devtools/issues: redmine deployment

Change-Id: I71956c4132bf2063e9fc41eb24c4f37657b8fd9d
2021-02-06 22:23:53 +01:00 · 2021-02-06 22:23:53 +01:00 · 0572fff9a4
parent 95da3d5011
commit 0572fff9a4
3 changed files with 175 additions and 0 deletions
--- a/devtools/issues/Dockerfile
+++ b/devtools/issues/Dockerfile
@ -0,0 +1,12 @@
+FROM redmine:4.1.1-alpine@sha256:8396c1a7e5b2087a16d54aa08578fc1c30fa7aba85b6d4cd592a07c410f1a743
+
+RUN git clone -n https://github.com/anteo/redmine_custom_workflows plugins/redmine_custom_workflows && cd plugins/redmine_custom_workflows && git checkout 2802812c331a03b0443aeba1101d74aee442e0f7
+RUN git clone -n https://github.com/informatic/redmine_openid_connect plugins/redmine_openid_connect && cd plugins/redmine_openid_connect && git checkout bfd22cef9b5916ccde7d6da9cc363b30c001f42c
+RUN git clone -n https://github.com/informatic/redmine_s3 plugins/redmine_s3 && cd plugins/redmine_s3 && git checkout 9b3881c2a80bc4093f29345b4ee6f98dc7aa874a
+RUN git clone -n https://github.com/two-pack/redmine_auto_assign_group plugins/redmine_auto_assign_group && cd plugins/redmine_auto_assign_group && git checkout aad1c4b9f5500d7a03bbfa34cc0c50b05d2a9b8a
+RUN git clone -n https://github.com/sf-cola/select_to_select2 plugins/select_to_select2 && cd plugins/select_to_select2 && git checkout 9b12893849bdbfbd75cbc321c9b1f0fb7833802c
+RUN git clone -n https://github.com/davidegiacometti/redmine_shortcuts plugins/redmine_shortcuts && cd plugins/redmine_shortcuts && git checkout a15128f9b6ccd74893cb57a157e2838591a6df4a
+
+RUN bundle check || bundle install --without development test
+
+ENV REDMINE_PLUGINS_MIGRATE 1
--- a/devtools/issues/prod.jsonnet
+++ b/devtools/issues/prod.jsonnet
@ -0,0 +1,40 @@
+#
+# issues.hackerspace.pl redmine deployment
+#
+# Bootstrap:
+#
+#    ns=redmine
+#    kubectl -n $ns create secret generic redmine --from-literal=secret_key=$(pwgen 24 1) --from-literal=oidc_secret=...
+#
+#    ceph_ns=ceph-waw3; ceph_pool=waw-hdd-redundant-3
+#    kubectl -n $ceph_ns get secrets rook-ceph-object-user-${ceph_pool}-object-issues -o json | jq 'del(.metadata.namespace,.metadata.resourceVersion,.metadata.uid) | .metadata.creationTimestamp=null' | kubectl replace -f - -n $ns
+#
+
+local redmine = import "./redmine.libsonnet";
+
+{
+    issues: redmine {
+        cfg+: {
+            namespace: "redmine",
+            domain: "issues.hackerspace.pl",
+
+            storage+: {
+                endpoint: "https://object.ceph-waw3.hswaw.net",
+                bucket: "issues",
+
+                # This is required for redmine_s3 to properly create a bucket
+                region: "us-east-1",
+
+                local rookSecret = "rook-ceph-object-user-waw-hdd-redundant-3-object-issues",
+                accessKey: { secretKeyRef: { name: rookSecret, key: "AccessKey" } },
+                secretKey: { secretKeyRef: { name: rookSecret, key: "SecretKey" } },
+            },
+
+            oidc+: {
+                server: "https://sso.hackerspace.pl",
+                clientID: "70ee2821-2657-4409-a298-98649d1f689f",
+                clientSecret: { secretKeyRef: { name: "redmine", key: "oidc_secret" } },
+            },
+        },
+    },
+}
--- a/devtools/issues/redmine.libsonnet
+++ b/devtools/issues/redmine.libsonnet
@ -0,0 +1,123 @@
+local kube = import "../../kube/kube.libsonnet";
+local postgres = import "../../kube/postgres.libsonnet";
+
+{
+    local app = self,
+    local cfg = app.cfg,
+
+    cfg:: {
+        namespace: "redmine",
+        image: "registry.k0.hswaw.net/informatic/redmine@sha256:b04d1fd04549424e505722c9feb0b6741a057cb8f0fab68ad3730ecb167417df",
+        domain: error "domain must be set",
+        storageClassName: "waw-hdd-redundant-3",
+        database: {
+            host: "postgres",
+            name: "redmine",
+            username: "redmine",
+            password: { secretKeyRef: { name: "redmine", key: "postgres_password" } },
