Auto-update README with current k8s applications

Generated by CI/CD workflow on 2026-04-06 10:53:27

This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.

k8s/apps/furumi-dev/external-secrets.yaml

@@ -20,6 +20,8 @@ spec:
           {{ .session_secret }}
         PG_STRING: |-
           postgres://furumi_dev:{{ .pg_pass }}@psql.psql.svc:5432/furumi_dev
+        PLAYER_API_KEY: |-
+          {{ .player_api_key }}
   data:
     - secretKey: client_id
       sourceRef:
@@ -45,6 +47,14 @@ spec:
       remoteRef:
         key: 960735e6-2cc9-4b68-9bd3-e6786e5a0cd6
         property: fields[2].value
+    - secretKey: player_api_key
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 960735e6-2cc9-4b68-9bd3-e6786e5a0cd6
+        property: fields[3].value
     - secretKey: pg_pass
       sourceRef:
         storeRef:

k8s/apps/furumi-dev/web-player.yaml

@@ -51,6 +51,11 @@ spec:
                 secretKeyRef:
                   name: furumi-ng-creds
                   key: PG_STRING
+            - name: FURUMI_PLAYER_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: PLAYER_API_KEY
             - name: FURUMI_PLAYER_STORAGE_DIR
               value: "/media"
             - name: RUST_LOG

k8s/apps/mtproxy/kustomization.yaml

@@ -5,7 +5,9 @@ resources:
   - ./app.yaml
   - ./rbac.yaml
   - ./daemonset.yaml
+  - ./telemt-daemonset.yaml
   - ./external-secrets.yaml
+  - ./telemt-external-secrets.yaml
   - ./service.yaml
   - ./secret-reader.yaml
 # - ./storage.yaml

k8s/apps/mtproxy/telemt-daemonset.yaml

@@ -0,0 +1,109 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: telemt
+  labels:
+    app: telemt
+spec:
+  selector:
+    matchLabels:
+      app: telemt
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: telemt
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: mtproxy
+                    operator: Exists
+      serviceAccountName: mtproxy
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      initContainers:
+        - name: register-proxy
+          image: bitnami/kubectl:latest
+          env:
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: tgproxy-secret
+                  key: SECRET
+            - name: TELEMT_PORT
+              valueFrom:
+                secretKeyRef:
+                  name: telemt-secret
+                  key: PORT
+          command:
+            - /bin/bash
+            - -c
+            - |
+              set -e
+              NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
+              SERVER=$(kubectl get node "${NODE_NAME}" -o jsonpath='{.metadata.labels.mtproxy}')
+              if [ -z "${SERVER}" ]; then
+                echo "ERROR: node ${NODE_NAME} has no mtproxy label"
+                exit 1
+              fi
+              # Build dd-prefixed secret for TLS mode: dd + secret + hex(tls_domain)
+              DOMAIN_HEX=$(echo -n 'ya.ru' | xxd -p | tr -d '\n')
+              DD_SECRET="dd${SECRET}${DOMAIN_HEX}"
+              LINK="tg://proxy?server=${SERVER}&port=${TELEMT_PORT}&secret=${DD_SECRET}"
+              echo "Registering telemt: ${SERVER} -> ${LINK}"
+              if kubectl get secret telemt-links -n "${NAMESPACE}" &>/dev/null; then
+                kubectl patch secret telemt-links -n "${NAMESPACE}" \
+                  --type merge -p "{\"stringData\":{\"${SERVER}\":\"${LINK}\"}}"
+              else
+                kubectl create secret generic telemt-links -n "${NAMESPACE}" \
+                  --from-literal="${SERVER}=${LINK}"
+              fi
+              echo "Done"
+      containers:
+        - name: telemt
+          image: ghcr.io/telemt/telemt:latest
+          imagePullPolicy: Always
+          ports:
+            - name: proxy
+              containerPort: 30444
+              protocol: TCP
+            - name: api
+              containerPort: 9091
+              protocol: TCP
+          workingDir: /run/telemt
+          env:
+            - name: RUST_LOG
+              value: info
+          volumeMounts:
+            - name: workdir
+              mountPath: /run/telemt
+            - name: config
+              mountPath: /run/telemt/config.toml
+              subPath: config.toml
+              readOnly: true
+          securityContext:
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+      volumes:
+        - name: config
+          secret:
+            secretName: telemt-secret
+            items:
+              - key: config.toml
+                path: config.toml
+        - name: workdir
+          emptyDir:
+            medium: Memory
+            sizeLimit: 1Mi

