Add openvpn

Reviewed-on: https://git.badhouseplants.net/softplayer/softplayer-apps/pulls/4

.gitignore

@@ -1,2 +1,3 @@
 bin
 custom
+*.tgz

.woodpecker/.helm-workflow.yml

@@ -70,6 +70,7 @@ steps:
             --password $REGISTRY_PASSWORD
       - |
           for chart in $(find charts -maxdepth 1 -mindepth 1 -type d); do
+            helm dependency update $chart
             helm package $chart -d chart-packages;
           done
       - |

charts/mealie/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: softplayer-lib-workload
   repository: oci://git.badhouseplants.net/softplayer
-  version: 0.2.0
-digest: sha256:e6bf909ead48b331a49921e1cf504791fb5ec0a80561d797ae06c7a44ad8a9cd
-generated: "2024-07-15T08:45:21.509772+02:00"
+  version: 0.2.1
+digest: sha256:a3a4a69717a3549841454a0e27a1a9114ea8a03543caf5c0c9a184d5a98f36b4
+generated: "2024-07-15T19:51:29.734002+02:00"

charts/mealie/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: mealie
 description: A Helm chart for running Mealie
 type: application
-version: 0.1.0
+version: 0.3.1
 appVersion: v1.10.2
 maintainers:
   - name: allanger
@@ -10,7 +10,7 @@ maintainers:
     url: https://badhouseplants.net
 dependencies:
   - name: softplayer-lib-workload
-    version: 0.2.0
-    repository: oci://git.badhouseplants.net/softplayer
+    version: 0.2.1
+    repository: oci://registry.badhouseplants.net/softplayer
 annotations:
   allowed_workload_kinds: "Deployment"

charts/mealie/templates/install.yaml

@@ -2,6 +2,5 @@
 {{ include "lib.service" . }}
 {{ include "lib.ingress" . }}
 {{ include "lib.config.env" . }}
-{{ include "lib.config.files" . }}
 {{ include "lib.pvc" . }}
 {{ include "lib.raw" . }}

charts/mealie/values.yaml

@@ -61,11 +61,12 @@ service:
 storage:
   data:
     storageClassName: default
-    size: 1G
+    size: 1Gi
     accessModes:
       - ReadWriteOnce
 env:
   environment:
+    enabled: true
     sensitive: false
     data:
       ALLOW_SIGNUP: true
@@ -77,10 +78,11 @@ env:
       BASE_URL: https://mealie.softplayer.com
       DB_ENGINE: postgres
   secrets:
+    enabled: true
     sensitive: true
     data:
-      POSTGRES_USER: mealie
-      POSTGRES_PASSWORD: mealie
-      POSTGRES_SERVER: postgres
-      POSTGRES_PORT: 5432
-      POSTGRES_DB: mealie
+      POSTGRES_USER: ~
+      POSTGRES_PASSWORD: ~
+      POSTGRES_SERVER: ~
+      POSTGRES_PORT: ~
+      POSTGRES_DB: ~

charts/openvpn/Chart.yaml

@@ -3,8 +3,8 @@ apiVersion: v2
 name: openvpn
 description: A Helm chart for deploying OpenVPN
 type: application
-version: 1.4.0
-appVersion: v2.6.11
+version: 0.0.1
+appVersion: v2.6.5
 
 sources:
   - https://git.badhouseplants.net/allanger/container-openvpn-xor

charts/openvpn/values.yaml

@@ -1,6 +1,6 @@
 # Default values for openvpn-chart.
 image:
-  repository: git.badhouseplants.net/allanger/container-openvpn
+  repository: gitea.badhouseplants.net/allanger/container-openvpn
   pullPolicy: Always
   # -------------------------------------------
   # -- TODO: Switch to proper versions

charts/selenoid/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/selenoid/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: selenoid
+description: A Helm chart for Kubernetes
+type: application
+version: 0.1.0
+appVersion: "1.11.3"

charts/selenoid/templates/NOTES.txt

@@ -6,16 +6,16 @@
   {{- end }}
 {{- end }}
 {{- else if contains "NodePort" .Values.service.type }}
-  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "vaultwarden.fullname" . }})
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "selenoid.fullname" . }})
   export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
   echo http://$NODE_IP:$NODE_PORT
 {{- else if contains "LoadBalancer" .Values.service.type }}
      NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "vaultwarden.fullname" . }}'
-  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "vaultwarden.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+           You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "selenoid.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "selenoid.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
   echo http://$SERVICE_IP:{{ .Values.service.port }}
 {{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "vaultwarden.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "selenoid.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
   export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
   echo "Visit http://127.0.0.1:8080 to use your application"
   kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT

charts/selenoid/templates/_helpers.tpl

@@ -1,7 +1,7 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "vaultwarden.name" -}}
+{{- define "selenoid.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
@@ -10,7 +10,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "vaultwarden.fullname" -}}
+{{- define "selenoid.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
@@ -26,36 +26,57 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "vaultwarden.chart" -}}
+{{- define "selenoid.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
 {{/*
 Common labels
 */}}
-{{- define "vaultwarden.labels" -}}
-helm.sh/chart: {{ include "vaultwarden.chart" . }}
-{{ include "vaultwarden.selectorLabels" . }}
+{{- define "selenoid.labels" -}}
+helm.sh/chart: {{ include "selenoid.chart" . }}
+{{ include "selenoid.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 
+{{/*
+Common labels for UI
+*/}}
+{{- define "selenoidUI.labels" -}}
+helm.sh/chart: {{ include "selenoid.chart" . }}
+{{ include "selenoidUI.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+
 {{/*
 Selector labels
 */}}
-{{- define "vaultwarden.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "vaultwarden.name" . }}
+{{- define "selenoid.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "selenoid.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Selector labels for the UI
+*/}}
+{{- define "selenoidUI.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "selenoid.name" . }}-ui
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
 {{/*
 Create the name of the service account to use
 */}}
-{{- define "vaultwarden.serviceAccountName" -}}
+{{- define "selenoid.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create }}
-{{- default (include "vaultwarden.fullname" .) .Values.serviceAccount.name }}
+{{- default (include "selenoid.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}

charts/selenoid/templates/selenoid-ui/deployment.yaml

@@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "selenoid.fullname" . }}-ui
+  labels:
+    {{- include "selenoidUI.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "selenoidUI.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "selenoidUI.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}
+          image: aerokube/selenoid-ui
+          args:
+            - --selenoid-uri 
+            - "http://{{ include "selenoid.fullname" . }}:4444"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          livenessProbe:
+            {{- toYaml .Values.ui.livenessProbe | nindent 12 }}
+          readinessProbe:
+            {{- toYaml .Values.ui.readinessProbe | nindent 12 }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          ports:
+            - containerPort: 8080
+              name: selenoid-ui
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/selenoid/templates/selenoid-ui/ingress.yaml

@@ -0,0 +1,61 @@
+{{- if .Values.ingressUI.enabled -}}
+{{- $fullName := include "selenoid.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- if and .Values.ingressUI.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.ingressUI.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.ingressUI.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+  {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}-ui
+  labels:
+    {{- include "selenoidUI.labels" . | nindent 4 }}
+  {{- with .Values.ingressUI.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and .Values.ingressUI.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.ingressUI.className }}
+  {{- end }}
+  {{- if .Values.ingressUI.tls }}
+  tls:
+    {{- range .Values.ingressUI.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingressUI.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+            pathType: {{ .pathType }}
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}-ui
+                port:
+                  number: 8080
+              {{- else }}
+              serviceName: {{ $fullName }}-ui
+              servicePort: 8080
+              {{- end }}
+          {{- end }}
+    {{- end }}
+{{- end }}

charts/selenoid/templates/selenoid-ui/network-policies.yaml

@@ -0,0 +1,65 @@
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: {{ include "selenoid.fullname" . }}
+  labels:
+    {{- include "selenoid.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "selenoid.selectorLabels" . | nindent 6 }}
+  ingress:
+  - {}
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+      podSelector:
+        matchLabels:
+          k8s-app: coredns
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+      podSelector:
+        matchLabels:
+          k8s-app: kubedns
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+      podSelector:
+        matchLabels:
+          k8s-app: kube-dns
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        except:
+        - 10.0.0.0/8
+#kind: NetworkPolicy
+#apiVersion: networking.k8s.io/v1
+#metadata:
+#  name: default-deny-all
+#spec:
+#  podSelector: {}
+#  policyTypes:
+#    - Egress
+#    - Ingress
+---
+#kind: NetworkPolicy
+#apiVersion: networking.k8s.io/v1
+#metadata:
+#  name: allow-internet-only
+#spec:
+#  podSelector: {}
+#  policyTypes:
+#  - Egress
+#  egress:
+#  - to:
+#    - ipBlock:
+#        cidr: 0.0.0.0/0
+#        except:
+#        - 10.0.0.0/8
+#        - 192.168.0.0/16
+#        - 172.16.0.0/20
+

