add taskchampion

soerenschneider · soerenschneider · commit 6284eb2e8683 · 2024-10-15T19:55:26.000+01:00
diff --git a/apps/taskchampion/components/istio/istio-virtualservice.yaml b/apps/taskchampion/components/istio/istio-virtualservice.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: "networking.istio.io/v1alpha3"
+kind: "VirtualService"
+metadata:
+  name: "taskchampion"
+spec:
+  hosts:
+    - "taskchampion"
+  gateways:
+    - "istio-system/gateway"
+  http:
+    - match:
+        - uri:
+            prefix: "/"
+      route:
+        - destination:
+            host: "taskchampion"
+            port:
+              number: 80
diff --git a/apps/taskchampion/components/istio/kustomization.yaml b/apps/taskchampion/components/istio/kustomization.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+  - istio-virtualservice.yaml
+patches:
+  - target:
+      kind: "NetworkPolicy"
+      name: "taskchampion"
+    patch: |-
+      - op: "add"
+        path: "/spec/ingress/0/from/-"
+        value:
+          namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: "istio-system"
+          podSelector:
+            matchLabels:
+              istio: "ingressgateway"
diff --git a/apps/taskchampion/components/pvc/kustomization.yaml b/apps/taskchampion/components/pvc/kustomization.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+  - taskchampion-pvc.yaml
+patches:
+  - target:
+      kind: Deployment
+      name: taskchampion
+    patch: |-
+      - op: add
+        path: /spec/template/spec/priorityClassName
+        value: prod-default-prio
+      - op: replace
+        path: /spec/template/spec/volumes/0
+        value:
+          name: storage
+          persistentVolumeClaim:
+            claimName: taskchampion
diff --git a/apps/taskchampion/components/pvc/taskchampion-pvc.yaml b/apps/taskchampion/components/pvc/taskchampion-pvc.yaml
@@ -0,0 +1,11 @@
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: taskchampion
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
diff --git a/apps/taskchampion/components/restic-pvc/kustomization.yaml b/apps/taskchampion/components/restic-pvc/kustomization.yaml
@@ -0,0 +1,67 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+  - ../../../../infra/restic-pvc
+configMapGenerator:
+  - name: "taskd-restic-pvc"
+    behavior: merge  # TODO: https://github.com/kubernetes-sigs/kustomize/issues/4402
+    literals:
+      - "RETENTION_DAYS=7"
+      - "RETENTION_WEEKS=4"
+      - "RETENTION_MONTHS=6"
+      - "RESTIC_TARGETS=/var/taskd"
+      - "RESTIC_BACKUP_ID=taskd"
+patches:
+  - target:
+      kind: "CronJob"
+      name: "restic-pvc-backup"
+    patch: |-
+      - op: "replace"
+        path: "/spec/schedule"
+        value: "5 6 * * *"
+      - op: "replace"
+        path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name"
+        value: "taskd"
+      - op: "replace"
+        path: "/spec/jobTemplate/spec/template/spec/securityContext/runAsUser"
+        value: 53589
+      - op: "replace"
+        path: "/spec/jobTemplate/spec/template/spec/securityContext/runAsGroup"
+        value: 53589
+      - op: "replace"
+        path: "/spec/jobTemplate/spec/template/spec/securityContext/fsGroup"
+        value: 53589
+      - op: "replace"
+        path: "/spec/jobTemplate/spec/template/spec/containers/0/securityContext/runAsUser"
+        value: 53589
+      - op: "replace"
+        path: "/spec/jobTemplate/spec/template/spec/containers/0/securityContext/runAsGroup"
+        value: 53589
+      - op: "replace"
+        path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom"
+        value:
+          - configMapRef:
+              name: "taskd-restic-pvc"
+          - secretRef:
+              name: "taskd-restic-pvc"
+      - op: "replace"
+        path: "/spec/jobTemplate/spec/template/spec/volumes/0/persistentVolumeClaim/claimName"
+        value: "taskd"
+      - op: "replace"
+        path: "/spec/jobTemplate/spec/template/spec/containers/0/volumeMounts/0/mountPath"
+        value: "/var/taskd"
+  - target:
+      kind: "CronJob"
+      name: "restic-pvc-prune"
+    patch: |-
+      - op: "replace"
+        path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name"
+        value: "taskd"
+      - op: "replace"
+        path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom"
