Superset, IRC

Liana64 · Jan 18, 2025 · 806dcb2 · 806dcb2
1 parent 4f5bb9b
commit 806dcb2
Show file tree

Hide file tree

Showing 11 changed files with 225 additions and 2 deletions.
diff --git a/kubernetes/main/apps/communications/thelounge/app/helmrelease.yaml b/kubernetes/main/apps/communications/thelounge/app/helmrelease.yaml
@@ -25,6 +25,46 @@ spec:
   values:
     controllers:
       thelounge:
+        annotations:
+          configmap.reloader.stakater.com/reload: irc-dnsdist
+          secret.reloader.stakater.com/reload: irc-secret
+        initContainers:
+          dnsdist:
+            image:
+              repository: docker.io/powerdns/dnsdist-19
+              tag: 1.9.8
+            restartPolicy: Always
+          gluetun:
+            dependsOn:
+              - dnsdist
+            image:
+              repository: ghcr.io/qdm12/gluetun
+              tag: v3.40.0
+            env:
+              DOT: "off"
+              DNS_ADDRESS: "127.0.0.2"
+              VPN_SERVICE_PROVIDER: custom
+              VPN_TYPE: wireguard
+              VPN_INTERFACE: wg0
+              WIREGUARD_ENDPOINT_PORT: 51820
+              VPN_PORT_FORWARDING: on
+              VPN_PORT_FORWARDING_PROVIDER: protonvpn
+              FIREWALL_INPUT_PORTS: 8080
+              FIREWALL_OUTBOUND_SUBNETS: ${NODE_CIDR},${CLUSTER_CIDR},${SERVICE_CIDR}
+            envFrom:
+              - secretRef:
+                  name: irc-secret
+            resources:
+              limits:
+                squat.ai/tun: "1"
+            restartPolicy: Always
+            securityContext:
+              runAsUser: 0
+              runAsGroup: 0
+              allowPrivilegeEscalation: true
+              capabilities:
+                add:
+                  - NET_ADMIN
         containers:
           app:
             image:
@@ -42,6 +82,16 @@ spec:
                 cpu: 10m
               limits:
                 memory: 512Mi
+            securityContext:
+              runAsUser: 2000
+              runAsGroup: 2000
+              runAsNonRoot: true
+              fsGroup: 2000
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+              capabilities:
+                drop:
+                  - ALL
     ingress:
       app:
         className: traefik
@@ -53,7 +103,7 @@ spec:
           gethomepage.dev/description: IRC client
           gethomepage.dev/icon: thelounge
         hosts:
-          - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
+          - host: &host "irc.${SECRET_INTERNAL_DOMAIN}"
             paths:
               - path: /
                 service:
@@ -70,4 +120,9 @@ spec:
             port: 9000
     persistence:
       config:
-        existingClaim: *app
+        storageClass: cluster-nvme
+        accessMode: ReadWriteOnce
+        size: 256Mi
+        retain: true
+        globalMounts:
+          - path: /config
diff --git a/kubernetes/main/apps/communications/thelounge/app/kustomization.yaml b/kubernetes/main/apps/communications/thelounge/app/kustomization.yaml
@@ -3,4 +3,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - ./secret.sops.yaml
   - ./helmrelease.yaml
diff --git a/kubernetes/main/apps/communications/thelounge/app/secret.sops.yaml b/kubernetes/main/apps/communications/thelounge/app/secret.sops.yaml
@@ -0,0 +1,31 @@
+# yamllint disable
