deploy scripts & helm review: Secrets values from set instead on values, cd pre; add kustomization for infra

.vscode/settings.json

@@ -0,0 +1,5 @@
+{
+    "cSpell.words": [
+        "valkey"
+    ]
+}

README.md

@@ -5,7 +5,6 @@ Welcome to public repository of my [Git Server](https://git.limbosolutions.com)
 Using [gitea](https://git.limbosolutions.com/kb/gitea) as git server.
 
 - [Deploy](#deploy)
-  - [Environment files](#environment-files)
   - [App](#app)
   - [Continuous Deploy](#continuous-deploy)
   - [Infra](#infra)
@@ -14,14 +13,15 @@ Using [gitea](https://git.limbosolutions.com/kb/gitea) as git server.
 
 ## Deploy
 
-### Environment files
-
-- /.deploy/app/cronjobs/backups/.env.d/secrets [Example:](./deploy/app/cronjobs/backups/.env.d/secrets.example).
-- /.deploy/app/cronjobs/backups/.env.d/borg_key [Example:](./deploy/app/cronjobs/backups/.env.d/borg_key.example).
-- /.deploy/app/cronjobs/backups/.env.d/id_rsa [Example:](./deploy/app/cronjobs/backups/.env.d/id_rsa.example).
-
 ### App
 
+**Environment files:**
+
+- ./deploy/app/cronjobs/backups/.env.d/secrets [Example:](./deploy/app/cronjobs/backups/.env.d/secrets.example).
+- ./deploy/app/cronjobs/backups/.env.d/borg_key [Example:](./deploy/app/cronjobs/backups/.env.d/borg_key.example).
+- ./deploy/app/cronjobs/backups/.env.d/id_rsa [Example:](./deploy/app/cronjobs/backups/.env.d/id_rsa.example).
+- ./deploy/helm/.env [Example:](./deploy/helm/.env.example).
+
 ```bash
 ./deploy/apply-app.sh
 ```
@@ -30,7 +30,7 @@ Using [gitea](https://git.limbosolutions.com/kb/gitea) as git server.
 
 ### Continuous Deploy
 
-Executes [App Deploy](#app) using an [Gitea workflow](./.gitea/workflows/app-deploy.yaml).
+Executes [App Deploy](#app) using [Gitea workflow](./.gitea/workflows/app-deploy.yaml).
 
 ### Infra
 

deploy/apply-app.sh

@@ -1,2 +1,36 @@
 #/bin/bash
 kubectl kustomize deploy/app | kubectl apply -f -
+
+if [ -f "deploy/helm/.env" ]; then
+  # Export all variables from the file
+  echo "export variables from file helm/.env" 
+  set -a
+  . deploy/helm/.env
+  set +a
+fi
+
+
+if [ -n "${GITEA_ADMIN_USERNAME:-}" ]; then
+  echo "Executing helm deploy."
+
+    helm repo add gitea-charts https://dl.gitea.com/charts/
+    helm repo update
+    helm upgrade --install gitea gitea-charts/gitea \
+    --values deploy/helm/values.yaml \
+    --set valkey.global.valkey.password=${VALKEY_GLOBAL_PASSWORD} \
+    --set postgresql.global.postgresql.auth.postgresPassword=${POSTGRESQL_AUTH_POSTGRESPASSWORD} \
+    --set postgresql.global.postgresql.auth.password=${POSTGRESQL_AUTH_PASSWORD} \
+    --set postgresql.global.postgresql.auth.database=${POSTGRESQL_AUTH_DATABASE} \
+    --set postgresql.global.postgresql.auth.username=${POSTGRESQL_AUTH_USERNAME} \
+    --set gitea.admin.username=${GITEA_ADMIN_USERNAME} \
+    --set gitea.admin.password=${GITEA_ADMIN_PASSWORD} \
+    --set gitea.admin.email=${GITEA_ADMIN_EMAIL} \
+    --set gitea.config.oauth2.JWT_SECRET=${GITEA_CONFIG_OAUTH2_JWT_SECRET} \
+    --set gitea.config.server.LFS_JWT_SECRET=${GITEA_CONFIG_SERVER_LFS_JWT_SECRET} \
+    --set gitea.config.security.SECRET_KEY=${GITEA_CONFIG_SECURITY_SECRET_KEY} \
+    --set gitea.config.security.REVERSE_PROXY_TRUSTED_PROXIES=${GITEA_CONFIG_SECURITY_REVERSE_PROXY_TRUSTED_PROXIES} \
+    --set gitea.config.security.INTERNAL_TOKEN=${GITEA_CONFIG_SECURITY_INTERNAL_TOKEN} \
+    --set gitea.config.security.PASSWORD_HASH_ALGO=${GITEA_CONFIG_SECURITY_PASSWORD_HASH_ALGO} \
+    --set gitea.config.service.oauth2.JWT_SECRET=${GITEA_CONFIG_SERVICE_OAUTH2_JWT_SECRET} \
+    --namespace=git-limbosolutions-com
+fi

