+ ADD kubernetes deployment

2025-10-01 07:42:27 +00:00
parent 28c75bf5c0
commit 1e4a5124a6
24 changed files with 543 additions and 24 deletions
--- a/composer.lock
+++ b/composer.lock
@@ -62,16 +62,16 @@
        },
        {
            "name": "aws/aws-sdk-php",
-            "version": "3.356.25",
+            "version": "3.356.29",
            "source": {
                "type": "git",
                "url": "https://github.com/aws/aws-sdk-php.git",
-                "reference": "d78bd3b221890aac679ec3b6cb5abcb01fd42699"
+                "reference": "3e413221956aa969f379ff6fa67a303ce76aad13"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/aws/aws-sdk-php/zipball/d78bd3b221890aac679ec3b6cb5abcb01fd42699",
-                "reference": "d78bd3b221890aac679ec3b6cb5abcb01fd42699",
+                "url": "https://api.github.com/repos/aws/aws-sdk-php/zipball/3e413221956aa969f379ff6fa67a303ce76aad13",
+                "reference": "3e413221956aa969f379ff6fa67a303ce76aad13",
                "shasum": ""
            },
            "require": {
@@ -153,9 +153,9 @@
            "support": {
                "forum": "https://github.com/aws/aws-sdk-php/discussions",
                "issues": "https://github.com/aws/aws-sdk-php/issues",
-                "source": "https://github.com/aws/aws-sdk-php/tree/3.356.25"
+                "source": "https://github.com/aws/aws-sdk-php/tree/3.356.29"
            },
-            "time": "2025-09-24T18:08:25+00:00"
+            "time": "2025-09-30T18:12:45+00:00"
        },
        {
            "name": "composer/installers",
@@ -1318,7 +1318,7 @@
        },
        {
            "name": "roots/wordpress",
-            "version": "6.8.2",
+            "version": "6.8.3",
            "source": {
                "type": "git",
                "url": "https://github.com/roots/wordpress.git",
@@ -1349,7 +1349,7 @@
            ],
            "support": {
                "issues": "https://github.com/roots/wordpress/issues",
-                "source": "https://github.com/roots/wordpress/tree/6.8.2"
+                "source": "https://github.com/roots/wordpress/tree/6.8.3"
            },
            "funding": [
                {
@@ -1428,23 +1428,23 @@
        },
        {
            "name": "roots/wordpress-no-content",
-            "version": "6.8.2",
+            "version": "6.8.3",
            "source": {
                "type": "git",
                "url": "https://github.com/WordPress/WordPress.git",
-                "reference": "6.8.2"
+                "reference": "6.8.3"
            },
            "dist": {
                "type": "zip",
-                "url": "https://downloads.wordpress.org/release/wordpress-6.8.2-no-content.zip",
-                "reference": "6.8.2",
-                "shasum": "7d8dcb839f4754e331d93b86f9adc8c171d81e97"
+                "url": "https://downloads.wordpress.org/release/wordpress-6.8.3-no-content.zip",
+                "reference": "6.8.3",
+                "shasum": "2c34ba506afd8061d96cde50b2c92f109c10d2c8"
            },
            "require": {
                "php": ">= 7.2.24"
            },
            "provide": {
-                "wordpress/core-implementation": "6.8.2"
+                "wordpress/core-implementation": "6.8.3"
            },
            "suggest": {
                "ext-curl": "Performs remote request operations.",
@@ -1495,7 +1495,7 @@
                    "type": "other"
                }
            ],
-            "time": "2025-07-15T15:29:08+00:00"
+            "time": "2025-09-30T18:16:31+00:00"
        },
        {
            "name": "roots/wp-config",
@@ -1966,15 +1966,15 @@
        },
        {
