init

gitea/deployment.yml

@@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gitea
+  labels:
+    app: gitea
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: gitea
+  template:
+    metadata:
+      labels:
+        app: gitea
+    spec:
+      containers:
+        - name: gitea
+          image: registry.hub.docker.com/gitea/gitea:latest
+          imagePullPolicy: Always
+          ports:
+            - name: web
+              containerPort: 3000
+          volumeMounts:
+            - name: gitea-data
+              mountPath: /data  
+      volumes:
+        - name: gitea-data
+          persistentVolumeClaim:
+            claimName: gitea-storage

gitea/service.yml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitea
+
+spec:
+  ports:
+    - name: web
+      port: 3000
+      targetPort: web
+
+  selector:
+    app: gitea
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: gitea-ingress
+spec:
+  rules:
+    - host: gitea.k8s.example.com
+      http:
+        paths:
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              name: gitea
+              port:
+                number: 3000

gitea/storage.yml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gitea-storage
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 4Gi

hello-world/deployment.yml

@@ -0,0 +1,23 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: hello-world
+  labels:
+    app: hello-world
+
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: hello-world
+  template:
+    metadata:
+      labels:
+        app: hello-world
+    spec:
+      containers:
+        - name: hello-world
+          image: registry.hub.docker.com/lmmendes/http-hello-world
+          ports:
+            - name: web
+              containerPort: 80

hello-world/service.yml

@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: hello-world
+
+spec:
+  ports:
+    - name: web
+      port: 80
+      targetPort: web
+
+  selector:
+    app: hello-world
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: hello-world-ingress
+spec:
+  ingressClassName: traefik
+  rules:
+  - host: hello-world.k8s.example.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: hello-world
+            port:
+              name: web

runner/config.yml

@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gitea-runner
+data:
+  config: |
+    log:
+      level: info
+    runner:
+      # Where to store the registration result.
+      file: /data/.runner
+      # Execute how many tasks concurrently at the same time.
+      capacity: 1
+      # Extra environment variables to run jobs.
+      envs:
+        ACT_RUNNER_SEC: test-runner-1
+      env_file: .env
+      timeout: 3h
+      insecure: true
+      fetch_timeout: 5s
+      fetch_interval: 3s
+      labels: []
+    cache:
+      enabled: false
+      dir: ""
+      host: ""
+      port: 0
+      external_server: ""
+    container:
+      network: ""
+      privileged: false
+      options:
+      workdir_parent:
+      valid_volumes: []
+      docker_host: ""
+      force_pull: false
+    host:
+      workdir_parent:

runner/deployment.yml

@@ -0,0 +1,75 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: gitea-runner
+spec:
+  serviceName: "gitea-runner-service"
+  selector:
+    matchLabels:
+      app: gitea-runner
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: gitea-runner
+    spec:
+      containers:
+        - name: gitea-runner-dind
+          securityContext:
+            privileged: true
+          image: docker:dind
+          env:
+            - name: DOCKER_DRIVER
+              value: "overlay2"
+            - name: DOCKER_TLS_CERTDIR
+              value: ""
+          volumeMounts:
+          - name: docker-socket
+            mountPath: "/var/run"
+        - name: gitea-runner
+          image: gitea/act_runner:nightly
+          env:
+            # FIXME: use secret
+            - name: GITEA_RUNNER_REGISTRATION_TOKEN
+              value: "MPAEFqYGNTXhkmgJFMyakT58epIpQMfxQ6d20yyb"
+            - name: GITEA_INSTANCE_URL
+              value: "http://gitea.k8s.example.com:30429/"
+            - name: CONFIG_FILE
+              value: "/config/config.yaml"
+          volumeMounts:
+          - name: config
+            mountPath: "/config"
+            readOnly: true
+          - name: runner-data
+            mountPath: "/data"
+          - name: docker-socket
+            mountPath: "/var/run"
+          # FIXME: use socat
+          startupProbe:
+            exec:
+              command: ["/bin/sh", "-c", "sleep 10"]
+            timeoutSeconds: 12
+      volumes:
+        - name: config
+          configMap:
+            name: gitea-runner
+            items:
+            - key: "config"
+              path: "config.yaml"
+  volumeClaimTemplates:
+  - metadata:
+      name: runner-data
+    spec:
+      accessModes: 
+        - "ReadWriteOncePod"
+      resources:
+        requests:
+          storage: 256Mi
+  - metadata:
+      name: docker-socket
+    spec:
+      accessModes: 
+        - "ReadWriteOncePod"
+      resources:
+        requests:
+          storage: 256Mi

runner/storage.yml

@@ -0,0 +1,11 @@
+# runner cache
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gitea-runner-storage
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 4Gi

traefik/config.yml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: traefik
+data:
+  config: |
+    api:
+      insecure: true
+      dashboard: true
+
+    ping: {}
+
+    providers:
+      kubernetesingress: {}
+
+    entryPoints:
+      web:
+        address: :80
+        http:
+        #   redirections:
+        #     entryPoint:
+        #       to: websecure
+        #       scheme: https
+        #       permanent: false
+        # http3: {}
+      websecure:
+        address: :443
+        http2: 
+          maxConcurrentStreams: 16      
+        http3: {}

traefik/deployment.yml

@@ -0,0 +1,49 @@
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+  name: traefik
+  labels:
+    app: traefik
+spec:
+  selector:
+    matchLabels:
+      name: traefik
+  template:
+    metadata:
+      labels:
+        k8s-app: traefik
+        name: traefik
+    spec:
+      serviceAccountName: traefik-account
+      terminationGracePeriodSeconds: 60
+      containers:
+      - image: traefik:v3.0
+        name: traefik
+        ports:
+        - name: web
+          containerPort: 80
+          hostPort: 80
+        - name: dashboard
+          containerPort: 8080
+          # hostPort: 8080
+        volumeMounts:
+        - name: config
+          mountPath: "/config"
+          readOnly: true
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+            add:
+            - NET_BIND_SERVICE
+        args:
+        - --api.insecure
+        # - --providers.kubernetesingress
+        - --configFile=/config/traefik.yaml
+      volumes:
+        - name: config
+          configMap:
+            name: traefik
+            items:
+            - key: "config"
+              path: "traefik.yaml"

traefik/role.yml

@@ -0,0 +1,52 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: traefik-role
+
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingresses
+      - ingressclasses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: traefik-account
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: traefik-role-binding
+
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: traefik-role
+subjects:
+  - kind: ServiceAccount
+    name: traefik-account
+    namespace: default