Auto-update README with current k8s applications

Generated by CI/CD workflow on 2026-02-11 19:49:35

This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.

k8s/apps/mtproxy/daemonset.yaml

@@ -23,8 +23,48 @@ spec:
               - matchExpressions:
                   - key: mtproxy
                     operator: Exists
+      serviceAccountName: mtproxy
       hostNetwork: true
       dnsPolicy: ClusterFirstWithHostNet
+      initContainers:
+        - name: register-proxy
+          image: bitnami/kubectl:latest
+          env:
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: tgproxy-secret
+                  key: SECRET
+            - name: PORT
+              valueFrom:
+                secretKeyRef:
+                  name: tgproxy-secret
+                  key: PORT
+          command:
+            - /bin/bash
+            - -c
+            - |
+              set -e
+              NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
+              SERVER=$(kubectl get node "${NODE_NAME}" -o jsonpath='{.metadata.labels.mtproxy}')
+              if [ -z "${SERVER}" ]; then
+                echo "ERROR: node ${NODE_NAME} has no mtproxy label"
+                exit 1
+              fi
+              LINK="tg://proxy?server=${SERVER}&port=${PORT}&secret=${SECRET}"
+              echo "Registering: ${SERVER} -> ${LINK}"
+              if kubectl get secret mtproxy-links -n "${NAMESPACE}" &>/dev/null; then
+                kubectl patch secret mtproxy-links -n "${NAMESPACE}" \
+                  --type merge -p "{\"stringData\":{\"${SERVER}\":\"${LINK}\"}}"
+              else
+                kubectl create secret generic mtproxy-links -n "${NAMESPACE}" \
+                  --from-literal="${SERVER}=${LINK}"
+              fi
+              echo "Done"
       containers:
         - name: mtproxy
           image: ultradesu/mtproxy:v0.02

k8s/apps/mtproxy/external-secrets.yaml

@@ -12,7 +12,7 @@ spec:
       data:
         SECRET: |-
           {{ .secret }}
-        PORT: 30443
+        PORT: "30443"
   data:
     - secretKey: secret
       sourceRef:

k8s/apps/mtproxy/kustomization.yaml

@@ -3,7 +3,9 @@ kind: Kustomization
 
 resources:
   - ./app.yaml
+  - ./rbac.yaml
   - ./daemonset.yaml
   - ./external-secrets.yaml
+  - ./service.yaml
+  - ./secret-reader.yaml
 # - ./storage.yaml
-# - ./service.yaml

k8s/apps/mtproxy/rbac.yaml

@@ -0,0 +1,58 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: mtproxy
+  labels:
+    app: mtproxy
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: mtproxy-node-reader
+  labels:
+    app: mtproxy
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: mtproxy-node-reader
+  labels:
+    app: mtproxy
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: mtproxy-node-reader
+subjects:
+  - kind: ServiceAccount
+    name: mtproxy
+    namespace: mtproxy
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: mtproxy-secret-manager
+  labels:
+    app: mtproxy
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "create", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: mtproxy-secret-manager
+  labels:
+    app: mtproxy
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: mtproxy-secret-manager
+subjects:
+  - kind: ServiceAccount
+    name: mtproxy

k8s/apps/mtproxy/secret-reader.yaml

@@ -0,0 +1,63 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: secret-reader
+  labels:
+    app: secret-reader
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: secret-reader
+  template:
+    metadata:
+      labels:
+        app: secret-reader
+    spec:
+      serviceAccountName: mtproxy
+      nodeSelector:
+        kubernetes.io/os: linux
+      containers:
+      - name: secret-reader
+        image: ultradesu/k8s-secrets:0.2.1
+        imagePullPolicy: Always
+        args:
+          - "--secrets"
+          - "mtproxy-links"
+          - "--namespace"
+          - "mtproxy"
+          - "--port"
+          - "3000"
+        ports:
+        - containerPort: 3000
+          name: http
+        env:
+        - name: RUST_LOG
+          value: "info"
+        resources:
+          requests:
+            memory: "64Mi"
+            cpu: "50m"
+          limits:
+            memory: "128Mi"
+            cpu: "150m"
+        livenessProbe:
+          httpGet:
+            path: /health
+            port: http
+          initialDelaySeconds: 10
+          periodSeconds: 10
+        readinessProbe:
+          httpGet:
+            path: /health
+            port: http
+          initialDelaySeconds: 5
+          periodSeconds: 5
+        securityContext:
+          runAsNonRoot: true
+          runAsUser: 1000
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop:
+            - ALL

k8s/apps/mtproxy/service.yaml

@@ -2,15 +2,15 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: mtproxy
+  name: secret-reader
+  labels:
+    app: secret-reader
 spec:
-  type: LoadBalancer
+  type: ClusterIP
   selector:
-    app: mtproxy
+    app: secret-reader
   ports:
-    - name: proxy
+  - port: 80
-      port: 30443
+    targetPort: 3000
-      targetPort: 30443
     protocol: TCP
-      nodePort: 30443
+    name: http
-