feat: setup staging Temporal with CNPG

+269
+6
platform/staging/dex.yaml
··· 51 51 KHUEDOAN_PASSWORD_HASH: vault:secret/data/dex/auth#KHUEDOAN_PASSWORD_HASH 52 52 ACTUALBUDGET_CLIENT_SECRET: vault:secret/data/actualbudget/auth#client_secret 53 53 FORGEJO_CLIENT_SECRET: vault:secret/data/forgejo/oauth#secret 54 + TEMPORAL_CLIENT_SECRET: vault:secret/data/temporal/oauth#client_secret 54 55 --- 55 56 apiVersion: helm.toolkit.fluxcd.io/v2 56 57 kind: HelmRelease ··· 112 113 redirectURIs: 113 114 - "https://code.staging.khuedoan.com/user/oauth2/SSO/callback" 114 115 secretEnv: FORGEJO_CLIENT_SECRET 116 + - id: temporal 117 + name: Temporal 118 + redirectURIs: 119 + - "https://temporal.staging.khuedoan.com/auth/sso/callback" 120 + secretEnv: TEMPORAL_CLIENT_SECRET 115 121 podAnnotations: 116 122 istio.io/dataplane-mode: ambient 117 123 resources:
+5
platform/staging/namespaces.yaml
··· 39 39 kind: Namespace 40 40 forceRename: istio-system 41 41 spec: {} 42 + temporal: 43 + apiVersion: v1 44 + kind: Namespace 45 + forceRename: temporal 46 + spec: {}
+246
platform/staging/temporal.yaml
··· 1 + apiVersion: source.toolkit.fluxcd.io/v1 2 + kind: HelmRepository 3 + metadata: 4 + name: temporal 5 + namespace: flux-system 6 + spec: 7 + type: oci 8 + interval: 1h 9 + url: oci://registry.registry.svc.cluster.local:5000/vendor/charts/temporal 10 + --- 11 + apiVersion: helm.toolkit.fluxcd.io/v2 12 + kind: HelmRelease 13 + metadata: 14 + name: temporal-secrets 15 + namespace: flux-system 16 + spec: 17 + interval: 30m 18 + dependsOn: 19 + - name: platform-namespaces 20 + - name: vault 21 + - name: vault-secrets-webhook 22 + releaseName: temporal-secrets 23 + targetNamespace: temporal 24 + install: 25 + createNamespace: true 26 + remediation: 27 + retries: -1 28 + chart: 29 + spec: 30 + chart: app-template 31 + version: 4.6.0 32 + sourceRef: 33 + kind: HelmRepository 34 + name: app-template 35 + values: 36 + rawResources: 37 + temporal-db-app: 38 + apiVersion: v1 39 + kind: Secret 40 + forceRename: temporal-db-app 41 + annotations: 42 + vault.security.banzaicloud.io/vault-addr: http://vault.vault.svc.cluster.local:8200 43 + vault.security.banzaicloud.io/vault-role: default 44 + vault.security.banzaicloud.io/vault-path: kubernetes 45 + spec: 46 + type: kubernetes.io/basic-auth 47 + stringData: 48 + username: temporal 49 + password: vault:secret/data/temporal/postgresql#password 50 + temporal-web: 51 + apiVersion: v1 52 + kind: Secret 53 + forceRename: temporal-web 54 + annotations: 55 + vault.security.banzaicloud.io/vault-addr: http://vault.vault.svc.cluster.local:8200 56 + vault.security.banzaicloud.io/vault-role: default 57 + vault.security.banzaicloud.io/vault-path: kubernetes 58 + spec: 59 + stringData: 60 + TEMPORAL_AUTH_CLIENT_SECRET: vault:secret/data/temporal/oauth#client_secret 61 + --- 62 + apiVersion: helm.toolkit.fluxcd.io/v2 63 + kind: HelmRelease 64 + metadata: 65 + name: temporal-postgres 66 + namespace: flux-system 67 + spec: 68 + interval: 30m 69 + dependsOn: 70 + - name: platform-namespaces 71 + - name: cnpg 72 + - name: temporal-secrets 73 + 
releaseName: temporal-postgres 74 + targetNamespace: temporal 75 + install: 76 + createNamespace: true 77 + remediation: 78 + retries: -1 79 + chart: 80 + spec: 81 + chart: app-template 82 + version: 4.6.0 83 + sourceRef: 84 + kind: HelmRepository 85 + name: app-template 86 + values: 87 + rawResources: 88 + cluster: 89 + apiVersion: postgresql.cnpg.io/v1 90 + kind: Cluster 91 + forceRename: temporal-postgres 92 + spec: 93 + spec: 94 + imageName: >- 95 + registry.registry.svc.cluster.local/vendor/images/cloudnative-pg/postgresql:17.6-system-trixie 96 + instances: 1 97 + bootstrap: 98 + initdb: 99 + database: temporal 100 + owner: temporal 101 + secret: 102 + name: temporal-db-app 103 + storage: 104 + size: 5Gi 105 + visibility-database: 106 + apiVersion: postgresql.cnpg.io/v1 107 + kind: Database 108 + forceRename: temporal-visibility 109 + spec: 110 + spec: 111 + cluster: 112 + name: temporal-postgres 113 + name: temporal_visibility 114 + owner: temporal 115 + --- 116 + apiVersion: helm.toolkit.fluxcd.io/v2 117 + kind: HelmRelease 118 + metadata: 119 + name: temporal 120 + namespace: flux-system 121 + spec: 122 + interval: 30m 123 + dependsOn: 124 + - name: dex 125 + - name: temporal-secrets 126 + - name: temporal-postgres 127 + chart: 128 + spec: 129 + chart: temporal 130 + version: 0.58.0 131 + sourceRef: 132 + kind: HelmRepository 133 + name: temporal 134 + releaseName: temporal 135 + targetNamespace: temporal 136 + install: 137 + createNamespace: true 138 + remediation: 139 + retries: -1 140 + values: 141 + additionalLabels: 142 + istio.io/dataplane-mode: ambient 143 + cassandra: 144 + enabled: false 145 + mysql: 146 + enabled: false 147 + elasticsearch: 148 + enabled: false 149 + prometheus: 150 + enabled: false 151 + grafana: 152 + enabled: false 153 + schema: 154 + createDatabase: 155 + enabled: false 156 + server: 157 + replicaCount: 1 158 + config: 159 + namespaces: 160 + create: true 161 + namespace: 162 + - name: default 163 + retention: 3d 164 + 
persistence: 165 + defaultStore: default 166 + default: 167 + driver: sql 168 + sql: 169 + driver: postgres12 170 + host: temporal-postgres-rw 171 + port: 5432 172 + database: temporal 173 + user: temporal 174 + existingSecret: temporal-db-app 175 + visibility: 176 + driver: sql 177 + sql: 178 + driver: postgres12 179 + host: temporal-postgres-rw 180 + port: 5432 181 + database: temporal_visibility 182 + user: temporal 183 + existingSecret: temporal-db-app 184 + web: 185 + additionalEnv: 186 + - name: TEMPORAL_DISABLE_WRITE_ACTIONS 187 + value: "true" 188 + - name: TEMPORAL_AUTH_ENABLED 189 + value: "true" 190 + - name: TEMPORAL_AUTH_PROVIDER_URL 191 + value: "https://dex.staging.khuedoan.com" 192 + - name: TEMPORAL_AUTH_ISSUER_URL 193 + value: "https://dex.staging.khuedoan.com" 194 + - name: TEMPORAL_AUTH_CLIENT_ID 195 + value: "temporal" 196 + - name: TEMPORAL_AUTH_CALLBACK_URL 197 + value: "https://temporal.staging.khuedoan.com/auth/sso/callback" 198 + - name: TEMPORAL_AUTH_SCOPES 199 + value: "openid,profile,email" 200 + additionalEnvSecretName: temporal-web 201 + --- 202 + apiVersion: helm.toolkit.fluxcd.io/v2 203 + kind: HelmRelease 204 + metadata: 205 + name: temporal-config 206 + namespace: flux-system 207 + spec: 208 + interval: 30m 209 + dependsOn: 210 + - name: platform-namespaces 211 + - name: istio-gateway 212 + - name: temporal 213 + releaseName: temporal-config 214 + targetNamespace: temporal 215 + install: 216 + createNamespace: true 217 + remediation: 218 + retries: -1 219 + chart: 220 + spec: 221 + chart: app-template 222 + version: 4.6.0 223 + sourceRef: 224 + kind: HelmRepository 225 + name: app-template 226 + values: 227 + rawResources: 228 + temporal-route: 229 + apiVersion: gateway.networking.k8s.io/v1 230 + kind: HTTPRoute 231 + forceRename: temporal 232 + spec: 233 + spec: 234 + parentRefs: 235 + - name: gateway 236 + namespace: istio-system 237 + hostnames: 238 + - temporal.staging.khuedoan.com 239 + rules: 240 + - matches: 241 + - path: 
242 + type: PathPrefix 243 + value: / 244 + backendRefs: 245 + - name: temporal-web 246 + port: 8080
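Review bot: The SSO variables under `web.additionalEnv` and `TEMPORAL_DISABLE_WRITE_ACTIONS` only govern the web UI; the `server` values in this release set no authorization or TLS for the Temporal frontend, so as far as this file shows, any in-cluster client that can reach the frontend service can call the workflow API unauthenticated. If that is not intended for staging, restrict the frontend port with a mesh or network policy scoped to the expected worker namespaces, or configure the server's authorizer and claim mapper against the Dex issuer. Separately, both Secrets in `temporal-secrets` authenticate with `vault-role: default` over `http://vault.vault.svc.cluster.local:8200`. A dedicated role, e.g. `vault.security.banzaicloud.io/vault-role: temporal` bound to a policy for `secret/data/temporal/*` only, would keep this namespace from reading other applications' paths, and it is worth confirming that ambient mTLS actually covers the webhook-to-Vault hop.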
+12
settings.yaml
··· 24 24 secret/actualbudget/auth: 25 25 client_secret: 26 26 type: random 27 + secret/temporal/oauth: 28 + client_secret: 29 + type: random 30 + secret/temporal/postgresql: 31 + password: 32 + type: random 27 33 secret/dex/auth: 28 34 ADMIN_PASSWORD_HASH: 29 35 type: manual ··· 58 64 chart: dex 59 65 versions: 60 66 - 0.23.0 67 + vendor/charts/temporal: 68 + kind: chart 69 + repo_url: https://go.temporal.io/helm-charts 70 + chart: temporal 71 + versions: 72 + - 0.58.0 61 73 vendor/images/dexidp/dex: 62 74 kind: image 63 75 source: ghcr.io/dexidp/dex
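Review bot: The new `vendor/charts/temporal` entry mirrors the chart, but no `vendor/images/...` entries are added for the images the Temporal chart deploys, whereas Dex has both a chart and an image entry (`vendor/images/dexidp/dex`) and the CNPG image in `temporal.yaml` is pulled from the internal registry. The `temporal` HelmRelease values do not override any image repository either, so unless a registry mirror rewrites those pulls, the Temporal workloads will fetch images from the public registry at whatever tags the chart defaults to, outside the vendoring path. Consider adding the images here and pointing the chart's image values at the internal registry, and pin by digest if the vendoring tool supports it.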