From 10e857d4b814c312fa20b04d5f50412d40296dde Mon Sep 17 00:00:00 2001 From: trivernis Date: Sat, 7 Oct 2023 18:08:38 +0200 Subject: [PATCH] Add tandoor --- apps/apps.yaml | 16 +++ apps/tandoor/config.yaml | 30 ++++ apps/tandoor/deploy.yaml | 189 +++++++++++++++++++++++++ apps/tandoor/namespace.yaml | 6 + apps/tandoor/postgres.yaml | 22 +++ apps/tandoor/pvc.yaml | 28 ++++ apps/tandoor/recipes-sealedsecret.yaml | 18 +++ apps/tandoor/route.yaml | 14 ++ apps/tandoor/service-account.yaml | 5 + apps/tandoor/service.yaml | 22 +++ 10 files changed, 350 insertions(+) create mode 100644 apps/tandoor/config.yaml create mode 100644 apps/tandoor/deploy.yaml create mode 100644 apps/tandoor/namespace.yaml create mode 100644 apps/tandoor/postgres.yaml create mode 100644 apps/tandoor/pvc.yaml create mode 100644 apps/tandoor/recipes-sealedsecret.yaml create mode 100644 apps/tandoor/route.yaml create mode 100644 apps/tandoor/service-account.yaml create mode 100644 apps/tandoor/service.yaml
diff --git a/apps/apps.yaml b/apps/apps.yaml
index f7121f5..a877626 100644
--- a/apps/apps.yaml
+++ b/apps/apps.yaml
@@ -36,3 +36,19 @@ resources:
 - searxng/config.yaml
 - searxng/deploy.yaml
 - searxng/route.yaml
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: tandoor
+metadata:
+ name: tandoor
+resources:
+ - tandoor/namespace.yaml
+ - tandoor/service-account.yaml
+ - searxng/recipes-sealedsecret.yaml
+ - tandoor/config.yaml
+ - tandoor/pvc.yaml
+ - tandoor/postgres.yaml
+ - searxng/deploy.yaml
+ - searxng/service.yaml
+ - searxng/route.yaml
diff --git a/apps/tandoor/config.yaml b/apps/tandoor/config.yaml
new file mode 100644
index 0000000..6562376
--- /dev/null
+++ b/apps/tandoor/config.yaml
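Review bot: Four entries in the new `tandoor` Kustomization's `resources:` list point at `searxng/` instead of `tandoor/` (`searxng/recipes-sealedsecret.yaml`, `searxng/deploy.yaml`, `searxng/service.yaml`, `searxng/route.yaml`), although this commit creates those files under `apps/tandoor/`. As written, the Tandoor Deployment, Service, IngressRoute and SealedSecret added here are never applied, and with `namespace: tandoor` set the searxng Deployment and route would presumably be rendered into the tandoor namespace instead. The entries should read `- tandoor/recipes-sealedsecret.yaml`, `- tandoor/deploy.yaml`, `- tandoor/service.yaml` and `- tandoor/route.yaml`.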
@@ -0,0 +1,30 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ labels:
+ app: recipes
+ name: recipes-nginx-config
+ namespace: tandoor
+data:
+ nginx-config: |-
+ events {
+ worker_connections 1024;
+ }
+ http {
+ include mime.types;
+ server {
+ listen 80;
+ server_name _;
+
+ client_max_body_size 16M;
+
+ # serve static files
+ location /static/ {
+ alias /static/;
+ }
+ # serve media files
+ location /media/ {
+ alias /media/;
+ }
+ }
+ }
\ No newline at end of file
diff --git a/apps/tandoor/deploy.yaml b/apps/tandoor/deploy.yaml
new file mode 100644
index 0000000..1945b56
--- /dev/null
+++ b/apps/tandoor/deploy.yaml
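Review bot: The `location /media/` block serves the media volume straight from nginx with no response-header hardening, and that volume is the one the app writes to (`/opt/recipes/mediafiles` in deploy.yaml), so its contents are presumably user uploads. Adding `add_header X-Content-Type-Options nosniff;` inside that location keeps browsers from content-sniffing an uploaded file into something active on the application's origin. A short comment above `server_name _;` stating that host filtering is left to the ingress would also help, since this server block accepts any Host header.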
@@ -0,0 +1,189 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: recipes
+ namespace: tandoor
+ labels:
+ app: recipes
+ environment: production
+ tier: frontend
+spec:
+ replicas: 1
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+ app: recipes
+ environment: production
+ template:
+ metadata:
+ labels:
+ app: recipes
+ tier: frontend
+ environment: production
+ spec:
+ restartPolicy: Always
+ serviceAccount: recipes
+ serviceAccountName: recipes
+ initContainers:
+ - name: init-chmod-data
+ env:
+ - name: SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: recipes-secret
+ key: secret-key
+ - name: DB_ENGINE
+ value: django.db.backends.postgresql_psycopg2
+ - name: POSTGRES_HOST
+ value: recipes-db
+ - name: POSTGRES_PORT
+ value: "5432"
+ - name: POSTGRES_USER
+ value: postgres
+ - name: POSTGRES_DB
+ value: postgres
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: recipes-secret
+ key: postgresql-password
+ image: vabene1111/recipes
+ imagePullPolicy: Always
+ resources:
+ requests:
+ cpu: 250m
+ memory: 64Mi
+ command:
+ - sh
+ - -c
+ - |
+ set -e
+ source venv/bin/activate
+ echo "Updating database"
+ python manage.py migrate
+ python manage.py collectstatic_js_reverse
+ python manage.py collectstatic --noinput
+ echo "Setting media file attributes"
+ chown -R 65534:65534 /opt/recipes/mediafiles
+ find /opt/recipes/mediafiles -type d | xargs -r chmod 755
+ find /opt/recipes/mediafiles -type f | xargs -r chmod 644
+ echo "Done"
+ securityContext:
+ runAsUser: 0
+ volumeMounts:
+ - mountPath: /opt/recipes/mediafiles
+ name: media
+ # mount as subPath due to lost+found on ext4 pvc
+ subPath: files
+ - mountPath: /opt/recipes/staticfiles
+ name: static
+ # mount as subPath due to lost+found on ext4 pvc
+ subPath: files
+ containers:
+ - name: recipes-nginx
+ image: nginx:alpine-slim
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 80
+ protocol: TCP
+ name: http
+ - containerPort: 8080
+ protocol: TCP
+ name: gunicorn
+ resources:
+ requests:
+ cpu: 250m
+ memory: 64Mi
+ volumeMounts:
+ - mountPath: /media
+ name: media
+ # mount as subPath due to lost+found on ext4 pvc
+ subPath: files
+ - mountPath: /static
+ name: static
+ # mount as subPath due to lost+found on ext4 pvc
+ subPath: files
+ - name: nginx-config
+ mountPath: /etc/nginx/nginx.conf
+ subPath: nginx-config
+ readOnly: true
+ - name: recipes
+ image: vabene1111/recipes
+ imagePullPolicy: IfNotPresent
+ command:
+ - /opt/recipes/venv/bin/gunicorn
+ - -b
+ - :8080
+ - --access-logfile
+ - "-"
+ - --error-logfile
+ - "-"
+ - --log-level
+ - INFO
+ - recipes.wsgi
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 30
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 30
+ resources:
+ requests:
+ cpu: 250m
+ memory: 64Mi
+ volumeMounts:
+ - mountPath: /opt/recipes/mediafiles
+ name: media
+ # mount as subPath due to lost+found on ext4 pvc
+ subPath: files
+ - mountPath: /opt/recipes/staticfiles
+ name: static
+ # mount as subPath due to lost+found on ext4 pvc
+ subPath: files
+ env:
+ - name: DEBUG
+ value: "0"
+ - name: ALLOWED_HOSTS
+ value: '*'
+ - name: SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: recipes-secret
+ key: secret-key
+ - name: GUNICORN_MEDIA
+ value: "0"
+ - name: DB_ENGINE
+ value: django.db.backends.postgresql_psycopg2
+ - name: POSTGRES_HOST
+ value: recipes-db
+ - name: POSTGRES_PORT
+ value: "5432"
+ - name: POSTGRES_USER
+ value: postgres
+ - name: POSTGRES_DB
+ value: postgres
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: recipes-secret
+ key: postgresql-password
+ securityContext:
+ runAsUser: 65534
+ volumes:
+ - name: media
+ persistentVolumeClaim:
+ claimName: recipes-media
+ - name: static
+ persistentVolumeClaim:
+ claimName: recipes-static
+ - name: nginx-config
+ configMap:
+ name: recipes-nginx-config
\ No newline at end of file
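Review bot: Both `image: vabene1111/recipes` lines are untagged, so they resolve to `latest`, and the pull policies differ: the init container, which runs as `runAsUser: 0`, uses `imagePullPolicy: Always` while the `recipes` container uses `IfNotPresent`. After an upstream release, `python manage.py migrate` can run from a newer image than the cached one that serves traffic, and nothing in the manifest records which code was handed `SECRET_KEY` and `POSTGRES_PASSWORD`. Pin both containers to the same version, ideally by digest, e.g. `image: vabene1111/recipes:<pinned-tag>@sha256:<digest>` (placeholders). Separately, `ALLOWED_HOSTS` is `'*'`, which turns off Django's Host-header validation; `value: recipes.trivernis.dev,recipes.trivernis.net` would match the hosts in route.yaml.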
diff --git a/apps/tandoor/namespace.yaml b/apps/tandoor/namespace.yaml
new file mode 100644
index 0000000..2e08fce
--- /dev/null
+++ b/apps/tandoor/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: tandoor
+ labels:
+ name: tandoor
diff --git a/apps/tandoor/postgres.yaml b/apps/tandoor/postgres.yaml
new file mode 100644
index 0000000..b4e7e63
--- /dev/null
+++ b/apps/tandoor/postgres.yaml
@@ -0,0 +1,22 @@
+apiVersion: kubegres.reactive-tech.io/v1
+kind: Kubegres
+metadata:
+ name: recipes-db
+ namespace: tandoor
+spec:
+ replicas: 2
+ image: postgres:16-alpine
+ database:
+ size: 2Gi
+ env:
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: recipes-secret
+ key: postgresql-password
+
+ - name: POSTGRES_REPLICATION_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: recipes-secret
+ key: replication-password
diff --git a/apps/tandoor/pvc.yaml b/apps/tandoor/pvc.yaml
new file mode 100644
index 0000000..9359975
--- /dev/null
+++ b/apps/tandoor/pvc.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: recipes-media
+ namespace: tandoor
+ labels:
+ app: recipes
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: longhorn-hdd-crypto-global
+ resources:
+ requests:
+ storage: 5Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: recipes-static
+ namespace: tandoor
+ labels:
+ app: recipes
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
\ No newline at end of file
diff --git a/apps/tandoor/recipes-sealedsecret.yaml b/apps/tandoor/recipes-sealedsecret.yaml
new file mode 100644
index 0000000..dd314cb
--- /dev/null
+++ b/apps/tandoor/recipes-sealedsecret.yaml
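Review bot: The `database:` block in postgres.yaml sets only `size: 2Gi`, so the Kubegres volumes fall back to the cluster's default storage class, while the `recipes-media` claim in pvc.yaml explicitly requests `longhorn-hdd-crypto-global`. If that class is the encrypted one, as its name suggests, the database (which presumably holds user accounts and credentials) ends up on less protected storage than the recipe images. Consider adding `storageClassName: longhorn-hdd-crypto-global` under `database:`. The Deployment in this commit also connects with `POSTGRES_USER: postgres`, the superuser; a dedicated role that owns only the application database would limit what a compromised app container can do.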
@@ -0,0 +1,18 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: recipes-secret
+ namespace: tandoor
+spec:
+ encryptedData:
+ postgresql-password: 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
+ replication-password: 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
+ secret-key: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: recipes-secret
+ namespace: tandoor
+ type: Opaque
+
diff --git a/apps/tandoor/route.yaml b/apps/tandoor/route.yaml
new file mode 100644
index 0000000..ef58196
--- /dev/null
+++ b/apps/tandoor/route.yaml
@@ -0,0 +1,14 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: longhorn-route
+ namespace: longhorn-system
+spec:
+ entryPoints:
+ - web
+ routes:
+ - match: Host(`recipes.trivernis.dev`) || Host(`recipes.trivernis.net`)
+ kind: Rule
+ services:
+ - name: recipes-service
+ port: 80
diff --git a/apps/tandoor/service-account.yaml b/apps/tandoor/service-account.yaml
new file mode 100644
index 0000000..ae59b30
--- /dev/null
+++ b/apps/tandoor/service-account.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: recipes
+ namespace: tandoor
\ No newline at end of file
diff --git a/apps/tandoor/service.yaml b/apps/tandoor/service.yaml
new file mode 100644
index 0000000..70660e8
--- /dev/null
+++ b/apps/tandoor/service.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: recipes-service
+ namespace: tandoor
+ labels:
+ app: recipes
+ tier: frontend
+spec:
+ selector:
+ app: recipes
+ tier: frontend
+ environment: production
+ ports:
+ - port: 80
+ targetPort: http
+ name: http
+ protocol: TCP
+ - port: 8080
+ targetPort: gunicorn
+ name: gunicorn
+ protocol: TCP
\ No newline at end of file
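Review bot: The IngressRoute metadata in route.yaml looks left over from another manifest: `name: longhorn-route` and `namespace: longhorn-system`, while the `recipes-service` it references is created in `tandoor`. Depending on whether the Kustomization's namespace override is applied, this could either collide with a Longhorn route of the same name or fail to resolve the service; `name: recipes-route` and `namespace: tandoor` would match the rest of the commit. The route also listens only on the `web` entry point, so logins and session cookies travel over plain HTTP unless TLS is terminated in front of Traefik; if it is not, route through a TLS entry point with a `tls:` section. Everything is also sent to `port: 80`, where the nginx config in this commit only serves `/static/` and `/media/`, so the application on 8080 appears unreachable through this route.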
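Review bot: The `recipes` ServiceAccount in service-account.yaml keeps the default token automount, so every container in the pod, including the init container that runs as root, receives a Kubernetes API credential. Nothing in the Deployment appears to call the API, so `automountServiceAccountToken: false` can be added at the top level of this ServiceAccount.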