git-pages helm chart

git-pages/templates/NOTES.txt

@@ -0,0 +1,16 @@
+git-pages installed.
+
+See docs/secrets.md for secret prerequisites (K8s + Gitea Actions).
+
+Install:
+  helm upgrade --install git-pages ./git-pages -n {{ .Release.Namespace }} -f dev-values.yaml
+
+Host:     https://{{ .Values.ingress.host }}
+Reports:  https://{{ .Values.ingress.host }}/{owner}/{repo}/reports/{sha8}/index.html
+
+Publish (CI):
+  PATCH https://{{ .Values.ingress.host }}/
+  Authorization: Basic publish:<GIT_PAGES_PUBLISH_TOKEN>
+
+Upgrade:   helm upgrade {{ .Release.Name }} ./git-pages -n {{ .Release.Namespace }} -f dev-values.yaml
+Uninstall: helm uninstall {{ .Release.Name }} -n {{ .Release.Namespace }}

git-pages/templates/_helpers.tpl

@@ -0,0 +1,39 @@
+{{- define "git-pages.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "git-pages.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "git-pages.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "git-pages.labels" -}}
+helm.sh/chart: {{ include "git-pages.chart" . }}
+{{ include "git-pages.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{- define "git-pages.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "git-pages.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{- define "git-pages.componentLabels" -}}
+{{ include "git-pages.labels" . }}
+app.kubernetes.io/component: pages-server
+{{- end }}

git-pages/templates/certificate.yaml

@@ -0,0 +1,15 @@
+{{- if and .Values.ingress.enabled .Values.certificate.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "git-pages.fullname" . }}-tls
+  labels:
+    {{- include "git-pages.componentLabels" . | nindent 4 }}
+spec:
+  secretName: git-pages-tls
+  dnsNames:
+    - {{ .Values.ingress.host | quote }}
+  issuerRef:
+    name: {{ .Values.certificate.issuerRef.name }}
+    kind: {{ .Values.certificate.issuerRef.kind }}
+{{- end }}

git-pages/templates/configmap.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "git-pages.fullname" . }}-config
+  labels:
+    {{- include "git-pages.componentLabels" . | nindent 4 }}
+data:
+  config.toml: |
+    log-format = "text"
+
+    [server]
+    pages = "tcp/:3000"
+    caddy = "-"
+    metrics = "tcp/:3002"
+
+    [storage]
+    type = "fs"
+
+    [storage.fs]
+    root = "/app/data"

git-pages/templates/deployment.yaml

@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "git-pages.fullname" . }}
+  labels:
+    {{- include "git-pages.componentLabels" . | nindent 4 }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "git-pages.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "git-pages.componentLabels" . | nindent 8 }}
+    spec:
+      securityContext:
+        fsGroup: 1000
+      containers:
+        - name: git-pages
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command:
+            - git-pages
+          args:
+            - -config
+            - /etc/git-pages/config.toml
+          {{- if .Values.pagesInsecure }}
+          env:
+            - name: PAGES_INSECURE
+              value: "1"
+          {{- end }}
+          ports:
+            - name: http
+              containerPort: 3000
+              protocol: TCP
+            - name: metrics
+              containerPort: 3002
+              protocol: TCP
+          volumeMounts:
+            - name: config
+              mountPath: /etc/git-pages
+              readOnly: true
+            {{- if .Values.persistence.enabled }}
+            - name: data
+              mountPath: /app/data
+            {{- end }}
+          readinessProbe:
+            tcpSocket:
+              port: http
+            initialDelaySeconds: 3
+            periodSeconds: 10
+          livenessProbe:
+            tcpSocket:
+              port: http
+            initialDelaySeconds: 10
+            periodSeconds: 20
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      volumes:
+        - name: config
+          configMap:
+            name: {{ include "git-pages.fullname" . }}-config
+        {{- if .Values.persistence.enabled }}
+        - name: data
+          persistentVolumeClaim:
+            claimName: {{ include "git-pages.fullname" . }}-data
+        {{- end }}

git-pages/templates/ingressroute.yaml

@@ -0,0 +1,48 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: {{ include "git-pages.fullname" . }}
+  labels:
+    {{- include "git-pages.componentLabels" . | nindent 4 }}
+spec:
+  entryPoints:
+    - {{ .Values.ingress.entryPoints.websecure }}
+  routes:
+    - match: >-
+        Host(`{{ .Values.ingress.host }}`) &&
+        (Method(`PATCH`) || Method(`PUT`))
+      kind: Rule
+      middlewares:
+        - name: {{ include "git-pages.fullname" . }}-publish-auth
+      services:
+        - name: {{ include "git-pages.fullname" . }}
+          port: {{ .Values.service.port }}
+    - match: Host(`{{ .Values.ingress.host }}`) && (Method(`GET`) || Method(`HEAD`))
+      kind: Rule
+      services:
+        - name: {{ include "git-pages.fullname" . }}
+          port: {{ .Values.service.port }}
+  tls:
+    secretName: git-pages-tls
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: {{ include "git-pages.fullname" . }}-http
+  labels:
+    {{- include "git-pages.componentLabels" . | nindent 4 }}
+spec:
+  entryPoints:
+    - {{ .Values.ingress.entryPoints.web }}
+  routes:
+    - match: >-
+        Host(`{{ .Values.ingress.host }}`) &&
+        !PathPrefix(`/.well-known/acme-challenge/`)
+      kind: Rule
+      middlewares:
+        - name: {{ include "git-pages.fullname" . }}-https-redirect
+      services:
+        - name: {{ include "git-pages.fullname" . }}
+          port: {{ .Values.service.port }}
+{{- end }}

