
Commit 928cc92

committed
chore: k8s stuff that doesn't suck
1 parent 094cd07 commit 928cc92

45 files changed

Lines changed: 644 additions & 494 deletions


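--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,5 @@
+creation_rules:
+- path_regex: "^k8s/.*\\.sops\\.yaml$"
+encrypted_regex: "^(data|stringData)$"
+age: >-
+age1694wse79axvlhlll9te66wqx0xzqcwu0age2dewtdfv9mu07jfxq0wmlzr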
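Review bot: The creation rule encrypts to a single age recipient, so every person and system that has to decrypt these files (developers, CI, whatever applies the manifests) must hold the same private key, and removing one holder means rotating that key and re-encrypting every file. The `age` field accepts a comma-separated list of recipients; giving each holder its own recipient lets one be dropped with `sops updatekeys` without sharing key material. Because `path_regex` matches by file name only, a CI check that rejects any `kind: Secret` manifest under `k8s/` without the `.sops.yaml` suffix would also guard against a misnamed file being committed unencrypted.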

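--- a/k8s/00-namespace.yaml
+++ b/k8s/00-namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+name: canister
+labels:
+name: canister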
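Review bot: The new namespace carries no Pod Security Admission labels, so pods in `canister` are admitted at whatever level the cluster default allows, which is `privileged` unless the admission configuration was changed. Consider adding `pod-security.kubernetes.io/enforce: baseline` next to the existing label, and moving to `restricted` once the workloads declare a securityContext. The `name: canister` label duplicates the `kubernetes.io/metadata.name` label that the API server sets on every namespace; keep it only if a selector elsewhere depends on it.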

k8s/api/1-config.yaml

Lines changed: 0 additions & 14 deletions
This file was deleted.

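--- a/k8s/api/1-secret.sops.yaml
+++ b/k8s/api/1-secret.sops.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+data:
+CANISTER_API_ENDPOINT: ENC[AES256_GCM,data:XWga+SR+lyGGMJHfedU5AhhthWi3UmLf4WzopvWLZtVr2x+9,iv:3AsoPcb6NEqHaLSCZH+hbX6mTV9QxGDPpIngf+GUV+0=,tag:YGJu9NPr9nTRegVuwoIZqQ==,type:str]
+CANISTER_DATABASE_URL: ENC[AES256_GCM,data:28lblbnR9v7ALaF1Q7tj+/eJMUG0m621QodfuNx9L3axYaWMvnMUQBFCCEWHiJQ7gjjgXFwHhaqk5rAGHvyAHeFkYJa/mB8BZC8cotOCdNksdBDMXB31ujfHKt2OI9qaccWYmS1zFmLxDR3XtPu6og==,iv:d0NRJK2otYs2FVYxIUQG06lgrv6JX8G9KyRUCFr0Ypo=,tag:2e9Jzh3oNpaHBKxlEgoaRg==,type:str]
+CANISTER_DOCS_ENDPOINT: ENC[AES256_GCM,data:avKQE2qX8XsqmRAGdnsljN0bKn83x3FAuZrxDe7GufY=,iv:sxCIFS6bK69k69gBEomfqNQl97bkwAx8z35uD5N7OKY=,tag:K18gM8vNW12mx2v1vUD5UQ==,type:str]
+CANISTER_META_CODE: ENC[AES256_GCM,data:pmwBVRM5UHw=,iv:9wF70RKIUQSh1ii8Wyn+H92bgKoMBuXmZ4a6JXFmRhQ=,tag:S9zvAjHja0h+iDgvRL2w2g==,type:str]
+CANISTER_META_COPYRIGHT: ENC[AES256_GCM,data:lxLKqQIQYX9LR6pJAMyIONZfrLl9Ne/NV+ss4FGuT3w=,iv:3tEb+0VrexgVZUTnOVZM8VgnVAHgJlyUK1qCZBBOFM4=,tag:O6onxiyxuqMDE6Ho1UAuvg==,type:str]
+CANISTER_META_EMAIL: ENC[AES256_GCM,data:AVcvKa8jvk4cH42rnhlDmeJjlaAYhSJ3j6+T7A==,iv:AtWeMbN++S31XGuWzPDo/zCiJJwWQ6Qxc5s67M2sJKI=,tag:wZC5aiKP8kvfYZgCAu4FUg==,type:str]
+CANISTER_META_NAME: ENC[AES256_GCM,data:dRZlmq4lf/v+H0XO,iv:3MgrhHTHbj4BbOrdF2HnrnNvFykGysi73ILWhHkTweI=,tag:RPv+216SSTNE4Xtw/E+ehA==,type:str]
+CANISTER_OPENAPI_ID: ENC[AES256_GCM,data:NAPqJGGvoFcfCqrSw6hS+NIMv+CuEVQs9EEv3mTz85zhP3/G48ScMOH9NjDha4Qo,iv:faIUHbtwmaDWrrMSJFILLQ1jm2aEObo6pq883+psK74=,tag:1ZxLM9ZWQwM8p03LF3PO7A==,type:str]
+CANISTER_OPENAPI_TOKEN: ENC[AES256_GCM,data:npFzAMfugU3Z3wiIy2zhAHBM7Ohnl7oDxrr1VhXJIpFolJ2YCNKKdho0yu4=,iv:ns4LJixvCEy5Q/C0dUXideSm/RD5JXPctOFp2ivsKM0=,tag:8t71PychccNtYiI4j8Ww3A==,type:str]
+CANISTER_PIRACY_URL: ENC[AES256_GCM,data:adLDVccrH/w90WRCU296yc27vsvc37p9D0496ARiLftTEAqClpEswpk1biBC+Oo7XFAQqKWPs/8LfhsCN9eJ0Cmc37c=,iv:g6/bdTImHBZKBVBpKZ9vtPg4NixH2bKdhG0kgFcod5E=,tag:G5BNxs8jJY+yxfGLdLqheA==,type:str]
+CANISTER_PRIVACY_ENDPOINT: ENC[AES256_GCM,data:NmZf34boMbA5idsJrpJitMOvTgWrKEDW177KUq5ZpWd4SJZJ,iv:kEcT7qf3XQT+O0PRNm1XxiCy4WGVTpvr97YjWrR7e/8=,tag:YJ7P/07MJ92JIOERfr1b8w==,type:str]
+CANISTER_PRIVACY_UPDATED: ENC[AES256_GCM,data:b2xff9f+w6JqMNzuGVV0/g==,iv:bAAG+dP5edbYDrqLDX2/AxmLEVrMRcrNXBYX28dlrHs=,tag:HrQFlkBlQxgKn2xCxQNLRg==,type:str]
+CANISTER_SENTRY_DSN: ENC[AES256_GCM,data:0Z9Obd5zvJjzCa8OdEoWwFkjawvY0USGmyS0UKwcK7Oik1Tx4dXfH5nyeHurB5fnB3m4oKqCECV2A8i2rrUugXQpXLh/cD64jrAFgdlKl22Gx5KSJa04W/zleyYQ8wXcAVDX3gzz9xv9wMJ0ob0aGA==,iv:YJvfguYpRefw6Hnwmf2Noo3SyRa0CwPEFrUwO0C5j7k=,tag:Wv2kB2LUasTZvlXToz10uQ==,type:str]
+CANISTER_TYPESENSE_API_KEY: ENC[AES256_GCM,data:cjVqeX6IqjE=,iv:XC838vbNcklDWM8WMWH9Hsg3Ai1fGcZpg6TUdduk3Sw=,tag:ZY2QKeL4iyfWVGcIeEnLCA==,type:str]
+CANISTER_TYPESENSE_URL: ENC[AES256_GCM,data:1lLMKz5smgDgLw81fyVTm8lXWqfP3fVWCG3gK4xbpU4u9JqRXEe4tQ==,iv:4wqjAKy1TM2B/C653odcyigncEHBR29nIsoM1vaLr5k=,tag:Atu1eHr5ga5oErlPj7+iqA==,type:str]
+CANISTER_VECTOR_URL: ENC[AES256_GCM,data:AKNMbp1ZOtJcU1liND6ZDWkG3JwSV9hW,iv:3Iw6HHWMELAcCdsgJDTe8INFJ/Hoh/OyOPJtWJRK5Sw=,tag:pDojRGhtO+vlayQCBC0f3A==,type:str]
+kind: Secret
+metadata:
+name: api-kv
+namespace: canister
+type: Opaque
+sops:
+age:
+- recipient: age1694wse79axvlhlll9te66wqx0xzqcwu0age2dewtdfv9mu07jfxq0wmlzr
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHUlpBbi9Yck91Mk9CaUVs
+d1VyMnF1T2FiRERxWTN2WVd6R0pCQUMzNnowCkZNTlVEY29Jd3NFcWhvZHlIV3d3
+a1A2Z25nbVJTbUhXYmNRcnJrVmtSNlkKLS0tIGR0TVNxWmw4elFPK0JpbkE1bTBO
+aWtBLzF5YXZDQ2cvK2ZKTTZubjVRWjAKYi4uIQfsv2xHVImEPSch4sUQsVnsxQOR
+TWyliRnaMUKzujf0w1KWCTxAPV9HEcFv95nRSgLsAimk54oGdCjnZA==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2026-05-22T15:16:34Z"
+mac: ENC[AES256_GCM,data:LQxq8JFddHtFVZgsTXSRfO1bYY/+v8G/yDIgO8GJCDP2N2tw86w3hO7G9q4OHtSIJtCWO55t0fNpcr+lcUQRwF8QyW/mEdqo8snMXLea5mI1IryyWY2CShsxMQU48sVsD2yWY5P1rAlrjvmR4hCZjbUePZCstt+FYjmYufVHGXs=,iv:keSfisudbb3D4D/aO+DV6kl8CBkner0E4EvIMIqtQLM=,tag:QCaw3nkl0IMM1dmWRR0sxw==,type:str]
+encrypted_regex: ^(data|stringData)$
+version: 3.10.2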
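Review bot: sops does not hide value lengths, because AES-GCM ciphertext is as long as its plaintext, and the `data:` fields of `CANISTER_TYPESENSE_API_KEY` and `CANISTER_META_CODE` are only 8 bytes long. If the Typesense key is a real credential rather than a placeholder, rotate it to a long random value now that the ciphertext is committed to the repository. It would also help review to keep only real credentials here and move non-sensitive entries such as `CANISTER_META_NAME`, `CANISTER_META_COPYRIGHT` and the endpoint URLs to a ConfigMap (presumably what the deleted `1-config.yaml` held), so changes to them appear as readable diffs rather than ciphertext.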

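--- a/k8s/api/2-deployment.yaml
+++ b/k8s/api/2-deployment.yaml
@@ -3,8 +3,15 @@ kind: Deployment
 metadata:
 name: api
 namespace: canister
+labels:
+app: com.tale.canister.api
 spec:
 replicas: 2
+strategy:
+type: RollingUpdate
+rollingUpdate:
+maxSurge: 1
+maxUnavailable: 0
 selector:
 matchLabels:
 app: com.tale.canister.api
@@ -13,19 +20,37 @@ spec:
 labels:
 app: com.tale.canister.api
 spec:
-restartPolicy: Always
 containers:
-- name: api
-image: ghcr.io/cnstr/api:latest
-imagePullPolicy: Always
-ports:
 - name: api
-containerPort: 3000
-env:
-- name: POD_NAME
-valueFrom:
-fieldRef:
-fieldPath: metadata.name
-envFrom:
-- secretRef:
-name: api-kv
+image: ghcr.io/cnstr/api:latest
+imagePullPolicy: Always
+ports:
+- name: http
+containerPort: 3000
+env:
+- name: POD_NAME
+valueFrom:
+fieldRef:
+fieldPath: metadata.name
+envFrom:
+- secretRef:
+name: api-kv
+readinessProbe:
+httpGet:
+path: /v2/healthz
+port: 3000
+initialDelaySeconds: 5
+periodSeconds: 10
+livenessProbe:
+httpGet:
+path: /v2/healthz
+port: 3000
+initialDelaySeconds: 15
+periodSeconds: 20
+resources:
+requests:
+cpu: 100m
+memory: 128Mi
+limits:
+cpu: 500m
+memory: 512Mi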
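Review bot: The rewritten container spec in the second hunk sets probes and resource limits but no `securityContext`, so the pod runs with the image's default user, a writable root filesystem and the default capability set while every `api-kv` value sits in its environment. A container-level block like the one sketched below would close that; `readOnlyRootFilesystem` may need an `emptyDir` for temporary files, which cannot be judged from this page. The image is also still the mutable `ghcr.io/cnstr/api:latest` with `imagePullPolicy: Always`, so any restart can pull different code; pinning a digest (`image: ghcr.io/cnstr/api@sha256:<digest>`) keeps rollouts reproducible and auditable. The top of the Deployment lies outside the hunk.

```yaml
containers:
  - name: api
    # … unchanged: image, ports, env, envFrom, probes, resources …
    securityContext:
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
          - ALL
      seccompProfile:
        type: RuntimeDefault
```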

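--- a/k8s/api/3-service.yaml
+++ b/k8s/api/3-service.yaml
@@ -3,9 +3,12 @@ kind: Service
 metadata:
 name: api
 namespace: canister
+labels:
+app: com.tale.canister.api
 spec:
-ports:
-- port: 3000
-targetPort: 3000
 selector:
 app: com.tale.canister.api
+ports:
+- name: http
+port: 3000
+targetPort: 3000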

k8s/api/4-ingress.yaml

Lines changed: 0 additions & 25 deletions
This file was deleted.

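--- a/k8s/api/6-httproute.yaml
+++ b/k8s/api/6-httproute.yaml
@@ -0,0 +1,20 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+name: api
+namespace: canister
+spec:
+parentRefs:
+- name: canister-gw
+namespace: envoy-gateway-system
+sectionName: https-canister
+hostnames:
+- api.canister.me
+rules:
+- matches:
+- path:
+type: PathPrefix
+value: /v2
+backendRefs:
+- name: api
+port: 3000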
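Review bot: This route attaches across namespaces to `canister-gw` in `envoy-gateway-system`, so which namespaces may bind `api.canister.me` is decided entirely by the `allowedRoutes` of the `https-canister` listener, which is not in the visible part of this commit. If that listener uses `namespaces.from: All`, any namespace in the cluster could attach a competing HTTPRoute for the same hostname; prefer `from: Selector` matching the `canister` namespace's label. The same applies to `k8s/api/7-httproute-proxy.yaml` and its `https-tale-api` listener. The `/v2` prefix also publishes `/v2/healthz`, the probe endpoint added in the Deployment, so confirm that it returns no internal detail.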

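--- a/k8s/api/7-httproute-proxy.yaml
+++ b/k8s/api/7-httproute-proxy.yaml
@@ -0,0 +1,26 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+name: api-proxy
+namespace: canister
+spec:
+parentRefs:
+- name: canister-gw
+namespace: envoy-gateway-system
+sectionName: https-tale-api
+hostnames:
+- api.tale.me
+rules:
+- matches:
+- path:
+type: PathPrefix
+value: /v4/canister-services
+filters:
+- type: URLRewrite
+urlRewrite:
+path:
+type: ReplacePrefixMatch
+replacePrefixMatch: /v2
+backendRefs:
+- name: api
+port: 3000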
Lines changed: 23 additions & 0 deletions
@@ -0,0 +1,23 @@
1+
apiVersion: v1
2+
kind: Secret
3+
metadata:
4+
name: cloudflare-api-token-secret
5+
namespace: cert-manager
6+
type: Opaque
7+
stringData:
8+
api-token: ENC[AES256_GCM,data:HIHlScUjitBV49D7uFJqrYBpjt1sqrxqijWzxXNAbx/4PEXkR2/BLB6D9aO0MFddY7hYdQg=,iv:TmsZVck/R0omy5AfrJTFuyJLFEHbborE/qe33aAwb88=,tag:1Mc+ilqIT7TCrHMLMnG+wQ==,type:str]
9+
sops:
10+
age:
11+
- recipient: age1694wse79axvlhlll9te66wqx0xzqcwu0age2dewtdfv9mu07jfxq0wmlzr
12+
enc: |
13+
-----BEGIN AGE ENCRYPTED FILE-----
14+
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwNUxZRHFnWTRLWmVnRU11
15+
d0FORXFlS1ZiVVN2eDZzbjBsbGVhS3B4ejFnClNXZ2pZKzEvTy8ra054eGdoaktW
16+
d1d5VjhtQmxad2RDTW45c3ZRdEdaR00KLS0tIGtWanFaMzNnWDlKVVVhQjE5YVFX
17+
YmU3ZGxRTC9xSG5GLzQzVnh6bHNLT0UK2pcZExXExQicMim75M2TCdzvPFJKoTMW
18+
YHMDR2vfcSJFP9zj0bMwbIVEdbKSJeJduBHwG/vyO7EUuSU5XzRlGg==
19+
-----END AGE ENCRYPTED FILE-----
20+
lastmodified: "2026-05-22T16:15:05Z"
21+
mac: ENC[AES256_GCM,data:SN/IKiZYiK21wimDU6HLrjRCzcsVQllpHAK6rsaZSTgMf8+CVdR7vehsNsEfOrWpanXBkxvPIIY3aljckdeXcinaWIig+W5GnnG1+YTsvzm1XU3rlcyNo45hl3mmOGjMlKZKE8WQ3mwOHKYS1AR6AiF84EIgsRSJozwQ69vBHMk=,iv:giX097khvRQbQzLiaWjVS+5IUs66DFCoYZNhUdB19yc=,tag:vwAMPqEjdAxdMvpIfSpj9Q==,type:str]
22+
encrypted_regex: ^(data|stringData)$
23+
version: 3.10.2
