Gitiles
Code Review Sign In
gerrit.hackerspace.pl / hscloud / c9f48fee707ca73b09f8225814a63d7945dbebfd / . / devtools / gerrit / kube / gerrit.libsonnet
blob: 00272a16344abb1f3f9f7f07592c96ec6c8d0d5e [file] [log] [blame]
Sergiusz Bazanskia7e26cc2019-06-21 20:38:35 +0200[diff] [blame]1local kube = import "../../../kube/kube.libsonnet";
2
3{
4 local gerrit = self,
5 local cfg = gerrit.cfg,
6
7 cfg:: {
8 namespace: error "namespace must be set",
9 appName: "gerrit",
10 prefix: "", # if set, should be 'foo-'
11 domain: error "domain must be set",
12 identity: error "identity (UUID) must be set",
13
14 // The secret must contain a key named 'secure.config' containing (at least):
15 // [auth]
16 // registerEmailPrivateKey = <random>
17 // [plugin "gerrit-oauth-provider-warsawhackerspace-oauth"]
18 // client-id = foo
19 // client-secret = bar
20 // [sendemail]
21 // smtpPass = foo
22 // [receiveemail]
23 // password = bar
24 secureSecret: error "secure secret name must be set",
25
26 storageClass: error "storage class must be set",
27 storageSize: {
28 git: "50Gi", // Main storage for repositories and NoteDB.
29 index: "10Gi", // Secondary Lucene index
30 cache: "10Gi", // H2 cache databases
31 db: "1Gi", // NoteDB is used, so database is basically empty (H2 accountPatchReviewDatabase)
32 etc: "1Gi", // Random site stuff.
33 },
34
35 email: {
36 server: "mail.hackerspace.pl",
37 username: "gerrit",
38 address: "gerrit@hackerspace.pl",
39 },
40
Serge Bazanskiee2f8a32020-12-17 23:06:10 +0100[diff] [blame]41 tag: "3.3.0-r7",
42 image: "registry.k0.hswaw.net/q3k/gerrit:" + cfg.tag,
Sergiusz Bazanskia7e26cc2019-06-21 20:38:35 +0200[diff] [blame]43 resources: {
44 requests: {
45 cpu: "100m",
46 memory: "500Mi",
47 },
48 limits: {
49 cpu: "1",
50 memory: "2Gi",
51 },
52 },
53 },
54
55 name(suffix):: cfg.prefix + suffix,
56
57 metadata(component):: {
58 namespace: cfg.namespace,
59 labels: {
60 "app.kubernetes.io/name": cfg.appName,
61 "app.kubernetes.io/managed-by": "kubecfg",
62 "app.kubernetes.io/component": "component",
63 },
64 },
65
66 configmap: kube.ConfigMap(gerrit.name("gerrit")) {
67 metadata+: gerrit.metadata("configmap"),
68 data: {
69 "gerrit.config": |||
70 [gerrit]
71 basePath = git
72 canonicalWebUrl = https://%(domain)s/
73 serverId = %(identity)s
Serge Bazanskic9f48fe2021-02-08 00:44:56 +0100[diff] [blame^]74 reportBugUrl = https://b.hackerspace.pl/new
75
76 [commentlink "b"]
77 match = [Bb]/(\\d+)
78 link = https://b.hackerspace.pl/$1
Sergiusz Bazanskia7e26cc2019-06-21 20:38:35 +0200[diff] [blame]79
Sergiusz Bazanski9b5359d2019-07-20 17:20:53 +0200[diff] [blame]80 [sshd]
81 advertisedAddress = %(domain)s
82
Sergiusz Bazanskia7e26cc2019-06-21 20:38:35 +0200[diff] [blame]83 [container]
84 javaOptions = -Djava.security.edg=file:/dev/./urandom
85
86 [auth]
87 type = OAUTH
88 gitBasicAuthPolicy = HTTP
89
90 [httpd]
91 listenUrl = proxy-http://*:8080
92
93 [sshd]
