Lite refactor

Reviewed-on: #57

kubernetes-templates/dashy.yaml

@@ -1,168 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: dashy
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: dashy-sa
-  namespace: dashy
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: dashy-role
-  namespace: dashy
-rules:
-- apiGroups: [""]
-  resources: ["pods", "services", "endpoints"]
-  verbs: ["get", "list", "watch"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: dashy-rolebinding
-  namespace: dashy
-subjects:
-- kind: ServiceAccount
-  name: dashy-sa
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: dashy-role
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: dashy-config-pv
-  labels:
-    type: local
-spec:
-  capacity:
-    storage: 1Gi
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: local-pvs
-  local:
-    path: /home/ansible/k3s/makhiwane/dashy
-  nodeAffinity:
-    required:
-      nodeSelectorTerms:
-        - matchExpressions:
-            - key: kubernetes.io/hostname
-              operator: In
-              values:
-                - lead
-  persistentVolumeReclaimPolicy: Retain
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: dashy-config-pvc
-  namespace: dashy
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: local-pvs
-  resources:
-    requests:
-      storage: 1Gi
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: dashy-pvc
-  namespace: dashy
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: local-pvs
-  resources:
-    requests:
-      storage: 1Gi
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: dashy
-  namespace: dashy
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: dashy
-  template:
-    metadata:
-      labels:
-        app: dashy
-    spec:
-      serviceAccountName: dashy-sa
-      containers:
-        - name: dashy
-          image: lissy93/dashy:latest
-          ports:
-            - containerPort: 8080
-          resources:
-            requests:
-              cpu: "100m"
-              memory: "128Mi"
-            limits:
-              cpu: "250m"
-              memory: "256Mi"
-          volumeMounts:
-            - name: dashy-config
-              mountPath: /app/data
-          startupProbe:
-            httpGet:
-              path: /
-              port: 8080
-            initialDelaySeconds: 300
-            periodSeconds: 10
-            failureThreshold: 18
-            timeoutSeconds: 10
-          readinessProbe:
-            httpGet:
-              path: /
-              port: 8080
-            initialDelaySeconds: 300
-            periodSeconds: 10
-            failureThreshold: 18
-            timeoutSeconds: 10
-      volumes:
-        - name: dashy-config
-          persistentVolumeClaim:
-            claimName: dashy-config-pvc
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: dashy
-  namespace: dashy
-spec:
-  type: ClusterIP
-  selector:
-    app: dashy
-  ports:
-    - name: web
-      protocol: TCP
-      port: 80
-      targetPort: 8080
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: dashy-web
-  namespace: dashy
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`dashboard.apps.mngoma.lab`)
-      kind: Rule
-      services:
-        - name: dashy
-          port: 80
-          scheme: http
-  tls: {}

