From f231efb04e2e04274a3476871395129be996c2e4 Mon Sep 17 00:00:00 2001 From: ange Date: Mon, 23 Dec 2024 02:44:15 +0000 Subject: [PATCH] feat: renovatebot (#2) Reviewed-on: https://git.gmoker.com/gmoker/gitea/pulls/2 --- .env | 4 +- compose.yaml | 8 +-- app.ini => config/app.ini | 15 ++++- diff.sh | 4 +- manifests/bin/createadmin.sh | 37 +++++++++++ manifests/bin/deploy.sh | 68 ++++++++++---------- manifests/bin/devel.sh | 1 + manifests/bin/prod.sh | 5 +- manifests/common/app.yaml | 8 +-- manifests/common/job.yaml | 18 ++---- manifests/common/renovate.yaml | 36 +++++++++++ manifests/common/runner.yaml | 2 +- manifests/common/{redis.yaml => valkey.yaml} | 22 +++---- 13 files changed, 153 insertions(+), 75 deletions(-) rename app.ini => config/app.ini (99%) create mode 100755 manifests/bin/createadmin.sh create mode 100644 manifests/common/renovate.yaml rename manifests/common/{redis.yaml => valkey.yaml} (66%) diff --git a/.env b/.env index 10e521d..ea69377 100644 --- a/.env +++ b/.env @@ -1,3 +1,3 @@ PROD_URL=git.gmoker.com -IMAGEAPP=docker.io/gitea/gitea:1.22.0-rc1-rootless -IMAGERUNNER=docker.io/gitea/act_runner:0.2.10-dind-rootless +IMAGEAPP=docker.io/gitea/gitea:1.22.6-rootless +IMAGERUNNER=docker.io/gitea/act_runner:0.2.11-dind-rootless diff --git a/compose.yaml b/compose.yaml index e2ae670..966146a 100644 --- a/compose.yaml +++ b/compose.yaml @@ -1,7 +1,7 @@ --- services: db: - image: docker.io/postgres:15 + image: docker.io/postgres:17 restart: unless-stopped environment: - POSTGRES_DB=db @@ -20,16 +20,16 @@ services: - POSTGRES_HOST=db - GITEA__database__DB_TYPE=postgres - GITEA__database__HOST=db + - GITEA__database__NAME=db - GITEA__database__USER=db - GITEA__database__PASSWD=db - - GITEA__service__DISABLE_REGISTRATION=true volumes: - - data:/var/lib/gitea/ - config:/etc/gitea/ + - data:/var/lib/gitea/ depends_on: - db volumes: + db: {} config: {} data: {} - db: {} 
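Review bot: Dropping `- GITEA__service__DISABLE_REGISTRATION=true` from the compose `environment` re-enables open self-registration for this deployment: Gitea's default for `[service] DISABLE_REGISTRATION` is false, and the compose service mounts an empty `config` named volume rather than the repository's `config/app.ini`, so nothing else in this file turns it off. The commit message does not mention the change, so if it is unintended restore the line (or set it alongside the new `GITEA__database__NAME=db`), and if it is intended say so in a comment such as `# self-registration is open on purpose for local development`. Bumping `postgres:15` to `postgres:17` on an existing `db` volume will also refuse to start without a dump/restore or pg_upgrade, which is worth a note for anyone with data in that volume.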
diff --git a/app.ini b/config/app.ini similarity index 99% rename from app.ini rename to config/app.ini index 32f85a3..349d8d1 100644 --- a/app.ini +++ b/config/app.ini @@ -540,10 +540,10 @@ ENABLED = false ;; ;; OAuth2 authentication secret for access and refresh tokens, change this yourself to a unique string. CLI generate option is helpful in this case. https://docs.gitea.io/en-us/command-line/#generate ;; This setting is only needed if JWT_SIGNING_ALGORITHM is set to HS256, HS384 or HS512. -;JWT_SECRET = +JWT_SECRET = ;; ;; Alternative location to specify OAuth2 authentication secret. You cannot specify both this and JWT_SECRET, and must pick one -;JWT_SECRET_URI = file:/etc/gitea/oauth2_jwt_secret +JWT_SECRET_URI = file:/etc/gitea/secrets/oauth2_jwt_secret ;; ;; Lifetime of an OAuth2 access token in seconds ;ACCESS_TOKEN_EXPIRATION_TIME = 3600 @@ -2035,6 +2035,17 @@ ENABLED = true ;; or only create new users if UPDATE_EXISTING is set to false ;UPDATE_EXISTING = true +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Cleanup expired actions assets +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[cron.cleanup_actions] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;ENABLED = true +;RUN_AT_START = true +;SCHEDULE = @midnight + ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;; Clean-up deleted branches diff --git a/diff.sh b/diff.sh index 59ed8cf..7f6eb72 100755 --- a/diff.sh +++ b/diff.sh 
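Review bot: `JWT_SECRET =` is uncommented with an empty value directly beneath the comment stating that it and `JWT_SECRET_URI` cannot both be set; Gitea treats the empty string as unset, so this should not fail at startup, but it reads like a misconfiguration and invites someone to fill it in later, which would then trip exactly that check. Either keep it commented as `;JWT_SECRET =` or add `;; intentionally empty: the secret is read from the file named by JWT_SECRET_URI` above it. The new URI `file:/etc/gitea/secrets/oauth2_jwt_secret` matches the `secrets` mount and the `oauth2_jwt_secret` key created by deploy.sh, so the mechanism itself looks consistent.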
@@ -2,6 +2,6 @@ URL='https://raw.githubusercontent.com' REPO='go-gitea/gitea' -TAG="v$(awk -F: '/^IMAGEAPP/{sub("-rootless", ""); print $2}' .env)" +TAG="release/v$(awk -F: '/^IMAGEAPP/{sub(".[0-9]+-rootless", ""); print $2}' .env)" -$EDITOR -d -c "wincmd l" -- "$URL/$REPO/$TAG/custom/conf/app.example.ini" app.ini +$EDITOR -d -c "wincmd l" -- "$URL/$REPO/$TAG/custom/conf/app.example.ini" config/app.ini diff --git a/manifests/bin/createadmin.sh b/manifests/bin/createadmin.sh new file mode 100755 index 0000000..8691667 --- /dev/null +++ b/manifests/bin/createadmin.sh @@ -0,0 +1,37 @@ +#!/bin/bash -e +set -o pipefail + +function get_token() { + kubectl exec statefulset/app -- gitea admin user generate-access-token \ + --username "$name" \ + --token-name "${name^^}" \ + --scopes "$scopes" \ + | awk '{print $NF}' +} + +name="$1" +scopes="$2" +email="$name@$BASE_URL" +secret="gitea-$name" +passwd="$(kgseckey "$secret" password || true)" + +if [ -z "$passwd" ]; then + passwd="$(openssl rand -hex 32)" + kubectl exec statefulset/app -- \ + gitea admin user create --admin --must-change-password=false \ + --email "$email" \ + --username "$name" \ + --password "$passwd" +fi + +opts=() +[ -n "$scopes" ] && opts+=( + --from-literal=token="$(kgseckey "$secret" token || get_token)" + --from-literal=tokenscopes="$scopes" +) + +kcreatesec "$secret" \ + --from-literal=email="$email" \ + --from-literal=username="$name" \ + --from-literal=password="$passwd" \ + "${opts[@]}" diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh index 2b92530..ad2271f 100755 --- a/manifests/bin/deploy.sh +++ b/manifests/bin/deploy.sh 
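Review bot: The `.` in `sub(".[0-9]+-rootless", "")` is an unescaped regex metacharacter, so the pattern means "any character, then digits, then -rootless"; it yields `1.22` for the current tag only because the leftmost match happens to start at the second dot. Escape it, `sub("\\.[0-9]+-rootless", "")`, so the intent (strip the patch level) is explicit and does not depend on the tag's shape. Note also that diffing against the `release/v1.22` branch head rather than the pinned `v1.22.6` tag can show settings the deployed image does not support yet.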
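Review bot: The admin password is passed as a `kubectl exec` argument (`--password "$passwd"`), which exposes it in the container's process list and in the API-server audit log, where the exec request URI carries every command argument even at the Metadata audit level. Prefer letting Gitea generate it (`gitea admin user create --random-password`, if the bundled CLI supports it) and capturing it from stdout, and likewise prefer `generate-access-token --raw` on releases that have it over `awk '{print $NF}'`, which depends on the wording of the success message. This script only works when launched from deploy.sh, since `kgseckey` and `kcreatesec` arrive via `export -f`; a header comment like `# Requires the kgseckey/kcreatesec helpers exported by deploy.sh and BASE_URL in the environment` would make that explicit. Finally, if the user already exists but the `gitea-$name` secret is missing, `gitea admin user create` fails and `-e` aborts the deploy; the removed job handled this with `change-password` as a fallback.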
@@ -3,37 +3,40 @@ set -o pipefail function kapply() { for f in "$@"; do - kubectl apply -f \ - <(envsubst "$(env | xargs printf '$%s ')" < "manifests/$f") + kubectl apply -f <(envsubst < "manifests/$f") done -} +}; export -f kapply function kcreatesec() { kubectl create secret generic --save-config --dry-run=client -oyaml "$@" | kubectl apply -f- -} +}; export -f kcreatesec function kcreatecm() { kubectl create configmap --dry-run=client -oyaml "$@" | kubectl apply -f- -} +}; export -f kcreatecm function kgseckey() { local sec="$1"; shift local key="$1"; shift - kubectl get secret "$sec" -o jsonpath="{.data.$key}" | base64 -d -} + if ! kubectl get secret "$sec" -ojson | jq -re ".data.\"$key\" // empty" | base64 -d; then + return 1 + fi +}; export -f kgseckey function kgcmkey() { - local cm="$1"; shift + local cm="$1"; shift local key="$1"; shift - kubectl get configmap "$cm" -o jsonpath="{.data.$key}" -} + if ! kubectl get configmap "$cm" -ojson | jq -re ".data.\"$key\" // empty"; then + return 1 + fi +}; export -f kgcmkey kapply common/db.yaml -export REDIS_HOST=redis +export REDIS_HOST=valkey export REDIS_DB=0 export REDIS_PORT=6379 export POSTGRES_HOST; POSTGRES_HOST="$(kgseckey postgres-app host)" 
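Review bot: `kgseckey` returns 1 both when the key is absent and when `kubectl get secret` itself fails (RBAC denial, connectivity, transient API error), and its callers use `|| echo "$SECRET_KEY"`-style fallbacks, so a transient kubectl failure silently rotates `secret_key`, `internal_token` or the OAuth2 JWT secret on the next `kcreatesec gitea`; SECRET_KEY protects stored two-factor secrets and similar data, so that rotation is destructive. Use `kubectl get secret "$sec" -ojson --ignore-not-found` (empty output, exit 0 when the secret does not exist) and treat any non-zero kubectl exit as fatal rather than as "not found"; because `$(… || fallback)` swallows every failure, the fatal check must happen before the fallback, e.g. a single `kubectl get secret gitea --ignore-not-found >/dev/null` under `set -e` ahead of the `kcreatesec gitea` call. While there, pass the key as a jq variable, `jq -re --arg k "$key" '.data[$k] // empty'`, instead of interpolating `$key` into the program, which breaks on keys containing quotes and is the usual injection pattern; the same applies to `kgcmkey`.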
@@ -42,37 +45,32 @@ export POSTGRES_DB; POSTGRES_DB="$(kgseckey postgres-app dbname)" export POSTGRES_USER; POSTGRES_USER="$(kgseckey postgres-app user)" export POSTGRES_PASSWORD; POSTGRES_PASSWORD="$(kgseckey postgres-app password)" -export GITEA_USERNAME="$(kgseckey gitea-admin username || echo gitea)" -export GITEA_PASSWORD="$(kgseckey gitea-admin password || openssl rand -hex 32)" +# shellcheck disable=SC1090,SC2016 +. <(kubectl run -i --rm --image "$IMAGEAPP" secrets -- bash <<< 'echo SECRET_KEY="$(gitea generate secret SECRET_KEY)" INTERNAL_TOKEN="$(gitea generate secret INTERNAL_TOKEN)" JWT_SECRET="$(gitea generate secret JWT_SECRET)"' | head -n1) -kcreatesec gitea-admin \ - --from-literal=email="gitea@$BASE_URL" \ - --from-literal=username="$GITEA_USERNAME" \ - --from-literal=password="$GITEA_PASSWORD" +kcreatesec gitea \ + --from-literal=secret_key="$(kgseckey gitea secret_key || echo "$SECRET_KEY")" \ + --from-literal=internal_token="$(kgseckey gitea internal_token || echo "$INTERNAL_TOKEN")" \ + --from-literal=oauth2_jwt_secret="$(kgseckey gitea oauth2_jwt_secret || echo "$JWT_SECRET")" -kcreatesec gitea-secrets \ - --from-literal=secret_key="$(kgseckey gitea-secrets secret_key || openssl rand -hex 32)" \ - --from-literal=internal_token="$(kgseckey gitea-secrets internal_token || openssl rand -hex 32)" - -kcreatecm gitea-config \ - --from-file=app.ini=<(envsubst "$(env | xargs printf '$%s ')" < app.ini) +kcreatecm gitea \ + --from-file=app.ini=<(envsubst < config/app.ini) kapply common/job.yaml \ - common/redis.yaml \ + common/valkey.yaml \ common/app.yaml kubectl rollout restart statefulset app -kubectl rollout status sts app +kubectl rollout status statefulset app +kubectl wait --timeout=5m --for=condition=complete job/migrate -for i in {0..9}; do - RUNNER_TOKEN="$(kubectl exec app-0 -- curl -sS "http://$GITEA_USERNAME:$GITEA_PASSWORD@app/api/v1/admin/runners/registration-token" | jq -r '.token // empty' || true)" +./manifests/bin/createadmin.sh gitea 
+./manifests/bin/createadmin.sh renovate 'write:repository,read:user,write:issue,read:organization' - if [ -n "$RUNNER_TOKEN" ]; then - kcreatesec runner-secret --from-literal=token="$RUNNER_TOKEN" - kapply common/runner.yaml - kubectl rollout restart statefulset runner - break - fi - sleep 5 -done +kcreatesec runner \ + --from-literal=token="$(kgseckey runner token || kubectl exec statefulset/app -- gitea actions generate-runner-token)" + +kapply common/runner.yaml common/renovate.yaml + +kubectl rollout restart statefulset runner diff --git a/manifests/bin/devel.sh b/manifests/bin/devel.sh index 464c4d0..65675aa 100755 --- a/manifests/bin/devel.sh +++ b/manifests/bin/devel.sh @@ -1,4 +1,5 @@ #!/bin/bash -e +set -o pipefail export NB_REPLICAS=1 diff --git a/manifests/bin/prod.sh b/manifests/bin/prod.sh index bd12c83..142f57f 100755 --- a/manifests/bin/prod.sh +++ b/manifests/bin/prod.sh @@ -1,8 +1,11 @@ #!/bin/bash -e +set -o pipefail # TODO: 3 export NB_REPLICAS=1 . ./manifests/bin/deploy.sh -#kapply prod/ssh.yaml +if [ "$GITHUB_REF_NAME" = prod ]; then + kapply prod/ssh.yaml +fi diff --git a/manifests/common/app.yaml b/manifests/common/app.yaml index f0a71ed..f1b54e1 100644 --- a/manifests/common/app.yaml +++ b/manifests/common/app.yaml @@ -5,7 +5,7 @@ metadata: name: app annotations: cert-manager.io/cluster-issuer: letsencrypt-prod - nginx.ingress.kubernetes.io/proxy-body-size: "512M" + nginx.ingress.kubernetes.io/proxy-body-size: "8G" spec: ingressClassName: nginx tls: @@ -68,19 +68,17 @@ spec: - name: config mountPath: /etc/gitea/app.ini subPath: app.ini - readOnly: true - name: secrets mountPath: /etc/gitea/secrets/ - readOnly: true securityContext: fsGroup: 1000 volumes: - name: config configMap: - name: gitea-config + name: gitea - name: secrets secret: - secretName: gitea-secrets + secretName: gitea volumeClaimTemplates: - metadata: name: data diff --git a/manifests/common/job.yaml b/manifests/common/job.yaml index 9bf186f..bdbe13b 100644 
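Review bot: `. <(kubectl run -i --rm --image "$IMAGEAPP" secrets -- bash <<< '…' | head -n1)` evaluates the first stdout line of a fresh pod as shell code in the deployer's own context, so the integrity of the deploy now rests on an image referenced by a mutable tag in `.env` (no digest); a swapped tag, or any unexpected first line from kubectl, is sourced verbatim with the deployer's kubeconfig. Capture the values as data instead, one per invocation, e.g. `SECRET_KEY="$(kubectl run -i --rm --restart=Never --image "$IMAGEAPP" gen-secret-key -- gitea generate secret SECRET_KEY | head -n1)"`, and add `--restart=Never` so `kubectl run` never falls back to creating a workload that outlives the script. The `head -n1` also silently discards any extra output, so a failure that prints a message first would be ignored; checking the pipeline status (which `pipefail` only does if `head` exits after the producer) or validating the captured value's length before writing it into the Secret would be safer.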
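Review bot: Raising `nginx.ingress.kubernetes.io/proxy-body-size` to `"8G"` applies to every request through the ingress, including unauthenticated ones, and ingress-nginx buffers request bodies to disk by default, so any client can make the controller spool up to 8 GiB per connection before Gitea sees a byte. If the goal is large pushes or attachments, pair it with `nginx.ingress.kubernetes.io/proxy-request-buffering: "off"` so bodies stream through, and rely on Gitea's own `[attachment] MAX_SIZE` / `[repository.upload] FILE_MAX_SIZE` for the authenticated limits. A short comment on the annotation stating what the 8G is for would help whoever later has to decide whether it can be lowered.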
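Review bot: `readOnly: true` is removed from both the `config` (ConfigMap) and `secrets` (Secret) mounts with no stated reason, which is a defense-in-depth regression for the mount holding `secret_key`, `internal_token` and `oauth2_jwt_secret`. The kubelet presents Secret and ConfigMap volumes read-only regardless in current Kubernetes versions, so this likely changes nothing at runtime today, which is exactly why the explicit flag is cheap to keep: it records intent and survives a later switch to a different volume type. Unless Gitea genuinely needs to write `/etc/gitea/app.ini` (it attempts to persist generated secrets there when they are not configured, which the `JWT_SECRET_URI` and `secrets` volume in this commit are presumably meant to avoid), restore `readOnly: true` on both mounts.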
--- a/manifests/common/job.yaml +++ b/manifests/common/job.yaml @@ -2,34 +2,28 @@ apiVersion: batch/v1 kind: Job metadata: - name: createadminuser + name: migrate spec: template: spec: restartPolicy: Never containers: - - name: createadminuser + - name: migrate image: "$IMAGEAPP" - envFrom: - - secretRef: - name: gitea-admin command: - - bash - - -c - - 'gitea migrate && { gitea admin user change-password --username "$username" --password "$password" 2> /dev/null || gitea admin user create --admin --email "$email" --username "$username" --password "$password"; }' + - gitea + - migrate volumeMounts: - name: config mountPath: /etc/gitea/app.ini subPath: app.ini - readOnly: true - name: secrets mountPath: /etc/gitea/secrets/ - readOnly: true volumes: - name: config configMap: - name: gitea-config + name: gitea - name: secrets secret: - secretName: gitea-secrets + secretName: gitea backoffLimit: 4 diff --git a/manifests/common/renovate.yaml b/manifests/common/renovate.yaml new file mode 100644 index 0000000..427ee4e --- /dev/null +++ b/manifests/common/renovate.yaml @@ -0,0 +1,36 @@ +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: renovate +spec: + schedule: '0 0 * * 1' + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + spec: + restartPolicy: Never + containers: + - name: renovate + image: docker.io/renovate/renovate:slim + imagePullPolicy: Always + env: + - name: LOG_LEVEL + value: debug + - name: RENOVATE_AUTODISCOVER + value: 'true' + - name: RENOVATE_PLATFORM + value: gitea + - name: RENOVATE_ENDPOINT + value: "https://$BASE_URL/api/v1" + - name: RENOVATE_USERNAME + valueFrom: + secretKeyRef: + name: gitea-renovate + key: username + - name: RENOVATE_TOKEN + valueFrom: + secretKeyRef: + name: gitea-renovate + key: token diff --git a/manifests/common/runner.yaml b/manifests/common/runner.yaml index 19fea4c..7bd276f 100644 --- a/manifests/common/runner.yaml +++ b/manifests/common/runner.yaml 
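Review bot: The Job keeps the fixed name `migrate` while its container image is `$IMAGEAPP`; Kubernetes rejects `kubectl apply` on an existing Job whose `spec.template` differs (the field is immutable), so the first deploy after a tag change fails at `kapply common/job.yaml` instead of migrating. Delete the previous run before applying (`kubectl delete job migrate --ignore-not-found` in deploy.sh) or derive the name from the image tag, and add `ttlSecondsAfterFinished` so completed jobs clean themselves up. The same `readOnly: true` drop as in app.yaml appears on the `config` and `secrets` mounts here; `gitea migrate` has no reason to write either, so keep them read-only.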
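Review bot: `docker.io/renovate/renovate:slim` with `imagePullPolicy: Always` pulls whatever the registry serves under a floating tag every Monday and runs it with a token scoped `write:repository` across every autodiscovered repository, so a compromised or regressed image gets write access to all code on the instance. Pin the image to a specific version (ideally with a `@sha256:` digest) and let this Renovate instance propose its own bumps, which is the workflow the rest of the commit sets up; `LOG_LEVEL: debug` and an unfiltered `RENOVATE_AUTODISCOVER` are also worth revisiting before this runs against prod (an `RENOVATE_AUTODISCOVER_FILTER` for the organizations you intend it to touch, `info` logging). The pod sets no `resources` and no `securityContext` (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem` where the image tolerates it), which is cheap to add for a job that holds a write token.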
@@ -36,7 +36,7 @@ spec:
 - name: GITEA_RUNNER_REGISTRATION_TOKEN
 valueFrom:
 secretKeyRef:
- name: runner-secret
+ name: runner
 key: token
 volumeMounts:
 - name: data
diff --git a/manifests/common/redis.yaml b/manifests/common/valkey.yaml
similarity index 66%
rename from manifests/common/redis.yaml
rename to manifests/common/valkey.yaml
index 485d2a8..4df2c6d 100644
--- a/manifests/common/redis.yaml
+++ b/manifests/common/valkey.yaml
@@ -2,36 +2,36 @@
 apiVersion: v1
 kind: Service
 metadata:
- name: redis
+ name: valkey
 labels:
- app: redis
+ app: valkey
 spec:
 selector:
- app: redis
+ app: valkey
 ports:
- - name: redis
+ - name: valkey
 port: 6379
 ---
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
- name: redis
+ name: valkey
 spec:
 selector:
 matchLabels:
- app: redis
- serviceName: redis
+ app: valkey
+ serviceName: valkey
 replicas: $NB_REPLICAS
 template:
 metadata:
 labels:
- app: redis
+ app: valkey
 spec:
 containers:
- - name: redis
- image: docker.io/redis:latest
+ - name: valkey
+ image: docker.io/valkey/valkey:latest
 ports:
- - name: redis
+ - name: valkey
 containerPort: 6379
 volumeMounts:
 - name: data
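Review bot: The rename switches the image to `docker.io/valkey/valkey:latest`, a floating tag that the Renovate CronJob this commit introduces cannot pin or track; use a specific version tag (and ideally a digest) so it is managed like the images in `.env`. The StatefulSet keeps the existing `data` volume claims, so the first rollout starts Valkey on the RDB/AOF files written by Redis; that is expected to work for a fork at this level, but it deserves a line in the commit message or a comment. Nothing here authenticates clients, so anything that can reach port 6379 in the cluster can read and write session and cache data; if the namespace has no NetworkPolicy, a `requirepass` passed to Gitea in the connection string is a cheap mitigation.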