feat(observability): ✨ comprehensive platform alert rules

Replace ad-hoc forgejo/disk alerts with structured VMRule covering:
- platform-health: ForgejoDown, IngressHighErrorRate, NodeNotReady, PodCrashLooping
- storage: PVCUsageHigh (>80%), PVCUsageCritical (>90%)
- resources: NodeCPUHigh (>85%), NodeMemoryHigh (>90%)

otc/benchmark.t09.de/edfbuilder.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: edfbuilder
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    name: in-cluster
+    namespace: argocd
+  source:
+    path: "otc/benchmark.t09.de/registry"
+    repoURL: "https://edp.buildth.ing/DevFW-CICD/stacks-instances"
+    targetRevision: HEAD
+  project: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

otc/benchmark.t09.de/registry/ci-sizer.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: ci-sizer-reg
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    name: in-cluster
+    namespace: argocd
+  source:
+    path: "otc/benchmark.t09.de/stacks/ci-sizer"
+    repoURL: "https://edp.buildth.ing/DevFW-CICD/stacks-instances"
+    targetRevision: HEAD
+  project: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

otc/benchmark.t09.de/registry/coder.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: coder-reg
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    name: in-cluster
+    namespace: argocd
+  source:
+    path: "otc/benchmark.t09.de/stacks/coder"
+    repoURL: "https://edp.buildth.ing/DevFW-CICD/stacks-instances"
+    targetRevision: HEAD
+  project: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

otc/benchmark.t09.de/registry/core.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: core
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    name: in-cluster
+    namespace: argocd
+  source:
+    path: "otc/benchmark.t09.de/stacks/core"
+    repoURL: "https://edp.buildth.ing/DevFW-CICD/stacks-instances"
+    targetRevision: HEAD
+  project: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

otc/benchmark.t09.de/registry/docs.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: docs-reg
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    name: in-cluster
+    namespace: argocd
+  source:
+    path: argocd-stack
+    repoURL: "https://edp.buildth.ing/DevFW-CICD/website-and-documentation"
+    targetRevision: HEAD
+  project: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+  syncOptions:
+    - CreateNamespace=true

otc/benchmark.t09.de/registry/forgejo.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: forgejo
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    name: in-cluster
+    namespace: argocd
+  source:
+    path: "otc/benchmark.t09.de/stacks/forgejo"
+    repoURL: "https://edp.buildth.ing/DevFW-CICD/stacks-instances"
+    targetRevision: HEAD
+  project: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

otc/benchmark.t09.de/registry/garm.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: garm-reg
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    name: in-cluster
+    namespace: argocd
+  source:
+    path: "otc/benchmark.t09.de/stacks/garm"
+    repoURL: "https://edp.buildth.ing/DevFW-CICD/stacks-instances"
+    targetRevision: HEAD
+  project: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

otc/benchmark.t09.de/registry/observability-client.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: observability-client
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    name: in-cluster
+    namespace: argocd
+  source:
+    path: "otc/benchmark.t09.de/stacks/observability-client"
+    repoURL: "https://edp.buildth.ing/DevFW-CICD/stacks-instances"
+    targetRevision: HEAD
+  project: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

otc/benchmark.t09.de/registry/observability.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: observability
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    name: in-cluster
+    namespace: argocd
+  source:
+    path: "otc/benchmark.t09.de/stacks/observability"
+    repoURL: "https://edp.buildth.ing/DevFW-CICD/stacks-instances"
+    targetRevision: HEAD
+  project: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

otc/benchmark.t09.de/registry/otc.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: otc
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    name: in-cluster
+    namespace: argocd
+  source:
+    path: "otc/benchmark.t09.de/stacks/otc"
+    repoURL: "https://edp.buildth.ing/DevFW-CICD/stacks-instances"
+    targetRevision: HEAD
+  project: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

otc/benchmark.t09.de/registry/terralist.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: terralist-reg
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    name: in-cluster
+    namespace: argocd
+  source:
+    path: "otc/benchmark.t09.de/stacks/terralist"
+    repoURL: "https://edp.buildth.ing/DevFW-CICD/stacks-instances"
+    targetRevision: HEAD
+  project: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

otc/benchmark.t09.de/stacks/ci-sizer/gitlab-webhook.yaml

@@ -0,0 +1,29 @@
+# Optional: GitLab CI integration
+# Only hydrate this app for clusters that run GitLab Runner.
+# For Forgejo/GitHub-only deployments, omit this app from stacks-instances.
+# See: ci-sizer/docs/deployment-modes.md
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: gitlab-sizer-webhook
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: -1
+  destination:
+    name: in-cluster
+    namespace: ci-sizer
+  source:
+    repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
+    targetRevision: HEAD
+    path: "otc/benchmark.t09.de/stacks/ci-sizer/gitlab-webhook"

otc/benchmark.t09.de/stacks/ci-sizer/gitlab-webhook/certificates.yaml

@@ -0,0 +1,27 @@
+# Self-signed Issuer for webhook TLS.
+# For production, replace with a ClusterIssuer backed by a real CA.
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+spec:
+  selfSigned: {}
+---
+# cert-manager Certificate for the webhook TLS.
+# The resulting Secret (gitlab-sizer-webhook-tls) is mounted into the webhook pod.
+# cert-manager also injects the CA into the MutatingWebhookConfiguration via the
+# cert-manager.io/inject-ca-from annotation.
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: gitlab-sizer-webhook-cert
+spec:
+  secretName: gitlab-sizer-webhook-tls
+  issuerRef:
+    name: selfsigned-issuer
+    kind: Issuer
+  dnsNames:
+    - gitlab-sizer-webhook.ci-sizer.svc
+    - gitlab-sizer-webhook.ci-sizer.svc.cluster.local
+  duration: 8760h
+  renewBefore: 720h

otc/benchmark.t09.de/stacks/ci-sizer/gitlab-webhook/deployment.yaml

@@ -0,0 +1,141 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: gitlab-sizer-webhook
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: gitlab-sizer-webhook
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: gitlab-sizer-webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: gitlab-sizer-webhook
+subjects:
+  - kind: ServiceAccount
+    name: gitlab-sizer-webhook
+    namespace: ci-sizer
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gitlab-sizer-webhook
+  labels:
+    app: gitlab-sizer-webhook
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: gitlab-sizer-webhook
+  template:
+    metadata:
+      labels:
+        app: gitlab-sizer-webhook
+    spec:
+      serviceAccountName: gitlab-sizer-webhook
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        runAsGroup: 65534
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: webhook
+          image: edp.buildth.ing/devfw-cicd/gitlab-webhook-edge-connect:latest
+          imagePullPolicy: Always
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+                - ALL
+          ports:
+            - containerPort: 8443
+              protocol: TCP
+          args:
+            - --listen-addr=:8443
+            - --tls-cert-file=/etc/webhook/tls/tls.crt
+            - --tls-key-file=/etc/webhook/tls/tls.key
+            - --sizer-url=http://sizer-receiver.ci-sizer.svc:8080
+            - --sizer-sidecar-image=edp.buildth.ing/devfw-cicd/ci-sizer-collector:latest
+          env:
+            - name: WEBHOOK_SIZER_READ_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: gitlab-sizer-webhook-tokens
+                  key: sizer-read-token
+            - name: WEBHOOK_SIZER_PUSH_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: gitlab-sizer-webhook-tokens
+                  key: sizer-push-token
+            - name: HTTP_PROXY
+              valueFrom:
+                configMapKeyRef:
+                  name: gitlab-sizer-webhook-config
+                  key: HTTP_PROXY
+                  optional: true
+            - name: HTTPS_PROXY
+              valueFrom:
+                configMapKeyRef:
+                  name: gitlab-sizer-webhook-config
+                  key: HTTPS_PROXY
+                  optional: true
+            - name: NO_PROXY
+              valueFrom:
+                configMapKeyRef:
+                  name: gitlab-sizer-webhook-config
+                  key: NO_PROXY
+                  optional: true
+          volumeMounts:
+            - name: webhook-tls
+              mountPath: /etc/webhook/tls
+              readOnly: true
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8443
+              scheme: HTTPS
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: 8443
+              scheme: HTTPS
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            requests:
+              cpu: 100m
+              memory: 128Mi
+            limits:
+              cpu: 200m
+              memory: 128Mi
+      volumes:
+        - name: webhook-tls
+          secret:
+            secretName: gitlab-sizer-webhook-tls
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitlab-sizer-webhook
+  labels:
+    app: gitlab-sizer-webhook
+spec:
+  selector:
+    app: gitlab-sizer-webhook
+  ports:
+    - port: 443
+      targetPort: 8443
+      protocol: TCP

otc/benchmark.t09.de/stacks/ci-sizer/gitlab-webhook/webhook-config.yaml

@@ -0,0 +1,30 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: gitlab-sizer-webhook
+  annotations:
+    cert-manager.io/inject-ca-from: ci-sizer/gitlab-sizer-webhook-cert
+webhooks:
+  - name: gitlab-sizer-webhook.ci-sizer.svc
+    admissionReviewVersions: ["v1"]
+    sideEffects: NoneOnDryRun
+    failurePolicy: Ignore
+    timeoutSeconds: 5
+    reinvocationPolicy: Never
+    clientConfig:
+      service:
+        name: gitlab-sizer-webhook
+        namespace: ci-sizer
+        path: /mutate
+    rules:
+      - apiGroups: [""]
+        apiVersions: ["v1"]
+        operations: ["CREATE"]
+        resources: ["pods"]
+    namespaceSelector:
+      matchLabels:
+        ci-sizer.devfw.io/watch: "true"
+    objectSelector:
+      matchExpressions:
+        - key: job.runner.gitlab.com/pod
+          operator: Exists

otc/benchmark.t09.de/stacks/ci-sizer/sizer-receiver.yaml

@@ -0,0 +1,29 @@
+# Required: CI Sizer receiver
+# Always deploy this — it stores metrics and computes sizing recommendations.
+# Works standalone or with GARM (Forgejo/GitHub) and/or GitLab webhook.
+# See: ci-sizer/docs/deployment-modes.md
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: sizer-receiver
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: -1
+  destination:
+    name: in-cluster
+    namespace: ci-sizer
+  source:
+    repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
+    targetRevision: HEAD
+    path: "otc/benchmark.t09.de/stacks/ci-sizer/sizer-receiver"