            "name": "wpackagist-plugin/ad-inserter",
-            "version": "2.8.6",
+            "version": "2.8.7",
            "source": {
                "type": "svn",
                "url": "https://plugins.svn.wordpress.org/ad-inserter/",
-                "reference": "tags/2.8.6"
+                "reference": "tags/2.8.7"
            },
            "dist": {
                "type": "zip",
-                "url": "https://downloads.wordpress.org/plugin/ad-inserter.2.8.6.zip"
+                "url": "https://downloads.wordpress.org/plugin/ad-inserter.2.8.7.zip"
            },
            "require": {
                "composer/installers": "^1.0 || ^2.0"
@@ -2220,16 +2220,16 @@
    "packages-dev": [
        {
            "name": "heroku/heroku-buildpack-php",
-            "version": "v274",
+            "version": "v275",
            "source": {
                "type": "git",
                "url": "https://github.com/heroku/heroku-buildpack-php.git",
-                "reference": "0383c0a081ef588c2d562ad4649421a6df669252"
+                "reference": "a1f687c253f74f8d6db74a1410c43966e22cf946"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/heroku/heroku-buildpack-php/zipball/0383c0a081ef588c2d562ad4649421a6df669252",
-                "reference": "0383c0a081ef588c2d562ad4649421a6df669252",
+                "url": "https://api.github.com/repos/heroku/heroku-buildpack-php/zipball/a1f687c253f74f8d6db74a1410c43966e22cf946",
+                "reference": "a1f687c253f74f8d6db74a1410c43966e22cf946",
                "shasum": ""
            },
            "bin": [
@@ -2259,9 +2259,9 @@
            ],
            "support": {
                "issues": "https://github.com/heroku/heroku-buildpack-php/issues",
-                "source": "https://github.com/heroku/heroku-buildpack-php/tree/v274"
+                "source": "https://github.com/heroku/heroku-buildpack-php/tree/v275"
            },
-            "time": "2025-09-19T21:18:10+00:00"
+            "time": "2025-09-30T23:28:36+00:00"
        },
        {
            "name": "roave/security-advisories",
--- a/k8s/build/0-default-lifecycle.yaml
+++ b/k8s/build/0-default-lifecycle.yaml
@@ -0,0 +1,6 @@
+apiVersion: kpack.io/v1alpha2
+kind: ClusterLifecycle
+metadata:
+  name: default-lifecycle
+spec:
+  image: buildpacksio/lifecycle
--- a/k8s/build/0-kpack-service-account.yaml
+++ b/k8s/build/0-kpack-service-account.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kpack-service-account
+  namespace: kpack
+secrets:
+- name: kp-default-registry-creds
+imagePullSecrets:
+- name: kp-default-registry-creds
--- a/k8s/build/1-default-clusterstores.yaml
+++ b/k8s/build/1-default-clusterstores.yaml
@@ -0,0 +1,10 @@
+apiVersion: kpack.io/v1alpha2
+kind: ClusterStore
+metadata:
+  name: default
+spec:
+  serviceAccountRef:
+    name: kpack-service-account
+    namespace: kpack
+  sources:
+    - image: ghcr.io/hvg-dev/test-builder@sha256:3c169742c4d278f9baa79003b1a998d9337cc2050c7845207d8012207c16a1a7
--- a/k8s/build/1-heroku-24-clusterstacks.yaml
+++ b/k8s/build/1-heroku-24-clusterstacks.yaml
@@ -0,0 +1,13 @@
+apiVersion: kpack.io/v1alpha2
+kind: ClusterStack
+metadata:
+  name: heroku-24
+spec:
+  buildImage:
+    image: ghcr.io/hvg-dev/test-builder@sha256:6294ec780aeb492bbcef91884c21d9b5f1fc1f88f6096228ea2e3a640dadef09
+  id: heroku-24
+  runImage:
+    image: ghcr.io/hvg-dev/test-builder@sha256:9a80c7da247decbfb1350c1fb0aa6436d74bde59953751e6193835063ca38e84
+  serviceAccountRef:
+    name: kpack-service-account
+    namespace: kpack
--- a/k8s/build/3-builder-clusterbuilders.yaml
+++ b/k8s/build/3-builder-clusterbuilders.yaml
@@ -0,0 +1,25 @@
+apiVersion: kpack.io/v1alpha2
