- Move Keycloak off Helm to plain Crossplane Object manifests (PostgreSQL + Keycloak deployment)
- Add Vaultwarden SSO/OIDC config with Keycloak, fix Recreate deployment strategy for RWO volumes
- Switch routing from Helm-based Pomerium to pomerium-allinone with all service routes
- Deploy Argo Workflows (controller, server, CRDs, RBAC) with KEDA queue-depth autoscaling
- Add Civo cluster autoscaler with pool-scaler for zero-to-one scale-up via Civo API
- Add node-labeler to auto-tag nodes by pool membership for nodeSelector scheduling
- Set up mTLS container registry at registry.nge6.com (Forgejo built-in, client cert required)
- Add internal registry route (registry-internal.nge6.com) for in-cluster image pulls
- Fix DNS records for new Emissary LB IP (212.2.241.28)
- Fix CoreDNS crash from invalid custom config
- Fix Emissary apiext expired webhook CA certificate

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
# Forgejo namespace
|
|
apiVersion: kubernetes.crossplane.io/v1alpha2
|
|
kind: Object
|
|
metadata:
|
|
name: forgejo-namespace
|
|
namespace: crossplane-system
|
|
spec:
|
|
providerConfigRef:
|
|
name: kubernetes-provider
|
|
forProvider:
|
|
manifest:
|
|
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
name: forgejo
|
|
---
|
|
# Forgejo ConfigMap
|
|
apiVersion: kubernetes.crossplane.io/v1alpha2
|
|
kind: Object
|
|
metadata:
|
|
name: forgejo-config
|
|
namespace: crossplane-system
|
|
spec:
|
|
providerConfigRef:
|
|
name: kubernetes-provider
|
|
forProvider:
|
|
manifest:
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: forgejo-config
|
|
namespace: forgejo
|
|
data:
|
|
app.ini: |
|
|
APP_NAME = Forgejo: Beyond coding. We forge.
|
|
RUN_MODE = prod
|
|
|
|
[server]
|
|
DOMAIN = git.nge6.com
|
|
SSH_DOMAIN = git.nge6.com
|
|
HTTP_PORT = 3000
|
|
ROOT_URL = https://git.nge6.com/
|
|
DISABLE_SSH = true
|
|
SSH_PORT = 2222
|
|
SSH_LISTEN_PORT = 2222
|
|
START_SSH_SERVER = false
|
|
LFS_START_SERVER = true
|
|
OFFLINE_MODE = false
|
|
|
|
[packages]
|
|
ENABLED = true
|
|
CONTAINER_REGISTRY_TOKEN_REALM = https://registry.nge6.com
|
|
|
|
[database]
|
|
DB_TYPE = sqlite3
|
|
PATH = /data/gitea/gitea.db
|
|
|
|
[repository]
|
|
ROOT = /data/git/repositories
|
|
|
|
[security]
|
|
INSTALL_LOCK = true
|
|
SECRET_KEY = forgejo-secret-key-change-this-in-production-please
|
|
INTERNAL_TOKEN = forgejo-internal-token-change-this-in-production-too
|
|
|
|
[service]
|
|
DISABLE_REGISTRATION = false
|
|
REQUIRE_SIGNIN_VIEW = false
|
|
ENABLE_NOTIFY_MAIL = false
|
|
|
|
[picture]
|
|
DISABLE_GRAVATAR = false
|
|
ENABLE_FEDERATED_AVATAR = true
|
|
|
|
[openid]
|
|
ENABLE_OPENID_SIGNIN = false
|
|
ENABLE_OPENID_SIGNUP = false
|
|
|
|
[log]
|
|
MODE = console
|
|
LEVEL = Info
|
|
ROOT_PATH = /data/gitea/log
|
|
---
|
|
# Forgejo PVC for data persistence
|
|
apiVersion: kubernetes.crossplane.io/v1alpha2
|
|
kind: Object
|
|
metadata:
|
|
name: forgejo-data-pvc
|
|
namespace: crossplane-system
|
|
spec:
|
|
providerConfigRef:
|
|
name: kubernetes-provider
|
|
forProvider:
|
|
manifest:
|
|
apiVersion: v1
|
|
kind: PersistentVolumeClaim
|
|
metadata:
|
|
name: forgejo-data
|
|
namespace: forgejo
|
|
spec:
|
|
accessModes:
|
|
- ReadWriteOnce
|
|
storageClassName: civo-volume
|
|
resources:
|
|
requests:
|
|
storage: 10Gi
|
|
---
|
|
# Forgejo Deployment
|
|
apiVersion: kubernetes.crossplane.io/v1alpha2
|
|
kind: Object
|
|
metadata:
|
|
name: forgejo-deployment
|
|
namespace: crossplane-system
|
|
spec:
|
|
providerConfigRef:
|
|
name: kubernetes-provider
|
|
forProvider:
|
|
manifest:
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: forgejo
|
|
namespace: forgejo
|
|
labels:
|
|
app: forgejo
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: forgejo
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: forgejo
|
|
spec:
|
|
initContainers:
|
|
- name: setup-config
|
|
image: busybox:1.36
|
|
command: ['sh', '-c']
|
|
args:
|
|
- |
|
|
mkdir -p /data/gitea/conf /data/gitea/log /data/git/repositories /data/git/.ssh
|
|
cp /tmp/app.ini /data/gitea/conf/app.ini
|
|
touch /data/git/.ssh/authorized_keys
|
|
chown -R 1000:1000 /data
|
|
volumeMounts:
|
|
- name: data
|
|
mountPath: /data
|
|
- name: config
|
|
mountPath: /tmp
|
|
containers:
|
|
- name: forgejo
|
|
image: codeberg.org/forgejo/forgejo:9.0.2
|
|
ports:
|
|
- containerPort: 3000
|
|
name: http
|
|
- containerPort: 2222
|
|
name: ssh
|
|
env:
|
|
- name: USER_UID
|
|
value: "1000"
|
|
- name: USER_GID
|
|
value: "1000"
|
|
resources:
|
|
limits:
|
|
cpu: 1000m
|
|
memory: 2Gi
|
|
requests:
|
|
cpu: 100m
|
|
memory: 512Mi
|
|
volumeMounts:
|
|
- name: data
|
|
mountPath: /data
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /
|
|
port: 3000
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 10
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /
|
|
port: 3000
|
|
initialDelaySeconds: 60
|
|
periodSeconds: 30
|
|
volumes:
|
|
- name: data
|
|
persistentVolumeClaim:
|
|
claimName: forgejo-data
|
|
- name: config
|
|
configMap:
|
|
name: forgejo-config
|
|
---
|
|
# Forgejo HTTP Service
|
|
apiVersion: kubernetes.crossplane.io/v1alpha2
|
|
kind: Object
|
|
metadata:
|
|
name: forgejo-http-service
|
|
namespace: crossplane-system
|
|
spec:
|
|
providerConfigRef:
|
|
name: kubernetes-provider
|
|
forProvider:
|
|
manifest:
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: forgejo-http
|
|
namespace: forgejo
|
|
labels:
|
|
app: forgejo
|
|
spec:
|
|
selector:
|
|
app: forgejo
|
|
ports:
|
|
- name: http
|
|
port: 3000
|
|
targetPort: 3000
|
|
type: ClusterIP
|
|
---
|
|
# Forgejo SSH Service
|
|
apiVersion: kubernetes.crossplane.io/v1alpha2
|
|
kind: Object
|
|
metadata:
|
|
name: forgejo-ssh-service
|
|
namespace: crossplane-system
|
|
spec:
|
|
providerConfigRef:
|
|
name: kubernetes-provider
|
|
forProvider:
|
|
manifest:
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: forgejo-ssh
|
|
namespace: forgejo
|
|
labels:
|
|
app: forgejo
|
|
spec:
|
|
selector:
|
|
app: forgejo
|
|
ports:
|
|
- name: ssh
|
|
port: 2222
|
|
targetPort: 2222
|
|
type: LoadBalancer
|
|
---
|
|
# SSL Certificate for Forgejo
|
|
apiVersion: kubernetes.crossplane.io/v1alpha2
|
|
kind: Object
|
|
metadata:
|
|
name: forgejo-certificate
|
|
namespace: crossplane-system
|
|
spec:
|
|
providerConfigRef:
|
|
name: kubernetes-provider
|
|
forProvider:
|
|
manifest:
|
|
apiVersion: cert-manager.io/v1
|
|
kind: Certificate
|
|
metadata:
|
|
name: forgejo-tls
|
|
namespace: emissary
|
|
spec:
|
|
secretName: forgejo-tls
|
|
issuerRef:
|
|
name: letsencrypt-dns
|
|
kind: ClusterIssuer
|
|
dnsNames:
|
|
- git.nge6.com
|
|
---
|
|
# Ambassador Host for Forgejo
|
|
apiVersion: kubernetes.crossplane.io/v1alpha2
|
|
kind: Object
|
|
metadata:
|
|
name: forgejo-host
|
|
namespace: crossplane-system
|
|
spec:
|
|
providerConfigRef:
|
|
name: kubernetes-provider
|
|
forProvider:
|
|
manifest:
|
|
apiVersion: getambassador.io/v3alpha1
|
|
kind: Host
|
|
metadata:
|
|
name: forgejo-host
|
|
namespace: emissary
|
|
spec:
|
|
hostname: git.nge6.com
|
|
tlsSecret:
|
|
name: forgejo-tls
|
|
---
|
|
# Ambassador Mapping for Forgejo
|
|
apiVersion: kubernetes.crossplane.io/v1alpha2
|
|
kind: Object
|
|
metadata:
|
|
name: forgejo-mapping
|
|
namespace: crossplane-system
|
|
spec:
|
|
providerConfigRef:
|
|
name: kubernetes-provider
|
|
forProvider:
|
|
manifest:
|
|
apiVersion: getambassador.io/v3alpha1
|
|
kind: Mapping
|
|
metadata:
|
|
name: forgejo-mapping
|
|
namespace: emissary
|
|
spec:
|
|
hostname: git.nge6.com
|
|
prefix: /
|
|
service: http://pomerium-allinone.pomerium:443
|
|
timeout_ms: 30000
|
|
connect_timeout_ms: 10000 |
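Review bot: The `[security]` block of `app.ini` in the `forgejo-config` ConfigMap carries `SECRET_KEY` and `INTERNAL_TOKEN` as plain literals (`forgejo-secret-key-change-this-in-production-please`, `forgejo-internal-token-change-this-in-production-too`), and because `INSTALL_LOCK = true` these placeholder values are what the instance will actually run with; a ConfigMap is readable by anyone with namespace read access and this file is committed to the repository, and the commit does not generate or rotate them. Move both values into a Kubernetes Secret created out of band and inject them through the container environment, which the Forgejo image maps onto `app.ini` (`FORGEJO__security__SECRET_KEY`, `FORGEJO__security__INTERNAL_TOKEN` — confirm the exact prefix against the image version in use), then drop the two lines from the ConfigMap. The same review applies to the `forgejo-http`/`forgejo-ssh` routing only insofar as the Deployment's `env:` list is the place to add the references; the Secret itself must not be added to this manifest set. Separately, `DISABLE_REGISTRATION = false` on a publicly routed host is worth a comment stating that open sign-up is intended, e.g. `# open registration is deliberate; revisit once Keycloak OIDC login is wired up`.

```yaml
# … unchanged: Deployment container spec up to env …
env:
  - name: USER_UID
    value: "1000"
  - name: USER_GID
    value: "1000"
  - name: FORGEJO__security__SECRET_KEY
    valueFrom:
      secretKeyRef:
        name: FORGEJO_SECRET_NAME  # placeholder: Secret created outside this manifest set
        key: SECRET_KEY
  - name: FORGEJO__security__INTERNAL_TOKEN
    valueFrom:
      secretKeyRef:
        name: FORGEJO_SECRET_NAME  # placeholder: same Secret as above
        key: INTERNAL_TOKEN
# … unchanged: resources, volumeMounts, probes …
```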