+        value:
+          - configMapRef:
+              name: "taskd-restic-pvc"
+          - secretRef:
+              name: "taskd-restic-pvc"
diff --git a/apps/taskchampion/components/restic-pvc/upsert-secret-taskd-restic-pvc.sh b/apps/taskchampion/components/restic-pvc/upsert-secret-taskd-restic-pvc.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+BACKUP_ID="${K8S_APP_SUB}"
+S3_DIR="restic-${BACKUP_ID}"
+TF_VALUE=$(terraform -chdir=../../../../tf-aws-s3-backups output -json ids | jq -r '.["'"${S3_DIR}"'"]')
+AWS_ACCESS_KEY_ID=$(echo "$TF_VALUE" | jq -r '.id')
+AWS_SECRET_ACCESS_KEY=$(echo "$TF_VALUE" | jq -r '.secret')
+RESTIC_REPOSITORY="s3:s3.amazonaws.com/soerenschneider-backups/${S3_DIR}"
+RESTIC_PASSWORD="$(pass backups/restic/prod/${BACKUP_ID})"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+	--from-literal=AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \
+	--from-literal=AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \
+	--from-literal=RESTIC_REPOSITORY="${RESTIC_REPOSITORY}" \
+	--from-literal=RESTIC_PASSWORD="${RESTIC_PASSWORD}" \
+  --from-literal=RESTIC_BACKUP_ID="${BACKUP_ID}" \
+	--dry-run=client -o yaml |
+	sops -e --input-type=yaml --output-type=yaml -e \
+	--encrypted-regex '^(data|stringData)$' \
+	--output "${K8S_SECRET_FILE_NAME}" /dev/stdin
diff --git a/apps/taskchampion/deployment.yaml b/apps/taskchampion/deployment.yaml
@@ -0,0 +1,68 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: taskchampion
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: taskchampion
+  template:
+    metadata:
+      labels:
+        app: taskchampion
+        app.kubernetes.io/name: taskchampion
+        app.kubernetes.io/instance: taskchampion-prod
+        app.kubernetes.io/component: taskchampion
+        app.kubernetes.io/part-of: taskchampion
+    spec:
+      securityContext:
+        runAsUser: 53589
+        runAsGroup: 53589
+        fsGroup: 53589
+        runAsNonRoot: true
+        seccompProfile:
+          type: "RuntimeDefault"
+      containers:
+        - name: "taskchampion"
+          image: "ghcr.io/gothenburgbitfactory/taskchampion-sync-server:main@sha256:4798edada4b264cdcc82f1c8ea2389cdd5cde02926f74b2361005438056f5729"
+          imagePullPolicy: "IfNotPresent"
+          ports:
+            - containerPort: 8080
+              name: "taskchampion"
+          resources:
+            requests:
+              memory: "16Mi"
+              cpu: "1m"
+            limits:
+              memory: "32Mi"
+          livenessProbe:
+            tcpSocket:
+              port: "taskchampion"
+            initialDelaySeconds: 15
+            timeoutSeconds: 5
+            failureThreshold: 5
+          readinessProbe:
+            tcpSocket:
+              port: "taskchampion"
+            initialDelaySeconds: 2
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            privileged: false
+            runAsNonRoot: true
+            runAsUser: 53589
+            runAsGroup: 53589
+            capabilities:
+              drop:
+                - "ALL"
+            seccompProfile:
+              type: "RuntimeDefault"
+          volumeMounts:
+            - name: "storage"
+              mountPath: "/var/lib/taskchampion-sync-server"
+      volumes:
+        - name: "storage"
+          emptyDir:
+            sizeLimit: "100Mi"
diff --git a/apps/taskchampion/kustomization.yaml b/apps/taskchampion/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1beta1"
+kind: "Kustomization"
+resources:
+  - "deployment.yaml"
+  - "service.yaml"
+  - "networkpolicy.yaml"
diff --git a/apps/taskchampion/networkpolicy.yaml b/apps/taskchampion/networkpolicy.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: "networking.k8s.io/v1"
+kind: "NetworkPolicy"
+metadata:
+  name: "taskchampion"
+spec:
+  podSelector: {}
+  policyTypes:
+    - "Egress"
+    - "Ingress"
+  ingress:
+    - ports:
+        - protocol: "TCP"
+          port: "taskchampion"
+      from: []
+  egress: []
diff --git a/apps/taskchampion/service.yaml b/apps/taskchampion/service.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: "v1"
+kind: "Service"
+metadata:
+  name: "taskchampion"
+spec:
+  selector:
+    app: "taskchampion"
+  ports:
+    - protocol: "TCP"
+      port: 80
+      targetPort: "taskchampion"
