admin/stonks-oracle
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ci: remove remaining ghcr-credentials from inttest seed/minio pod overrides

Browse Source
This commit is contained in:
Celes Renata
2026-04-19 06:45:46 +00:00
parent ebafe795c1
commit 2d40d70975
5 changed files with 334 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
infra/inttest/run_pipeline.sh
+2 -2
View File
@@ -343,7 +343,7 @@ if ! kubectl run seed-sandbox \
--image-pull-policy=Always \
--overrides='{
"spec": {
"imagePullSecrets": [{"name": "ghcr-credentials"}],
"securityContext": {"runAsNonRoot": true, "runAsUser": 1000, "runAsGroup": 1000}
}
}' \
@@ -375,7 +375,7 @@ if ! kubectl run seed-minio \
--image-pull-policy=Always \
--overrides='{
"spec": {
"imagePullSecrets": [{"name": "ghcr-credentials"}],
"securityContext": {"runAsNonRoot": true, "runAsUser": 1000, "runAsGroup": 1000}
}
}' \
pipelines/harbor/pvcs.yaml
+86
View File
@@ -0,0 +1,86 @@
# Harbor PersistentVolumeClaims — bind to NFS PVs
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: harbor-registry-pvc
namespace: harbor-service
labels:
app: harbor
component: registry
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 100Gi
storageClassName: ""
volumeName: harbor-registry-pv
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: harbor-jobservice-pvc
namespace: harbor-service
labels:
app: harbor
component: jobservice
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
storageClassName: ""
volumeName: harbor-jobservice-pv
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: harbor-database-pvc
namespace: harbor-service
labels:
app: harbor
component: database
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
storageClassName: ""
volumeName: harbor-database-pv
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: harbor-redis-pvc
namespace: harbor-service
labels:
app: harbor
component: redis
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
storageClassName: ""
volumeName: harbor-redis-pv
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: harbor-trivy-pvc
namespace: harbor-service
labels:
app: harbor
component: trivy
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
storageClassName: ""
volumeName: harbor-trivy-pv
pipelines/harbor/values.yaml
+100
View File
@@ -0,0 +1,100 @@
# Harbor Helm values — Stonks Oracle registry
# Domain: registry.celestium.life
# Ingress: Traefik with cert-manager (letsencrypt-prod)
# Storage: NFS PVs on 192.168.42.8
expose:
type: ingress
tls:
enabled: true
certSource: secret
secret:
secretName: harbor-tls
ingress:
hosts:
core: registry.celestium.life
controller: default
className: traefik
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
traefik.ingress.kubernetes.io/router.entrypoints: websecure
ingress.kubernetes.io/ssl-redirect: "true"
ingress.kubernetes.io/proxy-body-size: "0"
externalURL: https://registry.celestium.life
# Initial admin password — change after first login
harborAdminPassword: "St0nks0racl3!"
# Use internal database and redis (bundled with Harbor)
database:
type: internal
redis:
type: internal
persistence:
enabled: true
resourcePolicy: "keep"
persistentVolumeClaim:
registry:
existingClaim: harbor-registry-pvc
size: 100Gi
jobservice:
jobLog:
existingClaim: harbor-jobservice-pvc
size: 2Gi
database:
existingClaim: harbor-database-pvc
size: 5Gi
redis:
existingClaim: harbor-redis-pvc
size: 2Gi
trivy:
existingClaim: harbor-trivy-pvc
size: 5Gi
# Trivy vulnerability scanner
trivy:
enabled: true
# Metrics for Prometheus (optional, enable if you have monitoring)
metrics:
enabled: false
# Resource limits — conservative for a 4-node cluster
core:
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 1000m
memory: 512Mi
jobservice:
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
registry:
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 1000m
memory: 1Gi
portal:
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
cpu: 500m
memory: 256Mi
pipelines/pvs/harbor-pv.yaml
+87
View File
@@ -0,0 +1,87 @@
# Harbor NFS PersistentVolumes
# NFS path: nfs://192.168.42.8:/volume1/Kubernetes/harbor/data/<component>
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: harbor-registry-pv
labels:
app: harbor
component: registry
spec:
capacity:
storage: 100Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
nfs:
server: 192.168.42.8
path: /volume1/Kubernetes/harbor/data/registry
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: harbor-database-pv
labels:
app: harbor
component: database
spec:
capacity:
storage: 5Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
nfs:
server: 192.168.42.8
path: /volume1/Kubernetes/harbor/data/database
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: harbor-redis-pv
labels:
app: harbor
component: redis
spec:
capacity:
storage: 2Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
nfs:
server: 192.168.42.8
path: /volume1/Kubernetes/harbor/data/redis
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: harbor-jobservice-pv
labels:
app: harbor
component: jobservice
spec:
capacity:
storage: 2Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
nfs:
server: 192.168.42.8
path: /volume1/Kubernetes/harbor/data/jobservice
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: harbor-trivy-pv
labels:
app: harbor
component: trivy
spec:
capacity:
storage: 5Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
nfs:
server: 192.168.42.8
path: /volume1/Kubernetes/harbor/data/trivy
pipelines/runmefirst.sh
+59 -2
View File
@@ -15,7 +15,7 @@ GITEA_API="http://10.1.1.12:30300/api/v1"
# 1. Create namespaces
# -------------------------------------------------------
echo "--- Step 1: Creating namespaces ---"
for ns in woodpecker argocd kargo stonks-beta stonks-paper; do
for ns in woodpecker argocd kargo stonks-beta stonks-paper harbor-service; do
kubectl create namespace "$ns" --dry-run=client -o yaml | kubectl apply -f -
echo " ✓ namespace/$ns"
done
@@ -27,7 +27,7 @@ echo ""
echo "--- Step 2: Proxy CA cert and Kyverno policies ---"
CA_CERT_PATH="${SCRIPT_DIR}/home.crt"
curl -sf http://192.168.42.1/home.crt -o "$CA_CERT_PATH"
for ns in woodpecker argocd kargo; do
for ns in woodpecker argocd kargo harbor-service; do
if ! kubectl get configmap proxy-ca-cert -n "$ns" > /dev/null 2>&1; then
kubectl create configmap proxy-ca-cert --from-file=ca.crt="$CA_CERT_PATH" -n "$ns"
echo " ✓ proxy-ca-cert created in $ns"
@@ -55,9 +55,65 @@ echo "--- Step 3: Applying NFS PersistentVolumes ---"
kubectl apply -f pvs/argocd-pv.yaml
kubectl apply -f pvs/kargo-pv.yaml
kubectl apply -f pvs/woodpecker-pv.yaml
kubectl apply -f pvs/harbor-pv.yaml
echo " ✓ PVs applied"
echo ""
# -------------------------------------------------------
# 3b. Install Harbor container registry
# -------------------------------------------------------
echo "--- Step 3b: Installing Harbor ---"
kubectl create namespace harbor-service --dry-run=client -o yaml | kubectl apply -f -
# Remove old plain Docker Registry ingress (registry.celestium.life) if it exists
# Harbor will take over that domain
if kubectl get ingress registry-ingress -n git-server > /dev/null 2>&1; then
echo " Removing old registry ingress from git-server namespace..."
kubectl delete ingress registry-ingress -n git-server
echo " ✓ Old registry ingress removed"
fi
# Create NFS directories on the NAS (via a temporary pod)
echo " Ensuring NFS directories exist..."
ssh root@gremlin-1 "
mkdir -p /tmp/harbor-nfs-init
mount -t nfs 192.168.42.8:/volume1/Kubernetes/harbor /tmp/harbor-nfs-init 2>/dev/null || true
mkdir -p /tmp/harbor-nfs-init/data/registry
mkdir -p /tmp/harbor-nfs-init/data/database
mkdir -p /tmp/harbor-nfs-init/data/redis
mkdir -p /tmp/harbor-nfs-init/data/jobservice
mkdir -p /tmp/harbor-nfs-init/data/trivy
umount /tmp/harbor-nfs-init 2>/dev/null || true
rmdir /tmp/harbor-nfs-init 2>/dev/null || true
" 2>/dev/null || echo " ⚠ Could not create NFS dirs via SSH (non-fatal, they may already exist)"
# Apply PVCs
kubectl apply -f harbor/pvcs.yaml
echo " ✓ Harbor PVCs applied"
# Install/upgrade Harbor via Helm
helm repo add harbor https://helm.goharbor.io 2>/dev/null || true
helm repo update harbor 2>/dev/null || true
HARBOR_EXISTS=$(helm list -n harbor-service -q 2>/dev/null | grep -c harbor || true)
if [ "${HARBOR_EXISTS:-0}" -gt 0 ]; then
echo " Harbor already installed — upgrading..."
else
echo " Fresh Harbor install..."
fi
helm upgrade --install harbor harbor/harbor \
--namespace harbor-service \
--values harbor/values.yaml \
--timeout 10m \
--wait
echo " Waiting for Harbor core to be ready..."
kubectl wait --for=condition=ready pod -l app=harbor,component=core -n harbor-service --timeout=180s > /dev/null 2>&1 || true
echo " ✓ Harbor installed at https://registry.celestium.life"
echo " Default login: admin / St0nks0racl3!"
echo ""
# -------------------------------------------------------
# 4. Configure Gitea (admin user, repo, webhook config)
# -------------------------------------------------------
@@ -246,6 +302,7 @@ echo ""
echo "=== Pipeline Infrastructure Install Complete ==="
echo ""
echo "Endpoints:"
echo " Harbor: https://registry.celestium.life"
echo " Woodpecker CI: https://stonks-ci.celestium.life"
echo " ArgoCD: https://stonks-argocd.celestium.life"
echo " Kargo: https://stonks-kargo.celestium.life"