infrastructure/forgejo-k8s.yaml

# Forgejo namespace
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: forgejo-namespace
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: v1
      kind: Namespace
      metadata:
        name: forgejo
---
# Forgejo ConfigMap
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: forgejo-config
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: forgejo-config
        namespace: forgejo
      data:
        app.ini: |
          APP_NAME = Forgejo: Beyond coding. We forge.
          RUN_MODE = prod
          
          [server]
          DOMAIN               = git.nge6.com
          SSH_DOMAIN           = git.nge6.com
          HTTP_PORT            = 3000
          ROOT_URL             = https://git.nge6.com/
          DISABLE_SSH          = true
          SSH_PORT             = 2222
          SSH_LISTEN_PORT      = 2222
          START_SSH_SERVER     = false
          LFS_START_SERVER     = true
          OFFLINE_MODE         = false
          
          [database]
          DB_TYPE  = sqlite3
          PATH     = /data/gitea/gitea.db
          
          [repository]
          ROOT = /data/git/repositories
          
          [security]
          INSTALL_LOCK   = true
          SECRET_KEY     = forgejo-secret-key-change-this-in-production-please
          INTERNAL_TOKEN = forgejo-internal-token-change-this-in-production-too
          
          [service]
          DISABLE_REGISTRATION = false
          REQUIRE_SIGNIN_VIEW  = false
          ENABLE_NOTIFY_MAIL   = false
          
          [picture]
          DISABLE_GRAVATAR        = false
          ENABLE_FEDERATED_AVATAR = true
          
          [openid]
          ENABLE_OPENID_SIGNIN = false
          ENABLE_OPENID_SIGNUP = false
          
