gitea_admin/k8s-and-chill
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

refactor(prototypes): parameterize env-specific values for multi-env support

Browse source 
Extract domain, ingress class, TLS issuer, storage classes, S3 endpoints,
backup toggles, and forgejo node selector into env-data values. Each
prototype's app-data declares its subdomain alongside namespace; templates
compute host as <subdomain>.<cluster.domain>.

Schema is shape-only with safe defaults; production env-data sets values
explicitly. Backup CronJobs and external-secret prechecks gate on
backups.enabled and ocis.s3.external. Adds mkcert ClusterIssuer + precheck
Job for local-dev TLS, gated on cluster.tls.issuer == "mkcert".

forgejo argocd-deploy-key Job: REPO_URL/FORGEJO_URL moved to container env
vars to keep the script ytt-templatable; runtime behavior unchanged.

Production render verified byte-identical (excluding the deploy-key Job
env-var refactor and chart-volatile UUID ConfigMaps).
This commit is contained in:
Felix Wolf 2026-05-03 15:08:48 +02:00
parent e42ff64f7b
commit 279cd0d19f
24 changed files with 309 additions and 98 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

37
envs/env-data-schema.ytt.yaml Normal file
View file

@ -0,0 +1,37 @@
#@data/values-schema
---
#@overlay/match missing_ok=True
cluster:
domain: ""
ingress:
className: ""
tls:
issuer: ""
storageClass:
block: ""
local: ""
#@overlay/match missing_ok=True
backups:
enabled: false
s3:
endpoint: ""
region: ""
storagebox:
enabled: false
#@overlay/match missing_ok=True
ocis:
s3:
external: false
endpoint: ""
region: ""
bucket: ""
#@overlay/match missing_ok=True
forgejo:
sshPort: 22
#@schema/type any=True
nodeSelector: {}
backup:
s3Bucket: ""

35
envs/production/env-data.ytt.yaml
View file

@ -1,3 +1,5 @@
#@ load("@ytt:overlay", "overlay")
#@data/values #@data/values
--- ---
environment: environment:
@ -16,3 +18,36 @@ environment:
- proto: cloudnative-pg - proto: cloudnative-pg
- proto: metrics-server - proto: metrics-server
- proto: ocis - proto: ocis
cluster:
domain: tr1ceracop.de
ingress:
className: traefik
tls:
issuer: letsencrypt
storageClass:
block: hcloud-volumes
local: local-path
backups:
enabled: true
s3:
endpoint: https://fsn1.your-objectstorage.com
region: fsn1
storagebox:
enabled: true
ocis:
s3:
external: true
endpoint: https://nbg1.your-objectstorage.com
region: nbg1
bucket: ocis-tr1ceracop
forgejo:
sshPort: 222
#@overlay/replace
nodeSelector:
kubernetes.io/hostname: ubuntu-4gb-nbg1-3
backup:
s3Bucket: k8s-and-chill-backups

1
prototypes/argocd/app-data.ytt.yaml
View file

@ -3,3 +3,4 @@
#@overlay/match-child-defaults missing_ok=True #@overlay/match-child-defaults missing_ok=True
application: application:
namespace: argocd namespace: argocd
subdomain: argocd

8
prototypes/argocd/helm/argo-cd.yaml → prototypes/argocd/helm/argo-cd.ytt.yaml
View file

@ -1,10 +1,12 @@
#@ load("@ytt:data", "data")
#@ host = data.values.application.subdomain + "." + data.values.cluster.domain
--- ---
crds: crds:
install: true install: true
keep: true keep: true
global: global:
domain: argocd.tr1ceracop.de domain: #@ host
configs: configs:
params: params:
@ -30,10 +32,10 @@ server:
enabled: true enabled: true
ingress: ingress:
enabled: true enabled: true
ingressClassName: traefik ingressClassName: #@ data.values.cluster.ingress.className
tls: true tls: true
annotations: annotations:
cert-manager.io/cluster-issuer: letsencrypt cert-manager.io/cluster-issuer: #@ data.values.cluster.tls.issuer
repoServer: repoServer:
metrics: metrics:

