From f04ecbf5cdfc0b7784b6409557f83e3f2c20f561 Mon Sep 17 00:00:00 2001 
From: Julia McGhee Date: Sat, 21 Mar 2026 15:43:30 +0000 Subject: [PATCH] Add Gitea self-hosted git/CI/registry to replace GitHub Deploy Gitea via Helm with dedicated CloudNativePG database, in-cluster Actions runner (DinD), and built-in container registry. ArgoCD repoURLs updated to use in-cluster Gitea SSH. Preview ApplicationSet switched from GitHub PR generator to Gitea PR generator. App images now pull from gitea.coreworlds.io registry. Remaining setup after deploy: seal runner token, ArgoCD API token, and registry pull secret once Gitea is running. Add ArgoCD deploy key to Gitea repo settings. --- .gitea/workflows/ci.yaml | 87 +++++++++++++++++++ .gitea/workflows/deploy-preview.yaml | 64 ++++++++++++++ .gitea/workflows/deploy-production.yaml | 59 +++++++++++++ CLAUDE.md | 6 +- Taskfile.yaml | 34 ++++++++ apps/api/k8s/base/deployment.yaml | 4 +- .../api/k8s/base/ghcr-pull-secret-sealed.yaml | 14 --- .../k8s/base/gitea-pull-secret-sealed.yaml | 22 +++++ apps/api/k8s/base/kustomization.yaml | 2 +- .../overlays/production/kustomization.yaml | 4 +- apps/harness/k8s/base/deployment.yaml | 4 +- .../overlays/production/kustomization.yaml | 4 +- apps/web/k8s/base/deployment.yaml | 4 +- .../web/k8s/base/ghcr-pull-secret-sealed.yaml | 14 --- .../k8s/base/gitea-pull-secret-sealed.yaml | 22 +++++ apps/web/k8s/base/kustomization.yaml | 2 +- .../overlays/production/kustomization.yaml | 4 +- infra/kubernetes/argocd/app-of-apps.yaml | 2 +- infra/kubernetes/argocd/appsets/apps.yaml | 4 +- infra/kubernetes/argocd/appsets/platform.yaml | 4 +- infra/kubernetes/argocd/appsets/previews.yaml | 10 ++- .../argocd/argocd-gitea-repo-sealed.yaml | 17 ++++ .../argocd/argocd-gitea-token-sealed.yaml | 15 ++++ infra/kubernetes/argocd/kustomization.yaml | 2 + .../kubernetes/platform/gitea-pg/cluster.yaml | 44 ++++++++++ .../gitea-pg/gitea-pg-credentials-sealed.yaml | 14 +++ .../platform/gitea-pg/kustomization.yaml | 5 ++ .../platform/gitea-runner/deployment.yaml | 75 ++++++++++++++++ 
.../gitea-runner-token-sealed.yaml | 15 ++++ .../platform/gitea-runner/kustomization.yaml | 5 ++ .../platform/gitea/application.yaml | 77 ++++++++++++++++ .../gitea/gitea-admin-credentials-sealed.yaml | 15 ++++ .../platform/gitea/kustomization.yaml | 5 ++ .../traefik/certificate-internal.yaml | 13 +++ .../platform/traefik/ingressroute-gitea.yaml | 19 ++++ .../platform/traefik/kustomization.yaml | 1 + 36 files changed, 640 insertions(+), 52 deletions(-) create mode 100644 .gitea/workflows/ci.yaml create mode 100644 .gitea/workflows/deploy-preview.yaml create mode 100644 .gitea/workflows/deploy-production.yaml delete mode 100644 apps/api/k8s/base/ghcr-pull-secret-sealed.yaml create mode 100644 apps/api/k8s/base/gitea-pull-secret-sealed.yaml delete mode 100644 apps/web/k8s/base/ghcr-pull-secret-sealed.yaml create mode 100644 apps/web/k8s/base/gitea-pull-secret-sealed.yaml create mode 100644 infra/kubernetes/argocd/argocd-gitea-repo-sealed.yaml create mode 100644 infra/kubernetes/argocd/argocd-gitea-token-sealed.yaml create mode 100644 infra/kubernetes/platform/gitea-pg/cluster.yaml create mode 100644 infra/kubernetes/platform/gitea-pg/gitea-pg-credentials-sealed.yaml create mode 100644 infra/kubernetes/platform/gitea-pg/kustomization.yaml create mode 100644 infra/kubernetes/platform/gitea-runner/deployment.yaml create mode 100644 infra/kubernetes/platform/gitea-runner/gitea-runner-token-sealed.yaml create mode 100644 infra/kubernetes/platform/gitea-runner/kustomization.yaml create mode 100644 infra/kubernetes/platform/gitea/application.yaml create mode 100644 infra/kubernetes/platform/gitea/gitea-admin-credentials-sealed.yaml create mode 100644 infra/kubernetes/platform/gitea/kustomization.yaml create mode 100644 infra/kubernetes/platform/traefik/ingressroute-gitea.yaml diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml new file mode 100644 index 0000000..cf7b98c --- /dev/null +++ b/.gitea/workflows/ci.yaml 
@@ -0,0 +1,87 @@ +name: CI + +on: + pull_request: + branches: [main] + push: + branches: [main] + +concurrency: + group: ${{ gitea.workflow }}-${{ gitea.ref }} + cancel-in-progress: true + +jobs: + changes: + runs-on: ubuntu-latest + outputs: + apps: ${{ steps.filter.outputs.apps }} + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Detect changed apps + id: filter + run: | + if [ "${{ gitea.event_name }}" = "pull_request" ]; then + CHANGED=$(git diff --name-only origin/main...HEAD) + else + CHANGED=$(git diff --name-only HEAD~1) + fi + APPS="[]" + for app in web api harness; do + if echo "$CHANGED" | grep -qE "^(apps/${app}/|packages/)"; then + APPS=$(echo "$APPS" | jq -c ". + [\"${app}\"]") + fi + done + echo "apps=$APPS" >> "$GITHUB_OUTPUT" + + lint-and-test: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - uses: pnpm/action-setup@v4 + + - uses: actions/setup-node@v4 + with: + node-version: 20 + cache: pnpm + + - run: pnpm install --frozen-lockfile + + - run: pnpm turbo lint test + + build: + needs: [changes, lint-and-test] + runs-on: ubuntu-latest + if: needs.changes.outputs.apps != '[]' + strategy: + matrix: + app: ${{ fromJson(needs.changes.outputs.apps) }} + steps: + - uses: actions/checkout@v4 + + - uses: pnpm/action-setup@v4 + + - uses: actions/setup-node@v4 + with: + node-version: 20 + cache: pnpm + + - run: pnpm install --frozen-lockfile + + - run: pnpm turbo build --filter=@homelab/${{ matrix.app }} + + - name: Build Docker image + run: | + docker build \ + -t gitea.coreworlds.io/julia/homelab-${{ matrix.app }}:${{ gitea.sha }} \ + -t gitea.coreworlds.io/julia/homelab-${{ matrix.app }}:pr-${{ gitea.event.number }} \ + apps/${{ matrix.app }} + + - name: Push to registry + if: gitea.event_name == 'push' || gitea.event_name == 'pull_request' + run: | + echo "${{ secrets.GITEA_TOKEN }}" | docker login gitea.coreworlds.io -u ${{ gitea.actor }} --password-stdin + docker push gitea.coreworlds.io/julia/homelab-${{ 
matrix.app }}:${{ gitea.sha }} diff --git a/.gitea/workflows/deploy-preview.yaml b/.gitea/workflows/deploy-preview.yaml new file mode 100644 index 0000000..a145d97 --- /dev/null +++ b/.gitea/workflows/deploy-preview.yaml 
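Review bot: The guard on the 'Push to registry' step, `if: gitea.event_name == 'push' || gitea.event_name == 'pull_request'`, is satisfied by every event this workflow is triggered on, so every pull-request build logs in with `secrets.GITEA_TOKEN` and pushes an image into the registry that production later pulls from; if pull requests from forks are accepted, that gives untrusted PR authors registry write access through the repository's own token. Restricting the step to `if: gitea.event_name == 'push'` (or additionally checking that the PR head repository is this repository) keeps untrusted builds from writing images; the same consideration applies to the 'Build and push images' step in .gitea/workflows/deploy-preview.yaml, which runs on `pull_request` unconditionally. The `pr-${{ gitea.event.number }}` tag in the 'Build Docker image' step is also applied on push events, where `gitea.event.number` is empty and yields a bare `pr-` tag; since that tag is never pushed, either push it on PR events only or drop it.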
@@ -0,0 +1,64 @@ +name: Deploy Preview + +on: + pull_request: + types: [opened, synchronize, reopened] + +jobs: + deploy: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - uses: pnpm/action-setup@v4 + + - uses: actions/setup-node@v4 + with: + node-version: 20 + cache: pnpm + + - run: pnpm install --frozen-lockfile + + - name: Determine changed apps + id: changes + run: | + APPS=$(pnpm turbo build --filter='...[origin/main]' --dry-run=json | jq -r '[.packages[] | select(startswith("@homelab/")) | sub("@homelab/";"") ] | join(",")') + echo "apps=$APPS" >> "$GITHUB_OUTPUT" + + - name: Build and push images + if: steps.changes.outputs.apps != '' + run: | + echo "${{ secrets.GITEA_TOKEN }}" | docker login gitea.coreworlds.io -u ${{ gitea.actor }} --password-stdin + IFS=',' read -ra APPS <<< "${{ steps.changes.outputs.apps }}" + for app in "${APPS[@]}"; do + docker build \ + -t gitea.coreworlds.io/julia/homelab-${app}:${{ gitea.sha }} \ + apps/${app} + docker push gitea.coreworlds.io/julia/homelab-${app}:${{ gitea.sha }} + done + + - name: Update image tags in preview overlay + if: steps.changes.outputs.apps != '' + run: | + IFS=',' read -ra APPS <<< "${{ steps.changes.outputs.apps }}" + for app in "${APPS[@]}"; do + cd apps/${app}/k8s/overlays/preview + kustomize edit set image gitea.coreworlds.io/julia/homelab-${app}=gitea.coreworlds.io/julia/homelab-${app}:${{ gitea.sha }} + cd - + done + + - name: Comment preview URL + uses: actions/github-script@v7 + with: + script: | + const { owner, repo } = context.repo; + const issue_number = context.issue.number; + const body = `## Preview Deploy\nNamespace: \`preview-${issue_number}\`\nArgoCD will sync automatically from branch \`${context.payload.pull_request.head.ref}\`.`; + await fetch(`${process.env.GITHUB_API_URL}/repos/${owner}/${repo}/issues/${issue_number}/comments`, { + method: 'POST', + headers: { + 'Authorization': `token ${process.env.GITHUB_TOKEN}`, + 'Content-Type': 'application/json' + }, + 
body: JSON.stringify({ body }) + }); diff --git a/.gitea/workflows/deploy-production.yaml b/.gitea/workflows/deploy-production.yaml new file mode 100644 index 0000000..8b90eca --- /dev/null +++ b/.gitea/workflows/deploy-production.yaml 
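Review bot: The 'Update image tags in preview overlay' step runs `kustomize edit set image` in the checkout but nothing commits or pushes the result, so the new SHA tag never reaches the PR branch that the preview ApplicationSet syncs from (`targetRevision: "{{ .branch }}"`), and the preview comment's statement that ArgoCD will pick the change up does not hold; deploy-production.yaml has the commit step this file lacks, so add the equivalent (below) between the overlay update and the comment step. `--filter='...[origin/main]'` in 'Determine changed apps' also needs `origin/main` to exist in the clone, which it does not under actions/checkout's default `fetch-depth: 1`; ci.yaml sets `fetch-depth: 0` for this reason. Pushing the tag bump back to the PR branch raises another `synchronize` event, so the bot's own commit must be excluded from the next run (the `[skip ci]` marker below assumes your Gitea version honours it; confirm). The branch name is taken from the event payload, the same field the comment step reads as `context.payload.pull_request.head.ref`.
```yaml
      - name: Commit image tag updates
        if: steps.changes.outputs.apps != ''
        run: |
          git config user.name "gitea-actions[bot]"
          git config user.email "gitea-actions[bot]@coreworlds.io"
          git add apps/*/k8s/overlays/preview/
          git diff --staged --quiet || git commit -m "preview: update images to ${{ gitea.sha }} [skip ci]"
          git push origin HEAD:${{ gitea.event.pull_request.head.ref }}
```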
@@ -0,0 +1,59 @@ +name: Deploy Production + +on: + push: + branches: [main] + +jobs: + deploy: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - uses: pnpm/action-setup@v4 + + - uses: actions/setup-node@v4 + with: + node-version: 20 + cache: pnpm + + - run: pnpm install --frozen-lockfile + + - name: Determine changed apps + id: changes + run: | + APPS=$(pnpm turbo build --filter='...[HEAD~1]' --dry-run=json | jq -r '[.packages[] | select(startswith("@homelab/")) | sub("@homelab/";"") ] | join(",")') + echo "apps=$APPS" >> "$GITHUB_OUTPUT" + + - name: Build and push images + if: steps.changes.outputs.apps != '' + run: | + echo "${{ secrets.GITEA_TOKEN }}" | docker login gitea.coreworlds.io -u ${{ gitea.actor }} --password-stdin + IFS=',' read -ra APPS <<< "${{ steps.changes.outputs.apps }}" + for app in "${APPS[@]}"; do + docker build \ + -t gitea.coreworlds.io/julia/homelab-${app}:${{ gitea.sha }} \ + -t gitea.coreworlds.io/julia/homelab-${app}:latest \ + apps/${app} + docker push gitea.coreworlds.io/julia/homelab-${app}:${{ gitea.sha }} + docker push gitea.coreworlds.io/julia/homelab-${app}:latest + done + + - name: Update image tags in production overlay + if: steps.changes.outputs.apps != '' + run: | + IFS=',' read -ra APPS <<< "${{ steps.changes.outputs.apps }}" + for app in "${APPS[@]}"; do + cd apps/${app}/k8s/overlays/production + kustomize edit set image gitea.coreworlds.io/julia/homelab-${app}=gitea.coreworlds.io/julia/homelab-${app}:${{ gitea.sha }} + cd - + done + + - name: Commit image tag updates + if: steps.changes.outputs.apps != '' + run: | + git config user.name "gitea-actions[bot]" + git config user.email "gitea-actions[bot]@coreworlds.io" + git add apps/*/k8s/overlays/production/ + git diff --staged --quiet || git commit -m "deploy: update production images to ${{ gitea.sha }}" + git push diff --git a/CLAUDE.md b/CLAUDE.md index 6dce295..4d2b170 100644 --- a/CLAUDE.md +++ b/CLAUDE.md 
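Review bot: `--filter='...[HEAD~1]'` in 'Determine changed apps' is evaluated in a clone made by `actions/checkout@v4` with no `fetch-depth`, whose default of 1 leaves no `HEAD~1`, so turbo cannot resolve the range on any run; add `with: fetch-depth: 2` (or `0`, as ci.yaml does) to the checkout step. The 'Commit image tag updates' step then pushes to main, which re-triggers this workflow; because the edited overlay lives under `apps/<app>/k8s/`, inside the package directory, turbo will probably count the app as changed again, build a fresh image for the new SHA and commit once more, an unbounded deploy loop unless Gitea suppresses runs for pushes made with the actions token. A `paths-ignore` entry on the push trigger for `apps/*/k8s/overlays/production/**`, or `[skip ci]` in the bot's commit message, breaks the cycle; confirm which of these your Gitea version honours. `git push` also relies on the credentials actions/checkout persists, i.e. the repository-scoped actions token, so it needs push rights on main and will be refused if branch protection is enabled there.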
@@ -10,7 +10,7 @@ GitOps via ArgoCD, bare-metal provisioning via Ansible, Turborepo for app builds - **Infrastructure**: k3s, ArgoCD, Ansible - **Platform**: Traefik, cert-manager, CloudNativePG, Valkey, Longhorn, Sealed Secrets - **Observability**: kube-prometheus-stack, Loki, Promtail, Grafana -- **CI/CD**: GitHub Actions → ghcr.io → ArgoCD +- **CI/CD**: Gitea Actions → gitea.coreworlds.io registry → ArgoCD - **Task Runner**: Taskfile (go-task) ## Directory Structure @@ -28,7 +28,9 @@ GitOps via ArgoCD, bare-metal provisioning via Ansible, Turborepo for app builds - Secrets are sealed with kubeseal before committing - Branch deploys create `preview-` namespaces automatically - Use `task ` for all operations (see Taskfile.yaml) -- Docker images tagged with git SHA, pushed to ghcr.io +- Docker images tagged with git SHA, pushed to gitea.coreworlds.io registry +- Git hosted on self-hosted Gitea, GitHub is a read-only push mirror +- Gitea Actions runners: in-cluster (amd64), Mac (arm64), Windows (WSL2) ## Common Commands ```bash diff --git a/Taskfile.yaml b/Taskfile.yaml index 14b7722..e8a1932 100644 --- a/Taskfile.yaml +++ b/Taskfile.yaml 
@@ -95,6 +95,40 @@ tasks: cmds: - kubectl port-forward -n platform svc/homelab-pg-rw 5432:5432 + # Gitea + gitea:status: + desc: Check Gitea runners and mirror sync status + cmds: + - | + echo "=== Gitea Runners ===" + curl -s -H "Authorization: token $(kubectl get secret argocd-gitea-token -n argocd -o jsonpath='{.data.token}' | base64 -d)" \ + https://gitea.coreworlds.io/api/v1/admin/runners | jq '.[] | {name, online, labels}' + echo "" + echo "=== Mirror Sync ===" + curl -s -H "Authorization: token $(kubectl get secret argocd-gitea-token -n argocd -o jsonpath='{.data.token}' | base64 -d)" \ + https://gitea.coreworlds.io/api/v1/repos/julia/homelab | jq '{mirror: .mirror, mirror_updated: .mirror_updated}' + + gitea:runner:register: + desc: Register an external Gitea Actions runner + cmds: + - | + echo "Run on the target machine:" + echo " act_runner register --instance https://gitea.coreworlds.io --token --labels ''" + echo "" + echo "Labels:" + echo " Mac: macos-arm64:host,arm64:host,self-hosted:host" + echo " Windows: windows:host,wsl2:host,self-hosted:host" + + gitea:runner:mac:start: + desc: Start Gitea runner on Mac (run on Mac) + cmds: + - act_runner daemon + + gitea:runner:mac:stop: + desc: Stop Gitea runner on Mac (run on Mac) + cmds: + - pkill act_runner || true + # Linting lint:ansible: desc: Lint Ansible playbooks diff --git a/apps/api/k8s/base/deployment.yaml b/apps/api/k8s/base/deployment.yaml index a7b9f59..6a420df 100644 --- a/apps/api/k8s/base/deployment.yaml +++ b/apps/api/k8s/base/deployment.yaml @@ -15,10 +15,10 @@ spec: app: api spec: imagePullSecrets: - - name: ghcr-pull-secret + - name: gitea-pull-secret containers: - name: api - image: ghcr.io/lazorgurl/homelab-api:latest + image: gitea.coreworlds.io/julia/homelab-api:latest ports: - containerPort: 4000 name: http diff --git a/apps/api/k8s/base/ghcr-pull-secret-sealed.yaml b/apps/api/k8s/base/ghcr-pull-secret-sealed.yaml deleted file mode 100644 index 0f044d6..0000000 
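Review bot: `gitea:status` reads the `argocd-gitea-token` secret and calls `/api/v1/admin/runners`, an endpoint only a site-administrator token can reach, which means the token sealed for ArgoCD's pull-request generator (infra/kubernetes/argocd/appsets/previews.yaml) has to be an admin token, far more than the read access to pull requests the generator needs. Issue ArgoCD a token limited to read-only repository scope and keep a separate, locally held admin token for operator tasks; expanding `kubectl get secret ... | base64 -d` inside `$(...)` also places the token on the curl command line where it is visible in the process list, so prefer `curl -H @file` with a temporary header file. The hints printed by `gitea:runner:register` read `--token --labels ''` with the value placeholders missing (likely `<token>` and `<labels>` stripped as markup); restore them so the echoed command is usable.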
--- a/apps/api/k8s/base/ghcr-pull-secret-sealed.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: bitnami.com/v1alpha1 -kind: SealedSecret -metadata: - name: ghcr-pull-secret - namespace: apps -spec: - encryptedData: - .dockerconfigjson: AgB7twUw+WM+H96XJQlZNqTTY5uweBab7NfDuK/CEFJ7062A6+1U3ZRGRhA1QXJJBnITlRT6rNAlVmhGw4aEPWeGeBzutpBcOT2JytQY0NbVf1cpTIkNv8ca/oUQMKbTEbCZ6lBcX2NzJjkTQI/MrN+bH7yCfgWKJUFxy6h41go37RlBj+G3uso4wQ7mTEV6dNIPw/vFfHyygDK4XUmYV6tFfVkYC/wPBxUlQvQqjKFvCVcNm7cog9vJqdRmiRgwUqehzHnGIqiUH+0Da6kwxs3+Rw9blFB4PBSDSa0YVUVvAvW2QpE8ZvfoAbj79x7i2fl8gDO3176vTkzen1hZl5TtIk+Hr2GChFkiNslOXKgsJVuWISQtnaTA4j9aOE8kona7zzE6J7vTQOmnlVSGHDjY/TAHjnB7qsodl6Vma6FLShcbG75E2+iAhJzxgbu2gLMcLFD8CuHNSur5rfnnhDeYhedQIyf4qcocXgL0yO+/NTv2hH76cfFPsn2dAwwwL6iVJWvFgA7pywAD0jr8r7PMLRZjQrJxOu1vqgXPMo2656A7yD9Mk87Z8W0g7LgP9XKITxwIW5B47kEdOkifwP/doazgsHs153eZSmbN8oVXXM4EGrAPMOJs+MVt9/pBcKA8Ct5QuCHpSKBZVWVOVbT1r2jFY+b7jHWb2zg93WYP8kU+ZN8a1D52h0zKgb9nTBn6qaDK2gSRCj0CSl11JVUynVAA60ZSHalQriZV2+ZAo1SHx4/uMhOpnJVU9mY9sIbXrMCJTGtWgyOlAg1UpdOefCJyfxEihm+n82Xp12fqmKjiptXgQX5YHF9stpo3VKOPpxfk6kfMIRh9ckuD3JXS3xJZV/7t/dSHXc0NsZxp/FTbP31pAcgWXS4s9qF681IyjXx3IGnxcyd16ADtXCvVfjDCZZceNWatxb7SABQg2F7h - template: - metadata: - name: ghcr-pull-secret - namespace: apps - type: kubernetes.io/dockerconfigjson diff --git a/apps/api/k8s/base/gitea-pull-secret-sealed.yaml b/apps/api/k8s/base/gitea-pull-secret-sealed.yaml new file mode 100644 index 0000000..b44fc39 --- /dev/null +++ b/apps/api/k8s/base/gitea-pull-secret-sealed.yaml 
@@ -0,0 +1,22 @@ +# PLACEHOLDER: Re-seal with Gitea registry credentials +# kubectl create secret docker-registry gitea-pull-secret \ +# --namespace apps \ +# --docker-server=gitea.coreworlds.io \ +# --docker-username=julia \ +# --docker-password= \ +# --dry-run=client -o yaml | kubeseal --format yaml \ +# --controller-namespace kube-system --controller-name sealed-secrets-helm +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: gitea-pull-secret + namespace: apps +spec: + encryptedData: + .dockerconfigjson: PLACEHOLDER_SEAL_ME + template: + metadata: + name: gitea-pull-secret + namespace: apps + type: kubernetes.io/dockerconfigjson diff --git a/apps/api/k8s/base/kustomization.yaml b/apps/api/k8s/base/kustomization.yaml index 03e36c4..141d9d6 100644 --- a/apps/api/k8s/base/kustomization.yaml +++ b/apps/api/k8s/base/kustomization.yaml @@ -4,6 +4,6 @@ resources: - deployment.yaml - service.yaml - ingress.yaml - - ghcr-pull-secret-sealed.yaml + - gitea-pull-secret-sealed.yaml - api-secrets-sealed.yaml - servicemonitor.yaml diff --git a/apps/api/k8s/overlays/production/kustomization.yaml b/apps/api/k8s/overlays/production/kustomization.yaml index b2eb87c..4040380 100644 --- a/apps/api/k8s/overlays/production/kustomization.yaml +++ b/apps/api/k8s/overlays/production/kustomization.yaml @@ -14,6 +14,6 @@ patches: kind: Deployment name: api images: -- name: ghcr.io/lazorgurl/homelab-api - newName: ghcr.io/lazorgurl/homelab-api +- name: gitea.coreworlds.io/julia/homelab-api + newName: gitea.coreworlds.io/julia/homelab-api newTag: da95687db90d2790cac12ad2e66fa16388712871 diff --git a/apps/harness/k8s/base/deployment.yaml b/apps/harness/k8s/base/deployment.yaml index a4d0af0..caa67eb 100644 --- a/apps/harness/k8s/base/deployment.yaml +++ b/apps/harness/k8s/base/deployment.yaml 
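Review bot: `.dockerconfigjson: PLACEHOLDER_SEAL_ME` is not valid ciphertext, so once this file syncs the sealed-secrets controller fails to unseal it and no `gitea-pull-secret` Secret is created in `apps`, leaving every pod whose deployment now lists `imagePullSecrets: gitea-pull-secret` (api, web and harness if it shares the namespace) in ImagePullBackOff until the real sealed value lands; apps/web/k8s/base/gitea-pull-secret-sealed.yaml carries the same placeholder. Because the `ghcr-pull-secret` files are deleted in this same commit, there is no working pull secret in the interim, so land the sealed value in the same change or keep the old secret until it does. For the value itself, seal a Gitea access token limited to package read scope rather than the account password the comment's `--docker-password=` implies; a pull secret is distributed to every node that runs the image, and a narrowly scoped token limits what a leak exposes.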
@@ -15,10 +15,10 @@ spec: app: harness spec: imagePullSecrets: - - name: ghcr-pull-secret + - name: gitea-pull-secret containers: - name: harness - image: ghcr.io/lazorgurl/homelab-harness:latest + image: gitea.coreworlds.io/julia/homelab-harness:latest ports: - containerPort: 3100 env: diff --git a/apps/harness/k8s/overlays/production/kustomization.yaml b/apps/harness/k8s/overlays/production/kustomization.yaml index 4a80628..cedd22d 100644 --- a/apps/harness/k8s/overlays/production/kustomization.yaml +++ b/apps/harness/k8s/overlays/production/kustomization.yaml @@ -14,6 +14,6 @@ patches: kind: Deployment name: harness images: -- name: ghcr.io/lazorgurl/homelab-harness - newName: ghcr.io/lazorgurl/homelab-harness +- name: gitea.coreworlds.io/julia/homelab-harness + newName: gitea.coreworlds.io/julia/homelab-harness newTag: latest diff --git a/apps/web/k8s/base/deployment.yaml b/apps/web/k8s/base/deployment.yaml index 71f60f4..02a506e 100644 --- a/apps/web/k8s/base/deployment.yaml +++ b/apps/web/k8s/base/deployment.yaml @@ -15,10 +15,10 @@ spec: app: web spec: imagePullSecrets: - - name: ghcr-pull-secret + - name: gitea-pull-secret containers: - name: web - image: ghcr.io/lazorgurl/homelab-web:latest + image: gitea.coreworlds.io/julia/homelab-web:latest ports: - containerPort: 3000 resources: diff --git a/apps/web/k8s/base/ghcr-pull-secret-sealed.yaml b/apps/web/k8s/base/ghcr-pull-secret-sealed.yaml deleted file mode 100644 index 0f044d6..0000000 --- a/apps/web/k8s/base/ghcr-pull-secret-sealed.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: bitnami.com/v1alpha1 -kind: SealedSecret -metadata: - name: ghcr-pull-secret - namespace: apps -spec: - encryptedData: - .dockerconfigjson: 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 - template: - metadata: - name: ghcr-pull-secret - namespace: apps - type: kubernetes.io/dockerconfigjson 
diff --git a/apps/web/k8s/base/gitea-pull-secret-sealed.yaml b/apps/web/k8s/base/gitea-pull-secret-sealed.yaml new file mode 100644 index 0000000..b44fc39 --- /dev/null +++ b/apps/web/k8s/base/gitea-pull-secret-sealed.yaml @@ -0,0 +1,22 @@ +# PLACEHOLDER: Re-seal with Gitea registry credentials +# kubectl create secret docker-registry gitea-pull-secret \ +# --namespace apps \ +# --docker-server=gitea.coreworlds.io \ +# --docker-username=julia \ +# --docker-password= \ +# --dry-run=client -o yaml | kubeseal --format yaml \ +# --controller-namespace kube-system --controller-name sealed-secrets-helm +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: gitea-pull-secret + namespace: apps +spec: + encryptedData: + .dockerconfigjson: PLACEHOLDER_SEAL_ME + template: + metadata: + name: gitea-pull-secret + namespace: apps + type: kubernetes.io/dockerconfigjson diff --git a/apps/web/k8s/base/kustomization.yaml b/apps/web/k8s/base/kustomization.yaml index bd998d0..ce7de71 100644 --- a/apps/web/k8s/base/kustomization.yaml +++ b/apps/web/k8s/base/kustomization.yaml @@ -4,4 +4,4 @@ resources: - deployment.yaml - service.yaml - ingress.yaml - - ghcr-pull-secret-sealed.yaml + - gitea-pull-secret-sealed.yaml diff --git a/apps/web/k8s/overlays/production/kustomization.yaml b/apps/web/k8s/overlays/production/kustomization.yaml index 93c4c69..7d15e4e 100644 --- a/apps/web/k8s/overlays/production/kustomization.yaml +++ b/apps/web/k8s/overlays/production/kustomization.yaml @@ -14,6 +14,6 @@ patches: kind: Deployment name: web images: -- name: ghcr.io/lazorgurl/homelab-web - newName: ghcr.io/lazorgurl/homelab-web +- name: gitea.coreworlds.io/julia/homelab-web + newName: gitea.coreworlds.io/julia/homelab-web newTag: da95687db90d2790cac12ad2e66fa16388712871 diff --git a/infra/kubernetes/argocd/app-of-apps.yaml b/infra/kubernetes/argocd/app-of-apps.yaml index ae9124d..bb6c450 100644 --- a/infra/kubernetes/argocd/app-of-apps.yaml 
+++ b/infra/kubernetes/argocd/app-of-apps.yaml @@ -8,7 +8,7 @@ metadata: spec: project: default source: - repoURL: git@github.com:lazorgurl/homelab.git + repoURL: ssh://git@gitea-ssh.platform.svc:2222/julia/homelab.git targetRevision: main path: infra/kubernetes/argocd destination: diff --git a/infra/kubernetes/argocd/appsets/apps.yaml b/infra/kubernetes/argocd/appsets/apps.yaml index e05985f..e4144cd 100644 --- a/infra/kubernetes/argocd/appsets/apps.yaml +++ b/infra/kubernetes/argocd/appsets/apps.yaml @@ -8,7 +8,7 @@ spec: goTemplateOptions: ["missingkey=error"] generators: - git: - repoURL: git@github.com:lazorgurl/homelab.git + repoURL: ssh://git@gitea-ssh.platform.svc:2222/julia/homelab.git revision: main directories: - path: apps/*/k8s/overlays/production @@ -18,7 +18,7 @@ spec: spec: project: default source: - repoURL: git@github.com:lazorgurl/homelab.git + repoURL: ssh://git@gitea-ssh.platform.svc:2222/julia/homelab.git targetRevision: main path: "{{ .path.path }}" destination: diff --git a/infra/kubernetes/argocd/appsets/platform.yaml b/infra/kubernetes/argocd/appsets/platform.yaml index e49a888..8b95c80 100644 --- a/infra/kubernetes/argocd/appsets/platform.yaml +++ b/infra/kubernetes/argocd/appsets/platform.yaml @@ -8,7 +8,7 @@ spec: goTemplateOptions: ["missingkey=error"] generators: - git: - repoURL: git@github.com:lazorgurl/homelab.git + repoURL: ssh://git@gitea-ssh.platform.svc:2222/julia/homelab.git revision: main directories: - path: infra/kubernetes/platform/* @@ -18,7 +18,7 @@ spec: spec: project: default source: - repoURL: git@github.com:lazorgurl/homelab.git + repoURL: ssh://git@gitea-ssh.platform.svc:2222/julia/homelab.git targetRevision: main path: "{{ .path.path }}" destination: diff --git a/infra/kubernetes/argocd/appsets/previews.yaml b/infra/kubernetes/argocd/appsets/previews.yaml index 1bc4e74..2ac2c41 100644 --- a/infra/kubernetes/argocd/appsets/previews.yaml +++ b/infra/kubernetes/argocd/appsets/previews.yaml 
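Review bot: Switching `repoURL` to `ssh://git@gitea-ssh.platform.svc:2222/julia/homelab.git` means ArgoCD verifies the SSH host key of `gitea-ssh.platform.svc` against `argocd-ssh-known-hosts-cm`; that entry is not added anywhere in this commit, so unless it already exists the repo connection fails with a host-key error and nothing syncs (the same URL is used in appsets/apps.yaml, appsets/platform.yaml, appsets/previews.yaml and as the `url` of argocd-gitea-repo-sealed.yaml). Add the Gitea SSH host public key to that ConfigMap rather than setting `insecure: true` on the repository secret, so a substituted in-cluster endpoint cannot serve ArgoCD different manifests. Separately, the app-of-apps and the platform ApplicationSet now depend on an in-cluster Gitea that ArgoCD itself deploys from this repository, so on a fresh cluster, or whenever Gitea is down, ArgoCD cannot fetch the manifests needed to bring Gitea back; the `sync-wave: "1"` on the Gitea Application does not help because the repo must be reachable before any wave renders. Document the bootstrap path (for example pointing the app-of-apps at the GitHub mirror mentioned in the commit message until Gitea is healthy) in a comment next to `repoURL`.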
@@ -8,9 +8,13 @@ spec: goTemplateOptions: ["missingkey=error"] generators: - pullRequest: - github: - owner: lazorgurl + gitea: + owner: julia repo: homelab + api: http://gitea-http.platform.svc:3000 + tokenRef: + secretName: argocd-gitea-token + key: token requeueAfterSeconds: 60 template: metadata: @@ -18,7 +22,7 @@ spec: spec: project: default source: - repoURL: git@github.com:lazorgurl/homelab.git + repoURL: ssh://git@gitea-ssh.platform.svc:2222/julia/homelab.git targetRevision: "{{ .branch }}" path: apps/*/k8s/overlays/preview kustomize: diff --git a/infra/kubernetes/argocd/argocd-gitea-repo-sealed.yaml b/infra/kubernetes/argocd/argocd-gitea-repo-sealed.yaml new file mode 100644 index 0000000..470897f --- /dev/null +++ b/infra/kubernetes/argocd/argocd-gitea-repo-sealed.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: argocd-gitea-repo + namespace: argocd +spec: + encryptedData: + sshPrivateKey: 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 + type: 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 + url: 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 + template: + metadata: + name: argocd-gitea-repo + namespace: argocd + labels: + argocd.argoproj.io/secret-type: repository diff --git a/infra/kubernetes/argocd/argocd-gitea-token-sealed.yaml b/infra/kubernetes/argocd/argocd-gitea-token-sealed.yaml new file mode 100644 index 0000000..92ee988 --- /dev/null +++ b/infra/kubernetes/argocd/argocd-gitea-token-sealed.yaml @@ -0,0 +1,15 @@ +# PLACEHOLDER: Re-seal with Gitea API token for PR generator +# ./scripts/seal-secret.sh argocd-gitea-token argocd token= +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: argocd-gitea-token + namespace: argocd +spec: + encryptedData: + token: PLACEHOLDER_SEAL_ME + template: + metadata: + name: argocd-gitea-token + namespace: argocd 
diff --git a/infra/kubernetes/argocd/kustomization.yaml b/infra/kubernetes/argocd/kustomization.yaml index fd47e22..17f2325 100644 --- a/infra/kubernetes/argocd/kustomization.yaml +++ b/infra/kubernetes/argocd/kustomization.yaml @@ -8,6 +8,8 @@ resources: - appsets/platform.yaml - appsets/apps.yaml - appsets/previews.yaml + - argocd-gitea-repo-sealed.yaml + - argocd-gitea-token-sealed.yaml - servicemonitor.yaml patches: - target: diff --git a/infra/kubernetes/platform/gitea-pg/cluster.yaml b/infra/kubernetes/platform/gitea-pg/cluster.yaml new file mode 100644 index 0000000..0bda725 --- /dev/null +++ b/infra/kubernetes/platform/gitea-pg/cluster.yaml @@ -0,0 +1,44 @@ +# Prerequisites: CloudNativePG operator must be installed first. +--- +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + name: gitea-pg + namespace: platform +spec: + instances: 1 + primaryUpdateStrategy: unsupervised + + storage: + storageClass: longhorn-nvme + size: 5Gi + + postgresql: + parameters: + max_connections: "100" + shared_buffers: 128MB + effective_cache_size: 256MB + work_mem: 4MB + + bootstrap: + initdb: + database: gitea + owner: gitea + secret: + name: gitea-pg-credentials + + backup: + barmanObjectStore: + destinationPath: s3://gitea-pg-backups/ + endpointURL: http://minio.platform.svc:9000 + s3Credentials: + accessKeyId: + name: pg-backup-s3-credentials + key: ACCESS_KEY_ID + secretAccessKey: + name: pg-backup-s3-credentials + key: SECRET_ACCESS_KEY + retentionPolicy: "30d" + + monitoring: + enablePodMonitor: true diff --git a/infra/kubernetes/platform/gitea-pg/gitea-pg-credentials-sealed.yaml b/infra/kubernetes/platform/gitea-pg/gitea-pg-credentials-sealed.yaml new file mode 100644 index 0000000..08fb6d0 --- /dev/null +++ b/infra/kubernetes/platform/gitea-pg/gitea-pg-credentials-sealed.yaml 
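Review bot: The `backup.barmanObjectStore` block in gitea-pg/cluster.yaml configures only WAL archiving and the destination; without a `ScheduledBackup` targeting `gitea-pg` no base backup is ever taken, so the `"30d"` retention policy has nothing to apply to and the archived WAL alone cannot restore the database. Add a ScheduledBackup (below) next to the Cluster and list it in gitea-pg/kustomization.yaml. The Cluster also references `pg-backup-s3-credentials` in `platform`, which this directory does not create, presumably shared with the existing homelab-pg cluster; confirm it exists before the first sync. With `instances: 1`, any rolling update of the single instance is downtime for Gitea, and with it the registry, the runner and ArgoCD's repo access; acceptable for a homelab, but worth a one-line comment on `instances`.
```yaml
---
apiVersion: postgresql.cnpg.io/v1
kind: ScheduledBackup
metadata:
  name: gitea-pg-daily
  namespace: platform
spec:
  schedule: "0 0 3 * * *"  # CloudNativePG cron format, seconds field first
  backupOwnerReference: self
  cluster:
    name: gitea-pg
```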
@@ -0,0 +1,14 @@ +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: gitea-pg-credentials + namespace: platform +spec: + encryptedData: + password: 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 + username: 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 + template: + metadata: + name: gitea-pg-credentials + namespace: platform diff --git a/infra/kubernetes/platform/gitea-pg/kustomization.yaml b/infra/kubernetes/platform/gitea-pg/kustomization.yaml new file mode 100644 index 0000000..e343943 --- /dev/null +++ b/infra/kubernetes/platform/gitea-pg/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - cluster.yaml + - gitea-pg-credentials-sealed.yaml diff --git a/infra/kubernetes/platform/gitea-runner/deployment.yaml b/infra/kubernetes/platform/gitea-runner/deployment.yaml new file mode 100644 index 0000000..b00ba86 --- /dev/null +++ b/infra/kubernetes/platform/gitea-runner/deployment.yaml 
@@ -0,0 +1,75 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gitea-runner + namespace: platform + labels: + app: gitea-runner +spec: + replicas: 1 + selector: + matchLabels: + app: gitea-runner + template: + metadata: + labels: + app: gitea-runner + spec: + containers: + - name: runner + image: gitea/act_runner:latest + env: + - name: GITEA_INSTANCE_URL + value: http://gitea-http.platform.svc:3000 + - name: GITEA_RUNNER_REGISTRATION_TOKEN + valueFrom: + secretKeyRef: + name: gitea-runner-token + key: token + - name: GITEA_RUNNER_LABELS + value: "ubuntu-latest:docker://node:20-bookworm,linux/amd64:docker://node:20-bookworm,cluster:docker://node:20-bookworm" + - name: DOCKER_HOST + value: tcp://localhost:2376 + - name: DOCKER_TLS_VERIFY + value: "1" + - name: DOCKER_CERT_PATH + value: /certs/client + volumeMounts: + - name: docker-certs + mountPath: /certs/client + readOnly: true + - name: runner-data + mountPath: /data + resources: + requests: + memory: 256Mi + cpu: 200m + limits: + memory: 1Gi + + - name: dind + image: docker:dind + securityContext: + privileged: true + env: + - name: DOCKER_TLS_CERTDIR + value: /certs + volumeMounts: + - name: docker-certs + mountPath: /certs + - name: dind-storage + mountPath: /var/lib/docker + resources: + requests: + memory: 512Mi + cpu: 500m + limits: + memory: 4Gi + + volumes: + - name: docker-certs + emptyDir: {} + - name: runner-data + emptyDir: {} + - name: dind-storage + emptyDir: {} diff --git a/infra/kubernetes/platform/gitea-runner/gitea-runner-token-sealed.yaml b/infra/kubernetes/platform/gitea-runner/gitea-runner-token-sealed.yaml new file mode 100644 index 0000000..52816ef --- /dev/null +++ b/infra/kubernetes/platform/gitea-runner/gitea-runner-token-sealed.yaml 
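Review bot: The `dind` sidecar runs `privileged: true` in the `platform` namespace, alongside the Postgres clusters, Valkey and Gitea itself, and it builds images for code that arrives via pull requests; a privileged container is effectively root on the node, so this workload belongs in its own namespace (so a Pod Security Standards label can stay on `platform`) and ideally on a dedicated, tainted node. Both `gitea/act_runner:latest` and `docker:dind` are unpinned, so the CI executor changes whenever the pod restarts; pin them, e.g. `image: gitea/act_runner:<pinned-version>` and `image: docker:<pinned-version>-dind`, and let a renovate-style bump move them. `runner-data` is an `emptyDir`, so the registration written under `/data` is lost on every restart and the pod re-registers with `GITEA_RUNNER_REGISTRATION_TOKEN` each time, accumulating stale runner entries in Gitea; a small PVC avoids that. The labels map `ubuntu-latest` to `docker://node:20-bookworm`, while the workflows in this commit run `docker`, `jq` and `kustomize` inside that container, none of which that image ships; confirm how act_runner exposes the DinD daemon to job containers under your config, or choose a job image that has the tools.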
@@ -0,0 +1,15 @@ +# PLACEHOLDER: Generate token from Gitea admin panel, then re-seal with: +# ./scripts/seal-secret.sh gitea-runner-token platform token= +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: gitea-runner-token + namespace: platform +spec: + encryptedData: + token: PLACEHOLDER_SEAL_ME + template: + metadata: + name: gitea-runner-token + namespace: platform diff --git a/infra/kubernetes/platform/gitea-runner/kustomization.yaml b/infra/kubernetes/platform/gitea-runner/kustomization.yaml new file mode 100644 index 0000000..5945673 --- /dev/null +++ b/infra/kubernetes/platform/gitea-runner/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - deployment.yaml + - gitea-runner-token-sealed.yaml diff --git a/infra/kubernetes/platform/gitea/application.yaml b/infra/kubernetes/platform/gitea/application.yaml new file mode 100644 index 0000000..cb0fa0a --- /dev/null +++ b/infra/kubernetes/platform/gitea/application.yaml 
@@ -0,0 +1,77 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: gitea-helm + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "1" +spec: + project: default + source: + repoURL: https://dl.gitea.com/charts/ + chart: gitea + targetRevision: 10.6.0 + helm: + valuesObject: + # Disable bundled dependencies — we use external DB and Valkey + postgresql: + enabled: false + postgresql-ha: + enabled: false + redis-cluster: + enabled: false + redis: + enabled: false + + gitea: + admin: + existingSecret: gitea-admin-credentials + config: + database: + DB_TYPE: postgres + HOST: gitea-pg-rw.platform.svc:5432 + NAME: gitea + USER: gitea + PASSWD: + _secret: gitea-pg-credentials + _key: password + cache: + ADAPTER: redis + HOST: redis://valkey.platform.svc:6379/0 + session: + PROVIDER: redis + PROVIDER_CONFIG: redis://valkey.platform.svc:6379/1 + server: + DOMAIN: gitea.coreworlds.io + ROOT_URL: https://gitea.coreworlds.io + SSH_DOMAIN: gitea.coreworlds.io + SSH_PORT: 2222 + SSH_LISTEN_PORT: 2222 + actions: + ENABLED: true + DEFAULT_ACTIONS_URL: github + packages: + ENABLED: true + + persistence: + enabled: true + storageClass: longhorn-nvme + size: 20Gi + + service: + http: + type: ClusterIP + port: 3000 + ssh: + type: NodePort + port: 2222 + nodePort: 30022 + destination: + server: https://kubernetes.default.svc + namespace: platform + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/infra/kubernetes/platform/gitea/gitea-admin-credentials-sealed.yaml b/infra/kubernetes/platform/gitea/gitea-admin-credentials-sealed.yaml new file mode 100644 index 0000000..81a145a --- /dev/null +++ b/infra/kubernetes/platform/gitea/gitea-admin-credentials-sealed.yaml 
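Review bot: `gitea.config` sets no `service` section, so Gitea keeps its default `DISABLE_REGISTRATION = false` and the instance, published at `https://gitea.coreworlds.io` behind a public certificate, accepts self-service sign-ups from anyone; add `service:` with `DISABLE_REGISTRATION: true` (and `REQUIRE_SIGNIN_VIEW: true` if nothing needs anonymous read access) next to `server`. The `PASSWD:` value given as a mapping with `_secret`/`_key` is not a form I recognise from the chart's `gitea.config` handling, which renders plain key/value pairs into app.ini; confirm it is supported at `targetRevision: 10.6.0`, otherwise inject the password through `gitea.additionalConfigFromEnvs` as `ENV_TO_INI__DATABASE__PASSWD` read from the `gitea-pg-credentials` secret, so the database password never appears in the rendered values. `SSH_PORT: 2222` advertises port 2222 on `gitea.coreworlds.io` in clone URLs, but the only external exposure here is the `NodePort` on 30022, so those URLs will be wrong unless something outside the cluster forwards 2222 to that NodePort; state the intended path in a comment on `service.ssh`.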
@@ -0,0 +1,15 @@ +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: gitea-admin-credentials + namespace: platform +spec: + encryptedData: + email: 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 + password: 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 + username: AgB6BwW09UpcuuaSleENE6cSq7scTB0i0TJenoV9Jj0XPWiMY+PV+S5evntouQejSd8ULcHs7A3g1Gmz3VofQiHck/V1+BJQByEbm4W3s5xn1rVnAfSHiApS7EaJwOEvUIPVmah/f7oKttHyOSEs7C0jTVbZViHoJemNo1KR+PE3+N1g4Gvse6/4LsoQ9+OTRZ1HDGKA8XybpZhrcNE/iSC9yqAxw4hblHnSsUSo9zDz7erz6MUwmz/ExBwLqIdOp5FUL6DEjdnOucXFW6Fi0v1iKOjqz1SPqnFFrRvqR6WK9aYS2iOYQVre5WosdQokV843mc6akjyJ4lvqL27h3vpJsHmfETbhVO/UBLyUMXOVnXNHBeJU0sjDz1wkM+Ffsjm8R+nG/99PUpTNzZfSWRPdpCyUWJP2n31TfeUteYubfQOZTtjMZWAZjcR9KB7grku5rNMSTyg9QTOhqsi0gxPTQ5KWeN3JRf5G+rCInRmISw8YMHqnIIUZrTuQSgxzXmN9TPXqjxhyWZcPtR3w7W51xwqPyBp4whdA8W8NTcUOSP1lgUWJroevPGz0bfOxnudq6W8myhtlALF39KNnJZMbn8v9ND6UJkOZ8X1OxiupwmwV8rrd9+8vQ2d601/u35gwJqXkMzZ8SaWTH6nh1iM37fqerrp6KKqQ21QSBPIXjLls9zm99XdDjEYqHcytCUlBnK9ZDg== + template: + metadata: + name: gitea-admin-credentials + namespace: platform diff --git a/infra/kubernetes/platform/gitea/kustomization.yaml b/infra/kubernetes/platform/gitea/kustomization.yaml new file mode 100644 index 0000000..0a02a6f --- /dev/null +++ b/infra/kubernetes/platform/gitea/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - application.yaml + - gitea-admin-credentials-sealed.yaml diff --git a/infra/kubernetes/platform/traefik/certificate-internal.yaml b/infra/kubernetes/platform/traefik/certificate-internal.yaml index be82dbd..d4c49ac 100644 --- a/infra/kubernetes/platform/traefik/certificate-internal.yaml +++ b/infra/kubernetes/platform/traefik/certificate-internal.yaml 
@@ -49,3 +49,16 @@ spec: kind: ClusterIssuer dnsNames: - harness.coreworlds.io +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: gitea-tls + namespace: platform +spec: + secretName: gitea-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + dnsNames: + - gitea.coreworlds.io diff --git a/infra/kubernetes/platform/traefik/ingressroute-gitea.yaml b/infra/kubernetes/platform/traefik/ingressroute-gitea.yaml new file mode 100644 index 0000000..239d071 --- /dev/null +++ b/infra/kubernetes/platform/traefik/ingressroute-gitea.yaml @@ -0,0 +1,19 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: gitea + namespace: platform + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production +spec: + entryPoints: + - websecure + routes: + - match: Host(`gitea.coreworlds.io`) + kind: Rule + services: + - name: gitea-http + namespace: platform + port: 3000 + tls: + secretName: gitea-tls diff --git a/infra/kubernetes/platform/traefik/kustomization.yaml b/infra/kubernetes/platform/traefik/kustomization.yaml index 4285e74..411efe8 100644 --- a/infra/kubernetes/platform/traefik/kustomization.yaml +++ b/infra/kubernetes/platform/traefik/kustomization.yaml @@ -8,5 +8,6 @@ resources: - ingressroute-grafana.yaml - ingressroute-longhorn.yaml - ingressroute-harness.yaml + - ingressroute-gitea.yaml - certificate-internal.yaml - servicemonitor.yaml
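Review bot: The `cert-manager.io/cluster-issuer` annotation on the new IngressRoute in ingressroute-gitea.yaml has no effect, because cert-manager's ingress-shim only watches `Ingress` objects, not Traefik IngressRoutes; the certificate is already requested explicitly by the `gitea-tls` Certificate added to certificate-internal.yaml, so drop the annotation rather than leave the impression it is what issues the cert. The route forwards to `gitea-http` on plain port 3000 after TLS termination, which matches `ROOT_URL: https://gitea.coreworlds.io`; confirm Traefik forwards `X-Forwarded-Proto` so Gitea builds https links and does not flag requests as insecure.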