diff --git a/.gitignore b/.gitignore
index f58c9b8..762f8e5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
 /.terraform/providers/registry.opentofu.org
 /terraform.tfstate
 /terraform.tfstate.backup
+/manifests/secrets
+/manifests/devops/gitea-action-secrets.yaml
diff --git a/kustomization.yaml b/kustomization.yaml
index e945766..44c4c84 100644
--- a/kustomization.yaml
+++ b/kustomization.yaml
@@ -4,3 +4,4 @@ resources:
 - ./manifests/jellyfin/
 - ./manifests/cert-manager/
 - ./manifests/argo/
+ - ./manifests/secrets/
diff --git a/manifests/devops/cert.yaml b/manifests/devops/cert.yaml
index 863abab..7c3a219 100644
--- a/manifests/devops/cert.yaml
+++ b/manifests/devops/cert.yaml
@@ -10,4 +10,31 @@ spec:
 kind: ClusterIssuer
 dnsNames:
 - gitea.milasholsting.dk
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: harbor-tls
+ namespace: devops
+spec:
+ secretName: harbor-tls
+ issuerRef:
+ name: letsencrypt-prod
+ kind: ClusterIssuer
+ dnsNames:
+ - reg.milasholsting.dk
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: grafana-tls
+ namespace: devops
+spec:
+ secretName: grafana-tls
+ issuerRef:
+ name: letsencrypt-prod
+ kind: ClusterIssuer
+ dnsNames:
+ - grafana.milasholsting.dk
diff --git a/manifests/devops/gitea-actions.yaml b/manifests/devops/gitea-actions.yaml
new file mode 100644
index 0000000..b796c94
--- /dev/null
+++ b/manifests/devops/gitea-actions.yaml
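Review bot: The new ignore entries cover gitea-action-secrets.yaml but not gitea-admin-secret.yaml, which manifests/devops/kustomization.yaml in this same commit still lists as a tracked resource next to it; if that file holds a literal Secret it should be ignored here as well, or moved under /manifests/secrets. Adding a path to .gitignore does not remove anything already committed, so run `git ls-files manifests/devops/gitea-action-secrets.yaml` and purge history if the registration token was ever pushed. A longer-term fix is to keep Secrets in the repo in encrypted form (SOPS or SealedSecrets) so nothing has to be ignored at all.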
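Review bot: `./manifests/secrets/` is added as a kustomize resource while the same commit gitignores /manifests/secrets, so `kustomize build` on a fresh clone — and any ArgoCD sync from this repo, given `./manifests/argo/` is a sibling resource — fails with a missing-directory error. Either keep the directory tracked with encrypted content (SOPS/SealedSecrets, or ExternalSecret manifests that reference a store) or drop it from `resources` and apply those Secrets out of band. If the directory is intentionally local-only, say so in a comment next to the entry: `# local-only, gitignored; must exist before building`.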
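Review bot: The harbor-tls Certificate lists only reg.milasholsting.dk, but harborChartValues.yaml in this commit also sets `notary: notary.reg.milasholsting.dk` under `expose.ingress.hosts`; if the chart renders that host it will be served with a certificate that does not match it. Add `- notary.reg.milasholsting.dk` to `dnsNames` or remove the notary host from the values. The grafana-tls Certificate also duplicates the `cert-manager.io/cluster-issuer` annotation on grafana-ingress.yaml, which makes cert-manager create its own Certificate for the same `secretName`; keep one of the two so ownership of the secret is unambiguous. Minor style point: the first `---` separator is followed by a blank line and the second is not.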
@@ -0,0 +1,58 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: gitea-runner
+ namespace: devops
+spec:
+ serviceName: gitea-runner
+ replicas: 1
+ selector:
+ matchLabels:
+ app: gitea-runner
+ template:
+ metadata:
+ labels:
+ app: gitea-runner
+ spec:
+ containers:
+ - name: runner
+ image: gitea/act_runner:latest
+ env:
+ - name: GITEA_INSTANCE_URL
+ value: "https://gitea.milasholsting.dk"
+ - name: GITEA_RUNNER_REGISTRATION_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: actions-secret
+ key: registerKey
+ - name: DOCKER_HOST
+ value: unix:///var/run/docker/docker.sock
+ - name: GITEA_RUNNER_LABELS
+ value: "ubuntu-latest:docker://catthehacker/ubuntu:act-latest"
+ volumeMounts:
+ - name: data
+ mountPath: /data
+ - name: docker-sock
+ mountPath: /var/run/docker
+
+ - name: dind
+ image: reg.milasholsting.dk/devops/docker:dind
+ command: ["dockerd"]
+ args: ["--host=unix:///var/run/docker/docker.sock", "--host=tcp://0.0.0.0:2375"]
+ securityContext:
+ privileged: true
+ env:
+ - name: DOCKER_TLS_CERTDIR
+ value: "" # Explicitly disable TLS to stick to the socket
+ volumeMounts:
+ - name: dind-storage
+ mountPath: /var/lib/docker
+ - name: docker-sock
+ mountPath: /var/run/docker
+ volumes:
+ - name: dind-storage
+ emptyDir: {}
+ - name: data
+ emptyDir: {}
+ - name: docker-sock
+ emptyDir: {}
diff --git a/manifests/devops/gitea-ssh-ingress.yaml b/manifests/devops/gitea-ssh-ingress.yaml
new file mode 100644
index 0000000..74060e1
--- /dev/null
+++ b/manifests/devops/gitea-ssh-ingress.yaml
@@ -0,0 +1,14 @@
+apiVersion: traefik.io/v1alpha1
+
+kind: IngressRouteTCP
+metadata:
+ name: gitea-ssh
+ namespace: devops # Ensure this is your Gitea namespace
+spec:
+ entryPoints:
+ - ssh # This MUST match the name used in your Traefik config
+ routes:
+ - match: HostSNI(`*`)
+ services:
+ - name: gitea-ssh # Replace with the service name from Step 1
+ port: 22
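Review bot: The dind container's `args` still include `--host=tcp://0.0.0.0:2375` while `DOCKER_TLS_CERTDIR` is emptied to disable TLS, so the privileged Docker daemon accepts unauthenticated API calls from anything that can reach the pod IP — which is root on the node for any other workload or compromised CI job in the cluster — even though the comment says the intent is to "stick to the socket". Drop the TCP listener: `args: ["--host=unix:///var/run/docker/docker.sock"]`, and if a network listener is ever needed, re-enable TLS and add a NetworkPolicy limiting ingress to the runner pod. Note also that the runner holds the same socket via `DOCKER_HOST`, so a malicious workflow that gains control of the runner process, or that mounts the socket into a job container, inherits the privileged daemon; that is acceptable only if this instance runs jobs from trusted repositories, and it deserves a comment saying so. Pin `gitea/act_runner:latest` to a version tag or digest and add resource limits so a runaway job cannot starve the node.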
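Review bot: The comments `# Ensure this is your Gitea namespace`, `# This MUST match the name used in your Traefik config` and `# Replace with the service name from Step 1` are tutorial placeholders rather than documentation of this deployment; replace them with what is true here, e.g. `# 'ssh' entryPoint must be declared in the Traefik config (see cert-manager/traefik manifests)` and `# gitea-ssh is the Service the gitea chart creates for the built-in SSH server`, or delete them. The HostSNI(`*`) matcher is the only valid one for plain SSH (no TLS, so no SNI), which means every connection on the `ssh` entryPoint is forwarded to Gitea; a one-line comment stating that would save the next reader a lookup. I cannot confirm from this diff that a Service named gitea-ssh exposes port 22 or that the `ssh` entryPoint exists in the Traefik configuration.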
diff --git a/manifests/devops/giteaChartConfig.yaml b/manifests/devops/giteaChartConfig.yaml
index 0438ac9..6d8f933 100644
--- a/manifests/devops/giteaChartConfig.yaml
+++ b/manifests/devops/giteaChartConfig.yaml
@@ -39,7 +39,12 @@ spec:
 server:
 DOMAIN: gitea.milasholsting.dk
 ROOT_URL: https://gitea.milasholsting.dk/
-
+ START_SSH_SERVER: true
+ SSH_DOMAIN: gitea.milasholsting.dk
+ SSH_PORT: 22
+ SSH_LISTEN_PORT: 22
+ podSecurityContext:
+ fsGroup: 1000
 persistence:
 size: 20Gi
 storageClass: local-path
diff --git a/manifests/devops/grafana-ingress.yaml b/manifests/devops/grafana-ingress.yaml
new file mode 100644
index 0000000..81607c2
--- /dev/null
+++ b/manifests/devops/grafana-ingress.yaml
@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: grafana-ingress
+ annotations:
+ spec.ingressClassName: traefik
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+ rules:
+ - host: grafana.milasholsting.dk
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: grafana
+ port:
+ number: 80
+ tls:
+ - secretName: grafana-tls
+ hosts:
+ - grafana.milasholsting.dk
diff --git a/manifests/devops/grafana.yaml b/manifests/devops/grafana.yaml
new file mode 100644
index 0000000..d31abdd
--- /dev/null
+++ b/manifests/devops/grafana.yaml
@@ -0,0 +1,12 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+ name: grafana
+ namespace: devops
+spec:
+ repo: https://grafana-community.github.io/helm-charts
+ chart: grafana
+ targetNamespace: devops
+ version: 11.6.0
+ valuesContent: |-
+
diff --git a/manifests/devops/grafanaChartConfig.yaml b/manifests/devops/grafanaChartConfig.yaml
new file mode 100644
index 0000000..95f9b8e
--- /dev/null
+++ b/manifests/devops/grafanaChartConfig.yaml
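Review bot: `SSH_LISTEN_PORT: 22` makes Gitea's built-in SSH server bind port 22 inside the container, which an unprivileged process cannot do without CAP_NET_BIND_SERVICE (the hunk adds `fsGroup: 1000`, and the chart's default rootless image runs Gitea as a non-root uid, if that is what is in use here); the usual pattern is to leave `SSH_LISTEN_PORT` at the chart's container port (2222 by default — verify against the chart version in use) and set only `SSH_PORT: 22`, the port advertised in clone URLs and exposed by the Service/IngressRouteTCP. If the pod does come up listening on 22 today, either the image runs as root or the node permits unprivileged low ports — worth knowing before exposing this SSH server to the internet. `START_SSH_SERVER: true` selects Gitea's Go SSH server instead of OpenSSH, which is the right choice for a rootless image but should be stated in a comment, e.g. `# use Gitea's built-in SSH server (no sshd in the rootless image)`. The enclosing `valuesContent` block starts before this hunk.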
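Review bot: `spec.ingressClassName: traefik` is written under `metadata.annotations`, where it is an inert annotation with no effect; the field belongs at `spec.ingressClassName: traefik`. The Ingress also has no `namespace: devops` in `metadata`, so unless the devops kustomization sets one (its `namespace:` field, if any, is above the hunk shown at the end of this commit and I cannot see it) the object lands in the default namespace, where neither the `grafana` Service nor the `grafana-tls` Secret — issued in devops by the Certificate in cert.yaml — exists. Separately, the `cert-manager.io/cluster-issuer` annotation and that explicit grafana-tls Certificate both claim the same secret; keep one of them, and a `namespace: devops` line under `metadata` would remove the first ambiguity.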
@@ -0,0 +1,57 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChartConfig
+metadata:
+ name: grafana
+ namespace: devops
+spec:
+ valuesContent: |-
+ # Disable etcd monitoring. See https://github.com/cablespaghetti/k3s-monitoring/issues/4
+ kubeEtcd:
+ enabled: false
+
+ # Disable kube-controller-manager and kube-scheduler monitoring. See https://github.com/cablespaghetti/k3s-monitoring/issues/2
+ kubeControllerManager:
+ enabled: false
+ kubeScheduler:
+ enabled: false
+
+ prometheus:
+ prometheusSpec:
+ retention: 3d
+
+ storageSpec:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: local-path
+ resources:
+ requests:
+ storage: 20Gi
+
+ grafana:
+ plugins:
+ - grafana-piechart-panel
+ enabled: true
+ grafana.ini:
+ users:
+ viewers_can_edit: true
+ auth:
+ disable_login_form: false
+ disable_signout_menu: false
+ auth.anonymous:
+ enabled: false
+ org_role: Admin
+ auth.basic:
+ enabled: true
+
+ persistence:
+ enabled: true
+ type: pvc
+ storageClassName: local-path
+ accessModes:
+ - ReadWriteOnce
+ size: 4Gi
+ finalizers:
+ - kubernetes.io/pvc-protection
+ # ALTERNATIVELY IF YOU HAVE AN EXISTING CLAME YOU WISH TO USE/REUSE
+ # existingClaim: prom-grafana
diff --git a/manifests/devops/harbor.yaml b/manifests/devops/harbor.yaml
new file mode 100644
index 0000000..1811c1c
--- /dev/null
+++ b/manifests/devops/harbor.yaml
@@ -0,0 +1,12 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+ name: harbor
+ namespace: devops
+spec:
+ repo: https://helm.goharbor.io
+ chart: harbor
+ targetNamespace: devops
+ version: 1.18.2
+ valuesContent: |-
+
diff --git a/manifests/devops/harborChartValues.yaml b/manifests/devops/harborChartValues.yaml
new file mode 100644
index 0000000..c60abac
--- /dev/null
+++ b/manifests/devops/harborChartValues.yaml
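Review bot: These values are keyed for kube-prometheus-stack — `kubeEtcd`, `kubeControllerManager`, `kubeScheduler`, `prometheus.prometheusSpec`, and the whole Grafana configuration nested under a `grafana:` subkey, with comments citing the k3s-monitoring issues for that stack — but grafana.yaml in this commit installs the plain `grafana` chart (11.6.0), whose values (`grafana.ini`, `persistence`, `plugins`) live at the top level; as far as I can tell Helm will silently ignore every key here, so none of the persistence, plugin or auth settings take effect. Either point the HelmChart at kube-prometheus-stack or unnest the `grafana:` section to the top level and delete the Prometheus keys. Security-wise, do not leave `org_role: Admin` under `auth.anonymous` even while `enabled: false` — a later flip to `true` would grant unauthenticated admin — use `org_role: Viewer`; and `viewers_can_edit: true` lets Viewer-role users change panels in the browser (unsaved), so confirm that is intended. Also fix the typo in the trailing comment: `# ALTERNATIVELY IF YOU HAVE AN EXISTING CLAIM YOU WISH TO USE/REUSE`.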
@@ -0,0 +1,55 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChartConfig
+metadata:
+ name: harbor
+ namespace: devops
+spec:
+ valuesContent: |-
+ expose:
+ type: ingress
+ tls:
+ certSource: secret
+ secret:
+ # The name of secret which contains keys named:
+ # "tls.crt" - the certificate
+ # "tls.key" - the private key
+ secretName: "harbor-tls"
+ ingress:
+ className: traefik
+ hosts:
+ core: reg.milasholsting.dk
+ notary: notary.reg.milasholsting.dk
+
+ externalURL: https://reg.milasholsting.dk
+
+ harborAdminPassword: "ChangeMe123!"
+
+ persistence:
+ persistentVolumeClaim:
+ registry:
+ storageClass: local-path
+ size: 100Gi
+ chartmuseum:
+ storageClass: local-path
+ size: 5Gi
+ jobservice:
+ storageClass: local-path
+ size: 2Gi
+ database:
+ storageClass: local-path
+ size: 10Gi
+ redis:
+ storageClass: local-path
+ size: 2Gi
+
+ database:
+ internal:
+ image:
+ repository: goharbor/harbor-db
+ tag: v2.11.0
+
+ redis:
+ internal:
+ image:
+ repository: goharbor/redis-photon
+ tag: v2.11.0
diff --git a/manifests/devops/kustomization.yaml b/manifests/devops/kustomization.yaml
index d6630c5..5066e8a 100644
--- a/manifests/devops/kustomization.yaml
+++ b/manifests/devops/kustomization.yaml
@@ -4,4 +4,13 @@ resources:
 - ./namespace.yaml
 - ./gitea-admin-secret.yaml
 - ./gitea.yaml
+ - ./giteaChartConfig.yaml
 - ./cert.yaml
+ - ./harbor.yaml
+ - ./harborChartValues.yaml
+ - ./gitea-ssh-ingress.yaml
+ - ./gitea-actions.yaml
+ - ./gitea-action-secrets.yaml
+ - ./grafana-ingress.yaml
+ - ./grafana.yaml
+ - ./grafanaChartConfig.yaml
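Review bot: `harborAdminPassword: "ChangeMe123!"` commits the registry's initial admin password in plaintext to a public-looking manifest; the chart supports `existingSecretAdminPassword: harbor-admin` (with `existingSecretAdminPasswordKey`), so the value can live in the gitignored secrets directory this commit introduces, and the password should be rotated once this lands since it is now in history. The internal database and redis images are pinned to `tag: v2.11.0` while harbor.yaml installs chart 1.18.2, which to my knowledge ships a newer Harbor core; running core and DB images from different releases is unsupported and can break schema migrations, so either drop the two image overrides (the chart defaults are matched to its core version) or pin chart and images to one release. The `notary` host and the `chartmuseum` PVC refer to components removed from recent Harbor releases (notary after 2.8, chartmuseum after 2.7), so they are most likely ignored by this chart — verify against its values.yaml and remove them to avoid confusion.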
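Review bot: `./gitea-action-secrets.yaml` is added to `resources` while this same commit adds /manifests/devops/gitea-action-secrets.yaml to .gitignore, so `kustomize build manifests/devops` fails on any checkout that lacks the local file; the gitea-actions StatefulSet further assumes that file defines a Secret named `actions-secret` with key `registerKey`, which nobody reading the repo can verify. Prefer committing an encrypted form (SOPS/SealedSecrets) or an ExternalSecret, or at minimum document the contract next to the entry: `# gitignored; must define Secret actions-secret with key registerKey`. The ordering is also inconsistent — giteaChartConfig.yaml is inserted ahead of cert.yaml while every other new entry is appended; keeping each HelmChart next to its HelmChartConfig (gitea, harbor, grafana) would make the list easier to scan.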