test migrate radarr to helm

kubernetes/apps/production/arr/radarr/deployment.yaml

@@ -1,59 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-    name: radarr
-    namespace: arr
-    labels:
-        app: radarr
-spec:
-    replicas: 1
-    selector:
-        matchLabels:
-            app: radarr
-    template:
-        metadata:
-            labels:
-                app: radarr
-        spec:
-            securityContext:
-                runAsUser: 65534
-                runAsGroup: 65534
-                fsGroup: 65534
-                fsGroupChangePolicy: OnRootMismatch
-            containers:
-                - name: radarr
-                  image: ghcr.io/onedr0p/radarr:rolling@sha256:f63ab1d9875d81f1b6d7cd69427749451d2fab981e39ffb8d9071c2e21041170
-                  imagePullPolicy: IfNotPresent
-                  resources:
-                    requests:
-                        memory: 512Mi
-                        cpu: 100m
-                    limits:
-                        memory: 2Gi
-                        cpu: 500m
-                  volumeMounts:
-                    - mountPath: /config
-                      name: radarr
-                    - mountPath: /data
-                      name: nas
-            volumes:
-                - name: nas
-                  nfs:
-                    path: /mnt/thePool/thePoolShare
-                    server: 10.0.0.10
-                - name: radarr
-                  persistentVolumeClaim:
-                    claimName: radarr
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: radarr
-  namespace: arr
-spec:
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 3Gi
-  storageClassName: longhorn

kubernetes/apps/production/arr/radarr/helmrelease.yaml

@@ -0,0 +1,116 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app radarr
+  namespace: arr
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.7.1
+      interval: 30m
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+
+  values:
+    global:
+      fullnameOverride: *app
+      namespace: arr
+
+    controllers:
+      radarr:
+        enabled: true
+        type: statefulset
+
+        replicas: 1
+
+        statefulset:
+          volumeClaimTemplates:
+            - name: config
+              accessMode: ReadWriteMany
+              size: 3Gi
+              storageClass: longhorn
+              globalMounts:
+                - path: /config
+
+        pod:
+          securityContext:
+            runAsUser: 65534
+            runAsGroup: &group 65534
+            fsGroup: *group
+            fsGroupChangePolicy: "OnRootMismatch"
+
+        containers:
+          app:
+            image:
+              repository: ghcr.io/onedr0p/radarr
+              tag: 5.18.4.9674
+              pullPolicy: IfNotPresent
+            env:
+              TZ: "${TZ}"
+              RADARR__INSTANCE_NAME: *app
+              RADARR__PORT: &port 7878
+              RADARR__APPLICATION_URL: "https://radarr.${LOCAL_DOMAIN}"
+              RADARR__THEME: dark
+              RADARR__LOG_LEVEL: info
+
+            probes:
+              liveness:
+                enabled: false
+
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                  - ALL
+
+            resources:
+              requests:
+                cpu: 50m
+                memory: 200Mi
+              limits:
+                memory: 400Mi
+
+    service:
+      app:
+        primary: true
+        controller: radarr
+        ports:
+          http:
+            port: *port
+
+    ingress:
+      internal:
+        enabled: true
+        className: nginx
+        hosts:
+          - host: "radarr.${LOCAL_DOMAIN}"
+            paths:
+              - path: /
+                pathType: Prefix
+                service:
+                  identifier: app
+                  port: http
+        tls:
+          - hosts:
+              - "radarr.${LOCAL_DOMAIN}"
+            secretName: local-mafyuh-dev-production-tls
+
+    persistence:
+      data:
+        enabled: true
+        type: nfs
+        server: "${NAS_IP}"
+        path: /mnt/thePool/thePoolShare
+        globalMounts:
+          - path: /data

kubernetes/apps/production/arr/radarr/ingress.yaml

@@ -1,22 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: radarr
-  namespace: arr
-spec:
-  ingressClassName: nginx
-  rules:
-    - host: "radarr.local.mafyuh.dev"
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: headless-radarr
-                port:
-                  number: 7878
-  tls:
-    - hosts:
-        - "radarr.local.mafyuh.dev"
-      secretName: local-mafyuh-dev-production-tls

kubernetes/apps/production/arr/radarr/kustomization.yaml

@@ -1,6 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - deployment.yaml
-  - service.yaml
-  - ingress.yaml
+  - helmrelease.yaml

kubernetes/apps/production/arr/radarr/service.yaml

@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: headless-radarr
-  namespace: arr
-spec:
-  selector:
-    app: radarr
-  ports:
-    - port: 7878
-      targetPort: 7878
-      protocol: TCP
-  type: ClusterIP

