@vaharoni/devops 1.0.47

package/src/target-templates/.devops/infra/hetzner/cert-manager.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudflare-api-token-secret
+  namespace: cert-manager
+type: Opaque
+stringData:
+  api-token: $CLOUDFLARE_API_TOKEN
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-dns01
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: $EMAIL_ADDRESS
+    privateKeySecretRef:
+      name: letsencrypt-dns01-private-key
+    solvers:
+    - dns01:
+        cloudflare:
+          apiTokenSecretRef:
+            name: cloudflare-api-token-secret
+            key: api-token

package/src/target-templates/.devops/infra/hetzner/harbor-cert.yaml

@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: tls-secret
+  namespace: harbor
+spec:
+  secretName: tls-secret
+  issuerRef:
+    name: letsencrypt-dns01
+    kind: ClusterIssuer
+  commonName: $REGISTRY_DOMAIN
+  dnsNames:
+  - $REGISTRY_DOMAIN

package/src/target-templates/.devops/infra/hetzner/harbor-values.yaml

@@ -0,0 +1,76 @@
+expose:
+  type: ingress
+  ingress:
+    hosts:
+      core: $REGISTRY_DOMAIN
+  tls:
+    certSource: secret
+    secret:
+      secretName: tls-secret
+externalURL: https://$REGISTRY_DOMAIN
+persistence:
+  enabled: true
+  persistentVolumeClaim:
+    registry:
+      storageClass: "hcloud-volumes"
+      accessMode: ReadWriteOnce
+      size: 20Gi
+    jobservice:
+      storageClass: "hcloud-volumes"
+      accessMode: ReadWriteOnce
+      size: 5Gi
+    chartmuseum:
+      storageClass: "hcloud-volumes"
+      accessMode: ReadWriteOnce
+      size: 5Gi
+database:
+  internal:
+    livenessProbe:
+      timeoutSeconds: 5
+    readinessProbe:
+      timeoutSeconds: 5
+core:
+  livenessProbe:
+    initialDelaySeconds: 10
+    periodSeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 3
+  readinessProbe:
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 3
+jobservice:
+  livenessProbe:
+    initialDelaySeconds: 10
+    periodSeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 3
+  readinessProbe:
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 3
+registry:
+  registry:
+    livenessProbe:
+      initialDelaySeconds: 10
+      periodSeconds: 10
+      timeoutSeconds: 5
+      failureThreshold: 3
+    readinessProbe:
+      initialDelaySeconds: 5
+      periodSeconds: 10
+      timeoutSeconds: 5
+      failureThreshold: 3
+  controller:
+    livenessProbe:
+      initialDelaySeconds: 10
+      periodSeconds: 10
+      timeoutSeconds: 5
+      failureThreshold: 3
+    readinessProbe:
+      initialDelaySeconds: 5
+      periodSeconds: 10
+      timeoutSeconds: 5
+      failureThreshold: 3

