diff --git a/gitea/gitea-admin-secret.enc.yaml b/gitea/gitea-admin-secret.enc.yaml
new file mode 100644
index 0000000..1c67760
--- /dev/null
+++ b/gitea/gitea-admin-secret.enc.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: gitea-admin-secret
+ namespace: gitea
+stringData:
+ username: ENC[AES256_GCM,data:3i59iz9U,iv:m4dkqidSA6zIQcCcsutPHaAnEyU81zEyjkKanwX2hbA=,tag:Smx08HGp8xQvY3cPZtw3eg==,type:str]
+ password: ENC[AES256_GCM,data:ByuQHlvQ+EDqX+MKb5HlEum7Hlw=,iv:IwD25SMziMFHo5DxoBrt6O1f+9UtP7MqRqoTskoESJE=,tag:AeHmmeWi5SUGbAeaf5LmUA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age14dgmts59tc2gv2xu9305auvu854n3pfl8vkheqzzqyrygyeequ0sjhl92v
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXNFQyNXViaEZkNk1SeWY5
+ Yk5mTyttWmpVUjQ5WlV6Y0dXTTU3KzJ0d0ZFCjZMM1FGTTJlWmhCa3puNHNVZHRu
+ S2RtYzR5eUtPa2RNZkI0TmZlR1E5eHcKLS0tIHlpZmMwZDMvL0hsbWhXdnpoS0t3
+ eDRhMGZlZ0hZSkhwdHVYci9DV3FxQVkKAnD9tzGFWwvl6W3JhLF5vRjZ8RCN4EcH
+ GHUGCqJnnJzHO/MWaUQm+J/D9NQLusU74UjK/VWQ0qusia57w5raDQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-11-28T21:32:07Z"
+ mac: ENC[AES256_GCM,data:wEIvCSQWvOuEX09mVWgoULlbWD3DXS0+QkH5+SMNA3zm+srgni55H8LHpR2X1c5YWYMbqbwyy8oOL48+oqvTbfhsEeu8QMCd04ZwPxnVcGxrkG9XV7gx3HBNRCLZmDdtINs2i/wRJEyIypKXuTCSV26okHUQXdLvBuAH2zFuNVQ=,iv:m5OFflAhDz/mmFjw5AxM1/VQr5qIuFDn0M24tQh6RQA=,tag:PScMxHtfANIHiB0//mYpuA==,type:str]
+ pgp: []
+ unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+ version: 3.8.1
diff --git a/gitea/ingress.yaml b/gitea/ingress.yaml
new file mode 100755
index 0000000..a4d8ae7
--- /dev/null
+++ b/gitea/ingress.yaml
@@ -0,0 +1,14 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: gitea-web-ingress
+ namespace: gitea
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`git.namesny.com`)
+ kind: Rule
+ services:
+ - name: gitea-http
+ port: 3000
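Review bot: Every encrypted file in this commit — this one, renovate-bot-secret.enc.yaml and runner-secret.enc.yaml — lists a single age recipient under `sops.age`, so loss of that one private key makes all three Secrets unrecoverable, and rotating it means re-encrypting each file by hand. Adding a second recipient (an offline backup key) through a `.sops.yaml` creation rule lets `sops updatekeys` re-encrypt all of them consistently, and a short comment in the directory should say where the age key is expected at build time. The `unencrypted_regex` leaves `metadata` in the clear, which is fine for name and namespace, but keep in mind that any labels or annotations added later will also be unencrypted.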
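Review bot: The IngressRoute binds to the `websecure` entryPoint but declares no `spec.tls`, so unless Traefik's static configuration already forces TLS on that entryPoint the router is attached without TLS and `git.namesny.com` would be served in the clear on the HTTPS port. Add an explicit stanza, `tls:` / `  certResolver: <resolver-name>` (placeholder for the resolver configured in Traefik), or `tls: {}` if a default certificate is configured on the entryPoint, so the intent is visible in the manifest rather than depending on external state. The backend `gitea-http` on port 3000 matches `service.http.port` in values.yaml.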
diff --git a/gitea/kustomization.yaml b/gitea/kustomization.yaml
new file mode 100755
index 0000000..8fab9f1
--- /dev/null
+++ b/gitea/kustomization.yaml
@@ -0,0 +1,28 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: gitea
+
+resources:
+- namespace.yaml
+- ingress.yaml
+- runner-pvc.yaml
+- runner-deployment.yaml
+
+generators:
+- secret-generator.yaml
+
+helmCharts:
+- name: gitea
+ releaseName: gitea
+ version: 9.6.0
+ repo: https://dl.gitea.io/charts/
+ namespace: gitea
+ valuesMerge: merge
+ valuesFile: values.yaml
+- name: renovate
+ releaseName: renovate
+ version: 37.68.3
+ repo: https://docs.renovatebot.com/helm-charts
+ namespace: gitea
+ valuesFile: renovate-bot-values.yaml
+
diff --git a/gitea/namespace.yaml b/gitea/namespace.yaml
new file mode 100755
index 0000000..d884423
--- /dev/null
+++ b/gitea/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: gitea
\ No newline at end of file
diff --git a/gitea/renovate-bot-secret.enc.yaml b/gitea/renovate-bot-secret.enc.yaml
new file mode 100644
index 0000000..0c0171b
--- /dev/null
+++ b/gitea/renovate-bot-secret.enc.yaml
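Review bot: Nothing in this file records that a plain `kustomize build` will not render it: the `helmCharts` entries need `--enable-helm`, and the ksops generator listed under `generators` needs `--enable-alpha-plugins --enable-exec` plus the age private key available to sops. A header comment such as `# Build: kustomize build --enable-helm --enable-alpha-plugins --enable-exec .` (and a line on where the age key is expected) would save the next person a failed first run. The file also ends with an extra blank `+` line that yamllint will flag.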
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: renovate-bot-secret
+ namespace: gitea
+stringData:
+ RENOVATE_AUTODISCOVER: ENC[AES256_GCM,data:20/nNkA=,iv:o6OgPwx03/U7kHbO4WBh1HVLAdr8HBsWWGRlrIx3ZvE=,tag:7BpQuJpwI20Jqlf0zrVqBA==,type:str]
+ RENOVATE_ENDPOINT: ENC[AES256_GCM,data:PfAFF87I1COu9aGUf8uxPbzaUeyYvFpHmlK5DuP6,iv:JUgHIzaTSjCGpGucftT9AzFB7Gclwau8y9o2cbEJ2XU=,tag:52QvbgdaJRVTB5ARW0gn2Q==,type:str]
+ RENOVATE_GIT_AUTHOR: ENC[AES256_GCM,data:5tCkXdiheQkI293yf7Fh0Tb1kvWtDXHTIikP21IJQgFUyw==,iv:L1x3FDp6m/oJRq4Gcp3lusUF8Fufx+wWUVUQeYerDGk=,tag:h2XSao9P/wDHTpPRhEzVuQ==,type:str]
+ RENOVATE_PLATFORM: ENC[AES256_GCM,data:5bRuvgQ=,iv:m2RtjwWANMCNjXaEmzZc8QZKff5oxy+cVazmM0Qs6bE=,tag:Zp+2HLlEJgSZB0U2xRS2uw==,type:str]
+ RENOVATE_TOKEN: ENC[AES256_GCM,data:lPV9X8pZsSHzb7xFLuQ0Ixg5EaBgsuEmCFvXSkmxImUnImAKWINjBw==,iv:/hkxQNNqLcH/pbYs/Mn4P9FW1/DOIOKAUEjZNutoZok=,tag:Pd/NCxYZRJVaUiWT9FaMcA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age14dgmts59tc2gv2xu9305auvu854n3pfl8vkheqzzqyrygyeequ0sjhl92v
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0NWRIZnROK3dkY0xMa1ha
+ cXBINWpXU000YXQ5QW0zMjllRnlzOEJoRlVZClhCUWhqK0M4bTVqNjBFR05LU1NP
+ ejJaaHJSc003Q0V6UlpzWFdCTnd5RVEKLS0tIDllcVhFUE51Z1VsOGVJZ216TVdE
+ eVhjc2VlOVROOC9oakF3K29nODdEM0EKZkIo+FdHZAyQ9ogoK9994B0q5lkWWXOw
+ EgXamhJ800zjy9zFeO6bxPMsgPze1iNshhlV7HjT8uh+qs5laCqatg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-11-28T21:31:06Z"
+ mac: ENC[AES256_GCM,data:O/Vw1S40Dz0g6Fo9K87iCIFh3TSNW4/f+mWNnbjPpjehj1+JbOovpchjizI1c+OZ++/rqlow8Ib/yesMDdPd16ErkyHgINMBtLuqfUYJ1WSwg52Rp5zfZP7eSXHTeqcGuuASIfzEcclZ/5QIPeiSOJG5iSAl/MDeNte6/YwEqQo=,iv:lieOLB5tOP4XagOr+cRWQZQC00EHz9UUcx7e2uwUjpU=,tag:JJ4YgTKMCZtujAJfi+TcxA==,type:str]
+ pgp: []
+ unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+ version: 3.8.1
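Review bot: Only `RENOVATE_TOKEN` in this Secret is actually sensitive; `RENOVATE_AUTODISCOVER`, `RENOVATE_ENDPOINT`, `RENOVATE_PLATFORM` and `RENOVATE_GIT_AUTHOR` are plain configuration that is now invisible to review and to diffs because it is SOPS-encrypted alongside the token. Moving those four into renovate-bot-values.yaml (the `renovate.config` block or whatever environment setting this chart version supports) and keeping only the token here would let a reviewer see which endpoint and platform the bot is pointed at and whether autodiscovery is on. If they stay here, a comment in the values file naming the keys the Secret provides would at least document the split.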
diff --git a/gitea/renovate-bot-values.yaml b/gitea/renovate-bot-values.yaml
new file mode 100755
index 0000000..bc1f0db
--- /dev/null
+++ b/gitea/renovate-bot-values.yaml
@@ -0,0 +1,12 @@
+renovate:
+ config : |
+ {
+ "repositories": ["Cluster/k3s-configs"]
+ }
+ persistence:
+ cache:
+ enabled: true
+ storageClass: retain-local-path
+existingSecret: renovate-bot-secret
+apiVersionOverrides:
+ cronjob: 'batch/v1'
diff --git a/gitea/runner-deployment.yaml b/gitea/runner-deployment.yaml
new file mode 100755
index 0000000..7d19496
--- /dev/null
+++ b/gitea/runner-deployment.yaml
@@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: act-runner
+ name: act-runner
+ namespace: gitea
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: act-runner
+ strategy: {}
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ app: act-runner
+ spec:
+ restartPolicy: Always
+ volumes:
+ - name: runner-data
+ persistentVolumeClaim:
+ claimName: act-runner-vol
+ securityContext:
+ fsGroup: 1001
+ containers:
+ - name: runner
+ image: gitea/act_runner:nightly-dind-rootless
+ imagePullPolicy: Always
+ env:
+ - name: DOCKER_HOST
+ value: unix:///var/run/user/1000/docker.sock
+ - name: GITEA_INSTANCE_URL
+ value: http://gitea-http.gitea.svc.cluster.local:3000
+ - name: GITEA_RUNNER_REGISTRATION_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: runner-secret
+ key: token
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: runner-data
+ mountPath: /data
diff --git a/gitea/runner-pvc.yaml b/gitea/runner-pvc.yaml
new file mode 100755
index 0000000..0884069
--- /dev/null
+++ b/gitea/runner-pvc.yaml
@@ -0,0 +1,12 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: act-runner-vol
+ namespace: gitea
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: retain-local-path
diff --git a/gitea/runner-secret.enc.yaml b/gitea/runner-secret.enc.yaml
new file mode 100644
index 0000000..94f0502
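Review bot: `config :` on the second line has a space before the colon; yamllint's `colons` rule flags it and it reads as a typo next to every other key in the commit, so change it to `config: |`. `existingSecret` and `apiVersionOverrides` sit at the top level while `config` and `persistence` are nested under `renovate:`, which is presumably what this chart version expects, but a one-line comment saying so would stop someone "fixing" the nesting later.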
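Review bot: The runner container runs with `privileged: true` while pulling the floating `gitea/act_runner:nightly-dind-rootless` tag with `imagePullPolicy: Always`, so every pod restart can execute a different, unreviewed image with full host privileges. Pin the image to a released tag or digest, e.g. `image: gitea/act_runner:<release>-dind-rootless` (placeholder), and put a comment next to `privileged: true` stating that the in-pod Docker daemon requires it, so nobody removes or widens it without understanding why. `strategy: {}` leaves the default RollingUpdate, which with `replicas: 1` and a ReadWriteOnce PVC can leave the replacement pod stuck waiting for the volume on updates; `strategy:` / `  type: Recreate` avoids that. `creationTimestamp: null` is generator noise and can be dropped.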
--- /dev/null
+++ b/gitea/runner-secret.enc.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: runner-secret
+ namespace: gitea
+stringData:
+ token: ENC[AES256_GCM,data:L4knV26n07ITqEAiiCtI+bMDyDV5XbbxwCyimir1F9KIpveWuE8MwA==,iv:H+qTTGqo3MALmJ583kqQyXGCeVxBzoh8c9+CqLEUzZI=,tag:WzQcxgtmSuVyNet9J2qTHg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age14dgmts59tc2gv2xu9305auvu854n3pfl8vkheqzzqyrygyeequ0sjhl92v
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrODNya2FReElkL1dwa01p
+ OXZvWURJY0YwOGkzb1l5bGhZVGVSRmRvOUR3Cm0zdWVHMk9LbG1wc0pqSnZvM0Ft
+ dlVMYzljUHB5TmZFREVoWjJZSmhIMG8KLS0tIHl3SVc1Ky9aei9sS0UzRTQ0Qklp
+ dVBWa3BPK1pBaUxKRnB1REVkM2NuaDAKFL93pbjyy2kDGgZTDlC+/7azF7rggUXY
+ Vf3oSu6u+i/AEPJzmi7iX1FBM+Tag9A3Q5zIfo/8L9XI+uqpX4HcUg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-11-28T21:32:44Z"
+ mac: ENC[AES256_GCM,data:PeEdV0W+anjtndAxAQSEa/4TFHaawKTbBqJbFoHPPsd60+q5XHXdxokTk1szENrdDC3f0cZ6xAdCIW5oyaGUICd1hrOVGyhMN84SbP/KP+P9lkFICD1AXNhVXHa0U6G9UdvP5gFVhDV2k1LdRNkjmHkpn6hpUijlZc7+LIfXiKI=,iv:yS5af3UBRlNMdqmvSfimDFRTw5LevPo3iA9b4SNKisM=,tag:xD4h8kABvH1xZqOMTn15fQ==,type:str]
+ pgp: []
+ unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+ version: 3.8.1
diff --git a/gitea/secret-generator.yaml b/gitea/secret-generator.yaml
new file mode 100644
index 0000000..bf81b2e
--- /dev/null
+++ b/gitea/secret-generator.yaml
@@ -0,0 +1,12 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+ name: gitea-secret-generator
+ annotations:
+ config.kubernetes.io/function: |
+ exec:
+ path: ksops
+files:
+- ./gitea-admin-secret.enc.yaml
+- ./renovate-bot-secret.enc.yaml
+- ./runner-secret.enc.yaml
diff --git a/gitea/values.yaml b/gitea/values.yaml
new file mode 100755
index 0000000..9040a5b
--- /dev/null
+++ b/gitea/values.yaml
@@ -0,0 +1,65 @@
+redis-cluster:
+ enabled: false
+postgresql-ha:
+ enabled: false
+postgresql:
+ enabled: true
+ primary:
+ persistence:
+ storageClass: retain-local-path
+
+persistence:
+ enabled: true
+ storageClass: retain-local-path
+
+image:
+ rootless: true
+
+gitea:
+ admin:
+ existingSecret: gitea-admin-secret
+ email: "matus@namesny.com"
+ config:
+ actions:
+ ENABLED: true
+ federation:
+ ENABLED: true
+ database:
+ DB_TYPE: postgres
+ session:
+ PROVIDER: db
+ cache:
+ ADAPTER: memory
+ queue:
+ TYPE: level
+ server:
+ BUILTIN_SSH_SERVER_USER: git
+ ROOT_URL: https://git.namesny.com
+ DOMAIN: git.namesny.com
+ SSH_CREATE_AUTHORIZED_KEYS_FILE: false
+ LANDING_PAGE: explore
+ service:
+ REGISTER_MANUAL_CONFIRM: true
+ indexer:
+ ISSUE_INDEXER_TYPE: bleve
+ REPO_INDEXER_ENABLED: true
+
+service:
+ http:
+ type: ClusterIP
+ port: 3000
+ clusterIP:
+ ssh:
+ type: ClusterIP
+ port: 22
+
+podSecurityContext:
+ fsGroup: 1001
+
+containerSecurityContext:
+ runAsGroup: 1001
+ runAsNonRoot: true
+ runAsUser: 1001
+
+test:
+ enabled: false
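Review bot: `clusterIP:` under `service.http` is a bare key, which YAML parses as null; Helm treats a null override as "delete the chart's default for this key" rather than as an empty string, and nothing in the file says that is the intent. Write it explicitly with a comment, e.g. `clusterIP: null  # remove the chart default so the Service is allocated a cluster IP` (constructed wording — confirm against the chart's default before committing to it), so yamllint's `empty-values` rule stops flagging it and the next reader knows it is deliberate. `REGISTER_MANUAL_CONFIRM: true` keeps self-service sign-up open pending admin approval; if public registration is not intended on this instance, `DISABLE_REGISTRATION: true` under the same `service` section is the stricter setting, and the admin account is still created from `gitea-admin-secret` either way.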