feat: Gitea | activate internal tls
@@ -1,10 +1,10 @@
import { Construct } from "constructs";
|
import { Construct } from "constructs";
|
||||||
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
|
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
|
||||||
|
|
||||||
import { OnePasswordSecret, LonghornPvc } from "../../utils";
|
|
||||||
import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1";
|
import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1";
|
||||||
import { PodDisruptionBudgetV1 } from "@cdktf/provider-kubernetes/lib/pod-disruption-budget-v1";
|
import { PodDisruptionBudgetV1 } from "@cdktf/provider-kubernetes/lib/pod-disruption-budget-v1";
|
||||||
|
|
||||||
|
import { OnePasswordSecret, LonghornPvc } from "../../../utils";
|
||||||
|
|
||||||
type GiteaRunnerOptions = {
|
type GiteaRunnerOptions = {
|
||||||
provider: KubernetesProvider;
|
provider: KubernetesProvider;
|
||||||
name: string;
|
name: string;
|
||||||
@@ -7,8 +7,9 @@ import {
|
|||||||
OnePasswordSecret,
|
OnePasswordSecret,
|
||||||
PublicIngressRoute,
|
PublicIngressRoute,
|
||||||
IngressRouteTcp,
|
IngressRouteTcp,
|
||||||
} from "../../utils";
|
PrivateCertificate,
|
||||||
import type { Providers } from "../../types";
|
} from "../../../utils";
|
||||||
|
import type { Providers } from "../../../types";
|
||||||
|
|
||||||
type GiteaServerOptions = {
|
type GiteaServerOptions = {
|
||||||
providers: Providers;
|
providers: Providers;
|
||||||
@@ -22,45 +23,61 @@ export class GiteaServer extends Construct {
|
|||||||
super(scope, id);
|
super(scope, id);
|
||||||
|
|
||||||
const { kubernetes, helm } = options.providers;
|
const { kubernetes, helm } = options.providers;
|
||||||
|
const { name, namespace, r2Endpoint } = options;
|
||||||
|
|
||||||
new OnePasswordSecret(this, "admin", {
|
new OnePasswordSecret(this, "admin", {
|
||||||
provider: kubernetes,
|
provider: kubernetes,
|
||||||
name: "gitea-admin",
|
name: "gitea-admin",
|
||||||
namespace: options.namespace,
|
namespace,
|
||||||
itemPath: "vaults/Lab/items/gitea-admin",
|
itemPath: "vaults/Lab/items/gitea-admin",
|
||||||
});
|
});
|
||||||
|
|
||||||
new OnePasswordSecret(this, "oauth", {
|
new OnePasswordSecret(this, "oauth", {
|
||||||
provider: kubernetes,
|
provider: kubernetes,
|
||||||
name: "gitea-oauth",
|
name: "gitea-oauth",
|
||||||
namespace: options.namespace,
|
namespace,
|
||||||
itemPath: "vaults/Lab/items/gitea-oauth",
|
itemPath: "vaults/Lab/items/gitea-oauth",
|
||||||
});
|
});
|
||||||
|
|
||||||
new OnePasswordSecret(this, "smtp", {
|
new OnePasswordSecret(this, "smtp", {
|
||||||
provider: kubernetes,
|
provider: kubernetes,
|
||||||
name: "gitea-smtp-token",
|
name: "gitea-smtp-token",
|
||||||
namespace: options.namespace,
|
namespace,
|
||||||
itemPath: "vaults/Lab/items/smtp-token",
|
itemPath: "vaults/Lab/items/smtp-token",
|
||||||
});
|
});
|
||||||
|
|
||||||
new OnePasswordSecret(this, "r2", {
|
new OnePasswordSecret(this, "r2", {
|
||||||
provider: kubernetes,
|
provider: kubernetes,
|
||||||
name: "gitea-cloudflare-token",
|
name: "gitea-cloudflare-token",
|
||||||
namespace: options.namespace,
|
namespace,
|
||||||
itemPath: "vaults/Lab/items/cloudflare",
|
itemPath: "vaults/Lab/items/cloudflare",
|
||||||
});
|
});
|
||||||
|
|
||||||
|
new PrivateCertificate(this, "internal-cert", {
|
||||||
|
provider: kubernetes,
|
||||||
|
namespace,
|
||||||
|
name: "gitea-tls-internal",
|
||||||
|
secretName: "gitea-tls-internal",
|
||||||
|
dnsNames: [
|
||||||
|
"git.dogar.dev",
|
||||||
|
"gitea",
|
||||||
|
"gitea.homelab.svc",
|
||||||
|
"gitea.homelab.svc.cluster.local",
|
||||||
|
],
|
||||||
|
usages: ["digital signature", "key encipherment", "server auth"],
|
||||||
|
});
|
||||||
|
|
||||||
new Release(this, id, {
|
new Release(this, id, {
|
||||||
...options,
|
...options,
|
||||||
provider: helm,
|
provider: helm,
|
||||||
repository: "https://dl.gitea.com/charts",
|
repository: "https://dl.gitea.com/charts",
|
||||||
chart: "gitea",
|
chart: "gitea",
|
||||||
|
namespace,
|
||||||
createNamespace: true,
|
createNamespace: true,
|
||||||
set: [
|
set: [
|
||||||
{
|
{
|
||||||
name: "gitea.config.storage.MINIO_ENDPOINT",
|
name: "gitea.config.storage.MINIO_ENDPOINT",
|
||||||
value: options.r2Endpoint,
|
value: r2Endpoint,
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
values: [
|
values: [
|
||||||
@@ -72,21 +89,22 @@ export class GiteaServer extends Construct {
|
|||||||
|
|
||||||
new IngressRouteTcp(this, "ssh-ingress", {
|
new IngressRouteTcp(this, "ssh-ingress", {
|
||||||
provider: kubernetes,
|
provider: kubernetes,
|
||||||
namespace: options.namespace,
|
namespace,
|
||||||
name: options.name,
|
name,
|
||||||
match: "HostSNI(`*`)",
|
match: "HostSNI(`*`)",
|
||||||
entryPoint: "ssh",
|
entryPoint: "ssh",
|
||||||
serviceName: `${options.name}-ssh`,
|
serviceName: `${name}-ssh`,
|
||||||
servicePort: 22,
|
servicePort: 22,
|
||||||
});
|
});
|
||||||
|
|
||||||
new PublicIngressRoute(this, "http-ingress", {
|
new PublicIngressRoute(this, "http-ingress", {
|
||||||
provider: kubernetes,
|
provider: kubernetes,
|
||||||
namespace: options.namespace,
|
namespace,
|
||||||
name: options.name,
|
name,
|
||||||
host: "git.dogar.dev",
|
host: "git.dogar.dev",
|
||||||
serviceName: `${options.name}-http`,
|
serviceName: `${name}-http`,
|
||||||
servicePort: 3000,
|
servicePort: 3000,
|
||||||
|
serviceProtocol: "https",
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
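Review bot: The in-cluster SANs of the new `PrivateCertificate` are hard-coded (`"gitea"`, `"gitea.homelab.svc"`, `"gitea.homelab.svc.cluster.local"`) while every other resource in this block now derives its names from the destructured `name` and `namespace`, and the service the ingress actually forwards to is `${name}-http`. Unless the chart also creates a Service literally named `gitea`, a different `name` or `namespace` would leave the certificate without a matching in-cluster SAN and any verifying client (the serviceMonitor with `insecureSkipVerify: false`, or a Traefik transport that checks the backend name) would reject it. Build the three entries with template literals instead: `${name}-http`, `${name}-http.${namespace}.svc` and `${name}-http.${namespace}.svc.cluster.local`, and keep `"git.dogar.dev"` for the public host. The same applies to the literal `"gitea-tls-internal"` used for `name` and `secretName`, which must stay in step with the volume `secretName` in the values file. Nothing in the hunk restarts the pod when cert-manager renews the secret, so confirm Gitea re-reads `CERT_FILE`/`KEY_FILE` on rotation or add a restart trigger; the constructor this code belongs to starts outside the hunk.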
@@ -24,11 +24,18 @@ gitea:
|
|||||||
enabled: true
|
enabled: true
|
||||||
serviceMonitor:
|
serviceMonitor:
|
||||||
enabled: true
|
enabled: true
|
||||||
|
scheme: "https"
|
||||||
|
tlsConfig:
|
||||||
|
insecureSkipVerify: false
|
||||||
|
caFile: /internal-ca/ca.crt
|
||||||
config:
|
config:
|
||||||
server:
|
server:
|
||||||
ENABLE_PPROF: true
|
ENABLE_PPROF: true
|
||||||
ENABLE_GZIP: true
|
ENABLE_GZIP: true
|
||||||
LFS_START_SERVER: true
|
LFS_START_SERVER: true
|
||||||
|
PROTOCOL: https
|
||||||
|
CERT_FILE: /certs/tls.crt
|
||||||
|
KEY_FILE: /certs/tls.key
|
||||||
ROOT_URL: https://git.dogar.dev/
|
ROOT_URL: https://git.dogar.dev/
|
||||||
SSH_DOMAIN: git.dogar.dev
|
SSH_DOMAIN: git.dogar.dev
|
||||||
DISABLE_SSH: false
|
DISABLE_SSH: false
|
||||||
@@ -93,6 +100,27 @@ gitea:
|
|||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
name: gitea-cloudflare-token
|
name: gitea-cloudflare-token
|
||||||
key: secret_access_key
|
key: secret_access_key
|
||||||
|
livenessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /api/healthz
|
||||||
|
port: 3000
|
||||||
|
scheme: HTTPS
|
||||||
|
initialDelaySeconds: 5
|
||||||
|
periodSeconds: 10
|
||||||
|
readinessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /api/healthz
|
||||||
|
port: 3000
|
||||||
|
scheme: HTTPS
|
||||||
|
initialDelaySeconds: 5
|
||||||
|
periodSeconds: 10
|
||||||
|
startupProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /api/healthz
|
||||||
|
port: 3000
|
||||||
|
scheme: HTTPS
|
||||||
|
initialDelaySeconds: 5
|
||||||
|
periodSeconds: 10
|
||||||
persistence:
|
persistence:
|
||||||
labels:
|
labels:
|
||||||
recurring-job.longhorn.io/source: "enabled"
|
recurring-job.longhorn.io/source: "enabled"
|
||||||
@@ -149,6 +177,9 @@ extraVolumes:
|
|||||||
items:
|
items:
|
||||||
- key: ca.crt
|
- key: ca.crt
|
||||||
path: root.crt
|
path: root.crt
|
||||||
|
- name: gitea-tls-internal
|
||||||
|
secret:
|
||||||
|
secretName: gitea-tls-internal
|
||||||
- name: gitea-temp
|
- name: gitea-temp
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
extraInitVolumeMounts:
|
extraInitVolumeMounts:
|
||||||
@@ -159,6 +190,8 @@ extraContainerVolumeMounts:
|
|||||||
- name: ssl-bundle
|
- name: ssl-bundle
|
||||||
mountPath: /opt/gitea/.postgresql
|
mountPath: /opt/gitea/.postgresql
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
- name: gitea-tls-internal
|
||||||
|
mountPath: /certs
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- name: gitea-temp
|
- name: gitea-temp
|
||||||
mountPath: /tmp/gitea-uploads
|
mountPath: /tmp/gitea-uploads
|
||||||
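Review bot: In the `serviceMonitor.tlsConfig` block, `insecureSkipVerify: false` is the right default but the scrape will not validate as written: Prometheus connects to the pod IP, so the certificate's DNS SANs never match unless `serverName` is set, and `caFile: /internal-ca/ca.crt` is a path inside the Prometheus container, not the Gitea pod, so the CA must be mounted there (or referenced via `ca.secret`/`ca.configMap` instead). Add `serverName: gitea.homelab.svc` (one of the SANs issued in the TypeScript change) under `tlsConfig`, and verify the CA mount exists in Prometheus before merging, otherwise the natural "fix" becomes flipping `insecureSkipVerify` to `true` and losing the verification this commit introduces. Secondary, in the probes hunk: `startupProbe` sets no `failureThreshold`, so with `periodSeconds: 10` the default of 3 gives Gitea roughly 35 s to answer `/api/healthz` before the container is killed; a first start that runs database migrations may need a larger `failureThreshold` (e.g. `failureThreshold: 30`), and once a startup probe exists the `initialDelaySeconds` on the liveness and readiness probes is redundant.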