Add gitea namespace

README.md

@@ -1,9 +1,40 @@
 # gitea.kosmos.org
 
 This repository contains configuration files and other assets, that are used to
-deploy and operate this Gitea instance. Feel free to [open
-issues](https://gitea.kosmos.org/kosmos/gitea.kosmos.org/issues) for questions,
-suggestions, bugs, to-do items, and whatever else you want to discuss or
-resolve.
+deploy and operate this Gitea instance.
 
-See `doc/` folder for some technical info.
+Feel free to [open issues] for questions, suggestions, bugs, to-do items, and
+whatever else you want to discuss or resolve.
+
+[open issues]: https://gitea.kosmos.org/kosmos/gitea.kosmos.org/issues
+
+## Kubernetes
+
+### Apply changes to resources
+
+```
+kubectl apply -f gitea-db.yaml
+kubectl apply -f gitea-server.yaml
+```
+
+### Write the secrets to the local filesystem
+
+```
+./script/get_secrets
+```
+
+It writes the secrets (currently the app.ini file, as well as auto-generated
+TLS certificates that are only used when no Let's Encrypt cert is available)
+to the `kubernetes/config/` folder. These files are not in Git because they
+contain credentials.
+
+Once you have edited them locally, you need to delete the secrets stored on
+Kubernetes before uploading them again. This is done by this script:
+
+```
+./script/replace_secrets
+```
+
+### Reuse a released persistent volume:
+
+https://github.com/kubernetes/kubernetes/issues/48609#issuecomment-314066616

custom/options/label/Default

@@ -1,11 +0,0 @@
-#db231d bug ; Something is not working
-#76db1d enhancement ; Improving existing functionality
-#1d76db feature ; New functionality
-#db1d76 idea ; Something to consider
-#db1d76 question ; Looking for an answer
-#fbca04 security ; All your base are belong to us
-#1dd5db ui/ux ; User interface, process design, etc.
-#333333 dev environment ; Config, builds, CI, deployment, etc.
-#cccccc duplicate ; This issue or pull request already exists
-#cccccc invalid ; Not a bug
-#cccccc wontfix ; This won't be fixed

custom/options/label/Kosmos

@@ -1,15 +0,0 @@
-#db231d bug ; Something is not working
-#ead746 docs ; Documentation
-#76db1d enhancement ; Improving existing functionality
-#1d76db feature ; New functionality
-#db1d76 idea ; Something to consider
-#db1d76 question ; Looking for an answer
-#fbca04 security ; All your base are belong to us
-#1dd5db ui/ux ; User interface, process design, etc.
-#333333 dev environment ; Config, builds, CI, deployment, etc.
-#008080 kredits-1 ; Small contribution
-#008080 kredits-2 ; Medium contribution
-#008080 kredits-3 ; Large contribution
-#cccccc duplicate ; This issue or pull request already exists
-#cccccc invalid ; Not a bug
-#cccccc wontfix ; This won't be fixed

doc/backup-and-restore.md

@@ -1,28 +0,0 @@
-# Backups
-
-We're using [Velero][1] (formerly Ark) for backing up Kubernetes config and GKE
-resources. It is available as a compiled binary for your platform [on GitHub][2]
-
-The Velero service is running on the Sidamo cluster and was set up using the
-[official docs' GCP instructions][3]. There's a daily backup
-schedule in effect for Gitea (using the label `app=gitea`).
-
-Please refer to Velero's [ Getting Started ][4] doc for all backup and restore
-commands.
-
-## Backup location
-
-Cluster configuration (including all live resources) is backed up to [a Google
-Cloud Storage container][5].
-
-## Persistent volumes
-
-Persistent volumes are just GCE disks. Thus, with the current config, Velero
-creates volume snapshots as native [GCE disk snapshots][6].
-
-[1]: https://velero.io/docs/v1.0.0
-[2]: https://github.com/heptio/velero/releases/tag/v1.0.0
-[3]: https://velero.io/docs/v1.0.0/gcp-config/
-[4]: https://velero.io/docs/v1.0.0/about/
-[5]: https://console.cloud.google.com/storage/browser/sidamo-backups-new?project=fluted-magpie-218106&organizationId=772167872692
-[6]: https://console.cloud.google.com/compute/snapshots?organizationId=772167872692&project=fluted-magpie-218106&tab=snapshots&snapshotssize=50

doc/customizations-image.md

@@ -1,20 +0,0 @@
-## Customizations image
-
-### Build
-
-To create a new Docker image containing our Gitea customizations (label sets,
-styles, page content, etc.):
-
-Edit `packer/custom.json` to increment the tag, then run this script (needs
-[Packer](https://www.packer.io/) in your path)
-
-    ./script/build_customizations_image
-
-### Deploy
-
-Edit `kubernetes/gitea-server.yaml` to use the new tag
-(`image: eu.gcr.io/fluted-magpie-218106/gitea_custom:$VERSION`) and apply the
-change:
-
-    cd kubernetes
-    kubectl apply -f gitea-server.yaml

