279cd0d19f
Extract domain, ingress class, TLS issuer, storage classes, S3 endpoints, backup toggles, and forgejo node selector into env-data values. Each prototype's app-data declares its subdomain alongside namespace; templates compute host as <subdomain>.<cluster.domain>. Schema is shape-only with safe defaults; production env-data sets values explicitly. Backup CronJobs and external-secret prechecks gate on backups.enabled and ocis.s3.external. Adds mkcert ClusterIssuer + precheck Job for local-dev TLS, gated on cluster.tls.issuer == "mkcert". forgejo argocd-deploy-key Job: REPO_URL/FORGEJO_URL moved to container env vars to keep the script ytt-templatable; runtime behavior unchanged. Production render verified byte-identical (excluding the deploy-key Job env-var refactor and chart-volatile UUID ConfigMaps).
117 lines
4.5 KiB
YAML
117 lines
4.5 KiB
YAML
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
annotations:
|
|
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
|
argocd.argoproj.io/sync-options: Replace=true,Force=true
|
|
argocd.argoproj.io/sync-wave: "1"
|
|
name: argocd-deploy-key-init
|
|
namespace: forgejo
|
|
spec:
|
|
template:
|
|
spec:
|
|
containers:
|
|
- command:
|
|
- sh
|
|
- -c
|
|
- |
|
|
set -e
|
|
|
|
ARGOCD_NS="argocd"
|
|
REPO_SECRET="forgejo-repo"
|
|
REPO_OWNER="gitea_admin"
|
|
REPO_NAME="k8s-and-chill"
|
|
|
|
# Check if ArgoCD repo secret already exists
|
|
if kubectl get secret "${REPO_SECRET}" -n "${ARGOCD_NS}" >/dev/null 2>&1; then
|
|
echo "Secret ${REPO_SECRET} already exists in ${ARGOCD_NS}, skipping"
|
|
exit 0
|
|
fi
|
|
|
|
# Wait for mittwald to populate the keypair and admin secrets
|
|
echo "Waiting for forgejo-repo-keypair to be populated..."
|
|
for i in $(seq 1 60); do
|
|
PRIV_B64=$(kubectl get secret forgejo-repo-keypair -n "${NAMESPACE}" -o jsonpath='{.data.ssh-privatekey}' 2>/dev/null || true)
|
|
PUB_B64=$(kubectl get secret forgejo-repo-keypair -n "${NAMESPACE}" -o jsonpath='{.data.ssh-publickey}' 2>/dev/null || true)
|
|
if [ -n "${PRIV_B64}" ] && [ -n "${PUB_B64}" ]; then
|
|
break
|
|
fi
|
|
if [ "$i" -eq 60 ]; then
|
|
echo "forgejo-repo-keypair was not populated in time"
|
|
exit 1
|
|
fi
|
|
sleep 5
|
|
done
|
|
|
|
# Wait for Forgejo to be ready
|
|
echo "Waiting for Forgejo to be ready..."
|
|
for i in $(seq 1 60); do
|
|
if curl -sk "${FORGEJO_URL}/api/v1/version" >/dev/null 2>&1; then
|
|
echo "Forgejo HTTPS is ready"
|
|
break
|
|
fi
|
|
if [ "$i" -eq 60 ]; then
|
|
echo "Forgejo did not become ready in time"
|
|
exit 1
|
|
fi
|
|
sleep 5
|
|
done
|
|
|
|
# Read admin credentials
|
|
ADMIN_USER=$(kubectl get secret forgejo-admin-secret -n "${NAMESPACE}" -o jsonpath='{.data.username}' | base64 -d)
|
|
ADMIN_PASS=$(kubectl get secret forgejo-admin-secret -n "${NAMESPACE}" -o jsonpath='{.data.password}' | base64 -d)
|
|
|
|
PRIVKEY=$(echo "${PRIV_B64}" | base64 -d)
|
|
PUBKEY=$(echo "${PUB_B64}" | base64 -d)
|
|
|
|
# Register deploy key via Forgejo API
|
|
echo "Registering deploy key..."
|
|
HTTP_CODE=$(curl -sk -o /tmp/response.json -w "%{http_code}" \
|
|
-X POST "${FORGEJO_URL}/api/v1/repos/${REPO_OWNER}/${REPO_NAME}/keys" \
|
|
-H "Content-Type: application/json" \
|
|
-u "${ADMIN_USER}:${ADMIN_PASS}" \
|
|
-d "{\"title\":\"argocd-deploy-key\",\"key\":\"${PUBKEY}\",\"read_only\":true}")
|
|
|
|
if [ "${HTTP_CODE}" = "201" ]; then
|
|
echo "Deploy key registered successfully"
|
|
elif [ "${HTTP_CODE}" = "422" ]; then
|
|
echo "Deploy key already exists in Forgejo (422), continuing"
|
|
else
|
|
echo "Failed to register deploy key: HTTP ${HTTP_CODE}"
|
|
cat /tmp/response.json
|
|
exit 1
|
|
fi
|
|
|
|
# Create ArgoCD repository secret with insecure flag (skip host key verification)
|
|
cat <<EOSECRET | kubectl apply -f -
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: ${REPO_SECRET}
|
|
namespace: ${ARGOCD_NS}
|
|
labels:
|
|
argocd.argoproj.io/secret-type: repository
|
|
stringData:
|
|
type: git
|
|
url: "${REPO_URL}"
|
|
insecure: "true"
|
|
sshPrivateKey: |
|
|
$(echo "${PRIVKEY}" | sed 's/^/ /')
|
|
EOSECRET
|
|
|
|
echo "Created ArgoCD repository secret ${REPO_SECRET} in ${ARGOCD_NS}"
|
|
env:
|
|
- name: NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
- name: REPO_URL
|
|
value: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
|
- name: FORGEJO_URL
|
|
value: https://git.tr1ceracop.de
|
|
image: alpine/k8s:1.32.3
|
|
name: init
|
|
restartPolicy: OnFailure
|
|
serviceAccountName: argocd-deploy-key-init
|
|
ttlSecondsAfterFinished: 300
|