prskr/infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

refactor: deploy Forgejo with kustomize and SOPS
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse source
This commit is contained in:
Peter 2023-10-30 10:32:01 +01:00
parent 2578e6951d
commit a31774336f
No known key found for this signature in database
13 changed files with 111 additions and 366 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
apps/forgejo/.gitignore vendored Normal file
View file

@ -0,0 +1 @@
charts/

9
k8s/roles/gitea/templates/values.forgejo.yml.j2 → apps/forgejo/config/values.forgejo.yaml
View file

@ -8,6 +8,7 @@ service:
ingress: ingress:
enabled: true enabled: true
apiVersion: networking.k8s.io/v1
annotations: annotations:
gethomepage.dev/description: where to code goes to gethomepage.dev/description: where to code goes to
gethomepage.dev/enabled: "true" gethomepage.dev/enabled: "true"
@ -34,6 +35,9 @@ persistence:
storageClass: hcloud-volumes storageClass: hcloud-volumes
gitea: gitea:
additionalConfigSources:
- secret:
secretName: forgejo-credentials
admin: admin:
existingSecret: forgejo-admin-credentials existingSecret: forgejo-admin-credentials
metrics: metrics:
@ -71,8 +75,6 @@ gitea:
storage: storage:
STORAGE_TYPE: minio STORAGE_TYPE: minio
MINIO_ENDPOINT: minio.minio.svc.cluster.local:9000 MINIO_ENDPOINT: minio.minio.svc.cluster.local:9000
MINIO_ACCESS_KEY_ID: "{{ minio.rootUser }}"
MINIO_SECRET_ACCESS_KEY: "{{ minio.rootPassword }}"
MINIO_BUCKET: gitea MINIO_BUCKET: gitea
MINIO_LOCATION: us-east-1 MINIO_LOCATION: us-east-1
MINIO_USE_SSL: 'false' MINIO_USE_SSL: 'false'
@ -82,8 +84,6 @@ gitea:
MAX_FILES: 15 MAX_FILES: 15
STORAGE_TYPE: minio STORAGE_TYPE: minio
MINIO_ENDPOINT: minio.minio.svc.cluster.local:9000 MINIO_ENDPOINT: minio.minio.svc.cluster.local:9000
MINIO_ACCESS_KEY_ID: "{{ minio.rootUser }}"
MINIO_SECRET_ACCESS_KEY: "{{ minio.rootPassword }}"
MINIO_BUCKET: gitea MINIO_BUCKET: gitea
MINIO_LOCATION: us-east-1 MINIO_LOCATION: us-east-1
MINIO_USE_SSL: 'false' MINIO_USE_SSL: 'false'
@ -92,7 +92,6 @@ gitea:
HOST: postgres-15-postgresql.postgres.svc.cluster.local:5432 HOST: postgres-15-postgresql.postgres.svc.cluster.local:5432
NAME: gitea NAME: gitea
USER: gitea USER: gitea
PASSWD: "{{ gitea.dbPassword }}"
log_sql: "false" log_sql: "false"
metrics: metrics:
ENABLED: true ENABLED: true

19
apps/forgejo/kustomization.yaml Normal file
View file

@ -0,0 +1,19 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: forgejo
commonLabels:
app.kubernetes.io/instance: icb4dc0de
app.kubernetes.io/managed-by: kustomize
helmCharts:
- name: forgejo
repo: oci://codeberg.org/forgejo-contrib
releaseName: forgejo
namespace: forgejo
version: "0.13.0"
valuesFile: config/values.forgejo.yaml
generators:
- ./secret-generator.yaml

