Reviewed-on: #2
This commit is contained in:
parent
41d089f0dc
commit
f231efb04e
4
.env
4
.env
@ -1,3 +1,3 @@
|
|||||||
PROD_URL=git.gmoker.com
|
PROD_URL=git.gmoker.com
|
||||||
IMAGEAPP=docker.io/gitea/gitea:1.22.0-rc1-rootless
|
IMAGEAPP=docker.io/gitea/gitea:1.22.6-rootless
|
||||||
IMAGERUNNER=docker.io/gitea/act_runner:0.2.10-dind-rootless
|
IMAGERUNNER=docker.io/gitea/act_runner:0.2.11-dind-rootless
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
services:
|
services:
|
||||||
db:
|
db:
|
||||||
image: docker.io/postgres:15
|
image: docker.io/postgres:17
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
environment:
|
environment:
|
||||||
- POSTGRES_DB=db
|
- POSTGRES_DB=db
|
||||||
@ -20,16 +20,16 @@ services:
|
|||||||
- POSTGRES_HOST=db
|
- POSTGRES_HOST=db
|
||||||
- GITEA__database__DB_TYPE=postgres
|
- GITEA__database__DB_TYPE=postgres
|
||||||
- GITEA__database__HOST=db
|
- GITEA__database__HOST=db
|
||||||
|
- GITEA__database__NAME=db
|
||||||
- GITEA__database__USER=db
|
- GITEA__database__USER=db
|
||||||
- GITEA__database__PASSWD=db
|
- GITEA__database__PASSWD=db
|
||||||
- GITEA__service__DISABLE_REGISTRATION=true
|
|
||||||
volumes:
|
volumes:
|
||||||
- data:/var/lib/gitea/
|
|
||||||
- config:/etc/gitea/
|
- config:/etc/gitea/
|
||||||
|
- data:/var/lib/gitea/
|
||||||
depends_on:
|
depends_on:
|
||||||
- db
|
- db
|
||||||
|
|
||||||
volumes:
|
volumes:
|
||||||
|
db: {}
|
||||||
config: {}
|
config: {}
|
||||||
data: {}
|
data: {}
|
||||||
db: {}
|
|
||||||
|
@ -540,10 +540,10 @@ ENABLED = false
|
|||||||
;;
|
;;
|
||||||
;; OAuth2 authentication secret for access and refresh tokens, change this yourself to a unique string. CLI generate option is helpful in this case. https://docs.gitea.io/en-us/command-line/#generate
|
;; OAuth2 authentication secret for access and refresh tokens, change this yourself to a unique string. CLI generate option is helpful in this case. https://docs.gitea.io/en-us/command-line/#generate
|
||||||
;; This setting is only needed if JWT_SIGNING_ALGORITHM is set to HS256, HS384 or HS512.
|
;; This setting is only needed if JWT_SIGNING_ALGORITHM is set to HS256, HS384 or HS512.
|
||||||
;JWT_SECRET =
|
JWT_SECRET =
|
||||||
;;
|
;;
|
||||||
;; Alternative location to specify OAuth2 authentication secret. You cannot specify both this and JWT_SECRET, and must pick one
|
;; Alternative location to specify OAuth2 authentication secret. You cannot specify both this and JWT_SECRET, and must pick one
|
||||||
;JWT_SECRET_URI = file:/etc/gitea/oauth2_jwt_secret
|
JWT_SECRET_URI = file:/etc/gitea/secrets/oauth2_jwt_secret
|
||||||
;;
|
;;
|
||||||
;; Lifetime of an OAuth2 access token in seconds
|
;; Lifetime of an OAuth2 access token in seconds
|
||||||
;ACCESS_TOKEN_EXPIRATION_TIME = 3600
|
;ACCESS_TOKEN_EXPIRATION_TIME = 3600
|
||||||
@ -2035,6 +2035,17 @@ ENABLED = true
|
|||||||
;; or only create new users if UPDATE_EXISTING is set to false
|
;; or only create new users if UPDATE_EXISTING is set to false
|
||||||
;UPDATE_EXISTING = true
|
;UPDATE_EXISTING = true
|
||||||
|
|
||||||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
|
;; Cleanup expired actions assets
|
||||||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
|
;[cron.cleanup_actions]
|
||||||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
|
;ENABLED = true
|
||||||
|
;RUN_AT_START = true
|
||||||
|
;SCHEDULE = @midnight
|
||||||
|
|
||||||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
;; Clean-up deleted branches
|
;; Clean-up deleted branches
|
4
diff.sh
4
diff.sh
@ -2,6 +2,6 @@
|
|||||||
|
|
||||||
URL='https://raw.githubusercontent.com'
|
URL='https://raw.githubusercontent.com'
|
||||||
REPO='go-gitea/gitea'
|
REPO='go-gitea/gitea'
|
||||||
TAG="v$(awk -F: '/^IMAGEAPP/{sub("-rootless", ""); print $2}' .env)"
|
TAG="release/v$(awk -F: '/^IMAGEAPP/{sub(".[0-9]+-rootless", ""); print $2}' .env)"
|
||||||
|
|
||||||
$EDITOR -d -c "wincmd l" -- "$URL/$REPO/$TAG/custom/conf/app.example.ini" app.ini
|
$EDITOR -d -c "wincmd l" -- "$URL/$REPO/$TAG/custom/conf/app.example.ini" config/app.ini
|
||||||
|
37
manifests/bin/createadmin.sh
Executable file
37
manifests/bin/createadmin.sh
Executable file
@ -0,0 +1,37 @@
|
|||||||
|
#!/bin/bash -e
|
||||||
|
set -o pipefail
|
||||||
|
|
||||||
|
function get_token() {
|
||||||
|
kubectl exec statefulset/app -- gitea admin user generate-access-token \
|
||||||
|
--username "$name" \
|
||||||
|
--token-name "${name^^}" \
|
||||||
|
--scopes "$scopes" \
|
||||||
|
| awk '{print $NF}'
|
||||||
|
}
|
||||||
|
|
||||||
|
name="$1"
|
||||||
|
scopes="$2"
|
||||||
|
email="$name@$BASE_URL"
|
||||||
|
secret="gitea-$name"
|
||||||
|
passwd="$(kgseckey "$secret" password || true)"
|
||||||
|
|
||||||
|
if [ -z "$passwd" ]; then
|
||||||
|
passwd="$(openssl rand -hex 32)"
|
||||||
|
kubectl exec statefulset/app -- \
|
||||||
|
gitea admin user create --admin --must-change-password=false \
|
||||||
|
--email "$email" \
|
||||||
|
--username "$name" \
|
||||||
|
--password "$passwd"
|
||||||
|
fi
|
||||||
|
|
||||||
|
opts=()
|
||||||
|
[ -n "$scopes" ] && opts+=(
|
||||||
|
--from-literal=token="$(kgseckey "$secret" token || get_token)"
|
||||||
|
--from-literal=tokenscopes="$scopes"
|
||||||
|
)
|
||||||
|
|
||||||
|
kcreatesec "$secret" \
|
||||||
|
--from-literal=email="$email" \
|
||||||
|
--from-literal=username="$name" \
|
||||||
|
--from-literal=password="$passwd" \
|
||||||
|
"${opts[@]}"
|
@ -3,37 +3,40 @@ set -o pipefail
|
|||||||
|
|
||||||
function kapply() {
|
function kapply() {
|
||||||
for f in "$@"; do
|
for f in "$@"; do
|
||||||
kubectl apply -f \
|
kubectl apply -f <(envsubst < "manifests/$f")
|
||||||
<(envsubst "$(env | xargs printf '$%s ')" < "manifests/$f")
|
|
||||||
done
|
done
|
||||||
}
|
}; export -f kapply
|
||||||
|
|
||||||
function kcreatesec() {
|
function kcreatesec() {
|
||||||
kubectl create secret generic --save-config --dry-run=client -oyaml "$@" | kubectl apply -f-
|
kubectl create secret generic --save-config --dry-run=client -oyaml "$@" | kubectl apply -f-
|
||||||
}
|
}; export -f kcreatesec
|
||||||
|
|
||||||
function kcreatecm() {
|
function kcreatecm() {
|
||||||
kubectl create configmap --dry-run=client -oyaml "$@" | kubectl apply -f-
|
kubectl create configmap --dry-run=client -oyaml "$@" | kubectl apply -f-
|
||||||
}
|
}; export -f kcreatecm
|
||||||
|
|
||||||
function kgseckey() {
|
function kgseckey() {
|
||||||
local sec="$1"; shift
|
local sec="$1"; shift
|
||||||
local key="$1"; shift
|
local key="$1"; shift
|
||||||
|
|
||||||
kubectl get secret "$sec" -o jsonpath="{.data.$key}" | base64 -d
|
if ! kubectl get secret "$sec" -ojson | jq -re ".data.\"$key\" // empty" | base64 -d; then
