devtools/gerrit/kube/gerrit.libsonnet - hscloud - Gitiles

 local kube = import "../../../kube/hscloud.libsonnet";

 {
     local top = self,
     local cfg = top.cfg,

     cfg:: {
         namespace: error "namespace must be set",
         appName: "gerrit",
         prefix: "", # if set, should be 'foo-'
         domain: error "domain must be set",
         identity: error "identity (UUID) must be set",

         // The secret must contain a key named 'secure.config' containing (at least):
         // [auth]
         //      registerEmailPrivateKey = <random>
         // [plugin "gerrit-oauth-provider-warsawhackerspace-oauth"]
         //      client-id = foo
         //      client-secret = bar
         // [sendemail]
         //      smtpPass = foo
         // [receiveemail]
         //      password = bar
         secureSecret: error "secure secret name must be set",

         storageClass: error "storage class must be set",
         storageSize: {
             git: "50Gi", // Main storage for repositories and NoteDB.
             index: "10Gi", // Secondary Lucene index
             cache: "10Gi", // H2 cache databases
             db: "1Gi", // NoteDB is used, so database is basically empty (H2 accountPatchReviewDatabase)
             etc: "1Gi", // Random site stuff.
         },

         email: {
             server: "mail.hackerspace.pl",
             username: "gerrit",
             address: "gerrit@hackerspace.pl",
         },

         tag: "3.7.5-r7",
         image: "registry.k0.hswaw.net/q3k/gerrit:" + cfg.tag,
         resources: {
             requests: {
                 cpu: "100m",
                 memory: "500Mi",
             },
             limits: {
                 cpu: "1",
                 memory: "2Gi",
             },
         },
     },

     secretRefs:: {
         FORGEJO_TOKEN: { secretKeyRef: { name: top.keys.metadata.name, key: "FORGEJO_TOKEN" } },
     },

     name(suffix):: cfg.prefix + suffix,

     metadata(component):: {
         namespace: cfg.namespace,
         labels: {
             "app.kubernetes.io/name": cfg.appName,
             "app.kubernetes.io/managed-by": "kubecfg",
             "app.kubernetes.io/component": "component",
         },
     },

     configmap: kube.ConfigMap(top.name("gerrit")) {
         metadata+: top.metadata("configmap"),
         data: {
             "gerrit.config": |||
                 [gerrit]
                     basePath  = git
                     canonicalWebUrl = https://%(domain)s/
                     serverId = %(identity)s
                     reportBugUrl = https://b.hackerspace.pl/new
                     primaryWeblinkName = Forgejo

                 [commentlink "b"]
                     match = [Bb]/(\\d+)
                     link = https://b.hackerspace.pl/$1

                 [gitweb]
                     url = https://code.hackerspace.pl/
                     type = custom
                     revision = hswaw/${project}/commit/${commit}
                     project = hswaw/${project}
                     branch = hswaw/${project}/src/branch/${branch}
                     tag = hswaw/${project}/releases/tag/${tag}
                     roottree = hswaw/${project}/src/commit/${commit}
                     file = hswaw/${project}/src/commit/${hash}/${file}
                     filehistory = hswaw/${project}/commits/branch/${branch}/${file}
                     linkname = Forgejo

                 [sshd]
                     advertisedAddress  = %(domain)s

                 [container]
                     javaOptions = -Djava.security.edg=file:/dev/./urandom

                 [auth]
                     type = OAUTH
                     gitBasicAuthPolicy = HTTP

                 [httpd]
                     listenUrl = proxy-http://*:8080

                 [sshd]
                     advertisedAddress = %(domain)s

                 [user]
                     email = %(emailAddress)s

                 [sendemail]
                     enable = true
                     from = MIXED
                     smtpServer = %(emailServer)s
                     smtpServerPort = 465
                     smtpEncryption = ssl
                     smtpUser = %(emailUser)s

                 [receiveemail]
                     protocol = IMAP
                     host = %(emailServer)s
                     username = %(emailUser)s
                     encryption = TLS
                     enableImapIdle = true

