kube/etherpad/application.yml

---
apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient
metadata:
  name: etherpad
spec:
  displayName: Etherpad
  uri: 'https://pad.k-space.ee/'
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: etherpad
  namespace: etherpad
spec:
  # Etherpad does NOT support running multiple replicas due to
  # in-application caching https://github.com/ether/etherpad-lite/issues/3680
  revisionHistoryLimit: 0
  replicas: 1
  serviceName: etherpad
  selector:
    matchLabels:
      app: etherpad
  template:
    metadata:
      labels:
        app: etherpad
    spec:
      containers:
        - name: etherpad
          image: mirror.gcr.io/etherpad/etherpad:2
          securityContext:
            # Etherpad writes session key during start
            readOnlyRootFilesystem: false
            runAsNonRoot: true
            runAsUser: 5001
          ports:
            - containerPort: 9001
          env:
            - name: MINIFY
              value: 'false'
            - name: DB_TYPE
              value: mysql
            - name: DB_HOST
              value: 172.20.36.1
            - name: DB_NAME
              value: kspace_etherpad
            - name: DB_USER
              value: kspace_etherpad
            - name: PAD_OPTIONS_NO_COLORS
              value: "true"
            - name: PAD_OPTIONS_USE_MONOSPACE_FONT
              value: "true"
            - name: PAD_OPTIONS_SHOW_CHAT
              value: "false"
            - name: TRUST_PROXY
              value: "true"
            - name: ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: application-secrets
                  key: ADMIN_PASSWORD
            - name: DB_PASS
              valueFrom:
                secretKeyRef:
                  name: mariadb-secrets
                  key: MYSQL_PASSWORD
---
apiVersion: v1
kind: Service
metadata:
  name: etherpad
  namespace: etherpad
spec:
  type: ClusterIP
  selector:
    app: etherpad
  ports:
    - protocol: TCP
      port: 9001
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: etherpad
  namespace: etherpad
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
spec:
  rules:
    - host: pad.k-space.ee
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: etherpad
                port:
                  number: 9001
  tls:
    - hosts:
        - "*.k-space.ee"
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: etherpad
  namespace: etherpad
spec:
  podSelector:
    matchLabels:
      app: etherpad
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik
      ports:
        - port: 9001
          protocol: TCP
  egress:
    - ports:
        - port: 3306
          protocol: TCP
      to:
        - ipBlock:
            cidr: 172.20.36.1/32