+kind: ClusterBuilder
+metadata:
+  name: builder
+spec:
+  lifecycle:
+    kind: ClusterLifecycle
+    name: default-lifecycle
+  order:
+    - group:
+        - id: heroku/php
+        - id: heroku/procfile
+    - group:
+        - id: heroku/nodejs
+        - id: heroku/procfile
+  serviceAccountRef:
+    name: kpack-service-account
+    namespace: kpack
+  stack:
+    kind: ClusterStack
+    name: heroku-24
+  store:
+    kind: ClusterStore
+    name: default
+  tag: ghcr.io/hvg-dev/test-builder
--- a/k8s/build/4-hvg-dev-service-account.yaml
+++ b/k8s/build/4-hvg-dev-service-account.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kpack-service-account
+  namespace: hvg-dev
+secrets:
+- name: kp-default-registry-creds
+- name: git-ssh-auth-secret
+imagePullSecrets:
+- name: kp-default-registry-creds
--- a/k8s/build/blog-dev-image.yaml
+++ b/k8s/build/blog-dev-image.yaml
@@ -0,0 +1,20 @@
+apiVersion: kpack.io/v1alpha2
+kind: Image
+metadata:
+  name: blog-dev
+  namespace: hvg-dev
+spec:
+  additionalTags:
+    - ghcr.io/hvg-dev/blog:sha-2bc32b8
+  builder:
+    kind: ClusterBuilder
+    name: builder
+  failedBuildHistoryLimit: 10
+  imageTaggingStrategy: BuildNumber
+  serviceAccountName: kpack-service-account
+  source:
+    git:
+      revision: 2bc32b8f256bd8931d690ab78b08a6e31cab7af0
+      url: git@gitea-ssh.gitea.svc:hvg-dev/blog.git
+  successBuildHistoryLimit: 10
+  tag: ghcr.io/hvg-dev/blog:dev
--- a/k8s/build/blog-main-image.yaml
+++ b/k8s/build/blog-main-image.yaml
@@ -0,0 +1,20 @@
+apiVersion: kpack.io/v1alpha2
+kind: Image
+metadata:
+  name: blog-main
+  namespace: hvg-dev
+spec:
+  additionalTags:
+    - ghcr.io/hvg-dev/blog:sha-b0e1cfc
+  builder:
+    kind: ClusterBuilder
+    name: builder
+  failedBuildHistoryLimit: 10
+  imageTaggingStrategy: BuildNumber
+  serviceAccountName: kpack-service-account
+  source:
+    git:
+      revision: b0e1cfca5205556c738e44b7eb040c5f87dac109
+      url: git@gitea-ssh.gitea.svc:hvg-dev/blog.git
+  successBuildHistoryLimit: 10
+  tag: ghcr.io/hvg-dev/blog:main
--- a/k8s/hvgblog-vcluster.yaml
+++ b/k8s/hvgblog-vcluster.yaml
@@ -0,0 +1,52 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  annotations:
+    helmcharts.cattle.io/managed-by: helm-controller
+  name: hvgblog-vcluster
+  namespace: kube-system
+spec:
+  chart: vcluster
+  createNamespace: true
+  repo: https://charts.loft.sh
+  set:
+    integrations.metricsServer.enabled: "true"
+    sync.toHost.ingresses.enabled: "true"
+    sync.toHost.persistentVolumeClaims.enabled: "true"
+  targetNamespace: hvgblog
+  valuesContent: |
+    controlPlane:
+      distro:
+        k3s:
+          enabled: true
+          extraArgs:
+          - --tls-san=hvgblog-vcluster.hvg.hu
+          image:
+            tag: v1.32.1-k3s1
+      ingress:
+        annotations:
+          cert-manager.io/cluster-issuer: cloudflare-cluster-issuer
+          ingress.kubernetes.io/force-ssl-redirect: "true"
+          kubernetes.io/ingress.class: nginx
+          nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+          nginx.ingress.kubernetes.io/ssl-redirect: "true"
+        enabled: true
+        host: hvgblog-vcluster.hvg.hu
+        pathType: ImplementationSpecific
+        spec:
+          tls:
+          - hosts:
+              - hvgblog-vcluster.hvg.hu
+            secretName: tls-vcluster
+    exportKubeConfig:
+      context: hvgblog-vcluster
+    integrations:
+      metricsServer:
+        enabled: true
+    sync:
+      toHost:
+        ingresses:
+          enabled: true
+        persistentVolumeClaims:
+          enabled: true
+  version: 0.26.0
--- a/k8s/manifests/app/Chart.yaml
+++ b/k8s/manifests/app/Chart.yaml
