Compare commits
66 Commits
dev/kubern
...
master
Author | SHA1 | Date |
---|---|---|
Râu Cao | 91755e8744 | |
Basti | ee6ec82157 | |
Râu Cao | fa11c50687 | |
Basti | 21e158737d | |
Râu Cao | 515b4a4483 | |
Basti | a3c1b2d1f7 | |
Râu Cao | 2ab0db6c2a | |
Basti | d6d70af0ad | |
Râu Cao | 75881c4c3f | |
Basti | 3cd4b3102c | |
Râu Cao | 11ae884dea | |
Basti | 6785287227 | |
Râu Cao | d4784e9787 | |
Basti | da278556ed | |
Basti | 4dd0f4b844 | |
Basti | b6894598a6 | |
Râu Cao | 972bbedb87 | |
Râu Cao | db396d6ee1 | |
Basti | d821e02dec | |
Râu Cao | 2f02ddb79d | |
Greg | 90cb219d79 | |
Greg | 9c36ebeb14 | |
gregkare | 5f3b80ab9e | |
Basti | b00931352f | |
Greg | f8d964f8d2 | |
Râu Cao | 810482c755 | |
Greg | 4e225ab1af | |
Râu Cao | 1f6e0b7d57 | |
Greg | a3fa72bb56 | |
gregkare | 9f4a5b452c | |
Basti | 12fc74d8ff | |
gregkare | 1d69fad451 | |
Greg | f73c58d7ee | |
gregkare | 68771a8e61 | |
gregkare | e3de3af82f | |
Basti | 490248909b | |
Greg | e0741b4438 | |
Greg | 8050126d2d | |
Greg | b5bbc5fa34 | |
Basti | 915fd7db8a | |
Greg | bbfa3f2964 | |
Greg | 0a60d8831c | |
Greg | cc6f31b4b9 | |
Greg | 069502d056 | |
Greg | 278e6a9cd7 | |
Greg | eba722992f | |
Greg | 871d47fff8 | |
Râu Cao | 9ef15325cc | |
Basti | 526f4b9035 | |
Râu Cao | 43ad6f842b | |
Basti | 21238a032d | |
Greg | 34068bc7ac | |
Basti | 28b73f88a8 | |
Greg | 8a2d491e45 | |
gregkare | 8073861775 | |
Greg | 78bccff685 | |
Basti | cef013a40a | |
Basti | 3692204ce4 | |
Basti | a16143a3f4 | |
Basti | c3bf234cba | |
Basti | 9e8370f577 | |
Râu Cao | 8496b19ec5 | |
Râu Cao | 4a43305a35 | |
gregkare | 8bb6bddb00 | |
Greg | bf62157f26 | |
Basti | 0cf7ba527e |
41
README.md
41
README.md
|
@ -1,40 +1,9 @@
|
|||
# gitea.kosmos.org
|
||||
|
||||
This repository contains configuration files and other assets, that are used to
|
||||
deploy and operate this Gitea instance.
|
||||
deploy and operate this Gitea instance. Feel free to [open
|
||||
issues](https://gitea.kosmos.org/kosmos/gitea.kosmos.org/issues) for questions,
|
||||
suggestions, bugs, to-do items, and whatever else you want to discuss or
|
||||
resolve.
|
||||
|
||||
Feel free to [open issues] for questions, suggestions, bugs, to-do items, and
|
||||
whatever else you want to discuss or resolve.
|
||||
|
||||
[open issues]: https://gitea.kosmos.org/kosmos/gitea.kosmos.org/issues
|
||||
|
||||
## Kubernetes
|
||||
|
||||
### Apply changes to resources
|
||||
|
||||
```
|
||||
kubectl apply -f gitea-db.yaml
|
||||
kubectl apply -f gitea-server.yaml
|
||||
```
|
||||
|
||||
### Write the secrets to the local filesystem
|
||||
|
||||
```
|
||||
./script/get_secrets
|
||||
```
|
||||
|
||||
It writes the secrets (currently the app.ini file, as well as auto-generated
|
||||
TLS certificates that are only used when no Let's Encrypt cert is available)
|
||||
to the `kubernetes/config/` folder. These files are not in Git because they
|
||||
contain credentials.
