adapt networkpolicy and restic

Author: soerenschneider

apps/miniflux/README.md

@@ -0,0 +1,24 @@
+# miniflux
+
+## secrets
+Secret referenced from miniflux is named `miniflux`
+
+### env vars
+| Name           | Description              | Example                                                | Required |
+|----------------|--------------------------|--------------------------------------------------------|----------|
+| DATABASE_URL   | Postgres DSN             | postgres://miniflux:secret@db/miniflux?sslmode=disable | yes      |
+| ADMIN_USERNAME | Admin username to create | miniflux                                               | no       |
+| ADMIN_PASSWORD | Admin password           | secret123                                              | no       |
+
+
+## configmaps
+Configmap that is referenced by default is named `miniflux` and is created by kustomize configMapGenerator.
+
+| Name           | Description       | Example | Required |
+|----------------|-------------------|---------|----------|
+| RUN_MIGRATIONS | Run db migrations | 1       | no       |
+| CREATE_ADMIN   | Create admin user | 1       | no       |
+
+
+## external links
+- https://miniflux.app/docs/docker.html

apps/miniflux/components/postgres-pvc/postgres-pvc.yaml

@@ -2,10 +2,10 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: mealie-postgres
+  name: "miniflux-postgres"
 spec:
   accessModes:
-    - ReadWriteOnce
+    - "ReadWriteOnce"
   resources:
     requests:
-      storage: 1Gi
+      storage: "512Mi"

apps/miniflux/components/postgres/README.md

@@ -0,0 +1,19 @@
+# miniflux-postgres
+
+## secrets
+
+Secret references is named `miniflux-postgres`
+
+### env variables
+
+| Name              | Description                        | Example   | Required |
+|-------------------|------------------------------------|-----------|----------|
+| POSTGRES_USER     | User to create to access Postgres  | miniflux  | no       |
+| POSTGRES_PASSWORD | Password for user to be created    | secret123 | yes      |
+| POSTGRES_DB       | Name of the database to be created | miniflux  | no       |
+
+### configmap
+
+| Name              | Description                        | Example   | Required |
+|-------------------|------------------------------------|-----------|----------|
+| POSTGRES_DB       | Name of the database to be created | miniflux  | no       |

apps/miniflux/components/postgres/kustomization.yaml

@@ -4,3 +4,16 @@ kind: Component
 resources:
   - postgres-deployment.yaml
   - postgres-service.yaml
+  - networkpolicy.yaml
+patches:
+  - target:
+      kind: "NetworkPolicy"
+      name: "miniflux"
+    patch: |-
+      - op: "add"
+        path: "/spec/egress/-"
+        value:
+          to:
+            - podSelector:
+                matchLabels:
+                  app.kubernetes.io/name: postgres

apps/miniflux/components/postgres/networkpolicy.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: postgres
+spec:
+  podSelector:
+    matchLabels:
+      app: postgres
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: postgres
+      from:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/name: miniflux

apps/miniflux/components/postgres/postgres-deployment.yaml

@@ -38,7 +38,7 @@ spec:
           type: RuntimeDefault
       containers:
         - name: postgres
-          image: postgres:16.7
+          image: postgres:17.4
           securityContext:
             runAsUser: 999
             runAsGroup: 999
@@ -69,7 +69,6 @@ spec:
           resources:
             limits:
               memory: "1Gi"
-              cpu: "500m"
             requests:
               memory: "256Mi"
               cpu: "50m"

apps/miniflux/components/restic-postgres/kustomization.yaml

@@ -0,0 +1,55 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+  - ../../../../infra/restic-postgres
+patches:
+  - target:
+      kind: "CronJob"
+    patch: |
+      - op: "replace"
+        path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom"
+        value:
+          - configMapRef:
+              name: "miniflux-restic-postgres"
+          - secretRef:
+              name: "miniflux-restic-postgres"
+      - op: "replace"
+        path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name"
+        value: "miniflux"
+  - target:
+      kind: "CronJob"
+      name: "restic-postgres-backup"
+    patch: |
+      - op: "replace"
+        path: "/spec/schedule"
+        value: "5 6 * * *"
+      - op: "replace"
+        path: "/spec/jobTemplate/spec/template/spec/containers/0/env/0/valueFrom/secretKeyRef/name"
+        value: "miniflux-postgres"
+      - op: "add"
+        path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom/-"
+        value:
+          secretRef:
+            name: "miniflux-postgres"
+  - target:
+      kind: "CronJob"
+      name: "restic-postgres-prune"
+    patch: |-
+      - op: "replace"
+        path: "/spec/schedule"
+        value: "5 22 * * *"
+  - target:
+      kind: "NetworkPolicy"
+      name: "postgres"
+    patch: |-
+      - op: "add"
+        path: "/spec/ingress/-"
+        value:
+          ports:
+            - protocol: "TCP"
+              port: "postgres"
+          from:
+            - podSelector:
+                matchLabels:
+                  app.kubernetes.io/name: "restic"

apps/miniflux/deployment.yaml

@@ -4,6 +4,7 @@ kind: Deployment
 metadata:
   name: miniflux
   labels:
+    name: miniflux
     app.kubernetes.io/name: miniflux
     app.kubernetes.io/instance: miniflux-prod
     app.kubernetes.io/component: server

apps/miniflux/kustomization.yaml

@@ -7,5 +7,5 @@ resources:
   - networkpolicy.yaml
 configMapGenerator:
   - name: miniflux
-    files:
-      - miniflux.properties
+    literals:
+      - RUN_MIGRATIONS=1

apps/miniflux/networkpolicy.yaml

@@ -4,7 +4,9 @@ kind: NetworkPolicy
 metadata:
   name: miniflux
 spec:
-  podSelector: {}
+  podSelector:
+    matchLabels:
+      app: miniflux
   policyTypes:
     - Ingress
     - Egress
@@ -22,13 +24,9 @@ spec:
   egress:
     - to:
         - ipBlock:
-            cidr: 192.168.0.0/16
-      ports:
-        - port: 5432
-          protocol: TCP
-    - to:
+            cidr: 0.0.0.0/0
         - ipBlock:
-            cidr: 192.168.0.0/16
+            cidr: ::/0
       ports:
         - port: 443
           protocol: TCP
@@ -49,10 +47,3 @@ spec:
           podSelector:
             matchLabels:
               k8s-app: kube-dns
-    - to:
-        - namespaceSelector:
-            matchLabels:
-              name: keycloak
-          podSelector:
-            matchLabels:
-              app.kubernetes.io/name: keycloak