diff --git a/apps/freshrss.yaml b/apps/freshrss.yaml
new file mode 100644
index 0000000..95b4ff4
--- /dev/null
+++ b/apps/freshrss.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: freshrss
+  namespace: argocd
+spec:
+  project: default
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: freshrss
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: false
+    syncOptions:
+      - CreateNamespace=true
+  source:
+    repoURL: https://github.com/zoriya/snow
+    targetRevision: HEAD
+    path: charts/freshrss
diff --git a/apps/postgres/cluster.yaml b/apps/postgres/cluster.yaml
index 595d84f..47fc01e 100644
--- a/apps/postgres/cluster.yaml
+++ b/apps/postgres/cluster.yaml
@@ -46,3 +46,6 @@ spec:
       - name: kyoo
         login: true
         disablePastword: true
+      - name: freshrss
+        login: true
+        disablePassword: true
diff --git a/charts/freshrss/database.yaml b/charts/freshrss/database.yaml
new file mode 100644
index 0000000..6212f3c
--- /dev/null
+++ b/charts/freshrss/database.yaml
@@ -0,0 +1,37 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+  name: freshrss-db
+  namespace: postgres
+spec:
+  name: freshrss
+  owner: freshrss
+  cluster:
+    name: postgres-cluster
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: postgres-freshrss
+spec:
+  secretName: postgres-freshrss
+  usages:
+    - client auth
+  commonName: freshrss
+  issuerRef:
+    name: postgres-ca
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: freshrss-config
+data:
+  config.custom.php: |
+    [
+      'connection_uri_params' => 'sslmode=verify-full;sslcert=/pg/tls.crt;sslkey=/pg/tls.key;sslrootcert=/pg/ca.crt',
+    ],
+    ];
diff --git a/charts/freshrss/deploy.yaml b/charts/freshrss/deploy.yaml
new file mode 100644
index 0000000..d68a45e
--- /dev/null
+++ b/charts/freshrss/deploy.yaml
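Review bot: `targetRevision: HEAD` combined with `automated: prune: true` applies whatever is at the tip of the default branch of github.com/zoriya/snow to the cluster with no human gate, and prunes resources that disappear from it, so a force-push or a compromised contributor account on that repository changes the cluster directly. Pin at least a branch (`targetRevision: main`) and prefer a tag or commit SHA for anything that is exposed through an Ingress, as this app is. `project: default` also leaves source repos and destinations unrestricted; a dedicated AppProject scoped to this repo path and the `freshrss` namespace would bound the blast radius of a bad sync. If HEAD is a deliberate single-admin-homelab choice, a one-line comment above it saying so would stop the next reader from "fixing" it.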
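Review bot: The new `freshrss` role is login-enabled with `disablePassword: true`, so its only credential is the client certificate whose CN is `freshrss` in the Certificate added elsewhere in this commit; that coupling is invisible here and deserves a comment on the entry, `# cert-auth only: CN of the postgres-freshrss Certificate must equal this role name`. Whether a certificate is actually accepted depends on the cluster's `pg_hba` allowing `cert` (or CNPG's default rules) for this role, which this hunk does not show — worth confirming once before relying on it. The neighbouring context line `disablePastword: true` for the `kyoo` role is a typo for `disablePassword`; if the CNPG CRD prunes unknown fields that role's password setting is silently not applied, so it is worth a follow-up fix even though it is not part of this change. The enclosing `managed.roles` list starts outside the hunk.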
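Review bot: The `Certificate` has no `privateKey.rotationPolicy`, so cert-manager's default (`Never`) reuses the same private key on every renewal for the lifetime of the Secret; for a client key that authenticates a database role set `privateKey: { rotationPolicy: Always }` so that each 90-day renewal also replaces the key. The `Certificate` and `ConfigMap` carry no `namespace` while the `Database` is pinned to `postgres`; they will land in whatever the Argo destination assigns (`freshrss`), which is what the Deployment's Secret mount expects, but an explicit `namespace: freshrss` on both, or a `namespace:` in the kustomization, would make the split deliberate rather than accidental. As rendered here the `config.custom.php` body starts with a bare `[`, so the `<?php return [ 'db' => [` prefix appears to have been lost in this view; if the committed file really lacks it FreshRSS will not load the override and the `sslmode=verify-full` parameters will only come from the `PGSSL*` environment, so please double-check the file in the repository. The renewed Secret files are picked up only when libpq opens a new connection, which is fine as long as FreshRSS is not configured for persistent PDO connections — a short comment stating that assumption would help the next operator.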
@@ -0,0 +1,97 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: freshrss
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: freshrss
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: freshrss
+    spec:
+      containers:
+        - name: freshrss
+          image: docker.io/freshrss/freshrss:1.28.1
+          env:
+            - name: TZ
+              value: UTC
+            - name: CRON_MIN
+              value: "1,31"
+            - name: BASE_URL
+              value: https://freshrss.sdg.moe
+            - name: LISTEN
+              value: "8080"
+            - name: PGSSLMODE
+              value: verify-full
+            - name: PGSSLCERT
+              value: /pg/tls.crt
+            - name: PGSSLKEY
+              value: /pg/tls.key
+            - name: PGSSLROOTCERT
+              value: /pg/ca.crt
+            - name: FRESHRSS_INSTALL
+              value: --api-enabled --auth-type http_auth --db-base freshrss --db-host postgres-cluster-rw.postgres --db-type pgsql --db-user freshrss --default-user admin --language en
+            - name: OIDC_ENABLED
+              value: "1"
+            - name: OIDC_PROVIDER_METADATA_URL
+              value: https://authentik.sdg.moe/application/o/freshrss/.well-known/openid-configuration
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: freshrss-oidc
+                  key: clientId
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: freshrss-oidc
+                  key: clientSecret
+            - name: OIDC_CLIENT_CRYPTO_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: freshrss-oidc-crypto
+                  key: key
+            - name: OIDC_SCOPES
+              value: openid profile email
+            - name: OIDC_REMOTE_USER_CLAIM
+              value: preferred_username
+            - name: OIDC_X_FORWARDED_HEADERS
+              value: X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto
+          ports:
+            - name: http
+              containerPort: 8080
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+          volumeMounts:
+            - name: freshrss-data
+              mountPath: /var/www/FreshRSS/data
+            - name: freshrss-extensions
+              mountPath: /var/www/FreshRSS/extensions
+            - name: postgres-cert
+              mountPath: /pg
+            - name: freshrss-config
+              mountPath: /var/www/FreshRSS/data/config.custom.php
+              subPath: config.custom.php
+      volumes:
+        - name: freshrss-data
+          persistentVolumeClaim:
+            claimName: freshrss-data
+        - name: freshrss-extensions
+          persistentVolumeClaim:
+            claimName: freshrss-extensions
+        - name: postgres-cert
+          secret:
+            secretName: postgres-freshrss
+            defaultMode: 0640
+        - name: freshrss-config
+          configMap:
+            name: freshrss-config
+      securityContext:
+        fsGroup: 33
diff --git a/charts/freshrss/ingress.yaml b/charts/freshrss/ingress.yaml
new file mode 100644
index 0000000..76784f2
--- /dev/null
+++ b/charts/freshrss/ingress.yaml
@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: freshrss
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+  ingressClassName: cilium
+  rules:
+    - host: freshrss.sdg.moe
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: freshrss
+                port:
+                  number: 80
+  tls:
+    - hosts:
+        - freshrss.sdg.moe
+      secretName: freshrss-tls
diff --git a/charts/freshrss/kustomization.yaml b/charts/freshrss/kustomization.yaml
new file mode 100644
index 0000000..6402e59
--- /dev/null
+++ b/charts/freshrss/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+labels:
+- includeSelectors: true
+  pairs:
+    app.kubernetes.io/name: freshrss
+
+resources:
+- deploy.yaml
+- svc.yaml
+- ingress.yaml
+- database.yaml
+- pvc.yaml
+- oidc.yaml
diff --git a/charts/freshrss/oidc.yaml b/charts/freshrss/oidc.yaml
new file mode 100644
index 0000000..4fb84fc
--- /dev/null
+++ b/charts/freshrss/oidc.yaml
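Review bot: The container has no `securityContext` and no `resources`, so the FreshRSS process runs with the image's default privileges and can consume the node without limit; `OIDC_X_FORWARDED_HEADERS` additionally tells mod_auth_openidc to trust `X-Forwarded-Host/Port/Proto` from anything that reaches port 8080, and the ClusterIP Service makes that reachable from every pod in the cluster, so an in-cluster client can steer the OIDC redirect URI unless a NetworkPolicy restricts ingress to the Cilium ingress controller. Secrets are consumed as `secretKeyRef` env vars, which are read once at pod start; the 24h ExternalSecret refresh of `freshrss-oidc` therefore never reaches a running pod, so either mount the client secret as a file or roll the Deployment after rotating it. The `defaultMode: 0640` on `postgres-cert` only satisfies libpq's private-key check because Secret volume files are root-owned with gid `fsGroup: 33` (libpq accepts 0640 solely for root-owned keys), which is worth a comment next to `defaultMode`: `# libpq: 0640 is only accepted because the file is root-owned; www-data (33) reads via fsGroup`. Note also that the `subPath` mount of `config.custom.php` will not pick up ConfigMap changes without a pod restart, and that `--default-user admin` plus `preferred_username` as the remote-user claim means an IdP account literally named `admin` maps onto the FreshRSS admin account — presumably intended, but worth confirming at the Authentik side. I would add hardening and limits to the container like so, dropping capabilities only after checking the image's entrypoint does not need `SETUID`/`SETGID`/`CHOWN` to switch to www-data:
```yaml
      containers:
        - name: freshrss
          # … unchanged: image, env, ports, probes, volumeMounts …
          securityContext:
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
            # capabilities.drop: ["ALL"] only if the entrypoint does not setuid to www-data itself
          resources:
            requests:
              cpu: 100m
              memory: 256Mi
            limits:
              memory: 512Mi
```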
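Review bot: Nothing in this Ingress forces HTTP to HTTPS; `acme.cert-manager.io/http01-edit-in-place` keeps plain-HTTP routing on this object for the ACME challenge, and the Cilium ingress controller does not redirect by default, so a client that types `http://freshrss.sdg.moe` reaches the OIDC login flow over cleartext even though `BASE_URL` is https. Add `ingress.cilium.io/force-https: enabled` to the annotations (supported on recent Cilium releases — verify against the version in this cluster), and confirm that the Cilium ingress sets `X-Forwarded-Proto`, because the Deployment's mod_auth_openidc configuration trusts that header to build its redirect URIs. The `cert-manager.io/cluster-issuer: letsencrypt` issuer name is defined outside this chart, so the TLS secret only materialises if that ClusterIssuer exists.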
@@ -0,0 +1,30 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: freshrss-oidc
+spec:
+  refreshInterval: 24h
+  secretStoreRef:
+    name: bitwarden
+    kind: ClusterSecretStore
+  dataFrom:
+    - extract:
+        key: freshrss-sso
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: freshrss-oidc-crypto
+spec:
+  refreshPolicy: CreatedOnce
+  target:
+    template:
+      engineVersion: v2
+      data:
+        key: "{{ .password }}"
+  dataFrom:
+    - sourceRef:
+        generatorRef:
+          apiVersion: generators.external-secrets.io/v1alpha1
+          kind: ClusterGenerator
+          name: password
diff --git a/charts/freshrss/pvc.yaml b/charts/freshrss/pvc.yaml
new file mode 100644
index 0000000..93dad95
--- /dev/null
+++ b/charts/freshrss/pvc.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: freshrss-data
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: freshrss-extensions
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
diff --git a/charts/freshrss/svc.yaml b/charts/freshrss/svc.yaml
new file mode 100644
index 0000000..e76121e
--- /dev/null
+++ b/charts/freshrss/svc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: freshrss
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: freshrss
+  ports:
+    - name: http
+      port: 80
+      targetPort: http
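Review bot: `freshrss-oidc-crypto` uses `refreshPolicy: CreatedOnce`, which is the right choice for a cookie-encryption passphrase, but nothing records the consequence: deleting the generated Secret (or the ExternalSecret) produces a new key and invalidates every mod_auth_openidc session at once. A comment on the resource, `# CreatedOnce: regenerating this key logs every user out; include the Secret in namespace backups`, would save a future operator a surprise. The `password` ClusterGenerator's length and charset are defined outside this chart, so confirm it yields enough entropy for a value that is used as a symmetric key rather than a human password. The first ExternalSecret's `refreshInterval: 24h` keeps the Kubernetes Secret in step with Bitwarden, but the Deployment reads `clientId`/`clientSecret` via environment variables and will not see a rotated value until its pod is recreated; say so here or pair it with a rollout mechanism.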