charts/selenoid/templates/selenoid-ui/service.yaml

@@ -0,0 +1,16 @@
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "selenoid.fullname" . }}-ui
+  labels:
+    {{- include "selenoidUI.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: 8080
+      targetPort: selenoid-ui
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "selenoidUI.selectorLabels" . | nindent 4 }}

charts/selenoid/templates/selenoid/config.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "selenoid.fullname" . }}-config
+  labels:
+    {{- include "selenoid.labels" . | nindent 4 }}
+data:
+  browsers.json: |
+    {
+    	"chrome": {
+    		"default": "latest",
+    		"versions": {
+    			"latest": {
+    				"image": "selenoid/chrome:latest",
+    				"port": "4444",
+    				"tmpfs": {"/tmp":"size=512m"}
+    			}
+    		}
+    	},
+    	"firefox": {
+    		"default": "latest",
+    		"versions": {
+    			"latest": {
+    				"image": "selenoid/firefox:latest",
+    				"port": "4444",
+    				"path": "/wd/hub",
+    				"tmpfs": {"/tmp":"size=512m"}
+    			}
+    		}
+      }
+    }

charts/selenoid/templates/selenoid/deployment.yaml

@@ -0,0 +1,129 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "selenoid.fullname" . }}
+  labels:
+    {{- include "selenoid.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "selenoid.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "selenoid.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          startupProbe:
+            {{- toYaml .Values.startupProbe | nindent 12 }}
+          livenessProbe:
+            {{- toYaml .Values.livenessProbe | nindent 12 }}
+          readinessProbe:
+            {{- toYaml .Values.readinessProbe | nindent 12 }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            - name: config
+              mountPath: /etc/selenoid/browsers.json
+              subPath: browsers.json
+            - name: scripts
+              mountPath: /tmp/scripts/selenoid
+              subPath: selenoid
+          command:
+            - sh
+          args:
+            - /tmp/scripts/selenoid
+          ports:
+            - containerPort: 4444
+              name: selenium
+          env:
+            - name: DOCKER_HOST
+              value: tcp://localhost:2375
+        - name: dind
+          image: "{{ .Values.dind.registry }}/{{ .Values.dind.repository }}:{{ .Values.dind.tag }}"
+          imagePullPolicy: {{ .Values.dind.pullPolicy }}
+          command: 
+          {{- range .Values.dind.command }}
+            - {{ . }}
+          {{- end }}
+          args:
+          {{- range .Values.dind.commandArgs }}
+            - {{ . }}
+          {{- end }}
+          {{- with .Values.dind.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          lifecycle:
+            preStop:
+              # wait for all running containers to have stopped, so the last build can finish before the runner is fully stopped.
+              exec:
+                command: ["/bin/sh","-c","while true; do sleep {{ .Values.dind.gracefulShutdownRetryPeriod }}; lastEventTime=$(docker -H tcp://localhost:2375 events --since={{ .Values.dind.gracefulShutdownRetryPeriod }}s --until=1s | wc -l); containersRunning=$(docker -H tcp://localhost:2375 ps -q | wc -l); if [ $containersRunning -eq 0 ]  && [ $lastEventTime -eq 0 ]; then exit 0; fi; echo 'steps/containers running, retry'; done"]
+          livenessProbe:
+            exec:
+              command:
+              - docker
+              - -H 
+              - tcp://localhost:2375
+              - images
+            initialDelaySeconds: 5
+            periodSeconds: 5
+          readinessProbe:
+            exec:
+              command:
+              - docker
+              - -H 
+              - tcp://localhost:2375
+              - images
+            initialDelaySeconds: 5
+            periodSeconds: 5
+          {{- with .Values.dind.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.dind.extraVolumeMounts }}
+          volumeMounts:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      volumes:
+        - name: config
+          configMap:   
+            name: {{ include "selenoid.fullname" . }}-config
+        - name: scripts
+          configMap:   
+            name: {{ include "selenoid.fullname" . }}-scripts
+        - name: docker-storage
+          emptyDir: {}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/selenoid/templates/selenoid/ingress.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.ingress.enabled -}}
-{{- $fullName := include "vaultwarden.fullname" . -}}
+{{- $fullName := include "selenoid.fullname" . -}}
 {{- $svcPort := .Values.service.port -}}
 {{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
   {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
@@ -17,7 +17,7 @@ kind: Ingress
 metadata:
   name: {{ $fullName }}
   labels:
-    {{- include "vaultwarden.labels" . | nindent 4 }}
+    {{- include "selenoidUI.labels" . | nindent 4 }}
   {{- with .Values.ingress.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
@@ -51,10 +51,10 @@ spec:
               service:
                 name: {{ $fullName }}
                 port:
-                  number: {{ $svcPort }}
+                  number: 4444
               {{- else }}
               serviceName: {{ $fullName }}
-              servicePort: {{ $svcPort }}
+              servicePort: 4444
               {{- end }}
           {{- end }}
     {{- end }}

