gitea_admin/deploy-app-kargo-private
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

initial prod: bootstrap apps only

Browse Source 
Bootstrap: cert-manager kargo kargo-infra-pipeline kargo-ci-pipeline kargo-test-env-pipeline kargo-credentials
Other apps arrive via Kargo promotion (dev → test → PR → prod)
This commit is contained in:
XoR
2026-03-11 10:01:35 +03:00
parent 4dd68859d8
commit 2ef96b3f49
16 changed files with 5 additions and 311 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
infra/argo-rollouts/config.yaml
View File

@@ -1,13 +0,0 @@
{
"name": "argo-rollouts",
"namespace": "argo-rollouts",
"step": "2",
"source": {
"repoURL": "https://argoproj.github.io/argo-helm",
"chart": "argo-rollouts",
"targetRevision": 2.40.6
},
"helm": {
"values": "dashboard:\n enabled: true\n"
}
}

10
infra/gitea-custom/config.yaml
View File

@@ -1,10 +0,0 @@
{
"name": "gitea-custom",
"namespace": "gitea",
"step": "6",
"source": {
"repoURL": "https://github.com/Kargones/deploy-app-kargo-private.git",
"path": "infra/gitea-custom/manifests",
"targetRevision": "main"
}
}

16
infra/gitea-custom/manifests/disable-cache.yaml
View File

@@ -1,16 +0,0 @@
# Override Gitea cache/session to use memory (no redis/valkey)
# Mount this ConfigMap as /data/gitea/conf/app.ini override
apiVersion: v1
kind: ConfigMap
metadata:
name: gitea-disable-cache
namespace: gitea
data:
_10-cache.ini: |
[cache]
ENABLED = false
ADAPTER = memory
INTERVAL = 0
[session]
PROVIDER = memory

13
infra/gitea/config.yaml
View File

@@ -1,13 +0,0 @@
{
"name": "gitea",
"namespace": "gitea",
"step": "4",
"source": {
"repoURL": "https://dl.gitea.com/charts",
"chart": "gitea",
"targetRevision": "12.5.0"
},
"helm": {
"values": "gitea:\n admin:\n existingSecret: gitea-admin\n config:\n server:\n ROOT_URL: \"https://gitea.k3s.e2e.local\"\n DOMAIN: \"k3s.e2e.local\"\n SSH_DOMAIN: \"gitea.k3s.e2e.local\"\n SSH_PORT: 2222\n service:\n DISABLE_REGISTRATION: false\n actions:\n ENABLED: \"true\"\n cache:\n ENABLED: false\n ADAPTER: memory\n session:\n PROVIDER: memory\n\ningress:\n enabled: false\n\npostgresql:\n enabled: true\n image:\n repository: bitnamilegacy/postgresql\n tag: \"17\"\n\npostgresql-ha:\n enabled: false\n\nmemcached:\n enabled: false\n\nredis-cluster:\n enabled: false\n\nredis:\n enabled: false\n\nvalkey-cluster:\n enabled: false\n\nimage:\n rootless: false\n"
}
}

27
infra/gitea/values/secret-values.dev.enc.yaml
View File

@@ -1,27 +0,0 @@
# Gitea secrets for dev/test cluster
admin-password: ENC[AES256_GCM,data:Nh7IDhZbJxOYjat8JhRoWtQ=,iv:mDtUOdjiKxvTTKaWNQ6bUQ2rCbV9Ule25IN5AVBTrp0=,tag:FxMWUvu82HusjtPBmEtwcA==,type:str]
db-password: ENC[AES256_GCM,data:qRZjNRGr/oJVzYTz6Kv0sZ7Sbns=,iv:V03c8IrsLZzJck5ZqrXS46LydbGPtLBwkjjGQI0zkv4=,tag:pxDpAbekwwOw9yiqMwl2QA==,type:str]
sops:
age:
- recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdWFvNXF3QXpnbjFsbHhn
dmdnRmRwWnpkUVlRSHlEZXdXT2FoeVVVejFNCkZ0UGp5YWZ2TThEUnZPOVNqVjJR
S0lXSGxSSFF3ZWhUM2NMWW9MZUszZnMKLS0tIEowWHo5SUFMMDFNY1lWY3NuNnJN
OERJZklLT1RnSDc4VjdaQ0F3cVRTaGsKYIfYSv4In5YiGs2/KWX1oPqOoiUxwVUl
jROG2UecsSjhKq6XdX+KVYmcSKhy1ljPjHaL+t3MmSNE6+jJpMpDvQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUNzZSWE1NcTR1blQ5TWxH
N0k2YWNOdTA4WHZXQ3VlTHpWNVNuRm53S3dzCnZOR0gyWTVzams4SjdCZVpSMjdL
S2dqZTcvb3VtVE9JUWVlVU1QL1NaZ3MKLS0tIHdUZldWZWdIZ01VUWxLeEJDNmY0
aEV2U1JMaTFYRldjc1kwNHczd3gvM1kKEytPjCdNTG+8SFnQxh50XKfjAxa1xn0t
D3dj6yMfIfkgnp84pI9PY5hBweHrEcdeUwhPrkNY8dRuiShv4o4xTQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-11T06:57:04Z"
mac: ENC[AES256_GCM,data:LKIihGyIcUImsmRWgPhWQRBeaFiXdWgaMwlif+FPNdmy/LSRlwIqIN8KzwuMu1zAlNvl1SVOVZL7SgRe9rZHax5pIn+Qrb5B+cuFPZTyvl24VBlJ+l29x182CKhRnT1RDDA9D7do+y8bG+rjyJ6u5d/yYcMAYIH9+I4fS4uERQw=,iv:23M4i1uCpQzfWZIp2c4gGThOCGotS3eajdjItlAwh2Y=,tag:MoD7LbWCu5EGxPeliRDinQ==,type:str]
encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
version: 3.12.1

27
infra/gitea/values/secret-values.prod.enc.yaml
View File

@@ -1,27 +0,0 @@
# Gitea secrets for prod cluster
admin-password: ENC[AES256_GCM,data:4pXdFHPAXo9fnyEmAqDygucpGrOy,iv:Qa/fQvRoU8TXMlkSjlomwzOn0v1M/PJ606HZI+inRcQ=,tag:/fKGATm+rUSCUH+os12qlQ==,type:str]
db-password: ENC[AES256_GCM,data:lw3I+smG/1DaMFd2V98D7ENu6MB0g+e81A==,iv:DZmS4R2buArXMkO/Cjtp9gN9AqpTaVHs7NfqQFqciWY=,tag:OA9kzug/Mel6+GDlnYU/jA==,type:str]
sops:
age:
- recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCd2VUaHhQc0h4bmYwdmFy
WVJLS2dURWZnOUtCKzRoajB2RVI5U1ROOEVvCnV2VmxFTkhPNlErOE5SZzUyT0c1
VitrWFlJVUt5N2plMitWVjZPUHBmYU0KLS0tIFJVUnBBZjl6cWlRYUNiZSs1V0Q2
b1NBVnZydDVlY09LeHNpbkdsTzRNNmcKO9GFvLHIWTh/Aseuo3Z8FE47dE92MxJ6
p5OCsZRw+bpQfURStiyckaoMW8Of716uDIS3v1JaW8u4xm3e+lZXGg==
-----END AGE ENCRYPTED FILE-----
- recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoOUZjdlk4MU4yWGNPOEs4
ZkplUzlyV1lmQUxidHk3aDFhU1NOeElxeVU4CngxWS8vOTdUbEVNM2thMWgxNGRo
ZUlYdjVPTXFJWGtNWEJEa2V1dGhqSTgKLS0tIEI2V1hrWUVnRnovblhVQ2ROSENE
dXhwWXJJbnVBaFpraXJURERMR1lkUjQKFzaekfQFqg2cVT5gks4fXX26GtZu+M1F
g+pzNxpFVlzdrXiWrzjePshTVblVsxV8fKpUVoLYwwLOSILRzF3uwg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-11T06:57:04Z"
mac: ENC[AES256_GCM,data:qWDAgi9DeHnc4TfH2la54mKtkNRkO3ArfXJBxZ6D6yEk5nylMA+Fw3FBmsKuU+F1/JN7CQVHbez37jjOXDmoFUfGXunionqkaf4wYz/3duRjdm/ApTLLMAYaq1YHzp6XNF4x+1LBtp0RadK//wwhxXQHoYdui9IH2Ts5ALLjOzo=,iv:B86+ovgnit5oKxY1wgxvYBEhRmnjJiQ7GdveJAGytfA=,tag:QgVjYIvIgwXvfbTxiti1OA==,type:str]
encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
version: 3.12.1

10
infra/traefik-routes/config.yaml
View File

@@ -1,10 +0,0 @@
{
"name": "traefik-routes",
"namespace": "kube-system",
"step": "3",
"source": {
"repoURL": "https://github.com/Kargones/deploy-app-kargo-private.git",
"path": "infra/traefik-routes/manifests",
"targetRevision": "main"
}
}

41
infra/traefik-routes/manifests/gitea-ingress.yaml
View File

@@ -1,41 +0,0 @@
# Gitea HTTPS IngressRoute via Traefik
# Uses default TLS store (wildcard-tls from kube-system via TLSStore)
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: gitea-https
namespace: gitea
spec:
entryPoints:
- websecure
routes:
- match: HostRegexp(`gitea.k3s\..+\.local`)
kind: Rule
middlewares:
- name: sslheader
namespace: kube-system
- name: gitea-buffer-timeout
namespace: gitea
services:
- name: gitea-http
port: 3000
tls: {}
---
# HTTP → HTTPS redirect for Gitea
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: gitea-http-redirect
namespace: gitea
spec:
entryPoints:
- web
routes:
- match: HostRegexp(`gitea.k3s\..+\.local`)
kind: Rule
middlewares:
- name: redirect-https
namespace: kube-system
services:
- name: gitea-http
port: 3000

14
infra/traefik-routes/manifests/gitea-ssh.yaml
View File

@@ -1,14 +0,0 @@
# Gitea SSH access via Traefik TCP routing (port 2222)
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: gitea-ssh
namespace: gitea
spec:
entryPoints:
- ssh
routes:
- match: HostSNI(`*`)
services:
- name: gitea-ssh
port: 22

21
infra/traefik-routes/manifests/kargo-ingress.yaml
View File

@@ -1,21 +0,0 @@
# Kargo dashboard HTTPS IngressRoute
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: kargo-https
namespace: kargo
spec:
entryPoints:
- websecure
routes:
- match: HostRegexp(`kargo.k3s\..+\.local`)
kind: Rule
middlewares:
- name: kargo-tls-middleware
namespace: kargo
services:
- name: kargo-api
port: 443
scheme: https
serversTransport: kargo-skip-verify
tls: {}

8
infra/traefik-routes/manifests/kargo-transport.yaml
View File

@@ -1,8 +0,0 @@
# ServersTransport to skip TLS verification for Kargo backend (self-signed cert)
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
name: kargo-skip-verify
namespace: kargo
spec:
insecureSkipVerify: true

57
infra/traefik-routes/manifests/middlewares.yaml
View File

@@ -1,57 +0,0 @@
# HTTP → HTTPS redirect
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: redirect-https
namespace: kube-system
spec:
redirectScheme:
scheme: https
permanent: true
---
# Forward X-Forwarded-Proto header for backends behind TLS termination
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: sslheader
namespace: kube-system
spec:
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
---
# Gitea: buffer large requests (git push) + timeout for CI builds
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: gitea-buffer-timeout
namespace: gitea
spec:
buffering:
maxRequestBodyBytes: 0
maxResponseBodyBytes: 0
memRequestBodyBytes: 20971520
memResponseBodyBytes: 20971520
retryExpression: "IsNetworkError()"
---
# ArgoCD: X-Forwarded-Proto for TLS termination
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: argocd-tls-middleware
namespace: argocd
spec:
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
---
# Kargo: X-Forwarded-Proto for TLS termination
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: kargo-tls-middleware
namespace: kargo
spec:
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"

14
infra/traefik-routes/manifests/namespaces.yaml
View File

@@ -1,14 +0,0 @@
# Ensure namespaces exist for cross-namespace middleware references
apiVersion: v1
kind: Namespace
metadata:
name: gitea
labels:
name: gitea
---
apiVersion: v1
kind: Namespace
metadata:
name: kargo
labels:
name: kargo

10
infra/traefik-routes/manifests/tls-store.yaml
View File

@@ -1,10 +0,0 @@
# Default TLS store — uses wildcard-tls from kube-system as default cert.
# All IngressRoutes with tls: {} will use this certificate.
apiVersion: traefik.io/v1alpha1
kind: TLSStore
metadata:
name: default
namespace: kube-system
spec:
defaultCertificate:
secretName: wildcard-tls

19
infra/traefik-routes/manifests/traefik-dashboard.yaml
View File

@@ -1,19 +0,0 @@
# Traefik Dashboard IngressRoute
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard
namespace: kube-system
spec:
entryPoints:
- websecure
routes:
- match: HostRegexp(`traefik.k3s\..+\.local`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
kind: Rule
middlewares:
- name: sslheader
namespace: kube-system
services:
- name: api@internal
kind: TraefikService
tls: {}

16
kargo/credentials/ksops-generator.yaml
View File

@@ -1,11 +1,5 @@
# ksops generator: decrypts SOPS-encrypted K8s Secret manifests # ksops generator for PROD cluster
# ArgoCD repo-server must have ksops + sops + age installed # Replace ksops-generator.yaml on infra/stage/prod branch
#
# Dev cluster uses: *.dev.enc.yaml
# Prod cluster uses: *.prod.enc.yaml
#
# Which files to decrypt is controlled by the kustomization overlay
# in the cluster-specific branch (infra/stage/dev or infra/stage/prod)
apiVersion: viaduct.ai/v1 apiVersion: viaduct.ai/v1
kind: ksops kind: ksops
metadata: metadata:
@@ -15,6 +9,6 @@ metadata:
exec: exec:
path: ksops path: ksops
files: files:
- git-creds-infra.dev.enc.yaml - git-creds-infra.prod.enc.yaml
- git-creds-ci.dev.enc.yaml - git-creds-ci.prod.enc.yaml
- git-creds-test-env.dev.enc.yaml - git-creds-test-env.prod.enc.yaml