From 2b901c0222bf8c2d50c675e25605a5720c210169 Mon Sep 17 00:00:00 2001 From: alexlebens Date: Sat, 24 Aug 2024 14:22:57 -0500 Subject: [PATCH] convert to env, add minio --- .../directus/templates/external-secret.yaml | 2 +- .../cl01tl/applications/homepage/values.yaml | 6 + clusters/cl01tl/applications/ryot/Chart.yaml | 6 + .../ryot/templates/external-secret.yaml | 188 ++++++++ clusters/cl01tl/applications/ryot/values.yaml | 426 +++++++----------- 5 files changed, 352 insertions(+), 276 deletions(-) diff --git a/clusters/cl01tl/applications/directus/templates/external-secret.yaml b/clusters/cl01tl/applications/directus/templates/external-secret.yaml index 2b5b65d16..98b3ee439 100644 --- a/clusters/cl01tl/applications/directus/templates/external-secret.yaml +++ b/clusters/cl01tl/applications/directus/templates/external-secret.yaml @@ -160,7 +160,7 @@ spec: remoteRef: conversionStrategy: Default decodingStrategy: None - key: /cl01tl/outline/minio/config + key: /cl01tl/directus/minio/config metadataPolicy: None property: root-config.env diff --git a/clusters/cl01tl/applications/homepage/values.yaml b/clusters/cl01tl/applications/homepage/values.yaml index 8aba459cd..34668e868 100644 --- a/clusters/cl01tl/applications/homepage/values.yaml +++ b/clusters/cl01tl/applications/homepage/values.yaml @@ -476,6 +476,12 @@ homepage: href: https://minio-directus-cl01tl.boreal-beaufort.ts.net siteMonitor: http://minio-directus-console.directus:9090 statusStyle: dot + - Object Storage (Ryot): + icon: minio.png + description: Minio Tenant + href: https://minio-ryot-cl01tl.boreal-beaufort.ts.net + siteMonitor: http://minio-ryot-console.ryot:9090 + statusStyle: dot - Sonarr: - Sonarr: icon: sonarr.png diff --git a/clusters/cl01tl/applications/ryot/Chart.yaml b/clusters/cl01tl/applications/ryot/Chart.yaml index 1d3d2569b..50f59cfec 100644 --- a/clusters/cl01tl/applications/ryot/Chart.yaml +++ b/clusters/cl01tl/applications/ryot/Chart.yaml 
@@ -8,9 +8,11 @@ keywords: home: https://wiki.alexlebens.dev/doc/ryot-hIylymbPGj sources: - https://github.com/IgnisDa/ryot + - https://github.com/minio/operator - https://github.com/cloudnative-pg/cloudnative-pg - https://github.com/ignisda/ryot/pkgs/container/ryot - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template + - https://github.com/minio/operator/tree/master/helm/tenant - https://github.com/alexlebens/helm-charts/charts/postgres-cluster maintainers: - name: alexlebens @@ -19,6 +21,10 @@ dependencies: alias: ryot repository: https://bjw-s.github.io/helm-charts/ version: 3.3.2 + - name: tenant + version: 6.0.1 + alias: minio + repository: https://operator.min.io/ - name: postgres-cluster alias: postgres-16-cluster version: 3.9.0 diff --git a/clusters/cl01tl/applications/ryot/templates/external-secret.yaml b/clusters/cl01tl/applications/ryot/templates/external-secret.yaml index f42aba0d1..d0313915c 100644 --- a/clusters/cl01tl/applications/ryot/templates/external-secret.yaml +++ b/clusters/cl01tl/applications/ryot/templates/external-secret.yaml 
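Review bot: The new `tenant` dependency in the second hunk lists its keys as `name, version, alias, repository`, while the neighbouring `app-template` and `postgres-cluster` entries use `name, alias, repository, version`; reordering the four added lines to match keeps the dependency list scannable and diffable. The pinned `version: 6.0.1` is fine as written, since it is a plain string here. The `dependencies:` list starts above the hunk, so the remaining entries are not visible.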
@@ -1,5 +1,193 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret +metadata: + name: ryot-key-secret + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ryot-key-secret + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: web + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: google_books + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/ryot/key + metadataPolicy: None + property: google_books + - secretKey: tmdb + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/ryot/key + metadataPolicy: None + property: tmdb + - secretKey: listennotes + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/ryot/key + metadataPolicy: None + property: listennotes + - secretKey: admin_token + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/ryot/key + metadataPolicy: None + property: admin_token + - secretKey: jwt_secret + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/ryot/key + metadataPolicy: None + property: jwt_secret + - secretKey: twitch_client_id + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/ryot/key + metadataPolicy: None + property: twitch_client_id + - secretKey: twitch_client_secret + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/ryot/key + metadataPolicy: None + property: twitch_client_secret + +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: ryot-oidc-secret + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ryot-oidc-secret + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: web + 
app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: client_id + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /authentik/oidc/ryot + metadataPolicy: None + property: client + - secretKey: client_secret + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /authentik/oidc/ryot + metadataPolicy: None + property: secret + - secretKey: issuer_url + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /authentik/oidc/ryot + metadataPolicy: None + property: issuer_url + +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: ryot-minio-user-secret + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ryot-minio-user-secret + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: database + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: AWS_ACCESS_KEY_ID + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/ryot/minio/auth + metadataPolicy: None + property: AWS_ACCESS_KEY_ID + - secretKey: AWS_SECRET_ACCESS_KEY + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/ryot/minio/auth + metadataPolicy: None + property: AWS_SECRET_ACCESS_KEY + +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: ryot-minio-root-secret + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ryot-minio-root-secret + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: database + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: config.env + remoteRef: + 
conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/ryot/minio/config + metadataPolicy: None + property: root-config.env + +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: ryot-minio-config-secret + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ryot-minio-config-secret + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: database + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: config.env + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/ryot/minio/config + metadataPolicy: None + property: config.env + +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret metadata: name: ryot-postgresql-16-cluster-backup-secret namespace: {{ .Release.Namespace }} diff --git a/clusters/cl01tl/applications/ryot/values.yaml b/clusters/cl01tl/applications/ryot/values.yaml index 19daa4ab9..f07d4e2b5 100644 --- a/clusters/cl01tl/applications/ryot/values.yaml +++ b/clusters/cl01tl/applications/ryot/values.yaml 
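Review bot: The three MinIO ExternalSecrets (`ryot-minio-user-secret`, `ryot-minio-root-secret`, `ryot-minio-config-secret`) carry `app.kubernetes.io/component: database`, which looks copied from the postgres backup secret that follows them; they hold object-storage credentials, so a value such as `app.kubernetes.io/component: object-storage` (constructed example) would keep label-based selection honest. None of the new ExternalSecrets sets `spec.refreshInterval`, so a rotation of the MinIO root config, the Ryot API keys or the Authentik client secret in Vault presumably reaches the cluster only at the controller's default interval; pinning it explicitly on the credential-bearing secrets documents the expected rotation lag. If the defaults are acceptable, a one-line comment above the first `spec:` stating that would save the next reader the lookup. The final `ryot-postgresql-16-cluster-backup-secret` resource continues past the hunk.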
@@ -14,281 +14,125 @@ ryot: env: - name: TZ value: US/Central + - name: AUDIO_BOOKS_AUDIBLE_LOCAL + value: us + - name: BOOKS_GOOGLE_BOOKS_API_KEY + valueFrom: + secretKeyRef: + name: ryot-key-secret + key: google_books + - name: BOOKS_OPENLIBRARY_COVER_IMAGE_SIZE + value: "M" - name: DATABASE_URL valueFrom: secretKeyRef: name: ryot-postgresql-16-cluster-app key: uri + - name: BOOKS_OPENLIBRARY_COVER_IMAGE_SIZE + value: "M" + - name: DISABLE_TELEMETRY + value: true + - name: FILE_STORAGE_S3_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: ryot-minio-user-secret + key: AWS_ACCESS_KEY_ID + - name: FILE_STORAGE_S3_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: ryot-minio-user-secret + key: AWS_SECRET_ACCESS_KEY + - name: FILE_STORAGE_S3_BUCKET_NAME + value: ryot + - name: FILE_STORAGE_S3_REGION + value: us-east-1 + - name: FILE_STORAGE_S3_URL + value: https://ryot-storage-cl01tl.boreal-beaufort.ts.net + - name: FRONTEND_DASHBOARD_MESSAGE + value: Ryot + - name: FRONTEND_OIDC_BUTTON_LABEL + value: Authentik Login + - name: FRONTEND_URL + value: https://ryot-cl01tl.boreal-beaufort.ts.net + - name: INTEGRATION_SYNC_EVERY_MINUTES + value: 5 + - name: MEDIA_MONITORING_REMOVE_AFTER_DAYS + value: 30 + - name: MOVIES_AND_SHOWS_TMDB_ACCESS_TOKEN + valueFrom: + secretKeyRef: + name: ryot-key-secret + key: tmdb + - name: MOVIES_AND_SHOWS_TMDB_LOCALE + value: en + - name: PODCASTS_ITUNES_LOCALE + value: en_us + - name: PODCASTS_LISTENNOTES_API_TOKEN + valueFrom: + secretKeyRef: + name: ryot-key-secret + key: listennotes + - name: SCHEDULER_RATE_LIMIT_NUM + value: 5 + - name: SERVER_ADMIN_ACCESS_TOKEN + valueFrom: + secretKeyRef: + name: ryot-key-secret + key: admin_token + - name: SERVER_OIDC_CLIENT_ID + valueFrom: + secretKeyRef: + name: ryot-oidc-secret + key: client_id + - name: SERVER_OIDC_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: ryot-oidc-secret + key: client_secret + - name: SERVER_OIDC_ISSUER_URL + valueFrom: + secretKeyRef: + name: ryot-oidc-secret + 
key: issuer_url + - name: SERVER_DISABLE_BACKGROUND_JOBS + value: false + - name: SERVER_GRAPHQL_PLAYGROUND_ENABLED + value: true + - name: SERVER_MAX_FILE_SIZE + value: 70 + - name: SERVER_PROGRESS_UPDATE_THRESHOLD + value: 2 + - name: SERVER_SLEEP_BEFORE_STARTUP_SECONDS + value: 0 + - name: USERS_ALLOW_REGISTRATION + value: true + - name: USERS_DISABLE_LOCAL_AUTH + value: false + - name: USERS_JWT_SECRET + valueFrom: + secretKeyRef: + name: ryot-key-secret + key: jwt_secret + - name: USERS_TOKEN_VALID_FOR_DAYS + value: 90 + - name: VIDEO_GAMES_IGDB_IMAGE_SIZE + value: t_original + - name: VIDEO_GAMES_TWITCH_CLIENT_ID + valueFrom: + secretKeyRef: + name: ryot-key-secret + key: twitch_client_id + - name: VIDEO_GAMES_TWITCH_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: ryot-key-secret + key: twitch_client_secret resources: requests: cpu: 100m memory: 256Mi serviceAccount: create: true - configMaps: - config: - enabled: true - data: - ryot.yaml: | - # Settings related to anime and manga. - anime_and_manga: - # Settings related to Anilist. - anilist: - # Whether to prefer the english name for media from this source. - # @deprecated - # @envvar ANIME_AND_MANGA_ANILIST_PREFER_ENGLISH - prefer_english: false - - # The preferred language for media from this source. - # @envvar ANIME_AND_MANGA_ANILIST_PREFERRED_LANGUAGE - preferred_language: "native" - - # Settings related to MAL. - mal: - # The client ID to be used for the MAL API. - # @envvar ANIME_AND_MANGA_MAL_CLIENT_ID - client_id: "" - - # Settings related to MangaUpdates. - manga_updates: {} - - # Settings related to audio books. - audio_books: - # Settings related to Audible. - audible: - # Settings related to locale for making requests Audible. - # @envvar AUDIO_BOOKS_AUDIBLE_LOCALE - locale: "us" - - # Settings related to books. - books: - # Settings related to Google Books. - google_books: - # The API key to be used for the Google Books API. 
- # @envvar BOOKS_GOOGLE_BOOKS_API_KEY - api_key: "" - - # Whether to pass the raw query string to the search API. - # @envvar BOOKS_GOOGLE_BOOKS_PASS_RAW_QUERY - pass_raw_query: false - - # Settings related to Openlibrary. - openlibrary: - # The image sizes to fetch from Openlibrary. - # @envvar BOOKS_OPENLIBRARY_COVER_IMAGE_SIZE - cover_image_size: "M" - - # The database related settings. - database: - # The Postgres database connection string. - # Format described in https://www.sea-ql.org/SeaORM/docs/install-and-config/connection/#postgres. - # @envvar DATABASE_URL - url: "" - - # Whether to disable telemetry. - # @envvar DISABLE_TELEMETRY - disable_telemetry: false - - # Settings related to exercises. - exercise: {} - - # Settings related to file storage. - file_storage: - # The access key ID for the S3 compatible file storage. **Required** to - # enable file storage. - # @envvar FILE_STORAGE_S3_ACCESS_KEY_ID - s3_access_key_id: "" - - # The name of the S3 compatible bucket. **Required** to enable file storage. - # @envvar FILE_STORAGE_S3_BUCKET_NAME - s3_bucket_name: "" - - # The region for the S3 compatible file storage. - # @envvar FILE_STORAGE_S3_REGION - s3_region: "us-east-1" - - # The secret access key for the S3 compatible file storage. **Required** - # to enable file storage. - # @envvar FILE_STORAGE_S3_SECRET_ACCESS_KEY - s3_secret_access_key: "" - - # The URL for the S3 compatible file storage. - # @envvar FILE_STORAGE_S3_URL - s3_url: "" - - # Settings related to frontend storage. - frontend: - # A message to be displayed on the dashboard. - # @envvar FRONTEND_DASHBOARD_MESSAGE - dashboard_message: "" - - # The button label for OIDC authentication. - # @envvar FRONTEND_OIDC_BUTTON_LABEL - oidc_button_label: "Continue with OpenID Connect" - - # The number of items to display in a list view. - # @envvar FRONTEND_PAGE_SIZE - page_size: 20 - - # Settings related to Umami analytics. 
- umami: - # @envvar FRONTEND_UMAMI_DOMAINS - domains: "" - - # For example: https://umami.is/script.js. - # @envvar FRONTEND_UMAMI_SCRIPT_URL - script_url: "" - - # @envvar FRONTEND_UMAMI_WEBSITE_ID - website_id: "" - - # Used as the base URL when generating item links for the frontend. - # @envvar FRONTEND_URL - url: "https://pro.ryot.io" - - # Settings related to external integrations. - integration: - # Sync data from push and yank based integrations every `n` minutes. - # @envvar INTEGRATION_SYNC_EVERY_MINUTES - sync_every_minutes: 5 - - # Settings related to media. - media: - # Number of days after which a media should be removed from the Monitoring collection. - # @envvar MEDIA_MONITORING_REMOVE_AFTER_DAYS - monitoring_remove_after_days: 30 - - # Settings related to movies and shows. - movies_and_shows: - # Settings related to TMDB. - tmdb: - # The access token for the TMDB API. - # @envvar MOVIES_AND_SHOWS_TMDB_ACCESS_TOKEN - access_token: "" - - # The locale to use for making requests to TMDB API. - # @envvar MOVIES_AND_SHOWS_TMDB_LOCALE - locale: "en" - - # Settings related to podcasts. - podcasts: - # Settings related to iTunes. - itunes: - # The locale to use for making requests to iTunes API. - # @envvar PODCASTS_ITUNES_LOCALE - locale: "en_us" - - # Settings related to Listennotes. - listennotes: - # The access token for the Listennotes API. - # @envvar PODCASTS_LISTENNOTES_API_TOKEN - api_token: "" - - # Settings related to scheduler. - scheduler: - # The number of jobs to process every 5 seconds when updating metadata in - # the background. - # @envvar SCHEDULER_RATE_LIMIT_NUM - rate_limit_num: 5 - - # Settings related to server. - server: - # An access token that can be used for admin operations. - # @envvar SERVER_ADMIN_ACCESS_TOKEN - admin_access_token: "" - - # An array of URLs for CORS. - # @envvar SERVER_CORS_ORIGINS - cors_origins: [] - - # Disable all background jobs. 
- # @envvar SERVER_DISABLE_BACKGROUND_JOBS - disable_background_jobs: false - - # Whether the graphql playground will be enabled. - # @envvar SERVER_GRAPHQL_PLAYGROUND_ENABLED - graphql_playground_enabled: true - - # The maximum file size in MB for user uploads. - # @envvar SERVER_MAX_FILE_SIZE - max_file_size: 70 - - # The OIDC related settings. - oidc: - # @envvar SERVER_OIDC_CLIENT_ID - client_id: "" - - # @envvar SERVER_OIDC_CLIENT_SECRET - client_secret: "" - - # @envvar SERVER_OIDC_ISSUER_URL - issuer_url: "" - - # The hours in which a media can be marked as seen again for a user. This - # is used so that the same media can not be used marked as started when - # it has been already marked as seen in the last `n` hours. - # @envvar SERVER_PROGRESS_UPDATE_THRESHOLD - progress_update_threshold: 2 - - # Number of seconds to sleep before starting the server. - # @envvar SERVER_SLEEP_BEFORE_STARTUP_SECONDS - sleep_before_startup_seconds: 0 - - # The mailer related settings. - smtp: - # @envvar SERVER_SMTP_MAILBOX - mailbox: "Ryot " - - # @envvar SERVER_SMTP_PASSWORD - password: "" - - # @envvar SERVER_SMTP_SERVER - server: "" - - # @envvar SERVER_SMTP_USER - user: "" - - # Settings related to users. - users: - # Whether new users will be allowed to sign up to this instance. - # @envvar USERS_ALLOW_REGISTRATION - allow_registration: true - - # Whether to disable local user authentication completely. - # @envvar USERS_DISABLE_LOCAL_AUTH - disable_local_auth: false - - # The secret used for generating JWT tokens. - # @envvar USERS_JWT_SECRET - jwt_secret: "" - - # The number of days till login authentication token is valid. - # @envvar USERS_TOKEN_VALID_FOR_DAYS - token_valid_for_days: 90 - - # Settings related to video games. - video_games: - # Settings related to IGDB. - igdb: - # The image sizes to fetch from IGDB. - # @envvar VIDEO_GAMES_IGDB_IMAGE_SIZE - image_size: "t_original" - - # Settings related to Twitch. - twitch: - # The client ID issues by Twitch. 
**Required** to enable video games - # tracking. [More information](/docs/guides/video-games.md). - # @envvar VIDEO_GAMES_TWITCH_CLIENT_ID - client_id: "" - - # The client secret issued by Twitch. **Required** to enable video games - # tracking. - # @envvar VIDEO_GAMES_TWITCH_CLIENT_SECRET - client_secret: "" - - # Settings related to visual novels. - visual_novels: {} - service: main: controller: main @@ -312,18 +156,50 @@ ryot: tls: - hosts: - ryot-cl01tl - persistence: - config: +minio: + existingSecret: + name: ryot-minio-root-secret + tenant: + name: minio-ryot + configuration: + name: ryot-minio-config-secret + pools: + - servers: 3 + name: pool + volumesPerServer: 2 + size: 10Gi + storageClassName: ceph-block + mountPath: /export + subPath: /data + metrics: enabled: true - type: configMap - name: ryot-config - advancedMounts: - main: - main: - - path: /home/ryot/config/ryot.yaml - readOnly: true - mountPropagation: None - subPath: ryot.yaml + port: 9000 + protocol: http + certificate: + requestAutoCert: false + ingress: + api: + enabled: true + ingressClassName: tailscale + annotations: + tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true" + tls: + - secretName: ryot-storage-cl01tl + hosts: + - ryot-storage-cl01tl + host: ryot-storage-cl01tl + path: / + pathType: Prefix + console: + enabled: true + ingressClassName: tailscale + tls: + - secretName: minio-ryot-cl01tl + hosts: + - minio-ryot-cl01tl + host: minio-ryot-cl01tl + path: / + pathType: Prefix postgres-16-cluster: mode: standalone cluster:
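Review bot: The new env entry `AUDIO_BOOKS_AUDIBLE_LOCAL` does not match the variable name the removed config documented for that setting, `AUDIO_BOOKS_AUDIBLE_LOCALE`; with the missing `E` the value is presumably ignored and the Audible locale silently falls back to its default, so the line should read `- name: AUDIO_BOOKS_AUDIBLE_LOCALE`. `BOOKS_OPENLIBRARY_COVER_IMAGE_SIZE` is added twice, once before and once after `DATABASE_URL`; one of the two entries should go. The unquoted scalars `value: true`, `value: false`, `value: 5`, `value: 30`, `value: 70`, `value: 2`, `value: 0` and `value: 90` parse as YAML booleans and integers, while a Kubernetes `EnvVar.value` must be a string; unless the app-template chart quotes scalar env values when it renders them, the manifest will be rejected, so writing them as `value: "true"`, `value: "5"` and so on is the safe form. The `env:` list begins above the hunk, so earlier entries are not visible.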
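Review bot: The tenant is configured with `requestAutoCert: false` and `protocol: http`, so the S3 API and console are served in plaintext inside the cluster; the tailscale ingresses add TLS on the tailnet side only, and the hop from the ingress proxy to the tenant service (and any in-cluster client that talks to the service directly) stays unencrypted, which I infer from the visible settings rather than the operator's defaults. If that is the intended trust boundary, a comment above `certificate:` such as `# TLS is terminated at the tailscale ingress; the tenant serves plain HTTP in-cluster` records the decision for the next reader. The `existingSecret` and `configuration` references point at the root and config secrets defined in this commit's external-secret template, which is consistent.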