kubernetes/apps/production/cert-manager/issuers/secret-cf-token.yaml

@@ -5,7 +5,7 @@ metadata:
     namespace: cert-manager
 type: Opaque
 stringData:
-    cloudflare-token: ENC[AES256_GCM,data:QDWamL3h0NLZzezOq5Sxo64K+7nivtl2pmpCbWk6rUFzKXJR7ym6Mg==,iv:Uf6v8dHRvx7dFs9ES5e+YWIo12WtrrXqK1xJ8z/gOO4=,tag:6undZMM8eDXXRp12cRX+dA==,type:str]
+    cloudflare-token: ENC[AES256_GCM,data:9I2VZBJrnat4TZ50fEVGS+N2ba6OVUvJWodhZhHCMMQm3scJ9Rqgvg==,iv:u3yKtpXWObitpJ92Brd9VceIAjgCaXQ92J/VIgrN7SE=,tag:iJEGLae7Uvj+5PtkmKfYkw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -15,14 +15,14 @@ sops:
         - recipient: age18z6wevr8ze5azvq7nfty3l29s7887l8n5mefr64avhlthtr4uvnqw90nfs
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjRzV5Sy80OGJGQXRiNkND
-            azlFZG1CNllYbG5kQ0VHRXNhbjdRcEN6TUU0Ckc2RjMza2laWS9Zb21tNmE0eUw3
-            RG9SclYrWEFxYWs2ck95VWQ3MlJDUlEKLS0tIDg0dXYxZUFlUTNiQ2VWUElIdU1J
-            ajRYUzRGREhIenNjdnlwMmtvVCthTHMKI74UwAsVX1QKQSez4E+Ks9VAF2QwbRDa
-            rO/PdBYJK+MwCptCEiinxaSc5BDAyE0wYiC6Tmldz6ZHYTv1ADe21Q==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArSTBHMlNiaU1qMDdqdUtB
+            UkF4QmxwYURFWHVqeW1VRE4reXRGQVNzS25rCnlzOFNFUFprUzJET0Q2ZktkM3ZT
+            NHFYeFpKMW9Za2V5dGZ1NFRHeCt4azgKLS0tIFpIM3I3bmgyQ25nUUZCVWh0ZDd1
+            cWpzK3FuTC9McXdMUERvSUtVVzE0KzAKmU4J3YzOr5Xcr8eGtMoUJIT87biX/pkh
+            IHrrhcfYWr2JZY5BqC1AK6EN3+uNFqrKIs7MrV0Ogb5X02BP/9D77w==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-02-08T18:43:20Z"
-    mac: ENC[AES256_GCM,data:fuTN6KncxLvzw7o3ENVYKCIcmxDDbvOeIyfn/H1M5rtw3C8WiRnuz4XviYTh2y6EHv9FGEOI5RiRmtEtqiux7xn81DBobmAdgl/RFsrMsKus0SVpGn4PmZYfO/8R9xknyX93fbYicnahYpM3aHvwQx1njK64ywN+Hp0U+PZfMoQ=,iv:4EgN+gBOwkNty9uPSb1/wDOKTEHUUEtkeDEJDkB2/EE=,tag:Meb79CBfm3tot4vKf1OOmg==,type:str]
+    lastmodified: "2025-02-18T02:56:04Z"
+    mac: ENC[AES256_GCM,data:InOhXZOhW9mkXv7pYOxihCDbdswQyuC6g5xzb/0dBhq+j4tRz6MUGMyducc3WiPybMaCsBi7X50tOrcRhe4CyH//nr6N8xKaKhxQYgxt47QOakHhGPtNvyBCw4au21KF34ZIEN0jRKVryCYj2X3WD3tNT9jFn4FfgLUx6xx9WYg=,iv:FtkgRp7Ib5DLib0y617mdeVy/EHWKKNcG18wbR/lAdM=,tag:i+TFxjplYuRT1ZhqXfXeBw==,type:str]
     pgp: []
     encrypted_regex: ^(data|stringData)$
     version: 3.9.4

kubernetes/cluster/production/charts/bjw-s-chart.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: bjw-s
+  namespace: flux-system
+spec:
+  interval: 30m
+  url: https://bjw-s.github.io/helm-charts
+  timeout: 3m

kubernetes/cluster/production/charts/kustomization.yaml

@@ -1,5 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - flux.yaml
-  - qbitty-secrets.yaml
+- bjw-s-chart.yaml

kubernetes/cluster/production/config/cluster-config.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+    name: cluster-config
+    namespace: flux-system
+data:
+    TZ: "America/New_York"

