# OpenShift List bundling the objects needed to run the gitserver:
# a DeploymentConfig, a Service and a ServiceAccount, all named "gitserver".
apiVersion: v1
kind: List
items:

# The gitserver is deployed as a singleton pod and uses a very small amount
# of resources. It can host or transiently serve Git repositories, as well
# as automatically integrate with builds in a namespace.
#
# NOTE(review): as written, this config enables push, lazy repository
# creation and hook management, serves over plain HTTP, and authorizes
# clients against the pod's own namespace. Review the "Authentication and
# authorization" variables below before using it outside a test namespace.
- apiVersion: v1
  kind: DeploymentConfig
  metadata:
    name: gitserver
    labels:
      app: gitserver
  spec:
    replicas: 1 # the gitserver is not HA and should not be scaled past 1
    # Must match the pod template labels below; the Service in this list
    # selects on the same label.
    selector:
      run-container: gitserver
    template:
      metadata:
        labels:
          run-container: gitserver
      spec:
        # The pod runs as the "gitserver" service account declared at the
        # end of this list. Its token is what the value '-' refers to in
        # REQUIRE_SERVER_AUTH and AUTOLINK_KUBECONFIG below.
        serviceAccountName: gitserver
        containers:
        # NOTE(review): no resource limits or securityContext are set on
        # this container.
        - name: gitserver
          # NOTE(review): no tag or digest is given, so this reference
          # resolves to the mutable "latest" tag. Pin it to a tag or digest
          # you have verified if deployments must be reproducible.
          image: openshift/origin-gitserver
          ports:
          - containerPort: 8080

          # Values set under env are stored in this DeploymentConfig and are
          # visible to anyone who can read it or the resulting pod spec.
          env:
          # Each environment variable matching GIT_INITIAL_CLONE_* will
          # be cloned when the process starts; failures will be logged.
          # <name> must be [A-Z0-9_\-\.], the cloned directory name will
          # be lowercased. If the name is invalid the pod will halt. If
          # the repository already exists on disk, it will be updated
          # from the remote.
          # Avoid URLs with embedded credentials here, since env values
          # are readable from the object.
          #
          #- name: GIT_INITIAL_CLONE_1
          #  value:  <url>[;<name>]


          # The namespace of the pod is required for implicit config
          # (passing '-' to AUTOLINK_KUBECONFIG or REQUIRE_SERVER_AUTH)
          # and can also be used to target a specific namespace.
          # Populated from the pod's own metadata via the downward API.
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace

          # The URL that builds must use to access the Git repositories
          # stored in this app.
          # TODO: support HTTPS
          # NOTE(review): this is plain HTTP, so repository contents and any
          # credentials clients present are sent unencrypted on the cluster
          # network until HTTPS is supported.
          - name: PUBLIC_URL
            value: http://gitserver.$(POD_NAMESPACE).svc.cluster.local:8080
          # The directory to store Git repositories in. If not backed
          # by a persistent volume, repositories will be lost when
          # deployments occur. Use GIT_INITIAL_CLONE_* and AUTOLINK_*
          # to remove the need to use a persistent volume.
          # This path is where the "git" volume is mounted (see volumeMounts).
          - name: GIT_HOME
            value: /var/lib/git

          # The directory to use as the default hook directory for any
          # cloned or autolinked directories.
          # Declared without a value here; the commented line below shows
          # an example setting.
          - name: HOOK_PATH
          # value: /var/lib/git-hooks

          # Authentication and authorization
          #
          # The "yes" values below are quoted on purpose: an unquoted yes
          # can be parsed as a YAML boolean, and env values must be strings.

          # If 'yes', clients may push to the server with git push.
          - name: ALLOW_GIT_PUSH
            value: "yes"
          # If 'yes', clients may set hooks via the API. However, unless
          # the Git home is backed by a persistent volume, any deployment
          # will result in the hooks being lost.
          # NOTE(review): hooks are scripts the server runs, so whoever may
          # set them can presumably run code in this pod under the gitserver
          # service account. Confirm who is authorized before leaving this
          # enabled, particularly if that account holds the edit role.
          - name: ALLOW_GIT_HOOKS
            value: "yes"
          # If 'yes', clients can create new git repositories on demand
          # by pushing. If the data on disk is not backed by a persistent
          # volume, the Git repo will be deleted if the deployment is
          # updated.
          - name: ALLOW_LAZY_CREATE
            value: "yes"
          # If 'yes', clients can pull without being authenticated.
          # NOTE(review): no value is set here, which presumably leaves
          # anonymous pull disabled; confirm against the server's defaults.
          - name: ALLOW_ANON_GIT_PULL

