ci: deploy kitchenowl via flux cd (kitchen.patanix.de, 5GiB PVC, SOPS)

apps/kitchenowl/certificate.yaml

@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: kitchenowl-tls
+  namespace: kitchenowl
+spec:
+  secretName: kitchenowl-tls
+  issuerRef:
+    name: letsencrypt-dns
+    kind: ClusterIssuer
+  commonName: kitchen.patanix.de
+  dnsNames:
+    - kitchen.patanix.de

apps/kitchenowl/deployment.yaml

@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kitchenowl
+  namespace: kitchenowl
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: kitchenowl
+  template:
+    metadata:
+      labels:
+        app: kitchenowl
+    spec:
+      containers:
+        - name: kitchenowl
+          image: 'tombursch/kitchenowl:latest'
+          env:
+            - name: SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: kitchenowl-secret
+                  key: KO_SECRET_KEY
+            - name: DB_TYPE
+              value: sqlite
+          volumeMounts:
+            - name: data
+              mountPath: /data
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: kitchenowl-data

apps/kitchenowl/ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: kitchenowl
+  namespace: kitchenowl
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-dns
+spec:
+  ingressClassName: traefik
+  rules:
+    - host: kitchen.patanix.de
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: kitchenowl
+                port:
+                  number: 80
+  tls:
+    - hosts:
+        - kitchen.patanix.de
+      secretName: kitchenowl-tls

apps/kitchenowl/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - pvc.yaml
+  - secret.yaml
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml
+  - certificate.yaml

apps/kitchenowl/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kitchenowl

apps/kitchenowl/pvc.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: kitchenowl-data
+  namespace: kitchenowl
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
+  storageClassName: local-path

apps/kitchenowl/secret.yaml

@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: kitchenowl-secret
+    namespace: kitchenowl
+type: Opaque
+stringData:
+    KO_SECRET_KEY: ENC[AES256_GCM,data:9Q4K1DMvJRDl72Q=,iv:DF3FaHwmLfSrN50L8O7/iUyXsF+ENEYIz5d3P7ZHbqk=,tag:JOzYcvIZNlRdimX5PLPV0A==,type:str]
+    KO_DB_PASSWORD: ENC[AES256_GCM,data:MeDzLSRNGDxuSKlZ/H5TKw==,iv:zJyTUJ5FqVYYAuSjTgPmvdRjHPSyjWZLm1su3o2siLg=,tag:iqvmA98wtmDDOPHcLpFLrw==,type:str]
+sops:
+    lastmodified: "2025-05-25T18:48:06Z"
+    mac: ENC[AES256_GCM,data:Yf4i9CMEsEY33d2R2JU56ghEpC7qlOQLC4f956f92mAls+fTfekzC1vpeMOHDup+4si3eBYdXKBMLnj0vuIcL5QSTRHLQgzAwRguqXEw/CL6zXD6cHwTyPbxWTLIob2NovIBonHVhIIKkaai2QGnJyrPN6EaTmXRMlYE5wKocxc=,iv:JVpj6i3ZtQMQ0JaoL5+fe8ZMi3ozG5xTcxSc9D9Drvg=,tag:Zw8jA5abHLkIIapS/tHRjg==,type:str]
+    pgp:
+        - created_at: "2025-05-25T18:48:06Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAxd/Yh1BfDklARAAmE6dV/SfdGurYL0RPTJ1J3BTmiGzd9BemsyIjoBtRaOS
+            bNa5woXTpGO+48QWztiuWOEoIx5RlZNFmtF/zFHSvsuZX9uW4TMQdPQRE4HOJBG8
+            ZxByyDyowLmvjH7O7U6BoFw9rlyiAxYknO96gGcKCtJAaHgpmnqzcDzyRicAB615
+            04AlR+ZQwbiI/FKO11tV8mlxnR4AiEpyVpggD8zV1pHjnuzZPSLx40vpyhqU5edT
+            U8ii22xlxO306ANsO5Kk/J14Dg0aiLZrLGON07Am0CIbrPewUh5cvDWbeBuMPC60
+            CbrA905lI5RrrjGMIEf5qs2z0S+W4RxcrB4gUAhauKqwx/iUj8s2UGZXunzz44jI
+            ylepfhmJmh0lCYpZZGV9vfw0Qnat/dzVWXyeS1BfOMMcksyiVLqPpvg7me6Bdlrd
+            SZ5FzLCnN9p+2OFO/wmUVMiIbYie8Del6FVvEZRxeKHCGXE0qWY/YLdvBTye4gWB
+            03/mqaxnoJS+HpwNk/H8tmmrzHaabiRxIcv7Sd7QUNLMDZZkusBDbMevASgE2gyu
+            5QkOZ28sMvYuyeDl97KJfS6QottLB6EPa8fjHREdfhHSe+vhvb5/v1irsKuaZnvc
+            FtnrdWYAlBMYRCHVeE595xW9HG2xWKdBlpY7z0b2R5wyrffxObuUChK6tD06N/7U
+            aAEJAhBJUGnyEpEtLGU18J9W5i0HVVxV96ArGvm2+2/5jzwH9/vcJrG06sSoCpvA
+            Su7QnsOau+wKD7eBw9BcNTIkERr1ggCYha9en+zYCdt2DGHIpOrqCQ2tF0+JkgD1
+            Pz17gB922Z4A
+            =+7KI
+            -----END PGP MESSAGE-----
+          fp: F20CF3DE0B4ACDFCAF07A9D76399FB237185E764
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2

apps/kitchenowl/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: kitchenowl
+  namespace: kitchenowl
+spec:
+  selector:
+    app: kitchenowl
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 8080

apps/kustomization.yaml

@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - home-assistant/
+  - kitchenowl/

clusters/production/cert-manager.yaml

@@ -1,4 +1,3 @@
-# Datei: infrastructure/kustomization-cert-manager.yaml
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:

clusters/production/kitchenowl.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: kitchenowl
+  namespace: flux-system
+spec:
+  interval: 10m
+  path: ../../infrastructure/apps/kitchenowl
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+

clusters/production/kustomization.yaml

@@ -2,5 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - cert-manager.yaml
+  - kitchenowl.yaml
   - ../../infrastructure
   - ../../apps