--- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: ldap-pvc spec: accessModes: - ReadWriteMany resources: requests: storage: 100Mi storageClassName: longhorn --- {{- $_ := set $ "homey_openldap_admin" (include "homey.lookuporgensecret" (merge (dict "secretname" "openldap-admin") $))}} {{ include "homey.randomsecret" (merge (dict "secretname" "openldap-admin" "secretval" .homey_openldap_admin) $) }} # --- {{- $_ := set $ "homey_openldap_config" (include "homey.lookuporgensecret" (merge (dict "secretname" "openldap-config") $))}} {{ include "homey.randomsecret" (merge (dict "secretname" "openldap-config" "secretval" .homey_openldap_config) $) }} # --- {{- $_ := set $ "homey_openldap_ro" (include "homey.lookuporgensecret" (merge (dict "secretname" "openldap-ro") $))}} {{ include "homey.randomsecret" (merge (dict "secretname" "openldap-ro" "secretval" .homey_openldap_ro) $) }} --- {{- $_ := set $ "homey_authelia_jwt" (include "homey.lookuporgensecret" (merge (dict "secretname" "authelia-jwt") $))}} {{ include "homey.randomsecret" (merge (dict "secretname" "authelia-jwt" "secretval" .homey_authelia_jwt) $) }} --- {{- $_ := set $ "homey_authelia_session" (include "homey.lookuporgensecret" (merge (dict "secretname" "authelia-session") $))}} {{ include "homey.randomsecret" (merge (dict "secretname" "authelia-session" "secretval" .homey_authelia_session) $) }} --- {{- $_ := set $ "homey_authelia_encryption_key" (include "homey.lookuporgensecret" (merge (dict "secretname" "authelia-encryption-key") $))}} {{ include "homey.randomsecret" (merge (dict "secretname" "authelia-encryption-key" "secretval" .homey_authelia_encryption_key) $) }} --- apiVersion: apps/v1 kind: Deployment metadata: name: openldap labels: app.kubernetes.io/name: openldap spec: selector: matchLabels: app.kubernetes.io/name: openldap replicas: 1 template: metadata: labels: app.kubernetes.io/name: openldap spec: # securityContext: # fsGroup: 0 containers: - name: openldap image: osixia/openldap env: - name: LDAP_ORGANISATION value: {{ .Values.homey.organization }} - name: LDAP_DOMAIN value: {{ .Values.homey.url | quote}} - name: LDAP_ADMIN_USERNAME value: "admin" - name: LDAP_READONLY_USER value: "true" - name: LDAP_ADMIN_PASSWORD valueFrom: secretKeyRef: key: password name: openldap-admin - name: LDAP_CONFIG_PASSWORD valueFrom: secretKeyRef: key: password name: openldap-config - name: LDAP_READONLY_USER_PASSWORD valueFrom: secretKeyRef: key: password name: openldap-ro ports: - name: tcp-ldap containerPort: 389 - name: ssl-ldap containerPort: 636 volumeMounts: - mountPath: /etc/ldap/slapd.d subPath: openldap/etc/ldap/slapd.d name: openldap-volume - mountPath: /var/lib/ldap subPath: openldap/var/lib/ldap name: openldap-volume volumes: - name: openldap-volume persistentVolumeClaim: claimName: ldap-pvc --- apiVersion: v1 kind: Service metadata: name: openldap labels: app.kubernetes.io/name: openldap spec: type: ClusterIP ports: - name: tcp-ldap port: 389 targetPort: tcp-ldap - name: ssl-ldap port: 636 targetPort: ssl-ldap selector: app.kubernetes.io/name: openldap --- apiVersion: v1 kind: ConfigMap metadata: name: authelia-conf data: configuration.yml: |- {{ tpl (.Files.Get "files/authelia-config.yaml" | indent 4) . }} --- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: authelia-pvc spec: accessModes: - ReadWriteMany resources: requests: storage: 100Mi storageClassName: longhorn --- apiVersion: apps/v1 kind: Deployment metadata: name: authelia labels: app.kubernetes.io/name: authelia spec: selector: matchLabels: app.kubernetes.io/name: authelia replicas: 1 template: metadata: labels: app.kubernetes.io/name: authelia spec: enableServiceLinks: false containers: - name: authelia image: authelia/authelia imagePullPolicy: "IfNotPresent" env: - name: TZ value: "Jerusalem/Israel" ports: - name: tcp containerPort: 9091 volumeMounts: - mountPath: /config/configuration.yml name: authelia-conf subPath: configuration.yml readOnly: true - mountPath: /config subPath: authelia/config name: authelia-volume volumes: - name: authelia-conf configMap: name: authelia-conf items: - key: configuration.yml path: configuration.yml - name: authelia-volume persistentVolumeClaim: claimName: authelia-pvc --- apiVersion: v1 kind: Service metadata: name: authelia labels: app.kubernetes.io/name: authelia spec: type: ClusterIP ports: - name: tcp port: 9091 targetPort: tcp selector: app.kubernetes.io/name: authelia --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: authelia spec: ingressClassName: {{ .Values.homey.ingress_class }} tls: - hosts: - auth.