add bytestash

Signed-off-by: gwg313 <gwg313@pm.me>

apps/bytestash/deployment.yaml

@@ -21,9 +21,16 @@ spec:
           type: RuntimeDefault
       containers:
         - name: bytestash
-          image: "ghcr.io/jordan-dalby/bytestash:latest"
+          image: "ghcr.io/jordan-dalby/bytestash:pr-332"
           ports:
             - containerPort: 5000
+          resources:
+            requests:
+              cpu: 50m
+              memory: 128Mi
+            limits:
+              cpu: 200m
+              memory: 256Mi
           envFrom:
             - configMapRef:
                 name: bytestash-config

apps/bytestash/network-policy.yaml

@@ -0,0 +1,22 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-ingress
+  namespace: bytestash
+spec:
+  description: "Allow external traffic from the shared Cilium edge proxy into the bytestash service"
+  endpointSelector:
+    matchLabels:
+      app: bytestash
+  ingress:
+    - fromEntities:
+        - ingress
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: cilium-ingress
+      toPorts:
+        - ports:
+            - port: "80"
+              protocol: TCP
+            - port: "5000"
+              protocol: TCP

apps/bytestash/route.yaml

@@ -0,0 +1,41 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: bytestash
+  namespace: bytestash
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: shared-edge-gateway
+      namespace: cilium-ingress
+  hostnames:
+    - snippets.gwg313.xyz
+    - snippets.local.gwg313.xyz
+    - snippets.zerotier.gwg313.xyz
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      backendRefs:
+        - group: ""
+          kind: Service
+          name: bytestash
+          port: 80
+          weight: 1
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+  name: allow-gateway-to-bytestash
+  namespace: bytestash
+spec:
+  from:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      namespace: cilium-ingress
+  to:
+    - group: ""
+      kind: Service
+      name: bytestash

apps/bytestash/secret-sealed.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: bytestash-secret
+  namespace: bytestash
+spec:
+  encryptedData:
+    JWT_SECRET_KEY: AgBvX/MKBvdcxWwjMsEVEqvzR0LbYglztJE7mFkjmAFnmOcxt1pUw9notf7J0de0DLWpSfzeuUyZJUPGxjR2sIyAvzL3Q+lc++0MxKLM5gMxcem4oxsc9Je+sEX7M3mEJpDrxNBUwPASR/2iX0hR2jJTB6NU2Ji3QU6Hvg8McgrFgJagjQqQR6DGiIESdCYqm2nmlOWzT5Wy7ez7CVsOEnxoWZhRpBCe1nJo4PuAZRHoB6sm06+l0Z7rPhxrJKf+g9jmbouExPeIg04QhgtPK5BcGEIqRstu+cPa2Vjv5wVKkLlsfRiM7dvjw23EoQu1BSY9NWgeAQc6DL0r2Zh3FAkZBWKsIbjdWEcAD1WdsObAZcwn/p+kkr48ThBjdNzvcoB53girlYJ++VPYGH5J+j9s7+v4rPT8sA1ynrqkaLeqX4klyqfkJ5/AESY8DIXSBaeo212qTNeBDDDmX/bYCwH7NFDGh+tugeFjjJMLwxZaJtdy8DNwgWvumI/Ibnp1NWn8pMO6+FjPD/lOuquh30tZfVmZdADdgjYR7pT7iJ24OejwCwEeC3LhTvMvez5k5vsbjdyj3KX7507ajDfIOb2y/XQq4NDzqGBdF8oRIhs2hEQhVoy0gsEooOeklnuNg2nMzkY1aRkTJRl6pIV1qyxdPJdZrow9xdOoeMYCbaQrMjQHVKuqLpt4CaLPvx7wG4XqSpXySlfPjxXkLmOdFyDRvYF7wtEt2lLVDNAE1QufKvYq52RRFzMkdFsjZVrPyauyfRYNQ41UizlPPMYsS+Vz
+  template:
+    metadata:
+      creationTimestamp: null
+      name: bytestash-secret
+      namespace: bytestash
+    type: Opaque

apps/bytestash/storage.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: bytestash-pvc
+  namespace: bytestash
+spec:
+  storageClassName: nfs-retain
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

bytestash/bytestash-peer-auth.yaml

@@ -1,8 +0,0 @@
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
-  name: strict-mtls
-  namespace: bytestash
-spec:
-  mtls:
-    mode: STRICT

