Forte/launchpad
6
0
Fork 0
Code Issues Pull Requests Actions Packages Wiki Activity

Compare commits

base: Forte:03d526208be551cdd1cbafdf689460a49eaf5555
Branches Tags
Forte:main Forte:fix/drop-duplicate-keycloak-secret Forte:feature/dns01 Forte:feat/forte-drop-infra Forte:feature/ppusher Forte:feature/chibisafe Forte:hotfix/backup Forte:feature/vault-migration Forte:feature/hashicorp-vault Forte:feature/homepage Forte:feature/argocd-rbac Forte:feature/argocd-tls Forte:feature/multi-cloud Forte:feature/karpor Forte:feature/backstage Forte:feature/ai-review Forte:gitea-pages Forte:feature/gitea-docs Forte:feature/multicluster Forte:feature/secret-syncing Forte:feature/smtp Forte:renovate/configure
..
compare: Forte:feature/karpor
Branches Tags
Forte:main Forte:fix/drop-duplicate-keycloak-secret Forte:feature/dns01 Forte:feat/forte-drop-infra Forte:feature/ppusher Forte:feature/chibisafe Forte:hotfix/backup Forte:feature/vault-migration Forte:feature/hashicorp-vault Forte:feature/homepage Forte:feature/argocd-rbac Forte:feature/argocd-tls Forte:feature/multi-cloud Forte:feature/karpor Forte:feature/backstage Forte:feature/ai-review Forte:gitea-pages Forte:feature/gitea-docs Forte:feature/multicluster Forte:feature/secret-syncing Forte:feature/smtp Forte:renovate/configure

11 Commits
03d526208b ... feature/ka

Author SHA1 Message Date
Danijel Simeunovic
3f0f70699b karpor 2026-04-24 09:43:16 +02:00
Danijel Simeunovic
06522b2f19 ts-mcp 2026-04-23 14:44:33 +02:00
Danijel Simeunovic
4c65035485 ns 2026-04-23 14:11:45 +02:00
Danijel Simeunovic
84f4bebc08 ts-mcp 2026-04-23 13:41:51 +02:00
Danijel Simeunovic
5394b2c714 ts-mcp 2026-04-23 13:40:33 +02:00
Danijel Simeunovic
c4e586a7be ts-mcp 2026-04-23 13:38:47 +02:00
Danijel Simeunovic
1fa070b041 argo 2026-04-23 13:35:42 +02:00
Danijel Simeunovic
9c905355e3 argocd known host 2026-04-23 13:28:34 +02:00
Danijel Simeunovic
6b1115ec28 argocd disable submodule 2026-04-23 13:09:02 +02:00
Danijel Simeunovic
2fb276a62c ts-mcp 2026-04-23 13:02:00 +02:00
Danijel Simeunovic
3efe1b68ef auth doc 2026-04-23 10:05:15 +02:00
62 changed files with 312 additions and 1151 deletions
Expand all files Collapse all files

1
.gitea/workflows/ai-review.yaml
View File

@@ -34,7 +34,6 @@ jobs:
with: with:
submodules: true submodules: true
fetch-depth: 0 fetch-depth: 0
token: ${{ secrets.AI_REVIEW_TOKEN }}
- name: Run inline review - name: Run inline review
uses: docker://nikitafilonov/ai-review:v0.64.0 uses: docker://nikitafilonov/ai-review:v0.64.0

40
README.md
View File

@@ -1,9 +1,9 @@
# Kubernetes Cluster - GitOps Configuration # Kubernetes Cluster - GitOps Configuration
> **Kubernetes cluster bootstrapping and GitOps configuration repository** using ArgoCD for multi-cloud Kubernetes (UpCloud, AWS EKS, Azure AKS, GCP GKE) > **Kubernetes cluster bootstrapping and GitOps configuration repository** using ArgoCD for UpCloud Managed Kubernetes
[![GitOps](https://img.shields.io/badge/GitOps-ArgoCD-blue)](https://argoproj.github.io/cd/) [![GitOps](https://img.shields.io/badge/GitOps-ArgoCD-blue)](https://argoproj.github.io/cd/)
[![Kubernetes](https://img.shields.io/badge/Kubernetes-Multi--Cloud-orange)]() [![Kubernetes](https://img.shields.io/badge/Kubernetes-UpCloud-orange)](https://upcloud.com/)
--- ---
@@ -95,26 +95,14 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
│ │ ├── renovate.yaml │ │ ├── renovate.yaml
│ │ ├── ... # All other Application manifests │ │ ├── ... # All other Application manifests
│ │ └── secrets.yaml │ │ └── secrets.yaml
│ ├── overlays/ # Per-cluster overrides (Kustomize) │ ├── overlays/ # Per-cluster overrides
│ │ ├── upc-dev/ # UpCloud Dev (uses base as-is) │ │ ├── upc-dev/ # UpCloud Dev cluster (uses base as-is)
│ │ ── upc-prod/ # UpCloud Prod (patches value paths) │ │ ── upc-prod/ # UpCloud Prod cluster (patches value paths)
│ │ ├── aws-dev/ # AWS EKS Dev
│ │ ├── aws-prod/ # AWS EKS Prod
│ │ ├── azure-dev/ # Azure AKS Dev
│ │ ├── azure-prod/ # Azure AKS Prod
│ │ ├── gcp-dev/ # GCP GKE Dev
│ │ └── gcp-prod/ # GCP GKE Prod
│ ├── dashboards/ # Grafana dashboard ConfigMaps │ ├── dashboards/ # Grafana dashboard ConfigMaps
│ └── values/ # Helm value overrides │ └── values/ # Helm value overrides
│ ├── base/ # Shared cloud-agnostic values │ ├── base/ # Shared values (all clusters)
│ ├── upc-dev/ # UpCloud Dev (storage, LB, pricing) │ ├── upc-dev/ # UpCloud Dev-specific values
── upc-prod/ # UpCloud Prod ── upc-prod/ # UpCloud Prod-specific values
│ ├── aws-dev/ # AWS EKS Dev
│ ├── aws-prod/ # AWS EKS Prod
│ ├── azure-dev/ # Azure AKS Dev
│ ├── azure-prod/ # Azure AKS Prod
│ ├── gcp-dev/ # GCP GKE Dev
│ └── gcp-prod/ # GCP GKE Prod
├── apps/ # Business Applications ├── apps/ # Business Applications
│ ├── mcp10x.yaml │ ├── mcp10x.yaml
@@ -373,7 +361,7 @@ kubectl patch application myapp -n argocd \
## 📖 Key Concepts ## 📖 Key Concepts
### App-of-Apps Pattern ### App-of-Apps Pattern
`_app-of-apps-{cluster}.yaml` is the root Application that manages all other Applications in `infra/`. Kustomize overlays in `infra/overlays/{cluster}/` render the base Applications with per-cluster patches (e.g., swapping value file paths). Supported clusters: `upc-dev`, `upc-prod`, `aws-dev`, `aws-prod`, `azure-dev`, `azure-prod`, `gcp-dev`, `gcp-prod`. `_app-of-apps.yaml` is the root Application that manages all other Applications in `infra/`. Kustomize overlays in `infra/overlays/{upc-dev,upc-prod}/` render the base Applications with per-cluster patches (e.g., swapping value file paths from `upc-dev` to `upc-prod`).
### Multi-Source Pattern ### Multi-Source Pattern
Applications reference both: Applications reference both:
@@ -470,14 +458,16 @@ Documentation lives in `docs/`. To update:
## 📝 Notes ## 📝 Notes
### Current Environment ### Current Environment
- **Provider**: Multi-cloud (UpCloud, AWS EKS, Azure AKS, GCP GKE) - **Provider**: UpCloud Managed Kubernetes
- **Active clusters**: UpCloud (upc-dev, upc-prod)
- **Environment**: Production (internal use only) - **Environment**: Production (internal use only)
- **Clusters**: Multi-cluster (upc-dev, upc-prod) via Kustomize overlays
- **Auth**: Disabled for ArgoCD (internal access) - **Auth**: Disabled for ArgoCD (internal access)
- **Backup**: Gitea daily backup to S3-compatible storage - **Backup**: None (cluster rebuildable via GitOps)
### Known Limitations ### Known Limitations
- No automated backups (yet)
- Secret rotation not automated - Secret rotation not automated
- Multi-cluster limited to upc-dev and upc-prod environments
- DNS management is manual - DNS management is manual
**Future improvements**: See [Operations Runbook - Disaster Recovery](docs/OPERATIONS-RUNBOOK.md#disaster-recovery) **Future improvements**: See [Operations Runbook - Disaster Recovery](docs/OPERATIONS-RUNBOOK.md#disaster-recovery)
@@ -514,7 +504,7 @@ Internal use only. Not for public distribution.
--- ---
**Last Updated**: 2026-04-22 **Last Updated**: 2026-03-16
**Documentation Version**: 1.0.0 **Documentation Version**: 1.0.0
**🚀 Ready to get started? Check out the [Documentation Index](docs/README.md)!** **🚀 Ready to get started? Check out the [Documentation Index](docs/README.md)!**

32
_app-of-apps-aws-dev.yaml
View File

@@ -1,32 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: monitoring
annotations:
argocd.argoproj.io/sync-wave: "-1"
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: infrastructure-apps
namespace: argocd
labels:
app.kubernetes.io/name: infrastructure-apps
app.kubernetes.io/part-of: platform
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: git@github.com:fortedigital/sturdy-adventure.git
targetRevision: HEAD
path: infra/overlays/aws-dev
destination:
server: https://kubernetes.default.svc
namespace: default
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