--- a/k8s/manifests/app/templates/1-db-user.yaml
+++ b/k8s/manifests/app/templates/1-db-user.yaml
@@ -0,0 +1,33 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: "{{ template 'common.robustName' .Release.Name }}-db-pass"
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "helm-chart.labels" . | nindent 4 }}
+  annotations:
+    sealedsecrets.bitnami.com/cluster-wide: "true"
+spec:
+  encryptedData:
+    password: {{ .Values.db.sealedPassword | quote }}
+  template:
+    metadata:
+      annotations:
+        sealedsecrets.bitnami.com/cluster-wide: "true"
+      name: "{{ template 'common.robustName' .Release.Name }}-db-pass"
+      namespace: {{ .Release.Namespace }}
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: User
+metadata:
+  name: "{{ template 'common.robustName' .Release.Name }}-db-user"
+spec:
+  name: {{ .Values.db.username | quote }}
+  mariaDbRef:
+    name: mariadb
+    namespace: default
+  passwordSecretKeyRef:
+    name: "{{ template 'common.robustName' .Release.Name }}-db-pass"
+    key: password
+  # This field is immutable and defaults to 10
+  maxUserConnections: 0
--- a/k8s/manifests/app/templates/2-database.yaml
+++ b/k8s/manifests/app/templates/2-database.yaml
@@ -0,0 +1,14 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Database
+metadata:
+  name: {{ template "common.robustName" .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "helm-chart.labels" . | nindent 4 }}
+spec:
+  name: {{ .Values.db.name | quote }}
+  mariaDbRef:
+    name: mariadb
+    namespace: default
+  characterSet: utf8
+  collate: utf8_general_ci
--- a/k8s/manifests/app/templates/3-db-grant.yaml
+++ b/k8s/manifests/app/templates/3-db-grant.yaml
@@ -0,0 +1,26 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Grant
+metadata:
+  name: {{ template "common.robustName" .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "helm-chart.labels" . | nindent 4 }}
+spec:
+  mariaDbRef:
+    name: mariadb
+    namespace: default
+  privileges:
+    - "SELECT"
+    - "INSERT"
+    - "UPDATE"
+    - "DELETE"
+    - "CREATE"
+    - "DROP"
+    - "INDEX"
+    - "ALTER"
+    - "LOCK TABLES"
+    - "EXECUTE"
+  database: {{ .Values.db.name | quote }}
+  table: "*"
+  username: {{ .Values.db.username | quote }}
+  grantOption: true
--- a/k8s/manifests/app/templates/4-db-connection.yaml
+++ b/k8s/manifests/app/templates/4-db-connection.yaml
@@ -0,0 +1,28 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Connection
+metadata:
+  name: {{ template "common.robustName" .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "helm-chart.labels" . | nindent 4 }}
+spec:
+  mariaDbRef:
+    name: mariadb
+    namespace: default
+  username: dev
+  passwordSecretKeyRef:
+    name: dev-db-pass
+    key: password
+  database: dev
+  secretName: dev-db-connection
+  secretTemplate:
+    key: dsn
+    usernameKey: DB_USER
+    passwordKey: DB_PASSWORD
+    hostKey: DB_HOST
+    portKey: DB_PORT
+    databaseKey: DB_NAME
+  healthCheck:
+    interval: 60s
+    retryInterval: 30s
+  serviceName: mariadb
--- a/k8s/manifests/app/templates/5-configmap-env.yaml
+++ b/k8s/manifests/app/templates/5-configmap-env.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "common.robustName" .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "helm-chart.labels" . | nindent 4 }}
+data:
+  WP_HOME: "https://{{ .Values.host  }}"
+  WP_SITEURL: "https://{{ .Values.host }}/wp"
+{{- range $key, $val := .Values.env }}
+  {{ $key }}: {{ $val | quote }}
+{{- end }}
--- a/k8s/manifests/app/templates/6-secret-env.yaml
+++ b/k8s/manifests/app/templates/6-secret-env.yaml
@@ -0,0 +1,15 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  annotations:
