Initial commit
This commit is contained in:
commit
5295ef0e3a
|
@ -0,0 +1,30 @@
|
|||
# coopgo/gitea-k8s
|
||||
|
||||
[Gitea](https://gitea.io) configuration files for Kubernetes using Kustomize.
|
||||
|
||||
Made by [COOPGO](https://coopgo.fr)
|
||||
|
||||
## Assumptions
|
||||
|
||||
- This is a Kustomize base. Do not apply it on your cluster as is but use overlays instead. See [Off The Shelf Application in Kustomize documentation](https://kubectl.docs.kubernetes.io/guides/config_management/offtheshelf/).
|
||||
- We didn't want to rely on hacking an ingress controller to redirect port 22 (SSH), or have different domains for HTTPS and SSH. That's why this we directly depend on a loadbalancer service (your K8S cluster will need to support that) handling HTTP/HTTPS/SSH. HTTP and HTTPS requests are sent to a caddy reverse proxy in the same pod as Gitea
|
||||
- We only deploy 1 replica, that's why we use a Deployment instead of StatefulSet. This might maybe be improved. Feel free to contribute.
|
||||
- We wanted to store as much as possible (everything configurable like this in Gitea : repo archives, lfs, avatars, etc...) in object storage using the minio storage setting (in our case we use our cloud provider's one). Choices were made regarding this requirements even if you can have a different configuration in your overlay.
|
||||
- We use [Bitnami Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets) for GitOps purpose and choices were made to make this simple with this base.
|
||||
|
||||
## How to use it ?
|
||||
|
||||
You have an example configuration in the example-overlay folder.
|
||||
|
||||
You have to change the configuration values in `gitea-config.yaml` according to your needs. You might want to refer to Gitea documentation for that part.
|
||||
|
||||
In our case, we use Bitnami Sealed Secrets. The `gitea-config.yaml` should nor be pushed to a Git repository with credentials (secret keys, ...). Instead, we use Bitnami Sealed Secrets and store an encrypted `sealed-gitea-config.yaml` file. Take a look at https://github.com/bitnami-labs/sealed-secrets to know how to install it on your cluster, then run :
|
||||
|
||||
cat gitea-config.yaml | kubeseal --controller-namespace kube-system --controller-name sealed-secrets-controller --format yaml > sealed-gitea-config.yaml
|
||||
|
||||
And remove gitea-config.yaml or stire it in another location not shared publicly or with others.
|
||||
|
||||
To apply your changes (from within the overlay folder) :
|
||||
|
||||
kubectl apply -k .
|
||||
|
|
@ -0,0 +1,64 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: gitea
|
||||
labels:
|
||||
app: gitea
|
||||
spec:
|
||||
replicas: 1
|
||||
strategy:
|
||||
type: Recreate
|
||||
selector:
|
||||
matchLabels:
|
||||
app: gitea
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: gitea
|
||||
spec:
|
||||
containers:
|
||||
- name: gitea
|
||||
image: gitea/gitea:1.15.6
|
||||
imagePullPolicy: IfNotPresent
|
||||
ports:
|
||||
- containerPort: 3000
|
||||
name: https
|
||||
- containerPort: 2222
|
||||
name: ssh
|
||||
volumeMounts:
|
||||
- name: gitea-data
|
||||
mountPath: /data
|
||||
- name: gitea-config
|
||||
mountPath: /data/gitea/conf
|
||||
- name: caddy
|
||||
image: caddy:2.4.6
|
||||
command: ["caddy", "reverse-proxy", "-to", "localhost:3000"]
|
||||
imagePullPolicy: IfNotPresent
|
||||
ports:
|
||||
- containerPort: 80
|
||||
name: http
|
||||
- containerPort: 443
|
||||
name: https
|
||||
volumeMounts:
|
||||
- name: gitea-data
|
||||
mountPath: /data
|
||||
volumes:
|
||||
- name: gitea-data
|
||||
persistentVolumeClaim:
|
||||
claimName: gitea-data
|
||||
- name: gitea-config
|
||||
secret:
|
||||
secretName: gitea-config
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: gitea-data
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
requests:
|
||||
storage: 10Gi
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
|
||||
- op: add
|
||||
path: /spec/template/spec/containers/1/command/-
|
||||
value: "-from"
|
||||
- op: add
|
||||
path: /spec/template/spec/containers/1/command/-
|
||||
value: "your.domain.com"
|
|
@ -0,0 +1,110 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: gitea-config
|
||||
labels:
|
||||
app: gitea
|
||||
type: Opaque
|
||||
stringData:
|
||||
app.ini: |-
|
||||
APP_NAME = Gitea: Git with a cup of tea
|
||||
RUN_USER = git
|
||||
RUN_MODE = ; prod
|
||||
|
||||
[server]
|
||||
PROTOCOL = http
|
||||
DOMAIN = git.example.com
|
||||
ROOT_URL = https://git.example.com
|
||||
HTTP_ADDR = 0.0.0.0
|
||||
HTTP_PORT = 3000
|
||||
;; Local (DMZ) URL for Gitea workers (such as SSH update) accessing web service.
|
||||
;; In most cases you do not need to change the default value.
|
||||
;; Alter it only if your SSH server node is not the same as HTTP node.
|
||||
;; Do not set this variable if PROTOCOL is set to 'unix'.
