From d3e75b3e96cd94009f00128a6509672ce399444c Mon Sep 17 00:00:00 2001 
From: WrenIX Date: Wed, 8 Jan 2025 21:21:20 +0100 Subject: [PATCH] fix(mycloud-git-small): add mycloud-git-small alpha (with forgejo and woodpecker) --- base-values/commons.yaml | 2 - base-values/mycloud-core.yaml | 14 ++ base-values/mycloud-git-small.yaml | 19 ++ mycloud-git-small/.helmignore | 23 ++ mycloud-git-small/Chart.yaml | 9 + mycloud-git-small/README.md | 130 ++++++++++++ mycloud-git-small/_docs.gotmpl | 0 .../templates/authentik-application.yaml | 73 +++++++ .../templates/configmap_init_crd.yaml | 14 ++ .../templates/forgejo/release.yaml | 142 +++++++++++++ mycloud-git-small/templates/forgejo/repo.yaml | 10 + .../templates/forgejo/secret.yaml | 12 ++ .../templates/forgejo/traefik.yaml | 16 ++ .../templates/woodpecker/jobs/namespace.yaml | 8 + .../templates/woodpecker/release.yaml | 141 +++++++++++++ .../templates/woodpecker/repo.yaml | 10 + .../templates/woodpecker/secret.yaml | 13 ++ mycloud-git-small/values.yaml | 197 ++++++++++++++++++ 18 files changed, 831 insertions(+), 2 deletions(-) create mode 100644 base-values/mycloud-git-small.yaml create mode 100644 mycloud-git-small/.helmignore create mode 100644 mycloud-git-small/Chart.yaml create mode 100644 mycloud-git-small/README.md create mode 100644 mycloud-git-small/_docs.gotmpl create mode 100644 mycloud-git-small/templates/authentik-application.yaml create mode 100644 mycloud-git-small/templates/configmap_init_crd.yaml create mode 100644 mycloud-git-small/templates/forgejo/release.yaml create mode 100644 mycloud-git-small/templates/forgejo/repo.yaml create mode 100644 mycloud-git-small/templates/forgejo/secret.yaml create mode 100644 mycloud-git-small/templates/forgejo/traefik.yaml create mode 100644 mycloud-git-small/templates/woodpecker/jobs/namespace.yaml create mode 100644 mycloud-git-small/templates/woodpecker/release.yaml create mode 100644 mycloud-git-small/templates/woodpecker/repo.yaml create mode 100644 mycloud-git-small/templates/woodpecker/secret.yaml create mode 100644 
mycloud-git-small/values.yaml diff --git a/base-values/commons.yaml b/base-values/commons.yaml index f6f6146..2f0715e 100644 --- a/base-values/commons.yaml +++ b/base-values/commons.yaml @@ -48,8 +48,6 @@ commons: to: dns: [] k8sAPI: [] - smtp: [] - matrix: [] grafana: datasource: diff --git a/base-values/mycloud-core.yaml b/base-values/mycloud-core.yaml index 15dd97b..65cb4ef 100644 --- a/base-values/mycloud-core.yaml +++ b/base-values/mycloud-core.yaml @@ -27,6 +27,20 @@ commons: annotations: grafana.mon.local/dashboard-folder: "myCloud" + networkpolicies: + to: + smtp: [] + matrix: [] + database: + - ports: + - port: 5432 + protocol: "TCP" + to: + - podSelector: + matchLabels: + app.kubernetes.io/instance: mycloud-services-postgresql + app.kubernetes.io/name: postgresql + redis: replicas: 0 diff --git a/base-values/mycloud-git-small.yaml b/base-values/mycloud-git-small.yaml new file mode 100644 index 0000000..fa6de49 --- /dev/null +++ b/base-values/mycloud-git-small.yaml @@ -0,0 +1,19 @@ +## +# commons are from mycloud-core +## + +components: + mycloud-services: + # patch mycloud-core to get another database + values: + databases: + git-forgejo: + type: postgresql + git-woodpecker: + type: postgresql + + mycloud-git-small: + enabled: true + namespace: + # current namespace + name: diff --git a/mycloud-git-small/.helmignore b/mycloud-git-small/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/mycloud-git-small/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/mycloud-git-small/Chart.yaml b/mycloud-git-small/Chart.yaml new file mode 100644 index 0000000..b5e8aa2 --- /dev/null 
+++ b/mycloud-git-small/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: mycloud-git-small
+description: myCloud component to setup forgjo and codeberg
+type: application
+maintainers:
+ - name: WrenIX
+ url: https://wrenix.eu
+
+version: 0.0.1
diff --git a/mycloud-git-small/README.md b/mycloud-git-small/README.md
new file mode 100644
index 0000000..0b122c7
--- /dev/null
+++ b/mycloud-git-small/README.md
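Review bot: `description` reads "forgjo and codeberg", but the commit installs Forgejo and Woodpecker (the subject line says so) and helm-docs copies this field verbatim into the README; change it to `description: myCloud component to setup Forgejo and Woodpecker CI`. The README added in this commit also shows an empty Url cell for WrenIX although `url: https://wrenix.eu` is set here, which suggests the README was generated from an earlier Chart.yaml; regenerate it after the description is fixed.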
@@ -0,0 +1,130 @@ +--- +title: "mycloud-git-small" + +description: "myCloud component to setup forgjo and codeberg" + +--- + +# mycloud-git-small + +![Version: 0.0.1](https://img.shields.io/badge/Version-0.0.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) + +myCloud component to setup forgjo and codeberg + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| WrenIX | | | + +## Values + +### Commons + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| commons.auth.host | string | `nil` | default auth.(.Values.commons.ingress.domain) | +| commons.masterPassword | string | `"CHANGEME"` | masterPassword to generate secrets | + +### Commons Monitoring + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| commons.grafana.dashboards.annotations | string | `nil` | annotations of grafana dashboard configmap | +| commons.grafana.dashboards.labels | object | `{"grafana_dashboard":"1"}` | labels of grafana dashboard configmap | +| commons.prometheus.monitor.labels | object | `{}` | labels on Pod- and Service-Monitor | +| commons.prometheus.rules.labels | object | `{}` | labels on PrometheusRules | + +### Commons helm release + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| commons.helm.release.driftDetection | object | `{}` | driftDetection of FluxCD HelmRelease | +| commons.helm.release.install | object | `{}` | install of FluxCD HelmRelease | +| commons.helm.release.test | object | `{}` | test of FluxCD HelmRelease | +| commons.helm.release.upgrade | object | `{}` | upgrade of FluxCD HelmRelease | + +### Commons Ingress + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| commons.ingress.annotations | object | `{"cert-manager.io/cluster-issuer":"letsencrypt-prod"}` | annotations for all ingress objects | +| commons.ingress.domain | string | 
`"wrenix.eu"` | top domain for all services | +| commons.ingress.tls.enabled | bool | `true` | tls on every ingress | +| commons.ingress.tls.override | list | `[]` | use own definition of tls (e.g. for own or wildcard certificate) | + +### Commons mail + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| commons.mail.from | string | `nil` | send from address | +| commons.mail.host | string | `""` | smtp server | +| commons.mail.password | string | `""` | smtp password | +| commons.mail.use_ssl | bool | `false` | smtp server use ssl | +| commons.mail.use_tls | bool | `false` | smtp server use start tls | +| commons.mail.username | string | `""` | smtp username | + +### Commons Persistence + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| commons.persistence.hostPath.enabled | bool | `false` | use hostPath instatt of PVC | +| commons.persistence.hostPath.prefix | string | `"/var/lib/mycloud"` | use hostPath under the following path | +| commons.persistence.storageClass | string | `nil` | storageClass of PVC | + +### Commons theme + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| commons.theme.favicon | string | `"/static/dist/assets/icons/icon.png"` | favicon everywhere | +| commons.theme.logo | string | `"/static/dist/assets/icons/icon_left_brand.svg"` | logo everywhere | +| commons.theme.title | string | `"myCloud"` | title everywhere | + +### Commons Tracing + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| commons.tracing.enabled | bool | `false` | enable tracing on all components | +| commons.tracing.grpc.enabled | bool | `true` | prefer grpc over http | +| commons.tracing.grpc.endpoint | string | `"tempo.monitoring.svc:4317"` | grpc endpoint | +| commons.tracing.grpc.insecure | bool | `true` | allow insecure connection per grpc | +| commons.tracing.http.endpoint | string | `"http://tempo.monitoring.svc:4318/v1/traces"` | http 
endpoint | + +### Other Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| auth.clientID | string | `nil` | OIDC client id (default: "mycloud-git-small"-forgejo) | +| auth.clientSecret | string | `nil` | generated by .Values.commons.masterPassword | +| commons.networkpolicies.enabled | bool | `false` | | +| commons.networkpolicies.from.ingress | list | `[]` | | +| commons.networkpolicies.from.metrics | list | `[]` | | +| commons.networkpolicies.to.database | list | `[]` | | +| commons.networkpolicies.to.dns | list | `[]` | | +| databases.forgejo.host | string | `"mycloud-services-postgresql"` | default is from mysql-services | +| databases.forgejo.name | string | `"git-forgejo"` | | +| databases.forgejo.password | string | `nil` | generated by .Values.commons.masterPassword (equal to mycloud-services) | +| databases.forgejo.username | string | `"git-forgejo"` | | +| databases.woodpecker.host | string | `"mycloud-services-postgresql"` | default is from mysql-services | +| databases.woodpecker.name | string | `"git-woodpecker"` | | +| databases.woodpecker.password | string | `nil` | generated by .Values.commons.masterPassword (equal to mycloud-services) | +| databases.woodpecker.username | string | `"git-woodpecker"` | | +| forgejo | string | `nil` | | +| ingress.forgejo.annotations | string | `nil` | | +| ingress.forgejo.host | string | `nil` | default: git.(Values.commons.ingress.domain) | +| ingress.woodpecker.annotations | string | `nil` | | +| ingress.woodpecker.host | string | `nil` | default: ci.(Values.commons.ingress.domain) | +| init.namespace | string | `"bases"` | | +| init.version | int | `0` | | +| mail.from | string | `nil` | generade by Values.commons.mail.from | +| mail.host | string | `nil` | default Values.commons.mail.host | +| persistence.forgejo.size | string | `"16Gi"` | | +| persistence.forgejo.storageClass | string | `nil` | | +| traefik.enabled | bool | `true` | | +| woodpecker.admins | list | `[]` | 
admins of woodpecker (manage manuelle) | +| woodpecker.auth.clientID | string | `""` | need to be manuelle set, after setup on forgejo | +| woodpecker.auth.clientSecret | string | `""` | need to be manuelle set, after setup on forgejo | +| woodpecker.jobs.namespace.create | bool | `true` | | +| woodpecker.jobs.namespace.name | string | `"woodpecker"` | | + +Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs) diff --git a/mycloud-git-small/_docs.gotmpl b/mycloud-git-small/_docs.gotmpl new file mode 100644 index 0000000..e69de29 diff --git a/mycloud-git-small/templates/authentik-application.yaml b/mycloud-git-small/templates/authentik-application.yaml new file mode 100644 index 0000000..babc404 --- /dev/null +++ b/mycloud-git-small/templates/authentik-application.yaml 
@@ -0,0 +1,73 @@ +{{ $name := printf "%s-forgejo" .Release.Name }} +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: {{ .Release.Name }}-auth +spec: + chart: + spec: + sourceRef: + kind: GitRepository + name: "wrenix-helm-charts" + namespace: "flux-system" + chart: "./authentik-application" + reconcileStrategy: "Revision" + install: + {{- toYaml .Values.commons.helm.release.install | nindent 4 }} + test: + {{- toYaml .Values.commons.helm.release.test | nindent 4 }} + upgrade: + {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }} + driftDetection: + {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }} + interval: 10m + values: + {{- $host := .Values.ingress.host | default (printf "git.%s" .Values.commons.ingress.domain) }} + blueprint: + authentik: + domain: "https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}" + provider: + type: "oidc" + name: {{ $name }} + oidc: + clientType: "confidential" + redirectURL: "https://{{ $host }}/user/oauth2/authentik/callback" + clientID: {{ .Values.auth.clientID | default $name | quote }} + clientSecret: {{ .Values.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "git-forgejo" "auth.clientSecret") | quote }} + signingKey: "authentik Self-signed Certificate" + scopes: + - name: "authentik default OAuth Mapping: OpenID 'openid'" + - name: "authentik default OAuth Mapping: OpenID 'email'" + - name: "authentik gitea OAuth Mapping: OpenID 'gitea'" + scope_name: gitea + expression: |- + groups = [group.name for group in user.ak_groups.all()] + gitea = {} + if user.is_superuser: + gitea = "admin" + if "admin" not in groups: + groups.append("admin") + else: + gitea = "user" + + return { + "nickname": request.user.username, + "groups": groups, + "gitea": gitea + } + + groups: + - slug: "mycloud - users" + bindID: "cefc0c13-49fa-4374-a909-e201a88a473b" + + application: + policyEngineMode: "any" + 
openInNewTab: true
+ publisher: "WrenIX's myCloud"
+ slug: {{ $name }}
+ group: "Communication"
+ name: "Forgejo"
+ launchURL: "https://{{ $host }}"
+ icon: "https://{{ $host }}/assets/img/logo.png"
+ description: "With GoToSocial, you can keep in touch with your friends, post, read, and share images and articles. All without being tracked or advertised to!"
diff --git a/mycloud-git-small/templates/configmap_init_crd.yaml b/mycloud-git-small/templates/configmap_init_crd.yaml
new file mode 100644
index 0000000..f82bbe4
--- /dev/null
+++ b/mycloud-git-small/templates/configmap_init_crd.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-init
+ namespace: "{{ .Values.init.namespace }}"
+data:
+ {{- if and
+ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule")
+ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor")
+ }}
+ init: "-1"
+ {{- else }}
+ init: "{{ add1 .Values.init.version }}"
+ {{- end }}
diff --git a/mycloud-git-small/templates/forgejo/release.yaml b/mycloud-git-small/templates/forgejo/release.yaml
new file mode 100644
index 0000000..c90e739
--- /dev/null
+++ b/mycloud-git-small/templates/forgejo/release.yaml
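Review bot: `$host` is looked up as `.Values.ingress.host`, but values.yaml in this commit defines the key as `ingress.forgejo.host`, so a custom Git hostname is silently ignored and `redirectURL`, `launchURL` and `icon` always get the `git.<domain>` default; the same lookup appears in templates/forgejo/release.yaml and templates/forgejo/traefik.yaml, and both release templates read `.Values.ingress.annotations` where values.yaml has `ingress.forgejo.annotations` / `ingress.woodpecker.annotations`. Change the lookup to `{{- $host := .Values.ingress.forgejo.host | default (printf "git.%s" .Values.commons.ingress.domain) }}` and read the per-component annotations keys in the two releases. The application `description` is still the GoToSocial text and `group: "Communication"` follows it, so the user-facing entry in authentik describes a different component; a Forgejo-specific description and a group such as `"Development"` are needed here.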
@@ -0,0 +1,142 @@ +{{ $name := printf "%s-forgejo" .Release.Name }} +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: {{ $name }} +spec: + chartRef: + kind: OCIRepository + name: "{{ .Release.Name }}-forgejo" + install: + {{- toYaml .Values.commons.helm.release.install | nindent 4 }} + test: + {{- toYaml .Values.commons.helm.release.test | nindent 4 }} + upgrade: + {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }} + driftDetection: + {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }} + interval: 10m + valuesFrom: + - kind: Secret + name: {{ $name }} + valuesKey: "DATABASE_PASSWD" + targetPath: "gitea.config.database.PASSWD" + - kind: Secret + name: {{ $name }} + valuesKey: "MAILER_PASSWD" + targetPath: "gitea.config.mailer.PASSWD" + values: + {{- $host := .Values.ingress.host | default (printf "git.%s" .Values.commons.ingress.domain) }} + redis-cluster: + enabled: false + redis: + enabled: true + postgresql-ha: + enabled: false + gitea: + admin: + username: false + password: false + config: + APP_NAME: {{ .Values.commons.theme.title | quote }} + database: + DB_TYPE: postgres + HOST: {{ .Values.databases.forgejo.host | quote }} + USER: {{ .Values.databases.forgejo.username | quote }} + NAME: {{ .Values.databases.forgejo.name | quote }} + mailer: + ENABLED: true + PROTOCOL: "smtp+starttls" + SMTP_ADDR: {{ .Values.mail.host | default .Values.commons.mail.host | quote }} + SMTP_PORT: 587 + USER: {{ .Values.commons.mail.username | quote }} + FROM: {{ .Values.mail.from | default (printf "\"[%s] %s\" <%s>" .Values.commons.theme.title "git" .Values.commons.mail.from) | quote }} + server: + LFS_START_SERVER: true + openid: + ENABLE_OPENID_SIGNUP: false + oauth2_client: + OPENID_CONNECT_SCOPES: "email gitea" + ENABLE_AUTO_REGISTRATION: true + USERNAME: nickname + UPDATE_AVATAR: true + ACCOUNT_LINKING: disabled + service: + DISABLE_REGISTRATION: true + ALLOW_ONLY_EXTERNAL_REGISTRATION: true + picture: + 
DISABLE_GRAVATAR: true + ENABLE_FEDERATED_AVATAR: true + federation: + ENABLED: true + oauth: + - name: "authentik" + provider: "openidConnect" + autoDiscoverUrl: "https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}/application/o/{{ $name }}/" + existingSecret: {{ $name }} + scopes: "email gitea" + groupClaimName: groups + adminGroup: admin + + metrics: + enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }} + serviceMonitor: + enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }} + labels: + {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 12 }} + + ingress: + enabled: true + annotations: + {{- with .Values.commons.ingress.annotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + hosts: + - host: "{{ $host }}" + paths: + - path: / + pathType: Prefix + {{- if .Values.commons.ingress.tls.enabled }} + tls: + {{- with .Values.commons.ingress.tls.override }} + {{- toYaml . | nindent 8 }} + {{- else }} + - secretName: "mycloud-forgejo-cert" + hosts: + - "{{ $host }}" + {{- end }} + {{- end }} + + {{- if .Values.commons.persistence.hostPath.enabled }} + # TODO has no effect + extraInitContainers: + - name: "take-ownership" + image: "alpine:3" + command: ["chown", "-R", "1000:1000", "/data" ] + volumeMounts: + - name: "data" + mountPath: /data + + extraVolumes: + - name: data + hostPath: + path: "{{ .Values.commons.persistence.hostPath.prefix }}/git-small/forgejo" + type: Directory + {{- end }} + + persistence: + enabled: true + {{- with .Values.persistence.forgejo }} + size: {{ .size }} + {{- with .storageClass | default $.Values.commons.persistence.storageClass }} + storageClass: {{ . }} + {{- end }} + {{- if $.Values.commons.persistence.hostPath.enabled }} + create: false + mount: false + {{- end }} + {{- end }} 
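Review bot: the `mailer` block sets `ENABLED: true` unconditionally while `commons.mail.host` defaults to `""` in values.yaml, so a default install configures Forgejo with an empty `SMTP_ADDR` and mail fails at runtime instead of being disabled; tie it to the value, e.g. `ENABLED: {{ not (empty (.Values.mail.host | default .Values.commons.mail.host)) }}`. `DISABLE_REGISTRATION: true` together with `ALLOW_ONLY_EXTERNAL_REGISTRATION: true` deserves a comment, since as far as I recall the Gitea docs state the latter only takes effect while the former is false — if the intent is "accounts only through authentik auto-registration", say so on those lines and confirm the combination does that. The `# TODO has no effect` above `extraInitContainers` should record what was observed (the `chown` init container not being rendered or not running) so the TODO can actually be resolved. This hunk starts at the `@@` line above and is fully visible.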
diff --git a/mycloud-git-small/templates/forgejo/repo.yaml b/mycloud-git-small/templates/forgejo/repo.yaml
new file mode 100644
index 0000000..6c0b768
--- /dev/null
+++ b/mycloud-git-small/templates/forgejo/repo.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+ name: "{{ .Release.Name }}-forgejo"
+spec:
+ url: oci://code.forgejo.org/forgejo-helm/forgejo
+ interval: 5m
+ ref:
+ semver: "^10.1.2"
diff --git a/mycloud-git-small/templates/forgejo/secret.yaml b/mycloud-git-small/templates/forgejo/secret.yaml
new file mode 100644
index 0000000..22d8992
--- /dev/null
+++ b/mycloud-git-small/templates/forgejo/secret.yaml
@@ -0,0 +1,12 @@
+{{- $name := printf "%s-forgejo" .Release.Name }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $name | quote }}
+data:
+ DATABASE_PASSWD: {{ .Values.databases.forgejo.password | default (derivePassword 1 "long" .Values.commons.masterPassword "git-forgejo" "database_password" | b64enc) | b64enc }}
+ MAILER_PASSWD: {{ .Values.commons.mail.password | b64enc }}
+ # for OIDC
+ key: {{ .Values.auth.clientID | default $name | b64enc }}
+ secret: {{ .Values.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "git-forgejo" "auth.clientSecret") | b64enc }}
diff --git a/mycloud-git-small/templates/forgejo/traefik.yaml b/mycloud-git-small/templates/forgejo/traefik.yaml
new file mode 100644
index 0000000..523c48c
--- /dev/null
+++ b/mycloud-git-small/templates/forgejo/traefik.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.traefik.enabled }}
+{{- $host := .Values.ingress.host | default (printf "git.%s" .Values.commons.ingress.domain) }}
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRouteTCP
+metadata:
+ name: {{ .Release.Name }}-forgejo
+spec:
+ entryPoints:
+ - ssh
+ routes:
+ - match: "HostSNI(`*`)"
+ services:
+ - name: {{ .Release.Name }}-forgejo-ssh
+ port: 22
+{{- end }}
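Review bot: `ref.semver: "^10.1.2"` lets Flux follow every new 10.x chart tag from `code.forgejo.org` with no integrity check on the pulled artifact, and templates/woodpecker/repo.yaml does the same with `^2.0.0`. If the publisher signs the OCI charts, Flux's `spec.verify` with `provider: cosign` would tie trust to the signer; otherwise a narrower range such as `~10.1.2` limits unreviewed upgrades. At minimum a comment on the `semver:` line stating the intended upgrade policy would help the next maintainer.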
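Review bot: nothing prevents a render with the default `commons.masterPassword` of `"CHANGEME"` from values.yaml in this commit, and both `DATABASE_PASSWD` and the OIDC `secret` here are derived deterministically from it with public inputs, so an unchanged default yields credentials anyone can recompute. A guard at the top of this template, `{{- if eq .Values.commons.masterPassword "CHANGEME" }}{{ fail "commons.masterPassword must be set" }}{{ end }}`, turns that misconfiguration into a hard render error. The derived default is base64-wrapped once to form the password and once more for the Secret encoding, presumably to match what mycloud-services generates as the README claims; a comment on the `DATABASE_PASSWD` line saying `# the derived value is base64 before it becomes the password; only the outer b64enc is Secret encoding` would keep the next reader from "fixing" the apparent double encoding.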
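Review bot: `$host` is assigned on the second line of this template and never used, so that line can be dropped. The route `HostSNI(\`*\`)` hands everything that arrives on the `ssh` entrypoint to the Forgejo SSH service, which is the only workable match for plain SSH since it carries no SNI; a comment such as `# SSH has no SNI, so the whole entrypoint is dedicated to Forgejo` would explain the wildcard to readers expecting per-host routing. It also means the `ssh` entrypoint cannot be shared with another TCP service later without changing this resource.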
diff --git a/mycloud-git-small/templates/woodpecker/jobs/namespace.yaml b/mycloud-git-small/templates/woodpecker/jobs/namespace.yaml
new file mode 100644
index 0000000..51efdb8
--- /dev/null
+++ b/mycloud-git-small/templates/woodpecker/jobs/namespace.yaml
@@ -0,0 +1,8 @@
+{{- with .Values.woodpecker.jobs.namespace }}
+{{- if .create }}
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: {{ .name }}
+{{- end }}
+{{- end }}
diff --git a/mycloud-git-small/templates/woodpecker/release.yaml b/mycloud-git-small/templates/woodpecker/release.yaml
new file mode 100644
index 0000000..2d00a38
--- /dev/null
+++ b/mycloud-git-small/templates/woodpecker/release.yaml
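Review bot: the namespace created here will run CI job pods on behalf of every Woodpecker user (`WOODPECKER_BACKEND_K8S_NAMESPACE` in templates/woodpecker/release.yaml points at it), but nothing in the commit constrains what those pods may do: no Pod Security Admission label, no NetworkPolicy and no ResourceQuota apply to it. Labelling the namespace at creation is the cheapest first step — under `metadata:` add `labels:` with `pod-security.kubernetes.io/enforce: baseline` — provided no pipeline needs privileged steps. A NetworkPolicy for this namespace would be the natural counterpart of the agent and server policies the release template adds when `commons.networkpolicies.enabled` is set.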
@@ -0,0 +1,141 @@ +{{- $name := printf "%s-woodpecker" .Release.Name }} +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: {{ $name | quote }} +spec: + chartRef: + kind: OCIRepository + name: {{ $name | quote }} + install: + {{- toYaml .Values.commons.helm.release.install | nindent 4 }} + test: + {{- toYaml .Values.commons.helm.release.test | nindent 4 }} + upgrade: + {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }} + driftDetection: + {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }} + interval: 10m + values: + {{- $hostCI := .Values.ingress.woodpecker.host | default (printf "ci.%s" .Values.commons.ingress.domain) }} + {{- $hostGit := .Values.ingress.woodpecker.host | default (printf "git.%s" .Values.commons.ingress.domain) }} + agent: + replicaCount: 1 + env: + WOODPECKER_MAX_WORKFLOWS: 4 + WOODPECKER_BACKEND_K8S_NAMESPACE: {{ .Values.woodpecker.jobs.namespace.name }} + WOODPECKER_BACKEND_K8S_STORAGE_RWX: false + WOODPECKER_BACKEND_K8S_POD_LABELS_ALLOW_FROM_STEP: true + WOODPECKER_BACKEND_K8S_POD_LABELS: | + { + "app.kubernetes.io/name": "server", + "app.kubernetes.io/instance": "{{.Release.Namespace }}-{{ $name }}", + "app.kubernetes.io/component": "job" + } + WOODPECKER_SERVER: "{{ $name }}-server:9000" + {{- if .Values.commons.networkpolicies.enabled }} + networkPolicy: + enabled: true + egress: + enabled: true + dns: + {{- toYaml .Values.commons.networkpolicies.to.dns | nindent 12 }} + apiserver: + {{- toYaml .Values.commons.networkpolicies.to.k8sAPI | nindent 12 }} + server: + to: + - podSelector: + matchLabels: + app.kubernetes.io/name: server + app.kubernetes.io/instance: {{ $name }} + {{- end }} + persistentVolume: + enabled: false + server: + env: + WOODPECKER_OPEN: "true" + WOODPECKER_HOST: {{ printf "https://%s" $hostCI | quote }} + WOODPECKER_FORGEJO: "true" + WOODPECKER_FORGEJO_URL: {{ printf "https://%s" $hostGit | quote }} + WOODPECKER_ADMIN: {{ join "," .Values.woodpecker.admins | 
quote }} + WOODPECKER_DATABASE_DRIVER: postgres + WOODPECKER_LOG_FILE: "stdout" + podAnnotations: + config-hash: {{ include (print $.Template.BasePath "/woodpecker/secret.yaml") . | sha256sum }} + extraSecretNamesForEnvFrom: + - {{ $name }} + metrics: + enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PodMonitor") }} + prometheus: + podmonitor: + enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PodMonitor") }} + labels: + {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 12 }} + rules: + enabled: true + labels: + {{- toYaml .Values.commons.prometheus.rules.labels | nindent 12 }} + grafana: + dashboards: + enabled: true + labels: + {{- toYaml .Values.commons.grafana.dashboards.labels | nindent 12 }} + annotations: + {{- toYaml .Values.commons.grafana.dashboards.annotations | nindent 12 }} + + ingress: + enabled: true + annotations: + {{- with .Values.commons.ingress.annotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + hosts: + - host: {{ $hostCI }} + paths: + - path: / + {{- if .Values.commons.ingress.tls.enabled }} + tls: + {{- with .Values.commons.ingress.tls.override }} + {{- toYaml . | nindent 8 }} + {{- else }} + - secretName: "mycloud-woodpecker-cert" + hosts: + - "{{ $hostCI }}" + {{- end }} + {{- end }} + {{- if .Values.commons.networkpolicies.enabled }} + networkPolicy: + enabled: true + ingress: + http: + {{- toYaml .Values.commons.networkpolicies.from.ingress | nindent 12 }} + metrics: + {{- toYaml .Values.commons.networkpolicies.from.metrics | nindent 12 }} + grpc: + - podSelector: + matchLabels: + app.kubernetes.io/name: agent + app.kubernetes.io/instance: "{{ .Release.Name }}-woodpecker" + egress: + enabled: true + dns: + {{- toYaml .Values.commons.networkpolicies.to.dns | nindent 12 }} + database: + {{- with .Values.commons.networkpolicies.to.database }} + {{- toYaml . 
| nindent 12 }}
+ {{- end }}
+ extra:
+ {{/* need to call git instance*/}}
+ - ports:
+ - port: 443
+ protocol: TCP
+ to:
+ {{- toYaml .Values.commons.networkpolicies.from.ingress | nindent 16 }}
+
+ {{- end }}
+ persistentVolume:
+ enabled: false
diff --git a/mycloud-git-small/templates/woodpecker/repo.yaml b/mycloud-git-small/templates/woodpecker/repo.yaml
new file mode 100644
index 0000000..1ce1ab4
--- /dev/null
+++ b/mycloud-git-small/templates/woodpecker/repo.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+ name: "{{ .Release.Name }}-woodpecker"
+spec:
+ url: oci://ghcr.io/woodpecker-ci/helm/woodpecker
+ interval: 10m
+ ref:
+ semver: "^2.0.0"
diff --git a/mycloud-git-small/templates/woodpecker/secret.yaml b/mycloud-git-small/templates/woodpecker/secret.yaml
new file mode 100644
index 0000000..a640812
--- /dev/null
+++ b/mycloud-git-small/templates/woodpecker/secret.yaml
@@ -0,0 +1,13 @@
+{{- $name := printf "%s-woodpecker" .Release.Name }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $name | quote }}
+data:
+ {{- with .Values.databases.woodpecker }}
+ {{- $db_pass := .password | default (derivePassword 1 "long" $.Values.commons.masterPassword "git-woodpecker" "database_password" | b64enc) }}
+ WOODPECKER_DATABASE_DATASOURCE: {{ printf "postgres://%s:%s@%s/%s?sslmode=disable" .username $db_pass .host .name | b64enc }}
+ {{- end }}
+ WOODPECKER_FORGEJO_CLIENT: {{ .Values.woodpecker.auth.clientID | b64enc }}
+ WOODPECKER_FORGEJO_SECRET: {{ .Values.woodpecker.auth.clientSecret | b64enc }}
diff --git a/mycloud-git-small/values.yaml b/mycloud-git-small/values.yaml
new file mode 100644
index 0000000..e14f961
--- /dev/null
+++ b/mycloud-git-small/values.yaml
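Review bot: `$hostGit` is derived from `.Values.ingress.woodpecker.host`, so an operator who sets a custom CI hostname also rewrites `WOODPECKER_FORGEJO_URL` to that CI host and the server can no longer reach Forgejo; the Git URL has to come from the Forgejo ingress value: `{{- $hostGit := .Values.ingress.forgejo.host | default (printf "git.%s" .Values.commons.ingress.domain) }}`. `WOODPECKER_OPEN: "true"` lets every Forgejo account register itself on the CI server rather than only the listed `WOODPECKER_ADMIN` users; if that is intended for this deployment, a one-line comment above it stating so would save the next reviewer the question. The `extra` egress rule reuses `commons.networkpolicies.from.ingress` as a `to` selector, which is fine only while that list holds pod selectors rather than `ipBlock` or namespace entries; a comment noting that assumption next to `{{/* need to call git instance*/}}` would help.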
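Review bot: the derived password in `$db_pass` ends with `| b64enc`, so it can contain `/`, `+` and `=`, and it is spliced raw into the userinfo part of the `postgres://` URL where a `/` terminates the authority and breaks host parsing; escape it, e.g. `WOODPECKER_DATABASE_DATASOURCE: {{ printf "postgres://%s:%s@%s/%s?sslmode=disable" .username (urlquery $db_pass) .host .name | b64enc }}` (`urlquery` is a text/template builtin available in Helm, and percent-encoding is undone by URL parsers when the password is read). The hard-coded `sslmode=disable` sends the credential and all queries to the database in clear text; exposing it as a value, e.g. `databases.woodpecker.sslmode`, lets a TLS-capable Postgres be used with `require` or stricter without editing the template. With the defaults `WOODPECKER_FORGEJO_CLIENT` and `WOODPECKER_FORGEJO_SECRET` are empty strings, which the values file documents as a manual post-setup step; a comment on those two lines pointing at that step would help someone debugging a failing OAuth login.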
@@ -0,0 +1,197 @@ +init: + version: 0 + namespace: "bases" + +commons: + # -- masterPassword to generate secrets + # @section -- Commons + masterPassword: "CHANGEME" + + auth: + # -- default auth.(.Values.commons.ingress.domain) + # @section -- Commons + host: + + theme: + # -- title everywhere + # @section -- Commons theme + title: myCloud + # -- logo everywhere + # @section -- Commons theme + logo: /static/dist/assets/icons/icon_left_brand.svg + # -- favicon everywhere + # @section -- Commons theme + favicon: /static/dist/assets/icons/icon.png + + mail: + # -- smtp server + # @section -- Commons mail + host: "" + # -- smtp username + # @section -- Commons mail + username: "" + # -- smtp password + # @section -- Commons mail + password: "" + # -- send from address + # @section -- Commons mail + from: + # -- smtp server use start tls + # @section -- Commons mail + use_tls: false + # -- smtp server use ssl + # @section -- Commons mail + use_ssl: false + + persistence: + # -- storageClass of PVC + # @section -- Commons Persistence + storageClass: + hostPath: + # -- use hostPath instatt of PVC + # @section -- Commons Persistence + enabled: false + # -- use hostPath under the following path + # @section -- Commons Persistence + prefix: "/var/lib/mycloud" + + helm: + release: + # -- install of FluxCD HelmRelease + # @section -- Commons helm release + install: {} + # -- test of FluxCD HelmRelease + # @section -- Commons helm release + test: {} + # -- upgrade of FluxCD HelmRelease + # @section -- Commons helm release + upgrade: {} + # -- driftDetection of FluxCD HelmRelease + # @section -- Commons helm release + driftDetection: {} + + ingress: + # -- top domain for all services + # @section -- Commons Ingress + domain: "wrenix.eu" + # -- annotations for all ingress objects + # @section -- Commons Ingress + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + tls: + # -- tls on every ingress + # @section -- Commons Ingress + enabled: true + # -- use own 
definition of tls (e.g. for own or wildcard certificate) + # @section -- Commons Ingress + override: [] + + networkpolicies: + enabled: false + from: + ingress: [] + metrics: [] + to: + dns: [] + database: [] + + prometheus: + monitor: + # -- labels on Pod- and Service-Monitor + # @section -- Commons Monitoring + labels: {} + rules: + # -- labels on PrometheusRules + # @section -- Commons Monitoring + labels: {} + + grafana: + dashboards: + # -- labels of grafana dashboard configmap + # @section -- Commons Monitoring + labels: + grafana_dashboard: "1" + # -- annotations of grafana dashboard configmap + # @section -- Commons Monitoring + annotations: + + tracing: + # -- enable tracing on all components + # @section -- Commons Tracing + enabled: false + http: + # -- http endpoint + # @section -- Commons Tracing + endpoint: "http://tempo.monitoring.svc:4318/v1/traces" + grpc: + # -- prefer grpc over http + # @section -- Commons Tracing + enabled: true + # -- allow insecure connection per grpc + # @section -- Commons Tracing + insecure: true + # -- grpc endpoint + # @section -- Commons Tracing + endpoint: "tempo.monitoring.svc:4317" + +auth: + # -- OIDC client id (default: "mycloud-git-small"-forgejo) + clientID: + # -- generated by .Values.commons.masterPassword + clientSecret: + + +ingress: + forgejo: + # -- default: git.(Values.commons.ingress.domain) + host: + annotations: + woodpecker: + # -- default: ci.(Values.commons.ingress.domain) + host: + annotations: + +traefik: + enabled: true + +databases: + forgejo: + # -- default is from mysql-services + host: mycloud-services-postgresql + name: git-forgejo + username: git-forgejo + # -- generated by .Values.commons.masterPassword (equal to mycloud-services) + password: + woodpecker: + # -- default is from mysql-services + host: mycloud-services-postgresql + name: git-woodpecker + username: git-woodpecker + # -- generated by .Values.commons.masterPassword (equal to mycloud-services) + password: + +mail: + # -- generade 
by Values.commons.mail.from + from: + # -- default Values.commons.mail.host + host: + +persistence: + forgejo: + storageClass: + size: 16Gi + +woodpecker: + auth: + # -- need to be manuelle set, after setup on forgejo + clientID: "" + # -- need to be manuelle set, after setup on forgejo + clientSecret: "" + # -- admins of woodpecker (manage manuelle) + admins: [] + jobs: + namespace: + create: true + name: "woodpecker" + +forgejo:
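Review bot: `commons.networkpolicies.to` declares only `dns` and `database`, yet templates/woodpecker/release.yaml renders `.Values.commons.networkpolicies.to.k8sAPI` under `apiserver:` whenever `commons.networkpolicies.enabled` is true, so with the chart's own defaults that key renders as `null` instead of an empty rule list (base-values/commons.yaml supplies it, but the chart should stand on its own); add `k8sAPI: []` beside `dns: []`. `masterPassword: "CHANGEME"` is a deterministic input to every `derivePassword` call in the templates, so the `# --` comment above it should say that the value must be replaced before any secret is generated. The trailing `forgejo:` key is a bare null with no description, which helm-docs already lists as an unexplained string; either give it a documented purpose or drop it. This hunk starts at the top of the values file several physical lines above and ends here.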