Forte/launchpad
6
0
Fork 0
Code Issues Pull Requests Actions Packages Wiki Activity

Compare commits

base: Forte:21fb50ba00b4e3dcfa5580c0d7ba0e503fece89c
Branches Tags
Forte:main Forte:fix/drop-duplicate-keycloak-secret Forte:feature/dns01 Forte:feat/forte-drop-infra Forte:feature/ppusher Forte:feature/chibisafe Forte:hotfix/backup Forte:feature/vault-migration Forte:feature/hashicorp-vault Forte:feature/homepage Forte:feature/argocd-rbac Forte:feature/argocd-tls Forte:feature/multi-cloud Forte:feature/karpor Forte:feature/backstage Forte:feature/ai-review Forte:gitea-pages Forte:feature/gitea-docs Forte:feature/multicluster Forte:feature/secret-syncing Forte:feature/smtp Forte:renovate/configure
..
compare: Forte:feat/forte-drop-infra
Branches Tags
Forte:main Forte:fix/drop-duplicate-keycloak-secret Forte:feature/dns01 Forte:feat/forte-drop-infra Forte:feature/ppusher Forte:feature/chibisafe Forte:hotfix/backup Forte:feature/vault-migration Forte:feature/hashicorp-vault Forte:feature/homepage Forte:feature/argocd-rbac Forte:feature/argocd-tls Forte:feature/multi-cloud Forte:feature/karpor Forte:feature/backstage Forte:feature/ai-review Forte:gitea-pages Forte:feature/gitea-docs Forte:feature/multicluster Forte:feature/secret-syncing Forte:feature/smtp Forte:renovate/configure

43 Commits
21fb50ba00 ... feat/forte

Author SHA1 Message Date
Sten
94c7924e65 docs(infra): pg backup & restore runbook for forte-drop
All checks were successful
AI Code Review / ai-review (pull_request) Successful in 5s
Details 
Covers: nightly backup mechanism, listing backups, manual trigger,
full restore procedure (2-pod mc-download + psql-pipe), verification,
object-data note, and a disaster-scenario recovery table.
 2026-05-29 10:31:09 +02:00
Sten
dd9819bdbe feat(infra): drop in-cluster minio, add pg backup + PVC protection
All checks were successful
AI Code Review / ai-review (pull_request) Successful in 7s
Details 
PROD: object storage moves to UpCloud Managed Object Storage (existing
drops bucket) instead of single-node in-cluster MinIO — durable,
UpCloud-replicated, no PVC to back up.

- Remove forte-drop-minio StatefulSet entirely.
- Add forte-drop-pg-backup CronJob: nightly pg_dump -> gzip -> upload to
  s3://drops/_pgbackups/ (collision-proof prefix), 30-day retention.
  Reuses forte-drop-secrets S3 creds (app user has s3:* on drops).
- PVC prune/delete protection on the postgres volumeClaimTemplate.
 2026-05-29 09:28:51 +02:00
Sten
178bf8cc78 fix(infra): un-own forte-drop namespace from postgres app
All checks were successful
AI Code Review / ai-review (pull_request) Successful in 6s
Details 
Follow-up to 47d1f1e — the previous commit only updated postgres'
securityContext; this drops the explicit Namespace resource as the
Codex review flagged. Both apps still get the namespace created via
syncOptions: CreateNamespace=true.
 2026-05-28 16:13:31 +02:00
Sten
47d1f1ec39 fix(infra): drop bad postgres securityContext + un-own shared namespace
All checks were successful
AI Code Review / ai-review (pull_request) Successful in 6s
Details 
Address Codex review on PR #17:

[P1] Postgres official image's entrypoint requires root to chown a
fresh PVC, then drops to the postgres user via gosu. Forcing
runAsNonRoot+runAsUser=999 blocks the chown and initdb fails on a
fresh volume. Drop the securityContext; matches the existing
vaultwarden-postgresql pattern.

[P2] The forte-drop namespace was declared as a managed resource
in the postgres Application. Since minio lives in the same
namespace from a separate Application, an Argo prune of the pg
app would delete the namespace and cascade-delete minio. Remove
the Namespace resource; rely on syncOptions: CreateNamespace=true
on both apps (already set).
 2026-05-28 16:13:08 +02:00
Sten
69848e42f0 fix(infra): pin minio/mc tags + add postgres securityContext + harden bootstrap script
All checks were successful
AI Code Review / ai-review (pull_request) Successful in 15s
Details 
Address ai-review feedback on PR #17:
- Pin quay.io/minio/minio and mc to specific RELEASE tags (Renovate
  will bump). 'latest' is unpredictable in GitOps.
- Bootstrap script: set -e -> set -euo pipefail.
- Postgres container: runAsNonRoot, uid/gid 999, drop ALL caps,
  no privilege escalation. Matches PSS restricted profile.
 2026-05-28 16:05:48 +02:00
Sten
416615a9e0 feat(infra): add forte-drop sealed secrets
All checks were successful
AI Code Review / ai-review (pull_request) Successful in 5s
Details 
Pg and minio credentials sealed against upc-dev sealed-secrets-controller.
 2026-05-28 15:56:24 +02:00
Sten
3ce93017f9 feat(infra): forte-drop postgres + minio for upc-dev
All checks were successful
AI Code Review / ai-review (pull_request) Successful in 34s
Details 
Two new ArgoCD Applications:
- forte-drop-postgresql: in-cluster Postgres 16 StatefulSet, 5Gi PVC,
  POSTGRES_DB=drops, creds from forte-drop-pg-creds SealedSecret.
- forte-drop-minio: in-cluster MinIO StatefulSet, 20Gi PVC, bootstrap
  Job creates the 'drops' bucket post-sync, creds from
  forte-drop-minio-creds SealedSecret.

Both live in namespace 'forte-drop'. Mirrors the Vaultwarden pattern.