otc/benchmark.t09.de/stacks/ci-sizer/sizer-receiver/deployment.yaml

@@ -0,0 +1,126 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sizer-receiver
+  labels:
+    app: sizer-receiver
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: sizer-receiver
+  template:
+    metadata:
+      labels:
+        app: sizer-receiver
+    spec:
+      securityContext:
+        fsGroup: 65534
+      containers:
+        - name: receiver
+          image: edp.buildth.ing/devfw-cicd/ci-sizer-receiver:latest
+          imagePullPolicy: Always
+          args:
+            - --db=/data/metrics.db
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          env:
+            - name: RECEIVER_READ_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: sizer-tokens
+                  key: read-token
+            - name: RECEIVER_HMAC_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: sizer-tokens
+                  key: hmac-key
+            - name: GARM_URL
+              value: "http://garm.garm.svc:80"
+            - name: GARM_USER
+              value: "admin"
+            - name: GARM_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: garm-fixed-credentials
+                  key: admin_password
+            - name: RECEIVER_OIDC_ISSUER
+              value: "https://dex.benchmark.t09.de"
+            - name: RECEIVER_OIDC_CLIENT_ID
+              value: "ci-sizer"
+            - name: RECEIVER_OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: sizer-oidc-client
+                  key: client-secret
+            - name: RECEIVER_OIDC_REDIRECT_URI
+              value: "https://sizer.benchmark.t09.de/ui/callback"
+            - name: RECEIVER_SESSION_TTL
+              value: "12h"
+            - name: RECEIVER_ALLOWED_ORG
+              value: "giteaAdmin"
+            - name: RECEIVER_CPU_SIZING_MODE
+              value: "observe"
+            - name: RECEIVER_MEMORY_QOS
+              value: "guaranteed"
+          volumeMounts:
+            - name: data
+              mountPath: /data
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 30
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: http
+            initialDelaySeconds: 2
+            periodSeconds: 10
+          resources:
+            requests:
+              cpu: 50m
+              memory: 64Mi
+            limits:
+              cpu: 200m
+              memory: 128Mi
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: sizer-receiver-data
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: sizer-receiver
+  labels:
+    app: sizer-receiver
+spec:
+  selector:
+    app: sizer-receiver
+  ports:
+    - name: http
+      port: 8080
+      targetPort: http
+      protocol: TCP
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: sizer-receiver-data
+  labels:
+    app: sizer-receiver
+  annotations:
+    everest.io/disk-volume-type: GPSSD
+spec:
+  storageClassName: csi-disk
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

otc/benchmark.t09.de/stacks/ci-sizer/sizer-receiver/ingress.yaml

@@ -0,0 +1,36 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    cert-manager.io/cluster-issuer: main
+
+  name: sizer-receiver
+  namespace: ci-sizer
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: sizer.benchmark.t09.de
+      http:
+        paths:
+          - backend:
+              service:
+                name: sizer-receiver
+                port:
+                  number: 8080
+            path: /
+            pathType: Prefix
+    - host: ci-sizer.benchmark.t09.de
+      http:
+        paths:
+          - backend:
+              service:
+                name: sizer-receiver
+                port:
+                  number: 8080
+            path: /
+            pathType: Prefix
+  tls:
+    - hosts:
+        - sizer.benchmark.t09.de
+      secretName: sizer-receiver-tls

otc/benchmark.t09.de/stacks/coder/coder.yaml

@@ -0,0 +1,32 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: coder
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: -1
+  destination:
+    name: in-cluster
+    namespace: coder
+  sources:
+    - repoURL: https://helm.coder.com/v2
+      chart: coder
+      targetRevision: 2.28.3
+      helm:
+        valueFiles:
+          - $values/otc/benchmark.t09.de/stacks/coder/coder/values.yaml
+    - repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
+      targetRevision: HEAD
+      ref: values
+    - repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
+      targetRevision: HEAD
+      path: "otc/benchmark.t09.de/stacks/coder/coder/manifests"

otc/benchmark.t09.de/stacks/coder/coder/manifests/postgres.yaml

@@ -0,0 +1,38 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: coder-db
+  namespace: coder
+spec:
+  instances: 1
+  primaryUpdateStrategy: unsupervised
+  resources:
+    requests:
+      memory: "1Gi"
+      cpu: "1"
+    limits:
+      memory: "1Gi"
+      cpu: "1"
+  managed:
+    roles:
+      - name: coder
+        createdb: true
+        login: true
+        passwordSecret:
+          name: coder-db-user
+  storage:
+    size: 10Gi
+    storageClass: csi-disk
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+  name: coder
+  namespace: coder
+spec:
+  cluster:
+    name: coder-db
+  name: coder
+  owner: coder
+---

otc/benchmark.t09.de/stacks/coder/coder/values.yaml

@@ -0,0 +1,61 @@
+coder:
+  # You can specify any environment variables you'd like to pass to Coder
+  # here. Coder consumes environment variables listed in
+  # `coder server --help`, and these environment variables are also passed
+  # to the workspace provisioner (so you can consume them in your Terraform
+  # templates for auth keys etc.).
+  #
+  # Please keep in mind that you should not set `CODER_HTTP_ADDRESS`,
+  # `CODER_TLS_ENABLE`, `CODER_TLS_CERT_FILE` or `CODER_TLS_KEY_FILE` as
+  # they are already set by the Helm chart and will cause conflicts.
+  env:
+    - name: CODER_ACCESS_URL
+      value: https://coder.benchmark.t09.de
+    - name: CODER_PG_CONNECTION_URL
+      valueFrom:
+        secretKeyRef:
+          # You'll need to create a secret called coder-db-url with your
+          # Postgres connection URL like:
+          # postgres://coder:password@postgres:5432/coder?sslmode=disable
+          name: coder-db-user
+          key: url
+    # For production deployments, we recommend configuring your own GitHub
+    # OAuth2 provider and disabling the default one.
+    - name: CODER_OAUTH2_GITHUB_DEFAULT_PROVIDER_ENABLE
+      value: "false"
+    - name: EDGE_CONNECT_ENDPOINT
+      valueFrom:
+        secretKeyRef:
+          name: edge-credential
+          key: endpoint
+    - name: EDGE_CONNECT_USERNAME
+      valueFrom:
+        secretKeyRef:
+          name: edge-credential
+          key: username
+    - name: EDGE_CONNECT_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: edge-credential
+          key: password
+
+    # (Optional) For production deployments the access URL should be set.
+    # If you're just trying Coder, access the dashboard via the service IP.
+    # - name: CODER_ACCESS_URL
+    #   value: "https://coder.example.com"
+
+  #tls:
+  #  secretNames:
+  #    - my-tls-secret-name
+  service:
+    type: ClusterIP
+
+  ingress:
+    enable: true
+    className: nginx
+    host: coder.benchmark.t09.de
+    annotations:
+      cert-manager.io/cluster-issuer: main
+    tls:
+      enable: true
+      secretName: coder-tls-secret

otc/benchmark.t09.de/stacks/core/argocd.yaml

@@ -0,0 +1,35 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: -1
+  destination:
+    name: in-cluster
+    namespace: argocd
+  sources:
+    - repoURL: https://github.com/argoproj/argo-helm.git
+      path: charts/argo-cd
+      # TODO: RIRE Can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged
+      # As logout make problems, it is suggested to switch from path based routing to an own argocd domain,
+      # similar to the CNOE amazon reference implementation and in our case, Forgejo
+      targetRevision: argo-cd-9.4.6
+      helm:
+        valueFiles:
+          - $values/otc/benchmark.t09.de/stacks/core/argocd/values.yaml
+    - repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
+      targetRevision: HEAD
+      ref: values
+    - repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
+      targetRevision: HEAD
+      path: "otc/benchmark.t09.de/stacks/core/argocd/manifests"

otc/benchmark.t09.de/stacks/core/argocd/manifests/argocd-server-ingress.yaml

@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/backend-protocol: HTTP
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    cert-manager.io/cluster-issuer: main
+
+  name: argocd-server
+  namespace: argocd
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: argocd.benchmark.t09.de
+    http:
+      paths:
+      - backend:
+          service:
+            name: argocd-server
+            port:
+              number: 80
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - argocd.benchmark.t09.de
+    secretName: argocd-net-tls

otc/benchmark.t09.de/stacks/core/argocd/values.yaml

@@ -0,0 +1,66 @@
+global:
+  domain: argocd.benchmark.t09.de
+
+configs:
+  params:
+    server.insecure: true
+  cm:
+    oidc.config: |
+      name: FORGEJO
+      issuer: https://dex.benchmark.t09.de
+      clientID: controller-argocd-dex
+      clientSecret: $dex-argo-client:clientSecret
+      requestedScopes:
+      - openid
+      - profile
+      - email
+      - groups
+    application.resourceTrackingMethod: annotation
+    timeout.reconciliation: 60s
+    resource.exclusions: |
+      - apiGroups:
+        - "*"
+        kinds:
+        - ProviderConfigUsage
+      - apiGroups:
+        - cilium.io
+        kinds:
+        - CiliumIdentity
+        clusters:
+        - "*"
+    url: https://argocd.benchmark.t09.de
+  rbac:
+    policy.csv: 'g, DevFW, role:admin'
+
+  tls:
+    certificates:
+
+controller:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: false
+
+server:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: false
+
+repoServer:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: false
+
+applicationSet:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: false
+
+notifications:
+  enabled: false
+
+dex:
+  enabled: false

otc/benchmark.t09.de/stacks/core/cloudnative-pg.yaml

@@ -0,0 +1,30 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cloudnative-pg
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true
+    retry:
+      limit: -1
+  destination:
+    name: in-cluster
+    namespace: cloudnative-pg
+  sources:
+    - repoURL: https://cloudnative-pg.github.io/charts
+      chart: cloudnative-pg
+      targetRevision: 0.26.1
+      helm:
+        valueFiles:
+          - $values/otc/benchmark.t09.de/stacks/core/cloudnative-pg/values.yaml
+    - repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
+      targetRevision: HEAD
+      ref: values

otc/benchmark.t09.de/stacks/core/cloudnative-pg/values.yaml

@@ -0,0 +1 @@
+# No need for values here.

