Compare revisions

Janne Mareike Koschinski · Janne Mareike Koschinski · ec9e5aa1 · 2926c90c · 2926c90c · ec9e5aa1
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -8,6 +8,7 @@ stages:
  - release
 include:
  - /actual/pipeline.yml
+  - /fdroid-repo/pipeline.yml
  - /flood/pipeline.yml
  - /imghost/pipeline.yml
  - /jellyfin/pipeline.yml
@@ -17,6 +18,7 @@ include:
  - /powerdns/pipeline.yml
  - /postgresql/pipeline.yml
  - /quassel/pipeline.yml
+  - /quassel-search/pipeline.yml
  - /restic/pipeline.yml
  - /rtorrent/pipeline.yml
  - /seafile/pipeline.yml
--- a/actual/Chart.yaml
+++ b/actual/Chart.yaml
-apiVersion: v2
-name: actual
-description: Helm Chart for actual
-type: application
-version: 1.1.0
-appVersion: "sha-529c42c-alpine"
--- a/actual/templates/configmap.yaml
+++ b/actual/templates/configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ include "actual-helm.fullname" . }}
-  labels:
-    {{- include "actual-helm.labels" . | nindent 4 }}
-data:
-  "config.json": |-
-    {
-      "mode": "production",
-      "port": 8080,
-      "hostname": "0.0.0.0",
-      "serverFiles": "/data/server-files",
-      "userFiles": "/data/user-files",
-      "sync": "{{ .Values.syncMode }}"
-    }
--- a/fdroid-repo/Chart.yaml
+++ b/fdroid-repo/Chart.yaml
+apiVersion: v2
+name: fdroid-repo
+description: Helm Chart for fdroid-repo
+type: application
+version: 1.0.0
+appVersion: "0.2.0"
--- a/actual/pipeline.yml
+++ b/actual/pipeline.yml
-lint-actual:
+lint-fdroid-repo:
  stage: lint
  rules:
    - changes:
-        - actual/**/*
+        - fdroid-repo/**/*
  script:
-    - helm lint actual
+    - helm lint fdroid-repo

-release-actual:
+release-fdroid-repo:
  stage: release
  needs:
-    - lint-actual
+    - lint-fdroid-repo
  rules:
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
      changes:
-        - actual/**/*
+        - fdroid-repo/**/*
  script:
    - apk add --no-cache git
    - helm plugin install https://github.com/chartmuseum/helm-push.git
    - helm repo add --username gitlab-ci-token --password $CI_JOB_TOKEN repo ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/stable
-    - helm cm-push actual repo
+    - helm cm-push fdroid-repo repo
--- a/actual/templates/_helpers.tpl
+++ b/actual/templates/_helpers.tpl
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "actual-helm.name" -}}
+{{- define "fdroid-repo-helm.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}

@@ -10,7 +10,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "actual-helm.fullname" -}}
+{{- define "fdroid-repo-helm.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
@@ -26,16 +26,16 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "actual-helm.chart" -}}
+{{- define "fdroid-repo-helm.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}

 {{/*
 Common labels
 */}}
-{{- define "actual-helm.labels" -}}
-helm.sh/chart: {{ include "actual-helm.chart" . }}
-{{ include "actual-helm.selectorLabels" . }}
+{{- define "fdroid-repo-helm.labels" -}}
+helm.sh/chart: {{ include "fdroid-repo-helm.chart" . }}
+{{ include "fdroid-repo-helm.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
@@ -45,12 +45,12 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{/*
 Selector labels
 */}}
-{{- define "actual-helm.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "actual-helm.name" . }}
+{{- define "fdroid-repo-helm.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "fdroid-repo-helm.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}


