Initial upload

2025-05-20 14:58:55 +00:00 · 2025-05-20 14:58:55 +00:00 · 7164230ca5
commit 7164230ca5
parent b6b1c9a925
113 changed files with 17019 additions and 0 deletions
--- a/otc/observability.think-ahead.cloud/stacks/core/argocd.yaml
+++ b/otc/observability.think-ahead.cloud/stacks/core/argocd.yaml
@ -0,0 +1,32 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: -1
+  destination:
+    name: in-cluster
+    namespace: argocd
+  sources:
+    - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/argocd-helm.git
+      path: charts/argo-cd
+      # TODO: RIRE Can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged
+      # As logout make problems, it is suggested to switch from path based routing to an own argocd domain,
+      # similar to the CNOE amazon reference implementation and in our case, Forgejo
+      targetRevision: argo-cd-7.8.14-depends
+      helm:
+        valueFiles:
+          - $values/otc/observability.think-ahead.cloud/stacks/core/argocd/values.yaml
+    - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/stacks-instances
+      targetRevision: HEAD
+      ref: values
--- a/otc/observability.think-ahead.cloud/stacks/core/argocd/values.yaml
+++ b/otc/observability.think-ahead.cloud/stacks/core/argocd/values.yaml
@ -0,0 +1,35 @@
+global:
+  domain: observability.think-ahead.cloud
+
+configs:
+  params:
+    server.insecure: true
+    server.basehref: /argocd
+    server.rootpath: /argocd
+  cm:
+    application.resourceTrackingMethod: annotation
+    timeout.reconciliation: 60s
+    resource.exclusions: |
+      - apiGroups:
+        - "*"
+        kinds:
+        - ProviderConfigUsage
+      - apiGroups:
+        - cilium.io
+        kinds:
+        - CiliumIdentity
+        clusters:
+        - "*"
+    accounts.provider-argocd: apiKey
+    url: https://observability.think-ahead.cloud/argocd
+  rbac:
+    policy.csv: 'g, provider-argocd, role:admin'
+
+  tls:
+    certificates:
+
+notifications:
+  enabled: false
+
+dex:
+  enabled: false
--- a/otc/observability.think-ahead.cloud/stacks/core/forgejo-runner.yaml
+++ b/otc/observability.think-ahead.cloud/stacks/core/forgejo-runner.yaml
@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: forgejo-runner
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: -1
+  destination:
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/stacks-instances
+    targetRevision: HEAD
+    path: "otc/observability.think-ahead.cloud/stacks/core/forgejo-runner"
--- a/otc/observability.think-ahead.cloud/stacks/core/forgejo-runner/dind-docker.yaml
+++ b/otc/observability.think-ahead.cloud/stacks/core/forgejo-runner/dind-docker.yaml
@ -0,0 +1,104 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: forgejo-runner
+  name: forgejo-runner
+  namespace: gitea
+spec:
+  # Two replicas means that if one is busy, the other can pick up jobs.
+  replicas: 1
+  selector:
+    matchLabels:
+      app: forgejo-runner
+  strategy: {}
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: forgejo-runner
+    spec:
+      restartPolicy: Always
+      volumes:
+      - name: docker-certs
+        emptyDir: {}
+      - name: runner-data
+        emptyDir: {}
+      # Initialise our configuration file using offline registration
+      # https://forgejo.org/docs/v1.21/admin/actions/#offline-registration
+      initContainers:
+        - name: runner-register
+          image: code.forgejo.org/forgejo/runner:6.3.1
+          command:
+          - "sh"
+          - "-c"
+          - |
+            forgejo-runner \
+              register \
+              --no-interactive \
+              --token ${RUNNER_SECRET} \
+              --name ${RUNNER_NAME} \
+              --instance ${FORGEJO_INSTANCE_URL} \
+              --labels docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04
+          env:
+            - name: RUNNER_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: RUNNER_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: forgejo-runner-token
+                  key: token
+            - name: FORGEJO_INSTANCE_URL
+              value: https://gitea.observability.think-ahead.cloud
+          volumeMounts:
+            - name: runner-data
+              mountPath: /data
+      containers:
+      - name: runner
+        image: code.forgejo.org/forgejo/runner:6.3.1
+        command: 
+          - "sh"
+          - "-c"
+          - |
+            while ! nc -z 127.0.0.1 2376 </dev/null; do
+              echo 'waiting for docker daemon...';
+              sleep 5;
+            done
+            forgejo-runner generate-config > config.yml ;
+            sed -i -e "s|privileged: .*|privileged: true|" config.yml
+            sed -i -e "s|network: .*|network: host|" config.yml ;
+            sed -i -e "s|^  envs:$$|  envs:\n    DOCKER_HOST: tcp://127.0.0.1:2376\n    DOCKER_TLS_VERIFY: 1\n    DOCKER_CERT_PATH: /certs/client|" config.yml ;
+            sed -i -e "s|^  options:|  options: -v /certs/client:/certs/client|" config.yml ;
+            sed -i -e "s|  valid_volumes: \[\]$$|  valid_volumes:\n    - /certs/client|" config.yml ;
+            /bin/forgejo-runner --config config.yml daemon
+        securityContext:
+          allowPrivilegeEscalation: true
+          privileged: true
+          readOnlyRootFilesystem: false
+          runAsGroup: 0
+          runAsNonRoot: false
+          runAsUser: 0
+        env:
+        - name: DOCKER_HOST
+          value: tcp://localhost:2376
+        - name: DOCKER_CERT_PATH
+          value: /certs/client
+        - name: DOCKER_TLS_VERIFY
+          value: "1"
+        volumeMounts:
+        - name: docker-certs
+          mountPath: /certs
+        - name: runner-data
+          mountPath: /data
+      - name: daemon
+        image: docker:28.0.4-dind
+        env:
+        - name: DOCKER_TLS_CERTDIR
+          value: /certs
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - name: docker-certs
+          mountPath: /certs
--- a/otc/observability.think-ahead.cloud/stacks/core/forgejo.yaml
+++ b/otc/observability.think-ahead.cloud/stacks/core/forgejo.yaml
@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: forgejo
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: -1
+  destination:
+    name: in-cluster
+    namespace: gitea
+  sources:
+    - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/forgejo-helm.git
+      path: .
+      targetRevision: v12.0.0-depends
+      helm:
+        valueFiles:
+          - $values/otc/observability.think-ahead.cloud/stacks/core/forgejo/values.yaml
+    - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/stacks-instances
+      targetRevision: HEAD
+      ref: values
--- a/otc/observability.think-ahead.cloud/stacks/core/forgejo/values.yaml
+++ b/otc/observability.think-ahead.cloud/stacks/core/forgejo/values.yaml
@ -0,0 +1,67 @@
+redis-cluster:
+  enabled: true
+postgresql:
+  enabled: false
+postgresql-ha:
+  enabled: false
+
+persistence:
+  enabled: true
+  size: 5Gi
+
+test:
+  enabled: false
+
+gitea:
+  admin:
+    existingSecret: gitea-credential
+  config:
+    service:
+      DISABLE_REGISTRATION: true
+    other:
+      SHOW_FOOTER_VERSION: false
+      SHOW_FOOTER_TEMPLATE_LOAD_TIME: false
+    database:
+      DB_TYPE: sqlite3
+    session:
+      PROVIDER: memory
+    cache:
+      ADAPTER: memory
+    queue:
+      TYPE: level
+    server:
+      DOMAIN: 'gitea.observability.think-ahead.cloud'
+      ROOT_URL: 'https://gitea.observability.think-ahead.cloud:443'
+    mailer:
+      ENABLED: true
+      FROM: forgejo@gitea.observability.think-ahead.cloud
+      PROTOCOL: smtp
+      SMTP_ADDR: mailhog.mailhog.svc.cluster.local
+      SMTP_PORT: 1025
+
+service:
+  ssh:
+    type: NodePort
+    nodePort: 32222
+    externalTrafficPolicy: Local
+
+image:
+  pullPolicy: "IfNotPresent"
+  # Overrides the image tag whose default is the chart appVersion.
+  #tag: "8.0.3"
+  # Adds -rootless suffix to image name
+  rootless: true
+
+forgejo:
+  runner:
+    enabled: true
+    image:
+      tag: latest
+    # replicas: 3
+    config:
+      runner:
+        labels:
+          - docker:docker://node:16-bullseye
+          - self-hosted:docker://ghcr.io/catthehacker/ubuntu:act-22.04
+          - ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04
+          - ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-22.04
--- a/otc/observability.think-ahead.cloud/stacks/core/ingress-apps.yaml
+++ b/otc/observability.think-ahead.cloud/stacks/core/ingress-apps.yaml
@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: ingress-apps
+  namespace: argocd
+  labels:
+    example: ref-implementation
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/stacks-instances
+    targetRevision: HEAD
+    path: "otc/observability.think-ahead.cloud/stacks/core/ingress-apps"
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: -1
--- a/otc/observability.think-ahead.cloud/stacks/core/ingress-apps/argo-workflows-ingress.yaml
+++ b/otc/observability.think-ahead.cloud/stacks/core/ingress-apps/argo-workflows-ingress.yaml
@ -0,0 +1,31 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /$2
+    nginx.ingress.kubernetes.io/use-regex: "true"
+  name: argo-workflows-ingress
+  namespace: argo
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: localhost
+    http:
+      paths:
+      - backend:
+          service:
+            name: argo-server
+            port:
+              name: web
+        path: /argo-workflows(/|$)(.*)
+        pathType: ImplementationSpecific
+  - host: observability.think-ahead.cloud
+    http:
+      paths:
+      - backend:
+          service:
+            name: argo-server
+            port:
+              name: web
+        path: /argo-workflows(/|$)(.*)
+        pathType: ImplementationSpecific
--- a/otc/observability.think-ahead.cloud/stacks/core/ingress-apps/argocd-server.yaml
+++ b/otc/observability.think-ahead.cloud/stacks/core/ingress-apps/argocd-server.yaml
@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/backend-protocol: HTTP
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    cert-manager.io/cluster-issuer: main
+
+  name: argocd-server
+  namespace: argocd
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: observability.think-ahead.cloud
+    http:
+      paths:
+      - backend:
+          service:
+            name: argocd-server
+            port:
+              number: 80
+        path: /argocd
+        pathType: Prefix
+  tls:
+  - hosts:
+    - observability.think-ahead.cloud
+    secretName: argocd-net-tls
--- a/otc/observability.think-ahead.cloud/stacks/core/ingress-apps/backstage.yaml
+++ b/otc/observability.think-ahead.cloud/stacks/core/ingress-apps/backstage.yaml
@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: backstage
+  namespace: backstage
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: localhost
+    http:
+      paths:
+      - backend:
+          service:
+            name: backstage
+            port:
+              name: http
+        path: /
+        pathType: Prefix
+  - host: observability.think-ahead.cloud
+    http:
+      paths:
+      - backend:
+          service:
+            name: backstage
+            port:
+              name: http
+        path: /
+        pathType: Prefix
--- a/otc/observability.think-ahead.cloud/stacks/core/ingress-apps/forgejo.yaml
+++ b/otc/observability.think-ahead.cloud/stacks/core/ingress-apps/forgejo.yaml
@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: 512m
+    cert-manager.io/cluster-issuer: main
+
+  name: forgejo
+  namespace: gitea
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: gitea.observability.think-ahead.cloud
+    http:
+      paths:
+      - backend:
+          service:
+            name: forgejo-http
+            port:
+              number: 3000
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - gitea.observability.think-ahead.cloud
+    secretName: forgejo-net-tls
--- a/otc/observability.think-ahead.cloud/stacks/core/ingress-apps/keycloak-ingress-localhost.yaml
+++ b/otc/observability.think-ahead.cloud/stacks/core/ingress-apps/keycloak-ingress-localhost.yaml
@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: keycloak-ingress-localhost
+  namespace: keycloak
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: localhost
+    http:
+      paths:
+      - backend:
+          service:
+            name: keycloak
+            port:
+              name: http
+        path: /keycloak
+        pathType: ImplementationSpecific
+  - host: observability.think-ahead.cloud
+    http:
+      paths:
+      - backend:
+          service:
+            name: keycloak
+            port:
+              name: http
+        path: /keycloak
+        pathType: ImplementationSpecific
--- a/otc/observability.think-ahead.cloud/stacks/core/ingress-apps/kube-prometheus-stack-grafana.yaml
+++ b/otc/observability.think-ahead.cloud/stacks/core/ingress-apps/kube-prometheus-stack-grafana.yaml
@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: kube-prometheus-stack-grafana
+  namespace: monitoring
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: observability.think-ahead.cloud
+    http:
+      paths:
+      - backend:
+          service:
+            name: kube-prometheus-stack-grafana
+            port:
+              number: 80
+        path: /grafana
+        pathType: Prefix
--- a/otc/observability.think-ahead.cloud/stacks/core/ingress-apps/mailhog.yaml
+++ b/otc/observability.think-ahead.cloud/stacks/core/ingress-apps/mailhog.yaml
@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: mailhog
+  namespace: mailhog
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: observability.think-ahead.cloud
+    http:
+      paths:
+      - backend:
+          service:
+            name: mailhog
+            port:
+              number: 8025
+        path: /mailhog
+        pathType: Prefix
--- a/otc/observability.think-ahead.cloud/stacks/core/ingress-apps/openbao.yaml
+++ b/otc/observability.think-ahead.cloud/stacks/core/ingress-apps/openbao.yaml
@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao
+  namespace: openbao
+
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: openbao.observability.think-ahead.cloud
+    http:
+      paths:
+      - backend:
+          service:
+            name: openbao
+            port:
+              number: 8200
+        path: /
+        pathType: Prefix