feat(jellyfin): Move to new kustomize-optimised config

4fcef980 · Sheogorath · b981971e · 4fcef980 · 4fcef980 · 4fcef980
Verified Commit 4fcef980 authored 1 year ago by Sheogorath
--- a/apps/base/jellyfin/allow-from-ingress.patch.yaml
+++ b/apps/base/jellyfin/allow-from-ingress.patch.yaml
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-ingress
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: jellyfin
\ No newline at end of file
--- a/apps/base/jellyfin/allow-to-public-web.patch.yaml
+++ b/apps/base/jellyfin/allow-to-public-web.patch.yaml
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-to-public-web
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: jellyfin
\ No newline at end of file
--- a/apps/base/jellyfin/deployment.yaml
+++ b/apps/base/jellyfin/deployment.yaml
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: jellyfin
+spec:
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: jellyfin
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: jellyfin
+    spec:
+      serviceAccountName: jellyfin
+      containers:
+      - env:
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: spec.nodeName
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
+        image: docker.io/jellyfin/jellyfin:10.8.13
+        imagePullPolicy: IfNotPresent
+        name: jellyfin
+        readinessProbe:
+          httpGet:
+            path: /health
+            port: 8096
+        ports:
+        - containerPort: 8096
+          protocol: TCP
+        volumeMounts:
+        - mountPath: /data/media
+          name: media
+          readOnly: False
+        - mountPath: /config/transcodes
+          name: transcodes-tmp
+        - mountPath: /config
+          name: jellyfin-config
+        - mountPath: /cache
+          name: jellyfin-cache
+        resources:
+          requests:
+            amd.com/gpu: 1
+            memory: 2Gi
+            cpu: 100m
+          limits:
+            amd.com/gpu: 1
+            memory: 3.5Gi
+            cpu: "4"
+        securityContext:
+          allowPrivilegeEscalation: false
+      restartPolicy: Always
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        seccompProfile:
+          type: "RuntimeDefault"
+      volumes:
+      - name: transcodes-tmp
+        ephemeral:
+          volumeClaimTemplate:
+            spec:
+              accessModes:
+                - ReadWriteOnce
+              resources:
+                requests:
+                  storage: 50Gi
+      - name: media
+        persistentVolumeClaim:
+          claimName: media
+      - name: jellyfin-config
+        persistentVolumeClaim:
+          claimName: jellyfin-config
+      - name: jellyfin-cache
+        emptyDir:
+          sizeLimit: 500Mi
--- a/apps/base/jellyfin/kustomization.yaml
+++ b/apps/base/jellyfin/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: jellyfin
+resources:
+  - namespace.yaml
+  - deployment.yaml
+  - pvc.yaml
+  - service.yaml
+  - serviceaccount.yaml
+  - ../../../shared/networkpolicies/deny-by-default-ingress.yaml
+  - ../../../shared/networkpolicies/deny-by-default-egress.yaml
+  - ../../../shared/networkpolicies/allow-from-ingress.yaml
+  - ../../../shared/networkpolicies/allow-to-public-web.yaml
+patches:
+  - path: allow-from-ingress.patch.yaml
+  - path: allow-to-public-web.patch.yaml
--- a/apps/base/jellyfin/namespace.yaml
+++ b/apps/base/jellyfin/namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: jellyfin
\ No newline at end of file
--- a/apps/base/jellyfin/pvc.yaml
+++ b/apps/base/jellyfin/pvc.yaml
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: jellyfin-config
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: media
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi
--- a/apps/k8s01/jellyfin/service.yaml
+++ b/apps/k8s01/jellyfin/service.yaml
@@ -2,9 +2,6 @@
 apiVersion: v1
 kind: Service
 metadata:
-  labels:
-    app.kubernetes.io/name: jellyfin
-    app.kubernetes.io/component: jellyfin
  name: jellyfin
 spec:
  ports:
@@ -13,6 +10,5 @@ spec:
    protocol: TCP
    targetPort: 8096
  selector:
-    app.kubernetes.io/name: jellyfin
    app.kubernetes.io/component: jellyfin
  type: ClusterIP
--- a/apps/base/jellyfin/serviceaccount.yaml
+++ b/apps/base/jellyfin/serviceaccount.yaml
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: jellyfin
+  namespace: jellyfin
+automountServiceAccountToken: false
\ No newline at end of file
--- a/apps/k8s01/jellyfin/deployment.yaml
+++ b/apps/k8s01/jellyfin/deployment.yaml
---
+- op: add
-apiVersion: apps/v1
+  path: /spec/template/spec/volumes/0
-kind: Deployment
+  value:
-metadata:
+    name: movies
-  name: jellyfin
+    persistentVolumeClaim:
-  labels:
+      claimName: jellyfin-movies
-    app.kubernetes.io/name: jellyfin
+- op: add
-    app.kubernetes.io/component: jellyfin
+  path: /spec/template/spec/volumes/0
-spec:
+  value:
-  strategy:
+    name: shows
-    type: Recreate
+    persistentVolumeClaim:
-  selector:
+      claimName: jellyfin-shows
-    matchLabels:
+- op: add
-      app.kubernetes.io/name: jellyfin
+  path: /spec/template/spec/containers/0/volumeMounts/0
-      app.kubernetes.io/component: jellyfin
+  value:
-  template:
+    mountPath: /data/media/shows
-    metadata:
+    name: shows
-      labels:
+- op: add
-        app.kubernetes.io/name: jellyfin
+  path: /spec/template/spec/containers/0/volumeMounts/0
