From a406d28ab8888f1ce8f00fd5f89fc1fe90220307 Mon Sep 17 00:00:00 2001
From: Tyler Perkins
Date: Sat, 27 Jan 2024 11:41:22 -0500
Subject: [PATCH] Add sealed secret
---
immich/helmrelease-immich.yaml | 110 +++++++++++++++++++++++++++++++++
immich/sealed-secret.yaml | 16 +++++
2 files changed, 126 insertions(+)
create mode 100644 immich/helmrelease-immich.yaml
create mode 100644 immich/sealed-secret.yaml
diff --git a/immich/helmrelease-immich.yaml b/immich/helmrelease-immich.yaml
new file mode 100644
index 0000000..edd6c37
--- /dev/null
+++ b/immich/helmrelease-immich.yaml
@@ -0,0 +1,110 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: immich
+ namespace: postgresql-system
+spec:
+ chart:
+ spec:
+ chart: immich
+ sourceRef:
+ kind: HelmRepository
+ name: immich
+ namespace: flux-system
+ interval: 15m0s
+ timeout: 5m
+ releaseName: immich
+ values:
+ ## This chart relies on the common library chart from bjw-s
+ ## You can find it at https://github.com/bjw-s/helm-charts/tree/main/charts/library/common
+ ## Refer there for more detail about the supported values
+
+ # These entries are shared between all the Immich components
+
+ env:
+ REDIS_HOSTNAME: 'redis-master.redis-system.svc.cluster.local'
+ DB_HOSTNAME: "postgresql.postgresql-system.svc.cluster.local"
+ DB_USERNAME: "{{ .Values.postgresql.global.postgresql.auth.username }}"
+ DB_DATABASE_NAME: "{{ .Values.postgresql.global.postgresql.auth.database }}"
+ # -- You should provide your own secret outside of this helm-chart and use `postgresql.global.postgresql.auth.existingSecret` to provide credentials to the postgresql instance
+ # See Secret in immich directory
+ DB_PASSWORD: "{{ .Values.postgresql.global.postgresql.auth.password }}"
+ IMMICH_MACHINE_LEARNING_URL: '{{ printf "http://%s-machine-learning:3003" .Release.Name }}'
+
+ image:
+ tag: v1.91.4
+
+ immich:
+ persistence:
+ # Main data store for all photos shared between different components.
+ library:
+ # Automatically creating the library volume is not supported by this chart
+ # You have to specify an existing PVC to use
+ existingClaim:
+
+ # Dependencies
+
+ postgresql:
+ enabled: false
+ image:
+ repository: tensorchord/pgvecto-rs
+ tag: pg14-v0.1.11
+ global:
+ postgresql:
+ auth:
+ existingSecret: immich-secret
+ primary:
+ initdb:
+ scripts:
+ create-extensions.sql: |
+ CREATE EXTENSION cube;
+ CREATE EXTENSION earthdistance;
+ CREATE EXTENSION vectors;
+
+ redis:
+ enabled: false
+ architecture: standalone
+ auth:
+ enabled: false
+
+ # Immich components
+
+ server:
+ enabled: true
+ image:
+ repository: ghcr.io/immich-app/immich-server
+ pullPolicy: IfNotPresent
+
+ ingress:
+ main:
+ enabled: false
+ annotations:
+ # proxy-body-size is set to 0 to remove the body limit on file uploads
+ nginx.ingress.kubernetes.io/proxy-body-size: "0"
+ hosts:
+ - host: immich.local
+ paths:
+ - path: "/"
+ tls: []
+
+ microservices:
+ enabled: true
+ image:
+ repository: ghcr.io/immich-app/immich-server
+ pullPolicy: IfNotPresent
+
+ machine-learning:
+ enabled: true
+ image:
+ repository: ghcr.io/immich-app/immich-machine-learning
+ pullPolicy: IfNotPresent
+ env:
+ TRANSFORMERS_CACHE: /cache
+ persistence:
+ cache:
+ enabled: true
+ size: 10Gi
+ # Optional: Set this to pvc to avoid downloading the ML models every start.
+ type: emptyDir
+ accessMode: ReadWriteMany
+ # storageClass: your-class
diff --git a/immich/sealed-secret.yaml b/immich/sealed-secret.yaml
new file mode 100644
index 0000000..b8d3ad1
--- /dev/null
+++ b/immich/sealed-secret.yaml
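Review bot: `DB_USERNAME`, `DB_DATABASE_NAME` and `DB_PASSWORD` under `values.env` are templated from `.Values.postgresql.global.postgresql.auth.*`, but this release sets only `existingSecret` under that path, so the rendered values come from whatever the chart defaults to (not visible here) rather than from `immich-secret`. As written, the sealed secret added in immich/sealed-secret.yaml is never read by the Immich containers, and a password rendered from values ends up in plain text in the rendered pod spec. Assuming the common library accepts `valueFrom` on env entries, I would reference the secret's `username`, `database` and `password` keys directly, as in the excerpt below. Indentation in the excerpt is relative, because the page has lost the file's original indent.

```yaml
env:
  # … unchanged: REDIS_HOSTNAME, DB_HOSTNAME …
  DB_USERNAME:
    valueFrom:
      secretKeyRef:
        name: immich-secret
        key: username
  DB_DATABASE_NAME:
    valueFrom:
      secretKeyRef:
        name: immich-secret
        key: database
  DB_PASSWORD:
    valueFrom:
      secretKeyRef:
        name: immich-secret
        key: password
  # … unchanged: IMMICH_MACHINE_LEARNING_URL …
```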
@@ -0,0 +1,16 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: immich-secret
+ namespace: immich-ns
+spec:
+ encryptedData:
+ database: 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
+ password: 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
+ username: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: immich-secret
+ namespace: immich-ns
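Review bot: `namespace: immich-ns` on this SealedSecret does not match `namespace: postgresql-system` on the HelmRelease in immich/helmrelease-immich.yaml. Unless the release is given a target namespace somewhere outside this patch, the unsealed `immich-secret` will be created in a namespace the Immich pods do not run in, and a Secret can only be referenced from its own namespace. Under sealed-secrets' default strict scope the ciphertext is bound to the secret's name and namespace, so editing the `namespace` fields here is not enough. Either move the HelmRelease to `immich-ns` or reseal the three values for the namespace the release actually uses. A short header comment such as `# strict-scoped to immich-ns/immich-secret; reseal if name or namespace changes` would record that constraint for the next editor.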