feat(mealie): deploy

jfroy · jfroy · commit c88cc0789569 · 2026-02-24T23:55:00.000-08:00
diff --git a/kubernetes/apps/default/kustomization.yaml b/kubernetes/apps/default/kustomization.yaml
@@ -23,6 +23,7 @@ resources:
   - ./karakeep/ks.yaml
   # - ./mediamanager/ks.yaml
   - ./media-smb/ks.yaml
+  - ./mealie/ks.yaml
   - ./memos/ks.yaml
   - ./miniflux/ks.yaml
   # - ./netbox/ks.yaml
diff --git a/kubernetes/apps/default/mealie/app/externalsecret.yaml b/kubernetes/apps/default/mealie/app/externalsecret.yaml
@@ -0,0 +1,67 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1.json
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: mealie
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword
+  target:
+    name: mealie
+  dataFrom:
+    - extract:
+        key: mealie
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1.json
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: mealie-db
+spec:
+  refreshInterval: "0"
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword
+  target:
+    name: mealie-db
+    template:
+      data:
+        POSTGRES_USER: mealie
+        POSTGRES_PASSWORD: "{{ .DB_PASSWORD }}"
+        POSTGRES_SERVER: pg18vc-rw.database.svc.cluster.local
+        POSTGRES_PORT: "5432"
+        POSTGRES_DB: mealie
+        # --
+        INIT_POSTGRES_DBNAME: mealie
+        INIT_POSTGRES_HOST: pg18vc-rw.database.svc.cluster.local
+        INIT_POSTGRES_PASS: "{{ .DB_PASSWORD }}"
+        INIT_POSTGRES_USER: mealie
+  dataFrom:
+    - sourceRef:
+        generatorRef:
+          apiVersion: generators.external-secrets.io/v1alpha1
+          kind: Password
+          name: password32
+      rewrite:
+        - regexp:
+            source: "password"
+            target: "DB_PASSWORD"
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1.json
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: mealie-initdb
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword
+  target:
+    name: mealie-initdb
+  data:
+    - secretKey: INIT_POSTGRES_SUPER_PASS
+      remoteRef:
+        key: cnpg-pg18vc
+        property: password
diff --git a/kubernetes/apps/default/mealie/app/helmrelease.yaml b/kubernetes/apps/default/mealie/app/helmrelease.yaml
@@ -0,0 +1,108 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s-labs/helm-charts/refs/heads/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: mealie
+spec:
+  interval: 1h
+  chartRef:
+    kind: OCIRepository
+    name: app-template
+    namespace: flux-system
+  driftDetection:
+    mode: enabled
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  values:
+    controllers:
+      mealie:
+        annotations:
+          reloader.stakater.com/auto: "true"
+        initContainers:
+          init-db:
+            image:
+              repository: ghcr.io/home-operations/postgres-init
+              tag: 18.2.0@sha256:ae89578925b480f5972f237dda2f7a37efe36aff500d3e7bd1d3a6a3181e4191
+            envFrom:
+              - secretRef:
+                  name: mealie-db
+              - secretRef:
+                  name: mealie-initdb
+        containers:
+          mealie:
+            image:
+              repository: ghcr.io/mealie-recipes/mealie
+              tag: v3.11.0@sha256:d99fc2844c04288526d6cbecc9ac1b6c32d8ea6054236d56857107bbaf70ea5c
+            env:
+              ALLOW_PASSWORD_LOGIN: "true"
+              ALLOW_SIGNUP: "false"
+              API_PORT: &port 9000
+              BASE_URL: https://mealie.kantai.xyz
+              DB_ENGINE: postgres
+              OIDC_ADMIN_GROUP: mealie_admins
+              OIDC_AUTH_ENABLED: "true"
+              OIDC_CONFIGURATION_URL: https://pid.kantai.xyz/.well-known/openid-configuration
+              OIDC_PROVIDER_NAME: Pocket ID
+              OIDC_REMEMBER_ME: "true"
+              OIDC_SIGNUP_ENABLED: "true"
+              OPENAI_MODEL: gpt-5-mini
+              TZ: America/Los_Angeles
+            envFrom:
+              - secretRef:
+                  name: mealie
+              - secretRef:
+                  name: mealie-db
+            probes:
+              liveness: &probe
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /api/app/about
+                    port: *port
+              readiness: *probe
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities: { drop: ["ALL"] }
+              readOnlyRootFilesystem: true
+        pod:
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 911
+            runAsGroup: 911
+            fsGroup: 911
+            fsGroupChangePolicy: OnRootMismatch
+    persistence:
+      data:
+        existingClaim: "${APP}"
+        advancedMounts:
+          mealie:
+            mealie:
+              - path: /app/data
+    route:
+      mealie:
+        hostnames:
+          - mealie.kantai.xyz
+        parentRefs:
+          - name: envoy-internal
+            namespace: network
+        rules:
+          - backendRefs:
+              - identifier: mealie
+                port: *port
+            matches:
+              - path:
+                  type: PathPrefix
+                  value: /
+    service:
+      mealie:
+        controller: mealie
+        ports:
+          http:
+            port: *port
diff --git a/kubernetes/apps/default/mealie/app/kustomization.yaml b/kubernetes/apps/default/mealie/app/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./externalsecret.yaml
+  - ./helmrelease.yaml
diff --git a/kubernetes/apps/default/mealie/ks.yaml b/kubernetes/apps/default/mealie/ks.yaml
@@ -0,0 +1,25 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app mealie
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  components:
+    - ../../../../components/volsync
+  path: ./kubernetes/apps/default/mealie/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  interval: 1h
+  retryInterval: 2m
+  timeout: 5m
+  postBuild:
+    substitute:
+      APP: *app
+      VOLSYNC_CAPACITY: 100Mi