deploy/apply-infra.sh

@@ -1,11 +1,7 @@
-#/bin/bash
+#!/bin/bash
+set -e
+echo "Executing infra deploy."
 
 kubectl kustomize deploy/infra | kubectl apply -f -
 
-helm repo add gitea-charts https://dl.gitea.com/charts/
-helm repo update
-helm upgrade --install gitea gitea-charts/gitea \
---values helm/values.yaml \
---values helm/values.private.yaml \
---namespace=git-limbosolutions-com
 

deploy/helm/.env.example

@@ -0,0 +1,15 @@
+VALKEY_GLOBAL_PASSWORD="????"
+POSTGRESQL_AUTH_POSTGRESPASSWORD="????"
+POSTGRESQL_AUTH_PASSWORD="????"
+POSTGRESQL_AUTH_DATABASE="????"
+POSTGRESQL_AUTH_USERNAME="????"
+GITEA_ADMIN_USERNAME=m"????"
+GITEA_ADMIN_PASSWORD="????"
+GITEA_ADMIN_EMAIL="????"
+GITEA_CONFIG_OAUTH2_JWT_SECRET=i"????"
+GITEA_CONFIG_SERVER_LFS_JWT_SECRET="????"
+GITEA_CONFIG_SECURITY_INTERNAL_TOKEN="????"
+GITEA_CONFIG_SECURITY_PASSWORD_HASH_ALGO="????"
+GITEA_CONFIG_SECURITY_REVERSE_PROXY_TRUSTED_PROXIES="????"
+GITEA_CONFIG_SECURITY_SECRET_KEY="????"
+GITEA_CONFIG_SERVICE_OAUTH2_JWT_SECRET="????"

deploy/helm/values.yaml

@@ -15,7 +15,7 @@ valkey:
   architecture: standalone
   global:
     valkey:
-      password: "????"
+      password: "???"
   master:
     count: 1
     service:
@@ -31,8 +31,6 @@ postgresql:
     imagePullPolicy: IfNotPresent
   global:
     postgresql:
-      # volumePermissions:
-      #   enabled: true
       auth:
         postgresPassword: "???"
         password: "???"
@@ -40,7 +38,7 @@ postgresql:
         username: "???"
       service:
         ports:
-          postgresql: "???"
+          postgresql: 5432
   primary:
     persistence:
       size: 10Gi
@@ -67,6 +65,8 @@ gitea:
     password: "???"
     email: "???"
   config:
+    oauth2:
+      JWT_SECRET: "???"
     actions:
       ENABLED: true
     database:
@@ -79,7 +79,6 @@ gitea:
     server:
       DOMAIN: git.limbosolutions.com
       SSH_DOMAIN: git.limbosolutions.com
-      #HTTP_PORT: 3000
       ROOT_URL: https://git.limbosolutions.com
       DISABLE_SSH: false
       SSH_PORT: 2222
@@ -98,15 +97,15 @@ gitea:
       ####
     