Sealed secrets are added in a follow-up commit by the maintainer:
  kubeseal --fetch-cert > pub.pem
  kubeseal --cert pub.pem --format yaml < private/forte-drop-pg-creds.yaml > \
    infra/overlays/upc-dev/forte-drop-postgresql/resources/forte-drop-pg-creds-sealed.yaml
  kubeseal --cert pub.pem --format yaml < private/forte-drop-minio-creds.yaml > \
    infra/overlays/upc-dev/forte-drop-minio/resources/forte-drop-minio-creds-sealed.yaml
 2026-05-28 14:33:19 +02:00
Danijel Simeunovic
0582cd9917 policy 2026-05-27 23:23:21 +02:00
Danijel Simeunovic
c49d03d7f7 onlySSO 2026-05-16 23:04:11 +02:00
Danijel Simeunovic
d47dba2ae5 signups 2026-05-16 22:12:04 +02:00
Danijel Simeunovic
cf9eb47ecf script fix 2026-05-16 22:08:56 +02:00
Danijel Simeunovic
3eca723f05 diffs 2026-05-16 22:05:02 +02:00
Danijel Simeunovic
f36996da11 script fix 2026-05-16 21:57:44 +02:00
Danijel Simeunovic
6bf7db21d0 registrar error 2026-05-16 21:55:44 +02:00
Danijel Simeunovic
2641d55784 scopes 2026-05-16 21:53:36 +02:00
Danijel Simeunovic
117297effc sso vw 2026-05-16 21:47:59 +02:00
Danijel Simeunovic
fda90f9e01 adminToken enc 2026-05-16 21:34:34 +02:00
Danijel Simeunovic
1124377d97 adminToken 2026-05-16 21:29:14 +02:00
Danijel Simeunovic
c0710b89bb no signup 2026-05-16 21:15:38 +02:00
Danijel Simeunovic
d7bda18aea domain 2026-05-16 21:11:17 +02:00
Danijel Simeunovic
2796e1b9d3 name 2026-05-16 21:09:04 +02:00
Danijel Simeunovic
d7a0c26117 icon 2026-05-16 21:08:36 +02:00
Danijel Simeunovic
693f2f9168 homepage 2026-05-16 21:07:29 +02:00
Danijel Simeunovic
2509ef062c domain restriction 2026-05-16 20:58:00 +02:00
Danijel Simeunovic
957757e557 host 2026-05-16 20:51:44 +02:00
Danijel Simeunovic
070799da05 bitw 2026-05-16 20:49:25 +02:00
Danijel Simeunovic
1a2817e537 domain fix 2026-05-16 20:42:17 +02:00
Danijel Simeunovic
b47b0035f5 smtp auth 2026-05-16 20:38:21 +02:00
Danijel Simeunovic
d3fac4d43e smtp port 2026-05-16 20:34:22 +02:00
Danijel Simeunovic
c37bd3ef04 from 2026-05-16 20:30:32 +02:00
Danijel Simeunovic
ad661ba3dd allow signup 2026-05-16 20:27:36 +02:00
Danijel Simeunovic
a9625f96e6 db secrets 2026-05-16 20:23:58 +02:00
Danijel Simeunovic
cb64edc927 cleanup 2026-05-16 20:18:48 +02:00
Danijel Simeunovic
ac1c242fb9 kust 2026-05-16 20:17:14 +02:00
Danijel Simeunovic
4b29c07fd6 secret 2026-05-16 20:15:37 +02:00
Danijel Simeunovic
52732626e5 ignorediffs 2026-05-16 20:10:19 +02:00
Danijel Simeunovic
8634436dd4 StatefulSet 2026-05-16 20:07:17 +02:00
Danijel Simeunovic
a8baa169e9 secrets vw 2026-05-16 20:00:22 +02:00
Danijel Simeunovic
73ef3a6e12 pg fix 2026-05-16 19:49:38 +02:00
Danijel Simeunovic
302705d374 icon 2026-05-16 19:45:19 +02:00
Danijel Simeunovic
f3286ef77e homepage vw 2026-05-16 19:44:17 +02:00
Danijel Simeunovic
74f4f86770 vw apps 2026-05-16 19:34:42 +02:00
Danijel Simeunovic
f2c56156bf vw postgres 2026-05-16 18:10:14 +02:00
22 changed files with 663 additions and 88 deletions
Expand all files Collapse all files

40
cluster-resources/policies/label-checker.yaml
View File

@@ -1,40 +0,0 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-labels
annotations:
policies.kyverno.io/title: Require Labels
policies.kyverno.io/category: Best Practices
policies.kyverno.io/minversion: 1.6.0
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod, Label
policies.kyverno.io/description: Define and use labels that identify semantic attributes of your application or Deployment. A common set of labels allows tools to work collaboratively, describing objects in a common manner that all tools can understand. The recommended labels describe applications in a way that can be queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.
spec:
validationFailureAction: Audit
background: true
rules:
- name: check-for-labels
skipBackgroundRequests: true
exclude:
any:
- resources:
namespaces:
- kube-system
- istio-system
- argocd
- cert-manager
- monitoring
- secrets
- kyverno
match:
any:
- resources:
kinds:
- Pod
validate:
message: The label `app.kubernetes.io/name` is required.
allowExistingViolations: true
pattern:
metadata:
labels:
app.kubernetes.io/name: "?*"

10
docs/REFERENCE.md
View File

@@ -1074,7 +1074,7 @@ dind:
**Configuration**:
```yaml
# infra/overlays/upc-dev/vaultwarden/ + infra/values/
domain: "https://vaultwarden.forteapps.net"
domain: "https://bitwarden.forteapps.net"
ingress:
enabled: true
@@ -1087,6 +1087,7 @@ ingress:
database:
type: postgresql
host: vaultwarden-postgresql # StatefulSet in overlay
existingSecret: prod-db-creds
storage:
@@ -1096,11 +1097,16 @@ storage:
**TLS**: cert-manager auto-provisions Let's Encrypt certificate via `letsencrypt-prod` ClusterIssuer (same pattern as Gitea, Grafana, etc).
**SSO**: Keycloak OIDC via `forte` realm (client ID: `vaultwarden`). Self-service client config Secret (`keycloak-client-vaultwarden`) triggers registrar to create KC client and sync credentials to `vaultwarden-oidc-credentials`. PKCE enabled.
**Endpoints**:
- Web UI: `https://bitwarden.forteapps.net`
**Database**: Separate ArgoCD Application `vaultwarden-postgresql` (sync-wave `"0"`) deploys PostgreSQL 16 StatefulSet + SealedSecret before Vaultwarden (wave `"1"`). 2Gi PVC. Chart does NOT include a PostgreSQL subchart — must be provisioned separately.
**Secrets**:
- `prod-db-creds` — PostgreSQL credentials + SMTP credentials
- `prod-db-creds` (SealedSecret) — PostgreSQL credentials (`pgusername`, `pgpassword`) + SMTP credentials
- `vaultwarden-oidc-credentials` (registrar-managed) — OIDC client ID + secret
- `vaultwarden-tls` — auto-managed by cert-manager
### AI Code Review (ai-review)

4
infra/base/keycloak/keycloak.yaml
View File

@@ -43,10 +43,6 @@ spec:
- ServerSideApply=true
ignoreDifferences:
- group: batch
kind: CronJob
jsonPointers:
- /spec/jobTemplate/spec/template/spec/containers/0/args
- group: apps
kind: StatefulSet
jsonPointers:

143
infra/overlays/upc-dev/forte-drop-postgresql/RESTORE.md Normal file
View File

@@ -0,0 +1,143 @@
# forte-drop Postgres — backup & restore runbook
## What gets backed up
A CronJob (`forte-drop-pg-backup`, namespace `forte-drop`) runs nightly at **02:00 UTC**:
1. `pg_dump` of the `drops` database → gzip.
2. Upload to **UpCloud Managed Object Storage**: `s3://drops/_pgbackups/forte-drop-<TS>.sql.gz`
(the `_pgbackups/` prefix is collision-proof: app slugs match `/^[a-z0-9][a-z0-9-]{0,62}$/`
and can never start with `_`).
3. Retention: dumps older than **30 days** are pruned.
S3 creds come from the `forte-drop-secrets` Secret (`S3_ENDPOINT` / `S3_KEY` / `S3_SECRET`).
Postgres creds from `forte-drop-pg-creds` (`pgusername` / `pgpassword`).
> **Object storage is the durable tier.** App data + DB backups both live in UpCloud
> Managed Object Storage (replicated by UpCloud). The in-cluster Postgres PVC is the
> live working copy; the nightly dump is the recovery point. The PVC carries
> `Prune=false,Delete=false` so ArgoCD never deletes it.