-{{- define "actual-helm.sslPath" -}}
+{{- define "fdroid-repo-helm.sslPath" -}}
 /certs
 {{- end }}
--- a/fdroid-repo/templates/cronjob.yaml
+++ b/fdroid-repo/templates/cronjob.yaml
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ include "fdroid-repo-helm.fullname" . }}
+  labels:
+    {{- include "fdroid-repo-helm.labels" . | nindent 4 }}
+spec:
+  concurrencyPolicy: Forbid
+  schedule: "{{ .Values.schedule }}"
+  jobTemplate:
+    metadata:
+      {{- with .Values.jobAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "fdroid-repo-helm.labels" . | nindent 8 }}
+    spec:
+      template:
+        metadata:
+          {{- with .Values.podAnnotations }}
+          annotations:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          labels:
+            {{- include "fdroid-repo-helm.labels" . | nindent 12 }}
+        spec:
+          restartPolicy: OnFailure
+          {{- with .Values.imagePullSecrets }}
+          imagePullSecrets:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          securityContext:
+            {{- toYaml .Values.podSecurityContext | nindent 12 }}
+          volumes:
+            - name: secret
+              secret:
+                secretName: "{{ include "fdroid-repo-helm.fullname" . }}"
+                defaultMode: 0600
+            - name: metadata
+              emptyDir: {}
+            - name: builds
+              emptyDir: {}
+            - name: repo
+              {{- toYaml .Values.volume | nindent 14 }}
+            - name: tmp
+              emptyDir: {}
+            - name: workdir
+              emptyDir: {}
+          initContainers:
+            - name: git
+              securityContext:
+                {{- toYaml .Values.jobSecurityContext | nindent 16 }}
+              image: "{{ .Values.git.repository }}:{{ .Values.git.tag | default "latest" }}"
+              imagePullPolicy: {{ .Values.git.pullPolicy }}
+              volumeMounts:
+                - mountPath: /metadata
+                  name: metadata
+              args:
+                - "clone"
+                - "{{ .Values.fdroid.metadata }}"
+                - "/metadata"
+              resources:
+                {{- toYaml .Values.resources | nindent 16 }}
+            - name: s3
+              securityContext:
+                {{- toYaml .Values.securityContext | nindent 16 }}
+              image: "{{ .Values.s3.repository }}:{{ .Values.s3.tag | default "latest" }}"
+              imagePullPolicy: {{ .Values.s3.pullPolicy }}
+              env:
+                - name: MC_HOST_s3
+                  valueFrom:
+                    secretKeyRef:
+                      name: {{ include "fdroid-repo-helm.fullname" . }}
+                      key: storage
+              volumeMounts:
+                - mountPath: /builds
+                  name: builds
+                - mountPath: /.mc
+                  name: tmp
+              args:
+                - "mirror"
+                - "{{ .Values.fdroid.builds.path }}"
+                - "/builds"
+                - "--preserve"
+                {{ if .Values.fdroid.builds.exclude }}
+                - "--exclude={{ .Values.fdroid.builds.exclude }}"
+                {{ end }}
+              resources:
+                {{- toYaml .Values.resources | nindent 16 }}
+          containers:
+            - name: build
+              securityContext:
+                {{- toYaml .Values.securityContext | nindent 16 }}
+              image: "{{ .Values.build.repository }}:{{ .Values.build.tag | default .Chart.AppVersion }}"
