kimjunte/juntekim.com
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 13

Merge pull request #18 from MealCraft/feature/moredeployments

Browse source 
Feature/moredeployments
This commit is contained in:
Jun-te Kim 2025-12-13 17:04:55 +00:00 committed by GitHub
commit 95de58c577
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 287 additions and 161 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

0
db/atlas/migrations/0001_init.sql → db/atlas/stripe_invoice/migrations/0001_init.sql
View file

0
db/atlas/migrations/0002_auth.sql → db/atlas/stripe_invoice/migrations/0002_auth.sql
View file

0
db/atlas/migrations/0003_stripe_xero.sql → db/atlas/stripe_invoice/migrations/0003_stripe_xero.sql
View file

87
db/k8s/pgadmin/deployment.yaml Normal file
View file

@ -0,0 +1,87 @@
# ==================================================
# pgAdmin Secret
# ==================================================
apiVersion: v1
kind: Secret
metadata:
name: pgadmin-secret
type: Opaque
stringData:
PGADMIN_DEFAULT_EMAIL: admin@juntekim.com
PGADMIN_DEFAULT_PASSWORD: PersonAppleWinter938
---
# ==================================================
# pgAdmin Deployment (STATELESS)
# ==================================================
apiVersion: apps/v1
kind: Deployment
metadata:
name: pgadmin
spec:
replicas: 1
selector:
matchLabels:
app: pgadmin
template:
metadata:
labels:
app: pgadmin
spec:
containers:
- name: pgadmin
image: dpage/pgadmin4:latest
ports:
- containerPort: 80
envFrom:
- secretRef:
name: pgadmin-secret
readinessProbe:
httpGet:
path: /
port: 80
initialDelaySeconds: 10
periodSeconds: 10
livenessProbe:
httpGet:
path: /
port: 80
initialDelaySeconds: 30
periodSeconds: 20
---
# ==================================================
# pgAdmin Service
# ==================================================
apiVersion: v1
kind: Service
metadata:
name: pgadmin
spec:
type: ClusterIP
selector:
app: pgadmin
ports:
- port: 80
targetPort: 80
---
# ==================================================
# Traefik IngressRoute
# ==================================================
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: pgadmin
spec:
entryPoints:
- websecure
routes:
- match: Host(`pgadmin.juntekim.com`)
kind: Rule
services:
- name: pgadmin
port: 80
tls:
certResolver: myresolver

5
db/k8s/secrets/postgres-secret.yaml
View file

@ -7,3 +7,8 @@ stringData:
POSTGRES_USER: postgres POSTGRES_USER: postgres
POSTGRES_PASSWORD: averysecretpasswordPersonAppleWinter938 POSTGRES_PASSWORD: averysecretpasswordPersonAppleWinter938
POSTGRES_DB: stripe_invoice POSTGRES_DB: stripe_invoice
DB_USER: postgres
DB_PASSWORD: averysecretpasswordPersonAppleWinter938
DB_NAME: stripe_invoice
DB_HOST: postgres
DB_PORT: "5432"