32
_app-of-apps-aws-prod.yaml
View File

@@ -1,32 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: monitoring
annotations:
argocd.argoproj.io/sync-wave: "-1"
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: infrastructure-apps
namespace: argocd
labels:
app.kubernetes.io/name: infrastructure-apps
app.kubernetes.io/part-of: platform
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: git@github.com:fortedigital/sturdy-adventure.git
targetRevision: HEAD
path: infra/overlays/aws-prod
destination:
server: https://kubernetes.default.svc
namespace: default
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

32
_app-of-apps-azure-dev.yaml
View File

@@ -1,32 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: monitoring
annotations:
argocd.argoproj.io/sync-wave: "-1"
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: infrastructure-apps
namespace: argocd
labels:
app.kubernetes.io/name: infrastructure-apps
app.kubernetes.io/part-of: platform
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: git@github.com:fortedigital/sturdy-adventure.git
targetRevision: HEAD
path: infra/overlays/azure-dev
destination:
server: https://kubernetes.default.svc
namespace: default
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

32
_app-of-apps-azure-prod.yaml
View File

@@ -1,32 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: monitoring
annotations:
argocd.argoproj.io/sync-wave: "-1"
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: infrastructure-apps
namespace: argocd
labels:
app.kubernetes.io/name: infrastructure-apps
app.kubernetes.io/part-of: platform
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: git@github.com:fortedigital/sturdy-adventure.git
targetRevision: HEAD
path: infra/overlays/azure-prod
destination:
server: https://kubernetes.default.svc
namespace: default
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

32
_app-of-apps-gcp-dev.yaml
View File

@@ -1,32 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: monitoring
annotations:
argocd.argoproj.io/sync-wave: "-1"
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: infrastructure-apps
namespace: argocd
labels:
app.kubernetes.io/name: infrastructure-apps
app.kubernetes.io/part-of: platform
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: git@github.com:fortedigital/sturdy-adventure.git
targetRevision: HEAD
path: infra/overlays/gcp-dev
destination:
server: https://kubernetes.default.svc
namespace: default
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

32
_app-of-apps-gcp-prod.yaml
View File

@@ -1,32 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: monitoring
annotations:
argocd.argoproj.io/sync-wave: "-1"
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: infrastructure-apps
namespace: argocd
labels:
app.kubernetes.io/name: infrastructure-apps
app.kubernetes.io/part-of: platform
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: git@github.com:fortedigital/sturdy-adventure.git
targetRevision: HEAD
path: infra/overlays/gcp-prod
destination:
server: https://kubernetes.default.svc
namespace: default
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

1
apps/base/kustomization.yaml
View File

@@ -4,4 +4,5 @@ resources:
- dot-ai-stack.yaml - dot-ai-stack.yaml
- mcp10x.yaml - mcp10x.yaml
- musicman.yaml - musicman.yaml
- ts-mcp.yaml
- argo-mcp.yaml - argo-mcp.yaml

40
apps/base/ts-mcp.yaml Normal file
View File

@@ -0,0 +1,40 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: ts-mcp
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "11"
notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
notifications.argoproj.io/subscribe.on-degraded.slack: ""
labels:
app.kubernetes.io/name: ts-mcp
app.kubernetes.io/part-of: apps
app.kubernetes.io/managed-by: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
sources:
- repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
path: forteapp
targetRevision: HEAD
helm:
valueFiles:
- $values/ts-mcp/values.yaml
- repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
targetRevision: HEAD
ref: values
destination:
server: https://kubernetes.default.svc
namespace: ts-mcp
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

6
cluster-resources/gitea-backup-cronjob.yaml
View File

@@ -57,17 +57,17 @@ spec:
- sh - sh
- -c - -c
- | - |
mc alias set s3 "${S3_ENDPOINT}" "${AWS_ACCESS_KEY_ID}" "${AWS_SECRET_ACCESS_KEY}" mc alias set upcloud "${S3_ENDPOINT}" "${AWS_ACCESS_KEY_ID}" "${AWS_SECRET_ACCESS_KEY}"
TIMESTAMP=$(date +%Y%m%d-%H%M%S) TIMESTAMP=$(date +%Y%m%d-%H%M%S)
KEY="gitea-dump-${TIMESTAMP}.zip" KEY="gitea-dump-${TIMESTAMP}.zip"
echo "Uploading ${KEY}..." echo "Uploading ${KEY}..."
mc cp /backup/gitea-dump.zip "s3/${S3_BUCKET}/${KEY}" && \ mc cp /backup/gitea-dump.zip "upcloud/${S3_BUCKET}/${KEY}" && \
echo "Upload complete." echo "Upload complete."
# Prune backups older than 7 days # Prune backups older than 7 days
echo "Pruning backups older than 7 days..." echo "Pruning backups older than 7 days..."
mc rm --older-than 7d --force "s3/${S3_BUCKET}/" 2>&1 || true mc rm --older-than 7d --force "upcloud/${S3_BUCKET}/" 2>&1 || true
echo "Pruning complete." echo "Pruning complete."
envFrom: envFrom:
- secretRef: - secretRef:

10
clusters/aws-dev.yaml
View File

@@ -1,10 +0,0 @@
clusterName: dev-eks # <- adjust to your EKS cluster name
domain: example.com # <- adjust to your domain
argocdDomain: argocd.example.com
grafanaDomain: grafana.example.com
keycloakDomain: id.example.com
dotaiDomain: kubemcp.example.com
dotaiUiDomain: kubemcpui.example.com
letsencryptEmail: admin@example.com # <- adjust
trustedIPs: "10.0.0.0/8" # <- adjust to your VPC CIDR
cloudProvider: aws

10
clusters/aws-prod.yaml
View File

@@ -1,10 +0,0 @@
clusterName: prod-eks # <- adjust to your EKS cluster name
domain: example.com # <- adjust to your domain
argocdDomain: argocd.example.com
grafanaDomain: grafana.example.com
keycloakDomain: id.example.com
dotaiDomain: kubemcp.example.com
dotaiUiDomain: kubemcpui.example.com
letsencryptEmail: admin@example.com # <- adjust
trustedIPs: "10.0.0.0/8" # <- adjust to your VPC CIDR
cloudProvider: aws

10
clusters/azure-dev.yaml
View File

@@ -1,10 +0,0 @@
clusterName: dev-aks # <- adjust to your AKS cluster name
domain: example.com # <- adjust to your domain
argocdDomain: argocd.example.com
grafanaDomain: grafana.example.com
keycloakDomain: id.example.com
dotaiDomain: kubemcp.example.com
dotaiUiDomain: kubemcpui.example.com
letsencryptEmail: admin@example.com # <- adjust
trustedIPs: "10.0.0.0/8,168.63.129.16/32" # <- VNet CIDR + Azure health probe
cloudProvider: azure

10
clusters/azure-prod.yaml
View File

@@ -1,10 +0,0 @@
clusterName: prod-aks # <- adjust to your AKS cluster name
domain: example.com # <- adjust to your domain
argocdDomain: argocd.example.com
grafanaDomain: grafana.example.com
keycloakDomain: id.example.com
dotaiDomain: kubemcp.example.com
dotaiUiDomain: kubemcpui.example.com
letsencryptEmail: admin@example.com # <- adjust
trustedIPs: "10.0.0.0/8,168.63.129.16/32" # <- VNet CIDR + Azure health probe
cloudProvider: azure

10
clusters/gcp-dev.yaml
View File

@@ -1,10 +0,0 @@
clusterName: dev-gke # <- adjust to your GKE cluster name
domain: example.com # <- adjust to your domain
argocdDomain: argocd.example.com
grafanaDomain: grafana.example.com
keycloakDomain: id.example.com
dotaiDomain: kubemcp.example.com
dotaiUiDomain: kubemcpui.example.com
letsencryptEmail: admin@example.com # <- adjust
trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22" # <- subnet CIDR + GCP health checks
cloudProvider: gcp

10
clusters/gcp-prod.yaml
View File

@@ -1,10 +0,0 @@
clusterName: prod-gke # <- adjust to your GKE cluster name
domain: example.com # <- adjust to your domain
argocdDomain: argocd.example.com
grafanaDomain: grafana.example.com
keycloakDomain: id.example.com
dotaiDomain: kubemcp.example.com
dotaiUiDomain: kubemcpui.example.com
letsencryptEmail: admin@example.com # <- adjust
trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22" # <- subnet CIDR + GCP health checks
cloudProvider: gcp