doc/kubernetes.md

@@ -1,71 +0,0 @@
-# Kubernetes / GKE
-
-This Gitea instance is currently hosted on Google Kubernetes Engine.
-
-## Apply changes to resources
-
-```
-kubectl apply -f gitea-db.yaml
-kubectl apply -f gitea-server.yaml
-```
-
-## Write the secrets to the local filesystem
-
-```
-./script/get_secrets
-```
-
-It writes the secrets (currently the app.ini file, as well as auto-generated
-TLS certificates that are only used when no Let's Encrypt cert is available)
-to the `kubernetes/config/` folder. These files are not in Git because they
-contain credentials.
-
-Once you have edited them locally, you need to delete the secrets stored on
-Kubernetes before uploading them again. This is done by this script:
-
-```
-./script/replace_secrets
-```
-
-## Reuse a released persistent volume:
-
-> When you delete a PVC, corresponding PV becomes `Released`. This PV can contain sensitive data (say credit card numbers) and therefore nobody can ever bind to it, even if it is a PVC with the same name and in the same namespace as the previous one - who knows who's trying to steal the data!
-> 
-> Admin intervention is required here. He has two options:
-> 
->     * Make the PV available to everybody - delete `PV.Spec.ClaimRef`, Such PV can bound to any PVC (assuming that capacity, access mode and selectors match)
-> 
->     * Make the PV available to a specific PVC - pre-fill `PV.Spec.ClaimRef` with a pointer to a PVC. Leave the `PV.Spec.ClaimRef,UID` empty, as the PVC does not to need exist at this point and you don't know PVC's UID. This PV can be bound only to the specified PVC.
-> 
-> 
-> @whitecolor, in your case you should be fine by clearing `PV.Spec.ClaimRef.UID` in the PV. Only the re-created PVC (with any UID) can then use the PV. And it's your responsibility that only the right person can craft appropriate PVC so nobody can steal your data.
-
-https://github.com/kubernetes/kubernetes/issues/48609#issuecomment-314066616
-
-## Update Gitea
-
-### Released version
-
-Change the image for the gitea-server container
-(`kubernetes/gitea-server.yaml`) to `gitea/gitea:TAG`, for example:
-`gitea/gitea:1.7.0-rc2`
-
-### Unreleased version
-
-This is useful to deploy features that are in master but not yet in a release.
-
-    $ docker pull gitea/gitea
-    $ docker tag gitea/gitea:latest kosmosorg/gitea:production
-    $ docker push kosmosorg/gitea
-
-Set the image for the gitea-server container to `kosmosorg/gitea:latest`, or run 
-this command to force a deployment if it is already set to it
-
-    $ kubectl patch deployment gitea-server -p "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"date\":\"`date +'%s'`\"}}}}}"
-
-### Build our own image
-
-At the root of the [https://github.com/go-gitea/gitea](gitea repo)
-
-    $ DOCKER_TAG=production DOCKER_IMAGE=kosmosorg/gitea make docker # builds and tags kosmosorg/gitea:production locally
-    $ docker push kosmosorg/gitea

kubernetes/gitea-db.yaml

@@ -2,8 +2,7 @@ apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
   name: gitea-db
-  labels:
-    app: gitea
+  namespace: gitea
 spec:
   replicas: 1
   strategy:
@@ -12,7 +11,6 @@ spec:
     metadata:
       labels:
         name: gitea-db
-        app: gitea
     spec:
       containers:
       - env:
@@ -32,19 +30,13 @@ spec:
           value: gitea
         image: mariadb:10.3.10
         name: gitea-db
+        resources: {}
         ports:
           - containerPort: 3306
             name: mysql
         volumeMounts:
         - mountPath: /var/lib/mysql
           name: gitea-db-data
-        resources:
-          requests:
-            cpu: 250m
-            memory: 150Mi
-          limits:
-            cpu: 500m
-            memory: 300Mi
       restartPolicy: Always
       volumes:
       - name: gitea-db-data
@@ -55,9 +47,9 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: gitea-db-data
+  namespace: gitea
   labels:
     name: gitea-db-data
-    app: gitea
 spec:
   accessModes:
   - ReadWriteOnce
@@ -69,9 +61,9 @@ apiVersion: v1
 kind: Service
 metadata:
   name: gitea-db
+  namespace: gitea
   labels:
     service: gitea-db
-    app: gitea
 spec:
   selector:
     name: gitea-db

