innohub/k3s
7
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: innohub:7f83a3e5263aef0a43972de620fbe02f7aa3510b
Branches Tags
innohub:main
..
compare: innohub:main
Branches Tags
innohub:main

71 Commits
7f83a3e526 ... main

Author SHA1 Message Date
Daniel
9d2e2cde20 Testing for RR stuff... 2026-01-16 10:01:33 +01:00
titver968
3bed7c95eb mrknow traefik config 2026-01-15 14:40:49 +01:00
titver968
3379af24f6 mrknow certificate in cert-manager 2026-01-15 14:35:15 +01:00
titver968
19c9a3a5ae wekan and keycloak 2026-01-08 15:49:13 +01:00
titver968
b0d56f2102 wekan and keycloak 2026-01-08 15:44:42 +01:00
titver968
8ea94c3b3d wekan and keycloak 2026-01-08 15:38:53 +01:00
titver968
bdb13cb00a wekantest and keycloak redirect more Variables 2026-01-08 15:24:21 +01:00
titver968
520c545ef4 wekantest and keycloak redirect redirect 2026-01-08 14:59:49 +01:00
titver968
cbf3f58285 wekantest and keycloak redirect redirect 2026-01-08 13:09:44 +01:00
titver968
9848eb1c1b wekantest and keycloak redirect redirect 2026-01-08 13:02:51 +01:00
titver968
f71ee10c63 wekantest and keycloak redirect popup 2026-01-08 12:58:40 +01:00
titver968
6448963486 wekantest and keycloak 2026-01-08 11:59:05 +01:00
titver968
2aae7e8b7e wekantest and keycloak 2026-01-08 11:54:23 +01:00
titver968
6eefb0da8b wekantest and keycloak 2026-01-08 09:58:35 +01:00
titver968
4f8ed26d4d open-webui: warnings fixed 2026-01-07 12:07:29 +01:00
titver968
8dc36f24d9 open-webui: WEBUI_SECRET_KEY added 2026-01-07 12:03:27 +01:00
titver968
6e4daf35ad open-webui: logout redirect URL 2026-01-07 11:54:33 +01:00
titver968
92cf4bdb78 open-webui: logout redirect URL 2026-01-07 11:43:48 +01:00
titver968
569895fb91 open-webui: sso: oidc: realm innohub 2026-01-07 10:50:13 +01:00
titver968
20a9c5b3bb open-webui: sso: oidc: debug 2026-01-07 09:06:17 +01:00
titver968
f5aee6d900 open-webui: sso: oidc: debug 2026-01-07 09:00:48 +01:00
titver968
99670aa277 open-webui: sso: oidc: new config 2026-01-07 08:53:17 +01:00
titver968
9da3941cfc open-webui: sso: oidc: 2026-01-07 08:35:41 +01:00
titver968
5daed5ebd4 deleted old open-webui config file 2026-01-06 10:09:21 +01:00
titver968
17ac7ddd68 open-webui existenceVolume deleted 2026-01-06 09:20:24 +01:00
titver968
2a5133da48 open-webui new version 9 2026-01-06 09:10:04 +01:00
titver968
4631aa1a5a open-webui commented 2026-01-06 09:07:19 +01:00
titver968
e1a6a53c57 back to the old Version 2026-01-06 09:05:03 +01:00
titver968
3efc060d0e open-webui mit helm.chart Konfig 2026-01-06 08:17:14 +01:00
titver968
3bdc7ecaa4 keycloak certifivate nur in cert-manager 2026-01-05 07:56:15 +01:00
titver968
9fdc42a6a3 keycloak certificate in argo-cd 2025-12-30 12:42:56 +01:00
titver968
b910243e2f mantisbt/config_inc.php 2025-12-30 12:25:49 +01:00
titver968
5520c55527 wekantest mongodb image deleted 2025-12-30 07:25:24 +01:00
titver968
519959b991 wekan mongodb tag: 7.0.28 2025-12-29 08:44:03 +01:00
titver968
c902ee862c wekantest mongodb tag: 7.0.28 2025-12-29 08:38:50 +01:00
titver968
f9588b0718 mattermost lets-encrypr Produktion 2025-12-19 09:57:51 +01:00
titver968
7a38ce1774 mantisbt mariadb Readiness 2025-12-19 08:45:46 +01:00
titver968
cc4a9a33cf Wekan und Wekantest die Versionen gewechselt. 2025-12-18 07:53:05 +01:00
titver968
49f4afa55e seaweedfs commented 2025-12-16 23:14:34 +01:00
titver968
daabaabcb2 n8n minio, redis und postgresPassword 2025-12-16 15:00:13 +01:00
titver968
5647295120 enableAdmin 0 2025-12-15 16:07:23 +01:00
titver968
f1efb3a801 enableAdmin 1 2025-12-15 15:33:35 +01:00
titver968
a3b042b104 masterSalt eingetragen 2025-12-15 15:19:02 +01:00
titver968
9bd2f3b8bc enable admin 1 2025-12-15 13:48:47 +01:00
titver968
a71e5ac907 masterSalt Passwort setzten 2025-12-15 13:38:03 +01:00
titver968
84ffea9d59 adminPasswort 2025-12-15 13:22:39 +01:00
titver968
e4ad00b4f3 enableAdmin 0 2025-12-15 12:15:37 +01:00
titver968
1ee0686020 mantisbt V4 more config 2025-12-15 11:54:31 +01:00
titver968
0ae03ae994 mantisbt V4 email configuration added 2025-12-15 11:10:11 +01:00
titver968
0aa3744ba6 mantisbt V4 2025-12-15 10:57:52 +01:00
titver968
8e6c6f72e9 mantisbt V3 mariadb debug 2025-12-15 09:52:38 +01:00
titver968
05e73b6832 mantisbt V3 2025-12-15 09:48:21 +01:00
titver968
581da487ed mantisbt V3 2025-12-15 09:46:12 +01:00
titver968
8ace260f87 mariadb Image tag latest 2025-12-12 12:52:36 +01:00
titver968
0b9f88b7c0 mariadb Image 11.4 auth richtig eingerueckt 2025-12-12 12:49:18 +01:00
titver968
209d0015c1 mariadb Image 11.4 2025-12-12 12:43:57 +01:00
titver968
d329c20444 mantisbt v2 2025-12-12 12:30:43 +01:00
titver968
1641b9bea3 new matisbt App 2025-12-12 11:59:19 +01:00
titver968
2b48963d54 new certificate for matisbt,innovation... 2025-12-12 10:24:39 +01:00
titver968
b8f9370db8 nextcloud redis Timeout 20 S und replicas 2025-12-11 14:45:59 +01:00
titver968
6f36a51451 nextcloud redis standalone 2025-12-11 07:32:03 +01:00
titver968
cf48328090 wekantest dbname 2025-12-10 13:52:49 +01:00
titver968
8b42195f1e added wekantest 2025-12-10 13:49:47 +01:00
titver968
9d8166d49c ohne .idea 2025-12-10 13:47:55 +01:00
titver968
4e21b5e06f gitignore fuer .idea 2025-12-10 13:46:11 +01:00
titver968
b04e96530d wekantest deleted 2025-12-10 13:42:58 +01:00
titver968
fc45280db8 keycloak deleted 2025-12-10 13:41:24 +01:00
titver968
aa1923da06 wekantest added 2025-12-10 13:36:38 +01:00
titver968
fc5f26533d sws3-certificate.yaml deleted 2025-12-10 10:34:30 +01:00
titver968
83f1e5d98f openproject deleted seaweedfs commented 2025-12-10 10:33:02 +01:00
titver968
6d913d015e seaweedfs commented 2025-12-10 10:32:16 +01:00
24 changed files with 831 additions and 384 deletions
Expand all files Collapse all files

