Adds memcached and openproject apps.

This commit is contained in:
2025-07-17 13:38:16 -07:00
parent bcf2bca715
commit 7250f08cc5
25 changed files with 876 additions and 47 deletions


@@ -0,0 +1,21 @@
---
# Source: openproject/templates/secret_core.yaml
apiVersion: "v1"
kind: "ConfigMap"
metadata:
name: "openproject-core"
data:
DATABASE_HOST: "{{ .apps.openproject.dbHostname }}"
DATABASE_PORT: "5432"
DATABASE_URL: "postgresql://{{ .apps.openproject.dbUsername }}@{{ .apps.openproject.dbHostname }}:5432/{{ .apps.openproject.dbName }}"
OPENPROJECT_SEED_ADMIN_USER_PASSWORD_RESET: "{{ .apps.openproject.adminPasswordReset }}"
OPENPROJECT_SEED_ADMIN_USER_NAME: "{{ .apps.openproject.adminUserName }}"
OPENPROJECT_SEED_ADMIN_USER_MAIL: "{{ .apps.openproject.adminUserEmail }}"
OPENPROJECT_HTTPS: "{{ .apps.openproject.https }}"
OPENPROJECT_SEED_LOCALE: "{{ .apps.openproject.seedLocale }}"
OPENPROJECT_HOST__NAME: "{{ .apps.openproject.domain }}"
OPENPROJECT_HSTS: "{{ .apps.openproject.hsts }}"
OPENPROJECT_RAILS__CACHE__STORE: "{{ .apps.openproject.cacheStore }}"
OPENPROJECT_RAILS__RELATIVE__URL__ROOT: "{{ .apps.openproject.railsRelativeUrlRoot }}"
POSTGRES_STATEMENT_TIMEOUT: "{{ .apps.openproject.postgresStatementTimeout }}"
...
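Review bot: The `# Source:` header on the second line names `secret_core.yaml`, but the resource is a ConfigMap, so the header points a reader at the wrong place for secrets; change it to `# Source: openproject/templates/configmap_core.yaml` (the memcached ConfigMap has the same problem, its header names `secret_memcached.yaml`). The keys here carry only non-secret connection and seed settings, which is the right split given that `OPENPROJECT_DB_PASSWORD` and the admin password are injected separately from `openproject-secrets`. A one-line comment under `data:` such as `# non-secret settings only; credentials come from the openproject-secrets Secret` would make that boundary explicit for the next person adding a key.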


@@ -0,0 +1,9 @@
---
# Source: openproject/templates/secret_memcached.yaml
apiVersion: "v1"
kind: "ConfigMap"
metadata:
name: "openproject-memcached"
data:
OPENPROJECT_CACHE__MEMCACHE__SERVER: "{{ .apps.openproject.memcachedHostname }}:{{ .apps.openproject.memcachedPort }}"
...


@@ -0,0 +1,51 @@
apiVersion: batch/v1
kind: Job
metadata:
name: openproject-db-init
labels:
component: db-init
spec:
template:
metadata:
labels:
component: db-init
spec:
containers:
- name: db-init
image: {{ .apps.postgres.image }}
command: ["/bin/bash", "-c"]
args:
- |
PGPASSWORD=${POSTGRES_ADMIN_PASSWORD} psql -h ${DB_HOSTNAME} -U postgres <<EOF
DO \$\$
BEGIN
IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '${DB_USERNAME}') THEN
CREATE USER ${DB_USERNAME} WITH ENCRYPTED PASSWORD '${DB_PASSWORD}';
ELSE
ALTER USER ${DB_USERNAME} WITH ENCRYPTED PASSWORD '${DB_PASSWORD}';
END IF;
END
\$\$;
SELECT 'CREATE DATABASE ${DB_DATABASE_NAME}' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = '${DB_DATABASE_NAME}')\gexec
ALTER DATABASE ${DB_DATABASE_NAME} OWNER TO ${DB_USERNAME};
GRANT ALL PRIVILEGES ON DATABASE ${DB_DATABASE_NAME} TO ${DB_USERNAME};
EOF
env:
- name: POSTGRES_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: postgres-secrets
key: password
- name: DB_HOSTNAME
value: "{{ .apps.openproject.dbHostname }}"
- name: DB_DATABASE_NAME
value: "{{ .apps.openproject.dbName }}"
- name: DB_USERNAME
value: "{{ .apps.openproject.dbUsername }}"
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: openproject-secrets
key: dbPassword
restartPolicy: OnFailure
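Review bot: psql exits 0 even when a statement in the heredoc fails unless `ON_ERROR_STOP` is set, so a failed `CREATE USER` or `CREATE DATABASE` still marks this Job succeeded and the seeder then runs against a missing role or database; the shell also runs without `set -e`. The role name, database name and password are spliced into the SQL text by shell expansion, so a `DB_PASSWORD` containing a single quote breaks the script, and any value stored in `openproject-secrets` is effectively interpreted as SQL rather than as a literal. Reading the values into psql variables and building the statements with `format()` keeps them as quoted identifiers/literals, and a quoted heredoc removes the need for the `\$\$` escaping (`\getenv` needs psql 15 or newer; on older images ``\set dbpass `printenv DB_PASSWORD` `` does the same). This container is also the only one in the commit without the hardened `securityContext` and `resources` that the Deployments and the seeder Job carry, which is worth aligning since it runs with the postgres superuser credentials.
```yaml
        args:
          - |
            set -euo pipefail
            PGPASSWORD="${POSTGRES_ADMIN_PASSWORD}" psql -h "${DB_HOSTNAME}" -U postgres -v ON_ERROR_STOP=1 <<'EOF'
            \getenv dbuser DB_USERNAME
            \getenv dbpass DB_PASSWORD
            \getenv dbname DB_DATABASE_NAME
            SELECT format('CREATE USER %I WITH ENCRYPTED PASSWORD %L', :'dbuser', :'dbpass')
              WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = :'dbuser')\gexec
            SELECT format('ALTER USER %I WITH ENCRYPTED PASSWORD %L', :'dbuser', :'dbpass')\gexec
            SELECT format('CREATE DATABASE %I', :'dbname')
              WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = :'dbname')\gexec
            SELECT format('ALTER DATABASE %I OWNER TO %I', :'dbname', :'dbuser')\gexec
            SELECT format('GRANT ALL PRIVILEGES ON DATABASE %I TO %I', :'dbname', :'dbuser')\gexec
            EOF
        # … unchanged: env, restartPolicy …
```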


@@ -0,0 +1,23 @@
---
# Source: openproject/templates/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: openproject
spec:
tls:
- hosts:
- "{{ .apps.openproject.domain }}"
secretName: "wildcard-wild-cloud-tls"
rules:
- host: "{{ .apps.openproject.domain }}"
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: openproject
port:
name: http
...
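Review bot: The Ingress sets no `ingressClassName`, so it is only served if the cluster has a default IngressClass, and it points at a fixed TLS secret `wildcard-wild-cloud-tls` that must already exist in the `openproject` namespace (kustomize sets that namespace); neither dependency is stated anywhere in the app. If both are conventions shared by this repo's other apps that is fine, but a comment above `tls:` such as `# wildcard-wild-cloud-tls is expected to exist in this namespace; provided by cluster setup, not by this app` would record it. The secret name could also be exposed through `defaultConfig` the way `domain` is, so it is not the one hard-coded value in an otherwise templated file.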


@@ -0,0 +1,21 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: openproject
labels:
- includeSelectors: true
pairs:
app: openproject
managedBy: kustomize
partOf: wild-cloud
resources:
- namespace.yaml
- serviceaccount.yaml
- configmap_core.yaml
- configmap_memcached.yaml
- persistentvolumeclaim.yaml
- service.yaml
- db-init-job.yaml
- web-deployment.yaml
- worker-deployment.yaml
- seeder-job.yaml
- ingress.yaml
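Review bot: Every pod in this app reads `openproject-secrets` (keys `dbPassword` and `adminPassword`) and the db-init Job reads `postgres-secrets`, but no Secret appears in `resources`, so applying this kustomization on its own yields pods that cannot start. Presumably the surrounding tooling generates those Secrets from the `requiredSecrets` list in manifest.yaml; if so, a comment under `resources:` such as `# openproject-secrets is generated from manifest.yaml requiredSecrets and is not listed here` would save the next reader the search.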


@@ -0,0 +1,32 @@
name: openproject
description: OpenProject is an open-source project management software that provides comprehensive features for project planning, tracking, and collaboration.
version: 16.1.1
icon: https://www.openproject.org/assets/images/openproject-logo.png
requires:
- name: postgres
- name: memcached
defaultConfig:
serverImage: openproject/openproject:16.1.1-slim
timezone: UTC
serverPort: 8080
storage: 5Gi
dbHostname: postgres.postgres.svc.cluster.local
dbUsername: openproject
dbName: openproject
memcachedHostname: memcached.memcached.svc.cluster.local
memcachedPort: 11211
domain: openproject.{{ .cloud.domain }}
https: true
hsts: true
seedLocale: en
adminUserName: OpenProject Admin
adminUserEmail: '{{ .operator.email }}'
adminPasswordReset: true
postgresStatementTimeout: 120s
tmpVolumesStorage: 2Gi
cacheStore: memcache
railsRelativeUrlRoot: ""
requiredSecrets:
- apps.openproject.dbPassword
- apps.openproject.adminPassword
- apps.postgres.password
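Review bot: `serverPort: 8080` and `timezone: UTC` in `defaultConfig` are not referenced by any template in this commit — the Service port, the `containerPort` and both probes hard-code `8080`, and nothing sets a TZ — so changing either key in config has no effect. Either drop the two keys or template the port (`port: {{ .apps.openproject.serverPort }}` in service.yaml and the web Deployment) so config and manifests cannot drift. `memcachedPort: 11211` is an integer here but is concatenated into the `OPENPROJECT_CACHE__MEMCACHE__SERVER` string in the memcached ConfigMap, which works as long as the renderer stringifies it; quoting it as `"11211"` makes that independent of the renderer.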


@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: openproject


@@ -0,0 +1,12 @@
---
# Source: openproject/templates/persistentvolumeclaim.yaml
apiVersion: "v1"
kind: "PersistentVolumeClaim"
metadata:
name: openproject
spec:
accessModes: [ReadWriteMany]
resources:
requests:
storage: "{{ .apps.openproject.storage }}"
...
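Review bot: The claim asks for `ReadWriteMany` with no `storageClassName`, so it binds only if the cluster's default StorageClass supports RWX; on an RWO-only default the PVC stays Pending and every pod in the app is stuck, with nothing in the manifests saying why. RWX does appear to be needed, since the web and worker Deployments both mount this claim at `/var/openproject/assets`. A comment above `accessModes` such as `# RWX: shared by the web and worker Deployments; the default StorageClass must support it` would make the requirement visible, or expose `storageClassName` through `defaultConfig` the way `storage` is.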


@@ -0,0 +1,138 @@
---
# Source: openproject/templates/seeder-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: openproject-seeder-1
labels:
component: seeder
spec:
ttlSecondsAfterFinished: 86400
template:
metadata:
labels:
component: seeder
spec:
securityContext:
fsGroup: 1000
volumes:
- name: tmp
# we can't use emptyDir due to the sticky bit issue
# see: https://github.com/kubernetes/kubernetes/issues/110835
ephemeral:
volumeClaimTemplate:
metadata:
creationTimestamp: null
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: {{ .apps.openproject.tmpVolumesStorage }}
- name: app-tmp
# we can't use emptyDir due to the sticky bit / world writable issue
# see: https://github.com/kubernetes/kubernetes/issues/110835
ephemeral:
volumeClaimTemplate:
metadata:
creationTimestamp: null
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: {{ .apps.openproject.tmpVolumesStorage }}
- name: "data"
persistentVolumeClaim:
claimName: openproject
initContainers:
- name: check-db-ready
image: "{{ .apps.postgres.image }}"
imagePullPolicy: Always
command: [
'sh',
'-c',
'until pg_isready -h $DATABASE_HOST -p $DATABASE_PORT -U openproject; do echo "waiting for database $DATABASE_HOST:$DATABASE_PORT"; sleep 2; done;'
]
envFrom:
- configMapRef:
name: openproject-core
- configMapRef:
name: openproject-memcached
env:
- name: OPENPROJECT_DB_PASSWORD
valueFrom:
secretKeyRef:
name: openproject-secrets
key: dbPassword
- name: OPENPROJECT_SEED_ADMIN_USER_PASSWORD
valueFrom:
secretKeyRef:
name: openproject-secrets
key: adminPassword
resources:
limits:
memory: 200Mi
requests:
memory: 200Mi
volumeMounts:
- mountPath: /tmp
name: tmp
- mountPath: /app/tmp
name: app-tmp
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
containers:
- name: seeder
image: "{{ .apps.openproject.serverImage }}"
imagePullPolicy: Always
args:
- bash
- /app/docker/prod/seeder
envFrom:
- configMapRef:
name: openproject-core
- configMapRef:
name: openproject-memcached
env:
- name: OPENPROJECT_DB_PASSWORD
valueFrom:
secretKeyRef:
name: openproject-secrets
key: dbPassword
- name: OPENPROJECT_SEED_ADMIN_USER_PASSWORD
valueFrom:
secretKeyRef:
name: openproject-secrets
key: adminPassword
resources:
limits:
memory: 512Mi
requests:
memory: 512Mi
volumeMounts:
- mountPath: /tmp
name: tmp
- mountPath: /app/tmp
name: app-tmp
- name: "data"
mountPath: "/var/openproject/assets"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
restartPolicy: OnFailure
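Review bot: The `check-db-ready` init container receives `OPENPROJECT_DB_PASSWORD` and `OPENPROJECT_SEED_ADMIN_USER_PASSWORD` from `openproject-secrets`, but it only runs `pg_isready`, which does not authenticate and uses neither value; the `env:` block on that container can be removed so the admin password reaches one fewer process. The `wait-for-db` init containers in the web and worker Deployments likewise get the seed admin password although, judging by the script name, they need at most the database credentials. This Job also does not set `serviceAccountName: openproject` as the Deployments do, so its pod runs under the namespace `default` ServiceAccount; aligning it keeps the app's identity consistent.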


@@ -0,0 +1,16 @@
---
# Source: openproject/templates/service.yaml
apiVersion: "v1"
kind: "Service"
metadata:
name: openproject
spec:
type: ClusterIP
ports:
- port: 8080
targetPort: http
protocol: TCP
name: http
selector:
component: web
...


@@ -0,0 +1,7 @@
---
# Source: openproject/templates/serviceaccount.yaml
apiVersion: "v1"
kind: "ServiceAccount"
metadata:
name: openproject
...
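Review bot: This ServiceAccount is used by the web and worker pods, and nothing in the manifests suggests OpenProject calls the Kubernetes API, yet its token is still auto-mounted into every container of those pods; add `automountServiceAccountToken: false` at the top level of this object so a compromised application process holds no API credential. The two Jobs in the commit do not set `serviceAccountName` and therefore fall back to the namespace `default` account, which would need the same setting or be pointed at this account.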


@@ -0,0 +1,181 @@
---
# Source: openproject/templates/web-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: openproject-web
labels:
openproject/process: web
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
component: web
template:
metadata:
annotations:
# annotate pods with env value checksums so changes trigger re-deployments
checksum/env-core: f2b092f43e1c4c37ec21840d9fbca6bd40dc514094fce97e682a1ec202ba5e45
checksum/env-memcached: ff6b5c8eeeea9c2c34b0799a614f9d252c79257f7cc1a89f56d5ee0fd5664fd4
checksum/env-oidc: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
checksum/env-s3: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
checksum/env-environment: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
labels:
component: web
spec:
securityContext:
fsGroup: 1000
serviceAccountName: openproject
volumes:
- name: tmp
# we can't use emptyDir due to the sticky bit issue
# see: https://github.com/kubernetes/kubernetes/issues/110835
ephemeral:
volumeClaimTemplate:
metadata:
creationTimestamp: null
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: {{ .apps.openproject.tmpVolumesStorage }}
- name: app-tmp
# we can't use emptyDir due to the sticky bit / world writable issue
# see: https://github.com/kubernetes/kubernetes/issues/110835
ephemeral:
volumeClaimTemplate:
metadata:
creationTimestamp: null
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: {{ .apps.openproject.tmpVolumesStorage }}
- name: "data"
persistentVolumeClaim:
claimName: openproject
initContainers:
- name: wait-for-db
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
image: {{ .apps.openproject.serverImage }}
imagePullPolicy: Always
envFrom:
- configMapRef:
name: openproject-core
- configMapRef:
name: openproject-memcached
env:
- name: OPENPROJECT_DB_PASSWORD
valueFrom:
secretKeyRef:
name: openproject-secrets
key: dbPassword
- name: OPENPROJECT_SEED_ADMIN_USER_PASSWORD
valueFrom:
secretKeyRef:
name: openproject-secrets
key: adminPassword
args:
- /app/docker/prod/wait-for-db
resources:
limits:
memory: 1Gi
requests:
memory: 512Mi
volumeMounts:
- mountPath: /tmp
name: tmp
- mountPath: /app/tmp
name: app-tmp
containers:
- name: "openproject"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
image: {{ .apps.openproject.serverImage }}
imagePullPolicy: Always
envFrom:
- configMapRef:
name: openproject-core
- configMapRef:
name: openproject-memcached
env:
- name: OPENPROJECT_DB_PASSWORD
valueFrom:
secretKeyRef:
name: openproject-secrets
key: dbPassword
- name: OPENPROJECT_SEED_ADMIN_USER_PASSWORD
valueFrom:
secretKeyRef:
name: openproject-secrets
key: adminPassword
args:
- /app/docker/prod/web
volumeMounts:
- mountPath: /tmp
name: tmp
- mountPath: /app/tmp
name: app-tmp
- name: "data"
mountPath: "/var/openproject/assets"
ports:
- name: http
containerPort: 8080
protocol: TCP
livenessProbe:
httpGet:
path: "/health_checks/default"
port: 8080
httpHeaders:
# required otherwise health check will return 404 because health check is done using the Pod IP, which may cause issues with downstream variants
- name: Host
value: localhost
initialDelaySeconds: 120
timeoutSeconds: 3
periodSeconds: 30
failureThreshold: 3
successThreshold: 1
readinessProbe:
httpGet:
path: "/health_checks/default"
port: 8080
httpHeaders:
# required otherwise health check will return 404 because health check is done using the Pod IP, which may cause issues with downstream variants
- name: Host
value: localhost
initialDelaySeconds: 30
timeoutSeconds: 3
periodSeconds: 15
failureThreshold: 30
successThreshold: 1
resources:
limits:
cpu: "4"
memory: 4Gi
requests:
cpu: 250m
memory: 512Mi
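Review bot: The `checksum/env-*` annotations are fixed literals carried over from a chart render rather than values computed from the ConfigMaps in this repo, so they never change when `openproject-core` or `openproject-memcached` changes and the comment above them (`changes trigger re-deployments`) no longer holds; the pods keep stale env until something else restarts them. Either have the rendering step compute the hashes or drop the annotations and the comment; `checksum/env-oidc`, `-s3` and `-environment` share one value, which looks like the hash of empty input for ConfigMaps that do not exist here. The same block is repeated in the worker Deployment. Separately, this file's `wait-for-db` init container runs `args: [/app/docker/prod/wait-for-db]` while the worker's runs `args: [bash, /app/docker/prod/wait-for-db]`; whether the first form works depends on the image entrypoint, and the two should match.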


@@ -0,0 +1,151 @@
---
# Source: openproject/templates/worker-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: openproject-worker-default
labels:
openproject/process: worker-default
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
component: worker
template:
metadata:
annotations:
# annotate pods with env value checksums so changes trigger re-deployments
checksum/env-core: f2b092f43e1c4c37ec21840d9fbca6bd40dc514094fce97e682a1ec202ba5e45
checksum/env-memcached: ff6b5c8eeeea9c2c34b0799a614f9d252c79257f7cc1a89f56d5ee0fd5664fd4
checksum/env-oidc: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
checksum/env-s3: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
checksum/env-environment: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
labels:
component: worker
spec:
securityContext:
fsGroup: 1000
serviceAccountName: openproject
volumes:
- name: tmp
# we can't use emptyDir due to the sticky bit issue
# see: https://github.com/kubernetes/kubernetes/issues/110835
ephemeral:
volumeClaimTemplate:
metadata:
creationTimestamp: null
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: {{ .apps.openproject.tmpVolumesStorage }}
- name: app-tmp
# we can't use emptyDir due to the sticky bit / world writable issue
# see: https://github.com/kubernetes/kubernetes/issues/110835
ephemeral:
volumeClaimTemplate:
metadata:
creationTimestamp: null
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: {{ .apps.openproject.tmpVolumesStorage }}
- name: "data"
persistentVolumeClaim:
claimName: openproject
initContainers:
- name: wait-for-db
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
image: {{ .apps.openproject.serverImage }}
imagePullPolicy: Always
envFrom:
- configMapRef:
name: openproject-core
- configMapRef:
name: openproject-memcached
env:
- name: OPENPROJECT_DB_PASSWORD
valueFrom:
secretKeyRef:
name: openproject-secrets
key: dbPassword
- name: OPENPROJECT_SEED_ADMIN_USER_PASSWORD
valueFrom:
secretKeyRef:
name: openproject-secrets
key: adminPassword
args:
- bash
- /app/docker/prod/wait-for-db
resources:
limits:
memory: 1Gi
requests:
memory: 512Mi
volumeMounts:
- mountPath: /tmp
name: tmp
- mountPath: /app/tmp
name: app-tmp
containers:
- name: "openproject"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
image: {{ .apps.openproject.serverImage }}
imagePullPolicy: Always
envFrom:
- configMapRef:
name: openproject-core
- configMapRef:
name: openproject-memcached
args:
- bash
- /app/docker/prod/worker
env:
- name: OPENPROJECT_DB_PASSWORD
valueFrom:
secretKeyRef:
name: openproject-secrets
key: dbPassword
- name: "OPENPROJECT_GOOD_JOB_QUEUES"
value: ""
volumeMounts:
- mountPath: /tmp
name: tmp
- mountPath: /app/tmp
name: app-tmp
- name: "data"
mountPath: "/var/openproject/assets"
resources:
limits:
cpu: "4"
memory: 4Gi
requests:
cpu: 250m
memory: 512Mi