                 [plugin "avatars-gravatar"]
                     gravatarUrl = https://profile.hackerspace.pl/avatar/
                     changeAvatarUrl = https://profile.hackerspace.pl/vcard

             ||| % {
                 domain: cfg.domain,
                 identity: cfg.identity,
                 emailAddress: cfg.email.address,
                 emailServer: cfg.email.server,
                 emailUser: cfg.email.username,
             },
         },
     },

     volumes: {
         [name]: kube.PersistentVolumeClaim(top.name(name)) {
             metadata+: top.metadata("storage"),
             storage:: cfg.storageSize[name],
             storageClass:: cfg.storageClassName,
         }
         for name in ["etc", "git", "index", "cache", "db"]
     },

     local volumeMounts = {
         [name]: { mountPath: "/var/gerrit/%s" % name }
         for name in ["etc", "git", "index", "cache", "db"]
     } {
         // ConfigMap gets mounted here
         config: { mountPath: "/var/gerrit-config" },
         // SecureSecret gets mounted here
         secure: { mountPath: "/var/gerrit-secure" },
     },
     keys: kube.Secret(top.name("keys")) {
         metadata+: top.metadata("deployment"),
         //data_: {
         //    FORGEJO_TOKEN: "fill me when deploying, TODO(q3k): god damn secrets",
         //},
     },
     deployment: kube.Deployment(top.name("gerrit")) {
         metadata+: top.metadata("deployment"),
         spec+: {
             replicas: 1,
             template+: {
                 spec+: {
                     securityContext: {
                         fsGroup: 1000, # gerrit uid
                     },
                     volumes_: {
                         config: top.configmap.volume,
                         secure: { secret: { secretName: cfg.secureSecret} },
                     } {
                         [name]: kube.PersistentVolumeClaimVolume(top.volumes[name])
                         for name in ["etc", "git", "index", "cache", "db"]
                     },
                     containers_: {
                         gerrit: kube.Container(top.name("gerrit")) {
                             image: cfg.image,
                             ports_: {
                                 http: { containerPort: 8080 },
                                 ssh: { containerPort: 29418 },
                             },
                             env_: {
                                 FORGEJO_TOKEN: top.secretRefs.FORGEJO_TOKEN,
                             },
                             resources: cfg.resources,
                             volumeMounts_: volumeMounts,

                             livenessProbe: {
                                 httpGet: {
                                     path: "/",
                                     port: 8080,
                                 },
                                 initialDelaySeconds: 60,
                                 periodSeconds: 10,
                             },
                         },
                     },
                 },
             },
         },
     },

     svc: kube.Service(top.name("gerrit")) {
         metadata+: top.metadata("service"),
         target:: top.deployment,
         spec+: {
             ports: [
                 { name: "http", port: 80, targetPort: 8080, protocol: "TCP" },
                 { name: "ssh", port: 22, targetPort: 29418, protocol: "TCP" },
             ],
             type: "ClusterIP",
         },
     },

     ingress: kube.SimpleIngress(top.name("gerrit")) {
         hosts:: [cfg.domain],
         target:: top.svc,
         metadata+: top.metadata("ingress"),
     },
 }
	local kube = import "../../../kube/hscloud.libsonnet";

	{
	local top = self,
	local cfg = top.cfg,

	cfg:: {
	namespace: error "namespace must be set",
	appName: "gerrit",
	prefix: "", # if set, should be 'foo-'
	domain: error "domain must be set",
	identity: error "identity (UUID) must be set",

	// The secret must contain a key named 'secure.config' containing (at least):
	// [auth]
	// registerEmailPrivateKey = <random>
	// [plugin "gerrit-oauth-provider-warsawhackerspace-oauth"]
	// client-id = foo
	// client-secret = bar
	// [sendemail]
	// smtpPass = foo
	// [receiveemail]
	// password = bar
	secureSecret: error "secure secret name must be set",

	storageClass: error "storage class must be set",
	storageSize: {
	git: "50Gi", // Main storage for repositories and NoteDB.
	index: "10Gi", // Secondary Lucene index
	cache: "10Gi", // H2 cache databases
	db: "1Gi", // NoteDB is used, so database is basically empty (H2 accountPatchReviewDatabase)
	etc: "1Gi", // Random site stuff.
	},

	email: {
	server: "mail.hackerspace.pl",
	username: "gerrit",
	address: "gerrit@hackerspace.pl",
	},

	tag: "3.7.5-r7",
	image: "registry.k0.hswaw.net/q3k/gerrit:" + cfg.tag,
	resources: {
	requests: {
	cpu: "100m",
	memory: "500Mi",
	},
	limits: {
	cpu: "1",
	memory: "2Gi",
	},
	},
	},

	secretRefs:: {
	FORGEJO_TOKEN: { secretKeyRef: { name: top.keys.metadata.name, key: "FORGEJO_TOKEN" } },
	},

	name(suffix):: cfg.prefix + suffix,

	metadata(component):: {
	namespace: cfg.namespace,
	labels: {
	"app.kubernetes.io/name": cfg.appName,
	"app.kubernetes.io/managed-by": "kubecfg",
	"app.kubernetes.io/component": "component",
	},
	},

	configmap: kube.ConfigMap(top.name("gerrit")) {
	metadata+: top.metadata("configmap"),
	data: {
	"gerrit.config": \|\|\|
	[gerrit]
	basePath = git
	canonicalWebUrl = https://%(domain)s/
	serverId = %(identity)s
	reportBugUrl = https://b.hackerspace.pl/new
	primaryWeblinkName = Forgejo

