vynil/domain-incoming
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix

Browse Source
This commit is contained in:
Sébastien Huss
2024-05-29 13:19:32 +02:00
parent 87eb0314a7
commit a83413a2e9
13 changed files with 6 additions and 1438 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
apps/openproject/check.rhai
View File

@@ -1,13 +0,0 @@
const DOMAIN = config.domain;
fn check_domain() {
assert(have_namespace(`${global::DOMAIN}`), `There is no ${global::DOMAIN} namespace`);
}
fn check_authentik() {
assert(have_namespace(`${global::DOMAIN}-auth`), `There is no ${global::DOMAIN}-auth namespace`);
assert(have_install(`${global::DOMAIN}-auth`, "authentik"), `No authentik installation in ${global::DOMAIN}-auth`);
assert(have_secret(`${global::DOMAIN}-auth`, "authentik"), `No authentik secret in ${global::DOMAIN}-auth`);
}
fn pre_check() {
check_domain();
check_authentik();
}

423
apps/openproject/index.yaml
View File

@@ -1,423 +0,0 @@
---
apiVersion: vinyl.solidite.fr/v1beta1
kind: Component
category: apps
metadata:
name: openproject
description: null
options:
app_group:
default: apps
examples:
- apps
type: string
backups:
default:
enable: false
endpoint: ''
key_id_key: s3-id
restic_key: bck-password
retention:
db: 30d
keepDaily: 14
keepMonthly: 12
keepWeekly: 6
keepYearly: 12
schedule:
backup: 10 3 * * *
check: 10 5 * * 1
db: 10 3 * * *
prune: 10 1 * * 0
secret_key: s3-secret
secret_name: backup-settings
use_barman: false
examples:
- enable: false
endpoint: ''
key_id_key: s3-id
restic_key: bck-password
retention:
db: 30d
keepDaily: 14
keepMonthly: 12
keepWeekly: 6
keepYearly: 12
schedule:
backup: 10 3 * * *
check: 10 5 * * 1
db: 10 3 * * *
prune: 10 1 * * 0
secret_key: s3-secret
secret_name: backup-settings
use_barman: false
properties:
enable:
default: false
type: boolean
endpoint:
default: ''
type: string
key_id_key:
default: s3-id
type: string
restic_key:
default: bck-password
type: string
retention:
default:
db: 30d
keepDaily: 14
keepMonthly: 12
keepWeekly: 6
keepYearly: 12
properties:
db:
default: 30d
type: string
keepDaily:
default: 14
type: integer
keepMonthly:
default: 12
type: integer
keepWeekly:
default: 6
type: integer
keepYearly:
default: 12
type: integer
type: object
schedule:
default:
backup: 10 3 * * *
check: 10 5 * * 1
db: 10 3 * * *
prune: 10 1 * * 0
properties:
backup:
default: 10 3 * * *
type: string
check:
default: 10 5 * * 1
type: string
db:
default: 10 3 * * *
type: string
prune:
default: 10 1 * * 0
type: string
type: object
secret_key:
default: s3-secret
type: string
secret_name:
default: backup-settings
type: string
use_barman:
default: false
type: boolean
type: object
domain:
default: your-company
examples:
- your-company
type: string
domain_name:
default: your-company.com
examples:
- your-company.com
type: string
hpa:
default:
avg-cpu: 50
max-replicas: 5
min-replicas: 1
examples:
- avg-cpu: 50
max-replicas: 5
min-replicas: 1
properties:
avg-cpu:
default: 50
type: integer
max-replicas:
default: 5
type: integer
min-replicas:
default: 1
type: integer
type: object
images:
default:
app:
pullPolicy: IfNotPresent
registry: docker.io
repository: to-be/defined
tag: v1.0.0
postgresql:
registry: ghcr.io
repository: cloudnative-pg/postgresql
tag: 15.3
redis:
pullPolicy: IfNotPresent
registry: quay.io
repository: opstree/redis
tag: v7.0.12
redis_exporter:
pullPolicy: IfNotPresent
registry: quay.io
repository: opstree/redis-exporter
tag: v1.44.0