kubernetes-templates/droneci.yml

@@ -1,331 +1,172 @@
 --- 
-# Namespace for Drone CI
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: droneci
-
+  name: drone-ci
 ---
-# Service Account
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: droneci-sa
-  namespace: droneci
-
+  name: drone-runner-sa
+  namespace: drone-ci
 ---
-# ConfigMap for Drone configuration
-apiVersion: v1
-kind: ConfigMap
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
 metadata:
-  name: droneci-config
-  namespace: droneci
-data:
-  server.domain: "droneci.apps.mngoma.lab"
-  server.proto: "https"
-  server.runnername: "drone-runner"
-  server.runnercapacity: "2"
-  server.runnernetworks: "default"
-  database.type: "postgres"
-  database.host: "192.168.1.137:5432"
-  database.name: "dronecim"
-  gitea.server: "https://gitea.apps.mngoma.lab"
-  gitea.server.internal: "https://gitea-server.gitea.svc.cluster.local"
-
+  name: drone-runner-role
+  namespace: drone-ci
+rules:
+  - apiGroups: [""]
+    resources: ["pods", "pods/log", "secrets"]
+    verbs: ["get", "create", "delete", "list", "watch", "update"]
 ---
-# Secret for Drone credentials
-apiVersion: v1
-kind: Secret
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
 metadata:
-  name: droneci-secret
-  namespace: droneci
-type: Opaque
-data:
-  server.rpctoken: MDFLNlFHTkE4VEMxQjJGVzNGV0JSWDJFNE4=
-  database.username: YXBwX3VzZXI=
-  database.password: MTIzNDU=
-  database.connectstring: cG9zdGdyZXM6Ly9hcHBfdXNlcjoxMjM0NUAxOTIuMTY4LjEuMTM3OjU0MzIvZHJvbmVjaW0/c3NsbW9kZT1kaXNhYmxl
-  gitea.clientid: MGRiNTliZDAtMGI3Ni00ODgxLThhODQtNjI0N2ZlYTExOTcz
-  gitea.clientsecret: Z3RvX3l6bXB6NmJvZG52cmRnMnM1MmVmNWF1c3ozZTYzNGdyeTc0MjJqZ2hwd3ZnbGc2M2JtcnE=
-
+  name: drone-runner-rb
+  namespace: drone-ci
+subjects:
+  - kind: ServiceAccount
+    name: drone-runner-sa
+    namespace: drone-ci
+roleRef:
+  kind: Role
+  name: drone-runner-role
+  apiGroup: rbac.authorization.k8s.io
 ---
-# Persistent Volume for Drone data
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: droneci-pv
-  labels:
-    type: local
-spec:
-  capacity:
-    storage: 5Gi
-  accessModes: ["ReadWriteOnce"]
-  storageClassName: local-pvs
-  local:
-    path: /home/ansible/k3s/makhiwane/droneci
-  nodeAffinity:
-    required:
-      nodeSelectorTerms:
-        - matchExpressions:
-            - key: kubernetes.io/hostname
-              operator: In
-              values: ["lead"]
-  persistentVolumeReclaimPolicy: Retain
-
----
-# Persistent Volume Claim
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: droneci-pvc
-  namespace: droneci
+  name: drone-server-data-pvc
+  namespace: drone-ci
 spec:
-  accessModes: ["ReadWriteOnce"]
-  storageClassName: local-pvs
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: nfs-storage
   resources:
     requests:
       storage: 5Gi
-
 ---
-# Drone Server Deployment
+apiVersion: v1
+kind: Secret
+metadata:
+  name: drone-secrets
+  namespace: drone-ci
+type: Opaque
+stringData:
+  DRONE_RPC_SECRET: "b505b2906ae213070b10d9698cc35e84"
+  DRONE_GITEA_CLIENT_ID: "a9b4a947-0b4c-4782-a5f8-3ed79a4b295d"
+  DRONE_GITEA_CLIENT_SECRET: "gto_ukxcserdy7vei36git4tbuz2tdyez4rb2eo5woownmtyct3lz3aq"
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: drone
-  namespace: droneci
-  labels:
-    app.kubernetes.io/name: drone
+  name: drone-server
+  namespace: drone-ci
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app.kubernetes.io/name: drone
+      app: drone-server
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: drone
+        app: drone-server
     spec:
-      serviceAccountName: droneci-sa
       hostAliases:
-        - ip: "192.168.1.160"
-          hostnames:
-            - "gitea.apps.mngoma.lab"
+        - ip: "169.255.58.144"
+          hostnames: ["gitea.khongisa.co.za"]
       containers:
-        - name: drone
-          image: drone/drone:latest
+        - name: drone-server
+          image: drone/drone:2
           ports:
             - containerPort: 80
               name: http
           resources:
             requests:
+              cpu: "100m"
               memory: "256Mi"
-              cpu: "250m"
             limits:
-              memory: "512Mi"
               cpu: "500m"
+              memory: "512Mi"
           env:
-            - name: DRONE_SERVER_HOST
-              valueFrom:
-                configMapKeyRef:
-                  name: droneci-config
-                  key: server.domain
-            - name: DRONE_SERVER_PROTO
-              valueFrom:
-                configMapKeyRef:
-                  name: droneci-config
-                  key: server.proto
-            - name: DRONE_SERVER_PORT
+            # FIX: Explicitly bind the address to bypass port validation logic
+            - name: DRONE_SERVER_ADDR
               value: ":80"
-            - name: DRONE_TLS_AUTOCERT
-              value: "false"
-            - name: DRONE_LOGS_DEBUG
-              value: "true"
-            - name: DRONE_RPC_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: droneci-secret
-                  key: server.rpctoken
-            - name: DRONE_DATABASE_DRIVER
-              valueFrom:
-                configMapKeyRef:
-                  name: droneci-config
-                  key: database.type
-            - name: DRONE_DATABASE_DATASOURCE
-              valueFrom:
-                secretKeyRef:
-                  name: droneci-secret
-                  key: database.connectstring
-            - name: DRONE_DB_USER
-              valueFrom:
-                secretKeyRef:
-                  name: droneci-secret
-                  key: database.username
-            - name: DRONE_DB_PASS
-              valueFrom:
-                secretKeyRef:
-                  name: droneci-secret
-                  key: database.password
+            - name: DRONE_SERVER_HOST
+              value: "drone.khongisa.co.za"
+            - name: DRONE_SERVER_PROTO
+              value: "https"
             - name: DRONE_GITEA_SERVER
-              valueFrom:
-                configMapKeyRef:
-                  name: droneci-config
-                  key: gitea.server
+              value: "https://gitea.khongisa.co.za"
+            - name: DRONE_RPC_SECRET
+              valueFrom: { secretKeyRef: { name: drone-secrets, key: DRONE_RPC_SECRET } }
             - name: DRONE_GITEA_CLIENT_ID
-              valueFrom:
-                secretKeyRef:
-                  name: droneci-secret
-                  key: gitea.clientid
+              valueFrom: { secretKeyRef: { name: drone-secrets, key: DRONE_GITEA_CLIENT_ID } }
             - name: DRONE_GITEA_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: droneci-secret
-                  key: gitea.clientsecret
-            - name: DRONE_GITEA_SKIP_VERIFY
-              value: "true"
+              valueFrom: { secretKeyRef: { name: drone-secrets, key: DRONE_GITEA_CLIENT_SECRET } }
+            - name: DRONE_DATABASE_DRIVER
+              value: "sqlite3"
+            - name: DRONE_DATABASE_DATASOURCE
+              value: "/data/database.sqlite"
           volumeMounts:
-            - name: drone-storage
+            - name: data
               mountPath: /data
       volumes:
-        - name: drone-storage
+        - name: data
           persistentVolumeClaim:
-            claimName: droneci-pvc
-
+            claimName: drone-server-data-pvc
 ---
-# Drone Server Service
-apiVersion: v1
-kind: Service
-metadata:
-  name: drone-server
-  namespace: droneci
-spec:
-  selector:
-    app.kubernetes.io/name: drone
-  ports:
-    - name: http
-      port: 80
-      targetPort: 80
-  type: ClusterIP
-
----
-# Drone Runner Deployment
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: drone-runner
-  namespace: droneci
-  labels:
-    app.kubernetes.io/name: drone-runner
+  namespace: drone-ci
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app.kubernetes.io/name: drone-runner
+      app: drone-runner
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: drone-runner
+        app: drone-runner
     spec:
-      serviceAccountName: droneci-sa
+      serviceAccountName: drone-runner-sa
       hostAliases:
-        - ip: "192.168.1.160"
-          hostnames:
-            - "droneci.apps.mngoma.lab"
+        - ip: "169.255.58.144"
+          hostnames: ["gitea.khongisa.co.za"]
       containers:
-        - name: runner
+        - name: drone-runner
           image: drone/drone-runner-kube:latest
-          ports:
-            - containerPort: 3000
-          env:
-            # propagate SSL skip and internal Gitea to ephemeral pods
-            - name: DRONE_RUNNER_ENV_VARS
-              valueFrom:
-                configMapKeyRef:
-                  name: droneci-config
-                  key: gitea.server.internal
-            - name: DRONE_RPC_HOST
-              value: drone-server.droneci.svc.cluster.local
-            - name: DRONE_RPC_PROTO
-              value: "http"
-            - name: DRONE_RPC_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: droneci-secret
-                  key: server.rpctoken
-            - name: DRONE_RUNNER_NAME
-              valueFrom:
-                configMapKeyRef:
-                  name: droneci-config
-                  key: server.runnername
-            - name: DRONE_RUNNER_CAPACITY
-              valueFrom:
-                configMapKeyRef:
-                  name: droneci-config
-                  key: server.runnercapacity
-            - name: DRONE_RUNNER_NETWORKS
-              valueFrom:
-                configMapKeyRef:
-                  name: droneci-config
-                  key: server.runnernetworks
           resources:
             requests:
+              cpu: "100m"
               memory: "128Mi"
-              cpu: "200m"
             limits:
+              cpu: "300m"
               memory: "256Mi"
-              cpu: "400m"
-
+          env:
+            - name: DRONE_RPC_PROTO
+              value: "http"
+            - name: DRONE_RPC_HOST
+              value: "drone-server.drone-ci.svc.cluster.local"
+            - name: DRONE_RPC_SECRET
+              valueFrom: { secretKeyRef: { name: drone-secrets, key: DRONE_RPC_SECRET } }
+            - name: DRONE_NAMESPACE_DEFAULT
+              value: "drone-ci"
 ---
-# Drone IngressRoute for Traefik
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
+apiVersion: v1
+kind: Service
 metadata:
-  name: droneci-web
-  namespace: droneci
+  name: drone-server
+  namespace: drone-ci
 spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`droneci.apps.mngoma.lab`)
-      kind: Rule
-      services:
-        - name: drone-server
+  type: NodePort
+  selector:
+    app: drone-server
+  ports:
+    - name: http
       port: 80
-          scheme: http
-  tls: {}
----
-# ClusterRole for Drone CI Service Account
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: droneci-cluster-role
-rules:
-  - apiGroups: [""] # core API
-    resources: ["pods", "pods/exec", "pods/log", "services", "endpoints", "configmaps", "secrets", "persistentvolumeclaims", "namespaces"]
-    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-  - apiGroups: ["apps"]
-    resources: ["deployments", "replicasets", "statefulsets"]
-    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-  - apiGroups: ["batch"]
-    resources: ["jobs", "cronjobs"]
-    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-  - apiGroups: ["extensions", "networking.k8s.io"]
-    resources: ["ingresses"]
-    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-  - apiGroups: ["policy"]
-    resources: ["poddisruptionbudgets"]
-    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-
----
-# ClusterRoleBinding for Drone CI Service Account
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: droneci-cluster-rolebinding
-subjects:
-  - kind: ServiceAccount
-    name: droneci-sa
-    namespace: droneci
-roleRef:
-  kind: ClusterRole
-  name: droneci-cluster-role
-  apiGroup: rbac.authorization.k8s.io
+      targetPort: 80
+      nodePort: 31001

