add ingress factory stub [ci skip]

2025-01-14 20:12:26 +00:00 · 2025-01-14 20:12:26 +00:00 · 8713946352
commit 8713946352
parent 4a1106bad9
6 changed files with 294 additions and 0 deletions
--- a/main.tf
+++ b/main.tf
@ -98,6 +98,7 @@ variable "cloudflare_non_proxied_names" {}
 variable "cloudflare_tunnel_token" {}
 variable "owntracks_credentials" {}
 variable "dawarich_database_password" {}
+variable "tandoor_database_password" {}

 # data "terraform_remote_state" "foo" {
 #   backend = "kubernetes"
@ -406,6 +407,9 @@ module "kubernetes_cluster" {
  owntracks_credentials = var.owntracks_credentials

  dawarich_database_password = var.dawarich_database_password
+
+  tandoor_database_password = var.tandoor_database_password
+  tandoor_email_password    = var.mailserver_accounts["info@viktorbarzin.me"]
 }


--- a/modules/kubernetes/ingress_factory/main.tf
+++ b/modules/kubernetes/ingress_factory/main.tf
@ -0,0 +1,113 @@
+
+variable "name" { type = string } // must match service name; translates to host
+variable "namespace" { type = string }
+variable "external_name" {
+  type    = string
+  default = null
+}
+variable "port" {
+  default = "80"
+}
+variable "tls_secret_name" {}
+variable "backend_protocol" {
+  default = "HTTP"
+}
+variable "protected" {
+  type    = bool
+  default = false
+}
+variable "ingress_path" {
+  type    = list(string)
+  default = ["/"]
+}
+variable "max_body_size" {
+  type    = string
+  default = "50m"
+}
+variable "use_proxy_protocol" {
+  type    = bool
+  default = true
+}
+variable "proxy_timeout" {
+  type    = number
+  default = 60
+}
+variable "extra_annotations" {
+  default = {}
+}
+
+
+resource "kubernetes_service" "proxied-service" {
+  count = var.external_name == null ? 0 : 1
+  metadata {
+    name      = var.name
+    namespace = var.namespace
+    labels = {
+      "app" = var.name
+    }
+  }
+
+  spec {
+    type          = var.external_name != null ? "ExternalName" : "ClusterIP"
+    external_name = var.name
+
+    port {
+      name        = "${var.name}-web"
+      port        = var.port
+      protocol    = "TCP"
+      target_port = var.port
+    }
+  }
+}
+
+resource "kubernetes_ingress_v1" "proxied-ingress" {
+  metadata {
+    name      = var.name
+    namespace = var.namespace
+    annotations = merge({
+      "kubernetes.io/ingress.class"                  = "nginx"
+      "nginx.ingress.kubernetes.io/backend-protocol" = "${var.backend_protocol}"
+
+      "nginx.ingress.kubernetes.io/auth-url" : var.protected ? "http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx" : null
+      "nginx.ingress.kubernetes.io/auth-signin" : var.protected ? "https://authentik.viktorbarzin.me/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri" : null
+      "nginx.ingress.kubernetes.io/auth-snippet" : var.protected ? "proxy_set_header X-Forwarded-Host $http_host;" : null
+
+      "nginx.ingress.kubernetes.io/proxy-body-size" : var.max_body_size
+      "nginx.ingress.kubernetes.io/use-proxy-protocol" : var.use_proxy_protocol
+      "nginx.ingress.kubernetes.io/proxy-connect-timeout" : var.proxy_timeout
+      "nginx.ingress.kubernetes.io/proxy-send-timeout" : var.proxy_timeout
+      "nginx.ingress.kubernetes.io/proxy-read-timeout" : var.proxy_timeout
+
+    }, var.extra_annotations)
+  }
+
+  spec {
+    tls {
+      hosts       = ["${var.name}.viktorbarzin.me"]
+      secret_name = var.tls_secret_name
+    }
+    rule {
+      host = "${var.name}.viktorbarzin.me"
+      http {
+        dynamic "path" {
+          # for_each = { for pr in var.ingress_path : pr => pr }
+          for_each = var.ingress_path
+
+          content {
+            path = path.value
+            backend {
+              service {
+
+                name = var.name
+                port {
+                  number = var.port
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
+
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
@ -77,6 +77,8 @@ variable "cloudflare_proxied_names" {}
 variable "cloudflare_non_proxied_names" {}
 variable "owntracks_credentials" {}
 variable "dawarich_database_password" {}
+variable "tandoor_database_password" {}
+variable "tandoor_email_password" {}

