feat: windmill

2025-09-17 18:24:14 +02:00 · 2024-07-15 15:30:47 +02:00
parent 0652e6c1d8
commit edb94a4751
11 changed files with 258 additions and 2 deletions
--- a/kubernetes/apps/default/authelia/app/config/configuration.yaml
+++ b/kubernetes/apps/default/authelia/app/config/configuration.yaml
@@ -1,6 +1,4 @@
 ---
 # Genereate client_secret
 # https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#how-do-i-generate-a-client-identifier-or-client-secret
 authentication_backend:
  ldap:
    address: ldap://lldap.default.svc.cluster.local:5389
@@ -82,6 +80,8 @@ identity_providers:
      endpoints: [authorization, token, revocation, introspection]
      allowed_origins_from_client_redirect_uris: true
    clients:
    # Genereate client_secret
    # https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#how-do-i-generate-a-client-identifier-or-client-secret
      - client_id: freshrss
        client_name: freshrss
        client_secret: "$${FRESHRSS_OAUTH_DIGEST}"
@@ -151,3 +151,10 @@ identity_providers:
        redirect_uris: ['https://pgadmin.${SECRET_EXTERNAL_DOMAIN}/oauth2/authorize']
        userinfo_signed_response_alg: none
        token_endpoint_auth_method: client_secret_basic
      - client_id: windmill
        client_name: Windmill
        client_secret: '$${WINDMILL_OAUTH_CLIENT_SECRET}'
        authorization_policy: 'two_factor'
        redirect_uris: ['https://windmill.${SECRET_EXTERNAL_DOMAIN}/user/login_callback/authelia']
        scopes: [openid, profile, groups, email]
        userinfo_signed_response_alg: none
--- a/kubernetes/apps/default/authelia/app/externalsecret.yaml
+++ b/kubernetes/apps/default/authelia/app/externalsecret.yaml
@@ -43,6 +43,8 @@ spec:
        PAPERLESS_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}"
        KOMGA_OAUTH_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}"
        KOMGA_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}"
        WINDMILL_OAUTH_CLIENT_SECRET: "{{ .WINDMILL_OAUTH_CLIENT_SECRET }}"
        WINDMILL_OAUTH_DIGEST: "{{ .WINDMILL_OAUTH_DIGEST }}"
        SECRET_PUBLIC_DOMAIN: "{{ .SECRET_PUBLIC_DOMAIN }}"
        # Postgres Init
        INIT_POSTGRES_DBNAME: *dbName
--- a/kubernetes/apps/default/kustomization.yaml
+++ b/kubernetes/apps/default/kustomization.yaml
@@ -56,6 +56,7 @@ resources:
  - ./unifi/ks.yaml
  - ./vaultwarden/ks.yaml
  - ./vikunja/ks.yaml
  - ./windmill/ks.yaml
  - ./zigbee2mqtt/ks.yaml
  - ./zwave-js-ui/ks.yaml
  # Default resources
--- a/kubernetes/apps/default/mailrise/app/mailrise.yaml
+++ b/kubernetes/apps/default/mailrise/app/mailrise.yaml
@@ -10,3 +10,8 @@ configs:
      title_template: "KRESUS"
    urls:
      - !env_var PUSHOVER_KRESUS
  windmill@mailrise.home.arpa:
    mailrise:
      title_template: "WINDMILL"
    urls:
      - !env_var PUSHOVER_WINDMILL
--- a/kubernetes/apps/default/windmill/app/externalsecret.yaml
+++ b/kubernetes/apps/default/windmill/app/externalsecret.yaml
@@ -0,0 +1,29 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: windmill
  namespace: default
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: windmill-secret
    template:
      engineVersion: v2
      data:
        # App
        WINDMILL_POSTGRES_URL: "postgres://{{ .WINDMILL__POSTGRES_USER }}:{{ .WINDMILL__POSTGRES_PASS }}@postgres16-rw.database.svc.cluster.local/windmill"
        # Postgres Init
        INIT_POSTGRES_DBNAME: windmill
        INIT_POSTGRES_HOST: postgres16-rw.database.svc.cluster.local
