diff --git a/updatebot/config.yml b/updatebot/config.yml
new file mode 100644
index 0000000..31b5ec9
--- /dev/null
+++ b/updatebot/config.yml
@@ -0,0 +1,71 @@
+repo:
+ url: https://git.pyrocufflink.net/infra/kubernetes
+ token_file: /run/secrets/updatebot/gitea.token
+
+projects:
+- name: home-assistant
+ kind: kustomize
+ images:
+ - name: home-assistant
+ image: ghcr.io/home-assistant/home-assistant
+ source:
+ kind: github
+ organization: home-assistant
+ repo: core
+ - name: whisper
+ image: docker.io/rhasspy/wyoming-whisper
+ source:
+ kind: docker
+ namespace: rhasspy
+ repository: wyoming-whisper
+ - name: piper
+ image: docker.io/rhasspy/wyoming-piper
+ source:
+ kind: docker
+ namespace: rhasspy
+ repository: wyoming-piper
+ - name: zigbee2mqtt
+ image: docker.io/koenkk/zigbee2mqtt
+ source:
+ kind: github
+ organization: Koenkk
+ repo: zigbee2mqtt
+ - name: zwavejs2mqtt
+ image: docker.io/zwavejs/zwave-js-ui
+ source:
+ kind: github
+ organization: zwave-js
+ repo: zwave-js-ui
+
+- name: firefly-iii
+ kind: kustomize
+ images:
+ - name: firefly-iii
+ image: docker.io/fireflyiii/core
+ tag_format: version-{version}
+ source:
+ kind: github
+ organization: firefly-iii
+ repo: firefly-iii
+
+- name: paperless-ngx
+ kind: kustomize
+ images:
+ - name: paperless-ngx
+ image: ghcr.io/paperless-ngx/paperless-ngx
+ source:
+ kind: github
+ organization: paperless-ngx
+ repo: paperless-ngx
+ - name: gotenberg
+ image: docker.io/gotenberg/gotenberg
+ source:
+ kind: github
+ organization: gotenberg
+ repo: gotenberg
+ - name: tika
+ image: docker.io/apache/tika
+ source:
+ kind: docker
+ namespace: apache
+ repository: tika
diff --git a/updatebot/kustomization.yaml b/updatebot/kustomization.yaml
index 7391cf8..cdb8faa 100644
--- a/updatebot/kustomization.yaml
+++ b/updatebot/kustomization.yaml
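Review bot: config.yml has no comment saying how a project entry maps onto this repository, and the TOML files it replaces encoded that with an explicit `path = "home-assistant"` on every secondary image (whisper, piper, zigbee2mqtt, zwavejs2mqtt, gotenberg, tika) that the new per-project `images:` list no longer carries. If the updatebot image derives the kustomize directory from the project `name`, a header comment such as `# projects: one entry per kustomize directory in this repo; every image under a project is updated in that directory` would record that assumption; if it does not, the secondary images have silently lost their path, which is worth confirming against the bot. `tag_format: version-{version}` on firefly-iii is the only per-image override in the file and deserves a one-line comment explaining why that registry's tags differ from the upstream release names.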
@@ -8,28 +8,27 @@ labels: app.kubernetes.io/component: updatebot app.kubernetes.io/instance: updatebot app.kubernetes.io/part-of: updatebot + includeTemplates: true resources: - namespace.yaml +- rbac.yaml - updatebot.yaml - secrets.yaml configMapGenerator: - name: updatebot-projects files: - - home-assistant.toml=projects/home-assistant.toml - - firefly-iii.toml=projects/firefly-iii.toml - - paperless-ngx.toml=projects/paperless-ngx.toml + - config.yml options: disableNameSuffixHash: true + labels: + app.kubernetes.io/name: updatebot-projects - name: ssh-known-hosts files: - ssh_known_hosts options: disableNameSuffixHash: true - ---- -images: -- image: git.pyrocufflink.net/infra/updatebot - newTag: dev + labels: + app.kubernetes.io/name: ssh-known-hosts
diff --git a/updatebot/projects/firefly-iii.toml b/updatebot/projects/firefly-iii.toml
deleted file mode 100644
index be1ee0f..0000000
--- a/updatebot/projects/firefly-iii.toml
+++ /dev/null
@@ -1,13 +0,0 @@
-[repo]
-url = "https://git.pyrocufflink.net/infra/kubernetes"
-token_file = "/run/secrets/updatebot/gitea.token"
-
-[projects.firefly-iii]
-kind = "kustomize"
-image = "docker.io/fireflyiii/core"
-tag_format = "version-{version}"
-
-[projects.firefly-iii.source]
-kind = "github"
-organization = "firefly-iii"
-repo = "firefly-iii"
diff --git a/updatebot/projects/home-assistant.toml b/updatebot/projects/home-assistant.toml
deleted file mode 100644
index a01ae16..0000000
--- a/updatebot/projects/home-assistant.toml
+++ /dev/null
@@ -1,52 +0,0 @@
-[repo]
-url = "https://git.pyrocufflink.net/infra/kubernetes"
-token_file = "/run/secrets/updatebot/gitea.token"
-
-[projects.home-assistant]
-kind = "kustomize"
-image = "ghcr.io/home-assistant/home-assistant"
-
-[projects.home-assistant.source]
-kind = "github"
-organization = "home-assistant"
-repo = "core"
-
-[projects.whisper]
-kind = "kustomize"
-path = "home-assistant"
-image = "docker.io/rhasspy/wyoming-whisper"
-
-[projects.whisper.source]
-kind = "docker"
-namespace = "rhasspy"
-repository = "wyoming-whisper"
-
-[projects.piper]
-kind = "kustomize"
-path = "home-assistant"
-image = "docker.io/rhasspy/wyoming-piper"
-
-[projects.piper.source]
-kind = "docker"
-namespace = "rhasspy"
-repository = "wyoming-piper"
-
-[projects.zigbee2mqtt]
-kind = "kustomize"
-path = "home-assistant"
-image = "docker.io/koenkk/zigbee2mqtt"
-
-[projects.zigbee2mqtt.source]
-kind = "github"
-organization = "Koenkk"
-repo = "zigbee2mqtt"
-
-[projects.zwavejs2mqtt]
-kind = "kustomize"
-path = "home-assistant"
-image = "docker.io/zwavejs/zwave-js-ui"
-
-[projects.zwavejs2mqtt.source]
-kind = "github"
-organization = "zwave-js"
-repo = "zwave-js-ui"
diff --git a/updatebot/projects/paperless-ngx.toml b/updatebot/projects/paperless-ngx.toml
deleted file mode 100644
index aabee4a..0000000
--- a/updatebot/projects/paperless-ngx.toml
+++ /dev/null
@@ -1,32 +0,0 @@
-[repo]
-url = "https://git.pyrocufflink.net/infra/kubernetes"
-token_file = "/run/secrets/updatebot/gitea.token"
-
-[projects.paperless-ngx]
-kind = "kustomize"
-image = "ghcr.io/paperless-ngx/paperless-ngx"
-
-[projects.paperless-ngx.source]
-kind = "github"
-organization = "paperless-ngx"
-repo = "paperless-ngx"
-
-[projects.gotenberg]
-kind = "kustomize"
-path = "paperless-ngx"
-image = "docker.io/gotenberg/gotenberg"
-
-[projects.gotenberg.source]
-kind = "github"
-organization = "gotenberg"
-repo = "gotenberg"
-
-[projects.tika]
-kind = "kustomize"
-path = "paperless-ngx"
-image = "docker.io/apache/tika"
-
-[projects.tika.source]
-kind = "docker"
-namespace = "apache"
-repository = "tika"
diff --git a/updatebot/rbac.yaml b/updatebot/rbac.yaml
new file mode 100644
index 0000000..fdac5d5
--- /dev/null
+++ b/updatebot/rbac.yaml
@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: updatebot
+ labels:
+ app.kubernetes.io/name: updatebot
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: updatebot
+ labels:
+ app.kubernetes.io/name: updatebot
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - get
+ - patch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: updatebot
+ labels:
+ app.kubernetes.io/name: updatebot
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: updatebot
+subjects:
+- kind: ServiceAccount
+ name: updatebot
diff --git a/updatebot/updatebot.yaml b/updatebot/updatebot.yaml
index 705f67e..c6bc555 100644
--- a/updatebot/updatebot.yaml
+++ b/updatebot/updatebot.yaml
@@ -1,9 +1,9 @@ apiVersion: batch/v1 kind: CronJob metadata: - name: updatebot-home-assistant + name: updatebot labels: &labels - app.kubernetes.io/name: updatebot-home-assistant + app.kubernetes.io/name: updatebot spec: schedule: 32 6 * * 1 timeZone: America/Chicago
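Review bot: The ClusterRole in rbac.yaml grants `get` and `patch` on every resource of every API group cluster-wide, which is far more than a job that bumps image tags in a git repository needs: `get` on `*` reads Secrets in every namespace, and `patch` on `*` reaches workloads, RoleBindings and ClusterRoleBindings, so a compromised run could change what any pod executes or widen its own rights. RBAC authorizes verbs, not dry-run, so even if the only intended use is `kubectl diff` (which needs `get` plus a dry-run `patch`), this grant is a real write-everything; list the concrete resource kinds the repository actually manages under `resources:` and bind through a RoleBinding in each managed namespace instead of a ClusterRoleBinding. The ClusterRoleBinding subject also lacks `namespace:`, which the API server should reject for a ServiceAccount subject unless kustomize's namespace transformer fills it in from a `namespace:` field outside this hunk — worth checking in the rendered output.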
@@ -18,9 +18,7 @@ spec: containers: - name: updatebot image: git.pyrocufflink.net/infra/updatebot - args: - - --branch-name - - updatebot/home-assistant + imagePullPolicy: Always securityContext: readOnlyRootFilesystem: true volumeMounts: 
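Review bot: `imagePullPolicy: Always` is added under an image reference that carries no tag or digest (the context line `image: git.pyrocufflink.net/infra/updatebot`), and the kustomization.yaml hunk in this same commit removes the `images:` / `newTag` override that was the only pin, so every scheduled run will execute whatever the registry happens to serve as `latest`. A job holding a Gitea token and, after this commit, a cluster-scoped ServiceAccount token should run a known build: pin it as `image: git.pyrocufflink.net/infra/updatebot@sha256:<digest>` (placeholder digest) or keep a kustomize `images:` entry with an explicit `newTag`. The container spec begins before this hunk.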
@@ -28,146 +26,9 @@ spec: name: ssh-known-hosts readOnly: true subPath: ssh_known_hosts - - mountPath: /home/bot/.config/updatebot/config.toml + - mountPath: /home/bot/.config/updatebot name: updatebot-config readOnly: true - subPath: home-assistant.toml - - mountPath: /home/bot/.ssh - name: updatebot-ssh - readOnly: true - - mountPath: /run/secrets/updatebot - name: updatebot-secrets - readOnly: true - - mountPath: /tmp - name: tmp - subPath: tmp - nodeSelector: - kubernetes.io/arch: amd64 - securityContext: - runAsNonRoot: true - fsGroup: 25167 - volumes: - - name: ssh-known-hosts - configMap: - name: ssh-known-hosts - - name: tmp - emptyDir: - medium: Memory - - name: updatebot-config - configMap: - name: updatebot-projects - - name: updatebot-secrets - secret: - secretName: updatebot - defaultMode: 0640 - - name: updatebot-ssh - secret: - secretName: updatebot-ssh - defaultMode: 0640 - ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: updatebot-firefly-iii - labels: &labels - app.kubernetes.io/name: updatebot-firefly-iii -spec: - schedule: 33 6 * * 1 - timeZone: America/Chicago - concurrencyPolicy: Forbid - jobTemplate: - spec: - template: - metadata: - labels: *labels - spec: - restartPolicy: Never - containers: - - name: updatebot - image: git.pyrocufflink.net/infra/updatebot - args: - - --branch-name - - updatebot/firefly-iii - securityContext: - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /etc/ssh/ssh_known_hosts - name: ssh-known-hosts - readOnly: true - subPath: ssh_known_hosts - - mountPath: /home/bot/.config/updatebot/config.toml - name: updatebot-config - readOnly: true - subPath: firefly-iii.toml - - mountPath: /home/bot/.ssh - name: updatebot-ssh - readOnly: true - - mountPath: /run/secrets/updatebot - name: updatebot-secrets - readOnly: true - - mountPath: /tmp - name: tmp - subPath: tmp - nodeSelector: - kubernetes.io/arch: amd64 - securityContext: - runAsNonRoot: true - fsGroup: 25167 - volumes: - - name: ssh-known-hosts 
- configMap: - name: ssh-known-hosts - - name: tmp - emptyDir: - medium: Memory - - name: updatebot-config - configMap: - name: updatebot-projects - - name: updatebot-secrets - secret: - secretName: updatebot - defaultMode: 0640 - - name: updatebot-ssh - secret: - secretName: updatebot-ssh - defaultMode: 0640 - ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: updatebot-paperless-ngx - labels: &labels - app.kubernetes.io/name: updatebot-paperless-ngx -spec: - schedule: 34 6 * * 1 - timeZone: America/Chicago - concurrencyPolicy: Forbid - jobTemplate: - spec: - template: - metadata: - labels: *labels - spec: - restartPolicy: Never - containers: - - name: updatebot - image: git.pyrocufflink.net/infra/updatebot - args: - - --branch-name - - updatebot/paperless-ngx - securityContext: - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /etc/ssh/ssh_known_hosts - name: ssh-known-hosts - readOnly: true - subPath: ssh_known_hosts - - mountPath: /home/bot/.config/updatebot/config.toml - name: updatebot-config - readOnly: true - subPath: paperless-ngx.toml - mountPath: /home/bot/.ssh name: updatebot-ssh readOnly: true @@ -177,12 +38,27 @@ spec: - mountPath: /tmp name: tmp subPath: tmp + - mountPath: /usr/bin/diff + name: diff + readOnly: true + - mountPath: /usr/bin/kubectl + name: kubectl + readOnly: true nodeSelector: kubernetes.io/arch: amd64 securityContext: runAsNonRoot: true fsGroup: 25167 + serviceAccountName: updatebot volumes: + - name: diff + hostPath: + path: /usr/bin/diff + type: File + - name: kubectl + hostPath: + path: /usr/bin/kubectl + type: File - name: ssh-known-hosts configMap: name: ssh-known-hosts
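Review bot: The new `diff` and `kubectl` volumes are `hostPath` mounts of `/usr/bin/diff` and `/usr/bin/kubectl` taken from the node, which ties each run to whatever package versions the amd64 nodes happen to have installed and is disallowed by the Pod Security `baseline` profile, so this CronJob cannot be scheduled in a namespace that enforces it. A host `diff` is typically dynamically linked against the node's libc, which need not match the container image's, whereas a static `kubectl` merely hides that coupling; both tools belong in the updatebot image, after which the two `hostPath` volumes and their `volumeMounts` can be dropped. The added `serviceAccountName: updatebot` mounts that account's token by default, so its reach is exactly what the ClusterRole in rbac.yaml grants.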