package/src/target-templates/.devops/infra/hetzner/hcloud-config.yaml

@@ -0,0 +1,113 @@
+---
+cluster_name: changeme
+kubeconfig_path: "./config/kubeconfig"
+k3s_version: v1.32.2+k3s1
+
+networking:
+  ssh:
+    port: 22
+    use_agent: false # set to true if your key has a passphrase
+    public_key_path: "~/.ssh/id_hcloud.pub"
+    private_key_path: "~/.ssh/id_hcloud"
+  allowed_networks:
+    ssh:
+      - 0.0.0.0/0
+    api: # this will firewall port 6443 on the nodes
+      - 0.0.0.0/0
+  public_network:
+    ipv4: true
+    ipv6: true
+  private_network:
+    enabled: true
+    subnet: 10.0.0.0/16
+    existing_network_name: ""
+  cni:
+    enabled: true
+    encryption: false
+    mode: flannel
+
+  # cluster_cidr: 10.244.0.0/16 # optional: a custom IPv4/IPv6 network CIDR to use for pod IPs
+  # service_cidr: 10.43.0.0/16 # optional: a custom IPv4/IPv6 network CIDR to use for service IPs. Warning, if you change this, you should also change cluster_dns!
+  # cluster_dns: 10.43.0.10 # optional: IPv4 Cluster IP for coredns service. Needs to be an address from the service_cidr range
+
+
+# manifests:
+#   cloud_controller_manager_manifest_url: "https://github.com/hetznercloud/hcloud-cloud-controller-manager/releases/download/v1.23.0/ccm-networks.yaml"
+#   csi_driver_manifest_url: "https://raw.githubusercontent.com/hetznercloud/csi-driver/v2.12.0/deploy/kubernetes/hcloud-csi.yml"
+#   system_upgrade_controller_deployment_manifest_url: "https://github.com/rancher/system-upgrade-controller/releases/download/v0.14.2/system-upgrade-controller.yaml"
+#   system_upgrade_controller_crd_manifest_url: "https://github.com/rancher/system-upgrade-controller/releases/download/v0.14.2/crd.yaml"
+#   cluster_autoscaler_manifest_url: "https://raw.githubusercontent.com/kubernetes/autoscaler/master/cluster-autoscaler/cloudprovider/hetzner/examples/cluster-autoscaler-run-on-master.yaml"
+#   cluster_autoscaler_container_image_tag: "v1.32.0"
+
+# datastore:
+#   mode: etcd # etcd (default) or external
+#   external_datastore_endpoint: postgres://....
+
+schedule_workloads_on_masters: false
+
+# image: rocky-9 # optional: default is ubuntu-24.04
+# autoscaling_image: 103908130 # optional, defaults to the `image` setting
+# snapshot_os: microos # optional: specified the os type when using a custom snapshot
+
+masters_pool:
+  instance_type: cpx21
+  instance_count: 1 # for HA; you can also create a single master cluster for dev and testing (not recommended for production)
+  locations: # You can choose a single location for single master clusters or if you prefer to have all masters in the same location. For regional clusters (which are only available in the eu-central network zone), each master needs to be placed in a separate location.
+    # - fsn1
+    # - hel1
+    - nbg1
+
+worker_node_pools:
+- name: small-static
+  instance_type: cx32
+  instance_count: 2
+  location: nbg1
+  # image: debian-11
+  # labels:
+  #   - key: purpose
+  #     value: blah
+  # taints:
+  #   - key: something
+  #     value: value1:NoSchedule
+# - name: medium-autoscaled
+#   instance_type: cpx31
+#   location: fsn1
+#   autoscaling:
+#     enabled: true
+#     min_instances: 0
+#     max_instances: 3
+
+embedded_registry_mirror:
+  enabled: false # Enables fast p2p distribution of container images between nodes for faster pod startup. Check if your k3s version is compatible before enabling this option. You can find more information at https://docs.k3s.io/installation/registry-mirror
+
+protect_against_deletion: true
+
+create_load_balancer_for_the_kubernetes_api: false # Just a heads up: right now, we can’t limit access to the load balancer by IP through the firewall. This feature hasn’t been added by Hetzner yet.
+
+# additional_packages:
+# - somepackage
+
+# post_create_commands:
+# - apt update
+# - apt upgrade -y
+# - apt autoremove -y
+
+# kube_api_server_args:
+# - arg1
+# - ...
+# kube_scheduler_args:
+# - arg1
+# - ...
+# kube_controller_manager_args:
+# - arg1
+# - ...
+# kube_cloud_controller_manager_args:
+# - arg1
+# - ...
+# kubelet_args:
+# - arg1
+# - ...
+# kube_proxy_args:
+# - arg1
+# - ...
+# api_server_hostname: k8s.example.com # optional: DNS for the k8s API LoadBalancer. After the script has run, create a DNS record with the address of the API LoadBalancer.