examples:
- app:
pullPolicy: IfNotPresent
registry: docker.io
repository: to-be/defined
tag: v1.0.0
postgresql:
registry: ghcr.io
repository: cloudnative-pg/postgresql
tag: 15.3
redis:
pullPolicy: IfNotPresent
registry: quay.io
repository: opstree/redis
tag: v7.0.12
redis_exporter:
pullPolicy: IfNotPresent
registry: quay.io
repository: opstree/redis-exporter
tag: v1.44.0
properties:
app:
default:
pullPolicy: IfNotPresent
registry: docker.io
repository: to-be/defined
tag: v1.0.0
properties:
pullPolicy:
default: IfNotPresent
enum:
- Always
- Never
- IfNotPresent
type: string
registry:
default: docker.io
type: string
repository:
default: to-be/defined
type: string
tag:
default: v1.0.0
type: string
type: object
postgresql:
default:
registry: ghcr.io
repository: cloudnative-pg/postgresql
tag: 15.3
properties:
registry:
default: ghcr.io
type: string
repository:
default: cloudnative-pg/postgresql
type: string
tag:
default: 15.3
type: number
type: object
redis:
default:
pullPolicy: IfNotPresent
registry: quay.io
repository: opstree/redis
tag: v7.0.12
properties:
pullPolicy:
default: IfNotPresent
enum:
- Always
- Never
- IfNotPresent
type: string
registry:
default: quay.io
type: string
repository:
default: opstree/redis
type: string
tag:
default: v7.0.12
type: string
type: object
redis_exporter:
default:
pullPolicy: IfNotPresent
registry: quay.io
repository: opstree/redis-exporter
tag: v1.44.0
properties:
pullPolicy:
default: IfNotPresent
enum:
- Always
- Never
- IfNotPresent
type: string
registry:
default: quay.io
type: string
repository:
default: opstree/redis-exporter
type: string
tag:
default: v1.44.0
type: string
type: object
type: object
ingress_class:
default: traefik
examples:
- traefik
type: string
issuer:
default: letsencrypt-prod
examples:
- letsencrypt-prod
type: string
language:
default: fr_FR
examples:
- fr_FR
type: string
postgres:
default:
replicas: 1
examples:
- replicas: 1
properties:
replicas:
default: 1
type: integer
type: object
redis:
default:
exporter:
enabled: true
examples:
- exporter:
enabled: true
properties:
exporter:
default:
enabled: true
properties:
enabled:
default: true
type: boolean
type: object
type: object
replicas:
default: 1
examples:
- 1
type: integer
sso_vynil:
default: true
examples:
- true
type: boolean
storage:
default:
postgres:
size: 10Gi
redis:
size: 2Gi
volume:
accessMode: ReadWriteOnce
class: ''
size: 1Gi
type: Filesystem
description: Configure this app storage
examples:
- postgres:
size: 10Gi
redis:
size: 2Gi
volume:
accessMode: ReadWriteOnce
class: ''
size: 1Gi
type: Filesystem
properties:
postgres:
default:
size: 10Gi
properties:
size:
default: 10Gi
type: string
type: object
redis:
default:
size: 2Gi
properties:
size:
default: 2Gi
type: string
type: object
volume:
default:
accessMode: ReadWriteOnce
class: ''
size: 1Gi
type: Filesystem
properties:
accessMode:
default: ReadWriteOnce
enum:
- ReadWriteOnce
- ReadOnlyMany
- ReadWriteMany
type: string
class:
default: ''
type: string
size:
default: 1Gi
type: string
type:
default: Filesystem
enum:
- Filesystem
- Block
type: string
type: object
type: object
sub_domain:
default: to-be-set
examples:
- to-be-set
type: string
timezone:
default: Europe/Paris
examples:
- Europe/Paris
type: string
dependencies:
- dist: null
category: dbo
component: pg
providers:
kubernetes: true
authentik: true
kubectl: true
postgresql: null
mysql: null
restapi: null
http: null
gitea: null
tfaddtype: null