otc/benchmark.t09.de/stacks/core/dex.yaml

@@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: dex
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: -1
+  destination:
+    name: in-cluster
+    namespace: dex
+  sources:
+    - repoURL: https://charts.dexidp.io
+      chart: dex
+      targetRevision: 0.23.0
+      helm:
+        valueFiles:
+          - $values/otc/benchmark.t09.de/stacks/core/dex/values.yaml
+    - repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
+      targetRevision: HEAD
+      ref: values

otc/benchmark.t09.de/stacks/core/dex/values.yaml

@@ -0,0 +1,86 @@
+ingress:
+  enabled: true
+  className: nginx
+  annotations:
+    cert-manager.io/cluster-issuer: main
+  hosts:
+    - host: dex.benchmark.t09.de
+      paths:
+        - path: /
+          pathType: Prefix
+  tls:
+    - hosts:
+        - dex.benchmark.t09.de
+      secretName: dex-cert
+
+envVars:
+  - name: FORGEJO_CLIENT_SECRET
+    valueFrom:
+      secretKeyRef:
+        name: dex-forgejo-client
+        key: clientSecret
+  - name: FORGEJO_CLIENT_ID
+    valueFrom:
+      secretKeyRef:
+        name: dex-forgejo-client
+        key: clientID
+  - name: OIDC_DEX_GRAFANA_CLIENT_SECRET
+    valueFrom:
+      secretKeyRef:
+        name: dex-grafana-client
+        key: clientSecret
+  - name: OIDC_DEX_ARGO_CLIENT_SECRET
+    valueFrom:
+      secretKeyRef:
+        name: dex-argo-client
+        key: clientSecret
+  - name: FORGEJO_RUNNER_SIZER_CLIENT_SECRET
+    valueFrom:
+      secretKeyRef:
+        name: dex-sizer-client
+        key: clientSecret
+  - name: LOG_LEVEL
+    value: debug
+
+config:
+  # Set it to a valid URL
+  issuer: https://dex.benchmark.t09.de
+
+  # See https://dexidp.io/docs/storage/ for more options
+  storage:
+    type: memory
+
+  oauth2:
+    skipApprovalScreen: true
+    alwaysShowLoginScreen: false
+
+  connectors:
+    - type: gitea
+      id: gitea
+      name: Forgejo
+      config:
+        clientID: "$FORGEJO_CLIENT_ID"
+        clientSecret: "$FORGEJO_CLIENT_SECRET"
+        redirectURI: https://dex.benchmark.t09.de/callback
+        baseURL: https://edp.buildth.ing
+        # loadAllGroups: true
+        orgs:
+          - name: DevFW
+  enablePasswordDB: false
+
+  staticClients:
+    - id: controller-argocd-dex
+      name: ArgoCD Client
+      redirectURIs:
+        - "https://argocd.benchmark.t09.de/auth/callback"
+      secretEnv: "OIDC_DEX_ARGO_CLIENT_SECRET"
+    - id: grafana
+      redirectURIs:
+        - "https://grafana.benchmark.t09.de/login/generic_oauth"
+      name: "Grafana"
+      secretEnv: "OIDC_DEX_GRAFANA_CLIENT_SECRET"
+    - id: ci-sizer
+      name: "CI Sizer"
+      redirectURIs:
+        - "https://sizer.benchmark.t09.de/ui/callback"
+      secretEnv: "FORGEJO_RUNNER_SIZER_CLIENT_SECRET"

otc/benchmark.t09.de/stacks/forgejo/forgejo-runner.yaml

@@ -1,7 +1,7 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: sizer-receiver
+  name: forgejo-runner
   namespace: argocd
   labels:
     env: dev
@@ -17,9 +17,8 @@ spec:
     retry:
       limit: -1
   destination:
-    name: in-cluster
-    namespace: garm
+    server: "https://kubernetes.default.svc"
   source:
     repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
     targetRevision: HEAD
-    path: "otc/dev.t09.de/stacks/garm/sizer-receiver"
+    path: "otc/benchmark.t09.de/stacks/forgejo/forgejo-runner"

otc/benchmark.t09.de/stacks/forgejo/forgejo-runner/dind-docker.yaml

@@ -0,0 +1,104 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: forgejo-runner
+  name: forgejo-runner
+  namespace: gitea
+spec:
+  # Two replicas means that if one is busy, the other can pick up jobs.
+  replicas: 3
+  selector:
+    matchLabels:
+      app: forgejo-runner
+  strategy: {}
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: forgejo-runner
+    spec:
+      restartPolicy: Always
+      volumes:
+      - name: docker-certs
+        emptyDir: {}
+      - name: runner-data
+        emptyDir: {}
+      # Initialise our configuration file using offline registration
+      # https://forgejo.org/docs/v1.21/admin/actions/#offline-registration
+      initContainers:
+        - name: runner-register
+          image: code.forgejo.org/forgejo/runner:12.6.4
+          command:
+          - "sh"
+          - "-c"
+          - |
+            forgejo-runner \
+              register \
+              --no-interactive \
+              --token ${RUNNER_SECRET} \
+              --name ${RUNNER_NAME} \
+              --instance ${FORGEJO_INSTANCE_URL} \
+              --labels docker:docker://node:24-bookworm,ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04,ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-24.04,ubuntu-24.04:docker://ghcr.io/catthehacker/ubuntu:act-24.04
+          env:
+            - name: RUNNER_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: RUNNER_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: forgejo-runner-token
+                  key: token
+            - name: FORGEJO_INSTANCE_URL
+              value: https://benchmark.t09.de
+          volumeMounts:
+            - name: runner-data
+              mountPath: /data
+      containers:
+      - name: runner
+        image: code.forgejo.org/forgejo/runner:12.6.4
+        command:
+          - "sh"
+          - "-c"
+          - |
+            while ! nc -z 127.0.0.1 2376 </dev/null; do
+              echo 'waiting for docker daemon...';
+              sleep 5;
+            done
+            forgejo-runner generate-config > config.yml ;
+            sed -i -e "s|privileged: .*|privileged: true|" config.yml
+            sed -i -e "s|network: .*|network: host|" config.yml ;
+            sed -i -e "s|^  envs:$$|  envs:\n    DOCKER_HOST: tcp://127.0.0.1:2376\n    DOCKER_TLS_VERIFY: 1\n    DOCKER_CERT_PATH: /certs/client|" config.yml ;
+            sed -i -e "s|^  options:|  options: -v /certs/client:/certs/client|" config.yml ;
+            sed -i -e "s|  valid_volumes: \[\]$$|  valid_volumes:\n    - /certs/client|" config.yml ;
+            /bin/forgejo-runner --config config.yml daemon
+        securityContext:
+          allowPrivilegeEscalation: true
+          privileged: true
+          readOnlyRootFilesystem: false
+          runAsGroup: 0
+          runAsNonRoot: false
+          runAsUser: 0
+        env:
+        - name: DOCKER_HOST
+          value: tcp://localhost:2376
+        - name: DOCKER_CERT_PATH
+          value: /certs/client
+        - name: DOCKER_TLS_VERIFY
+          value: "1"
+        volumeMounts:
+        - name: docker-certs
+          mountPath: /certs
+        - name: runner-data
+          mountPath: /data
+      - name: daemon
+        image: docker:28.0.4-dind
+        env:
+        - name: DOCKER_TLS_CERTDIR
+          value: /certs
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - name: docker-certs
+          mountPath: /certs

otc/benchmark.t09.de/stacks/forgejo/forgejo-server.yaml

@@ -0,0 +1,32 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: forgejo-server
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: -1
+  destination:
+    name: in-cluster
+    namespace: gitea
+  sources:
+    - repoURL: https://code.forgejo.org/forgejo-helm/forgejo-helm.git
+      path: .
+      targetRevision: v16.2.0
+      helm:
+        valueFiles:
+          - $values/otc/benchmark.t09.de/stacks/forgejo/forgejo-server/values.yaml
+    - repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
+      targetRevision: HEAD
+      ref: values
+    - repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
+      targetRevision: HEAD
+      path: "otc/benchmark.t09.de/stacks/forgejo/forgejo-server/manifests"

otc/benchmark.t09.de/stacks/forgejo/forgejo-server/manifests/forgejo-ingress.yaml

@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: 5120m
+    cert-manager.io/cluster-issuer: main
+
+  name: forgejo-server
+  namespace: gitea
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: benchmark.t09.de
+    http:
+      paths:
+      - backend:
+          service:
+            name: forgejo-server-http
+            port:
+              number: 3000
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - benchmark.t09.de
+    secretName: forgejo-net-tls

otc/benchmark.t09.de/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml

@@ -0,0 +1,91 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: forgejo-s3-backup
+  namespace: gitea
+spec:
+  schedule: "0 1 * * *"
+  concurrencyPolicy: "Forbid"
+  successfulJobsHistoryLimit: 5
+  failedJobsHistoryLimit: 5
+  startingDeadlineSeconds: 600 # 10 minutes
+  jobTemplate:
+    spec:
+      # 2h window: handles large incremental syncs after repo growth or OBS slowness; BackupJobTooSlow alert fires at 5m
+      activeDeadlineSeconds: 7200
+      backoffLimit: 2
+      ttlSecondsAfterFinished: 259200 #
+      template:
+        spec:
+          containers:
+            - name: rclone
+              image: rclone/rclone:1.70
+              imagePullPolicy: IfNotPresent
+              env:
+                - name: SOURCE_BUCKET
+                  valueFrom:
+                    secretKeyRef:
+                      name: forgejo-cloud-credentials
+                      key: bucket-name
+                - name: AWS_ACCESS_KEY_ID
+                  valueFrom:
+                    secretKeyRef:
+                      name: forgejo-cloud-credentials
+                      key: access-key
+                - name: AWS_SECRET_ACCESS_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: forgejo-cloud-credentials
+                      key: secret-key
+              volumeMounts:
+                - name: rclone-config
+                  mountPath: /config/rclone
+                  readOnly: true
+                - name: backup-dir
+                  mountPath: /backup
+                  readOnly: false
+              command:
+                - /bin/sh
+                - -c
+                - |
+                  rclone sync source:/${SOURCE_BUCKET} /backup -v --ignore-checksum
+          restartPolicy: OnFailure
+          volumes:
+            - name: rclone-config
+              secret:
+                secretName: forgejo-s3-backup
+            - name: backup-dir
+              persistentVolumeClaim:
+                claimName: s3-backup
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: s3-backup
+  namespace: gitea
+  annotations:
+    everest.io/disk-volume-type: GPSSD
+    everest.io/crypt-key-id: ac5a45e8-c705-445e-8026-e643e3f2525d
+spec:
+  storageClassName: csi-disk
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 500Gi
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: forgejo-s3-backup
+  namespace: gitea
+type: Opaque
+stringData:
+  rclone.conf: |
+    [source]
+    type = s3
+    provider = HuaweiOBS
+    env_auth = true
+    endpoint = obs.eu-de.otc.t-systems.com
+    region = eu-de
+    acl = private

