kestra

Author: ildoc

kubernetes/charts/archived/kestra/Chart.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: v2
+name: kestra
+version: 1.0.0
+dependencies:
+  - name: kestra
+    version: "1.0.4"  # Ultima versione stabile di Kestra 1.0
+    repository: https://helm.kestra.io/

kubernetes/charts/archived/kestra/templates/httproute.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: kestra-route
+  namespace: apps
+spec:
+  parentRefs:
+    - name: cilium-gateway
+      namespace: kube-system
+      sectionName: https
+  hostnames:
+    - "kestra.local.ildoc.it"
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      backendRefs:
+        - name: kestra
+          port: 8080

kubernetes/charts/archived/kestra/templates/secrets.yaml

@@ -0,0 +1,64 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: vault-kestra-secrets
+  namespace: apps
+spec:
+  refreshInterval: "1h"
+  secretStoreRef:
+    name: vault-kubernetes-secret-store
+    kind: ClusterSecretStore
+  target:
+    name: kestra-secrets
+    creationPolicy: Owner
+    template:
+      engineVersion: v2
+      data:
+        # PostgreSQL connection (nel formato che Kestra si aspetta)
+        application-secrets.yml: |
+          kestra:
+            datasources:
+              postgres:
+                url: jdbc:postgresql://192.168.0.30:5432/kestra_db
+                driver-class-name: org.postgresql.Driver
+                username: {{ .postgres_username }}
+                password: {{ .postgres_password }}
+        
+        # Secrets per i workflow (accessibili con secret() function)
+        # External Secrets già gestisce l'encoding, NON serve b64enc
+        SECRET_VAULT_ROLE_ID: "{{ .vault_role_id }}"
+        SECRET_VAULT_SECRET_ID: "{{ .vault_secret_id }}"
+        SECRET_GITLAB_TOKEN: "{{ .gitlab_token }}"
+        SECRET_SLACK_WEBHOOK: "{{ .slack_webhook }}"
+  
+  data:
+    - secretKey: postgres_username
+      remoteRef:
+        key: kubernetes/data/apps/kestra
+        property: postgres_username
+    
+    - secretKey: postgres_password
+      remoteRef:
+        key: kubernetes/data/apps/kestra
+        property: postgres_password
+    
+    - secretKey: vault_role_id
+      remoteRef:
+        key: kubernetes/data/apps/kestra
+        property: vault_role_id
+    
+    - secretKey: vault_secret_id
+      remoteRef:
+        key: kubernetes/data/apps/kestra
+        property: vault_secret_id
+    
+    - secretKey: gitlab_token
+      remoteRef:
+        key: kubernetes/data/apps/kestra
+        property: gitlab_token
+    
+    - secretKey: slack_webhook
+      remoteRef:
+        key: kubernetes/data/apps/kestra
+        property: slack_webhook

kubernetes/charts/archived/kestra/values.yaml

@@ -0,0 +1,155 @@
+kestra:
+  # L'immagine viene presa automaticamente dalla versione del chart
+  # Non serve specificarla a meno di override necessari
+  
+  # Deploy standalone (tutti i componenti in un unico pod)
+  # Per un homelab questo è perfetto
+  deployments:
+    standalone:
+      enabled: true
+      replicaCount: 1
+      
+      # Resources (adatta in base al tuo cluster)
+      resources:
+        limits:
+          cpu: 2000m
+          memory: 4Gi
+        requests:
+          cpu: 500m
+          memory: 2Gi
+      
+      # Strategy per evitare split-brain con SQLite/H2
+      strategy:
+        type: Recreate
+    
+    # Disabilita deployment separati (non servono per homelab)
+    webserver:
+      enabled: false
+    executor:
+      enabled: false
+    indexer:
+      enabled: false
+    scheduler:
+      enabled: false
+    worker:
+      enabled: false
+
+  # Configurazione comune a tutti i deployment
+  common:
+    # Node selector se hai nodi specifici
+    nodeSelector: {}
+    
+    tolerations: []
+    
+    affinity: {}
+    
+    # Secrets come environment variables
+    # I secrets verranno caricati da External Secrets / Vault
+    extraEnvFrom:
+      - secretRef:
+          name: kestra-secrets
+    
+    # Environment variables aggiuntive
+    extraEnv:
+      - name: TZ
+        value: "Europe/Rome"
+
+  # Configurazione Kestra (ConfigMap)
+  # Questo configura PostgreSQL esterno
+  configuration:
+    kestra:
+      server:
+        base-url: "https://kestra.local.ildoc.it"
+      
+      # Repository (metadati workflow, executions, etc.)
+      repository:
+        type: postgres
+      
+      # Queue (task scheduling)
+      queue:
+        type: postgres
+      
+      # Storage per file, logs, outputs
+      storage:
+        type: local
+        local:
+          base-path: "/app/storage"
+      
+      # Tasks configuration
+      tasks:
+        tmp-dir:
+          path: "/tmp/kestra-wd/tmp"
+
+  # Secrets Kestra (database credentials)
+  # Questi verranno sovrascritti da External Secrets
+  secrets:
+    kestra:
+      datasources:
+        postgres:
+          # Placeholder - verranno sovrascritti da External Secrets
+          url: jdbc:postgresql://192.168.0.30:5432/kestra_db
+          username: kestra_user
+          password: placeholder
+
+  # Service Account
+  serviceAccount:
+    create: true
+    automountToken: false
+
+  # Service
+  service:
+    type: ClusterIP
+    port: 8080
+
+  # Persistence per storage locale
+  persistence:
+    enabled: true
+    storageClassName: "nfs-csi"
+    accessModes:
+      - ReadWriteOnce
+    size: 20Gi  # Storage per workflow files, logs, outputs
+
+  # Docker-in-Docker per eseguire container
+  # Necessario per task come Script con Docker runner
+  dind:
+    enabled: true
+    # Modalità rootless (più sicura)
+    mode: 'rootless'
+    
+    image:
+      repository: docker
+      tag: dind-rootless
+      pullPolicy: IfNotPresent
+    
+    securityContext:
+      privileged: true
+      runAsUser: 1000
+      runAsGroup: 1000
+    
+    args:
+      - --log-level=fatal
+      - --group=1000
+    
+    resources:
+      limits:
+        cpu: 1000m
+        memory: 2Gi
+      requests:
+        cpu: 100m
+        memory: 512Mi
+
+  # Disabilita servizi non necessari
+  # (PostgreSQL e MinIO sono esterni)
+  kafka:
+    enabled: false
+  
+  elasticsearch:
+    enabled: false
+  
+  # Operator (solo Enterprise Edition)
+  operator:
+    enabled: false
+
+  # Ingress disabilitato (usiamo HTTPRoute)
+  ingress:
+    enabled: false