Initial commit.

2025-10-11 17:25:46 +00:00
commit db621755b3
123 changed files with 5066 additions and 0 deletions
--- a/gitea/README.md
+++ b/gitea/README.md
@@ -0,0 +1,85 @@
+# Gitea Configuration
+
+This Gitea deployment uses a hybrid configuration approach combining environment variables with Gitea's self-managed configuration file.
+
+## Configuration Architecture
+
+### Environment Variables (gitea.env)
+Non-secret configuration is stored in `gitea.env` and automatically loaded via kustomize's `configMapGenerator`. This includes:
+- Server settings (domain, URLs, ports)
+- Database connection details (except password)
+- SMTP settings (except password)
+- Service settings (registration, notifications)
+- Repository and storage paths
+
+### Kubernetes Secrets (gitea-secrets)
+Sensitive configuration is stored in the `gitea-secrets` secret and managed by the wild-cloud deployment system:
+- `adminPassword` - Gitea admin user password
+- `secretKey` - Application secret key
+- `jwtSecret` - JWT signing secret
+- `dbPassword` - Database password
+- `smtpPassword` - SMTP authentication password
+
+Secrets are defined in `secrets.yaml` and listed in `manifest.yaml` under `requiredSecrets`. The `wild-app-deploy` command automatically ensures all required secrets exist in the `gitea-secrets` secret before deployment.
+
+### Persistent Configuration (app.ini)
+Gitea manages its own `app.ini` file on persistent storage for:
+- Generated security tokens
+- Runtime configuration changes made via web UI
+- Database migration state
+- User-modified settings
+
+## How It Works
+
+1. **Startup**: Kustomize generates a ConfigMap from `gitea.env`
+2. **Environment Loading**: Pod loads non-secret config from ConfigMap via `envFrom`
+3. **Secret Loading**: Pod loads sensitive config from Kubernetes secrets via `env`
+4. **Configuration Merge**: Gitea's environment-to-ini process merges environment variables into `app.ini`
+5. **Persistence**: Gitea writes the merged configuration plus generated tokens to persistent storage
+
+## Making Configuration Changes
+
+### Non-Secret Settings
+1. Edit `gitea.env` with your changes
+2. Run `wild-app-deploy gitea` to apply changes
+3. Pod will restart and pick up new configuration
+
+### Secret Settings
+1. Edit `secrets.yaml` with your secret values
+2. Ensure the secret key is listed in `manifest.yaml` under `requiredSecrets`
+3. Run `wild-app-deploy gitea` - this will automatically update the `gitea-secrets` secret and restart the pod
+
+### Web UI Changes
+Configuration changes made through Gitea's admin web interface are automatically persisted to the `app.ini` file on persistent storage and will survive pod restarts.
+
+## Configuration Precedence
+
+1. **Kubernetes Secrets** (highest priority)
+2. **Environment Variables** (from gitea.env)
+3. **Persistent app.ini** (lowest priority)
+
+Environment variables override file settings, and secrets override everything.
+
+## Troubleshooting
+
+### Check Current Configuration
+```bash
+# View environment variables
+kubectl describe pod -n gitea -l app=gitea | grep -A 20 "Environment"
+
+# View current app.ini
+kubectl exec -it deployment/gitea -n gitea -- cat /data/gitea/conf/app.ini
+```
+
+### Configuration Not Applied
+- Verify the ConfigMap was generated: `kubectl get configmap -n gitea`
+- Check pod restart: `kubectl get pods -n gitea`
+- Review startup logs: `kubectl logs -n gitea -l app=gitea`
+
+
+## External Dependencies
+
+- **Database**: PostgreSQL instance in `postgres` namespace
+- **Storage**: Longhorn distributed storage
+- **Ingress**: Traefik with Let's Encrypt certificates
+- **DNS**: External-DNS with Cloudflare integration
--- a/gitea/db-init-job.yaml
+++ b/gitea/db-init-job.yaml
@@ -0,0 +1,51 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: gitea-db-init
+  labels:
+    component: db-init
+spec:
+  template:
+    metadata:
+      labels:
+        component: db-init
+    spec:
+      containers:
+        - name: db-init
+          image: {{ .apps.postgres.image }}
+          command: ["/bin/bash", "-c"]
+          args:
+            - |
+              PGPASSWORD=${POSTGRES_ADMIN_PASSWORD} psql -h ${DB_HOSTNAME} -U postgres <<EOF
+              DO \$\$
+              BEGIN
+                IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '${DB_USERNAME}') THEN