|
||||
|
||||
Once you have edited them locally, you need to delete the secrets stored on
|
||||
Kubernetes before uploading them again. This is done by this script:
|
||||
|
||||
```
|
||||
./script/replace_secrets
|
||||
```
|
||||
|
||||
### Reuse a released persistent volume:
|
||||
|
||||
https://github.com/kubernetes/kubernetes/issues/48609#issuecomment-314066616
|
||||
See `doc/` folder for some technical info.
|
||||
|
|
|
@ -0,0 +1,11 @@
|
|||
#db231d bug ; Something is not working
|
||||
#76db1d enhancement ; Improving existing functionality
|
||||
#1d76db feature ; New functionality
|
||||
#db1d76 idea ; Something to consider
|
||||
#db1d76 question ; Looking for an answer
|
||||
#fbca04 security ; All your base are belong to us
|
||||
#1dd5db ui/ux ; User interface, process design, etc.
|
||||
#333333 dev environment ; Config, builds, CI, deployment, etc.
|
||||
#cccccc duplicate ; This issue or pull request already exists
|
||||
#cccccc invalid ; Not a bug
|
||||
#cccccc wontfix ; This won't be fixed
|
|
@ -0,0 +1,15 @@
|
|||
#db231d bug ; Something is not working
|
||||
#ead746 docs ; Documentation
|
||||
#76db1d enhancement ; Improving existing functionality
|
||||
#1d76db feature ; New functionality
|
||||
#db1d76 idea ; Something to consider
|
||||
#db1d76 question ; Looking for an answer
|
||||
#fbca04 security ; All your base are belong to us
|
||||
#1dd5db ui/ux ; User interface, process design, etc.
|
||||
#333333 dev environment ; Config, builds, CI, deployment, etc.
|
||||
#008080 kredits-1 ; Small contribution
|
||||
#008080 kredits-2 ; Medium contribution
|
||||
#008080 kredits-3 ; Large contribution
|
||||
#cccccc duplicate ; This issue or pull request already exists
|
||||
#cccccc invalid ; Not a bug
|
||||
#cccccc wontfix ; This won't be fixed
|
|
@ -0,0 +1,28 @@
|
|||
# Backups
|
||||
|
||||
We're using [Velero][1] (formerly Ark) for backing up Kubernetes config and GKE
|
||||
resources. It is available as a compiled binary for your platform [on GitHub][2]
|
||||
|
||||
The Velero service is running on the Sidamo cluster and was set up using the
|
||||
[official docs' GCP instructions][3]. There's a daily backup
|
||||
schedule in effect for Gitea (using the label `app=gitea`).
|
||||
|
||||
Please refer to Velero's [ Getting Started ][4] doc for all backup and restore
|
||||
commands.
|
||||
|
||||
## Backup location
|
||||
|
||||
Cluster configuration (including all live resources) is backed up to [a Google
|
||||
Cloud Storage container][5].
|
||||
|
||||
## Persistent volumes
|
||||
|
||||
Persistent volumes are just GCE disks. Thus, with the current config, Velero
|
||||
creates volume snapshots as native [GCE disk snapshots][6].
