INIT(repo): apps setup with all user-facing servic

umami/argocd/umami.yaml

@@ -0,0 +1,50 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: umami
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  
+  sources:
+    - repoURL: https://charts.christianhuth.de
+      chart: umami
+      targetRevision: 6.0.1
+      helm:
+        valueFiles:
+          - $values/umami/helm-values/umami.yaml
+    - repoURL: https://gitea0213.kro.kr/bluemayne/infrastructure.git
+      targetRevision: main
+      ref: values
+    - repoURL: https://gitea0213.kro.kr/bluemayne/infrastructure.git
+      targetRevision: main
+      path: umami
+  
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: analytics
+  
+  ignoreDifferences:
+    # Ignore app-secret data changes in umami-app-secret
+    # Helm chart generates random app-secret value on each sync,
+    # causing ArgoCD to detect it as OutOfSync
+    - group: ""
+      kind: Secret
+      name: umami-app-secret
+      jsonPointers:
+        - /data
+  
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m

umami/helm-values/umami.yaml

@@ -0,0 +1,65 @@
+fullnameOverride: umami
+
+image:
+  tag: postgresql-latest
+
+# Disable PostgreSQL subchart (using external PostgreSQL)
+postgresql:
+  enabled: false
+
+# External database configuration
+externalDatabase:
+  type: postgresql
+  hostname: postgresql-primary.postgresql.svc.cluster.local
+  port: 5432
+  auth:
+    database: umami
+    username: bluemayne
+    # Password is managed via External Secrets Operator (Vault)
+
+# Use existing secret for sensitive data
+database:
+  existingSecret: umami-password
+
+# Environment variables from secret
+envFrom:
+  - secretRef:
+      name: umami-password
+
+ingress:
+  enabled: false  # Will use our main ingress
+
+service:
+  type: ClusterIP
+  port: 3000
+
+resources:
+  requests:
+    cpu: 30m  # Reduced to 30% of original (100m -> 30m)
+    memory: 256Mi
+
+replicaCount: 2
+
+# Autoscaling
+autoscaling:
+  enabled: false
+  minReplicas: 2
+  maxReplicas: 4
+  targetCPUUtilizationPercentage: 80
+
+# Health checks
+livenessProbe:
+  enabled: true
+  httpGet:
+    path: /api/heartbeat
+    port: 3000
+  initialDelaySeconds: 30
+  periodSeconds: 10
+
+readinessProbe:
+  enabled: true
+  httpGet:
+    path: /api/heartbeat
+    port: 3000
+  initialDelaySeconds: 10
+  periodSeconds: 5

umami/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  # ArgoCD Application 리소스는 infrastructure/kustomization.yaml에서 관리
+  # - argocd/umami.yaml
+  - vault/umami-password.yaml

umami/vault/umami-password.yaml

@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: umami-password
+  namespace: analytics
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-backend
+  target:
+    name: umami-password
+    creationPolicy: Owner
+  data:
+    - secretKey: database-url
+      remoteRef:
+        key: analytics/umami
+        property: DATABASE_URL
+    - secretKey: hash-salt
+      remoteRef:
+        key: analytics/umami
+        property: HASH_SALT