40
docs/DEVELOPER-GUIDE.md
View File

@@ -962,6 +962,46 @@ User sees application (authenticated)
--- ---
### Accessing Authenticated User Information
The auth sidecar handles all authentication before requests reach your application. Your app never sees unauthenticated traffic — the sidecar returns 401 or redirects to the IdP first.
After successful authentication, the sidecar forwards the request to your application with user identity injected as HTTP headers:
| Header | Description | Available in |
|--------|-------------|-------------|
| `X-Auth-User` | Username or display name | Token, OIDC, MCP |
| `X-Auth-Email` | User email address | OIDC |
| `X-Auth-Subject` | OIDC `sub` claim (stable user ID) | OIDC, MCP |
| `X-Auth-Groups` | Comma-separated group memberships | OIDC (if scope includes `groups`) |
| `X-Auth-Token` | The validated access token | All modes |
**Your application reads these headers — no auth library needed:**
```javascript
// Express.js example
app.get('/profile', (req, res) => {
const user = req.headers['x-auth-user'];
const email = req.headers['x-auth-email'];
res.json({ user, email });
});
```
```python
# Flask example
@app.route('/profile')
def profile():
user = request.headers.get('X-Auth-User')
email = request.headers.get('X-Auth-Email')
return jsonify(user=user, email=email)
```
**Why this is safe**: The Kyverno-generated NetworkPolicy restricts ingress to the sidecar port only. Traffic cannot bypass the sidecar to reach the application port directly, so the `X-Auth-*` headers can be trusted unconditionally.
**Key principle**: Your application is zero-trust-unaware by design. It reads headers and renders UI. All authentication complexity lives in the sidecar and Kyverno policy.
---
### Authentication Configuration Reference ### Authentication Configuration Reference
#### Helm Values Schema #### Helm Values Schema

49
docs/GITOPS-ARCHITECTURE.md
View File

@@ -12,11 +12,11 @@
## Overview ## Overview
This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where Git repositories serve as the single source of truth for both infrastructure and application deployments. The cluster setup is **cloud-agnostic**, with ready-to-use configurations for **UpCloud**, **AWS EKS**, **Azure AKS**, and **GCP GKE**. This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where Git repositories serve as the single source of truth for both infrastructure and application deployments. The cluster is running on **UpCloud Managed Kubernetes** but is designed to be cloud-agnostic.
### Key Characteristics ### Key Characteristics
- **Environment**: Production (internal use only) - **Environment**: Production (internal use only)
- **Cluster Type**: Multi-cloud, multi-cluster via Kustomize overlays (UpCloud, AWS, Azure, GCP) - **Cluster Type**: Multi-cluster (upc-dev, upc-prod) via Kustomize overlays
- **GitOps Tool**: ArgoCD - **GitOps Tool**: ArgoCD
- **Deployment Pattern**: App-of-Apps - **Deployment Pattern**: App-of-Apps
- **Secret Management**: Sealed Secrets (kubeseal) - **Secret Management**: Sealed Secrets (kubeseal)
@@ -63,7 +63,7 @@ This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where
┌────────────────────────────────┐ ┌────────────────────────────────┐
│ Kubernetes Clusters │ │ Kubernetes Clusters │
│ (UpCloud, AWS, Azure, GCP) │ (UpCloud: upc-dev, upc-prod)
│ │ │ │
│ ┌──────────────────────────┐ │ │ ┌──────────────────────────┐ │
│ │ ArgoCD │ │ │ │ ArgoCD │ │
@@ -131,22 +131,26 @@ launchpad/
│ │ ├── renovate.yaml │ │ ├── renovate.yaml
│ │ ├── ... # All other Application manifests │ │ ├── ... # All other Application manifests
│ │ └── secrets.yaml │ │ └── secrets.yaml
│ ├── overlays/ # Per-cluster Kustomize overrides │ ├── overlays/ # Per-cluster overrides
│ │ ├── upc-dev/ # UpCloud Dev (uses base as-is) │ │ ├── upc-dev/ # UpCloud Dev (uses base as-is)
│ │ ── upc-prod/ # UpCloud Prod (patches value paths) │ │ ── upc-prod/ # UpCloud Prod (patches value paths)
│ │ ├── aws-dev/ # AWS EKS Dev
│ │ ├── aws-prod/ # AWS EKS Prod
│ │ ├── azure-dev/ # Azure AKS Dev
│ │ ├── azure-prod/ # Azure AKS Prod
│ │ ├── gcp-dev/ # GCP GKE Dev
│ │ └── gcp-prod/ # GCP GKE Prod
│ ├── dashboards/ # Grafana dashboard ConfigMaps │ ├── dashboards/ # Grafana dashboard ConfigMaps
│ └── values/ # Helm value overrides for infra │ └── values/ # Helm value overrides for infra
│ ├── base/ # Cloud-agnostic shared values │ ├── base/ # Shared values (all clusters)
├── upc-{dev,prod}/ # UpCloud: storage class, LB, pricing │ ├── traefik-values.yaml
├── aws-{dev,prod}/ # AWS: gp3, NLB, CUR pricing │ ├── keycloak-values.yaml
├── azure-{dev,prod}/ # Azure: managed-csi-premium, Standard LB │ ├── grafana-values.yaml
└── gcp-{dev,prod}/ # GCP: premium-rwo, L4 LB │ ├── prometheus-values.yaml
│ │ ├── gitea-values.yaml
│ │ └── ...
│ ├── upc-dev/ # upc-dev cluster-specific values
│ │ ├── traefik-values.yaml
│ │ ├── keycloak-values.yaml
│ │ └── grafana-values.yaml
│ └── upc-prod/ # upc-prod cluster-specific values
│ ├── traefik-values.yaml
│ ├── keycloak-values.yaml
│ └── grafana-values.yaml
├── apps/ # Business Application ArgoCD manifests (Kustomize) ├── apps/ # Business Application ArgoCD manifests (Kustomize)
│ ├── base/ # Base app manifests │ ├── base/ # Base app manifests
@@ -283,7 +287,7 @@ app-repository/
### The App-of-Apps Pattern ### The App-of-Apps Pattern
``` ```
_app-of-apps-{cluster}.yaml (Root, per cluster — e.g. upc-dev, aws-prod, gcp-dev) _app-of-apps-{upc-dev,upc-prod}.yaml (Root, per cluster)
├── infrastructure-apps (manages infra/) ├── infrastructure-apps (manages infra/)
│ ├── cluster-resources-application │ ├── cluster-resources-application
@@ -373,15 +377,6 @@ patches:
value: $values/infra/values/upc-prod/traefik-values.yaml value: $values/infra/values/upc-prod/traefik-values.yaml
``` ```
Cloud-specific values (storage classes, load balancer annotations, cost model) are isolated in per-cluster value files. Base values are fully cloud-agnostic:
| Cloud | Storage Class | Load Balancer | OpenCost Provider |
|-------|--------------|---------------|-------------------|
| **UpCloud** | `upcloud-block-storage-maxiops` | UpCloud LB (ProxyProtocol v2) | Custom pricing |
| **AWS EKS** | `gp3` (EBS CSI) | NLB (ProxyProtocol v2) | AWS CUR |
| **Azure AKS** | `managed-csi-premium` | Standard LB (`externalTrafficPolicy: Local`) | Azure Billing API |
| **GCP GKE** | `premium-rwo` (PD CSI) | L4 passthrough NLB | GCP Cloud Billing |
**Benefits**: **Benefits**:
- Single source of truth for Application definitions - Single source of truth for Application definitions
- Cluster-specific values isolated per overlay - Cluster-specific values isolated per overlay
@@ -663,6 +658,6 @@ Notifications include:
--- ---
**Last Updated**: 2026-04-22 **Last Updated**: 2026-03-16
**Maintained By**: Platform Team **Maintained By**: Platform Team
**Questions?**: Contact #platform-support on Slack **Questions?**: Contact #platform-support on Slack

