Compare commits
1 Commits
master
...
dev/kubern
Author | SHA1 | Date |
---|---|---|
Basti | 199b3e94cf |
41
README.md
41
README.md
|
@ -1,9 +1,40 @@
|
|||
# gitea.kosmos.org
|
||||
|
||||
This repository contains configuration files and other assets, that are used to
|
||||
deploy and operate this Gitea instance. Feel free to [open
|
||||
issues](https://gitea.kosmos.org/kosmos/gitea.kosmos.org/issues) for questions,
|
||||
suggestions, bugs, to-do items, and whatever else you want to discuss or
|
||||
resolve.
|
||||
deploy and operate this Gitea instance.
|
||||
|
||||
See `doc/` folder for some technical info.
|
||||
Feel free to [open issues] for questions, suggestions, bugs, to-do items, and
|
||||
whatever else you want to discuss or resolve.
|
||||
|
||||
[open issues]: https://gitea.kosmos.org/kosmos/gitea.kosmos.org/issues
|
||||
|
||||
## Kubernetes
|
||||
|
||||
### Apply changes to resources
|
||||
|
||||
```
|
||||
kubectl apply -f gitea-db.yaml
|
||||
kubectl apply -f gitea-server.yaml
|
||||
```
|
||||
|
||||
### Write the secrets to the local filesystem
|
||||
|
||||
```
|
||||
./script/get_secrets
|
||||
```
|
||||
|
||||
It writes the secrets (currently the app.ini file, as well as auto-generated
|
||||
TLS certificates that are only used when no Let's Encrypt cert is available)
|
||||
to the `kubernetes/config/` folder. These files are not in Git because they
|
||||
contain credentials.
|
||||
|
||||
Once you have edited them locally, you need to delete the secrets stored on
|
||||
Kubernetes before uploading them again. This is done by this script:
|
||||
|
||||
```
|
||||
./script/replace_secrets
|
||||
```
|
||||
|
||||
### Reuse a released persistent volume:
|
||||
|
||||
https://github.com/kubernetes/kubernetes/issues/48609#issuecomment-314066616
|
||||
|
|
|
@ -1,11 +0,0 @@
|
|||
#db231d bug ; Something is not working
|
||||
#76db1d enhancement ; Improving existing functionality
|
||||
#1d76db feature ; New functionality
|
||||
#db1d76 idea ; Something to consider
|
||||
#db1d76 question ; Looking for an answer
|
||||
#fbca04 security ; All your base are belong to us
|
||||
#1dd5db ui/ux ; User interface, process design, etc.
|
||||
#333333 dev environment ; Config, builds, CI, deployment, etc.
|
||||
#cccccc duplicate ; This issue or pull request already exists
|
||||
#cccccc invalid ; Not a bug
|
||||
#cccccc wontfix ; This won't be fixed
|
|
@ -1,15 +0,0 @@
|
|||
#db231d bug ; Something is not working
|
||||
#ead746 docs ; Documentation
|
||||
#76db1d enhancement ; Improving existing functionality
|
||||
#1d76db feature ; New functionality
|
||||
#db1d76 idea ; Something to consider
|
||||
#db1d76 question ; Looking for an answer
|
||||
#fbca04 security ; All your base are belong to us
|
||||
#1dd5db ui/ux ; User interface, process design, etc.
|
||||
#333333 dev environment ; Config, builds, CI, deployment, etc.
|
||||
#008080 kredits-1 ; Small contribution
|
||||
#008080 kredits-2 ; Medium contribution
|
||||
#008080 kredits-3 ; Large contribution
|
||||
#cccccc duplicate ; This issue or pull request already exists
|
||||
#cccccc invalid ; Not a bug
|
||||
#cccccc wontfix ; This won't be fixed
|
|
@ -1,28 +0,0 @@
|
|||
# Backups
|
||||
|
||||
We're using [Velero][1] (formerly Ark) for backing up Kubernetes config and GKE
|
||||
resources. It is available as a compiled binary for your platform [on GitHub][2]
|
||||
|
||||
The Velero service is running on the Sidamo cluster and was set up using the
|
||||
[official docs' GCP instructions][3]. There's a daily backup
|
||||
schedule in effect for Gitea (using the label `app=gitea`).
