apps/immich/ingress.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  namespace: immich
+  name: immich
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.org/client-max-body-size: "0"
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: immich.lumpiasty.xyz
+      http:
+        paths:
+          - backend:
+              service:
+                name: immich-server
+                port:
+                  number: 2283
+            path: /
+            pathType: Prefix
+  tls:
+    - hosts:
+        - immich.lumpiasty.xyz
+      secretName: immich-ingress

apps/immich/kustomization.yaml

@@ -4,5 +4,7 @@ resources:
   - namespace.yaml
   - volume.yaml
   - redis.yaml
+  - postgres-password.yaml
   - postgres-cluster.yaml
-  # - release.yaml
+  - release.yaml
+  - ingress.yaml

apps/immich/postgres-cluster.yaml

@@ -2,7 +2,7 @@
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
-  name: immich-postgres
+  name: immich-db
   namespace: immich
 spec:
   imageName: ghcr.io/tensorchord/cloudnative-vectorchord:14-0.4.3
@@ -12,3 +12,21 @@ spec:
   storage:
     size: 10Gi
     storageClass: mayastor-single-hdd
+  bootstrap:
+    initdb:
+      # Defaults of immich chart
+      database: immich
+      owner: immich
+
+  # We need to create custom role because default one does not allow to set up
+  # vectorchord extension
+  managed:
+    roles:
+      - name: immich
+        createdb: true
+        login: true
+        superuser: true
+        # We need to manually create secret
+        # https://github.com/cloudnative-pg/cloudnative-pg/issues/3788
+        passwordSecret:
+          name: immich-db-immich

apps/immich/postgres-password.yaml

@@ -0,0 +1,38 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: immich-password
+  namespace: immich
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: immich
+  namespace: immich
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: immich
+    serviceAccount: immich-password
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: immich-db
+  namespace: immich
+spec:
+  type: kv-v2
+
+  mount: secret
+  path: immich-db
+
+  destination:
+    create: true
+    name: immich-db-immich
+    type: kubernetes.io/basic-auth
+    transformation:
+      excludeRaw: true
+
+  vaultAuthRef: immich

apps/immich/release.yaml

@@ -2,12 +2,11 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
-  name: immich
+  name: secustor
   namespace: immich
 spec:
   interval: 24h
-  type: "oci"
-  url: oci://ghcr.io/immich-app/immich-charts
+  url: https://secustor.dev/helm-charts
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
@@ -19,21 +18,53 @@ spec:
   chart:
     spec:
       chart: immich
-      version: 0.9.3
+      version: 0.6.8
       sourceRef:
         kind: HelmRepository
-        name: immich
+        name: secustor
   values:
-    immich:
-      persistence:
-        library:
-          existingClaim: library
+    common:
+      config:
+        vecotrExtension: vectorchord
+      postgres:
+        host: immich-db-rw
+        existingSecret:
+          enabled: true
+          secretName: immich-db-immich
+          usernameKey: username
+          passwordKey: password
+      redis:
+        host: redis-master
+        existingSecret:
+          enabled: true
+          secretName: redis
+          passwordKey: redis-password
 
-    redis:
+    server:
+      volumeMounts:
+        - mountPath: /usr/src/app/upload
+          name: uploads
+      volumes:
+        - name: uploads
+          persistentVolumeClaim:
+            claimName: library
+
+    machineLearning:
       enabled: true
 
-    postgresql:
-      global:
-        postgresql:
-          auth:
-            existingSecret:
+    ingress:
+      # Ingress definition is broken in chart (reference to wrong port value)
+      # Supplying our own separate ingress.yaml
+      enabled: false
+      className: nginx
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt
+      hosts:
+        - host: immich.lumpiasty.xyz
+          paths:
+            - path: /
+              pathType: Prefix
+      tls:
+        - hosts:
+            - immich.lumpiasty.xyz
+          secretName: immich-ingress

vault/kubernetes-roles/immich.yaml

@@ -0,0 +1,6 @@
+bound_service_account_names:
+  - immich-password
+bound_service_account_namespaces:
+  - immich
+token_policies:
+  - immich

vault/policy/immich.hcl

@@ -0,0 +1,4 @@
+
+path "secret/data/immich-db" {
+    capabilities = ["read"]
+}