Merge branch 'master' into feature/4-label_sets

Closes #18

.gitignore

@@ -1 +1 @@
-/kubernetes/config/
+/kubernetes/custom/config/

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "vendor/ark"]
+	path = vendor/ark
+	url = git@github.com:heptio/ark.git

README.md

@@ -7,34 +7,3 @@ Feel free to [open issues] for questions, suggestions, bugs, to-do items, and
 whatever else you want to discuss or resolve.
 
 [open issues]: https://gitea.kosmos.org/kosmos/gitea.kosmos.org/issues
-
-## Kubernetes
-
-### Apply changes to resources
-
-```
-kubectl apply -f gitea-db.yaml
-kubectl apply -f gitea-server.yaml
-```
-
-### Write the secrets to the local filesystem
-
-```
-./script/get_secrets
-```
-
-It writes the secrets (currently the app.ini file, as well as auto-generated
-TLS certificates that are only used when no Let's Encrypt cert is available)
-to the `kubernetes/config/` folder. These files are not in Git because they
-contain credentials.
-
-Once you have edited them locally, you need to delete the secrets stored on
-Kubernetes before uploading them again. This is done by this script:
-
-```
-./script/replace_secrets
-```
-
-### Reuse a released persistent volume:
-
-https://github.com/kubernetes/kubernetes/issues/48609#issuecomment-314066616

doc/backup-and-restore.md

@@ -0,0 +1,36 @@
+# Backups
+
+We're using [Ark][1] for backing up Kubernetes config and GKE resources. It is
+available as a Git submodule in the `vendor/` folder (incl. the `ark`
+executable).
+
+In order to initialize and update submodules in your local repo, run once:
+
+    git submodule update --init
+
+Then, to fetch/update the modules, run:
+
+    git submodule update
+
+The Ark service is running on the Sidamo cluster and was set up using the
+[official docs' GCP instructions and config files][4]. There's a daily backup
+schedule in effect for Gitea (using the label `app=gitea`).
+
+Please refer to Ark's [ Getting Started ][5] doc for all backup and restore
+commands.
+
+## Backup location
+
+Cluster configuration (including all live resources) is backed up to [a Google
+Cloud Storage container][3].
+
+## Persistent volumes
+
+Persistent volumes are just GCE disks. Thus, with the current config, Ark
+creates volume snapshots as native [GCE disk snapshots][2].
+
+[1]: https://heptio.github.io/ark/v0.10.0
+[2]: https://console.cloud.google.com/compute/snapshots?organizationId=772167872692&project=fluted-magpie-218106&tab=snapshots&snapshotssize=50
+[3]: https://console.cloud.google.com/storage/browser/sidamo-backups?project=fluted-magpie-218106&organizationId=772167872692
+[4]: https://heptio.github.io/ark/v0.10.0/gcp-config
+[5]: https://heptio.github.io/ark/v0.10.0/get-started

