From a84b856bc5260aedc46736b7e75bd0c041616935 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 26 Dec 2025 19:23:29 +0000
Subject: [PATCH 1/3] Initial plan

From 312efdbae4221d9dad82ffc14ef56fc05c0b5dd2 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 26 Dec 2025 19:31:54 +0000
Subject: [PATCH 2/3] fix: Apply Kubernetes best practices for homelab environment

- Fix cert-manager cloudflare secret annotations (incorrect annotation keys)
- Add missing kustomization.yaml for jellyfin
- Add runAsNonRoot to jellyfin deployment securityContext
- Add health probes (liveness/readiness) to jellyfin deployment
- Add port names to jellyfin deployment containers
- Add DirectoryOrCreate type to jellyfin hostPath volumes
- Include secrets.yaml in argocd kustomization.yaml
- Standardize HTTPRoute API versions to v1 (jellyfin, immich)
- Update argocd-root-application.yaml sync policy to match standard
- Remove resource limits from node_exporter (per repo guidelines)
- Remove leftover immich todo.txt
- Update kustomization files to use 'labels' instead of deprecated 'commonLabels'

Co-authored-by: jackweinbender <1544859+jackweinbender@users.noreply.github.com>
---
 kubernetes/argocd/kustomization.yaml | 1 +
 .../bootstrap/argocd-root-application.yaml | 26 +++++++++++--------
 .../cert-manager/cloudflare-api-token.yaml | 6 ++---
 kubernetes/immich/httproute.yaml | 2 +-
 kubernetes/immich/kustomization.yaml | 8 +++---
 kubernetes/immich/todo.txt | 1 -
 kubernetes/jellyfin/deployment.yaml | 18 +++++++++++++
 kubernetes/jellyfin/httproute.yaml | 2 +-
 kubernetes/jellyfin/kustomization.yaml | 15 +++++++++++
 kubernetes/otel-operator/node_exporter.yaml | 7 -----
 kubernetes/redis/kustomization.yaml | 8 +++---
 11 files changed, 64 insertions(+), 30 deletions(-)
 delete mode 100644 kubernetes/immich/todo.txt
 create mode 100644 kubernetes/jellyfin/kustomization.yaml
diff --git a/kubernetes/argocd/kustomization.yaml b/kubernetes/argocd/kustomization.yaml
index bae93ca..71efed7 100644
--- a/kubernetes/argocd/kustomization.yaml
+++ b/kubernetes/argocd/kustomization.yaml
@@ -4,6 +4,7 @@ kind: Kustomization
 resources:
 - https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
 - httproute.yaml
+ - secrets.yaml
 
 patches:
 - target:
diff --git a/kubernetes/bootstrap/argocd-root-application.yaml b/kubernetes/bootstrap/argocd-root-application.yaml
index 9e6b35d..573a101 100644
--- a/kubernetes/bootstrap/argocd-root-application.yaml
+++ b/kubernetes/bootstrap/argocd-root-application.yaml
@@ -5,14 +5,18 @@ metadata:
 namespace: argocd
 spec:
 project: system
-source:
- repoURL: git@github.com:jackweinbender/infrastructure.git
- path: kubernetes/argo-applications
- targetRevision: HEAD
-destination:
- server: https://kubernetes.default.svc
- namespace: argocd
-syncPolicy:
- automated: {}
- syncOptions:
- - CreateNamespace=true
+ source:
+ repoURL: git@github.com:jackweinbender/infrastructure.git
+ path: kubernetes/argo-applications
+ targetRevision: HEAD
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: argocd
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ - Validate=true
+ - Prune=true
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/kubernetes/cert-manager/cloudflare-api-token.yaml b/kubernetes/cert-manager/cloudflare-api-token.yaml
index 06531a8..db151fd 100644
--- a/kubernetes/cert-manager/cloudflare-api-token.yaml
+++ b/kubernetes/cert-manager/cloudflare-api-token.yaml
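Review bot: Adding `secrets.yaml` to the argocd kustomization `resources` means whatever that file holds is rendered and applied as part of the Argo CD install, and nothing in this diff shows its contents, so it is worth confirming it carries only annotated placeholder Secrets (the cert-manager manifest in this same patch relies on k8s-secret-sync annotations to fill in the value at runtime) rather than literal `data`/`stringData`. If it does hold real values, a sealed or external-secret reference is the usual fix. A one-line comment next to the entry, e.g. `# placeholder Secret(s); values are filled in by k8s-secret-sync`, would make the intent clear to the next reader.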
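Review bot: `Validate=true` and `Prune=true` in the new `syncOptions` list look redundant — kubectl validation is Argo CD's default (the documented switch is `Validate=false` to turn it off), and as far as I can tell application-level pruning is driven by `automated.prune: true`, which this hunk also sets, not by a `Prune=true` option. Unless the repo standard the commit message refers to deliberately carries both, dropping those two lines leaves `- CreateNamespace=true` as the only option without changing behaviour. Separately, `prune: true` together with `selfHeal: true` on the root app-of-apps means that removing a child Application manifest from `kubernetes/argo-applications` deletes that Application (and, depending on its finalizer, its workloads); the previous `automated: {}` did not prune, so a short comment on the `automated:` block stating that this is intended would help the next reader.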
@@ -5,7 +5,7 @@ metadata:
 namespace: cert-manager
 annotations:
 argocd.argoproj.io/sync-options: "Force=true,Replace=true"
- k8s-secret-sync.weinbender.io/provider: "op"
- k8s-secret-sync.weinbender.io/secret-key: "api-token"
- k8s-secret-sync.weinbender.io/ref: "op://microk8s/cloudflare-auth-weinbenderio/credential"
+ "k8s-secret-sync.weinbender.io/provider-name": "op"
+ "k8s-secret-sync.weinbender.io/secret-key": "api-token"
+ "k8s-secret-sync.weinbender.io/provider-ref": "op://microk8s/cloudflare-auth-weinbenderio/credential"
 type: Opaque
diff --git a/kubernetes/immich/httproute.yaml b/kubernetes/immich/httproute.yaml
index 39c7f2a..198ed7d 100644
--- a/kubernetes/immich/httproute.yaml
+++ b/kubernetes/immich/httproute.yaml
@@ -1,4 +1,4 @@
-apiVersion: gateway.networking.k8s.io/v1beta1
+apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
 name: immich
diff --git a/kubernetes/immich/kustomization.yaml b/kubernetes/immich/kustomization.yaml
index ee13567..011f886 100644
--- a/kubernetes/immich/kustomization.yaml
+++ b/kubernetes/immich/kustomization.yaml
@@ -12,6 +12,8 @@ resources:
 - service-ml.yaml
 - httproute.yaml
 
-commonLabels:
- app.kubernetes.io/name: immich
- app.kubernetes.io/part-of: immich
+labels:
+ - pairs:
+ app.kubernetes.io/name: immich
+ app.kubernetes.io/part-of: immich
+ includeSelectors: false
diff --git a/kubernetes/immich/todo.txt b/kubernetes/immich/todo.txt
deleted file mode 100644
index 84627ea..0000000
--- a/kubernetes/immich/todo.txt
+++ /dev/null
@@ -1 +0,0 @@
-TODO: I need to add vector extension (and others) for immich
\ No newline at end of file
diff --git a/kubernetes/jellyfin/deployment.yaml b/kubernetes/jellyfin/deployment.yaml
index d25e799..3fd8112 100644
--- a/kubernetes/jellyfin/deployment.yaml
+++ b/kubernetes/jellyfin/deployment.yaml
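Review bot: The renamed annotation keys (`provider-name`, `provider-ref`) cannot be checked against anything in this diff, and because the Secret is synced with `Force=true,Replace=true`, a key the k8s-secret-sync controller does not recognise would leave the Secret without its `api-token` entry and the cert-manager issuer that consumes it failing, rather than producing an error at apply time. A comment above the annotations pointing at the controller's documented key set, e.g. `# annotation keys consumed by k8s-secret-sync; see <controller docs>`, plus a check after the first sync that the Secret actually carries `api-token`, would close that gap.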
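Review bot: Switching from `commonLabels` to `labels` with `includeSelectors: false` changes what Kustomize writes into `spec.selector` — the old form injected `app.kubernetes.io/name` and `app.kubernetes.io/part-of` into Deployment and Service selectors, the new form does not. If the immich Deployment and Service manifests do not carry those labels in their own selectors, the rendered Deployment's `spec.selector.matchLabels` now differs from the live object, and since that field is immutable in `apps/v1` the sync will be rejected unless the object is replaced, while a Service whose selector depended on the injected labels would select no pods. The same applies to the redis kustomization hunk later in this patch. If the intent is to keep the previous behaviour, `includeSelectors: true` reproduces it; otherwise the selectors in the referenced deployment/service manifests should be verified explicitly.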
@@ -16,6 +16,7 @@ spec:
 securityContext:
 # these settings ensure that Jellyfin runs with the correct user and group IDs
 # which are necessary for file permissions on the host system
+ runAsNonRoot: true
 runAsUser: 101000
 runAsGroup: 110000
 fsGroup: 110000
@@ -24,7 +25,9 @@ spec:
 image: jellyfin/jellyfin:latest
 ports:
 - containerPort: 8096
+ name: http
 - containerPort: 8920
+ name: https
 volumeMounts:
 - name: jellyfin-config
 mountPath: /config
@@ -32,13 +35,28 @@ spec:
 mountPath: /cache
 - name: jellyfin-media
 mountPath: /media
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: 8096
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: 8096
+ initialDelaySeconds: 10
+ periodSeconds: 10
 volumes:
 - name: jellyfin-config
 hostPath:
 path: /home/nas/shared/pvcs/jellyfin-config
+ type: DirectoryOrCreate
 - name: jellyfin-cache
 hostPath:
 path: /home/nas/shared/pvcs/jellyfin-cache
+ type: DirectoryOrCreate
 - name: jellyfin-media
 hostPath:
 path: /home/nas/media
+ type: DirectoryOrCreate
diff --git a/kubernetes/jellyfin/httproute.yaml b/kubernetes/jellyfin/httproute.yaml
index a99d9b1..7887279 100644
--- a/kubernetes/jellyfin/httproute.yaml
+++ b/kubernetes/jellyfin/httproute.yaml
@@ -1,4 +1,4 @@
-apiVersion: gateway.networking.k8s.io/v1beta1
+apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
 name: jellyfin
diff --git a/kubernetes/jellyfin/kustomization.yaml b/kubernetes/jellyfin/kustomization.yaml
new file mode 100644
index 0000000..ac9a962
--- /dev/null
+++ b/kubernetes/jellyfin/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: jellyfin
+
+resources:
+ - deployment.yaml
+ - service.yaml
+ - httproute.yaml
+
+labels:
+ - pairs:
+ app.kubernetes.io/name: jellyfin
+ app.kubernetes.io/part-of: jellyfin
+ includeSelectors: false
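Review bot: `runAsNonRoot: true` at the pod level is a good addition, but nothing in the visible container spec sets a container-level `securityContext`, so `allowPrivilegeEscalation` stays at its default of true and no capabilities are dropped. Unless Jellyfin needs something specific here (hardware transcoding usually needs device access rather than extra capabilities), adding under the container `securityContext:` / `allowPrivilegeEscalation: false` / `capabilities: {drop: ["ALL"]}` would complete the hardening the comment above this block describes. The pod `securityContext` block starts before this hunk and the container spec continues in the following hunks, so a container-level block could exist in the two unseen lines between them — worth a quick check.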
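Review bot: `type: DirectoryOrCreate` on the `jellyfin-media` volume masks a missing NAS mount: if `/home/nas/media` is not mounted on the node the pod lands on, the kubelet creates an empty directory there and Jellyfin starts with an empty library instead of failing. For a path that is expected to pre-exist, `type: Directory` is the safer choice — the pod then fails to start with a clear event — while `DirectoryOrCreate` is reasonable for the config and cache paths if the parent `pvcs` directory is known to exist. Note also that a directory the kubelet creates is owned by root with mode 0755 and `fsGroup` is not applied to hostPath volumes, so uid 101000 could not write to a freshly created config or cache directory until it is chowned on the host. Now that the ports are named in the previous hunk, both probes could use `port: http` instead of repeating `8096`.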
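Review bot: The new kustomization sets `namespace: jellyfin` but lists no Namespace manifest among its `resources`, so the overlay relies on the namespace already existing or on a `CreateNamespace=true` sync option — which in this patch is visible only on the root Application in `kubernetes/bootstrap/argocd-root-application.yaml`, not necessarily on the child Application that syncs this path. If the namespace is created elsewhere, a comment above the key such as `# namespace is created by the jellyfin Argo Application (CreateNamespace=true)` would document that; otherwise a `namespace.yaml` should be added to `resources`. Since the deployment in this same patch mounts hostPath volumes, any Pod Security Admission labels on that namespace also need to allow `hostPath`, which the `baseline` profile forbids.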
diff --git a/kubernetes/otel-operator/node_exporter.yaml b/kubernetes/otel-operator/node_exporter.yaml
index 229f536..9aa21fb 100644
--- a/kubernetes/otel-operator/node_exporter.yaml
+++ b/kubernetes/otel-operator/node_exporter.yaml
@@ -29,13 +29,6 @@ spec:
 ports:
 - containerPort: 9100
 protocol: TCP
- resources:
- limits:
- cpu: 250m
- memory: 180Mi
- requests:
- cpu: 102m
- memory: 180Mi
 volumeMounts:
 - mountPath: /host/sys
 mountPropagation: HostToContainer
diff --git a/kubernetes/redis/kustomization.yaml b/kubernetes/redis/kustomization.yaml
index 1f99667..bbe84b3 100644
--- a/kubernetes/redis/kustomization.yaml
+++ b/kubernetes/redis/kustomization.yaml
@@ -9,6 +9,8 @@ resources:
 - deployment.yaml
 - service.yaml
 
-commonLabels:
- app.kubernetes.io/name: redis
- app.kubernetes.io/part-of: infrastructure
+labels:
+ - pairs:
+ app.kubernetes.io/name: redis
+ app.kubernetes.io/part-of: infrastructure
+ includeSelectors: false

From b0a9e89370c02f5bede09c765483280ebfaccf28 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 26 Dec 2025 19:33:41 +0000
Subject: [PATCH 3/3] fix: Improve jellyfin probe configuration per code review

- Increase readiness probe periodSeconds to 15s (less aggressive for media server)
- Add failureThreshold: 3 to both probes for better reliability

Co-authored-by: jackweinbender <1544859+jackweinbender@users.noreply.github.com>
---
 kubernetes/jellyfin/deployment.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kubernetes/jellyfin/deployment.yaml b/kubernetes/jellyfin/deployment.yaml
index 3fd8112..a746e07 100644
--- a/kubernetes/jellyfin/deployment.yaml
+++ b/kubernetes/jellyfin/deployment.yaml
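Review bot: The hunk removes the `requests` block as well as the `limits`, while the commit message only speaks of limits; with neither set (and assuming this is the pod's only container) the DaemonSet pods drop to BestEffort QoS and are the first to be evicted under node memory pressure, which is exactly when a node exporter is most useful. If the repo guideline is about limits only, keeping `requests:` with `cpu: 102m` and `memory: 180Mi` preserves scheduling and eviction protection without reintroducing throttling. The node_exporter container spec continues outside this hunk.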
@@ -41,12 +41,14 @@ spec:
 port: 8096
 initialDelaySeconds: 30
 periodSeconds: 30
+ failureThreshold: 3
 readinessProbe:
 httpGet:
 path: /health
 port: 8096
 initialDelaySeconds: 10
- periodSeconds: 10
+ periodSeconds: 15
+ failureThreshold: 3
 volumes:
 - name: jellyfin-config
 hostPath:
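Review bot: `failureThreshold: 3` is the Kubernetes default for both probes, so the two added lines change nothing at runtime; if they are meant to document intent, a comment such as `# default, stated explicitly` would say so more honestly than restating the default as if it were a tuning. If the goal is tolerance for Jellyfin's slow start (library scans after upgrades), the effective lever is a `startupProbe` on the same `/health` endpoint with a generous `failureThreshold` (e.g. 30 checks at `periodSeconds: 10`, a constructed example), which disables the liveness probe until the first success, rather than the fixed `initialDelaySeconds: 30`. The liveness probe block starts and the volumes list ends outside this hunk.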