+kind: Secret
+apiVersion: v1
+type: Opaque
+metadata:
+  name: irc-secret
+stringData:
+  WIREGUARD_ENDPOINT_IP: ENC[AES256_GCM,data:L0Km8PRH23HP2soqM+A=,iv:2L9waxy0ZQ6xYHu9C3VOfnSuxcWcoElXHl+REKvjlqU=,tag:s4F7DDDYgHraliivvx8UMw==,type:str]
+  WIREGUARD_PUBLIC_KEY: ENC[AES256_GCM,data:KG+E5NxLscTzLWYHxACWvvAEZsGPYv9BCjVoPh4t3fuMnl1zNf+ckhzjFxw=,iv:eSXEOlkel7wC5HeDmJp2nvuFsLoskxt9th0lYI5B3hg=,tag:ijHKqrqUXynh53IifeM8TQ==,type:str]
+  WIREGUARD_PRIVATE_KEY: ENC[AES256_GCM,data:WJwIXM2ehL0nQ0NrXGulCepdpCrC6UvT08Nkp4GJYccMuEardSbY+b4OqC0=,iv:Y+NmxZSjqN2VBann1Q7AsB6HHbJhM1Bfg5byyVep4IM=,tag:RXxifTUgq+DwGFbgt+RAcA==,type:str]
+  WIREGUARD_ADDRESSES: ENC[AES256_GCM,data:rKuoOFr7xaBzZjY=,iv:eOEu2B6NT88gnWqR5rbgcW8q70CUU1LZy5CGJiRVdnc=,tag:/9bX904RXRNddk9Rm6VRuQ==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4dVVvSWFCb29Qd3RhQnJl
+        Y2hMZ2VWT2FIeFFsSTQrcUVYdW5tNnloUTJRCkxaQkhqTGJQMVNRMnBNTnVrVkZn
+        Y3hCSVNzd1ZoWWdJT25VRWVIclFvUVkKLS0tIDBVYWROdjJ0RzJBOGZlQVlIVmw0
+        dldzbjZmTTZaNzRGL2FJNVVFc2JlNU0K5ODkmnPyBUZVwxY1kG2Axrku41bGiwfP
+        iznEhnNjsQMbqNpmQLfQtWSxavHwzlhHvopYX4M304emQPWIcdE3bg==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2025-01-18T19:47:50Z"
+  mac: ENC[AES256_GCM,data:z78uISRVIGHJ/ymShD1NOw8dglJ5cP3DWON8k86FXMIU8lX/CGGcf+LSpp5kqqiClqy8/Mnbtowb9Nb8xyiZLoPEE4g0ms8m/oxs1/f5J5KFi+UyVYzqye9teoShMHnLbDBjImA3hPbTw1Jv+lQGfoUS0Lc9fwOXEyFIdOqrExA=,iv:ElH4aZ1a8XsXjZs/lk+cisiqo9YTO7TcanW2Po3SaD0=,tag:ZSdQ0PCAoQg8jM1YOM2gDg==,type:str]
+  pgp: []
+  encrypted_regex: ^(data|stringData)$
+  version: 3.9.3
diff --git a/kubernetes/main/apps/data-science/kustomization.yaml b/kubernetes/main/apps/data-science/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./namespace.yaml
+  #- ./superset/ks.yaml
diff --git a/kubernetes/main/apps/data-science/namespace.yaml b/kubernetes/main/apps/data-science/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: data-science
+  labels:
+    kustomize.toolkit.fluxcd.io/prune: disabled
diff --git a/kubernetes/main/apps/data-science/superset/app/helmrelease.yaml b/kubernetes/main/apps/data-science/superset/app/helmrelease.yaml
@@ -0,0 +1,51 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: &app superset
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: *app
+      version: 0.12.6
+      sourceRef:
+        kind: HelmRepository
+        name: *app
+        namespace: flux-system
+  values:
+    deploymentAnnotations:
+      reloader.stakater.com/auto: "true"
+
+    ingress:
+      enabled: true
+      ingressClassName: traefik
+      annotations:
+        gethomepage.dev/enabled: "true"
+        gethomepage.dev/name: Apache Superset
+        gethomepage.dev/group: Services
+        gethomepage.dev/icon: superset
+      hosts:
+        - &host "superset.${SECRET_INTERNAL_DOMAIN}"
+      tls:
+        - secretName: superset-tls
+          hosts:
+            - *host
+
+    postgresql:
+      enabled: false
+
+    redis:
+      enabled: false
+
+    envFromSecret: superset-secret
+    supersetNode:
+      connections:
+        redis_host: dragonfly.database.svc.cluster.local
+        redis_port: "6379"
+        db_host: postgres-1-rw.database.svc.cluster.local
+        db_port: "5432"
+        db_user: superset
+        db_pass: "${SECRET_POSTGRES_PASSWORD}"
+        db_name: superset
