homelab-manifests/tandoor-system/tandoor.yaml

---
apiVersion: v1
kind: Namespace
metadata:
  name: tandoor-system
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/instance: tandoor
    app.kubernetes.io/name: tandoor
    app.kubernetes.io/version: 2.3.6
  name: tandoor
  namespace: tandoor-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: tandoor
      app.kubernetes.io/name: tandoor
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: tandoor
        app.kubernetes.io/name: tandoor
        app.kubernetes.io/version: 2.3.6
    spec:
      initContainers:
      - name: create-superuser
        image: vabene1111/recipes:2.3.6
        workingDir: /opt/recipes
        command:
        - /bin/sh
        - -c
        - |
          . /opt/recipes/venv/bin/activate
          echo "Waiting for database..."
          while ! python -c "import socket; socket.create_connection(('postgresql-rw.database-system.svc.cluster.local', 5432), timeout=5)" 2>/dev/null; do
            sleep 2
          done
          echo "Database is ready. Running migrations..."
          python manage.py migrate --noinput
          echo "Collecting static files..."
          python manage.py collectstatic --noinput
          echo "Creating superuser if not exists..."
          python manage.py shell -c "
          from django.contrib.auth import get_user_model
          User = get_user_model()
          import os
          username = os.environ.get('DJANGO_SUPERUSER_USERNAME', 'admin')
          if not User.objects.filter(username=username).exists():
              User.objects.create_superuser(
                  username=username,
                  email=os.environ.get('DJANGO_SUPERUSER_EMAIL', ''),
                  password=os.environ.get('DJANGO_SUPERUSER_PASSWORD', 'admin')
              )
              print(f'Superuser {username} created successfully')
          else:
              print(f'Superuser {username} already exists')
          "
        volumeMounts:
        - name: staticfiles
          mountPath: /opt/recipes/staticfiles
        env:
        - name: DB_ENGINE
          value: django.db.backends.postgresql
        # Database - using shared PostgreSQL in database-system namespace
        - name: POSTGRES_HOST
          value: postgresql-rw.database-system.svc.cluster.local
        - name: POSTGRES_PORT
          value: "5432"
        - name: POSTGRES_DB
          value: tandoor
        - name: POSTGRES_USER
          valueFrom:
            secretKeyRef:
              name: tandoor-db
              key: username
        - name: POSTGRES_PASSWORD
          valueFrom:
            secretKeyRef:
              name: tandoor-db
              key: password
        - name: SECRET_KEY
          valueFrom:
            secretKeyRef:
              name: tandoor-app
              key: secret-key
        - name: DJANGO_SUPERUSER_USERNAME
          valueFrom:
            secretKeyRef:
              name: tandoor-admin
              key: username
        - name: DJANGO_SUPERUSER_PASSWORD
          valueFrom:
            secretKeyRef:
              name: tandoor-admin
              key: password
        - name: DJANGO_SUPERUSER_EMAIL
          valueFrom:
            secretKeyRef:
              name: tandoor-admin
              key: email
      containers:
      - name: tandoor
        image: vabene1111/recipes:2.3.6
        imagePullPolicy: IfNotPresent
        env:
        - name: TZ
          value: Europe/Budapest
        - name: DEBUG
          value: "0"
        - name: ALLOWED_HOSTS
          value: "*"
        - name: CSRF_TRUSTED_ORIGINS
          value: "https://tandoor.dooplex.hu,https://tandoor.home"
        - name: SECURE_PROXY_SSL_HEADER
          value: "HTTP_X_FORWARDED_PROTO,https"
        - name: DB_ENGINE
          value: django.db.backends.postgresql
        # Database - using shared PostgreSQL in database-system namespace
        - name: POSTGRES_HOST
          value: postgresql-rw.database-system.svc.cluster.local
        - name: POSTGRES_PORT
          value: "5432"
        - name: POSTGRES_DB
          value: tandoor
        - name: POSTGRES_USER
          valueFrom:
            secretKeyRef:
              name: tandoor-db
              key: username
        - name: POSTGRES_PASSWORD
          valueFrom:
            secretKeyRef:
              name: tandoor-db
              key: password
        - name: SECRET_KEY
          valueFrom:
            secretKeyRef:
              name: tandoor-app
              key: secret-key
        - name: GUNICORN_MEDIA
          value: "1"
        - name: ENABLE_SIGNUP
          value: "0"
        - name: ENABLE_METRICS
          value: "1"
        - name: TANDOOR_PORT
          value: "8080"
        - name: SOCIAL_PROVIDERS
          value: "allauth.socialaccount.providers.openid_connect"
        - name: SOCIALACCOUNT_PROVIDERS
          value: '{"openid_connect":{"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"y7Mv9stcPZYAGz5QQyzFO9KBFjXHG6OWhLNWPMHL","secret":"tSbRKbfnUigzibKaJpAAwJoF8JLXazssydS6WLoAGCD3hGqZ3ceK5SUvSAEcncQCImZaMmsepO3zwfgIO3huA4GRCHS5NzLGm0L2Ifz60PGKW0htr54u12pWOUBJc6dG","settings":{"server_url":"https://authentik.dooplex.hu/application/o/tandoor/.well-known/openid-configuration"}}]}}'
        ports:
        - containerPort: 8080
          name: http
          protocol: TCP
        livenessProbe:
          httpGet:
            path: /
            port: http
          initialDelaySeconds: 60
          periodSeconds: 30
          timeoutSeconds: 10
          failureThreshold: 5
        readinessProbe:
          httpGet:
            path: /
            port: http
          initialDelaySeconds: 30
          periodSeconds: 10
          timeoutSeconds: 5
          failureThreshold: 3
        resources:
          limits:
            cpu: "1"
            memory: 1Gi
          requests:
            cpu: 100m
            memory: 256Mi
        volumeMounts:
        - name: staticfiles
          mountPath: /opt/recipes/staticfiles
        - name: mediafiles
          mountPath: /opt/recipes/mediafiles
      volumes:
      - name: staticfiles
        persistentVolumeClaim:
          claimName: tandoor-staticfiles
      - name: mediafiles
        hostPath:
          path: /mnt/4_hdd/data/tandoor/mediafiles
          type: DirectoryOrCreate
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/instance: tandoor
    app.kubernetes.io/name: tandoor
    app.kubernetes.io/version: 2.3.6
  name: tandoor
  namespace: tandoor-system
spec:
  type: ClusterIP
  ports:
  - name: http
    port: 8080
    protocol: TCP
    targetPort: http
  selector:
    app.kubernetes.io/instance: tandoor
    app.kubernetes.io/name: tandoor
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    external-dns.alpha.kubernetes.io/hostname: tandoor.dooplex.hu,tandoor.home
    nginx.ingress.kubernetes.io/proxy-body-size: 128m
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
  labels:
    app.kubernetes.io/instance: tandoor
    app.kubernetes.io/name: tandoor
  name: tandoor
  namespace: tandoor-system
spec:
  ingressClassName: nginx-internal
  rules:
  - host: tandoor.dooplex.hu
    http:
      paths:
      - backend:
          service:
            name: tandoor
            port:
              number: 8080
        path: /
        pathType: Prefix
  - host: tandoor.home
    http:
      paths:
      - backend:
          service:
            name: tandoor
            port:
              number: 8080
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - tandoor.dooplex.hu
    secretName: tandoor-tls
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  labels:
    app.kubernetes.io/instance: tandoor
    app.kubernetes.io/name: tandoor
  name: tandoor-staticfiles
  namespace: tandoor-system
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: longhorn