+    sealedsecrets.bitnami.com/cluster-wide: "true"
+  name: dev-secret-env
+spec:
+  encryptedData:
+
+  template:
+    metadata:
+      annotations:
+        sealedsecrets.bitnami.com/cluster-wide: "true"
+      name: dev-secret-env
+    type: Opaque
--- a/k8s/manifests/app/templates/7-wp-deployment.yaml
+++ b/k8s/manifests/app/templates/7-wp-deployment.yaml
@@ -0,0 +1,86 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "common.robustName" .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "helm-chart.labels" . | nindent 4 }}
+    app: "{{ template 'common.robustName' .Release.Name }}-app"
+spec:
+  replicas: 1
+# revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      app: "{{ template 'common.robustName' .Release.Name }}-app"
+  template:
+    metadata:
+      labels:
+        app: "{{ template 'common.robustName' .Release.Name }}-app"
+    spec:
+      imagePullSecrets:
+      - name: github-container-registry
+      containers:
+      - name: "{{ template 'common.robustName' .Release.Name }}-app"
+        image: {{ .Values.image }}
+        imagePullPolicy: Always
+        command:
+        - {{ .Values.command | default "web" | quote }}
+        resources:
+          requests:
+            memory: 128M
+            cpu: 100m
+          limits:
+            memory: 512M
+        ports:
+        - containerPort: 5000
+        envFrom:
+        - configMapRef:
+            name: dev-env
+        - secretRef:
+            name: dev-secret-env
+        - secretRef:
+            name: dev-db-connection
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            httpHeaders:
+            - name: Host
+              value: {{ .Values.host }}
+            - name: X-Forwarded-Proto
+              value: https
+            path: /wp/wp-cron.php?nocache
+            port: 5000
+          initialDelaySeconds: 10
+          periodSeconds: 60
+          successThreshold: 1
+          timeoutSeconds: 30
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            httpHeaders:
+            - name: Host
+              value: {{ .Values.host }}
+            - name: X-Forwarded-Proto
+              value: https
+            path: /?nocache
+            port: 5000
+          initialDelaySeconds: 10
+          periodSeconds: 5
+          successThreshold: 1
+          timeoutSeconds: 30
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "common.robustName" .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "helm-chart.labels" . | nindent 4 }}
+spec:
+  selector:
+    app: "{{ template 'common.robustName' .Release.Name }}-app"
+  ports:
+  - name: wp
+    protocol: TCP
+    port: 5000
+    targetPort: 5000
--- a/k8s/manifests/app/values.yaml
+++ b/k8s/manifests/app/values.yaml
@@ -0,0 +1,36 @@
+
+image: ghcr.io/hvg-dev/blog:dev
+command: web
+
+host: dev.hvgblog.hu
+
+db:
+  name: dev
+  username: dev
+  sealedPassword: AgCjcJj1U6QOlCbQFVrT55D/6NECvZzwXZlQmVbeIW/b//SawiIIrlSnVHkQUYcC8VVswYJ854P1+3HANJriBHBs+fLklVsQytnjC6gktUgPcxuhBgACtOBWco3wyq3MNX5qU2IYevdCd7da31czaTNnLkowF8S7Oqyb4DKQAc1RE7geepJyHUxILGvFSsd3LiPkoI5y+J1IWcThFFU2ACZ247FYAprn/XqozgQcX28yO8U30ejW73TJrvxhKR4UvTlqNDSRh/XNBKre/zqCvKg8aKd+LgwCVegPQnGRMl3Jcw1CyRFDADYLg6YwQ9bRRpN518z3IQOonPL82EOAeXAYU6aTVQz2qwQZkDp7ww0MCknhypUSxfHTQ+FSauXxoweUICAzFP3LQuyoE+LUoUMKyC6tKh9Lsiiks+Y0gRp4Jpj0Rhm/f2wPQZwecN63Sd95pEmruYpsTfA4bqJo2omhdZHeQKLMfZQk4MGNBjGeXkif4NIk5RsOgQHM4Rf3tXOmxKoXRayl6J0ow36/jfxCMQAliiq7SGRcty6Mq7j2ou0MRi19b88fFUynLpxQUK7Ob7ziYmWDBPGwAGg9SLApJYidnpKO+351no58UBhAf+d4cyTI0PURvp9kZhkQNsCHuDFWh9CZ3B5RjJ7D/znkdZELvRWWGde7+qbRb924QfWmCpcmjxT6dOP0qQt4dUChVl/yBraBeWyL0EZtjXGDq/W+mf4AkAYN3fwpb98G
+
+env:
+  PORT: '5000'
+  BLOG_SLUG: dev
+  DB_PREFIX: wp_