## Prerequisites
```bash
export KUBECONFIG=~/Downloads/dev-fd-no-svg1_kubeconfig.yaml
# Confirm the namespace + DB pod are up:
kubectl -n forte-drop get pods -l app.kubernetes.io/name=postgresql
```
## List available backups
```bash
# Run an ephemeral mc pod with the app's S3 creds:
kubectl -n forte-drop run mc-list --rm -it --restart=Never \
--image=quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z \
--overrides='{"spec":{"containers":[{"name":"mc","image":"quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z","command":["sh","-c","mc alias set obj \"$S3_ENDPOINT\" \"$S3_KEY\" \"$S3_SECRET\" >/dev/null && mc ls obj/drops/_pgbackups/"],"envFrom":[{"secretRef":{"name":"forte-drop-secrets"}}]}]}}'
```
## Manually trigger a backup (before risky changes)
```bash
kubectl -n forte-drop create job --from=cronjob/forte-drop-pg-backup pg-backup-manual-$(date +%s)
# Watch:
kubectl -n forte-drop get jobs -l app.kubernetes.io/component=backup
kubectl -n forte-drop logs -l app.kubernetes.io/component=backup --tail=40
```
## Restore a dump
> **Destructive.** This overwrites the live `drops` database. Take a fresh manual
> backup first (above) and confirm with whoever owns the data before proceeding.
### 1. Pick the dump to restore
List backups (above), choose `forte-drop-<TS>.sql.gz`.
### 2. Run a restore pod that pulls the dump and pipes it into Postgres
```bash
DUMP="forte-drop-20260530T020000Z.sql.gz" # <-- set to the chosen file
kubectl -n forte-drop run pg-restore --rm -it --restart=Never \
--image=postgres:16-alpine \
--overrides='{
"spec": {
"containers": [{
"name": "restore",
"image": "postgres:16-alpine",
"command": ["sh","-c","set -euo pipefail; \
apk add --no-cache curl >/dev/null; \
# download via mc is simpler — use a 2-step instead (see note). \
echo placeholder"],
"envFrom": [
{"secretRef":{"name":"forte-drop-pg-creds"}},
{"secretRef":{"name":"forte-drop-secrets"}}
]
}]
}
}'
```
**Simpler 2-pod approach (recommended — avoids cramming mc + psql in one image):**
```bash
DUMP="forte-drop-20260530T020000Z.sql.gz"
# (a) Download the dump from object storage to a local file:
kubectl -n forte-drop run mc-get --rm -it --restart=Never \
--image=quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z \
--overrides='{"spec":{"containers":[{"name":"mc","image":"quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z","command":["sh","-c","mc alias set obj \"$S3_ENDPOINT\" \"$S3_KEY\" \"$S3_SECRET\" >/dev/null && mc cat obj/drops/_pgbackups/'"$DUMP"'"],"envFrom":[{"secretRef":{"name":"forte-drop-secrets"}}]}]}}' \
> /tmp/$DUMP
# (b) Pipe it into the live Postgres via the service:
gunzip -c /tmp/$DUMP | kubectl -n forte-drop run pg-restore --rm -i --restart=Never \
--image=postgres:16-alpine \
--overrides='{"spec":{"containers":[{"name":"psql","image":"postgres:16-alpine","stdin":true,"command":["sh","-c","PGPASSWORD=\"$pgpassword\" psql -h forte-drop-postgresql.forte-drop.svc -U \"$pgusername\" -d drops"],"env":[{"name":"pgusername","valueFrom":{"secretKeyRef":{"name":"forte-drop-pg-creds","key":"pgusername"}}},{"name":"pgpassword","valueFrom":{"secretKeyRef":{"name":"forte-drop-pg-creds","key":"pgpassword"}}}]}]}}'
```
> The app's schema is created idempotently on boot (`CREATE TABLE IF NOT EXISTS` +
> `ALTER TABLE ... ADD COLUMN IF NOT EXISTS` in `src/repo/pg.ts`), and `pg_dump`
> output includes the data. For a clean restore into a fresh DB this just works.
> To restore over an existing DB with conflicting rows, drop/recreate the `drops`
> database first (coordinate downtime — scale the web Deployment to 0 during the
> restore so the app isn't writing).
### 3. Verify
```bash
kubectl -n forte-drop run pg-check --rm -it --restart=Never \
--image=postgres:16-alpine \
--env="PGPASSWORD=$(kubectl -n forte-drop get secret forte-drop-pg-creds -o jsonpath='{.data.pgpassword}' | base64 -d)" \
--command -- psql -h forte-drop-postgresql.forte-drop.svc -U drops -d drops \
-c "SELECT count(*) AS drops FROM drops;" -c "SELECT count(*) AS view_hits FROM view_hits;"
```
### 4. Bring the app back
```bash
# If you scaled web to 0 for the restore:
kubectl -n forte-drop scale deploy/forte-drop --replicas=2
```
## Object data (uploaded drop files)
Drop files live in `s3://drops/<slug>/...` in the same managed bucket. They are
**not** part of the pg backup (the dump only holds metadata). Object storage is
UpCloud-managed/replicated, so no separate file backup is configured. If a
file-level backup is later required, mirror the bucket to a second bucket/region:
```bash
mc mirror --overwrite obj/drops/ backup-target/drops-mirror/
```
(Exclude `_pgbackups/` from the app-data mirror if you split them.)
## Disaster scenarios
| Scenario | Recovery |
|---|---|
| Postgres pod crash / reschedule | StatefulSet reattaches the PVC; ~12 min downtime; no data loss. |
| PVC lost / corrupted | Recreate StatefulSet, restore latest nightly dump (above). Data since last dump is lost. |
| Accidental `drops` table data loss | Restore latest dump; or `pg_restore` a single table from a dump. |
| Namespace deleted | PVC has `Prune=false,Delete=false`; recreate Applications, PVC re-binds, app recovers. Backups in object storage are independent. |
| Object storage bucket lost | UpCloud-managed (replicated). If the IAM key is rotated, update `forte-drop-secrets` (re-seal). |

40
infra/overlays/upc-dev/forte-drop-postgresql/forte-drop-postgresql.yaml Normal file
View File

@@ -0,0 +1,40 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: forte-drop-postgresql
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "0"
labels:
app.kubernetes.io/name: forte-drop-postgresql
app.kubernetes.io/part-of: apps
app.kubernetes.io/managed-by: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
targetRevision: HEAD
path: infra/overlays/upc-dev/forte-drop-postgresql/resources
destination:
server: https://kubernetes.default.svc
namespace: forte-drop
syncPolicy:
automated:
prune: true
selfHeal: true
allowEmpty: false
syncOptions:
- CreateNamespace=true
- Validate=true
- ServerSideApply=true
ignoreDifferences:
- group: apps
kind: StatefulSet
jsonPointers:
- /spec/volumeClaimTemplates

4
infra/overlays/upc-dev/forte-drop-postgresql/kustomization.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- forte-drop-postgresql.yaml

14
infra/overlays/upc-dev/forte-drop-postgresql/resources/forte-drop-pg-creds-sealed.yaml Normal file
View File

@@ -0,0 +1,14 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: forte-drop-pg-creds
namespace: forte-drop
spec:
encryptedData:
pgpassword: AgBYokuQRCTmPGC8soB7n8W39nmSAZDTV97i77NmdMh5ndaZNtCtXxhMcpM2z8kaGv2tCWIh47dr38a5tGPZ0TsmeEQOF9Rbbtq1fyR7pJwT8S+N2Z2zu354wNWQlltEAVvTvthe2wTer/BpyRofeSZprxihmfNpuHUP8rLsnIXln5tOWDzJ8hnRWoYZFITaihC2qrJj/kFE0Rfdcmzt1tSq3jCB/rWijVaJF9XSh4rzQoqZDiUNjDPUjyERILw59JWU4zf9OKcqNHDnmpXBR4LSjLhd9waN6ElEzO4gGcVaHISKrTwewX1ONwPHDnw6lqkQObyBPx8aUsGzxLkUhNDtvIYDkB4BKWP5Qu4bNcSztIbrxi6l7Lr/DWC9qTbKm1/p83rc6r8VqRMURUyQg8/vBlCHOIUbZ8DM1OfNlMd8gvcSkaxEVIdCDUjguCvE3cGyG4cqv2unllZQ+9417WwLNJecT6x1EL3nQyAlK5c9vUIbcVyaFlbSUcGB7xmPgZrZ6/3RDyOH6Tmew1ssV9gLvdaehscUE0fjnnFnJpczkwdyxIOSNLIkjlWetCKEbhowJbzk05h3M2p6XQQOuNTnsYjAADMGD72GUgAQlY8KXmDELtv09KELcXbeYS4gABPpMrVmvZymq8lqQ13Py8o+cIqbrU5V86WxASTfQ5gMo/ymYabuhTBIapcnaKR1dFCCfu8deh5f2HJ6/1NjdWR+XvEshg+EF5OkTUInukX4vA==
pgusername: AgCs6vyQ8CIv5OneP/jMltIPGdZQbpq/BFmQM1mkBD61Ve+anzve5K0Gkg+zsNfbZf0pOPAXtu4C4aL1Lwv7gqpoe4Hp/UEb/X9uLfJ1b8ZitmM1XsPmmSiCskHjrc2BLkAvfrVIXkHc3LOY2uZ/E5stc6Ss2WFE8/uzzVXW0B8fdEK0criludQ8iwR1gypulEcDNomXgkK/1gmmCWosUcVv4jDMDhqBD+b9WYnBB6J73gUclWVMvYDFdNas2PuoRzu5Twc9TAZrTxN5lvLOXAonOo0YiUbUhEC83sfMWYDT5/9OxqcJhAxtgFe9j83MpCwLSwfeLZm7UsUapWDb60MxPJLGvoGD/ZOhkeYt/YCZYROa57TMslVIL5YU1KCiNWvtRjIqnvdiBxI7MRvPUfAoawS4ktT5PDhTTfrixFbaF95jul2kKBXV+OYB1UNsFhcCgZx9rzYRt4lNmBv4m4HeXIp3EYY8VlGLQ45BVVqjJ4QkISvb7ifQWH1aPMQllj+J3GwW0KJN0dEgsh1LT+C7W5I5mq461NOTF1eih/XRBeuPoLlgApxiGXvFCTx8lji2/JIdOaqcg29hdabSprxa0YMStChi2pbtHhRzAuFCp8mInGt8Q406vu67Y4/51yuwI40YeDVu0lf010TB+/v2Zy3OrNyjlqrD5JNynsLuRl3UhuAKC14Xhg/MiDLvTzfsYE8aog==
template:
metadata:
name: forte-drop-pg-creds
namespace: forte-drop

6
infra/overlays/upc-dev/forte-drop-postgresql/resources/kustomization.yaml Normal file
View File

@@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- postgresql.yaml
- forte-drop-pg-creds-sealed.yaml
- pg-backup-cronjob.yaml

93
infra/overlays/upc-dev/forte-drop-postgresql/resources/pg-backup-cronjob.yaml Normal file
View File

@@ -0,0 +1,93 @@
# Nightly logical backup of the forte-drop Postgres → UpCloud Managed Object Storage.
# Dumps to s3://drops/_pgbackups/ (the `_` prefix is collision-proof: app slugs match
# /^[a-z0-9][a-z0-9-]{0,62}$/ and can never start with `_`). Retains 30 days.
#
# Pod shape: initContainer pg_dump → shared emptyDir → mc upload + retention prune.
# Both images pinned. S3 creds reuse forte-drop-secrets (the app's UpCloud user has
# s3:* on the drops bucket). PG creds from forte-drop-pg-creds.
apiVersion: batch/v1
kind: CronJob
metadata:
name: forte-drop-pg-backup
namespace: forte-drop
labels:
app.kubernetes.io/name: postgresql
app.kubernetes.io/instance: forte-drop
app.kubernetes.io/component: backup
spec:
schedule: "0 2 * * *" # 02:00 UTC daily
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 3
failedJobsHistoryLimit: 3
jobTemplate:
spec:
backoffLimit: 2
template:
metadata:
labels:
app.kubernetes.io/name: postgresql
app.kubernetes.io/instance: forte-drop
app.kubernetes.io/component: backup
spec:
restartPolicy: Never
securityContext:
runAsNonRoot: true
runAsUser: 65532
fsGroup: 65532
volumes:
- name: work
emptyDir: {}
initContainers:
- name: dump
image: postgres:16-alpine
command:
- sh
- -c
- |
set -euo pipefail
TS=$(date -u +%Y%m%dT%H%M%SZ)
echo "dumping to /work/forte-drop-${TS}.sql.gz"
PGPASSWORD="$PGPASSWORD" pg_dump \
-h forte-drop-postgresql.forte-drop.svc \
-p 5432 -U "$PGUSER" -d drops \
--no-owner --no-privileges \
| gzip -9 > "/work/forte-drop-${TS}.sql.gz"
echo "dump complete: $(ls -lh /work/)"
env:
- name: PGUSER
valueFrom:
secretKeyRef: { name: forte-drop-pg-creds, key: pgusername }
- name: PGPASSWORD
valueFrom:
secretKeyRef: { name: forte-drop-pg-creds, key: pgpassword }
volumeMounts:
- name: work
mountPath: /work
containers:
- name: upload
image: quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z
command:
- sh
- -c
- |
set -euo pipefail
mc alias set obj "$S3_ENDPOINT" "$S3_KEY" "$S3_SECRET"
mc cp /work/*.sql.gz "obj/${S3_BUCKET}/_pgbackups/"
echo "uploaded. pruning backups older than 30d:"
mc rm --recursive --force --older-than 30d "obj/${S3_BUCKET}/_pgbackups/" || true
echo "backup retention pass complete"
env:
- name: S3_ENDPOINT
valueFrom:
secretKeyRef: { name: forte-drop-secrets, key: S3_ENDPOINT }
- name: S3_BUCKET
value: "drops"
- name: S3_KEY
valueFrom:
secretKeyRef: { name: forte-drop-secrets, key: S3_KEY }
- name: S3_SECRET
valueFrom:
secretKeyRef: { name: forte-drop-secrets, key: S3_SECRET }
volumeMounts:
- name: work
mountPath: /work

105
infra/overlays/upc-dev/forte-drop-postgresql/resources/postgresql.yaml Normal file
View File

@@ -0,0 +1,105 @@
apiVersion: v1
kind: Service
metadata:
name: forte-drop-postgresql
namespace: forte-drop
labels:
app.kubernetes.io/name: postgresql
app.kubernetes.io/instance: forte-drop
app.kubernetes.io/component: database
spec:
type: ClusterIP
ports:
- name: tcp-postgresql
port: 5432
targetPort: tcp-postgresql
selector:
app.kubernetes.io/name: postgresql
app.kubernetes.io/instance: forte-drop
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: forte-drop-postgresql
namespace: forte-drop
labels:
app.kubernetes.io/name: postgresql
app.kubernetes.io/instance: forte-drop
app.kubernetes.io/component: database
spec:
serviceName: forte-drop-postgresql
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: postgresql
app.kubernetes.io/instance: forte-drop
template:
metadata:
labels:
app.kubernetes.io/name: postgresql
app.kubernetes.io/instance: forte-drop
app.kubernetes.io/component: database
spec:
containers:
