feat: renovatebot (#1)

Reviewed-on: #1
2024-12-23 02:14:57 +00:00 · 2024-12-23 02:14:57 +00:00 · 02ad10ea6d
commit 02ad10ea6d
parent 79b027fe07
10 changed files with 86 additions and 66 deletions
--- a/.env
+++ b/.env
@ -1,3 +1,3 @@
 PROD_URL=git.gmoker.com
-IMAGEAPP=docker.io/gitea/gitea:1.22.0-rootless
+IMAGEAPP=docker.io/gitea/gitea:1.22.6-rootless
-IMAGERUNNER=docker.io/gitea/act_runner:0.2.10-dind-rootless
+IMAGERUNNER=docker.io/gitea/act_runner:0.2.11-dind-rootless
--- a/compose.yaml
+++ b/compose.yaml
@ -1,7 +1,7 @@
 ---
 services:
  db:
-    image: docker.io/postgres:15
+    image: docker.io/postgres:17
    restart: unless-stopped
    environment:
      - POSTGRES_DB=db
@ -20,16 +20,16 @@ services:
      - POSTGRES_HOST=db
      - GITEA__database__DB_TYPE=postgres
      - GITEA__database__HOST=db
      - GITEA__database__NAME=db
      - GITEA__database__USER=db
      - GITEA__database__PASSWD=db
      - GITEA__service__DISABLE_REGISTRATION=true
    volumes:
      - data:/var/lib/gitea/
      - config:/etc/gitea/
      - data:/var/lib/gitea/
    depends_on:
      - db
 volumes:
  db: {}
  config: {}
  data: {}
  db: {}
--- a/manifests/bin/createadmin.sh
+++ b/manifests/bin/createadmin.sh
@ -0,0 +1,37 @@
 #!/bin/bash -e
 set -o pipefail
 function get_token() {
    kubectl exec statefulset/app -- gitea admin user generate-access-token \
            --username "$name" \
            --token-name "${name^^}" \
            --scopes "$scopes" \
        | awk '{print $NF}'
 }
 name="$1"
 scopes="$2"
 email="$name@$BASE_URL"
 secret="gitea-$name"
 passwd="$(kgseckey "$secret" password || true)"
 if [ -z "$passwd" ]; then
    passwd="$(openssl rand -hex 32)"
    kubectl exec statefulset/app -- \
        gitea admin user create --admin --must-change-password=false \
            --email "$email" \
            --username "$name" \
            --password "$passwd"
 fi
 opts=()
 [ -n "$scopes" ] && opts+=(
    --from-literal=token="$(kgseckey "$secret" token || get_token)"
    --from-literal=tokenscopes="$scopes"
 )
 kcreatesec "$secret" \
    --from-literal=email="$email" \
    --from-literal=username="$name" \
    --from-literal=password="$passwd" \
    "${opts[@]}"
--- a/manifests/bin/deploy.sh
+++ b/manifests/bin/deploy.sh
@ -3,47 +3,40 @@ set -o pipefail
 function kapply() {
    for f in "$@"; do
-        kubectl apply -f \
+        kubectl apply -f <(envsubst < "manifests/$f")
            <(envsubst "$(env | xargs printf '$%s ')" < "manifests/$f")
    done
-}
+}; export -f kapply
 function kcreatesec() {
    kubectl create secret generic --save-config --dry-run=client -oyaml "$@" | kubectl apply -f-
-}
+}; export -f kcreatesec
 function kcreatecm() {
    kubectl create configmap --dry-run=client -oyaml "$@" | kubectl apply -f-
-}
+}; export -f kcreatecm
 function kgseckey() {
    local sec="$1"; shift
    local key="$1"; shift
    local ret
-    ret="$(kubectl get secret "$sec" -o jsonpath="{.data.$key}" | base64 -d)"
+    if ! kubectl get secret "$sec" -ojson | jq -re ".data.\"$key\" // empty" | base64 -d; then
    if [ "$?" -ne 0 ] || [ -z "$ret" ]; then
        return 1
    fi
-    echo "$ret"
+}; export -f kgseckey
 }
 function kgcmkey() {
-    local cm="$1"; shift
+    local cm="$1";  shift
    local key="$1"; shift
    local ret;
-    ret="$(kubectl get configmap "$cm" -o jsonpath="{.data.$key}")"
+    if ! kubectl get configmap "$cm" -ojson | jq -re ".data.\"$key\" // empty"; then
    if [ "$?" -ne 0 ] || [ -z "$ret" ]; then
        return 1
    fi
-    echo "$ret"
+}; export -f kgcmkey
 }
 kapply common/db.yaml
-export REDIS_HOST=redis
+export REDIS_HOST=valkey
 export REDIS_DB=0
 export REDIS_PORT=6379
 export POSTGRES_HOST;     POSTGRES_HOST="$(kgseckey postgres-app host)"
@ -52,39 +45,31 @@ export POSTGRES_DB;       POSTGRES_DB="$(kgseckey postgres-app dbname)"
 export POSTGRES_USER;     POSTGRES_USER="$(kgseckey postgres-app user)"
 export POSTGRES_PASSWORD; POSTGRES_PASSWORD="$(kgseckey postgres-app password)"
-GITEA_USERNAME="$(kgseckey gitea-admin username || echo gitea)"
+# shellcheck disable=SC1090,SC2016
-GITEA_PASSWORD="$(kgseckey gitea-admin password || openssl rand -hex 32)"
+. <(kubectl run -i --rm --image "$IMAGEAPP" secrets -- bash <<< 'echo SECRET_KEY="$(gitea generate secret SECRET_KEY)" INTERNAL_TOKEN="$(gitea generate secret INTERNAL_TOKEN)" JWT_SECRET="$(gitea generate secret JWT_SECRET)"' | head -n1)
 kcreatesec gitea-admin \
    --from-literal=email="gitea@$BASE_URL" \
    --from-literal=username="$GITEA_USERNAME" \
    --from-literal=password="$GITEA_PASSWORD"
 kubectl run --image "$IMAGEAPP" secrets sleep 60
 sleep 5
 kcreatesec gitea \
-    --from-literal=secret_key="$(kgseckey gitea secret_key               || kubectl exec secrets -- gitea generate secret SECRET_KEY)" \
