Merge pull request #236 from razorsk8jz/helm-charts

Helm-Charts

Author: 0xfurai

charts/Chart.yaml

@@ -0,0 +1,13 @@
+apiVersion: v2
+name: peekaping
+version: 1.0.0
+dependencies:
+- name: redis
+  version: 24.0.0
+  repository: oci://registry-1.docker.io/bitnamicharts
+  condition: redis.enabled
+
+- name: postgresql
+  version: 18.1.13
+  repository: oci://registry-1.docker.io/bitnamicharts
+  condition: postgresql.enabled

charts/templates/api-deploy.yaml

@@ -0,0 +1,117 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}-api
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ .Release.Name }}-api
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/component: api
+spec:
+  replicas: {{ .Values.api.replicaCount }}
+
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}-api
+
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}-api
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        app.kubernetes.io/name: {{ .Release.Name }}
+        app.kubernetes.io/component: api
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }}
+      
+      {{- if .Values.api.apparmor.enabled }}
+        container.apparmor.security.beta.kubernetes.io/{{ .Release.Name }}-api: runtime/default
+      {{- end }}
+
+    spec:
+      # Run with a dedicated ServiceAccount (create below)
+      serviceAccountName: {{ .Release.Name }}-sa
+      automountServiceAccountToken: false
+
+      # Spread replicas across nodes/azs if possible
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: ScheduleAnyway
+          labelSelector:
+            matchLabels:
+              app: {{ .Release.Name }}-api
+
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 10001
+        runAsGroup: 10001
+        fsGroup: 10001
+        seccompProfile:
+          type: RuntimeDefault
+
+      containers:
+        - name: {{ .Release.Name }}-api
+          image: {{ .Values.api.image.repository }}:{{ .Values.api.image.tag }}
+          imagePullPolicy: {{ .Values.api.image.pullPolicy }}
+
+          envFrom:
+            - configMapRef:
+                name: {{ .Release.Name }}-config
+            {{- if .Values.config.existingSecret }}
+            - secretRef:
+                name: {{ .Values.config.existingSecret }}
+            {{- end }}
+
+          ports:
+            - containerPort: {{ .Values.api.service.port }}
+              name: http
+
+          # Resource requests/limits to prevent noisy neighbor + OOM loops
+          resources:
+            requests:
+              cpu: {{ .Values.api.resources.requests.cpu }}
+              memory: {{ .Values.api.resources.requests.memory }}
+            limits:
+              cpu: {{ .Values.api.resources.limits.cpu }}
+              memory: {{ .Values.api.resources.limits.memory }}
+
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            privileged: false
+            capabilities:
+              drop: ["ALL"]
+
+          readinessProbe:
+            httpGet:
+              path: {{ .Values.api.probes.path }}
+              port: {{ .Values.api.service.port }}
+            initialDelaySeconds: {{ .Values.api.probes.readiness.initialDelaySeconds }}
+            periodSeconds: {{ .Values.api.probes.readiness.periodSeconds }}
+            timeoutSeconds: {{ .Values.api.probes.readiness.timeoutSeconds }}
+            failureThreshold: {{ .Values.api.probes.readiness.failureThreshold }}
+
+          livenessProbe:
+            httpGet:
+              path: {{ .Values.api.probes.path }}
+              port: {{ .Values.api.service.port }}
+            initialDelaySeconds: {{ .Values.api.probes.liveness.initialDelaySeconds }}
+            periodSeconds: {{ .Values.api.probes.liveness.periodSeconds }}
+            timeoutSeconds: {{ .Values.api.probes.liveness.timeoutSeconds }}
+            failureThreshold: {{ .Values.api.probes.liveness.failureThreshold }}
+
+          startupProbe:
+            httpGet:
+              path: {{ .Values.api.probes.path }}
+              port: {{ .Values.api.service.port }}
+            failureThreshold: {{ .Values.api.probes.startup.failureThreshold }}
+            periodSeconds: {{ .Values.api.probes.startup.periodSeconds }}

charts/templates/api-service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}-api
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    app: {{ .Release.Name }}-api
+  ports:
+    - name: http
+      port: {{ .Values.api.service.port }}
+      targetPort: {{ .Values.api.service.port }}

charts/templates/config.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-config
+  namespace: {{ .Release.Namespace }}
+data:
+  {{- range $k, $v := .Values.config.env }}
+  {{ $k }}: {{ $v | quote }}
+  {{- end }}

charts/templates/gateway.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.istio.gateway.enabled }}
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+  name: {{ .Release.Name }}-gateway
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    istio: {{ .Values.istio.gateway.selector }}   # must match labels on istio-ingressgateway pods
+  servers:
+  - port:
+      number: {{ .Values.istio.gateway.port }}
+      name: {{ .Values.istio.gateway.name }}
+      protocol: {{ .Values.istio.gateway.protocol }}
+    hosts:
+    - {{ .Values.ingress.host }}
+{{- end }}

