From 834dda8a79f51e6b58f7ab2d2a7063de821a3ce0 Mon Sep 17 00:00:00 2001 From: ange Date: Wed, 15 May 2024 19:14:47 +0200 Subject: [PATCH 01/24] fix: gitea admin no must-change-password --- manifests/common/job.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/common/job.yaml b/manifests/common/job.yaml index 9bf186f..106e68d 100644 --- a/manifests/common/job.yaml +++ b/manifests/common/job.yaml @@ -16,7 +16,7 @@ spec: command: - bash - -c - - 'gitea migrate && { gitea admin user change-password --username "$username" --password "$password" 2> /dev/null || gitea admin user create --admin --email "$email" --username "$username" --password "$password"; }' + - 'gitea migrate && { gitea admin user change-password --username "$username" --password "$password" --must-change-password=false 2> /dev/null || gitea admin user create --admin --email "$email" --username "$username" --password "$password" --must-change-password=false; }' volumeMounts: - name: config mountPath: /etc/gitea/app.ini -- 2.45.2 From 6c4f952fb887d669eebe1c91e7eb98bfd3a814a1 Mon Sep 17 00:00:00 2001 From: ange Date: Wed, 15 May 2024 19:15:01 +0200 Subject: [PATCH 02/24] feat: prod ssh service --- manifests/bin/prod.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/bin/prod.sh b/manifests/bin/prod.sh index bd12c83..b8e13b9 100755 --- a/manifests/bin/prod.sh +++ b/manifests/bin/prod.sh @@ -5,4 +5,4 @@ export NB_REPLICAS=1 . ./manifests/bin/deploy.sh -#kapply prod/ssh.yaml +kapply prod/ssh.yaml -- 2.45.2 From 65e575b98387b61416949cc9873fe757b0dd7418 Mon Sep 17 00:00:00 2001 From: ange Date: Wed, 15 May 2024 23:40:08 +0200 Subject: [PATCH 03/24] feat: rename cm gitea-config -> gitea --- manifests/bin/deploy.sh | 2 +- manifests/common/app.yaml | 4 +--- manifests/common/job.yaml | 4 +--- 3 files changed, 3 insertions(+), 7 deletions(-) diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh index 2b92530..5288b75 100755 
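Review bot: In the `job.yaml` hunk of [PATCH 01/24], `2> /dev/null ||` treats every failure of `gitea admin user change-password` as "user does not exist" and falls through to `gitea admin user create --admin`, while discarding the only message that would say what actually went wrong. Dropping the redirect keeps that error in the Job log. Both branches also pass `--password "$password"` as an argument, so the admin password is visible in the container's process listing while the command runs; I would record that trade-off in a comment above the command, e.g. `# password is passed on argv: keep exec/debug access to this pod restricted`. The container spec starts and ends outside the hunk.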
--- a/manifests/bin/deploy.sh +++ b/manifests/bin/deploy.sh @@ -54,7 +54,7 @@ kcreatesec gitea-secrets \ --from-literal=secret_key="$(kgseckey gitea-secrets secret_key || openssl rand -hex 32)" \ --from-literal=internal_token="$(kgseckey gitea-secrets internal_token || openssl rand -hex 32)" -kcreatecm gitea-config \ +kcreatecm gitea \ --from-file=app.ini=<(envsubst "$(env | xargs printf '$%s ')" < app.ini) kapply common/job.yaml \ diff --git a/manifests/common/app.yaml b/manifests/common/app.yaml index f0a71ed..e9a7990 100644 --- a/manifests/common/app.yaml +++ b/manifests/common/app.yaml @@ -68,16 +68,14 @@ spec: - name: config mountPath: /etc/gitea/app.ini subPath: app.ini - readOnly: true - name: secrets mountPath: /etc/gitea/secrets/ - readOnly: true securityContext: fsGroup: 1000 volumes: - name: config configMap: - name: gitea-config + name: gitea - name: secrets secret: secretName: gitea-secrets diff --git a/manifests/common/job.yaml b/manifests/common/job.yaml index 106e68d..e602597 100644 --- a/manifests/common/job.yaml +++ b/manifests/common/job.yaml @@ -21,14 +21,12 @@ spec: - name: config mountPath: /etc/gitea/app.ini subPath: app.ini - readOnly: true - name: secrets mountPath: /etc/gitea/secrets/ - readOnly: true volumes: - name: config configMap: - name: gitea-config + name: gitea - name: secrets secret: secretName: gitea-secrets -- 2.45.2 From 3a96e92229cb5b45ca8f3004667715de49bb828e Mon Sep 17 00:00:00 2001 From: ange Date: Wed, 15 May 2024 23:55:56 +0200 Subject: [PATCH 04/24] fix: only ssh.yaml in prod --- manifests/bin/prod.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/manifests/bin/prod.sh b/manifests/bin/prod.sh index b8e13b9..ea8a78f 100755 --- a/manifests/bin/prod.sh +++ b/manifests/bin/prod.sh @@ -5,4 +5,6 @@ export NB_REPLICAS=1 . ./manifests/bin/deploy.sh -kapply prod/ssh.yaml +if [ "$GITHUB_REF_NAME" = prod ]; then + kapply prod/ssh.yaml +fi -- 2.45.2 
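Review bot: The `app.yaml` and `job.yaml` hunks of [PATCH 03/24] also delete `readOnly: true` from the `config` and `secrets` volumeMounts, which the subject (a ConfigMap rename) does not mention. Current kubelets mount ConfigMap and Secret volumes read-only regardless, so this is probably harmless at runtime, but the explicit flag is what manifest scanners and admission policies check, and it documents intent. I would keep `readOnly: true` under both mounts in both files, or move the removal to its own commit with the reason stated. The pod specs start and end outside these hunks.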
From a05a7594898069870748a5c45939711daa8f80e7 Mon Sep 17 00:00:00 2001 From: ange Date: Wed, 22 May 2024 18:15:31 +0200 Subject: [PATCH 05/24] feat: renovatebot --- app.ini => config/app.ini | 0 manifests/bin/deploy.sh | 24 +++++++++++------------- manifests/common/renovate.yaml | 31 +++++++++++++++++++++++++++++++ 3 files changed, 42 insertions(+), 13 deletions(-) rename app.ini => config/app.ini (100%) create mode 100644 manifests/common/renovate.yaml diff --git a/app.ini b/config/app.ini similarity index 100% rename from app.ini rename to config/app.ini diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh index 5288b75..f11015f 100755 --- a/manifests/bin/deploy.sh +++ b/manifests/bin/deploy.sh @@ -42,8 +42,8 @@ export POSTGRES_DB; POSTGRES_DB="$(kgseckey postgres-app dbname)" export POSTGRES_USER; POSTGRES_USER="$(kgseckey postgres-app user)" export POSTGRES_PASSWORD; POSTGRES_PASSWORD="$(kgseckey postgres-app password)" -export GITEA_USERNAME="$(kgseckey gitea-admin username || echo gitea)" -export GITEA_PASSWORD="$(kgseckey gitea-admin password || openssl rand -hex 32)" +GITEA_USERNAME="$(kgseckey gitea-admin username || echo gitea)" +GITEA_PASSWORD="$(kgseckey gitea-admin password || openssl rand -hex 32)" kcreatesec gitea-admin \ --from-literal=email="gitea@$BASE_URL" \ @@ -55,7 +55,7 @@ kcreatesec gitea-secrets \ --from-literal=internal_token="$(kgseckey gitea-secrets internal_token || openssl rand -hex 32)" kcreatecm gitea \ - --from-file=app.ini=<(envsubst "$(env | xargs printf '$%s ')" < app.ini) + --from-file=app.ini=<(envsubst "$(env | xargs printf '$%s ')" < config/app.ini) kapply common/job.yaml \ common/redis.yaml \ 
@@ -65,14 +65,12 @@ kubectl rollout restart statefulset app kubectl rollout status sts app -for i in {0..9}; do - RUNNER_TOKEN="$(kubectl exec app-0 -- curl -sS "http://$GITEA_USERNAME:$GITEA_PASSWORD@app/api/v1/admin/runners/registration-token" | jq -r '.token // empty' || true)" +RUNNER_TOKEN="$(kgseckey runner-secret token || kubectl exec app-0 -- gitea actions generate-runner-token)" +kcreatesec runner-secret --from-literal=token="$RUNNER_TOKEN" - if [ -n "$RUNNER_TOKEN" ]; then - kcreatesec runner-secret --from-literal=token="$RUNNER_TOKEN" - kapply common/runner.yaml - kubectl rollout restart statefulset runner - break - fi - sleep 5 -done +RENOVATE_TOKEN="$(kgseckey renovate-secret token || kubectl exec app-0 -- gitea admin user generate-access-token --username "$GITEA_USERNAME" --token-name RENOVATE --scopes 'write:repository,read:user,write:issue,read:organization' | grep -o '[a-f0-9]\+$')" +kcreatesec renovate-secret --from-literal=token="$RENOVATE_TOKEN" + +kapply common/runner.yaml common/renovate.yaml + +kubectl rollout restart statefulset runner diff --git a/manifests/common/renovate.yaml b/manifests/common/renovate.yaml new file mode 100644 index 0000000..159e02c --- /dev/null +++ b/manifests/common/renovate.yaml @@ -0,0 +1,31 @@ +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: renovate +spec: + schedule: '0 0 * * 1' + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + spec: + restartPolicy: Never + containers: + - name: renovate + image: docker.io/renovate/renovate:slim + imagePullPolicy: Always + env: + - name: LOG_LEVEL + value: debug + - name: RENOVATE_AUTODISCOVER + value: 'true' + - name: RENOVATE_PLATFORM + value: gitea + - name: RENOVATE_ENDPOINT + value: "https://$BASE_URL/api/v1" + - name: RENOVATE_TOKEN + valueFrom: + secretKeyRef: + name: runner-secret + key: token -- 2.45.2 From d61eb9dffd1fadcf097b8a8cc47742c8c64cef46 Mon Sep 17 00:00:00 2001 
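Review bot: In the last `deploy.sh` hunk of [PATCH 05/24], the Renovate token is minted with `--username "$GITEA_USERNAME"`, which is the account the init Job creates with `--admin`, so the bot's long-lived credential belongs to the instance administrator. The `--scopes` list narrows what the token can call, but a dedicated non-admin bot user added only to the repositories it should update would keep a leaked token from being an administrator's token. Separately, `grep -o '[a-f0-9]\+$'` matches the tail of any output line ending in hex characters, so an error message could be stored as the token; checking the exit status of `generate-access-token` before parsing would avoid that.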
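Review bot: `RENOVATE_TOKEN` in the new `renovate.yaml` reads `secretKeyRef.name: runner-secret`, which is the Actions runner registration token, while `deploy.sh` in the same commit stores the Renovate access token in `renovate-secret`; the reference should be `name: renovate-secret`. The `renovate.yaml` hunk of [PATCH 06/24] carries the same mismatch forward as `name: runner`. The image is also the mutable tag `docker.io/renovate/renovate:slim` with `imagePullPolicy: Always`, so whatever that tag points to on each run receives a token with `write:repository`; pinning a version or digest makes that reviewable. `LOG_LEVEL: debug` is worth revisiting once the job works, since debug output from a tool holding credentials tends to end up in log storage.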
From: ange Date: Wed, 22 May 2024 18:21:43 +0200 Subject: [PATCH 06/24] fix: remove -secret from secrets --- manifests/bin/deploy.sh | 14 +++++++------- manifests/common/app.yaml | 2 +- manifests/common/job.yaml | 2 +- manifests/common/renovate.yaml | 2 +- manifests/common/runner.yaml | 2 +- 5 files changed, 11 insertions(+), 11 deletions(-) diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh index f11015f..fd314cc 100755 --- a/manifests/bin/deploy.sh +++ b/manifests/bin/deploy.sh @@ -50,9 +50,9 @@ kcreatesec gitea-admin \ --from-literal=username="$GITEA_USERNAME" \ --from-literal=password="$GITEA_PASSWORD" -kcreatesec gitea-secrets \ - --from-literal=secret_key="$(kgseckey gitea-secrets secret_key || openssl rand -hex 32)" \ - --from-literal=internal_token="$(kgseckey gitea-secrets internal_token || openssl rand -hex 32)" +kcreatesec gitea \ + --from-literal=secret_key="$(kgseckey gitea secret_key || openssl rand -hex 32)" \ + --from-literal=internal_token="$(kgseckey gitea internal_token || openssl rand -hex 32)" kcreatecm gitea \ --from-file=app.ini=<(envsubst "$(env | xargs printf '$%s ')" < config/app.ini) 
@@ -65,11 +65,11 @@ kubectl rollout restart statefulset app kubectl rollout status sts app -RUNNER_TOKEN="$(kgseckey runner-secret token || kubectl exec app-0 -- gitea actions generate-runner-token)" -kcreatesec runner-secret --from-literal=token="$RUNNER_TOKEN" +kcreatesec runner \ + --from-literal=token="$(kgseckey runner token || kubectl exec app-0 -- gitea actions generate-runner-token)" -RENOVATE_TOKEN="$(kgseckey renovate-secret token || kubectl exec app-0 -- gitea admin user generate-access-token --username "$GITEA_USERNAME" --token-name RENOVATE --scopes 'write:repository,read:user,write:issue,read:organization' | grep -o '[a-f0-9]\+$')" -kcreatesec renovate-secret --from-literal=token="$RENOVATE_TOKEN" +kcreatesec renovate \ + --from-literal=token="$(kgseckey renovate token || kubectl exec app-0 -- gitea admin user generate-access-token --username "$GITEA_USERNAME" --token-name RENOVATE --scopes 'write:repository,read:user,write:issue,read:organization' | grep -o '[a-f0-9]\+$')" kapply common/runner.yaml common/renovate.yaml diff --git a/manifests/common/app.yaml b/manifests/common/app.yaml index e9a7990..e205f85 100644 --- a/manifests/common/app.yaml +++ b/manifests/common/app.yaml @@ -78,7 +78,7 @@ spec: name: gitea - name: secrets secret: - secretName: gitea-secrets + secretName: gitea volumeClaimTemplates: - metadata: name: data diff --git a/manifests/common/job.yaml b/manifests/common/job.yaml index e602597..0281b29 100644 --- a/manifests/common/job.yaml +++ b/manifests/common/job.yaml @@ -29,5 +29,5 @@ spec: name: gitea - name: secrets secret: - secretName: gitea-secrets + secretName: gitea backoffLimit: 4 diff --git a/manifests/common/renovate.yaml b/manifests/common/renovate.yaml index 159e02c..9b175d9 100644 --- a/manifests/common/renovate.yaml +++ b/manifests/common/renovate.yaml @@ -27,5 +27,5 @@ spec: - name: RENOVATE_TOKEN valueFrom: secretKeyRef: - name: runner-secret + name: runner key: token 
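Review bot: Moving the token generation inside `--from-literal=token="$( … )"` in the `deploy.sh` hunk means a failed `kubectl exec` no longer stops the script: the exit status of a command substitution used as an argument is discarded, whereas the previous `RUNNER_TOKEN="$( … )"` assignment would have tripped `set -e` (assuming the script runs with it; the shebang is outside the hunk). The result is a `runner` or `renovate` secret holding an empty token. I would keep the assignment and guard it, e.g. `token="$(kgseckey runner token || kubectl exec app-0 -- gitea actions generate-runner-token)"` followed by `[ -n "$token" ] || exit 1`, and do the same for the Renovate token. The `--from-literal=…="$(… || …)"` lines of the later `kcreatesec gitea` hunks have the same property.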
diff --git a/manifests/common/runner.yaml b/manifests/common/runner.yaml index 19fea4c..7bd276f 100644 --- a/manifests/common/runner.yaml +++ b/manifests/common/runner.yaml @@ -36,7 +36,7 @@ spec: - name: GITEA_RUNNER_REGISTRATION_TOKEN valueFrom: secretKeyRef: - name: runner-secret + name: runner key: token volumeMounts: - name: data -- 2.45.2 From 9370a6707a0f7ca60b379dd7a7c49fda016ebaaf Mon Sep 17 00:00:00 2001 From: ange Date: Wed, 22 May 2024 18:25:15 +0200 Subject: [PATCH 07/24] fix: gitea admin timeout on init --- manifests/bin/deploy.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh index fd314cc..79f6704 100755 --- a/manifests/bin/deploy.sh +++ b/manifests/bin/deploy.sh @@ -51,7 +51,7 @@ kcreatesec gitea-admin \ --from-literal=password="$GITEA_PASSWORD" kcreatesec gitea \ - --from-literal=secret_key="$(kgseckey gitea secret_key || openssl rand -hex 32)" \ + --from-literal=secret_key="$(kgseckey gitea secret_key || openssl rand -hex 32)" \ --from-literal=internal_token="$(kgseckey gitea internal_token || openssl rand -hex 32)" kcreatecm gitea \ @@ -63,7 +63,7 @@ kapply common/job.yaml \ kubectl rollout restart statefulset app -kubectl rollout status sts app +kubectl wait --for=condition=complete job kcreatesec runner \ --from-literal=token="$(kgseckey runner token || kubectl exec app-0 -- gitea actions generate-runner-token)" -- 2.45.2 From 5c620af282eba2da6b98fca26260ad538a158fd7 Mon Sep 17 00:00:00 2001 From: ange Date: Wed, 22 May 2024 18:28:31 +0200 Subject: [PATCH 08/24] fix: kubectl wait needs resource name --- manifests/bin/deploy.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh index 79f6704..4634df0 100755 --- a/manifests/bin/deploy.sh +++ b/manifests/bin/deploy.sh 
@@ -63,7 +63,7 @@ kapply common/job.yaml \ kubectl rollout restart statefulset app -kubectl wait --for=condition=complete job +kubectl wait --for=condition=complete job/createadminuser kcreatesec runner \ --from-literal=token="$(kgseckey runner token || kubectl exec app-0 -- gitea actions generate-runner-token)" -- 2.45.2 From b280a390642da205d2cb5bb75faf6085e2570a78 Mon Sep 17 00:00:00 2001 From: ange Date: Wed, 22 May 2024 18:30:19 +0200 Subject: [PATCH 09/24] fix: kubectl-wait timeout too short --- manifests/bin/deploy.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh index 4634df0..fb8a6bc 100755 --- a/manifests/bin/deploy.sh +++ b/manifests/bin/deploy.sh @@ -63,7 +63,7 @@ kapply common/job.yaml \ kubectl rollout restart statefulset app -kubectl wait --for=condition=complete job/createadminuser +kubectl wait --timeout=5m --for=condition=complete job/createadminuser kcreatesec runner \ --from-literal=token="$(kgseckey runner token || kubectl exec app-0 -- gitea actions generate-runner-token)" -- 2.45.2 From 9d25d4c8c12245a78d88a4adc4f4f9e3e2d63851 Mon Sep 17 00:00:00 2001 From: ange Date: Thu, 23 May 2024 11:59:32 +0200 Subject: [PATCH 10/24] fix: RENOVATE_USERNAME gitea --- manifests/common/renovate.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/manifests/common/renovate.yaml b/manifests/common/renovate.yaml index 9b175d9..0167afe 100644 --- a/manifests/common/renovate.yaml +++ b/manifests/common/renovate.yaml @@ -24,6 +24,11 @@ spec: value: gitea - name: RENOVATE_ENDPOINT value: "https://$BASE_URL/api/v1" + - name: RENOVATE_USERNAME + valueFrom: + secretKeyRef: + name: gitea-admin + key: username - name: RENOVATE_TOKEN valueFrom: secretKeyRef: -- 2.45.2 From d2c2fbec8b84bc4ec39057fe35975f93a9c7bdc0 Mon Sep 17 00:00:00 2001 From: ange Date: Mon, 27 May 2024 22:41:51 +0200 Subject: [PATCH 11/24] bump: 1.22.0 --- .env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.env b/.env index 10e521d..685ef78 100644 --- a/.env +++ b/.env @@ -1,3 +1,3 @@ PROD_URL=git.gmoker.com -IMAGEAPP=docker.io/gitea/gitea:1.22.0-rc1-rootless +IMAGEAPP=docker.io/gitea/gitea:1.22.0-rootless IMAGERUNNER=docker.io/gitea/act_runner:0.2.10-dind-rootless -- 2.45.2 From d645f3f7ff7a0790cc05b99eef84bb4c094dbed0 Mon Sep 17 00:00:00 2001 From: ange Date: Tue, 4 Jun 2024 18:37:19 +0200 Subject: [PATCH 12/24] fix: oauth2_jwt_secret mandatory --- config/app.ini | 15 +++++++++++++-- diff.sh | 4 ++-- manifests/bin/deploy.sh | 3 ++- 3 files changed, 17 insertions(+), 5 deletions(-) diff --git a/config/app.ini b/config/app.ini index 32f85a3..349d8d1 100644 --- a/config/app.ini +++ b/config/app.ini @@ -540,10 +540,10 @@ ENABLED = false ;; ;; OAuth2 authentication secret for access and refresh tokens, change this yourself to a unique string. CLI generate option is helpful in this case. https://docs.gitea.io/en-us/command-line/#generate ;; This setting is only needed if JWT_SIGNING_ALGORITHM is set to HS256, HS384 or HS512. -;JWT_SECRET = +JWT_SECRET = ;; ;; Alternative location to specify OAuth2 authentication secret. You cannot specify both this and JWT_SECRET, and must pick one -;JWT_SECRET_URI = file:/etc/gitea/oauth2_jwt_secret +JWT_SECRET_URI = file:/etc/gitea/secrets/oauth2_jwt_secret ;; ;; Lifetime of an OAuth2 access token in seconds ;ACCESS_TOKEN_EXPIRATION_TIME = 3600 
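Review bot: The `config/app.ini` hunk uncomments `JWT_SECRET =` with an empty value next to `JWT_SECRET_URI`, although the comment directly above the URI line says the two cannot both be specified. Whether Gitea treats an empty `JWT_SECRET` as unset is not visible here, so leaving the line as `;JWT_SECRET =` and setting only `JWT_SECRET_URI = file:/etc/gitea/secrets/oauth2_jwt_secret` avoids depending on that. The section header this belongs to is outside the hunk.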
@@ -2035,6 +2035,17 @@ ENABLED = true ;; or only create new users if UPDATE_EXISTING is set to false ;UPDATE_EXISTING = true +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Cleanup expired actions assets +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[cron.cleanup_actions] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;ENABLED = true +;RUN_AT_START = true +;SCHEDULE = @midnight + ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;; Clean-up deleted branches diff --git a/diff.sh b/diff.sh index 59ed8cf..7f6eb72 100755 --- a/diff.sh +++ b/diff.sh @@ -2,6 +2,6 @@ URL='https://raw.githubusercontent.com' REPO='go-gitea/gitea' -TAG="v$(awk -F: '/^IMAGEAPP/{sub("-rootless", ""); print $2}' .env)" +TAG="release/v$(awk -F: '/^IMAGEAPP/{sub(".[0-9]+-rootless", ""); print $2}' .env)" -$EDITOR -d -c "wincmd l" -- "$URL/$REPO/$TAG/custom/conf/app.example.ini" app.ini +$EDITOR -d -c "wincmd l" -- "$URL/$REPO/$TAG/custom/conf/app.example.ini" config/app.ini diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh index fb8a6bc..7264461 100755 --- a/manifests/bin/deploy.sh +++ b/manifests/bin/deploy.sh @@ -52,7 +52,8 @@ kcreatesec gitea-admin \ kcreatesec gitea \ --from-literal=secret_key="$(kgseckey gitea secret_key || openssl rand -hex 32)" \ - --from-literal=internal_token="$(kgseckey gitea internal_token || openssl rand -hex 32)" + --from-literal=internal_token="$(kgseckey gitea internal_token || openssl rand -hex 32)" \ + --from-literal=oauth2_jwt_secret="$(kgseckey gitea oauth2_jwt_secret || openssl rand -hex 32)" kcreatecm gitea \ --from-file=app.ini=<(envsubst "$(env | xargs printf '$%s ')" < config/app.ini) -- 2.45.2 From bf464fb09c74dafa2f03b1c69592d627fda6816c Mon Sep 17 00:00:00 2001 
From: ange Date: Wed, 5 Jun 2024 11:43:54 +0200 Subject: [PATCH 13/24] fix: empty field if secret exists without field --- manifests/bin/deploy.sh | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh index 7264461..7b0a5bc 100755 --- a/manifests/bin/deploy.sh +++ b/manifests/bin/deploy.sh @@ -19,15 +19,25 @@ function kcreatecm() { function kgseckey() { local sec="$1"; shift local key="$1"; shift + local ret - kubectl get secret "$sec" -o jsonpath="{.data.$key}" | base64 -d + ret="$(kubectl get secret "$sec" -o jsonpath="{.data.$key}" | base64 -d)" + if [ "$?" -eq 0 ] || [ -z "$ret" ]; then + return 1 + fi + echo "$ret" } function kgcmkey() { local cm="$1"; shift local key="$1"; shift + local ret; - kubectl get configmap "$cm" -o jsonpath="{.data.$key}" + ret="$(kubectl get configmap "$cm" -o jsonpath="{.data.$key}")" + if [ "$?" -eq 0 ] || [ -z "$ret" ]; then + return 1 + fi + echo "$ret" } -- 2.45.2 From 7f325085c4953fa39b171e61ed69b9b0069fd8bb Mon Sep 17 00:00:00 2001 From: ange Date: Wed, 5 Jun 2024 11:45:48 +0200 Subject: [PATCH 14/24] fix: bad return value --- manifests/bin/deploy.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh index 7b0a5bc..9c4dc9d 100755 --- a/manifests/bin/deploy.sh +++ b/manifests/bin/deploy.sh @@ -22,7 +22,7 @@ function kgseckey() { local ret ret="$(kubectl get secret "$sec" -o jsonpath="{.data.$key}" | base64 -d)" - if [ "$?" -eq 0 ] || [ -z "$ret" ]; then + if [ "$?" -ne 0 ] || [ -z "$ret" ]; then return 1 fi echo "$ret" @@ -34,7 +34,7 @@ function kgcmkey() { local ret; ret="$(kubectl get configmap "$cm" -o jsonpath="{.data.$key}")" - if [ "$?" -eq 0 ] || [ -z "$ret" ]; then + if [ "$?" -ne 0 ] || [ -z "$ret" ]; then return 1 fi echo "$ret" -- 2.45.2 From 35c78dd84761e2bf3fee647af1b2664382e2b64e Mon Sep 17 00:00:00 2001 
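Review bot: `echo "$ret"` in `kgseckey` and `kgcmkey` (added in [PATCH 13/24], unchanged by [PATCH 14/24]) hands a secret value to `echo`, which interprets values such as `-n` or `-e` as options instead of printing them; `printf '%s\n' "$ret"` emits the value verbatim. The `"$?"` test after `ret="$(kubectl get secret … | base64 -d)"` only sees a `kubectl` failure if `pipefail` is active at that point, which these hunks do not show; a one-line comment such as `# relies on set -o pipefail for the kubectl exit status` would make that dependency explicit.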
From: ange Date: Wed, 5 Jun 2024 12:30:32 +0200 Subject: [PATCH 15/24] fix: secrets generated with gitea-cli --- manifests/bin/deploy.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh index 9c4dc9d..2ca31e4 100755 --- a/manifests/bin/deploy.sh +++ b/manifests/bin/deploy.sh @@ -61,9 +61,9 @@ kcreatesec gitea-admin \ --from-literal=password="$GITEA_PASSWORD" kcreatesec gitea \ - --from-literal=secret_key="$(kgseckey gitea secret_key || openssl rand -hex 32)" \ - --from-literal=internal_token="$(kgseckey gitea internal_token || openssl rand -hex 32)" \ - --from-literal=oauth2_jwt_secret="$(kgseckey gitea oauth2_jwt_secret || openssl rand -hex 32)" + --from-literal=secret_key="$(kgseckey gitea secret_key || kubectl run -i --rm --image "$IMAGEAPP" "$RANDOM" gitea generate secret SECRET_KEY)" \ + --from-literal=internal_token="$(kgseckey gitea internal_token || kubectl run -i --rm --image "$IMAGEAPP" "$RANDOM" gitea generate secret INTERNAL_TOKEN)" \ + --from-literal=oauth2_jwt_secret="$(kgseckey gitea oauth2_jwt_secret || kubectl run -i --rm --image "$IMAGEAPP" "$RANDOM" gitea generate secret JWT_SECRET)" kcreatecm gitea \ --from-file=app.ini=<(envsubst "$(env | xargs printf '$%s ')" < config/app.ini) -- 2.45.2 From caf66eefc2911ce6ab87aa2c91d9fecab83e0135 Mon Sep 17 00:00:00 2001 From: ange Date: Wed, 5 Jun 2024 12:36:44 +0200 Subject: [PATCH 16/24] fix: simplify token generation --- manifests/bin/deploy.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh index 2ca31e4..29c5680 100755 --- a/manifests/bin/deploy.sh +++ b/manifests/bin/deploy.sh 
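Review bot: Each fallback in the [PATCH 15/24] hunk captures the entire stdout of `kubectl run -i --rm …`, and kubectl normally prints its own `pod "<name>" deleted` line there when `--rm` cleans up, so `secret_key`, `internal_token` and `oauth2_jwt_secret` can end up containing more than the generated value. Taking only the first line, e.g. `… gitea generate secret SECRET_KEY | head -n1`, and checking that it is non-empty before `kcreatesec` runs would keep the stored secret equal to what Gitea generated. The `kcreatesec gitea` call continues outside the hunk.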
@@ -60,10 +60,11 @@ kcreatesec gitea-admin \ --from-literal=username="$GITEA_USERNAME" \ --from-literal=password="$GITEA_PASSWORD" +kubectl run --image "$IMAGEAPP" secrets sleep 60 & &> /dev/null kcreatesec gitea \ - --from-literal=secret_key="$(kgseckey gitea secret_key || kubectl run -i --rm --image "$IMAGEAPP" "$RANDOM" gitea generate secret SECRET_KEY)" \ - --from-literal=internal_token="$(kgseckey gitea internal_token || kubectl run -i --rm --image "$IMAGEAPP" "$RANDOM" gitea generate secret INTERNAL_TOKEN)" \ - --from-literal=oauth2_jwt_secret="$(kgseckey gitea oauth2_jwt_secret || kubectl run -i --rm --image "$IMAGEAPP" "$RANDOM" gitea generate secret JWT_SECRET)" + --from-literal=secret_key="$(kgseckey gitea secret_key || kubectl exec secrets gitea generate secret SECRET_KEY)" \ + --from-literal=internal_token="$(kgseckey gitea internal_token || kubectl exec secrets gitea generate secret INTERNAL_TOKEN)" \ + --from-literal=oauth2_jwt_secret="$(kgseckey gitea oauth2_jwt_secret || kubectl exec secrets gitea generate secret JWT_SECRET)" kcreatecm gitea \ --from-file=app.ini=<(envsubst "$(env | xargs printf '$%s ')" < config/app.ini) -- 2.45.2 From ab2c428d9dbc6d5e59ad8988fbe9451f3cc2db7e Mon Sep 17 00:00:00 2001 From: ange Date: Wed, 5 Jun 2024 12:38:53 +0200 Subject: [PATCH 17/24] fix: typo --- manifests/bin/deploy.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh index 29c5680..2f0b941 100755 --- a/manifests/bin/deploy.sh +++ b/manifests/bin/deploy.sh 
@@ -62,9 +62,9 @@ kcreatesec gitea-admin \ kubectl run --image "$IMAGEAPP" secrets sleep 60 & &> /dev/null kcreatesec gitea \ - --from-literal=secret_key="$(kgseckey gitea secret_key || kubectl exec secrets gitea generate secret SECRET_KEY)" \ - --from-literal=internal_token="$(kgseckey gitea internal_token || kubectl exec secrets gitea generate secret INTERNAL_TOKEN)" \ - --from-literal=oauth2_jwt_secret="$(kgseckey gitea oauth2_jwt_secret || kubectl exec secrets gitea generate secret JWT_SECRET)" + --from-literal=secret_key="$(kgseckey gitea secret_key || kubectl exec secrets -- gitea generate secret SECRET_KEY)" \ + --from-literal=internal_token="$(kgseckey gitea internal_token || kubectl exec secrets -- gitea generate secret INTERNAL_TOKEN)" \ + --from-literal=oauth2_jwt_secret="$(kgseckey gitea oauth2_jwt_secret || kubectl exec secrets -- gitea generate secret JWT_SECRET)" kcreatecm gitea \ --from-file=app.ini=<(envsubst "$(env | xargs printf '$%s ')" < config/app.ini) -- 2.45.2 From 546681e5a88da0ddd6abf8f767046b775a171046 Mon Sep 17 00:00:00 2001 From: ange Date: Wed, 5 Jun 2024 12:40:45 +0200 Subject: [PATCH 18/24] fix: wait for pod before exec commands --- manifests/bin/deploy.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh index 2f0b941..4083bdf 100755 --- a/manifests/bin/deploy.sh +++ b/manifests/bin/deploy.sh @@ -61,6 +61,7 @@ kcreatesec gitea-admin \ --from-literal=password="$GITEA_PASSWORD" kubectl run --image "$IMAGEAPP" secrets sleep 60 & &> /dev/null +kubectl wait --timeout=5m --for=condition=ready pod secrets kcreatesec gitea \ --from-literal=secret_key="$(kgseckey gitea secret_key || kubectl exec secrets -- gitea generate secret SECRET_KEY)" \ --from-literal=internal_token="$(kgseckey gitea internal_token || kubectl exec secrets -- gitea generate secret INTERNAL_TOKEN)" \ -- 2.45.2 From ae810fcd69f9371e0efbf48755eeff2e09aa2496 Mon Sep 17 00:00:00 2001 
From: ange Date: Wed, 5 Jun 2024 12:43:45 +0200 Subject: [PATCH 19/24] fix: add sleep before wait to ensure pod exists --- manifests/bin/deploy.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh index 4083bdf..0f2a59d 100755 --- a/manifests/bin/deploy.sh +++ b/manifests/bin/deploy.sh @@ -61,6 +61,7 @@ kcreatesec gitea-admin \ --from-literal=password="$GITEA_PASSWORD" kubectl run --image "$IMAGEAPP" secrets sleep 60 & &> /dev/null +sleep 5 kubectl wait --timeout=5m --for=condition=ready pod secrets kcreatesec gitea \ --from-literal=secret_key="$(kgseckey gitea secret_key || kubectl exec secrets -- gitea generate secret SECRET_KEY)" \ -- 2.45.2 From fae31e705deabb3671deda065d478155b9dfb248 Mon Sep 17 00:00:00 2001 From: ange Date: Wed, 5 Jun 2024 12:48:17 +0200 Subject: [PATCH 20/24] fix: auto rm temporary pod --- manifests/bin/deploy.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh index 0f2a59d..aba9ce7 100755 --- a/manifests/bin/deploy.sh +++ b/manifests/bin/deploy.sh @@ -60,7 +60,7 @@ kcreatesec gitea-admin \ --from-literal=username="$GITEA_USERNAME" \ --from-literal=password="$GITEA_PASSWORD" -kubectl run --image "$IMAGEAPP" secrets sleep 60 & &> /dev/null +kubectl run --rm --image "$IMAGEAPP" secrets sleep 60 & &> /dev/null sleep 5 kubectl wait --timeout=5m --for=condition=ready pod secrets kcreatesec gitea \ -- 2.45.2 From cb6513b6a3ca4bb7c72fc95e3590e6a22fec4f96 Mon Sep 17 00:00:00 2001 From: ange Date: Wed, 5 Jun 2024 12:49:20 +0200 Subject: [PATCH 21/24] fix: kubectl run --rm needs --attach --- manifests/bin/deploy.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh index aba9ce7..d9fedd3 100755 --- a/manifests/bin/deploy.sh +++ b/manifests/bin/deploy.sh 
@@ -60,7 +60,7 @@ kcreatesec gitea-admin \ --from-literal=username="$GITEA_USERNAME" \ --from-literal=password="$GITEA_PASSWORD" -kubectl run --rm --image "$IMAGEAPP" secrets sleep 60 & &> /dev/null +kubectl run --rm --attach --image "$IMAGEAPP" secrets sleep 60 & &> /dev/null sleep 5 kubectl wait --timeout=5m --for=condition=ready pod secrets kcreatesec gitea \ -- 2.45.2 From dab5e38df18d4912598b0748fe7af6238e7ad9e5 Mon Sep 17 00:00:00 2001 From: ange Date: Wed, 5 Jun 2024 12:51:45 +0200 Subject: [PATCH 22/24] feat: add sleep before runner token --- manifests/bin/deploy.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh index d9fedd3..5d97176 100755 --- a/manifests/bin/deploy.sh +++ b/manifests/bin/deploy.sh @@ -78,6 +78,7 @@ kapply common/job.yaml \ kubectl rollout restart statefulset app kubectl wait --timeout=5m --for=condition=complete job/createadminuser +sleep 5 kcreatesec runner \ --from-literal=token="$(kgseckey runner token || kubectl exec app-0 -- gitea actions generate-runner-token)" -- 2.45.2 From 79b027fe07db83539a100866f8fc0e32487c7649 Mon Sep 17 00:00:00 2001 From: ange Date: Wed, 5 Jun 2024 13:42:26 +0200 Subject: [PATCH 23/24] fix: autodelete pod secrets doesn't work --- manifests/bin/deploy.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh index 5d97176..dd36979 100755 --- a/manifests/bin/deploy.sh +++ b/manifests/bin/deploy.sh 
@@ -60,13 +60,13 @@ kcreatesec gitea-admin \ --from-literal=username="$GITEA_USERNAME" \ --from-literal=password="$GITEA_PASSWORD" -kubectl run --rm --attach --image "$IMAGEAPP" secrets sleep 60 & &> /dev/null +kubectl run --image "$IMAGEAPP" secrets sleep 60 sleep 5 -kubectl wait --timeout=5m --for=condition=ready pod secrets kcreatesec gitea \ --from-literal=secret_key="$(kgseckey gitea secret_key || kubectl exec secrets -- gitea generate secret SECRET_KEY)" \ --from-literal=internal_token="$(kgseckey gitea internal_token || kubectl exec secrets -- gitea generate secret INTERNAL_TOKEN)" \ --from-literal=oauth2_jwt_secret="$(kgseckey gitea oauth2_jwt_secret || kubectl exec secrets -- gitea generate secret JWT_SECRET)" +kubectl delete pod secrets kcreatecm gitea \ --from-file=app.ini=<(envsubst "$(env | xargs printf '$%s ')" < config/app.ini) -- 2.45.2 From 02ad10ea6da2514f4acc7d6a76d55d88723af78b Mon Sep 17 00:00:00 2001 From: ange Date: Mon, 23 Dec 2024 02:14:57 +0000 Subject: [PATCH 24/24] feat: renovatebot (#1) Reviewed-on: https://git.gmoker.com/gmoker/gitea/pulls/1 --- .env | 4 +- compose.yaml | 8 +-- manifests/bin/createadmin.sh | 37 ++++++++++++ manifests/bin/deploy.sh | 61 ++++++++------------ manifests/bin/devel.sh | 1 + manifests/bin/prod.sh | 1 + manifests/common/app.yaml | 2 +- manifests/common/job.yaml | 12 ++-- manifests/common/renovate.yaml | 4 +- manifests/common/{redis.yaml => valkey.yaml} | 22 +++---- 10 files changed, 86 insertions(+), 66 deletions(-) create mode 100755 manifests/bin/createadmin.sh rename manifests/common/{redis.yaml => valkey.yaml} (66%) diff --git a/.env b/.env index 685ef78..ea69377 100644 --- a/.env +++ b/.env @@ -1,3 +1,3 @@ PROD_URL=git.gmoker.com -IMAGEAPP=docker.io/gitea/gitea:1.22.0-rootless -IMAGERUNNER=docker.io/gitea/act_runner:0.2.10-dind-rootless +IMAGEAPP=docker.io/gitea/gitea:1.22.6-rootless +IMAGERUNNER=docker.io/gitea/act_runner:0.2.11-dind-rootless 
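Review bot: The [PATCH 23/24] hunk removes `kubectl wait --timeout=5m --for=condition=ready pod secrets` and relies on `sleep 5` alone, so on a node that still has to pull `$IMAGEAPP` the three `kubectl exec secrets -- gitea generate secret …` calls can run before the container exists. Because they sit inside `--from-literal=…="$(… || …)"`, their failure is not fatal and the `gitea` secret is written with empty `secret_key`, `internal_token` and `oauth2_jwt_secret`. I would keep the wait after `kubectl run` (`kubectl wait --timeout=5m --for=condition=ready pod/secrets`) and register the cleanup up front with `trap 'kubectl delete pod secrets --ignore-not-found' EXIT`, so the helper pod is also removed when the script aborts before reaching `kubectl delete pod secrets`.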
diff --git a/compose.yaml b/compose.yaml index e2ae670..966146a 100644 --- a/compose.yaml +++ b/compose.yaml @@ -1,7 +1,7 @@ --- services: db: - image: docker.io/postgres:15 + image: docker.io/postgres:17 restart: unless-stopped environment: - POSTGRES_DB=db @@ -20,16 +20,16 @@ services: - POSTGRES_HOST=db - GITEA__database__DB_TYPE=postgres - GITEA__database__HOST=db + - GITEA__database__NAME=db - GITEA__database__USER=db - GITEA__database__PASSWD=db - - GITEA__service__DISABLE_REGISTRATION=true volumes: - - data:/var/lib/gitea/ - config:/etc/gitea/ + - data:/var/lib/gitea/ depends_on: - db volumes: + db: {} config: {} data: {} - db: {} diff --git a/manifests/bin/createadmin.sh b/manifests/bin/createadmin.sh new file mode 100755 index 0000000..8691667 --- /dev/null +++ b/manifests/bin/createadmin.sh @@ -0,0 +1,37 @@ +#!/bin/bash -e +set -o pipefail + +function get_token() { + kubectl exec statefulset/app -- gitea admin user generate-access-token \ + --username "$name" \ + --token-name "${name^^}" \ + --scopes "$scopes" \ + | awk '{print $NF}' +} + +name="$1" +scopes="$2" +email="$name@$BASE_URL" +secret="gitea-$name" +passwd="$(kgseckey "$secret" password || true)" + +if [ -z "$passwd" ]; then + passwd="$(openssl rand -hex 32)" + kubectl exec statefulset/app -- \ + gitea admin user create --admin --must-change-password=false \ + --email "$email" \ + --username "$name" \ + --password "$passwd" +fi + +opts=() +[ -n "$scopes" ] && opts+=( + --from-literal=token="$(kgseckey "$secret" token || get_token)" + --from-literal=tokenscopes="$scopes" +) + +kcreatesec "$secret" \ + --from-literal=email="$email" \ + --from-literal=username="$name" \ + --from-literal=password="$passwd" \ + "${opts[@]}" diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh index dd36979..ad2271f 100755 --- a/manifests/bin/deploy.sh +++ b/manifests/bin/deploy.sh 
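Review bot: The second `compose.yaml` hunk deletes `- GITEA__service__DISABLE_REGISTRATION=true` without a replacement, so this stack now takes the setting from whatever `app.ini` is in the `config` volume, and Gitea's default leaves self-registration open. If the compose file is only ever used on a developer machine that may be intended, but the commit message does not say so and the service's port exposure is outside the hunk. I would either keep the line or leave a comment in its place, e.g. `# registration left open on purpose: local development only`.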
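Review bot: `gitea admin user create --admin` in the new `createadmin.sh` is unconditional, so every account provisioned through it becomes an instance administrator, including one that exists only to hold a scoped API token (the `scopes` argument). Token scopes cap what the token can call, but the account itself, with the password stored in the `gitea-$name` secret, stays an administrator; making the flag opt-in (for example a third argument that appends `--admin`) would let bot accounts be created unprivileged. `--password "$passwd"` also places the password on the command line of both `kubectl exec` and the `gitea` process in the pod. The callers of this script are outside the hunk.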
@@ -3,47 +3,40 @@ set -o pipefail function kapply() { for f in "$@"; do - kubectl apply -f \ - <(envsubst "$(env | xargs printf '$%s ')" < "manifests/$f") + kubectl apply -f <(envsubst < "manifests/$f") done -} +}; export -f kapply function kcreatesec() { kubectl create secret generic --save-config --dry-run=client -oyaml "$@" | kubectl apply -f- -} +}; export -f kcreatesec function kcreatecm() { kubectl create configmap --dry-run=client -oyaml "$@" | kubectl apply -f- -} +}; export -f kcreatecm function kgseckey() { local sec="$1"; shift local key="$1"; shift - local ret - ret="$(kubectl get secret "$sec" -o jsonpath="{.data.$key}" | base64 -d)" - if [ "$?" -ne 0 ] || [ -z "$ret" ]; then + if ! kubectl get secret "$sec" -ojson | jq -re ".data.\"$key\" // empty" | base64 -d; then return 1 fi - echo "$ret" -} +}; export -f kgseckey function kgcmkey() { - local cm="$1"; shift + local cm="$1"; shift local key="$1"; shift - local ret; - ret="$(kubectl get configmap "$cm" -o jsonpath="{.data.$key}")" - if [ "$?" -ne 0 ] || [ -z "$ret" ]; then + if ! kubectl get configmap "$cm" -ojson | jq -re ".data.\"$key\" // empty"; then return 1 fi - echo "$ret" -} +}; export -f kgcmkey kapply common/db.yaml -export REDIS_HOST=redis +export REDIS_HOST=valkey export REDIS_DB=0 export REDIS_PORT=6379 export POSTGRES_HOST; POSTGRES_HOST="$(kgseckey postgres-app host)" 
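Review bot: The rewritten `kgseckey` and `kgcmkey` no longer treat an empty value as missing: `// empty` only filters `null` and `false`, so a key stored as an empty string makes `jq -e` exit 0 and every `kgseckey … || <generate>` caller keeps the empty secret instead of regenerating it. The removed version rejected that case with `[ -z "$ret" ]`. Filter empty strings as well, and pass the key as data rather than splicing it into the filter: `jq -re --arg k "$key" '.data[$k] // empty | select(. != "")'`. Also note that `envsubst` without a variable list now blanks every `$name` in the manifests that is not exported, where the old call only substituted variables present in the environment.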
@@ -52,39 +45,31 @@ export POSTGRES_DB; POSTGRES_DB="$(kgseckey postgres-app dbname)" export POSTGRES_USER; POSTGRES_USER="$(kgseckey postgres-app user)" export POSTGRES_PASSWORD; POSTGRES_PASSWORD="$(kgseckey postgres-app password)" -GITEA_USERNAME="$(kgseckey gitea-admin username || echo gitea)" -GITEA_PASSWORD="$(kgseckey gitea-admin password || openssl rand -hex 32)" +# shellcheck disable=SC1090,SC2016 +. <(kubectl run -i --rm --image "$IMAGEAPP" secrets -- bash <<< 'echo SECRET_KEY="$(gitea generate secret SECRET_KEY)" INTERNAL_TOKEN="$(gitea generate secret INTERNAL_TOKEN)" JWT_SECRET="$(gitea generate secret JWT_SECRET)"' | head -n1) -kcreatesec gitea-admin \ - --from-literal=email="gitea@$BASE_URL" \ - --from-literal=username="$GITEA_USERNAME" \ - --from-literal=password="$GITEA_PASSWORD" - -kubectl run --image "$IMAGEAPP" secrets sleep 60 -sleep 5 kcreatesec gitea \ - --from-literal=secret_key="$(kgseckey gitea secret_key || kubectl exec secrets -- gitea generate secret SECRET_KEY)" \ - --from-literal=internal_token="$(kgseckey gitea internal_token || kubectl exec secrets -- gitea generate secret INTERNAL_TOKEN)" \ - --from-literal=oauth2_jwt_secret="$(kgseckey gitea oauth2_jwt_secret || kubectl exec secrets -- gitea generate secret JWT_SECRET)" -kubectl delete pod secrets + --from-literal=secret_key="$(kgseckey gitea secret_key || echo "$SECRET_KEY")" \ + --from-literal=internal_token="$(kgseckey gitea internal_token || echo "$INTERNAL_TOKEN")" \ + --from-literal=oauth2_jwt_secret="$(kgseckey gitea oauth2_jwt_secret || echo "$JWT_SECRET")" kcreatecm gitea \ - --from-file=app.ini=<(envsubst "$(env | xargs printf '$%s ')" < config/app.ini) + --from-file=app.ini=<(envsubst < config/app.ini) kapply common/job.yaml \ - common/redis.yaml \ + common/valkey.yaml \ common/app.yaml kubectl rollout restart statefulset app -kubectl wait --timeout=5m --for=condition=complete job/createadminuser -sleep 5 +kubectl rollout status statefulset app +kubectl wait 
--timeout=5m --for=condition=complete job/migrate + +./manifests/bin/createadmin.sh gitea +./manifests/bin/createadmin.sh renovate 'write:repository,read:user,write:issue,read:organization' kcreatesec runner \ - --from-literal=token="$(kgseckey runner token || kubectl exec app-0 -- gitea actions generate-runner-token)" - -kcreatesec renovate \ - --from-literal=token="$(kgseckey renovate token || kubectl exec app-0 -- gitea admin user generate-access-token --username "$GITEA_USERNAME" --token-name RENOVATE --scopes 'write:repository,read:user,write:issue,read:organization' | grep -o '[a-f0-9]\+$')" + --from-literal=token="$(kgseckey runner token || kubectl exec statefulset/app -- gitea actions generate-runner-token)" kapply common/runner.yaml common/renovate.yaml diff --git a/manifests/bin/devel.sh b/manifests/bin/devel.sh index 464c4d0..65675aa 100755 --- a/manifests/bin/devel.sh +++ b/manifests/bin/devel.sh @@ -1,4 +1,5 @@ #!/bin/bash -e +set -o pipefail export NB_REPLICAS=1 diff --git a/manifests/bin/prod.sh b/manifests/bin/prod.sh index ea8a78f..142f57f 100755 --- a/manifests/bin/prod.sh +++ b/manifests/bin/prod.sh @@ -1,4 +1,5 @@ #!/bin/bash -e +set -o pipefail # TODO: 3 export NB_REPLICAS=1 diff --git a/manifests/common/app.yaml b/manifests/common/app.yaml index e205f85..f1b54e1 100644 --- a/manifests/common/app.yaml +++ b/manifests/common/app.yaml @@ -5,7 +5,7 @@ metadata: name: app annotations: cert-manager.io/cluster-issuer: letsencrypt-prod - nginx.ingress.kubernetes.io/proxy-body-size: "512M" + nginx.ingress.kubernetes.io/proxy-body-size: "8G" spec: ingressClassName: nginx tls: diff --git a/manifests/common/job.yaml b/manifests/common/job.yaml index 0281b29..bdbe13b 100644 --- a/manifests/common/job.yaml +++ b/manifests/common/job.yaml 
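Review bot: The `. <(kubectl run -i --rm … | head -n1)` line sources whatever the helper pod prints first as shell code in the deploy shell, so any unexpected first line (a kubectl notice, an error message from the image) is executed with the deployer's cluster credentials. On a first deploy a failed run also leaves `SECRET_KEY`, `INTERNAL_TOKEN` and `JWT_SECRET` empty, and `kcreatesec gitea` then stores them that way. Read the values as data and fail closed instead: have the pod `echo` the three secrets space-separated, use `read -r SECRET_KEY INTERNAL_TOKEN JWT_SECRET < <(kubectl run … | head -n1)`, then `: "${SECRET_KEY:?}" "${INTERNAL_TOKEN:?}" "${JWT_SECRET:?}"`. The pod also runs on every deploy, even when the `gitea` secret already holds all three keys.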
@@ -2,21 +2,17 @@ apiVersion: batch/v1 kind: Job metadata: - name: createadminuser + name: migrate spec: template: spec: restartPolicy: Never containers: - - name: createadminuser + - name: migrate image: "$IMAGEAPP" - envFrom: - - secretRef: - name: gitea-admin command: - - bash - - -c - - 'gitea migrate && { gitea admin user change-password --username "$username" --password "$password" --must-change-password=false 2> /dev/null || gitea admin user create --admin --email "$email" --username "$username" --password "$password" --must-change-password=false; }' + - gitea + - migrate volumeMounts: - name: config mountPath: /etc/gitea/app.ini diff --git a/manifests/common/renovate.yaml b/manifests/common/renovate.yaml index 0167afe..427ee4e 100644 --- a/manifests/common/renovate.yaml +++ b/manifests/common/renovate.yaml @@ -27,10 +27,10 @@ spec: - name: RENOVATE_USERNAME valueFrom: secretKeyRef: - name: gitea-admin + name: gitea-renovate key: username - name: RENOVATE_TOKEN valueFrom: secretKeyRef: - name: runner + name: gitea-renovate key: token diff --git a/manifests/common/redis.yaml b/manifests/common/valkey.yaml similarity index 66% rename from manifests/common/redis.yaml rename to manifests/common/valkey.yaml index 485d2a8..4df2c6d 100644 --- a/manifests/common/redis.yaml +++ b/manifests/common/valkey.yaml 
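Review bot: The Job keeps a fixed name (`migrate`) with `image: "$IMAGEAPP"`, and a Job's pod template is immutable, so once a completed `migrate` Job exists the next deploy with a bumped image tag will presumably have `kubectl apply` rejected. With an unchanged tag, `kubectl wait --for=condition=complete job/migrate` instead returns immediately without running anything. Nothing visible in deploy.sh removes the old Job; `kubectl delete job migrate --ignore-not-found` before `kapply common/job.yaml` would make each deploy run the migration afresh. The Job spec continues below the hunk.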
@@ -2,36 +2,36 @@ apiVersion: v1 kind: Service metadata: - name: redis + name: valkey labels: - app: redis + app: valkey spec: selector: - app: redis + app: valkey ports: - - name: redis + - name: valkey port: 6379 --- apiVersion: apps/v1 kind: StatefulSet metadata: - name: redis + name: valkey spec: selector: matchLabels: - app: redis - serviceName: redis + app: valkey + serviceName: valkey replicas: $NB_REPLICAS template: metadata: labels: - app: redis + app: valkey spec: containers: - - name: redis - image: docker.io/redis:latest + - name: valkey + image: docker.io/valkey/valkey:latest ports: - - name: redis + - name: valkey containerPort: 6379 volumeMounts: - name: data -- 2.45.2
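Review bot: The new container uses `image: docker.io/valkey/valkey:latest`, a mutable tag, while the other images touched by this commit are pinned in `.env`. A pod restart can therefore pull a different build than the one that was deployed, and Renovate presumably has no version to track or propose updates for. Pin it the same way as the others, e.g. `image: "$IMAGEVALKEY"` with a new `.env` entry `IMAGEVALKEY=docker.io/valkey/valkey:<pinned-version>`. The StatefulSet spec continues below the hunk.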