charts/selenoid/templates/selenoid/script-configmap.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "selenoid.fullname" . }}-scripts
+  labels:
+    {{- include "selenoid.labels" . | nindent 4 }}
+data:
+  selenoid: |-
+    #!/usr/bin/sh
+    set -e
+    for i in `seq 0 100`
+      do wget 127.0.0.1:2375/version && break || echo waiting && sleep 5 
+    done
+    # -- This is supposed to get the docker API version
+    sed -E 's/.*"ApiVersion":"?([^,"]*)"?.*/\1/' version
+    images=$(cat /etc/selenoid/browsers.json | grep image | awk '{print $2}' | sed -e "s/\"//g" -e "s/,//g")
+    for image in $images; do
+      wget --header "Content-Type: application/json" \
+        -O - --post-data="-" \
+    	  127.0.0.1:2375/v1.41/images/create?fromImage=$image
+    done
+    /usr/bin/selenoid -listen :4444 -conf /etc/selenoid/browsers.json

charts/selenoid/templates/selenoid/service.yaml

@@ -0,0 +1,16 @@
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "selenoid.fullname" . }}
+  labels:
+    {{- include "selenoid.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: 4444
+      targetPort: selenium
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "selenoid.selectorLabels" . | nindent 4 }}

charts/selenoid/todo.md

@@ -0,0 +1,3 @@
+Network policies should 
+
+Let the selenoid pod access the internet without letting access internal services

charts/selenoid/values.yaml

@@ -0,0 +1,168 @@
+# Default values for selenoid.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+  repository: aerokube/selenoid
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: ""
+
+dind:
+  ## The official docker (dind) image, change tag to use a different version.
+  ## ref: https://hub.docker.com/r/library/docker/tags/
+  ##
+  registry: docker.io
+  repository: docker
+  tag: 20-dind
+  pullPolicy: IfNotPresent
+  command:
+    - "dockerd"
+  commandArgs:
+    - "--host"
+    - "tcp://localhost:2375"
+  securityContext:
+    privileged: true
+  ## If you have declared extra volumes, mount them here, per the Pod Container's
+  ## "volumeMounts" section of dind container
+  ##
+  extraVolumeMounts: []
+    #    - name: storage
+    #      mountPath: /var/lib/docker
+    #      subPath: docker
+  resources:
+    {}
+    # We usually recommend not to specify default resources and to leave this as a conscious
+    # choice for the user. This also increases chances charts run on environments with little
+    # resources, such as Minikube. If you do want to specify resources, uncomment the following
+    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+    # limits:
+    #   cpu: 100m
+    #   memory: 128Mi
+    # requests:
+    #   cpu: 100m
+    #   memory: 128Mi
+  gracefulShutdownRetryPeriod: 60
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Automatically mount a ServiceAccount's API credentials?
+  automount: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+podLabels: {}
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+service:
+  type: ClusterIP
+  port: 80
+
+ingress:
+  enabled: true
+  className: ""
+  annotations:
+    cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hosts:
+    - host: selenoid.badhouseplants.net
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  tls: 
+    - secretName: selenoid.badhouseplants.net
+      hosts:
+        - selenoid.badhouseplants.net
+ingressUI:
+  enabled: true
+  className: ""
+  annotations:
+    cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hosts:
+    - host: selenoid-ui.badhouseplants.net
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  tls: 
+    - secretName: selenoid-ui.badhouseplants.net
+      hosts:
+        - selenoid-ui.badhouseplants.net
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+startupProbe:
+  failureThreshold: 50
+  periodSeconds: 10
+  tcpSocket:
+    port: 4444
+livenessProbe:
+  tcpSocket:
+    port: 4444
+readinessProbe:
+  tcpSocket:
+    port: 4444
+ui:
+  livenessProbe:
+    tcpSocket:
+      port: 8080
+  readinessProbe:
+    tcpSocket:
+      port: 8080
+
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 100
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
+
+# Additional volumes on the output Deployment definition.
+volumes: []
+# -name: foo
+#   secret:
+#     secretName: mysecret
+#     optional: false
+
+# Additional volumeMounts on the output Deployment definition.
+volumeMounts: []
+# - name: foo
+#   mountPath: "/etc/foo"
+#   readOnly: true
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}

