New repository structure

Author: ubergesundheit

.github/workflows/test-on-pr.yaml

@@ -0,0 +1,17 @@
+name: 'check manifests'
+on: pull_request
+
+jobs:
+  lint:
+    name: "Lint kustomization"
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'checkout'
+        uses: actions/checkout@v4
+
+      - name: Build and validate kustomization
+        uses: ubergesundheit/kube-check-action@main
+        with:
+          kustomize_build_input: sync
+          kube-linter_flags: "--config .kube-linter.yaml"
+          kubeconform_flags: "-strict -kubernetes-version 1.28.9 -schema-location 'https://raw.githubusercontent.com/ubergesundheit/kube-check-action/main/kubeconform-schemas/{{.ResourceKind}}.json' -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json' -schema-location default"

.gitignore

@@ -0,0 +1,5 @@
+secrets/
+terraform/scaleway-config.tfvars
+DEVNOTES.md
+temp/
+*.key

.kube-linter.yaml

@@ -0,0 +1,4 @@
+checks:
+  exclude:
+  - unset-cpu-requirements
+  - unset-memory-requirements

.sops.yaml

@@ -0,0 +1,5 @@
+creation_rules:
+- encrypted_regex: ^(data|stringData)$
+  path_regex: apps/*/*
+  age: >-
+    age1nzqaqzm7wfz04ld5esukhkghmayzt8xmnrjlau0rdcycjlu53pesgew089

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,21 @@
+# Deployment on Kubernetes
+
+License: [MIT](LICENSE)
+
+## Old master
+
+Old master branch has been preserved in [`old-master`](https://github.com/codeformuenster/kubernetes-deployment/tree/old-master) branch.
+
+## Encrypted secrets
+
+Secrets in this repository should be encrypted using [SOPS](https://github.com/mozilla/sops) and [age](https://github.com/FiloSottile/age).
+
+```
+# decrypt
+SOPS_AGE_KEY_FILE=/path/to/your/key.txt sops --output path/to/file --decrypt path/to/sops-secret.file
+
+# edit ...
+
+# encrypt again (public age key comes from the .sops.yaml)
+sops --output path/to/sops-secret.file -e path/to/file
+```

addons/clusterissuer.yaml

@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-c4m
+spec:
+  acme:
+    email: [email protected]
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-c4m-issuer-account-key
+    solvers:
+    - http01:
+        ingress:
+          class: changeme

addons/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ./clusterissuer.yaml

apps/crashes/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: c4m-crashes
+
+resources:
+- ../../base/namespace-pss-restricted
+- ./postgis.yaml
+- ./shiny.yaml
+
+labels:
+- includeSelectors: true
+  pairs:
+    app.kubernetes.io/part-of: crashfals

apps/crashes/postgis.yaml

@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgis
+  labels:
+    app.kubernetes.io/name: postgis
+    app.kubernetes.io/component: database
+spec:
+  ports:
+  - name: postgres
+    port: 5432
+    protocol: TCP
+  selector:
+    app.kubernetes.io/name: postgis
+    app.kubernetes.io/component: database
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgis-crashes
+automountServiceAccountToken: false
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: postgis
+  annotations:
+    "ignore-check.kube-linter.io/no-read-only-root-fs": "writable fs is required"
+  labels:
+    app.kubernetes.io/name: postgis
+    app.kubernetes.io/component: database
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: postgis
+      app.kubernetes.io/component: database
+  replicas: 1
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: postgis
+        app.kubernetes.io/component: database
+    spec:
+      terminationGracePeriodSeconds: 10
+      automountServiceAccountToken: false
+      serviceAccountName: postgis-crashes
+      containers:
+      - name: postgis
+        image: quay.io/codeformuenster/verkehrsunfaelle:2019-11-15
+        ports:
+        - name: postgres
+          containerPort: 5432
+        resources:
+          requests:
+            memory: "360Mi"
+            cpu: "100m"
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 70
+          runAsNonRoot: true
+          runAsUser: 70
+          seccompProfile:
+            type: RuntimeDefault
+          # limits:
+          #   cpu: "5000m"

apps/crashes/shiny.yaml

@@ -0,0 +1,127 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: shiny
+  labels:
+    app.kubernetes.io/name: shiny
+    app.kubernetes.io/component: webserver
+spec:
+  ports:
+  - port: 3838
+  selector:
+    app.kubernetes.io/name: shiny
+    app.kubernetes.io/component: webserver
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: shiny-crashes
+automountServiceAccountToken: false
+
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: shiny
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-c4m
+  labels:
+    app.kubernetes.io/name: shiny
+    app.kubernetes.io/component: webserver
+spec:
+  rules:
+  - host: crashes.codeformuenster.org
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: shiny
+            port:
+              number: 3838
+  tls:
+  - hosts:
+    - crashes.codeformuenster.org
+    secretName: crashes-tls
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: shiny
+  labels:
+    app.kubernetes.io/name: shiny
+    app.kubernetes.io/component: webserver
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: shiny
+      app.kubernetes.io/component: webserver
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: shiny
+        app.kubernetes.io/component: webserver
+    spec:
+      automountServiceAccountToken: false
+      serviceAccountName: shiny-crashes
+      securityContext:
+        fsGroup: 998
+      containers:
+      - name: shiny
+        image: quay.io/codeformuenster/crashes-shiny:v6.7.2
+        resources:
+          requests:
+            memory: "350Mi"
+            cpu: "640m"
+        ports:
+        - containerPort: 3838
+        env:
+        - name: TMPDIR
+          value: /tmp/shiny
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsGroup: 998
+          runAsNonRoot: true
+          runAsUser: 998
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - name: renviron-file
+          mountPath: /srv/shiny-server/.Renviron
+          subPath: .Renviron
+        - name: shiny-tmp
+          mountPath: /var/log/shiny-server
+          subPath: log
+        - name: shiny-tmp
+          mountPath: /var/lib/shiny-server
+          subPath: lib
+        - name: shiny-tmp
+          mountPath: /tmp
+          subPath: tmp
+      volumes:
+      - name: renviron-file
+        configMap:
+          name: renviron
+      - name: shiny-tmp
+        emptyDir:
+          medium: Memory
+          sizeLimit: 100Mi
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: renviron
+  labels:
+    app.kubernetes.io/name: shiny
+    app.kubernetes.io/component: webserver
+data:
+  .Renviron: |
+    POSTGRES_HOST=postgis

apps/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ./crashes
+- ./traffics
+- ./muenster-update

apps/muenster-update/gitrepo.yaml

@@ -0,0 +1,15 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: codeformuenster-muenster-jetzt
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://github.com/codeformuenster/muenster-jetzt.git
+  ref:
+    branch: master
+  ignore: |
+    # exclude all
+    /*
+    # include deployment dir
+    !/deployment/base