doc/kubernetes.md

@@ -0,0 +1,71 @@
+# Kubernetes / GKE
+
+This Gitea instance is currently hosted on Google Kubernetes Engine.
+
+## Apply changes to resources
+
+```
+kubectl apply -f gitea-db.yaml
+kubectl apply -f gitea-server.yaml
+```
+
+## Write the secrets to the local filesystem
+
+```
+./script/get_secrets
+```
+
+It writes the secrets (currently the app.ini file, as well as auto-generated
+TLS certificates that are only used when no Let's Encrypt cert is available)
+to the `kubernetes/config/` folder. These files are not in Git because they
+contain credentials.
+
+Once you have edited them locally, you need to delete the secrets stored on
+Kubernetes before uploading them again. This is done by this script:
+
+```
+./script/replace_secrets
+```
+
+## Reuse a released persistent volume:
+
+> When you delete a PVC, corresponding PV becomes `Released`. This PV can contain sensitive data (say credit card numbers) and therefore nobody can ever bind to it, even if it is a PVC with the same name and in the same namespace as the previous one - who knows who's trying to steal the data!
+> 
+> Admin intervention is required here. He has two options:
+> 
+>     * Make the PV available to everybody - delete `PV.Spec.ClaimRef`, Such PV can bound to any PVC (assuming that capacity, access mode and selectors match)
+> 
+>     * Make the PV available to a specific PVC - pre-fill `PV.Spec.ClaimRef` with a pointer to a PVC. Leave the `PV.Spec.ClaimRef,UID` empty, as the PVC does not to need exist at this point and you don't know PVC's UID. This PV can be bound only to the specified PVC.
+> 
+> 
+> @whitecolor, in your case you should be fine by clearing `PV.Spec.ClaimRef.UID` in the PV. Only the re-created PVC (with any UID) can then use the PV. And it's your responsibility that only the right person can craft appropriate PVC so nobody can steal your data.
+
+https://github.com/kubernetes/kubernetes/issues/48609#issuecomment-314066616
+
+## Update Gitea
+
+### Released version
+
+Change the image for the gitea-server container
+(`kubernetes/gitea-server.yaml`) to `gitea/gitea:TAG`, for example:
+`gitea/gitea:1.7.0-rc2`
+
+### Unreleased version
+
+This is useful to deploy features that are in master but not yet in a release.
+
+    $ docker pull gitea/gitea
+    $ docker tag gitea/gitea:latest kosmosorg/gitea:production
+    $ docker push kosmosorg/gitea
+
+Set the image for the gitea-server container to `kosmosorg/gitea:latest`, or run 
+this command to force a deployment if it is already set to it
+
+    $ kubectl patch deployment gitea-server -p "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"date\":\"`date +'%s'`\"}}}}}"
+
+### Build our own image
+
+At the root of the [https://github.com/go-gitea/gitea](gitea repo)
+
+    $ DOCKER_TAG=production DOCKER_IMAGE=kosmosorg/gitea make docker # builds and tags kosmosorg/gitea:production locally
+    $ docker push kosmosorg/gitea

kubernetes/custom/options/label/Default

@@ -0,0 +1,11 @@
+#db231d bug ; Something is not working
+#76db1d enhancement ; Improving existing functionality
+#1d76db feature ; New functionality
+#db1d76 idea ; Something to consider
+#db1d76 question ; Looking for an answer
+#fbca04 security ; All your base are belong to us
+#1dd5db ui/ux ; User interface, process design, etc.
+#333333 dev environment ; Config, builds, CI, deployment, etc.
+#cccccc duplicate ; This issue or pull request already exists
+#cccccc invalid ; Not a bug
+#cccccc wontfix ; This won't be fixed

kubernetes/custom/options/label/Kosmos

@@ -0,0 +1,14 @@
+#db231d bug ; Something is not working
+#76db1d enhancement ; Improving existing functionality
+#1d76db feature ; New functionality
+#db1d76 idea ; Something to consider
+#db1d76 question ; Looking for an answer
+#fbca04 security ; All your base are belong to us
+#1dd5db ui/ux ; User interface, process design, etc.
+#333333 dev environment ; Config, builds, CI, deployment, etc.
+#008080 kredits-1 ; Small contribution
+#008080 kredits-2 ; Medium contribution
+#008080 kredits-3 ; Large contribution
+#cccccc duplicate ; This issue or pull request already exists
+#cccccc invalid ; Not a bug
+#cccccc wontfix ; This won't be fixed

kubernetes/gitea-db.yaml

@@ -2,6 +2,8 @@ apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
   name: gitea-db
+  labels:
+    app: gitea
 spec:
   replicas: 1
   strategy:
@@ -10,6 +12,7 @@ spec:
     metadata:
       labels:
         name: gitea-db
+        app: gitea
     spec:
       containers:
       - env:
@@ -48,6 +51,7 @@ metadata:
   name: gitea-db-data
   labels:
     name: gitea-db-data
+    app: gitea
 spec:
   accessModes:
   - ReadWriteOnce
@@ -61,6 +65,7 @@ metadata:
   name: gitea-db
   labels:
     service: gitea-db
+    app: gitea
 spec:
   selector:
     name: gitea-db

