Pipeline triggers from Forgejo were failing with "could not load config from forge: context deadline exceeded" — Woodpecker's forge-API fetch path was round-tripping through Cloudflare via the public IP, hitting 30s deadline timeouts on cold connections. The in-cluster path via the Traefik LB (10.0.20.200) is consistently sub-100ms. Same trick we use for the containerd hosts.toml redirect on each node — Traefik serves the *.viktorbarzin.me wildcard cert so SNI verification still passes. OAuth callbacks still use the public hostname (correct, those come from the user's browser). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
server:
|
|
enabled: true
|
|
podAnnotations:
|
|
reloader.stakater.com/search: "true"
|
|
statefulSet:
|
|
replicaCount: 1
|
|
# Pin forgejo.viktorbarzin.me to the in-cluster Traefik LB so the
|
|
# forge-API fetch path never round-trips through Cloudflare. Without
|
|
# this, OAuth/HTTP requests hit 30s context-deadline timeouts on cold
|
|
# DNS / TLS handshakes through the WAN gateway, which fails every
|
|
# pipeline trigger ("could not load config from forge: context
|
|
# deadline exceeded"). Traefik serves the wildcard cert so SNI
|
|
# verification still passes.
|
|
hostAliases:
|
|
- ip: "10.0.20.200"
|
|
hostnames:
|
|
- "forgejo.viktorbarzin.me"
|
|
image:
|
|
registry: docker.io
|
|
repository: woodpeckerci/woodpecker-server
|
|
tag: "v3.13.0"
|
|
extraSecretNamesForEnvFrom:
|
|
- woodpecker-db-creds
|
|
env:
|
|
WOODPECKER_HOST: "https://ci.viktorbarzin.me"
|
|
WOODPECKER_ADMIN: "${woodpecker_admins}"
|
|
WOODPECKER_OPEN: "true"
|
|
WOODPECKER_GITHUB: "true"
|
|
WOODPECKER_GITHUB_URL: "https://github.com"
|
|
WOODPECKER_GITHUB_CLIENT: "${github_client_id}"
|
|
WOODPECKER_GITHUB_SECRET: "${github_client_secret}"
|
|
WOODPECKER_AGENT_SECRET: "${agent_secret}"
|
|
WOODPECKER_DATABASE_DRIVER: "postgres"
|
|
WOODPECKER_PLUGINS_PRIVILEGED: "woodpeckerci/plugin-docker-buildx,plugins/docker"
|
|
WOODPECKER_PLUGINS_TRUSTED_CLONE: "woodpeckerci/plugin-git,alpine"
|
|
WOODPECKER_LOG_LEVEL: "info"
|
|
WOODPECKER_FORGEJO: "true"
|
|
WOODPECKER_FORGEJO_CLIENT: "${forgejo_client_id}"
|
|
WOODPECKER_FORGEJO_SECRET: "${forgejo_client_secret}"
|
|
WOODPECKER_FORGEJO_URL: "${forgejo_url}"
|
|
service:
|
|
type: ClusterIP
|
|
port: 80
|
|
# Disable built-in ingress (using ingress_factory)
|
|
ingress:
|
|
enabled: false
|
|
# Disable PVC (using PostgreSQL instead of SQLite)
|
|
# Note: the correct key is persistentVolume, not persistence
|
|
persistentVolume:
|
|
enabled: false
|
|
|
|
agent:
|
|
enabled: true
|
|
podAnnotations:
|
|
reloader.stakater.com/search: "true"
|
|
replicaCount: 2
|
|
image:
|
|
registry: docker.io
|
|
repository: woodpeckerci/woodpecker-agent
|
|
tag: "v3.13.0"
|
|
env:
|
|
WOODPECKER_BACKEND: "kubernetes"
|
|
WOODPECKER_BACKEND_K8S_NAMESPACE: "woodpecker"
|
|
WOODPECKER_BACKEND_K8S_PULL_SECRET_NAMES: "registry-credentials"
|
|
WOODPECKER_MAX_WORKFLOWS: "2"
|
|
WOODPECKER_AGENT_SECRET: "${agent_secret}"
|
|
persistence:
|
|
enabled: false
|
|
rbac:
|
|
create: true
|
|
serviceAccount:
|
|
create: true
|
|
name: "woodpecker-agent"
|
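Review bot: The `hostAliases` entry for `forgejo.viktorbarzin.me` only rewrites `/etc/hosts` of the server pod it is rendered into, so the agent pods and the pipeline clone/step containers that also reach the forge presumably still take the public path, and the comment above it should say so to keep a later clone-step timeout from being mis-diagnosed. Helm silently ignores values the chart does not consume, and this page does not preserve indentation, so confirm with `helm template` that the key sits where the chart actually renders it into the StatefulSet pod spec rather than becoming a no-op. The IP `10.0.20.200` is now hard-coded here and, per the commit message, in the node-level containerd hosts.toml as well; I would add `# Must match the Traefik LB IP used by the containerd hosts.toml redirect; update both together.` and, if this values file is templated like the `${...}` env values, source it from one variable. Because the alias bypasses DNS, certificate verification against the wildcard cert is the only remaining check binding this hostname to the intended endpoint, so that route's Traefik cert has to stay valid rather than being worked around with a skip-verify setting if it expires.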