5
prototypes/cert-manager/ytt/clusterissuer.ytt.yaml
View file

@ -1,5 +1,7 @@
#@ load("@ytt:overlay", "overlay") #@ load("@ytt:overlay", "overlay")
#@ load("@ytt:data", "data")
#@ if data.values.cluster.tls.issuer == "letsencrypt":
--- ---
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
kind: ClusterIssuer kind: ClusterIssuer
@ -14,4 +16,5 @@ spec:
solvers: solvers:
- http01: - http01:
ingress: ingress:
ingressClassName: traefik ingressClassName: #@ data.values.cluster.ingress.className
#@ end

85
prototypes/cert-manager/ytt/mkcert-ca-precheck-job.ytt.yaml Normal file
View file

@ -0,0 +1,85 @@
#@ load("@ytt:data", "data")
#@ ns = data.values.application.namespace
#@ if data.values.cluster.tls.issuer == "mkcert":
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: mkcert-ca-precheck
namespace: #@ ns
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: mkcert-ca-precheck
namespace: #@ ns
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: mkcert-ca-precheck
namespace: #@ ns
subjects:
- kind: ServiceAccount
name: mkcert-ca-precheck
namespace: #@ ns
roleRef:
kind: Role
name: mkcert-ca-precheck
apiGroup: rbac.authorization.k8s.io
---
apiVersion: batch/v1
kind: Job
metadata:
name: mkcert-ca-precheck
namespace: #@ ns
annotations:
argocd.argoproj.io/sync-wave: "-1"
argocd.argoproj.io/sync-options: Replace=true
spec:
ttlSecondsAfterFinished: 300
template:
spec:
serviceAccountName: mkcert-ca-precheck
restartPolicy: OnFailure
securityContext:
runAsNonRoot: true
runAsUser: 65532
runAsGroup: 65532
seccompProfile:
type: RuntimeDefault
containers:
- name: precheck
image: alpine/k8s:1.32.3
command:
- sh
- -c
- |
set -e
if ! kubectl get secret mkcert-ca -n "${NAMESPACE}" >/dev/null 2>&1; then
echo "ERROR: External secret mkcert-ca must be created in ${NAMESPACE} before deploying cert-manager."
echo "Run: mkcert -install && kubectl -n ${NAMESPACE} create secret tls mkcert-ca --cert=\"\$(mkcert -CAROOT)/rootCA.pem\" --key=\"\$(mkcert -CAROOT)/rootCA-key.pem\""
exit 1
fi
echo "OK: mkcert-ca exists"
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
#@ end

12
prototypes/cert-manager/ytt/mkcert-clusterissuer.ytt.yaml Normal file
View file

@ -0,0 +1,12 @@
#@ load("@ytt:data", "data")
#@ if data.values.cluster.tls.issuer == "mkcert":
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: mkcert
spec:
ca:
secretName: mkcert-ca
#@ end

1
prototypes/forgejo/app-data.ytt.yaml
View file

@ -3,3 +3,4 @@
#@overlay/match-child-defaults missing_ok=True #@overlay/match-child-defaults missing_ok=True
application: application:
namespace: forgejo namespace: forgejo
subdomain: git

14
prototypes/forgejo/helm/forgejo.yaml → prototypes/forgejo/helm/forgejo.ytt.yaml
View file

@ -1,3 +1,5 @@
#@ load("@ytt:data", "data")
#@ host = data.values.application.subdomain + "." + data.values.cluster.domain
--- ---
strategy: strategy:
type: Recreate type: Recreate
@ -17,16 +19,16 @@ persistence:
ingress: ingress:
enabled: true enabled: true
hosts: hosts:
- host: git.tr1ceracop.de - host: #@ host
paths: paths:
- path: / - path: /
pathType: Prefix pathType: Prefix
tls: tls:
- secretName: forgejo-tls - secretName: forgejo-tls
hosts: hosts:
- git.tr1ceracop.de - #@ host
annotations: annotations:
cert-manager.io/cluster-issuer: letsencrypt cert-manager.io/cluster-issuer: #@ data.values.cluster.tls.issuer
service: service:
ssh: ssh:
@ -58,9 +60,9 @@ gitea:
queue: queue:
TYPE: level TYPE: level
server: server:
DOMAIN: git.tr1ceracop.de DOMAIN: #@ host
ROOT_URL: https://git.tr1ceracop.de/ ROOT_URL: #@ "https://{}/".format(host)
SSH_PORT: 222 SSH_PORT: #@ data.values.forgejo.sshPort
service: service:
DISABLE_REGISTRATION: true DISABLE_REGISTRATION: true
actions: actions:

19
prototypes/forgejo/ytt/argocd-deploy-key-job.ytt.yaml
View file

@ -1,6 +1,9 @@
#@ load("@ytt:data", "data") #@ load("@ytt:data", "data")
#@ ns = data.values.application.namespace #@ ns = data.values.application.namespace
#@ host = data.values.application.subdomain + "." + data.values.cluster.domain
#@ repo_url = "ssh://git@" + host + ":" + str(data.values.forgejo.sshPort) + "/gitea_admin/k8s-and-chill.git"
#@ forgejo_url = "https://" + host
--- ---
apiVersion: v1 apiVersion: v1
@ -51,6 +54,15 @@ spec:
containers: containers:
- name: init - name: init
image: alpine/k8s:1.32.3 image: alpine/k8s:1.32.3
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: REPO_URL
value: #@ repo_url
- name: FORGEJO_URL
value: #@ forgejo_url
command: command:
- sh - sh
- -c - -c
@ -59,8 +71,6 @@ spec:
ARGOCD_NS="argocd" ARGOCD_NS="argocd"
REPO_SECRET="forgejo-repo" REPO_SECRET="forgejo-repo"
REPO_URL="ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git"
FORGEJO_URL="https://git.tr1ceracop.de"
REPO_OWNER="gitea_admin" REPO_OWNER="gitea_admin"
REPO_NAME="k8s-and-chill" REPO_NAME="k8s-and-chill"
@ -142,8 +152,3 @@ spec:
EOSECRET EOSECRET
echo "Created ArgoCD repository secret ${REPO_SECRET} in ${ARGOCD_NS}" echo "Created ArgoCD repository secret ${REPO_SECRET} in ${ARGOCD_NS}"
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace

8
prototypes/forgejo/ytt/cnpg-cluster.ytt.yaml
View file

@ -18,7 +18,7 @@ spec:
storage: storage:
size: 5Gi size: 5Gi
storageClass: hcloud-volumes storageClass: #@ data.values.cluster.storageClass.block
resources: resources:
requests: requests:
@ -27,10 +27,11 @@ spec:
limits: limits:
memory: 512Mi memory: 512Mi
#@ if data.values.backups.enabled:
backup: backup:
barmanObjectStore: barmanObjectStore:
endpointURL: https://fsn1.your-objectstorage.com endpointURL: #@ data.values.backups.s3.endpoint
destinationPath: s3://k8s-and-chill-backups/forgejo/cnpg destinationPath: #@ "s3://{}/forgejo/cnpg".format(data.values.forgejo.backup.s3Bucket)
s3Credentials: s3Credentials:
accessKeyId: accessKeyId:
name: forgejo-backup-s3 name: forgejo-backup-s3
@ -44,6 +45,7 @@ spec:
compression: gzip compression: gzip
retentionPolicy: "30d" retentionPolicy: "30d"
target: prefer-standby target: prefer-standby
#@ end
postgresql: postgresql:
parameters: parameters:

2
prototypes/forgejo/ytt/cnpg-scheduled-backup.ytt.yaml
View file

@ -2,6 +2,7 @@
#@ ns = data.values.application.namespace #@ ns = data.values.application.namespace
#@ if data.values.backups.enabled:
--- ---
apiVersion: postgresql.cnpg.io/v1 apiVersion: postgresql.cnpg.io/v1
kind: ScheduledBackup kind: ScheduledBackup
@ -15,3 +16,4 @@ spec:
method: barmanObjectStore method: barmanObjectStore
backupOwnerReference: cluster backupOwnerReference: cluster
target: prefer-standby target: prefer-standby
#@ end

2
prototypes/forgejo/ytt/git-pvc.ytt.yaml
View file

@ -13,7 +13,7 @@ metadata:
spec: spec:
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
storageClassName: hcloud-volumes storageClassName: #@ data.values.cluster.storageClass.block
resources: resources:
requests: requests:
storage: 20Gi storage: 20Gi

73
prototypes/forgejo/ytt/git-snapshot-cronjob.ytt.yaml
View file

@ -2,6 +2,43 @@
#@ ns = data.values.application.namespace #@ ns = data.values.application.namespace
#@ s3_endpoint = data.values.backups.s3.endpoint
#@ s3_bucket = data.values.forgejo.backup.s3Bucket
#@ backup_script = """\
#@ set -e
#@ apk add --no-cache rclone > /dev/null 2>&1
#@
#@ mkdir -p /tmp/rclone
#@ cat > /tmp/rclone/rclone.conf <<CONF
#@ [s3]
#@ type = s3
#@ provider = Other
#@ access_key_id = ${ACCESS_KEY_ID}
#@ secret_access_key = ${SECRET_ACCESS_KEY}
#@ endpoint = """ + s3_endpoint + """
#@ acl = private
#@ CONF
#@
#@ echo "Syncing git repositories to S3..."
#@ rclone sync /data/git/ s3:""" + s3_bucket + """/forgejo/git/ \\
#@ --config /tmp/rclone/rclone.conf \\
#@ --transfers 4 \\
#@ -v
#@
#@ echo "Syncing gitea data (avatars, attachments, keys)..."
#@ rclone sync /data/gitea/ s3:""" + s3_bucket + """/forgejo/gitea/ \\
#@ --config /tmp/rclone/rclone.conf \\
#@ --exclude 'conf/**' \\
#@ --exclude 'queues/**' \\
#@ --transfers 4 \\
#@ -v
#@
#@ rm -rf /tmp/rclone
#@ echo "Backup complete."
#@ """
#@ if data.values.backups.enabled:
--- ---
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
@ -27,45 +64,14 @@ spec:
spec: spec:
restartPolicy: OnFailure restartPolicy: OnFailure
serviceAccountName: forgejo-git-backup serviceAccountName: forgejo-git-backup
nodeSelector: nodeSelector: #@ data.values.forgejo.nodeSelector
kubernetes.io/hostname: ubuntu-4gb-nbg1-3
containers: containers:
- name: backup - name: backup
image: alpine:3.20 image: alpine:3.20
command: command:
- sh - sh
- -c - -c
- | - #@ backup_script
set -e
apk add --no-cache rclone > /dev/null 2>&1
mkdir -p /tmp/rclone
cat > /tmp/rclone/rclone.conf <<CONF
[s3]
type = s3
provider = Other
access_key_id = ${ACCESS_KEY_ID}
secret_access_key = ${SECRET_ACCESS_KEY}
endpoint = https://fsn1.your-objectstorage.com
acl = private
CONF
echo "Syncing git repositories to S3..."
rclone sync /data/git/ s3:k8s-and-chill-backups/forgejo/git/ \
--config /tmp/rclone/rclone.conf \
--transfers 4 \
-v
echo "Syncing gitea data (avatars, attachments, keys)..."
rclone sync /data/gitea/ s3:k8s-and-chill-backups/forgejo/gitea/ \
--config /tmp/rclone/rclone.conf \
--exclude 'conf/**' \
--exclude 'queues/**' \
--transfers 4 \
-v
rm -rf /tmp/rclone
echo "Backup complete."
env: env:
- name: ACCESS_KEY_ID - name: ACCESS_KEY_ID
valueFrom: valueFrom:
@ -85,3 +91,4 @@ spec:
- name: data - name: data
persistentVolumeClaim: persistentVolumeClaim:
claimName: forgejo-git-storage claimName: forgejo-git-storage
#@ end