37
apps/forgejo/resources/admin-credentials.enc.yaml Normal file
View file

@ -0,0 +1,37 @@
apiVersion: v1
kind: Secret
metadata:
name: forgejo-admin-credentials
type: Opaque
stringData:
password: ENC[AES256_GCM,data:c7XwM+a8OHXU7yovRfvX,iv:LX/dP8QxQoRus/MGijpXO0t0PjFeAtB6iTBa2OlIceg=,tag:RJuxiISXnMQdkt44avhL3w==,type:str]
username: ENC[AES256_GCM,data:tkl0o85yyf41vPc=,iv:1zdcy3qhMmpFLP8BsNHJ+YBRbtDBWt8xtxSvNAuBMiM=,tag:1Cui9dcneiyAZb8y7zFWCA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0N2dUTE8rVVF4SVV0Z2Q5
aGZRdkI0QVc3N1BJRnN4dVpWRkxKa3Q1MkNBCmI3V1JiSzhEdk4rYzNNUFp0YklV
Y2dCSERmRXNMZGdldUg2emdrdGs0L0kKLS0tIFo1R3F1RFpoQXJ1WXdYMGErSGIv
UjBUODZudEVLOHJrbFBRNVJlYXVrb2cKwC13RKJZkF3bFA9AlXARfr03T0cKaCOR
RvtRKKHoS1iW095l1l2T+aSoPiAi1BdYBLuaH7fl6RhFW8q6veR64Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBc3JJbVJPVUl4ZklaT2FU
RjBUb3NmTEVBTldEd2Q2Q0sxVjcxS1ViSkNzCnloUjB3ZVBmVmJDTmJpQ1JsbHdZ
cnpHU2VSTmFETHIyR0oxbUM3ei8wbGcKLS0tIFp6TUJHTzJpQzMydlo3YVoxQVBW
RldtRnI1YnBMTGt0SVN3OGt3empNRG8K72vZ0rxA2jUsqiqoWoYZyTWDwcJl+lhV
SVvbq6wtz5tMqsPY3zFyfehaLqRR21ADZhbJgWMNvUcqpJ1YJCznhA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-10-26T20:22:36Z"
mac: ENC[AES256_GCM,data:IBwGNRBOlZwXyL/m4NuwbQzh+Pdaitr7JBmJam1hrbGx//yFyrlcthLnCpxHRvxJ6+y05NZdzvSDiUILQeQGZ9kR7wjWxypBRV6tJw1k9kZ5tEiz/MMPLyXvTVr7jcv1lXV70qRzT/ZodMSwWyQz9t0rQchTdyUxA7wOxg6wqfE=,iv:U0hOm2Htxxi6ZZYLHPkgizaGHbPwi0ZMuUwyOmf15fs=,tag:RijQRWYqiEcprayxpVH91w==,type:str]
pgp: []
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
version: 3.8.1

38
apps/forgejo/resources/credentials.enc.yaml Normal file
View file

@ -0,0 +1,38 @@
apiVersion: v1
kind: Secret
metadata:
name: forgejo-credentials
type: Opaque
stringData:
database: ENC[AES256_GCM,data:XnZgkrfXpUElOMMqXKSYn4tFNPcKznUZ/U+ZKWnioqC3,iv:s6cwX7Pcic4GSdJUkAp79VZmTjWvaMQGRpRBLym7G+U=,tag:yzSUbsiG9hpTQhkXLK3ZsA==,type:str]
attachment: ENC[AES256_GCM,data:pdNzbwfjEFKk4XBNA+/mKKy/SWQD1cFnu8JuEsZfIoRUM3u6qmcw0Hc8H1epsE+YcLpjfIxM7SLGS+pSaYBHSCltyk4IoJ0kPOetAwg+JcHorzUawKbPTOfRzgZFuSG/x7fze3I3RabWA+hpqM/+8ioVe8ecMRqxiyf8iA==,iv:fs9AzB8mkd4p5yVvaoPh4Hf9RMYv2b6l0dj+sMajhqo=,tag:gIvxxD40wFQH7WhzMWkcZw==,type:str]
storage: ENC[AES256_GCM,data:ESAb9DiIldMUINDnK/xMt8DmFbuFnumHSoDVGS9HBABkKBfb5zKvqNXLq9NIm4KGNKojAoy+axgZwv1sAFZNMLTuDQNOczEJ9yPyr3IbuQHXWKpyDyN6nlY26FLH0ib6JuL6n15s67IaFPYuFa1ukfQn9IRTKnwmY8OK+w==,iv:tmQ4Xtl3rmI/mhBPlTbsVL5yTrDbHZlIc+I4Dx1SeP4=,tag:SWqOxnHg3yE1H8mrroAOtg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxM0lPdlVhQWp0ZlNtdnZn
QWREaDF0NGtkVmx4UHhhNXJEbW55SHdtcWlnCisxcFRzR3BzUXk1L05DYXgxRHpU
Q2QwbzlLVzdiS2Q4RlpBUnlLTmptbnMKLS0tIGx2OTFiUlRmZkNyRzFVbEhqVFQ0
c3NZQkYvbzFDM2hjcmVvbHJ6S3dLUkUK/ye/CGkeP+fyAR4SWzxvHYXfQUv1Trit
mW0DaG99PWGF3PuxjPRAVm/nZw7dRNtQkrqx88lSdObkMSq2pMwarw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlb2E3eGpqTFB1VExiNXNm
VXpRbjc1RmllaU1LSFdRZnpvWnZoWmR4RDJjCkJIRmdieXNzRGIzNnhuclg3LzRh
QU9tRnFzY0JHQWFvNWM3UEI2YmliRW8KLS0tIHNNemVzdmNrektDK0V0MHVSYjl3
bHk2WG41aDdPeWVJR0NjRWZOVnVMS2cKLZZt2VNc5XdqW9Cknr2Re7pW2+s5CSYj
hQyzCSAPp8hN9mietVqzX3eyFf9ngYJ96TjvBd+2dduxchxAEoi4tQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-10-30T09:24:54Z"
mac: ENC[AES256_GCM,data:pE1MqMtsOmDcpI2N2BK++JLwENVMiN6fhjiqfqsjg0iq90nmmdm55Ot8AW9TK1EHdjBpghMjoIJoF4hI72RPnc6DunZPE/q5LZrTnW37do+EmF+KzSFz4goDovkj9KvAcyjY8b3PobpwX7wtNvRjaUqy1pr6WJZjntkHTojUUSg=,iv:CAGiBKa/ydi4n51dbSxqC9pJ5Wlh87rk9tiJYCoFmTg=,tag:v4ZvCi77mhVjZ90QNtscsQ==,type:str]
pgp: []
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
version: 3.8.1

12
apps/forgejo/secret-generator.yaml Normal file
View file

@ -0,0 +1,12 @@
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
# Specify a name
name: hedgedoc-config-secret-generator
annotations:
config.kubernetes.io/function: |
exec:
path: ksops
files:
- ./resources/credentials.enc.yaml
- ./resources/admin-credentials.enc.yaml

1
k8s/configure_cluster.yaml
View file

@ -7,6 +7,5 @@
- role: postgres - role: postgres
- role: hcloud - role: hcloud
- role: minio - role: minio
- role: gitea
- role: fider - role: fider
- role: nextcloud - role: nextcloud