package/src/target-templates/.devops/infra/hetzner/ingress-nginx-annotations.yaml

@@ -0,0 +1,49 @@
+# INSTALLATION
+# 1. Install Helm: https://helm.sh/docs/intro/install/
+# 2. Add ingress-nginx Helm repo: helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
+# 3. Update information of available charts: helm repo update
+# 4. Install ingress-nginx:
+# helm upgrade --install \
+# ingress-nginx ingress-nginx/ingress-nginx \
+# --set controller.ingressClassResource.default=true \ # Remove this line if you don’t want Nginx to be the default Ingress Controller
+# -f ./ingress-nginx-annotations.yaml \
+# --namespace ingress-nginx \
+# --create-namespace
+
+# LIST of all ANNOTATIONS: https://github.com/hetznercloud/hcloud-cloud-controller-manager/blob/master/internal/annotation/load_balancer.go
+
+controller:
+  kind: DaemonSet
+  service:
+    annotations:
+      # Germany:
+      # - nbg1 (Nuremberg)
+      # - fsn1 (Falkenstein)
+      # Finland:
+      # - hel1 (Helsinki)
+      # USA:
+      # - ash (Ashburn, Virginia)
+      # Without this, the load balancer won’t be provisioned and will stay in "pending" state.
+      # You can check this state using "kubectl get svc -n ingress-nginx"
+      load-balancer.hetzner.cloud/location: nbg1
+
+      # Name of the load balancer. This name will appear in your Hetzner cloud console under "Your project -> Load Balancers".
+      # NOTE: This is NOT the load balancer created automatically for HA clusters. You need to specify a different name here to create a separate load balancer for ingress Nginx.
+      load-balancer.hetzner.cloud/name: ingress-lb
+
+      # Ensures communication between the load balancer and cluster nodes happens through the private network.
+      load-balancer.hetzner.cloud/use-private-ip: "true"
+
+      # [ START: Use these annotations if you care about seeing the actual client IP ]
+      # "uses-proxyprotocol" enables the proxy protocol on the load balancer so that the ingress controller and applications can see the real client IP.
+      # "hostname" is needed if you use cert-manager (LetsEncrypt SSL certificates). It fixes HTTP01 challenges for cert-manager (https://cert-manager.io/docs/).
+      # Check this link for more details: https://github.com/compumike/hairpin-proxy
+      # In short: the easiest fix provided by some providers (including Hetzner) is to configure the load balancer to use a hostname instead of an IP.
+      load-balancer.hetzner.cloud/uses-proxyprotocol: 'true'
+
+      # 1. "yourDomain.com" must be correctly configured in DNS to point to the Nginx load balancer; otherwise, certificate provisioning won’t work.
+      # 2. If you use multiple domains, specify any one.
+      # load-balancer.hetzner.cloud/hostname: yourDomain.com
+      # [ END: Use these annotations if you care about seeing the actual client IP ]
+
+      load-balancer.hetzner.cloud/http-redirect-https: 'false'

package/src/target-templates/.devops/infra/hetzner/ingress-nginx-configmap.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  # Do not change the name - this is required by the Nginx Ingress Controller
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+data:
+  use-proxy-protocol: "true"

package/src/target-templates/.devops/infra/hetzner/retain-storage-class.yaml

@@ -0,0 +1,8 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: hcloud-volumes-retain
+provisioner: csi.hetzner.cloud
+reclaimPolicy: Retain
+volumeBindingMode: WaitForFirstConsumer
+allowVolumeExpansion: true

