infra/terraform: add k8s module file for my portfolio

- added k8s module file for my portfolio manifest

infra/terraform/.gitignore

@@ -1,5 +1,6 @@
 .env
-.terraform/
+**/.env
-.terraform.lock.hcl
+**/.terraform/
-terraform.tfstate
+**/.terraform.lock.hcl
-terraform.tfstate.backup
+**/terraform.tfstate
+**/terraform.tfstate.backup

infra/terraform/README.md

@@ -35,3 +35,5 @@ tofu init
 tofu plan
 tofu apply
 ```
+
+## Kubernetes and Helm

infra/terraform/kubernetes/backend.tf

@@ -0,0 +1,14 @@
+terraform {
+  backend "s3" {
+    bucket                      = "terraform-state" # Name of the MinIO bucket
+    key                         = "proxmox/terraform.tfstate" # Path to the state file in the bucket
+    endpoint                    = var.minio_endpoint # MinIO API endpoint
+    access_key                  = var.minio_access_key # MinIO access key
+    secret_key                  = var.minio_secret_key # MinIO secret key
+    region                      = "us-east-1" # Arbitrary region (MinIO ignores this)
+    skip_credentials_validation = true # Skip AWS-specific credential checks
+    skip_metadata_api_check     = true # Skip AWS metadata API checks
+    skip_region_validation      = true # Skip AWS region validation
+    use_path_style              = true # Use path-style URLs[](http://<host>/<bucket>)
+  }
+}

infra/terraform/kubernetes/main.tf

@@ -0,0 +1,22 @@
+terraform {
+    required_providers {
+        kubernetes = {
+        source  = "hashicorp/kubernetes"
+        version = "2.37.1"
+        }
+        helm = {
+            source  = "hashicorp/helm"
+            version = "3.0.2"
+        }
+    }
+}
+
+provider "kubernetes" {
+    config_path = "~/.kube/config"
+}
+
+provider "helm" {
+    kubernetes {
+        config_path = "~/.kube/config"
+    }
+}

infra/terraform/kubernetes/portfolio.tf

@@ -0,0 +1,50 @@
+resource "kubernetes_namespace" "portfolio" {
+  metadata {
+    name = "my-portfolio"
+  }
+}
+
+resource "kubernetes_secret" "docker_secret" {
+  metadata {
+    name      = "docker-registry-credentials"
+    namespace = "my-portfolio"
+  }
+
+  type = "kubernetes.io/dockerconfigjson"
+
+  data = {
+    ".dockerconfigjson" = jsonencode({
+      auths = {
+        "${var.docker_registry_host}" = {
+          username = var.docker_username
+          password = var.docker_password
+          auth     = base64encode("${var.docker_username}:${var.docker_password}")
+        }
+      }
+    })
+  }
+
+  depends_on = [kubernetes_namespace.portfolio]
+}
+
+locals {
+  # Read and process the YAML file with placeholders
+  manifest_content = templatefile("../../../kubernetes/my-portfolio/portfolioManifest.yaml", {
+    PORTFOLIO_HOST  = var.portfolio_host
+    DOCKER_REGISTRY_HOST = var.docker_registry_host
+  })
+  # Split into individual documents
+  manifest_documents = split("---", replace(local.manifest_content, "/\\n\\s*\\n/", "---"))
+}
+
+resource "kubernetes_manifest" "portfolio_manifest" {
+  for_each = { for i, doc in local.manifest_documents : i => doc if trimspace(doc) != "" }
+
+  manifest = yamldecode(each.value)
+
+  field_manager {
+    force_conflicts = true
+  }
+
+  depends_on = [kubernetes_namespace.portfolio]
+}

infra/terraform/kubernetes/variables.tf

@@ -0,0 +1,35 @@
+# variables for minio backend configuration
+variable "minio_access_key" {
+  description = "MinIO access key"
+  type        = string
+}
+
+variable "minio_secret_key" {
+  description = "MinIO secret key"
+  type        = string
+}
+
+variable "minio_endpoint" {
+  description = "MinIO API endpoint"
+  type        = string
+}
+
+variable "portfolio_host" {
+  description = "Host for the portfolio application"
+  type        = string
+}
+
+variable "docker_registry_host" {
+  description = "Host for the Docker registry"
+  type        = string
+}
+
+variable "docker_username" {
+  description = "Docker registry username"
+  type        = string
+}
+
+variable "docker_password" {
+  description = "Docker registry password"
+  type        = string
+}

kubernetes/README.md

@@ -213,7 +213,7 @@ registry.
 kubectl create namespace my-portfolio
 
 source .env
-kubectl create secret docker-registry my-registry-secret \
+kubectl create secret docker-registry docker-registry-credentials \
   --docker-server="$DOCKER_REGISTRY_HOST" \
   --docker-username="$DOCKER_USER" \
   --docker-password="$DOCKER_PASSWORD" \
@@ -611,9 +611,10 @@ envsubst < gitea/configMap.yaml | kubectl apply -n gitea -f -
 
 helm upgrade --install gitea gitea-charts/gitea -f gitea/values.yaml \
   --namespace gitea \
+  --version 10.0.0 \
   --atomic \
   --set ingress.hosts[0].host=$GITEA_HOST \
-  --set ingress.tls[0].hosts[0]=$DNSNAME  \
+  --set ingress.tls[0].hosts[0]=$GITEA_HOST  \
   --set gitea.admin.username=$GITEA_USER \
   --set gitea.admin.password=$GITEA_PASSWORD \
   --set gitea.admin.email=$GITEA_EMAIL \

kubernetes/gitea/values.yaml

@@ -15,6 +15,7 @@ gitea:
     email: email
 
 image:
+  registry: ghcr.io
   repository: gitea
   tag: 1.23.7
 
@@ -45,13 +46,17 @@ resources:
 
 ingress:
   enabled: true
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    cert-manager.io/cluster-issuer: "acme-issuer"
   hosts:
     - host: git.example.com
       paths:
         - path: /
           pathType: Prefix
   tls:
-    - secretName: wildcard-cert-secret
+    - secretName: gitea-tls-cert
       hosts:
         - "*.example.com"
 

kubernetes/my-portfolio/portfolioManifest.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: portfolio-app
+  namespace: my-portfolio
   labels:
     app: portfolio-app
 spec:
@@ -15,7 +16,7 @@ spec:
         app: portfolio-app
     spec:
       imagePullSecrets:
-        - name: my-registry-secret
+        - name: docker-registry-credentials
       containers:
         - name: portfolio-app
           image: "${DOCKER_REGISTRY_HOST}/taqi/portfolio/my-portfolio-app:latest"
@@ -29,6 +30,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: portfolio-app-svc
+  namespace: my-portfolio
 spec:
   type: ClusterIP
   ports:
@@ -42,6 +44,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: portfolio
+  namespace: my-portfolio
   annotations:
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     cert-manager.io/cluster-issuer: "acme-issuer"