Fix

k8s/apps/n8n/deployment-main.yaml

@@ -18,6 +18,7 @@ spec:
         app: n8n
         component: main
     spec:
+      serviceAccountName: n8n
       containers:
       - name: n8n
         image: docker.n8n.io/n8nio/n8n:latest
@@ -25,8 +26,12 @@ spec:
         - containerPort: 5678
           name: http
         env:
+        - name: HOME
+          value: "/home/node"
         - name: N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS
           value: "true"
+        - name: NODES_EXCLUDE
+          value: "[]"
         - name: N8N_HOST
           value: "n8n.hexor.cy"
         - name: N8N_PORT
@@ -70,6 +75,11 @@ spec:
             secretKeyRef:
               name: credentials
               key: encryptionkey
+        - name: N8N_RUNNERS_AUTH_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: credentials
+              key: runnertoken
         volumeMounts:
         - name: n8n-data
           mountPath: /home/node/.n8n
@@ -101,7 +111,7 @@ spec:
         persistentVolumeClaim:
           claimName: n8n-data
       securityContext:
-        runAsUser: 65534
+        runAsUser: 1000
-        runAsGroup: 3000
+        runAsGroup: 1000
         runAsNonRoot: true
-        fsGroup: 3000
+        fsGroup: 1000

k8s/apps/n8n/deployment-worker.yaml

@@ -7,7 +7,7 @@ metadata:
     app: n8n
     component: worker
 spec:
-  replicas: 2
+  replicas: 1
   selector:
     matchLabels:
       app: n8n
@@ -18,11 +18,14 @@ spec:
         app: n8n
         component: worker
     spec:
+      serviceAccountName: n8n
       containers:
       - name: n8n-worker
         image: docker.n8n.io/n8nio/n8n:latest
         command: ["n8n", "worker"]
         env:
+        - name: HOME
+          value: "/home/node"
         - name: N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS
           value: "true"
         - name: N8N_RUNNERS_ENABLED
@@ -35,6 +38,8 @@ spec:
           value: "queue"
         - name: QUEUE_BULL_REDIS_HOST
           value: "n8n-redis"
+        - name: N8N_RUNNERS_TASK_BROKER_URI
+          value: "http://n8n:80"
         - name: NODE_ENV
           value: "production"
         - name: GENERIC_TIMEZONE
@@ -62,6 +67,11 @@ spec:
             secretKeyRef:
               name: credentials
               key: encryptionkey
+        - name: N8N_RUNNERS_AUTH_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: credentials
+              key: runnertoken
         volumeMounts:
         - name: n8n-data
           mountPath: /home/node/.n8n
@@ -87,7 +97,7 @@ spec:
         persistentVolumeClaim:
           claimName: n8n-data
       securityContext:
-        runAsUser: 65534
+        runAsUser: 1000
-        runAsGroup: 3000
+        runAsGroup: 1000
         runAsNonRoot: true
-        fsGroup: 3000
+        fsGroup: 1000

k8s/apps/n8n/external-secrets.yaml

@@ -13,6 +13,7 @@ spec:
         password: "{{ .psql | trim }}"
         username: "n8n"
         encryptionkey: "{{ .enc_pass | trim }}"
+        runnertoken: "{{ .runner_token | trim }}"
   data:
     - secretKey: psql
       sourceRef:
@@ -35,4 +36,15 @@ spec:
         decodingStrategy: None
         metadataPolicy: None
         key: 18c92d73-9637-4419-8642-7f7b308460cb
-        property: fields[0].value
+        property: fields[0].value
+    - secretKey: runner_token
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: 18c92d73-9637-4419-8642-7f7b308460cb
+        property: fields[1].value

k8s/apps/n8n/kustomization.yaml

@@ -1,19 +1,18 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-# Updated: Fixed n8n volume permissions issue
 
 resources:
   - external-secrets.yaml
-  - plain/
+  - storage.yaml
+  - rbac.yaml
+  - redis-deployment.yaml
+  - redis-service.yaml
+  - deployment-main.yaml
+  - deployment-worker.yaml
+  - service.yaml
+  - ingress.yaml
 
 helmCharts:
-# - name: n8n
-#   repo: https://community-charts.github.io/helm-charts
-#   version: 1.16.28
-#   releaseName: n8n
-#   namespace: n8n
-#   valuesFile: values-n8n.yaml
-#   includeCRDs: true
   - name: yacy
     repo: https://gt.hexor.cy/api/packages/ab/helm
     version: 0.1.2
@@ -21,3 +20,6 @@ helmCharts:
     namespace: n8n
     valuesFile: values-yacy.yaml
     includeCRDs: true
+
+commonLabels:
+  app.kubernetes.io/name: n8n

k8s/apps/n8n/plain/kustomization.yaml

@@ -1,15 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - storage.yaml
-  - redis-deployment.yaml
-  - redis-service.yaml
-  - deployment-main.yaml
-  - deployment-worker.yaml
-  - service.yaml
-  - ingress.yaml
-
-commonLabels:
-  app.kubernetes.io/name: n8n
-  app.kubernetes.io/instance: n8n-plain

