From 26332c82e1c36a69c8677c4a412d6f21841b940f Mon Sep 17 00:00:00 2001
From: Lumpiasty
Date: Tue, 5 May 2026 20:37:21 +0200
Subject: [PATCH] add kaneo app
---
 apps/kaneo/kustomization.yaml | 8 +++
 apps/kaneo/namespace.yaml | 4 ++
 apps/kaneo/oauth-secret.yaml | 43 ++++++++++++++
 apps/kaneo/postgres-cluster.yaml | 16 ++++++
 apps/kaneo/postgres-volume.yaml | 33 +++++++++++
 apps/kaneo/release.yaml | 78 ++++++++++++++++++++++++++
 apps/kustomization.yaml | 1 +
 vault/kubernetes-auth-roles/kaneo.yaml | 6 ++
 vault/policy/kaneo.hcl | 3 +
 9 files changed, 192 insertions(+)
 create mode 100644 apps/kaneo/kustomization.yaml
 create mode 100644 apps/kaneo/namespace.yaml
 create mode 100644 apps/kaneo/oauth-secret.yaml
 create mode 100644 apps/kaneo/postgres-cluster.yaml
 create mode 100644 apps/kaneo/postgres-volume.yaml
 create mode 100644 apps/kaneo/release.yaml
 create mode 100644 vault/kubernetes-auth-roles/kaneo.yaml
 create mode 100644 vault/policy/kaneo.hcl
diff --git a/apps/kaneo/kustomization.yaml b/apps/kaneo/kustomization.yaml
new file mode 100644
index 0000000..95cf7ac
--- /dev/null
+++ b/apps/kaneo/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - namespace.yaml
+ - oauth-secret.yaml
+ - postgres-volume.yaml
+ - postgres-cluster.yaml
+ - release.yaml
diff --git a/apps/kaneo/namespace.yaml b/apps/kaneo/namespace.yaml
new file mode 100644
index 0000000..bce1a5c
--- /dev/null
+++ b/apps/kaneo/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: kaneo
diff --git a/apps/kaneo/oauth-secret.yaml b/apps/kaneo/oauth-secret.yaml
new file mode 100644
index 0000000..eb10a76
--- /dev/null
+++ b/apps/kaneo/oauth-secret.yaml
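Review bot: The new `kaneo` Namespace in the namespace.yaml hunk carries no Pod Security Admission labels, so the chart's pods will run under whatever the cluster's default PSA level is, which is "privileged" unless an admission configuration says otherwise. Consider adding `pod-security.kubernetes.io/enforce: baseline` (or `restricted`, if the Kaneo chart's pods tolerate it) under `metadata.labels`, plus the matching `warn`/`audit` labels. Whether the sibling app namespaces in this repo follow that convention is not visible in this diff.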
@@ -0,0 +1,43 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kaneo-secret
+ namespace: kaneo
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: kaneo
+ namespace: kaneo
+spec:
+ method: kubernetes
+ mount: kubernetes
+ kubernetes:
+ role: kaneo
+ serviceAccount: kaneo-secret
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: kaneo-authentik
+ namespace: kaneo
+spec:
+ type: kv-v2
+
+ mount: secret
+ path: authentik/kaneo
+
+ destination:
+ create: true
+ name: kaneo-authentik
+ type: Opaque
+ transformation:
+ excludeRaw: true
+ templates:
+ client_id:
+ text: '{{ get .Secrets "client_id" }}'
+ client_secret:
+ text: '{{ get .Secrets "client_secret" }}'
+
+ vaultAuthRef: kaneo
diff --git a/apps/kaneo/postgres-cluster.yaml b/apps/kaneo/postgres-cluster.yaml
new file mode 100644
index 0000000..20e5a53
--- /dev/null
+++ b/apps/kaneo/postgres-cluster.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: kaneo-db
+ namespace: kaneo
+spec:
+ instances: 1
+
+ storage:
+ pvcTemplate:
+ storageClassName: ssd-lvmpv
+ resources:
+ requests:
+ storage: 10Gi
+ volumeName: kaneo-db-1
diff --git a/apps/kaneo/postgres-volume.yaml b/apps/kaneo/postgres-volume.yaml
new file mode 100644
index 0000000..5d987e5
--- /dev/null
+++ b/apps/kaneo/postgres-volume.yaml
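Review bot: The VaultStaticSecret sets neither `refreshAfter` nor `rolloutRestartTargets`, so a rotated Authentik client secret in Vault will, as far as I can tell from VSO's defaults, not be re-synced on a schedule, and even when it is re-synced the pods that read `kaneo-authentik` through `secretKeyRef` env vars keep the old value until they restart. Add `refreshAfter: 1h` (or whatever rotation cadence you use) under `spec`, and a `rolloutRestartTargets` entry naming the chart's API Deployment so that a sync triggers a rollout. `excludeRaw: true` is the right call here, since it keeps the `_raw` copy of the whole Vault payload out of the Kubernetes Secret.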
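Review bot: The Cluster runs with `instances: 1` and no `backup` stanza, so the only copy of Kaneo's data is the single LVM volume on one node; the PV's Retain policy guards against accidental PVC deletion, not against disk or node loss. If an object store is reachable from the cluster, add `spec.backup.barmanObjectStore` with a `retentionPolicy` and a `ScheduledBackup`; otherwise at least leave a comment stating that this database is deliberately unbacked. Note also that `volumeName: kaneo-db-1` hard-binds the PVC template to the pre-created PV, so raising `instances` later would need another volume per replica.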
@@ -0,0 +1,33 @@
+apiVersion: local.openebs.io/v1alpha1
+kind: LVMVolume
+metadata:
+ labels:
+ kubernetes.io/nodename: anapistula-delrosalae
+ name: kaneo-db-1
+ namespace: openebs
+spec:
+ capacity: 10Gi
+ ownerNodeID: anapistula-delrosalae
+ shared: "yes"
+ thinProvision: "no"
+ vgPattern: ^openebs-ssd$
+ volGroup: openebs-ssd
+---
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+ name: kaneo-db-1
+spec:
+ capacity:
+ storage: 10Gi
+ accessModes:
+ - ReadWriteOnce
+ persistentVolumeReclaimPolicy: Retain
+ storageClassName: ssd-lvmpv
+ volumeMode: Filesystem
+ csi:
+ driver: local.csi.openebs.io
+ fsType: btrfs
+ volumeHandle: kaneo-db-1
+---
+# PVCs are dynamically created by the Postgres operator
diff --git a/apps/kaneo/release.yaml b/apps/kaneo/release.yaml
new file mode 100644
index 0000000..dae143c
--- /dev/null
+++ b/apps/kaneo/release.yaml
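Review bot: The LVMVolume is pinned to `ownerNodeID: anapistula-delrosalae`, but the static PersistentVolume below it declares no `nodeAffinity`, so nothing in the scheduler's view ties the Postgres pod to that node and a pod placed elsewhere would fail at mount time rather than at scheduling. Add a required node affinity on the PV keyed on the node's hostname label (or whichever topology key the lvm CSI driver publishes on the PVs it provisions dynamically). Separately, `shared: "yes"` lets the LVM volume be mounted by several pods on that node, which a Postgres data directory should never need; set it to `"no"` unless the operator documents a reason for it.

```yaml
spec:
  # … unchanged: capacity, accessModes, persistentVolumeReclaimPolicy, storageClassName, volumeMode, csi …
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/hostname
              operator: In
              values:
                - anapistula-delrosalae
```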
@@ -0,0 +1,78 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+ name: kaneo
+ namespace: kaneo
+spec:
+ interval: 24h
+ url: https://github.com/usekaneo/kaneo.git
+ ref:
+ tag: v2.7.1
+ ignore: |
+ # exclude all
+ /*
+ # include charts directory
+ !/charts/
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: kaneo
+ namespace: kaneo
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: ./charts/kaneo
+ sourceRef:
+ kind: GitRepository
+ name: kaneo
+ values:
+ ingress:
+ enabled: true
+ className: nginx-ingress
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /$1
+ cert-manager.io/cluster-issuer: letsencrypt
+ hosts:
+ - host: kaneo.lumpiasty.xyz
+ paths:
+ - path: /?(.*)
+ pathType: ImplementationSpecific
+ service: web
+ port: 80
+ - path: /api/?(.*)
+ pathType: ImplementationSpecific
+ service: api
+ port: 1337
+ tls:
+ - secretName: kaneo-ingress
+ hosts:
+ - kaneo.lumpiasty.xyz
+
+ postgresql:
+ enabled: false
+
+ kaneo:
+ env:
+ database:
+ external:
+ enabled: true
+ existingSecret:
+ enabled: true
+ name: kaneo-db-app
+ passwordKey: uri
+ extraEnv:
+ - name: CUSTOM_OAUTH_DISCOVERY_URL
+ value: https://authentik.lumpiasty.xyz/application/o/kaneo/.well-known/openid-configuration
+ - name: CUSTOM_OAUTH_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: kaneo-authentik
+ key: client_id
+ - name: CUSTOM_OAUTH_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: kaneo-authentik
+ key: client_secret
diff --git a/apps/kustomization.yaml b/apps/kustomization.yaml
index 1170486..441fab6 100644
--- a/apps/kustomization.yaml
+++ b/apps/kustomization.yaml
@@ -13,3 +13,4 @@ resources:
 - openwebui
 - woodpecker
 - meridian
+ - kaneo
diff --git a/vault/kubernetes-auth-roles/kaneo.yaml b/vault/kubernetes-auth-roles/kaneo.yaml
new file mode 100644
index 0000000..db155d4
--- /dev/null
+++ b/vault/kubernetes-auth-roles/kaneo.yaml
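Review bot: The GitRepository at the top of the hunk checks out the third-party chart by `tag: v2.7.1` only, and a Git tag is a mutable reference, so anyone who can move that tag upstream (or who compromises the repository) changes what Flux renders into this cluster with no change on this side. Pin the checkout to the tag's commit as well, `ref:` / `tag: v2.7.1` / `commit: <sha of v2.7.1>`, and if upstream signs its tags add `spec.verify` with a `secretRef` to the publisher's public key so source-controller rejects an unsigned move. The HelmRelease values also pin no container image tag or digest; whether the chart's own defaults do is not visible here, so worth checking before relying on the tag pin alone.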
@@ -0,0 +1,6 @@
+bound_service_account_names:
+ - kaneo-secret
+bound_service_account_namespaces:
+ - kaneo
+token_policies:
+ - kaneo
diff --git a/vault/policy/kaneo.hcl b/vault/policy/kaneo.hcl
new file mode 100644
index 0000000..a68ae72
--- /dev/null
+++ b/vault/policy/kaneo.hcl
@@ -0,0 +1,3 @@
+path "secret/data/authentik/kaneo" {
+ capabilities = ["read"]
+}
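Review bot: The role correctly binds only the `kaneo-secret` ServiceAccount in the `kaneo` namespace, but it sets no token TTLs, so tokens issued to VSO inherit the auth mount's defaults, which can be days long. Assuming this file maps 1:1 onto the Vault kubernetes-auth role fields, add `token_ttl: 1h` and `token_max_ttl: 24h` so a leaked token derived from the projected SA token has a bounded lifetime; VSO re-authenticates on its own when a token expires. Binding an `audience` here (with the matching `audiences` on the VaultAuth) would further narrow what a stolen projected token is good for, but that needs the VSO side configured too and is outside this change.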