kubernetes/cluster/production/config/cluster-secrets.yaml

@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: cluster-secrets
+    namespace: flux-system
+data:
+    PUBLIC_DOMAIN: ENC[AES256_GCM,data:M+nn0P7olNwEyc+3XUM37g==,iv:EHupf7+9evYWrJZNFGe/I0sgcocs0UnU2j5gcCsoMqs=,tag:9N7R8sgfA5y/ePoD/tepFw==,type:str]
+    LOCAL_DOMAIN: ENC[AES256_GCM,data:7ljyWJK8kOADFW5/uk9aNaRf7dnoTSqU,iv:ppr7vv8W2EfnF3b5rYBSXND/qNdQwZPEIMjAgae81+A=,tag:s7wybl3msr0RMyAAEej2jA==,type:str]
+    NAS_IP: ENC[AES256_GCM,data:z04M4Xe8lekw4zEqB6a2YQ==,iv:Qwgy94CR+jBvhCTOPa4dxxai0cidGt9BnSReUwedol8=,tag:Qnm/pxGTdMUUE59aOqObOg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18z6wevr8ze5azvq7nfty3l29s7887l8n5mefr64avhlthtr4uvnqw90nfs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUWmVDYWFUM2g1Z3A4L09y
+            VlJGNVNIb0o5ZkoyMXRLMFVDVjNtbllIVWhjClRaaDNPblI3amNSTjFXSmtJZ1kz
+            dVRqa05yZnJhblFaUW1IbnB5RXMyMzAKLS0tIGtyMnV4ZXlWclBRa1UrVkNPV0dh
+            UnJqT1FORU5SaGNTK0Y3V3RYMlRjeEkKQOfr3ruilfkb8lfuWrQaeB44b9nf+TSq
+            QgvmCElVNleZ369lr92ZfNQXgIehuVQku3h8xElXtL0SyZmRrbKneg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-02-18T03:04:17Z"
+    mac: ENC[AES256_GCM,data:kwxezyC/r2vsbCXAU6yGAjpzOQHuQZQvRDAl53ZT59DP9+P3rL+eRG6mpKPuack1TvlcQddUgFEMXxoilPcpiZpG967fLQlBIN+e61bGBsHiHT7zHcnudi33ZruAG1E/Fsx3qk/aQBak+C2j9JzuaApaDWx8Oboxkm4/Ks+wHI8=,iv:hOdZy2E3JmWX82jJAl8XalI4FaCVHfxBMWg7R2liWeA=,tag:on3NuJJTxp1+SEKsSnGYgA==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.4

kubernetes/cluster/production/config/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cluster-config.yaml
+  - qbitty-secrets.yaml
+  - cluster-secrets.yaml

kubernetes/cluster/production/flux-system/apps.yaml

@@ -17,4 +17,6 @@ spec:
   postBuild:
     substituteFrom:
       - kind: ConfigMap
-        name: cluster-config
+        name: cluster-config
+      - kind: Secret
+        name: cluster-secrets

kubernetes/cluster/production/flux-system/secrets.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: flux-system
 spec:
   interval: 5m
-  path: "./kubernetes/secrets"  
+  path: "./kubernetes/cluster/production/config"  
   sourceRef:
     kind: GitRepository
     name: flux-system 
@@ -14,3 +14,9 @@ spec:
     secretRef:
       name: sops-age
   prune: true
+  postBuild:
+    substituteFrom:
+      - kind: ConfigMap
+        name: cluster-config
+      - kind: Secret
+        name: cluster-secrets

kubernetes/cluster/production/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- charts/
+- config/
+- flux-system/

kubernetes/kustomization.yaml

@@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - apps/
-- cluster/production/flux-system/
+- cluster/production/

kubernetes/secrets/flux.yaml

@@ -1,28 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-    name: cluster-config
-    namespace: flux-system
-data:
-    LOCAL_DOMAIN: ENC[AES256_GCM,data:+MFh6JbregTAyBjQgfhjPQ==,iv:P6/9sySKhAjWKi8F09rEQ9RqyfMZRdSrGOHgfNI5ZNM=,tag:8ExXSkOegf97uqZAto310g==,type:str]
-    PUBLIC_DOMAIN: ENC[AES256_GCM,data:13kMLOeH00D7eXgdgWoRpA==,iv:0ptiPvI9v6rpupeIAe1R+5CkVvWIQjivJGNPJfr3MjI=,tag:WqyDKGxqFX/o2wK7Z9/i3A==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age18z6wevr8ze5azvq7nfty3l29s7887l8n5mefr64avhlthtr4uvnqw90nfs
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SXZ6TUdZTzJFMTg2cGQr
-            cktvVEhkL1krdm95cGpxcDAzc2t1VkxrbHdVCmRYQXoxNnA5YUdTS0tkNzA3MnJr
-            ZVZtKzhoaTVKTjBrdk1nb2RrMXRTL1UKLS0tIEdkTzlTOXRxak4xQ0tuam1PL2hw
-            M3RsQnNodHgvdU00YVA1cGZobVBLY1EKsLe8q0/W+OnSJ4sEnt4Xnw0eMUNLf9gG
-            zHXUoROb6nlqh03SH2SFoJuzc7jRYqHOOxXjnRcQcSTnyBi0jIT9/A==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-02-17T05:27:24Z"
-    mac: ENC[AES256_GCM,data:CdZrObeqXr+iJ2E9l5UGp0h9gZI7F3le9fj5zbHe4WjaS+HEPr9yaExG5AEpyLkW4BzjHoaLjFxbshec8PheWcWCEMIwIoJPRcI9ld7se01nz/SC7DJWT66otj7TZIwzi6/DmCVpsoXL2bYskmaExOk2l7DlijQ7lkevJupOKMI=,iv:CChtQxUUXIiSqmK99F5fQlvdmrjshWNoh7xSgrzxFto=,tag:Ph3SByrtOyNVBM4XcmH2Wg==,type:str]
-    pgp: []
-    encrypted_regex: ^(data|stringData)$
-    version: 3.9.4