28
apps/openproject/openproject_Ingress.tf
View File

@@ -1,28 +0,0 @@
resource "kubectl_manifest" "Ingress_openproject" {
yaml_body = <<-EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: openproject
labels: ${jsonencode(local.common-labels)}
namespace: ${var.namespace}
ownerReferences: ${jsonencode(var.install_owner)}
spec:
tls:
- hosts:
- openproject.example.com
secretName: ''
rules:
- host: openproject.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: openproject
port:
name: http
EOF
}

124
apps/openproject/openproject_Job.tf
View File

@@ -1,124 +0,0 @@
resource "kubectl_manifest" "Job_openproject-seeder-20240528164127" {
yaml_body = <<-EOF
apiVersion: batch/v1
kind: Job
metadata:
name: openproject-seeder-20240528164127
labels: ${jsonencode(local.common-labels)}
namespace: ${var.namespace}
ownerReferences: ${jsonencode(var.install_owner)}
spec:
ttlSecondsAfterFinished: 6000
template:
metadata:
labels:
app.kubernetes.io/name: openproject
helm.sh/chart: openproject-5.1.4
app.kubernetes.io/instance: openproject
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/version: '14'
openproject/process: seeder
spec:
securityContext:
fsGroup: 1000
volumes:
- name: tmp
ephemeral:
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
- name: app-tmp
ephemeral:
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
- name: data
persistentVolumeClaim:
claimName: openproject
initContainers:
- name: check-db-ready
image: docker.io/postgres:13
imagePullPolicy: Always
command:
- sh
- -c
- until pg_isready -h $DATABASE_HOST -p $DATABASE_PORT -U openproject; do echo "waiting for database $DATABASE_HOST:$DATABASE_PORT"; sleep 2; done;
envFrom:
- secretRef:
name: openproject-core
- secretRef:
name: openproject-oidc
- secretRef:
name: openproject-memcached
env:
- name: OPENPROJECT_DB_PASSWORD
valueFrom:
secretKeyRef:
name: openproject-postgresql
key: password
resources:
limits:
memory: 200Mi
requests:
memory: 200Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
containers:
- name: seeder
image: docker.io/openproject/openproject:14-slim
imagePullPolicy: IfNotPresent
args:
- bash
- /app/docker/prod/seeder
envFrom:
- secretRef:
name: openproject-core
- secretRef:
name: openproject-oidc
- secretRef:
name: openproject-memcached
env:
- name: OPENPROJECT_DB_PASSWORD
valueFrom:
secretKeyRef:
name: openproject-postgresql
key: password
volumeMounts:
- mountPath: /tmp
name: tmp
- mountPath: /app/tmp
name: app-tmp
- name: data
mountPath: /var/openproject/assets
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
restartPolicy: OnFailure
EOF
}

28
apps/openproject/openproject_NetworkPolicy.tf
View File

@@ -1,28 +0,0 @@
resource "kubectl_manifest" "NetworkPolicy_openproject-memcached" {
yaml_body = <<-EOF
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: openproject-memcached
namespace: ${var.namespace}
labels: ${jsonencode(local.common-labels)}
ownerReferences: ${jsonencode(var.install_owner)}
spec:
podSelector:
matchLabels:
app.kubernetes.io/instance: openproject
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: memcached
app.kubernetes.io/version: 1.6.24
helm.sh/chart: memcached-6.14.0
policyTypes:
- Ingress
- Egress
egress:
- {}
ingress:
- ports:
- port: 11211
EOF
}

18
apps/openproject/openproject_PersistentVolumeClaim.tf
View File

@@ -1,18 +0,0 @@
resource "kubectl_manifest" "PersistentVolumeClaim_openproject" {
yaml_body = <<-EOF
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: openproject
labels: ${jsonencode(local.common-labels)}
namespace: ${var.namespace}
ownerReferences: ${jsonencode(var.install_owner)}
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
EOF
}

