[ci skip] Add Woodpecker CI stack (WIP) and claude agents

- Add stacks/woodpecker/ with Helm-based deployment config - Add .woodpecker/ CI pipeline configs (default, build-cli, renew-tls) - Add NFS export entry for woodpecker - Add .claude/agents/ definitions
2026-02-22 21:30:25 +00:00 · 2026-02-22 21:30:25 +00:00 · cbf041bcc9
commit cbf041bcc9
parent c4db6a9fdb
10 changed files with 1469 additions and 0 deletions
--- a/stacks/woodpecker/main.tf
+++ b/stacks/woodpecker/main.tf
@ -0,0 +1,183 @@
+variable "tls_secret_name" { type = string }
+variable "woodpecker_github_client_id" { type = string }
+variable "woodpecker_github_client_secret" { type = string }
+variable "woodpecker_agent_secret" { type = string }
+variable "woodpecker_db_password" { type = string }
+variable "dbaas_postgresql_root_password" { type = string }
+
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
+
+resource "kubernetes_namespace" "woodpecker" {
+  metadata {
+    name = "woodpecker"
+    labels = {
+      "resource-governance/custom-quota" = "true"
+      tier                               = local.tiers.edge
+    }
+  }
+}
+
+resource "kubernetes_resource_quota" "woodpecker" {
+  metadata {
+    name      = "tier-quota"
+    namespace = kubernetes_namespace.woodpecker.metadata[0].name
+  }
+  spec {
+    hard = {
+      "requests.cpu"    = "16"
+      "requests.memory" = "16Gi"
+      "limits.cpu"      = "64"
+      "limits.memory"   = "128Gi"
+      pods              = "60"
+    }
+  }
+}
+
+module "tls_secret" {
+  source          = "../../modules/kubernetes/setup_tls_secret"
+  namespace       = kubernetes_namespace.woodpecker.metadata[0].name
+  tls_secret_name = var.tls_secret_name
+}
+
+resource "kubernetes_config_map" "git_crypt_key" {
+  metadata {
+    name      = "git-crypt-key"
+    namespace = kubernetes_namespace.woodpecker.metadata[0].name
+  }
+
+  data = {
+    "key" = filebase64("${path.root}/../../.git/git-crypt/keys/default")
+  }
+}
+
+# Database init job - creates the woodpecker database and user in PostgreSQL
+resource "kubernetes_job" "db_init" {
+  metadata {
+    name      = "woodpecker-db-init"
+    namespace = kubernetes_namespace.woodpecker.metadata[0].name
+  }
+  spec {
+    template {
+      metadata {}
+      spec {
+        container {
+          name  = "db-init"
+          image = "postgres:16-alpine"
+          command = [
+            "sh", "-c",
+            <<-EOT
+              set -e
+              # Create user if not exists
+              PGPASSWORD='${var.dbaas_postgresql_root_password}' psql -h postgresql.dbaas.svc.cluster.local -U root -tc "SELECT 1 FROM pg_roles WHERE rolname='woodpecker'" | grep -q 1 || \
+                PGPASSWORD='${var.dbaas_postgresql_root_password}' psql -h postgresql.dbaas.svc.cluster.local -U root -c "CREATE ROLE woodpecker WITH LOGIN PASSWORD '${var.woodpecker_db_password}'"
+              # Create database if not exists
+              PGPASSWORD='${var.dbaas_postgresql_root_password}' psql -h postgresql.dbaas.svc.cluster.local -U root -tc "SELECT 1 FROM pg_database WHERE datname='woodpecker'" | grep -q 1 || \
+                PGPASSWORD='${var.dbaas_postgresql_root_password}' psql -h postgresql.dbaas.svc.cluster.local -U root -c "CREATE DATABASE woodpecker OWNER woodpecker"
+              echo "Database init complete"
+            EOT
+          ]
+        }
+        restart_policy = "Never"
+      }
+    }
+    backoff_limit = 3
+  }
+  wait_for_completion = true
+  timeouts {
+    create = "2m"
+  }
+}
+
+# NFS PV for Woodpecker server data (Helm chart creates PVC via StatefulSet VCT)
+resource "kubernetes_persistent_volume" "woodpecker_server_data" {
+  metadata {
+    name = "woodpecker-server-data"
+  }
+  spec {
+    capacity = {
+      storage = "10Gi"
+    }
+    access_modes = ["ReadWriteOnce"]
+    persistent_volume_source {
+      nfs {
+        server = "10.0.10.15"
+        path   = "/mnt/main/woodpecker"
+      }
