Forte/launchpad
6
0
Fork 0
Code Issues Pull Requests Actions Packages Wiki Activity

Compare commits

base: Forte:feature/chibisafe
Branches Tags
Forte:main Forte:fix/drop-duplicate-keycloak-secret Forte:feature/dns01 Forte:feat/forte-drop-infra Forte:feature/ppusher Forte:feature/chibisafe Forte:hotfix/backup Forte:feature/vault-migration Forte:feature/hashicorp-vault Forte:feature/homepage Forte:feature/argocd-rbac Forte:feature/argocd-tls Forte:feature/multi-cloud Forte:feature/karpor Forte:feature/backstage Forte:feature/ai-review Forte:gitea-pages Forte:feature/gitea-docs Forte:feature/multicluster Forte:feature/secret-syncing Forte:feature/smtp Forte:renovate/configure
..
compare: Forte:7716d1657223c1ec2d8283838bb590a85dc0d510
Branches Tags
Forte:main Forte:fix/drop-duplicate-keycloak-secret Forte:feature/dns01 Forte:feat/forte-drop-infra Forte:feature/ppusher Forte:feature/chibisafe Forte:hotfix/backup Forte:feature/vault-migration Forte:feature/hashicorp-vault Forte:feature/homepage Forte:feature/argocd-rbac Forte:feature/argocd-tls Forte:feature/multi-cloud Forte:feature/karpor Forte:feature/backstage Forte:feature/ai-review Forte:gitea-pages Forte:feature/gitea-docs Forte:feature/multicluster Forte:feature/secret-syncing Forte:feature/smtp Forte:renovate/configure

2 Commits
feature/ch ... 7716d16572

Author SHA1 Message Date
Danijel Simeunovic
7716d16572 dns01 2026-05-28 09:28:29 +02:00
Danijel Simeunovic
0582cd9917 policy 2026-05-27 23:23:21 +02:00
12 changed files with 214 additions and 262 deletions
Expand all files Collapse all files