|
||||||
}
|
return 1
|
||||||
|
fi
|
||||||
|
}; export -f kgseckey
|
||||||
|
|
||||||
function kgcmkey() {
|
function kgcmkey() {
|
||||||
local cm="$1"; shift
|
local cm="$1"; shift
|
||||||
local key="$1"; shift
|
local key="$1"; shift
|
||||||
|
|
||||||
kubectl get configmap "$cm" -o jsonpath="{.data.$key}"
|
if ! kubectl get configmap "$cm" -ojson | jq -re ".data.\"$key\" // empty"; then
|
||||||
}
|
return 1
|
||||||
|
fi
|
||||||
|
}; export -f kgcmkey
|
||||||
|
|
||||||
|
|
||||||
kapply common/db.yaml
|
kapply common/db.yaml
|
||||||
|
|
||||||
export REDIS_HOST=redis
|
export REDIS_HOST=valkey
|
||||||
export REDIS_DB=0
|
export REDIS_DB=0
|
||||||
export REDIS_PORT=6379
|
export REDIS_PORT=6379
|
||||||
export POSTGRES_HOST; POSTGRES_HOST="$(kgseckey postgres-app host)"
|
export POSTGRES_HOST; POSTGRES_HOST="$(kgseckey postgres-app host)"
|
||||||
@ -42,37 +45,32 @@ export POSTGRES_DB; POSTGRES_DB="$(kgseckey postgres-app dbname)"
|
|||||||
export POSTGRES_USER; POSTGRES_USER="$(kgseckey postgres-app user)"
|
export POSTGRES_USER; POSTGRES_USER="$(kgseckey postgres-app user)"
|
||||||
export POSTGRES_PASSWORD; POSTGRES_PASSWORD="$(kgseckey postgres-app password)"
|
export POSTGRES_PASSWORD; POSTGRES_PASSWORD="$(kgseckey postgres-app password)"
|
||||||
|
|
||||||
export GITEA_USERNAME="$(kgseckey gitea-admin username || echo gitea)"
|
# shellcheck disable=SC1090,SC2016
|
||||||
export GITEA_PASSWORD="$(kgseckey gitea-admin password || openssl rand -hex 32)"
|
. <(kubectl run -i --rm --image "$IMAGEAPP" secrets -- bash <<< 'echo SECRET_KEY="$(gitea generate secret SECRET_KEY)" INTERNAL_TOKEN="$(gitea generate secret INTERNAL_TOKEN)" JWT_SECRET="$(gitea generate secret JWT_SECRET)"' | head -n1)
|
||||||
|
|
||||||
kcreatesec gitea-admin \
|
kcreatesec gitea \
|
||||||
--from-literal=email="gitea@$BASE_URL" \
|
--from-literal=secret_key="$(kgseckey gitea secret_key || echo "$SECRET_KEY")" \
|
||||||
--from-literal=username="$GITEA_USERNAME" \
|
--from-literal=internal_token="$(kgseckey gitea internal_token || echo "$INTERNAL_TOKEN")" \
|
||||||
--from-literal=password="$GITEA_PASSWORD"
|
--from-literal=oauth2_jwt_secret="$(kgseckey gitea oauth2_jwt_secret || echo "$JWT_SECRET")"
|
||||||
|
|
||||||
kcreatesec gitea-secrets \
|
kcreatecm gitea \
|
||||||
--from-literal=secret_key="$(kgseckey gitea-secrets secret_key || openssl rand -hex 32)" \
|
--from-file=app.ini=<(envsubst < config/app.ini)
|
||||||
--from-literal=internal_token="$(kgseckey gitea-secrets internal_token || openssl rand -hex 32)"
|
|
||||||
|
|
||||||
kcreatecm gitea-config \
|
|
||||||
--from-file=app.ini=<(envsubst "$(env | xargs printf '$%s ')" < app.ini)
|
|
||||||
|
|
||||||
kapply common/job.yaml \
|
kapply common/job.yaml \
|
||||||
common/redis.yaml \
|
common/valkey.yaml \
|
||||||
common/app.yaml
|
common/app.yaml
|
||||||
|
|
||||||
kubectl rollout restart statefulset app
|
kubectl rollout restart statefulset app
|
||||||
|
|
||||||
kubectl rollout status sts app
|
kubectl rollout status statefulset app
|
||||||
|
kubectl wait --timeout=5m --for=condition=complete job/migrate
|
||||||
|
|
||||||
for i in {0..9}; do
|
./manifests/bin/createadmin.sh gitea
|
||||||
RUNNER_TOKEN="$(kubectl exec app-0 -- curl -sS "http://$GITEA_USERNAME:$GITEA_PASSWORD@app/api/v1/admin/runners/registration-token" | jq -r '.token // empty' || true)"
|
./manifests/bin/createadmin.sh renovate 'write:repository,read:user,write:issue,read:organization'
|
||||||
|
|
||||||
|
kcreatesec runner \
|
||||||
|
--from-literal=token="$(kgseckey runner token || kubectl exec statefulset/app -- gitea actions generate-runner-token)"
|
||||||
|
|
||||||
|
kapply common/runner.yaml common/renovate.yaml
|
||||||
|
|
||||||
if [ -n "$RUNNER_TOKEN" ]; then
|
|
||||||
kcreatesec runner-secret --from-literal=token="$RUNNER_TOKEN"
|
|
||||||
kapply common/runner.yaml
|
|
||||||
kubectl rollout restart statefulset runner
|
kubectl rollout restart statefulset runner
|
||||||
break
|
|
||||||
fi
|
|
||||||
sleep 5
|
|
||||||
done
|
|
||||||
|
@ -1,4 +1,5 @@
|
|||||||
#!/bin/bash -e
|
#!/bin/bash -e
|
||||||
|
set -o pipefail
|
||||||
|
|
||||||
export NB_REPLICAS=1
|
export NB_REPLICAS=1
|
||||||
|
|
||||||
|
@ -1,8 +1,11 @@
|
|||||||
#!/bin/bash -e
|
#!/bin/bash -e
|
||||||
|
set -o pipefail
|
||||||
|
|
||||||
# TODO: 3
|
# TODO: 3
|
||||||
export NB_REPLICAS=1
|
export NB_REPLICAS=1
|
||||||
|
|
||||||
. ./manifests/bin/deploy.sh
|
. ./manifests/bin/deploy.sh
|
||||||
|
|
||||||
#kapply prod/ssh.yaml
|
if [ "$GITHUB_REF_NAME" = prod ]; then
|
||||||
|
kapply prod/ssh.yaml
|
||||||
|
fi
|
||||||
|
@ -5,7 +5,7 @@ metadata:
|
|||||||
name: app
|
name: app
|
||||||
annotations:
|
annotations:
|
||||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||||
nginx.ingress.kubernetes.io/proxy-body-size: "512M"
|
nginx.ingress.kubernetes.io/proxy-body-size: "8G"
|
||||||
spec:
|
spec:
|
||||||
ingressClassName: nginx
|
ingressClassName: nginx
|
||||||
tls:
|
tls:
|
||||||
@ -68,19 +68,17 @@ spec:
|
|||||||
- name: config
|
- name: config
|
||||||
mountPath: /etc/gitea/app.ini
|
mountPath: /etc/gitea/app.ini
|
||||||
subPath: app.ini
|
subPath: app.ini
|
||||||
readOnly: true
|
|
||||||
- name: secrets
|
- name: secrets
|
||||||
mountPath: /etc/gitea/secrets/
|
mountPath: /etc/gitea/secrets/
|
||||||
readOnly: true
|
|
||||||
securityContext:
|
securityContext:
|
||||||
fsGroup: 1000
|
fsGroup: 1000
|
||||||
volumes:
|
volumes:
|
||||||
- name: config
|
- name: config
|
||||||
configMap:
|
configMap:
|
||||||
name: gitea-config
|
name: gitea
|
||||||
- name: secrets
|
- name: secrets
|
||||||
secret:
|
secret:
|
||||||
secretName: gitea-secrets
|
secretName: gitea
|
||||||
volumeClaimTemplates:
|
volumeClaimTemplates:
|
||||||
- metadata:
|
- metadata:
|
||||||
name: data
|
name: data
|
||||||
|
@ -2,34 +2,28 @@
|
|||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
metadata:
|
metadata:
|
||||||
name: createadminuser
|
name: migrate
|
||||||
spec:
|
spec:
|
||||||
template:
|
template:
|
||||||
spec:
|
spec:
|
||||||
restartPolicy: Never
|
restartPolicy: Never
|
||||||
containers:
|
containers:
|
||||||
- name: createadminuser
|
- name: migrate
|
||||||
image: "$IMAGEAPP"
|
image: "$IMAGEAPP"
|
||||||
envFrom:
|
|
||||||
- secretRef:
|
|
||||||
name: gitea-admin
|
|
||||||
command:
|
command:
|
||||||
- bash
|
- gitea
|
||||||
- -c
|
- migrate
|
||||||
- 'gitea migrate && { gitea admin user change-password --username "$username" --password "$password" 2> /dev/null || gitea admin user create --admin --email "$email" --username "$username" --password "$password"; }'
|
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: config