224
github_runner/install/install_arc.sh
View file

@ -1,179 +1,81 @@
#!/bin/bash #!/bin/bash
set -ex set -euo pipefail
# ===================================================================== # ==========================================================
# OPTIONAL — MicroK8s setup/reset steps (only use when doing a hard reset) # FIRST SETUP SCRIPT — mist / microk8s
# =====================================================================
# sudo microk8s reset --destroy-storage
# sudo snap remove microk8s
# sudo snap install microk8s --classic
# sudo microk8s enable dns rbac hostpath-storage host-access metrics-server ingress
# sudo microk8s enable metallb:192.168.0.200-192.168.0.220
# #
# # Rebuild kubeconfig for your local user (optional) # PURPOSE:
# microk8s kubectl config view --raw > ~/.kube/config # - Bootstrap a fresh machine
# chmod 600 ~/.kube/config # - Install & configure microk8s
# sudo usermod -aG microk8s $USER # - Enable required core addons
# sudo chown -f -R $USER ~/.kube # - Apply cluster-wide RBAC from YAML
#
# RUN:
# - Once on a fresh host
# - Or again after a full microk8s reset
#
# DOES NOT:
# - Deploy apps
# - Deploy databases
# - Contain RBAC logic inline
#
# All ongoing infra changes should be done via:
# - YAML (db/k8s/**)
# - GitHub Actions
# ==========================================================
NAMESPACE="arc-systems" echo "=== [1/6] Installing microk8s (if needed) ==="
RUNNER_NAME="mealcraft-runners"
# # ===================================================================== if ! command -v microk8s >/dev/null 2>&1; then
# # Remove previous ARC installation (safe even if missing) sudo snap install microk8s --classic
# # ===================================================================== else
# helm uninstall arc -n "${NAMESPACE}" || true echo "microk8s already installed"
# helm uninstall "${RUNNER_NAME}" -n "${NAMESPACE}" || true fi
# echo "=== Installing ARC Scale Set Controller ===" echo "=== [2/6] Adding current user to microk8s group ==="
# helm install arc \ sudo usermod -aG microk8s "$USER"
# --namespace "${NAMESPACE}" \
# --create-namespace \
# oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set-controller
# echo "=== Installing MealCraft Runner Scale Set (NO Docker-in-Docker) ===" # Required so kubectl works without sudo
sudo chown -f -R "$USER" ~/.kube || true
# helm install "${RUNNER_NAME}" \ echo "=== [3/6] Enabling core microk8s addons ==="
# --namespace "${NAMESPACE}" \
# --create-namespace \
# --set runnerScaleSetName="${RUNNER_NAME}" \
# --set githubConfigUrl="https://github.com/MealCraft" \
# --set githubConfigSecret.name="github-secret" \
# --set githubConfigSecret.github_token="$GITHUB_PAT" \
# --set dockerInDockerEnabled=false \
# --set containerMode.type="runner" \
# --set runnerLabels[0]="mealcraft" \
# oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set
# # ===================================================================== # These are the foundations everything else depends on
# # RBAC — IMPORTANT sudo microk8s enable \
# # Grants permissions to the exact ARC runner SA detected earlier. dns \
# # ===================================================================== rbac \
hostpath-storage \
host-access \
metrics-server \
ingress
echo "=== Applying RBAC for all ARC runners + Traefik ===" # Optional: MetalLB (only if you need L2 IPs)
# sudo microk8s enable metallb:192.168.0.200-192.168.0.220
microk8s kubectl apply -f - <<EOF echo "=== [4/6] Waiting for microk8s to be ready ==="
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: mealcraft-bootstrap-role
rules:
# ----------------------------------------------------
# Storage
# ----------------------------------------------------
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["*"]
# ---------------------------------------------------- sudo microk8s status --wait-ready
# Core API
# PV, PVC, Namespaces, Secrets, ConfigMaps, Services,
# ServiceAccounts (added for runner + Traefik needs)
# ----------------------------------------------------
- apiGroups: [""]
resources:
- persistentvolumes
- persistentvolumeclaims
- namespaces
- secrets
- configmaps
- services
- serviceaccounts
- endpoints # <-- Traefik requires
- pods # <-- Traefik requires
- nodes # <-- Traefik requires for node discovery
verbs: ["*"]
# ---------------------------------------------------- echo "=== [5/6] Writing kubeconfig for local user ==="
# Apps: Deployments, DaemonSets, RS, StatefulSets
# ----------------------------------------------------
- apiGroups: ["apps"]
resources: ["deployments", "daemonsets", "replicasets", "statefulsets"]
verbs: ["*"]
# ---------------------------------------------------- mkdir -p ~/.kube
# Networking & Ingress microk8s kubectl config view --raw > ~/.kube/config
# (Traefik needs watch on ingresses & ingressclasses) chmod 600 ~/.kube/config
# ----------------------------------------------------
- apiGroups: ["networking.k8s.io", "extensions"]
resources: ["ingresses", "ingressclasses", "*"]
verbs: ["*"]
# ---------------------------------------------------- echo "=== [6/6] Applying cluster RBAC (infra deployer role) ==="
# Traefik v1 CRDs (old MicroK8s installs)
# ----------------------------------------------------
- apiGroups: ["traefik.containo.us"]
resources: ["*"]
verbs: ["*"]
# ---------------------------------------------------- # IMPORTANT:
# Traefik v2 CRDs (modern) # RBAC is fully declarative and lives in YAML.
# ---------------------------------------------------- # Extend permissions by editing the YAML — NOT this script.
- apiGroups: ["traefik.io"] microk8s kubectl apply -f db/k8s/rbac/infra-deployer-rbac.yaml
resources:
- ingressroutes
- ingressroutetcps
- ingressrouteudps
- middlewares
- middlewaretcps
- traefikservices
- tlsoptions
- tlsstores
- serverstransports
verbs: ["*"]
# ---------------------------------------------------- echo
# CRDs echo "=== Bootstrap complete ==="
# ---------------------------------------------------- echo
- apiGroups: ["apiextensions.k8s.io"] echo "You can now:"
resources: ["customresourcedefinitions"] echo "- Install ARC (GitHub Actions runners)"
verbs: ["*"] echo "- Deploy Postgres via CI"
echo "- Apply CronJobs, Jobs, and Traefik resources"
--- echo
apiVersion: rbac.authorization.k8s.io/v1 echo "This script should NOT be modified for normal infra changes."
kind: ClusterRoleBinding
metadata:
name: mealcraft-bootstrap-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: mealcraft-bootstrap-role
subjects:
- kind: ServiceAccount
name: mealcraft-runners-gha-rs-no-permission
namespace: arc-systems
EOF
microk8s kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: traefik-real-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: mealcraft-bootstrap-role
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: default
EOF
microk8s kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: traefik-rbac-fix
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: mealcraft-bootstrap-role
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: default
EOF
echo "=== ARC installation + RBAC complete ==="

