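---
# fc-media: the FlowerCore media server (fc-media-web). This file carries the
# namespace, the 1Password-synced OIDC client credentials, the non-secret app
# configuration, persistent storage, the Deployment, its Service, a TLS
# certificate and the Traefik IngressRoute for https://media.iamworkin.lan.
apiVersion: v1
kind: Namespace
metadata:
  name: fc-media
  labels:
    app.kubernetes.io/name: fc-media
    app.kubernetes.io/part-of: flowercore
---
# Syncs the 1Password item into a Secret named media-oidc-client, which the
# Deployment below reads via secretKeyRef. The keys it expects are client_id,
# client_secret and issuer_url — presumably the item's field names; verify
# against the vault item.
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: media-oidc-client
  namespace: fc-media
  labels:
    app.kubernetes.io/name: fc-media-web
    app.kubernetes.io/part-of: flowercore
spec:
  itemPath: "vaults/IAmWorkin/items/media-oidc-client"
---
# Non-secret application settings, mounted read-only at
# /app/appsettings.Production.json. The FlowerCore__Auth__Oidc__* env vars in
# the Deployment override the Oidc section at runtime; ClientSecret is empty
# here (the real value comes from the Secret), so no credential lives in this
# ConfigMap.
# NOTE(review): Dlna.IsEnabled makes the app send SSDP multicast to
# 239.255.255.250:1900 from a pod without hostNetwork; whether that reaches the
# LAN depends on the CNI — confirm discovery actually works, or disable it.
apiVersion: v1
kind: ConfigMap
metadata:
  name: fc-media-config
  namespace: fc-media
  labels:
    app.kubernetes.io/name: fc-media-web
    app.kubernetes.io/part-of: flowercore
data:
  appsettings.Production.json: |
    {
      "DatabaseProvider": "Sqlite",
      "ConnectionStrings": {
        "Sqlite": "Data Source=/data/media.db"
      },
      "FlowerCore": {
        "Auth": {
          "Enabled": true,
          "Oidc": {
            "Authority": "https://id.iamworkin.lan/application/o/media/",
            "ClientId": "media",
            "ClientSecret": "",
            "Audience": "media",
            "RequireHttpsMetadata": true
          }
        },
        "Tenant": {
          "JwtClaimsEnabled": false,
          "DefaultTenantHosts": [
            "media.iamworkin.lan"
          ]
        }
      },
      "Media": {
        "LibraryRoot": "/media/library",
        "Sources": [
          {
            "Name": "BlueJayNAS Video",
            "Driver": "Nfs",
            "MountedPath": "/media/library",
            "RemotePath": "nfs://10.0.58.3/volume1/video",
            "IsEnabled": true,
            "IsDefault": true,
            "Notes": "Synology NFS media share mounted read-only inside the cluster."
          }
        ],
        "GeneratedRoot": "/data/generated",
        "TranscodeRoot": "/data/transcodes",
        "InboxPath": "/media/inbox",
        "InboxScanIntervalMinutes": 5,
        "ScanOnStartup": false,
        "ComputeChecksums": false,
        "FfmpegCommand": "ffmpeg",
        "FfprobeCommand": "ffprobe",
        "Hls": {
          "MaxConcurrentJobs": 1
        },
        "DefaultViewerName": "BlueJay",
        "Dlna": {
          "IsEnabled": true,
          "MulticastAddress": "239.255.255.250",
          "Port": 1900,
          "DiscoveryTimeoutSeconds": 2,
          "DescriptionFetchTimeoutSeconds": 2,
          "MaxResponsesPerSearchTarget": 32,
          "SearchTargets": [
            "urn:schemas-upnp-org:device:MediaRenderer:1",
            "urn:schemas-upnp-org:device:MediaServer:1"
          ]
        }
      }
    }
---
# Block storage for the SQLite database and generated artefacts under /data.
# ReadWriteOnce, which is why the Deployment uses the Recreate strategy.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: fc-media-data
  namespace: fc-media
  labels:
    app.kubernetes.io/name: fc-media-web
    app.kubernetes.io/part-of: flowercore
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
  storageClassName: longhorn
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: fc-media-web
  namespace: fc-media
  labels:
    app: fc-media-web
    app.kubernetes.io/name: fc-media-web
    app.kubernetes.io/part-of: flowercore
spec:
  replicas: 1
  # Recreate rather than RollingUpdate: the data PVC is ReadWriteOnce, so an old
  # and a new pod cannot both hold it during a rollout.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: fc-media-web
  template:
    metadata:
      labels:
        app: fc-media-web
        app.kubernetes.io/name: fc-media-web
        app.kubernetes.io/part-of: flowercore
      annotations:
        # Metrics are scraped from the application port itself.
        # NOTE(review): confirm /metrics is not also served anonymously through
        # the IngressRoute.
        prometheus.io/scrape: "true"
        prometheus.io/port: "5200"
        prometheus.io/path: "/metrics"
        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      # The image is `localhost/...` with imagePullPolicy Never, i.e. loaded
      # straight into one node's container runtime, so the pod is pinned there.
      nodeSelector:
        kubernetes.io/hostname: rke2-server
      # Nothing in this manifest grants the workload RBAC, so keep the API token
      # out of the pod. Re-enable if the app ever needs the Kubernetes API.
      automountServiceAccountToken: false
      containers:
        - name: fc-media-web
          image: localhost/fc-media-web:v20260604-oidc-proper
          imagePullPolicy: Never
          # The app listens on an unprivileged port (5200) and ffmpeg/ffprobe
          # need no capabilities, so drop them all and forbid escalation.
          # NOTE(review): runAsNonRoot / readOnlyRootFilesystem depend on how the
          # image is built (uid, ffmpeg scratch space) — confirm before enabling.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          ports:
            - containerPort: 5200
              name: http
          env:
            - name: ASPNETCORE_ENVIRONMENT
              value: Production
            - name: ASPNETCORE_URLS
              value: "http://+:5200"
            - name: FlowerCore__Auth__Enabled
              value: "true"
            - name: FlowerCore__Auth__Oidc__Enabled
              value: "true"
            - name: FlowerCore__Auth__Oidc__Audience
              value: "media"
            # OIDC client credentials come from the 1Password-synced Secret.
            # NOTE(review): `optional: true` lets the pod start when the Secret
            # or a key is missing; the app then falls back to the ConfigMap
            # values (ClientSecret ""). Once the sync is confirmed, drop
            # `optional: true` so a missing credential fails the rollout instead
            # of surfacing as broken logins.
            - name: FlowerCore__Auth__Oidc__ClientId
              valueFrom:
                secretKeyRef:
                  name: media-oidc-client
                  key: client_id
                  optional: true
            - name: FlowerCore__Auth__Oidc__ClientSecret
              valueFrom:
                secretKeyRef:
                  name: media-oidc-client
                  key: client_secret
                  optional: true
            - name: FlowerCore__Auth__Oidc__Authority
              valueFrom:
                secretKeyRef:
                  name: media-oidc-client
                  key: issuer_url
                  optional: true
          resources:
            requests:
              cpu: 500m
              memory: 1Gi
            limits:
              cpu: "4"
              memory: 4Gi
          volumeMounts:
            - name: config
              mountPath: /app/appsettings.Production.json
              subPath: appsettings.Production.json
              readOnly: true
            - name: data
              mountPath: /data
            # Mounted inside the PVC path: transcode output lands on the NAS,
            # not on the Longhorn volume.
            - name: transcodes
              mountPath: /data/transcodes
            - name: media-library
              mountPath: /media/library
              readOnly: true
            - name: media-inbox
              mountPath: /media/inbox
          # All probes hit /healthz (annotated allow-anonymous above) and send
          # X-Forwarded-Proto: https — presumably so the app treats the probe like
          # the Traefik-terminated production traffic; confirm against the app.
          startupProbe:
            httpGet:
              path: /healthz
              port: 5200
              httpHeaders:
                - name: X-Forwarded-Proto
                  value: https
            failureThreshold: 18
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 5200
              httpHeaders:
                - name: X-Forwarded-Proto
                  value: https
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /healthz
              port: 5200
              httpHeaders:
                - name: X-Forwarded-Proto
                  value: https
            initialDelaySeconds: 30
            periodSeconds: 30
      volumes:
        - name: config
          configMap:
            name: fc-media-config
        - name: data
          persistentVolumeClaim:
            claimName: fc-media-data
        # Writable NFS exports on the NAS for transcodes and the ingest inbox.
        - name: transcodes
          nfs:
            server: 10.0.58.3
            path: /volume1/kubernetes/fc-media-transcodes
        - name: media-inbox
          nfs:
            server: 10.0.58.3
            path: /volume1/kubernetes/fc-media-inbox
        # The library share is read-only at the volume level as well as the mount.
        - name: media-library
          nfs:
            server: 10.0.58.3
            path: /volume1/video
            readOnly: true
---
apiVersion: v1
kind: Service
metadata:
  name: fc-media-web
  namespace: fc-media
  labels:
    app: fc-media-web
    app.kubernetes.io/name: fc-media-web
    app.kubernetes.io/part-of: flowercore
spec:
  type: ClusterIP
  selector:
    app: fc-media-web
  ports:
    - port: 5200
      targetPort: 5200
      protocol: TCP
      name: http
---
# Certificate for the public hostname, issued by the internal step-ca ACME
# ClusterIssuer and stored in fc-media-tls for the IngressRoute.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: fc-media-tls
  namespace: fc-media
  labels:
    app.kubernetes.io/name: fc-media-web
    app.kubernetes.io/part-of: flowercore
spec:
  secretName: fc-media-tls
  issuerRef:
    name: step-ca-acme
    kind: ClusterIssuer
  dnsNames:
    - media.iamworkin.lan
---
# TLS terminates at Traefik; the hop from Traefik to the pod is plaintext HTTP
# on port 5200 inside the cluster network.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: fc-media-web
  namespace: fc-media
  labels:
    app.kubernetes.io/name: fc-media-web
    app.kubernetes.io/part-of: flowercore
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`media.iamworkin.lan`)
      kind: Rule
      services:
        - name: fc-media-web
          port: 5200
  tls:
    secretName: fc-media-tls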