- name: postgresql
image: postgres:16-alpine
# NOTE: no securityContext. The official postgres image's entrypoint must
# start as root to chown a fresh /var/lib/postgresql/data, then drops to
# the postgres user (uid 70 in alpine) via gosu. Forcing runAsNonRoot here
# breaks initdb on a fresh PVC. Matches the vaultwarden-postgresql pattern.
ports:
- name: tcp-postgresql
containerPort: 5432
env:
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: forte-drop-pg-creds
key: pgusername
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: forte-drop-pg-creds
key: pgpassword
- name: POSTGRES_DB
value: drops
- name: PGDATA
value: /var/lib/postgresql/data/pgdata
volumeMounts:
- name: data
mountPath: /var/lib/postgresql/data
livenessProbe:
exec:
command:
- sh
- -c
- pg_isready -U "$POSTGRES_USER" -d drops
initialDelaySeconds: 30
periodSeconds: 10
readinessProbe:
exec:
command:
- sh
- -c
- pg_isready -U "$POSTGRES_USER" -d drops
initialDelaySeconds: 5
periodSeconds: 5
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
volumeClaimTemplates:
- metadata:
name: data
annotations:
argocd.argoproj.io/sync-options: Prune=false,Delete=false
spec:
accessModes:
- ReadWriteOnce
storageClassName: upcloud-block-storage-maxiops
resources:
requests:
storage: 5Gi

2
infra/overlays/upc-dev/kustomization.yaml
View File

@@ -2,7 +2,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../base
- vaultwarden-postgresql
- vaultwarden
- forte-drop-postgresql
# No patches needed — base already has "upc-dev" paths
# upc-dev is the default/base cluster

4
infra/overlays/upc-dev/vaultwarden-postgresql/kustomization.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- vaultwarden-postgresql.yaml

5
infra/overlays/upc-dev/vaultwarden-postgresql/resources/kustomization.yaml Normal file
View File

@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- postgresql.yaml
- vaultwarden-db-secret-sealed.yaml

98
infra/overlays/upc-dev/vaultwarden-postgresql/resources/postgresql.yaml Normal file
View File

@@ -0,0 +1,98 @@
apiVersion: v1
kind: Service
metadata:
name: vaultwarden-postgresql
namespace: vaultwarden
labels:
app.kubernetes.io/name: postgresql
app.kubernetes.io/instance: vaultwarden
app.kubernetes.io/component: database
spec:
type: ClusterIP
ports:
- name: tcp-postgresql
port: 5432
targetPort: tcp-postgresql
selector:
app.kubernetes.io/name: postgresql
app.kubernetes.io/instance: vaultwarden
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: vaultwarden-postgresql
namespace: vaultwarden
labels:
app.kubernetes.io/name: postgresql
app.kubernetes.io/instance: vaultwarden
app.kubernetes.io/component: database
spec:
serviceName: vaultwarden-postgresql
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: postgresql
app.kubernetes.io/instance: vaultwarden
template:
metadata:
labels:
app.kubernetes.io/name: postgresql
app.kubernetes.io/instance: vaultwarden
app.kubernetes.io/component: database
spec:
containers:
- name: postgresql
image: postgres:16-alpine
ports:
- name: tcp-postgresql
containerPort: 5432
env:
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: prod-db-creds
key: pgusername
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: prod-db-creds
key: pgpassword
- name: POSTGRES_DB
value: vaultwarden
- name: PGDATA
value: /var/lib/postgresql/data/pgdata
volumeMounts:
- name: data
mountPath: /var/lib/postgresql/data
livenessProbe:
exec:
command:
- sh
- -c
- pg_isready -U "$POSTGRES_USER" -d vaultwarden
initialDelaySeconds: 30
periodSeconds: 10
readinessProbe:
exec:
command:
- sh
- -c
- pg_isready -U "$POSTGRES_USER" -d vaultwarden
initialDelaySeconds: 5
periodSeconds: 5
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
volumeClaimTemplates:
- metadata:
name: data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi

20
infra/overlays/upc-dev/vaultwarden-postgresql/resources/vaultwarden-db-secret-sealed.yaml Normal file
View File

@@ -0,0 +1,20 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: prod-db-creds
namespace: vaultwarden
spec:
encryptedData:
DATABASE_URL: AgAy1d//kBevUqZxB5KAXd+qxm8QykNxp5J1QP7Y30XCpE8hldPXF+NIx3w0B0PUyMAVsa+JrBmCMtzgibddIJqqF2upu/8EYxJZNusrJPOi47g3VcZIg1WyxoFfffH6jwhzv69TE/T8WGBXmWbD2vr+XWjE24Q+lgwLut0mocVfihUjpuYq0WDjgJx7pqLnY1VatTwgSkAv1uRRVqdi7e1M5isDNEpdItCbEoWwdvZhG5JIMAA/2vecY4/vEne3cg46lJAkv4ueZNATG6DOXGgQgz6h7zCKSGS1xTfGr+4A2V2/vSYpQ/r8Td37mlseoBvwN4H5O+FgHrVREm7N6aafDariYd+ZfqUIGObsZIXhxhDmAM96pjtP8ehYVwq1srWTU+SUewEmwLFWhVP1UFnTB5vgIuOWoKjHlS7dSUpStpw2u7/mQ6vhRhEaDqY6cNzJgM9hipQM/pt5an7z4ovWVeAeK8InGzKU+uxOpv/oxmi9N54B+5O4DVZC+BIbFXchxDvqivRcZrTK+CNjHjkk4We5MvN0qlhSuCYOGzEVaQ192yHciDoncw58D7fG4NicT2AcCJDVIwRGG05wqKal7g61g7Qg16oqdZIauKIU7ChSgBk7Xv33biZ4ZPe+JoSEmp9izJ8R7yyNO3KJgqH7iQ2UQzXDUqhfTr6w/oIdFST8sQtEIo7o1Z5JoXpzd4R1gVkcPWqtbbB22iRrDJsofeW+yvgGqyZLsWT2bKuDMLUn3GiqvaHaeQ9AbhNBnl6Qth3X8heBm2Zle1xxapFktisPwBQC7FDlukgvkiAOO7BywVI0+ITU4KLLOAftVqHmZ4fgDDqNFg8=
