From ff7fded9d56b183cc2a5aad64c9a07050bdc5233 Mon Sep 17 00:00:00 2001
From: Ales Lerch <13370338+axeII@users.noreply.github.com>
Date: Wed, 25 Sep 2024 18:15:54 +0200
Subject: [PATCH 1/4] feat: adds privatebint to the cluster
---
 kubernetes/apps/security/kustomization.yaml | 7 ++
 kubernetes/apps/security/namespace.yaml | 7 ++
 .../security/pastebin/app/helmrelease.yaml | 86 +++++++++++++++++++
 .../security/pastebin/app/kustomization.yaml | 13 +++
 kubernetes/apps/security/pastebin/ks.yaml | 23 +++++
 5 files changed, 136 insertions(+)
 create mode 100644 kubernetes/apps/security/kustomization.yaml
 create mode 100644 kubernetes/apps/security/namespace.yaml
 create mode 100644 kubernetes/apps/security/pastebin/app/helmrelease.yaml
 create mode 100644 kubernetes/apps/security/pastebin/app/kustomization.yaml
 create mode 100644 kubernetes/apps/security/pastebin/ks.yaml
diff --git a/kubernetes/apps/security/kustomization.yaml b/kubernetes/apps/security/kustomization.yaml
new file mode 100644
index 000000000..2cf386965
--- /dev/null
+++ b/kubernetes/apps/security/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./namespace.yaml
+ - ./pastebin/ks.yaml
diff --git a/kubernetes/apps/security/namespace.yaml b/kubernetes/apps/security/namespace.yaml
new file mode 100644
index 000000000..397a2359d
--- /dev/null
+++ b/kubernetes/apps/security/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: security
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
diff --git a/kubernetes/apps/security/pastebin/app/helmrelease.yaml b/kubernetes/apps/security/pastebin/app/helmrelease.yaml
new file mode 100644
index 000000000..bcc8471df
--- /dev/null
+++ b/kubernetes/apps/security/pastebin/app/helmrelease.yaml
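Review bot: The new `security` namespace in namespace.yaml carries only the Flux prune label and no Pod Security Admission labels, so nothing at the namespace level stops a later workload from running privileged here. The pastebin pod added in this same commit already sets `runAsNonRoot`, drops all capabilities, disables privilege escalation and uses the `RuntimeDefault` seccomp profile, so it looks compatible with the restricted profile. Adding `pod-security.kubernetes.io/enforce: restricted` under `labels:` would hold future additions to the same bar; confirm against any other workloads planned for this namespace before enforcing.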
@@ -0,0 +1,86 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: microbin
+spec:
+ chart:
+ spec:
+ chart: app-template
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s-charts
+ namespace: flux-system
+ version: 3.4.0
+ values:
+ controllers:
+ microbin:
+ replicas: 1
+ strategy: RollingUpdate
+ annotations:
+ reloader.stakater.com/auto: "true"
+ containers:
+ app:
+ envFrom:
+ - secretRef:
+ name: microbin-secret
+ image:
+ repository: docker.io/privatebin/nginx-fpm-alpine
+ tag: 1.7.4@sha256:4cc5f26f5b558b734cb084ada4fdacd75bd9f5e4574f3f3df54165b3623d6b86
+ probes:
+ liveness:
+ enabled: true
+ readiness:
+ enabled: true
+ resources:
+ limits:
+ memory: 100Mi
+ requests:
+ cpu: 100m
+ memory: 500Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ statefulset:
+ podManagementPolicy: Parallel
+ volumeClaimTemplates:
+ - name: data
+ accessMode: ReadWriteOnce
+ storageClass: longhorn-media
+ size: 200Mi
+ globalMounts:
+ - path: /srv/data
+ type: statefulset
+ defaultPodOptions:
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ ingress:
+ app:
+ className: external
+ annotations:
+ gatus.io/enabled: "true"
+ hajimari.io/icon: simple-icons:pastebin
+ hosts:
+ - host: &host "pastebin.${SECRET_DOMAIN}"
+ paths:
+ - path: /
+ service:
+ identifier: app
+ port: http
+ tls:
+ - hosts:
+ - *host
+ service:
+ app:
+ controller: microbin
+ ports:
+ http:
+ port: 8080
diff --git a/kubernetes/apps/security/pastebin/app/kustomization.yaml b/kubernetes/apps/security/pastebin/app/kustomization.yaml
new file mode 100644
index 000000000..34f2aac2d
--- /dev/null
+++ b/kubernetes/apps/security/pastebin/app/kustomization.yaml
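Review bot: Under `containers.app.resources` in helmrelease.yaml the memory request (`500Mi`) is larger than the memory limit (`100Mi`); Kubernetes rejects a container whose request exceeds its limit, so the pod will not be created. The two values look swapped: `limits: memory: 500Mi` with `requests: memory: 100Mi` would be the usual shape. Separately, `readOnlyRootFilesystem: true` is set while the only mount visible is `/srv/data`; if the image writes to temporary or runtime directories at start-up those paths would need `emptyDir` mounts, which is worth verifying against the image's documentation. PATCH 4/4 later edits this file but does not touch the resources block.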
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./pvc.yaml
+ - ./helmrelease.yaml
+ - ./externalsecret.yaml
+configMapGenerator:
+ - name: bazarr-scripts
+ files:
+ - ./scripts/post-process.sh
+generatorOptions:
+ disableNameSuffixHash: true
diff --git a/kubernetes/apps/security/pastebin/ks.yaml b/kubernetes/apps/security/pastebin/ks.yaml
new file mode 100644
index 000000000..32fa29c81
--- /dev/null
+++ b/kubernetes/apps/security/pastebin/ks.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app pastebin
+ namespace: flux-system
+spec:
+ targetNamespace: security
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ # dependsOn:
+ # - name: longhorn
+ # - name: cluster-apps-external-secrets-stores
+ path: ./kubernetes/apps/security/pastebin/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: true
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
From 7402fcf798c4ac27c7e9021ff1ffd0fc77aa0d26 Mon Sep 17 00:00:00 2001
From: Ales Lerch <13370338+axeII@users.noreply.github.com>
Date: Wed, 25 Sep 2024 18:18:45 +0200
Subject: [PATCH 2/4] style: adds comments for future
---
 kubernetes/apps/security/pastebin/app/helmrelease.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/kubernetes/apps/security/pastebin/app/helmrelease.yaml b/kubernetes/apps/security/pastebin/app/helmrelease.yaml
index bcc8471df..d0ec42414 100644
--- a/kubernetes/apps/security/pastebin/app/helmrelease.yaml
+++ b/kubernetes/apps/security/pastebin/app/helmrelease.yaml
@@ -84,3 +84,4 @@ spec:
 ports:
 http:
 port: 8080
+# TODO: Create a way to set in conf.php to set expireSelection: "never" to disable never expire
From afd4adf2a771bc76ac68ae6394843b3792906e63 Mon Sep 17 00:00:00 2001
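Review bot: The TODO appended to helmrelease.yaml in PATCH 2/4 is hard to parse ("set ... to set ... to disable never expire") and does not say why the change matters. The ingress uses `className: external`, which appears to be the externally reachable class, and the data volume is only 200Mi, so pastes that never expire are a storage-exhaustion concern worth stating in the comment. A clearer wording would be `# TODO: ship a custom conf.php that removes the "never" expiry option so pastes cannot be kept indefinitely`.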
From: Ales Lerch <13370338+axeII@users.noreply.github.com>
Date: Wed, 25 Sep 2024 18:24:38 +0200
Subject: [PATCH 3/4] fix: refactors the kustomize.yaml file removes unused code
---
 kubernetes/apps/security/pastebin/app/kustomization.yaml | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/kubernetes/apps/security/pastebin/app/kustomization.yaml b/kubernetes/apps/security/pastebin/app/kustomization.yaml
index 34f2aac2d..5dd7baca7 100644
--- a/kubernetes/apps/security/pastebin/app/kustomization.yaml
+++ b/kubernetes/apps/security/pastebin/app/kustomization.yaml
@@ -2,12 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - ./pvc.yaml
 - ./helmrelease.yaml
- - ./externalsecret.yaml
-configMapGenerator:
- - name: bazarr-scripts
- files:
- - ./scripts/post-process.sh
-generatorOptions:
- disableNameSuffixHash: true
From ed31c3b84579d01caaf0a637b8539d9cd9c8152e Mon Sep 17 00:00:00 2001
From: Ales Lerch <13370338+axeII@users.noreply.github.com>
Date: Wed, 25 Sep 2024 18:37:30 +0200
Subject: [PATCH 4/4] refactor: Update helmrelease.yaml for pastebin app This commit refactors the helmrelease.yaml file for the pastebin app. It updates the name from "microbin" to "pastebin" and adds an interval of 30 minutes. The chart version is also updated to 3.4.0. Additionally, it includes changes to the install and upgrade sections, adding remediation options and cleanup on fail. The values section is modified to use the "pastebin" controller and secret. Update ks.yaml for pastebin app This commit updates the ks.yaml file for the pastebin app. It adds a dependency on "longhorn" and removes the commented-out dependencies on "cluster-apps-external-secrets-stores". The path is set to "./kubernetes/apps/security/pastebin/app" and pruning is enabled.
---
 .../security/pastebin/app/helmrelease.yaml | 19 ++++++++++++++-----
 kubernetes/apps/security/pastebin/ks.yaml | 5 ++---
 2 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/kubernetes/apps/security/pastebin/app/helmrelease.yaml b/kubernetes/apps/security/pastebin/app/helmrelease.yaml
index d0ec42414..dd3e35475 100644
--- a/kubernetes/apps/security/pastebin/app/helmrelease.yaml
+++ b/kubernetes/apps/security/pastebin/app/helmrelease.yaml
@@ -2,19 +2,28 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
- name: microbin
+ name: pastebin
 spec:
+ interval: 30m
 chart:
 spec:
 chart: app-template
+ version: 3.4.0
 sourceRef:
 kind: HelmRepository
 name: bjw-s-charts
 namespace: flux-system
- version: 3.4.0
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
 values:
 controllers:
- microbin:
+ pastebin:
 replicas: 1
 strategy: RollingUpdate
 annotations:
@@ -23,7 +32,7 @@ spec:
 app:
 envFrom:
 - secretRef:
- name: microbin-secret
+ name: pastebin-secret
 image:
 repository: docker.io/privatebin/nginx-fpm-alpine
 tag: 1.7.4@sha256:4cc5f26f5b558b734cb084ada4fdacd75bd9f5e4574f3f3df54165b3623d6b86
@@ -80,7 +89,7 @@ spec:
 - *host
 service:
 app:
- controller: microbin
+ controller: pastebin
 ports:
 http:
 port: 8080
diff --git a/kubernetes/apps/security/pastebin/ks.yaml b/kubernetes/apps/security/pastebin/ks.yaml
index 32fa29c81..c44f9f625 100644
--- a/kubernetes/apps/security/pastebin/ks.yaml
+++ b/kubernetes/apps/security/pastebin/ks.yaml
@@ -9,9 +9,8 @@ spec:
 commonMetadata:
 labels:
 app.kubernetes.io/name: *app
- # dependsOn:
- # - name: longhorn
- # - name: cluster-apps-external-secrets-stores
+ dependsOn:
+ - name: longhorn
 path: ./kubernetes/apps/security/pastebin/app
 prune: true
 sourceRef:
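Review bot: In the second helmrelease.yaml hunk, `envFrom` still points at a Secret (now `pastebin-secret`) that no manifest in this series creates: PATCH 3/4 dropped `./externalsecret.yaml` from the app kustomization, and the ks.yaml hunk of this commit drops the `cluster-apps-external-secrets-stores` dependency. A `secretRef` without `optional: true` leaves the container unable to start until that Secret exists, so unless it is provisioned elsewhere, either add the ExternalSecret back (and restore the dependency in `dependsOn`) or remove the `envFrom` block if the image needs no secret environment. The `containers.app` mapping continues outside the hunk, so the rest of the container spec was not reviewed here.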