Add Gitea self-hosted git/CI/registry to replace GitHub

Deploy Gitea via Helm with dedicated CloudNativePG database,
in-cluster Actions runner (DinD), and built-in container registry.
ArgoCD repoURLs updated to use in-cluster Gitea SSH. Preview
ApplicationSet switched from GitHub PR generator to Gitea PR
generator. App images now pull from gitea.coreworlds.io registry.

Remaining setup after deploy: seal runner token, ArgoCD API token,
and registry pull secret once Gitea is running. Add ArgoCD deploy
key to Gitea repo settings.
Julia McGhee
2026-03-21 15:43:30 +00:00
parent 06ae2c7d46
commit f04ecbf5cd
36 changed files with 640 additions and 52 deletions

.gitea/workflows/ci.yaml Normal file

@@ -0,0 +1,87 @@
name: CI
on:
pull_request:
branches: [main]
push:
branches: [main]
concurrency:
group: ${{ gitea.workflow }}-${{ gitea.ref }}
cancel-in-progress: true
jobs:
changes:
runs-on: ubuntu-latest
outputs:
apps: ${{ steps.filter.outputs.apps }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Detect changed apps
id: filter
run: |
if [ "${{ gitea.event_name }}" = "pull_request" ]; then
CHANGED=$(git diff --name-only origin/main...HEAD)
else
CHANGED=$(git diff --name-only HEAD~1)
fi
APPS="[]"
for app in web api harness; do
if echo "$CHANGED" | grep -qE "^(apps/${app}/|packages/)"; then
APPS=$(echo "$APPS" | jq -c ". + [\"${app}\"]")
fi
done
echo "apps=$APPS" >> "$GITHUB_OUTPUT"
lint-and-test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: pnpm/action-setup@v4
- uses: actions/setup-node@v4
with:
node-version: 20
cache: pnpm
- run: pnpm install --frozen-lockfile
- run: pnpm turbo lint test
build:
needs: [changes, lint-and-test]
runs-on: ubuntu-latest
if: needs.changes.outputs.apps != '[]'
strategy:
matrix:
app: ${{ fromJson(needs.changes.outputs.apps) }}
steps:
- uses: actions/checkout@v4
- uses: pnpm/action-setup@v4
- uses: actions/setup-node@v4
with:
node-version: 20
cache: pnpm
- run: pnpm install --frozen-lockfile
- run: pnpm turbo build --filter=@homelab/${{ matrix.app }}
- name: Build Docker image
run: |
docker build \
-t gitea.coreworlds.io/julia/homelab-${{ matrix.app }}:${{ gitea.sha }} \
-t gitea.coreworlds.io/julia/homelab-${{ matrix.app }}:pr-${{ gitea.event.number }} \
apps/${{ matrix.app }}
- name: Push to registry
if: gitea.event_name == 'push' || gitea.event_name == 'pull_request'
run: |
echo "${{ secrets.GITEA_TOKEN }}" | docker login gitea.coreworlds.io -u ${{ gitea.actor }} --password-stdin
docker push gitea.coreworlds.io/julia/homelab-${{ matrix.app }}:${{ gitea.sha }}
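Review bot: The `if:` on the "Push to registry" step is a tautology, because the workflow only triggers on `push` and `pull_request`, so every PR build pushes to the registry that production pulls from using `secrets.GITEA_TOKEN`; meanwhile the `pr-<n>` tag built in the previous step is never pushed, and push events build a meaningless `pr-` tag since `gitea.event.number` is empty there. Restrict it to `if: gitea.event_name == 'push' && gitea.ref == 'refs/heads/main'` and replace `-u ${{ gitea.actor }}` with the fixed account the token belongs to, since the actor on a PR may be a different user and the login would fail (or, worse, succeed for the wrong identity). Pass the token through `env:` instead of interpolating `${{ secrets.GITEA_TOKEN }}` into the shell script, and pin `actions/checkout@v4`, `pnpm/action-setup@v4` and `actions/setup-node@v4` to commit SHAs, since with `DEFAULT_ACTIONS_URL: github` they are downloaded from github.com on every job.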


@@ -0,0 +1,64 @@
name: Deploy Preview
on:
pull_request:
types: [opened, synchronize, reopened]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: pnpm/action-setup@v4
- uses: actions/setup-node@v4
with:
node-version: 20
cache: pnpm
- run: pnpm install --frozen-lockfile
- name: Determine changed apps
id: changes
run: |
APPS=$(pnpm turbo build --filter='...[origin/main]' --dry-run=json | jq -r '[.packages[] | select(startswith("@homelab/")) | sub("@homelab/";"") ] | join(",")')
echo "apps=$APPS" >> "$GITHUB_OUTPUT"
- name: Build and push images
if: steps.changes.outputs.apps != ''
run: |
echo "${{ secrets.GITEA_TOKEN }}" | docker login gitea.coreworlds.io -u ${{ gitea.actor }} --password-stdin
IFS=',' read -ra APPS <<< "${{ steps.changes.outputs.apps }}"
for app in "${APPS[@]}"; do
docker build \
-t gitea.coreworlds.io/julia/homelab-${app}:${{ gitea.sha }} \
apps/${app}
docker push gitea.coreworlds.io/julia/homelab-${app}:${{ gitea.sha }}
done
- name: Update image tags in preview overlay
if: steps.changes.outputs.apps != ''
run: |
IFS=',' read -ra APPS <<< "${{ steps.changes.outputs.apps }}"
for app in "${APPS[@]}"; do
cd apps/${app}/k8s/overlays/preview
kustomize edit set image gitea.coreworlds.io/julia/homelab-${app}=gitea.coreworlds.io/julia/homelab-${app}:${{ gitea.sha }}
cd -
done
- name: Comment preview URL
uses: actions/github-script@v7
with:
script: |
const { owner, repo } = context.repo;
const issue_number = context.issue.number;
const body = `## Preview Deploy\nNamespace: \`preview-${issue_number}\`\nArgoCD will sync automatically from branch \`${context.payload.pull_request.head.ref}\`.`;
await fetch(`${process.env.GITHUB_API_URL}/repos/${owner}/${repo}/issues/${issue_number}/comments`, {
method: 'POST',
headers: {
'Authorization': `token ${process.env.GITHUB_TOKEN}`,
'Content-Type': 'application/json'
},
body: JSON.stringify({ body })
});
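Review bot: The "Update image tags in preview overlay" step edits `apps/<app>/k8s/overlays/preview` in the runner's checkout but nothing commits or pushes the change, so the preview Application (which syncs `{{ .branch }}`, as the comment body itself says) keeps whatever tag is already in the branch and the `${{ gitea.sha }}` image pushed just before is never deployed. Either add a commit/push step like the one in the production workflow on this page, guarded so the bot push does not re-trigger `synchronize`, or drop the edit. `--filter='...[origin/main]'` in "Determine changed apps" also needs `fetch-depth: 0` on the checkout (ci.yaml sets it; this file does not), otherwise `origin/main` is absent from the shallow clone. The `docker login` line has the same token/actor mismatch as ci.yaml, and it is worth confirming which pull_request events Gitea exposes repository secrets to before building and pushing images from PR runs.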


@@ -0,0 +1,59 @@
name: Deploy Production
on:
push:
branches: [main]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: pnpm/action-setup@v4
- uses: actions/setup-node@v4
with:
node-version: 20
cache: pnpm
- run: pnpm install --frozen-lockfile
- name: Determine changed apps
id: changes
run: |
APPS=$(pnpm turbo build --filter='...[HEAD~1]' --dry-run=json | jq -r '[.packages[] | select(startswith("@homelab/")) | sub("@homelab/";"") ] | join(",")')
echo "apps=$APPS" >> "$GITHUB_OUTPUT"
- name: Build and push images
if: steps.changes.outputs.apps != ''
run: |
echo "${{ secrets.GITEA_TOKEN }}" | docker login gitea.coreworlds.io -u ${{ gitea.actor }} --password-stdin
IFS=',' read -ra APPS <<< "${{ steps.changes.outputs.apps }}"
for app in "${APPS[@]}"; do
docker build \
-t gitea.coreworlds.io/julia/homelab-${app}:${{ gitea.sha }} \
-t gitea.coreworlds.io/julia/homelab-${app}:latest \
apps/${app}
docker push gitea.coreworlds.io/julia/homelab-${app}:${{ gitea.sha }}
docker push gitea.coreworlds.io/julia/homelab-${app}:latest
done
- name: Update image tags in production overlay
if: steps.changes.outputs.apps != ''
run: |
IFS=',' read -ra APPS <<< "${{ steps.changes.outputs.apps }}"
for app in "${APPS[@]}"; do
cd apps/${app}/k8s/overlays/production
kustomize edit set image gitea.coreworlds.io/julia/homelab-${app}=gitea.coreworlds.io/julia/homelab-${app}:${{ gitea.sha }}
cd -
done
- name: Commit image tag updates
if: steps.changes.outputs.apps != ''
run: |
git config user.name "gitea-actions[bot]"
git config user.email "gitea-actions[bot]@coreworlds.io"
git add apps/*/k8s/overlays/production/
git diff --staged --quiet || git commit -m "deploy: update production images to ${{ gitea.sha }}"
git push
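Review bot: "Commit image tag updates" pushes a bot commit to `main`, and this workflow triggers on every push to `main`, so unless Gitea suppresses runs for pushes made with the job token the bot commit starts a second run; because the overlays live under `apps/<app>/`, turbo's `...[HEAD~1]` filter will likely see the app as changed again, rebuild, retag to the new sha and commit once more, looping indefinitely. Add `paths-ignore: ['apps/*/k8s/overlays/production/**']` to the `push:` trigger, or skip the job when the head commit message starts with `deploy: update production images`, and verify on the first deploy that no second run appears. `--filter='...[HEAD~1]'` also requires at least `fetch-depth: 2` on `actions/checkout@v4`, whose default depth-1 clone has no `HEAD~1`. The same docker-login token/actor note as in ci.yaml applies here.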


@@ -10,7 +10,7 @@ GitOps via ArgoCD, bare-metal provisioning via Ansible, Turborepo for app builds
- **Infrastructure**: k3s, ArgoCD, Ansible
- **Platform**: Traefik, cert-manager, CloudNativePG, Valkey, Longhorn, Sealed Secrets
- **Observability**: kube-prometheus-stack, Loki, Promtail, Grafana
- **CI/CD**: GitHub Actions → ghcr.io → ArgoCD
- **CI/CD**: Gitea Actions → gitea.coreworlds.io registry → ArgoCD
- **Task Runner**: Taskfile (go-task)
## Directory Structure
@@ -28,7 +28,9 @@ GitOps via ArgoCD, bare-metal provisioning via Ansible, Turborepo for app builds
- Secrets are sealed with kubeseal before committing
- Branch deploys create `preview-<PR#>` namespaces automatically
- Use `task <command>` for all operations (see Taskfile.yaml)
- Docker images tagged with git SHA, pushed to ghcr.io
- Docker images tagged with git SHA, pushed to gitea.coreworlds.io registry
- Git hosted on self-hosted Gitea, GitHub is a read-only push mirror
- Gitea Actions runners: in-cluster (amd64), Mac (arm64), Windows (WSL2)
## Common Commands
```bash


@@ -95,6 +95,40 @@ tasks:
cmds:
- kubectl port-forward -n platform svc/homelab-pg-rw 5432:5432
# Gitea
gitea:status:
desc: Check Gitea runners and mirror sync status
cmds:
- |
echo "=== Gitea Runners ==="
curl -s -H "Authorization: token $(kubectl get secret argocd-gitea-token -n argocd -o jsonpath='{.data.token}' | base64 -d)" \
https://gitea.coreworlds.io/api/v1/admin/runners | jq '.[] | {name, online, labels}'
echo ""
echo "=== Mirror Sync ==="
curl -s -H "Authorization: token $(kubectl get secret argocd-gitea-token -n argocd -o jsonpath='{.data.token}' | base64 -d)" \
https://gitea.coreworlds.io/api/v1/repos/julia/homelab | jq '{mirror: .mirror, mirror_updated: .mirror_updated}'
gitea:runner:register:
desc: Register an external Gitea Actions runner
cmds:
- |
echo "Run on the target machine:"
echo " act_runner register --instance https://gitea.coreworlds.io --token <TOKEN> --labels '<labels>'"
echo ""
echo "Labels:"
echo " Mac: macos-arm64:host,arm64:host,self-hosted:host"
echo " Windows: windows:host,wsl2:host,self-hosted:host"
gitea:runner:mac:start:
desc: Start Gitea runner on Mac (run on Mac)
cmds:
- act_runner daemon
gitea:runner:mac:stop:
desc: Stop Gitea runner on Mac (run on Mac)
cmds:
- pkill act_runner || true
# Linting
lint:ansible:
desc: Lint Ansible playbooks
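Review bot: `gitea:status` reads the `argocd-gitea-token` secret, which is sealed for the ArgoCD PR generator, and uses it against `/api/v1/admin/runners`; that endpoint needs an admin-scoped token, so the credential stored in the `argocd` namespace has to be far more privileged than ArgoCD's read-only PR listing requires. Issue a separate token for these operator-side admin queries and keep the ArgoCD one at the minimum Gitea scope for reading repository pull requests. Both `curl` invocations also put the token on the command line, where it is visible to any process listing on the operator's machine; reading the header from a file (`-H @<header-file>`) or from a `--config` fed via stdin avoids that.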


@@ -15,10 +15,10 @@ spec:
app: api
spec:
imagePullSecrets:
- name: ghcr-pull-secret
- name: gitea-pull-secret
containers:
- name: api
image: ghcr.io/lazorgurl/homelab-api:latest
image: gitea.coreworlds.io/julia/homelab-api:latest
ports:
- containerPort: 4000
name: http


@@ -1,14 +0,0 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: ghcr-pull-secret
namespace: apps
spec:
encryptedData:
.dockerconfigjson: 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
template:
metadata:
name: ghcr-pull-secret
namespace: apps
type: kubernetes.io/dockerconfigjson


@@ -0,0 +1,22 @@
# PLACEHOLDER: Re-seal with Gitea registry credentials
# kubectl create secret docker-registry gitea-pull-secret \
# --namespace apps \
# --docker-server=gitea.coreworlds.io \
# --docker-username=julia \
# --docker-password=<token> \
# --dry-run=client -o yaml | kubeseal --format yaml \
# --controller-namespace kube-system --controller-name sealed-secrets-helm
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: gitea-pull-secret
namespace: apps
spec:
encryptedData:
.dockerconfigjson: PLACEHOLDER_SEAL_ME
template:
metadata:
name: gitea-pull-secret
namespace: apps
type: kubernetes.io/dockerconfigjson
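Review bot: `.dockerconfigjson: PLACEHOLDER_SEAL_ME` is not valid sealed ciphertext, and the file is already wired into the kustomization and referenced by the api Deployment's `imagePullSecrets`, so until it is re-sealed the sealed-secrets controller will reject the object and api pods will likely sit in ImagePullBackOff; the web copy, `argocd-gitea-token` and `gitea-runner-token` on this page have the same placeholder. When sealing, the recipe in the header comment (`--docker-username=julia --docker-password=<token>`) puts the admin user's token on every node that runs these pods; a dedicated pull-only user, or a token limited to Gitea's package-read scope, bounds what a leaked kubelet secret can do. A comment noting that a placeholder will fail to unseal would also help anyone applying this before the follow-up.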


@@ -4,6 +4,6 @@ resources:
- deployment.yaml
- service.yaml
- ingress.yaml
- ghcr-pull-secret-sealed.yaml
- gitea-pull-secret-sealed.yaml
- api-secrets-sealed.yaml
- servicemonitor.yaml


@@ -14,6 +14,6 @@ patches:
kind: Deployment
name: api
images:
- name: ghcr.io/lazorgurl/homelab-api
newName: ghcr.io/lazorgurl/homelab-api
- name: gitea.coreworlds.io/julia/homelab-api
newName: gitea.coreworlds.io/julia/homelab-api
newTag: da95687db90d2790cac12ad2e66fa16388712871


@@ -15,10 +15,10 @@ spec:
app: harness
spec:
imagePullSecrets:
- name: ghcr-pull-secret
- name: gitea-pull-secret
containers:
- name: harness
image: ghcr.io/lazorgurl/homelab-harness:latest
image: gitea.coreworlds.io/julia/homelab-harness:latest
ports:
- containerPort: 3100
env:


@@ -14,6 +14,6 @@ patches:
kind: Deployment
name: harness
images:
- name: ghcr.io/lazorgurl/homelab-harness
newName: ghcr.io/lazorgurl/homelab-harness
- name: gitea.coreworlds.io/julia/homelab-harness
newName: gitea.coreworlds.io/julia/homelab-harness
newTag: latest


@@ -15,10 +15,10 @@ spec:
app: web
spec:
imagePullSecrets:
- name: ghcr-pull-secret
- name: gitea-pull-secret
containers:
- name: web
image: ghcr.io/lazorgurl/homelab-web:latest
image: gitea.coreworlds.io/julia/homelab-web:latest
ports:
- containerPort: 3000
resources:


@@ -1,14 +0,0 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: ghcr-pull-secret
namespace: apps
spec:
encryptedData:
.dockerconfigjson: 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
template:
metadata:
name: ghcr-pull-secret
namespace: apps
type: kubernetes.io/dockerconfigjson


@@ -0,0 +1,22 @@
# PLACEHOLDER: Re-seal with Gitea registry credentials
# kubectl create secret docker-registry gitea-pull-secret \
# --namespace apps \
# --docker-server=gitea.coreworlds.io \
# --docker-username=julia \
# --docker-password=<token> \
# --dry-run=client -o yaml | kubeseal --format yaml \
# --controller-namespace kube-system --controller-name sealed-secrets-helm
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: gitea-pull-secret
namespace: apps
spec:
encryptedData:
.dockerconfigjson: PLACEHOLDER_SEAL_ME
template:
metadata:
name: gitea-pull-secret
namespace: apps
type: kubernetes.io/dockerconfigjson


@@ -4,4 +4,4 @@ resources:
- deployment.yaml
- service.yaml
- ingress.yaml
- ghcr-pull-secret-sealed.yaml
- gitea-pull-secret-sealed.yaml


@@ -14,6 +14,6 @@ patches:
kind: Deployment
name: web
images:
- name: ghcr.io/lazorgurl/homelab-web
newName: ghcr.io/lazorgurl/homelab-web
- name: gitea.coreworlds.io/julia/homelab-web
newName: gitea.coreworlds.io/julia/homelab-web
newTag: da95687db90d2790cac12ad2e66fa16388712871


@@ -8,7 +8,7 @@ metadata:
spec:
project: default
source:
repoURL: git@github.com:lazorgurl/homelab.git
repoURL: ssh://git@gitea-ssh.platform.svc:2222/julia/homelab.git
targetRevision: main
path: infra/kubernetes/argocd
destination:


@@ -8,7 +8,7 @@ spec:
goTemplateOptions: ["missingkey=error"]
generators:
- git:
repoURL: git@github.com:lazorgurl/homelab.git
repoURL: ssh://git@gitea-ssh.platform.svc:2222/julia/homelab.git
revision: main
directories:
- path: apps/*/k8s/overlays/production
@@ -18,7 +18,7 @@ spec:
spec:
project: default
source:
repoURL: git@github.com:lazorgurl/homelab.git
repoURL: ssh://git@gitea-ssh.platform.svc:2222/julia/homelab.git
targetRevision: main
path: "{{ .path.path }}"
destination:


@@ -8,7 +8,7 @@ spec:
goTemplateOptions: ["missingkey=error"]
generators:
- git:
repoURL: git@github.com:lazorgurl/homelab.git
repoURL: ssh://git@gitea-ssh.platform.svc:2222/julia/homelab.git
revision: main
directories:
- path: infra/kubernetes/platform/*
@@ -18,7 +18,7 @@ spec:
spec:
project: default
source:
repoURL: git@github.com:lazorgurl/homelab.git
repoURL: ssh://git@gitea-ssh.platform.svc:2222/julia/homelab.git
targetRevision: main
path: "{{ .path.path }}"
destination:


@@ -8,9 +8,13 @@ spec:
goTemplateOptions: ["missingkey=error"]
generators:
- pullRequest:
github:
owner: lazorgurl
gitea:
owner: julia
repo: homelab
api: http://gitea-http.platform.svc:3000
tokenRef:
secretName: argocd-gitea-token
key: token
requeueAfterSeconds: 60
template:
metadata:
@@ -18,7 +22,7 @@ spec:
spec:
project: default
source:
repoURL: git@github.com:lazorgurl/homelab.git
repoURL: ssh://git@gitea-ssh.platform.svc:2222/julia/homelab.git
targetRevision: "{{ .branch }}"
path: apps/*/k8s/overlays/preview
kustomize:
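Review bot: The Gitea `pullRequest` generator has no `filters:`, so every open PR becomes an Application that renders manifests from the PR's own branch (`targetRevision: "{{ .branch }}"`) under `project: default`, which constrains neither destination namespaces nor cluster-scoped kinds; anyone able to open a PR can therefore have ArgoCD apply arbitrary manifests, not only into `preview-<n>`. Add a `filters:` block on the generator (`branchMatch`/`targetBranchMatch` are supported for PR generators) and point the template at a dedicated AppProject limited to `preview-*` namespaces and namespaced resources. The `api:` endpoint is plaintext in-cluster HTTP carrying the token, which is tolerable only if the `platform` namespace is network-policed; a comment stating that assumption would help. The ApplicationSet spec continues outside the two hunks.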


@@ -0,0 +1,17 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: argocd-gitea-repo
namespace: argocd
spec:
encryptedData:
sshPrivateKey: AgCF7JM8/SG7P9QziuakXwRkDjfTRdOgu+Qk7OcEqrZGcXmZ4mivymYkBnD4jWR0eEg+ZN4FUmhYX04eFbYJX4HyqfvC4nPlofP3E58JlWYd8khr5mkai9XLK2v3zRs3hMAJASCNBfJdKYcgpoY0G8qFe7RddemoBlqugD+xyiEKcgc349w0W69CdBRpXTG2jcvwgeaWFABMvZdZj6SIkxonpcPZTh5TuXFRjByqvWGfIu1n3pitQ1jAcQ9zogezMrYVQ/aqWFWuEoV1hc5C7cslSNC5L+r790M630yNyFuhaESkrUGEACjb6uY0/BfqW3iW5jOYkk8OEpQ+ZU0PiEREHBrz1xL+1p1mtf+4j2yBIBPkKqiuUNeKIeDF6uF22SIfZukJfYkQlmZp7V41bt1kU3I29RgLlBEsQgr3l1yPFTwI0MFBr5IJZEnPjqPiFdItZCtwUknyqEmzXUZOtjHfOCXqKmeJob99XqLGK3pUpYL2GXJMCS57C1CIkwBUG08DpUIga0NldYT8ihTiXh+4JpcWSy+mS6Oqr+KbU0o/MwpZk6ZeAan4ctM28vh5Zv4vdkISiVNmuxP2vyEnQIBmBRxKfs6059jRZ5yJIyWlP5VPnI1aZkJAhj+nxo9pCakHdC5tlqXWJB7jvBonELK/Xqgi8aU/HYnjQL7CoaCr37ld3GHmT6J30PYtPUWaAKuBy1CQKsg3O0WU4gGLsjERql3UCjIx1fsww4xw4aHPeyrNMRURhkZXDJHUs5NWeoAd8EPAPAJ774tU44fPkQ+apDJKHkD1WOtle159GRqHqfCkEwkthFuq2fTDj/km4w4x6r3HtuXG+yvI5gVgelQxmL12zb8B4DlEBRh06nVujXCbSHfMDVu2j8xYF/yLBkrN7FE+VMbYPQiw5dbLNvmOoxn+O0m/ayyunbcWO8rYsr1FVnOFK9jv+extjirESHDb06xkZodt87X5OGSrYziM+e/IZWznJHxvmpMnRMJKxWLQ/adSPZQsFfmPf7NuOjta75glVWhnvbA2qSaaOUI5H+o23yNDA7eLZTyBeTPW/ms2nsL1mAOmJYpbzkMHX4pQRD9E/zPeNgXp+fsLWfimuyXc46CWQwFPUHF28d0SS0DG8e2gqdjUYTw/scuvI1dQbhFmIlM4hUKqEoKPTPskHlaoOs2Sm6bn1pPrQ6NLNPSpZ6S10S1Bd54CP35Y+VnZxi8vGrRG4U0M+7O7GYGiF0v2hqmxT1Xiz/g=
type: 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
url: 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
template:
metadata:
name: argocd-gitea-repo
namespace: argocd
labels:
argocd.argoproj.io/secret-type: repository
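Review bot: An SSH repository credential for `gitea-ssh.platform.svc:2222` only works once that host and port have an entry in ArgoCD's `argocd-ssh-known-hosts-cm`; nothing in this commit adds one, and ArgoCD refuses unknown host keys by default, so the repoURL changes on the Application and ApplicationSets on this page will fail to connect until the Gitea SSH host key is added there (preferable to setting `insecure: "true"` on this secret). The sealed `url` must match the new repoURL byte-for-byte for ArgoCD to pair the credential, which cannot be checked against the ciphertext; a header comment recording the sealed URL and key fingerprint would make that auditable. The matching deploy key on the Gitea side should be added read-only, which the commit description implies but does not state.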


@@ -0,0 +1,15 @@
# PLACEHOLDER: Re-seal with Gitea API token for PR generator
# ./scripts/seal-secret.sh argocd-gitea-token argocd token=<gitea-api-token>
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: argocd-gitea-token
namespace: argocd
spec:
encryptedData:
token: PLACEHOLDER_SEAL_ME
template:
metadata:
name: argocd-gitea-token
namespace: argocd


@@ -8,6 +8,8 @@ resources:
- appsets/platform.yaml
- appsets/apps.yaml
- appsets/previews.yaml
- argocd-gitea-repo-sealed.yaml
- argocd-gitea-token-sealed.yaml
- servicemonitor.yaml
patches:
- target:


@@ -0,0 +1,44 @@
# Prerequisites: CloudNativePG operator must be installed first.
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: gitea-pg
namespace: platform
spec:
instances: 1
primaryUpdateStrategy: unsupervised
storage:
storageClass: longhorn-nvme
size: 5Gi
postgresql:
parameters:
max_connections: "100"
shared_buffers: 128MB
effective_cache_size: 256MB
work_mem: 4MB
bootstrap:
initdb:
database: gitea
owner: gitea
secret:
name: gitea-pg-credentials
backup:
barmanObjectStore:
destinationPath: s3://gitea-pg-backups/
endpointURL: http://minio.platform.svc:9000
s3Credentials:
accessKeyId:
name: pg-backup-s3-credentials
key: ACCESS_KEY_ID
secretAccessKey:
name: pg-backup-s3-credentials
key: SECRET_ACCESS_KEY
retentionPolicy: "30d"
monitoring:
enablePodMonitor: true
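Review bot: `backup.barmanObjectStore` on its own only configures WAL archiving and the target bucket; without a `ScheduledBackup` resource targeting `gitea-pg` no base backup is ever taken, so `retentionPolicy: "30d"` has nothing to retain and point-in-time recovery is impossible. Add a `ScheduledBackup` to the same kustomization, which matters more here because `instances: 1` on Longhorn makes the object store the only copy outside the node. `endpointURL: http://minio.platform.svc:9000` sends backups in plaintext in-cluster, acceptable only under a network policy for the namespace; record that assumption in a comment. Quoting in `parameters:` is inconsistent (`max_connections` quoted, the other three not) — all four are strings to the operator, so quote them all.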


@@ -0,0 +1,14 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: gitea-pg-credentials
namespace: platform
spec:
encryptedData:
password: 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
username: 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
template:
metadata:
name: gitea-pg-credentials
namespace: platform
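Review bot: CloudNativePG expects the secret named in `bootstrap.initdb.secret` to be of type `kubernetes.io/basic-auth` with `username`/`password` keys; the template here sets no `type:`, so the unsealed Secret will be `Opaque`, and as far as I recall the operator rejects that at bootstrap. Add `type: kubernetes.io/basic-auth` under `spec.template`, as the pull-secret files on this page do for `dockerconfigjson`. The Gitea chart reads the same secret for `PASSWD` and only needs the `password` key, so keeping both keys is fine.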


@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cluster.yaml
- gitea-pg-credentials-sealed.yaml


@@ -0,0 +1,75 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: gitea-runner
namespace: platform
labels:
app: gitea-runner
spec:
replicas: 1
selector:
matchLabels:
app: gitea-runner
template:
metadata:
labels:
app: gitea-runner
spec:
containers:
- name: runner
image: gitea/act_runner:latest
env:
- name: GITEA_INSTANCE_URL
value: http://gitea-http.platform.svc:3000
- name: GITEA_RUNNER_REGISTRATION_TOKEN
valueFrom:
secretKeyRef:
name: gitea-runner-token
key: token
- name: GITEA_RUNNER_LABELS
value: "ubuntu-latest:docker://node:20-bookworm,linux/amd64:docker://node:20-bookworm,cluster:docker://node:20-bookworm"
- name: DOCKER_HOST
value: tcp://localhost:2376
- name: DOCKER_TLS_VERIFY
value: "1"
- name: DOCKER_CERT_PATH
value: /certs/client
volumeMounts:
- name: docker-certs
mountPath: /certs/client
readOnly: true
- name: runner-data
mountPath: /data
resources:
requests:
memory: 256Mi
cpu: 200m
limits:
memory: 1Gi
- name: dind
image: docker:dind
securityContext:
privileged: true
env:
- name: DOCKER_TLS_CERTDIR
value: /certs
volumeMounts:
- name: docker-certs
mountPath: /certs
- name: dind-storage
mountPath: /var/lib/docker
resources:
requests:
memory: 512Mi
cpu: 500m
limits:
memory: 4Gi
volumes:
- name: docker-certs
emptyDir: {}
- name: runner-data
emptyDir: {}
- name: dind-storage
emptyDir: {}
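Review bot: The `dind` sidecar runs `privileged: true` in the `platform` namespace next to Gitea, its database and Valkey, so any workflow job that reaches the Docker daemon (every build job does) gets root-equivalent access to the node, and with PR-triggered workflows that is reachable by code the repo owner did not write. Put the runner in its own namespace and node pool (taint plus `nodeSelector`, with the PodSecurity `privileged` label confined to that namespace), set `automountServiceAccountToken: false` on the pod template, and pin `gitea/act_runner:latest` and `docker:dind` by digest, since both are floating tags pulled on every restart. Separately, every label in `GITEA_RUNNER_LABELS` maps to `node:20-bookworm`, which ships neither a `docker` CLI nor `kustomize`, so the `docker build` and `kustomize edit` steps in the three workflows will likely fail unless act_runner injects the daemon socket and the job image is swapped for one with those tools; verify on the first run.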


@@ -0,0 +1,15 @@
# PLACEHOLDER: Generate token from Gitea admin panel, then re-seal with:
# ./scripts/seal-secret.sh gitea-runner-token platform token=<registration-token>
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: gitea-runner-token
namespace: platform
spec:
encryptedData:
token: PLACEHOLDER_SEAL_ME
template:
metadata:
name: gitea-runner-token
namespace: platform


@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- deployment.yaml
- gitea-runner-token-sealed.yaml


@@ -0,0 +1,77 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: gitea-helm
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "1"
spec:
project: default
source:
repoURL: https://dl.gitea.com/charts/
chart: gitea
targetRevision: 10.6.0
helm:
valuesObject:
# Disable bundled dependencies — we use external DB and Valkey
postgresql:
enabled: false
postgresql-ha:
enabled: false
redis-cluster:
enabled: false
redis:
enabled: false
gitea:
admin:
existingSecret: gitea-admin-credentials
config:
database:
DB_TYPE: postgres
HOST: gitea-pg-rw.platform.svc:5432
NAME: gitea
USER: gitea
PASSWD:
_secret: gitea-pg-credentials
_key: password
cache:
ADAPTER: redis
HOST: redis://valkey.platform.svc:6379/0
session:
PROVIDER: redis
PROVIDER_CONFIG: redis://valkey.platform.svc:6379/1
server:
DOMAIN: gitea.coreworlds.io
ROOT_URL: https://gitea.coreworlds.io
SSH_DOMAIN: gitea.coreworlds.io
SSH_PORT: 2222
SSH_LISTEN_PORT: 2222
actions:
ENABLED: true
DEFAULT_ACTIONS_URL: github
packages:
ENABLED: true
persistence:
enabled: true
storageClass: longhorn-nvme
size: 20Gi
service:
http:
type: ClusterIP
port: 3000
ssh:
type: NodePort
port: 2222
nodePort: 30022
destination:
server: https://kubernetes.default.svc
namespace: platform
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
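Review bot: `gitea.config` never sets `DISABLE_REGISTRATION`, and Gitea defaults to open self-registration; with the instance published at `https://gitea.coreworlds.io` behind a Let's Encrypt certificate, `actions: ENABLED: true` and the package registry on, any internet user could create an account and a repo whose workflow runs on the privileged in-cluster runner. Add a `service:` section with `DISABLE_REGISTRATION: true` (and `REQUIRE_SIGNIN_VIEW: true` if the repos are private), plus `security:` with `REVERSE_PROXY_TRUSTED_PROXIES: <traefik pod CIDR>` so client IPs recorded behind Traefik are the real ones. `SSH_PORT: 2222` is what clone URLs will advertise, yet the service exposes SSH on `nodePort: 30022`; unless something at the edge maps 2222 to 30022 the advertised URLs will not connect, so align the values or document the forwarder in a comment. `DEFAULT_ACTIONS_URL: github` also means every `uses: actions/...` step still downloads from github.com, which is worth stating given the commit's goal of replacing GitHub.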


@@ -0,0 +1,15 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: gitea-admin-credentials
namespace: platform
spec:
encryptedData:
email: 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
password: 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
username: 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
template:
metadata:
name: gitea-admin-credentials
namespace: platform


@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- application.yaml
- gitea-admin-credentials-sealed.yaml


@@ -49,3 +49,16 @@ spec:
kind: ClusterIssuer
dnsNames:
- harness.coreworlds.io
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: gitea-tls
namespace: platform
spec:
secretName: gitea-tls
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
dnsNames:
- gitea.coreworlds.io


@@ -0,0 +1,19 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: gitea
namespace: platform
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
spec:
entryPoints:
- websecure
routes:
- match: Host(`gitea.coreworlds.io`)
kind: Rule
services:
- name: gitea-http
namespace: platform
port: 3000
tls:
secretName: gitea-tls
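Review bot: The `cert-manager.io/cluster-issuer` annotation on a Traefik `IngressRoute` is inert — cert-manager's ingress-shim only acts on `Ingress` objects — and the TLS secret is already produced by the explicit `gitea-tls` Certificate added earlier on this page, so drop the annotation to avoid suggesting a second issuance path. I cannot see whether the other routes in this directory carry the same annotation, since they are outside the hunk. This route fronts the login page and the package-registry endpoints; if the existing routes attach rate-limiting or header middlewares, apply the same here.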


@@ -8,5 +8,6 @@ resources:
- ingressroute-grafana.yaml
- ingressroute-longhorn.yaml
- ingressroute-harness.yaml
- ingressroute-gitea.yaml
- certificate-internal.yaml
- servicemonitor.yaml