
k8s forgejo instance helpers

This commit is contained in:
Earl Warren 2024-10-20 18:05:04 +02:00
parent f84b863480
commit 8f0057787a
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
5 changed files with 141 additions and 42 deletions

.gitignore vendored

@ -1,3 +1,4 @@
*~
k3s-host/secrets.sh
k3s-host/variables.sh
k8s-forgejo/*-secrets.yml
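Review bot: The rule `k8s-forgejo/*-secrets.yml` (presumably the line this commit adds; the rendered page drops the +/- markers) is anchored to one directory and one extension, so a secrets file written as `$name-secrets.yaml` or created in another directory of the tree is still stageable. A broader pattern such as `**/*-secrets.y*ml` keeps the README's `$name-secrets.yml` naming convention while closing that gap. After the change, `git check-ignore -v k8s-forgejo/$name-secrets.yml` is a cheap way to confirm the rule actually matches the files the README tells operators to create.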


@ -1,48 +1,23 @@
## Forgejo
# Forgejo k8s instance
[forgejo](https://code.forgejo.org/forgejo-helm/forgejo-helm) configuration in [ingress](https://code.forgejo.org/forgejo-helm/forgejo-helm#ingress) for the reverse proxy (`traefik`) to route the domain and for the ACME issuer (`cert-manager`) to obtain a certificate. And in [service](https://code.forgejo.org/forgejo-helm/forgejo-helm#service) for the `ssh` port to be bound to the desired IPs of the load balancer (`metallb`).
[forgejo](https://code.forgejo.org/forgejo-helm/forgejo-helm) configuration in [ingress](https://code.forgejo.org/forgejo-helm/forgejo-helm#ingress) for the reverse proxy (`traefik`) to route the domain and for the ACME issuer (`cert-manager`) to obtain a certificate. And in [service](https://code.forgejo.org/forgejo-helm/forgejo-helm#service) for the `ssh` port to be bound to the desired IPs of the load balancer (`metallb`). A [PVC](https://code.forgejo.org/forgejo-helm/forgejo-helm#persistence) is created on the networked storage.
```
ingress:
enabled: true
annotations:
# https://cert-manager.io/docs/usage/ingress/#supported-annotations
# https://github.com/cert-manager/cert-manager/issues/2239
cert-manager.io/cluster-issuer: letsencrypt-http
cert-manager.io/private-key-algorithm: ECDSA
cert-manager.io/private-key-size: 384
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
tls:
- hosts:
- t1.forgejo.org
secretName: tls-forgejo-t1-ingress-http
hosts:
- host: t1.forgejo.org
paths:
- path: /
pathType: Prefix
## Secrets
service:
http:
type: ClusterIP
ipFamilyPolicy: PreferDualStack
port: 3000
ssh:
type: LoadBalancer
annotations:
metallb.universe.tf/loadBalancerIPs: 188.40.16.47,2a01:4f8:fff2:48::2
metallb.universe.tf/allow-shared-ip: "key-to-share-failover"
ipFamilyPolicy: PreferDualStack
port: 2222
```
### New
[Instruct the forgejo pod](https://code.forgejo.org/forgejo-helm/forgejo-helm#persistence) to use the `forgejo-data` pvc.
- `cp forgejo-secrets.yml.example $name-secrets.yml`
- edit
- `kubectl create secret generic forgejo-$name-secrets --from-file=value=$name-secrets.yml`
```yaml
persistence:
enabled: true
create: false
claimName: forgejo-data
```
### Existing
- `kubectl get secret forgejo-$name-secrets -o json | jq -r '.data.value' | base64 -d > $name-secrets.yml`
## Storage
- `../k3s-host/setup.sh setup_k8s_pvc forgejo-$name 4Gi 1000`
## Pod
- `../k3s-host/subst.sh forgejo-values.yml | helm upgrade forgejo-$name -f - -f $name-values.yml -f $name-secrets.yml oci://code.forgejo.org/forgejo-helm/forgejo --atomic --wait --install`


@ -0,0 +1,6 @@
gitea:
admin:
password: "***"
config:
mailer:
PASSWD: "***"


@ -0,0 +1,36 @@
strategy:
type: 'Recreate'
ingress:
enabled: true
annotations:
# https://cert-manager.io/docs/usage/ingress/#supported-annotations
# https://github.com/cert-manager/cert-manager/issues/2239
cert-manager.io/cluster-issuer: letsencrypt-http
cert-manager.io/private-key-algorithm: ECDSA
cert-manager.io/private-key-size: 384
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
service:
http:
type: ClusterIP
ipFamilyPolicy: PreferDualStack
port: 3000
ssh:
type: LoadBalancer
annotations:
metallb.universe.tf/loadBalancerIPs: $failover_ipv4,$failover_ipv6
metallb.universe.tf/allow-shared-ip: "key-to-share-failover"
ipFamilyPolicy: PreferDualStack
redis-cluster:
enabled: false
postgresql:
enabled: false
postgresql-ha:
enabled: false
persistence:
enabled: true
create: false
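Review bot: `cert-manager.io/private-key-size: 384` is a plain YAML integer, but Kubernetes annotation values must be strings, so the rendered Ingress will be rejected at apply time with a type error unless the chart quotes annotation values itself; write `cert-manager.io/private-key-size: "384"` (the README hunk in this commit shows the same unquoted value). The `metallb.universe.tf/loadBalancerIPs: $failover_ipv4,$failover_ipv6` line depends on `../k3s-host/subst.sh`, which is not in this diff; if that script does not fail on an unset variable, a missing value silently renders as an empty or single-address list and the SSH LoadBalancer comes up on the wrong addresses — confirm the substitution is strict. `kubernetes.io/ingress.class: traefik` is the deprecated annotation form; if the chart exposes `ingress.className`, that is the current equivalent.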


@ -0,0 +1,81 @@
image:
registry: codeberg.org
repository: forgejo-experimental/forgejo
tag: '8.0-test'
rootless: false
ingress:
tls:
- hosts:
- next.forgejo.org
secretName: tls-forgejo-next-ingress-http
hosts:
- host: next.forgejo.org
paths:
- path: /
pathType: Prefix
service:
ssh:
port: 2020
persistence:
claimName: forgejo-next
gitea:
admin:
username: earl-warren
email: 'contact@earl-warren.org'
config:
APP_NAME: "Forgejo v8.0 demo"
APP_SLOGAN: "ARCHIVED USE v8.next.forgejo.org instead"
APP_DISPLAY_NAME_FORMAT: "{APP_NAME} [{APP_SLOGAN}]"
log:
LEVEL: "info"
server:
ROOT_URL: https://next.forgejo.org/
DOMAIN: next.forgejo.org
SSH_DOMAIN: next.forgejo.org
SSH_PORT: "2020"
LFS_START_SERVER: true
OFFLINE_MODE: true
repository:
ROOT: /data/git/repositories
service:
REGISTER_EMAIL_CONFIRM: true
DEFAULT_KEEP_EMAIL_PRIVATE: true
ENABLE_NOTIFY_MAIL: true
DISABLE_REGISTRATION: true
actions:
ENABLED: false
mirror:
ENABLED: false
federation:
ENABLED: true
admin:
SEND_NOTIFICATION_EMAIL_ON_NEW_USER: true
cors:
ENABLED: true
ALLOW_DOMAIN: "*"
HEADERS: "Access-Control-Allow-Origin"
mailer:
ENABLED: true
FROM: "noreply@forgejo.org"
PROTOCOL: "smtp+starttls"
SMTP_ADDR: "ssl0.ovh.net"
SMTP_PORT: "587"
USER: "next@forgejo.org"
database:
PATH: /data/gitea.db
DB_TYPE: sqlite3
session:
PROVIDER: db
cache:
ADAPTER: memory
queue:
TYPE: level
indexer:
REPO_INDEXER_ENABLED: true
cron.archive_cleanup:
SCHEDULE: "@hourly"
OLDER_THAN: "2h"
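Review bot: `cors.ALLOW_DOMAIN: "*"` effectively allows cross-origin requests to this instance from any site, and a per-instance values file like this one is the natural starting point when the next `$name-values.yml` is created, so the wildcard will travel with it; if it is intentional for the public demo, a comment above the `cors:` block such as `# Wildcard CORS is deliberate for the public demo instance; use explicit origins elsewhere` keeps it from being copied unreviewed. `HEADERS: "Access-Control-Allow-Origin"` also looks off: in the Forgejo/Gitea `[cors]` section `HEADERS` lists the request headers clients may send (it becomes `Access-Control-Allow-Headers`), while `Access-Control-Allow-Origin` is a response header, so this entry probably has no useful effect — confirm against the app.ini reference before keeping it. Both points concern the same `cors` stanza.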