Update Gitea version and configuration for Azure Blob storage support.

CHANGELOG.md

@@ -1,5 +1,7 @@
 <!-- markdownlint-disable MD041 -->
 ## 0.26.0 (Unreleased)
+**BREAKING CHANGES & MIGRATIONS**:
+* Updated the version of gitea and the runtime build script. Updating Gitea will remove the storage from underneath it and result in a redeploy. ([#4672](https://github.com/microsoft/AzureTRE/pull/4672))
 
 ENHANCEMENTS:
 * Create CODEOWNERS file with repository maintainers

devops/scripts/bundle_runtime_image_build.sh

@@ -32,15 +32,13 @@ if [ -n "${CI_CACHE_ACR_NAME:-}" ]; then
 	docker_cache+=("--cache-from" "${CI_CACHE_ACR_NAME}${acr_domain_suffix}/${IMAGE_NAME_PREFIX}/${image_name}:${version}")
 fi
 
-ARCHITECTURE=$(docker info --format "{{ .Architecture }}" )
-
-if [ "${ARCHITECTURE}" == "aarch64" ]; then
-    DOCKER_BUILD_COMMAND="docker buildx build --platform linux/amd64"
-else
-    DOCKER_BUILD_COMMAND="docker build"
-fi
+# Force BuildKit + buildx for amd64 + load into local docker
+export DOCKER_BUILDKIT=1
+DOCKER_BUILD_COMMAND="docker buildx build --platform linux/amd64 --load"
 
 ${DOCKER_BUILD_COMMAND} --build-arg BUILDKIT_INLINE_CACHE=1 \
   -t "${FULL_IMAGE_NAME_PREFIX}/${image_name}:${version}" \
   "${docker_cache[@]}" -f "${docker_file}" "${docker_context}"
 
+## Needed as workaround for v1 manifests not being supported in Azure App Service on Linux.
+

templates/shared_services/gitea/docker/Dockerfile

@@ -1,4 +1,4 @@
-ARG GITEA_TAG=1.15
+ARG GITEA_TAG=1.24.5
 ARG CERTIFICATE_URL=https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem
 
 FROM gitea/gitea:${GITEA_TAG}

templates/shared_services/gitea/docker/version.txt

@@ -1 +1 @@
-__version__ = "0.3.12"
+__version__ = "0.4.1"

templates/shared_services/gitea/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-gitea
-version: 1.2.1
+version: 2.0.1
 description: "A Gitea shared service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

templates/shared_services/gitea/terraform/gitea-webapp.tf

@@ -39,13 +39,19 @@ resource "azurerm_linux_web_app" "gitea" {
 
     GITEA__server__ROOT_URL              = "https://${local.webapp_name}.azurewebsites.net/"
     GITEA__server__LFS_START_SERVER      = "true"
-    GITEA__lfs__PATH                     = "/data/lfs"
-    GITEA__lfs__STORAGE_TYPE             = "local"
     GITEA__log_0x2E_console__COLORIZE    = "false" # Azure monitor doens't show colors, so this is easier to read.
     GITEA__picture__DISABLE_GRAVATAR     = "true"  # external avaters are not available due to network restrictions
     GITEA__security__INSTALL_LOCK        = true
     GITEA__service__DISABLE_REGISTRATION = true
 
+    GITEA__migrations__ALLOW_LOCALNETWORKS = "true"
+
+    GITEA__storage__STORAGE_TYPE            = "azureblob"
+    GITEA__storage__AZURE_BLOB_ENDPOINT     = data.azurerm_storage_account.gitea.primary_blob_endpoint
+    GITEA__storage__AZURE_BLOB_ACCOUNT_NAME = data.azurerm_storage_account.gitea.name
+    GITEA__storage__AZURE_BLOB_ACCOUNT_KEY  = data.azurerm_storage_account.gitea.primary_access_key
+    GITEA__storage__AZURE_BLOB_CONTAINER    = azurerm_storage_container.gitea_blob_container.name
+
     GITEA__database__SSL_MODE = "true"
     GITEA__database__DB_TYPE  = "mysql"
     GITEA__database__HOST     = azurerm_mysql_flexible_server.gitea.fqdn
@@ -74,16 +80,6 @@ resource "azurerm_linux_web_app" "gitea" {
       docker_image_name   = "microsoft/azuretre/gitea:${local.version}"
     }
   }
-
-  storage_account {
-    name         = "gitea-data"
-    type         = "AzureFiles"
-    account_name = data.azurerm_storage_account.gitea.name
-    access_key   = data.azurerm_storage_account.gitea.primary_access_key
-    share_name   = azurerm_storage_share.gitea.name
-    mount_path   = "/data"
-  }
-
   logs {
     application_logs {
       file_system_level = "Information"
@@ -98,7 +94,8 @@ resource "azurerm_linux_web_app" "gitea" {
   }
 
