fix: hardcoded image name

.env

@@ -1,3 +1,3 @@
 PROD_URL=git.gmoker.com
-IMAGEAPP=docker.io/gitea/gitea:1.22.0-rc1-rootless
-IMAGERUNNER=docker.io/gitea/act_runner:0.2.10-dind-rootless
+IMAGEAPP=docker.io/gitea/gitea:1.22.6-rootless
+IMAGERUNNER=docker.io/gitea/act_runner:0.2.11-dind-rootless

compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
   db:
-    image: docker.io/postgres:15
+    image: docker.io/postgres:17
     restart: unless-stopped
     environment:
       - POSTGRES_DB=db
@@ -20,16 +20,16 @@ services:
       - POSTGRES_HOST=db
       - GITEA__database__DB_TYPE=postgres
       - GITEA__database__HOST=db
+      - GITEA__database__NAME=db
       - GITEA__database__USER=db
       - GITEA__database__PASSWD=db
-      - GITEA__service__DISABLE_REGISTRATION=true
     volumes:
-      - data:/var/lib/gitea/
       - config:/etc/gitea/
+      - data:/var/lib/gitea/
     depends_on:
       - db
 
 volumes:
+  db: {}
   config: {}
   data: {}
-  db: {}

config/app.ini

@@ -540,10 +540,10 @@ ENABLED = false
 ;;
 ;; OAuth2 authentication secret for access and refresh tokens, change this yourself to a unique string. CLI generate option is helpful in this case. https://docs.gitea.io/en-us/command-line/#generate
 ;; This setting is only needed if JWT_SIGNING_ALGORITHM is set to HS256, HS384 or HS512.
-;JWT_SECRET =
+JWT_SECRET =
 ;;
 ;; Alternative location to specify OAuth2 authentication secret. You cannot specify both this and JWT_SECRET, and must pick one
-;JWT_SECRET_URI = file:/etc/gitea/oauth2_jwt_secret
+JWT_SECRET_URI = file:/etc/gitea/secrets/oauth2_jwt_secret
 ;;
 ;; Lifetime of an OAuth2 access token in seconds
 ;ACCESS_TOKEN_EXPIRATION_TIME = 3600
@@ -2035,6 +2035,17 @@ ENABLED = true
 ;;   or only create new users if UPDATE_EXISTING is set to false
 ;UPDATE_EXISTING = true
 
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Cleanup expired actions assets
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;[cron.cleanup_actions]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;ENABLED = true
+;RUN_AT_START = true
+;SCHEDULE = @midnight
+
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Clean-up deleted branches

diff.sh

@@ -2,6 +2,6 @@
 
 URL='https://raw.githubusercontent.com'
 REPO='go-gitea/gitea'
-TAG="v$(awk -F: '/^IMAGEAPP/{sub("-rootless", ""); print $2}' .env)"
+TAG="release/v$(awk -F: '/^IMAGEAPP/{sub(".[0-9]+-rootless", ""); print $2}' .env)"
 
-$EDITOR -d -c "wincmd l" -- "$URL/$REPO/$TAG/custom/conf/app.example.ini" app.ini
+$EDITOR -d -c "wincmd l" -- "$URL/$REPO/$TAG/custom/conf/app.example.ini" config/app.ini

manifests/bin/createadmin.sh

@@ -0,0 +1,37 @@
+#!/bin/bash -e
+set -o pipefail
+
+function get_token() {
+    kubectl exec statefulset/app -- gitea admin user generate-access-token \
+            --username "$name" \
+            --token-name "${name^^}" \
+            --scopes "$scopes" \
+        | awk '{print $NF}'
+}
+
+name="$1"
+scopes="$2"
+email="$name@$BASE_URL"
+secret="gitea-$name"
+passwd="$(kgseckey "$secret" password || true)"
+
+if [ -z "$passwd" ]; then
+    passwd="$(openssl rand -hex 32)"
+    kubectl exec statefulset/app -- \
+        gitea admin user create --admin --must-change-password=false \
+            --email "$email" \
+            --username "$name" \
+            --password "$passwd"
+fi
+
+opts=()
+[ -n "$scopes" ] && opts+=(
+    --from-literal=token="$(kgseckey "$secret" token || get_token)"
+    --from-literal=tokenscopes="$scopes"
+)
+
+kcreatesec "$secret" \
+    --from-literal=email="$email" \
+    --from-literal=username="$name" \
+    --from-literal=password="$passwd" \
+    "${opts[@]}"

manifests/bin/deploy.sh

@@ -3,37 +3,40 @@ set -o pipefail
 
 function kapply() {
     for f in "$@"; do
-        kubectl apply -f \
-            <(envsubst "$(env | xargs printf '$%s ')" < "manifests/$f")
+        kubectl apply -f <(envsubst < "manifests/$f")
     done
-}
+}; export -f kapply
 
 function kcreatesec() {
     kubectl create secret generic --save-config --dry-run=client -oyaml "$@" | kubectl apply -f-
-}
+}; export -f kcreatesec
 
 function kcreatecm() {
     kubectl create configmap --dry-run=client -oyaml "$@" | kubectl apply -f-
-}
+}; export -f kcreatecm
 
 function kgseckey() {
     local sec="$1"; shift
     local key="$1"; shift
 
-    kubectl get secret "$sec" -o jsonpath="{.data.$key}" | base64 -d
-}
+    if ! kubectl get secret "$sec" -ojson | jq -re ".data.\"$key\" // empty" | base64 -d; then
+        return 1
+    fi
+}; export -f kgseckey
 
 function kgcmkey() {
-    local cm="$1"; shift
+    local cm="$1";  shift
     local key="$1"; shift
 
-    kubectl get configmap "$cm" -o jsonpath="{.data.$key}"
-}
+    if ! kubectl get configmap "$cm" -ojson | jq -re ".data.\"$key\" // empty"; then
+        return 1
+    fi
+}; export -f kgcmkey
 
 
 kapply common/db.yaml
 
-export REDIS_HOST=redis
+export REDIS_HOST=valkey
 export REDIS_DB=0
 export REDIS_PORT=6379
 export POSTGRES_HOST;     POSTGRES_HOST="$(kgseckey postgres-app host)"
@@ -42,37 +45,32 @@ export POSTGRES_DB;       POSTGRES_DB="$(kgseckey postgres-app dbname)"
 export POSTGRES_USER;     POSTGRES_USER="$(kgseckey postgres-app user)"
 export POSTGRES_PASSWORD; POSTGRES_PASSWORD="$(kgseckey postgres-app password)"
 
-export GITEA_USERNAME="$(kgseckey gitea-admin username || echo gitea)"
-export GITEA_PASSWORD="$(kgseckey gitea-admin password || openssl rand -hex 32)"
+# shellcheck disable=SC1090,SC2016
+. <(kubectl run -i --rm --image "$IMAGEAPP" secrets -- bash <<< 'echo SECRET_KEY="$(gitea generate secret SECRET_KEY)" INTERNAL_TOKEN="$(gitea generate secret INTERNAL_TOKEN)" JWT_SECRET="$(gitea generate secret JWT_SECRET)"' | head -n1)
 
-kcreatesec gitea-admin \
-    --from-literal=email="gitea@$BASE_URL" \
-    --from-literal=username="$GITEA_USERNAME" \
-    --from-literal=password="$GITEA_PASSWORD"
+kcreatesec gitea \
+    --from-literal=secret_key="$(kgseckey gitea secret_key               || echo "$SECRET_KEY")" \
+    --from-literal=internal_token="$(kgseckey gitea internal_token       || echo "$INTERNAL_TOKEN")" \
+    --from-literal=oauth2_jwt_secret="$(kgseckey gitea oauth2_jwt_secret || echo "$JWT_SECRET")"
 
-kcreatesec gitea-secrets \
-    --from-literal=secret_key="$(kgseckey gitea-secrets secret_key || openssl rand -hex 32)"  \
-    --from-literal=internal_token="$(kgseckey gitea-secrets internal_token || openssl rand -hex 32)"
-
-kcreatecm gitea-config \
-    --from-file=app.ini=<(envsubst "$(env | xargs printf '$%s ')" < app.ini)
+kcreatecm gitea \
+    --from-file=app.ini=<(envsubst < config/app.ini)
 
 kapply common/job.yaml \
-    common/redis.yaml \
+    common/valkey.yaml \
     common/app.yaml
 
 kubectl rollout restart statefulset app
 
-kubectl rollout status sts app
+kubectl rollout status statefulset app
+kubectl wait --timeout=5m --for=condition=complete job/migrate
 
-for i in {0..9}; do
-    RUNNER_TOKEN="$(kubectl exec app-0 -- curl -sS "http://$GITEA_USERNAME:$GITEA_PASSWORD@app/api/v1/admin/runners/registration-token" | jq -r '.token // empty' || true)"
+./manifests/bin/createadmin.sh gitea
+./manifests/bin/createadmin.sh renovate 'write:repository,read:user,write:issue,read:organization'
 
-    if [ -n "$RUNNER_TOKEN" ]; then
-        kcreatesec runner-secret --from-literal=token="$RUNNER_TOKEN"
-        kapply common/runner.yaml
-        kubectl rollout restart statefulset runner
-        break
-    fi
-    sleep 5
-done
+kcreatesec runner \
+    --from-literal=token="$(kgseckey runner token || kubectl exec statefulset/app -- gitea actions generate-runner-token)"
+
+kapply common/runner.yaml common/renovate.yaml
+
+kubectl rollout restart statefulset runner

manifests/bin/devel.sh

@@ -1,4 +1,5 @@
 #!/bin/bash -e
+set -o pipefail
 
 export NB_REPLICAS=1
 

manifests/bin/prod.sh

@@ -1,8 +1,11 @@
 #!/bin/bash -e
+set -o pipefail
 
 # TODO: 3
 export NB_REPLICAS=1
 
 . ./manifests/bin/deploy.sh
 
-#kapply prod/ssh.yaml
+if [ "$GITHUB_REF_NAME" = prod ]; then
+    kapply prod/ssh.yaml
+fi

manifests/common/app.yaml

@@ -5,7 +5,7 @@ metadata:
   name: app
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-prod
-    nginx.ingress.kubernetes.io/proxy-body-size: "512M"
+    nginx.ingress.kubernetes.io/proxy-body-size: "8G"
 spec:
   ingressClassName: nginx
   tls:
@@ -68,19 +68,17 @@ spec:
             - name: config
               mountPath: /etc/gitea/app.ini
               subPath: app.ini
-              readOnly: true
             - name: secrets
               mountPath: /etc/gitea/secrets/
-              readOnly: true
       securityContext:
         fsGroup: 1000
       volumes:
         - name: config
           configMap:
-            name: gitea-config
+            name: gitea
         - name: secrets
           secret:
-            secretName: gitea-secrets
+            secretName: gitea
   volumeClaimTemplates:
     - metadata:
         name: data

manifests/common/job.yaml

@@ -2,34 +2,28 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: createadminuser
+  name: migrate
 spec:
   template:
     spec:
       restartPolicy: Never
       containers:
-        - name: createadminuser
+        - name: migrate
           image: "$IMAGEAPP"
-          envFrom:
-            - secretRef:
-                name: gitea-admin
           command:
-            - bash
-            - -c
-            - 'gitea migrate && { gitea admin user change-password --username "$username" --password "$password" 2> /dev/null || gitea admin user create --admin --email "$email" --username "$username" --password "$password"; }'
+            - gitea
+            - migrate
           volumeMounts:
             - name: config
               mountPath: /etc/gitea/app.ini
               subPath: app.ini
-              readOnly: true
             - name: secrets
               mountPath: /etc/gitea/secrets/
-              readOnly: true
       volumes:
         - name: config
           configMap:
-            name: gitea-config
+            name: gitea
         - name: secrets
           secret:
-            secretName: gitea-secrets
+            secretName: gitea
   backoffLimit: 4

manifests/common/renovate.yaml

@@ -0,0 +1,36 @@
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: renovate
+spec:
+  schedule: '0 0 * * 1'
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          restartPolicy: Never
+          containers:
+            - name: renovate
+              image: docker.io/renovate/renovate:slim
+              imagePullPolicy: Always
+              env:
+                - name: LOG_LEVEL
+                  value: debug
+                - name: RENOVATE_AUTODISCOVER
+                  value: 'true'
+                - name: RENOVATE_PLATFORM
+                  value: gitea
+                - name: RENOVATE_ENDPOINT
+                  value: "https://$BASE_URL/api/v1"
+                - name: RENOVATE_USERNAME
+                  valueFrom:
+                    secretKeyRef:
+                      name: gitea-renovate
+                      key: username
+                - name: RENOVATE_TOKEN
+                  valueFrom:
+                    secretKeyRef:
+                      name: gitea-renovate
+                      key: token

manifests/common/runner.yaml

@@ -36,7 +36,7 @@ spec:
             - name: GITEA_RUNNER_REGISTRATION_TOKEN
               valueFrom:
                 secretKeyRef:
-                  name: runner-secret
+                  name: runner
                   key: token
           volumeMounts:
             - name: data

manifests/common/valkey.yaml

@@ -2,36 +2,36 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: redis
+  name: valkey
   labels:
-    app: redis
+    app: valkey
 spec:
   selector:
-    app: redis
+    app: valkey
   ports:
-    - name: redis
+    - name: valkey
       port: 6379
 ---
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
-  name: redis
+  name: valkey
 spec:
   selector:
     matchLabels:
-      app: redis
-  serviceName: redis
+      app: valkey
+  serviceName: valkey
   replicas: $NB_REPLICAS
   template:
     metadata:
       labels:
-        app: redis
+        app: valkey
     spec:
       containers:
-        - name: redis
-          image: docker.io/redis:latest
+        - name: valkey
+          image: docker.io/valkey/valkey:latest
           ports:
-            - name: redis
+            - name: valkey
               containerPort: 6379
           volumeMounts:
             - name: data