viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

technitium: CoreDNS rewrite forgejo.viktorbarzin.me -> Traefik ClusterIP

Browse source 
In-cluster pods resolved forgejo.viktorbarzin.me to the public IP
(176.12.22.76) and hairpinned out through the WAN gateway, intermittently
timing out buildkit pushes from Woodpecker build pods (which, unlike
kubelet, don't use the per-node containerd Forgejo mirror). This silently
failed CI build-and-push for Forgejo-hosted repos (recruiter-responder
pipelines #15-#18 at the push step).

Add a CoreDNS `rewrite name exact forgejo.viktorbarzin.me
traefik.traefik.svc.cluster.local` so pods resolve to the Traefik ClusterIP
(reachable in-cluster, unlike the ETP=Local LB .203; the Service-name target
auto-tracks the ClusterIP so it can't rot on a Traefik renumber). Traefik's
*.viktorbarzin.me wildcard keeps SNI/TLS valid. Makes the per-pod
woodpecker-server hostAlias belt-and-suspenders.

Applied via targeted apply (coredns ConfigMap only, to avoid reconciling 7
unrelated pre-existing drifts in the stack) + verified:
- pod resolves forgejo.viktorbarzin.me -> 10.111.111.95 (Traefik ClusterIP)
- recruiter-responder pipeline #20 build-and-push succeeds via ClusterIP

Docs: networking.md (K8s cluster DNS path) + .claude/CLAUDE.md (forgejo
registry quick-ref). Advances beads code-yh33.

[ci skip]

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-06-04 07:34:30 +00:00
parent 7302cd7908
commit 98f29edf34
3 changed files with 11 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

9
stacks/technitium/modules/technitium/main.tf
View file

@ -60,6 +60,15 @@ resource "kubernetes_config_map" "coredns" {
fallthrough in-addr.arpa ip6.arpa
ttl 30
}
# Pin forgejo.viktorbarzin.me to the in-cluster Traefik Service so pod
# builds/pulls/pushes resolve to its ClusterIP, not the public IP that
# hairpins through the WAN gateway and intermittently times out buildkit
# pushes (woodpecker build pods don't use the node containerd mirror that
# fixes kubelet pulls). Service-name target auto-tracks the ClusterIP (no
# rot); Traefik's *.viktorbarzin.me wildcard keeps SNI/TLS valid. The
# woodpecker-server hostAlias (main.tf) becomes belt-and-suspenders.
# (beads code-yh33 in-cluster *.viktorbarzin.me hairpin)
rewrite name exact forgejo.viktorbarzin.me traefik.traefik.svc.cluster.local
prometheus :9153
forward . 10.0.20.1 8.8.8.8 1.1.1.1 {
policy sequential