   depends_on = [
-    azurerm_key_vault_secret.gitea_password
+    azurerm_key_vault_secret.gitea_password,
+    azurerm_storage_container.gitea_blob_container
   ]
 }
 
@@ -168,7 +165,6 @@ resource "azurerm_monitor_diagnostic_setting" "webapp_gitea" {
 
   metric {
     category = "AllMetrics"
-    enabled  = true
   }
 }
 
@@ -191,14 +187,14 @@ resource "azurerm_key_vault_secret" "gitea_password" {
   lifecycle { ignore_changes = [tags] }
 }
 
-resource "azurerm_storage_share" "gitea" {
-  name                 = "gitea-data"
-  storage_account_name = data.azurerm_storage_account.gitea.name
-  quota                = var.gitea_storage_limit
-}
-
 resource "azurerm_role_assignment" "gitea_acrpull_role" {
   scope                = data.azurerm_container_registry.mgmt_acr.id
   role_definition_name = "AcrPull"
   principal_id         = azurerm_user_assigned_identity.gitea_id.principal_id
 }
+
+resource "azurerm_storage_container" "gitea_blob_container" {
+  name                  = "gitea"
+  storage_account_id    = data.azurerm_storage_account.gitea.id
+  container_access_type = "private"
+}

templates/workspace_services/gitea/docker/Dockerfile

@@ -1,4 +1,4 @@
-ARG GITEA_TAG=1.17.3
+ARG GITEA_TAG=1.24.5
 ARG CERTIFICATE_URL=https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem
 
 FROM gitea/gitea:${GITEA_TAG}
@@ -7,6 +7,8 @@ ARG CERTIFICATE_URL
 RUN wget -q -O /usr/local/share/ca-certificates/mysql.crt.pem ${CERTIFICATE_URL} && update-ca-certificates
 COPY . /
 
+RUN chmod +x ./configure_gitea.sh
+
 RUN /usr/sbin/adduser -D -g users gitea
 
 ENTRYPOINT ["/bin/bash", "-c",  "./configure_gitea.sh & /usr/bin/entrypoint"]

templates/workspace_services/gitea/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-service-gitea
-version: 1.3.2
+version: 2.0.1
 description: "A Gitea workspace service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

templates/workspace_services/gitea/terraform/data.tf

@@ -39,8 +39,8 @@ data "azurerm_private_dns_zone" "mysql" {
   resource_group_name = local.core_resource_group_name
 }
 
-data "azurerm_private_dns_zone" "filecore" {
-  name                = module.terraform_azurerm_environment_configuration.private_links["privatelink.file.core.windows.net"]
+data "azurerm_private_dns_zone" "blobcore" {
+  name                = module.terraform_azurerm_environment_configuration.private_links["privatelink.blob.core.windows.net"]
   resource_group_name = local.core_resource_group_name
 }
 