26
apps/openproject/openproject_Pod.tf
View File

@@ -1,26 +0,0 @@
resource "kubectl_manifest" "Pod_openproject-test-connection" {
yaml_body = <<-EOF
apiVersion: v1
kind: Pod
metadata:
name: openproject-test-connection
labels: ${jsonencode(local.common-labels)}
annotations:
helm.sh/hook: test
namespace: ${var.namespace}
ownerReferences: ${jsonencode(var.install_owner)}
spec:
containers:
- name: wget
image: busybox
command:
- wget
args:
- --no-verbose
- --tries=1
- --spider
- openproject:8080/health_check
restartPolicy: Never
EOF
}

79
apps/openproject/openproject_Secret.tf
View File

@@ -1,79 +0,0 @@
resource "kubectl_manifest" "Secret_openproject-postgresql" {
yaml_body = <<-EOF
apiVersion: v1
kind: Secret
metadata:
name: openproject-postgresql
namespace: ${var.namespace}
labels: ${jsonencode(local.common-labels)}
ownerReferences: ${jsonencode(var.install_owner)}
type: Opaque
data:
postgres-password: VDQxbmpqeEVnYg==
password: cEhqbUkyQjVYVw==
EOF
}
resource "kubectl_manifest" "Secret_openproject-core" {
yaml_body = <<-EOF
apiVersion: v1
kind: Secret
metadata:
name: openproject-core
labels: ${jsonencode(local.common-labels)}
namespace: ${var.namespace}
ownerReferences: ${jsonencode(var.install_owner)}
stringData:
DATABASE_HOST: openproject-postgresql.vynil-ci.svc.cluster.local
DATABASE_PORT: '5432'
DATABASE_URL: postgresql://openproject@openproject-postgresql:5432/openproject
OPENPROJECT_SEED_ADMIN_USER_PASSWORD: admin
OPENPROJECT_SEED_ADMIN_USER_PASSWORD_RESET: 'true'
OPENPROJECT_SEED_ADMIN_USER_NAME: OpenProject Admin
OPENPROJECT_SEED_ADMIN_USER_MAIL: admin@example.net
OPENPROJECT_HTTPS: 'true'
OPENPROJECT_SEED_LOCALE: en
OPENPROJECT_HOST__NAME: openproject.example.com
OPENPROJECT_HSTS: 'true'
OPENPROJECT_RAILS__CACHE__STORE: memcache
OPENPROJECT_RAILS__RELATIVE__URL__ROOT: ''
POSTGRES_STATEMENT_TIMEOUT: 120s
EOF
}
resource "kubectl_manifest" "Secret_openproject-oidc" {
yaml_body = <<-EOF
apiVersion: v1
kind: Secret
metadata:
name: openproject-oidc
labels: ${jsonencode(local.common-labels)}
namespace: ${var.namespace}
ownerReferences: ${jsonencode(var.install_owner)}
stringData:
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_DISPLAY__NAME: Keycloak
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_HOST: oidc.host
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_IDENTIFIER: oidc.identifier
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET: oidc.secret
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_AUTHORIZATION__ENDPOINT: oidc.authorizationEndpoint
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_TOKEN__ENDPOINT: oidc.tokenEndpoint
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_USERINFO__ENDPOINT: oidc.userinfoEndpoint
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_END__SESSION__ENDPOINT: oidc.endSessionEndpoint
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SCOPE: '[openid email profile]'
EOF
}
resource "kubectl_manifest" "Secret_openproject-memcached" {
yaml_body = <<-EOF
apiVersion: v1
kind: Secret
metadata:
name: openproject-memcached
labels: ${jsonencode(local.common-labels)}
namespace: ${var.namespace}
ownerReferences: ${jsonencode(var.install_owner)}
stringData:
OPENPROJECT_CACHE__MEMCACHE__SERVER: openproject-memcached:11211
EOF
}

