feat(main): rewrite and update pod setup

Use traefik instead of caddy; use variables where needed.
Stephan Lüscher 2024-04-29 11:00:32 +00:00
parent 2e8cc2f51a
commit 742f74eec2
No known key found for this signature in database
GPG key ID: 445779060FF3D3CF
2 changed files with 122 additions and 76 deletions


@ -1,41 +1,82 @@
# uBlue-OS forge podman deployment # uBlue-OS forge podman deployment
## variables will be replaces with envsubst when invoked via forge.sh
--- ---
apiVersion: v1 apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
name: ublue-os_forge name: ${FORGE_POD_NAME_REVERSE_PROXY}
labels:
traefik.enable: true
traefik.http.routers.traefik-dashboard.entrypoints: web,websecure
traefik.http.routers.traefik-dashboard.rule: Host(`traefik.${FORGE_DOMAIN_NAME}`)
traefik.http.services.traefik-dashboard.loadbalancer.server.port: 8080
traefik.http.routers.traefik-dashboard.service: api@internal
spec:
securityContext:
seLinuxOptions:
type: "container_runtime_t" # needed for podman.sock access
restartPolicy: OnFailure
volumes:
- name: podman-socket
hostPath:
path: /run/user/${FORGE_HOST_UID}/podman/podman.sock
type: Socket
- name: ublue-os_forge-certs-pvc
persistentVolumeClaim:
claimName: ublue-os_forge-certs
containers:
- name: traefik.${FORGE_DOMAIN_NAME}
image: traefik # will be built on pod start
resources:
limits:
memory: 128Mi
cpu: 200m
volumeMounts:
- mountPath: /var/run/podman.sock
name: podman-socket
readOnly: true
- mountPath: /certs
name: ublue-os_forge-certs-pvc
ports:
- containerPort: 80
hostPort: 80
protocol: TCP
- containerPort: 443
hostPort: 443
protocol: TCP
- containerPort: 8080
hostPort: 8080
protocol: TCP
initContainers:
- name: minica.${FORGE_DOMAIN_NAME}
image: minica
volumeMounts:
- mountPath: /certs
name: ublue-os_forge-certs-pvc
---
apiVersion: v1
kind: Pod
metadata:
name: ${FORGE_POD_NAME_REGISTRY}
labels:
traefik.enable: true
traefik.http.routers.registry.entryPoints: web,websecure
traefik.http.services.registry.loadbalancer.server.port: 5000
traefik.http.services.registry.loadbalancer.server.scheme: https
traefik.http.routers.registry.rule: Host(`registry.${FORGE_DOMAIN_NAME}`)
spec: spec:
restartPolicy: OnFailure restartPolicy: OnFailure
volumes: volumes:
- name: ublue-os_forge-certs-pvc - name: ublue-os_forge-certs-pvc
persistentVolumeClaim: persistentVolumeClaim:
claimName: ublue-os_forge-certs claimName: ublue-os_forge-certs
- name: ublue-os_forge-registry-pvc - name: ublue-os_forge-registry-pvc
persistentVolumeClaim: persistentVolumeClaim:
claimName: ublue-os_forge-registry claimName: ublue-os_forge-registry
- name: ublue-os_forge-semaphore-pvc
persistentVolumeClaim:
claimName: ublue-os_forge-semaphore
containers: containers:
- name: rvproxy.ublue.local - name: docker.${FORGE_DOMAIN_NAME}
image: rvproxy image: registry # will be built on pod start
resources:
limits:
memory: 128Mi
cpu: 200m
volumeMounts:
- mountPath: /certs
name: ublue-os_forge-certs-pvc
ports:
- containerPort: 443
hostPort: 443
protocol: TCP
- name: registry.ublue.local
image: registry
resources: resources:
limits: limits:
memory: 512Mi memory: 512Mi
@ -43,61 +84,44 @@ spec:
volumeMounts: volumeMounts:
- mountPath: /certs - mountPath: /certs
name: ublue-os_forge-certs-pvc name: ublue-os_forge-certs-pvc
subPath: _.ublue.local subPath: _.${FORGE_DOMAIN_NAME}
- mountPath: /var/lib/registry - mountPath: /var/lib/registry
name: ublue-os_forge-registry-pvc name: ublue-os_forge-registry-pvc
ports: ports:
- containerPort: 5000 - containerPort: 5000
protocol: TCP protocol: TCP
- name: semaphore.ublue.local ---
image: semaphore apiVersion: v1
resources: kind: Pod
limits: metadata:
memory: 512Mi name: ${FORGE_POD_NAME_SETUP}
cpu: 200m spec:
volumeMounts: restartPolicy: OnFailure
- mountPath: /var/lib/semaphore volumes:
name: ublue-os_forge-semaphore-pvc - name: ublue-os_forge-certs-pvc
- mountPath: /certs persistentVolumeClaim:
subPath: ssh claimName: ublue-os_forge-certs
name: ublue-os_forge-certs-pvc containers:
readOnly: true - name: ansible.${FORGE_DOMAIN_NAME}
ports: image: ansible # will be built on pod start
- containerPort: 3000
protocol: TCP
- name: setup.ublue.local
image: setup
volumeMounts: volumeMounts:
- mountPath: /certs - mountPath: /certs
name: ublue-os_forge-certs-pvc name: ublue-os_forge-certs-pvc
readOnly: true readOnly: true
env: env:
- name: ANSIBLE_FORGE_HOST_USER - name: ANSIBLE_HOST_USER
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: ublue-os_forge-secure name: ublue-os_forge-secure
key: ANSIBLE_FORGE_HOST_USER key: ANSIBLE_HOST_USER
- name: ANSIBLE_FORGE_HOST_BECOME_PASSWORD - name: ANSIBLE_HOST_BECOME_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: ublue-os_forge-secure name: ublue-os_forge-secure
key: ANSIBLE_FORGE_HOST_BECOME_PASSWORD key: ANSIBLE_HOST_BECOME_PASSWORD
workingDir: /ansible
command: command:
- ansible-playbook - ansible-playbook
args: args:
- main.yml - playbooks/configure_host.yml
resources:
limits:
memory: 512Mi
cpu: 200m
initContainers:
- name: minica.ublue.local
image: minica
volumeMounts:
- mountPath: /certs
name: ublue-os_forge-certs-pvc
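Review bot: The label values `traefik.enable: true` (reverse-proxy and registry pods), `...loadbalancer.server.port: 8080` and `...server.port: 5000` are parsed as a YAML boolean and integers, but Kubernetes-style label values are strings, so a loader that decodes into the k8s Pod types is likely to reject them (or retype them) before Traefik ever sees the labels; quote them as `traefik.enable: "true"`, `traefik.http.services.traefik-dashboard.loadbalancer.server.port: "8080"` and `traefik.http.services.registry.loadbalancer.server.port: "5000"` (the `entrypoints`/`entryPoints` spelling also differs between the two pods and is worth making consistent). Separately, the traefik container is handed the user's podman socket via the hostPath volume; `readOnly: true` on a socket mount does not restrict the API calls made over it, so that container effectively controls every other container of this user and should be treated as equivalent to the host session when reviewing what else it exposes. In that light, publishing `hostPort: 8080` on all interfaces while the dashboard is also routed through the `traefik-dashboard` router on `web,websecure` with `api@internal` looks redundant and worth dropping or binding to loopback (`hostIP: 127.0.0.1`), and limiting the dashboard router to `websecure` would keep it off the plaintext entrypoint; whether the built `traefik` image enables the insecure API on 8080 cannot be seen from this manifest, so confirm against the image build.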


@ -1,4 +1,13 @@
#!/bin/bash #!/bin/bash
# Variables
export FORGE_DOMAIN_NAME="ublue.local"
export FORGE_NETWORK_NAME="ublue-os_forge"
export FORGE_HOST_UID=$(id -u)
export FORGE_POD_CONFIGURATION="forge-pod.yml"
export FORGE_POD_NAME_PRE_AMBLE="ublue-os_forge-"
export FORGE_POD_NAME_REVERSE_PROXY=${FORGE_POD_NAME_PRE_AMBLE}rvproxy
export FORGE_POD_NAME_REGISTRY=${FORGE_POD_NAME_PRE_AMBLE}registry
export FORGE_POD_NAME_SETUP=${FORGE_POD_NAME_PRE_AMBLE}setup
# Functions # Functions
function setup { function setup {
@ -6,14 +15,16 @@ function setup {
check_prerequisites check_prerequisites
echo -e "${YELLOW}Creating secret configuration...${ENDCOLOR}" echo -e "${YELLOW}Creating secret configuration...${ENDCOLOR}"
create_secrets create_secrets
echo -e "${YELLOW}Creating podman network...${ENDCOLOR}"
create_network
echo -e "${YELLOW}Heating up forge for the first time...${ENDCOLOR}" echo -e "${YELLOW}Heating up forge for the first time...${ENDCOLOR}"
podman play kube forge-pod.yml --build --replace & PID_BUILD=$! cat ${FORGE_POD_CONFIGURATION} | envsubst | podman play kube --build --replace --network "${FORGE_NETWORK_NAME}" - & PID_BUILD=$!
wait ${PID_BUILD} wait ${PID_BUILD}
echo -e "${YELLOW}Configuring host system...${ENDCOLOR}" echo -e "${YELLOW}Configuring host system pre-requisites...${ENDCOLOR}"
configure_host & PID_CONFIG=$! configure_host_prerequisites & PID_CONFIG=$!
wait ${PID_CONFIG} wait ${PID_CONFIG}
echo -e "${YELLOW}Configuring forge...${ENDCOLOR}" echo -e "${YELLOW}Configuring host system...${ENDCOLOR}"
podman logs --color -f ublue-os_forge-setup.ublue.local podman logs --color --follow "${FORGE_POD_NAME_SETUP}-ansible.${FORGE_DOMAIN_NAME}"
echo "" echo ""
echo -e "${YELLOW}Cleaning up secrets...${ENDCOLOR}" echo -e "${YELLOW}Cleaning up secrets...${ENDCOLOR}"
delete_secrets delete_secrets
@ -23,17 +34,19 @@ function setup {
function up { function up {
echo -e "${YELLOW}Heating up forge...${ENDCOLOR}" echo -e "${YELLOW}Heating up forge...${ENDCOLOR}"
podman pod start ublue-os_forge podman pod start ${FORGE_POD_NAME_REVERSE_PROXY}
podman pod start ${FORGE_POD_NAME_REGISTRY}
echo -e "${GREEN}Done. Happy forging!${ENDCOLOR}" echo -e "${GREEN}Done. Happy forging!${ENDCOLOR}"
} }
function down { function down {
echo -e "${YELLOW}Cooling down forge...${ENDCOLOR}" echo -e "${YELLOW}Cooling down forge...${ENDCOLOR}"
podman pod stop ublue-os_forge --ignore podman pod stop "${FORGE_POD_NAME_REVERSE_PROXY}" --ignore
podman pod stop "${FORGE_POD_NAME_REGISTRY}" --ignore
echo -e "${GREEN}Done. Have a nice day${ENDCOLOR}" echo -e "${GREEN}Done. Have a nice day${ENDCOLOR}"
} }
function configure_host { function configure_host_prerequisites {
if [ ! -f ~/.config/.ublue-os_forge-host-setup-done ]; if [ ! -f ~/.config/.ublue-os_forge-host-setup-done ];
then then
echo "adding ssh public key to ~/.ssh/authorized_keys" echo "adding ssh public key to ~/.ssh/authorized_keys"
@ -46,7 +59,7 @@ function configure_host {
touch ~/.config/.ublue-os_forge-host-setup-done touch ~/.config/.ublue-os_forge-host-setup-done
echo "" echo ""
else else
echo "Host system already configured. Nothing to do..." echo "Host system pre-requisites already configured. Nothing to do..."
echo "" echo ""
fi fi
} }
@ -54,11 +67,11 @@ function configure_host {
function create_secrets { function create_secrets {
# Get user input # Get user input
echo -e "${YELLOW}Gathering user input${ENDCOLOR}" echo -e "${YELLOW}Gathering user input${ENDCOLOR}"
read -s -p "Enter sudo password for user $USER: " ANSIBLE_FORGE_HOST_BECOME_PASSWORD read -s -p "Enter sudo password for user $USER: " ANSIBLE_HOST_BECOME_PASSWORD
cat <<EOF | jq '.|map_values(@base64)' | podman secret create ublue-os_forge-secure - >/dev/null cat <<EOF | jq '.|map_values(@base64)' | podman secret create ublue-os_forge-secure - >/dev/null
{ {
"ANSIBLE_FORGE_HOST_USER": "$USER", "ANSIBLE_HOST_USER": "$USER",
"ANSIBLE_FORGE_HOST_BECOME_PASSWORD": "${ANSIBLE_FORGE_HOST_BECOME_PASSWORD}" "ANSIBLE_HOST_BECOME_PASSWORD": "${ANSIBLE_HOST_BECOME_PASSWORD}"
} }
EOF EOF
echo "" echo ""
@ -68,6 +81,15 @@ function delete_secrets {
podman secret rm ublue-os_forge-secure podman secret rm ublue-os_forge-secure
} }
function create_network {
if ! podman network inspect "${FORGE_NETWORK_NAME}" &>/dev/null; then
echo "Podman network ${FORGE_NETWORK_NAME} does not exist. Creating..."
podman network create "${FORGE_NETWORK_NAME}"
else
echo "Podman network ${FORGE_NETWORK_NAME} already exists."
fi
}
function check_prerequisites { function check_prerequisites {
echo -e "${YELLOW}Checking sshd service${ENDCOLOR}" echo -e "${YELLOW}Checking sshd service${ENDCOLOR}"
SSH_SERVICE_STATUS="$(systemctl is-active sshd)" SSH_SERVICE_STATUS="$(systemctl is-active sshd)"
@ -88,7 +110,7 @@ function check_prerequisites {
echo -e "${RED}Make sure to install it first.${ENDCOLOR}" echo -e "${RED}Make sure to install it first.${ENDCOLOR}"
exit 1 exit 1
else else
echo -e "${GREEN}podman is installed${SSH_SERVICE_STATUS}${ENDCOLOR}" echo -e "${GREEN}podman is installed${ENDCOLOR}"
echo "" echo ""
fi fi
echo -e "${YELLOW}Checking jq installation${ENDCOLOR}" echo -e "${YELLOW}Checking jq installation${ENDCOLOR}"
@ -99,14 +121,14 @@ function check_prerequisites {
echo -e "${RED}Make sure to install it first.${ENDCOLOR}" echo -e "${RED}Make sure to install it first.${ENDCOLOR}"
exit 1 exit 1
else else
echo -e "${GREEN}jq is installed${SSH_SERVICE_STATUS}${ENDCOLOR}" echo -e "${GREEN}jq is installed${ENDCOLOR}"
echo "" echo ""
fi fi
} }
function show_info { function show_info {
VOLUME_DIR="$(podman volume inspect ublue-os_forge-certs | jq -r '.[0].Mountpoint')" echo -e "${GREEN}uBlue forge reverse-proxy is available at: https://traefik.${FORGE_DOMAIN_NAME}${ENDCOLOR}"
echo -e "${GREEN}uBlue forge is available at: https://forge.ublue.local${ENDCOLOR}" echo -e "${GREEN}uBlue forge docker registry is available at: registry.${FORGE_DOMAIN_NAME}${ENDCOLOR}"
echo -e "${GREEN}To trust the certificate in your Browser of choice, make sure to import the root certificate from:${ENDCOLOR}" echo -e "${GREEN}To trust the certificate in your Browser of choice, make sure to import the root certificate from:${ENDCOLOR}"
echo -e "${GREEN}$HOME/Downloads/tls/ublue-os_forge-root.pem${ENDCOLOR}" echo -e "${GREEN}$HOME/Downloads/tls/ublue-os_forge-root.pem${ENDCOLOR}"
echo "" echo ""