 resource "null_resource" "core_services" {
  # List all the core modules that must be provisioned first
@ -575,3 +577,9 @@ module "changedetection" {
  source          = "./changedetection"
  tls_secret_name = var.tls_secret_name
 }
+module "tandoor" {
+  source                    = "./tandoor"
+  tls_secret_name           = var.tls_secret_name
+  tandoor_database_password = var.tandoor_database_password
+  tandoor_email_password    = var.tandoor_email_password
+}
--- a/modules/kubernetes/tandoor/main.tf
+++ b/modules/kubernetes/tandoor/main.tf
@ -0,0 +1,169 @@
+variable "tls_secret_name" {}
+variable "tandoor_database_password" {}
+variable "tandoor_email_password" {}
+
+resource "kubernetes_namespace" "tandoor" {
+  metadata {
+    name = "tandoor"
+    labels = {
+      "istio-injection" : "disabled"
+    }
+  }
+}
+resource "random_password" "secret_key" {
+  length  = 128
+  special = false
+}
+
+module "tls_secret" {
+  source          = "../setup_tls_secret"
+  namespace       = "tandoor"
+  tls_secret_name = var.tls_secret_name
+}
+
+resource "kubernetes_deployment" "tandoor" {
+  metadata {
+    name      = "tandoor"
+    namespace = "tandoor"
+    labels = {
+      app = "tandoor"
+    }
+  }
+  spec {
+    replicas = 1
+    strategy {
+      type = "Recreate"
+    }
+    selector {
+      match_labels = {
+        app = "tandoor"
+      }
+    }
+    template {
+      metadata {
+        labels = {
+          app = "tandoor"
+        }
+      }
+      spec {
+        container {
+          name              = "recipes"
+          image             = "vabene1111/recipes"
+          image_pull_policy = "IfNotPresent"
+          env {
+            name  = "SECRET_KEY"
+            value = base64encode(random_password.secret_key.result)
+          }
+          env {
+            name  = "DB_ENGINE"
+            value = "django.db.backends.postgresql"
+          }
+          env {
+            name  = "POSTGRES_HOST"
+            value = "postgresql.dbaas.svc.cluster.local"
+          }
+          env {
+            name  = "POSTGRES_PORT"
+            value = 5432
+          }
+          env {
+            name  = "POSTGRES_USER"
+            value = "tandoor"
+          }
+          env {
+            name  = "POSTGRES_PASSWORD"
+            value = var.tandoor_database_password
+          }
+          env {
+            name  = "TANDOOR_PORT"
+            value = 8080
+          }
+          env {
+            name  = "ENABLE_SIGNUP"
+            value = 1
+          }
+          env {
+            name  = "ALLOWED_HOSTS"
+            value = "tandoor.viktorbarzin.me"
+          }
+          env {
+            name  = "POSTGRES_DB"
+            value = "tandoor"
+          }
+          env {
+            name  = "EMAIL_HOST"
+            value = "mail.viktorbarzin.me"
+          }
+          env {
+            name  = "EMAIL_HOST_USER"
+            value = "info@viktorbarzin.me"
+          }
+          env {
+            name  = "EMAIL_HOST_PASSWORD"
+            value = var.tandoor_email_password
+          }
+          env {
+            name  = "EMAIL_USE_TLS"
+            value = "1"
+          }
+          env {
+            name  = "DEFAULT_FROM_EMAIL"
+            value = "info@viktorbarzin.me"
+          }
+          env {
+            name  = "EMAIL_PORT"
+            value = 587
+          }
+          port {
+            name           = "http"
+            container_port = 8080
+            protocol       = "TCP"
+          }
+          volume_mount {
+            name       = "data"
+            mount_path = "/opt/recipes/mediafiles"
+          }
+          volume_mount {
+            name       = "data"
+            mount_path = "/opt/recipes/staticfiles"
+          }
+        }
+
+        volume {
+          name = "data"
+          nfs {
+            path   = "/mnt/main/tandoor"
+            server = "10.0.10.15"
+          }
+        }
+      }
+    }
+  }
+}
+
+resource "kubernetes_service" "tandoor" {
+  metadata {
+    name      = "tandoor"
+    namespace = "tandoor"
+    labels = {
+      "app" = "tandoor"
+    }
+  }
+
+  spec {
+    selector = {
+      app = "tandoor"
+    }
+    port {
+      port        = 80
+      target_port = 8080
+    }
+  }
+}
+
+module "ingress" {
+  source          = "../ingress_factory"
+  namespace       = "tandoor"
+  name            = "tandoor"
+  tls_secret_name = var.tls_secret_name
+}
--- a/terraform.tfstate
+++ b/terraform.tfstate
--- a/terraform.tfvars
+++ b/terraform.tfvars