+  WP_ENV: production
+  DISABLE_WP_CRON: '1'
+  TZ: 'Europe/Budapest'
+  #GTM_CODE:
+  S3_UPLOADS_BUCKET: hvgblog/dev
+  S3_UPLOADS_BUCKET_URL: https://cdn.hvgblog.hu
+  S3_UPLOADS_ENDPOINT: https://ams3.digitaloceanspaces.com
+  S3_UPLOADS_HTTP_CACHE_CONTROL: '30 * 24 * 60 * 60'
+  S3_UPLOADS_REGION: eu-west-1
+
+sealedSecretEnv:
+  AUTH_KEY: AgCvDJbrBT/ze5NXqfrs4ZCjHkDj6uM19QVVomPy3mLkcDqBoRznD0heGbiWBLu6/kOcV18sw1q7WMwU//6cuU5eZmeYnhZHbNDxGDPE8Nw/UUmoOR9wOc/XozXf4DBK1zLn9ne4xA4lMdlYeJ7WBWPFYyoc0htrbEiB+MAEt8DXvlRooDIZYtitZzBHWrhFLuIhAi2mIA2SQ9V8simzbUU3DM7Wb/DY4Qoa4jP/XTEgcxdtQPzOXFJTlZt5poMqs1/ckrTeo1/9SLrZZTWQPeZlsoISs18J8oeK33ugTNYz51mRoOai0Yhnc2bbN+4WGgtXi6FPjPgFcdjKjul5gdb81Z47RIO8wwsPjnFTSQ1LXtSJ/HiX9uOj1OHUYEH1rIqzaOmxDo23VYParhDsU2QLDIf1S8mJo/WTn4Hb6IAA5Veb7bbudesffgxgMm69qTQrdoPumLaXNX6TnRC5tGM+YaYbBGVsuDxSZUnagEkobgG8D60V58c6mWbZ+k+VZ+0aNGyaLHEAjZDCDxh9/6AkOoqLIaUXOgL7hQ3eX2YAFfBdwIICY82ylC1DqwTxGqpjRP45E2tMHEp8IQHLgvdEChLBXmqPVk0kJF+FJIzdOE+OkLtnAmCD0L3eq2SXRoceISxf0UNVWLwXMYCrvOM2kSrDHT/PhCqtGwaIDWuLXdddXZzECPk5hcLJb+JSYG1yRc6Qc8nezag7hh31pvfFI6PtR4LqlI8xmsHz0RognxQi/MEI6uSJ23/w+4RbjlBBKILoLqkgE+v1mhbAUuMr0Q==
+  AUTH_SALT: AgBX0tOuA235buf6x054X0SmTsyqkjeYuevgDdbWIWqi+AWd9slUnlS2bnBtjYGg4U+fTIbldo2bYuEAHK+TIVOXTxud7+PSYEO+JjtpetHchQBYh0rNjTs8K11uK5mqPBSPVkLJE08U2BNvXXubc7plLerNjW4D44ICvJly7P6CO2Rnrjueg34DB1TnGnD8PANIiUZVTrJOCC/QSodhaerqDvJBuq6qS0q+GEqU4C5kineHyzuQnuGq5lUN6l+Gk2R8vlwLaT36x4MJlxRa/UjQsvbQ6CYRNGnZW1knPsvON/sukpy7BVEVYAnCYnrzRX/8kEgyxMfSePcWOwsG1JkSb1PrcQXftro7xZQjKgdkqacOGnkVd8sKn1n0f0w2iAGhMt2fCn7sf5htnSC5lL0mdBosNv3p1VwrfXIwjDr5Fzs1CHTbb1hJ8282aAGfzLxmGXPucAbk7nSvbD4iVhXmZ91vbWJRKC+DD/9HBdQloEplSKYm3uyTb0qlJzPIUVTNLu9b+yTeBQIckuAYu03NX2WWSVkX1M80YMER0/eNbvec4ZCSUxKWLzjVm+k3ra8ToL5tYrEr65Be/WuK57tMvx25106OHvokc6S0wp5B+VyirLtwXqRSGFBWqQv62hxJQDOySNsi45QzueD/BYxG+tf3QX1+bdc50WlwUHK1UEZuSNb6JnGfvFU1fJEApAZWJaK2odItjaR2dVVDMuW1NsXj4qLpB/CaNYM/B8C4Elg7jyCrwTv/1TaY3IW3j/SVnRstgXTwNjRnM/WCUIJbWA==
+  LOGGED_IN_KEY: AgDU2Ss24Cuw1kthXp2DcKahfQT7apnRWtaoQymBEZMMRpGlvxWMTRRMKAx4N7E0AZdW41QLTpK0ciaI63B0PRD2B6fPVVpoz3ybNlJO/0caIw0yHWL8YSOD7rGw6TkxKrz8lggqRVZerS0tEFT8nLGoqgi+SCsfBhh3u5JQ8QM60WLeWaPvph/QFlSl290+UC2xIVEjk37zQdyXou3goeS3DMjdtze8FiwnmK/XVPsPf2cWZQw0wwAwgIJMVZWhkK2bPOKrMmsdqy4G6YrihcjjRTK/0lGKZ6sEVUsu7NTKgeHGogbu8feA8gpTEuRYP60iFNgwNrCYGmOKCXyw0vSLtxHPE7+cm2pU57GhJCTnOe1Ez9zJZmv0Zc4OEZBAaLbCXoNvoJPskeDBUe7+qcV8ugdtFCxCBtoUolos9UukhAtUWp6+uTv/vjjnCv/7kGGp2fNK8lS1D1ksk1mB0JsnjxKo5pnMHBVhJfk3IfbPLx3yvMaz86wCDKZacm5h9IwsPYEvVzkvWhiOydg3ZRVH7WUE8uJ1+Ojt2+6hlB2cMNNQ5P16fTOmt9vfl9Schlrgo+ku2tU/KPfMs4hHCvvecOskqy9MeTOF5mJllI2gqTlGR2uQ5Hgb/OgH8YOmmycpS+MqKNaTKafvwgN1i0xBaYD8y3hSYeBRTmaHu+Szm8CKEDL8PW4ebJX3a+khJMXkf3UkDjRXjSQhUoFMyRNsHLwAt5mC3asySQue6jOP/mKbZ4c7lH0gx8caDoWrlJFHsDhr79jw3F0gkr4mN+ueAQ==
+  LOGGED_IN_SALT: AgAVoBL1paq14YzaeB9lkvabzo5iDoVN23gvEQAs6CgZUIejtUa2AAkTmQIjVfkb2S7LOdfXIq1lIAPBqSmO5LqfWDh8kuxgz23mTDxYWvVqqbDpiwAgaydokprDm0WEpPdGTyvqsvEk0Gtxq6rqbFXObsfkLCv85FweyfHxh8Gwo+L/e2l1/NUFOkmT5e1j7bkKmTgBUyMEVuWMA6lFVCd3D6vGfOZqS5O5NfzhFnK9U4ZG+55+LlgbFZZltHixs/jpMBms30B/wkRxBzAAGMMCyqVLlqr3bB0HQsobA/PWHAJbGBuFHV1e9XE+7SUlKLTmcmTyxx2cfHiX2XK7Ne3VW3wEtN/4IVeCPpbwCnceXEzK4uhTHH2Hwihewm+xN5uB7SDBLLO3qSLLznapEhgHIj2tPV2i2ftAsIUjzjuPHyFhdFumzXW3QxqOofvruRYqxQAFN1LBvbys6wWLRPkRgEez0/UIiL3xaWnA+r51/cozozNZI+QDgeAACQQguX/Ag7jR+q83Xga1SeYV0HYT9AvRr+UvRQ0NcTG2ObD5JE5rUmFUeRFWIwRh+HqgekDYy359vFds54vHDn/xtOS6Cb6fyr0qX1WygsBtWUV6jf6T59zYg9L2/kr+s1iUTbbBRizJOrRMdr2gswoUWW+THhM+yc/mIL7BCoWoHPBVJ9m5uvqemfy8VOvFHOVxlBnzqIsc5eAvTh4Nqy6hIxISxG8s44RHTLfDfDxWXxI2QVq8NzY91TlBL68fzINf+Bc4vks3CJnssYdinTS9AjQQOg==