|
||||
|
||||
Please refer to Velero's [ Getting Started ][4] doc for all backup and restore
|
||||
commands.
|
||||
|
||||
## Backup location
|
||||
|
||||
Cluster configuration (including all live resources) is backed up to [a Google
|
||||
Cloud Storage container][5].
|
||||
|
||||
## Persistent volumes
|
||||
|
||||
Persistent volumes are just GCE disks. Thus, with the current config, Velero
|
||||
creates volume snapshots as native [GCE disk snapshots][6].
|
||||
|
||||
[1]: https://velero.io/docs/v1.0.0
|
||||
[2]: https://github.com/heptio/velero/releases/tag/v1.0.0
|
||||
[3]: https://velero.io/docs/v1.0.0/gcp-config/
|
||||
[4]: https://velero.io/docs/v1.0.0/about/
|
||||
[5]: https://console.cloud.google.com/storage/browser/sidamo-backups-new?project=fluted-magpie-218106&organizationId=772167872692
|
||||
[6]: https://console.cloud.google.com/compute/snapshots?organizationId=772167872692&project=fluted-magpie-218106&tab=snapshots&snapshotssize=50
|
|
@ -1,20 +0,0 @@
|
|||
## Customizations image
|
||||
|
||||
### Build
|
||||
|
||||
To create a new Docker image containing our Gitea customizations (label sets,
|
||||
styles, page content, etc.):
|
||||
|
||||
Edit `packer/custom.json` to increment the tag, then run this script (needs
|
||||
[Packer](https://www.packer.io/) in your path)
|
||||
|
||||
./script/build_customizations_image
|
||||
|
||||
### Deploy
|
||||
|
||||
Edit `kubernetes/gitea-server.yaml` to use the new tag
|
||||
(`image: eu.gcr.io/fluted-magpie-218106/gitea_custom:$VERSION`) and apply the
|
||||
change:
|
||||
|
||||
cd kubernetes
|
||||
kubectl apply -f gitea-server.yaml
|
|
@ -1,71 +0,0 @@
|
|||
# Kubernetes / GKE
|
||||
|
||||
This Gitea instance is currently hosted on Google Kubernetes Engine.
|
||||
|
||||
## Apply changes to resources
|
||||
|
||||
```
|
||||
kubectl apply -f gitea-db.yaml
|
||||
kubectl apply -f gitea-server.yaml
|
||||
```
|
||||
|
||||
## Write the secrets to the local filesystem
|
||||
|
||||
```
|
||||
./script/get_secrets
|
||||
```
|
||||
|
||||
It writes the secrets (currently the app.ini file, as well as auto-generated
|
||||
TLS certificates that are only used when no Let's Encrypt cert is available)
|
||||
to the `kubernetes/config/` folder. These files are not in Git because they
|
||||
contain credentials.
|
||||
|
||||
Once you have edited them locally, you need to delete the secrets stored on
|
||||
Kubernetes before uploading them again. This is done by this script:
|
||||
|
||||
```
|
||||
./script/replace_secrets
|
||||
```
|
||||
|
||||
## Reuse a released persistent volume:
|
||||
|
||||
> When you delete a PVC, corresponding PV becomes `Released`. This PV can contain sensitive data (say credit card numbers) and therefore nobody can ever bind to it, even if it is a PVC with the same name and in the same namespace as the previous one - who knows who's trying to steal the data!
|
||||
>
|
||||
> Admin intervention is required here. He has two options:
|
||||
>
|
||||
> * Make the PV available to everybody - delete `PV.Spec.ClaimRef`, Such PV can bound to any PVC (assuming that capacity, access mode and selectors match)
|
||||
>
|
||||
> * Make the PV available to a specific PVC - pre-fill `PV.Spec.ClaimRef` with a pointer to a PVC. Leave the `PV.Spec.ClaimRef,UID` empty, as the PVC does not to need exist at this point and you don't know PVC's UID. This PV can be bound only to the specified PVC.
|
||||
>
|
||||
>
|
||||
> @whitecolor, in your case you should be fine by clearing `PV.Spec.ClaimRef.UID` in the PV. Only the re-created PVC (with any UID) can then use the PV. And it's your responsibility that only the right person can craft appropriate PVC so nobody can steal your data.
