install postgres

willianpaixao · May 14, 2024 · 2403735 · 2403735
1 parent d4b6d4d
commit 2403735
Show file tree

Hide file tree

Showing 10 changed files with 189 additions and 106 deletions.
diff --git a/kubernetes/apps/database/kustomization.yaml b/kubernetes/apps/database/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./namespace.yaml
+  - ./postgres/ks.yaml
diff --git a/kubernetes/apps/database/namespace.yaml b/kubernetes/apps/database/namespace.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: database
+  labels:
+    kubernetes.io/metadata.name: database
+    kustomize.toolkit.fluxcd.io/prune: disabled
diff --git a/kubernetes/apps/database/postgres/app/helmrelease.yaml b/kubernetes/apps/database/postgres/app/helmrelease.yaml
@@ -0,0 +1,52 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: &app postgresql
+  namespace: &namespace database
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: postgresql
+      version: 15.2.12
+      sourceRef:
+        kind: HelmRepository
+        name: bitnami
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  values:
+    global:
+      postgresql:
+        auth:
+          existingSecret: postgresql-secret
+          database: main
+    image:
+      repository: bitnami/postgresql
+      tag: "16.3.0"
+    primary:
+      containerSecurityContext:
+        runAsNonRoot: false
+        readOnlyRootFilesystem: false
+      persistence:
+        enabled: true
+        type: persistentVolumeClaim
+        accessMode: ReadWriteOnce
+        size: 16Gi
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+    backup:
+      enabled: true
+      cronjob:
+        storage:
+          storageClass: longhorn
+          size: 16Gi
diff --git a/kubernetes/apps/database/postgres/app/kustomization.yaml b/kubernetes/apps/database/postgres/app/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - helmrelease.yaml
diff --git a/kubernetes/apps/database/postgres/app/postgresql-secret.sops.yaml b/kubernetes/apps/database/postgres/app/postgresql-secret.sops.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: postgresql-secret
+    namespace: database
+    creationTimestamp: "2024-05-13T13:57:19Z"
+    uid: e128cd7f-59ac-48f1-8a39-c23618239268
+type: Opaque
+data:
+    password: ENC[AES256_GCM,data:baJEArjpxp4QcTSz/fjoaaGRbKLSogOp/RJDpFzylbiRNxrkTQITbeH6euo=,iv:OmjcsrYsECOlR/T/wVy0ABt/kjOJsfXwhhvSUeMTJm4=,tag:jTIbSoKO740UC4/ItkGkRA==,type:str]
+    postgres-password: ENC[AES256_GCM,data:25thpO2WeTaYYWGOQ6CImChVanfJN5p7Br9wdH4sJ92bNWJnqC/PacJdrQU=,iv:ZxLCbi8B5/LW0NgXRm2iS42VOmN8SV4PZhztUrk4IYU=,tag:HyRM8WnKt7Gh8kiZEK3KfA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age17ary36xtm566uptguuhsj7xmuqzyz06ce54tcf6p3mge2thphqfs3gln40
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFbzkxVyt6ek5pTGQwK0Ez
+            ZXQrd3pRMjVnUFRCazUxaEY2K1pTRFg2bm1vCjBjYjlvVVMzSWFheDZWRnZmcGpp
+            cVh2UU11dXRPc3FRN2R0YVViT2pQQXMKLS0tIGVibkxlcWxXUnFQcDFmZXJmdkd1
+            SStycTUxMUY3TTRNS2wrc1J3blRielEKnq+VPDIzCiYAF3TzXEF6vxuavddXB2Rv
+            0ndgAfG+CnL92adpH8YOlB4V/EWxjDdHTwPR8MbgB6zxtb0FOEyjEg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-05-13T14:25:48Z"
+    mac: ENC[AES256_GCM,data:zUNpn95cbNxrnyCgRoIw1PyOw4kXemMUj2Q0/LdRFt/ojyTIXx99ExVYsyNQBMuqTYfqc+XD7De6cg0BhEkBkstgDvgfKRJq/btQBsIzLWRgRUNUdPStVJx30Ylqp+qp1jyJtD5ID+uuHUy3eqIs4fbnXDueR4lolgetUNxlDCI=,iv:0ZIGOfCNaTgRc71pFf1rIv37+Z2BfuGl/SEhm55zssg=,tag:Ktq8xNxzu0UCYde/Arx7uw==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3
