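---
# Git server Deployment: an SSH git endpoint (container "git-server") plus a
# read-only CGit web UI with git-http-backend for HTTP clone/fetch (container "cgit").
# Both share the "repos" PVC; only the SSH container mounts it writable.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: git-server
  namespace: cicd
  labels:
    app: git-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: git-server
  template:
    metadata:
      labels:
        app: git-server
    spec:
      securityContext:
        # GID 33 matches the group ownership of the repo files (see chown in the init script).
        fsGroup: 33
        # Kernel syscall filter for every container in the pod (Pod Security "restricted" baseline).
        seccompProfile:
          type: RuntimeDefault
      initContainers:
        # Runs as the image default user (root): "apk add" and chown to UID 1001 require it.
        # NOTE(review): the package is fetched unpinned over the network at every pod start;
        # baking openssh into a digest-pinned image would remove that startup-time dependency.
        - name: setup
          image: alpine:3.19
          command:
            - /bin/sh
            - -c
            - |
              # Fail the init container (and thus the pod) on any error instead of
              # starting sshd with missing host keys or an empty authorized_keys.
              set -eu
              # Install openssh for key generation
              apk add --no-cache openssh
              # Setup SSH host keys directory and generate keys.
              # "-f /ssh-init/.." is a prefix path: ssh-keygen -A writes into <prefix>/etc/ssh,
              # i.e. /etc/ssh of this init container, from where the keys are moved below.
              # NOTE(review): /ssh-init is an emptyDir, so host keys are regenerated on every
              # pod restart and clients will see a changed host key; storing them in a Secret
              # would keep the server identity stable across restarts.
              mkdir -p /ssh-init
              ssh-keygen -A -f /ssh-init/..
              mv /ssh-init/../etc/ssh/ssh_host_* /ssh-init/
              chown -R 1001:33 /ssh-init
              chmod 600 /ssh-init/ssh_host_*_key
              chmod 644 /ssh-init/ssh_host_*_key.pub
              # Setup authorized_keys with correct ownership
              # The /ssh-git mount point IS the .ssh directory
              # UID 1001 and GID 33 match the NFS file ownership
              cp /ssh-keys-secret/authorized_keys /ssh-git/authorized_keys
              chown -R 1001:33 /ssh-git
              chmod 755 /ssh-git
              chmod 644 /ssh-git/authorized_keys
          volumeMounts:
            - name: ssh-host-keys
              mountPath: /ssh-init
            - name: git-ssh-keys
              mountPath: /ssh-keys-secret
              readOnly: true
            - name: git-ssh-writable
              mountPath: /ssh-git
      containers:
        # Container 1: SSH Git Server
        - name: git-server
          # NOTE(review): "1.0" is a mutable tag pulled with Always; pin by digest
          # (image: ...git-server:1.0@sha256:<digest-placeholder>) so a registry
          # retag cannot silently change what runs here.
          image: registry.lan.buetow.org:30001/git-server:1.0
          imagePullPolicy: Always
          ports:
            - containerPort: 22
              name: ssh
              protocol: TCP
          volumeMounts:
            - name: repos
              mountPath: /repos
            - name: git-ssh-writable
              mountPath: /home/git/.ssh
            - name: ssh-host-keys
              mountPath: /etc/ssh
          securityContext:
            runAsUser: 1001
            runAsGroup: 33
            # Kubelet rejects the container if the image would end up running as UID 0.
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              cpu: 50m
              memory: 128Mi
            limits:
              cpu: 250m
              memory: 256Mi
        # Container 2: CGit Web UI + git-http-backend
        - name: cgit
          # NOTE(review): ":latest" is unpinned; a digest pin (@sha256:<digest-placeholder>)
          # makes the deployed web frontend reproducible.
          image: joseluisq/alpine-cgit:latest
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -eu
              # Note: joseluisq/alpine-cgit already has git installed, no need to install again
              # Copy nginx configs to writable location and modify them
              # (the container runs as UID 33 with /etc read-only, so /tmp is used instead).
              cp /etc/nginx/nginx.conf /tmp/nginx.conf
              cp -r /etc/nginx/conf.d /tmp/conf.d
              cp /etc/nginx/fastcgi_params /tmp/fastcgi_params
              # Drop "user nginx;" (meaningless when the master itself is unprivileged) and
              # move the pid file; both sed calls assume the stock directive text is present.
              sed -i 's/^user nginx;//' /tmp/nginx.conf
              sed -i 's|pid /var/run/nginx.pid;|pid /tmp/nginx.pid;|' /tmp/nginx.conf
              sed -i 's|/etc/nginx/conf.d/|/tmp/conf.d/|' /tmp/nginx.conf
              # Update default.conf to use /tmp socket for cgit
              sed -i 's|unix:/var/run/fcgiwrap.sock|unix:/tmp/fcgiwrap.sock|' /tmp/conf.d/default.conf
              # Add git-http-backend location to default.conf (insert before the cgit location)
              # Find the server block and add the location directive.
              # GIT_HTTP_EXPORT_ALL exposes every repository under GIT_PROJECT_ROOT over HTTP
              # regardless of git-daemon-export-ok. No auth_basic is configured, so
              # $remote_user is empty and git-http-backend refuses receive-pack (push);
              # the /repos mount is read-only in this container anyway.
              sed -i '/location \/ {/i \
                # Git HTTP backend for clone/fetch/pull operations\
                location ~ ^/([^/]+\\.git)/(.*) {\
                    fastcgi_pass unix:/tmp/fcgiwrap.sock;\
                    fastcgi_param SCRIPT_FILENAME /usr/libexec/git-core/git-http-backend;\
                    fastcgi_param GIT_PROJECT_ROOT /repos/repos;\
                    fastcgi_param GIT_HTTP_EXPORT_ALL "";\
                    fastcgi_param PATH_INFO /$1/$2;\
                    fastcgi_param REMOTE_USER $remote_user;\
                    include /tmp/fastcgi_params;\
                }\
              ' /tmp/conf.d/default.conf
              # Start fcgiwrap with socket in /tmp
              spawn-fcgi -s /tmp/fcgiwrap.sock -n -- /usr/bin/fcgiwrap &
              # Wait for the socket instead of a fixed sleep; give up (and let the
              # container restart) if fcgiwrap never comes up.
              i=0
              while [ ! -S /tmp/fcgiwrap.sock ]; do
                i=$((i + 1))
                [ "$i" -gt 10 ] && { echo "fcgiwrap socket did not appear" >&2; exit 1; }
                sleep 1
              done
              # nginx and fcgiwrap both run as UID/GID 33, so owner+group access is enough;
              # no need for a world-writable socket.
              chmod 660 /tmp/fcgiwrap.sock
              exec nginx -c /tmp/nginx.conf -g 'daemon off;'
          ports:
            - containerPort: 80
              name: http
              protocol: TCP
          env:
            - name: CGIT_TITLE
              value: "f3s Git Repository Browser"
            - name: CGIT_DESC
              value: "Browse git repositories"
            - name: USE_CUSTOM_CONFIG
              value: "true"
          volumeMounts:
            - name: repos
              mountPath: /repos
              readOnly: true
            - name: cgit-config
              mountPath: /etc/cgitrc
              subPath: cgitrc
              readOnly: true
            - name: cgit-runtime
              mountPath: /tmp
          securityContext:
            runAsUser: 33
            runAsGroup: 33
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              cpu: 50m
              memory: 128Mi
            limits:
              cpu: 250m
              memory: 256Mi
      volumes:
        - name: repos
          persistentVolumeClaim:
            claimName: git-server-pvc
        - name: git-ssh-keys
          secret:
            secretName: git-server-authorized-keys
            # 256 decimal == 0400 octal (owner read-only). Written in decimal because
            # "0400" is octal under YAML 1.1 parsers but decimal 400 under YAML 1.2.
            defaultMode: 256
        - name: git-ssh-writable
          emptyDir: {}
        - name: cgit-config
          configMap:
            name: cgit-config
        - name: ssh-host-keys
          emptyDir: {}
        - name: cgit-runtime
          emptyDir: {}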