kubernetes-templates/flame.yml

@@ -1,170 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: flame
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: flame-sa
-  namespace: flame
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: flame-secret
-  namespace: flame
-type: Opaque
-data:
-  app.password: MTIzNDU=
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: flame-role
-  namespace: flame
-rules:
-- apiGroups: [""]
-  resources: ["pods", "services", "endpoints"]
-  verbs: ["get", "list", "watch"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: flame-rolebinding
-  namespace: flame
-subjects:
-- kind: ServiceAccount
-  name: flame-sa
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: flame-role
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: flame-config-pv
-  labels:
-    type: local
-spec:
-  capacity:
-    storage: 1Gi
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: local-pvs
-  local:
-    path: /home/ansible/k3s/makhiwane/flame
-  nodeAffinity:
-    required:
-      nodeSelectorTerms:
-        - matchExpressions:
-            - key: kubernetes.io/hostname
-              operator: In
-              values:
-                - lead
-  persistentVolumeReclaimPolicy: Retain
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: flame-config-pvc
-  namespace: flame
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: local-pvs
-  resources:
-    requests:
-      storage: 1Gi
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: flame
-  namespace: flame
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: flame
-  template:
-    metadata:
-      labels:
-        app: flame
-    spec:
-      serviceAccountName: flame-sa
-      containers:
-        - name: flame
-          image: pawelmalak/flame
-          env:
-            - name: PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: flame-secret
-                  key: app.password
-          ports:
-            - containerPort: 5005
-          resources:
-            requests:
-              cpu: "100m"
-              memory: "128Mi"
-            limits:
-              cpu: "250m"
-              memory: "256Mi"
-          volumeMounts:
-            - name: flame-config
-              mountPath: /app/data
-          startupProbe:
-            httpGet:
-              path: /
-              port: 5005
-            initialDelaySeconds: 60
-            periodSeconds: 10
-            failureThreshold: 10
-            timeoutSeconds: 5
-          readinessProbe:
-            httpGet:
-              path: /
-              port: 5005
-            initialDelaySeconds: 60
-            periodSeconds: 10
-            failureThreshold: 10
-            timeoutSeconds: 5
-      volumes:
-        - name: flame-config
-          persistentVolumeClaim:
-            claimName: flame-config-pvc
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: flame
-  namespace: flame
-spec:
-  type: ClusterIP
-  selector:
-    app: flame
-  ports:
-    - name: web
-      protocol: TCP
-      port: 80
-      targetPort: 5005
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: flame-web
-  namespace: flame
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`dashboard.apps.mngoma.lab`)
-      kind: Rule
-      services:
-        - name: flame
-          port: 80
-          scheme: http
-  tls: {}