charts/templates/ingester-deploy.yaml

@@ -0,0 +1,86 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}-ingester
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ .Release.Name }}-ingester
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/component: ingester
+spec:
+  replicas: {{ .Values.ingester.replicaCount }}
+
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}-ingester
+
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}-ingester
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        app.kubernetes.io/name: {{ .Release.Name }}
+        app.kubernetes.io/component: ingester
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }}
+        {{- if .Values.ingester.apparmor.enabled }}
+        container.apparmor.security.beta.kubernetes.io/{{ .Release.Name }}-ingester: runtime/default
+        {{- end }}
+
+    spec:
+      serviceAccountName: {{ .Release.Name }}-sa
+      automountServiceAccountToken: false
+
+      # Spread replicas across nodes/azs if possible
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: ScheduleAnyway
+          labelSelector:
+            matchLabels:
+              app: {{ .Release.Name }}-ingester
+
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 10001
+        runAsGroup: 10001
+        fsGroup: 10001
+        seccompProfile:
+          type: RuntimeDefault
+
+      containers:
+        - name: {{ .Release.Name }}-ingester
+          image: {{ .Values.ingester.image.repository }}:{{ .Values.ingester.image.tag }}
+          imagePullPolicy: {{ .Values.ingester.image.pullPolicy }}
+
+          envFrom:
+            - configMapRef:
+                name: {{ .Release.Name }}-config
+            {{- if .Values.config.existingSecret }}
+            - secretRef:
+                name: {{ .Values.config.existingSecret }}
+            {{- end }}
+
+          # Resource requests/limits to prevent noisy neighbor + OOM loops          
+          resources:
+            requests:
+              cpu: {{ .Values.ingester.resources.requests.cpu }}
+              memory: {{ .Values.ingester.resources.requests.memory }}
+            limits:
+              cpu: {{ .Values.ingester.resources.limits.cpu }}
+              memory: {{ .Values.ingester.resources.limits.memory }}
+
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            privileged: false
+            capabilities:
+              drop: ["ALL"]

charts/templates/ingress.yaml

@@ -0,0 +1,57 @@
+{{ if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+{{- with .Values.ingress.annotations }}
+  annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+  labels:
+    app: {{ .Release.Name }}-ingress
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/component: ingress
+  name: {{ .Release.Name }}-ingress
+  namespace: {{ .Values.ingress.namespace | default .Release.Namespace }}
+spec:
+  ingressClassName: {{ .Values.ingress.ingressClassName }}
+  rules:
+  - host: {{ .Values.ingress.host }}
+    http:
+      paths:
+      {{- if not .Values.istio.virtualservice.enabled }}
+      - path: /api
+        pathType: Prefix
+        backend:
+          service:
+            name: {{ .Release.Name }}-api
+            port:
+              number: {{ .Values.api.service.port }}
+      - path: /socket.io
+        pathType: Prefix
+        backend:
+          service:
+            name: {{ .Release.Name }}-api
+            port:
+              number: {{ .Values.api.service.port }}
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: {{ .Release.Name }}-web
+            port:
+              number: {{ .Values.web.service.port }}
+      {{- end }}
+      {{- if .Values.istio.virtualservice.enabled }}
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: {{ .Values.istio.ingress.name }}
+            port:
+              number: {{ .Values.istio.ingress.port }}
+      {{- end }}
+  tls:
+  - hosts:
+    - {{ .Values.ingress.host }}
+{{ end }}

charts/templates/migrate-job.yaml

@@ -0,0 +1,69 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ .Release.Name }}-migrate
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: migrate
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/component: migrate
+spec:
+  backoffLimit: {{ .Values.migrate.backoffLimit }}
+  activeDeadlineSeconds: {{ .Values.migrate.activeDeadlineSeconds }}
+  ttlSecondsAfterFinished: {{ .Values.migrate.ttlSecondsAfterFinished }}
+
+  template:
+    metadata:
+      labels:
+        app: migrate
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        app.kubernetes.io/name: {{ .Release.Name }}
+        app.kubernetes.io/component: migrate
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }}
+        {{- if .Values.migrate.apparmor.enabled }}
+        container.apparmor.security.beta.kubernetes.io/{{ .Release.Name }}-migrate: runtime/default
+        {{- end }}
+    spec:
+      restartPolicy: OnFailure
+
+      serviceAccountName: {{ .Release.Name }}-sa
+      automountServiceAccountToken: false
+
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 10001
+        runAsGroup: 10001
+        fsGroup: 10001
+        seccompProfile:
+          type: RuntimeDefault
+
+      containers:
+        - name: {{ .Release.Name }}-migrate
+          image: {{ .Values.migrate.image.repository }}:{{ .Values.migrate.image.tag }}
+          imagePullPolicy: {{ .Values.migrate.image.pullPolicy }}
+
+          envFrom:
+            - configMapRef:
+                name: {{ .Release.Name }}-config
+            {{- if .Values.config.existingSecret }}
+            - secretRef:
+                name: {{ .Values.config.existingSecret }}
+            {{- end }}
+
+          resources:
+            requests:
+              cpu: {{ .Values.migrate.resources.requests.cpu }}
+              memory: {{ .Values.migrate.resources.requests.memory }}
+            limits:
+              cpu: {{ .Values.migrate.resources.limits.cpu }}
+              memory: {{ .Values.migrate.resources.limits.memory }}
+
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            privileged: false
+            capabilities:
+              drop: ["ALL"]