5
prototypes/forgejo/ytt/ingress-fix.ytt.yaml
View file

@ -1,4 +1,7 @@
#@ load("@ytt:overlay", "overlay") #@ load("@ytt:overlay", "overlay")
#@ load("@ytt:data", "data")
#@ host = data.values.application.subdomain + "." + data.values.cluster.domain
#@overlay/match by=overlay.subset({"kind": "Ingress"}), expects="0+" #@overlay/match by=overlay.subset({"kind": "Ingress"}), expects="0+"
--- ---
@ -6,7 +9,7 @@ apiVersion: networking.k8s.io/v1
spec: spec:
#@overlay/replace #@overlay/replace
rules: rules:
- host: git.tr1ceracop.de - host: #@ host
http: http:
paths: paths:
- path: / - path: /

6
prototypes/forgejo/ytt/ssh-hostport.ytt.yaml
View file

@ -1,4 +1,5 @@
#@ load("@ytt:overlay", "overlay") #@ load("@ytt:overlay", "overlay")
#@ load("@ytt:data", "data")
#! Add hostPort 22 to the SSH container port and pin to the DNS target node #! Add hostPort 22 to the SSH container port and pin to the DNS target node
#@overlay/match by=overlay.subset({"kind": "Deployment", "metadata": {"name": "forgejo"}}) #@overlay/match by=overlay.subset({"kind": "Deployment", "metadata": {"name": "forgejo"}})
@ -7,11 +8,10 @@ spec:
template: template:
spec: spec:
#@overlay/match missing_ok=True #@overlay/match missing_ok=True
nodeSelector: nodeSelector: #@ data.values.forgejo.nodeSelector
kubernetes.io/hostname: ubuntu-4gb-nbg1-3
containers: containers:
#@overlay/match by=overlay.subset({"name": "forgejo"}) #@overlay/match by=overlay.subset({"name": "forgejo"})
- ports: - ports:
#@overlay/match by=overlay.subset({"name": "ssh"}) #@overlay/match by=overlay.subset({"name": "ssh"})
#@overlay/match-child-defaults missing_ok=True #@overlay/match-child-defaults missing_ok=True
- hostPort: 222 - hostPort: #@ data.values.forgejo.sshPort

1
prototypes/grafana/app-data.ytt.yaml
View file

@ -3,3 +3,4 @@
#@overlay/match-child-defaults missing_ok=True #@overlay/match-child-defaults missing_ok=True
application: application:
namespace: monitoring namespace: monitoring
subdomain: grafana

12
prototypes/grafana/helm/grafana.yaml → prototypes/grafana/helm/grafana.ytt.yaml
View file

@ -1,3 +1,5 @@
#@ load("@ytt:data", "data")
#@ host = data.values.application.subdomain + "." + data.values.cluster.domain
--- ---
admin: admin:
existingSecret: grafana-admin existingSecret: grafana-admin
@ -15,19 +17,19 @@ resources:
persistence: persistence:
enabled: true enabled: true
size: 2Gi size: 2Gi
storageClassName: local-path storageClassName: #@ data.values.cluster.storageClass.local
ingress: ingress:
enabled: true enabled: true
ingressClassName: traefik ingressClassName: #@ data.values.cluster.ingress.className
hosts: hosts:
- grafana.tr1ceracop.de - #@ host
tls: tls:
- secretName: grafana-tls - secretName: grafana-tls
hosts: hosts:
- grafana.tr1ceracop.de - #@ host
annotations: annotations:
cert-manager.io/cluster-issuer: letsencrypt cert-manager.io/cluster-issuer: #@ data.values.cluster.tls.issuer
datasources: datasources:
datasources.yaml: datasources.yaml:

1
prototypes/ocis/app-data.ytt.yaml
View file

@ -3,3 +3,4 @@
#@overlay/match-child-defaults missing_ok=True #@overlay/match-child-defaults missing_ok=True
application: application:
namespace: ocis namespace: ocis
subdomain: drive

