feat(immich): deploy Immich photo server with S3 storage and traefik-external gateway #154

Open
opened 2026-05-24 12:03:14 +10:00 by unkinben · 0 comments
Owner

Overview

Deploy Immich self-hosted photo/video backup server to the k8s cluster.

Requirements

  • Helm chart: oci://ghcr.io/immich-app/immich-charts/immich (latest: 0.12.0)
  • Namespace: immich
  • ArgoCD project: platform or aitooling (TBD)
  • Gateway: traefik-external gatewayclass (external internet access)
  • Storage:
    • Blob/library storage: S3/Ceph-RGW bucket (like stalwart — use radosgw.service.consul)
    • PostgreSQL: CNPG cluster with tensorchord/cloudnative-vectorchord image (required for vector search)
    • Redis: deploy in-cluster or use existing
  • Autoscaling: HPA for immich-server and immich-machine-learning
  • Secrets: VaultStaticSecret for postgres-credentials, s3-credentials

Implementation notes

  • CNPG cluster should use tensorchord/cloudnative-vectorchord PostgreSQL image (not standard cloudnative-pg) — immich requires pgvector/vectorchord extension
  • S3 bucket needs to be pre-created in Ceph-RGW (immich-library or similar)
  • Add immich docker images to apps/base/artifactapi/resources/conf.d/remote-docker.yaml in a separate PR before deploying
  • Add helm chart to apps/base/artifactapi/resources/conf.d/remote-helm.yaml in a separate PR
  • Gateway should use traefik-external (not traefik-internal) for internet-accessible URL
  • External DNS hostname: photos.k8s.syd1.au.unkin.net or immich.k8s.syd1.au.unkin.net (TBD)

Files to create

  • apps/base/immich/ — full kustomization base
  • apps/overlays/au-syd1/immich/kustomization.yaml
  • Vault secrets at kubernetes/namespace/immich/default/{postgres-credentials,s3-credentials}
  • Update ApplicationSet to include immich overlay

References

  • Chart README: https://github.com/immich-app/immich-charts/blob/main/README.md
  • Immich docs: https://immich.app/docs

Reference: unkin/argocd-apps#154