+  NONCE_KEY: AgAHwWgpFVXSLcEdHG5USGPhqueGXo163MdqCSSscxXjxw9JXKjDQ13jrsnD0JcZIWnSJnBdJ/H84HgHdaFU9g8CDzL3mXC4s66RM+c7Jw/0VCHM72+3zr5Nw+h6ycLzlE1UmB806nY88t8h4/HKujmu42qSzdFySxC5x6WbnaOqri+H+VHZ57dQfyyNFlp7fum2WnqU+EXoxvbEOMgJaxpwc8iwsmKGwy+aSzE7DTpkt/9fA+T8LiaakwtAwcvo8EnVxBesCe9ioDsA+ZjgI3xOr7OsUPb/NxaGt3VGmVk2d8dcKI6YOiyoLCFjAL1z56922OjScOO0CUo7qq0jPRuUJdouT5S3OpDm3NGCr/yjCz9Mh8anWPKxYX1ZEg2QmPiR//r+94V10A0NP6W9frpiBQhIWDqMprUK/0SpZGX88C4F1FPmOi2RSn6Tl7mwOHpZadLzBLpbY2DY/AyGQO6H0W+MJpXCT65vZJeTDcLMjCNGkVEI9vxvtVedTVkbZNbLS6+ros/HA/0qMI803exlNZEnMMwlHn1Hm4z6ngeBP4KJBUkLYLD3ienwijmiMtqmgkOhGbG2K6r+IdKHrssWeizNrx5TzLXKXzyCyk5I/9jVLhC2AM6tBqxW8TVs2WfKS4RVsNvS55qpjWbVpZb7ei10+RiPA6KaVW4ZmwtDuW8bzD2d1rMd6yJ1SiYQhzUOVjcCCYEz6VWN3R5IZ/3UjpeCWnkQ7Lja+Xm3Asvxg4m41cA3B1S/ckmj+qOr2WgjFu7GymWX8IF0hZXZo1oz2g==
+  NONCE_SALT: AgABajYW5+6c0BPjlcQLPd7v706wd+i8U1hp69+up8PalMtvugwR754mEU/ed7L15U9pTWAf6zGjmuMIZYiFpQVosQl/ggq2LeciT+xBUcrvCxZ/EBCdTl8ig/TgzucVNsR2Y0dCK5Tp7YBTuAIOa0dqyK+v1+LGrgb4PnVQvi18hApBiDX0Txnn5QkGhBaSr7LJuD76KfgY+AZ8Gv95b30pTY2AtYydDJXrtqoDCIXfPcnPf102Hq3na5OfJp2m2N4IUD771tDesb+faeDgk7K/mVcn+kmXB8rIawOQFnaowt5UwbfZ60ppgy1MzQZiiq2pXvMA8F42EnhNUe+C3fPyG7Kl6t7jRo+3mHhz0Dv+o0DO4Iir8r0dTw0MruLqun9YU8pLOv17+BciAxWeG8obJ9Hs5sv9ZPv7wdmlQIX/8fvsxgJgy0cqgH4lWNBD5Em9EyiVAUiRmA6tOosFrlifJMS8F1wfaiNEZ7DxjdSVMrEBtntBO2ndSdrdqNIfUED9ZfIvBxP2UHRS9h4KEyCvxcM8HgWt7htnpiSx/XpFZCJr4meGfaNB1Tv5f40bCFpKmsbK1GXNMKJwOJcV1I2FV6xpp6Ch7tgHlZ/Il7hbQ4JsKav7l93b/Dd2e8y/58Jk3DvBQzrPOWPpQrKxrIOeT8o+HC8PS7jdi5xKJ0g9dR10LkgmW0m/usTdwCLWca/9I7iLxiAF/zRoN+7+8ySxIxnBTaFWykYsIDs+5nsYH6TgXseq9PFnxxtKutMp7EPtnO7vzc4DNtkuouS8oqt+Aw==
+  SECURE_AUTH_KEY: AgBAPzBURABD4yzbUrMr4l4CRD18wu9+o6+wA9UJ6NQ8F+Hn3ddGG8HMpbq/eWwXw4q7SXv7BEU4VVoeuPjTle5ChQJfrdbThjermhjwcEDu8Cgr6jczj9bKEJ6Th3ezXR2jf+gwpvoPbrlk2s+mPJdWnJrAGxkV89KJWTxPuCz2PbZp2ZaxdAbXiGSL2X9KPO1XHYZjpgN1nd4+2BqGnA9B0ozyVChPctYHv1taPdvF0ifMsJDiNu4PpEcq9Ga/hrgmjYEVvxvrA5J+zOs/DaVm68VtJvyQEIw3A6jZNOVC5WFUk7UuCoBhuj9X/6ayZTVjqvtHMhi3BT2pxFT0n7OXAWd8g4MctyX93dBYcmkjqE4aZn1kHndOdvS1E41J+aMjslWgzdCLDqGqzVxgilMbxXxM+AXOeuAzSzo96WzTnIxnX851xdkJEIjBnCedaIXVkXfEWOewE2SOa/7F7JbQAlMwCrNN5/Co45tLNsfolpwy4WQmWJWcI4nZVTOM79kZM9kr6hAYqhHCG6/8MQ/2Vd8fYvTblJKoagEpKhqZK0J7HQpBaneOGhFV/Wn42v8g73HZc2BdxMrj53yq2eHzpe5AQSApn9nNBWhivAR7+jaDWmNYjcsmDzFf5p8MVPsiyT6JZxVjphkKI38/AfUt7WENcGjyXW6I0MwFYvEXgiPUUPQXtMvX6yDscpxGa/aVIin+7BKrZiu12du4jfyr7VyF+hyw90/YSrk/hfehjiTWk844GDMF9K7LSMLR+tWQ47yUyV5rNQ2FsGqGqdKE/Q==
+  SECURE_AUTH_SALT: AgAik1WFY55NqEhYj2zMMQWAbfdQjVRxbFrcz1POUUWthCwUV/A1I9iO2MI9HLfACgpkfZqsvC0WgDjt++Mpu1ZiQ58vYQZDfX/TF7qqonxxlg2HXCOxDi4VBiQ4CTBsSHW0BUzKLjxh/gryYvYmptAhMU7/6UI50q8P7+nkHSCBMV4WLvHRHBpn3OOS3leVN7rARICj+18amk6l0HRVc0+TErqAoxSzrjDVNbzRalsoeOw5OjQCJFhJO27rlAck2rswKu6G8xMM3rY4jzdM1a987jY6iLSxdxKmmIS5PhXnrR5sW9NkpvlzyGfgwv/aazPY7DGqQMr5eDbDqCHF3xkSXnb4DibNmAphN56TJ+E4jm0PWRMSCVy9WmDQS64pusvVXCkrlFHNB2ywfs16E5p8deg0RhWKBmeoJOryDRc+69Ccq0TyNweTYYFDZFfjVBDkfztlCxXqCwNNyPDZQn+0I1Gc77/rsUa6Riqt1rkjDFrLpuWYR+dAIWpR2oEKFHgun8p5/7xGSGLb9glpURc4SkR02D0MzCLlDtt+ugPcV+JwbeCvnmdMvuXtHEQEMuzP4moccG4dXGPkcQyXK1tzlIB/OIKmRjsGKm0+03K1L07RMiRpSTW21KfM+F+fVLlykOB4cGwRMWL+8rUqaPyXbH89rlPLk0o1GBhLCI4q5Yi7pVRb7zD8WzF+kmNjnXf3khM4AKZawESYdy1532JkrldhsUfFFfQE0YfDJI4dE9+nBrZ7Ul8HNf1ORQ860qCSoeRFVNen+EsDHxyaF6Lj
+  S3_UPLOADS_KEY: AgASNFNBXB4SlrioskAAXTkVjpmDTFUVI88/qx0w9LMaW6Xqd2W1LZkwNqNStCeN1XbLX8KBypJ2SDz6jUaXUDFl3K98j4VGcxm7o06kGz6MQFDKPTv3tiSaqS8dJeQBB0pMIWRkbAQUkgRxR7SE5R8bkuKWg3RgvPfX6Po/8+D+vT47xi6Vk04VkCoTw8xiBZu6ZtwENm/57saMK/1n0o9uvEm3NWY/lN7G146wIrpHKqzefWddUK5ddDuJJQdUbQnkHPHC9pUH+6a+86ywBp6ZFg5Tzc7jkq9QryRRUjlh6+/fUHZm9B0IEKgdpKaX+fFVFg+xy6fO8CuV/80aJD12v/9+b6Wd9G2U+LSm1KYBFWoWFEiuW/qoA+WH60PYw0/czOxh6FXZgfcqFFLG1mNpzE0/0MsXrZZzS1pFhG8VCGBmTrDGq6gBCsYZtdY456L7fo/REbAHzJ3B5RATlfCTqrr33nNHX6MZod46vE/123dgeZ/Uaui9pjM9/AQko1KGnIAfmiYMilA+CIupXNr1CgIPlB6Gd8iUdg4Lyko0ahkRfu27O9mx4ATLz4b7YD0jXa9TY+LnyucsySTnSbRkjHIL0JePPMYjGP0+M9q+h5IwttRf2xVMqNkBXngqBOsNoBBWyoe2BfVCedX3wh5B/o9gSQbARNPYR03ZI4XeMiG4MbIwAGvXOm+/Ef3h1RtDq4+q4GtG/oH8UQFzxigr3Qcdt+M=