+                  CREATE USER ${DB_USERNAME} WITH ENCRYPTED PASSWORD '${DB_PASSWORD}';
+                ELSE
+                  ALTER USER ${DB_USERNAME} WITH ENCRYPTED PASSWORD '${DB_PASSWORD}';
+                END IF;
+              END
+              \$\$;
+
+              SELECT 'CREATE DATABASE ${DB_DATABASE_NAME}' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = '${DB_DATABASE_NAME}')\gexec
+              ALTER DATABASE ${DB_DATABASE_NAME} OWNER TO ${DB_USERNAME};
+              GRANT ALL PRIVILEGES ON DATABASE ${DB_DATABASE_NAME} TO ${DB_USERNAME};
+              EOF
+          env:
+            - name: POSTGRES_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: postgres-secrets
+                  key: apps.postgres.password
+            - name: DB_HOSTNAME
+              value: "{{ .apps.gitea.dbHost }}"
+            - name: DB_DATABASE_NAME
+              value: "{{ .apps.gitea.dbName }}"
+            - name: DB_USERNAME
+              value: "{{ .apps.gitea.dbUser }}"
+            - name: DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: gitea-secrets
+                  key: apps.gitea.dbPassword
+      restartPolicy: OnFailure
--- a/gitea/deployment.yaml
+++ b/gitea/deployment.yaml
@@ -0,0 +1,92 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gitea
+  namespace: gitea
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      component: web
+  template:
+    metadata:
+      labels:
+        app: gitea
+        component: web
+        managedBy: kustomize
+        partOf: wild-cloud
+    spec:
+      securityContext:
+        fsGroup: 1000
+      terminationGracePeriodSeconds: 60
+      containers:
+        - name: gitea
+          image: "{{ .apps.gitea.image }}"
+          imagePullPolicy: IfNotPresent
+          envFrom:
+            - configMapRef:
+                name: gitea-env
+          env:
+            - name: GITEA_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: gitea-secrets
+                  key: apps.gitea.adminPassword
+            - name: GITEA__security__SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: gitea-secrets
+                  key: apps.gitea.secretKey
+            - name: GITEA__security__INTERNAL_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: gitea-secrets
+                  key: apps.gitea.jwtSecret
+            - name: GITEA__database__PASSWD
+              valueFrom:
+                secretKeyRef:
+                  name: gitea-secrets
+                  key: apps.gitea.dbPassword
+            - name: GITEA__mailer__PASSWD
+              valueFrom:
+                secretKeyRef:
+                  name: gitea-secrets
+                  key: apps.gitea.smtpPassword
+          ports:
+            - name: ssh
+              containerPort: 2222
+            - name: http
+              containerPort: 3000
+          livenessProbe:
+            failureThreshold: 10
+            initialDelaySeconds: 200
+            periodSeconds: 10
+            successThreshold: 1
+            tcpSocket:
+              port: http
+            timeoutSeconds: 1
+          readinessProbe:
+            failureThreshold: 3
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            successThreshold: 1
+            tcpSocket:
+              port: http
+            timeoutSeconds: 1
+          resources:
+            {}
+          securityContext:
+            {}
+          volumeMounts:
+            - name: temp
+              mountPath: /tmp
+            - name: data
+              mountPath: /data
+      volumes:
+        - name: temp
+          emptyDir: {}
+        - name: data
+          persistentVolumeClaim:
+            claimName: gitea-data
--- a/gitea/gitea.env
+++ b/gitea/gitea.env
@@ -0,0 +1,60 @@
+SSH_LISTEN_PORT=2222
+SSH_PORT=22
+GITEA_WORK_DIR=/data
+GITEA_TEMP=/tmp/gitea
+TMPDIR=/tmp/gitea
+GITEA_ADMIN_USERNAME={{ .apps.gitea.adminUser }}
+GITEA_ADMIN_PASSWORD_MODE=keepUpdated
+
+# Core app settings
+GITEA____APP_NAME={{ .apps.gitea.appName }}
+GITEA____RUN_MODE={{ .apps.gitea.runMode }}  
+GITEA____RUN_USER=git
+
+# Security settings
+GITEA__security__INSTALL_LOCK=true
+GITEA__security__PASSWORD_HASH_ALGO=pbkdf2
+
+# Database settings (except password which comes from secret)
+GITEA__database__DB_TYPE=postgres
+GITEA__database__HOST={{ .apps.gitea.dbHost }}:{{ .apps.gitea.dbPort }}