kubernetes-templates/gitea.yml

@@ -1,208 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: gitea
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: gitea-sa
-  namespace: gitea
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: gitea-config
-  namespace: gitea
-data:
-  server.domain: "gitea.apps.mngoma.lab"
-  server.rooturl: "https://gitea.apps.mngoma.lab"
-  database.type: "postgres"
-  database.host: "192.168.1.137:5432"
-  database.name: "giteam"
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: gitea-secret
-  namespace: gitea
-type: Opaque
-data:
-  database.username: YXBwX3VzZXI=
-  database.password: MTIzNDU=
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: gitea-role
-  namespace: gitea
-rules:
-- apiGroups: [""]
-  resources: ["pods", "services", "endpoints", "persistentvolumeclaims", "configmaps", "secrets"]
-  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: gitea-rolebinding
-  namespace: gitea
-subjects:
-- kind: ServiceAccount
-  name: gitea-sa
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: gitea-role
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: gitea-pv
-  labels:
-    type: local
-spec:
-  capacity:
-    storage: 5Gi
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: local-pvs
-  local:
-    path: /home/ansible/k3s/makhiwane/gitea
-  nodeAffinity:
-    required:
-      nodeSelectorTerms:
-        - matchExpressions:
-            - key: kubernetes.io/hostname
-              operator: In
-              values:
-                - lead
-  persistentVolumeReclaimPolicy: Retain
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: gitea-pvc
-  namespace: gitea
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: local-pvs
-  resources:
-    requests:
-      storage: 5Gi
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: gitea
-  namespace: gitea
-  labels:
-    app.kubernetes.io/name: gitea-server
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: gitea-server
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: gitea-server
-    spec:
-      serviceAccountName: gitea-sa
-      containers:
-        - name: gitea
-          image: gitea/gitea:latest
-          ports:
-            - containerPort: 3000
-            - containerPort: 22
-          volumeMounts:
-            - name: gitea-data
-              mountPath: /data
-          env:
-            - name: USER_UID
-              value: "1000"
-            - name: USER_GID
-              value: "1000"
-            - name: GITEA_SERVER_ROOT_URL
-              valueFrom:
-                configMapKeyRef:
-                  name: gitea-config
-                  key: server.rooturl
-            - name: GITEA_SERVER_DOMAIN
-              valueFrom:
-                configMapKeyRef:
-                  name: gitea-config
-                  key: server.domain
-            - name: GITEA__database__TYPE
-              valueFrom:
-                configMapKeyRef:
-                  name: gitea-config
-                  key: database.type
-            - name: GITEA__database__HOST
-              valueFrom:
-                configMapKeyRef:
-                  name: gitea-config
-                  key: database.host
-            - name: GITEA__database__USER
-              valueFrom:
-                secretKeyRef:
-                  name: gitea-secret
-                  key: database.username
-            - name: GITEA__database__PASSWD
-              valueFrom:
-                secretKeyRef:
-                  name: gitea-secret
-                  key: database.password
-            - name: GITEA__database__NAME
-              valueFrom:
-                configMapKeyRef:
-                  name: gitea-config
-                  key: database.name
-          resources:
-            requests:
-              memory: "512Mi"
-              cpu: "250m"
-            limits:
-              memory: "2Gi"
-              cpu: "500m"
-      volumes:
-        - name: gitea-data
-          persistentVolumeClaim:
-            claimName: gitea-pvc
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: gitea-server
-  namespace: gitea
-spec:
-  selector:
-    app.kubernetes.io/name: gitea-server
-  ports:
-    - name: http
-      protocol: TCP
-      port: 3000
-      targetPort: 3000
-    - name: ssh
-      protocol: TCP
-      port: 22
-      targetPort: 22
-  type: ClusterIP
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: gitea-web
-  namespace: gitea
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`gitea.apps.mngoma.lab`)
-      kind: Rule
-      services:
-        - name: gitea-server
-          port: 3000
-          scheme: http
-  tls: {}

kubernetes-templates/mongodb.yml

@@ -1,166 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: mongodb
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: mongodb-secret
-  namespace: mongodb
-type: Opaque
-data:
-  root.username: YWRtaW4=
-  root.password: bGpUMTkx
-  username: YXBwdXNlcg==
-  password: VTNlNzRy
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: mongodb-config
-  namespace: mongodb
-data:
-  database.name: "appdb"
-  database.replicaset: "primary"
-  database.port: "27017"
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: mongodb-sa
-  namespace: mongodb
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: mongodb-role
-  namespace: mongodb
-rules:
-- apiGroups: [""]
-  resources: ["pods", "services", "persistentvolumeclaims", "configmaps", "secrets"]
-  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: mongodb-rolebinding
-  namespace: mongodb
-subjects:
-- kind: ServiceAccount
-  name: mongodb-sa
-  namespace: mongodb
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: mongodb-role
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: mongodb-pv
-spec:
-  capacity:
-    storage: 10Gi
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: local-pvs
-  local:
-    path: /home/ansible/k3s/makhiwane/mongodb
-  nodeAffinity:
-    required:
-      nodeSelectorTerms:
-        - matchExpressions:
-            - key: kubernetes.io/hostname
-              operator: In
-              values:
-                - lead
-  persistentVolumeReclaimPolicy: Retain
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: mongodb-pvc
-  namespace: mongodb
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: local-pvs
-  resources:
-    requests:
-      storage: 10Gi
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: mongodb
-  namespace: mongodb
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: mongodb
-  template:
-    metadata:
-      labels:
-        app: mongodb
-    spec:
-      serviceAccountName: mongodb-sa
-      containers:
-      - name: mongodb
-        image: mongo:6
-        env:
-        - name: MONGO_INITDB_ROOT_USERNAME
-          valueFrom:
-            secretKeyRef:
-              name: mongodb-secret
-              key: root.username
-        - name: MONGO_INITDB_ROOT_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: mongodb-secret
-              key: root.password
-        - name: MONGO_INITDB_DATABASE
-          valueFrom:
-            configMapKeyRef:
-              name: mongodb-config
-              key: database.name
-        ports:
-        - containerPort: 27017
-        volumeMounts:
-        - mountPath: /data/db
-          name: mongodb-data
-      volumes:
-      - name: mongodb-data
-        persistentVolumeClaim:
-          claimName: mongodb-pvc
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: mongodb
-  namespace: mongodb
-spec:
-  type: ClusterIP
-  selector:
-    app: mongodb
-  ports:
-    - port: 27017
-      targetPort: 27017
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: mongodb-ingress
-  namespace: mongodb
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`mongodb.database.mngoma.lab`)
-      kind: Rule
-      services:
-        - name: mongodb
-          port: 27017
-  tls: {}

kubernetes-templates/portainer.yml

@@ -1,127 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: portainer
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: portainer-sa
-  namespace: portainer
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: portainer-admin-binding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-- kind: ServiceAccount
-  name: portainer-sa
-  namespace: portainer
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: portainer-pv
-  labels:
-    type: local
-spec:
-  capacity:
-    storage: 10Gi
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: local-pvs
-  local:
-    path: /home/ansible/k3s/makhiwane/portainer
-  nodeAffinity:
-    required:
-      nodeSelectorTerms:
-        - matchExpressions:
-            - key: kubernetes.io/hostname
-              operator: In
-              values:
-                - lead
-  persistentVolumeReclaimPolicy: Retain
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: portainer-pvc
-  namespace: portainer
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: local-pvs
-  resources:
-    requests:
-      storage: 10Gi
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: portainer
-  namespace: portainer
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: portainer
-  template:
-    metadata:
-      labels:
-        app: portainer
-    spec:
-      serviceAccountName: portainer-sa
-      containers:
-        - name: portainer
-          image: portainer/portainer-ce:2.33.2
-          ports:
-            - containerPort: 9000
-            - containerPort: 9443
-          volumeMounts:
-            - name: data
-              mountPath: /data
-      volumes:
-        - name: data
-          persistentVolumeClaim:
-            claimName: portainer-pvc
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: portainer
-  namespace: portainer
-spec:
-  type: ClusterIP
-  selector:
-    app: portainer
-  ports:
-    - name: http
-      protocol: TCP
-      port: 9000
-      targetPort: 9000
-    - name: https
-      protocol: TCP
-      port: 9443
-      targetPort: 9443
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: portainer-dashboard
-  namespace: portainer
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`portainer.apps.mngoma.lab`)
-      kind: Rule
-      services:
-        - name: portainer
-          port: 9000
-          scheme: http
-  tls: {}

