reboot git on forgejo
This commit is contained in:
parent
7c989308df
commit
737592e324
7 changed files with 301 additions and 7 deletions
|
@ -15,7 +15,7 @@ spec:
|
|||
apiVersion: metallb.io/v1beta1
|
||||
kind: IPAddressPool
|
||||
metadata:
|
||||
name: minetest
|
||||
name: git
|
||||
namespace: metallb
|
||||
spec:
|
||||
addresses:
|
||||
|
@ -60,6 +60,15 @@ spec:
|
|||
- 192.168.1.11/32
|
||||
---
|
||||
apiVersion: metallb.io/v1beta1
|
||||
kind: IPAddressPool
|
||||
metadata:
|
||||
name: virt
|
||||
namespace: metallb
|
||||
spec:
|
||||
addresses:
|
||||
- 192.168.1.64/26 #192.168.1.65 - 192.168.1.78
|
||||
---
|
||||
apiVersion: metallb.io/v1beta1
|
||||
kind: L2Advertisement
|
||||
metadata:
|
||||
name: l2advertisement
|
||||
|
@ -71,3 +80,5 @@ spec:
|
|||
- external
|
||||
- internal
|
||||
- iot
|
||||
- virt
|
||||
- git
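Review bot: The `virt` pool's inline comment does not match its CIDR: `192.168.1.64/26` spans 192.168.1.64–192.168.1.127, while the comment claims .65–.78, which is the usable range of a /28. MetalLB will assign any address in the /26 it likes, so if other LAN hosts or the `external`/`internal` pools sit in .80–.127 you get duplicate-IP/ARP conflicts rather than a clean allocation. Either narrow it to `- 192.168.1.64/28` or write the intended range explicitly as `- 192.168.1.65-192.168.1.78`, and make the comment agree. The other pools' ranges are outside this hunk, so I cannot confirm an actual overlap from here.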
|
||||
|
|
16
projects/forgejo/manifests/netpol.yaml
Normal file
16
projects/forgejo/manifests/netpol.yaml
Normal file
|
@ -0,0 +1,16 @@
|
|||
apiVersion: "cilium.io/v2"
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-cnpg-kubeapi
|
||||
namespace: forgejo
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
cnpg.io/cluster: forgejo-db
|
||||
egress:
|
||||
- toEntities:
|
||||
- kube-apiserver
|
||||
- toPorts:
|
||||
- ports:
|
||||
- port: "6443"
|
||||
protocol: TCP
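Review bot: The `egress` block is two separate rules rather than one: the first item, `toEntities: [kube-apiserver]`, already permits every port to the API server, and the second item, `- toPorts:`, carries no destination selector, so it allows TCP/6443 to any endpoint the pod can route to. Rendering may have dropped the indentation, but as printed the `-` in front of `toPorts` starts a new list entry, which is what Cilium will evaluate. If the intent is "API server, port 6443 only", fold the port into the same rule as shown below. Whether the `forgejo` namespace has a default-deny policy that makes this allow-list meaningful is not visible in this file.
```yaml
egress:
  - toEntities:
      - kube-apiserver
    toPorts:
      - ports:
          - port: "6443"
            protocol: TCP
```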
|
71
projects/forgejo/manifests/postgre.yaml
Normal file
71
projects/forgejo/manifests/postgre.yaml
Normal file
|
@ -0,0 +1,71 @@
|
|||
apiVersion: postgresql.cnpg.io/v1
|
||||
kind: Cluster
|
||||
metadata:
|
||||
name: forgejo-db
|
||||
namespace: forgejo
|
||||
annotations:
|
||||
cnpg.io/skipEmptyWalArchiveCheck: enabled
|
||||
spec:
|
||||
instances: 1
|
||||
imageName: ghcr.io/cloudnative-pg/postgresql:15
|
||||
|
||||
bootstrap:
|
||||
initdb:
|
||||
database: app
|
||||
owner: app
|
||||
|
||||
backup:
|
||||
barmanObjectStore:
|
||||
destinationPath: "s3://forgejo/"
|
||||
endpointURL: "http://s3-minio.s3.svc.cluster.local:9000"
|
||||
s3Credentials:
|
||||
accessKeyId:
|
||||
name: bucket
|
||||
key: accesskey
|
||||
secretAccessKey:
|
||||
name: bucket
|
||||
key: secretkey
|
||||
wal:
|
||||
compression: gzip
|
||||
#encryption: AES256
|
||||
data:
|
||||
compression: gzip
|
||||
#encryption: AES256
|
||||
retentionPolicy: "90d"
|
||||
#
|
||||
resources:
|
||||
requests:
|
||||
memory: "64Mi"
|
||||
cpu: "50m"
|
||||
# limits:
|
||||
# memory: "1Gi"
|
||||
# cpu: "1"
|
||||
|
||||
storage:
|
||||
size: 10Gi
|
||||
|
||||
externalClusters:
|
||||
- name: forgejo-db
|
||||
barmanObjectStore:
|
||||
destinationPath: "s3://forgejo/"
|
||||
endpointURL: "http://s3-minio.s3.svc.cluster.local:9000"
|
||||
s3Credentials:
|
||||
accessKeyId:
|
||||
name: bucket
|
||||
key: accesskey
|
||||
secretAccessKey:
|
||||
name: bucket
|
||||
key: secretkey
|
||||
wal:
|
||||
maxParallel: 8
|
||||
---
|
||||
apiVersion: postgresql.cnpg.io/v1
|
||||
kind: ScheduledBackup
|
||||
metadata:
|
||||
name: forgejo-db-backup
|
||||
namespace: forgejo
|
||||
spec:
|
||||
schedule: "0 0 * * * *"
|
||||
backupOwnerReference: self
|
||||
cluster:
|
||||
name: forgejo-db
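Review bot: The `cnpg.io/skipEmptyWalArchiveCheck: enabled` annotation on the Cluster disables CloudNativePG's guard that refuses to bootstrap a fresh instance (`bootstrap.initdb` here) into an object-store path that already contains WAL, and this cluster archives to the same `s3://forgejo/` path the `externalClusters` entry reads from. If the Cluster object is ever deleted and re-applied, the new instance will archive into the previous cluster's WAL history and can leave the existing base backups unrecoverable. Either drop the annotation, or keep it with a comment explaining the one-off reason and give the new cluster its own `serverName`/`destinationPath` so histories never mix. Separately, both `encryption: AES256` lines are commented out, so base backups and WAL land on the MinIO bucket unencrypted over a plain `http://` endpoint — fine only if that bucket and the in-cluster path to it are considered trusted.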
|
|
@ -1,5 +1,5 @@
|
|||
config:
|
||||
description: Gitea public Git Server
|
||||
description: Forgejo Public Git Server
|
||||
networkPolicy:
|
||||
groups:
|
||||
- internet
|
||||
|
@ -12,10 +12,10 @@ config:
|
|||
environment: external
|
||||
|
||||
apps:
|
||||
- name: gitea
|
||||
- name: forgejo
|
||||
repoURL: codeberg.org/forgejo-contrib
|
||||
chart: forgejo
|
||||
targetRevision: 0.12.0
|
||||
targetRevision: 3.0.0
|
||||
secrets:
|
||||
- name: admin
|
||||
keys:
|
||||
|
@ -28,4 +28,4 @@ apps:
|
|||
- accesskey
|
||||
- name: redis-auth
|
||||
keys:
|
||||
- password
|
||||
- password
|
196
projects/forgejo/values/forgejo.yml
Normal file
196
projects/forgejo/values/forgejo.yml
Normal file
|
@ -0,0 +1,196 @@
|
|||
global:
|
||||
hostAliases: []
|
||||
# - ip: 192.168.137.2
|
||||
# hostnames:
|
||||
# - example.com
|
||||
|
||||
strategy:
|
||||
type: 'RollingUpdate'
|
||||
rollingUpdate:
|
||||
maxSurge: '100%'
|
||||
maxUnavailable: 0
|
||||
|
||||
image:
|
||||
registry: codeberg.org
|
||||
repository: forgejo/forgejo
|
||||
tag: "1.21"
|
||||
rootless: true
|
||||
|
||||
podSecurityContext:
|
||||
fsGroup: 1000
|
||||
|
||||
## @param containerSecurityContext Security context
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
# Add the SYS_CHROOT capability for root and rootless images if you intend to
|
||||
# run pods on nodes that use the container runtime cri-o. Otherwise, you will
|
||||
# get an error message from the SSH server that it is not possible to read from
|
||||
# the repository.
|
||||
# https://gitea.com/gitea/helm-chart/issues/161
|
||||
add:
|
||||
- SYS_CHROOT
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
|
||||
service:
|
||||
ssh:
|
||||
type: LoadBalancer
|
||||
port: 2222
|
||||
annotations:
|
||||
metallb.universe.tf/address-pool: git
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
className: ingress-external
|
||||
labels:
|
||||
environment: external
|
||||
annotations:
|
||||
kubernetes.io/tls-acme: "true"
|
||||
cert-manager.io/cluster-issuer: letsencrypt
|
||||
external-dns.alpha.kubernetes.io/hostname: git.nold.in
|
||||
external-dns.alpha.kubernetes.io/target: nold.in
|
||||
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
|
||||
hosts:
|
||||
- host: git.nold.in
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- secretName: gitea-tls
|
||||
hosts:
|
||||
- git.nold.in
|
||||
|
||||
|
||||
## @section deployment
|
||||
#
|
||||
## @param resources Kubernetes resources
|
||||
resources:
|
||||
{}
|
||||
# limits:
|
||||
# cpu: 100m
|
||||
# memory: 128Mi
|
||||
# requests:
|
||||
# cpu: 100m
|
||||
# memory: 128Mi
|
||||
|
||||
## @param signing.enabled Enable commit/action signing
|
||||
## @param signing.gpgHome GPG home directory
|
||||
## @param signing.privateKey Inline private gpg key for signed Forgejo actions
|
||||
## @param signing.existingSecret Use an existing secret to store the value of `signing.privateKey`
|
||||
signing:
|
||||
enabled: false
|
||||
gpgHome: /data/git/.gnupg
|
||||
privateKey: ''
|
||||
# privateKey: |-
|
||||
# -----BEGIN PGP PRIVATE KEY BLOCK-----
|
||||
# ...
|
||||
# -----END PGP PRIVATE KEY BLOCK-----
|
||||
existingSecret: ''
|
||||
|
||||
## @section Gitea
|
||||
#
|
||||
gitea:
|
||||
admin:
|
||||
existingSecret: admin
|
||||
|
||||
metrics:
|
||||
enabled: false
|
||||
serviceMonitor:
|
||||
enabled: false
|
||||
# additionalLabels:
|
||||
# prometheus-release: prom1
|
||||
|
||||
# Either specify inline `key` and `secret` or refer to them via `existingSecret`
|
||||
## @param gitea.oauth OAuth configuration
|
||||
oauth:
|
||||
[]
|
||||
# - name: 'OAuth 1'
|
||||
# provider:
|
||||
# key:
|
||||
# secret:
|
||||
# existingSecret:
|
||||
# autoDiscoverUrl:
|
||||
# useCustomUrls:
|
||||
# customAuthUrl:
|
||||
# customTokenUrl:
|
||||
# customProfileUrl:
|
||||
# customEmailUrl:
|
||||
|
||||
## @param gitea.config.server.SSH_PORT SSH port for rootlful Forgejo image
|
||||
## @param gitea.config.server.SSH_LISTEN_PORT SSH port for rootless Forgejo image
|
||||
|
||||
config:
|
||||
APP_NAME: "Let's forge some forks"
|
||||
webhook:
|
||||
ALLOWED_HOST_LIST: argocd-server.argocd.svc.cluster.local
|
||||
ui:
|
||||
DEFAULT_THEME: arc-green
|
||||
repository:
|
||||
DEFAULT_BRANCH: main
|
||||
server:
|
||||
LFS_START_SERVER: true
|
||||
PROTOCOL: http
|
||||
DOMAIN: git.nold.in
|
||||
ROOT_URL: https://git.nold.in
|
||||
database:
|
||||
DB_TYPE: postgres
|
||||
NAME: app
|
||||
HOST: forgejo-db-rw.forgejo.svc.cluster.local:5432
|
||||
service:
|
||||
DISABLE_REGISTRATION: true
|
||||
lfs:
|
||||
STORAGE_TYPE: local
|
||||
picture:
|
||||
DISABLE_GRAVATAR: true
|
||||
metrics:
|
||||
ENABLED: false
|
||||
api:
|
||||
ENABLE_SWAGGER: false
|
||||
oauth:
|
||||
ENABLE: false
|
||||
proxy:
|
||||
PROXY_ENABLED: true
|
||||
PROXY_URL: "http://proxy-squid.proxy.svc.cluster.local:3128"
|
||||
PROXY_HOSTS: "github.com"
|
||||
actions:
|
||||
DEFAULT_ACTIONS_URL: self
|
||||
|
||||
additionalConfigFromEnvs:
|
||||
- name: FORGEJO__database__PASSWD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: forgejo-db-app
|
||||
key: password
|
||||
- name: FORGEJO__database__USER
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: forgejo-db-app
|
||||
key: username
|
||||
|
||||
## @param gitea.ssh.logLevel Configure OpenSSH's log level. Only available for root-based Forgejo image.
|
||||
ssh:
|
||||
logLevel: 'INFO'
|
||||
|
||||
redis-cluster:
|
||||
enabled: true
|
||||
usePassword: false
|
||||
cluster:
|
||||
nodes: 3 # default: 6
|
||||
replicas: 0 # default: 1
|
||||
|
||||
postgresql-ha:
|
||||
enabled: false
|
||||
postgresql:
|
||||
enabled: false
|
||||
## @param test.enabled Set it to false to disable test-connection Pod.
|
||||
## @param test.image.name Image name for the wget container used in the test-connection Pod.
|
||||
## @param test.image.tag Image tag for the wget container used in the test-connection Pod.
|
||||
checkDeprecation: true
|
||||
test:
|
||||
enabled: false
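Review bot: `redis-cluster.usePassword: false` near the end of the values deploys the Redis cluster the chart wires Forgejo's cache/session/queue backends to with no authentication at all, even though this same commit adds a `redis-auth` secret with a `password` key in the project file. Any workload that can reach the redis-cluster service can then read or overwrite whatever Forgejo keeps there, including session state if the chart routes it to Redis. Set `usePassword: true` and point the subchart at that secret, e.g. `existingSecret: redis-auth` with `existingSecretPasswordKey: password` (confirm the exact key names against the Bitnami redis-cluster subchart shipped with forgejo chart 3.0.0). Also worth noting: `image.tag: "1.21"` is a floating minor tag, so pinning a full version or a digest would make the deployed image reproducible.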
|
|
@ -81,7 +81,7 @@ networkPolicy:
|
|||
- to:
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
app.heqet.gnu.one/name: gitea
|
||||
app.heqet.gnu.one/name: forgejo
|
||||
ports:
|
||||
- port: 2222
|
||||
protocol: TCP
|
||||
|
@ -108,7 +108,7 @@ networkPolicy:
|
|||
to:
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
app.heqet.gnu.one/name: minio
|
||||
app.heqet.gnu.one/name: s3
|
||||
|
||||
allow-ingress-traffic:
|
||||
podSelector: {}
|
||||
|
|