1
argocd/apps/.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
.idea

14
argocd/apps/cert-manager/include/mantisbt-cerficate.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: innovation-hub-niedersachsen.de-mantisbt
namespace: kube-system
spec:
secretName: mantisbt-tls
commonName: 'mantisbt.innovation-hub-niedersachsen.de'
dnsNames:
- 'mantisbt.innovation-hub-niedersachsen.de'
issuerRef:
name: lets-encrypt
kind: ClusterIssuer
group: cert-manager.io

14
argocd/apps/cert-manager/include/mrknow-cerficate.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: innovation-hub-niedersachsen.de-mrknow
namespace: kube-system
spec:
secretName: mrknow-tls
commonName: 'mrknow.innovation-hub-niedersachsen.de'
dnsNames:
- 'mrknow.innovation-hub-niedersachsen.de'
issuerRef:
name: lets-encrypt
kind: ClusterIssuer
group: cert-manager.io

13
argocd/apps/cert-manager/include/rr-certificate.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: rr-cert
namespace: kube-system
spec:
secretName: rr-tls
issuerRef:
name: lets-encrypt
kind: ClusterIssuer
commonName: rr.innovation-hub-niedersachsen.de
dnsNames:
- rr.innovation-hub-niedersachsen.de

14
argocd/apps/cert-manager/include/sws3-cerficate.yaml
View File

@@ -1,14 +0,0 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: innovation-hub-niedersachsen.sws3
namespace: kube-system
spec:
secretName: sws3.innovation-hub-niedersachsen.de-tls
commonName: 'sws3.innovation-hub-niedersachsen.de'
dnsNames:
- 'sws3.innovation-hub-niedersachsen.de'
issuerRef:
name: lets-encrypt
kind: ClusterIssuer
group: cert-manager.io

14
argocd/apps/cert-manager/include/wekantest-cerficate.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: innovation-hub-niedersachsen.de-wekantest
namespace: kube-system
spec:
secretName: wekantest-tls
commonName: 'wekantest.innovation-hub-niedersachsen.de'
dnsNames:
- 'wekantest.innovation-hub-niedersachsen.de'
issuerRef:
name: lets-encrypt
kind: ClusterIssuer
group: cert-manager.io

42
argocd/apps/keycloak/values-keycloak.yaml Normal file
View File

@@ -0,0 +1,42 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: keycloak-headers
namespace: kube-system
spec:
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Port: "443"
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: keycloak
namespace: kube-system
spec:
entryPoints:
- websecure
routes:
- match: Host(`keycloak.innovation-hub-niedersachsen.de`)
kind: Rule
middlewares:
- name: keycloak-headers
services:
- name: keycloak-external
port: 8080
tls:
secretName: keycloak-tls
---
apiVersion: v1
kind: Service
metadata:
name: keycloak-external
namespace: kube-system
spec:
type: ExternalName
externalName: keycloak.innohub.local
ports:
- port: 8080