        INIT_POSTGRES_USER: "{{ .WINDMILL__POSTGRES_USER }}"
        INIT_POSTGRES_PASS: "{{ .WINDMILL__POSTGRES_PASS }}"
        INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
  dataFrom:
    - extract:
        key: cloudnative-pg
    - extract:
        key: windmill
--- a/kubernetes/apps/default/windmill/app/helmrelease.yaml
+++ b/kubernetes/apps/default/windmill/app/helmrelease.yaml
@@ -0,0 +1,97 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: &app windmill
 spec:
  interval: 30m
  chart:
    spec:
      chart: windmill
      version: 2.0.234
      sourceRef:
        kind: HelmRepository
        name: windmill
        namespace: flux-system
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      strategy: rollback
      retries: 3
  uninstall:
    keepHistory: false
  values:
    windmill:
      app:
        annotations:
          reloader.stakater.com/auto: "true"
        initContainers:
          - name: init-db
            image: ghcr.io/onedr0p/postgres-init:16
            envFrom:
              - secretRef:
                  name: &secret windmill-secret
          - name: init-grants
            image: ghcr.io/onedr0p/postgres-init:16
            command:
              - /bin/bash
              - -c
              - |
                #!/bin/bash
                set -o errexit
                set -o nounset
                /var/run/grants.sh
            envFrom:
              - secretRef:
                  name: *secret
            volumeMounts:
              - name: grants
                readOnly: true
                subPath: grants.sh
                mountPath: /var/run/grants.sh
        volumes:
          - name: grants
            configMap:
              name: windmill-grants
              defaultMode: 509
      baseDomain: &host "windmill.${SECRET_EXTERNAL_DOMAIN}"
      baseProtocol: https
      appReplicas: 1
      lspReplicas: 1
      multiplayerReplicas: 1
      workerGroups:
        - name: default
          replicas: 2
          resources:
            requests:
              memory: 1028Mi
              cpu: 500m
            limits:
              memory: 2048Mi
        - name: native
          replicas: 1
          resources:
            requests:
              memory: 128Mi
              cpu: 100m
            limits:
              memory: 256Mi
    ingress:
      enabled: true
      className: nginx
      tls:
        - hosts:
            - *host
    postgresql:
      enabled: false
  valuesFrom:
    - kind: Secret
      name: *secret
      valuesKey: WINDMILL_POSTGRES_URL
      targetPath: windmill.databaseUrl
--- a/kubernetes/apps/default/windmill/app/kustomization.yaml
+++ b/kubernetes/apps/default/windmill/app/kustomization.yaml
@@ -0,0 +1,17 @@
 ---
 # yaml-language-server: $schema=https://json.schemastore.org/kustomization
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: default
 resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
  - ../../../../templates/gatus/guarded
 configMapGenerator:
  - name: windmill-grants
    files:
      - ./scripts/grants.sh
 generatorOptions:
  disableNameSuffixHash: true
  annotations:
    kustomize.toolkit.fluxcd.io/substitute: disabled
--- a/kubernetes/apps/default/windmill/app/scripts/grants.sh
+++ b/kubernetes/apps/default/windmill/app/scripts/grants.sh
@@ -0,0 +1,60 @@
 #!/usr/bin/env bash
 export INIT_POSTGRES_SUPER_USER=${INIT_POSTGRES_SUPER_USER:-postgres}