+GITEA__database__NAME={{ .apps.gitea.dbName }}
+GITEA__database__USER={{ .apps.gitea.dbUser }}
+GITEA__database__SSL_MODE=disable
+GITEA__database__LOG_SQL=false
+
+# Server settings
+GITEA__server__DOMAIN={{ .apps.gitea.domain }}
+GITEA__server__HTTP_PORT={{ .apps.gitea.port }}
+GITEA__server__ROOT_URL=https://{{ .apps.gitea.domain }}/
+GITEA__server__DISABLE_SSH=false
+GITEA__server__SSH_DOMAIN={{ .apps.gitea.domain }}
+GITEA__server__SSH_PORT={{ .apps.gitea.sshPort }}
+GITEA__server__SSH_LISTEN_PORT=2222
+GITEA__server__LFS_START_SERVER=true
+GITEA__server__OFFLINE_MODE=true
+
+# Service settings
+GITEA__service__REGISTER_EMAIL_CONFIRM=true
+GITEA__service__DISABLE_REGISTRATION=false
+GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION=false
+GITEA__service__ENABLE_NOTIFY_MAIL=true
+GITEA__service__ENABLE_BASIC_AUTHENTICATION=false
+GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION=false
+GITEA__service__ENABLE_CAPTCHA=false
+GITEA__service__REQUIRE_SIGNIN_VIEW=false
+GITEA__service__DEFAULT_KEEP_EMAIL_PRIVATE=false
+GITEA__service__DEFAULT_ALLOW_CREATE_ORGANIZATION=true
+GITEA__service__DEFAULT_ENABLE_TIMETRACKING=true
+GITEA__service__NO_REPLY_ADDRESS=noreply.localhost
+
+# Webhook settings
+GITEA__webhook__ALLOWED_HOST_LIST=*
+
+# Mailer settings (enabled via env vars, password from secret)
+GITEA__mailer__ENABLED=true
+GITEA__mailer__SMTP_ADDR={{ .apps.gitea.smtp.host }}
+GITEA__mailer__SMTP_PORT={{ .apps.gitea.smtp.port }}
+GITEA__mailer__FROM={{ .apps.gitea.smtp.from }}
+GITEA__mailer__USER={{ .apps.gitea.smtp.user }}
+
--- a/gitea/ingress.yaml
+++ b/gitea/ingress.yaml
@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: gitea-public
+  namespace: gitea
+  annotations:
+    external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"
+    external-dns.alpha.kubernetes.io/target: "{{ .cloud.domain }}"
+spec:
+  rules:
+    - host: "{{ .apps.gitea.domain }}"
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: gitea-http
+                port:
+                  number: 3000
+  tls:
+    - secretName: "{{ .apps.gitea.tlsSecretName }}"
+      hosts:
+        - "{{ .apps.gitea.domain }}"
--- a/gitea/kustomization.yaml
+++ b/gitea/kustomization.yaml
@@ -0,0 +1,20 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: gitea
+labels:
+  - includeSelectors: true
+    pairs:
+      app: gitea
+      managedBy: kustomize
+      partOf: wild-cloud
+resources:
+  - namespace.yaml
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml
+  - pvc.yaml
+  - db-init-job.yaml
+configMapGenerator:
+  - name: gitea-env
+    envs:
+      - gitea.env
--- a/gitea/manifest.yaml
+++ b/gitea/manifest.yaml
@@ -0,0 +1,33 @@
+name: gitea
+description: Gitea is a painless self-hosted Git service written in Go
+version: 1.24.3
+icon: https://github.com/go-gitea/gitea/raw/main/assets/logo.png
+requires:
+  - name: postgres
+defaultConfig:
+  image: gitea/gitea:1.24.3
+  appName: Gitea
+  domain: gitea.{{ .cloud.domain }}
+  tlsSecretName: wildcard-wild-cloud-tls
+  port: 3000
+  sshPort: 22
+  storage: 10Gi
+  dbName: gitea
+  dbUser: gitea
+  dbHost: postgres.postgres.svc.cluster.local
+  adminUser: admin
+  adminEmail: "admin@{{ .cloud.domain }}"
+  dbPort: 5432
+  timezone: UTC
+  runMode: prod
+  smtp:
+    host: TBD
+    port: 465
+    from: no-reply@{{ .cloud.domain }}
+    user: TBD
+requiredSecrets:
+  - apps.gitea.adminPassword
+  - apps.gitea.dbPassword
+  - apps.gitea.secretKey
+  - apps.gitea.jwtSecret
+  - apps.gitea.smtpPassword
--- a/gitea/namespace.yaml
+++ b/gitea/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gitea
--- a/gitea/pvc.yaml
+++ b/gitea/pvc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gitea-data
+  namespace: gitea
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: longhorn
+  resources:
+    requests:
+      storage: "{{ .apps.gitea.storage }}"
--- a/gitea/service.yaml
+++ b/gitea/service.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitea-http
+  namespace: gitea
+spec:
+  type: ClusterIP
+  ports:
+  - name: http
+    port: 3000
+    targetPort: {{ .apps.gitea.port }}
+  selector:
+    component: web
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitea-ssh
+  namespace: gitea
+spec:
+  type: LoadBalancer
+  ports:
+  - name: ssh
+    port: {{ .apps.gitea.sshPort }}
+    targetPort: 2222
+    protocol: TCP
+  selector:
+    component: web