99
apps/openproject/openproject_Service.tf
View File

@@ -1,99 +0,0 @@
resource "kubectl_manifest" "Service_openproject-memcached" {
yaml_body = <<-EOF
apiVersion: v1
kind: Service
metadata:
name: openproject-memcached
namespace: ${var.namespace}
labels: ${jsonencode(local.common-labels)}
ownerReferences: ${jsonencode(var.install_owner)}
spec:
type: ClusterIP
ports:
- name: memcache
port: 11211
targetPort: memcache
nodePort: null
selector:
app.kubernetes.io/instance: openproject
app.kubernetes.io/name: memcached
EOF
}
resource "kubectl_manifest" "Service_openproject-postgresql" {
yaml_body = <<-EOF
apiVersion: v1
kind: Service
metadata:
name: openproject-postgresql
namespace: ${var.namespace}
labels: ${jsonencode(local.common-labels)}
ownerReferences: ${jsonencode(var.install_owner)}
spec:
type: ClusterIP
sessionAffinity: None
ports:
- name: tcp-postgresql
port: 5432
targetPort: tcp-postgresql
nodePort: null
selector:
app.kubernetes.io/instance: openproject
app.kubernetes.io/name: postgresql
app.kubernetes.io/component: primary
EOF
}
resource "kubectl_manifest" "Service_openproject" {
yaml_body = <<-EOF
apiVersion: v1
kind: Service
metadata:
name: openproject
labels: ${jsonencode(local.common-labels)}
namespace: ${var.namespace}
ownerReferences: ${jsonencode(var.install_owner)}
spec:
type: ClusterIP
sessionAffinity: ClientIP
sessionAffinityConfig:
clientIP:
timeoutSeconds: 10800
ports:
- port: 8080
targetPort: http
protocol: TCP
name: http
selector:
app.kubernetes.io/name: openproject
app.kubernetes.io/instance: openproject
openproject/process: web
EOF
}
resource "kubectl_manifest" "Service_openproject-postgresql-hl" {
yaml_body = <<-EOF
apiVersion: v1
kind: Service
metadata:
name: openproject-postgresql-hl
namespace: ${var.namespace}
labels: ${jsonencode(local.common-labels)}
annotations:
service.alpha.kubernetes.io/tolerate-unready-endpoints: 'true'
ownerReferences: ${jsonencode(var.install_owner)}
spec:
type: ClusterIP
clusterIP: None
publishNotReadyAddresses: true
ports:
- name: tcp-postgresql
port: 5432
targetPort: tcp-postgresql
selector:
app.kubernetes.io/instance: openproject
app.kubernetes.io/name: postgresql
app.kubernetes.io/component: primary
EOF
}

25
apps/openproject/openproject_rbac.tf
View File

@@ -1,25 +0,0 @@
resource "kubectl_manifest" "ServiceAccount_openproject" {
yaml_body = <<-EOF
apiVersion: v1
kind: ServiceAccount
metadata:
name: openproject
labels: ${jsonencode(local.common-labels)}
namespace: ${var.namespace}
ownerReferences: ${jsonencode(var.install_owner)}
EOF
}
resource "kubectl_manifest" "ServiceAccount_openproject-memcached" {
yaml_body = <<-EOF
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: false
metadata:
name: openproject-memcached
namespace: ${var.namespace}
labels: ${jsonencode(local.common-labels)}
ownerReferences: ${jsonencode(var.install_owner)}
EOF
}

