gitea and woodpecker

2026-02-04 13:09:53 +00:00 · 2024-05-31 09:17:55 -04:00
parent 07f1e2d1ff
commit 72e05a573e
3 changed files with 37 additions and 270 deletions
--- a/gitea/helmrelease-gitea.yaml
+++ b/gitea/helmrelease-gitea.yaml
@@ -37,27 +37,23 @@ spec:
            - gitea.michaelthomson.dev
          secretName: letsencrypt-wildcard-cert-michaelthomson.dev

-    deployment:
-      env:
-        - name: GITEA__webhook__ALLOWED_HOST_LIST
-          value: external,loopback,private
-
    persistence:
      claimName: gitea-shared-storage
      size: 10Gi
      storageClass: longhorn

    gitea:
+      config:
+        service:
+          DISABLE_REGISTRATION: true
+        webhook:
+          ALLOWED_HOST_LIST: external,loopback,private
      admin:
        existingSecret: gitea-admin-secret
        email: "gitea@michaelthomson.dev"

    redis-cluster:
      enabled: false
-      usePassword: false
-      cluster:
-        nodes: 3 # default: 6
-        replicas: 0 # default: 1

    postgresql-ha:
      enabled: false
--- a/woodpecker/helmrelease-woodpecker.yaml
+++ b/woodpecker/helmrelease-woodpecker.yaml
@@ -7,7 +7,7 @@ spec:
  chart:
    spec:
      chart: woodpecker
-      version: 1.0.x
+      version: 1.3.x
      sourceRef:
        kind: HelmRepository
        name: woodpecker
@@ -16,213 +16,33 @@ spec:
  timeout: 5m
  releaseName: woodpecker
  values:
-    # Default values for woodpecker.
-    # This is a YAML-formatted file.
-    # Declare variables to be passed into your templates.
-
-    # -- Overrides the name of the chart
-    nameOverride: ""
-    # -- Overrides the full name of the chart
-    fullnameOverride: ""
-
    agent:
-      # -- Enable the agent component
-      enabled: true
-
-      # -- The number of replicas for the deployment
-      replicaCount: 2
-
-      image:
-        # -- The image registry
-        registry: docker.io
-        # -- The image repository
-        repository: woodpeckerci/woodpecker-agent
-        # -- The pull policy for the image
-        pullPolicy: IfNotPresent
-        # -- Overrides the image tag whose default is the chart appVersion.
-        tag: ""
-
      env:
        # -- Add the environment variables for the agent component
        WOODPECKER_SERVER: "woodpecker-server:9000"
        WOODPECKER_BACKEND: kubernetes
        WOODPECKER_BACKEND_K8S_NAMESPACE: woodpecker
-        WOODPECKER_BACKEND_K8S_STORAGE_CLASS: "longhorn"
+        WOODPECKER_BACKEND_K8S_STORAGE_CLASS: "nfs-client"
        WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 10G
-        WOODPECKER_BACKEND_K8S_STORAGE_RWX: false
+        WOODPECKER_BACKEND_K8S_STORAGE_RWX: true
        WOODPECKER_BACKEND_K8S_POD_LABELS: ""
        WOODPECKER_BACKEND_K8S_POD_ANNOTATIONS: ""
        WOODPECKER_CONNECT_RETRY_COUNT: "1"
-        WOODPECKER_AGENT_SECRET: "nfijsebifeisihbes87843ygyibdui"

