feat(forgejo): Git self-host en miroir de GitHub (git.funklab.online, SSO Authentik)

- k8s/apps/forgejo : deployment (image forgejo:11, config par env), service, PVC nfs,
  IngressRoute interne (git.lab.local) + publique (git.funklab.online + middlewares
  security-headers/ratelimit), Application ArgoCD (ns ai, recurse)
- base PostgreSQL `forgejo` sur storage-01 (rôle postgresql)
- vault : vault_pg_forgejo_password + vault_forgejo_oauth_client_secret
- doc admin/k8s/forgejo.md (archi, OIDC, création du miroir, pièges) + index + CLAUDE.md

GitHub reste la source de vérité (pull-mirror lecture seule) — ArgoCD inchangé.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
alkatrazz 2026-07-07 23:19:19 +02:00
parent fe0aa89ffa
commit 9f1f7e6ce2
12 changed files with 498 additions and 163 deletions

View file

@ -99,6 +99,7 @@ Authentik (`https://auth.funklab.online`) et directement par leur URL.
| **Open WebUI** | `openwebui.funklab.online` | SSO OIDC | `https://openwebui.funklab.online/oauth/oidc/callback` |
| **Argo CD** | `argocd.funklab.online` | SSO OIDC (lab-admins→admin) | `https://argocd.funklab.online/auth/callback` |
| **n8n** | `n8n.funklab.online` | **login natif** (SSO = Enterprise, indispo en communautaire) | — |
| **Forgejo** (Git, miroir GitHub) | `git.funklab.online` | SSO OIDC (lab-admins→admin) | `https://git.funklab.online/user/oauth2/authentik/callback` |
- Chaque app OIDC : provider Authentik **Confidential**, client secret archivé au vault
(`vault_<app>_oauth_client_secret` / `vault_argocd_oidc_client_secret`) et dans un