Add documentation for Leantime deployment and 1Password setup

Co-authored-by: SRF-Audio <16975040+SRF-Audio@users.noreply.github.com>

Author: Copilot

argocd/apps/apps/leantime.yml

@@ -16,18 +16,18 @@ spec:
       valuesObject:
         image:
           tag: "3.6.0"
-        
+
         persistence:
           enabled: true
           storageClass: "nfs-synology-retain"
           size: 10Gi
-        
+
         service:
           type: ClusterIP
-        
+
         ingress:
           enabled: false
-        
+
         app:
           sitename: "Leantime"
           leanSessionSecure: "true"
@@ -41,7 +41,7 @@ spec:
             expiration: 28800
           email:
             enabled: false
-        
+
         # Configure MariaDB subchart to use 1Password-managed secret
         mariadb:
           enabled: true
@@ -51,11 +51,11 @@ spec:
             # Use secret created by 1Password Operator
             # The secret must have keys: mariadb-root-password, mariadb-password
             existingSecret: "leantime-db"
-  
+
   destination:
     server: https://kubernetes.default.svc
     namespace: apps-leantime
-  
+
   syncPolicy:
     automated:
       prune: true

docs/leantime-deployment.md

@@ -0,0 +1,177 @@
+# Leantime Deployment via ArgoCD
+
+This deployment follows the GitOps-first pattern using ArgoCD to deploy Leantime directly from its upstream Git repository.
+
+## Overview
+
+- **Application**: Leantime - Project management for lean teams
+- **Deployment Method**: ArgoCD Helm-from-Git
+- **Upstream Repo**: https://github.com/Leantime/leantime.git
+- **Chart Version**: v3.6.0 (pinned)
+- **Namespace**: apps-leantime
+- **Access**: Tailscale-only via Ingress
+- **Secrets**: 1Password Operator
+
+## Architecture
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│  ArgoCD Root App (argocd/root.yml)                          │
+│  Discovers all apps in argocd/apps/** recursively           │
+└─────────────────────────────────────────────────────────────┘
+                            │
+      ┌─────────────────────┼─────────────────────┐
+      │                     │                     │
+      ▼                     ▼                     ▼
+┌───────────────┐   ┌───────────────┐   ┌───────────────┐
+│ leantime-     │   │ leantime      │   │ leantime-     │
+│ secrets       │   │               │   │ ingress       │
+│ (wave 10)     │   │ (wave 20)     │   │ (wave 30)     │
+└───────────────┘   └───────────────┘   └───────────────┘
+      │                     │                     │
+      │                     │                     │
+      ▼                     ▼                     ▼
+┌───────────────┐   ┌───────────────┐   ┌───────────────┐
+│ 1Password     │   │ Helm Chart    │   │ Tailscale     │
+│ Operator      │   │ from Git      │   │ Ingress       │
+│ creates       │   │ leantime/     │   │ + Homepage    │
+│ Secrets       │   │ leantime.git  │   │ annotations   │
+└───────────────┘   └───────────────┘   └───────────────┘
+```
+
+## Files Created
+
+### ArgoCD Applications
+- `argocd/apps/apps/leantime-secrets.yml` - Deploys 1Password CRDs (sync-wave 10)
+- `argocd/apps/apps/leantime.yml` - Deploys Leantime Helm chart (sync-wave 20)
+- `argocd/apps/apps/leantime-ingress.yml` - Deploys Tailscale ingress (sync-wave 30)
+
+### Kubernetes Manifests
+- `k8s/leantime_secrets/` - OnePasswordItem CRDs and kustomization
+  - `onepassword-db.yml` - Database credentials
+  - `onepassword-app.yml` - App secrets (reserved for future use)
+  - `kustomization.yml` - Kustomize manifest
+  - `README.md` - Setup instructions
+
+- `k8s/leantime_ingress/` - Tailscale ingress with Homepage annotations
+  - `ingress.yml` - Ingress resource
+
+## Prerequisites
+
+Before deploying, ensure the following are in place:
+
+1. **ArgoCD** is installed and the root app is configured
+2. **Tailscale Operator** is deployed and configured
+3. **1Password Operator** is deployed and configured
