diff --git a/config.tfvars b/config.tfvars index b0e4b08c..a2993be3 100644 Binary files a/config.tfvars and b/config.tfvars differ diff --git a/stacks/novelapp/main.tf b/stacks/novelapp/main.tf new file mode 100644 index 00000000..925d7abc --- /dev/null +++ b/stacks/novelapp/main.tf @@ -0,0 +1,158 @@ +variable "tls_secret_name" { + type = string + sensitive = true +} + +resource "kubernetes_namespace" "novelapp" { + metadata { + name = "novelapp" + labels = { + "istio-injection" : "disabled" + tier = local.tiers.aux + } + } +} + +module "tls_secret" { + source = "../../modules/kubernetes/setup_tls_secret" + namespace = kubernetes_namespace.novelapp.metadata[0].name + tls_secret_name = var.tls_secret_name +} + +resource "kubernetes_persistent_volume_claim" "novelapp-data" { + metadata { + name = "novelapp-data" + namespace = kubernetes_namespace.novelapp.metadata[0].name + } + spec { + access_modes = ["ReadWriteOnce"] + storage_class_name = "iscsi-truenas" + resources { + requests = { + storage = "1Gi" + } + } + } +} + +resource "kubernetes_deployment" "novelapp" { + metadata { + name = "novelapp" + namespace = kubernetes_namespace.novelapp.metadata[0].name + labels = { + app = "novelapp" + tier = local.tiers.aux + } + } + lifecycle { + ignore_changes = [ + spec[0].template[0].spec[0].container[0].image, + ] + } + spec { + replicas = 1 + strategy { + type = "Recreate" + } + selector { + match_labels = { + app = "novelapp" + } + } + template { + metadata { + labels = { + app = "novelapp" + } + } + spec { + volume { + name = "data" + persistent_volume_claim { + claim_name = kubernetes_persistent_volume_claim.novelapp-data.metadata[0].name + } + } + container { + image = "viktorbarzin/novelapp:1" + name = "novelapp" + image_pull_policy = "Always" + env { + name = "NODE_ENV" + value = "production" + } + env { + name = "DB_PATH" + value = "/app/data/novelapp.db" + } + env { + name = "DISABLE_BROWSER_SCRAPING" + value = "true" + } + env { + name = "PORT" + value = "3000" + } + volume_mount { + name = "data" + mount_path = "/app/data" + } + port { + container_port = 3000 + } + resources { + requests = { + memory = "64Mi" + cpu = "10m" + } + limits = { + memory = "128Mi" + } + } + } + } + } + } +} + +resource "kubernetes_service" "novelapp" { + metadata { + name = "novelapp" + namespace = kubernetes_namespace.novelapp.metadata[0].name + labels = { + "app" = "novelapp" + } + } + + spec { + selector = { + app = "novelapp" + } + port { + name = "http" + port = 80 + target_port = 3000 + } + } +} + +module "ingress" { + source = "../../modules/kubernetes/ingress_factory" + namespace = kubernetes_namespace.novelapp.metadata[0].name + name = "novelapp" + tls_secret_name = var.tls_secret_name + + extra_annotations = { + "gethomepage.dev/enabled" = "true" + "gethomepage.dev/name" = "NovelApp" + "gethomepage.dev/description" = "Web novel tracker" + "gethomepage.dev/icon" = "mdi-book-open-page-variant" + "gethomepage.dev/group" = "Other" + "gethomepage.dev/pod-selector" = "" + } +} + +# Sealed Secrets — encrypted secrets safe to commit to git +resource "kubernetes_manifest" "sealed_secrets" { + for_each = fileset(path.module, "sealed-*.yaml") + manifest = yamldecode(file("${path.module}/${each.value}")) +} diff --git a/stacks/novelapp/secrets b/stacks/novelapp/secrets new file mode 120000 index 00000000..ca54a7cf --- /dev/null +++ b/stacks/novelapp/secrets @@ -0,0 +1 @@ +../../secrets \ No newline at end of file diff --git a/stacks/novelapp/terragrunt.hcl b/stacks/novelapp/terragrunt.hcl new file mode 100644 index 00000000..f4c920ab --- /dev/null +++ b/stacks/novelapp/terragrunt.hcl @@ -0,0 +1,13 @@ +include "root" { + path = find_in_parent_folders() +} + +dependency "platform" { + config_path = "../platform" + skip_outputs = true +} + +dependency "vault" { + config_path = "../vault" + skip_outputs = true +}