diff --git a/kubernetes/apps/database/postgres/ks.yaml b/kubernetes/apps/database/postgres/ks.yaml
@@ -0,0 +1,21 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app postgres
+  namespace: flux-system
+spec:
+  targetNamespace: database
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/apps/database/postgres/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 15m
diff --git a/kubernetes/apps/media/immich/app/helmrelease.yaml b/kubernetes/apps/media/immich/app/helmrelease.yaml
@@ -1,5 +1,4 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
 apiVersion: helm.toolkit.fluxcd.io/v2beta2
 kind: HelmRelease
 metadata:
@@ -9,12 +8,12 @@ spec:
   interval: 30m
   chart:
     spec:
-      chart: app-template
-      version: 3.1.0
+      chart: immich
+      version: 0.6.0
       sourceRef:
         kind: HelmRepository
         namespace: flux-system
-        name: bjw-s
+        name: immich-charts
   install:
     remediation:
       retries: 3
@@ -24,106 +23,27 @@ spec:
       strategy: rollback
       retries: 3
   values:
-    defaultPodOptions:
-      enableServiceLinks: false
-    controllers:
-      server:
-        annotations:
-          reloader.stakater.com/auto: "true"
-        pod:
-          securityContext:
-            runAsUser: 2000
-            runAsGroup: 2000
-            runAsNonRoot: true
-            fsGroup: 2000
-            fsGroupChangePolicy: "OnRootMismatch"
-        containers:
-          app:
-            image:
-              repository: ghcr.io/immich-app/immich-server
-              tag: v1.103.1@sha256:10761af14a6145353169042f29d2e49943de75b57a5d19251b365fe0d41ee15a
-              pullPolicy: IfNotPresent
-            command: [./start-server.sh]
-            env: &env
-              TZ: ${TIMEZONE}
-            securityContext:
-              allowPrivilegeEscalation: false
-              readOnlyRootFilesystem: true
-              capabilities:
-                drop:
-                  - ALL
-      microservices:
-        containers:
-          app:
-            image:
-              repository: ghcr.io/immich-app/immich-server
-              tag: v1.103.1@sha256:10761af14a6145353169042f29d2e49943de75b57a5d19251b365fe0d41ee15a
-              pullPolicy: IfNotPresent
-            command: [./start-microservices.sh]
-            env: *env
-            securityContext:
-              readOnlyRootFilesystem: true
-      machine-learning:
-        containers:
-          app:
-            image:
-              repository: ghcr.io/immich-app/immich-machine-learning
-              tag: v1.103.1@sha256:708ff677ab952dda9d7cb9343a6d650a6ac02a4e6c7447015f9df95c780cfc42
-              pullPolicy: IfNotPresent
-            securityContext:
-              readOnlyRootFilesystem: true
-    service:
-      immich:
-        controller: immich
-        enabled: false
-      machine-learning:
-        controller: machine-learning
-        ports:
-          http:
-            port: 3003
-      server:
+    postgresql:
+      enabled: true
+    immich:
+      metrics:
         enabled: true
-        controller: server
-        ports:
-          http:
-            port: 3001
-    ingress:
-      immich:
-        enabled: true
-        annotations:
-          nginx.ingress.kubernetes.io/proxy-body-size: "0"
