Deploy docmost on sandbox

apps/docmost/base/docmost-pdb.yaml

@@ -0,0 +1,9 @@
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: docmost-pdb
+spec:
+  minAvailable: 1
+  selector:
+    matchLabels:
+      app: docmost

apps/docmost/base/docmost-pv.yaml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: docmost-pv
+spec:
+  capacity:
+    storage: 10Gi
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Delete
+  storageClassName: local-path
+  local:
+    path: /mnt/docmost/docmost-pv
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: disktype
+              operator: In
+              values:
+                - ssd
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: docmost-pv-claim
+spec:
+  accessModes: [ReadWriteMany]
+  resources:
+    requests:
+      storage: 10Gi
+  storageClassName: local-path

apps/docmost/base/docmost-service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: docmost
+spec:
+  ports:
+    - name: http
+      port: 3000
+      targetPort: 3000
+  clusterIP: None
+  selector:
+    app: docmost

apps/docmost/base/docmost-statefulset.yaml

@@ -0,0 +1,80 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: docmost
+  annotations:
+    kube-score/ignore: pod-networkpolicy, pod-probes, container-security-context-readonlyrootfilesystem, container-security-context-privileged, container-security-context-user-group-id, container-image-tag
+spec:
+  serviceName: docmost
+  replicas: 2
+  selector:
+    matchLabels:
+      app: docmost
+  template:
+    metadata:
+      labels:
+        app: docmost
+    spec:
+      containers:
+        - env:
+            - name: APP_URL
+              value: https://wiki.sandbox.etsmtl.club
+            - name: REDIS_URL
+              value: redis://redis.docmost.svc.cluster.local:6379
+          image: docmost/docmost:0.21.0
+          name: docmost
+          imagePullPolicy: Always
+          envFrom:
+            - secretRef:
+                name: docmost-secrets
+          ports:
+            - containerPort: 3000
+              protocol: TCP
+          volumeMounts:
+            - mountPath: /app/data/storage
+              name: docmost-pv-claim
+          resources:
+            requests:
+              cpu: 250m
+              memory: 500Mi
+              ephemeral-storage: 256Mi
+            limits:
+              cpu: 1000m
+              memory: 1Gi
+              ephemeral-storage: 1Gi
+          securityContext:
+            runAsUser: 10001
+            runAsGroup: 10001
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 3000
+            initialDelaySeconds: 30
+            periodSeconds: 10
+      imagePullSecrets:
+        - name: dockerhub-pull
+      initContainers:
+        - name: init-permissions
+          image: busybox
+          command: ["/bin/sh", "-c"]
+          resources:
+            requests:
+              cpu: "50m"
+              memory: "64Mi"
+              ephemeral-storage: "64Mi"
+            limits:
+              cpu: "100m"
+              memory: "128Mi"
+              ephemeral-storage: "128Mi"
+          args:
+            - chown -R 10001:10001 /app/data/storage;
+              chmod -R 770 /app/data/storage;
+          volumeMounts:
+            - mountPath: /app/data/storage
+              name: docmost-pv-claim
+      restartPolicy: Always

apps/docmost/base/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - docmost-service.yaml
+  - docmost-statefulset.yaml
+  - redis-service.yaml
+  - redis-statefulset.yaml
+  - docmost-pdb.yaml
+  - docmost-pv.yaml
+  - redis-pv.yaml

apps/docmost/base/redis-pv.yaml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: redis-pv
+spec:
+  capacity:
+    storage: 5Gi
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Delete
+  storageClassName: local-path
+  local:
+    path: /mnt/redis/redis-pv
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: disktype
+              operator: In
+              values:
+                - ssd
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: redis-pv-claim
+spec:
+  accessModes: [ReadWriteMany]
+  resources:
+    requests:
+      storage: 5Gi
+  storageClassName: local-path

apps/docmost/base/redis-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis
+spec:
+  ports:
+    - port: 6379
+      targetPort: 6379
+  clusterIP: None
+  selector:
+    app: redis

apps/docmost/base/redis-statefulset.yaml

@@ -0,0 +1,58 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: redis
+  annotations:
+    kube-score/ignore: pod-networkpolicy, pod-probes-identical
+spec:
+  serviceName: redis
+  replicas: 1
+  selector:
+    matchLabels:
+      app: redis
+  template:
+    metadata:
+      labels:
+        app: redis
+    spec:
+      securityContext:
+        fsGroup: 1000
+      containers:
+        - name: redis
+          image: redis:7.2.4
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 6379
+          volumeMounts:
+            - name: redis-pv-claim
+              mountPath: /data
+          resources:
+            requests:
+              cpu: 250m
+              memory: 500Mi
+              ephemeral-storage: 256Mi
+            limits:
+              cpu: 1000m
+              memory: 1Gi
+              ephemeral-storage: 1Gi
+          livenessProbe:
+            exec:
+              command:
+                - redis-cli
+                - ping
+            initialDelaySeconds: 30
+            periodSeconds: 10
+          readinessProbe:
+            exec:
+              command:
+                - redis-cli
+                - ping
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          securityContext:
+            runAsUser: 10001
+            runAsGroup: 10001
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+      imagePullSecrets:
+        - name: dockerhub-pull

apps/docmost/docmost.argoapp.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: docmost
+  namespace: argocd
+spec:
+  destination:
+    namespace: docmost
+    server: https://cedille.kubernetes.omni.siderolabs.io?cluster=k8s-cedille-sandbox
+  project: k8s-cedille-sandbox
+  source:
+    path: apps/docmost/prod
+    repoURL: https://github.com/ClubCedille/k8s-cedille-sandbox.git
+    targetRevision: HEAD
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

apps/docmost/prod/httpproxy.yaml

@@ -0,0 +1,19 @@
+apiVersion: projectcontour.io/v1
+kind: HTTPProxy
+metadata:
+  name: docmost
+spec:
+  virtualhost:
+    fqdn: wiki.sandbox.etsmtl.club
+    tls:
+      secretName: tls-delegation/sandbox-tls
+  routes:
+    - conditions:
+        - prefix: /
+      enableWebsockets: true
+      services:
+        - name: docmost
+          port: 3000
+      timeoutPolicy:
+        idle: 600s
+        response: 600s

apps/docmost/prod/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+metadata:
+  namespace: docmost
+resources:
+  - httpproxy.yaml
+  - postgres.yaml
+  - ../base

apps/docmost/prod/manual-backup.yaml

@@ -0,0 +1,12 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Backup
+metadata:
+  name: cnpg-backup-docmost
+  namespace: docmost
+spec:
+  backupOwnerReference: self
+  cluster:
+    name: postgresql-docmost
+  method: plugin
+  pluginConfiguration:
+    name: barman-cloud.cloudnative-pg.io

apps/docmost/prod/postgres.yaml

@@ -0,0 +1,14 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: postgresql-docmost
+spec:
+  imageName: ghcr.io/cloudnative-pg/postgresql:17.2
+  instances: 1
+  bootstrap:
+    initdb:
+      database: docmost
+      owner: docmost
+  storage:
+    size: 15Gi
+    storageClass: cephfs