Added forgejo deployment
parent
b78877b5f7
commit
37d9b0e271
4 changed files with 119 additions and 1 deletions
15
Makefile
15
Makefile
|
|
@ -53,6 +53,19 @@ db-shell: ## Open psql shell on gitea-db primary
|
|||
db-logs: ## Tail gitea-db primary logs
|
||||
$(KUBECTL) logs -n databases -l cnpg.io/cluster=gitea-db -f --tail=50
|
||||
|
||||
##@ Forgejo database (railiance01 production forge)
|
||||
|
||||
forgejo-db-deploy: ## Apply forgejo-db cnpg Cluster + NetworkPolicies on railiance01
|
||||
$(KUBECTL) apply -f helm/forgejo-db-cluster.yaml
|
||||
$(KUBECTL) apply -f helm/forgejo-db-networkpolicies.yaml
|
||||
|
||||
forgejo-db-status: ## Show forgejo-db cnpg cluster health
|
||||
$(KUBECTL) cnpg status forgejo-db -n databases 2>/dev/null || \
|
||||
$(KUBECTL) get cluster forgejo-db -n databases -o wide
|
||||
|
||||
forgejo-db-shell: ## Open psql shell on forgejo-db primary
|
||||
$(KUBECTL) cnpg psql forgejo-db -n databases -- -U forgejo forgejo
|
||||
|
||||
##@ Shared apps-pg (S5 application databases)
|
||||
|
||||
apps-pg-deploy: ## Apply shared apps-pg cnpg Cluster + NetworkPolicies
|
||||
|
|
@ -342,4 +355,4 @@ help: ## Show this help
|
|||
/^[a-zA-Z_-]+:.*?##/ { printf " \033[36m%-22s\033[0m %s\n", $$1, $$2 } \
|
||||
/^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) }' $(MAKEFILE_LIST)
|
||||
|
||||
.PHONY: db-deploy db-status db-shell db-logs apps-pg-deploy apps-pg-status apps-pg-shell apps-pg-logs net-kingdom-pg-inter-hub-networkpolicy-deploy pg-deploy pg-status pg-pgpool-check valkey-deploy valkey-status openbao-repo openbao-dry-run openbao-overlay-apply openbao-verify-login-overlay openbao-deploy openbao-status openbao-verify openbao-verify-post-unseal openbao-configure-initial openbao-configure-ssh openbao-verify-ssh openbao-verify-authenticated openbao-configure-external-secrets-issue-core openbao-configure-external-secrets-activity-core openbao-validate-restore-evidence openbao-validate-emergency-evidence credential-grants-validate credential-change-applier-dry-run credential-change-applier-apply-plan credential-change-applier-apply credential-change-runbook credential-change-record-evidence credential-change-lifecycle-plan credential-change-lifecycle-event credential-change-import-inventory openbao-credential-change-appliers-dry-run openbao-configure-credential-change-appliers openbao-token-grants-dry-run openbao-configure-token-grants openbao-verify-token-grants-dry-run openbao-verify-token-grants openbao-verify-token-grants-smoke credential-helper-dry-run credential-tests credential-exec-ops-warden-smoke argocd-bootstrap-dry-run argocd-bootstrap-deploy argocd-repo-apply argocd-status backup help
|
||||
.PHONY: db-deploy db-status db-shell db-logs forgejo-db-deploy forgejo-db-status forgejo-db-shell apps-pg-deploy apps-pg-status apps-pg-shell apps-pg-logs net-kingdom-pg-inter-hub-networkpolicy-deploy pg-deploy pg-status pg-pgpool-check valkey-deploy valkey-status openbao-repo openbao-dry-run openbao-overlay-apply openbao-verify-login-overlay openbao-deploy openbao-status openbao-verify openbao-verify-post-unseal openbao-configure-initial openbao-configure-ssh openbao-verify-ssh openbao-verify-authenticated openbao-configure-external-secrets-issue-core openbao-configure-external-secrets-activity-core openbao-validate-restore-evidence openbao-validate-emergency-evidence credential-grants-validate credential-change-applier-dry-run credential-change-applier-apply-plan credential-change-applier-apply credential-change-runbook credential-change-record-evidence credential-change-lifecycle-plan credential-change-lifecycle-event credential-change-import-inventory openbao-credential-change-appliers-dry-run openbao-configure-credential-change-appliers openbao-token-grants-dry-run openbao-configure-token-grants openbao-verify-token-grants-dry-run openbao-verify-token-grants openbao-verify-token-grants-smoke credential-helper-dry-run credential-tests credential-exec-ops-warden-smoke argocd-bootstrap-dry-run argocd-bootstrap-deploy argocd-repo-apply argocd-status backup help
|
||||
|
|
|
|||
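Review bot: `forgejo-db-deploy` applies the Cluster manifest before the NetworkPolicies, so the forgejo-db pod can be created before any policy selects it; unless the `databases` namespace already carries a default-deny policy (not visible in this commit), the instance is unrestricted during that window. Swapping the two recipe lines closes it: `$(KUBECTL) apply -f helm/forgejo-db-networkpolicies.yaml` first, then `$(KUBECTL) apply -f helm/forgejo-db-cluster.yaml`. The recipe also never checks the `forgejo-db-credentials` Secret that helm/forgejo-db-cluster.yaml names as a pre-condition; a leading `$(KUBECTL) get secret forgejo-db-credentials -n databases >/dev/null` would make the target fail early rather than create a cluster that presumably stalls in bootstrap.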
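--- a/helm/forgejo-db-cluster.yaml
+++ b/helm/forgejo-db-cluster.yaml
@@ -0,0 +1,31 @@
+---
+# CNPG cluster for Forgejo (railiance01 production forge).
+# Managed by railiance-platform (S3). Operator: cnpg-system.
+#
+# Apply: KUBECONFIG=~/.kube/config-hosteurope make forgejo-db-deploy
+# Status: make forgejo-db-status
+#
+# Pre-condition: forgejo-db-credentials Secret in databases namespace.
+# See helm/forgejo-db-secret.sops.yaml.template
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+name: forgejo-db
+namespace: databases
+labels:
+app.kubernetes.io/name: forgejo-db
+app.kubernetes.io/component: database
+app.kubernetes.io/managed-by: manual
+railiance.io/layer: s3-platform
+railiance.io/consumer: forgejo
+spec:
+instances: 1
+imageName: ghcr.io/cloudnative-pg/postgresql:16
+storage:
+size: 10Gi
+bootstrap:
+initdb:
+database: forgejo
+owner: forgejo
+secret:
+name: forgejo-db-credentials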
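Review bot: `imageName: ghcr.io/cloudnative-pg/postgresql:16` is a floating major-version tag, so the image that runs on the production forge depends on when a node pulls it and can change without any commit. Pin a specific minor release and ideally the digest, e.g. `imageName: ghcr.io/cloudnative-pg/postgresql:<16.x>@sha256:<digest>` (placeholders), so that upgrades are deliberate and reviewable. `instances: 1` with no `backup:` stanza also means this manifest on its own provides neither a replica nor a restore path; if backups are handled elsewhere (the Makefile does list a `backup` target), a comment saying so would help.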
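--- a/helm/forgejo-db-networkpolicies.yaml
+++ b/helm/forgejo-db-networkpolicies.yaml
@@ -0,0 +1,61 @@
+---
+# NetworkPolicies for forgejo-db CNPG cluster on railiance01.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: allow-egress-kube-api-forgejo-db
+namespace: databases
+spec:
+podSelector:
+matchLabels:
+cnpg.io/cluster: forgejo-db
+policyTypes:
+- Egress
+egress:
+- ports:
+- port: 6443
+protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: allow-ingress-from-cnpg-operator-forgejo-db
+namespace: databases
+spec:
+podSelector:
+matchLabels:
+cnpg.io/cluster: forgejo-db
+policyTypes:
+- Ingress
+ingress:
+- from:
+- namespaceSelector:
+matchLabels:
+kubernetes.io/metadata.name: cnpg-system
+ports:
+- port: 5432
+protocol: TCP
+- port: 8000
+protocol: TCP
+- port: 9187
+protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: allow-ingress-from-forgejo-forgejo-db
+namespace: databases
+spec:
+podSelector:
+matchLabels:
+cnpg.io/cluster: forgejo-db
+policyTypes:
+- Ingress
+ingress:
+- from:
+- namespaceSelector:
+matchLabels:
+kubernetes.io/metadata.name: forgejo
+ports:
+- port: 5432
+protocol: TCP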
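Review bot: The egress rule in `allow-egress-kube-api-forgejo-db` lists only `ports` and no `to:` peers, so it permits TCP 6443 to any destination rather than only the Kubernetes API server the policy name refers to. Adding `to: [{ipBlock: {cidr: <KUBE_API_SERVER_IP>/32}}]` alongside `ports` (placeholder; the address a policy has to match depends on the CNI) keeps the database pods from opening connections elsewhere on that port. Both ingress policies admit a whole namespace; pairing each `namespaceSelector` with a `podSelector` in the same `from` entry (for the operator, `app.kubernetes.io/name: cloudnative-pg` in a default install; for Forgejo, whatever label its pods carry, which is not shown here) would limit 5432 to the workloads that need it. Port 9187 is also opened to `cnpg-system`; if that is meant for metrics scraping, the source should presumably be the monitoring namespace instead.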
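--- a/helm/forgejo-db-secret.sops.yaml.template
+++ b/helm/forgejo-db-secret.sops.yaml.template
@@ -0,0 +1,13 @@
+# Template for forgejo-db-credentials (databases namespace).
+# Encrypt: sops -e -i helm/forgejo-db-secret.sops.yaml
+# Apply: KUBECONFIG=~/.kube/config-hosteurope kubectl apply -f <(sops -d helm/forgejo-db-secret.sops.yaml)
+---
+apiVersion: v1
+kind: Secret
+metadata:
+name: forgejo-db-credentials
+namespace: databases
+type: kubernetes.io/basic-auth
+stringData:
+username: forgejo
+password: REPLACE_WITH_PASSWORD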
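Review bot: The header gives the encrypt and apply commands but not the step that creates `helm/forgejo-db-secret.sops.yaml` from this template, and nothing states that the file holds the plaintext password until `sops -e -i` has run. I would add comment lines such as `# Create: cp helm/forgejo-db-secret.sops.yaml.template helm/forgejo-db-secret.sops.yaml, then replace REPLACE_WITH_PASSWORD with a generated value` and `# Do not commit the .sops.yaml file unencrypted; check with: grep -q '^sops:' helm/forgejo-db-secret.sops.yaml`. Whether a `.sops.yaml` creation rule or a pre-commit check already covers this cannot be seen from the commit.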