SMTP_PASSWORD: AgCbhM99+DbSTCcuxtcccOrZq99GjR51B5SkW6DNxz1jW2q4lgc6o21+gHEGGAamRDg/mWyu2UBBNgEzrW024558qP6SjVPwJclWhNZHyL4R4MCA0kv/kqNa43na2j3pq7kzT0MrqPAXD8IJrtYPxr+ngiuo7MCRef/TzEfwbwK+KgkeB1g+9ErwHWr5tU1B+3yAn5tfNeHmGFrLX230mra2ie+ntNx9kn80mb5TYoJ/mSaX7wv4bqZGEHkg7isXrMoMROXLBepCvP0zi3ta+SKJjHy73TvhKSzo7/ZHxapHw3oaazdpKJobeolWB7SziWsbXfT0gYYim3LrcieQeb7hhN3OAvSYx1Z/3UefEE1o3GFEzK1UV9ISwU/mBjMDZWyM7dK9lSbuPGvbpKU1jjP8qZWQP5v2SIT6Nb5TQgNeATdO3RkjoviqRzjJfpuu+oe5paXNeEIUSTskL7HuUjWj13DX1zDqQWTR1/Tb9ntxRtgIoAl2ymDsOednurnJeX71OJ3G++Oc8b5P2EkNQuEwaYb9raNHqZkCXeRpQVyEGIUh9sAGZUplUJSues/Jw25WuFoNBfMi/F022Mkvfnp/s0J+QrMIxSRvqiWS+7hODknvE3Zf2DI+DKClWxspfv084DAkOSV1Lq9fqNy/bKoJR/5MVHmxbW6teza6zXBnwn2nk+2DZ8IU20P15aVdtKR2zG9u8hnrqWrTQHTdvzb34WKjC0km4/MaIGKvboyw
SMTP_USERNAME: AgCijAuSvlGeMME1FyPXQdOTGKktyXfT8tjBK/ozt3X8O5hebFVvM61hNLDQTe9V/O/NLw6P1wbV4V+wtztqLs9TPDyq9L3D9JUEDjh97gWxVf7nFf8/d24F0PJoR8srKp3onb7+Rx02318RUp+gp7YsXbK6YBfkaOsoD08UgrFY3ARnP4eIirRICNCdouPgKkh038yAWcQDA20GBN2faJlQSejS4cr8WAa/ME1fRe40Q4tewgiX7hK5BWjt2eoovLrPzcHvbgTbfjwUWvmeiSicnF+VLrc3M56aKML2xuAggBk4vKtla/Af1pJfjv+Ut2z6VzECfIth12yQa6kIvKOE8aa3o/6oKLRJQRO8rQOOmLiInR+jQxrOmYw+OzkON07nBIeBon7nKYSIMiBt68kXKWJ9ZDexF7WGOHsFgUo4hA/z/c/Ccg6XHgxFt7uXZYLyziihQXy33zIsvu0rXOaczT5j3NJIhO60jz2Q8ig9JuWhd7+Dnd9EFMC0WJOM9kjpxeSjg4MYjH7VGnnEDF2GAQTlwDn5HwZJXRQFHfdCiHS5CCpfmak9MtIC9uoIsbPAnEhdTC20wDvIGlR5O4JGlQRyirKKmCdT1MJt8zi5d+EVQiicVZLGGD6nsqCNchvFYcx+glMYqWWsmyS6M+uVaYa/Fb/n+0QR6GNCF3Qi7voMJf2bFxFDk78fk76MG919XPQVAG/FPliNyWJJ7gEM+j/rDYuSrul14duV
adminToken: AgCVSgRK39WksTX6GogBvMZtPMd4XzMFkKSPhjTCm8pllzuc88pS2LXHxyGDWVLf+GZXRTCNrf5JLPst8/GTvOX17J9scRAjmhoyVVgzFNbcqGI/czLf9vH6JnhorMmUHxS+kWBm3oLZjhW3f/9vq0xzSbut87VDsyenaK4EcFLrYnfVRlMrwxL9oxPPTeB+Wah/uGoyLNfc7MMLK+/sUma4RO61VJ8YvmLUnwYNFosUcbF2B9hXMSzKKCJ+ihXYIdNIz2YWdMmj7a3D+Mor5x4jIjC+tunT4Zge5L1mx0i92KPgPkP48jKxayIZ/FxnYej+ggU6PmdYD1B6wgUbgLQV6ccwysjHce7ICvGWiM+PozFWI1qEVKqtNgp3kwInThD63Hyub9Euj0g/SE/nZcwy8DuIEhsLpLSdvxDT2lCps0VdXcb01kuta/3i4vgozSBvdIL1FrQKPLqF5+6ZEQ6BdZDkgxVqQ845WZoGbfqIyI03BMvsx/8HB5c+0Y0w0C6DRpEW55T9yRTZqzvqWUOpXy5/L2Nc9G4PCUK3lY0QPIFlPCBDl+cKgfP/XvKhMFcFpwp/Ssd0o+RhgOMBHJ5qk7RxAN1k2Y6Tkros39eUKWbM6UQ97LjrAdLcgJKX86ZkEChdeeKOnSxRmqHFXx5m4Wa6syixjipeQPwybCYQA9TgNBv0lToA7gi+lcVvXkoAgYIeB9Cp0j8UVEwdgvwWp8YgkpuWhPCAafhboH8qGhHhVfKADmlB05vUItZ0eoEVv7D9SqUTFueUmoZXwo67uyMLZhQo7eGr9+k8hiesCoEm11HCTa4DvF9zE54zgkyt0TMsKAEKmX47zJwnw76zidZC/K9e
pgpassword: AgCeQLwzajVBHW+o1ZSAcfbcJXny5K7UxxMfjud0j3hm9qx3TlLaFJrNoWd4XCuHAW1Ybl23ynWm+8kpXfZv95bXGkl0jZIm989MlAJQYKcaSTdhIM6Bkl3Cbr8kTVj2yrylGPJ96QISKNoiV7IetU82t8f21kxjyrNwt4lQEwWRFjW45jozb32qFXRkTioJ1WKaeJkyRSHWn7nLVitqZ4QjZzoN9AC7cUDOY/FffEiz7QRYSf6xaVPqQfCeH6QVtfmwtU5qNTcthOW0+/LQKpkg8i2nuoAsyOe7tsOYCENbDGkLckNTns2oPvDnH5eA8F5VDlnyJtROlwKjWfTC2zjazZynpA6cBH9XzX3Pg9P45G5HJ/4TVSUbTMCSVrbW8Ec+zdA2P4l3ytfVM2ER4N2/bQrUEVW2/ngDzhsKllmOPEN/M7b/VTed7U1xyJHsoT+AJEqVJO/vFBRxpI/ZacD+m5kWf3sp1SUWSgkUi+YWH8xuRurM2/kiUGwwUXu5ZMumjpMTkJBfX4NYRezq0DCsgaXdO2yI4xTfAysj78UikdU0PKyAXPcT8y55kJQ1jECszFauyeSYh0FpLu/XAmeB8dunlBqgISLszwnnman0/ThLeo96MFo6WPXoAeMTy8+GfTSH5tkmm8TVD7A+gRHprfFS66eY5Zi38OPU+VGRJS1J8yLSD2cNvCFR/sz1Br9VV7IySx1S+HvbEd7BwmdWrIoEcVUwIAD/U0Uxbw4sr7wLQ2wFQjDil4VItA==
pgusername: AgAcgel8GpdRVThE9i4EfFwcJYHEPnCyi4jHEaAltn4VMtub6hvhtH+ihxS97AhK6kgrTLEgtlfb07n1EZ3AK18A+ci9P5ulP0GgwMrMt1yxiHliqInvZPNb8vWC/2f2lZm7EFrBvYqMFRPV10YygtkW3Kku8h31l0xc2/DUKqZ2hMymIjx7hupabUOhnPJeF+IxVhTcsAa6SjhppX1ED0R/Im73pxTxbfLQETkHd5KcB4h6RLIPvuNiG5uftkPP8qjJqFIhNew+0IxMrsTzJbyLx90vqI6LHHtsrNDAsOHqWGnyZqIdkK+Bagm84VlpBfIdz8Fs0YqzBQaZts4+QXByzkcQZBDy11Hg9FCjdUVk3VgVLDQj+hL+aWTeJ0Iui4zW4LMSB0Dk0ZQeQa4BtwuDllky5GUA7sLmkbceAWymBNzNXSOeeAi1qfR6h6rNnh0x5yOnSN8soReNaCEYBSa8HjUamvuzu4yn+fKOJyI50QEJ7hKLXLaqyiNpa5bJw4FQvGM7qESkZW2BZLEvkq4mlKjzvSm891DozA44Zy1s/3CvytFsUtaWmquSvqqHWUxqEEemJ8zOCFXEYo1TjEfkYIUipM5KJ+PrpQGTgjdnL8FbAv3r3NG7DoucQtVeJJVeaBqOZcfEQw4Xz15grsdjggFunhmz+ZjWjgEwV4G/dCmeus3SBWJWLMOoPWCvBWrQZRQq9KVj
template:
metadata:
creationTimestamp: null
name: prod-db-creds
namespace: vaultwarden

46
infra/overlays/upc-dev/vaultwarden-postgresql/vaultwarden-postgresql.yaml Normal file
View File

@@ -0,0 +1,46 @@
apiVersion: v1
kind: Namespace
metadata:
name: vaultwarden
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: vaultwarden-postgresql
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "0"
labels:
app.kubernetes.io/name: vaultwarden-postgresql
app.kubernetes.io/part-of: security
app.kubernetes.io/managed-by: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
targetRevision: HEAD
path: infra/overlays/upc-dev/vaultwarden-postgresql/resources
destination:
server: https://kubernetes.default.svc
namespace: vaultwarden
syncPolicy:
automated:
prune: true
