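local kube = import "../../../kube/kube.libsonnet";

// Gerrit deployment: a ConfigMap holding gerrit.config, one PVC per site
// directory, a Secret for extra keys, the Deployment itself, a ClusterIP
// Service and an Ingress. All tunables live in the hidden `cfg` object.
{
    local gerrit = self,
    local cfg = gerrit.cfg,

    // Site directories that each get their own PVC, mounted at /var/gerrit/<name>.
    local storageNames = ["etc", "git", "index", "cache", "db"],

    // Storage class used by every PVC. The PVCs historically read
    // cfg.storageClassName, while cfg only declares (and documents)
    // cfg.storageClass; accept either so that a caller who sets only the
    // documented key no longer hits a "field does not exist" error.
    local storageClassName =
        if std.objectHas(cfg, "storageClassName") then cfg.storageClassName
        else cfg.storageClass,

    cfg:: {
        namespace: error "namespace must be set",
        appName: "gerrit",
        prefix: "", # if set, should be 'foo-'
        domain: error "domain must be set",
        identity: error "identity (UUID) must be set",

        // The secret must contain a key named 'secure.config' containing (at least):
        //   [auth]
        //     registerEmailPrivateKey = <random>
        //   [plugin "gerrit-oauth-provider-warsawhackerspace-oauth"]
        //     client-id = foo
        //     client-secret = bar
        //   [sendemail]
        //     smtpPass = foo
        //   [receiveemail]
        //     password = bar
        // The secret is created outside this file and is mounted into the
        // container at /var/gerrit-secure (see volumeMounts below).
        secureSecret: error "secure secret name must be set",

        storageClass: error "storage class must be set",
        storageSize: {
            git: "50Gi", // Main storage for repositories and NoteDB.
            index: "10Gi", // Secondary Lucene index
            cache: "10Gi", // H2 cache databases
            db: "1Gi", // NoteDB is used, so database is basically empty (H2 accountPatchReviewDatabase)
            etc: "1Gi", // Random site stuff.
        },

        email: {
            server: "mail.hackerspace.pl",
            username: "gerrit",
            address: "gerrit@hackerspace.pl",
        },

        tag: "3.7.5-r7",
        // NOTE(review): the image is referenced by tag only. Tags can be
        // re-pushed, so pinning by digest would make the deployed image
        // reproducible and auditable.
        image: "registry.k0.hswaw.net/q3k/gerrit:" + cfg.tag,
        resources: {
            requests: {
                cpu: "100m",
                memory: "500Mi",
            },
            limits: {
                cpu: "1",
                memory: "2Gi",
            },
        },
    },

    // Resource name with the optional cfg.prefix applied.
    name(suffix):: cfg.prefix + suffix,

    // Common namespace and labels for every object in this file.
    metadata(component):: {
        namespace: cfg.namespace,
        labels: {
            "app.kubernetes.io/name": cfg.appName,
            "app.kubernetes.io/managed-by": "kubecfg",
            // NOTE(review): this is the literal string "component"; the
            // `component` argument is never used, so every object carries
            // the same label value. Left unchanged because these labels may
            // feed the Deployment/Service selectors (selectors cannot be
            // edited on an existing Deployment) - confirm against
            // kube.libsonnet before switching to the argument.
            "app.kubernetes.io/component": "component",
        },
    },

    configmap: kube.ConfigMap(gerrit.name("gerrit")) {
        metadata+: gerrit.metadata("configmap"),
        data: {
            // Non-secret Gerrit configuration; secrets belong in the
            // 'secure.config' key of cfg.secureSecret, not here.
            //
            // Review notes on the settings below:
            //  - [container] javaOptions: the property name is
            //    java.security.egd. It was previously misspelled as
            //    'java.security.edg', which only sets a property nothing
            //    reads, so the urandom entropy source was never applied.
            //  - [httpd] listenUrl uses proxy-http, i.e. Gerrit expects a
            //    reverse proxy in front and takes request details from the
            //    proxy's forwarding headers. Port 8080 should therefore be
            //    reachable only through the ingress; a NetworkPolicy would
            //    enforce that for in-cluster clients.
            //  - [auth] web login is OAuth; gitBasicAuthPolicy = HTTP makes
            //    git-over-HTTP use Gerrit's own HTTP passwords.
            //  - [sshd] appears twice with the same advertisedAddress; the
            //    repetition is kept as found - TODO confirm it is harmless
            //    and drop one copy.
            "gerrit.config": |||
                [gerrit]
                    basePath = git
                    canonicalWebUrl = https://%(domain)s/
                    serverId = %(identity)s
                    reportBugUrl = https://b.hackerspace.pl/new
                    primaryWeblinkName = Forgejo

                [commentlink "b"]
                    match = [Bb]/(\\d+)
                    link = https://b.hackerspace.pl/$1

                [gitweb]
                    url = https://git.hackerspace.pl/
                    type = custom
                    revision = hswaw/${project}/commit/${commit}
                    project = hswaw/${project}
                    branch = hswaw/${project}/src/branch/${branch}
                    tag = hswaw/${project}/releases/tag/${tag}
                    roottree = hswaw/${project}/src/commit/${commit}
                    file = hswaw/${project}/src/commit/${hash}/${file}
                    filehistory = hswaw/${project}/commits/branch/${branch}/${file}
                    linkname = Forgejo

                [sshd]
                    advertisedAddress = %(domain)s

                [container]
                    javaOptions = -Djava.security.egd=file:/dev/./urandom

                [auth]
                    type = OAUTH
                    gitBasicAuthPolicy = HTTP

                [httpd]
                    listenUrl = proxy-http://*:8080

                [sshd]
                    advertisedAddress = %(domain)s

                [user]
                    email = %(emailAddress)s

                [sendemail]
                    enable = true
                    from = MIXED
                    smtpServer = %(emailServer)s
                    smtpServerPort = 465
                    smtpEncryption = ssl
                    smtpUser = %(emailUser)s

                [receiveemail]
                    protocol = IMAP
                    host = %(emailServer)s
                    username = %(emailUser)s
                    encryption = TLS
                    enableImapIdle = true

            ||| % {
                domain: cfg.domain,
                identity: cfg.identity,
                emailAddress: cfg.email.address,
                emailServer: cfg.email.server,
                emailUser: cfg.email.username,
            },
        },
    },

    // One ReadWriteOnce PVC per site directory, sized from cfg.storageSize.
    volumes: {
        [name]: kube.PersistentVolumeClaim(gerrit.name(name)) {
            metadata+: gerrit.metadata("storage"),
            spec+: {
                storageClassName: storageClassName,
                accessModes: ["ReadWriteOnce"],
                resources: {
                    requests: {
                        storage: cfg.storageSize[name],
                    },
                },
            },
        }
        for name in storageNames
    },

    local volumeMounts = {
        [name]: { mountPath: "/var/gerrit/%s" % name }
        for name in storageNames
    } {
        // ConfigMap gets mounted here
        config: { mountPath: "/var/gerrit-config" },
        // SecureSecret gets mounted here
        secure: { mountPath: "/var/gerrit-secure" },
    },

    // Secret object that is expected to hold FORGEJO_TOKEN. It is declared
    // without data so that no token value lives in this repository; the key
    // has to be filled in when deploying.
    // NOTE(review): confirm that re-applying this manifest does not clear
    // data that was added to the Secret out-of-band.
    keys: kube.Secret(gerrit.name("keys")) {
        metadata+: gerrit.metadata("deployment"),
        //data_: {
        //    FORGEJO_TOKEN: "fill me when deploying, TODO(q3k): god damn secrets",
        //},
    },

    deployment: kube.Deployment(gerrit.name("gerrit")) {
        metadata+: gerrit.metadata("deployment"),
        spec+: {
            replicas: 1,
            template+: {
                spec+: {
                    // NOTE(review): only fsGroup is set here. Nothing in this
                    // file sets runAsNonRoot, allowPrivilegeEscalation or
                    // dropped capabilities; consider adding them once the
                    // user the image runs as has been confirmed.
                    securityContext: {
                        fsGroup: 1000, # gerrit uid
                    },
                    volumes_: {
                        config: kube.ConfigMapVolume(gerrit.configmap),
                        secure: { secret: { secretName: cfg.secureSecret } },
                    } {
                        [name]: kube.PersistentVolumeClaimVolume(gerrit.volumes[name])
                        for name in storageNames
                    },
                    containers_: {
                        gerrit: kube.Container(gerrit.name("gerrit")) {
                            image: cfg.image,
                            ports_: {
                                http: { containerPort: 8080 },
                                ssh: { containerPort: 29418 },
                            },
                            // The token is injected as an environment variable,
                            // which child processes inherit. If its consumer
                            // can read a file instead, a mounted secret keeps
                            // it out of the process environment.
                            env_: {
                                FORGEJO_TOKEN: { secretKeyRef: { name: gerrit.keys.metadata.name, key: "FORGEJO_TOKEN" } },
                            },
                            resources: cfg.resources,
                            volumeMounts_: volumeMounts,

                            livenessProbe: {
                                httpGet: {
                                    path: "/",
                                    port: 8080,
                                },
                                initialDelaySeconds: 60,
                                periodSeconds: 10,
                            },
                        },
                    },
                },
            },
        },
    },

    // ClusterIP service: HTTP on 80 -> 8080, Gerrit SSH on 22 -> 29418.
    svc: kube.Service(gerrit.name("gerrit")) {
        metadata+: gerrit.metadata("service"),
        target_pod:: gerrit.deployment.spec.template,
        spec+: {
            ports: [
                { name: "http", port: 80, targetPort: 8080, protocol: "TCP" },
                { name: "ssh", port: 22, targetPort: 29418, protocol: "TCP" },
            ],
            type: "ClusterIP",
        },
    },

    ingress: kube.Ingress(gerrit.name("gerrit")) {
        metadata+: gerrit.metadata("ingress") {
            annotations+: {
                "kubernetes.io/tls-acme": "true",
                "cert-manager.io/cluster-issuer": "letsencrypt-prod",
                // "0" turns off nginx's request body size check for this
                // host. NOTE(review): presumably needed for large pushes over
                // HTTP; it also means the ingress no longer caps upload size,
                // so any limit has to come from Gerrit itself.
                "nginx.ingress.kubernetes.io/proxy-body-size": "0",
            },
        },
        spec+: {
            tls: [
                { hosts: [cfg.domain], secretName: gerrit.name("acme") },
            ],
            rules: [
                {
                    host: cfg.domain,
                    http: {
                        paths: [
                            { path: "/", backend: gerrit.svc.name_port },
                        ],
                    },
                }
            ],
        },
    },
}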