Initial commit

This commit is contained in:
Arnaud Delcasse 2021-11-23 08:44:40 +01:00
commit 5295ef0e3a
8 changed files with 274 additions and 0 deletions

README.md Normal file

@ -0,0 +1,30 @@
# coopgo/gitea-k8s
[Gitea](https://gitea.io) configuration files for Kubernetes using Kustomize.
Made by [COOPGO](https://coopgo.fr)
## Assumptions
- This is a Kustomize base. Do not apply it on your cluster as is but use overlays instead. See [Off The Shelf Application in Kustomize documentation](https://kubectl.docs.kubernetes.io/guides/config_management/offtheshelf/).
- We didn't want to rely on hacking an ingress controller to redirect port 22 (SSH), or have different domains for HTTPS and SSH. That's why this we directly depend on a loadbalancer service (your K8S cluster will need to support that) handling HTTP/HTTPS/SSH. HTTP and HTTPS requests are sent to a caddy reverse proxy in the same pod as Gitea
- We only deploy 1 replica, that's why we use a Deployment instead of StatefulSet. This might maybe be improved. Feel free to contribute.
- We wanted to store as much as possible (everything configurable like this in Gitea : repo archives, lfs, avatars, etc...) in object storage using the minio storage setting (in our case we use our cloud provider's one). Choices were made regarding this requirements even if you can have a different configuration in your overlay.
- We use [Bitnami Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets) for GitOps purpose and choices were made to make this simple with this base.
## How to use it ?
You have an example configuration in the example-overlay folder.
You have to change the configuration values in `gitea-config.yaml` according to your needs. You might want to refer to Gitea documentation for that part.
In our case, we use Bitnami Sealed Secrets. The `gitea-config.yaml` should nor be pushed to a Git repository with credentials (secret keys, ...). Instead, we use Bitnami Sealed Secrets and store an encrypted `sealed-gitea-config.yaml` file. Take a look at https://github.com/bitnami-labs/sealed-secrets to know how to install it on your cluster, then run :
cat gitea-config.yaml | kubeseal --controller-namespace kube-system --controller-name sealed-secrets-controller --format yaml > sealed-gitea-config.yaml
And remove gitea-config.yaml or stire it in another location not shared publicly or with others.
To apply your changes (from within the overlay folder) :
kubectl apply -k .
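Review bot: the README tells the reader to delete `gitea-config.yaml` or move it elsewhere after sealing it, but nothing stops the plaintext file from being committed by accident; add a `.gitignore` entry for `gitea-config.yaml` in the example overlay so only `sealed-gitea-config.yaml` can reach the repository. Three wording slips in the same hunk: "should nor be pushed" should read "should not be pushed", "stire it in another location" should read "store it in another location", and "That's why this we directly depend" should read "That's why we directly depend".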

deployment.yaml Normal file

@ -0,0 +1,64 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: gitea
labels:
app: gitea
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: gitea
template:
metadata:
labels:
app: gitea
spec:
containers:
- name: gitea
image: gitea/gitea:1.15.6
imagePullPolicy: IfNotPresent
ports:
- containerPort: 3000
name: https
- containerPort: 2222
name: ssh
volumeMounts:
- name: gitea-data
mountPath: /data
- name: gitea-config
mountPath: /data/gitea/conf
- name: caddy
image: caddy:2.4.6
command: ["caddy", "reverse-proxy", "-to", "localhost:3000"]
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
name: http
- containerPort: 443
name: https
volumeMounts:
- name: gitea-data
mountPath: /data
volumes:
- name: gitea-data
persistentVolumeClaim:
claimName: gitea-data
- name: gitea-config
secret:
secretName: gitea-config
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gitea-data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
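Review bot: the caddy container mounts the whole `gitea-data` claim at `/data`, which gives the reverse proxy read/write access to every repository and to the SSH host keys that Gitea keeps under `/data/gitea` (see `APP_DATA_PATH` and `SSH_SERVER_HOST_KEYS` in the config hunk); the official caddy image only needs a writable `/data` for its certificate store, so mount a `subPath` (for example `subPath: caddy`) or a dedicated small claim there instead of the shared volume. Also, the Gitea container port 3000 is named `https` although Gitea is configured with `PROTOCOL = http` and only caddy terminates TLS; rename it (for example `gitea-http`) so the port name does not mislead anyone wiring a Service or NetworkPolicy to it. Neither container sets `resources`, `securityContext` or readiness/liveness probes; at least a readiness probe on Gitea's HTTP port would keep the load balancer from routing to a pod that is still migrating the database after a restart.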


@ -0,0 +1,7 @@
- op: add
path: /spec/template/spec/containers/1/command/-
value: "-from"
- op: add
path: /spec/template/spec/containers/1/command/-
value: "your.domain.com"
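Review bot: the patch addresses the caddy container by position (`/containers/1/command/-`), so any reordering of the containers in the base silently appends `-from your.domain.com` to the Gitea container's command instead; the file should at least carry a comment stating that index 1 must be the caddy container. The placeholder `your.domain.com` has to match `DOMAIN` and `ROOT_URL` in `gitea-config.yaml`, and because caddy obtains a certificate for it automatically, ports 80 and 443 of the load balancer must be reachable for the ACME challenge before the first rollout succeeds.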


@ -0,0 +1,110 @@
apiVersion: v1
kind: Secret
metadata:
name: gitea-config
labels:
app: gitea
type: Opaque
stringData:
app.ini: |-
APP_NAME = Gitea: Git with a cup of tea
RUN_USER = git
RUN_MODE = ; prod
[server]
PROTOCOL = http
DOMAIN = git.example.com
ROOT_URL = https://git.example.com
HTTP_ADDR = 0.0.0.0
HTTP_PORT = 3000
;; Local (DMZ) URL for Gitea workers (such as SSH update) accessing web service.
;; In most cases you do not need to change the default value.
;; Alter it only if your SSH server node is not the same as HTTP node.
;; Do not set this variable if PROTOCOL is set to 'unix'.
;LOCAL_ROOT_URL = %(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/
;DISABLE_SSH = false
START_SSH_SERVER = true
SSH_PORT = 2222
SSH_LISTEN_PORT = %(SSH_PORT)s
SSH_SERVER_HOST_KEYS=ssh/gitea.rsa, ssh/gogs.rsa
APP_DATA_PATH = /data/gitea
LFS_JWT_SECRET =
[database]
DB_TYPE = postgres
HOST = postgres.yourserver.com ; can use socket e.g. /var/run/postgresql/
NAME = gitea
USER = gitea
PASSWD =
;SCHEMA =
SSL_MODE=require ;either "disable" (default), "require", or "verify-full"
[security]
INSTALL_LOCK = true
SECRET_KEY =
INTERNAL_TOKEN=
[oauth2]
ENABLE = true
JWT_SECRET =
[U2F]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; NOTE: THE DEFAULT VALUES HERE WILL NEED TO BE CHANGED
;; Two Factor authentication with security keys
;; https://developers.yubico.com/U2F/App_ID.html
APP_ID = ; e.g. http://localhost:3000/
;; Comma separated list of trusted facets
TRUSTED_FACETS = ; e.g. http://localhost:3000/
[log]
MODE = console
;; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Trace"
LEVEL = Info
ROUTER = console
[git]
;; The path of git executable. If empty, Gitea searches through the PATH environment.
PATH =
[attachment]
ENABLED = true
ALLOWED_TYPES = .docx,.gif,.gz,.jpeg,.jpg,.log,.pdf,.png,.pptx,.txt,.xlsx,.zip
MAX_SIZE = 30
MAX_FILES = 5
STORAGE_TYPE = minio
MINIO_ENDPOINT = s3.fr-par.scw.cloud
MINIO_ACCESS_KEY_ID =
MINIO_SECRET_ACCESS_KEY =
MINIO_BUCKET =
MINIO_LOCATION =
MINIO_BASE_PATH = attachments/
MINIO_USE_SSL = true
[storage]
STORAGE_TYPE = minio
MINIO_ENDPOINT = s3.fr-par.scw.cloud
MINIO_ACCESS_KEY_ID =
MINIO_SECRET_ACCESS_KEY =
MINIO_BUCKET =
MINIO_LOCATION =
MINIO_USE_SSL = true
[storage.repo-archive]
STORAGE_TYPE = minio
MINIO_ENDPOINT = s3.fr-par.scw.cloud
MINIO_ACCESS_KEY_ID =
MINIO_SECRET_ACCESS_KEY =
MINIO_BUCKET =
MINIO_LOCATION =
MINIO_USE_SSL = true
[storage.minio]
STORAGE_TYPE = minio
MINIO_ENDPOINT = s3.fr-par.scw.cloud
MINIO_ACCESS_KEY_ID =
MINIO_SECRET_ACCESS_KEY =
MINIO_BUCKET =
MINIO_LOCATION =
MINIO_USE_SSL = true
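Review bot: `SSH_PORT = 2222` is the port Gitea advertises in SSH clone URLs, while `service.yaml` in this commit exposes SSH on port 22 and forwards it to 2222; set `SSH_PORT = 22` and keep `SSH_LISTEN_PORT = 2222`, otherwise users are handed clone URLs on a port the load balancer does not serve. `RUN_MODE = ; prod` leaves the value empty (everything after `;` is a comment), so Gitea falls back to its built-in default; write `RUN_MODE = prod` if that is the intent. The `[U2F]` block keeps the empty `APP_ID` and `TRUSTED_FACETS` that its own comment says must be changed; set them to the `ROOT_URL` value so security-key enrolment works on the real domain. `SSL_MODE=require` encrypts the database connection but does not verify the server certificate; prefer `verify-full` when the provider's CA is available. Finally, `[storage]` already supplies defaults for every storage that does not override it, so the identical credential blocks under `[storage.repo-archive]` and `[storage.minio]` can be dropped unless they are meant to diverge, leaving fewer copies of the access keys to rotate.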


@ -0,0 +1,34 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: gitea
bases:
- https://github.com/coopgo/gitea-k8s
# Use Bitnami Sealed Secrets https://github.com/bitnami-labs/sealed-secrets instead of a real secret (or create it with Kustomize's generateSecret https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kustomize/)
resources:
- sealed-gitea-config.yaml
# If you want to override other files for templates for example
#
# configMapGenerator:
# - name: public-files-configmap
# files:
# - public/img/logo.svg
# - name: templates-files-configmap
# files:
# - templates/home.tmpl
patchesJson6902:
- path: service-patch.yaml
target:
version: v1
kind: Service
name: gitea
- path: deployment-patch.yaml
target:
version: v1
group: apps
kind: Deployment
name: gitea
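Review bot: the remote base `https://github.com/coopgo/gitea-k8s` is not pinned, so every `kubectl apply -k` pulls whatever the default branch contains at that moment and a later change to the base rolls out unreviewed; pin it with a `?ref=` query (for example `https://github.com/coopgo/gitea-k8s?ref=<tag-or-commit>`, placeholder to be filled in) and bump it deliberately. `bases:` is deprecated in kustomize in favour of listing the base under `resources:`, which would also keep the remote base and the sealed secret in one list.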


@ -0,0 +1,3 @@
- op: add
path: /spec/loadBalancerIP
value: lb.reserved.ip.address
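Review bot: `lb.reserved.ip.address` is a placeholder, not a valid IP address, so the API server rejects the Service until it is replaced with the address actually reserved at the cloud provider; say so in a comment in the file, and note that `loadBalancerIP` is honoured only by providers that support pre-allocated addresses, so the overlay is not portable as written.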

kustomization.yaml Normal file

@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- deployment.yaml
- service.yaml

service.yaml Normal file

@ -0,0 +1,20 @@
---
kind: Service
apiVersion: v1
metadata:
name: gitea
spec:
selector:
app: gitea
type: LoadBalancer
ports:
- port: 80
targetPort: 80
name: http
- port: 443
targetPort: 443
name: https
- port: 22
targetPort: 2222
name: ssh
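Review bot: the Service publishes SSH (22) together with HTTP/HTTPS on a public load balancer; if SSH access is only needed from known networks, add `loadBalancerSourceRanges` to limit it, and consider `externalTrafficPolicy: Local` so Gitea sees real client source addresses in its logs rather than the node's SNAT address (safe here because the Deployment runs a single replica). The `port: 22` to `targetPort: 2222` mapping also means `SSH_PORT` in `gitea-config.yaml` should be 22, not 2222, so that advertised clone URLs match what the load balancer serves.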