|
||||
|
||||
https://github.com/kubernetes/kubernetes/issues/48609#issuecomment-314066616
|
||||
|
||||
## Update Gitea
|
||||
|
||||
### Released version
|
||||
|
||||
Change the image for the gitea-server container
|
||||
(`kubernetes/gitea-server.yaml`) to `gitea/gitea:TAG`, for example:
|
||||
`gitea/gitea:1.7.0-rc2`
|
||||
|
||||
### Unreleased version
|
||||
|
||||
This is useful to deploy features that are in master but not yet in a release.
|
||||
|
||||
$ docker pull gitea/gitea
|
||||
$ docker tag gitea/gitea:latest kosmosorg/gitea:production
|
||||
$ docker push kosmosorg/gitea
|
||||
|
||||
Set the image for the gitea-server container to `kosmosorg/gitea:latest`, or run
|
||||
this command to force a deployment if it is already set to it
|
||||
|
||||
$ kubectl patch deployment gitea-server -p "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"date\":\"`date +'%s'`\"}}}}}"
|
||||
|
||||
### Build our own image
|
||||
|
||||
At the root of the [https://github.com/go-gitea/gitea](gitea repo)
|
||||
|
||||
$ DOCKER_TAG=production DOCKER_IMAGE=kosmosorg/gitea make docker # builds and tags kosmosorg/gitea:production locally
|
||||
$ docker push kosmosorg/gitea
|
|
@ -2,8 +2,7 @@ apiVersion: extensions/v1beta1
|
|||
kind: Deployment
|
||||
metadata:
|
||||
name: gitea-db
|
||||
labels:
|
||||
app: gitea
|
||||
namespace: gitea
|
||||
spec:
|
||||
replicas: 1
|
||||
strategy:
|
||||
|
@ -12,7 +11,6 @@ spec:
|
|||
metadata:
|
||||
labels:
|
||||
name: gitea-db
|
||||
app: gitea
|
||||
spec:
|
||||
containers:
|
||||
- env:
|
||||
|
@ -32,19 +30,13 @@ spec:
|
|||
value: gitea
|
||||
image: mariadb:10.3.10
|
||||
name: gitea-db
|
||||
resources: {}
|
||||
ports:
|
||||
- containerPort: 3306
|
||||
name: mysql
|
||||
volumeMounts:
|
||||
- mountPath: /var/lib/mysql
|
||||
name: gitea-db-data
|
||||
resources:
|
||||
requests:
|
||||
cpu: 250m
|
||||
memory: 150Mi
|
||||
limits:
|
||||
cpu: 500m
|
||||
memory: 300Mi
|
||||
restartPolicy: Always
|
||||
volumes:
|
||||
- name: gitea-db-data
|
||||
|
@ -55,9 +47,9 @@ apiVersion: v1
|
|||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: gitea-db-data
|
||||
namespace: gitea
|
||||
labels:
|
||||
name: gitea-db-data
|
||||
app: gitea
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
|
@ -69,9 +61,9 @@ apiVersion: v1
|
|||
kind: Service
|
||||
metadata:
|
||||
name: gitea-db
|
||||
namespace: gitea
|
||||
labels:
|
||||
service: gitea-db
|
||||
app: gitea
|
||||
spec:
|
||||
selector:
|
||||
name: gitea-db
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: gitea
|
||||
labels:
|
||||
app: gitea
|
|
@ -1,52 +1,63 @@
|
|||
apiVersion: apps/v1
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: gitea-server
|
||||
labels:
|
||||
app: gitea
|
||||
namespace: gitea
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: gitea
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
name: gitea-server
|
||||
app: gitea
|
||||
spec:
|
||||
initContainers:
|
||||
- name: init-config
|
||||
# This is a busybox image with our gitea customizations saved to
|
||||
# /custom, built using ./script/build_customizations_image from the
|
||||
# root of the repo
|
||||
image: eu.gcr.io/fluted-magpie-218106/gitea_custom:0.1.2
|
||||
command: [
|
||||
'sh', '-c',
|
||||
