feat: renovatebot #2
4
.env
4
.env
@ -1,3 +1,3 @@
|
||||
PROD_URL=git.gmoker.com
|
||||
IMAGEAPP=docker.io/gitea/gitea:1.22.0-rootless
|
||||
IMAGERUNNER=docker.io/gitea/act_runner:0.2.10-dind-rootless
|
||||
IMAGEAPP=docker.io/gitea/gitea:1.22.6-rootless
|
||||
IMAGERUNNER=docker.io/gitea/act_runner:0.2.11-dind-rootless
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
services:
|
||||
db:
|
||||
image: docker.io/postgres:15
|
||||
image: docker.io/postgres:17
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
- POSTGRES_DB=db
|
||||
@ -20,16 +20,16 @@ services:
|
||||
- POSTGRES_HOST=db
|
||||
- GITEA__database__DB_TYPE=postgres
|
||||
- GITEA__database__HOST=db
|
||||
- GITEA__database__NAME=db
|
||||
- GITEA__database__USER=db
|
||||
- GITEA__database__PASSWD=db
|
||||
- GITEA__service__DISABLE_REGISTRATION=true
|
||||
volumes:
|
||||
- data:/var/lib/gitea/
|
||||
- config:/etc/gitea/
|
||||
- data:/var/lib/gitea/
|
||||
depends_on:
|
||||
- db
|
||||
|
||||
volumes:
|
||||
db: {}
|
||||
config: {}
|
||||
data: {}
|
||||
db: {}
|
||||
|
37
manifests/bin/createadmin.sh
Executable file
37
manifests/bin/createadmin.sh
Executable file
@ -0,0 +1,37 @@
|
||||
#!/bin/bash -e
|
||||
set -o pipefail
|
||||
|
||||
function get_token() {
|
||||
kubectl exec statefulset/app -- gitea admin user generate-access-token \
|
||||
--username "$name" \
|
||||
--token-name "${name^^}" \
|
||||
--scopes "$scopes" \
|
||||
| awk '{print $NF}'
|
||||
}
|
||||
|
||||
name="$1"
|
||||
scopes="$2"
|
||||
email="$name@$BASE_URL"
|
||||
secret="gitea-$name"
|
||||
passwd="$(kgseckey "$secret" password || true)"
|
||||
|
||||
if [ -z "$passwd" ]; then
|
||||
passwd="$(openssl rand -hex 32)"
|
||||
kubectl exec statefulset/app -- \
|
||||
gitea admin user create --admin --must-change-password=false \
|
||||
--email "$email" \
|
||||
--username "$name" \
|
||||
--password "$passwd"
|
||||
fi
|
||||
|
||||
opts=()
|
||||
[ -n "$scopes" ] && opts+=(
|
||||
--from-literal=token="$(kgseckey "$secret" token || get_token)"
|
||||
--from-literal=tokenscopes="$scopes"
|
||||
)
|
||||
|
||||
kcreatesec "$secret" \
|
||||
--from-literal=email="$email" \
|
||||
--from-literal=username="$name" \
|
||||
--from-literal=password="$passwd" \
|
||||
"${opts[@]}"
|
@ -3,47 +3,40 @@ set -o pipefail
|
||||
|
||||
function kapply() {
|
||||
for f in "$@"; do
|
||||
kubectl apply -f \
|
||||
<(envsubst "$(env | xargs printf '$%s ')" < "manifests/$f")
|
||||
kubectl apply -f <(envsubst < "manifests/$f")
|
||||
done
|
||||
}
|
||||
}; export -f kapply
|
||||
|
||||
function kcreatesec() {
|
||||
kubectl create secret generic --save-config --dry-run=client -oyaml "$@" | kubectl apply -f-
|
||||
}
|
||||
}; export -f kcreatesec
|
||||
|
||||
function kcreatecm() {
|
||||
kubectl create configmap --dry-run=client -oyaml "$@" | kubectl apply -f-
|
||||
}
|
||||
}; export -f kcreatecm
|
||||
|
||||
function kgseckey() {
|
||||
local sec="$1"; shift
|
||||
local key="$1"; shift
|
||||
local ret
|
||||
|
||||
ret="$(kubectl get secret "$sec" -o jsonpath="{.data.$key}" | base64 -d)"
|
||||
if [ "$?" -ne 0 ] || [ -z "$ret" ]; then
|
||||
if ! kubectl get secret "$sec" -ojson | jq -re ".data.\"$key\" // empty" | base64 -d; then