+    }
+    claim_ref {
+      name      = "data-woodpecker-server-0"
+      namespace = kubernetes_namespace.woodpecker.metadata[0].name
+    }
+  }
+}
+
+# Helm release for Woodpecker CI
+resource "helm_release" "woodpecker" {
+  name       = "woodpecker"
+  namespace  = kubernetes_namespace.woodpecker.metadata[0].name
+  repository = "oci://ghcr.io/woodpecker-ci/helm"
+  chart      = "woodpecker"
+  version    = "3.5.1"
+
+  values = [
+    templatefile("${path.module}/values.yaml", {
+      github_client_id     = var.woodpecker_github_client_id
+      github_client_secret = var.woodpecker_github_client_secret
+      agent_secret         = var.woodpecker_agent_secret
+      db_password          = var.woodpecker_db_password
+    })
+  ]
+
+  timeout    = 600
+  depends_on = [kubernetes_job.db_init, kubernetes_persistent_volume.woodpecker_server_data]
+}
+
+# ClusterRoleBinding - build pods need cluster-admin to PATCH deployments across namespaces
+resource "kubernetes_cluster_role_binding" "woodpecker" {
+  metadata {
+    name = "woodpecker"
+  }
+  subject {
+    kind      = "ServiceAccount"
+    name      = "woodpecker-agent"
+    namespace = kubernetes_namespace.woodpecker.metadata[0].name
+  }
+  role_ref {
+    kind      = "ClusterRole"
+    name      = "cluster-admin"
+    api_group = "rbac.authorization.k8s.io"
+  }
+}
+
+# Also bind the default SA (pipeline pods run as default)
+resource "kubernetes_cluster_role_binding" "woodpecker_default" {
+  metadata {
+    name = "woodpecker-default"
+  }
+  subject {
+    kind      = "ServiceAccount"
+    name      = "default"
+    namespace = kubernetes_namespace.woodpecker.metadata[0].name
+  }
+  role_ref {
+    kind      = "ClusterRole"
+    name      = "cluster-admin"
+    api_group = "rbac.authorization.k8s.io"
+  }
+}
+
+module "ingress" {
+  source          = "../../modules/kubernetes/ingress_factory"
+  namespace       = kubernetes_namespace.woodpecker.metadata[0].name
+  name            = "ci"
+  service_name    = "woodpecker-server"
+  tls_secret_name = var.tls_secret_name
+}
--- a/stacks/woodpecker/secrets
+++ b/stacks/woodpecker/secrets
@ -0,0 +1 @@
+../../secrets
--- a/stacks/woodpecker/terragrunt.hcl
+++ b/stacks/woodpecker/terragrunt.hcl
@ -0,0 +1,8 @@
+include "root" {
+  path = find_in_parent_folders()
+}
+
+dependency "platform" {
+  config_path  = "../platform"
+  skip_outputs = true
+}
--- a/stacks/woodpecker/values.yaml
+++ b/stacks/woodpecker/values.yaml
@ -0,0 +1,49 @@
+server:
+  enabled: true
+  statefulSet:
+    replicaCount: 1
+  image:
+    registry: docker.io
+    repository: woodpeckerci/woodpecker-server
+    tag: "v3.5.1"
+  env:
+    WOODPECKER_HOST: "https://ci.viktorbarzin.me"
+    WOODPECKER_ADMIN: "ViktorBarzin"
+    WOODPECKER_OPEN: "false"
+    WOODPECKER_GITHUB: "true"
+    WOODPECKER_GITHUB_CLIENT: "${github_client_id}"
+    WOODPECKER_GITHUB_SECRET: "${github_client_secret}"
+    WOODPECKER_AGENT_SECRET: "${agent_secret}"
+    WOODPECKER_DATABASE_DRIVER: "postgres"
+    WOODPECKER_DATABASE_DATASOURCE: "postgres://woodpecker:${db_password}@postgresql.dbaas.svc.cluster.local:5432/woodpecker?sslmode=disable"
+    WOODPECKER_PLUGINS_PRIVILEGED: "woodpeckerci/plugin-docker-buildx,plugins/docker"
+    WOODPECKER_LOG_LEVEL: "info"
+  service:
+    type: ClusterIP
+    port: 80
+  # Disable built-in ingress (using ingress_factory)
+  ingress:
+    enabled: false
+  # Disable PVC (using PostgreSQL instead of SQLite)
+  persistence:
+    enabled: false
+
+agent:
+  enabled: true
+  replicaCount: 2
+  image:
+    registry: docker.io
+    repository: woodpeckerci/woodpecker-agent
+    tag: "v3.5.1"
+  env:
+    WOODPECKER_BACKEND: "kubernetes"
+    WOODPECKER_BACKEND_K8S_NAMESPACE: "woodpecker"
+    WOODPECKER_MAX_WORKFLOWS: "2"
+    WOODPECKER_AGENT_SECRET: "${agent_secret}"
+  persistence:
+    enabled: false
+  rbac:
+    create: true
+  serviceAccount:
+    create: true
+    name: "woodpecker-agent"