package/src/target-templates/.devops/infra/monitoring-ingress.yaml

@@ -0,0 +1,62 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: grafana
+  namespace: monitoring
+  labels:
+    app: grafana
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: grafana.$APEX_DOMAIN
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: prometheus-grafana
+                port:
+                  number: 80
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: prometheus
+  namespace: monitoring
+  labels:
+    app: prometheus
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: prometheus.$APEX_DOMAIN
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: prometheus-kube-prometheus-prometheus
+                port:
+                  number: 9090
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: alerts
+  namespace: monitoring
+  labels:
+    app: alerts
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: alerts.$APEX_DOMAIN
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: prometheus-kube-prometheus-alertmanager
+                port:
+                  number: 9093

package/src/target-templates/.devops/infra/stackgres-ui-ingress.yaml

@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: stackgres-ui-workaround-svc
+  labels:
+    app: stackgres
+  namespace: stackgres
+spec:
+  selector:
+    stackgres.io/restapi: "true"
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 9080
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: stackgres-ui
+  namespace: stackgres
+  labels:
+    app: stackgres
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: db.$APEX_DOMAIN
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: stackgres-ui-workaround-svc
+                port:
+                  number: 80

package/src/target-templates/.devops/infra/test.yaml

@@ -0,0 +1,60 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tmp
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: hello-kubernetes-first
+  namespace: tmp
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: 8080
+  selector:
+    app: hello-kubernetes-first
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hello-kubernetes-first
+  namespace: tmp
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: hello-kubernetes-first
+  template:
+    metadata:
+      labels:
+        app: hello-kubernetes-first
+    spec:
+      containers:
+      - name: hello-kubernetes
+        image: paulbouwer/hello-kubernetes:1.10
+        ports:
+        - containerPort: 8080
+        env:
+        - name: MESSAGE
+          value: Hello from the first deployment!
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: hello-kubernetes-ingress
+  namespace: tmp
+spec:
+  ingressClassName: "nginx"
+  rules:
+  - host: $TEST_HOST
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: hello-kubernetes-first
+            port:
+              number: 80          

package/src/target-templates/.devops/manifests/_index.yaml

@@ -0,0 +1,21 @@
+# db-migrate is a required entry that is hard-coded in the devops-cli
+# The debug template used per image is dynamic and can be configured in images.yaml
+# The deployment template used per application is dynamic and can be configured in its package.json
+
+db-migrate: 
+  - db-migrate-job.yaml.hb
+debug-console:
+  - deployment-debug.yaml.hb
+cron-jobs:
+  - cron-jobs.yaml.hb
+backend-process:
+  - deployment-process.yaml.hb
+internal-service:
+  - deployment-web.yaml.hb
+  - service.yaml.hb
+external-service:
+  - deployment-web.yaml.hb
+  - service.yaml.hb
+  - ingress.yaml.hb
+prefect:
+  - prefect.yaml.hb

package/src/target-templates/.devops/manifests/cron-jobs.yaml.hb

@@ -0,0 +1,55 @@
+{{#each cronJobs}}
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  labels:
+    app: {{../app_name}}
+    env: {{../monorepo_env}}
+  name: {{name}}
+  namespace: {{../namespace}}
+spec:
+  schedule: "{{cron}}"
+  jobTemplate:
+    spec:
+      ttlSecondsAfterFinished: 86400
+      template:
+        spec:
+          volumes:
+            - name: secret-injection-hook
+              secret:
+                secretName: {{../env_secret_name}}
+          containers:
+            - image: {{../image_path}}
+              name: {{name}}
+              command:
+                - ./node-exec.sh
+              args:
+                - ./devops
+                - internal-curl
+                {{#each curl}}
+                - {{this}}
+                {{/each}}
+              env:
+                - name: MONOREPO_ENV
+                  value: {{../monorepo_env}}
+                - name: MONOREPO_NAMESPACE
+                  value: {{../namespace}}
+                - name: IS_KUBERNETES
+                  value: 'true'
+                - name: MONOREPO_BASE_SECRET
+                  valueFrom:
+                    secretKeyRef:
+                      name: {{../env_secret_name}}
+                      key: {{../env_base_secret_key}}
+              volumeMounts:
+                - name: secret-injection-hook
+                  mountPath: /etc/kubernetes/secrets
+                  readOnly: true
+              resources:
+                requests:
+                  memory: 250Mi
+          restartPolicy: Never
+{{#unless @last}}
+---
+{{/unless}}
+{{/each}}