diff --git a/kubernetes/main/apps/data-science/superset/app/kustomization.yaml b/kubernetes/main/apps/data-science/superset/app/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./secret.sops.yaml
+  - ./helmrelease.yaml
diff --git a/kubernetes/main/apps/data-science/superset/app/secret.sops.yaml b/kubernetes/main/apps/data-science/superset/app/secret.sops.yaml
@@ -0,0 +1,33 @@
+# yamllint disable
+kind: Secret
+apiVersion: v1
+type: Opaque
+metadata:
+  name: superset-secret
+stringData:
+  SUPERSET_SECRET: ENC[AES256_GCM,data:8axejEwSNutDAzYKqtd9UCsTQr5LTSJLQXp9CcUJFqZX3gyoUijgnxANBc1Nn4YhSA==,iv:88TZthTQKmA3tuvO7YUtYhFQhleGRpDzkUjXnDsbpl4=,tag:eLoU7Hs9pbpqPTg4u4nbLg==,type:str]
+  SECRET_POSTGRES_PASSWORD: ENC[AES256_GCM,data:3xpCaXrdZTUs0Wua2m1YlLdwjSVE2A37kQ0+F5PfQlY=,iv:omYdjQDE0GwoDT/KHkw/1bCe1D4JKNtVEiFlUVePrgI=,tag:02wodg1BfUCMk2SR9png0g==,type:str]
+  DB_HOST: ENC[AES256_GCM,data:6qB9lsUcbOPlGyTZODEGb2CSUjxdZFIvtn/uAGtkSgR9BWUkpZz1ig==,iv:yFK6z6WayTc/MFEyM+us/eWoLokyQy99gEDlUZWq1NA=,tag:w4x60YQ5yvbPreIqYXMfZg==,type:str]
+  DB_PORT: ENC[AES256_GCM,data:1z95Zg==,iv:wIh0MLtojnya25D4EdMp2NBF8pPRVgKA1E2pCwMTJM0=,tag:kxqx1nYyBbNiveGtg4jaLw==,type:int]
+  REDIS_HOST: ENC[AES256_GCM,data:/LdjkUT4C/TzJV9nTzga5QfnNDqcJAME5tTSD7BO4sn56fe9,iv:6l2vJAuv99uwmm6R90phIZbWY+nXRfCPAwrx1XFesjE=,tag:+K4rMoLgfcsRlfuF761Brg==,type:str]
+  REDIS_PORT: ENC[AES256_GCM,data:zR7Nig==,iv:B3GyoJZqRAGYZ99RPTXC4LJzwwRlLdNlbXJoOMz6G/8=,tag:uiWlBN1kK+RDZueAaVK9tg==,type:int]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPNDJROVpsQmlTaktvbjJY
+        bzZYZXowMzJqdmZZbzRHR2VTSXJtZG1MTlZnCjQ0MVdnSXgzZEVPUm1TNEdsb1RV
+        NTBhWjlYK0dDQVExRHBPcmw5OEdKK2cKLS0tIGR4Q3RhZ1M5SU9kODZydHpUL0Ri
+        akU2b2tOZjFHQjA3SFJweHU4eU9iNjAKUZ1x/7GNPNqk3Fp6dOReQ9E/Wnq0R6Pw
+        oxekWYUJNTtW/i9DWkURx0t/OJLi5gjJtU/f12Uil+NtigNlrFuWJg==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2025-01-13T19:37:03Z"
+  mac: ENC[AES256_GCM,data:imOAqIagwTagQnH6+WJQNrpupP7bGlFjW7/EOwD3YLE3J3V3PvagsiI3S2LPskteeXNtmWUVrEZO9nG642DeAUR25hPuPQmp6Abs1a7IvQSM5zWOoVleZz2jQfRH2MRfx/9949Qt70L1QtCJ+DvQsILKJYhmhCIczxuS7PTh8qg=,iv:jFWyFNe51guwtP6PAIyckwSrTG5j8VP16e0yiwAjdm4=,tag:VC64CcbqQn4/QY+wuVIb3g==,type:str]
+  pgp: []
+  encrypted_regex: ^(data|stringData)$
+  version: 3.9.3
diff --git a/kubernetes/main/apps/data-science/superset/ks.yaml b/kubernetes/main/apps/data-science/superset/ks.yaml
@@ -0,0 +1,21 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app superset
+  namespace: flux-system
+spec:
+  targetNamespace: data-science
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/main/apps/data-science/superset/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: k8s-gitops
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
diff --git a/kubernetes/main/flux/repositories/helm/kustomization.yaml b/kubernetes/main/flux/repositories/helm/kustomization.yaml
@@ -24,6 +24,7 @@ resources:
   - ./postfinance.yaml
   - ./prometheus-community.yaml
   - ./rook-ceph.yaml
+  - ./superset.yaml
   - ./spegel.yaml
   - ./stakater.yaml
   - ./teleport.yaml

diff --git a/kubernetes/main/flux/repositories/helm/superset.yaml b/kubernetes/main/flux/repositories/helm/superset.yaml
@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: superset
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://apache.github.io/superset