add bytestash

Signed-off-by: gwg313 <gwg313@pm.me>

apps/bytestash/configmap.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: bytestash-config
+  namespace: bytestash
+data:
+  BASE_PATH: ""
+  TOKEN_EXPIRY: "24h"
+  ALLOW_NEW_ACCOUNTS: "true"
+  DEBUG: "true"
+  DISABLE_ACCOUNTS: "false"
+  DISABLE_INTERNAL_ACCOUNTS: "false"
+  OIDC_ENABLED: "false"
+  OIDC_DISPLAY_NAME: ""
+  OIDC_ISSUER_URL: ""
+  OIDC_CLIENT_ID: ""
+  OIDC_CLIENT_SECRET: ""
+  OIDC_SCOPES: ""

apps/bytestash/deployment.yaml

@@ -0,0 +1,50 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bytestash
+  namespace: bytestash
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: bytestash
+  template:
+    metadata:
+      labels:
+        app: bytestash
+      annotations:
+        sidecar.istio.io/inject: "true"
+    spec:
+      securityContext:
+        runAsNonRoot: false
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: bytestash
+          image: "ghcr.io/jordan-dalby/bytestash:pr-332"
+          ports:
+            - containerPort: 5000
+          resources:
+            requests:
+              cpu: 50m
+              memory: 128Mi
+            limits:
+              cpu: 200m
+              memory: 256Mi
+          envFrom:
+            - configMapRef:
+                name: bytestash-config
+            - secretRef:
+                name: bytestash-secret
+          volumeMounts:
+            - name: bytestash-storage
+              mountPath: /data/snippets
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: false
+            capabilities:
+              drop: ["ALL"]
+      volumes:
+        - name: bytestash-storage
+          persistentVolumeClaim:
+            claimName: bytestash-pvc

apps/bytestash/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: bytestash

apps/bytestash/network-policy.yaml

@@ -0,0 +1,22 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-ingress
+  namespace: bytestash
+spec:
+  description: "Allow external traffic from the shared Cilium edge proxy into the bytestash service"
+  endpointSelector:
+    matchLabels:
+      app: bytestash
+  ingress:
+    - fromEntities:
+        - ingress
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: cilium-ingress
+      toPorts:
+        - ports:
+            - port: "80"
+              protocol: TCP
+            - port: "5000"
+              protocol: TCP

apps/bytestash/route.yaml

@@ -0,0 +1,41 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: bytestash
+  namespace: bytestash
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: shared-edge-gateway
+      namespace: cilium-ingress
+  hostnames:
+    - snippets.gwg313.xyz
+    - snippets.local.gwg313.xyz
+    - snippets.zerotier.gwg313.xyz
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      backendRefs:
+        - group: ""
+          kind: Service
+          name: bytestash
+          port: 80
+          weight: 1
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+  name: allow-gateway-to-bytestash
+  namespace: bytestash
+spec:
+  from:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      namespace: cilium-ingress
+  to:
+    - group: ""
+      kind: Service
+      name: bytestash

apps/bytestash/secret-sealed.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: bytestash-secret
+  namespace: bytestash
+spec:
+  encryptedData:
+    JWT_SECRET_KEY: AgBvX/MKBvdcxWwjMsEVEqvzR0LbYglztJE7mFkjmAFnmOcxt1pUw9notf7J0de0DLWpSfzeuUyZJUPGxjR2sIyAvzL3Q+lc++0MxKLM5gMxcem4oxsc9Je+sEX7M3mEJpDrxNBUwPASR/2iX0hR2jJTB6NU2Ji3QU6Hvg8McgrFgJagjQqQR6DGiIESdCYqm2nmlOWzT5Wy7ez7CVsOEnxoWZhRpBCe1nJo4PuAZRHoB6sm06+l0Z7rPhxrJKf+g9jmbouExPeIg04QhgtPK5BcGEIqRstu+cPa2Vjv5wVKkLlsfRiM7dvjw23EoQu1BSY9NWgeAQc6DL0r2Zh3FAkZBWKsIbjdWEcAD1WdsObAZcwn/p+kkr48ThBjdNzvcoB53girlYJ++VPYGH5J+j9s7+v4rPT8sA1ynrqkaLeqX4klyqfkJ5/AESY8DIXSBaeo212qTNeBDDDmX/bYCwH7NFDGh+tugeFjjJMLwxZaJtdy8DNwgWvumI/Ibnp1NWn8pMO6+FjPD/lOuquh30tZfVmZdADdgjYR7pT7iJ24OejwCwEeC3LhTvMvez5k5vsbjdyj3KX7507ajDfIOb2y/XQq4NDzqGBdF8oRIhs2hEQhVoy0gsEooOeklnuNg2nMzkY1aRkTJRl6pIV1qyxdPJdZrow9xdOoeMYCbaQrMjQHVKuqLpt4CaLPvx7wG4XqSpXySlfPjxXkLmOdFyDRvYF7wtEt2lLVDNAE1QufKvYq52RRFzMkdFsjZVrPyauyfRYNQ41UizlPPMYsS+Vz
+  template:
+    metadata:
+      creationTimestamp: null
+      name: bytestash-secret
+      namespace: bytestash
+    type: Opaque

apps/bytestash/service.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: bytestash
+  namespace: bytestash
+spec:
+  selector:
+    app: bytestash
+  ports:
+    - port: 80
+      targetPort: 5000

apps/bytestash/storage.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: bytestash-pvc
+  namespace: bytestash
+spec:
+  storageClassName: nfs-retain
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi