gmoker/gitea
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: renovatebot (#2)
All checks were successful
/ deploy (push) Successful in 19s
Details

Browse Source 
Reviewed-on: #2
This commit is contained in:
ange 2024-12-23 02:44:15 +00:00
parent 41d089f0dc
commit f231efb04e
13 changed files with 153 additions and 75 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.env
View File

@ -1,3 +1,3 @@
PROD_URL=git.gmoker.com PROD_URL=git.gmoker.com
IMAGEAPP=docker.io/gitea/gitea:1.22.0-rc1-rootless IMAGEAPP=docker.io/gitea/gitea:1.22.6-rootless
IMAGERUNNER=docker.io/gitea/act_runner:0.2.10-dind-rootless IMAGERUNNER=docker.io/gitea/act_runner:0.2.11-dind-rootless

8
compose.yaml
View File

@ -1,7 +1,7 @@
--- ---
services: services:
db: db:
image: docker.io/postgres:15 image: docker.io/postgres:17
restart: unless-stopped restart: unless-stopped
environment: environment:
- POSTGRES_DB=db - POSTGRES_DB=db
@ -20,16 +20,16 @@ services:
- POSTGRES_HOST=db - POSTGRES_HOST=db
- GITEA__database__DB_TYPE=postgres - GITEA__database__DB_TYPE=postgres
- GITEA__database__HOST=db - GITEA__database__HOST=db
- GITEA__database__NAME=db
- GITEA__database__USER=db - GITEA__database__USER=db
- GITEA__database__PASSWD=db - GITEA__database__PASSWD=db
- GITEA__service__DISABLE_REGISTRATION=true
volumes: volumes:
- data:/var/lib/gitea/
- config:/etc/gitea/ - config:/etc/gitea/
- data:/var/lib/gitea/
depends_on: depends_on:
- db - db
volumes: volumes:
db: {}
config: {} config: {}
data: {} data: {}
db: {}

15
app.ini → config/app.ini
View File

@ -540,10 +540,10 @@ ENABLED = false
;; ;;
;; OAuth2 authentication secret for access and refresh tokens, change this yourself to a unique string. CLI generate option is helpful in this case. https://docs.gitea.io/en-us/command-line/#generate ;; OAuth2 authentication secret for access and refresh tokens, change this yourself to a unique string. CLI generate option is helpful in this case. https://docs.gitea.io/en-us/command-line/#generate
;; This setting is only needed if JWT_SIGNING_ALGORITHM is set to HS256, HS384 or HS512. ;; This setting is only needed if JWT_SIGNING_ALGORITHM is set to HS256, HS384 or HS512.
;JWT_SECRET = JWT_SECRET =
;; ;;
;; Alternative location to specify OAuth2 authentication secret. You cannot specify both this and JWT_SECRET, and must pick one ;; Alternative location to specify OAuth2 authentication secret. You cannot specify both this and JWT_SECRET, and must pick one
;JWT_SECRET_URI = file:/etc/gitea/oauth2_jwt_secret JWT_SECRET_URI = file:/etc/gitea/secrets/oauth2_jwt_secret
;; ;;
;; Lifetime of an OAuth2 access token in seconds ;; Lifetime of an OAuth2 access token in seconds
;ACCESS_TOKEN_EXPIRATION_TIME = 3600 ;ACCESS_TOKEN_EXPIRATION_TIME = 3600
@ -2035,6 +2035,17 @@ ENABLED = true
;; or only create new users if UPDATE_EXISTING is set to false ;; or only create new users if UPDATE_EXISTING is set to false
;UPDATE_EXISTING = true ;UPDATE_EXISTING = true
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Cleanup expired actions assets
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;[cron.cleanup_actions]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;ENABLED = true
;RUN_AT_START = true
;SCHEDULE = @midnight
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Clean-up deleted branches ;; Clean-up deleted branches

4
diff.sh
View File

@ -2,6 +2,6 @@
URL='https://raw.githubusercontent.com' URL='https://raw.githubusercontent.com'
REPO='go-gitea/gitea' REPO='go-gitea/gitea'
TAG="v$(awk -F: '/^IMAGEAPP/{sub("-rootless", ""); print $2}' .env)" TAG="release/v$(awk -F: '/^IMAGEAPP/{sub(".[0-9]+-rootless", ""); print $2}' .env)"
$EDITOR -d -c "wincmd l" -- "$URL/$REPO/$TAG/custom/conf/app.example.ini" app.ini $EDITOR -d -c "wincmd l" -- "$URL/$REPO/$TAG/custom/conf/app.example.ini" config/app.ini

37
manifests/bin/createadmin.sh Executable file
View File

@ -0,0 +1,37 @@
#!/bin/bash -e
set -o pipefail
function get_token() {
kubectl exec statefulset/app -- gitea admin user generate-access-token \
--username "$name" \
--token-name "${name^^}" \
--scopes "$scopes" \
| awk '{print $NF}'
}
name="$1"
scopes="$2"
email="$name@$BASE_URL"
secret="gitea-$name"
passwd="$(kgseckey "$secret" password || true)"
if [ -z "$passwd" ]; then
passwd="$(openssl rand -hex 32)"
kubectl exec statefulset/app -- \
gitea admin user create --admin --must-change-password=false \
--email "$email" \
--username "$name" \
--password "$passwd"
fi
opts=()
[ -n "$scopes" ] && opts+=(
--from-literal=token="$(kgseckey "$secret" token || get_token)"
--from-literal=tokenscopes="$scopes"
)
kcreatesec "$secret" \
--from-literal=email="$email" \
--from-literal=username="$name" \
--from-literal=password="$passwd" \
"${opts[@]}"

68
manifests/bin/deploy.sh
View File

@ -3,37 +3,40 @@ set -o pipefail
function kapply() { function kapply() {
for f in "$@"; do for f in "$@"; do
kubectl apply -f \ kubectl apply -f <(envsubst < "manifests/$f")
<(envsubst "$(env | xargs printf '$%s ')" < "manifests/$f")
done done
} }; export -f kapply
function kcreatesec() { function kcreatesec() {
kubectl create secret generic --save-config --dry-run=client -oyaml "$@" | kubectl apply -f- kubectl create secret generic --save-config --dry-run=client -oyaml "$@" | kubectl apply -f-
} }; export -f kcreatesec
function kcreatecm() { function kcreatecm() {
kubectl create configmap --dry-run=client -oyaml "$@" | kubectl apply -f- kubectl create configmap --dry-run=client -oyaml "$@" | kubectl apply -f-
} }; export -f kcreatecm
function kgseckey() { function kgseckey() {
local sec="$1"; shift local sec="$1"; shift
local key="$1"; shift local key="$1"; shift
kubectl get secret "$sec" -o jsonpath="{.data.$key}" | base64 -d if ! kubectl get secret "$sec" -ojson | jq -re ".data.\"$key\" // empty" | base64 -d; then
} return 1
fi
}; export -f kgseckey
function kgcmkey() { function kgcmkey() {
local cm="$1"; shift local cm="$1"; shift
local key="$1"; shift local key="$1"; shift
kubectl get configmap "$cm" -o jsonpath="{.data.$key}" if ! kubectl get configmap "$cm" -ojson | jq -re ".data.\"$key\" // empty"; then
} return 1
fi
}; export -f kgcmkey
kapply common/db.yaml kapply common/db.yaml
export REDIS_HOST=redis export REDIS_HOST=valkey
export REDIS_DB=0 export REDIS_DB=0
export REDIS_PORT=6379 export REDIS_PORT=6379
export POSTGRES_HOST; POSTGRES_HOST="$(kgseckey postgres-app host)" export POSTGRES_HOST; POSTGRES_HOST="$(kgseckey postgres-app host)"
@ -42,37 +45,32 @@ export POSTGRES_DB; POSTGRES_DB="$(kgseckey postgres-app dbname)"
export POSTGRES_USER; POSTGRES_USER="$(kgseckey postgres-app user)" export POSTGRES_USER; POSTGRES_USER="$(kgseckey postgres-app user)"
export POSTGRES_PASSWORD; POSTGRES_PASSWORD="$(kgseckey postgres-app password)" export POSTGRES_PASSWORD; POSTGRES_PASSWORD="$(kgseckey postgres-app password)"
export GITEA_USERNAME="$(kgseckey gitea-admin username || echo gitea)" # shellcheck disable=SC1090,SC2016
export GITEA_PASSWORD="$(kgseckey gitea-admin password || openssl rand -hex 32)" . <(kubectl run -i --rm --image "$IMAGEAPP" secrets -- bash <<< 'echo SECRET_KEY="$(gitea generate secret SECRET_KEY)" INTERNAL_TOKEN="$(gitea generate secret INTERNAL_TOKEN)" JWT_SECRET="$(gitea generate secret JWT_SECRET)"' | head -n1)
kcreatesec gitea-admin \ kcreatesec gitea \
--from-literal=email="gitea@$BASE_URL" \ --from-literal=secret_key="$(kgseckey gitea secret_key || echo "$SECRET_KEY")" \
--from-literal=username="$GITEA_USERNAME" \ --from-literal=internal_token="$(kgseckey gitea internal_token || echo "$INTERNAL_TOKEN")" \
--from-literal=password="$GITEA_PASSWORD" --from-literal=oauth2_jwt_secret="$(kgseckey gitea oauth2_jwt_secret || echo "$JWT_SECRET")"
kcreatesec gitea-secrets \ kcreatecm gitea \
--from-literal=secret_key="$(kgseckey gitea-secrets secret_key || openssl rand -hex 32)" \ --from-file=app.ini=<(envsubst < config/app.ini)
--from-literal=internal_token="$(kgseckey gitea-secrets internal_token || openssl rand -hex 32)"
kcreatecm gitea-config \
--from-file=app.ini=<(envsubst "$(env | xargs printf '$%s ')" < app.ini)
kapply common/job.yaml \ kapply common/job.yaml \
common/redis.yaml \ common/valkey.yaml \
common/app.yaml common/app.yaml
kubectl rollout restart statefulset app kubectl rollout restart statefulset app
kubectl rollout status sts app kubectl rollout status statefulset app
kubectl wait --timeout=5m --for=condition=complete job/migrate
for i in {0..9}; do ./manifests/bin/createadmin.sh gitea
RUNNER_TOKEN="$(kubectl exec app-0 -- curl -sS "http://$GITEA_USERNAME:$GITEA_PASSWORD@app/api/v1/admin/runners/registration-token" | jq -r '.token // empty' || true)" ./manifests/bin/createadmin.sh renovate 'write:repository,read:user,write:issue,read:organization'
if [ -n "$RUNNER_TOKEN" ]; then kcreatesec runner \
kcreatesec runner-secret --from-literal=token="$RUNNER_TOKEN" --from-literal=token="$(kgseckey runner token || kubectl exec statefulset/app -- gitea actions generate-runner-token)"
kapply common/runner.yaml
kubectl rollout restart statefulset runner kapply common/runner.yaml common/renovate.yaml
break
fi kubectl rollout restart statefulset runner
sleep 5
done

1
manifests/bin/devel.sh
View File

@ -1,4 +1,5 @@
#!/bin/bash -e #!/bin/bash -e
set -o pipefail
export NB_REPLICAS=1 export NB_REPLICAS=1

5
manifests/bin/prod.sh
View File

@ -1,8 +1,11 @@
#!/bin/bash -e #!/bin/bash -e
set -o pipefail
# TODO: 3 # TODO: 3
export NB_REPLICAS=1 export NB_REPLICAS=1
. ./manifests/bin/deploy.sh . ./manifests/bin/deploy.sh
#kapply prod/ssh.yaml if [ "$GITHUB_REF_NAME" = prod ]; then
kapply prod/ssh.yaml
fi