|
||||
|
||||
[1]: https://velero.io/docs/v1.0.0
|
||||
[2]: https://github.com/heptio/velero/releases/tag/v1.0.0
|
||||
[3]: https://velero.io/docs/v1.0.0/gcp-config/
|
||||
[4]: https://velero.io/docs/v1.0.0/about/
|
||||
[5]: https://console.cloud.google.com/storage/browser/sidamo-backups-new?project=fluted-magpie-218106&organizationId=772167872692
|
||||
[6]: https://console.cloud.google.com/compute/snapshots?organizationId=772167872692&project=fluted-magpie-218106&tab=snapshots&snapshotssize=50
|
|
@ -0,0 +1,20 @@
|
|||
## Customizations image
|
||||
|
||||
### Build
|
||||
|
||||
To create a new Docker image containing our Gitea customizations (label sets,
|
||||
styles, page content, etc.):
|
||||
|
||||
Edit `packer/custom.json` to increment the tag, then run this script (needs
|
||||
[Packer](https://www.packer.io/) in your path)
|
||||
|
||||
./script/build_customizations_image
|
||||
|
||||
### Deploy
|
||||
|
||||
Edit `kubernetes/gitea-server.yaml` to use the new tag
|
||||
(`image: eu.gcr.io/fluted-magpie-218106/gitea_custom:$VERSION`) and apply the
|
||||
change:
|
||||
|
||||
cd kubernetes
|
||||
kubectl apply -f gitea-server.yaml
|
|
@ -0,0 +1,71 @@
|
|||
# Kubernetes / GKE
|
||||
|
||||
This Gitea instance is currently hosted on Google Kubernetes Engine.
|
||||
|
||||
## Apply changes to resources
|
||||
|
||||
```
|
||||
kubectl apply -f gitea-db.yaml
|
||||
kubectl apply -f gitea-server.yaml
|
||||
```
|
||||
|
||||
## Write the secrets to the local filesystem
|
||||
|
||||
```
|
||||
./script/get_secrets
|
||||
```
|
||||
|
||||
It writes the secrets (currently the app.ini file, as well as auto-generated
|
||||
TLS certificates that are only used when no Let's Encrypt cert is available)
|
||||
to the `kubernetes/config/` folder. These files are not in Git because they
|
||||
contain credentials.
|
||||
|
||||
Once you have edited them locally, you need to delete the secrets stored on
|
||||
Kubernetes before uploading them again. This is done by this script:
|
||||
|
||||
```
|
||||
./script/replace_secrets
|
||||
```
|
||||
|
||||
## Reuse a released persistent volume:
|
||||
|
||||
> When you delete a PVC, corresponding PV becomes `Released`. This PV can contain sensitive data (say credit card numbers) and therefore nobody can ever bind to it, even if it is a PVC with the same name and in the same namespace as the previous one - who knows who's trying to steal the data!
|
||||
>
|
||||
> Admin intervention is required here. He has two options:
|
||||
>
|
||||
> * Make the PV available to everybody - delete `PV.Spec.ClaimRef`, Such PV can bound to any PVC (assuming that capacity, access mode and selectors match)
|
||||
>
|
||||
> * Make the PV available to a specific PVC - pre-fill `PV.Spec.ClaimRef` with a pointer to a PVC. Leave the `PV.Spec.ClaimRef,UID` empty, as the PVC does not to need exist at this point and you don't know PVC's UID. This PV can be bound only to the specified PVC.
|
||||
>
|
||||
>
|
||||
> @whitecolor, in your case you should be fine by clearing `PV.Spec.ClaimRef.UID` in the PV. Only the re-created PVC (with any UID) can then use the PV. And it's your responsibility that only the right person can craft appropriate PVC so nobody can steal your data.
|
||||
|
||||
https://github.com/kubernetes/kubernetes/issues/48609#issuecomment-314066616
|
||||
|
||||
## Update Gitea
|
||||
|
||||
### Released version
|
||||
|
||||
Change the image for the gitea-server container
|
||||
(`kubernetes/gitea-server.yaml`) to `gitea/gitea:TAG`, for example:
|
||||
`gitea/gitea:1.7.0-rc2`
|
||||
|
||||
### Unreleased version
|
||||
|
||||
This is useful to deploy features that are in master but not yet in a release.
