add AGENT.md for creating apps

.github/workflows/main.yml

@@ -55,10 +55,12 @@ jobs:
 
       - name: Install dependencies
         run: pnpm install
+        working-directory: operator
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Run tests
+        working-directory: operator
         run: pnpm test
 
   update-release-draft:
@@ -82,7 +84,7 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Upload Release Asset
-        id: upload-release-asset 
+        id: upload-release-asset
         uses: actions/upload-release-asset@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -90,4 +92,4 @@ jobs:
           upload_url: ${{ steps.create-release.outputs.upload_url }}
           asset_path: ./operator.yaml
           asset_name: operator.yaml
-          asset_content_type: application/yaml
+          asset_content_type: application/yaml

.github/workflows/publish-tag.yml

@@ -3,7 +3,7 @@ name: Publish tag
 on:
   push:
     branches:
-      - 'main'
+      - "main"
     tags:
       - "v*"
 
@@ -52,7 +52,7 @@ jobs:
         id: push
         uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
         with:
-          context: .
+          context: ./operator
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
@@ -62,4 +62,4 @@ jobs:
         with:
           subject-name: ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME}}
           subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
+          push-to-registry: true

.gitignore

@@ -1,38 +1,2 @@
-# dependencies (bun install)
-node_modules
-
-# output
-out
-dist
-*.tgz
-
-# code coverage
-coverage
-*.lcov
-
-# logs
-logs
-_.log
-report.[0-9]_.[0-9]_.[0-9]_.[0-9]_.json
-
-# dotenv environment variable files
-.env
-.env.development.local
-.env.test.local
-.env.production.local
-.env.local
-
-# caches
-.eslintcache
-.cache
-*.tsbuildinfo
-
-# IntelliJ based IDEs
-.idea
-
-# Finder (MacOS) folder config
-.DS_Store
-
+/secret.*.yaml
 /data/
-
-/cloudflare.yaml

.python-version

@@ -1 +0,0 @@
-3.13

charts/apps/AGENT.md

@@ -0,0 +1,136 @@
+# Agent Documentation
+
+This document describes how to create a new application chart for the homelab operator.
+
+## Chart Structure
+
+Each application has its own chart located in a directory under `charts/apps`. The chart should contain the following files:
+
+- `Chart.yaml`: The chart metadata.
+- `values.yaml`: The default values for the chart.
+- `templates/`: A directory containing the Kubernetes resource templates.
+
+## Custom Resources
+
+The homelab operator uses several custom resources to manage applications. These resources are defined in the `templates` directory of the chart.
+
+### `PostgresDatabase`
+
+If the application requires a PostgreSQL database, you can create a `PostgresDatabase` resource. The operator will automatically create a database and a secret containing the connection details. The secret will have the same name as the release with a `-pg-connection` postfix.
+
+Example:
+
+```yaml
+# templates/database.yaml
+apiVersion: homelab.mortenolsen.pro/v1
+kind: PostgresDatabase
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  environment: "{{ .Values.globals.environment }}"
+```
+
+The secret has the following values:
+
+- `database`: name of the created database
+- `host`: the hostname of the postgres server
+- `port`: the port of the postgres server
+- `url`: combined url in the format `postgresql://{user}:{password}@{host}:{port}/{database}`
+
+### `OidcClient`
+
+If the application requires OIDC authentication, you can create an `OidcClient` resource. The operator will automatically create an OIDC client and a secret containing the client ID and secret. The secret will have the same name as the release with a `-client` postfix.
+
+You need to specify the redirect URIs for the OIDC client. The subdomain is taken from the `values.yaml` file.
+
+Example:
+
+```yaml
+# templates/client.yaml
+apiVersion: homelab.mortenolsen.pro/v1
+kind: OidcClient
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  environment: "{{ .Values.globals.environment }}"
+  redirectUris:
+    - path: /user/oauth2/Authentik/callback
+      subdomain: "{{ .Values.subdomain }}"
+      matchingMode: strict
+```
+
+The secret has the following value:
+
+- `authorization`: Authorization endpoint
+- `clientId`
+- `clientSecret`
+- `configuration`: autodiscovery endpoint
+- `configurationIssuer`: issuer url
+- `endSession`: end session endpoint
+- `jwks`: jwks endpoint
+- `token`: token endpoint
+- `userinfo`: user info endpoint
+
+### `HttpService` and `ExternalHttpService`
+
+To expose the application, you can use either an `HttpService` or an `ExternalHttpService` resource.
+
+- `HttpService`: This will expose the application through the Istio gateway. This is for internal access only.
+- `ExternalHttpService`: This will expose the application through a CloudFlare tunnel. This is for external access.
+
+Both resources take a `subdomain` and a `destination` as parameters. The `destination` is the Kubernetes service to route traffic to.
+
+Example of `HttpService`:
+
+```yaml
+# templates/http-service.yaml
+apiVersion: homelab.mortenolsen.pro/v1
+kind: HttpService
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  environment: "{{ .Values.globals.environment }}"
+  subdomain: "{{ .Values.subdomain }}"
+  destination:
+    host: "{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local"
+    port:
+      number: 80
+```
+
+Example of `ExternalHttpService`:
+
+```yaml
+# templates/external-http-service.yaml
+apiVersion: homelab.mortenolsen.pro/v1
+kind: ExternalHttpService
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  environment: "{{ .Values.globals.environment }}"
+  subdomain: "{{ .Values.subdomain }}"
+  destination:
+    host: "{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local"
+    port:
+      number: 80
+```
+
+## `values.yaml`
+
+The `values.yaml` file should contain the following values:
+
+- `globals.environment`: The environment the application is running in (e.g., `prod`, `dev`).
+- `image.repository`: The Docker image repository.
+- `image.tag`: The Docker image tag.
+- `subdomain`: The subdomain for the application.
+
+Example:
+
+```yaml
+# values.yaml
+globals:
+  environment: prod
+image:
+  repository: docker.gitea.com/gitea
+  tag: latest
+subdomain: gitea
+```