+4. **1Password Items** are created in the HomeLab vault:
+   - Item: `Leantime Database` with fields:
+     - `mariadb-root-password`
+     - `mariadb-password`
+   - Item: `Leantime App Secrets` (can be empty for now)
+
+5. **Storage Class** `nfs-synology-retain` is available in the cluster
+
+## Deployment Details
+
+### Secrets (Sync-Wave 10)
+
+The `leantime-secrets` application deploys OnePasswordItem CRDs that reference items in 1Password. The 1Password Operator materializes these as Kubernetes Secrets:
+
+- `leantime-db`: Contains MariaDB credentials
+- `leantime-app`: Reserved for future app-level secrets
+
+### Application (Sync-Wave 20)
+
+The `leantime` application uses ArgoCD's Helm-from-Git feature to render the chart directly from the upstream repository:
+
+**Source Configuration**:
+- Repository: `https://github.com/Leantime/leantime.git`
+- Revision: `v3.6.0` (immutable tag)
+- Path: `helm`
+
+**Key Helm Values**:
+- Image tag pinned to `3.6.0`
+- Persistence enabled with `nfs-synology-retain` storage class (10Gi)
+- Built-in ingress disabled
+- MariaDB subchart configured to use `existingSecret: leantime-db`
+- Session password set to a generated secure value
+
+**Chart Limitations**:
+The upstream Leantime chart does not support `existingSecret` for application-level secrets (session password, SMTP). The session password is therefore included in the Helm values as a generated secure random value. Database credentials properly use the MariaDB subchart's `existingSecret` feature.
+
+### Ingress (Sync-Wave 30)
+
+The `leantime-ingress` application deploys a Tailscale Ingress that:
+
+- Uses `ingressClassName: tailscale`
+- Exposes Leantime at `leantime.rohu-shark.ts.net` (MagicDNS)
+- Routes to the Leantime service on port 80
+- Includes Homepage annotations for service discovery:
+  - Name: "Leantime"
+  - Group: "Apps"
+  - Icon: "leantime.png"
+
+## Access
+
+Once deployed, Leantime will be accessible only from devices on your Tailnet at:
+
+**URL**: https://leantime.rohu-shark.ts.net/
+
+The service will also appear on your Homepage dashboard in the "Apps" group.
+
+## Security
+
+- ✅ No secrets in Git
+- ✅ Database credentials managed by 1Password
+- ✅ No public ingress (Tailscale-only)
+- ✅ Immutable upstream version pinned (v3.6.0)
+- ⚠️  Session password in Helm values (chart limitation)
+
+## Verification
+
+After ArgoCD syncs all three applications:
+
+```bash
+# Check ArgoCD application status
+kubectl get applications -n argocd | grep leantime
+
+# Check secrets created by 1Password Operator
+kubectl get secrets -n apps-leantime
+
+# Check the Leantime deployment
+kubectl get deployments -n apps-leantime
+
+# Check the MariaDB statefulset
+kubectl get statefulsets -n apps-leantime
+
+# Check the Tailscale ingress
+kubectl get ingress -n apps-leantime
+
+# Check Tailscale proxy device
+kubectl get pods -n apps-leantime | grep ts-
+```
+
+All applications should show as `Synced` and `Healthy` in ArgoCD.
+
+## Troubleshooting
+
+### Application won't sync
+- Verify 1Password items exist in the HomeLab vault
+- Check ArgoCD application events: `kubectl describe application leantime -n argocd`
+
+### Database connection issues
+- Verify secrets were created: `kubectl get secrets -n apps-leantime`
+- Check secret keys: `kubectl get secret leantime-db -n apps-leantime -o yaml`
+- Ensure keys `mariadb-root-password` and `mariadb-password` are present
+
+### Ingress not accessible
+- Verify Tailscale Operator is running
+- Check ingress status: `kubectl describe ingress leantime -n apps-leantime`
+- Look for Tailscale proxy pod: `kubectl get pods -n apps-leantime`
+- Check MagicDNS resolution from a Tailnet device
+
+## Future Improvements
+
+1. If the upstream chart adds `existingSecret` support for app secrets, update to use `leantime-app` secret
+2. Consider enabling SMTP for email notifications (would need additional 1Password fields)
+3. Evaluate S3 storage for user files instead of NFS PVCs