          # Provides the path to a kubeconfig file in the image that
          # should be used to authorize against the server. The value
          # '-' will use the pod's service account.
          # May not be used in combination with REQUIRE_GIT_AUTH
          - name: REQUIRE_SERVER_AUTH
            value: "-"
          # The namespace to check authorization against when
          # REQUIRE_SERVER_AUTH is used. Users must have 'get' on
          # 'pods' to pull and 'create' on 'pods' to push.
          # Repository access therefore follows pod permissions in this
          # namespace: anyone who can create pods there can push.
          - name: AUTH_NAMESPACE
            value: $(POD_NAMESPACE)
          # Require BASIC authentication with a username and password
          # to push or pull.
          # May not be used in combination with REQUIRE_SERVER_AUTH
          # NOTE(review): a literal <username>:<password> set here is
          # readable by anyone who can view this object, and BASIC
          # credentials are only encoded, not encrypted, over the HTTP
          # PUBLIC_URL. Prefer REQUIRE_SERVER_AUTH or, where the cluster
          # version supports it, source the value from a Secret.
          - name: REQUIRE_GIT_AUTH
          # value: <username>:<password>

          # Autolinking:
          #
          # The gitserver can automatically clone Git repositories
          # associated with a build config and replace the URL with
          # a link to the repo on PUBLIC_URL. The default post-receive
          # hook on the cloned repo will then trigger a build. You
          # may customize the hook with AUTOLINK_HOOK (path to hook).
          # To autolink, the account the pod runs under must have 'edit'
          # on the AUTOLINK_NAMESPACE (the role name precedes the user):
          #
          #    oc policy add-role-to-user edit \
          #      system:serviceaccount:${namespace}:gitserver
          #
          # Links are checked every time the pod starts.
          #
          # NOTE(review): 'edit' is a broad role. Grant it only when
          # autolinking is actually used, because code running in this pod
          # can act with whatever the service account is allowed to do.

          # The location to read auth configuration from for autolinking.
          # If '-', use the service account token to link. The account
          # represented by this config must have the edit role on the
          # namespace.
          - name: AUTOLINK_KUBECONFIG
            value: "-"

          # The namespace to autolink
          - name: AUTOLINK_NAMESPACE
            value: $(POD_NAMESPACE)

          # The path to a script in the image to use as the default
          # post-receive hook - only set during link, so has no effect
          # on cloned repositories. See the "hooks" directory in the
          # image for examples.
          # Declared without a value here.
          - name: AUTOLINK_HOOK

          # The master service host is not signed with the service IP
          # so we override with the consistent DNS name. Required for
          # connections to the server.
          - name: KUBERNETES_SERVICE_HOST
            value: kubernetes.default

          # Mounted at the GIT_HOME path set above.
          volumeMounts:
          - mountPath: /var/lib/git/
            name: git
        # NOTE(review): no volume source is given for "git"; this presumably
        # defaults to an emptyDir, which matches the warning above that
        # repositories are lost on redeploy. Back it with a persistent
        # volume claim if repositories must survive.
        volumes:
        - name: git
    # Redeploy whenever this DeploymentConfig's pod template changes.
    triggers:
    - type: ConfigChange

# The gitserver service is required for DNS resolution
# (PUBLIC_URL in the DeploymentConfig points at this service's cluster
# DNS name on port 8080).
- apiVersion: v1
  kind: Service
  metadata:
    name: gitserver
    labels:
      app: gitserver
  spec:
    # Plain HTTP on 8080, forwarded to the container's port 8080.
    # NOTE(review): no service type is set, so this should be a
    # cluster-internal service. Traffic on it is unencrypted, so put TLS in
    # front of it before exposing it beyond the cluster.
    ports:
    - port: 8080
      targetPort: 8080
    # Matches the run-container label on the gitserver pod template.
    selector:
      run-container: gitserver

# The service account for the gitserver must be granted the edit role if
# you wish to use autolinking.
# NOTE(review): this object grants nothing by itself; the role binding is a
# separate step. 'edit' is a broad role, so grant it only when autolinking
# is needed. Code running in the gitserver pod acts with this account's
# permissions.
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: gitserver
    labels:
      app: gitserver