132
github_runner/install/rbac.yaml Normal file
View file

@ -0,0 +1,132 @@
# =========================================================
# ClusterRole: Infra Deployer
#
# Used by:
# - GitHub ARC runners
# - Infrastructure deployment workflows
#
# Allows managing:
# - Postgres
# - Jobs / CronJobs (migrations, backups)
# - Traefik resources
# - Storage primitives
#
# Extend this file when infra needs grow.
# =========================================================
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: infra-deployer-role
rules:
# -----------------------------------------------------
# Core Kubernetes resources
# -----------------------------------------------------
- apiGroups: [""]
resources:
- pods
- services
- endpoints
- configmaps
- secrets
- namespaces
- serviceaccounts
- persistentvolumes
- persistentvolumeclaims
- nodes
verbs: ["*"]
# -----------------------------------------------------
# Apps (Deployments, StatefulSets, etc.)
# -----------------------------------------------------
- apiGroups: ["apps"]
resources:
- deployments
- statefulsets
- daemonsets
- replicasets
verbs: ["*"]
# -----------------------------------------------------
# Batch workloads (THIS FIXES YOUR ISSUE)
# Jobs + CronJobs for:
# - DB backups
# - Atlas migrations
# -----------------------------------------------------
- apiGroups: ["batch"]
resources:
- jobs
- cronjobs
verbs: ["*"]
# -----------------------------------------------------
# Networking & Ingress
# -----------------------------------------------------
- apiGroups: ["networking.k8s.io", "extensions"]
resources:
- ingresses
- ingressclasses
verbs: ["*"]
# -----------------------------------------------------
# Traefik CRDs (v1 + v2)
# -----------------------------------------------------
- apiGroups: ["traefik.containo.us"]
resources: ["*"]
verbs: ["*"]
- apiGroups: ["traefik.io"]
resources:
- ingressroutes
- ingressroutetcps
- ingressrouteudps
- middlewares
- middlewaretcps
- traefikservices
- tlsoptions
- tlsstores
- serverstransports
verbs: ["*"]
# -----------------------------------------------------
# CRD management (required for Traefik & others)
# -----------------------------------------------------
- apiGroups: ["apiextensions.k8s.io"]
resources:
- customresourcedefinitions
verbs: ["*"]
---
# =========================================================
# ClusterRoleBinding: Bind Infra Deployer to ARC runners
# =========================================================
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: infra-deployer-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: infra-deployer-role
subjects:
- kind: ServiceAccount
name: mealcraft-runners-gha-rs-no-permission
namespace: arc-systems
---
# =========================================================
# ClusterRoleBinding: Bind same role to Traefik
# (Traefik needs wide read/watch permissions)
# =========================================================
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: infra-deployer-traefik-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: infra-deployer-role
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: default