diff --git a/gitea.tf b/gitea.tf index a65f21a..55acb7a 100644 --- a/gitea.tf +++ b/gitea.tf @@ -5,12 +5,12 @@ resource "kubernetes_namespace" "this" { } resource "helm_release" "this" { - name = "gitea" + name = local.instance_name namespace = kubernetes_namespace.this.metadata.0.name repository = "https://dl.gitea.io/charts/" chart = "gitea" - version = "10.1.4" + version = "12.4.0" create_namespace = false @@ -91,7 +91,7 @@ resource "helm_release" "this" { ISSUE_INDEXER_TYPE = "db" # bleve doesn't like 9p filesystems :/ } metrics = { - ENABLED = false ## the metrics not really worth it + ENABLED = false ## the metrics are not really worth it } service = { DISABLE_REGISTRATION = true @@ -112,10 +112,6 @@ resource "helm_release" "this" { PROTOCOL = "smtp" SMTP_ADDR = "nat.lawndale" SMTP_PORT = "25" - ## Deprecated config for 1.17 - HOST = "nat.lawndale:25" - IS_TLS_ENABLED = false - MAILER_TYPE = "smtp" } } } 
@@ -129,37 +125,29 @@ resource "helm_release" "this" { }), jsonencode({ postgresql = { - enabled = true - image = { - tag = "12.20.0-debian-12-r26" - } - primary = { - persistence = { - enabled = true - existingClaim = module.postgres_persistance.pvc_name - claimName = module.postgres_persistance.pvc_name - } - podSecurityContext = { - enabled = true - } - volumePermissions = { - enabled = true - } - } - } - }), - # Non-HA config base, see https://gitea.com/gitea/helm-chart/src/tag/v10.1.4#single-pod-configurations - jsonencode({ - "redis-cluster" = { enabled = false } "postgresql-ha" = { enabled = false } + "redis-cluster" = { + enabled = false + } + "valkey-cluster" = { + enabled = false + } + "valkey" = { + enabled = false + } + }), + # Non-HA config base, see https://gitea.com/gitea/helm-chart/src/tag/v10.1.4#single-pod-configurations + jsonencode({ gitea = { config = { database = { DB_TYPE = "postgres" + NAME = local.postgresql_dbname + HOST = "${kubernetes_service.postgresql.metadata.0.name}.${kubernetes_namespace.this.metadata.0.name}.svc.k8s.lawndale" } session = { PROVIDER = "db" @@ -180,13 +168,18 @@ resource "helm_release" "this" { ] set_sensitive { - name = "postgresql.global.postgresql.auth.password" - value = random_password.postgresql_gitea.result - } - set_sensitive { - name = "postgresql.global.postgresql.auth.postgresPassword" + name = "gitea.config.database.PASSWD" value = random_password.postgresql.result } + + # set_sensitive { + # name = "postgresql.global.postgresql.auth.password" + # value = random_password.postgresql_gitea.result + # } + # set_sensitive { + # name = "postgresql.global.postgresql.auth.postgresPassword" + # value = random_password.postgresql.result + # } set_sensitive { name = "gitea.oauth[0].key" value = aws_cognito_user_pool_client.gitea.id diff --git a/locals.tf b/locals.tf index 29c40fb..50bffcf 100644 --- a/locals.tf +++ b/locals.tf 
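Review bot: The comment above the second jsonencode still links to the v10.1.4 single-pod documentation although this file's first hunk moves the release to chart 12.4.0, and the `valkey` / `valkey-cluster` toggles added here only make sense for that newer chart; point the link at the matching tag, e.g. `# Non-HA config base, see https://gitea.com/gitea/helm-chart/src/tag/v12.4.0#single-pod-configurations` (confirm the anchor still exists on that tag). The database HOST hard-codes the cluster DNS suffix `svc.k8s.lawndale`; the short `<service>.<namespace>` form resolves in-cluster without it and survives a cluster-domain change. The database block sets no SSL_MODE, so the credential passed in the next hunk presumably travels in clear text inside the namespace unless the PostgreSQL defined in postgresql.tf is given TLS; a one-line comment stating that the connection is intended for in-namespace traffic only would make that decision explicit. The helm_release resource begins and ends outside this hunk.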
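Review bot: The two removed set_sensitive blocks are kept as commented-out code directly under their replacement; commented resource references such as `random_password.postgresql_gitea.result` go stale silently and hide whether that random_password is still needed now that nothing visible references it (its declaration is outside this diff). Drop the comments and rely on git history, or keep a single line such as `# PostgreSQL is no longer deployed as a subchart; its credentials are managed in postgresql.tf`. The remaining set_sensitive passes `random_password.postgresql.result` as gitea.config.database.PASSWD, the same value postgresql.tf injects as POSTGRES_PASSWORD, so the two resources now share one credential and a rotation has to update both in the same apply. The helm_release resource continues outside the hunk.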
@@ -1,5 +1,6 @@ locals { ingress_domain = "git.thomasklein.me" + instance_name = "gitea" } data "aws_region" "current" {} diff --git a/postgresql.tf b/postgresql.tf new file mode 100644 index 0000000..7d5d086 --- /dev/null +++ b/postgresql.tf 
@@ -0,0 +1,186 @@
+locals {
+ postgresql_user = "gitea"
+ postgresql_version = "18"
+ postgresql_dbname = "gitea"
+}
+resource "kubernetes_service" "postgresql_headless" {
+ metadata {
+ name = "${local.instance_name}-postgresql-hl"
+ namespace = kubernetes_namespace.this.metadata.0.name
+ labels = {
+ "app.kubernetes.io/instance" = local.instance_name
+ "app.kubernetes.io/managed-by" = "terraform"
+ "app.kubernetes.io/version" = local.postgresql_version
+ "app.kubernetes.io/name" = "postgresql"
+ }
+ }
+ spec {
+ type = "ClusterIP"
+ cluster_ip = null
+ selector = {
+ "app.kubernetes.io/instance" = local.instance_name
+ "app.kubernetes.io/name" = "postgresql"
+ }
+ port {
+ name = "tcp-postgresql"
+ port = 5432
+ protocol = "TCP"
+ target_port = "tcp-postgresql"
+ }
+ }
+}
+
+resource "kubernetes_service" "postgresql" {
+ metadata {
+ name = "${local.instance_name}-postgresql"
+ namespace = kubernetes_namespace.this.metadata.0.name
+ labels = {
+ "app.kubernetes.io/instance" = local.instance_name
+ "app.kubernetes.io/managed-by" = "terraform"
+ "app.kubernetes.io/version" = local.postgresql_version
+ "app.kubernetes.io/name" = "postgresql"
+ }
+ }
+ spec {
+ type = "ClusterIP"
+ selector = {
+ "app.kubernetes.io/instance" = local.instance_name
+ "app.kubernetes.io/name" = "postgresql"
+ }
+ port {
+ name = "tcp-postgresql"
+ port = 5432
+ protocol = "TCP"
+ target_port = "tcp-postgresql"
+ }
+ }
+}
+
+resource "kubernetes_secret" "postgresql" {
+ metadata {
+ namespace = kubernetes_namespace.this.metadata.0.name
+ name = "${local.instance_name}-postgresql"
+ }
+ data = {
+ password = sensitive(random_password.postgresql.result)
+ }
+}
+
+resource "kubernetes_stateful_set" "postgresql" {
+ metadata {
+ namespace = kubernetes_namespace.this.metadata.0.name
+ name = "${local.instance_name}-postgresql"
+ labels = {
+ "app.kubernetes.io/instance" = local.instance_name
+ "app.kubernetes.io/managed-by" = "terraform"
+ "app.kubernetes.io/version" = local.postgresql_version
+ "app.kubernetes.io/name" = "postgresql"
+ }
+ }
+ spec {
+ replicas = 1
+ selector {
+ match_labels = {
+ "app.kubernetes.io/instance" = local.instance_name
+ "app.kubernetes.io/name" = "postgresql"
+ }
+ }
+ service_name = kubernetes_service.postgresql.metadata.0.name
+
+ template {
+ metadata {
+ labels = {
+ "app.kubernetes.io/instance" = local.instance_name
+ "app.kubernetes.io/managed-by" = "terraform"
+ "app.kubernetes.io/version" = local.postgresql_version
+ "app.kubernetes.io/name" = "postgresql"
+ }
+ name = "${local.instance_name}-postgresql"
+ }
+ spec {
+ automount_service_account_token = false
+ container {
+ name = "postgresql"
+ image = "docker.io/library/postgres:${local.postgresql_version}-trixie"
+ image_pull_policy = "IfNotPresent"
+
+ env {
+ name = "POSTGRES_DB"
+ value = local.postgresql_dbname
+ }
+ env {
+ name = "POSTGRES_USER"
+ value = local.postgresql_user
+ }
+ env {
+ name = "POSTGRES_PASSWORD"
+ value_from {
+ secret_key_ref {
+ key = "password"
+ name = kubernetes_secret.postgresql.metadata.0.name
+ }
+ }
+ }
+ port {
+ container_port = 5432
+ protocol = "TCP"
+ name = "tcp-postgresql"
+ }
+ volume_mount {
+ name = "data"
+ mount_path = "/var/lib/postgresql"
+ }
+ # volume_mount {
+ # name = "data"
+ # mount_path = "/var/lib/postgresql/data"
+ # sub_path = "data"
+ # }
+ # resources {
+ # limits = {
+ # "cpu" = "1"
+ # "memory" = "1Gi"
+ # }
+ # }
+ liveness_probe {
+ failure_threshold = 6
+ initial_delay_seconds = 30
+ period_seconds = 15
+ timeout_seconds = 10
+ exec {
+ command = [
+ "/bin/sh",
+ "-c",
+ "exec pg_isready -U ${local.postgresql_user} -d 'dbname=${local.postgresql_dbname}' -h 127.0.0.1 -p 5432"
+ ]
+ }
+ }
+ }
+ volume {
+ name = "data"
+ persistent_volume_claim {
+ claim_name = module.postgres_persistance.pvc_name
+ }
+ }
+ }
+ }
+ }
+}
+
+
+# image = {
+# tag = "12.20.0-debian-12-r26"
+# }
+# primary = {
+# persistence = {
+# enabled = true
+# existingClaim = module.postgres_persistance.pvc_name
+# claimName = module.postgres_persistance.pvc_name
+# }
+# podSecurityContext = {
+# enabled = true
+# }
+# volumePermissions = {
+# enabled = true
+# }
+# }
+
\ No newline at end of file
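Review bot: `service_name` on the StatefulSet points at the ClusterIP service `kubernetes_service.postgresql`, while the governing service of a StatefulSet should be the headless one and `postgresql_headless` is otherwise unreferenced; change it to `service_name = kubernetes_service.postgresql_headless.metadata.0.name`. The headless service itself is not headless as written: `cluster_ip = null` leaves the field unset so the API server allocates an address, and the provider needs the literal `cluster_ip = "None"`. The container sets POSTGRES_USER to the Gitea user, and the official postgres image creates that role as the instance superuser, so Gitea connects with superuser rights over the whole server; a least-privilege setup keeps a separate admin role and creates the `gitea` role without SUPERUSER in an init script, which deserves at least a comment on the env block if it is accepted as is. The pod and container declare no `security_context` (the previous subchart's `podSecurityContext` was dropped, see the commented block at the end of the file), there is no readiness probe, and `resources` is commented out, so the pod runs unconstrained and the service can route to it before `pg_isready` succeeds. The commented `sub_path` mount suggests the data-directory layout of the postgres 18 image was a stumbling block; a one-line comment on the kept `mount_path` explaining why `/var/lib/postgresql` is mounted whole would save the next reader the same detour.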