Add naas-portal Helm chart for K8s deployment

Migrate PaaS portal from Docker control-plane to K8s with:
- Dedicated Helm chart (Deployment, Service, Ingress, PVC, RBAC, NetworkPolicy)
- Domain: georgepaas.duckdns.org with TLS via cert-manager
- In-cluster ServiceAccount bound to naas-manager ClusterRole
- Longhorn PVC for SQLite persistence
- ArgoCD auto-sync application

argocd-apps/naas-portal.yaml

@@ -0,0 +1,27 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: naas-portal
+  namespace: argocd
+  labels:
+    app.kubernetes.io/part-of: naas
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: http://10.10.10.1:3000/claude/k8s-apps.git
+    targetRevision: main
+    path: charts/naas-portal
+    helm:
+      valueFiles:
+        - ../../environments/prod/naas-portal.yaml
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: prod
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=false

charts/naas-portal/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v2
+name: naas-portal
+description: PaaS Portal — self-service Kubernetes platform
+version: 1.0.0
+appVersion: "1.0"

charts/naas-portal/templates/_helpers.tpl

@@ -0,0 +1,12 @@
+{{- define "naas-portal.fullname" -}}
+naas-portal
+{{- end -}}
+
+{{- define "naas-portal.labels" -}}
+app.kubernetes.io/name: naas-portal
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{- define "naas-portal.selectorLabels" -}}
+app: naas-portal
+{{- end -}}

charts/naas-portal/templates/clusterrolebinding.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: naas-portal
+  labels:
+    {{- include "naas-portal.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: naas-manager
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "naas-portal.fullname" . }}
+    namespace: {{ .Release.Namespace }}

charts/naas-portal/templates/deployment.yaml

@@ -0,0 +1,95 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "naas-portal.fullname" . }}
+  labels:
+    {{- include "naas-portal.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "naas-portal.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "naas-portal.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "naas-portal.fullname" . }}
+      automountServiceAccountToken: true
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        fsGroup: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: naas-portal
+          image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.containerPort }}
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /api/health
+              port: http
+            initialDelaySeconds: 10
+            periodSeconds: 30
+          readinessProbe:
+            httpGet:
+              path: /api/health
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: [ALL]
+          env:
+            {{- range $key, $value := .Values.env }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
+            {{- end }}
+            - name: GITEA_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secretName }}
+                  key: gitea-token
+            - name: GITEA_ADMIN_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secretName }}
+                  key: gitea-admin-token
+            - name: KEYCLOAK_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secretName }}
+                  key: keycloak-client-secret
+            - name: KEYCLOAK_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secretName }}
+                  key: keycloak-admin-password
+            - name: SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secretName }}
+                  key: secret-key
+          volumeMounts:
+            - name: data
+              mountPath: /app/data
+            - name: tmp
+              mountPath: /tmp
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: {{ include "naas-portal.fullname" . }}-data
+        - name: tmp
+          emptyDir: {}

charts/naas-portal/templates/ingress.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "naas-portal.fullname" . }}
+  labels:
+    {{- include "naas-portal.labels" . | nindent 4 }}
+  annotations:
+    cert-manager.io/cluster-issuer: {{ .Values.ingress.clusterIssuer }}
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - {{ .Values.ingress.host }}
+      secretName: {{ include "naas-portal.fullname" . }}-tls
+  rules:
+    - host: {{ .Values.ingress.host }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ include "naas-portal.fullname" . }}
+                port:
+                  number: 80

charts/naas-portal/templates/networkpolicy.yaml

@@ -0,0 +1,51 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "naas-portal.fullname" . }}
+  labels:
+    {{- include "naas-portal.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "naas-portal.selectorLabels" . | nindent 6 }}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    # Allow traffic from ingress-nginx controller
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: ingress-nginx
+      ports:
+        - port: {{ .Values.containerPort }}
+          protocol: TCP
+  egress:
+    # DNS
+    - to: []
+      ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+    # K8s API server
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0
+      ports:
+        - port: 6443
+          protocol: TCP
+    # Gitea on control plane (10.10.10.1:3000)
+    - to:
+        - ipBlock:
+            cidr: 10.10.10.1/32
+      ports:
+        - port: 3000
+          protocol: TCP
+    # HTTPS — Keycloak and other external services
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0
+      ports:
+        - port: 443
+          protocol: TCP

charts/naas-portal/templates/pvc.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ include "naas-portal.fullname" . }}-data
+  labels:
+    {{- include "naas-portal.labels" . | nindent 4 }}
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: {{ .Values.persistence.storageClass }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.size }}

charts/naas-portal/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "naas-portal.fullname" . }}
+  labels:
+    {{- include "naas-portal.labels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  selector:
+    {{- include "naas-portal.selectorLabels" . | nindent 4 }}
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http

charts/naas-portal/templates/serviceaccount.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "naas-portal.fullname" . }}
+  labels:
+    {{- include "naas-portal.labels" . | nindent 4 }}

charts/naas-portal/values.yaml

@@ -0,0 +1,38 @@
+image:
+  registry: "10.10.10.1:3000"
+  repository: "claude/naas-portal"
+  tag: "v1.0"
+  pullPolicy: IfNotPresent
+
+replicaCount: 1
+containerPort: 8080
+
+resources:
+  requests:
+    cpu: 100m
+    memory: 128Mi
+  limits:
+    cpu: 500m
+    memory: 512Mi
+
+ingress:
+  host: "georgepaas.duckdns.org"
+  clusterIssuer: "letsencrypt-prod"
+
+persistence:
+  size: 500Mi
+  storageClass: longhorn
+
+secretName: "naas-portal-secrets"
+
+env:
+  GITEA_URL: "http://10.10.10.1:3000"
+  KEYCLOAK_URL: "https://keycloak.georgepet.duckdns.org"
+  KEYCLOAK_REALM: "infrastructure"
+  KEYCLOAK_CLIENT_ID: "naas-portal"
+  K8S_API_EXTERNAL: "https://185.47.204.231:6443"
+  PORTAL_URL: "https://georgepaas.duckdns.org"
+  DB_PATH: "/app/data/naas.db"
+
+imagePullSecrets:
+  - name: gitea-registry

environments/prod/naas-portal.yaml

@@ -0,0 +1,16 @@
+image:
+  registry: "10.10.10.1:3000"
+  repository: "claude/naas-portal"
+  tag: "v1.0"
+
+ingress:
+  host: "georgepaas.duckdns.org"
+
+env:
+  GITEA_URL: "http://10.10.10.1:3000"
+  KEYCLOAK_URL: "https://keycloak.georgepet.duckdns.org"
+  KEYCLOAK_REALM: "infrastructure"
+  KEYCLOAK_CLIENT_ID: "naas-portal"
+  K8S_API_EXTERNAL: "https://185.47.204.231:6443"
+  PORTAL_URL: "https://georgepaas.duckdns.org"
+  DB_PATH: "/app/data/naas.db"