1
0
forked from k-space/kube
kube/freescout/application.yml

306 lines
9.0 KiB
YAML

# yamllint disable rule:line-length
---
apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient
metadata:
name: freescout
namespace: freescout
spec:
displayName: Freescout Middleware
uri: 'https://freescout.k-space.ee'
allowedGroups:
- k-space:floor
headerMapping:
email: Remote-Email
groups: Remote-Groups
name: Remote-Name
user: Remote-User
---
apiVersion: codemowers.cloud/v1beta1
kind: OIDCClient
metadata:
name: freescout
namespace: freescout
spec:
displayName: Freescout
uri: https://freescout.k-space.ee
redirectUris:
- https://freescout.k-space.ee/oauth_callback
allowedGroups:
- k-space:floor
grantTypes:
- authorization_code
- refresh_token
responseTypes:
- code
availableScopes:
- openid
- profile
pkce: false
secretRefreshPod:
apiVersion: v1
kind: Pod
spec:
volumes:
- name: tmp
emptyDir: {}
initContainers:
- name: jq
image: >-
alpine/k8s:1.24.16@sha256:06f8942d87fa17b40795bb9a8eff029a9be3fc3c9bcc13d62071de4cc3324153
command:
- /bin/bash
- '-c'
- >-
rm -fv /tmp/update.sql; jq
'{"name":"oauth.client_id","value":$ENV.OIDC_CLIENT_ID} | "UPDATE
options SET value=\(.value|tostring|@sh) WHERE
name=\(.name|tostring|@sh) LIMIT 1;"' -n -r >> /tmp/update.sql; jq
'{"name":"oauth.client_secret","value":$ENV.OIDC_CLIENT_SECRET} |
"UPDATE options SET value=\(.value|tostring|@sh) WHERE
name=\(.name|tostring|@sh) LIMIT 1;"' -n -r >> /tmp/update.sql; jq
'{"name":"oauth.auth_url","value":$ENV.OIDC_IDP_AUTH_URI} |
"UPDATE options SET value=\(.value + "?scope=openid+profile"
|tostring|@sh) WHERE name=\(.name|tostring|@sh) LIMIT 1;"' -n -r
>> /tmp/update.sql; jq
'{"name":"oauth.token_url","value":$ENV.OIDC_IDP_TOKEN_URI} |
"UPDATE options SET value=\(.value|tostring|@sh) WHERE
name=\(.name|tostring|@sh) LIMIT 1;"' -n -r >> /tmp/update.sql; jq
'{"name":"oauth.user_url","value":$ENV.OIDC_IDP_USERINFO_URI}
| "UPDATE options SET value=\(.value|tostring|@sh) WHERE
name=\(.name|tostring|@sh) LIMIT 1;"' -n -r >> /tmp/update.sql;
cat /tmp/update.sql
envFrom:
- secretRef:
name: oidc-client-freescout-owner-secrets
resources: {}
volumeMounts:
- name: tmp
mountPath: /tmp
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
imagePullPolicy: IfNotPresent
containers:
- name: mysql
image: mysql
command:
- /bin/bash
- '-c'
- >-
mysql -u kspace_freescout kspace_freescout -h 172.20.36.1
-p${MYSQL_PWD} < /tmp/update.sql
env:
- name: MYSQL_PWD
valueFrom:
secretKeyRef:
name: freescout-secrets
key: DB_PASS
resources: {}
volumeMounts:
- name: tmp
mountPath: /tmp
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
imagePullPolicy: IfNotPresent
restartPolicy: OnFailure
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: freescout
namespace: freescout
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
traefik.ingress.kubernetes.io/router.middlewares: freescout-freescout@kubernetescrd
spec:
rules:
- host: freescout.k-space.ee
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: freescout
port:
number: 80
tls:
- hosts:
- "*.k-space.ee"
---
apiVersion: v1
kind: Service
metadata:
name: freescout
namespace: freescout
spec:
type: ClusterIP
selector:
app: freescout
ports:
- protocol: TCP
port: 80
targetPort: 8080
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: freescout
namespace: freescout
labels:
app: freescout
spec:
revisionHistoryLimit: 0
selector:
matchLabels:
app: freescout
replicas: 1
template:
metadata:
labels:
app: freescout
spec:
containers:
- name: freescout
image: harbor.k-space.ee/k-space/freescout
ports:
- containerPort: 8080
env:
- name: DISPLAY_ERRORS
value: 'true'
- name: SITE_URL
value: 'https://freescout.k-space.ee'
- name: APP_URL
value: 'https://freescout.k-space.ee'
- name: DB_HOST
value: mariadb.infra.k-space.ee
- name: DB_PORT
value: "3306"
- name: DB_DATABASE
value: kspace_freescout
- name: DB_USERNAME
value: kspace_freescout
- name: ADMIN_EMAIL
value: lauri@k-space.ee
- name: ADMIN_PASS
value: Salakala1!