          [log]
          MODE      = console
          LEVEL     = Info
          ROOT_PATH = /data/gitea/log
---
# Forgejo PVC for data persistence
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: forgejo-data-pvc
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        name: forgejo-data
        namespace: forgejo
      spec:
        accessModes:
          - ReadWriteOnce
        storageClassName: civo-volume
        resources:
          requests:
            storage: 10Gi
---
# Forgejo Deployment
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: forgejo-deployment
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: forgejo
        namespace: forgejo
        labels:
          app: forgejo
      spec:
        replicas: 1
        selector:
          matchLabels:
            app: forgejo
        template:
          metadata:
            labels:
              app: forgejo
          spec:
            initContainers:
            - name: setup-config
              image: busybox:1.36
              command: ['sh', '-c']
              args:
                - |
                  mkdir -p /data/gitea/conf /data/gitea/log /data/git/repositories /data/git/.ssh
                  cp /tmp/app.ini /data/gitea/conf/app.ini
                  touch /data/git/.ssh/authorized_keys
                  chown -R 1000:1000 /data
              volumeMounts:
              - name: data
                mountPath: /data
              - name: config
                mountPath: /tmp
            containers:
            - name: forgejo
              image: codeberg.org/forgejo/forgejo:9.0.2
              ports:
              - containerPort: 3000
                name: http
              - containerPort: 2222
                name: ssh
              env:
              - name: USER_UID
                value: "1000"
              - name: USER_GID  
                value: "1000"
              resources:
                limits:
                  cpu: 1000m
                  memory: 2Gi
                requests:
                  cpu: 100m
                  memory: 512Mi
              volumeMounts:
              - name: data
                mountPath: /data
              readinessProbe:
                httpGet:
                  path: /
                  port: 3000
                initialDelaySeconds: 30
                periodSeconds: 10
              livenessProbe:
                httpGet:
                  path: /
                  port: 3000
                initialDelaySeconds: 60
                periodSeconds: 30
            volumes:
            - name: data
              persistentVolumeClaim:
                claimName: forgejo-data
            - name: config
              configMap:
                name: forgejo-config
---
# Forgejo HTTP Service
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: forgejo-http-service
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: v1
      kind: Service
      metadata:
        name: forgejo-http
        namespace: forgejo
        labels:
          app: forgejo
      spec:
        selector:
          app: forgejo
        ports:
        - name: http
          port: 3000
          targetPort: 3000
        type: ClusterIP
---
# Forgejo SSH Service
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: forgejo-ssh-service
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: v1
      kind: Service
      metadata:
        name: forgejo-ssh
        namespace: forgejo
        labels:
          app: forgejo
      spec:
        selector:
          app: forgejo
        ports:
        - name: ssh
          port: 2222
          targetPort: 2222
        type: LoadBalancer
---
# SSL Certificate for Forgejo
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: forgejo-certificate
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: forgejo-tls
        namespace: emissary
      spec:
        secretName: forgejo-tls
        issuerRef:
          name: letsencrypt-dns
          kind: ClusterIssuer
        dnsNames:
          - git.nge6.com
---
# Ambassador Host for Forgejo
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: forgejo-host
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: getambassador.io/v3alpha1
      kind: Host
      metadata:
        name: forgejo-host
        namespace: emissary
      spec:
        hostname: git.nge6.com
        tlsSecret:
          name: forgejo-tls
---
# Ambassador Mapping for Forgejo
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: forgejo-mapping
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: getambassador.io/v3alpha1
      kind: Mapping
      metadata:
        name: forgejo-mapping
        namespace: emissary
      spec:
        hostname: git.nge6.com
        prefix: /
        service: https://pomerium-proxy.pomerium:443
        timeout_ms: 30000
        connect_timeout_ms: 10000
Initial infrastructure as code deployment This commit includes the complete Kubernetes infrastructure deployment for NGE6: - Crossplane setup with providers (Kubernetes, Helm, Civo) - Ambassador/Emissary ingress controller with SSL termination - Cert-manager with Let's Encrypt and Gandi webhook for DNS01 challenges - ExternalDNS integration with Gandi for automatic DNS management - Keycloak authentication server with PostgreSQL - Pomerium identity-aware proxy with OIDC integration - Forgejo Git server with persistent storage and authentication - Spire/SPIFFE for secure service communication All services are deployed using Infrastructure as Code principles with Crossplane managing Kubernetes and Helm resources declaratively. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-09-23 12:43:06 +00:00			`# Forgejo namespace`
			`apiVersion: kubernetes.crossplane.io/v1alpha2`
			`kind: Object`
			`metadata:`
			`name: forgejo-namespace`
			`namespace: crossplane-system`
			`spec:`
			`providerConfigRef:`
			`name: kubernetes-provider`
			`forProvider:`
			`manifest:`
			`apiVersion: v1`
			`kind: Namespace`
			`metadata:`
			`name: forgejo`
			`---`
			`# Forgejo ConfigMap`
			`apiVersion: kubernetes.crossplane.io/v1alpha2`
			`kind: Object`
			`metadata:`
			`name: forgejo-config`
			`namespace: crossplane-system`
			`spec:`
			`providerConfigRef:`
			`name: kubernetes-provider`
			`forProvider:`
			`manifest:`
			`apiVersion: v1`
			`kind: ConfigMap`
			`metadata:`
			`name: forgejo-config`
			`namespace: forgejo`
			`data:`
			`app.ini: \|`
			`APP_NAME = Forgejo: Beyond coding. We forge.`
			`RUN_MODE = prod`

			`[server]`
			`DOMAIN = git.nge6.com`
			`SSH_DOMAIN = git.nge6.com`
			`HTTP_PORT = 3000`
			`ROOT_URL = https://git.nge6.com/`
			`DISABLE_SSH = true`
			`SSH_PORT = 2222`
			`SSH_LISTEN_PORT = 2222`
			`START_SSH_SERVER = false`
			`LFS_START_SERVER = true`
			`OFFLINE_MODE = false`

			`[database]`
			`DB_TYPE = sqlite3`
			`PATH = /data/gitea/gitea.db`

			`[repository]`
			`ROOT = /data/git/repositories`

			`[security]`
			`INSTALL_LOCK = true`
			`SECRET_KEY = forgejo-secret-key-change-this-in-production-please`
			`INTERNAL_TOKEN = forgejo-internal-token-change-this-in-production-too`

			`[service]`
			`DISABLE_REGISTRATION = false`
			`REQUIRE_SIGNIN_VIEW = false`
			`ENABLE_NOTIFY_MAIL = false`

