diff --git a/configs/litestream.yml b/configs/litestream/vaultwarden.yml similarity index 100% rename from configs/litestream.yml rename to configs/litestream/vaultwarden.yml diff --git a/configs/litestream/wlm.yml b/configs/litestream/wlm.yml new file mode 100644 index 0000000..194d2d4 --- /dev/null +++ b/configs/litestream/wlm.yml @@ -0,0 +1,8 @@ +dbs: + - path: wlm/db.sqlite3 + replicas: + - type: sftp + host: ${LITESTREAM_USERNAME}.your-storagebox.de + user: ${LITESTREAM_USERNAME} + password: ${LITESTREAM_PASSWORD} + path: / \ No newline at end of file diff --git a/rapps/registry.yml b/rapps/registry.yml index b81f21f..2808ce3 100644 --- a/rapps/registry.yml +++ b/rapps/registry.yml @@ -13,8 +13,8 @@ spec: mountPath: "/var/lib/registry" resources: limits: - memory: "128Mi" - cpu: "500m" + memory: "256Mi" + cpu: "2" requests: memory: "64Mi" cpu: "100m" diff --git a/rapps/vaultwarden.yml b/rapps/vaultwarden.yml index 6b87aa5..924a3fe 100644 --- a/rapps/vaultwarden.yml +++ b/rapps/vaultwarden.yml @@ -1,12 +1,13 @@ apiVersion: apps/v1 -kind: Deployment +kind: StatefulSet metadata: name: vaultwarden - namespace: default spec: selector: matchLabels: app: vaultwarden + serviceName: vaultwarden + replicas: 1 template: metadata: labels: @@ -19,10 +20,6 @@ spec: - name: config configMap: name: vaultwarden - - name: data - persistentVolumeClaim: - claimName: vaultwarden-data - initContainers: - name: init-litestream image: litestream/litestream:sha-565f7a4 @@ -55,15 +52,15 @@ spec: requests: memory: "64Mi" cpu: "100m" + ports: + - containerPort: 80 + name: web volumeMounts: - name: data mountPath: /data - name: config mountPath: /data/config.json subPath: vaultwarden.json - ports: - - containerPort: 80 - - name: litestream image: litestream/litestream:sha-565f7a4 args: ['replicate'] 
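Review bot: The replica `path: /` stores this database's replica at the root of the storage box; if the renamed `configs/litestream/vaultwarden.yml` (a 100% rename, its content is not shown here) replicates to the same account with the same root path, the two databases' replica data would be interleaved in one directory and a restore of either could pick up the other's generation. A per-database prefix such as `path: /wlm` keeps the replicas separate and easy to restore by hand. The database `path: wlm/db.sqlite3` is relative to the litestream process's working directory rather than to the volume mount; an absolute `path: /wlm/db.sqlite3` removes that dependency and matches the `WLM_DATABASE_PATH` the application is given in `wlm/deployment.yml`. The file also ends without a trailing newline.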
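Review bot: `serviceName: vaultwarden` names the governing Service of the new StatefulSet, but the hunk at `@@ -94,17 +91,15 @@` in the same file deletes the only `vaultwarden` Service this file defines, so after this commit nothing selects `app: vaultwarden` on port 80 and the per-pod DNS names a StatefulSet's governing Service provides will not resolve unless the Service exists elsewhere. Either keep the Service (headless, `clusterIP: None`, if it is only meant to govern the StatefulSet) or add a headless Service for `serviceName` and a ClusterIP one for traffic. Dropping `namespace: default` is harmless on its own but leaves this file inconsistent with `wlm/deployment.yml`, which sets it explicitly on its StatefulSet.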
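Review bot: Removing the `data` volume backed by `persistentVolumeClaim.claimName: vaultwarden-data` means `/data` now comes from the `volumeClaimTemplates` entry added in the last hunk, which starts empty; the existing `vaultwarden-data` claim (a `PersistentVolumeClaim` document still appears as context at the end of the file) is orphaned together with whatever data it holds. Unless the retained `init-litestream` container's restore arguments, which are outside this hunk, are relied on to repopulate the database from the replica, a migration step is needed before the old claim is deleted, and either way the unused PVC should be removed or a comment should say why it stays. The `init-litestream` container definition continues past the end of this hunk.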
@@ -94,17 +91,15 @@ spec: requests: memory: "64Mi" cpu: "100m" ---- -apiVersion: v1 -kind: Service -metadata: - name: vaultwarden -spec: - selector: - app: vaultwarden - ports: - - port: 80 - targetPort: 80 + + volumeClaimTemplates: + - metadata: + name: data + spec: + accessModes: [ "ReadWriteOnce" ] + resources: + requests: + storage: 1Gi --- apiVersion: v1 kind: PersistentVolumeClaim diff --git a/wlm/deployment.yml b/wlm/deployment.yml new file mode 100644 index 0000000..bfdfa25 --- /dev/null +++ b/wlm/deployment.yml 
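Review bot: The new `volumeClaimTemplates` entry sets no `storageClassName`, so the claim falls back to the cluster's default StorageClass, or stays Pending if none is marked default; pinning it makes the storage backend explicit and keeps the template portable. `accessModes: [ "ReadWriteOnce" ]` with padded brackets is a style nit; block style (`- ReadWriteOnce`) or `["ReadWriteOnce"]` reads more consistently, and the same form is repeated in `wlm/deployment.yml` and `wlm/statefulset.yml`. The `PersistentVolumeClaim` document that follows continues outside the hunk.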
@@ -0,0 +1,150 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: mc-invites + namespace: default +spec: + selector: + matchLabels: + app: mc-invites + serviceName: mc-invites + template: + metadata: + labels: + app: mc-invites + spec: + volumes: + - name: litestream-config + configMap: + name: litestream + initContainers: + - name: init-litestream + image: litestream/litestream:0.3.8 + args: ['restore', '-if-db-not-exists', '-if-replica-exists', '-v', 'wlm/db.sqlite3'] + volumeMounts: + - name: data + mountPath: /wlm + - name: litestream-config + mountPath: /etc/litestream.yml + subPath: litestream-config.yml + env: + - name: LITESTREAM_USERNAME + valueFrom: + secretKeyRef: + name: litestream + key: username + - name: LITESTREAM_PASSWORD + valueFrom: + secretKeyRef: + name: litestream + key: password + + containers: + - name: backend + image: icr.gmem.ca/wlm:latest + imagePullPolicy: Always + resources: + limits: + memory: "128Mi" + cpu: "500m" + requests: + memory: "64Mi" + cpu: "100m" + volumeMounts: + - name: data + mountPath: /wlm + env: + - name: WLM_DATABASE_PATH + value: "/wlm/db.sqlite3" + - name: AZURE_OAUTH_CLIENT_ID + valueFrom: + secretKeyRef: + name: mc-invites-oauth + key: client-id + optional: false + - name: AZURE_OAUTH_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: mc-invites-oauth + key: client-secret + optional: false + ports: + - containerPort: 8080 + + - name: litestream + image: litestream/litestream:0.3.8 + args: ['replicate'] + volumeMounts: + - name: data + mountPath: /data + - name: litestream-config + mountPath: /etc/litestream.yml + subPath: litestream-config.yml + env: + - name: LITESTREAM_USERNAME + valueFrom: + secretKeyRef: + name: litestream + key: username + - name: LITESTREAM_PASSWORD + valueFrom: + secretKeyRef: + name: litestream + key: password + ports: + - name: metrics + containerPort: 9090 + resources: + limits: + memory: "128Mi" + cpu: "500m" + requests: + memory: "64Mi" + cpu: "100m" + volumeClaimTemplates: 
+ - metadata: + name: data + spec: + accessModes: [ "ReadWriteOnce" ] + resources: + requests: + storage: 2Gi +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mc-invites-frontend +spec: + selector: + matchLabels: + app: mc-invites-frontend + replicas: 1 + template: + metadata: + labels: + app: mc-invites-frontend + spec: + containers: + - name: frontend + image: icr.gmem.ca/wlm-svelte:latest + imagePullPolicy: Always + resources: + limits: + memory: "128Mi" + cpu: "500m" + requests: + memory: "64Mi" + cpu: "100m" + ports: + - containerPort: 3000 +--- +apiVersion: v1 +kind: Service +metadata: + name: mc-invites-frontend +spec: + selector: + app: mc-invites-frontend + ports: + - port: 3000 + targetPort: 3000 diff --git a/wlm/ingress.yml b/wlm/ingress.yml new file mode 100644 index 0000000..2eae216 --- /dev/null +++ b/wlm/ingress.yml @@ -0,0 +1,31 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: mc-inv-ingress + annotations: + cert-manager.io/issuer: "letsencrypt-prod" + namespace: default + +spec: + tls: + - hosts: + - mc.gmem.ca + secretName: mc-inv-tls + rules: + - host: mc.gmem.ca + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: mc-invites-frontend + port: + number: 3000 + - path: /api + pathType: Prefix + backend: + service: + name: mc-invites + port: + number: 8080 diff --git a/wlm/issuer.yml b/wlm/issuer.yml new file mode 100644 index 0000000..d28db2c --- /dev/null +++ b/wlm/issuer.yml 
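Review bot: The `litestream` sidecar mounts the `data` volume at `/data`, while the backend writes to `WLM_DATABASE_PATH=/wlm/db.sqlite3` and the init container restores into the same volume mounted at `/wlm`; the config in `configs/litestream/wlm.yml` names `wlm/db.sqlite3`, and whatever directory that resolves to it is not under `/data`, so the sidecar is watching a file the application never writes. Change the sidecar to `mountPath: /wlm` so all three containers see the database at the same path. The named `metrics` port 9090 has nothing listening behind it unless the litestream config sets `addr:`, which the config in this commit does not. Both application images are `:latest` with `imagePullPolicy: Always`, so each pod restart may run a different, unreviewed build; pin a tag or digest as is done for litestream, and align the litestream version scheme with `rapps/vaultwarden.yml` (`sha-565f7a4` there, `0.3.8` here). How `configs/litestream/wlm.yml` is loaded into the ConfigMap `litestream` under the key `litestream-config.yml` is not shown in this diff, and with two per-app files now in `configs/litestream/` a single key cannot serve both workloads.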
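Review bot: The Ingress sets no `spec.ingressClassName`, while the HTTP-01 solver in `wlm/issuer.yml` targets `class: traefik`; if the cluster has no default IngressClass these rules are never served, and if it has a non-traefik default the ACME challenge Ingress and this one can land on different controllers. Adding `ingressClassName: traefik` under `spec:` (assuming that is the class name in use) makes the pairing explicit. `/api` is forwarded to `mc-invites` port 8080 without any rewrite, which is only correct if the backend serves under the `/api` prefix itself; a one-line comment stating that would help the next reader.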
@@ -0,0 +1,20 @@ +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: letsencrypt-prod + namespace: default + +spec: + acme: + # The ACME server URL + server: https://acme-v02.api.letsencrypt.org/directory + # Email address used for ACME registration + email: mc-invites@gmem.ca + # Name of a secret used to store the ACME account private key + privateKeySecretRef: + name: letsencrypt-pro + # Enable the HTTP-01 challenge provider + solvers: + - http01: + ingress: + class: traefik \ No newline at end of file diff --git a/wlm/service.yml b/wlm/service.yml new file mode 100644 index 0000000..fb8fb44 --- /dev/null +++ b/wlm/service.yml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + name: mc-invites + namespace: default + +spec: + selector: + app: mc-invites + ports: + - port: 8080 + targetPort: 8080 + name: api + - port: 80 + targetPort: 3000 + name: frontend diff --git a/wlm/statefulset.yml b/wlm/statefulset.yml new file mode 100644 index 0000000..d69d06f --- /dev/null +++ b/wlm/statefulset.yml @@ -0,0 +1,32 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: mystatefulset +spec: + selector: + matchLabels: + app: myapp + serviceName: + replicas: 2 + template: + metadata: + labels: + app: myapp + spec: + containers: + - name: myapp + image: k8s.gcr.io/nginx-slim:0.8 + ports: + - containerPort: 80 + name: web + volumeMounts: + - name: www + mountPath: /usr/share/nginx/html + volumeClaimTemplates: + - metadata: + name: www + spec: + accessModes: [ "ReadWriteOnce" ] + resources: + requests: + storage: 1Gi
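Review bot: `privateKeySecretRef.name: letsencrypt-pro` drops the final letter of the Issuer's own name `letsencrypt-prod`; cert-manager will create a Secret under that name, but it reads as a typo and will mislead anyone looking for the ACME account key, so `name: letsencrypt-prod` is preferable. The `class:` field under `http01.ingress` is the older spelling; recent cert-manager releases also accept `ingressClassName`, matching the Ingress field, so check which form the installed version expects. The file also ends without a trailing newline.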
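Review bot: The second port entry (`port: 80`, `targetPort: 3000`, `name: frontend`) selects pods labelled `app: mc-invites`, i.e. the backend StatefulSet from `wlm/deployment.yml`, whose containers expose only 8080 and 9090; nothing in those pods listens on 3000, so the `frontend` port has no endpoints. The frontend runs in a separate Deployment labelled `app: mc-invites-frontend` and already has its own Service `mc-invites-frontend`, so drop the port-80 entry here. This Service is also the StatefulSet's `serviceName`; a governing Service is conventionally headless (`clusterIP: None`), and without that the per-pod DNS names are not created, although the ClusterIP still works for the Ingress.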
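Review bot: `serviceName:` has no value and parses as null, and the rest of the document (`mystatefulset`, `myapp`, `k8s.gcr.io/nginx-slim:0.8`, the `www` claim) is the StatefulSet example from the Kubernetes docs; if `wlm/` is applied as a directory this deploys two nginx pods with two 1Gi claims next to the real workload, and on a cluster that still requires `serviceName` it is rejected instead. Either delete the file or replace it with the intended manifest. `k8s.gcr.io` is also the legacy registry host that now redirects to `registry.k8s.io`, another sign this is unedited scaffold.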