+              imagePullPolicy: {{ .Values.build.pullPolicy }}
+              workingDir: "/workdir"
+              resources:
+                {{- toYaml .Values.resources | nindent 16 }}
+              volumeMounts:
+                - mountPath: "/metadata"
+                  name: metadata
+                - mountPath: "/builds"
+                  name: builds
+                - mountPath: "/fdroid" # permission error
+                  name: repo
+                - mountPath: "/workdir"
+                  name: workdir # failed to set times
+                - mountPath: "/workdir/keystore.bks"
+                  name: secret
+                  subPath: keystore
+                - mountPath: "/workdir/config.yml"
+                  name: secret
+                  subPath: config # should be 0600
+          {{- with .Values.nodeSelector }}
+          nodeSelector:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.affinity }}
+          affinity:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.tolerations }}
+          tolerations:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
--- a/actual/templates/deployment.yaml
+++ b/actual/templates/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "actual-helm.fullname" . }}
+  name: {{ include "fdroid-repo-helm.fullname" . }}
  labels:
-    {{- include "actual-helm.labels" . | nindent 4 }}
+    {{- include "fdroid-repo-helm.labels" . | nindent 4 }}
 spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
-      {{- include "actual-helm.selectorLabels" . | nindent 6 }}
+      {{- include "fdroid-repo-helm.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      {{- with .Values.podAnnotations }}
@@ -16,7 +16,7 @@ spec:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
-        {{- include "actual-helm.selectorLabels" . | nindent 8 }}
+        {{- include "fdroid-repo-helm.selectorLabels" . | nindent 8 }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
@@ -25,41 +25,35 @@ spec:
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      volumes:
-        - name: data
-          {{- .Values.volume | nindent 10 }}
-        - name: config
-          configMap:
-            name: {{ include "actual-helm.fullname" . }}
+        - name: repo
+          {{- toYaml .Values.volume | nindent 10 }}
      containers:
        - name: {{ .Chart.Name }}
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          image: "{{ .Values.nginx.repository }}:{{ .Values.nginx.tag | default "latest" }}"
+          imagePullPolicy: {{ .Values.nginx.pullPolicy }}
          ports:
            - name: http
-              containerPort: 8080
+              containerPort: 80
              protocol: TCP
          startupProbe:
            httpGet:
-              path: /
              port: http
+              path: /fdroid/repo/index.xml
          livenessProbe:
            httpGet:
-              path: /
              port: http
+              path: /fdroid/repo/index.xml
          readinessProbe:
            httpGet:
-              path: /
              port: http
+              path: /fdroid/repo/index.xml
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          volumeMounts:
-            - mountPath: "/app/config.json"
-              name: config
-              subPath: "config.json"
-            - mountPath: "/data"
-              name: data
+            - mountPath: "/usr/share/nginx/html/fdroid"
+              name: repo
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}