kubernetes-templates/postgresql.yml

@@ -1,149 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: postgresql
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: postgresql-secret
-  namespace: postgresql
-type: Opaque
-data:
-  username: cm9vdA==
-  password: Mmh2MTdL
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: postgresql-sa
-  namespace: postgresql
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: postgresql-role
-  namespace: postgresql
-rules:
-- apiGroups: [""]
-  resources: ["pods", "services", "persistentvolumeclaims", "configmaps", "secrets"]
-  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: postgresql-rolebinding
-  namespace: postgresql
-subjects:
-- kind: ServiceAccount
-  name: postgresql-sa
-  namespace: postgresql
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: postgresql-role
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: postgresql-pv
-spec:
-  capacity:
-    storage: 10Gi
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: local-pvs
-  local:
-    path: /home/ansible/k3s/makhiwane/postgresql
-  nodeAffinity:
-    required:
-      nodeSelectorTerms:
-        - matchExpressions:
-            - key: kubernetes.io/hostname
-              operator: In
-              values:
-                - lead
-  persistentVolumeReclaimPolicy: Retain
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: postgresql-pvc
-  namespace: postgresql
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: local-pvs
-  resources:
-    requests:
-      storage: 10Gi
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: postgresql
-  namespace: postgresql
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: postgresql
-  template:
-    metadata:
-      labels:
-        app: postgresql
-    spec:
-      serviceAccountName: postgresql-sa
-      containers:
-      - name: postgresql
-        image: postgres:16
-        env:
-        - name: POSTGRES_USER
-          valueFrom:
-            secretKeyRef:
-              name: postgresql-secret
-              key: username
-        - name: POSTGRES_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: postgresql-secret
-              key: password
-        ports:
-        - containerPort: 5432
-        volumeMounts:
-        - mountPath: /var/lib/postgresql/data
-          name: postgresql-data
-      volumes:
-      - name: postgresql-data
-        persistentVolumeClaim:
-          claimName: postgresql-pvc
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: postgresql
-  namespace: postgresql
-spec:
-  type: ClusterIP
-  selector:
-    app: postgresql
-  ports:
-    - port: 5432
-      targetPort: 5432
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: postgresql-ingress
-  namespace: postgresql
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`postgresql.database.mngoma.lab`)
-      kind: Rule
-      services:
-        - name: postgresql
-          port: 5432
-  tls: {}

kubernetes-templates/redis.yml

@@ -1,107 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: redis
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: redis-secret
-  namespace: redis
-type: Opaque
-data:
-  username: YWRtaW4=
-  password: NjI4akZL
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: redis-sa
-  namespace: redis
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: redis-role
-  namespace: redis
-rules:
-- apiGroups: [""]
-  resources: ["pods", "services"]
-  verbs: ["get", "list", "watch"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: redis-rolebinding
-  namespace: redis
-subjects:
-- kind: ServiceAccount
-  name: redis-sa
-  namespace: redis
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: redis-role
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: redis
-  namespace: redis
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: redis
-  template:
-    metadata:
-      labels:
-        app: redis
-    spec:
-      serviceAccountName: redis-sa
-      containers:
-      - name: redis
-        image: redis:7
-        ports:
-        - containerPort: 6379
-        env:
-        - name: REDIS_USERNAME
-          valueFrom:
-            secretKeyRef:
-              name: redis-secret
-              key: username
-        - name: REDIS_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: redis-secret
-              key: password
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: redis
-  namespace: redis
-spec:
-  type: ClusterIP
-  selector:
-    app: redis
-  ports:
-    - port: 6379
-      targetPort: 6379
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: redis-ingress
-  namespace: redis
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`redis.database.mngoma.lab`)
-      kind: Rule
-      services:
-        - name: redis
-          port: 6379
-  tls: {}

kubernetes-templates/registry-ui.yml

@@ -1,163 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: registry-ui
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: registry-credentials
-  namespace: registry-ui
-type: Opaque
-data:
-  username: YXBwX3VzZXI=
-  password: MTIzNDU=
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: registry-ui-pv
-  namespace: registry-ui
-spec:
-  capacity:
-    storage: 2Gi
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: local-pvs
-  local:
-    path: /home/ansible/k3s/makhiwane/registry-ui
-  nodeAffinity:
-    required:
-      nodeSelectorTerms:
-        - matchExpressions:
-            - key: kubernetes.io/hostname
-              operator: In
-              values:
-                - lead
-  persistentVolumeReclaimPolicy: Retain
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: registry-ui-pvc
-  namespace: registry-ui
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: local-pvs
-  resources:
-    requests:
-      storage: 2Gi
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: registry-ui
-  namespace: registry-ui
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: registry-ui
-  template:
-    metadata:
-      labels:
-        app: registry-ui
-    spec:
-      containers:
-        - name: registry-ui
-          image: joxit/docker-registry-ui:main
-          ports:
-            - containerPort: 80
-          env:
-            - name: SINGLE_REGISTRY
-              value: "true"
-            - name: REGISTRY_TITLE
-              value: "Docker Registry UI"
-            - name: DELETE_IMAGES
-              value: "true"
-            - name: SHOW_CONTENT_DIGEST
-              value: "true"
-            - name: SHOW_CATALOG_NB_TAGS
-              value: "true"
-            - name: CATALOG_MIN_BRANCHES
-              value: "1"
-            - name: CATALOG_MAX_BRANCHES
-              value: "1"
-            - name: TAGLIST_PAGE_SIZE
-              value: "100"
-            - name: REGISTRY_SECURED
-              value: "false"
-            - name: CATALOG_ELEMENTS_LIMIT
-              value: "1000"
-            - name: NGINX_PROXY_PASS_URL
-              value: "http://registry-server.registry.svc.cluster.local:5000"
-            - name: REGISTRY_AUTH_USER
-              valueFrom:
-                secretKeyRef:
-                  name: registry-credentials
-                  key: username
-            - name: REGISTRY_AUTH_PASS
-              valueFrom:
-                secretKeyRef:
-                  name: registry-credentials
-                  key: password
-          volumeMounts:
-            - name: registry-ui-data
-              mountPath: /data
-          resources:
-            requests:
-              memory: "256Mi"
-              cpu: "250m"
-            limits:
-              memory: "512Mi"
-              cpu: "500m"
-      volumes:
-        - name: registry-ui-data
-          persistentVolumeClaim:
-            claimName: registry-ui-pvc
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: registry-ui
-  namespace: registry-ui
-spec:
-  selector:
-    app: registry-ui
-  ports:
-    - port: 80
-      targetPort: 80
-  type: ClusterIP
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: registry-ui-ingress
-  namespace: registry-ui
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`registry-ui.apps.mngoma.lab`)
-      kind: Rule
-      services:
-        - name: registry-ui
-          port: 80
-  tls: {}
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: registry-ui-insecure
-  namespace: registry-ui
-spec:
-  entryPoints:
-    - web
-  routes:
-    - match: Host(`registry-ui.apps.mngoma.lab`)
-      kind: Rule
-      services:
-        - name: registry-ui
-          port: 80