564
apps/openproject/openproject_workload.tf
View File

@@ -1,564 +0,0 @@
resource "kubectl_manifest" "Deployment_openproject-worker-default" {
yaml_body = <<-EOF
apiVersion: apps/v1
kind: Deployment
metadata:
name: openproject-worker-default
labels: ${jsonencode(local.common-labels)}
namespace: ${var.namespace}
ownerReferences: ${jsonencode(var.install_owner)}
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app.kubernetes.io/name: openproject
app.kubernetes.io/instance: openproject
openproject/process: worker-default
template:
metadata:
annotations:
checksum/env-core: a4294db8b065a4d77e098d233e1b73e5ad4557890fd69436ba8fc7c2daf7a181
checksum/env-memcached: f4f558dde2e4422edc31e686317ce225beea60a136cbb9459cfca7d1f5548be6
checksum/env-oidc: 2a3d493b7fac498a180683454c58815e0a3bc6319adaf87d6e1eb459db3a8c04
checksum/env-s3: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
checksum/env-environment: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
labels:
app.kubernetes.io/name: openproject
helm.sh/chart: openproject-5.1.4
app.kubernetes.io/instance: openproject
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/version: '14'
openproject/process: worker-default
spec:
securityContext:
fsGroup: 1000
serviceAccountName: openproject
volumes:
- name: tmp
ephemeral:
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
- name: app-tmp
ephemeral:
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
- name: data
persistentVolumeClaim:
claimName: openproject
initContainers:
- name: wait-for-db
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
image: docker.io/openproject/openproject:14-slim
imagePullPolicy: IfNotPresent
envFrom:
- secretRef:
name: openproject-core
- secretRef:
name: openproject-oidc
- secretRef:
name: openproject-memcached
env:
- name: OPENPROJECT_DB_PASSWORD
valueFrom:
secretKeyRef:
name: openproject-postgresql
key: password
command:
- bash
- /app/docker/prod/wait-for-db
containers:
- name: openproject
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
image: docker.io/openproject/openproject:14-slim
imagePullPolicy: IfNotPresent
envFrom:
- secretRef:
name: openproject-core
- secretRef:
name: openproject-oidc
- secretRef:
name: openproject-memcached
command:
- bash
- /app/docker/prod/worker
env:
- name: OPENPROJECT_DB_PASSWORD
valueFrom:
secretKeyRef:
name: openproject-postgresql
key: password
- name: QUEUE
value: ''
volumeMounts:
- mountPath: /tmp
name: tmp
- mountPath: /app/tmp
name: app-tmp
- name: data
mountPath: /var/openproject/assets
resources:
limits:
cpu: '4'
memory: 4Gi
requests:
cpu: 250m
memory: 512Mi
EOF
}
resource "kubectl_manifest" "Deployment_openproject-web" {
yaml_body = <<-EOF
apiVersion: apps/v1
kind: Deployment
metadata:
name: openproject-web
labels: ${jsonencode(local.common-labels)}
namespace: ${var.namespace}
ownerReferences: ${jsonencode(var.install_owner)}
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app.kubernetes.io/name: openproject
app.kubernetes.io/instance: openproject
openproject/process: web
template:
metadata:
annotations:
checksum/env-core: a4294db8b065a4d77e098d233e1b73e5ad4557890fd69436ba8fc7c2daf7a181
checksum/env-memcached: f4f558dde2e4422edc31e686317ce225beea60a136cbb9459cfca7d1f5548be6
checksum/env-oidc: 2a3d493b7fac498a180683454c58815e0a3bc6319adaf87d6e1eb459db3a8c04
checksum/env-s3: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
checksum/env-environment: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
labels:
app.kubernetes.io/name: openproject
helm.sh/chart: openproject-5.1.4
app.kubernetes.io/instance: openproject
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/version: '14'
openproject/process: web
spec:
securityContext:
fsGroup: 1000
serviceAccountName: openproject
volumes:
- name: tmp
ephemeral:
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
- name: app-tmp
ephemeral:
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
- name: data
persistentVolumeClaim:
claimName: openproject
initContainers:
- name: wait-for-db
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
image: docker.io/openproject/openproject:14-slim
imagePullPolicy: IfNotPresent
envFrom:
- secretRef:
name: openproject-core
- secretRef:
name: openproject-oidc
- secretRef:
name: openproject-memcached
env:
- name: OPENPROJECT_DB_PASSWORD
valueFrom:
secretKeyRef:
name: openproject-postgresql
key: password
command:
- bash
- /app/docker/prod/wait-for-db
containers:
- name: openproject
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
image: docker.io/openproject/openproject:14-slim
imagePullPolicy: IfNotPresent
envFrom:
- secretRef:
name: openproject-core
- secretRef:
name: openproject-oidc
- secretRef:
name: openproject-memcached
env:
- name: OPENPROJECT_DB_PASSWORD
valueFrom:
secretKeyRef:
name: openproject-postgresql
key: password
command:
- bash
- /app/docker/prod/web
volumeMounts:
- mountPath: /tmp
name: tmp
- mountPath: /app/tmp
name: app-tmp
- name: data
mountPath: /var/openproject/assets
ports:
- name: http
containerPort: 8080
protocol: TCP
livenessProbe:
httpGet:
path: /health_checks/default
port: 8080
httpHeaders:
- name: Host
value: localhost
initialDelaySeconds: 120
timeoutSeconds: 3
periodSeconds: 30
failureThreshold: 3
