multi-cluster

infra/values/base/gitea-actions-values.yaml

@@ -0,0 +1,36 @@
+## Gitea Act Runner - Helm values
+## Chart: actions v0.0.5 (https://dl.gitea.com/charts)
+
+enabled: true
+
+giteaRootURL: https://git.forteapps.net
+
+existingSecret: gitea-runner-token
+existingSecretKey: token
+
+statefulset:
+  replicas: 3
+
+  resources:
+    requests:
+      cpu: 250m
+      memory: 256Mi
+    limits:
+      cpu: "1"
+      memory: 1Gi
+
+  actRunner:
+    config: |
+      log:
+        level: info
+      cache:
+        enabled: false
+      container:
+        require_docker: true
+        docker_timeout: 300s
+      runner:
+        labels:
+          - "ubuntu-latest:docker://catthehacker/ubuntu:act-22.04"
+          - "ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04"
+  dind:
+    rootless: false

infra/values/base/gitea-values.yaml

@@ -0,0 +1,181 @@
+# Gitea Helm Chart Values
+# Host: git.forteapps.net
+# Chart: gitea v12.5.0 (app v1.25.4)
+# Repo: https://dl.gitea.com/charts
+
+# -- Admin account (password from sealed secret)
+gitea:
+  admin:
+    existingSecret: gitea-credentials
+    email: admin@forteapps.net
+
+  # -- Gitea app.ini configuration
+  config:
+    APP_NAME: "Forte Git"
+
+    server:
+      DOMAIN: git.forteapps.net
+      ROOT_URL: https://git.forteapps.net
+      SSH_DOMAIN: git.forteapps.net
+      SSH_PORT: 2222
+      LFS_START_SERVER: true
+      ENABLE_GITEA_PAGES: true
+      ENABLE_BASIC_AUTH_CHALLENGE: true
+
+    service:
+      DISABLE_REGISTRATION: false
+      DEFAULT_ALLOW_CREATE_ORGANIZATION: false
+      REQUIRE_SIGNIN_VIEW: false
+      ALLOW_ONLY_EXTERNAL_REGISTRATION: true
+      ENABLE_BASIC_AUTHENTICATION: true
+      ENABLE_PASSWORD_SIGNIN_FORM: false
+      ENABLE_NOTIFY_MAIL: true
+
+    openid:
+      ENABLE_OPENID_SIGNIN: false
+      ENABLE_OPENID_SIGNUP: false
+
+    oauth2:
+      ENABLED: true
+      ENABLE_AUTO_REGISTRATION: true
+      USERNAME: email
+
+    session:
+      PROVIDER: db
+
+    cache:
+      ADAPTER: memory
+
+    database:
+      DB_TYPE: postgres
+
+    metrics:
+      ENABLED: true
+
+    repository:
+      DEFAULT_BRANCH: main
+      DEFAULT_PRIVATE: last
+
+    actions:
+      ENABLED: true
+
+    packages:
+      ENABLED: true
+
+    indexer:
+      ISSUE_INDEXER_TYPE: bleve
+      REPO_INDEXER_ENABLED: true
+
+    mailer:
+      ENABLED: true
+      PROTOCOL: smtp+starttls
+      SMTP_ADDR: smtp.office365.com
+      SMTP_PORT: 587
+      FROM: "noreply@fortedigital.com"
+
+    admin:
+      DEFAULT_EMAIL_NOTIFICATIONS: enabled
+
+  # -- SMTP credentials injected from secret (USER and PASSWD)
+  additionalConfigFromEnvs:
+  - name: GITEA__mailer__USER
+    valueFrom:
+      secretKeyRef:
+        name: gitea-smtp-secret
+        key: username
+  - name: GITEA__mailer__PASSWD
+    valueFrom:
+      secretKeyRef:
+        name: gitea-smtp-secret
+        key: password
+  # -- OIDC authentication via Forte
+  oauth:
+  - name: "Forte"
+    provider: "openidConnect"
+    existingSecret: gitea-oidc-credentials
+    key: gitea
+    autoDiscoverUrl: "https://id.forteapps.net/realms/forte/.well-known/openid-configuration"
+    scopes: "openid email profile organization"
+    groupClaimName: "groups"
+    adminGroup: ""
+    restrictedGroup: ""
+  # -- Prometheus metrics (scraped via annotations, no ServiceMonitor CRD needed)
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: false
+
+# -- Ingress via Traefik with Let's Encrypt TLS
+ingress:
+  enabled: true
+  className: traefik
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+  hosts:
+  - host: git.forteapps.net
+    paths:
+    - path: /
+      pathType: Prefix
+  tls:
+  - secretName: gitea-tls
+    hosts:
+    - git.forteapps.net
+
+# -- Git repository storage
+persistence:
+  enabled: true
+  size: 10Gi
+  accessModes:
+  - ReadWriteOnce
+  storageClass: upcloud-block-storage-maxiops
+
+# -- Recreate strategy to avoid Multi-Attach errors with RWO volumes
+strategy:
+  type: Recreate
+
+# -- Pod resources
+resources:
+  requests:
+    cpu: 100m
+    memory: 256Mi
+  limits:
+    cpu: 500m
+    memory: 512Mi
+
+# -- Embedded PostgreSQL (Bitnami subchart)
+# Password auto-generated by the subchart; Gitea chart auto-wires the connection.
+postgresql:
+  enabled: true
+  auth:
+    username: gitea
+    database: gitea
+  primary:
+    persistence:
+      enabled: true
+      size: 8Gi
+      storageClass: upcloud-block-storage-maxiops
+    resources:
+      requests:
+        cpu: 100m
+        memory: 256Mi
+      limits:
+        cpu: 500m
+        memory: 512Mi
+
+# -- Disable PostgreSQL HA (using single-instance postgresql above)
+postgresql-ha:
+  enabled: false
+
+# -- Disable Redis cluster (use in-memory cache instead)
+redis-cluster:
+  enabled: false
+
+# -- Disable test pod
+test:
+  enabled: false
+
+# -- SSH service (ClusterIP, exposed externally via Traefik TCP IngressRoute on port 2222)
+service:
+  ssh:
+    type: ClusterIP
+    port: 22

