migration

infra/gitea-actions.yaml

@@ -40,3 +40,9 @@ spec:
     - CreateNamespace=true
     - Validate=true
     - ServerSideApply=true
+
+  ignoreDifferences:
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/volumeClaimTemplates

infra/gitea.yaml

@@ -40,3 +40,9 @@ spec:
     - CreateNamespace=true
     - Validate=true
     - ServerSideApply=true
+
+  ignoreDifferences:
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/volumeClaimTemplates

infra/traefik-application.yaml

@@ -76,6 +76,10 @@ spec:
                       {
                           "name": "websecure",
                           "mode": "tcp"
+                      },
+                      {
+                          "name": "giteassh",
+                          "mode": "tcp"
                       }
                   ],
                   "backends": [
@@ -90,6 +94,9 @@ spec:
                           "properties": {
                               "outbound_proxy_protocol": "v2"
                           }
+                      },
+                      {
+                          "name": "giteassh"
                       }
                   ]
               }
@@ -129,6 +136,13 @@ spec:
               metrics: true
               tracing: true
 
+          giteassh:
+            port: 2222
+            expose:
+              default: true
+            exposedPort: 2222
+            protocol: TCP
+
   destination:
     server: https://kubernetes.default.svc
     namespace: traefik-system

infra/values/gitea-actions-values.yaml

@@ -3,7 +3,7 @@
 
 enabled: true
 
-giteaRootURL: http://gitea-http.gitea.svc.cluster.local:3000
+giteaRootURL: https://git.forteapps.net
 
 existingSecret: gitea-runner-token
 existingSecretKey: token
@@ -30,8 +30,7 @@ statefulset:
         docker_timeout: 300s
       runner:
         labels:
-          - "ubuntu-latest:docker://node:20-bookworm"
-          - "ubuntu-22.04:docker://node:20-bookworm"
-
+          - "ubuntu-latest:docker://catthehacker/ubuntu:act-22.04"
+          - "ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04"
   dind:
     rootless: false

infra/values/gitea-values.yaml

@@ -17,13 +17,17 @@ gitea:
       DOMAIN: git.forteapps.net
       ROOT_URL: https://git.forteapps.net
       SSH_DOMAIN: git.forteapps.net
-      SSH_PORT: 22
+      SSH_PORT: 2222
       LFS_START_SERVER: true
+      ENABLE_GITEA_PAGES: true
 
     service:
       DISABLE_REGISTRATION: false
+      DEFAULT_ALLOW_CREATE_ORGANIZATION: false
       REQUIRE_SIGNIN_VIEW: false
       ALLOW_ONLY_EXTERNAL_REGISTRATION: true
+      ENABLE_BASIC_AUTHENTICATION: true
+      ENABLE_PASSWORD_SIGNIN_FORM: false
 
     openid:
       ENABLE_OPENID_SIGNIN: false
@@ -67,8 +71,8 @@ gitea:
     existingSecret: gitea-credentials
     key: gitea
     autoDiscoverUrl: "https://id.forteapps.net/realms/forte/.well-known/openid-configuration"
-    scopes: "openid email profile"
-    groupClaimName: ""
+    scopes: "openid email profile organization"
+    groupClaimName: "groups"
     adminGroup: ""
     restrictedGroup: ""
   # -- Prometheus metrics (scraped via annotations, no ServiceMonitor CRD needed)
@@ -146,7 +150,7 @@ redis-cluster:
 test:
   enabled: false
 
-# -- SSH service (ClusterIP for now; enable NodePort if SSH access needed)
+# -- SSH service (ClusterIP, exposed externally via Traefik TCP IngressRoute on port 2222)
 service:
   ssh:
     type: ClusterIP

infra/values/opencost-values.yaml

@@ -15,10 +15,10 @@ opencost:
       provider: custom
       costModel:
         description: "UpCloud 4-node cluster pricing"
-        CPU: "6.07"
-        RAM: "1.52"
+        CPU: "5.86"
+        RAM: "1.46"
         GPU: "0"
-        storage: "0.03"
+        storage: "0.34"
         zoneNetworkEgress: "0"
         regionNetworkEgress: "0"
         internetNetworkEgress: "0"