Reviewed-on: #2
This commit is contained in:
parent
41d089f0dc
commit
f231efb04e
4
.env
4
.env
@ -1,3 +1,3 @@
|
||||
PROD_URL=git.gmoker.com
|
||||
IMAGEAPP=docker.io/gitea/gitea:1.22.0-rc1-rootless
|
||||
IMAGERUNNER=docker.io/gitea/act_runner:0.2.10-dind-rootless
|
||||
IMAGEAPP=docker.io/gitea/gitea:1.22.6-rootless
|
||||
IMAGERUNNER=docker.io/gitea/act_runner:0.2.11-dind-rootless
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
---
|
||||
services:
|
||||
db:
|
||||
image: docker.io/postgres:15
|
||||
image: docker.io/postgres:17
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
- POSTGRES_DB=db
|
||||
@ -20,16 +20,16 @@ services:
|
||||
- POSTGRES_HOST=db
|
||||
- GITEA__database__DB_TYPE=postgres
|
||||
- GITEA__database__HOST=db
|
||||
- GITEA__database__NAME=db
|
||||
- GITEA__database__USER=db
|
||||
- GITEA__database__PASSWD=db
|
||||
- GITEA__service__DISABLE_REGISTRATION=true
|
||||
volumes:
|
||||
- data:/var/lib/gitea/
|
||||
- config:/etc/gitea/
|
||||
- data:/var/lib/gitea/
|
||||
depends_on:
|
||||
- db
|
||||
|
||||
volumes:
|
||||
db: {}
|
||||
config: {}
|
||||
data: {}
|
||||
db: {}
|
||||
|
||||
@ -540,10 +540,10 @@ ENABLED = false
|
||||
;;
|
||||
;; OAuth2 authentication secret for access and refresh tokens, change this yourself to a unique string. CLI generate option is helpful in this case. https://docs.gitea.io/en-us/command-line/#generate
|
||||
;; This setting is only needed if JWT_SIGNING_ALGORITHM is set to HS256, HS384 or HS512.
|
||||
;JWT_SECRET =
|
||||
JWT_SECRET =
|
||||
;;
|
||||
;; Alternative location to specify OAuth2 authentication secret. You cannot specify both this and JWT_SECRET, and must pick one
|
||||
;JWT_SECRET_URI = file:/etc/gitea/oauth2_jwt_secret
|
||||
JWT_SECRET_URI = file:/etc/gitea/secrets/oauth2_jwt_secret
|
||||
;;
|
||||
;; Lifetime of an OAuth2 access token in seconds
|
||||
;ACCESS_TOKEN_EXPIRATION_TIME = 3600
|
||||
@ -2035,6 +2035,17 @@ ENABLED = true
|
||||
;; or only create new users if UPDATE_EXISTING is set to false
|
||||
;UPDATE_EXISTING = true
|
||||
|
||||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||
;; Cleanup expired actions assets
|
||||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||
;[cron.cleanup_actions]
|
||||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||
;ENABLED = true
|
||||
;RUN_AT_START = true
|
||||
;SCHEDULE = @midnight
|
||||
|
||||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||
;; Clean-up deleted branches
|
||||
4
diff.sh
4
diff.sh
@ -2,6 +2,6 @@
|
||||
|
||||
URL='https://raw.githubusercontent.com'
|
||||
REPO='go-gitea/gitea'
|
||||
TAG="v$(awk -F: '/^IMAGEAPP/{sub("-rootless", ""); print $2}' .env)"
|
||||
TAG="release/v$(awk -F: '/^IMAGEAPP/{sub(".[0-9]+-rootless", ""); print $2}' .env)"
|
||||
|
||||
$EDITOR -d -c "wincmd l" -- "$URL/$REPO/$TAG/custom/conf/app.example.ini" app.ini
|
||||
$EDITOR -d -c "wincmd l" -- "$URL/$REPO/$TAG/custom/conf/app.example.ini" config/app.ini
|
||||
|
||||
37
manifests/bin/createadmin.sh
Executable file
37
manifests/bin/createadmin.sh
Executable file
@ -0,0 +1,37 @@
|
||||
#!/bin/bash -e
|
||||
set -o pipefail
|
||||
|
||||
function get_token() {
|
||||
kubectl exec statefulset/app -- gitea admin user generate-access-token \
