kestra

Author: ildoc

kubernetes/charts/kestra/values.yaml

@@ -1,15 +1,10 @@
 kestra:
-  # L'immagine viene presa automaticamente dalla versione del chart
-  # Non serve specificarla a meno di override necessari
-  
-  # Deploy standalone (tutti i componenti in un unico pod)
-  # Per un homelab questo è perfetto
+  # Deploy standalone per homelab
   deployments:
     standalone:
       enabled: true
       replicaCount: 1
 
-      # Resources (adatta in base al tuo cluster)
       resources:
         limits:
           cpu: 2000m
@@ -18,11 +13,10 @@ kestra:
           cpu: 500m
           memory: 2Gi
 
-      # Strategy per evitare split-brain con SQLite/H2
       strategy:
         type: Recreate
 
-    # Disabilita deployment separati (non servono per homelab)
+    # Disabilita deployment separati
     webserver:
       enabled: false
     executor:
@@ -34,101 +28,55 @@ kestra:
     worker:
       enabled: false
 
-  # Configurazione comune a tutti i deployment
+  # Configurazione comune
   common:
-    # Node selector se hai nodi specifici
-    nodeSelector: {}
-    
-    tolerations: []
-    
-    affinity: {}
-    
-    # Secrets come environment variables
-    # I secrets verranno caricati da External Secrets / Vault
-    extraEnvFrom:
-      - secretRef:
-          name: kestra-secrets
-    
-    # Environment variables aggiuntive
     extraEnv:
       - name: TZ
         value: "Europe/Rome"
+    
+    # Carica secrets per i workflow (accessibili con secret() function)
+    extraSecretEnvFrom:
+      - name: kestra-secrets
+        prefix: SECRET_
 
-  # Configurazione Kestra (ConfigMap)
-  # Questo configura PostgreSQL esterno
+  # Configurazione Kestra
   configuration:
     kestra:
       server:
         base-url: "https://kestra.local.ildoc.it"
 
-      # Repository (metadati workflow, executions, etc.)
       repository:
         type: postgres
 
-      # Queue (task scheduling)
       queue:
         type: postgres
 
-      # Storage per file, logs, outputs
       storage:
         type: local
         local:
           base-path: "/app/storage"
-      
-      # Tasks configuration
-      tasks:
-        tmp-dir:
-          path: "/tmp/kestra-wd/tmp"
 
-  # Secrets Kestra (database credentials)
-  # Questi verranno sovrascritti da External Secrets
-  secrets:
-    kestra:
-      datasources:
-        postgres:
-          # Placeholder - verranno sovrascritti da External Secrets
-          url: jdbc:postgresql://192.168.0.30:5432/kestra_db
-          username: kestra_user
-          password: placeholder
+  # Carica database credentials da External Secret
+  externalSecret:
+    secretName: kestra-db-secret
+    key: application-secrets.yml
 
   # Service Account
   serviceAccount:
     create: true
     automountToken: false
 
-  # Service
-  service:
-    type: ClusterIP
-    port: 8080
-
   # Persistence per storage locale
   persistence:
     enabled: true
     storageClassName: "nfs-csi"
     accessModes:
       - ReadWriteOnce
-    size: 20Gi  # Storage per workflow files, logs, outputs
+    size: 20Gi
 
-  # Docker-in-Docker per eseguire container
-  # Necessario per task come Script con Docker runner
+  # Docker-in-Docker
   dind:
     enabled: true
-    # Modalità rootless (più sicura)
-    mode: 'rootless'
-    
-    image:
-      repository: docker
-      tag: dind-rootless
-      pullPolicy: IfNotPresent
-    
-    securityContext:
-      privileged: true
-      runAsUser: 1000
-      runAsGroup: 1000
-    
-    args:
-      - --log-level=fatal
-      - --group=1000
 
     resources:
       limits:
@@ -139,17 +87,14 @@ kestra:
         memory: 512Mi
 
   # Disabilita servizi non necessari
-  # (PostgreSQL e MinIO sono esterni)
   kafka:
     enabled: false
 
   elasticsearch:
     enabled: false
 
-  # Operator (solo Enterprise Edition)
   operator:
     enabled: false
 
-  # Ingress disabilitato (usiamo HTTPRoute)
   ingress:
     enabled: false

kubernetes/charts/kestra/templates/secrets.yaml renamed to kubernetes/infra/manifests/infra-secrets/kestra-secrets.yaml

@@ -1,64 +1,63 @@
 ---
+# Secret per PostgreSQL ESTERNO (database credentials)
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: vault-kestra-secrets
+  name: kestra-db-secret
   namespace: apps
 spec:
   refreshInterval: "1h"
   secretStoreRef:
-    name: vault-kubernetes-secret-store
+    name: vault-cross-secret-store
     kind: ClusterSecretStore
   target:
-    name: kestra-secrets
+    name: kestra-db-secret
     creationPolicy: Owner
     template:
       engineVersion: v2
       data:
-        # PostgreSQL connection (nel formato che Kestra si aspetta)
+        # File di configurazione per Kestra (database credentials)
         application-secrets.yml: |
           kestra:
             datasources:
               postgres:
                 url: jdbc:postgresql://192.168.0.30:5432/kestra_db
                 driver-class-name: org.postgresql.Driver
-                username: {{ .postgres_username }}
+                username: kestra_user
                 password: {{ .postgres_password }}
-        
-        # Secrets per i workflow (accessibili con secret() function)
-        # External Secrets già gestisce l'encoding, NON serve b64enc
-        SECRET_VAULT_ROLE_ID: "{{ .vault_role_id }}"
-        SECRET_VAULT_SECRET_ID: "{{ .vault_secret_id }}"
-        SECRET_GITLAB_TOKEN: "{{ .gitlab_token }}"
-        SECRET_SLACK_WEBHOOK: "{{ .slack_webhook }}"
-  
   data:
-    - secretKey: postgres_username
-      remoteRef:
-        key: kubernetes/data/apps/kestra
-        property: postgres_username
-    
     - secretKey: postgres_password
       remoteRef:
-        key: kubernetes/data/apps/kestra
+        key: cross/data/apps/kestra
         property: postgres_password
-    
-    - secretKey: vault_role_id
+
+---
+# Secret per workflow (accessibili tramite secret() function)
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: kestra-secrets
+  namespace: apps
+spec:
+  refreshInterval: "1h"
+  secretStoreRef:
+    name: vault-kubernetes-secret-store
+    kind: ClusterSecretStore
+  target:
+    name: kestra-secrets
+    creationPolicy: Owner
+  data:
+    - secretKey: VAULT_ROLE_ID
       remoteRef:
         key: kubernetes/data/apps/kestra
         property: vault_role_id
 
-    - secretKey: vault_secret_id
+    - secretKey: VAULT_SECRET_ID
       remoteRef:
         key: kubernetes/data/apps/kestra
         property: vault_secret_id
 
-    - secretKey: gitlab_token
+    - secretKey: GITLAB_TOKEN
       remoteRef:
         key: kubernetes/data/apps/kestra
         property: gitlab_token
-    
-    - secretKey: slack_webhook
-      remoteRef:
-        key: kubernetes/data/apps/kestra
-        property: slack_webhook