k8s/apps/n8n/plain/storage.yaml

@@ -1,12 +0,0 @@
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: n8n-data
-spec:
-  accessModes:
-    - ReadWriteMany
-  storageClassName: nfs-csi
-  resources:
-    requests:
-      storage: 10Gi

k8s/apps/n8n/rbac.yaml

@@ -1,71 +1,37 @@
 ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: n8n
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: n8n-readonly
+  name: n8n-clusterrole
 rules:
-- apiGroups: [""]
+- apiGroups:
-  resources: 
+  - ""
-    - pods
-    - services
-    - endpoints
-    - persistentvolumeclaims
-    - persistentvolumes
-    - configmaps
-    - secrets
-    - nodes
-    - namespaces
-    - events
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["apps"]
   resources:
-    - deployments
+  - pods
-    - replicasets
+  - jobs
-    - statefulsets
+  - cronjobs
-    - daemonsets
+  - deployments
-  verbs: ["get", "list", "watch"]
+  - statefulsets
-- apiGroups: ["networking.k8s.io"]
+  verbs:
-  resources:
+  - get
-    - ingresses
+  - list
-    - networkpolicies
+  - watch
-  verbs: ["get", "list", "watch"]
+  - create
-- apiGroups: ["extensions"]
-  resources:
-    - ingresses
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["autoscaling"]
-  resources:
-    - horizontalpodautoscalers
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["batch"]
-  resources:
-    - jobs
-    - cronjobs
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["metrics.k8s.io"]
-  resources:
-    - pods
-    - nodes
-  verbs: ["get", "list"]
-- apiGroups: ["storage.k8s.io"]
-  resources:
-    - storageclasses
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["policy"]
-  resources:
-    - poddisruptionbudgets
-  verbs: ["get", "list", "watch"]
-
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: n8n-readonly
+  name: n8n-clusterrolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: n8n-readonly
+  name: n8n-clusterrole
 subjects:
 - kind: ServiceAccount
-  name: n8n-readonly
+  name: n8n
   namespace: n8n

k8s/apps/n8n/storage.yaml

@@ -2,11 +2,11 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: n8n-home
+  name: n8n-data
 spec:
   accessModes:
     - ReadWriteMany
-  storageClassName: nfs-csi
+  storageClassName: longhorn
   resources:
     requests:
       storage: 10Gi

k8s/apps/n8n/values-n8n.yaml

@@ -1,86 +0,0 @@
-nodeSelector:
-  kubernetes.io/hostname: master.tail2fe2d.ts.net
-
-
-db:
-  type: postgresdb
-
-podSecurityContext:
-  runAsUser: 1000
-  runAsGroup: 1000
-  runAsNonRoot: true
-
-# Configure health probes for slow startup
-main:
-  extraEnvVars: 
-    NODES_EXCLUDE: "[]"
-  resources:
-    requests:
-      cpu: 100m
-      memory: 128Mi
-    limits:
-      cpu: 512m
-      memory: 512Mi
-  persistence:
-    enabled: true
-    existingClaim: n8n-home
-    mountPath: /home/node/.n8n
-  livenessProbe:
-    httpGet:
-      path: /healthz
-      port: http
-    initialDelaySeconds: 120
-    periodSeconds: 30
-    timeoutSeconds: 10
-    failureThreshold: 6
-  
-  readinessProbe:
-    httpGet:
-      path: /healthz/readiness
-      port: http
-    initialDelaySeconds: 60
-    periodSeconds: 10
-    timeoutSeconds: 5
-    failureThreshold: 10
-
-
-worker:
-  mode: regular
-
-webhook:
-  url: https://n8n.hexor.cy
-
-redis:
-  enabled: true
-
-existingEncryptionKeySecret: credentials
-
-serviceAccount:
-  create: true
-  automount: true
-  annotations: {}
-  name: "n8n-readonly"
-
-externalPostgresql:
-  existingSecret: credentials
-  host: "psql.psql.svc"
-  username: "n8n"
-  database: "n8n"
-
-ingress:
-  enabled: true
-  className: traefik
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
-
-  hosts:
-    - host: n8n.hexor.cy
-      paths:
-        - path: /
-          pathType: Prefix
-  tls:
-    - secretName: n8n-tls
-      hosts:
-        - '*.hexor.cy'
-

k8s/apps/n8n/values-yacy.yaml

@@ -21,4 +21,4 @@ yacy:
     network.unit.dhtredundancy.senior: "1"
     index.receive.allow: "false"
     index.distribute.allow: "false"
-    crawl.response.timeout: "10000"
+    crawl.response.timeout: "10000"

k8s/core/longhorn/app.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: longhorn
+  namespace: argocd
+spec:
+  project: core
+  destination:
+    namespace: longhorn
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/core/longhorn
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+

k8s/core/longhorn/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+#resources:
+#  - app.yaml
+
+helmCharts:
+  - name: longhorn
+    repo: https://charts.longhorn.io
+    version: 1.11.0
+    releaseName: longhorn
+    namespace: longhorn
+    valuesFile: values.yaml
+    includeCRDs: true
+

k8s/core/longhorn/values.yaml

@@ -0,0 +1,4 @@
+longhornUI:
+  replicas: 1
+persistence:
+  reclaimPolicy: "Retain"