+  S3_UPLOADS_SECRET: AgANZgOk9NWB7DGFPt0ovHX9ZjT4Sz4cqmx3/MveZORX6yuRaGPHapMnA3f0rgc90c3Z+2z9VlMgINsoJg11DLb/wTNnGcSIW/rmvIH7o+///qk94QbSvUp0kc6VgE7kEZhGU/nzsAd0Ak+8reEh17fNPH6yNf4TtkeICfi4onX64SxEcNmuIcpGTTBeJ300eKgKlTeTuGuN/+/cOn0VPj456nv6nlvag9eRfAcSy6Qo4t0gfvRTbML5zTXDGXArfCCWhMxtoos1KbD48WNlWU/t6d6bODNSaMMsjgIAgY3mkwrUGvuSQV5BAAU2eIgtvAFASXHVLThIt8gqaktappgCJQmLK2d922BYV/ifJMFjp6t0+dd4lsjSmDNQxKr2cjz9DLqdmcpJ3U/W+pKPefb5Na+iOOhzQXSsSTUV4J0pVjdXqnGILX+CSgs8aH+Ax1eLAciGIcajGV6C70GYhVIyMkvC9mmY+QboJBd5eidemIz73APP6yTuKFVO8zsn+CmQ+r65FhjNFzRYTcWpt8k000phtlJvRI9AJ0auhPpGe8rWEA5VcMwlfW0BFbfCT4lkEEirPXUvFhfRohu4Kl0CZkVvRHVhf0q9LU0MEPqjQDPf/xYLP7gVYTD5wYo5aZVCS4FXn3qY8ehucJCJT1X6XjZff2Ym2f4VHC21I3bjOOJrX7gPhAlITEoCcumzaOwWf7iBMQVBQkMo1uscsTZy3YG/OKi7B8Oy36QTMl1enSSX8U3XS/AoSdvSjQ==
--- a/k8s/manifests/dev-application.yaml
+++ b/k8s/manifests/dev-application.yaml
@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: dev.hvgblog.hu
+  namespace: hvg-dev
+spec:
+  project: dev
+  source:
+    repoURL: 'ssh://git@ssh.github.com:443/hvg-dev/blog.git'
+    path: k8s/manifests/app
+    targetRevision: HEAD
+    helm:
+      releaseName: hvgblog-dev-wp
+      parameters: []
+      valueFiles: []
+  destination:
+    name: https://hvgblog-vcluster.hvg.hu
+    namespace: dev
+  ignoreDifferences: []
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: false
+    syncOptions:
+    - CreateNamespace=true
--- a/k8s/manifests/sys/0-namespace.yaml
+++ b/k8s/manifests/sys/0-namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: site-system
--- a/k8s/manifests/sys/default/mariadb.yaml
+++ b/k8s/manifests/sys/default/mariadb.yaml
@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mariadb-my-cnf
+  namespace: default
+data:
+  config: |
+    [mariadb]
+    bind-address=*
+    default_storage_engine=InnoDB
+    binlog_format=row
+    innodb_autoinc_lock_mode=2
+    wait_timeout=30
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: MariaDB
+metadata:
+  name: mariadb
+  namespace: default
+spec:
+  image: mariadb:11.8.2
+  imagePullPolicy: IfNotPresent
+  myCnfConfigMapKeyRef:
+    key: config
+    name: mariadb-my-cnf
+  port: 3306
+  replicas: 1
+  resources:
+    limits:
+      cpu: 200m
+      memory: 1024M
+    requests:
+      cpu: 50m
+      memory: 128M
+  rootPasswordSecretKeyRef:
+    key: password
+    name: mariadb-root-pass
+    generate: true
+  storage:
+    size: 1Gi
--- a/k8s/manifests/sys/mariadb-operator.yaml
+++ b/k8s/manifests/sys/mariadb-operator.yaml
@@ -0,0 +1,22 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: mariadb-operator-crds
+  namespace: site-system
+spec:
+  chart: mariadb-operator-crds
+  repo: https://mariadb-operator.github.io/mariadb-operator
+  version: 25.8.3
+---
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: mariadb-operator
+  namespace: site-system
+spec:
+  chart: mariadb-operator
+  repo: https://mariadb-operator.github.io/mariadb-operator
+  targetNamespace: site-system
+  version: 25.8.3
+  valuesContent: |
+    fullnameOverride: mariadb-operator
--- a/k8s/manifests/sys/sealed-secrets.yaml
+++ b/k8s/manifests/sys/sealed-secrets.yaml
@@ -0,0 +1,12 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: sealed-secrets
+  namespace: site-system
+spec:
+  repo: https://bitnami-labs.github.io/sealed-secrets
+  chart: sealed-secrets
+  targetNamespace: kube-system
+  version: 2.11.0
+  valuesContent: |
+    fullnameOverride: sealed-secrets-controller