[PR #862] [MERGED] various Kubernetes deployment improvements #1711

Closed
opened 2026-03-02 11:58:50 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/karakeep-app/karakeep/pull/862
Author: @techtrd
Created: 1/11/2025
Status: Merged
Merged: 1/19/2025
Merged by: @MohamedBassem

Base: main ← Head: kubernetes-deployment-improvements


📝 Commits (6)

  • 5383204 changed the secrets from configmap to secret object, create ingress instead of loadbalancer.
  • b9af63b changed the tls secret name in kustomize to a more example name
  • 402cae1 fixed image name in kustomization so the version tag gets replaced properly
  • e18cadc tags are without v, otherwise we get an imagepullerror
  • 215b24d removed unnecessary parts of the .env.sample
  • 3ad81fe split env and secrets, added documentation, created sample ingress.

📊 Changes

7 files changed (+86 additions, -17 deletions)


📝 docs/docs/02-Installation/04-kubernetes.md (+45 -4)
📝 kubernetes/.env_sample (+2 -5)
➕ kubernetes/.secrets_sample (+4 -0)
➕ kubernetes/ingress_sample.yaml (+17 -0)
📝 kubernetes/kustomization.yaml (+10 -5)
📝 kubernetes/meilisearch-deployment.yaml (+3 -1)
📝 kubernetes/web-deployment.yaml (+5 -2)

📄 Description

What has changed?

Changed the secrets from configmap to secret object.

kustomize creates a secret from the .env file containing the three secrets. The Nextauth_URL is defined in the kustomize.yaml and is put into a configMap when kustomize builds the manifests.

Changed web loadbalancer service from loadbalancer to ClusterIP and implemented ingress

This may be opinionated, but I think it may be better to use the full toolkit of Kubernetes and therefore use an ingress object instead of publishing via loadbalancer.

Also, the ingress is by default built to use TLS. This might be overkill for homelab use, but I think in the long run it would be best to always default to building with TLS first; people who are not able to use TLS in their cluster can remove the TLS configuration from the ingress before or after deployment.

Example: I use a basic RKE2 install which comes with an ingress-nginx listening on the node IP, but it does not come with a loadbalancer by default, or at least as far as I know.

The Version Tag is now controlled in the kustomize.yaml

Following the Kubernetes documentation and best practices we follow at work, I think it is better to put an explicit version in the image tag of the deployment. It should be up to the operator to always keep up to date with the software which is deployed in the cluster.

Maybe this can be improved in other ways, maybe even automated, but I'm not knowledgeable enough yet to know of a way to automate it.

What is missing?

There is no TLS cert created during the kustomize build process. I always include my cert with a separately created secret via kubectl.

The other thing missing is installation documentation; I will create another PR for the README soon.

What and how did I test?

I put the secrets into an .env file and changed the relevant parts in the kustomize.yaml. After that I used `kustomize build . > manifests.yaml` to create the manifests and applied them with `kubectl apply -f manifests.yaml` into my local RKE2 node.

I could successfully create a user on the web interface, log in and create a node with a news site which also fetched the title and the image. Therefore I concluded that everything works as it should.

Thank you in advance,

Kind regards


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
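
The layout the description above outlines, sketched as an added example; it is not the PR's actual kustomization.yaml. The `.secrets` file name, the generator names, the namespace, the URL value, the image name `example.invalid/app/web` and the tag are assumptions made for illustration.

```yaml
# kustomization.yaml (illustrative; names, values and tag are placeholders)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: example-namespace

resources:
  - web-deployment.yaml
  - meilisearch-deployment.yaml
  - ingress.yaml              # assumed local copy of ingress_sample.yaml

# Before: secret values lived in a ConfigMap. Anyone allowed to read
# configmaps could read them, and "kubectl describe configmap" prints
# the values in clear text.
# configMapGenerator:
#   - name: example-env
#     envs:
#       - .env                # mixed settings and secrets

# After: only non-sensitive settings stay in a ConfigMap.
configMapGenerator:
  - name: example-configuration
    literals:
      - NEXTAUTH_URL=https://app.example.invalid   # constructed value

# Sensitive values go into a Secret. It is a separate RBAC resource and
# "kubectl describe secret" shows only sizes, but the data is base64
# encoded, not encrypted, unless encryption at rest is configured.
secretGenerator:
  - name: example-secrets
    type: Opaque
    envs:
      - .secrets              # KEY=value lines; keep this file out of git

# Pin the image to an explicit version instead of a floating tag.
images:
  - name: example.invalid/app/web   # must match the image in the Deployment
    newTag: "0.0.0"                 # placeholder, written without a leading "v"
```

In the output of `kustomize build .`, the secret keys should then appear only under `kind: Secret`, and the Deployment should reference the generated Secret by its hash-suffixed name.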
