Diffstat (limited to 'kubernetes/namespaces/default/pixels')
-rw-r--r--kubernetes/namespaces/default/pixels/README.md25
-rw-r--r--kubernetes/namespaces/default/pixels/deployment.yaml42
-rw-r--r--kubernetes/namespaces/default/pixels/ingress.yaml24
-rw-r--r--kubernetes/namespaces/default/pixels/secrets.yamlbin0 -> 1185 bytes
-rw-r--r--kubernetes/namespaces/default/pixels/service.yaml11
5 files changed, 102 insertions, 0 deletions
diff --git a/kubernetes/namespaces/default/pixels/README.md b/kubernetes/namespaces/default/pixels/README.md
new file mode 100644
index 0000000..10e4a5d
--- /dev/null
+++ b/kubernetes/namespaces/default/pixels/README.md
@@ -0,0 +1,25 @@
+# Pixels
+
+The deployment for the [Pixels project](https://git.pydis.com/pixels-v2), hosted at https://pixels.pythondiscord.com.
+
+## Secret
+
+It requires a `pixels-env` secret with the following entries:
+
+| Environment | Description |
+|---------------|---------------------------------------------------------------------------------------------------------|
+| AUTH_URL | A Discord OAuth2 URL with scopes: identify & guilds.members.read |
+| BASE_URL | Where the root endpoint can be found |
+| CLIENT_ID | Discord Oauth2 client ID |
+| CLIENT_SECRET | Discord Oauth2 client secret |
+| DATABASE_URL | Postgres database URL. |
+| FORCE_LOGIN | Whether to requires authorization for all endpoints beside the login page, and limits access to helpers |
+| GUILD_ID | The guild to check for user roles in |
+| HELPERS_ROLE | Helpers role ID |
+| JWT_SECRET | 32 byte (64 digit hex string) secret for encoding tokens. Any value can be used. |
+| LOG_LEVEL | What level to log at |
+| MOD_ROLE | Moderator role ID |
+| PRODUCTION | Whether the app is in production |
+| REDIS_URL | Redis storage URL |
+| SENTRY_DSN | The Sentry DSN to send sentry events to |
+| WEBHOOK_URL | The webhook to periodically post the canvas state to |
diff --git a/kubernetes/namespaces/default/pixels/deployment.yaml b/kubernetes/namespaces/default/pixels/deployment.yaml
new file mode 100644
index 0000000..7775216
--- /dev/null
+++ b/kubernetes/namespaces/default/pixels/deployment.yaml
@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: pixels
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: pixels
+ template:
+ metadata:
+ labels:
+ app: pixels
+ spec:
+ containers:
+ - name: pixels
+ image: ghcr.io/python-discord/pixels:latest
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8000
+ envFrom:
+ - secretRef:
+ name: pixels-env
+ startupProbe:
+ httpGet:
+ path: /health
+ port: 8000
+ httpHeaders:
+ - name: Host
+ value: pixels.pythondiscord.com
+ failureThreshold: 15
+ periodSeconds: 2
+ timeoutSeconds: 5
+ initialDelaySeconds: 10
+ securityContext:
+ readOnlyRootFilesystem: true
+ imagePullSecrets:
+ - name: ghcr-pull-secret
+ securityContext:
+ fsGroup: 2000
+ runAsUser: 1000
+ runAsNonRoot: true
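Review bot: `image: ghcr.io/python-discord/pixels:latest` combined with `imagePullPolicy: Always` means every pod restart runs whatever was last pushed under that tag, with the whole `pixels-env` secret injected as environment variables. Pinning to a digest, `image: ghcr.io/python-discord/pixels@sha256:<digest-placeholder>`, makes the deployed image reviewable and rollbacks deterministic. The container-level `securityContext` sets `readOnlyRootFilesystem: true` but neither `allowPrivilegeEscalation: false` nor `capabilities: drop: ["ALL"]`; both can be added next to it. No `resources` requests or limits are set, so the container's CPU and memory use is bounded only by the node unless a namespace-level default applies.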
diff --git a/kubernetes/namespaces/default/pixels/ingress.yaml b/kubernetes/namespaces/default/pixels/ingress.yaml
new file mode 100644
index 0000000..bfc0ada
--- /dev/null
+++ b/kubernetes/namespaces/default/pixels/ingress.yaml
@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+ nginx.ingress.kubernetes.io/auth-tls-secret: "kube-system/mtls-client-crt-bundle"
+ nginx.ingress.kubernetes.io/auth-tls-error-page: "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
+ name: pixels
+spec:
+ tls:
+ - hosts:
+ - "*.pythondiscord.com"
+ secretName: pythondiscord.com-tls
+ rules:
+ - host: pixels.pythondiscord.com
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: pixels
+ port:
+ number: 80
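Review bot: The `auth-tls-*` annotations put the whole host behind client-certificate authentication, but nothing in the manifest says why, while the README added in this commit describes a Discord OAuth2 login at the same hostname. A comment above the annotations, for example `# mTLS-gated: only clients holding a cert from kube-system/mtls-client-crt-bundle can reach this host`, would make the intent reviewable. The check is enforced only at the ingress controller, so the `pixels` Service stays reachable from other pods in the cluster unless a NetworkPolicy restricts it; none is visible in this commit. `auth-tls-error-page` also redirects every client that fails certificate verification to a third-party URL, and a page under the project's own domain would avoid sending rejected clients off-site.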
diff --git a/kubernetes/namespaces/default/pixels/secrets.yaml b/kubernetes/namespaces/default/pixels/secrets.yaml
new file mode 100644
index 0000000..b3c77cd
--- /dev/null
+++ b/kubernetes/namespaces/default/pixels/secrets.yaml
Binary files differ
diff --git a/kubernetes/namespaces/default/pixels/service.yaml b/kubernetes/namespaces/default/pixels/service.yaml
new file mode 100644
index 0000000..41860a1
--- /dev/null
+++ b/kubernetes/namespaces/default/pixels/service.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: pixels
+spec:
+ selector:
+ app: pixels
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 8000