|
||||
--username "$name" \
|
||||
--token-name "${name^^}" \
|
||||
--scopes "$scopes" \
|
||||
| awk '{print $NF}'
|
||||
}
|
||||
|
||||
name="$1"
|
||||
scopes="$2"
|
||||
email="$name@$BASE_URL"
|
||||
secret="gitea-$name"
|
||||
passwd="$(kgseckey "$secret" password || true)"
|
||||
|
||||
if [ -z "$passwd" ]; then
|
||||
passwd="$(openssl rand -hex 32)"
|
||||
kubectl exec statefulset/app -- \
|
||||
gitea admin user create --admin --must-change-password=false \
|
||||
--email "$email" \
|
||||
--username "$name" \
|
||||
--password "$passwd"
|
||||
fi
|
||||
|
||||
opts=()
|
||||
[ -n "$scopes" ] && opts+=(
|
||||
--from-literal=token="$(kgseckey "$secret" token || get_token)"
|
||||
--from-literal=tokenscopes="$scopes"
|
||||
)
|
||||
|
||||
kcreatesec "$secret" \
|
||||
--from-literal=email="$email" \
|
||||
--from-literal=username="$name" \
|
||||
--from-literal=password="$passwd" \
|
||||
"${opts[@]}"
|
||||
@ -3,37 +3,40 @@ set -o pipefail
|
||||
|
||||
function kapply() {
|
||||
for f in "$@"; do
|
||||
kubectl apply -f \
|
||||
<(envsubst "$(env | xargs printf '$%s ')" < "manifests/$f")
|
||||
kubectl apply -f <(envsubst < "manifests/$f")
|
||||
done
|
||||
}
|
||||
}; export -f kapply
|
||||
|
||||
function kcreatesec() {
|
||||
kubectl create secret generic --save-config --dry-run=client -oyaml "$@" | kubectl apply -f-
|
||||
}
|
||||
}; export -f kcreatesec
|
||||
|
||||
function kcreatecm() {
|
||||
kubectl create configmap --dry-run=client -oyaml "$@" | kubectl apply -f-
|
||||
}
|
||||
}; export -f kcreatecm
|
||||
|
||||
function kgseckey() {
|
||||
local sec="$1"; shift
|
||||
local key="$1"; shift
|
||||
|
||||
kubectl get secret "$sec" -o jsonpath="{.data.$key}" | base64 -d
|
||||
}
|
||||
if ! kubectl get secret "$sec" -ojson | jq -re ".data.\"$key\" // empty" | base64 -d; then
|
||||
return 1
|
||||
fi
|
||||
}; export -f kgseckey
|
||||
|
||||
function kgcmkey() {
|
||||
local cm="$1"; shift
|
||||
local cm="$1"; shift
|
||||
local key="$1"; shift
|
||||
|
||||
kubectl get configmap "$cm" -o jsonpath="{.data.$key}"
|
||||
}
|
||||
if ! kubectl get configmap "$cm" -ojson | jq -re ".data.\"$key\" // empty"; then
|
||||
return 1
|
||||
fi
|
||||
}; export -f kgcmkey
|
||||
|
||||
|
||||
kapply common/db.yaml
|
||||
|
||||
export REDIS_HOST=redis
|
||||
export REDIS_HOST=valkey
|
||||
export REDIS_DB=0
|
||||
export REDIS_PORT=6379
|
||||
export POSTGRES_HOST; POSTGRES_HOST="$(kgseckey postgres-app host)"
|
||||
@ -42,37 +45,32 @@ export POSTGRES_DB; POSTGRES_DB="$(kgseckey postgres-app dbname)"
|
||||
export POSTGRES_USER; POSTGRES_USER="$(kgseckey postgres-app user)"
|
||||
export POSTGRES_PASSWORD; POSTGRES_PASSWORD="$(kgseckey postgres-app password)"
|
||||
|
||||
export GITEA_USERNAME="$(kgseckey gitea-admin username || echo gitea)"
|
||||
export GITEA_PASSWORD="$(kgseckey gitea-admin password || openssl rand -hex 32)"
|
||||
# shellcheck disable=SC1090,SC2016
|
||||
. <(kubectl run -i --rm --image "$IMAGEAPP" secrets -- bash <<< 'echo SECRET_KEY="$(gitea generate secret SECRET_KEY)" INTERNAL_TOKEN="$(gitea generate secret INTERNAL_TOKEN)" JWT_SECRET="$(gitea generate secret JWT_SECRET)"' | head -n1)
|
||||
|
||||
kcreatesec gitea-admin \
|
||||
--from-literal=email="gitea@$BASE_URL" \
|
||||
--from-literal=username="$GITEA_USERNAME" \
|
||||
--from-literal=password="$GITEA_PASSWORD"
|
||||
kcreatesec gitea \
|
||||
--from-literal=secret_key="$(kgseckey gitea secret_key || echo "$SECRET_KEY")" \
|
||||
--from-literal=internal_token="$(kgseckey gitea internal_token || echo "$INTERNAL_TOKEN")" \
|
||||
--from-literal=oauth2_jwt_secret="$(kgseckey gitea oauth2_jwt_secret || echo "$JWT_SECRET")"
|
||||
|
||||
kcreatesec gitea-secrets \
|
||||
--from-literal=secret_key="$(kgseckey gitea-secrets secret_key || openssl rand -hex 32)" \
|
||||
--from-literal=internal_token="$(kgseckey gitea-secrets internal_token || openssl rand -hex 32)"
|
||||
|
||||
kcreatecm gitea-config \
|
||||
--from-file=app.ini=<(envsubst "$(env | xargs printf '$%s ')" < app.ini)
|
||||
kcreatecm gitea \
|
||||
--from-file=app.ini=<(envsubst < config/app.ini)
|
||||
|
||||
kapply common/job.yaml \
|
||||
common/redis.yaml \
|
||||
common/valkey.yaml \
|
||||
common/app.yaml
|
||||
|
||||
kubectl rollout restart statefulset app
|
||||
|
||||
kubectl rollout status sts app
|
||||
kubectl rollout status statefulset app
|
||||
kubectl wait --timeout=5m --for=condition=complete job/migrate
|
||||
|
||||
for i in {0..9}; do
|
||||
RUNNER_TOKEN="$(kubectl exec app-0 -- curl -sS "http://$GITEA_USERNAME:$GITEA_PASSWORD@app/api/v1/admin/runners/registration-token" | jq -r '.token // empty' || true)"
|
||||
./manifests/bin/createadmin.sh gitea
|
||||
./manifests/bin/createadmin.sh renovate 'write:repository,read:user,write:issue,read:organization'
|
||||
|
||||
if [ -n "$RUNNER_TOKEN" ]; then
|
||||
kcreatesec runner-secret --from-literal=token="$RUNNER_TOKEN"
|
||||
kapply common/runner.yaml
|
||||
kubectl rollout restart statefulset runner
|
||||
break
|
||||
fi
|
||||
sleep 5
|
||||
done
|
||||
kcreatesec runner \
|
||||
--from-literal=token="$(kgseckey runner token || kubectl exec statefulset/app -- gitea actions generate-runner-token)"
|
||||
|
||||
kapply common/runner.yaml common/renovate.yaml
|
||||
|
||||
kubectl rollout restart statefulset runner
|
||||
|
||||
@ -1,4 +1,5 @@
|
||||
#!/bin/bash -e
|
||||
set -o pipefail
|
||||
|
||||
export NB_REPLICAS=1
|
||||
|
||||
|
||||
@ -1,8 +1,11 @@
|
||||
#!/bin/bash -e
|
||||
set -o pipefail
|
||||
|
||||
# TODO: 3
|
||||
export NB_REPLICAS=1
|
||||
|
||||
. ./manifests/bin/deploy.sh
|
||||
|
||||
#kapply prod/ssh.yaml
|
||||
if [ "$GITHUB_REF_NAME" = prod ]; then
|
||||
kapply prod/ssh.yaml
|
||||
fi
|
||||
|
||||
@ -5,7 +5,7 @@ metadata:
|
||||
name: app
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: "512M"
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: "8G"
|
||||
spec:
|
||||
ingressClassName: nginx
|
||||
tls:
|
||||
@ -68,19 +68,17 @@ spec:
|
||||
- name: config
|
||||
mountPath: /etc/gitea/app.ini
|
||||
subPath: app.ini
|
||||
readOnly: true
|
||||
- name: secrets
|
||||
mountPath: /etc/gitea/secrets/
|
||||
readOnly: true
|
||||
securityContext:
|
||||
fsGroup: 1000
|
||||
volumes:
|
||||
- name: config
|
||||
configMap:
|
||||
name: gitea-config
|
||||
name: gitea
|
||||
- name: secrets
|
||||
secret:
|
||||
secretName: gitea-secrets
|
||||
secretName: gitea
|
||||
volumeClaimTemplates:
|
||||
- metadata:
|
||||
name: data
|
||||
|
||||
@ -2,34 +2,28 @@
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: createadminuser
|
||||
name: migrate
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
restartPolicy: Never
|
||||
containers:
|
||||
- name: createadminuser
|
||||
- name: migrate
|
||||
image: "$IMAGEAPP"
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: gitea-admin
|
||||
command:
|
||||
- bash
|
||||
- -c
|
||||
- 'gitea migrate && { gitea admin user change-password --username "$username" --password "$password" 2> /dev/null || gitea admin user create --admin --email "$email" --username "$username" --password "$password"; }'
|
||||
- gitea
|
||||
- migrate
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /etc/gitea/app.ini
|
||||
subPath: app.ini
|
||||
readOnly: true
|
||||
- name: secrets
|
||||
mountPath: /etc/gitea/secrets/
|
||||
readOnly: true
|
||||
volumes:
|
||||
- name: config
|
||||
configMap:
|
||||
name: gitea-config
|
||||
name: gitea
|
||||
- name: secrets
|
||||
secret:
|
||||
secretName: gitea-secrets
|
||||
secretName: gitea
|
||||
backoffLimit: 4
|
||||
|
||||
36
manifests/common/renovate.yaml
Normal file
36
manifests/common/renovate.yaml
Normal file
@ -0,0 +1,36 @@
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: renovate
|
||||
spec:
|
||||
schedule: '0 0 * * 1'
|
||||
concurrencyPolicy: Forbid
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
restartPolicy: Never
|
||||
containers:
|
||||
- name: renovate
|
||||
image: docker.io/renovate/renovate:slim
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: LOG_LEVEL
|
||||
value: debug
|
||||
- name: RENOVATE_AUTODISCOVER
|
||||
value: 'true'
|
||||
- name: RENOVATE_PLATFORM
|
||||
value: gitea
|
||||
- name: RENOVATE_ENDPOINT
|
||||
value: "https://$BASE_URL/api/v1"
|
||||
- name: RENOVATE_USERNAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gitea-renovate
|
||||
key: username
|
||||
- name: RENOVATE_TOKEN
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gitea-renovate
|
||||
key: token
|
||||
@ -36,7 +36,7 @@ spec:
|
||||
- name: GITEA_RUNNER_REGISTRATION_TOKEN
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: runner-secret
|
||||
name: runner
|
||||
key: token
|
||||
volumeMounts:
|
||||
- name: data
|
||||
|
||||
@ -2,36 +2,36 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: redis
|
||||
name: valkey
|
||||
labels:
|
||||
app: redis
|
||||
app: valkey
|
||||
spec:
|
||||
selector:
|
||||
app: redis
|
||||
app: valkey
|
||||
ports:
|
||||
- name: redis
|
||||
- name: valkey
|
||||
port: 6379
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: redis
|
||||
name: valkey
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app: redis
|
||||
serviceName: redis
|
||||
app: valkey
|
||||
serviceName: valkey
|
||||
replicas: $NB_REPLICAS
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: redis
|
||||
app: valkey
|
||||
spec:
|
||||
containers:
|
||||
- name: redis
|
||||
image: docker.io/redis:latest
|
||||
- name: valkey
|
||||
image: docker.io/valkey/valkey:latest
|
||||
ports:
|
||||
- name: redis
|
||||
- name: valkey
|
||||
containerPort: 6379
|
||||
volumeMounts:
|
||||
- name: data
|
||||
Loading…
Reference in New Issue
Block a user