From a648e9ba189e52a6ed6fad2a3c8771fa4a4dc027 Mon Sep 17 00:00:00 2001
From: "franz.germann"
Date: Wed, 16 Jul 2025 14:57:14 +0200
Subject: [PATCH] initial commit

---
 forgejo-appset.yaml | 45 +++++
 forgejo/forgejo-runner.yaml | 24 +++
 forgejo/forgejo-runner/dind-docker.yaml | 104 ++++++++++
 forgejo/forgejo-server.yaml | 38 ++++
 .../manifests/forgejo-ingress.yaml | 31 +++
 forgejo/forgejo-server/values.yaml | 180 ++++++++++++++++++
 6 files changed, 422 insertions(+)
 create mode 100644 forgejo-appset.yaml
 create mode 100644 forgejo/forgejo-runner.yaml
 create mode 100644 forgejo/forgejo-runner/dind-docker.yaml
 create mode 100644 forgejo/forgejo-server.yaml
 create mode 100644 forgejo/forgejo-server/manifests/forgejo-ingress.yaml
 create mode 100644 forgejo/forgejo-server/values.yaml

diff --git a/forgejo-appset.yaml b/forgejo-appset.yaml
new file mode 100644
index 0000000..7de736d
--- /dev/null
+++ b/forgejo-appset.yaml
@@ -0,0 +1,45 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: forgejo
+spec:
+ goTemplate: true
+ goTemplateOptions: ["missingkey=error"]
+ generators:
+ - list:
+ elements:
+ - cluster: edp-dev
+ template:
+ metadata:
+ name: '{{.cluster}}-guestbook'
+ spec:
+ project: default
+ syncPolicy:
+ automated:
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ retry:
+ limit: -1
+ destination:
+ name: in-cluster
+ namespace: gitea
+ sources:
+ - repoURL: https://edp.buildth.ing/DevFW-CICD/forgejo-helm.git
+ path: .
+ # first check out the desired version (example v9.0.0): https://code.forgejo.org/forgejo-helm/forgejo-helm/src/tag/v9.0.0/Chart.yaml
+ # (note that the chart version is not the same as the forgejo application version, which is specified in the above Chart.yaml file)
+ # then use the devops pipeline and select development, forgejo and the desired version (example v9.0.0):
+ # https://edp.buildth.ing/DevFW-CICD/devops-pipelines/actions?workflow=update-helm-depends.yaml&actor=0&status=0
+ # finally update the desired version here and include "-depends", it is created by the devops pipeline.
+ # why do we have an added "-depends" tag? it resolves rate limitings when downloading helm OCI dependencies
+ targetRevision: v12.0.0-depends
+ helm:
+ valueFiles:
+ - $values/forgejo/forgejo-server/values.yaml
+ - repoURL: https://edp.buildth.ing/DevFW/applicationset-poc.git
+ targetRevision: '{{.cluster}}'
+ ref: values
+ - repoURL: https://edp.buildth.ing/DevFW/applicationset-poc.git
+ targetRevision: '{{.cluster}}'
+ path: "forgejo/forgejo-server/manifests"
\ No newline at end of file
diff --git a/forgejo/forgejo-runner.yaml b/forgejo/forgejo-runner.yaml
new file mode 100644
index 0000000..f3044b3
--- /dev/null
+++ b/forgejo/forgejo-runner.yaml
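Review bot: The generated Application name `'{{.cluster}}-guestbook'` in the template metadata looks like a leftover from the Argo CD example and does not describe the workload (the Forgejo server deployed into namespace `gitea`); rename it to `name: '{{.cluster}}-forgejo'` so the resulting Application is recognisable in audit logs and alerts. `project: default` places every generated Application in the unrestricted default AppProject; a dedicated AppProject that limits source repos to the two repoURLs listed here and the destination to `gitea` would bound what a compromised values branch can deploy. `retry.limit: -1` retries indefinitely, which hides a persistently failing sync unless something alerts on it.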
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: forgejo-runner
+ namespace: argocd
+ labels:
+ env: dev
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ syncPolicy:
+ automated:
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ retry:
+ limit: -1
+ destination:
+ server: "https://kubernetes.default.svc"
+ source:
+ repoURL: https://edp.buildth.ing/DevFW/applicationset-poc.git
+ targetRevision: HEAD
+ path: "forgejo/forgejo-runner"
diff --git a/forgejo/forgejo-runner/dind-docker.yaml b/forgejo/forgejo-runner/dind-docker.yaml
new file mode 100644
index 0000000..bd9fac0
--- /dev/null
+++ b/forgejo/forgejo-runner/dind-docker.yaml
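Review bot: `targetRevision: HEAD` combined with `automated.selfHeal` means any push to the default branch of applicationset-poc is applied to the cluster immediately, including the privileged runner Deployment under `forgejo/forgejo-runner`; forgejo/forgejo-server.yaml uses the same `HEAD` for the client repo while forgejo-appset.yaml pins `'{{.cluster}}'`, so the three manifests are inconsistent. A branch or tag per environment, e.g. `targetRevision: edp-dev`, would make deploying the runner require a deliberate merge into a protected ref. `CreateNamespace=true` has nothing to act on because `destination` sets `server` but no `namespace`; either add `namespace: gitea` (the namespace the runner Deployment declares) or drop the option.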
@@ -0,0 +1,104 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: forgejo-runner
+ name: forgejo-runner
+ namespace: gitea
+spec:
+ # Two replicas means that if one is busy, the other can pick up jobs.
+ replicas: 1
+ selector:
+ matchLabels:
+ app: forgejo-runner
+ strategy: {}
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ app: forgejo-runner
+ spec:
+ restartPolicy: Always
+ volumes:
+ - name: docker-certs
+ emptyDir: {}
+ - name: runner-data
+ emptyDir: {}
+ # Initialise our configuration file using offline registration
+ # https://forgejo.org/docs/v1.21/admin/actions/#offline-registration
+ initContainers:
+ - name: runner-register
+ image: code.forgejo.org/forgejo/runner:6.3.1
+ command:
+ - "sh"
+ - "-c"
+ - |
+ forgejo-runner \
+ register \
+ --no-interactive \
+ --token ${RUNNER_SECRET} \
+ --name ${RUNNER_NAME} \
+ --instance ${FORGEJO_INSTANCE_URL} \
+ --labels docker:docker://node:20-bookworm,ubuntu-22.04:docker://edp.buildth.ing/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://edp.buildth.ing/devfw-cicd/catthehackerubuntu:act-22.04
+ env:
+ - name: RUNNER_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: RUNNER_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: forgejo-runner-token
+ key: token
+ - name: FORGEJO_INSTANCE_URL
+ value: https://{{{ .Env.DOMAIN_GITEA }}}
+ volumeMounts:
+ - name: runner-data
+ mountPath: /data
+ containers:
+ - name: runner
+ image: code.forgejo.org/forgejo/runner:6.3.1
+ command:
+ - "sh"
+ - "-c"
+ - |
+ while ! nc -z 127.0.0.1 2376 config.yml ;
+ sed -i -e "s|privileged: .*|privileged: true|" config.yml
+ sed -i -e "s|network: .*|network: host|" config.yml ;
+ sed -i -e "s|^ envs:$$| envs:\n DOCKER_HOST: tcp://127.0.0.1:2376\n DOCKER_TLS_VERIFY: 1\n DOCKER_CERT_PATH: /certs/client|" config.yml ;
+ sed -i -e "s|^ options:| options: -v /certs/client:/certs/client|" config.yml ;
+ sed -i -e "s| valid_volumes: \[\]$$| valid_volumes:\n - /certs/client|" config.yml ;
+ /bin/forgejo-runner --config config.yml daemon
+ securityContext:
+ allowPrivilegeEscalation: true
+ privileged: true
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
+ runAsNonRoot: false
+ runAsUser: 0
+ env:
+ - name: DOCKER_HOST
+ value: tcp://localhost:2376
+ - name: DOCKER_CERT_PATH
+ value: /certs/client
+ - name: DOCKER_TLS_VERIFY
+ value: "1"
+ volumeMounts:
+ - name: docker-certs
+ mountPath: /certs
+ - name: runner-data
+ mountPath: /data
+ - name: daemon
+ image: docker:28.0.4-dind
+ env:
+ - name: DOCKER_TLS_CERTDIR
+ value: /certs
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: docker-certs
+ mountPath: /certs
diff --git a/forgejo/forgejo-server.yaml b/forgejo/forgejo-server.yaml
new file mode 100644
index 0000000..515d55a
--- /dev/null
+++ b/forgejo/forgejo-server.yaml
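Review bot: The `runner` container is granted `privileged: true`, `allowPrivilegeEscalation: true` and `runAsUser: 0` although it only talks to the Docker daemon over TLS at `tcp://localhost:2376`; only the `daemon` sidecar needs `privileged`, so the runner's securityContext can be reduced to `privileged: false` and `allowPrivilegeEscalation: false` (root may still be required for writing `/data`, confirm against the image). The `sed` edits additionally set `privileged: true` and `network: host` for every job container in config.yml, so presumably any repository whose workflows select these labels runs with full capabilities inside an already privileged dind sidecar; that trust boundary should be documented at the top of the file and the runner limited to trusted repositories or a dedicated node pool. The wait loop before the `sed` lines appears truncated in this rendering (`while ! nc -z 127.0.0.1 2376 config.yml ;`), so it was not reviewed. The comment above `replicas: 1` describes two replicas and should be updated or removed.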
@@ -0,0 +1,38 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: forgejo-server
+ namespace: argocd
+ labels:
+ env: dev
+spec:
+ project: default
+ syncPolicy:
+ automated:
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ retry:
+ limit: -1
+ destination:
+ name: in-cluster
+ namespace: gitea
+ sources:
+ - repoURL: https://edp.buildth.ing/DevFW-CICD/forgejo-helm.git
+ path: .
+ # first check out the desired version (example v9.0.0): https://code.forgejo.org/forgejo-helm/forgejo-helm/src/tag/v9.0.0/Chart.yaml
+ # (note that the chart version is not the same as the forgejo application version, which is specified in the above Chart.yaml file)
+ # then use the devops pipeline and select development, forgejo and the desired version (example v9.0.0):
+ # https://edp.buildth.ing/DevFW-CICD/devops-pipelines/actions?workflow=update-helm-depends.yaml&actor=0&status=0
+ # finally update the desired version here and include "-depends", it is created by the devops pipeline.
+ # why do we have an added "-depends" tag? it resolves rate limitings when downloading helm OCI dependencies
+ targetRevision: v12.0.0-depends
+ helm:
+ valueFiles:
+ - $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/forgejo/forgejo-server/values.yaml
+ - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}
+ targetRevision: HEAD
+ ref: values
+ - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}
+ targetRevision: HEAD
+ path: "{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/forgejo/forgejo-server/manifests"
\ No newline at end of file
diff --git a/forgejo/forgejo-server/manifests/forgejo-ingress.yaml b/forgejo/forgejo-server/manifests/forgejo-ingress.yaml
new file mode 100644
index 0000000..1caab08
--- /dev/null
+++ b/forgejo/forgejo-server/manifests/forgejo-ingress.yaml
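Review bot: This Application lacks the `resources-finalizer.argocd.argoproj.io` finalizer that forgejo/forgejo-runner.yaml declares under `metadata`, so deleting it orphans the Helm release's resources in `gitea` while deleting the runner Application cascades; for a stateful service either behaviour may be wanted (with `persistence.enabled: true` in values.yaml, cascading would presumably also remove the PVC), so make the two manifests consistent and record the choice in a comment. The six-line version-bump comment above `targetRevision` is duplicated verbatim from forgejo-appset.yaml; keep it in one place and point to it from the other so the two do not drift. The values path `$values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/...` is assembled from environment-derived template variables, and a comment naming where they are set would help the next reader.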
@@ -0,0 +1,31 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/proxy-body-size: 512m
+ cert-manager.io/cluster-issuer: main
+{{{ if eq .Env.CLUSTER_TYPE "osc" }}}
+ dns.gardener.cloud/class: garden
+ dns.gardener.cloud/dnsnames: {{{ .Env.DOMAIN_GITEA }}}
+ dns.gardener.cloud/ttl: "600"
+{{{ end }}}
+ name: forgejo-server
+ namespace: gitea
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: {{{ .Env.DOMAIN_GITEA }}}
+ http:
+ paths:
+ - backend:
+ service:
+ name: forgejo-server-http
+ port:
+ number: 3000
+ path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - {{{ .Env.DOMAIN_GITEA }}}
+ secretName: forgejo-net-tls
diff --git a/forgejo/forgejo-server/values.yaml b/forgejo/forgejo-server/values.yaml
new file mode 100644
index 0000000..9b4332c
--- /dev/null
+++ b/forgejo/forgejo-server/values.yaml
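Review bot: The templated host scalars at `dns.gardener.cloud/dnsnames:`, `- host:` and under `tls.hosts` are unquoted, so if `DOMAIN_GITEA` renders empty or with a leading special character the document parses as `null` or a flow collection instead of a string and the Ingress (and its TLS host match) silently changes meaning. Quote them: `dns.gardener.cloud/dnsnames: "{{{ .Env.DOMAIN_GITEA }}}"`, `- host: "{{{ .Env.DOMAIN_GITEA }}}"`, `- "{{{ .Env.DOMAIN_GITEA }}}"`. The same applies to `everest.io/crypt-key-id` and `kubernetes.io/elb.id` in forgejo/forgejo-server/values.yaml. `proxy-body-size: 512m` is a generous request-body limit on an internet-facing endpoint; if large pushes require it, a comment stating the reason keeps it from being read as an oversight.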
@@ -0,0 +1,180 @@
+# We use recreate to make sure only one instance with one version is running, because Forgejo might break or data gets inconsistant.
+strategy:
+ type: Recreate
+
+redis-cluster:
+ enabled: false
+
+redis:
+ enabled: false
+
+postgresql:
+ enabled: false
+
+postgresql-ha:
+ enabled: false
+
+persistence:
+ enabled: true
+ size: 200Gi
+ annotations:
+ everest.io/crypt-key-id: {{{ .Env.PVC_KMS_KEY_ID }}}
+
+test:
+ enabled: false
+
+deployment:
+ env:
+ - name: SSL_CERT_DIR
+ value: /etc/ssl/forgejo
+
+extraVolumeMounts:
+ - mountPath: /etc/ssl/forgejo
+ name: custom-database-certs-volume
+ readOnly: true
+
+extraVolumes:
+ - name: custom-database-certs-volume
+ secret:
+ secretName: custom-database-certs
+
+gitea:
+ additionalConfigFromEnvs:
+ - name: FORGEJO__storage__MINIO_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef:
+ name: forgejo-cloud-credentials
+ key: access-key
+ - name: FORGEJO__storage__MINIO_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: forgejo-cloud-credentials
+ key: secret-key
+ - name: FORGEJO__queue__CONN_STR
+ valueFrom:
+ secretKeyRef:
+ name: redis-forgejo-cloud-credentials
+ key: connection-string
+ - name: FORGEJO__session__PROVIDER_CONFIG
+ valueFrom:
+ secretKeyRef:
+ name: redis-forgejo-cloud-credentials
+ key: connection-string
+ - name: FORGEJO__cache__HOST
+ valueFrom:
+ secretKeyRef:
+ name: redis-forgejo-cloud-credentials
+ key: connection-string
+ - name: FORGEJO__database__HOST
+ valueFrom:
+ secretKeyRef:
+ name: postgres-forgejo-cloud-credentials
+ key: host_port
+ - name: FORGEJO__database__NAME
+ valueFrom:
+ secretKeyRef:
+ name: postgres-forgejo-cloud-credentials
+ key: database
+ - name: FORGEJO__database__USER
+ valueFrom:
+ secretKeyRef:
+ name: postgres-forgejo-cloud-credentials
+ key: username
+ - name: FORGEJO__database__PASSWD
+ valueFrom:
+ secretKeyRef:
+ name: postgres-forgejo-cloud-credentials
+ key: password
+ - name: FORGEJO__indexer__ISSUE_INDEXER_CONN_STR
+ valueFrom:
+ secretKeyRef:
+ name: elasticsearch-cloud-credentials
+ key: connection-string
+ - name: FORGEJO__mailer__PASSWD
+ valueFrom:
+ secretKeyRef:
+ name: email-user-credentials
+ key: connection-string
+
+ admin:
+ existingSecret: gitea-credential
+
+ config:
+ APP_NAME: 'EDP'
+ APP_SLOGAN: 'Build your thing in minutes'
+ indexer:
+ ISSUE_INDEXER_ENABLED: true
+ ISSUE_INDEXER_TYPE: elasticsearch
+ # TODO next
+ REPO_INDEXER_ENABLED: false
+ # REPO_INDEXER_TYPE: meilisearch # not yet working
+
+ storage:
+ MINIO_ENDPOINT: obs.eu-de.otc.t-systems.com:443
+ STORAGE_TYPE: minio
+ MINIO_LOCATION: eu-de
+ MINIO_BUCKET: edp-forgejo-{{{ .Env.CLUSTER_ENVIRONMENT }}}
+ MINIO_USE_SSL: true
+
+ queue:
+ TYPE: redis
+
+ session:
+ PROVIDER: redis
+
+ cache:
+ ENABLED: true
+ ADAPTER: redis
+
+ service:
+ DISABLE_REGISTRATION: true
+
+ other:
+ SHOW_FOOTER_VERSION: false
+ SHOW_FOOTER_TEMPLATE_LOAD_TIME: false
+
+ database:
+ DB_TYPE: postgres
+ SSL_MODE: verify-ca
+
+ server:
+ DOMAIN: '{{{ .Env.DOMAIN_GITEA }}}'
+ ROOT_URL: 'https://{{{ .Env.DOMAIN_GITEA }}}:443'
+
+ mailer:
+ ENABLED: true
+ USER: ipcei-cis-devfw@mms-support.de
+ PROTOCOL: smtps
+ FROM: '"IPCEI CIS DevFW" '
+ SMTP_ADDR: mail.mms-support.de
+ SMTP_PORT: 465
+
+service:
+ ssh:
+ type: LoadBalancer
+ nodePort: 32222
+ externalTrafficPolicy: Cluster
+ annotations:
+ kubernetes.io/elb.id: {{{ .Env.LOADBALANCER_ID }}}
+
+image:
+ pullPolicy: "IfNotPresent"
+ # Overrides the image tag whose default is the chart appVersion.
+ #tag: "8.0.3"
+ # Adds -rootless suffix to image name
+ # rootless: true
+ fullOverride: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/edp-forgejo:prerelease-v11-0-1-rootless
+
+forgejo:
+ runner:
+ enabled: true
+ image:
+ tag: latest
+ # replicas: 3
+ config:
+ runner:
+ labels:
+ - docker:docker://node:16-bullseye
+ - self-hosted:docker://ghcr.io/catthehacker/ubuntu:act-22.04
+ - ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04
+ - ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-22.04
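Review bot: `forgejo.runner.image.tag: latest` leaves the component that executes CI workloads unpinned and changing on every pull, while forgejo/forgejo-runner/dind-docker.yaml pins `code.forgejo.org/forgejo/runner:6.3.1`; if this block is consumed by the chart, pin it to the same version, `tag: "6.3.1"`, or remove it if the runner is only deployed through dind-docker.yaml. The runner labels here point at `ghcr.io/catthehacker/ubuntu` and `node:16-bullseye`, whereas dind-docker.yaml registers the internal `edp.buildth.ing/devfw-cicd/catthehackerubuntu` mirror and `node:20-bookworm`, so a job would get a different base image depending on which runner picks it up; align the two lists. `service.ssh` exposes Git-over-SSH through a LoadBalancer with `externalTrafficPolicy: Cluster`, which replaces client source addresses with node addresses before they reach the SSH daemon's logs; `Local` preserves them for auditing at the cost of only reaching nodes that host a pod. The first comment line has a typo, `inconsistant` should read `inconsistent`.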