diff --git a/demo/juicefs/app_of_apps/external_secrets_app.yaml b/demo/juicefs/app_of_apps/external_secrets_app.yaml new file mode 100644 index 000000000..66e8a6487 --- /dev/null +++ b/demo/juicefs/app_of_apps/external_secrets_app.yaml @@ -0,0 +1,52 @@ +--- +apiVersion: argoproj.io/v1alpha1 +kind: ApplicationSet +metadata: + name: juicefs-external-secrets-app-set + namespace: argocd +spec: + goTemplate: true + # generator allows us to source specific values from an external k8s secret + generators: + - plugin: + configMapRef: + name: secret-var-plugin-generator + input: + parameters: + secret_vars: + - global_external_secrets + - juicefs_s3_credentials_bitwarden_id + - juicefs_s3_backups_credentials_bitwarden_id + - juicefs_valkey_credentials_bitwarden_id + template: + metadata: + name: juicefs-external-secrets + annotations: + argocd.argoproj.io/sync-wave: "1" + spec: + project: juicefs + + # where to put this argocd application + destination: + server: https://kubernetes.default.svc + namespace: juicefs + + # how to sync this argocd application + syncPolicy: + syncOptions: + - ApplyOutOfSyncOnly=true + automated: + prune: true + selfHeal: true + + # where to source this argocd application + source: + repoURL: 'https://github.com/small-hack/argocd-apps.git' + path: demo/juicefs/external_secrets/ + targetRevision: finish-juicefs + helm: + valuesObject: + provider: '{{ .global_external_secrets }}' + juicefs_valkey_bitwarden_id: '{{ .juicefs_valkey_credentials_bitwarden_id }}' + juicefs_s3_backups_credentials_bitwarden_id: '{{ .juicefs_s3_backups_credentials_bitwarden_id }}' + juicefs_s3_admin_credentials_bitwarden_id: '{{ .juicefs_s3_credentials_bitwarden_id }}' diff --git a/demo/juicefs/app_of_apps/juicefs_argocd_appset.yaml b/demo/juicefs/app_of_apps/juicefs_argocd_appset.yaml index 43bce8897..394cb934d 100644 --- a/demo/juicefs/app_of_apps/juicefs_argocd_appset.yaml +++ b/demo/juicefs/app_of_apps/juicefs_argocd_appset.yaml 
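Review bot: The new ApplicationSet syncs into `namespace: juicefs` at sync-wave 1 with only `ApplyOutOfSyncOnly=true`, while the sibling `juicefs_argocd_appset.yaml` in this same commit carries `CreateNamespace=true`; if nothing earlier in the wave order creates the namespace, the ExternalSecrets (which also hard-code `namespace: juicefs`) will fail to apply and the Valkey and CSI apps in later waves will have no credentials. Add `- CreateNamespace=true` under `syncOptions`, or document which app owns namespace creation. Separately, `juicefs_s3_admin_credentials_bitwarden_id: '{{ .juicefs_s3_credentials_bitwarden_id }}'` maps a generator var to a differently named chart value; renaming the secret var to `juicefs_s3_admin_credentials_bitwarden_id` would keep the two in step and avoid a silent empty value if someone edits only one side.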
@@ -17,15 +17,11 @@ spec: input: parameters: secret_vars: - - juicefs_valkey_password - - juicefs_valkey_url - - juicefs_valkey_port - - juicefs_s3_key_id - - juicefs_s3_secret_key - juicefs_s3_bucket_url - juicefs_s3_dshboard_url - global_cluster_issuer - vouch_hostname + - juicefs_hostname template: metadata: name: juicefs-csi-driver-app @@ -48,9 +44,7 @@ spec: enabled: true # Basic auth for dashboard auth: - enabled: true - username: admin - password: admin + existingSecret: "" ingress: enabled: true @@ -70,31 +64,19 @@ spec: proxy_set_header X-User $user; proxy_set_header X-Email $email; hosts: - - host: "{{ .juicefs_s3_dshboard_url }}" + - host: "{{ .juicefs_hostname }}" paths: - path: / pathType: ImplementationSpecific tls: - secretName: juicefs-tls hosts: - - "{{ .juicefs_s3_dshboard_url }}" + - "{{ .juicefs_hostname }}" storageClasses: - - name: "juicefs-sc" - enabled: true - reclaimPolicy: Delete - allowVolumeExpansion: true - backend: - name: "juicefs" - metaurl: "redis://:{{ .juicefs_valkey_password }}@{{ .juicefs_valkey_url }}:{{ .juicefs_valkey_port }}/1" - storage: "s3" - bucket: "{{ .juicefs_s3_bucket_url }}" - accessKey: {{ .juicefs_s3_key_id }} - secretKey: {{ .juicefs_s3_secret_key }} - envs: "" - configs: "" - trashDays: "" - formatOptions: "" + - name: "juicefs" + enabled: false + syncPolicy: syncOptions: - CreateNamespace=true diff --git a/demo/juicefs/app_of_apps/pvc_appset.yaml b/demo/juicefs/app_of_apps/pvc_appset.yaml index 867e931eb..bfc962440 100644 --- a/demo/juicefs/app_of_apps/pvc_appset.yaml +++ b/demo/juicefs/app_of_apps/pvc_appset.yaml @@ -19,12 +19,12 @@ spec: - juicefs_s3_backup_endpoint - juicefs_s3_backup_bucket - juicefs_s3_backup_region - - juicefs_s3_pvc_capacity + - juicefs_valkey_pvc_size - juicefs_pvc_backup_schedule - juicefs_valkey_pvc_storage_class template: metadata: - name: grafana-stack-s3-pvc + name: juicefs-s3-pvc annotations: argocd.argoproj.io/sync-wave: "1" spec: 
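Review bot: The dashboard `auth:` block now contains only `existingSecret: ""`; with `enabled: true` removed and an empty secret name, whether basic auth is on or off depends entirely on the chart's default for `auth.enabled`, which is not visible here, and an empty string is not a usable secret reference either way. If the intent is to rely on the vouch auth headers visible in the surrounding ingress snippet, say so explicitly with `enabled: false` and a comment such as `# dashboard auth is handled by vouch-proxy at the ingress`; if basic auth is still wanted, point `existingSecret` at a real Secret and keep `enabled: true`. The `ingress:` mapping this sits in starts before the hunk.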
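Review bot: Dropping `secretName: juicefs-tls` from the ingress `tls:` entry leaves a host list with no certificate secret, so the ingress controller will serve its default (typically self-signed) certificate for `{{ .juicefs_hostname }}`, and cert-manager's ingress-shim — which appears to still be in play given `global_cluster_issuer` remains a generator var — has no secret to write an issued certificate into. Restore the line, `secretName: juicefs-tls`, alongside the renamed host. The enclosing `ingress:` block begins outside this hunk, so confirm the cert-manager annotation there still references the cluster issuer.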
@@ -41,11 +41,11 @@ spec: source: repoURL: https://github.com/small-hack/argocd-apps.git path: s3_persistence_and_backups/ - targetRevision: main + targetRevision: finish-juicefs helm: valuesObject: provider: juicefs - pvc_capacity: '{{ .juicefs_s3_pvc_capacity }}' + pvc_capacity: '{{ .juicefs_valkey_pvc_size }}' pvc_storageClassName: '{{ .juicefs_valkey_pvc_storage_class }}' seaweedfs: diff --git a/demo/juicefs/app_of_apps/valkey_application_set.yaml b/demo/juicefs/app_of_apps/valkey_application_set.yaml index e3ef23943..c614f6bdb 100644 --- a/demo/juicefs/app_of_apps/valkey_application_set.yaml +++ b/demo/juicefs/app_of_apps/valkey_application_set.yaml @@ -2,7 +2,7 @@ apiVersion: argoproj.io/v1alpha1 kind: ApplicationSet metadata: - name: valkey-app-set + name: juicefs-valkey-app-set namespace: argocd annotations: # wait till after secrets are populated in sync wave 1 @@ -17,14 +17,15 @@ spec: input: parameters: secret_vars: - - global_storage_class + - juicefs_valkey_pvc_storage_class + - juicefs_valkey_pvc_size template: metadata: - name: valkey-app + name: juicefs-valkey-app annotations: argocd.argoproj.io/sync-wave: "2" spec: - project: valkey + project: juicefs # the sync policy for this Argo CD Application syncPolicy: 
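Review bot: `targetRevision` moves from `main` to the feature branch `finish-juicefs` on an Application that the surrounding spec (outside this hunk) syncs automatically; a mutable branch is a weak supply-chain pin, and once the branch is deleted after merge the app will fail to resolve its revision. The same branch pin appears in the new `external_secrets_app.yaml`. Revert both to `main` (or better, a tag or commit SHA) before merge, and add a comment like `# TODO: restore to main before merge` if the branch pin is intentional for testing.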
@@ -38,58 +39,102 @@ spec: # where this Argo CD Application should be deployed destination: server: https://kubernetes.default.svc - namespace: valkey + namespace: juicefs # where we should get the source of this Argo CD Application source: repoURL: 'registry-1.docker.io' - chart: bitnamicharts/valkey - targetRevision: 3.0.30 + chart: bitnamicharts/valkey-cluster + targetRevision: 3.0.24 helm: # helm parameter overrides valuesObject: - fullnameOverride: "valkey" - global: - storageClass: "{{ .global_storage_class }}" + storageClass: "{{ .juicefs_valkey_pvc_storage_class }}" - # for auth, we get the valkey credentials from an ExternalSecret - auth: - enabled: true - existingSecret: "valkey-credentials" - existingSecretPasswordKey: "password" + fullnameOverride: "juicefs-valkey" + + usePassword: true + existingSecret: "juicefs-valkey-credentials" + existingSecretPasswordKey: "password" - # TLS settings tls: enabled: false authClients: true autoGenerated: false - # primary (control plane) configuration - primary: - persistence: - enabled: true - existingClaim: "valkey-primary" - - # valkey replica configuration - replica: - persistence: - enabled: true - existingClaim: "valkey-replica" + service: + ports: + valkey: 6379 + type: ClusterIP + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: Cluster + persistence: + enabled: true + path: /bitnami/valkey/data + annotations: + k8up.io/backup: "true" + accessModes: + - ReadWriteOnce + size: "{{ .juicefs_valkey_pvc_size }}" - # persistnent volume retention policy for the StatefulSet persistentVolumeClaimRetentionPolicy: enabled: true whenScaled: Retain whenDeleted: Retain - metrics: - # we use a grafana exporter that logs into valkey directly - enabled: false + valkey: + configmap: | + maxmemory 6gb + maxmemory-policy allkeys-lru + appendfsync everysec + + updateStrategy: + type: RollingUpdate + rollingUpdate: + partition: 0 + + podManagementPolicy: Parallel + automountServiceAccountToken: false + 
hostNetwork: false + useAOFPersistence: "no" + + containerPorts: + valkey: 6379 + bus: 16379 - # definitions: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 - # Options: nano, micro, small, medium, large, xlarge, 2xlarge - # default: nano - resourcesPreset: "small" + # definitions: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + # Options: nano, micro, small, medium, large, xlarge, 2xlarge + # default: nano + #resourcesPreset: "micro" + resources: + requests: + cpu: 100m + memory: 1Gi + limits: + cpu: 2000m + memory: 10Gi + cluster: + init: true + nodes: 6 + replicas: 1 + externalAccess: + enabled: false + hostMode: false + service: + disableLoadBalancerIP: false + type: LoadBalancer + port: 6379 + loadBalancerIP: [] + loadBalancerSourceRanges: [] + + metrics: + enabled: true + resourcesPreset: "small" + serviceMonitor: + enabled: true + interval: 10s + scrapeTimeout: 5s diff --git a/demo/juicefs/external_secrets/Chart.yaml b/demo/juicefs/external_secrets/Chart.yaml index 46deb9ea0..df02e6114 100644 --- a/demo/juicefs/external_secrets/Chart.yaml +++ b/demo/juicefs/external_secrets/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 -name: nextcloud-eso-bitwarden-chart -description: A Helm chart for JuiceFS External Secrets using the Bitwarden ESO provider on Kubernetes +name: juicefs-eso-chart +description: A Helm chart for JuiceFS External Secrets using the Bitwarden ESO provider on Kubernetes # A chart can be either an 'application' or a 'library' chart. # 
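Review bot: The Valkey configmap sets `maxmemory 6gb` with `maxmemory-policy allkeys-lru`, which lets the server evict arbitrary keys under memory pressure; this Valkey is the JuiceFS metadata engine (the `metaurl` in the new ExternalSecret points at it), and JuiceFS's Redis/Valkey guidance is `noeviction`, because an evicted inode or chunk key is silent filesystem corruption rather than a cache miss. Change the line to `maxmemory-policy noeviction` and rely on the 10Gi limit and alerting instead. Relatedly, `useAOFPersistence: "no"` disables append-only persistence, so the `appendfsync everysec` line above it has no effect and metadata written since the last RDB snapshot is lost on a crash; `useAOFPersistence: "yes"` is the safer setting for a metadata store.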
@@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 +version: 0.0.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/demo/juicefs/external_secrets/README.md b/demo/juicefs/external_secrets/README.md new file mode 100644 index 000000000..823140092 --- /dev/null +++ b/demo/juicefs/external_secrets/README.md 
@@ -0,0 +1,21 @@ +# grafana-stack-eso-chart + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) + +A Helm chart for Grafana Monitoring Stack External Secrets using the Bitwarden ESO provider on Kubernetes + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| lokiValkeyCredentialsBitwardenID | string | `""` | valkey Credentials for loki | +| oidcCredentialsBitwardenID | string | `""` | grafana OIDC Credentials | +| provider | string | `""` | if this is not set to "bitwarden", we will not actually deploy any templates we may support other secret providers in the future | +| s3AdminCredentialsBitwardenID | string | `""` | existing kubernetes secret with s3 admin credentials | +| s3BackupCredentialsBitwardenID | string | `""` | existing kubernetes secret with s3 credentials for the remote backups | +| s3LokiCredentialsBitwardenID | string | `""` | existing kubernetes secret with s3 loki credentials | +| s3MimirCredentialsBitwardenID | string | `""` | existing kubernetes secret with s3 mimir credentials | +| s3_provider | string | `"seaweedfs"` | if set to seaweedfs we deploy a policy secret. can also be minio | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) diff --git a/demo/juicefs/external_secrets/templates/juicefs_storage_class_secret.yaml b/demo/juicefs/external_secrets/templates/juicefs_storage_class_secret.yaml new file mode 100644 index 000000000..1e6bf6612 --- /dev/null +++ b/demo/juicefs/external_secrets/templates/juicefs_storage_class_secret.yaml 
@@ -0,0 +1,62 @@ +{{- if eq .Values.provider "bitwarden" }} +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: juicefs-storage-class-credentials + namespace: juicefs + labels: + juicefs.com/validate-secret: "true" +spec: + target: + name: juicefs-storage-class-credentials + deletionPolicy: Delete + template: + type: Opaque + data: + name: juicefs + metaurl: |- + {{ `{{ .valkeyUrl }}`}} + access-key: |- + {{ `{{ .accessKeyId }}` }} + secret-key: |- + {{ `{{ .secretAccessKey }}` }} + bucket:: |- + {{ `{{ .bucket }}` }} + data: + - secretKey: accessKeyId + sourceRef: + storeRef: + name: bitwarden-login + kind: ClusterSecretStore + remoteRef: + key: {{ .Values.juicefs_s3_admin_credentials_bitwarden_id }} + property: username + + - secretKey: secretAccessKey + sourceRef: + storeRef: + name: bitwarden-login + kind: ClusterSecretStore + remoteRef: + key: {{ .Values.juicefs_s3_admin_credentials_bitwarden_id }} + property: password + + - secretKey: bucket + sourceRef: + storeRef: + name: bitwarden-fields + kind: ClusterSecretStore + remoteRef: + key: {{ .Values.juicefs_s3_admin_credentials_bitwarden_id }} + property: bucket + + - secretKey: metaurl + sourceRef: + storeRef: + name: bitwarden-fields + kind: ClusterSecretStore + remoteRef: + key: {{ .Values.juicefs_valkey_bitwarden_id }} + property: metaurl +{{- end }} diff --git a/demo/juicefs/external_secrets/templates/redis_credentials.yaml b/demo/juicefs/external_secrets/templates/juicefs_valkey_credentials.yaml similarity index 78% rename from demo/juicefs/external_secrets/templates/redis_credentials.yaml rename to demo/juicefs/external_secrets/templates/juicefs_valkey_credentials.yaml index f90fd843e..c7ad5e437 100644 --- a/demo/juicefs/external_secrets/templates/redis_credentials.yaml +++ b/demo/juicefs/external_secrets/templates/juicefs_valkey_credentials.yaml 
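Review bot: `bucket:: |-` in the template `data` has a doubled colon, so the rendered Secret gets a key literally named `bucket:` and no `bucket` key; the JuiceFS CSI driver (and the `juicefs.com/validate-secret` webhook label applied here) will not find the bucket. Change it to `bucket: |-`. Note also that the `metaurl` pulled from the `bitwarden-fields` store embeds the Valkey password, so that Bitwarden field must be kept in sync with the item referenced by `juicefs_valkey_bitwarden_id`, and, since this commit moves Valkey to the `valkey-cluster` chart, presumably the URL must target the cluster service name rather than a single-node address — worth a one-line comment above `metaurl`.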
@@ -3,16 +3,16 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: juicefs-redis-password + name: juicefs-valkey-credentials spec: target: # Name for the secret to be created on the cluster - name: juicefs-redis-password + name: juicefs-valkey-credentials deletionPolicy: Delete template: type: Opaque data: - redis-password: |- + password: |- {{ `{{ .password }}` }} data: # Key given to the secret to be created on the cluster @@ -22,6 +22,6 @@ spec: name: bitwarden-login kind: ClusterSecretStore remoteRef: - key: juicefs-redis-password + key: {{ .Values.juicefs_valkey_bitwarden_id }} property: password {{- end }} diff --git a/demo/juicefs/external_secrets/templates/s3-credentials.yaml b/demo/juicefs/external_secrets/templates/s3-credentials.yaml deleted file mode 100644 index 9d3cef01d..000000000 --- a/demo/juicefs/external_secrets/templates/s3-credentials.yaml +++ /dev/null @@ -1,37 +0,0 @@ -{{- if eq .Values.provider "bitwarden" }} ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: juicefs-s3-credentials - namespace: juicefs -spec: - target: - name: juicefs-s3-credentials - deletionPolicy: Delete - template: - type: Opaque - data: - S3_USER: |- - {{ `{{ .accessKey }}` }} - S3_PASSWORD: |- - {{ `{{ .secretKey }}` }} - data: - - secretKey: accessKey - sourceRef: - storeRef: - name: bitwarden-login - kind: ClusterSecretStore - remoteRef: - key: juicefs-s3-credentials - property: username - - - secretKey: secretKey - sourceRef: - storeRef: - name: bitwarden-login - kind: ClusterSecretStore - remoteRef: - key: juicefs-s3-credentials - property: password -{{- end }} diff --git a/demo/juicefs/external_secrets/templates/s3_backup_credentials.yaml b/demo/juicefs/external_secrets/templates/s3_backup_credentials.yaml new file mode 100644 index 000000000..cdaae449b --- /dev/null +++ b/demo/juicefs/external_secrets/templates/s3_backup_credentials.yaml 
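Review bot: `key: {{ .Values.juicefs_valkey_bitwarden_id }}` renders the value unquoted, and the chart's `values.yaml` in this commit defaults it to `""`, so a missing value produces `key:` with a null remoteRef, which ESO rejects and the Valkey StatefulSet then waits forever for `juicefs-valkey-credentials`. Fail at render time instead: `key: {{ required "juicefs_valkey_bitwarden_id must be set" .Values.juicefs_valkey_bitwarden_id | quote }}`. The same pattern applies to the `remoteRef.key` lines in the new storage-class and S3-backup templates.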
@@ -0,0 +1,48 @@ +{{- if eq .Values.provider "bitwarden" }} +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: s3-backups-credentials + namespace: juicefs +spec: + target: + name: s3-backups-credentials + deletionPolicy: Delete + template: + type: Opaque + data: + accessKeyId: |- + {{ `{{ .accessKeyId }}` }} + secretAccessKey: |- + {{ `{{ .secretAccessKey }}` }} + resticRepoPassword: |- + {{ `{{ .resticRepoPass }}` }} + data: + - secretKey: accessKeyId + sourceRef: + storeRef: + name: bitwarden-login + kind: ClusterSecretStore + remoteRef: + key: {{ .Values.juicefs_s3_backups_credentials_bitwarden_id }} + property: username + + - secretKey: secretAccessKey + sourceRef: + storeRef: + name: bitwarden-login + kind: ClusterSecretStore + remoteRef: + key: {{ .Values.juicefs_s3_backups_credentials_bitwarden_id }} + property: password + + - secretKey: resticRepoPass + sourceRef: + storeRef: + name: bitwarden-fields + kind: ClusterSecretStore + remoteRef: + key: {{ .Values.juicefs_s3_backups_credentials_bitwarden_id }} + property: resticRepoPassword +{{- end }} diff --git a/demo/juicefs/external_secrets/values.yaml b/demo/juicefs/external_secrets/values.yaml index 8c92e9a9f..caa1ad1eb 100644 --- a/demo/juicefs/external_secrets/values.yaml +++ b/demo/juicefs/external_secrets/values.yaml 
@@ -1,9 +1,15 @@ -# Use external secrets. Set to bitwarden to use this chart. other providers may be supported in the future +# -- if this is not set to "bitwarden", we will not actually deploy any templates +# we may support other secret providers in the future provider: "bitwarden" # -- if set to seaweedfs we deploy a policy secret. can also be minio s3_provider: "seaweedfs" -# -- existing kubernetes secret with s3 postgres credentials -s3CredentialsBitwardenID: "juicefs-s3-credentials" +# -- existing kubernetes secret with s3 admin credentials +juicefs_s3_admin_credentials_bitwarden_id: "" +# -- existing kubernetes secret with s3 credentials for the remote backups +juicefs_s3_backups_credentials_bitwarden_id: "" + +# -- valkey Credentials for loki +juicefs_valkey_bitwarden_id: "" diff --git a/demo/juicefs/persistence/seaweedfs_data_pvc.yaml b/demo/juicefs/persistence/seaweedfs_data_pvc.yaml deleted file mode 100644 index 0fe0079c1..000000000 --- a/demo/juicefs/persistence/seaweedfs_data_pvc.yaml +++ /dev/null @@ -1,33 +0,0 @@ ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: swfs-volume-data -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 100Gi ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: swfs-master-data -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: swfs-filer-data -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 10Gi diff --git a/gotosocial/storage/seaweedfs/seaweedfs_argocd_appset.yaml b/gotosocial/storage/seaweedfs/seaweedfs_argocd_appset.yaml index db32631a6..9f85b3b7b 100644 --- a/gotosocial/storage/seaweedfs/seaweedfs_argocd_appset.yaml +++ b/gotosocial/storage/seaweedfs/seaweedfs_argocd_appset.yaml @@ -58,7 +58,7 @@ spec: certificates: alphacrds: false monitoring: - enabled: false + enabled: true gatewayHost: null gatewayPort: null enableReplication: false 
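Review bot: The value comments are copied from another chart and now describe the wrong thing: `# -- valkey Credentials for loki` sits above `juicefs_valkey_bitwarden_id`, and the two `# -- existing kubernetes secret with ...` lines describe values that are Bitwarden item IDs consumed by `remoteRef.key`, not Kubernetes Secret names. Suggested replacements: `# -- Bitwarden item ID for the JuiceFS metadata-engine (Valkey) password`, `# -- Bitwarden item ID for the S3 admin credentials used by the JuiceFS storage class`, `# -- Bitwarden item ID for the S3 + restic credentials used for remote backups`. These comments feed helm-docs, so the generated README will carry the same errors until they are fixed.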
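Review bot: Flipping `monitoring.enabled` to `true` in `gotosocial/storage/seaweedfs/` is unrelated to the JuiceFS work that makes up the rest of this commit and would be easier to review and revert on its own. If it stays, a short comment such as `# exposes seaweedfs metrics endpoints; requires the prometheus ServiceMonitor CRDs` would help, since whether those CRDs exist on the target cluster cannot be told from this file.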
diff --git a/s3_persistence_and_backups/templates/juicefs_valkey_pvc.yaml b/s3_persistence_and_backups/templates/juicefs_valkey_pvc.yaml index fb1ee6583..23654b2b9 100644 --- a/s3_persistence_and_backups/templates/juicefs_valkey_pvc.yaml +++ b/s3_persistence_and_backups/templates/juicefs_valkey_pvc.yaml @@ -3,7 +3,7 @@ kind: PersistentVolumeClaim apiVersion: v1 metadata: - name: juicefs-valkey-primary + name: valkey-data-juicefs-valkey-0 annotations: k8up.io/backup: "true" spec: @@ -17,7 +17,63 @@ spec: kind: PersistentVolumeClaim apiVersion: v1 metadata: - name: juicefs-valkey-replica + name: valkey-data-juicefs-valkey-1 + annotations: + k8up.io/backup: "true" +spec: + storageClassName: {{ .Values.pvc_storageClassName }} + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.pvc_capacity }} +--- +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: valkey-data-juicefs-valkey-2 + annotations: + k8up.io/backup: "true" +spec: + storageClassName: {{ .Values.pvc_storageClassName }} + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.pvc_capacity }} +--- +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: valkey-data-juicefs-valkey-3 + annotations: + k8up.io/backup: "true" +spec: + storageClassName: {{ .Values.pvc_storageClassName }} + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.pvc_capacity }} +--- +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: valkey-data-juicefs-valkey-4 + annotations: + k8up.io/backup: "true" +spec: + storageClassName: {{ .Values.pvc_storageClassName }} + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.pvc_capacity }} +--- +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: valkey-data-juicefs-valkey-5 annotations: k8up.io/backup: "true" spec:
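Review bot: Renaming the PVC to `valkey-data-juicefs-valkey-0` pre-creates the claim the Valkey StatefulSet's volumeClaimTemplate would otherwise generate, so the name, `storageClassName` and requested size here must exactly match what the `valkey-cluster` chart produces from the `persistence` values set in this same commit (`fullnameOverride: "juicefs-valkey"`, `size: "{{ .juicefs_valkey_pvc_size }}"`); if either side drifts, the pod is stuck Pending on an unbindable claim. A comment above `metadata:` such as `# must match the StatefulSet volumeClaimTemplate: <claimName>-<fullnameOverride>-<ordinal>` would make that coupling visible. The second hunk in this file runs past the end of the view, so its trailing spec is not reviewed here.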