From 00fc0cf5bbe968ea7d2585196bb4c22b94414336 Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Thu, 7 May 2026 17:13:51 +0000 Subject: [PATCH] [woodpecker] Pin forgejo.viktorbarzin.me to in-cluster Traefik LB MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Pipeline triggers from Forgejo were failing with "could not load config from forge: context deadline exceeded" — Woodpecker's forge-API fetch path was round-tripping through Cloudflare via the public IP, hitting 30s deadline timeouts on cold connections. The in-cluster path via the Traefik LB (10.0.20.200) is consistently sub-100ms. Same trick we use for the containerd hosts.toml redirect on each node — Traefik serves the *.viktorbarzin.me wildcard cert so SNI verification still passes. OAuth callbacks still use the public hostname (correct, those come from the user's browser). Co-Authored-By: Claude Opus 4.7
---
 stacks/woodpecker/values.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/stacks/woodpecker/values.yaml b/stacks/woodpecker/values.yaml
index 2a2f8615..03e0881c 100644
--- a/stacks/woodpecker/values.yaml
+++ b/stacks/woodpecker/values.yaml
@@ -4,6 +4,17 @@ server:
 reloader.stakater.com/search: "true"
 statefulSet:
 replicaCount: 1
+ # Pin forgejo.viktorbarzin.me to the in-cluster Traefik LB so the
+ # forge-API fetch path never round-trips through Cloudflare. Without
+ # this, OAuth/HTTP requests hit 30s context-deadline timeouts on cold
+ # DNS / TLS handshakes through the WAN gateway, which fails every
+ # pipeline trigger ("could not load config from forge: context
+ # deadline exceeded"). Traefik serves the wildcard cert so SNI
+ # verification still passes.
+ hostAliases:
+ - ip: "10.0.20.200"
+ hostnames:
+ - "forgejo.viktorbarzin.me"
 image:
 registry: docker.io
 repository: woodpeckerci/woodpecker-server
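Review bot: The `hostAliases` entry hard-codes `10.0.20.200` with nothing in the file tying it to the Traefik LB's real address, so once this lands the pod no longer consults DNS for `forgejo.viktorbarzin.me` and the forge client's certificate check is the only thing confirming it is talking to Forgejo. If that address is ever reassigned, forge calls will either fail or reach a different service, and the comment gives the next maintainer no hint where to look. I would extend the comment with something like `# 10.0.20.200 = Traefik LB IP, keep in sync with <where the LB IP is assigned>; safe only while TLS verification stays enabled for the forge client.` The phrase "SNI verification" in the last comment line is also imprecise: SNI only selects which certificate Traefik presents, and what passes is the client's hostname check against the wildcard cert. The `server:` mapping begins and ends outside the hunk, so whether the chart actually renders `server.hostAliases` into the pod spec cannot be confirmed from here.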