wip

cătălin 2026-03-11 10:19:36 +01:00
commit ea6354530d
No known key found for this signature in database
14 changed files with 361 additions and 167 deletions


@ -9,11 +9,80 @@ spec:
name: ''
namespace: apps-roboces
server: https://kubernetes.default.svc
source:
path: k8s/services/miniflux
sources:
- path: k8s/charts/miniflux
repoURL: https://git.roboces.dev/catalin/fukuops.git
targetRevision: feat/miniflux-helm
helm:
valuesObject:
replicaCount: 3
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 10000
runAsGroup: 10000
capabilities:
drop:
- all
service:
type: LoadBalancer
ingress:
enabled: true
className: "traefik"
hosts:
- host: feeds.roboces.dev
paths:
- path: /
pathType: Prefix
resources:
requests:
cpu: 300m
memory: 300Mi
ephemeral-storage: 2Gi
limits:
cpu: 400m
memory: 500Mi
ephemeral-storage: 4Gi
livenessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 5
timeoutSeconds: 15
successThreshold: 1
failureThreshold: 3
periodSeconds: 10
readinessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 15
timeoutSeconds: 2
successThreshold: 1
failureThreshold: 3
periodSeconds: 10
podDisruptionBudget:
enabled: true
maxUnavailable: 1
env:
RUN_MIGRATIONS: "1"
CREATE_ADMIN: "1"
OAUTH2_PROVIDER: oidc
OAUTH2_REDIRECT_URL: https://feeds.roboces.dev/oauth2/oidc/callback
OAUTH2_OIDC_DISCOVERY_ENDPOINT: https://auth.fukurokuju.dev/application/o/miniflux/
OAUTH2_USER_CREATION: "1"
FETCH_YOUTUBE_WATCH_TIME: "1"
WORKER_POOL_SIZE: "1"
POLLING_FREQUENCY: "120"
BATCH_SIZE: "25"
METRICS_COLLECTOR: "1"
METRICS_ALLOWED_NETWORKS: 10.42.1.0/16
secret:
existingSecretName: miniflux
- path: k8s/services/miniflux
repoURL: https://git.roboces.dev/catalin/fukuops.git
targetRevision: main
sources: []
project: roboces
syncPolicy:
automated: {}
automated:
prune: true
selfHeal: true
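Review bot: The chart source tracks a mutable feature branch (`targetRevision: feat/miniflux-helm`) while the sync policy at the end of this hunk turns on `automated` with `prune: true` and `selfHeal: true`, so any push to that branch is applied to `apps-roboces` and can delete resources without going through `main`. Before this leaves wip, point the chart source at `main` or at a tag or commit, e.g. `targetRevision: main`, as the second source already does. The values also keep `service.type: LoadBalancer` next to an enabled Traefik ingress; if all traffic is meant to arrive through `feeds.roboces.dev`, the chart default `ClusterIP` avoids exposing port 8888 directly. The `+`/`-` markers are lost on this page, so the new side is inferred from the hunk counts.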


@ -0,0 +1,6 @@
apiVersion: v2
name: miniflux
description: A Helm chart for Miniflux RSS reader
type: application
version: 0.1.0
appVersion: "2.2.17"


@ -0,0 +1,62 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "miniflux.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "miniflux.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "miniflux.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "miniflux.labels" -}}
helm.sh/chart: {{ include "miniflux.chart" . }}
{{ include "miniflux.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "miniflux.selectorLabels" -}}
app.kubernetes.io/name: {{ include "miniflux.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "miniflux.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "miniflux.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
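Review bot: The `miniflux.serviceAccountName` helper reads `.Values.serviceAccount.create` and `.Values.serviceAccount.name`, but the values file added in this commit defines no `serviceAccount` key and none of the templates shown include the helper. If it is ever included, rendering would fail on the missing map. Either drop the helper, or add the defaults it expects to the values file, e.g. `serviceAccount: {create: false, name: ""}`, and set `serviceAccountName` in the Deployment from it.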


@ -0,0 +1,73 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "miniflux.fullname" . }}
labels:
{{- include "miniflux.labels" . | nindent 4 }}
annotations:
kube-score/ignore: pod-networkpolicy,deployment-has-host-podantiaffinity
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "miniflux.selectorLabels" . | nindent 6 }}
strategy:
rollingUpdate:
maxSurge: 50%
maxUnavailable: 50%
type: RollingUpdate
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "miniflux.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
envFrom:
- secretRef:
name: {{ .Values.secret.existingSecretName | default (include "miniflux.fullname" .) }}
env:
{{- range $key, $value := .Values.env }}
- name: {{ $key }}
value: {{ $value | quote }}
{{- end }}
ports:
- name: http
containerPort: 8080
protocol: TCP
livenessProbe:
{{- toYaml .Values.livenessProbe | nindent 12 }}
readinessProbe:
{{- toYaml .Values.readinessProbe | nindent 12 }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
restartPolicy: Always
automountServiceAccountToken: false
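Review bot: The `envFrom.secretRef.name` line always renders, falling back to `miniflux.fullname` when `secret.existingSecretName` is empty, but the chart's Secret template is only emitted when `secret.enabled` is true. With the chart defaults (`enabled: false`, `existingSecretName: ""`) the pod therefore references a Secret that nothing creates and will not start. Wrap the `envFrom` block in `{{- if or .Values.secret.enabled .Values.secret.existingSecretName }}` … `{{- end }}` so the reference exists only when a Secret does.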


@ -0,0 +1,45 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "miniflux.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{- include "miniflux.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.className }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if .pathType }}
pathType: {{ .pathType }}
{{- end }}
backend:
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
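Review bot: The `tls` block is emitted only when `.Values.ingress.tls` is set, and the Application values in this commit enable the ingress for `feeds.roboces.dev` without a `tls` entry, so the rendered Ingress carries no TLS section. The OIDC redirect URL is `https://feeds.roboces.dev/...`, so TLS is presumably terminated by a Traefik entrypoint or default certificate; confirm that, or add `ingress.tls` with the host and a `secretName`. Also quote the scalar values here for consistency with `host`, e.g. `path: {{ .path | quote }}` and `secretName: {{ .secretName | quote }}`.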


@ -0,0 +1,18 @@
{{- if .Values.podDisruptionBudget.enabled -}}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "miniflux.fullname" . }}
labels:
{{- include "miniflux.labels" . | nindent 4 }}
spec:
{{- if .Values.podDisruptionBudget.minAvailable }}
minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
{{- end }}
{{- if .Values.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
{{- end }}
selector:
matchLabels:
{{- include "miniflux.selectorLabels" . | nindent 6 }}
{{- end }}
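Review bot: The two `if` guards in `spec` are independent and test truthiness, which causes two problems. Setting both `minAvailable` and `maxUnavailable` renders both fields, which the API rejects as mutually exclusive, and a value of `0` is treated as unset and silently dropped. Test for presence instead, e.g. `{{- if not (kindIs "invalid" .Values.podDisruptionBudget.maxUnavailable) }}`, and chain the second field with `{{- else if ... }}` so that at most one is emitted.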


@ -0,0 +1,13 @@
{{- if and .Values.secret.enabled (not .Values.secret.existingSecretName) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "miniflux.fullname" . }}
labels:
{{- include "miniflux.labels" . | nindent 4 }}
type: Opaque
stringData:
{{- range $key, $value := .Values.secret.data }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
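Review bot: Rendering `stringData` from `.Values.secret.data` means any credential supplied this way is stored in plain text wherever the values live, which for this repository is the Argo Application manifest in Git. The deployment in this commit uses `existingSecretName` instead, so document that as the supported path with a comment above `secret:` in the values file, such as `# Prefer existingSecretName (e.g. a SealedSecret); anything in secret.data is stored unencrypted with the values.` Also quote the key, `{{ $key | quote }}: {{ $value | quote }}`, so keys that look like booleans or numbers stay strings.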


@ -0,0 +1,15 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "miniflux.fullname" . }}
labels:
{{- include "miniflux.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: {{ .Values.service.targetPort }}
protocol: TCP
name: http
selector:
{{- include "miniflux.selectorLabels" . | nindent 4 }}


@ -0,0 +1,42 @@
# Configuration is managed in k8s/argo-apps/miniflux.yaml
replicaCount: 1
image:
repository: miniflux/miniflux
pullPolicy: Always
tag: ""
imagePullSecrets: []
podAnnotations: {}
podSecurityContext: {}
securityContext: {}
service:
type: ClusterIP
port: 8888
targetPort: 8080
ingress:
enabled: false
resources: {}
livenessProbe: {}
readinessProbe: {}
autoscaling:
enabled: false
nodeSelector: {}
tolerations: []
affinity: {}
podDisruptionBudget:
enabled: false
env: {}
secret:
enabled: false
existingSecretName: ""
data: {}
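Review bot: The chart defaults leave `securityContext: {}` and `podSecurityContext: {}`, so the hardening the old manifest had (no privilege escalation, read-only root filesystem, non-root UID/GID, dropped capabilities) now exists only in the Argo Application values. Any other install of this chart runs the container with the runtime defaults. Move those settings into the chart defaults here and let the Application override them only where needed. While doing so, consider adding `runAsNonRoot: true` and `seccompProfile: {type: RuntimeDefault}`, which neither the old manifest nor the new values set.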


@ -1,96 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: miniflux-deployment
namespace: apps-roboces
labels:
app.kubernetes.io/name: miniflux
app.kubernetes.io/managed-by: argo
app.kubernetes.io/version: 2.2.13
annotations:
kube-score/ignore: pod-networkpolicy,deployment-has-host-podantiaffinity
spec:
selector:
matchLabels:
app.kubernetes.io/name: miniflux
replicas: 3
strategy:
rollingUpdate:
maxSurge: 50%
maxUnavailable: 50%
type: RollingUpdate
template:
metadata:
labels:
app.kubernetes.io/name: miniflux
app.kubernetes.io/version: 2.2.13
spec:
containers:
- name: miniflux
image: miniflux/miniflux:2.2.13
imagePullPolicy: Always
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 10000
runAsGroup: 10000
capabilities:
drop:
- all
resources:
requests:
cpu: 300m
memory: 300Mi
ephemeral-storage: 2Gi
limits:
cpu: 400m
memory: 500Mi
ephemeral-storage: 4Gi
livenessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 5
timeoutSeconds: 15
successThreshold: 1
failureThreshold: 3
periodSeconds: 10
readinessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 15
timeoutSeconds: 2
successThreshold: 1
failureThreshold: 3
periodSeconds: 10
envFrom:
- secretRef:
name: miniflux
env:
- name: RUN_MIGRATIONS
value: '1'
- name: CREATE_ADMIN
value: '1'
- name: OAUTH2_PROVIDER
value: oidc
- name: OAUTH2_REDIRECT_URL
value: https://feeds.roboces.dev/oauth2/oidc/callback
- name: OAUTH2_OIDC_DISCOVERY_ENDPOINT
value: https://auth.fukurokuju.dev/application/o/miniflux/
- name: OAUTH2_USER_CREATION
value: '1'
- name: FETCH_YOUTUBE_WATCH_TIME
value: '1'
- name: WORKER_POOL_SIZE
value: '1'
- name: POLLING_FREQUENCY
value: '120'
- name: BATCH_SIZE
value: '25'
- name: METRICS_COLLECTOR
value: '1'
- name: METRICS_ALLOWED_NETWORKS
value: 10.42.1.0/16
restartPolicy: Always
automountServiceAccountToken: false


@ -1,21 +0,0 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: miniflux
namespace: apps-roboces
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
ingressClassName: traefik
rules:
- host: feeds.roboces.dev
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: miniflux-service
port:
number: 8888


@ -1,11 +0,0 @@
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: miniflux-pdb
namespace: apps-roboces
spec:
selector:
matchLabels:
app.kubernetes.io/name: miniflux
maxUnavailable: 1


@ -1,10 +1,9 @@
# yamllint disable rule:line-length
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: miniflux
annotations:
sealedsecrets.bitnami.com/cluster-wide: 'true'
name: miniflux-secrets
namespace: apps-roboces
spec:
encryptedData:
@ -15,6 +14,5 @@ spec:
OAUTH2_CLIENT_SECRET: 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
template:
metadata:
creationTimestamp: null
name: miniflux
name: miniflux-secrets
namespace: apps-roboces
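Review bot: The SealedSecret appears to be renamed to `miniflux-secrets` in both `metadata.name` and `template.metadata.name`, yet the Application values in this commit still pass `secret.existingSecretName: miniflux`, which the Deployment template uses for `envFrom.secretRef.name`. If the rename is the new side (the `+`/`-` markers are lost on this page), the pods will reference a Secret that is no longer generated and fail to start; set `existingSecretName: miniflux-secrets` or keep the old name. The ciphertext lines are unchanged, so the renamed object only unseals if it was sealed with the `sealedsecrets.bitnami.com/cluster-wide` scope. That scope allows the same ciphertext to be unsealed under any name in any namespace, so re-sealing for the new name with the default strict scope would be tighter.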


@ -1,19 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: miniflux-service
namespace: apps-roboces
labels:
app.kubernetes.io/name: miniflux
app.kubernetes.io/managed-by: argo
app.kubernetes.io/version: 2.2.13
spec:
selector:
app.kubernetes.io/name: miniflux
type: LoadBalancer
ports:
- name: miniflux-service
protocol: TCP
port: 8888
targetPort: 8080