	[commentlink "b"]
	match = [Bb]/(\\d+)
	link = https://b.hackerspace.pl/$1

	[gitweb]
	url = https://code.hackerspace.pl/
	type = custom
	revision = hswaw/${project}/commit/${commit}
	project = hswaw/${project}
	branch = hswaw/${project}/src/branch/${branch}
	tag = hswaw/${project}/releases/tag/${tag}
	roottree = hswaw/${project}/src/commit/${commit}
	file = hswaw/${project}/src/commit/${hash}/${file}
	filehistory = hswaw/${project}/commits/branch/${branch}/${file}
	linkname = Forgejo

	[sshd]
	advertisedAddress = %(domain)s

	[container]
	javaOptions = -Djava.security.edg=file:/dev/./urandom

	[auth]
	type = OAUTH
	gitBasicAuthPolicy = HTTP

	[httpd]
	listenUrl = proxy-http://*:8080

	[sshd]
	advertisedAddress = %(domain)s

	[user]
	email = %(emailAddress)s

	[sendemail]
	enable = true
	from = MIXED
	smtpServer = %(emailServer)s
	smtpServerPort = 465
	smtpEncryption = ssl
	smtpUser = %(emailUser)s

	[receiveemail]
	protocol = IMAP
	host = %(emailServer)s
	username = %(emailUser)s
	encryption = TLS
	enableImapIdle = true

	[plugin "avatars-gravatar"]
	gravatarUrl = https://profile.hackerspace.pl/avatar/
	changeAvatarUrl = https://profile.hackerspace.pl/vcard

	\|\|\| % {
	domain: cfg.domain,
	identity: cfg.identity,
	emailAddress: cfg.email.address,
	emailServer: cfg.email.server,
	emailUser: cfg.email.username,
	},
	},
	},

	volumes: {
	[name]: kube.PersistentVolumeClaim(top.name(name)) {
	metadata+: top.metadata("storage"),
	storage:: cfg.storageSize[name],
	storageClass:: cfg.storageClassName,
	}
	for name in ["etc", "git", "index", "cache", "db"]
	},

	local volumeMounts = {
	[name]: { mountPath: "/var/gerrit/%s" % name }
	for name in ["etc", "git", "index", "cache", "db"]
	} {
	// ConfigMap gets mounted here
	config: { mountPath: "/var/gerrit-config" },
	// SecureSecret gets mounted here
	secure: { mountPath: "/var/gerrit-secure" },
	},
	keys: kube.Secret(top.name("keys")) {
	metadata+: top.metadata("deployment"),
	//data_: {
	// FORGEJO_TOKEN: "fill me when deploying, TODO(q3k): god damn secrets",
	//},
	},
	deployment: kube.Deployment(top.name("gerrit")) {
	metadata+: top.metadata("deployment"),
	spec+: {
	replicas: 1,
	template+: {
	spec+: {
	securityContext: {
	fsGroup: 1000, # gerrit uid
	},
	volumes_: {
	config: top.configmap.volume,
	secure: { secret: { secretName: cfg.secureSecret} },
	} {
	[name]: kube.PersistentVolumeClaimVolume(top.volumes[name])
	for name in ["etc", "git", "index", "cache", "db"]
	},
	containers_: {
	gerrit: kube.Container(top.name("gerrit")) {
	image: cfg.image,
	ports_: {
	http: { containerPort: 8080 },
	ssh: { containerPort: 29418 },
	},
	env_: {
	FORGEJO_TOKEN: top.secretRefs.FORGEJO_TOKEN,
	},
	resources: cfg.resources,
	volumeMounts_: volumeMounts,

	livenessProbe: {
	httpGet: {
	path: "/",
	port: 8080,
	},
	initialDelaySeconds: 60,
	periodSeconds: 10,
	},
	},
	},
	},
	},
	},
	},

	svc: kube.Service(top.name("gerrit")) {
	metadata+: top.metadata("service"),
	target:: top.deployment,
	spec+: {
	ports: [
	{ name: "http", port: 80, targetPort: 8080, protocol: "TCP" },
	{ name: "ssh", port: 22, targetPort: 29418, protocol: "TCP" },
	],
	type: "ClusterIP",
	},
	},

	ingress: kube.SimpleIngress(top.name("gerrit")) {
	hosts:: [cfg.domain],
	target:: top.svc,
	metadata+: top.metadata("ingress"),
	},
	}