diff --git a/clusters/cl01tl/applications/freshrss/Chart.yaml b/clusters/cl01tl/applications/freshrss/Chart.yaml
new file mode 100644
index 000000000..8d0556121
--- /dev/null
+++ b/clusters/cl01tl/applications/freshrss/Chart.yaml
@@ -0,0 +1,33 @@
+apiVersion: v2
+name: freshrss
+version: 1.0.0
+description: FreshRSS
+keywords:
+ - freshrss
+ - rss
+home: https://wiki.alexlebens.dev/doc/freshrss-W6nFVTmKJw
+sources:
+ - https://github.com/FreshRSS/FreshRSS
+ - https://github.com/cloudflare/cloudflared
+ - https://github.com/cloudnative-pg/cloudnative-pg
+ - https://hub.docker.com/r/freshrss/freshrss
+ - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
+ - https://github.com/alexlebens/helm-charts/tree/main/charts/cloudflared
+ - https://github.com/alexlebens/helm-charts/tree/main/charts/postgres-cluster
+maintainers:
+ - name: alexlebens
+dependencies:
+ - name: app-template
+ alias: freshrss
+ repository: https://bjw-s.github.io/helm-charts/
+ version: 3.7.1
+ - name: cloudflared
+ alias: cloudflared
+ repository: http://alexlebens.github.io/helm-charts
+ version: 1.14.0
+ - name: postgres-cluster
+ alias: postgres-17-cluster
+ version: 4.2.0
+ repository: http://alexlebens.github.io/helm-charts
+icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/freshrss.png
+appVersion: 1.24.3
diff --git a/clusters/cl01tl/applications/freshrss/templates/external-secret.yaml b/clusters/cl01tl/applications/freshrss/templates/external-secret.yaml
new file mode 100644
index 000000000..d905dfadc
--- /dev/null
+++ b/clusters/cl01tl/applications/freshrss/templates/external-secret.yaml
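Review bot: Two of the three chart dependencies are fetched over plain HTTP (`repository: http://alexlebens.github.io/helm-charts` for both `cloudflared` and `postgres-cluster`) while the bjw-s entry in the same hunk uses HTTPS; a cleartext index and tarball fetch lets an on-path attacker substitute chart contents, and GitHub Pages serves HTTPS, so both should read `repository: https://alexlebens.github.io/helm-charts`. Separately, `appVersion: 1.24.3` does not match the `tag: 1.26.0` the values file in this commit pins for the freshrss image, so the `app.kubernetes.io/version` label the templates stamp from `.Chart.AppVersion` will misreport the running version; set `appVersion: 1.26.0` or derive the image tag from it.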
@@ -0,0 +1,192 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: freshrss-install-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: freshrss-install-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: web
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: ADMIN_EMAIL
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/freshrss/config
+ metadataPolicy: None
+ property: ADMIN_EMAIL
+ - secretKey: ADMIN_PASSWORD
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/freshrss/config
+ metadataPolicy: None
+ property: ADMIN_PASSWORD
+ - secretKey: ADMIN_API_PASSWORD
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/freshrss/config
+ metadataPolicy: None
+ property: ADMIN_API_PASSWORD
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: freshrss-oidc-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ .Release.Name }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: web
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: OIDC_CLIENT_ID
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /authentik/oidc/freshrss
+ metadataPolicy: None
+ property: client
+ - secretKey: OIDC_CLIENT_SECRET
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /authentik/oidc/freshrss
+ metadataPolicy: None
+ property: secret
+ - secretKey: OIDC_CLIENT_CRYPTO_KEY
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /authentik/oidc/freshrss
+ metadataPolicy: None
+ property: crypto-key
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: freshrss-cloudflared-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: freshrss-cloudflared-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: web
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: cf-tunnel-token
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cloudflare/tunnels/freshrss
+ metadataPolicy: None
+ property: token
+
+# ---
+# apiVersion: external-secrets.io/v1beta1
+# kind: ExternalSecret
+# metadata:
+# name: freshrss-data-backup-secret
+# namespace: {{ .Release.Namespace }}
+# labels:
+# app.kubernetes.io/name: freshrss-data-backup-secret
+# app.kubernetes.io/instance: {{ .Release.Name }}
+# app.kubernetes.io/version: {{ .Chart.AppVersion }}
+# app.kubernetes.io/component: backup
+# app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+# secretStoreRef:
+# kind: ClusterSecretStore
+# name: vault
+# target:
+# template:
+# mergePolicy: Merge
+# engineVersion: v2
+# data:
+# RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/freshrss/freshrss-data"
+# data:
+# - secretKey: BUCKET_ENDPOINT
+# remoteRef:
+# conversionStrategy: Default
+# decodingStrategy: None
+# key: /cl01tl/volsync/restic/config
+# metadataPolicy: None
+# property: S3_BUCKET_ENDPOINT
+# - secretKey: RESTIC_PASSWORD
+# remoteRef:
+# conversionStrategy: Default
+# decodingStrategy: None
+# key: /cl01tl/volsync/restic/config
+# metadataPolicy: None
+# property: RESTIC_PASSWORD
+# - secretKey: AWS_DEFAULT_REGION
+# remoteRef:
+# conversionStrategy: Default
+# decodingStrategy: None
+# key: /cl01tl/volsync/restic/config
+# metadataPolicy: None
+# property: AWS_DEFAULT_REGION
+# - secretKey: AWS_ACCESS_KEY_ID
+# remoteRef:
+# conversionStrategy: Default
+# decodingStrategy: None
+# key: /digital-ocean/home-infra/volsync-backups
+# metadataPolicy: None
+# property: access_key
+# - secretKey: AWS_SECRET_ACCESS_KEY
+# remoteRef:
+# conversionStrategy: Default
+# decodingStrategy: None
+# key: /digital-ocean/home-infra/volsync-backups
+# metadataPolicy: None
+# property: secret_key
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: freshrss-postgresql-17-cluster-backup-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: freshrss-postgresql-17-cluster-backup-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: database
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: ACCESS_KEY_ID
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /digital-ocean/home-infra/postgres-backups
+ metadataPolicy: None
+ property: access
+ - secretKey: ACCESS_SECRET_KEY
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /digital-ocean/home-infra/postgres-backups
+ metadataPolicy: None
+ property: secret
diff --git a/clusters/cl01tl/applications/freshrss/templates/replication-source.yaml b/clusters/cl01tl/applications/freshrss/templates/replication-source.yaml
new file mode 100644
index 000000000..1145aad49
--- /dev/null
+++ b/clusters/cl01tl/applications/freshrss/templates/replication-source.yaml
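Review bot: The commented-out `freshrss-data-backup-secret` document still contains live Helm actions (`{{ .Release.Namespace }}`, `{{ .Chart.AppVersion }}`, `{{ .Release.Name }}` and the nested `{{ `{{ .BUCKET_ENDPOINT }}` }}`); Helm evaluates template actions before the YAML parser ever sees the leading `#`, so the block is not actually disabled at render time and any future edit that breaks an action in it will fail rendering of the whole file. Wrap the block in a Go-template comment, `{{- /*` … `*/ -}}`, or remove it until the VolSync backup is re-enabled. Also, `freshrss-oidc-secret` sets `app.kubernetes.io/name: {{ .Release.Name }}` while the other three ExternalSecrets in this file use their own resource name; for consistent labelling it should be `app.kubernetes.io/name: freshrss-oidc-secret`.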
@@ -0,0 +1,37 @@
+# apiVersion: volsync.backube/v1alpha1
+# kind: ReplicationSource
+# metadata:
+# name: freshrss-data-backup-source
+# namespace: {{ .Release.Namespace }}
+# labels:
+# app.kubernetes.io/name: freshrss-data-backup-source
+# app.kubernetes.io/instance: {{ .Release.Name }}
+# app.kubernetes.io/version: {{ .Chart.AppVersion }}
+# app.kubernetes.io/component: backup
+# app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+# sourcePVC: freshrss-data
+# trigger:
+# schedule: 0 0 */3 * *
+# restic:
+# pruneIntervalDays: 14
+# repository: freshrss-data-backup-secret
+# retain:
+# hourly: 1
+# daily: 1
+# weekly: 1
+# monthly: 2
+# yearly: 4
+# moverSecurityContext:
+# runAsUser: 568
+# runAsGroup: 568
+# fsGroup: 568
+# fsGroupChangePolicy: OnRootMismatch
+# supplementalGroups:
+# - 44
+# - 100
+# - 109
+# - 65539
+# copyMethod: Snapshot
+# storageClassName: ceph-block
+# volumeSnapshotClassName: ceph-blockpool-snapshot
diff --git a/clusters/cl01tl/applications/freshrss/values.yaml b/clusters/cl01tl/applications/freshrss/values.yaml
new file mode 100644
index 000000000..5df51f95a
--- /dev/null
+++ b/clusters/cl01tl/applications/freshrss/values.yaml
@@ -0,0 +1,192 @@
+freshrss:
+ controllers:
+ main:
+ type: deployment
+ replicas: 1
+ strategy: Recreate
+ revisionHistoryLimit: 3
+ initContainers:
+ init-download-extension-1:
+ securityContext:
+ runAsUser: 0
+ image:
+ repository: alpine
+ tag: 3.21.3
+ pullPolicy: IfNotPresent
+ command:
+ - /bin/sh
+ - -ec
+ - |
+ apk add --no-cache git;
+ cd /tmp;
+ git clone -n --depth=1 --filter=tree:0 https://github.com/cn-tools/cntools_FreshRssExtensions.git;
+ cd cntools_FreshRssExtensions;
+ git sparse-checkout set --no-cone /xExtension-YouTubeChannel2RssFeed;
+ git checkout;
+ rm -rf /var/www/FreshRSS/extensions/xExtension-YouTubeChannel2RssFeed
+ cp -r xExtension-YouTubeChannel2RssFeed /var/www/FreshRSS/extensions
+ chown -R 568:568 /var/www/FreshRSS/extensions/xExtension-YouTubeChannel2RssFeed
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ init-download-extension-2:
+ securityContext:
+ runAsUser: 0
+ image:
+ repository: alpine
+ tag: 3.21.3
+ pullPolicy: IfNotPresent
+ command:
+ - /bin/sh
+ - -ec
+ - |
+ apk add --no-cache git;
+ cd /tmp;
+ git clone -n --depth=1 --filter=tree:0 https://github.com/FreshRSS/Extensions.git;
+ cd Extensions;
+ git sparse-checkout set --no-cone /xExtension-ImageProxy;
+ git checkout;
+ rm -rf /var/www/FreshRSS/extensions/xExtension-ImageProxy
+ cp -r xExtension-ImageProxy /var/www/FreshRSS/extensions
+ chown -R 568:568 /var/www/FreshRSS/extensions/xExtension-YouTubeChannel2RssFeed
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ containers:
+ main:
+ image:
+ repository: freshrss/freshrss
+ tag: 1.26.0
+ pullPolicy: IfNotPresent
+ env:
+ - name: PGID
+ value: "568"
+ - name: PUID
+ value: "568"
+ - name: TZ
+ value: US/Central
+ - name: FRESHRSS_ENV
+ value: production
+ - name: CRON_MIN
+ value: 13,43
+ - name: BASE_URL
+ value: https://rss.alexlebens.dev
+ - name: DB_HOST
+ valueFrom:
+ secretKeyRef:
+ name: freshrss-postgresql-17-cluster-app
+ key: host
+ - name: DB_BASE
+ valueFrom:
+ secretKeyRef:
+ name: freshrss-postgresql-17-cluster-app
+ key: dbname
+ - name: DB_USER
+ valueFrom:
+ secretKeyRef:
+ name: freshrss-postgresql-17-cluster-app
+ key: user
+ - name: DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: freshrss-postgresql-17-cluster-app
+ key: password
+ - name: FRESHRSS_INSTALL
+ value: |
+ --api-enabled
+ --base-url $(BASE_URL)
+ --db-base $(DB_BASE)
+ --db-host $(DB_HOST)
+ --db-password $(DB_PASSWORD)
+ --db-type pgsql
+ --db-user $(DB_USER)
+ --auth-type http_auth
+ --default-user admin
+ --language en
+ - name: FRESHRSS_USER
+ value: |
+ --api-password $(ADMIN_API_PASSWORD)
+ --email $(ADMIN_EMAIL)
+ --language en
+ --password $(ADMIN_PASSWORD)
+ --user admin
+ - name: OIDC_ENABLED
+ value: 1
+ - name: OIDC_PROVIDER_METADATA_URL
+ value: https://auth.alexlebens.dev/application/o/freshrss/.well-known/openid-configuration
+ - name: OIDC_X_FORWARDED_HEADERS
+ value: X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host
+ - name: OIDC_SCOPES
+ value: openid email profile
+ - name: OIDC_REMOTE_USER_CLAIM
+ value: preferred_username
+ envFrom:
+ - secretRef:
+ name: freshrss-oidc-secret
+ - secretRef:
+ name: freshrss-install-secret
+ resources:
+ requests:
+ cpu: 10m
+ memory: 128Mi
+ serviceAccount:
+ create: true
+ service:
+ main:
+ controller: main
+ ports:
+ http:
+ port: 80
+ targetPort: 80
+ protocol: HTTP
+ persistence:
+ data:
+ storageClass: ceph-block
+ accessMode: ReadWriteOnce
+ size: 5Gi
+ retain: true
+ advancedMounts:
+ main:
+ main:
+ - path: /var/www/FreshRSS/data
+ readOnly: false
+ extensions:
+ storageClass: ceph-block
+ accessMode: ReadWriteOnce
+ size: 1Gi
+ retain: true
+ advancedMounts:
+ main:
+ init-download-extension-1:
+ - path: /var/www/FreshRSS/extensions
+ readOnly: false
+ init-download-extension-2:
+ - path: /var/www/FreshRSS/extensions
+ readOnly: false
+ main:
+ - path: /var/www/FreshRSS/extensions
+ readOnly: false
+cloudflared:
+ existingSecretName: freshrss-cloudflared-secret
+postgres-17-cluster:
+ mode: recovery
+ cluster:
+ walStorage:
+ storageClass: local-path
+ storage:
+ storageClass: local-path
+ monitoring:
+ enabled: true
+ recovery:
+ endpointURL: https://nyc3.digitaloceanspaces.com
+ destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/freshrss/freshrss-postgresql-17-cluster
+ endpointCredentials: freshrss-postgresql-17-cluster-backup-secret
+ recoveryIndex: 3
+ backup:
+ enabled: false
+ endpointURL: https://nyc3.digitaloceanspaces.com
+ destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/freshrss/freshrss-postgresql-17-cluster
+ endpointCredentials: freshrss-postgresql-17-cluster-backup-secret
+ backupIndex: 3
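Review bot: Both init containers run as root (`runAsUser: 0`) and, on every pod start, `git clone` the default branch of a third-party GitHub repository and copy whatever it currently holds into `/var/www/FreshRSS/extensions`, where it is loaded as PHP by the app container; nothing pins a commit or verifies the content, so a compromised or force-pushed upstream becomes code execution inside the pod. Pin each clone to a reviewed commit, e.g. replace the bare `git checkout;` with `git fetch --depth=1 origin <reviewed-sha>; git checkout <reviewed-sha>;`, or vendor the two extensions into the chart. The second script also has a copy-paste slip: its last line chowns the YouTube extension again, leaving `xExtension-ImageProxy` root-owned on the shared PVC; it should read `chown -R 568:568 /var/www/FreshRSS/extensions/xExtension-ImageProxy`. `OIDC_ENABLED` is given as the bare number `1`, but a Kubernetes env `value` must be a string, so unless app-template stringifies it the rendered manifest is rejected — write `value: "1"` as the `PUID`/`PGID` entries already do. Note too that `FRESHRSS_INSTALL` and `FRESHRSS_USER` splice `$(DB_PASSWORD)`, `$(ADMIN_PASSWORD)` and `$(ADMIN_API_PASSWORD)` into CLI argument strings, presumably handed to the install CLI by the image entrypoint, so those secrets are briefly visible in the container's process list as well as its environment.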