From 874f80ecbe2df9f640018e69a80e9d8700c4add9 Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Thu, 7 May 2026 17:18:57 +0000 Subject: [PATCH] [woodpecker] Persist hostAliases patch via null_resource (chart doesn't expose it) Helm chart 3.5.1 has no `server.hostAliases` field, so the YAML addition I made earlier was a no-op. Apply via kubectl patch in a null_resource keyed on helm revision so it re-asserts on every chart upgrade. Same pattern as the CoreDNS replicas/affinity patch in stacks/technitium/. Without this, every helm upgrade on woodpecker reverts the hostAliases fix and the Forgejo pipeline triggers start failing with context-deadline-exceeded again. Co-Authored-By: Claude Opus 4.7
---
stacks/woodpecker/main.tf | 25 +++++++++++++++++++++++++ stacks/woodpecker/values.yaml | 17 ++++++----------- 2 files changed, 31 insertions(+), 11 deletions(-)
diff --git a/stacks/woodpecker/main.tf b/stacks/woodpecker/main.tf
index 58b105af..7ac2cfda 100644
--- a/stacks/woodpecker/main.tf
+++ b/stacks/woodpecker/main.tf
@@ -172,6 +172,31 @@ resource "helm_release" "woodpecker" {
 depends_on = [kubernetes_manifest.db_external_secret]
 }
+# Patch hostAliases onto the woodpecker-server StatefulSet — the chart 3.5.1
+# does NOT expose this field, so we have to do it after the helm release.
+# Keeps the OAuth/forge-API path off the WAN gateway (forgejo.viktorbarzin.me
+# resolves to the public IP via DNS, which round-trips through Cloudflare
+# and routinely tripped 30s context-deadline timeouts when fetching pipeline
+# config). 10.0.20.200 is the Traefik LB that fronts forgejo internally;
+# Traefik serves the *.viktorbarzin.me wildcard so SNI verification still
+# passes.
+resource "null_resource" "woodpecker_server_host_alias" {
+ triggers = {
+ helm_revision = helm_release.woodpecker.metadata[0].revision
+ }
+
+ provisioner "local-exec" {
+ command = <<-BASH
+ set -euo pipefail
+ kubectl -n woodpecker patch statefulset/woodpecker-server --type=strategic --patch '{"spec":{"template":{"spec":{"hostAliases":[{"ip":"10.0.20.200","hostnames":["forgejo.viktorbarzin.me"]}]}}}}'
+ kubectl -n woodpecker rollout status statefulset/woodpecker-server --timeout=120s
+ BASH
+ interpreter = ["/bin/bash", "-c"]
+ }
+
+ depends_on = [helm_release.woodpecker]
+}
+
 # ClusterRoleBinding - build pods need cluster-admin to PATCH deployments across namespaces
 resource "kubernetes_cluster_role_binding" "woodpecker" {
 metadata {
diff --git a/stacks/woodpecker/values.yaml b/stacks/woodpecker/values.yaml
index 03e0881c..71e4361b 100644
--- a/stacks/woodpecker/values.yaml
+++ b/stacks/woodpecker/values.yaml
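Review bot: The `kubectl` calls in the local-exec provisioner run against whatever kubeconfig/context the operator's shell happens to carry, while the `helm_release` above is applied through the provider's own configured connection; on a workstation with several contexts the patch can land on a different cluster than the release, and the failure mode is a silent drift rather than an error. If the provider credentials are derived from a variable or local (not visible in this hunk), pass the same source explicitly, e.g. `kubectl --context "<CONTEXT_PLACEHOLDER>" -n woodpecker …`, or export `KUBECONFIG` in the `environment` map of the provisioner. Separately, the patch body is a hand-written JSON string that Terraform cannot validate and that duplicates the IP and hostname already quoted in the comment and in values.yaml; building it with `jsonencode()` from a `locals` block keeps the two in one place and catches a malformed patch at plan time instead of at apply time. The rewritten command lines below are the only change; the resource header, `triggers`, `interpreter` and `depends_on` stay as committed.
```hcl
locals {
  forgejo_internal_ip = "10.0.20.200"            # Traefik LB fronting forgejo in-cluster
  forgejo_host        = "forgejo.viktorbarzin.me"
}
# … unchanged: resource "null_resource" "woodpecker_server_host_alias", triggers …
    command = <<-BASH
      set -euo pipefail
      kubectl -n woodpecker patch statefulset/woodpecker-server --type=strategic --patch '${jsonencode({
        spec = { template = { spec = { hostAliases = [{ ip = local.forgejo_internal_ip, hostnames = [local.forgejo_host] }] } } }
      })}'
      kubectl -n woodpecker rollout status statefulset/woodpecker-server --timeout=120s
    BASH
# … unchanged: interpreter, depends_on …
```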
@@ -4,17 +4,12 @@ server:
 reloader.stakater.com/search: "true"
 statefulSet:
 replicaCount: 1
- # Pin forgejo.viktorbarzin.me to the in-cluster Traefik LB so the
- # forge-API fetch path never round-trips through Cloudflare. Without
- # this, OAuth/HTTP requests hit 30s context-deadline timeouts on cold
- # DNS / TLS handshakes through the WAN gateway, which fails every
- # pipeline trigger ("could not load config from forge: context
- # deadline exceeded"). Traefik serves the wildcard cert so SNI
- # verification still passes.
- hostAliases:
- - ip: "10.0.20.200"
- hostnames:
- - "forgejo.viktorbarzin.me"
+ # NOTE: hostAliases is NOT exposed by the woodpecker Helm chart (3.5.1 verified) —
+ # see main.tf null_resource.woodpecker_server_host_alias which applies the same
+ # via `kubectl patch` post-helm. Pinned to the in-cluster Traefik LB
+ # (10.0.20.200) so the forge-API fetch path never round-trips through
+ # Cloudflare ("context deadline exceeded" was failing every Forgejo
+ # pipeline trigger).
 image:
 registry: docker.io
 repository: woodpeckerci/woodpecker-server