otc/benchmark.t09.de/stacks/forgejo/forgejo-server/values.yaml

@@ -0,0 +1,180 @@
+
+# We use recreate to make sure only one instance with one version is running, because Forgejo might break or data gets inconsistant.
+strategy:
+  type: Recreate
+
+redis-cluster:
+  enabled: false
+
+redis:
+  enabled: false
+
+postgresql:
+  enabled: false
+
+postgresql-ha:
+  enabled: false
+
+persistence:
+  enabled: true
+  size: 200Gi
+  storageClass: csi-disk
+  annotations:
+    everest.io/crypt-key-id: ac5a45e8-c705-445e-8026-e643e3f2525d
+    everest.io/disk-volume-type: GPSSD
+
+test:
+  enabled: false
+
+deployment:
+  env:
+    - name: SSL_CERT_DIR
+      value: /etc/ssl/forgejo
+
+extraVolumeMounts:
+  - mountPath: /etc/ssl/forgejo
+    name: custom-database-certs-volume
+    readOnly: true
+
+extraVolumes:
+  - name: custom-database-certs-volume
+    secret:
+      secretName: custom-database-certs
+
+gitea:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+  additionalConfigFromEnvs:
+    - name: FORGEJO__storage__MINIO_ACCESS_KEY_ID
+      valueFrom:
+        secretKeyRef:
+          name: forgejo-cloud-credentials
+          key: access-key
+    - name: FORGEJO__storage__MINIO_SECRET_ACCESS_KEY
+      valueFrom:
+        secretKeyRef:
+          name: forgejo-cloud-credentials
+          key: secret-key
+    - name: FORGEJO__queue__CONN_STR
+      valueFrom:
+        secretKeyRef:
+          name: redis-forgejo-cloud-credentials
+          key: connection-string
+    - name: FORGEJO__session__PROVIDER_CONFIG
+      valueFrom:
+        secretKeyRef:
+          name: redis-forgejo-cloud-credentials
+          key: connection-string
+    - name: FORGEJO__cache__HOST
+      valueFrom:
+        secretKeyRef:
+          name: redis-forgejo-cloud-credentials
+          key: connection-string
+    - name: FORGEJO__database__HOST
+      valueFrom:
+        secretKeyRef:
+          name: postgres-forgejo-cloud-credentials
+          key: host_port
+    - name: FORGEJO__database__NAME
+      valueFrom:
+        secretKeyRef:
+          name: postgres-forgejo-cloud-credentials
+          key: database
+    - name: FORGEJO__database__USER
+      valueFrom:
+        secretKeyRef:
+          name: postgres-forgejo-cloud-credentials
+          key: username
+    - name: FORGEJO__database__PASSWD
+      valueFrom:
+        secretKeyRef:
+          name: postgres-forgejo-cloud-credentials
+          key: password
+    # Either 'elasticsearch' or 'bleve' (go in memory search engine)
+    - name: FORGEJO__indexer__ISSUE_INDEXER_TYPE
+      valueFrom:
+        secretKeyRef:
+          name: elasticsearch-cloud-credentials
+          key: type
+    - name: FORGEJO__indexer__ISSUE_INDEXER_CONN_STR
+      valueFrom:
+        secretKeyRef:
+          name: elasticsearch-cloud-credentials
+          key: connection-string
+    - name: FORGEJO__indexer__ISSUE_INDEXER_ENABLED
+      valueFrom:
+        secretKeyRef:
+          name: elasticsearch-cloud-credentials
+          key: enabled
+    - name: FORGEJO__mailer__PASSWD
+      valueFrom:
+        secretKeyRef:
+          name: email-user-credentials
+          key: connection-string
+
+  admin:
+    existingSecret: gitea-credential
+
+  config:
+    APP_NAME: 'EDP'
+    APP_SLOGAN: 'Build your thing in minutes'
+    storage:
+      MINIO_ENDPOINT: obs.eu-de.otc.t-systems.com:443
+      STORAGE_TYPE: minio
+      MINIO_LOCATION: eu-de
+      MINIO_BUCKET: "edp-forgejo-non-prod-benchmark"
+      MINIO_USE_SSL: true
+
+    queue:
+      TYPE: redis
+
+    session:
+      PROVIDER: redis
+
+    cache:
+      ENABLED: true
+      ADAPTER: redis
+
+    service:
+      DISABLE_REGISTRATION: true
+      ENABLE_NOTIFY_MAIL: true
+
+    other:
+      SHOW_FOOTER_VERSION: false
+      SHOW_FOOTER_TEMPLATE_LOAD_TIME: false
+
+    database:
+      DB_TYPE: postgres
+      SSL_MODE: verify-ca
+
+    server:
+      DOMAIN: 'benchmark.t09.de'
+      ROOT_URL: 'https://benchmark.t09.de:443'
+
+    mailer:
+      ENABLED: true
+      USER: ipcei-cis-devfw@mms-support.de
+      PROTOCOL: smtps
+      FROM: '"IPCEI CIS DevFW" <ipcei-cis-devfw@mms-support.de>'
+      SMTP_ADDR: mail.mms-support.de
+      SMTP_PORT: 465
+
+service:
+  ssh:
+    type: LoadBalancer
+    nodePort: 32222
+    externalTrafficPolicy: Cluster
+    annotations:
+      kubernetes.io/elb.id: db60c1a9-312c-42b7-847b-781d950a0e7a
+
+image:
+  pullPolicy: "IfNotPresent"
+  # Overrides the image tag whose default is the chart appVersion.
+  #tag: "8.0.3"
+  # Adds -rootless suffix to image name
+  # rootless: true
+  fullOverride: edp.buildth.ing/devfw-cicd/edp-forgejo:workflow-webhook-20260305
+
+forgejo: {}

otc/benchmark.t09.de/stacks/garm/garm.yaml

@@ -0,0 +1,33 @@
+# Default: Forgejo/GitHub Actions runner manager
+# Deploys GARM with the ci-sizer provider for automatic sizing + collector injection.
+# For GitLab-only deployments, omit this and use gitlab-webhook instead.
+# See: ci-sizer/docs/deployment-modes.md
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: garm
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: -1
+  destination:
+    name: in-cluster
+    namespace: garm
+  sources:
+    - repoURL: https://edp.buildth.ing/DevFW-CICD/garm-helm
+      path: charts/garm
+      targetRevision: v0.0.17
+      helm:
+        valueFiles:
+          - $values/otc/benchmark.t09.de/stacks/garm/garm/values.yaml
+    - repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
+      targetRevision: HEAD
+      ref: values

otc/benchmark.t09.de/stacks/garm/garm/values.yaml

@@ -0,0 +1,51 @@
+ingress:
+  enabled: true
+  className: nginx
+  annotations:
+    cert-manager.io/cluster-issuer: main
+    nginx.ingress.kubernetes.io/backend-protocol: HTTP
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+  hosts:
+    - host: garm.benchmark.t09.de
+      paths:
+        - path: /
+          pathType: Prefix
+  tls:
+    - secretName: garm-net-tls
+      hosts:
+        - garm.benchmark.t09.de
+
+# Credentials and Secrets
+credentials:
+  edgeConnect:
+    existingSecretName: "edge-credential"
+  gitea:
+    url: "https://benchmark.t09.de"  # Required
+  db:
+    existingSecretName: garm-fixed-credentials
+
+image:
+  repository: edp.buildth.ing/devfw-cicd/garm-forgejo
+  tag: v0.1.7-forgejo-22
+
+providerConfig:
+  edgeConnect:
+    organization: edp2
+    region: EU
+    edgeConnectUrl: "https://hub.apps.edge.platform.mg3.mdb.osc.live"
+    cloudlet:
+      name: Hamburg
+      organization: TelekomOP
+  edgeConnectK8s:
+    pendingTimeout: "5m"
+    sizer:
+      sidecarImage: edp.buildth.ing/devfw-cicd/ci-sizer-collector:0.9.7
+      sidecarPushEndpoint: https://sizer.benchmark.t09.de/api/v1/metrics
+      baseUrl: "https://sizer.benchmark.t09.de"
+      readToken:
+        existingSecretName: sizer-tokens
+        # key/mountPath/fileName default sanely in garm-helm ≥v0.0.17
+
+garm:
+  logging:
+    logLevel: info

otc/benchmark.t09.de/stacks/observability-client/metrics-server.yaml

@@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: metrics-server
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: -1
+  destination:
+    name: in-cluster
+    namespace: observability
+  sources:
+    - chart: metrics-server
+      repoURL: https://kubernetes-sigs.github.io/metrics-server/
+      targetRevision: 3.12.2
+      helm:
+        valueFiles:
+          - $values/otc/benchmark.t09.de/stacks/observability-client/metrics-server/values.yaml
+    - repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
+      targetRevision: HEAD
+      ref: values

otc/benchmark.t09.de/stacks/observability-client/metrics-server/values.yaml

@@ -0,0 +1,4 @@
+metrics:
+  enabled: true
+serviceMonitor:
+  enabled: true

otc/benchmark.t09.de/stacks/observability-client/vector.yaml

@@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: vector
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: -1
+  destination:
+    name: in-cluster
+    namespace: observability
+  sources:
+    - chart: vector
+      repoURL: https://helm.vector.dev
+      targetRevision: 0.43.0
+      helm:
+        valueFiles:
+          - $values/otc/benchmark.t09.de/stacks/observability-client/vector/values.yaml
+    - repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
+      targetRevision: HEAD
+      ref: values

otc/benchmark.t09.de/stacks/observability-client/vector/values.yaml

@@ -0,0 +1,68 @@
+# -- Enable deployment of vector
+role: Agent
+dataDir: /vector-data-dir
+resources: {}
+args:
+  - -w
+  - --config-dir
+  - /etc/vector/
+env:
+  - name: VECTOR_USER
+    valueFrom:
+      secretKeyRef:
+        name: simple-user-secret
+        key: username
+  - name: VECTOR_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: simple-user-secret
+        key: password
+containerPorts:
+  - name: prom-exporter
+    containerPort: 9090
+    protocol: TCP
+service:
+  enabled: false
+customConfig:
+  data_dir: /vector-data-dir
+  api:
+    enabled: false
+    address: 0.0.0.0:8686
+    playground: true
+  sources:
+    k8s:
+      type: kubernetes_logs
+    internal_metrics:
+      type: internal_metrics
+  transforms:
+    parser:
+      type: remap
+      inputs: [k8s]
+      source: |
+        ._msg = parse_json(.message) ?? .message
+        del(.message)
+        # Add the cluster environment to the log event
+        .cluster_environment = "benchmark"
+  sinks:
+    vlogs:
+      type: elasticsearch
+      inputs: [parser]
+      endpoints: 
+        - https://o12y.observability.buildth.ing/insert/elasticsearch/
+      auth:
+        strategy: basic
+        user: ${VECTOR_USER}
+        password: ${VECTOR_PASSWORD}
+      mode: bulk
+      api_version: v8
+      compression: gzip
+      healthcheck:
+        enabled: false
+      request:
+        headers:
+          AccountID: "0"
+          ProjectID: "0"
+      query:
+        _msg_field: _msg
+        _time_field: _time
+        _stream_fields: cluster_environment,kubernetes.container_name,kubernetes.namespace

otc/benchmark.t09.de/stacks/observability-client/vm-client-stack.yaml

@@ -0,0 +1,30 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: vm-client
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+  destination:
+    name: in-cluster
+    namespace: observability
+  sources:
+    - chart: victoria-metrics-k8s-stack
+      repoURL: https://victoriametrics.github.io/helm-charts/
+      targetRevision: 0.48.1
+      helm:
+        valueFiles:
+          - $values/otc/benchmark.t09.de/stacks/observability-client/vm-client-stack/values.yaml
+    - repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
+      targetRevision: HEAD
+      ref: values
+    - repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
+      targetRevision: HEAD
+      path: "otc/benchmark.t09.de/stacks/observability-client/vm-client-stack/manifests"

otc/benchmark.t09.de/stacks/observability-client/vm-client-stack/manifests/forgejo-scrape.yaml