kubernetes-templates/registry.yml

@@ -1,170 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: registry
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: registry-pv
-  namespace: registry
-spec:
-  capacity:
-    storage: 20Gi
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: local-pvs
-  local:
-    path: /home/ansible/k3s/makhiwane/registry
-  nodeAffinity:
-    required:
-      nodeSelectorTerms:
-        - matchExpressions:
-            - key: kubernetes.io/hostname
-              operator: In
-              values:
-                - lead
-  persistentVolumeReclaimPolicy: Retain
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: registry-pvc
-  namespace: registry
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: local-pvs
-  resources:
-    requests:
-      storage: 20Gi
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: registry-http-secret
-  namespace: registry
-type: Opaque
-data:
-  http-secret: ZDlmOTNjOGEyMmQ2NDMyZWE4YTMwYTBkNDc5ZjBhMWY=
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: registry-basic-auth
-  namespace: registry
-type: Opaque
-data:
-  users: YXBwX3VzZXI6JGFwcjEkMTIzNDUk
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: registry
-  namespace: registry
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: registry
-  template:
-    metadata:
-      labels:
-        app: registry
-    spec:
-      containers:
-        - name: registry
-          image: registry:2.8.2
-          ports:
-            - containerPort: 5000
-              name: http
-          env:
-            - name: REGISTRY_STORAGE_DELETE_ENABLED
-              value: "true"
-            - name: REGISTRY_HTTP_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: registry-http-secret
-                  key: http-secret
-            - name: REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin
-              value: '["https://registry-ui.apps.mngoma.lab","https://registry.apps.mngoma.lab"]'
-            - name: REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods
-              value: '["HEAD","GET","OPTIONS","DELETE","PUT","POST"]'
-            - name: REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials
-              value: '["true"]'
-            - name: REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers
-              value: '["Authorization","Accept","Cache-Control","Content-Type","X-Requested-With"]'
-            - name: REGISTRY_HTTP_HEADERS_Access-Control-Expose-Headers
-              value: '["Docker-Content-Digest"]'
-          volumeMounts:
-            - name: registry-data
-              mountPath: /var/lib/registry
-          resources:
-            requests:
-              memory: "256Mi"
-              cpu: "250m"
-            limits:
-              memory: "512Mi"
-              cpu: "500m"
-      volumes:
-        - name: registry-data
-          persistentVolumeClaim:
-            claimName: registry-pvc
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: registry-server
-  namespace: registry
-spec:
-  selector:
-    app: registry
-  ports:
-    - name: http
-      port: 5000
-      targetPort: 5000
-  type: ClusterIP
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: registry-server-ingress
-  namespace: registry
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`registry.apps.mngoma.lab`)
-      kind: Rule
-      middlewares:
-        - name: registry-basic-auth
-      services:
-        - name: registry-server
-          port: 5000
-  tls: {}
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: registry-server-insecure
-  namespace: registry
-spec:
-  entryPoints:
-    - web
-  routes:
-    - match: Host(`registry.apps.mngoma.lab`)
-      kind: Rule
-      services:
-        - name: registry-server
-          port: 5000
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: registry-basic-auth
-  namespace: registry
-spec:
-  basicAuth:
-    secret: registry-basic-auth
-    removeHeader: true

kubernetes-templates/semaphoreui.yml

@@ -5,6 +5,36 @@ metadata:
   name: semaphore
 ---
 apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: semaphore-sa
+  namespace: semaphore
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: semaphore-role
+  namespace: semaphore
+rules:
+  - apiGroups: [""]
+    resources: ["pods", "secrets", "configmaps"]
+    verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: semaphore-rb
+  namespace: semaphore
+subjects:
+  - kind: ServiceAccount
+    name: semaphore-sa
+    namespace: semaphore
+roleRef:
+  kind: Role
+  name: semaphore-role
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: semaphore-data-pvc
@@ -27,8 +57,8 @@ data:
   db-password: c2VYbk42RGt1cFJaN0Y=
   admin-password: QmxhY2tzdGFyMkBob21l
   access-key-encryption: NHZKMm1LMnBMNW5COHhSMnpRN3dFM3RZNnVJMG9QOWE=
-  id_ed25519: LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUFNd0FBQUF0emMyZ3RaVwpReU5UVXhPUUFBQUNEbkRQMDZzbmM0Q2k3M0ZPSW1nTmszTWJsc25vNTNoajZYRDJTSzE1ZFpiQUFBQUpnZWwvMndIcGY5CnNBQUFBQXR6YzJndFpXUXlOVFV4T1FBQUFDRG5EUDA2c25jNENpNzNGT0ltZ05rM01ibHNubzUzaGo2WEQyU0sxNWRaYkEKQUFBRUJUaHFjcnNXZWVVWnpFeVdWWmJoRGlKZE9FQkZYSkg4NXNhMUNjK1dXQ0krY00vVHF5ZHpnS0x2Y1U0aWFBMlRjeAp1V3llam5lR1BwY1BaSXJYbDFsc0FBQUFEbXRvZDJWNmFVQkVRVkpMVTFWT0FRSURCQVVHQnc9PQotLS0tLUVORCBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0=
-  id_ed25519.pub: c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSU9jTS9UcXlkemdLTHZjVTRpYUEyVGN4dVd5ZWpuZUdQcGNQWklyWGwxbHMga2h3ZXppQERBUktTVU4=
+  id_ed25519: LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUFNd0FBQUF0emMyZ3RaVwpReU5UVXhPUUFBQUNEbkRQMDZzbmM0Q2k3M0ZPSW1nTmszTWJsc25vNTNoajZYRDJTSzE1ZFpiQUFBQUpnZWwvMndIcGY5CnNBQUFBQXR6YzJndFpXUXlOVFV4T1FBQUFDRG5EUDA2c25jNENpNzNGT0ltZ05rM01ibHNubzUzaGo2WEQyU0sxNWRaYkEKQUFBRUJUaHFjcnNXZWVVWnpFeVdWWmJoRGlKZE9FQkZYSkg4NXNhMUNjK1dXQ0krY00vVHF5ZHpnS0x2Y1U0aWFBMlRjeAp1V3llam5lR1BwY1BaSXJYbDFsc0FBQUFEbXRvZDJWNmFVQkVRVkpMVTFWT0FRSURCQVVHQnc9PQotLS0tLUVORCBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0K
+  id_ed25519.pub: c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSU9jTS9UcXlkemdLTHZjVTRpYUEyVGN4dVd5ZWpuZUdQcGNQWklyWGwxbHMga2h3ZXppQERBUktTVU4K
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -58,6 +88,7 @@ spec:
       labels:
         app: semaphore
     spec:
+      serviceAccountName: semaphore-sa
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
@@ -75,6 +106,16 @@ spec:
         fsGroup: 1001
         fsGroupChangePolicy: "Always"
 