66
docs/OPERATIONS-RUNBOOK.md
View File

@@ -37,7 +37,7 @@ Bootstrap a new cluster from scratch:
#### Prerequisites #### Prerequisites
1. **Kubernetes cluster running** (UpCloud, AWS EKS, Azure AKS, GCP GKE, or any K8s cluster) 1. **Kubernetes cluster running** (UpCloud or any K8s cluster)
2. **kubectl configured** with admin access 2. **kubectl configured** with admin access
3. **Repositories cloned** locally 3. **Repositories cloned** locally
@@ -54,13 +54,11 @@ kubectl get nodes
git clone https://git.forteapps.net/Forte/launchpad git clone https://git.forteapps.net/Forte/launchpad
cd launchpad cd launchpad
# 2. Run bootstrap script with cluster target # 2. Set cluster name (optional)
# Available clusters: upc-dev, upc-prod, aws-dev, aws-prod, export CLUSTER_NAME="prod-cluster-01"
# azure-dev, azure-prod, gcp-dev, gcp-prod
./bootstrap.sh upc-dev
# Cluster config is loaded from clusters/<cluster>.yaml # 3. Run bootstrap script
# (cloudProvider, trustedIPs, domain, etc.) ./bootstrap.sh
``` ```
**What Happens:** **What Happens:**
@@ -1264,21 +1262,13 @@ spec:
### Backup Strategy ### Backup Strategy
**Current State**: Gitea daily backups to S3-compatible storage **Current State**: No automated backups
**What Is Backed Up**: **What Needs Backup**:
- ✅ Gitea repositories + database: Daily CronJob (`cluster-resources/gitea-backup-cronjob.yaml`) uploads to S3-compatible storage with 7-day retention - ❌ Cluster state (not backed up - recreate via GitOps)
- ✅ Git repositories: Full cluster config recoverable from Git - ❌ Persistent volumes (currently not critical)
- ⚠️ Secrets: Sealed secrets in Git; unseal keys need safekeeping - ✅ Git repositories (Gitea provides backup)
- ⚠️ Secrets (sealed secrets in Git, unseal keys need safekeeping)
**What Is NOT Backed Up**:
- ❌ Cluster state (recreate via GitOps)
- ❌ Other persistent volumes (Prometheus, Loki, Tempo data)
**Per-cloud backup scripts** (manual restore helpers):
- UpCloud/AWS: `scripts/gitea-backup.sh` / `scripts/gitea-backup-aws.sh` (MinIO CLI, S3-compatible)
- Azure: `scripts/gitea-backup-azure.sh` (Azure CLI + Blob Storage)
- GCP: `scripts/gitea-backup-gcp.sh` (gsutil + GCS)
### Cluster Rebuild ### Cluster Rebuild
@@ -1380,9 +1370,6 @@ kubectl get pods -n argocd
```bash ```bash
# UpCloud: Upgrade via control panel or CLI # UpCloud: Upgrade via control panel or CLI
# AWS EKS: eksctl upgrade cluster / AWS Console
# Azure AKS: az aks upgrade / Azure Portal
# GCP GKE: gcloud container clusters upgrade / Cloud Console
# After upgrade, verify cluster # After upgrade, verify cluster
kubectl version kubectl version
@@ -1520,35 +1507,18 @@ git push
### Multi-Cluster Setup ### Multi-Cluster Setup
The repository supports multiple clusters across multiple clouds via Kustomize overlays: The repository supports multiple clusters via Kustomize overlays:
**Active clusters:**
- **upc-dev** (default): `infra/overlays/upc-dev/` — uses base Applications as-is - **upc-dev** (default): `infra/overlays/upc-dev/` — uses base Applications as-is
- **upc-prod**: `infra/overlays/upc-prod/` — patches value file paths from `upc-dev` to `upc-prod` - **upc-prod**: `infra/overlays/upc-prod/` — patches value file paths from `upc-dev` to `upc-prod`
**Cloud-ready templates (fill in `clusters/*.yaml` before use):**
- **aws-dev** / **aws-prod**: AWS EKS with NLB, gp3 storage, AWS CUR pricing
- **azure-dev** / **azure-prod**: Azure AKS with Standard LB, managed-csi-premium storage
- **gcp-dev** / **gcp-prod**: GCP GKE with L4 LB, premium-rwo storage
Each cluster has its own: Each cluster has its own:
- Root app-of-apps: `_app-of-apps-{cluster}.yaml` - Root app-of-apps file: `_app-of-apps-upc-dev.yaml` / `_app-of-apps-upc-prod.yaml`
- Cluster config: `clusters/{cluster}.yaml` (domain, trustedIPs, cloudProvider) - Cluster-specific Helm values: `infra/values/upc-dev/` / `infra/values/upc-prod/`
- Kustomize overlay: `infra/overlays/{cluster}/kustomization.yaml` - Sealed secrets: `secrets/upc-dev/` (others as needed)
- Helm value overrides: `infra/values/{cluster}/` (traefik, gitea, opencost) - Apps overlay: `apps/overlays/upc-dev/` / `apps/overlays/upc-prod/`
- Sealed secrets: `secrets/{cluster}/` (as needed)
- Apps overlay: `apps/overlays/{cluster}/`
Cloud-specific values handled per-cluster: To add a new cluster, create a new overlay directory (e.g., `infra/overlays/upc-staging/`) with patches that swap the value file paths.
| Concern | UpCloud | AWS EKS | Azure AKS | GCP GKE |
|---------|---------|---------|-----------|---------|
| **Storage class** | `upcloud-block-storage-maxiops` | `gp3` | `managed-csi-premium` | `premium-rwo` |
| **Load balancer** | UpCloud LB + ProxyProtocol v2 | NLB + ProxyProtocol v2 | Standard LB + `externalTrafficPolicy: Local` | L4 passthrough NLB |
| **Cost monitoring** | Custom pricing | AWS CUR | Azure Billing API | GCP Cloud Billing |
| **Backup storage** | UpCloud S3-compat | AWS S3 (native) | Azure Blob Storage | GCS |
To add a new cluster, create a new overlay directory (e.g., `infra/overlays/aws-staging/`) with patches that swap the value file paths, and a matching `clusters/aws-staging.yaml`.
### Blue-Green Deployments ### Blue-Green Deployments
@@ -1691,6 +1661,6 @@ echo "Remember to delete: $SECRET_FILE"
--- ---
**Last Updated**: 2026-04-22 **Last Updated**: 2026-03-16
**Maintained By**: Platform Team **Maintained By**: Platform Team
**Emergency Contact**: #platform-support on Slack **Emergency Contact**: #platform-support on Slack

11
docs/README.md
View File

@@ -180,7 +180,7 @@ Reference for:
┌──────────────────────────────────────────────────────────────┐ ┌──────────────────────────────────────────────────────────────┐
│ Kubernetes Clusters (UpCloud, AWS, Azure, GCP) │ Kubernetes Clusters (UpCloud: upc-dev, upc-prod)
│ ┌──────────────────────────────────────────────────────┐ │ │ ┌──────────────────────────────────────────────────────┐ │
│ │ Infrastructure: Traefik, Cert-Manager, Kyverno │ │ │ │ Infrastructure: Traefik, Cert-Manager, Kyverno │ │
│ ├──────────────────────────────────────────────────────┤ │ │ ├──────────────────────────────────────────────────────┤ │
@@ -194,7 +194,7 @@ Reference for:
### Key Technologies ### Key Technologies
- **GitOps**: ArgoCD - **GitOps**: ArgoCD
- **Kubernetes**: Multi-cloud (UpCloud, AWS EKS, Azure AKS, GCP GKE) - **Kubernetes**: UpCloud Managed Kubernetes (multi-cluster: upc-dev, upc-prod)
- **Ingress**: Traefik v2 - **Ingress**: Traefik v2
- **Certificates**: Cert-Manager + Let's Encrypt - **Certificates**: Cert-Manager + Let's Encrypt
- **Policies**: Kyverno - **Policies**: Kyverno
@@ -299,16 +299,11 @@ docs/
## 🔄 Documentation Versions ## 🔄 Documentation Versions
**Current Version**: 1.0.0 **Current Version**: 1.0.0
**Last Updated**: 2026-04-22 **Last Updated**: 2026-03-16
**Maintained By**: Platform Team **Maintained By**: Platform Team
### Changelog ### Changelog
- **v1.1.0 (2026-04-22)**: Multi-cloud support
- Cloud-agnostic base values (storage, LB, pricing moved to per-cluster overlays)
- Added AWS EKS, Azure AKS, GCP GKE configurations
- Per-cloud backup scripts
- Updated all documentation
- **v1.0.0 (2026-03-16)**: Initial comprehensive documentation release - **v1.0.0 (2026-03-16)**: Initial comprehensive documentation release
- GitOps Architecture guide - GitOps Architecture guide
- Developer Onboarding guide - Developer Onboarding guide