@@ -0,0 +1,15 @@
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMServiceScrape
+metadata:
+  name: forgejo
+  namespace: observability
+spec:
+  namespaceSelector:
+    matchNames:
+      - gitea
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: forgejo
+  endpoints:
+    - port: http
+      path: /metrics

otc/benchmark.t09.de/stacks/observability/grafana-operator.yaml

@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: grafana-operator
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true
+  destination:
+    name: in-cluster
+    namespace: observability
+  sources:
+    - chart: grafana-operator
+      repoURL: ghcr.io/grafana/helm-charts
+      targetRevision: v5.18.0
+    - repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
+      targetRevision: HEAD
+      path: "otc/benchmark.t09.de/stacks/observability/grafana-operator/manifests"

otc/benchmark.t09.de/stacks/observability/grafana-operator/manifests/argocd.yaml

@@ -0,0 +1,9 @@
+apiVersion: grafana.integreatly.org/v1beta1
+kind: GrafanaDashboard
+metadata:
+  name: argocd
+spec:
+  instanceSelector:
+    matchLabels:
+      dashboards: "grafana"
+  url: "https://raw.githubusercontent.com/argoproj/argo-cd/refs/heads/master/examples/dashboard.json"

otc/benchmark.t09.de/stacks/observability/grafana-operator/manifests/grafana.yaml

@@ -0,0 +1,75 @@
+apiVersion: grafana.integreatly.org/v1beta1
+kind: Grafana
+metadata:
+  name: grafana
+  labels:
+    dashboards: "grafana"
+spec:
+  persistentVolumeClaim:
+    metadata:
+      annotations:
+        everest.io/disk-volume-type: GPSSD
+        everest.io/crypt-key-id: ac5a45e8-c705-445e-8026-e643e3f2525d
+    spec:
+      storageClassName: csi-disk
+      accessModes:
+        - ReadWriteOnce
+      resources:
+        requests:
+          storage: 10Gi
+  deployment:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: grafana
+              env:
+                - name: OAUTH_CLIENT_SECRET
+                  valueFrom:
+                    secretKeyRef:
+                      key: clientSecret
+                      name: dex-grafana-client
+  config:
+    log.console:
+      level: debug
+    server:
+      root_url: "https://grafana.benchmark.t09.de"
+    auth:
+      disable_login: "true"
+      disable_login_form: "true"
+    auth.generic_oauth:
+      enabled: "true"
+      name: Forgejo
+      allow_sign_up: "true"
+      use_refresh_token: "true"
+      client_id: grafana
+      client_secret: $__env{OAUTH_CLIENT_SECRET}
+      scopes: openid email profile offline_access groups
+      auth_url: https://dex.benchmark.t09.de/auth
+      token_url: https://dex.benchmark.t09.de/token
+      api_url: https://dex.benchmark.t09.de/userinfo
+      redirect_uri: https://grafana.benchmark.t09.de/login/generic_oauth
+      role_attribute_path: "contains(groups[*], 'DevFW') && 'GrafanaAdmin' || 'None'"
+      allow_assign_grafana_admin: "true"
+  ingress:
+    metadata:
+      annotations:
+        cert-manager.io/cluster-issuer: main
+        nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    spec:
+      ingressClassName: nginx
+      rules:
+      - host: grafana.benchmark.t09.de
+        http:
+          paths:
+          - backend:
+              service:
+                name: grafana-service
+                port:
+                  number: 3000
+            path: /
+            pathType: Prefix
+      tls:
+      - hosts:
+        - grafana.benchmark.t09.de
+        secretName: grafana-net-tls

otc/benchmark.t09.de/stacks/observability/grafana-operator/manifests/ingress-nginx.yaml

@@ -0,0 +1,9 @@
+apiVersion: grafana.integreatly.org/v1beta1
+kind: GrafanaDashboard
+metadata:
+  name: ingress-nginx 
+spec:
+  instanceSelector:
+    matchLabels:
+      dashboards: "grafana"
+  url: "https://raw.githubusercontent.com/adinhodovic/ingress-nginx-mixin/refs/heads/main/dashboards_out/ingress-nginx-overview.json"

otc/benchmark.t09.de/stacks/observability/grafana-operator/manifests/victoria-logs.yaml

@@ -0,0 +1,9 @@
+apiVersion: grafana.integreatly.org/v1beta1
+kind: GrafanaDashboard
+metadata:
+  name: victoria-logs
+spec:
+  instanceSelector:
+    matchLabels:
+      dashboards: "grafana"
+  url: "https://raw.githubusercontent.com/VictoriaMetrics/VictoriaMetrics/refs/heads/master/dashboards/vm/victorialogs.json"

otc/benchmark.t09.de/stacks/observability/victoria-k8s-stack.yaml

@@ -0,0 +1,31 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: o12y
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true
+  destination:
+    name: in-cluster
+    namespace: observability
+  sources:
+    - chart: victoria-metrics-k8s-stack
+      repoURL: https://victoriametrics.github.io/helm-charts/
+      targetRevision: 0.48.1
+      helm:
+        valueFiles:
+          - $values/otc/benchmark.t09.de/stacks/observability/victoria-k8s-stack/values.yaml
+    - repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
+      targetRevision: HEAD
+      ref: values
+    - repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
+      targetRevision: HEAD
+      path: "otc/benchmark.t09.de/stacks/observability/victoria-k8s-stack/manifests"

otc/benchmark.t09.de/stacks/observability/victoria-k8s-stack/manifests/alerts.yaml

@@ -0,0 +1,40 @@
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMRule
+metadata:
+  name: forgejo-alerts
+  namespace: observability
+spec:
+  groups:
+    - name: forgejo
+      rules:
+        - alert: forgejo down
+          expr: sum by(cluster_environment) (up{pod=~"forgejo-server-.*"}) < 1
+          for: 30s
+          labels:
+            severity: critical
+            job:  "{{ $labels.job }}"
+          annotations:
+            value: "{{ $value }}"
+            description: 'forgejo is down in cluster environment {{ $labels.cluster_environment }}'
+    - name: forgejo-backup
+      rules:
+        - alert: forgejo s3 backup job failed
+          expr: max by(cluster_environment) (kube_job_status_failed{job_name=~"forgejo-s3-backup-.*"}) != 0
+          for: 30s
+          labels:
+            severity: critical
+            job:  "{{ $labels.job }}"
+          annotations:
+            value: "{{ $value }}"
+            description: 'forgejo s3 backup job failed in cluster environment {{ $labels.cluster_environment }}'
+    - name: disk-consumption-high
+      rules:
+        - alert: disk consumption high
+          expr: 1-(kubelet_volume_stats_available_bytes / kubelet_volume_stats_capacity_bytes) > 0.6
+          for: 30s
+          labels:
+            severity: major
+            job:  "{{ $labels.job }}"
+          annotations:
+            value: "{{ $value }}"
+            description: 'disk consumption of pvc {{ $labels.namespace }}/{{ $labels.persistentvolumeclaim }} is high in cluster environment {{ $labels.cluster_environment }}'

otc/benchmark.t09.de/stacks/observability/victoria-k8s-stack/manifests/vlogs.yaml

@@ -0,0 +1,26 @@
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VLogs
+metadata:
+  name: victorialogs
+  namespace: observability
+spec:
+  retentionPeriod: "12"
+  removePvcAfterDelete: true
+  storageMetadata:
+    annotations:
+      everest.io/crypt-key-id: ac5a45e8-c705-445e-8026-e643e3f2525d
+      everest.io/disk-volume-type: GPSSD
+  storage:
+    storageClassName: csi-disk
+    accessModes:
+      - ReadWriteOnce
+    resources:
+      requests:
+        storage: 50Gi
+  resources:
+    requests:
+      memory: 500Mi
+      cpu: 500m
+    limits:
+      memory: 10Gi
+      cpu: 2

otc/benchmark.t09.de/stacks/observability/victoria-k8s-stack/manifests/vmauth.yaml

@@ -0,0 +1,17 @@
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMUser
+metadata:
+  name: simple-user
+  namespace: observability
+spec:
+  username: simple-user
+  passwordRef:
+    key: password
+    name: simple-user-secret
+  targetRefs:
+    - static:
+        url: http://vmsingle-o12y:8429
+      paths: ["/api/v1/write"]
+    - static:
+        url: http://vlogs-victorialogs:9428
+      paths: ["/insert/elasticsearch/.*"]

otc/benchmark.t09.de/stacks/otc/cert-manager/manifests/clusterissuer.yaml

@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: main
+spec:
+  acme:
+    email: admin@think-ahead.tech
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: cluster-issuer-account-key
+    solvers:
+    - http01:
+        ingress:
+          ingressClassName: nginx

otc/benchmark.t09.de/stacks/otc/cert-manager/values.yaml

@@ -0,0 +1,4 @@
+crds:
+  enabled: true
+
+replicaCount: 1

otc/benchmark.t09.de/stacks/otc/cert-manger.yaml

@@ -0,0 +1,32 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cert-manager
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: -1
+  destination:
+    name: in-cluster
+    namespace: cert-manager
+  sources:
+    - chart: cert-manager
+      repoURL: https://charts.jetstack.io
+      targetRevision: v1.17.2
+      helm:
+        valueFiles:
+          - $values/otc/benchmark.t09.de/stacks/otc/cert-manager/values.yaml
+    - repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
+      targetRevision: HEAD
+      ref: values
+    - repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
+      targetRevision: HEAD
+      path: "otc/benchmark.t09.de/stacks/otc/cert-manager/manifests"

otc/benchmark.t09.de/stacks/otc/ingress-nginx.yaml

@@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: ingress-nginx
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: -1
+  destination:
+    name: in-cluster
+    namespace: ingress-nginx
+  sources:
+    - repoURL: https://github.com/kubernetes/ingress-nginx.git
+      path: charts/ingress-nginx
+      targetRevision: helm-chart-4.12.1
+      helm:
+        valueFiles:
+          - $values/otc/benchmark.t09.de/stacks/otc/ingress-nginx/values.yaml
+    - repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
+      targetRevision: HEAD
+      ref: values