			`[picture]`
			`DISABLE_GRAVATAR = false`
			`ENABLE_FEDERATED_AVATAR = true`

			`[openid]`
			`ENABLE_OPENID_SIGNIN = false`
			`ENABLE_OPENID_SIGNUP = false`

			`[log]`
			`MODE = console`
			`LEVEL = Info`
			`ROOT_PATH = /data/gitea/log`
			`---`
			`# Forgejo PVC for data persistence`
			`apiVersion: kubernetes.crossplane.io/v1alpha2`
			`kind: Object`
			`metadata:`
			`name: forgejo-data-pvc`
			`namespace: crossplane-system`
			`spec:`
			`providerConfigRef:`
			`name: kubernetes-provider`
			`forProvider:`
			`manifest:`
			`apiVersion: v1`
			`kind: PersistentVolumeClaim`
			`metadata:`
			`name: forgejo-data`
			`namespace: forgejo`
			`spec:`
			`accessModes:`
			`- ReadWriteOnce`
			`storageClassName: civo-volume`
			`resources:`
			`requests:`
			`storage: 10Gi`
			`---`
			`# Forgejo Deployment`
			`apiVersion: kubernetes.crossplane.io/v1alpha2`
			`kind: Object`
			`metadata:`
			`name: forgejo-deployment`
			`namespace: crossplane-system`
			`spec:`
			`providerConfigRef:`
			`name: kubernetes-provider`
			`forProvider:`
			`manifest:`
			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`name: forgejo`
			`namespace: forgejo`
			`labels:`
			`app: forgejo`
			`spec:`
			`replicas: 1`
			`selector:`
			`matchLabels:`
			`app: forgejo`
			`template:`
			`metadata:`
			`labels:`
			`app: forgejo`
			`spec:`
			`initContainers:`
			`- name: setup-config`
			`image: busybox:1.36`
			`command: ['sh', '-c']`
			`args:`
			`- \|`
			`mkdir -p /data/gitea/conf /data/gitea/log /data/git/repositories /data/git/.ssh`
			`cp /tmp/app.ini /data/gitea/conf/app.ini`
			`touch /data/git/.ssh/authorized_keys`
			`chown -R 1000:1000 /data`
			`volumeMounts:`
			`- name: data`
			`mountPath: /data`
			`- name: config`
			`mountPath: /tmp`
			`containers:`
			`- name: forgejo`
			`image: codeberg.org/forgejo/forgejo:9.0.2`
			`ports:`
			`- containerPort: 3000`
			`name: http`
			`- containerPort: 2222`
			`name: ssh`
			`env:`
			`- name: USER_UID`
			`value: "1000"`
			`- name: USER_GID`
			`value: "1000"`
			`resources:`
			`limits:`
			`cpu: 1000m`
			`memory: 2Gi`
			`requests:`
			`cpu: 100m`
			`memory: 512Mi`
			`volumeMounts:`
			`- name: data`
			`mountPath: /data`
			`readinessProbe:`
			`httpGet:`
			`path: /`
			`port: 3000`
			`initialDelaySeconds: 30`
			`periodSeconds: 10`
			`livenessProbe:`
			`httpGet:`
			`path: /`
			`port: 3000`
			`initialDelaySeconds: 60`
			`periodSeconds: 30`
			`volumes:`
			`- name: data`
			`persistentVolumeClaim:`
			`claimName: forgejo-data`
			`- name: config`
			`configMap:`
			`name: forgejo-config`
			`---`
			`# Forgejo HTTP Service`
			`apiVersion: kubernetes.crossplane.io/v1alpha2`
			`kind: Object`
			`metadata:`
			`name: forgejo-http-service`
			`namespace: crossplane-system`
			`spec:`
			`providerConfigRef:`
			`name: kubernetes-provider`
			`forProvider:`
			`manifest:`
			`apiVersion: v1`
			`kind: Service`
			`metadata:`
			`name: forgejo-http`
			`namespace: forgejo`
			`labels:`
			`app: forgejo`
			`spec:`
			`selector:`
			`app: forgejo`
			`ports:`
			`- name: http`
			`port: 3000`
			`targetPort: 3000`
			`type: ClusterIP`
			`---`
			`# Forgejo SSH Service`
			`apiVersion: kubernetes.crossplane.io/v1alpha2`
			`kind: Object`
			`metadata:`
			`name: forgejo-ssh-service`
			`namespace: crossplane-system`
			`spec:`
			`providerConfigRef:`
			`name: kubernetes-provider`
			`forProvider:`
			`manifest:`
			`apiVersion: v1`
			`kind: Service`
			`metadata:`