charts/team-fortress-2/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: team-fortress-2
 description: A Helm chart for running a Team Fortress 2 server
 type: application
-version: 0.1.1
+version: 0.1.2
 appVersion: "latest"
 maintainers:
   - name: allanger

charts/vaultwarden/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: softplayer-lib-workload
+  repository: oci://git.badhouseplants.net/softplayer
+  version: 0.2.1
+digest: sha256:a3a4a69717a3549841454a0e27a1a9114ea8a03543caf5c0c9a184d5a98f36b4
+generated: "2024-07-15T19:54:46.672967+02:00"

charts/vaultwarden/Chart.yaml

@@ -2,12 +2,18 @@ apiVersion: v2
 name: vaultwarden
 description: Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs
 type: application
-version: 1.2.0
-appVersion: 1.30.5
+version: 2.1.0
+appVersion: 1.31.0
 maintainers:
   - name: allanger
     email: allanger@zohomail.com
     url: https://badhouseplants.net
+dependencies:
+  - name: softplayer-lib-workload
+    version: 0.2.1
+    repository: oci://registry.badhouseplants.net/softplayer
+annotations:
+  allowed_workload_kinds: "Deployment"
 sources:
   - https://github.com/dani-garcia/vaultwarden/tree/main
 keywords:

charts/vaultwarden/templates/configmap.yaml

@@ -1,46 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ include "vaultwarden.fullname" . }}
-  labels:
-    {{- include "vaultwarden.labels" . | nindent 4 }}
-data:
-  DOMAIN: {{ .Values.vaultwarden.domain | quote }}
-  {{- if and .Values.vaultwarden.smtp.host .Values.vaultwarden.smtp.from | quote }}
-  SMTP_HOST: {{ .Values.vaultwarden.smtp.host | quote }}
-  SMTP_SECURITY: {{ .Values.vaultwarden.smtp.security | quote }}
-  SMTP_PORT: {{ .Values.vaultwarden.smtp.port | quote }}
-  {{- if .Values.vaultwarden.smtp.authMechanism }}
-  SMTP_AUTH_MECHANISM: {{ .Values.vaultwarden.smtp.authMechanism | quote }}
-  {{- end }}
-  SMTP_FROM: {{ .Values.vaultwarden.smtp.from | quote }}
-  SMTP_FROM_NAME: {{ default "Vaultwarden" .Values.vaultwarden.smtp.fromName | quote }}
-  SMTP_DEBUG: {{ .Values.vaultwarden.smtp.debug | quote }}
-  SMTP_ACCEPT_INVALID_HOSTNAMES: {{ .Values.vaultwarden.smtp.acceptInvalidHostnames | quote }}
-  SMTP_ACCEPT_INVALID_CERTS: {{ .Values.vaultwarden.smtp.acceptInvalidCerts | quote }}
-  SMTP_USERNAME: {{ .Values.vaultwarden.smtp.username | quote }}
-  {{- end }}
-  {{- if .Values.vaultwarden.websocket.enabled }}
-  WEBSOCKET_ENABLED: "true"
-  WEBSOCKET_ADDRESS: {{ .Values.vaultwarden.websocket.address | quote }}
-  WEBSOCKET_PORT: {{ .Values.vaultwarden.websocket.port | quote }}
-  {{- end }}
-  DATA_FOLDER: {{ .Values.vaultwarden.storage.dataDir | quote }}
-  ROCKET_PORT: {{ .Values.vaultwarden.rocket.port | quote }}
-  ROCKET_WORKERS: {{ .Values.vaultwarden.rocket.workers | quote }}
-  SHOW_PASSWORD_HINT: {{ .Values.vaultwarden.showPassHint | quote }}
-  SIGNUPS_ALLOWED: {{ .Values.vaultwarden.signupsAllowed | quote }}
-  INVITATIONS_ALLOWED: {{ .Values.vaultwarden.invitationsAllowed | quote }}
-  SIGNUPS_DOMAINS_WHITELIST: {{ .Values.vaultwarden.signupDomains | quote }}
-  SIGNUPS_VERIFY: {{ .Values.vaultwarden.signupsVerify | quote }}
-  WEB_VAULT_ENABLED: {{ .Values.vaultwarden.webVaultEnabled | quote }}
-  {{- if .Values.vaultwarden.logging.enabled }}
-  LOG_FILE: {{ .Values.vaultwarden.logging.logfile | quote }}
-  LOG_LEVEL: {{ .Values.vaultwarden.logging.loglevel | quote }}
-  {{- end }}
-  DB_CONNECTION_RETRIES: {{ .Values.vaultwarden.database.connectionRetries | quote }}
-  DATABASE_MAX_CONNS: {{ .Values.vaultwarden.database.maxConnections | quote }}
-  # -------------------------------------------------------------------
-  ORG_GROUPS_ENABLED: {{ .Values.vaultwarden.organizations.enabled | quote }}
-  ORG_EVENTS_ENABLED: {{ .Values.vaultwarden.organizations.orgEvents | quote }}
-  ORG_CREATION_USERS: {{ .Values.vaultwarden.organizations.crationUsers | quote }}

