reboot git on forgejo

This commit is contained in:
nold 2024-02-10 21:19:43 +01:00
parent 7c989308df
commit 737592e324
7 changed files with 301 additions and 7 deletions

View file

@ -15,7 +15,7 @@ spec:
apiVersion: metallb.io/v1beta1 apiVersion: metallb.io/v1beta1
kind: IPAddressPool kind: IPAddressPool
metadata: metadata:
name: minetest name: git
namespace: metallb namespace: metallb
spec: spec:
addresses: addresses:
@ -60,6 +60,15 @@ spec:
- 192.168.1.11/32 - 192.168.1.11/32
--- ---
apiVersion: metallb.io/v1beta1 apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
name: virt
namespace: metallb
spec:
addresses:
- 192.168.1.64/26 #192.168.1.65 - 192.168.1.78
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement kind: L2Advertisement
metadata: metadata:
name: l2advertisement name: l2advertisement
@ -71,3 +80,5 @@ spec:
- external - external
- internal - internal
- iot - iot
- virt
- git

View file

@ -0,0 +1,16 @@
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
name: allow-cnpg-kubeapi
namespace: forgejo
spec:
endpointSelector:
matchLabels:
cnpg.io/cluster: forgejo-db
egress:
- toEntities:
- kube-apiserver
- toPorts:
- ports:
- port: "6443"
protocol: TCP

View file

@ -0,0 +1,71 @@
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: forgejo-db
namespace: forgejo
annotations:
cnpg.io/skipEmptyWalArchiveCheck: enabled
spec:
instances: 1
imageName: ghcr.io/cloudnative-pg/postgresql:15
bootstrap:
initdb:
database: app
owner: app
backup:
barmanObjectStore:
destinationPath: "s3://forgejo/"
endpointURL: "http://s3-minio.s3.svc.cluster.local:9000"
s3Credentials:
accessKeyId:
name: bucket
key: accesskey
secretAccessKey:
name: bucket
key: secretkey
wal:
compression: gzip
#encryption: AES256
data:
compression: gzip
#encryption: AES256
retentionPolicy: "90d"
#
resources:
requests:
memory: "64Mi"
cpu: "50m"
# limits:
# memory: "1Gi"
# cpu: "1"
storage:
size: 10Gi
externalClusters:
- name: forgejo-db
barmanObjectStore:
destinationPath: "s3://forgejo/"
endpointURL: "http://s3-minio.s3.svc.cluster.local:9000"
s3Credentials:
accessKeyId:
name: bucket
key: accesskey
secretAccessKey:
name: bucket
key: secretkey
wal:
maxParallel: 8
---
apiVersion: postgresql.cnpg.io/v1
kind: ScheduledBackup
metadata:
name: forgejo-db-backup
namespace: forgejo
spec:
schedule: "0 0 * * * *"
backupOwnerReference: self
cluster:
name: forgejo-db

View file

@ -1,5 +1,5 @@
config: config:
description: Gitea public Git Server description: Forgejo Public Git Server
networkPolicy: networkPolicy:
groups: groups:
- internet - internet
@ -12,10 +12,10 @@ config:
environment: external environment: external
apps: apps:
- name: gitea - name: forgejo
repoURL: codeberg.org/forgejo-contrib repoURL: codeberg.org/forgejo-contrib
chart: forgejo chart: forgejo
targetRevision: 0.12.0 targetRevision: 3.0.0
secrets: secrets:
- name: admin - name: admin
keys: keys:
@ -28,4 +28,4 @@ apps:
- accesskey - accesskey
- name: redis-auth - name: redis-auth
keys: keys:
- password - password