-      # -- Add extra secret that is contains environment variables
-      extraSecretNamesForEnvFrom: []
-      #  - woodpecker-secret
-
-      # -- Additional volumes that can be mounted in containers
-      extraVolumes:
-        []
-        # - name: docker-config
-        #   configMap:
-        #     name: docker-config
-        # - name: data-volume
-        #   persistentVolumeClaim:
-        #     claimName: example
-
-      # -- Additional volumes that will be attached to the agent container
-      extraVolumeMounts:
-        []
-        # - name: ca-certs
-        #   mountPath: /etc/ssl/certs/ca-certificates.crt
-
-      # -- The image pull secrets
-      imagePullSecrets: []
-      # -- Overrides the name of the chart of the agent component
-      nameOverride: ""
-      # -- Overrides the full name of the chart of the agent component
-      fullnameOverride: ""
-
-      serviceAccount:
-        # -- Specifies whether a service account should be created (also see RBAC subsection)
-        create: true
-        # -- Annotations to add to the service account
-        annotations: {}
-        # -- The name of the service account to use.
-        # If not set and create is true, a name is generated using the fullname template
-        name: ""
-        rbac:
-          # -- If your cluster has RBAC enabled and you're using the Kubernetes agent-
-          # backend you'll need this. (this is true for almost all production clusters)
-          # only change this if you have a non CNCF compliant cluster, missing the RBAC endpoints
-          # the Role and RoleBinding are only created if serviceAccount.create is also true
-          create: true
-          # Additional annotations and labels in role and roleBinding are only needed, if you
-          # are using additional tooling to manage / verify roles or roleBindings (OPA, etc.)
-          role:
-            annotations: {}
-            labels: {}
-          roleBinding:
-            annotations: {}
-            labels: {}
-
-      # -- Add pod annotations for the agent component
-      podAnnotations: {}
-
-      # -- Add pod security context
-      podSecurityContext:
-        {}
-        # fsGroup: 2000
-
-      # -- Add security context
-      securityContext:
-        {}
-        # capabilities:
-        #   drop:
-        #   - ALL
-        # readOnlyRootFilesystem: true
-        # runAsNonRoot: true
-        # runAsUser: 1000
-
-      # -- Specifies the resources for the agent component
-      resources:
-        {}
-        # We usually recommend not to specify default resources and to leave this as a conscious
-        # choice for the user. This also increases chances charts run on environments with little
-        # resources, such as Minikube. If you do want to specify resources, uncomment the following
-        # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-        # limits:
-        #   cpu: 100m
-        #   memory: 128Mi
-        # requests:
-        #   cpu: 100m
-        #   memory: 128Mi
-
-      # -- Specifies the labels of the nodes that the agent component must be running
-      nodeSelector: {}
-
-      # -- Specifies the tolerations
-      tolerations: []
-
-      # -- Specifies the affinity
-      affinity: {}
-
-      # -- Overrides the default DNS configuration
-      dnsConfig: {}
-
-      # -- Using topology spread constraints, you can ensure that there is at least one agent
-      # pod for each topology zone, e.g. one per arch for multi-architecture clusters
-      # or one for each region for geographically distributed cloud-hosted clusters.
-      # Ref: <https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/>
-      topologySpreadConstraints: []
-      # - maxSkew: 1
-      #   topologyKey: "beta.kubernetes.io/arch"
-      #   whenUnsatisfiable: "DoNotSchedule"
-      #   labelSelector:
-      #     matchLabels:
-      #       "app.kubernetes.io/name": woodpecker-agent
+      extraSecretNamesForEnvFrom:
+      - woodpecker-secret

    server:
-      # -- Enable the server component
-      enabled: true
-
-      statefulSet:
-        # -- Add annotations to the StatefulSet
-        annotations: {}
-        # -- Add labels to the StatefulSet
-        labels: {}
-        # -- Defines the number of replicas
-        replicaCount: 1
-        # -- The maximum number of revisions that will be maintained in the StatefulSet's revision history
-        # Default in 10.
-        revisionHistoryLimit: 5
-
-      updateStrategy:
-        # -- Defines the update strategy of the StatefulSet
-        type: RollingUpdate
-
-      image:
-        # -- The image registry
-        registry: docker.io
-        # -- The image repository
-        repository: woodpeckerci/woodpecker-server
-        # -- The image pull policy
-        pullPolicy: IfNotPresent
-        # -- Overrides the image tag whose default is the chart appVersion.
-        tag: ""
-
-      # -- Add environment variables for the server component
      env:
        WOODPECKER_ADMIN: "woodpecker,admin,gitea_admin,mthomson"
        WOODPECKER_HOST: "https://woodpecker.michaelthomson.dev"
        WOODPECKER_WEBHOOK_HOST: "http://woodpecker-server.woodpecker.svc.cluster.local:80"
        WOODPECKER_GITEA: "true"
        WOODPECKER_GITEA_URL: "https://gitea.michaelthomson.dev"
-        WOODPECKER_GITEA_CLIENT: "93262b6f-e472-4ba5-b28e-3b9aa3de30f6"
-        WOODPECKER_GITEA_SECRET: "gto_bd2gg2etyx4enh5zgnnm7yodmsrtztxkx4pgezdo7vpaboq4ejcq"
        WOODPECKER_GITEA_SKIP_VERIFY: "true"
-        WOODPECKER_AGENT_SECRET: "nfijsebifeisihbes87843ygyibdui"

-      # -- Add extra environment variables from the secrets list
-      extraSecretNamesForEnvFrom: []
-        # - woodpecker-github-client
-        # - woodpecker-github-secret
-        # - woodpecker-secret
-
-      # -- Additional volumes that can be mounted in containers
-      extraVolumes:
-        []
-        # - name: docker-config
-        #   configMap:
-        #     name: docker-config
-        # - name: data-volume
-        #   persistentVolumeClaim:
-        #     claimName: example
-
-      # -- Additional volumes that will be attached to the agent container
-      extraVolumeMounts:
-        []
-        # - name: ca-certs
-        #   mountPath: /etc/ssl/certs/ca-certificates.crt
+      extraSecretNamesForEnvFrom:
+      - woodpecker-secret

      persistentVolume:
        # -- Enable the creation of the persistent volume
@@ -234,60 +54,14 @@ spec:
        # -- Defines the storageClass of the persistent volume
        storageClass: "longhorn"

