Allows git push/pull and Docker registry token exchange to bypass
Pomerium browser auth - Forgejo handles authentication natively
for these endpoints.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Move Keycloak off Helm to plain Crossplane Object manifests (PostgreSQL + Keycloak deployment)
- Add Vaultwarden SSO/OIDC config with Keycloak, fix Recreate deployment strategy for RWO volumes
- Switch routing from Helm-based Pomerium to pomerium-allinone with all service routes
- Deploy Argo Workflows (controller, server, CRDs, RBAC) with KEDA queue-depth autoscaling
- Add Civo cluster autoscaler with pool-scaler for zero-to-one scale-up via Civo API
- Add node-labeler to auto-tag nodes by pool membership for nodeSelector scheduling
- Set up mTLS container registry at registry.nge6.com (Forgejo built-in, client cert required)
- Add internal registry route (registry-internal.nge6.com) for in-cluster image pulls
- Fix DNS records for new Emissary LB IP (212.2.241.28)
- Fix CoreDNS crash from invalid custom config
- Fix Emissary apiext expired webhook CA certificate
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Created Ambassador Host: auth.nge6.com
- SSL certificate via Let's Encrypt
- External-DNS integration for automatic DNS records
- Direct access to Keycloak admin interface
Admin Access:
- URL: https://auth.nge6.com/admin
- Username: admin
- Password: thefi9paechooh
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Created eemoore user in Keycloak with admin privileges
- Added to k8s-admins group for cluster admin access
- Added to users group for basic access
- User: eemoore@nge6.com (Eric Moore)
User will have full access to all services via Pomerium authentication.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Includes Gandi webhook for DNS-01 challenges
- ClusterIssuers for Let's Encrypt certificates
- RBAC configurations for cert-manager components
Second batch deployment - cert infrastructure now managed via GitOps.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Enable debug logging for troubleshooting
- External-DNS now successfully creates vault.nge6.com → 212.2.241.56
- DNS record creation working via Gandi API
- Requires external-dns.ambassador-service annotation on Ambassador Hosts
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add Crossplane-managed gandi-api-key secret for external-dns
- Configure external-dns to watch Ambassador Host resources
- Add RBAC permissions for getambassador.io resources
- Enable automatic DNS record creation for vault.nge6.com
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Namespace, ConfigMap, PVC, Deployment, Service
- SSL certificate via cert-manager
- Ambassador Host and Mapping with Pomerium integration
- Uses SQLite for data persistence
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
This commit includes the complete Kubernetes infrastructure deployment for NGE6:
- Crossplane setup with providers (Kubernetes, Helm, Civo)
- Ambassador/Emissary ingress controller with SSL termination
- Cert-manager with Let's Encrypt and Gandi webhook for DNS01 challenges
- ExternalDNS integration with Gandi for automatic DNS management
- Keycloak authentication server with PostgreSQL
- Pomerium identity-aware proxy with OIDC integration
- Forgejo Git server with persistent storage and authentication
- Spire/SPIFFE for secure service communication
All services are deployed using Infrastructure as Code principles with
Crossplane managing Kubernetes and Helm resources declaratively.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
