From 2403735f42b7170a1552f27fc0f4cbebabf8030c Mon Sep 17 00:00:00 2001 From: Willian Paixao Date: Mon, 13 May 2024 16:01:13 +0200 Subject: [PATCH] install postgres --- kubernetes/apps/database/kustomization.yaml | 6 + kubernetes/apps/database/namespace.yaml | 8 ++ .../database/postgres/app/helmrelease.yaml | 52 +++++++ .../database/postgres/app/kustomization.yaml | 5 + .../postgres/app/postgresql-secret.sops.yaml | 31 ++++ kubernetes/apps/database/postgres/ks.yaml | 21 +++ .../apps/media/immich/app/helmrelease.yaml | 132 ++++-------------- .../media/immich/app/immich-secret.sops.yaml | 30 ++++ .../flux/repositories/helm/immich-charts.yaml | 9 ++ .../flux/repositories/helm/kustomization.yaml | 1 + 10 files changed, 189 insertions(+), 106 deletions(-) create mode 100644 kubernetes/apps/database/kustomization.yaml create mode 100644 kubernetes/apps/database/namespace.yaml create mode 100644 kubernetes/apps/database/postgres/app/helmrelease.yaml create mode 100644 kubernetes/apps/database/postgres/app/kustomization.yaml create mode 100644 kubernetes/apps/database/postgres/app/postgresql-secret.sops.yaml create mode 100644 kubernetes/apps/database/postgres/ks.yaml create mode 100644 kubernetes/apps/media/immich/app/immich-secret.sops.yaml create mode 100644 kubernetes/flux/repositories/helm/immich-charts.yaml diff --git a/kubernetes/apps/database/kustomization.yaml b/kubernetes/apps/database/kustomization.yaml new file mode 100644 index 00000000..3c877742 --- /dev/null +++ b/kubernetes/apps/database/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./namespace.yaml + - ./postgres/ks.yaml diff --git a/kubernetes/apps/database/namespace.yaml b/kubernetes/apps/database/namespace.yaml new file mode 100644 index 00000000..c526a84a --- /dev/null +++ b/kubernetes/apps/database/namespace.yaml 
@@ -0,0 +1,8 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: database + labels: + kubernetes.io/metadata.name: database + kustomize.toolkit.fluxcd.io/prune: disabled diff --git a/kubernetes/apps/database/postgres/app/helmrelease.yaml b/kubernetes/apps/database/postgres/app/helmrelease.yaml new file mode 100644 index 00000000..8b4a32d8 --- /dev/null +++ b/kubernetes/apps/database/postgres/app/helmrelease.yaml @@ -0,0 +1,52 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta2 +kind: HelmRelease +metadata: + name: &app postgresql + namespace: &namespace database +spec: + interval: 30m + chart: + spec: + chart: postgresql + version: 15.2.12 + sourceRef: + kind: HelmRepository + name: bitnami + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + strategy: rollback + retries: 3 + values: + global: + postgresql: + auth: + existingSecret: postgresql-secret + database: main + image: + repository: bitnami/postgresql + tag: "16.3.0" + primary: + containerSecurityContext: + runAsNonRoot: false + readOnlyRootFilesystem: false + persistence: + enabled: true + type: persistentVolumeClaim + accessMode: ReadWriteOnce + size: 16Gi + metrics: + enabled: true + serviceMonitor: + enabled: true + backup: + enabled: true + cronjob: + storage: + storageClass: longhorn + size: 16Gi diff --git a/kubernetes/apps/database/postgres/app/kustomization.yaml b/kubernetes/apps/database/postgres/app/kustomization.yaml new file mode 100644 index 00000000..dbc604ed --- /dev/null +++ b/kubernetes/apps/database/postgres/app/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - helmrelease.yaml diff --git a/kubernetes/apps/database/postgres/app/postgresql-secret.sops.yaml b/kubernetes/apps/database/postgres/app/postgresql-secret.sops.yaml new file mode 100644 index 00000000..ca7015db --- /dev/null +++ b/kubernetes/apps/database/postgres/app/postgresql-secret.sops.yaml 
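Review bot: `primary.containerSecurityContext` sets `runAsNonRoot: false` and `readOnlyRootFilesystem: false`, which switches off the non-root enforcement the bitnami chart enables by default (as far as I know for 15.x) and goes the opposite way from the rest of this repo — the immich pods being removed in this same commit ran with `runAsNonRoot: true` and a read-only root filesystem. If this is a workaround for volume ownership on the longhorn PVC, the usual fix is `primary.podSecurityContext.fsGroup` or the chart's `volumePermissions` init container, not relaxing the container context; at minimum add a comment above these two lines saying why they are needed. Separately, `image.tag: "16.3.0"` is a mutable tag whereas the previous immich images were pinned by `@sha256` digest — consider `tag: "16.3.0@sha256:…"` (or the chart's own pinned default) so the database image cannot change underneath the release.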
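Review bot: `resources` lists only `helmrelease.yaml`, but the HelmRelease relies on `existingSecret: postgresql-secret`, which this commit defines in `postgresql-secret.sops.yaml` in the same directory; with an explicit kustomization.yaml Flux applies only the listed files, so the Secret is never created and the install will fail at startup (or, depending on chart behaviour, silently fall back to a generated password). Add `- postgresql-secret.sops.yaml` under `resources`. Also confirm the Flux Kustomization that applies this path has SOPS decryption configured — `ks.yaml` in this commit has no `decryption` block, so it depends on a parent patching one in.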
@@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Secret +metadata: + name: postgresql-secret + namespace: database + creationTimestamp: "2024-05-13T13:57:19Z" + uid: e128cd7f-59ac-48f1-8a39-c23618239268 +type: Opaque +data: + password: ENC[AES256_GCM,data:baJEArjpxp4QcTSz/fjoaaGRbKLSogOp/RJDpFzylbiRNxrkTQITbeH6euo=,iv:OmjcsrYsECOlR/T/wVy0ABt/kjOJsfXwhhvSUeMTJm4=,tag:jTIbSoKO740UC4/ItkGkRA==,type:str] + postgres-password: ENC[AES256_GCM,data:25thpO2WeTaYYWGOQ6CImChVanfJN5p7Br9wdH4sJ92bNWJnqC/PacJdrQU=,iv:ZxLCbi8B5/LW0NgXRm2iS42VOmN8SV4PZhztUrk4IYU=,tag:HyRM8WnKt7Gh8kiZEK3KfA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age17ary36xtm566uptguuhsj7xmuqzyz06ce54tcf6p3mge2thphqfs3gln40 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFbzkxVyt6ek5pTGQwK0Ez + ZXQrd3pRMjVnUFRCazUxaEY2K1pTRFg2bm1vCjBjYjlvVVMzSWFheDZWRnZmcGpp + cVh2UU11dXRPc3FRN2R0YVViT2pQQXMKLS0tIGVibkxlcWxXUnFQcDFmZXJmdkd1 + SStycTUxMUY3TTRNS2wrc1J3blRielEKnq+VPDIzCiYAF3TzXEF6vxuavddXB2Rv + 0ndgAfG+CnL92adpH8YOlB4V/EWxjDdHTwPR8MbgB6zxtb0FOEyjEg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-05-13T14:25:48Z" + mac: ENC[AES256_GCM,data:zUNpn95cbNxrnyCgRoIw1PyOw4kXemMUj2Q0/LdRFt/ojyTIXx99ExVYsyNQBMuqTYfqc+XD7De6cg0BhEkBkstgDvgfKRJq/btQBsIzLWRgRUNUdPStVJx30Ylqp+qp1jyJtD5ID+uuHUy3eqIs4fbnXDueR4lolgetUNxlDCI=,iv:0ZIGOfCNaTgRc71pFf1rIv37+Z2BfuGl/SEhm55zssg=,tag:Ktq8xNxzu0UCYde/Arx7uw==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.3 diff --git a/kubernetes/apps/database/postgres/ks.yaml b/kubernetes/apps/database/postgres/ks.yaml new file mode 100644 index 00000000..10a039a4 --- /dev/null +++ b/kubernetes/apps/database/postgres/ks.yaml 
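Review bot: The Secret carries server-populated `metadata.creationTimestamp` and `metadata.uid`, which look copied from a `kubectl get -o yaml` export; a `uid` in a manifest is checked against the live object and can make the apply fail with a UID-precondition conflict once the object is ever recreated, so strip both fields before committing. The encrypted part looks right — `encrypted_regex: ^(data|stringData)$` covers the values and the metadata stays readable. Only one age recipient is configured; if more than one operator or an in-cluster key needs to decrypt this, add the extra recipients now rather than re-encrypting every secret later.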
@@ -0,0 +1,21 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app postgres + namespace: flux-system +spec: + targetNamespace: database + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/apps/database/postgres/app + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + retryInterval: 1m + timeout: 15m diff --git a/kubernetes/apps/media/immich/app/helmrelease.yaml b/kubernetes/apps/media/immich/app/helmrelease.yaml index b74b581f..ad4b292a 100644 --- a/kubernetes/apps/media/immich/app/helmrelease.yaml +++ b/kubernetes/apps/media/immich/app/helmrelease.yaml @@ -1,5 +1,4 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json apiVersion: helm.toolkit.fluxcd.io/v2beta2 kind: HelmRelease metadata: @@ -9,12 +8,12 @@ spec: interval: 30m chart: spec: - chart: app-template - version: 3.1.0 + chart: immich + version: 0.6.0 sourceRef: kind: HelmRepository namespace: flux-system - name: bjw-s + name: immich-charts install: remediation: retries: 3 
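Review bot: This Kustomization has no `decryption` block, yet the path it points at contains a `.sops.yaml` Secret; unless a parent Flux Kustomization patches `spec.decryption` into every child (I cannot see one in this diff), the encrypted file will be applied verbatim and rejected. Either add `decryption:` / `  provider: sops` / `  secretRef: {name: <your age key Secret>}` here or confirm the parent patch covers it and say so in a comment. Note also that `wait: false` means anything that `dependsOn` this Kustomization will be released before the database is actually ready; if a consumer needs a healthy postgres, set `wait: true` or have the consumer's own HelmRelease retry.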
@@ -24,106 +23,27 @@ spec: strategy: rollback retries: 3 values: - defaultPodOptions: - enableServiceLinks: false - controllers: - server: - annotations: - reloader.stakater.com/auto: "true" - pod: - securityContext: - runAsUser: 2000 - runAsGroup: 2000 - runAsNonRoot: true - fsGroup: 2000 - fsGroupChangePolicy: "OnRootMismatch" - containers: - app: - image: - repository: ghcr.io/immich-app/immich-server - tag: v1.103.1@sha256:10761af14a6145353169042f29d2e49943de75b57a5d19251b365fe0d41ee15a - pullPolicy: IfNotPresent - command: [./start-server.sh] - env: &env - TZ: ${TIMEZONE} - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - microservices: - containers: - app: - image: - repository: ghcr.io/immich-app/immich-server - tag: v1.103.1@sha256:10761af14a6145353169042f29d2e49943de75b57a5d19251b365fe0d41ee15a - pullPolicy: IfNotPresent - command: [./start-microservices.sh] - env: *env - securityContext: - readOnlyRootFilesystem: true - machine-learning: - containers: - app: - image: - repository: ghcr.io/immich-app/immich-machine-learning - tag: v1.103.1@sha256:708ff677ab952dda9d7cb9343a6d650a6ac02a4e6c7447015f9df95c780cfc42 - pullPolicy: IfNotPresent - securityContext: - readOnlyRootFilesystem: true - service: - immich: - controller: immich - enabled: false - machine-learning: - controller: machine-learning - ports: - http: - port: 3003 - server: + postgresql: + enabled: true + immich: + metrics: enabled: true - controller: server - ports: - http: - port: 3001 - ingress: - immich: - enabled: true - annotations: - nginx.ingress.kubernetes.io/proxy-body-size: "0" - hosts: - - host: &host immich.${SECRET_DOMAIN} - paths: - - path: / - service: - identifier: server - port: http - tls: - - hosts: - - *host - persistence: - upload: - enabled: true - type: nfs - server: ${NFS_SERVER} - path: /photos - advancedMounts: - server: - app: - - path: /usr/src/app/upload - microservices: - app: - - path: 
/usr/src/app/upload - model-cache: - enabled: true - type: persistentVolumeClaim - accessMode: ReadWriteOnce - size: 8Gi - advancedMounts: - machine-learning: - app: - - path: /cache - tmp: - enabled: true - type: emptyDir + persistence: + library: + existingClaim: immich-nfs + server: + ingress: + main: + enabled: true + annotations: + nginx.ingress.kubernetes.io/proxy-body-size: "0" + hosts: + - host: &host immich.${SECRET_DOMAIN} + paths: + - path: / + service: + identifier: server + port: http + tls: + - hosts: + - *host diff --git a/kubernetes/apps/media/immich/app/immich-secret.sops.yaml b/kubernetes/apps/media/immich/app/immich-secret.sops.yaml new file mode 100644 index 00000000..bb964c84 --- /dev/null +++ b/kubernetes/apps/media/immich/app/immich-secret.sops.yaml 
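Review bot: The move to the immich chart drops every hardening setting the old app-template values carried — `runAsUser`/`runAsGroup`/`fsGroup: 2000`, `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, `capabilities.drop: [ALL]` — and the new values set no `podSecurityContext` or `securityContext` at all, so the pods now run with whatever the chart defaults to (possibly root with a writable rootfs and default capabilities). The `@sha256` digest pins on `immich-server` and `immich-machine-learning` are gone as well; the image is now whatever the chart's appVersion resolves to. Re-add the security contexts under the chart's per-component values (`server`, `microservices`, `machine-learning` — check the 0.6.0 values for the exact key path) and pin `image.tag` with a digest. Also `postgresql.enabled: true` turns on the chart's bundled database while nothing here references the `immich-secret` added in this commit (no `existingSecret`, no `valuesFrom`), so the bundled postgres will run with the chart's default credential — wire the secret in (e.g. `postgresql.global.postgresql.auth.existingSecret: immich-secret`, matching the key name) or the password is effectively public.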
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Secret +metadata: + name: immich-secret + namespace: media + creationTimestamp: "2024-05-13T14:31:11Z" + uid: 41abc95e-b44b-4eae-9e87-bccb48ff2a46 +type: Opaque +data: + postgres-password: ENC[AES256_GCM,data:1TuQpzQ2MmE9lpz2hY/vONsBZgioVJ7HfcgAQuJKiRH8uvdPF/OY8hOGd9Q=,iv:j35UQMdN2VWBpSanWtEcsAnXrDB9NDf4HaM/5JzjbNY=,tag:HSEZ5KhpnWMCP/8tBGJ/SA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age17ary36xtm566uptguuhsj7xmuqzyz06ce54tcf6p3mge2thphqfs3gln40 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKSXJkb1ZWaGdYZUhYTisx + T2w3cmsxcDYwWE9RNW5OVnNYM3RiRE9zaG5rClBFK0FBaWxrQ25ycVZDdDFVQi9O + dW51SC8yVmE1VGVCWFVyd1NOWDRkSU0KLS0tIGN3RFJQZlhMQUVNWFRsZCt0RFo3 + Y1pybUVpUzhDejdpNVByMUtMMlNMODQKlo+r8aYU3obAQpVZXvADuiDKoP0ZIAEd + BXEmTMwZbpq4I0fr+OzMrJCm60h7QVyXvnA79NOwbsUQXr5tQ9Xhig== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-05-13T14:32:04Z" + mac: ENC[AES256_GCM,data:x7Y0qYF472DrvL6pJAySIfbYKyUcXhS1pSWf1NeGoO3ACdq/kX3aSxV97/zwDbrshHAade73jtCnuCN73Mn1BnOsdg23sLa0U4xS/wUEf8DLfwWGUhqrR3nlLOjJ756NOtFOZt0H0hL2zA04+I4Vrmn9gqQtHqAXWaHBRoS1QDk=,iv:stUHRLer1H3eeOc4s+k63UkIzzM1bNMS8tazZe6x/Nk=,tag:3sS1Z+KFWyPh/GobVtsFmA==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.3 diff --git a/kubernetes/flux/repositories/helm/immich-charts.yaml b/kubernetes/flux/repositories/helm/immich-charts.yaml new file mode 100644 index 00000000..375cc951 --- /dev/null +++ b/kubernetes/flux/repositories/helm/immich-charts.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: immich-charts + namespace: flux-system +spec: + interval: 1h + url: https://immich-app.github.io/immich-charts diff --git a/kubernetes/flux/repositories/helm/kustomization.yaml b/kubernetes/flux/repositories/helm/kustomization.yaml index b8e25171..520fd42e 100644 
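Review bot: Same exported metadata as the postgres secret — `creationTimestamp` and `uid` are server-owned fields and should be removed before committing, since a stale `uid` can make the apply fail after the object is recreated. Nothing in this commit consumes `immich-secret` either: the immich HelmRelease values do not reference it and `kubernetes/apps/media/immich/app/kustomization.yaml` is not in the diff, so confirm the file is listed there and that the release reads `postgres-password` from it; otherwise this is dead config holding a live credential.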
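Review bot: This is an index-over-HTTPS HelmRepository, for which Flux offers no chart signature or provenance verification; the old bjw-s app-template release at least pinned its images by digest, so the supply-chain trust for immich now rests entirely on this endpoint and the chart's appVersion. If the immich project publishes the chart as an OCI artifact, prefer `type: oci` with `spec.verify` (cosign) on the HelmChart; if not, add a short comment noting that chart and image provenance are unverified and keep the container images digest-pinned in the release values.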
--- a/kubernetes/flux/repositories/helm/kustomization.yaml +++ b/kubernetes/flux/repositories/helm/kustomization.yaml @@ -5,6 +5,7 @@ resources: - ./bjw-s.yaml - ./cilium.yaml - ./external-dns.yaml + - ./immich-charts.yaml - ./ingress-nginx.yaml - ./jetstack.yaml - ./k8s-gateway.yaml