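// Gerrit code review for Kubernetes.
//
// This file is a library object, not a deployable manifest on its own: a
// caller extends it and overrides `cfg` (at minimum namespace, domain,
// identity, secureSecret and storageClass). It renders:
//   - a ConfigMap holding gerrit.config,
//   - one PersistentVolumeClaim per site directory (etc/git/index/cache/db),
//   - a single-replica Deployment mounting the config, the secure secret and
//     the claims under /var/gerrit*,
//   - a ClusterIP Service exposing HTTP (80 -> 8080) and SSH (22 -> 29418),
//   - an Ingress for cfg.domain with ACME-issued TLS.
local kube = import "../../../kube/kube.libsonnet";

{
    local gerrit = self,
    local cfg = gerrit.cfg,

    // Gerrit site directories that each get their own PersistentVolumeClaim;
    // every entry must have a matching size in cfg.storageSize.
    local volumeNames = ["etc", "git", "index", "cache", "db"],

    cfg:: {
        namespace: error "namespace must be set",
        appName: "gerrit",
        prefix: "",  // if set, should be 'foo-'
        domain: error "domain must be set",
        identity: error "identity (UUID) must be set",

        // The secret must contain a key named 'secure.config' containing (at least):
        // [auth]
        //   registerEmailPrivateKey = <random>
        // [plugin "gerrit-oauth-provider-warsawhackerspace-oauth"]
        //   client-id = foo
        //   client-secret = bar
        // [sendemail]
        //   smtpPass = foo
        // [receiveemail]
        //   password = bar
        secureSecret: error "secure secret name must be set",

        // Storage class for every PersistentVolumeClaim in `volumes`.
        storageClass: error "storage class must be set",
        // `volumes` reads this field. It follows storageClass unless a caller
        // sets storageClassName directly, so callers using either spelling
        // keep working (previously only the undeclared storageClassName was
        // read and the storageClass error above could never fire).
        storageClassName: cfg.storageClass,
        storageSize: {
            git: "50Gi",    // Main storage for repositories and NoteDB.
            index: "10Gi",  // Secondary Lucene index
            cache: "10Gi",  // H2 cache databases
            db: "1Gi",      // NoteDB is used, so database is basically empty (H2 accountPatchReviewDatabase)
            etc: "1Gi",     // Random site stuff.
        },

        email: {
            server: "mail.hackerspace.pl",
            username: "gerrit",
            address: "gerrit@hackerspace.pl",
        },

        tag: "3.3.0-r7",
        image: "registry.k0.hswaw.net/q3k/gerrit:" + cfg.tag,
        resources: {
            requests: {
                cpu: "100m",
                memory: "500Mi",
            },
            limits: {
                cpu: "1",
                memory: "2Gi",
            },
        },
    },

    // Object name with the configured prefix applied.
    name(suffix):: cfg.prefix + suffix,

    // Common metadata for every emitted object; `component` becomes the value
    // of the app.kubernetes.io/component label.
    metadata(component):: {
        namespace: cfg.namespace,
        labels: {
            "app.kubernetes.io/name": cfg.appName,
            "app.kubernetes.io/managed-by": "kubecfg",
            // Previously the literal string "component", which gave every
            // object the same label regardless of the argument.
            "app.kubernetes.io/component": component,
        },
    },

    // gerrit.config, rendered from cfg. Credentials never go here: they live
    // in secure.config inside cfg.secureSecret.
    //
    // Notes on the non-obvious settings:
    //  - container.javaOptions points the JVM's SecureRandom seed source at the
    //    non-blocking urandom device. The property is java.security.egd; it
    //    used to be misspelled 'edg', which the JVM silently ignored, so the
    //    option had no effect.
    //  - httpd.listenUrl uses proxy-http because TLS is terminated by the
    //    ingress below; canonicalWebUrl is the external https URL.
    //  - The [sshd] section is declared once (an earlier version repeated it
    //    with the same advertisedAddress).
    configmap: kube.ConfigMap(gerrit.name("gerrit")) {
        metadata+: gerrit.metadata("configmap"),
        data: {
            "gerrit.config": |||
                [gerrit]
                    basePath = git
                    canonicalWebUrl = https://%(domain)s/
                    serverId = %(identity)s

                [sshd]
                    advertisedAddress = %(domain)s

                [container]
                    javaOptions = -Djava.security.egd=file:/dev/./urandom

                [auth]
                    type = OAUTH
                    gitBasicAuthPolicy = HTTP

                [httpd]
                    listenUrl = proxy-http://*:8080

                [user]
                    email = %(emailAddress)s

                [sendemail]
                    enable = true
                    from = MIXED
                    smtpServer = %(emailServer)s
                    smtpServerPort = 465
                    smtpEncryption = ssl
                    smtpUser = %(emailUser)s

                [receiveemail]
                    protocol = IMAP
                    host = %(emailServer)s
                    username = %(emailUser)s
                    encryption = TLS
                    enableImapIdle = true

            ||| % {
                domain: cfg.domain,
                identity: cfg.identity,
                emailAddress: cfg.email.address,
                emailServer: cfg.email.server,
                emailUser: cfg.email.username,
            },
        },
    },

    // One ReadWriteOnce claim per site directory, sized from cfg.storageSize.
    volumes: {
        [name]: kube.PersistentVolumeClaim(gerrit.name(name)) {
            metadata+: gerrit.metadata("storage"),
            spec+: {
                storageClassName: cfg.storageClassName,
                accessModes: ["ReadWriteOnce"],
                resources: {
                    requests: {
                        storage: cfg.storageSize[name],
                    },
                },
            },
        }
        for name in volumeNames
    },

    // Mount points inside the gerrit container: the claims under
    // /var/gerrit/<name>, plus the config and secret volumes.
    local volumeMounts = {
        [name]: { mountPath: "/var/gerrit/%s" % name }
        for name in volumeNames
    } {
        // ConfigMap gets mounted here
        config: { mountPath: "/var/gerrit-config" },
        // SecureSecret gets mounted here
        secure: { mountPath: "/var/gerrit-secure" },
    },

    // Single replica: the site directories are ReadWriteOnce and Gerrit keeps
    // local state (index, caches) in them.
    deployment: kube.Deployment(gerrit.name("gerrit")) {
        metadata+: gerrit.metadata("deployment"),
        spec+: {
            replicas: 1,
            template+: {
                spec+: {
                    securityContext: {
                        fsGroup: 1000,  // gerrit uid
                    },
                    volumes_: {
                        config: kube.ConfigMapVolume(gerrit.configmap),
                        secure: { secret: { secretName: cfg.secureSecret } },
                    } {
                        [name]: kube.PersistentVolumeClaimVolume(gerrit.volumes[name])
                        for name in volumeNames
                    },
                    containers_: {
                        gerrit: kube.Container(gerrit.name("gerrit")) {
                            image: cfg.image,
                            ports_: {
                                http: { containerPort: 8080 },
                                ssh: { containerPort: 29418 },
                            },
                            resources: cfg.resources,
                            volumeMounts_: volumeMounts,
                        },
                    },
                },
            },
        },
    },

    // Cluster-internal service; HTTP is fronted by the ingress, SSH stays
    // in-cluster unless exposed elsewhere.
    svc: kube.Service(gerrit.name("gerrit")) {
        metadata+: gerrit.metadata("service"),
        target_pod:: gerrit.deployment.spec.template,
        spec+: {
            ports: [
                { name: "http", port: 80, targetPort: 8080, protocol: "TCP" },
                { name: "ssh", port: 22, targetPort: 29418, protocol: "TCP" },
            ],
            type: "ClusterIP",
        },
    },

    ingress: kube.Ingress(gerrit.name("gerrit")) {
        metadata+: gerrit.metadata("ingress") {
            annotations+: {
                "kubernetes.io/tls-acme": "true",
                "certmanager.k8s.io/cluster-issuer": "letsencrypt-prod",
                // No request body limit, so large git pushes over HTTP are
                // not rejected by nginx.
                "nginx.ingress.kubernetes.io/proxy-body-size": "0",
            },
        },
        spec+: {
            tls: [
                { hosts: [cfg.domain], secretName: gerrit.name("acme") },
            ],
            rules: [
                {
                    host: cfg.domain,
                    http: {
                        paths: [
                            { path: "/", backend: gerrit.svc.name_port },
                        ],
                    },
                },
            ],
        },
    },
}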