|
||||
|
||||
$ docker pull gitea/gitea
|
||||
$ docker tag gitea/gitea:latest kosmosorg/gitea:production
|
||||
$ docker push kosmosorg/gitea
|
||||
|
||||
Set the image for the gitea-server container to `kosmosorg/gitea:latest`, or run
|
||||
this command to force a deployment if it is already set to it
|
||||
|
||||
$ kubectl patch deployment gitea-server -p "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"date\":\"`date +'%s'`\"}}}}}"
|
||||
|
||||
### Build our own image
|
||||
|
||||
At the root of the [https://github.com/go-gitea/gitea](gitea repo)
|
||||
|
||||
$ DOCKER_TAG=production DOCKER_IMAGE=kosmosorg/gitea make docker # builds and tags kosmosorg/gitea:production locally
|
||||
$ docker push kosmosorg/gitea
|
|
@ -2,6 +2,8 @@ apiVersion: extensions/v1beta1
|
|||
kind: Deployment
|
||||
metadata:
|
||||
name: gitea-db
|
||||
labels:
|
||||
app: gitea
|
||||
spec:
|
||||
replicas: 1
|
||||
strategy:
|
||||
|
@ -10,6 +12,7 @@ spec:
|
|||
metadata:
|
||||
labels:
|
||||
name: gitea-db
|
||||
app: gitea
|
||||
spec:
|
||||
containers:
|
||||
- env:
|
||||
|
@ -29,13 +32,19 @@ spec:
|
|||
value: gitea
|
||||
image: mariadb:10.3.10
|
||||
name: gitea-db
|
||||
resources: {}
|
||||
ports:
|
||||
- containerPort: 3306
|
||||
name: mysql
|
||||
volumeMounts:
|
||||
- mountPath: /var/lib/mysql
|
||||
name: gitea-db-data
|
||||
resources:
|
||||
requests:
|
||||
cpu: 250m
|
||||
memory: 150Mi
|
||||
limits:
|
||||
cpu: 500m
|
||||
memory: 300Mi
|
||||
restartPolicy: Always
|
||||
volumes:
|
||||
- name: gitea-db-data
|
||||
|
@ -48,6 +57,7 @@ metadata:
|
|||
name: gitea-db-data
|
||||
labels:
|
||||
name: gitea-db-data
|
||||
app: gitea
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
|
@ -61,6 +71,7 @@ metadata:
|
|||
name: gitea-db
|
||||
labels:
|
||||
service: gitea-db
|
||||
app: gitea
|
||||
spec:
|
||||
selector:
|
||||
name: gitea-db
|
||||
|
|
|
@ -1,62 +1,52 @@
|
|||
apiVersion: extensions/v1beta1
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: gitea-server
|
||||
labels:
|
||||
app: gitea
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: gitea
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
name: gitea-server
|
||||
app: gitea
|
||||
spec:
|
||||
initContainers:
|
||||
- name: init-config
|
||||
image: busybox
|
||||
command: ['sh', '-c', 'mkdir -p /data/gitea/conf && mkdir -p /data/gitea/https && cp /root/conf/app.ini /data/gitea/conf/app.ini && chown 1000:1000 /data/gitea/conf/app.ini && chmod 660 /data/gitea/conf/app.ini && cp /root/conf/*.pem /data/gitea/https && chmod 600 /data/gitea/https/*.pem && chown -R 1000:1000 /data/gitea']
|
||||
# This is a busybox image with our gitea customizations saved to
|
||||
# /custom, built using ./script/build_customizations_image from the
|
||||
# root of the repo
|
||||
image: eu.gcr.io/fluted-magpie-218106/gitea_custom:0.1.2
|
||||
command: [
|
||||
'sh', '-c',
|
||||
