docs: Various Kubernetes deployment improvements (hoarder-app#862)

* changed the secrets from configmap to secret object, create ingress instead of loadbalancer.

Implemented the generation of a secret from the .env file and then put as environment variables into the deployments.
Nextauth_URL is now set in the kustomization file and is then generated into a configmap and put as an env into the deployments.
Opionated change: the web service is now a clusterIP Service and an ingress object is included.

* changed the tls secret name in kustomize to a more example name

* fixed image name in kustomization so the version tag gets replaced properly

* tags are without v, otherwise we get an imagepullerror

* removed unneccessary parts of the .env.sample

* split env and secrets, added documentation, created sample ingress.

changed the default from ingress back to Loadbalancer.
Added Documentation on how to change to ingress and add TLS Support.

split env to secret and env file which have to be configured before deploying.

Author: techtrd

docs/docs/02-Installation/04-kubernetes.md

@@ -10,15 +10,20 @@
 
 You can clone the repository and copy the `/kubernetes` directory into another directory of your choice.
 
-### 2. Populate the environment variables
+### 2. Populate the environment variables and secrets
 
-To configure the app, edit the configuration in `.env`.
+To configure the app, copy the `.env_sample` to `.env` and change to your specific needs.
 
-
-You **should** change the random strings. You can use `openssl rand -base64 36` to generate the random strings. You should also change the `NEXTAUTH_URL` variable to point to your server address.
+You should also change the `NEXTAUTH_URL` variable to point to your server address.
 
 Using `HOARDER_VERSION=release` will pull the latest stable version. You might want to pin the version instead to control the upgrades (e.g. `HOARDER_VERSION=0.10.0`). Check the latest versions [here](https://github.com/hoarder-app/hoarder/pkgs/container/hoarder-web).
 
+To see all available configuration options check the [documentation](https://docs.hoarder.app/configuration).
+
+To configure the neccessary secrets for the application copy the `.secrets_sample` file to `.secrets` and change the sample secrets to your generated secrets.
+
+> Note: You **should** change the random strings. You can use `openssl rand -base64 36` to generate the random strings. 
+
 ### 3. Setup OpenAI
 
 To enable automatic tagging, you'll need to configure OpenAI. This is optional though but highly recommended.
@@ -56,16 +61,52 @@ make deploy
 
 ### 5. Access the service
 
+#### via LoadBalancer IP
+
 By default, these manifests expose the application as a LoadBalancer Service. You can run `kubectl get services` to identify the IP of the loadbalancer for your service.
 
 Then visit `http://<loadbalancer-ip>:3000` and you should be greated with the Sign In page.
 
 > Note: Depending on your setup you might want to expose the service via an Ingress, or have a different means to access it.
 
+#### Via Ingress
+
+If you want to use an ingress, you can customize the sample ingress in the kubernetes folder and change the host to the DNS name of your choice.
+
+After that you have to configure the web service to the type ClusterIP so it is only reachable via the ingress.
+
+If you have already deployed the service you can patch the web service to the type ClusterIP with the following command:
+
+` kubectl -n hoarder patch service web -p '{"spec":{"type":"ClusterIP"}}' `
+
+Afterwards you can apply the ingress and access the service via your chosen URL.
+
+#### Setting up HTTPS access to the Service
+
+To access hoarder securely you can configure the ingress to use a preconfigured TLS certificate. This requires that you already have the needed files, namely your .crt and .key file, on hand.
+
+After you have deployed the hoarder manifests you can deploy your certificate for hoarder in the `hoarder` namespace with this example command. You can name the secret however you want. But be aware that the secret name in the ingress definition has to match the secret name.
+
+` $ kubectl --namespace hoarder create secret tls hoarder-web-tls --cert=/path/to/crt --key=/path/to/key `
+
+If the secret is successfully created you can now configure the Ingress to use TLS via this changes to the spec:
+
+```` yaml
+ spec:
+  tls:
+  - hosts:
+      - hoarder.example.com
+    secretName: hoarder-web-tls
+````
+
+> Note: Be aware that the hosts have to match between the tls spec and the HTTP spec.
+
 ### [Optional] 6. Setup quick sharing extensions
 
 Go to the [quick sharing page](/quick-sharing) to install the mobile apps and the browser extensions. Those will help you hoard things faster!
 
 ## Updating
 
 Edit the `HOARDER_VERSION` variable in the `kustomization.yaml` file and run `make clean deploy`.
+
+If you have chosen `release` as the image tag you can also destroy the web pod, since the deployment has an ImagePullPolicy set to always the pod always pulls the image from the registry, this way we can ensure that the newest release image is pulled.

kubernetes/.env_sample

@@ -1,6 +1,3 @@
-HOARDER_VERSION=release
-# Use `openssl rand -base64 36` to generate the random strings
-NEXTAUTH_SECRET=generated_secret
-MEILI_MASTER_KEY=generated_secret
+# Put your configuration options here
 NEXTAUTH_URL=http://localhost:3000
-NEXT_PUBLIC_SECRET="my-super-duper-secret-string"
+HOARDER_VERSION=release

kubernetes/.secrets_sample

@@ -0,0 +1,4 @@
+# Use `openssl rand -base64 36` to generate the random strings
+NEXTAUTH_SECRET=generated_secret
+MEILI_MASTER_KEY=generated_secret
+NEXT_PUBLIC_SECRET="my-super-duper-secret-string"

kubernetes/ingress_sample.yaml

@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: hoarder-web-ingress
+  namespace: hoarder
+spec:
+  rules:
+  - host: "hoarder.example.com"
+    http:
+      paths:
+      - path: "/"
+        pathType: Prefix
+        backend:
+          service:
+            name: "web"
+            port:
+              number: 3000

kubernetes/kustomization.yaml

@@ -3,10 +3,15 @@ kind: Kustomization
 
 namespace: hoarder
 
-configMapGenerator:
+secretGenerator:
 - envs:
-  - .env
-  name: hoarder-env
+  - .secrets
+  name: hoarder-secrets
+
+configMapGenerator:
+  - envs:
+    - .env
+    name: hoarder-configuration
 
 resources:
 - namespace.yaml
@@ -23,7 +28,7 @@ replacements:
 - source:
     fieldPath: data.HOARDER_VERSION
     kind: ConfigMap
-    name: hoarder-env
+    name: hoarder-configuration
     version: v1
   targets:
   - fieldPaths:
@@ -35,4 +40,4 @@ replacements:
       group: apps
       kind: Deployment
       name: web
-      version: v1
+      version: v1

kubernetes/meilisearch-deployment.yaml

@@ -22,8 +22,10 @@ spec:
             - mountPath: /meili_data
               name: meilisearch
           envFrom:
+            - secretRef:
+                name: hoarder-secrets
             - configMapRef:
-                name: hoarder-env
+                name: hoarder-configuration
       volumes:
         - name: meilisearch
           persistentVolumeClaim:

kubernetes/web-deployment.yaml

@@ -14,7 +14,8 @@ spec:
     spec:
       containers:
         - name: web
-          image: ghcr.io/hoarder-app/hoarder:HOARDER_VERSION_PLACEHOLDER
+          image: ghcr.io/hoarder-app/hoarder
+          imagePullPolicy: Always
           ports:
             - containerPort: 3000
           env:
@@ -29,8 +30,10 @@ spec:
             - mountPath: /data
               name: data
           envFrom:
+            - secretRef:
+                name: hoarder-secrets
             - configMapRef:
-                name: hoarder-env
+                name: hoarder-configuration
       volumes:
         - name: data
           persistentVolumeClaim: