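---
# Deployment: SSH git server (sshd) plus a CGit web UI sharing one repository PVC.
# Indentation restored; comments below flag the security-relevant settings a
# reviewer should be aware of. Keys and values otherwise unchanged.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: git-server
  namespace: cicd
  labels:
    app: git-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: git-server
  template:
    metadata:
      labels:
        app: git-server
    spec:
      # NOTE(review): no pod-level securityContext (seccompProfile,
      # readOnlyRootFilesystem) is set; both containers below run as UID 0.
      initContainers:
        - name: setup
          image: alpine:3.19
          # Copies authorized_keys from the Secret into a writable emptyDir so
          # sshd sees the 700/600 ownership it requires (UID 1000 = git user).
          # The copy is a one-time snapshot: updating the Secret has no effect
          # until the pod is recreated.
          command:
            - /bin/sh
            - -c
            - |
              # Setup SSH host keys directory
              mkdir -p /ssh-init
              chown -R 0:0 /ssh-init
              # Setup authorized_keys with correct ownership
              # The /ssh-git mount point IS the .ssh directory
              cp /ssh-keys-secret/authorized_keys /ssh-git/authorized_keys
              chown -R 1000:1000 /ssh-git
              chmod 700 /ssh-git
              chmod 600 /ssh-git/authorized_keys
          volumeMounts:
            - name: ssh-host-keys
              mountPath: /ssh-init
            - name: git-ssh-keys
              mountPath: /ssh-keys-secret
              readOnly: true
            - name: git-ssh-writable
              mountPath: /ssh-git
      containers:
        # Container 1: SSH Git Server
        - name: git-server
          image: registry.lan.buetow.org:30001/git-server:1.0
          imagePullPolicy: Always
          ports:
            - containerPort: 22
              name: ssh
              protocol: TCP
          volumeMounts:
            - name: repos
              mountPath: /repos
            - name: git-ssh-writable
              mountPath: /home/git/.ssh
              readOnly: true
            # /etc/ssh is an emptyDir, so host keys (presumably generated by the
            # image entrypoint — confirm) are new on every pod start. Clients
            # will see "host key changed" after each restart, which erodes the
            # value of host-key checking; persisting the keys (PVC or Secret)
            # would keep the server identity stable.
            - name: ssh-host-keys
              mountPath: /etc/ssh
          # Runs as root with SETUID/SETGID/SYS_CHROOT retained (sshd privilege
          # separation / chroot); all other capabilities are dropped.
          securityContext:
            runAsUser: 0
            runAsGroup: 0
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
              add: ["SYS_CHROOT", "SETGID", "SETUID"]
          resources:
            requests:
              cpu: 50m
              memory: 128Mi
            limits:
              cpu: 250m
              memory: 256Mi
        # Container 2: CGit Web UI
        - name: cgit
          # NOTE(review): ":latest" is a mutable tag, so each pull may yield a
          # different image; pinning a fixed tag or digest makes rollouts
          # reproducible and reviewable.
          image: joseluisq/alpine-cgit:latest
          command: ["/bin/sh", "-c"]
          # The sed strips "user nginx;", so nginx workers also run as root
          # rather than dropping to the nginx user. The fcgiwrap socket is made
          # world-writable; the exposure is limited to this container's
          # filesystem namespace but is wider than nginx needs.
          args:
            - |
              # Remove 'user nginx;' directive to avoid setgid errors when running as root
              sed -i 's/^user nginx;//' /etc/nginx/nginx.conf
              # Start fcgiwrap and set socket permissions for nginx user
              spawn-fcgi -s /var/run/fcgiwrap.sock -n -- /usr/bin/fcgiwrap &
              sleep 1
              chmod 666 /var/run/fcgiwrap.sock
              exec nginx -g 'daemon off;'
          ports:
            - containerPort: 80
              name: http
              protocol: TCP
          env:
            - name: CGIT_TITLE
              value: "f3s Git Repository Browser"
            - name: CGIT_DESC
              value: "Browse git repositories"
            # Quoted on purpose: env values must be strings, not YAML booleans.
            - name: USE_CUSTOM_CONFIG
              value: "true"
          volumeMounts:
            # Repositories are read-only here; only the SSH container writes.
            - name: repos
              mountPath: /repos
              readOnly: true
            - name: cgit-config
              mountPath: /etc/cgitrc
              subPath: cgitrc
              readOnly: true
          securityContext:
            runAsUser: 0
            runAsGroup: 0
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
              add: ["SETGID", "SETUID"]
          resources:
            requests:
              cpu: 50m
              memory: 128Mi
            limits:
              cpu: 250m
              memory: 256Mi
      volumes:
        - name: repos
          persistentVolumeClaim:
            claimName: git-server-pvc
        - name: git-ssh-keys
          secret:
            secretName: git-server-authorized-keys
            # Owner-read-only (octal 0400). Written in decimal so the value is
            # the same under YAML 1.1 and 1.2 parsers; a plain "0400" is octal
            # only in 1.1 and would be read as decimal 400 by 1.2 tooling.
            defaultMode: 256
        - name: git-ssh-writable
          emptyDir: {}
        - name: cgit-config
          configMap:
            name: cgit-config
        # Non-persistent: host keys do not survive pod recreation (see the
        # /etc/ssh mount above).
        - name: ssh-host-keys
          emptyDir: {}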