feat: renovatebot

ange 2024-12-22 05:08:23 +00:00
parent 68f44eb5e4
commit bd449faec1
Signed by: ange
GPG Key ID: 9E0C4157BB7BEB1D
7 changed files with 90 additions and 33 deletions


@ -1,7 +1,7 @@
--- ---
services: services:
db: db:
image: docker.io/postgres:15 image: docker.io/postgres:17
restart: unless-stopped restart: unless-stopped
environment: environment:
- POSTGRES_DB=db - POSTGRES_DB=db
@ -20,16 +20,16 @@ services:
- POSTGRES_HOST=db - POSTGRES_HOST=db
- GITEA__database__DB_TYPE=postgres - GITEA__database__DB_TYPE=postgres
- GITEA__database__HOST=db - GITEA__database__HOST=db
- GITEA__database__NAME=db
- GITEA__database__USER=db - GITEA__database__USER=db
- GITEA__database__PASSWD=db - GITEA__database__PASSWD=db
- GITEA__service__DISABLE_REGISTRATION=true
volumes: volumes:
- data:/var/lib/gitea/
- config:/etc/gitea/ - config:/etc/gitea/
- data:/var/lib/gitea/
depends_on: depends_on:
- db - db
volumes: volumes:
db: {}
config: {} config: {}
data: {} data: {}
db: {}
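Review bot: The `db` service moves from `docker.io/postgres:15` to `docker.io/postgres:17` while keeping the same `db` volume; PostgreSQL does not upgrade a data directory across major versions, so a container started on a volume initialised by 15 will refuse to start until the data has been migrated (dump/restore or pg_upgrade), which the compose file cannot express and should at least be recorded above the `image:` line, e.g. `# major upgrade: migrate the db volume before switching versions`. The rendered view does not show which side `GITEA__service__DISABLE_REGISTRATION=true` and `GITEA__database__NAME=db` belong to; if the registration line is the one being removed, open self-registration comes back on this instance, and if the database-name line is the one removed, Gitea no longer gets `db` as its database name from the environment. The side of those two lines is worth confirming in the raw diff before merging.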


@ -0,0 +1,33 @@
#!/bin/bash -e
function get_token() {
kubectl exec app-0 -- gitea admin user generate-access-token \
--username "$NAME" \
--token-name "${NAME^^}" \
--scopes "$scopes" \
| awk '{print $NF}'
}
export NAME="$1"
scopes="$2"
export EMAIL="$NAME@$BASE_URL"
export SECRET="gitea-$NAME"
if ! kubectl get secret "$SECRET" > /dev/null 2>&1; then
p="$(openssl rand -hex 32)"
kapply common/createadmin.yaml
else
p="$(kgseckey "$SECRET" password)"
fi
opts=()
if [ -n "$scopes" ]; then
token="$(kgseckey "$SECRET" token || get_token)"
opts+=(--from-literal=token="$token")
fi
kcreatesec "$SECRET" \
--from-literal=email="$NAME@$BASE_URL" \
--from-literal=username="$SECRET" \
--from-literal=password="$p" \
"${opts[@]}"
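Review bot: The secret's `username` key is written as `$SECRET` (i.e. `gitea-renovate`) in the final `kcreatesec` call, while the Job applied from common/createadmin.yaml and `get_token` both address the account as `$NAME`; renovate.yaml reads `RENOVATE_USERNAME` from exactly this key, so the bot would present a username that does not exist in Gitea — change it to `--from-literal=username="$NAME"`. The freshly generated password `p` is never exported as `PASS`, yet createadmin.yaml substitutes `$PASS` through envsubst; unless it is exported somewhere not shown in this hunk, add `export PASS="$p"` before `kapply common/createadmin.yaml` or the Job runs with an empty password. Every account created this way becomes a site administrator (the Job uses `gitea admin user create --admin`), so the renovate bot account holds far more than the repository/issue scopes its token is limited to; a non-admin account for bot users would keep the blast radius of a leaked token to what the scopes already allow.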


@ -6,15 +6,15 @@ function kapply() {
kubectl apply -f \ kubectl apply -f \
<(envsubst "$(env | xargs printf '$%s ')" < "manifests/$f") <(envsubst "$(env | xargs printf '$%s ')" < "manifests/$f")
done done
} }; export -f kapply
function kcreatesec() { function kcreatesec() {
kubectl create secret generic --save-config --dry-run=client -oyaml "$@" | kubectl apply -f- kubectl create secret generic --save-config --dry-run=client -oyaml "$@" | kubectl apply -f-
} }; export -f kcreatesec
function kcreatecm() { function kcreatecm() {
kubectl create configmap --dry-run=client -oyaml "$@" | kubectl apply -f- kubectl create configmap --dry-run=client -oyaml "$@" | kubectl apply -f-
} }; export -f kcreatecm
function kgseckey() { function kgseckey() {
local sec="$1"; shift local sec="$1"; shift
@ -23,7 +23,7 @@ function kgseckey() {
if ! kubectl get secret "$sec" -ojson | jq -re ".data.\"$key\" // empty" | base64 -d; then if ! kubectl get secret "$sec" -ojson | jq -re ".data.\"$key\" // empty" | base64 -d; then
return 1 return 1
fi fi
} }; export -f kgseckey
function kgcmkey() { function kgcmkey() {
local cm="$1"; shift local cm="$1"; shift
@ -32,7 +32,7 @@ function kgcmkey() {
if ! kubectl get configmap "$cm" -ojson | jq -re ".data.\"$key\" // empty"; then if ! kubectl get configmap "$cm" -ojson | jq -re ".data.\"$key\" // empty"; then
return 1 return 1
fi fi
} }; export -f kgcmkey
kapply common/db.yaml kapply common/db.yaml
@ -46,14 +46,6 @@ export POSTGRES_DB; POSTGRES_DB="$(kgseckey postgres-app dbname)"
export POSTGRES_USER; POSTGRES_USER="$(kgseckey postgres-app user)" export POSTGRES_USER; POSTGRES_USER="$(kgseckey postgres-app user)"
export POSTGRES_PASSWORD; POSTGRES_PASSWORD="$(kgseckey postgres-app password)" export POSTGRES_PASSWORD; POSTGRES_PASSWORD="$(kgseckey postgres-app password)"
GITEA_USERNAME="$(kgseckey gitea-admin username || echo gitea)"
GITEA_PASSWORD="$(kgseckey gitea-admin password || openssl rand -hex 32)"
kcreatesec gitea-admin \
--from-literal=email="gitea@$BASE_URL" \
--from-literal=username="$GITEA_USERNAME" \
--from-literal=password="$GITEA_PASSWORD"
kubectl run --image "$IMAGEAPP" secrets sleep 600 kubectl run --image "$IMAGEAPP" secrets sleep 600
sleep 5 sleep 5
kcreatesec gitea \ kcreatesec gitea \
@ -71,15 +63,14 @@ kapply common/job.yaml \
kubectl rollout restart statefulset app kubectl rollout restart statefulset app
kubectl wait --timeout=5m --for=condition=complete job/createadminuser kubectl wait --timeout=5m --for=condition=complete job/migrate
sleep 5
./manifests/bin/createadmin.sh gitea
./manifests/bin/createadmin.sh renovate 'write:repository,read:user,write:issue,read:organization'
kcreatesec runner \ kcreatesec runner \
--from-literal=token="$(kgseckey runner token || kubectl exec app-0 -- gitea actions generate-runner-token)" --from-literal=token="$(kgseckey runner token || kubectl exec app-0 -- gitea actions generate-runner-token)"
kcreatesec renovate \
--from-literal=token="$(kgseckey renovate token || kubectl exec app-0 -- gitea admin user generate-access-token --username "$GITEA_USERNAME" --token-name RENOVATE --scopes 'write:repository,read:user,write:issue,read:organization' | grep -o '[a-f0-9]\+$')"
kapply common/runner.yaml common/renovate.yaml kapply common/runner.yaml common/renovate.yaml
kubectl rollout restart statefulset runner kubectl rollout restart statefulset runner
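Review bot: Dropping the `kcreatesec gitea-admin` and `kcreatesec renovate` calls stops creating those secrets but does nothing for clusters that already have them: the `gitea-admin` secret holding the admin password, the `renovate` secret and the `RENOVATE` access token the previous revision issued to the admin account all remain valid after this deploy runs. A one-off cleanup in this script — `kubectl delete secret gitea-admin renovate --ignore-not-found` plus revoking the old admin-account token in Gitea — would close that gap, since the bot now authenticates only through `gitea-renovate`. The `sleep 5` inserted before `./manifests/bin/createadmin.sh gitea` is a fixed delay between `kubectl rollout restart statefulset app` and the `kubectl exec app-0` inside that script; `kubectl rollout status statefulset app --timeout=5m` would wait for the restarted pod to be ready instead of guessing.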


@ -5,7 +5,7 @@ metadata:
name: app name: app
annotations: annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/proxy-body-size: "512M" nginx.ingress.kubernetes.io/proxy-body-size: "8G"
spec: spec:
ingressClassName: nginx ingressClassName: nginx
tls: tls:
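Review bot: Raising `proxy-body-size` from `"512M"` to `"8G"` removes most of the ingress-level cap on request bodies: any client, authenticated or not, can now stream up to 8 GB per request to the Gitea pod before the application gets a say, which makes disk-fill and slow-upload denial of service cheaper. If the higher limit is needed for large pushes or attachments, keep it paired with Gitea's own limits in app.ini (`[attachment] MAX_SIZE`, `[repository.upload] FILE_MAX_SIZE`) so the effective cap is enforced by the application rather than only by nginx, and record the reason next to the annotation, e.g. `# 8G: needed for large pushes; per-type limits enforced in app.ini`.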


@ -0,0 +1,37 @@
---
apiVersion: batch/v1
kind: Job
metadata:
name: "createadmin-$NAME"
spec:
template:
spec:
restartPolicy: Never
containers:
- name: createuser
image: "$IMAGEAPP"
command:
- bash
- -c
- |
gitea admin user change-password --must-change-password=false \
--username "$NAME" \
--password "$PASS" 2> /dev/null \
|| gitea admin user create --admin --must-change-password=false \
--email "$EMAIL" \
--username "$NAME" \
--password "$PASS"
volumeMounts:
- name: config
mountPath: /etc/gitea/app.ini
subPath: app.ini
- name: secrets
mountPath: /etc/gitea/secrets/
volumes:
- name: config
configMap:
name: gitea
- name: secrets
secret:
secretName: gitea
backoffLimit: 4
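Review bot: The password is baked into the Job's pod spec: `$PASS` on the two `--password` lines is expanded by envsubst at apply time, so the plain-text credential is readable by anyone who can read Jobs or Pods in the namespace, and it stays there because the completed Job is never cleaned up (no `ttlSecondsAfterFinished`). The previous job.yaml already used the safer pattern of `envFrom:` with a `secretRef`; creating the `$SECRET` secret before applying this Job and reading the credentials from it in the container would keep the password out of the manifest, and a TTL on the Job removes the finished pod afterwards. The `2> /dev/null` on the change-password attempt also discards the reason for falling through to `user create`, which makes a failed run hard to diagnose from the pod log.
```yaml
spec:
  ttlSecondsAfterFinished: 600
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: createuser
          image: "$IMAGEAPP"
          envFrom:
            - secretRef:
                name: "$SECRET"
          # … unchanged: command (read username/password/email from the secret's env vars instead of envsubst-expanded $NAME/$PASS/$EMAIL), volumeMounts …
  # … unchanged: volumes, backoffLimit …
```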


@ -2,21 +2,17 @@
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
name: createadminuser name: migrate
spec: spec:
template: template:
spec: spec:
restartPolicy: Never restartPolicy: Never
containers: containers:
- name: createadminuser - name: migrate
image: "$IMAGEAPP" image: "$IMAGEAPP"
envFrom:
- secretRef:
name: gitea-admin
command: command:
- bash - gitea
- -c - migrate
- 'gitea migrate && { gitea admin user change-password --username "$username" --password "$password" --must-change-password=false 2> /dev/null || gitea admin user create --admin --email "$email" --username "$username" --password "$password" --must-change-password=false; }'
volumeMounts: volumeMounts:
- name: config - name: config
mountPath: /etc/gitea/app.ini mountPath: /etc/gitea/app.ini


@ -27,10 +27,10 @@ spec:
- name: RENOVATE_USERNAME - name: RENOVATE_USERNAME
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: gitea-admin name: gitea-renovate
key: username key: username
- name: RENOVATE_TOKEN - name: RENOVATE_TOKEN
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: runner name: gitea-renovate
key: token key: token