122
cluster-resources/letsencrypt-issuer.yaml
View File

@@ -12,6 +12,18 @@ spec:
privateKeySecretRef: privateKeySecretRef:
name: letsencrypt-staging-key name: letsencrypt-staging-key
solvers: solvers:
# DNS-01 solver for wildcard certificates (*.example.com)
- dns01:
cloudflare:
email: danijels@gmail.com
apiTokenSecretRef:
name: cloudflare-api-token-secret
key: api-token
selector:
dnsNames:
- '*.example.com'
- 'example.com'
# HTTP-01 fallback for non-wildcard certificates
- http01: - http01:
ingress: ingress:
class: traefik class: traefik
@@ -30,6 +42,116 @@ spec:
privateKeySecretRef: privateKeySecretRef:
name: letsencrypt-prod-key name: letsencrypt-prod-key
solvers: solvers:
# DNS-01 solver for wildcard certificates (*.example.com)
- dns01:
cloudflare:
email: danijels@gmail.com
apiTokenSecretRef:
name: cloudflare-api-token-secret
key: api-token
selector:
dnsNames:
- '*.example.com'
- 'example.com'
# HTTP-01 fallback for non-wildcard certificates
- http01: - http01:
ingress: ingress:
class: traefik class: traefik
# =============================================================================
# DNS PROVIDER EXAMPLES - Uncomment and configure based on your provider:
# =============================================================================
# -----------------------------------------------------------------------------
# Option 1: Cloudflare (recommended - supports API tokens with limited scope)
# -----------------------------------------------------------------------------
# Create secret with: kubectl create secret generic cloudflare-api-token-secret \
# --from-literal=api-token=YOUR_CLOUDFLARE_API_TOKEN -n cert-manager
#
# dns01:
# cloudflare:
# email: your-cloudflare-email@example.com
# apiTokenSecretRef:
# name: cloudflare-api-token-secret
# key: api-token
# -----------------------------------------------------------------------------
# Option 2: AWS Route53
# -----------------------------------------------------------------------------
# Create secret with: kubectl create secret generic route53-credentials \
# --from-literal=secret-access-key=YOUR_SECRET_KEY -n cert-manager
#
# dns01:
# route53:
# region: us-east-1
# hostedZoneID: ZXXXXXXXXXXXXX # Optional: auto-detected if not specified
# accessKeyID: YOUR_ACCESS_KEY_ID
# secretAccessKeySecretRef:
# name: route53-credentials
# key: secret-access-key
# -----------------------------------------------------------------------------
# Option 3: Azure DNS
# -----------------------------------------------------------------------------
# Create secret with: kubectl create secret generic azuredns-config \
# --from-literal=client-secret=YOUR_CLIENT_SECRET -n cert-manager
#
# dns01:
# azureDNS:
# subscriptionID: YOUR_SUBSCRIPTION_ID
# resourceGroupName: YOUR_RESOURCE_GROUP
# hostedZoneName: example.com
# environment: AzurePublicCloud
# managedIdentity:
# clientID: YOUR_MANAGED_IDENTITY_CLIENT_ID # For AKS with pod identity
# # OR use service principal:
# # clientID: YOUR_SERVICE_PRINCIPAL_CLIENT_ID
# # clientSecretSecretRef:
# # name: azuredns-config
# # key: client-secret
# -----------------------------------------------------------------------------
# Option 4: Google Cloud DNS
# -----------------------------------------------------------------------------
# Create secret with service account JSON key:
# kubectl create secret generic clouddns-service-account \
# --from-file=service-account.json=path/to/key.json -n cert-manager
#
# dns01:
# cloudDNS:
# project: YOUR_GCP_PROJECT_ID
# hostedZoneName: example-com # Managed zone name in Cloud DNS
# serviceAccountSecretRef:
# name: clouddns-service-account
# key: service-account.json
# -----------------------------------------------------------------------------
# Option 5: GoDaddy
# -----------------------------------------------------------------------------
# Requires external webhook: https://github.com/snowdrop/godaddy-webhook
#
# dns01:
# webhook:
# groupName: acme.yourcompany.com
# solverName: godaddy
# config:
# apiKeySecretRef:
# name: godaddy-api-credentials
# key: api-key
# apiSecretSecretRef:
# name: godaddy-api-credentials
# key: api-secret
# -----------------------------------------------------------------------------
# Option 6: Manual/Dynamic DNS (for homelab)
# -----------------------------------------------------------------------------
# Requires RFC2136 provider or external webhook
#
# dns01:
# rfc2136:
# nameserver: your-dns-server.example.com
# tsigKeyName: cert-manager-key
# tsigAlgorithm: HMACSHA256
# tsigSecretSecretRef:
# name: tsig-secret
# key: secret

40
cluster-resources/policies/label-checker.yaml
View File

@@ -1,40 +0,0 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-labels
annotations:
policies.kyverno.io/title: Require Labels
policies.kyverno.io/category: Best Practices
policies.kyverno.io/minversion: 1.6.0
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod, Label
policies.kyverno.io/description: Define and use labels that identify semantic attributes of your application or Deployment. A common set of labels allows tools to work collaboratively, describing objects in a common manner that all tools can understand. The recommended labels describe applications in a way that can be queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.
spec:
validationFailureAction: Audit
background: true
rules:
- name: check-for-labels
skipBackgroundRequests: true
exclude:
any:
- resources:
namespaces:
- kube-system
- istio-system
- argocd
- cert-manager
- monitoring
- secrets
- kyverno
match:
any:
- resources:
kinds:
- Pod
validate:
message: The label `app.kubernetes.io/name` is required.
allowExistingViolations: true
pattern:
metadata:
labels:
app.kubernetes.io/name: "?*"

