHA4g2Hmrlg5mMmcD63zmV100=,iv:nXWlCN+DNLovf26fyCMDc0GmVtCaKB18pZUVpbqfjzw=,tag:QNT0A0SN8Vt992WAukNpmA==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.9.1

44
openproject/db.yaml Normal file

@ -0,0 +1,44 @@
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: openproject
spec:
instances: 3
storage:
size: 1Gi
# bootstrap:
# recovery:
# source: clusterBackup
# recoveryTarget:
# targetTime: "2025-02-12 21:00:00.00000+00"
backup:
barmanObjectStore:
destinationPath: "s3://openproject/backups"
endpointURL: "https://fsn1.your-objectstorage.com"
serverName: "new-openproject"
s3Credentials:
accessKeyId:
name: openproject-secret
key: OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID
secretAccessKey:
name: openproject-secret
key: OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY
wal:
compression: gzip
retentionPolicy: "30d"
# externalClusters:
# - name: clusterBackup
# barmanObjectStore:
# destinationPath: "s3://openproject/backups"
# endpointURL: "https://fsn1.your-objectstorage.com"
# serverName: openproject
# s3Credentials:
# accessKeyId:
# name: openproject-secret
# key: OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID
# secretAccessKey:
# name: openproject-secret
# key: OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY
# wal:
# maxParallel: 8
# compression: gzip
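Review bot: `spec.backup.barmanObjectStore` only sets up the object store and continuous WAL archiving; nothing in this file or in openproject/kustomization.yaml creates a base backup, and CloudNativePG takes base backups only from a `Backup` or `ScheduledBackup` resource, so `retentionPolicy: "30d"` has nothing to prune and the commented-out `bootstrap.recovery` with its `targetTime` cannot be used until at least one base backup exists. Add a `ScheduledBackup` for cluster `openproject` next to db.yaml (for example `schedule: "0 0 2 * * *"` — CNPG uses a six-field cron with seconds) and list it under `resources` in the kustomization. `serverName: "new-openproject"` next to the commented `serverName: openproject` in `externalClusters` looks deliberate (a fresh server name writing beside the old server's backups in the same bucket), but a comment saying so would stop someone from "fixing" it. `storage.size: 1Gi` across `instances: 3` for a production OpenProject database is tight; presumably a placeholder — confirm.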


@ -0,0 +1,7 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
generators:
- ./secret-generator.yaml
resources:
- ./db.yaml


@ -0,0 +1,11 @@
---
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
name: secret-generator
annotations:
config.kubernetes.io/function: |
exec:
path: ksops
files:
- ./secret.yaml

51
openproject/secret.yaml Normal file

@ -0,0 +1,51 @@
apiVersion: v1
kind: Secret
metadata:
name: openproject-secret
labels:
app.kubernetes.io/name: openproject-secret
app.kubernetes.io/part-of: openproject
stringData:
OPENPROJECT_OPENID__CONNECT_AUTHENTIK_IDENTIFIER: ENC[AES256_GCM,data:u0EqZSaIBVEavmNVevNcO1ZtlMHZfdXDi4s0Rfjo9NyeIIsN3rHWuQ==,iv:mvhGi5w/kCOQGcTaQz8FOeGBvaP0NSH4DRzFhA5IwQg=,tag:P9CYCymCpWPZ0+0Ujc0rrQ==,type:str]
OPENPROJECT_OPENID__CONNECT_AUTHENTIK_SECRET: ENC[AES256_GCM,data:z17lplltjJd+LnmceX9Hdak6BHVaZ1nSHWt4FMiSbCtl02igdA5i3jozUyagwy4y+B5TMrla+BmK5KMFoZsalpThJZjWFcOZyo8BtQOeAEODXnwNg6Sznmhvya4BTEzdzkqbeOIYp/38rkcSUeTDPwo1ca+M9tb2udfvTmIg6FA=,iv:XEOCc5uUu4s5DQTnClCv1W89x4T+TS4zQS/G6V9UedI=,tag:GjY97MANIMAKEOgelbeprQ==,type:str]
OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: ENC[AES256_GCM,data:0vVJDBN9yl+K+LAAfvtMMQPX2YM=,iv:7PXtPZsYlOffhJMu4l6MRgBKkC8sI4R+6DFWIGK3rJ8=,tag:4XEdO10j8VXMCDst86KYFw==,type:str]
OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY: ENC[AES256_GCM,data:OAZ1embfVUQBorMd69mBaGy0fAI4TEjuwDzCyriWQwtlSr/xsi1ypQ==,iv:eOu/LwYxsoCKbx61gmioLm8Zn1rfIVd2Qsil03r6Kro=,tag:/hRprgV+c9Qpwsbpkdj1xg==,type:str]
type: Opaque
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age14uxgmvw26e7f82gkvxl0zwnfc5l75rdn5sms4zj0xrtrnlgn4qlsqh3kkt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6U3ZOaHd3Q21ZbVZudjZp
Y1BKMUdhU2ZQU1M2ZVlpNnVLMlRhNnZyTlJvCnI2TWZGR04yTWhUTllwUDI4aVlF
d24veFJwSmV0Y2NjL3l5ZW44a0F0d2cKLS0tIDdTMndsTk53Y3Q5WEpiQUFCRHZt
QXY5NTYyNldCSnFaQmE1QklTUURETDQKNlWFVA6qHmKDazv48PVygwV4/4cgBtKK
IYPcP2N0/T0rDw2ngw4lNdHJ90doTTmlUjiPYDmmfopGOi1XpoG2dQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1z5wtjmk0jw0j9qz9k5rrnp30nzqxrl3v6wgl7eryvqus28zekp4qpx9jc2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlbDlvVldrL2lCMzhsMjg4
aHo5aExVWVBDTGl0RGtqUEZQS1JyWGRvZFFnCkNyMzc2WS9aS1doa1Y2R09JM0NJ
eWZRbEtNdTN1YWE4N3hqVDRRekZ0cDQKLS0tIE5oT1FCQlY2TDRlM3JSM2p4ckM4
bHBpKzUvVi9YbHNNcjZEanVOeXB4SDQKFAV1upJgJzRlXzEB9FEW2sSeebC8dGt8
xdfRIMKXn1pnf64N69ZnJ+hbcDvuMPnoSBsZ7W95nF0lItYfDIyHFw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mraede6gqxkh2rkeq5fjrcflp7emenl2qn885asxvtx5erga2pdqujuexz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUdDEyanpERGpaMFV2cE5n
dmg3QjYzNkk3R2c0Yk1OTHlpRlZLRkYrNXlBCjJYdWRNeVVCR1FEVXBoZlJwU0Fn
aDFpbG1nbXRUOHBZcG9jMGZqeFM1OUkKLS0tIHZkYkQ0dlN1UDBZajRhVWZXUHVR
ci9LK2JjSlVvaDR2UFpwWGZmMDhQbDgKxcvqSMhGzpxoP2OSdjs2KsA9cd36j+xO
JYBFmTQnb4oTTzMQZxMAowaiqDt4fLsD6fXcwBnclq2SwAGsOlzvJw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-02-13T20:19:15Z"
mac: ENC[AES256_GCM,data:qloZYbT1ht2wTzTVD5O57C/VVHy80yT0bIpB+mSjF9yvvDF38rpUS3FuZFoXoDeyaniCml3IUV3Bww/lHXoHI/nPr70Vsl+Q2n9FdUnD1JKfI/kLqvk+XM5HB8qqY4XFXhjwZOGrbN3v5Stgi+CWb2s8518g8OCSdR8pyaWDSqc=,iv:4v77gZzMfjMYyF4K4BOBCdYbxk0wa3zrruy7VD7Tux0=,tag:50/uxJDqgvaEItqMepWwoA==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.9.1

62
openproject/values.yaml Normal file

@ -0,0 +1,62 @@
image:
registry: git.ar21.de
repository: aaron/openproject
tag: '30'
appInit:
resources:
limits:
memory: 4Gi
requests:
memory: 4Gi
clusterDomain: project.aaronriedel.de
ingress:
annotations:
kubernetes.io/tls-acme: 'true'
host: project.aaronriedel.de
tls:
secretName: openproject-tls
workers:
default:
replicas: 2
environment:
OPENPROJECT_DISABLE__PASSWORD__LOGIN: true
openproject:
admin_user:
password_reset: 'true'
name: Aaron Riedel
mail: aaron@ar21.de
extraEnvVarsSecret: openproject-secret
oidc:
enabled: true
provider: authentik
displayName: aaronID
host: auth.ar21.de
identifier: null
secret: null
userinfoEndpoint: /application/o/userinfo/
tokenEndpoint: /application/o/token/
authorizationEndpoint: /application/o/authorize/
endSessionEndpoint: /application/o/openproject/end-session/
scope: '[openid email profile]'
persistence:
enabled: false
s3:
enabled: true
region: fsn1
bucketName: openproject
endpoint: https://fsn1.your-objectstorage.com
pathStyle: true
enableSignatureV4Streaming: false
directUploads: false
postgresql:
bundled: false
connection:
host: openproject-rw.openproject.svc.cluster.local
port: 5432
auth:
existingSecret: openproject-app
secretKeys:
adminPasswordKey: password
userPasswordKey: password
username: app
database: app
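Review bot: `postgresql.connection.host: openproject-rw.openproject.svc.cluster.local` names the namespace `openproject`, but the Cluster in db.yaml carries no namespace and the aaron-openproject Application deploys everything into `aaron-openproject`, so the `-rw` service would be `openproject-rw.aaron-openproject.svc.cluster.local` (or just `openproject-rw`, since the app runs in the same namespace) — unless the database is intentionally kept in a separate `openproject` namespace. `environment.OPENPROJECT_DISABLE__PASSWORD__LOGIN: true` is a bare YAML boolean while the neighbouring flags (`password_reset: 'true'`, `kubernetes.io/tls-acme: 'true'`) are quoted; container env values must be strings, so write `OPENPROJECT_DISABLE__PASSWORD__LOGIN: 'true'` unless the chart is known to stringify it. With password login disabled, `oidc.identifier`/`oidc.secret` left `null` and the real values supplied only through `extraEnvVarsSecret`, and the Application set to `selfHeal: false`, a wrong OIDC secret locks out every user including the admin; a comment pointing at the `OPENPROJECT_OPENID__CONNECT_AUTHENTIK_*` keys in openproject-secret and at the recovery path would help the next operator.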


@ -1,13 +1,10 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"dependencyDashboard": true,
"enabledManagers": [
"argocd"
],
"enabledManagers": ["argocd"],
"argocd": {
"managerFilePatterns": [
"/^app-files/apps\\.yaml$/"
]
"fileMatch": ["^app-files/apps\\.yaml$"]
},
"packageRules": []
"packageRules": [
]
}
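Review bot: The new side of the `argocd` block replaces `managerFilePatterns` (with its regex form `/^app-files/apps\\.yaml$/`) by `fileMatch`, which recent Renovate releases have deprecated in favour of `managerFilePatterns` and auto-migrate with a config warning; if this branch is meant to land in main, keep `"managerFilePatterns": ["/^app-files/apps\\.yaml$/"]`. Which side is new is inferred from the hunk counts (7 removed, 4 added) and the old-then-new print order. The re-wrapped `"packageRules": [` / `]` over two lines is also a style regression relative to `"packageRules": []`.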