package/src/target-templates/.devops/manifests/db-migrate-job.yaml.hb

@@ -0,0 +1,42 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{db_migrate_job_name}}
+  namespace: {{namespace}}
+  labels:
+    env: {{monorepo_env}}
+spec:
+  template:
+    spec:
+      volumes:
+        - name: secret-injection-hook
+          secret:
+            secretName: {{env_secret_name}}
+      containers:
+        - name: db-migrate-job
+          image: {{image_path}}
+          args:
+            - db
+            - migrate-deploy
+          env:
+            - name: MONOREPO_ENV
+              value: {{monorepo_env}}
+            - name: MONOREPO_NAMESPACE
+              value: {{namespace}}
+            - name: IS_KUBERNETES
+              value: 'true'
+            - name: MONOREPO_BASE_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{env_secret_name}}
+                  key: {{env_base_secret_key}}
+          volumeMounts:
+            - name: secret-injection-hook
+              mountPath: /etc/kubernetes/secrets
+              readOnly: true
+          resources:
+            requests:
+              memory: 100Mi
+      restartPolicy: Never
+  backoffLimit: 0
+  ttlSecondsAfterFinished: 3600

package/src/target-templates/.devops/manifests/deployment-debug.yaml.hb

@@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: {{debug_pod_name}}
+    env: {{monorepo_env}}
+  name: {{debug_pod_name}}
+  namespace: {{namespace}}
+spec:
+  selector:
+    matchLabels:
+      app: {{debug_pod_name}}
+  template:
+    metadata:
+      labels:
+        app: {{debug_pod_name}}
+        env: {{monorepo_env}}
+    spec:
+      volumes:
+        - name: secret-injection-hook
+          secret:
+            secretName: {{env_secret_name}}
+      containers:
+        - image: {{image_path}}
+          name: {{debug_pod_name}}
+          env:
+            - name: MONOREPO_ENV
+              value: {{monorepo_env}}
+            - name: MONOREPO_NAMESPACE
+              value: {{namespace}}
+            - name: IS_KUBERNETES
+              value: 'true'
+            - name: MONOREPO_BASE_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{env_secret_name}}
+                  key: {{env_base_secret_key}}
+          volumeMounts:
+            - name: secret-injection-hook
+              mountPath: /etc/kubernetes/secrets
+              readOnly: true
+          resources:
+            requests:
+              memory: 250Mi

package/src/target-templates/.devops/manifests/deployment-process.yaml.hb

@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: {{app_name}}
+    env: {{monorepo_env}}
+  name: {{app_name}}
+  namespace: {{namespace}}
+spec:
+  replicas: {{replicas}}
+  selector:
+    matchLabels:
+      app: {{app_name}}
+  template:
+    metadata:
+      labels:
+        app: {{app_name}}
+        env: {{monorepo_env}}
+    spec:
+      volumes:
+        - name: secret-injection-hook
+          secret:
+            secretName: {{env_secret_name}}
+      containers:
+        - image: {{image_path}}
+          name: {{app_name}}
+          args:
+            - "{{project_name}}"
+          env:
+            - name: MONOREPO_ENV
+              value: {{monorepo_env}}
+            - name: MONOREPO_NAMESPACE
+              value: {{namespace}}
+            - name: IS_KUBERNETES
+              value: 'true'
+            - name: MONOREPO_BASE_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{env_secret_name}}
+                  key: {{env_base_secret_key}}
+          volumeMounts:
+            - name: secret-injection-hook
+              mountPath: /etc/kubernetes/secrets
+              readOnly: true
+          resources:
+            requests:
+              memory: 250Mi