kubernetes/gitea-server.yaml

@@ -2,58 +2,40 @@ apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
   name: gitea-server
+  labels:
+    app: gitea
 spec:
   replicas: 1
   template:
     metadata:
       labels:
         name: gitea-server
+        app: gitea
     spec:
       initContainers:
         - name: init-config
           image: busybox
-          command: ['sh', '-c', 'mkdir -p /data/gitea/conf && mkdir -p /data/gitea/https && cp /root/conf/app.ini /data/gitea/conf/app.ini && chown 1000:1000 /data/gitea/conf/app.ini && chmod 660 /data/gitea/conf/app.ini && cp /root/conf/*.pem /data/gitea/https && chmod 600 /data/gitea/https/*.pem && chown -R 1000:1000 /data/gitea']
+          command: [
+            'sh', '-c',
+            'mkdir -p /data/gitea/conf && mkdir -p /data/gitea/https && mkdir -p /data/gitea/options/label && cp /root/conf/app.ini /data/gitea/conf/app.ini && chown 1000:1000 /data/gitea/conf/app.ini && chmod 660 /data/gitea/conf/app.ini && cp /root/conf/*.pem /data/gitea/https && chmod 600 /data/gitea/https/*.pem && cp /root/options/label/* /data/gitea/options/label/ && chown -R 1000:1000 /data/gitea'
+          ]
           volumeMounts:
           - mountPath: /data
             name: gitea-server-data
           - mountPath: /root/conf
             name: config
+          # The labels have been created as a ConfigMap from local files using this command:
+          #
+          # kubectl create configmap gitea-options-label --from-file=custom/options/label/
+          - mountPath: /root/options/label
+            name: label
       containers:
-      # This is only used for the initial setup, it does nothing once a app.ini
-      # file exists in the conf/ directory of the data directory
-      # (/data/gitea/conf in our case)
-      - env:
-        - name: DB_HOST
-          value: gitea-db:3306
-        - name: DB_NAME
-          value: gitea
-        - name: DB_PASSWD
-          valueFrom:
-            secretKeyRef:
-              name: gitea-mysql-pass
-              key: password
-        - name: DB_TYPE
-          value: mysql
-        - name: DB_USER
-          value: gitea
-        - name: ROOT_URL
-          value: https://gitea.kosmos.org
-        - name: RUN_MODE
-          value: prod
-        - name: SECRET_KEY
-          valueFrom:
-            secretKeyRef:
-              name: gitea-secret-key
-              key: password
-        - name: SSH_DOMAIN
-          value: gitea.kosmos.org
-        image: 5apps/gitea:latest
-        name: gitea-server
+      - name: gitea-server
+        image: gitea/gitea:1.7.2
         ports:
         - containerPort: 3000
         - containerPort: 3001
         - containerPort: 22
-        resources: {}
         volumeMounts:
         - mountPath: /data
           name: gitea-server-data
@@ -75,17 +57,22 @@ spec:
             - key: key.pem
               path: key.pem
               mode: 256
+      - name: label
+        configMap:
+          name: gitea-options-label
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: gitea-server-data
+  labels:
+    app: gitea
 spec:
   accessModes:
   - ReadWriteOnce
   resources:
     requests:
-      storage: 1Gi
+      storage: 20Gi
 ---
 apiVersion: v1
 kind: Service
@@ -93,6 +80,7 @@ metadata:
   name: gitea-server
   labels:
     name: gitea-server
+    app: gitea
 spec:
   type: LoadBalancer
   # preserves the client source IP

script/get_secrets

@@ -7,7 +7,7 @@ secret = `kubectl get secret gitea-config -o yaml`
 yaml = YAML.load(secret)
 
 yaml['data'].each do |key, data|
-  filename = File.join('kubernetes', 'config', key)
+  filename = File.join('kubernetes', 'custom', 'config', key)
   File.open(filename, "w+") do |f|
     puts "Writing #{filename}"
     f.write Base64.decode64(data)

script/replace_secrets

@@ -2,8 +2,8 @@
 
 # Delete the gitea-config secrets
 kubectl delete secret gitea-config
-# Replace it from the local files in kubernetes/config/* (acquired by running
+# Replace it from the local files in kubernetes/custom/config/* (acquired by running
 # ./script/get_secrets)
-kubectl create secret generic gitea-config --from-file=cert.pem=kubernetes/config/cert.pem --from-file=key.pem=kubernetes/config/key.pem --from-file=app.ini=kubernetes/config/app.ini
+kubectl create secret generic gitea-config --from-file=cert.pem=kubernetes/custom/config/cert.pem --from-file=key.pem=kubernetes/custom/config/key.pem --from-file=app.ini=kubernetes/custom/config/app.ini
 # Force the pod to restart by patching the deployment resource
 kubectl patch deployment gitea-server -p "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"date\":\"`date +'%s'`\"}}}}}"