94 advertisedAddress = %(domain)s
95
96 [user]
97 email = %(emailAddress)s
98
99 [sendemail]
100 enable = true
101 from = MIXED
102 smtpServer = %(emailServer)s
103 smtpServerPort = 465
104 smtpEncryption = ssl
105 smtpUser = %(emailUser)s
106
107 [receiveemail]
108 protocol = IMAP
109 host = %(emailServer)s
110 username = %(emailUser)s
111 encryption = TLS
112 enableImapIdle = true
113
114 ||| % {
115 domain: cfg.domain,
116 identity: cfg.identity,
117 emailAddress: cfg.email.address,
118 emailServer: cfg.email.server,
119 emailUser: cfg.email.username,
120 },
121 },
122 },
123
124 volumes: {
125 [name]: kube.PersistentVolumeClaim(gerrit.name(name)) {
126 metadata+: gerrit.metadata("storage"),
127 spec+: {
128 storageClassName: cfg.storageClassName,
129 accessModes: ["ReadWriteOnce"],
130 resources: {
131 requests: {
132 storage: cfg.storageSize[name],
133 },
134 },
135 },
136 }
137 for name in ["etc", "git", "index", "cache", "db"]
138 },
139
140 local volumeMounts = {
141 [name]: { mountPath: "/var/gerrit/%s" % name }
142 for name in ["etc", "git", "index", "cache", "db"]
143 } {
144 // ConfigMap gets mounted here
145 config: { mountPath: "/var/gerrit-config" },
146 // SecureSecret gets mounted here
147 secure: { mountPath: "/var/gerrit-secure" },
148 },
149 deployment: kube.Deployment(gerrit.name("gerrit")) {
150 metadata+: gerrit.metadata("deployment"),
151 spec+: {
152 replicas: 1,
153 template+: {
154 spec+: {
155 securityContext: {
156 fsGroup: 1000, # gerrit uid
157 },
158 volumes_: {
159 config: kube.ConfigMapVolume(gerrit.configmap),
160 secure: { secret: { secretName: cfg.secureSecret} },
161 } {
162 [name]: kube.PersistentVolumeClaimVolume(gerrit.volumes[name])
163 for name in ["etc", "git", "index", "cache", "db"]
164 },
165 containers_: {
166 gerrit: kube.Container(gerrit.name("gerrit")) {
167 image: cfg.image,
168 ports_: {
169 http: { containerPort: 8080 },
170 ssh: { containerPort: 29418 },
171 },
172 resources: cfg.resources,
173 volumeMounts_: volumeMounts,
174 },
175 },
176 },
177 },
178 },
179 },
180
181 svc: kube.Service(gerrit.name("gerrit")) {
182 metadata+: gerrit.metadata("service"),
183 target_pod:: gerrit.deployment.spec.template,
184 spec+: {
185 ports: [
186 { name: "http", port: 80, targetPort: 8080, protocol: "TCP" },
187 { name: "ssh", port: 22, targetPort: 29418, protocol: "TCP" },
188 ],
189 type: "ClusterIP",
190 },
191 },
192
193 ingress: kube.Ingress(gerrit.name("gerrit")) {
194 metadata+: gerrit.metadata("ingress") {
195 annotations+: {
196 "kubernetes.io/tls-acme": "true",
197 "certmanager.k8s.io/cluster-issuer": "letsencrypt-prod",
198 "nginx.ingress.kubernetes.io/proxy-body-size": "0",
199 },
200 },
201 spec+: {
202 tls: [
203 { hosts: [cfg.domain], secretName: gerrit.name("acme") },
204 ],
205 rules: [
206 {
207 host: cfg.domain,
208 http: {
209 paths: [
210 { path: "/", backend: gerrit.svc.name_port },
211 ],
212 },
213 }
214 ],
215 },
216 },
217}