fixup! ♻️ migration externalsecrets
@@ -6,15 +6,13 @@ metadata:
|
||||
namespace: default
|
||||
data:
|
||||
DB_PORT: "5432"
|
||||
IMMICH_WEB_URL: http://immich-web.default.svc.cluster.local:3000
|
||||
IMMICH_SERVER_URL: http://immich-server.default.svc.cluster.local:3001
|
||||
IMMICH_MACHINE_LEARNING_URL: http://immich-machine-learning.default.svc.cluster.local:3003
|
||||
IMMICH_SERVER_URL: http://immich-server.default.svc.cluster.local:3001
|
||||
IMMICH_WEB_URL: http://immich-web.default.svc.cluster.local:3000
|
||||
LOG_LEVEL: verbose
|
||||
REDIS_DBINDEX: "10"
|
||||
REDIS_HOSTNAME: redis.default.svc.cluster.local
|
||||
REDIS_PORT: "6379"
|
||||
TYPESENSE_HOST: immich-typesense.default.svc.cluster.local
|
||||
REDIS_URL: ioredis://eyJkYiI6MTUsInNlbnRpbmVscyI6W3siaG9zdCI6InJlZGlzLW5vZGUtMC5yZWRpcy1oZWFkbGVzcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwicG9ydCI6MjYzNzl9LHsiaG9zdCI6InJlZGlzLW5vZGUtMS5yZWRpcy1oZWFkbGVzcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwicG9ydCI6MjYzNzl9LHsiaG9zdCI6InJlZGlzLW5vZGUtMi5yZWRpcy1oZWFkbGVzcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwicG9ydCI6MjYzNzl9XSwibmFtZSI6InJlZGlzLW1hc3RlciJ9
|
||||
TYPESENSE_DATA_DIR: /config
|
||||
TYPESENSE_HOST: immich-typesense.default.svc.cluster.local
|
||||
# Below are deprecated and can only be set in the Immich Admin settings
|
||||
# OAUTH_ENABLED: "true"
|
||||
# OAUTH_ISSUER_URL: https://auth.${SECRET_CLUSTER_DOMAIN}/.well-known/openid-configuration
|
||||
|
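Review bot: The new `REDIS_URL` value is an opaque base64 blob, so the Redis topology it configures cannot be reviewed from the manifest. Decoded, it is a JSON object naming three sentinels on `redis-node-0..2.redis-headless.default.svc.cluster.local` port 26379, the master set `redis-master` and `db` 15, whereas the `REDIS_DBINDEX` line in the same hunk says `"10"`; if the index change is not intended it should be reverted or called out. I would add a comment above the key, for example `# ioredis:// + base64(JSON): sentinels redis-node-0..2:26379, name redis-master, db 15`. The blob carries no password, which is right for a ConfigMap; if Redis authentication is enabled later, the URL belongs in the ExternalSecret rather than gaining a credential here. The ConfigMap's metadata and the end of `data:` are outside the hunk.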
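--- a/kubernetes/apps/default/immich/app/externalsecret.yaml
+++ b/kubernetes/apps/default/immich/app/externalsecret.yaml
@@ -0,0 +1,35 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+name: immich
+namespace: default
+spec:
+secretStoreRef:
+kind: ClusterSecretStore
+name: onepassword-connect
+target:
+name: immich-secret
+creationPolicy: Owner
+template:
+engineVersion: v2
+data:
+# App
+DB_DATABASE_NAME: &dbName immich
+DB_HOSTNAME: &dbHost postgres-rw.default.svc.cluster.local
+DB_USERNAME: &dbUser "{{ .POSTGRES_USER }}"
+DB_PASSWORD: &dbPass "{{ .POSTGRES_PASS }}"
+JWT_SECRET: "{{ .IMMICH_JWT_SECRET }}"
+TYPESENSE_API_KEY: "{{ .IMMICH_TYPESENSE_API_KEY }}"
+# Postgres Init
+INIT_POSTGRES_DBNAME: *dbName
+INIT_POSTGRES_HOST: *dbHost
+INIT_POSTGRES_USER: *dbUser
+INIT_POSTGRES_PASS: *dbPass
+INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
+dataFrom:
+- extract:
+key: cloudnative-pg
+- extract:
+key: immich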
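Review bot: `INIT_POSTGRES_SUPER_PASS` is rendered into `immich-secret`, the same Secret that a HelmRelease hunk on this page references with `secretRef: name: &secret immich-secret` (apparently under `envFrom`), so the Postgres superuser password would sit in the environment of the long-running Immich containers and not only in the init step that needs it. I would move the five `INIT_POSTGRES_*` keys to a second ExternalSecret with its own `target.name`, referenced only by the init container. Separately, the two `dataFrom.extract` entries pull every field of the `cloudnative-pg` and `immich` items into one template scope; a short comment listing the fields the template expects (`POSTGRES_USER`, `POSTGRES_PASS`, `POSTGRES_SUPER_PASS`, `IMMICH_JWT_SECRET`, `IMMICH_TYPESENSE_API_KEY`) would make a missing or colliding field easier to diagnose.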
@@ -5,10 +5,10 @@ kind: Kustomization
|
||||
namespace: default
|
||||
resources:
|
||||
- ./configmap.yaml
|
||||
- ./externalsecret.yaml
|
||||
- ./microservices
|
||||
- ./machine-learning
|
||||
- ./secret.sops.yaml
|
||||
- ./server
|
||||
- ./typesense
|
||||
- ./volume.yaml
|
||||
- ./volumes.yaml
|
||||
- ./web
|
||||
|
@@ -67,4 +67,4 @@ spec:
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 250Mi
|
||||
memory: 250Mi
|
||||
|
@@ -63,4 +63,4 @@ spec:
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 250Mi
|
||||
memory: 250Mi
|
||||
|
@@ -1,41 +0,0 @@
|
||||
# yamllint disable
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: immich-secret
|
||||
namespace: default
|
||||
type: Opaque
|
||||
stringData:
|
||||
#ENC[AES256_GCM,data:M3l1uxCayw==,iv:Vr0yrJF/xDpqANJSg5VpU0RPxknE3N8HW5NPkZ+Ngko=,tag:5X9qYSGAMJ08DMOdpF/fgg==,type:comment]
|
||||
DB_DATABASE_NAME: ENC[AES256_GCM,data:/1JmFMnq,iv:aycc8Tqv4h95ATSrtTp3uOKkJ7uJ3fF8P9rx99+F+jk=,tag:vgciF1KIzr6lIhbpsL4bwQ==,type:str]
|
||||
DB_HOSTNAME: ENC[AES256_GCM,data:Tx7HFLwCYQjXN79Qu6+vKSIdR1Lxs397mV+Hi0XqlL0/vY5kAg==,iv:xVxuZuEeGdT9Ja7FzfWLFhz/dRxCGAk97893jPEPyzk=,tag:+wOzSIjORLrAKPYD+7vtPQ==,type:str]
|
||||
DB_PASSWORD: ENC[AES256_GCM,data:xGc/+0jUa2FcMKSFyjaxYia1ZnU=,iv:A0i5vPLMXLmqNicsQI6vrlOnR8lEJXOMomABnGMOLAQ=,tag:RXPncaj3YxgdK4UpOp2oCw==,type:str]
|
||||
DB_USERNAME: ENC[AES256_GCM,data:usQAPAXx,iv:/dG1qJr2i1uwarjTn9RcxPt12DbY/gAO+rUdSDqeWNA=,tag:JM3zv0xI+rlX+1ju7kyVxw==,type:str]
|
||||
JWT_SECRET: ENC[AES256_GCM,data:177xddBgbYp4B1xLlfHsGqm1SdW6W7S7Z53ExG3dYw==,iv:LAX2iW9hj/fX7n1g6yWAZOtZNH3xXMSXn9nFoffCkvU=,tag:76Kxh3v7pqazzDJDuVcpNQ==,type:str]
|
||||
TYPESENSE_API_KEY: ENC[AES256_GCM,data:XO+r7yIb3FGzQmJl4826pKYFxlQ=,iv:Ce+Xg5iEdCDYVXxH3+2qZCIfjMtYcjNuVejp5e+vSOE=,tag:Zwvvgt7z+eiq2HTPfMvdKg==,type:str]
|
||||
#ENC[AES256_GCM,data:1+sGdHMiMe3clIg6KVo=,iv:II/LS19frtCXo/niP5/HPaVF6IcYr/FBqddAlKFytA0=,tag:IubpMI5HxdnxZB8mSezASA==,type:comment]
|
||||
POSTGRES_DB: ENC[AES256_GCM,data:NMVSQmNi,iv:/5aMX5er4zqsOVidsnaArmBwRreVPLBE9hn5jNSDkso=,tag:vGJDIQgfCOqUOtYFtlL51w==,type:str]
|
||||
POSTGRES_HOST: ENC[AES256_GCM,data:TpU9sKI32nQJ3pFnas9FjLXNlnAzX73heXQ7EwYVuur5AKQwdw==,iv:/SdWujct0FaDNMpUwk9ImuKDwDKL2oun8I6kPfU+P6s=,tag:LUqHoWf8wMkBM4sKri+5Ew==,type:str]
|
||||
POSTGRES_PASS: ENC[AES256_GCM,data:xnX/vIBKWeIDaUUWnSVI7F3538Q=,iv:K59DXnnGxWbLAQKnzn4EEhY3nLKs6NJQv6qNpF/OwH8=,tag:L5mAlCeNh3J2GlG2udEspA==,type:str]
|
||||
POSTGRES_SUPER_PASS: ENC[AES256_GCM,data:mcsuRKRBTmB/mIlfRY0EGA==,iv:OVLvJemtTQINZ3MzsXUhJ/OJsWAP0iI5/jQDJpzmTug=,tag:MKnEYcpR9Qq7/mks67kQPw==,type:str]
|
||||
POSTGRES_USER: ENC[AES256_GCM,data:G6pSju/U,iv:eVTKbpYCD7hv7y2zYKr6wv6Wsca4QmHwC1MZZmQ8aKA=,tag:17QhReyXRFeL7nULag++Bw==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2NVpnZE1xaXY3VmEwb24z
|
||||
Z2lLQ1d4NzFUdWdUUWphUkVPK0ljRmMvSGpvCkhjT1pyOE94bXkwQkVpL0Ywa0tv
|
||||
VmVhQzA4WEVqK0lxQUVzUTFidXVrL0UKLS0tIEtJSFNqbkVDZm9Mc3ZCbzJiOXov
|
||||
MGN2VjZaRzhTM3JxeWlVelhvQUhlcTgKIQnk7XcpuK9ZWinZf9s/rYFAeFbF2yXX
|
||||
+afSzOZKXq6ENcnTY/Or0A76wXVpYAJ3yaNsfFhXY0QQw/wwE14cMA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-03-21T20:21:00Z"
|
||||
mac: ENC[AES256_GCM,data:EVvr8WqxjdY+RHvO8F0aqV2qnSyZRLJSDpvwKyvRgj32c9UUFbEQQiSn7Ie6oIRpE6mhl/QRAqvkvChBEVVi3/oyuo2wUH4pqmm6udTOpmAGbABcpQyH0ecxP/ZHgPDNlm8I67qsKTSM8pV7Pmi3MedmgISRXwZ4uFFHM7iX4Bs=,iv:5TOjAc6MlTyLw4YKTcqRySBXcgHHm9sHewLzD9fHDq0=,tag:ZB00nS0d+dQgUw4qRC/vzw==,type:str]
|
||||
pgp: []
|
||||
encrypted_regex: ^(data|stringData)$
|
||||
version: 3.7.3
|
@@ -39,26 +39,6 @@ spec:
|
||||
name: &configMap immich-configmap
|
||||
- secretRef:
|
||||
name: &secret immich-secret
|
||||
env:
|
||||
- name: POSTGRES_HOST
|
||||
value: ${POSTGRES_HOST}
|
||||
- name: POSTGRES_DB
|
||||
value: immich-secret
|
||||
- name: POSTGRES_SUPER_PASS
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: postgres-superuser
|
||||
key: password
|
||||
- name: POSTGRES_USER
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: immich-secret
|
||||
key: DB_USERNAME
|
||||
- name: POSTGRES_PASS
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: immich-secret
|
||||
key: DB_PASSWORD
|
||||
controller:
|
||||
replicas: 2
|
||||
strategy: RollingUpdate
|
||||
|
@@ -68,4 +68,4 @@ spec:
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 250Mi
|
||||
memory: 250Mi
|
||||
|
@@ -13,6 +13,7 @@ spec:
|
||||
nfs:
|
||||
server: ${LOCAL_LAN_TRUENAS}
|
||||
path: /mnt/storage/apps/immich
|
||||
mountOptions: ["nfsvers=4.2", "nconnect=8", "hard", "noatime"]
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
@@ -42,4 +43,4 @@ spec:
|
||||
storageClassName: rook-ceph-block
|
||||
resources:
|
||||
requests:
|
||||
storage: 10Gi
|
||||
storage: 1Gi
|
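Review bot: The second hunk shows both `storage: 10Gi` and `storage: 1Gi`, and the rendered page has lost the +/- markers, so the direction of the change cannot be read here; if the request is being lowered on a claim that is already bound, the API server rejects the update, because a PVC request can only grow. That is worth confirming against the live claim before this reconciles. On the NFS volume, `mountOptions: ["nfsvers=4.2", "nconnect=8", "hard", "noatime"]` would read better in block style, with a comment that `hard` makes I/O block while the NAS is unreachable. Both specs start outside their hunks.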
@@ -60,7 +60,7 @@ spec:
|
||||
nignx.ingress.kubernetes.io/force-ssl-redirect: "true"
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: "0"
|
||||
hosts:
|
||||
- host: &host photos.devbu.io
|
||||
- host: &host photos.${SECRET_CLUSTER_DOMAIN}
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
@@ -87,4 +87,4 @@ spec:
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 250Mi
|
||||
memory: 250Mi
|
||||
|
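Review bot: The annotation key at the top of the first hunk is spelled `nignx.ingress.kubernetes.io/force-ssl-redirect`, a prefix ingress-nginx does not recognise, so the forced HTTPS redirect it is meant to switch on is presumably not applied to the photos host. It looks like an unchanged context line, but since the host entry beside it is being edited it is worth correcting in the same commit: `nginx.ingress.kubernetes.io/force-ssl-redirect: "true"`. The neighbouring `proxy-body-size: "0"` removes the request-body limit for this host and deserves a one-line comment saying that is deliberate for large uploads. The annotations block starts outside the hunk.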
@@ -9,30 +9,15 @@ metadata:
|
||||
substitution.flux.home.arpa/enabled: "true"
|
||||
spec:
|
||||
dependsOn:
|
||||
- name: cluster-apps-cloudnative-pg-app
|
||||
- name: cluster-apps-cloudnative-pg-cluster
|
||||
- name: cluster-apps-external-secrets-stores
|
||||
- name: cluster-apps-redis
|
||||
path: ./kubernetes/apps/default/immich/app
|
||||
prune: true
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: home-ops-kubernetes
|
||||
healthChecks:
|
||||
- apiVersion: helm.toolkit.fluxcd.io/v2beta1
|
||||
kind: HelmRelease
|
||||
name: immich-microservices
|
||||
namespace: default
|
||||
- apiVersion: helm.toolkit.fluxcd.io/v2beta1
|
||||
kind: HelmRelease
|
||||
name: immich-server
|
||||
namespace: default
|
||||
- apiVersion: helm.toolkit.fluxcd.io/v2beta1
|
||||
kind: HelmRelease
|
||||
name: immich-typesense
|
||||
namespace: default
|
||||
- apiVersion: helm.toolkit.fluxcd.io/v2beta1
|
||||
kind: HelmRelease
|
||||
name: immich-web
|
||||
namespace: default
|
||||
wait: false # no flux ks dependents
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
|
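Review bot: With the `healthChecks` list apparently removed and `wait: false` set, this Kustomization reports ready as soon as its objects are applied, so a failed ExternalSecret sync (store unreachable, field missing from the item) or a failed HelmRelease no longer surfaces at this level. The `dependsOn` entry `cluster-apps-external-secrets-stores` orders the apply but does not check that `immich-secret` was actually produced. If that trade-off is accepted, the inline comment should say so, for example `wait: false # no flux ks dependents; ExternalSecret/HelmRelease health is not gated here`. Which lines are added and which removed is inferred from the hunk counts, and the Kustomization's metadata starts outside the hunk.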