50
prototypes/ocis/helm/ocis.yaml → prototypes/ocis/helm/ocis.ytt.yaml
View file

@ -1,15 +1,17 @@
#@ load("@ytt:data", "data")
#@ host = data.values.application.subdomain + "." + data.values.cluster.domain
--- ---
externalDomain: drive.tr1ceracop.de externalDomain: #@ host
ingress: ingress:
enabled: true enabled: true
ingressClassName: traefik ingressClassName: #@ data.values.cluster.ingress.className
annotations: annotations:
cert-manager.io/cluster-issuer: letsencrypt cert-manager.io/cluster-issuer: #@ data.values.cluster.tls.issuer
tls: tls:
- secretName: ocis-tls - secretName: ocis-tls
hosts: hosts:
- drive.tr1ceracop.de - #@ host
features: features:
emailNotifications: emailNotifications:
@ -51,12 +53,12 @@ services:
driver: s3ng driver: s3ng
driverConfig: driverConfig:
s3ng: s3ng:
endpoint: https://nbg1.your-objectstorage.com endpoint: #@ data.values.ocis.s3.endpoint
region: nbg1 region: #@ data.values.ocis.s3.region
bucket: ocis-tr1ceracop bucket: #@ data.values.ocis.s3.bucket
persistence: persistence:
enabled: true enabled: true
storageClassName: hcloud-volumes storageClassName: #@ data.values.cluster.storageClass.block
size: 10Gi size: 10Gi
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
@ -64,7 +66,7 @@ services:
storagesystem: storagesystem:
persistence: persistence:
enabled: true enabled: true
storageClassName: hcloud-volumes storageClassName: #@ data.values.cluster.storageClass.block
size: 10Gi size: 10Gi
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
@ -76,7 +78,7 @@ services:
cpu: 10m cpu: 10m
persistence: persistence:
enabled: true enabled: true
storageClassName: hcloud-volumes storageClassName: #@ data.values.cluster.storageClass.block
size: 10Gi size: 10Gi
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
@ -88,7 +90,7 @@ services:
cpu: 10m cpu: 10m
persistence: persistence:
enabled: true enabled: true
storageClassName: local-path storageClassName: #@ data.values.cluster.storageClass.local
size: 1Gi size: 1Gi
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
@ -96,25 +98,25 @@ services:
search: search:
persistence: persistence:
enabled: true enabled: true
storageClassName: local-path storageClassName: #@ data.values.cluster.storageClass.local
size: 5Gi size: 5Gi
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
web: web:
# GOTCHA: if this PVC is recreated, /branding/logo POST/DELETE will #! GOTCHA: if this PVC is recreated, /branding/logo POST/DELETE will
# 500 with "permission denied". The chart mounts an `apps` emptyDir #! 500 with "permission denied". The chart mounts an `apps` emptyDir
# at /var/lib/ocis/web/assets/apps; kubelet auto-creates the parent #! at /var/lib/ocis/web/assets/apps; kubelet auto-creates the parent
# dirs as root:root 0755 *after* fsGroup runs, and local-path's #! dirs as root:root 0755 *after* fsGroup runs, and local-path's
# hostPath PV doesn't get fsGroup recursion — so user 1000 can't #! hostPath PV doesn't get fsGroup recursion — so user 1000 can't
# mkdir themes/ to store the uploaded logo. Was masked while ocis #! mkdir themes/ to store the uploaded logo. Was masked while ocis
# ran as PSS=privileged (root); surfaced after PSS=restricted. #! ran as PSS=privileged (root); surfaced after PSS=restricted.
# Remediation: one-shot privileged Job in kube-system, hostPath- #! Remediation: one-shot privileged Job in kube-system, hostPath-
# mount the local-path PV directory, `chown -R 1000:1000` it. #! mount the local-path PV directory, `chown -R 1000:1000` it.
# Permanent fix: switch to a CSI storageClass (hcloud-volumes). #! Permanent fix: switch to a CSI storageClass (hcloud-volumes).
persistence: persistence:
enabled: true enabled: true
storageClassName: local-path storageClassName: #@ data.values.cluster.storageClass.local
size: 1Gi size: 1Gi
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
@ -131,7 +133,7 @@ services:
cpu: 10m cpu: 10m
persistence: persistence:
enabled: true enabled: true
storageClassName: local-path storageClassName: #@ data.values.cluster.storageClass.local
size: 2Gi size: 2Gi
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce

