openproject: update image tag to 38 (done automagically via Woodpecker pipeline)

app-files/apps.yaml

@@ -16,7 +16,6 @@ spec:
   syncPolicy:
     automated:
       prune: false
-      selfHeal: true
 ---
 #apiVersion: argoproj.io/v1alpha1
 #kind: Application
@@ -68,7 +67,6 @@ spec:
     - CreateNamespace=true
     automated:
       prune: true
-      selfHeal: true
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -89,7 +87,6 @@ spec:
     - CreateNamespace=true
     automated:
       prune: true
-      selfHeal: true
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -110,7 +107,6 @@ spec:
     - CreateNamespace=true
     automated:
       prune: true
-      selfHeal: true
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -122,7 +118,7 @@ spec:
   sources:
     - chart: cloudnative-pg
       repoURL: https://cloudnative-pg.io/charts
-      targetRevision: 0.24.0
+      targetRevision: 0.23.2
       helm:
         releaseName: cloudnative-pg
   destination:
@@ -131,7 +127,36 @@ spec:
   syncPolicy:
     syncOptions:
     - CreateNamespace=true
-    - ServerSideApply=true
     automated:
-      prune: true
-      selfHeal: true
+      prune: false
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: aaron-openproject
+  namespace: argocd
+spec:
+  project: default
+  sources:
+    - repoURL: https://charts.openproject.org
+      chart: openproject
+      targetRevision: 9.7.2
+      helm:
+        releaseName: openproject
+        valueFiles:
+          - $values/openproject/values.yaml
+    - repoURL: https://git.ar21.de/aaron/k8s-deployments.git
+      targetRevision: HEAD
+      ref: values
+    - repoURL: https://git.ar21.de/aaron/k8s-deployments.git
+      targetRevision: HEAD
+      path: openproject
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: aaron-openproject
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+    automated:
+      selfHeal: false
+      prune: false

openproject/db.yaml

@@ -0,0 +1,57 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: openproject
+  annotations:
+    cnpg.io/skipEmptyWalArchiveCheck: enabled
+spec:
+  instances: 3
+  storage:
+    size: 1Gi
+  bootstrap:
+    recovery:
+      source: clusterBackup
+      #recoveryTarget:
+      #  targetTime: "2025-02-12 21:00:00.00000+00"
+  backup:
+    barmanObjectStore:
+      destinationPath: "s3://openproject/backups"
+      endpointURL: "https://fsn1.your-objectstorage.com"
+      serverName: "db" # in case of restore change this
+      s3Credentials:
+        accessKeyId:
+          name: openproject-secret
+          key: OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID
+        secretAccessKey:
+          name: openproject-secret
+          key: OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY
+      wal:
+        compression: gzip
+    retentionPolicy: "30d"
+  externalClusters:
+    - name: clusterBackup
+      barmanObjectStore:
+        destinationPath: "s3://openproject/backups"
+        endpointURL: "https://fsn1.your-objectstorage.com"
+        serverName: "db"
+        s3Credentials:
+          accessKeyId:
+            name: openproject-secret
+            key: OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID
+          secretAccessKey:
+            name: openproject-secret
+            key: OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY
+        wal:
+          maxParallel: 8
+          compression: gzip
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+  name: backup-openproject
+spec:
+  immediate: true
+  schedule: "0 0 0 * * *"
+  backupOwnerReference: self
+  cluster:
+    name: openproject

openproject/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+generators:
+  - ./secret-generator.yaml
+resources:
+  - ./db.yaml

openproject/secret-generator.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: secret-generator
+  annotations:
+    config.kubernetes.io/function: |
+      exec:
+        path: ksops
+files:
+  - ./secret.yaml

