diff --git a/README.md b/README.md index 85d3374..b06fc11 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,7 @@ There is a [dedicated chatroom](https://matrix.to/#/#forgejo-ci:matrix.org). A m - Setting up a new [K8S/DRBD/NFS k8s node](k8s.md) - Setting up a new [LXC/DRBD Host](lxc.md) - Managing services with a [LXC/DRBD/nginx stack](drbd-nginx-lxc.md) +- Installing a [Forgejo instance in the K8S cluster](k8s-forgejo.md) - Installing a [Forgejo runner in an LXC container](runner-lxc.md) - Managing the [Octopuce host](octopuce.md) diff --git a/k8s-forgejo.md b/k8s-forgejo.md new file mode 100644 index 0000000..772e1f8 --- /dev/null +++ b/k8s-forgejo.md @@ -0,0 +1,48 @@ +## Forgejo + +[forgejo](https://code.forgejo.org/forgejo-helm/forgejo-helm) configuration in [ingress](https://code.forgejo.org/forgejo-helm/forgejo-helm#ingress) for the reverse proxy (`traefik`) to route the domain and for the ACME issuer (`cert-manager`) to obtain a certificate. And in [service](https://code.forgejo.org/forgejo-helm/forgejo-helm#service) for the `ssh` port to be bound to the desired IPs of the load balancer (`metallb`). + +``` +ingress: + enabled: true + annotations: + # https://cert-manager.io/docs/usage/ingress/#supported-annotations + # https://github.com/cert-manager/cert-manager/issues/2239 + cert-manager.io/cluster-issuer: letsencrypt-http + cert-manager.io/private-key-algorithm: ECDSA + cert-manager.io/private-key-size: 384 + kubernetes.io/ingress.class: traefik + traefik.ingress.kubernetes.io/router.entrypoints: websecure + tls: + - hosts: + - t1.forgejo.org + secretName: tls-forgejo-t1-ingress-http + hosts: + - host: t1.forgejo.org + paths: + - path: / + pathType: Prefix + +service: + http: + type: ClusterIP + ipFamilyPolicy: PreferDualStack + port: 3000 + ssh: + type: LoadBalancer + annotations: + metallb.universe.tf/loadBalancerIPs: 188.40.16.47,2a01:4f8:fff2:48::2 + metallb.universe.tf/allow-shared-ip: "key-to-share-failover" + ipFamilyPolicy: PreferDualStack + port: 2222 +``` + +[Instruct the forgejo pod](https://code.forgejo.org/forgejo-helm/forgejo-helm#persistence) to use the `forgejo-data` pvc. + +```yaml +persistence: + enabled: true + create: false + claimName: forgejo-data +``` + diff --git a/k8s.md b/k8s.md index 25caf17..bb4933e 100644 --- a/k8s.md +++ b/k8s.md @@ -98,46 +98,7 @@ For the first node `./setup.sh setup_k8s`. For nodes joining the cluster `./setu - NFS storage class `./setup.sh setup_k8s_nfs` -## Forgejo - -[forgejo](https://code.forgejo.org/forgejo-helm/forgejo-helm) configuration in [ingress](https://code.forgejo.org/forgejo-helm/forgejo-helm#ingress) for the reverse proxy (`traefik`) to route the domain and for the ACME issuer (`cert-manager`) to obtain a certificate. And in [service](https://code.forgejo.org/forgejo-helm/forgejo-helm#service) for the `ssh` port to be bound to the desired IPs of the load balancer (`metallb`). - -``` -ingress: - enabled: true - annotations: - # https://cert-manager.io/docs/usage/ingress/#supported-annotations - # https://github.com/cert-manager/cert-manager/issues/2239 - cert-manager.io/cluster-issuer: letsencrypt-http - cert-manager.io/private-key-algorithm: ECDSA - cert-manager.io/private-key-size: 384 - kubernetes.io/ingress.class: traefik - traefik.ingress.kubernetes.io/router.entrypoints: websecure - tls: - - hosts: - - t1.forgejo.org - secretName: tls-forgejo-t1-ingress-http - hosts: - - host: t1.forgejo.org - paths: - - path: / - pathType: Prefix - -service: - http: - type: ClusterIP - ipFamilyPolicy: PreferDualStack - port: 3000 - ssh: - type: LoadBalancer - annotations: - metallb.universe.tf/loadBalancerIPs: 188.40.16.47,2a01:4f8:fff2:48::2 - metallb.universe.tf/allow-shared-ip: "key-to-share-failover" - ipFamilyPolicy: PreferDualStack - port: 2222 -``` - -# K8S NFS storage creation +## K8S NFS storage creation Define the 20GB `forgejo-data` pvc owned by user id 1000. @@ -145,35 +106,26 @@ Define the 20GB `forgejo-data` pvc owned by user id 1000. ./setup.sh setup_k8s_pvc forgejo-data 20Gi 1000 ``` -[Instruct the forgejo pod](https://code.forgejo.org/forgejo-helm/forgejo-helm#persistence) to use the `forgejo-data` pvc. +# Disaster recovery and maintenance -```yaml -persistence: - enabled: true - create: false - claimName: forgejo-data -``` - - Disaster recovery and maintenance - -# When a machine or disk is scheduled for replacement. +## When a machine or disk is scheduled for replacement. * `kubectl drain hetzner05` # evacuate all the pods out of the node to be shutdown * `kubectl taint nodes hetzner05 key1=value1:NoSchedule` # prevent any pod from being created there (metallb speaker won't be drained, for instance) * `kubectl delete node hetzner05` # let the cluster know it no longer exists so a new one by the same name can replace it -# Routing the failover IP +## Routing the failover IP When the machine to which the failover IP (failover.forgejo.org) is routed is unavailable or to be shutdown, to the [Hetzner server panel](https://robot.hetzner.com/server), to the IPs tab and change the route of the failover IP to another node. All nodes are configured with the failover IP, there is nothing else to do. -# Manual boot operations +## Manual boot operations -## On the machine that runs the NFS server +### On the machine that runs the NFS server * `sudo drbdadm primary r1` # Switch the DRBD to primary * `sudo mount /precious` # DRBD volume shared via NFS * `sudo ip addr add 10.53.101.100/24 dev enp5s0.4001` # add NFS server IP -## On the other machines +### On the other machines * `sudo ip addr del 10.53.101.100/24 dev enp5s0.4001` # remove NFS server IP