gitops/plane: fix issuer on ingress
@@ -1,18 +0,0 @@
|
||||
apiVersion: external-secrets.io/v1
|
||||
kind: SecretStore
|
||||
metadata:
|
||||
name: vault-backend
|
||||
namespace: external-secrets
|
||||
spec:
|
||||
provider:
|
||||
vault:
|
||||
server: "https://vault.hrajfrisbee.cz:8200"
|
||||
path: "secret"
|
||||
version: "v2"
|
||||
auth:
|
||||
appRole:
|
||||
path: "approle"
|
||||
roleId: "864e352d-2064-2bf9-2c73-dbd676a95368" # or reference a secret
|
||||
secretRef:
|
||||
name: vault-approle
|
||||
key: secret-id
|
||||
@@ -11,11 +11,13 @@ spec:
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: ingress-nginx
|
||||
version: 4.12.0
|
||||
version: 4.14.1
|
||||
values:
|
||||
controller:
|
||||
admissionWebhooks:
|
||||
enabled: false
|
||||
patch:
|
||||
enabled: false
|
||||
config:
|
||||
annotations-risk-level: "Critical"
|
||||
interval: 5m0s
|
||||
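Review bot: `annotations-risk-level: "Critical"` under `controller.config` sets the controller's annotation validation to its most permissive level, which is what re-enables the `*-snippet` annotations that the nextcloud HelmRelease later in this commit relies on (`nginx.ingress.kubernetes.io/server-snippet`); the default rejects them because anyone who can create an Ingress then gets to inject raw nginx configuration into the shared controller. If only one namespace needs snippets, consider keeping the default, or at least record the trade-off in a comment above the key, e.g. `# Critical is required for the server-snippet annotation used by nextcloud; every Ingress author in the cluster can then inject nginx config`. The file header for this hunk is not rendered on the page and the old/new side of these lines is not recoverable here, so this applies to whichever of them the commit introduces.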
@@ -0,0 +1,19 @@
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: mariadb-operator-crds
|
||||
namespace: mariadb-operator
|
||||
spec:
|
||||
interval: 1h
|
||||
chart:
|
||||
spec:
|
||||
chart: mariadb-operator-crds
|
||||
version: "25.10.*"
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: mariadb-operator
|
||||
namespace: flux-system
|
||||
install:
|
||||
crds: Create
|
||||
upgrade:
|
||||
crds: CreateReplace
|
||||
@@ -0,0 +1,31 @@
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: mariadb-operator
|
||||
namespace: mariadb-operator
|
||||
spec:
|
||||
interval: 1h
|
||||
dependsOn:
|
||||
- name: mariadb-operator-crds
|
||||
chart:
|
||||
spec:
|
||||
chart: mariadb-operator
|
||||
version: "25.10.*"
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: mariadb-operator
|
||||
namespace: flux-system
|
||||
values:
|
||||
# uses built-in cert-controller for webhook TLS (no cert-manager dep)
|
||||
webhook:
|
||||
cert:
|
||||
certManager:
|
||||
enabled: false
|
||||
# disable HA for operator itself (fine for testing)
|
||||
ha:
|
||||
enabled: false
|
||||
# optional: enable metrics
|
||||
metrics:
|
||||
enabled: false
|
||||
serviceMonitor:
|
||||
enabled: false
|
||||
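Review bot: `version: "25.10.*"` on both this HelmRelease and the `mariadb-operator-crds` one in the preceding hunk lets Flux roll the operator and its CRDs forward to any new patch release without a commit, which removes the review step for a component that typically needs cluster-scoped permissions. Pinning an exact version (and letting an automation PR propose bumps) keeps every upgrade visible in git history. The `# disable HA for operator itself (fine for testing)` comment suggests a test deployment; if so, a one-line comment at the top of `values:` saying that would make the intent explicit for the next reader.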
@@ -0,0 +1,8 @@
|
||||
apiVersion: source.toolkit.fluxcd.io/v1
|
||||
kind: HelmRepository
|
||||
metadata:
|
||||
name: mariadb-operator
|
||||
namespace: flux-system
|
||||
spec:
|
||||
interval: 1h
|
||||
url: https://helm.mariadb.com/mariadb-operator
|
||||
4
gitops/home-kubernetes/mariadb-operator/namespace.yaml
Normal file
4
gitops/home-kubernetes/mariadb-operator/namespace.yaml
Normal file
@@ -0,0 +1,4 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: mariadb-operator
|
||||
34
gitops/home-kubernetes/next-cloud/externalsecret.yaml
Normal file
34
gitops/home-kubernetes/next-cloud/externalsecret.yaml
Normal file
@@ -0,0 +1,34 @@
|
||||
apiVersion: external-secrets.io/v1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: nextcloud-secrets
|
||||
namespace: nextcloud
|
||||
spec:
|
||||
refreshInterval: 1h
|
||||
secretStoreRef:
|
||||
name: vault-backend # or your store
|
||||
kind: ClusterSecretStore
|
||||
target:
|
||||
name: nextcloud-secrets
|
||||
creationPolicy: Owner
|
||||
data:
|
||||
- secretKey: nextcloud-password
|
||||
remoteRef:
|
||||
key: k8s_home/nextcloud/admin
|
||||
property: password
|
||||
- secretKey: nextcloud-username
|
||||
remoteRef:
|
||||
key: k8s_home/nextcloud/admin
|
||||
property: username
|
||||
- secretKey: db-username
|
||||
remoteRef:
|
||||
key: k8s_home/nextcloud/postgres
|
||||
property: db-username
|
||||
- secretKey: postgres-password
|
||||
remoteRef:
|
||||
key: k8s_home/nextcloud/postgres
|
||||
property: password
|
||||
- secretKey: redis-password
|
||||
remoteRef:
|
||||
key: k8s_home/nextcloud/redis
|
||||
property: password
|
||||
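Review bot: `secretStoreRef` uses `kind: ClusterSecretStore` with `name: vault-backend`, but the only `vault-backend` store visible in this commit is the namespaced `SecretStore` deleted in the first hunk; unless a ClusterSecretStore of that name exists elsewhere in the repo, this ExternalSecret will not sync. The `# or your store` comment here (and on the seafile ExternalSecret) reads as a template leftover and could be dropped. `nextcloud-username` is populated from Vault, yet the nextcloud HelmRelease hardcodes `username: admin` with `usernameKey` commented out, so one of the two should be made authoritative.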
263
gitops/home-kubernetes/next-cloud/helmrelease.yaml
Normal file
263
gitops/home-kubernetes/next-cloud/helmrelease.yaml
Normal file
@@ -0,0 +1,263 @@
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: nextcloud
|
||||
namespace: nextcloud
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m # Nextcloud init can be slow
|
||||
chart:
|
||||
spec:
|
||||
chart: nextcloud
|
||||
version: "8.6.0" # Latest as of Jan 2025
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: nextcloud
|
||||
namespace: flux-system
|
||||
interval: 12h
|
||||
install:
|
||||
crds: CreateReplace
|
||||
remediation:
|
||||
retries: 3
|
||||
upgrade:
|
||||
crds: CreateReplace
|
||||
cleanupOnFail: true
|
||||
remediation:
|
||||
retries: 3
|
||||
remediateLastFailure: true
|
||||
# CRITICAL: Suspend during major version upgrades to prevent restart loops
|
||||
# suspend: true
|
||||
values:
|
||||
image:
|
||||
repository: nextcloud
|
||||
tag: 32.0.3-apache # Latest as of Jan 2025. For fresh installs only.
|
||||
# UPGRADE PATH: If upgrading from older version, go sequentially:
|
||||
# 29.x → 30.0.x → 31.0.x → 32.0.x (one major at a time)
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
replicaCount: 1 # >1 requires Redis, see below
|
||||
|
||||
nextcloud:
|
||||
host: nextcloud.lab.home.hrajfrisbee.cz # Substitute or hardcode
|
||||
# existingSecret: nextcloud-admin # Alternative to inline credentials
|
||||
existingSecret:
|
||||
enabled: true
|
||||
secretName: nextcloud-secrets
|
||||
# usernameKey: username
|
||||
passwordKey: nextcloud-password
|
||||
|
||||
username: admin
|
||||
# password set via valuesFrom secret
|
||||
|
||||
|
||||
# PHP tuning - critical for stability
|
||||
phpConfigs:
|
||||
uploadLimit.ini: |
|
||||
upload_max_filesize = 16G
|
||||
post_max_size = 16G
|
||||
max_input_time = 3600
|
||||
max_execution_time = 3600
|
||||
www-conf.ini: |
|
||||
[www]
|
||||
pm = dynamic
|
||||
pm.max_children = 20
|
||||
pm.start_servers = 4
|
||||
pm.min_spare_servers = 2
|
||||
pm.max_spare_servers = 6
|
||||
pm.max_requests = 500
|
||||
memory.ini: |
|
||||
memory_limit = 1G
|
||||
opcache.ini: |
|
||||
opcache.enable = 1
|
||||
opcache.interned_strings_buffer = 32
|
||||
opcache.max_accelerated_files = 10000
|
||||
opcache.memory_consumption = 256
|
||||
opcache.save_comments = 1
|
||||
opcache.revalidate_freq = 60
|
||||
; Set to 0 if using ConfigMap-mounted configs
|
||||
|
||||
configs:
|
||||
# Proxy and overwrite settings - CRITICAL for ingress
|
||||
proxy.config.php: |-
|
||||
<?php
|
||||
$CONFIG = array (
|
||||
'trusted_proxies' => array(
|
||||
0 => '127.0.0.1',
|
||||
1 => '10.0.0.0/8',
|
||||
2 => '172.16.0.0/12',
|
||||
3 => '192.168.0.0/16',
|
||||
),
|
||||
'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),
|
||||
'overwriteprotocol' => 'https',
|
||||
);
|
||||
|
||||
# Performance and maintenance
|
||||
custom.config.php: |-
|
||||
<?php
|
||||
$CONFIG = array (
|
||||
'default_phone_region' => 'US',
|
||||
'maintenance_window_start' => 1,
|
||||
'filelocking.enabled' => true,
|
||||
'memcache.local' => '\\OC\\Memcache\\APCu',
|
||||
'memcache.distributed' => '\\OC\\Memcache\\Redis',
|
||||
'memcache.locking' => '\\OC\\Memcache\\Redis',
|
||||
'redis' => array(
|
||||
'host' => 'nextcloud-redis-master',
|
||||
'port' => 6379,
|
||||
'password' => getenv('REDIS_PASSWORD'),
|
||||
),
|
||||
);
|
||||
|
||||
extraEnv:
|
||||
- name: REDIS_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: nextcloud-secrets
|
||||
key: redis-password
|
||||
|
||||
# Ingress - adjust for your ingress controller
|
||||
ingress:
|
||||
enabled: true
|
||||
className: nginx # or traefik, etc.
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: "16G"
|
||||
nginx.ingress.kubernetes.io/proxy-connect-timeout: "3600"
|
||||
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
|
||||
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
|
||||
nginx.ingress.kubernetes.io/server-snippet: |
|
||||
server_tokens off;
|
||||
proxy_hide_header X-Powered-By;
|
||||
rewrite ^/.well-known/webfinger /index.php/.well-known/webfinger last;
|
||||
rewrite ^/.well-known/nodeinfo /index.php/.well-known/nodeinfo last;
|
||||
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
|
||||
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json;
|
||||
location = /.well-known/carddav {
|
||||
return 301 $scheme://$host/remote.php/dav;
|
||||
}
|
||||
location = /.well-known/caldav {
|
||||
return 301 $scheme://$host/remote.php/dav;
|
||||
}
|
||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||
tls:
|
||||
- secretName: nextcloud-tls
|
||||
hosts:
|
||||
- nextcloud.lab.home.hrajfrisbee.cz
|
||||
|
||||
# PostgreSQL - strongly recommended over MariaDB for Nextcloud
|
||||
postgresql:
|
||||
enabled: true
|
||||
global:
|
||||
postgresql:
|
||||
auth:
|
||||
username: nextcloud
|
||||
database: nextcloud
|
||||
existingSecret: nextcloud-secrets
|
||||
secretKeys:
|
||||
userPasswordKey: postgres-password
|
||||
primary:
|
||||
persistence:
|
||||
enabled: true
|
||||
size: 8Gi
|
||||
storageClass: "" # Use default or specify
|
||||
resources:
|
||||
requests:
|
||||
memory: 256Mi
|
||||
cpu: 100m
|
||||
limits:
|
||||
memory: 512Mi
|
||||
|
||||
# Redis - required for file locking and sessions
|
||||
redis:
|
||||
enabled: true
|
||||
auth:
|
||||
enabled: true
|
||||
existingSecret: nextcloud-secrets
|
||||
existingSecretPasswordKey: redis-password
|
||||
architecture: standalone
|
||||
master:
|
||||
persistence:
|
||||
enabled: true
|
||||
size: 1Gi
|
||||
|
||||
# Disable built-in databases we're not using
|
||||
mariadb:
|
||||
enabled: false
|
||||
internalDatabase:
|
||||
enabled: false
|
||||
|
||||
externalDatabase:
|
||||
enabled: true
|
||||
type: postgresql
|
||||
host: nextcloud-postgresql # Service name created by subchart
|
||||
user: nextcloud
|
||||
database: nextcloud
|
||||
existingSecret:
|
||||
enabled: true
|
||||
secretName: nextcloud-secrets
|
||||
passwordKey: postgres-password
|
||||
|
||||
# Cron job - CRITICAL: never use AJAX cron
|
||||
cronjob:
|
||||
enabled: true
|
||||
schedule: "*/5 * * * *"
|
||||
resources:
|
||||
requests:
|
||||
memory: 256Mi
|
||||
cpu: 50m
|
||||
limits:
|
||||
memory: 512Mi
|
||||
|
||||
# Main persistence
|
||||
persistence:
|
||||
enabled: true
|
||||
storageClass: "" # Specify your storage class
|
||||
size: 100Gi
|
||||
accessMode: ReadWriteOnce
|
||||
# nextcloudData - separate PVC for user data (recommended)
|
||||
nextcloudData:
|
||||
enabled: true
|
||||
storageClass: ""
|
||||
size: 500Gi
|
||||
accessMode: ReadWriteOnce
|
||||
|
||||
# Resource limits - tune based on usage
|
||||
resources:
|
||||
requests:
|
||||
cpu: 200m
|
||||
memory: 512Mi
|
||||
limits:
|
||||
memory: 2Gi
|
||||
|
||||
# Liveness/Readiness - tuned to prevent upgrade restart loops
|
||||
livenessProbe:
|
||||
enabled: true
|
||||
initialDelaySeconds: 30
|
||||
periodSeconds: 30
|
||||
timeoutSeconds: 10
|
||||
failureThreshold: 6
|
||||
successThreshold: 1
|
||||
readinessProbe:
|
||||
enabled: true
|
||||
initialDelaySeconds: 30
|
||||
periodSeconds: 30
|
||||
timeoutSeconds: 10
|
||||
failureThreshold: 6
|
||||
successThreshold: 1
|
||||
startupProbe:
|
||||
enabled: true
|
||||
initialDelaySeconds: 60
|
||||
periodSeconds: 30
|
||||
timeoutSeconds: 10
|
||||
failureThreshold: 30 # 15 minutes for upgrades
|
||||
|
||||
# Security context - avoid fsGroup recursive chown
|
||||
securityContext:
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
podSecurityContext:
|
||||
fsGroup: 33 # www-data
|
||||
|
||||
# Metrics - optional but recommended
|
||||
metrics:
|
||||
enabled: false # Enable if you have Prometheus
|
||||
# serviceMonitor:
|
||||
# enabled: true
|
||||
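Review bot: `trusted_proxies` in `proxy.config.php` lists 127.0.0.1 plus all three RFC 1918 ranges, so any workload in the pod or node networks can set `X-Forwarded-For` and Nextcloud will log and rate-limit against the spoofed address; narrowing it to the ingress controller's pod CIDR or service IP is the usual fix. `fsGroupChangePolicy` is a pod-level field, so if the chart maps `securityContext` to the container's securityContext this value will be rejected and probably belongs under `podSecurityContext` next to `fsGroup: 33` — worth checking against the chart's values schema. The `# Latest as of Jan 2025` comments on the chart and image versions look stale relative to the values they annotate; something like `# pinned; check the upgrade path comment below before bumping a major` ages better. The rendering drops indentation, so whether `cert-manager.io/cluster-issuer` is a sibling annotation or has fallen inside the `server-snippet` block scalar cannot be told from the page and should be checked in the file.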
8
gitops/home-kubernetes/next-cloud/helmrepository.yaml
Normal file
8
gitops/home-kubernetes/next-cloud/helmrepository.yaml
Normal file
@@ -0,0 +1,8 @@
|
||||
apiVersion: source.toolkit.fluxcd.io/v1
|
||||
kind: HelmRepository
|
||||
metadata:
|
||||
name: nextcloud
|
||||
namespace: flux-system
|
||||
spec:
|
||||
interval: 24h
|
||||
url: https://nextcloud.github.io/helm/
|
||||
7
gitops/home-kubernetes/next-cloud/namespace.yaml
Normal file
7
gitops/home-kubernetes/next-cloud/namespace.yaml
Normal file
@@ -0,0 +1,7 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: nextcloud
|
||||
labels:
|
||||
pod-security.kubernetes.io/enforce: baseline
|
||||
pod-security.kubernetes.io/warn: restricted
|
||||
@@ -33,7 +33,7 @@ spec:
|
||||
rabbitmqHost: "plane-mq.lab.home.hrajfrisbee.cz" # optional
|
||||
ingressClass: nginx
|
||||
ingress_annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-production
|
||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||
nginx.ingress.kubernetes.io/auth-url: "https://oauth2-proxy.lab.home.hrajfrisbee.cz/oauth2/auth"
|
||||
nginx.ingress.kubernetes.io/auth-signin: "https://oauth2-proxy.lab.home.hrajfrisbee.cz/oauth2/start?rd=$scheme://$host$escaped_request_uri"
|
||||
nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,Authorization"
|
||||
|
||||
30
gitops/home-kubernetes/seafile/externalsecret.yaml
Normal file
30
gitops/home-kubernetes/seafile/externalsecret.yaml
Normal file
@@ -0,0 +1,30 @@
|
||||
apiVersion: external-secrets.io/v1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: seafile-secret
|
||||
namespace: seafile
|
||||
spec:
|
||||
refreshInterval: 1h
|
||||
secretStoreRef:
|
||||
name: vault-backend # or your store
|
||||
kind: ClusterSecretStore
|
||||
target:
|
||||
name: seafile-secret
|
||||
creationPolicy: Owner
|
||||
data:
|
||||
- secretKey: JWT_PRIVATE_KEY
|
||||
remoteRef:
|
||||
key: k8s_home/seafile
|
||||
property: JWT_PRIVATE_KEY
|
||||
- secretKey: SEAFILE_MYSQL_DB_PASSWORD
|
||||
remoteRef:
|
||||
key: k8s_home/seafile
|
||||
property: SEAFILE_MYSQL_DB_PASSWORD
|
||||
- secretKey: INIT_SEAFILE_ADMIN_PASSWORD
|
||||
remoteRef:
|
||||
key: k8s_home/seafile
|
||||
property: INIT_SEAFILE_ADMIN_PASSWORD
|
||||
- secretKey: INIT_SEAFILE_MYSQL_ROOT_PASSWORD
|
||||
remoteRef:
|
||||
key: k8s_home/seafile
|
||||
property: INIT_SEAFILE_MYSQL_ROOT_PASSWORD
|
||||
114
gitops/home-kubernetes/seafile/helmrelease.yaml
Normal file
114
gitops/home-kubernetes/seafile/helmrelease.yaml
Normal file
@@ -0,0 +1,114 @@
|
||||
# apps/seafile/helmrelease.yaml
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: seafile
|
||||
namespace: seafile
|
||||
spec:
|
||||
interval: 30m
|
||||
chart:
|
||||
spec:
|
||||
chart: ce
|
||||
version: "13.0.2"
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: seafile
|
||||
namespace: flux-system
|
||||
install:
|
||||
createNamespace: true
|
||||
remediation:
|
||||
retries: 3
|
||||
upgrade:
|
||||
remediation:
|
||||
retries: 3
|
||||
|
||||
# Post-render patches
|
||||
postRenderers:
|
||||
- kustomize:
|
||||
patches:
|
||||
# Remove imagePullSecrets from all Deployments
|
||||
- target:
|
||||
kind: Deployment
|
||||
patch: |
|
||||
- op: remove
|
||||
path: /spec/template/spec/imagePullSecrets
|
||||
# Remove from StatefulSets (MariaDB, etc.)
|
||||
- target:
|
||||
kind: StatefulSet
|
||||
patch: |
|
||||
- op: remove
|
||||
path: /spec/template/spec/imagePullSecrets
|
||||
# Remove from Pods if any
|
||||
- target:
|
||||
kind: Pod
|
||||
patch: |
|
||||
- op: remove
|
||||
path: /spec/imagePullSecrets
|
||||
values:
|
||||
seafile:
|
||||
initMode: true
|
||||
|
||||
# The following are the configurations of seafile container
|
||||
configs:
|
||||
image: seafileltd/seafile-mc:13.0-latest
|
||||
seafileDataVolume:
|
||||
storage: 10Gi
|
||||
|
||||
# The following are environments of seafile services
|
||||
env:
|
||||
# for Seafile server
|
||||
TIME_ZONE: "UTC"
|
||||
SEAFILE_LOG_TO_STDOUT: "true"
|
||||
SITE_ROOT: "/"
|
||||
SEAFILE_SERVER_HOSTNAME: "seafile.lab.home.hrajfrisbee.cz"
|
||||
SEAFILE_SERVER_PROTOCOL: "https"
|
||||
|
||||
# for database
|
||||
SEAFILE_MYSQL_DB_HOST: "seafile-mariadb"
|
||||
SEAFILE_MYSQL_DB_PORT: "3306"
|
||||
SEAFILE_MYSQL_DB_USER: "seafile"
|
||||
#SEAFILE_MYSQL_DB_CCNET_DB_NAME: "ccnet-db"
|
||||
#SEAFILE_MYSQL_DB_SEAFILE_DB_NAME: "seafile-db"
|
||||
#SEAFILE_MYSQL_DB_SEAHUB_DB_NAME: "seahub-db"
|
||||
|
||||
# for cache
|
||||
CACHE_PROVIDER: "redis"
|
||||
|
||||
## for redis
|
||||
REDIS_HOST: "redis"
|
||||
REDIS_PORT: "6379"
|
||||
|
||||
## for memcached
|
||||
#MEMCACHED_HOST: ""
|
||||
#MEMCACHED_PORT: "11211"
|
||||
|
||||
# for notification
|
||||
ENABLE_NOTIFICATION_SERVER: "false"
|
||||
NOTIFICATION_SERVER_URL: ""
|
||||
|
||||
# for seadoc
|
||||
ENABLE_SEADOC: "false"
|
||||
SEADOC_SERVER_URL: "" # only valid in ENABLE_SEADOC = true
|
||||
|
||||
# for Seafile AI
|
||||
ENABLE_SEAFILE_AI: "false"
|
||||
SEAFILE_AI_SERVER_URL: ""
|
||||
|
||||
# for Metadata server
|
||||
MD_FILE_COUNT_LIMIT: "100000"
|
||||
|
||||
# initialization (only valid in first-time deployment and initMode = true)
|
||||
|
||||
## for Seafile admin
|
||||
INIT_SEAFILE_ADMIN_EMAIL: "kacerr.cz@gmail.com"
|
||||
|
||||
# if you are using another secret name / key for seafile or mysql, please make correct the following fields:
|
||||
#secretsMap:
|
||||
# DB_ROOT_PASSWD: # Env's name
|
||||
# secret: seafile-secret # secret's name, `seafile-secret` if not specify
|
||||
# key: INIT_SEAFILE_MYSQL_ROOT_PASSWORD # secret's key, `Env's name` if not specify
|
||||
|
||||
# extra configurations
|
||||
extraResources: {}
|
||||
extraEnv: []
|
||||
extraVolumes: []
|
||||
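Review bot: The three `SEAFILE_MYSQL_DB_*_DB_NAME` env vars are commented out here but set to `ccnet-db`, `seafile-db` and `seahub-db` in `my-values.yaml.src`, and the Database CRs in this commit create exactly those names, so the chart's default database names will be used unless they happen to coincide — the two files should agree, or the `.src` copy should be removed. `image: seafileltd/seafile-mc:13.0-latest` is a floating tag, so the running image can change on any pod restart without a commit; a fixed tag or digest keeps deployments reproducible. The `- op: remove` post-render patches presumably fail rendering if a targeted `Deployment`/`StatefulSet`/`Pod` has no `imagePullSecrets`, since JSON patch `remove` on a missing path is an error — worth confirming against the chart's output. `initMode: true` has to be flipped after first start per the readme in this commit; a comment on that line pointing at the step would help.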
8
gitops/home-kubernetes/seafile/helmrepository.yaml
Normal file
8
gitops/home-kubernetes/seafile/helmrepository.yaml
Normal file
@@ -0,0 +1,8 @@
|
||||
apiVersion: source.toolkit.fluxcd.io/v1
|
||||
kind: HelmRepository
|
||||
metadata:
|
||||
name: seafile
|
||||
namespace: flux-system
|
||||
spec:
|
||||
interval: 1h
|
||||
url: https://haiwen.github.io/seafile-helm-chart/repo
|
||||
35
gitops/home-kubernetes/seafile/ingress.yaml
Normal file
35
gitops/home-kubernetes/seafile/ingress.yaml
Normal file
@@ -0,0 +1,35 @@
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||
meta.helm.sh/release-name: seafile
|
||||
meta.helm.sh/release-namespace: seafile
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: "100m" # 0 = unlimited, or "500m"
|
||||
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
|
||||
nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
|
||||
nginx.ingress.kubernetes.io/proxy-request-buffering: "off"
|
||||
labels:
|
||||
app.kubernetes.io/component: app
|
||||
app.kubernetes.io/instance: seafile
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/name: seafile
|
||||
name: seafile
|
||||
namespace: seafile
|
||||
spec:
|
||||
ingressClassName: nginx
|
||||
rules:
|
||||
- host: seafile.lab.home.hrajfrisbee.cz
|
||||
http:
|
||||
paths:
|
||||
- backend:
|
||||
service:
|
||||
name: seafile
|
||||
port:
|
||||
number: 80
|
||||
path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- seafile.lab.home.hrajfrisbee.cz
|
||||
secretName: seafile-tls
|
||||
@@ -0,0 +1,10 @@
|
||||
apiVersion: k8s.mariadb.com/v1alpha1
|
||||
kind: Database
|
||||
metadata:
|
||||
name: ccnet-db
|
||||
namespace: seafile
|
||||
spec:
|
||||
mariaDbRef:
|
||||
name: seafile-mariadb
|
||||
characterSet: utf8mb4
|
||||
collate: utf8mb4_general_ci
|
||||
@@ -0,0 +1,10 @@
|
||||
apiVersion: k8s.mariadb.com/v1alpha1
|
||||
kind: Database
|
||||
metadata:
|
||||
name: seafile-db
|
||||
namespace: seafile
|
||||
spec:
|
||||
mariaDbRef:
|
||||
name: seafile-mariadb
|
||||
characterSet: utf8mb4
|
||||
collate: utf8mb4_general_ci
|
||||
@@ -0,0 +1,10 @@
|
||||
apiVersion: k8s.mariadb.com/v1alpha1
|
||||
kind: Database
|
||||
metadata:
|
||||
name: seahub-db
|
||||
namespace: seafile
|
||||
spec:
|
||||
mariaDbRef:
|
||||
name: seafile-mariadb
|
||||
characterSet: utf8mb4
|
||||
collate: utf8mb4_general_ci
|
||||
61
gitops/home-kubernetes/seafile/mariadb-grant-seafile.yaml
Normal file
61
gitops/home-kubernetes/seafile/mariadb-grant-seafile.yaml
Normal file
@@ -0,0 +1,61 @@
|
||||
apiVersion: k8s.mariadb.com/v1alpha1
|
||||
kind: Grant
|
||||
metadata:
|
||||
name: all-privileges
|
||||
spec:
|
||||
mariaDbRef:
|
||||
name: seafile-mariadb
|
||||
username: seafile
|
||||
database: "*"
|
||||
table: "*"
|
||||
privileges:
|
||||
- ALL PRIVILEGES
|
||||
grantOption: true
|
||||
# ---
|
||||
# apiVersion: k8s.mariadb.com/v1alpha1
|
||||
# kind: Grant
|
||||
# metadata:
|
||||
# name: seafile-grant
|
||||
# namespace: seafile
|
||||
# spec:
|
||||
# mariaDbRef:
|
||||
# name: seafile-mariadb
|
||||
# privileges:
|
||||
# - ALL PRIVILEGES
|
||||
# database: seafile-db
|
||||
# table: "*"
|
||||
# username: seafile
|
||||
# host: "%"
|
||||
# grantOption: false
|
||||
# ---
|
||||
# apiVersion: k8s.mariadb.com/v1alpha1
|
||||
# kind: Grant
|
||||
# metadata:
|
||||
# name: seahub-grant
|
||||
# namespace: seafile
|
||||
# spec:
|
||||
# mariaDbRef:
|
||||
# name: seafile-mariadb
|
||||
# privileges:
|
||||
# - ALL PRIVILEGES
|
||||
# database: seahub-db
|
||||
# table: "*"
|
||||
# username: seafile
|
||||
# host: "%"
|
||||
# grantOption: false
|
||||
# ---
|
||||
# apiVersion: k8s.mariadb.com/v1alpha1
|
||||
# kind: Grant
|
||||
# metadata:
|
||||
# name: ccnet-grant
|
||||
# namespace: seafile
|
||||
# spec:
|
||||
# mariaDbRef:
|
||||
# name: seafile-mariadb
|
||||
# privileges:
|
||||
# - ALL PRIVILEGES
|
||||
# database: ccnet-db
|
||||
# table: "*"
|
||||
# username: seafile
|
||||
# host: "%"
|
||||
# grantOption: false
|
||||
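Review bot: The active Grant gives user `seafile` `ALL PRIVILEGES` on `database: "*"` / `table: "*"` with `grantOption: true`, which makes the application account equivalent to root on the whole MariaDB instance (it can create users and grant itself anything), and `metadata` carries no `namespace`, so placement depends on whatever the applying Kustomization defaults to. The commented-out per-database Grants below (`seafile-db`, `seahub-db`, `ccnet-db`, each with `grantOption: false`) are the least-privilege shape; if they were disabled because the init step needs more, a comment naming that step and stating that the wide grant is to be removed once `initMode` is switched off would record the intent. At minimum, dropping `grantOption: true` costs the application nothing.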
13
gitops/home-kubernetes/seafile/mariadb-user.yaml
Normal file
13
gitops/home-kubernetes/seafile/mariadb-user.yaml
Normal file
@@ -0,0 +1,13 @@
|
||||
apiVersion: k8s.mariadb.com/v1alpha1
|
||||
kind: User
|
||||
metadata:
|
||||
name: seafile
|
||||
namespace: seafile
|
||||
spec:
|
||||
mariaDbRef:
|
||||
name: seafile-mariadb
|
||||
passwordSecretKeyRef:
|
||||
name: seafile-secret
|
||||
key: SEAFILE_MYSQL_DB_PASSWORD
|
||||
maxUserConnections: 20
|
||||
host: "%"
|
||||
33
gitops/home-kubernetes/seafile/mariadb.yaml
Normal file
33
gitops/home-kubernetes/seafile/mariadb.yaml
Normal file
@@ -0,0 +1,33 @@
|
||||
apiVersion: k8s.mariadb.com/v1alpha1
|
||||
kind: MariaDB
|
||||
metadata:
|
||||
name: seafile-mariadb
|
||||
namespace: seafile
|
||||
spec:
|
||||
rootPasswordSecretKeyRef:
|
||||
name: seafile-secret
|
||||
key: INIT_SEAFILE_MYSQL_ROOT_PASSWORD
|
||||
|
||||
image: mariadb:11.4
|
||||
|
||||
port: 3306
|
||||
|
||||
storage:
|
||||
size: 10Gi
|
||||
# storageClassName: your-storage-class
|
||||
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 256Mi
|
||||
limits:
|
||||
memory: 1Gi
|
||||
|
||||
myCnf: |
|
||||
[mariadb]
|
||||
bind-address=*
|
||||
default_storage_engine=InnoDB
|
||||
binlog_format=row
|
||||
innodb_autoinc_lock_mode=2
|
||||
innodb_buffer_pool_size=256M
|
||||
max_allowed_packet=256M
|
||||
39
gitops/home-kubernetes/seafile/memcached.yaml
Normal file
39
gitops/home-kubernetes/seafile/memcached.yaml
Normal file
@@ -0,0 +1,39 @@
|
||||
# apiVersion: apps/v1
|
||||
# kind: Deployment
|
||||
# metadata:
|
||||
# name: seafile-memcached
|
||||
# namespace: seafile
|
||||
# spec:
|
||||
# replicas: 1
|
||||
# selector:
|
||||
# matchLabels:
|
||||
# app: seafile-memcached
|
||||
# template:
|
||||
# metadata:
|
||||
# labels:
|
||||
# app: seafile-memcached
|
||||
# spec:
|
||||
# containers:
|
||||
# - name: memcached
|
||||
# image: memcached:1.6-alpine
|
||||
# args: ["-m", "128"] # 128MB memory limit
|
||||
# ports:
|
||||
# - containerPort: 11211
|
||||
# resources:
|
||||
# requests:
|
||||
# memory: 64Mi
|
||||
# cpu: 25m
|
||||
# limits:
|
||||
# memory: 192Mi
|
||||
# ---
|
||||
# apiVersion: v1
|
||||
# kind: Service
|
||||
# metadata:
|
||||
# name: seafile-memcached
|
||||
# namespace: seafile
|
||||
# spec:
|
||||
# selector:
|
||||
# app: seafile-memcached
|
||||
# ports:
|
||||
# - port: 11211
|
||||
# targetPort: 11211
|
||||
67
gitops/home-kubernetes/seafile/my-values.yaml.src
Normal file
67
gitops/home-kubernetes/seafile/my-values.yaml.src
Normal file
@@ -0,0 +1,67 @@
|
||||
seafile:
|
||||
initMode: true
|
||||
|
||||
# The following are the configurations of seafile container
|
||||
configs:
|
||||
image: seafileltd/seafile-mc:13.0-latest
|
||||
seafileDataVolume:
|
||||
storage: 10Gi
|
||||
|
||||
# The following are environments of seafile services
|
||||
env:
|
||||
# for Seafile server
|
||||
TIME_ZONE: "UTC"
|
||||
SEAFILE_LOG_TO_STDOUT: "true"
|
||||
SITE_ROOT: "/"
|
||||
SEAFILE_SERVER_HOSTNAME: "seafile.lab.home.hrajfrisbee.cz"
|
||||
SEAFILE_SERVER_PROTOCOL: "https"
|
||||
|
||||
# for database
|
||||
SEAFILE_MYSQL_DB_HOST: "seafile-mariadb"
|
||||
SEAFILE_MYSQL_DB_PORT: "3306"
|
||||
SEAFILE_MYSQL_DB_USER: "seafile"
|
||||
SEAFILE_MYSQL_DB_CCNET_DB_NAME: "ccnet-db"
|
||||
SEAFILE_MYSQL_DB_SEAFILE_DB_NAME: "seafile-db"
|
||||
SEAFILE_MYSQL_DB_SEAHUB_DB_NAME: "seahub-db"
|
||||
|
||||
# for cache
|
||||
CACHE_PROVIDER: "redis"
|
||||
|
||||
## for redis
|
||||
REDIS_HOST: "redis"
|
||||
REDIS_PORT: "6379"
|
||||
|
||||
## for memcached
|
||||
#MEMCACHED_HOST: ""
|
||||
#MEMCACHED_PORT: "11211"
|
||||
|
||||
# for notification
|
||||
ENABLE_NOTIFICATION_SERVER: "false"
|
||||
NOTIFICATION_SERVER_URL: ""
|
||||
|
||||
# for seadoc
|
||||
ENABLE_SEADOC: "false"
|
||||
SEADOC_SERVER_URL: "" # only valid in ENABLE_SEADOC = true
|
||||
|
||||
# for Seafile AI
|
||||
ENABLE_SEAFILE_AI: "false"
|
||||
SEAFILE_AI_SERVER_URL: ""
|
||||
|
||||
# for Metadata server
|
||||
MD_FILE_COUNT_LIMIT: "100000"
|
||||
|
||||
# initialization (only valid in first-time deployment and initMode = true)
|
||||
|
||||
## for Seafile admin
|
||||
INIT_SEAFILE_ADMIN_EMAIL: "kacerr.cz@gmail.com"
|
||||
|
||||
# if you are using another secret name / key for seafile or mysql, please make correct the following fields:
|
||||
#secretsMap:
|
||||
# DB_ROOT_PASSWD: # Env's name
|
||||
# secret: seafile-secret # secret's name, `seafile-secret` if not specify
|
||||
# key: INIT_SEAFILE_MYSQL_ROOT_PASSWORD # secret's key, `Env's name` if not specify
|
||||
|
||||
# extra configurations
|
||||
extraResources: {}
|
||||
extraEnv: []
|
||||
extraVolumes: []
|
||||
6
gitops/home-kubernetes/seafile/namespace.yaml
Normal file
6
gitops/home-kubernetes/seafile/namespace.yaml
Normal file
@@ -0,0 +1,6 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
labels:
|
||||
kubernetes.io/metadata.name: seafile
|
||||
name: seafile
|
||||
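Review bot: This Namespace carries no `pod-security.kubernetes.io/*` labels, unlike the nextcloud Namespace in this commit which sets `enforce: baseline` and `warn: restricted`; the `mariadb-operator` Namespace earlier in the commit is in the same state. Adding `pod-security.kubernetes.io/enforce: baseline` and `pod-security.kubernetes.io/warn: restricted` here keeps the admission posture uniform across the new namespaces. The explicit `kubernetes.io/metadata.name: seafile` label appears to be redundant, since the API server sets that label on namespaces itself.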
4
gitops/home-kubernetes/seafile/readme.md
Normal file
4
gitops/home-kubernetes/seafile/readme.md
Normal file
@@ -0,0 +1,4 @@
|
||||
## deployment
|
||||
|
||||
it looks like seafile deployment is not "straightforward" it first has to be started in `initialization mode` - `initMode: true` and after initialization switched into `normal` mode.
|
||||
|
||||
84
gitops/home-kubernetes/seafile/redis-full-deployment.yaml
Normal file
84
gitops/home-kubernetes/seafile/redis-full-deployment.yaml
Normal file
@@ -0,0 +1,84 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: redis-config
|
||||
namespace: seafile
|
||||
data:
|
||||
redis.conf: |
|
||||
maxmemory 128mb
|
||||
maxmemory-policy allkeys-lru
|
||||
appendonly yes
|
||||
appendfsync everysec
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: redis
|
||||
namespace: seafile
|
||||
labels:
|
||||
app: redis
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: redis
|
||||
strategy:
|
||||
type: Recreate
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: redis
|
||||
spec:
|
||||
containers:
|
||||
- name: redis
|
||||
image: redis:7-alpine
|
||||
args:
|
||||
- redis-server
|
||||
- /etc/redis/redis.conf
|
||||
ports:
|
||||
- containerPort: 6379
|
||||
name: redis
|
||||
resources:
|
||||
requests:
|
||||
cpu: 50m
|
||||
memory: 64Mi
|
||||
limits:
|
||||
memory: 256Mi
|
||||
volumeMounts:
|
||||
- name: redis-config
|
||||
mountPath: /etc/redis
|
||||
- name: redis-data
|
||||
mountPath: /data
|
||||
livenessProbe:
|
||||
exec:
|
||||
command: [redis-cli, ping]
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 10
|
||||
readinessProbe:
|
||||
exec:
|
||||
command: [redis-cli, ping]
|
||||
initialDelaySeconds: 3
|
||||
periodSeconds: 5
|
||||
volumes:
|
||||
- name: redis-config
|
||||
configMap:
|
||||
name: redis-config
|
||||
- name: redis-data
|
||||
emptyDir: {}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: redis
|
||||
namespace: seafile
|
||||
labels:
|
||||
app: redis
|
||||
spec:
|
||||
selector:
|
||||
app: redis
|
||||
ports:
|
||||
- port: 6379
|
||||
targetPort: 6379
|
||||
name: redis
|
||||
type: ClusterIP
|
||||
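Review bot: The redis Deployment runs with no `requirepass` in `redis.conf` and the Service exposes 6379 with no NetworkPolicy in this commit, so any pod that can reach the `seafile` namespace can read or poison Seafile's cache and session data; the nextcloud release in the same commit does enable redis auth, so the two deployments are inconsistent. `appendonly yes` with `appendfsync everysec` is paired with an `emptyDir` volume, so the AOF vanishes with the pod anyway and only adds fsync I/O; either drop persistence or back `/data` with a PVC. A NetworkPolicy restricting ingress to the seafile app pods, or a `requirepass` fed from `seafile-secret`, would close the first gap.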