ed6fa66eb2
fix(mycloud-nextcloud): develop notify_push 2024-11-27 21:00:28 +01:00
106 changed files with 523 additions and 2140 deletions


@ -48,6 +48,8 @@ commons:
to:
dns: []
k8sAPI: []
smtp: []
matrix: []
grafana:
datasource:


@ -27,20 +27,6 @@ commons:
annotations:
grafana.mon.local/dashboard-folder: "myCloud"
networkpolicies:
to:
smtp: []
matrix: []
database:
- ports:
- port: 5432
protocol: "TCP"
to:
- podSelector:
matchLabels:
app.kubernetes.io/instance: mycloud-services-postgresql
app.kubernetes.io/name: postgresql
redis:
replicas: 0
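Review bot: The new side of this hunk drops the port-scoped `database` egress rule (TCP 5432 to the pod labelled `app.kubernetes.io/instance: mycloud-services-postgresql`) together with the `smtp` and `matrix` entries under `networkpolicies.to`, and I cannot see from the hunk what replaces them. If the chart still renders a default-deny egress NetworkPolicy for this component, the workload loses its only path to PostgreSQL; if the policy itself is removed, egress becomes unrestricted. Either way, prefer keeping the narrow rule — `database:` with `- port: 5432`, `protocol: "TCP"` and the `podSelector` — over a broader allow, and note the rationale next to `networkpolicies:` if the rule now lives in a shared default. The enclosing `commons:` block starts before this hunk.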


@ -1,19 +0,0 @@
##
# commons are from mycloud-core
##
components:
mycloud-services:
# patch mycloud-core to get another database
values:
databases:
git-forgejo:
type: postgresql
git-woodpecker:
type: postgresql
mycloud-git-small:
enabled: true
namespace:
# current namespace
name:


@ -1,17 +0,0 @@
##
# commons are from mycloud-core
##
components:
mycloud-services:
# patch mycloud-core to get another database
values:
databases:
paperless:
type: postgresql
mycloud-paperless:
enabled: true
namespace:
# current namespace
name:


@ -2,7 +2,7 @@ commons:
tracing:
enabled: true
http:
endpoint: "http://tempo.monitoring.svc:4318/v1/traces"
endpoint: "http://tempo.monitoring.svc:4318"
grpc:
enabled: true
insecure: true
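Review bot: The new side shortens the OTLP HTTP endpoint to `http://tempo.monitoring.svc:4318` without the `/v1/traces` path; whether that still works depends on the consumer, since the OTLP spec treats a signal-specific endpoint as a full URL and only the generic endpoint setting gets the path appended. I cannot see the tracing client from here, so confirm it appends `/v1/traces`; if it does not, keep `endpoint: "http://tempo.monitoring.svc:4318/v1/traces"`. Both this `http://` endpoint and the grpc `insecure: true` below it carry traces (request URLs, user identifiers) in cleartext across the cluster network, which is only acceptable if the `monitoring` namespace is fenced off by NetworkPolicy — worth a one-line `# plaintext OTLP: relies on in-cluster network policy` comment so the trade-off is visible.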


@ -2,7 +2,7 @@
{{- if ($config.enabled | default false) }}
{{- $componentName := $config.name | default $componentInstance }}
---
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: "{{ printf "%s-%s" $.Release.Name $componentInstance | replace (printf "%s-%s" $.Release.Name $.Release.Name) $.Release.Name }}"
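Review bot: The new side of this hunk pins the HelmRelease template to `helm.toolkit.fluxcd.io/v2beta2`, which Flux deprecated when `v2` went GA, so clusters on a current Flux will log deprecation warnings now and refuse the object once the old version is dropped; this rendered compare prints the removed line first, so if the commit is really being read in reverse, `v2` is the line to keep. The same change is repeated in the other HelmRelease hunks and in the HelmRepository hunks (`source.toolkit.fluxcd.io/v1beta2` versus `v1`), yet the blackbox-exporter and tempo releases in this commit end up on `v2beta1` — pick one API version per kind and apply it consistently. A single `# Flux API versions: helm v2 / source v1 (min Flux 2.3)` comment at the top of the chart would document the floor.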


@ -50,7 +50,7 @@ spec:
# secretRef:
# name: gpg-publickey
---
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: infra <4>


@ -69,7 +69,7 @@ spec:
# name: gpg-publickey
---
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: mycloud <1>


@ -57,12 +57,10 @@ components:
mycloud-nextcloud:
values:
ingress:
host: "files.wrenix.eu"
host: "files.wrenix.eu:"
mycloud-collabora:
values:
remoteFont:
url: "https://files.wrenix.eu/apps/richdocuments/settings/fonts.json"
allowedHosts:
files.wrenix.eu: []
```


@ -1,5 +1,5 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: cert-manager
@ -21,8 +21,6 @@ spec:
interval: 10m
values:
installCRDs: true
config:
enableGatewayAPI: true
resources:
requests:


@ -1,5 +1,5 @@
---
apiVersion: source.toolkit.fluxcd.io/v1
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: jetstack


@ -7,7 +7,6 @@ metadata:
data:
{{- $isMonitoring := and
(.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor")
(.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PodMonitor")
}}
monitoring: {{ $isMonitoring | quote }}
{{- $isTraefik := and


@ -1,6 +1,6 @@
{{- if (eq .Values.controller "traefik") }}
---
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: traefik
@ -30,60 +30,6 @@ spec:
{{- if .Values.hostNetwork }}
dnsPolicy: ClusterFirstWithHostNet
{{- end }}
podAnnotations:
{{- if .Values.traefik.logs.metrics }}
checksum/vector-config: {{ include (print $.Template.BasePath "/traefik/vector/configmap.yaml") $ | sha256sum }}
{{- if .Values.traefik.logs.geoip.enabled }}
initContainers:
- name: "download-geoip"
image: "alpine"
command:
- sh
- -c
- |
cd /usr/share/GeoIP
wget -O geoip-db.mmdb {{ .Values.traefik.logs.geoip.url | quote}}
# gunzip geoip-db.mmdb.gz
volumeMounts:
- mountPath: "/usr/share/GeoIP"
name: geoip
{{- end }}
additionalContainers:
- name: "vector"
image: docker.io/timberio/vector:0.45.0-debian
args:
- --watch-config
- --watch-config-method
- poll
livenessProbe:
httpGet:
path: /health
port: vector-api
volumeMounts:
- mountPath: "/etc/vector/vector.yaml"
subPath: "vector.yaml"
name: vector-config
readOnly: true
{{- if .Values.traefik.logs.geoip.enabled }}
- mountPath: "/usr/share/GeoIP"
name: geoip
{{- end }}
ports:
- name: vector-api
containerPort: 8686
protocol: TCP
- name: vector-metrics
containerPort: 9116
protocol: TCP
additionalVolumes:
- name: vector-config
configMap:
name: traefik-vector
{{- if .Values.traefik.logs.geoip.enabled }}
- name: geoip
empty: {}
{{- end }}
{{- end }}
hostNetwork: {{ .Values.hostNetwork }}
updateStrategy:
rollingUpdate:
@ -97,18 +43,10 @@ spec:
- IPv6
- IPv4
{{- with .Values.traefik.additionalArguments }}
additionalArguments:
{{- with .Values.traefik.additionalArguments }}
{{- toYaml . | nindent 6 }}
{{- end }}
{{- if .Values.traefik.logs.metrics }}
- --experimental.otlpLogs=true
- --accesslog=true
- --accesslog.otlp=true
- --accesslog.otlp.grpc=true
- --accesslog.otlp.grpc.endpoint=localhost:4317
- --accesslog.otlp.grpc.insecure=true
{{- end }}
{{- end }}
tolerations:
- key: "CriticalAddonsOnly"
@ -122,7 +60,6 @@ spec:
priorityClassName: "system-cluster-critical"
ports:
metrics:
port: 9111
@ -143,10 +80,6 @@ spec:
{{- with .Values.traefik.ports }}
{{- toYaml . | nindent 6 }}
{{- end }}
gateway:
listeners:
web:
port: 80
{{- if .Values.hostNetwork }}
podSecurityContext: null
securityContext:
@ -159,8 +92,6 @@ spec:
kubernetesIngress:
publishedService:
enabled: true
kubernetesGateway:
enabled: true
ingressRoute:
dashboard:
@ -184,7 +115,7 @@ spec:
format: "json"
level: WARN
access:
enabled: {{ toYaml (and .Values.logs.access (not .Values.traefik.logs.metrics)) }}
enabled: {{ toYaml .Values.logs.access }}
format: "json"
{{- end }}
@ -194,7 +125,6 @@ spec:
service:
enabled: true
serviceMonitor:
enabled: true
additionalLabels:
{{- toYaml $.Values.commons.prometheus.monitor.labels | nindent 12 }}
{{- end }}
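Review bot: With `.Values.hostNetwork` set, the new side still nulls `podSecurityContext` (the context lines right after `hostNetwork: {{ .Values.hostNetwork }}`), and the `securityContext:` block that follows is cut off by the next hunk header, so I cannot confirm the Traefik container still drops capabilities and runs non-root once it is on the node's network namespace. Binding :80/:443 on the host needs only `NET_BIND_SERVICE`; keep `runAsNonRoot: true`, `capabilities: {drop: ["ALL"], add: ["NET_BIND_SERVICE"]}` and `allowPrivilegeEscalation: false` in that block rather than relaxing the whole pod context. Removing the vector sidecar also takes the unpinned `alpine` GeoIP init container and the `accesslog.otlp.grpc.insecure=true` flag with it, which is an improvement; the `spec.values` block this hunk edits starts before the first hunk.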


@ -1,6 +1,6 @@
{{- if (eq .Values.controller "traefik") }}
---
apiVersion: source.toolkit.fluxcd.io/v1
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: traefik


@ -1,117 +0,0 @@
{{- if and (eq .Values.controller "traefik") .Values.traefik.logs.metrics }}
apiVersion: v1
kind: ConfigMap
metadata:
name: traefik-vector
data:
vector.yaml: |
api:
enabled: true
address: "0.0.0.0:8686"
{{- if .Values.traefik.logs.geoip.enabled }}
enrichment_tables:
geoip:
type: "geoip"
path: "/usr/share/GeoIP/geoip-db.mmdb"
locale: "en"
{{- end }}
sources:
otlp:
type: opentelemetry
grpc:
address: 127.0.0.1:4317
http:
address: 127.0.0.1:4318
transforms:
{{- with .Values.traefik.logs.additionalTransforms }}
{{- toYaml . | nindent 6 }}
{{- end }}
{{ $input := "otlp.logs" }}
{{- if .Values.traefik.logs.geoip.enabled }}
geolookup:
inputs:
- "otlp.logs"
type: "remap"
source: |
if ip_cidr_contains!([
"10.0.0.0/8",
"100.64.0.0/10",
"172.16.0.0/12",
"192.168.0.0/16",
"fc00::/7",
], .attributes.ClientHost) {
.geoip = {
"latitude": 0.0,
"longitude": 0.0,
"continent_code": "internal",
"country_code": "internal",
"country_name": "internal"
}
} else {
.geoip, .err = get_enrichment_table_record("geoip", {"ip": .attributes.ClientHost}, [
"latitude",
"longitude",
"continent_code",
"country_code",
"country_name"
])
if .err != null {
log(.err, level: "error")
}
if !exists(.geoip.continent_code) {
.geoip = {
"latitude": 0.0,
"longitude": 0.0,
"continent_code": "unknown",
"country_code": "unknown",
"country_name": "unknown"
}
}
}
del(.err)
{{ $input = "geolookup"}}
{{- end }}
metrics:
inputs:
- {{ $input }}
type: log_to_metric
metrics:
- namespace: "traefik_logs"
name: "access"
field: "attributes.RequestHost"
type: counter
tags:
{{`
host: "{{ attributes.RequestHost }}"
entryPoint: "{{ attributes.entryPointName }}"
`}}
{{- if .Values.traefik.logs.geoip.enabled }}
{{`
latitude: "{{ geoip.latitude }}"
longitude: "{{ geoip.longitude }}"
continent_code: "{{ geoip.continent_code }}"
country_code: "{{ geoip.country_code }}"
country_name: "{{ geoip.country_name }}"
`}}
{{- end }}
{{- with .Values.traefik.logs.additionalMetrics }}
{{- toYaml . | nindent 10 }}
{{- end }}
sinks:
{{- if .Values.logs.access }}
console:
inputs:
- {{ $input }}
type: console
encoding:
codec: logfmt
{{- end }}
{{- with .Values.traefik.logs.additionalSinks }}
{{- toYaml . | nindent 6 }}
{{- end }}
prometheus:
inputs:
- metrics
type: prometheus_exporter
address: "[::]:9116"
{{- end }}


@ -1,16 +0,0 @@
{{- if and (eq .Values.controller "traefik") .Values.traefik.logs.metrics (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PodMonitor") }}
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: traefik-vector
labels:
{{- toYaml .Values.commons.prometheus.monitor.labels | nindent 4 }}
spec:
selector:
matchLabels:
app.kubernetes.io/name: traefik
app.kubernetes.io/instance: traefik-ingress
podMetricsEndpoints:
- port: vector-metrics
path: /metrics
{{- end }}


@ -57,14 +57,4 @@ logs:
traefik:
ports: {}
hostPath: /srv/k8s/pv/pvc-traefik-certs
logs:
# -- analyse logs to metrics
metrics: false
geoip:
enabled: false
url: "https://raw.githubusercontent.com/P3TERX/GeoLite.mmdb/download/GeoLite2-City.mmdb"
# -- you could use the source `otlp.logs` to recieve access-logs and work with them
additionalTransforms: {}
additionalMetrics: []
additionalSinks: {}
additionalArguments: []


@ -1,53 +0,0 @@
data_dir: /vector-data-dir
api:
enabled: true
address: 127.0.0.1:8686
playground: false
sources:
kubernetes_logs:
type: kubernetes_logs
host_metrics:
filesystem:
devices:
excludes: [binfmt_misc]
filesystems:
excludes: [binfmt_misc]
mountpoints:
excludes: ["*/proc/sys/fs/binfmt_misc"]
type: host_metrics
internal_metrics:
type: internal_metrics
transforms:
logs:
type: remap
inputs:
- kubernetes_logs
source: |-
if !exists(.pod_namespace) {
.pod_namespace = "unknown"
}
if !exists(.metadata) {
.metadata = {
"not found": "unknown"
}
}
sinks:
prom_exporter:
type: prometheus_exporter
inputs: [host_metrics, internal_metrics]
address: 0.0.0.0:9090
{{- if .Values.loki.enabled }}
loki:
type: loki
inputs:
- logs
endpoint: http://loki:3100
encoding:
codec: logfmt
labels:
{{`
"pod_labels_*": "{{ kubernetes.pod_labels }}"
"namespace": "{{ kubernetes.pod_namespace }}"
"*": "{{ metadata }}"
`}}
{{- end }}


@ -6,8 +6,9 @@ metadata:
namespace: "{{ .Values.init.namespace }}"
data:
{{- if and
(.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PodMonitor")
(.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor")
(.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule")
(.Capabilities.APIVersions.Has "logging.banzaicloud.io/v1beta1/Flow")
}}
init: "-1"
{{- else }}


@ -0,0 +1,45 @@
{{- if (.Capabilities.APIVersions.Has "logging.banzaicloud.io/v1beta1/Flow") }}
---
apiVersion: logging.banzaicloud.io/v1beta1
kind: Flow
metadata:
name: coredns
namespace: kube-system
spec:
match:
- select:
labels:
k8s-app: "coredns"
filters:
- tag_normaliser: {}
- parser:
reserve_data: true
remove_key_name_field: true
parse:
type: "multi_format"
patterns:
- format: "regexp"
expression: '^\[(?<log.level>.*)\] \[?(?<source.address>.*)\]?:(?<source.port>.*) - (?<dns.id>.*) "(?<dns.question.type>.*) (?<dns.question.class>.*) (?<dns.question.name>.*)\.? (?<network.transport>.*) (?<coredns.query.size>.*) (?<coredns.dnssec_ok>.*) (?<bufsize>.*)" (?<dns.response_code>.*) (?<dns.header_flags>.*) (?<coredns.response.size>.*) (?<coredns.duration>.*)s'
types: "source.port:integer,dns.id:integer,coredns.query.size:integer,coredns.dnssec_ok:bool,bufsize:integer,dns.header_flags:array,coredns.response.size:integer,coredns.duration:float"
- format: "none"
- record_transformer:
enable_ruby: true
records:
- source.ip: '${ record["source.address"] }'
dns.header_flags: '${ !(record["dns.header_flags"].nil?) ? record["dns.header_flags"].map(&:upcase) : nil }'
event.duration: '${ !(record["coredns.duration"].nil?) ? record["coredns.duration"] * 1000000000 : nil }'
event.kind: "event"
event.category: "network"
event.type: "protocol"
event.outcome: '${ record["dns.response_code"] == "NOERROR" ? "success" : "failure" }'
event.protocol: "dns"
event.module: "coredns"
related.ip: '${ record["source.address"] }'
# for dashboard
fileset.name: "kubernetes"
coredns.query.name: '${ record["dns.question.name"] }'
remove_keys: "coredns.duration,coredns.dnssec_ok"
globalOutputRefs:
- "default"
{{- end }}
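Review bot: Every field in the coredns `regexp` pattern is captured with greedy `.*`, so `(?<dns.question.name>.*)\.?` always swallows the trailing dot of the FQDN (the `\.?` can never match) and any query name or log line with an unexpected space shifts all later fields into the wrong keys before the `types:` casts run. Use non-space classes for the space-delimited fields, e.g. `(?<dns.question.name>[^ ]+?)\.? (?<network.transport>[^ ]+) (?<coredns.query.size>\d+) (?<coredns.dnssec_ok>[^ ]+) (?<bufsize>\d+)"`, and do the same for `source.address`/`source.port` so an IPv6 client (`[::1]:5353`) is split correctly. A one-line comment above `expression:` spelling out the CoreDNS log layout (`[level] addr:port - id "type class name proto size do bufsize" rcode flags rsize duration`) would make the regex maintainable.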


@ -0,0 +1,52 @@
{{- if (.Capabilities.APIVersions.Has "logging.banzaicloud.io/v1beta1/Flow") }}
---
apiVersion: logging.banzaicloud.io/v1beta1
kind: Flow
metadata:
name: klog
namespace: kube-system
spec:
match:
- select:
labels:
k8s-app: "konnectivity-agent"
- select:
labels:
k8s-app: "kube-proxy"
- select:
labels:
app: "snapshot-validation-webhook"
filters:
- tag_normaliser: {}
- parser:
hash_value_field: "klog"
reserve_data: true
remove_key_name_field: true
parse:
type: "multi_format"
patterns:
- format: "regexp"
expression: '(?<log_level>[A-Z])(?<month>\d{2})(?<day>\d{2})\s+(?<time>\d{2}:\d{2}:\d{2}(|\.\d+))\s+(?<threadid>\d+)\s+(?<file>[^ ]*):(?<line>\d+)\]\s("(?<msg>([^"\\]*(?:\\.[^"\\]*)*))"(|\s+(?<kv>.*))|(?<greedy_msg>.*))$'
types: "month:integer,day:integer,threadid:integer"
- format: "none"
- record_transformer:
enable_ruby: true
records:
- timestamp: '${time.strftime("%Y")}-${ record["klog"]["month"] }-${ record["klog"]["day"] }T${ record["klog"]["time"] }Z'
message: '${ !(record["klog"]["greedy_msg"].nil?) ? record["klog"]["greedy_msg"] : record["klog"]["msg"] }'
log.level: '${ record["klog"]["log_level"].gsub("I", "info").gsub("W", "warn").gsub("E", "error").gsub("F", "fatal") }'
klog_kv: '${ !(record["klog"]["kv"].nil?) ? record["klog"]["kv"] : "" }'
remove_keys: "$['klog']['month'],$['klog']['day'],$['klog']['time'],$['klog']['log_level'],$['klog']['msg'],$['klog']['greedy_msg'],$['klog']['kv']"
- parser:
key_name: "klog_kv"
hash_value_field: "klog.fields"
reserve_data: true
remove_key_name_field: true
parse:
type: "multi_format"
patterns:
- format: "logfmt"
- format: "none"
globalOutputRefs:
- "default"
{{- end }}
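Review bot: The `timestamp` record is stitched from `time.strftime("%Y")` — the year at parse time — plus the month/day/time captured from the klog line, so lines parsed after a year rollover, or buffered logs replayed from the previous year, get the wrong year, and the hard-coded `Z` suffix asserts UTC although klog prints the process's local time. A minimal guard is `timestamp: '${ (Time.now.month < record["klog"]["month"] ? Time.now.year - 1 : Time.now.year) }-${ record["klog"]["month"] }-${ record["klog"]["day"] }T${ record["klog"]["time"] }Z'`, which handles the rollover; better still, let the `parser` own the time via `time_key`/`time_format` instead of synthesizing a string in Ruby. Also note that `gsub("I", "info")` on the single-letter level is fine today, but the chained replacements would corrupt each other if the field ever contained more than one character — a `{ "I" => "info", ... }` lookup is safer.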


@ -0,0 +1,29 @@
{{- if (.Capabilities.APIVersions.Has "logging.banzaicloud.io/v1beta1/Flow") }}
---
apiVersion: logging.banzaicloud.io/v1beta1
kind: Flow
metadata:
name: event-tailer
spec:
match:
- select:
labels:
"app.kubernetes.io/name": "event-tailer"
filters:
- tag_normaliser: {}
- parser:
hash_value_field: "kubernetes"
remove_key_name_field: true
reserve_data: true
parse:
type: "json"
- record_transformer:
enable_ruby: true
records:
- event.module: "kubernetes"
message: '${ record["kubernetes"]["event"]["message"] }'
remove_keys: "$['kubernetes']['event']['message']"
globalOutputRefs:
- "default"
{{- end }}
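Review bot: `message: '${ record["kubernetes"]["event"]["message"] }'` dereferences two levels with no nil check, and this is the only flow in the commit whose parser is plain `type: "json"` without the `multi_format`/`none` fallback the sibling flows use, so a non-JSON line from the tailer leaves `record["kubernetes"]` unset and the Ruby expression raises, pushing the record to `errorOutputRef` instead of `default`. Align it with the other flows — `parse:` with `type: "multi_format"`, `- format: "json"`, `- format: "none"` — and guard the transformer with `message: '${ record.dig("kubernetes", "event", "message") }'`. The same `dig` form would make `remove_keys` harmless when the path is absent.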


@ -0,0 +1,36 @@
{{- if (.Capabilities.APIVersions.Has "logging.banzaicloud.io/v1beta1/Flow") }}
---
apiVersion: logging.banzaicloud.io/v1beta1
kind: Flow
metadata:
name: fluentbit
spec:
match:
- select:
labels:
"app.kubernetes.io/name": "fluentbit"
filters:
- tag_normaliser: {}
- parser:
hash_value_field: "fluentbit"
reserve_data: true
remove_key_name_field: true
parse:
type: "regexp"
expression: '^\[(?<timestamp>.*)\] \[(?<log.level>.*)\] \[(?<component>.*)\] (?<message>.*)'
types: "timestamp:string,log.level:string,component:string,message:string"
time_key: "timestamp"
time_type: "string"
time_format: "%Y/%m/%d %H:%M:%S"
- record_transformer:
enable_ruby: true
records:
- event.kind: "event"
event.module: "fluentbit"
message: '${record["fluentbit"]["message"]}'
log.level: '${record["fluentbit"]["log.level"]}'
remove_keys: "$['fluentbit']['log']['level'],$['fluentbit']['message']"
globalOutputRefs:
- default
{{- end }}
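Review bot: The parser stores its capture under the single key `log.level` (a dotted name nested under `fluentbit`), but `remove_keys` addresses it as `$['fluentbit']['log']['level']`, a two-level path that never exists, so the original key survives alongside the copied top-level `log.level`. Use the literal key in bracket form: `remove_keys: "$['fluentbit']['log.level'],$['fluentbit']['message']"`. The `time_format: "%Y/%m/%d %H:%M:%S"` also carries no zone, so fluentd will read it in its own local zone — add `utc: true` to the parser if fluent-bit is logging in UTC, which it presumably is inside the container.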


@ -0,0 +1,34 @@
{{- if (.Capabilities.APIVersions.Has "logging.banzaicloud.io/v1beta1/Flow") }}
---
apiVersion: logging.banzaicloud.io/v1beta1
kind: Flow
metadata:
name: logging-operator
spec:
match:
- select:
labels:
"app.kubernetes.io/name": "logging-operator"
filters:
- tag_normaliser: {}
- parser:
hash_value_field: "logging-operator"
reserve_data: true
remove_key_name_field: true
parse:
type: "json"
time_key: "ts"
time_type: "string"
time_format: "%iso8601"
- record_transformer:
enable_ruby: true
records:
- event.kind: "event"
event.module: "logging-operator"
message: '${record["logging-operator"]["msg"]}'
log.level: '${record["logging-operator"]["level"]}'
remove_keys: "$['logging-operator']['level'],$['logging-operator']['msg']"
globalOutputRefs:
- default
{{- end }}


@ -0,0 +1,202 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: logging-operator
spec:
chart:
spec:
sourceRef:
kind: HelmRepository
name: kube-logging
chart: logging-operator
install:
{{- toYaml .Values.commons.helm.release.install | nindent 4 }}
test:
{{- toYaml .Values.commons.helm.release.test | nindent 4 }}
upgrade:
{{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
driftDetection:
{{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
interval: 10m
values:
monitoring:
serviceMonitor:
enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
additionalLabels:
{{- toYaml .Values.commons.prometheus.monitor.labels | nindent 10 }}
# resources for logging-operator
resources:
limits:
memory: 3Gi
requests:
cpu: 100m
memory: 128Mi
logging:
enabled: true
# fluentbit is used to collect data on nodes (so it is usefull to use hostPath)
fluentbit:
bufferStorageVolume:
hostPath:
path: "/var/lib/kube-logging/fluentbit/buffer"
positiondb:
hostPath:
path: "/var/lib/kube-logging/fluentbit/positiondb"
metrics:
prometheusRules: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
serviceMonitor: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
serviceMonitorConfig:
additionalLabels:
{{- toYaml .Values.commons.prometheus.monitor.labels | nindent 14 }}
# fluentd is used to recieve data from fluentbit, filter (e.g. parse, grep) and forward output (e.g. loki)
fluentd:
scaling:
replicas: {{ .Values.fluentd.replicas }}
# resources for fluentd
resources:
limits:
memory: "2400M"
requests:
cpu: "500m"
memory: "200M"
metrics:
prometheusRules: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
serviceMonitor: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
serviceMonitorConfig:
additionalLabels:
{{- toYaml .Values.commons.prometheus.monitor.labels | nindent 14 }}
bufferVolumeMetrics:
prometheusRules: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
serviceMonitor: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
serviceMonitorConfig:
additionalLabels:
{{- toYaml .Values.commons.prometheus.monitor.labels | nindent 14 }}
tls:
# make problems on reinstall (maybe try it sometime again)
enabled: false
# allow clusteroutput from flow in other namespace
allowClusterResourcesFromAllNamespaces: true
enableRecreateWorkloadOnImmutableFieldChange: true
# log kubernetes events
eventTailer:
name: "default"
# forward errors to output
errorOutputRef: "default"
# if no (cluster)flow exits for pods:
# filter: drop log messages if they contains "debug"
# send logs: clusterOutput "default"
defaultFlow:
filters:
- grep:
exclude:
- key: "message"
pattern: /.*[Dd]ebug.*/
- prometheus:
metrics:
- name: "logs_defaultflow_count"
desc: "The total number of message in namespace"
type: "counter"
labels:
exported_namespace: "$.kubernetes.namespace_name"
exported_pod: "$.kubernetes.pod_name"
exported_container: "$.kubernetes.container_name"
image: "$.kubernetes.container_image"
app_kubernetes_io_name: "$['kubernetes']['labels']['app.kubernetes.io/name']"
app_kubernetes_io_instance: "$['kubernetes']['labels']['app.kubernetes.io/instance']"
globalOutputRefs:
- "default"
# usefull on elastic e.g. with dedot
globalFilters:
- prometheus:
metrics:
- name: "logs_all_count"
desc: "The total number of messages in namespace"
type: "counter"
labels:
exported_namespace: "$.kubernetes.namespace_name"
exported_pod: "$.kubernetes.pod_name"
exported_container: "$.kubernetes.container_name"
image: "$.kubernetes.container_image"
app_kubernetes_io_name: "$['kubernetes']['labels']['app.kubernetes.io/name']"
app_kubernetes_io_instance: "$['kubernetes']['labels']['app.kubernetes.io/instance']"
# deploy a clusteroutput (which all flows can use)
clusterOutputs:
- name: "default"
spec:
{{- if .Values.loki.enabled }}
# for loki:
# https://kube-logging.dev/docs/configuration/plugins/outputs/loki/
loki:
url: http://loki:3100
buffer:
timekey: 1m
timekey_wait: 30s
timekey_use_utc: true
# do not use configure_kubernetes_labels strip other kubernetes labels
extract_kubernetes_labels: true
labels:
# from configure_kubernetes_labels reimplement
host: $.kubernetes.host
namespace: $.kubernetes.namespace_name
pod: $.kubernetes.pod_name
pod_id: $.kubernetes.pod_id
container: $.kubernetes.container_name
container_id: $.kubernetes.docker_id
{{- else }}
nullout: {}
{{- end }}
# add some usefull default clusterFlows
clusterFlows:
# parse all data with logfmt of pod which contain label: kube_logging_parser=logfmt (and send to ClusterOutput default)
- name: logfmt
spec:
filters:
- parser:
reserve_data: true
remove_key_name_field: true
hash_value_field: "logfmt"
parse:
type: "multi_format"
patterns:
- format: "logfmt"
# fallback, just keep data unparsed
- format: "none"
match:
- select:
labels:
"kube_logging_parser": "logfmt"
globalOutputRefs:
- "default"
# parse all data with json of pod which contain label: kube_logging_parser=json (and send to ClusterOutput default)
- name: json
spec:
filters:
- parser:
reserve_data: true
remove_key_name_field: true
hash_value_field: "json"
parse:
type: "multi_format"
patterns:
- format: "json"
# fallback, just keep data unparsed
- format: "none"
match:
- select:
labels:
"kube_logging_parser": "json"
globalOutputRefs:
- "default"
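Review bot: `tls.enabled: false` leaves the fluent-bit → fluentd forward connection unencrypted and unauthenticated: any pod that can reach the fluentd forward port can inject or alter records that then land in Loki under the namespace/pod labels it chooses, and log payloads (which routinely contain tokens and URLs) cross the node network in cleartext. The comment only says it broke on reinstall; until TLS is back, restrict the fluentd Service with a NetworkPolicy that admits ingress solely from the fluent-bit DaemonSet pods, and turn the comment into a tracked `# TODO(security): re-enable forward TLS, see <issue>`. `allowClusterResourcesFromAllNamespaces: true` additionally lets every namespace's Flow target the `default` ClusterOutput, which is fine for a single-tenant cluster but deserves a `# single-tenant: any namespace may ship to ClusterOutput default` note. The defaultFlow `grep` exclude `/.*[Dd]ebug.*/` drops any line whose message merely contains the word, including security-relevant ones — match on a level field instead if the parsers provide one.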


@ -0,0 +1,9 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: kube-logging
spec:
url: oci://ghcr.io/kube-logging/helm-charts
type: oci
interval: 10m
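Review bot: The chart is pulled from `oci://ghcr.io/kube-logging/helm-charts` with no provenance check, and the HelmRelease in this commit references it without a `version:` under `chart.spec`, so every reconcile can pick up whatever the registry currently serves and install it with the cluster-wide RBAC the operator needs (it manages DaemonSets and hostPath mounts). Pin the chart (`version: "x.y.z"` on the HelmRelease) and, if the publisher signs its charts with cosign, add `verify: {provider: cosign}` there too; Flux can also use `keyless` verification when no key is distributed. If signatures are not available, at least record that decision in a comment on this HelmRepository.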


@ -1,6 +1,6 @@
{{- if .Values.loki.enabled }}
---
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: loki
@ -12,11 +12,11 @@ spec:
name: grafana
chart: loki
install:
{{- deepCopy .Values.commons.helm.release.install | merge (dict "crds" "Skip") | toYaml | nindent 4 }}
{{- toYaml .Values.commons.helm.release.install | nindent 4 }}
test:
{{- toYaml .Values.commons.helm.release.test | nindent 4 }}
upgrade:
{{- deepCopy .Values.commons.helm.release.upgrade | merge (dict "crds" "Skip") | toYaml | nindent 4 }}
{{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
driftDetection:
{{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
interval: 10m
@ -47,7 +47,6 @@ spec:
period: 24h
monitoring:
dashboards:
enabled: true
labels:
{{- toYaml .Values.commons.grafana.dashboards.labels | nindent 10 }}
annotations:
@ -60,14 +59,14 @@ spec:
enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
labels:
{{- toYaml .Values.commons.prometheus.monitor.labels | nindent 10 }}
metricsInstance:
enabled: false
metricsInstance:
enabled: false
selfMonitoring:
enabled: false
grafanaAgent:
installOperator: false
lokiCanary:
enabled: false
lokiCanary:
enabled: false
test:
enabled: false
gateway:


@ -1,6 +1,6 @@
{{- if .Values.loki.enabled }}
---
apiVersion: source.toolkit.fluxcd.io/v1
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: grafana


@ -1,6 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: vector
data:
vector.yaml: {{ tpl (.Files.Get "config/vector.yaml" ) . | quote }}


@ -1,25 +0,0 @@
{{- if (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
{{- $filter := printf `namespace="%s",job="vector"` .Release.Namespace }}
{{- $without := "instance,endpoint,container,pod,job,host" }}
---
apiVersion: "monitoring.coreos.com/v1"
kind: "PrometheusRule"
metadata:
name: "vector"
labels:
{{- toYaml .Values.commons.prometheus.rules.labels | nindent 4 }}
spec:
groups:
- name: "Vector"
rules:
- alert: "Log-Collector: Component Errors"
expr: 'sum(increase(vector_component_errors_total{ {{ $filter }} }[1h])) without ({{ $without }}) > 0'
for: "1m"
labels:
severity: "warning"
annotations:
{{`
summary: "{{ $labels.component_kind }} {{ $labels.component_id }} ({{ $labels.component_type }}) has {{ $labels.error_type }} in stage {{ $labels.stage }}"
`}}
{{- end }}{{/* end-if */}}


@ -1,42 +0,0 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: vector-agent
spec:
chart:
spec:
sourceRef:
kind: HelmRepository
name: vector
chart: vector
install:
{{- toYaml .Values.commons.helm.release.install | nindent 4 }}
test:
{{- toYaml .Values.commons.helm.release.test | nindent 4 }}
upgrade:
{{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
driftDetection:
{{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
interval: 10m
values:
role: Agent
updateStrategy:
maxSurge: 1
dataDir: "/vector-data-dir"
logLevel: "warn"
existingConfigMaps:
- vector
containerPorts:
- name: prom-exporter
containerPort: 9090
protocol: TCP
service:
ports:
- name: prom-exporter
port: 9090
protocol: TCP
podMonitor:
enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PodMonitor") }}
additionalLabels:
{{- toYaml .Values.commons.prometheus.monitor.labels | nindent 10 }}


@ -1,8 +0,0 @@
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: vector
spec:
url: https://helm.vector.dev
interval: 10m


@ -45,5 +45,8 @@ grafana:
# -- annotations of grafana dashboard configmap
annotations: {}
fluentd:
replicas: 1
loki:
enabled: true


@ -3,7 +3,7 @@
.Values.alertmanager.ingress.enabled
}}
---
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: authentik-application-alertmanager


@ -1,7 +1,7 @@
{{- with .Values.alertmanager.receiver.matrix }}
{{- if .enabled }}
---
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: "alertmanager-matrix"
@ -35,7 +35,6 @@ spec:
bot:
matrix:
homeserver: {{ .homeserver | quote }}
messageType: {{ .messageType | quote }}
userID: {{ .userID | quote }}
rooms:
- {{ .default | quote }}


@ -1,7 +1,7 @@
{{- with .Values.alertmanager.receiver.ntfy }}
{{- if .enabled }}
---
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: "alertmanager-ntfy"


@ -1,6 +1,6 @@
{{- if .Values.prometheus.exporter.blackbox.enabled }}
---
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: prometheus-blackbox-exporter


@ -3,7 +3,7 @@
.Values.grafana.ingress.enabled
}}
---
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: authentik-application-grafana


@ -3,7 +3,7 @@
.Values.karma.enabled
}}
---
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: authentik-application-karma


@ -1,6 +1,6 @@
{{- if .Values.karma.enabled }}
---
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: karma


@ -1,5 +1,5 @@
---
apiVersion: source.toolkit.fluxcd.io/v1
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: wiremind


@ -1,5 +1,5 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: kube-prometheus-stack
@ -40,6 +40,12 @@ spec:
defaultRules:
rules:
kubeProxy: false
# just parts:
# kubernetesApps: false
disabled:
KubePodNotReady: true
KubePodCrashLooping: true
KubeContainerWaiting: true
prometheus:
{{- $hostPrometheus := .Values.prometheus.ingress.host | default (printf "prometheus.%s" .Values.commons.ingress.domain) }}
@ -226,7 +232,7 @@ spec:
searchNamespace: ALL
serviceMonitor:
enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
enabled: true
labels:
prometheus: default
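Review bot: Disabling `KubePodNotReady`, `KubePodCrashLooping` and `KubeContainerWaiting` cluster-wide silences the alerts that would otherwise surface a crash-looping security component — trivy-operator, the logging DaemonSet, an admission webhook — and the hunk gives no reason for it; noise in one workload is better handled with a namespace-scoped silence or by tuning `for:`. If the intent is to keep them off, add a why-comment next to `disabled:` such as `# disabled: noisy during mycloud rollouts; pod health is alerted per-component instead`. The `serviceMonitor.enabled: true` on the new side of the last hunk also replaces the `.Capabilities.APIVersions.Has` guard used everywhere else in this chart; inside the stack that ships the CRDs this is safe, but it is worth a comment so nobody "fixes" it back.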


@ -3,7 +3,7 @@
.Values.prometheus.ingress.enabled
}}
---
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: authentik-application-prometheus


@ -1,5 +1,5 @@
---
apiVersion: source.toolkit.fluxcd.io/v1
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: prometheus-community


@ -1,6 +1,6 @@
{{- if .Values.tempo.enabled }}
---
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: tempo


@ -1,6 +1,6 @@
{{- if .Values.tempo.enabled }}
---
apiVersion: source.toolkit.fluxcd.io/v1
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: grafana


@ -98,13 +98,10 @@ alertmanager:
sendResolved: false
homeserver: "https://matrix.org"
userID: "@alert:matrix.org"
# -- message type of alerts in matrix
messageType: "m.notice"
# -- token of matrix reciever (use valuesFrom in flux for it)
token: ""
# -- default room (additional rooms are possible)
default: "!example-room:matrix.org"
# -- additional rooms
#
rooms: {}
# room-name:
# - room: "!example-room-name:matrix.org"


@ -1,5 +1,5 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: trivy-operator


@ -1,5 +1,5 @@
---
apiVersion: source.toolkit.fluxcd.io/v1
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: aqua


@ -6,4 +6,4 @@ maintainers:
- name: WrenIX
url: https://wrenix.eu
version: 0.1.1
version: 0.1.0


@ -7,7 +7,7 @@ description: "A mycloud components using authentik (for central authentification
# mycloud-authentik
![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
A mycloud components using authentik (for central authentification using SSO)


@ -2,22 +2,16 @@ version: 1
metadata:
name: myCloud - tenant
entries:
- model: authentik_brands.Brand
- model: authentik_tenants.tenant
identifiers:
domain: "authentik-default"
state: present
attrs:
{{- with .Values.commons.theme }}
{{- with .title }}
branding_title: {{ . | quote }}
branding_title: {{ .title }}
branding_logo: {{ .logo }}
branding_favicon: {{ .favicon }}
{{- end }}
{{- with .logo }}
branding_logo: {{ . | quote }}
{{- end }}
{{- with .favicon }}
branding_favicon: {{ . | quote }}
{{- end }}
{{- end }}{{/* end-with .commons.theme */}}
{{- with .Values.theme.background }}
attributes:
settings:
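Review bot: On the new side `branding_title: {{ .title }}`, `branding_logo: {{ .logo }}` and `branding_favicon: {{ .favicon }}` are emitted unquoted and unconditionally inside the `with .Values.commons.theme` block: an unset logo or favicon renders as `branding_logo:` (YAML null) and overwrites authentik's defaults, and a title like `NO`, `1.10` or one containing `: ` changes type or breaks the rendered blueprint. Quote the values and emit only the ones that are set, e.g. `{{- with .title }}branding_title: {{ . | quote }}{{- end }}`, repeated for `.logo` and `.favicon`. The `authentik_tenants.tenant` versus `authentik_brands.Brand` model on the two sides depends on the targeted authentik version — as far as I recall branding moved to Brands in 2024.2 — so pin which release this blueprint targets in a comment above `entries:`.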


@ -1,5 +1,5 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: "{{ .Release.Name }}-hr"
@ -83,7 +83,6 @@ spec:
server:
metrics:
enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
serviceMonitor:
enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
labels:
@ -133,6 +132,12 @@ spec:
{{- end }}
worker:
metrics:
serviceMonitor:
enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
labels:
{{- toYaml .Values.commons.prometheus.monitor.labels | nindent 12 }}
serviceAccountName: {{ .Release.Name }}
extraContainers:
- name: sidecar-blueprints


@ -1,5 +1,5 @@
---
apiVersion: source.toolkit.fluxcd.io/v1
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: "{{ .Release.Name }}-hr"


@ -6,4 +6,4 @@ maintainers:
- name: WrenIX
url: https://wrenix.eu
version: 0.1.2
version: 0.1.0


@ -7,7 +7,7 @@ description: "myCloud component to setup collabora"
# mycloud-collabora
![Version: 0.1.2](https://img.shields.io/badge/Version-0.1.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
myCloud component to setup collabora
@ -52,13 +52,6 @@ myCloud component to setup collabora
|-----|------|---------|-------------|
| commons.masterPassword | string | `"CHANGEME"` | masterPassword to generate secrets |
### Remote font
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| remoteFont.enabled | bool | `true` | remote font setup |
| remoteFont.url | string | `nil` | url to remote font default (set to nextcloud) |
### Other Values
| Key | Type | Default | Description |


@ -1,5 +1,5 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: "{{ .Release.Name }}-hr"
@ -30,20 +30,7 @@ spec:
collabora:
username: collabora-admin
password: {{ .Values.adminPassword | default (derivePassword 1 "long" .Values.commons.masterPassword "nextcloud" "admin_password") | quote }}
extra_params: >
--o:user_interface.mode=tabbed
--o:ssl.enable=false
--o:ssl.termination=true
--o:fetch_update_check=0
{{- if .Values.remoteFont.enabled }}
{{- with .Values.remoteFont.url }}
--o:remote_font_config.url={{ . }}
{{- else }}
--o:remote_font_config.url=https://fs.{{ .Values.commons.ingress.domain }}/apps/richdocuments/settings/fonts.json
{{- end }}
{{- end }}
--o:net.proto=all
extra_params: --o:user_interface.mode=tabbed --o:ssl.termination=true --o:ssl.enable=false
server_name: {{ $host | quote }}
aliasgroups:
{{- range $host, $aliases := .Values.allowedHosts }}
@ -94,26 +81,3 @@ spec:
{{- toYaml .Values.commons.grafana.dashboards.labels | nindent 10 }}
annotations:
{{- toYaml .Values.commons.grafana.dashboards.annotations | nindent 10 }}
serviceAccount:
create: true
podSecurityContext:
fsGroup: 100
securityContext:
allowPrivilegeEscalation: true
privileged: false
readOnlyRootFilesystem: false
runAsNonRoot: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "FOWNER"
- "SYS_CHROOT"


@ -1,5 +1,5 @@
---
apiVersion: source.toolkit.fluxcd.io/v1
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: {{ .Release.Name }}-repo


@ -84,15 +84,6 @@ ingress:
# -- adminPassword to access collabora admin platform
adminPassword:
remoteFont:
# -- remote font setup
# @section -- Remote font
enabled: true
# -- url to remote font
# default (set to nextcloud)
# @section -- Remote font
url:
# -- allowed host to use this collabora instance
# if not set we allow defaults (like nextcloud)
# example:


@ -1,5 +1,5 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: {{ .Release.Name }}-auth


@ -1,5 +1,5 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: "{{ .Release.Name }}-hr"


@ -1,5 +1,5 @@
---
apiVersion: source.toolkit.fluxcd.io/v1
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: {{ .Release.Name }}-repo


@ -1,23 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@ -1,9 +0,0 @@
apiVersion: v2
name: mycloud-git-small
description: myCloud component to setup forgjo and codeberg
type: application
maintainers:
- name: WrenIX
url: https://wrenix.eu
version: 0.0.1


@ -1,133 +0,0 @@
---
title: "mycloud-git-small"
description: "myCloud component to setup forgjo and codeberg"
---
# mycloud-git-small
![Version: 0.0.1](https://img.shields.io/badge/Version-0.0.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
myCloud component to setup forgjo and codeberg
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| WrenIX | | <https://wrenix.eu> |
## Values
### Commons
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| commons.auth.host | string | `nil` | default auth.(.Values.commons.ingress.domain) |
| commons.masterPassword | string | `"CHANGEME"` | masterPassword to generate secrets |
### Commons Monitoring
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| commons.grafana.dashboards.annotations | string | `nil` | annotations of grafana dashboard configmap |
| commons.grafana.dashboards.labels | object | `{"grafana_dashboard":"1"}` | labels of grafana dashboard configmap |
| commons.prometheus.monitor.labels | object | `{}` | labels on Pod- and Service-Monitor |
| commons.prometheus.rules.labels | object | `{}` | labels on PrometheusRules |
### Commons helm release
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| commons.helm.release.driftDetection | object | `{}` | driftDetection of FluxCD HelmRelease |
| commons.helm.release.install | object | `{}` | install of FluxCD HelmRelease |
| commons.helm.release.test | object | `{}` | test of FluxCD HelmRelease |
| commons.helm.release.upgrade | object | `{}` | upgrade of FluxCD HelmRelease |
### Commons Ingress
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| commons.ingress.annotations | object | `{"cert-manager.io/cluster-issuer":"letsencrypt-prod"}` | annotations for all ingress objects |
| commons.ingress.domain | string | `"wrenix.eu"` | top domain for all services |
| commons.ingress.tls.enabled | bool | `true` | tls on every ingress |
| commons.ingress.tls.override | list | `[]` | use own definition of tls (e.g. for own or wildcard certificate) |
### Commons mail
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| commons.mail.from | string | `nil` | send from address |
| commons.mail.host | string | `""` | smtp server |
| commons.mail.password | string | `""` | smtp password |
| commons.mail.use_ssl | bool | `false` | smtp server use ssl |
| commons.mail.use_tls | bool | `false` | smtp server use start tls |
| commons.mail.username | string | `""` | smtp username |
### Commons Persistence
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| commons.persistence.hostPath.enabled | bool | `false` | use hostPath instatt of PVC |
| commons.persistence.hostPath.prefix | string | `"/var/lib/mycloud"` | use hostPath under the following path |
| commons.persistence.storageClass | string | `nil` | storageClass of PVC |
### Commons theme
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| commons.theme.favicon | string | `"/static/dist/assets/icons/icon.png"` | favicon everywhere |
| commons.theme.logo | string | `"/static/dist/assets/icons/icon_left_brand.svg"` | logo everywhere |
| commons.theme.title | string | `"myCloud"` | title everywhere |
### Commons Tracing
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| commons.tracing.enabled | bool | `false` | enable tracing on all components |
| commons.tracing.grpc.enabled | bool | `true` | prefer grpc over http |
| commons.tracing.grpc.endpoint | string | `"tempo.monitoring.svc:4317"` | grpc endpoint |
| commons.tracing.grpc.insecure | bool | `true` | allow insecure connection per grpc |
| commons.tracing.http.endpoint | string | `"http://tempo.monitoring.svc:4318/v1/traces"` | http endpoint |
### Other Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| auth.clientID | string | `nil` | OIDC client id (default: "mycloud-git-small"-forgejo) |
| auth.clientSecret | string | `nil` | generated by .Values.commons.masterPassword |
| commons.networkpolicies.enabled | bool | `false` | |
| commons.networkpolicies.from.ingress | list | `[]` | |
| commons.networkpolicies.from.metrics | list | `[]` | |
| commons.networkpolicies.to.database | list | `[]` | |
| commons.networkpolicies.to.dns | list | `[]` | |
| commons.networkpolicies.to.k8sAPI.ports[0].port | int | `6443` | |
| commons.networkpolicies.to.k8sAPI.ports[0].protocol | string | `"TCP"` | |
| commons.networkpolicies.to.k8sAPI.to | list | `[]` | |
| databases.forgejo.host | string | `"mycloud-services-postgresql"` | default is from mysql-services |
| databases.forgejo.name | string | `"git-forgejo"` | |
| databases.forgejo.password | string | `nil` | generated by .Values.commons.masterPassword (equal to mycloud-services) |
| databases.forgejo.username | string | `"git-forgejo"` | |
| databases.woodpecker.host | string | `"mycloud-services-postgresql"` | default is from mysql-services |
| databases.woodpecker.name | string | `"git-woodpecker"` | |
| databases.woodpecker.password | string | `nil` | generated by .Values.commons.masterPassword (equal to mycloud-services) |
| databases.woodpecker.username | string | `"git-woodpecker"` | |
| forgejo | string | `nil` | |
| ingress.forgejo.annotations | string | `nil` | |
| ingress.forgejo.host | string | `nil` | default: git.(Values.commons.ingress.domain) |
| ingress.woodpecker.annotations | string | `nil` | |
| ingress.woodpecker.host | string | `nil` | default: ci.(Values.commons.ingress.domain) |
| init.namespace | string | `"bases"` | |
| init.version | int | `0` | |
| mail.from | string | `nil` | generade by Values.commons.mail.from |
| mail.host | string | `nil` | default Values.commons.mail.host |
| persistence.forgejo.size | string | `"16Gi"` | |
| persistence.forgejo.storageClass | string | `nil` | |
| traefik.enabled | bool | `true` | |
| woodpecker.admins | list | `[]` | admins of woodpecker (manage manuelle) |
| woodpecker.auth.clientID | string | `""` | need to be manuelle set, after setup on forgejo |
| woodpecker.auth.clientSecret | string | `""` | need to be manuelle set, after setup on forgejo |
| woodpecker.jobs.namespace.create | bool | `true` | |
| woodpecker.jobs.namespace.name | string | `"woodpecker"` | |
Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs)


@ -1,73 +0,0 @@
{{ $name := printf "%s-forgejo" .Release.Name }}
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: {{ .Release.Name }}-auth
spec:
chart:
spec:
sourceRef:
kind: GitRepository
name: "wrenix-helm-charts"
namespace: "flux-system"
chart: "./authentik-application"
reconcileStrategy: "Revision"
install:
{{- toYaml .Values.commons.helm.release.install | nindent 4 }}
test:
{{- toYaml .Values.commons.helm.release.test | nindent 4 }}
upgrade:
{{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
driftDetection:
{{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
interval: 10m
values:
{{- $host := .Values.ingress.host | default (printf "git.%s" .Values.commons.ingress.domain) }}
blueprint:
authentik:
domain: "https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}"
provider:
type: "oidc"
name: {{ $name }}
oidc:
clientType: "confidential"
redirectURL: "https://{{ $host }}/user/oauth2/authentik/callback"
clientID: {{ .Values.auth.clientID | default $name | quote }}
clientSecret: {{ .Values.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "git-forgejo" "auth.clientSecret") | quote }}
signingKey: "authentik Self-signed Certificate"
scopes:
- name: "authentik default OAuth Mapping: OpenID 'openid'"
- name: "authentik default OAuth Mapping: OpenID 'email'"
- name: "authentik gitea OAuth Mapping: OpenID 'gitea'"
scope_name: gitea
expression: |-
groups = [group.name for group in user.ak_groups.all()]
gitea = {}
if user.is_superuser:
gitea = "admin"
if "admin" not in groups:
groups.append("admin")
else:
gitea = "user"
return {
"nickname": request.user.username,
"groups": groups,
"gitea": gitea
}
groups:
- slug: "mycloud - users"
bindID: "cefc0c13-49fa-4374-a909-e201a88a473b"
application:
policyEngineMode: "any"
openInNewTab: true
publisher: "WrenIX's myCloud"
slug: {{ $name }}
group: "Communication"
name: "Forgejo"
launchURL: "https://{{ $host }}"
icon: "https://{{ $host }}/assets/img/logo.png"
description: "With GoToSocial, you can keep in touch with your friends, post, read, and share images and articles. All without being tracked or advertised to!"


@ -1,14 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-init
namespace: "{{ .Values.init.namespace }}"
data:
{{- if and
(.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule")
(.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor")
}}
init: "-1"
{{- else }}
init: "{{ add1 .Values.init.version }}"
{{- end }}


@ -1,158 +0,0 @@
{{ $name := printf "%s-forgejo" .Release.Name }}
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: {{ $name }}-hr
spec:
chartRef:
kind: OCIRepository
name: "{{ .Release.Name }}-forgejo"
install:
{{- toYaml .Values.commons.helm.release.install | nindent 4 }}
test:
{{- toYaml .Values.commons.helm.release.test | nindent 4 }}
upgrade:
{{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
driftDetection:
{{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
interval: 10m
valuesFrom:
- kind: Secret
name: {{ $name }}
valuesKey: "DATABASE_PASSWD"
targetPath: "gitea.config.database.PASSWD"
- kind: Secret
name: {{ $name }}
valuesKey: "MAILER_PASSWD"
targetPath: "gitea.config.mailer.PASSWD"
values:
{{- $host := .Values.ingress.host | default (printf "git.%s" .Values.commons.ingress.domain) }}
redis-cluster:
enabled: false
redis:
enabled: true
replica:
# just one replica
replicaCount: {{ .Values.commons.redis.replicas }}
metrics:
enabled: true
serviceMonitor:
enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
additionalLabels:
{{- toYaml .Values.commons.prometheus.monitor.labels | nindent 12 }}
prometheusRule:
# empty rules
enabled: false
# {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
additionalLabels:
{{- toYaml .Values.commons.prometheus.rules.labels | nindent 12 }}
rules: []
postgresql-ha:
enabled: false
gitea:
admin:
username: false
password: false
config:
APP_NAME: {{ .Values.commons.theme.title | quote }}
database:
DB_TYPE: postgres
HOST: {{ .Values.databases.forgejo.host | quote }}
USER: {{ .Values.databases.forgejo.username | quote }}
NAME: {{ .Values.databases.forgejo.name | quote }}
mailer:
ENABLED: true
PROTOCOL: "smtp+starttls"
SMTP_ADDR: {{ .Values.mail.host | default .Values.commons.mail.host | quote }}
SMTP_PORT: 587
USER: {{ .Values.commons.mail.username | quote }}
FROM: {{ .Values.mail.from | default (printf "\"[%s] %s\" <%s>" .Values.commons.theme.title "git" .Values.commons.mail.from) | quote }}
server:
LFS_START_SERVER: true
openid:
ENABLE_OPENID_SIGNUP: false
oauth2_client:
OPENID_CONNECT_SCOPES: "email gitea"
ENABLE_AUTO_REGISTRATION: true
USERNAME: nickname
UPDATE_AVATAR: true
ACCOUNT_LINKING: disabled
service:
DISABLE_REGISTRATION: true
ALLOW_ONLY_EXTERNAL_REGISTRATION: true
picture:
DISABLE_GRAVATAR: true
ENABLE_FEDERATED_AVATAR: true
federation:
ENABLED: true
oauth:
- name: "authentik"
provider: "openidConnect"
autoDiscoverUrl: "https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}/application/o/{{ $name }}/"
existingSecret: {{ $name }}
scopes: "email gitea"
groupClaimName: groups
adminGroup: admin
metrics:
enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
serviceMonitor:
enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
labels:
{{- toYaml .Values.commons.prometheus.monitor.labels | nindent 12 }}
ingress:
enabled: true
annotations:
{{- with .Values.commons.ingress.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.ingress.forgejo.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
hosts:
- host: "{{ $host }}"
paths:
- path: /
pathType: Prefix
{{- if .Values.commons.ingress.tls.enabled }}
tls:
{{- with .Values.commons.ingress.tls.override }}
{{- toYaml . | nindent 8 }}
{{- else }}
- secretName: "mycloud-forgejo-cert"
hosts:
- "{{ $host }}"
{{- end }}
{{- end }}
{{- if .Values.commons.persistence.hostPath.enabled }}
# TODO has no effect
extraInitContainers:
- name: "take-ownership"
image: "alpine:3"
command: ["chown", "-R", "1000:1000", "/data" ]
volumeMounts:
- name: "data"
mountPath: /data
extraVolumes:
- name: data
hostPath:
path: "{{ .Values.commons.persistence.hostPath.prefix }}/git-small/forgejo"
type: Directory
{{- end }}
persistence:
enabled: true
{{- with .Values.persistence.forgejo }}
size: {{ .size }}
{{- with .storageClass | default $.Values.commons.persistence.storageClass }}
storageClass: {{ . }}
{{- end }}
{{- if $.Values.commons.persistence.hostPath.enabled }}
create: false
mount: false
{{- end }}
{{- end }}


@ -1,10 +0,0 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
name: "{{ .Release.Name }}-forgejo"
spec:
url: oci://code.forgejo.org/forgejo-helm/forgejo
interval: 5m
ref:
semver: "^11.0.1"


@ -1,12 +0,0 @@
{{- $name := printf "%s-forgejo" .Release.Name }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ $name | quote }}
data:
DATABASE_PASSWD: {{ .Values.databases.forgejo.password | default (derivePassword 1 "long" .Values.commons.masterPassword "git-forgejo" "database_password" | b64enc) | b64enc }}
MAILER_PASSWD: {{ .Values.commons.mail.password | b64enc }}
# for OIDC
key: {{ .Values.auth.clientID | default $name | b64enc }}
secret: {{ .Values.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "git-forgejo" "auth.clientSecret") | b64enc }}


@ -1,16 +0,0 @@
{{- if .Values.traefik.enabled }}
{{- $host := .Values.ingress.host | default (printf "git.%s" .Values.commons.ingress.domain) }}
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: {{ .Release.Name }}-forgejo
spec:
entryPoints:
- ssh
routes:
- match: "HostSNI(`*`)"
services:
- name: {{ .Release.Name }}-forgejo-hr-ssh
port: 22
{{- end }}


@ -1,8 +0,0 @@
{{- with .Values.woodpecker.jobs.namespace }}
{{- if .create }}
apiVersion: v1
kind: Namespace
metadata:
name: {{ .name }}
{{- end }}
{{- end }}


@ -1,141 +0,0 @@
{{- $name := printf "%s-woodpecker" .Release.Name }}
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: {{ $name | quote }}
spec:
chartRef:
kind: OCIRepository
name: {{ $name | quote }}
install:
{{- toYaml .Values.commons.helm.release.install | nindent 4 }}
test:
{{- toYaml .Values.commons.helm.release.test | nindent 4 }}
upgrade:
{{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
driftDetection:
{{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
interval: 10m
values:
{{- $hostCI := .Values.ingress.woodpecker.host | default (printf "ci.%s" .Values.commons.ingress.domain) }}
{{- $hostGit := .Values.ingress.woodpecker.host | default (printf "git.%s" .Values.commons.ingress.domain) }}
agent:
replicaCount: 1
env:
WOODPECKER_MAX_WORKFLOWS: 4
WOODPECKER_BACKEND_K8S_NAMESPACE: {{ .Values.woodpecker.jobs.namespace.name }}
WOODPECKER_BACKEND_K8S_STORAGE_RWX: false
WOODPECKER_BACKEND_K8S_POD_LABELS_ALLOW_FROM_STEP: true
WOODPECKER_BACKEND_K8S_POD_LABELS: |
{
"app.kubernetes.io/name": "server",
"app.kubernetes.io/instance": "{{.Release.Namespace }}-{{ $name }}",
"app.kubernetes.io/component": "job"
}
WOODPECKER_SERVER: "{{ $name }}-server:9000"
{{- if .Values.commons.networkpolicies.enabled }}
networkPolicy:
enabled: true
egress:
enabled: true
dns:
{{- toYaml .Values.commons.networkpolicies.to.dns | nindent 12 }}
apiserver:
{{- toYaml .Values.commons.networkpolicies.to.k8sAPI | nindent 12 }}
server:
to:
- podSelector:
matchLabels:
app.kubernetes.io/name: server
app.kubernetes.io/instance: {{ $name }}
{{- end }}
persistentVolume:
enabled: false
server:
env:
WOODPECKER_OPEN: "true"
WOODPECKER_HOST: {{ printf "https://%s" $hostCI | quote }}
WOODPECKER_FORGEJO: "true"
WOODPECKER_FORGEJO_URL: {{ printf "https://%s" $hostGit | quote }}
WOODPECKER_ADMIN: {{ join "," .Values.woodpecker.admins | quote }}
WOODPECKER_DATABASE_DRIVER: postgres
WOODPECKER_LOG_FILE: "stdout"
podAnnotations:
config-hash: {{ include (print $.Template.BasePath "/woodpecker/secret.yaml") . | sha256sum }}
extraSecretNamesForEnvFrom:
- {{ $name }}
metrics:
enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PodMonitor") }}
prometheus:
podmonitor:
enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PodMonitor") }}
labels:
{{- toYaml .Values.commons.prometheus.monitor.labels | nindent 12 }}
rules:
enabled: true
labels:
{{- toYaml .Values.commons.prometheus.rules.labels | nindent 12 }}
grafana:
dashboards:
enabled: true
labels:
{{- toYaml .Values.commons.grafana.dashboards.labels | nindent 12 }}
annotations:
{{- toYaml .Values.commons.grafana.dashboards.annotations | nindent 12 }}
ingress:
enabled: true
annotations:
{{- with .Values.commons.ingress.annotations }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with .Values.ingress.woodpecker.annotations }}
{{- toYaml . | nindent 10 }}
{{- end }}
hosts:
- host: {{ $hostCI }}
paths:
- path: /
{{- if .Values.commons.ingress.tls.enabled }}
tls:
{{- with .Values.commons.ingress.tls.override }}
{{- toYaml . | nindent 10 }}
{{- else }}
- secretName: "mycloud-woodpecker-cert"
hosts:
- "{{ $hostCI }}"
{{- end }}
{{- end }}
{{- if .Values.commons.networkpolicies.enabled }}
networkPolicy:
enabled: true
ingress:
http:
{{- toYaml .Values.commons.networkpolicies.from.ingress | nindent 12 }}
metrics:
{{- toYaml .Values.commons.networkpolicies.from.metrics | nindent 12 }}
grpc:
- podSelector:
matchLabels:
app.kubernetes.io/name: agent
app.kubernetes.io/instance: "{{ .Release.Name }}-woodpecker"
egress:
enabled: true
dns:
{{- toYaml .Values.commons.networkpolicies.to.dns | nindent 12 }}
database:
{{- with .Values.commons.networkpolicies.to.database }}
{{- toYaml . | nindent 12 }}
{{- end }}
extra:
{{/* need to call git instance*/}}
- ports:
- port: 443
protocol: TCP
to:
{{- toYaml .Values.commons.networkpolicies.from.ingress | nindent 16 }}
{{- end }}
persistentVolume:
enabled: false


@ -1,10 +0,0 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
name: "{{ .Release.Name }}-woodpecker"
spec:
url: oci://ghcr.io/woodpecker-ci/helm/woodpecker
interval: 10m
ref:
semver: "^2.0.0"


@ -1,13 +0,0 @@
{{- $name := printf "%s-woodpecker" .Release.Name }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ $name | quote }}
data:
{{- with .Values.databases.woodpecker }}
{{- $db_pass := .password | default (derivePassword 1 "long" $.Values.commons.masterPassword "git-woodpecker" "database_password" | b64enc) }}
WOODPECKER_DATABASE_DATASOURCE: {{ printf "postgres://%s:%s@%s/%s?sslmode=disable" .username $db_pass .host .name | b64enc }}
{{- end }}
WOODPECKER_FORGEJO_CLIENT: {{ .Values.woodpecker.auth.clientID | b64enc }}
WOODPECKER_FORGEJO_SECRET: {{ .Values.woodpecker.auth.clientSecret | b64enc }}


@ -1,202 +0,0 @@
init:
version: 0
namespace: "bases"
commons:
# -- masterPassword to generate secrets
# @section -- Commons
masterPassword: "CHANGEME"
auth:
# -- default auth.(.Values.commons.ingress.domain)
# @section -- Commons
host:
theme:
# -- title everywhere
# @section -- Commons theme
title: myCloud
# -- logo everywhere
# @section -- Commons theme
logo: /static/dist/assets/icons/icon_left_brand.svg
# -- favicon everywhere
# @section -- Commons theme
favicon: /static/dist/assets/icons/icon.png
mail:
# -- smtp server
# @section -- Commons mail
host: ""
# -- smtp username
# @section -- Commons mail
username: ""
# -- smtp password
# @section -- Commons mail
password: ""
# -- send from address
# @section -- Commons mail
from:
# -- smtp server use start tls
# @section -- Commons mail
use_tls: false
# -- smtp server use ssl
# @section -- Commons mail
use_ssl: false
persistence:
# -- storageClass of PVC
# @section -- Commons Persistence
storageClass:
hostPath:
# -- use hostPath instatt of PVC
# @section -- Commons Persistence
enabled: false
# -- use hostPath under the following path
# @section -- Commons Persistence
prefix: "/var/lib/mycloud"
helm:
release:
# -- install of FluxCD HelmRelease
# @section -- Commons helm release
install: {}
# -- test of FluxCD HelmRelease
# @section -- Commons helm release
test: {}
# -- upgrade of FluxCD HelmRelease
# @section -- Commons helm release
upgrade: {}
# -- driftDetection of FluxCD HelmRelease
# @section -- Commons helm release
driftDetection: {}
ingress:
# -- top domain for all services
# @section -- Commons Ingress
domain: "wrenix.eu"
# -- annotations for all ingress objects
# @section -- Commons Ingress
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
tls:
# -- tls on every ingress
# @section -- Commons Ingress
enabled: true
# -- use own definition of tls (e.g. for own or wildcard certificate)
# @section -- Commons Ingress
override: []
networkpolicies:
enabled: false
from:
ingress: []
metrics: []
to:
dns: []
k8sAPI:
ports:
- port: 6443
protocol: TCP
to: []
database: []
prometheus:
monitor:
# -- labels on Pod- and Service-Monitor
# @section -- Commons Monitoring
labels: {}
rules:
# -- labels on PrometheusRules
# @section -- Commons Monitoring
labels: {}
grafana:
dashboards:
# -- labels of grafana dashboard configmap
# @section -- Commons Monitoring
labels:
grafana_dashboard: "1"
# -- annotations of grafana dashboard configmap
# @section -- Commons Monitoring
annotations:
tracing:
# -- enable tracing on all components
# @section -- Commons Tracing
enabled: false
http:
# -- http endpoint
# @section -- Commons Tracing
endpoint: "http://tempo.monitoring.svc:4318/v1/traces"
grpc:
# -- prefer grpc over http
# @section -- Commons Tracing
enabled: true
# -- allow insecure connection per grpc
# @section -- Commons Tracing
insecure: true
# -- grpc endpoint
# @section -- Commons Tracing
endpoint: "tempo.monitoring.svc:4317"
auth:
# -- OIDC client id (default: "mycloud-git-small"-forgejo)
clientID:
# -- generated by .Values.commons.masterPassword
clientSecret:
ingress:
forgejo:
# -- default: git.(Values.commons.ingress.domain)
host:
annotations:
woodpecker:
# -- default: ci.(Values.commons.ingress.domain)
host:
annotations:
traefik:
enabled: true
databases:
forgejo:
# -- default is from mysql-services
host: mycloud-services-postgresql
name: git-forgejo
username: git-forgejo
# -- generated by .Values.commons.masterPassword (equal to mycloud-services)
password:
woodpecker:
# -- default is from mysql-services
host: mycloud-services-postgresql
name: git-woodpecker
username: git-woodpecker
# -- generated by .Values.commons.masterPassword (equal to mycloud-services)
password:
mail:
# -- generade by Values.commons.mail.from
from:
# -- default Values.commons.mail.host
host:
persistence:
forgejo:
storageClass:
size: 16Gi
woodpecker:
auth:
# -- need to be manuelle set, after setup on forgejo
clientID: ""
# -- need to be manuelle set, after setup on forgejo
clientSecret: ""
# -- admins of woodpecker (manage manuelle)
admins: []
jobs:
namespace:
create: true
name: "woodpecker"
forgejo:


@ -1,5 +1,5 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: {{ .Release.Name }}-auth


@ -1,5 +1,5 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: "{{ .Release.Name }}-hr"


@ -6,4 +6,4 @@ maintainers:
- name: WrenIX
url: https://wrenix.eu
version: 0.1.2
version: 0.1.1


@ -7,7 +7,7 @@ description: "myCloud component to setup matrix"
# mycloud-matrix
![Version: 0.1.2](https://img.shields.io/badge/Version-0.1.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
myCloud component to setup matrix
@ -126,12 +126,6 @@ myCloud component to setup matrix
| databases.slidingSync.username | string | `"matrix-sliding-sync"` | |
| ingress.authenticationService.annotations | object | `{}` | |
| ingress.authenticationService.host | string | `nil` | default: auth.matrix.(.commons.ingress.domain) |
| ingress.cinny.annotations | object | `{}` | |
| ingress.cinny.enabled | bool | `false` | |
| ingress.cinny.featuredCommunities.rooms | list | `[]` | add rooms to featured communites in cinny |
| ingress.cinny.featuredCommunities.servers | list | `[]` | add servers to featured communites in cinny |
| ingress.cinny.featuredCommunities.spaces | list | `[]` | set spaces as featured communites in cinny |
| ingress.cinny.host | string | `nil` | default: cinny.(.commons.ingress.domain) |
| ingress.element.annotations | object | `{}` | |
| ingress.element.config.features.feature_location_share_live | bool | `true` | |
| ingress.element.config.features.feature_new_room_decoration_ui | bool | `true` | |


@ -1,80 +0,0 @@
{{- if .Values.ingress.cinny.enabled }}
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
name: "{{ .Release.Name }}-cinny"
spec:
url: oci://codeberg.org/wrenix/helm-charts/cinny
interval: 10m
ref:
semver: "^0.2.1"
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: "{{ .Release.Name }}-cinny"
spec:
chartRef:
kind: OCIRepository
name: "{{ .Release.Name }}-cinny"
install:
{{- toYaml .Values.commons.helm.release.install | nindent 4 }}
test:
{{- toYaml .Values.commons.helm.release.test | nindent 4 }}
upgrade:
{{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
driftDetection:
{{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
interval: 10m
values:
{{- $host := .Values.ingress.cinny.host | default (printf "cinny.%s" .Values.commons.ingress.domain) }}
config:
defaultHomeserver: 0
homeserverList:
- {{ include "mycloud-matrix.domain" . | quote }}
featuredCommunities:
spaces:
{{- toYaml .Values.ingress.cinny.featuredCommunities.spaces | nindent 10 }}
rooms:
{{- toYaml .Values.ingress.cinny.featuredCommunities.rooms | nindent 10 }}
servers:
{{- with .Values.ingress.cinny.featuredCommunities.server }}
{{- toYaml . | nindent 10 }}
{{- else }}
- {{ include "mycloud-matrix.domain" . | quote }}
{{- end }}
{{- if .Values.commons.networkpolicies.enabled }}
networkPolicy:
enabled: true
ingress:
http:
{{- toYaml .Values.commons.networkpolicies.from.ingress | nindent 10 }}
egress:
enabled: true
{{- end }}
ingress:
enabled: true
annotations:
{{- with .Values.commons.ingress.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.ingress.cinny.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
hosts:
- host: {{ $host | quote }}
paths:
- path: /
pathType: ImplementationSpecific
{{- if .Values.commons.ingress.tls.enabled }}
tls:
{{- with .Values.commons.ingress.tls.override }}
{{- toYaml . | nindent 8 }}
{{- else }}
- secretName: "{{ .Release.Name }}-cinny-cert"
hosts:
- "{{ $host }}"
{{- end }}
{{- end }}
{{- end }}


@ -1,6 +1,6 @@
{{- if .Values.ingress.element.enabled }}
---
apiVersion: source.toolkit.fluxcd.io/v1
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: "{{ .Release.Name }}-element-web"
@ -29,9 +29,6 @@ spec:
{{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
interval: 10m
values:
image:
repository: ghcr.io/element-hq/element-web
tag: v1.11.99
{{- $host := .Values.ingress.element.host | default (printf "element.%s" .Values.commons.ingress.domain) }}
defaultServer:
url: https://{{ include "mycloud-matrix.host.server" . }}


@ -29,7 +29,7 @@ spec:
url: oci://codeberg.org/wrenix/helm-charts/matrix-authentication-service
interval: 10m
ref:
semver: "^0.0.11"
semver: "^0.0.7"
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease


@ -93,7 +93,6 @@ spec:
client_id: 0000000000000000000SYNAPSE
client_auth_method: client_secret_basic
account_management_url: "https://{{ include "mycloud-matrix.host.authenticationService" . }}/account/"
msc4108_enabled: true
{{- else }}
oidc_providers:
- idp_id: mycloud
@ -295,25 +294,6 @@ spec:
database: {{ .name | quote }}
{{- end }}
redis:
enabled: true
replica:
# just one replica
replicaCount: {{ .Values.commons.redis.replicas }}
metrics:
enabled: true
serviceMonitor:
enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
additionalLabels:
{{- toYaml .Values.commons.prometheus.monitor.labels | nindent 12 }}
prometheusRule:
# empty rules
enabled: false
# {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
additionalLabels:
{{- toYaml .Values.commons.prometheus.rules.labels | nindent 12 }}
rules: []
prometheus:
podmonitor:
enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PodMonitor") }}


@ -208,18 +208,6 @@ ingress:
# -- default: hydrogen.(.commons.ingress.domain)
host:
annotations: {}
cinny:
enabled: false
# -- default: cinny.(.commons.ingress.domain)
host:
annotations: {}
featuredCommunities:
# -- set spaces as featured communites in cinny
spaces: []
# -- add rooms to featured communites in cinny
rooms: []
# -- add servers to featured communites in cinny
servers: []
livekit:
enabled: false
# -- default: sfu.call.(.commons.ingress.domain)


@ -6,4 +6,4 @@ maintainers:
- name: WrenIX
url: https://wrenix.eu
version: 0.1.1
version: 0.1.0


@ -7,7 +7,7 @@ description: "myCloud component to setup nextcloud"
# mycloud-nextcloud
![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
myCloud component to setup nextcloud
@ -131,7 +131,6 @@ myCloud component to setup nextcloud
| persistence.main.pvc | string | `"nextcloud"` | |
| persistence.main.size | string | `"8Gi"` | |
| quota | string | `nil` | default quota for an user |
| replica.nextcliud | int | `1` | |
| theme.color | string | `nil` | set theme color in nextcloud |
Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs)


@ -1,5 +1,5 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: {{ .Release.Name }}-auth


@ -91,4 +91,33 @@ spec:
protocol: UDP
to:
{{- toYaml .Values.commons.networkpolicies.to.dns | nindent 8 }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ .Release.Name }}-redis
spec:
podSelector:
matchLabels:
app.kubernetes.io/component: master
app.kubernetes.io/instance: {{ .Release.Name }}-hr
app.kubernetes.io/name: redis
policyTypes:
- Ingress
- Egress
ingress:
- ports:
- port: 6379
protocol: TCP
from:
- podSelector:
matchLabels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: {{ .Release.Name }}-hr
app.kubernetes.io/name: nextcloud
- ports:
- port: 9121
protocol: TCP
from:
{{- toYaml .Values.commons.networkpolicies.from.metrics | nindent 8 }}
{{- end }}
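Review bot: `policyTypes` lists `Egress` but the new `{{ .Release.Name }}-redis` NetworkPolicy defines no `egress` section, so every outbound connection from the selected redis master pod (DNS included) is denied; if that is the intent, state it with a comment above `policyTypes`, e.g. `# no egress rules on purpose: the redis master initiates no outbound connections`, otherwise add the needed `egress` entries. The 6379 ingress rule admits only pods labelled `app.kubernetes.io/component: app` in the same namespace; Nextcloud's notify_push (enabled in hr.yaml in this same commit) also needs the redis connection, so if the chart runs it as a pod with a different component label — I cannot confirm the label from this hunk — it will be cut off, and a second `podSelector` entry or a `matchExpressions` on the component label would be needed. The closing `{{- end }}` belongs to a conditional that starts outside the hunk; if that is the `commons.networkpolicies.enabled` guard, note that with the redis `networkPolicy` values dropped from hr.yaml in this commit there is no longer any restriction on redis when that flag is false.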


@ -1,5 +1,5 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: "{{ .Release.Name }}-hr"
@ -26,7 +26,6 @@ spec:
{{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
interval: 10m
values:
replicaCount: {{ .Values.replica.nextcloud }}
{{- $host := .Values.ingress.host | default (printf "fs.%s" .Values.commons.ingress.domain) }}
nextcloud:
update: true
@ -212,14 +211,9 @@ spec:
notifyPush:
enabled: true
autoSetup: true
image:
registry: "ghcr.io"
metrics:
enabled: true
info:
apps: true
update: true
prometheus:
serviceMonitor:
@ -272,18 +266,6 @@ spec:
additionalLabels:
{{- toYaml .Values.commons.prometheus.rules.labels | nindent 12 }}
rules: []
networkPolicy:
allowExternal: false
allowExternalEgress: false
metrics:
allowExternal: false
{{- with .Values.commons.networkpolicies.from.metrics }}
{{- $nsMetrics := first . }}
ingressNSMatchLabels:
{{- toYaml $nsMetrics.namespaceSelector.matchLabels | nindent 12 }}
ingressNSPodMatchLabels:
{{- toYaml $nsMetrics.podSelector.matchLabels | nindent 12 }}
{{- end }}
{{- $pvHelper := (or .Values.commons.persistence.hostPath.enabled) }}
{{- $storageClass := $pvHelper | ternary "manual" .Values.commons.persistence.storageClass }}


@ -116,9 +116,6 @@ chart:
ref:
branch: main
replica:
nextcliud: 1
# -- generated by .Values.commons.masterPassword
adminPassword:


@ -1,23 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@ -1,9 +0,0 @@
apiVersion: v2
name: mycloud-paperless
description: A Helm chart for Kubernetes
type: application
maintainers:
- name: WrenIX
url: https://wrenix.eu
version: 0.1.0


@ -1,117 +0,0 @@
---
title: "mycloud-paperless"
description: "A Helm chart for Kubernetes"
---
# mycloud-paperless
![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
A Helm chart for Kubernetes
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| WrenIX | | <https://wrenix.eu> |
## Values
### Commons
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| commons.auth.host | string | `nil` | default auth.(.Values.commons.ingress.domain) |
| commons.masterPassword | string | `"CHANGEME"` | masterPassword to generate secrets |
### Commons Monitoring
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| commons.grafana.dashboards.annotations | object | `{}` | annotations of grafana dashboard configmap |
| commons.grafana.dashboards.labels | object | `{}` | labels of grafana dashboard configmap |
| commons.prometheus.monitor.labels | object | `{}` | labels on Pod- and Service-Monitor |
| commons.prometheus.rules.labels | object | `{}` | labels on PrometheusRules |
### Commons helm release
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| commons.helm.release.driftDetection | object | `{}` | driftDetection of FluxCD HelmRelease |
| commons.helm.release.install | object | `{}` | install of FluxCD HelmRelease |
| commons.helm.release.test | object | `{}` | test of FluxCD HelmRelease |
| commons.helm.release.upgrade | object | `{}` | upgrade of FluxCD HelmRelease |
### Commons Ingress
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| commons.ingress.annotations | object | `{"cert-manager.io/cluster-issuer":"letsencrypt-prod"}` | annotations for all ingress objects |
| commons.ingress.domain | string | `"wrenix.eu"` | top domain for all services |
| commons.ingress.tls.enabled | bool | `true` | tls on every ingress |
| commons.ingress.tls.override | list | `[]` | use own definition of tls (e.g. for own or wildcard certificate) |
### Commons mail
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| commons.mail.from | string | `nil` | send from address |
| commons.mail.host | string | `nil` | smtp server |
| commons.mail.password | string | `nil` | smtp password |
| commons.mail.use_ssl | bool | `false` | smtp server use ssl |
| commons.mail.use_tls | bool | `false` | smtp server use start tls |
| commons.mail.username | string | `nil` | smtp username |
### Commons Persistence
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| commons.persistence.hostPath.enabled | bool | `false` | use hostPath instatt of PVC |
| commons.persistence.hostPath.prefix | string | `"/var/lib/mycloud"` | use hostPath under the following path |
| commons.persistence.storageClass | string | `nil` | storageClass of PVC |
### Commons theme
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| commons.theme.title | string | `"myCloud"` | title everywhere |
### Other Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| auth.clientID | string | `nil` | generated by .Values.commons.masterPassword |
| auth.clientSecret | string | `nil` | generated by .Values.commons.masterPassword |
| auth.extra | string | `nil` | in format of paperless |
| commons.auth.authentik.backend | string | `"authentik-server"` | |
| commons.auth.authentik.domain | string | `""` | |
| commons.auth.enabled | bool | `false` | |
| commons.auth.namespace | string | `""` | |
| commons.auth.type | string | `"authentik"` | |
| commons.networkpolicies.enabled | bool | `false` | |
| commons.networkpolicies.from.ingress | list | `[]` | |
| commons.networkpolicies.from.metrics | list | `[]` | |
| commons.networkpolicies.to.database | list | `[]` | |
| commons.networkpolicies.to.dns | list | `[]` | |
| commons.networkpolicies.to.smtp | list | `[]` | |
| database.host | string | `"mycloud-services-postgresql"` | default is from mysql-services |
| database.name | string | `"paperless"` | |
| database.password | string | `nil` | generated by .Values.commons.masterPassword (equal to mycloud-services) |
| database.username | string | `"paperless"` | |
| env.PAPERLESS_DISABLE_REGULAR_LOGIN | bool | `true` | |
| env.PAPERLESS_OCR_LANGUAGE | string | `"deu"` | |
| env.PAPERLESS_REDIRECT_LOGIN_TO_SSO | bool | `true` | |
| env.PAPERLESS_SOCIAL_ACCOUNT_SYNC_GROUPS | bool | `true` | |
| env.PAPERLESS_SOCIAL_AUTO_SIGNUP | bool | `true` | |
| ingress.annotations | object | `{}` | |
| ingress.host | string | `nil` | default: paperless.(Values.commons.ingress.domain) |
| init.namespace | string | `"bases"` | |
| init.version | int | `0` | |
| mail.from | string | `nil` | generade by Values.commons.mail.from |
| mail.host | string | `nil` | default Values.commons.mail.host |
| persistence.size | string | `"16Gi"` | |
| persistence.storageClass | string | `nil` | |
Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs)


@ -1,56 +0,0 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: {{ .Release.Name }}-auth
spec:
chart:
spec:
sourceRef:
kind: GitRepository
name: "wrenix-helm-charts"
namespace: "flux-system"
chart: "./authentik-application"
reconcileStrategy: "Revision"
install:
{{- toYaml .Values.commons.helm.release.install | nindent 4 }}
test:
{{- toYaml .Values.commons.helm.release.test | nindent 4 }}
upgrade:
{{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
driftDetection:
{{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
interval: 10m
values:
{{- $host := .Values.ingress.host | default (printf "paperless.%s" .Values.commons.ingress.domain) }}
blueprint:
authentik:
domain: "https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}"
provider:
type: "oidc"
name: "Paperless"
oidc:
clientType: "confidential"
redirectURL: "https://{{ $host }}/accounts/oidc/mycloud/login/callback/"
clientID: {{ .Values.auth.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "auth.clientID") | quote }}
clientSecret: {{ .Values.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "auth.clientSecret") | quote }}
signingKey: "authentik Self-signed Certificate"
scopes:
- name: "authentik default OAuth Mapping: OpenID 'openid'"
- name: "authentik default OAuth Mapping: OpenID 'email'"
- name: "authentik default OAuth Mapping: OpenID 'profile'"
groups:
- slug: "mycloud - users"
bindID: "cefc0c13-49fa-4374-a909-e201a88a473b"
application:
policyEngineMode: "any"
openInNewTab: true
publisher: "WrenIX's myCloud"
slug: "mycloud-paperless"
group: "Office"
name: "Paperless"
launchURL: "https://{{ $host }}/"
icon: "https://{{ $host }}/favicon.ico"
description: "A document management system that transforms your physical documents into a searchable online archive so you can keep, well, less paper."


@ -1,14 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-init
namespace: "{{ .Values.init.namespace }}"
data:
{{- if and
(.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule")
(.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor")
}}
init: "-1"
{{- else }}
init: "{{ add1 .Values.init.version }}"
{{- end }}


@ -1,185 +0,0 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: "{{ .Release.Name }}-ngx"
spec:
chart:
spec:
sourceRef:
kind: GitRepository
name: "wrenix-helm-charts"
namespace: "flux-system"
chart: "./paperless-ngx"
reconcileStrategy: "Revision"
install:
{{- toYaml .Values.commons.helm.release.install | nindent 4 }}
test:
{{- toYaml .Values.commons.helm.release.test | nindent 4 }}
upgrade:
{{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
driftDetection:
{{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
interval: 10m
valuesFrom:
- name: {{ .Release.Name }}
kind: Secret
valuesKey: "DB_PASS"
targetPath: "config.database.pass"
- name: {{ .Release.Name }}
kind: Secret
valuesKey: "ADMIN_PASS"
targetPath: "env.PAPERLESS_ADMIN_PASSWORD"
- name: {{ .Release.Name }}
kind: Secret
valuesKey: "EMAIL_PASS"
targetPath: "env.PAPERLESS_EMAIL_HOST_PASSWORD"
optional: true
- name: {{ .Release.Name }}
kind: Secret
valuesKey: "oidc"
values:
{{- $host := .Values.ingress.host | default (printf "paperless.%s" .Values.commons.ingress.domain) }}
config:
redis:
prefix: {{ .Release.Name }}
database:
engine: postgres
host: {{ .Values.database.host | quote }}
name: {{ .Values.database.name | quote }}
user: {{ .Values.database.username | quote }}
apps: allauth.socialaccount.providers.openid_connect
oidcProviders:
openid_connect:
OAUTH_PKCE_ENABLED: true
env:
PAPERLESS_APP_TITLE: {{ .Values.commons.theme.title }}
PAPERLESS_ADMIN_USER: admin
PAPERLESS_EMAIL_HOST: {{ .Values.mail.host | default .Values.commons.mail.host | quote }}
PAPERLESS_EMAIL_PORT: 587
PAPERLESS_EMAIL_HOST_USER: {{ .Values.commons.mail.username | quote }}
PAPERLESS_EMAIL_FROM: {{ .Values.mail.from | default (printf "\"[%s] %s\" <%s>" .Values.commons.theme.title "paperless" .Values.commons.mail.from) | quote }}
PAPERLESS_EMAIL_USE_TLS: true
{{- with .Values.env }}
{{- toYaml . | nindent 6 }}
{{- end }}
podLabels:
"{{ .Release.Name }}-ngx-redis-client": "true"
postgresql:
enabled: false
redis:
metrics:
enabled: true
serviceMonitor:
enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
additionalLabels:
{{- toYaml .Values.commons.prometheus.monitor.labels | nindent 12 }}
prometheusRule:
# empty rules
enabled: false
# {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
additionalLabels:
{{- toYaml .Values.commons.prometheus.rules.labels | nindent 12 }}
rules: []
networkPolicy:
allowExternal: false
allowExternalEgress: false
metrics:
allowExternal: false
{{- with .Values.commons.networkpolicies.from.metrics }}
{{- $nsMetrics := first . }}
ingressNSMatchLabels:
{{- toYaml $nsMetrics.namespaceSelector.matchLabels | nindent 12 }}
ingressNSPodMatchLabels:
{{- toYaml $nsMetrics.podSelector.matchLabels | nindent 12 }}
{{- end }}
networkPolicy:
enabled: true
ingress:
http:
{{- toYaml .Values.commons.networkpolicies.from.ingress | nindent 12 }}
metrics:
{{- toYaml .Values.commons.networkpolicies.from.metrics | nindent 12 }}
egress:
enabled: true
dns:
{{- toYaml .Values.commons.networkpolicies.to.dns | nindent 10 }}
database:
- ports:
- port: 6379
protocol: TCP
to:
- podSelector:
matchLabels:
app.kubernetes.io/instance: "{{ .Release.Name }}-ngx"
app.kubernetes.io/name: redis
app.kubernetes.io/component: master
{{- with .Values.commons.networkpolicies.to.database }}
{{- toYaml . | nindent 10 }}
{{- end }}
extra:
- ports:
- port: 443
protocol: TCP
to:
{{- toYaml .Values.commons.networkpolicies.from.ingress | nindent 14 }}
{{- with .Values.commons.networkpolicies.to.smtp }}
{{- toYaml . | nindent 10 }}
{{- end }}
ingress:
enabled: true
annotations:
{{- with .Values.commons.ingress.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.ingress.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
hosts:
- host: "{{ $host }}"
paths:
- path: /
pathType: Prefix
{{- if .Values.commons.ingress.tls.enabled }}
tls:
{{- with .Values.commons.ingress.tls.override }}
{{- toYaml . | nindent 8 }}
{{- else }}
- secretName: "mycloud-paperless-cert"
hosts:
- "{{ $host }}"
{{- end }}
{{- end }}
persistence:
enabled: true
size: {{ .Values.persistence.size }}
{{- with .Values.persistence.storageClass | default .Values.commons.persistence.storageClass }}
storageClass: {{ . }}
{{- end }}
{{- if .Values.commons.persistence.hostPath.enabled }}
hostPath: "{{ .Values.commons.persistence.hostPath.prefix }}/paperless"
{{- end }}
prometheus:
servicemonitor:
enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
labels:
{{- toYaml .Values.commons.prometheus.monitor.labels | nindent 10 }}
rules:
enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
additionalLabels:
{{- toYaml .Values.commons.prometheus.rules.labels | nindent 10 }}
grafana:
dashboards:
enabled: true
labels:
{{- toYaml .Values.commons.grafana.dashboards.labels | nindent 10 }}
annotations:
{{- toYaml .Values.commons.grafana.dashboards.annotations | nindent 10 }}


@ -1,29 +0,0 @@
---
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}
data:
DB_PASS: {{ .Values.database.password | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "database_password" | b64enc) | b64enc }}
{{- with .Values.commons.mail.password }}
EMAIL_PASS: {{ . | b64enc }}
{{- end }}
ADMIN_PASS: {{ .Values.auth.admin | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "admin_password" | b64enc) | b64enc }}
# - "authentik Admins"
oidc: {{ toYaml (dict
"config" (dict
"oidcProviders" (dict
"openid_connect" (dict
"APPS" (list (dict
"provider_id" "mycloud"
"name" .Values.commons.theme.title
"client_id" (.Values.auth.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "auth.clientID"))
"secret" (.Values.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "auth.clientSecret"))
"settings" (dict
"server_url" (printf "https://%s/application/o/mycloud-paperless/.well-known/openid-configuration" (.Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain)))
)
) .Values.auth.extra | compact)
)
)
)
) | b64enc }}