92
cluster-resources/wildcard-certificate-example.yaml Normal file
View File

@@ -0,0 +1,92 @@
---
# Example: Wildcard Certificate for *.example.com
# This creates a certificate that covers ALL subdomains of example.com
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: wildcard-example-com
namespace: default # Change to your application's namespace
spec:
# The secret where the TLS certificate will be stored
secretName: wildcard-example-com-tls
# Use the production issuer (use letsencrypt-staging for testing)
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
# DNS names this certificate will cover
# Both wildcard AND apex domain are recommended
dnsNames:
- '*.example.com' # Covers: app.example.com, api.example.com, etc.
- 'example.com' # Also include apex domain explicitly
# Optional: Configure certificate duration and renewal
duration: 2160h0m0s # 90 days (Let's Encrypt default)
renewBefore: 720h0m0s # Renew 30 days before expiry
# Optional: Private key settings
privateKey:
algorithm: RSA
encoding: PKCS1
size: 4096
---
# Example: Using the wildcard certificate with a Traefik IngressRoute
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: app-ingress
namespace: default
spec:
entryPoints:
- websecure
routes:
# Match any subdomain - the wildcard cert covers all of them
- match: Host(`app.example.com`) || Host(`api.example.com`) || Host(`www.example.com`)
kind: Rule
services:
- name: my-service
port: 80
tls:
# Reference the secret created by the Certificate
secretName: wildcard-example-com-tls
---
# Example: Using wildcard certificate with standard Kubernetes Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: wildcard-ingress
namespace: default
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
spec:
tls:
- hosts:
- '*.example.com'
- 'example.com'
secretName: wildcard-example-com-tls
rules:
- host: app.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: app-service
port:
number: 80
- host: api.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: api-service
port:
number: 80

50
docs/REFERENCE.md
View File

@@ -1109,56 +1109,6 @@ storage:
- `vaultwarden-oidc-credentials` (registrar-managed) — OIDC client ID + secret - `vaultwarden-oidc-credentials` (registrar-managed) — OIDC client ID + secret
- `vaultwarden-tls` — auto-managed by cert-manager - `vaultwarden-tls` — auto-managed by cert-manager
### Chibisafe
**Chart**: `l4gdev/chibisafe`
**Version**: 0.1.1 (app latest)
**Namespace**: `chibisafe`
**Purpose**: Self-hosted file upload and sharing service.
**Configuration**:
```yaml
# infra/overlays/upc-dev/chibisafe/ + infra/values/
ingress:
enabled: true
className: "traefik"
hosts:
- host: chibisafe.forteapps.net
paths:
- path: /
pathType: Prefix
tls:
- secretName: chibisafe-tls
hosts:
- chibisafe.forteapps.net
persistence:
database:
enabled: true # SQLite, 1Gi
uploads:
enabled: true # User files, 10Gi
```
**Architecture**: Three-container pod — frontend (Next.js :8001), backend (API :8000), Caddy (reverse proxy :80). Auth sidecar injected via Kyverno policy (OIDC mode, port 9001).
**Ingress**: IngressRoute (not chart's built-in Ingress) targeting sidecar port 9001 directly. Chart's `ingress.enabled: false`. Separate cert-manager Certificate resource for TLS.
**Why IngressRoute**: Chart hardcodes Service `targetPort: http` → Caddy port 80. Cannot override via values. IngressRoute bypasses Service, routes directly to sidecar pod port.
**TLS**: cert-manager Certificate resource with `letsencrypt-prod` ClusterIssuer.
**Storage**: SQLite database (1Gi PVC) + uploads (10Gi PVC), both ReadWriteOnce — single replica only.
**SSO**: Keycloak OIDC via `forte` realm (client ID: `chibisafe`). Self-service client config Secret (`keycloak-client-chibisafe`) triggers registrar to create KC client and sync credentials to `chibisafe-oidc-credentials`.
**Endpoints**:
- Web UI: `https://chibisafe.forteapps.net`
**Secrets**:
- `chibisafe-tls` — auto-managed by cert-manager
- `chibisafe-oidc-credentials` (registrar-managed) — OIDC client ID + secret
### AI Code Review (ai-review) ### AI Code Review (ai-review)
**Type**: Gitea Actions workflow (`.gitea/workflows/ai-review.yaml`) **Type**: Gitea Actions workflow (`.gitea/workflows/ai-review.yaml`)

8
infra/overlays/upc-dev/chibisafe/auth-oidc-secret.yaml
View File

@@ -1,8 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: auth-oidc
namespace: chibisafe
type: Opaque
stringData:
cookie-secret: "gtwkoUMSp1wJa2o5Fo5CNByR8+kTocJOOuywuLexRO4="

