repo refactoring continuous-deploy prep
This commit is contained in:
@@ -1,60 +0,0 @@
|
||||
# Deploy
|
||||
|
||||
- [kubernetes Namespace](#kubernetes-namespace)
|
||||
- [Backups](#backups)
|
||||
- [secrets](#secrets)
|
||||
- [Proxmox Backup Server (kubernetes cron job)](#proxmox-backup-server-kubernetes-cron-job)
|
||||
- [Borg and Offsite sync (kubernetes cron job)](#borg-and-offsite-sync-kubernetes-cron-job)
|
||||
|
||||
```bash
|
||||
# run for setup/update
|
||||
# using helm chart
|
||||
./setup.sh
|
||||
```
|
||||
|
||||
## kubernetes Namespace
|
||||
|
||||
```yaml
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: git-limbosolutions-com
|
||||
labels:
|
||||
name: git-limbosolutions-com
|
||||
|
||||
```
|
||||
|
||||
## Backups
|
||||
|
||||
### secrets
|
||||
|
||||
```bash
|
||||
set -a
|
||||
source ./backups/.env
|
||||
set +a
|
||||
envsubst < ./backups/backup-secrets.yaml | kubectl apply -n git-limbosolutions-com -f -
|
||||
|
||||
SSH_ID_RSA=$(echo -n "$SSH_ID_RSA" | base64 -w 0)
|
||||
BORG_KEY=$(echo -n "$BORG_KEY" | base64 -w 0)
|
||||
|
||||
kubectl patch secret gitea-backup-secret --patch "{\"data\":{\"ssh_id_rsa\":\"$SSH_ID_RSA\"}}" -n git-limbosolutions-com
|
||||
kubectl patch secret gitea-backup-secret --patch "{\"data\":{\"borg_key\":\"$BORG_KEY\"}}" -n git-limbosolutions-com
|
||||
```
|
||||
|
||||
### Proxmox Backup Server (kubernetes cron job)
|
||||
|
||||
```bash
|
||||
# deploy cronjon
|
||||
kubectl apply -f ./backups/backup-pbs-cronjob.yaml -n git-limbosolutions-com
|
||||
```
|
||||
|
||||
[kubernetes cron job](./backups/backup-pbs-cronjob.yaml)
|
||||
|
||||
### Borg and Offsite sync (kubernetes cron job)
|
||||
|
||||
```bash
|
||||
# deploy cronjon
|
||||
kubectl apply -f ./backups/backup-borg-offsite-cronjob.yaml -n git-limbosolutions-com
|
||||
```
|
||||
|
||||
[kubernetes cron job](./backups/borgbackup-offsite-cronjob.yaml)
|
||||
@@ -1,156 +0,0 @@
|
||||
|
||||
apiVersion: batch/v1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: backup-borg-offsite
|
||||
namespace: git-limbosolutions-com
|
||||
spec:
|
||||
schedule: "0 16 * * 0" #every sunday at 4pm
|
||||
jobTemplate:
|
||||
spec:
|
||||
backoffLimit: 1
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: offsite-backup
|
||||
spec:
|
||||
restartPolicy: Never
|
||||
initContainers:
|
||||
- name: postgres-export
|
||||
image: postgres:latest
|
||||
command: ["sh", "-c"]
|
||||
args:
|
||||
- |
|
||||
set -e
|
||||
. /root/.gitea-inline-config/database
|
||||
export PGPASSWORD=$PASSWD
|
||||
pg_dump -h gitea-postgresql.git-limbosolutions-com.svc.cluster.local -U $USER -d $NAME > /data/postgresql-export/db_backup.sql
|
||||
|
||||
volumeMounts:
|
||||
|
||||
- name: backup-var-data
|
||||
mountPath: /data/postgresql-export
|
||||
subPath: postgresql-export
|
||||
|
||||
- name: gitea-inline-config
|
||||
mountPath: /root/.gitea-inline-config
|
||||
readOnly: true
|
||||
|
||||
|
||||
|
||||
containers:
|
||||
- name: borg-client
|
||||
image: git.limbosolutions.com/kb/borg-backup:latest
|
||||
imagePullPolicy: Always
|
||||
# resources:
|
||||
# limits:
|
||||
# memory: "512Mi"
|
||||
# cpu: "500m"
|
||||
# requests:
|
||||
# memory: "256Mi"
|
||||
# cpu: "250m"
|