openproject/secret.yaml

@@ -0,0 +1,51 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: openproject-secret
+    labels:
+        app.kubernetes.io/name: openproject-secret
+        app.kubernetes.io/part-of: openproject
+stringData:
+    OPENPROJECT_OPENID__CONNECT_AUTHENTIK_IDENTIFIER: ENC[AES256_GCM,data:u0EqZSaIBVEavmNVevNcO1ZtlMHZfdXDi4s0Rfjo9NyeIIsN3rHWuQ==,iv:mvhGi5w/kCOQGcTaQz8FOeGBvaP0NSH4DRzFhA5IwQg=,tag:P9CYCymCpWPZ0+0Ujc0rrQ==,type:str]
+    OPENPROJECT_OPENID__CONNECT_AUTHENTIK_SECRET: ENC[AES256_GCM,data:z17lplltjJd+LnmceX9Hdak6BHVaZ1nSHWt4FMiSbCtl02igdA5i3jozUyagwy4y+B5TMrla+BmK5KMFoZsalpThJZjWFcOZyo8BtQOeAEODXnwNg6Sznmhvya4BTEzdzkqbeOIYp/38rkcSUeTDPwo1ca+M9tb2udfvTmIg6FA=,iv:XEOCc5uUu4s5DQTnClCv1W89x4T+TS4zQS/G6V9UedI=,tag:GjY97MANIMAKEOgelbeprQ==,type:str]
+    OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: ENC[AES256_GCM,data:0vVJDBN9yl+K+LAAfvtMMQPX2YM=,iv:7PXtPZsYlOffhJMu4l6MRgBKkC8sI4R+6DFWIGK3rJ8=,tag:4XEdO10j8VXMCDst86KYFw==,type:str]
+    OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY: ENC[AES256_GCM,data:OAZ1embfVUQBorMd69mBaGy0fAI4TEjuwDzCyriWQwtlSr/xsi1ypQ==,iv:eOu/LwYxsoCKbx61gmioLm8Zn1rfIVd2Qsil03r6Kro=,tag:/hRprgV+c9Qpwsbpkdj1xg==,type:str]
+type: Opaque
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age14uxgmvw26e7f82gkvxl0zwnfc5l75rdn5sms4zj0xrtrnlgn4qlsqh3kkt
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6U3ZOaHd3Q21ZbVZudjZp
+            Y1BKMUdhU2ZQU1M2ZVlpNnVLMlRhNnZyTlJvCnI2TWZGR04yTWhUTllwUDI4aVlF
+            d24veFJwSmV0Y2NjL3l5ZW44a0F0d2cKLS0tIDdTMndsTk53Y3Q5WEpiQUFCRHZt
+            QXY5NTYyNldCSnFaQmE1QklTUURETDQKNlWFVA6qHmKDazv48PVygwV4/4cgBtKK
+            IYPcP2N0/T0rDw2ngw4lNdHJ90doTTmlUjiPYDmmfopGOi1XpoG2dQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1z5wtjmk0jw0j9qz9k5rrnp30nzqxrl3v6wgl7eryvqus28zekp4qpx9jc2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlbDlvVldrL2lCMzhsMjg4
+            aHo5aExVWVBDTGl0RGtqUEZQS1JyWGRvZFFnCkNyMzc2WS9aS1doa1Y2R09JM0NJ
+            eWZRbEtNdTN1YWE4N3hqVDRRekZ0cDQKLS0tIE5oT1FCQlY2TDRlM3JSM2p4ckM4
+            bHBpKzUvVi9YbHNNcjZEanVOeXB4SDQKFAV1upJgJzRlXzEB9FEW2sSeebC8dGt8
+            xdfRIMKXn1pnf64N69ZnJ+hbcDvuMPnoSBsZ7W95nF0lItYfDIyHFw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1mraede6gqxkh2rkeq5fjrcflp7emenl2qn885asxvtx5erga2pdqujuexz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUdDEyanpERGpaMFV2cE5n
+            dmg3QjYzNkk3R2c0Yk1OTHlpRlZLRkYrNXlBCjJYdWRNeVVCR1FEVXBoZlJwU0Fn
+            aDFpbG1nbXRUOHBZcG9jMGZqeFM1OUkKLS0tIHZkYkQ0dlN1UDBZajRhVWZXUHVR
+            ci9LK2JjSlVvaDR2UFpwWGZmMDhQbDgKxcvqSMhGzpxoP2OSdjs2KsA9cd36j+xO
+            JYBFmTQnb4oTTzMQZxMAowaiqDt4fLsD6fXcwBnclq2SwAGsOlzvJw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-02-13T20:19:15Z"
+    mac: ENC[AES256_GCM,data:qloZYbT1ht2wTzTVD5O57C/VVHy80yT0bIpB+mSjF9yvvDF38rpUS3FuZFoXoDeyaniCml3IUV3Bww/lHXoHI/nPr70Vsl+Q2n9FdUnD1JKfI/kLqvk+XM5HB8qqY4XFXhjwZOGrbN3v5Stgi+CWb2s8518g8OCSdR8pyaWDSqc=,iv:4v77gZzMfjMYyF4K4BOBCdYbxk0wa3zrruy7VD7Tux0=,tag:50/uxJDqgvaEItqMepWwoA==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.1

openproject/values.yaml

@@ -0,0 +1,58 @@
+image:
+  registry: git.ar21.de
+  repository: aaron/openproject
+  tag: '38'
+appInit:
+  resources:
+    limits:
+      memory: 4Gi
+    requests:
+      memory: 4Gi
+clusterDomain: project.aaronriedel.de
+ingress:
+  annotations:
+    kubernetes.io/tls-acme: 'true'
+  host: project.aaronriedel.de
+  tls:
+    secretName: openproject-tls
+workers:
+  default:
+    replicas: 2
+environment:
+  OPENPROJECT_DISABLE__PASSWORD__LOGIN: true
+openproject:
+  extraEnvVarsSecret: openproject-secret
+  oidc:
+    enabled: true
+    provider: authentik
+    displayName: aaronID
+    host: auth.ar21.de
+    identifier: null
+    secret: null
+    userinfoEndpoint: /application/o/userinfo/
+    tokenEndpoint: /application/o/token/
+    authorizationEndpoint: /application/o/authorize/
+    endSessionEndpoint: /application/o/openproject/end-session/
+    scope: '[openid email profile]'
+persistence:
+  enabled: false
+s3:
+  enabled: true
+  region: fsn1
+  bucketName: openproject
+  endpoint: https://fsn1.your-objectstorage.com
+  pathStyle: true
+  enableSignatureV4Streaming: false
+  directUploads: false
+postgresql:
+  bundled: false
+  connection:
+    host: openproject-rw.aaron-openproject.svc.cluster.local
+    port: 5432
+  auth:
+    existingSecret: openproject-app
+    secretKeys:
+      adminPasswordKey: password
+      userPasswordKey: password
+    username: app
+    database: app

renovate.json

@@ -1,13 +1,10 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "dependencyDashboard": true,
-  "enabledManagers": [
-    "argocd"
-  ],
+  "enabledManagers": ["argocd"],
   "argocd": {
-    "managerFilePatterns": [
-      "/^app-files/apps\\.yaml$/"
-    ]
+    "fileMatch": ["^app-files/apps\\.yaml$"]
   },
-  "packageRules": []
+  "packageRules": [
+  ]
 }