diff --git a/kubernetes/apps/default/cloudnative-pg/cluster/backups/external-backup.yaml b/kubernetes/apps/default/cloudnative-pg/cluster/backups/external-backup.yaml index 7c0df78ae..c98bf8652 100644 --- a/kubernetes/apps/default/cloudnative-pg/cluster/backups/external-backup.yaml +++ b/kubernetes/apps/default/cloudnative-pg/cluster/backups/external-backup.yaml @@ -20,7 +20,7 @@ spec: - name: POSTGRES_HOST value: ${POSTGRES_HOST} - name: POSTGRES_DB - value: "authelia,drone,freshrss,gitea,invidious,joplin,lychee,paperless,recipes,semaphore,sharry,outline,vaultwarden,vikunja,wallabag" + value: "authelia,drone,freshrss,gitea,invidious,joplin,lychee,paperless,semaphore,sharry,tandoor,outline,vaultwarden,vikunja,wallabag" - name: POSTGRES_USER valueFrom: secretKeyRef: diff --git a/kubernetes/apps/default/tandoor/app/backups/replicationsource.yaml b/kubernetes/apps/default/tandoor/app/backups/replicationsource.yaml index d9adfb1c7..55adc4d35 100644 --- a/kubernetes/apps/default/tandoor/app/backups/replicationsource.yaml +++ b/kubernetes/apps/default/tandoor/app/backups/replicationsource.yaml @@ -17,9 +17,9 @@ spec: volumeSnapshotClassName: csi-ceph-blockpool storageClassName: rook-ceph-block moverSecurityContext: - runAsUser: 70 - runAsGroup: 70 - fsGroup: 70 + runAsUser: 568 + runAsGroup: 568 + fsGroup: 568 retain: daily: 10 within: 3d diff --git a/kubernetes/apps/default/tandoor/app/config/nginx-config b/kubernetes/apps/default/tandoor/app/config/nginx-config index 28ecf826b..c783f8e7d 100644 --- a/kubernetes/apps/default/tandoor/app/config/nginx-config +++ b/kubernetes/apps/default/tandoor/app/config/nginx-config @@ -1,10 +1,11 @@ +pid /tmp/nginx.pid; events { worker_connections 1024; } http { include /etc/nginx/mime.types; server { - listen 80; + listen 8080; server_name _; client_max_body_size 128M; # serve media files 
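Review bot: Replacing `recipes` with `tandoor` in the `POSTGRES_DB` list means the old `recipes` database stops being dumped as soon as this change lands. The data migration is not part of the diff, so if rows are copied into `tandoor` after this change rather than before, the existing data has no fresh backup during that window. Keeping both names until the old database is dropped would cover it, e.g. `...,paperless,recipes,semaphore,sharry,tandoor,outline,...`. The container spec continues outside the hunk.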
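Review bot: The new `pid /tmp/nginx.pid;` line and the change to `listen 8080;` carry no comment, yet both only make sense together with the switch to a non-root nginx image made in helmrelease.yaml in this commit. A short comment above each would keep a later editor from reverting them, e.g. `# runs as a non-root user: pid file must live in a writable path` and `# unprivileged port; must match the nginx service port in helmrelease.yaml`. The `http` block continues outside the hunk.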
@@ -15,11 +16,5 @@ http { location /static/ { alias /static/; } - # pass requests for dynamic content to gunicorn - location / { - proxy_set_header Host $host; - proxy_set_header REMOTE-USER $http_x_authentik_username; - proxy_pass http://localhost:8080; - } } } diff --git a/kubernetes/apps/default/tandoor/app/helmrelease.yaml b/kubernetes/apps/default/tandoor/app/helmrelease.yaml index e3451937d..eae5c675e 100644 --- a/kubernetes/apps/default/tandoor/app/helmrelease.yaml +++ b/kubernetes/apps/default/tandoor/app/helmrelease.yaml @@ -27,17 +27,33 @@ spec: uninstall: keepHistory: false values: + controller: + annotations: + reloader.stakater.com/auto: "true" image: repository: vabene1111/recipes - tag: "1.4.8" + tag: 1.4.8 envFrom: - secretRef: - name: *app + name: tandoor-secret + command: + - /opt/recipes/venv/bin/gunicorn + - -b + - :8888 + - --access-logfile + - "-" + - --error-logfile + - "-" + - --log-level + - INFO + - recipes.wsgi service: main: ports: http: - port: 80 + port: &port 8888 + nginx: + port: &port2 8080 ingress: main: enabled: true @@ -46,13 +62,16 @@ spec: hajimari.io/icon: mdi:chef-hat hosts: - host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}" - paths: + paths: &paths - path: / - pathType: Prefix + - path: /media + service: + port: *port2 + - path: /static + service: + port: *port2 - host: &host2 "recipes.${SECRET_CLUSTER_DOMAIN}" - paths: - - path: / - pathType: Prefix + paths: *paths tls: - hosts: - *host 
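Review bot: With the `location /` block removed, nginx no longer sets `REMOTE-USER` from `$http_x_authentik_username`, and the ingress change in this commit routes `/` straight to gunicorn. If the application is still configured to trust a `REMOTE-USER` request header for sign-in (that setting is not visible in this diff), the header value now comes from whatever sits in front of the pod rather than being overwritten here. Confirm that header-based authentication is switched off in the app environment, or that the ingress unconditionally overwrites or strips `REMOTE-USER` before forwarding. Note also that `client_max_body_size 128M` in this file no longer governs uploads, since they no longer pass through nginx.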
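Review bot: The quotes were dropped from `tag: 1.4.8`; it still loads as a string only because the value has two dots, and a later two-component or all-digit tag would be retyped as a number. Keep `tag: "1.4.8"`. The same version is written a second time in the `init-migrate` image string further down this file, so the two can drift on the next bump; a comment beside each pointing at the other would help. The `values` mapping continues outside the hunk.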
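Review bot: `pathType: Prefix` is removed from `/` and not set on the new `/media` and `/static` entries, so the rendered Ingress now depends on the chart's default path type, which is not visible in this diff. State it explicitly on each of the three paths, `pathType: Prefix`, so that sub-paths under `/media` and `/static` are guaranteed to reach the nginx port rather than falling through to gunicorn. Because `&paths` is reused for the second host through `*paths`, the one fix covers both hosts.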
@@ -70,32 +89,70 @@ spec: volumeSpec: configMap: name: *app + django-js-reverse: + enabled: true + type: emptyDir + mountPath: /opt/recipes/cookbook/static/django_js_reverse static: enabled: true mountPath: /opt/recipes/staticfiles type: emptyDir + cache: + enabled: true + mountPath: /mnt/cache + type: emptyDir podSecurityContext: - runAsUser: 0 + runAsUser: 568 + runAsGroup: 568 + fsGroup: 568 + fsGroupChangePolicy: "OnRootMismatch" podAnnotations: configMap.reloader.stakater.com/reload: *app secret.reloader.stakater.com/reload: *app - securityContext: - runAsUser: 65534 resources: requests: cpu: 100m memory: 256Mi limits: memory: 512Mi + initContainers: + init-migrate: + image: vabene1111/recipes:1.4.8 + env: + - name: DB_ENGINE + value: django.db.backends.postgresql_psycopg2 + - name: POSTGRES_HOST + value: ${POSTGRES_HOST} + - name: POSTGRES_PORT + value: ${POSTGRES_PORT} + - name: POSTGRES_DB + value: tandoor + envFrom: + - secretRef: + name: tandoor-secret + command: + - sh + - -c + - | + set -e + source /opt/recipes/venv/bin/activate + echo "Updating database" + python3 /opt/recipes/manage.py migrate + python3 /opt/recipes/manage.py collectstatic_js_reverse + python3 /opt/recipes/manage.py collectstatic --noinput + volumeMounts: + - name: django-js-reverse + mountPath: /opt/recipes/cookbook/static/django_js_reverse + - name: static + mountPath: /opt/recipes/staticfiles additionalContainers: nginx: name: nginx - image: nginx:1.23.4 + image: nginxinc/nginx-unprivileged:1.22.1-alpine imagePullPolicy: IfNotPresent ports: - - name: http - containerPort: 80 - protocol: TCP + - name: nginx + containerPort: *port2 volumeMounts: - name: nginx-config readOnly: true @@ -105,3 +162,5 @@ spec: mountPath: /media - name: static mountPath: /static + - name: cache + mountPath: /var/cache/nginx diff --git a/kubernetes/apps/default/tandoor/app/patches/env.yaml b/kubernetes/apps/default/tandoor/app/patches/env.yaml index b7d68f8c3..8d221e310 100644 
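Review bot: The hunk removes the container-level `securityContext` block entirely, so although the pod now runs as UID/GID 568, nothing prevents a process in it from gaining privileges through setuid binaries or file capabilities. Consider keeping the block with `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`, and adding `runAsNonRoot: true` next to `runAsUser: 568` in `podSecurityContext`. Whether the chart applies that block to `init-migrate` and the `nginx` sidecar is not visible here, so they may need the same keys set explicitly. Separately, the nginx image tag goes from 1.23.4 to 1.22.1; it is worth confirming that the older release line is intended.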
--- a/kubernetes/apps/default/tandoor/app/patches/env.yaml +++ b/kubernetes/apps/default/tandoor/app/patches/env.yaml @@ -13,10 +13,10 @@ spec: DB_ENGINE: django.db.backends.postgresql_psycopg2 POSTGRES_HOST: ${POSTGRES_HOST} POSTGRES_PORT: ${POSTGRES_PORT} - POSTGRES_DB: recipes + POSTGRES_DB: tandoor GUNICORN_MEDIA: "0" TIMEZONE: ${TIMEZONE} - TANDOOR_PORT: 8080 + TANDOOR_PORT: 8888 FRACTION_PREF_DEFAULT: "0" COMMENT_PREF_DEFAULT: "1" SHOPPING_MIN_AUTOSYNC_INTERVAL: "5" diff --git a/kubernetes/apps/default/tandoor/app/patches/postgres.yaml b/kubernetes/apps/default/tandoor/app/patches/postgres.yaml index 973871092..d99f7a157 100644 --- a/kubernetes/apps/default/tandoor/app/patches/postgres.yaml +++ b/kubernetes/apps/default/tandoor/app/patches/postgres.yaml @@ -14,7 +14,7 @@ spec: - name: POSTGRES_HOST value: ${POSTGRES_HOST} - name: POSTGRES_DB - value: recipes + value: tandoor - name: POSTGRES_SUPER_PASS valueFrom: secretKeyRef: @@ -23,10 +23,10 @@ spec: - name: POSTGRES_USER valueFrom: secretKeyRef: - name: tandoor + name: tandoor-secret key: POSTGRES_USER - name: POSTGRES_PASS valueFrom: secretKeyRef: - name: tandoor + name: tandoor-secret key: POSTGRES_PASSWORD diff --git a/kubernetes/apps/default/tandoor/app/secret.sops.yaml b/kubernetes/apps/default/tandoor/app/secret.sops.yaml index 9ba965e1e..997c0db64 100644 --- a/kubernetes/apps/default/tandoor/app/secret.sops.yaml +++ b/kubernetes/apps/default/tandoor/app/secret.sops.yaml 
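Review bot: `TANDOOR_PORT: 8888` is a bare integer while the neighbouring values in this map are quoted strings (`GUNICORN_MEDIA: "0"`, `COMMENT_PREF_DEFAULT: "1"`). Environment values are strings, so write `TANDOOR_PORT: "8888"` rather than depend on how the chart renders a number. The port is also hard-coded in the gunicorn `-b :8888` argument and in the service port in helmrelease.yaml, so a comment here naming those two places would keep them in step. The env map continues outside the hunk.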
@@ -2,13 +2,13 @@ apiVersion: v1 kind: Secret metadata: - name: tandoor + name: tandoor-secret namespace: default type: Opaque stringData: - SECRET_KEY: ENC[AES256_GCM,data:Em/RAzEFrQ0vSHrTUAe2CfWii49IVRZkZQt9czp41j0=,iv:cF+q2+E9gtF5LKP974Y5o/MOrdxcvfe8VXUqHhP46Mc=,tag:RlY7ciWvKsZl5S/ljUc9GA==,type:str] - POSTGRES_USER: ENC[AES256_GCM,data:2l2CmdToJg==,iv:lP3yvRedxN3L8sheO71sI5BNOBIEAnQ+QoAm5j4pyyc=,tag:b0yimiebuxKE/PIjhpWr6g==,type:str] - POSTGRES_PASSWORD: ENC[AES256_GCM,data:eGkJzNO6i0vARiw3XXK87g==,iv:iVwOOiTuwI3aK+zdDIZotgLCvbyvYC7sl8vuhyMSyUg=,tag:Vix0RHru20p0fj0a5LH9Sw==,type:str] + SECRET_KEY: ENC[AES256_GCM,data:Q6F1yVx9o5l+NGOYDe+m6DH/v1MxJQCSKT89IVwjqYI=,iv:KAkiYOyzD+i4ybTb19cIUaZlLq9/Hkda9c9ksf+FQrg=,tag:5nEYJe8JnrwScW2a8+dekw==,type:str] + POSTGRES_USER: ENC[AES256_GCM,data:FYYcjxl00w==,iv:Qhyu+2pCDrLynJVKb88olLiG1S9mmSVJgdsWuBu2iPQ=,tag:XngsCKqqnv/eZUN715cY5A==,type:str] + POSTGRES_PASSWORD: ENC[AES256_GCM,data:7nRBJj4SN//W6kcD4RwDOw==,iv:uTlW+I/H72vTlUIH7m9AVqRKSA+XMAQoJLGcu5cFFFM=,tag:tkeMqZVP8NHgyH4aOWSlFw==,type:str] sops: kms: [] gcp_kms: [] 
@@ -18,14 +18,14 @@ sops: - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4TWU5YTlFY3FPQWhnZ2I2 - akxnZ2xIRVNFZTdOWmg0dFhxTUNoZEFIM1cwCit5WnduNlQ1MkF2aytCVldMeVlC - Yk5QNWRQRllOT3ZTL3VGcjJNK1VqeUkKLS0tIFMyWHNFd29nc2tMektxclJkK0pT - Ny9OQ0l4ZXMrdW40NmRsbzgvZ0w5V3cKqTGvN5zk2TPgtxoVfwI7Wsz4N+lC9+Kq - DCXTgTU/QXm9dvo4ErPPzeWFqdk4JchExhvSJV2JfM32O+3z+EGhNg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3TlpyT0RXNHdBVHBKVkJo + dGhPZDgvTHlOVHJ5d3JDeEZhd2NmQUxVdURrCkZKTWVPK2Y0L3NWVDJCbHRUYVQ2 + MGVuRXdSMHZzSFFpOHFNa2laNEF5T1EKLS0tIGcvVDBRWTJPeVJzVTg2ZzNRdTFJ + VjJ5ZzIyNE9OMGVVcFBiOWRjazFGYkUK8wW2HI/BuiFMAyOV/BABZkE+L6qLVAuE + LM+b1l2q79np70ostH7Jmox9KP4QsMLYxDhjse/ygS5e8oQRbb1oTg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-09-17T09:12:23Z" - mac: ENC[AES256_GCM,data:aftbkgTFye4mvKE2cT8ygQ76Ybx8Lt5dd9moHJgdMqRzQZBeOctMlaMD2Jm7EY0psuAUkGz4+OS5pv7HJ2/1/rVYNqMsLSpoIYs236te0F58BS1yjHHi1YPNsfhdskPBs6e7xONQTrwQ9Swp/jynosNvuchDCBufxDVk5WG8auo=,iv:JjmbM44EKp6Suw/B2VLLcBZmsfxNuA6OZPaUoWQDvVo=,tag:X1Cuo0XvgmyOWiOQxIZiKg==,type:str] + lastmodified: "2023-04-11T21:32:22Z" + mac: ENC[AES256_GCM,data:y+O9Ry6ybIm1hmfZspcyiJPzjGDa89e2Qa+oMj+qsye6T6Y3k0JRn/POGkrxHCsw05exKMa3+8ldQQgHewdiiv1TOJ3Xwap377AtYlId+hBfwyfPG1VtnBNu4pHDe919f6q7DNRJbaQscmZgFuZYRMyIeI+rBNT7slGuvAWwAjc=,iv:4DFc9cJ9BaDwv/E3ZVBFwf82879ePff6BoOryRBn0Oo=,tag:n870pnOy32XnELnZzyukvQ==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3