squash all

Mostly copied over from my old repo and modified for app of apps.
Cleaning up the mess from migration

Signed-off-by: gwg313 <gwg313@pm.me>

bytestash/bytestash-peer-auth.yaml

@@ -0,0 +1,8 @@
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+  name: strict-mtls
+  namespace: bytestash
+spec:
+  mtls:
+    mode: STRICT

bytestash/bytestash-secret-sealed.yaml

@@ -0,0 +1,15 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: bytestash-secret
+  namespace: bytestash
+spec:
+  encryptedData:
+    JWT_SECRET_KEY: AgBhyqlrAr9hDaCZ7yPbZZuXtZMeqbMqd0LXWwT8nlEpTY0Tk7LLwjdv6DoY3gvj0Jbgcoa+Edgg6HywykouVAqe2i6HbDwWOPVjRw5K1GA7y7jlb8IOP2D7ZJN8sKW7MUfhmmraN0piuvpCMVl/NHbT1XfQq4mym/PChHcD4Ju+lNMfFWkHNZtXf/9tpYcTa3cmREf0uBFQRNQFP2TaUx8X+QmzIIdoGaqZA+Jud2HkTHymsRhn7fSK3smaJecw/y7IR4ohNcJ17FqOyaqbnQ/MUzB+aprFKjBOnVmZwbWSjJYWPN1nx6NPndmk8X3Q3XeB50WnoAhqNSwI6a58wo/zVHyM5B3Q+L9slCWd8t27z+Jv7Y8zRFl137dbhDBcrHf73miNnaK5x0b741Bv3yDakJG+DrU5YlmGH2/t4XBZjMMRxF4y0CgdT+DN+cZrkbkATHIQWZARmLTqYfig/2D+PfKhrniE4Tfq3V2gLN12Kwf09fqM02Uo2faOya6QF3fvGGZx3QXiDrzPMthLuvk1JqPqU98fNKniS8x7/q1LdHH6ga5wyXyGk76tl540p+kdY2sAi7K5/VAw0QM6A+6EHXJJgZ4bdd02eB0F1/lCKcCzZhs5lIjBu0r/d81wYlId6GtMvXZiMfsbMS9a7evGl20PXAn2C5KxWfyyyIX3wn7JIAxiOdGwPUOI6E4/LCJSnzlfBa7SWFrMHAjniNyQOLB0S9amtHwDDt6j
+  template:
+    metadata:
+      creationTimestamp: null
+      name: bytestash-secret
+      namespace: bytestash
+    type: Opaque

bytestash/certificate.yaml

@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: bytestash-cert
+  namespace: istio-system
+spec:
+  secretName: bytestash-cert
+  issuerRef:
+    name: letsencrypt-dns
+    kind: ClusterIssuer
+  commonName: bytestash.local.gwg313.xyz
+  dnsNames:
+    - bytestash.local.gwg313.xyz

bytestash/configmap.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: bytestash-config
+  namespace: bytestash
+data:
+  BASE_PATH: ""
+  TOKEN_EXPIRY: "24h"
+  ALLOW_NEW_ACCOUNTS: "true"
+  DEBUG: "true"
+  DISABLE_ACCOUNTS: "false"
+  DISABLE_INTERNAL_ACCOUNTS: "false"
+  OIDC_ENABLED: "false"
+  OIDC_DISPLAY_NAME: ""
+  OIDC_ISSUER_URL: ""
+  OIDC_CLIENT_ID: ""
+  OIDC_CLIENT_SECRET: ""
+  OIDC_SCOPES: ""

bytestash/deployment.yaml

@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bytestash
+  namespace: bytestash
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: bytestash
+  template:
+    metadata:
+      labels:
+        app: bytestash
+      annotations:
+        sidecar.istio.io/inject: "true"
+    spec:
+      securityContext:
+        runAsNonRoot: false
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: bytestash
+          image: "ghcr.io/jordan-dalby/bytestash:latest"
+          ports:
+            - containerPort: 5000
+          envFrom:
+            - configMapRef:
+                name: bytestash-config
+            - secretRef:
+                name: bytestash-secret
+          volumeMounts:
+            - name: bytestash-storage
+              mountPath: /data/snippets
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: false
+            capabilities:
+              drop: ["ALL"]
+      volumes:
+        - name: bytestash-storage
+          persistentVolumeClaim:
+            claimName: bytestash-pvc

bytestash/gateway.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+  name: bytestash-gateway
+  namespace: bytestash
+spec:
+  selector:
+    istio: gateway
+  servers:
+    - port:
+        number: 443
+        name: https
+        protocol: HTTPS
+      hosts:
+        - "bytestash.local.gwg313.xyz"
+      tls:
+        mode: SIMPLE
+        credentialName: bytestash-cert

bytestash/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: bytestash

bytestash/service.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: bytestash
+  namespace: bytestash
+spec:
+  selector:
+    app: bytestash
+  ports:
+    - port: 80
+      targetPort: 5000

bytestash/storage.yaml

@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: bytestash-pv
+spec:
+  capacity:
+    storage: 1Gi
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: manual
+  nfs:
+    path: /mnt/tank/docker-volumes/bytestash
+    server: truenas.local.gwg313.xyz
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: bytestash-pvc
+  namespace: bytestash
+spec:
+  storageClassName: manual
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  volumeName: bytestash-pv

bytestash/virtualservice.yaml

@@ -0,0 +1,16 @@
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: bytestash
+  namespace: bytestash
+spec:
+  hosts:
+    - "bytestash.local.gwg313.xyz"
+  gateways:
+    - bytestash/bytestash-gateway
+  http:
+    - route:
+        - destination:
+            host: bytestash
+            port:
+              number: 80