+            port: 5432,
+        },
+
+        storage: {
+            endpoint: error "storage.endpoint must be set",
+            region: error "storage.region must be set",
+            bucket: error "storage.bucket must be set",
+            accessKey: error "storage.accessKey must be set",
+            secretKey: error "storage.secretKey must be set",
+        },
+
+        oidc: {
+            server: error "oidc.server must be set",
+            clientID: error "oidc.clientID must be set",
+            clientSecret: error "oidc.clientSecret must be set",
+        },
+    },
+
+    ns: kube.Namespace(app.cfg.namespace),
+
+    postgres: postgres {
+        cfg+: {
+            namespace: cfg.namespace,
+            appName: "redmine",
+            database: cfg.database.name,
+            username: cfg.database.username,
+            password: cfg.database.password,
+            storageClassName: cfg.storageClassName,
+        },
+    },
+
+    deployment: app.ns.Contain(kube.Deployment("redmine")) {
+        spec+: {
+            replicas: 1,
+            template+: {
+                spec+: {
+                    securityContext: {
+                        runAsUser: 999,
+                        runAsGroup: 999,
+                        fsGroup: 999,
+                    },
+                    containers_: {
+                        web: kube.Container("redmine") {
+                            image: cfg.image,
+                            ports_: {
+                                http: { containerPort: 3000 },
+                            },
+                            env_: {
+                                REDMINE_DB_POSTGRES: cfg.database.host,
+                                REDMINE_DB_PORT: cfg.database.port,
+                                REDMINE_DB_USERNAME: cfg.database.username,
+                                REDMINE_DB_PASSWORD: cfg.database.password,
+                                REDMINE_DB_DATABASE: cfg.database.name,
+
+                                REDMINE_SECRET_KEY_BASE: { secretKeyRef: { name: "redmine", key: "secret_key" } },
+
+                                REDMINE_OIDC_SERVER: cfg.oidc.server,
+                                REDMINE_OIDC_CLIENT_ID: cfg.oidc.clientID,
+                                REDMINE_OIDC_CLIENT_SECRET: cfg.oidc.clientSecret,
+                                REDMINE_OIDC_ADMIN_GROUP: "issues-admin",
+
+                                REDMINE_S3_ENDPOINT: cfg.storage.endpoint,
+                                REDMINE_S3_BUCKET: cfg.storage.bucket,
+                                REDMINE_S3_ACCESS_KEY_ID: cfg.storage.accessKey,
+                                REDMINE_S3_SECRET_ACCESS_KEY: cfg.storage.secretKey,
+                                REDMINE_S3_REGION: cfg.storage.region,
+                            },
+                        },
+                    },
+                },
+            },
+        },
+    },
+
+    svc: app.ns.Contain(kube.Service("redmine")) {
+        target_pod:: app.deployment.spec.template,
+    },
+
+    ingress: app.ns.Contain(kube.Ingress("redmine")) {
+        metadata+: {
+            annotations+: {
+                "kubernetes.io/tls-acme": "true",
+                "certmanager.k8s.io/cluster-issuer": "letsencrypt-prod",
+                "nginx.ingress.kubernetes.io/proxy-body-size": "0",
+            },
+        },
+        spec+: {
+            tls: [
+                {
+                    hosts: [cfg.domain],
+                    secretName: "redmine-tls",
+                },
+            ],
+            rules: [
+                {
+                    host: cfg.domain,
+                    http: {
+                        paths: [
+                            { path: "/", backend: app.svc.name_port },
+                        ]
+                    },
+                }
+            ],
+        },
+    },
+}