76
docs/REFERENCE.md
View File

@@ -19,9 +19,9 @@
| Component | Value | | Component | Value |
|-----------|-------| |-----------|-------|
| **Provider** | Multi-cloud (UpCloud, AWS EKS, Azure AKS, GCP GKE) | | **Provider** | UpCloud Managed Kubernetes |
| **Active clusters** | UpCloud (upc-dev, upc-prod) | | **Environment** | Production (internal use) |
| **Cloud-ready templates** | AWS, Azure, GCP (dev + prod each) | | **Cluster Count** | Multi-cluster (upc-dev, upc-prod) |
| **GitOps Tool** | ArgoCD | | **GitOps Tool** | ArgoCD |
| **Ingress Controller** | Traefik v2 | | **Ingress Controller** | Traefik v2 |
| **Certificate Management** | Cert-Manager + Let's Encrypt | | **Certificate Management** | Cert-Manager + Let's Encrypt |
@@ -42,7 +42,7 @@ Internet
[DNS: *.forteapps.net] [DNS: *.forteapps.net]
[Cloud Load Balancer] [UpCloud LoadBalancer]
[Traefik Ingress Controller] [Traefik Ingress Controller]
@@ -602,6 +602,15 @@ retry:
4. 40 seconds 4. 40 seconds
5. 80 seconds (capped at 3 minutes) 5. 80 seconds (capped at 3 minutes)
### Global Settings (`argocd-cm`)
| Setting | Value | Purpose |
|---------|-------|---------|
| `application.resourceTrackingMethod` | `annotation` | Track resources via annotations |
| `timeout.reconciliation` | `60s` | Reconciliation interval |
| `admin.enabled` | `true` | Enable admin account |
| `git.submodule.enabled` | `false` | Disable git submodule checkout — submodules are not needed for manifest generation |
--- ---
## Infrastructure Components ## Infrastructure Components
@@ -1069,6 +1078,33 @@ kubectl get secret keycloak-client-<app> -n keycloak -o jsonpath='{.metadata.ann
**See**: [Developer Guide - Adding a New Keycloak Client](DEVELOPER-GUIDE.md#adding-a-new-keycloak-client) **See**: [Developer Guide - Adding a New Keycloak Client](DEVELOPER-GUIDE.md#adding-a-new-keycloak-client)
### Karpor
**Chart**: `karpor` from `https://kusionstack.github.io/charts`
**Version**: 0.7.6 (app v0.6.4)
**Namespace**: `karpor`
**Sync Wave**: 1
**Purpose**: Kubernetes visualization and intelligence tool. Provides cross-cluster resource search, compliance checking, and topology visualization. Gives platform engineers a unified view of all cluster resources and their relationships.
**Architecture** (4 components):
- **Server** — main Karpor API/UI (port 7443)
- **Syncer** — syncs cluster state into the search index
- **ElasticSearch** — search backend for resource indexing
- **etcd** — persistent key-value store (10Gi PVC)
**Configuration** (`infra/values/base/karpor-values.yaml`):
- `namespaceEnabled: false` — ArgoCD manages namespace creation
- Default resource limits tuned for small clusters
- ElasticSearch: 2 CPU / 4Gi memory (the heaviest component)
- AI features available but not enabled (requires `server.ai.authToken` + backend config)
**Access**: Port-forward to reach the UI:
```bash
kubectl port-forward svc/karpor-release-server -n karpor 7443:7443
# Open https://localhost:7443
```
### Renovate ### Renovate
**Chart**: `renovate` (OCI: `ghcr.io/renovatebot/charts`) **Chart**: `renovate` (OCI: `ghcr.io/renovatebot/charts`)
@@ -1516,7 +1552,23 @@ Forward to Application (localhost:3000)
Application processes request Application processes request
``` ```
**See**: [Developer Guide - Enabling Authentication](DEVELOPER-GUIDE.md#enabling-authentication-for-applications) for usage examples. #### Forwarded Headers
After successful authentication, the sidecar injects user identity as HTTP headers before forwarding the request to the application container:
| Header | Description | Auth Modes |
|--------|-------------|------------|
| `X-Auth-User` | Username or display name | Token, OIDC, MCP |
| `X-Auth-Email` | User email address | OIDC |
| `X-Auth-Subject` | OIDC `sub` claim (stable user ID) | OIDC, MCP |
| `X-Auth-Groups` | Comma-separated group memberships | OIDC (if `groups` scope) |
| `X-Auth-Token` | The validated access token | All modes |
These headers are trustworthy because the auto-generated `NetworkPolicy` restricts pod ingress to the sidecar port only — external traffic cannot reach the application container directly, so headers cannot be spoofed.
Applications should read these headers to obtain authenticated user information (e.g. for display, authorisation decisions, or audit logging) instead of implementing their own authentication.
**See**: [Developer Guide - Accessing Authenticated User Information](DEVELOPER-GUIDE.md#accessing-authenticated-user-information) for code examples.
--- ---
@@ -1550,22 +1602,14 @@ Recommended resource allocation:
### Storage Classes ### Storage Classes
Storage classes are cloud-specific and configured in per-cluster value overrides (`infra/values/{cluster}/gitea-values.yaml`): Default storage class used: **UpCloud default** (varies by provider)
| Cloud | Storage Class | Driver |
|-------|--------------|--------|
| **UpCloud** | `upcloud-block-storage-maxiops` | UpCloud CSI |
| **AWS EKS** | `gp3` | EBS CSI |
| **Azure AKS** | `managed-csi-premium` | Azure Disk CSI |
| **GCP GKE** | `premium-rwo` | PD CSI |
```yaml ```yaml
# Example: base values omit storageClass (set in per-cluster overlay)
persistence: persistence:
enabled: true enabled: true
storageClass: "" # Uses default
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 5Gi size: 5Gi
# storageClass set by infra/values/{cluster}/gitea-values.yaml
``` ```
--- ---
@@ -1761,6 +1805,6 @@ team: platform
--- ---
**Last Updated**: 2026-04-22 **Last Updated**: 2026-04-16
**Maintained By**: Platform Team **Maintained By**: Platform Team
**Version**: 1.0.0 **Version**: 1.0.0

1
infra/base/gitea.yaml
View File

@@ -22,7 +22,6 @@ spec:
releaseName: gitea releaseName: gitea
valueFiles: valueFiles:
- $values/infra/values/base/gitea-values.yaml - $values/infra/values/base/gitea-values.yaml
- $values/infra/values/upc-dev/gitea-values.yaml
- repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
targetRevision: HEAD targetRevision: HEAD

42
infra/base/karpor.yaml Normal file
View File

@@ -0,0 +1,42 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: karpor
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "1"
labels:
app.kubernetes.io/name: karpor
app.kubernetes.io/part-of: developer-portal
app.kubernetes.io/managed-by: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
sources:
- repoURL: https://kusionstack.github.io/charts
chart: karpor
targetRevision: "0.7.6"
helm:
releaseName: karpor
valueFiles:
- $values/infra/values/base/karpor-values.yaml
- repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
targetRevision: HEAD
ref: values
destination:
server: https://kubernetes.default.svc
namespace: karpor
syncPolicy:
automated:
prune: true
selfHeal: true
allowEmpty: false
syncOptions:
- CreateNamespace=true
- Validate=true
- ServerSideApply=true

1
infra/base/kustomization.yaml
View File

@@ -22,3 +22,4 @@ resources:
- tempo.yaml - tempo.yaml
- grafana-dashboards.yaml - grafana-dashboards.yaml
- network-policies-application.yaml - network-policies-application.yaml
- karpor.yaml

1
infra/base/opencost.yaml
View File

@@ -22,7 +22,6 @@ spec:
releaseName: opencost releaseName: opencost
valueFiles: valueFiles:
- $values/infra/values/base/opencost-values.yaml - $values/infra/values/base/opencost-values.yaml
- $values/infra/values/upc-dev/opencost-values.yaml
- repoURL: git@github.com:fortedigital/sturdy-adventure.git - repoURL: git@github.com:fortedigital/sturdy-adventure.git
targetRevision: HEAD targetRevision: HEAD

35
infra/overlays/aws-dev/kustomization.yaml
View File

@@ -1,35 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../base
patches:
# Traefik: swap upc-dev → aws-dev
- target:
kind: Application
name: traefik
patch: |
- op: replace
path: /spec/sources/0/helm/valueFiles/1
value: $values/infra/values/aws-dev/traefik-values.yaml
# Gitea: swap upc-dev → aws-dev
- target:
kind: Application
name: gitea
patch: |
- op: replace
path: /spec/sources/0/helm/valueFiles/1
value: $values/infra/values/aws-dev/gitea-values.yaml
# OpenCost: swap upc-dev → aws-dev
- target:
kind: Application
name: opencost
patch: |
- op: replace
path: /spec/sources/0/helm/valueFiles/1
value: $values/infra/values/aws-dev/opencost-values.yaml
# TODO: add patches for keycloak, grafana, secrets, enterprise-apps
# when deploying to this cluster (these are deployment-specific, not cloud-specific)

35