-        app.kubernetes.io/component: jellyfin
+  value:
-    spec:
+    mountPath: /data/media/movies
-      containers:
+    name: movies
-      - env:
\ No newline at end of file
-        - name: NODE_NAME
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: spec.nodeName
-        - name: POD_NAME
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.name
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.namespace
-        image: docker.io/jellyfin/jellyfin:10.8.13
-        imagePullPolicy: IfNotPresent
-        name: jellyfin
-        readinessProbe:
-          httpGet:
-            path: /health
-            port: 8096
-        ports:
-        - containerPort: 8096
-          protocol: TCP
-        volumeMounts:
-        - mountPath: /data/media/shows
-          name: shows
-        - mountPath: /data/media/movies
-          name: movies
-        - mountPath: /data/media
-          name: media
-          readOnly: False
-        - mountPath: /config/transcodes
-          name: transcodes-tmp
-        - mountPath: /config
-          name: jellyfin-config
-        - mountPath: /cache
-          name: jellyfin-cache
-        resources:
-          requests:
-            amd.com/gpu: 1
-            memory: 2Gi
-            cpu: 100m
-          limits:
-            amd.com/gpu: 1
-            memory: 3.5Gi
-            cpu: "4"
-        securityContext:
-          allowPrivilegeEscalation: false
-      restartPolicy: Always
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 1000
-        runAsGroup: 1000
-        fsGroup: 1000
-        seccompProfile:
-          type: "RuntimeDefault"
-      volumes:
-      - name: transcodes-tmp
-        ephemeral:
-          volumeClaimTemplate:
-            spec:
-              accessModes:
-                - ReadWriteOnce
-              resources:
-                requests:
-                  storage: 50Gi
-      - name: movies
-        persistentVolumeClaim:
-          claimName: jellyfin-movies
-      - name: shows
-        persistentVolumeClaim:
-          claimName: jellyfin-shows
-      - name: media
-        persistentVolumeClaim:
-          claimName: media
-      - name: jellyfin-config
-        persistentVolumeClaim:
-          claimName: jellyfin-config
-      - name: jellyfin-cache
-        emptyDir:
-          sizeLimit: 500Mi
--- a/apps/k8s01/jellyfin/kustomization.yaml
+++ b/apps/k8s01/jellyfin/kustomization.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: jellyfin
+commonLabels:
+  app.kubernetes.io/name: jellyfin
+  app.kubernetes.io/instance: jellyfin
 resources:
-  - namespace.yaml
+  - ../../base/jellyfin
  - pv.yaml
  - pvc.yaml
-  - deployment.yaml
-  - service.yaml
  - certificate.yaml
  - ingress.yaml
  - slo.yaml
-  - ../../../shared/networkpolicies/deny-by-default-ingress.yaml
-  - ../../../shared/networkpolicies/deny-by-default-egress.yaml
-  - ../../../shared/networkpolicies/allow-from-ingress.yaml
-  - ../../../shared/networkpolicies/allow-to-public-web.yaml
  - ../../../shared/resourcequotas/default.yaml
-patchesStrategicMerge:
-  - networkpolicy.yaml
+patches:
\ No newline at end of file
+  - path: deployment.yaml
+    target:
+      kind: Deployment
+      group: apps
+      version: v1
+      name: jellyfin
\ No newline at end of file
--- a/apps/k8s01/jellyfin/namespace.yaml
+++ b/apps/k8s01/jellyfin/namespace.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: jellyfin
-  labels:
-    pod-security.kubernetes.io/audit: restricted
-    pod-security.kubernetes.io/enforce: baseline
-    pod-security.kubernetes.io/warn: restricted
-    pod-security.kubernetes.io/audit-version: v1.26
-    pod-security.kubernetes.io/enforce-version: v1.23
-    pod-security.kubernetes.io/warn-version: v1.26
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: flux-reconciler
-  namespace: jellyfin
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: flux-reconciler
-  namespace: jellyfin
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: admin
-subjects:
-  - kind: ServiceAccount
-    name: flux-reconciler
-    namespace: jellyfin
--- a/apps/k8s01/jellyfin/networkpolicy.yaml
+++ b/apps/k8s01/jellyfin/networkpolicy.yaml
---
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: allow-from-ingress
-  labels:
-    app.kubernetes.io/name: jellyfin
-    app.kubernetes.io/component: jellyfin
-spec:
-  podSelector:
-    matchLabels:
-      app.kubernetes.io/name: jellyfin
-      app.kubernetes.io/component: jellyfin
---
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: allow-to-public-web
-  labels:
-    app.kubernetes.io/name: jellyfin
-    app.kubernetes.io/component: jellyfin
-spec:
-  podSelector:
-    matchLabels:
-      app.kubernetes.io/name: jellyfin
-      app.kubernetes.io/component: jellyfin
\ No newline at end of file
--- a/apps/k8s01/jellyfin/pvc.yaml
+++ b/apps/k8s01/jellyfin/pvc.yaml
@@ -31,31 +31,3 @@ spec:
    requests:
      storage: 2Ti
  volumeName: jellyfin-shows
---
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: jellyfin-config
-  labels:
-    app.kubernetes.io/name: jellyfin
-    app.kubernetes.io/component: jellyfin
-spec:
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 10Gi
---
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: media
-  labels:
-    app.kubernetes.io/name: jellyfin
-    app.kubernetes.io/component: jellyfin
-spec:
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 10Gi