'mkdir -p /data/gitea/conf && mkdir -p /data/gitea/https && cp /root/conf/app.ini /data/gitea/conf/app.ini && chown 1000:1000 /data/gitea/conf/app.ini && chmod 660 /data/gitea/conf/app.ini && cp /root/conf/*.pem /data/gitea/https && chmod 600 /data/gitea/https/*.pem && cp -R /custom/* /data/gitea && chown -R 1000:1000 /data/gitea'
|
||||
]
|
||||
volumeMounts:
|
||||
- mountPath: /data
|
||||
name: gitea-server-data
|
||||
- mountPath: /root/conf
|
||||
name: config
|
||||
containers:
|
||||
# This is only used for the initial setup, it does nothing once a app.ini
|
||||
# file exists in the conf/ directory of the data directory
|
||||
# (/data/gitea/conf in our case)
|
||||
- env:
|
||||
- name: DB_HOST
|
||||
value: gitea-db:3306
|
||||
- name: DB_NAME
|
||||
value: gitea
|
||||
- name: DB_PASSWD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gitea-mysql-pass
|
||||
key: password
|
||||
- name: DB_TYPE
|
||||
value: mysql
|
||||
- name: DB_USER
|
||||
value: gitea
|
||||
- name: ROOT_URL
|
||||
value: https://gitea.kosmos.org
|
||||
- name: RUN_MODE
|
||||
value: prod
|
||||
- name: SECRET_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gitea-secret-key
|
||||
key: password
|
||||
- name: SSH_DOMAIN
|
||||
value: gitea.kosmos.org
|
||||
image: 5apps/gitea:latest
|
||||
name: gitea-server
|
||||
- name: gitea-server
|
||||
image: gitea/gitea:1.11.2
|
||||
ports:
|
||||
- containerPort: 3000
|
||||
- containerPort: 3001
|
||||
- containerPort: 22
|
||||
resources: {}
|
||||
volumeMounts:
|
||||
- mountPath: /data
|
||||
name: gitea-server-data
|
||||
resources:
|
||||
requests:
|
||||
cpu: 150m
|
||||
memory: 256Mi
|
||||
limits:
|
||||
cpu: 250m
|
||||
memory: 512Mi
|
||||
restartPolicy: Always
|
||||
volumes:
|
||||
- name: gitea-server-data
|
||||
|
@ -80,12 +70,14 @@ apiVersion: v1
|
|||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: gitea-server-data
|
||||
labels:
|
||||
app: gitea
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
requests:
|
||||
storage: 1Gi
|
||||
storage: 20Gi
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
|
@ -93,6 +85,7 @@ metadata:
|
|||
name: gitea-server
|
||||
labels:
|
||||
name: gitea-server
|
||||
app: gitea
|
||||
spec:
|
||||
type: LoadBalancer
|
||||
# preserves the client source IP
|
||||
|
|
|
@ -0,0 +1,29 @@
|
|||
{
|
||||
"builders": [{
|
||||
"type": "docker",
|
||||
"image": "busybox",
|
||||
"run_command": ["-d", "-i", "-t", "{{.Image}}", "/bin/sh"],
|
||||
"commit": true
|
||||
}],
|
||||
"provisioners": [
|
||||
{
|
||||
"inline": ["mkdir /custom"],
|
||||
"type": "shell"
|
||||
},
|
||||
{
|
||||
"type": "file",
|
||||
"source": "../custom/",
|
||||
"destination": "/custom"
|
||||
}
|
||||
],
|
||||
"post-processors": [
|
||||
[
|
||||
{
|
||||
"type": "docker-tag",
|
||||
"repository": "eu.gcr.io/fluted-magpie-218106/gitea_custom",
|
||||
"tag": "0.1.2"
|
||||
},
|
||||
"docker-push"
|
||||
]
|
||||
]
|
||||
}
|
|
@ -0,0 +1,7 @@
|
|||
#!/usr/bin/env bash
|
||||
# fail fast
|
||||
set -e
|
||||
|
||||
cd packer/
|
||||
packer build custom.json
|
||||
cd -
|
Reference in New Issue