infra/overlays/aws-prod/kustomization.yaml
View File

@@ -1,35 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../base
patches:
# Traefik: swap upc-dev → aws-prod
- target:
kind: Application
name: traefik
patch: |
- op: replace
path: /spec/sources/0/helm/valueFiles/1
value: $values/infra/values/aws-prod/traefik-values.yaml
# Gitea: swap upc-dev → aws-prod
- target:
kind: Application
name: gitea
patch: |
- op: replace
path: /spec/sources/0/helm/valueFiles/1
value: $values/infra/values/aws-prod/gitea-values.yaml
# OpenCost: swap upc-dev → aws-prod
- target:
kind: Application
name: opencost
patch: |
- op: replace
path: /spec/sources/0/helm/valueFiles/1
value: $values/infra/values/aws-prod/opencost-values.yaml
# TODO: add patches for keycloak, grafana, secrets, enterprise-apps
# when deploying to this cluster (these are deployment-specific, not cloud-specific)

35
infra/overlays/azure-dev/kustomization.yaml
View File

@@ -1,35 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../base
patches:
# Traefik: swap upc-dev → azure-dev
- target:
kind: Application
name: traefik
patch: |
- op: replace
path: /spec/sources/0/helm/valueFiles/1
value: $values/infra/values/azure-dev/traefik-values.yaml
# Gitea: swap upc-dev → azure-dev
- target:
kind: Application
name: gitea
patch: |
- op: replace
path: /spec/sources/0/helm/valueFiles/1
value: $values/infra/values/azure-dev/gitea-values.yaml
# OpenCost: swap upc-dev → azure-dev
- target:
kind: Application
name: opencost
patch: |
- op: replace
path: /spec/sources/0/helm/valueFiles/1
value: $values/infra/values/azure-dev/opencost-values.yaml
# TODO: add patches for keycloak, grafana, secrets, enterprise-apps
# when deploying to this cluster (these are deployment-specific, not cloud-specific)

35
infra/overlays/azure-prod/kustomization.yaml
View File

@@ -1,35 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../base
patches:
# Traefik: swap upc-dev → azure-prod
- target:
kind: Application
name: traefik
patch: |
- op: replace
path: /spec/sources/0/helm/valueFiles/1
value: $values/infra/values/azure-prod/traefik-values.yaml
# Gitea: swap upc-dev → azure-prod
- target:
kind: Application
name: gitea
patch: |
- op: replace
path: /spec/sources/0/helm/valueFiles/1
value: $values/infra/values/azure-prod/gitea-values.yaml
# OpenCost: swap upc-dev → azure-prod
- target:
kind: Application
name: opencost
patch: |
- op: replace
path: /spec/sources/0/helm/valueFiles/1
value: $values/infra/values/azure-prod/opencost-values.yaml
# TODO: add patches for keycloak, grafana, secrets, enterprise-apps
# when deploying to this cluster (these are deployment-specific, not cloud-specific)

35
infra/overlays/gcp-dev/kustomization.yaml
View File

@@ -1,35 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../base
patches:
# Traefik: swap upc-dev → gcp-dev
- target:
kind: Application
name: traefik
patch: |
- op: replace
path: /spec/sources/0/helm/valueFiles/1
value: $values/infra/values/gcp-dev/traefik-values.yaml
# Gitea: swap upc-dev → gcp-dev
- target:
kind: Application
name: gitea
patch: |
- op: replace
path: /spec/sources/0/helm/valueFiles/1
value: $values/infra/values/gcp-dev/gitea-values.yaml
# OpenCost: swap upc-dev → gcp-dev
- target:
kind: Application
name: opencost
patch: |
- op: replace
path: /spec/sources/0/helm/valueFiles/1
value: $values/infra/values/gcp-dev/opencost-values.yaml
# TODO: add patches for keycloak, grafana, secrets, enterprise-apps
# when deploying to this cluster (these are deployment-specific, not cloud-specific)

35
infra/overlays/gcp-prod/kustomization.yaml
View File

@@ -1,35 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../base
patches:
# Traefik: swap upc-dev → gcp-prod
- target:
kind: Application
name: traefik
patch: |
- op: replace
path: /spec/sources/0/helm/valueFiles/1
value: $values/infra/values/gcp-prod/traefik-values.yaml
# Gitea: swap upc-dev → gcp-prod
- target:
kind: Application
name: gitea
patch: |
- op: replace
path: /spec/sources/0/helm/valueFiles/1
value: $values/infra/values/gcp-prod/gitea-values.yaml
# OpenCost: swap upc-dev → gcp-prod
- target:
kind: Application
name: opencost
patch: |
- op: replace
path: /spec/sources/0/helm/valueFiles/1
value: $values/infra/values/gcp-prod/opencost-values.yaml
# TODO: add patches for keycloak, grafana, secrets, enterprise-apps
# when deploying to this cluster (these are deployment-specific, not cloud-specific)

18
infra/overlays/upc-prod/kustomization.yaml
View File

@@ -48,21 +48,3 @@ patches:
- op: replace - op: replace
path: /spec/source/path path: /spec/source/path
value: apps/overlays/upc-prod value: apps/overlays/upc-prod
# Gitea: swap upc-dev → upc-prod
- target:
kind: Application
name: gitea
patch: |
- op: replace
path: /spec/sources/0/helm/valueFiles/1
value: $values/infra/values/upc-prod/gitea-values.yaml
# OpenCost: swap upc-dev → upc-prod
- target:
kind: Application
name: opencost
patch: |
- op: replace
path: /spec/sources/0/helm/valueFiles/1
value: $values/infra/values/upc-prod/opencost-values.yaml

7
infra/values/aws-dev/gitea-values.yaml
View File

@@ -1,7 +0,0 @@
# AWS EBS gp3 storage class (requires EBS CSI driver)
persistence:
storageClass: gp3
postgresql:
primary:
persistence:
storageClass: gp3

13
infra/values/aws-dev/opencost-values.yaml
View File

@@ -1,13 +0,0 @@
# AWS native pricing via Cost and Usage Reports
opencost:
exporter:
customPricing:
enabled: true
provider: aws
aws:
service_key_name: "" # <- populate or use IRSA
service_key_secret: ""
spot_data_region: ""
spot_data_bucket: ""
spot_data_prefix: ""
account_id: ""

18
infra/values/aws-dev/traefik-values.yaml
View File

@@ -1,18 +0,0 @@
# AWS EKS — NLB with Proxy Protocol v2 for real client IPs
service:
annotations:
service.beta.kubernetes.io/aws-load-balancer-type: "external"
service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
ports:
web:
proxyProtocol:
trustedIPs: "10.0.0.0/8" # <- adjust to your VPC CIDR
forwardedHeaders:
trustedIPs: "10.0.0.0/8"
websecure:
proxyProtocol:
trustedIPs: "10.0.0.0/8"
forwardedHeaders:
trustedIPs: "10.0.0.0/8"

7
infra/values/aws-prod/gitea-values.yaml
View File

@@ -1,7 +0,0 @@
# AWS EBS gp3 storage class (requires EBS CSI driver)
persistence:
storageClass: gp3
postgresql:
primary:
persistence:
storageClass: gp3

13
infra/values/aws-prod/opencost-values.yaml
View File

@@ -1,13 +0,0 @@
# AWS native pricing via Cost and Usage Reports
opencost:
exporter:
customPricing:
enabled: true
provider: aws
aws:
service_key_name: "" # <- populate or use IRSA
service_key_secret: ""
spot_data_region: ""
spot_data_bucket: ""
spot_data_prefix: ""
account_id: ""

18
infra/values/aws-prod/traefik-values.yaml
View File

@@ -1,18 +0,0 @@
# AWS EKS — NLB with Proxy Protocol v2 for real client IPs
service:
annotations:
service.beta.kubernetes.io/aws-load-balancer-type: "external"
service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
ports:
web:
proxyProtocol:
trustedIPs: "10.0.0.0/8" # <- adjust to your VPC CIDR
forwardedHeaders:
trustedIPs: "10.0.0.0/8"
websecure:
proxyProtocol:
trustedIPs: "10.0.0.0/8"
forwardedHeaders:
trustedIPs: "10.0.0.0/8"

7
infra/values/azure-dev/gitea-values.yaml
View File

@@ -1,7 +0,0 @@
# Azure Managed Disk (Premium SSD via CSI driver)
persistence:
storageClass: managed-csi-premium
postgresql:
primary:
persistence:
storageClass: managed-csi-premium

11
infra/values/azure-dev/opencost-values.yaml
View File

@@ -1,11 +0,0 @@
# Azure native pricing via Billing API
opencost:
exporter:
customPricing:
enabled: true
provider: azure
azure:
subscriptionID: "" # <- populate
clientID: ""
clientSecret: ""
tenantID: ""

16
infra/values/azure-dev/traefik-values.yaml
View File

@@ -1,16 +0,0 @@
# Azure AKS — Standard Load Balancer
# Note: Azure Standard LB does not support Proxy Protocol.
# Use externalTrafficPolicy: Local on the Traefik service to preserve
# client IPs, or deploy behind Azure Application Gateway.
service:
annotations:
service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: "/ping"
spec:
externalTrafficPolicy: Local
ports:
web:
forwardedHeaders:
trustedIPs: "10.0.0.0/8,168.63.129.16/32" # <- VNet CIDR + Azure health probe
websecure:
forwardedHeaders:
trustedIPs: "10.0.0.0/8,168.63.129.16/32"

7
infra/values/azure-prod/gitea-values.yaml
View File

@@ -1,7 +0,0 @@