43
infra/overlays/upc-dev/chibisafe/chibisafe.yaml
View File

@@ -1,43 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: chibisafe
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "1"
labels:
app.kubernetes.io/name: chibisafe
app.kubernetes.io/part-of: storage
app.kubernetes.io/managed-by: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
sources:
- repoURL: https://l4gdev.github.io/helm-charts
chart: chibisafe
targetRevision: "0.1.1"
helm:
releaseName: chibisafe
valueFiles:
- $values/infra/values/base/chibisafe-values.yaml
- $values/infra/values/upc-dev/chibisafe-values.yaml
- repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
targetRevision: HEAD
ref: values
destination:
server: https://kubernetes.default.svc
namespace: chibisafe
syncPolicy:
automated:
prune: true
selfHeal: true
allowEmpty: false
syncOptions:
- CreateNamespace=true
- Validate=true
- ServerSideApply=true

36
infra/overlays/upc-dev/chibisafe/ingressroute.yaml
View File

@@ -1,36 +0,0 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: chibisafe-tls
namespace: chibisafe
spec:
secretName: chibisafe-tls
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
dnsNames:
- chibisafe.forteapps.net
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: chibisafe
namespace: chibisafe
annotations:
gethomepage.dev/enabled: "false"
gethomepage.dev/name: "Chibisafe"
gethomepage.dev/description: "File upload & sharing"
gethomepage.dev/group: "Storage"
gethomepage.dev/icon: "chibisafe"
gethomepage.dev/href: "https://chibisafe.forteapps.net"
spec:
entryPoints:
- websecure
routes:
- match: Host(`chibisafe.forteapps.net`)
kind: Rule
services:
- name: chibisafe
port: 9001
tls:
secretName: chibisafe-tls

21
infra/overlays/upc-dev/chibisafe/keycloak-client-config.yaml
View File

@@ -1,21 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: keycloak-client-chibisafe
namespace: chibisafe
labels:
keycloak.forteapps.net/client-config: "true"
stringData:
client.json: |
{
"clientId": "chibisafe",
"name": "Chibisafe",
"redirectUris": ["https://chibisafe.forteapps.net/*"],
"webOrigins": ["https://chibisafe.forteapps.net"],
"protocolMappers": [],
"secret": {
"namespace": "chibisafe",
"name": "chibisafe-oidc-credentials",
"keys": { "clientId": "client-id", "clientSecret": "client-secret" }
}
}

7
infra/overlays/upc-dev/chibisafe/kustomization.yaml
View File

@@ -1,7 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- chibisafe.yaml
- keycloak-client-config.yaml
- ingressroute.yaml
- auth-oidc-secret.yaml

1
infra/overlays/upc-dev/kustomization.yaml
View File

@@ -2,7 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- ../../base - ../../base
- chibisafe
- vaultwarden-postgresql - vaultwarden-postgresql
- vaultwarden - vaultwarden

45
infra/values/base/chibisafe-values.yaml
View File

@@ -1,45 +0,0 @@
replicaCount: 1
frontend:
image:
repository: chibisafe/chibisafe
tag: "latest"
pullPolicy: IfNotPresent
backend:
image:
repository: chibisafe/chibisafe-server
tag: "latest"
pullPolicy: IfNotPresent
caddy:
image:
repository: caddy
tag: "2-alpine"
pullPolicy: IfNotPresent
persistence:
database:
enabled: true
size: 1Gi
accessModes:
- ReadWriteOnce
uploads:
enabled: true
size: 10Gi
accessModes:
- ReadWriteOnce
logs:
enabled: false
service:
type: ClusterIP
port: 80
networkPolicy:
enabled: false
podDisruptionBudget:
enabled: false

11
infra/values/upc-dev/chibisafe-values.yaml
View File

@@ -1,11 +0,0 @@
podAnnotations:
policies.forteapps.io/auth: "true"
policies.forteapps.io/auth-type: "oidc"
policies.forteapps.io/auth-oidc-authority: "https://id.forteapps.net/realms/forte"
policies.forteapps.io/auth-oidc-client-id: "chibisafe"
policies.forteapps.io/auth-oidc-callback-path: "https://chibisafe.forteapps.net/auth/callback"
policies.forteapps.io/auth-oidc-credentials-secret: "chibisafe-oidc-credentials"
# Ingress disabled — using IngressRoute to target sidecar port directly
ingress:
enabled: false