Auto-update README with current k8s applications

Generated by CI/CD workflow on 2026-02-05 16:03:40

This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.

k8s/apps/n8n/external-secrets.yaml

@@ -10,8 +10,9 @@ spec:
     template:
       type: Opaque
       data:
-        postgres-password: "{{ .psql | trim }}"
-        N8N_ENCRYPTION_KEY: "{{ .enc_pass | trim }}"
+        password: "{{ .psql | trim }}"
+        username: "n8n"
+        encryptionkey: "{{ .enc_pass | trim }}"
   data:
     - secretKey: psql
       sourceRef:

k8s/apps/n8n/kustomization.yaml

@@ -4,16 +4,16 @@ kind: Kustomization
 
 resources:
   - external-secrets.yaml
-  - storage.yaml
+  - plain/
 
 helmCharts:
-  - name: n8n
-    repo: https://community-charts.github.io/helm-charts
-    version: 1.16.28
-    releaseName: n8n
-    namespace: n8n
-    valuesFile: values-n8n.yaml
-    includeCRDs: true
+# - name: n8n
+#   repo: https://community-charts.github.io/helm-charts
+#   version: 1.16.28
+#   releaseName: n8n
+#   namespace: n8n
+#   valuesFile: values-n8n.yaml
+#   includeCRDs: true
   - name: yacy
     repo: https://gt.hexor.cy/api/packages/ab/helm
     version: 0.1.2

k8s/apps/n8n/plain/deployment-main.yaml

@@ -0,0 +1,109 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: n8n-main
+  labels:
+    app: n8n
+    component: main
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: n8n
+      component: main
+  template:
+    metadata:
+      labels:
+        app: n8n
+        component: main
+    spec:
+      containers:
+      - name: n8n
+        image: docker.n8n.io/n8nio/n8n:latest
+        ports:
+        - containerPort: 5678
+          name: http
+        env:
+        - name: HOME
+          value: "/home/node"
+        - name: N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS
+          value: "true"
+        - name: N8N_HOST
+          value: "n8n.hexor.cy"
+        - name: N8N_PORT
+          value: "5678"
+        - name: N8N_PROTOCOL
+          value: "https"
+        - name: N8N_RUNNERS_ENABLED
+          value: "true"
+        - name: N8N_RUNNERS_MODE
+          value: "external"
+        - name: EXECUTIONS_MODE
+          value: "queue"
+        - name: QUEUE_BULL_REDIS_HOST
+          value: "n8n-redis"
+        - name: NODE_ENV
+          value: "production"
+        - name: WEBHOOK_URL
+          value: "https://n8n.hexor.cy/"
+        - name: GENERIC_TIMEZONE
+          value: "Europe/Moscow"
+        - name: TZ
+          value: "Europe/Moscow"
+        - name: DB_TYPE
+          value: "postgresdb"
+        - name: DB_POSTGRESDB_HOST
+          value: "psql.psql.svc"
+        - name: DB_POSTGRESDB_DATABASE
+          value: "n8n"
+        - name: DB_POSTGRESDB_USER
+          valueFrom:
+            secretKeyRef:
+              name: credentials
+              key: username
+        - name: DB_POSTGRESDB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: credentials
+              key: password
+        - name: N8N_ENCRYPTION_KEY
+          valueFrom:
+            secretKeyRef:
+              name: credentials
+              key: encryptionkey
+        volumeMounts:
+        - name: n8n-data
+          mountPath: /home/node/.n8n
+        resources:
+          requests:
+            cpu: 100m
+            memory: 128Mi
+          limits:
+            cpu: 512m
+            memory: 512Mi
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: http
+          initialDelaySeconds: 120
+          periodSeconds: 30
+          timeoutSeconds: 10
+          failureThreshold: 6
+        readinessProbe:
+          httpGet:
+            path: /healthz/readiness
+            port: http
+          initialDelaySeconds: 60
+          periodSeconds: 10
+          timeoutSeconds: 5
+          failureThreshold: 10
+      volumes:
+      - name: n8n-data
+        persistentVolumeClaim:
+          claimName: n8n-data
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        runAsNonRoot: true
+        fsGroup: 1000

