mirror of https://gerrit.hackerspace.pl/hscloud
213 lines
6.8 KiB
Plaintext
213 lines
6.8 KiB
Plaintext
local kube = import "../../../kube/kube.libsonnet";
|
|
|
|
{
|
|
local gerrit = self,
|
|
local cfg = gerrit.cfg,
|
|
|
|
cfg:: {
|
|
namespace: error "namespace must be set",
|
|
appName: "gerrit",
|
|
prefix: "", # if set, should be 'foo-'
|
|
domain: error "domain must be set",
|
|
identity: error "identity (UUID) must be set",
|
|
|
|
// The secret must contain a key named 'secure.config' containing (at least):
|
|
// [auth]
|
|
// registerEmailPrivateKey = <random>
|
|
// [plugin "gerrit-oauth-provider-warsawhackerspace-oauth"]
|
|
// client-id = foo
|
|
// client-secret = bar
|
|
// [sendemail]
|
|
// smtpPass = foo
|
|
// [receiveemail]
|
|
// password = bar
|
|
secureSecret: error "secure secret name must be set",
|
|
|
|
storageClass: error "storage class must be set",
|
|
storageSize: {
|
|
git: "50Gi", // Main storage for repositories and NoteDB.
|
|
index: "10Gi", // Secondary Lucene index
|
|
cache: "10Gi", // H2 cache databases
|
|
db: "1Gi", // NoteDB is used, so database is basically empty (H2 accountPatchReviewDatabase)
|
|
etc: "1Gi", // Random site stuff.
|
|
},
|
|
|
|
email: {
|
|
server: "mail.hackerspace.pl",
|
|
username: "gerrit",
|
|
address: "gerrit@hackerspace.pl",
|
|
},
|
|
|
|
tag: "3.0.0-r7",
|
|
image: "registry.k0.hswaw.net/devtools/gerrit:" + cfg.tag,
|
|
resources: {
|
|
requests: {
|
|
cpu: "100m",
|
|
memory: "500Mi",
|
|
},
|
|
limits: {
|
|
cpu: "1",
|
|
memory: "2Gi",
|
|
},
|
|
},
|
|
},
|
|
|
|
name(suffix):: cfg.prefix + suffix,
|
|
|
|
metadata(component):: {
|
|
namespace: cfg.namespace,
|
|
labels: {
|
|
"app.kubernetes.io/name": cfg.appName,
|
|
"app.kubernetes.io/managed-by": "kubecfg",
|
|
"app.kubernetes.io/component": "component",
|
|
},
|
|
},
|
|
|
|
configmap: kube.ConfigMap(gerrit.name("gerrit")) {
|
|
metadata+: gerrit.metadata("configmap"),
|
|
data: {
|
|
"gerrit.config": |||
|
|
[gerrit]
|
|
basePath = git
|
|
canonicalWebUrl = https://%(domain)s/
|
|
serverId = %(identity)s
|
|
|
|
[sshd]
|
|
advertisedAddress = %(domain)s
|
|
|
|
[container]
|
|
javaOptions = -Djava.security.edg=file:/dev/./urandom
|
|
|
|
[auth]
|
|
type = OAUTH
|
|
gitBasicAuthPolicy = HTTP
|
|
|
|
[httpd]
|
|
listenUrl = proxy-http://*:8080
|
|
|
|
[sshd]
|
|
advertisedAddress = %(domain)s
|
|
|
|
[user]
|
|
email = %(emailAddress)s
|
|
|
|
[sendemail]
|
|
enable = true
|
|
from = MIXED
|
|
smtpServer = %(emailServer)s
|
|
smtpServerPort = 465
|
|
smtpEncryption = ssl
|
|
smtpUser = %(emailUser)s
|
|
|
|
[receiveemail]
|
|
protocol = IMAP
|
|
host = %(emailServer)s
|
|
username = %(emailUser)s
|
|
encryption = TLS
|
|
enableImapIdle = true
|
|
|
|
||| % {
|
|
domain: cfg.domain,
|
|
identity: cfg.identity,
|
|
emailAddress: cfg.email.address,
|
|
emailServer: cfg.email.server,
|
|
emailUser: cfg.email.username,
|
|
},
|
|
},
|
|
},
|
|
|
|
volumes: {
|
|
[name]: kube.PersistentVolumeClaim(gerrit.name(name)) {
|
|
metadata+: gerrit.metadata("storage"),
|
|
spec+: {
|
|
storageClassName: cfg.storageClassName,
|
|
accessModes: ["ReadWriteOnce"],
|
|
resources: {
|
|
requests: {
|
|
storage: cfg.storageSize[name],
|
|
},
|
|
},
|
|
},
|
|
}
|
|
for name in ["etc", "git", "index", "cache", "db"]
|
|
},
|
|
|
|
local volumeMounts = {
|
|
[name]: { mountPath: "/var/gerrit/%s" % name }
|
|
for name in ["etc", "git", "index", "cache", "db"]
|
|
} {
|
|
// ConfigMap gets mounted here
|
|
config: { mountPath: "/var/gerrit-config" },
|
|
// SecureSecret gets mounted here
|
|
secure: { mountPath: "/var/gerrit-secure" },
|
|
},
|
|
deployment: kube.Deployment(gerrit.name("gerrit")) {
|
|
metadata+: gerrit.metadata("deployment"),
|
|
spec+: {
|
|
replicas: 1,
|
|
template+: {
|
|
spec+: {
|
|
securityContext: {
|
|
fsGroup: 1000, # gerrit uid
|
|
},
|
|
volumes_: {
|
|
config: kube.ConfigMapVolume(gerrit.configmap),
|
|
secure: { secret: { secretName: cfg.secureSecret} },
|
|
} {
|
|
[name]: kube.PersistentVolumeClaimVolume(gerrit.volumes[name])
|
|
for name in ["etc", "git", "index", "cache", "db"]
|
|
},
|
|
containers_: {
|
|
gerrit: kube.Container(gerrit.name("gerrit")) {
|
|
image: cfg.image,
|
|
ports_: {
|
|
http: { containerPort: 8080 },
|
|
ssh: { containerPort: 29418 },
|
|
},
|
|
resources: cfg.resources,
|
|
volumeMounts_: volumeMounts,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
|
|
svc: kube.Service(gerrit.name("gerrit")) {
|
|
metadata+: gerrit.metadata("service"),
|
|
target_pod:: gerrit.deployment.spec.template,
|
|
spec+: {
|
|
ports: [
|
|
{ name: "http", port: 80, targetPort: 8080, protocol: "TCP" },
|
|
{ name: "ssh", port: 22, targetPort: 29418, protocol: "TCP" },
|
|
],
|
|
type: "ClusterIP",
|
|
},
|
|
},
|
|
|
|
ingress: kube.Ingress(gerrit.name("gerrit")) {
|
|
metadata+: gerrit.metadata("ingress") {
|
|
annotations+: {
|
|
"kubernetes.io/tls-acme": "true",
|
|
"certmanager.k8s.io/cluster-issuer": "letsencrypt-prod",
|
|
"nginx.ingress.kubernetes.io/proxy-body-size": "0",
|
|
},
|
|
},
|
|
spec+: {
|
|
tls: [
|
|
{ hosts: [cfg.domain], secretName: gerrit.name("acme") },
|
|
],
|
|
rules: [
|
|
{
|
|
host: cfg.domain,
|
|
http: {
|
|
paths: [
|
|
{ path: "/", backend: gerrit.svc.name_port },
|
|
],
|
|
},
|
|
}
|
|
],
|
|
},
|
|
},
|
|
}
|