35
argocd/apps/mantisbt/config_inc.php Normal file
View File

@@ -0,0 +1,35 @@
<?php
$g_hostname = 'mantisbt-mariadb';
$g_db_type = 'mysqli';
$g_database_name = 'mantisbt';
$g_db_username = 'mantisbt';
$g_db_password = 'MantisDBPassword_2024!';
$g_default_timezone = 'Europe/Berlin';
$g_crypto_master_salt = 'shJaiK32W2tABdTZjwRUrZN+90AWLHXaLKiOt1Fwpaw=';
$g_path = 'https://mantisbt.innovation-hub-niedersachsen.de/';
# Email settings
$g_webmaster_email = 'inno-netz@zpd.polizei.niedersachsen.de';
$g_from_email = 'mantisbt@innovation-hub-niedersachsen.de';
$g_return_path_email = 'mantisbt@innovation-hub-niedersachsen.de';
$g_from_name = 'InnoHub MantisBT';
# SMTP Configuration
$g_phpMailer_method = PHPMAILER_METHOD_SMTP;
$g_smtp_host = '192.168.4.125';
$g_smtp_port = 25;
$g_enable_email_notification = ON;
# File upload - match PHP limit
$g_max_file_size = 2000000;
$g_allowed_files = 'png,gif,jpg,jpeg,pdf,doc,docx,xls,xlsx,ppt,pptx,txt,zip,rar,7z';
# Site settings
$g_window_title = 'InnoHub Bug Tracker';
$g_logo_image = 'images/mantis_logo.png';
# Security - disable after installation!
# $g_allow_signup = OFF;

91
argocd/apps/mantisbt/values-mantisbt.yaml Normal file
View File

@@ -0,0 +1,91 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: mantisbt
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: 'https://gitea.innovation-hub-niedersachsen.de/innohub/charts/raw/main/mantisbt'
targetRevision: 0.4.*
chart: mantisbt
helm:
values: |
image:
repository: xlrl/mantisbt
tag: "latest"
ingress:
enabled: true
className: traefik
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.tls: "true"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
cert-manager.io/cluster-issuer: lets-encrypt
hosts:
- mantisbt.innovation-hub-niedersachsen.de
tls:
- secretName: mantisbt-tls
hosts:
- mantisbt.innovation-hub-niedersachsen.de
mantisbt:
enableAdmin: "0"
timezone: "Europe/Berlin"
masterSalt: "shJaiK32W2tABdTZjwRUrZN+90AWLHXaLKiOt1Fwpaw="
persistence:
enabled: true
storageClass: longhorn
size: 10Gi
resources:
requests:
memory: 256Mi
cpu: 100m
limits:
memory: 512Mi
cpu: 500m
mariadb:
enabled: true
image:
tag: "latest"
auth:
database: mantisbt
username: mantisbt
password: "MantisDBPassword_2024!"
rootPassword: "RootDBPassword_2024!"
primary:
persistence:
enabled: true
storageClass: longhorn
size: 8Gi
livenessProbe:
enabled: true
initialDelaySeconds: 120
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
readinessProbe:
enabled: true
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
destination:
server: 'https://kubernetes.default.svc'
namespace: mantisbt
syncPolicy:
managedNamespaceMetadata:
labels:
pod-security.kubernetes.io/enforce: "privileged"
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true

2
argocd/apps/mattermost/mattermnost.yaml
View File

@@ -90,7 +90,7 @@ spec:
secretName: mattermost-tls
annotations:
kubernetes.io/ingress.class: traefik
cert-manager.io/cluster-issuer: lets-encrypt-staging
cert-manager.io/cluster-issuer: lets-encrypt
destination:
server: 'https://kubernetes.default.svc'