198
k8s/roles/drone/tasks/main.yml
View file

@ -1,198 +0,0 @@
---
- name: Create Drone namespace
kubernetes.core.k8s:
name: drone
api_version: v1
kind: Namespace
state: present
definition:
metadata:
labels:
prometheus: default
- name: Create additional namespaces
kubernetes.core.k8s:
name: "{{ item }}"
api_version: v1
kind: Namespace
state: present
definition:
metadata:
labels:
prometheus: default
loop:
- inetmock
- blog
- buildr
- name: Create Drone server secret
kubernetes.core.k8s:
state: present
definition:
apiVersion: v1
kind: Secret
metadata:
name: drone-secrets
namespace: drone
data:
DRONE_RPC_SECRET: "{{ drone.rpc.secret | b64encode }}"
DRONE_GITEA_CLIENT_ID: "{{ drone.auth.clientId | b64encode }}"
DRONE_GITEA_CLIENT_SECRET: "{{ drone.auth.clientSecret | b64encode }}"
DRONE_GITEA_SERVER: "{{ 'https://code.icb4dc0.de' | b64encode }}"
DRONE_DATABASE_DATASOURCE: "{{ 'postgres://%s:%s@postgres-15-postgresql.postgres.svc.cluster.local:5432/drone?sslmode=disable' | format(drone.db.user, drone.db.password) | b64encode }}"
DRONE_DATABASE_SECRET: "{{ drone.db.secret | b64encode }}"
DRONE_COOKIE_SECRET: "{{ drone.cookie.secret | b64encode }}"
AWS_ACCESS_KEY_ID: "{{ minio.rootUser | b64encode }}"
AWS_SECRET_ACCESS_KEY: "{{ minio.rootPassword | b64encode }}"
- name: Create Drone runner secret
kubernetes.core.k8s:
state: present
definition:
apiVersion: v1
kind: Secret
metadata:
name: drone-runner-secrets
namespace: drone
data:
DRONE_RPC_SECRET: "{{ drone.rpc.secret | b64encode }}"
- name: Create Drone service account
kubernetes.core.k8s:
state: present
definition:
apiVersion: v1
kind: ServiceAccount
metadata:
name: drone-deploy
namespace: drone
- name: Create Drone deploy secret
kubernetes.core.k8s:
state: present
definition:
apiVersion: v1
kind: Secret
metadata:
name: drone-deploy
namespace: drone
annotations:
kubernetes.io/service-account.name: drone-deploy
type: kubernetes.io/service-account-token
- name: Create Drone deployment cluster role
kubernetes.core.k8s:
state: present
definition:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: drone-deploy
rules:
- apiGroups: [""]
resources:
- secrets
- configmaps
- pods
- services
- persistentvolumeclaims
- serviceaccounts
verbs: ["*"]
- apiGroups: ["apps"]
resources:
- replicasets
- deployments
- statefulsets
verbs: ["*"]
- apiGroups: ["batch"]
resources:
- jobs
- cronjobs
verbs: ["*"]
- apiGroups: ["autoscaling"]
resources:
- horizontalpodautoscalers
verbs: ["*"]
- apiGroups: ["networking.k8s.io"]
resources:
- ingresses
verbs: ["*"]
- apiGroups: ["rbac.authorization.k8s.io"]
resources:
- roles
- rolebindings
verbs: ["*"]
- apiGroups: ["monitoring.coreos.com"]
resources:
- podmonitors
- servicemonitors
verbs: ["*"]
- name: Create Drone deploy role bindings
kubernetes.core.k8s:
state: present
definition:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: drone-deploy-{{ item }}
namespace: "{{ item }}"
subjects:
- kind: ServiceAccount
name: drone-deploy
namespace: drone
roleRef:
kind: ClusterRole
name: drone-deploy
apiGroup: rbac.authorization.k8s.io
loop:
- blog
- inetmock
- buildr
- name: Add Drone chart repo
kubernetes.core.helm_repository:
name: drone
repo_url: https://charts.drone.io
- name: Add enapter chart repo
kubernetes.core.helm_repository:
name: enapter
repo_url: https://enapter.github.io/charts/
- name: Deploy KeyDB
kubernetes.core.helm:
name: drone-session-cache
chart_ref: enapter/keydb
release_namespace: drone
chart_version: "0.48.0"
update_repo_cache: true
release_values: "{{ lookup('template', 'values.keydb.yml.j2') | from_yaml }}"
- name: Deploy Drone chart
kubernetes.core.helm:
name: drone
chart_ref: drone/drone
release_namespace: drone
chart_version: "0.6.3"
update_repo_cache: true
release_values: "{{ lookup('template', 'values.drone.yml.j2') | from_yaml }}"
- name: Deploy Drone runner chart
kubernetes.core.helm:
name: drone-kube-runner-x86-64
chart_ref: drone/drone-runner-docker
release_namespace: drone
chart_version: 0.6.0
update_repo_cache: true
release_values: "{{ lookup('template', 'values.drone-runner-docker.x86_64.yml.j2') | from_yaml }}"
- name: Deploy Drone runner chart
kubernetes.core.helm:
name: drone-kube-runner-arm64
chart_ref: drone/drone-runner-docker
release_namespace: drone
chart_version: 0.6.0
update_repo_cache: true
release_values: "{{ lookup('template', 'values.drone-runner-docker.arm64.yml.j2') | from_yaml }}"

