diff --git a/.env b/.env index 685ef78..ea69377 100644 --- a/.env +++ b/.env @@ -1,3 +1,3 @@ PROD_URL=git.gmoker.com -IMAGEAPP=docker.io/gitea/gitea:1.22.0-rootless -IMAGERUNNER=docker.io/gitea/act_runner:0.2.10-dind-rootless +IMAGEAPP=docker.io/gitea/gitea:1.22.6-rootless +IMAGERUNNER=docker.io/gitea/act_runner:0.2.11-dind-rootless diff --git a/compose.yaml b/compose.yaml index e2ae670..966146a 100644 --- a/compose.yaml +++ b/compose.yaml @@ -1,7 +1,7 @@ --- services: db: - image: docker.io/postgres:15 + image: docker.io/postgres:17 restart: unless-stopped environment: - POSTGRES_DB=db @@ -20,16 +20,16 @@ services: - POSTGRES_HOST=db - GITEA__database__DB_TYPE=postgres - GITEA__database__HOST=db + - GITEA__database__NAME=db - GITEA__database__USER=db - GITEA__database__PASSWD=db - - GITEA__service__DISABLE_REGISTRATION=true volumes: - - data:/var/lib/gitea/ - config:/etc/gitea/ + - data:/var/lib/gitea/ depends_on: - db volumes: + db: {} config: {} data: {} - db: {} diff --git a/manifests/bin/createadmin.sh b/manifests/bin/createadmin.sh new file mode 100755 index 0000000..8691667 --- /dev/null +++ b/manifests/bin/createadmin.sh @@ -0,0 +1,37 @@ +#!/bin/bash -e +set -o pipefail + +function get_token() { + kubectl exec statefulset/app -- gitea admin user generate-access-token \ + --username "$name" \ + --token-name "${name^^}" \ + --scopes "$scopes" \ + | awk '{print $NF}' +} + +name="$1" +scopes="$2" +email="$name@$BASE_URL" +secret="gitea-$name" +passwd="$(kgseckey "$secret" password || true)" + +if [ -z "$passwd" ]; then + passwd="$(openssl rand -hex 32)" + kubectl exec statefulset/app -- \ + gitea admin user create --admin --must-change-password=false \ + --email "$email" \ + --username "$name" \ + --password "$passwd" +fi + +opts=() +[ -n "$scopes" ] && opts+=( + --from-literal=token="$(kgseckey "$secret" token || get_token)" + --from-literal=tokenscopes="$scopes" +) + +kcreatesec "$secret" \ + --from-literal=email="$email" \ + --from-literal=username="$name" \ + --from-literal=password="$passwd" \ + "${opts[@]}" diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh index dd36979..ad2271f 100755 --- a/manifests/bin/deploy.sh +++ b/manifests/bin/deploy.sh @@ -3,47 +3,40 @@ set -o pipefail function kapply() { for f in "$@"; do - kubectl apply -f \ - <(envsubst "$(env | xargs printf '$%s ')" < "manifests/$f") + kubectl apply -f <(envsubst < "manifests/$f") done -} +}; export -f kapply function kcreatesec() { kubectl create secret generic --save-config --dry-run=client -oyaml "$@" | kubectl apply -f- -} +}; export -f kcreatesec function kcreatecm() { kubectl create configmap --dry-run=client -oyaml "$@" | kubectl apply -f- -} +}; export -f kcreatecm function kgseckey() { local sec="$1"; shift local key="$1"; shift - local ret - ret="$(kubectl get secret "$sec" -o jsonpath="{.data.$key}" | base64 -d)" - if [ "$?" -ne 0 ] || [ -z "$ret" ]; then + if ! kubectl get secret "$sec" -ojson | jq -re ".data.\"$key\" // empty" | base64 -d; then return 1 fi - echo "$ret" -} +}; export -f kgseckey function kgcmkey() { - local cm="$1"; shift + local cm="$1"; shift local key="$1"; shift - local ret; - ret="$(kubectl get configmap "$cm" -o jsonpath="{.data.$key}")" - if [ "$?" -ne 0 ] || [ -z "$ret" ]; then + if ! kubectl get configmap "$cm" -ojson | jq -re ".data.\"$key\" // empty"; then return 1 fi - echo "$ret" -} +}; export -f kgcmkey kapply common/db.yaml -export REDIS_HOST=redis +export REDIS_HOST=valkey export REDIS_DB=0 export REDIS_PORT=6379 export POSTGRES_HOST; POSTGRES_HOST="$(kgseckey postgres-app host)" @@ -52,39 +45,31 @@ export POSTGRES_DB; POSTGRES_DB="$(kgseckey postgres-app dbname)" export POSTGRES_USER; POSTGRES_USER="$(kgseckey postgres-app user)" export POSTGRES_PASSWORD; POSTGRES_PASSWORD="$(kgseckey postgres-app password)" -GITEA_USERNAME="$(kgseckey gitea-admin username || echo gitea)" -GITEA_PASSWORD="$(kgseckey gitea-admin password || openssl rand -hex 32)" +# shellcheck disable=SC1090,SC2016 +. <(kubectl run -i --rm --image "$IMAGEAPP" secrets -- bash <<< 'echo SECRET_KEY="$(gitea generate secret SECRET_KEY)" INTERNAL_TOKEN="$(gitea generate secret INTERNAL_TOKEN)" JWT_SECRET="$(gitea generate secret JWT_SECRET)"' | head -n1) -kcreatesec gitea-admin \ - --from-literal=email="gitea@$BASE_URL" \ - --from-literal=username="$GITEA_USERNAME" \ - --from-literal=password="$GITEA_PASSWORD" - -kubectl run --image "$IMAGEAPP" secrets sleep 60 -sleep 5 kcreatesec gitea \ - --from-literal=secret_key="$(kgseckey gitea secret_key || kubectl exec secrets -- gitea generate secret SECRET_KEY)" \ - --from-literal=internal_token="$(kgseckey gitea internal_token || kubectl exec secrets -- gitea generate secret INTERNAL_TOKEN)" \ - --from-literal=oauth2_jwt_secret="$(kgseckey gitea oauth2_jwt_secret || kubectl exec secrets -- gitea generate secret JWT_SECRET)" -kubectl delete pod secrets + --from-literal=secret_key="$(kgseckey gitea secret_key || echo "$SECRET_KEY")" \ + --from-literal=internal_token="$(kgseckey gitea internal_token || echo "$INTERNAL_TOKEN")" \ + --from-literal=oauth2_jwt_secret="$(kgseckey gitea oauth2_jwt_secret || echo "$JWT_SECRET")" kcreatecm gitea \ - --from-file=app.ini=<(envsubst "$(env | xargs printf '$%s ')" < config/app.ini) + --from-file=app.ini=<(envsubst < config/app.ini) kapply common/job.yaml \ - common/redis.yaml \ + common/valkey.yaml \ common/app.yaml kubectl rollout restart statefulset app -kubectl wait --timeout=5m --for=condition=complete job/createadminuser -sleep 5 +kubectl rollout status statefulset app +kubectl wait --timeout=5m --for=condition=complete job/migrate + +./manifests/bin/createadmin.sh gitea +./manifests/bin/createadmin.sh renovate 'write:repository,read:user,write:issue,read:organization' kcreatesec runner \ - --from-literal=token="$(kgseckey runner token || kubectl exec app-0 -- gitea actions generate-runner-token)" - -kcreatesec renovate \ - --from-literal=token="$(kgseckey renovate token || kubectl exec app-0 -- gitea admin user generate-access-token --username "$GITEA_USERNAME" --token-name RENOVATE --scopes 'write:repository,read:user,write:issue,read:organization' | grep -o '[a-f0-9]\+$')" + --from-literal=token="$(kgseckey runner token || kubectl exec statefulset/app -- gitea actions generate-runner-token)" kapply common/runner.yaml common/renovate.yaml diff --git a/manifests/bin/devel.sh b/manifests/bin/devel.sh index 464c4d0..65675aa 100755 --- a/manifests/bin/devel.sh +++ b/manifests/bin/devel.sh @@ -1,4 +1,5 @@ #!/bin/bash -e +set -o pipefail export NB_REPLICAS=1 diff --git a/manifests/bin/prod.sh b/manifests/bin/prod.sh index ea8a78f..142f57f 100755 --- a/manifests/bin/prod.sh +++ b/manifests/bin/prod.sh @@ -1,4 +1,5 @@ #!/bin/bash -e +set -o pipefail # TODO: 3 export NB_REPLICAS=1 diff --git a/manifests/common/app.yaml b/manifests/common/app.yaml index e205f85..f1b54e1 100644 --- a/manifests/common/app.yaml +++ b/manifests/common/app.yaml @@ -5,7 +5,7 @@ metadata: name: app annotations: cert-manager.io/cluster-issuer: letsencrypt-prod - nginx.ingress.kubernetes.io/proxy-body-size: "512M" + nginx.ingress.kubernetes.io/proxy-body-size: "8G" spec: ingressClassName: nginx tls: diff --git a/manifests/common/job.yaml b/manifests/common/job.yaml index 0281b29..bdbe13b 100644 --- a/manifests/common/job.yaml +++ b/manifests/common/job.yaml @@ -2,21 +2,17 @@ apiVersion: batch/v1 kind: Job metadata: - name: createadminuser + name: migrate spec: template: spec: restartPolicy: Never containers: - - name: createadminuser + - name: migrate image: "$IMAGEAPP" - envFrom: - - secretRef: - name: gitea-admin command: - - bash - - -c - - 'gitea migrate && { gitea admin user change-password --username "$username" --password "$password" --must-change-password=false 2> /dev/null || gitea admin user create --admin --email "$email" --username "$username" --password "$password" --must-change-password=false; }' + - gitea + - migrate volumeMounts: - name: config mountPath: /etc/gitea/app.ini diff --git a/manifests/common/renovate.yaml b/manifests/common/renovate.yaml index 0167afe..427ee4e 100644 --- a/manifests/common/renovate.yaml +++ b/manifests/common/renovate.yaml @@ -27,10 +27,10 @@ spec: - name: RENOVATE_USERNAME valueFrom: secretKeyRef: - name: gitea-admin + name: gitea-renovate key: username - name: RENOVATE_TOKEN valueFrom: secretKeyRef: - name: runner + name: gitea-renovate key: token diff --git a/manifests/common/redis.yaml b/manifests/common/valkey.yaml similarity index 66% rename from manifests/common/redis.yaml rename to manifests/common/valkey.yaml index 485d2a8..4df2c6d 100644 --- a/manifests/common/redis.yaml +++ b/manifests/common/valkey.yaml @@ -2,36 +2,36 @@ apiVersion: v1 kind: Service metadata: - name: redis + name: valkey labels: - app: redis + app: valkey spec: selector: - app: redis + app: valkey ports: - - name: redis + - name: valkey port: 6379 --- apiVersion: apps/v1 kind: StatefulSet metadata: - name: redis + name: valkey spec: selector: matchLabels: - app: redis - serviceName: redis + app: valkey + serviceName: valkey replicas: $NB_REPLICAS template: metadata: labels: - app: redis + app: valkey spec: containers: - - name: redis - image: docker.io/redis:latest + - name: valkey + image: docker.io/valkey/valkey:latest ports: - - name: redis + - name: valkey containerPort: 6379 volumeMounts: - name: data