charts/apps/coder/templates/client.yaml

@@ -0,0 +1,10 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: OidcClient
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  redirectUris:
+    - path: /api/v2/users/oidc/callback
+      subdomain: '{{ .Values.subdomain }}'
+      matchingMode: strict

charts/apps/coder/templates/deployment.yaml

@@ -0,0 +1,73 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: '{{ .Release.Name }}'
+  template:
+    metadata:
+      labels:
+        app: '{{ .Release.Name }}'
+    spec:
+      serviceAccountName: '{{ .Release.Name }}-serviceaccount'
+      containers:
+        - name: '{{ .Release.Name }}'
+          image: '{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+          imagePullPolicy: '{{ .Values.image.pullPolicy }}'
+          ports:
+            - name: http
+              containerPort: 7080
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: http
+          readinessProbe:
+            tcpSocket:
+              port: http
+          volumeMounts:
+            - mountPath: /home/coder/.config
+              name: data
+          env:
+            - name: CODER_HTTP_ADDRESS
+              value: '0.0.0.0:7080'
+            - name: CODER_OIDC_ALLOWED_GROUPS
+              value: admin
+            - name: CODER_OIDC_GROUP_FIELD
+              value: groups
+            - name: CODER_ACCESS_URL
+              value: https://coder.olsen.cloud
+            - name: CODER_OIDC_ICON_URL
+              value: https://authentik.olsen.cloud/static/dist/assets/icons/icon.png
+            - name: CODER_DISABLE_PASSWORD_AUTH
+              value: 'true'
+            - name: CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS
+              value: 'false'
+            - name: CODER_OIDC_SIGN_IN_TEXT
+              value: 'Sign in with OIDC'
+            - name: CODER_OIDC_SCOPES
+              value: openid,profile,email,offline_access
+            - name: CODER_OIDC_ISSUER_URL
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-client'
+                  key: configurationIssuer
+            - name: CODER_OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-client'
+                  key: clientId
+            - name: CODER_OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-client'
+                  key: clientSecret
+
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: '{{ .Release.Name }}-data'

charts/apps/coder/templates/http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: HttpService
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  subdomain: '{{ .Values.subdomain }}'
+  destination:
+    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
+    port:
+      number: 80

