feat(wakapi): add wakapi

kubernetes/apps/default/wakapi/Chart.yaml

@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/chart.json
+apiVersion: v2
+name: wakapi
+version: 1.0.0
+type: application
+dependencies:
+  - name: app-template
+    version: 3.3.2
+    repository: https://bjw-s.github.io/helm-charts

kubernetes/apps/default/wakapi/application.yaml

@@ -0,0 +1,28 @@
+---
+# yaml-language-server: $schema=https://deedee-ops.github.io/schemas/argoproj.io/application_v1alpha1.json
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: wakapi
+  namespace: argocd
+spec:
+  project: default
+  sources:
+    - repoURL: https://github.com/deedee-ops/home-ops.git
+      targetRevision: master
+      path: kubernetes/apps/default/wakapi
+      plugin:
+        name: argocd-vault-plugin-helm
+  destination:
+    namespace: default
+    server: https://kubernetes.default.svc
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+    managedNamespaceMetadata:
+      labels:
+        pod-security.kubernetes.io/enforce: restricted
+        pod-security.kubernetes.io/audit: restricted
+        pod-security.kubernetes.io/warn: restricted

kubernetes/apps/default/wakapi/templates/initdb.yaml

@@ -0,0 +1,40 @@
+---
+# yamllint disable rule:line-length
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master-standalone/job.json
+# yamllint enable
+apiVersion: batch/v1
+kind: Job
+metadata:
+  generateName: wakapi-init-db-
+  annotations:
+    argocd.argoproj.io/hook: PreSync
+    argocd.argoproj.io/hook-delete-policy: HookSucceeded
+    argocd.argoproj.io/sync-wave: "-1"
+spec:
+  template:
+    spec:
+      restartPolicy: Never
+      containers:
+        - name: init-db
+          image: ghcr.io/deedee-ops/postgres-init:16.4
+          volumeMounts:
+            - mountPath: /secrets
+              name: secrets
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+                - ALL
+      volumes:
+        - csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: wakapi
+          name: secrets
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault

kubernetes/apps/default/wakapi/templates/secret_class.yaml

@@ -0,0 +1,57 @@
+---
+# yamllint disable rule:line-length
+# yaml-language-server: $schema=https://deedee-ops.github.io/schemas/secrets-store.csi.x-k8s.io/secretproviderclass_v1.json
+# yamllint enable rule:line-length
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: wakapi
+  annotations:
+    argocd.argoproj.io/hook: PreSync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+    argocd.argoproj.io/sync-wave: "-2"
+spec:
+  provider: vault
+  parameters:
+    objects: |
+      # app
+      - objectName: "WAKAPI_DB_USER"
+        secretPath: "kubernetes/data/internal/wakapi"
+        secretKey: "DB_USERNAME"
+      - objectName: "WAKAPI_DB_PASSWORD"
+        secretPath: "kubernetes/data/internal/wakapi"
+        secretKey: "DB_PASSWORD"
+      - objectName: "WAKAPI_DB_HOST"
+        secretPath: "kubernetes/data/internal/cloudnative-pg"
+        secretKey: "HOST"
+      - objectName: "WAKAPI_DB_NAME"
+        secretPath: "kubernetes/data/internal/wakapi"
+        secretKey: "DB_DATABASE"
+      - objectName: "WAKAPI_PASSWORD_SALT"
+        secretPath: "kubernetes/data/internal/wakapi"
+        secretKey: "WAKAPI_PASSWORD_SALT"
+      - objectName: "WAKAPI_MAIL_SENDER"
+        secretPath: "kubernetes/data/internal/base"
+        secretKey: "MAIL_FROM_CLUSTER"
+      # initdb
+      - objectName: "INIT_POSTGRES_USER"
+        secretPath: "kubernetes/data/internal/wakapi"
+        secretKey: "DB_USERNAME"
+      - objectName: "INIT_POSTGRES_PASS"
+        secretPath: "kubernetes/data/internal/wakapi"
+        secretKey: "DB_PASSWORD"
+      - objectName: "INIT_POSTGRES_HOST"
+        secretPath: "kubernetes/data/internal/cloudnative-pg"
+        secretKey: "HOST"
+      - objectName: "INIT_POSTGRES_DBNAME"
+        secretPath: "kubernetes/data/internal/wakapi"
+        secretKey: "DB_DATABASE"
+      - objectName: "INIT_POSTGRES_SUPER_USER"
+        secretPath: "kubernetes/data/internal/cloudnative-pg"
+        secretKey: "SUPERUSER_USERNAME"
+      - objectName: "INIT_POSTGRES_SUPER_PASS"
+        secretPath: "kubernetes/data/internal/cloudnative-pg"
+        secretKey: "SUPERUSER_PASSWORD"
+    roleName: default
+    vaultAddress: https://vault.tools:8200
+    vaultCACertPath: /vault/tls/tls.ca

