initial: action/site-publish @v1

2026-05-06 08:07:28 -05:00
commit d01c3bcc43
15 changed files with 1087 additions and 0 deletions
@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: {{ site }}
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@code.fritzlab.net/fritzlab/apps.git
+    targetRevision: main
+    path: sjc001/websites/{{ site }}/manifests
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: {{ namespace }}
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ site_k8s }}-tls
+  namespace: {{ namespace }}
+spec:
+  secretName: {{ site_k8s }}-tls
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+  dnsNames:
+  - {{ domain }}
+{%- for alias in aliases %}
+  - {{ alias }}
+{%- endfor %}
@@ -0,0 +1,52 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ site_k8s }}
+  namespace: {{ namespace }}
+  labels:
+    app: {{ site_k8s }}
+spec:
+  replicas: {{ replicas }}
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: {{ site_k8s }}
+  template:
+    metadata:
+      labels:
+        app: {{ site_k8s }}
+    spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65532
+        runAsGroup: 65532
+        fsGroup: 65532
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+      - name: {{ site_k8s }}
+        image: {{ image }}:latest
+        imagePullPolicy: IfNotPresent
+        ports:
+        - name: http
+          containerPort: {{ port }}
+        resources:
+          requests:
+            memory: 64Mi
+            cpu: 50m
+          limits:
+            memory: 256Mi
+        livenessProbe:
+          httpGet: {path: {{ health_path }}, port: http}
+          periodSeconds: 30
+          timeoutSeconds: 3
+        readinessProbe:
+          httpGet: {path: {{ health_path }}, port: http}
+          periodSeconds: 10
+          timeoutSeconds: 3
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop: ["ALL"]
@@ -0,0 +1,41 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ site_k8s }}
+  namespace: {{ namespace }}
+{%- if site_type != "docker" %}
+  annotations:
+    traefik.ingress.kubernetes.io/router.middlewares: retry-upstream@file
+{%- endif %}
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - {{ domain }}
+{%- for alias in aliases %}
+    - {{ alias }}
+{%- endfor %}
+    secretName: {{ site_k8s }}-tls
+  rules:
+  - host: {{ domain }}
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: {{ site_k8s }}
+            port:
+              number: 80
+{%- for alias in aliases %}
+  - host: {{ alias }}
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: {{ site_k8s }}
+            port:
+              number: 80
+{%- endfor %}
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+{% if site_type == "docker" %}
+- deployment.yaml
+{% endif %}
+- service.yaml
+- ingress.yaml
+- certificate.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ site_k8s }}
+  namespace: {{ namespace }}
+spec:
+  clusterIP: None
+  selector:
+    app: {{ site_k8s }}
+  ports:
+  - name: http
+    port: 80
+    targetPort: http
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ site_k8s }}
+  namespace: {{ namespace }}
+spec:
+  type: ExternalName
+  externalName: garage.storage.svc.k8s.sjc001.fritzlab.net
+  ports:
+  - port: 80
+    targetPort: 80