20
prototypes/ocis/ytt/external-secret-precheck-job.ytt.yaml
View file

@ -2,6 +2,15 @@
#@ ns = data.values.application.namespace #@ ns = data.values.application.namespace
#@ secrets = []
#@ if data.values.ocis.s3.external:
#@ secrets.append("ocis-s3-credentials")
#@ end
#@ if data.values.backups.enabled and data.values.backups.storagebox.enabled:
#@ secrets.append("ocis-storagebox-credentials")
#@ end
#@ if len(secrets) > 0:
--- ---
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
@ -72,15 +81,7 @@ spec:
command: command:
- sh - sh
- -c - -c
- | - #@ "set -e\nfor s in " + " ".join(secrets) + "; do\n if ! kubectl get secret \"$s\" -n \"${NAMESPACE}\" >/dev/null 2>&1; then\n echo \"ERROR: External secret $s must be created manually before deploying ocis\"\n exit 1\n fi\n echo \"OK: $s exists\"\ndone\n"
set -e
for s in ocis-s3-credentials ocis-storagebox-credentials; do
if ! kubectl get secret "$s" -n "${NAMESPACE}" >/dev/null 2>&1; then
echo "ERROR: External secret $s must be created manually before deploying ocis"
exit 1
fi
echo "OK: $s exists"
done
env: env:
- name: NAMESPACE - name: NAMESPACE
valueFrom: valueFrom:
@ -92,3 +93,4 @@ spec:
capabilities: capabilities:
drop: drop:
- ALL - ALL
#@ end

2
prototypes/ocis/ytt/s3-backup-cronjob.ytt.yaml
View file

@ -2,6 +2,7 @@
#@ ns = data.values.application.namespace #@ ns = data.values.application.namespace
#@ if data.values.backups.enabled and data.values.backups.storagebox.enabled:
--- ---
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
@ -110,3 +111,4 @@ spec:
- key: ssh-key - key: ssh-key
path: ssh-key path: ssh-key
defaultMode: 0440 defaultMode: 0440
#@ end

2
prototypes/ocis/ytt/volume-backup-cronjob.ytt.yaml
View file

@ -19,6 +19,7 @@
#@ {"app": "storagesystem", "pvc": "storagesystem-data"}, #@ {"app": "storagesystem", "pvc": "storagesystem-data"},
#@ ] #@ ]
#@ if data.values.backups.enabled and data.values.backups.storagebox.enabled:
#@ for t in targets: #@ for t in targets:
--- ---
apiVersion: batch/v1 apiVersion: batch/v1
@ -118,3 +119,4 @@ spec:
path: ssh-key path: ssh-key
defaultMode: 0440 defaultMode: 0440
#@ end #@ end
#@ end

6
rendered/envs/production/forgejo/job-argocd-deploy-key-init.yaml
View file

@ -19,8 +19,6 @@ spec:
ARGOCD_NS="argocd" ARGOCD_NS="argocd"
REPO_SECRET="forgejo-repo" REPO_SECRET="forgejo-repo"
REPO_URL="ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git"
FORGEJO_URL="https://git.tr1ceracop.de"
REPO_OWNER="gitea_admin" REPO_OWNER="gitea_admin"
REPO_NAME="k8s-and-chill" REPO_NAME="k8s-and-chill"
@ -107,6 +105,10 @@ spec:
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: metadata.namespace fieldPath: metadata.namespace
- name: REPO_URL
value: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
- name: FORGEJO_URL
value: https://git.tr1ceracop.de
image: alpine/k8s:1.32.3 image: alpine/k8s:1.32.3
name: init name: init
restartPolicy: OnFailure restartPolicy: OnFailure