Disable NODES_EXCLUDE for n8n

k8s/apps/n8n/kustomization.yaml

@@ -5,6 +5,7 @@ kind: Kustomization
 resources:
   - external-secrets.yaml
   - storage.yaml
+  - rbac.yaml
 
 helmCharts:
   - name: n8n

k8s/apps/n8n/rbac.yaml

@@ -0,0 +1,71 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: n8n-readonly
+rules:
+- apiGroups: [""]
+  resources: 
+    - pods
+    - services
+    - endpoints
+    - persistentvolumeclaims
+    - persistentvolumes
+    - configmaps
+    - secrets
+    - nodes
+    - namespaces
+    - events
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["apps"]
+  resources:
+    - deployments
+    - replicasets
+    - statefulsets
+    - daemonsets
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["networking.k8s.io"]
+  resources:
+    - ingresses
+    - networkpolicies
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["extensions"]
+  resources:
+    - ingresses
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["autoscaling"]
+  resources:
+    - horizontalpodautoscalers
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["batch"]
+  resources:
+    - jobs
+    - cronjobs
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["metrics.k8s.io"]
+  resources:
+    - pods
+    - nodes
+  verbs: ["get", "list"]
+- apiGroups: ["storage.k8s.io"]
+  resources:
+    - storageclasses
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["policy"]
+  resources:
+    - poddisruptionbudgets
+  verbs: ["get", "list", "watch"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: n8n-readonly
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: n8n-readonly
+subjects:
+- kind: ServiceAccount
+  name: n8n-readonly
+  namespace: n8n

k8s/apps/n8n/values-n8n.yaml

@@ -1,10 +1,13 @@
 nodeSelector:
   kubernetes.io/hostname: master.tail2fe2d.ts.net
 
+
 db:
   type: postgresdb
 
 main:
+  extraEnvVars: 
+    NODES_EXCLUDE: "[]"
   resources:
     requests:
       cpu: 100m
@@ -18,8 +21,29 @@ main:
     mountPath: /home/node/.n8n
 
 podSecurityContext:
-  fsGroup: 1000
+  runAsUser: 1000
-  fsGroupChangePolicy: "OnRootMismatch"
+  runAsGroup: 1000
+  runAsNonRoot: true
+
+# Configure health probes for slow startup
+main:
+  livenessProbe:
+    httpGet:
+      path: /healthz
+      port: http
+    initialDelaySeconds: 120
+    periodSeconds: 30
+    timeoutSeconds: 10
+    failureThreshold: 6
+  
+  readinessProbe:
+    httpGet:
+      path: /healthz/readiness
+      port: http
+    initialDelaySeconds: 60
+    periodSeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 10
 
 
 worker:
@@ -33,6 +57,12 @@ redis:
 
 existingEncryptionKeySecret: credentials
 
+serviceAccount:
+  create: true
+  automount: true
+  annotations: {}
+  name: "n8n-readonly"
+
 externalPostgresql:
   existingSecret: credentials
   host: "psql.psql.svc"