-        hosts:
-          - host: &host immich.${SECRET_DOMAIN}
-            paths:
-              - path: /
-                service:
-                  identifier: server
-                  port: http
-        tls:
-          - hosts:
-              - *host
-    persistence:
-      upload:
-        enabled: true
-        type: nfs
-        server: ${NFS_SERVER}
-        path: /photos
-        advancedMounts:
-          server:
-            app:
-              - path: /usr/src/app/upload
-          microservices:
-            app:
-              - path: /usr/src/app/upload
-      model-cache:
-        enabled: true
-        type: persistentVolumeClaim
-        accessMode: ReadWriteOnce
-        size: 8Gi
-        advancedMounts:
-          machine-learning:
-            app:
-              - path: /cache
-      tmp:
-        enabled: true
-        type: emptyDir
+      persistence:
+        library:
+          existingClaim: immich-nfs
+    server:
+      ingress:
+        main:
+          enabled: true
+          annotations:
+            nginx.ingress.kubernetes.io/proxy-body-size: "0"
+          hosts:
+            - host: &host immich.${SECRET_DOMAIN}
+              paths:
+                - path: /
+                  service:
+                    identifier: server
+                    port: http
+          tls:
+            - hosts:
+                - *host
diff --git a/kubernetes/apps/media/immich/app/immich-secret.sops.yaml b/kubernetes/apps/media/immich/app/immich-secret.sops.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: immich-secret
+    namespace: media
+    creationTimestamp: "2024-05-13T14:31:11Z"
+    uid: 41abc95e-b44b-4eae-9e87-bccb48ff2a46
+type: Opaque
+data:
+    postgres-password: ENC[AES256_GCM,data:1TuQpzQ2MmE9lpz2hY/vONsBZgioVJ7HfcgAQuJKiRH8uvdPF/OY8hOGd9Q=,iv:j35UQMdN2VWBpSanWtEcsAnXrDB9NDf4HaM/5JzjbNY=,tag:HSEZ5KhpnWMCP/8tBGJ/SA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age17ary36xtm566uptguuhsj7xmuqzyz06ce54tcf6p3mge2thphqfs3gln40
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKSXJkb1ZWaGdYZUhYTisx
+            T2w3cmsxcDYwWE9RNW5OVnNYM3RiRE9zaG5rClBFK0FBaWxrQ25ycVZDdDFVQi9O
+            dW51SC8yVmE1VGVCWFVyd1NOWDRkSU0KLS0tIGN3RFJQZlhMQUVNWFRsZCt0RFo3
+            Y1pybUVpUzhDejdpNVByMUtMMlNMODQKlo+r8aYU3obAQpVZXvADuiDKoP0ZIAEd
+            BXEmTMwZbpq4I0fr+OzMrJCm60h7QVyXvnA79NOwbsUQXr5tQ9Xhig==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-05-13T14:32:04Z"
+    mac: ENC[AES256_GCM,data:x7Y0qYF472DrvL6pJAySIfbYKyUcXhS1pSWf1NeGoO3ACdq/kX3aSxV97/zwDbrshHAade73jtCnuCN73Mn1BnOsdg23sLa0U4xS/wUEf8DLfwWGUhqrR3nlLOjJ756NOtFOZt0H0hL2zA04+I4Vrmn9gqQtHqAXWaHBRoS1QDk=,iv:stUHRLer1H3eeOc4s+k63UkIzzM1bNMS8tazZe6x/Nk=,tag:3sS1Z+KFWyPh/GobVtsFmA==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3
diff --git a/kubernetes/flux/repositories/helm/immich-charts.yaml b/kubernetes/flux/repositories/helm/immich-charts.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: immich-charts
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://immich-app.github.io/immich-charts
diff --git a/kubernetes/flux/repositories/helm/kustomization.yaml b/kubernetes/flux/repositories/helm/kustomization.yaml
@@ -5,6 +5,7 @@ resources:
   - ./bjw-s.yaml
   - ./cilium.yaml
   - ./external-dns.yaml
+  - ./immich-charts.yaml
   - ./ingress-nginx.yaml
   - ./jetstack.yaml
   - ./k8s-gateway.yaml