--- a/fdroid-repo/templates/ingress.yaml
+++ b/fdroid-repo/templates/ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "fdroid-repo-helm.fullname" . }}
+  labels:
+    {{- include "fdroid-repo-helm.labels" . | nindent 4 }}
+  annotations:
+    {{- .Values.ingress.annotations | toYaml | nindent 4 }}
+spec:
+  ingressClassName: {{ .Values.ingress.class }}
+  rules:
+    - host: "{{ .Values.ingress.host }}"
+      http:
+        paths:
+          - backend:
+              service:
+                name: {{ include "fdroid-repo-helm.fullname" . }}
+                port:
+                  name: http
+            path: "{{ .Values.ingress.path }}(.*)"
+            pathType: ImplementationSpecific
+          - backend:
+              service:
+                name: {{ include "fdroid-repo-helm.fullname" . }}
+                port:
+                  name: http
+            path: "{{ .Values.ingress.path }}(?:fdroid/repo|fdroid|repo|archive)(/.*|$)"
+            pathType: ImplementationSpecific
--- a/fdroid-repo/templates/secret.yaml
+++ b/fdroid-repo/templates/secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "fdroid-repo-helm.fullname" . }}
+  labels:
+    {{- include "fdroid-repo-helm.labels" . | nindent 4 }}
+data:
+  keystore: "{{ .Values.fdroid.keystore }}"
+stringData:
+  storage: "https://{{ .Values.fdroid.builds.access_key}}:{{.Values.fdroid.builds.secret_key}}@{{.Values.fdroid.builds.host}}"
+  config: |-
+    {{- toYaml .Values.fdroid.config | nindent 4 }}
+    local_copy_dir: /fdroid/
+    keystore: /workdir/keystore.bks
--- a/actual/templates/service.yaml
+++ b/actual/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "actual-helm.fullname" . }}
+  name: {{ include "fdroid-repo-helm.fullname" . }}
  labels:
-    {{- include "actual-helm.labels" . | nindent 4 }}
+    {{- include "fdroid-repo-helm.labels" . | nindent 4 }}
 spec:
  type: {{ .Values.service.type }}
  ports:
@@ -12,4 +12,4 @@ spec:
      protocol: TCP
      name: http
  selector:
-    {{- include "actual-helm.selectorLabels" . | nindent 4 }}
+    {{- include "fdroid-repo-helm.selectorLabels" . | nindent 4 }}
--- a/fdroid-repo/values.yaml
+++ b/fdroid-repo/values.yaml
+replicaCount: 1
+
+nginx:
+  repository: nginx
+  pullPolicy: IfNotPresent
+  tag: ""
+
+git:
+  repository: alpine/git
+  pullPolicy: IfNotPresent
+  tag: ""
+
+s3:
+  repository: minio/mc
+  pullPolicy: IfNotPresent
+  tag: ""
+
+build:
+  repository: k8r.eu/justjanne/fdroid-repo
+  pullPolicy: Always
+  tag: ""
+
+schedule: "*/15 * * * *"
+
+fdroid:
+  metadata: https://github.com/example/example
+  config:
+      repo_url: "https://repo.example.tld/fdroid/repo"
+      repo_name: "Example F-Droid Repo"
+      repo_icon: "fdroid-icon.png"
+      repo_description: "Example repository"
+
+      archive_url: "https://repo.example.tld/fdroid/archive"
+      archive_name: "Example F-Droid Repo Archive"
+      archive_icon: "fdroid-icon.png"
+      archive_description: "Example repository archive"
+      archive_older: 10
+
+      repo_keyalias: "repo.example.tld"
+      keydname: "CN=repo.example.tld"
+      keypass: "pass"
+      keystorepass: "pass"
+  builds:
+    path: "s3/bucket/folder"
+    host: "s3.example.tld"
+    access_key: "username"
+    secret_key: "token"
+    exclude: ""
+  keystore: "" # base64-encoded keystore
+
+volume: {}
+  #emptyDir: {}
+
+imagePullSecrets: [ ]
+nameOverride: ""
+fullnameOverride: ""
+
+service:
+  type: ClusterIP
+
+ingress:
+  host: "repo.example.tld"
+  path: "/"
+  origins: [ ]
+  class: "nginx"
+  annotations: {}
+
+jobAnnotations: { }
+
+podAnnotations: { }
+
+podSecurityContext:
+  fsGroup: 2000
+
+securityContext: {}
+
+jobSecurityContext:
+  capabilities:
+    drop:
+      - ALL
+  runAsNonRoot: true
+  runAsUser: 1000
+
+resources:
+  limits: {}
+  requests: {}
+
+nodeSelector: { }
+
+tolerations: [ ]
+
+affinity: { }
--- a/jellyfin/Chart.yaml
+++ b/jellyfin/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 name: jellyfin
 description: Helm Chart for Jellyfin
 type: application
-version: 1.2.0
-appVersion: "10.8.7"
+version: 1.3.0
+appVersion: "10.8.10"
--- a/mastodon/Chart.yaml
+++ b/mastodon/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 name: mastodon
 description: Helm Chart for mastodon
 type: application
-version: 0.4.0
-appVersion: "v4.0"
+version: 0.4.2
+appVersion: "v4.1"
--- a/mastodon/templates/replicaset-tootctl.yaml
+++ b/mastodon/templates/replicaset-tootctl.yaml
 apiVersion: apps/v1
-kind: ReplicaSet
+kind: Deployment
 metadata:
  name: {{ include "mastodon-helm.fullname" . }}-tootctl
  labels:
    component: tootctl
    {{- include "mastodon-helm.labels" . | nindent 4 }}
 spec:
+  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      component: tootctl
-      {{- include "mastodon-helm.labels" . | nindent 6 }}
+      {{- include "mastodon-helm.selectorLabels" . | nindent 6 }}
  template:
    metadata:
-      name: {{ include "mastodon-helm.fullname" . }}-tootctl
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
      labels:
        component: tootctl
-        {{- include "mastodon-helm.labels" . | nindent 8 }}
+        {{- include "mastodon-helm.selectorLabels" . | nindent 8 }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:

--- a/mastodon/values.yaml
+++ b/mastodon/values.yaml
@@ -6,7 +6,7 @@ fullnameOverride: ""

 web:
  repository: tootsuite/mastodon
-  pullPolicy: IfNotPresent
+  pullPolicy: Always
  tag: ""
  resources:
    limits:
@@ -18,7 +18,7 @@ web:

 streaming:
  repository: tootsuite/mastodon
-  pullPolicy: IfNotPresent
+  pullPolicy: Always
  tag: ""
  resources:
    limits:
@@ -30,7 +30,7 @@ streaming:

 sidekiq:
  repository: tootsuite/mastodon
-  pullPolicy: IfNotPresent
+  pullPolicy: Always
  tag: ""
  resources:
    limits:

--- a/postgresql/Chart.yaml
+++ b/postgresql/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 name: postgresql
 description: Helm Chart for postgresql
 type: application
-version: 1.3.0
+version: 1.4.0
 appVersion: "15"
--- a/postgresql/templates/secret.yaml
+++ b/postgresql/templates/secret.yaml
@@ -8,14 +8,5 @@ metadata:
  labels:
    {{- include "postgresql-helm.labels" . | nindent 4 }}
 type: Opaque
-data:
-  {{ if empty .Values.postgresPassword }}
-  # retrieve the secret data using lookup function and when not exists, return an empty dictionary / map as result
-  {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace $fullname) | default dict }}
-  {{- $secretData := (get $secretObj "data") | default dict }}
-  # set $secret to existing secret data or generate a random one when not exists
-  {{- $secretValue := (get $secretData $fullname) | default (randAlphaNum 48 | b64enc) }}
-  postgres-password: {{ $secretValue | quote }}
-  {{ else }}
+stringData:
  postgres-password: "{{ .Values.postgresPassword }}"
-  {{ end }}
--- a/postgresql/templates/service.yaml
+++ b/postgresql/templates/service.yaml
@@ -2,6 +2,12 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "postgresql-helm.fullname" . }}
+  {{ if .Values.exporter.enabled }}
+  annotations:
+    prometheus.io/path: "/metrics"
+    prometheus.io/port: "9187"
+    prometheus.io/scrape: "true"
+  {{ end }}
  labels:
    {{- include "postgresql-helm.labels" . | nindent 4 }}
 spec:
@@ -11,5 +17,11 @@ spec:
      targetPort: sql
      protocol: TCP
      name: sql
+    {{ if .Values.exporter.enabled }}
+    - port: 9187
+      targetPort: metrics
+      protocol: TCP
+      name: metrics
+    {{ end }}
  selector:
    {{- include "postgresql-helm.selectorLabels" . | nindent 4 }}
--- a/postgresql/templates/statefulset.yaml
+++ b/postgresql/templates/statefulset.yaml
@@ -62,7 +62,7 @@ spec:
              command:
                - sh
                - -c
-                - exec pg_isready --host localhost
+                - pg_isready --host localhost && psql -c "ALTER USER postgres WITH PASSWORD '${POSTGRES_PASSWORD}';"
          livenessProbe:
            exec:
              command:
@@ -93,6 +93,43 @@ spec:
              name: certs
              subPath: tls.key
            {{- end }}
+        {{ if .Values.exporter.enabled }}
+        - name: exporter
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.exporter.repository }}:{{ .Values.exporter.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+            - name: PG_EXPORTER_AUTO_DISCOVER_DATABASES
+              value: "true"
+            - name: DATA_SOURCE_URI
+              value: "localhost"
+            - name: DATA_SOURCE_USER
+              value: "postgres"
+            - name: DATA_SOURCE_PASS
+              valueFrom:
+                secretKeyRef:
+                  key: "postgres-password"
+                  name: {{ include "postgresql-helm.fullname" . }}
+          ports:
+            - name: metrics
+              containerPort: 9187
+              protocol: TCP
+          startupProbe:
+            httpGet:
+              port: metrics
+              path: /metrics
+          livenessProbe:
+            httpGet:
+              port: metrics
+              path: /metrics
+          readinessProbe:
+            httpGet:
+              port: metrics
+              path: /metrics
+          resources:
+            {{- toYaml .Values.exporter.resources | nindent 12 }}
+        {{ end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
No results found