charts/vaultwarden/templates/deployment.yaml

@@ -1,96 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "vaultwarden.fullname" . }}
-  labels:
-    {{- include "vaultwarden.labels" . | nindent 4 }}
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      {{- include "vaultwarden.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      {{- with .Values.podAnnotations }}
-      annotations:
-        {{- toYaml . | nindent 8 }}
-        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
-        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
-      {{- end }}
-      labels:
-        {{- include "vaultwarden.selectorLabels" . | nindent 8 }}
-    spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      {{- if .Values.vaultwarden.storage.enabled }}
-      volumes:
-        - name: data
-          persistentVolumeClaim:
-            claimName: {{ include "vaultwarden.fullname" . }}
-      {{- end }}
-      containers:
-        - name: {{ .Chart.Name }}
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          ports:
-            - name: http
-              containerPort: {{ .Values.service.port }}
-              protocol: TCP
-          livenessProbe:
-            exec:
-              command:
-                - sh 
-                - /healthcheck.sh
-          readinessProbe:
-            exec:
-              command:
-                - sh 
-                - /healthcheck.sh
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
-          envFrom:
-            - configMapRef:
-                name: {{ include "vaultwarden.fullname" . }}
-          env:
-            {{- if or (.Values.vaultwarden.smtp.password.value) (.Values.vaultwarden.smtp.password.existingSecretKey )}}
-            - name: SMTP_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Values.vaultwarden.smtp.password.existingSecret | default ( printf "%s-smtp" ( include "vaultwarden.fullname" . )) }}
-                  key: {{ default "SMTP_PASSWORD" .Values.vaultwarden.smtp.password.existingSecretKey }}
-            {{- end }}
-            - name: ADMIN_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Values.vaultwarden.adminToken.existingSecret | default ( printf "%s-admin-token" ( include "vaultwarden.fullname" . )) }}
-                  key: {{ default "ADMIN_TOKEN" .Values.vaultwarden.adminToken.existingSecretKey }}
-            {{- if ne "default" .Values.vaultwarden.database.type }}
-            - name: DATABASE_URL
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Values.vaultwarden.database.existingSecret | default ( printf "%s-db-creds" ( include "vaultwarden.fullname" . ))  }}
-                  key: {{ default "DATABASE_URL" .Values.vaultwarden.database.existingSecretKey }}
-            {{- end }}
-          {{- if .Values.vaultwarden.storage.enabled }}
-          volumeMounts:
-            - mountPath: {{ .Values.vaultwarden.storage.dataDir }}
-              name: data
-          {{- end }}
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}

