Added forgejo deployment
All checks were successful
CI Smoke / host-smoke (push) Successful in 0s
CI Smoke / container-smoke (push) Successful in 1s

This commit is contained in:
tegwick 2026-07-04 13:26:07 +02:00
parent b78877b5f7
commit 37d9b0e271
4 changed files with 119 additions and 1 deletions

View file

@ -53,6 +53,19 @@ db-shell: ## Open psql shell on gitea-db primary
db-logs: ## Tail gitea-db primary logs
$(KUBECTL) logs -n databases -l cnpg.io/cluster=gitea-db -f --tail=50
##@ Forgejo database (railiance01 production forge)
forgejo-db-deploy: ## Apply forgejo-db cnpg Cluster + NetworkPolicies on railiance01
$(KUBECTL) apply -f helm/forgejo-db-cluster.yaml
$(KUBECTL) apply -f helm/forgejo-db-networkpolicies.yaml
forgejo-db-status: ## Show forgejo-db cnpg cluster health
$(KUBECTL) cnpg status forgejo-db -n databases 2>/dev/null || \
$(KUBECTL) get cluster forgejo-db -n databases -o wide
forgejo-db-shell: ## Open psql shell on forgejo-db primary
$(KUBECTL) cnpg psql forgejo-db -n databases -- -U forgejo forgejo
##@ Shared apps-pg (S5 application databases)
apps-pg-deploy: ## Apply shared apps-pg cnpg Cluster + NetworkPolicies
@ -342,4 +355,4 @@ help: ## Show this help
/^[a-zA-Z_-]+:.*?##/ { printf " \033[36m%-22s\033[0m %s\n", $$1, $$2 } \
/^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) }' $(MAKEFILE_LIST)
.PHONY: db-deploy db-status db-shell db-logs apps-pg-deploy apps-pg-status apps-pg-shell apps-pg-logs net-kingdom-pg-inter-hub-networkpolicy-deploy pg-deploy pg-status pg-pgpool-check valkey-deploy valkey-status openbao-repo openbao-dry-run openbao-overlay-apply openbao-verify-login-overlay openbao-deploy openbao-status openbao-verify openbao-verify-post-unseal openbao-configure-initial openbao-configure-ssh openbao-verify-ssh openbao-verify-authenticated openbao-configure-external-secrets-issue-core openbao-configure-external-secrets-activity-core openbao-validate-restore-evidence openbao-validate-emergency-evidence credential-grants-validate credential-change-applier-dry-run credential-change-applier-apply-plan credential-change-applier-apply credential-change-runbook credential-change-record-evidence credential-change-lifecycle-plan credential-change-lifecycle-event credential-change-import-inventory openbao-credential-change-appliers-dry-run openbao-configure-credential-change-appliers openbao-token-grants-dry-run openbao-configure-token-grants openbao-verify-token-grants-dry-run openbao-verify-token-grants openbao-verify-token-grants-smoke credential-helper-dry-run credential-tests credential-exec-ops-warden-smoke argocd-bootstrap-dry-run argocd-bootstrap-deploy argocd-repo-apply argocd-status backup help
.PHONY: db-deploy db-status db-shell db-logs forgejo-db-deploy forgejo-db-status forgejo-db-shell apps-pg-deploy apps-pg-status apps-pg-shell apps-pg-logs net-kingdom-pg-inter-hub-networkpolicy-deploy pg-deploy pg-status pg-pgpool-check valkey-deploy valkey-status openbao-repo openbao-dry-run openbao-overlay-apply openbao-verify-login-overlay openbao-deploy openbao-status openbao-verify openbao-verify-post-unseal openbao-configure-initial openbao-configure-ssh openbao-verify-ssh openbao-verify-authenticated openbao-configure-external-secrets-issue-core openbao-configure-external-secrets-activity-core openbao-validate-restore-evidence openbao-validate-emergency-evidence credential-grants-validate credential-change-applier-dry-run credential-change-applier-apply-plan credential-change-applier-apply credential-change-runbook credential-change-record-evidence credential-change-lifecycle-plan credential-change-lifecycle-event credential-change-import-inventory openbao-credential-change-appliers-dry-run openbao-configure-credential-change-appliers openbao-token-grants-dry-run openbao-configure-token-grants openbao-verify-token-grants-dry-run openbao-verify-token-grants openbao-verify-token-grants-smoke credential-helper-dry-run credential-tests credential-exec-ops-warden-smoke argocd-bootstrap-dry-run argocd-bootstrap-deploy argocd-repo-apply argocd-status backup help

View file

@ -0,0 +1,31 @@
---
# CNPG cluster for Forgejo (railiance01 production forge).
# Managed by railiance-platform (S3). Operator: cnpg-system.
#
# Apply: KUBECONFIG=~/.kube/config-hosteurope make forgejo-db-deploy
# Status: make forgejo-db-status
#
# Pre-condition: forgejo-db-credentials Secret in databases namespace.
# See helm/forgejo-db-secret.sops.yaml.template
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: forgejo-db
namespace: databases
labels:
app.kubernetes.io/name: forgejo-db
app.kubernetes.io/component: database
app.kubernetes.io/managed-by: manual
railiance.io/layer: s3-platform
railiance.io/consumer: forgejo
spec:
instances: 1
imageName: ghcr.io/cloudnative-pg/postgresql:16
storage:
size: 10Gi
bootstrap:
initdb:
database: forgejo
owner: forgejo
secret:
name: forgejo-db-credentials

View file

@ -0,0 +1,61 @@
---
# NetworkPolicies for forgejo-db CNPG cluster on railiance01.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-egress-kube-api-forgejo-db
namespace: databases
spec:
podSelector:
matchLabels:
cnpg.io/cluster: forgejo-db
policyTypes:
- Egress
egress:
- ports:
- port: 6443
protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-ingress-from-cnpg-operator-forgejo-db
namespace: databases
spec:
podSelector:
matchLabels:
cnpg.io/cluster: forgejo-db
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: cnpg-system
ports:
- port: 5432
protocol: TCP
- port: 8000
protocol: TCP
- port: 9187
protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-ingress-from-forgejo-forgejo-db
namespace: databases
spec:
podSelector:
matchLabels:
cnpg.io/cluster: forgejo-db
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: forgejo
ports:
- port: 5432
protocol: TCP

View file

@ -0,0 +1,13 @@
# Template for forgejo-db-credentials (databases namespace).
# Encrypt: sops -e -i helm/forgejo-db-secret.sops.yaml
# Apply: KUBECONFIG=~/.kube/config-hosteurope kubectl apply -f <(sops -d helm/forgejo-db-secret.sops.yaml)
---
apiVersion: v1
kind: Secret
metadata:
name: forgejo-db-credentials
namespace: databases
type: kubernetes.io/basic-auth
stringData:
username: forgejo
password: REPLACE_WITH_PASSWORD