bjw-s-labs · bjw-s · Sep 30, 2024 · Sep 30, 2024 · Sep 30, 2024 · Sep 30, 2024
diff --git a/kubernetes/main/apps/media/piped/app/externalsecret.yaml b/kubernetes/main/apps/media/piped/app/externalsecret.yaml
@@ -3,19 +3,32 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
-  name: piped-db
+  name: piped
 spec:
   refreshInterval: 1m
   secretStoreRef:
     name: crunchy-pgo-secrets
     kind: ClusterSecretStore
   target:
-    name: piped-db-secret
+    name: piped-secret
     template:
       type: Opaque
       data:
-        user: '{{ index . "user" }}'
-        password: '{{ index . "password" }}'
+        config.properties: |
+          API_URL: https://piped-api.bjw-s.dev
+          COMPROMISED_PASSWORD_CHECK: true
+          DISABLE_REGISTRATION: true
+          FEED_RETENTION: 30
+          FRONTEND_URL: https://piped.bjw-s.dev
+          HTTP_WORKERS: 4
+          MATRIX_SERVER: https://matrix-client.matrix.org
+          PORT: 8080
+          PROXY_PART: https://piped-proxy.bjw-s.dev
+          SENTRY_DSN:
+          hibernate.connection.driver_class: org.postgresql.Driver
+          hibernate.connection.url: jdbc:postgresql://{{ index . "host" }}:5432/{{ index . "dbname" }}
+          hibernate.connection.username: {{ index . "user" }}
+          hibernate.connection.password: {{ index . "password" }}
   dataFrom:
     - extract:
         key: postgres-pguser-piped
diff --git a/kubernetes/main/apps/media/piped/app/helmrelease.yaml b/kubernetes/main/apps/media/piped/app/helmrelease.yaml
@@ -1,103 +1,191 @@
 ---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: piped
 spec:
   chart:
     spec:
-      chart: piped
-      version: 6.0.2
+      chart: app-template
+      version: 3.4.0
       interval: 30m
       sourceRef:
         kind: HelmRepository
-        name: piped
+        name: bjw-s
+        namespace: flux-system
   interval: 30m
   values:
-    automountServiceAccountToken: false
+    defaultPodOptions:
+      automountServiceAccountToken: false
 
-    postgresql:
-      enabled: false
+    controllers:
+      backend:
+        strategy: RollingUpdate
+        annotations:
+          secret.reloader.stakater.com/reload: piped-secret
 
-    backend:
-      annotations:
-        configmap.reloader.stakater.com/reload: piped-backend-config
-      config:
-        PORT: 8080
-        HTTP_WORKERS: 4
-        API_URL: https://piped-api.bjw-s.dev
-        PROXY_PART: "https://piped-proxy.bjw-s.dev"
-        DISABLE_REGISTRATION: true
-        database:
-          connection_url: jdbc:postgresql://postgres-primary.database.svc.cluster.local:5432/piped
-          driver_class: org.postgresql.Driver
-          secret:
-            name: piped-db-secret
-            username: user
-            password: password
-      podSecurityContext:
-        runAsUser: &uid 1000
-        runAsGroup: *uid
-        fsGroup: *uid
-        fsGroupChangePolicy: Always
-      resources:
-        requests:
-          cpu: 10m
-          memory: 500Mi
-        limits:
-          memory: 2000Mi
+        pod:
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 1000
+            fsGroup: 1000
+            fsGroupChangePolicy: "OnRootMismatch"
+
+        containers:
+          app:
+            image:
+              repository: 1337kavin/piped
+              tag: latest@sha256:e9938cdda0745c4986d4add0f255777d3989849b851f290d94a4ab2b21c25384
+            probes:
+              liveness:
+                enabled: true
+              readiness:
+                enabled: true
+            resources:
+              requests:
+                cpu: 10m
+                memory: 500Mi
+              limits:
+                memory: 2000Mi
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                  - ALL
+              seccompProfile:
+                type: RuntimeDefault
+
+      frontend:
+        strategy: RollingUpdate
+        containers:
+          app:
+            image:
+              repository: 1337kavin/piped-frontend
+              tag: latest@sha256:52b25c68813c8586acd76b6bddf83da4a509b0d83b5ad27c2bd8358a657080ba
+            command:
+              - /bin/ash
+              - -c
+            args:
+              - |
+                sed -i s/pipedapi.kavin.rocks/$BACKEND_HOSTNAME/g /usr/share/nginx/html/assets/* &&
+                sed -i 's/80;/8080;/g' /etc/nginx/conf.d/default.conf &&
+                sed -i 's/worker_processes  auto;/worker_processes  4;/g' /etc/nginx/nginx.conf &&
+                /docker-entrypoint.sh nginx -g 'daemon off;'
+            env:
+              BACKEND_HOSTNAME: piped-api.bjw-s.dev
+            probes:
+              liveness:
+                enabled: true
+              readiness:
+                enabled: true
+            resources:
+              requests:
+                cpu: 10m
+                memory: 32Mi
+              limits:
+                memory: 256Mi
 