|
||||
return 1
|
||||
fi
|
||||
echo "$ret"
|
||||
}
|
||||
}; export -f kgseckey
|
||||
|
||||
function kgcmkey() {
|
||||
local cm="$1"; shift
|
||||
local cm="$1"; shift
|
||||
local key="$1"; shift
|
||||
local ret;
|
||||
|
||||
ret="$(kubectl get configmap "$cm" -o jsonpath="{.data.$key}")"
|
||||
if [ "$?" -ne 0 ] || [ -z "$ret" ]; then
|
||||
if ! kubectl get configmap "$cm" -ojson | jq -re ".data.\"$key\" // empty"; then
|
||||
return 1
|
||||
fi
|
||||
echo "$ret"
|
||||
}
|
||||
}; export -f kgcmkey
|
||||
|
||||
|
||||
kapply common/db.yaml
|
||||
|
||||
export REDIS_HOST=redis
|
||||
export REDIS_HOST=valkey
|
||||
export REDIS_DB=0
|
||||
export REDIS_PORT=6379
|
||||
export POSTGRES_HOST; POSTGRES_HOST="$(kgseckey postgres-app host)"
|
||||
@ -52,39 +45,31 @@ export POSTGRES_DB; POSTGRES_DB="$(kgseckey postgres-app dbname)"
|
||||
export POSTGRES_USER; POSTGRES_USER="$(kgseckey postgres-app user)"
|
||||
export POSTGRES_PASSWORD; POSTGRES_PASSWORD="$(kgseckey postgres-app password)"
|
||||
|
||||
GITEA_USERNAME="$(kgseckey gitea-admin username || echo gitea)"
|
||||
GITEA_PASSWORD="$(kgseckey gitea-admin password || openssl rand -hex 32)"
|
||||
# shellcheck disable=SC1090,SC2016
|
||||
. <(kubectl run -i --rm --image "$IMAGEAPP" secrets -- bash <<< 'echo SECRET_KEY="$(gitea generate secret SECRET_KEY)" INTERNAL_TOKEN="$(gitea generate secret INTERNAL_TOKEN)" JWT_SECRET="$(gitea generate secret JWT_SECRET)"' | head -n1)
|
||||
|
||||
kcreatesec gitea-admin \
|
||||
--from-literal=email="gitea@$BASE_URL" \
|
||||
--from-literal=username="$GITEA_USERNAME" \
|
||||
--from-literal=password="$GITEA_PASSWORD"
|
||||
|
||||
kubectl run --image "$IMAGEAPP" secrets sleep 60
|
||||
sleep 5
|
||||
kcreatesec gitea \
|
||||
--from-literal=secret_key="$(kgseckey gitea secret_key || kubectl exec secrets -- gitea generate secret SECRET_KEY)" \
|
||||
--from-literal=internal_token="$(kgseckey gitea internal_token || kubectl exec secrets -- gitea generate secret INTERNAL_TOKEN)" \
|
||||
--from-literal=oauth2_jwt_secret="$(kgseckey gitea oauth2_jwt_secret || kubectl exec secrets -- gitea generate secret JWT_SECRET)"
|
||||
kubectl delete pod secrets
|
||||
--from-literal=secret_key="$(kgseckey gitea secret_key || echo "$SECRET_KEY")" \
|
||||
--from-literal=internal_token="$(kgseckey gitea internal_token || echo "$INTERNAL_TOKEN")" \
|
||||
--from-literal=oauth2_jwt_secret="$(kgseckey gitea oauth2_jwt_secret || echo "$JWT_SECRET")"
|
||||
|
||||
kcreatecm gitea \
|
||||
--from-file=app.ini=<(envsubst "$(env | xargs printf '$%s ')" < config/app.ini)
|
||||
--from-file=app.ini=<(envsubst < config/app.ini)
|
||||
|
||||
kapply common/job.yaml \
|
||||
common/redis.yaml \
|
||||
common/valkey.yaml \
|
||||
common/app.yaml
|
||||
|
||||
kubectl rollout restart statefulset app
|
||||
|
||||
kubectl wait --timeout=5m --for=condition=complete job/createadminuser
|
||||
sleep 5
|
||||
kubectl rollout status statefulset app
|
||||
kubectl wait --timeout=5m --for=condition=complete job/migrate
|
||||
|
||||
./manifests/bin/createadmin.sh gitea
|
||||
./manifests/bin/createadmin.sh renovate 'write:repository,read:user,write:issue,read:organization'