+    --from-literal=secret_key="$(kgseckey gitea secret_key               || echo "$SECRET_KEY")" \
-    --from-literal=internal_token="$(kgseckey gitea internal_token       || kubectl exec secrets -- gitea generate secret INTERNAL_TOKEN)" \
+    --from-literal=internal_token="$(kgseckey gitea internal_token       || echo "$INTERNAL_TOKEN")" \
-    --from-literal=oauth2_jwt_secret="$(kgseckey gitea oauth2_jwt_secret || kubectl exec secrets -- gitea generate secret JWT_SECRET)"
+    --from-literal=oauth2_jwt_secret="$(kgseckey gitea oauth2_jwt_secret || echo "$JWT_SECRET")"
 kubectl delete pod secrets
 kcreatecm gitea \
-    --from-file=app.ini=<(envsubst "$(env | xargs printf '$%s ')" < config/app.ini)
+    --from-file=app.ini=<(envsubst < config/app.ini)
 kapply common/job.yaml \
-    common/redis.yaml \
+    common/valkey.yaml \
    common/app.yaml
 kubectl rollout restart statefulset app
-kubectl wait --timeout=5m --for=condition=complete job/createadminuser
+kubectl rollout status statefulset app
-sleep 5
+kubectl wait --timeout=5m --for=condition=complete job/migrate
 ./manifests/bin/createadmin.sh gitea
 ./manifests/bin/createadmin.sh renovate 'write:repository,read:user,write:issue,read:organization'
 kcreatesec runner \
-    --from-literal=token="$(kgseckey runner token || kubectl exec app-0 -- gitea actions generate-runner-token)"
+    --from-literal=token="$(kgseckey runner token || kubectl exec statefulset/app -- gitea actions generate-runner-token)"
 kcreatesec renovate \
    --from-literal=token="$(kgseckey renovate token || kubectl exec app-0 -- gitea admin user generate-access-token --username "$GITEA_USERNAME" --token-name RENOVATE --scopes 'write:repository,read:user,write:issue,read:organization' | grep -o '[a-f0-9]\+$')"
 kapply common/runner.yaml common/renovate.yaml
--- a/manifests/bin/devel.sh
+++ b/manifests/bin/devel.sh
@ -1,4 +1,5 @@
 #!/bin/bash -e
 set -o pipefail
 export NB_REPLICAS=1
--- a/manifests/bin/prod.sh
+++ b/manifests/bin/prod.sh
@ -1,4 +1,5 @@
 #!/bin/bash -e
 set -o pipefail
 # TODO: 3
 export NB_REPLICAS=1
--- a/manifests/common/app.yaml
+++ b/manifests/common/app.yaml
@ -5,7 +5,7 @@ metadata:
  name: app
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
-    nginx.ingress.kubernetes.io/proxy-body-size: "512M"
+    nginx.ingress.kubernetes.io/proxy-body-size: "8G"
 spec:
  ingressClassName: nginx
  tls:
--- a/manifests/common/job.yaml
+++ b/manifests/common/job.yaml
@ -2,21 +2,17 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: createadminuser
+  name: migrate
 spec:
  template:
    spec:
      restartPolicy: Never
      containers:
-        - name: createadminuser
+        - name: migrate
          image: "$IMAGEAPP"
          envFrom:
            - secretRef:
                name: gitea-admin
          command:
-            - bash
+            - gitea
-            - -c
+            - migrate
            - 'gitea migrate && { gitea admin user change-password --username "$username" --password "$password" --must-change-password=false 2> /dev/null || gitea admin user create --admin --email "$email" --username "$username" --password "$password" --must-change-password=false; }'
          volumeMounts:
            - name: config
              mountPath: /etc/gitea/app.ini
--- a/manifests/common/renovate.yaml
+++ b/manifests/common/renovate.yaml
@ -27,10 +27,10 @@ spec:
                - name: RENOVATE_USERNAME
                  valueFrom:
                    secretKeyRef:
-                      name: gitea-admin
+                      name: gitea-renovate
                      key: username
                - name: RENOVATE_TOKEN
                  valueFrom:
                    secretKeyRef:
-                      name: runner
+                      name: gitea-renovate
                      key: token
--- a/manifests/common/valkey.yaml
+++ b/manifests/common/valkey.yaml
@ -2,36 +2,36 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: redis
+  name: valkey
  labels:
-    app: redis
+    app: valkey
 spec:
  selector:
-    app: redis
+    app: valkey
  ports:
-    - name: redis
+    - name: valkey
      port: 6379
 ---
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
-  name: redis
+  name: valkey
 spec:
  selector:
    matchLabels:
-      app: redis
+      app: valkey
-  serviceName: redis
+  serviceName: valkey
  replicas: $NB_REPLICAS
  template:
    metadata:
      labels:
-        app: redis
+        app: valkey
    spec:
      containers:
-        - name: redis
+        - name: valkey
-          image: docker.io/redis:latest
+          image: docker.io/valkey/valkey:latest
          ports:
-            - name: redis
+            - name: valkey
              containerPort: 6379
          volumeMounts:
            - name: data