165
argocd/apps/mrknow/traefik-mrknow.yaml Normal file
View File

@@ -0,0 +1,165 @@
# =============================================================================
# Traefik IngressRoute Konfiguration für MR.KNOW / BPM Inspire
# =============================================================================
# Anpassen:
# - Host: mrknow.innovation-hub-niedersachsen.de (oder gewünschte Domain)
# - externalName: IP/Hostname des Portainer/Docker Hosts
# - secretName: TLS-Zertifikat Secret
# =============================================================================
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: mrknow-headers
namespace: kube-system
spec:
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Port: "443"
---
# =============================================================================
# IngressRoute für InForm (Frontend / Root-Pfad)
# =============================================================================
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: mrknow-inform
namespace: kube-system
spec:
entryPoints:
- websecure
routes:
- match: Host(`mrknow.innovation-hub-niedersachsen.de`) && !PathPrefix(`/insign`) && !PathPrefix(`/inspire`) && !PathPrefix(`/pgadmin`)
kind: Rule
middlewares:
- name: mrknow-headers
services:
- name: mrknow-inform-external
port: 8080
tls:
secretName: mrknow-tls
---
# =============================================================================
# IngressRoute für InSign
# =============================================================================
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: mrknow-insign
namespace: kube-system
spec:
entryPoints:
- websecure
routes:
- match: Host(`mrknow.innovation-hub-niedersachsen.de`) && PathPrefix(`/insign`)
kind: Rule
middlewares:
- name: mrknow-headers
services:
- name: mrknow-insign-external
port: 8081
tls:
secretName: mrknow-tls
---
# =============================================================================
# IngressRoute für InSpire
# =============================================================================
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: mrknow-inspire
namespace: kube-system
spec:
entryPoints:
- websecure
routes:
- match: Host(`mrknow.innovation-hub-niedersachsen.de`) && PathPrefix(`/inspire`)
kind: Rule
middlewares:
- name: mrknow-headers
services:
- name: mrknow-inspire-external
port: 8082
tls:
secretName: mrknow-tls
# ---
# =============================================================================
# IngressRoute für PgAdmin (optional)
# =============================================================================
# apiVersion: traefik.io/v1alpha1
# kind: IngressRoute
# metadata:
# name: mrknow-pgadmin
# namespace: kube-system
# spec:
# entryPoints:
# - websecure
# routes:
# - match: Host(`mrknow.innovation-hub-niedersachsen.de`) && PathPrefix(`/pgadmin`)
# kind: Rule
# middlewares:
# - name: mrknow-headers
# services:
# - name: mrknow-pgadmin-external
# port: 5050
# tls:
# secretName: mrknow-tls
---
# =============================================================================
# External Services - Verbindung zum Portainer/Docker Host
# =============================================================================
# WICHTIG: externalName auf den Hostnamen/IP deines Docker-Hosts anpassen!
# =============================================================================
apiVersion: v1
kind: Service
metadata:
name: mrknow-inform-external
namespace: kube-system
spec:
type: ExternalName
externalName: mrknow.innohub.local
ports:
- port: 8080
---
apiVersion: v1
kind: Service
metadata:
name: mrknow-insign-external
namespace: kube-system
spec:
type: ExternalName
externalName: mrknow.innohub.local
ports:
- port: 8081
---
apiVersion: v1
kind: Service
metadata:
name: mrknow-inspire-external
namespace: kube-system
spec:
type: ExternalName
externalName: mrknow.innohub.local
ports:
- port: 8082
---
apiVersion: v1
kind: Service
metadata:
name: mrknow-pgadmin-external
namespace: kube-system
spec:
type: ExternalName
externalName: mrknow.innohub.local
ports:
- port: 5050

6
argocd/apps/n8n/values-n8n.yaml
View File

@@ -34,7 +34,6 @@ spec:
# PostgreSQL Datenbank
db:
type: "postgresdb"
postgresql:
enabled: true
primary:
@@ -48,11 +47,14 @@ spec:
auth:
username: "n8n"
password: "n8n"
postgresPassword: "35PuQG99qi"
database: "n8n"
# MinIO für Binary Data
minio:
enabled: true
rootUser: "vkYCY4YJsFv11E18az7o"
rootPassword: "gOVBJMs5qxABhReVQwe3M43mfS8RsejUJSKOWr5N"
persistence:
enabled: true
storageClass: "longhorn"
@@ -63,6 +65,8 @@ spec:
# Redis für Queue Mode
redis:
enabled: true
auth:
password: "y8GBnBTleK"
master:
persistence:
enabled: true

7
argocd/apps/nextcloud/nextcloud.yaml
View File

@@ -85,6 +85,7 @@ spec:
enabled: true
auth:
password: redisInnoDBUser
# architecture: standalone
master:
extraEnvVars:
- name: REDIS_MASTER_HOST
@@ -92,15 +93,15 @@ spec:
- name: REDIS_MASTER_PORT_NUMBER
value: "6379"
readinessProbe:
timeoutSeconds: 10
replica:
timeoutSeconds: 20
replica:
extraEnvVars:
- name: REDIS_MASTER_HOST
value: "nextcloud-redis-master"
- name: REDIS_MASTER_PORT_NUMBER
value: "6379"
readinessProbe:
timeoutSeconds: 10
timeoutSeconds: 20
postgresql:
enabled: true

57
argocd/apps/open-webui/openwebui.yaml
View File

@@ -1,57 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: open-webui
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: 'https://helm.openwebui.com/'
targetRevision: 8.*.*
helm:
parameters:
- name: serviceAccount.enable
value: 'false'
- name: persistence.size
value: 200Gi
- name: existingClaim
value: "open-webui"
- name: ollama.enabled
value: 'false'
# - name: ollama.persistentVolume.enabled
# value: 'true'
# - name: ollama.persistence.existingClaim
# value: "open-webui-llm-storage"
# - name: ollama.persistenceVolume.size
# value: 200Gi
- name: ingress.class
value: 'traefik'
- name: ingress.enabled
value: 'true'
- name: ingress.host
value: "innollm.innovation-hub-niedersachsen.de"
- name: ingress.tls
value: 'true'
- name: ingress.existingSecret
value: 'innollm-tls'
- name: ingress.annotations.kubernetes\.io\/ingress\.class
value: traefik
- name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.tls
value: 'true'
forceString: true
- name: ingress.annotations.cert-manager\.io\/cluster-issuer
value: lets-encrypt
chart: open-webui
destination:
server: 'https://kubernetes.default.svc'
namespace: open-webui
syncPolicy:
managedNamespaceMetadata:
labels:
pod-security.kubernetes.io/enforce: 'privileged'
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true