# Azure Managed Disk (Premium SSD via CSI driver)
persistence:
storageClass: managed-csi-premium
postgresql:
primary:
persistence:
storageClass: managed-csi-premium

11
infra/values/azure-prod/opencost-values.yaml
View File

@@ -1,11 +0,0 @@
# Azure native pricing via Billing API
opencost:
exporter:
customPricing:
enabled: true
provider: azure
azure:
subscriptionID: "" # <- populate
clientID: ""
clientSecret: ""
tenantID: ""

16
infra/values/azure-prod/traefik-values.yaml
View File

@@ -1,16 +0,0 @@
# Azure AKS — Standard Load Balancer
# Note: Azure Standard LB does not support Proxy Protocol.
# Use externalTrafficPolicy: Local on the Traefik service to preserve
# client IPs, or deploy behind Azure Application Gateway.
service:
annotations:
service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: "/ping"
spec:
externalTrafficPolicy: Local
ports:
web:
forwardedHeaders:
trustedIPs: "10.0.0.0/8,168.63.129.16/32" # <- VNet CIDR + Azure health probe
websecure:
forwardedHeaders:
trustedIPs: "10.0.0.0/8,168.63.129.16/32"

9
infra/values/base/argocd-values.yaml
View File

@@ -2,12 +2,21 @@ configs:
secret: secret:
createSecret: true createSecret: true
argocdServerAdminPassword: "$2b$12$Tmb1jH7ADvwWoUoNPXXsfOf6JqEluqhq8mL06a8DGT2AP1GzbNsCm" argocdServerAdminPassword: "$2b$12$Tmb1jH7ADvwWoUoNPXXsfOf6JqEluqhq8mL06a8DGT2AP1GzbNsCm"
ssh:
knownHosts: |
[git.forteapps.net]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTwi40de8yTGUuRT0i/XGicQ672BLhYR6D/lDquJrp/tdrWoZhVVPy0wxSkWsq1V92iiAUuQnXagOGsLBGZT9uDLWKvEmNDnCfjzTMq3J1iA3vk2rQ8WBlCzhvmeCV/r0ufl6vsgfwxSRomLZeqa2UkLHx69gy2Njb1S2/aZK1Q53f466hCUfDULZrTn2Nn5Sj8cEbJ8EyvVN2YG9HYBxQdzKRPZEmS1vyzmn8YrYIkZseIRQElabzWGh86owuaaqnwJhTJj1j2sEUeIet04sGKJcnxx2UL4H90N66LKMldmMiuli+ve/CjJmMwDl0zGkjIniT3XR8CyEXYHli7B1hR8Z+dbK6DBgjz+28lFgMIRY70KkZJNsJcBNZLZ5fHwCI13a9U3Uhg3Pu/6s0zlosM4CrAQNQCRe95ZPtCpdFhlGrOl4m1rdSK2meL6rND0TBBuZbaFF6Py7TawLCAiO2KRaVqhu9OFVjwJ/nifgLzFGwWj+WcYmpuR+DwozrF/Hl7QYsz1x4GO1SONY07KbIFkUCHOMAh0AELY5YE4eGI4mtG6SecdPaAdLREGZYK4IcyP5i1QW9g0wmfRSsV9jy+r0ivBxixxh4yJiNpkg6NXak40gQtGIme9EJ+DxrRLruNsfDILWcdSuH/wvuorv56NpQFGB0FzB6LXMloSYptQ==
cm: cm:
application.resourceTrackingMethod: annotation application.resourceTrackingMethod: annotation
timeout.reconciliation: 60s timeout.reconciliation: 60s
admin.enabled: "true" admin.enabled: "true"
params: params:
"server.insecure": true "server.insecure": true
repoServer:
env:
# Disable git submodule checkout - submodules (e.g. shared-prompts)
# are not needed for K8s manifest generation
- name: ARGOCD_GIT_MODULES_ENABLED
value: "false"
server: server:
ingress: ingress:
enabled: false enabled: false

2
infra/values/base/gitea-values.yaml
View File

@@ -130,6 +130,7 @@ persistence:
size: 10Gi size: 10Gi
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
storageClass: upcloud-block-storage-maxiops
# -- Recreate strategy to avoid Multi-Attach errors with RWO volumes # -- Recreate strategy to avoid Multi-Attach errors with RWO volumes
strategy: strategy:
@@ -155,6 +156,7 @@ postgresql:
persistence: persistence:
enabled: true enabled: true
size: 8Gi size: 8Gi
storageClass: upcloud-block-storage-maxiops
resources: resources:
requests: requests:
cpu: 100m cpu: 100m

44
infra/values/base/karpor-values.yaml Normal file
View File

@@ -0,0 +1,44 @@
# Karpor - Kubernetes Visualization & Intelligence Tool
# Helm chart: https://github.com/KusionStack/charts/tree/master/charts/karpor
# Let the ArgoCD Application manage the namespace
namespaceEnabled: false
server:
replicas: 1
port: 7443
resources:
requests:
cpu: 250m
memory: 256Mi
limits:
cpu: 500m
memory: 1Gi
syncer:
replicas: 1
port: 7443
resources:
requests:
cpu: 250m
memory: 256Mi
limits:
cpu: 500m
memory: 1Gi
elasticsearch:
replicas: 1
port: 9200
resources:
requests:
cpu: 500m
memory: 2Gi
limits:
cpu: "2"
memory: 4Gi
etcd:
replicas: 1
port: 2379
persistence:
size: 5Gi

14
infra/values/base/opencost-values.yaml
View File

@@ -10,8 +10,18 @@ opencost:
serviceName: prometheus-server serviceName: prometheus-server
namespaceName: monitoring namespaceName: monitoring
port: 80 port: 80
# Cloud-specific pricing is in per-cluster value overrides customPricing:
# (e.g. infra/values/upc-dev/opencost-values.yaml) enabled: true
provider: custom
costModel:
description: "UpCloud 4-node cluster pricing"
CPU: "5.86"
RAM: "1.46"
GPU: "0"
storage: "0.34"
zoneNetworkEgress: "0"
regionNetworkEgress: "0"
internetNetworkEgress: "0"
ui: ui:
enabled: false enabled: false
service: service:

7
infra/values/gcp-dev/gitea-values.yaml
View File

@@ -1,7 +0,0 @@
# GCP Persistent Disk (SSD via CSI driver)
persistence:
storageClass: premium-rwo
postgresql:
primary:
persistence:
storageClass: premium-rwo

9
infra/values/gcp-dev/opencost-values.yaml
View File

@@ -1,9 +0,0 @@
# GCP native pricing via Cloud Billing API
opencost:
exporter:
customPricing:
enabled: true
provider: gcp
gcp:
projectID: "" # <- populate with your GCP project ID
key: "" # <- or use Workload Identity

15
infra/values/gcp-dev/traefik-values.yaml
View File

@@ -1,15 +0,0 @@
# GCP GKE — External passthrough Network Load Balancer
service:
annotations:
cloud.google.com/l4-rbs: "enabled"
ports:
web:
proxyProtocol:
trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22" # <- subnet CIDR + GCP health checks
forwardedHeaders:
trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"
websecure:
proxyProtocol:
trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"
forwardedHeaders:
trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"

7
infra/values/gcp-prod/gitea-values.yaml
View File

@@ -1,7 +0,0 @@
# GCP Persistent Disk (SSD via CSI driver)
persistence:
storageClass: premium-rwo
postgresql:
primary:
persistence:
storageClass: premium-rwo

9
infra/values/gcp-prod/opencost-values.yaml
View File

@@ -1,9 +0,0 @@
# GCP native pricing via Cloud Billing API
opencost:
exporter:
customPricing:
enabled: true
provider: gcp
gcp:
projectID: "" # <- populate with your GCP project ID
key: "" # <- or use Workload Identity

15
infra/values/gcp-prod/traefik-values.yaml
View File

@@ -1,15 +0,0 @@
# GCP GKE — External passthrough Network Load Balancer
service:
annotations:
cloud.google.com/l4-rbs: "enabled"
ports:
web:
proxyProtocol:
trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22" # <- subnet CIDR + GCP health checks
forwardedHeaders:
trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"
websecure:
proxyProtocol:
trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"
forwardedHeaders:
trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"

7
infra/values/upc-dev/gitea-values.yaml
View File

@@ -1,7 +0,0 @@
# UpCloud storage class for Gitea and its embedded PostgreSQL
persistence:
storageClass: upcloud-block-storage-maxiops
postgresql:
primary:
persistence:
storageClass: upcloud-block-storage-maxiops

15
infra/values/upc-dev/opencost-values.yaml
View File

@@ -1,15 +0,0 @@
# UpCloud custom pricing (no native OpenCost integration)
opencost:
exporter:
customPricing:
enabled: true
provider: custom
costModel:
description: "UpCloud 4-node cluster pricing"
CPU: "5.86"
RAM: "1.46"
GPU: "0"
storage: "0.34"
zoneNetworkEgress: "0"
regionNetworkEgress: "0"
internetNetworkEgress: "0"

7
infra/values/upc-prod/gitea-values.yaml
View File

@@ -1,7 +0,0 @@
# UpCloud storage class for Gitea and its embedded PostgreSQL
persistence:
storageClass: upcloud-block-storage-maxiops
postgresql:
primary:
persistence:
storageClass: upcloud-block-storage-maxiops

15
infra/values/upc-prod/opencost-values.yaml
View File

@@ -1,15 +0,0 @@
# UpCloud custom pricing (no native OpenCost integration)
opencost:
exporter:
customPricing:
enabled: true
provider: custom
costModel:
description: "UpCloud 4-node cluster pricing"
CPU: "5.86"
RAM: "1.46"
GPU: "0"
storage: "0.34"
zoneNetworkEgress: "0"
regionNetworkEgress: "0"
internetNetworkEgress: "0"

94
scripts/gitea-backup-aws.sh
View File

@@ -1,94 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
# Gitea backup helper for AWS S3
# Uses the gitea-backup-s3 secret in the gitea namespace
# (same secret schema: S3_ENDPOINT, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, S3_BUCKET)
#
# For AWS, S3_ENDPOINT is typically https://s3.<region>.amazonaws.com
#
# Usage:
# ./scripts/gitea-backup-aws.sh list # list all backups
# ./scripts/gitea-backup-aws.sh download <filename> # download a backup to current dir
# ./scripts/gitea-backup-aws.sh download latest # download the most recent backup
NAMESPACE="gitea"