 export INIT_POSTGRES_PORT=${INIT_POSTGRES_PORT:-5432}
 if [[ -z "${INIT_POSTGRES_HOST}"       ||
      -z "${INIT_POSTGRES_SUPER_PASS}" ||
      -z "${INIT_POSTGRES_USER}"       ||
      -z "${INIT_POSTGRES_PASS}"       ||
      -z "${INIT_POSTGRES_DBNAME}"
 ]]; then
    printf "\e[1;32m%-6s\e[m\n" "Invalid configuration - missing a required environment variable"
    [[ -z "${INIT_POSTGRES_HOST}" ]]       && printf "\e[1;32m%-6s\e[m\n" "INIT_POSTGRES_HOST: unset"
    [[ -z "${INIT_POSTGRES_SUPER_PASS}" ]] && printf "\e[1;32m%-6s\e[m\n" "INIT_POSTGRES_SUPER_PASS: unset"
    [[ -z "${INIT_POSTGRES_USER}" ]]       && printf "\e[1;32m%-6s\e[m\n" "INIT_POSTGRES_USER: unset"
    [[ -z "${INIT_POSTGRES_PASS}" ]]       && printf "\e[1;32m%-6s\e[m\n" "INIT_POSTGRES_PASS: unset"
    [[ -z "${INIT_POSTGRES_DBNAME}" ]]     && printf "\e[1;32m%-6s\e[m\n" "INIT_POSTGRES_DBNAME: unset"
    exit 1
 fi
 # These env are for the psql CLI
 export PGHOST="${INIT_POSTGRES_HOST}"
 export PGUSER="${INIT_POSTGRES_SUPER_USER}"
 export PGPASSWORD="${INIT_POSTGRES_SUPER_PASS}"
 export PGPORT="${INIT_POSTGRES_PORT}"
 until pg_isready; do
    printf "\e[1;32m%-6s\e[m\n" "Waiting for Host '${PGHOST}' on port '${PGPORT}' ..."
    sleep 1
 done
 for dbname in ${INIT_POSTGRES_DBNAME}; do
    printf "\e[1;32m%-6s\e[m\n" "Update User Privileges on Database ..."
    psql --dbname ${dbname} -c "
        DO \$\$
    BEGIN
        IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'windmill_user') THEN
            CREATE ROLE windmill_user;
        END IF;
    END
    \$\$;
    DO \$\$
    BEGIN
        IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'windmill_admin') THEN
            CREATE ROLE windmill_admin WITH BYPASSRLS;
        END IF;
    END
    \$\$;
    GRANT ALL ON ALL TABLES IN SCHEMA public TO windmill_user;
    GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO windmill_user;
    ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO windmill_user;
    ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO windmill_user;
    GRANT windmill_user TO windmill_admin;
    GRANT windmill_admin TO ${INIT_POSTGRES_USER};
    GRANT windmill_user TO ${INIT_POSTGRES_USER};
    GRANT USAGE ON SCHEMA public TO windmill_admin;
    GRANT USAGE ON SCHEMA public TO windmill_user;"
 done
--- a/kubernetes/apps/default/windmill/ks.yaml
+++ b/kubernetes/apps/default/windmill/ks.yaml
@@ -0,0 +1,27 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: &app windmill
  namespace: flux-system
 spec:
  targetNamespace: default
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: external-secrets-stores
  path: ./kubernetes/apps/default/windmill/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: home-ops-kubernetes
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
  postBuild:
    substitute:
      APP: *app
      GATUS_SUBDOMAIN: sh
--- a/kubernetes/flux/repositories/helm/kustomization.yaml
+++ b/kubernetes/flux/repositories/helm/kustomization.yaml
@@ -32,4 +32,5 @@ resources:
  - ./stakater.yaml
  - ./stevehipwell.yaml
  - ./vector.yaml
  - ./windmill.yaml
  - ./xenitab.yaml
--- a/kubernetes/flux/repositories/helm/windmill.yaml
+++ b/kubernetes/flux/repositories/helm/windmill.yaml
@@ -0,0 +1,10 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1beta2.json
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: windmill
  namespace: flux-system
 spec:
  interval: 2h
  url: https://windmill-labs.github.io/windmill-helm-charts/