- name: TIMEZONE
value: Europe/Tallinn
- name: FREESCOUT_ATTACHMENTS_DRIVER
value: s3
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: freescout-secrets
key: DB_PASS
- name: AWS_USE_PATH_STYLE_ENDPOINT
value: "true"
- name: AWS_BUCKET
valueFrom:
secretKeyRef:
name: miniobucket-attachments-owner-secrets
key: BUCKET_NAME
- name: APP_KEY
valueFrom:
secretKeyRef:
name: freescout-app
key: APP_KEY
envFrom:
- secretRef:
name: miniobucket-attachments-owner-secrets
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: freescout-cron
namespace: freescout
spec:
schedule: "0,30 * * * *" # Should be every minute in theory, keeps hanging
jobTemplate:
spec:
activeDeadlineSeconds: 1800 # this is unholy https://github.com/freescout-helpdesk/freescout/blob/dist/app/Console/Kernel.php
ttlSecondsAfterFinished: 100
template:
spec:
containers:
- name: freescout-cron
image: harbor.k-space.ee/k-space/freescout
imagePullPolicy: Always
command:
- php
- artisan
- schedule:run
env:
- name: DISPLAY_ERRORS
value: 'true'
- name: SITE_URL
value: 'https://freescout.k-space.ee'
- name: APP_URL
value: 'https://freescout.k-space.ee'
- name: DB_HOST
value: mariadb.infra.k-space.ee
- name: DB_PORT
value: "3306"
- name: DB_DATABASE
value: kspace_freescout
- name: DB_USERNAME
value: kspace_freescout
- name: ADMIN_EMAIL
value: lauri@k-space.ee
- name: ADMIN_PASS
value: Salakala1!
- name: TIMEZONE
value: Europe/Tallinn
- name: FREESCOUT_ATTACHMENTS_DRIVER
value: s3
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: freescout-secrets
key: DB_PASS
- name: AWS_USE_PATH_STYLE_ENDPOINT
value: "true"
- name: AWS_BUCKET
valueFrom:
secretKeyRef:
name: miniobucket-attachments-owner-secrets
key: BUCKET_NAME
- name: APP_KEY
valueFrom:
secretKeyRef:
name: freescout-app
key: APP_KEY
envFrom:
- secretRef:
name: miniobucket-attachments-owner-secrets
restartPolicy: Never
---
apiVersion: codemowers.cloud/v1beta1
kind: MinioBucketClaim
metadata:
name: attachments
namespace: freescout
spec:
capacity: 10Gi
class: external
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: freescout
namespace: freescout
spec:
groups:
- name: freescout
rules:
- alert: FreescoutSyncBroken
expr: time() - wildduck_last_login{email=~"(info|accounting)@k-space.ee"} > 300
for: 10m
labels:
severity: warning
annotations:
summary: Freescout mailbox synchronization is broken