git-pages/templates/middleware.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: {{ include "git-pages.fullname" . }}-publish-auth
+  labels:
+    {{- include "git-pages.componentLabels" . | nindent 4 }}
+spec:
+  basicAuth:
+    secret: git-pages-publish-auth
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: {{ include "git-pages.fullname" . }}-https-redirect
+  labels:
+    {{- include "git-pages.componentLabels" . | nindent 4 }}
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true
+{{- end }}

git-pages/templates/publish-auth-secret.yaml

@@ -0,0 +1,12 @@
+{{- if and .Values.publishAuth.create .Values.publishAuth.htpasswdUsers }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: git-pages-publish-auth
+  labels:
+    {{- include "git-pages.componentLabels" . | nindent 4 }}
+type: Opaque
+stringData:
+  users: |
+    {{ .Values.publishAuth.htpasswdUsers }}
+{{- end }}

git-pages/templates/pvc.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.persistence.enabled }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ include "git-pages.fullname" . }}-data
+  labels:
+    {{- include "git-pages.componentLabels" . | nindent 4 }}
+spec:
+  accessModes:
+    - {{ .Values.persistence.accessMode }}
+  {{- if .Values.persistence.storageClass }}
+  storageClassName: {{ .Values.persistence.storageClass | quote }}
+  {{- end }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.size }}
+{{- end }}

git-pages/templates/retention-configmap.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.persistence.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: git-pages-retention
+  labels:
+    {{- include "git-pages.componentLabels" . | nindent 4 }}
+data:
+  retention.json: |
+    {{- .Values.retention.rules | toJson | nindent 4 }}
+  retention-cleanup.sh: |
+    {{- .Files.Get "files/retention-cleanup.sh" | nindent 4 }}
+  retention-run.sh: |
+    {{- .Files.Get "files/retention-run.sh" | nindent 4 }}
+{{- end }}

git-pages/templates/retention-cronjob.yaml

@@ -0,0 +1,78 @@
+{{- if .Values.persistence.enabled }}
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: git-pages-retention
+  labels:
+    {{- include "git-pages.componentLabels" . | nindent 4 }}
+spec:
+  schedule: {{ .Values.retention.schedule | quote }}
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      backoffLimit: 1
+      template:
+        metadata:
+          labels:
+            app.kubernetes.io/name: git-pages-retention
+            app.kubernetes.io/instance: {{ .Release.Name }}
+        spec:
+          serviceAccountName: git-pages-retention
+          restartPolicy: OnFailure
+          containers:
+            - name: retention
+              image: "{{ .Values.retention.image.repository }}:{{ .Values.retention.image.tag }}"
+              imagePullPolicy: {{ .Values.retention.image.pullPolicy }}
+              securityContext:
+                runAsUser: 0
+              command:
+                - bash
+                - -c
+                - |
+                  set -euo pipefail
+                  apt-get update -qq
+                  apt-get install -y --no-install-recommends curl jq >/dev/null
+                  chmod +x /scripts/retention-run.sh /scripts/retention-cleanup.sh
+                  /scripts/retention-run.sh
+              env:
+                - name: NAMESPACE
+                  value: {{ .Release.Namespace | quote }}
+                - name: DEPLOYMENT
+                  value: {{ include "git-pages.fullname" . | quote }}
+                - name: INSTANCE
+                  value: {{ .Release.Name | quote }}
+                - name: DATA_ROOT
+                  value: /app/data
+                - name: RETENTION_CONFIG
+                  value: /etc/retention/retention.json
+                - name: GITEA_API_URL
+                  value: {{ required "retention.giteaApiUrl is required" .Values.retention.giteaApiUrl | quote }}
+                - name: GITEA_TOKEN
+                  valueFrom:
+                    secretKeyRef:
+                      name: git-pages-retention-gitea
+                      key: token
+              volumeMounts:
+                - name: data
+                  mountPath: /app/data
+                - name: scripts
+                  mountPath: /scripts
+                - name: config
+                  mountPath: /etc/retention
+          volumes:
+            - name: data
+              persistentVolumeClaim:
+                claimName: {{ include "git-pages.fullname" . }}-data
+            - name: scripts
+              configMap:
+                name: git-pages-retention
+                defaultMode: 0755
+            - name: config
+              configMap:
+                name: git-pages-retention
+                items:
+                  - key: retention.json
+                    path: retention.json
+{{- end }}

git-pages/templates/retention-rbac.yaml

@@ -0,0 +1,37 @@
+{{- if .Values.persistence.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: git-pages-retention
+  labels:
+    {{- include "git-pages.componentLabels" . | nindent 4 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: git-pages-retention
+  labels:
+    {{- include "git-pages.componentLabels" . | nindent 4 }}
+rules:
+  - apiGroups: ["apps"]
+    resources: ["deployments", "deployments/scale"]
+    verbs: ["get", "patch", "update"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: git-pages-retention
+  labels:
+    {{- include "git-pages.componentLabels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: git-pages-retention
+subjects:
+  - kind: ServiceAccount
+    name: git-pages-retention
+    namespace: {{ .Release.Namespace }}
+{{- end }}

git-pages/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "git-pages.fullname" . }}
+  labels:
+    {{- include "git-pages.componentLabels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  selector:
+    {{- include "git-pages.selectorLabels" . | nindent 4 }}
+  ports:
+    - name: http
+      port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP