viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

forgejo pulls: route *.viktorbarzin.me to Technitium, drop /etc/hosts pins [ci skip]

Browse source 
Supersedes this morning's per-node /etc/hosts pin (no hardcoded service
IPs on nodes, per Viktor). Technitium's split-horizon zone already
resolves forgejo.viktorbarzin.me -> CNAME apex -> live Traefik LB IP
(ingress-dns-sync auto-CNAMEs every ingress host; apex drift probe
alerts) -- the nodes just never queried it. Rolled the devvm's
systemd-resolved routing-domain pattern (~viktorbarzin.me ->
10.0.20.201) to all 7 nodes, removed the pins, verified getent +
crictl pull via pure DNS.

Also demoted node5/6's cloud-init global-dns.conf (DNS=8.8.8.8 1.1.1.1)
to FallbackDNS-only: public servers in the global set race the routing
domain. Its justification ("Technitium NXDOMAINs forgejo") was obsolete
-- exactly the stale comment that pointed new nodes at the hairpin.

hosts.toml mirror kept but documented as vestigial (Traefik 404s
bare-IP requests; registry auth realm is an absolute URL).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-06-10 07:56:31 +00:00
parent b6976ce014
commit 1ee1bf0817
7 changed files with 135 additions and 66 deletions
Download patch file Download diff file Expand all files Collapse all files

14
docs/runbooks/forgejo-registry-setup.md
View file

@ -119,9 +119,9 @@ cd infra/stacks/kyverno && scripts/tg apply
cd infra/stacks/monitoring && scripts/tg apply
cd infra/stacks/forgejo && scripts/tg apply
# Containerd hosts.toml + /etc/hosts pin on each existing k8s node — VM
# cloud-init only fires on first boot. The /etc/hosts pin
# (10.0.20.203 forgejo.viktorbarzin.me) is what makes pulls hairpin-proof:
# Resolved routing domain (+ vestigial containerd hosts.toml) on each
# existing k8s node — VM cloud-init only fires on first boot. The routing
# domain (~viktorbarzin.me -> Technitium) is what makes pulls hairpin-proof:
# the hosts.toml mirror alone falls back to public DNS (Traefik 404s its
# bare-IP requests, and the registry auth realm is an absolute public URL).
infra/scripts/setup-forgejo-containerd-mirror.sh
@ -138,9 +138,11 @@ docker pull alpine:3.20
docker tag alpine:3.20 forgejo.viktorbarzin.me/viktor/smoketest:1
docker push forgejo.viktorbarzin.me/viktor/smoketest:1
# Per-node pull path: pin present + name resolves internally + pull works.
ssh wizard@<node> 'grep forgejo-internal-pin /etc/hosts && getent hosts forgejo.viktorbarzin.me'
# Expect: 10.0.20.203 forgejo.viktorbarzin.me
# Per-node pull path: routing domain active + name resolves to the live
# Traefik LB (via Technitium split-horizon zone) + pull works.
ssh wizard@<node> 'resolvectl status | grep -A2 "~viktorbarzin.me"; getent hosts forgejo.viktorbarzin.me'
# Expect: DNS Domain ~viktorbarzin.me on server 10.0.20.201, and
# getent -> the current Traefik LB IP (10.0.20.203 today)
ssh wizard@<node> sudo crictl pull forgejo.viktorbarzin.me/viktor/smoketest:1
# Confirm the cluster-wide Secret was synced into a fresh namespace.