			`name: forgejo-ssh`
			`namespace: forgejo`
			`labels:`
			`app: forgejo`
			`spec:`
			`selector:`
			`app: forgejo`
			`ports:`
			`- name: ssh`
			`port: 2222`
			`targetPort: 2222`
			`type: LoadBalancer`
			`---`
			`# SSL Certificate for Forgejo`
			`apiVersion: kubernetes.crossplane.io/v1alpha2`
			`kind: Object`
			`metadata:`
			`name: forgejo-certificate`
			`namespace: crossplane-system`
			`spec:`
			`providerConfigRef:`
			`name: kubernetes-provider`
			`forProvider:`
			`manifest:`
			`apiVersion: cert-manager.io/v1`
			`kind: Certificate`
			`metadata:`
			`name: forgejo-tls`
			`namespace: emissary`
			`spec:`
			`secretName: forgejo-tls`
			`issuerRef:`
Complete GitOps infrastructure setup Added to kustomization.yaml: - namespaces.yaml: Centralized namespace management - auth/: Keycloak authentication system - keycloak-config.yaml: Identity provider configuration - sealed-secrets.yaml: Secret encryption system Fixed namespace conflicts: - Removed duplicate pomerium-namespace from pomerium.yaml - Removed duplicate external-dns-namespace from external-dns.yaml - All namespaces now managed centrally via namespaces.yaml Now managing 72 Kubernetes resources via GitOps: ✅ Infrastructure: Crossplane providers, external-dns ✅ Certificates: cert-manager, Let's Encrypt, Gandi webhook ✅ Authentication: Keycloak, RBAC configs ✅ Applications: Forgejo, Pomerium, Vaultwarden ✅ Security: Sealed secrets, proper RBAC 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-09-28 06:43:00 +00:00			`name: letsencrypt-dns`
Initial infrastructure as code deployment This commit includes the complete Kubernetes infrastructure deployment for NGE6: - Crossplane setup with providers (Kubernetes, Helm, Civo) - Ambassador/Emissary ingress controller with SSL termination - Cert-manager with Let's Encrypt and Gandi webhook for DNS01 challenges - ExternalDNS integration with Gandi for automatic DNS management - Keycloak authentication server with PostgreSQL - Pomerium identity-aware proxy with OIDC integration - Forgejo Git server with persistent storage and authentication - Spire/SPIFFE for secure service communication All services are deployed using Infrastructure as Code principles with Crossplane managing Kubernetes and Helm resources declaratively. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-09-23 12:43:06 +00:00			`kind: ClusterIssuer`
			`dnsNames:`
			`- git.nge6.com`
			`---`
			`# Ambassador Host for Forgejo`
			`apiVersion: kubernetes.crossplane.io/v1alpha2`
			`kind: Object`
			`metadata:`
			`name: forgejo-host`
			`namespace: crossplane-system`
			`spec:`
			`providerConfigRef:`
			`name: kubernetes-provider`
			`forProvider:`
			`manifest:`
			`apiVersion: getambassador.io/v3alpha1`
			`kind: Host`
			`metadata:`
			`name: forgejo-host`
			`namespace: emissary`
			`spec:`
			`hostname: git.nge6.com`
			`tlsSecret:`
			`name: forgejo-tls`
			`---`
			`# Ambassador Mapping for Forgejo`
			`apiVersion: kubernetes.crossplane.io/v1alpha2`
			`kind: Object`
			`metadata:`
			`name: forgejo-mapping`
			`namespace: crossplane-system`
			`spec:`
			`providerConfigRef:`
			`name: kubernetes-provider`
			`forProvider:`
			`manifest:`
			`apiVersion: getambassador.io/v3alpha1`
			`kind: Mapping`
			`metadata:`
			`name: forgejo-mapping`
			`namespace: emissary`
			`spec:`
			`hostname: git.nge6.com`
			`prefix: /`
			`service: https://pomerium-proxy.pomerium:443`
			`timeout_ms: 30000`
			`connect_timeout_ms: 10000`