{{ .Values.homey.url }} secretName: {{ .Values.homey.certname }} rules: - host: auth.{{ .Values.homey.url }} http: paths: - path: / pathType: Prefix backend: service: name: authelia port: number: 9091 --- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: gitea-pvc spec: accessModes: - ReadWriteMany resources: requests: storage: 5Gi storageClassName: longhorn --- {{- $_ := set $ "homey_gitea_admin_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "gitea-admin-pass") $))}} {{ include "homey.randomsecret" (merge (dict "secretname" "gitea-admin-pass" "secretval" .homey_gitea_admin_pass) $) }} --- {{- $_ := set $ "homey_gitea_lfs_jwt_secret" (include "homey.lookuporgensecret" (merge (dict "secretname" "gitea-lfs-jwt-secret") $))}} {{ include "homey.randomsecret" (merge (dict "secretname" "gitea-lfs-jwt-secret" "secretval" .homey_gitea_lfs_jwt_secret) $) }} --- {{- $_ := set $ "homey_gitea_oauth2_jwt_secret" (include "homey.lookuporgensecret" (merge (dict "secretname" "gitea-oauth2-jwt-secret") $))}} {{ include "homey.randomsecret" (merge (dict "secretname" "gitea-oauth2-jwt-secret" "secretval" .homey_gitea_oauth2_jwt_secret) $) }} --- apiVersion: v1 kind: Secret metadata: name: gitea-random-internal-token annotations: "helm.sh/resource-policy": "keep" type: Opaque data: {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "gitea-random-internal-token") | default dict -}} {{- $secretData := (get $secretObj "data") | default dict -}} {{- $pass := (get $secretData "password") | default (randAlphaNum 100 | b64enc) -}} {{- $_ := set $ "homey_gitea_random_internal_token" ($pass | b64dec) }} password: {{ $pass | quote }} --- apiVersion: v1 kind: ConfigMap metadata: name: gitea-conf data: app.ini: |- {{ tpl (.Files.Get "files/gitea-app.ini" | indent 4) . }} --- apiVersion: apps/v1 kind: Deployment metadata: name: gitea spec: replicas: 1 selector: matchLabels: app: gitea template: metadata: labels: app: gitea spec: containers: - name: gitea image: gitea/gitea:latest ports: - containerPort: 3000 name: http volumeMounts: - name: gitea-persistent-storage mountPath: /data subPath: gitea/gitea/data - name: gitea-conf mountPath: /data/gitea/conf/app.ini subPath: app.ini readOnly: true # startProbe: # httpGet: # path: / # port: 3000 # initialDelaySeconds: 15 # lifecycle: # postStart: # exec: # {{- $gitea_cmd := (printf "gitea admin auth add-ldap --name ldap --security-protocol unencrypted --host ldap --port 389 --user-search-base ou=users,%s --user-filter \\\"(&(objectClass=inetOrgPerson)(|(uid=%[1]s)(mail=kk[1]s)))\\\" --email-attribute mail --bind-dn=\\\"cn=readonly,%s\\\" --bind-password=\\\"%s\\\"" ( .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim) ( .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim) (.homey_openldap_ro | replace "\"" ""))}} # command: ["/bin/sh", "-c", "{{$gitea_cmd}}"] volumes: - name: gitea-persistent-storage persistentVolumeClaim: claimName: gitea-pvc - name: gitea-conf configMap: name: gitea-conf items: - key: app.ini path: app.ini --- apiVersion: v1 kind: Service metadata: name: gitea-svc spec: selector: app: gitea ports: - name: http-port protocol: TCP port: 3000 targetPort: http selector: app: gitea --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: gitea-ingress spec: ingressClassName: {{ .Values.homey.ingress_class }} tls: - hosts: - git.{{ .Values.homey.url }} secretName: {{ .Values.homey.certname }} rules: - host: git.