2026-01-02 17:31:03 +00:00
parent e6edf654b9
commit 1f6594d1e3
31 changed files with 3459 additions and 51 deletions
@@ -0,0 +1,54 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: gohoarder-config
namespace: default
data:
config.yaml: |
server:
host: "0.0.0.0"
port: 8080
read_timeout: 30s
write_timeout: 30s
cache:
max_size_bytes: 10737418240 # 10GB
default_ttl: 24h
cleanup_interval: 1h
storage:
backend: filesystem
path: /var/lib/gohoarder/cache
metadata:
backend: sqlite
connection: /var/lib/gohoarder/gohoarder.db
security:
enabled: true
providers:
- osv
- github
severity_threshold: medium
block_on_vulnerability: false
rescan_interval: 24h
handlers:
npm:
enabled: true
upstream_registry: "https://registry.npmjs.org"
pypi:
enabled: true
upstream_index: "https://pypi.org/simple"
go:
enabled: true
upstream_proxy: "https://proxy.golang.org"
checksum_db: "https://sum.golang.org"
# Path to git credentials file (mounted from Secret)
git_credentials_file: /etc/gohoarder/git-credentials.json
logging:
level: info
format: json
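Review bot: `block_on_vulnerability: false` sits under a `security:` section that is `enabled: true`, and if the key does what its name suggests, packages at or above `severity_threshold` are still handed to clients after being flagged — a surprising default for a registry cache and worth stating explicitly. If report-only mode is intentional, put that next to the key: `# report-only: flagged packages are still served; set true to refuse them`. This ConfigMap is also created in `namespace: default`, while the all-in-one manifest in the same commit creates its own `gohoarder` namespace with an empty ConfigMap of the same name, so the two manifests cannot be combined without editing one of them. The `git_credentials_file` path presumably matches the single-pod deployment's Secret mount; the all-in-one manifest does not mount that file, so the Go handler there will run without git credentials.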
@@ -0,0 +1,502 @@
# GoHoarder - Kubernetes Deployment (All-in-One)
# This manifest deploys all GoHoarder services under a single ingress
#
# Usage:
# kubectl create namespace gohoarder
# kubectl apply -f deployment-all-in-one.yaml -n gohoarder
#
# Prerequisites:
# - Kubernetes 1.19+
# - Ingress controller (nginx, traefik, etc.)
# - Persistent volume provisioner
# - Optional: cert-manager for TLS certificates
---
# Namespace
apiVersion: v1
kind: Namespace
metadata:
name: gohoarder
labels:
app.kubernetes.io/name: gohoarder
app.kubernetes.io/component: namespace
---
# ConfigMap for application configuration
apiVersion: v1
kind: ConfigMap
metadata:
name: gohoarder-config
namespace: gohoarder
labels:
app.kubernetes.io/name: gohoarder
app.kubernetes.io/component: config
data:
# Add your configuration here or mount from a file
# config.yaml: |
# server:
# port: 8080
# ...
---
# PersistentVolumeClaim for cache storage
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gohoarder-cache
namespace: gohoarder
labels:
app.kubernetes.io/name: gohoarder
app.kubernetes.io/component: storage
spec:
accessModes:
- ReadWriteMany # Multiple pods can access for scanner + server
resources:
requests:
storage: 100Gi
# storageClassName: your-storage-class # Specify your storage class
---
# PersistentVolumeClaim for metadata storage
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gohoarder-metadata
namespace: gohoarder
labels:
app.kubernetes.io/name: gohoarder
app.kubernetes.io/component: storage
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
# storageClassName: your-storage-class
---
# Deployment - Application Server
apiVersion: apps/v1
kind: Deployment
metadata:
name: gohoarder-server
namespace: gohoarder
labels:
app.kubernetes.io/name: gohoarder
app.kubernetes.io/component: server
spec:
replicas: 2
selector:
matchLabels:
app.kubernetes.io/name: gohoarder
app.kubernetes.io/component: server
template:
metadata:
labels:
app.kubernetes.io/name: gohoarder
app.kubernetes.io/component: server
spec:
containers:
- name: server
image: ghcr.io/lukaszraczylo/gohoarder-server:latest
imagePullPolicy: Always
ports:
- name: http
containerPort: 8080
protocol: TCP
- name: metrics
containerPort: 9090
protocol: TCP
env:
- name: CONFIG_FILE
value: /config/config.yaml
- name: STORAGE_BACKEND
value: filesystem
- name: STORAGE_PATH
value: /data/cache
- name: DB_PATH
value: /data/metadata/gohoarder.db
- name: LOG_LEVEL
value: info
- name: LOG_FORMAT
value: json
volumeMounts:
- name: cache
mountPath: /data/cache
- name: metadata
mountPath: /data/metadata
- name: config
mountPath: /config
readOnly: true
livenessProbe:
exec:
command:
- /usr/local/bin/gohoarder
- version
initialDelaySeconds: 5
periodSeconds: 30
timeoutSeconds: 10
readinessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
resources:
requests:
cpu: 500m
memory: 512Mi
limits:
cpu: 2000m
memory: 2Gi
volumes:
- name: cache
persistentVolumeClaim:
claimName: gohoarder-cache
- name: metadata
persistentVolumeClaim:
claimName: gohoarder-metadata
- name: config
configMap:
name: gohoarder-config
---
# Service - Application Server
apiVersion: v1
kind: Service
metadata:
name: gohoarder-server
namespace: gohoarder
labels:
app.kubernetes.io/name: gohoarder
app.kubernetes.io/component: server
spec:
type: ClusterIP
ports:
- name: http
port: 8080
targetPort: http
protocol: TCP
- name: metrics
port: 9090
targetPort: metrics
protocol: TCP
selector:
app.kubernetes.io/name: gohoarder
app.kubernetes.io/component: server
---
# Deployment - Frontend
apiVersion: apps/v1
kind: Deployment
metadata:
name: gohoarder-frontend
namespace: gohoarder
labels:
app.kubernetes.io/name: gohoarder
app.kubernetes.io/component: frontend
spec:
replicas: 2
selector:
matchLabels:
app.kubernetes.io/name: gohoarder
app.kubernetes.io/component: frontend
template:
metadata:
labels:
app.kubernetes.io/name: gohoarder
app.kubernetes.io/component: frontend
spec:
containers:
- name: frontend
image: ghcr.io/lukaszraczylo/gohoarder-frontend:latest
imagePullPolicy: Always
ports:
- name: http
containerPort: 80
protocol: TCP
env:
- name: API_BASE_URL
value: /api
- name: APP_VERSION
value: "1.0.0"
- name: APP_NAME
value: GoHoarder
livenessProbe:
httpGet:
path: /
port: 80
initialDelaySeconds: 5
periodSeconds: 30
readinessProbe:
httpGet:
path: /
port: 80
initialDelaySeconds: 5
periodSeconds: 10
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 256Mi
---
# Service - Frontend
apiVersion: v1
kind: Service
metadata:
name: gohoarder-frontend
namespace: gohoarder
labels:
app.kubernetes.io/name: gohoarder
app.kubernetes.io/component: frontend
spec:
type: ClusterIP
ports:
- name: http
port: 80
targetPort: http
protocol: TCP
selector:
app.kubernetes.io/name: gohoarder
app.kubernetes.io/component: frontend
---
# Deployment - Scanner (Optional)
apiVersion: apps/v1
kind: Deployment
metadata:
name: gohoarder-scanner
namespace: gohoarder
labels:
app.kubernetes.io/name: gohoarder
app.kubernetes.io/component: scanner
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: gohoarder
app.kubernetes.io/component: scanner
template:
metadata:
labels:
app.kubernetes.io/name: gohoarder
app.kubernetes.io/component: scanner
spec:
containers:
- name: scanner
image: ghcr.io/lukaszraczylo/gohoarder-scanner:latest
imagePullPolicy: Always
env:
- name: CONFIG_FILE
value: /config/config.yaml
- name: SCANNER_MODE
value: "true"
- name: SCANNER_WORKERS
value: "4"
- name: LOG_LEVEL
value: info
volumeMounts:
- name: cache
mountPath: /data/cache
readOnly: true
- name: metadata
mountPath: /data/metadata
- name: config
mountPath: /config
readOnly: true
resources:
requests:
cpu: 500m
memory: 1Gi
limits:
cpu: 2000m
memory: 4Gi
volumes:
- name: cache
persistentVolumeClaim:
claimName: gohoarder-cache
- name: metadata
persistentVolumeClaim:
claimName: gohoarder-metadata
- name: config
configMap:
name: gohoarder-config
---
# Deployment - Gateway (Nginx Reverse Proxy)
apiVersion: apps/v1
kind: Deployment
metadata:
name: gohoarder-gateway
namespace: gohoarder
labels:
app.kubernetes.io/name: gohoarder
app.kubernetes.io/component: gateway
spec:
replicas: 2
selector:
matchLabels:
app.kubernetes.io/name: gohoarder
app.kubernetes.io/component: gateway
template:
metadata:
labels:
app.kubernetes.io/name: gohoarder
app.kubernetes.io/component: gateway
spec:
containers:
- name: gateway
image: ghcr.io/lukaszraczylo/gohoarder-gateway:latest
imagePullPolicy: Always
ports:
- name: http
containerPort: 80
protocol: TCP
env:
- name: BACKEND_HOST
value: gohoarder-server
- name: BACKEND_PORT
value: "8080"
- name: FRONTEND_HOST
value: gohoarder-frontend
- name: FRONTEND_PORT
value: "80"
- name: SERVER_NAME
value: hoarder.i.raczylo.com
livenessProbe:
httpGet:
path: /health
port: 80
initialDelaySeconds: 5
periodSeconds: 30
readinessProbe:
httpGet:
path: /health
port: 80
initialDelaySeconds: 5
periodSeconds: 10
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 256Mi
---
# Service - Gateway
apiVersion: v1
kind: Service
metadata:
name: gohoarder-gateway
namespace: gohoarder
labels:
app.kubernetes.io/name: gohoarder
app.kubernetes.io/component: gateway
spec:
type: ClusterIP
ports:
- name: http
port: 80
targetPort: http
protocol: TCP
selector:
app.kubernetes.io/name: gohoarder
app.kubernetes.io/component: gateway
---
# Ingress - Expose via domain
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: gohoarder
namespace: gohoarder
labels:
app.kubernetes.io/name: gohoarder
app.kubernetes.io/component: ingress
annotations:
# Nginx ingress annotations
nginx.ingress.kubernetes.io/proxy-body-size: "500m"
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
# Enable CORS if needed
# nginx.ingress.kubernetes.io/enable-cors: "true"
# TLS/SSL configuration (uncomment if using cert-manager)
# cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
ingressClassName: nginx # Adjust based on your ingress controller
rules:
- host: hoarder.i.raczylo.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: gohoarder-gateway
port:
number: 80
# Uncomment for HTTPS/TLS
# tls:
# - hosts:
# - hoarder.i.raczylo.com
# secretName: gohoarder-tls
---
# HorizontalPodAutoscaler - Server
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: gohoarder-server
namespace: gohoarder
labels:
app.kubernetes.io/name: gohoarder
app.kubernetes.io/component: server
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: gohoarder-server
minReplicas: 2
maxReplicas: 10
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 70
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: 80
---
# HorizontalPodAutoscaler - Gateway
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: gohoarder-gateway
namespace: gohoarder
labels:
app.kubernetes.io/name: gohoarder
app.kubernetes.io/component: gateway
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: gohoarder-gateway
minReplicas: 2
maxReplicas: 10
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 70
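Review bot: None of the four containers in this manifest sets a pod or container `securityContext`, whereas the single-pod deployment in the same commit runs as uid 1000 with `runAsNonRoot: true`; here the server, scanner, gateway and frontend run as whatever the image defaults to, with privilege escalation allowed and the full capability set. All four images are `:latest` with `imagePullPolicy: Always`, so each pod restart may pull a different build of a component that sits in the npm/PyPI/Go supply-chain path — pin a tag or digest (`image: ghcr.io/lukaszraczylo/gohoarder-server@sha256:...`). Separately, `gohoarder-metadata` is `ReadWriteOnce` (L120) but is mounted read-write by a 2-to-10-replica server Deployment and by the scanner, so pods placed on different nodes cannot attach it, and a SQLite file with several concurrent writers on shared storage is a corruption risk regardless. The exec liveness probe (`gohoarder version`) only proves the binary starts, not that the HTTP listener is alive; `httpGet /health` like the readiness probe would actually restart a hung server. Suggested hardening for the server container (same block for the other three, dropping `readOnlyRootFilesystem` where an image needs a writable rootfs):
```yaml
      containers:
        - name: server
          image: ghcr.io/lukaszraczylo/gohoarder-server:latest  # pin to a tag or @sha256 digest
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000  # matches the single-pod deployment in this commit
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # … unchanged: ports, env, volumeMounts …
          livenessProbe:
            httpGet:
              path: /health
              port: http
            initialDelaySeconds: 5
            periodSeconds: 30
          # … unchanged: readinessProbe, resources …
```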
+104
@@ -0,0 +1,104 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: gohoarder
namespace: default
labels:
app: gohoarder
spec:
replicas: 2
selector:
matchLabels:
app: gohoarder
template:
metadata:
labels:
app: gohoarder
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
containers:
- name: gohoarder
image: gohoarder:latest
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 8080
protocol: TCP
env:
- name: CONFIG_FILE
value: /etc/gohoarder/config.yaml
volumeMounts:
# Configuration file
- name: config
mountPath: /etc/gohoarder/config.yaml
subPath: config.yaml
readOnly: true
# Git credentials (pattern-based)
- name: git-credentials
mountPath: /etc/gohoarder/git-credentials.json
subPath: credentials.json
readOnly: true
# Persistent storage for cache
- name: cache
mountPath: /var/lib/gohoarder/cache
# Persistent storage for metadata database
- name: metadata
mountPath: /var/lib/gohoarder
resources:
requests:
memory: "512Mi"
cpu: "250m"
limits:
memory: "2Gi"
cpu: "1000m"
livenessProbe:
httpGet:
path: /health
port: http
initialDelaySeconds: 10
periodSeconds: 30
timeoutSeconds: 5
failureThreshold: 3
readinessProbe:
httpGet:
path: /health/ready
port: http
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 3
failureThreshold: 3
volumes:
# ConfigMap with application configuration
- name: config
configMap:
name: gohoarder-config
# Secret with git credentials
- name: git-credentials
secret:
secretName: gohoarder-git-credentials
defaultMode: 0400 # Read-only for owner
# PersistentVolumeClaim for cache
- name: cache
persistentVolumeClaim:
claimName: gohoarder-cache-pvc
# PersistentVolumeClaim for metadata
- name: metadata
persistentVolumeClaim:
claimName: gohoarder-metadata-pvc
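Review bot: The git-credentials Secret is mounted with `subPath: credentials.json` (L586), and Kubernetes does not propagate Secret or ConfigMap updates into subPath mounts, so a token rotated through the External Secrets example (`refreshInterval: 1h`) or a re-applied Secret never reaches a running pod; the config file mounted with `subPath` at L581 has the same problem. Mount the volume as a directory instead (`mountPath: /etc/gohoarder/git-credentials` without `subPath`, and point `git_credentials_file` at `/etc/gohoarder/git-credentials/credentials.json`), or document that a rollout is required after every rotation. The pod runs as uid 1000, but the container still allows privilege escalation and keeps all capabilities, and `gohoarder:latest` with `IfNotPresent` means each node keeps serving whichever `latest` it cached first — pin a tag or digest. The `/var/lib/gohoarder/cache` mount (L590) is nested inside the `/var/lib/gohoarder` metadata mount (L593); that works, but a comment saying the nesting is intentional would stop someone from "fixing" it. Suggested container-level hardening:
```yaml
        - name: gohoarder
          image: gohoarder:latest  # pin to a tag or @sha256 digest
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true  # drop if the image needs a writable rootfs
            capabilities:
              drop: ["ALL"]
          # … unchanged: ports, env, volumeMounts, resources, probes …
```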
+29
@@ -0,0 +1,29 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gohoarder-cache-pvc
namespace: default
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 20Gi
# Uncomment and set your storage class if needed
# storageClassName: fast-ssd
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gohoarder-metadata-pvc
namespace: default
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
# Uncomment and set your storage class if needed
# storageClassName: standard
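Review bot: `gohoarder-cache-pvc` is `ReadWriteOnce`, yet the Deployment in this commit that mounts it runs `replicas: 2`, so on a block-storage class the second replica can only be scheduled on the node that already holds the volume (otherwise it stays Pending at attach time). Either state that constraint here or switch to `ReadWriteMany` for multi-node use; a comment above `accessModes` would avoid the surprise: `# RWO: all gohoarder replicas must land on one node; use ReadWriteMany for multi-node`.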
@@ -0,0 +1,61 @@
apiVersion: v1
kind: Secret
metadata:
name: gohoarder-git-credentials
namespace: default
type: Opaque
stringData:
credentials.json: |
{
"credentials": [
{
"pattern": "github.com/mycompany/*",
"host": "github.com",
"username": "oauth2",
"token": "ghp_REPLACE_WITH_YOUR_GITHUB_TOKEN",
"fallback": false
},
{
"pattern": "github.com/external-vendor/*",
"host": "github.com",
"username": "oauth2",
"token": "ghp_REPLACE_WITH_VENDOR_TOKEN",
"fallback": false
},
{
"pattern": "gitlab.com/backend-team/*",
"host": "gitlab.com",
"username": "oauth2",
"token": "glpat_REPLACE_WITH_GITLAB_TOKEN",
"fallback": false
},
{
"pattern": "*",
"host": "*",
"username": "oauth2",
"token": "ghp_REPLACE_WITH_DEFAULT_READONLY_TOKEN",
"fallback": true
}
]
}
---
# Example using External Secrets Operator (ESO)
# Uncomment and configure if you're using ESO
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: gohoarder-git-credentials
# namespace: default
# spec:
# refreshInterval: 1h
# secretStoreRef:
# name: vault-backend # Your SecretStore name
# kind: SecretStore
# target:
# name: gohoarder-git-credentials
# creationPolicy: Owner
# data:
# - secretKey: credentials.json
# remoteRef:
# key: secret/gohoarder/git-credentials
# property: credentials.json
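Review bot: The last credentials entry pairs a GitHub-style `ghp_` token with `"host": "*"` and `"fallback": true`, so if the matcher does what the field names suggest, that token will be presented to any git host a module path resolves to — including hosts the operator does not control; scope the fallback with `"host": "github.com"` and comment why a catch-all exists at all. Committing a `stringData` Secret with token placeholders invites the real values to be filled in and pushed; keep this file as a template that is excluded from `kubectl apply`, or rely on the ExternalSecret shown below, and say so above the Secret: `# Template only - never commit real tokens; create this Secret via ESO or kubectl create secret`. The Secret lives in `default` and is only mounted by the single-pod deployment; the all-in-one manifest in the same commit has no corresponding volume, which is worth noting for anyone using that path.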
+44
@@ -0,0 +1,44 @@
apiVersion: v1
kind: Service
metadata:
name: gohoarder
namespace: default
labels:
app: gohoarder
spec:
type: ClusterIP
ports:
- port: 8080
targetPort: http
protocol: TCP
name: http
selector:
app: gohoarder
---
# Optional: Ingress for external access
# Uncomment and configure based on your ingress controller
# apiVersion: networking.k8s.io/v1
# kind: Ingress
# metadata:
# name: gohoarder
# namespace: default
# annotations:
# nginx.ingress.kubernetes.io/proxy-body-size: "500m"
# nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
# spec:
# ingressClassName: nginx
# rules:
# - host: gohoarder.example.com
# http:
# paths:
# - path: /
# pathType: Prefix
# backend:
# service:
# name: gohoarder
# port:
# name: http
# tls:
# - hosts:
# - gohoarder.example.com
# secretName: gohoarder-tls
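Review bot: The example Ingress carries no authentication or source-IP restriction annotation while raising `proxy-body-size` to 500m, so once uncommented every client that can resolve the host can reach the cache's API and send half-gigabyte request bodies to it. Even as a commented template, adding `# nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/8"` (or your controller's auth annotation) beside the existing annotations records that this is meant to be an internal-only endpoint. Whether the proxy accepts uploads at all is not visible from this manifest; if it is read-only for clients, the body-size limit should be lowered or justified in a comment.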