|
||||
|
||||
kcreatesec runner \
|
||||
--from-literal=token="$(kgseckey runner token || kubectl exec app-0 -- gitea actions generate-runner-token)"
|
||||
|
||||
kcreatesec renovate \
|
||||
--from-literal=token="$(kgseckey renovate token || kubectl exec app-0 -- gitea admin user generate-access-token --username "$GITEA_USERNAME" --token-name RENOVATE --scopes 'write:repository,read:user,write:issue,read:organization' | grep -o '[a-f0-9]\+$')"
|
||||
--from-literal=token="$(kgseckey runner token || kubectl exec statefulset/app -- gitea actions generate-runner-token)"
|
||||
|
||||
kapply common/runner.yaml common/renovate.yaml
|
||||
|
||||
|
@ -1,4 +1,5 @@
|
||||
#!/bin/bash -e
|
||||
set -o pipefail
|
||||
|
||||
export NB_REPLICAS=1
|
||||
|
||||
|
@ -1,4 +1,5 @@
|
||||
#!/bin/bash -e
|
||||
set -o pipefail
|
||||
|
||||
# TODO: 3
|
||||
export NB_REPLICAS=1
|
||||
|
@ -5,7 +5,7 @@ metadata:
|
||||
name: app
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: "512M"
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: "8G"
|
||||
spec:
|
||||
ingressClassName: nginx
|
||||
tls:
|
||||
|
@ -2,21 +2,17 @@
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: createadminuser
|
||||
name: migrate
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
restartPolicy: Never
|
||||
containers:
|
||||
- name: createadminuser
|
||||
- name: migrate
|
||||
image: "$IMAGEAPP"
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: gitea-admin
|
||||
command:
|
||||
- bash
|
||||
- -c
|
||||
- 'gitea migrate && { gitea admin user change-password --username "$username" --password "$password" --must-change-password=false 2> /dev/null || gitea admin user create --admin --email "$email" --username "$username" --password "$password" --must-change-password=false; }'
|
||||
- gitea
|
||||
- migrate
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /etc/gitea/app.ini
|
||||
|
@ -27,10 +27,10 @@ spec:
|
||||
- name: RENOVATE_USERNAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gitea-admin
|
||||
name: gitea-renovate
|
||||
key: username
|
||||
- name: RENOVATE_TOKEN
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: runner
|
||||
name: gitea-renovate
|
||||
key: token
|
||||
|
@ -2,36 +2,36 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: redis
|
||||
name: valkey
|
||||
labels:
|
||||
app: redis
|
||||
app: valkey
|
||||
spec:
|
||||
selector:
|
||||
app: redis
|
||||
app: valkey
|
||||
ports:
|
||||
- name: redis
|
||||
- name: valkey
|
||||
port: 6379
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: redis
|
||||
name: valkey
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app: redis
|
||||
serviceName: redis
|
||||
app: valkey
|
||||
serviceName: valkey
|
||||
replicas: $NB_REPLICAS
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: redis
|
||||
app: valkey
|
||||
spec:
|
||||
containers:
|
||||
- name: redis
|
||||
image: docker.io/redis:latest
|
||||
- name: valkey
|
||||
image: docker.io/valkey/valkey:latest
|
||||
ports:
|
||||
- name: redis
|
||||
- name: valkey
|
||||
containerPort: 6379
|
||||
volumeMounts:
|
||||
- name: data
|
Loading…
Reference in New Issue
Block a user