From bd449faec192346b8ab4f82f087e207107025ea7 Mon Sep 17 00:00:00 2001 From: ange Date: Sun, 22 Dec 2024 05:08:23 +0000 Subject: [PATCH] feat: renovatebot --- compose.yaml | 8 +++---- manifests/bin/createadmin.sh | 33 +++++++++++++++++++++++++++ manifests/bin/deploy.sh | 27 ++++++++-------------- manifests/common/app.yaml | 2 +- manifests/common/createadmin.yaml | 37 +++++++++++++++++++++++++++++++ manifests/common/job.yaml | 12 ++++------ manifests/common/renovate.yaml | 4 ++-- 7 files changed, 90 insertions(+), 33 deletions(-) create mode 100644 manifests/bin/createadmin.sh create mode 100644 manifests/common/createadmin.yaml diff --git a/compose.yaml b/compose.yaml index e2ae670..966146a 100644 --- a/compose.yaml +++ b/compose.yaml @@ -1,7 +1,7 @@ --- services: db: - image: docker.io/postgres:15 + image: docker.io/postgres:17 restart: unless-stopped environment: - POSTGRES_DB=db @@ -20,16 +20,16 @@ services: - POSTGRES_HOST=db - GITEA__database__DB_TYPE=postgres - GITEA__database__HOST=db + - GITEA__database__NAME=db - GITEA__database__USER=db - GITEA__database__PASSWD=db - - GITEA__service__DISABLE_REGISTRATION=true volumes: - - data:/var/lib/gitea/ - config:/etc/gitea/ + - data:/var/lib/gitea/ depends_on: - db volumes: + db: {} config: {} data: {} - db: {} diff --git a/manifests/bin/createadmin.sh b/manifests/bin/createadmin.sh new file mode 100644 index 0000000..0c3c0c9 --- /dev/null +++ b/manifests/bin/createadmin.sh 
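Review bot: Dropping `- GITEA__service__DISABLE_REGISTRATION=true` from the app environment re-enables self-service sign-up on this Gitea instance, because that setting is off by default, and nothing in the commit ("feat: renovatebot") explains the removal. If open registration is intended, a comment next to the environment block should say so; if it was removed by accident, the line should stay or the same key should move into the app.ini configmap. The added `- GITEA__database__NAME=db` is consistent with the db service and `POSTGRES_DB=db` above, so that part looks right.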
@@ -0,0 +1,33 @@
+#!/bin/bash -e
+
+function get_token() {
+ kubectl exec app-0 -- gitea admin user generate-access-token \
+ --username "$NAME" \
+ --token-name "${NAME^^}" \
+ --scopes "$scopes" \
+ | awk '{print $NF}'
+}
+
+export NAME="$1"
+scopes="$2"
+export EMAIL="$NAME@$BASE_URL"
+export SECRET="gitea-$NAME"
+
+if ! kubectl get secret "$SECRET" > /dev/null 2>&1; then
+ p="$(openssl rand -hex 32)"
+ kapply common/createadmin.yaml
+else
+ p="$(kgseckey "$SECRET" password)"
+fi
+
+opts=()
+if [ -n "$scopes" ]; then
+ token="$(kgseckey "$SECRET" token || get_token)"
+ opts+=(--from-literal=token="$token")
+fi
+
+kcreatesec "$SECRET" \
+ --from-literal=email="$NAME@$BASE_URL" \
+ --from-literal=username="$SECRET" \
+ --from-literal=password="$p" \
+ "${opts[@]}"
diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh
index 8753e74..2f10d1e 100755
--- a/manifests/bin/deploy.sh
+++ b/manifests/bin/deploy.sh
@@ -6,15 +6,15 @@ function kapply() {
kubectl apply -f \
<(envsubst "$(env | xargs printf '$%s ')" < "manifests/$f")
done
-}
+}; export -f kapply
function kcreatesec() {
kubectl create secret generic --save-config --dry-run=client -oyaml "$@" | kubectl apply -f-
-}
+}; export -f kcreatesec
function kcreatecm() {
kubectl create configmap --dry-run=client -oyaml "$@" | kubectl apply -f-
-}
+}; export -f kcreatecm
function kgseckey() {
local sec="$1"; shift
@@ -23,7 +23,7 @@ function kgseckey() {
if ! kubectl get secret "$sec" -ojson | jq -re ".data.\"$key\" // empty" | base64 -d; then
return 1
fi
-}
+}; export -f kgseckey
function kgcmkey() {
local cm="$1"; shift
@@ -32,7 +32,7 @@ function kgcmkey() {
if ! kubectl get configmap "$cm" -ojson | jq -re ".data.\"$key\" // empty"; then
return 1
fi
-}
+}; export -f kgcmkey
kapply common/db.yaml
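Review bot: The Job applied by `kapply common/createadmin.yaml` reads its password from `$PASS`, but this script only assigns the unexported `p`, and kapply's envsubst (visible in the deploy.sh hunk below) substitutes only the names listed by `env`, so the manifest keeps a literal `$PASS` and the container's `bash -c` expands it to an empty string — the account is created with no usable password while the secret written afterwards holds the random value. Two more points in the same hunk: `--from-literal=username="$SECRET"` stores `gitea-gitea`/`gitea-renovate` as the username although the Job creates the account as `"$NAME"` (renovate.yaml then reads that key as RENOVATE_USERNAME), and nothing waits for the Job before `get_token` runs `generate-access-token` against a user that may not exist yet. Passing the password through the Job's command also leaves it readable in the Job and Pod specs; the old job.yaml fed it through `envFrom`/`secretRef`, which is the safer shape to return to once the secret is created before the Job. The rewrite below exports the value for the Job, waits for it, and writes the account name into the secret.
```shell
# … unchanged: get_token, NAME/scopes/EMAIL/SECRET …
if ! kubectl get secret "$SECRET" > /dev/null 2>&1; then
  p="$(openssl rand -hex 32)"
  # kapply's envsubst substitutes exported names only, so the Job sees $PASS only via the environment
  export PASS="$p"
  kapply common/createadmin.yaml
  unset PASS
  kubectl wait --timeout=5m --for=condition=complete "job/createadmin-$NAME"
else
  p="$(kgseckey "$SECRET" password)"
fi
# … unchanged: opts / token handling …
kcreatesec "$SECRET" \
  --from-literal=email="$EMAIL" \
  --from-literal=username="$NAME" \
  --from-literal=password="$p" \
  "${opts[@]}"
```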
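Review bot: Appending `; export -f kapply` to the closing brace, repeated in this hunk for kcreatesec and kcreatecm and in the two hunks below for kgseckey and kgcmkey, puts the export where a reader scanning function definitions will not look for it. A single `export -f kapply kcreatesec kcreatecm kgseckey kgcmkey` after the last definition is easier to find and to keep in sync when a helper is added. Since `export -f` only reaches child processes that are themselves bash, a comment such as `# exported for manifests/bin/createadmin.sh, which must be run by bash` would record why it is there. The kapply definition begins above this hunk.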
@@ -46,14 +46,6 @@ export POSTGRES_DB; POSTGRES_DB="$(kgseckey postgres-app dbname)"
export POSTGRES_USER; POSTGRES_USER="$(kgseckey postgres-app user)"
export POSTGRES_PASSWORD; POSTGRES_PASSWORD="$(kgseckey postgres-app password)"
-GITEA_USERNAME="$(kgseckey gitea-admin username || echo gitea)"
-GITEA_PASSWORD="$(kgseckey gitea-admin password || openssl rand -hex 32)"
-
-kcreatesec gitea-admin \
- --from-literal=email="gitea@$BASE_URL" \
- --from-literal=username="$GITEA_USERNAME" \
- --from-literal=password="$GITEA_PASSWORD"
-
kubectl run --image "$IMAGEAPP" secrets sleep 600
sleep 5
kcreatesec gitea \
@@ -71,15 +63,14 @@ kapply common/job.yaml \
kubectl rollout restart statefulset app
-kubectl wait --timeout=5m --for=condition=complete job/createadminuser
-sleep 5
+kubectl wait --timeout=5m --for=condition=complete job/migrate
+
+./manifests/bin/createadmin.sh gitea
+./manifests/bin/createadmin.sh renovate 'write:repository,read:user,write:issue,read:organization'
kcreatesec runner \
 --from-literal=token="$(kgseckey runner token || kubectl exec app-0 -- gitea actions generate-runner-token)"
-kcreatesec renovate \
- --from-literal=token="$(kgseckey renovate token || kubectl exec app-0 -- gitea admin user generate-access-token --username "$GITEA_USERNAME" --token-name RENOVATE --scopes 'write:repository,read:user,write:issue,read:organization' | grep -o '[a-f0-9]\+$')"
-
kapply common/runner.yaml common/renovate.yaml
kubectl rollout restart statefulset runner
diff --git a/manifests/common/app.yaml b/manifests/common/app.yaml
index e205f85..f1b54e1 100644
--- a/manifests/common/app.yaml
+++ b/manifests/common/app.yaml
@@ -5,7 +5,7 @@ metadata:
name: app
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
- nginx.ingress.kubernetes.io/proxy-body-size: "512M"
+ nginx.ingress.kubernetes.io/proxy-body-size: "8G"
spec:
ingressClassName: nginx
tls:
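Review bot: `./manifests/bin/createadmin.sh gitea` executes the new script by path, but the createadmin.sh file header in this patch records `new file mode 100644`, so unless the mode is changed the call fails with a permission error, and if deploy.sh runs with `-e` the deploy stops before the runner secret is created. Either commit the script as mode 100755 or call it as `bash manifests/bin/createadmin.sh gitea` and `bash manifests/bin/createadmin.sh renovate '…'`; it depends on the `export -f` helpers from this file, so it has to run under bash in either case. The `kubectl wait … job/migrate` line above it is fine, but the same wait is what the new script lacks for its own Job, which is noted on the createadmin.sh hunk.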
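Review bot: Raising `proxy-body-size` from "512M" to "8G" lets the ingress accept request bodies of that size from any client before Gitea has authenticated it, and the commit gives no reason for the new limit. A comment beside the annotation naming the use case (large pushes, LFS, release assets) and the application-side upload limit it is meant to match would make the number reviewable later; if the limit is only needed on specific paths, a narrower ingress rule would keep the exposure smaller.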
diff --git a/manifests/common/createadmin.yaml b/manifests/common/createadmin.yaml new file mode 100644 index 0000000..7fc761d --- /dev/null +++ b/manifests/common/createadmin.yaml @@ -0,0 +1,37 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: "createadmin-$NAME" +spec: + template: + spec: + restartPolicy: Never + containers: + - name: createuser + image: "$IMAGEAPP" + command: + - bash + - -c + - | + gitea admin user change-password --must-change-password=false \ + --username "$NAME" \ + --password "$PASS" 2> /dev/null \ + || gitea admin user create --admin --must-change-password=false \ + --email "$EMAIL" \ + --username "$NAME" \ + --password "$PASS" + volumeMounts: + - name: config + mountPath: /etc/gitea/app.ini + subPath: app.ini + - name: secrets + mountPath: /etc/gitea/secrets/ + volumes: + - name: config + configMap: + name: gitea + - name: secrets + secret: + secretName: gitea + backoffLimit: 4 diff --git a/manifests/common/job.yaml b/manifests/common/job.yaml index 0281b29..bdbe13b 100644 --- a/manifests/common/job.yaml +++ b/manifests/common/job.yaml @@ -2,21 +2,17 @@ apiVersion: batch/v1 kind: Job metadata: - name: createadminuser + name: migrate spec: template: spec: restartPolicy: Never containers: - - name: createadminuser + - name: migrate image: "$IMAGEAPP" - envFrom: - - secretRef: - name: gitea-admin command: - - bash - - -c - - 'gitea migrate && { gitea admin user change-password --username "$username" --password "$password" --must-change-password=false 2> /dev/null || gitea admin user create --admin --email "$email" --username "$username" --password "$password" --must-change-password=false; }' + - gitea + - migrate volumeMounts: - name: config mountPath: /etc/gitea/app.ini diff --git a/manifests/common/renovate.yaml b/manifests/common/renovate.yaml index 0167afe..427ee4e 100644 --- a/manifests/common/renovate.yaml +++ b/manifests/common/renovate.yaml 
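Review bot: `gitea admin user create --admin` is applied to every account this Job creates, so the `renovate` bot that deploy.sh provisions with a `write:repository,…` token becomes a site administrator, and a leak of that token (injected into the renovate pod as RENOVATE_TOKEN) would carry admin rights rather than repository rights. Making the flag conditional — for example an exported `$ADMIN` placeholder that the caller sets to `--admin` only for the initial account and leaves empty otherwise — keeps the bot at least privilege. Separately, `2> /dev/null` on the change-password branch hides its error text, so when both commands fail the Job log shows only the create error; dropping the redirect costs nothing because the `||` fallback runs either way.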
@@ -27,10 +27,10 @@ spec: - name: RENOVATE_USERNAME valueFrom: secretKeyRef: - name: gitea-admin + name: gitea-renovate key: username - name: RENOVATE_TOKEN valueFrom: secretKeyRef: - name: runner + name: gitea-renovate key: token