72
argocd/apps/open-webui/values-openwebui.yaml Normal file
View File

@@ -0,0 +1,72 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: open-webui
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: 'https://helm.openwebui.com/'
targetRevision: 9.*.*
chart: open-webui
helm:
values: |
serviceAccount:
enable: false
persistence:
size: 200Gi
storageClass: longhorn
ollama:
enabled: false
extraEnvVars:
- name: OAUTH_LOGOUT_REDIRECT_URL
value: "https://innollm.innovation-hub-niedersachsen.de/"
- name: ENABLE_OAUTH_LOGOUT
value: "true"
- name: WEBUI_SECRET_KEY
value: "17e027e793724fcbf0400c91374d6960f1beec64b52939c4ee20c1b6faf859ad"
- name: CORS_ALLOW_ORIGIN
value: "https://innollm.innovation-hub-niedersachsen.de"
- name: USER_AGENT
value: "Open-WebUI/InnoHub"
ingress:
enabled: true
class: traefik
host: "innollm.innovation-hub-niedersachsen.de"
tls: true
existingSecret: "innollm-tls"
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: lets-encrypt
sso:
enabled: true
enableSignup: true
mergeAccountsByEmail: false
enableRoleManagement: false
enableGroupManagement: false
oidc:
enabled: true
clientId: "open-webui"
clientSecret: "RFkQ5RDXv6KE4DiQsOq3BJejWFElu90G"
providerUrl: "https://keycloak.innovation-hub-niedersachsen.de/realms/innohub/.well-known/openid-configuration"
providerName: "Keycloak"
destination:
server: 'https://kubernetes.default.svc'
namespace: open-webui
syncPolicy:
managedNamespaceMetadata:
labels:
pod-security.kubernetes.io/enforce: 'privileged'
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true

8
argocd/apps/openproject/openproject-ns.yaml
View File

@@ -1,8 +0,0 @@
#apiVersion: v1
#kind: Namespace
#metadata:
# name: openproject
# labels:
# pod-security.kubernetes.io/enforce: privileged
# pod-security.kubernetes.io/audit: privileged
# pod-security.kubernetes.io/warn: privileged

9
argocd/apps/openproject/postgresql-auth.yaml
View File

@@ -1,9 +0,0 @@
#apiVersion: v1
#kind: Secret
#metadata:
# name: postgresql-auth
# namespace: openproject
#type: Opaque
#stringData:
# postgres-password: InnoPG2025
# password: InnoDB2025

126
argocd/apps/openproject/values-openproject.yaml
View File

@@ -1,126 +0,0 @@
#apiVersion: argoproj.io/v1alpha1
#kind: Application
#metadata:
# name: openproject
# finalizers:
# - resources-finalizer.argocd.argoproj.io
#spec:
# project: default
# source:
# repoURL: 'https://charts.openproject.org'
# chart: openproject
# targetRevision: 11.*.*
# helm:
# values: |
# develop: false
#
# environment:
# EMAIL_DELIVERY_METHOD: "smtp"
# SMTP_ADDRESS: "smtp.innohub.local"
# SMTP_PORT: "25"
# SMTP_DOMAIN: "innovation-hub-niedersachsen.de"
# SMTP_AUTHENTICATION: "none"
# SMTP_ENABLE_STARTTLS_AUTO: "false"
#
# cron:
# enabled: false
# environment:
# IMAP_HOST: "smtp.innovation-hub-niedersachsen.de"
# IMAP_PORT: 993
# IMAP_SSL: "true"
# IMAP_USERNAME: "openproject"
# IMAP_PASSWORD: "openproject-imap-password"
# schedule: "*/5 * * * *"
# ingress:
# enabled: true
# ingressClassName: traefik
# annotations:
# kubernetes.io/ingress.class: traefik
# traefik.ingress.kubernetes.io/router.entrypoints: websecure
# traefik.ingress.kubernetes.io/router.tls: "true"
# cert-manager.io/cluster-issuer: lets-encrypt
# host: "openproject.innovation-hub-niedersachsen.de"
# path: /
# pathType: "Prefix"
# tls:
# enabled: true
# secretName: openproject-tls
#
# openproject:
# https: true
# hsts: true
# seed_locale: "de"
# useTmpVolumes: "false"
# admin_user:
# password: "admin"
# password_reset: true
# name: "OpenProject Admin"
# mail: "inno-netz@zpd.polizei.niedersachsen.de"
#
# resources:
# requests:
# memory: "1Gi"
# limits:
# memory: "2Gi"
#
# appInit:
# resources:
# requests:
# memory: "512Mi"
# limits:
# memory: "1Gi"
#
# memcached:
# global:
# readOnlyRootFilesystem: false
#
# containerSecurityContext:
# readOnlyRootFilesystem: false
#
# persistence:
# enabled: false
# accessModes:
# - "ReadWriteOnce"
#
# s3:
# enabled: true
# auth:
# accessKeyId: "K7mNpQ2vRxL9wYtH3Zc8"
# secretAccessKey: "jX9fK2mP5nQ8rT1vW4yZ7bN0cM3hL6gF9dS2aE5k"
# host: "sws3.innovation-hub-niedersachsen.de"
# port: 443
# bucketName: "openproject"
# region: "eu-central-1"
#
# postgresql:
# bundled: true
# auth:
# existingSecret: "postgresql-auth"
# username: "openproject"
# # password: "openproject123"
# # postgresPassword: "postgres123"
# database: "openproject"
# global:
# readOnlyRootFilesystem: false
# primary:
# persistence:
# enabled: true
# size: 8Gi
# service:
# type: ClusterIP
# ports:
# postgresql: 5432
#
# destination:
# server: 'https://kubernetes.default.svc'
# namespace: openproject
#
# syncPolicy:
# managedNamespaceMetadata:
# labels:
# pod-security.kubernetes.io/enforce: "privileged"
# automated:
# selfHeal: true
# prune: true
# syncOptions:
# - CreateNamespace=true