k8s/apps/n8n/plain/deployment-worker.yaml

@@ -0,0 +1,95 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: n8n-worker
+  labels:
+    app: n8n
+    component: worker
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: n8n
+      component: worker
+  template:
+    metadata:
+      labels:
+        app: n8n
+        component: worker
+    spec:
+      containers:
+      - name: n8n-worker
+        image: docker.n8n.io/n8nio/n8n:latest
+        command: ["n8n", "worker"]
+        env:
+        - name: HOME
+          value: "/home/node"
+        - name: N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS
+          value: "true"
+        - name: N8N_RUNNERS_ENABLED
+          value: "true"
+        - name: N8N_RUNNERS_MODE
+          value: "external"
+        - name: N8N_PORT
+          value: "80"
+        - name: EXECUTIONS_MODE
+          value: "queue"
+        - name: QUEUE_BULL_REDIS_HOST
+          value: "n8n-redis"
+        - name: NODE_ENV
+          value: "production"
+        - name: GENERIC_TIMEZONE
+          value: "Europe/Moscow"
+        - name: TZ
+          value: "Europe/Moscow"
+        - name: DB_TYPE
+          value: "postgresdb"
+        - name: DB_POSTGRESDB_HOST
+          value: "psql.psql.svc"
+        - name: DB_POSTGRESDB_DATABASE
+          value: "n8n"
+        - name: DB_POSTGRESDB_USER
+          valueFrom:
+            secretKeyRef:
+              name: credentials
+              key: username
+        - name: DB_POSTGRESDB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: credentials
+              key: password
+        - name: N8N_ENCRYPTION_KEY
+          valueFrom:
+            secretKeyRef:
+              name: credentials
+              key: encryptionkey
+        volumeMounts:
+        - name: n8n-data
+          mountPath: /home/node/.n8n
+        resources:
+          requests:
+            cpu: 100m
+            memory: 256Mi
+          limits:
+            cpu: 1000m
+            memory: 1Gi
+        livenessProbe:
+          exec:
+            command:
+            - /bin/sh
+            - -c
+            - "ps aux | grep '[n]8n worker' || exit 1"
+          initialDelaySeconds: 30
+          periodSeconds: 30
+          timeoutSeconds: 5
+          failureThreshold: 3
+      volumes:
+      - name: n8n-data
+        persistentVolumeClaim:
+          claimName: n8n-data
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        runAsNonRoot: true
+        fsGroup: 1000

k8s/apps/n8n/plain/ingress.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: n8n
+  labels:
+    app: n8n
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - n8n.hexor.cy
+    secretName: n8n-tls
+  rules:
+  - host: n8n.hexor.cy
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: n8n
+            port:
+              number: 80

k8s/apps/n8n/plain/kustomization.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - storageclass.yaml
+  - storage.yaml
+  - redis-deployment.yaml
+  - redis-service.yaml
+  - deployment-main.yaml
+  - deployment-worker.yaml
+  - service.yaml
+  - ingress.yaml
+
+commonLabels:
+  app.kubernetes.io/name: n8n
+  app.kubernetes.io/instance: n8n-plain

k8s/apps/n8n/plain/redis-deployment.yaml

@@ -0,0 +1,57 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: n8n-redis
+  labels:
+    app: redis
+    component: n8n
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: redis
+      component: n8n
+  template:
+    metadata:
+      labels:
+        app: redis
+        component: n8n
+    spec:
+      containers:
+      - name: redis
+        image: redis:7-alpine
+        ports:
+        - containerPort: 6379
+          name: redis
+        command:
+        - redis-server
+        - --appendonly
+        - "yes"
+        - --save
+        - "900 1"
+        volumeMounts:
+        - name: redis-data
+          mountPath: /data
+        resources:
+          requests:
+            cpu: 50m
+            memory: 64Mi
+          limits:
+            cpu: 200m
+            memory: 256Mi
+        livenessProbe:
+          tcpSocket:
+            port: 6379
+          initialDelaySeconds: 30
+          periodSeconds: 10
+        readinessProbe:
+          exec:
+            command:
+            - redis-cli
+            - ping
+          initialDelaySeconds: 5
+          periodSeconds: 5
+      volumes:
+      - name: redis-data
+        emptyDir: {}

