From fc17d6fc2178309158fb2280f0c0bf9d52c1706d Mon Sep 17 00:00:00 2001
From: fchinembiri
Date: Thu, 4 Jun 2026 13:13:27 +0200
Subject: [PATCH] feat(nextgen): setup vaultwarden, infisical, and dynamic branch environments
---
 k8s/argocd-nextgen.yaml | 69 ++++++++++++++-
 k8s/nextgen/30-vaultwarden.yaml | 88 +++++++++++++++++++
 k8s/nextgen/40-infisical-values.yaml | 36 ++++++++
 k8s/nextgen/kustomization.yaml | 1 +
 k8s/nextgen/next-gen-chart/Chart.yaml | 6 ++
 .../next-gen-chart/templates/deployment.yaml | 27 ++++++
 .../next-gen-chart/templates/ingress.yaml | 27 ++++++
 .../next-gen-chart/templates/service.yaml | 15 ++++
 k8s/nextgen/next-gen-chart/values.yaml | 28 ++++++
 9 files changed, 296 insertions(+), 1 deletion(-)
 create mode 100644 k8s/nextgen/30-vaultwarden.yaml
 create mode 100644 k8s/nextgen/40-infisical-values.yaml
 create mode 100644 k8s/nextgen/next-gen-chart/Chart.yaml
 create mode 100644 k8s/nextgen/next-gen-chart/templates/deployment.yaml
 create mode 100644 k8s/nextgen/next-gen-chart/templates/ingress.yaml
 create mode 100644 k8s/nextgen/next-gen-chart/templates/service.yaml
 create mode 100644 k8s/nextgen/next-gen-chart/values.yaml
diff --git a/k8s/argocd-nextgen.yaml b/k8s/argocd-nextgen.yaml
index bafb2a5..cd70fb9 100644
--- a/k8s/argocd-nextgen.yaml
+++ b/k8s/argocd-nextgen.yaml
@@ -6,7 +6,7 @@ metadata:
 spec:
 project: default
 source:
- repoURL: http://gitea.geocrop.svc.cluster.local:3000/fchinembiri/geocrop-platform..git
+ repoURL: http://gitea.geocrop.svc.cluster.local:3000/fchinembiri/geocrop-platform.git
 targetRevision: HEAD
 path: k8s/nextgen
 destination:
@@ -19,3 +19,70 @@ spec:
 syncOptions:
 - CreateNamespace=true
 - Validate=false
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: nextgen-infisical
+ namespace: argocd
+spec:
+ project: default
+ sources:
+ - repoURL: https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/
+ chart: infisical-standalone
+ targetRevision: 1.8.0
+ helm:
+ valueFiles:
+ - $values/k8s/nextgen/40-infisical-values.yaml
+ - repoURL: http://gitea.geocrop.svc.cluster.local:3000/fchinembiri/geocrop-platform.git
+ targetRevision: HEAD
+ ref: values
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: nextgen
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: next-gen-branches
+ namespace: argocd
+spec:
+ generators:
+ - scmProvider:
+ gitea:
+ owner: fchinembiri
+ api: http://gitea.geocrop.svc.cluster.local:3000
+ tokenRef:
+ secretName: gitea-repo-creds
+ key: password
+ allBranches: true
+ filters:
+ - repositoryMatch: ^next-gen$
+ template:
+ metadata:
+ name: 'next-gen-{{branch}}'
+ spec:
+ project: default
+ source:
+ repoURL: http://gitea.geocrop.svc.cluster.local:3000/fchinembiri/geocrop-platform.git
+ targetRevision: HEAD
+ path: k8s/nextgen/next-gen-chart
+ helm:
+ parameters:
+ - name: branchName
+ value: '{{branch}}'
+ - name: image.tag
+ value: '{{branch}}'
+ - name: ingress.host
+ value: '{{branch}}.next-gen.techarvest.co.zw'
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: nextgen
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/k8s/nextgen/30-vaultwarden.yaml b/k8s/nextgen/30-vaultwarden.yaml
new file mode 100644
index 0000000..7a0df1f
--- /dev/null
+++ b/k8s/nextgen/30-vaultwarden.yaml
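Review bot: The ApplicationSet template interpolates the raw `{{branch}}` into the Application name and the ingress host, but Gitea branch names may contain `/`, `_` or uppercase letters, which are invalid in a Kubernetes object name and in a DNS label, so those branches fail to render instead of deploying. The scmProvider generator exposes `branchNormalized` for this; use `name: 'next-gen-{{branchNormalized}}'` and `value: '{{branchNormalized}}.next-gen.techarvest.co.zw'`, and only switch `image.tag` to the same form once the CI pipeline is confirmed to tag images that way. Separately, `allBranches: true` combined with a filter that only matches the repository and an `automated` sync policy means any branch pushed to `next-gen` immediately becomes a publicly reachable hostname with its own Let's Encrypt certificate; a `branchMatch` filter naming the branch patterns that may be deployed would bound that, and the per-branch certificate issuance should be checked against the issuer's per-domain rate limits. Neither new Application carries `CreateNamespace=true`, so both depend on the first Application in this file having created `nextgen`; a one-line comment above `namespace: nextgen` stating that ordering would help the next reader.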
@@ -0,0 +1,88 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: vaultwarden-pvc
+ namespace: nextgen
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
+ storageClassName: local-path
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: vaultwarden
+ namespace: nextgen
+spec:
+ selector:
+ app: vaultwarden
+ ports:
+ - port: 80
+ targetPort: 80
+ type: ClusterIP
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: vaultwarden
+ namespace: nextgen
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ nginx.ingress.kubernetes.io/proxy-body-size: "100m"
+spec:
+ tls:
+ - hosts:
+ - password.techarvest.co.zw
+ secretName: password-techarvest-tls
+ rules:
+ - host: password.techarvest.co.zw
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: vaultwarden
+ port:
+ number: 80
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: vaultwarden
+ namespace: nextgen
+spec:
+ replicas: 1
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+ app: vaultwarden
+ template:
+ metadata:
+ labels:
+ app: vaultwarden
+ spec:
+ containers:
+ - name: vaultwarden
+ image: vaultwarden/server:latest
+ env:
+ - name: SIGNUPS_ALLOWED
+ value: "true"
+ - name: DOMAIN
+ value: "https://password.techarvest.co.zw"
+ - name: DATABASE_URL
+ value: "data/vaultwarden.db"
+ ports:
+ - containerPort: 80
+ volumeMounts:
+ - name: vaultwarden-data
+ mountPath: /data
+ volumes:
+ - name: vaultwarden-data
+ persistentVolumeClaim:
+ claimName: vaultwarden-pvc
diff --git a/k8s/nextgen/40-infisical-values.yaml b/k8s/nextgen/40-infisical-values.yaml
new file mode 100644
index 0000000..437a6a1
--- /dev/null
+++ b/k8s/nextgen/40-infisical-values.yaml
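Review bot: `SIGNUPS_ALLOWED` is `"true"` on a Vaultwarden instance that the same hunk exposes publicly at `password.techarvest.co.zw`, so anyone who can reach that hostname can register an account and store vault data on the shared `vaultwarden-pvc`. Change it to `value: "false"` once the intended users exist (or restrict registration with `SIGNUPS_DOMAINS_WHITELIST`) and onboard further users by invitation. The Deployment also runs `vaultwarden/server:latest`, which with Argo CD `selfHeal` gives no controlled upgrade path for a credential store; pin a release tag (placeholder `vaultwarden/server:<PINNED_VERSION>`) and add `resources` as the chart templates in this commit do. The Ingress uses the deprecated `kubernetes.io/ingress.class` annotation while the chart's ingress template uses `spec.ingressClassName`; using `ingressClassName: nginx` here keeps the two consistent.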
@@ -0,0 +1,36 @@
+# Infisical Helm Chart Values
+# Documentation: https://infisical.com/docs/self-hosting/deployment-options/kubernetes-helm
+
+ingress:
+ enabled: true
+ className: nginx
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ hosts:
+ - host: secret.techarvest.co.zw
+ paths:
+ - path: /
+ pathType: Prefix
+ tls:
+ - secretName: secret-techarvest-tls
+ hosts:
+ - secret.techarvest.co.zw
+
+# For a basic self-hosted setup, we can use the sub-charts for PG and Redis
+# or connect to external ones. To keep it simple and reliable in nextgen,
+# we'll use the built-in sub-charts with persistence enabled.
+
+postgresql:
+ enabled: true
+ persistence:
+ enabled: true
+ storageClass: local-path
+ size: 10Gi
+
+redis:
+ enabled: true
+ master:
+ persistence:
+ enabled: true
+ storageClass: local-path
+ size: 2Gi
diff --git a/k8s/nextgen/kustomization.yaml b/k8s/nextgen/kustomization.yaml
index 68bed7e..55404a3 100644
--- a/k8s/nextgen/kustomization.yaml
+++ b/k8s/nextgen/kustomization.yaml
@@ -5,3 +5,4 @@ resources:
 - 00-namespace.yaml
 - 10-postgres.yaml
 - 20-mattermost.yaml
+ - 30-vaultwarden.yaml
diff --git a/k8s/nextgen/next-gen-chart/Chart.yaml b/k8s/nextgen/next-gen-chart/Chart.yaml
new file mode 100644
index 0000000..0d87858
--- /dev/null
+++ b/k8s/nextgen/next-gen-chart/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: next-gen-app
+description: A generic Helm chart for dynamic branch deployments of the next-gen application.
+type: application
+version: 0.1.0
+appVersion: "1.0.0"
diff --git a/k8s/nextgen/next-gen-chart/templates/deployment.yaml b/k8s/nextgen/next-gen-chart/templates/deployment.yaml
new file mode 100644
index 0000000..ad68c9d
--- /dev/null
+++ b/k8s/nextgen/next-gen-chart/templates/deployment.yaml
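Review bot: The values enable the bundled PostgreSQL and Redis sub-charts but pin no credentials for them and do not reference the Kubernetes Secret the Infisical application reads its encryption and auth keys from, so nothing in the repo records what must exist before the `nextgen-infisical` Application syncs. Argo CD renders charts with `helm template` on every sync; if either sub-chart generates a random password at render time (hedged — depends on the 1.8.0 chart defaults), the value changes on each sync and `selfHeal` rewrites the database Secret underneath the running pods. Pin both to a pre-created Secret (for example via the sub-charts' `existingSecret`-style keys) and extend the header comment with a line such as `# Requires pre-created Secrets in the nextgen namespace for the app keys and DB/Redis credentials; see <SECRET_NAME_PLACEHOLDER>` so the dependency is explicit. Given this service will hold the platform's secrets, the ingress stanza also deserves a comment stating why no additional access restriction is applied at the edge.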
@@ -0,0 +1,27 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Release.Name }}
+ labels:
+ app: {{ .Release.Name }}
+ branch: {{ .Values.branchName }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app: {{ .Release.Name }}
+ spec:
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: {{ .Values.service.port }}
+ protocol: TCP
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
diff --git a/k8s/nextgen/next-gen-chart/templates/ingress.yaml b/k8s/nextgen/next-gen-chart/templates/ingress.yaml
new file mode 100644
index 0000000..7c4f8cf
--- /dev/null
+++ b/k8s/nextgen/next-gen-chart/templates/ingress.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ .Release.Name }}
+ labels:
+ app: {{ .Release.Name }}
+ annotations:
+ {{- toYaml .Values.ingress.annotations | nindent 4 }}
+spec:
+ ingressClassName: {{ .Values.ingress.className }}
+ tls:
+ - hosts:
+ - {{ .Values.ingress.host | quote }}
+ secretName: {{ printf "%s-tls" .Release.Name }}
+ rules:
+ - host: {{ .Values.ingress.host | quote }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: {{ .Release.Name }}
+ port:
+ number: {{ .Values.service.port }}
+{{- end }}
diff --git a/k8s/nextgen/next-gen-chart/templates/service.yaml b/k8s/nextgen/next-gen-chart/templates/service.yaml
new file mode 100644
index 0000000..250fcd6
--- /dev/null
+++ b/k8s/nextgen/next-gen-chart/templates/service.yaml
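Review bot: `image.tag` is the branch name (set by the ApplicationSet in `k8s/argocd-nextgen.yaml`) and `pullPolicy` defaults to `IfNotPresent` in `values.yaml`, so a new push to an existing branch changes neither the rendered Deployment nor the cached image on the node — the branch environment keeps running the previous build with no rollout. Tag images by commit instead; the scmProvider generator exposes `sha`/`short_sha`, so passing `short_sha` as the `image.tag` parameter makes every push a spec change, and otherwise `pullPolicy: Always` plus a commit annotation on the pod template is needed to force a rollout. `branch: {{ .Values.branchName }}` is also rendered unquoted, so a branch named like a number or boolean is YAML-typed and rejected as a label value; write `branch: {{ .Values.branchName | quote }}`. The pod template sets no `securityContext` and no readiness/liveness probes; if that is deliberate for throwaway branch environments, say so in a comment above `containers:`.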
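Review bot: The Ingress renders whenever `ingress.enabled` is true, and the chart's `values.yaml` in this commit defaults that to `true` with `host: ""`, so a plain `helm template` or `helm install` of the chart emits an empty host in both `tls.hosts` and `rules`, which is at best a catch-all rule and likely rejected by API validation for the TLS entry. Fail early instead: `- host: {{ required "ingress.host must be set" .Values.ingress.host | quote }}` on both host lines, or default `ingress.enabled` to `false` in values.yaml and let the ApplicationSet turn it on. `ingressClassName: {{ .Values.ingress.className }}` should also be piped through `quote` like the host values for consistency.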
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Release.Name }}
+ labels:
+ app: {{ .Release.Name }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app: {{ .Release.Name }}
diff --git a/k8s/nextgen/next-gen-chart/values.yaml b/k8s/nextgen/next-gen-chart/values.yaml
new file mode 100644
index 0000000..f39a789
--- /dev/null
+++ b/k8s/nextgen/next-gen-chart/values.yaml
@@ -0,0 +1,28 @@
+# Default values for next-gen-app.
+replicaCount: 1
+
+image:
+ repository: registry.techarvest.co.zw/next-gen
+ pullPolicy: IfNotPresent
+ tag: "latest"
+
+branchName: "main"
+
+service:
+ type: ClusterIP
+ port: 3000
+
+ingress:
+ enabled: true
+ className: nginx
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ host: "" # Will be overridden by ApplicationSet
+
+resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi