alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests 6 Actions 1 Activity

stage for rebuilt

Browse Source
This commit is contained in:
Alex Lebens
2025-02-14 22:05:52 -06:00
parent 91c1b3931d
commit 8b4eee804f
329 changed files with 12 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
clusters/cl01tl/platform/gitea/Chart.yaml
View File

@@ -1,37 +0,0 @@
apiVersion: v2
name: gitea
version: 1.0.0
description: Gitea
keywords:
- gitea
- git
- code
home: https://wiki.alexlebens.dev/doc/gitea-OgqW6bQWrW
sources:
- https://github.com/go-gitea/gitea
- https://github.com/cloudflare/cloudflared
- https://github.com/cloudnative-pg/cloudnative-pg
- https://hub.docker.com/r/gitea/gitea
- https://gitea.com/gitea/helm-chart
- https://github.com/alexlebens/helm-charts/tree/main/charts/cloudflared
- https://github.com/alexlebens/helm-charts/tree/main/charts/postgres-cluster
maintainers:
- name: alexlebens
dependencies:
- name: gitea
version: 10.6.0
repository: https://dl.gitea.io/charts/
- name: cloudflared
alias: cloudflared
repository: http://alexlebens.github.io/helm-charts
version: 1.13.0
- name: app-template
alias: backup
repository: https://bjw-s.github.io/helm-charts/
version: 3.6.1
- name: postgres-cluster
alias: postgres-17-cluster
version: 4.1.4
repository: http://alexlebens.github.io/helm-charts
icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/gitea.png
appVersion: 1.22.4

165
clusters/cl01tl/platform/gitea/templates/external-secret.yaml
View File

@@ -1,165 +0,0 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: gitea-admin-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: gitea-admin-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: username
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/gitea/auth/admin
metadataPolicy: None
property: username
- secretKey: password
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/gitea/auth/admin
metadataPolicy: None
property: password
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: gitea-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: gitea-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/gitea
metadataPolicy: None
property: secret
- secretKey: key
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/gitea
metadataPolicy: None
property: client
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: gitea-cloudflared-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: gitea-cloudflared-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: cf-tunnel-token
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cloudflare/tunnels/gitea
metadataPolicy: None
property: token
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: gitea-backup-s3
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: gitea-backup-s3
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: backup
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/gitea-backup
metadataPolicy: None
property: AWS_ACCESS_KEY_ID
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/gitea-backup
metadataPolicy: None
property: AWS_DEFAULT_REGION
- secretKey: AWS_ENDPOINT_URL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/gitea-backup
metadataPolicy: None
property: AWS_ENDPOINT_URL
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/gitea-backup
metadataPolicy: None
property: AWS_SECRET_ACCESS_KEY
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: gitea-postgresql-17-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: gitea-postgresql-17-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/postgres-backups
metadataPolicy: None
property: access
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/postgres-backups
metadataPolicy: None
property: secret

64
clusters/cl01tl/platform/gitea/templates/ingress.yaml
View File

@@ -1,64 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: gitea-local
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: gitea-local
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
spec:
ingressClassName: traefik
tls:
- hosts:
- gitea.alexlebens.net
secretName: gitea-tls-secret
rules:
- host: gitea.alexlebens.net
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: gitea-http
port:
number: 3000
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: gitea-tailscale
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: gitea-tailscale
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
spec:
ingressClassName: tailscale
tls:
- hosts:
- gitea-cl01tl
secretName: gitea-cl01tl
rules:
- host: gitea-cl01tl
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: gitea-http
port:
name: http

19
clusters/cl01tl/platform/gitea/templates/persistent-volume-claim.yaml
View File

@@ -1,19 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gitea-nfs-storage-backup
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: gitea-nfs-storage-backup
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeMode: Filesystem
storageClassName: nfs-client
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi

19
clusters/cl01tl/platform/gitea/templates/role-binding.yaml
View File

@@ -1,19 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: gitea-backup
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: gitea-backup
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: backup
app.kubernetes.io/part-of: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: gitea-backup
subjects:
- kind: ServiceAccount
name: gitea-backup
namespace: {{ .Release.Namespace }}

27
clusters/cl01tl/platform/gitea/templates/role.yaml
View File

@@ -1,27 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: gitea-backup
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: gitea-backup
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: backup
app.kubernetes.io/part-of: {{ .Release.Name }}
rules:
- apiGroups:
- ""
resources:
- pods
- pods/exec
verbs:
- create
- list
- apiGroups:
- apps
resources:
- deployments
verbs:
- get
- list

182
clusters/cl01tl/platform/gitea/values.yaml
View File

@@ -1,182 +0,0 @@
gitea:
image:
repository: gitea/gitea
tag: 1.23.3
service:
http:
type: ClusterIP
port: 3000
clusterIP: 10.103.160.139
ssh:
type: ClusterIP
port: 2222
clusterIP: 10.103.160.140
ingress:
enabled: false
persistence:
storageClass: ceph-block
extraVolumes:
- name: gitea-nfs-storage-backup
persistentVolumeClaim:
claimName: gitea-nfs-storage-backup
extraVolumeMounts:
- mountPath: /opt/backup
name: gitea-nfs-storage-backup
readOnly: false
gitea:
admin:
existingSecret: gitea-admin-secret
metrics:
enabled: true
serviceMonitor:
enabled: true
oauth:
- name: Authentik
provider: openidConnect
existingSecret: gitea-oidc-secret
autoDiscoverUrl: https://auth.alexlebens.dev/application/o/gitea/.well-known/openid-configuration
iconUrl: https://goauthentik.io/img/icon.png
scopes: "email profile"
config:
APP_NAME: Gitea
server:
PROTOCOL: http
DOMAIN: gitea.alexlebens.dev
ROOT_URL: https://gitea.alexlebens.dev
LOCAL_ROOT_URL: http://gitea-http.gitea.svc.cluster.local:3000
START_SSH_SERVER: true
SSH_DOMAIN: gitea.alexlebens.dev
SSH_PORT: 2222
SSH_LISTEN_PORT: 2222
ENABLE_PPROF: true
LANDING_PAGE: explore
database:
DB_TYPE: postgres
SCHEMA: public
oauth2_client:
ENABLE_AUTO_REGISTRATION: true
service:
REGISTER_MANUAL_CONFIRM: true
SHOW_REGISTRATION_BUTTON: false
ALLOW_ONLY_EXTERNAL_REGISTRATION: true
explore:
REQUIRE_SIGNIN_VIEW: true
webhook:
ALLOWED_HOST_LIST: private
mirror:
DEFAULT_INTERVAL: 10m
additionalConfigFromEnvs:
- name: GITEA__DATABASE__HOST
valueFrom:
secretKeyRef:
name: gitea-postgresql-17-cluster-app
key: host
- name: GITEA__DATABASE__NAME
valueFrom:
secretKeyRef:
name: gitea-postgresql-17-cluster-app
key: dbname
- name: GITEA__DATABASE__USER
valueFrom:
secretKeyRef:
name: gitea-postgresql-17-cluster-app
key: user
- name: GITEA__DATABASE__PASSWD
valueFrom:
secretKeyRef:
name: gitea-postgresql-17-cluster-app
key: password
memcached:
enabled: true
redis:
enabled: false
redis-cluster:
enabled: false
postgresql:
enabled: false
postgresql-ha:
enabled: false
mysql:
enabled: false
mariadb:
enabled: false
cloudflared:
existingSecretName: gitea-cloudflared-secret
backup:
global:
fullnameOverride: gitea-backup
controllers:
backup:
type: cronjob
cronjob:
suspend: false
concurrencyPolicy: Forbid
timeZone: US/Central
schedule: 0 4 * * *
startingDeadlineSeconds: 90
successfulJobsHistory: 3
failedJobsHistory: 3
backoffLimit: 3
parallelism: 1
containers:
backup:
image:
repository: bitnami/kubectl
tag: 1.32.1
pullPolicy: IfNotPresent
command:
- sh
args:
- -ec
- |
kubectl exec -it deploy/gitea -n gitea -- rm -f /opt/backup/gitea-backup.zip;
kubectl exec -it deploy/gitea -n gitea -- /app/gitea/gitea dump -c /data/gitea/conf/app.ini --file /opt/backup/gitea-backup.zip;
resources:
requests:
cpu: 100m
memory: 128Mi
s3:
image:
repository: amazon/aws-cli
tag: 2.24.0
pullPolicy: IfNotPresent
command:
- /bin/sh
args:
- -ec
- |
until [ -f /opt/backup/gitea-backup.zip ]; do sleep 5; done;
aws s3 cp /opt/backup/gitea-backup.zip s3://cl01tl-gitea-backups/gitea-backup-$(date +"%Y%m%d-%H-%M").zip;
mv /opt/backup/gitea-backup.zip /opt/backup/gitea-backup-$(date +"%Y%m%d-%H-%M").zip;
envFrom:
- secretRef:
name: gitea-backup-s3
resources:
requests:
cpu: 100m
memory: 128Mi
serviceAccount:
create: true
persistence:
config:
existingClaim: gitea-nfs-storage-backup
advancedMounts:
backup:
s3:
- path: /opt/backup
readOnly: false
postgres-17-cluster:
mode: standalone
cluster:
walStorage:
storageClass: local-path
storage:
storageClass: local-path
monitoring:
enabled: true
backup:
enabled: true
endpointURL: https://nyc3.digitaloceanspaces.com
destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/gitea/gitea-postgresql-17-cluster
endpointCredentials: gitea-postgresql-17-cluster-backup-secret
backupIndex: 1