+      initContainers:
+        - name: fix-ssh-permissions
+          image: busybox:latest
+          # We ensure the directory exists and has 700. 
+          # We don't touch the files yet because they are mounted by the main container.
+          command: ["sh", "-c", "mkdir -p /home/semaphore/.ssh && chmod 700 /home/semaphore/.ssh"]
+          volumeMounts:
+            - name: semaphore-persistent-storage
+              mountPath: /home/semaphore
+
       containers:
         - name: semaphore
           image: semaphoreui/semaphore:latest
@@ -116,25 +157,25 @@ spec:
           volumeMounts:
             - name: semaphore-persistent-storage
               mountPath: /home/semaphore
-              subPath: home
             - name: semaphore-persistent-storage
               mountPath: /tmp/semaphore
               subPath: tmp
-            - name: ssh-keys-secret
+            - name: ssh-keys-volume
               mountPath: /home/semaphore/.ssh/id_ed25519
               subPath: id_ed25519
-            - name: ssh-keys-secret
+              readOnly: true
+            - name: ssh-keys-volume
               mountPath: /home/semaphore/.ssh/id_ed25519.pub
               subPath: id_ed25519.pub
-
+              readOnly: true
       volumes:
         - name: semaphore-persistent-storage
           persistentVolumeClaim:
             claimName: semaphore-data-pvc
-        - name: ssh-keys-secret
+        - name: ssh-keys-volume
           secret:
             secretName: semaphore-secrets
-            defaultMode: 384
+            defaultMode: 384 # 0600
             items:
               - key: id_ed25519
                 path: id_ed25519

kubernetes-templates/vaultwarden.yml

@@ -0,0 +1,123 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vaultwarden
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: vaultwarden-data-pvc
+  namespace: vaultwarden
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: nfs-storage
+  resources:
+    requests:
+      storage: 5Gi
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: vaultwarden-auth
+  namespace: vaultwarden
+type: Opaque
+data:
+  admin-token: N2YyZmE1NjY4ZTViZGE0OGQxZTIzODcyMzEzOTBlNGM=
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: vaultwarden-config
+  namespace: vaultwarden
+data:
+  SIGNUPS_ALLOWED: "false"
+  DOMAIN: "https://vault.khongisa.co.za"
+  ROCKET_PROFILE: "release"
+  ROCKET_ADDRESS: "0.0.0.0"
+  ROCKET_PORT: "80"
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vaultwarden
+  namespace: vaultwarden
+  labels:
+    app: vaultwarden
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: vaultwarden
+  template:
+    metadata:
+      labels:
+        app: vaultwarden
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: node-role.kubernetes.io/control-plane
+                    operator: DoesNotExist
+      containers:
+        - name: vaultwarden
+          image: vaultwarden/server:latest
+          ports:
+            - containerPort: 80
+              name: http
+          env:
+            - name: ADMIN_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: vaultwarden-auth
+                  key: admin-token
+            - name: SIGNUPS_ALLOWED
+              valueFrom:
+                configMapKeyRef:
+                  name: vaultwarden-config
+                  key: SIGNUPS_ALLOWED
+            - name: DOMAIN
+              valueFrom:
+                configMapKeyRef:
+                  name: vaultwarden-config
+                  key: DOMAIN
+            - name: ROCKET_PORT
+              valueFrom:
+                configMapKeyRef:
+                  name: vaultwarden-config
+                  key: ROCKET_PORT
+          resources:
+            requests:
+              cpu: "100m"
+              memory: "256Mi"
+            limits:
+              cpu: "500m"
+              memory: "512Mi"
+          volumeMounts:
+            - name: vaultwarden-storage
+              mountPath: /data
+      volumes:
+        - name: vaultwarden-storage
+          persistentVolumeClaim:
+            claimName: vaultwarden-data-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: vaultwarden-service
+  namespace: vaultwarden
+spec:
+  type: NodePort
+  selector:
+    app: vaultwarden
+  ports:
+    - name: http
+      protocol: TCP
+      port: 80
+      targetPort: 80
+      nodePort: 32085