kubernetes/apps/default/wakapi/values.yaml

@@ -0,0 +1,135 @@
+---
+# yaml-language-server: $schema=https://deedee-ops.github.io/schemas/custom/bjw-s-apptemplate.json
+app-template:
+  defaultPodOptions:
+    securityContext:
+      fsGroup: 65000
+      runAsNonRoot: true
+      seccompProfile:
+        type: RuntimeDefault
+
+  controllers:
+    wakapi:
+      annotations:
+        reloader.stakater.com/auto: "true"
+
+      containers:
+        app:
+          image:
+            repository: ghcr.io/deedee-ops/wakapi
+            tag: 2.11.2@sha256:b1ba92f6342fd34dbfe02ad4e77a14a14a7f45ce902242541a45b3cd3031ace6
+            pullPolicy: IfNotPresent
+
+          env:
+            ENVIRONMENT: prod
+            WAKAPI_LEADERBOARD_ENABLED: "false"
+            WAKAPI_IMPORT_ENABLED: "true"
+            WAKAPI_SUPPORT_CONTACT: "<path:kubernetes/data/internal/base#MAIL_FROM_CLUSTER>"
+            WAKAPI_DATA_RETENTION_MONTHS: "-1"
+            WAKAPI_MAX_INACTIVE_MONTHS: "-1"
+            WAKAPI_PORT: 3000
+            WAKAPI_LISTEN_IPV4: 0.0.0.0
+            WAKAPI_LISTEN_IPV6: "-"
+            WAKAPI_LISTEN_SOCKET: "-"
+            WAKAPI_BASE_PATH: "/"
+            WAKAPI_PUBLIC_URL: "https://wakapi.<path:kubernetes/data/internal/base#ROOT_DOMAIN>"
+            WAKAPI_PASSWORD_SALT: "<path:kubernetes/data/internal/wakapi#WAKAPI_PASSWORD_SALT>"
+            WAKAPI_ALLOW_SIGNUP: "false"
+            WAKAPI_INVITE_CODES: "false"
+            WAKAPI_DISABLE_FRONTPAGE: "true"
+            WAKAPI_EXPOSE_METRICS: "false"
+            # disabled for now, @see https://github.com/muety/wakapi/issues/665
+            WAKAPI_TRUSTED_HEADER_AUTH: "false"
+            WAKAPI_TRUSTED_HEADER_AUTH_KEY: "Remote-User"
+            WAKAPI_TRUST_REVERSE_PROXY_IPS: "172.16.0.0/12"
+            # ---
+            WAKAPI_DB_TYPE: postgres
+            WAKAPI_DB_PORT: 5432
+            WAKAPI_MAIL_ENABLED: "true"
+            WAKAPI_MAIL_SMTP_HOST: "smtp-relay.networking.svc.cluster.local"
+            WAKAPI_MAIL_SMTP_PORT: 25
+            WAKAPI_MAIL_SMTP_TLS: "false"
+            WAKAPI_SENTRY_TRACING: "false"
+            WAKAPI_QUICK_START: "false"
+            WAKAPI_ENABLE_PPROF: "false"
+
+            TZ: Europe/Warsaw
+
+          securityContext:
+            runAsNonRoot: true
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+
+          probes:
+            startup: &probes
+              enabled: true
+              custom: true
+              spec:
+                httpGet:
+                  path: /api/health
+                  port: 3000
+            readiness: *probes
+            liveness: *probes
+
+          resources:
+            requests:
+              cpu: 10m
+              memory: 100Mi
+            limits:
+              memory: 750Mi
+
+  service:
+    app:
+      controller: wakapi
+      ports:
+        http:
+          port: 3000
+
+  ingress:
+    wakapi:
+      className: internal
+      annotations:
+        gethomepage.dev/enabled: "true"
+        gethomepage.dev/group: Apps
+        gethomepage.dev/name: Wakapi
+        gethomepage.dev/icon: wakapi.png
+        gethomepage.dev/description: Coding Time Tracker
+      hosts:
+        - host: "wakapi.<path:kubernetes/data/internal/base#ROOT_DOMAIN>"
+          paths:
+            - path: /
+              pathType: Prefix
+              service:
+                identifier: app
+                port: 3000
+      tls:
+        - hosts:
+            - "wakapi.<path:kubernetes/data/internal/base#ROOT_DOMAIN>"
+    api:
+      className: internal
+      annotations:
+        nginx.ingress.kubernetes.io/enable-global-auth: "false"
+      hosts:
+        - host: "wakapi.<path:kubernetes/data/internal/base#ROOT_DOMAIN>"
+          paths:
+            - path: /api
+              pathType: Prefix
+              service:
+                identifier: app
+                port: 3000
+      tls:
+        - hosts:
+            - "wakapi.<path:kubernetes/data/internal/base#ROOT_DOMAIN>"
+
+  persistence:
+    secrets:
+      type: custom
+      volumeSpec:
+        csi:
+          driver: secrets-store.csi.k8s.io
+          readOnly: true
+          volumeAttributes:
+            secretProviderClass: wakapi