helmrelease.yaml
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/app-template-3.6.0/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
# Flux HelmRelease that deploys Tandoor Recipes through the bjw-s app-template
# chart. `${...}` tokens are placeholders filled in before this manifest is
# applied (the substitution mechanism is not shown in this file); `$(...)`
# tokens inside env values are Kubernetes references to other env vars of the
# same container.
# NOTE(review): the nesting below follows the app-template 3.x values layout;
# the listing this was taken from carried no indentation, so confirm it
# against the repository copy.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: tandoor
  namespace: tandoor
spec:
  chart:
    spec:
      chart: app-template
      version: 3.6.0
      reconcileStrategy: ChartVersion
      sourceRef:
        kind: HelmRepository
        namespace: flux-system
        name: bjw-s
  interval: 1h
  # With mode `enabled`, Flux corrects in-cluster changes that diverge from
  # this release instead of only reporting them.
  driftDetection:
    mode: enabled
  values:
    controllers:
      tandoor:
        strategy: RollingUpdate
        containers:
          app:
            image:
              repository: ghcr.io/tandoorrecipes/recipes
              # Tag plus digest: the digest fixes the exact image content, the
              # tag is informational. Both must be bumped together on update.
              tag: 1.5.27@sha256:05561e2f4b0f808337477bfdf5db087e4e21e7bea77ad05e13ada589bd76701d
            # NOTE(review): SECRET_KEY, S3_ACCESS_KEY, S3_SECRET_ACCESS_KEY and
            # OAUTH_CLIENT_SECRET are set as literal env values from `${...}`
            # placeholders, whereas POSTGRES_PASSWORD is read through
            # secretKeyRef. Once substituted, literal values are part of the
            # HelmRelease values and of the rendered pod spec, so anyone
            # allowed to read those objects can read the secrets. Prefer
            # secretKeyRef for these as well.
            env:
              TZ: America/Chicago
              SECRET_KEY: ${secret_key}
              GUNICORN_WORKERS: "1"
              FRACTION_PREF_DEFAULT: "1"
              # Presumably turns Django debug mode off; keep it off on any
              # instance reachable through the ingress below.
              DEBUG: "0"
              DB_ENGINE: django.db.backends.postgresql
              POSTGRES_HOST: postgresql-rw
              POSTGRES_DB: tandoor
              POSTGRES_USER: tandoor
              # Read from the `postgresql-app` Secret at pod start, so the
              # password never appears in this manifest.
              POSTGRES_PASSWORD:
                secretKeyRef:
                  name: postgresql-app
                  key: password
              S3_ENDPOINT_URL: ${s3_url}
              S3_ACCESS_KEY: ${s3_access_key}
              S3_SECRET_ACCESS_KEY: ${s3_secret_key}
              S3_BUCKET_NAME: tandoor
              S3_REGION_NAME: us-central-1
              OAUTH_ID: authentik
              OAUTH_NAME: Authentik
              OAUTH_SERVER_URL: https://${oauth_host}/application/o/tandoor-recipes/.well-known/openid-configuration
              OAUTH_CLIENT_ID: ${oauth_client_id}
              OAUTH_CLIENT_SECRET: ${oauth_client_secret}
              SOCIAL_PROVIDERS: allauth.socialaccount.providers.openid_connect
              # JSON for the allauth openid_connect provider, assembled from
              # the OAUTH_* variables through Kubernetes `$(VAR)` expansion.
              # The values are inserted without JSON escaping, so a `"` or `\`
              # in any of them would corrupt the document.
              # NOTE(review): the expanded value embeds the OAuth client secret
              # a second time in the container environment.
              # NOTE(review): `$(VAR)` only resolves variables defined earlier
              # in the rendered env list, and dependsOn names only OAUTH_ID
              # although five OAUTH_* variables are referenced; presumably the
              # chart's env ordering already places the others first. Confirm
              # on the rendered manifest.
              # language=json
              SOCIALACCOUNT_PROVIDERS:
                value: |-
                  {"openid_connect":{"SERVERS":[{"id": "$(OAUTH_ID)","name": "$(OAUTH_NAME)","server_url": "$(OAUTH_SERVER_URL)","token_auth_method": "client_secret_basic","APP": {"client_id": "$(OAUTH_CLIENT_ID)","secret": "$(OAUTH_CLIENT_SECRET)"}}]}}
                dependsOn: OAUTH_ID
            probes:
              # 30 failures at a 5 s period gives the app up to 150 s to start
              # before the startup probe gives up.
              startup:
                enabled: true
                spec:
                  failureThreshold: 30
                  periodSeconds: 5
              liveness:
                enabled: true
              readiness:
                enabled: true
            # The root filesystem is read-only; writable paths come from the
            # emptyDir volumes under `persistence`.
            # NOTE(review): allowPrivilegeEscalation: false and
            # capabilities.drop: [ALL] are not set here. Unless chart defaults
            # or namespace policy add them, consider setting them explicitly.
            securityContext:
              readOnlyRootFilesystem: true
        pod:
          # Stops Kubernetes from injecting env vars for every Service in the
          # namespace into the container.
          enableServiceLinks: false
          # NOTE(review): these labels presumably opt the pod into
          # NetworkPolicies defined elsewhere (same-namespace egress, egress
          # to the internet, ingress from the ingress controller). Confirm
          # which policies select them and that each is needed.
          labels:
            policy.gabe565.com/egress-namespace: "true"
            policy.gabe565.com/egress-world: "true"
            policy.gabe565.com/ingress-ingress: "true"
          # Runs as UID/GID 65534 (conventionally `nobody`), a non-root ID.
          # NOTE(review): runAsNonRoot: true and a seccompProfile of type
          # RuntimeDefault are not set here; consider adding both so the
          # non-root guarantee does not depend on runAsUser alone.
          securityContext:
            runAsUser: 65534
            runAsGroup: 65534
            fsGroup: 65534
    service:
      tandoor:
        controller: tandoor
        ports:
          http:
            port: 8080
    persistence:
      # emptyDir volumes are recreated empty with each pod, so nothing under
      # these paths survives a restart.
      static:
        enabled: true
        type: emptyDir
        globalMounts:
          - path: /opt/recipes/staticfiles
            subPath: staticfiles
          - path: /opt/recipes/cookbook/static/django_js_reverse
            subPath: django_js_reverse
      # No globalMounts given; the mount path is left to the chart default
      # (presumably /tmp, confirm on the rendered manifest).
      tmp:
        enabled: true
        type: emptyDir
    ingress:
      tandoor:
        enabled: true
        hosts:
          - host: ${app_url}
            paths:
              - path: /
                # Anchored so the redirect-login ingress can reuse the same
                # backend definition.
                service: &svc
                  identifier: tandoor
                  port: http
        tls: &tls
          - secretName: ${certificate_name}
            hosts:
              - ${app_url}
      # Second ingress for the same host that sends /accounts/login to the
      # OIDC login URL; the `authentik` path segment matches OAUTH_ID above.
      # NOTE(review): this is a redirect on one path, not an access control.
      # Other account endpoints served through the `tandoor` ingress stay
      # reachable, so local login or signup must be disabled in the
      # application configuration if single sign-on is meant to be mandatory.
      redirect-login:
        enabled: true
        annotations:
          nginx.ingress.kubernetes.io/temporal-redirect: https://${app_url}/accounts/oidc/authentik/login
        hosts:
          - host: ${app_url}
            paths:
              - path: /accounts/login
                service: *svc
        tls: *tls