-    frontend:
-      env:
-        BACKEND_HOSTNAME: piped-api.bjw-s.dev
-      args:
-        - -c
-        - |
-            sed -i s/pipedapi.kavin.rocks/$BACKEND_HOSTNAME/g /usr/share/nginx/html/assets/* &&
-            sed -i 's/80;/8080;/g' /etc/nginx/conf.d/default.conf &&
-            /docker-entrypoint.sh nginx -g 'daemon off;'
-      service:
-        main:
-          ports:
-            http:
-              port: 8080
-      resources:
-        requests:
-          cpu: 10m
-          memory: 32Mi
-        limits:
-          memory: 256Mi
+      ytproxy:
+        strategy: RollingUpdate
+        pod:
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 1000
+            fsGroup: 1000
+            fsGroupChangePolicy: "OnRootMismatch"
+
+        containers:
+          app:
+            image:
+              repository: 1337kavin/piped-proxy
+              tag: latest@sha256:9a0547e412cbb87e0dc8c94a44ea81811541c9d1535b57a9a144901662df94b7
+            command:
+              - /app/piped-proxy
+            probes:
+              liveness:
+                enabled: true
+              readiness:
+                enabled: true
+            resources:
+              requests:
+                cpu: 10m
+                memory: 500Mi
+              limits:
+                memory: 2000Mi
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                  - ALL
+              seccompProfile:
+                type: RuntimeDefault
+
+    service:
+      backend:
+        controller: backend
+        ports:
+          http:
+            port: 8080
+      frontend:
+        controller: frontend
+        ports:
+          http:
+            port: 8080
+      ytproxy:
+        controller: ytproxy
+        ports:
+          http:
+            port: 8080
 
     ingress:
-      main:
-        ingressClassName: "internal-nginx"
+      backend:
         annotations:
           external-dns.alpha.kubernetes.io/target: ingress-int.bjw-s.dev
           nginx.ingress.kubernetes.io/enable-cors: "true"
           nginx.ingress.kubernetes.io/cors-allow-origin: "https://piped.bjw-s.dev, https://piped-api.bjw-s.dev, https://piped-proxy.bjw-s.dev"
+        className: "internal-nginx"
         hosts:
-          - host: piped.bjw-s.dev
+          - host: piped-api.bjw-s.dev
             paths:
-              - path: "/"
-
-      backend:
-        ingressClassName: "internal-nginx"
+              - path: /
+                service:
+                  identifier: backend
+                  port: http
+      frontend:
         annotations:
           external-dns.alpha.kubernetes.io/target: ingress-int.bjw-s.dev
           nginx.ingress.kubernetes.io/enable-cors: "true"
           nginx.ingress.kubernetes.io/cors-allow-origin: "https://piped.bjw-s.dev, https://piped-api.bjw-s.dev, https://piped-proxy.bjw-s.dev"
+        className: "internal-nginx"
         hosts:
-          - host: piped-api.bjw-s.dev
+          - host: piped.bjw-s.dev
             paths:
-              - path: "/"
-
+              - path: /
+                service:
+                  identifier: frontend
+                  port: http
       ytproxy:
-        ingressClassName: "internal-nginx"
         annotations:
           external-dns.alpha.kubernetes.io/target: ingress-int.bjw-s.dev
           nginx.ingress.kubernetes.io/enable-cors: "true"
           nginx.ingress.kubernetes.io/cors-allow-origin: "https://piped.bjw-s.dev, https://piped-api.bjw-s.dev, https://piped-proxy.bjw-s.dev"
+        className: "internal-nginx"
         hosts:
           - host: piped-proxy.bjw-s.dev
             paths:
-              - path: "/"
+              - path: /
+                service:
+                  identifier: ytproxy
+                  port: http
+
+    persistence:
+      config:
+        type: secret
+        name: piped-secret
+        advancedMounts:
+          backend:
+            app:
+              - path: /app/config.properties
+                subPath: config.properties
+                readOnly: true
diff --git a/kubernetes/main/apps/media/piped/app/helmrepository.yaml b/kubernetes/main/apps/media/piped/app/helmrepository.yaml
diff --git a/kubernetes/main/apps/media/piped/app/kustomization.yaml b/kubernetes/main/apps/media/piped/app/kustomization.yaml
@@ -4,5 +4,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./externalsecret.yaml
-  - ./helmrepository.yaml
   - ./helmrelease.yaml