2025-08-27 18:37:54 +02:00
parent b0c5bb4a4d
commit 23ef2ce590
12 changed files with 759 additions and 0 deletions

BIN
.DS_Store vendored

Binary file not shown.

BIN
gitea/.DS_Store vendored Normal file

Binary file not shown.

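--- a/gitea/README.md
+++ b/gitea/README.md
@@ -0,0 +1,10 @@
+# Undercloud Gitea
+## git
+main repo for kubernetes apps
+the root url has been changed. check for errors or problems
+improvements:
+ldap group import (no cli command...)
+ldap avatars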

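--- a/gitea/adminer.yaml
+++ b/gitea/adminer.yaml
@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: adminer
+namespace: gitea
+labels:
+app: adminer
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: adminer
+template:
+metadata:
+labels:
+app: adminer
+spec:
+containers:
+- name: adminer
+image: adminer
+imagePullPolicy: IfNotPresent
+env:
+- name: ADMINER_DEFAULT_SERVER
+value: db
+ports:
+- containerPort: 8080
+protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: adminer
+namespace: gitea
+spec:
+internalTrafficPolicy: Cluster
+ipFamilies:
+- IPv6
+ipFamilyPolicy: SingleStack
+ports:
+- name: http
+port: 8080
+protocol: TCP
+targetPort: 8080
+selector:
+app: adminer
+sessionAffinity: None
+type: ClusterIP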
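Review bot: The container's `image: adminer` carries no tag or digest, so each node pulls whatever `latest` resolves to on first pull and `IfNotPresent` then freezes every node on a different, unreviewed build of a tool whose whole purpose is accepting database credentials over plain HTTP. Pin it (`image: adminer:<tag>@sha256:<digest>`), and since the Service makes the UI reachable from any pod in the cluster and this commit adds no NetworkPolicy, either restrict ingress to it or avoid running it as a permanent Deployment at all. A `securityContext` (`runAsNonRoot: true`, `readOnlyRootFilesystem: true`) and resource limits would also be expected on an auxiliary like this.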

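--- a/gitea/db.yaml
+++ b/gitea/db.yaml
@@ -0,0 +1,216 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+name: db
+# Change "rook-ceph" provisioner prefix to match the operator namespace if needed
+provisioner: rook-ceph.cephfs.csi.ceph.com
+parameters:
+# clusterID is the namespace where the rook cluster is running
+# If you change this namespace, also change the namespace below where the secret namespaces are defined
+clusterID: rook-ceph
+# CephFS filesystem name into which the volume shall be created
+fsName: gitea
+# Ceph pool into which the volume shall be created
+# Required for provisionVolume: "true"
+pool: gitea-replicated
+# The secrets contain Ceph admin credentials. These are generated automatically by the operator
+# in the same namespace as the cluster.
+csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner
+csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
+csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner
+csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
+csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node
+csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
+reclaimPolicy: Delete
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+name: db
+namespace: gitea
+spec:
+accessModes:
+- ReadWriteMany
+resources:
+requests:
+storage: 16Gi
+storageClassName: db
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: db
+namespace: gitea
+labels:
+app: db
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: db
+template:
+metadata:
+labels:
+app: db
+spec:
+containers:
+- name: db
+image: mariadb:10.5
+imagePullPolicy: "IfNotPresent"
+ports:
+- name: mysql
+containerPort: 3306
+env:
+- name: MARIADB_ROOT_PASSWORD
+valueFrom:
+secretKeyRef:
+name: gitea-db
+key: root.pw
+- name: MARIADB_USER
+valueFrom:
+secretKeyRef:
+name: gitea-db
+key: username
+optional: false
+- name: MARIADB_PASSWORD
+valueFrom:
+secretKeyRef:
+name: gitea-db
+key: user.pw
+optional: false
+- name: MARIADB_DATABASE
+value: gitea
+#livenessProbe:
+# exec:
+# command: ["sh", "-c", "exec mysqladmin status -uroot -p$MARIADB_ROOT_PASSWORD"]
+# initialDelaySeconds: 120
+# periodSeconds: 10
+# timeoutSeconds: 1
+# successThreshold: 1
+# failureThreshold: 3
+#readinessProbe:
+# exec:
+# command: ["sh", "-c", "exec mysqladmin status -uroot -p$MARIADB_ROOT_PASSWORD"]
+# initialDelaySeconds: 30
+# periodSeconds: 10
+# timeoutSeconds: 1
+# successThreshold: 1
+# failureThreshold: 3
+volumeMounts:
+- mountPath: /var/lib/mysql
+name: data
+volumes:
+- name: data
+persistentVolumeClaim:
+claimName: db
+readOnly: false
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: db
+namespace: gitea
+spec:
+internalTrafficPolicy: Cluster
+ipFamilies:
+- IPv6
+ipFamilyPolicy: SingleStack
+ports:
+- name: mysql
+port: 3306
+protocol: TCP
+targetPort: 3306
+selector:
+app: db
+sessionAffinity: None
+type: ClusterIP
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+name: db-backup
+# Change "rook-ceph" provisioner prefix to match the operator namespace if needed
+provisioner: rook-ceph.cephfs.csi.ceph.com
+parameters:
+# clusterID is the namespace where the rook cluster is running
+# If you change this namespace, also change the namespace below where the secret namespaces are defined
+clusterID: rook-ceph
+# CephFS filesystem name into which the volume shall be created
+fsName: gitea
+# Ceph pool into which the volume shall be created
+# Required for provisionVolume: "true"
+pool: gitea-replicated
+# The secrets contain Ceph admin credentials. These are generated automatically by the operator
+# in the same namespace as the cluster.
+csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner
+csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
+csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner
+csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
+csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node
+csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
+reclaimPolicy: Delete
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+name: db-backup
+namespace: gitea
+spec:
+accessModes:
+- ReadWriteMany
+resources:
+requests:
+storage: 10Gi
+storageClassName: db-backup
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: db-backup
+namespace: gitea
+labels:
+app: db-backup
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: db-backup
+template:
+metadata:
+labels:
+app: db-backup
+spec:
+containers:
+- name: db-backup
+image: rsprta/mariadb-backup
+imagePullPolicy: "IfNotPresent"
+env:
+- name: CRON_TIMER
+value: "@daily"
+- name: MARIADB_HOST
+value: db
+- name: MARIADB_PASSWORD
+valueFrom:
+secretKeyRef:
+name: gitea-db
+key: root.pw
+- name: MARIADB_USER
+value: root
+- name: MARIADB_PORT
+value: "3306"
+volumeMounts:
+- mountPath: /backup
+name: backup
+volumes:
+- name: backup
+persistentVolumeClaim:
+claimName: db-backup
+readOnly: false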
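Review bot: The `db-backup` Deployment logs into MariaDB as `root` with `root.pw`, and does so from `rsprta/mariadb-backup`, an unpinned third-party image, so a compromised or merely updated image gets full control of the Gitea database rather than read access to it. Create a dedicated backup account with only what the image's dump tool needs (a plain `mysqldump` user typically needs `SELECT`, `LOCK TABLES`, `SHOW VIEW` and `TRIGGER`; check the image's documentation), store that in a separate Secret key, and pin the image by digest. Separately, the `db` Deployment mounts a `ReadWriteMany` CephFS volume at `/var/lib/mysql` under the default `RollingUpdate` strategy, so an image or env change can briefly run two MariaDB instances on the same data directory; add `strategy: type: Recreate` under the Deployment `spec`, or move it to a StatefulSet.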

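--- a/gitea/filesystem.yaml
+++ b/gitea/filesystem.yaml
@@ -0,0 +1,42 @@
+apiVersion: ceph.rook.io/v1
+kind: CephFilesystem
+metadata:
+name: gitea
+namespace: rook-ceph
+spec:
+metadataPool:
+failureDomain: host
+replicated:
+size: 3
+dataPools:
+- name: replicated
+failureDomain: host
+replicated:
+size: 3
+preserveFilesystemOnDelete: false
+metadataServer:
+activeCount: 1
+activeStandby: true
+placement:
+# nodeAffinity:
+# requiredDuringSchedulingIgnoredDuringExecution:
+# nodeSelectorTerms:
+# - matchExpressions:
+# - key: role
+# operator: In
+# values:
+# - mds-node
+tolerations:
+- key: node-role.kubernetes.io/storage-node
+operator: Exists
+effect: NoSchedule
+# podAffinity:
+# podAntiAffinity:
+# topologySpreadConstraints:
+#resources:
+# limits:
+# cpu: "80m"
+# memory: "1024Mi"
+# requests:
+# cpu: "500m"
+# memory: "1024Mi"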
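Review bot: `preserveFilesystemOnDelete: false` on the `gitea` CephFilesystem means that deleting this CR — or, since the README says this repo feeds a GitOps controller, presumably having it pruned after a bad commit — removes the metadata and data pools and with them every Gitea volume: the repositories, the MariaDB data directory and the `db-backup` PVC, all of which the StorageClasses in this commit place on the same `gitea-replicated` pool. Set `preserveFilesystemOnDelete: true`, and keep the database backups on storage that does not share a failure domain with the data they protect (a different pool or filesystem, or shipped off-cluster), otherwise the backup job only guards against logical errors, not storage loss.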

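--- a/gitea/gitea.yaml
+++ b/gitea/gitea.yaml
@@ -0,0 +1,357 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: app-ini
+namespace: gitea
+data:
+# file-like keys
+app.ini: |
+APP_NAME = Gitea: Undercloud Code Repository
+RUN_MODE = prod
+RUN_USER = git
+[repository]
+ROOT = /data/git/repositories
+ENABLE_PUSH_CREATE_USER=true
+ENABLE_PUSH_CREATE_ORG=true
+ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET=false
+[repository.local]
+LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
+[repository.upload]
+TEMP_PATH = /data/gitea/uploads
+[server]
+APP_DATA_PATH = /data/gitea
+DOMAIN = localhost
+SSH_DOMAIN = localhost
+HTTP_PORT = 3000
+ROOT_URL = https://gitea.undercloud.cf/
+DISABLE_SSH = false
+SSH_PORT = 22
+SSH_LISTEN_PORT = 22
+LFS_START_SERVER = true
+LFS_JWT_SECRET = LvgbTqg7kmthqjp39gQcTr1nhNgi13A7CNAPOmZHeAc
+OFFLINE_MODE = false
+[database]
+PATH = /data/gitea/gitea.db
+DB_TYPE = sqlite3
+HOST = localhost:3306
+NAME = gitea
+USER = root
+PASSWD =
+LOG_SQL = false
+SCHEMA =
+SSL_MODE = disable
+CHARSET = utf8
+[indexer]
+ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+[session]
+PROVIDER_CONFIG = /data/gitea/sessions
+PROVIDER = file
+[picture]
+AVATAR_UPLOAD_PATH = /data/gitea/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
+ENABLE_FEDERATED_AVATAR = false
+[attachment]
+PATH = /data/gitea/attachments
+[log]
+MODE = console
+LEVEL = info
+ROUTER = console
+ROOT_PATH = /data/gitea/log
+[security]
+INSTALL_LOCK = true
+SECRET_KEY =
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = *
+INTERNAL_TOKEN = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE2NzI2MTA0MzB9.MnlX0rQXUl9QQTc2Hy878Tp2SqKRCDwcl9Y6rX2d4t0
+PASSWORD_HASH_ALGO = pbkdf2
+[service]
+DISABLE_REGISTRATION = false
+REQUIRE_SIGNIN_VIEW = false
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = false
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = false
+DEFAULT_KEEP_EMAIL_PRIVATE = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = noreply.localhost
+[lfs]
+PATH = /data/git/lfs
+[mailer]
+ENABLED = false
+[openid]
+ENABLE_OPENID_SIGNIN = true
+ENABLE_OPENID_SIGNUP = true
+[repository.pull-request]
+DEFAULT_MERGE_STYLE = merge
+[repository.signing]
+DEFAULT_TRUST_MODEL = committer
+[metrics]
+ENABLED=true
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: startup
+namespace: gitea
+data:
+startup.sh: |
+#!/bin/sh
+echo "startup..."
+if test ! -f "/data/startup.ran"; then
+echo "waiting 60s for startup..."
+sleep 60s
+echo "writing pw to files"
+echo $SHODAN_PW > /data/shodan.pw
+echo $ARGOCD_PW > /data/argocd.pw
+echo $GITEA_PW > /data/gitea.pw
+echo "creating users..."
+echo $ARGOCD_PW
+su git -c 'echo $ARGOCD_PW'
+su git -c 'SHODAN_PW=`cat /data/shodan.pw` && gitea admin user create --username shodan --admin --password $SHODAN_PW --email thrawn235@gmail.com'
+su git -c 'ARGOCD_PW=`cat /data/argocd.pw` && gitea admin user create --username argocd --password $ARGOCD_PW --email argocd@undercloud.cf --must-change-password=false'
+su git -c 'GITEA_PW=`cat /data/gitea.pw` && gitea admin auth add-ldap --name ldap --security-protocol StartTLS --host ldap.undercloud.cf. --port 389 --user-search-base "ou=users,dc=undercloud,dc=cf" --user-filter "(&(objectClass=person)(uid=%s))" --admin-filter "(&(memberOf=cn=gitea-admins,ou=groups,dc=undercloud,dc=cf))" --email-attribute mail --avatar-attribute jpegPhoto --synchronize-users --skip-tls-verify --username-attribute uid --bind-dn "cn=gitea,ou=serviceaccounts,ou=users,dc=undercloud,dc=cf" --bind-password $GITEA_PW --attributes-in-bind --firstname-attribute cn --surname-attribute sn'
+sleep 30s
+echo "wget tea..."
+wget http://aux-balancer.undercloud.cf.:3000/undercloud/kube-binaries/raw/branch/main/tea
+echo "wget ctea..."
+wget http://aux-balancer.undercloud.cf.:3000/undercloud/kube-binaries/raw/branch/main/ctea
+chmod +x tea
+chmod +x ctea
+#echo "using tea to create login..."
+#./tea login add --url http://localhost:3000 -i --user shodan --password $SHODAN_PW
+#./tea login default localhost:3000
+echo "creating undercloud organisation"
+sleep 30s
+#./tea organization create undercloud
+./ctea --username shodan --password $SHODAN_PW --url http://localhost:3000 CreateOrg undercloud
+sleep 5s
+echo "creating undercloud team"
+./ctea --username shodan --password $SHODAN_PW --url http://localhost:3000 CreateTeam undercloud undercloud
+sleep 5s
+echo "add argocd to undercloud team"
+./ctea --username shodan --password $SHODAN_PW --url http://localhost:3000 AddUserToTeam undercloud undercloud argocd
+sleep 5s
+echo "cloning k8aux-apps"
+execline-cd /data git clone http://aux-balancer.undercloud.cf.:3000/undercloud/k8aux-apps.git
+execline-cd /data/k8aux-apps rm -Rf .git
+execline-cd /data/k8aux-apps git init
+execline-cd /data/k8aux-apps git config --global user.email "thrawn235@gmail.com"
+execline-cd /data/k8aux-apps git config --global user.name "shodan"
+execline-cd /data/k8aux-apps git add .
+execline-cd /data/k8aux-apps git commit -m "upload"
+echo "push k8aux-apps to localhost"
+execline-cd /data/k8aux-apps git push http://shodan:$SHODAN_PW@localhost:3000/undercloud/k8aux-apps.git --all
+echo "delete local copy..."
+#execline-cd /data rm -Rf k8aux-apps
+echo "create PushMirror.."
+./ctea --username shodan --password $SHODAN_PW --url http://localhost:3000 AddPushMirror undercloud k8aux-apps "http://aux1.undercloud.cf.:3000/undercloud/k8aux-apps.git" shodan $SHODAN_PW 1h0m0s
+./ctea --username shodan --password $SHODAN_PW --url http://localhost:3000 AddPushMirror undercloud k8aux-apps "http://aux2.undercloud.cf.:3000/undercloud/k8aux-apps.git" shodan $SHODAN_PW 1h0m0s
+echo "create startup.ran file..."
+touch /data/startup.ran
+else
+echo "startup ran already!"
+fi
+echo "startup done."
+#exit 123
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+name: gitea
+# Change "rook-ceph" provisioner prefix to match the operator namespace if needed
+provisioner: rook-ceph.cephfs.csi.ceph.com
+parameters:
+# clusterID is the namespace where the rook cluster is running
+# If you change this namespace, also change the namespace below where the secret namespaces are defined
+clusterID: rook-ceph
+# CephFS filesystem name into which the volume shall be created
+fsName: gitea
+# Ceph pool into which the volume shall be created
+# Required for provisionVolume: "true"
+pool: gitea-replicated
+# The secrets contain Ceph admin credentials. These are generated automatically by the operator
+# in the same namespace as the cluster.
+csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner
+csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
+csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner
+csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
+csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node
+csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
+reclaimPolicy: Delete
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+name: gitea
+namespace: gitea
+spec:
+accessModes:
+- ReadWriteMany
+resources:
+requests:
+storage: 32Gi
+storageClassName: gitea
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: gitea
+namespace: gitea
+labels:
+app: gitea
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: gitea
+template:
+metadata:
+labels:
+app: gitea
+spec:
+initContainers:
+- name: copyappini
+image: gitea/gitea:1.19
+command: ["bash", "-c", "mkdir -p /data/gitea/conf && cp -f /copy/app.ini /data/gitea/conf/app.ini"]
+volumeMounts:
+- mountPath: /data
+name: data
+- mountPath: /copy
+name: app-ini
+containers:
+- name: gitea
+image: gitea/gitea:1.19
+imagePullPolicy: IfNotPresent
+ports:
+- containerPort: 3000
+- containerPort: 22
+#lifecycle:
+# postStart:
+# exec:
+# command:
+# - "/bin/startup.sh"
+env:
+- name: USER_UID
+value: "1000"
+- name: USER_GID
+value: "1000"
+- name: GITEA__database__DB_TYPE
+value: mysql
+- name: GITEA__database__HOST
+value: db:3306
+- name: GITEA__database__NAME
+value: gitea
+- name: GITEA__database__USER
+valueFrom:
+secretKeyRef:
+name: gitea-db
+key: username
+optional: false
+- name: GITEA__database__PASSWD
+valueFrom:
+secretKeyRef:
+name: gitea-db
+key: user.pw
+optional: false
+- name: SHODAN_PW
+valueFrom:
+secretKeyRef:
+name: shodan
+key: pw
+optional: false
+- name: ARGOCD_PW
+valueFrom:
+secretKeyRef:
+name: argocd-user
+key: pw
+optional: false
+- name: GITEA_PW
+valueFrom:
+secretKeyRef:
+name: gitea-user
+key: pw
+optional: false
+livenessProbe:
+httpGet:
+path: /api/healthz
+port: http
+initialDelaySeconds: 200
+timeoutSeconds: 5
+periodSeconds: 10
+successThreshold: 1
+failureThreshold: 10
+volumeMounts:
+- mountPath: /data
+name: data
+- mountPath: /bin/startup.sh
+name: startup
+subPath: startup.sh
+volumes:
+- name: data
+persistentVolumeClaim:
+claimName: gitea
+readOnly: false
+- name: app-ini
+configMap:
+name: app-ini
+items:
+- key: "app.ini"
+path: "app.ini"
+- name: startup
+configMap:
+name: startup
+defaultMode: 0700
+items:
+- key: "startup.sh"
+path: "startup.sh"
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: gitea
+namespace: gitea
+labels:
+app: gitea
+spec:
+internalTrafficPolicy: Cluster
+ipFamilies:
+- IPv6
+- IPv4
+ipFamilyPolicy: PreferDualStack
+ports:
+- name: http
+port: 3000
+protocol: TCP
+targetPort: 3000
+- name: ssh
+port: 22
+protocol: TCP
+targetPort: 22
+selector:
+app: gitea
+sessionAffinity: None
+type: ClusterIP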
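Review bot: The `app-ini` ConfigMap commits live credentials to the repository: `LFS_JWT_SECRET` and `INTERNAL_TOKEN` are hard-coded, and the latter is what `gitea serv` and the git hooks use to authenticate to the internal API, so anyone who can read this repo can mint LFS tokens and call internal routes; rotate both and inject them the way `GITEA__database__PASSWD` already is, as `GITEA__server__LFS_JWT_SECRET` and `GITEA__security__INTERNAL_TOKEN` from a `secretKeyRef`, and set `SECRET_KEY` the same way instead of leaving it empty (as far as I recall, 1.19 still falls back to a published default for an empty `SECRET_KEY` — worth confirming). The `[service]` block behind the public Ingress leaves `DISABLE_REGISTRATION = false` together with `REGISTER_EMAIL_CONFIRM = false`, `ENABLE_CAPTCHA = false` and `ENABLE_OPENID_SIGNUP = true`, and the `add-ldap` call pairs StartTLS with `--skip-tls-verify`, so the `cn=gitea` bind password is handed to whoever answers on port 389. `startup.sh` prints `$ARGOCD_PW` to the container log on two lines, leaves the three `.pw` files on the persistent volume, puts the admin password on `ctea` command lines, in the `git push` URL and in the plain-HTTP push mirrors to `aux1`/`aux2`, and runs `tea`/`ctea` fetched over HTTP with no checksum; drop the echoes, `rm /data/*.pw` before `touch /data/startup.ran`, and verify a pinned `sha256sum` before `chmod +x`. The script looks intended for manual use since the `postStart` hook is commented out, but it is still mounted executable in every pod with all five passwords in its environment. Unrelated but blocking: the `livenessProbe` uses `port: http` while neither `containerPort` is named, so the kubelet cannot resolve it and will restart the container once the 200 s delay passes — use `port: 3000` or add `name: http` to the 3000 port.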

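--- a/gitea/ingress.yaml
+++ b/gitea/ingress.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+name: gitea
+namespace: gitea
+annotations:
+kubernetes.io/ingress.class: nginx
+cert-manager.io/cluster-issuer: letsencrypt
+spec:
+tls:
+- hosts:
+- gitea.undercloud.cf
+secretName: gitea-tls
+rules:
+- host: gitea.undercloud.cf
+http:
+paths:
+- path: /
+pathType: Prefix
+backend:
+service:
+name: gitea
+port:
+number: 3000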
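Review bot: The `kubernetes.io/ingress.class` annotation has been deprecated since Kubernetes 1.18 in favour of `spec.ingressClassName: nginx`; a controller configured to honour only the class field ignores this Ingress silently, which is an awkward failure mode for the front door of a GitOps source. Because the backend's `app.ini` in this commit enables open registration and an unauthenticated `/metrics` endpoint, this object is also the natural place to add the controller's rate limiting and, if the deployment allows it, a deny for `/metrics`; those are ingress-nginx-specific annotations, so I am flagging the need rather than guessing at their exact names.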

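--- a/gitea/namespace.yaml
+++ b/gitea/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+name: gitea
+labels:
+prometheus: prometheus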
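Review bot: The `gitea` Namespace carries only a `prometheus` label, so nothing in this commit bounds what pods in it may request, even though the Gitea container presumably runs as root (its `startup.sh` does `su git`). Add Pod Security Admission labels, at least `pod-security.kubernetes.io/enforce: baseline` with `pod-security.kubernetes.io/warn: restricted` and `pod-security.kubernetes.io/audit: restricted`, so that a future manifest asking for `privileged`, `hostPath` or `hostNetwork` is rejected while the current workloads, which request none of those, should still be admitted.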

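--- a/gitea/secrets.yaml
+++ b/gitea/secrets.yaml
@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Secret
+metadata:
+name: gitea-db
+namespace: gitea
+type: Opaque
+data:
+root.pw: dGhpc2lzYXB3
+username: Z2l0ZWE=
+user.pw: YW5kYW5vdGVyb25l
+---
+apiVersion: v1
+kind: Secret
+metadata:
+name: shodan
+namespace: gitea
+type: Opaque
+data:
+pw: NElzVGhlTWluZEtpbGxlcg==
+---
+apiVersion: v1
+kind: Secret
+metadata:
+name: argocd-user
+namespace: gitea
+type: Opaque
+data:
+pw: dW5zZWN1cmVwdw==
+---
+apiVersion: v1
+kind: Secret
+metadata:
+name: gitea-user
+namespace: gitea
+type: Opaque
+data:
+pw: Z2l0ZWFzZWN1cmVQVw==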
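Review bot: Every credential this stack depends on — the MariaDB `root.pw` and `user.pw`, and the `shodan` admin, `argocd` and LDAP bind (`gitea-user`) passwords — is committed here as a plain `Secret`, and base64 in `data:` is an encoding, not protection, so anyone with read access to this repository and its history has all of them for good. Treat the five passwords as burned: rotate them, and keep only an encrypted or indirected form in git (SealedSecrets, SOPS-encrypted manifests, or an ExternalSecret pointing at a vault) with the plaintext Secret created out-of-band. Several of the values also decode to short phrases rather than generated secrets; when rotating, generate them (`openssl rand -base64 32`) instead of choosing them.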


@@ -0,0 +1,19 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: gitea-metrics
namespace: gitea
labels:
team: undercloud
spec:
#namespaceSelector:
# matchNames:
# - argocd-metrics
selector:
matchLabels:
app: gitea
endpoints:
- port: http
#path: /metrics
interval: 5s
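Review bot: This ServiceMonitor scrapes the `http` port of the `gitea` Service, i.e. Gitea's `/metrics`, which the accompanying `app.ini` enables with `[metrics] ENABLED=true` and no `TOKEN`; that is the same port the public Ingress forwards, so the metrics (repository, user and issue counts plus Go runtime internals) are readable by anyone at `https://gitea.undercloud.cf/metrics` unless something outside this commit blocks the path. Set `TOKEN` under `[metrics]` from a Secret and reference it on this endpoint with `bearerTokenSecret: {name: <secret>, key: <key>}` (or `authorization.credentials` on newer operators). `interval: 5s` is also unusually aggressive for an application this size; 30s is the common default, and the shorter interval mainly inflates TSDB churn. The rendered page has dropped this file's header, so I cannot confirm which manifest it is.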

BIN
terraform/.DS_Store vendored Normal file

Binary file not shown.