---
# Deployment "git-server" (namespace cicd): one pod with two containers that
# share the "repos" volume: an SSH git server (read-write) and a cgit web
# UI (read-only).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: git-server
  namespace: cicd
  labels:
    app: git-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: git-server
  template:
    metadata:
      labels:
        app: git-server
    spec:
      initContainers:
        # Prepares the shared "ssh-host-keys" emptyDir before sshd starts.
        # NOTE(review): no securityContext is set on this container, so it
        # runs with the image and runtime defaults rather than the
        # restrictions applied to the two main containers.
        - name: setup
          image: alpine:3.19
          command:
            - /bin/sh
            - -c
            - |
              mkdir -p /ssh-init
              chown -R 0:0 /ssh-init
          volumeMounts:
            - name: ssh-host-keys
              mountPath: /ssh-init
      containers:
        # Container 1: SSH Git Server
        # NOTE(review): "1.0" is a mutable tag and imagePullPolicy is Always,
        # so the image content can change between restarts; pinning by
        # digest (image@sha256:<digest>) would make rollouts reproducible.
        - name: git-server
          image: registry.lan.buetow.org:30001/git-server:1.0
          imagePullPolicy: Always
          ports:
            - name: ssh
              containerPort: 22
              protocol: TCP
          volumeMounts:
            - name: repos
              mountPath: /repos
            # Mounted through subPath: Kubernetes does not refresh subPath
            # mounts when the Secret changes, so removing a key from the
            # Secret takes effect only after the pod is restarted.
            - name: git-ssh-keys
              mountPath: /home/git/.ssh/authorized_keys
              subPath: authorized_keys
              readOnly: true
            # /etc/ssh is backed by an emptyDir, which is discarded when the
            # pod leaves the node. NOTE(review): if the image generates its
            # host keys here (presumably - verify), every reschedule changes
            # the server identity and clients see host-key-changed warnings;
            # a Secret-backed key would keep the identity stable.
            - name: ssh-host-keys
              mountPath: /etc/ssh
          # Runs as root, but with every capability dropped and no privilege
          # escalation.
          securityContext:
            runAsUser: 0
            runAsGroup: 0
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          resources:
            requests:
              cpu: 50m
              memory: 128Mi
            limits:
              cpu: 250m
              memory: 256Mi
        # Container 2: CGit Web UI
        # NOTE(review): ":latest" from a public image is unpinned; a version
        # tag or digest would stop unreviewed upstream changes from being
        # pulled on a restart.
        - name: cgit
          image: joseluisq/alpine-cgit:latest
          command:
            - /bin/sh
            - -c
          # The script removes nginx's "user" directive and starts fcgiwrap
          # without a user switch, so with runAsUser 0 below both nginx and
          # the cgit CGI run as UID 0. The in-place sed also means the root
          # filesystem must stay writable.
          args:
            - |
              # Remove 'user nginx;' directive to avoid setgid errors when running as root
              sed -i 's/^user nginx;//' /etc/nginx/nginx.conf
              spawn-fcgi -s /var/run/fcgiwrap.sock -n -- /usr/bin/fcgiwrap &
              exec nginx -g 'daemon off;'
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          env:
            - name: CGIT_TITLE
              value: 'f3s Git Repository Browser'
            - name: CGIT_DESC
              value: 'Browse git repositories'
            # Quoted so the value stays a string; env values must be strings.
            - name: USE_CUSTOM_CONFIG
              value: 'true'
          volumeMounts:
            # Read-only: the web UI cannot modify the repositories.
            - name: repos
              mountPath: /repos
              readOnly: true
            - name: cgit-config
              mountPath: /etc/cgitrc
              subPath: cgitrc
              readOnly: true
          # Root with all capabilities dropped except SETGID/SETUID.
          # NOTE(review): the "user nginx;" directive is stripped above, so
          # confirm these two capabilities are still needed.
          securityContext:
            runAsUser: 0
            runAsGroup: 0
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
              add:
                - SETGID
                - SETUID
          resources:
            requests:
              cpu: 50m
              memory: 128Mi
            limits:
              cpu: 250m
              memory: 256Mi
      volumes:
        - name: repos
          persistentVolumeClaim:
            claimName: git-server-pvc
        - name: git-ssh-keys
          secret:
            secretName: git-server-authorized-keys
            # Leading zero: read as octal (owner read-only, decimal 256) by
            # the YAML 1.1 parsing kubectl uses; a strict YAML 1.2 or JSON
            # toolchain would need the decimal form instead.
            defaultMode: 0400
        - name: cgit-config
          configMap:
            name: cgit-config
        - name: ssh-host-keys
          emptyDir: {}