diff --git a/bytestash/configmap.yaml b/apps/bytestash/configmap.yaml
similarity index 100%
rename from bytestash/configmap.yaml
rename to apps/bytestash/configmap.yaml
diff --git a/bytestash/deployment.yaml b/apps/bytestash/deployment.yaml
similarity index 82%
rename from bytestash/deployment.yaml
rename to apps/bytestash/deployment.yaml
index 9408803..c7fb53a 100644
--- a/bytestash/deployment.yaml
+++ b/apps/bytestash/deployment.yaml
@@ -21,9 +21,16 @@ spec:
 type: RuntimeDefault
 containers:
 - name: bytestash
- image: "ghcr.io/jordan-dalby/bytestash:latest"
+ image: "ghcr.io/jordan-dalby/bytestash:pr-332"
 ports:
 - containerPort: 5000
+ resources:
+ requests:
+ cpu: 50m
+ memory: 128Mi
+ limits:
+ cpu: 200m
+ memory: 256Mi
 envFrom:
 - configMapRef:
 name: bytestash-config
diff --git a/bytestash/namespace.yaml b/apps/bytestash/namespace.yaml
similarity index 100%
rename from bytestash/namespace.yaml
rename to apps/bytestash/namespace.yaml
diff --git a/apps/bytestash/network-policy.yaml b/apps/bytestash/network-policy.yaml
new file mode 100644
index 0000000..fb49a91
--- /dev/null
+++ b/apps/bytestash/network-policy.yaml
@@ -0,0 +1,22 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-ingress
+ namespace: bytestash
+spec:
+ description: "Allow external traffic from the shared Cilium edge proxy into the bytestash service"
+ endpointSelector:
+ matchLabels:
+ app: bytestash
+ ingress:
+ - fromEntities:
+ - ingress
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: cilium-ingress
+ toPorts:
+ - ports:
+ - port: "80"
+ protocol: TCP
+ - port: "5000"
+ protocol: TCP
diff --git a/apps/bytestash/route.yaml b/apps/bytestash/route.yaml
new file mode 100644
index 0000000..eeb5de4
--- /dev/null
+++ b/apps/bytestash/route.yaml
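Review bot: In apps/bytestash/deployment.yaml the new `image: "ghcr.io/jordan-dalby/bytestash:pr-332"` still references a mutable tag, and one that by its name appears to come from a pull-request build, not a release. Whatever the registry serves under that tag at the next pod start is what runs with the configuration injected through `envFrom`. Pin the build that was actually reviewed by digest, e.g. `image: "ghcr.io/jordan-dalby/bytestash:pr-332@sha256:<DIGEST_OF_REVIEWED_BUILD>"`, and return to a release tag plus digest once the change ships upstream. The container spec continues outside the hunk, so `securityContext` and `imagePullPolicy` are not visible here.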
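Review bot: In apps/bytestash/network-policy.yaml the first ingress rule, `- fromEntities: [ingress]`, appears to carry no `toPorts` (indentation is lost in this view, so this is inferred from the item order), which would let the ingress entity reach every port on the `app: bytestash` pods. Give that rule the same port restriction as the second one, e.g. `toPorts: [{ports: [{port: "5000", protocol: TCP}]}]`. Cilium matches `toPorts` against the pod port after service translation, so with `containerPort: 5000` in the Deployment the `port: "80"` entry is probably unnecessary and can be dropped. The `description` would also be more useful if it stated that selecting these pods puts all other ingress into default-deny.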
@@ -0,0 +1,41 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: bytestash
+ namespace: bytestash
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: shared-edge-gateway
+ namespace: cilium-ingress
+ hostnames:
+ - snippets.gwg313.xyz
+ - snippets.local.gwg313.xyz
+ - snippets.zerotier.gwg313.xyz
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - group: ""
+ kind: Service
+ name: bytestash
+ port: 80
+ weight: 1
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+ name: allow-gateway-to-bytestash
+ namespace: bytestash
+spec:
+ from:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ namespace: cilium-ingress
+ to:
+ - group: ""
+ kind: Service
+ name: bytestash
diff --git a/apps/bytestash/secret-sealed.yaml b/apps/bytestash/secret-sealed.yaml
new file mode 100644
index 0000000..b4bb814
--- /dev/null
+++ b/apps/bytestash/secret-sealed.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: bytestash-secret
+ namespace: bytestash
+spec:
+ encryptedData:
+ JWT_SECRET_KEY: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: bytestash-secret
+ namespace: bytestash
+ type: Opaque
diff --git a/bytestash/service.yaml b/apps/bytestash/service.yaml
similarity index 100%
rename from bytestash/service.yaml
rename to apps/bytestash/service.yaml
diff --git a/apps/bytestash/storage.yaml b/apps/bytestash/storage.yaml
new file mode 100644
index 0000000..e409b1d
--- /dev/null
+++ b/apps/bytestash/storage.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: bytestash-pvc
+ namespace: bytestash
+spec:
+ storageClassName: nfs-retain
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
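Review bot: The `parentRefs` entry in apps/bytestash/route.yaml names `shared-edge-gateway` without a `sectionName`, so the route attaches to every listener on that Gateway that admits it, including any plain-HTTP listener. The Istio Gateway this commit deletes served these hosts only over HTTPS on 443, and the app holds a `JWT_SECRET_KEY`, so its tokens should not travel over cleartext; add `sectionName: <HTTPS_LISTENER_NAME>` and confirm the shared listener's certificate covers all three hostnames (the Gateway itself is not in this diff). Separately, the `ReferenceGrant` with `from.kind: Gateway` and `to.kind: Service` probably grants nothing that is used: the HTTPRoute and the Service are both in `bytestash`, and cross-namespace route attachment is governed by the Gateway's `allowedRoutes`. Remove it or add a comment saying which reference it is meant to permit.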
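Review bot: apps/bytestash/storage.yaml keeps the claim name `bytestash-pvc` but changes `storageClassName` from `manual` to `nfs-retain` and drops `volumeName: bytestash-pv`, and those fields cannot be changed on an existing PersistentVolumeClaim. If the old claim still exists in the cluster the apply is rejected; if it is deleted and recreated, the `nfs-retain` path pattern provisions `retained/bytestash/bytestash-pvc` instead of the former `/mnt/tank/k8s/bytestash` export, so the app starts on empty storage. Record the migration step at the top of the file, e.g. `# Copy data from the former static PV path before the first sync; the claim must be recreated.`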
diff --git a/bytestash/bytestash-peer-auth.yaml b/bytestash/bytestash-peer-auth.yaml
deleted file mode 100644
index 8a3354a..0000000
--- a/bytestash/bytestash-peer-auth.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
- name: strict-mtls
- namespace: bytestash
-spec:
- mtls:
- mode: STRICT
diff --git a/bytestash/bytestash-secret-sealed.yaml b/bytestash/bytestash-secret-sealed.yaml
deleted file mode 100644
index 255eb8a..0000000
--- a/bytestash/bytestash-secret-sealed.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
- creationTimestamp: null
- name: bytestash-secret
- namespace: bytestash
-spec:
- encryptedData:
- JWT_SECRET_KEY: AgBhyqlrAr9hDaCZ7yPbZZuXtZMeqbMqd0LXWwT8nlEpTY0Tk7LLwjdv6DoY3gvj0Jbgcoa+Edgg6HywykouVAqe2i6HbDwWOPVjRw5K1GA7y7jlb8IOP2D7ZJN8sKW7MUfhmmraN0piuvpCMVl/NHbT1XfQq4mym/PChHcD4Ju+lNMfFWkHNZtXf/9tpYcTa3cmREf0uBFQRNQFP2TaUx8X+QmzIIdoGaqZA+Jud2HkTHymsRhn7fSK3smaJecw/y7IR4ohNcJ17FqOyaqbnQ/MUzB+aprFKjBOnVmZwbWSjJYWPN1nx6NPndmk8X3Q3XeB50WnoAhqNSwI6a58wo/zVHyM5B3Q+L9slCWd8t27z+Jv7Y8zRFl137dbhDBcrHf73miNnaK5x0b741Bv3yDakJG+DrU5YlmGH2/t4XBZjMMRxF4y0CgdT+DN+cZrkbkATHIQWZARmLTqYfig/2D+PfKhrniE4Tfq3V2gLN12Kwf09fqM02Uo2faOya6QF3fvGGZx3QXiDrzPMthLuvk1JqPqU98fNKniS8x7/q1LdHH6ga5wyXyGk76tl540p+kdY2sAi7K5/VAw0QM6A+6EHXJJgZ4bdd02eB0F1/lCKcCzZhs5lIjBu0r/d81wYlId6GtMvXZiMfsbMS9a7evGl20PXAn2C5KxWfyyyIX3wn7JIAxiOdGwPUOI6E4/LCJSnzlfBa7SWFrMHAjniNyQOLB0S9amtHwDDt6j
- template:
- metadata:
- creationTimestamp: null
- name: bytestash-secret
- namespace: bytestash
- type: Opaque
diff --git a/bytestash/certificate.yaml b/bytestash/certificate.yaml
deleted file mode 100644
index 8e22729..0000000
--- a/bytestash/certificate.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: bytestash-cert
- namespace: istio-system
-spec:
- secretName: bytestash-cert
- issuerRef:
- name: letsencrypt-dns
- kind: ClusterIssuer
- dnsNames:
- - snippets.gwg313.xyz
diff --git a/bytestash/gateway.yaml b/bytestash/gateway.yaml
deleted file mode 100644
index 215ebb0..0000000
--- a/bytestash/gateway.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: networking.istio.io/v1beta1
-kind: Gateway
-metadata:
- name: bytestash-gateway
- namespace: bytestash
-spec:
- selector:
- istio: gateway
- servers:
- - port:
- number: 443
- name: https
- protocol: HTTPS
- hosts:
- - "snippets.gwg313.xyz"
- tls:
- mode: SIMPLE
- credentialName: bytestash-cert
diff --git a/bytestash/storage.yaml b/bytestash/storage.yaml
deleted file mode 100644
index 2f422a9..0000000
--- a/bytestash/storage.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
- name: bytestash-pv
-spec:
- capacity:
- storage: 1Gi
- volumeMode: Filesystem
- accessModes:
- - ReadWriteOnce
- persistentVolumeReclaimPolicy: Retain
- storageClassName: manual
- nfs:
- path: /mnt/tank/k8s/bytestash
- server: truenas.local.gwg313.xyz
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: bytestash-pvc
- namespace: bytestash
-spec:
- storageClassName: manual
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 1Gi
- volumeName: bytestash-pv
diff --git a/bytestash/virtualservice.yaml b/bytestash/virtualservice.yaml
deleted file mode 100644
index 76875d5..0000000
--- a/bytestash/virtualservice.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: networking.istio.io/v1beta1
-kind: VirtualService
-metadata:
- name: bytestash
- namespace: bytestash
-spec:
- hosts:
- - "snippets.gwg313.xyz"
- gateways:
- - bytestash/bytestash-gateway
- http:
- - route:
- - destination:
- host: bytestash
- port:
- number: 80
diff --git a/management/platform-apps/bytestash.yaml b/management/platform-apps/bytestash.yaml
new file mode 100644
index 0000000..dc95b94
--- /dev/null
+++ b/management/platform-apps/bytestash.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: bytestash
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "15"
+spec:
+ project: default
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: bytestash
+ source:
+ repoURL: https://github.com/gwg313/homelab-gitops.git
+ path: apps/bytestash
+ targetRevision: main
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
+ - SkipDryRunOnMissingResource=true
diff --git a/management/platform-apps/kustomization.yaml b/management/platform-apps/kustomization.yaml
index 678ac5a..15570f4 100644
--- a/management/platform-apps/kustomization.yaml
+++ b/management/platform-apps/kustomization.yaml
@@ -16,3 +16,4 @@ resources:
 - yopass.yaml
 - tekton.yaml
 - navidrome.yaml
+ - bytestash.yaml
diff --git a/platform/nfs-subdir/templates/extra-storage-classes.yaml b/platform/nfs-subdir/templates/extra-storage-classes.yaml
index ef0b8c3..ebd52bd 100644
--- a/platform/nfs-subdir/templates/extra-storage-classes.yaml
+++ b/platform/nfs-subdir/templates/extra-storage-classes.yaml
@@ -1,11 +1,10 @@
----
 apiVersion: storage.k8s.io/v1
 kind: StorageClass
 metadata:
 name: nfs-ephemeral
 annotations:
 argocd.argoproj.io/sync-wave: "1"
-provisioner: cluster.local/nfs-subdir-external-provisioner
+provisioner: cluster.local/nfs-provisioner-nfs-subdir-external-provisioner
 parameters:
 archiveOnDelete: "false"
 pathPattern: "ephemeral/${.PVC.namespace}/${.PVC.name}"
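Review bot: `project: default` in management/platform-apps/bytestash.yaml places this Application in Argo CD's built-in project, which, unless it has been tightened elsewhere, permits any source repository, any destination and cluster-scoped resources. Together with `targetRevision: main` and `automated` sync with `prune: true` and `selfHeal: true`, every commit that lands on `main` under `apps/bytestash` is applied to the cluster with no further gate. A dedicated AppProject restricted to this repository and the `bytestash` namespace would bound that. The manifests added in this commit (`CiliumNetworkPolicy`, `HTTPRoute`, `ReferenceGrant`, `SealedSecret`, `PersistentVolumeClaim`) are all namespaced, so such a project would not need to allow cluster-scoped kinds beyond the Namespace itself.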
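Review bot: The `provisioner` value changed in both hunks of platform/nfs-subdir/templates/extra-storage-classes.yaml (`nfs-ephemeral` here, `nfs-retain` in the following hunk) is an immutable StorageClass field, so applying it over an existing class is rejected and the sync stalls at wave 1. The classes have to be deleted and recreated, either by hand or through Argo CD's `Replace=true`/`Force=true` sync options on these two resources. Volumes already provisioned under the old name `cluster.local/nfs-subdir-external-provisioner` will likely no longer be claimed by the renamed provisioner for cleanup; a comment above each class such as `# provisioner renamed; PVs created under the old name need manual cleanup` would record that. Both StorageClass documents continue outside the hunks.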
@@ -18,7 +17,7 @@ metadata:
 name: nfs-retain
 annotations:
 argocd.argoproj.io/sync-wave: "1"
-provisioner: cluster.local/nfs-subdir-external-provisioner
+provisioner: cluster.local/nfs-provisioner-nfs-subdir-external-provisioner
 parameters:
 archiveOnDelete: "false"
 pathPattern: "retained/${.PVC.namespace}/${.PVC.name}"