
---
# Statically defined NFS volume for Radicale's collection store. It is bound
# by name from the pvc-nfs-radicale-data claim and mounted by the Deployment
# at /data/collections.
apiVersion: v1
kind: PersistentVolume
metadata:
  labels:
    app: radicale
  name: pv-nfs-radicale-data
spec:
  storageClassName: freenas-nfs-manual-csi
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteMany
  # Retain: deleting the claim leaves the calendar/contact data on the share.
  persistentVolumeReclaimPolicy: Retain
  # No sec= option is set, so the mount uses the NFS client/server default.
  # NOTE(review): confirm the export is restricted to the cluster nodes and
  # that the storage network is trusted; nothing here encrypts NFS traffic.
  # NOTE(review): nolock is normally an NFSv2/v3 option; confirm it has the
  # intended effect together with nfsvers=4.
  mountOptions:
    - nfsvers=4
    - nolock
    - noatime
  csi:
    driver: org.democratic-csi.node-manual
    fsType: nfs
    readOnly: false
    volumeHandle: pv-nfs-radicale-data
    volumeAttributes:
      node_attach_driver: nfs
      provisioner_driver: node-manual
      server: storage-server-lagg.lan
      share: /mnt/r01_1tb/k8s/radicale-data/
---
# Claim in the tools namespace that binds explicitly (volumeName) to the
# pv-nfs-radicale-data volume, so no dynamic provisioning takes place.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  labels:
    app: radicale
  name: pvc-nfs-radicale-data
  namespace: tools
  annotations:
    # Legacy beta annotation; it repeats spec.storageClassName below.
    volume.beta.kubernetes.io/storage-class: 'freenas-nfs-manual-csi'
spec:
  storageClassName: 'freenas-nfs-manual-csi'
  volumeName: pv-nfs-radicale-data
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
---
# Encrypted htpasswd file for Radicale. The sealed-secrets controller
# decrypts it into an Opaque Secret named "users" in the tools namespace,
# which the Deployment mounts at /etc/radicale/users.
# NOTE(review): with the default (strict) sealing scope the ciphertext is
# tied to this name and namespace; renaming or moving it means re-sealing.
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  namespace: tools
  name: users
spec:
  encryptedData:
    # Ciphertext only; the plaintext htpasswd must never be committed here.
    users: 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
  template:
    type: Opaque
    metadata:
      name: users
      namespace: tools
      labels:
        app: radicale
---
# Radicale server configuration, mounted read-only at /config/config.
# - [server] sets no TLS options, so Radicale speaks plain HTTP on 5232;
#   the Ingress in this file is what terminates TLS.
# - [auth] makes Radicale verify Basic credentials itself against the
#   bcrypt htpasswd file delivered by the "users" secret. delay = 1 is the
#   only failed-login throttling configured in this file.
# NOTE(review): bcrypt verification needs bcrypt support inside the image;
# confirm the harbor.k8s.lan/k8s/radicale image ships it.
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app: radicale
  name: config
  namespace: tools
data:
  config: |-
    [server]
    hosts = 0.0.0.0:5232
    [storage]
    filesystem_folder = /data/collections
    [web]
    type = internal
    [logging]
    level = info
    [auth]
    type = htpasswd
    htpasswd_filename = /etc/radicale/users
    htpasswd_encryption = bcrypt
    delay = 1
    realm = Radicale - Password Required
---
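# Single-replica Radicale server. It runs as uid/gid 1000, reads its config
# and htpasswd file from read-only mounts, and stores collections on the
# NFS-backed claim pvc-nfs-radicale-data.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: radicale
  namespace: tools
  labels:
    app: radicale
spec:
  replicas: 1
  selector:
    matchLabels:
      app: radicale
  template:
    metadata:
      labels:
        app: radicale
    spec:
      # Nothing in this manifest calls the Kubernetes API, so the service
      # account token is not mounted into the pod. Re-enable only if the
      # entrypoint script turns out to need it.
      automountServiceAccountToken: false
      securityContext:
        fsGroup: 1000
        # Restrict syscalls to the container runtime's default profile.
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: radicale
          # NOTE(review): ":16" is a mutable tag; pinning the image by digest
          # would make the deployed content verifiable.
          image: "harbor.k8s.lan/k8s/radicale:16"
          # NOTE(review): no requests/limits are set, so this public-facing
          # pod is unbounded in CPU and memory; choose values from observed
          # usage.
          resources: {}
          command: ["/bin/sh", "/usr/local/bin/docker-entrypoint.sh"]
          args: ["radicale", "--config", "/config/config"]
          securityContext:
            allowPrivilegeEscalation: false
            # Matches runAsUser below; the kubelet refuses to start the
            # container if it would ever run as uid 0.
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 1000
            # A non-root server on port 5232 needs no Linux capabilities.
            capabilities:
              drop: ["ALL"]
            # NOTE(review): readOnlyRootFilesystem is not enabled because
            # the entrypoint script is not visible here; enable it once the
            # script is confirmed not to write outside the mounted volumes.
          ports:
            - containerPort: 5232
              protocol: TCP
          volumeMounts:
            - name: collections
              mountPath: /data/collections
            # subPath mounts are not refreshed when the ConfigMap or Secret
            # changes: a config edit or htpasswd rotation only takes effect
            # after the pod is restarted.
            - name: config
              mountPath: /config/config
              subPath: config
              readOnly: true
            - name: users
              mountPath: /etc/radicale/users
              subPath: users
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: config
        - name: users
          secret:
            secretName: users
        - name: collections
          persistentVolumeClaim:
            claimName: pvc-nfs-radicale-data
      imagePullSecrets:
        - name: harbor-registry-creds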
---
# Cluster-internal Service in front of the Radicale pods. ClusterIP only:
# the sole external path defined in this file is the Ingress.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: radicale
  name: radicale
  namespace: tools
spec:
  type: ClusterIP
  selector:
    app: radicale
  ports:
    - name: dav
      port: 5232
      targetPort: 5232
      protocol: TCP
---
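# Public HTTPS entry point for Radicale (ingress class nginx-public). TLS
# terminates here with the cloudflare-tls secret; traffic from the ingress
# controller to the pod on 5232 is plain HTTP.
#
# The configuration-snippet annotation that forwarded
# "X-Remote-User $remote_user" has been removed:
# - Radicale is configured with "type = htpasswd" in this file's ConfigMap,
#   so it verifies the Basic credentials itself and does not use the header.
# - nginx takes $remote_user from the client's Authorization header, and no
#   proxy-side auth annotation is set on this Ingress, so the value was
#   never verified at the proxy.
# - Snippet annotations must be explicitly allowed on the ingress-nginx
#   controller (allow-snippet-annotations) and widen what an Ingress author
#   can inject into the nginx config.
# If proxy-side authentication is adopted later, authenticate at the proxy
# before forwarding any identity header to the backend.
#
# NOTE(review): the only login throttling visible in this file is Radicale's
# "delay = 1"; the ingress-nginx rate-limit annotations (for example
# nginx.ingress.kubernetes.io/limit-rpm) are an option for this public host.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: radicale
  namespace: tools
  labels:
    app: radicale
spec:
  ingressClassName: nginx-public
  rules:
    - host: radicale.theautomation.nl
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: radicale
                port:
                  number: 5232
  tls:
    - hosts:
        - radicale.theautomation.nl
      secretName: cloudflare-tls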