diff --git a/apps/forgejo/.gitignore b/apps/forgejo/.gitignore
new file mode 100644
index 0000000..711a39c
--- /dev/null
+++ b/apps/forgejo/.gitignore
@@ -0,0 +1 @@
+charts/
\ No newline at end of file
diff --git a/k8s/roles/gitea/templates/values.forgejo.yml.j2 b/apps/forgejo/config/values.forgejo.yaml
similarity index 90%
rename from k8s/roles/gitea/templates/values.forgejo.yml.j2
rename to apps/forgejo/config/values.forgejo.yaml
index 3fc11c1..1765443 100644
--- a/k8s/roles/gitea/templates/values.forgejo.yml.j2
+++ b/apps/forgejo/config/values.forgejo.yaml
@@ -8,6 +8,7 @@ service:
 ingress:
 enabled: true
+ apiVersion: networking.k8s.io/v1
 annotations:
 gethomepage.dev/description: where to code goes to
 gethomepage.dev/enabled: "true"
@@ -34,6 +35,9 @@ persistence:
 storageClass: hcloud-volumes
 gitea:
+ additionalConfigSources:
+ - secret:
+ secretName: forgejo-credentials
 admin:
 existingSecret: forgejo-admin-credentials
 metrics:
@@ -71,8 +75,6 @@ gitea:
 storage:
 STORAGE_TYPE: minio
 MINIO_ENDPOINT: minio.minio.svc.cluster.local:9000
- MINIO_ACCESS_KEY_ID: "{{ minio.rootUser }}"
- MINIO_SECRET_ACCESS_KEY: "{{ minio.rootPassword }}"
 MINIO_BUCKET: gitea
 MINIO_LOCATION: us-east-1
 MINIO_USE_SSL: 'false'
@@ -82,8 +84,6 @@ gitea:
 MAX_FILES: 15
 STORAGE_TYPE: minio
 MINIO_ENDPOINT: minio.minio.svc.cluster.local:9000
- MINIO_ACCESS_KEY_ID: "{{ minio.rootUser }}"
- MINIO_SECRET_ACCESS_KEY: "{{ minio.rootPassword }}"
 MINIO_BUCKET: gitea
 MINIO_LOCATION: us-east-1
 MINIO_USE_SSL: 'false'
@@ -92,7 +92,6 @@ gitea:
 HOST: postgres-15-postgresql.postgres.svc.cluster.local:5432
 NAME: gitea
 USER: gitea
- PASSWD: "{{ gitea.dbPassword }}"
 log_sql: "false"
 metrics:
 ENABLED: true
diff --git a/apps/forgejo/kustomization.yaml b/apps/forgejo/kustomization.yaml
new file mode 100644
index 0000000..60ec866
--- /dev/null
+++ b/apps/forgejo/kustomization.yaml
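Review bot: The new `additionalConfigSources` entry in the `gitea:` hunk gives no hint which parts of `gitea.config` the mounted `forgejo-credentials` secret is expected to complete, while the later hunks in this same file drop `MINIO_ACCESS_KEY_ID`, `MINIO_SECRET_ACCESS_KEY` and `PASSWD` from `storage`, `attachment` and `database` with nothing pointing at where they went. The secret added elsewhere in this commit carries keys named `database`, `attachment` and `storage`, which presumably are INI fragments the chart merges by section name; if that is the mechanism, a comment here stops the next maintainer from re-adding the values in plaintext: `# credentials for [database], [storage] and [attachment] come from the forgejo-credentials secret (resources/credentials.enc.yaml), one key per INI section`. The rest of the `gitea:` mapping continues outside the hunk.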
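Review bot: The two removed lines in the `storage:` hunk (and again in the `attachment:` hunk below it) show Forgejo was authenticating to MinIO with `minio.rootUser` / `minio.rootPassword`, i.e. the MinIO root account; if the encrypted `storage` and `attachment` entries in the new secret simply carry those same values, moving them into sops changes where the secret lives but not its blast radius. A dedicated MinIO user with a policy scoped to the `gitea` bucket would mean a compromised Forgejo pod cannot read or wipe every other bucket, such as the `drone` bucket the deleted role used. The retained `MINIO_USE_SSL: 'false'` context line also means those credentials cross the cluster network in cleartext to `minio.minio.svc.cluster.local:9000`; that is in-cluster only, but a one-line comment saying this relies on the cluster network being trusted (or a switch to TLS) would make the trade-off explicit.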
@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: forgejo
+
+commonLabels:
+ app.kubernetes.io/instance: icb4dc0de
+ app.kubernetes.io/managed-by: kustomize
+
+helmCharts:
+ - name: forgejo
+ repo: oci://codeberg.org/forgejo-contrib
+ releaseName: forgejo
+ namespace: forgejo
+ version: "0.13.0"
+ valuesFile: config/values.forgejo.yaml
+
+generators:
+ - ./secret-generator.yaml
\ No newline at end of file
diff --git a/apps/forgejo/resources/admin-credentials.enc.yaml b/apps/forgejo/resources/admin-credentials.enc.yaml
new file mode 100644
index 0000000..36d4190
--- /dev/null
+++ b/apps/forgejo/resources/admin-credentials.enc.yaml
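Review bot: `commonLabels` in the new kustomization is applied to selectors as well as to metadata, so kustomize will inject `app.kubernetes.io/instance: icb4dc0de` and `app.kubernetes.io/managed-by: kustomize` into `spec.selector.matchLabels` of every Deployment and StatefulSet the `forgejo` chart renders; selectors are immutable, so if this is applied over the release the deleted Ansible role installed the apply will fail, and on a fresh install it permanently couples the selector to these labels. The `labels` field with `includeSelectors: false` gives the same metadata labels without touching selectors. The `version: "0.13.0"` pin is good, but note that kustomize's `helmCharts` pulls the OCI chart without any digest check, so the pin alone does not guarantee the chart content you reviewed is the one deployed.

```yaml
labels:
  - pairs:
      app.kubernetes.io/instance: icb4dc0de
      app.kubernetes.io/managed-by: kustomize
    includeSelectors: false
# … unchanged: helmCharts and generators …
```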
@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: forgejo-admin-credentials
+type: Opaque
+stringData:
+ password: ENC[AES256_GCM,data:c7XwM+a8OHXU7yovRfvX,iv:LX/dP8QxQoRus/MGijpXO0t0PjFeAtB6iTBa2OlIceg=,tag:RJuxiISXnMQdkt44avhL3w==,type:str]
+ username: ENC[AES256_GCM,data:tkl0o85yyf41vPc=,iv:1zdcy3qhMmpFLP8BsNHJ+YBRbtDBWt8xtxSvNAuBMiM=,tag:1Cui9dcneiyAZb8y7zFWCA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0N2dUTE8rVVF4SVV0Z2Q5
+ aGZRdkI0QVc3N1BJRnN4dVpWRkxKa3Q1MkNBCmI3V1JiSzhEdk4rYzNNUFp0YklV
+ Y2dCSERmRXNMZGdldUg2emdrdGs0L0kKLS0tIFo1R3F1RFpoQXJ1WXdYMGErSGIv
+ UjBUODZudEVLOHJrbFBRNVJlYXVrb2cKwC13RKJZkF3bFA9AlXARfr03T0cKaCOR
+ RvtRKKHoS1iW095l1l2T+aSoPiAi1BdYBLuaH7fl6RhFW8q6veR64Q==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBc3JJbVJPVUl4ZklaT2FU
+ RjBUb3NmTEVBTldEd2Q2Q0sxVjcxS1ViSkNzCnloUjB3ZVBmVmJDTmJpQ1JsbHdZ
+ cnpHU2VSTmFETHIyR0oxbUM3ei8wbGcKLS0tIFp6TUJHTzJpQzMydlo3YVoxQVBW
+ RldtRnI1YnBMTGt0SVN3OGt3empNRG8K72vZ0rxA2jUsqiqoWoYZyTWDwcJl+lhV
+ SVvbq6wtz5tMqsPY3zFyfehaLqRR21ADZhbJgWMNvUcqpJ1YJCznhA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-10-26T20:22:36Z"
+ mac: ENC[AES256_GCM,data:IBwGNRBOlZwXyL/m4NuwbQzh+Pdaitr7JBmJam1hrbGx//yFyrlcthLnCpxHRvxJ6+y05NZdzvSDiUILQeQGZ9kR7wjWxypBRV6tJw1k9kZ5tEiz/MMPLyXvTVr7jcv1lXV70qRzT/ZodMSwWyQz9t0rQchTdyUxA7wOxg6wqfE=,iv:U0hOm2Htxxi6ZZYLHPkgizaGHbPwi0ZMuUwyOmf15fs=,tag:RijQRWYqiEcprayxpVH91w==,type:str]
+ pgp: []
+ unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+ version: 3.8.1
diff --git a/apps/forgejo/resources/credentials.enc.yaml b/apps/forgejo/resources/credentials.enc.yaml
new file mode 100644
index 0000000..ad63607
--- /dev/null
+++ b/apps/forgejo/resources/credentials.enc.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: forgejo-credentials
+type: Opaque
+stringData:
+ database: ENC[AES256_GCM,data:XnZgkrfXpUElOMMqXKSYn4tFNPcKznUZ/U+ZKWnioqC3,iv:s6cwX7Pcic4GSdJUkAp79VZmTjWvaMQGRpRBLym7G+U=,tag:yzSUbsiG9hpTQhkXLK3ZsA==,type:str]
+ attachment: ENC[AES256_GCM,data:pdNzbwfjEFKk4XBNA+/mKKy/SWQD1cFnu8JuEsZfIoRUM3u6qmcw0Hc8H1epsE+YcLpjfIxM7SLGS+pSaYBHSCltyk4IoJ0kPOetAwg+JcHorzUawKbPTOfRzgZFuSG/x7fze3I3RabWA+hpqM/+8ioVe8ecMRqxiyf8iA==,iv:fs9AzB8mkd4p5yVvaoPh4Hf9RMYv2b6l0dj+sMajhqo=,tag:gIvxxD40wFQH7WhzMWkcZw==,type:str]
+ storage: ENC[AES256_GCM,data:ESAb9DiIldMUINDnK/xMt8DmFbuFnumHSoDVGS9HBABkKBfb5zKvqNXLq9NIm4KGNKojAoy+axgZwv1sAFZNMLTuDQNOczEJ9yPyr3IbuQHXWKpyDyN6nlY26FLH0ib6JuL6n15s67IaFPYuFa1ukfQn9IRTKnwmY8OK+w==,iv:tmQ4Xtl3rmI/mhBPlTbsVL5yTrDbHZlIc+I4Dx1SeP4=,tag:SWqOxnHg3yE1H8mrroAOtg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxM0lPdlVhQWp0ZlNtdnZn
+ QWREaDF0NGtkVmx4UHhhNXJEbW55SHdtcWlnCisxcFRzR3BzUXk1L05DYXgxRHpU
+ Q2QwbzlLVzdiS2Q4RlpBUnlLTmptbnMKLS0tIGx2OTFiUlRmZkNyRzFVbEhqVFQ0
+ c3NZQkYvbzFDM2hjcmVvbHJ6S3dLUkUK/ye/CGkeP+fyAR4SWzxvHYXfQUv1Trit
+ mW0DaG99PWGF3PuxjPRAVm/nZw7dRNtQkrqx88lSdObkMSq2pMwarw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlb2E3eGpqTFB1VExiNXNm
+ VXpRbjc1RmllaU1LSFdRZnpvWnZoWmR4RDJjCkJIRmdieXNzRGIzNnhuclg3LzRh
+ QU9tRnFzY0JHQWFvNWM3UEI2YmliRW8KLS0tIHNNemVzdmNrektDK0V0MHVSYjl3
+ bHk2WG41aDdPeWVJR0NjRWZOVnVMS2cKLZZt2VNc5XdqW9Cknr2Re7pW2+s5CSYj
+ hQyzCSAPp8hN9mietVqzX3eyFf9ngYJ96TjvBd+2dduxchxAEoi4tQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-10-30T09:24:54Z"
+ mac: ENC[AES256_GCM,data:pE1MqMtsOmDcpI2N2BK++JLwENVMiN6fhjiqfqsjg0iq90nmmdm55Ot8AW9TK1EHdjBpghMjoIJoF4hI72RPnc6DunZPE/q5LZrTnW37do+EmF+KzSFz4goDovkj9KvAcyjY8b3PobpwX7wtNvRjaUqy1pr6WJZjntkHTojUUSg=,iv:CAGiBKa/ydi4n51dbSxqC9pJ5Wlh87rk9tiJYCoFmTg=,tag:v4ZvCi77mhVjZ90QNtscsQ==,type:str]
+ pgp: []
+ unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+ version: 3.8.1
diff --git a/apps/forgejo/secret-generator.yaml b/apps/forgejo/secret-generator.yaml
new file mode 100644
index 0000000..6c58297
--- /dev/null
+++ b/apps/forgejo/secret-generator.yaml
@@ -0,0 +1,12 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+ # Specify a name
+ name: hedgedoc-config-secret-generator
+ annotations:
+ config.kubernetes.io/function: |
+ exec:
+ path: ksops
+files:
+ - ./resources/credentials.enc.yaml
+ - ./resources/admin-credentials.enc.yaml
\ No newline at end of file
diff --git a/k8s/configure_cluster.yaml b/k8s/configure_cluster.yaml
index 690b5e0..a962cda 100644
--- a/k8s/configure_cluster.yaml
+++ b/k8s/configure_cluster.yaml
@@ -7,6 +7,5 @@
 - role: postgres
 - role: hcloud
 - role: minio
- - role: gitea
 - role: fider
 - role: nextcloud
diff --git a/k8s/roles/drone/tasks/main.yml b/k8s/roles/drone/tasks/main.yml
deleted file mode 100644
index 2bd2ffc..0000000
--- a/k8s/roles/drone/tasks/main.yml
+++ /dev/null
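Review bot: The ksops generator in `secret-generator.yaml` is named `hedgedoc-config-secret-generator` with a leftover `# Specify a name` placeholder comment above it, although it decrypts the Forgejo secrets; the generator name is what shows up in kustomize build errors, so a name copied from another app will mislead whoever debugs a failed decryption. Rename it to `name: forgejo-secret-generator` and drop the placeholder comment. Both files listed under `files:` are sops-encrypted with a `mac` entry, so a ciphertext edited in git should be rejected at decryption time rather than silently applied, which is the right setup for committing these.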
@@ -1,198 +0,0 @@ ---- -- name: Create Drone namespace - kubernetes.core.k8s: - name: drone - api_version: v1 - kind: Namespace - state: present - definition: - metadata: - labels: - prometheus: default - -- name: Create additional namespaces - kubernetes.core.k8s: - name: "{{ item }}" - api_version: v1 - kind: Namespace - state: present - definition: - metadata: - labels: - prometheus: default - loop: - - inetmock - - blog - - buildr - -- name: Create Drone server secret - kubernetes.core.k8s: - state: present - definition: - apiVersion: v1 - kind: Secret - metadata: - name: drone-secrets - namespace: drone - data: - DRONE_RPC_SECRET: "{{ drone.rpc.secret | b64encode }}" - DRONE_GITEA_CLIENT_ID: "{{ drone.auth.clientId | b64encode }}" - DRONE_GITEA_CLIENT_SECRET: "{{ drone.auth.clientSecret | b64encode }}" - DRONE_GITEA_SERVER: "{{ 'https://code.icb4dc0.de' | b64encode }}" - DRONE_DATABASE_DATASOURCE: "{{ 'postgres://%s:%s@postgres-15-postgresql.postgres.svc.cluster.local:5432/drone?sslmode=disable' | format(drone.db.user, drone.db.password) | b64encode }}" - DRONE_DATABASE_SECRET: "{{ drone.db.secret | b64encode }}" - DRONE_COOKIE_SECRET: "{{ drone.cookie.secret | b64encode }}" - AWS_ACCESS_KEY_ID: "{{ minio.rootUser | b64encode }}" - AWS_SECRET_ACCESS_KEY: "{{ minio.rootPassword | b64encode }}" - -- name: Create Drone runner secret - kubernetes.core.k8s: - state: present - definition: - apiVersion: v1 - kind: Secret - metadata: - name: drone-runner-secrets - namespace: drone - data: - DRONE_RPC_SECRET: "{{ drone.rpc.secret | b64encode }}" - -- name: Create Drone service account - kubernetes.core.k8s: - state: present - definition: - apiVersion: v1 - kind: ServiceAccount - metadata: - name: drone-deploy - namespace: drone - -- name: Create Drone deploy secret - kubernetes.core.k8s: - state: present - definition: - apiVersion: v1 - kind: Secret - metadata: - name: drone-deploy - namespace: drone - annotations: - kubernetes.io/service-account.name: drone-deploy - 
type: kubernetes.io/service-account-token - -- name: Create Drone deployment cluster role - kubernetes.core.k8s: - state: present - definition: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - name: drone-deploy - rules: - - apiGroups: [""] - resources: - - secrets - - configmaps - - pods - - services - - persistentvolumeclaims - - serviceaccounts - verbs: ["*"] - - apiGroups: ["apps"] - resources: - - replicasets - - deployments - - statefulsets - verbs: ["*"] - - apiGroups: ["batch"] - resources: - - jobs - - cronjobs - verbs: ["*"] - - apiGroups: ["autoscaling"] - resources: - - horizontalpodautoscalers - verbs: ["*"] - - apiGroups: ["networking.k8s.io"] - resources: - - ingresses - verbs: ["*"] - - apiGroups: ["rbac.authorization.k8s.io"] - resources: - - roles - - rolebindings - verbs: ["*"] - - apiGroups: ["monitoring.coreos.com"] - resources: - - podmonitors - - servicemonitors - verbs: ["*"] - - -- name: Create Drone deploy role bindings - kubernetes.core.k8s: - state: present - definition: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - name: drone-deploy-{{ item }} - namespace: "{{ item }}" - subjects: - - kind: ServiceAccount - name: drone-deploy - namespace: drone - roleRef: - kind: ClusterRole - name: drone-deploy - apiGroup: rbac.authorization.k8s.io - loop: - - blog - - inetmock - - buildr - -- name: Add Drone chart repo - kubernetes.core.helm_repository: - name: drone - repo_url: https://charts.drone.io - -- name: Add enapter chart repo - kubernetes.core.helm_repository: - name: enapter - repo_url: https://enapter.github.io/charts/ - -- name: Deploy KeyDB - kubernetes.core.helm: - name: drone-session-cache - chart_ref: enapter/keydb - release_namespace: drone - chart_version: "0.48.0" - update_repo_cache: true - release_values: "{{ lookup('template', 'values.keydb.yml.j2') | from_yaml }}" - -- name: Deploy Drone chart - kubernetes.core.helm: - name: drone - chart_ref: drone/drone - 
release_namespace: drone - chart_version: "0.6.3" - update_repo_cache: true - release_values: "{{ lookup('template', 'values.drone.yml.j2') | from_yaml }}" - -- name: Deploy Drone runner chart - kubernetes.core.helm: - name: drone-kube-runner-x86-64 - chart_ref: drone/drone-runner-docker - release_namespace: drone - chart_version: 0.6.0 - update_repo_cache: true - release_values: "{{ lookup('template', 'values.drone-runner-docker.x86_64.yml.j2') | from_yaml }}" - -- name: Deploy Drone runner chart - kubernetes.core.helm: - name: drone-kube-runner-arm64 - chart_ref: drone/drone-runner-docker - release_namespace: drone - chart_version: 0.6.0 - update_repo_cache: true - release_values: "{{ lookup('template', 'values.drone-runner-docker.arm64.yml.j2') | from_yaml }}" \ No newline at end of file diff --git a/k8s/roles/drone/templates/values.drone-runner-docker.arm64.yml.j2 b/k8s/roles/drone/templates/values.drone-runner-docker.arm64.yml.j2 deleted file mode 100644 index fe7db1a..0000000 --- a/k8s/roles/drone/templates/values.drone-runner-docker.arm64.yml.j2 +++ /dev/null @@ -1,29 +0,0 @@ -image: - tag: 1.8.3 - -replicaCount: 4 - -extraSecretNamesForEnvFrom: - - drone-runner-secrets - -env: - DRONE_RUNNER_PRIVILEGED_IMAGES: code.icb4dc0.de/inetmock/inetmock - DRONE_RPC_HOST: drone.drone.svc.cluster.local:8080 - DRONE_RPC_PROTO: http - DRONE_RUNNER_CAPACITY: 1 - -affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: - - drone-runner-docker - topologyKey: kubernetes.io/hostname - -nodeSelector: - kubernetes.io/arch: arm64 \ No newline at end of file diff --git a/k8s/roles/drone/templates/values.drone-runner-docker.x86_64.yml.j2 b/k8s/roles/drone/templates/values.drone-runner-docker.x86_64.yml.j2 deleted file mode 100644 index e110a53..0000000 
--- a/k8s/roles/drone/templates/values.drone-runner-docker.x86_64.yml.j2 +++ /dev/null @@ -1,27 +0,0 @@ -image: - tag: 1.8.3 - -extraSecretNamesForEnvFrom: - - drone-runner-secrets - -env: - DRONE_RUNNER_PRIVILEGED_IMAGES: code.icb4dc0.de/inetmock/inetmock - DRONE_RPC_HOST: drone.drone.svc.cluster.local:8080 - DRONE_RPC_PROTO: http - DRONE_RUNNER_CAPACITY: 1 - -affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: - - drone-runner-docker - topologyKey: kubernetes.io/hostname - -nodeSelector: - kubernetes.io/arch: amd64 \ No newline at end of file diff --git a/k8s/roles/drone/templates/values.drone.yml.j2 b/k8s/roles/drone/templates/values.drone.yml.j2 deleted file mode 100644 index 8e4b8bb..0000000 --- a/k8s/roles/drone/templates/values.drone.yml.j2 +++ /dev/null @@ -1,42 +0,0 @@ -image: - tag: 2.20.0 - -ingress: - enabled: true - annotations: - gethomepage.dev/description: CI/CD system - gethomepage.dev/enabled: "true" - gethomepage.dev/group: Apps - gethomepage.dev/icon: drone.png - gethomepage.dev/name: Drone CI/CD - hosts: - - host: drone.icb4dc0.de - paths: - - path: / - pathType: Prefix - -service: - port: 8080 - -persistentVolume: - enabled: false - -extraSecretNamesForEnvFrom: - - drone-secrets - -env: - ## REQUIRED: Set the user-visible Drone hostname, sans protocol. - ## Ref: https://docs.drone.io/installation/reference/drone-server-host/ - ## - DRONE_SERVER_HOST: "drone.icb4dc0.de" - DRONE_SERVER_PROTO: https - - DRONE_DATABASE_DRIVER: postgres - DRONE_GIT_ALWAYS_AUTH: true - - DRONE_S3_ENDPOINT: http://minio.minio.svc.cluster.local:9000 - DRONE_S3_BUCKET: drone - DRONE_S3_PATH_STYLE: true - AWS_DEFAULT_REGION: us-east-1 - AWS_REGION: us-east-1 - DRONE_REDIS_CONNECTION: redis://drone-session-cache-keydb:6379 \ No newline at end of file 
diff --git a/k8s/roles/drone/templates/values.keydb.yml.j2 b/k8s/roles/drone/templates/values.keydb.yml.j2 deleted file mode 100644 index 3059dd4..0000000 --- a/k8s/roles/drone/templates/values.keydb.yml.j2 +++ /dev/null @@ -1,31 +0,0 @@ -imageRepository: code.icb4dc0.de/prskr/infrastructure/keydb -imageTag: v6.3.2 - -podDisruptionBudget: - enabled: true -persistentVolume: - enabled: false - -resources: - requests: - cpu: 10m - memory: 60Mi - limits: - cpu: 100m - memory: 128Mi - -serviceMonitor: - enabled: true - labels: - prometheus: default - -exporter: - enabled: true - imageTag: v1.51.0 - resources: - requests: - cpu: 50m - memory: 50Mi - limits: - cpu: 150m - memory: 100Mi \ No newline at end of file diff --git a/k8s/roles/gitea/tasks/main.yml b/k8s/roles/gitea/tasks/main.yml deleted file mode 100644 index fa91309..0000000 --- a/k8s/roles/gitea/tasks/main.yml +++ /dev/null @@ -1,33 +0,0 @@ ---- -- name: Create forgejo namespace - kubernetes.core.k8s: - name: forgejo - api_version: v1 - kind: Namespace - state: present - definition: - metadata: - labels: - prometheus: default - -- name: Create Forgejo admin credentials - kubernetes.core.k8s: - state: present - definition: - apiVersion: v1 - kind: Secret - metadata: - name: forgejo-admin-credentials - namespace: forgejo - data: - username: "{{ gitea.adminUser | b64encode }}" - password: "{{ gitea.adminPassword | b64encode }}" - -- name: Deploy Forgejo chart - kubernetes.core.helm: - name: forgejo - chart_ref: oci://codeberg.org/forgejo-contrib/forgejo - release_namespace: forgejo - release_state: present - chart_version: 0.13.0 - release_values: "{{ lookup('template', 'values.forgejo.yml.j2') | from_yaml }}"