selfHeal: true
allowEmpty: false
syncOptions:
- CreateNamespace=true
- Validate=true
- ServerSideApply=true
ignoreDifferences:
- group: apps
kind: StatefulSet
jsonPointers:
- /spec/volumeClaimTemplates

21
infra/overlays/upc-dev/vaultwarden/keycloak-client-config.yaml Normal file
View File

@@ -0,0 +1,21 @@
apiVersion: v1
kind: Secret
metadata:
name: keycloak-client-vaultwarden
namespace: vaultwarden
labels:
keycloak.forteapps.net/client-config: "true"
stringData:
client.json: |
{
"clientId": "vaultwarden",
"name": "Vaultwarden",
"redirectUris": ["https://vaultwarden.forteapps.net/*"],
"webOrigins": ["https://vaultwarden.forteapps.net"],
"protocolMappers": [],
"secret": {
"namespace": "vaultwarden",
"name": "vaultwarden-oidc-credentials",
"keys": { "clientId": "client-id", "clientSecret": "client-secret" }
}
}

2
infra/overlays/upc-dev/vaultwarden/kustomization.yaml
View File

@@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- vaultwarden.yaml
- vaultwarden-db-secret-sealed.yaml
- keycloak-client-config.yaml

18
infra/overlays/upc-dev/vaultwarden/vaultwarden-db-secret-sealed.yaml
View File

@@ -1,18 +0,0 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: prod-db-creds
namespace: vaultwarden
spec:
encryptedData:
SMTP_PASSWORD: AgARC3vcVD2SC8GUry5SYylyiS39eKQUFAjqT4dpXQsoJX7QSLfd7Ta68BURg8Q5e2zWdzIl+nrUyBy/4TMXeHjSUhcfsH0RY2logMuTn96kV/V7YKm1Zw394hrJ3uroB7iFkf/TwiXuwFS1QvppxlpXNWVClHs+r0aW3vD2s7ViFxFqcPYGfNKlGvW2aLU6XER/TUXCffoSmHgl0wut5UaZEo+321AAaqcmk90Te/Pv4oU0SfFGn/+14zDR3VT4s6u8rgYQcSB23p2f3X3+8tCLgSLclyzSXAVfclMBYCuCtOzFjgXOQLoYfW3WW48KqsFKsoZsI/dop8L/y2P78xGJ5gYNiVcH6vEMfOr6wOTISyXqQIi3a/KZcNSY4ZZ7kH13aqru3Fpb4XAGjcmEEfWfOQ9IcPBj6Yh9pNOhxlQHPqXR9zrwx//iXdH2bsbEJ2vNHQhU9uc4t3dO1VnLO/icvMr3CFEuaB4mFDThVrPGOEi5s1YKPTHb1j8B92WSy6aNmNro0977cbbJs/linNox3rNa20kzQPfU2pdlC31vIcpMCM7vtUnx16QHyjUNe/whFqIbSG3mE19jbjIvGo0d7jhBWZYQin+m1MRv/Tv8VjzYe6FciIFX33pNTWkwkvFq+s8eQcyruWCe5hLlF361FklqXcSh1tMyqcfOScNRPxUPlWumkGPDmonULJPkmAs7eJmxKlvinrAPs8eiP7c/1SPW6FdMmxT7sq/27TII
SMTP_USERNAME: AgC1Zsv5l5Wbrq7VZC2U55+0/LQvZEbsmlxq2O5Z+Xp/admdqptEBGlLKEdIn7CmyBzvmrmWasmN4NJPJHoeLWn7SgsoULTu1UQ3W9kgcrXUJ52dwOrYLMJUxJuh+OD9HEJejfOMksc2rSM69I4NUc+NXaDSZOo+gzldWzBN7nCa778NcnMgJxVcT4gqjTIRB9EOrCo4f3ldFJzVJW7qNnxurN0UZQ51y+nj+4z2R+LvfOJ1BT5YQC+nmx80HVBMdQWK5WO4QdxCtenXfiFDNcGK3MK/Exd+kubOWse85CMt2dR0GWuIfIOp+t4XQXfb1pxhTibh/fGae9dD0RpSX1c8hobkpXaDJIYeb7ZQF5J6Zf68fgCn0YircY1hB4yF7uX5CQL1yv76M4tM9yuOn5FTJaIG6byWn/RsHZ7KPIUSd1mOce9ZqfTkKzvC/wfX45UMhPEsdXF9o67mAtOpdmBGrmeDD+7GwPwKXz3JgDovlGtzvLvMZ27+x1dpC8LrcAjcKXXGKczbs3L2Pc+tymd9dis36RvlFLEgQG32ffQu5vQXqGcoSEnlZ0l39qoU9EItkA5kp0isGiJI46hJtAdTTNr0roymvrfDyLXpAvXTQYaVMC7/8KVb2r3kIPKtnsDuU2A57ceiqtdWQgUarPn4F0O3SaCnprmTm2thgCgQOkW7BGlN3CCsVboZUIOlFr7CwTswB9ZI6tzOj2WsUOhriTfIuXv3kyrFCspo
pgpassword: AgB7F1Nvm2sjBOneDFux2mc/qni32jaq+KccTWkS7UZWWgA37owrE/XvDSOXZ0ZkrpBfhvCnsrh7/mbVnZYNWCd/GgxI2txnkp9MxW5JLpJiaZZmzznI229BgG9I08vg6ciuUS+bvRw9XJFD7SAmgeA3NaDKAHRNIhu3CFEKQJANity+pKHY1zK6gX6ubmllFtjEJg2pijM3EeSNuXdAFXZlsYIJMqFzlvQrb4MV7qeqsvW2qMeJBElMnas60l3JgeUYtsIwh6720m6FFKGXYQLm4cKbByC0M1C0/Nfwnd9j+xgIgyXharQFmgyp1qQBM+MAHxnHoHCE3V9cJqy1nCy33M16YYsZGOuAkHB9ks9I7NxGAKKjAIm5DccW7zbYINzTQKAUYIF/VhVosHv0thAHjfuH7fGzSmo9BHrLTQE3tO5RF40X2GgKFxP/R5lA+dCtR2QBNot0DaL2TEJoPc0czSYPY5y92FDOQ1j9jvcet18tkJN+bzCKwiG+BxtD0eH+tv1EAZTwvyl43xlU3E3RwWgSmOWcusMrn92fhsHwNFs9mMeeM8qeAVq4xUkatbKoijHm6q03tMgp2T6iT3EoVNLzWz+754mLQxt6serkBS8U7Mkxwpfitf64ANLaQyMF8t9Rao0c8Q/ZkIl9TEczbCPX3DvlnsoSPKDMWGB9gTzKbvvH0+Gcxxs+LZFigE7SQ20kYMlQpD8uo15ufWpMSGmFJxvto55fYgA0+wJmqe18ERy1QjxCqQYG7A==
pgusername: AgAvYmIjfz5UbstZli9gpc77rc+oAft7NYIHFrSClyV0Ugt6UU+icMMlLbU92roy7J9XUHuWoXoK5vh0y/XeF95ce1VJC0/zvMK2OXmpfERbyNvyCpwzCFtzYJ4LO7yOi8PAPstzuziqnvLt+GLCwk1enU+IWHI7G2A/qIeWEww5+Y5a4WevVrchp0Wh87PdJ88IT5EiF7qBT2ipbcSoB+Gon962nbw8+pnFedmRcUQcdOf0tQBBZOl5TUVJ6mn4WIY8u6/yOwACMlUXQ553rxXYwGKyTRjI0KbTWwpgeCJiqokyrw/RcShD6qJvZGePdq6rNmmkELOHCPo9z/WvXQIDHbuPldvcglyHuN2w4tsBcGukbmjitwS6wxYD0vp3er3FI9+0tRnD9zlkLiUpcaLi9Rrm7NPS/JP1dbGcHz7fJNXgbMZRGRx3DjV73Qnz6YHvOHT4g6BI2+9JytriRKSOJk/FlDCINgrO+6zMrbxKzBTW3+FK1cc41sJ9zClbV603wsMgtkmB1sZL4xcLmq5wOuk19uO9TsK0Xnf+ajuFUkQm42DVxtTZ9HObLnP8eygn1WiMDv3ks6W7HIpJTpc2YJVU/Pg/kTeQgBKS0JRTkzpJFPHV2UrkLTr0U6ToPYOb2SWBnPI+Lp3cTOeUsbKOylBzx4uUJGoZUL5pAorjd5tDHJhMyMm589m5J3mGMXuhXO1cWg80
template:
metadata:
creationTimestamp: null
name: prod-db-creds
namespace: vaultwarden

6
infra/overlays/upc-dev/vaultwarden/vaultwarden.yaml
View File

@@ -1,9 +1,3 @@
apiVersion: v1
kind: Namespace
metadata:
name: vaultwarden
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:

33
infra/values/base/keycloak-values.yaml
View File

@@ -505,10 +505,10 @@ extraDeploy:
CRED_SECRET_KEY=$(echo "$CLIENT_JSON" | jq -r '.secret.keys.clientSecret // "client-secret"')
