Move pixels to pixels namespace

Also add a pull secret for the new namespace

5 files changed, 82 insertions, 0 deletions

diff --git a/kubernetes/namespaces/pixels/pixels-modsite/README.md b/kubernetes/namespaces/pixels/pixels-modsite/README.md
new file mode 100644
index 0000000..ee95650
--- /dev/null
+++ b/kubernetes/namespaces/pixels/pixels-modsite/README.md
@@ -0,0 +1,13 @@
+# Pixels
+
+The deployment for the [Pixels modsite project](https://git.pydis.com/pixels-modsite), hosted at https://pixels-modsite.pythondiscord.com.
+
+This mod site will give Discord mods easy access to moderation actions for the pixels event.
+
+## Secret
+
+It requires a `pixels-modsite-env` secret with the following entries:
+
+| Environment       | Description                                                     |
+|-------------------|-----------------------------------------------------------------|
+| DISCORD_BOT_TOKEN | The Discord bot token to use to check roles of users logging in |
diff --git a/kubernetes/namespaces/pixels/pixels-modsite/deployment.yaml b/kubernetes/namespaces/pixels/pixels-modsite/deployment.yaml
new file mode 100644
index 0000000..cba1381
--- /dev/null
+++ b/kubernetes/namespaces/pixels/pixels-modsite/deployment.yaml
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pixels-modsite
+  namespace: pixels
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: pixels-modsite
+  template:
+    metadata:
+      labels:
+        app: pixels-modsite
+    spec:
+      containers:
+        - name: pixels-modsite
+          image: ghcr.io/python-discord/pixels-modsite:latest
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 3000
+          envFrom:
+            - secretRef:
+                name: pixels-modsite-env
+          securityContext:
+            readOnlyRootFilesystem: true
+      imagePullSecrets:
+        - name: ghcr-pull-secret
+      securityContext:
+        fsGroup: 2000
+        runAsUser: 1000
+        runAsNonRoot: true
diff --git a/kubernetes/namespaces/pixels/pixels-modsite/ingress.yaml b/kubernetes/namespaces/pixels/pixels-modsite/ingress.yaml
new file mode 100644
index 0000000..7992344
--- /dev/null
+++ b/kubernetes/namespaces/pixels/pixels-modsite/ingress.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+    nginx.ingress.kubernetes.io/auth-tls-secret: "kube-system/mtls-client-crt-bundle"
+    nginx.ingress.kubernetes.io/auth-tls-error-page: "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
+  name: pixels-modsite
+  namespace: pixels
+spec:
+  tls:
+  - hosts:
+      - "*.pythondiscord.com"
+    secretName: pythondiscord.com-tls
+  rules:
+  - host: pixels-modsite.pythondiscord.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: pixels-modsite
+            port:
+              number: 80
diff --git a/kubernetes/namespaces/pixels/pixels-modsite/secrets.yaml b/kubernetes/namespaces/pixels/pixels-modsite/secrets.yaml
new file mode 100644
index 0000000..70b80ad
--- /dev/null
+++ b/kubernetes/namespaces/pixels/pixels-modsite/secrets.yaml
diff --git a/kubernetes/namespaces/pixels/pixels-modsite/service.yaml b/kubernetes/namespaces/pixels/pixels-modsite/service.yaml
new file mode 100644
index 0000000..1326a9a
--- /dev/null
+++ b/kubernetes/namespaces/pixels/pixels-modsite/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: pixels-modsite
+  namespace: pixels
+spec:
+  selector:
+    app: pixels-modsite
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 3000