||||
env:
|
||||
- name: BORG_REPO
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gitea-backup-secret
|
||||
key: borg_repo
|
||||
|
||||
- name: BORG_PASSPHRASE
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gitea-backup-secret
|
||||
key: borg_passphrase
|
||||
|
||||
|
||||
- name: OFFSITE_TARGET_FOLDER
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gitea-backup-secret
|
||||
key: offsite_target_folder
|
||||
|
||||
|
||||
- name: BORG_RSH
|
||||
value: ssh -p 2222 -o StrictHostKeyChecking=no -o LogLevel=ERROR
|
||||
|
||||
- name: REPO_SYNC_MAX_SIZE
|
||||
value: "10737418240" # 10GB
|
||||
|
||||
- name: MODE
|
||||
value: SHELL
|
||||
|
||||
|
||||
args:
|
||||
- |
|
||||
set -e
|
||||
|
||||
SCRIPT_START_TIME=$(date +%s)
|
||||
|
||||
# while true; do
|
||||
# sleep 5
|
||||
# done
|
||||
|
||||
borg create ${BORG_REPO}::postgresql-export-$(date +%Y%m%d%H%M%S) /data/postgresql-export
|
||||
borg create ${BORG_REPO}::gitea-data-$(date +%Y%m%d%H%M%S) /data/gitea-data
|
||||
|
||||
#cleanup
|
||||
borg prune -v --list --keep-daily=10 --keep-weekly=7 --keep-monthly=-1 ${BORG_REPO} --glob-archives='gitea-data*'
|
||||
borg prune -v --list --keep-daily=10 --keep-weekly=7 --keep-monthly=-1 ${BORG_REPO} --glob-archives='postgresql-export*'
|
||||
borg compact ${BORG_REPO}
|
||||
|
||||
# check repo size
|
||||
REPO_SIZE_IN_BYTES=$(remote-get-folder-size)
|
||||
echo "Repository size: $((REPO_SIZE_IN_BYTES / 1024 / 1024))MB"
|
||||
|
||||
if [ $REPO_SIZE_IN_BYTES -gt $REPO_SYNC_MAX_SIZE ]; then \
|
||||
echo "ERROR: Repository size $((REPO_SIZE_IN_BYTES / 1024 / 1024))MB exceeds $((REPO_SYNC_MAX_SIZE / 1024 / 1024))MB";
|
||||
exit 1;
|
||||
else
|
||||
# Repository size is within limits for offsite sync
|
||||
# ssh to backup server and enforce rclone to onedrive
|
||||
remote-connect "rclone sync $SSH_FOLDER $OFFSITE_TARGET_FOLDER --progress" && \
|
||||
echo "INFO: Finished Backup of git.limbosolutions.com (offsite) ($((SCRIPT_DURATION / 60 / 60)):$((SCRIPT_DURATION / 60)):$((SCRIPT_DURATION % 60))) "
|
||||
fi
|
||||
|
||||
#outputs info
|
||||
borg info ${BORG_REPO}
|
||||
#borg info ${BORG_REPO} --json
|
||||
|
||||
volumeMounts:
|
||||
- name: gitea-data
|
||||
mountPath: /data/gitea-data
|
||||
|
||||
- name: backup-var-data
|
||||
mountPath: /data/postgresql-export
|
||||
subPath: postgresql-export
|
||||
|
||||
- name: gitea-backup-secret
|
||||
mountPath: /root/.ssh/id_rsa
|
||||
subPath: ssh_id_rsa
|
||||
readOnly: true
|
||||
|
||||
- name: gitea-backup-secret
|
||||
mountPath: /app/borg/key
|
||||
subPath: borg_key
|
||||
|
||||
volumes:
|
||||
|
||||
- name: gitea-data
|
||||
persistentVolumeClaim:
|
||||
claimName: gitea-shared-storage
|
||||
|
||||
- name: gitea-inline-config
|
||||
secret:
|
||||
secretName: gitea-inline-config
|
||||
|
||||
- name: gitea-backup-secret
|
||||
secret:
|
||||
secretName: gitea-backup-secret
|
||||
defaultMode: 0600
|
||||
|
||||
- name: backup-var-data
|
||||
emptyDir: {}
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -1,109 +0,0 @@
|
||||
apiVersion: batch/v1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: backup-pbs
|
||||
namespace: git-limbosolutions-com
|
||||
spec:
|
||||
schedule: "0 1 * * *"