|
- name: config
|
||||||
mountPath: /etc/gitea/app.ini
|
mountPath: /etc/gitea/app.ini
|
||||||
subPath: app.ini
|
subPath: app.ini
|
||||||
readOnly: true
|
|
||||||
- name: secrets
|
- name: secrets
|
||||||
mountPath: /etc/gitea/secrets/
|
mountPath: /etc/gitea/secrets/
|
||||||
readOnly: true
|
|
||||||
volumes:
|
volumes:
|
||||||
- name: config
|
- name: config
|
||||||
configMap:
|
configMap:
|
||||||
name: gitea-config
|
name: gitea
|
||||||
- name: secrets
|
- name: secrets
|
||||||
secret:
|
secret:
|
||||||
secretName: gitea-secrets
|
secretName: gitea
|
||||||
backoffLimit: 4
|
backoffLimit: 4
|
||||||
|
36
manifests/common/renovate.yaml
Normal file
36
manifests/common/renovate.yaml
Normal file
@ -0,0 +1,36 @@
|
|||||||
|
---
|
||||||
|
apiVersion: batch/v1
|
||||||
|
kind: CronJob
|
||||||
|
metadata:
|
||||||
|
name: renovate
|
||||||
|
spec:
|
||||||
|
schedule: '0 0 * * 1'
|
||||||
|
concurrencyPolicy: Forbid
|
||||||
|
jobTemplate:
|
||||||
|
spec:
|
||||||
|
template:
|
||||||
|
spec:
|
||||||
|
restartPolicy: Never
|
||||||
|
containers:
|
||||||
|
- name: renovate
|
||||||
|
image: docker.io/renovate/renovate:slim
|
||||||
|
imagePullPolicy: Always
|
||||||
|
env:
|
||||||
|
- name: LOG_LEVEL
|
||||||
|
value: debug
|
||||||
|
- name: RENOVATE_AUTODISCOVER
|
||||||
|
value: 'true'
|
||||||
|
- name: RENOVATE_PLATFORM
|
||||||
|
value: gitea
|
||||||
|
- name: RENOVATE_ENDPOINT
|
||||||
|
value: "https://$BASE_URL/api/v1"
|
||||||
|
- name: RENOVATE_USERNAME
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: gitea-renovate
|
||||||
|
key: username
|
||||||
|
- name: RENOVATE_TOKEN
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: gitea-renovate
|
||||||
|
key: token
|
@ -36,7 +36,7 @@ spec:
|
|||||||
- name: GITEA_RUNNER_REGISTRATION_TOKEN
|
- name: GITEA_RUNNER_REGISTRATION_TOKEN
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
name: runner-secret
|
name: runner
|
||||||
key: token
|
key: token
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: data
|
- name: data
|
||||||
|
@ -2,36 +2,36 @@
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Service
|
kind: Service
|
||||||
metadata:
|
metadata:
|
||||||
name: redis
|
name: valkey
|
||||||
labels:
|
labels:
|
||||||
app: redis
|
app: valkey
|
||||||
spec:
|
spec:
|
||||||
selector:
|
selector:
|
||||||
app: redis
|
app: valkey
|
||||||
ports:
|
ports:
|
||||||
- name: redis
|
- name: valkey
|
||||||
port: 6379
|
port: 6379
|
||||||
---
|
---
|
||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
kind: StatefulSet
|
kind: StatefulSet
|
||||||
metadata:
|
metadata:
|
||||||
name: redis
|
name: valkey
|
||||||
spec:
|
spec:
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
app: redis
|
app: valkey
|
||||||
serviceName: redis
|
serviceName: valkey
|
||||||
replicas: $NB_REPLICAS
|
replicas: $NB_REPLICAS
|
||||||
template:
|
template:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
app: redis
|
app: valkey
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: redis
|
- name: valkey
|
||||||
image: docker.io/redis:latest
|
image: docker.io/valkey/valkey:latest
|
||||||
ports:
|
ports:
|
||||||
- name: redis
|
- name: valkey
|
||||||
containerPort: 6379
|
containerPort: 6379
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: data
|
- name: data
|
Loading…
Reference in New Issue
Block a user