otc/benchmark.t09.de/stacks/otc/ingress-nginx/values.yaml

@@ -0,0 +1,31 @@
+controller:
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+
+  service:
+    annotations:
+      kubernetes.io/elb.class: union
+      kubernetes.io/elb.port: '80'
+      kubernetes.io/elb.id: db60c1a9-312c-42b7-847b-781d950a0e7a
+      kubernetes.io/elb.ip: 164.30.20.78
+
+  ingressClassResource:
+    name: nginx
+
+  # added for idpbuilder
+  allowSnippetAnnotations: true
+
+  # added for idpbuilder
+  config:
+    proxy-buffer-size: 32k
+    use-forwarded-headers: "true"
+
+  # monitoring nginx
+  metrics:
+    enabled: true
+    serviceMonitor:
+      additionalLabels: 
+        release: "ingress-nginx"  
+      enabled: true

otc/benchmark.t09.de/stacks/otc/storageclass.yaml

@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: storageclass
+  namespace: argocd
+  labels:
+    example: otc
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: default
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
+    targetRevision: HEAD
+    path: "otc/benchmark.t09.de/stacks/otc/storageclass"
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: -1

otc/benchmark.t09.de/stacks/otc/storageclass/storageclass.yaml

@@ -0,0 +1,18 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  annotations:
+    storageclass.beta.kubernetes.io/is-default-class: "true"
+  labels:
+    kubernetes.io/cluster-service: "true"
+  name: default
+parameters:
+  kubernetes.io/description: ""
+  kubernetes.io/hw:passthrough: "true"
+  kubernetes.io/storagetype: BS
+  kubernetes.io/volumetype: SATA
+  kubernetes.io/zone: eu-de-02
+provisioner: flexvolume-huawei.com/fuxivol
+reclaimPolicy: Delete
+volumeBindingMode: Immediate
+allowVolumeExpansion: true

otc/benchmark.t09.de/stacks/terralist/terralist.yaml

@@ -0,0 +1,30 @@
+# helm upgrade --install --create-namespace --namespace terralist terralist oci://ghcr.io/terralist/helm-charts/terralist -f terralist-values.yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: terralist
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: -1
+  destination:
+    name: in-cluster
+    namespace: terralist
+  sources:
+    - repoURL: https://github.com/terralist/helm-charts
+      path: charts/terralist
+      targetRevision: terralist-0.8.1
+      helm:
+        valueFiles:
+          - $values/otc/benchmark.t09.de/stacks/terralist/terralist/values.yaml
+    - repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
+      targetRevision: HEAD
+      ref: values

otc/benchmark.t09.de/stacks/terralist/terralist/values.yaml

@@ -0,0 +1,87 @@
+controllers:
+  main:
+    strategy: Recreate
+    containers:
+      app:
+        env:
+          - name: TERRALIST_OAUTH_PROVIDER
+            value: oidc
+          - name: TERRALIST_OI_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                name: oidc-credentials
+                key: client-id
+          - name: TERRALIST_OI_CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: oidc-credentials
+                key: client-secret
+          - name: TERRALIST_OI_AUTHORIZE_URL
+            valueFrom:
+              secretKeyRef:
+                name: oidc-credentials
+                key: authorize-url
+          - name: TERRALIST_OI_TOKEN_URL
+            valueFrom:
+              secretKeyRef:
+                name: oidc-credentials
+                key: token-url
+          - name: TERRALIST_OI_USERINFO_URL
+            valueFrom:
+              secretKeyRef:
+                name: oidc-credentials
+                key: userinfo-url
+          - name: TERRALIST_OI_SCOPE
+            valueFrom:
+              secretKeyRef:
+                name: oidc-credentials
+                key: scope
+          - name: TERRALIST_TOKEN_SIGNING_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: terralist-secret
+                key: token-signing-secret
+          - name: TERRALIST_COOKIE_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: terralist-secret
+                key: cookie-secret
+          - name: TERRALIST_URL
+            value: https://terralist.benchmark.t09.de
+          - name: TERRALIST_SQLITE_PATH
+            value: /data/db.sqlite
+          - name: TERRALIST_LOCAL_STORE
+            value: /data/modules
+          - name: TERRALIST_PROVIDERS_ANONYMOUS_READ
+            value: "true"
+
+ingress:
+  main:
+    enabled: true
+    className: nginx
+    annotations:
+      cert-manager.io/cluster-issuer: main
+    hosts:
+      - host: terralist.benchmark.t09.de
+        paths:
+          - path: /
+            pathType: Prefix
+            service:
+              identifier: main
+              port: http
+    tls:
+      - hosts:
+        - terralist.benchmark.t09.de
+        secretName: terralist-tls-secret
+
+persistence:
+  data:
+    enabled: true
+    accessMode: ReadWriteOnce
+    size: 10Gi
+    retain: false
+    storageClass: "csi-disk"
+    annotations:
+      everest.io/disk-volume-type: GPSSD
+    globalMounts:
+      - path: /data

otc/dev.t09.de/registry/ci-sizer.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: ci-sizer-reg
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    name: in-cluster
+    namespace: argocd
+  source:
+    path: "otc/dev.t09.de/stacks/ci-sizer"
+    repoURL: "https://edp.buildth.ing/DevFW-CICD/stacks-instances"
+    targetRevision: HEAD
+  project: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

otc/dev.t09.de/stacks/ci-sizer/gitlab-webhook.yaml

@@ -0,0 +1,29 @@
+# Optional: GitLab CI integration
+# Only hydrate this app for clusters that run GitLab Runner.
+# For Forgejo/GitHub-only deployments, omit this app from stacks-instances.
+# See: ci-sizer/docs/deployment-modes.md
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: gitlab-sizer-webhook
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: -1
+  destination:
+    name: in-cluster
+    namespace: ci-sizer
+  source:
+    repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
+    targetRevision: HEAD
+    path: "otc/dev.t09.de/stacks/ci-sizer/gitlab-webhook"

otc/dev.t09.de/stacks/ci-sizer/gitlab-webhook/certificates.yaml

@@ -0,0 +1,27 @@
+# Self-signed Issuer for webhook TLS.
+# For production, replace with a ClusterIssuer backed by a real CA.
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+spec:
+  selfSigned: {}
+---
+# cert-manager Certificate for the webhook TLS.
+# The resulting Secret (gitlab-sizer-webhook-tls) is mounted into the webhook pod.
+# cert-manager also injects the CA into the MutatingWebhookConfiguration via the
+# cert-manager.io/inject-ca-from annotation.
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: gitlab-sizer-webhook-cert
+spec:
+  secretName: gitlab-sizer-webhook-tls
+  issuerRef:
+    name: selfsigned-issuer
+    kind: Issuer
+  dnsNames:
+    - gitlab-sizer-webhook.ci-sizer.svc
+    - gitlab-sizer-webhook.ci-sizer.svc.cluster.local
+  duration: 8760h
+  renewBefore: 720h

otc/dev.t09.de/stacks/ci-sizer/gitlab-webhook/deployment.yaml

@@ -0,0 +1,141 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: gitlab-sizer-webhook
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: gitlab-sizer-webhook
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: gitlab-sizer-webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: gitlab-sizer-webhook
+subjects:
+  - kind: ServiceAccount
+    name: gitlab-sizer-webhook
+    namespace: ci-sizer
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gitlab-sizer-webhook
+  labels:
+    app: gitlab-sizer-webhook
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: gitlab-sizer-webhook
+  template:
+    metadata:
+      labels:
+        app: gitlab-sizer-webhook
+    spec:
+      serviceAccountName: gitlab-sizer-webhook
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        runAsGroup: 65534
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: webhook
+          image: edp.buildth.ing/devfw-cicd/gitlab-webhook-edge-connect:latest
+          imagePullPolicy: Always
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+                - ALL
+          ports:
+            - containerPort: 8443
+              protocol: TCP
+          args:
+            - --listen-addr=:8443
+            - --tls-cert-file=/etc/webhook/tls/tls.crt
+            - --tls-key-file=/etc/webhook/tls/tls.key
+            - --sizer-url=http://sizer-receiver.ci-sizer.svc:8080
+            - --sizer-sidecar-image=edp.buildth.ing/devfw-cicd/ci-sizer-collector:latest
+          env:
+            - name: WEBHOOK_SIZER_READ_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: gitlab-sizer-webhook-tokens
+                  key: sizer-read-token
+            - name: WEBHOOK_SIZER_PUSH_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: gitlab-sizer-webhook-tokens
+                  key: sizer-push-token
+            - name: HTTP_PROXY
+              valueFrom:
+                configMapKeyRef:
+                  name: gitlab-sizer-webhook-config
+                  key: HTTP_PROXY
+                  optional: true
+            - name: HTTPS_PROXY
+              valueFrom:
+                configMapKeyRef:
+                  name: gitlab-sizer-webhook-config
+                  key: HTTPS_PROXY
+                  optional: true
+            - name: NO_PROXY
+              valueFrom:
+                configMapKeyRef:
+                  name: gitlab-sizer-webhook-config
+                  key: NO_PROXY
+                  optional: true
+          volumeMounts:
+            - name: webhook-tls
+              mountPath: /etc/webhook/tls
+              readOnly: true
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8443
+              scheme: HTTPS
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: 8443
+              scheme: HTTPS
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            requests:
+              cpu: 100m
+              memory: 128Mi
+            limits:
+              cpu: 200m
+              memory: 128Mi
+      volumes:
+        - name: webhook-tls
+          secret:
+            secretName: gitlab-sizer-webhook-tls
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitlab-sizer-webhook
+  labels:
+    app: gitlab-sizer-webhook
+spec:
+  selector:
+    app: gitlab-sizer-webhook
+  ports:
+    - port: 443
+      targetPort: 8443
+      protocol: TCP

otc/dev.t09.de/stacks/ci-sizer/gitlab-webhook/webhook-config.yaml

@@ -0,0 +1,30 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: gitlab-sizer-webhook
+  annotations:
+    cert-manager.io/inject-ca-from: ci-sizer/gitlab-sizer-webhook-cert
+webhooks:
+  - name: gitlab-sizer-webhook.ci-sizer.svc
+    admissionReviewVersions: ["v1"]
+    sideEffects: NoneOnDryRun
+    failurePolicy: Ignore
+    timeoutSeconds: 5
+    reinvocationPolicy: Never
+    clientConfig:
+      service:
+        name: gitlab-sizer-webhook
+        namespace: ci-sizer
+        path: /mutate
+    rules:
+      - apiGroups: [""]
+        apiVersions: ["v1"]
+        operations: ["CREATE"]
+        resources: ["pods"]
+    namespaceSelector:
+      matchLabels:
+        ci-sizer.devfw.io/watch: "true"
+    objectSelector:
+      matchExpressions:
+        - key: job.runner.gitlab.com/pod
+          operator: Exists

