2026-02-22 21:30:25 +00:00
server:
  enabled: true
2026-03-15 19:05:04 +00:00
migrate consuming stacks to ESO + remove k8s-dashboard static token
Phase 9: ExternalSecret migration across 26 stacks:
Fully migrated (vault data source removed, ESO delivers secrets):
- speedtest, shadowsocks, wealthfolio, plotting-book, f1-stream, tandoor
- n8n, dawarich, diun, netbox, onlyoffice, tuya-bridge
- hackmd (ESO template for DB URL), health (ESO template for DB URL)
- trading-bot (ESO template for DATABASE_URL + 7 secret env vars)
- forgejo (removed unused vault data source)
Partially migrated (vault kept for plan-time, ESO added for runtime):
- immich, linkwarden, nextcloud, paperless-ngx (jsondecode for homepage)
- claude-memory, rybbit, url, webhook_handler (plan-time in locals/jobs)
- woodpecker, openclaw, resume (plan-time in helm values/jobs/modules)
17 stacks unchanged (all plan-time: homepage annotations, configmaps,
module inputs) — vault data source works with OIDC auth.
Phase 17a: Remove k8s-dashboard static admin token secret.
Users now get tokens via: vault write kubernetes/creds/dashboard-admin
  podAnnotations:
    reloader.stakater.com/search: "true"
2026-02-22 21:30:25 +00:00
  statefulSet:
    replicaCount: 1
  image:
    registry: docker.io
    repository: woodpeckerci/woodpecker-server
2026-02-23 20:14:30 +00:00
    tag: "v3.13.0"
2026-03-17 07:39:29 +00:00
  extraSecretNamesForEnvFrom:
    - woodpecker-db-creds
2026-02-22 21:30:25 +00:00
  env:
    WOODPECKER_HOST: "https://ci.viktorbarzin.me"
2026-03-15 22:23:36 +00:00
add generic multi-user cluster onboarding system
Data-driven user onboarding: add a JSON entry to Vault KV k8s_users,
apply vault + platform + woodpecker stacks, and everything is auto-generated.
Vault stack: namespace creation, per-user Vault policies with secret isolation
via identity entities/aliases, K8s deployer roles, CI policy update.
Platform stack: domains field in k8s_users type, TLS secrets per user namespace,
user domains merged into Cloudflare DNS, user-roles ConfigMap mounted in portal.
Woodpecker stack: admin list auto-generated from k8s_users, WOODPECKER_OPEN=true.
K8s-portal: dual-track onboarding (general/namespace-owner), namespace-owner
dashboard with Vault/kubectl commands, setup script adds Vault+Terraform+Terragrunt,
contributing page with CI pipeline template, versioned image tags in CI pipeline.
New: stacks/_template/ with copyable stack template for namespace-owners.
    WOODPECKER_ADMIN: "${woodpecker_admins}"
    WOODPECKER_OPEN: "true"
2026-02-22 21:30:25 +00:00
    WOODPECKER_GITHUB: "true"
2026-02-24 23:02:33 +00:00
    WOODPECKER_GITHUB_URL: "https://github.com"
2026-02-22 21:30:25 +00:00
    WOODPECKER_GITHUB_CLIENT: "${github_client_id}"
    WOODPECKER_GITHUB_SECRET: "${github_client_secret}"
    WOODPECKER_AGENT_SECRET: "${agent_secret}"
    WOODPECKER_DATABASE_DRIVER: "postgres"
    WOODPECKER_PLUGINS_PRIVILEGED: "woodpeckerci/plugin-docker-buildx,plugins/docker"
2026-02-23 19:38:55 +00:00
    WOODPECKER_PLUGINS_TRUSTED_CLONE: "woodpeckerci/plugin-git,alpine"
2026-02-22 21:30:25 +00:00
    WOODPECKER_LOG_LEVEL: "info"
2026-02-24 23:02:33 +00:00
    WOODPECKER_FORGEJO: "true"
    WOODPECKER_FORGEJO_CLIENT: "${forgejo_client_id}"
    WOODPECKER_FORGEJO_SECRET: "${forgejo_client_secret}"
    WOODPECKER_FORGEJO_URL: "${forgejo_url}"
2026-02-22 21:30:25 +00:00
  service:
    type: ClusterIP
    port: 80
  # Disable built-in ingress (using ingress_factory)
  ingress:
    enabled: false
  # Disable PVC (using PostgreSQL instead of SQLite)
  persistence:
    enabled: false

agent:
  enabled: true
2026-03-15 19:05:04 +00:00
  podAnnotations:
    reloader.stakater.com/search: "true"
2026-02-22 21:30:25 +00:00
  replicaCount: 2
  image:
    registry: docker.io
    repository: woodpeckerci/woodpecker-agent
2026-02-23 20:14:30 +00:00
    tag: "v3.13.0"
2026-02-22 21:30:25 +00:00
  env:
    WOODPECKER_BACKEND: "kubernetes"
    WOODPECKER_BACKEND_K8S_NAMESPACE: "woodpecker"
    WOODPECKER_MAX_WORKFLOWS: "2"
    WOODPECKER_AGENT_SECRET: "${agent_secret}"
  persistence:
    enabled: false
  rbac:
    create: true
  serviceAccount:
    create: true
    name: "woodpecker-agent"