SECRET="gitea-backup-s3"
IMAGE="minio/mc:latest"
POD_NAME="gitea-backup-helper"
ALIAS_CMD='mc alias set s3 ${S3_ENDPOINT} ${AWS_ACCESS_KEY_ID} ${AWS_SECRET_ACCESS_KEY} > /dev/null'
cleanup() {
kubectl -n "$NAMESPACE" delete pod "$POD_NAME" --ignore-not-found --grace-period=0 > /dev/null 2>&1 || true
}
mc_run() {
cleanup
kubectl -n "$NAMESPACE" run "$POD_NAME" --restart=Never \
--image="$IMAGE" \
--overrides="{
\"spec\":{\"containers\":[{
\"name\":\"$POD_NAME\",
\"image\":\"$IMAGE\",
\"env\":[{\"name\":\"HOME\",\"value\":\"/tmp\"}],
\"command\":[\"sh\",\"-c\",\"${ALIAS_CMD}; $1\"],
\"envFrom\":[{\"secretRef\":{\"name\":\"$SECRET\"}}]
}]}
}" > /dev/null 2>&1
kubectl -n "$NAMESPACE" wait --for=jsonpath='{.status.phase}'=Succeeded "pod/$POD_NAME" --timeout=120s > /dev/null 2>&1
kubectl -n "$NAMESPACE" logs "$POD_NAME"
cleanup
}
case "${1:-help}" in
list)
echo "Listing backups..."
mc_run 'mc ls s3/${S3_BUCKET}/'
;;
download)
FILE="${2:?Usage: $0 download <filename|latest>}"
if [ "$FILE" = "latest" ]; then
echo "Finding latest backup..."
FILE=$(mc_run 'mc ls s3/${S3_BUCKET}/' | sort | tail -1 | awk '{print $NF}' | tr -d '[:space:]')
if [ -z "$FILE" ]; then
echo "No backups found."
exit 1
fi
echo "Latest: $FILE"
fi
echo "Downloading $FILE..."
cleanup
kubectl -n "$NAMESPACE" run "$POD_NAME" --restart=Never \
--image="$IMAGE" \
--overrides="{
\"spec\":{\"containers\":[{
\"name\":\"$POD_NAME\",
\"image\":\"$IMAGE\",
\"env\":[{\"name\":\"HOME\",\"value\":\"/tmp\"}],
\"command\":[\"sh\",\"-c\",\"sleep 300\"],
\"envFrom\":[{\"secretRef\":{\"name\":\"$SECRET\"}}]
}]}
}" > /dev/null 2>&1
kubectl -n "$NAMESPACE" wait --for=condition=Ready "pod/$POD_NAME" --timeout=60s > /dev/null 2>&1
echo "Saving to ./$FILE ..."
kubectl -n "$NAMESPACE" exec "$POD_NAME" -- sh -c "${ALIAS_CMD} && mc cat s3/\${S3_BUCKET}/$FILE" > "./$FILE"
cleanup
echo "Downloaded: ./$FILE"
;;
*)
echo "Gitea backup helper (AWS S3)"
echo ""
echo "Usage:"
echo " $0 list List all backups in S3"
echo " $0 download <filename> Download a specific backup"
echo " $0 download latest Download the most recent backup"
;;
esac

100
scripts/gitea-backup-azure.sh
View File

@@ -1,100 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
# Gitea backup helper for Azure Blob Storage
# Uses the gitea-backup-azure secret in the gitea namespace
# Required secret keys:
# AZURE_STORAGE_ACCOUNT — storage account name
# AZURE_STORAGE_KEY — storage account key
# AZURE_CONTAINER — blob container name
#
# Usage:
# ./scripts/gitea-backup-azure.sh list # list all backups
# ./scripts/gitea-backup-azure.sh download <filename> # download a backup
# ./scripts/gitea-backup-azure.sh download latest # download the most recent backup
NAMESPACE="gitea"
SECRET="gitea-backup-azure"
IMAGE="mcr.microsoft.com/azure-cli:latest"
POD_NAME="gitea-backup-helper"
cleanup() {
kubectl -n "$NAMESPACE" delete pod "$POD_NAME" --ignore-not-found --grace-period=0 > /dev/null 2>&1 || true
}
az_run() {
cleanup
kubectl -n "$NAMESPACE" run "$POD_NAME" --restart=Never \
--image="$IMAGE" \
--overrides="{
\"spec\":{\"containers\":[{
\"name\":\"$POD_NAME\",
\"image\":\"$IMAGE\",
\"env\":[{\"name\":\"HOME\",\"value\":\"/tmp\"}],
\"command\":[\"sh\",\"-c\",\"$1\"],
\"envFrom\":[{\"secretRef\":{\"name\":\"$SECRET\"}}]
}]}
}" > /dev/null 2>&1
kubectl -n "$NAMESPACE" wait --for=jsonpath='{.status.phase}'=Succeeded "pod/$POD_NAME" --timeout=120s > /dev/null 2>&1
kubectl -n "$NAMESPACE" logs "$POD_NAME"
cleanup
}
case "${1:-help}" in
list)
echo "Listing backups..."
az_run 'az storage blob list --account-name ${AZURE_STORAGE_ACCOUNT} --account-key ${AZURE_STORAGE_KEY} --container-name ${AZURE_CONTAINER} --output table --query "[].{Name:name, Size:properties.contentLength, Modified:properties.lastModified}"'
;;
download)
FILE="${2:?Usage: $0 download <filename|latest>}"
if [ "$FILE" = "latest" ]; then
echo "Finding latest backup..."
FILE=$(az_run 'az storage blob list --account-name ${AZURE_STORAGE_ACCOUNT} --account-key ${AZURE_STORAGE_KEY} --container-name ${AZURE_CONTAINER} --query "sort_by([], &properties.lastModified)[-1].name" -o tsv' | tr -d '[:space:]')
if [ -z "$FILE" ]; then
echo "No backups found."
exit 1
fi
echo "Latest: $FILE"
fi
echo "Downloading $FILE..."
cleanup
kubectl -n "$NAMESPACE" run "$POD_NAME" --restart=Never \
--image="$IMAGE" \
--overrides="{
\"spec\":{\"containers\":[{
\"name\":\"$POD_NAME\",
\"image\":\"$IMAGE\",
\"env\":[{\"name\":\"HOME\",\"value\":\"/tmp\"}],
\"command\":[\"sh\",\"-c\",\"sleep 300\"],
\"envFrom\":[{\"secretRef\":{\"name\":\"$SECRET\"}}]
}]}
}" > /dev/null 2>&1
kubectl -n "$NAMESPACE" wait --for=condition=Ready "pod/$POD_NAME" --timeout=60s > /dev/null 2>&1
echo "Saving to ./$FILE ..."
kubectl -n "$NAMESPACE" exec "$POD_NAME" -- \
az storage blob download \
--account-name "\${AZURE_STORAGE_ACCOUNT}" \
--account-key "\${AZURE_STORAGE_KEY}" \
--container-name "\${AZURE_CONTAINER}" \
--name "$FILE" \
--file /dev/stdout 2>/dev/null > "./$FILE"
cleanup
echo "Downloaded: ./$FILE"
;;
*)
echo "Gitea backup helper (Azure Blob Storage)"
echo ""
echo "Usage:"
echo " $0 list List all backups in Azure Blob"
echo " $0 download <filename> Download a specific backup"
echo " $0 download latest Download the most recent backup"
;;
esac

95
scripts/gitea-backup-gcp.sh
View File

@@ -1,95 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
# Gitea backup helper for Google Cloud Storage
# Uses the gitea-backup-gcs secret in the gitea namespace
# Required secret keys:
# GCS_BUCKET — bucket name (without gs:// prefix)
# GOOGLE_APPLICATION_CREDENTIALS_JSON — service account key JSON
# (alternatively, use Workload Identity and omit the key)
#
# Usage:
# ./scripts/gitea-backup-gcp.sh list # list all backups
# ./scripts/gitea-backup-gcp.sh download <filename> # download a backup
# ./scripts/gitea-backup-gcp.sh download latest # download the most recent backup
NAMESPACE="gitea"
SECRET="gitea-backup-gcs"
IMAGE="gcr.io/google.com/cloudsdktool/google-cloud-cli:slim"
POD_NAME="gitea-backup-helper"
AUTH_CMD='if [ -n "${GOOGLE_APPLICATION_CREDENTIALS_JSON:-}" ]; then echo "${GOOGLE_APPLICATION_CREDENTIALS_JSON}" > /tmp/gcs-key.json && gcloud auth activate-service-account --key-file=/tmp/gcs-key.json > /dev/null 2>&1; fi'
cleanup() {
kubectl -n "$NAMESPACE" delete pod "$POD_NAME" --ignore-not-found --grace-period=0 > /dev/null 2>&1 || true
}
gcs_run() {
cleanup
kubectl -n "$NAMESPACE" run "$POD_NAME" --restart=Never \
--image="$IMAGE" \
--overrides="{
\"spec\":{\"containers\":[{
\"name\":\"$POD_NAME\",
\"image\":\"$IMAGE\",
\"env\":[{\"name\":\"HOME\",\"value\":\"/tmp\"}],
\"command\":[\"sh\",\"-c\",\"${AUTH_CMD}; $1\"],
\"envFrom\":[{\"secretRef\":{\"name\":\"$SECRET\"}}]
}]}
}" > /dev/null 2>&1
kubectl -n "$NAMESPACE" wait --for=jsonpath='{.status.phase}'=Succeeded "pod/$POD_NAME" --timeout=120s > /dev/null 2>&1
kubectl -n "$NAMESPACE" logs "$POD_NAME"
cleanup
}
case "${1:-help}" in
list)
echo "Listing backups..."
gcs_run 'gsutil ls -l gs://${GCS_BUCKET}/'
;;
download)
FILE="${2:?Usage: $0 download <filename|latest>}"
if [ "$FILE" = "latest" ]; then
echo "Finding latest backup..."
FILE=$(gcs_run 'gsutil ls gs://${GCS_BUCKET}/' | grep -v '^$' | grep -v 'TOTAL' | sort | tail -1 | xargs -I{} basename {} | tr -d '[:space:]')
if [ -z "$FILE" ]; then
echo "No backups found."
exit 1
fi
echo "Latest: $FILE"
fi
echo "Downloading $FILE..."
cleanup
kubectl -n "$NAMESPACE" run "$POD_NAME" --restart=Never \
--image="$IMAGE" \
--overrides="{
\"spec\":{\"containers\":[{
\"name\":\"$POD_NAME\",
\"image\":\"$IMAGE\",
\"env\":[{\"name\":\"HOME\",\"value\":\"/tmp\"}],
\"command\":[\"sh\",\"-c\",\"sleep 300\"],
\"envFrom\":[{\"secretRef\":{\"name\":\"$SECRET\"}}]
}]}
}" > /dev/null 2>&1
kubectl -n "$NAMESPACE" wait --for=condition=Ready "pod/$POD_NAME" --timeout=60s > /dev/null 2>&1
echo "Saving to ./$FILE ..."
kubectl -n "$NAMESPACE" exec "$POD_NAME" -- sh -c "${AUTH_CMD} && gsutil cat gs://\${GCS_BUCKET}/$FILE" > "./$FILE"
cleanup
echo "Downloaded: ./$FILE"
;;
*)
echo "Gitea backup helper (Google Cloud Storage)"
echo ""
echo "Usage:"
echo " $0 list List all backups in GCS"
echo " $0 download <filename> Download a specific backup"
echo " $0 download latest Download the most recent backup"
;;
esac