docs/onepassword-migration-notes.md

@@ -99,3 +99,70 @@ See `k8s/crafty_controller/onepassworditem-crafty-default-json.yml` and `argocd/
 | Cluster Primitives | ✅ | ✅ | ❓ | No secret dependencies |
 | PostgreSQL | ✅ | ✅ | ❓ | Already using OnePassword CRDs |
 | Redis | ✅ | ✅ | ❓ | Already using OnePassword CRDs |
+| Leantime | ✅ | ✅ | ❌ | Requires 1Password items setup (see below) |
+
+---
+
+### 6. Leantime (`argocd/apps/apps/leantime.yml`)
+
+**Status**: OnePassword CRDs created, requires 1Password vault setup
+
+**Current State**: New deployment using GitOps-first approach:
+- ArgoCD Application points directly at upstream Leantime Git repository
+- Helm chart rendered from `https://github.com/Leantime/leantime.git` at tag `v3.6.0`
+- Exposed only on Tailnet via Tailscale Ingress
+- Homepage discovery via ingress annotations
+
+**Required 1Password Items**:
+
+The Leantime OnePassword operator requires two items in the `HomeLab` vault:
+
+1. **`Leantime Database`** (referenced by `leantime-db` secret)
+   - Must contain the following fields that will be mapped to secret keys:
+     - `mariadb-root-password`: Root password for MariaDB
+     - `mariadb-password`: Password for the `leantime` database user
+   - Used by the MariaDB subchart via `mariadb.auth.existingSecret`
+
+2. **`Leantime App Secrets`** (referenced by `leantime-app` secret)
+   - Reserved for future use if the upstream chart adds support for existingSecret on app-level secrets
+   - Currently not used (session password is in Helm values due to chart limitations)
+
+**Deployment Structure**:
+- `argocd/apps/apps/leantime-secrets.yml` (sync-wave 10) → deploys OnePasswordItem CRDs
+- `argocd/apps/apps/leantime.yml` (sync-wave 20) → deploys Helm chart from upstream Git
+- `argocd/apps/apps/leantime-ingress.yml` (sync-wave 30) → deploys Tailscale ingress with Homepage annotations
+
+**Chart Limitations**:
+- The Leantime Helm chart does not support `existingSecret` for app-level secrets (session password, SMTP, etc.)
+- Session password is currently set in `valuesObject` as a generated secure random value
+- Database credentials use the MariaDB subchart's `existingSecret` feature successfully
+
+**Migration Path**: N/A (new deployment)
+
+**Sync Waves**: 
+- Secrets: 10
+- Application: 20  
+- Ingress: 30
+
+**1Password Setup Instructions**:
+
+Before syncing the Leantime applications, create these items in 1Password:
+
+```bash
+# In 1Password web UI or CLI:
+# Vault: HomeLab
+# Item 1: "Leantime Database"
+#   - Add field: mariadb-root-password = <generate secure password>
+#   - Add field: mariadb-password = <generate secure password>
+#
+# Item 2: "Leantime App Secrets" 
+#   - Can be empty for now (reserved for future use)
+```
+
+**Verification**:
+After ArgoCD syncs the `leantime-secrets` application:
+```bash
+kubectl get secrets -n apps-leantime
+# Should show: leantime-db, leantime-app
+```
+

k8s/leantime_secrets/README.md

@@ -0,0 +1,52 @@
+# Leantime Secrets - 1Password Setup
+
+This directory contains OnePasswordItem CRDs that reference secrets in the HomeLab vault.
+
+## Required 1Password Items
+
+Before deploying Leantime, create the following items in 1Password:
+
+### 1. Leantime Database (`Leantime Database`)
+
+**Vault**: HomeLab  
+**Item Name**: `Leantime Database`
+
+**Required Fields**:
+- `mariadb-root-password`: Root password for the MariaDB database
+- `mariadb-password`: Password for the `leantime` database user
+
+These fields will be materialized by the 1Password Operator into a Kubernetes Secret named `leantime-db` in the `apps-leantime` namespace.
+
+### 2. Leantime App Secrets (`Leantime App Secrets`)
+
+**Vault**: HomeLab  
+**Item Name**: `Leantime App Secrets`
+
+**Status**: Reserved for future use. Can be empty or contain placeholder values for now.
+
+**Note**: The upstream Leantime Helm chart does not currently support `existingSecret` for application-level secrets (session password, SMTP credentials, etc.). This OnePasswordItem is created for future extensibility.
+
+## Verification
+
+After ArgoCD syncs the `leantime-secrets` application (sync-wave 10), verify the secrets were created:
+
+```bash
+kubectl get onepassworditems -n apps-leantime
+kubectl get secrets -n apps-leantime
+```
+
+You should see:
+- OnePasswordItems: `leantime-db`, `leantime-app`
+- Secrets: `leantime-db`, `leantime-app` (created by 1Password Operator)
+
+## Integration
+
+The `leantime-db` secret is consumed by the MariaDB subchart in the Leantime Helm deployment via:
+
+```yaml
+mariadb:
+  auth:
+    existingSecret: "leantime-db"
+```
+
+This ensures database credentials are never stored in Git or ArgoCD manifests.