FEAT(mas): add multi-agent system application

- ArgoCD Application for mas namespace
- Deployment with privileged container, hostPID for K8s access
- RBAC: ServiceAccount, ClusterRoles (viewer/writer)
- ExternalSecrets for API keys and PostgreSQL password
- Ingress at mas0213.kro.kr with Authelia SSO

kustomization.yaml

@@ -11,3 +11,4 @@ resources:
   - headlamp/argocd.yaml
   - immich/argocd.yaml
   - crafty/argocd.yaml
+  - mas/argocd.yaml

mas/argocd.yaml

@@ -0,0 +1,35 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: mas
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  sources:
+  - repoURL: https://github.com/K3S-HOME/applications.git
+    targetRevision: main
+    path: mas
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: mas
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - PrunePropagationPolicy=foreground
+    - PruneLast=true
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m
+    managedNamespaceMetadata:
+      labels:
+        goldilocks.fairwinds.com/enabled: 'true'
+  revisionHistoryLimit: 10

mas/deployment.yaml

@@ -0,0 +1,83 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mas
+  labels:
+    app: mas
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mas
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 0
+      maxSurge: 1
+  revisionHistoryLimit: 3
+  template:
+    metadata:
+      labels:
+        app: mas
+    spec:
+      hostPID: true
+      serviceAccountName: mas
+      imagePullSecrets:
+      - name: ghcr-secret
+      containers:
+      - name: mas
+        image: ghcr.io/mayne0213/mas:latest
+        imagePullPolicy: Always
+        securityContext:
+          privileged: true
+        ports:
+        - containerPort: 8000
+          name: http
+        env:
+        - name: ANTHROPIC_API_KEY
+          valueFrom:
+            secretKeyRef:
+              name: mas-api-keys
+              key: anthropic-api-key
+        - name: POSTGRES_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: postgresql-password
+              key: password
+        - name: CHAINLIT_DATABASE_URL
+          value: "postgresql://bluemayne:$(POSTGRES_PASSWORD)@postgresql-rw.postgresql.svc.cluster.local:5432/mas"
+        - name: DATABASE_URL
+          value: "postgresql://bluemayne:$(POSTGRES_PASSWORD)@postgresql-rw.postgresql.svc.cluster.local:5432/mas"
+        - name: POSTGRES_HOST
+          value: "postgresql-rw.postgresql.svc.cluster.local"
+        - name: POSTGRES_PORT
+          value: "5432"
+        - name: POSTGRES_USER
+          value: "bluemayne"
+        - name: GITEA_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: mas-api-keys
+              key: gitea-token
+              optional: true
+        - name: REDIS_URL
+          value: "redis://redis:6379/0"
+        resources:
+          requests:
+            memory: 256Mi
+            cpu: 100m
+          limits:
+            memory: 1Gi
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 8000
+          initialDelaySeconds: 30
+          periodSeconds: 10
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 8000
+          initialDelaySeconds: 10
+          periodSeconds: 5
+      restartPolicy: Always

mas/external-secret.yaml

@@ -0,0 +1,39 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: mas-api-keys
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-backend
+  target:
+    name: mas-api-keys
+    creationPolicy: Owner
+  data:
+  - secretKey: anthropic-api-key
+    remoteRef:
+      key: mas/api-keys
+      property: ANTHROPIC_API_KEY
+  - secretKey: gitea-token
+    remoteRef:
+      key: mas/api-keys
+      property: GITEA_TOKEN
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: postgresql-password
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-backend
+  target:
+    name: postgresql-password
+    creationPolicy: Owner
+  data:
+  - secretKey: password
+    remoteRef:
+      key: databases/postgresql
+      property: PASSWORD

mas/ingress.yaml

@@ -0,0 +1,35 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: mas-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    traefik.ingress.kubernetes.io/router.middlewares: authelia-authelia@kubernetescrd
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - mas0213.kro.kr
+    - www.mas0213.kro.kr
+    secretName: mas-tls
+  rules:
+  - host: mas0213.kro.kr
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: mas
+            port:
+              number: 8000
+  - host: www.mas0213.kro.kr
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: mas
+            port:
+              number: 8000

mas/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: mas
+resources:
+- deployment.yaml
+- service.yaml
+- ingress.yaml
+- external-secret.yaml
+- rbac.yaml

mas/rbac.yaml

@@ -0,0 +1,109 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: mas
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: mas-viewer
+rules:
+- apiGroups: [""]
+  resources:
+  - pods
+  - pods/log
+  - services
+  - endpoints
+  - namespaces
+  - nodes
+  - persistentvolumeclaims
+  - configmaps
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["apps"]
+  resources:
+  - deployments
+  - statefulsets
+  - daemonsets
+  - replicasets
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["batch"]
+  resources:
+  - jobs
+  - cronjobs
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["networking.k8s.io"]
+  resources:
+  - ingresses
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["argoproj.io"]
+  resources:
+  - applications
+  verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+  resources:
+  - pods/status
+  - services/status
+  verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: mas-viewer-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: mas-viewer
+subjects:
+- kind: ServiceAccount
+  name: mas
+  namespace: mas
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: mas-writer
+rules:
+- apiGroups: [""]
+  resources:
+  - pods
+  - services
+  - configmaps
+  - secrets
+  verbs: ["create", "update", "patch", "delete"]
+- apiGroups: ["apps"]
+  resources:
+  - deployments
+  - statefulsets
+  - daemonsets
+  - replicasets
+  verbs: ["create", "update", "patch", "delete"]
+- apiGroups: ["networking.k8s.io"]
+  resources:
+  - ingresses
+  verbs: ["create", "update", "patch", "delete"]
+- apiGroups: ["batch"]
+  resources:
+  - jobs
+  - cronjobs
+  verbs: ["create", "update", "patch", "delete"]
+- apiGroups: [""]
+  resources:
+  - namespaces
+  verbs: ["create", "update", "patch"]
+- apiGroups: ["argoproj.io"]
+  resources:
+  - applications
+  verbs: ["create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: mas-writer-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: mas-writer
+subjects:
+- kind: ServiceAccount
+  name: mas
+  namespace: mas

mas/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: mas
+  labels:
+    app: mas
+spec:
+  type: ClusterIP
+  ports:
+  - port: 8000
+    targetPort: 8000
+    protocol: TCP
+    name: http
+  selector:
+    app: mas