92
argocd/apps/seaweedfs/admin-s3-secrets.yaml
View File

@@ -1,46 +1,46 @@
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: admin-s3-secret
namespace: seaweedfs
labels:
app.kubernetes.io/name: seaweedfs
app.kubernetes.io/component: seaweedfs-s3
stringData:
seaweedfs_s3_config: |
{
"identities": [
{
"name": "tatort",
"credentials": [
{
"accessKey": "wjpKrmaqXra99rX3D61H",
"secretKey": "fTPi0u0FR6Lv9Y9IKydWv6WM0EA5XrsK008HCt9u"
}
],
"actions": ["Read", "Write", "Admin"]
},
{
"name": "plane",
"credentials": [
{
"accessKey": "a0ccb47cc0994bf51ecd",
"secretKey": "0d54ee2f943f2a56b8cafc3afe9cb1e2f9fecac2"
}
],
"actions": ["Read", "Write", "Admin"]
},
{
"name": "n8n",
"credentials": [
{
"accessKey": "WPpTwIoSMgrPChsS3rdS",
"secretKey": "C59o3EAhsUKBWj1oiPtiYRq3GhLMFeYDeiMxJ4SW"
}
],
"actions": ["Read", "Write", "Admin"]
}
]
}
#apiVersion: v1
#kind: Secret
#type: Opaque
#metadata:
# name: admin-s3-secret
# namespace: seaweedfs
# labels:
# app.kubernetes.io/name: seaweedfs
# app.kubernetes.io/component: seaweedfs-s3
#
#stringData:
# seaweedfs_s3_config: |
# {
# "identities": [
# {
# "name": "tatort",
# "credentials": [
# {
# "accessKey": "wjpKrmaqXra99rX3D61H",
# "secretKey": "fTPi0u0FR6Lv9Y9IKydWv6WM0EA5XrsK008HCt9u"
# }
# ],
# "actions": ["Read", "Write", "Admin"]
# },
# {
# "name": "plane",
# "credentials": [
# {
# "accessKey": "a0ccb47cc0994bf51ecd",
# "secretKey": "0d54ee2f943f2a56b8cafc3afe9cb1e2f9fecac2"
# }
# ],
# "actions": ["Read", "Write", "Admin"]
# },
# {
# "name": "n8n",
# "credentials": [
# {
# "accessKey": "WPpTwIoSMgrPChsS3rdS",
# "secretKey": "C59o3EAhsUKBWj1oiPtiYRq3GhLMFeYDeiMxJ4SW"
# }
# ],
# "actions": ["Read", "Write", "Admin"]
# }
# ]
# }

20
argocd/apps/seaweedfs/seaweedfs-jwt-secret.yaml
View File

@@ -1,10 +1,10 @@
apiVersion: v1
kind: Secret
metadata:
name: seaweedfs-jwt
namespace: seaweedfs
stringData:
jwt.json: |
{
"secret": "inno-super-secret-key"
}
#apiVersion: v1
#kind: Secret
#metadata:
# name: seaweedfs-jwt
# namespace: seaweedfs
#stringData:
# jwt.json: |
# {
# "secret": "inno-super-secret-key"
# }

