diff --git a/infra/overlays/upc-dev/kustomization.yaml b/infra/overlays/upc-dev/kustomization.yaml
index fac7510..289efcc 100644
--- a/infra/overlays/upc-dev/kustomization.yaml
+++ b/infra/overlays/upc-dev/kustomization.yaml
@@ -4,6 +4,8 @@
 resources:
 - ../../base
 - vaultwarden-postgresql
 - vaultwarden
+- passwordpusher-postgresql
+- passwordpusher
 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster
diff --git a/infra/overlays/upc-dev/passwordpusher-postgresql/kustomization.yaml b/infra/overlays/upc-dev/passwordpusher-postgresql/kustomization.yaml
new file mode 100644
index 0000000..9734af9
--- /dev/null
+++ b/infra/overlays/upc-dev/passwordpusher-postgresql/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- passwordpusher-postgresql.yaml
diff --git a/infra/overlays/upc-dev/passwordpusher-postgresql/passwordpusher-postgresql.yaml b/infra/overlays/upc-dev/passwordpusher-postgresql/passwordpusher-postgresql.yaml
new file mode 100644
index 0000000..126f49e
--- /dev/null
+++ b/infra/overlays/upc-dev/passwordpusher-postgresql/passwordpusher-postgresql.yaml
@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: passwordpusher
+---
+
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: passwordpusher-postgresql
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+ labels:
+ app.kubernetes.io/name: passwordpusher-postgresql
+ app.kubernetes.io/part-of: security
+ app.kubernetes.io/managed-by: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+
+ source:
+ repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+ targetRevision: HEAD
+ path: infra/overlays/upc-dev/passwordpusher-postgresql/resources
+
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: passwordpusher
+
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ allowEmpty: false
+ syncOptions:
+ - CreateNamespace=true
+ - Validate=true
+ - ServerSideApply=true
+
+ ignoreDifferences:
+ - group: apps
+ kind: StatefulSet
+ jsonPointers:
+ - /spec/volumeClaimTemplates
diff --git a/infra/overlays/upc-dev/passwordpusher-postgresql/resources/kustomization.yaml b/infra/overlays/upc-dev/passwordpusher-postgresql/resources/kustomization.yaml
new file mode 100644
index 0000000..ff9e89d
--- /dev/null
+++ b/infra/overlays/upc-dev/passwordpusher-postgresql/resources/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- postgresql.yaml
+- passwordpusher-db-secret-sealed.yaml
+- passwordpusher-smtp-secret-sealed.yaml
diff --git a/infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-db-secret-sealed.yaml b/infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-db-secret-sealed.yaml
new file mode 100644
index 0000000..a761434
--- /dev/null
+++ b/infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-db-secret-sealed.yaml
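Review bot: The `passwordpusher` Namespace in passwordpusher-postgresql.yaml is owned twice — by the `kind: Namespace` manifest at the top of the file and again by `CreateNamespace=true` in `syncOptions` — and neither path gives it any labels, so a namespace hosting a credential-sharing app and its database gets no Pod Security Admission profile (assuming the cluster enforces PSA through namespace labels; confirm). Keep one owner: drop `CreateNamespace=true` here and carry the labels on the manifest, e.g. `pod-security.kubernetes.io/enforce: baseline` under `metadata.labels`, raising it to `restricted` once the StatefulSet in `resources/postgresql.yaml` runs non-root. `targetRevision: HEAD` on the `source` also means this database Application follows whatever the remote default branch points at; if that is intended, a one-line comment saying so would stop the next reader from "fixing" it.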
@@ -0,0 +1,17 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: passwordpusher-db-creds
+ namespace: passwordpusher
+spec:
+ encryptedData:
+ DATABASE_URL: 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
+ pgpassword: 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
+ pgusername: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: passwordpusher-db-creds
+ namespace: passwordpusher
diff --git a/infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-smtp-secret-sealed.yaml b/infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-smtp-secret-sealed.yaml
new file mode 100644
index 0000000..80c6b67
--- /dev/null
+++ b/infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-smtp-secret-sealed.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: passwordpusher-smtp-creds
+ namespace: passwordpusher
+spec:
+ encryptedData:
+ PWP__MAIL_SMTP_PASSWORD: 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
+ PWP__MAIL_SMTP_USER_NAME: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: passwordpusher-smtp-creds
+ namespace: passwordpusher
diff --git a/infra/overlays/upc-dev/passwordpusher-postgresql/resources/postgresql.yaml b/infra/overlays/upc-dev/passwordpusher-postgresql/resources/postgresql.yaml
new file mode 100644
index 0000000..8bca15c
--- /dev/null
+++ b/infra/overlays/upc-dev/passwordpusher-postgresql/resources/postgresql.yaml
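Review bot: In passwordpusher-db-secret-sealed.yaml the database password is sealed twice in the same secret — once as `pgpassword` (read by the StatefulSet's `POSTGRES_PASSWORD`) and again embedded inside `DATABASE_URL` (consumed by the app through `envFrom`) — so a rotation that reseals one key and not the other leaves the two consumers disagreeing, with nothing in the YAML to flag it. Add a comment above `encryptedData` recording that invariant, e.g. `# pgusername/pgpassword MUST match the credentials embedded in DATABASE_URL — reseal all three together`. No scope annotation is set, so the values stay bound to this name and namespace under kubeseal's default strict scope, which is the right choice for credentials; keep it that way rather than loosening to namespace-wide or cluster-wide.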
@@ -0,0 +1,98 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: passwordpusher-postgresql
+ namespace: passwordpusher
+ labels:
+ app.kubernetes.io/name: postgresql
+ app.kubernetes.io/instance: passwordpusher
+ app.kubernetes.io/component: database
+spec:
+ type: ClusterIP
+ ports:
+ - name: tcp-postgresql
+ port: 5432
+ targetPort: tcp-postgresql
+ selector:
+ app.kubernetes.io/name: postgresql
+ app.kubernetes.io/instance: passwordpusher
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: passwordpusher-postgresql
+ namespace: passwordpusher
+ labels:
+ app.kubernetes.io/name: postgresql
+ app.kubernetes.io/instance: passwordpusher
+ app.kubernetes.io/component: database
+spec:
+ serviceName: passwordpusher-postgresql
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: postgresql
+ app.kubernetes.io/instance: passwordpusher
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: postgresql
+ app.kubernetes.io/instance: passwordpusher
+ app.kubernetes.io/component: database
+ spec:
+ containers:
+ - name: postgresql
+ image: postgres:16-alpine
+ ports:
+ - name: tcp-postgresql
+ containerPort: 5432
+ env:
+ - name: POSTGRES_USER
+ valueFrom:
+ secretKeyRef:
+ name: passwordpusher-db-creds
+ key: pgusername
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: passwordpusher-db-creds
+ key: pgpassword
+ - name: POSTGRES_DB
+ value: passwordpusher
+ - name: PGDATA
+ value: /var/lib/postgresql/data/pgdata
+ volumeMounts:
+ - name: data
+ mountPath: /var/lib/postgresql/data
+ livenessProbe:
+ exec:
+ command:
+ - sh
+ - -c
+ - pg_isready -U "$POSTGRES_USER" -d passwordpusher
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ readinessProbe:
+ exec:
+ command:
+ - sh
+ - -c
+ - pg_isready -U "$POSTGRES_USER" -d passwordpusher
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ resources:
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ limits:
+ cpu: 500m
+ memory: 512Mi
+ volumeClaimTemplates:
+ - metadata:
+ name: data
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 2Gi
diff --git a/infra/overlays/upc-dev/passwordpusher/kustomization.yaml b/infra/overlays/upc-dev/passwordpusher/kustomization.yaml
new file mode 100644
index 0000000..46f0c33
--- /dev/null
+++ b/infra/overlays/upc-dev/passwordpusher/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- passwordpusher.yaml
diff --git a/infra/overlays/upc-dev/passwordpusher/passwordpusher.yaml b/infra/overlays/upc-dev/passwordpusher/passwordpusher.yaml
new file mode 100644
index 0000000..89a24be
--- /dev/null
+++ b/infra/overlays/upc-dev/passwordpusher/passwordpusher.yaml
@@ -0,0 +1,43 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: passwordpusher
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "1"
+ labels:
+ app.kubernetes.io/name: passwordpusher
+ app.kubernetes.io/part-of: security
+ app.kubernetes.io/managed-by: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+
+ sources:
+ - repoURL: https://pglombardo.github.io/passwordpusher-charts
+ chart: password-pusher
+ targetRevision: "1.4.4"
+ helm:
+ releaseName: passwordpusher
+ valueFiles:
+ - $values/infra/values/base/passwordpusher-values.yaml
+ - $values/infra/values/upc-dev/passwordpusher-values.yaml
+
+ - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+ targetRevision: HEAD
+ ref: values
+
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: passwordpusher
+
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ allowEmpty: false
+ syncOptions:
+ - CreateNamespace=true
+ - Validate=true
+ - ServerSideApply=true
diff --git a/infra/values/base/passwordpusher-values.yaml b/infra/values/base/passwordpusher-values.yaml
new file mode 100644
index 0000000..f168a30
--- /dev/null
+++ b/infra/values/base/passwordpusher-values.yaml
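Review bot: The StatefulSet pod in `resources/postgresql.yaml` has no pod- or container-level `securityContext` and does not set `automountServiceAccountToken: false`, so the `postgres:16-alpine` container starts as root with the default service-account token mounted (the template `spec:` goes straight to `containers:`). The official image runs as its unprivileged `postgres` user when the data volume's group is set via `fsGroup`; the lines below add that plus a capability drop, and it is a prerequisite for any `restricted` PSA level on the namespace. Separately, the Service is a plain `ClusterIP` with no NetworkPolicy alongside it, so every pod in the cluster can reach 5432 — an ingress policy limited to the PasswordPusher pods would close that. Pinning the image by digest rather than the floating `16-alpine` tag is also worth doing, since `selfHeal` will not notice an upstream retag.
```yaml
    spec:
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 70      # the image's `postgres` user (alpine variant) — confirm against the image
        runAsGroup: 70
        fsGroup: 70
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: postgresql
        image: postgres:16-alpine
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        # … unchanged: ports, env, volumeMounts, probes, resources …
```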
@@ -0,0 +1,7 @@
+image:
+ repository: docker.io/pglombardo/pwpush
+ tag: "release-1.51.0"
+
+# Disable the bundled postgresql subchart — we run our own StatefulSet
+postgresql:
+ enabled: false
diff --git a/infra/values/upc-dev/passwordpusher-values.yaml b/infra/values/upc-dev/passwordpusher-values.yaml
new file mode 100644
index 0000000..63c1b2c
--- /dev/null
+++ b/infra/values/upc-dev/passwordpusher-values.yaml
@@ -0,0 +1,50 @@
+env:
+ PWP__HOST_DOMAIN: pwpush.forteapps.net
+ PWP__HOST_PROTOCOL: https
+ PWP__ENABLE_LOGINS: "true"
+ PWP__ALLOW_ANONYMOUS: "false"
+ PWP__SIGNUPS_ENABLED: "false"
+ PWP__MAIL_RAISE_DELIVERY_ERRORS: "false"
+ PWP__MAIL_SMTP_ADDRESS: smtp.office365.com
+ PWP__MAIL_SMTP_PORT: "587"
+ PWP__MAIL_SMTP_AUTHENTICATION: login
+ PWP__MAIL_SMTP_STARTTLS: "true"
+ PWP__MAIL_SMTP_DOMAIN: fortedigital.com
+ PWP__MAIL_SENDER: noreply@fortedigital.com
+
+envFrom:
+- secretRef:
+ name: passwordpusher-db-creds
+- secretRef:
+ name: passwordpusher-smtp-creds
+
+ingress:
+ enabled: true
+ className: traefik
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ gethomepage.dev/enabled: "true"
+ gethomepage.dev/name: "PasswordPusher"
+ gethomepage.dev/description: "Share passwords securely with expiring links"
+ gethomepage.dev/group: "Security"
+ gethomepage.dev/icon: "passwordpusher"
+ gethomepage.dev/href: "https://pwpush.forteapps.net"
+ hosts:
+ - host: pwpush.forteapps.net
+ paths:
+ - path: /
+ pathType: Prefix
+ tls:
+ - secretName: passwordpusher-tls
+ hosts:
+ - pwpush.forteapps.net
+
+resources:
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ limits:
+ cpu: 500m
+ memory: 512Mi
+
+replicaCount: 1
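Review bot: In the upc-dev values file, `envFrom` pulls every key of `passwordpusher-db-creds` into the app container, so `pgusername` and `pgpassword` — needed only by the StatefulSet — also land in the PasswordPusher process environment next to `DATABASE_URL`, widening what a crash dump, debug page or `kubectl exec` would reveal; a `secretRef` is all-or-nothing, so either move `DATABASE_URL` into its own secret or reference it with `env[].valueFrom.secretKeyRef` (if the chart's `env` accepts that form — confirm). The three flags `PWP__ENABLE_LOGINS`, `PWP__ALLOW_ANONYMOUS` and `PWP__SIGNUPS_ENABLED` decide who can create pushes on a public ingress and deserve a comment stating the intent, e.g. `# Invite-only instance: logins required, no anonymous pushes, accounts provisioned by an admin`. The string-quoted booleans and `"587"` are correct here, since they must reach the container as env-var strings, not YAML scalars.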