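# Tandoor Recipes: Namespace, Deployment (init + app container), Service,
# Ingress and the static-files PVC, all in namespace tandoor-system.
# Secrets tandoor-db, tandoor-app and tandoor-admin are referenced but not
# defined here; they must already exist in the namespace.
---
apiVersion: v1
kind: Namespace
metadata:
  name: tandoor-system
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/instance: tandoor
    app.kubernetes.io/name: tandoor
    # NOTE(review): the label says "2.5" while both containers run image tag
    # 2.6.9; confirm which one is intended.
    app.kubernetes.io/version: "2.5"
  name: tandoor
  namespace: tandoor-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: tandoor
      app.kubernetes.io/name: tandoor
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: tandoor
        app.kubernetes.io/name: tandoor
        app.kubernetes.io/version: "2.5"
    spec:
      # NOTE(review): no pod- or container-level securityContext is set, so
      # both containers run with the image's default user and capabilities.
      # Confirm what the image supports before tightening.
      initContainers:
        # Waits for PostgreSQL, runs migrations and collectstatic, then creates
        # the Django superuser if it does not exist yet.
        - name: create-superuser
          # The tag is mutable; pinning by digest (image@sha256:<digest>) makes
          # the init and app containers provably run the same bits.
          image: vabene1111/recipes:2.6.9
          workingDir: /opt/recipes
          command:
            - /bin/sh
            - -c
            - |
              . /opt/recipes/venv/bin/activate
              echo "Waiting for database..."
              while ! python -c "import socket; socket.create_connection(('postgresql-rw.database-system.svc.cluster.local', 5432), timeout=5)" 2>/dev/null; do
                sleep 2
              done
              echo "Database is ready. Running migrations..."
              python manage.py migrate --noinput
              echo "Collecting static files..."
              python manage.py collectstatic --noinput
              echo "Creating superuser if not exists..."
              python manage.py shell -c "
              from django.contrib.auth import get_user_model
              User = get_user_model()
              import os
              username = os.environ.get('DJANGO_SUPERUSER_USERNAME', 'admin')
              if not User.objects.filter(username=username).exists():
                  User.objects.create_superuser(
                      username=username,
                      email=os.environ.get('DJANGO_SUPERUSER_EMAIL', ''),
                      # No fallback password: fail the init container instead of creating admin/admin.
                      password=os.environ['DJANGO_SUPERUSER_PASSWORD']
                  )
                  print(f'Superuser {username} created successfully')
              else:
                  print(f'Superuser {username} already exists')
              "
          volumeMounts:
            - name: staticfiles
              mountPath: /opt/recipes/staticfiles
          env:
            - name: DB_ENGINE
              value: django.db.backends.postgresql
            # Database - using shared PostgreSQL in database-system namespace
            - name: POSTGRES_HOST
              value: postgresql-rw.database-system.svc.cluster.local
            - name: POSTGRES_PORT
              value: "5432"
            - name: POSTGRES_DB
              value: tandoor
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  name: tandoor-db
                  key: username
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: tandoor-db
                  key: password
            - name: SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: tandoor-app
                  key: secret-key
            - name: DJANGO_SUPERUSER_USERNAME
              valueFrom:
                secretKeyRef:
                  name: tandoor-admin
                  key: username
            - name: DJANGO_SUPERUSER_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: tandoor-admin
                  key: password
            - name: DJANGO_SUPERUSER_EMAIL
              valueFrom:
                secretKeyRef:
                  name: tandoor-admin
                  key: email
      containers:
        - name: tandoor
          image: vabene1111/recipes:2.6.9
          imagePullPolicy: IfNotPresent
          env:
            - name: TZ
              value: Europe/Budapest
            - name: DEBUG
              value: "0"
            # NOTE(review): "*" turns off Django's Host-header validation.
            # Restricting it to the two ingress hosts is preferable, but the
            # probes below send no Host header override, so they would need
            # httpHeaders (Host) added in the same change; otherwise they
            # would presumably be rejected.
            - name: ALLOWED_HOSTS
              value: "*"
            - name: CSRF_TRUSTED_ORIGINS
              value: "https://tandoor.dooplex.hu,https://tandoor.home"
            - name: SECURE_PROXY_SSL_HEADER
              value: "HTTP_X_FORWARDED_PROTO,https"
            - name: DB_ENGINE
              value: django.db.backends.postgresql
            # Database - using shared PostgreSQL in database-system namespace
            - name: POSTGRES_HOST
              value: postgresql-rw.database-system.svc.cluster.local
            - name: POSTGRES_PORT
              value: "5432"
            - name: POSTGRES_DB
              value: tandoor
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  name: tandoor-db
                  key: username
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: tandoor-db
                  key: password
            - name: SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: tandoor-app
                  key: secret-key
            - name: GUNICORN_MEDIA
              value: "1"
            - name: ENABLE_SIGNUP
              value: "0"
            - name: ENABLE_METRICS
              value: "1"
            - name: TANDOOR_PORT
              value: "8080"
            - name: SOCIAL_PROVIDERS
              value: "allauth.socialaccount.providers.openid_connect"
            # The OIDC client secret used to be written inline in
            # SOCIALACCOUNT_PROVIDERS. It now comes from a Secret and is
            # substituted by Kubernetes $(VAR) expansion, which only sees
            # variables declared earlier in this list, so keep this entry
            # first. Secret name and key are placeholders: create the Secret
            # out-of-band like tandoor-db / tandoor-app / tandoor-admin.
            # The value that was committed in plain text should be rotated in
            # authentik, since it remains in repository history. The secret
            # must stay free of characters that need JSON escaping.
            - name: AUTHENTIK_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: tandoor-oidc
                  key: client-secret
            - name: SOCIALACCOUNT_PROVIDERS
              value: '{"openid_connect":{"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"y7Mv9stcPZYAGz5QQyzFO9KBFjXHG6OWhLNWPMHL","secret":"$(AUTHENTIK_CLIENT_SECRET)","settings":{"server_url":"https://authentik.dooplex.hu/application/o/tandoor/.well-known/openid-configuration"}}]}}'
          ports:
            - containerPort: 8080
              name: http
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /
              port: http
            initialDelaySeconds: 60
            periodSeconds: 30
            timeoutSeconds: 10
            failureThreshold: 5
          readinessProbe:
            httpGet:
              path: /
              port: http
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
          resources:
            limits:
              cpu: "1"
              memory: 2Gi
            requests:
              cpu: 100m
              memory: 256Mi
          volumeMounts:
            - name: staticfiles
              mountPath: /opt/recipes/staticfiles
            - name: mediafiles
              mountPath: /opt/recipes/mediafiles
      volumes:
        - name: staticfiles
          persistentVolumeClaim:
            claimName: tandoor-staticfiles
        # NOTE(review): hostPath binds the media data to one node's filesystem
        # and is rejected by the baseline Pod Security Standard; a PVC like
        # staticfiles would avoid both.
        - name: mediafiles
          hostPath:
            path: /mnt/4_hdd/data/tandoor/mediafiles
            type: DirectoryOrCreate
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/instance: tandoor
    app.kubernetes.io/name: tandoor
    app.kubernetes.io/version: "2.5"
  name: tandoor
  namespace: tandoor-system
spec:
  type: ClusterIP
  ports:
    - name: http
      port: 8080
      protocol: TCP
      targetPort: http
  selector:
    app.kubernetes.io/instance: tandoor
    app.kubernetes.io/name: tandoor
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    external-dns.alpha.kubernetes.io/hostname: tandoor.dooplex.hu,tandoor.home
    nginx.ingress.kubernetes.io/proxy-body-size: 128m
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # Allows 192.168.*, 10.* and clients geolocated to HU; everything else
    # gets 403.
    # NOTE(review): this only works if the controller permits snippet
    # annotations, which also lets anyone who can edit this Ingress inject
    # NGINX config. The allow-list trusts $remote_addr, so if the controller
    # sees a load balancer or SNAT address in 10.* or 192.168.* instead of the
    # real client, every request passes; verify the controller's client-IP
    # handling.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      set $geo_allowed 0;
      if ($remote_addr ~ "^192\.168\.") {
        set $geo_allowed 1;
      }
      if ($remote_addr ~ "^10\.") {
        set $geo_allowed 1;
      }
      if ($geoip2_country_code = "HU") {
        set $geo_allowed 1;
      }
      if ($geo_allowed = 0) {
        return 403 "Access restricted to Hungary";
      }
  labels:
    app.kubernetes.io/instance: tandoor
    app.kubernetes.io/name: tandoor
  name: tandoor
  namespace: tandoor-system
spec:
  ingressClassName: nginx-internal
  rules:
    - host: tandoor.dooplex.hu
      http:
        paths:
          - backend:
              service:
                name: tandoor
                port:
                  number: 8080
            path: /
            pathType: Prefix
    - host: tandoor.home
      http:
        paths:
          - backend:
              service:
                name: tandoor
                port:
                  number: 8080
            path: /
            pathType: Prefix
  # Only tandoor.dooplex.hu is listed for TLS; tandoor.home has no entry here
  # even though ssl-redirect is enabled for the whole Ingress.
  tls:
    - hosts:
        - tandoor.dooplex.hu
      secretName: tandoor-tls
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  labels:
    app.kubernetes.io/instance: tandoor
    app.kubernetes.io/name: tandoor
  name: tandoor-staticfiles
  namespace: tandoor-system
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: longhorn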