From 28861f1fc2fa74ec7793d6122c8e77699113c6a8 Mon Sep 17 00:00:00 2001
From: Edward Cheng
Date: Tue, 23 Jul 2024 01:08:28 +1000
Subject: [PATCH] refactor gitea
---
.../{env/k3s-cluster => base}/deployment.yaml | 0
.../{env/k3s-cluster => base}/ingress.yaml | 0
apps/gitea/base/kustomization.yaml | 7 +
.../k3s-cluster => base}/service-account.yaml | 0
.../{env/k3s-cluster => base}/service.yaml | 0
apps/gitea/base/values.yaml | 778 ++++++++++++++++++
apps/gitea/env/k3s-cluster/config.json | 12 +
apps/gitea/env/k3s-cluster/kustomization.yaml | 11 +-
apps/gitea/env/k3s-cluster/values.yaml | 778 +-----------------
.../env/k3s-cluster/templates/gitea.yaml | 12 +-
.../env/k3s-cluster/templates/gitea-pv.yaml | 4 +-
11 files changed, 822 insertions(+), 780 deletions(-)
rename apps/gitea/{env/k3s-cluster => base}/deployment.yaml (100%)
rename apps/gitea/{env/k3s-cluster => base}/ingress.yaml (100%)
create mode 100644 apps/gitea/base/kustomization.yaml
rename apps/gitea/{env/k3s-cluster => base}/service-account.yaml (100%)
rename apps/gitea/{env/k3s-cluster => base}/service.yaml (100%)
create mode 100644 apps/gitea/base/values.yaml
create mode 100644 apps/gitea/env/k3s-cluster/config.json
diff --git a/apps/gitea/env/k3s-cluster/deployment.yaml b/apps/gitea/base/deployment.yaml
similarity index 100%
rename from apps/gitea/env/k3s-cluster/deployment.yaml
rename to apps/gitea/base/deployment.yaml
diff --git a/apps/gitea/env/k3s-cluster/ingress.yaml b/apps/gitea/base/ingress.yaml
similarity index 100%
rename from apps/gitea/env/k3s-cluster/ingress.yaml
rename to apps/gitea/base/ingress.yaml
diff --git a/apps/gitea/base/kustomization.yaml b/apps/gitea/base/kustomization.yaml
new file mode 100644
index 0000000..d6e4736
--- /dev/null
+++ b/apps/gitea/base/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./deployment.yaml
+ - ./service.yaml
+ - ./service-account.yaml
+ - ./ingress.yaml
\ No newline at end of file
diff --git a/apps/gitea/env/k3s-cluster/service-account.yaml b/apps/gitea/base/service-account.yaml
similarity index 100%
rename from apps/gitea/env/k3s-cluster/service-account.yaml
rename to apps/gitea/base/service-account.yaml
diff --git a/apps/gitea/env/k3s-cluster/service.yaml b/apps/gitea/base/service.yaml
similarity index 100%
rename from apps/gitea/env/k3s-cluster/service.yaml
rename to apps/gitea/base/service.yaml
diff --git a/apps/gitea/base/values.yaml b/apps/gitea/base/values.yaml
new file mode 100644
index 0000000..5fe6525
--- /dev/null
+++ b/apps/gitea/base/values.yaml
@@ -0,0 +1,778 @@ +# Copyright Broadcom, Inc. All Rights Reserved. +# SPDX-License-Identifier: APACHE-2.0 + +## @section Global parameters +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass +## + +## @param global.imageRegistry Global Docker image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s) +## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead +## +global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + defaultStorageClass: "" + storageClass: "" + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: auto +## @section Common parameters +## + +## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) +## +kubeVersion: "" +## @param nameOverride String to partially override gitea.fullname template (will maintain the release name) +## +nameOverride: "" +## @param fullnameOverride String to fully override gitea.fullname template +## +fullnameOverride: "" +## @param namespaceOverride String to fully override common.names.namespace +## +namespaceOverride: "" +## @param commonAnnotations Common annotations to add to all Gitea resources (sub-charts are not considered). Evaluated as a template +## +commonAnnotations: {} +## @param commonLabels Common labels to add to all Gitea resources (sub-charts are not considered). Evaluated as a template +## +commonLabels: {} +## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template). +## +extraDeploy: [] +## @section Gitea parameters +## + +## Bitnami Gitea image version +## ref: https://hub.docker.com/r/bitnami/gitea/tags/ +## @param image.registry [default: REGISTRY_NAME] Gitea image registry +## @param image.repository [default: REPOSITORY_NAME/gitea] Gitea Image name +## @skip image.tag Gitea Image tag +## @param image.digest Gitea image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag +## @param image.pullPolicy Gitea image pull policy +## @param image.pullSecrets Specify docker-registry secret names as an array +## @param image.debug Specify if debug logs should be enabled +## +image: + registry: docker.io + repository: bitnami/gitea + tag: 1.22.1-debian-12-r4 + digest: "" + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Set to true if you would like to see extra information on logs + ## + debug: true +## @param adminUsername User of the application +## ref: https://github.com/bitnami/containers/tree/main/bitnami/gitea#configuration +## +adminUsername: bn_user +## @param adminPassword Application password +## Defaults to a random 10-character alphanumeric string if not set +## ref: https://github.com/bitnami/containers/tree/main/bitnami/gitea#configuration +## +adminPassword: "" +## @param adminEmail Admin email +## ref: https://github.com/bitnami/containers/tree/main/bitnami/gitea#configuration +## +adminEmail: user@example.com +## @param appName Gitea application name +## ref: https://github.com/bitnami/containers/tree/main/bitnami/gitea#configuration +## +appName: gitea +## @param runMode Gitea application host +## ref: https://github.com/bitnami/containers/tree/main/bitnami/gitea#configuration +## +runMode: prod +## @param exposeSSH Make the SSH server accesible +## +exposeSSH: true +## @param rootURL UI Root URL (for link generation) +## +rootURL: "" +## @param command Override default container command (useful when using 
custom images) +## +command: [] +## @param args Override default container args (useful when using custom images) +## +args: [] +## @param updateStrategy.type Update strategy - only really applicable for deployments with RWO PVs attached +## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the +## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will +## terminate the single previous pod, so that the new, incoming pod can attach to the PV +## +updateStrategy: + type: Recreate +## @param priorityClassName Gitea pods' priorityClassName +## +priorityClassName: "" +## @param schedulerName Name of the k8s scheduler (other than default) +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +schedulerName: "" +## @param topologySpreadConstraints Topology Spread Constraints for pod assignment +## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +## The value is evaluated as a template +## +topologySpreadConstraints: [] +## @param automountServiceAccountToken Mount Service Account token in pod +## +automountServiceAccountToken: false +## @param hostAliases [array] Add deployment host aliases +## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ +## +hostAliases: [] +## @param extraEnvVars Extra environment variables +## For example: +## +extraEnvVars: [] +# - name: BEARER_AUTH +# value: true +## @param extraEnvVarsCM ConfigMap containing extra env vars +## +extraEnvVarsCM: "" +## @param extraEnvVarsSecret Secret containing extra env vars (in case of sensitive data) +## +extraEnvVarsSecret: "" +## @param extraVolumes Array of extra volumes to be added to the deployment (evaluated as template). Requires setting `extraVolumeMounts` +## +extraVolumes: [] +## @param extraVolumeMounts Array of extra volume mounts to be added to the container (evaluated as template). 
Normally used with `extraVolumes`. +## +extraVolumeMounts: [] +## @param initContainers Add additional init containers to the pod (evaluated as a template) +## +initContainers: [] +## Pod Disruption Budget configuration +## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb +## @param pdb.create Enable/disable a Pod Disruption Budget creation +## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled +## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty. +## +pdb: + create: true + minAvailable: "" + maxUnavailable: "" +## @param sidecars Attach additional containers to the pod (evaluated as a template) +## +sidecars: [] +## @param tolerations Tolerations for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] +## @param existingSecret Name of a secret with the application password +## +existingSecret: "" +## @param existingSecretKey Key inside the existing secret containing the password +## +existingSecretKey: "admin-password" +## SMTP mail delivery configuration +## ref: https://github.com/bitnami/containers/tree/main/bitnami/gitea/#smtp-configuration +## @param smtpHost SMTP host +## @param smtpPort SMTP port +## @param smtpUser SMTP user +## @param smtpPassword SMTP password +## +smtpHost: "" +smtpPort: "" +smtpUser: "" +smtpPassword: "" +## @param smtpExistingSecret The name of an existing secret with SMTP credentials +## NOTE: Must contain key `smtp-password` +## NOTE: When it's set, the `smtpPassword` parameter is ignored +## +smtpExistingSecret: "" +## @param containerPorts [object] Container ports +## +containerPorts: + http: 3000 + ssh: 2222 +## @param extraContainerPorts Optionally specify extra list of additional ports for Gitea container(s) +## e.g: +## extraContainerPorts: +## - name: myservice +## containerPort: 9090 +## 
+extraContainerPorts: [] +## Enable OpenID Configurations +## @param openid.enableSignIn Enable sign in with OpenID +## @param openid.enableSignUp Enable sign up with OpenID +openid: + enableSignIn: false + enableSignUp: false +## Enable persistence using Persistent Volume Claims +## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ +## +persistence: + ## @param persistence.enabled Enable persistence using PVC + ## + enabled: true + ## @param persistence.storageClass PVC Storage Class for Gitea volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + ## @param persistence.accessModes PVC Access Mode for Gitea volume + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + ## + accessModes: + - ReadWriteOnce + ## @param persistence.size PVC Storage Request for Gitea volume + ## + size: 8Gi + ## @param persistence.dataSource Custom PVC data source + ## + dataSource: {} + ## @param persistence.existingClaim A manually managed Persistent Volume Claim + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + ## + existingClaim: "gitea-pvc" + ## @param persistence.hostPath If defined, the gitea-data volume will mount to the specified hostPath. + ## Requires persistence.enabled: true + ## Requires persistence.existingClaim: nil|false + ## Default: nil. + ## + hostPath: "" + ## @param persistence.annotations Persistent Volume Claim annotations + ## + annotations: {} + ## @param persistence.selector Selector to match an existing Persistent Volume for Gitea data PVC + ## If set, the PVC can't have a PV dynamically provisioned for it + ## E.g. 
+ ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} +## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAffinityPreset: "" +## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAntiAffinityPreset: soft +## Node affinity preset +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity +## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## @param nodeAffinityPreset.key Node label key to match Ignored if `affinity` is set. +## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. +## +nodeAffinityPreset: + type: "" + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] +## @param affinity Affinity for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set +## +affinity: {} +## @param nodeSelector Node labels for pod assignment. Evaluated as a template. +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ +## +nodeSelector: {} +## Gitea container's resource requests and limits +## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). 
This is ignored if resources is set (resources is recommended for production). +## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 +## +resourcesPreset: "micro" +## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) +## Example: +## resources: +## requests: +## cpu: 2 +## memory: 512Mi +## limits: +## cpu: 3 +## memory: 1024Mi +## +resources: {} +## Configure Pods Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param podSecurityContext.enabled Enable Gitea pods' Security Context +## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy +## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface +## @param podSecurityContext.supplementalGroups Set filesystem extra groups +## @param podSecurityContext.fsGroup Gitea pods' group ID +## +podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 +## Configure Container Security Context (only main container) +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container +## @param containerSecurityContext.enabled Enabled containers' Security Context +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container +## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup +## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot +## @param containerSecurityContext.privileged Set container's Security Context privileged +## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem 
+## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation +## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped +## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile +## +containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" +## Configure extra options for startup probe +## Gitea core exposes / to unauthenticated requests, making it a good +## default startup and readiness path. However, that may not always be the +## case. For example, if the image value is overridden to an image containing a +## module that alters that route, or an image that does not auto-install Gitea. +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes +## @param startupProbe.enabled Enable startupProbe +## @param startupProbe.path Request path for startupProbe +## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe +## @param startupProbe.periodSeconds Period seconds for startupProbe +## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe +## @param startupProbe.failureThreshold Failure threshold for startupProbe +## @param startupProbe.successThreshold Success threshold for startupProbe +## +startupProbe: + enabled: false + path: / + initialDelaySeconds: 600 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 5 + successThreshold: 1 +## Configure extra options for liveness probe +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes +## @param livenessProbe.enabled Enable livenessProbe +## @param livenessProbe.initialDelaySeconds Initial delay 
seconds for livenessProbe +## @param livenessProbe.periodSeconds Period seconds for livenessProbe +## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe +## @param livenessProbe.failureThreshold Failure threshold for livenessProbe +## @param livenessProbe.successThreshold Success threshold for livenessProbe +## +livenessProbe: + enabled: true + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 30 + failureThreshold: 5 + successThreshold: 1 +## Configure extra options for readiness probe +## Gitea core exposes / to unauthenticated requests, making it a good +## default startup and readiness path. However, that may not always be the +## case. For example, if the image value is overridden to an image containing a +## module that alters that route, or an image that does not auto-install Gitea. +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes +## @param readinessProbe.enabled Enable readinessProbe +## @param readinessProbe.path Request path for readinessProbe +## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe +## @param readinessProbe.periodSeconds Period seconds for readinessProbe +## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe +## @param readinessProbe.failureThreshold Failure threshold for readinessProbe +## @param readinessProbe.successThreshold Success threshold for readinessProbe +## +readinessProbe: + enabled: true + path: / + initialDelaySeconds: 30 + periodSeconds: 60 + timeoutSeconds: 30 + failureThreshold: 5 + successThreshold: 1 +## @param customStartupProbe Override default startup probe +## +customStartupProbe: {} +## @param customLivenessProbe Override default liveness probe +## +customLivenessProbe: {} +## @param customReadinessProbe Override default readiness probe +## +customReadinessProbe: {} +## @param lifecycleHooks LifecycleHook to set additional configuration at startup Evaluated as 
a template +## +lifecycleHooks: {} +## @param podAnnotations Pod annotations +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## +podAnnotations: {} +## @param podLabels Add additional labels to the pod (evaluated as a template) +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +## +podLabels: {} +## @section Traffic Exposure Parameters +## + +## Kubernetes configuration. For minikube, set this to NodePort, elsewhere use LoadBalancer +## +service: + ## @param service.type Kubernetes Service type + ## + type: LoadBalancer + ## @param service.ports.http Service HTTP port + ## @param service.ports.ssh Service SSH port + ## + ports: + http: 10080 + ssh: 10022 + ## @param service.loadBalancerSourceRanges Restricts access for LoadBalancer (only with `service.type: LoadBalancer`) + ## e.g: + ## loadBalancerSourceRanges: + ## - 0.0.0.0/0 + ## + loadBalancerSourceRanges: [] + ## @param service.loadBalancerIP loadBalancerIP for the Gitea Service (optional, cloud specific) + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param service.nodePorts [object] Kubernetes node port + ## nodePorts: + ## http: + ## https: + ## + nodePorts: + http: "" + ssh: "" + ## @param service.externalTrafficPolicy Enable client source IP preservation + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param service.clusterIP Gitea service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: "" + ## @param service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param service.annotations Additional custom annotations for Gitea service + ## + annotations: {} + ## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If 
"ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + +## Network Policy configuration +## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ +## +networkPolicy: + ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. 
+ ## + allowExternalEgress: true + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + +## Configure the ingress resource that allows you to access the +## Gitea installation. Set up the URL +## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ +## +ingress: + ## @param ingress.enabled Enable ingress controller resource + ## + enabled: true + ## @param ingress.pathType Ingress Path type + ## + pathType: ImplementationSpecific + ## @param ingress.apiVersion Override API Version (automatically detected if not set) + ## + apiVersion: "" + ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . 
+ ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: "nginx" + ## @param ingress.hostname Default host for the ingress resource + ## + hostname: "gitea.cluster.edward.sydney" + ## @param ingress.path The Path to Gitea. You may need to set this to '/*' in order to use this + ## with ALB ingress controllers. + ## + path: / + ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. + ## For a full list of possible ingress annotations, please see + ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md + ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## + ## e.g: + ## annotations: + ## kubernetes.io/ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: {} + ## @param ingress.tls Enable TLS configuration for the hostname defined at ingress.hostname parameter + ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }} + ## You can use the ingress.secrets parameter to create this TLS secret or relay on cert-manager to create it + ## + tls: false + ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## + selfSigned: false + ## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record. + ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array + ## extraHosts: + ## - name: gitea.local + ## path: / + ## + extraHosts: [] + ## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host. 
+ ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. + ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## extraTls: + ## - hosts: + ## - gitea.local + ## secretName: gitea.local-tls + ## + extraTls: [] + ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets + ## key and certificate should start with -----BEGIN CERTIFICATE----- or + ## -----BEGIN RSA PRIVATE KEY----- + ## + ## name should line up with a tlsSecret set further up + ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set + ## + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## Example: + ## - name: gitea.local-tls + ## key: + ## certificate: + ## + secrets: [] + ## @param ingress.extraRules Additional rules to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules + ## e.g: + ## extraRules: + ## - host: example.local + ## http: + ## path: / + ## backend: + ## service: + ## name: example-svc + ## port: + ## name: http + ## + extraRules: [] +## @section Other Parameters +## + +## Service account for Gitea to use. +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +## +serviceAccount: + ## @param serviceAccount.create Enable creation of ServiceAccount for Gitea pod + ## + create: true + ## @param serviceAccount.name The name of the ServiceAccount to use. 
+ ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created + ## Can be set to false if pods using this serviceAccount do not need to use K8s API + ## + automountServiceAccountToken: false + ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount + ## + annotations: {} +## @section Database parameters +## + +## PostgreSQL chart configuration +## ref: https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml +## @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart +## @param postgresql.auth.username Name for a custom user to create +## @param postgresql.auth.password Password for the custom user to create +## @param postgresql.auth.database Name for a custom database to create +## @param postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials +## @param postgresql.architecture PostgreSQL architecture (`standalone` or `replication`) +## @param postgresql.service.ports.postgresql PostgreSQL service port +## +postgresql: + enabled: false + auth: + username: bn_gitea + password: "" + database: bitnami_gitea + existingSecret: "" + architecture: standalone + service: + ports: + postgresql: 5432 +## External PostgreSQL configuration +## All of these values are only used when postgresql.enabled is set to false +## @param externalDatabase.host Database host +## @param externalDatabase.port Database port number +## @param externalDatabase.user Non-root username for JupyterHub +## @param externalDatabase.password Password for the non-root username for JupyterHub +## @param externalDatabase.database JupyterHub database name +## @param externalDatabase.existingSecret Name of an existing secret resource containing the database credentials +## @param externalDatabase.existingSecretPasswordKey 
Name of an existing secret key containing the database credentials +## +externalDatabase: + host: "" + port: 5432 + user: postgres + database: gitea + password: "" + existingSecret: "" + existingSecretPasswordKey: "db-password" +## @section Volume Permissions parameters +## + +## Init containers parameters: +## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. +## +volumePermissions: + ## @param volumePermissions.enabled Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work) + ## + enabled: false + ## @param volumePermissions.image.registry [default: REGISTRY_NAME] Init container volume-permissions image registry + ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] Init container volume-permissions image name + ## @skip volumePermissions.image.tag Init container volume-permissions image tag + ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy + ## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array + ## + image: + registry: docker.io + repository: bitnami/os-shell + tag: 12-debian-12-r25 + digest: "" + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Init containers' resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} diff --git a/apps/gitea/env/k3s-cluster/config.json b/apps/gitea/env/k3s-cluster/config.json new file mode 100644 index 0000000..05e65c8 --- /dev/null +++ b/apps/gitea/env/k3s-cluster/config.json 
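Review bot: In the `ingress:` block, `enabled: true` is paired with `tls: false` and an empty `annotations: {}`, so as written the host `gitea.cluster.edward.sydney` is served over plain HTTP, and Gitea logins, session cookies and access tokens would cross the network unencrypted unless TLS is terminated somewhere this file does not show. Setting `tls: true` together with a cert-manager annotation (the file's own comment shows `cert-manager.io/cluster-issuer: cluster-issuer-name`) would close that. Two further settings deserve a change or a justifying comment now that this file sits under `base/`: `image.debug: true` turns on verbose logging, and `service.type: LoadBalancer` with `loadBalancerSourceRanges: []` puts no source restriction on ports 10080 and 10022. The blob id `5fe6525` matches the old env file, so these values appear to be carried over by the move rather than newly introduced.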
@@ -0,0 +1,12 @@
+{
+ "appName": "gitea",
+ "userGivenName": "gitea",
+ "namespace": "gitea",
+ "destNamespace": "gitea",
+ "destServer": "https://kubernetes.default.svc",
+ "srcPath": "apps/gitea/env/k3s-cluster",
+ "srcRepoURL": "https://github.com/3dwardch3ng/home-cluster-ops.git",
+ "srcTargetRevision": "",
+ "labels": null,
+ "annotations": null
+}
\ No newline at end of file
diff --git a/apps/gitea/env/k3s-cluster/kustomization.yaml b/apps/gitea/env/k3s-cluster/kustomization.yaml
index d6e4736..8ec8b56 100644
--- a/apps/gitea/env/k3s-cluster/kustomization.yaml
+++ b/apps/gitea/env/k3s-cluster/kustomization.yaml
@@ -1,7 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-resources:
- - ./deployment.yaml
- - ./service.yaml
- - ./service-account.yaml
- - ./ingress.yaml
\ No newline at end of file
+helmCharts:
+ - name: gitea
+ repo: oci://registry-1.docker.io/bitnamicharts
+ version: 2.3.14
+ releaseName: gitea
+ valuesFile: values.yaml
\ No newline at end of file
diff --git a/apps/gitea/env/k3s-cluster/values.yaml b/apps/gitea/env/k3s-cluster/values.yaml
index 5fe6525..19bd4a5 100644
--- a/apps/gitea/env/k3s-cluster/values.yaml
+++ b/apps/gitea/env/k3s-cluster/values.yaml
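Review bot: `"srcTargetRevision": ""` leaves the tracked revision unspecified; if this file is what the GitOps tooling reads to build the application's source (the field names suggest so, but the consumer is not visible here), the app presumably follows the repository's default branch. Every push to `apps/gitea/env/k3s-cluster` on that branch would then reach `https://kubernetes.default.svc` with no further gate. Naming the ref, e.g. `"srcTargetRevision": "<branch-or-tag>"` (placeholder), and restricting who can push to it makes the deployment trust boundary explicit.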
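Review bot: The new `helmCharts` entry pins the chart only by `version: 2.3.14`, a registry tag, so each render pulls from `oci://registry-1.docker.io/bitnamicharts` and deploys whatever that tag resolves to at build time. Because the overlay's `values.yaml` shrinks to a handful of overrides in the same commit, settings the vendored file used to state explicitly (`containerSecurityContext`, `networkPolicy`, `image.tag`) now follow that chart version's defaults and should be re-checked on every version bump. Rendering also needs kustomize's `--enable-helm` option, so the deploy tool must be configured for it. The overlay no longer has a `resources:` list, so the manifests moved to `apps/gitea/base/` are not referenced from here; a comment such as `# manifests come from the chart; ../../base is intentionally not included` would record whether that is deliberate.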
@@ -1,778 +1,28 @@ -# Copyright Broadcom, Inc. All Rights Reserved. -# SPDX-License-Identifier: APACHE-2.0 - -## @section Global parameters -## Global Docker image parameters -## Please, note that this will override the image parameters, including dependencies, configured to use the global value -## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass -## - -## @param global.imageRegistry Global Docker image registry -## @param global.imagePullSecrets Global Docker registry secret names as an array -## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s) -## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead -## -global: - imageRegistry: "" - ## E.g. - ## imagePullSecrets: - ## - myRegistryKeySecretName - ## - imagePullSecrets: [] - defaultStorageClass: "" - storageClass: "" - ## Compatibility adaptations for Kubernetes platforms - ## - compatibility: - ## Compatibility adaptations for Openshift - ## - openshift: - ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) - ## - adaptSecurityContext: auto -## @section Common parameters -## - -## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) -## -kubeVersion: "" -## @param nameOverride String to partially override gitea.fullname template (will maintain the release name) -## -nameOverride: "" -## @param fullnameOverride String to fully override gitea.fullname template -## -fullnameOverride: "" -## @param namespaceOverride String to fully override common.names.namespace -## -namespaceOverride: "" -## @param commonAnnotations Common annotations to add to all Gitea resources (sub-charts are not considered). Evaluated as a template -## -commonAnnotations: {} -## @param commonLabels Common labels to add to all Gitea resources (sub-charts are not considered). Evaluated as a template -## -commonLabels: {} -## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template). -## -extraDeploy: [] -## @section Gitea parameters -## - -## Bitnami Gitea image version -## ref: https://hub.docker.com/r/bitnami/gitea/tags/ -## @param image.registry [default: REGISTRY_NAME] Gitea image registry -## @param image.repository [default: REPOSITORY_NAME/gitea] Gitea Image name -## @skip image.tag Gitea Image tag -## @param image.digest Gitea image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag -## @param image.pullPolicy Gitea image pull policy -## @param image.pullSecrets Specify docker-registry secret names as an array -## @param image.debug Specify if debug logs should be enabled -## -image: - registry: docker.io - repository: bitnami/gitea - tag: 1.22.1-debian-12-r4 - digest: "" - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## e.g: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## Set to true if you would like to see extra information on logs - ## - debug: true -## @param adminUsername User of the application -## ref: https://github.com/bitnami/containers/tree/main/bitnami/gitea#configuration -## -adminUsername: bn_user -## @param adminPassword Application password -## Defaults to a random 10-character alphanumeric string if not set -## ref: https://github.com/bitnami/containers/tree/main/bitnami/gitea#configuration -## -adminPassword: "" -## @param adminEmail Admin email -## ref: https://github.com/bitnami/containers/tree/main/bitnami/gitea#configuration -## -adminEmail: user@example.com -## @param appName Gitea application name -## ref: https://github.com/bitnami/containers/tree/main/bitnami/gitea#configuration -## -appName: gitea -## @param runMode Gitea application host -## ref: https://github.com/bitnami/containers/tree/main/bitnami/gitea#configuration -## -runMode: prod -## @param exposeSSH Make the SSH server accesible -## -exposeSSH: true -## @param rootURL UI Root URL (for link generation) -## -rootURL: "" -## @param command Override default container command (useful when using 
custom images) -## -command: [] -## @param args Override default container args (useful when using custom images) -## -args: [] -## @param updateStrategy.type Update strategy - only really applicable for deployments with RWO PVs attached -## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the -## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will -## terminate the single previous pod, so that the new, incoming pod can attach to the PV -## -updateStrategy: - type: Recreate -## @param priorityClassName Gitea pods' priorityClassName -## -priorityClassName: "" -## @param schedulerName Name of the k8s scheduler (other than default) -## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ -## -schedulerName: "" -## @param topologySpreadConstraints Topology Spread Constraints for pod assignment -## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ -## The value is evaluated as a template -## -topologySpreadConstraints: [] -## @param automountServiceAccountToken Mount Service Account token in pod -## -automountServiceAccountToken: false -## @param hostAliases [array] Add deployment host aliases -## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ -## -hostAliases: [] -## @param extraEnvVars Extra environment variables -## For example: -## -extraEnvVars: [] -# - name: BEARER_AUTH -# value: true -## @param extraEnvVarsCM ConfigMap containing extra env vars -## -extraEnvVarsCM: "" -## @param extraEnvVarsSecret Secret containing extra env vars (in case of sensitive data) -## -extraEnvVarsSecret: "" -## @param extraVolumes Array of extra volumes to be added to the deployment (evaluated as template). Requires setting `extraVolumeMounts` -## -extraVolumes: [] -## @param extraVolumeMounts Array of extra volume mounts to be added to the container (evaluated as template). 
Normally used with `extraVolumes`. -## -extraVolumeMounts: [] -## @param initContainers Add additional init containers to the pod (evaluated as a template) -## -initContainers: [] -## Pod Disruption Budget configuration -## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb -## @param pdb.create Enable/disable a Pod Disruption Budget creation -## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled -## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty. -## -pdb: - create: true - minAvailable: "" - maxUnavailable: "" -## @param sidecars Attach additional containers to the pod (evaluated as a template) -## -sidecars: [] -## @param tolerations Tolerations for pod assignment -## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ -## -tolerations: [] -## @param existingSecret Name of a secret with the application password -## -existingSecret: "" -## @param existingSecretKey Key inside the existing secret containing the password -## +namespaceOverride: "gitea" +adminUsername: "gitea_admin" +adminEmail: "edward@cheng.sydney" +appName: "gitea" +existingSecret: "gitea-secrets" existingSecretKey: "admin-password" -## SMTP mail delivery configuration -## ref: https://github.com/bitnami/containers/tree/main/bitnami/gitea/#smtp-configuration -## @param smtpHost SMTP host -## @param smtpPort SMTP port -## @param smtpUser SMTP user -## @param smtpPassword SMTP password -## -smtpHost: "" -smtpPort: "" -smtpUser: "" -smtpPassword: "" -## @param smtpExistingSecret The name of an existing secret with SMTP credentials -## NOTE: Must contain key `smtp-password` -## NOTE: When it's set, the `smtpPassword` parameter is ignored -## -smtpExistingSecret: "" -## @param containerPorts [object] Container ports -## -containerPorts: - http: 3000 - ssh: 2222 -## @param extraContainerPorts Optionally 
specify extra list of additional ports for Gitea container(s) -## e.g: -## extraContainerPorts: -## - name: myservice -## containerPort: 9090 -## -extraContainerPorts: [] -## Enable OpenID Configurations -## @param openid.enableSignIn Enable sign in with OpenID -## @param openid.enableSignUp Enable sign up with OpenID -openid: - enableSignIn: false - enableSignUp: false -## Enable persistence using Persistent Volume Claims -## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ -## +smtpHost: "smtp.gmail.com" +smtpPort: "587" +smtpUser: "me@edward.sydney" +smtpExistingSecret: "sonarqube-secrets" persistence: - ## @param persistence.enabled Enable persistence using PVC - ## - enabled: true - ## @param persistence.storageClass PVC Storage Class for Gitea volume - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - storageClass: "" - ## @param persistence.accessModes PVC Access Mode for Gitea volume - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - ## - accessModes: - - ReadWriteOnce - ## @param persistence.size PVC Storage Request for Gitea volume - ## - size: 8Gi - ## @param persistence.dataSource Custom PVC data source - ## - dataSource: {} - ## @param persistence.existingClaim A manually managed Persistent Volume Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - ## existingClaim: "gitea-pvc" - ## @param persistence.hostPath If defined, the gitea-data volume will mount to the specified hostPath. - ## Requires persistence.enabled: true - ## Requires persistence.existingClaim: nil|false - ## Default: nil. 
- ## - hostPath: "" - ## @param persistence.annotations Persistent Volume Claim annotations - ## - annotations: {} - ## @param persistence.selector Selector to match an existing Persistent Volume for Gitea data PVC - ## If set, the PVC can't have a PV dynamically provisioned for it - ## E.g. - ## selector: - ## matchLabels: - ## app: my-app - ## - selector: {} -## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` -## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity -## -podAffinityPreset: "" -## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` -## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity -## -podAntiAffinityPreset: soft -## Node affinity preset -## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity -## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` -## @param nodeAffinityPreset.key Node label key to match Ignored if `affinity` is set. -## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. -## -nodeAffinityPreset: - type: "" - ## E.g. - ## key: "kubernetes.io/e2e-az-name" - ## - key: "" - ## E.g. - ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] -## @param affinity Affinity for pod assignment -## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity -## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set -## -affinity: {} -## @param nodeSelector Node labels for pod assignment. Evaluated as a template. 
-## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ -## -nodeSelector: {} -## Gitea container's resource requests and limits -## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ -## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). -## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 -## -resourcesPreset: "micro" -## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) -## Example: -## resources: -## requests: -## cpu: 2 -## memory: 512Mi -## limits: -## cpu: 3 -## memory: 1024Mi -## -resources: {} -## Configure Pods Security Context -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod -## @param podSecurityContext.enabled Enable Gitea pods' Security Context -## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy -## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface -## @param podSecurityContext.supplementalGroups Set filesystem extra groups -## @param podSecurityContext.fsGroup Gitea pods' group ID -## -podSecurityContext: - enabled: true - fsGroupChangePolicy: Always - sysctls: [] - supplementalGroups: [] - fsGroup: 1001 -## Configure Container Security Context (only main container) -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container -## @param containerSecurityContext.enabled Enabled containers' Security Context -## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container -## @param containerSecurityContext.runAsUser Set containers' Security 
Context runAsUser -## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup -## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot -## @param containerSecurityContext.privileged Set container's Security Context privileged -## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem -## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation -## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped -## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile -## -containerSecurityContext: - enabled: true - seLinuxOptions: {} - runAsUser: 1001 - runAsGroup: 1001 - runAsNonRoot: true - privileged: false - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - seccompProfile: - type: "RuntimeDefault" -## Configure extra options for startup probe -## Gitea core exposes / to unauthenticated requests, making it a good -## default startup and readiness path. However, that may not always be the -## case. For example, if the image value is overridden to an image containing a -## module that alters that route, or an image that does not auto-install Gitea. 
-## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes -## @param startupProbe.enabled Enable startupProbe -## @param startupProbe.path Request path for startupProbe -## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe -## @param startupProbe.periodSeconds Period seconds for startupProbe -## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe -## @param startupProbe.failureThreshold Failure threshold for startupProbe -## @param startupProbe.successThreshold Success threshold for startupProbe -## -startupProbe: - enabled: false - path: / - initialDelaySeconds: 600 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 5 - successThreshold: 1 -## Configure extra options for liveness probe -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes -## @param livenessProbe.enabled Enable livenessProbe -## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe -## @param livenessProbe.periodSeconds Period seconds for livenessProbe -## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe -## @param livenessProbe.failureThreshold Failure threshold for livenessProbe -## @param livenessProbe.successThreshold Success threshold for livenessProbe -## -livenessProbe: - enabled: true - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 30 - failureThreshold: 5 - successThreshold: 1 -## Configure extra options for readiness probe -## Gitea core exposes / to unauthenticated requests, making it a good -## default startup and readiness path. However, that may not always be the -## case. For example, if the image value is overridden to an image containing a -## module that alters that route, or an image that does not auto-install Gitea. 
-## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes -## @param readinessProbe.enabled Enable readinessProbe -## @param readinessProbe.path Request path for readinessProbe -## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe -## @param readinessProbe.periodSeconds Period seconds for readinessProbe -## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe -## @param readinessProbe.failureThreshold Failure threshold for readinessProbe -## @param readinessProbe.successThreshold Success threshold for readinessProbe -## -readinessProbe: - enabled: true - path: / - initialDelaySeconds: 30 - periodSeconds: 60 - timeoutSeconds: 30 - failureThreshold: 5 - successThreshold: 1 -## @param customStartupProbe Override default startup probe -## -customStartupProbe: {} -## @param customLivenessProbe Override default liveness probe -## -customLivenessProbe: {} -## @param customReadinessProbe Override default readiness probe -## -customReadinessProbe: {} -## @param lifecycleHooks LifecycleHook to set additional configuration at startup Evaluated as a template -## -lifecycleHooks: {} -## @param podAnnotations Pod annotations -## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ -## -podAnnotations: {} -## @param podLabels Add additional labels to the pod (evaluated as a template) -## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ -## -podLabels: {} -## @section Traffic Exposure Parameters -## - -## Kubernetes configuration. 
For minikube, set this to NodePort, elsewhere use LoadBalancer -## service: - ## @param service.type Kubernetes Service type - ## - type: LoadBalancer - ## @param service.ports.http Service HTTP port - ## @param service.ports.ssh Service SSH port - ## ports: http: 10080 ssh: 10022 - ## @param service.loadBalancerSourceRanges Restricts access for LoadBalancer (only with `service.type: LoadBalancer`) - ## e.g: - ## loadBalancerSourceRanges: - ## - 0.0.0.0/0 - ## - loadBalancerSourceRanges: [] - ## @param service.loadBalancerIP loadBalancerIP for the Gitea Service (optional, cloud specific) - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer - ## - loadBalancerIP: "" - ## @param service.nodePorts [object] Kubernetes node port - ## nodePorts: - ## http: - ## https: - ## - nodePorts: - http: "" - ssh: "" - ## @param service.externalTrafficPolicy Enable client source IP preservation - ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster - ## @param service.clusterIP Gitea service Cluster IP - ## e.g.: - ## clusterIP: None - ## - clusterIP: "" - ## @param service.extraPorts Extra ports to expose (normally used with the `sidecar` value) - ## - extraPorts: [] - ## @param service.annotations Additional custom annotations for Gitea service - ## - annotations: {} - ## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" - ## If "ClientIP", consecutive client requests will be directed to the same Pod - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - ## - sessionAffinity: None - ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity - ## sessionAffinityConfig: - ## clientIP: - ## timeoutSeconds: 300 - ## - sessionAffinityConfig: {} - -## Network Policy configuration -## ref: 
https://kubernetes.io/docs/concepts/services-networking/network-policies/ -## -networkPolicy: - ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created - ## - enabled: true - ## @param networkPolicy.allowExternal Don't require server label for connections - ## The Policy model to apply. When set to false, only pods with the correct - ## server label will have network access to the ports server is listening - ## on. When true, server will accept connections from any source - ## (with the correct destination port). - ## - allowExternal: true - ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. - ## - allowExternalEgress: true - ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy - ## e.g: - ## extraIngress: - ## - ports: - ## - port: 1234 - ## from: - ## - podSelector: - ## - matchLabels: - ## - role: frontend - ## - podSelector: - ## - matchExpressions: - ## - key: role - ## operator: In - ## values: - ## - frontend - extraIngress: [] - ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy - ## e.g: - ## extraEgress: - ## - ports: - ## - port: 1234 - ## to: - ## - podSelector: - ## - matchLabels: - ## - role: frontend - ## - podSelector: - ## - matchExpressions: - ## - key: role - ## operator: In - ## values: - ## - frontend - ## - extraEgress: [] - ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces - ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces - ## - ingressNSMatchLabels: {} - ingressNSPodMatchLabels: {} - -## Configure the ingress resource that allows you to access the -## Gitea installation. 
Set up the URL -## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ -## ingress: - ## @param ingress.enabled Enable ingress controller resource - ## enabled: true - ## @param ingress.pathType Ingress Path type - ## - pathType: ImplementationSpecific - ## @param ingress.apiVersion Override API Version (automatically detected if not set) - ## - apiVersion: "" - ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) - ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . - ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ - ## ingressClassName: "nginx" - ## @param ingress.hostname Default host for the ingress resource - ## - hostname: "gitea.cluster.edward.sydney" - ## @param ingress.path The Path to Gitea. You may need to set this to '/*' in order to use this - ## with ALB ingress controllers. - ## - path: / - ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
- ## For a full list of possible ingress annotations, please see - ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md - ## Use this parameter to set the required annotations for cert-manager, see - ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations - ## - ## e.g: - ## annotations: - ## kubernetes.io/ingress.class: nginx - ## cert-manager.io/cluster-issuer: cluster-issuer-name - ## - annotations: {} - ## @param ingress.tls Enable TLS configuration for the hostname defined at ingress.hostname parameter - ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }} - ## You can use the ingress.secrets parameter to create this TLS secret or relay on cert-manager to create it - ## - tls: false - ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm - ## - selfSigned: false - ## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record. - ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array - ## extraHosts: - ## - name: gitea.local - ## path: / - ## - extraHosts: [] - ## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host. - ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. - ## extraPaths: - ## - path: /* - ## backend: - ## serviceName: ssl-redirect - ## servicePort: use-annotation - ## - extraPaths: [] - ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. 
- ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls - ## extraTls: - ## - hosts: - ## - gitea.local - ## secretName: gitea.local-tls - ## - extraTls: [] - ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets - ## key and certificate should start with -----BEGIN CERTIFICATE----- or - ## -----BEGIN RSA PRIVATE KEY----- - ## - ## name should line up with a tlsSecret set further up - ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set - ## - ## It is also possible to create and manage the certificates outside of this helm chart - ## Please see README.md for more information - ## Example: - ## - name: gitea.local-tls - ## key: - ## certificate: - ## - secrets: [] - ## @param ingress.extraRules Additional rules to be covered with this ingress record - ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules - ## e.g: - ## extraRules: - ## - host: example.local - ## http: - ## path: / - ## backend: - ## service: - ## name: example-svc - ## port: - ## name: http - ## - extraRules: [] -## @section Other Parameters -## - -## Service account for Gitea to use. -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ -## serviceAccount: - ## @param serviceAccount.create Enable creation of ServiceAccount for Gitea pod - ## - create: true - ## @param serviceAccount.name The name of the ServiceAccount to use. 
- ## If not set and create is true, a name is generated using the common.names.fullname template - ## - name: "" - ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created - ## Can be set to false if pods using this serviceAccount do not need to use K8s API - ## - automountServiceAccountToken: false - ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount - ## - annotations: {} -## @section Database parameters -## - -## PostgreSQL chart configuration -## ref: https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml -## @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart -## @param postgresql.auth.username Name for a custom user to create -## @param postgresql.auth.password Password for the custom user to create -## @param postgresql.auth.database Name for a custom database to create -## @param postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials -## @param postgresql.architecture PostgreSQL architecture (`standalone` or `replication`) -## @param postgresql.service.ports.postgresql PostgreSQL service port -## + name: gitea postgresql: enabled: false - auth: - username: bn_gitea - password: "" - database: bitnami_gitea - existingSecret: "" - architecture: standalone - service: - ports: - postgresql: 5432 -## External PostgreSQL configuration -## All of these values are only used when postgresql.enabled is set to false -## @param externalDatabase.host Database host -## @param externalDatabase.port Database port number -## @param externalDatabase.user Non-root username for JupyterHub -## @param externalDatabase.password Password for the non-root username for JupyterHub -## @param externalDatabase.database JupyterHub database name -## @param externalDatabase.existingSecret Name of an existing secret resource containing the database credentials -## @param 
externalDatabase.existingSecretPasswordKey Name of an existing secret key containing the database credentials -## externalDatabase: - host: "" - port: 5432 - user: postgres - database: gitea - password: "" - existingSecret: "" - existingSecretPasswordKey: "db-password" -## @section Volume Permissions parameters -## - -## Init containers parameters: -## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. -## -volumePermissions: - ## @param volumePermissions.enabled Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work) - ## - enabled: false - ## @param volumePermissions.image.registry [default: REGISTRY_NAME] Init container volume-permissions image registry - ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] Init container volume-permissions image name - ## @skip volumePermissions.image.tag Init container volume-permissions image tag - ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag - ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy - ## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array - ## - image: - registry: docker.io - repository: bitnami/os-shell - tag: 12-debian-12-r25 - digest: "" - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. 
- ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## e.g: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## Init containers' resource requests and limits - ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## We usually recommend not to specify default resources and to leave this as a conscious - ## choice for the user. This also increases chances charts run on environments with little - ## resources, such as Minikube. If you do want to specify resources, uncomment the following - ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. - ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). - ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 - ## - resourcesPreset: "nano" - ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) - ## Example: - ## resources: - ## requests: - ## cpu: 2 - ## memory: 512Mi - ## limits: - ## cpu: 3 - ## memory: 1024Mi - ## - resources: {} + host: "postgresql-primary.argocd.svc.cluster.local" + user: "gitea_user" + existingSecret: "gitea-secrets" + existingSecretPasswordKey: "db-password" \ No newline at end of file diff --git a/resources/app-secrets/env/k3s-cluster/templates/gitea.yaml b/resources/app-secrets/env/k3s-cluster/templates/gitea.yaml index e20de64..c5fcb01 100644 --- a/resources/app-secrets/env/k3s-cluster/templates/gitea.yaml +++ b/resources/app-secrets/env/k3s-cluster/templates/gitea.yaml 
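Review bot: `smtpExistingSecret: "sonarqube-secrets"` points Gitea's SMTP credentials at a secret named for another application, while `existingSecret` and `externalDatabase.existingSecret` in the same file both use `gitea-secrets`. The chart comment removed by this hunk says that secret must hold the key `smtp-password`, and the SealedSecret hunk in `resources/app-secrets/env/k3s-cluster/templates/gitea.yaml` adds exactly that key in namespace `gitea`, so this looks like a copy-paste slip and `smtpExistingSecret: "gitea-secrets"` is the likely intent (the SealedSecret's name lies outside that hunk, so confirm it). Keeping each application's credentials in its own secret also limits what a single workload can read. Separately, the customised `hostname: "gitea.cluster.edward.sydney"` line is dropped and `ingress.tls` is not set, so the ingress host falls back to the chart default and admin logins travel over plain HTTP unless TLS is terminated elsewhere.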
@@ -9,15 +9,9 @@ metadata: namespace: gitea spec: encryptedData: - admin_email: 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 - admin_password: AgBUy2a0J9nZxlngZu9Wl/NaRt+7GtpV1JJbFUNdYgNVInvUL6RO7dQz7zzKepmo4yuBIId7GA/NWvxd4qP9Mwm6/hIGuwNaRzK4vtJrDG0O1pUjJz3gDD5snFYtUEVf1XmBm7YklMy3fNWif7BNbBhHB/RjgD01fpFL5s1y36UxHoicaaLB/iWJXv+ZvKRpnmbsAuxtIwH2Cn0i/mJR0elk80I2ZfwXjfmv49u/R7L86g6aq/XpeFfJ+q0t0ZTzfA98HA6GtUqDw58lshTFbXOwYV5h6JDoKs3yLucu0Q+L6LteEj1PHYB7yDH3/25gMi0ckzJP/Hz8dde8BwO3UQDZtIZ7SvOznXMd3DIj6693URnp4LwPC3UZKqZMUFpGVuZAWQa6w8rmRSBqbsSIwYdEDoAz3Cmw/EJjGQpfs6/n8UZgZ6P78T5cCOEBTpbd1lRR7KcaJqU4mFCJHPSHrxMPi7zEXVrtXEYqIwWN1YrHvFxw8FN+H/Dyq3B6g45hj786uRjOFkbS6I/mgmo9IUhQQgKn9H5K5ze9WGLGl00LR8JPYAdvMnC14IzTVeceU44G/fbZStP9mkayZsBlA/OvGFTg14qC5o6agjB0vZmQkyFYKm7h36Bu/UcLUljNmN7IruLd4zbn+N77mGatjMufJP9tQkfv4YL5NWxUz1v5UY+WG0JIjLj+svawce9xJftk9LJ185VHlnHztFoutTI8e6l7PQ== - admin_username: 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 - app_name: 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 - db_host: AgA7m/x+3dVniLN1p2QhvuFNQKBZ1g+554+q02kbp498LEvg7xlabvcYdYkK+PHi+KoirykenJqyo3eZdwe1LkoSqAgp3LJNF/xWKU1ulpVhZRk68VgGcMdG70cKH9uk9irbOxSRkt/d07yeY1Ba/68PrYy56Lf03hnNyh+RyCMpISy3q7+EwZc6oiqcmV6rxr0AbP1iqV6G6kDVa0iQEerOnOZ0clXjZOERyhGFAv2jEqHuKQXdJ+Su9YIduqoQj+/7yrhmi+ifj33dGAQrZxZlIFcd5PdPJMhSo5WsjCP6bP6a10hi5m0bv6z56Z7dgqHeXzXPJnpnU1fjb4crrJRkSOJzR2mtVlLI8UGdNU7hkYFNvrV4lNDXhcyd8W8cTMCVIJzIW9g5mporMZdghlCwwZkti1CpAshLlKeF3iOUdX0nYWVGNLURg6Kkvta2GwbL3rVMxgZ5HTcWoulvMT12aRPRxGhsyLvXiAS9C+b6XQSSl1k2lvpoLDOhQJdoCHXByUxi3YBElAdfNZ+IQ1Mc855+ZOz1UO7lHiqadpCnVgT32TnZVwGZJKE/B8Sr7AfRtp4n//g6q1XlMdTwkyFtHP36dPKidnUd2ReYzysvMThvVy45dSMXBET6x8t4k4QbhjtSMHMunKLmVsur3tTb3T6t03T4NG3tb4+oWofxCCBCrFUIlddawLodZv7fP+AuuqKrumJWfYfF8xNIwVzTC98U+Kq2OsXyCw/7PLXhc4jbNeQes8TBmcaNJDxV+w== - db_name: 
AgApTQ4a2gBfYYAeXjkkO3CsJouadi8n4TZzyPW+KMtbgFXq0RP6T3jwPnf9SWFlZxkoDUtwiQWOXPN6jc/B+pd3CU/dpqCBD/Nf/BX91VoWvzyYXnBHkLzTiU7CXBn3J5omjLnm16YrAaxxk3b/L6RZSqX1DVunlXBIgIHYY2egyKWx2YblH2DXF65eI0eQ3wjy1nf4akdVEOZJnP2nPb36Rvs6ZYo5UjuxqkeVNum5+R7R4yTmdbADdyZPswxczSh3NT8/7dJA56Sg+BXDrdNlpahoApDfLWm/S58XDN4bQt7bE180nbeFYnNMcxdNTqkldAzfLff4CWfeTmK+F9sHCmtB1af9NZrR2/mLG3+v8tUP+EsLUbp8HeAxV3TXqaaAEOCI0lRT3/YDHnCuS/nNGndwfCUHyJhjA/dCpkY4mol4Y592bCf3RomdZOH5dSlwc/opRn+hJKzWsFZgUxG4miQ09Htti9op4gK5cX1NVmUegSLeLF9GtxzTd0/Qf2u3t8yTqIGNCjohtWnHY8pI4q9oZmc6hw/62y1nFhCnEPuxsqkYQr0Y6+CjQ0/D1eHQCLR2pe6tjvy4rgJBiIwG1Ns/ipNrC/7pegb+XwQ35lVDGvO9knlCzYwnt4piBYly3/I4NW3oswHLvC0488FXcJt0jtVTGZKQCGFwzZs84ZtnrHuAZqiKsoWCMirc2KnIdJePcQ== - db_password: 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 - db_port: AgB7IN1Gs3WBKPvMujyS1e9AqxotjmQOv2QfOqX6dGEYEET4Ay067xcdbyns6oczUnuQyKpIr79oZzeezevPM+RTVYCwEyTxF84Qcs9h/psY61cYOEwNcIu+m5iP+qb2sFlopK6QZk03zPyd1XZ5TlRw6Nv2Nt3gPvoksgG7L0CM8xWvcpcG2/khh9UuckUGErcaK3nMxdKAKZLjVaVdRIC78u03NEc4cj9KH7r/Zz5PZXOVlZyUAxCtUMe0NHs7bFhRp5Boxa+Jz0cfJ4fDZlwHgMQLxi8nQbKmZf1B3HY4+zUYShBrxWWFBimqpctJDFpV4z5DHJVTeFSxgPXh0t5qsYikeeVqDnbGMx+4yyno3+IkD+Se73z7boS5sbYhPtifm1dS88DbAMDckMAiR5ktDLbItSwGoxGTegqmhbvUtxhpzl64Q6yrrQetJ/sT/j+Q6YWCqrnhQvgcR9rasFCUswGmnr0cF9jYVRkDHpK4Ehwf8HNriyY1RlDnopBGtx+t7hUb7yrNoSnJQEVSCKCMkxOzP9gMsfZptO66MWsX+Jbr9vQV88Wzqshe5oYTJk8UkqeOqZLPp5aKs/5uv/BJNGwJbDuMlXmX8ZU5c4jn0FyzGeamqxqttgIonXgo0eeR4FwV5NTLgX1h5IETMKHBsNbzmJuu9fF92pycYVeb3AngMMKveLqkN2y/s/bKBNGFtcyh - db_user: 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 + admin-password: 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 + db-password: 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 + smtp-password: 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 template: metadata: annotations: diff --git a/resources/app-volumes/env/k3s-cluster/templates/gitea-pv.yaml b/resources/app-volumes/env/k3s-cluster/templates/gitea-pv.yaml index 887278a..ad0e65a 100644 
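Review bot: The new `encryptedData` keeps only `admin-password`, `db-password` and `smtp-password`, dropping `admin_username`, `admin_email`, `app_name` and the `db_*` connection keys, while the commit's file list shows `deployment.yaml` moved to `base/` at 100% similarity, i.e. unchanged. If that Deployment or anything else in the `gitea` namespace still reads the old underscore names through `secretKeyRef`, its containers will fail to start once the Secret is regenerated, so it is worth grepping for the old key names before merging. The removed ciphertexts remain in git history; whether the passwords were rotated when re-sealing cannot be seen from the hunk and is worth stating in the commit message. A comment above `encryptedData:` such as `# keys consumed by apps/gitea values.yaml: admin-password, db-password, smtp-password` would document the contract. The manifest's `metadata` and `template` sections continue outside the hunk.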
--- a/resources/app-volumes/env/k3s-cluster/templates/gitea-pv.yaml
+++ b/resources/app-volumes/env/k3s-cluster/templates/gitea-pv.yaml
@@ -24,7 +24,7 @@ spec:
 required:
 nodeSelectorTerms:
 - matchExpressions:
- - key: kubernetes.io/hostname
+ - key: kubernetes.io/arch
 operator: In
 values:
- - rpi5-cluster-node-2
\ No newline at end of file
+ - arm64
\ No newline at end of file
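Review bot: Widening the PersistentVolume's node affinity from `kubernetes.io/hostname In rpi5-cluster-node-2` to `kubernetes.io/arch In arm64` is only safe if the backing storage is reachable from every arm64 node. The volume source is outside the hunk; if it is a `local` or `hostPath` volume, the Gitea pod can now be scheduled onto a node that does not hold the repository data and will start against an empty or stale directory. In that case keep `- key: kubernetes.io/hostname` with the node name, and express the architecture constraint on the Deployment's own `nodeSelector` instead. Changing `nodeAffinity` on an already-created PV may also be rejected by the API server, so the rollout may need the PV to be recreated (presumably; confirm against the cluster version).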