-      # -- The image pull secrets
-      imagePullSecrets: []
-      # -- Overrides the name of the helm chart of the server component
-      nameOverride: ""
-      # -- Overrides the full name of the helm chart of the server component
-      fullnameOverride: ""
-
-      serviceAccount:
-        # -- Specifies whether a service account should be created
-        create: false
-        # -- Annotations to add to the service account
-        annotations: {}
-        # -- The name of the service account to use.
-        # If not set and create is true, a name is generated using the fullname template
-        name: ""
-
-      # -- Add pod annotations
-      podAnnotations:
-        {}
-        # prometheus.io/scrape: "true"
-
-      # -- Add pod security context
-      podSecurityContext:
-        {}
-        # fsGroup: 2000
-
-      # -- Add security context
-      securityContext:
-        {}
-        # capabilities:
-        #   drop:
-        #   - ALL
-        # readOnlyRootFilesystem: true
-        # runAsNonRoot: true
-        # runAsUser: 1000
-
-      service:
-        # -- The type of the service
-        type: ClusterIP
-        # -- The port of the service
-        port: &servicePort 80
-        # -- The cluster IP of the service (optional)
-        clusterIP:
-        # -- The loadbalancer IP of the service (optional)
-        loadBalancerIP:
-
      ingress:
        # -- Enable the ingress for the server component
        enabled: true
        # -- Add annotations to the ingress
        annotations:
-          # traefik.ingress.kubernetes.io/router.entrypoints: websecure
+          traefik.ingress.kubernetes.io/router.entrypoints: websecure
          # traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
-          # traefik.ingress.kubernetes.io/router.tls: "true"
+          traefik.ingress.kubernetes.io/router.tls: "true"