|
||||
jobTemplate:
|
||||
spec:
|
||||
backoffLimit: 1
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: pbs-backup
|
||||
spec:
|
||||
restartPolicy: Never
|
||||
initContainers:
|
||||
- name: postgres-export
|
||||
image: postgres:latest
|
||||
command: ["sh", "-c"]
|
||||
args:
|
||||
- |
|
||||
#echo "INFO: Starting export"
|
||||
. /root/.gitea-inline-config/database
|
||||
export PGPASSWORD=$PASSWD
|
||||
#echo "INFO: Exporting database"
|
||||
pg_dump -h gitea-postgresql.git-limbosolutions-com.svc.cluster.local -U $USER -d $NAME > /data/postgresql-export/db_backup.sql
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "ERROR: Exporting database failed"
|
||||
exit 1
|
||||
fi
|
||||
#echo "INFO: Exporting database finished"
|
||||
|
||||
volumeMounts:
|
||||
|
||||
- name: backup-run-data
|
||||
mountPath: /data/postgresql-export
|
||||
subPath: postgresql-export
|
||||
|
||||
- name: gitea-inline-config
|
||||
mountPath: /root/.gitea-inline-config
|
||||
readOnly: true
|
||||
|
||||
containers:
|
||||
- name: gitea-pbs-client
|
||||
image: git.limbosolutions.com/kb/pbsclient
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: MODE
|
||||
value: shell
|
||||
- name: PBS_REPOSITORY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gitea-backup-secret
|
||||
key: pbs_repository
|
||||
- name: PBS_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gitea-backup-secret
|
||||
key: pbs_password
|
||||
- name: PBS_FINGERPRINT
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gitea-backup-secret
|
||||
key: pbs_fingerprint
|
||||
|
||||
command: ["bash", "-c"]
|
||||
args:
|
||||
- |
|
||||
set -e
|
||||
# while true; do
|
||||
# sleep 1s
|
||||
# done
|
||||
SCRIPT_START_TIME=$(date +%s)
|
||||
proxmox-backup-client backup gitea-data.pxar:/data/gitea-data postgresql-data.pxar:/data/postgresql-data postgresql-export.pxar:/data/postgresql-export --include-dev /data/postgresql-data --include-dev /data/postgresql-export --include-dev /data/gitea-data --backup-id "gitea-full" -ns git.limbosolutions.com
|
||||
SCRIPT_DURATION=$(($(date +%s) - SCRIPT_START_TIME))
|
||||
echo "INFO: Finished Backup of git.limbosolutions.com ($((SCRIPT_DURATION / 60 / 60)):$((SCRIPT_DURATION / 60)):$((SCRIPT_DURATION % 60))) "
|
||||
|
||||
volumeMounts:
|
||||
- name: gitea-shared-storage
|
||||
mountPath: /data/gitea-data
|
||||
|
||||
- name: db-postgresql-data
|
||||
mountPath: /data/postgresql-data
|
||||
|
||||
- name: backup-run-data
|
||||
mountPath: /data/postgresql-export
|
||||
subPath: postgresql-export
|
||||
|
||||
- name: backup-run-data
|
||||
mountPath: /tmp
|
||||
subPath: tmp
|
||||
|
||||
|
||||
volumes:
|
||||
- name: gitea-shared-storage
|
||||
persistentVolumeClaim:
|
||||
claimName: gitea-shared-storage
|
||||
|
||||
- name: db-postgresql-data
|
||||
persistentVolumeClaim:
|
||||
claimName: data-gitea-postgresql-0
|
||||
|
||||
- name: backup-run-data
|
||||
emptyDir: {}
|
||||
|
||||
- name: gitea-inline-config
|
||||
secret:
|
||||
secretName: gitea-inline-config
|
||||
@@ -1,17 +0,0 @@
|
||||
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: gitea-backup-secret
|
||||
namespace: git-limbosolutions-com
|
||||
type: Opaque
|
||||
stringData:
|
||||
pbs_repository: ${PBS_REPOSITORY}
|
||||
pbs_password: ${PBS_PASSWORD}
|
||||
pbs_fingerprint: ${PBS_FINGERPRINT}
|
||||
borg_repo: ${BORG_REPO}
|
||||
borg_passphrase: ${BORG_PASSPHRASE}
|
||||
offsite_target_folder: ${OFFSITE_TARGET_FOLDER}
|
||||
#SSH_ID_RSA: ""
|
||||
#BORG_KEY: ""
|
||||
|
||||
@@ -1,61 +0,0 @@
|
||||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: borgbackup-sidekick
|
||||
namespace: git-limbosolutions-com
|
||||
labels:
|
||||
app: borgbackup-sidekick
|
||||
spec:
|
||||
containers:
|
||||
- name: borgbackup-sidekick
|
||||
image: git.limbosolutions.com/kb/borg-backup:latest
|
||||
imagePullPolicy: Always
|
||||
resources:
|
||||
limits:
|
||||
memory: "512Mi"
|
||||
cpu: "500m"
|
||||
requests:
|
||||
memory: "256Mi"
|
||||
cpu: "250m"
|
||||
env:
|
||||
- name: BORG_REPO
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gitea-backup-secret
|
||||
key: borg_repo
|
||||
|
||||
- name: BORG_PASSPHRASE
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gitea-backup-secret
|
||||
key: borg_passphrase
|
||||
|
||||
- name: BORG_RSH
|
||||
value: ssh -p 2222 -o StrictHostKeyChecking=no -o LogLevel=ERROR
|
||||
|
||||
- name: borg_key_file
|
||||
value: /root/.borg/key
|
||||
|
||||
command: ["sh", "-c"]
|
||||
args:
|
||||
- |
|
||||
while true; do
|
||||
sleep 1s
|
||||
done
|
||||
|
||||
volumeMounts:
|
||||
|
||||
- name: gitea-backup-secret
|
||||
mountPath: /root/.ssh/id_rsa
|
||||
subPath: ssh_id_rsa
|
||||
readOnly: true
|
||||
|
||||
- name: gitea-backup-secret
|
||||
mountPath: /app/borg/key
|
||||
subPath: borg_key
|
||||
volumes:
|
||||
- name: gitea-backup-secret
|
||||
secret:
|
||||
secretName: gitea-backup-secret
|
||||
defaultMode: 0600
|
||||
|
||||
@@ -1,9 +0,0 @@
|
||||
helm repo add gitea-charts https://dl.gitea.com/charts/
|
||||
helm repo update
|
||||
|
||||
helm upgrade --install gitea gitea-charts/gitea \
|
||||
--values ./values.yaml \
|
||||
--values ./values.private.yaml \
|
||||
--namespace=git-limbosolutions-com
|
||||
|
||||
kubectl apply -f ./ssh-ingress.yaml
|
||||
@@ -1,17 +0,0 @@
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: IngressRouteTCP
|
||||
metadata:
|
||||
name: git-limbosolutions-com-ssh-ingress
|
||||
namespace: git-limbosolutions-com
|
||||
spec:
|
||||
entryPoints:
|
||||
- ssh-git
|
||||
routes:
|
||||
- match: HostSNI(`*`)
|
||||
services:
|
||||
- name: gitea-ssh
|
||||
port: 2222
|
||||
weight: 10
|
||||
terminationDelay: 90000
|
||||
proxyProtocol:
|
||||
version: 1
|
||||
@@ -1,146 +0,0 @@
|
||||
image:
|
||||
registry: ""
|
||||
repository: gitea/gitea
|
||||
pullPolicy: Always
|
||||
tag: "1"
|
||||
|
||||
cache:
|
||||
enabled: false
|
||||
|
||||
valkey-cluster:
|
||||
enabled: false
|
||||
|
||||
valkey:
|
||||
enabled: true
|
||||
architecture: standalone
|
||||
global:
|
||||
valkey:
|
||||
password: "????"
|
||||
master:
|
||||
count: 1
|
||||
service:
|
||||
ports:
|
||||
valkey: 6379
|
||||
|
||||
postgresql:
|
||||
enabled: true
|
||||
image:
|
||||
registry: ""
|
||||
repository: bitnami/postgresql
|
||||
tag: 16
|
||||
imagePullPolicy: IfNotPresent
|
||||
global:
|
||||
postgresql:
|
||||
# volumePermissions:
|
||||
# enabled: true
|
||||
auth:
|
||||
postgresPassword: "???"
|
||||
password: "???"
|
||||
database: "???"
|
||||
username: "???"
|
||||
service:
|
||||
ports:
|
||||
postgresql: "???"
|
||||
primary:
|
||||
persistence:
|
||||
size: 10Gi
|
||||
metrics:
|
||||
enabled: true
|
||||
collectors:
|
||||
wal: false
|
||||
|
||||
postgresql-ha:
|
||||
enabled: false
|
||||
|
||||
persistence:
|
||||
enabled: true
|
||||
service:
|
||||
ssh:
|
||||
enabled: true
|
||||
port: 2222
|
||||
annotations:
|
||||
metallb.universe.tf/allow-shared-ip: test
|
||||
|
||||
gitea:
|
||||
admin:
|
||||
username: "???"
|
||||
password: "???"
|
||||
email: "???"
|
||||
config:
|
||||
actions:
|
||||
ENABLED: true
|
||||
database:
|
||||
DB_TYPE: postgres
|
||||
indexer:
|
||||
ISSUE_INDEXER_TYPE: bleve
|
||||
REPO_INDEXER_ENABLED: true
|
||||
picture:
|
||||
AVATAR_UPLOAD_PATH: /data/avatars
|
||||
server:
|
||||
DOMAIN: git.limbosolutions.com
|
||||
SSH_DOMAIN: git.limbosolutions.com
|
||||
#HTTP_PORT: 3000
|
||||
ROOT_URL: https://git.limbosolutions.com
|
||||
DISABLE_SSH: false
|
||||
SSH_PORT: 2222
|
||||
SSH_LISTEN_PORT: 2222
|
||||
LFS_START_SERVER: true
|
||||
START_SSH_SERVER: true
|
||||
LFS_PATH: /data/git/lfs
|
||||
LFS_JWT_SECRET: "???"
|
||||
OFFLINE_MODE: false
|
||||
#MFF 03/08/2024
|
||||
REPO_INDEXER_ENABLED: true
|
||||
REPO_INDEXER_PATH: indexers/repos.bleve
|
||||
MAX_FILE_SIZE: 1048576
|
||||
REPO_INDEXER_INCLUDE:
|
||||
REPO_INDEXER_EXCLUDE: resources/bin/**
|
||||
####
|
||||
|
||||
service:
|
||||
DISABLE_REGISTRATION: "???"
|
||||
REQUIRE_SIGNIN_VIEW: "???"
|
||||
REGISTER_EMAIL_CONFIRM: "???"
|
||||
ENABLE_NOTIFY_MAIL: "???"
|
||||
ALLOW_ONLY_EXTERNAL_REGISTRATION: "???"
|
||||
ENABLE_CAPTCHA: "???"
|
||||
DEFAULT_KEEP_EMAIL_PRIVATE : "???"
|
||||
DEFAULT_ALLOW_CREATE_ORGANIZATION: "???"
|
||||
DEFAULT_ENABLE_TIMETRACKING: "???"
|
||||
NO_REPLY_ADDRESS: noreply.localhost
|
||||
oauth2:
|
||||
JWT_SECRET: "???"
|
||||
mailer:
|
||||
ENABLED: false
|
||||
|
||||
openid:
|
||||
ENABLE_OPENID_SIGNIN: true
|
||||
ENABLE_OPENID_SIGNUP: true
|
||||
|
||||
|
||||
security:
|
||||
INSTALL_LOCK: true
|
||||
SECRET_KEY: "???"
|
||||
REVERSE_PROXY_LIMIT: 1
|
||||
REVERSE_PROXY_TRUSTED_PROXIES:
|
||||
INTERNAL_TOKEN: "???"
|
||||
PASSWORD_HASH_ALGO: "???"
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
className: traefik
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: traefik
|
||||
cert-manager.io/cluster-issuer: "letsencrypt-prod"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: websecure, public-https
|
||||
hosts:
|
||||
- host: git.limbosolutions.com
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- secretName: limbosolutions-com-secret-tls
|
||||
hosts:
|
||||
- "git.limbosolutions.com"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user