From 405d5daefb672ab73cefbce79f1a6e6d431dbc1a Mon Sep 17 00:00:00 2001 
From: gitea-bot Date: Mon, 18 May 2026 03:03:55 +0000 Subject: [PATCH] chore: Update manifests after change --- clusters/cl01tl/manifests/gitea/-.yaml | 1 - .../Cluster-gitea-postgresql-18-cluster.yaml | 66 +++++ .../ConfigMap-gitea-custom-templates.yaml | 12 + ...gitea-gitea-actions-act-runner-config.yaml | 24 ++ ...nfigMap-gitea-meilisearch-environment.yaml | 17 ++ .../ConfigMap-gitea-valkey-init-scripts.yaml | 87 ++++++ ...ap-gitea-valkey-renovate-init-scripts.yaml | 58 ++++ .../gitea/Deployment-gitea-cloudflared.yaml | 60 ++++ .../Deployment-gitea-valkey-renovate.yaml | 117 ++++++++ .../manifests/gitea/Deployment-gitea.yaml | 264 +++++++++++++++++ ...ternalSecret-gitea-cloudflared-secret.yaml | 21 ++ .../ExternalSecret-gitea-meilisearch-key.yaml | 24 ++ .../ExternalSecret-gitea-oidc-authentik.yaml | 22 ++ ...tgresql-18-backup-garage-local-secret.yaml | 29 ++ ...t-gitea-postgresql-18-recovery-secret.yaml | 29 ++ .../ExternalSecret-gitea-runner-secret.yaml | 18 ++ ...ea-shared-storage-backup-secret-local.yaml | 47 +++ .../manifests/gitea/HTTPRoute-gitea.yaml | 26 ++ .../gitea/Ingress-gitea-tailscale.yaml | 29 ++ .../manifests/gitea/Namespace-gitea.yaml | 11 + ...tea-postgresql-18-backup-garage-local.yaml | 33 +++ ...ectStore-gitea-postgresql-18-recovery.yaml | 32 +++ ...rsistentVolumeClaim-gitea-meilisearch.yaml | 19 ++ ...stentVolumeClaim-gitea-shared-storage.yaml | 16 ++ ...stentVolumeClaim-gitea-themes-storage.yaml | 17 ++ ...tentVolumeClaim-gitea-valkey-renovate.yaml | 18 ++ ...Pod-gitea-meilisearch-test-connection.yaml | 18 ++ .../gitea/Pod-gitea-test-connection.yaml | 22 ++ .../gitea/PodMonitor-gitea-postgresql-18.yaml | 19 ++ .../PodMonitor-gitea-valkey-renovate.yaml | 23 ++ .../gitea/PodMonitor-gitea-valkey.yaml | 23 ++ ...sRule-gitea-postgresql-18-alert-rules.yaml | 270 ++++++++++++++++++ ...ea-shared-storage-backup-source-local.yaml | 30 ++ .../PrometheusRule-gitea-valkey-renovate.yaml | 47 +++ .../gitea/PrometheusRule-gitea-valkey.yaml | 47 +++ 
.../gitea/PrometheusRule-meilisearch.yaml | 29 ++ ...ea-shared-storage-backup-source-local.yaml | 34 +++ ...resql-18-scheduled-backup-live-backup.yaml | 24 ++ .../manifests/gitea/Secret-gitea-init.yaml | 37 +++ .../gitea/Secret-gitea-inline-config.yaml | 62 ++++ .../cl01tl/manifests/gitea/Secret-gitea.yaml | 170 +++++++++++ .../gitea/Service-gitea-cloudflared.yaml | 23 ++ .../manifests/gitea/Service-gitea-http.yaml | 24 ++ .../gitea/Service-gitea-meilisearch.yaml | 22 ++ .../manifests/gitea/Service-gitea-ssh.yaml | 25 ++ .../gitea/Service-gitea-valkey-headless.yaml | 23 ++ .../gitea/Service-gitea-valkey-metrics.yaml | 23 ++ .../gitea/Service-gitea-valkey-read.yaml | 21 ++ ...Service-gitea-valkey-renovate-metrics.yaml | 23 ++ .../gitea/Service-gitea-valkey-renovate.yaml | 21 ++ .../manifests/gitea/Service-gitea-valkey.yaml | 22 ++ .../ServiceAccount-gitea-cloudflared.yaml | 11 + .../ServiceAccount-gitea-meilisearch.yaml | 13 + .../ServiceAccount-gitea-valkey-renovate.yaml | 11 + .../gitea/ServiceAccount-gitea-valkey.yaml | 11 + .../ServiceMonitor-gitea-cloudflared.yaml | 25 ++ .../ServiceMonitor-gitea-meilisearch.yaml | 30 ++ .../ServiceMonitor-gitea-valkey-renovate.yaml | 24 ++ .../gitea/ServiceMonitor-gitea-valkey.yaml | 24 ++ .../manifests/gitea/ServiceMonitor-gitea.yaml | 16 ++ ...fulSet-gitea-gitea-actions-act-runner.yaml | 154 ++++++++++ .../gitea/StatefulSet-gitea-meilisearch.yaml | 95 ++++++ .../gitea/StatefulSet-gitea-valkey.yaml | 133 +++++++++ .../manifests/gitea/TCPRoute-gitea-ssh.yaml | 21 ++ 64 files changed, 2746 insertions(+), 1 deletion(-) delete mode 100644 clusters/cl01tl/manifests/gitea/-.yaml create mode 100644 clusters/cl01tl/manifests/gitea/Cluster-gitea-postgresql-18-cluster.yaml create mode 100644 clusters/cl01tl/manifests/gitea/ConfigMap-gitea-custom-templates.yaml create mode 100644 clusters/cl01tl/manifests/gitea/ConfigMap-gitea-gitea-actions-act-runner-config.yaml create mode 100644 
clusters/cl01tl/manifests/gitea/ConfigMap-gitea-meilisearch-environment.yaml create mode 100644 clusters/cl01tl/manifests/gitea/ConfigMap-gitea-valkey-init-scripts.yaml create mode 100644 clusters/cl01tl/manifests/gitea/ConfigMap-gitea-valkey-renovate-init-scripts.yaml create mode 100644 clusters/cl01tl/manifests/gitea/Deployment-gitea-cloudflared.yaml create mode 100644 clusters/cl01tl/manifests/gitea/Deployment-gitea-valkey-renovate.yaml create mode 100644 clusters/cl01tl/manifests/gitea/Deployment-gitea.yaml create mode 100644 clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-cloudflared-secret.yaml create mode 100644 clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-meilisearch-key.yaml create mode 100644 clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-oidc-authentik.yaml create mode 100644 clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-postgresql-18-backup-garage-local-secret.yaml create mode 100644 clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-postgresql-18-recovery-secret.yaml create mode 100644 clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-runner-secret.yaml create mode 100644 clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-shared-storage-backup-secret-local.yaml create mode 100644 clusters/cl01tl/manifests/gitea/HTTPRoute-gitea.yaml create mode 100644 clusters/cl01tl/manifests/gitea/Ingress-gitea-tailscale.yaml create mode 100644 clusters/cl01tl/manifests/gitea/Namespace-gitea.yaml create mode 100644 clusters/cl01tl/manifests/gitea/ObjectStore-gitea-postgresql-18-backup-garage-local.yaml create mode 100644 clusters/cl01tl/manifests/gitea/ObjectStore-gitea-postgresql-18-recovery.yaml create mode 100644 clusters/cl01tl/manifests/gitea/PersistentVolumeClaim-gitea-meilisearch.yaml create mode 100644 clusters/cl01tl/manifests/gitea/PersistentVolumeClaim-gitea-shared-storage.yaml create mode 100644 clusters/cl01tl/manifests/gitea/PersistentVolumeClaim-gitea-themes-storage.yaml create mode 100644 
clusters/cl01tl/manifests/gitea/PersistentVolumeClaim-gitea-valkey-renovate.yaml create mode 100644 clusters/cl01tl/manifests/gitea/Pod-gitea-meilisearch-test-connection.yaml create mode 100644 clusters/cl01tl/manifests/gitea/Pod-gitea-test-connection.yaml create mode 100644 clusters/cl01tl/manifests/gitea/PodMonitor-gitea-postgresql-18.yaml create mode 100644 clusters/cl01tl/manifests/gitea/PodMonitor-gitea-valkey-renovate.yaml create mode 100644 clusters/cl01tl/manifests/gitea/PodMonitor-gitea-valkey.yaml create mode 100644 clusters/cl01tl/manifests/gitea/PrometheusRule-gitea-postgresql-18-alert-rules.yaml create mode 100644 clusters/cl01tl/manifests/gitea/PrometheusRule-gitea-shared-storage-backup-source-local.yaml create mode 100644 clusters/cl01tl/manifests/gitea/PrometheusRule-gitea-valkey-renovate.yaml create mode 100644 clusters/cl01tl/manifests/gitea/PrometheusRule-gitea-valkey.yaml create mode 100644 clusters/cl01tl/manifests/gitea/PrometheusRule-meilisearch.yaml create mode 100644 clusters/cl01tl/manifests/gitea/ReplicationSource-gitea-shared-storage-backup-source-local.yaml create mode 100644 clusters/cl01tl/manifests/gitea/ScheduledBackup-gitea-postgresql-18-scheduled-backup-live-backup.yaml create mode 100644 clusters/cl01tl/manifests/gitea/Secret-gitea-init.yaml create mode 100644 clusters/cl01tl/manifests/gitea/Secret-gitea-inline-config.yaml create mode 100644 clusters/cl01tl/manifests/gitea/Secret-gitea.yaml create mode 100644 clusters/cl01tl/manifests/gitea/Service-gitea-cloudflared.yaml create mode 100644 clusters/cl01tl/manifests/gitea/Service-gitea-http.yaml create mode 100644 clusters/cl01tl/manifests/gitea/Service-gitea-meilisearch.yaml create mode 100644 clusters/cl01tl/manifests/gitea/Service-gitea-ssh.yaml create mode 100644 clusters/cl01tl/manifests/gitea/Service-gitea-valkey-headless.yaml create mode 100644 clusters/cl01tl/manifests/gitea/Service-gitea-valkey-metrics.yaml create mode 100644 
clusters/cl01tl/manifests/gitea/Service-gitea-valkey-read.yaml create mode 100644 clusters/cl01tl/manifests/gitea/Service-gitea-valkey-renovate-metrics.yaml create mode 100644 clusters/cl01tl/manifests/gitea/Service-gitea-valkey-renovate.yaml create mode 100644 clusters/cl01tl/manifests/gitea/Service-gitea-valkey.yaml create mode 100644 clusters/cl01tl/manifests/gitea/ServiceAccount-gitea-cloudflared.yaml create mode 100644 clusters/cl01tl/manifests/gitea/ServiceAccount-gitea-meilisearch.yaml create mode 100644 clusters/cl01tl/manifests/gitea/ServiceAccount-gitea-valkey-renovate.yaml create mode 100644 clusters/cl01tl/manifests/gitea/ServiceAccount-gitea-valkey.yaml create mode 100644 clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea-cloudflared.yaml create mode 100644 clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea-meilisearch.yaml create mode 100644 clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea-valkey-renovate.yaml create mode 100644 clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea-valkey.yaml create mode 100644 clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea.yaml create mode 100644 clusters/cl01tl/manifests/gitea/StatefulSet-gitea-gitea-actions-act-runner.yaml create mode 100644 clusters/cl01tl/manifests/gitea/StatefulSet-gitea-meilisearch.yaml create mode 100644 clusters/cl01tl/manifests/gitea/StatefulSet-gitea-valkey.yaml create mode 100644 clusters/cl01tl/manifests/gitea/TCPRoute-gitea-ssh.yaml diff --git a/clusters/cl01tl/manifests/gitea/-.yaml b/clusters/cl01tl/manifests/gitea/-.yaml deleted file mode 100644 index 8b1378917..000000000 --- a/clusters/cl01tl/manifests/gitea/-.yaml +++ /dev/null @@ -1 +0,0 @@ - diff --git a/clusters/cl01tl/manifests/gitea/Cluster-gitea-postgresql-18-cluster.yaml b/clusters/cl01tl/manifests/gitea/Cluster-gitea-postgresql-18-cluster.yaml new file mode 100644 index 000000000..06a7faeee --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/Cluster-gitea-postgresql-18-cluster.yaml 
@@ -0,0 +1,66 @@ +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + name: gitea-postgresql-18-cluster + namespace: gitea + labels: + app.kubernetes.io/name: gitea-postgresql-18-cluster + helm.sh/chart: postgres-18-cluster-7.13.2 + app.kubernetes.io/instance: gitea + app.kubernetes.io/part-of: gitea + app.kubernetes.io/version: "7.13.2" + app.kubernetes.io/managed-by: Helm +spec: + instances: 3 + imageName: "ghcr.io/cloudnative-pg/postgresql:18.3-standard-trixie" + imagePullPolicy: IfNotPresent + postgresUID: 26 + postgresGID: 26 + storage: + size: 10Gi + storageClass: local-path + walStorage: + size: 2Gi + storageClass: local-path + resources: + limits: + hugepages-2Mi: 256Mi + requests: + cpu: 100m + memory: 80Mi + affinity: + enablePodAntiAffinity: true + topologyKey: kubernetes.io/hostname + primaryUpdateMethod: switchover + primaryUpdateStrategy: unsupervised + logLevel: info + enableSuperuserAccess: false + enablePDB: true + postgresql: + parameters: + hot_standby_feedback: "on" + max_slot_wal_keep_size: 2000MB + shared_buffers: 2GB + monitoring: + enablePodMonitor: false + disableDefaultQueries: false + plugins: + - name: barman-cloud.cloudnative-pg.io + enabled: true + isWALArchiver: true + parameters: + barmanObjectName: "gitea-postgresql-18-backup-garage-local" + serverName: "gitea-postgresql-18-backup-1" + bootstrap: + recovery: + database: app + source: gitea-postgresql-18-backup-1 + externalClusters: + - name: gitea-postgresql-18-backup-1 + plugin: + name: barman-cloud.cloudnative-pg.io + enabled: true + isWALArchiver: false + parameters: + barmanObjectName: "gitea-postgresql-18-recovery" + serverName: gitea-postgresql-18-backup-1 diff --git a/clusters/cl01tl/manifests/gitea/ConfigMap-gitea-custom-templates.yaml b/clusters/cl01tl/manifests/gitea/ConfigMap-gitea-custom-templates.yaml new file mode 100644 index 000000000..21f432e64 --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/ConfigMap-gitea-custom-templates.yaml 
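Review bot: `shared_buffers: 2GB` is set while each instance only requests `memory: 80Mi` and declares no memory limit, so the scheduler can place the three pods on nodes without 2 GiB free and the postmaster becomes the first OOM-kill candidate under pressure; either raise the request to cover the buffer pool (e.g. `memory: 3Gi`) or lower `shared_buffers` to what the request can hold. The postgres image is referenced by tag only (`ghcr.io/cloudnative-pg/postgresql:18.3-standard-trixie`) while the cloudflared and valkey images in this same patch are digest-pinned; adding `@sha256:…` keeps the supply-chain posture consistent. The bootstrap also recovers from `serverName: gitea-postgresql-18-backup-1` and then archives under the same serverName; if the two ObjectStore objects (not in this chunk) resolve to the same bucket prefix, CNPG will refuse to archive into the non-empty WAL path, so confirm they differ. These manifests look Helm-rendered, so the fix belongs in the chart values rather than here.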
@@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: gitea-custom-templates + namespace: gitea + labels: + app.kubernetes.io/name: gitea-custom-templates + app.kubernetes.io/instance: gitea + app.kubernetes.io/part-of: gitea +data: + header.tmpl: | + diff --git a/clusters/cl01tl/manifests/gitea/ConfigMap-gitea-gitea-actions-act-runner-config.yaml b/clusters/cl01tl/manifests/gitea/ConfigMap-gitea-gitea-actions-act-runner-config.yaml new file mode 100644 index 000000000..697c5616a --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/ConfigMap-gitea-gitea-actions-act-runner-config.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: gitea-gitea-actions-act-runner-config + namespace: gitea + labels: + helm.sh/chart: gitea-actions-0.1.0 + app: gitea-actions + app.kubernetes.io/name: gitea-actions + app.kubernetes.io/instance: gitea + app.kubernetes.io/version: "0.261.3" + version: "0.261.3" + app.kubernetes.io/managed-by: Helm +data: + config.yaml: | + log: + level: debug + cache: + enabled: true + runner: + labels: + - "ubuntu-latest:docker://harbor.alexlebens.net/proxy-hub.docker/gitea/runner-images:ubuntu-24.04" + - "ubuntu-latest-slim:docker://harbor.alexlebens.net/proxy-hub.docker/gitea/runner-images:ubuntu-24.04-slim" + - "ubuntu-js:docker://harbor.alexlebens.net/proxy-ghcr.io/catthehacker/ubuntu:js-24.04" diff --git a/clusters/cl01tl/manifests/gitea/ConfigMap-gitea-meilisearch-environment.yaml b/clusters/cl01tl/manifests/gitea/ConfigMap-gitea-meilisearch-environment.yaml new file mode 100644 index 000000000..8a45fd119 --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/ConfigMap-gitea-meilisearch-environment.yaml 
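Review bot: The runner labels in `config.yaml` reference every job image by a mutable tag (`ubuntu-24.04`, `ubuntu-24.04-slim`, `js-24.04`) pulled through the Harbor proxy, so whoever controls those upstream tags controls the environment every `ubuntu-latest` job executes in. Pin each label with a digest, e.g. `ubuntu-latest:docker://harbor.alexlebens.net/proxy-hub.docker/gitea/runner-images:ubuntu-24.04@sha256:<digest>`, and bump deliberately, or document that a Harbor immutability/signature policy is what enforces this. `log.level: debug` is also the steady-state setting for a process that holds the registration token and job secrets; it can log more of the job environment than intended, so `info` is the safer value once the rollout is verified. These manifests look Helm-rendered, so the change belongs in the gitea-actions chart values.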
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: gitea-meilisearch-environment + labels: + helm.sh/chart: meilisearch-0.32.0 + app.kubernetes.io/name: meilisearch + app.kubernetes.io/instance: gitea + app.kubernetes.io/version: "v1.42.1" + app.kubernetes.io/component: search-engine + app.kubernetes.io/part-of: meilisearch + app.kubernetes.io/managed-by: Helm +data: + MEILI_ENV: "production" + MEILI_EXPERIMENTAL_DUMPLESS_UPGRADE: "true" + MEILI_NO_ANALYTICS: "true" + MEILI_EXPERIMENTAL_ENABLE_METRICS: "true" diff --git a/clusters/cl01tl/manifests/gitea/ConfigMap-gitea-valkey-init-scripts.yaml b/clusters/cl01tl/manifests/gitea/ConfigMap-gitea-valkey-init-scripts.yaml new file mode 100644 index 000000000..fe255e968 --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/ConfigMap-gitea-valkey-init-scripts.yaml 
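Review bot: `gitea-meilisearch-environment` has no `namespace:` in its metadata (the two valkey init-script ConfigMaps and the valkey-renovate Deployment later in this patch are the same), while every other object here sets `namespace: gitea`. It will land wherever the applier's default namespace points, and the StatefulSet that consumes it presumably expects it in `gitea`; adding `namespace: gitea` (or setting the chart's namespace override so the render includes it) makes the manifests self-contained.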
@@ -0,0 +1,87 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: gitea-valkey-init-scripts + labels: + helm.sh/chart: valkey-0.9.4 + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: gitea + app.kubernetes.io/version: "9.0.4" + app.kubernetes.io/managed-by: Helm +data: + init.sh: |- + #!/bin/sh + set -eu + + # Default config paths + VALKEY_CONFIG=${VALKEY_CONFIG_PATH:-/data/conf/valkey.conf} + + LOGFILE="/data/init.log" + DATA_DIR="/data/conf" + + # Logging function (outputs to stderr and file) + log() { + echo "$(date) $1" | tee -a "$LOGFILE" >&2 + } + + # Clean old log if requested + if [ "${KEEP_OLD_LOGS:-false}" != "true" ]; then + rm -f "$LOGFILE" + fi + + if [ -f "$LOGFILE" ]; then + log "Detected restart of this instance ($HOSTNAME)" + fi + + log "Creating configuration in $DATA_DIR..." + mkdir -p "$DATA_DIR" + rm -f "$VALKEY_CONFIG" + + + # Base valkey.conf + log "Generating base valkey.conf" + { + echo "port 6379" + echo "protected-mode no" + echo "bind * -::*" + echo "dir /data" + } >>"$VALKEY_CONFIG" + # Replica mode configuration + log "Configuring replication mode" + + # Use POD_INDEX from Kubernetes metadata + POD_INDEX=${POD_INDEX:-0} + IS_MASTER=false + + # Check if this is pod-0 (master) + if [ "$POD_INDEX" = "0" ]; then + IS_MASTER=true + log "This pod (index $POD_INDEX) is configured as MASTER" + else + log "This pod (index $POD_INDEX) is configured as REPLICA" + fi + + # Configure replica settings + if [ "$IS_MASTER" = "false" ]; then + MASTER_HOST="gitea-valkey-0.gitea-valkey-headless.gitea.svc.cluster.local" + MASTER_PORT="6379" + + log "Configuring replica to follow master at $MASTER_HOST:$MASTER_PORT" + + { + echo "" + echo "# Replica Configuration" + echo "replicaof $MASTER_HOST $MASTER_PORT" + echo "replica-announce-ip gitea-valkey-$POD_INDEX.gitea-valkey-headless.gitea.svc.cluster.local" + } >>"$VALKEY_CONFIG" + fi + + # Append extra configs if present + if [ -f /usr/local/etc/valkey/valkey.conf ]; then + log "Appending 
/usr/local/etc/valkey/valkey.conf" + cat /usr/local/etc/valkey/valkey.conf >>"$VALKEY_CONFIG" + fi + if [ -d /extravalkeyconfigs ]; then + log "Appending files in /extravalkeyconfigs/" + cat /extravalkeyconfigs/* >>"$VALKEY_CONFIG" + fi diff --git a/clusters/cl01tl/manifests/gitea/ConfigMap-gitea-valkey-renovate-init-scripts.yaml b/clusters/cl01tl/manifests/gitea/ConfigMap-gitea-valkey-renovate-init-scripts.yaml new file mode 100644 index 000000000..eadf01864 --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/ConfigMap-gitea-valkey-renovate-init-scripts.yaml @@ -0,0 +1,58 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: gitea-valkey-renovate-init-scripts + labels: + helm.sh/chart: valkey-0.9.4 + app.kubernetes.io/name: valkey-renovate + app.kubernetes.io/instance: gitea + app.kubernetes.io/version: "9.0.4" + app.kubernetes.io/managed-by: Helm +data: + init.sh: |- + #!/bin/sh + set -eu + + # Default config paths + VALKEY_CONFIG=${VALKEY_CONFIG_PATH:-/data/conf/valkey.conf} + + LOGFILE="/data/init.log" + DATA_DIR="/data/conf" + + # Logging function (outputs to stderr and file) + log() { + echo "$(date) $1" | tee -a "$LOGFILE" >&2 + } + + # Clean old log if requested + if [ "${KEEP_OLD_LOGS:-false}" != "true" ]; then + rm -f "$LOGFILE" + fi + + if [ -f "$LOGFILE" ]; then + log "Detected restart of this instance ($HOSTNAME)" + fi + + log "Creating configuration in $DATA_DIR..." + mkdir -p "$DATA_DIR" + rm -f "$VALKEY_CONFIG" + + + # Base valkey.conf + log "Generating base valkey.conf" + { + echo "port 6379" + echo "protected-mode no" + echo "bind * -::*" + echo "dir /data" + } >>"$VALKEY_CONFIG" + + # Append extra configs if present + if [ -f /usr/local/etc/valkey/valkey.conf ]; then + log "Appending /usr/local/etc/valkey/valkey.conf" + cat /usr/local/etc/valkey/valkey.conf >>"$VALKEY_CONFIG" + fi + if [ -d /extravalkeyconfigs ]; then + log "Appending files in /extravalkeyconfigs/" + cat /extravalkeyconfigs/* >>"$VALKEY_CONFIG" + fi 
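Review bot: `init.sh` writes `protected-mode no` and `bind * -::*` into `valkey.conf` but never emits `requirepass` or `masterauth`, so any pod that can reach port 6379 gets unauthenticated read/write access to Gitea's cache, session and queue data (with `bind` set explicitly, protected-mode would not have blocked remote clients anyway). Add a password from a Secret, e.g. `echo "requirepass $VALKEY_PASSWORD"` in the base block and `echo "masterauth $VALKEY_PASSWORD"` in the replica branch, and update the `valkey-cli ping` probes to authenticate; a NetworkPolicy restricting 6379 to the gitea pods would be the complementary control, and none is in this commit. This is a rendered chart script, so the change belongs in the valkey chart values or the extra config it mounts.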
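Review bot: The renovate variant has the same gap: `protected-mode no`, `bind * -::*` and no `requirepass`, so the single-instance Valkey that Renovate uses is open to every pod in the cluster. The script already concatenates `/usr/local/etc/valkey/valkey.conf` and `/extravalkeyconfigs/*` into the generated config, so a Secret-mounted snippet containing `requirepass <from-openbao>` can be added there without touching the script itself; the Deployment's `valkey-cli ping` probes then need the credential too.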
diff --git a/clusters/cl01tl/manifests/gitea/Deployment-gitea-cloudflared.yaml b/clusters/cl01tl/manifests/gitea/Deployment-gitea-cloudflared.yaml new file mode 100644 index 000000000..cd188711c --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/Deployment-gitea-cloudflared.yaml @@ -0,0 +1,60 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gitea-cloudflared + labels: + app.kubernetes.io/controller: main + app.kubernetes.io/instance: gitea + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cloudflared + app.kubernetes.io/version: 2026.5.0 + helm.sh/chart: cloudflared-3.3.1 + namespace: gitea +spec: + revisionHistoryLimit: 3 + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app.kubernetes.io/controller: main + app.kubernetes.io/name: cloudflared + app.kubernetes.io/instance: gitea + template: + metadata: + labels: + app.kubernetes.io/controller: main + app.kubernetes.io/instance: gitea + app.kubernetes.io/name: cloudflared + spec: + enableServiceLinks: false + serviceAccountName: gitea-cloudflared + automountServiceAccountToken: false + hostIPC: false + hostNetwork: false + hostPID: false + dnsPolicy: ClusterFirst + containers: + - args: + - tunnel + - --protocol + - auto + - --no-autoupdate + - --metrics + - 0.0.0.0:20241 + - run + - --token + - $(CF_MANAGED_TUNNEL_TOKEN) + env: + - name: CF_MANAGED_TUNNEL_TOKEN + valueFrom: + secretKeyRef: + key: cf-tunnel-token + name: gitea-cloudflared-secret + image: cloudflare/cloudflared:2026.5.0@sha256:59bab8d3aceec09bf6bdb07d6beca0225ca5cd7ab79436a87ea97978fe1dc4f9 + imagePullPolicy: IfNotPresent + name: main + resources: + requests: + cpu: 100m + memory: 30Mi diff --git a/clusters/cl01tl/manifests/gitea/Deployment-gitea-valkey-renovate.yaml b/clusters/cl01tl/manifests/gitea/Deployment-gitea-valkey-renovate.yaml new file mode 100644 index 000000000..f59398329 --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/Deployment-gitea-valkey-renovate.yaml 
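Review bot: The tunnel token is passed as a command-line argument (`--token $(CF_MANAGED_TUNNEL_TOKEN)`), so after expansion it sits in the container's argv and is readable from `/proc/<pid>/cmdline` by anything that can exec into the pod or list processes on the node. cloudflared reads the same value from the `TUNNEL_TOKEN` environment variable, so drop the `- --token` and `- $(CF_MANAGED_TUNNEL_TOKEN)` arg lines and rename the env entry to `- name: TUNNEL_TOKEN`, keeping its `secretKeyRef`. The container also carries no `securityContext` at all (no `runAsNonRoot`, no `capabilities.drop: [ALL]`, no `readOnlyRootFilesystem`), unlike the valkey pods in this same patch; the official image is built to run as a non-root user, so those should be safe to set, but verify on first rollout.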
@@ -0,0 +1,117 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gitea-valkey-renovate + labels: + helm.sh/chart: valkey-0.9.4 + app.kubernetes.io/name: valkey-renovate + app.kubernetes.io/instance: gitea + app.kubernetes.io/version: "9.0.4" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + strategy: + type: RollingUpdate + selector: + matchLabels: + app.kubernetes.io/name: valkey-renovate + app.kubernetes.io/instance: gitea + template: + metadata: + labels: + app.kubernetes.io/name: valkey-renovate + app.kubernetes.io/instance: gitea + annotations: + checksum/initconfig: ec5d1c08a6657961bb2582aeddf9f127 + spec: + automountServiceAccountToken: false + serviceAccountName: gitea-valkey-renovate + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + initContainers: + - name: gitea-valkey-renovate-init + image: docker.io/valkey/valkey:9.0.4@sha256:8436e10bc65c94886a91d4415b6a6dfa9cb5a306fb3b996e5bb67cd2b4854193 + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + command: ["/scripts/init.sh"] + volumeMounts: + - name: valkey-data + mountPath: /data + - name: scripts + mountPath: /scripts + containers: + - name: gitea-valkey-renovate + image: docker.io/valkey/valkey:9.0.4@sha256:8436e10bc65c94886a91d4415b6a6dfa9cb5a306fb3b996e5bb67cd2b4854193 + imagePullPolicy: IfNotPresent + command: ["valkey-server"] + args: ["/data/conf/valkey.conf"] + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + env: + - name: VALKEY_LOGLEVEL + value: "notice" + ports: + - name: tcp + containerPort: 6379 + protocol: TCP + startupProbe: + exec: + command: ["sh", "-c", "valkey-cli ping"] + livenessProbe: + exec: + command: ["sh", "-c", "valkey-cli ping"] + resources: + requests: + 
cpu: 10m + memory: 20Mi + volumeMounts: + - name: valkey-data + mountPath: /data + - name: metrics + image: ghcr.io/oliver006/redis_exporter:v1.83.0@sha256:e8c209894d4c0cc55b1259ddd47e0b769ad1ff864b356736ee885462a3b0e48c + imagePullPolicy: "IfNotPresent" + ports: + - name: metrics + containerPort: 9121 + startupProbe: + tcpSocket: + port: metrics + livenessProbe: + tcpSocket: + port: metrics + readinessProbe: + httpGet: + path: / + port: metrics + resources: + requests: + cpu: 1m + memory: 10M + env: + - name: REDIS_ALIAS + value: gitea-valkey-renovate + volumes: + - name: scripts + configMap: + name: gitea-valkey-renovate-init-scripts + defaultMode: 0555 + - name: valkey-data + persistentVolumeClaim: + claimName: gitea-valkey-renovate diff --git a/clusters/cl01tl/manifests/gitea/Deployment-gitea.yaml b/clusters/cl01tl/manifests/gitea/Deployment-gitea.yaml new file mode 100644 index 000000000..91fba25c9 --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/Deployment-gitea.yaml 
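Review bot: `strategy: RollingUpdate` on a single-replica Deployment whose `/data` is the `gitea-valkey-renovate` PVC means a rollout starts the replacement pod before the old one stops; with an RWO claim on another node the new pod sits Pending until the rollout times out, and with RWX two `valkey-server` processes write the same `dir /data` concurrently. `type: Recreate`, as the cloudflared Deployment in this patch already uses, is the appropriate choice for a stateful single writer. The PVC's access mode is not in this chunk, so confirm which case applies. Separately, the `metrics` sidecar has no `securityContext` while the main and init containers drop all capabilities and run read-only; the exporter should get the same block.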
@@ -0,0 +1,264 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gitea + namespace: gitea + annotations: + labels: + helm.sh/chart: gitea-12.6.0 + app: gitea + app.kubernetes.io/name: gitea + app.kubernetes.io/instance: gitea + app.kubernetes.io/version: "1.26.1" + version: "1.26.1" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 3 + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + maxSurge: 100% + selector: + matchLabels: + app.kubernetes.io/name: gitea + app.kubernetes.io/instance: gitea + template: + metadata: + annotations: + checksum/config: 1d046b0cafb712fb3e5553c0b3a474ca01065ef84c46850716aa5ad9f38cef92 + checksum/oauth_0: 03073bf48e66f48f622bd02092a5f93bfd06dbcb5fd833aded3b0d40980be93d + labels: + helm.sh/chart: gitea-12.6.0 + app: gitea + app.kubernetes.io/name: gitea + app.kubernetes.io/instance: gitea + app.kubernetes.io/version: "1.26.1" + version: "1.26.1" + app.kubernetes.io/managed-by: Helm + spec: + securityContext: + fsGroup: 1000 + initContainers: + - name: init-directories + image: "registry.hub.docker.com/gitea/gitea:1.26.1-rootless" + imagePullPolicy: IfNotPresent + command: + - "/usr/sbinx/init_directory_structure.sh" + env: + - name: GITEA_APP_INI + value: /data/gitea/conf/app.ini + - name: GITEA_CUSTOM + value: /data/gitea + - name: GITEA_WORK_DIR + value: /data + - name: GITEA_TEMP + value: /tmp/gitea + volumeMounts: + - name: init + mountPath: /usr/sbinx + - name: temp + mountPath: /tmp + - name: data + mountPath: /data + - mountPath: /data/gitea/public/assets/css + name: gitea-themes-storage + readOnly: false + resources: + limits: {} + requests: + cpu: 100m + memory: 128Mi + - name: init-app-ini + image: "registry.hub.docker.com/gitea/gitea:1.26.1-rootless" + imagePullPolicy: IfNotPresent + command: + - "/usr/sbinx/config_environment.sh" + env: + - name: GITEA_APP_INI + value: /data/gitea/conf/app.ini + - name: GITEA_CUSTOM + value: /data/gitea + - name: GITEA_WORK_DIR + value: /data + - name: 
GITEA_TEMP + value: /tmp/gitea + - name: TMP_EXISTING_ENVS_FILE + value: /tmp/existing-envs + - name: ENV_TO_INI_MOUNT_POINT + value: /env-to-ini-mounts + - name: GITEA__DATABASE__HOST + valueFrom: + secretKeyRef: + key: host + name: gitea-postgresql-18-cluster-app + - name: GITEA__DATABASE__NAME + valueFrom: + secretKeyRef: + key: dbname + name: gitea-postgresql-18-cluster-app + - name: GITEA__DATABASE__USER + valueFrom: + secretKeyRef: + key: user + name: gitea-postgresql-18-cluster-app + - name: GITEA__DATABASE__PASSWD + valueFrom: + secretKeyRef: + key: password + name: gitea-postgresql-18-cluster-app + - name: GITEA__INDEXER__ISSUE_INDEXER_CONN_STR + valueFrom: + secretKeyRef: + key: ISSUE_INDEXER_CONN_STR + name: gitea-meilisearch-key + volumeMounts: + - name: config + mountPath: /usr/sbinx + - name: temp + mountPath: /tmp + - name: data + mountPath: /data + - name: inline-config-sources + mountPath: /env-to-ini-mounts/inlines/ + - mountPath: /data/gitea/public/assets/css + name: gitea-themes-storage + readOnly: false + resources: + limits: {} + requests: + cpu: 100m + memory: 128Mi + - name: configure-gitea + image: "registry.hub.docker.com/gitea/gitea:1.26.1-rootless" + command: + - "/usr/sbinx/configure_gitea.sh" + imagePullPolicy: IfNotPresent + securityContext: + runAsUser: 1000 + env: + - name: GITEA_APP_INI + value: /data/gitea/conf/app.ini + - name: GITEA_CUSTOM + value: /data/gitea + - name: GITEA_WORK_DIR + value: /data + - name: GITEA_TEMP + value: /tmp/gitea + - name: HOME + value: /data/gitea/git + - name: GITEA_OAUTH_KEY_0 + valueFrom: + secretKeyRef: + key: key + name: gitea-oidc-authentik + - name: GITEA_OAUTH_SECRET_0 + valueFrom: + secretKeyRef: + key: secret + name: gitea-oidc-authentik + - name: GITEA_ADMIN_USERNAME + value: "gitea_admin" + - name: GITEA_ADMIN_PASSWORD + value: "r8sA8CPHD9!bt6d" + - name: GITEA_ADMIN_PASSWORD_MODE + value: keepUpdated + volumeMounts: + - name: init + mountPath: /usr/sbinx + - name: temp + mountPath: /tmp + 
- name: data + mountPath: /data + - mountPath: /data/gitea/public/assets/css + name: gitea-themes-storage + readOnly: false + resources: + limits: {} + requests: + cpu: 100m + memory: 128Mi + terminationGracePeriodSeconds: 60 + containers: + - name: gitea + image: "registry.hub.docker.com/gitea/gitea:1.26.1-rootless" + imagePullPolicy: IfNotPresent + env: + - name: SSH_LISTEN_PORT + value: "22" + - name: SSH_PORT + value: "22" + - name: GITEA_APP_INI + value: /data/gitea/conf/app.ini + - name: GITEA_CUSTOM + value: /data/gitea + - name: GITEA_WORK_DIR + value: /data + - name: GITEA_TEMP + value: /tmp/gitea + - name: TMPDIR + value: /tmp/gitea + - name: HOME + value: /data/gitea/git + ports: + - name: ssh + containerPort: 22 + - name: http + containerPort: 3000 + - name: profiler + containerPort: 6060 + livenessProbe: + failureThreshold: 10 + initialDelaySeconds: 200 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: http + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: http + timeoutSeconds: 1 + resources: + requests: + cpu: 1000m + memory: 600Mi + volumeMounts: + - name: temp + mountPath: /tmp + - name: data + mountPath: /data + - mountPath: /data/gitea/public/assets/css + name: gitea-themes-storage + readOnly: true + - mountPath: /data/gitea/templates/custom/header.tmpl + name: gitea-custom-templates + readOnly: true + subPath: header.tmpl + volumes: + - name: init + secret: + secretName: gitea-init + defaultMode: 110 + - name: config + secret: + secretName: gitea + defaultMode: 110 + - name: gitea-themes-storage + persistentVolumeClaim: + claimName: gitea-themes-storage + - configMap: + name: gitea-custom-templates + name: gitea-custom-templates + - name: inline-config-sources + secret: + secretName: gitea-inline-config + - name: temp + emptyDir: {} + - name: data + persistentVolumeClaim: + claimName: gitea-shared-storage 
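Review bot: `GITEA_ADMIN_PASSWORD` is a plaintext literal in the pod spec (`"r8sA8CPHD9!bt6d"`), which is the value the upstream gitea chart ships as its default, and `GITEA_ADMIN_PASSWORD_MODE: keepUpdated` resets `gitea_admin` to it on every rollout even if someone rotates it in the UI — anyone who can read this repository or the Deployment object has admin on an instance that is also published through the Cloudflare tunnel. Source both credentials from a Secret (the chart's existing-secret option for the admin user) so the rendered manifest carries only a `secretKeyRef`, and rotate the password now since this value is already in git history. The `init-directories` and `init-app-ini` init containers also run without any `securityContext` while `configure-gitea` pins `runAsUser: 1000`; giving all three the same block keeps the pod from depending on the image's default user.
```yaml
# … unchanged: other configure-gitea env entries …
- name: GITEA_ADMIN_USERNAME
  valueFrom:
    secretKeyRef:
      name: gitea-admin  # Secret to be created (e.g. via an ExternalSecret from openbao)
      key: username
- name: GITEA_ADMIN_PASSWORD
  valueFrom:
    secretKeyRef:
      name: gitea-admin
      key: password
- name: GITEA_ADMIN_PASSWORD_MODE
  value: keepUpdated
```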
diff --git a/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-cloudflared-secret.yaml b/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-cloudflared-secret.yaml new file mode 100644 index 000000000..f8ed93674 --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-cloudflared-secret.yaml @@ -0,0 +1,21 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: gitea-cloudflared-secret + namespace: gitea + labels: + helm.sh/chart: cloudflared-3.3.1 + app.kubernetes.io/instance: gitea + app.kubernetes.io/part-of: gitea + app.kubernetes.io/version: "3.3.1" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gitea-cloudflared-secret +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + data: + - secretKey: cf-tunnel-token + remoteRef: + key: /cloudflare/tunnels/gitea + property: token diff --git a/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-meilisearch-key.yaml b/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-meilisearch-key.yaml new file mode 100644 index 000000000..db81c34c7 --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-meilisearch-key.yaml @@ -0,0 +1,24 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: gitea-meilisearch-key + namespace: gitea + labels: + app.kubernetes.io/name: gitea-meilisearch-key + app.kubernetes.io/instance: gitea + app.kubernetes.io/part-of: gitea +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + target: + template: + mergePolicy: Merge + engineVersion: v2 + data: + ISSUE_INDEXER_CONN_STR: "http://:{{ .MEILI_MASTER_KEY }}@gitea-meilisearch.gitea:7700/" + data: + - secretKey: MEILI_MASTER_KEY + remoteRef: + key: /cl01tl/gitea/meilisearch + property: master-key diff --git a/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-oidc-authentik.yaml b/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-oidc-authentik.yaml new file mode 100644 index 000000000..69f2454c5 --- /dev/null 
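Review bot: `ISSUE_INDEXER_CONN_STR` embeds the Meilisearch master key (`http://:{{ .MEILI_MASTER_KEY }}@gitea-meilisearch.gitea:7700/`), so Gitea runs its indexer with a credential that can also create and delete API keys and indexes and read every index. Meilisearch documents the master key as a management-only credential and expects applications to use a scoped API key; store such a key (search plus document actions on the Gitea index) under a separate openbao property and template it here instead, so a compromise of the Gitea pod or this Secret does not hand over the whole search engine. The connection is plain `http://`, which is consistent with the rest of the in-cluster stack but means the key crosses the pod network unencrypted.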
+++ b/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-oidc-authentik.yaml @@ -0,0 +1,22 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: gitea-oidc-authentik + namespace: gitea + labels: + app.kubernetes.io/name: gitea-oidc-authentik + app.kubernetes.io/instance: gitea + app.kubernetes.io/part-of: gitea +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + data: + - secretKey: secret + remoteRef: + key: /cl01tl/authentik/oidc/gitea + property: secret + - secretKey: key + remoteRef: + key: /cl01tl/authentik/oidc/gitea + property: client diff --git a/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-postgresql-18-backup-garage-local-secret.yaml b/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-postgresql-18-backup-garage-local-secret.yaml new file mode 100644 index 000000000..d8b999d4f --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-postgresql-18-backup-garage-local-secret.yaml @@ -0,0 +1,29 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: gitea-postgresql-18-backup-garage-local-secret + namespace: gitea + labels: + app.kubernetes.io/name: gitea-postgresql-18-backup-garage-local-secret + helm.sh/chart: postgres-18-cluster-7.13.2 + app.kubernetes.io/instance: gitea + app.kubernetes.io/part-of: gitea + app.kubernetes.io/version: "7.13.2" + app.kubernetes.io/managed-by: Helm +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + data: + - secretKey: ACCESS_REGION + remoteRef: + key: /garage/home-infra/postgres-backups + property: ACCESS_REGION + - secretKey: ACCESS_KEY_ID + remoteRef: + key: /garage/home-infra/postgres-backups + property: ACCESS_KEY_ID + - secretKey: ACCESS_SECRET_KEY + remoteRef: + key: /garage/home-infra/postgres-backups + property: ACCESS_SECRET_KEY 
diff --git a/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-postgresql-18-recovery-secret.yaml b/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-postgresql-18-recovery-secret.yaml new file mode 100644 index 000000000..65f594972 --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-postgresql-18-recovery-secret.yaml @@ -0,0 +1,29 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: gitea-postgresql-18-recovery-secret + namespace: gitea + labels: + helm.sh/chart: postgres-18-cluster-7.13.2 + app.kubernetes.io/instance: gitea + app.kubernetes.io/part-of: gitea + app.kubernetes.io/version: "7.13.2" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gitea-postgresql-18-recovery-secret +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + data: + - secretKey: ACCESS_REGION + remoteRef: + key: /garage/home-infra/postgres-backups + property: ACCESS_REGION + - secretKey: ACCESS_KEY_ID + remoteRef: + key: /garage/home-infra/postgres-backups + property: ACCESS_KEY_ID + - secretKey: ACCESS_SECRET_KEY + remoteRef: + key: /garage/home-infra/postgres-backups + property: ACCESS_SECRET_KEY diff --git a/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-runner-secret.yaml b/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-runner-secret.yaml new file mode 100644 index 000000000..bc71e8d92 --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-runner-secret.yaml @@ -0,0 +1,18 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: gitea-runner-secret + namespace: gitea + labels: + app.kubernetes.io/name: gitea-runner-secret + app.kubernetes.io/instance: gitea + app.kubernetes.io/part-of: gitea +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + data: + - secretKey: token + remoteRef: + key: /cl01tl/gitea/runner + property: token 
diff --git a/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-shared-storage-backup-secret-local.yaml b/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-shared-storage-backup-secret-local.yaml new file mode 100644 index 000000000..285535c16 --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-shared-storage-backup-secret-local.yaml @@ -0,0 +1,47 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: gitea-shared-storage-backup-secret-local + namespace: gitea + labels: + helm.sh/chart: volsync-target-storage-2.0.0 + app.kubernetes.io/instance: gitea + app.kubernetes.io/part-of: gitea + app.kubernetes.io/version: "2.0.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gitea-shared-storage-backup-secret-local +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + target: + template: + mergePolicy: Merge + engineVersion: v2 + data: + RESTIC_REPOSITORY: "s3:{{ .ENDPOINT }}/{{ .BUCKET }}/cl01tl/gitea/gitea-shared-storage" + data: + - secretKey: ENDPOINT + remoteRef: + key: /garage/config + property: ENDPOINT_LOCAL + - secretKey: BUCKET + remoteRef: + key: /garage/home-infra/volsync-backups + property: BUCKET + - secretKey: RESTIC_PASSWORD + remoteRef: + key: /garage/home-infra/volsync-backups + property: RESTIC_PASSWORD_LOCAL + - secretKey: AWS_DEFAULT_REGION + remoteRef: + key: /garage/home-infra/volsync-backups + property: ACCESS_REGION + - secretKey: AWS_ACCESS_KEY_ID + remoteRef: + key: /garage/home-infra/volsync-backups + property: ACCESS_KEY_ID + - secretKey: AWS_SECRET_ACCESS_KEY + remoteRef: + key: /garage/home-infra/volsync-backups + property: ACCESS_SECRET_KEY diff --git a/clusters/cl01tl/manifests/gitea/HTTPRoute-gitea.yaml b/clusters/cl01tl/manifests/gitea/HTTPRoute-gitea.yaml new file mode 100644 index 000000000..f1e5178ef --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/HTTPRoute-gitea.yaml 
@@ -0,0 +1,26 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: gitea + namespace: gitea + labels: + app.kubernetes.io/name: gitea + app.kubernetes.io/instance: gitea + app.kubernetes.io/part-of: gitea +spec: + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: traefik-gateway + namespace: traefik + hostnames: + - gitea.alexlebens.net + rules: + - matches: + - path: + type: PathPrefix + value: / + backendRefs: + - kind: Service + name: gitea-http + port: 3000 diff --git a/clusters/cl01tl/manifests/gitea/Ingress-gitea-tailscale.yaml b/clusters/cl01tl/manifests/gitea/Ingress-gitea-tailscale.yaml new file mode 100644 index 000000000..2f7521ab4 --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/Ingress-gitea-tailscale.yaml @@ -0,0 +1,29 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: gitea-tailscale + namespace: gitea + labels: + app.kubernetes.io/name: gitea-tailscale + app.kubernetes.io/instance: gitea + app.kubernetes.io/part-of: gitea + tailscale.com/proxy-class: no-metrics + annotations: + tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true" +spec: + ingressClassName: tailscale + tls: + - hosts: + - gitea-cl01tl + secretName: gitea-cl01tl + rules: + - host: gitea-cl01tl + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: gitea-http + port: + name: http diff --git a/clusters/cl01tl/manifests/gitea/Namespace-gitea.yaml b/clusters/cl01tl/manifests/gitea/Namespace-gitea.yaml new file mode 100644 index 000000000..426528c99 --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/Namespace-gitea.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: gitea + labels: + app.kubernetes.io/name: gitea + app.kubernetes.io/instance: gitea + app.kubernetes.io/part-of: gitea + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/warn: privileged 
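Review bot: Namespace-gitea.yaml sets `pod-security.kubernetes.io/enforce: privileged` together with `audit: privileged` and `warn: privileged`, which switches Pod Security Admission off for every workload in the namespace — gitea, valkey, meilisearch, cloudflared and the postgres cluster — not only whichever pod actually needs elevated privileges (presumably the actions runner, whose config is elsewhere in this commit). If enforce has to stay at privileged, setting `pod-security.kubernetes.io/audit: restricted` and `pod-security.kubernetes.io/warn: restricted` costs nothing at admission time but records which pods would fail the restricted profile, which is the evidence needed to later move the privileged workload into a namespace of its own. As a rendered manifest, the change belongs in the chart values that generate this file.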
diff --git a/clusters/cl01tl/manifests/gitea/ObjectStore-gitea-postgresql-18-backup-garage-local.yaml b/clusters/cl01tl/manifests/gitea/ObjectStore-gitea-postgresql-18-backup-garage-local.yaml new file mode 100644 index 000000000..93162192b --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/ObjectStore-gitea-postgresql-18-backup-garage-local.yaml @@ -0,0 +1,33 @@ +apiVersion: barmancloud.cnpg.io/v1 +kind: ObjectStore +metadata: + name: gitea-postgresql-18-backup-garage-local + namespace: gitea + labels: + app.kubernetes.io/name: gitea-postgresql-18-backup-garage-local + helm.sh/chart: postgres-18-cluster-7.13.2 + app.kubernetes.io/instance: gitea + app.kubernetes.io/part-of: gitea + app.kubernetes.io/version: "7.13.2" + app.kubernetes.io/managed-by: Helm +spec: + retentionPolicy: 7d + instanceSidecarConfiguration: + env: + - name: AWS_REQUEST_CHECKSUM_CALCULATION + value: when_required + - name: AWS_RESPONSE_CHECKSUM_VALIDATION + value: when_required + configuration: + destinationPath: s3://postgres-backups/cl01tl/gitea/gitea-postgresql-18-cluster + endpointURL: http://garage-main.garage:3900 + s3Credentials: + accessKeyId: + name: gitea-postgresql-18-backup-garage-local-secret + key: ACCESS_KEY_ID + secretAccessKey: + name: gitea-postgresql-18-backup-garage-local-secret + key: ACCESS_SECRET_KEY + region: + name: gitea-postgresql-18-backup-garage-local-secret + key: ACCESS_REGION diff --git a/clusters/cl01tl/manifests/gitea/ObjectStore-gitea-postgresql-18-recovery.yaml b/clusters/cl01tl/manifests/gitea/ObjectStore-gitea-postgresql-18-recovery.yaml new file mode 100644 index 000000000..55126ee68 --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/ObjectStore-gitea-postgresql-18-recovery.yaml 
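Review bot: The backup ObjectStore talks to `endpointURL: http://garage-main.garage:3900`, so base backups and WAL archives — the complete database contents — and the S3 credentials leave the pod unencrypted; if the Garage service exposes a TLS port, using it here is the fix, otherwise this is a trust assumption on the cluster network that should at least be recorded in the chart values. The credentials come from `/garage/home-infra/postgres-backups`, a path with no application component, which suggests one key pair shared by every postgres cluster's backups and by the recovery ObjectStore in the next hunk; a per-application key limited to the `cl01tl/gitea/` prefix would keep a compromised gitea instance sidecar from reading or deleting other clusters' backups. Both points apply to the source chart, since this manifest is bot-rendered.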
@@ -0,0 +1,32 @@ +apiVersion: barmancloud.cnpg.io/v1 +kind: ObjectStore +metadata: + name: "gitea-postgresql-18-recovery" + namespace: gitea + labels: + helm.sh/chart: postgres-18-cluster-7.13.2 + app.kubernetes.io/instance: gitea + app.kubernetes.io/part-of: gitea + app.kubernetes.io/version: "7.13.2" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: "gitea-postgresql-18-recovery" +spec: + configuration: + destinationPath: s3://postgres-backups/cl01tl/gitea/gitea-postgresql-18-cluster + endpointURL: http://garage-main.garage:3900 + wal: + compression: snappy + maxParallel: 1 + data: + compression: snappy + jobs: 1 + s3Credentials: + accessKeyId: + name: gitea-postgresql-18-recovery-secret + key: ACCESS_KEY_ID + secretAccessKey: + name: gitea-postgresql-18-recovery-secret + key: ACCESS_SECRET_KEY + region: + name: gitea-postgresql-18-recovery-secret + key: ACCESS_REGION diff --git a/clusters/cl01tl/manifests/gitea/PersistentVolumeClaim-gitea-meilisearch.yaml b/clusters/cl01tl/manifests/gitea/PersistentVolumeClaim-gitea-meilisearch.yaml new file mode 100644 index 000000000..1b03ad5a1 --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/PersistentVolumeClaim-gitea-meilisearch.yaml @@ -0,0 +1,19 @@ +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: gitea-meilisearch + labels: + helm.sh/chart: meilisearch-0.32.0 + app.kubernetes.io/name: meilisearch + app.kubernetes.io/instance: gitea + app.kubernetes.io/version: "v1.42.1" + app.kubernetes.io/component: search-engine + app.kubernetes.io/part-of: meilisearch + app.kubernetes.io/managed-by: Helm +spec: + accessModes: + - "ReadWriteOnce" + resources: + requests: + storage: "5Gi" + storageClassName: "ceph-block" diff --git a/clusters/cl01tl/manifests/gitea/PersistentVolumeClaim-gitea-shared-storage.yaml b/clusters/cl01tl/manifests/gitea/PersistentVolumeClaim-gitea-shared-storage.yaml new file mode 100644 index 000000000..25d9a34d7 --- /dev/null 
+++ b/clusters/cl01tl/manifests/gitea/PersistentVolumeClaim-gitea-shared-storage.yaml @@ -0,0 +1,16 @@ +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: gitea-shared-storage + namespace: gitea + annotations: + helm.sh/resource-policy: keep + labels: {} +spec: + accessModes: + - ReadWriteMany + volumeMode: Filesystem + storageClassName: "ceph-filesystem" + resources: + requests: + storage: 40Gi diff --git a/clusters/cl01tl/manifests/gitea/PersistentVolumeClaim-gitea-themes-storage.yaml b/clusters/cl01tl/manifests/gitea/PersistentVolumeClaim-gitea-themes-storage.yaml new file mode 100644 index 000000000..0e74321f0 --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/PersistentVolumeClaim-gitea-themes-storage.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: gitea-themes-storage + namespace: gitea + labels: + app.kubernetes.io/name: gitea-themes-storage + app.kubernetes.io/instance: gitea + app.kubernetes.io/part-of: gitea +spec: + volumeMode: Filesystem + storageClassName: ceph-filesystem + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Gi diff --git a/clusters/cl01tl/manifests/gitea/PersistentVolumeClaim-gitea-valkey-renovate.yaml b/clusters/cl01tl/manifests/gitea/PersistentVolumeClaim-gitea-valkey-renovate.yaml new file mode 100644 index 000000000..59b4d6de4 --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/PersistentVolumeClaim-gitea-valkey-renovate.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: gitea-valkey-renovate + labels: + helm.sh/chart: valkey-0.9.4 + app.kubernetes.io/name: valkey-renovate + app.kubernetes.io/instance: gitea + app.kubernetes.io/version: "9.0.4" + app.kubernetes.io/managed-by: Helm +spec: + accessModes: + - ReadWriteOnce + volumeMode: Filesystem + resources: + requests: + storage: 1Gi + storageClassName: ceph-block 
diff --git a/clusters/cl01tl/manifests/gitea/Pod-gitea-meilisearch-test-connection.yaml b/clusters/cl01tl/manifests/gitea/Pod-gitea-meilisearch-test-connection.yaml new file mode 100644 index 000000000..366f10a6f --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/Pod-gitea-meilisearch-test-connection.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: gitea-meilisearch-test-connection + labels: + app.kubernetes.io/name: meilisearch + helm.sh/chart: meilisearch-0.32.0 + app.kubernetes.io/instance: gitea + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": test-success +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['--spider', '--timeout=5', 'gitea-meilisearch:7700'] + restartPolicy: Never diff --git a/clusters/cl01tl/manifests/gitea/Pod-gitea-test-connection.yaml b/clusters/cl01tl/manifests/gitea/Pod-gitea-test-connection.yaml new file mode 100644 index 000000000..70c326d5c --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/Pod-gitea-test-connection.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "gitea-test-connection" + namespace: gitea + labels: + helm.sh/chart: gitea-12.6.0 + app: gitea + app.kubernetes.io/name: gitea + app.kubernetes.io/instance: gitea + app.kubernetes.io/version: "1.26.1" + version: "1.26.1" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": test-success +spec: + containers: + - name: wget + image: "busybox:latest" + command: ['wget'] + args: ['gitea-http:3000'] + restartPolicy: Never diff --git a/clusters/cl01tl/manifests/gitea/PodMonitor-gitea-postgresql-18.yaml b/clusters/cl01tl/manifests/gitea/PodMonitor-gitea-postgresql-18.yaml new file mode 100644 index 000000000..065b20cb8 --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/PodMonitor-gitea-postgresql-18.yaml 
@@ -0,0 +1,19 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: gitea-postgresql-18 + namespace: gitea + labels: + app.kubernetes.io/name: gitea-postgresql-18 + helm.sh/chart: postgres-18-cluster-7.13.2 + app.kubernetes.io/instance: gitea + app.kubernetes.io/part-of: gitea + app.kubernetes.io/version: "7.13.2" + app.kubernetes.io/managed-by: Helm +spec: + selector: + matchLabels: + cnpg.io/cluster: gitea-postgresql-18 + cnpg.io/podRole: instance + podMetricsEndpoints: + - port: metrics diff --git a/clusters/cl01tl/manifests/gitea/PodMonitor-gitea-valkey-renovate.yaml b/clusters/cl01tl/manifests/gitea/PodMonitor-gitea-valkey-renovate.yaml new file mode 100644 index 000000000..5c1b6438c --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/PodMonitor-gitea-valkey-renovate.yaml @@ -0,0 +1,23 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: gitea-valkey-renovate + labels: + helm.sh/chart: valkey-0.9.4 + app.kubernetes.io/name: valkey-renovate + app.kubernetes.io/instance: gitea + app.kubernetes.io/version: "9.0.4" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: valkey + app.kubernetes.io/component: podmonitor +spec: + podMetricsEndpoints: + - port: metrics + interval: 30s + namespaceSelector: + matchNames: + - gitea + selector: + matchLabels: + app.kubernetes.io/name: valkey-renovate + app.kubernetes.io/instance: gitea diff --git a/clusters/cl01tl/manifests/gitea/PodMonitor-gitea-valkey.yaml b/clusters/cl01tl/manifests/gitea/PodMonitor-gitea-valkey.yaml new file mode 100644 index 000000000..3d493a73e --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/PodMonitor-gitea-valkey.yaml 
@@ -0,0 +1,23 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: gitea-valkey + labels: + helm.sh/chart: valkey-0.9.4 + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: gitea + app.kubernetes.io/version: "9.0.4" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: valkey + app.kubernetes.io/component: podmonitor +spec: + podMetricsEndpoints: + - port: metrics + interval: 30s + namespaceSelector: + matchNames: + - gitea + selector: + matchLabels: + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: gitea diff --git a/clusters/cl01tl/manifests/gitea/PrometheusRule-gitea-postgresql-18-alert-rules.yaml b/clusters/cl01tl/manifests/gitea/PrometheusRule-gitea-postgresql-18-alert-rules.yaml new file mode 100644 index 000000000..5ded36860 --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/PrometheusRule-gitea-postgresql-18-alert-rules.yaml 
@@ -0,0 +1,270 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: gitea-postgresql-18-alert-rules + namespace: gitea + labels: + app.kubernetes.io/name: gitea-postgresql-18-alert-rules + helm.sh/chart: postgres-18-cluster-7.13.2 + app.kubernetes.io/instance: gitea + app.kubernetes.io/part-of: gitea + app.kubernetes.io/version: "7.13.2" + app.kubernetes.io/managed-by: Helm +spec: + groups: + - name: cloudnative-pg/gitea-postgresql-18 + rules: + - alert: CNPGClusterBackendsWaitingWarning + annotations: + summary: CNPG Cluster a backend is waiting for longer than 5 minutes. + description: |- + Pod {{ $labels.pod }} + has been waiting for longer than 5 minutes + expr: | + cnpg_backends_waiting_total{namespace="gitea"} > 300 + for: 1m + labels: + severity: warning + namespace: gitea + cnpg_cluster: gitea-postgresql-18-cluster + - alert: CNPGClusterDatabaseDeadlockConflictsWarning + annotations: + summary: CNPG Cluster has over 10 deadlock conflicts. + description: |- + There are over 10 deadlock conflicts in + {{ $labels.pod }} + expr: | + cnpg_pg_stat_database_deadlocks{namespace="gitea"} > 10 + for: 1m + labels: + severity: warning + namespace: gitea + cnpg_cluster: gitea-postgresql-18-cluster + - alert: CNPGClusterHACritical + annotations: + summary: CNPG Cluster has no standby replicas! + description: |- + CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe + risk of data loss and downtime if the primary instance fails. + + The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint + will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. + + This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less + instances. The replaced instance may need some time to catch-up with the cluster primary instance. 
+ + This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this + case you may want to silence it. + runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md + expr: | + max by (job) (cnpg_pg_replication_streaming_replicas{namespace="gitea"} - cnpg_pg_replication_is_wal_receiver_up{namespace="gitea"}) < 1 + for: 5m + labels: + severity: critical + namespace: gitea + cnpg_cluster: gitea-postgresql-18-cluster + - alert: CNPGClusterHAWarning + annotations: + summary: CNPG Cluster less than 2 standby replicas. + description: |- + CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting + your cluster at risk if another instance fails. The cluster is still able to operate normally, although + the `-ro` and `-r` endpoints operate at reduced capacity. + + This can happen during a normal fail-over or automated minor version upgrades. The replaced instance may + need some time to catch-up with the cluster primary instance. + + This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. + In this case you may want to silence it. + runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md + expr: | + max by (job) (cnpg_pg_replication_streaming_replicas{namespace="gitea"} - cnpg_pg_replication_is_wal_receiver_up{namespace="gitea"}) < 2 + for: 5m + labels: + severity: warning + namespace: gitea + cnpg_cluster: gitea-postgresql-18-cluster + - alert: CNPGClusterHighConnectionsCritical + annotations: + summary: CNPG Instance maximum number of connections critical! + description: |- + CloudNativePG Cluster "gitea/gitea-postgresql-18-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of + the maximum number of connections. 
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md + expr: | + sum by (pod) (cnpg_backends_total{namespace="gitea", pod=~"gitea-postgresql-18-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="gitea", pod=~"gitea-postgresql-18-cluster-([1-9][0-9]*)$"}) * 100 > 95 + for: 5m + labels: + severity: critical + namespace: gitea + cnpg_cluster: gitea-postgresql-18-cluster + - alert: CNPGClusterHighConnectionsWarning + annotations: + summary: CNPG Instance is approaching the maximum number of connections. + description: |- + CloudNativePG Cluster "gitea/gitea-postgresql-18-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of + the maximum number of connections. + runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md + expr: | + sum by (pod) (cnpg_backends_total{namespace="gitea", pod=~"gitea-postgresql-18-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="gitea", pod=~"gitea-postgresql-18-cluster-([1-9][0-9]*)$"}) * 100 > 80 + for: 5m + labels: + severity: warning + namespace: gitea + cnpg_cluster: gitea-postgresql-18-cluster + - alert: CNPGClusterHighReplicationLag + annotations: + summary: CNPG Cluster high replication lag + description: |- + CloudNativePG Cluster "gitea/gitea-postgresql-18-cluster" is experiencing a high replication lag of + {{`{{`}} $value {{`}}`}}ms. + + High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. 
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md + expr: | + max(cnpg_pg_replication_lag{namespace="gitea",pod=~"gitea-postgresql-18-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 + for: 5m + labels: + severity: warning + namespace: gitea + cnpg_cluster: gitea-postgresql-18-cluster + - alert: CNPGClusterInstancesOnSameNode + annotations: + summary: CNPG Cluster instances are located on the same node. + description: |- + CloudNativePG Cluster "gitea/gitea-postgresql-18-cluster" has {{`{{`}} $value {{`}}`}} + instances on the same node {{`{{`}} $labels.node {{`}}`}}. + + A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. + runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md + expr: | + count by (node) (kube_pod_info{namespace="gitea", pod=~"gitea-postgresql-18-cluster-([1-9][0-9]*)$"}) > 1 + for: 5m + labels: + severity: warning + namespace: gitea + cnpg_cluster: gitea-postgresql-18-cluster + - alert: CNPGClusterLongRunningTransactionWarning + annotations: + summary: CNPG Cluster query is taking longer than 5 minutes. + description: |- + CloudNativePG Cluster Pod {{ $labels.pod }} + is taking more than 5 minutes (300 seconds) for a query. + expr: |- + cnpg_backends_max_tx_duration_seconds{namespace="gitea"} > 300 + for: 1m + labels: + severity: warning + namespace: gitea + cnpg_cluster: gitea-postgresql-18-cluster + - alert: CNPGClusterLowDiskSpaceCritical + annotations: + summary: CNPG Instance is running out of disk space! + description: |- + CloudNativePG Cluster "gitea/gitea-postgresql-18-cluster" is running extremely low on disk space. Check attached PVCs! 
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md + expr: | + max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="gitea", persistentvolumeclaim=~"gitea-postgresql-18-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="gitea", persistentvolumeclaim=~"gitea-postgresql-18-cluster-([1-9][0-9]*)$"})) > 0.9 OR + max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="gitea", persistentvolumeclaim=~"gitea-postgresql-18-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="gitea", persistentvolumeclaim=~"gitea-postgresql-18-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR + max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="gitea", persistentvolumeclaim=~"gitea-postgresql-18-cluster-([1-9][0-9]*)$-tbs.*"}) + / + sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="gitea", persistentvolumeclaim=~"gitea-postgresql-18-cluster-([1-9][0-9]*)$-tbs.*"}) + * + on(namespace, persistentvolumeclaim) group_left(volume) + kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"gitea-postgresql-18-cluster-([1-9][0-9]*)$"} + ) > 0.9 + for: 5m + labels: + severity: critical + namespace: gitea + cnpg_cluster: gitea-postgresql-18-cluster + - alert: CNPGClusterLowDiskSpaceWarning + annotations: + summary: CNPG Instance is running out of disk space. + description: |- + CloudNativePG Cluster "gitea/gitea-postgresql-18-cluster" is running low on disk space. Check attached PVCs. 
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md + expr: | + max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="gitea", persistentvolumeclaim=~"gitea-postgresql-18-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="gitea", persistentvolumeclaim=~"gitea-postgresql-18-cluster-([1-9][0-9]*)$"})) > 0.7 OR + max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="gitea", persistentvolumeclaim=~"gitea-postgresql-18-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="gitea", persistentvolumeclaim=~"gitea-postgresql-18-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR + max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="gitea", persistentvolumeclaim=~"gitea-postgresql-18-cluster-([1-9][0-9]*)$-tbs.*"}) + / + sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="gitea", persistentvolumeclaim=~"gitea-postgresql-18-cluster-([1-9][0-9]*)$-tbs.*"}) + * + on(namespace, persistentvolumeclaim) group_left(volume) + kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"gitea-postgresql-18-cluster-([1-9][0-9]*)$"} + ) > 0.7 + for: 5m + labels: + severity: warning + namespace: gitea + cnpg_cluster: gitea-postgresql-18-cluster + - alert: CNPGClusterOffline + annotations: + summary: CNPG Cluster has no running instances! + description: |- + CloudNativePG Cluster "gitea/gitea-postgresql-18-cluster" has no ready instances. + + Having an offline cluster means your applications will not be able to access the database, leading to + potential service disruption and/or data loss. 
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md + expr: | + (count(cnpg_collector_up{namespace="gitea",pod=~"gitea-postgresql-18-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 + for: 5m + labels: + severity: critical + namespace: gitea + cnpg_cluster: gitea-postgresql-18-cluster + - alert: CNPGClusterPGDatabaseXidAgeWarning + annotations: + summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. + description: |- + Over 300,000,000 transactions from frozen xid + on pod {{ $labels.pod }} + expr: | + cnpg_pg_database_xid_age{namespace="gitea"} > 300000000 + for: 1m + labels: + severity: warning + namespace: gitea + cnpg_cluster: gitea-postgresql-18-cluster + - alert: CNPGClusterPGReplicationWarning + annotations: + summary: CNPG Cluster standby is lagging behind the primary. + description: |- + Standby is lagging behind by over 300 seconds (5 minutes) + expr: | + cnpg_pg_replication_lag{namespace="gitea"} > 300 + for: 1m + labels: + severity: warning + namespace: gitea + cnpg_cluster: gitea-postgresql-18-cluster + - alert: CNPGClusterReplicaFailingReplicationWarning + annotations: + summary: CNPG Cluster has a replica is failing to replicate. + description: |- + Replica {{ $labels.pod }} + is failing to replicate + expr: | + cnpg_pg_replication_in_recovery{namespace="gitea"} > cnpg_pg_replication_is_wal_receiver_up{namespace="gitea"} + for: 1m + labels: + severity: warning + namespace: gitea + cnpg_cluster: gitea-postgresql-18-cluster + - alert: CNPGClusterZoneSpreadWarning + annotations: + summary: CNPG Cluster instances in the same zone. + description: |- + CloudNativePG Cluster "gitea/gitea-postgresql-18-cluster" has instances in the same availability zone. + + A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md + expr: | + 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="gitea", pod=~"gitea-postgresql-18-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 + for: 5m + labels: + severity: warning + namespace: gitea + cnpg_cluster: gitea-postgresql-18-cluster diff --git a/clusters/cl01tl/manifests/gitea/PrometheusRule-gitea-shared-storage-backup-source-local.yaml b/clusters/cl01tl/manifests/gitea/PrometheusRule-gitea-shared-storage-backup-source-local.yaml new file mode 100644 index 000000000..ca6d18f84 --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/PrometheusRule-gitea-shared-storage-backup-source-local.yaml @@ -0,0 +1,30 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: gitea-shared-storage-backup-source-local + namespace: gitea + labels: + helm.sh/chart: volsync-target-storage-2.0.0 + app.kubernetes.io/instance: gitea + app.kubernetes.io/part-of: gitea + app.kubernetes.io/version: "2.0.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gitea-shared-storage-backup-source-local +spec: + groups: + - name: volsync.alerts + rules: + - alert: VolSyncBackupPodFailed + expr: | + (kube_pod_container_status_last_terminated_exitcode > 0) + * on(pod, namespace) group_left(owner_name) + kube_pod_owner{owner_kind="Job", owner_name=~"volsync-.*"} + for: 1m + labels: + severity: critical + annotations: + summary: "VolSync Backup Pod failed in {{ $labels.namespace }}" + description: | + A pod for the VolSync backup of PVC 'gitea-shared-storage' failed with exit code {{ $value }}. + Job: {{ $labels.owner_name }} + Namespace: {{ $labels.namespace }} 
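Review bot: In PrometheusRule-gitea-postgresql-18-alert-rules.yaml the descriptions of CNPGClusterHACritical, CNPGClusterHAWarning, both CNPGClusterHighConnections rules, CNPGClusterHighReplicationLag and CNPGClusterInstancesOnSameNode still carry the Helm escape form `{{`{{`}} $labels.job {{`}}`}}` in the rendered output, while CNPGClusterBackendsWaitingWarning in the same file uses the plain `{{ $labels.pod }}`. Prometheus evaluates annotations once with Go templates, so the escaped form prints the literal text `{{ $labels.job }}` instead of the job, and likewise for `$value`, leaving those alerts without the pod, percentage or lag figure a responder needs. The text appears to be copied from the upstream cloudnative-pg cluster chart, where Helm consumes the escaping; unless a further templating pass consumes these manifests, the source template should write `{{ $labels.job }}` and `{{ $value }}` directly, as the other rules here do. The hunk is the whole file, so no context is missing.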
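Review bot: The VolSyncBackupPodFailed expression in PrometheusRule-gitea-shared-storage-backup-source-local.yaml has no namespace matcher — `kube_pod_owner{owner_kind="Job", owner_name=~"volsync-.*"}` joins failed containers from every namespace — while the description hard-codes PVC 'gitea-shared-storage'. Unless the Prometheus instance injects a namespace label into rules, a mover failure in any other namespace will page as a gitea-shared-storage failure, and every application that renders this same chart will raise a duplicate of the alert. Scoping the selector, `kube_pod_owner{namespace="gitea", owner_kind="Job", owner_name=~"volsync-.*"}`, makes the alert match its description; the change belongs in the volsync-target-storage chart template that produces this file.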
diff --git a/clusters/cl01tl/manifests/gitea/PrometheusRule-gitea-valkey-renovate.yaml b/clusters/cl01tl/manifests/gitea/PrometheusRule-gitea-valkey-renovate.yaml new file mode 100644 index 000000000..33f2f7d6b --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/PrometheusRule-gitea-valkey-renovate.yaml @@ -0,0 +1,47 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: gitea-valkey-renovate + labels: + helm.sh/chart: valkey-0.9.4 + app.kubernetes.io/name: valkey-renovate + app.kubernetes.io/instance: gitea + app.kubernetes.io/version: "9.0.4" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: valkey +spec: + groups: + - name: gitea-valkey-renovate + rules: + - alert: ValkeyDown + annotations: + description: Valkey instance {{ $labels.instance }} is down. + summary: Valkey instance {{ $labels.instance }} down + expr: | + redis_up{service="gitea-valkey-renovate-metrics"} == 0 + for: 2m + labels: + severity: error + - alert: ValkeyMemoryHigh + annotations: + description: | + Valkey instance {{ $labels.instance }} is using {{ $value }}% of its available memory. + summary: Valkey instance {{ $labels.instance }} is using too much memory + expr: | + redis_memory_used_bytes{service="gitea-valkey-renovate-metrics"} * 100 + / + redis_memory_max_bytes{service="gitea-valkey-renovate-metrics"} + > 90 <= 100 + for: 2m + labels: + severity: error + - alert: ValkeyKeyEviction + annotations: + description: | + Valkey instance {{ $labels.instance }} has evicted {{ $value }} keys in the last 5 minutes. + summary: Valkey instance {{ $labels.instance }} has evicted keys + expr: | + increase(redis_evicted_keys_total{service="gitea-valkey-renovate-metrics"}[5m]) > 0 + for: 1s + labels: + severity: error diff --git a/clusters/cl01tl/manifests/gitea/PrometheusRule-gitea-valkey.yaml b/clusters/cl01tl/manifests/gitea/PrometheusRule-gitea-valkey.yaml new file mode 100644 index 000000000..c61278a39 --- /dev/null 
+++ b/clusters/cl01tl/manifests/gitea/PrometheusRule-gitea-valkey.yaml @@ -0,0 +1,47 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: gitea-valkey + labels: + helm.sh/chart: valkey-0.9.4 + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: gitea + app.kubernetes.io/version: "9.0.4" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: valkey +spec: + groups: + - name: gitea-valkey + rules: + - alert: ValkeyDown + annotations: + description: Valkey instance {{ $labels.instance }} is down. + summary: Valkey instance {{ $labels.instance }} down + expr: | + redis_up{service="gitea-valkey-metrics"} == 0 + for: 2m + labels: + severity: error + - alert: ValkeyMemoryHigh + annotations: + description: | + Valkey instance {{ $labels.instance }} is using {{ $value }}% of its available memory. + summary: Valkey instance {{ $labels.instance }} is using too much memory + expr: | + redis_memory_used_bytes{service="gitea-valkey-metrics"} * 100 + / + redis_memory_max_bytes{service="gitea-valkey-metrics"} + > 90 <= 100 + for: 2m + labels: + severity: error + - alert: ValkeyKeyEviction + annotations: + description: | + Valkey instance {{ $labels.instance }} has evicted {{ $value }} keys in the last 5 minutes. + summary: Valkey instance {{ $labels.instance }} has evicted keys + expr: | + increase(redis_evicted_keys_total{service="gitea-valkey-metrics"}[5m]) > 0 + for: 1s + labels: + severity: error diff --git a/clusters/cl01tl/manifests/gitea/PrometheusRule-meilisearch.yaml b/clusters/cl01tl/manifests/gitea/PrometheusRule-meilisearch.yaml new file mode 100644 index 000000000..22bdae5ac --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/PrometheusRule-meilisearch.yaml 
@@ -0,0 +1,29 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: meilisearch
+ namespace: gitea
+ labels:
+ app.kubernetes.io/name: meilisearch
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/part-of: gitea
+spec:
+ groups:
+ - name: EmbeddedExporter
+ rules:
+ - alert: MeilisearchIndexIsEmpty
+ expr: meilisearch_index_docs_count == 0
+ for: 0m
+ labels:
+ severity: warning
+ annotations:
+ summary: Meilisearch index is empty (instance {{ $labels.instance }})
+ description: "Meilisearch index {{ $labels.index }} has zero documents\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
+ - alert: MeilisearchHttpResponseTime
+ expr: meilisearch_http_response_time_seconds > 0.5
+ for: 0m
+ labels:
+ severity: warning
+ annotations:
+ summary: Meilisearch http response time (instance {{ $labels.instance }})
+ description: "Meilisearch http response time is too high\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
diff --git a/clusters/cl01tl/manifests/gitea/ReplicationSource-gitea-shared-storage-backup-source-local.yaml b/clusters/cl01tl/manifests/gitea/ReplicationSource-gitea-shared-storage-backup-source-local.yaml
new file mode 100644
index 000000000..14084d0c8
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/ReplicationSource-gitea-shared-storage-backup-source-local.yaml
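Review bot: `meilisearch_http_response_time_seconds > 0.5` looks like it targets a histogram metric; if Meilisearch exports it as `_bucket`/`_sum`/`_count` series the bare name has no samples and MeilisearchHttpResponseTime can never fire, so confirm the metric name against an actual scrape. A form that works on a histogram is `histogram_quantile(0.95, sum(rate(meilisearch_http_response_time_seconds_bucket[5m])) by (le)) > 0.5`. MeilisearchIndexIsEmpty with `for: 0m` will also fire on every freshly created index before Gitea has populated it; a `for: 10m` or similar would suppress that start-up noise without hiding a persistently empty index.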
@@ -0,0 +1,34 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+ name: gitea-shared-storage-backup-source-local
+ namespace: gitea
+ labels:
+ helm.sh/chart: volsync-target-storage-2.0.0
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/part-of: gitea
+ app.kubernetes.io/version: "2.0.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: gitea-shared-storage-backup-source-local
+spec:
+ sourcePVC: gitea-shared-storage
+ trigger:
+ schedule: 0 0 7 * * *
+ restic:
+ pruneIntervalDays: 3
+ repository: gitea-shared-storage-backup-secret-local
+ retain:
+ daily: 1
+ hourly: 1
+ monthly: 0
+ weekly: 3
+ yearly: 0
+ moverSecurityContext:
+ fsGroup: 1000
+ fsGroupChangePolicy: OnRootMismatch
+ runAsGroup: 1000
+ runAsUser: 1000
+ copyMethod: Snapshot
+ storageClassName: ceph-filesystem
+ volumeSnapshotClassName: ceph-filesystem-snapshot
+ cacheCapacity: 10Gi
diff --git a/clusters/cl01tl/manifests/gitea/ScheduledBackup-gitea-postgresql-18-scheduled-backup-live-backup.yaml b/clusters/cl01tl/manifests/gitea/ScheduledBackup-gitea-postgresql-18-scheduled-backup-live-backup.yaml
new file mode 100644
index 000000000..a172090c1
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/ScheduledBackup-gitea-postgresql-18-scheduled-backup-live-backup.yaml
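Review bot: `schedule: 0 0 7 * * *` is a six-field, seconds-first expression, the form the CNPG ScheduledBackup in the next hunk expects, but VolSync's ReplicationSource trigger is documented with standard five-field cron; unless the operator version in this cluster accepts a seconds field, the value may be rejected or parsed as something other than the intended 07:00 daily run, so confirm against the installed CRD and quote the value if it is kept (`schedule: "0 7 * * *"` if five-field is what VolSync parses). The mover runs as uid/gid 1000 with no indication of why; a comment such as `# presumably matches the Gitea container's fsGroup so restic can read the PVC — confirm` would record the dependency for whoever changes either side.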
@@ -0,0 +1,24 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+ name: "gitea-postgresql-18-scheduled-backup-live-backup"
+ namespace: gitea
+ labels:
+ app.kubernetes.io/name: "gitea-postgresql-18-scheduled-backup-live-backup"
+ helm.sh/chart: postgres-18-cluster-7.13.2
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/part-of: gitea
+ app.kubernetes.io/version: "7.13.2"
+ app.kubernetes.io/managed-by: Helm
+spec:
+ immediate: true
+ suspend: false
+ schedule: "0 0 7 * * *"
+ backupOwnerReference: self
+ cluster:
+ name: gitea-postgresql-18-cluster
+ method: plugin
+ pluginConfiguration:
+ name: barman-cloud.cloudnative-pg.io
+ parameters:
+ barmanObjectName: "gitea-postgresql-18-backup-garage-local"
diff --git a/clusters/cl01tl/manifests/gitea/Secret-gitea-init.yaml b/clusters/cl01tl/manifests/gitea/Secret-gitea-init.yaml
new file mode 100644
index 000000000..c5e0ea931
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/Secret-gitea-init.yaml
@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: gitea-init
+ namespace: gitea
+ labels:
+ helm.sh/chart: gitea-12.6.0
+ app: gitea
+ app.kubernetes.io/name: gitea
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "1.26.1"
+ version: "1.26.1"
+ app.kubernetes.io/managed-by: Helm
+type: Opaque
+stringData:
+ configure_gpg_environment.sh: |
+ #!/usr/bin/env bash
+ set -eu
+
+ gpg --batch --import "$TMP_RAW_GPG_KEY"
+ init_directory_structure.sh: |-
+ #!/usr/bin/env bash
+
+ set -euo pipefail
+ # BEGIN: initPreScript
+ wget https://github.com/catppuccin/gitea/releases/latest/download/catppuccin-gitea.tar.gz;
+ tar -xvzf catppuccin-gitea.tar.gz -C /data/gitea/public/assets/css;
+ rm catppuccin-gitea.tar.gz;
+ # END: initPreScript
+ mkdir -pv /data/git/.ssh
+ chmod -Rv 700 /data/git/.ssh
+ [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf
+
+ # prepare temp directory structure
+ mkdir -pv "${GITEA_TEMP}"
+ chmod -v ug+rwx "${GITEA_TEMP}"
+ configure_gitea.sh: "#!/usr/bin/env bash\n\nset -euo pipefail\n\necho '==== BEGIN GITEA CONFIGURATION ===='\n\n{ # try\n gitea migrate\n} || { # catch\n echo \"Gitea migrate might fail due to database connection...This init-container will try again in a few seconds\"\n exit 1\n}\nfunction configure_admin_user() {\n local full_admin_list=$(gitea admin user list --admin)\n local actual_user_table=''\n\n # We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line\n local regex=\"(.*)(ID\\s+Username\\s+Email\\s+IsActive.*)\"\n if [[ \"${full_admin_list}\" =~ $regex ]]; then\n actual_user_table=$(echo \"${BASH_REMATCH[2]}\" | tail -n+2) # tail'ing to drop the table headline\n else\n # This code block should never be reached, as long as the output table header remains the same.\n # If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script.\n\n echo \"ERROR: 'configure_admin_user' was not able to determine the current list of admin users.\"\n echo \" Please review the output of 'gitea admin user list --admin' shown below.\"\n echo \" If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-gitea/issues.\"\n echo \"DEBUG: Output of 'gitea admin user list --admin'\"\n echo \"--\"\n echo \"${full_admin_list}\"\n echo \"--\"\n exit 1\n fi\n\n local ACCOUNT_ID=$(echo \"${actual_user_table}\" | grep -E \"\\s+${GITEA_ADMIN_USERNAME}\\s+\" | awk -F \" \" \"{printf \\$1}\")\n if [[ -z \"${ACCOUNT_ID}\" ]]; then\n local -a create_args\n create_args=(--admin --username \"${GITEA_ADMIN_USERNAME}\" --password \"${GITEA_ADMIN_PASSWORD}\" --email \"gitea@local.domain\")\n if [[ \"${GITEA_ADMIN_PASSWORD_MODE}\" = initialOnlyRequireReset ]]; then\n create_args+=(--must-change-password=true)\n else\n create_args+=(--must-change-password=false)\n fi\n echo \"No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now...\"\n gitea admin user create \"${create_args[@]}\"\n echo '...created.'\n else\n if [[ \"${GITEA_ADMIN_PASSWORD_MODE}\" = keepUpdated ]]; then\n echo \"Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password...\"\n # See https://gitea.com/gitea/helm-gitea/issues/673\n # --must-change-password argument was added to change-password, defaulting to true, counter to the previous behavior\n # which acted as if it were provided with =false. If the argument is present in this version of gitea, then we\n # should add it to prevent requiring frequent admin password resets.\n local -a change_args\n change_args=(--username \"${GITEA_ADMIN_USERNAME}\" --password \"${GITEA_ADMIN_PASSWORD}\")\n if gitea admin user change-password --help | grep -F -- '--must-change-password' >/dev/null; then\n change_args+=(--must-change-password=false)\n fi\n gitea admin user change-password \"${change_args[@]}\"\n echo '...password sync done.'\n else\n echo \"Admin account '${GITEA_ADMIN_USERNAME}' already exist, but update mode is set to '${GITEA_ADMIN_PASSWORD_MODE}'. Skipping.\"\n fi\n fi\n}\n\nconfigure_admin_user\n\nfunction configure_ldap() {\n echo 'no ldap configuration... skipping.'\n}\n\nconfigure_ldap\n\nfunction configure_oauth() {\n local OAUTH_NAME='Authentik'\n local full_auth_list=$(gitea admin auth list --vertical-bars)\n local actual_auth_table=''\n\n # We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line\n local regex=\"(.*)(ID\\s+\\|Name\\s+\\|Type\\s+\\|Enabled.*)\"\n if [[ \"${full_auth_list}\" =~ $regex ]]; then\n actual_auth_table=$(echo \"${BASH_REMATCH[2]}\" | tail -n+2) # tail'ing to drop the table headline\n else\n # This code block should never be reached, as long as the output table header remains the same.\n # If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script.\n\n echo \"ERROR: 'configure_oauth' was not able to determine the current list of authentication sources.\"\n echo \" Please review the output of 'gitea admin auth list --vertical-bars' shown below.\"\n echo \" If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-gitea/issues.\"\n echo \"DEBUG: Output of 'gitea admin auth list --vertical-bars'\"\n echo \"--\"\n echo \"${full_auth_list}\"\n echo \"--\"\n exit 1\n fi\n\n local AUTH_ID=$(echo \"${actual_auth_table}\" | grep -E \"\\|${OAUTH_NAME}\\s+\\|\" | grep -iE '\\|OAuth2\\s+\\|' | awk -F \" \" \"{print \\$1}\")\n\n if [[ -z \"${AUTH_ID}\" ]]; then\n echo \"No oauth configuration found with name '${OAUTH_NAME}'. Installing it now...\"\n gitea admin auth add-oauth --auto-discover-url \"https://auth.alexlebens.dev/application/o/gitea/.well-known/openid-configuration\" --icon-url \"https://goauthentik.io/img/icon.png\" --key \"${GITEA_OAUTH_KEY_0}\" --name \"Authentik\" --provider \"openidConnect\" --scopes \"email profile\" --secret \"${GITEA_OAUTH_SECRET_0}\" \n echo '...installed.'\n else\n echo \"Existing oauth configuration with name '${OAUTH_NAME}': '${AUTH_ID}'. Running update to sync settings...\"\n gitea admin auth update-oauth --id \"${AUTH_ID}\" --auto-discover-url \"https://auth.alexlebens.dev/application/o/gitea/.well-known/openid-configuration\" --icon-url \"https://goauthentik.io/img/icon.png\" --key \"${GITEA_OAUTH_KEY_0}\" --name \"Authentik\" --provider \"openidConnect\" --scopes \"email profile\" --secret \"${GITEA_OAUTH_SECRET_0}\" \n echo '...sync settings done.'\n fi\n}\n\nconfigure_oauth\n\necho '==== END GITEA CONFIGURATION ===='"
diff --git a/clusters/cl01tl/manifests/gitea/Secret-gitea-inline-config.yaml b/clusters/cl01tl/manifests/gitea/Secret-gitea-inline-config.yaml
new file mode 100644
index 000000000..043ae8a60
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/Secret-gitea-inline-config.yaml
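Review bot: `init_directory_structure.sh` fetches `releases/latest/download/catppuccin-gitea.tar.gz` with wget and untars it straight into `/data/gitea/public/assets/css` with no version pin and no integrity check, so whatever the newest upstream release contains at pod start-up lands in the assets Gitea serves to every browser; it also makes every restart depend on GitHub being reachable, and because the script runs under `set -euo pipefail` a failed download stops Gitea from starting. Pin the release and verify it before extracting, e.g. `wget -O catppuccin-gitea.tar.gz https://github.com/catppuccin/gitea/releases/download/<PINNED_TAG>/catppuccin-gitea.tar.gz` followed by `echo "<EXPECTED_SHA256>  catppuccin-gitea.tar.gz" | sha256sum -c -` (both placeholders to be filled from the chosen release), or pre-populate a theme volume so the init step needs no network at all. The `initPreScript` comment markers show this is injected through chart values, so the pin belongs there rather than in the rendered manifest.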
@@ -0,0 +1,62 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: gitea-inline-config
+ namespace: gitea
+ labels:
+ helm.sh/chart: gitea-12.6.0
+ app: gitea
+ app.kubernetes.io/name: gitea
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "1.26.1"
+ version: "1.26.1"
+ app.kubernetes.io/managed-by: Helm
+type: Opaque
+stringData:
+ _generals_: APP_NAME=Gitea
+ actions: ENABLED=true
+ cache: |-
+ ADAPTER=redis
+ ENABLED=true
+ HOST=redis://gitea-valkey.gitea:6379
+ database: |-
+ DB_TYPE=postgres
+ SCHEMA=public
+ explore: REQUIRE_SIGNIN_VIEW=true
+ indexer: |-
+ ISSUE_INDEXER_ENABLED=true
+ ISSUE_INDEXER_TYPE=meilisearch
+ REPO_INDEXER_ENABLED=false
+ metrics: ENABLED=true
+ mirror: DEFAULT_INTERVAL=10m
+ oauth2_client: ENABLE_AUTO_REGISTRATION=true
+ queue: |-
+ CONN_STR=redis://gitea-valkey.gitea:6379
+ TYPE=redis
+ repo-archive: ENABLED=false
+ repository: ROOT=/data/git/gitea-repositories
+ security: INSTALL_LOCK=true
+ server: |-
+ APP_DATA_PATH=/data
+ DOMAIN=gitea.alexlebens.dev
+ ENABLE_PPROF=true
+ HTTP_PORT=3000
+ LANDING_PAGE=explore
+ LOCAL_ROOT_URL=http://gitea-http.gitea.svc.cluster.local:3000
+ PROTOCOL=http
+ ROOT_URL=https://gitea.alexlebens.dev
+ SSH_DOMAIN=gitea.alexlebens.net
+ SSH_LISTEN_PORT=22
+ SSH_PORT=22
+ START_SSH_SERVER=true
+ service: |-
+ ALLOW_ONLY_EXTERNAL_REGISTRATION=true
+ REGISTER_MANUAL_CONFIRM=true
+ SHOW_REGISTRATION_BUTTON=false
+ session: |-
+ PROVIDER=redis
+ PROVIDER_CONFIG=redis://gitea-valkey.gitea:6379
+ ui: |-
+ DEFAULT_THEME=gitea-auto
+ THEMES=gitea-light,gitea-dark,gitea-auto,catppuccin-rosewater-auto,catppuccin-flamingo-auto,catppuccin-pink-auto,catppuccin-mauve-auto,catppuccin-red-auto,catppuccin-maroon-auto,catppuccin-peach-auto,catppuccin-yellow-auto,catppuccin-green-auto,catppuccin-teal-auto,catppuccin-sky-auto,catppuccin-sapphire-auto,catppuccin-blue-auto,catppuccin-lavender-auto,catppuccin-latte-rosewater,catppuccin-latte-flamingo,catppuccin-latte-pink,catppuccin-latte-mauve,catppuccin-latte-red,catppuccin-latte-maroon,catppuccin-latte-peach,catppuccin-latte-yellow,catppuccin-latte-green,catppuccin-latte-teal,catppuccin-latte-sky,catppuccin-latte-sapphire,catppuccin-latte-blue,catppuccin-latte-lavender,catppuccin-frappe-rosewater,catppuccin-frappe-flamingo,catppuccin-frappe-pink,catppuccin-frappe-mauve,catppuccin-frappe-red,catppuccin-frappe-maroon,catppuccin-frappe-peach,catppuccin-frappe-yellow,catppuccin-frappe-green,catppuccin-frappe-teal,catppuccin-frappe-sky,catppuccin-frappe-sapphire,catppuccin-frappe-blue,catppuccin-frappe-lavender,catppuccin-macchiato-rosewater,catppuccin-macchiato-flamingo,catppuccin-macchiato-pink,catppuccin-macchiato-mauve,catppuccin-macchiato-red,catppuccin-macchiato-maroon,catppuccin-macchiato-peach,catppuccin-macchiato-yellow,catppuccin-macchiato-green,catppuccin-macchiato-teal,catppuccin-macchiato-sky,catppuccin-macchiato-sapphire,catppuccin-macchiato-blue,catppuccin-macchiato-lavender,catppuccin-mocha-rosewater,catppuccin-mocha-flamingo,catppuccin-mocha-pink,catppuccin-mocha-mauve,catppuccin-mocha-red,catppuccin-mocha-maroon,catppuccin-mocha-peach,catppuccin-mocha-yellow,catppuccin-mocha-green,catppuccin-mocha-teal,catppuccin-mocha-sky,catppuccin-mocha-sapphire,catppuccin-mocha-blue,catppuccin-mocha-lavender
+ webhook: ALLOWED_HOST_LIST=private
diff --git a/clusters/cl01tl/manifests/gitea/Secret-gitea.yaml b/clusters/cl01tl/manifests/gitea/Secret-gitea.yaml
new file mode 100644
index 000000000..431620b39
--- /dev/null
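Review bot: `cache`, `queue` and `session` all point at `redis://gitea-valkey.gitea:6379` with no credential and no TLS, so session state, which carries the logged-in identity, crosses the pod network in clear text to a store that accepts any client able to reach the service; nothing in this hunk limits who that is. If the Valkey chart supports a password, set one and reference it as `PROVIDER_CONFIG=redis://:<PASSWORD>@gitea-valkey.gitea:6379` (and likewise for `HOST` and `CONN_STR`) from a secret, and independently add a NetworkPolicy that admits only the Gitea pods to the Valkey pods. `ENABLE_PPROF=true` under `server` also turns on the profiling listener in a production pod; it binds to localhost by default (worth confirming for 1.26), but a comment recording why it is on, or removing it, keeps that surface deliberate.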
+++ b/clusters/cl01tl/manifests/gitea/Secret-gitea.yaml 
@@ -0,0 +1,170 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: gitea
+ namespace: gitea
+ labels:
+ helm.sh/chart: gitea-12.6.0
+ app: gitea
+ app.kubernetes.io/name: gitea
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "1.26.1"
+ version: "1.26.1"
+ app.kubernetes.io/managed-by: Helm
+type: Opaque
+stringData:
+ config_environment.sh: |
+ #!/usr/bin/env bash
+ set -euo pipefail
+
+ function env2ini::log() {
+ printf "${1}\n"
+ }
+
+ function env2ini::read_config_to_env() {
+ local section="${1}"
+ local line="${2}"
+
+ if [[ -z "${line}" ]]; then
+ # skip empty line
+ return
+ fi
+
+ # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
+ local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
+
+ if [[ -z "${setting}" ]]; then
+ env2ini::log ' ! invalid setting'
+ exit 1
+ fi
+
+ local value=''
+ local regex="^${setting}(\s*)=(\s*)(.*)"
+ if [[ $line =~ $regex ]]; then
+ value="${BASH_REMATCH[3]}"
+ else
+ env2ini::log ' ! invalid setting'
+ exit 1
+ fi
+
+ env2ini::log " + '${setting}'"
+
+ if [[ -z "${section}" ]]; then
+ export "GITEA____${setting^^}=${value}" # '^^' makes the variable content uppercase
+ return
+ fi
+
+ local masked_section="${section//./_0X2E_}" # '//' instructs to replace all matches
+ masked_section="${masked_section//-/_0X2D_}"
+
+ export "GITEA__${masked_section^^}__${setting^^}=${value}" # '^^' makes the variable content uppercase
+ }
+
+ function env2ini::reload_preset_envs() {
+ env2ini::log "Reloading preset envs..."
+
+ while read -r line; do
+ if [[ -z "${line}" ]]; then
+ # skip empty line
+ return
+ fi
+
+ # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
+ local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
+
+ if [[ -z "${setting}" ]]; then
+ env2ini::log ' ! invalid setting'
+ exit 1
+ fi
+
+ local value=''
+ local regex="^${setting}(\s*)=(\s*)(.*)"
+ if [[ $line =~ $regex ]]; then
+ value="${BASH_REMATCH[3]}"
+ else
+ env2ini::log ' ! invalid setting'
+ exit 1
+ fi
+
+ env2ini::log " + '${setting}'"
+
+ export "${setting^^}=${value}" # '^^' makes the variable content uppercase
+ done < "$TMP_EXISTING_ENVS_FILE"
+
+ rm $TMP_EXISTING_ENVS_FILE
+ }
+
+ function env2ini::process_config_file() {
+ local config_file="${1}"
+ local section="$(basename "${config_file}")"
+
+ if [[ $section == '_generals_' ]]; then
+ env2ini::log " [ini root]"
+ section=''
+ else
+ env2ini::log " ${section}"
+ fi
+
+ while read -r line; do
+ env2ini::read_config_to_env "${section}" "${line}"
+ done < <(awk 1 "${config_file}") # Helm .toYaml trims the trailing new line which breaks line processing; awk 1 ... adds it back while reading
+ }
+
+ function env2ini::load_config_sources() {
+ local path="${1}"
+
+ if [[ -d "${path}" ]]; then
+ env2ini::log "Processing $(basename "${path}")..."
+
+ while read -d '' configFile; do
+ env2ini::process_config_file "${configFile}"
+ done < <(find "${path}" -type l -not -name '..data' -print0)
+
+ env2ini::log "\n"
+ fi
+ }
+
+ function env2ini::generate_initial_secrets() {
+ # These environment variables will either be
+ # - overwritten with user defined values,
+ # - initially used to set up Gitea
+ # Anyway, they won't harm existing app.ini files
+
+ export GITEA__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
+ export GITEA__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
+ export GITEA__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
+ export GITEA__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
+
+ env2ini::log "...Initial secrets generated\n"
+ }
+
+ # save existing envs prior to script execution. Necessary to keep order of preexisting and custom envs
+ env | (grep -e '^GITEA__' || [[ $? == 1 ]]) > $TMP_EXISTING_ENVS_FILE
+
+ # MUST BE CALLED BEFORE OTHER CONFIGURATION
+ env2ini::generate_initial_secrets
+
+ env2ini::load_config_sources "$ENV_TO_INI_MOUNT_POINT/inlines/"
+ env2ini::load_config_sources "$ENV_TO_INI_MOUNT_POINT/additionals/"
+
+ # load existing envs to override auto generated envs
+ env2ini::reload_preset_envs
+
+ env2ini::log "=== All configuration sources loaded ===\n"
+
+ # safety to prevent rewrite of secret keys if an app.ini already exists
+ if [ -f ${GITEA_APP_INI} ]; then
+ env2ini::log 'An app.ini file already exists. To prevent overwriting secret keys, these settings are dropped and remain unchanged:'
+ env2ini::log ' - security.INTERNAL_TOKEN'
+ env2ini::log ' - security.SECRET_KEY'
+ env2ini::log ' - oauth2.JWT_SECRET'
+ env2ini::log ' - server.LFS_JWT_SECRET'
+
+ unset GITEA__SECURITY__INTERNAL_TOKEN
+ unset GITEA__SECURITY__SECRET_KEY
+ unset GITEA__OAUTH2__JWT_SECRET
+ unset GITEA__SERVER__LFS_JWT_SECRET
+ fi
+
+ gitea config edit-ini --apply-env --config "$GITEA_APP_INI" --out "$GITEA_APP_INI"
+ assertions: ""
diff --git a/clusters/cl01tl/manifests/gitea/Service-gitea-cloudflared.yaml b/clusters/cl01tl/manifests/gitea/Service-gitea-cloudflared.yaml
new file mode 100644
index 000000000..a699da0a8
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/Service-gitea-cloudflared.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: gitea-cloudflared
+ labels:
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: cloudflared
+ app.kubernetes.io/service: gitea-cloudflared
+ app.kubernetes.io/version: 2026.5.0
+ helm.sh/chart: cloudflared-3.3.1
+ namespace: gitea
+spec:
+ type: ClusterIP
+ ports:
+ - port: 20241
+ targetPort: 20241
+ protocol: TCP
+ name: metrics
+ selector:
+ app.kubernetes.io/controller: main
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/name: cloudflared
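Review bot: in `env2ini::reload_preset_envs` the empty-line branch uses `return`, which leaves the function instead of skipping the line, so any preset `GITEA__*` variables after a blank line are never re-exported and `rm $TMP_EXISTING_ENVS_FILE` never runs; `return` is correct in the per-line `read_config_to_env`, but inside this `while read` loop it should be `continue`. In practice `env | grep` emits no blank lines, so this is latent rather than live. `rm $TMP_EXISTING_ENVS_FILE` and `[ -f ${GITEA_APP_INI} ]` should quote their expansions, and `printf "${1}\n"` uses the message as the format string — `printf '%s\n' "${1}"` is the robust form since setting names from mounted config pass through it. This script is rendered from the upstream helm-gitea chart, so the fix belongs upstream rather than in the generated manifest.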
diff --git a/clusters/cl01tl/manifests/gitea/Service-gitea-http.yaml b/clusters/cl01tl/manifests/gitea/Service-gitea-http.yaml
new file mode 100644
index 000000000..492f4b92b
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/Service-gitea-http.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: gitea-http
+ namespace: gitea
+ labels:
+ helm.sh/chart: gitea-12.6.0
+ app: gitea
+ app.kubernetes.io/name: gitea
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "1.26.1"
+ version: "1.26.1"
+ app.kubernetes.io/managed-by: Helm
+ annotations: {}
+spec:
+ type: ClusterIP
+ clusterIP: 10.103.160.139
+ ports:
+ - name: http
+ port: 3000
+ targetPort: 3000
+ selector:
+ app.kubernetes.io/name: gitea
+ app.kubernetes.io/instance: gitea
diff --git a/clusters/cl01tl/manifests/gitea/Service-gitea-meilisearch.yaml b/clusters/cl01tl/manifests/gitea/Service-gitea-meilisearch.yaml
new file mode 100644
index 000000000..f9f1f280a
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/Service-gitea-meilisearch.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: gitea-meilisearch
+ labels:
+ helm.sh/chart: meilisearch-0.32.0
+ app.kubernetes.io/name: meilisearch
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "v1.42.1"
+ app.kubernetes.io/component: search-engine
+ app.kubernetes.io/part-of: meilisearch
+ app.kubernetes.io/managed-by: Helm
+spec:
+ type: ClusterIP
+ ports:
+ - port: 7700
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app.kubernetes.io/name: meilisearch
+ app.kubernetes.io/instance: gitea
diff --git a/clusters/cl01tl/manifests/gitea/Service-gitea-ssh.yaml b/clusters/cl01tl/manifests/gitea/Service-gitea-ssh.yaml
new file mode 100644
index 000000000..6aaa0ad2a
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/Service-gitea-ssh.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: gitea-ssh
+ namespace: gitea
+ labels:
+ helm.sh/chart: gitea-12.6.0
+ app: gitea
+ app.kubernetes.io/name: gitea
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "1.26.1"
+ version: "1.26.1"
+ app.kubernetes.io/managed-by: Helm
+ annotations: {}
+spec:
+ type: ClusterIP
+ clusterIP: 10.103.160.140
+ ports:
+ - name: ssh
+ port: 22
+ targetPort: 22
+ protocol: TCP
+ selector:
+ app.kubernetes.io/name: gitea
+ app.kubernetes.io/instance: gitea
diff --git a/clusters/cl01tl/manifests/gitea/Service-gitea-valkey-headless.yaml b/clusters/cl01tl/manifests/gitea/Service-gitea-valkey-headless.yaml
new file mode 100644
index 000000000..edff414d4
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/Service-gitea-valkey-headless.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: gitea-valkey-headless
+ labels:
+ helm.sh/chart: valkey-0.9.4
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "9.0.4"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: headless
+spec:
+ type: ClusterIP
+ clusterIP: None
+ publishNotReadyAddresses: true
+ ports:
+ - name: tcp
+ port: 6379
+ targetPort: tcp
+ protocol: TCP
+ selector:
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: gitea
diff --git a/clusters/cl01tl/manifests/gitea/Service-gitea-valkey-metrics.yaml b/clusters/cl01tl/manifests/gitea/Service-gitea-valkey-metrics.yaml
new file mode 100644
index 000000000..01eb6d5ca
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/Service-gitea-valkey-metrics.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: gitea-valkey-metrics
+ labels:
+ helm.sh/chart: valkey-0.9.4
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "9.0.4"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: metrics
+ app.kubernetes.io/part-of: valkey
+ annotations:
+spec:
+ type: ClusterIP
+ ports:
+ - name: metrics
+ port: 9121
+ protocol: TCP
+ targetPort: metrics
+ selector:
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: gitea
diff --git a/clusters/cl01tl/manifests/gitea/Service-gitea-valkey-read.yaml b/clusters/cl01tl/manifests/gitea/Service-gitea-valkey-read.yaml
new file mode 100644
index 000000000..a02032906
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/Service-gitea-valkey-read.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: gitea-valkey-read
+ labels:
+ helm.sh/chart: valkey-0.9.4
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "9.0.4"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: read
+spec:
+ type: ClusterIP
+ ports:
+ - name: tcp
+ port: 6379
+ targetPort: tcp
+ protocol: TCP
+ selector:
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: gitea
diff --git a/clusters/cl01tl/manifests/gitea/Service-gitea-valkey-renovate-metrics.yaml b/clusters/cl01tl/manifests/gitea/Service-gitea-valkey-renovate-metrics.yaml
new file mode 100644
index 000000000..53d94936a
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/Service-gitea-valkey-renovate-metrics.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: gitea-valkey-renovate-metrics
+ labels:
+ helm.sh/chart: valkey-0.9.4
+ app.kubernetes.io/name: valkey-renovate
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "9.0.4"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: metrics
+ app.kubernetes.io/part-of: valkey
+ annotations:
+spec:
+ type: ClusterIP
+ ports:
+ - name: metrics
+ port: 9121
+ protocol: TCP
+ targetPort: metrics
+ selector:
+ app.kubernetes.io/name: valkey-renovate
+ app.kubernetes.io/instance: gitea
diff --git a/clusters/cl01tl/manifests/gitea/Service-gitea-valkey-renovate.yaml b/clusters/cl01tl/manifests/gitea/Service-gitea-valkey-renovate.yaml
new file mode 100644
index 000000000..d35356e13
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/Service-gitea-valkey-renovate.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: gitea-valkey-renovate
+ labels:
+ helm.sh/chart: valkey-0.9.4
+ app.kubernetes.io/name: valkey-renovate
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "9.0.4"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: primary
+spec:
+ type: ClusterIP
+ ports:
+ - port: 6379
+ targetPort: tcp
+ protocol: TCP
+ name: tcp
+ selector:
+ app.kubernetes.io/name: valkey-renovate
+ app.kubernetes.io/instance: gitea
diff --git a/clusters/cl01tl/manifests/gitea/Service-gitea-valkey.yaml b/clusters/cl01tl/manifests/gitea/Service-gitea-valkey.yaml
new file mode 100644
index 000000000..3018dcc26
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/Service-gitea-valkey.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: gitea-valkey
+ labels:
+ helm.sh/chart: valkey-0.9.4
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "9.0.4"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: primary
+spec:
+ type: ClusterIP
+ ports:
+ - port: 6379
+ targetPort: tcp
+ protocol: TCP
+ name: tcp
+ selector:
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: gitea
+ statefulset.kubernetes.io/pod-name: gitea-valkey-0
diff --git a/clusters/cl01tl/manifests/gitea/ServiceAccount-gitea-cloudflared.yaml b/clusters/cl01tl/manifests/gitea/ServiceAccount-gitea-cloudflared.yaml
new file mode 100644
index 000000000..8a8db068e
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/ServiceAccount-gitea-cloudflared.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: gitea-cloudflared
+ labels:
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: cloudflared
+ app.kubernetes.io/version: 2026.5.0
+ helm.sh/chart: cloudflared-3.3.1
+ namespace: gitea
diff --git a/clusters/cl01tl/manifests/gitea/ServiceAccount-gitea-meilisearch.yaml b/clusters/cl01tl/manifests/gitea/ServiceAccount-gitea-meilisearch.yaml
new file mode 100644
index 000000000..e3564f1ad
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/ServiceAccount-gitea-meilisearch.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: gitea-meilisearch
+ labels:
+ helm.sh/chart: meilisearch-0.32.0
+ app.kubernetes.io/name: meilisearch
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "v1.42.1"
+ app.kubernetes.io/component: search-engine
+ app.kubernetes.io/part-of: meilisearch
+ app.kubernetes.io/managed-by: Helm
+automountServiceAccountToken: false
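Review bot: `ServiceAccount gitea-cloudflared` omits `automountServiceAccountToken: false`, while the meilisearch, valkey and valkey-renovate service accounts in this commit all set it; the tunnel pod is Internet-facing by design and presumably makes no Kubernetes API calls (confirm with the cloudflared chart), so it would be carrying an API token it never uses. Adding the same `automountServiceAccountToken: false` line keeps the least-privilege posture consistent across the namespace; if the chart does not expose the setting, `automountServiceAccountToken: false` on the Deployment's pod spec has the same effect.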
diff --git a/clusters/cl01tl/manifests/gitea/ServiceAccount-gitea-valkey-renovate.yaml b/clusters/cl01tl/manifests/gitea/ServiceAccount-gitea-valkey-renovate.yaml
new file mode 100644
index 000000000..389901694
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/ServiceAccount-gitea-valkey-renovate.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: gitea-valkey-renovate
+ labels:
+ helm.sh/chart: valkey-0.9.4
+ app.kubernetes.io/name: valkey-renovate
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "9.0.4"
+ app.kubernetes.io/managed-by: Helm
+automountServiceAccountToken: false
diff --git a/clusters/cl01tl/manifests/gitea/ServiceAccount-gitea-valkey.yaml b/clusters/cl01tl/manifests/gitea/ServiceAccount-gitea-valkey.yaml
new file mode 100644
index 000000000..bf11b8103
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/ServiceAccount-gitea-valkey.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: gitea-valkey
+ labels:
+ helm.sh/chart: valkey-0.9.4
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "9.0.4"
+ app.kubernetes.io/managed-by: Helm
+automountServiceAccountToken: false
diff --git a/clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea-cloudflared.yaml b/clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea-cloudflared.yaml
new file mode 100644
index 000000000..be049e0ae
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea-cloudflared.yaml
@@ -0,0 +1,25 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: gitea-cloudflared
+ labels:
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: cloudflared
+ app.kubernetes.io/version: 2026.5.0
+ helm.sh/chart: cloudflared-3.3.1
+ namespace: gitea
+spec:
+ jobLabel: app.kubernetes.io/name
+ namespaceSelector:
+ matchNames:
+ - gitea
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/name: cloudflared
+ endpoints:
+ - interval: 30s
+ path: /metrics
+ port: metrics
+ scrapeTimeout: 10s
diff --git a/clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea-meilisearch.yaml b/clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea-meilisearch.yaml
new file mode 100644
index 000000000..9e220a45e
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea-meilisearch.yaml
@@ -0,0 +1,30 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: gitea-meilisearch
+ namespace: gitea
+ labels:
+ helm.sh/chart: meilisearch-0.32.0
+ app.kubernetes.io/name: meilisearch
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "v1.42.1"
+ app.kubernetes.io/component: search-engine
+ app.kubernetes.io/part-of: meilisearch
+ app.kubernetes.io/managed-by: Helm
+spec:
+ jobLabel: gitea
+ namespaceSelector:
+ matchNames:
+ - gitea
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: meilisearch
+ app.kubernetes.io/instance: gitea
+ endpoints:
+ - port: http
+ path: /metrics
+ interval: 1m
+ scrapeTimeout: 10s
+ bearerTokenSecret:
+ name: gitea-meilisearch-key
+ key: MEILI_MASTER_KEY
diff --git a/clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea-valkey-renovate.yaml b/clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea-valkey-renovate.yaml
new file mode 100644
index 000000000..20a4d48e8
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea-valkey-renovate.yaml
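Review bot: the meilisearch scrape authenticates with `MEILI_MASTER_KEY` via `bearerTokenSecret`, so Prometheus (and anything with read access to its configuration or the secret) holds the key that administers every Meilisearch index, while scraping only needs permission to read metrics. Mint a dedicated API key restricted to the metrics action (Meilisearch supports per-action keys; confirm the exact action name for v1.42.1), store it in its own secret, and point `bearerTokenSecret` at that, keeping the master key for Gitea's indexer alone. A comment on the endpoint recording why a token is required at all would also help the next reader, since none of the other ServiceMonitors in this commit carry one.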
@@ -0,0 +1,24 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: gitea-valkey-renovate
+ labels:
+ helm.sh/chart: valkey-0.9.4
+ app.kubernetes.io/name: valkey-renovate
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "9.0.4"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: valkey
+ app.kubernetes.io/component: service-monitor
+spec:
+ endpoints:
+ - port: metrics
+ interval: 30s
+ namespaceSelector:
+ matchNames:
+ - gitea
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: valkey-renovate
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/component: metrics
diff --git a/clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea-valkey.yaml b/clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea-valkey.yaml
new file mode 100644
index 000000000..1dc544c15
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea-valkey.yaml
@@ -0,0 +1,24 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: gitea-valkey
+ labels:
+ helm.sh/chart: valkey-0.9.4
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "9.0.4"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: valkey
+ app.kubernetes.io/component: service-monitor
+spec:
+ endpoints:
+ - port: metrics
+ interval: 30s
+ namespaceSelector:
+ matchNames:
+ - gitea
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/component: metrics
diff --git a/clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea.yaml b/clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea.yaml
new file mode 100644
index 000000000..040682426
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea.yaml
@@ -0,0 +1,16 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: gitea
+ namespace: gitea
+ labels:
+ app.kubernetes.io/name: gitea
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/part-of: gitea
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: gitea
+ app.kubernetes.io/instance: gitea
+ endpoints:
+ - port: http
diff --git a/clusters/cl01tl/manifests/gitea/StatefulSet-gitea-gitea-actions-act-runner.yaml b/clusters/cl01tl/manifests/gitea/StatefulSet-gitea-gitea-actions-act-runner.yaml
new file mode 100644
index 000000000..d52f68b6e
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/StatefulSet-gitea-gitea-actions-act-runner.yaml
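Review bot: The single endpoint in ServiceMonitor-gitea is `- port: http` with no `path`, `interval` or credential, so Prometheus scrapes the default `/metrics` on Gitea's main HTTP service without authentication. That only works if Gitea's `[metrics]` section has no `TOKEN` set, and in that case the same `/metrics` is served to anyone who can reach the service, including through the HTTPRoute and cloudflared tunnel this commit adds; whether a token is configured is not visible in this hunk. If one is, the endpoint needs `authorization.credentials` pointing at it; if not, consider setting one and referencing it here, or keeping `/metrics` off the external route. An explicit `interval` would also match the other ServiceMonitors in the commit.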
@@ -0,0 +1,154 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ labels:
+ helm.sh/chart: gitea-actions-0.1.0
+ app: gitea-actions-act-runner
+ app.kubernetes.io/name: gitea-actions-act-runner
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "0.261.3"
+ version: "0.261.3"
+ app.kubernetes.io/managed-by: Helm
+ annotations:
+ name: gitea-gitea-actions-act-runner
+ namespace: gitea
+spec:
+ replicas: 6
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: gitea-actions-act-runner
+ app.kubernetes.io/instance: gitea
+ template:
+ metadata:
+ annotations:
+ checksum/config: 6a9d82ad20f62c2e827a0639a2122bcb195c331a21688599f9fa9bbfd96be37a
+ labels:
+ helm.sh/chart: gitea-actions-0.1.0
+ app: gitea-actions-act-runner
+ app.kubernetes.io/name: gitea-actions-act-runner
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "0.261.3"
+ version: "0.261.3"
+ app.kubernetes.io/managed-by: Helm
+ spec:
+ restartPolicy: Always
+ initContainers:
+ - name: init-gitea
+ image: "docker.io/busybox:1.37.0@sha256:1487d0af5f52b4ba31c7e465126ee2123fe3f2305d638e7827681e7cf6c83d5e"
+ command:
+ - sh
+ - -c
+ - |
+ echo 'Trying to reach Gitea on http://gitea-http.gitea:3000'
+ until timeout 10 wget --no-check-certificate --spider http://gitea-http.gitea:3000; do
+ sleep 3
+ echo "Trying again in 3 seconds..."
+ done
+ echo "Gitea has been reached!"
+ - name: dind
+ image: "docker.io/docker:29.5.0-dind@sha256:8e3fae900cbfbdc14e8abca89a9e44363065cb535f34a09283c59cc0dde2de20"
+ restartPolicy: Always
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ privileged: true
+ startupProbe:
+ exec:
+ command:
+ - /usr/bin/test
+ - -S
+ - /var/run/docker.sock
+ livenessProbe:
+ exec:
+ command:
+ - /usr/bin/test
+ - -S
+ - /var/run/docker.sock
+ resources:
+ limits:
+ ephemeral-storage: 15Gi
+ requests:
+ ephemeral-storage: 2Gi
+ volumeMounts:
+ - mountPath: /var/run/
+ name: docker-socket
+ - mountPath: /var/lib/docker
+ name: docker-vol
+ containers:
+ - name: act-runner
+ image: "docker.io/gitea/act_runner:0.6.1@sha256:b5c35d6bdbb9bb25e531230bfc7cc663cb751406cbec90a2a891b85fea54de86"
+ imagePullPolicy: IfNotPresent
+ workingDir: /data
+ env:
+ - name: GITEA_RUNNER_REGISTRATION_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: "gitea-runner-secret"
+ key: "token"
+ - name: GITEA_INSTANCE_URL
+ value: http://gitea-http.gitea:3000
+ - name: CONFIG_FILE
+ value: /actrunner/config.yaml
+ - name: TZ
+ value: America/Chicago
+ resources:
+ limits:
+ ephemeral-storage: 15Gi
+ requests:
+ ephemeral-storage: 2Gi
+ volumeMounts:
+ - mountPath: /actrunner/config.yaml
+ name: act-runner-config
+ subPath: config.yaml
+ - mountPath: /var/run/docker.sock
+ name: docker-socket
+ subPath: docker.sock
+ - mountPath: /data
+ name: data-act-runner
+ - mountPath: /workspace
+ name: workspace-vol
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - gitea-actions-act-runner
+ topologyKey: kubernetes.io/hostname
+ weight: 100
+ volumes:
+ - name: act-runner-config
+ configMap:
+ name: gitea-gitea-actions-act-runner-config
+ - name: docker-socket
+ emptyDir: {}
+ - ephemeral:
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 20Gi
+ storageClassName: ceph-block
+ name: workspace-vol
+ - ephemeral:
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 50Gi
+ storageClassName: ceph-block
+ name: docker-vol
+ volumeClaimTemplates:
+ - metadata:
+ name: data-act-runner
+ spec:
+ accessModes: ["ReadWriteOnce"]
+ resources:
+ requests:
+ storage: 10Gi
diff --git a/clusters/cl01tl/manifests/gitea/StatefulSet-gitea-meilisearch.yaml b/clusters/cl01tl/manifests/gitea/StatefulSet-gitea-meilisearch.yaml
new file mode 100644
index 000000000..2be9d3cfc
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/StatefulSet-gitea-meilisearch.yaml
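Review bot: The `act-runner` container in StatefulSet-gitea-gitea-actions-act-runner has no `securityContext` at all, while the `dind` sidecar runs with `privileged: true` and hands its socket to the runner through the shared `docker-socket` volume; every job routed to these six replicas therefore executes with control of a privileged Docker daemon, which is node-root-equivalent, and the runner process itself is not constrained by `allowPrivilegeEscalation: false`, a capability drop or a non-root UID. The privileged daemon is inherent to the DinD layout this chart uses, so the mitigations sit around it: schedule these pods onto a dedicated node pool (`nodeSelector` plus taints/tolerations) away from the Gitea, PostgreSQL and Valkey workloads, add a NetworkPolicy so runner pods reach only `gitea-http.gitea:3000` and required egress, and evaluate the `docker:dind-rootless` variant if the workflows tolerate it. Minor: `wget --no-check-certificate` in the init container is a no-op against the plain-http URL and can be dropped, and the empty `annotations:` key under `metadata` is a rendering artifact worth fixing in the chart.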
@@ -0,0 +1,95 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: gitea-meilisearch
+ labels:
+ helm.sh/chart: meilisearch-0.32.0
+ app.kubernetes.io/name: meilisearch
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "v1.42.1"
+ app.kubernetes.io/component: search-engine
+ app.kubernetes.io/part-of: meilisearch
+ app.kubernetes.io/managed-by: Helm
+spec:
+ replicas: 1
+ serviceName: gitea-meilisearch
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: meilisearch
+ app.kubernetes.io/instance: gitea
+ template:
+ metadata:
+ labels:
+ helm.sh/chart: meilisearch-0.32.0
+ app.kubernetes.io/name: meilisearch
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "v1.42.1"
+ app.kubernetes.io/component: search-engine
+ app.kubernetes.io/part-of: meilisearch
+ app.kubernetes.io/managed-by: Helm
+ annotations:
+ checksum/config: d3bf0c4ecf25fba4c09c449d0ab9d3009cf932f951f23092f6db1b039dbc9778
+ spec:
+ serviceAccountName: gitea-meilisearch
+ securityContext:
+ fsGroup: 1000
+ fsGroupChangePolicy: OnRootMismatch
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
+ volumes:
+ - name: tmp
+ emptyDir: {}
+ - name: data
+ persistentVolumeClaim:
+ claimName: gitea-meilisearch
+ containers:
+ - name: meilisearch
+ image: "getmeili/meilisearch:v1.42.1"
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ - name: data
+ mountPath: /meili_data
+ envFrom:
+ - configMapRef:
+ name: gitea-meilisearch-environment
+ - secretRef:
+ name: gitea-meilisearch-key
+ ports:
+ - name: http
+ containerPort: 7700
+ protocol: TCP
+ startupProbe:
+ httpGet:
+ path: /health
+ port: http
+ periodSeconds: 1
+ initialDelaySeconds: 1
+ failureThreshold: 60
+ timeoutSeconds: 1
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: http
+ periodSeconds: 10
+ initialDelaySeconds: 0
+ timeoutSeconds: 10
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: http
+ periodSeconds: 10
+ initialDelaySeconds: 0
+ timeoutSeconds: 10
+ resources:
+ requests:
+ cpu: 10m
+ memory: 150Mi
diff --git a/clusters/cl01tl/manifests/gitea/StatefulSet-gitea-valkey.yaml b/clusters/cl01tl/manifests/gitea/StatefulSet-gitea-valkey.yaml
new file mode 100644
index 000000000..85e3566a6
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/StatefulSet-gitea-valkey.yaml
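Review bot: `image: "getmeili/meilisearch:v1.42.1"` in StatefulSet-gitea-meilisearch is the only container image in this commit without an `@sha256:` digest; the busybox, dind, act_runner, valkey and redis_exporter images are all digest-pinned. A mutable tag combined with `imagePullPolicy: IfNotPresent` means a re-pushed tag silently changes what fresh nodes run and removes the provenance check a digest gives, so pin it as `getmeili/meilisearch:v1.42.1@sha256:<digest-from-registry>` through the chart's image values. The container also declares only `resources.requests`; a `limits.memory` would keep a runaway index build from pressuring the node, since nothing else bounds the search engine's memory here.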
@@ -0,0 +1,133 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: gitea-valkey
+ labels:
+ helm.sh/chart: valkey-0.9.4
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "9.0.4"
+ app.kubernetes.io/managed-by: Helm
+spec:
+ serviceName: gitea-valkey-headless
+ replicas: 3
+ podManagementPolicy: OrderedReady
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: gitea
+ volumeClaimTemplates:
+ - metadata:
+ name: valkey-data
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: "ceph-block"
+ resources:
+ requests:
+ storage: "20Gi"
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: gitea
+ annotations:
+ checksum/initconfig: "88e964ad8690829ad09a86ad90173244"
+ spec:
+ automountServiceAccountToken: false
+ serviceAccountName: gitea-valkey
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ initContainers:
+ - name: gitea-valkey-init
+ image: docker.io/valkey/valkey:9.0.4@sha256:8436e10bc65c94886a91d4415b6a6dfa9cb5a306fb3b996e5bb67cd2b4854193
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ command: ["/scripts/init.sh"]
+ env:
+ - name: POD_INDEX
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.labels['apps.kubernetes.io/pod-index']
+ volumeMounts:
+ - name: valkey-data
+ mountPath: /data
+ - name: scripts
+ mountPath: /scripts
+ containers:
+ - name: gitea-valkey
+ image: docker.io/valkey/valkey:9.0.4@sha256:8436e10bc65c94886a91d4415b6a6dfa9cb5a306fb3b996e5bb67cd2b4854193
+ imagePullPolicy: IfNotPresent
+ command: ["valkey-server"]
+ args: ["/data/conf/valkey.conf"]
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ env:
+ - name: POD_INDEX
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.labels['apps.kubernetes.io/pod-index']
+ - name: VALKEY_LOGLEVEL
+ value: "notice"
+ ports:
+ - name: tcp
+ containerPort: 6379
+ protocol: TCP
+ startupProbe:
+ exec:
+ command: ["sh", "-c", "valkey-cli ping"]
+ livenessProbe:
+ exec:
+ command: ["sh", "-c", "valkey-cli ping"]
+ resources:
+ requests:
+ cpu: 20m
+ memory: 1Gi
+ volumeMounts:
+ - name: valkey-data
+ mountPath: /data
+ - name: metrics
+ image: ghcr.io/oliver006/redis_exporter:v1.83.0@sha256:e8c209894d4c0cc55b1259ddd47e0b769ad1ff864b356736ee885462a3b0e48c
+ imagePullPolicy: "IfNotPresent"
+ ports:
+ - name: metrics
+ containerPort: 9121
+ startupProbe:
+ tcpSocket:
+ port: metrics
+ livenessProbe:
+ tcpSocket:
+ port: metrics
+ readinessProbe:
+ httpGet:
+ path: /
+ port: metrics
+ resources:
+ requests:
+ cpu: 1m
+ memory: 10M
+ env:
+ - name: REDIS_ALIAS
+ value: gitea-valkey
+ volumes:
+ - name: scripts
+ configMap:
+ name: gitea-valkey-init-scripts
+ defaultMode: 0555
diff --git a/clusters/cl01tl/manifests/gitea/TCPRoute-gitea-ssh.yaml b/clusters/cl01tl/manifests/gitea/TCPRoute-gitea-ssh.yaml
new file mode 100644
index 000000000..375447900
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/TCPRoute-gitea-ssh.yaml
@@ -0,0 +1,21 @@
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: TCPRoute
+metadata:
+ name: gitea-ssh
+ namespace: gitea
+ labels:
+ app.kubernetes.io/name: gitea-ssh
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/part-of: gitea
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: traefik-gateway
+ namespace: traefik
+ sectionName: ssh
+ rules:
+ - backendRefs:
+ - kind: Service
+ name: gitea-ssh
+ port: 22
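Review bot: The `metrics` container (redis_exporter) in StatefulSet-gitea-valkey has no container-level `securityContext`, while `gitea-valkey-init` and `gitea-valkey` both set `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, `readOnlyRootFilesystem: true` and `runAsNonRoot: true`; only the pod-level `runAsUser: 1000` and `RuntimeDefault` seccomp profile reach it, and without `runAsNonRoot`/`allowPrivilegeEscalation` on that container the pod would likely be rejected under the restricted Pod Security Standard. Giving the exporter the same securityContext block keeps the pod uniformly hardened. Separately, the probes run `valkey-cli ping` and the exporter is configured with only `REDIS_ALIAS`; if `/data/conf/valkey.conf` (written by the init script, which is not in this hunk) enables `requirepass`, both the probes and the exporter would fail with NOAUTH until a password is supplied, so confirm the rendered config against this. `memory: 10M` on the exporter is a decimal unit where every other request in the file uses binary `Mi`/`Gi`; `10Mi` is the consistent spelling.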