apps/base/temporal/repository.yaml

@@ -1,8 +1,8 @@
 apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: HelmRepository
 metadata:
-  name: temporal
+  name: podinfo
   namespace: futureporn
 spec:
   interval: 5m
-  url: https://charts.lemontech.engineering
+  url: https://stefanprodan.github.io/podinfo

charts/fp/templates-staging/uwu-ingress.yaml

@@ -0,0 +1,48 @@
+## Utility ingress (named uwu to make it non-specific) is used for several backend or development services.
+## We do this to save money, as every VKE ingress cost us $10/month
+## We route to different services by path
+
+
+
+{{ if eq .Values.managedBy "Helm" }} 
+
+# ---
+# apiVersion: networking.k8s.io/v1
+# kind: Ingress
+# metadata:
+#   name: uwu-ingress
+#   namespace: futureporn
+#   annotations:
+#     cert-manager.io/cluster-issuer: "letsencrypt-staging"
+#     nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+#     # If you encounter a redirect loop or are getting a 307 response code
+#     # then you need to force the nginx ingress to connect to the backend using HTTPS.
+#     nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+# spec:
+#   ingressClassName: nginx
+#   rules:
+#   - host: uwu.sbtp.xyz
+#     http:
+#       paths:
+#       - path: /piko
+#         pathType: Prefix
+#         backend:
+#           service:
+#             name: piko
+#             port:
+#               name: https
+#       - path: /windmill
+#         pathType: Prefix
+#         backend:
+#           service:
+#             name: windmmill-app
+#             port:
+#               name: https
+#   tls:
+#   - hosts:
+#     - uwu.sbtp.xyz
+#     secretName: uwu-tls
+
+
+
+{{ end }}

charts/windmill/README.md

@@ -0,0 +1,3 @@
+windmill helm chart is pulled in via ../../helmsman.yaml.
+
+This folder is here just to hold our values.yaml file for configuring windmill.

charts/windmill/values.yaml

@@ -0,0 +1,96 @@
+# windmill root values block
+windmill:
+  # domain as shown in browser, this is used together with `baseProtocol` as part of the BASE_URL environment variable in app and worker container and in the ingress resource, if enabled
+  baseDomain: windmill2.sbtp.xyz
+  baseProtocol: https
+  # postgres URI, pods will crashloop if database is unreachable, sets DATABASE_URL environment variable in app and worker container
+  databaseUrl: postgres://postgres:windmill@windmill-postgresql/windmill?sslmode=disable
+  # replica for the application app
+  appReplicas: 2
+  # replicas for the workers, jobs are executed on the workers
+  lspReplicas: 2
+  workerGroups:
+    # The default worker group is the one that will execute jobs with any taggs  except the native ones. Windmill has a default worker group configuration for it
+    - name: "default"
+      replicas: 2
+      # -- Annotations to apply to the pods
+      annotations: {}
+
+      # -- Labels to apply to the pods
+      labels: {}
+
+      # -- Node selector to use for scheduling the pods
+      nodeSelector: {}
+
+      # -- Tolerations to apply to the pods
+      tolerations: []
+
+      # -- Affinity rules to apply to the pods
+      affinity: {}
+
+      # -- Resource limits and requests for the pods
+      resources:
+        requests:
+          memory: "1028Mi"
+          cpu: "500m"
+        limits:
+          memory: "2048Mi"
+          cpu: "1000m"
+
+      # -- Extra environment variables to apply to the pods
+      extraEnv: []
+
+      # -- Extra sidecar containers
+      extraContainers: []
+
+    # Thenative worker group will only execute native jobs. Windmill has a default worker group configuration for it
+    - name: "native"
+      replicas: 3
+      # -- Resource limits and requests for the pods
+      resources:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "256Mi"
+          cpu: "200m"
+
+      # -- Extra environment variables to apply to the pods
+      extraEnv: []
+
+      # -- Extra sidecar containers
+      extraContainers: []
+
+    - name: "gpu"
+      replicas: 0
+
+  # Use those to override the tag or image used for the app and worker containers. Windmill uses the same image for both.
+  # By default, if enterprise is enable, the image is set to ghcr.io/windmill-labs/windmill-ee, otherwise the image is set to ghcr.io/windmill-labs/windmill
+  #tag: "mytag"
+  #image: "ghcr.io/windmill-labs/windmill"
+
+# enable postgres (bitnami) on kubernetes
+postgresql:
+  enabled: true
+  primary:
+    persistence:
+      size: 40Gi
+# enable minio (bitnami) on kubernetes
+minio:
+  enabled: false
+
+# Configure Ingress
+ingress:
+  className: "nginx"
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+  tls:
+  - hosts:
+    - windmill2.sbtp.xyz
+    secretName: windmill-tls
+
+# enable enterprise features
+enterprise:
+  # -- enable windmill enterprise, requires license key.
+  enabled: false

