feat: renovatebot (#1)

Reviewed-on: #1
2024-12-23 02:14:57 +00:00 · 2024-12-23 02:14:57 +00:00 · 02ad10ea6d
commit 02ad10ea6d
parent 79b027fe07
10 changed files with 86 additions and 66 deletions
--- a/.env
+++ b/.env
@ -1,3 +1,3 @@
 PROD_URL=git.gmoker.com
-IMAGEAPP=docker.io/gitea/gitea:1.22.0-rootless
-IMAGERUNNER=docker.io/gitea/act_runner:0.2.10-dind-rootless
+IMAGEAPP=docker.io/gitea/gitea:1.22.6-rootless
+IMAGERUNNER=docker.io/gitea/act_runner:0.2.11-dind-rootless
--- a/compose.yaml
+++ b/compose.yaml
@ -1,7 +1,7 @@
 ---
 services:
  db:
-    image: docker.io/postgres:15
+    image: docker.io/postgres:17
    restart: unless-stopped
    environment:
      - POSTGRES_DB=db
@ -20,16 +20,16 @@ services:
      - POSTGRES_HOST=db
      - GITEA__database__DB_TYPE=postgres
      - GITEA__database__HOST=db
+      - GITEA__database__NAME=db
      - GITEA__database__USER=db
      - GITEA__database__PASSWD=db
-      - GITEA__service__DISABLE_REGISTRATION=true
    volumes:
-      - data:/var/lib/gitea/
      - config:/etc/gitea/
+      - data:/var/lib/gitea/
    depends_on:
      - db

 volumes:
+  db: {}
  config: {}
  data: {}
-  db: {}
--- a/manifests/bin/createadmin.sh
+++ b/manifests/bin/createadmin.sh
@ -0,0 +1,37 @@
+#!/bin/bash -e
+set -o pipefail
+
+function get_token() {
+    kubectl exec statefulset/app -- gitea admin user generate-access-token \
+            --username "$name" \
+            --token-name "${name^^}" \
+            --scopes "$scopes" \
+        | awk '{print $NF}'
+}
+
+name="$1"
+scopes="$2"
+email="$name@$BASE_URL"
+secret="gitea-$name"
+passwd="$(kgseckey "$secret" password || true)"
+
+if [ -z "$passwd" ]; then
+    passwd="$(openssl rand -hex 32)"
+    kubectl exec statefulset/app -- \
+        gitea admin user create --admin --must-change-password=false \
+            --email "$email" \
+            --username "$name" \
+            --password "$passwd"
+fi
+
+opts=()
+[ -n "$scopes" ] && opts+=(
+    --from-literal=token="$(kgseckey "$secret" token || get_token)"
+    --from-literal=tokenscopes="$scopes"
+)
+
+kcreatesec "$secret" \
+    --from-literal=email="$email" \
+    --from-literal=username="$name" \
+    --from-literal=password="$passwd" \
+    "${opts[@]}"
--- a/manifests/bin/deploy.sh
+++ b/manifests/bin/deploy.sh
@ -3,47 +3,40 @@ set -o pipefail

 function kapply() {
    for f in "$@"; do
-        kubectl apply -f \
-            <(envsubst "$(env | xargs printf '$%s ')" < "manifests/$f")
+        kubectl apply -f <(envsubst < "manifests/$f")
    done
-}
+}; export -f kapply

 function kcreatesec() {
    kubectl create secret generic --save-config --dry-run=client -oyaml "$@" | kubectl apply -f-
-}
+}; export -f kcreatesec

 function kcreatecm() {
    kubectl create configmap --dry-run=client -oyaml "$@" | kubectl apply -f-
-}
+}; export -f kcreatecm

 function kgseckey() {
    local sec="$1"; shift
    local key="$1"; shift
-    local ret

-    ret="$(kubectl get secret "$sec" -o jsonpath="{.data.$key}" | base64 -d)"
-    if [ "$?" -ne 0 ] || [ -z "$ret" ]; then
+    if ! kubectl get secret "$sec" -ojson | jq -re ".data.\"$key\" // empty" | base64 -d; then
        return 1
    fi
-    echo "$ret"
-}
+}; export -f kgseckey

 function kgcmkey() {
-    local cm="$1"; shift
+    local cm="$1";  shift
    local key="$1"; shift
-    local ret;

-    ret="$(kubectl get configmap "$cm" -o jsonpath="{.data.$key}")"
-    if [ "$?" -ne 0 ] || [ -z "$ret" ]; then
+    if ! kubectl get configmap "$cm" -ojson | jq -re ".data.\"$key\" // empty"; then
        return 1
    fi
-    echo "$ret"
-}
+}; export -f kgcmkey


 kapply common/db.yaml

-export REDIS_HOST=redis
+export REDIS_HOST=valkey
 export REDIS_DB=0
 export REDIS_PORT=6379
 export POSTGRES_HOST;     POSTGRES_HOST="$(kgseckey postgres-app host)"
@ -52,39 +45,31 @@ export POSTGRES_DB;       POSTGRES_DB="$(kgseckey postgres-app dbname)"
 export POSTGRES_USER;     POSTGRES_USER="$(kgseckey postgres-app user)"
 export POSTGRES_PASSWORD; POSTGRES_PASSWORD="$(kgseckey postgres-app password)"

-GITEA_USERNAME="$(kgseckey gitea-admin username || echo gitea)"
-GITEA_PASSWORD="$(kgseckey gitea-admin password || openssl rand -hex 32)"
+# shellcheck disable=SC1090,SC2016
+. <(kubectl run -i --rm --image "$IMAGEAPP" secrets -- bash <<< 'echo SECRET_KEY="$(gitea generate secret SECRET_KEY)" INTERNAL_TOKEN="$(gitea generate secret INTERNAL_TOKEN)" JWT_SECRET="$(gitea generate secret JWT_SECRET)"' | head -n1)