8
manifests/common/app.yaml
View File

@ -5,7 +5,7 @@ metadata:
name: app name: app
annotations: annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/proxy-body-size: "512M" nginx.ingress.kubernetes.io/proxy-body-size: "8G"
spec: spec:
ingressClassName: nginx ingressClassName: nginx
tls: tls:
@ -68,19 +68,17 @@ spec:
- name: config - name: config
mountPath: /etc/gitea/app.ini mountPath: /etc/gitea/app.ini
subPath: app.ini subPath: app.ini
readOnly: true
- name: secrets - name: secrets
mountPath: /etc/gitea/secrets/ mountPath: /etc/gitea/secrets/
readOnly: true
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
volumes: volumes:
- name: config - name: config
configMap: configMap:
name: gitea-config name: gitea
- name: secrets - name: secrets
secret: secret:
secretName: gitea-secrets secretName: gitea
volumeClaimTemplates: volumeClaimTemplates:
- metadata: - metadata:
name: data name: data

18
manifests/common/job.yaml
View File

@ -2,34 +2,28 @@
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
name: createadminuser name: migrate
spec: spec:
template: template:
spec: spec:
restartPolicy: Never restartPolicy: Never
containers: containers:
- name: createadminuser - name: migrate
image: "$IMAGEAPP" image: "$IMAGEAPP"
envFrom:
- secretRef:
name: gitea-admin
command: command:
- bash - gitea
- -c - migrate
- 'gitea migrate && { gitea admin user change-password --username "$username" --password "$password" 2> /dev/null || gitea admin user create --admin --email "$email" --username "$username" --password "$password"; }'
volumeMounts: volumeMounts:
- name: config - name: config
mountPath: /etc/gitea/app.ini mountPath: /etc/gitea/app.ini
subPath: app.ini subPath: app.ini
readOnly: true
- name: secrets - name: secrets
mountPath: /etc/gitea/secrets/ mountPath: /etc/gitea/secrets/
readOnly: true
volumes: volumes:
- name: config - name: config
configMap: configMap:
name: gitea-config name: gitea
- name: secrets - name: secrets
secret: secret:
secretName: gitea-secrets secretName: gitea
backoffLimit: 4 backoffLimit: 4

36
manifests/common/renovate.yaml Normal file
View File

@ -0,0 +1,36 @@
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: renovate
spec:
schedule: '0 0 * * 1'
concurrencyPolicy: Forbid
jobTemplate:
spec:
template:
spec:
restartPolicy: Never
containers:
- name: renovate
image: docker.io/renovate/renovate:slim
imagePullPolicy: Always
env:
- name: LOG_LEVEL
value: debug
- name: RENOVATE_AUTODISCOVER
value: 'true'
- name: RENOVATE_PLATFORM
value: gitea
- name: RENOVATE_ENDPOINT
value: "https://$BASE_URL/api/v1"
- name: RENOVATE_USERNAME
valueFrom:
secretKeyRef:
name: gitea-renovate
key: username
- name: RENOVATE_TOKEN
valueFrom:
secretKeyRef:
name: gitea-renovate
key: token

2
manifests/common/runner.yaml
View File

@ -36,7 +36,7 @@ spec:
- name: GITEA_RUNNER_REGISTRATION_TOKEN - name: GITEA_RUNNER_REGISTRATION_TOKEN
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: runner-secret name: runner
key: token key: token
volumeMounts: volumeMounts:
- name: data - name: data

22
manifests/common/redis.yaml → manifests/common/valkey.yaml
View File

@ -2,36 +2,36 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: redis name: valkey
labels: labels:
app: redis app: valkey
spec: spec:
selector: selector:
app: redis app: valkey
ports: ports:
- name: redis - name: valkey
port: 6379 port: 6379
--- ---
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: StatefulSet
metadata: metadata:
name: redis name: valkey
spec: spec:
selector: selector:
matchLabels: matchLabels:
app: redis app: valkey
serviceName: redis serviceName: valkey
replicas: $NB_REPLICAS replicas: $NB_REPLICAS
template: template:
metadata: metadata:
labels: labels:
app: redis app: valkey
spec: spec:
containers: containers:
- name: redis - name: valkey
image: docker.io/redis:latest image: docker.io/valkey/valkey:latest
ports: ports:
- name: redis - name: valkey
containerPort: 6379 containerPort: 6379
volumeMounts: volumeMounts:
- name: data - name: data