diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml
index 716d684..c176726 100644
--- a/.github/workflows/terraform.yaml
+++ b/.github/workflows/terraform.yaml
@@ -31,10 +31,14 @@ jobs:
 TF_VAR_email: ${{ secrets.EMAIL }}
 TF_VAR_do_token: ${{ secrets.DO_TOKEN }}
 TF_VAR_do_dns_token: ${{ secrets.DO_DNS_TOKEN }}
- TF_VAR_spaces_access_id: ${{ secrets.SPACES_ACCESS_ID }}
- TF_VAR_spaces_secret_key: ${{ secrets.SPACES_SECRET_KEY }}
- AWS_ACCESS_KEY_ID: ${{ secrets.SPACES_ACCESS_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.SPACES_SECRET_KEY }}
+ TF_VAR_cloudflare_account_id: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+ TF_VAR_cloudflare_api_token: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+ TF_VAR_cloudflare_r2_endpoint: ${{ secrets.R2_ENDPOINT }}
+ TF_VAR_cloudflare_r2_access_key_id: ${{ secrets.R2_ACCESS_KEY_ID }}
+ TF_VAR_cloudflare_r2_secret_access_key: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+ AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+ TF_VAR_sendgrid_api_key: ${{ secrets.SENDGRID_API_KEY }}
 if: github.ref == 'refs/heads/main'
 needs: validate
 steps:
diff --git a/.gitignore b/.gitignore
index 888c8ed..143ceea 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,5 @@
 .env
-
+TODO.md
 # Terraform
diff --git a/helm/gitlab/values.yaml b/helm/gitlab/values.yaml
index 62beab7..418c90a 100644
--- a/helm/gitlab/values.yaml
+++ b/helm/gitlab/values.yaml
@@ -74,6 +74,24 @@ global:
 minio:
 enabled: false
+ email:
+ display_name: GitLab
+ from: gitlab@${domain}
+ reply_to: noreply@${domain}
+
+ smtp:
+ enabled: true
+ domain: smtp.sendgrid.net
+ address: smtp.sendgrid.net
+ port: 587
+ user_name: apikey
+ password:
+ secret: gitlab-sendgrid-secret
+ key: password
+ tls: false
+ starttls_auto: true
+ openssl_verify_mode: peer
+ time_zone: UTC
 extraEnv:
diff --git a/terraform/helm.tf b/terraform/helm.tf
index c1332b9..2de9c37 100644
--- a/terraform/helm.tf
+++ b/terraform/helm.tf
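Review bot: The new `TF_VAR_*` and `AWS_*` secrets are exported in what appears to be the job-level `env` (the `if:`, `needs:` and `steps:` keys follow at the same level), so every step of the job, including any third-party actions listed under `steps:`, receives the Cloudflare account token, the R2 keys and the SendGrid key as environment variables. Moving these entries to a step-level `env:` on the step(s) that actually invoke Terraform keeps them out of checkout and setup actions. Indentation is lost in this view, so confirm the `env` level before changing it.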
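Review bot: The `smtp` block relies on two SendGrid-specific conventions that are not obvious to the next reader: `user_name: apikey` is a literal username, not a placeholder, and the API key itself is the password read from `gitlab-sendgrid-secret`; and `tls: false` together with `starttls_auto: true` on `port: 587` selects a STARTTLS upgrade rather than implicit TLS (conventionally port 465), with `openssl_verify_mode: peer` keeping certificate verification on. Suggested comments above those lines: `# SendGrid expects the literal user name "apikey"; the API key is supplied as the password` and `# 587 = STARTTLS upgrade (tls: true would mean implicit TLS); keep openssl_verify_mode: peer`. The `${domain}` in `from` and `reply_to` looks like a Terraform templatefile variable rather than Helm syntax, which is worth a one-line comment at the top of the block so nobody treats the file as plain Helm values.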
@@ -101,7 +101,7 @@ resource "helm_release" "gitlab" {
 postgres_username = digitalocean_database_cluster.postgres.user
 redis_host = digitalocean_database_cluster.valkey.private_host
 redis_port = digitalocean_database_cluster.valkey.port
- buckets = {for key, bucket in digitalocean_spaces_bucket.gitlab : key => bucket.name}
+ buckets = {for key, bucket in cloudflare_r2_bucket.gitlab : key => bucket.name}
 })
 ]
@@ -121,7 +121,8 @@ resource "helm_release" "gitlab" {
 kubernetes_secret_v1.gitlab_initial_root_password,
 kubernetes_secret_v1.gitlab_postgres,
 kubernetes_secret_v1.gitlab_redis,
- kubernetes_secret_v1.gitlab_s3_main
+ kubernetes_secret_v1.gitlab_s3_main,
+ kubernetes_secret_v1.gitlab_sendgrid_secret
 ]
 }
diff --git a/terraform/kubernetes.tf b/terraform/kubernetes.tf
index 4db55b1..fbfc969 100644
--- a/terraform/kubernetes.tf
+++ b/terraform/kubernetes.tf
@@ -104,9 +104,9 @@ resource "kubernetes_secret_v1" "gitlab_s3_main" {
 connection = yamlencode({
 provider = "AWS"
 region = var.region
- endpoint = "https://${var.region}.digitaloceanspaces.com"
- aws_access_key_id = var.spaces_access_id
- aws_secret_access_key = var.spaces_secret_key
+ endpoint = var.cloudflare_r2_endpoint
+ aws_access_key_id = var.cloudflare_account_id
+ aws_secret_access_key = var.cloudflare_api_token
 path_style = true
 })
 }
@@ -125,7 +125,7 @@ resource "kubernetes_secret_v1" "gitlab_s3_main" {
 # accesskey = var.spaces_access_id
 # secretkey = var.spaces_secret_key
 # region = var.region
-# regionendpoint = "https://${var.region}.digitaloceanspaces.com"
+# regionendpoint = ${{ secrets.R2_ACCESS_KEY_ID }}
 # bucket = digitalocean_spaces_bucket.gitlab["registry"].name
 # })
 # }
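Review bot: `gitlab_s3_main` now signs its S3 requests with `aws_access_key_id = var.cloudflare_account_id` and `aws_secret_access_key = var.cloudflare_api_token`, while the R2 access keys this commit introduces (`var.cloudflare_r2_access_key_id`, `var.cloudflare_r2_secret_access_key`, also exported by the workflow as `AWS_*`) are never referenced. An account id and an account-level API token are not S3 credentials, so either object storage fails to authenticate or, if the value is somehow accepted, a broad-scope Cloudflare credential ends up in a Kubernetes Secret read by the GitLab pods where a bucket-scoped key belongs. Proposed change: `aws_access_key_id = var.cloudflare_r2_access_key_id` and `aws_secret_access_key = var.cloudflare_r2_secret_access_key`. The same pair appears in the `gitlab_s3_backup` hunk (@@ -143) and should change with it, and `region = var.region` is still the DigitalOcean region (`ams3` per variables.tf) whereas R2 documents `auto` — worth confirming against the provider. Both resources start outside their hunks.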
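Review bot: The commented-out block now reads `# regionendpoint = ${{ secrets.R2_ACCESS_KEY_ID }}`, which is GitHub Actions expression syntax rather than HCL and names an access key id where an endpoint belongs, so un-commenting it would neither parse nor point at the right value; the surrounding lines still reference `var.spaces_access_id`, `var.spaces_secret_key` and `digitalocean_spaces_bucket.gitlab`, all of which this commit removes. Either delete the dead block or bring it in line with the new inputs, e.g. `# regionendpoint = var.cloudflare_r2_endpoint` and `# bucket = cloudflare_r2_bucket.gitlab["registry"].name`. The enclosing commented resource starts outside the hunk.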
@@ -143,9 +143,9 @@ resource "kubernetes_secret_v1" "gitlab_s3_backup" {
 connection = yamlencode({
 provider = "AWS"
 region = var.region
- endpoint = "https://${var.region}.digitaloceanspaces.com"
- aws_access_key_id = var.spaces_access_id
- aws_secret_access_key = var.spaces_secret_key
+ endpoint = var.cloudflare_r2_endpoint
+ aws_access_key_id = var.cloudflare_account_id
+ aws_secret_access_key = var.cloudflare_api_token
 path_style = true
 })
 }
@@ -153,6 +153,19 @@ resource "kubernetes_secret_v1" "gitlab_s3_backup" {
 type = "Opaque"
 }
+resource "kubernetes_secret_v1" "gitlab_sendgrid_secret" {
+ metadata {
+ name = "gitlab-sendgrid-secret"
+ namespace = kubernetes_namespace_v1.gitlab.metadata[0].name
+ }
+
+ data = {
+ password = var.sendgrid_api_key
+ }
+
+ type = "Opaque"
+}
+
 resource "time_sleep" "wait_for_lb" {
 depends_on = [ helm_release.ingress_nginx ]
 create_duration = "120s"
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
index b1f14bc..a1897c5 100644
--- a/terraform/outputs.tf
+++ b/terraform/outputs.tf
@@ -41,10 +41,6 @@ output "valkey_password" {
 }
-output "spaces_endpoint" {
- value = "${var.region}.digitaloceanspaces.com"
-}
-
-output "spaces_buckets" {
- value = { for k, b in digitalocean_spaces_bucket.gitlab : k => b.name }
+output "r2_buckets" {
+ value = { for k, b in cloudflare_r2_bucket.gitlab : k => b.name }
 }
\ No newline at end of file
diff --git a/terraform/providers.tf b/terraform/providers.tf
index e7a75a2..92cd8e9 100644
--- a/terraform/providers.tf
+++ b/terraform/providers.tf
@@ -1,7 +1,9 @@
 provider "digitalocean" {
 token = var.do_token
- spaces_access_id = var.spaces_access_id
- spaces_secret_key = var.spaces_secret_key
+}
+
+provider "cloudflare" {
+ api_token = var.cloudflare_api_token
 }
 provider "kubernetes" {
diff --git a/terraform/s3.tf b/terraform/s3.tf
new file mode 100644
index 0000000..b804346
--- /dev/null
+++ b/terraform/s3.tf
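Review bot: The Secret name `gitlab-sendgrid-secret` is a literal here and again in `helm/gitlab/values.yaml` (`smtp.password.secret`), so a rename in one place silently breaks outbound mail without any plan-time error. If values.yaml is rendered through `templatefile` as the `helm.tf` hunk suggests, passing `kubernetes_secret_v1.gitlab_sendgrid_secret.metadata[0].name` in the template variables ties the two together and gives Terraform the dependency edge that the manual `depends_on` entry currently supplies. A short comment on `data.password` noting that, like every `kubernetes_secret_v1` value here, the SendGrid key is stored unencrypted in Terraform state would also help whoever reviews where that state lives.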
@@ -0,0 +1,21 @@
+locals {
+ buckets = toset([
+ "artifacts", "lfs", "uploads", "packages",
+ "registry", "pages", "backups", "tmp", "ci-secure-files",
+ "dependency-proxy", "terraform-state"
+ ])
+}
+
+resource "random_id" "suffix" {
+ byte_length = 3
+}
+
+resource "cloudflare_r2_bucket" "gitlab" {
+ for_each = local.buckets
+ account_id = var.cloudflare_account_id
+ name = "${var.cluster_name}-${each.key}-${random_id.suffix.hex}"
+ jurisdiction = var.r2_jurisdiction
+ lifecycle {
+ prevent_destroy = true
+ }
+}
\ No newline at end of file
diff --git a/terraform/spaces.tf b/terraform/spaces.tf
deleted file mode 100644
index 9ba9d8e..0000000
--- a/terraform/spaces.tf
+++ /dev/null
@@ -1,18 +0,0 @@
-locals {
- buckets = toset([
- "artifacts", "lfs", "uploads", "packages",
- "registry", "pages" #"backups", "tmp", # "ci-secure-files",
- # "dependency-proxy", # "terraform-state",
- ])
-}
-
-resource "random_id" "suffix" {
- byte_length = 3
-}
-
-resource "digitalocean_spaces_bucket" "gitlab" {
- for_each = local.buckets
- name = "${var.cluster_name}-${each.key}-${random_id.suffix.hex}"
- region = var.region
- acl = "private"
-}
\ No newline at end of file
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 416ff17..e7fb83c 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -8,12 +8,32 @@ variable "do_dns_token" {
 sensitive = true
 }
-variable "spaces_access_id" {
+variable "cloudflare_account_id" {
 type = string
 sensitive = true
 }
-variable "spaces_secret_key" {
+variable "cloudflare_api_token" {
+ type = string
+ sensitive = true
+}
+
+variable "cloudflare_r2_endpoint" {
+ type = string
+ sensitive = true
+}
+
+variable "cloudflare_r2_access_key_id" {
+ type = string
+ sensitive = true
+}
+
+variable "cloudflare_r2_secret_access_key" {
+ type = string
+ sensitive = true
+}
+
+variable "sendgrid_api_key" {
 type = string
 sensitive = true
 }
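Review bot: Because `spaces.tf` is deleted in the same commit and the old `digitalocean_spaces_bucket.gitlab` had no `prevent_destroy`, the next apply destroys the existing Spaces buckets and creates empty R2 buckets, and nothing in the diff copies artifacts, LFS objects, uploads, packages, registry layers or pages across. Until the data has been migrated, the old buckets should leave state without being deleted — a `removed` block (Terraform 1.7+) as below, or `terraform state rm` before the apply. It is also worth a comment that `terraform-state` is in the bucket set, since if this configuration's own backend lives there the bucket cannot be created by the same apply that needs it.
```hcl
// … new file s3.tf as in the hunk, plus: …
removed {
  from = digitalocean_spaces_bucket.gitlab
  lifecycle {
    destroy = false
  }
}
```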
@@ -24,6 +44,11 @@ variable "region" {
 default = "ams3"
 }
+variable "r2_jurisdiction" {
+ type = string
+ default = "eu"
+}
+
 variable "cluster_name" {
 type = string
 default = "gitlab"
diff --git a/terraform/versions.tf b/terraform/versions.tf
index 4503751..581f474 100644
--- a/terraform/versions.tf
+++ b/terraform/versions.tf
@@ -6,6 +6,10 @@ terraform {
 source = "digitalocean/digitalocean"
 version = "~> 2.81.0"
 }
+ cloudflare = {
+ source = "cloudflare/cloudflare"
+ version = "~> 5.19.0"
+ }
 kubernetes = {
 source = "hashicorp/kubernetes"
 version = "~> 3.0.1"