successThreshold: 1
readinessProbe:
httpGet:
path: /health_checks/default
port: 8080
httpHeaders:
- name: Host
value: localhost
initialDelaySeconds: 30
timeoutSeconds: 3
periodSeconds: 15
failureThreshold: 30
successThreshold: 1
resources:
limits:
cpu: '4'
memory: 4Gi
requests:
cpu: 250m
memory: 512Mi
EOF
}
resource "kubectl_manifest" "StatefulSet_openproject-postgresql" {
yaml_body = <<-EOF
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: openproject-postgresql
namespace: ${var.namespace}
labels: ${jsonencode(local.common-labels)}
ownerReferences: ${jsonencode(var.install_owner)}
spec:
replicas: 1
serviceName: openproject-postgresql-hl
updateStrategy:
rollingUpdate: {}
type: RollingUpdate
selector:
matchLabels:
app.kubernetes.io/instance: openproject
app.kubernetes.io/name: postgresql
app.kubernetes.io/component: primary
template:
metadata:
name: openproject-postgresql
labels:
app.kubernetes.io/instance: openproject
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: postgresql
app.kubernetes.io/version: 15.4.0
helm.sh/chart: postgresql-12.12.10
app.kubernetes.io/component: primary
spec:
serviceAccountName: default
affinity:
podAffinity: null
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/instance: openproject
app.kubernetes.io/name: postgresql
app.kubernetes.io/component: primary
topologyKey: kubernetes.io/hostname
weight: 1
nodeAffinity: null
securityContext:
fsGroup: 1001
hostNetwork: false
hostIPC: false
containers:
- name: postgresql
image: docker.io/bitnami/postgresql:15.4.0-debian-11-r45
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
runAsGroup: 0
runAsNonRoot: true
runAsUser: 1001
seccompProfile:
type: RuntimeDefault
env:
- name: BITNAMI_DEBUG
value: 'false'
- name: POSTGRESQL_PORT_NUMBER
value: '5432'
- name: POSTGRESQL_VOLUME_DIR
value: /bitnami/postgresql
- name: PGDATA
value: /bitnami/postgresql/data
- name: POSTGRES_USER
value: openproject
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: openproject-postgresql
key: password
- name: POSTGRES_POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: openproject-postgresql
key: postgres-password
- name: POSTGRES_DATABASE
value: openproject
- name: POSTGRESQL_ENABLE_LDAP
value: no
- name: POSTGRESQL_ENABLE_TLS
value: no
- name: POSTGRESQL_LOG_HOSTNAME
value: 'false'
- name: POSTGRESQL_LOG_CONNECTIONS
value: 'false'
- name: POSTGRESQL_LOG_DISCONNECTIONS
value: 'false'
- name: POSTGRESQL_PGAUDIT_LOG_CATALOG
value: off
- name: POSTGRESQL_CLIENT_MIN_MESSAGES
value: error
- name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES
value: pgaudit
ports:
- name: tcp-postgresql
containerPort: 5432
livenessProbe:
failureThreshold: 6
initialDelaySeconds: 30
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
exec:
command:
- /bin/sh
- -c
- exec pg_isready -U "openproject" -d "dbname=openproject" -h 127.0.0.1 -p 5432
readinessProbe:
failureThreshold: 6
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
exec:
command:
- /bin/sh
- -c
- -e
- |
exec pg_isready -U "openproject" -d "dbname=openproject" -h 127.0.0.1 -p 5432
[ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
resources:
limits: {}
requests:
cpu: 250m
memory: 256Mi
volumeMounts:
- name: dshm
mountPath: /dev/shm
- name: data
mountPath: /bitnami/postgresql
volumes:
- name: dshm
emptyDir:
medium: Memory
volumeClaimTemplates:
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 8Gi
EOF
}
resource "kubectl_manifest" "Deployment_openproject-memcached" {
yaml_body = <<-EOF
apiVersion: apps/v1
kind: Deployment
metadata:
name: openproject-memcached
namespace: ${var.namespace}
labels: ${jsonencode(local.common-labels)}
ownerReferences: ${jsonencode(var.install_owner)}
spec:
selector:
matchLabels:
app.kubernetes.io/instance: openproject
app.kubernetes.io/name: memcached
replicas: 1
strategy:
rollingUpdate: {}
type: RollingUpdate
template:
metadata:
labels:
app.kubernetes.io/instance: openproject
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: memcached
app.kubernetes.io/version: 1.6.24
helm.sh/chart: memcached-6.14.0
annotations: null
spec:
automountServiceAccountToken: false
affinity:
podAffinity: null
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/instance: openproject
app.kubernetes.io/name: memcached
topologyKey: kubernetes.io/hostname
weight: 1
nodeAffinity: null
securityContext:
fsGroup: 1001
fsGroupChangePolicy: Always
supplementalGroups: []
sysctls: []
serviceAccountName: openproject-memcached
containers:
- name: memcached
image: docker.io/bitnami/memcached:1.6.24-debian-12-r0
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
seccompProfile:
type: RuntimeDefault
env:
- name: BITNAMI_DEBUG
value: 'false'
- name: MEMCACHED_PORT_NUMBER
value: '11211'
ports:
- name: memcache
containerPort: 11211
livenessProbe:
failureThreshold: 6
initialDelaySeconds: 30
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
tcpSocket:
port: memcache
readinessProbe:
failureThreshold: 6
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
tcpSocket:
port: memcache
volumeMounts:
- name: empty-dir
mountPath: /opt/bitnami/memcached/conf
subPath: app-conf-dir
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
volumes:
- name: empty-dir
emptyDir: {}
EOF
}