{{ .Values.homey.url }} http: paths: - path: / pathType: Prefix backend: service: name: gitea-svc port: number: 3000 --- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: davical-postgres-pvc spec: accessModes: - ReadWriteMany resources: requests: storage: 1Gi storageClassName: longhorn --- {{- $_ := set $ "homey_davical_postgres_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "davical-postgres-pass") $))}} {{ include "homey.randomsecret" (merge (dict "secretname" "davical-postgres-pass" "secretval" .homey_davical_postgres_pass) $) }} --- # apiVersion: extensions/v1beta1 apiVersion: v1 kind: ConfigMap metadata: name: davical-postgres-config labels: app: davical-postgres data: POSTGRES_DB: postgres POSTGRES_USER: postgres --- apiVersion: apps/v1 kind: Deployment metadata: name: davical-postgres labels: app: davical-postgres spec: replicas: 1 selector: matchLabels: app: davical-postgres template: metadata: labels: app: davical-postgres name: davical-postgres spec: containers: - name: davical-postgres image: postgres:10.4 imagePullPolicy: "IfNotPresent" ports: - containerPort: 5432 envFrom: - configMapRef: name: davical-postgres-config env: - name: POSTGRES_PASSWORD valueFrom: secretKeyRef: name: davical-postgres-pass key: password volumeMounts: - mountPath: /var/lib/postgresql/data subPath: data name: davical-postgredb volumes: - name: davical-postgredb persistentVolumeClaim: claimName: davical-postgres-pvc --- apiVersion: v1 kind: Service metadata: name: davical-postgres labels: app: davical-postgres spec: ports: - port: 5432 selector: app: davical-postgres --- {{- $_ := set $ "homey_davical_admin_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "davical-admin-pass") $))}} {{ include "homey.randomsecret" (merge (dict "secretname" "davical-admin-pass" "secretval" .homey_davical_admin_pass) $) }} --- apiVersion: v1 kind: ConfigMap metadata: name: davical-conf data: config.php: |- {{ tpl (.Files.Get "files/davical-config.php" | indent 4) . }} --- apiVersion: apps/v1 kind: Deployment metadata: name: davical labels: app: davical spec: replicas: 1 selector: matchLabels: app: davical template: metadata: labels: app: davical spec: containers: - name: davical image: anerisgreat/davical-multiarch-docker:latest imagePullPolicy: "Always" ports: - containerPort: 80 name: dav env: - name: PGHOST value: "davical-postgres" - name: PGUSER value: "postgres" - name: PGPASSWORD valueFrom: secretKeyRef: name: davical-postgres-pass key: password - name: PGDATABASE value: "davical" - name: PGPORT value: "5432" - name: HOST_NAME value: "dav.{{ .Values.homey.url }}" - name: DAVICAL_ADMIN_PASS valueFrom: secretKeyRef: name: davical-admin-pass key: password - name: ROOT_PGUSER value: "postgres" - name: ROOT_PGPASSWORD valueFrom: secretKeyRef: name: davical-postgres-pass key: password - name: RUN_MIGRATIONS_AT_STARTUP value: "true" volumeMounts: - name: davical-conf mountPath: /etc/davical/config.php subPath: config.php readOnly: true volumes: - name: davical-conf configMap: name: davical-conf items: - key: config.php path: config.php --- apiVersion: v1 kind: Service metadata: name: davical spec: selector: app: davical ports: - name: dav protocol: TCP port: 80 targetPort: 80 selector: app: davical --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: davical annotations: kubernetes.io/ingress.allow-http: "false" nginx.ingress.kubernetes.io/force-ssl-redirect: "true" nginx.ingress.kubernetes.io/auth-method: GET nginx.ingress.kubernetes.io/auth-url: http://authelia.{{ .Release.Namespace }}.svc.cluster.local:9091/api/verify nginx.ingress.kubernetes.io/auth-signin: https://auth.{{ .Values.homey.url }}?rm=$request_method nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email nginx.ingress.kubernetes.io/auth-snippet: | proxy_set_header X-Forwarded-Method $request_method; auth_request_set $user $upstream_http_remote_user; auth_request_set $groups $upstream_http_remote_groups; auth_request_set $name $upstream_http_remote_name; auth_request_set $email $upstream_http_remote_email; proxy_set_header Remote-User $user; proxy_set_header Remote-Fullname $name; proxy_set_header Remote-Email $email; proxy_set_header Redirect-Remote-User $user; proxy_set_header Redirect-Remote-Fullname $name; proxy_set_header Redirect-Remote-Email $email; spec: ingressClassName: {{ .Values.homey.ingress_class }} tls: - hosts: - dav.{{ .Values.homey.url }} secretName: {{ .Values.homey.certname }} rules: - host: dav.{{ .Values.homey.url }} http: paths: - path: / pathType: Prefix backend: service: name: davical port: number: 80 ---