diff --git a/kustomization.yaml b/kustomization.yaml
index 6d5c65e..023f8c6 100644
--- a/kustomization.yaml
+++ b/kustomization.yaml
@@ -11,3 +11,4 @@ resources:
 - headlamp/argocd.yaml
 - immich/argocd.yaml
 - crafty/argocd.yaml
+ - mas/argocd.yaml
diff --git a/mas/argocd.yaml b/mas/argocd.yaml
new file mode 100644
index 0000000..164b79c
--- /dev/null
+++ b/mas/argocd.yaml
@@ -0,0 +1,35 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: mas
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ sources:
+ - repoURL: https://github.com/K3S-HOME/applications.git
+ targetRevision: main
+ path: mas
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: mas
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ allowEmpty: false
+ syncOptions:
+ - CreateNamespace=true
+ - PrunePropagationPolicy=foreground
+ - PruneLast=true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
+ managedNamespaceMetadata:
+ labels:
+ goldilocks.fairwinds.com/enabled: 'true'
+ revisionHistoryLimit: 10
diff --git a/mas/deployment.yaml b/mas/deployment.yaml
new file mode 100644
index 0000000..c23d3d8
--- /dev/null
+++ b/mas/deployment.yaml
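Review bot: `project: default` in spec leaves this Application under the built-in AppProject, which places no restriction on source repositories, destination namespaces or cluster-scoped kinds, while the manifests it syncs (mas/rbac.yaml in this same commit) include ClusterRoles and ClusterRoleBindings. A dedicated AppProject with `sourceRepos` pinned to this repository, `destinations` pinned to the `mas` namespace and a `clusterResourceWhitelist` naming only the RBAC kinds would bound what a drifted or tampered manifest can create, which matters more with `prune: true` and `selfHeal: true` enabled. Whether the other Applications in this repository already share a non-default project is not visible here; if one exists, reference it instead of `default`.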
@@ -0,0 +1,83 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mas
+ labels:
+ app: mas
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: mas
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 0
+ maxSurge: 1
+ revisionHistoryLimit: 3
+ template:
+ metadata:
+ labels:
+ app: mas
+ spec:
+ hostPID: true
+ serviceAccountName: mas
+ imagePullSecrets:
+ - name: ghcr-secret
+ containers:
+ - name: mas
+ image: ghcr.io/mayne0213/mas:latest
+ imagePullPolicy: Always
+ securityContext:
+ privileged: true
+ ports:
+ - containerPort: 8000
+ name: http
+ env:
+ - name: ANTHROPIC_API_KEY
+ valueFrom:
+ secretKeyRef:
+ name: mas-api-keys
+ key: anthropic-api-key
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: postgresql-password
+ key: password
+ - name: CHAINLIT_DATABASE_URL
+ value: "postgresql://bluemayne:$(POSTGRES_PASSWORD)@postgresql-rw.postgresql.svc.cluster.local:5432/mas"
+ - name: DATABASE_URL
+ value: "postgresql://bluemayne:$(POSTGRES_PASSWORD)@postgresql-rw.postgresql.svc.cluster.local:5432/mas"
+ - name: POSTGRES_HOST
+ value: "postgresql-rw.postgresql.svc.cluster.local"
+ - name: POSTGRES_PORT
+ value: "5432"
+ - name: POSTGRES_USER
+ value: "bluemayne"
+ - name: GITEA_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: mas-api-keys
+ key: gitea-token
+ optional: true
+ - name: REDIS_URL
+ value: "redis://redis:6379/0"
+ resources:
+ requests:
+ memory: 256Mi
+ cpu: 100m
+ limits:
+ memory: 1Gi
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 8000
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 8000
+ initialDelaySeconds: 10
+ periodSeconds: 5
+ restartPolicy: Always
diff --git a/mas/external-secret.yaml b/mas/external-secret.yaml
new file mode 100644
index 0000000..b1626ee
--- /dev/null
+++ b/mas/external-secret.yaml
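Review bot: `hostPID: true` on the pod and `privileged: true` in the container securityContext give this workload unrestricted access to the node, yet nothing else in the manifest (an HTTP server on 8000 talking to Postgres, Redis and an external API) indicates why, and with the cluster-wide write ClusterRole bound to the same `mas` ServiceAccount in rbac.yaml any application bug becomes a node- and cluster-level problem. Unless a documented requirement exists, drop `hostPID` and replace the securityContext with a restrictive one (no privilege escalation, all capabilities dropped, non-root, default seccomp), adding back a single capability only when a specific need is recorded next to it. Two smaller points: the `$(POSTGRES_PASSWORD)` references in CHAINLIT_DATABASE_URL and DATABASE_URL expand only because POSTGRES_PASSWORD is declared earlier in `env`, which deserves a comment such as `# POSTGRES_PASSWORD must stay above the *_URL entries: $(VAR) expansion only sees earlier variables`; and `image: ...:latest` with `imagePullPolicy: Always` turns every restart into a potential silent upgrade, so pin a tag or digest.
```yaml
    spec:
      # hostPID removed: nothing in this workload needs visibility of node processes
      serviceAccountName: mas
      # … unchanged: imagePullSecrets …
      containers:
        - name: mas
          image: ghcr.io/mayne0213/mas:latest  # TODO pin to an immutable tag or digest
          imagePullPolicy: Always
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
            runAsNonRoot: true  # TODO confirm the image does not run as root; otherwise set runAsUser
            seccompProfile:
              type: RuntimeDefault
            capabilities:
              drop: ["ALL"]
          # … unchanged: ports, env, resources, probes …
```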
@@ -0,0 +1,39 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: mas-api-keys
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-backend
+ target:
+ name: mas-api-keys
+ creationPolicy: Owner
+ data:
+ - secretKey: anthropic-api-key
+ remoteRef:
+ key: mas/api-keys
+ property: ANTHROPIC_API_KEY
+ - secretKey: gitea-token
+ remoteRef:
+ key: mas/api-keys
+ property: GITEA_TOKEN
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: postgresql-password
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-backend
+ target:
+ name: postgresql-password
+ creationPolicy: Owner
+ data:
+ - secretKey: password
+ remoteRef:
+ key: databases/postgresql
+ property: PASSWORD
diff --git a/mas/ingress.yaml b/mas/ingress.yaml
new file mode 100644
index 0000000..13b2d19
--- /dev/null
+++ b/mas/ingress.yaml
@@ -0,0 +1,35 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: mas-ingress
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ traefik.ingress.kubernetes.io/router.middlewares: authelia-authelia@kubernetescrd
+spec:
+ ingressClassName: traefik
+ tls:
+ - hosts:
+ - mas0213.kro.kr
+ - www.mas0213.kro.kr
+ secretName: mas-tls
+ rules:
+ - host: mas0213.kro.kr
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: mas
+ port:
+ number: 8000
+ - host: www.mas0213.kro.kr
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: mas
+ port:
+ number: 8000
diff --git a/mas/kustomization.yaml b/mas/kustomization.yaml
new file mode 100644
index 0000000..9c60046
--- /dev/null
+++ b/mas/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: mas
+resources:
+- deployment.yaml
+- service.yaml
+- ingress.yaml
+- external-secret.yaml
+- rbac.yaml
diff --git a/mas/rbac.yaml b/mas/rbac.yaml
new file mode 100644
index 0000000..be2baa0
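Review bot: The `gitea-token` entry in the `mas-api-keys` ExternalSecret is a required data item, so if the `mas/api-keys` entry has no `GITEA_TOKEN` property the ExternalSecret as a whole fails to sync and `anthropic-api-key` is never materialised either, which silently defeats the `optional: true` the Deployment places on its GITEA_TOKEN env var. If the token really is optional, either move it into its own ExternalSecret or guarantee the property exists in the store, and record the coupling with a comment like `# every data entry here is required; one missing property blocks the whole Secret`. Separately, `postgresql-password` pulls `databases/postgresql`/PASSWORD, which looks like the shared credential for the `postgresql-rw` instance rather than one scoped to the `mas` database; a per-application database role with its own secret path would limit what this namespace can reach if the pod is compromised.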
--- /dev/null
+++ b/mas/rbac.yaml
@@ -0,0 +1,109 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: mas
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: mas-viewer
+rules:
+- apiGroups: [""]
+ resources:
+ - pods
+ - pods/log
+ - services
+ - endpoints
+ - namespaces
+ - nodes
+ - persistentvolumeclaims
+ - configmaps
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["apps"]
+ resources:
+ - deployments
+ - statefulsets
+ - daemonsets
+ - replicasets
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["batch"]
+ resources:
+ - jobs
+ - cronjobs
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["networking.k8s.io"]
+ resources:
+ - ingresses
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["argoproj.io"]
+ resources:
+ - applications
+ verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+ resources:
+ - pods/status
+ - services/status
+ verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: mas-viewer-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: mas-viewer
+subjects:
+- kind: ServiceAccount
+ name: mas
+ namespace: mas
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: mas-writer
+rules:
+- apiGroups: [""]
+ resources:
+ - pods
+ - services
+ - configmaps
+ - secrets
+ verbs: ["create", "update", "patch", "delete"]
+- apiGroups: ["apps"]
+ resources:
+ - deployments
+ - statefulsets
+ - daemonsets
+ - replicasets
+ verbs: ["create", "update", "patch", "delete"]
+- apiGroups: ["networking.k8s.io"]
+ resources:
+ - ingresses
+ verbs: ["create", "update", "patch", "delete"]
+- apiGroups: ["batch"]
+ resources:
+ - jobs
+ - cronjobs
+ verbs: ["create", "update", "patch", "delete"]
+- apiGroups: [""]
+ resources:
+ - namespaces
+ verbs: ["create", "update", "patch"]
+- apiGroups: ["argoproj.io"]
+ resources:
+ - applications
+ verbs: ["create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: mas-writer-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: mas-writer
+subjects:
+- kind: ServiceAccount
+ name: mas
+ namespace: mas
diff --git a/mas/service.yaml b/mas/service.yaml
new file mode 100644
index 0000000..844fa86
--- /dev/null
+++ b/mas/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: mas
+ labels:
+ app: mas
+spec:
+ type: ClusterIP
+ ports:
+ - port: 8000
+ targetPort: 8000
+ protocol: TCP
+ name: http
+ selector:
+ app: mas
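Review bot: `mas-writer` is a ClusterRole, bound cluster-wide through `mas-writer-binding`, that lets the `mas` ServiceAccount create, update, patch and delete `secrets`, `pods`, `deployments`, `namespaces` and Argo CD `applications` in every namespace, and the pod carrying that token runs privileged with `hostPID` (deployment.yaml in this commit); `mas-viewer` likewise reads `nodes`, `namespaces`, `configmaps` and `pods/log` across the cluster. Nothing in the commit says the application manages objects outside its own namespace, so the write rules should become a Role plus RoleBinding in `mas`, with `secrets` and `namespaces` dropped unless a concrete use is recorded beside the rule; if it must touch Argo CD `applications`, a RoleBinding in the `argocd` namespace limited to the verbs actually used is far narrower than a cluster-wide grant. A short comment at the top of the file recording which API calls the application makes would make the scope reviewable, e.g. `# mas calls the Kubernetes API for: <fill in from the application code>` (placeholder).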