From 379addec5e46bcd9a5c815eca9afc13374bed41b Mon Sep 17 00:00:00 2001
From: Nico Schottelius
Date: Sun, 27 Jun 2021 19:23:49 +0200
Subject: [PATCH] ++gitea updates

---
 apps/gitea/Chart.yaml | 4 +-
 apps/gitea/templates/NOTES.txt | 22 --
 apps/gitea/templates/_helpers.tpl | 62 ------
 apps/gitea/templates/deployment.yaml | 208 +++++++++++++----
 apps/gitea/templates/hpa.yaml | 28 ---
 apps/gitea/templates/ingress.yaml | 61 -----
 apps/gitea/templates/service.yaml | 15 --
 apps/gitea/templates/serviceaccount.yaml | 12 -
 .../templates/tests/test-connection.yaml | 6 +-
 apps/gitea/values.yaml | 88 +------
 apps/haproxy/haproxy.cfg | 20 +-
 11 files changed, 177 insertions(+), 349 deletions(-)
 delete mode 100644 apps/gitea/templates/NOTES.txt
 delete mode 100644 apps/gitea/templates/_helpers.tpl
 delete mode 100644 apps/gitea/templates/hpa.yaml
 delete mode 100644 apps/gitea/templates/ingress.yaml
 delete mode 100644 apps/gitea/templates/service.yaml
 delete mode 100644 apps/gitea/templates/serviceaccount.yaml

diff --git a/apps/gitea/Chart.yaml b/apps/gitea/Chart.yaml
index fa28899..707f50e 100644
--- a/apps/gitea/Chart.yaml
+++ b/apps/gitea/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: gitea
-description: A Helm chart for Kubernetes
+description: ungleich managed gitea
 
 # A chart can be either an 'application' or a 'library' chart.
 #
@@ -21,4 +21,4 @@ version: 0.1.0
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.16.0"
+appVersion: "1.14"
diff --git a/apps/gitea/templates/NOTES.txt b/apps/gitea/templates/NOTES.txt
deleted file mode 100644
index 8611d58..0000000
--- a/apps/gitea/templates/NOTES.txt
+++ /dev/null
@@ -1,22 +0,0 @@
-1. Get the application URL by running these commands:
-{{- if .Values.ingress.enabled }}
-{{- range $host := .Values.ingress.hosts }}
- {{- range .paths }}
- http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
- {{- end }}
-{{- end }}
-{{- else if contains "NodePort" .Values.service.type }}
- export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "gitea.fullname" . }})
- export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
- echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
- NOTE: It may take a few minutes for the LoadBalancer IP to be available.
- You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "gitea.fullname" . }}'
- export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "gitea.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
- echo http://$SERVICE_IP:{{ .Values.service.port }}
-{{- else if contains "ClusterIP" .Values.service.type }}
- export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "gitea.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
- export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
- echo "Visit http://127.0.0.1:8080 to use your application"
- kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
-{{- end }}
diff --git a/apps/gitea/templates/_helpers.tpl b/apps/gitea/templates/_helpers.tpl
deleted file mode 100644
index 8b1ee58..0000000
--- a/apps/gitea/templates/_helpers.tpl
+++ /dev/null
@@ -1,62 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "gitea.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "gitea.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "gitea.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "gitea.labels" -}}
-helm.sh/chart: {{ include "gitea.chart" . }}
-{{ include "gitea.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "gitea.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "gitea.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "gitea.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "gitea.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
diff --git a/apps/gitea/templates/deployment.yaml b/apps/gitea/templates/deployment.yaml
index c61f9b1..6f6f633 100644
--- a/apps/gitea/templates/deployment.yaml
+++ b/apps/gitea/templates/deployment.yaml
@@ -1,61 +1,171 @@
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: {{ include "gitea.fullname" . }}
- labels:
- {{- include "gitea.labels" . | nindent 4 }}
+ name: {{ .Release.Name }}-gitea
 spec:
- {{- if not .Values.autoscaling.enabled }}
- replicas: {{ .Values.replicaCount }}
- {{- end }}
 selector:
 matchLabels:
- {{- include "gitea.selectorLabels" . | nindent 6 }}
+ app: {{ .Release.Name }}-gitea
+ replicas: 1
 template:
 metadata:
- {{- with .Values.podAnnotations }}
- annotations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
 labels:
- {{- include "gitea.selectorLabels" . | nindent 8 }}
+ app: {{ .Release.Name }}-gitea
+ use-as-service: {{ .Release.Name }}
 spec:
- {{- with .Values.imagePullSecrets }}
- imagePullSecrets:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- serviceAccountName: {{ include "gitea.serviceAccountName" . }}
- securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ initContainers:
+ - name: wait-for-cert
+ image: busybox
+ command:
+ - sh
+ - -c
+ - until ls /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem; do sleep 5; done
+ volumeMounts:
+ - name: etcletsencrypt
+ mountPath: "/etc/letsencrypt"
 containers:
- - name: {{ .Chart.Name }}
- securityContext:
- {{- toYaml .Values.securityContext | nindent 12 }}
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
- imagePullPolicy: {{ .Values.image.pullPolicy }}
+ # This container will only start *after* the cert has been placed
+ - name: nginx
+ image: nginx:1.21-alpine
 ports:
- - name: http
- containerPort: 80
- protocol: TCP
- livenessProbe:
- httpGet:
- path: /
- port: http
- readinessProbe:
- httpGet:
- path: /
- port: http
- resources:
- {{- toYaml .Values.resources | nindent 12 }}
- {{- with .Values.nodeSelector }}
- nodeSelector:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.affinity }}
- affinity:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.tolerations }}
- tolerations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
+ - containerPort: 443
+ volumeMounts:
+ - name: nginx-config
+ mountPath: "/etc/nginx/conf.d/"
+ - name: etcletsencrypt
+ mountPath: "/etc/letsencrypt"
+ - name: gitea
+ image: gitea/gitea:1.14
+ ports:
+ - containerPort: 22
+ - containerPort: 3000
+ env:
+ - name: USER_UID
+ value: "1000"
+ - name: USER_GID
+ value: "1000"
+ volumeMounts:
+ - name: etcletsencrypt
+ mountPath: "/etc/letsencrypt"
+ - name: data
+ mountPath: "/data"
+ volumes:
+ - name: etcletsencrypt
+ persistentVolumeClaim:
+ claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs
+ - name: data
+ persistentVolumeClaim:
+ claimName: {{ tpl .Values.identifier . }}-data
+ - name: nginx-config
+ configMap:
+ name: {{ tpl .Values.identifier . }}-nginx-config
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tpl .Values.identifier . }}
+ labels:
+ app: {{ tpl .Values.identifier . }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: 22
+ name: ssh
+ # Required for letsencrypt
+ - port: 80
+ name: http
+ - port: 443
+ name: https
+ selector:
+ use-as-service: {{ .Release.Name }}
+# ---
+# apiVersion: v1
+# kind: ConfigMap
+# metadata:
+# name: {{ tpl .Values.identifier . }}-giteaconfig
+# data:
+# {{ tpl (.Files.Glob "gitea/*").AsConfig . | indent 2 }}
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ tpl .Values.identifier . }}-letsencrypt-certs
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 50Mi
+ storageClassName: rook-cephfs
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ tpl .Values.identifier . }}-data
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 100Mi
+ storageClassName: rook-cephfs
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ tpl .Values.identifier . }}-getcert
+spec:
+ template:
+ metadata:
+ labels:
+ app: certbot-letsencrypt-getcert
+ use-as-service: {{ .Release.Name }}
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: certbot
+ image: ungleich/ungleich-certbot
+ ports:
+ - containerPort: 80
+ env:
+ - name: DOMAIN
+ value: "{{ tpl .Values.fqdn . }}"
+ - name: EMAIL
+ value: "{{ .Values.email }}"
+ {{ if eq .Values.letsencryptStaging "no" }}
+ - name: STAGING
+ value: "no"
+ {{ end }}
+ volumeMounts:
+ - name: etcletsencrypt
+ mountPath: "/etc/letsencrypt"
+ volumes:
+ - name: etcletsencrypt
+ persistentVolumeClaim:
+ claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs
+ backoffLimit: 3
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-nginx-config
+data:
+ default.conf: |
+ server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name {{ .Release.Name }}-{{ .Values.serviceName }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }};
+
+ ssl_certificate /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/privkey.pem;
+
+ client_max_body_size 256m;
+
+ location / {
+ proxy_pass http://localhost:3000;
+ }
+ }
diff --git a/apps/gitea/templates/hpa.yaml b/apps/gitea/templates/hpa.yaml
deleted file mode 100644
index 22007bd..0000000
--- a/apps/gitea/templates/hpa.yaml
+++ /dev/null
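Review bot: The Service's `selector: use-as-service: {{ .Release.Name }}` matches both the certbot Job pod and the gitea Deployment pod, yet only the Job pod listens on :80 (nginx listens on 443, gitea on 3000 and 22), so whenever both are running — for instance if the Job is re-run to renew the certificate while gitea is up — part of the ACME HTTP-01 traffic lands on a pod with nothing on :80 and the challenge can fail. Giving the certbot pod template its own label, e.g. `use-as-service: {{ .Release.Name }}-certbot`, and a dedicated port-80 Service selecting only that label would make the routing deterministic and let the `# Required for letsencrypt` port leave the main Service. Nothing in the hunk renews the certificate after the one-shot Job (`restartPolicy: Never`, `backoffLimit: 3`) finishes, which deserves at least a comment on the Job so the 90-day expiry is not a surprise. `server_name` in the nginx ConfigMap uses `.Values.serviceName`, which the values.yaml in this same commit does not define, so it renders as an empty segment; `{{ tpl .Values.fqdn . }}` is already used for the certificate paths and is the consistent choice. `image: busybox` and `image: ungleich/ungleich-certbot` are untagged while nginx is pinned to `1.21-alpine`, and the gitea container mounts `etcletsencrypt` (which holds `privkey.pem`) although nothing in the hunk shows it using the certificate; pinning the images and dropping that mount would tighten the footprint.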
@@ -1,28 +0,0 @@
-{{- if .Values.autoscaling.enabled }}
-apiVersion: autoscaling/v2beta1
-kind: HorizontalPodAutoscaler
-metadata:
- name: {{ include "gitea.fullname" . }}
- labels:
- {{- include "gitea.labels" . | nindent 4 }}
-spec:
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: {{ include "gitea.fullname" . }}
- minReplicas: {{ .Values.autoscaling.minReplicas }}
- maxReplicas: {{ .Values.autoscaling.maxReplicas }}
- metrics:
- {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- - type: Resource
- resource:
- name: cpu
- targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
- {{- end }}
- {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
- - type: Resource
- resource:
- name: memory
- targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
- {{- end }}
-{{- end }}
diff --git a/apps/gitea/templates/ingress.yaml b/apps/gitea/templates/ingress.yaml
deleted file mode 100644
index 07475cf..0000000
--- a/apps/gitea/templates/ingress.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
-{{- if .Values.ingress.enabled -}}
-{{- $fullName := include "gitea.fullname" . -}}
-{{- $svcPort := .Values.service.port -}}
-{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
- {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
- {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
- {{- end }}
-{{- end }}
-{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
-apiVersion: networking.k8s.io/v1
-{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
-apiVersion: networking.k8s.io/v1beta1
-{{- else -}}
-apiVersion: extensions/v1beta1
-{{- end }}
-kind: Ingress
-metadata:
- name: {{ $fullName }}
- labels:
- {{- include "gitea.labels" . | nindent 4 }}
- {{- with .Values.ingress.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-spec:
- {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
- ingressClassName: {{ .Values.ingress.className }}
- {{- end }}
- {{- if .Values.ingress.tls }}
- tls:
- {{- range .Values.ingress.tls }}
- - hosts:
- {{- range .hosts }}
- - {{ . | quote }}
- {{- end }}
- secretName: {{ .secretName }}
- {{- end }}
- {{- end }}
- rules:
- {{- range .Values.ingress.hosts }}
- - host: {{ .host | quote }}
- http:
- paths:
- {{- range .paths }}
- - path: {{ .path }}
- {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
- pathType: {{ .pathType }}
- {{- end }}
- backend:
- {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
- service:
- name: {{ $fullName }}
- port:
- number: {{ $svcPort }}
- {{- else }}
- serviceName: {{ $fullName }}
- servicePort: {{ $svcPort }}
- {{- end }}
- {{- end }}
- {{- end }}
-{{- end }}
diff --git a/apps/gitea/templates/service.yaml b/apps/gitea/templates/service.yaml
deleted file mode 100644
index 19a244a..0000000
--- a/apps/gitea/templates/service.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "gitea.fullname" . }}
- labels:
- {{- include "gitea.labels" . | nindent 4 }}
-spec:
- type: {{ .Values.service.type }}
- ports:
- - port: {{ .Values.service.port }}
- targetPort: http
- protocol: TCP
- name: http
- selector:
- {{- include "gitea.selectorLabels" . | nindent 4 }}
diff --git a/apps/gitea/templates/serviceaccount.yaml b/apps/gitea/templates/serviceaccount.yaml
deleted file mode 100644
index 331f084..0000000
--- a/apps/gitea/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "gitea.serviceAccountName" . }}
- labels:
- {{- include "gitea.labels" . | nindent 4 }}
- {{- with .Values.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-{{- end }}
diff --git a/apps/gitea/templates/tests/test-connection.yaml b/apps/gitea/templates/tests/test-connection.yaml
index 6e96893..62718c7 100644
--- a/apps/gitea/templates/tests/test-connection.yaml
+++ b/apps/gitea/templates/tests/test-connection.yaml
@@ -1,9 +1,7 @@
 apiVersion: v1
 kind: Pod
 metadata:
- name: "{{ include "gitea.fullname" . }}-test-connection"
- labels:
- {{- include "gitea.labels" . | nindent 4 }}
+ name: "{{ tpl .Values.identifier . }}-test-connection"
 annotations:
 "helm.sh/hook": test
 spec:
@@ -11,5 +9,5 @@ spec:
 - name: wget
 image: busybox
 command: ['wget']
- args: ['{{ include "gitea.fullname" . }}:{{ .Values.service.port }}']
+ args: ['{{ tpl .Values.fqdn . }}']
 restartPolicy: Never
diff --git a/apps/gitea/values.yaml b/apps/gitea/values.yaml
index 986ba1c..aef81ae 100644
--- a/apps/gitea/values.yaml
+++ b/apps/gitea/values.yaml
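Review bot: `args: ['{{ tpl .Values.fqdn . }}']` makes busybox wget fetch `http://<fqdn>/` on port 80, but in the deployment.yaml of this commit port 80 is served only by the temporary certbot Job pod — nginx listens on 443 and gitea on 3000 — so the helm test will fail or hang once the Job has completed. Pointing the test at what is actually deployed, `args: ['--no-check-certificate', 'https://{{ tpl .Values.fqdn . }}']`, is closer to the intent; the `--no-check-certificate` is presumably needed while `letsencryptStaging` defaults to `"yes"`, and busybox's TLS support depends on the build, so verify against the image used. The test pod lost its `labels` block with this change, which is harmless for the hook itself but worth stating in the chart notes if anything selects test pods by label.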
@@ -1,82 +1,8 @@
-# Default values for gitea.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
+clusterDomain: c2.k8s.ooo
+email: technik@ungleich.ch
+letsencryptStaging: "yes"
 
-replicaCount: 1
-
-image:
- repository: nginx
- pullPolicy: IfNotPresent
- # Overrides the image tag whose default is the chart appVersion.
- tag: ""
-
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-
-serviceAccount:
- # Specifies whether a service account should be created
- create: true
- # Annotations to add to the service account
- annotations: {}
- # The name of the service account to use.
- # If not set and create is true, a name is generated using the fullname template
- name: ""
-
-podAnnotations: {}
-
-podSecurityContext: {}
- # fsGroup: 2000
-
-securityContext: {}
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
- # runAsNonRoot: true
- # runAsUser: 1000
-
-service:
- type: ClusterIP
- port: 80
-
-ingress:
- enabled: false
- className: ""
- annotations: {}
- # kubernetes.io/ingress.class: nginx
- # kubernetes.io/tls-acme: "true"
- hosts:
- - host: chart-example.local
- paths:
- - path: /
- pathType: ImplementationSpecific
- tls: []
- # - secretName: chart-example-tls
- # hosts:
- # - chart-example.local
-
-resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- # limits:
- # cpu: 100m
- # memory: 128Mi
- # requests:
- # cpu: 100m
- # memory: 128Mi
-
-autoscaling:
- enabled: false
- minReplicas: 1
- maxReplicas: 100
- targetCPUUtilizationPercentage: 80
- # targetMemoryUtilizationPercentage: 80
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
+# This is how the service and the data volumes are named - i.e. the
+# persistent thing
+identifier: "{{ .Release.Name }}"
+fqdn: "{{ .Release.Name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
diff --git a/apps/haproxy/haproxy.cfg b/apps/haproxy/haproxy.cfg
index 8aa3ab3..619c2a4 100644
--- a/apps/haproxy/haproxy.cfg
+++ b/apps/haproxy/haproxy.cfg
@@ -24,22 +24,18 @@ defaults
 timeout http-keep-alive 10s timeout check 10s -frontend http - bind :80 +frontend f_http + bind ipv6@:80 mode http - option httplog http-request do-resolve(txn.myip,mydns,ipv6) hdr(Host),lower -# http-request capture var(txn.myip) len 255 - use_backend b_503 unless { var(txn.myip) -m found } - default_backend http + # if DNS resolving did not work + # use_backend b_503 unless { var(txn.myip) -m found } -# dummy backend -backend b_503 - mode http + default_backend b_http -backend http +backend b_http mode http http-request deny unless { hdr(host) -i c2.k8s.ooo } http-request set-dst var(txn.myip)
@@ -47,9 +43,8 @@ backend http
 # # HTTPs frontend f_https - bind :443 + bind ipv6@:443 mode tcp - option tcplog tcp-request inspect-delay 5s tcp-request content accept if { req_ssl_hello_type 1 }
@@ -64,6 +59,5 @@ backend b_https
 tcp-request content set-dst var(txn.myip) server tcp_https ipv6@* -# tcp-request capture var(txn.myip) len 255 # tcp-request connection deny unless { hdr(host) -i c2.k8s.ooo } # use_backend b_503 unless { var(txn.myip) -m found }
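Review bot: `letsencryptStaging: "yes"` is a string that the Job template only tests with `eq .Values.letsencryptStaging "no"`, so any value other than exactly the string `"no"` (including `false`, `No`, or an unquoted `no`, which YAML 1.1 loaders turn into a boolean) silently keeps the staging endpoint; a comment such as `# Set to the string "no" for production certificates; any other value keeps the Let's Encrypt staging endpoint.` would make that contract visible. A real boolean (`letsencryptStaging: true` with `{{ if not .Values.letsencryptStaging }}` in the Job) would be the less surprising design. Since the generated header was removed, `clusterDomain`, `email` and `fqdn` now carry no explanation at all; one comment each (`email` is passed to the certbot container as `EMAIL`, `fqdn` is the name the certificate is requested for and must be resolvable by the CA) would help whoever overrides them.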
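Review bot: Removing `option httplog` in `frontend f_http` (and `option tcplog` in `frontend f_https` in the next hunk) drops the per-request log format, so unless a `log-format` is set in `defaults` outside this hunk the access log loses the Host header, status and timers that the `do-resolve` path needs for troubleshooting and for spotting abuse; keeping `option httplog` costs nothing. With the `use_backend b_503 unless { var(txn.myip) -m found }` guard commented out and `backend b_503` deleted, a request whose Host does not resolve now reaches `http-request set-dst var(txn.myip)` with an unset variable, and where it is sent then depends on the `server` line that lies outside this hunk; an explicit `http-request deny deny_status 503 unless { var(txn.myip) -m found }` in `backend b_http` would keep the failure mode deterministic. `bind ipv6@:80` binds only the IPv6 wildcard, so on hosts with `net.ipv6.bindv6only=1` IPv4 clients can no longer connect, which is presumably intended but worth a comment. The context line `http-request deny unless { hdr(host) -i c2.k8s.ooo }` is an exact match and would reject the `*.svc.c2.k8s.ooo` names the gitea chart in this commit generates; if subdomains are meant, `hdr(host) -m end -i .c2.k8s.ooo` is the usual form.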