kubernetes-templates/vscode.yml

@@ -0,0 +1,151 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vscode
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vscode-admin-sa
+  namespace: vscode
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: vscode-admin-binding
+subjects:
+  - kind: ServiceAccount
+    name: vscode-admin-sa
+    namespace: vscode
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: vscode-data-pvc
+  namespace: vscode
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: nfs-storage
+  resources:
+    requests:
+      storage: 10Gi
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: vscode-auth
+  namespace: vscode
+type: Opaque
+data:
+  vscode-password: YWRtaW4= 
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: vscode-config
+  namespace: vscode
+data:
+  CODE_SERVER_ARGS: "--auth password"
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vscode
+  namespace: vscode
+  labels:
+    app: vscode
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: vscode
+  template:
+    metadata:
+      labels:
+        app: vscode
+    spec:
+      serviceAccountName: vscode-admin-sa
+      terminationGracePeriodSeconds: 60
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: node-role.kubernetes.io/control-plane
+                    operator: DoesNotExist
+      securityContext:
+        runAsUser: 1000
+        fsGroup: 1000
+      containers:
+        - name: vscode
+          image: codercom/code-server:latest
+          ports:
+            - containerPort: 8080
+              name: http
+            - containerPort: 3000
+              name: node-dev
+            - containerPort: 5000
+              name: dotnet-dev
+          env:
+            - name: PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: vscode-auth
+                  key: vscode-password
+            - name: ARGS
+              valueFrom:
+                configMapKeyRef:
+                  name: vscode-config
+                  key: CODE_SERVER_ARGS
+            - name: ASPNETCORE_URLS
+              value: "http://0.0.0.0:5000"
+          volumeMounts:
+            - name: vscode-storage
+              mountPath: /home/coder
+      volumes:
+        - name: vscode-storage
+          persistentVolumeClaim:
+            claimName: vscode-data-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: vscode-service
+  namespace: vscode
+spec:
+  type: NodePort
+  selector:
+    app: vscode
+  ports:
+    - name: http
+      protocol: TCP
+      port: 8080
+      targetPort: 8080
+      nodePort: 33000
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: vscode-dev-service
+  namespace: vscode
+spec:
+  type: NodePort
+  selector:
+    app: vscode
+  ports:
+    - name: node-dev
+      protocol: TCP
+      port: 3000
+      targetPort: 3000
+      nodePort: 33001
+    - name: dotnet-dev
+      protocol: TCP
+      port: 5000
+      targetPort: 5000
+      nodePort: 33002

kubernetes-templates/wandbox.yml

@@ -1,181 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: wandbox
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: wandbox-sa
-  namespace: wandbox
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: wandbox-role
-  namespace: wandbox
-rules:
-- apiGroups: [""]
-  resources: ["pods", "services", "endpoints", "persistentvolumeclaims", "configmaps", "secrets"]
-  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: wandbox-rolebinding
-  namespace: wandbox
-subjects:
-- kind: ServiceAccount
-  name: wandbox-sa
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: wandbox-role
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: wandbox-config
-  namespace: wandbox
-data:
-  wandbox.domain: "wandbox.apps.mngoma.lab"
-  wandbox.rooturl: "https://wandbox.apps.mngoma.lab"
-  wandbox.port: "5000"
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: wandbox-secret
-  namespace: wandbox
-type: Opaque
-data:
-  api.key: cG1HeW9xUlBCYW1qdndRV2FRbzZWME9CdmJLS3BFS1RhWlF0bDRndUhMSGpYQlZwc0Y3dnJPZXhXMTNIRWFDRg==
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: wandbox-pv
-  labels:
-    type: local
-spec:
-  capacity:
-    storage: 5Gi
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: local-pvs
-  local:
-    path: /home/ansible/k3s/makhiwane/wandbox
-  nodeAffinity:
-    required:
-      nodeSelectorTerms:
-        - matchExpressions:
-            - key: kubernetes.io/hostname
-              operator: In
-              values:
-                - lead
-  persistentVolumeReclaimPolicy: Retain
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: wandbox-pvc
-  namespace: wandbox
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: local-pvs
-  resources:
-    requests:
-      storage: 5Gi
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: wandbox
-  namespace: wandbox
-  labels:
-    app.kubernetes.io/name: wandbox
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: wandbox
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: wandbox
-    spec:
-      serviceAccountName: wandbox-sa
-      containers:
-      - name: wandbox
-        image: melpon/wandbox:latest
-        ports:
-          - containerPort: 5000
-        env:
-          - name: WANDBOX_PORT
-            valueFrom:
-              configMapKeyRef:
-                name: wandbox-config
-                key: wandbox.port
-          - name: WANDBOX_ROOTURL
-            valueFrom:
-              configMapKeyRef:
-                name: wandbox-config
-                key: wandbox.rooturl
-          - name: WANDBOX_DOMAIN
-            valueFrom:
-              configMapKeyRef:
-                name: wandbox-config
-                key: wandbox.domain
-          - name: API_KEY
-            valueFrom:
-              secretKeyRef:
-                name: wandbox-secret
-                key: api.key
-        volumeMounts:
-          - name: wandbox-data
-            mountPath: /data
-        resources:
-          requests:
-            memory: "256Mi"
-            cpu: "250m"
-          limits:
-            memory: "1Gi"
-            cpu: "500m"
-      volumes:
-        - name: wandbox-data
-          persistentVolumeClaim:
-            claimName: wandbox-pvc
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: wandbox-service
-  namespace: wandbox
-spec:
-  selector:
-    app.kubernetes.io/name: wandbox
-  ports:
-    - name: http
-      protocol: TCP
-      port: 80
-      targetPort: 5000
-  type: ClusterIP
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: wandbox-web
-  namespace: wandbox
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`wandbox.apps.mngoma.lab`)
-      kind: Rule
-      services:
-        - name: wandbox-service
-          port: 80
-          scheme: http
-  tls: {}

kubernetes-templates/whoami.yml

@@ -10,29 +10,6 @@ metadata:
   name: whoami-sa
   namespace: whoami
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: whoami-role
-  namespace: whoami
-rules:
-- apiGroups: [""]
-  resources: ["pods", "services"]
-  verbs: ["get", "list", "watch"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: whoami-rolebinding
-  namespace: whoami
-subjects:
-- kind: ServiceAccount
-  name: whoami-sa
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: whoami-role
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -52,6 +29,13 @@ spec:
       containers:      
         - name: whoami
           image: traefik/whoami
+          resources:
+            limits:
+              cpu: 100m
+              memory: 128Mi
+            requests:
+              cpu: 50m
+              memory: 64Mi
           ports:
             - containerPort: 80
 ---
@@ -61,7 +45,7 @@ metadata:
   name: whoami
   namespace: whoami
 spec:
-  type: ClusterIP
+  type: NodePort
   selector:
     app: whoami
   ports:
@@ -69,20 +53,4 @@ spec:
       protocol: TCP
       port: 80
       targetPort: 80
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: whoami-web
-  namespace: whoami
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`whoami.apps.mngoma.lab`)
-      kind: Rule
-      services:
-        - name: whoami
-          port: 80
-          scheme: http
-  tls: {}
+      nodePort: 31002