init

clusters/cl01tl/applications/freshrss/Chart.yaml

@@ -0,0 +1,15 @@
+apiVersion: v2
+name: freshrss
+version: 1.0.0
+sources:
+  - https://github.com/FreshRSS/FreshRSS
+  - https://github.com/alexlebens/helm-charts/tree/main/charts/hfreshrss
+dependencies:
+  - name: freshrss
+    version: 0.0.3
+    repository: http://alexlebens.github.io/helm-charts
+  - name: postgres-cluster
+    alias: postgres-16-cluster
+    version: 3.0.0
+    repository: http://alexlebens.github.io/helm-charts    
+appVersion: "1.23.1"

clusters/cl01tl/applications/freshrss/templates/external-secret.yaml

@@ -0,0 +1,94 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: freshrss-oidc-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: OIDC_CLIENT_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/freshrss
+        metadataPolicy: None
+        property: client
+    - secretKey: OIDC_CLIENT_SECRET
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/freshrss
+        metadataPolicy: None
+        property: secret
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: freshrss-install-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: FRESHRSS_INSTALL
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /freshrss/config
+        metadataPolicy: None
+        property: FRESHRSS_INSTALL
+    - secretKey: FRESHRSS_USER
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /freshrss/config
+        metadataPolicy: None
+        property: FRESHRSS_USER
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: freshrss-postgresql-16-cluster-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: freshrss-postgresql-16-cluster-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: database
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /aws/keys/cl01tl-freshrss-postgresql
+        metadataPolicy: None
+        property: access_key
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /aws/keys/cl01tl-freshrss-postgresql
+        metadataPolicy: None
+        property: secret_key

clusters/cl01tl/applications/freshrss/values.yaml

@@ -0,0 +1,42 @@
+freshrss:
+  deployment:
+    env:
+      TZ: US/Central
+      CRON_MIN: 13,43
+      OIDC_ENABLED: 1
+      OIDC_PROVIDER_METADATA_URL: https://authentik.alexlebens.net/application/o/freshrss/.well-known/openid-configuration
+      OIDC_X_FORWARDED_HEADERS: X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host
+      OIDC_SCOPES: openid email profile
+      OIDC_REMOTE_USER_CLAIM: preferred_username
+    envFrom:
+      - secretRef:
+          name: freshrss-oidc-secret
+  ingress:
+    enabled: true
+    className: traefik
+    annotations:
+      traefik.ingress.kubernetes.io/router.entrypoints: websecure
+      traefik.ingress.kubernetes.io/router.tls: "true"
+      cert-manager.io/cluster-issuer: letsencrypt-issuer
+    host: rss.alexlebens.net
+  persistence:
+    config:
+      storageClassName: ceph-block
+      storageSize: 5Gi
+postgres-16-cluster:
+  mode: standalone
+  kubernetesClusterName: cl01tl
+  cluster:
+    walStorage:
+      storageClass: local-path
+    storage:
+      storageClass: local-path
+    monitoring:
+      enabled: true
+  backup:
+    enabled: true
+    endpointURL: https://s3.us-east-2.amazonaws.com
+    destinationPath: s3://cl01tl-postgresql-backups/freshrss
+    endpointCredentials: freshrss-postgresql-16-cluster-backup-secret
+    backupIndex: 1
+    retentionPolicy: 14d