216
argocd/apps/seaweedfs/values-seaweedfs.yaml
View File

@@ -1,108 +1,108 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: seaweedfs
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: "https://seaweedfs.github.io/seaweedfs/helm"
chart: seaweedfs
targetRevision: "4.*.*"
helm:
values: |
global:
extraEnvironmentVars:
WEED_CLUSTER_DEFAULT: "sw"
WEED_CLUSTER_SW_MASTER: "seaweedfs-master.seaweedfs:9333"
WEED_CLUSTER_SW_FILER: "seaweedfs-filer.seaweedfs:8888"
master:
enabled: true
replicas: 1
data:
type: existingClaim
claimName: seaweedfs-master-data-longhorn
volume:
enabled: true
replicas: 1
dataDirs:
- name: data1
type: existingClaim
claimName: seaweedfs-volume-data-longhorn
maxVolumes: 0
idx:
type: existingClaim
claimName: seaweedfs-volume-idx-longhorn
filer:
enabled: true
replicas: 1
data:
type: existingClaim
claimName: seaweedfs-filer-data-longhorn
# s3:
# enabled: false
# port: 8333
# domainName: "sws3.innovation-hub-niedersachsen.de"
# allowEmptyFolder: true
# enableAuth: true
# allowDeleteBucketNotEmpty: true
s3:
enabled: true
replicas: 1
port: 8333
enableAuth: true
existingConfigSecret: admin-s3-secret
existingConfigSecretKey: seaweedfs_s3_config
extraEnvironmentVars:
WEED_S3_ALLOWED_ORIGINS: "*"
WEED_FILER: "seaweedfs-filer.seaweedfs.svc.cluster.local:8888"
extraArgs:
- "-allowedOrigins=*"
- "-filer=seaweedfs-filer.seaweedfs:8888"
service:
type: ClusterIP
ports:
- name: http
port: 8333
targetPort: 8333
protocol: TCP
ingress:
enabled: true
className: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: "lets-encrypt"
traefik.ingress.kubernetes.io/router.middlewares: seaweedfs-s3-cors@kubernetescrd
host: "sws3.innovation-hub-niedersachsen.de"
hosts:
- host: sws3.innovation-hub-niedersachsen.de
paths:
- path: /
pathType: Prefix
tls:
- secretName: sws3.innovation-hub-niedersachsen.de-tls
hosts:
- sws3.innovation-hub-niedersachsen.de
destination:
server: "https://kubernetes.default.svc"
namespace: seaweedfs
syncPolicy:
managedNamespaceMetadata:
labels:
pod-security.kubernetes.io/enforce: "privileged"
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true
#apiVersion: argoproj.io/v1alpha1
#kind: Application
#metadata:
# name: seaweedfs
# finalizers:
# - resources-finalizer.argocd.argoproj.io
#spec:
# project: default
# source:
# repoURL: "https://seaweedfs.github.io/seaweedfs/helm"
# chart: seaweedfs
# targetRevision: "4.*.*"
# helm:
# values: |
# global:
# extraEnvironmentVars:
# WEED_CLUSTER_DEFAULT: "sw"
# WEED_CLUSTER_SW_MASTER: "seaweedfs-master.seaweedfs:9333"
# WEED_CLUSTER_SW_FILER: "seaweedfs-filer.seaweedfs:8888"
#
# master:
# enabled: true
# replicas: 1
# data:
# type: existingClaim
# claimName: seaweedfs-master-data-longhorn
#
# volume:
# enabled: true
# replicas: 1
# dataDirs:
# - name: data1
# type: existingClaim
# claimName: seaweedfs-volume-data-longhorn
# maxVolumes: 0
# idx:
# type: existingClaim
# claimName: seaweedfs-volume-idx-longhorn
#
# filer:
# enabled: true
# replicas: 1
# data:
# type: existingClaim
# claimName: seaweedfs-filer-data-longhorn
# # s3:
# # enabled: false
# # port: 8333
# # domainName: "sws3.innovation-hub-niedersachsen.de"
# # allowEmptyFolder: true
# # enableAuth: true
# # allowDeleteBucketNotEmpty: true
#
# s3:
# enabled: true
# replicas: 1
# port: 8333
# enableAuth: true
# existingConfigSecret: admin-s3-secret
# existingConfigSecretKey: seaweedfs_s3_config
#
# extraEnvironmentVars:
# WEED_S3_ALLOWED_ORIGINS: "*"
# WEED_FILER: "seaweedfs-filer.seaweedfs.svc.cluster.local:8888"
# extraArgs:
# - "-allowedOrigins=*"
# - "-filer=seaweedfs-filer.seaweedfs:8888"
#
# service:
# type: ClusterIP
# ports:
# - name: http
# port: 8333
# targetPort: 8333
# protocol: TCP
#
# ingress:
# enabled: true
# className: traefik
# annotations:
# traefik.ingress.kubernetes.io/router.entrypoints: websecure
# traefik.ingress.kubernetes.io/router.tls: "true"
# cert-manager.io/cluster-issuer: "lets-encrypt"
# traefik.ingress.kubernetes.io/router.middlewares: seaweedfs-s3-cors@kubernetescrd
# host: "sws3.innovation-hub-niedersachsen.de"
# hosts:
# - host: sws3.innovation-hub-niedersachsen.de
# paths:
# - path: /
# pathType: Prefix
# tls:
# - secretName: sws3.innovation-hub-niedersachsen.de-tls
# hosts:
# - sws3.innovation-hub-niedersachsen.de
#
# destination:
# server: "https://kubernetes.default.svc"
# namespace: seaweedfs
#
# syncPolicy:
# managedNamespaceMetadata:
# labels:
# pod-security.kubernetes.io/enforce: "privileged"
# automated:
# selfHeal: true
# prune: true
# syncOptions:
# - CreateNamespace=true

