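---
# Deployment: a certbot renewer sidecar next to chartmuseum. Both mount the
# shared letsencrypt PVC; the init container blocks until the getcert Job
# (further down in this file) has written fullchain.pem into it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: "{{ .Release.Name }}-chartmuseum"
spec:
  # Recreate rather than RollingUpdate: the data PVC is ReadWriteOnce, so two
  # pods could not hold it at once during a rollout.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: "{{ .Release.Name }}-chartmuseum"
  replicas: 1
  template:
    metadata:
      labels:
        app: "{{ .Release.Name }}-chartmuseum"
        # Matched by the Service selector. The getcert Job pod carries the same
        # label, presumably so the Service's port 80 reaches certbot while the
        # certificate is being issued — confirm.
        use-as-service: "{{ .Release.Name }}"
    spec:
      # Wait before trying to start any container
      initContainers:
        - name: wait-for-cert
          # NOTE(review): untagged image resolves to a floating tag; pin a
          # version or digest for reproducible deploys.
          image: busybox
          command:
            - sh
            - -c
            - until ls /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem; do sleep 5; done
          volumeMounts:
            - name: etcletsencrypt
              mountPath: "/etc/letsencrypt"
      containers:
        - name: certbot
          # NOTE(review): untagged image plus imagePullPolicy: Always means every
          # pod restart may pull a different build; pin a tag or digest.
          image: ungleich/ungleich-certbot
          imagePullPolicy: Always
          ports:
            - containerPort: 80
          env:
            - name: ONLYRENEWCERTS
              value: "yes"
            - name: DOMAIN
              value: "{{ tpl .Values.fqdn . }}"
            - name: EMAIL
              value: "{{ .Values.email }}"
            # toString: a bare `no` in values.yaml parses as boolean false, and
            # `eq false "no"` fails at render time with an incompatible-types
            # error; comparing the stringified value accepts both spellings.
            {{ if eq (toString .Values.letsencryptStaging) "no" }}
            - name: STAGING
              value: "no"
            {{ end }}
          volumeMounts:
            - name: etcletsencrypt
              mountPath: "/etc/letsencrypt"
        - name: chartmuseum
          image: ghcr.io/helm/chartmuseum:v{{ .Chart.AppVersion }}
          ports:
            # NOTE(review): the Service below targets pod port 8080, but this
            # container declares 443 and is given no --port argument, so one of
            # the two numbers looks wrong — confirm which port chartmuseum
            # actually listens on.
            - containerPort: 443
          args:
            - --tls-cert=/etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem
            - --tls-key=/etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/privkey.pem
          env:
            - name: STORAGE
              value: "local"
            - name: STORAGE_LOCAL_ROOTDIR
              value: "/charts"
            # Credentials are read from the generated Secret (last document in
            # this file), never inlined in the chart.
            - name: BASIC_AUTH_USER
              valueFrom:
                secretKeyRef:
                  name: "{{ tpl .Values.identifier . }}"
                  key: username
            - name: BASIC_AUTH_PASS
              valueFrom:
                secretKeyRef:
                  name: "{{ tpl .Values.identifier . }}"
                  key: password
          volumeMounts:
            - name: etcletsencrypt
              mountPath: "/etc/letsencrypt"
            - name: data
              mountPath: "/charts"
      volumes:
        - name: etcletsencrypt
          persistentVolumeClaim:
            claimName: "{{ tpl .Values.identifier . }}-letsencrypt-certs"
        - name: data
          persistentVolumeClaim:
            claimName: "{{ tpl .Values.identifier . }}-data"
---
apiVersion: v1
kind: Service
metadata:
  name: "{{ tpl .Values.identifier . }}"
  labels:
    app: "{{ tpl .Values.identifier . }}"
spec:
  type: ClusterIP
  ports:
    # No targetPort: traffic goes to pod port 80, which only the certbot
    # containers declare.
    - port: 80
      name: http
    - port: 443
      targetPort: 8080
      name: https
  # Selects both the Deployment pod and the getcert Job pod (both carry this
  # label); the Job pod has no listener on 8080, so the https port may briefly
  # route to a backend that refuses connections while the Job runs.
  selector:
    use-as-service: "{{ .Release.Name }}"
---
# Shared by the getcert Job and the Deployment, hence ReadWriteMany.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: "{{ tpl .Values.identifier . }}-letsencrypt-certs"
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 50Mi
  storageClassName: rook-cephfs
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: "{{ tpl .Values.identifier . }}-data"
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: rook-ceph-block
# Disabled nginx front-end. Note that Helm still evaluates the {{ }} actions
# inside YAML comments, so these lines must keep rendering cleanly.
# ---
# apiVersion: v1
# kind: ConfigMap
# metadata:
#   name: {{ tpl .Values.identifier . }}-nginx-config
# data:
#   default.conf: |
#     server {
#       listen 443 ssl;
#       listen [::]:443 ssl;
#       server_name {{ tpl .Values.fqdn . }};
#       ssl_certificate /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem;
#       ssl_certificate_key /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/privkey.pem;
#       client_max_body_size 256m;
#       location / {
#         proxy_pass http://localhost:3000;
#       }
#     }
---
# One-shot Job that obtains the initial certificate into the shared PVC; the
# Deployment's init container polls for its output.
apiVersion: batch/v1
kind: Job
metadata:
  name: "{{ tpl .Values.identifier . }}-getcert"
spec:
  template:
    metadata:
      labels:
        app: certbot-letsencrypt-getcert
        use-as-service: "{{ .Release.Name }}"
    spec:
      restartPolicy: Never
      containers:
        - name: certbot
          # NOTE(review): same unpinned image as in the Deployment.
          image: ungleich/ungleich-certbot
          imagePullPolicy: Always
          ports:
            - containerPort: 80
          env:
            - name: ONLYGETCERT
              value: "yes"
            - name: DOMAIN
              value: "{{ tpl .Values.fqdn . }}"
            - name: EMAIL
              value: "{{ .Values.email }}"
            # toString for the same reason as in the Deployment: tolerate an
            # unquoted `no` in values.yaml.
            {{ if eq (toString .Values.letsencryptStaging) "no" }}
            - name: STAGING
              value: "no"
            {{ end }}
          volumeMounts:
            - name: etcletsencrypt
              mountPath: "/etc/letsencrypt"
      volumes:
        - name: etcletsencrypt
          persistentVolumeClaim:
            claimName: "{{ tpl .Values.identifier . }}-letsencrypt-certs"
  backoffLimit: 3
---
# Carries no data of its own: the mittwald secret-generator populates it, and
# the chartmuseum container reads the `username` / `password` keys from it.
apiVersion: v1
kind: Secret
metadata:
  name: "{{ tpl .Values.identifier . }}"
  annotations:
    secret-generator.v1.mittwald.de/type: basic-auth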