added using general node pool and overlays for auth or no_auth

affinity7software · affinity7software · commit 8584b1f603e8 · 2025-08-03T13:10:45.000+01:00
this assumes an internal treafik class templating of namespace, cluster and dns zone. this can be built with K8s-build and deployed with K8s-deploy.
diff --git a/k8s/base/deployment.yaml b/k8s/base/deployment.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: k8s-restart
+  namespace: kube-system
 spec:
   replicas: 1
   selector:
@@ -12,22 +13,12 @@ spec:
       labels:
         app: k8s-restart
     spec:
-      serviceAccountName: k8s-restart
       containers:
       - name: k8s-restart
         image: ghcr.io/gitopsmanager/k8s-restart:latest
         ports:
         - containerPort: 80
         env:
         - name: ENABLE_BASIC_AUTH
-          value: "true"
-        - name: BASIC_AUTH_USER
-          valueFrom:
-            secretKeyRef:
-              name: k8s-restart-auth
-              key: user
-        - name: BASIC_AUTH_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: k8s-restart-auth
-              key: password
+          value: "false"
+
diff --git a/k8s/base/ingress.yaml b/k8s/base/ingress.yaml
@@ -2,14 +2,40 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: k8s-restart
+  namespace: ${NAMESPACE}
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.entrypoints: web
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-redirect-to-https@kubernetescrd
 spec:
   rules:
-  - http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: k8s-restart
-            port:
-              number: 80
+    - host: ${CLUSTER_NAME}-${NAMESPACE}-k8s-restart.${DNS_ZONE}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: k8s-restart
+                port:
+                  number: 80
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: k8s-restart-ingressroute
+  namespace: ${NAMESPACE}
+  annotations:
+    kubernetes.io/ingress.class: traefik-internal
+    traefik.ingress.kubernetes.io/logs: "true"
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`${CLUSTER_NAME}-${NAMESPACE}-k8s-restart.${DNS_ZONE}`)
+      kind: Rule
+      services:
+        - name: k8s-restart
+          port: 80
+  tls: {}
+
diff --git a/k8s/base/k8s-restart-auth.yaml b/k8s/base/k8s-restart-auth.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: k8s-restart-auth
+  namespace: kube-system  
+type: Opaque
+data:
+  user: YWRtaW4=
+  password: Q2hhbmdlIE1l
diff --git a/k8s/base/service.yaml b/k8s/base/service.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: k8s-restart
+  namespace: kube-system
 spec:
   selector:
     app: k8s-restart
diff --git a/k8s/overlays/auth/affinity-taint-patch.yaml b/k8s/overlays/auth/affinity-taint-patch.yaml
@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: k8s-restart
+spec:
+  template:
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: sku
+                    operator: In
+                    values:
+                      - general
+      tolerations:
+        - key: "sku"
+          operator: "Equal"
+          value: "general"
+          effect: "NoSchedule"
diff --git a/k8s/overlays/auth/env-secret-patch.yaml b/k8s/overlays/auth/env-secret-patch.yaml
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: k8s-restart
+spec:
+  template:
+    spec:
+      containers:
+        - name: k8s-restart
+          env:
+            - name: ENABLE_BASIC_AUTH
+              value: "true"
+            - name: BASIC_AUTH_USER
+              valueFrom:
+                secretKeyRef:
+                  name: k8s-restart-auth
+                  key: user
+            - name: BASIC_AUTH_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: k8s-restart-auth
+                  key: password
diff --git a/k8s/overlays/auth/kustomization.yaml b/k8s/overlays/auth/kustomization.yaml
@@ -0,0 +1,12 @@
+resources:
+  - ../base
+
+patches:
+  - path: affinity-taint-patch.yaml
+    target:
+      kind: Deployment
+      name: k8s-restart
+  - path: env-secret-patch.yaml
+    target:
+      kind: Deployment
+      name: k8s-restart
diff --git a/k8s/overlays/no-auth/affinity-taint-patch.yaml b/k8s/overlays/no-auth/affinity-taint-patch.yaml
@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: k8s-restart
+spec:
+  template:
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: sku
+                    operator: In
+                    values:
+                      - general
+      tolerations:
+        - key: "sku"
+          operator: "Equal"
+          value: "general"
+          effect: "NoSchedule"
diff --git a/k8s/overlays/no-auth/kustomization.yaml b/k8s/overlays/no-auth/kustomization.yaml
@@ -0,0 +1,8 @@
+resources:
+  - ../base
+
+patches:
+  - path: affinity-taint-patch.yaml
+    target:
+      kind: Deployment
+      name: k8s-restart