helmfile.yaml

@@ -0,0 +1,44 @@
+repositories:
+- name: jetstack
+  url: https://charts.jetstack.io
+
+- name: vultr
+  url: https://vultr.github.io/helm-charts
+
+- name: emberstack
+  url: https://emberstack.github.io/helm-charts
+
+
+releases:
+  - name: reflector
+    namespace: default
+    chart: emberstack/reflector
+
+  - name: cert-manager
+    namespace: cert-manager
+    chart: jetstack/cert-manager
+    set:
+      - name: installCRDs
+        value: true
+    values:
+      - charts/fp/values-prod.yaml
+
+  - name: cert-manager-webhook-vultr
+    namespace: cert-manager
+    chart: vultr/cert-manager-webhook-vultr
+    dependencies:
+    - version: ~v1.14.4
+      chart: jetstack/cert-manager
+    needs:
+      - cert-manager/cert-manager
+
+  - name: fp
+    namespace: default
+    chart: charts/fp
+    values:
+      - charts/fp/values-prod.yaml
+    dependencies:
+    - version: ~v1.14.4
+      chart: jetstack/cert-manager
+    needs:
+      - cert-manager/cert-manager

helmsman.argocd.yaml

@@ -0,0 +1,47 @@
+namespaces:
+  default:
+  cert-manager:
+  ingress-nginx:
+  argocd:
+
+helmRepos:
+  jetstack: https://charts.jetstack.io
+  emberstack: https://emberstack.github.io/helm-charts
+  vultr: https://vultr.github.io/helm-charts
+  ingress-nginx: https://kubernetes.github.io/ingress-nginx
+  argo: https://argoproj.github.io/argo-helm
+
+apps:
+  argodeps:
+    namespace: default
+    chart: "charts/argodeps"
+    enabled: true
+    version: "1.0.0"
+  argo:
+    namespace: argocd
+    chart: argo/argo-cd
+    enabled: true
+    version: "6.7.13"
+    valuesFile: "values/argocd.yaml"
+  ingress-nginx:
+    namespace: ingress-nginx
+    chart: "ingress-nginx/ingress-nginx"
+    enabled: true
+    version: "4.10.0"
+  cert-manager-webhook-vultr:
+    namespace: cert-manager
+    chart: vultr/cert-manager-webhook-vultr
+    enabled: true
+    version: "1.0.0"
+  cert-manager:
+    namespace: "cert-manager"
+    chart: "jetstack/cert-manager"
+    enabled: true
+    version: "1.14.4"
+  reflector:
+    namespace: "default"
+    chart: "emberstack/reflector"
+    enabled: true
+    version: "7.1.262"
+  
+

helmsman.fp.yaml

@@ -0,0 +1,56 @@
+namespaces:
+  default:
+  cert-manager:
+  ingress-nginx:
+  metrics-server:
+  kcert:
+  windmill:
+
+helmRepos:
+  jetstack: https://charts.jetstack.io
+  emberstack: https://emberstack.github.io/helm-charts
+  vultr: https://vultr.github.io/helm-charts
+  ingress-nginx: https://kubernetes.github.io/ingress-nginx
+  metrics-server: https://kubernetes-sigs.github.io/metrics-server
+  windmill: https://windmill-labs.github.io/windmill-helm-charts
+
+apps:
+  windmill:
+    namespace: windmill
+    chart: "windmill/windmill"
+    enabled: true
+    version: "2.0.167"
+    valuesFile: "./charts/windmill/values.yaml"
+  metrics-server:
+    namespace: metrics-server
+    chart: "metrics-server/metrics-server"
+    enabled: true
+    version: "3.12.1"
+  ingress-nginx:
+    namespace: ingress-nginx
+    chart: "ingress-nginx/ingress-nginx"
+    enabled: true
+    version: "4.10.0"
+  fp:
+    namespace: "default"
+    chart: "charts/fp"
+    enabled: true
+    version: "0.0.1"
+    valuesFile: "./charts/fp/values-prod.yaml"
+  cert-manager-webhook-vultr:
+    namespace: cert-manager
+    chart: vultr/cert-manager-webhook-vultr
+    enabled: true
+    version: "1.0.0"
+  cert-manager:
+    namespace: "cert-manager"
+    chart: "jetstack/cert-manager"
+    enabled: true
+    version: "1.14.4"
+  reflector:
+    namespace: "default"
+    chart: "emberstack/reflector"
+    enabled: true
+    version: "7.1.262"
+  
+

helmsman.nothing.yaml

@@ -0,0 +1,6 @@
+namespaces:
+  default:
+
+helmRepos:
+
+apps:

scripts/k8s-secrets.sh

@@ -6,6 +6,25 @@ kubectl --namespace futureporn delete secret uwu-auth --ignore-not-found
 kubectl --namespace futureporn create secret generic uwu-auth \
 --from-literal=auth=${CHISEL_AUTH}
 
+kubectl --namespace futureporn delete secret windmill-postgresql --ignore-not-found
+## we do this so helm can adopt our pre-made secret @see https://github.com/helm/helm/pull/7649
+cat <<EOF | kubectl --namespace futureporn create -f-
+---
+data:
+  postgres-password: $(echo -n $WINDMILL_POSTGRES_PASSWORD | base64)
+apiVersion: v1
+kind: Secret
+metadata:
+  name: windmill-postgresql
+  namespace: futureporn
+  annotations:
+    meta.helm.sh/release-namespace: futureporn
+    meta.helm.sh/release-name: postgresql
+  labels:
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/instance: postgresql
+type: Opaque
+EOF
 
 kubectl --namespace futureporn delete secret frp --ignore-not-found
 kubectl --namespace futureporn create secret generic frp \