k8s/apps/n8n/plain/redis-service.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: n8n-redis
+  labels:
+    app: redis
+    component: n8n
+spec:
+  selector:
+    app: redis
+    component: n8n
+  ports:
+  - name: redis
+    port: 6379
+    targetPort: 6379
+    protocol: TCP
+  type: ClusterIP

k8s/apps/n8n/plain/service.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: n8n
+  labels:
+    app: n8n
+spec:
+  selector:
+    app: n8n
+    component: main
+  ports:
+  - name: http
+    port: 80
+    targetPort: 5678
+    protocol: TCP
+  type: ClusterIP

k8s/apps/n8n/plain/storage.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: n8n-data
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: nfs-csi-n8n
+  resources:
+    requests:
+      storage: 10Gi

k8s/apps/n8n/plain/storageclass.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: nfs-csi-n8n
+provisioner: nfs.csi.k8s.io
+parameters:
+  server: nas.homenet
+  share: /mnt/storage/Storage/PVC
+  mountPermissions: "0755"
+reclaimPolicy: Retain
+volumeBindingMode: Immediate
+mountOptions:
+  - uid=1000
+  - gid=1000
+  - file_mode=0755
+  - dir_mode=0755

k8s/apps/n8n/rbac.yaml

@@ -0,0 +1,71 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: n8n-readonly
+rules:
+- apiGroups: [""]
+  resources: 
+    - pods
+    - services
+    - endpoints
+    - persistentvolumeclaims
+    - persistentvolumes
+    - configmaps
+    - secrets
+    - nodes
+    - namespaces
+    - events
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["apps"]
+  resources:
+    - deployments
+    - replicasets
+    - statefulsets
+    - daemonsets
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["networking.k8s.io"]
+  resources:
+    - ingresses
+    - networkpolicies
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["extensions"]
+  resources:
+    - ingresses
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["autoscaling"]
+  resources:
+    - horizontalpodautoscalers
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["batch"]
+  resources:
+    - jobs
+    - cronjobs
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["metrics.k8s.io"]
+  resources:
+    - pods
+    - nodes
+  verbs: ["get", "list"]
+- apiGroups: ["storage.k8s.io"]
+  resources:
+    - storageclasses
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["policy"]
+  resources:
+    - poddisruptionbudgets
+  verbs: ["get", "list", "watch"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: n8n-readonly
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: n8n-readonly
+subjects:
+- kind: ServiceAccount
+  name: n8n-readonly
+  namespace: n8n

k8s/apps/n8n/values-n8n.yaml

@@ -1,10 +1,19 @@
 nodeSelector:
   kubernetes.io/hostname: master.tail2fe2d.ts.net
 
+
 db:
   type: postgresdb
 
+podSecurityContext:
+  runAsUser: 1000
+  runAsGroup: 1000
+  runAsNonRoot: true
+
+# Configure health probes for slow startup
 main:
+  extraEnvVars: 
+    NODES_EXCLUDE: "[]"
   resources:
     requests:
       cpu: 100m
@@ -16,10 +25,23 @@ main:
     enabled: true
     existingClaim: n8n-home
     mountPath: /home/node/.n8n
-
-podSecurityContext:
-  fsGroup: 1000
-  fsGroupChangePolicy: "OnRootMismatch"
+  livenessProbe:
+    httpGet:
+      path: /healthz
+      port: http
+    initialDelaySeconds: 120
+    periodSeconds: 30
+    timeoutSeconds: 10
+    failureThreshold: 6
+  
+  readinessProbe:
+    httpGet:
+      path: /healthz/readiness
+      port: http
+    initialDelaySeconds: 60
+    periodSeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 10
 
 
 worker:
@@ -33,6 +55,12 @@ redis:
 
 existingEncryptionKeySecret: credentials
 
+serviceAccount:
+  create: true
+  automount: true
+  annotations: {}
+  name: "n8n-readonly"
+
 externalPostgresql:
   existingSecret: credentials
   host: "psql.psql.svc"