Add initial Kubernetes config files
This includes all the resources currently running on https://gitea.kosmos.org It sets up a persistent data volume for the MySQL database, one for the Gitea data, that Gitea calls the custom folder (config, attachment, avatars, logs, etc). We mount that persistent data volume as /data/gitea. It also creates a Let's Encrypt certificate for gitea.kosmos.org, also saved to the custom folder. This also includes two scripts: * `./script/get_secrets` downloads the secrets to the local filesystem so they can be edited * `./script/replace_secrets` deletes the remote secrets and creates them again from the local ones in kubernetes/config/* Closes #6
This commit is contained in:
parent
bdc9294260
commit
4c463adcda
|
@ -0,0 +1 @@
|
||||||
|
/kubernetes/config/
|
31
README.md
31
README.md
|
@ -7,3 +7,34 @@ Feel free to [open issues] for questions, suggestions, bugs, to-do items, and
|
||||||
whatever else you want to discuss or resolve.
|
whatever else you want to discuss or resolve.
|
||||||
|
|
||||||
[open issues]: https://gitea.kosmos.org/kosmos/gitea.kosmos.org/issues
|
[open issues]: https://gitea.kosmos.org/kosmos/gitea.kosmos.org/issues
|
||||||
|
|
||||||
|
## Kubernetes
|
||||||
|
|
||||||
|
### Apply changes to resources
|
||||||
|
|
||||||
|
```
|
||||||
|
kubectl apply -f gitea-db.yaml
|
||||||
|
kubectl apply -f gitea-server.yaml
|
||||||
|
```
|
||||||
|
|
||||||
|
### Write the secrets to the local filesystem
|
||||||
|
|
||||||
|
```
|
||||||
|
./script/get_secrets
|
||||||
|
```
|
||||||
|
|
||||||
|
It writes the secrets (currently the app.ini file, as well as auto-generated
|
||||||
|
TLS certificates that are only used when no Let's Encrypt cert is available)
|
||||||
|
to the `kubernetes/config/` folder. These files are not in Git because they
|
||||||
|
contain credentials.
|
||||||
|
|
||||||
|
Once you have edited them locally, you need to delete the secrets stored on
|
||||||
|
Kubernetes before uploading them again. This is done by this script:
|
||||||
|
|
||||||
|
```
|
||||||
|
./script/replace_secrets
|
||||||
|
```
|
||||||
|
|
||||||
|
### Reuse a released persistent volume:
|
||||||
|
|
||||||
|
https://github.com/kubernetes/kubernetes/issues/48609#issuecomment-314066616
|
||||||
|
|
|
@ -0,0 +1,69 @@
|
||||||
|
apiVersion: extensions/v1beta1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: gitea-db
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
strategy:
|
||||||
|
type: Recreate
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
name: gitea-db
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- env:
|
||||||
|
- name: MYSQL_DATABASE
|
||||||
|
value: gitea
|
||||||
|
- name: MYSQL_ROOT_PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: mysql-pass
|
||||||
|
key: password
|
||||||
|
- name: MYSQL_PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: gitea-mysql-pass
|
||||||
|
key: password
|
||||||
|
- name: MYSQL_USER
|
||||||
|
value: gitea
|
||||||
|
image: mariadb:10.3.10
|
||||||
|
name: gitea-db
|
||||||
|
resources: {}
|
||||||
|
ports:
|
||||||
|
- containerPort: 3306
|
||||||
|
name: mysql
|
||||||
|
volumeMounts:
|
||||||
|
- mountPath: /var/lib/mysql
|
||||||
|
name: gitea-db-data
|
||||||
|
restartPolicy: Always
|
||||||
|
volumes:
|
||||||
|
- name: gitea-db-data
|
||||||
|
persistentVolumeClaim:
|
||||||
|
claimName: gitea-db-data
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: PersistentVolumeClaim
|
||||||
|
metadata:
|
||||||
|
name: gitea-db-data
|
||||||
|
labels:
|
||||||
|
name: gitea-db-data
|
||||||
|
spec:
|
||||||
|
accessModes:
|
||||||
|
- ReadWriteOnce
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
storage: 1Gi
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: gitea-db
|
||||||
|
labels:
|
||||||
|
service: gitea-db
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
name: gitea-db
|
||||||
|
type: ClusterIP
|
||||||
|
ports:
|
||||||
|
- port: 3306
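Review bot: The Deployment at the top of this hunk is declared as `apiVersion: extensions/v1beta1`, an API that has been deprecated and removed from current Kubernetes releases; moving it to `apiVersion: apps/v1` also requires an explicit `spec.selector` (`selector: matchLabels: name: gitea-db`, matching the pod template labels), which this manifest does not have. The same applies to the gitea-server Deployment in the next hunk. `resources: {}` leaves the database container with no requests or limits, so under node memory pressure this pod is evicted or OOM-killed ahead of workloads that do declare them; at least `requests` for cpu and memory belong here. The root and application passwords are both read from Secrets that this commit does not create, so a comment noting that `mysql-pass` and `gitea-mysql-pass` must exist before `kubectl apply` would spare the next operator a pod stuck in CreateContainerConfigError.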
|
|
@ -0,0 +1,111 @@
|
||||||
|
apiVersion: extensions/v1beta1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: gitea-server
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
name: gitea-server
|
||||||
|
spec:
|
||||||
|
initContainers:
|
||||||
|
- name: init-config
|
||||||
|
image: busybox
|
||||||
|
command: ['sh', '-c', 'mkdir -p /data/gitea/conf && mkdir -p /data/gitea/https && cp /root/conf/app.ini /data/gitea/conf/app.ini && chown 1000:1000 /data/gitea/conf/app.ini && chmod 660 /data/gitea/conf/app.ini && cp /root/conf/*.pem /data/gitea/https && chmod 600 /data/gitea/https/*.pem && chown -R 1000:1000 /data/gitea']
|
||||||
|
volumeMounts:
|
||||||
|
- mountPath: /data
|
||||||
|
name: gitea-server-data
|
||||||
|
- mountPath: /root/conf
|
||||||
|
name: config
|
||||||
|
containers:
|
||||||
|
# This is only used for the initial setup, it does nothing once a app.ini
|
||||||
|
# file exists in the conf/ directory of the data directory
|
||||||
|
# (/data/gitea/conf in our case)
|
||||||
|
- env:
|
||||||
|
- name: DB_HOST
|
||||||
|
value: gitea-db:3306
|
||||||
|
- name: DB_NAME
|
||||||
|
value: gitea
|
||||||
|
- name: DB_PASSWD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: gitea-mysql-pass
|
||||||
|
key: password
|
||||||
|
- name: DB_TYPE
|
||||||
|
value: mysql
|
||||||
|
- name: DB_USER
|
||||||
|
value: gitea
|
||||||
|
- name: ROOT_URL
|
||||||
|
value: https://gitea.kosmos.org
|
||||||
|
- name: RUN_MODE
|
||||||
|
value: prod
|
||||||
|
- name: SECRET_KEY
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: gitea-secret-key
|
||||||
|
key: password
|
||||||
|
- name: SSH_DOMAIN
|
||||||
|
value: gitea.kosmos.org
|
||||||
|
image: 5apps/gitea:latest
|
||||||
|
name: gitea-server
|
||||||
|
ports:
|
||||||
|
- containerPort: 3000
|
||||||
|
- containerPort: 3001
|
||||||
|
- containerPort: 22
|
||||||
|
resources: {}
|
||||||
|
volumeMounts:
|
||||||
|
- mountPath: /data
|
||||||
|
name: gitea-server-data
|
||||||
|
restartPolicy: Always
|
||||||
|
volumes:
|
||||||
|
- name: gitea-server-data
|
||||||
|
persistentVolumeClaim:
|
||||||
|
claimName: gitea-server-data
|
||||||
|
- name: config
|
||||||
|
secret:
|
||||||
|
secretName: gitea-config
|
||||||
|
items:
|
||||||
|
- key: app.ini
|
||||||
|
path: app.ini
|
||||||
|
mode: 256
|
||||||
|
- key: cert.pem
|
||||||
|
path: cert.pem
|
||||||
|
mode: 256
|
||||||
|
- key: key.pem
|
||||||
|
path: key.pem
|
||||||
|
mode: 256
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: PersistentVolumeClaim
|
||||||
|
metadata:
|
||||||
|
name: gitea-server-data
|
||||||
|
spec:
|
||||||
|
accessModes:
|
||||||
|
- ReadWriteOnce
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
storage: 1Gi
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: gitea-server
|
||||||
|
labels:
|
||||||
|
name: gitea-server
|
||||||
|
spec:
|
||||||
|
type: LoadBalancer
|
||||||
|
# preserves the client source IP
|
||||||
|
externalTrafficPolicy: Local
|
||||||
|
ports:
|
||||||
|
- name: "ssh"
|
||||||
|
port: 22
|
||||||
|
targetPort: 22
|
||||||
|
- name: "http"
|
||||||
|
port: 80
|
||||||
|
targetPort: 3001
|
||||||
|
- name: "https"
|
||||||
|
port: 443
|
||||||
|
targetPort: 3000
|
||||||
|
selector:
|
||||||
|
name: gitea-server
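Review bot: The gitea-server Deployment sets no `strategy`, so the default RollingUpdate starts a replacement pod before the old one is gone, and both then claim `gitea-server-data`, which is `ReadWriteOnce`; depending on scheduling that either fails to attach or leaves two Gitea instances writing the same data directory. gitea-db sets `strategy: type: Recreate` for exactly this reason, and the same two lines belong under `spec` here. `image: 5apps/gitea:latest` and the init container's `image: busybox` are mutable tags, so a pod restart can pull different code with no change in this repository; pin them by tag, as `mariadb:10.3.10` already is, or by digest. The Secret items use `mode: 256`, which is decimal for octal 0400 and easy to misread; a one-line comment such as `# 256 == 0400 (owner read-only)` above the first `mode:` would make the intent clear.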
|
|
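--- a/script/get_secrets
+++ b/script/get_secrets
@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+
+require 'yaml'
+require 'base64'
+
+secret = `kubectl get secret gitea-config -o yaml`
+yaml = YAML.load(secret)
+
+yaml['data'].each do |key, data|
+filename = File.join('kubernetes', 'config', key)
+File.open(filename, "w+") do |f|
+puts "Writing #(unknown)"
+f.write Base64.decode64(data)
+end
+end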
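Review bot: The files this script writes hold credentials (app.ini with the database password, key.pem), but `File.open(filename, "w+")` creates them with the process umask, which on most systems means world-readable 0644; pass an explicit mode, `File.open(filename, 'w+', 0600) do |f|`. `YAML.load(secret)` should be `YAML.safe_load(secret)`: a Secret manifest needs no custom tags, and on older Psych versions `load` instantiates arbitrary Ruby objects from tagged input. `yaml['data']` is nil when the secret exists but has no `data` key, which surfaces as a NoMethodError rather than a clear message. The `puts "Writing #(unknown)"` line appears garbled on this page and presumably interpolates the filename; worth confirming against the source.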
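--- a/script/replace_secrets
+++ b/script/replace_secrets
@@ -0,0 +1,7 @@
+#!/usr/bin/env sh
+
+# Delete the gitea-config secrets
+kubectl delete secret gitea-config
+# Replace it from the local files in kubernetes/config/* (acquired by running
+# ./script/get_secrets)
+kubectl create secret generic gitea-config --from-file=cert.pem=kubernetes/config/cert.pem --from-file=key.pem=kubernetes/config/key.pem --from-file=app.ini=kubernetes/config/app.ini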
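Review bot: The script deletes `gitea-config` and only then recreates it, with no `set -e` and no check that the three local files exist, so if `kubectl create` fails (a missing `kubernetes/config/key.pem`, an expired kubeconfig) the cluster is left without the Secret and the next gitea-server pod start fails in its init container, which mounts it. Generating the Secret client-side and applying it replaces the object in one step with no window where it is absent: `kubectl create secret generic gitea-config --from-file=cert.pem=kubernetes/config/cert.pem --from-file=key.pem=kubernetes/config/key.pem --from-file=app.ini=kubernetes/config/app.ini --dry-run=client -o yaml | kubectl apply -f -`. With that form the `kubectl delete secret gitea-config` line and its comment go away; if the delete-then-create pair is kept instead, add `set -eu` after the shebang so a failed step stops the script.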