kubernetes/gitea-namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gitea
+  labels:
+    app: gitea

kubernetes/gitea-server.yaml

@@ -1,52 +1,63 @@
-apiVersion: apps/v1
+apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
   name: gitea-server
-  labels:
-    app: gitea
+  namespace: gitea
 spec:
   replicas: 1
-  selector:
-    matchLabels:
-      app: gitea
   template:
     metadata:
       labels:
         name: gitea-server
-        app: gitea
     spec:
       initContainers:
         - name: init-config
-          # This is a busybox image with our gitea customizations saved to
-          # /custom, built using ./script/build_customizations_image from the
-          # root of the repo
-          image: eu.gcr.io/fluted-magpie-218106/gitea_custom:0.1.2
-          command: [
-            'sh', '-c',
-            'mkdir -p /data/gitea/conf && mkdir -p /data/gitea/https && cp /root/conf/app.ini /data/gitea/conf/app.ini && chown 1000:1000 /data/gitea/conf/app.ini && chmod 660 /data/gitea/conf/app.ini && cp /root/conf/*.pem /data/gitea/https && chmod 600 /data/gitea/https/*.pem && cp -R /custom/* /data/gitea && chown -R 1000:1000 /data/gitea'
-          ]
+          image: busybox
+          command: ['sh', '-c', 'mkdir -p /data/gitea/conf && mkdir -p /data/gitea/https && cp /root/conf/app.ini /data/gitea/conf/app.ini && chown 1000:1000 /data/gitea/conf/app.ini && chmod 660 /data/gitea/conf/app.ini && cp /root/conf/*.pem /data/gitea/https && chmod 600 /data/gitea/https/*.pem && chown -R 1000:1000 /data/gitea']
           volumeMounts:
           - mountPath: /data
             name: gitea-server-data
           - mountPath: /root/conf
             name: config
       containers:
-      - name: gitea-server
-        image: gitea/gitea:1.11.2
+      # This is only used for the initial setup, it does nothing once a app.ini
+      # file exists in the conf/ directory of the data directory
+      # (/data/gitea/conf in our case)
+      - env:
+        - name: DB_HOST
+          value: gitea-db:3306
+        - name: DB_NAME
+          value: gitea
+        - name: DB_PASSWD
+          valueFrom:
+            secretKeyRef:
+              name: gitea-mysql-pass
+              key: password
+        - name: DB_TYPE
+          value: mysql
+        - name: DB_USER
+          value: gitea
+        - name: ROOT_URL
+          value: https://gitea.kosmos.org
+        - name: RUN_MODE
+          value: prod
+        - name: SECRET_KEY
+          valueFrom:
+            secretKeyRef:
+              name: gitea-secret-key
+              key: password
+        - name: SSH_DOMAIN
+          value: gitea.kosmos.org
+        image: 5apps/gitea:latest
+        name: gitea-server
         ports:
         - containerPort: 3000
         - containerPort: 3001
         - containerPort: 22
+        resources: {}
         volumeMounts:
         - mountPath: /data
           name: gitea-server-data
-        resources:
-          requests:
-            cpu: 150m
-            memory: 256Mi
-          limits:
-            cpu: 250m
-            memory: 512Mi
       restartPolicy: Always
       volumes:
       - name: gitea-server-data
@@ -70,22 +81,21 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: gitea-server-data
-  labels:
-    app: gitea
+  namespace: gitea
 spec:
   accessModes:
   - ReadWriteOnce
   resources:
     requests:
-      storage: 20Gi
+      storage: 1Gi
 ---
 apiVersion: v1
 kind: Service
 metadata:
   name: gitea-server
+  namespace: gitea
   labels:
     name: gitea-server
-    app: gitea
 spec:
   type: LoadBalancer
   # preserves the client source IP

packer/custom.json

@@ -1,29 +0,0 @@
-{
-  "builders": [{
-    "type": "docker",
-    "image": "busybox",
-    "run_command": ["-d", "-i", "-t", "{{.Image}}", "/bin/sh"],
-    "commit": true
-  }],
-  "provisioners": [
-    {
-      "inline": ["mkdir /custom"],
-      "type": "shell"
-    },
-    {
-      "type": "file",
-      "source": "../custom/",
-      "destination": "/custom"
-    }
-  ],
-  "post-processors": [
-    [
-      {
-        "type": "docker-tag",
-        "repository": "eu.gcr.io/fluted-magpie-218106/gitea_custom",
-        "tag": "0.1.2"
-      },
-      "docker-push"
-    ]
-  ]
-}

script/build_customizations_image

@@ -1,7 +0,0 @@
-#!/usr/bin/env bash
-# fail fast
-set -e
-
-cd packer/
-packer build custom.json
-cd -