bytestash/bytestash-secret-sealed.yaml

@@ -1,15 +0,0 @@
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: bytestash-secret
-  namespace: bytestash
-spec:
-  encryptedData:
-    JWT_SECRET_KEY: AgBhyqlrAr9hDaCZ7yPbZZuXtZMeqbMqd0LXWwT8nlEpTY0Tk7LLwjdv6DoY3gvj0Jbgcoa+Edgg6HywykouVAqe2i6HbDwWOPVjRw5K1GA7y7jlb8IOP2D7ZJN8sKW7MUfhmmraN0piuvpCMVl/NHbT1XfQq4mym/PChHcD4Ju+lNMfFWkHNZtXf/9tpYcTa3cmREf0uBFQRNQFP2TaUx8X+QmzIIdoGaqZA+Jud2HkTHymsRhn7fSK3smaJecw/y7IR4ohNcJ17FqOyaqbnQ/MUzB+aprFKjBOnVmZwbWSjJYWPN1nx6NPndmk8X3Q3XeB50WnoAhqNSwI6a58wo/zVHyM5B3Q+L9slCWd8t27z+Jv7Y8zRFl137dbhDBcrHf73miNnaK5x0b741Bv3yDakJG+DrU5YlmGH2/t4XBZjMMRxF4y0CgdT+DN+cZrkbkATHIQWZARmLTqYfig/2D+PfKhrniE4Tfq3V2gLN12Kwf09fqM02Uo2faOya6QF3fvGGZx3QXiDrzPMthLuvk1JqPqU98fNKniS8x7/q1LdHH6ga5wyXyGk76tl540p+kdY2sAi7K5/VAw0QM6A+6EHXJJgZ4bdd02eB0F1/lCKcCzZhs5lIjBu0r/d81wYlId6GtMvXZiMfsbMS9a7evGl20PXAn2C5KxWfyyyIX3wn7JIAxiOdGwPUOI6E4/LCJSnzlfBa7SWFrMHAjniNyQOLB0S9amtHwDDt6j
-  template:
-    metadata:
-      creationTimestamp: null
-      name: bytestash-secret
-      namespace: bytestash
-    type: Opaque

bytestash/certificate.yaml

@@ -1,12 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: bytestash-cert
-  namespace: istio-system
-spec:
-  secretName: bytestash-cert
-  issuerRef:
-    name: letsencrypt-dns
-    kind: ClusterIssuer
-  dnsNames:
-    - snippets.gwg313.xyz

bytestash/gateway.yaml

@@ -1,18 +0,0 @@
-apiVersion: networking.istio.io/v1beta1
-kind: Gateway
-metadata:
-  name: bytestash-gateway
-  namespace: bytestash
-spec:
-  selector:
-    istio: gateway
-  servers:
-    - port:
-        number: 443
-        name: https
-        protocol: HTTPS
-      hosts:
-        - "snippets.gwg313.xyz"
-      tls:
-        mode: SIMPLE
-        credentialName: bytestash-cert

bytestash/storage.yaml

@@ -1,29 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: bytestash-pv
-spec:
-  capacity:
-    storage: 1Gi
-  volumeMode: Filesystem
-  accessModes:
-    - ReadWriteOnce
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: manual
-  nfs:
-    path: /mnt/tank/k8s/bytestash
-    server: truenas.local.gwg313.xyz
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: bytestash-pvc
-  namespace: bytestash
-spec:
-  storageClassName: manual
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi
-  volumeName: bytestash-pv

bytestash/virtualservice.yaml

@@ -1,16 +0,0 @@
-apiVersion: networking.istio.io/v1beta1
-kind: VirtualService
-metadata:
-  name: bytestash
-  namespace: bytestash
-spec:
-  hosts:
-    - "snippets.gwg313.xyz"
-  gateways:
-    - bytestash/bytestash-gateway
-  http:
-    - route:
-        - destination:
-            host: bytestash
-            port:
-              number: 80

management/platform-apps/bytestash.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: bytestash
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "15"
+spec:
+  project: default
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: bytestash
+  source:
+    repoURL: https://github.com/gwg313/homelab-gitops.git
+    path: apps/bytestash
+    targetRevision: main
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true
+      - SkipDryRunOnMissingResource=true

management/platform-apps/kustomization.yaml

@@ -16,3 +16,4 @@ resources:
   - yopass.yaml
   - tekton.yaml
   - navidrome.yaml
+  - bytestash.yaml

platform/nfs-subdir/templates/extra-storage-classes.yaml

@@ -1,11 +1,10 @@
----
 apiVersion: storage.k8s.io/v1
 kind: StorageClass
 metadata:
   name: nfs-ephemeral
   annotations:
     argocd.argoproj.io/sync-wave: "1"
-provisioner: cluster.local/nfs-subdir-external-provisioner
+provisioner: cluster.local/nfs-provisioner-nfs-subdir-external-provisioner
 parameters:
   archiveOnDelete: "false"
   pathPattern: "ephemeral/${.PVC.namespace}/${.PVC.name}" 
@@ -18,7 +17,7 @@ metadata:
   name: nfs-retain
   annotations:
     argocd.argoproj.io/sync-wave: "1"
-provisioner: cluster.local/nfs-subdir-external-provisioner
+provisioner: cluster.local/nfs-provisioner-nfs-subdir-external-provisioner
 parameters:
   archiveOnDelete: "false"
   pathPattern: "retained/${.PVC.namespace}/${.PVC.name}"