charts/apps/coder/templates/role.yaml

@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: '{{ .Release.Name }}-workspace-creator'
+rules:
+  - apiGroups: [''] # "" indicates the core API group (for Pods, PVCs, Services)
+    resources: ['pods', 'pods/exec', 'pods/log', 'persistentvolumeclaims', 'services']
+    verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
+  - apiGroups: ['apps'] # For Deployments, StatefulSets
+    resources: ['deployments', 'statefulsets']
+    verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
+  - apiGroups: ['networking.k8s.io'] # For Ingresses
+    resources: ['ingresses']
+    verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
+  - apiGroups: ['events.k8s.io'] # For events related to workspace activity
+    resources: ['events']
+    verbs: ['create', 'patch', 'update'] # Coder might create events for workspace lifecycle
+  # Add any other resources that Coder workspace templates might create (e.g., secrets, configmaps)
+  # - apiGroups: [""]
+  #   resources: ["secrets", "configmaps"]
+  #   verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

charts/apps/coder/templates/rolebinding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: '{{ .Release.Name }}-workspace-creator-binding'
+  namespace: '{{ .Release.Namespace }}'
+subjects:
+  - kind: ServiceAccount
+    name: '{{ .Release.Name }}-serviceaccount'
+    namespace: '{{ .Release.Namespace }}'
+roleRef:
+  kind: ClusterRole
+  name: '{{ .Release.Name }}-workspace-creator'
+  apiGroup: rbac.authorization.k8s.io

charts/apps/coder/templates/service.yaml

@@ -8,7 +8,7 @@ spec:
   type: ClusterIP
   ports:
     - port: 80
-      targetPort: 3000
+      targetPort: 7080
       protocol: TCP
       name: http
   selector:

charts/apps/coder/templates/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: '{{ .Release.Name }}-serviceaccount'
+  namespace: '{{ .Release.Namespace }}'

charts/apps/coder/values.yaml

@@ -0,0 +1,7 @@
+globals:
+  environment: prod
+image:
+  repository: ghcr.io/coder/coder
+  tag: latest
+  pullPolicy: IfNotPresent
+subdomain: coder

charts/apps/gitea/templates/_runner-deployment.yaml

@@ -0,0 +1,36 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: '{{ .Release.Name }}-runner'
+  labels:
+    app: '{{ .Release.Name }}-runner'
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: '{{ .Release.Name }}-runner'
+  template:
+    metadata:
+      labels:
+        app: '{{ .Release.Name }}-runner'
+    spec:
+      containers:
+        - name: '{{ .Release.Name }}-runner'
+          image: docker.io/gitea/act_runner:latest-dind-rootless
+          env:
+            - name: GITEA_INSTANCE_URL
+              value: '{{ .Release.Name }}'
+            - name: GITEA_RUNNER_NAME
+            - name: GITEA_RUNNER_REGISTRATION_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-runner'
+                  key: registration_token
+            - name: DOCKER_HOST
+              value: tcp://localhost:2376
+            - name: DOCKER_CERT_PATH
+              value: /certs/client
+            - name: DOCKER_TLS_VERIFY
+              value: '1'
+          securityContext:
+            privileged: true

charts/apps/gitea/templates/deployment.yaml

@@ -22,6 +22,9 @@ spec:
             - name: http
               containerPort: 3000
               protocol: TCP
+            - name: ssh
+              containerPort: 22
+              protocol: TCP
           livenessProbe:
             tcpSocket:
               port: http
@@ -40,8 +43,8 @@ spec:
               value: '1000'
             - name: GITEA__service__REQUIRE_EXTERNAL_REGISTRATION_PASSWORD
               value: 'true'
-            - name: GITEA__service__ENABLE_BASIC_AUTHENTICATION
-              value: 'true'
+            #- name: GITEA__service__ENABLE_BASIC_AUTHENTICATION
+            #  value: 'true'
             - name: GITEA__service__ENABLE_PASSWORD_SIGNIN_FORM
               value: 'false'
             - name: GITEA__service__DEFAULT_KEEP_EMAIL_PRIVATE

