2026-02-22 21:30:25 +00:00
server:
  enabled: true

migrate consuming stacks to ESO + remove k8s-dashboard static token
Phase 9: ExternalSecret migration across 26 stacks:
Fully migrated (vault data source removed, ESO delivers secrets):
- speedtest, shadowsocks, wealthfolio, plotting-book, f1-stream, tandoor
- n8n, dawarich, diun, netbox, onlyoffice, tuya-bridge
- hackmd (ESO template for DB URL), health (ESO template for DB URL)
- trading-bot (ESO template for DATABASE_URL + 7 secret env vars)
- forgejo (removed unused vault data source)
Partially migrated (vault kept for plan-time, ESO added for runtime):
- immich, linkwarden, nextcloud, paperless-ngx (jsondecode for homepage)
- claude-memory, rybbit, url, webhook_handler (plan-time in locals/jobs)
- woodpecker, openclaw, resume (plan-time in helm values/jobs/modules)
17 stacks unchanged (all plan-time: homepage annotations, configmaps,
module inputs) — vault data source works with OIDC auth.
Phase 17a: Remove k8s-dashboard static admin token secret.
Users now get tokens via: vault write kubernetes/creds/dashboard-admin
2026-03-15 19:05:04 +00:00
  podAnnotations:
    reloader.stakater.com/search: "true"

2026-02-22 21:30:25 +00:00
  statefulSet:
    replicaCount: 1

2026-05-07 17:18:57 +00:00
  # NOTE: hostAliases is NOT exposed by the woodpecker Helm chart (3.5.1 verified) —
  # see main.tf null_resource.woodpecker_server_host_alias which applies the same
  # via `kubectl patch` post-helm. Pinned to the in-cluster Traefik LB
  # (10.0.20.200) so the forge-API fetch path never round-trips through
  # Cloudflare ("context deadline exceeded" was failing every Forgejo
  # pipeline trigger).

2026-02-22 21:30:25 +00:00
  image:
    registry: docker.io
    repository: woodpeckerci/woodpecker-server

2026-05-07 22:28:56 +00:00
    # Bumped 2026-05-07 from v3.13.0 → v3.14.0 to fix the
    # "could not load config from forge: context deadline exceeded"
    # issue when fetching .woodpecker.yml from Forgejo.
    tag: "v3.14.0"

2026-03-17 07:39:29 +00:00
  extraSecretNamesForEnvFrom:
    - woodpecker-db-creds

2026-02-22 21:30:25 +00:00
  env:
    WOODPECKER_HOST: "https://ci.viktorbarzin.me"

add generic multi-user cluster onboarding system
Data-driven user onboarding: add a JSON entry to Vault KV k8s_users,
apply vault + platform + woodpecker stacks, and everything is auto-generated.
Vault stack: namespace creation, per-user Vault policies with secret isolation
via identity entities/aliases, K8s deployer roles, CI policy update.
Platform stack: domains field in k8s_users type, TLS secrets per user namespace,
user domains merged into Cloudflare DNS, user-roles ConfigMap mounted in portal.
Woodpecker stack: admin list auto-generated from k8s_users, WOODPECKER_OPEN=true.
K8s-portal: dual-track onboarding (general/namespace-owner), namespace-owner
dashboard with Vault/kubectl commands, setup script adds Vault+Terraform+Terragrunt,
contributing page with CI pipeline template, versioned image tags in CI pipeline.
New: stacks/_template/ with copyable stack template for namespace-owners.
2026-03-15 22:23:36 +00:00
    WOODPECKER_ADMIN: "${woodpecker_admins}"
    WOODPECKER_OPEN: "true"

2026-02-22 21:30:25 +00:00
    WOODPECKER_GITHUB: "true"

2026-02-24 23:02:33 +00:00
    WOODPECKER_GITHUB_URL: "https://github.com"

2026-02-22 21:30:25 +00:00
    WOODPECKER_GITHUB_CLIENT: "${github_client_id}"
    WOODPECKER_GITHUB_SECRET: "${github_client_secret}"
    WOODPECKER_AGENT_SECRET: "${agent_secret}"
    WOODPECKER_DATABASE_DRIVER: "postgres"
    WOODPECKER_PLUGINS_PRIVILEGED: "woodpeckerci/plugin-docker-buildx,plugins/docker"

2026-02-23 19:38:55 +00:00
    WOODPECKER_PLUGINS_TRUSTED_CLONE: "woodpeckerci/plugin-git,alpine"

2026-02-22 21:30:25 +00:00
    WOODPECKER_LOG_LEVEL: "info"

2026-02-24 23:02:33 +00:00
    WOODPECKER_FORGEJO: "true"
    WOODPECKER_FORGEJO_CLIENT: "${forgejo_client_id}"
    WOODPECKER_FORGEJO_SECRET: "${forgejo_client_secret}"
    WOODPECKER_FORGEJO_URL: "${forgejo_url}"

2026-05-07 23:10:48 +00:00
    # Default is 3s (cmd/server/flags.go @ default `--forge-timeout`).
    # Forgejo responses on this cluster spike to 1-2s under load and the
    # config-loader makes 4-6 sequential calls (.woodpecker dir, .woodpecker.yaml,
    # .woodpecker.yml, raw .woodpecker/build.yml, etc.); occasionally the cumulative
    # overhead trips the 3s deadline → "could not load config from forge: context
    # deadline exceeded" on every pipeline. 30s removes the false-positive timeouts
    # without regressing the legitimate-failure detection window meaningfully.
    WOODPECKER_FORGE_TIMEOUT: "30s"

2026-02-22 21:30:25 +00:00
  service:
    type: ClusterIP
    port: 80
  # Disable built-in ingress (using ingress_factory)
  ingress:
    enabled: false
  # Disable PVC (using PostgreSQL instead of SQLite)

truenas deprecation: migrate all non-immich storage to proxmox NFS
- Migrate 7 backup CronJobs to Proxmox host NFS (192.168.1.127)
  (etcd, mysql, postgresql, nextcloud, redis, vaultwarden, plotting-book)
- Migrate headscale backup, ebook2audiobook, osm_routing to Proxmox NFS
- Migrate servarr (lidarr, readarr, soulseek) NFS refs to Proxmox
- Remove 79 orphaned TrueNAS NFS module declarations from 49 stacks
- Delete stacks/platform/modules/ (27 dead module copies, 65MB)
- Update nfs-truenas StorageClass to point to Proxmox (192.168.1.127)
- Remove iscsi DNS record from config.tfvars
- Fix woodpecker persistence config and alertmanager PV
Only Immich (8 PVCs, ~1.4TB) remains on TrueNAS.
2026-04-12 14:35:39 +01:00
  # Note: the correct key is persistentVolume, not persistence
  persistentVolume:

2026-02-22 21:30:25 +00:00
    enabled: false

agent:
  enabled: true

2026-03-15 19:05:04 +00:00
  podAnnotations:
    reloader.stakater.com/search: "true"

2026-02-22 21:30:25 +00:00
  replicaCount: 2
  image:
    registry: docker.io
    repository: woodpeckerci/woodpecker-agent

2026-05-07 22:28:56 +00:00
    tag: "v3.14.0"

2026-02-22 21:30:25 +00:00
  env:
    WOODPECKER_BACKEND: "kubernetes"
    WOODPECKER_BACKEND_K8S_NAMESPACE: "woodpecker"

2026-04-15 14:41:08 +00:00
    WOODPECKER_BACKEND_K8S_PULL_SECRET_NAMES: "registry-credentials"

2026-02-22 21:30:25 +00:00
    WOODPECKER_MAX_WORKFLOWS: "2"
    WOODPECKER_AGENT_SECRET: "${agent_secret}"
  persistence:
    enabled: false
  rbac:
    create: true
  serviceAccount:
    create: true
    name: "woodpecker-agent"
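The values file above carries two classes of mistake that Helm does not report: a key the chart does not know (the `persistence` vs `persistentVolume` note, and `hostAliases`, which the chart does not expose at all) is dropped silently, and a shared secret such as WOODPECKER_AGENT_SECRET that differs between server and agent only shows up as agents never picking up work. The following pre-deploy check is an added example, not code from the repository or the Woodpecker chart. The KNOWN_SERVER_KEYS and KNOWN_AGENT_KEYS sets are an assumption taken from the keys the file above uses; in practice the input dict comes from yaml.safe_load() on the rendered values, and the two sample dicts here are constructed.

```python
"""Lint a rendered Woodpecker Helm values document before `helm upgrade`.

Added example, not code from the page's repository or the Woodpecker chart.
KNOWN_SERVER_KEYS / KNOWN_AGENT_KEYS are an assumption: the keys the page's
values file uses, plus the page's own note that `persistence` under `server`
is silently ignored (the chart key is `persistentVolume`). Load real input
with yaml.safe_load(); the dicts below are constructed samples.
"""
import difflib
import re

KNOWN_SERVER_KEYS = {
    "enabled", "podAnnotations", "statefulSet", "image",
    "extraSecretNamesForEnvFrom", "env", "service", "ingress", "persistentVolume",
}
KNOWN_AGENT_KEYS = {
    "enabled", "podAnnotations", "replicaCount", "image", "env",
    "persistence", "rbac", "serviceAccount",
}
# plugins the page grants privileged mode to; anything else is a finding
PRIVILEGED_ALLOWLIST = {"woodpeckerci/plugin-docker-buildx", "plugins/docker"}
PLACEHOLDER_RE = re.compile(r"\$\{[^}]*\}")  # unrendered templatefile() reference


def check_values(values, privileged_allowlist=PRIVILEGED_ALLOWLIST):
    """Return human-readable findings; an empty list means the values look sane."""
    findings = []
    # 1. keys the chart does not know are dropped without any error from helm
    for section, known in (("server", KNOWN_SERVER_KEYS), ("agent", KNOWN_AGENT_KEYS)):
        for key in values.get(section, {}):
            if key not in known:
                msg = f"{section}.{key}: not a known chart key, helm will silently ignore it"
                hint = difflib.get_close_matches(key, sorted(known), n=1, cutoff=0.6)
                if hint:
                    msg += f" (did you mean {hint[0]}?)"
                findings.append(msg)
    server_env = values.get("server", {}).get("env", {})
    agent_env = values.get("agent", {}).get("env", {})
    # 2. agents authenticate to the server with this shared secret
    if server_env.get("WOODPECKER_AGENT_SECRET") != agent_env.get("WOODPECKER_AGENT_SECRET"):
        findings.append("WOODPECKER_AGENT_SECRET differs between server.env and agent.env")
    # 3. secret-bearing variables must be rendered, non-empty values
    for section, env in (("server", server_env), ("agent", agent_env)):
        for key, val in env.items():
            if key.endswith("_SECRET") and (not val or PLACEHOLDER_RE.search(str(val))):
                findings.append(f"{section}.env.{key}: empty or unrendered ${{...}} placeholder")
    # 4. privileged plugins run outside the step sandbox; keep the list explicit
    raw = server_env.get("WOODPECKER_PLUGINS_PRIVILEGED", "")
    for plugin in filter(None, (p.strip() for p in raw.split(","))):
        if plugin not in privileged_allowlist:
            findings.append(f"privileged plugin not on the allowlist: {plugin}")
    # 5. open registration is acceptable only with an explicit admin list
    if server_env.get("WOODPECKER_OPEN") == "true" and not server_env.get("WOODPECKER_ADMIN"):
        findings.append("WOODPECKER_OPEN=true but WOODPECKER_ADMIN is empty")
    return findings


# constructed sample: the page's layout with the ${...} placeholders rendered
GOOD_VALUES = {
    "server": {
        "enabled": True,
        "persistentVolume": {"enabled": False},
        "env": {
            "WOODPECKER_OPEN": "true",
            "WOODPECKER_ADMIN": "alice,bob",
            "WOODPECKER_AGENT_SECRET": "constructed-agent-secret",
            "WOODPECKER_GITHUB_SECRET": "constructed-oauth-secret",
            "WOODPECKER_PLUGINS_PRIVILEGED": "woodpeckerci/plugin-docker-buildx,plugins/docker",
        },
    },
    "agent": {"enabled": True, "env": {"WOODPECKER_AGENT_SECRET": "constructed-agent-secret"}},
}

# constructed sample reproducing the misnamed key the page's commit fixed,
# plus an unrendered placeholder, a mismatched agent secret, an unreviewed
# privileged plugin and open registration without admins
BAD_VALUES = {
    "server": {
        "enabled": True,
        "persistence": {"enabled": False},
        "env": {
            "WOODPECKER_OPEN": "true",
            "WOODPECKER_ADMIN": "",
            "WOODPECKER_AGENT_SECRET": "${agent_secret}",
            "WOODPECKER_PLUGINS_PRIVILEGED": "plugins/docker,constructed/unreviewed-plugin",
        },
    },
    "agent": {"enabled": True, "env": {"WOODPECKER_AGENT_SECRET": "other"}},
}

if __name__ == "__main__":
    for name, doc in (("good", GOOD_VALUES), ("bad", BAD_VALUES)):
        print(name, check_values(doc) or "ok")
```

Run it against the output of `terraform console`/`templatefile` rendering (or any rendered values file) before `helm upgrade`; the unknown-key check is the one that would have caught the `persistence` key the 2026-04-12 commit had to fix, and the close-match hint points straight at `persistentVolume`.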