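# Helm template for the "homey" identity / collaboration stack:
#   OpenLDAP  - directory that every other service authenticates against
#   Authelia  - SSO portal, used by nginx-ingress as an auth_request backend
#   Gitea     - git hosting
#   DAViCal   - CalDAV/CardDAV server with its own PostgreSQL
#   SOGo      - groupware with its own PostgreSQL
# Each service gets storage (PVC), a Deployment, a Service and, where it is
# reachable from outside, an Ingress on a sub-host of .Values.homey.url that
# terminates TLS with the certificate secret .Values.homey.certname.
#
# Generated credentials go through the chart helpers homey.lookuporgensecret,
# homey.randomsecret and homey.lookuprandomsecret. They are defined elsewhere
# in the chart (not visible in this file); the secretKeyRef entries below
# assume each generated Secret stores its value under the key "password",
# which matches the hand-written gitea-random-internal-token Secret further down.
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ldap-pvc
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 100Mi
  storageClassName: longhorn
# Three OpenLDAP credentials: admin, cn=config, and a read-only bind user that
# the other services (SOGo, Gitea) use for user lookups. Every generated
# Secret is its own YAML document, so a real "---" separates them (a commented
# "# ---" would glue two Secret manifests into one document).
---
{{- $_ := set $ "homey_openldap_admin" (include "homey.lookuporgensecret" (merge (dict "secretname" "openldap-admin") $))}}
{{ include "homey.randomsecret" (merge (dict "secretname" "openldap-admin" "secretval" .homey_openldap_admin) $) }}
---
{{- $_ := set $ "homey_openldap_config" (include "homey.lookuporgensecret" (merge (dict "secretname" "openldap-config") $))}}
{{ include "homey.randomsecret" (merge (dict "secretname" "openldap-config" "secretval" .homey_openldap_config) $) }}
---
{{- $_ := set $ "homey_openldap_ro" (include "homey.lookuporgensecret" (merge (dict "secretname" "openldap-ro") $))}}
{{ include "homey.randomsecret" (merge (dict "secretname" "openldap-ro" "secretval" .homey_openldap_ro) $) }}
# Authelia's three server-side secrets (JWT signing, session, storage encryption).
---
{{- $_ := set $ "homey_authelia_jwt" (include "homey.lookuporgensecret" (merge (dict "secretname" "authelia-jwt") $))}}
{{ include "homey.randomsecret" (merge (dict "secretname" "authelia-jwt" "secretval" .homey_authelia_jwt) $) }}
---
{{- $_ := set $ "homey_authelia_session" (include "homey.lookuporgensecret" (merge (dict "secretname" "authelia-session") $))}}
{{ include "homey.randomsecret" (merge (dict "secretname" "authelia-session" "secretval" .homey_authelia_session) $) }}
---
{{- $_ := set $ "homey_authelia_encryption_key" (include "homey.lookuporgensecret" (merge (dict "secretname" "authelia-encryption-key") $))}}
{{ include "homey.randomsecret" (merge (dict "secretname" "authelia-encryption-key" "secretval" .homey_authelia_encryption_key) $) }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: openldap
  labels:
    app.kubernetes.io/name: openldap
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: openldap
  replicas: 1
  template:
    metadata:
      labels:
        app.kubernetes.io/name: openldap
    spec:
      # securityContext:
      #   fsGroup: 0
      containers:
        - name: openldap
          # No tag: the image floats with upstream. Pin a tag for reproducible
          # upgrades of the directory server.
          image: osixia/openldap
          env:
            # Quoted so an organisation name containing ':' or '#' stays a
            # valid YAML scalar (same treatment as LDAP_DOMAIN below).
            - name: LDAP_ORGANISATION
              value: {{ .Values.homey.organization | quote }}
            - name: LDAP_DOMAIN
              value: {{ .Values.homey.url | quote }}
            - name: LDAP_ADMIN_USERNAME
              value: "admin"
            # Creates cn=readonly; its password is what SOGo / Gitea bind with.
            - name: LDAP_READONLY_USER
              value: "true"
            - name: LDAP_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: openldap-admin
            - name: LDAP_CONFIG_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: openldap-config
            - name: LDAP_READONLY_USER_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: openldap-ro
          ports:
            - name: tcp-ldap
              containerPort: 389
            - name: ssl-ldap
              containerPort: 636
          # Config database and data database both live on ldap-pvc, under
          # separate subPaths.
          volumeMounts:
            - mountPath: /etc/ldap/slapd.d
              subPath: openldap/etc/ldap/slapd.d
              name: openldap-volume
            - mountPath: /var/lib/ldap
              subPath: openldap/var/lib/ldap
              name: openldap-volume
      volumes:
        - name: openldap-volume
          persistentVolumeClaim:
            claimName: ldap-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: openldap
  labels:
    app.kubernetes.io/name: openldap
spec:
  type: ClusterIP
  ports:
    - name: tcp-ldap
      port: 389
      targetPort: tcp-ldap
    - name: ssl-ldap
      port: 636
      targetPort: ssl-ldap
  selector:
    app.kubernetes.io/name: openldap
# Authelia configuration is kept in files/authelia-config.yaml and passed
# through tpl so it can reference .Values; indent 4 places it under the
# "configuration.yml" block scalar.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: authelia-conf
data:
  configuration.yml: |-
{{ tpl (.Files.Get "files/authelia-config.yaml" | indent 4) . }}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: authelia-pvc
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 100Mi
  storageClassName: longhorn
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: authelia
  labels:
    app.kubernetes.io/name: authelia
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: authelia
  replicas: 1
  template:
    metadata:
      labels:
        app.kubernetes.io/name: authelia
    spec:
      # Presumably keeps Kubernetes' injected *_PORT / *_SERVICE_* variables
      # out of Authelia's environment-based configuration -- confirm.
      enableServiceLinks: false
      containers:
        - name: authelia
          # Untagged image; pin a version for reproducible upgrades.
          image: authelia/authelia
          imagePullPolicy: "IfNotPresent"
          env:
            # IANA zone name; "Jerusalem/Israel" is not a valid identifier.
            # Matches SOGoTimeZone in the SOGo config below.
            - name: TZ
              value: "Asia/Jerusalem"
          ports:
            - name: tcp
              containerPort: 9091
          volumeMounts:
            # The rendered config file is overlaid read-only on top of the
            # persistent /config directory (session/user DB state).
            - mountPath: /config/configuration.yml
              name: authelia-conf
              subPath: configuration.yml
              readOnly: true
            - mountPath: /config
              subPath: authelia/config
              name: authelia-volume
      volumes:
        - name: authelia-conf
          configMap:
            name: authelia-conf
            items:
              - key: configuration.yml
                path: configuration.yml
        - name: authelia-volume
          persistentVolumeClaim:
            claimName: authelia-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: authelia
  labels:
    app.kubernetes.io/name: authelia
spec:
  type: ClusterIP
  ports:
    - name: tcp
      port: 9091
      targetPort: tcp
  selector:
    app.kubernetes.io/name: authelia
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: authelia
spec:
  ingressClassName: {{ .Values.homey.ingress_class }}
  tls:
    - hosts:
        - auth.{{ .Values.homey.url }}
      secretName: {{ .Values.homey.certname }}
  rules:
    - host: auth.{{ .Values.homey.url }}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: authelia
                port:
                  number: 9091
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: gitea-pvc
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 5Gi
  storageClassName: longhorn
# Gitea credentials consumed by files/gitea-app.ini via the homey_gitea_*
# root-context variables set here.
---
{{- $_ := set $ "homey_gitea_admin_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "gitea-admin-pass") $))}}
{{ include "homey.randomsecret" (merge (dict "secretname" "gitea-admin-pass" "secretval" .homey_gitea_admin_pass) $) }}
---
{{- $_ := set $ "homey_gitea_lfs_jwt_secret" (include "homey.lookuporgensecret" (merge (dict "secretname" "gitea-lfs-jwt-secret") $))}}
{{ include "homey.randomsecret" (merge (dict "secretname" "gitea-lfs-jwt-secret" "secretval" .homey_gitea_lfs_jwt_secret) $) }}
---
{{- $_ := set $ "homey_gitea_oauth2_jwt_secret" (include "homey.lookuporgensecret" (merge (dict "secretname" "gitea-oauth2-jwt-secret") $))}}
{{ include "homey.randomsecret" (merge (dict "secretname" "gitea-oauth2-jwt-secret" "secretval" .homey_gitea_oauth2_jwt_secret) $) }}
# Gitea's INTERNAL_TOKEN, generated inline instead of through the helpers:
# re-use the existing value if the Secret already exists in the namespace,
# otherwise draw a fresh 100-character random token. "keep" stops Helm from
# deleting it on uninstall, so the token survives a reinstall.
---
apiVersion: v1
kind: Secret
metadata:
  name: gitea-random-internal-token
  annotations:
    "helm.sh/resource-policy": "keep"
type: Opaque
data:
  {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "gitea-random-internal-token") | default dict -}}
  {{- $secretData := (get $secretObj "data") | default dict -}}
  {{- $pass := (get $secretData "password") | default (randAlphaNum 100 | b64enc) -}}
  {{- $_ := set $ "homey_gitea_random_internal_token" ($pass | b64dec) }}
  password: {{ $pass | quote }}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: gitea-conf
data:
  app.ini: |-
{{ tpl (.Files.Get "files/gitea-app.ini" | indent 4) . }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gitea
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gitea
  template:
    metadata:
      labels:
        app: gitea
    spec:
      containers:
        - name: gitea
          # ":latest" floats; pin a version for reproducible upgrades.
          image: gitea/gitea:latest
          ports:
            - containerPort: 3000
              name: http
          volumeMounts:
            - name: gitea-persistent-storage
              mountPath: /data
              subPath: gitea/gitea/data
            - name: gitea-conf
              mountPath: /data/gitea/conf/app.ini
              subPath: app.ini
              readOnly: true
          # Disabled startup probe and LDAP auto-registration hook, kept for
          # reference.
          # startupProbe:
          #   httpGet:
          #     path: /
          #     port: 3000
          #   initialDelaySeconds: 15
          # lifecycle:
          #   postStart:
          #     exec:
          #       command: ["/bin/sh", "-c", "<gitea_cmd, see template comment below>"]
          {{- /*
          The hook lives in a Go-template comment rather than a YAML "#"
          comment: Helm still evaluates actions inside "#" lines, so the old
          form computed the command -- read-only LDAP password included -- and
          rendered it into the manifest (visible in `helm template` output and
          stored in the release history). Here it is neither evaluated nor
          rendered.
          {{- $gitea_cmd := (printf "gitea admin auth add-ldap --name ldap --security-protocol unencrypted --host openldap --port 389 --user-search-base ou=users,%s --user-filter \\\"(&(objectClass=inetOrgPerson)(|(uid=%[1]s)(mail=%[1]s)))\\\" --email-attribute mail --bind-dn=\\\"cn=readonly,%s\\\" --bind-password=\\\"%s\\\"" ( .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim) ( .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim) (.homey_openldap_ro | replace "\"" ""))}}
          command: ["/bin/sh", "-c", "{{$gitea_cmd}}"]
          */}}
      volumes:
        - name: gitea-persistent-storage
          persistentVolumeClaim:
            claimName: gitea-pvc
        - name: gitea-conf
          configMap:
            name: gitea-conf
            items:
              - key: app.ini
                path: app.ini
---
apiVersion: v1
kind: Service
metadata:
  name: gitea-svc
spec:
  # selector appears once; a second copy of the key is a YAML duplicate.
  selector:
    app: gitea
  ports:
    - name: http-port
      protocol: TCP
      port: 3000
      targetPort: http
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: gitea-ingress
spec:
  ingressClassName: {{ .Values.homey.ingress_class }}
  tls:
    - hosts:
        - git.{{ .Values.homey.url }}
      secretName: {{ .Values.homey.certname }}
  rules:
    - host: git.{{ .Values.homey.url }}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: gitea-svc
                port:
                  number: 3000
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: davical-postgres-pvc
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
  storageClassName: longhorn
---
{{- $_ := set $ "homey_davical_postgres_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "davical-postgres-pass") $))}}
{{ include "homey.randomsecret" (merge (dict "secretname" "davical-postgres-pass" "secretval" .homey_davical_postgres_pass) $) }}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: davical-postgres-config
  labels:
    app: davical-postgres
data:
  POSTGRES_DB: postgres
  POSTGRES_USER: postgres
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: davical-postgres
  labels:
    app: davical-postgres
spec:
  replicas: 1
  selector:
    matchLabels:
      app: davical-postgres
  template:
    metadata:
      labels:
        app: davical-postgres
      name: davical-postgres
    spec:
      containers:
        - name: davical-postgres
          # PostgreSQL 10 is out of upstream support. The on-disk data
          # directory is tied to this major version, so bumping it requires a
          # dump/restore rather than a plain image change.
          image: postgres:10.4
          imagePullPolicy: "IfNotPresent"
          ports:
            - containerPort: 5432
          envFrom:
            - configMapRef:
                name: davical-postgres-config
          env:
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: davical-postgres-pass
                  key: password
          volumeMounts:
            - mountPath: /var/lib/postgresql/data
              subPath: data
              name: davical-postgredb
      volumes:
        - name: davical-postgredb
          persistentVolumeClaim:
            claimName: davical-postgres-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: davical-postgres
  labels:
    app: davical-postgres
spec:
  ports:
    - port: 5432
  selector:
    app: davical-postgres
---
{{- $_ := set $ "homey_davical_admin_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "davical-admin-pass") $))}}
{{ include "homey.randomsecret" (merge (dict "secretname" "davical-admin-pass" "secretval" .homey_davical_admin_pass) $) }}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: davical-conf
data:
  config.php: |-
{{ tpl (.Files.Get "files/davical-config.php" | indent 4) . }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: davical
  labels:
    app: davical
spec:
  replicas: 1
  selector:
    matchLabels:
      app: davical
  template:
    metadata:
      labels:
        app: davical
    spec:
      containers:
        - name: davical
          # ":latest" with Always pulls a fresh image on every restart; pin a
          # tag for reproducible upgrades.
          image: anerisgreat/davical-multiarch-docker:latest
          imagePullPolicy: "Always"
          ports:
            - containerPort: 80
              name: dav
          env:
            # Application connection (PG*) and the superuser connection
            # (ROOT_PG*) both use the postgres superuser here; a dedicated
            # low-privilege application role would narrow the blast radius.
            - name: PGHOST
              value: "davical-postgres"
            - name: PGUSER
              value: "postgres"
            - name: PGPASSWORD
              valueFrom:
                secretKeyRef:
                  name: davical-postgres-pass
                  key: password
            - name: PGDATABASE
              value: "davical"
            - name: PGPORT
              value: "5432"
            - name: HOST_NAME
              value: "dav.{{ .Values.homey.url }}"
            - name: DAVICAL_ADMIN_PASS
              valueFrom:
                secretKeyRef:
                  name: davical-admin-pass
                  key: password
            - name: ROOT_PGUSER
              value: "postgres"
            - name: ROOT_PGPASSWORD
              valueFrom:
                secretKeyRef:
                  name: davical-postgres-pass
                  key: password
            - name: RUN_MIGRATIONS_AT_STARTUP
              value: "true"
          volumeMounts:
            - name: davical-conf
              mountPath: /etc/davical/config.php
              subPath: config.php
              readOnly: true
      volumes:
        - name: davical-conf
          configMap:
            name: davical-conf
            items:
              - key: config.php
                path: config.php
---
apiVersion: v1
kind: Service
metadata:
  name: davical
spec:
  # selector appears once; a second copy of the key is a YAML duplicate.
  selector:
    app: davical
  ports:
    - name: dav
      protocol: TCP
      port: 80
      targetPort: 80
# DAViCal is protected by Authelia through nginx-ingress forward auth: every
# request is verified against the in-cluster Authelia Service, unauthenticated
# users are sent to the auth portal, and the identity Authelia returns is
# re-sent to DAViCal as Remote-* headers. Only the ingress can set those
# headers, so DAViCal must not be reachable by any other route.
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: davical
  annotations:
    kubernetes.io/ingress.allow-http: "false"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/auth-method: GET
    nginx.ingress.kubernetes.io/auth-url: http://authelia.{{ .Release.Namespace }}.svc.cluster.local:9091/api/verify
    nginx.ingress.kubernetes.io/auth-signin: https://auth.{{ .Values.homey.url }}?rm=$request_method
    nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
    # NOTE(review): $groups is captured but never forwarded; add
    # "proxy_set_header Remote-Groups $groups;" if DAViCal is meant to see
    # group membership -- confirm against the davical config.
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header X-Forwarded-Method $request_method;
      auth_request_set $user $upstream_http_remote_user;
      auth_request_set $groups $upstream_http_remote_groups;
      auth_request_set $name $upstream_http_remote_name;
      auth_request_set $email $upstream_http_remote_email;
      proxy_set_header Remote-User $user;
      proxy_set_header Remote-Fullname $name;
      proxy_set_header Remote-Email $email;
      proxy_set_header Redirect-Remote-User $user;
      proxy_set_header Redirect-Remote-Fullname $name;
      proxy_set_header Redirect-Remote-Email $email;
spec:
  ingressClassName: {{ .Values.homey.ingress_class }}
  tls:
    - hosts:
        - dav.{{ .Values.homey.url }}
      secretName: {{ .Values.homey.certname }}
  rules:
    - host: dav.{{ .Values.homey.url }}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: davical
                port:
                  number: 80
# SOGo's database password is a fixed literal because sogo.conf below embeds
# the same value in its postgresql:// URLs. It must be given through
# stringData: under data: the literal "sogo" would be base64-DECODED into
# three unrelated bytes, so PostgreSQL and sogo.conf would disagree and SOGo
# could never connect. Moving both sides to homey.randomsecret /
# homey.lookuprandomsecret (as the OpenLDAP bind password already does) would
# remove the shared plaintext from the chart.
---
apiVersion: v1
kind: Secret
metadata:
  name: sogo-db-pass
type: Opaque
stringData:
  password: "sogo"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: sogo-postgres-config
  labels:
    app: sogo-postgres
data:
  POSTGRES_DB: sogo
  POSTGRES_USER: sogo
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sogo-postgres
  labels:
    app: sogo-postgres
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sogo-postgres
  template:
    metadata:
      labels:
        app: sogo-postgres
      name: sogo-postgres
    spec:
      containers:
        - name: postgres
          # Same out-of-support major version as davical-postgres; see the
          # note there about upgrading.
          image: postgres:10.4
          imagePullPolicy: "IfNotPresent"
          ports:
            - containerPort: 5432
          envFrom:
            - configMapRef:
                name: sogo-postgres-config
          env:
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: sogo-db-pass
                  key: password
          volumeMounts:
            - mountPath: /var/lib/postgresql/data
              subPath: sogo/db/data
              name: sogo-postgresdb
      volumes:
        - name: sogo-postgresdb
          persistentVolumeClaim:
            # NOTE(review): homey-pvc-longhorn is not declared in this file --
            # confirm it exists elsewhere in the chart (the other databases
            # use a dedicated PVC declared next to them).
            claimName: homey-pvc-longhorn
---
apiVersion: v1
kind: Service
metadata:
  name: sogo-postgres
  labels:
    app: sogo-postgres
spec:
  ports:
    - port: 5432
  selector:
    app: sogo-postgres
# SOGo configuration (OpenStep plist). The LDAP user source binds as
# cn=readonly with the generated openldap-ro password; bindPassword is the
# only templated secret in the file and is resolved at render time.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: sogo-conf
data:
  sogo.conf: |-
    {
      /* *********************  Main SOGo configuration file  **********************
       *                                                                          *
       * Since the content of this file is a dictionary in OpenStep plist format, *
       * the curly braces enclosing the body of the configuration are mandatory.  *
       * See the Installation Guide for details on the format.                    *
       *                                                                          *
       * C and C++ style comments are supported.                                  *
       *                                                                          *
       * This example configuration contains only a subset of all available       *
       * configuration parameters. Please see the installation guide more details.*
       *                                                                          *
       * ~sogo/GNUstep/Defaults/.GNUstepDefaults has precedence over this file,   *
       * make sure to move it away to avoid unwanted parameter overrides.         *
       *                                                                          *
       * **************************************************************************/

      /* Database configuration (mysql:// or postgresql://) */
      /* The "sogo:sogo" credentials must match the sogo-db-pass Secret. */
      SOGoProfileURL = "postgresql://sogo:sogo@sogo-postgres:5432/sogo/sogo_user_profile";
      OCSFolderInfoURL = "postgresql://sogo:sogo@sogo-postgres:5432/sogo/sogo_folder_info";
      OCSSessionsFolderURL = "postgresql://sogo:sogo@sogo-postgres:5432/sogo/sogo_sessions_folder";

      /* Mail */
      SOGoDraftsFolderName = Drafts;
      SOGoSentFolderName = Sent;
      SOGoTrashFolderName = Trash;
      //SOGoIMAPServer = localhost;
      //SOGoSieveServer = sieve://127.0.0.1:4190;
      //SOGoSMTPServer = smtp://domain:port/?tls=YES;
      //SOGoMailDomain = acme.com;
      SOGoMailingMechanism = smtp;
      //SOGoForceExternalLoginWithEmail = NO;
      //SOGoMailSpoolPath = /var/spool/sogo;
      //NGImap4ConnectionStringSeparator = "/";

      /* Notifications */
      //SOGoAppointmentSendEMailNotifications = NO;
      //SOGoACLsSendEMailNotifications = NO;
      //SOGoFoldersSendEMailNotifications = NO;

      /* Authentication */
      SOGoPasswordChangeEnabled = YES;

      SOGoUserSources = (
        {
          type = ldap;
          CNFieldName = cn;
          UIDFieldName = uid;
          IDFieldName = uid; // first field of the DN for direct binds
          bindFields = (uid, mail); // array of fields to use for indirect binds
          baseDN = "ou=users,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}";
          bindDN = "cn=readonly,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}";
          bindPassword = {{ include "homey.lookuprandomsecret" (merge (dict "secretname" "openldap-ro") $) }};
          canAuthenticate = YES;
          displayName = "Shared Addresses";
          // Plain ldap:// inside the cluster; the openldap Service also
          // exposes 636 if bind credentials should not cross the pod
          // network in clear.
          hostname = ldap://openldap:389;
          id = public;
          isAddressBook = YES;
        }
      );

      /* Web Interface */
      //SOGoPageTitle = SOGo;
      SOGoVacationEnabled = YES;
      SOGoForwardEnabled = YES;
      SOGoSieveScriptsEnabled = YES;
      //SOGoMailAuxiliaryUserAccountsEnabled = YES;
      //SOGoTrustProxyAuthentication = NO;
      SOGoXSRFValidationEnabled = YES;

      /* General - SOGoTimeZone *MUST* be defined */
      SOGoLanguage = English;
      SOGoTimeZone = Asia/Jerusalem;
      //SOGoCalendarDefaultRoles = (
      //  PublicDAndTViewer,
      //  ConfidentialDAndTViewer
      //);
      //SOGoSuperUsernames = (sogo1, sogo2); // This is an array - keep the parens!
      SxVMemLimit = 384;
      //WOPidFile = "/var/run/sogo/sogo.pid";
      // Unix socket; presumably provided by memcached inside the sogo image,
      // since no memcached container is declared here -- confirm.
      SOGoMemcachedHost = "/var/run/memcached/memcached.sock";

      /* Debug */
      //SOGoDebugRequests = YES;
      //SoDebugBaseURL = YES;
      //ImapDebugEnabled = YES;
      //LDAPDebugEnabled = YES;
      //PGDebugEnabled = YES;
      //MySQL4DebugEnabled = YES;
      //SOGoUIxDebugEnabled = YES;
      //WODontZipResponse = YES;
      //WOLogFile = /var/log/sogo/sogo.log;
    }
---
apiVersion: v1
kind: Service
metadata:
  name: sogo
  labels:
    app: sogo
spec:
  ports:
    - port: 80
      targetPort: 80
  selector:
    app: sogo
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sogo
spec:
  # Stop the old container before starting the new one: no documented
  # upgrade policy is known, so a stop-then-start is the safe choice.
  strategy:
    type: Recreate
    rollingUpdate: null
  selector:
    matchLabels:
      app: sogo
  replicas: 1
  template:
    metadata:
      labels:
        app: sogo
    spec:
      containers:
        - name: sogo
          image: effitient/sogo:5.1.0_7
          resources:
            requests:
              cpu: 100m
              memory: 400Mi
          ports:
            - containerPort: 80
          volumeMounts:
            - mountPath: /etc/sogo/sogo.conf
              name: sogo-conf
              subPath: sogo.conf
              readOnly: true
      volumes:
        - name: sogo-conf
          configMap:
            name: sogo-conf
            optional: false
# SOGo is served on sogo.<url>; the TLS host list and the rule host must name
# the same host, and the backend must be the "sogo" Service declared above.
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: sogo-ingress
spec:
  ingressClassName: {{ .Values.homey.ingress_class }}
  tls:
    - hosts:
        - sogo.{{ .Values.homey.url }}
      secretName: {{ .Values.homey.certname }}
  rules:
    - host: sogo.{{ .Values.homey.url }}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: sogo
                port:
                  number: 80
---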