34
argocd/apps/wekan/values-wekan.yaml
View File

@@ -9,7 +9,7 @@ spec:
source:
repoURL: 'https://wekan.github.io/charts/'
chart: wekan
targetRevision: 8.*.*
targetRevision: 7.97.0
helm:
values: |
replicaCount: 1
@@ -21,6 +21,36 @@ spec:
value: smtp://192.168.4.125:25?ignoreTLS=true&tls={rejectUnauthorized:false}&secure=false
- name: MAIL_FROM
value: Noreplay admin@innovation-hub-niedersachsen.de
- name: OAUTH2_ENABLED
value: "true"
- name: OAUTH2_LOGIN_STYLE
value: "redirect"
- name: OAUTH2_CLIENT_ID
value: "wekan"
- name: OAUTH2_SERVER_URL
value: "https://keycloak.innovation-hub-niedersachsen.de"
- name: OAUTH2_AUTH_ENDPOINT
value: "/realms/innohub/protocol/openid-connect/auth"
- name: OAUTH2_USERINFO_ENDPOINT
value: "/realms/innohub/protocol/openid-connect/userinfo"
- name: OAUTH2_TOKEN_ENDPOINT
value: "/realms/innohub/protocol/openid-connect/token"
- name: OAUTH2_SECRET
value: "vp1kG3WgUdPCUAWvECZbAmBdST6Vgm0I"
- name: OAUTH2_ID_MAP
value: "sub"
- name: OAUTH2_USERNAME_MAP
value: "preferred_username"
- name: OAUTH2_EMAIL_MAP
value: "email"
- name: OAUTH2_FULLNAME_MAP
value: "name"
- name: OAUTH2_ADFS_ENABLED
value: "false"
- name: OAUTH2_B2C_ENABLED
value: "false"
- name: OAUTH2_REQUEST_PERMISSIONS
value: "openid profile email"
end_point: wekan.innovation-hub-niedersachsen.de
root_url: https://wekan.innovation-hub-niedersachsen.de
@@ -62,6 +92,8 @@ spec:
mongodb:
enabled: true
image:
tag: 7.0.28
storage:
className: longhorn
nodeSelector:

110
argocd/apps/wekantest/values-wekantest.yaml Normal file
View File

@@ -0,0 +1,110 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: wekantest
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: 'https://wekan.github.io/charts/'
chart: wekan
targetRevision: 8.*.*
helm:
values: |
replicaCount: 1
dbname: wekan
env:
- name: MONGO_URL
value: mongodb://wekantest-mongodb:27017/wekan
- name: MAIL_URL
value: smtp://192.168.4.125:25?ignoreTLS=true&tls={rejectUnauthorized:false}&secure=false
- name: MAIL_FROM
value: Noreplay admin@innovation-hub-niedersachsen.de
- name: OAUTH2_ENABLED
value: "true"
- name: OAUTH2_LOGIN_STYLE
value: "redirect"
- name: OAUTH2_CLIENT_ID
value: "wekantest"
- name: OAUTH2_SERVER_URL
value: "https://keycloak.innovation-hub-niedersachsen.de"
- name: OAUTH2_AUTH_ENDPOINT
value: "/realms/innohub/protocol/openid-connect/auth"
- name: OAUTH2_USERINFO_ENDPOINT
value: "/realms/innohub/protocol/openid-connect/userinfo"
- name: OAUTH2_TOKEN_ENDPOINT
value: "/realms/innohub/protocol/openid-connect/token"
- name: OAUTH2_SECRET
value: "cOJpL4jiiA6OL8fFqA3lb4KCbxjjl7AQ"
- name: OAUTH2_ID_MAP
value: "sub"
- name: OAUTH2_USERNAME_MAP
value: "preferred_username"
- name: OAUTH2_EMAIL_MAP
value: "email"
- name: OAUTH2_FULLNAME_MAP
value: "name"
- name: OAUTH2_ADFS_ENABLED
value: "false"
- name: OAUTH2_B2C_ENABLED
value: "false"
- name: OAUTH2_REQUEST_PERMISSIONS
value: "openid profile email"
end_point: wekantest.innovation-hub-niedersachsen.de
root_url: https://wekantest.innovation-hub-niedersachsen.de
# Probe-Einstellungen anpassen
livenessProbe:
enabled: true
initialDelaySeconds: 60
periodSeconds: 15
timeoutSeconds: 10
failureThreshold: 5
readinessProbe:
enabled: true
initialDelaySeconds: 20
periodSeconds: 15
timeoutSeconds: 10
failureThreshold: 3
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: lets-encrypt
hosts:
- wekantest.innovation-hub-niedersachsen.de
tls:
- secretName: wekantest-tls
hosts:
- wekantest.innovation-hub-niedersachsen.de
route:
enabled: false
sharedDataFolder:
enabled: true
storageClass: longhorn
mongodb:
enabled: true
storage:
className: longhorn
nodeSelector:
kubernetes.io/hostname: k3s-prod
destination:
server: 'https://kubernetes.default.svc'
namespace: wekantest
syncPolicy:
managedNamespaceMetadata:
labels:
pod-security.kubernetes.io/enforce: "privileged"
automated:
prune: true
syncOptions:
- CreateNamespace=true

53
config/rr/rr-ingressroute.yaml Normal file
View File

@@ -0,0 +1,53 @@
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: rr-stripprefix
namespace: kube-system
spec:
stripPrefix:
prefixes:
- /
---
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
name: rr-transport
namespace: kube-system
spec:
insecureSkipVerify: true
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: rr-external
namespace: kube-system
annotations:
cert-manager.io/cluster-issuer: "lets-encrypt"
spec:
entryPoints:
- websecure
routes:
- match: Host(`rr.innovation-hub-niedersachsen.de`)
kind: Rule
services:
- name: rr-external-service
port: 5173
scheme: http
serversTransport: rr-transport
middlewares:
- name: rr-stripprefix
tls:
secretName: rr-tls
---
apiVersion: v1
kind: Service
metadata:
name: rr-external-service
namespace: kube-system
spec:
type: ExternalName
externalName: 192-168-4-106.nip.io
ports:
- port: 5173
targetPort: 5173