diff --git a/kubernetes/apps/security/kustomization.yaml b/kubernetes/apps/security/kustomization.yaml
new file mode 100644
index 000000000..2cf386965
--- /dev/null
+++ b/kubernetes/apps/security/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./namespace.yaml
+ - ./pastebin/ks.yaml
diff --git a/kubernetes/apps/security/namespace.yaml b/kubernetes/apps/security/namespace.yaml
new file mode 100644
index 000000000..397a2359d
--- /dev/null
+++ b/kubernetes/apps/security/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: security
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
diff --git a/kubernetes/apps/security/pastebin/app/helmrelease.yaml b/kubernetes/apps/security/pastebin/app/helmrelease.yaml
new file mode 100644
index 000000000..dd3e35475
--- /dev/null
+++ b/kubernetes/apps/security/pastebin/app/helmrelease.yaml
@@ -0,0 +1,96 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: pastebin
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: app-template
+ version: 3.4.0
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s-charts
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ values:
+ controllers:
+ pastebin:
+ replicas: 1
+ strategy: RollingUpdate
+ annotations:
+ reloader.stakater.com/auto: "true"
+ containers:
+ app:
+ envFrom:
+ - secretRef:
+ name: pastebin-secret
+ image:
+ repository: docker.io/privatebin/nginx-fpm-alpine
+ tag: 1.7.4@sha256:4cc5f26f5b558b734cb084ada4fdacd75bd9f5e4574f3f3df54165b3623d6b86
+ probes:
+ liveness:
+ enabled: true
+ readiness:
+ enabled: true
+ resources:
+ limits:
+ memory: 100Mi
+ requests:
+ cpu: 100m
+ memory: 500Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ statefulset:
+ podManagementPolicy: Parallel
+ volumeClaimTemplates:
+ - name: data
+ accessMode: ReadWriteOnce
+ storageClass: longhorn-media
+ size: 200Mi
+ globalMounts:
+ - path: /srv/data
+ type: statefulset
+ defaultPodOptions:
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ ingress:
+ app:
+ className: external
+ annotations:
+ gatus.io/enabled: "true"
+ hajimari.io/icon: simple-icons:pastebin
+ hosts:
+ - host: &host "pastebin.${SECRET_DOMAIN}"
+ paths:
+ - path: /
+ service:
+ identifier: app
+ port: http
+ tls:
+ - hosts:
+ - *host
+ service:
+ app:
+ controller: pastebin
+ ports:
+ http:
+ port: 8080
+# TODO: Create a way to set in conf.php to set expireSelection: "never" to disable never expire
diff --git a/kubernetes/apps/security/pastebin/app/kustomization.yaml b/kubernetes/apps/security/pastebin/app/kustomization.yaml
new file mode 100644
index 000000000..5dd7baca7
--- /dev/null
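Review bot: The resources block under `containers.app` asks for `requests.memory: 500Mi` against `limits.memory: 100Mi`; a request larger than its limit fails API-server validation, so the StatefulSet will never create a pod. The intent is presumably the other way round, `limits: memory: 500Mi` and `requests: memory: 100Mi`. Separately, `readOnlyRootFilesystem: true` on the `privatebin/nginx-fpm-alpine` image is the right hardening, but nginx and php-fpm usually need writable scratch paths (typically `/tmp`, `/run` and `/var/lib/nginx/tmp`); if the container crash-loops on read-only filesystem errors, add emptyDir mounts for those paths rather than dropping the flag. The ingress uses `className: external` with no authentication visible in this hunk, so a publicly reachable pastebin that still offers a "never expire" option is exactly what the trailing TODO is about — worth treating as a blocker before the host is exposed.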
+++ b/kubernetes/apps/security/pastebin/app/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/security/pastebin/ks.yaml b/kubernetes/apps/security/pastebin/ks.yaml
new file mode 100644
index 000000000..c44f9f625
--- /dev/null
+++ b/kubernetes/apps/security/pastebin/ks.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app pastebin
+ namespace: flux-system
+spec:
+ targetNamespace: security
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ dependsOn:
+ - name: longhorn
+ path: ./kubernetes/apps/security/pastebin/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: true
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
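Review bot: This Kustomization lists only `./helmrelease.yaml`, yet the HelmRelease it renders pulls `envFrom: secretRef: name: pastebin-secret`, and nothing in this commit creates that Secret. Unless it is produced elsewhere (an ExternalSecret or SOPS-encrypted file in another path — not visible here), the container will sit in CreateContainerConfigError and the Flux Kustomization's `wait: true` will time out. If the Secret belongs to this app, add its manifest here, e.g. `- ./externalsecret.yaml` above `- ./helmrelease.yaml`; if it is managed elsewhere, a one-line comment such as `# pastebin-secret is provided by <path>` would save the next reader the hunt.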