Add incngrnt website along with gitea runner to build it

2025-03-16 19:05:50 -06:00 · 2025-03-16 19:05:50 -06:00 · 38a6ee61c9
commit 38a6ee61c9
parent 2830ed72c1
10 changed files with 65 additions and 33 deletions
--- a/README.md
+++ b/README.md
@ -115,6 +115,15 @@ PGPASSWORD=$(kubectl -n datastore get secrets  "postgres-pguser-grant" -o go-tem
 kubectl -n datastore exec -it "$PRIMARY_POD" -- psql -c 'DROP DATABASE gitea;'
 kubectl -n datastore exec -it "$PRIMARY_POD" -- createdb --encoding=UTF8 --locale=C --template=template0 --owner=gitea gitea
 ```
+create runner token 
+```sh
+kubectl exec -it <pod> -- gitea --config /data/gitea/conf/app.ini actions generate-runner-token
+kubectl create secret generic gitea-runner-token --from-literal=token='<token>'
+```
+allow priviledge pods
+```sh
+kubectl label namespace gitea pod-security.kubernetes.io/enforce=privileged
+```

 #### Ghost Blogs
 I got tired of fighting the docker container so I manually overrode the `config.production.json`
--- a/gitea/ssh_ingress.yaml
+++ b/gitea/ssh_ingress.yaml
--- a/gitea/values.yaml
+++ b/gitea/values.yaml
@ -38,6 +38,7 @@ gitea:

 strategy:
  type: Recreate
+
 ingress:
  enabled: true
  hosts:
@ -54,7 +55,11 @@ service:
    port: 22
    clusterIP:
      
-  
+actions:
+  enabled: true
+  existingSecret: gitea-runner-token
+  existingSecretKey: token
+ 
 redis:
  enabled: true
 redis-cluster:
--- a/helmfile.lock
+++ b/helmfile.lock
@ -14,7 +14,7 @@ dependencies:
  version: 11.0.0
 - name: grafana
  repository: https://grafana.github.io/helm-charts
-  version: 8.10.3
+  version: 8.10.4
 - name: k8up
  repository: https://k8up-io.github.io/k8up
  version: 4.8.4
@ -42,11 +42,14 @@ dependencies:
 - name: rook-ceph-cluster
  repository: https://charts.rook.io/release
  version: v1.16.5
+- name: static-site
+  repository: git+https://github.com/cfpb/static-site@charts?ref=main
+  version: 0.1.1
 - name: tailscale-operator
  repository: https://pkgs.tailscale.com/helmcharts
  version: 1.80.3
 - name: traefik
  repository: https://traefik.github.io/charts
  version: 34.4.1
-digest: sha256:b28767f0ec4d8549e0b1de7446f3468555a2a67bf88d2b554e9a12c2de723d2d
-generated: "2025-03-15T14:34:49.001292746-06:00"
+digest: sha256:256e38bc7feb044a2b643abcc7f3fa2efbdfc7bad65647543be1917abde8b709
+generated: "2025-03-16T18:36:00.677364313-06:00"
--- a/helmfile.yaml
+++ b/helmfile.yaml
@ -23,6 +23,9 @@ repositories:
    url: https://grafana.github.io/helm-charts
  - name: prometheus-community
    url: https://prometheus-community.github.io/helm-charts
+  - name: static-site
+    url: git+https://github.com/cfpb/static-site@charts?ref=main
+
 releases:
  # networking
  - name: metallb
@ -145,6 +148,13 @@ releases:
      - name: adminApiSharedSecret
        value: {{ requiredEnv "GOATCHAT_REGISTRATION_ADMIN_API_SHARE_SECRET"}}

+  # website
+  - name: incngrnt-web
+    namespace: incngrnt-web
+    createNamespace: true
+    chart: static-site/static-site
+    values:
+      - incngrnt-web/values.yaml
  # ghost blogs
  - name: kgnot-ghost
    namespace: ghost
--- a/incngrnt-web/values.yaml
+++ b/incngrnt-web/values.yaml
@ -0,0 +1,14 @@
+init:
+  method: wget
+  wget:
+    url: https://git.incngrnt.ca/grant/incngrnt/releases/download/v0.0.7/v0.0.7.tar
+
+ingress:
+  enabled: true
+  annotations:
+    "traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"  
+  hosts:
+    - host: incngrnt.ca
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
--- a/rook-ceph-cluster/middleware.yaml
+++ b/rook-ceph-cluster/middleware.yaml
@ -0,0 +1,8 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: ceph-stripprefix
+spec:
+  stripPrefix:
+    prefixes:
+      - /fog/ceph
--- a/rook-ceph-cluster/route.yaml
+++ b/rook-ceph-cluster/route.yaml
@ -1,28 +0,0 @@
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: rook-ceph-mgr-dashboard
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`fog.goatchat.ca`) && PathPrefix(`/fog/ceph`)
-    kind: Rule
-    middlewares:
-     - name: ceph-stripprefix
-    services:
-    - kind: Service
-      name: rook-ceph-mgr-dashboard
-      port: 7000
-  tls:
-    certResolver: letsencrypt
-
---
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: ceph-stripprefix
-spec:
-  stripPrefix:
-    prefixes:
-      - /fog/ceph
--- a/rook-ceph-cluster/values.yaml
+++ b/rook-ceph-cluster/values.yaml
@ -25,6 +25,17 @@ cephClusterSpec:
        memory: 256Mi
      limits:
        cpu: "1"
+
+ingress:
+  dashboard:
+      host:
+        name: fog.incngrnt.ca
+        path: /fog/ceph
+        pathType: Prefix
+      annotations:
+        "traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"
+        "traefik.ingress.kubernetes.io/router.middlewares": "rook-ceph-ceph-stripprefix@kubernetescrd"
+
 cephFileSystems:
  - name: ceph-filesystem
    # see https://github.com/rook/rook/blob/master/Documentation/ceph-filesystem-crd.md#filesystem-settings for available configuration
--- a/traefik/values.yaml
+++ b/traefik/values.yaml
@ -36,7 +36,7 @@ service:
 ingressRoute:
  dashboard:
    enabled: true
-    matchRule: Host(`fog.goatchat.ca`) && (PathPrefix(`/fog/traefik/dashboard`) || PathPrefix(`/fog/traefik/api`))
+    matchRule: Host(`fog.incngrnt.ca`) && (PathPrefix(`/fog/traefik/dashboard`) || PathPrefix(`/fog/traefik/api`))
    entryPoints: ["websecure"]
    middlewares:
      - name: traefik-dashboard-auth