feat(nextgen): setup vaultwarden, infisical, and dynamic branch environments

fchinembiri 2026-06-04 13:13:27 +02:00
parent 7c22b94fdb
commit fc17d6fc21
9 changed files with 296 additions and 1 deletions


@ -6,7 +6,7 @@ metadata:
spec:
project: default
source:
repoURL: http://gitea.geocrop.svc.cluster.local:3000/fchinembiri/geocrop-platform..git
repoURL: http://gitea.geocrop.svc.cluster.local:3000/fchinembiri/geocrop-platform.git
targetRevision: HEAD
path: k8s/nextgen
destination:
@ -19,3 +19,70 @@ spec:
syncOptions:
- CreateNamespace=true
- Validate=false
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: nextgen-infisical
namespace: argocd
spec:
project: default
sources:
- repoURL: https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/
chart: infisical-standalone
targetRevision: 1.8.0
helm:
valueFiles:
- $values/k8s/nextgen/40-infisical-values.yaml
- repoURL: http://gitea.geocrop.svc.cluster.local:3000/fchinembiri/geocrop-platform.git
targetRevision: HEAD
ref: values
destination:
server: https://kubernetes.default.svc
namespace: nextgen
syncPolicy:
automated:
prune: true
selfHeal: true
---
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: next-gen-branches
namespace: argocd
spec:
generators:
- scmProvider:
gitea:
owner: fchinembiri
api: http://gitea.geocrop.svc.cluster.local:3000
tokenRef:
secretName: gitea-repo-creds
key: password
allBranches: true
filters:
- repositoryMatch: ^next-gen$
template:
metadata:
name: 'next-gen-{{branch}}'
spec:
project: default
source:
repoURL: http://gitea.geocrop.svc.cluster.local:3000/fchinembiri/geocrop-platform.git
targetRevision: HEAD
path: k8s/nextgen/next-gen-chart
helm:
parameters:
- name: branchName
value: '{{branch}}'
- name: image.tag
value: '{{branch}}'
- name: ingress.host
value: '{{branch}}.next-gen.techarvest.co.zw'
destination:
server: https://kubernetes.default.svc
namespace: nextgen
syncPolicy:
automated:
prune: true
selfHeal: true
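Review bot: The ApplicationSet at the end of this section turns every branch of the `next-gen` repository into a deployed environment with a public hostname, yet it uses the raw `{{branch}}` in the Application name, `image.tag` and `ingress.host`; a branch containing `/` (the usual `feature/...` form) or uppercase letters is not a valid DNS-1123 name or hostname, so such a branch fails to apply rather than being skipped. Add a `branchMatch` filter next to `repositoryMatch` to restrict which branches get environments, and use `{{branchNormalized}}` for the name and hostname. All generated Applications also share `project: default`, `namespace: nextgen` and `prune: true`, so any branch push can reconcile against the same namespace; a dedicated AppProject with restricted source repos and destinations would bound what a branch can change. Note that the template source points at `geocrop-platform.git` on `HEAD` rather than at the matched branch, so only the Helm parameters vary per branch; a short comment stating that this is intentional would help the next reader.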


@ -0,0 +1,88 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: vaultwarden-pvc
namespace: nextgen
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
storageClassName: local-path
---
apiVersion: v1
kind: Service
metadata:
name: vaultwarden
namespace: nextgen
spec:
selector:
app: vaultwarden
ports:
- port: 80
targetPort: 80
type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: vaultwarden
namespace: nextgen
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/proxy-body-size: "100m"
spec:
tls:
- hosts:
- password.techarvest.co.zw
secretName: password-techarvest-tls
rules:
- host: password.techarvest.co.zw
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: vaultwarden
port:
number: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: vaultwarden
namespace: nextgen
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: vaultwarden
template:
metadata:
labels:
app: vaultwarden
spec:
containers:
- name: vaultwarden
image: vaultwarden/server:latest
env:
- name: SIGNUPS_ALLOWED
value: "true"
- name: DOMAIN
value: "https://password.techarvest.co.zw"
- name: DATABASE_URL
value: "data/vaultwarden.db"
ports:
- containerPort: 80
volumeMounts:
- name: vaultwarden-data
mountPath: /data
volumes:
- name: vaultwarden-data
persistentVolumeClaim:
claimName: vaultwarden-pvc
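Review bot: `SIGNUPS_ALLOWED` is `"true"` on a Deployment whose Ingress is published on `password.techarvest.co.zw` with a public certificate, so anyone who reaches the host can register an account on the password manager. Set `value: "false"` once the initial users exist and admit new users via `INVITATIONS_ALLOWED` or `SIGNUPS_DOMAINS_WHITELIST` instead. The image is `vaultwarden/server:latest` with `strategy: Recreate`, so any pod restart may start a different, unreviewed release against the data on the PVC; pin a version tag (ideally a digest). `DATABASE_URL` is the relative path `data/vaultwarden.db`, which presumably lands under the `/data` mount only because the image's working directory is `/`; `/data/vaultwarden.db` would make that explicit. The Ingress uses the deprecated `kubernetes.io/ingress.class` annotation while the chart in this commit uses `spec.ingressClassName`; aligning on the latter avoids a class mismatch on newer ingress-nginx releases.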


@ -0,0 +1,36 @@
# Infisical Helm Chart Values
# Documentation: https://infisical.com/docs/self-hosting/deployment-options/kubernetes-helm
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: secret.techarvest.co.zw
paths:
- path: /
pathType: Prefix
tls:
- secretName: secret-techarvest-tls
hosts:
- secret.techarvest.co.zw
# For a basic self-hosted setup, we can use the sub-charts for PG and Redis
# or connect to external ones. To keep it simple and reliable in nextgen,
# we'll use the built-in sub-charts with persistence enabled.
postgresql:
enabled: true
persistence:
enabled: true
storageClass: local-path
size: 10Gi
redis:
enabled: true
master:
persistence:
enabled: true
storageClass: local-path
size: 2Gi
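Review bot: These values configure ingress and storage but nothing here supplies the application secrets (encryption key, auth secret, site URL and database/Redis connection settings) the Infisical backend needs at startup; if `infisical-standalone` expects them in a pre-created Kubernetes Secret or in values, that prerequisite belongs in the header comment so the automated ArgoCD sync does not land a half-configured deployment, e.g. `# Requires the backend secret (encryption/auth keys, site URL) to exist in the nextgen namespace before sync; see chart docs.` Both sub-charts use `storageClass: local-path`, which binds the data to a single node, so this is a single-node, non-HA install; worth stating next to the "simple and reliable" comment. The Application pins the chart to `1.8.0` but these values do not pin the Infisical image tag, so the application version may float independently of the chart version — confirm against the chart defaults.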


@ -5,3 +5,4 @@ resources:
- 00-namespace.yaml
- 10-postgres.yaml
- 20-mattermost.yaml
- 30-vaultwarden.yaml


@ -0,0 +1,6 @@
apiVersion: v2
name: next-gen-app
description: A generic Helm chart for dynamic branch deployments of the next-gen application.
type: application
version: 0.1.0
appVersion: "1.0.0"


@ -0,0 +1,27 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}
labels:
app: {{ .Release.Name }}
branch: {{ .Values.branchName }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: {{ .Release.Name }}
template:
metadata:
labels:
app: {{ .Release.Name }}
spec:
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: {{ .Values.service.port }}
protocol: TCP
resources:
{{- toYaml .Values.resources | nindent 12 }}
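Review bot: The label `branch: {{ .Values.branchName }}` and the `{{ .Release.Name }}` names are emitted unquoted, so a branch named like `1.0` or `true` is retyped by YAML and a value containing `/` is rejected as a label value; quote them, e.g. `branch: {{ .Values.branchName | quote }}`, and consider `| trunc 63 | trimSuffix "-"` since names and label values are limited to 63 characters. The pod template has no `readinessProbe`/`livenessProbe` and no `securityContext`, so a broken branch build is still reported ready and receives traffic from the Service. The same unquoted `{{ .Release.Name }}` pattern appears in the ingress and service templates of this commit.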


@ -0,0 +1,27 @@
{{- if .Values.ingress.enabled -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ .Release.Name }}
labels:
app: {{ .Release.Name }}
annotations:
{{- toYaml .Values.ingress.annotations | nindent 4 }}
spec:
ingressClassName: {{ .Values.ingress.className }}
tls:
- hosts:
- {{ .Values.ingress.host | quote }}
secretName: {{ printf "%s-tls" .Release.Name }}
rules:
- host: {{ .Values.ingress.host | quote }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: {{ .Release.Name }}
port:
number: {{ .Values.service.port }}
{{- end }}
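Review bot: `ingress.host` defaults to `""` in the chart's values while `ingress.enabled` defaults to `true`, so an install without the ApplicationSet override renders an Ingress whose TLS host and rule host are empty strings; cert-manager cannot issue a certificate for that, and a rule with no host acts as a catch-all for inbound HTTP traffic on the controller. Fail the render instead with `- host: {{ required "ingress.host must be set" .Values.ingress.host | quote }}` and the same `required` on the `tls.hosts` entry. The `{{ printf "%s-tls" .Release.Name }}` secret name inherits the same DNS-1123 constraints on `.Release.Name` as the other templates.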


@ -0,0 +1,15 @@
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}
labels:
app: {{ .Release.Name }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
name: http
selector:
app: {{ .Release.Name }}


@ -0,0 +1,28 @@
# Default values for next-gen-app.
replicaCount: 1
image:
repository: registry.techarvest.co.zw/next-gen
pullPolicy: IfNotPresent
tag: "latest"
branchName: "main"
service:
type: ClusterIP
port: 3000
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
host: "" # Will be overridden by ApplicationSet
resources:
limits:
cpu: 200m
memory: 256Mi
requests:
cpu: 100m
memory: 128Mi
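Review bot: `pullPolicy: IfNotPresent` combined with the ApplicationSet setting `image.tag` to the branch name makes the deployed tag mutable: a node that already has `registry.techarvest.co.zw/next-gen:<branch>` cached keeps running the old build after a new push, so sync and selfHeal cannot roll the change out. Use `pullPolicy: Always` for branch environments, or have CI publish an immutable tag and pass `{{short_sha}}` from the SCM generator instead of `{{branch}}`. The defaults `ingress.enabled: true` with `host: ""` also render a host-less Ingress when the chart is installed without the override; defaulting `enabled: false` or requiring `host` in the template is safer.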