6
apps/openproject/template.rhai
View File

@@ -1,6 +0,0 @@
const DEST=dest;
fn post_template() {
save_to_tf(`${global::DEST}/conditions.tf`, "conditions", #{
have_podmonitors: have_crd("podmonitors.monitoring.coreos.com"),
});
}

11
apps/taiga/taiga_ConfigMap.tf
View File

@@ -77,16 +77,17 @@ resource "kubectl_manifest" "cm_scripts" {
postconfig.sh: |-
#!/usr/bin/env bash
export PATH="/opt/venv/bin/:$PATH" TAIGA_URL="http://${module.service.name}" TAIGA_SITES_DOMAIN="${module.service.name}" TAIGA_SITES_SCHEME=http
DIRNAME=$(dirname $0)
. $DIRNAME/certs.sh
sleep 5
if ! python 'manage.py' 'dumpdata' users.user|grep -q '"is_superuser": true';then
python manage.py createsuperuser --noinput
fi
if [ $(python manage.py dumpdata projects.projecttemplate|wc -c) -lt 1000 ];then
python manage.py loaddata initial_project_templates
else
echo "skipping loading initial templates : already here"
fi
if ! python 'manage.py' 'dumpdata' users.user|grep -q '"is_superuser": true';then
python manage.py createsuperuser --noinput
else
python 'manage.py' 'dumpdata' users.user
fi
EOF
}