Funk-lab/k8s/apps/forgejo/deployment.yaml
ALI YESILKAYA be695bd437
fix(forgejo): autoriser *.github.com + *.githubusercontent.com pour la migration/miroir (#99)
ALLOWED_DOMAINS=github.com bloquait api.github.com (importer GitHub : issues/releases)
→ échec de migration. Ajout de *.github.com (api/codeload) et *.githubusercontent.com
(assets de release) pour couvrir toute la migration.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-08 00:14:13 +02:00

105 lines
3.9 KiB
YAML

apiVersion: apps/v1
kind: Deployment
metadata:
name: forgejo
namespace: ai
spec:
replicas: 1
strategy:
type: Recreate # PVC RWO : pas de deux pods qui montent /data en parallèle
selector:
matchLabels:
app: forgejo
template:
metadata:
labels:
app: forgejo
spec:
containers:
- name: forgejo
image: codeberg.org/forgejo/forgejo:11
ports:
- containerPort: 3000
name: http
env:
# --- Base PostgreSQL sur storage-01 (hors cluster), pattern Ghostfolio/n8n ---
- name: FORGEJO__database__DB_TYPE
value: "postgres"
- name: FORGEJO__database__HOST
value: "192.168.10.1:5432"
- name: FORGEJO__database__NAME
value: "forgejo"
- name: FORGEJO__database__USER
value: "forgejo"
- name: FORGEJO__database__PASSWD
valueFrom:
secretKeyRef:
name: forgejo-secret
key: pg-password
# --- Serveur : URL canonique = domaine HTTPS (split-horizon dnsmasq en LAN) ---
- name: FORGEJO__server__DOMAIN
value: "git.funklab.online"
- name: FORGEJO__server__ROOT_URL
value: "https://git.funklab.online/"
- name: FORGEJO__server__HTTP_PORT
value: "3000"
# Pas de git-over-SSH : miroir + consultation en HTTPS uniquement (aucun
# port 22 supplémentaire exposé). Le clone/pull passe par HTTPS.
- name: FORGEJO__server__DISABLE_SSH
value: "true"
# --- Service : SSO uniquement. DISABLE_REGISTRATION doit rester false, sinon
# il bloque AUSSI l'auto-provisioning OIDC ("inscriptions désactivées").
# ALLOW_ONLY_EXTERNAL_REGISTRATION=true masque le formulaire local et
# n'autorise la création de compte QUE via Authentik (1er login OIDC). ---
- name: FORGEJO__service__DISABLE_REGISTRATION
value: "false"
- name: FORGEJO__service__ALLOW_ONLY_EXTERNAL_REGISTRATION
value: "true"
- name: FORGEJO__service__ENABLE_BASIC_AUTHENTICATION
value: "true" # clone HTTPS avec token perso
# --- Sécurité : install déjà verrouillée (config par env), clé stable ---
- name: FORGEJO__security__INSTALL_LOCK
value: "true"
- name: FORGEJO__security__SECRET_KEY
valueFrom:
secretKeyRef:
name: forgejo-secret
key: secret-key
# Miroir : ne tire que depuis GitHub. La migration appelle plusieurs hôtes :
# api.github.com (issues/releases), codeload.github.com (archives) et
# objects.githubusercontent.com (assets de release) — sinon
# « migration can only call allowed HTTP servers ... deny <hôte> ».
- name: FORGEJO__migrations__ALLOWED_DOMAINS
value: "github.com,*.github.com,*.githubusercontent.com"
- name: USER_UID
value: "1000"
- name: USER_GID
value: "1000"
- name: TZ
value: "Europe/Paris"
volumeMounts:
- name: data
mountPath: /data
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: "1000m"
memory: 768Mi
readinessProbe:
httpGet:
path: /api/healthz
port: 3000
initialDelaySeconds: 20
periodSeconds: 15
livenessProbe:
httpGet:
path: /api/healthz
port: 3000
initialDelaySeconds: 60
periodSeconds: 30
volumes:
- name: data
persistentVolumeClaim:
claimName: forgejo-data