charts/vaultwarden/templates/install.yaml

@@ -0,0 +1,6 @@
+{{ include "lib.workload" . }}
+{{ include "lib.service" . }}
+{{ include "lib.ingress" . }}
+{{ include "lib.config.env" . }}
+{{ include "lib.pvc" . }}
+{{ include "lib.raw" . }}

charts/vaultwarden/templates/pvc.yaml

@@ -1,15 +0,0 @@
-{{- if .Values.vaultwarden.storage.enabled }}
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: {{ include "vaultwarden.fullname" . }}
-  labels:
-    {{- include "vaultwarden.labels" . | nindent 4 }}
-spec:
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: {{ .Values.vaultwarden.storage.size }}
-  storageClassName: {{ .Values.vaultwarden.storage.class }}
-{{- end }}

charts/vaultwarden/templates/secret.yaml

@@ -1,38 +0,0 @@
-{{- if not .Values.vaultwarden.adminToken.existingSecret }}  
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-  name: {{ include "vaultwarden.fullname" . }}-admin-token
-  labels:
-    {{- include "vaultwarden.labels" . | nindent 4 }}
-data:
-  ADMIN_TOKEN: {{ .Values.vaultwarden.adminToken.value | b64enc | quote }}
-{{- end }}
-
-{{- if not .Values.vaultwarden.database.existingSecret }}  
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-  name: {{ include "vaultwarden.fullname" . }}-db-creds
-  labels:
-    {{- include "vaultwarden.labels" . | nindent 4 }}
-data:
-  DATABASE_URL: {{ .Values.vaultwarden.database.connectionString | b64enc | quote }}
-{{- end }}
-
-{{- if not .Values.vaultwarden.smtp.password.existingSecret  }}  
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-  name: {{ include "vaultwarden.fullname" . }}-smtp
-  labels:
-    {{- include "vaultwarden.labels" . | nindent 4 }}
-data:
-  SMTP_PASSWORD: {{ .Values.vaultwarden.smtp.password.value | b64enc | quote }}
-{{- end }}

charts/vaultwarden/templates/service.yaml

@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "vaultwarden.fullname" . }}
-  labels:
-    {{- include "vaultwarden.labels" . | nindent 4 }}
-spec:
-  type: {{ .Values.service.type }}
-  ports:
-    - port: {{ .Values.service.port }}
-      targetPort: http
-      protocol: TCP
-      name: http
-  selector:
-    {{- include "vaultwarden.selectorLabels" . | nindent 4 }}

charts/vaultwarden/values.yaml

@@ -1,106 +1,114 @@
-image:
-  repository: registry.hub.docker.com/vaultwarden/server
-  pullPolicy: IfNotPresent
-  # Overrides the image tag whose default is the chart appVersion.
-  tag: ""
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-podAnnotations: {}
-podSecurityContext: {}
-# fsGroup: 2000
+---
+workload:
+  kind: Deployment
+  strategy:
+    type: RollingUpdate
+  containers:
+    vaultwarden:
+      image:
+        registry: registry.hub.docker.com
+        repository: vaultwarden/server
+        tag:
+        pullPolicy: Always
+      ports:
+        - vaultwarden
+      mounts:
+        storage:
+          data:
+            path: /app/data/
+          # logs:
+            # path: /app/logs
+      envFrom:
+        - environment
+        - secrets
+      livenessProbe:
+        exec:
+          command:
+            - sh
+            - /healthcheck.sh
+      readinessProbe:
+        exec:
+          command:
+            - sh
+            - /healthcheck.sh
+        initialDelaySeconds: 10
+        periodSeconds: 10
 
-securityContext: {}
-# capabilities:
-#   drop:
-#   - ALL
-# readOnlyRootFilesystem: true
-# runAsNonRoot: true
-# runAsUser: 1000
+ingress:
+  main:
+    class: traefik
+    annotations:
+      annotation: test
+    rules:
+      - hosts: vaultwarden.softplayer.net
+        http:
+          paths:
+            - backend:
+                service:
+                  name: '{{ include "chart.fullname" $ }}'
+                  port: 8080
+    tls:
+      - hosts:
+          - vaultwarden.softplayer.net
+        secretName: vaultwarden.softplayer.net
 