otc/dev.t09.de/stacks/ci-sizer/sizer-receiver.yaml

@@ -0,0 +1,29 @@
+# Required: CI Sizer receiver
+# Always deploy this — it stores metrics and computes sizing recommendations.
+# Works standalone or with GARM (Forgejo/GitHub) and/or GitLab webhook.
+# See: ci-sizer/docs/deployment-modes.md
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: sizer-receiver
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: -1
+  destination:
+    name: in-cluster
+    namespace: ci-sizer
+  source:
+    repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
+    targetRevision: HEAD
+    path: "otc/dev.t09.de/stacks/ci-sizer/sizer-receiver"

otc/dev.t09.de/stacks/ci-sizer/sizer-receiver/deployment.yaml

@@ -1,22 +1,27 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: optimiser-receiver
+  name: sizer-receiver
   labels:
-    app: optimiser-receiver
+    app: sizer-receiver
 spec:
+  strategy:
+    type: Recreate
   replicas: 1
   selector:
     matchLabels:
-      app: optimiser-receiver
+      app: sizer-receiver
   template:
     metadata:
       labels:
-        app: optimiser-receiver
+        app: sizer-receiver
     spec:
+      securityContext:
+        fsGroup: 65534
       containers:
         - name: receiver
-          image: edp.buildth.ing/devfw-cicd/forgejo-runner-optimiser-receiver:0.0.3
+          image: edp.buildth.ing/devfw-cicd/ci-sizer-receiver:latest
+          imagePullPolicy: Always
           args:
             - --db=/data/metrics.db
           ports:
@@ -27,13 +32,41 @@ spec:
             - name: RECEIVER_READ_TOKEN
               valueFrom:
                 secretKeyRef:
-                  name: optimiser-tokens
+                  name: sizer-tokens
                   key: read-token
             - name: RECEIVER_HMAC_KEY
               valueFrom:
                 secretKeyRef:
-                  name: optimiser-tokens
+                  name: sizer-tokens
                   key: hmac-key
+            - name: GARM_URL
+              value: "http://garm.garm.svc:80"
+            - name: GARM_USER
+              value: "admin"
+            - name: GARM_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: garm-fixed-credentials
+                  key: admin_password
+            - name: RECEIVER_OIDC_ISSUER
+              value: "https://dex.dev.t09.de"
+            - name: RECEIVER_OIDC_CLIENT_ID
+              value: "ci-sizer"
+            - name: RECEIVER_OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: sizer-oidc-client
+                  key: client-secret
+            - name: RECEIVER_OIDC_REDIRECT_URI
+              value: "https://sizer.dev.t09.de/ui/callback"
+            - name: RECEIVER_SESSION_TTL
+              value: "12h"
+            - name: RECEIVER_ALLOWED_ORG
+              value: "DevFW-CICD"
+            - name: RECEIVER_CPU_SIZING_MODE
+              value: "observe"
+            - name: RECEIVER_MEMORY_QOS
+              value: "guaranteed"
           volumeMounts:
             - name: data
               mountPath: /data
@@ -59,17 +92,17 @@ spec:
       volumes:
         - name: data
           persistentVolumeClaim:
-            claimName: optimiser-receiver-data
+            claimName: sizer-receiver-data
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  name: optimiser-receiver
+  name: sizer-receiver
   labels:
-    app: optimiser-receiver
+    app: sizer-receiver
 spec:
   selector:
-    app: optimiser-receiver
+    app: sizer-receiver
   ports:
     - name: http
       port: 8080
@@ -79,9 +112,9 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: optimiser-receiver-data
+  name: sizer-receiver-data
   labels:
-    app: optimiser-receiver
+    app: sizer-receiver
   annotations:
     everest.io/disk-volume-type: GPSSD
 spec:

otc/dev.t09.de/stacks/ci-sizer/sizer-receiver/ingress.yaml

@@ -0,0 +1,36 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    cert-manager.io/cluster-issuer: main
+
+  name: sizer-receiver
+  namespace: ci-sizer
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: sizer.dev.t09.de
+      http:
+        paths:
+          - backend:
+              service:
+                name: sizer-receiver
+                port:
+                  number: 8080
+            path: /
+            pathType: Prefix
+    - host: ci-sizer.dev.t09.de
+      http:
+        paths:
+          - backend:
+              service:
+                name: sizer-receiver
+                port:
+                  number: 8080
+            path: /
+            pathType: Prefix
+  tls:
+    - hosts:
+        - sizer.dev.t09.de
+      secretName: sizer-receiver-tls

otc/dev.t09.de/stacks/ci-sizer/sizer-receiver/secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: sizer-oidc-client
+  labels:
+    app: sizer-receiver
+type: Opaque
+stringData:
+  client-secret: "73eda9068bd00dfe67d29f087b5540cb1cd82cc1dd2ac0f838558ac8bbcfcb3a"

otc/dev.t09.de/stacks/core/argocd/values.yaml

@@ -35,6 +35,30 @@ configs:
   tls:
     certificates:
 
+controller:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: false
+
+server:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: false
+
+repoServer:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: false
+
+applicationSet:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: false
+
 notifications:
   enabled: false
 

otc/dev.t09.de/stacks/core/dex.yaml

@@ -27,3 +27,6 @@ spec:
     - repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
       targetRevision: HEAD
       ref: values
+    - repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
+      targetRevision: HEAD
+      path: "otc/dev.t09.de/stacks/core/dex/manifests"

otc/dev.t09.de/stacks/core/dex/manifests/dex-sizer-client.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: dex-sizer-client
+  namespace: dex
+type: Opaque
+stringData:
+  clientSecret: "73eda9068bd00dfe67d29f087b5540cb1cd82cc1dd2ac0f838558ac8bbcfcb3a"

otc/dev.t09.de/stacks/core/dex/values.yaml

@@ -34,6 +34,11 @@ envVars:
       secretKeyRef:
         name: dex-argo-client
         key: clientSecret
+  - name: FORGEJO_RUNNER_SIZER_CLIENT_SECRET
+    valueFrom:
+      secretKeyRef:
+        name: dex-sizer-client
+        key: clientSecret
   - name: LOG_LEVEL
     value: debug
 
@@ -74,3 +79,8 @@ config:
         - "https://grafana.dev.t09.de/login/generic_oauth"
       name: "Grafana"
       secretEnv: "OIDC_DEX_GRAFANA_CLIENT_SECRET"
+    - id: ci-sizer
+      name: "CI Sizer"
+      redirectURIs:
+        - "https://sizer.dev.t09.de/ui/callback"
+      secretEnv: "FORGEJO_RUNNER_SIZER_CLIENT_SECRET"

otc/dev.t09.de/stacks/core/secrets-backup.yaml

@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: secrets-backup
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: -1
+  destination:
+    name: in-cluster
+    namespace: gitea
+  sources:
+    - repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
+      targetRevision: HEAD
+      path: "otc/dev.t09.de/stacks/core/secrets-backup/manifests"

otc/dev.t09.de/stacks/core/secrets-backup/manifests/secrets-backup-cronjob.yaml

@@ -0,0 +1,107 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: secrets-backup
+  namespace: gitea
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: secrets-backup-reader
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list"]
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: secrets-backup-reader
+subjects:
+  - kind: ServiceAccount
+    name: secrets-backup
+    namespace: gitea
+roleRef:
+  kind: ClusterRole
+  name: secrets-backup-reader
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: secrets-backup
+  namespace: gitea
+spec:
+  schedule: "30 3 * * *"
+  concurrencyPolicy: "Forbid"
+  successfulJobsHistoryLimit: 5
+  failedJobsHistoryLimit: 5
+  startingDeadlineSeconds: 600 # 10 minutes
+  jobTemplate:
+    spec:
+      activeDeadlineSeconds: 900
+      backoffLimit: 2
+      ttlSecondsAfterFinished: 259200
+      template:
+        spec:
+          serviceAccountName: secrets-backup
+          containers:
+            - name: secrets-backup
+              image: edp.buildth.ing/devfw-cicd/secrets-backup:1.0.1
+              imagePullPolicy: IfNotPresent
+              env:
+                - name: AWS_ACCESS_KEY_ID
+                  valueFrom:
+                    secretKeyRef:
+                      name: forgejo-cloud-credentials
+                      key: access-key
+                - name: AWS_SECRET_ACCESS_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: forgejo-cloud-credentials
+                      key: secret-key
+                - name: SOURCE_BUCKET
+                  valueFrom:
+                    secretKeyRef:
+                      name: forgejo-cloud-credentials
+                      key: bucket-name
+                - name: OBS_ENDPOINT
+                  value: "obs.eu-de.otc.t-systems.com"
+              command:
+                - /bin/sh
+                - -c
+                - |
+                  set -euo pipefail
+
+                  TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+                  BACKUP_DIR="/tmp/secrets-backup-${TIMESTAMP}"
+                  NAMESPACES="argocd cert-manager external-secrets"
+
+                  mkdir -p "${BACKUP_DIR}"
+
+                  echo "=== Exporting secrets from critical namespaces ==="
+                  for NS in ${NAMESPACES}; do
+                    echo "Exporting namespace: ${NS}"
+                    kubectl get secrets -n "${NS}" \
+                      -o json \
+                      --field-selector type!=kubernetes.io/service-account-token \
+                      > "${BACKUP_DIR}/${NS}-secrets.json"
+                  done
+
+                  echo "=== Creating compressed archive ==="
+                  ARCHIVE="${BACKUP_DIR}/secrets-backup-${TIMESTAMP}.tar.gz"
+                  tar -czf "${ARCHIVE}" -C "${BACKUP_DIR}" \
+                    $(ls "${BACKUP_DIR}"/*.json 2>/dev/null | xargs -n1 basename)
+
+                  echo "=== Uploading to OBS (SSE-KMS encryption at rest) ==="
+                  aws s3 cp "${ARCHIVE}" \
+                    "s3://${SOURCE_BUCKET}/cluster-secrets-backup/${TIMESTAMP}/secrets-backup.tar.gz" \
+                    --endpoint-url "https://${OBS_ENDPOINT}"
+
+                  echo "=== Cleanup ==="
+                  rm -rf "${BACKUP_DIR}"
+                  echo "Backup completed: ${TIMESTAMP}"
+          restartPolicy: OnFailure

otc/dev.t09.de/stacks/forgejo/forgejo-runner/dind-docker.yaml

@@ -7,7 +7,7 @@ metadata:
   namespace: gitea
 spec:
   # Two replicas means that if one is busy, the other can pick up jobs.
-  replicas: 0
+  replicas: 3
   selector:
     matchLabels:
       app: forgejo-runner