     service:
-      DISABLE_REGISTRATION: "???"
-      REQUIRE_SIGNIN_VIEW: "???"
-      REGISTER_EMAIL_CONFIRM: "???"
-      ENABLE_NOTIFY_MAIL: "???"
-      ALLOW_ONLY_EXTERNAL_REGISTRATION: "???"
-      ENABLE_CAPTCHA: "???"
-      DEFAULT_KEEP_EMAIL_PRIVATE : "???"
-      DEFAULT_ALLOW_CREATE_ORGANIZATION: "???"
-      DEFAULT_ENABLE_TIMETRACKING: "???"
+      DISABLE_REGISTRATION: true
+      REQUIRE_SIGNIN_VIEW: false
+      REGISTER_EMAIL_CONFIRM: false
+      ENABLE_NOTIFY_MAIL: false
+      ALLOW_ONLY_EXTERNAL_REGISTRATION: false
+      ENABLE_CAPTCHA: true
+      DEFAULT_KEEP_EMAIL_PRIVATE : true
+      DEFAULT_ALLOW_CREATE_ORGANIZATION: true
+      DEFAULT_ENABLE_TIMETRACKING:  true
       NO_REPLY_ADDRESS: noreply.localhost
       oauth2:
           JWT_SECRET: "???"
@@ -114,33 +113,19 @@ gitea:
       ENABLED: false
 
     openid:
-      ENABLE_OPENID_SIGNIN: true
-      ENABLE_OPENID_SIGNUP: true
+      ENABLE_OPENID_SIGNIN: false
+      ENABLE_OPENID_SIGNUP: false
     
 
     security:
       INSTALL_LOCK: true
       SECRET_KEY: "???"
       REVERSE_PROXY_LIMIT: 1
-      REVERSE_PROXY_TRUSTED_PROXIES:
+      REVERSE_PROXY_TRUSTED_PROXIES: "???"
       INTERNAL_TOKEN: "???"
       PASSWORD_HASH_ALGO: "???"
 
 ingress:
-  enabled: true
-  className: traefik
-  annotations:
-    kubernetes.io/ingress.class: traefik
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure, public-https
-  hosts:
-    - host: git.limbosolutions.com
-      paths:
-        - path: /
-          pathType: Prefix
-  tls:
-    - secretName: limbosolutions-com-secret-tls
-      hosts:
-       - "git.limbosolutions.com"
+  enabled: false
 
 

deploy/infra/ingress.yaml

@@ -0,0 +1,53 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: git-limbosolutions-com-ssh
+  namespace: git-limbosolutions-com
+spec:
+  entryPoints:
+    - ssh-git
+  routes:
+    - match: HostSNI(`*`)
+      services:
+        - name: gitea-ssh
+          port: 2222
+          weight: 10
+          terminationDelay: 90000
+          proxyProtocol:
+            version: 1
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: gitea
+  namespace: git-limbosolutions-com
+  labels:
+    helm.sh/chart: gitea-12.4.0
+    app: gitea
+    app.kubernetes.io/name: gitea
+    app.kubernetes.io/instance: gitea
+    app.kubernetes.io/version: "1"
+    version: "1"
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+      cert-manager.io/cluster-issuer: "letsencrypt-prod"
+      kubernetes.io/ingress.class: "traefik"
+      traefik.ingress.kubernetes.io/router.entrypoints: "websecure, public-https"
+spec:
+  ingressClassName: traefik
+  tls:
+    - hosts:
+        - "git.limbosolutions.com"
+      secretName: limbosolutions-com-tls
+  rules:
+    - host: "git.limbosolutions.com"
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: gitea-http
+                port:
+                  number: 3000

deploy/infra/kustomization.yaml

@@ -2,6 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - namespace.yaml
-  - ssh-ingress.yaml
+  - ingress.yaml
 
 

deploy/infra/ssh-ingress.yaml

@@ -1,17 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRouteTCP
-metadata:
-  name: git-limbosolutions-com-ssh-ingress
-  namespace: git-limbosolutions-com
-spec:
-  entryPoints:
-    - ssh-git
-  routes:
-    - match: HostSNI(`*`)
-      services:
-        - name: gitea-ssh
-          port: 2222
-          weight: 10
-          terminationDelay: 90000
-          proxyProtocol:
-            version: 1