View file

@ -0,0 +1,196 @@
global:
hostAliases: []
# - ip: 192.168.137.2
# hostnames:
# - example.com
strategy:
type: 'RollingUpdate'
rollingUpdate:
maxSurge: '100%'
maxUnavailable: 0
image:
registry: codeberg.org
repository: forgejo/forgejo
tag: "1.21"
rootless: true
podSecurityContext:
fsGroup: 1000
## @param containerSecurityContext Security context
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# Add the SYS_CHROOT capability for root and rootless images if you intend to
# run pods on nodes that use the container runtime cri-o. Otherwise, you will
# get an error message from the SSH server that it is not possible to read from
# the repository.
# https://gitea.com/gitea/helm-chart/issues/161
add:
- SYS_CHROOT
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
service:
ssh:
type: LoadBalancer
port: 2222
annotations:
metallb.universe.tf/address-pool: git
ingress:
enabled: true
className: ingress-external
labels:
environment: external
annotations:
kubernetes.io/tls-acme: "true"
cert-manager.io/cluster-issuer: letsencrypt
external-dns.alpha.kubernetes.io/hostname: git.nold.in
external-dns.alpha.kubernetes.io/target: nold.in
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
hosts:
- host: git.nold.in
paths:
- path: /
pathType: Prefix
tls:
- secretName: gitea-tls
hosts:
- git.nold.in
## @section deployment
#
## @param resources Kubernetes resources
resources:
{}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
## @param signing.enabled Enable commit/action signing
## @param signing.gpgHome GPG home directory
## @param signing.privateKey Inline private gpg key for signed Forgejo actions
## @param signing.existingSecret Use an existing secret to store the value of `signing.privateKey`
signing:
enabled: false
gpgHome: /data/git/.gnupg
privateKey: ''
# privateKey: |-
# -----BEGIN PGP PRIVATE KEY BLOCK-----
# ...
# -----END PGP PRIVATE KEY BLOCK-----
existingSecret: ''
## @section Gitea
#
gitea:
admin:
existingSecret: admin
metrics:
enabled: false
serviceMonitor:
enabled: false
# additionalLabels:
# prometheus-release: prom1
# Either specify inline `key` and `secret` or refer to them via `existingSecret`
## @param gitea.oauth OAuth configuration
oauth:
[]
# - name: 'OAuth 1'
# provider:
# key:
# secret:
# existingSecret:
# autoDiscoverUrl:
# useCustomUrls:
# customAuthUrl:
# customTokenUrl:
# customProfileUrl:
# customEmailUrl:
## @param gitea.config.server.SSH_PORT SSH port for rootlful Forgejo image
## @param gitea.config.server.SSH_LISTEN_PORT SSH port for rootless Forgejo image
config:
APP_NAME: "Let's forge some forks"
webhook:
ALLOWED_HOST_LIST: argocd-server.argocd.svc.cluster.local
ui:
DEFAULT_THEME: arc-green
repository:
DEFAULT_BRANCH: main
server:
LFS_START_SERVER: true
PROTOCOL: http
DOMAIN: git.nold.in
ROOT_URL: https://git.nold.in
database:
DB_TYPE: postgres
NAME: app
HOST: forgejo-db-rw.forgejo.svc.cluster.local:5432
service:
DISABLE_REGISTRATION: true
lfs:
STORAGE_TYPE: local
picture:
DISABLE_GRAVATAR: true
metrics:
ENABLED: false
api:
ENABLE_SWAGGER: false
oauth:
ENABLE: false
proxy:
PROXY_ENABLED: true
PROXY_URL: "http://proxy-squid.proxy.svc.cluster.local:3128"
PROXY_HOSTS: "github.com"
actions:
DEFAULT_ACTIONS_URL: self
additionalConfigFromEnvs:
- name: FORGEJO__database__PASSWD
valueFrom:
secretKeyRef:
name: forgejo-db-app
key: password
- name: FORGEJO__database__USER
valueFrom:
secretKeyRef:
name: forgejo-db-app
key: username
## @param gitea.ssh.logLevel Configure OpenSSH's log level. Only available for root-based Forgejo image.
ssh:
logLevel: 'INFO'
redis-cluster:
enabled: true
usePassword: false
cluster:
nodes: 3 # default: 6
replicas: 0 # default: 1
postgresql-ha:
enabled: false
postgresql:
enabled: false
## @param test.enabled Set it to false to disable test-connection Pod.
## @param test.image.name Image name for the wget container used in the test-connection Pod.
## @param test.image.tag Image tag for the wget container used in the test-connection Pod.
checkDeprecation: true
test:
enabled: false

View file

@ -81,7 +81,7 @@ networkPolicy:
- to: - to:
- namespaceSelector: - namespaceSelector:
matchLabels: matchLabels:
app.heqet.gnu.one/name: gitea app.heqet.gnu.one/name: forgejo
ports: ports:
- port: 2222 - port: 2222
protocol: TCP protocol: TCP
@ -108,7 +108,7 @@ networkPolicy:
to: to:
- namespaceSelector: - namespaceSelector:
matchLabels: matchLabels:
app.heqet.gnu.one/name: minio app.heqet.gnu.one/name: s3
allow-ingress-traffic: allow-ingress-traffic:
podSelector: {} podSelector: {}