|
||||
;LOCAL_ROOT_URL = %(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/
|
||||
;DISABLE_SSH = false
|
||||
START_SSH_SERVER = true
|
||||
SSH_PORT = 2222
|
||||
SSH_LISTEN_PORT = %(SSH_PORT)s
|
||||
SSH_SERVER_HOST_KEYS=ssh/gitea.rsa, ssh/gogs.rsa
|
||||
APP_DATA_PATH = /data/gitea
|
||||
LFS_JWT_SECRET =
|
||||
|
||||
[database]
|
||||
DB_TYPE = postgres
|
||||
HOST = postgres.yourserver.com ; can use socket e.g. /var/run/postgresql/
|
||||
NAME = gitea
|
||||
USER = gitea
|
||||
PASSWD =
|
||||
;SCHEMA =
|
||||
SSL_MODE=require ;either "disable" (default), "require", or "verify-full"
|
||||
|
||||
[security]
|
||||
INSTALL_LOCK = true
|
||||
SECRET_KEY =
|
||||
INTERNAL_TOKEN=
|
||||
|
||||
[oauth2]
|
||||
ENABLE = true
|
||||
JWT_SECRET =
|
||||
|
||||
[U2F]
|
||||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||
;;
|
||||
;; NOTE: THE DEFAULT VALUES HERE WILL NEED TO BE CHANGED
|
||||
;; Two Factor authentication with security keys
|
||||
;; https://developers.yubico.com/U2F/App_ID.html
|
||||
APP_ID = ; e.g. http://localhost:3000/
|
||||
;; Comma separated list of trusted facets
|
||||
TRUSTED_FACETS = ; e.g. http://localhost:3000/
|
||||
|
||||
[log]
|
||||
MODE = console
|
||||
;; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Trace"
|
||||
LEVEL = Info
|
||||
ROUTER = console
|
||||
[git]
|
||||
;; The path of git executable. If empty, Gitea searches through the PATH environment.
|
||||
PATH =
|
||||
|
||||
[attachment]
|
||||
ENABLED = true
|
||||
ALLOWED_TYPES = .docx,.gif,.gz,.jpeg,.jpg,.log,.pdf,.png,.pptx,.txt,.xlsx,.zip
|
||||
MAX_SIZE = 30
|
||||
MAX_FILES = 5
|
||||
STORAGE_TYPE = minio
|
||||
MINIO_ENDPOINT = s3.fr-par.scw.cloud
|
||||
MINIO_ACCESS_KEY_ID =
|
||||
MINIO_SECRET_ACCESS_KEY =
|
||||
MINIO_BUCKET =
|
||||
MINIO_LOCATION =
|
||||
MINIO_BASE_PATH = attachments/
|
||||
MINIO_USE_SSL = true
|
||||
|
||||
[storage]
|
||||
STORAGE_TYPE = minio
|
||||
MINIO_ENDPOINT = s3.fr-par.scw.cloud
|
||||
MINIO_ACCESS_KEY_ID =
|
||||
MINIO_SECRET_ACCESS_KEY =
|
||||
MINIO_BUCKET =
|
||||
MINIO_LOCATION =
|
||||
MINIO_USE_SSL = true
|
||||
|
||||
[storage.repo-archive]
|
||||
STORAGE_TYPE = minio
|
||||
MINIO_ENDPOINT = s3.fr-par.scw.cloud
|
||||
MINIO_ACCESS_KEY_ID =
|
||||
MINIO_SECRET_ACCESS_KEY =
|
||||
MINIO_BUCKET =
|
||||
MINIO_LOCATION =
|
||||
MINIO_USE_SSL = true
|
||||
|
||||
[storage.minio]
|
||||
STORAGE_TYPE = minio
|
||||
MINIO_ENDPOINT = s3.fr-par.scw.cloud
|
||||
MINIO_ACCESS_KEY_ID =
|
||||
MINIO_SECRET_ACCESS_KEY =
|
||||
MINIO_BUCKET =
|
||||
MINIO_LOCATION =
|
||||
MINIO_USE_SSL = true
|
|
@ -0,0 +1,34 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
namespace: gitea
|
||||
|
||||
bases:
|
||||
- https://github.com/coopgo/gitea-k8s
|
||||
|
||||
# Use Bitnami Sealed Secrets https://github.com/bitnami-labs/sealed-secrets instead of a real secret (or create it with Kustomize's generateSecret https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kustomize/)
|
||||
resources:
|
||||
- sealed-gitea-config.yaml
|
||||
|
||||
# If you want to override other files for templates for example
|
||||
#
|
||||
# configMapGenerator:
|
||||
# - name: public-files-configmap
|
||||
# files:
|
||||
# - public/img/logo.svg
|
||||
# - name: templates-files-configmap
|
||||
# files:
|
||||
# - templates/home.tmpl
|
||||
|
||||
patchesJson6902:
|
||||
- path: service-patch.yaml
|
||||
target:
|
||||
version: v1
|
||||
kind: Service
|
||||
name: gitea
|
||||
- path: deployment-patch.yaml
|
||||
target:
|
||||
version: v1
|
||||
group: apps
|
||||
kind: Deployment
|
||||
name: gitea
|
|
@ -0,0 +1,3 @@
|
|||
- op: add
|
||||
path: /spec/loadBalancerIP
|
||||
value: lb.reserved.ip.address
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- deployment.yaml
|
||||
- service.yaml
|
|
@ -0,0 +1,20 @@
|
|||
---
|
||||
kind: Service
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: gitea
|
||||
spec:
|
||||
selector:
|
||||
app: gitea
|
||||
type: LoadBalancer
|
||||
ports:
|
||||
- port: 80
|
||||
targetPort: 80
|
||||
name: http
|
||||
- port: 443
|
||||
targetPort: 443
|
||||
name: https
|
||||
- port: 22
|
||||
targetPort: 2222
|
||||
name: ssh
|
||||
|
Loading…
Reference in New Issue