
Add initial Kubernetes config files

This includes all the resources currently running on https://gitea.kosmos.org

It sets up a persistent data volume for the MySQL database and one for the
Gitea data, which Gitea calls the custom folder (config, attachments,
avatars, logs, etc.). We mount that persistent data volume as
/data/gitea. It also creates a Let's Encrypt certificate for
gitea.kosmos.org, also saved to the custom folder.

This also includes two scripts:

* `./script/get_secrets` downloads the secrets to the local filesystem so
they can be edited
* `./script/replace_secrets` deletes the remote secrets and creates them
again from the local ones in kubernetes/config/*

Closes #6
pull/7/head
greg 3 years ago
parent
commit
4c463adcda
7 changed files:
1. .gitignore (+1)
2. README.md (+31)
3. kubernetes/config/.gitkeep (+0)
4. kubernetes/gitea-db.yaml (+69)
5. kubernetes/gitea-server.yaml (+111)
6. script/get_secrets (+15)
7. script/replace_secrets (+7)

.gitignore (+1)

@ -0,0 +1 @@
/kubernetes/config/
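Review bot: the pattern `/kubernetes/config/` ignores the whole directory, which also matches the `kubernetes/config/.gitkeep` placeholder added in this same commit, so it could only have been staged with `git add -f` and anyone recreating the directory will hit the same thing. Ignoring the contents while whitelisting the placeholder keeps the intent (no credential files in Git) without that side effect: `/kubernetes/config/*` followed by `!/kubernetes/config/.gitkeep`.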

README.md (+31)

@ -7,3 +7,34 @@ Feel free to [open issues] for questions, suggestions, bugs, to-do items, and
whatever else you want to discuss or resolve.
[open issues]: https://gitea.kosmos.org/kosmos/gitea.kosmos.org/issues
## Kubernetes
### Apply changes to resources
```
kubectl apply -f gitea-db.yaml
kubectl apply -f gitea-server.yaml
```
### Write the secrets to the local filesystem
```
./script/get_secrets
```
It writes the secrets (currently the app.ini file, as well as auto-generated
TLS certificates that are only used when no Let's Encrypt cert is available)
to the `kubernetes/config/` folder. These files are not in Git because they
contain credentials.
Once you have edited them locally, you need to delete the secrets stored on
Kubernetes before uploading them again. This is done by this script:
```
./script/replace_secrets
```
### Reuse a released persistent volume:
https://github.com/kubernetes/kubernetes/issues/48609#issuecomment-314066616
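Review bot: the `kubectl apply -f gitea-db.yaml` and `kubectl apply -f gitea-server.yaml` commands only work from inside `kubernetes/`, while `./script/get_secrets` and `./script/replace_secrets` only work from the repository root (they read and write `kubernetes/config/`); either state the working directory once at the top of the section or write `kubectl apply -f kubernetes/gitea-db.yaml` so every command in the section runs from the same place. Since the text says the files written to `kubernetes/config/` contain credentials, add a sentence telling the reader to delete them again once `replace_secrets` has uploaded the edit. The heading `### Reuse a released persistent volume:` should drop the trailing colon, matching the other headings, and say in one line what the linked issue comment is the workaround for instead of standing as a bare URL.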

kubernetes/config/.gitkeep (+0)

kubernetes/gitea-db.yaml (+69)

@ -0,0 +1,69 @@
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: gitea-db
spec:
replicas: 1
strategy:
type: Recreate
template:
metadata:
labels:
name: gitea-db
spec:
containers:
- env:
- name: MYSQL_DATABASE
value: gitea
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: mysql-pass
key: password
- name: MYSQL_PASSWORD
valueFrom:
secretKeyRef:
name: gitea-mysql-pass
key: password
- name: MYSQL_USER
value: gitea
image: mariadb:10.3.10
name: gitea-db
resources: {}
ports:
- containerPort: 3306
name: mysql
volumeMounts:
- mountPath: /var/lib/mysql
name: gitea-db-data
restartPolicy: Always
volumes:
- name: gitea-db-data
persistentVolumeClaim:
claimName: gitea-db-data
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gitea-db-data
labels:
name: gitea-db-data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
name: gitea-db
labels:
service: gitea-db
spec:
selector:
name: gitea-db
type: ClusterIP
ports:
- port: 3306
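Review bot: the Deployment reads `mysql-pass` and `gitea-mysql-pass` through `secretKeyRef`, but nothing in this change creates either Secret; the README and `script/replace_secrets` only manage `gitea-config`, so on a fresh cluster the `gitea-db` pod cannot start until someone creates them by hand. Document how those two Secrets (and `gitea-secret-key`, used by gitea-server.yaml) are created, or have `replace_secrets` manage them as well. Separately, `apiVersion: extensions/v1beta1` for a Deployment is a deprecated API; `apps/v1` is the stable one and requires a `spec.selector` that matches the `name: gitea-db` pod label. Pinning `mariadb:10.3.10` to an exact tag is the right call; note that `resources: {}` leaves the database with no memory or CPU limit.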

kubernetes/gitea-server.yaml (+111)

@ -0,0 +1,111 @@
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: gitea-server
spec:
replicas: 1
template:
metadata:
labels:
name: gitea-server
spec:
initContainers:
- name: init-config
image: busybox
command: ['sh', '-c', 'mkdir -p /data/gitea/conf && mkdir -p /data/gitea/https && cp /root/conf/app.ini /data/gitea/conf/app.ini && chown 1000:1000 /data/gitea/conf/app.ini && chmod 660 /data/gitea/conf/app.ini && cp /root/conf/*.pem /data/gitea/https && chmod 600 /data/gitea/https/*.pem && chown -R 1000:1000 /data/gitea']
volumeMounts:
- mountPath: /data
name: gitea-server-data
- mountPath: /root/conf
name: config
containers:
# This is only used for the initial setup, it does nothing once a app.ini
# file exists in the conf/ directory of the data directory
# (/data/gitea/conf in our case)
- env:
- name: DB_HOST
value: gitea-db:3306
- name: DB_NAME
value: gitea
- name: DB_PASSWD
valueFrom:
secretKeyRef:
name: gitea-mysql-pass
key: password
- name: DB_TYPE
value: mysql
- name: DB_USER
value: gitea
- name: ROOT_URL
value: https://gitea.kosmos.org
- name: RUN_MODE
value: prod
- name: SECRET_KEY
valueFrom:
secretKeyRef:
name: gitea-secret-key
key: password
- name: SSH_DOMAIN
value: gitea.kosmos.org
image: 5apps/gitea:latest
name: gitea-server
ports:
- containerPort: 3000
- containerPort: 3001
- containerPort: 22
resources: {}
volumeMounts:
- mountPath: /data
name: gitea-server-data
restartPolicy: Always
volumes:
- name: gitea-server-data
persistentVolumeClaim:
claimName: gitea-server-data
- name: config
secret:
secretName: gitea-config
items:
- key: app.ini
path: app.ini
mode: 256
- key: cert.pem
path: cert.pem
mode: 256
- key: key.pem
path: key.pem
mode: 256
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gitea-server-data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
name: gitea-server
labels:
name: gitea-server
spec:
type: LoadBalancer
# preserves the client source IP
externalTrafficPolicy: Local
ports:
- name: "ssh"
port: 22
targetPort: 22
- name: "http"
port: 80
targetPort: 3001
- name: "https"
port: 443
targetPort: 3000
selector:
name: gitea-server
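Review bot: this Deployment sets no `strategy`, so it defaults to RollingUpdate, yet it mounts the `ReadWriteOnce` claim `gitea-server-data`; when a rollout schedules the replacement pod on another node it cannot attach the volume while the old pod still holds it, and the update hangs. `gitea-db.yaml` in this same change sets `strategy: type: Recreate` for exactly this situation; do the same here. Other points: `image: 5apps/gitea:latest` is unpinned, so a pod restart may pull a different Gitea version onto the same data volume (the database image is pinned to `10.3.10`, so the two files are inconsistent); the init container copies `app.ini` from the Secret unconditionally on every start, which is fine if the Secret is meant to be the single source of truth, but the comment under `containers:` says the env vars do nothing once `app.ini` exists, so a short comment on the init container saying that the Secret overwrites the on-disk config on each restart would spare the next reader the confusion; `mode: 256` is decimal for octal 0400 and deserves a comment or the `0400` spelling; and the `extensions/v1beta1` apiVersion point raised on gitea-db.yaml applies here too.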

script/get_secrets (+15)

@ -0,0 +1,15 @@
#!/usr/bin/env ruby
require 'yaml'
require 'base64'
secret = `kubectl get secret gitea-config -o yaml`
yaml = YAML.load(secret)
yaml['data'].each do |key, data|
filename = File.join('kubernetes', 'config', key)
File.open(filename, "w+") do |f|
puts "Writing #(unknown)"
f.write Base64.decode64(data)
end
end
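Review bot: the log line `puts "Writing #(unknown)"` does not interpolate the path, so the script prints the same literal string for every file instead of the name it is writing; it should read `puts "Writing #{filename}"`. Since the decoded files are credentials (the README says as much), create them with a restrictive mode rather than the default umask, e.g. `File.open(filename, 'w', 0600)` (`'w+'` opens read-write, which nothing here needs), and check that the backtick `kubectl` call succeeded (`$?.success?`) before parsing its output, otherwise a failed call turns into a confusing error on an empty string. `YAML.safe_load` is also preferable to `YAML.load` for output coming from an external command.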

script/replace_secrets (+7)

@ -0,0 +1,7 @@
#!/usr/bin/env sh
# Delete the gitea-config secrets
kubectl delete secret gitea-config
# Replace it from the local files in kubernetes/config/* (acquired by running
# ./script/get_secrets)
kubectl create secret generic gitea-config --from-file=cert.pem=kubernetes/config/cert.pem --from-file=key.pem=kubernetes/config/key.pem --from-file=app.ini=kubernetes/config/app.ini
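Review bot: `kubectl delete secret gitea-config` runs before the `kubectl create secret` that replaces it, and the script has no `set -e`, so if the create fails (a missing file under `kubernetes/config/`, an expired kubeconfig) the cluster is left with no `gitea-config` Secret while the gitea-server Deployment still mounts it, and the next pod restart fails. Generate the new Secret and apply it over the old one instead, which also removes the window in which the Secret does not exist: `kubectl create secret generic gitea-config --from-file=... --dry-run=client -o yaml | kubectl apply -f -` (`--dry-run` without the argument on older kubectl). At minimum add `set -e` and check that the three files exist before deleting anything.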