-kcreatesec gitea-admin \
-    --from-literal=email="gitea@$BASE_URL" \
-    --from-literal=username="$GITEA_USERNAME" \
-    --from-literal=password="$GITEA_PASSWORD"
-
-kubectl run --image "$IMAGEAPP" secrets sleep 60
-sleep 5
 kcreatesec gitea \
-    --from-literal=secret_key="$(kgseckey gitea secret_key               || kubectl exec secrets -- gitea generate secret SECRET_KEY)" \
-    --from-literal=internal_token="$(kgseckey gitea internal_token       || kubectl exec secrets -- gitea generate secret INTERNAL_TOKEN)" \
-    --from-literal=oauth2_jwt_secret="$(kgseckey gitea oauth2_jwt_secret || kubectl exec secrets -- gitea generate secret JWT_SECRET)"
-kubectl delete pod secrets
+    --from-literal=secret_key="$(kgseckey gitea secret_key               || echo "$SECRET_KEY")" \
+    --from-literal=internal_token="$(kgseckey gitea internal_token       || echo "$INTERNAL_TOKEN")" \
+    --from-literal=oauth2_jwt_secret="$(kgseckey gitea oauth2_jwt_secret || echo "$JWT_SECRET")"

 kcreatecm gitea \
-    --from-file=app.ini=<(envsubst "$(env | xargs printf '$%s ')" < config/app.ini)
+    --from-file=app.ini=<(envsubst < config/app.ini)

 kapply common/job.yaml \
-    common/redis.yaml \
+    common/valkey.yaml \
    common/app.yaml

 kubectl rollout restart statefulset app

-kubectl wait --timeout=5m --for=condition=complete job/createadminuser
-sleep 5
+kubectl rollout status statefulset app
+kubectl wait --timeout=5m --for=condition=complete job/migrate
+
+./manifests/bin/createadmin.sh gitea
+./manifests/bin/createadmin.sh renovate 'write:repository,read:user,write:issue,read:organization'

 kcreatesec runner \
-    --from-literal=token="$(kgseckey runner token || kubectl exec app-0 -- gitea actions generate-runner-token)"
-
-kcreatesec renovate \
-    --from-literal=token="$(kgseckey renovate token || kubectl exec app-0 -- gitea admin user generate-access-token --username "$GITEA_USERNAME" --token-name RENOVATE --scopes 'write:repository,read:user,write:issue,read:organization' | grep -o '[a-f0-9]\+$')"
+    --from-literal=token="$(kgseckey runner token || kubectl exec statefulset/app -- gitea actions generate-runner-token)"

 kapply common/runner.yaml common/renovate.yaml

--- a/manifests/bin/devel.sh
+++ b/manifests/bin/devel.sh
@ -1,4 +1,5 @@
 #!/bin/bash -e
+set -o pipefail

 export NB_REPLICAS=1

--- a/manifests/bin/prod.sh
+++ b/manifests/bin/prod.sh
@ -1,4 +1,5 @@
 #!/bin/bash -e
+set -o pipefail

 # TODO: 3
 export NB_REPLICAS=1
--- a/manifests/common/app.yaml
+++ b/manifests/common/app.yaml
@ -5,7 +5,7 @@ metadata:
  name: app
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
-    nginx.ingress.kubernetes.io/proxy-body-size: "512M"
+    nginx.ingress.kubernetes.io/proxy-body-size: "8G"
 spec:
  ingressClassName: nginx
  tls:
--- a/manifests/common/job.yaml
+++ b/manifests/common/job.yaml
@ -2,21 +2,17 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: createadminuser
+  name: migrate
 spec:
  template:
    spec:
      restartPolicy: Never
      containers:
-        - name: createadminuser
+        - name: migrate
          image: "$IMAGEAPP"
-          envFrom:
-            - secretRef:
-                name: gitea-admin
          command:
-            - bash
-            - -c
-            - 'gitea migrate && { gitea admin user change-password --username "$username" --password "$password" --must-change-password=false 2> /dev/null || gitea admin user create --admin --email "$email" --username "$username" --password "$password" --must-change-password=false; }'
+            - gitea
+            - migrate
          volumeMounts:
            - name: config
              mountPath: /etc/gitea/app.ini
--- a/manifests/common/renovate.yaml
+++ b/manifests/common/renovate.yaml
@ -27,10 +27,10 @@ spec:
                - name: RENOVATE_USERNAME
                  valueFrom:
                    secretKeyRef:
-                      name: gitea-admin
+                      name: gitea-renovate
                      key: username
                - name: RENOVATE_TOKEN
                  valueFrom:
                    secretKeyRef:
-                      name: runner
+                      name: gitea-renovate
                      key: token
--- a/manifests/common/valkey.yaml
+++ b/manifests/common/valkey.yaml
@ -2,36 +2,36 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: redis
+  name: valkey
  labels:
-    app: redis
+    app: valkey
 spec:
  selector:
-    app: redis
+    app: valkey
  ports:
-    - name: redis
+    - name: valkey
      port: 6379
 ---
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
-  name: redis
+  name: valkey
 spec:
  selector:
    matchLabels:
-      app: redis
-  serviceName: redis
+      app: valkey
+  serviceName: valkey
  replicas: $NB_REPLICAS
  template:
    metadata:
      labels:
-        app: redis
+        app: valkey
    spec:
      containers:
-        - name: redis
-          image: docker.io/redis:latest
+        - name: valkey
+          image: docker.io/valkey/valkey:latest
          ports:
-            - name: redis
+            - name: valkey
              containerPort: 6379
          volumeMounts:
            - name: data