Auto-update README with current k8s applications

Generated by CI/CD workflow on 2026-04-06 11:24:57

This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.

k8s/apps/furumi-dev/external-secrets.yaml

@@ -20,6 +20,8 @@ spec:
           {{ .session_secret }}
         PG_STRING: |-
           postgres://furumi_dev:{{ .pg_pass }}@psql.psql.svc:5432/furumi_dev
+        PLAYER_API_KEY: |-
+          {{ .player_api_key }}
   data:
     - secretKey: client_id
       sourceRef:
@@ -45,6 +47,14 @@ spec:
       remoteRef:
         key: 960735e6-2cc9-4b68-9bd3-e6786e5a0cd6
         property: fields[2].value
+    - secretKey: player_api_key
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 960735e6-2cc9-4b68-9bd3-e6786e5a0cd6
+        property: fields[3].value
     - secretKey: pg_pass
       sourceRef:
         storeRef:

k8s/apps/furumi-dev/web-player.yaml

@@ -51,6 +51,11 @@ spec:
                 secretKeyRef:
                   name: furumi-ng-creds
                   key: PG_STRING
+            - name: FURUMI_PLAYER_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: PLAYER_API_KEY
             - name: FURUMI_PLAYER_STORAGE_DIR
               value: "/media"
             - name: RUST_LOG

k8s/apps/mtproxy/kustomization.yaml

@@ -5,7 +5,11 @@ resources:
   - ./app.yaml
   - ./rbac.yaml
   - ./daemonset.yaml
+  - ./telemt-daemonset.yaml
   - ./external-secrets.yaml
+  - ./telemt-external-secrets.yaml
+  - ./telemt-service.yaml
+  - ./telemt-servicemonitor.yaml
   - ./service.yaml
   - ./secret-reader.yaml
 # - ./storage.yaml

k8s/apps/mtproxy/secret-reader.yaml

@@ -23,7 +23,7 @@ spec:
         imagePullPolicy: Always
         args:
           - "--secrets"
-          - "mtproxy-links"
+          - "mtproxy-links,telemt-links"
           - "--namespace"
           - "mtproxy"
           - "--port"

k8s/apps/mtproxy/telemt-daemonset.yaml

@@ -0,0 +1,115 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: telemt
+  labels:
+    app: telemt
+spec:
+  selector:
+    matchLabels:
+      app: telemt
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: telemt
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: mtproxy
+                    operator: Exists
+      serviceAccountName: mtproxy
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      initContainers:
+        - name: register-proxy
+          image: bitnami/kubectl:latest
+          env:
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: tgproxy-secret
+                  key: SECRET
+            - name: TELEMT_PORT
+              valueFrom:
+                secretKeyRef:
+                  name: telemt-secret
+                  key: PORT
+          command:
+            - /bin/bash
+            - -c
+            - |
+              set -e
+              NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
+              SERVER=$(kubectl get node "${NODE_NAME}" -o jsonpath='{.metadata.labels.mtproxy}')
+              if [ -z "${SERVER}" ]; then
+                echo "ERROR: node ${NODE_NAME} has no mtproxy label"
+                exit 1
+              fi
+              # Build ee-prefixed secret: ee + secret + hex(tls_domain)
+              # "ya.ru" = 79612e7275
+              EE_SECRET="ee${SECRET}79612e7275"
+              LINK="tg://proxy?server=${SERVER}&port=${TELEMT_PORT}&secret=${EE_SECRET}"
+              echo "Registering telemt: ${SERVER} -> ${LINK}"
+              if kubectl get secret telemt-links -n "${NAMESPACE}" &>/dev/null; then
+                kubectl patch secret telemt-links -n "${NAMESPACE}" \
+                  --type merge -p "{\"stringData\":{\"${SERVER}\":\"${LINK}\"}}"
+              else
+                kubectl create secret generic telemt-links -n "${NAMESPACE}" \
+                  --from-literal="${SERVER}=${LINK}"
+              fi
+              echo "Done"
+      containers:
+        - name: telemt
+          image: ghcr.io/telemt/telemt:latest
+          imagePullPolicy: Always
+          ports:
+            - name: proxy
+              containerPort: 30444
+              protocol: TCP
+            - name: api
+              containerPort: 9091
+              protocol: TCP
+          workingDir: /run/telemt
+          env:
+            - name: RUST_LOG
+              value: info
+          volumeMounts:
+            - name: workdir
+              mountPath: /run/telemt
+            - name: config
+              mountPath: /run/telemt/config.toml
+              subPath: config.toml
+              readOnly: true
+            - name: etcdir
+              mountPath: /etc/telemt
+          securityContext:
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+      volumes:
+        - name: config
+          secret:
+            secretName: telemt-secret
+            items:
+              - key: config.toml
+                path: config.toml
+        - name: workdir
+          emptyDir:
+            medium: Memory
+            sizeLimit: 1Mi
+        - name: etcdir
+          emptyDir:
+            medium: Memory
+            sizeLimit: 1Mi

k8s/apps/mtproxy/telemt-external-secrets.yaml

@@ -0,0 +1,59 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: telemt-secret
+spec:
+  target:
+    name: telemt-secret
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        SECRET: |-
+          {{ .secret }}
+        PORT: "30444"
+        config.toml: |
+          [general]
+          use_middle_proxy = true
+          log_level = "normal"
+
+          [general.modes]
+          classic = false
+          secure = false
+          tls = true
+
+          [general.links]
+          show = "*"
+          public_port = 30444
+
+          [server]
+          port = 30444
+          metrics_port = 9090
+          metrics_whitelist = ["0.0.0.0/0"]
+
+          [server.api]
+          enabled = true
+          listen = "0.0.0.0:9091"
+          whitelist = ["0.0.0.0/0"]
+
+          [[server.listeners]]
+          ip = "0.0.0.0"
+
+          [censorship]
+          tls_domain = "ya.ru"
+          mask = true
+          tls_emulation = true
+          tls_front_dir = "tlsfront"
+
+          [access.users]
+          user = "{{ .secret }}"
+  data:
+    - secretKey: secret
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 58a37daf-72d8-430d-86bd-6152aa8f888d
+        property: fields[0].value

k8s/apps/mtproxy/telemt-service.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: telemt-metrics
+  labels:
+    app: telemt
+spec:
+  type: ClusterIP
+  clusterIP: None
+  selector:
+    app: telemt
+  ports:
+    - port: 9090
+      targetPort: 9090
+      protocol: TCP
+      name: metrics

k8s/apps/mtproxy/telemt-servicemonitor.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: telemt-metrics
+  labels:
+    app: telemt
+    release: prometheus
+spec:
+  selector:
+    matchLabels:
+      app: telemt
+  endpoints:
+    - port: metrics
+      path: /metrics
+      interval: 30s
+      scrapeTimeout: 10s
+      honorLabels: true
+  namespaceSelector:
+    matchNames:
+      - mtproxy