infra/values/base/opencost-values.yaml

@@ -0,0 +1,30 @@
+opencost:
+  exporter:
+    defaultClusterId: launchpad
+    extraEnv:
+      EMIT_KSM_V1_METRICS: "false"
+      EMIT_KSM_V1_METRICS_ONLY: "true"
+    prometheus:
+      internal:
+        enabled: true
+        serviceName: prometheus-server
+        namespaceName: monitoring
+        port: 80
+    customPricing:
+      enabled: true
+      provider: custom
+      costModel:
+        description: "UpCloud 4-node cluster pricing"
+        CPU: "5.86"
+        RAM: "1.46"
+        GPU: "0"
+        storage: "0.34"
+        zoneNetworkEgress: "0"
+        regionNetworkEgress: "0"
+        internetNetworkEgress: "0"
+  ui:
+    enabled: false
+service:
+  annotations:
+    prometheus.io/scrape: "true"
+    prometheus.io/port: "9003"

infra/values/base/renovate-values.yaml

@@ -0,0 +1,45 @@
+cronjob:
+  schedule: "@daily"
+  concurrencyPolicy: Forbid
+
+renovate:
+  config: |
+    {
+      "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+      "platform": "gitea",
+      "endpoint": "https://git.forteapps.net",
+      "autodiscover": true,
+      "gitAuthor": "Renovate Bot <renovate@forteapps.net>",
+      "packageRules": [
+        {
+          "matchRepositories": ["**/10x"],
+          "assignees": ["edvard.unsvag"],
+          "reviewers": ["edvard.unsvag"]
+        },
+        {
+          "matchRepositories": ["**/auth-sidecar"],
+          "assignees": ["danijel.simeunovic"],
+          "reviewers": ["danijel.simeunovic"]
+        },
+        {
+          "matchRepositories": ["**/forte-helm"],
+          "assignees": ["danijel.simeunovic"],
+          "reviewers": ["danijel.simeunovic"]
+        }
+      ]
+    }
+
+envFrom:
+- secretRef:
+    name: renovate-env
+
+env:
+  LOG_LEVEL: info
+
+resources:
+  requests:
+    cpu: 500m
+    memory: 1Gi
+  limits:
+    cpu: "2"
+    memory: 4Gi

infra/values/base/tempo-values.yaml

@@ -0,0 +1,34 @@
+tempo:
+  metricsGenerator:
+    enabled: true
+    remoteWriteUrl: "http://prometheus-server.monitoring.svc.cluster.local/api/v1/write"
+  overrides:
+    defaults:
+      metrics_generator:
+        processors:
+        - service-graphs
+        - span-metrics
+  storage:
+    trace:
+      backend: local
+      local:
+        path: /var/tempo/traces
+  receivers:
+    otlp:
+      protocols:
+        grpc:
+          endpoint: "0.0.0.0:4317"
+        http:
+          endpoint: "0.0.0.0:4318"
+
+persistence:
+  enabled: true
+  size: 10Gi
+
+resources:
+  requests:
+    cpu: 50m
+    memory: 256Mi
+  limits:
+    cpu: 100m
+    memory: 512Mi