Piotr Dobrowolski | 7ad415f | 2022-04-30 12:55:26 +0200 | [diff] [blame] | 1 | # kubectl -n paperless create secret generic paperless-proxy --from-literal=cookie_secret=$(pwgen 32 1) --from-literal=oidc_secret=... |
| 2 | # kubectl -n paperless create secret generic paperless --from-literal=postgres_password=$(pwgen 32 1) --from-literal=redis_password=$(pwgen 32 1) --from-literal=secret_key=$(pwgen 32 1) |
| 3 | |
| 4 | # There is no way of handling superusers (Admin panel access) automatically when |
| 5 | # using OAuth2-Proxy, thus we need to run the following command to mark the |
| 6 | # first user as such: |
| 7 | # kubectl -n paperless exec -it deploy/paperless -c paperless -- python ./manage.py shell -c "from django.contrib.auth.models import User; u = User.objects.get_by_natural_key('informatic'); u.is_superuser = True; u.is_staff = True; u.save()" |
| 8 | |
| 9 | local kube = import "../../kube/kube.libsonnet"; |
| 10 | local postgres = import "../../kube/postgres.libsonnet"; |
| 11 | local redis = import "../../kube/redis.libsonnet"; |
| 12 | |
| 13 | { |
| 14 | local app = self, |
| 15 | local cfg = self.cfg, |
| 16 | |
| 17 | cfg:: { |
| 18 | namespace: "paperless", |
| 19 | domain: "paperless.hackerspace.pl", |
| 20 | |
| 21 | images: { |
| 22 | paperless: "registry.k0.hswaw.net/informatic/paperless-ngx@sha256:78b17e3050f7edea1e8c659c433ebcb6365bb93280a2698e3322075f988b1f41", |
| 23 | proxy: "quay.io/oauth2-proxy/oauth2-proxy:v7.2.1", |
| 24 | }, |
| 25 | |
| 26 | storageClassName: "waw-hdd-redundant-3", |
| 27 | }, |
| 28 | |
| 29 | ns: kube.Namespace(cfg.namespace), |
| 30 | |
| 31 | redis: redis { |
| 32 | cfg+: { |
| 33 | namespace: cfg.namespace, |
| 34 | storageClassName: cfg.storageClassName, |
| 35 | appName: "paperless", |
| 36 | image: "redis:6.0", |
| 37 | password: { secretKeyRef: { name: "paperless", key: "redis_password" } }, |
| 38 | }, |
| 39 | }, |
| 40 | |
| 41 | postgres: postgres { |
| 42 | cfg+: { |
| 43 | namespace: cfg.namespace, |
| 44 | appName: "paperless", |
| 45 | database: "paperless", |
| 46 | username: "paperless", |
| 47 | |
| 48 | password: { secretKeyRef: { name: "paperless", key: "postgres_password" } }, |
| 49 | storageClassName: cfg.storageClassName, |
| 50 | storageSize: "20Gi", |
| 51 | }, |
| 52 | bouncer: {}, |
| 53 | }, |
| 54 | |
| 55 | dataVolume: app.ns.Contain(kube.PersistentVolumeClaim("paperless-data")) { |
| 56 | spec+: { |
| 57 | storageClassName: cfg.storageClassName, |
| 58 | accessModes: [ "ReadWriteOnce" ], |
| 59 | resources: { |
| 60 | requests: { |
| 61 | storage: "100Gi", |
| 62 | }, |
| 63 | }, |
| 64 | }, |
| 65 | }, |
| 66 | |
| 67 | deploy: app.ns.Contain(kube.Deployment("paperless")) { |
| 68 | spec+: { |
| 69 | replicas: 1, |
| 70 | template+: { |
| 71 | spec+: { |
| 72 | volumes_: { |
| 73 | data: kube.PersistentVolumeClaimVolume(app.dataVolume), |
| 74 | }, |
| 75 | |
| 76 | securityContext: { |
| 77 | runAsUser: 1000, |
| 78 | runAsGroup: 1000, |
| 79 | fsGroup: 1000, |
| 80 | }, |
| 81 | |
| 82 | default_container:: "auth", |
| 83 | containers_: { |
| 84 | auth: kube.Container("authproxy") { |
| 85 | image: cfg.images.proxy, |
| 86 | ports_: { |
| 87 | http: { containerPort: 8001 }, |
| 88 | }, |
| 89 | |
| 90 | env_: { |
| 91 | OAUTH2_PROXY_UPSTREAMS: "http://127.0.0.1:8000", |
| 92 | OAUTH2_PROXY_HTTP_ADDRESS: "0.0.0.0:8001", |
| 93 | |
| 94 | OAUTH2_PROXY_COOKIE_SECRET: { secretKeyRef: { name: "paperless-proxy", key: "cookie_secret" } }, |
| 95 | |
| 96 | OAUTH2_PROXY_PROVIDER: "oidc", |
| 97 | OAUTH2_PROXY_OIDC_ISSUER_URL: "https://sso.hackerspace.pl", |
| 98 | OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true", |
| 99 | |
| 100 | OAUTH2_PROXY_CLIENT_ID: "b4859334-140b-432a-81f6-8f3e135e021a", |
| 101 | OAUTH2_PROXY_CLIENT_SECRET: { secretKeyRef: { name: "paperless-proxy", key: "oidc_secret" } }, |
| 102 | |
| 103 | OAUTH2_PROXY_EMAIL_DOMAINS: "*", |
| 104 | OAUTH2_PROXY_ALLOWED_GROUPS: "zarzad", |
| 105 | |
| 106 | # Security considerations: |
| 107 | # |
| 108 | # * OAuth2-Proxy *will* strip X-Forwarded-User |
| 109 | # header from requests passed through to |
| 110 | # endpoint, preventing authentication bypass |
| 111 | # |
| 112 | # * OAuth2-Proxy *will not* strip Authorization |
| 113 | # header - that can either be a user token, |
| 114 | # or a username/password pair. Former can only |
| 115 | # be generated by staff/superuser in Admin |
| 116 | # panel, and the latter will not work for our |
| 117 | # OAuth2 autogenerated users since these do |
| 118 | # not have any password set |
| 119 | OAUTH2_PROXY_SKIP_AUTH_ROUTES: "^/api/.*", |
| 120 | }, |
| 121 | }, |
| 122 | |
| 123 | paperless: kube.Container("paperless") { |
| 124 | image: cfg.images.paperless, |
| 125 | resources: { |
| 126 | requests: { cpu: "500m", memory: "1024M" }, |
| 127 | limits: { cpu: "4", memory: "6144M" }, |
| 128 | }, |
| 129 | env_: { |
| 130 | PAPERLESS_PORT: "8000", |
| 131 | |
| 132 | PAPERLESS_SECRET_KEY: { secretKeyRef: { name: "paperless", key: "secret_key" } }, |
| 133 | |
| 134 | A_REDIS_PASSWORD: app.redis.cfg.password, |
| 135 | PAPERLESS_REDIS: "redis://:$(A_REDIS_PASSWORD)@redis:6379", |
| 136 | |
| 137 | PAPERLESS_DBHOST: "postgres", |
| 138 | PAPERLESS_DBNAME: app.postgres.cfg.database, |
| 139 | PAPERLESS_DBUSER: app.postgres.cfg.username, |
| 140 | PAPERLESS_DBPASS: app.postgres.cfg.password, |
| 141 | |
| 142 | PAPERLESS_ENABLE_HTTP_REMOTE_USER: "true", |
| 143 | PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME: "HTTP_X_FORWARDED_USER", |
| 144 | |
| 145 | PAPERLESS_OCR_LANGUAGE: "pol", |
| 146 | PAPERLESS_OCR_MODE: "force", |
| 147 | PAPERLESS_DATE_ORDER: "YMD", |
| 148 | }, |
| 149 | |
| 150 | volumeMounts: [ |
| 151 | { name: "data", mountPath: "/usr/src/paperless/data", subPath: "data" }, |
| 152 | { name: "data", mountPath: "/usr/src/paperless/media", subPath: "media" }, |
| 153 | { name: "data", mountPath: "/usr/src/paperless/consume", subPath: "consume" }, |
| 154 | ], |
| 155 | }, |
| 156 | }, |
| 157 | }, |
| 158 | }, |
| 159 | }, |
| 160 | }, |
| 161 | |
| 162 | service: app.ns.Contain(kube.Service("paperless")) { |
| 163 | target_pod:: app.deploy.spec.template, |
| 164 | }, |
| 165 | |
| 166 | ingress: app.ns.Contain(kube.Ingress("paperless")) { |
| 167 | metadata+: { |
| 168 | annotations+: { |
| 169 | "kubernetes.io/tls-acme": "true", |
Piotr Dobrowolski | 7e84106 | 2023-04-23 11:36:15 +0200 | [diff] [blame] | 170 | "cert-manager.io/cluster-issuer": "letsencrypt-prod", |
Piotr Dobrowolski | 7ad415f | 2022-04-30 12:55:26 +0200 | [diff] [blame] | 171 | "nginx.ingress.kubernetes.io/proxy-body-size": "0", |
| 172 | }, |
| 173 | }, |
| 174 | spec+: { |
| 175 | tls: [ { hosts: [ cfg.domain ], secretName: "paperless-tls" } ], |
| 176 | rules: [ |
| 177 | { |
| 178 | host: cfg.domain, |
| 179 | http: { |
| 180 | paths: [ |
| 181 | { path: "/", backend: app.service.name_port }, |
| 182 | ], |
| 183 | }, |
| 184 | }, |
| 185 | ], |
| 186 | }, |
| 187 | } |
| 188 | } |