reboot git on forgejo

projects/core/manifests/metallb.yaml

@@ -15,7 +15,7 @@ spec:
 apiVersion: metallb.io/v1beta1
 kind: IPAddressPool
 metadata:
-  name: minetest
+  name: git
   namespace: metallb
 spec:
   addresses:
@@ -60,6 +60,15 @@ spec:
     - 192.168.1.11/32
 ---
 apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: virt
+  namespace: metallb
+spec:
+  addresses:
+    - 192.168.1.64/26 #192.168.1.65 - 192.168.1.78
+---
+apiVersion: metallb.io/v1beta1
 kind: L2Advertisement
 metadata:
   name: l2advertisement
@@ -71,3 +80,5 @@ spec:
       - external
       - internal
       - iot
+      - virt
+      - git

projects/forgejo/manifests/netpol.yaml

@@ -0,0 +1,16 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-cnpg-kubeapi
+  namespace: forgejo
+spec:
+  endpointSelector:
+    matchLabels:
+      cnpg.io/cluster: forgejo-db
+  egress:
+  - toEntities:
+    - kube-apiserver
+  - toPorts:
+    - ports:
+      - port: "6443"
+        protocol: TCP

projects/forgejo/manifests/postgre.yaml

@@ -0,0 +1,71 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: forgejo-db
+  namespace: forgejo
+  annotations:
+    cnpg.io/skipEmptyWalArchiveCheck: enabled
+spec:
+  instances: 1
+  imageName: ghcr.io/cloudnative-pg/postgresql:15
+
+  bootstrap:
+    initdb:
+      database: app
+      owner: app
+
+  backup:
+    barmanObjectStore:
+      destinationPath: "s3://forgejo/"
+      endpointURL: "http://s3-minio.s3.svc.cluster.local:9000"
+      s3Credentials:
+        accessKeyId:
+          name: bucket
+          key: accesskey
+        secretAccessKey:
+          name: bucket
+          key: secretkey
+      wal:
+        compression: gzip
+        #encryption: AES256
+      data:
+        compression: gzip
+        #encryption: AES256
+    retentionPolicy: "90d"
+  #
+  resources:
+    requests:
+      memory: "64Mi"
+      cpu: "50m"
+    # limits:
+    #   memory: "1Gi"
+    #   cpu: "1"
+
+  storage:
+    size: 10Gi
+
+  externalClusters:
+    - name: forgejo-db
+      barmanObjectStore:
+        destinationPath: "s3://forgejo/"
+        endpointURL: "http://s3-minio.s3.svc.cluster.local:9000"
+        s3Credentials:
+          accessKeyId:
+            name: bucket
+            key: accesskey
+          secretAccessKey:
+            name: bucket
+            key: secretkey
+        wal:
+          maxParallel: 8
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+  name: forgejo-db-backup
+  namespace: forgejo
+spec:
+  schedule: "0 0 * * * *"
+  backupOwnerReference: self
+  cluster:
+    name: forgejo-db

projects/forgejo/project.yml

@@ -1,5 +1,5 @@
 config:
-  description: Gitea public Git Server
+  description: Forgejo Public Git Server
   networkPolicy:
     groups:
     - internet
@@ -12,10 +12,10 @@ config:
     environment: external
 
 apps:
-- name: gitea
+- name: forgejo
   repoURL: codeberg.org/forgejo-contrib
   chart: forgejo
-  targetRevision: 0.12.0
+  targetRevision: 3.0.0
   secrets:
   - name: admin
     keys:
@@ -28,4 +28,4 @@ apps:
     - accesskey
   - name: redis-auth
     keys:
-    - password
+      - password

