From e5c0094061c01da36ebc8389c75bfefda05851b5 Mon Sep 17 00:00:00 2001 From: uni-kakurenbo Date: Wed, 24 Sep 2025 17:55:12 +0900 Subject: [PATCH] migrate: gitea-dev (in-progress) --- gitea-dev/certificate.yaml | 14 +++++ gitea-dev/config/app.ini | 99 ++++++++++++++++++++++++++++++++ gitea-dev/deployment.yaml | 48 ++++++++++++++++ gitea-dev/ingress-route.yaml | 20 +++++++ gitea-dev/ksops.yaml | 11 ++++ gitea-dev/kustomization.yaml | 19 ++++++ gitea-dev/secrets/gitea-dev.yaml | 29 ++++++++++ gitea-dev/service.yaml | 16 ++++++ gitea-dev/volume-storage.yaml | 13 +++++ 9 files changed, 269 insertions(+) create mode 100644 gitea-dev/certificate.yaml create mode 100644 gitea-dev/config/app.ini create mode 100644 gitea-dev/deployment.yaml create mode 100644 gitea-dev/ingress-route.yaml create mode 100644 gitea-dev/ksops.yaml create mode 100644 gitea-dev/kustomization.yaml create mode 100644 gitea-dev/secrets/gitea-dev.yaml create mode 100644 gitea-dev/service.yaml create mode 100644 gitea-dev/volume-storage.yaml
diff --git a/gitea-dev/certificate.yaml b/gitea-dev/certificate.yaml
new file mode 100644
index 000000000..d45f030b6
--- /dev/null
+++ b/gitea-dev/certificate.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: gitea-dev
+
+spec:
+ issuerRef:
+ kind: ClusterIssuer
+ name: dns-cluster-issuer
+ secretName: gitea-dev-tls
+ duration: 2160h0m0s # 90d
+ renewBefore: 720h0m0s # 30d
+ dnsNames:
+ - git-dev.trapti.tech
diff --git a/gitea-dev/config/app.ini b/gitea-dev/config/app.ini
new file mode 100644
index 000000000..8d3b8381c
--- /dev/null
+++ b/gitea-dev/config/app.ini
@@ -0,0 +1,99 @@
+APP_NAME = traP Gitea Develop
+RUN_MODE = prod
+WORK_PATH = /data/gitea
+
+[repository]
+ROOT = /data/git/repositories
+DISABLED_REPO_UNITS = repo.wiki
+
+[repository.local]
+LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /data/gitea/uploads
+
+[server]
+APP_DATA_PATH = /data/gitea
+DOMAIN = git-dev.trapti.tech
+SSH_DOMAIN = git-dev.trapti.tech
+HTTP_PORT = 3000
+ROOT_URL = https://git-dev.trapti.tech/
+DISABLE_SSH = false
+SSH_PORT = 2200
+SSH_LISTEN_PORT = 2200
+LFS_START_SERVER = true
+START_SSH_SERVER = true
+
+[database]
+PATH = /data/gitea/gitea.db
+DB_TYPE = mysql
+HOST = private.kmbk.tokyotech.org:33060
+NAME = service_gitea_dev
+USER = service_gitea_dev
+LOG_SQL = false
+
+[indexer]
+ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+
+[session]
+PROVIDER_CONFIG = /data/gitea/sessions
+
+[picture]
+AVATAR_UPLOAD_PATH = /data/gitea/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
+
+[attachment]
+PATH = /data/gitea/attachments
+
+[log]
+MODE = console
+LEVEL = Debug
+ROOT_PATH = /data/gitea/log
+
+[security]
+INSTALL_LOCK = true
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = *
+REVERSE_PROXY_AUTHENTICATION_EMAIL = X-Forwarded-User-Email
+REVERSE_PROXY_AUTHENTICATION_USER = X-Forwarded-User
+
+[service]
+DISABLE_REGISTRATION = true
+REQUIRE_SIGNIN_VIEW = true
+ENABLE_REVERSE_PROXY_AUTHENTICATION = false
+ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = true
+NO_REPLY_ADDRESS = trap.jp
+ENABLE_REVERSE_PROXY_EMAIL = true
+DEFAULT_KEEP_EMAIL_PRIVATE = true
+DEFAULT_ORG_MEMBER_VISIBLE = true
+ENABLE_NOTIFY_MAIL = true
+ENABLE_BASIC_AUTHENTICATION = false
+
+[lfs]
+STORAGE_TYPE = minio
+MINIO_ENDPOINT = s3.ap-northeast-1.wasabisys.com
+MINIO_BUCKET = trap-gitea-dev
+MINIO_LOCATION = ap-northeast-1
+MINIO_USE_SSL = true
+MINIO_CHECKSUM_ALGORITHM = md5
+
+[actions]
+DEFAULT_ACTIONS_URL = github
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+
+[default]
+APP_NAME = traP Git Develop
+
+[mailer]
+ENABLED = true
+
+[metrics]
+ENABLED = true
+
+[oauth2]
+ENABLED = false
+
+[admin]
+USER_DISABLED_FEATURES = deletion,change_username,change_full_name
diff --git a/gitea-dev/deployment.yaml b/gitea-dev/deployment.yaml
new file mode 100644
index 000000000..54b7d9b04
--- /dev/null
+++ b/gitea-dev/deployment.yaml
@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: gitea-dev
+ name: gitea-dev
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: gitea-dev
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: gitea-dev
+ spec:
+ containers:
+ - env:
+ - name: USER_GID
+ value: "996"
+ - name: USER_UID
+ value: "996"
+ image: gitea-latest
+ name: gitea-dev
+ ports:
+ - containerPort: 3000
+ protocol: TCP
+ - containerPort: 2200
+ protocol: TCP
+ volumeMounts:
+ - name: gitea-dev-storage
+ mountPath: /data
+ - name: gitea-dev-config
+ mountPath: /app.ini
+ restartPolicy: Always
+ volumes:
+ - name: gitea-dev-storage
+ persistentVolumeClaim:
+ claimName: gitea-dev
+ - name: gitea-dev-config
+ configMap:
+ name: gitea-dev
+ items:
+ - key: app.ini
+ path: app.ini
+ mode: 0666
diff --git a/gitea-dev/ingress-route.yaml b/gitea-dev/ingress-route.yaml
new file mode 100644
index 000000000..0eea5f736
--- /dev/null
+++ b/gitea-dev/ingress-route.yaml
@@ -0,0 +1,20 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: gitea-dev
+spec:
+ entryPoints:
+ - websecure
+ tls:
+ secretName: gitea-dev-tls
+ routes:
+ - kind: Rule
+ match: Host(`git-dev.trapti.tech`)
+ services:
+ - name: gitea-dev
+ port: 3000
+ - kind: Rule
+ match: Host(`git-dev.trapti.tech`)
+ services:
+ - name: gitea-dev
+ port: 2200
diff --git a/gitea-dev/ksops.yaml b/gitea-dev/ksops.yaml
new file mode 100644
index 000000000..e70471186
--- /dev/null
+++ b/gitea-dev/ksops.yaml
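Review bot: In gitea-dev/config/app.ini, `REVERSE_PROXY_TRUSTED_PROXIES = *` makes Gitea accept forwarding headers from any peer, and the same `[security]` section already names `X-Forwarded-User` and `X-Forwarded-User-Email` as identity headers. `ENABLE_REVERSE_PROXY_AUTHENTICATION` is `false` today, but `ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = true` suggests it is meant to be switched on, and from then on any client that reaches port 3000 without passing through the proxy could assert an arbitrary user. Restrict the list to the ingress controller's address range, `REVERSE_PROXY_TRUSTED_PROXIES = <ingress-controller-CIDR>`. Separately, `[metrics] ENABLED = true` is set without a `TOKEN`, so `/metrics` is presumably served unauthenticated on the public host, and `LEVEL = Debug` sits next to `RUN_MODE = prod`; supplying the token through the secret and using `LEVEL = Info` would close both.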
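Review bot: In gitea-dev/deployment.yaml the pod template never references `gitea-dev-secret`, so none of the `GITEA__…` values defined in secrets/gitea-dev.yaml (database password, `SECRET_KEY`, `INTERNAL_TOKEN`, the LFS and S3 keys) reach the container; the only `env` entries are `USER_GID` and `USER_UID`. `claimName: gitea-dev` also does not match the PersistentVolumeClaim that volume-storage.yaml creates (`gitea-dev-storage`), so unless a claim of that name already exists in the namespace the pod would stay Pending. The ConfigMap item is projected with `mode: 0666`, where a read-only mode is enough for a config file. Mounting the volume at `/app.ini` without `subPath` produces a directory of that name, and whether the image reads its configuration from that location cannot be told from this diff, so that is worth confirming. The indentation in the sketch below is assumed, since the page has lost the original.

```yaml
      containers:
        - name: gitea-dev
          # … unchanged: env, image, ports, volumeMounts …
          envFrom:
            - secretRef:
                name: gitea-dev-secret
      # … unchanged: restartPolicy …
      volumes:
        - name: gitea-dev-storage
          persistentVolumeClaim:
            claimName: gitea-dev-storage
        - name: gitea-dev-config
          configMap:
            # … unchanged: name …
            items:
              - key: app.ini
                path: app.ini
                mode: 0444
```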
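Review bot: In gitea-dev/ingress-route.yaml both rules carry the identical matcher Host(`git-dev.trapti.tech`) on the `websecure` entry point, so the router has nothing to tell them apart, and the second one forwards HTTP requests to port 2200, which app.ini configures as Gitea's SSH listener (`SSH_LISTEN_PORT = 2200`). SSH is not HTTP and carries no Host header, so this rule cannot deliver Git-over-SSH and may instead send some web requests to the SSH port. Remove the second rule here and publish SSH through a TCP router on its own entry point, i.e. a separate `IngressRouteTCP` with a `HostSNI` catch-all match pointing at `port: 2200`.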
@@ -0,0 +1,11 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+ name: ksops
+ annotations:
+ config.kubernetes.io/function: |
+ exec:
+ path: ksops
+
+files:
+ - ./secrets/gitea-dev.yaml
diff --git a/gitea-dev/kustomization.yaml b/gitea-dev/kustomization.yaml
new file mode 100644
index 000000000..b5cb7dfad
--- /dev/null
+++ b/gitea-dev/kustomization.yaml
@@ -0,0 +1,19 @@
+resources:
+- certificate.yaml
+- deployment.yaml
+- ingress-route.yaml
+- service.yaml
+- volume-storage.yaml
+
+images:
+- name: gitea-latest
+ newName: ghcr.io/traptitech/gitea
+ newTag: latest
+
+generators:
+ - ksops.yaml
+
+configMapGenerator:
+- name: gitea-dev
+ files:
+ - ./config/app.ini
diff --git a/gitea-dev/secrets/gitea-dev.yaml b/gitea-dev/secrets/gitea-dev.yaml
new file mode 100644
index 000000000..74ed8ead1
--- /dev/null
+++ b/gitea-dev/secrets/gitea-dev.yaml
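Review bot: In gitea-dev/kustomization.yaml the image override resolves to `ghcr.io/traptitech/gitea:latest`, a mutable tag, so the code running in the cluster can change without any commit to this repository and a rollback has no earlier build to name. Pin a release tag or, better, an immutable digest: `newTag: <release-tag>` or `digest: sha256:<image-digest>`. As a style point, `generators:` indents its list item while `resources:`, `images:` and `configMapGenerator:` keep theirs flush; use one form throughout the file.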
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Secret +metadata: + name: gitea-dev-secret + annotations: + kustomize.config.k8s.io/needs-hash: "true" +stringData: + GITEA__server__LFS_JWT_SECRET: ENC[AES256_GCM,data:lpP9yggfBU7C953tI4HmPQK1Omcr9dXl2A2NlJQI8r0whJ3ZnXp4pf1QJw==,iv:BesPX2oosSwRZfMtTh1NGf7jjH4GtAqV71Xfg0Oybeg=,tag:SfawB+hlcXFJMr/FKOQ6NA==,type:str] + GITEA__database__PASSWD: ENC[AES256_GCM,data:mSj8U7fT8E/WFwvDL+zTaaAAYlEJmFTYgWfh6PoxJnw=,iv:9UvWElMtEenTWDX80TWSTfAQ+86zmcGn//FviUc9qUM=,tag:TV3Y3B/Pcr3+W26/SFF1nw==,type:str] + GITEA__security__SECRET_KEY: ENC[AES256_GCM,data:oTRNt/52ZU24qYovNxBBkOJFeMChUa5kWerOXorhoyIQFKBU9YNMTtXizTKuCnGyA7pmr0Ak79XUKxh6fakqVg==,iv:UidGRaAbbamad7m8WTwsnpGDykRya8XBDWHDqZ0lqq0=,tag:Yk5Hr5AV8Ak7c1fZoc8vdQ==,type:str] + GITEA__security__INTERNAL_TOKEN: ENC[AES256_GCM,data:8nVJclrXNVcj4bzsM0sTeXgWS0efcCcX/7s/6NQXKZ2mXVqpTIRQ8VO4AZGNxouOyHv1uApRJQjBMnsIXqCZvlSttTWGGZTmbdeww6Q1MLf9M5om1u1XngzC4uKkr/SlZxHizGodRPcK,iv:BRGnwEe2pPdtHZebpIWbg0H6W08UT6TP8LLZmBSH9UY=,tag:yAfQqOIvjZtFoFWXFFByKQ==,type:str] + GITEA__lfs__MINIO_ACCESS_KEY_ID: ENC[AES256_GCM,data:JhkdKHZsI3BPhVVNZo2WPL0Hqqg=,iv:izcJl5Y465qys/ujRTzHr7Xzoi+XzL3MNVscQ2y3AMY=,tag:hLdo4ZpeEwg9ECJj3cXPcw==,type:str] + GITEA__lfs__MINIO_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:AAyFxipxE3fk3QJ8hbLLw9RBHg4Yy0Z0vZsKF9jJaiUQOVTu//pREg==,iv:gU1/eUj8ugWjvPZvncNCtoPfsC+USwSfFOVvZrkPUdQ=,tag:6dXKZ5+EQ+mCXxnI/VwfGw==,type:str] + GITEA__oauth2__JWT_SECRET: ENC[AES256_GCM,data:wTtle6sapYVRfenjnuXlEU40yDu0luwya6a0xI/aZ2xNSn/ho3LeN+H8Hg==,iv:zoia7oqPPCIztz+dOqQnIG6j/Ng19vng9xegy9IiZZ0=,tag:K2OTdsuQlvCxL+oL6L5jBw==,type:str] +sops: + age: + - recipient: age156red4ptw5huzpwlfnrukg4htuucdweu9jg8usjz98ggmeyedces3xqplq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0VElFWXRQM29VVDJtbHRn + UGFQcGxYRCtndnloODBmQ1dodHlSK244SDNJClJvK1k1bThnTS9CaG1yWUlLSi9m + enUxdHE5UERub25sdzBmMlF6VTM2d2cKLS0tIE96SDlpTlRnL043U2lMM3NZTVJz + 
Ky9xckxxNGtZd0Y3R2FCQ3NVdlFhQkEK81ftmIE1ly0qWcrcNGiXmB+vsqP/YfzL + cc2aIjkSgUaRQOoXusQMLsnXmYqsWKMWG9MP/exSgjvoWJerkUlTsQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-09-24T11:05:31Z" + mac: ENC[AES256_GCM,data:1NucylRUClTDhUTtZdzIvNAUXV7nmlLjtDCEusfDCeyTy48VE6KZz+spP8cCa3J9CIdIiu1n6LGuXqtZhVeFOvc4TQN2zQiYaqU+si+nEbmqLIUSM+m/w6ht/15QezYSlKmt1bNH2jp++0NXis3kfWnE4Y/Uo06O+xyD7HRwOlQ=,iv:+YTnp0vw8b525g41zziD5u2SA7tm0EPeEJRU8lXpc8g=,tag:RGvyG5oBkIAsW1r/R+Dbuw==,type:str] + unencrypted_regex: ^(apiVersion|metadata|kind|type)$ + version: 3.10.2
diff --git a/gitea-dev/service.yaml b/gitea-dev/service.yaml
new file mode 100644
index 000000000..bec9d9c6a
--- /dev/null
+++ b/gitea-dev/service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: gitea-dev
+ name: gitea-dev
+spec:
+ ports:
+ - name: "3000"
+ port: 3000
+ targetPort: 3000
+ - name: "2200"
+ port: 2200
+ targetPort: 2200
+ selector:
+ app: gitea-dev
diff --git a/gitea-dev/volume-storage.yaml b/gitea-dev/volume-storage.yaml
new file mode 100644
index 000000000..2939d67fe
--- /dev/null
+++ b/gitea-dev/volume-storage.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ labels:
+ app: gitea-dev-storage
+ name: gitea-dev-storage
+spec:
+ resources:
+ requests:
+ storage: 100Mi
+ volumeMode: Filesystem
+ accessModes:
+ - ReadWriteOnce
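Review bot: In gitea-dev/volume-storage.yaml the claim requests only `storage: 100Mi`, while app.ini places the repositories, the issue indexer, sessions, avatars and attachments all under `/data`, which is where this volume is mounted. A volume of that size will likely fill after a handful of pushes, and a full data volume typically shows up as failed writes and rejected pushes rather than a clear error. Size the request for the expected repository data, e.g. `storage: <expected-size>Gi`, and consider setting `storageClassName` explicitly instead of depending on the cluster default.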