# Check if credential Secret already exists in target namespace
CRED_EXISTS=$(curl -sf -o /dev/null -w "%{http_code}" \
CRED_EXISTS=$(curl -s -o /dev/null -w "%{http_code}" \
--cacert "$CA_CERT" \
-H "Authorization: Bearer ${SA_TOKEN}" \
"${K8S_API}/api/v1/namespaces/${CRED_NS}/secrets/${CRED_NAME}")
"${K8S_API}/api/v1/namespaces/${CRED_NS}/secrets/${CRED_NAME}" || echo "000")
# Skip if hash matches and credential Secret exists
if [ "$CONFIG_HASH" = "$EXISTING_HASH" ] && [ "$CRED_EXISTS" = "200" ]; then
@@ -528,44 +528,47 @@ extraDeploy:
publicClient: false,
redirectUris: .redirectUris,
webOrigins: .webOrigins,
defaultClientScopes: .defaultClientScopes,
protocolMappers: (.protocolMappers // [])
}')
} | with_entries(select(.value != null))')
# Check if client already exists
EXISTING=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
"${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
| jq -r '.[0].id // empty')
EXISTING_RESPONSE=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
"${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" || true)
EXISTING=$(echo "$EXISTING_RESPONSE" | jq -r '.[0].id // empty' 2>/dev/null || true)
if [ -n "$EXISTING" ]; then
echo " Updating existing Keycloak client (uuid: ${EXISTING})"
HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
RESPONSE=$(curl -s -w "\n%{http_code}" \
-H "Authorization: Bearer ${TOKEN}" \
-H "Content-Type: application/json" \
-X PUT -d "$KC_CLIENT" \
"${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${EXISTING}")
"${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${EXISTING}" || true)
HTTP_CODE=$(echo "$RESPONSE" | tail -1)
RESPONSE_BODY=$(echo "$RESPONSE" | sed '$d')
if [ "$HTTP_CODE" != "204" ] && [ "$HTTP_CODE" != "200" ]; then
echo " ERROR: Failed to update client '${CLIENT_ID}' (HTTP ${HTTP_CODE})"
echo " ERROR: Failed to update client '${CLIENT_ID}' (HTTP ${HTTP_CODE}): ${RESPONSE_BODY}"
annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/sync-status" "error"
continue
fi
CLIENT_UUID="$EXISTING"
else
echo " Creating new Keycloak client '${CLIENT_ID}'"
HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
RESPONSE=$(curl -s -w "\n%{http_code}" \
-H "Authorization: Bearer ${TOKEN}" \
-H "Content-Type: application/json" \
-X POST -d "$KC_CLIENT" \
"${KEYCLOAK_URL}/admin/realms/${REALM}/clients")
"${KEYCLOAK_URL}/admin/realms/${REALM}/clients" || true)
HTTP_CODE=$(echo "$RESPONSE" | tail -1)
RESPONSE_BODY=$(echo "$RESPONSE" | sed '$d')
if [ "$HTTP_CODE" != "201" ]; then
echo " ERROR: Failed to create client '${CLIENT_ID}' (HTTP ${HTTP_CODE})"
echo " ERROR: Failed to create client '${CLIENT_ID}' (HTTP ${HTTP_CODE}): ${RESPONSE_BODY}"
annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/sync-status" "error"
continue
fi
# Fetch the newly created client's UUID
CLIENT_UUID=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
CLIENT_UUID=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
"${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
| jq -r '.[0].id')
| jq -r '.[0].id' || true)
fi
# Sync credentials to target namespace

37
infra/values/upc-dev/vaultwarden-values.yaml
View File

@@ -1,6 +1,16 @@
adminToken:
existingSecret: "prod-db-creds"
existingSecretKey: "adminToken"
domain: "https://vaultwarden.forteapps.net"
signupsAllowed: false
resourceType: StatefulSet
database:
type: postgresql
host: vaultwarden-postgresql
port: "5432"
dbName: vaultwarden
existingSecret: prod-db-creds
existingSecretKey: DATABASE_URL
existingSecretUserKey: pgusername
existingSecretPasswordKey: pgpassword
ingress:
@@ -8,9 +18,15 @@ ingress:
class: "traefik"
tls: true
tlsSecret: vaultwarden-tls
hostname: bitwarden.forteapps.net
hostname: vaultwarden.forteapps.net
additionalAnnotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
gethomepage.dev/enabled: "true"
gethomepage.dev/name: "VaultWarden"
gethomepage.dev/description: "Password management"
gethomepage.dev/group: "Security"
gethomepage.dev/icon: "vaultwarden"
gethomepage.dev/href: "https://vaultwarden.forteapps.net"
replicas: 1
# Multi-Attach error for volume "pvc-102ec9a4-dccd-4cba-bb4b-650f7d934c81" Volume is already used by pod(s) vaultwarden-7f568875c7-m9cgs
@@ -23,8 +39,12 @@ service:
smtp:
host: smtp.office365.com
from: no-reply@forteapps.net
security: starttls
port: 587
authMechanism: "Login"
from: noreply@fortedigital.com
fromName: "Forte Bitwarden Administrator"
debug: true
existingSecret: prod-db-creds
username:
existingSecretKey: SMTP_USERNAME
@@ -47,3 +67,16 @@ storage:
path: /files
keepPvc: true
accessMode: "ReadWriteOnce"
sso:
enabled: true
existingSecret: vaultwarden-oidc-credentials
authority: "https://id.forteapps.net/realms/forte"
scopes: "email profile"
onlySSO: true
pkce: true
signupsMatchEmail: true
clientId:
existingSecretKey: client-id
clientSecret:
existingSecretKey: client-secret