From 68f44eb5e44bf8db9513441a973ce0f7c36241c9 Mon Sep 17 00:00:00 2001
From: ange
Date: Fri, 27 Sep 2024 07:54:02 +0700
Subject: [PATCH 01/20] feat: redis -> valkey

---
 .env | 2 +-
 manifests/bin/deploy.sh | 18 ++++++----------
 manifests/common/{redis.yaml => valkey.yaml} | 22 ++++++++++----------
 3 files changed, 18 insertions(+), 24 deletions(-)
 rename manifests/common/{redis.yaml => valkey.yaml} (66%)

diff --git a/.env b/.env
index 685ef78..15501e1 100644
--- a/.env
+++ b/.env
@@ -1,3 +1,3 @@
 PROD_URL=git.gmoker.com
-IMAGEAPP=docker.io/gitea/gitea:1.22.0-rootless
+IMAGEAPP=docker.io/gitea/gitea:1.22.2-rootless
 IMAGERUNNER=docker.io/gitea/act_runner:0.2.10-dind-rootless
diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh
index dd36979..8753e74 100755
--- a/manifests/bin/deploy.sh
+++ b/manifests/bin/deploy.sh
@@ -19,31 +19,25 @@ function kcreatecm() {
 function kgseckey() {
 local sec="$1"; shift
 local key="$1"; shift
 
- local ret
- ret="$(kubectl get secret "$sec" -o jsonpath="{.data.$key}" | base64 -d)"
- if [ "$?" -ne 0 ] || [ -z "$ret" ]; then
+ if ! kubectl get secret "$sec" -ojson | jq -re ".data.\"$key\" // empty" | base64 -d; then
 return 1
 fi
- echo "$ret"
 }
 
 function kgcmkey() {
- local cm="$1"; shift
+ local cm="$1"; shift
 local key="$1"; shift
 
- local ret;
- ret="$(kubectl get configmap "$cm" -o jsonpath="{.data.$key}")"
- if [ "$?" -ne 0 ] || [ -z "$ret" ]; then
+ if ! kubectl get configmap "$cm" -ojson | jq -re ".data.\"$key\" // empty"; then
 return 1
 fi
- echo "$ret"
 }
 
 kapply common/db.yaml
 
-export REDIS_HOST=redis
+export REDIS_HOST=valkey
 export REDIS_DB=0
 export REDIS_PORT=6379
 
 export POSTGRES_HOST; POSTGRES_HOST="$(kgseckey postgres-app host)"
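Review bot: The new `jq -re ".data.\"$key\" // empty"` in kgseckey, and the same form in kgcmkey, splices `$key` into the jq program, so a key holding a double quote or jq syntax rewrites the filter instead of being looked up; pass it as a jq variable, `jq -re --arg k "$key" '.data[$k] // empty'`. Every caller visible on this page passes a fixed key name, so this is hygiene rather than an open injection path, and the jsonpath form being removed had the same shape. The rewritten functions are also now silent on failure — a missing key yields `return 1` with nothing on stderr — so a `printf 'missing key %s in %s\n' "$key" "$sec" >&2` before the `return 1` would help whoever runs the deploy.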
@@ -60,7 +54,7 @@ kcreatesec gitea-admin \
 --from-literal=username="$GITEA_USERNAME" \
 --from-literal=password="$GITEA_PASSWORD"
 
-kubectl run --image "$IMAGEAPP" secrets sleep 60
+kubectl run --image "$IMAGEAPP" secrets sleep 600
 sleep 5
 kcreatesec gitea \
 --from-literal=secret_key="$(kgseckey gitea secret_key || kubectl exec secrets -- gitea generate secret SECRET_KEY)" \
@@ -72,7 +66,7 @@ kcreatecm gitea \
 --from-file=app.ini=<(envsubst "$(env | xargs printf '$%s ')" < config/app.ini)
 
 kapply common/job.yaml \
- common/redis.yaml \
+ common/valkey.yaml \
 common/app.yaml
 
 kubectl rollout restart statefulset app
diff --git a/manifests/common/redis.yaml b/manifests/common/valkey.yaml
similarity index 66%
rename from manifests/common/redis.yaml
rename to manifests/common/valkey.yaml
index 485d2a8..4df2c6d 100644
--- a/manifests/common/redis.yaml
+++ b/manifests/common/valkey.yaml
@@ -2,36 +2,36 @@
 apiVersion: v1
 kind: Service
 metadata:
- name: redis
+ name: valkey
 labels:
- app: redis
+ app: valkey
 spec:
 selector:
- app: redis
+ app: valkey
 ports:
- - name: redis
+ - name: valkey
 port: 6379
 ---
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
- name: redis
+ name: valkey
 spec:
 selector:
 matchLabels:
- app: redis
- serviceName: redis
+ app: valkey
+ serviceName: valkey
 replicas: $NB_REPLICAS
 template:
 metadata:
 labels:
- app: redis
+ app: valkey
 spec:
 containers:
- - name: redis
- image: docker.io/redis:latest
+ - name: valkey
+ image: docker.io/valkey/valkey:latest
 ports:
- - name: redis
+ - name: valkey
 containerPort: 6379
 volumeMounts:
 - name: data
-- 
2.45.2

From bd449faec192346b8ab4f82f087e207107025ea7 Mon Sep 17 00:00:00 2001
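Review bot: `image: docker.io/valkey/valkey:latest` in the renamed StatefulSet is a mutable tag, while `.env` in this same patch pins the Gitea images to exact versions; every `kubectl rollout restart` can pull a different Valkey build, so deploys are not reproducible and an upstream image change lands silently. Pin it the way `IMAGEAPP` is pinned, ideally with a digest, e.g. `image: docker.io/valkey/valkey:<pinned-version>@sha256:<digest>` with the values taken from the registry at review time. The `:latest` tag was inherited from the redis manifest, but the rename is the natural point to fix it.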
From: ange
Date: Sun, 22 Dec 2024 05:08:23 +0000
Subject: [PATCH 02/20] feat: renovatebot

---
 compose.yaml | 8 +++----
 manifests/bin/createadmin.sh | 33 +++++++++++++++++++++++++++
 manifests/bin/deploy.sh | 27 ++++++++--------------
 manifests/common/app.yaml | 2 +-
 manifests/common/createadmin.yaml | 37 +++++++++++++++++++++++++++++++
 manifests/common/job.yaml | 12 ++++------
 manifests/common/renovate.yaml | 4 ++--
 7 files changed, 90 insertions(+), 33 deletions(-)
 create mode 100644 manifests/bin/createadmin.sh
 create mode 100644 manifests/common/createadmin.yaml

diff --git a/compose.yaml b/compose.yaml
index e2ae670..966146a 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -1,7 +1,7 @@
 ---
 services:
 db:
- image: docker.io/postgres:15
+ image: docker.io/postgres:17
 restart: unless-stopped
 environment:
 - POSTGRES_DB=db
@@ -20,16 +20,16 @@ services:
 - POSTGRES_HOST=db
 - GITEA__database__DB_TYPE=postgres
 - GITEA__database__HOST=db
+ - GITEA__database__NAME=db
 - GITEA__database__USER=db
 - GITEA__database__PASSWD=db
- - GITEA__service__DISABLE_REGISTRATION=true
 volumes:
- - data:/var/lib/gitea/
 - config:/etc/gitea/
+ - data:/var/lib/gitea/
 depends_on:
 - db
 volumes:
+ db: {}
 config: {}
 data: {}
- db: {}
diff --git a/manifests/bin/createadmin.sh b/manifests/bin/createadmin.sh
new file mode 100644
index 0000000..0c3c0c9
--- /dev/null
+++ b/manifests/bin/createadmin.sh
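Review bot: `image: docker.io/postgres:17` moves the database two major versions ahead while the `db` named volume declared below keeps the existing cluster files; Postgres does not start on a data directory initialised by another major version, so on any host that already ran this compose file the `db` service will crash-loop until the data is migrated with `pg_upgrade` or a dump/restore. If the compose stack is only a throwaway dev setup, say so in the commit message; otherwise the bump needs a migration step or a README note next to it.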
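Review bot: Dropping `GITEA__service__DISABLE_REGISTRATION=true` from the compose environment re-enables self-service account registration on that instance unless the app.ini inside the `config` volume sets `[service] DISABLE_REGISTRATION` itself; the commit message says nothing about wanting open registration, so this reads as accidental. Keep the line, or move the setting into app.ini so the compose and Kubernetes deployments agree on it.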
@@ -0,0 +1,33 @@
+#!/bin/bash -e
+
+function get_token() {
+ kubectl exec app-0 -- gitea admin user generate-access-token \
+ --username "$NAME" \
+ --token-name "${NAME^^}" \
+ --scopes "$scopes" \
+ | awk '{print $NF}'
+}
+
+export NAME="$1"
+scopes="$2"
+export EMAIL="$NAME@$BASE_URL"
+export SECRET="gitea-$NAME"
+
+if ! kubectl get secret "$SECRET" > /dev/null 2>&1; then
+ p="$(openssl rand -hex 32)"
+ kapply common/createadmin.yaml
+else
+ p="$(kgseckey "$SECRET" password)"
+fi
+
+opts=()
+if [ -n "$scopes" ]; then
+ token="$(kgseckey "$SECRET" token || get_token)"
+ opts+=(--from-literal=token="$token")
+fi
+
+kcreatesec "$SECRET" \
+ --from-literal=email="$NAME@$BASE_URL" \
+ --from-literal=username="$SECRET" \
+ --from-literal=password="$p" \
+ "${opts[@]}"
diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh
index 8753e74..2f10d1e 100755
--- a/manifests/bin/deploy.sh
+++ b/manifests/bin/deploy.sh
@@ -6,15 +6,15 @@ function kapply() {
 kubectl apply -f \
 <(envsubst "$(env | xargs printf '$%s ')" < "manifests/$f")
 done
-}
+}; export -f kapply
 
 function kcreatesec() {
 kubectl create secret generic --save-config --dry-run=client -oyaml "$@" | kubectl apply -f-
-}
+}; export -f kcreatesec
 
 function kcreatecm() {
 kubectl create configmap --dry-run=client -oyaml "$@" | kubectl apply -f-
-}
+}; export -f kcreatecm
 
 function kgseckey() {
 local sec="$1"; shift
@@ -23,7 +23,7 @@ function kgseckey() {
 if ! kubectl get secret "$sec" -ojson | jq -re ".data.\"$key\" // empty" | base64 -d; then
 return 1
 fi
-}
+}; export -f kgseckey
 
 function kgcmkey() {
 local cm="$1"; shift
@@ -32,7 +32,7 @@ function kgcmkey() {
 if ! kubectl get configmap "$cm" -ojson | jq -re ".data.\"$key\" // empty"; then
 return 1
 fi
-}
+}; export -f kgcmkey
 
 kapply common/db.yaml
 
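Review bot: `p="$(openssl rand -hex 32)"` is never exported under the name the Job expects — `common/createadmin.yaml` in this same patch reads `$PASS`, which is not in the environment when `kapply` runs envsubst, so the Job creates the user with an empty or literal `$PASS` password while the Secret written at the bottom stores `$p`, and the two never match. The minimal fix is `PASS="$p" kapply common/createadmin.yaml`; the better one is to create the Secret first and let the Job read it through `envFrom`/`secretRef`, as job.yaml did before this patch, so the password never passes through a substituted manifest. `scopes` is read by get_token without being exported, which works here only because get_token runs in this shell.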
@@ -46,14 +46,6 @@ export POSTGRES_DB; POSTGRES_DB="$(kgseckey postgres-app dbname)"
 export POSTGRES_USER; POSTGRES_USER="$(kgseckey postgres-app user)"
 export POSTGRES_PASSWORD; POSTGRES_PASSWORD="$(kgseckey postgres-app password)"
 
-GITEA_USERNAME="$(kgseckey gitea-admin username || echo gitea)"
-GITEA_PASSWORD="$(kgseckey gitea-admin password || openssl rand -hex 32)"
-
-kcreatesec gitea-admin \
- --from-literal=email="gitea@$BASE_URL" \
- --from-literal=username="$GITEA_USERNAME" \
- --from-literal=password="$GITEA_PASSWORD"
-
 kubectl run --image "$IMAGEAPP" secrets sleep 600
 sleep 5
 kcreatesec gitea \
@@ -71,15 +63,14 @@ kapply common/job.yaml \
 
 kubectl rollout restart statefulset app
 
-kubectl wait --timeout=5m --for=condition=complete job/createadminuser
-sleep 5
+kubectl wait --timeout=5m --for=condition=complete job/migrate
+
+./manifests/bin/createadmin.sh gitea
+./manifests/bin/createadmin.sh renovate 'write:repository,read:user,write:issue,read:organization'
 
 kcreatesec runner \
 --from-literal=token="$(kgseckey runner token ||  kubectl exec app-0 -- gitea actions generate-runner-token)"
 
-kcreatesec renovate \
- --from-literal=token="$(kgseckey renovate token || kubectl exec app-0 -- gitea admin user generate-access-token --username "$GITEA_USERNAME" --token-name RENOVATE --scopes 'write:repository,read:user,write:issue,read:organization' | grep -o '[a-f0-9]\+$')"
-
 kapply common/runner.yaml common/renovate.yaml
 kubectl rollout restart statefulset runner
diff --git a/manifests/common/app.yaml b/manifests/common/app.yaml
index e205f85..f1b54e1 100644
--- a/manifests/common/app.yaml
+++ b/manifests/common/app.yaml
@@ -5,7 +5,7 @@ metadata:
 name: app
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt-prod
- nginx.ingress.kubernetes.io/proxy-body-size: "512M"
+ nginx.ingress.kubernetes.io/proxy-body-size: "8G"
 spec:
 ingressClassName: nginx
 tls:
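Review bot: `./manifests/bin/createadmin.sh renovate '...'` provisions the Renovate bot through the same script as the human admin, and the Job that script applies (`common/createadmin.yaml` in this patch) runs `gitea admin user create --admin`, so the bot account is a site administrator even though its access token is limited to repository, issue, user and organization scopes. A bot that only needs those scopes should be a regular user: give createadmin.sh a way to omit `--admin` (a third argument or an `ADMIN=` variable, for example) and call it without admin for renovate, so the password stored in the `gitea-renovate` Secret cannot be used to act as an administrator if it leaks. The script name would then be worth revisiting as well.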
diff --git a/manifests/common/createadmin.yaml b/manifests/common/createadmin.yaml
new file mode 100644
index 0000000..7fc761d
--- /dev/null
+++ b/manifests/common/createadmin.yaml
@@ -0,0 +1,37 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: "createadmin-$NAME"
+spec:
+ template:
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: createuser
+ image: "$IMAGEAPP"
+ command:
+ - bash
+ - -c
+ - |
+ gitea admin user change-password --must-change-password=false \
+ --username "$NAME" \
+ --password "$PASS" 2> /dev/null \
+ || gitea admin user create --admin --must-change-password=false \
+ --email "$EMAIL" \
+ --username "$NAME" \
+ --password "$PASS"
+ volumeMounts:
+ - name: config
+ mountPath: /etc/gitea/app.ini
+ subPath: app.ini
+ - name: secrets
+ mountPath: /etc/gitea/secrets/
+ volumes:
+ - name: config
+ configMap:
+ name: gitea
+ - name: secrets
+ secret:
+ secretName: gitea
+ backoffLimit: 4
diff --git a/manifests/common/job.yaml b/manifests/common/job.yaml
index 0281b29..bdbe13b 100644
--- a/manifests/common/job.yaml
+++ b/manifests/common/job.yaml
@@ -2,21 +2,17 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: createadminuser
+ name: migrate
 spec:
 template:
 spec:
 restartPolicy: Never
 containers:
- - name: createadminuser
+ - name: migrate
 image: "$IMAGEAPP"
- envFrom:
- - secretRef:
- name: gitea-admin
 command:
- - bash
- - -c
- - 'gitea migrate && { gitea admin user change-password --username "$username" --password "$password" --must-change-password=false 2> /dev/null || gitea admin user create --admin --email "$email" --username "$username" --password "$password" --must-change-password=false; }'
+ - gitea
+ - migrate
 volumeMounts:
 - name: config
 mountPath: /etc/gitea/app.ini
diff --git a/manifests/common/renovate.yaml b/manifests/common/renovate.yaml
index 0167afe..427ee4e 100644
--- a/manifests/common/renovate.yaml
+++ b/manifests/common/renovate.yaml
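Review bot: `--password "$PASS"` inside `command` is expanded by envsubst before `kubectl apply`, so once that variable is wired up the plaintext password becomes part of the Job object and of every pod it spawns, readable by anyone who can `get jobs` or `get pods` in the namespace and retained until the Job is garbage-collected. The job.yaml being changed in the next hunk took its credentials through `envFrom: - secretRef: name: gitea-admin` instead; keep that pattern here, with `$NAME`/`$EMAIL`/`$PASS` read from the per-user Secret, and leave only non-secret fields to envsubst. The `2> /dev/null` on the change-password branch also hides why it failed, which makes the fallback `create` path hard to debug when `backoffLimit: 4` retries it.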
@@ -27,10 +27,10 @@ spec:
 - name: RENOVATE_USERNAME
 valueFrom:
 secretKeyRef:
- name: gitea-admin
+ name: gitea-renovate
 key: username
 - name: RENOVATE_TOKEN
 valueFrom:
 secretKeyRef:
- name: runner
+ name: gitea-renovate
 key: token
-- 
2.45.2

From 26f48e813285b3f0aaedd43cc9fcec41fe86aec8 Mon Sep 17 00:00:00 2001
From: ange
Date: Sun, 22 Dec 2024 05:14:43 +0000
Subject: [PATCH 03/20] fix: chmod +x

---
 manifests/bin/createadmin.sh | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 manifests/bin/createadmin.sh

diff --git a/manifests/bin/createadmin.sh b/manifests/bin/createadmin.sh
old mode 100644
new mode 100755
-- 
2.45.2

From 56e937a224de98b1c189271c2a0decd5797f98e8 Mon Sep 17 00:00:00 2001
From: ange
Date: Sun, 22 Dec 2024 05:26:20 +0000
Subject: [PATCH 04/20] fix: user secret name

---
 .env | 4 ++--
 manifests/bin/createadmin.sh | 2 +-
 manifests/bin/deploy.sh | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.env b/.env
index 15501e1..ea69377 100644
--- a/.env
+++ b/.env
@@ -1,3 +1,3 @@
 PROD_URL=git.gmoker.com
-IMAGEAPP=docker.io/gitea/gitea:1.22.2-rootless
-IMAGERUNNER=docker.io/gitea/act_runner:0.2.10-dind-rootless
+IMAGEAPP=docker.io/gitea/gitea:1.22.6-rootless
+IMAGERUNNER=docker.io/gitea/act_runner:0.2.11-dind-rootless
diff --git a/manifests/bin/createadmin.sh b/manifests/bin/createadmin.sh
index 0c3c0c9..3f372e4 100755
--- a/manifests/bin/createadmin.sh
+++ b/manifests/bin/createadmin.sh
@@ -28,6 +28,6 @@ fi
 
 kcreatesec "$SECRET" \
 --from-literal=email="$NAME@$BASE_URL" \
- --from-literal=username="$SECRET" \
+ --from-literal=username="$NAME" \
 --from-literal=password="$p" \
 "${opts[@]}"
diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh
index 2f10d1e..4ba4027 100755
--- a/manifests/bin/deploy.sh
+++ b/manifests/bin/deploy.sh
@@ -4,7 +4,7 @@ set -o pipefail
 function kapply() {
 for f in "$@"; do
 kubectl apply -f \
- <(envsubst "$(env | xargs printf '$%s ')" < "manifests/$f")
+ <(envsubst "$(env | xargs -0 printf '$%s ')" < "manifests/$f")
 done
 }; export -f kapply
 
@@ -55,7 +55,7 @@ kcreatesec gitea \
 kubectl delete pod secrets
 
 kcreatecm gitea \
- --from-file=app.ini=<(envsubst "$(env | xargs printf '$%s ')" < config/app.ini)
+ --from-file=app.ini=<(envsubst "$(env | xargs -0 printf '$%s ')" < config/app.ini)
 
 kapply common/job.yaml \
 common/valkey.yaml \
-- 
2.45.2

From a0e8849beba221e487b36180b39e0eb26c340652 Mon Sep 17 00:00:00 2001
From: ange
Date: Sun, 22 Dec 2024 05:27:39 +0000
Subject: [PATCH 05/20] fix: bad xargs -0

---
 manifests/bin/deploy.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh
index 4ba4027..2f10d1e 100755
--- a/manifests/bin/deploy.sh
+++ b/manifests/bin/deploy.sh
@@ -4,7 +4,7 @@ set -o pipefail
 function kapply() {
 for f in "$@"; do
 kubectl apply -f \
- <(envsubst "$(env | xargs -0 printf '$%s ')" < "manifests/$f")
+ <(envsubst "$(env | xargs printf '$%s ')" < "manifests/$f")
 done
 }; export -f kapply
 
@@ -55,7 +55,7 @@ kcreatesec gitea \
 kubectl delete pod secrets
 
 kcreatecm gitea \
- --from-file=app.ini=<(envsubst "$(env | xargs -0 printf '$%s ')" < config/app.ini)
+ --from-file=app.ini=<(envsubst "$(env | xargs printf '$%s ')" < config/app.ini)
 
 kapply common/job.yaml \
 common/valkey.yaml \
-- 
2.45.2

From 5e83c6fa8933297a95626b10281aa5d5c097eada Mon Sep 17 00:00:00 2001
From: ange
Date: Sun, 22 Dec 2024 05:43:37 +0000
Subject: [PATCH 06/20] fix: unstable secret generation

---
 manifests/bin/deploy.sh | 21 ++++++++++++++------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh
index 2f10d1e..f09219b 100755
--- a/manifests/bin/deploy.sh
+++ b/manifests/bin/deploy.sh
@@ -46,13 +46,20 @@ export POSTGRES_DB; POSTGRES_DB="$(kgseckey postgres-app dbname)" export POSTGRES_USER; POSTGRES_USER="$(kgseckey postgres-app user)" export POSTGRES_PASSWORD; POSTGRES_PASSWORD="$(kgseckey postgres-app password)" -kubectl run --image "$IMAGEAPP" secrets sleep 600 -sleep 5 -kcreatesec gitea \ - --from-literal=secret_key="$(kgseckey gitea secret_key || kubectl exec secrets -- gitea generate secret SECRET_KEY)" \ - --from-literal=internal_token="$(kgseckey gitea internal_token || kubectl exec secrets -- gitea generate secret INTERNAL_TOKEN)" \ - --from-literal=oauth2_jwt_secret="$(kgseckey gitea oauth2_jwt_secret || kubectl exec secrets -- gitea generate secret JWT_SECRET)" -kubectl delete pod secrets +# shellcheck disable=SC1090 +. <(kubectl run -i --rm --image "$IMAGEAPP" secrets -- bash < Date: Sun, 22 Dec 2024 05:45:39 +0000 Subject: [PATCH 07/20] fix: cat instead of CAT --- manifests/bin/deploy.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh index f09219b..f72dc70 100755 --- a/manifests/bin/deploy.sh +++ b/manifests/bin/deploy.sh @@ -48,7 +48,7 @@ export POSTGRES_PASSWORD; POSTGRES_PASSWORD="$(kgseckey postgres-app password)" # shellcheck disable=SC1090 . <(kubectl run -i --rm --image "$IMAGEAPP" secrets -- bash < Date: Sun, 22 Dec 2024 05:50:42 +0000 Subject: [PATCH 08/20] fix: simplify cat < Date: Sun, 22 Dec 2024 05:59:46 +0000 Subject: [PATCH 09/20] fix: kubectl run --- manifests/bin/deploy.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh index e30e998..76318a6 100755 --- a/manifests/bin/deploy.sh +++ b/manifests/bin/deploy.sh @@ -1,6 +1,7 @@ -#!/bin/bash -ex +#!/bin/bash -e set -o pipefail +set -x function kapply() { for f in "$@"; do kubectl apply -f \ 
@@ -47,7 +48,7 @@ export POSTGRES_USER; POSTGRES_USER="$(kgseckey postgres-app user)"
 export POSTGRES_PASSWORD; POSTGRES_PASSWORD="$(kgseckey postgres-app password)"
 
 # shellcheck disable=SC1090,SC2016
-. <(kubectl run -i --rm --image "$IMAGEAPP" secrets -- echo SECRET_KEY='$(gitea generate secret SECRET_KEY)' INTERNAL_TOKEN='$(gitea generate secret INTERNAL_TOKEN)' JWT_SECRET='$(gitea generate secret JWT_SECRET)')
+. <(kubectl run -i --rm --image "docker.io/gitea/gitea:1.22.6-rootless" secrets -- bash <<< 'echo SECRET_KEY="$(gitea generate secret SECRET_KEY)" INTERNAL_TOKEN="$(gitea generate secret INTERNAL_TOKEN)" JWT_SECRET="$(gitea generate secret JWT_SECRET)"')
 
 kcreate gitea \
 --from-literal=secret_key="$(kgseckey gitea secret_key || echo "$SECRET_KEY")" \
-- 
2.45.2

From 9463d7610f616fff82cec487cd6e5144d6799792 Mon Sep 17 00:00:00 2001
From: ange
Date: Sun, 22 Dec 2024 06:04:30 +0000
Subject: [PATCH 10/20] fix: k8s output on stdout

---
 manifests/bin/deploy.sh | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh
index 76318a6..51a83aa 100755
--- a/manifests/bin/deploy.sh
+++ b/manifests/bin/deploy.sh
@@ -1,11 +1,9 @@
 #!/bin/bash -e
 set -o pipefail
-set -x
 
 function kapply() {
 for f in "$@"; do
- kubectl apply -f \
- <(envsubst "$(env | xargs printf '$%s ')" < "manifests/$f")
+ kubectl apply -f <(envsubst < "manifests/$f")
 done
 }; export -f kapply
 
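Review bot: `. <(kubectl run -i --rm ... )` sources whatever the helper pod writes to stdout as shell code in the deploy shell, where the operator's kubeconfig and the exported database credentials are live; any unexpected output — a gitea warning, a swapped or tampered image, a compromised node — is executed with those privileges instead of being stored as a value. The `head -n1` added in the next commit only trims kubectl's trailing status line and does not make the content data. Capture the output, split it into the three variables and validate them before use, as below; the same line recurs in the hunks for patches 10, 11 and 20.
```shell
# shellcheck disable=SC2016
gen="$(kubectl run -i --rm --image "docker.io/gitea/gitea:1.22.6-rootless" secrets -- bash <<< 'echo "$(gitea generate secret SECRET_KEY)" "$(gitea generate secret INTERNAL_TOKEN)" "$(gitea generate secret JWT_SECRET)"' | head -n1)"
read -r SECRET_KEY INTERNAL_TOKEN JWT_SECRET <<< "$gen"
for v in "$SECRET_KEY" "$INTERNAL_TOKEN" "$JWT_SECRET"; do
  # accept only token characters; reject anything that looks like shell or a diagnostic
  # TODO confirm the exact alphabet 'gitea generate secret' emits before tightening further
  [[ "$v" =~ ^[A-Za-z0-9._-]+$ ]] || { printf 'unexpected output from secret generation\n' >&2; exit 1; }
done
# … unchanged: kcreate gitea … (reads the three variables as before)
```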
@@ -48,7 +46,7 @@ export POSTGRES_USER; POSTGRES_USER="$(kgseckey postgres-app user)"
 export POSTGRES_PASSWORD; POSTGRES_PASSWORD="$(kgseckey postgres-app password)"
 
 # shellcheck disable=SC1090,SC2016
-. <(kubectl run -i --rm --image "docker.io/gitea/gitea:1.22.6-rootless" secrets -- bash <<< 'echo SECRET_KEY="$(gitea generate secret SECRET_KEY)" INTERNAL_TOKEN="$(gitea generate secret INTERNAL_TOKEN)" JWT_SECRET="$(gitea generate secret JWT_SECRET)"')
+. <(kubectl run -i --rm --image "docker.io/gitea/gitea:1.22.6-rootless" secrets -- bash <<< 'echo SECRET_KEY="$(gitea generate secret SECRET_KEY)" INTERNAL_TOKEN="$(gitea generate secret INTERNAL_TOKEN)" JWT_SECRET="$(gitea generate secret JWT_SECRET)"' | head -n1)
 
 kcreate gitea \
 --from-literal=secret_key="$(kgseckey gitea secret_key || echo "$SECRET_KEY")" \
@@ -56,7 +54,7 @@ kcreate gitea \
 --from-literal=oauth2_jwt_secret="$(kgseckey gitea oauth2_jwt_secret || echo "$JWT_SECRET")"
 
 kcreatecm gitea \
- --from-file=app.ini=<(envsubst "$(env | xargs printf '$%s ')" < config/app.ini)
+ --from-file=app.ini=<(envsubst < config/app.ini)
 
 kapply common/job.yaml \
 common/valkey.yaml \
-- 
2.45.2

From 0a86bed0ce4c8d1f9885f3aabd3556bdb4153c4b Mon Sep 17 00:00:00 2001
From: ange
Date: Sun, 22 Dec 2024 06:05:16 +0000
Subject: [PATCH 11/20] fix: typo

---
 manifests/bin/deploy.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh
index 51a83aa..8198027 100755
--- a/manifests/bin/deploy.sh
+++ b/manifests/bin/deploy.sh
@@ -48,7 +48,7 @@ export POSTGRES_PASSWORD; POSTGRES_PASSWORD="$(kgseckey postgres-app password)"
 # shellcheck disable=SC1090,SC2016
 . <(kubectl run -i --rm --image "docker.io/gitea/gitea:1.22.6-rootless" secrets -- bash <<< 'echo SECRET_KEY="$(gitea generate secret SECRET_KEY)" INTERNAL_TOKEN="$(gitea generate secret INTERNAL_TOKEN)" JWT_SECRET="$(gitea generate secret JWT_SECRET)"' | head -n1)
 
-kcreate gitea \
+kcreatesec gitea \
 --from-literal=secret_key="$(kgseckey gitea secret_key || echo "$SECRET_KEY")" \
 --from-literal=internal_token="$(kgseckey gitea internal_token || echo "$INTERNAL_TOKEN")" \
 --from-literal=oauth2_jwt_secret="$(kgseckey gitea oauth2_jwt_secret || echo "$JWT_SECRET")"
-- 
2.45.2

From 0fd5175a1d6097dd35e673cc5433f08a616b86be Mon Sep 17 00:00:00 2001
From: ange
Date: Sun, 22 Dec 2024 06:15:20 +0000
Subject: [PATCH 12/20] fix: create user from secret instead of env

---
 manifests/bin/createadmin.sh | 35 ++++++++++++++-----------------
 manifests/common/createadmin.yaml | 17 ++++++++-------
 2 files changed, 26 insertions(+), 26 deletions(-)

diff --git a/manifests/bin/createadmin.sh b/manifests/bin/createadmin.sh
index 3f372e4..88a38d0 100755
--- a/manifests/bin/createadmin.sh
+++ b/manifests/bin/createadmin.sh
@@ -2,32 +2,29 @@
 
 function get_token() {
 kubectl exec app-0 -- gitea admin user generate-access-token \
- --username "$NAME" \
- --token-name "${NAME^^}" \
+ --username "$name" \
+ --token-name "${name^^}" \
 --scopes "$scopes" \
 | awk '{print $NF}'
 }
 
-export NAME="$1"
+name="$1"
 scopes="$2"
-export EMAIL="$NAME@$BASE_URL"
-export SECRET="gitea-$NAME"
+email="$name@$BASE_URL"
+secret="gitea-$name"
 
-if ! kubectl get secret "$SECRET" > /dev/null 2>&1; then
- p="$(openssl rand -hex 32)"
- kapply common/createadmin.yaml
-else
- p="$(kgseckey "$SECRET" password)"
+if ! kubectl get secret "$secret" > /dev/null 2>&1; then
+ kcreatesec "$secret" \
+ --from-literal=email="$email" \
+ --from-literal=username="$name" \
+ --from-literal=password="$(openssl rand -hex 32)"
+ SECRET="$secret" kapply common/createadmin.yaml
 fi
 
-opts=()
 if [ -n "$scopes" ]; then
- token="$(kgseckey "$SECRET" token || get_token)"
- opts+=(--from-literal=token="$token")
+ kcreatesec "$secret" \
+ --from-literal=email="$email" \
+ --from-literal=username="$name" \
+ --from-literal=password="$(kgseckey "$secret" password)" \
+ --from-literal=token="$(kgseckey "$secret" token || get_token)"
 fi
-
-kcreatesec "$SECRET" \
- --from-literal=email="$NAME@$BASE_URL" \
- --from-literal=username="$NAME" \
- --from-literal=password="$p" \
- "${opts[@]}"
diff --git a/manifests/common/createadmin.yaml b/manifests/common/createadmin.yaml
index 7fc761d..3afa493 100644
--- a/manifests/common/createadmin.yaml
+++ b/manifests/common/createadmin.yaml
@@ -10,17 +10,20 @@ spec:
 containers:
 - name: createuser
 image: "$IMAGEAPP"
+ envFrom:
+ - secretRef:
+ name: "$SECRET"
 command:
 - bash
 - -c
 - |
- gitea admin user change-password --must-change-password=false \
- --username "$NAME" \
- --password "$PASS" 2> /dev/null \
- || gitea admin user create --admin --must-change-password=false \
- --email "$EMAIL" \
- --username "$NAME" \
- --password "$PASS"
+ gitea admin user change-password --must-change-password=false
+ --username "$username"
+ --password "$password"
+ || gitea admin user create --admin --must-change-password=false
+ --email "$email"
+ --username "$username"
+ --password "$password"
 volumeMounts:
 - name: config
 mountPath: /etc/gitea/app.ini
-- 
2.45.2

From 8ac305f1ccf2f0fc189faf6a38cd13767a00f281 Mon Sep 17 00:00:00 2001
From: ange
Date: Sun, 22 Dec 2024 06:23:58 +0000
Subject: [PATCH 13/20] fix: wrong job name

---
 manifests/bin/createadmin.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/manifests/bin/createadmin.sh b/manifests/bin/createadmin.sh
index 88a38d0..477095a 100755
--- a/manifests/bin/createadmin.sh
+++ b/manifests/bin/createadmin.sh
@@ -18,7 +18,7 @@ if ! kubectl get secret "$secret" > /dev/null 2>&1; then
 --from-literal=email="$email" \
 --from-literal=username="$name" \
 --from-literal=password="$(openssl rand -hex 32)"
- SECRET="$secret" kapply common/createadmin.yaml
+ NAME="$name" SECRET="$secret" kapply common/createadmin.yaml
 fi
 
 if [ -n "$scopes" ]; then
-- 
2.45.2

From 5fc4963f7c20d1739fbea0cc1a7ca3b5fa813f90 Mon Sep 17 00:00:00 2001
From: ange
Date: Sun, 22 Dec 2024 06:33:27 +0000
Subject: [PATCH 14/20] fix: runner token not generated on first deploy

---
 manifests/bin/createadmin.sh | 2 +-
 manifests/bin/deploy.sh | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/manifests/bin/createadmin.sh b/manifests/bin/createadmin.sh
index 477095a..3b2d301 100755
--- a/manifests/bin/createadmin.sh
+++ b/manifests/bin/createadmin.sh
@@ -1,7 +1,7 @@
 #!/bin/bash -e
 
 function get_token() {
- kubectl exec app-0 -- gitea admin user generate-access-token \
+ kubectl exec statefulset/app -- gitea admin user generate-access-token \
 --username "$name" \
 --token-name "${name^^}" \
 --scopes "$scopes" \
diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh
index 8198027..7947f4d 100755
--- a/manifests/bin/deploy.sh
+++ b/manifests/bin/deploy.sh
@@ -62,13 +62,14 @@ kapply common/job.yaml \
 
 kubectl rollout restart statefulset app
+kubectl rollout status statefulset app
 kubectl wait --timeout=5m --for=condition=complete job/migrate
 
 ./manifests/bin/createadmin.sh gitea
 ./manifests/bin/createadmin.sh renovate 'write:repository,read:user,write:issue,read:organization'
 
 kcreatesec runner \
- --from-literal=token="$(kgseckey runner token || kubectl exec app-0 -- gitea actions generate-runner-token)"
+ --from-literal=token="$(kgseckey runner token || kubectl exec statefulset/app -- gitea actions generate-runner-token)"
 
 kapply common/runner.yaml common/renovate.yaml
-- 
2.45.2

From 5395428902b8d463f098d699d9ea4abe69cfad2c Mon Sep 17 00:00:00 2001
From: ange
Date: Sun, 22 Dec 2024 06:37:39 +0000
Subject: [PATCH 15/20] fix typo

---
 manifests/common/createadmin.yaml | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/manifests/common/createadmin.yaml b/manifests/common/createadmin.yaml
index 3afa493..9355cd0 100644
--- a/manifests/common/createadmin.yaml
+++ b/manifests/common/createadmin.yaml
@@ -16,14 +16,13 @@ spec:
 command:
 - bash
 - -c
- - |
- gitea admin user change-password --must-change-password=false
- --username "$username"
- --password "$password"
- || gitea admin user create --admin --must-change-password=false
- --email "$email"
- --username "$username"
- --password "$password"
+ - gitea admin user change-password --must-change-password=false \
+ --username "$username" \
+ --password "$password" \
+ || gitea admin user create --admin --must-change-password=false \
+ --email "$email" \
+ --username "$username" \
+ --password "$password" \
 volumeMounts:
 - name: config
 mountPath: /etc/gitea/app.ini
-- 
2.45.2

From db7a6b226d06b95f0dfdb1d4105ce91ed0cfa745 Mon Sep 17 00:00:00 2001
From: ange
Date: Sun, 22 Dec 2024 06:47:14 +0000
Subject: [PATCH 16/20] fix: create user from main pod instead of job

---
 manifests/bin/createadmin.sh | 32 ++++++++++++++-----------
 manifests/common/createadmin.yaml | 39 -------------------------------
 2 files changed, 19 insertions(+), 52 deletions(-)
 delete mode 100644 manifests/common/createadmin.yaml

diff --git a/manifests/bin/createadmin.sh b/manifests/bin/createadmin.sh
index 3b2d301..06321c6 100755
--- a/manifests/bin/createadmin.sh
+++ b/manifests/bin/createadmin.sh
@@ -12,19 +12,25 @@ name="$1"
 scopes="$2"
 email="$name@$BASE_URL"
 secret="gitea-$name"
+passwd="$(kgseckey "$secret" password)"
 
-if ! kubectl get secret "$secret" > /dev/null 2>&1; then
- kcreatesec "$secret" \
- --from-literal=email="$email" \
- --from-literal=username="$name" \
- --from-literal=password="$(openssl rand -hex 32)"
- NAME="$name" SECRET="$secret" kapply common/createadmin.yaml
+if [ -z "$passwd" ]; then
+ passwd="$(openssl rand -hex 32)"
+ kubectl exec statefulset/app -- \
+ gitea admin user create --admin --must-change-password=false \
+ --email "$email" \
+ --username "$name" \
+ --password "$passwd"
 fi
 
-if [ -n "$scopes" ]; then
- kcreatesec "$secret" \
- --from-literal=email="$email" \
- --from-literal=username="$name" \
- --from-literal=password="$(kgseckey "$secret" password)" \
- --from-literal=token="$(kgseckey "$secret" token || get_token)"
-fi
+opts=()
+[ -n "$scopes" ] && opts+=(
+ --from-literal=token="$(kgseckey "$secret" token || get_token)"
+ --from-literal=tokenscopes="$scopes"
+)
+
+kcreatesec "$secret" \
+ --from-literal=email="$email" \
+ --from-literal=username="$name" \
+ --from-literal=password="$passwd" \
+ "${opts[@]}"
diff --git a/manifests/common/createadmin.yaml b/manifests/common/createadmin.yaml
deleted file mode 100644
index 9355cd0..0000000
--- a/manifests/common/createadmin.yaml
+++ /dev/null
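Review bot: When `passwd` comes back empty the new branch only runs `gitea admin user create`, so a deploy that created the user but died before `kcreatesec` — or whose `gitea-<name>` Secret was later deleted — cannot recover: the next run generates a fresh password, `create` fails because the user already exists, and `-e` aborts the script. The Job this commit deletes handled exactly that case with `change-password ... || create ...`; keep the fallback in the exec form, as below. Separately, `--password "$passwd"` travels as a process argument inside the app pod and is visible in that container's process list while the command runs; Gitea's `--random-password` option, if the image's version supports it, would keep the value off the command line at the cost of parsing it from stdout.
```shell
if [ -z "$passwd" ]; then
  passwd="$(openssl rand -hex 32)"
  # the user may exist from an earlier run whose Secret was lost: reset the password instead of failing
  kubectl exec statefulset/app -- \
    gitea admin user change-password --must-change-password=false \
      --username "$name" \
      --password "$passwd" \
  || kubectl exec statefulset/app -- \
    gitea admin user create --admin --must-change-password=false \
      --email "$email" \
      --username "$name" \
      --password "$passwd"
fi
# … unchanged: opts / kcreatesec …
```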
@@ -1,39 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: "createadmin-$NAME"
-spec:
- template:
- spec:
- restartPolicy: Never
- containers:
- - name: createuser
- image: "$IMAGEAPP"
- envFrom:
- - secretRef:
- name: "$SECRET"
- command:
- - bash
- - -c
- - gitea admin user change-password --must-change-password=false \
- --username "$username" \
- --password "$password" \
- || gitea admin user create --admin --must-change-password=false \
- --email "$email" \
- --username "$username" \
- --password "$password" \
- volumeMounts:
- - name: config
- mountPath: /etc/gitea/app.ini
- subPath: app.ini
- - name: secrets
- mountPath: /etc/gitea/secrets/
- volumes:
- - name: config
- configMap:
- name: gitea
- - name: secrets
- secret:
- secretName: gitea
- backoffLimit: 4
-- 
2.45.2

From bf3cb015f0d42cb3ce1d195c75985586391af621 Mon Sep 17 00:00:00 2001
From: ange
Date: Sun, 22 Dec 2024 06:58:29 +0000
Subject: [PATCH 17/20] debug

---
 manifests/bin/createadmin.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/manifests/bin/createadmin.sh b/manifests/bin/createadmin.sh
index 06321c6..69b33b8 100755
--- a/manifests/bin/createadmin.sh
+++ b/manifests/bin/createadmin.sh
@@ -23,6 +23,8 @@ if [ -z "$passwd" ]; then
 --password "$passwd"
 fi
 
+set -x
+
 opts=()
 [ -n "$scopes" ] && opts+=(
 --from-literal=token="$(kgseckey "$secret" token || get_token)"
-- 
2.45.2

From 6fe60b9e572f698034dba98b5e872b97b46011fd Mon Sep 17 00:00:00 2001
From: ange
Date: Sun, 22 Dec 2024 07:05:23 +0000
Subject: [PATCH 18/20] fix: pipefail to catch errors

---
 manifests/bin/createadmin.sh | 3 +--
 manifests/bin/devel.sh | 1 +
 manifests/bin/prod.sh | 1 +
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/manifests/bin/createadmin.sh b/manifests/bin/createadmin.sh
index 69b33b8..dcefe09 100755
--- a/manifests/bin/createadmin.sh
+++ b/manifests/bin/createadmin.sh
@@ -1,4 +1,5 @@
 #!/bin/bash -e
+set -o pipefail
 
 function get_token() {
 kubectl exec statefulset/app -- gitea admin user generate-access-token \
@@ -23,8 +24,6 @@ if [ -z "$passwd" ]; then
 --password "$passwd"
 fi
 
-set -x
-
 opts=()
 [ -n "$scopes" ] && opts+=(
 --from-literal=token="$(kgseckey "$secret" token || get_token)"
diff --git a/manifests/bin/devel.sh b/manifests/bin/devel.sh
index 464c4d0..65675aa 100755
--- a/manifests/bin/devel.sh
+++ b/manifests/bin/devel.sh
@@ -1,4 +1,5 @@
 #!/bin/bash -e
+set -o pipefail
 
 export NB_REPLICAS=1
 
diff --git a/manifests/bin/prod.sh b/manifests/bin/prod.sh
index ea8a78f..142f57f 100755
--- a/manifests/bin/prod.sh
+++ b/manifests/bin/prod.sh
@@ -1,4 +1,5 @@
 #!/bin/bash -e
+set -o pipefail
 
 # TODO: 3
 export NB_REPLICAS=1
-- 
2.45.2

From 8d8c2c180e20b7d2d8c0225356ea3f47eaa85e86 Mon Sep 17 00:00:00 2001
From: ange
Date: Sun, 22 Dec 2024 07:11:02 +0000
Subject: [PATCH 19/20] fix: crash if password doesn't exist

---
 manifests/bin/createadmin.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/manifests/bin/createadmin.sh b/manifests/bin/createadmin.sh
index dcefe09..8691667 100755
--- a/manifests/bin/createadmin.sh
+++ b/manifests/bin/createadmin.sh
@@ -13,7 +13,7 @@ name="$1"
 scopes="$2"
 email="$name@$BASE_URL"
 secret="gitea-$name"
-passwd="$(kgseckey "$secret" password)"
+passwd="$(kgseckey "$secret" password || true)"
 
 if [ -z "$passwd" ]; then
 passwd="$(openssl rand -hex 32)"
-- 
2.45.2

From 9ca9ea411bddbda24d2a81ce9e52695643ac81e0 Mon Sep 17 00:00:00 2001
From: ange
Date: Mon, 23 Dec 2024 02:13:47 +0000
Subject: [PATCH 20/20] fix: hardcoded image name

---
 manifests/bin/deploy.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh
index 7947f4d..ad2271f 100755
--- a/manifests/bin/deploy.sh
+++ b/manifests/bin/deploy.sh
@@ -46,7 +46,7 @@ export POSTGRES_USER; POSTGRES_USER="$(kgseckey postgres-app user)"
 export POSTGRES_PASSWORD; POSTGRES_PASSWORD="$(kgseckey postgres-app password)"
 
 # shellcheck disable=SC1090,SC2016
-. <(kubectl run -i --rm --image "docker.io/gitea/gitea:1.22.6-rootless" secrets -- bash <<< 'echo SECRET_KEY="$(gitea generate secret SECRET_KEY)" INTERNAL_TOKEN="$(gitea generate secret INTERNAL_TOKEN)" JWT_SECRET="$(gitea generate secret JWT_SECRET)"' | head -n1)
+. <(kubectl run -i --rm --image "$IMAGEAPP" secrets -- bash <<< 'echo SECRET_KEY="$(gitea generate secret SECRET_KEY)" INTERNAL_TOKEN="$(gitea generate secret INTERNAL_TOKEN)" JWT_SECRET="$(gitea generate secret JWT_SECRET)"' | head -n1)
 
 kcreatesec gitea \
 --from-literal=secret_key="$(kgseckey gitea secret_key || echo "$SECRET_KEY")" \
-- 
2.45.2