From 72e05a573e9b92bc8642e028f58c00a06d79fb91 Mon Sep 17 00:00:00 2001 From: Michael Thomson Date: Fri, 31 May 2024 09:17:55 -0400 Subject: [PATCH] gitea and woodpecker --- gitea/helmrelease-gitea.yaml | 14 +- woodpecker/helmrelease-woodpecker.yaml | 270 +----------------- .../sealedsecret-woodpecker-secret.yaml | 23 ++ 3 files changed, 37 insertions(+), 270 deletions(-) create mode 100644 woodpecker/sealedsecret-woodpecker-secret.yaml diff --git a/gitea/helmrelease-gitea.yaml b/gitea/helmrelease-gitea.yaml index 5c9ddcd..cb219f5 100644 --- a/gitea/helmrelease-gitea.yaml +++ b/gitea/helmrelease-gitea.yaml @@ -37,27 +37,23 @@ spec: - gitea.michaelthomson.dev secretName: letsencrypt-wildcard-cert-michaelthomson.dev - deployment: - env: - - name: GITEA__webhook__ALLOWED_HOST_LIST - value: external,loopback,private - persistence: claimName: gitea-shared-storage size: 10Gi storageClass: longhorn gitea: + config: + service: + DISABLE_REGISTRATION: true + webhook: + ALLOWED_HOST_LIST: external,loopback,private admin: existingSecret: gitea-admin-secret email: "gitea@michaelthomson.dev" redis-cluster: enabled: false - usePassword: false - cluster: - nodes: 3 # default: 6 - replicas: 0 # default: 1 postgresql-ha: enabled: false diff --git a/woodpecker/helmrelease-woodpecker.yaml b/woodpecker/helmrelease-woodpecker.yaml index 33b7b93..0f90a38 100644 --- a/woodpecker/helmrelease-woodpecker.yaml +++ b/woodpecker/helmrelease-woodpecker.yaml @@ -7,7 +7,7 @@ spec: chart: spec: chart: woodpecker - version: 1.0.x + version: 1.3.x sourceRef: kind: HelmRepository name: woodpecker 
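Review bot: `ALLOWED_HOST_LIST: external,loopback,private` under `gitea.config.webhook` disables Gitea's webhook host restriction for loopback and private-range addresses, which is the control that keeps a user-defined webhook from reaching other in-cluster services. The only in-cluster target visible in this patch is `woodpecker-server.woodpecker.svc.cluster.local` (the server's `WOODPECKER_WEBHOOK_HOST` in the woodpecker values), so naming that host instead of the keywords keeps the Woodpecker integration working with a far smaller reach: `ALLOWED_HOST_LIST: external,woodpecker-server.woodpecker.svc.cluster.local`. The value is carried over from the `GITEA__webhook__ALLOWED_HOST_LIST` env entry this hunk removes rather than introduced here, but moving it under `config` is the natural moment to narrow it. The `spec` mapping this sits in starts before the hunk.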
@@ -16,213 +16,33 @@ spec: timeout: 5m releaseName: woodpecker values: - # Default values for woodpecker. - # This is a YAML-formatted file. - # Declare variables to be passed into your templates. - - # -- Overrides the name of the chart - nameOverride: "" - # -- Overrides the full name of the chart - fullnameOverride: "" - agent: - # -- Enable the agent component - enabled: true - - # -- The number of replicas for the deployment - replicaCount: 2 - - image: - # -- The image registry - registry: docker.io - # -- The image repository - repository: woodpeckerci/woodpecker-agent - # -- The pull policy for the image - pullPolicy: IfNotPresent - # -- Overrides the image tag whose default is the chart appVersion. - tag: "" - env: # -- Add the environment variables for the agent component WOODPECKER_SERVER: "woodpecker-server:9000" WOODPECKER_BACKEND: kubernetes WOODPECKER_BACKEND_K8S_NAMESPACE: woodpecker - WOODPECKER_BACKEND_K8S_STORAGE_CLASS: "longhorn" + WOODPECKER_BACKEND_K8S_STORAGE_CLASS: "nfs-client" WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 10G - WOODPECKER_BACKEND_K8S_STORAGE_RWX: false + WOODPECKER_BACKEND_K8S_STORAGE_RWX: true WOODPECKER_BACKEND_K8S_POD_LABELS: "" WOODPECKER_BACKEND_K8S_POD_ANNOTATIONS: "" WOODPECKER_CONNECT_RETRY_COUNT: "1" - WOODPECKER_AGENT_SECRET: "nfijsebifeisihbes87843ygyibdui" - # -- Add extra secret that is contains environment variables - extraSecretNamesForEnvFrom: [] - # - woodpecker-secret - - # -- Additional volumes that can be mounted in containers - extraVolumes: - [] - # - name: docker-config - # configMap: - # name: docker-config - # - name: data-volume - # persistentVolumeClaim: - # claimName: example - - # -- Additional volumes that will be attached to the agent container - extraVolumeMounts: - [] - # - name: ca-certs - # mountPath: /etc/ssl/certs/ca-certificates.crt - - # -- The image pull secrets - imagePullSecrets: [] - # -- Overrides the name of the chart of the agent component - nameOverride: "" - # -- Overrides the full name 
of the chart of the agent component - fullnameOverride: "" - - serviceAccount: - # -- Specifies whether a service account should be created (also see RBAC subsection) - create: true - # -- Annotations to add to the service account - annotations: {} - # -- The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - rbac: - # -- If your cluster has RBAC enabled and you're using the Kubernetes agent- - # backend you'll need this. (this is true for almost all production clusters) - # only change this if you have a non CNCF compliant cluster, missing the RBAC endpoints - # the Role and RoleBinding are only created if serviceAccount.create is also true - create: true - # Additional annotations and labels in role and roleBinding are only needed, if you - # are using additional tooling to manage / verify roles or roleBindings (OPA, etc.) - role: - annotations: {} - labels: {} - roleBinding: - annotations: {} - labels: {} - - # -- Add pod annotations for the agent component - podAnnotations: {} - - # -- Add pod security context - podSecurityContext: - {} - # fsGroup: 2000 - - # -- Add security context - securityContext: - {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 - - # -- Specifies the resources for the agent component - resources: - {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - - # -- Specifies the labels of the nodes that the agent component must be running - nodeSelector: {} - - # -- Specifies the tolerations - tolerations: [] - - # -- Specifies the affinity - affinity: {} - - # -- Overrides the default DNS configuration - dnsConfig: {} - - # -- Using topology spread constraints, you can ensure that there is at least one agent - # pod for each topology zone, e.g. one per arch for multi-architecture clusters - # or one for each region for geographically distributed cloud-hosted clusters. - # Ref: - topologySpreadConstraints: [] - # - maxSkew: 1 - # topologyKey: "beta.kubernetes.io/arch" - # whenUnsatisfiable: "DoNotSchedule" - # labelSelector: - # matchLabels: - # "app.kubernetes.io/name": woodpecker-agent + extraSecretNamesForEnvFrom: + - woodpecker-secret server: - # -- Enable the server component - enabled: true - - statefulSet: - # -- Add annotations to the StatefulSet - annotations: {} - # -- Add labels to the StatefulSet - labels: {} - # -- Defines the number of replicas - replicaCount: 1 - # -- The maximum number of revisions that will be maintained in the StatefulSet's revision history - # Default in 10. - revisionHistoryLimit: 5 - - updateStrategy: - # -- Defines the update strategy of the StatefulSet - type: RollingUpdate - - image: - # -- The image registry - registry: docker.io - # -- The image repository - repository: woodpeckerci/woodpecker-server - # -- The image pull policy - pullPolicy: IfNotPresent - # -- Overrides the image tag whose default is the chart appVersion. 
- tag: "" - - # -- Add environment variables for the server component env: WOODPECKER_ADMIN: "woodpecker,admin,gitea_admin,mthomson" WOODPECKER_HOST: "https://woodpecker.michaelthomson.dev" WOODPECKER_WEBHOOK_HOST: "http://woodpecker-server.woodpecker.svc.cluster.local:80" WOODPECKER_GITEA: "true" WOODPECKER_GITEA_URL: "https://gitea.michaelthomson.dev" - WOODPECKER_GITEA_CLIENT: "93262b6f-e472-4ba5-b28e-3b9aa3de30f6" - WOODPECKER_GITEA_SECRET: "gto_bd2gg2etyx4enh5zgnnm7yodmsrtztxkx4pgezdo7vpaboq4ejcq" WOODPECKER_GITEA_SKIP_VERIFY: "true" - WOODPECKER_AGENT_SECRET: "nfijsebifeisihbes87843ygyibdui" - # -- Add extra environment variables from the secrets list - extraSecretNamesForEnvFrom: [] - # - woodpecker-github-client - # - woodpecker-github-secret - # - woodpecker-secret - - # -- Additional volumes that can be mounted in containers - extraVolumes: - [] - # - name: docker-config - # configMap: - # name: docker-config - # - name: data-volume - # persistentVolumeClaim: - # claimName: example - - # -- Additional volumes that will be attached to the agent container - extraVolumeMounts: - [] - # - name: ca-certs - # mountPath: /etc/ssl/certs/ca-certificates.crt + extraSecretNamesForEnvFrom: + - woodpecker-secret persistentVolume: # -- Enable the creation of the persistent volume 
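Review bot: `WOODPECKER_GITEA_SKIP_VERIFY: "true"` survives the trimming of the server `env` block even though `WOODPECKER_GITEA_URL` is the public `https://gitea.michaelthomson.dev`, which the gitea HelmRelease in this same patch serves under `letsencrypt-wildcard-cert-michaelthomson.dev`; that setting disables TLS certificate verification on the connection that presumably carries the Gitea OAuth credentials, so it should become `WOODPECKER_GITEA_SKIP_VERIFY: "false"` (or be dropped) unless the server reaches Gitea by a path not shown here. The three plaintext values this hunk deletes (`WOODPECKER_AGENT_SECRET`, `WOODPECKER_GITEA_CLIENT`, `WOODPECKER_GITEA_SECRET`) remain readable in git history, so the ciphertexts in the new `woodpecker-secret` should be of freshly issued credentials, with the old Gitea OAuth application secret regenerated. Adding `woodpecker-secret` to the agent's `extraSecretNamesForEnvFrom` also injects `WOODPECKER_GITEA_CLIENT` and `WOODPECKER_GITEA_SECRET` into the agent pods, which the removed agent `env` never contained; a separate SealedSecret holding only `WOODPECKER_AGENT_SECRET` for the agent would keep the Gitea credentials confined to the server. The `spec.values` mapping these keys belong to starts before this hunk and continues into the next ones.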
@@ -234,60 +54,14 @@ spec: # -- Defines the storageClass of the persistent volume storageClass: "longhorn" - # -- The image pull secrets - imagePullSecrets: [] - # -- Overrides the name of the helm chart of the server component - nameOverride: "" - # -- Overrides the full name of the helm chart of the server component - fullnameOverride: "" - - serviceAccount: - # -- Specifies whether a service account should be created - create: false - # -- Annotations to add to the service account - annotations: {} - # -- The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - - # -- Add pod annotations - podAnnotations: - {} - # prometheus.io/scrape: "true" - - # -- Add pod security context - podSecurityContext: - {} - # fsGroup: 2000 - - # -- Add security context - securityContext: - {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 - - service: - # -- The type of the service - type: ClusterIP - # -- The port of the service - port: &servicePort 80 - # -- The cluster IP of the service (optional) - clusterIP: - # -- The loadbalancer IP of the service (optional) - loadBalancerIP: - ingress: # -- Enable the ingress for the server component enabled: true # -- Add annotations to the ingress annotations: - # traefik.ingress.kubernetes.io/router.entrypoints: websecure + traefik.ingress.kubernetes.io/router.entrypoints: websecure # traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd - # traefik.ingress.kubernetes.io/router.tls: "true" + traefik.ingress.kubernetes.io/router.tls: "true" # -- Defines which ingress controller will implement the resource ingressClassName: traefik 
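Review bot: `# traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd` stays commented out while the two annotations around it are uncommented, so the server is now published on the `websecure` entrypoint with TLS but without that forward-auth middleware, and a reader cannot tell whether this is a pending step or a decision. If it is deliberate (Woodpecker appears to log users in through the Gitea OAuth settings in the server env, and a forward-auth in front of it would presumably sit on the OAuth callback path), delete the stale commented line; if not, uncomment it together with the other two. The `ingress` mapping continues into the next hunk.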
@@ -303,29 +77,3 @@ spec: - hosts: - woodpecker.michaelthomson.dev secretName: letsencrypt-wildcard-cert-michaelthomson.dev - - # -- Specifies the ressources for the server component - resources: - {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - - # -- Defines the labels of the node where the server component must be running - nodeSelector: {} - - # -- Add tolerations rules - tolerations: [] - - # -- Add affinity - affinity: {} - - # -- Overrides the default DNS configuration - dnsConfig: {} diff --git a/woodpecker/sealedsecret-woodpecker-secret.yaml b/woodpecker/sealedsecret-woodpecker-secret.yaml new file mode 100644 index 0000000..32598e9 --- /dev/null +++ b/woodpecker/sealedsecret-woodpecker-secret.yaml @@ -0,0 +1,23 @@ +{ + "kind": "SealedSecret", + "apiVersion": "bitnami.com/v1alpha1", + "metadata": { + "name": "woodpecker-secret", + "namespace": "woodpecker", + "creationTimestamp": null + }, + "spec": { + "template": { + "metadata": { + "name": "woodpecker-secret", + "namespace": "woodpecker", + "creationTimestamp": null + } + }, + "encryptedData": { + "WOODPECKER_AGENT_SECRET": "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", + "WOODPECKER_GITEA_CLIENT": "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", + "WOODPECKER_GITEA_SECRET": "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" + } + } +}
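Review bot: The new `sealedsecret-woodpecker-secret.yaml` is raw kubeseal JSON output (flow style, with `"creationTimestamp": null` on both metadata objects) in a directory whose other manifests are block-style YAML, so it neither matches the house style nor diffs cleanly when a single value is re-sealed. Regenerating it with `kubeseal -o yaml` and dropping the null timestamps yields the same object; keeping `metadata.name` and `namespace` identical in the SealedSecret and its `spec.template`, as the file already does, is what the default strict sealing scope expects and should stay. The rewrite below keeps every key and uses labelled placeholders where this page shows redacted ciphertext.
```yaml
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: woodpecker-secret
  namespace: woodpecker
spec:
  template:
    metadata:
      name: woodpecker-secret
      namespace: woodpecker
  encryptedData:
    WOODPECKER_AGENT_SECRET: "<ciphertext emitted by kubeseal — placeholder>"
    WOODPECKER_GITEA_CLIENT: "<ciphertext emitted by kubeseal — placeholder>"
    WOODPECKER_GITEA_SECRET: "<ciphertext emitted by kubeseal — placeholder>"
```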