charts/apps/gitea/templates/service.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: '{{ .Release.Name }}'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 3000
+      protocol: TCP
+      name: http
+  selector:
+    app: '{{ .Release.Name }}'
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: '{{ .Release.Name }}-ssh'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  type: LoadBalancer
+  ports:
+    - port: 2202
+      targetPort: 22
+      protocol: TCP
+      name: ssh
+  selector:
+    app: '{{ .Release.Name }}'

charts/apps/harbor/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: monitoring

charts/apps/harbor/templates/helm.yaml

@@ -0,0 +1,38 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  interval: 1h
+  url: https://helm.goharbor.io
+
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  chart:
+    spec:
+      chart: harbor
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        apiVersion: source.toolkit.fluxcd.io/v1
+        kind: HelmRepository
+        name: '{{ .Release.Name }}'
+        namespace: '{{ .Release.Namespace }}'
+  interval: 1h
+  values:
+    persistence:
+      persistentVolumeClaim:
+        registry:
+          storageClass: '{{ .Values.globals.environment }}'
+        jobservice:
+          jobLog:
+            storageClass: '{{ .Values.globals.environment }}'
+        database:
+          storageClass: '{{ .Values.globals.environment }}'
+        redis:
+          storageClass: '{{ .Values.globals.environment }}'
+        trivy:
+          storageClass: '{{ .Values.globals.environment }}'

charts/apps/harbor/templates/http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: HttpService
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  subdomain: '{{ .Values.subdomain }}'
+  destination:
+    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
+    port:
+      number: 80

charts/apps/harbor/values.yaml

@@ -0,0 +1,3 @@
+globals:
+  environment: prod
+subdomain: harbor

charts/apps/headscale/templates/service.yaml

@@ -11,9 +11,22 @@ spec:
       targetPort: 8080
       protocol: TCP
       name: http
-    - name: wireguard-udp # TODO: should this be a LB service?
-      port: 41641
-      targetPort: 41641
-      protocol: UDP
+  selector:
+    app: '{{ .Release.Name }}'
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: '{{ .Release.Name }}-headscale'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  type: LoadBalancer
+  ports:
+    - port: 41641
+      targetPort: 41641
+      protocol: UDP
+      name: wireguard-udp
   selector:
     app: '{{ .Release.Name }}'

charts/apps/openwebui/Chart.yaml

@@ -1,3 +1,3 @@
 apiVersion: v2
 version: 1.0.0
-name: root
+name: openwebui

charts/apps/openwebui/templates/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: '{{ .Release.Name }}-data'
+spec:
+  accessModes:
+    - 'ReadWriteOnce'
+  resources:
+    requests:
+      storage: '1Gi'
+  storageClassName: '{{ .Values.globals.environment }}'

charts/apps/root/templates/apps.yaml

@@ -1,33 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: homelab-apps
-  namespace: '{{ .Values.env }}-argo'
-spec:
-  generators:
-    - git:
-      repoURL: '{{ .Values.repo }}'
-      revision: '{{ .Values.ref }}'
-      directories:
-        - path: charts/apps/*
-          include: '.*'
-          exclude: '.*.disabled'
-  template:
-    metadata:
-      name: '{{`{{path.basename}}`}}'
-    spec:
-      project: default
-      source:
-        repoURL: '{{ .Values.repo }}'
-        targetRevision: '{{ .Values.ref }}'
-        path: charts/apps/{{`{{path.basename}}`}}
-        helm:
-          values: |
-            globals: {{ .Values.globals | toYaml | nindent 14 }}
-      destination:
-        server: https://kubernetes.default.svc
-        namespace: '{{ .Values.globals.env }}'
-      syncPolicy:
-        automated:
-          prune: true
-          selfHeal: true

charts/apps/root/templates/root.yaml

@@ -1,21 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: homelab-root
-  namespace: '{{ .Values.globals.env }}-argo'
-spec:
-  project: default
-  source:
-    repoURL: '{{ .Values.repo }}'
-    targetRevision: '{{ .Values.ref }}'
-    path: charts/root
-    helm:
-      valueFiles:
-        - values.yaml
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: '{{ .Values.globals.env }}-argo'
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true

charts/apps/root/values.yaml

@@ -1,4 +0,0 @@
-globals:
-  env: prod
-repo: https://github.com/morten-olsen/homelab-operator.git
-ref: HEAD