projects/forgejo/values/forgejo.yml

@@ -0,0 +1,196 @@
+global:
+  hostAliases: []
+  # - ip: 192.168.137.2
+  #   hostnames:
+  #   - example.com
+
+strategy:
+  type: 'RollingUpdate'
+  rollingUpdate:
+    maxSurge: '100%'
+    maxUnavailable: 0
+
+image:
+  registry: codeberg.org
+  repository: forgejo/forgejo
+  tag: "1.21"
+  rootless: true
+
+podSecurityContext:
+  fsGroup: 1000
+
+## @param containerSecurityContext Security context
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - ALL
+  # Add the SYS_CHROOT capability for root and rootless images if you intend to
+  # run pods on nodes that use the container runtime cri-o. Otherwise, you will
+  # get an error message from the SSH server that it is not possible to read from
+  # the repository.
+  # https://gitea.com/gitea/helm-chart/issues/161
+    add:
+      - SYS_CHROOT
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 1000
+  runAsNonRoot: true
+  runAsUser: 1000
+
+service:
+  ssh:
+    type: LoadBalancer
+    port: 2222
+    annotations:
+      metallb.universe.tf/address-pool: git
+
+ingress:
+  enabled: true
+  className: ingress-external
+  labels:
+    environment: external
+  annotations:
+    kubernetes.io/tls-acme: "true"
+    cert-manager.io/cluster-issuer: letsencrypt
+    external-dns.alpha.kubernetes.io/hostname: git.nold.in
+    external-dns.alpha.kubernetes.io/target: nold.in
+    external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
+  hosts:
+    - host: git.nold.in
+      paths:
+        - path: /
+          pathType: Prefix
+  tls:
+    - secretName: gitea-tls
+      hosts:
+        - git.nold.in
+
+
+## @section deployment
+#
+## @param resources Kubernetes resources
+resources:
+  {}
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+## @param signing.enabled Enable commit/action signing
+## @param signing.gpgHome GPG home directory
+## @param signing.privateKey Inline private gpg key for signed Forgejo actions
+## @param signing.existingSecret Use an existing secret to store the value of `signing.privateKey`
+signing:
+  enabled: false
+  gpgHome: /data/git/.gnupg
+  privateKey: ''
+  # privateKey: |-
+  #   -----BEGIN PGP PRIVATE KEY BLOCK-----
+  #   ...
+  #   -----END PGP PRIVATE KEY BLOCK-----
+  existingSecret: ''
+
+## @section Gitea
+#
+gitea:
+  admin:
+    existingSecret: admin
+
+  metrics:
+    enabled: false
+    serviceMonitor:
+      enabled: false
+      #  additionalLabels:
+      #    prometheus-release: prom1
+
+  # Either specify inline `key` and `secret` or refer to them via `existingSecret`
+  ## @param gitea.oauth OAuth configuration
+  oauth:
+    []
+    # - name: 'OAuth 1'
+    #   provider:
+    #   key:
+    #   secret:
+    #   existingSecret:
+    #   autoDiscoverUrl:
+    #   useCustomUrls:
+    #   customAuthUrl:
+    #   customTokenUrl:
+    #   customProfileUrl:
+    #   customEmailUrl:
+
+  ## @param gitea.config.server.SSH_PORT SSH port for rootlful Forgejo image
+  ## @param gitea.config.server.SSH_LISTEN_PORT SSH port for rootless Forgejo image
+
+  config:
+    APP_NAME: "Let's forge some forks"
+    webhook:
+      ALLOWED_HOST_LIST: argocd-server.argocd.svc.cluster.local
+    ui:
+      DEFAULT_THEME: arc-green
+    repository:
+      DEFAULT_BRANCH: main
+    server:
+      LFS_START_SERVER: true
+      PROTOCOL: http
+      DOMAIN: git.nold.in
+      ROOT_URL: https://git.nold.in
+    database:
+      DB_TYPE: postgres
+      NAME: app
+      HOST: forgejo-db-rw.forgejo.svc.cluster.local:5432
+    service:
+      DISABLE_REGISTRATION: true
+    lfs:
+      STORAGE_TYPE: local
+    picture:
+      DISABLE_GRAVATAR: true
+    metrics:
+      ENABLED: false
+    api:
+      ENABLE_SWAGGER: false
+    oauth:
+      ENABLE: false
+    proxy:
+      PROXY_ENABLED: true
+      PROXY_URL: "http://proxy-squid.proxy.svc.cluster.local:3128"
+      PROXY_HOSTS: "github.com"
+    actions:
+      DEFAULT_ACTIONS_URL: self
+
+  additionalConfigFromEnvs:
+    - name: FORGEJO__database__PASSWD
+      valueFrom:
+        secretKeyRef:
+          name: forgejo-db-app
+          key: password
+    - name: FORGEJO__database__USER
+      valueFrom:
+        secretKeyRef:
+          name: forgejo-db-app
+          key: username
+
+  ## @param gitea.ssh.logLevel Configure OpenSSH's log level. Only available for root-based Forgejo image.
+  ssh:
+    logLevel: 'INFO'
+
+redis-cluster:
+  enabled: true
+  usePassword: false
+  cluster:
+    nodes: 3 # default: 6
+    replicas: 0 # default: 1
+
+postgresql-ha:
+  enabled: false
+postgresql:
+  enabled: false
+## @param test.enabled Set it to false to disable test-connection Pod.
+## @param test.image.name Image name for the wget container used in the test-connection Pod.
+## @param test.image.tag Image tag for the wget container used in the test-connection Pod.
+checkDeprecation: true
+test:
+  enabled: false

resources/networkpolicy.yml

@@ -81,7 +81,7 @@ networkPolicy:
       - to:
         - namespaceSelector:
             matchLabels:
-              app.heqet.gnu.one/name: gitea
+              app.heqet.gnu.one/name: forgejo
         ports:
         - port: 2222
           protocol: TCP
@@ -108,7 +108,7 @@ networkPolicy:
         to:
         - namespaceSelector:
             matchLabels:
-              app.heqet.gnu.one/name: minio
+              app.heqet.gnu.one/name: s3
 
     allow-ingress-traffic:
       podSelector: {}