'mkdir -p /data/gitea/conf && mkdir -p /data/gitea/https && cp /root/conf/app.ini /data/gitea/conf/app.ini && chown 1000:1000 /data/gitea/conf/app.ini && chmod 660 /data/gitea/conf/app.ini && cp /root/conf/*.pem /data/gitea/https && chmod 600 /data/gitea/https/*.pem && cp -R /custom/* /data/gitea && chown -R 1000:1000 /data/gitea'
|
||||
]
|
||||
image: busybox
|
||||
command: ['sh', '-c', 'mkdir -p /data/gitea/conf && mkdir -p /data/gitea/https && cp /root/conf/app.ini /data/gitea/conf/app.ini && chown 1000:1000 /data/gitea/conf/app.ini && chmod 660 /data/gitea/conf/app.ini && cp /root/conf/*.pem /data/gitea/https && chmod 600 /data/gitea/https/*.pem && chown -R 1000:1000 /data/gitea']
|
||||
volumeMounts:
|
||||
- mountPath: /data
|
||||
name: gitea-server-data
|
||||
- mountPath: /root/conf
|
||||
name: config
|
||||
containers:
|
||||
- name: gitea-server
|
||||
image: gitea/gitea:1.11.2
|
||||
# This is only used for the initial setup, it does nothing once a app.ini
|
||||
# file exists in the conf/ directory of the data directory
|
||||
# (/data/gitea/conf in our case)
|
||||
- env:
|
||||
- name: DB_HOST
|
||||
value: gitea-db:3306
|
||||
- name: DB_NAME
|
||||
value: gitea
|
||||
- name: DB_PASSWD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gitea-mysql-pass
|
||||
key: password
|
||||
- name: DB_TYPE
|
||||
value: mysql
|
||||
- name: DB_USER
|
||||
value: gitea
|
||||
- name: ROOT_URL
|
||||
value: https://gitea.kosmos.org
|
||||
- name: RUN_MODE
|
||||
value: prod
|
||||
- name: SECRET_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gitea-secret-key
|
||||
key: password
|
||||
- name: SSH_DOMAIN
|
||||
value: gitea.kosmos.org
|
||||
image: 5apps/gitea:latest
|
||||
name: gitea-server
|
||||
ports:
|
||||
- containerPort: 3000
|
||||
- containerPort: 3001
|
||||
- containerPort: 22
|
||||
resources: {}
|
||||
volumeMounts:
|
||||
- mountPath: /data
|
||||
name: gitea-server-data
|
||||
resources:
|
||||
requests:
|
||||
cpu: 150m
|
||||
memory: 256Mi
|
||||
limits:
|
||||
cpu: 250m
|
||||
memory: 512Mi
|
||||
restartPolicy: Always
|
||||
volumes:
|
||||
- name: gitea-server-data
|
||||
|
@ -70,22 +81,21 @@ apiVersion: v1
|
|||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: gitea-server-data
|
||||
labels:
|
||||
app: gitea
|
||||
namespace: gitea
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
requests:
|
||||
storage: 20Gi
|
||||
storage: 1Gi
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: gitea-server
|
||||
namespace: gitea
|
||||
labels:
|
||||
name: gitea-server
|
||||
app: gitea
|
||||
spec:
|
||||
type: LoadBalancer
|
||||
# preserves the client source IP
|
||||
|
|
|
@ -1,29 +0,0 @@
|
|||
{
|
||||
"builders": [{
|
||||
"type": "docker",
|
||||
"image": "busybox",
|
||||
"run_command": ["-d", "-i", "-t", "{{.Image}}", "/bin/sh"],
|
||||
"commit": true
|
||||
}],
|
||||
"provisioners": [
|
||||
{
|
||||
"inline": ["mkdir /custom"],
|
||||
"type": "shell"
|
||||
},
|
||||
{
|
||||
"type": "file",
|
||||
"source": "../custom/",
|
||||
"destination": "/custom"
|
||||
}
|
||||
],
|
||||
"post-processors": [
|
||||
[
|
||||
{
|
||||
"type": "docker-tag",
|
||||
"repository": "eu.gcr.io/fluted-magpie-218106/gitea_custom",
|
||||
"tag": "0.1.2"
|
||||
},
|
||||
"docker-push"
|
||||
]
|
||||
]
|
||||
}
|
|
@ -1,7 +0,0 @@
|
|||
#!/usr/bin/env bash
|
||||
# fail fast
|
||||
set -e
|
||||
|
||||
cd packer/
|
||||
packer build custom.json
|
||||
cd -
|
Reference in New Issue