Merge pull request 'add woodpecker-deployment' (#152) from woodpecker-deployment into main

Reviewed-on: #152
Reviewed-by: Tom Neuber <tomneuber@web.de>

app-files/apps.yaml

@@ -0,0 +1,30 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: woodpecker
+  namespace: argocd
+spec:
+  project: default
+  sources:
+    - chart: woodpecker
+      repoURL:  https://woodpecker-ci.org/
+      targetRevision: 1.6.0
+      helm:
+        releaseName: woodpecker
+        valueFiles:
+        - $values/woodpecker/values.yaml
+    - repoURL: https://git.ar21.de/yolokube/core-deployments.git
+      targetRevision: HEAD
+      ref: values
+    - repoURL: https://git.ar21.de/yolokube/core-deployments.git
+      targetRevision: HEAD
+      path: secrets
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: woodpecker
+  syncPolicy:
+    syncOptions:
+    - CreateNamespace=true
+    automated:
+      prune: false

woodpecker/secrets/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+generators:
+  - ./secret-generator.yaml

woodpecker/secrets/secret-generator.yaml

@@ -0,0 +1,10 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: secret-generator
+  annotations:
+    config.kubernetes.io/function: |
+      exec:
+        path: ksops
+files:
+  - ./secrets.enc.yaml

woodpecker/secrets/secrets.enc.yaml

@@ -0,0 +1,51 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: woodpecker-forgejo
+    namespace: woodpecker
+    labels:
+        app.kubernetes.io/instance: woodpecker
+type: Opaque
+data:
+    WOODPECKER_FORGEJO_CLIENT: ENC[AES256_GCM,data:zTcJ9+s6Oykd2ptkaM4/FTcIriF0BarmswUyDzvLIyeBQl7mvTktPKJaeK/RudFVzdgEJA==,iv:im64HVYag5cWwo3+wINzoHMbfaiAYu67GeNexm6ffsA=,tag:a1a6eUmjyRPOzX4r8m9iuQ==,type:str]
+    WOODPECKER_FORGEJO_SECRET: ENC[AES256_GCM,data:gYiC+ZYXeMGPgWnvaHHEs8pNq1UP3kFthryX346TNnM7+oJVKQjz+ufLlsKmradtH6W4ulHzmSBHByT2VHHH8uHItA+Qbs55twRL0w==,iv:4VaEMHf7K+2lEYZAMCTo+Ot018SNIzCNJs27RovaN+I=,tag:qMkWRopd4/4xGBFZk7PW/Q==,type:str]
+    WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:DokhZ7SJGOeHnTVmnwJgmXJngaoSBZjdCAQUE76bf/tyQJoBA8Sh4vGy3VgVORY3MQIF33glxm+VNvqFWxV6LYbOvfGlJgZ5R8435NBPXfZnG/+PEungX9vQpcDvIf8ffcgGpC/Z/f3QBRAV,iv:DyuzOYf/bvUUm8NT4+8dk2hEgyqeVxOJqmt0mKCw2SQ=,tag:pvKr0hZzM4cXMErTYRr2jg==,type:str]
+    WOODPECKER_PROMETHEUS_AUTH_TOKEN: ENC[AES256_GCM,data:yzYzatAWs3BO8C4rsq3KpTYrHagA0eUkSD6aOlSU8u0mfJeoVq1vTzR3lLo=,iv:bhaaf9CCSHLkhYgdsTvNlZD/FFQCL6FanhIgsaXLfOA=,tag:W+MXx47fRElZaTmsAoMvPw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1mraede6gqxkh2rkeq5fjrcflp7emenl2qn885asxvtx5erga2pdqujuexz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzakpwaHhhclQ5MU5BOVpO
+            eHY0WGF6bHlyaStxNW5WVGZIQzZnRVR3SVFrCjdrRjIzRjFheHZqdWpmYlFpODVo
+            RzBsd1llNk5JZEtFbCtuN3Nrd2lTejAKLS0tIEFxOU00aGVlM1U3S0tYdFJ5NnVH
+            U0h3czZCUUk5NDdlL1o1THJGSXdqMUUKA4bMrmS1o1yB+aGdUgUzWMGjfYaQ55UW
+            Em+FXnis5k+3eY18YplZs3rBRiiuSHjt4WOnrwOymn3TvGixS1nA2A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1s9nvc4rxj3kaj4apmzzn8fmjrudrvdhgu70rg04we9hyse5aadsq7kmckn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0WGlRZzJ4emVKazRtbGxk
+            SUs3R3J4aGpZV2EvVTllb2h4Tlh6NDd2QndBCnlxdUQ1L3BReHV3eTQ2OEh1bjNM
+            b3UzdjR5YlBqakN1aU9CanZrM0RqajQKLS0tIGFhVGVXSmRXbmhJVE1aOW0xYzV2
+            ZStBaHZxRDhzWTVnSHFBK3J4R3R5Z2cKg/yRNnsxy0Zrwi/dcNHTzjSHcQ9ZbipN
+            N1JKH1WCGdmZku3m/G0DSRdxP7yNs3rJBoOg63h632bWHKHj/pElsQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1z5wtjmk0jw0j9qz9k5rrnp30nzqxrl3v6wgl7eryvqus28zekp4qpx9jc2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlVkdsM01hVzhpaUVCYTk5
+            SXZTemJudWl6YlNnTnJiN1dIQkdlbnBZZ2o0CkFvNndWbXBNcUNkSkVmeGx2aVBJ
+            WkYxbHV0czBydWZpWnN6NFkwdm5aZVUKLS0tIEhNK0FLakVZMXNKRGdpYXd2WmQz
+            dGZrWWhwemxSdzdjNmF2UmdVWklJeEkKmLPdUb3KcgA61fMhhiaQxwcDx0kEdh0t
+            gMyW7MGzyCxkUjGxb/amuPJkq0/7MujpfHK8q0AgUztmqa6Tk02P9Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-10-04T17:19:41Z"
+    mac: ENC[AES256_GCM,data:oW62pLYPe4greXFb5rbyLhr29FltC1tcVsbwJd6x9HZ5Iz3JiLkHU49R4fObMBBt7gE/Dv+d+U5Ov/ucq3ulzvQdLffkzhIBilfHMCTksd8Dj41Q+I6mcedRnnFbPhyI2bVTivftotsbtPldYIl8PaWcmCRohM9Mjzf/TbWWrag=,iv:ZlmpKUWt0T06RaJdRJqqjeQaBoCgMhnpLcnydcgMCLI=,tag:Vgw7xuWVp/gnLNOD096z+w==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.0

woodpecker/values/values.yaml

@@ -0,0 +1,35 @@
+server:
+  ingress:
+    # -- Enable the ingress for the server component
+    enabled: true
+    # -- Add annotations to the ingress
+    annotations:
+    # kubernetes.io/ingress.class: nginx
+      kubernetes.io/tls-acme: "true"
+    hosts:
+      - host: woodpecker.ar21.de
+        paths:
+          - path: /
+            backend:
+              serviceName: woodpecker-svc
+              servicePort: 80
+    tls:
+      - hosts:
+        - woodpecker.ar21.de
+        secretName: woodpecker-tls-key
+  statefulSet:
+    replicaCount: 1
+  env:
+    WOODPECKER_ADMIN: 'aaron'
+    WOODPECKER_HOST: 'https://woodpecker.ar21.de'
+    WOODPECKER_OPEN: true
+    WOODPECKER_FORGEJO: true
+    WOODPECKER_FORGEJO_URL: 'https://git.ar21.de'
+  extraSecretNamesForEnvFrom:
+    - woodpecker-forgejo
+agent:
+  extraSecretNamesForEnvFrom:
+    - woodpecker-forgejo
+  replicaCount: 3
+  env:
+    WOODPECKER_MAX_WORKFLOWS: 2