authorXe Iaso <me@xeiaso.net>2024-08-27 10:49:54 -0400
committerXe Iaso <me@xeiaso.net>2024-08-27 10:50:08 -0400
commitb5cd15dd6acbe74cb16a00aa5a3701d3e002f98e (patch)
tree69032da9fbc75e95a9fed9fa50be5c947485bd14
parent3a7ba512d5888c322597fb7599ec0b5d7b855ca6 (diff)
kube/alrest: add gitea config
Signed-off-by: Xe Iaso <me@xeiaso.net>
-rw-r--r--kube/alrest/gitea/1password.yaml6
-rw-r--r--kube/alrest/gitea/deployment.yaml82
-rw-r--r--kube/alrest/gitea/kustomization.yaml10
-rw-r--r--kube/alrest/gitea/namespace.yaml11
-rw-r--r--kube/alrest/gitea/pvc.yaml23
-rw-r--r--kube/alrest/gitea/runner.yaml77
-rw-r--r--kube/alrest/gitea/service.yaml17
7 files changed, 226 insertions, 0 deletions
diff --git a/kube/alrest/gitea/1password.yaml b/kube/alrest/gitea/1password.yaml
new file mode 100644
index 0000000..e11a542
--- /dev/null
+++ b/kube/alrest/gitea/1password.yaml
@@ -0,0 +1,6 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+ name: tigris-creds
+spec:
+ itemPath: "vaults/Kubernetes/items/Tigris creds"
diff --git a/kube/alrest/gitea/deployment.yaml b/kube/alrest/gitea/deployment.yaml
new file mode 100644
index 0000000..9c9f95d
--- /dev/null
+++ b/kube/alrest/gitea/deployment.yaml
@@ -0,0 +1,82 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: "gitea"
+data:
+ USER: git
+ USER_UID: "1000"
+ USER_GID: "1000"
+
+ #GITEA__storage__STORAGE_TYPE: minio
+ GITEA__storage__STORAGE_TYPE: local
+ GITEA__storage__SERVE_DIRECT: "true"
+ GITEA__storage__MINIO_ENDPOINT: https://fly.storage.tigris.dev
+ GITEA__storage__MINIO_BUCKET: alrest-gitea
+ GITEA__storage__MINIO_LOCATION: auto
+ GITEA__storage__MINIO_USE_SSL: "true"
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: gitea
+ labels:
+ xeiaso.net/thing: http
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ xeiaso.net/thing: http
+ template:
+ metadata:
+ labels:
+ xeiaso.net/thing: http
+ spec:
+ securityContext:
+ fsGroup: 1000
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: gitea
+ - name: conf
+ persistentVolumeClaim:
+ claimName: conf
+ containers:
+ - name: main
+ image: gitea/gitea:1-rootless
+ imagePullPolicy: Always
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ envFrom:
+ - configMapRef:
+ name: gitea
+ - secretRef:
+ name: tigris-creds
+ ports:
+ - name: http
+ containerPort: 3000
+ protocol: TCP
+ - name: ssh
+ containerPort: 2222
+ protocol: TCP
+ volumeMounts:
+ - name: data
+ mountPath: /var/lib/gitea
+ - name: conf
+ mountPath: /etc/gitea
+ livenessProbe:
+ httpGet:
+ path: /api/healthz
+ port: http
+ initialDelaySeconds: 200
+ timeoutSeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ failureThreshold: 10
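Review bot: The `- secretRef:` entry for `tigris-creds` under `envFrom` injects every key of the object-storage credential into the Gitea process, while the ConfigMap in the same file sets `GITEA__storage__STORAGE_TYPE: local`, so the credential is presumably exposed without being used. Consider leaving that entry out until the minio backend is switched on, or replacing it with explicit `env` entries that use `secretKeyRef` for only the keys Gitea reads. Also, `gitea/gitea:1-rootless` with `imagePullPolicy: Always` is a moving tag, so every restart can pull different code; pinning a full version tag or an image digest keeps rollouts reproducible and auditable.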
diff --git a/kube/alrest/gitea/kustomization.yaml b/kube/alrest/gitea/kustomization.yaml
new file mode 100644
index 0000000..123d121
--- /dev/null
+++ b/kube/alrest/gitea/kustomization.yaml
@@ -0,0 +1,10 @@
+resources:
+ - namespace.yaml
+ - pvc.yaml
+ - 1password.yaml
+ - deployment.yaml
+ - service.yaml
+ - runner.yaml
+namespace: gitea
+commonLabels:
+ app.kubernetes.io/name: gitea
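Review bot: `commonLabels` is also applied to selectors and pod-template labels, and as far as I know it replaces an existing value for the same key, so the runner Deployment's `app.kubernetes.io/name: act-runner` in runner.yaml would be rendered as `gitea`. If so, the act-runner selector becomes just `app.kubernetes.io/name: gitea`, which also matches the Gitea server pods; overlapping controller selectors are something Kubernetes warns against. It is worth checking the `kustomize build` output. A `labels:` entry with `includeSelectors: false`, or a different label key on the runner, avoids the collision.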
diff --git a/kube/alrest/gitea/namespace.yaml b/kube/alrest/gitea/namespace.yaml
new file mode 100644
index 0000000..c10142c
--- /dev/null
+++ b/kube/alrest/gitea/namespace.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: gitea
+ labels:
+ pod-security.kubernetes.io/audit: privileged
+ pod-security.kubernetes.io/audit-version: latest
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/enforce-version: latest
+ pod-security.kubernetes.io/warn: privileged
+ pod-security.kubernetes.io/warn-version: latest
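Review bot: Setting `enforce`, `audit` and `warn` all to `privileged` switches Pod Security admission off for the whole namespace, including the Gitea server pod, which from deployment.yaml looks like it would pass a much stricter profile. Only the `dockerd` sidecar in runner.yaml asks for `privileged: true`. Consider moving the runner into its own namespace so this one can enforce `restricted` or `baseline`, or at least set `pod-security.kubernetes.io/warn: restricted` and `pod-security.kubernetes.io/audit: restricted` so violations are still surfaced. The `*-version: latest` labels also mean the policy definition changes with cluster upgrades; pinning a version makes that explicit.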
diff --git a/kube/alrest/gitea/pvc.yaml b/kube/alrest/gitea/pvc.yaml
new file mode 100644
index 0000000..0a02161
--- /dev/null
+++ b/kube/alrest/gitea/pvc.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: gitea
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: longhorn
+ resources:
+ requests:
+ storage: 64Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: conf
+spec:
+ accessModes:
+ - ReadWriteMany
+ storageClassName: longhorn
+ resources:
+ requests:
+ storage: 512Mi
diff --git a/kube/alrest/gitea/runner.yaml b/kube/alrest/gitea/runner.yaml
new file mode 100644
index 0000000..12b5ba2
--- /dev/null
+++ b/kube/alrest/gitea/runner.yaml
@@ -0,0 +1,77 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: act-runner-vol
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: runner-secret
+data:
+ token: NE9vMUx4RXg0QjF5dUlienZCQTFPTFFqbTdzeTBVV2RMOVhCdWM3bg==
+type: Opaque
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/name: act-runner
+ name: act-runner
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: act-runner
+ strategy: {}
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/name: act-runner
+ spec:
+ restartPolicy: Always
+ volumes:
+ - name: docker-certs
+ emptyDir: {}
+ - name: runner-data
+ persistentVolumeClaim:
+ claimName: act-runner-vol
+ containers:
+ - name: runner
+ image: gitea/act_runner:nightly
+ command: ["sh", "-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- /opt/act/run.sh"]
+ env:
+ - name: DOCKER_HOST
+ value: tcp://localhost:2376
+ - name: DOCKER_CERT_PATH
+ value: /certs/client
+ - name: DOCKER_TLS_VERIFY
+ value: "1"
+ - name: GITEA_INSTANCE_URL
+ value: http://git.gitea.svc.alrest.xeserv.us
+ - name: GITEA_RUNNER_REGISTRATION_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: runner-secret
+ key: token
+ volumeMounts:
+ - name: docker-certs
+ mountPath: /certs
+ - name: runner-data
+ mountPath: /data
+ - name: dockerd
+ image: docker:27.0.2-dind
+ env:
+ - name: DOCKER_TLS_CERTDIR
+ value: /certs
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: docker-certs
+ mountPath: /certs
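Review bot: The `runner-secret` Secret commits the runner registration token to the repository in its `token:` field; base64 in `data:` is an encoding, not protection, so anyone who can read this repo or its history can recover it. The token should be treated as exposed and rotated in Gitea, and the Secret replaced by a `OnePasswordItem` like the one 1password.yaml adds for `tigris-creds` (the item needs a `token` field so the existing `secretKeyRef` keeps working). Separately, `gitea/act_runner:nightly` is a moving tag running next to a `privileged: true` `docker:27.0.2-dind` sidecar, so pinning it to a release tag or digest is worth doing.

```yaml
# replaces the inline `kind: Secret` document; the operator is expected to
# materialise a Secret named runner-secret from the vault item
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: runner-secret
spec:
  itemPath: "vaults/<VAULT_NAME>/items/<ITEM_NAME>"  # placeholder path
# … unchanged: act-runner Deployment, still reading key `token` via secretKeyRef …
```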
diff --git a/kube/alrest/gitea/service.yaml b/kube/alrest/gitea/service.yaml
new file mode 100644
index 0000000..988f1fa
--- /dev/null
+++ b/kube/alrest/gitea/service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: git
+spec:
+ selector:
+ xeiaso.net/thing: http
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 3000
+ name: http
+ - protocol: TCP
+ port: 22
+ targetPort: 2222
+ name: ssh
+ type: ClusterIP