k8s forgejo instance helpers
This commit is contained in:
parent
f84b863480
commit
8f0057787a
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -1,3 +1,4 @@
|
||||||
*~
|
*~
|
||||||
k3s-host/secrets.sh
|
k3s-host/secrets.sh
|
||||||
k3s-host/variables.sh
|
k3s-host/variables.sh
|
||||||
|
k8s-forgejo/*-secrets.yml
|
||||||
|
|
|
@ -1,48 +1,23 @@
|
||||||
## Forgejo
|
# Forgejo k8s instance
|
||||||
|
|
||||||
[forgejo](https://code.forgejo.org/forgejo-helm/forgejo-helm) configuration in [ingress](https://code.forgejo.org/forgejo-helm/forgejo-helm#ingress) for the reverse proxy (`traefik`) to route the domain and for the ACME issuer (`cert-manager`) to obtain a certificate. And in [service](https://code.forgejo.org/forgejo-helm/forgejo-helm#service) for the `ssh` port to be bound to the desired IPs of the load balancer (`metallb`).
|
[forgejo](https://code.forgejo.org/forgejo-helm/forgejo-helm) configuration in [ingress](https://code.forgejo.org/forgejo-helm/forgejo-helm#ingress) for the reverse proxy (`traefik`) to route the domain and for the ACME issuer (`cert-manager`) to obtain a certificate. And in [service](https://code.forgejo.org/forgejo-helm/forgejo-helm#service) for the `ssh` port to be bound to the desired IPs of the load balancer (`metallb`). A [PVC](https://code.forgejo.org/forgejo-helm/forgejo-helm#persistence) is created on the networked storage.
|
||||||
|
|
||||||
```
|
## Secrets
|
||||||
ingress:
|
|
||||||
enabled: true
|
|
||||||
annotations:
|
|
||||||
# https://cert-manager.io/docs/usage/ingress/#supported-annotations
|
|
||||||
# https://github.com/cert-manager/cert-manager/issues/2239
|
|
||||||
cert-manager.io/cluster-issuer: letsencrypt-http
|
|
||||||
cert-manager.io/private-key-algorithm: ECDSA
|
|
||||||
cert-manager.io/private-key-size: 384
|
|
||||||
kubernetes.io/ingress.class: traefik
|
|
||||||
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
|
||||||
tls:
|
|
||||||
- hosts:
|
|
||||||
- t1.forgejo.org
|
|
||||||
secretName: tls-forgejo-t1-ingress-http
|
|
||||||
hosts:
|
|
||||||
- host: t1.forgejo.org
|
|
||||||
paths:
|
|
||||||
- path: /
|
|
||||||
pathType: Prefix
|
|
||||||
|
|
||||||
service:
|
### New
|
||||||
http:
|
|
||||||
type: ClusterIP
|
|
||||||
ipFamilyPolicy: PreferDualStack
|
|
||||||
port: 3000
|
|
||||||
ssh:
|
|
||||||
type: LoadBalancer
|
|
||||||
annotations:
|
|
||||||
metallb.universe.tf/loadBalancerIPs: 188.40.16.47,2a01:4f8:fff2:48::2
|
|
||||||
metallb.universe.tf/allow-shared-ip: "key-to-share-failover"
|
|
||||||
ipFamilyPolicy: PreferDualStack
|
|
||||||
port: 2222
|
|
||||||
```
|
|
||||||
|
|
||||||
[Instruct the forgejo pod](https://code.forgejo.org/forgejo-helm/forgejo-helm#persistence) to use the `forgejo-data` pvc.
|
- `cp forgejo-secrets.yml.example $name-secrets.yml`
|
||||||
|
- edit
|
||||||
|
- `kubectl create secret generic forgejo-$name-secrets --from-file=value=$name-secrets.yml`
|
||||||
|
|
||||||
```yaml
|
### Existing
|
||||||
persistence:
|
|
||||||
enabled: true
|
|
||||||
create: false
|
|
||||||
claimName: forgejo-data
|
|
||||||
```
|
|
||||||
|
|
||||||
|
- `kubectl get secret forgejo-$name-secrets -o json | jq -r '.data.value' | base64 -d > $name-secrets.yml`
|
||||||
|
|
||||||
|
## Storage
|
||||||
|
|
||||||
|
- `../k3s-host/setup.sh setup_k8s_pvc forgejo-$name 4Gi 1000`
|
||||||
|
|
||||||
|
## Pod
|
||||||
|
|
||||||
|
- `../k3s-host/subst.sh forgejo-values.yml | helm upgrade forgejo-$name -f - -f $name-values.yml -f $name-secrets.yml oci://code.forgejo.org/forgejo-helm/forgejo --atomic --wait --install`
|
||||||
|
|
6
k8s-forgejo/forgejo-secrets.yml.example
Normal file
6
k8s-forgejo/forgejo-secrets.yml.example
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
gitea:
|
||||||
|
admin:
|
||||||
|
password: "***"
|
||||||
|
config:
|
||||||
|
mailer:
|
||||||
|
PASSWD: "***"
|
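Review bot: The example file carries no comment saying how it is meant to be used, and `"***"` alone does not tell a reader whether the whole file or only these two keys must be replaced. A one-line header such as `# copy to <name>-secrets.yml (git-ignored via k8s-forgejo/*-secrets.yml), replace the *** placeholders; see README.md` would make the file self-explanatory. Because the README feeds the copy both to `kubectl create secret --from-file` and to `helm -f`, the note should also say that the nesting under `gitea:` must be preserved when editing.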
36
k8s-forgejo/forgejo-values.yml
Normal file
36
k8s-forgejo/forgejo-values.yml
Normal file
|
@ -0,0 +1,36 @@
|
||||||
|
strategy:
|
||||||
|
type: 'Recreate'
|
||||||
|
|
||||||
|
ingress:
|
||||||
|
enabled: true
|
||||||
|
annotations:
|
||||||
|
# https://cert-manager.io/docs/usage/ingress/#supported-annotations
|
||||||
|
# https://github.com/cert-manager/cert-manager/issues/2239
|
||||||
|
cert-manager.io/cluster-issuer: letsencrypt-http
|
||||||
|
cert-manager.io/private-key-algorithm: ECDSA
|
||||||
|
cert-manager.io/private-key-size: 384
|
||||||
|
kubernetes.io/ingress.class: traefik
|
||||||
|
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
||||||
|
|
||||||
|
service:
|
||||||
|
http:
|
||||||
|
type: ClusterIP
|
||||||
|
ipFamilyPolicy: PreferDualStack
|
||||||
|
port: 3000
|
||||||
|
ssh:
|
||||||
|
type: LoadBalancer
|
||||||
|
annotations:
|
||||||
|
metallb.universe.tf/loadBalancerIPs: $failover_ipv4,$failover_ipv6
|
||||||
|
metallb.universe.tf/allow-shared-ip: "key-to-share-failover"
|
||||||
|
ipFamilyPolicy: PreferDualStack
|
||||||
|
|
||||||
|
redis-cluster:
|
||||||
|
enabled: false
|
||||||
|
postgresql:
|
||||||
|
enabled: false
|
||||||
|
postgresql-ha:
|
||||||
|
enabled: false
|
||||||
|
|
||||||
|
persistence:
|
||||||
|
enabled: true
|
||||||
|
create: false
|
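Review bot: `cert-manager.io/private-key-size: 384` is an unquoted integer inside `ingress.annotations`, while Kubernetes annotation values must be strings; unless the chart quotes annotation values when it renders them, the apiserver will reject the Ingress, so prefer `cert-manager.io/private-key-size: "384"`. The `metallb.universe.tf/loadBalancerIPs: $failover_ipv4,$failover_ipv6` value is filled in by `../k3s-host/subst.sh` per the README, and if either variable is unset it presumably degrades silently to an empty or one-sided address list; a comment naming where these variables come from, and a non-empty check in the substitution step, would make that failure visible. `kubernetes.io/ingress.class` is the deprecated annotation form; if the chart exposes an ingress class field, that is the supported way to select traefik.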
81
k8s-forgejo/next-values.yml
Normal file
81
k8s-forgejo/next-values.yml
Normal file
|
@ -0,0 +1,81 @@
|
||||||
|
image:
|
||||||
|
registry: codeberg.org
|
||||||
|
repository: forgejo-experimental/forgejo
|
||||||
|
tag: '8.0-test'
|
||||||
|
rootless: false
|
||||||
|
|
||||||
|
ingress:
|
||||||
|
tls:
|
||||||
|
- hosts:
|
||||||
|
- next.forgejo.org
|
||||||
|
secretName: tls-forgejo-next-ingress-http
|
||||||
|
hosts:
|
||||||
|
- host: next.forgejo.org
|
||||||
|
paths:
|
||||||
|
- path: /
|
||||||
|
pathType: Prefix
|
||||||
|
|
||||||
|
service:
|
||||||
|
ssh:
|
||||||
|
port: 2020
|
||||||
|
|
||||||
|
persistence:
|
||||||
|
claimName: forgejo-next
|
||||||
|
|
||||||
|
gitea:
|
||||||
|
admin:
|
||||||
|
username: earl-warren
|
||||||
|
email: 'contact@earl-warren.org'
|
||||||
|
config:
|
||||||
|
APP_NAME: "Forgejo v8.0 demo"
|
||||||
|
APP_SLOGAN: "ARCHIVED USE v8.next.forgejo.org instead"
|
||||||
|
APP_DISPLAY_NAME_FORMAT: "{APP_NAME} [{APP_SLOGAN}]"
|
||||||
|
log:
|
||||||
|
LEVEL: "info"
|
||||||
|
server:
|
||||||
|
ROOT_URL: https://next.forgejo.org/
|
||||||
|
DOMAIN: next.forgejo.org
|
||||||
|
SSH_DOMAIN: next.forgejo.org
|
||||||
|
SSH_PORT: "2020"
|
||||||
|
LFS_START_SERVER: true
|
||||||
|
OFFLINE_MODE: true
|
||||||
|
repository:
|
||||||
|
ROOT: /data/git/repositories
|
||||||
|
service:
|
||||||
|
REGISTER_EMAIL_CONFIRM: true
|
||||||
|
DEFAULT_KEEP_EMAIL_PRIVATE: true
|
||||||
|
ENABLE_NOTIFY_MAIL: true
|
||||||
|
DISABLE_REGISTRATION: true
|
||||||
|
actions:
|
||||||
|
ENABLED: false
|
||||||
|
mirror:
|
||||||
|
ENABLED: false
|
||||||
|
federation:
|
||||||
|
ENABLED: true
|
||||||
|
admin:
|
||||||
|
SEND_NOTIFICATION_EMAIL_ON_NEW_USER: true
|
||||||
|
cors:
|
||||||
|
ENABLED: true
|
||||||
|
ALLOW_DOMAIN: "*"
|
||||||
|
HEADERS: "Access-Control-Allow-Origin"
|
||||||
|
mailer:
|
||||||
|
ENABLED: true
|
||||||
|
FROM: "noreply@forgejo.org"
|
||||||
|
PROTOCOL: "smtp+starttls"
|
||||||
|
SMTP_ADDR: "ssl0.ovh.net"
|
||||||
|
SMTP_PORT: "587"
|
||||||
|
USER: "next@forgejo.org"
|
||||||
|
database:
|
||||||
|
PATH: /data/gitea.db
|
||||||
|
DB_TYPE: sqlite3
|
||||||
|
session:
|
||||||
|
PROVIDER: db
|
||||||
|
cache:
|
||||||
|
ADAPTER: memory
|
||||||
|
queue:
|
||||||
|
TYPE: level
|
||||||
|
indexer:
|
||||||
|
REPO_INDEXER_ENABLED: true
|
||||||
|
cron.archive_cleanup:
|
||||||
|
SCHEDULE: "@hourly"
|
||||||
|
OLDER_THAN: "2h"
|
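Review bot: The `cors` block enables CORS with `ALLOW_DOMAIN: "*"`, and `HEADERS: "Access-Control-Allow-Origin"` appears to name a response header in what is, as far as I can tell, the list of allowed request headers, so that line most likely does not do what was intended. If a wildcard origin is deliberate for this demo instance, a comment saying so and naming the client that needs it would stop a later reader from tightening or widening it blindly; otherwise restrict `ALLOW_DOMAIN` to the origins that actually need cross-site access. Separately, `tag: '8.0-test'` on an experimental repository is a mutable tag, so the deployed image can change under `helm upgrade` without any diff here; pinning a digest, if the chart offers a field for it, would make rollouts reproducible.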