k8s/apps/mtproxy/telemt-external-secrets.yaml

@@ -0,0 +1,57 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: telemt-secret
+spec:
+  target:
+    name: telemt-secret
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        SECRET: |-
+          {{ .secret }}
+        PORT: "30444"
+        config.toml: |
+          [general]
+          use_middle_proxy = true
+          log_level = "normal"
+
+          [general.modes]
+          classic = false
+          secure = false
+          tls = true
+
+          [general.links]
+          show = "*"
+          public_port = 30444
+
+          [server]
+          port = 30444
+
+          [server.api]
+          enabled = true
+          listen = "0.0.0.0:9091"
+          whitelist = ["0.0.0.0/0"]
+
+          [[server.listeners]]
+          ip = "0.0.0.0"
+
+          [censorship]
+          tls_domain = "ya.ru"
+          mask = true
+          tls_emulation = true
+          tls_front_dir = "tlsfront"
+
+          [access.users]
+          user = "{{ .secret }}"
+  data:
+    - secretKey: secret
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 58a37daf-72d8-430d-86bd-6152aa8f888d
+        property: fields[0].value

k8s/core/authentik/kustomization.yaml

@@ -5,6 +5,7 @@ resources:
   - app.yaml
   - external-secrets.yaml
   - https-middleware.yaml
+  - outpost-selector-fix.yaml
 # - worker-restart.yaml
 
 helmCharts:

k8s/core/authentik/outpost-selector-fix.yaml

@@ -0,0 +1,81 @@
+## Workaround for authentik bug: embedded outpost controller creates
+## a Service with selectors that don't match the pod labels it sets.
+## Remove this after upgrading to a version with the fix.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: outpost-selector-fix
+  namespace: authentik
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: outpost-selector-fix
+  namespace: authentik
+rules:
+  - apiGroups: [""]
+    resources: ["services"]
+    verbs: ["get", "patch"]
+  - apiGroups: [""]
+    resources: ["endpoints"]
+    verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: outpost-selector-fix
+  namespace: authentik
+subjects:
+  - kind: ServiceAccount
+    name: outpost-selector-fix
+    namespace: authentik
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: outpost-selector-fix
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: outpost-selector-fix
+  namespace: authentik
+spec:
+  schedule: "* * * * *"
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 3
+  concurrencyPolicy: Replace
+  jobTemplate:
+    spec:
+      ttlSecondsAfterFinished: 300
+      template:
+        spec:
+          serviceAccountName: outpost-selector-fix
+          restartPolicy: OnFailure
+          containers:
+            - name: fix
+              image: bitnami/kubectl:latest
+              command:
+                - /bin/sh
+                - -c
+                - |
+                  SVC="ak-outpost-authentik-embedded-outpost"
+                  # check if endpoints are populated
+                  ADDRS=$(kubectl get endpoints "$SVC" -n authentik -o jsonpath='{.subsets[*].addresses[*].ip}' 2>/dev/null)
+                  if [ -n "$ADDRS" ]; then
+                    echo "Endpoints OK ($ADDRS), nothing to fix"
+                    exit 0
+                  fi
+                  echo "No endpoints for $SVC, patching selector..."
+                  kubectl patch svc "$SVC" -n authentik --type=json -p '[
+                    {"op":"remove","path":"/spec/selector/app.kubernetes.io~1component"},
+                    {"op":"replace","path":"/spec/selector/app.kubernetes.io~1name","value":"authentik-outpost-proxy"}
+                  ]'
+                  echo "Patched. Verifying..."
+                  sleep 2
+                  ADDRS=$(kubectl get endpoints "$SVC" -n authentik -o jsonpath='{.subsets[*].addresses[*].ip}' 2>/dev/null)
+                  if [ -n "$ADDRS" ]; then
+                    echo "Fix confirmed, endpoints: $ADDRS"
+                  else
+                    echo "WARNING: still no endpoints after patch"
+                    exit 1
+                  fi