templates/workspace_services/gitea/terraform/gitea-webapp.tf

@@ -57,12 +57,21 @@ resource "azurerm_linux_web_app" "gitea" {
     GITEA__service__DISABLE_REGISTRATION             = false
     GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION = true
     GITEA__service__SHOW_REGISTRATION_BUTTON         = false
-    GITEA__database__SSL_MODE                        = "true"
-    GITEA__database__DB_TYPE                         = "mysql"
-    GITEA__database__HOST                            = azurerm_mysql_flexible_server.gitea.fqdn
-    GITEA__database__NAME                            = azurerm_mysql_flexible_database.gitea.name
-    GITEA__database__USER                            = azurerm_mysql_flexible_server.gitea.administrator_login
-    GITEA__database__PASSWD                          = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.db_password.id})"
+
+    GITEA__migrations__ALLOW_LOCALNETWORKS = "true"
+
+    GITEA__storage__STORAGE_TYPE            = "azureblob"
+    GITEA__storage__AZURE_BLOB_ENDPOINT     = azurerm_storage_account.gitea.primary_blob_endpoint
+    GITEA__storage__AZURE_BLOB_ACCOUNT_NAME = azurerm_storage_account.gitea.name
+    GITEA__storage__AZURE_BLOB_ACCOUNT_KEY  = azurerm_storage_account.gitea.primary_access_key
+    GITEA__storage__AZURE_BLOB_CONTAINER    = azurerm_storage_container.gitea_blob_container.name
+
+    GITEA__database__SSL_MODE = "true"
+    GITEA__database__DB_TYPE  = "mysql"
+    GITEA__database__HOST     = azurerm_mysql_flexible_server.gitea.fqdn
+    GITEA__database__NAME     = azurerm_mysql_flexible_database.gitea.name
+    GITEA__database__USER     = azurerm_mysql_flexible_server.gitea.administrator_login
+    GITEA__database__PASSWD   = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.db_password.id})"
   }
 
   lifecycle { ignore_changes = [tags] }
@@ -86,14 +95,6 @@ resource "azurerm_linux_web_app" "gitea" {
     }
   }
 
-  storage_account {
-    name         = "gitea-data"
-    type         = "AzureFiles"
-    account_name = azurerm_storage_account.gitea.name
-    access_key   = azurerm_storage_account.gitea.primary_access_key
-    share_name   = azurerm_storage_share.gitea.name
-    mount_path   = "/data/gitea/"
-  }
 
   logs {
     application_logs {
@@ -109,7 +110,9 @@ resource "azurerm_linux_web_app" "gitea" {
   }
 
   depends_on = [
-    azurerm_key_vault_secret.gitea_password
+    azurerm_key_vault_secret.gitea_password,
+    azurerm_storage_account.gitea,
+    azurerm_storage_container.gitea_blob_container
   ]
 }
 
@@ -178,7 +181,6 @@ resource "azurerm_monitor_diagnostic_setting" "gitea" {
 
   metric {
     category = "AllMetrics"
-    enabled  = true
   }
 }
 

templates/workspace_services/gitea/terraform/storage.tf

@@ -38,8 +38,8 @@ resource "azurerm_storage_account_network_rules" "stgrules" {
   bypass         = ["AzureServices"]
 }
 
-resource "azurerm_private_endpoint" "stgfilepe" {
-  name                = "stgfilepe-${local.service_resource_name_suffix}"
+resource "azurerm_private_endpoint" "stgblobpe" {
+  name                = "stgblobpe-${local.service_resource_name_suffix}"
   location            = data.azurerm_resource_group.ws.location
   resource_group_name = data.azurerm_resource_group.ws.name
   subnet_id           = data.azurerm_subnet.services.id
@@ -49,20 +49,19 @@ resource "azurerm_private_endpoint" "stgfilepe" {
 
   private_dns_zone_group {
     name                 = "private-dns-zone-group"
-    private_dns_zone_ids = [data.azurerm_private_dns_zone.filecore.id]
+    private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id]
   }
 
   private_service_connection {
-    name                           = "stgfilepesc-${local.service_resource_name_suffix}"
+    name                           = "stgblobpesc-${local.service_resource_name_suffix}"
     private_connection_resource_id = azurerm_storage_account.gitea.id
     is_manual_connection           = false
-    subresource_names              = ["File"]
+    subresource_names              = ["blob"]
   }
 }
 
-
-resource "azurerm_storage_share" "gitea" {
-  name                 = "gitea-data"
-  storage_account_name = azurerm_storage_account.gitea.name
-  quota                = var.gitea_storage_limit
+resource "azurerm_storage_container" "gitea_blob_container" {
+  name                  = "gitea"
+  storage_account_id    = azurerm_storage_account.gitea.id
+  container_access_type = "private"
 }

templates/workspace_services/gitea/terraform/variables.tf

@@ -16,11 +16,7 @@ variable "mgmt_acr_name" {
 variable "aad_authority_url" {
   type = string
 }
-variable "gitea_storage_limit" {
-  type        = number
-  description = "Space allocated in GB for the Gitea data in Azure Files Share"
-  default     = 100
-}
+
 variable "arm_environment" {
   type = string
 }

templates/workspace_services/gitea/version.txt

@@ -1 +1 @@
-__version__ = "0.6.1"
+__version__ = "0.7.1"