 service:
   type: ClusterIP
+  ports:
+    vaultwarden:
       port: 8080
-ingress:
-  enabled: false
-  className: ""
-  annotations: {}
-  # kubernetes.io/ingress.class: nginx
-  # kubernetes.io/tls-acme: "true"
-  hosts:
-    - host: chart-example.local
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-  tls: []
-  #  - secretName: chart-example-tls
-  #    hosts:
-  #      - chart-example.local
-resources: {}
-# We usually recommend not to specify default resources and to leave this as a conscious
-# choice for the user. This also increases chances charts run on environments with little
-# resources, such as Minikube. If you do want to specify resources, uncomment the following
-# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-# limits:
-#   cpu: 100m
-#   memory: 128Mi
-# requests:
-#   cpu: 100m
-#   memory: 128Mi
+      targetPort: 8080
+      protocol: TCP
 
-nodeSelector: {}
-tolerations: []
-affinity: {}
-vaultwarden:
-  smtp:
-    host: ""
-    security: "starttls"
-    port: 25
-    from: vaultwarden@badhouseplants.net
-    fromName: vaultwarden
-    username: vaultwarden
-    password:
-      value: "VerySecurePassword"
-      existingSecret: ""
-      existingSecretKey: ""
-    authMechanism: "Plain"
-    acceptInvalidHostnames: "false"
-    acceptInvalidCerts: "false"
-    debug: false
-  adminToken:
-    existingSecret: ""
-    existingSecretKey: ""
-    value: "R@ndomToken$tring"
-  domain: "https://badhouseplants.vaultwarden.com"
-  websocket:
-    enabled: true
-    address: "0.0.0.0"
-    port: 3012
-  rocket:
-    port: "8080"
-    workers: "10"
-  webVaultEnabled: "true"
-  signupsAllowed: true
-  invitationsAllowed: true
-  signupDomains: "https://badhouseplants.vaultwarden.com"
-  signupsVerify: "true"
-  showPassHint: "false"
-  database:
-    connectionString: "data/db.sqlite3"
-    existingSecret: ""
-    existingSecretKey: ""
-    connectionRetries: 15
-    maxConnections: 10
-  storage:
-    enabled: false
+storage:
+  data:
+    storageClassName: default
     size: 1Gi
-    class: default
-    dataDir: /data
-  logging:
-    enabled: false
-    logfile: "/data/vaultwarden.log"
-    loglevel: "warn"
-  organizations:
-    enabled: false
-    orgEvents: false  # -- ORG_GROUPS_ENABLED
-    crationUsers: ""  # -- ORG_CREATION_USERS
+    accessModes:
+      - ReadWriteOnce
+  # logs:
+  # storageClassName: default
+  # size: 1G
+  # accessModes:
+  # - ReadWriteOnce
+
+# -- Please have a look here: https://github.com/dani-garcia/vaultwarden/blob/main/.env.template
+env:
+  environment:
+    enabled: true
+    sensitive: false
+    data:
+      DOMAIN: vaultwarden.softplayer.net
+      SMTP_HOST: ~
+      SMTP_SECURITY: startls
+      SMTP_PORT: 587
+      SMTP_AUTH_MECHANISM: Plain
+      SMTP_FROM: vaultwarden@softplayer.net
+      SMTP_FROM_NAME: Soft Player
+      SMTP_DEBUG: false
+      SMTP_ACCEPT_INVALID_HOSTNAMES: false
+      SMTP_ACCEPT_INVALID_CERTS: false
+      SMTP_USERNAME: ~
+      DATA_FOLDER: /app/data/
+      ROCKET_PORT: 8080
+      SHOW_PASSWORD_HINT: true
+      SIGNUPS_ALLOWED: false
+      INVITATIONS_ALLOWED: true
+      SIGNUPS_DOMAINS_WHITELIST: "*"
+      SIGNUPS_VERIFY: true
+      WEB_VAULT_ENABLED: true
+      LOG_FILE: /app/logs
+      LOG_LEVEL: info
+      DB_CONNECTION_RETRIES: 10
+      DATABASE_MAX_CONNS: 10
+      ORG_GROUPS_ENABLED: true
+      ORG_EVENTS_ENABLED: true
+      ORG_CREATION_USERS: ""
+
+  secrets:
+    enabled: true
+    sensitive: true
+    data:
+      ADMIN_TOKEN: "R@ndomToken$tring"
+      DATABASE_URL: ~
+      SMTP_PASSWORD: ~