29
k8s/roles/drone/templates/values.drone-runner-docker.arm64.yml.j2
View file

@ -1,29 +0,0 @@
image:
tag: 1.8.3
replicaCount: 4
extraSecretNamesForEnvFrom:
- drone-runner-secrets
env:
DRONE_RUNNER_PRIVILEGED_IMAGES: code.icb4dc0.de/inetmock/inetmock
DRONE_RPC_HOST: drone.drone.svc.cluster.local:8080
DRONE_RPC_PROTO: http
DRONE_RUNNER_CAPACITY: 1
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- drone-runner-docker
topologyKey: kubernetes.io/hostname
nodeSelector:
kubernetes.io/arch: arm64

27
k8s/roles/drone/templates/values.drone-runner-docker.x86_64.yml.j2
View file

@ -1,27 +0,0 @@
image:
tag: 1.8.3
extraSecretNamesForEnvFrom:
- drone-runner-secrets
env:
DRONE_RUNNER_PRIVILEGED_IMAGES: code.icb4dc0.de/inetmock/inetmock
DRONE_RPC_HOST: drone.drone.svc.cluster.local:8080
DRONE_RPC_PROTO: http
DRONE_RUNNER_CAPACITY: 1
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- drone-runner-docker
topologyKey: kubernetes.io/hostname
nodeSelector:
kubernetes.io/arch: amd64

42
k8s/roles/drone/templates/values.drone.yml.j2
View file

@ -1,42 +0,0 @@
image:
tag: 2.20.0
ingress:
enabled: true
annotations:
gethomepage.dev/description: CI/CD system
gethomepage.dev/enabled: "true"
gethomepage.dev/group: Apps
gethomepage.dev/icon: drone.png
gethomepage.dev/name: Drone CI/CD
hosts:
- host: drone.icb4dc0.de
paths:
- path: /
pathType: Prefix
service:
port: 8080
persistentVolume:
enabled: false
extraSecretNamesForEnvFrom:
- drone-secrets
env:
## REQUIRED: Set the user-visible Drone hostname, sans protocol.
## Ref: https://docs.drone.io/installation/reference/drone-server-host/
##
DRONE_SERVER_HOST: "drone.icb4dc0.de"
DRONE_SERVER_PROTO: https
DRONE_DATABASE_DRIVER: postgres
DRONE_GIT_ALWAYS_AUTH: true
DRONE_S3_ENDPOINT: http://minio.minio.svc.cluster.local:9000
DRONE_S3_BUCKET: drone
DRONE_S3_PATH_STYLE: true
AWS_DEFAULT_REGION: us-east-1
AWS_REGION: us-east-1
DRONE_REDIS_CONNECTION: redis://drone-session-cache-keydb:6379

31
k8s/roles/drone/templates/values.keydb.yml.j2
View file

@ -1,31 +0,0 @@
imageRepository: code.icb4dc0.de/prskr/infrastructure/keydb
imageTag: v6.3.2
podDisruptionBudget:
enabled: true
persistentVolume:
enabled: false
resources:
requests:
cpu: 10m
memory: 60Mi
limits:
cpu: 100m
memory: 128Mi
serviceMonitor:
enabled: true
labels:
prometheus: default
exporter:
enabled: true
imageTag: v1.51.0
resources:
requests:
cpu: 50m
memory: 50Mi
limits:
cpu: 150m
memory: 100Mi

33
k8s/roles/gitea/tasks/main.yml
View file

@ -1,33 +0,0 @@
---
- name: Create forgejo namespace
kubernetes.core.k8s:
name: forgejo
api_version: v1
kind: Namespace
state: present
definition:
metadata:
labels:
prometheus: default
- name: Create Forgejo admin credentials
kubernetes.core.k8s:
state: present
definition:
apiVersion: v1
kind: Secret
metadata:
name: forgejo-admin-credentials
namespace: forgejo
data:
username: "{{ gitea.adminUser | b64encode }}"
password: "{{ gitea.adminPassword | b64encode }}"
- name: Deploy Forgejo chart
kubernetes.core.helm:
name: forgejo
chart_ref: oci://codeberg.org/forgejo-contrib/forgejo
release_namespace: forgejo
release_state: present
chart_version: 0.13.0
release_values: "{{ lookup('template', 'values.forgejo.yml.j2') | from_yaml }}"