From 9e62b870a1dfe95fb189aab4e245b475bf5e8dac Mon Sep 17 00:00:00 2001 From: James Pace Date: Fri, 17 Mar 2023 22:24:08 -0400 Subject: [PATCH] Add Kanboard. Really bad notes... --- cluster-v2-design.md | 79 ++++++++++++++++--- .../kanboard/manifests/deployment.yaml | 63 +++++++++++++++ infra-cluster/kanboard/manifests/ingress.yaml | 21 +++++ infra-cluster/kanboard/manifests/pvc.yaml | 12 +++ infra-cluster/kanboard/manifests/service.yaml | 13 +++ .../kanboard/namespaces/kanboard.yaml | 4 + .../secrets/kanboard-cookie-sealed.yaml | 16 ++++ 7 files changed, 195 insertions(+), 13 deletions(-) create mode 100644 infra-cluster/kanboard/manifests/deployment.yaml create mode 100644 infra-cluster/kanboard/manifests/ingress.yaml create mode 100644 infra-cluster/kanboard/manifests/pvc.yaml create mode 100644 infra-cluster/kanboard/manifests/service.yaml create mode 100644 infra-cluster/kanboard/namespaces/kanboard.yaml create mode 100644 infra-cluster/kanboard/secrets/kanboard-cookie-sealed.yaml diff --git a/cluster-v2-design.md b/cluster-v2-design.md index 618a564..7bf1380 100644 --- a/cluster-v2-design.md +++ b/cluster-v2-design.md @@ -542,13 +542,11 @@ Add to server: PublicKey = <> AllowedIPs = 10.100.100.7/32 -# j7s k3s node -[Peer] -PublicKey = <> -AllowedIPs = 10.100.100.8/32 - -sudo systemctl restart wg-quick@wg0 -``` +# Add to systemd +sudo systemctl enable wg-quick@wg0.service +sudo systemctl daemon-reload +sudo systemctl start wg-quick@wg0 + ``` Tried using nm below, moved to wg-quick for consistency. ``` @@ -560,12 +558,7 @@ nmcli con import type wireguard file /etc/wireguard/wg0.conf sudo cp wg0.conf /etc/wireguard/wg0.conf sudo chown root:root /etc/wireguard/wg0.conf wg-quick up wg0 - -# Add to systemd -sudo systemctl enable wg-quick@wg0.service -sudo systemctl daemon-reload -sudo systemctl start wg-quick@wg0 - ``` +``` Harbor Login: 
@@ -586,3 +579,63 @@ configs: ca_file: /etc/rancher/k3s/harbor_tls.crt ``` +Kanboard: + +Get PV Name: +``` +kubectl describe pvc kanboard-pvc --context k3s +``` +Use PV name to locate directory: +``` +kubectl describe pv pvc-89a4265c-b39c-4628-9e6b-df091fae4fd8 --context k3s +``` + +Can tell on `k3s-node1` at `/var/lib/rancher/k3s/storage/pvc-89a4265c-b39c-4628-9e6b-df091fae4fd8_default_kanboard-pvc` + + +``` +ssh jimmy@192.168.1.135 +sudo su +cd /var/lib/rancher/k3s/storage/pvc-89a4265c-b39c-4628-9e6b-df091fae4fd8_default_kanboard-pvc +tar cvpzf /home/jimmy/kanboard-pvc.tar.gz . +exit +cd ~ +sudo chown jimmy:jimmy kanboard-pvc.tar.gz +exit +scp jimmy@192.168.1.135:~/kanboard-pvc.tar.gz /tmp/kanboard-pvc.tar.gz +``` +Apply PVC. +Want: `volumeBindingMode: Immediate` +``` +kubectl apply manifests --context infra + + +kubectl describe pvc kanboard-pvc --context infra --namespace kanboard +kubectl describe pv pvc-fe710c38-52ce-495b-bb8d-bea48222a21b --namespace kanboard +``` + +``` +scp /tmp/kanboard-pvc.tar.gz jimmy@192.168.1.112:. +ssh jimmy@192.168.1.112 +sudo su +chown root:root ./kanboard-pvc.tar.gz +cd /var/lib/rancher/k3s/storage/pvc-fe710c38-52ce-495b-bb8d-bea48222a21b_kanboard_kanboard-pvc +rm -rf * +tar xpvzf /home/jimmy/kanboard-pvc.tar.gz +exit +exit +kubectl apply -f manifests/ +``` +Make secret: +``` +cat kanboard-cookie.yaml | kubeseal --format yaml > kanboard-cookie-sealed.yaml +``` + +Where should I proxy to? +``` +kubectl -n ingress-nginx get svc +ngress-nginx-controller LoadBalancer 10.45.94.103 192.168.1.112 80:31566/TCP,443:32594/TCP 23d +``` +> 10.100.100.7:31566 + + diff --git a/infra-cluster/kanboard/manifests/deployment.yaml b/infra-cluster/kanboard/manifests/deployment.yaml new file mode 100644 index 0000000..24c25a9 --- /dev/null +++ b/infra-cluster/kanboard/manifests/deployment.yaml 
@@ -0,0 +1,63 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kanboard-deployment
+ namespace: kanboard
+ labels:
+ app: kanboard
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: kanboard
+ template:
+ metadata:
+ labels:
+ app: kanboard
+ spec:
+ containers:
+ - name: oauth-proxy
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
+ args:
+ - --cookie-secret=`$COOKIE_SECRET`
+ - --cookie-secure=false
+ - --email-domain=*
+ - --provider=keycloak-oidc
+ - --client-id=kanboard
+ - --client-secret=oT6dMBS87jc385utLumMoffJ9MqLEGRY
+ - --redirect-url=https://kanboard.jpace121.net
+ - --oidc-issuer-url=https://auth.jpace121.net/realms/jpace121-main
+ - --reverse-proxy=true
+ - --upstream=http://localhost:80/
+ - --http-address=0.0.0.0:8080
+ ports:
+ - containerPort: 8080
+ env:
+ - name: COOKIE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: kanboard-cookie
+ key: cookie-secret
+ - name: kanboard-app
+ image: harbor.internal.jpace121.net/k8s/kanboard:latest
+ ports:
+ - containerPort: 80
+ - containerPort: 443
+ env:
+ - name: DATABASE_URL
+ value: "postgres://postgres:jdsjkksksklw@localhost/kanboard"
+ - name: kanboard-db
+ image: docker.io/library/postgres:bullseye
+ env:
+ - name: POSTGRES_DB
+ value: "kanboard"
+ - name: POSTGRES_PASSWORD
+ value: "jdsjkksksklw"
+ volumeMounts:
+ - name: db-storage
+ mountPath: "/var/lib/postgresql/data"
+ volumes:
+ - name: db-storage
+ persistentVolumeClaim:
+ claimName: kanboard-pvc
\ No newline at end of file
diff --git a/infra-cluster/kanboard/manifests/ingress.yaml b/infra-cluster/kanboard/manifests/ingress.yaml
new file mode 100644
index 0000000..9b24d4b
--- /dev/null
+++ b/infra-cluster/kanboard/manifests/ingress.yaml
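Review bot: In the `oauth-proxy` container's `args`, the backtick-wrapped `$COOKIE_SECRET` passed to `--cookie-secret=` is never expanded, because Kubernetes only substitutes the `$(VAR)` form in `args`. oauth2-proxy therefore receives the literal text from this file (which appears to be 16 characters, a length it accepts) and the sealed `kanboard-cookie` value goes unused. Change the line to `- --cookie-secret=$(COOKIE_SECRET)`, or drop the flag and rename the env var to `OAUTH2_PROXY_COOKIE_SECRET`. The same manifest commits `--client-secret` in plaintext and repeats the Postgres password in `DATABASE_URL` and `POSTGRES_PASSWORD`; these should come from `secretKeyRef` entries backed by SealedSecrets, as the cookie does, and the committed values should be rotated. `--cookie-secure=false` next to an https `--redirect-url` also needs a comment explaining why the Secure flag is turned off.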
@@ -0,0 +1,21 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: kanboard-ingress
+ namespace: kanboard
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-buffering: "on"
+ nginx.ingress.kubernetes.io/proxy-buffer-size: "512k"
+spec:
+ rules:
+ - host: kanboard.jpace121.net
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: kanboard-service
+ port:
+ number: 80
\ No newline at end of file
diff --git a/infra-cluster/kanboard/manifests/pvc.yaml b/infra-cluster/kanboard/manifests/pvc.yaml
new file mode 100644
index 0000000..5ea2198
--- /dev/null
+++ b/infra-cluster/kanboard/manifests/pvc.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: kanboard-pvc
+ namespace: kanboard
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 2Gi
diff --git a/infra-cluster/kanboard/manifests/service.yaml b/infra-cluster/kanboard/manifests/service.yaml
new file mode 100644
index 0000000..fe53a37
--- /dev/null
+++ b/infra-cluster/kanboard/manifests/service.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: kanboard-service
+ namespace: kanboard
+spec:
+ selector:
+ app: kanboard
+ ports:
+ - protocol: TCP
+ targetPort: 8080
+ port: 80
\ No newline at end of file
diff --git a/infra-cluster/kanboard/namespaces/kanboard.yaml b/infra-cluster/kanboard/namespaces/kanboard.yaml
new file mode 100644
index 0000000..8a4613c
--- /dev/null
+++ b/infra-cluster/kanboard/namespaces/kanboard.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: kanboard
diff --git a/infra-cluster/kanboard/secrets/kanboard-cookie-sealed.yaml b/infra-cluster/kanboard/secrets/kanboard-cookie-sealed.yaml
new file mode 100644
index 0000000..1925c36
--- /dev/null
+++ b/infra-cluster/kanboard/secrets/kanboard-cookie-sealed.yaml
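Review bot: The Ingress in `ingress.yaml` has no `spec.tls` block and no `ingressClassName`, so as written the controller serves `kanboard.jpace121.net` over plain HTTP and the resource depends on whichever ingress class is the cluster default. If TLS is terminated at an external proxy in front of the cluster (the design notes hint at that, but it is not visible in this hunk), a comment above `rules:` such as `# TLS terminated upstream; this hop is HTTP only` would make the trust boundary explicit. Otherwise add a `tls:` entry listing the host and a certificate secret, and set `ingressClassName` explicitly. This matters more here because the proxied app carries OIDC session cookies.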
@@ -0,0 +1,16 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: kanboard-cookie
+ namespace: kanboard
+spec:
+ encryptedData:
+ cookie-secret: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: kanboard-cookie
+ namespace: kanboard
+ type: Opaque
+