RAILIANCE-WP-0002 T05+T06 done: vergabe-teilnahme is live at https://vergabe-teilnahme.whywhynot.de
Thin Helm chart in charts/vergabe-teilnahme (Deployment + Service), plain values overlay in helm/vergabe-teilnahme-values.yaml, ingress + cert-manager TLS in manifests/vergabe-teilnahme-ingress.yaml. Makefile targets vergabe-dry-run|deploy|ingress-deploy|status|migrate|seed|superuser|logs. Secrets stay in K8s (vergabe-app-credentials + vergabe-teilnahme-env) — no SOPS needed. Live: pod Running 1/1, /health/ 200 ok, /ausschreibungen/dashboard/ renders Übersicht, /admin/login/ renders Django admin (German). cert-manager issued vergabe-teilnahme-tls in ~35s. Workplan T07 (migrate+seed+smoke) marked in_progress; migrate completed inline (10+ apps migrated) so the dashboard would render. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
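--- /dev/null
+++ b/charts/vergabe-teilnahme/Chart.yaml
@@ -0,0 +1,17 @@
+apiVersion: v2
+name: vergabe-teilnahme
+description: |
+  Vergabe Teilnahme — internal Django tender/bid management web app.
+  Single-instance v1 deployment; HA and canary are deferred.
+type: application
+version: 0.1.0
+appVersion: "0.1.0"
+keywords:
+  - django
+  - vergabe
+  - railiance
+home: https://gitea.coulomb.social/coulomb/vergabe-teilnahme
+sources:
+  - https://gitea.coulomb.social/coulomb/vergabe-teilnahme
+maintainers:
+  - name: railiance-apps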
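--- /dev/null
+++ b/charts/vergabe-teilnahme/templates/_helpers.tpl
@@ -0,0 +1,28 @@
+{{/*
+Chart name + release name produce a unique resource name.
+*/}}
+{{- define "vergabe.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "vergabe.labels" -}}
+app.kubernetes.io/name: {{ include "vergabe.fullname" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+app.kubernetes.io/part-of: railiance-apps
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" }}
+{{- end -}}
+
+{{- define "vergabe.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "vergabe.fullname" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{- define "vergabe.image" -}}
+{{- if not .Values.image.tag -}}
+{{- fail "image.tag is required — pin it in helm/vergabe-teilnahme-values.yaml" -}}
+{{- end -}}
+{{- printf "%s:%s" .Values.image.repository .Values.image.tag -}}
+{{- end -}}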
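Review bot: The header comment on `vergabe.fullname` says chart name and release name produce a unique resource name, but the template only uses `.Chart.Name` (or `nameOverride`), so two releases of this chart in one namespace would collide on the Deployment and Service names even though their selector labels still differ by `.Release.Name`. Either fold the release in (`{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}`) or make the comment truthful: `{{/* Chart name (or nameOverride) only — the release name is deliberately omitted; one release per namespace. */}}`. On the supply-chain side, `vergabe.image` accepts only a tag, and a tag can be retargeted in the registry after review; letting the values overlay pin an immutable `image.digest` instead (values.yaml would gain `digest: ""` next to `tag`) gives `helm upgrade` a fixed artifact, with the tag path kept as the fallback below.

```yaml
{{- define "vergabe.image" -}}
{{- if .Values.image.digest -}}
{{- printf "%s@%s" .Values.image.repository .Values.image.digest -}}
{{- else -}}
{{- if not .Values.image.tag -}}
{{- fail "image.tag is required — pin it in helm/vergabe-teilnahme-values.yaml" -}}
{{- end -}}
{{- printf "%s:%s" .Values.image.repository .Values.image.tag -}}
{{- end -}}
{{- end -}}
```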
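--- /dev/null
+++ b/charts/vergabe-teilnahme/templates/deployment.yaml
@@ -0,0 +1,81 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "vergabe.fullname" . }}
+  labels: {{- include "vergabe.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels: {{- include "vergabe.selectorLabels" . | nindent 6 }}
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+  template:
+    metadata:
+      labels: {{- include "vergabe.selectorLabels" . | nindent 8 }}
+    spec:
+      securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: app
+          image: {{ include "vergabe.image" . | quote }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext: {{- toYaml .Values.securityContext | nindent 12 }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.targetPort }}
+              protocol: TCP
+          envFrom:
+            - secretRef:
+                name: {{ .Values.envSecretName | quote }}
+          env:
+            {{- range $k, $v := .Values.env }}
+            - name: {{ $k }}
+              value: {{ $v | quote }}
+            {{- end }}
+          {{- if .Values.probes.enabled }}
+          readinessProbe:
+            httpGet:
+              path: {{ .Values.probes.path }}
+              port: {{ .Values.probes.port }}
+              httpHeaders:
+                - name: Host
+                  value: {{ .Values.probes.hostHeader | quote }}
+            initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }}
+            periodSeconds: {{ .Values.probes.readiness.periodSeconds }}
+            timeoutSeconds: {{ .Values.probes.readiness.timeoutSeconds }}
+            failureThreshold: {{ .Values.probes.readiness.failureThreshold }}
+          livenessProbe:
+            httpGet:
+              path: {{ .Values.probes.path }}
+              port: {{ .Values.probes.port }}
+              httpHeaders:
+                - name: Host
+                  value: {{ .Values.probes.hostHeader | quote }}
+            initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }}
+            periodSeconds: {{ .Values.probes.liveness.periodSeconds }}
+            timeoutSeconds: {{ .Values.probes.liveness.timeoutSeconds }}
+            failureThreshold: {{ .Values.probes.liveness.failureThreshold }}
+          {{- end }}
+          resources: {{- toYaml .Values.resources | nindent 12 }}
+          {{- if .Values.persistence.media.enabled }}
+          volumeMounts:
+            - name: media
+              mountPath: /app/media
+          {{- end }}
+      {{- if .Values.persistence.media.enabled }}
+      volumes:
+        - name: media
+          persistentVolumeClaim:
+            claimName: {{ include "vergabe.fullname" . }}-media
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector: {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity: {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations: {{- toYaml . | nindent 8 }}
+      {{- end }}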
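Review bot: The pod spec never sets `automountServiceAccountToken: false`, so the Django container receives a projected Kubernetes API token that nothing in this chart uses; anyone who gains code execution through the web app (a vulnerable dependency, an upload handler bug) can then call the API with whatever the namespace's default service account is bound to. Add `automountServiceAccountToken: false` under `template.spec` next to `securityContext`, or give the app a dedicated ServiceAccount with the same setting. Secondarily, the pod template carries only the selector labels, so `app.kubernetes.io/version` and `helm.sh/chart` are absent from the running pods, which makes it harder to tell from `kubectl get pods --show-labels` which build is live; `labels: {{- include "vergabe.labels" . | nindent 8 }}` fixes that without touching the selector, since matchLabels only needs a subset.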
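--- /dev/null
+++ b/charts/vergabe-teilnahme/templates/service.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "vergabe.fullname" . }}
+  labels: {{- include "vergabe.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: {{ .Values.service.targetPort }}
+      protocol: TCP
+      name: http
+  selector: {{- include "vergabe.selectorLabels" . | nindent 4 }}
+{{- if .Values.persistence.media.enabled }}
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ include "vergabe.fullname" . }}-media
+  labels: {{- include "vergabe.labels" . | nindent 4 }}
+spec:
+  storageClassName: {{ .Values.persistence.media.storageClass }}
+  accessModes: [{{ .Values.persistence.media.accessMode }}]
+  resources:
+    requests:
+      storage: {{ .Values.persistence.media.size }}
+{{- end }}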
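Review bot: The media PersistentVolumeClaim has no `helm.sh/resource-policy: keep` annotation, so `helm uninstall`, or simply flipping `persistence.media.enabled` back to false on an upgrade, deletes the claim and — with the Delete reclaim policy that `local-path` provisioners typically default to — the uploaded tender documents with it. Add `annotations: { helm.sh/resource-policy: keep }` to the PVC's `metadata` so that storage outlives the release and removal stays an explicit operator action. As a matter of layout, the PVC lives in `service.yaml`; moving it to its own `pvc.yaml` keeps one resource kind per template and makes the storage declaration easy to find.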
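--- /dev/null
+++ b/charts/vergabe-teilnahme/values.yaml
@@ -0,0 +1,71 @@
+image:
+  repository: gitea.coulomb.social/coulomb/vergabe-teilnahme
+  tag: "" # required; pinned via helm/vergabe-teilnahme-values.yaml
+  pullPolicy: IfNotPresent
+
+replicaCount: 1 # v1 is single-instance; HA is deferred (RAILIANCE-WP-0002 Notes)
+
+service:
+  type: ClusterIP
+  port: 80
+  targetPort: 8000
+
+resources:
+  requests:
+    cpu: 100m
+    memory: 256Mi
+  limits:
+    cpu: 1000m
+    memory: 1Gi
+
+# Env from the K8s Secret created out-of-band (vergabe-teilnahme-env).
+# Holds SECRET_KEY + DATABASE_URL. Created by the operator with kubectl
+# create secret generic vergabe-teilnahme-env --from-literal=...
+envSecretName: vergabe-teilnahme-env
+
+# Non-secret env injected directly into the Deployment.
+env:
+  DJANGO_SETTINGS_MODULE: vergabe_teilnahme.settings.prod
+  ALLOWED_HOSTS: vergabe-teilnahme.whywhynot.de,localhost
+  CSRF_TRUSTED_ORIGINS: https://vergabe-teilnahme.whywhynot.de
+
+probes:
+  enabled: true
+  path: /health/
+  port: 8000
+  hostHeader: vergabe-teilnahme.whywhynot.de # must be in ALLOWED_HOSTS
+  liveness:
+    initialDelaySeconds: 30
+    periodSeconds: 30
+    timeoutSeconds: 5
+    failureThreshold: 3
+  readiness:
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 3
+
+# PVC for media uploads is deferred — Django MEDIA is in-pod ephemeral
+# for v1. Switch to true + a storageClass once media uploads land.
+persistence:
+  media:
+    enabled: false
+    storageClass: local-path
+    size: 5Gi
+    accessMode: ReadWriteOnce
+
+podSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 999 # matches the 'app' user in the Dockerfile
+  runAsGroup: 999
+  fsGroup: 999
+
+securityContext:
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: false # whitenoise + collectstatic write to /app
+  capabilities:
+    drop: ["ALL"]
+
+nodeSelector: {}
+tolerations: []
+affinity: {}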
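Review bot: `podSecurityContext` runs non-root and the container drops all capabilities, but neither sets a `seccompProfile`, so the process runs with whatever the container runtime's default is unless the cluster enforces one — add `seccompProfile: { type: RuntimeDefault }` to `podSecurityContext`, which is also the last item needed for the Pod Security `restricted` profile. `readOnlyRootFilesystem: false` is excused by the collectstatic comment, but running `collectstatic` at image build time and mounting an `emptyDir` at the one path that still needs writes would let this be `true` and close off on-disk persistence for an attacker in the container. The comment above `envSecretName` recommends creating the Secret with `--from-literal=...`, which leaves SECRET_KEY and DATABASE_URL in the operator's shell history; suggest `kubectl create secret generic vergabe-teilnahme-env --from-env-file=<mode-0600 file>` instead. `ALLOWED_HOSTS` also lists `localhost`, which the probes do not need since they send the real Host header — keep it only if port-forward access is intended, and say so in the comment.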