diff --git a/.DS_Store b/.DS_Store
index ad5287b..c333061 100644
Binary files a/.DS_Store and b/.DS_Store differ
diff --git a/gitea/.DS_Store b/gitea/.DS_Store
new file mode 100644
index 0000000..5008ddf
Binary files /dev/null and b/gitea/.DS_Store differ
diff --git a/gitea/README.md b/gitea/README.md
new file mode 100644
index 0000000..01213f9
--- /dev/null
+++ b/gitea/README.md
@@ -0,0 +1,10 @@
+# Undercloud Gitea
+## git
+
+main repo for kubernetes apps
+
+the root url has been changed. check for errors or problems
+
+improvements:
+ldap group import (no cli command...)
+ldap avatars
diff --git a/gitea/adminer.yaml b/gitea/adminer.yaml
new file mode 100644
index 0000000..587c847
--- /dev/null
+++ b/gitea/adminer.yaml
@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: adminer
+ namespace: gitea
+ labels:
+ app: adminer
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: adminer
+ template:
+ metadata:
+ labels:
+ app: adminer
+ spec:
+ containers:
+ - name: adminer
+ image: adminer
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: ADMINER_DEFAULT_SERVER
+ value: db
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: adminer
+ namespace: gitea
+spec:
+ internalTrafficPolicy: Cluster
+ ipFamilies:
+ - IPv6
+ ipFamilyPolicy: SingleStack
+ ports:
+ - name: http
+ port: 8080
+ protocol: TCP
+ targetPort: 8080
+ selector:
+ app: adminer
+ sessionAffinity: None
+ type: ClusterIP
diff --git a/gitea/db.yaml b/gitea/db.yaml
new file mode 100644
index 0000000..bcecde9
--- /dev/null
+++ b/gitea/db.yaml
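Review bot: `image: adminer` in the adminer Deployment has no tag or digest, so with `imagePullPolicy: IfNotPresent` each node runs whatever `latest` it happened to cache first and the deployment is not reproducible; pin it, e.g. `image: adminer:<pinned-version>` (placeholder). Adminer is a full SQL console pointed at `db` through ADMINER_DEFAULT_SERVER and reachable from every pod via the ClusterIP Service, so anyone in the cluster who knows the gitea-db credentials gets interactive access to the whole database; if it is only needed occasionally, keep `replicas: 0` until it is, or fence it with a NetworkPolicy. The container sets no resource requests/limits and no securityContext. The `.DS_Store` files added in this diff are OS residue and belong in .gitignore.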
@@ -0,0 +1,216 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: db
+# Change "rook-ceph" provisioner prefix to match the operator namespace if needed
+provisioner: rook-ceph.cephfs.csi.ceph.com
+parameters:
+ # clusterID is the namespace where the rook cluster is running
+ # If you change this namespace, also change the namespace below where the secret namespaces are defined
+ clusterID: rook-ceph
+
+ # CephFS filesystem name into which the volume shall be created
+ fsName: gitea
+
+ # Ceph pool into which the volume shall be created
+ # Required for provisionVolume: "true"
+ pool: gitea-replicated
+
+ # The secrets contain Ceph admin credentials. These are generated automatically by the operator
+ # in the same namespace as the cluster.
+ csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner
+ csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
+ csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner
+ csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
+ csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node
+ csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
+
+reclaimPolicy: Delete
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: db
+ namespace: gitea
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 16Gi
+ storageClassName: db
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: db
+ namespace: gitea
+ labels:
+ app: db
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: db
+ template:
+ metadata:
+ labels:
+ app: db
+ spec:
+ containers:
+ - name: db
+ image: mariadb:10.5
+ imagePullPolicy: "IfNotPresent"
+ ports:
+ - name: mysql
+ containerPort: 3306
+ env:
+ - name: MARIADB_ROOT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: gitea-db
+ key: root.pw
+ - name: MARIADB_USER
+ valueFrom:
+ secretKeyRef:
+ name: gitea-db
+ key: username
+ optional: false
+ - name: MARIADB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: gitea-db
+ key: user.pw
+ optional: false
+ - name: MARIADB_DATABASE
+ value: gitea
+ #livenessProbe:
+ # exec:
+ # command: ["sh", "-c", "exec mysqladmin status -uroot -p$MARIADB_ROOT_PASSWORD"]
+ # initialDelaySeconds: 120
+ # periodSeconds: 10
+ # timeoutSeconds: 1
+ # successThreshold: 1
+ # failureThreshold: 3
+ #readinessProbe:
+ # exec:
+ # command: ["sh", "-c", "exec mysqladmin status -uroot -p$MARIADB_ROOT_PASSWORD"]
+ # initialDelaySeconds: 30
+ # periodSeconds: 10
+ # timeoutSeconds: 1
+ # successThreshold: 1
+ # failureThreshold: 3
+ volumeMounts:
+ - mountPath: /var/lib/mysql
+ name: data
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: db
+ readOnly: false
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: db
+ namespace: gitea
+spec:
+ internalTrafficPolicy: Cluster
+ ipFamilies:
+ - IPv6
+ ipFamilyPolicy: SingleStack
+ ports:
+ - name: mysql
+ port: 3306
+ protocol: TCP
+ targetPort: 3306
+ selector:
+ app: db
+ sessionAffinity: None
+ type: ClusterIP
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: db-backup
+# Change "rook-ceph" provisioner prefix to match the operator namespace if needed
+provisioner: rook-ceph.cephfs.csi.ceph.com
+parameters:
+ # clusterID is the namespace where the rook cluster is running
+ # If you change this namespace, also change the namespace below where the secret namespaces are defined
+ clusterID: rook-ceph
+
+ # CephFS filesystem name into which the volume shall be created
+ fsName: gitea
+
+ # Ceph pool into which the volume shall be created
+ # Required for provisionVolume: "true"
+ pool: gitea-replicated
+
+ # The secrets contain Ceph admin credentials. These are generated automatically by the operator
+ # in the same namespace as the cluster.
+ csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner
+ csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
+ csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner
+ csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
+ csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node
+ csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
+
+reclaimPolicy: Delete
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: db-backup
+ namespace: gitea
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 10Gi
+ storageClassName: db-backup
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: db-backup
+ namespace: gitea
+ labels:
+ app: db-backup
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: db-backup
+ template:
+ metadata:
+ labels:
+ app: db-backup
+ spec:
+ containers:
+ - name: db-backup
+ image: rsprta/mariadb-backup
+ imagePullPolicy: "IfNotPresent"
+ env:
+ - name: CRON_TIMER
+ value: "@daily"
+ - name: MARIADB_HOST
+ value: db
+ - name: MARIADB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: gitea-db
+ key: root.pw
+ - name: MARIADB_USER
+ value: root
+ - name: MARIADB_PORT
+ value: "3306"
+ volumeMounts:
+ - mountPath: /backup
+ name: backup
+ volumes:
+ - name: backup
+ persistentVolumeClaim:
+ claimName: db-backup
+ readOnly: false
\ No newline at end of file
diff --git a/gitea/filesystem.yaml b/gitea/filesystem.yaml
new file mode 100644
index 0000000..47e5898
--- /dev/null
+++ b/gitea/filesystem.yaml
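Review bot: The db-backup Deployment authenticates as `MARIADB_USER: root` with the `root.pw` key, so a scheduled dump job holds full administrative rights over the database; a dedicated backup account limited to the read/lock privileges a dump needs would keep `root.pw` confined to the db pod. `image: rsprta/mariadb-backup` is untagged and pulled with `"IfNotPresent"`, so which backup binary runs depends on what each node has cached — pin a tag or digest (placeholder `rsprta/mariadb-backup:<pinned-tag>`). Both StorageClasses use `reclaimPolicy: Delete`, so deleting the `db-backup` PVC also destroys every backup taken onto it; `reclaimPolicy: Retain` is the safer choice for that class. The commented-out probes put the root password on the `mysqladmin ... -p$MARIADB_ROOT_PASSWORD` command line, where it is visible in the process list; if they are re-enabled, read it from a `--defaults-extra-file` instead.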
@@ -0,0 +1,42 @@
+apiVersion: ceph.rook.io/v1
+kind: CephFilesystem
+metadata:
+ name: gitea
+ namespace: rook-ceph
+spec:
+ metadataPool:
+ failureDomain: host
+ replicated:
+ size: 3
+ dataPools:
+ - name: replicated
+ failureDomain: host
+ replicated:
+ size: 3
+ preserveFilesystemOnDelete: false
+ metadataServer:
+ activeCount: 1
+ activeStandby: true
+ placement:
+ # nodeAffinity:
+ # requiredDuringSchedulingIgnoredDuringExecution:
+ # nodeSelectorTerms:
+ # - matchExpressions:
+ # - key: role
+ # operator: In
+ # values:
+ # - mds-node
+ tolerations:
+ - key: node-role.kubernetes.io/storage-node
+ operator: Exists
+ effect: NoSchedule
+ # podAffinity:
+ # podAntiAffinity:
+ # topologySpreadConstraints:
+ #resources:
+ # limits:
+ # cpu: "80m"
+ # memory: "1024Mi"
+ # requests:
+ # cpu: "500m"
+ # memory: "1024Mi"
\ No newline at end of file
diff --git a/gitea/gitea.yaml b/gitea/gitea.yaml
new file mode 100644
index 0000000..a019cf4
--- /dev/null
+++ b/gitea/gitea.yaml
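Review bot: `preserveFilesystemOnDelete: false` means that deleting this CephFilesystem CR (a GitOps prune or a namespace cleanup is enough) destroys the `gitea` filesystem and every volume carved from it, including the repository store and the db-backup volume that db.yaml provisions from the same `gitea-replicated` pool; for a filesystem that holds both the data and its backups, `preserveFilesystemOnDelete: true` is the safer default. The commented-out `resources` block, if re-enabled as written, sets `limits.cpu: "80m"` below `requests.cpu: "500m"`, which the API server rejects; swap the two before uncommenting. Until then the MDS pods run without any limits.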
@@ -0,0 +1,357 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: app-ini
+ namespace: gitea
+data:
+ # file-like keys
+ app.ini: |
+ APP_NAME = Gitea: Undercloud Code Repository
+ RUN_MODE = prod
+ RUN_USER = git
+
+ [repository]
+ ROOT = /data/git/repositories
+ ENABLE_PUSH_CREATE_USER=true
+ ENABLE_PUSH_CREATE_ORG=true
+ ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET=false
+
+ [repository.local]
+ LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
+
+ [repository.upload]
+ TEMP_PATH = /data/gitea/uploads
+
+ [server]
+ APP_DATA_PATH = /data/gitea
+ DOMAIN = localhost
+ SSH_DOMAIN = localhost
+ HTTP_PORT = 3000
+ ROOT_URL = https://gitea.undercloud.cf/
+ DISABLE_SSH = false
+ SSH_PORT = 22
+ SSH_LISTEN_PORT = 22
+ LFS_START_SERVER = true
+ LFS_JWT_SECRET = LvgbTqg7kmthqjp39gQcTr1nhNgi13A7CNAPOmZHeAc
+ OFFLINE_MODE = false
+
+ [database]
+ PATH = /data/gitea/gitea.db
+ DB_TYPE = sqlite3
+ HOST = localhost:3306
+ NAME = gitea
+ USER = root
+ PASSWD =
+ LOG_SQL = false
+ SCHEMA =
+ SSL_MODE = disable
+ CHARSET = utf8
+
+ [indexer]
+ ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+
+ [session]
+ PROVIDER_CONFIG = /data/gitea/sessions
+ PROVIDER = file
+
+ [picture]
+ AVATAR_UPLOAD_PATH = /data/gitea/avatars
+ REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
+ ENABLE_FEDERATED_AVATAR = false
+
+ [attachment]
+ PATH = /data/gitea/attachments
+
+ [log]
+ MODE = console
+ LEVEL = info
+ ROUTER = console
+ ROOT_PATH = /data/gitea/log
+
+ [security]
+ INSTALL_LOCK = true
+ SECRET_KEY =
+ REVERSE_PROXY_LIMIT = 1
+ REVERSE_PROXY_TRUSTED_PROXIES = *
+ INTERNAL_TOKEN = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE2NzI2MTA0MzB9.MnlX0rQXUl9QQTc2Hy878Tp2SqKRCDwcl9Y6rX2d4t0
+ PASSWORD_HASH_ALGO = pbkdf2
+
+ [service]
+ DISABLE_REGISTRATION = false
+ REQUIRE_SIGNIN_VIEW = false
+ REGISTER_EMAIL_CONFIRM = false
+ ENABLE_NOTIFY_MAIL = false
+ ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ ENABLE_CAPTCHA = false
+ DEFAULT_KEEP_EMAIL_PRIVATE = false
+ DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+ DEFAULT_ENABLE_TIMETRACKING = true
+ NO_REPLY_ADDRESS = noreply.localhost
+
+ [lfs]
+ PATH = /data/git/lfs
+
+ [mailer]
+ ENABLED = false
+
+ [openid]
+ ENABLE_OPENID_SIGNIN = true
+ ENABLE_OPENID_SIGNUP = true
+
+ [repository.pull-request]
+ DEFAULT_MERGE_STYLE = merge
+
+ [repository.signing]
+ DEFAULT_TRUST_MODEL = committer
+
+ [metrics]
+ ENABLED=true
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: startup
+ namespace: gitea
+data:
+ startup.sh: |
+ #!/bin/sh
+ echo "startup..."
+ if test ! -f "/data/startup.ran"; then
+ echo "waiting 60s for startup..."
+ sleep 60s
+ echo "writing pw to files"
+ echo $SHODAN_PW > /data/shodan.pw
+ echo $ARGOCD_PW > /data/argocd.pw
+ echo $GITEA_PW > /data/gitea.pw
+ echo "creating users..."
+ echo $ARGOCD_PW
+ su git -c 'echo $ARGOCD_PW'
+ su git -c 'SHODAN_PW=`cat /data/shodan.pw` && gitea admin user create --username shodan --admin --password $SHODAN_PW --email thrawn235@gmail.com'
+ su git -c 'ARGOCD_PW=`cat /data/argocd.pw` && gitea admin user create --username argocd --password $ARGOCD_PW --email argocd@undercloud.cf --must-change-password=false'
+ su git -c 'GITEA_PW=`cat /data/gitea.pw` && gitea admin auth add-ldap --name ldap --security-protocol StartTLS --host ldap.undercloud.cf. --port 389 --user-search-base "ou=users,dc=undercloud,dc=cf" --user-filter "(&(objectClass=person)(uid=%s))" --admin-filter "(&(memberOf=cn=gitea-admins,ou=groups,dc=undercloud,dc=cf))" --email-attribute mail --avatar-attribute jpegPhoto --synchronize-users --skip-tls-verify --username-attribute uid --bind-dn "cn=gitea,ou=serviceaccounts,ou=users,dc=undercloud,dc=cf" --bind-password $GITEA_PW --attributes-in-bind --firstname-attribute cn --surname-attribute sn'
+
+ sleep 30s
+ echo "wget tea..."
+ wget http://aux-balancer.undercloud.cf.:3000/undercloud/kube-binaries/raw/branch/main/tea
+ echo "wget ctea..."
+ wget http://aux-balancer.undercloud.cf.:3000/undercloud/kube-binaries/raw/branch/main/ctea + chmod +x tea + chmod +x ctea + #echo "using tea to create login..." + #./tea login add --url http://localhost:3000 -i --user shodan --password $SHODAN_PW + #./tea login default localhost:3000 + echo "creating undercloud organisation" + sleep 30s + #./tea organization create undercloud + ./ctea --username shodan --password $SHODAN_PW --url http://localhost:3000 CreateOrg undercloud + sleep 5s + echo "creating undercloud team" + ./ctea --username shodan --password $SHODAN_PW --url http://localhost:3000 CreateTeam undercloud undercloud + sleep 5s + echo "add argocd to undercloud team" + ./ctea --username shodan --password $SHODAN_PW --url http://localhost:3000 AddUserToTeam undercloud undercloud argocd + sleep 5s + echo "cloning k8aux-apps" + execline-cd /data git clone http://aux-balancer.undercloud.cf.:3000/undercloud/k8aux-apps.git + execline-cd /data/k8aux-apps rm -Rf .git + execline-cd /data/k8aux-apps git init + execline-cd /data/k8aux-apps git config --global user.email "thrawn235@gmail.com" + execline-cd /data/k8aux-apps git config --global user.name "shodan" + execline-cd /data/k8aux-apps git add . + execline-cd /data/k8aux-apps git commit -m "upload" + echo "push k8aux-apps to localhost" + execline-cd /data/k8aux-apps git push http://shodan:$SHODAN_PW@localhost:3000/undercloud/k8aux-apps.git --all + echo "delete local copy..." + #execline-cd /data rm -Rf k8aux-apps + echo "create PushMirror.." + ./ctea --username shodan --password $SHODAN_PW --url http://localhost:3000 AddPushMirror undercloud k8aux-apps "http://aux1.undercloud.cf.:3000/undercloud/k8aux-apps.git" shodan $SHODAN_PW 1h0m0s + ./ctea --username shodan --password $SHODAN_PW --url http://localhost:3000 AddPushMirror undercloud k8aux-apps "http://aux2.undercloud.cf.:3000/undercloud/k8aux-apps.git" shodan $SHODAN_PW 1h0m0s + echo "create startup.ran file..." 
+ touch /data/startup.ran
+ else
+ echo "startup ran already!"
+ fi
+ echo "startup done."
+ #exit 123
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: gitea
+# Change "rook-ceph" provisioner prefix to match the operator namespace if needed
+provisioner: rook-ceph.cephfs.csi.ceph.com
+parameters:
+ # clusterID is the namespace where the rook cluster is running
+ # If you change this namespace, also change the namespace below where the secret namespaces are defined
+ clusterID: rook-ceph
+
+ # CephFS filesystem name into which the volume shall be created
+ fsName: gitea
+
+ # Ceph pool into which the volume shall be created
+ # Required for provisionVolume: "true"
+ pool: gitea-replicated
+
+ # The secrets contain Ceph admin credentials. These are generated automatically by the operator
+ # in the same namespace as the cluster.
+ csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner
+ csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
+ csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner
+ csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
+ csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node
+ csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
+
+reclaimPolicy: Delete
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: gitea
+ namespace: gitea
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 32Gi
+ storageClassName: gitea
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: gitea
+ namespace: gitea
+ labels:
+ app: gitea
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: gitea
+ template:
+ metadata:
+ labels:
+ app: gitea
+ spec:
+ initContainers:
+ - name: copyappini
+ image: gitea/gitea:1.19
+ command: ["bash", "-c", "mkdir -p /data/gitea/conf && cp -f /copy/app.ini /data/gitea/conf/app.ini"]
+ volumeMounts:
+ - mountPath: /data
+ name: data
+ - mountPath: /copy
+ name: app-ini
+ containers:
+ - name: gitea
+ image: gitea/gitea:1.19
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 3000
+ - containerPort: 22
+ #lifecycle:
+ # postStart:
+ # exec:
+ # command:
+ # - "/bin/startup.sh"
+ env:
+ - name: USER_UID
+ value: "1000"
+ - name: USER_GID
+ value: "1000"
+ - name: GITEA__database__DB_TYPE
+ value: mysql
+ - name: GITEA__database__HOST
+ value: db:3306
+ - name: GITEA__database__NAME
+ value: gitea
+ - name: GITEA__database__USER
+ valueFrom:
+ secretKeyRef:
+ name: gitea-db
+ key: username
+ optional: false
+ - name: GITEA__database__PASSWD
+ valueFrom:
+ secretKeyRef:
+ name: gitea-db
+ key: user.pw
+ optional: false
+ - name: SHODAN_PW
+ valueFrom:
+ secretKeyRef:
+ name: shodan
+ key: pw
+ optional: false
+ - name: ARGOCD_PW
+ valueFrom:
+ secretKeyRef:
+ name: argocd-user
+ key: pw
+ optional: false
+ - name: GITEA_PW
+ valueFrom:
+ secretKeyRef:
+ name: gitea-user
+ key: pw
+ optional: false
+ livenessProbe:
+ httpGet:
+ path: /api/healthz
+ port: http
+ initialDelaySeconds: 200
+ timeoutSeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ failureThreshold: 10
+ volumeMounts:
+ - mountPath: /data
+ name: data
+ - mountPath: /bin/startup.sh
+ name: startup
+ subPath: startup.sh
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: gitea
+ readOnly: false
+ - name: app-ini
+ configMap:
+ name: app-ini
+ items:
+ - key: "app.ini"
+ path: "app.ini"
+ - name: startup
+ configMap:
+ name: startup
+ defaultMode: 0700
+ items:
+ - key: "startup.sh"
+ path: "startup.sh"
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: gitea
+ namespace: gitea
+ labels:
+ app: gitea
+spec:
+ internalTrafficPolicy: Cluster
+ ipFamilies:
+ - IPv6
+ - IPv4
+ ipFamilyPolicy: PreferDualStack
+ ports:
+ - name: http
+ port: 3000
+ protocol: TCP
+ targetPort: 3000
+ - name: ssh
+ port: 22
+ protocol: TCP
+ targetPort: 22
+ selector:
+ app: gitea
+ sessionAffinity: None
+ type: ClusterIP
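Review bot: The `app-ini` ConfigMap carries live credentials — `LFS_JWT_SECRET` under `[server]` and `INTERNAL_TOKEN` under `[security]` — in plaintext in a ConfigMap committed to the repository; move both into a Secret delivered as `GITEA__server__LFS_JWT_SECRET` / `GITEA__security__INTERNAL_TOKEN` (the same env-to-ini mechanism the Deployment already uses for `GITEA__database__PASSWD`), rotate them since they are now in git history, and set `SECRET_KEY` the same way, because the init container's `cp -f /copy/app.ini` replaces app.ini on every start and presumably discards whatever key Gitea generated into the empty `SECRET_KEY =`. The livenessProbe references `port: http`, but the container ports are bare `containerPort: 3000` / `containerPort: 22` with no `name`, so the kubelet cannot resolve the port, the probe fails and the container is restarted once failureThreshold is reached; add `name: http` to the 3000 entry (and `name: ssh` to 22). startup.sh writes all three passwords to `/data/*.pw` on the persistent volume and never deletes them, `echo $ARGOCD_PW` and `su git -c 'echo $ARGOCD_PW'` print a password into the container log, and the `git push http://shodan:$SHODAN_PW@localhost:3000/...` URL puts it on a command line; drop the echoes, remove the `.pw` files once the users exist, and prefer a credential helper or stdin for the push. The script also fetches `tea` and `ctea` over plain HTTP from aux-balancer with no checksum and runs them as root, and `--skip-tls-verify` on the StartTLS LDAP bind disables certificate validation on the connection that carries `--bind-password`; fetch the binaries over HTTPS with a pinned checksum (or bake them into the image) and drop `--skip-tls-verify` once the LDAP certificate chain is trusted. `REVERSE_PROXY_TRUSTED_PROXIES = *` accepts X-Forwarded-For from any source, which with a ClusterIP Service reachable from every pod lets any in-cluster client choose the IP Gitea logs and rate-limits by, and `DISABLE_REGISTRATION = false` leaves self-registration open on an internet-facing instance that already has LDAP; restrict the former to the ingress controller's addresses and set the latter to `true`.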
diff --git a/gitea/ingress.yaml b/gitea/ingress.yaml
new file mode 100644
index 0000000..acab523
--- /dev/null
+++ b/gitea/ingress.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: gitea
+ namespace: gitea
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ cert-manager.io/cluster-issuer: letsencrypt
+
+spec:
+ tls:
+ - hosts:
+ - gitea.undercloud.cf
+ secretName: gitea-tls
+ rules:
+ - host: gitea.undercloud.cf
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: gitea
+ port:
+ number: 3000
\ No newline at end of file
diff --git a/gitea/namespace.yaml b/gitea/namespace.yaml
new file mode 100644
index 0000000..153c038
--- /dev/null
+++ b/gitea/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: gitea
+ labels:
+ prometheus: prometheus
\ No newline at end of file
diff --git a/gitea/secrets.yaml b/gitea/secrets.yaml
new file mode 100644
index 0000000..c5f078f
--- /dev/null
+++ b/gitea/secrets.yaml
@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: gitea-db
+ namespace: gitea
+type: Opaque
+data:
+ root.pw: dGhpc2lzYXB3
+ username: Z2l0ZWE=
+ user.pw: YW5kYW5vdGVyb25l
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: shodan
+ namespace: gitea
+type: Opaque
+data:
+ pw: NElzVGhlTWluZEtpbGxlcg==
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: argocd-user
+ namespace: gitea
+type: Opaque
+data:
+ pw: dW5zZWN1cmVwdw==
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: gitea-user
+ namespace: gitea
+type: Opaque
+data:
+ pw: Z2l0ZWFzZWN1cmVQVw==
\ No newline at end of file
diff --git a/gitea/service-monitor.yaml b/gitea/service-monitor.yaml
new file mode 100644
index 0000000..f38f8c9
--- /dev/null
+++ b/gitea/service-monitor.yaml
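Review bot: `kubernetes.io/ingress.class: nginx` is the deprecated annotation form; with `networking.k8s.io/v1` the class belongs in the spec as `ingressClassName: nginx`, and newer ingress-nginx releases may ignore the annotation. The single `/` Prefix rule publishes the whole Gitea surface at gitea.undercloud.cf, including `/metrics`, which gitea.yaml enables under `[metrics]` with no `TOKEN`; either set `[metrics] TOKEN` so the scrape endpoint needs a bearer token, or deny `/metrics` at the ingress. Note that the Service's port 22 cannot be carried by an HTTP Ingress, so SSH clone still needs a separate LoadBalancer/NodePort or a TCP-services entry on the controller.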
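Review bot: secrets.yaml commits five live credentials to the repository; base64 in a Secret's `data` is an encoding, not protection, so `root.pw`, `username`, `user.pw` and the three `pw` values are readable by anyone with read access to the repo and stay in history after removal. Manage them outside git — SealedSecrets, External Secrets Operator, SOPS, or Secrets created out-of-band that these manifests only reference by name — and rotate all of them now, including the LDAP bind password in `gitea-user`, which startup.sh passes to `--bind-password`, and the `shodan` admin password. The `argocd-user` value is the password startup.sh assigns to the `argocd` Gitea account, so it is also a credential for the deployment pipeline.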
@@ -0,0 +1,19 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: gitea-metrics
+ namespace: gitea
+ labels:
+ team: undercloud
+spec:
+ #namespaceSelector:
+ # matchNames:
+ # - argocd-metrics
+ selector:
+ matchLabels:
+ app: gitea
+ endpoints:
+ - port: http
+ #path: /metrics
+ interval: 5s
+
diff --git a/terraform/.DS_Store b/terraform/.DS_Store
new file mode 100644
index 0000000..1848649
Binary files /dev/null and b/terraform/.DS_Store differ
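Review bot: The endpoint scrapes `port: http` with no authorization, and gitea.yaml enables `[metrics]` without a `TOKEN`, so the metrics are readable by every pod that can reach the gitea Service and, through the Ingress, by the internet; set `[metrics] TOKEN` from a Secret and reference that Secret here with `bearerTokenSecret:` (`name`/`key`) so only Prometheus can scrape. `interval: 5s` is an unusually aggressive scrape for an application endpoint and adds steady load on Gitea for little benefit; 30s–60s is the usual range. With `path` commented out the default `/metrics` applies, which matches Gitea, so the comment can go.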