        # -- Defines which ingress controller will implement the resource
        ingressClassName: traefik
@@ -303,29 +77,3 @@ spec:
          - hosts:
              - woodpecker.michaelthomson.dev
            secretName: letsencrypt-wildcard-cert-michaelthomson.dev
-
-      # -- Specifies the ressources for the server component
-      resources:
-        {}
-        # We usually recommend not to specify default resources and to leave this as a conscious
-        # choice for the user. This also increases chances charts run on environments with little
-        # resources, such as Minikube. If you do want to specify resources, uncomment the following
-        # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-        # limits:
-        #   cpu: 100m
-        #   memory: 128Mi
-        # requests:
-        #   cpu: 100m
-        #   memory: 128Mi
-
-      # -- Defines the labels of the node where the server component must be running
-      nodeSelector: {}
-
-      # -- Add tolerations rules
-      tolerations: []
-
-      # -- Add affinity
-      affinity: {}
-
-      # -- Overrides the default DNS configuration
-      dnsConfig: {}
--- a/woodpecker/sealedsecret-woodpecker-secret.yaml
+++ b/woodpecker/sealedsecret-woodpecker-secret.yaml
@@ -0,0 +1,23 @@
+{
+  "kind": "SealedSecret",
+  "apiVersion": "bitnami.com/v1alpha1",
+  "metadata": {
+    "name": "woodpecker-secret",
+    "namespace": "woodpecker",
+    "creationTimestamp": null
+  },
+  "spec": {
+    "template": {
+      "metadata": {
+        "name": "woodpecker-secret",
+        "namespace": "woodpecker",
+        "creationTimestamp": null
+      }
+    },
+    "encryptedData": {
+      "WOODPECKER_AGENT_SECRET": "AgA6zq0vXuV+wVXkF1E7YeORjGchFPxWFT8M3kgBvREAZ6hvB/DPBDT3w5TkSKdaIuxczxYCNwIhzKCp831NeqLH4yE/4tBQnNImGPazO93e1GAvLgsNwJZuWXFhT4ydkc6KT6koIGYAax54LJoMCF1jctUKTgon1hXimKB12KH6MrR3d/hy/i9pMB3a+298Lz8Cp0bmj8BdOklsj4nRFolQB5HDlFhrTAUb4RbuTyvjLxbVu9dKgmdScFEdSipemRkJE2zLGA72T/I5pIWRVSWL3ymrgDLDqX22yzoLjSPrT9wNm4STqZdxn6ERj4A16Bz6kRKEAbhTwv/gpxPKSBTfARQJByYuYklNzu2/p8e9nRSbHpzy6VtFjuxgnKUvH7I0iewd390UoUJUeQZisoFi9eFQU1Q41S05tAenjwUxK0T6/xp4Qp8xA9/ZVAK/gJBhCH/1eOzdMTksJ3fWCSaTlDED7Lu3l5KA7rOUvDWG0eqC6HsRqKl09KW4LJdjzQt0M8gfMa0rkptJCs+Y/rxYBroMd1RVBwT6C2NyUKQxdBKchIpxD6bDgt1Sl0+3O72ZW9iEVH2xGFveQNIDGEWsNpnVq90qvXCE7wOl7i4RWyr3H2r7WpihIOBm67CVHVUdkq/iSY35L//cwfCa/E7P6btmsuJYPdOYL0IdRzn55pHhs0XFKSf+bnJwxkgURhIWKOktSH/nVF5yJCZXCZaD8Hebfyr3n+L+0LKXdus=",
+      "WOODPECKER_GITEA_CLIENT": "AgAn9yXV84B9U4NhzU4FfXMpEKnnj0My6VAduLO7L55/V8OcNIH/AaPp5LsMzCLoy7QORaRct67p3a4/ijoAwQ0a3zRnlXBz2/czSm6pQ8rfcZKMVmOvHrIAAWcLJlHu7WjVjGdxtLbdv5S8RKNHvIdZ08RhXnFehSKpNBBWz9tHXjU/rdALD1RNvWjG0jJ1FyqtOhwdr91fzf3KrzwWs10lRE2m1y7yIx9sVLkX10ty1ABwmlZXpOXWoQxUWfzsIH+b2ny0sXi8jO61MWRFZUb/rnsZZJsPdcG2XZhAmM4U1n8KVZ9BoLd2E4oCO4hJ4zTeLW4AKaumduoZURJT2xBfAKubQMNf+bYqT+EFFtq2I//Baq+9Uo20ITsCVCLNqdUuEQ29hKAXlgOJFvP2vHsajBJ/3v80cGNMAvj+wG1Avkuz7gaLMIXUsQhU4qco4NIZZtB9W7qcNjFVoVnM6Ljy84E4Pwyjx4PiyHo9NKBohb+NUvoSJF3kNKihO8OgUo35l9Cl0IgnW7MBFhKpAr1SqS0M3qyHkt0hww5B6lk4eXD2xbGfOH/CNTXDQih6A/ggNuz+dN8O1NuH3g6LcqgO7lOARNQ3Ava+oMRMJU3k1kz3I7N/wdLOH8swzPC9t+eSaBgbihKmZH0nS9NnO+olb6KQY4k9KHdIz8EZrjKjae/AmZ/WVVFKOePQY/7p4Ux61gE2AGHHZ8TDqjXr2/dEcAb3CXy3RV0iiqrIa7TH+Dn8WXs=",
+      "WOODPECKER_GITEA_SECRET": "AgAVT8ncCJ5Uoi+McGk4UhegwkVaajBTBXs3Gdvf0Dk1hDx0dQXWo7/hopSUV8mOdN5h3P4JuVbrBYrLMUby1gCL3UgZSc6Ylc8NfiYVosdaS9Z0nrJ2AMgc3TqfVaW0I/DHyRQhvHCdF87Tou0w7W+2lDmDyRQ+z/lcfyES3B6bE6MuArZH7UFTYsV7Cah8+5fCNrqEmFhebRe10EXMWd4wwe00g/GoslQzYugvZ2Elk7atn+Mat9yLC/eTpyWKlXP81vs5O5ln1maI0r6+9l3MLPfbOjclxUjRk/epXUE/hqtwoLFH8+9irqARqD2zOb2jT830Pneb6lC0Y6P1MH03lac9wCe9Pso1AMllcVDDTco1x+XXrNJsvrQG9PoyQDueoA3TbEcnWRS1e8B61myXPYF7t7V5ySh9X/xcZBxeEarLwkJbNrDRgivrQOyMeegY/jSyMp8D9nJkJiDHTSArTiOTIkwCOa97aoFGZiNpWx0LZ9Zo+JS1FELmLgAXktvO7HGbnogjHzcy8Fepqu0EZLvqYROeJcdwLHR05jd73nAHgmkaliRf+u46G5e+pwIF8o4iK4gk1aTFO5hl02Qs3CwQiqI8pc8R5j5zgmnlP5/Kg85krz3wX7TpZCfiC18KhCpfPj+D8LPCzdYljSo5upC2gvsrNH5EtZsnChQ3ZbOH0joiO62RU+waFNwnWu0Q3FfQKwUjE96jyeFbIc5US8euJQvWREjYPGMnSkl6ldcCUMz+p54dwvlwI8oAVJd0HD0Ofcrm4g=="
+    }
+  }
+}