diff --git a/apps/homer/base/deployment.yaml b/apps/homer/base/deployment.yaml
index 66329dc..d44f063 100644
--- a/apps/homer/base/deployment.yaml
+++ b/apps/homer/base/deployment.yaml
@@ -13,8 +13,6 @@ spec:
 metadata:
 labels:
 app.kubernetes.io/name: homer
- rpi5.cluster.policy/egress-world: "true"
- rpi5.cluster.policy/ingress-world: "true"
 spec:
 securityContext:
 runAsUser: 1000
diff --git a/infrastructures/renovate/base/configmap.yaml b/infrastructures/renovate/base/configmap.yaml
new file mode 100644
index 0000000..e1b5d92
--- /dev/null
+++ b/infrastructures/renovate/base/configmap.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: renovate-config-js
+ namespace: renovate
+ labels:
+ app.kubernetes.io/name: renovate
+data:
+ config.js: |
+ module.exports = {
+ // Enter self-hosted configuration options here.
+ // https://docs.renovatebot.com/self-hosted-configuration/
+ }
diff --git a/infrastructures/renovate/base/deployment.yaml b/infrastructures/renovate/base/deployment.yaml
new file mode 100644
index 0000000..10f1ff3
--- /dev/null
+++ b/infrastructures/renovate/base/deployment.yaml
@@ -0,0 +1,132 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: renovate
+ namespace: renovate
+ labels:
+ app.kubernetes.io/name: renovate
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: renovate
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: renovate
+ spec:
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ containers:
+ - name: renovate
+ image: ghcr.io/mend/renovate-ce:7.5.0-full
+ securityContext:
+ allowPrivilegeEscalation: false
+ env:
+ - name: MEND_RNV_ACCEPT_TOS
+ value: y
+ - name: MEND_RNV_LICENSE_KEY
+ valueFrom:
+ secretKeyRef:
+ name: renovate-secrets
+ key: renovate_license_key
+ - name: MEND_RNV_PLATFORM
+ value: github
+ - name: MEND_RNV_ENDPOINT
+ value: "https://api.github.com/"
+ - name: MEND_RNV_DATA_HANDLER_TYPE
+ value: "postgresql"
+ - name: PGDATABASE
+ valueFrom:
+ secretKeyRef:
+ name: renovate-secrets
+ key: db_pg_database
+ - name: PGUSER
+ valueFrom:
+ secretKeyRef:
+ name: renovate-secrets
+ key: db_pg_user
+ - name: PGPORT
+ value: "5432"
+ - name: PGHOST
+ valueFrom:
+ secretKeyRef:
+ name: renovate-secrets
+ key: db_pg_host
+ - name: PGPASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: renovate-secrets
+ key: db_pg_password
+ - name: MEND_RNV_GITHUB_APP_ID
+ value: "938218"
+ - name: RNV_GITHUB_PEM_FILE_PATH
+ value: "/usr/src/app/rpi5-cluster-renovate.2024-07-05.private-key.pem"
+ - name: MEND_RNV_WEBHOOK_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: renovate-secrets
+ key: github_app_webhook_secret
+ - name: MEND_RNV_ADMIN_API_ENABLED
+ value: "true"
+ - name: MEND_RNV_SERVER_API_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: renovate-secrets
+ key: server_api_secret
+ - name: GITHUB_COM_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: renovate-secrets
+ key: github_pat
+ - name: MEND_RNV_AUTODISCOVER_FILTER
+ value: "3dwardch3ng/home-cluster-ops"
+ - name: MEND_RNV_ENQUEUE_JOBS_ON_STARTUP
+ value: "enabled"
+ - name: MEND_RNV_LOG_HISTORY_DIR
+ value: "/logs"
+ ports:
+ - name: http
+ containerPort: 8080
+ protocol: TCP
+ livenessProbe:
+ initialDelaySeconds: 2
+ httpGet:
+ path: /health
+ port: http
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 3
+ successThreshold: 1
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: http
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 3
+ successThreshold: 1
+ volumeMounts:
+ - name: renovate-config-js-volume
+ mountPath: /usr/src/app/config.js
+ subPath: config.js
+ - name: renovate-cache-volume
+ mountPath: /tmp/renovate
+ - name: renovate-logs
+ mountPath: /logs
+ - name: renovate-gh-app-pem
+ mountPath: /usr/src/app/rpi5-cluster-renovate.2024-07-05.private-key.pem
+ volumes:
+ - name: renovate-config-js-volume
+ configMap:
+ name: renovate-config-js
+ - name: renovate-cache-volume
+ emptyDir: {}
+ - name: renovate-logs
+ hostPath:
+ path: /mnt/nfs/AppData/renovate/logs
+ type: Directory
+ - name: renovate-gh-app-pem
+ hostPath:
+ path: /mnt/nfs/AppData/renovate/key/rpi5-cluster-renovate.2024-07-05.private-key.pem
+ type: File
diff --git a/infrastructures/renovate/base/kustomization.yaml b/infrastructures/renovate/base/kustomization.yaml
new file mode 100644
index 0000000..6291140
--- /dev/null
+++ b/infrastructures/renovate/base/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - configmap.yaml
+ - deployment.yaml
+ - service.yaml
\ No newline at end of file
diff --git a/infrastructures/renovate/base/service.yaml b/infrastructures/renovate/base/service.yaml
new file mode 100644
index 0000000..373c039
--- /dev/null
+++ b/infrastructures/renovate/base/service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: renovate
+ namespace: renovate
+ labels:
+ app.kubernetes.io/name: renovate
+spec:
+ type: ClusterIP
+ ports:
+ - port: 8899
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app.kubernetes.io/name: renovate
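Review bot: In infrastructures/renovate/base/deployment.yaml the GitHub App private key reaches the pod through the `renovate-gh-app-pem` hostPath volume, so it sits in plain form on the NFS export and is readable by anything with access to that share or to the node, while every other credential in this Deployment comes from the `renovate-secrets` SealedSecret. Sealing the key into that same secret and mounting it as a read-only secret volume removes the node dependency and lets the pod run under a Pod Security profile that forbids hostPath; the key name in the sketch below is a placeholder, since the page defines none. The container `securityContext` could also drop all capabilities and set `runAsNonRoot: true` alongside the existing `allowPrivilegeEscalation: false`. Separately, `value: y` for MEND_RNV_ACCEPT_TOS should be written `value: "y"`, because a YAML 1.1 parser can read a bare `y` as a boolean and env values must be strings.

```yaml
# … unchanged: containers[0] image, env, ports and probes …
          volumeMounts:
            # … unchanged: config.js, cache and logs mounts …
            - name: renovate-gh-app-pem
              mountPath: /usr/src/app/rpi5-cluster-renovate.2024-07-05.private-key.pem
              subPath: GITHUB_APP_PEM_KEY_PLACEHOLDER
              readOnly: true
      volumes:
        # … unchanged: config.js, cache and logs volumes …
        - name: renovate-gh-app-pem
          secret:
            secretName: renovate-secrets
            items:
              - key: GITHUB_APP_PEM_KEY_PLACEHOLDER
                path: GITHUB_APP_PEM_KEY_PLACEHOLDER
```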
diff --git a/infrastructures/renovate/env/k3s-cluster/config.json b/infrastructures/renovate/env/k3s-cluster/config.json
new file mode 100644
index 0000000..051b637
--- /dev/null
+++ b/infrastructures/renovate/env/k3s-cluster/config.json
@@ -0,0 +1,12 @@
+{
+ "appName": "renovate",
+ "userGivenName": "renovate",
+ "namespace": "renovate",
+ "destNamespace": "renovate",
+ "destServer": "https://kubernetes.default.svc",
+ "srcPath": "infrastructures/renovate/env/k3s-cluster",
+ "srcRepoURL": "https://github.com/3dwardch3ng/home-cluster-ops.git",
+ "srcTargetRevision": "",
+ "labels": null,
+ "annotations": null
+}
\ No newline at end of file
diff --git a/infrastructures/renovate/env/k3s-cluster/ingress.yaml b/infrastructures/renovate/env/k3s-cluster/ingress.yaml
new file mode 100644
index 0000000..1c9428f
--- /dev/null
+++ b/infrastructures/renovate/env/k3s-cluster/ingress.yaml
@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: renovate-ingress
+ namespace: renovate
+ annotations:
+ nginx.ingress.kubernetes.io/ssl-redirect: "false"
+ nginx.ingress.kubernetes.io/use-regex: "true"
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: "renovate.cluster.edward.sydney"
+ http:
+ paths:
+ - pathType: Prefix
+ path: "/"
+ backend:
+ service:
+ name: renovate
+ port:
+ number: 8899
\ No newline at end of file
diff --git a/infrastructures/renovate/env/k3s-cluster/kustomization.yaml b/infrastructures/renovate/env/k3s-cluster/kustomization.yaml
new file mode 100644
index 0000000..3ea3085
--- /dev/null
+++ b/infrastructures/renovate/env/k3s-cluster/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../../base
+ - ./ingress.yaml
\ No newline at end of file
diff --git a/resources/app-secrets/env/k3s-cluster/templates/renovate.yaml b/resources/app-secrets/env/k3s-cluster/templates/renovate.yaml
new file mode 100644
index 0000000..105d4bf
--- /dev/null
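Review bot: infrastructures/renovate/env/k3s-cluster/ingress.yaml publishes the whole Renovate service at `/` with `nginx.ingress.kubernetes.io/ssl-redirect: "false"` and no `tls:` section, while the Deployment in this commit turns on the admin API (`MEND_RNV_ADMIN_API_ENABLED` set to `"true"`). Unless TLS is terminated in front of the ingress controller, the server API secret and webhook traffic would cross the network unencrypted; I would add a `tls:` entry for `renovate.cluster.edward.sydney` and set `nginx.ingress.kubernetes.io/ssl-redirect: "true"`. If only GitHub webhooks need to reach the pod from outside, narrowing the rule to the webhook path keeps the admin API reachable from inside the cluster only. The `use-regex: "true"` annotation does nothing this rule needs, since the only path is a plain `/` prefix, and can be dropped.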
+++ b/resources/app-secrets/env/k3s-cluster/templates/renovate.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ annotations:
+ sealedsecrets.bitnami.com/cluster-wide: "true"
+ creationTimestamp: null
+ name: renovate-secrets
+ namespace: renovate
+spec:
+ encryptedData:
+ db_pg_database: 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
+ db_pg_host: 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
+ db_pg_password: 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
+ db_pg_user: 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
+ github_app_webhook_secret: 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
+ github_pat: 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
+ renovate_license_key: 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
+ server_api_secret: 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
+ template:
+ metadata:
+ annotations:
+ argocd.argoproj.io/sync-options: Prune=false
+ sealedsecrets.bitnami.com/cluster-wide: "true"
+ sealedsecrets.bitnami.com/managed: "true"
+ creationTimestamp: null
+ name: renovate-secrets
+ namespace: renovate
+ type: Opaque
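Review bot: resources/app-secrets/env/k3s-cluster/templates/renovate.yaml seals `renovate-secrets` with `sealedsecrets.bitnami.com/cluster-wide: "true"`, both on the SealedSecret and in its template, which removes the binding between the ciphertext and its name and namespace. With that scope the controller will unseal these eight values under any name in any namespace, so the `renovate` namespace boundary no longer protects the GitHub PAT, webhook secret and database password once the ciphertext is in the repository. The name and namespace are fixed here, so I would re-seal with the default strict scope (`kubeseal --scope strict`) and drop both `cluster-wide` annotations; `sealedsecrets.bitnami.com/namespace-wide: "true"` is the middle ground if only the name has to stay flexible.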