otc/dev.t09.de/stacks/forgejo/forgejo-server/manifests/forgejo-ingress.yaml

@@ -3,7 +3,7 @@ kind: Ingress
 metadata:
   annotations:
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/proxy-body-size: 512m
+    nginx.ingress.kubernetes.io/proxy-body-size: 5120m
     cert-manager.io/cluster-issuer: main
 
   name: forgejo-server

otc/dev.t09.de/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml

@@ -11,8 +11,8 @@ spec:
   startingDeadlineSeconds: 600 # 10 minutes
   jobTemplate:
     spec:
-      # 60 min until backup - 10 min start - (backoffLimit * activeDeadlineSeconds) - some time sync buffer
-      activeDeadlineSeconds: 1350
+      # 2h window: handles large incremental syncs after repo growth or OBS slowness; BackupJobTooSlow alert fires at 5m
+      activeDeadlineSeconds: 7200
       backoffLimit: 2
       ttlSecondsAfterFinished: 259200 #
       template:
@@ -72,7 +72,7 @@ spec:
     - ReadWriteOnce
   resources:
     requests:
-      storage: 100Gi
+      storage: 500Gi
 ---
 apiVersion: v1
 kind: Secret

otc/dev.t09.de/stacks/forgejo/forgejo-server/values.yaml

@@ -137,6 +137,9 @@ gitea:
       ENABLED: true
       ADAPTER: redis
 
+    security:
+      GLOBAL_TWO_FACTOR_REQUIREMENT: admin
+
     service:
       DISABLE_REGISTRATION: true
       ENABLE_NOTIFY_MAIL: true
@@ -171,10 +174,9 @@ service:
 
 image:
   pullPolicy: "IfNotPresent"
-  # Overrides the image tag whose default is the chart appVersion.
-  #tag: "8.0.3"
-  # Adds -rootless suffix to image name
-  # rootless: true
+  # DB has v15a/v15b migrations from workflow-webhook build.
+  # Using that image until a proper v15+ EDP release is cut.
+  # DO NOT revert — automated upload will break the DB schema.
   fullOverride: edp.buildth.ing/devfw-cicd/edp-forgejo:workflow-webhook-20260305
 
 forgejo: {}

otc/dev.t09.de/stacks/garm/garm.yaml

@@ -1,3 +1,7 @@
+# Default: Forgejo/GitHub Actions runner manager
+# Deploys GARM with the ci-sizer provider for automatic sizing + collector injection.
+# For GitLab-only deployments, omit this and use gitlab-webhook instead.
+# See: ci-sizer/docs/deployment-modes.md
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -20,7 +24,7 @@ spec:
   sources:
     - repoURL: https://edp.buildth.ing/DevFW-CICD/garm-helm
       path: charts/garm
-      targetRevision: v0.0.12
+      targetRevision: v0.0.16
       helm:
         valueFiles:
           - $values/otc/dev.t09.de/stacks/garm/garm/values.yaml

otc/dev.t09.de/stacks/garm/garm/values.yaml

@@ -26,7 +26,7 @@ credentials:
 
 image:
   repository: edp.buildth.ing/devfw-cicd/garm-forgejo
-  tag: v0.1.7-forgejo-3
+  tag: v0.1.7-forgejo-24
 
 providerConfig:
   edgeConnect:
@@ -38,12 +38,11 @@ providerConfig:
       organization: TelekomOP
   edgeConnectK8s:
     sizer:
-      sidecarImage: edp.buildth.ing/devfw-cicd/forgejo-runner-sizer-collector:latest
-      sidecarPushEndpoint: https://sizer.dev.t09.de/api/v1/metrics
-      baseUrl: "https://sizer.dev.t09.de"
-      readToken:
-        existingSecretName: sizer-tokens
+      sidecarImage: edp.buildth.ing/devfw-cicd/ci-sizer-collector:0.0.4
 
 garm:
+  metrics:
+    enable: true
+    disableAuth: true
   logging:
-    logLevel: debug
+    logLevel: info

otc/dev.t09.de/stacks/observability-client/vector/values.yaml

@@ -48,7 +48,7 @@ customConfig:
       type: elasticsearch
       inputs: [parser]
       endpoints: 
-        - https://o12y.observability./insert/elasticsearch/
+        - https://o12y.observability.buildth.ing/insert/elasticsearch/
       auth:
         strategy: basic
         user: ${VECTOR_USER}

otc/dev.t09.de/stacks/observability-client/vm-client-stack/manifests/argocd-scrape.yaml

@@ -0,0 +1,14 @@
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMServiceScrape
+metadata:
+  name: argocd
+  namespace: observability
+spec:
+  namespaceSelector:
+    matchNames:
+      - argocd
+  selector:
+    matchLabels:
+      app.kubernetes.io/part-of: argocd
+  endpoints:
+    - port: http-metrics

otc/dev.t09.de/stacks/observability-client/vm-client-stack/manifests/forgejo-scrape.yaml

@@ -0,0 +1,15 @@
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMServiceScrape
+metadata:
+  name: forgejo
+  namespace: observability
+spec:
+  namespaceSelector:
+    matchNames:
+      - gitea
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: forgejo
+  endpoints:
+    - port: http
+      path: /metrics

otc/dev.t09.de/stacks/observability-client/vm-client-stack/manifests/garm-scrape.yaml

@@ -0,0 +1,15 @@
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMServiceScrape
+metadata:
+  name: garm
+  namespace: observability
+spec:
+  namespaceSelector:
+    matchNames:
+      - garm
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: garm
+  endpoints:
+    - port: http
+      path: /metrics

otc/dev.t09.de/stacks/observability-client/vm-client-stack/values.yaml

@@ -778,7 +778,7 @@ vmagent:
   # -- Remote write configuration of VMAgent, allowed parameters defined in a [spec](https://docs.victoriametrics.com/operator/api#vmagentremotewritespec)
   additionalRemoteWrites:
     # []
-    - url: https://o12y.observability./api/v1/write
+    - url: https://o12y.observability.buildth.ing/api/v1/write
       basicAuth:
         username:
           name: simple-user-secret

otc/dev.t09.de/stacks/observability/grafana-operator/manifests/grafana.yaml

@@ -35,8 +35,10 @@ spec:
     server:
       root_url: "https://grafana.dev.t09.de"
     auth:
-      disable_login: "true"
       disable_login_form: "true"
+    security:
+      admin_user: admin
+      admin_password: admin
     auth.generic_oauth:
       enabled: "true"
       name: Forgejo

otc/dev.t09.de/stacks/observability/victoria-k8s-stack.yaml

@@ -9,10 +9,13 @@ spec:
   project: default
   syncPolicy:
     automated:
+      prune: true
       selfHeal: true
     syncOptions:
       - CreateNamespace=true
       - ServerSideApply=true
+      - RespectIgnoreDifferences=true
+      - SkipDryRunOnMissingResource=true
   destination:
     name: in-cluster
     namespace: observability

otc/dev.t09.de/stacks/observability/victoria-k8s-stack/manifests/argocd-scrape.yaml

@@ -0,0 +1,14 @@
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMServiceScrape
+metadata:
+  name: argocd
+  namespace: observability
+spec:
+  namespaceSelector:
+    matchNames:
+      - argocd
+  selector:
+    matchLabels:
+      app.kubernetes.io/part-of: argocd
+  endpoints:
+    - port: http-metrics

otc/dev.t09.de/stacks/observability/victoria-k8s-stack/manifests/backup-alerts.yaml

@@ -0,0 +1,78 @@
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMRule
+metadata:
+  name: backup-alerts
+  namespace: observability
+spec:
+  groups:
+    - name: backup-schedule-staleness
+      rules:
+        - alert: BackupCronJobNotScheduled
+          expr: |
+            time() - kube_cronjob_status_last_schedule_time{cronjob=~"forgejo-s3-backup|secrets-backup", namespace="gitea"}
+            > 26 * 3600
+          for: 5m
+          labels:
+            severity: critical
+            cronjob: "{{ $labels.cronjob }}"
+          annotations:
+            value: "{{ $value | humanizeDuration }}"
+            description: >-
+              CronJob {{ $labels.namespace }}/{{ $labels.cronjob }} has not been
+              scheduled for over 26 hours in cluster {{ $labels.cluster_environment }}.
+              Last schedule was {{ $value | humanizeDuration }} ago.
+            summary: "Backup CronJob {{ $labels.cronjob }} is stale"
+
+        - alert: BackupCronJobNeverScheduled
+          expr: |
+            kube_cronjob_status_last_schedule_time{cronjob=~"forgejo-s3-backup|secrets-backup", namespace="gitea"}
+            == 0
+          for: 30m
+          labels:
+            severity: critical
+            cronjob: "{{ $labels.cronjob }}"
+          annotations:
+            description: >-
+              CronJob {{ $labels.namespace }}/{{ $labels.cronjob }} has never been
+              scheduled in cluster {{ $labels.cluster_environment }}.
+            summary: "Backup CronJob {{ $labels.cronjob }} never ran"
+
+    - name: backup-job-failures
+      rules:
+        - alert: BackupJobFailed
+          expr: |
+            max by(cluster_environment, namespace, job_name) (
+              kube_job_status_failed{job_name=~"forgejo-s3-backup-.*|secrets-backup-.*", namespace="gitea"}
+            ) > 0
+          for: 30s
+          labels:
+            severity: critical
+            job_name: "{{ $labels.job_name }}"
+          annotations:
+            value: "{{ $value }}"
+            description: >-
+              Backup job {{ $labels.namespace }}/{{ $labels.job_name }} has
+              {{ $value }} failed pod(s) in cluster {{ $labels.cluster_environment }}.
+            summary: "Backup job {{ $labels.job_name }} failed"
+
+    - name: backup-job-duration
+      rules:
+        - alert: BackupJobTooSlow
+          expr: |
+            (
+              time() - kube_job_status_start_time{job_name=~"forgejo-s3-backup-.*|secrets-backup-.*", namespace="gitea"}
+            ) > 300
+            and
+            kube_job_status_active{job_name=~"forgejo-s3-backup-.*|secrets-backup-.*", namespace="gitea"} > 0
+          for: 1m
+          labels:
+            severity: major
+            job_name: "{{ $labels.job_name }}"
+          annotations:
+            value: "{{ $value | humanizeDuration }}"
+            description: >-
+              Backup job {{ $labels.namespace }}/{{ $labels.job_name }} has been
+              running for {{ $value | humanizeDuration }} (threshold: 5m)
+              in cluster {{ $labels.cluster_environment }}. This may indicate a
+              hung process or connectivity issue.
+            summary: "Backup job {{ $labels.job_name }} running too long"

otc/dev.t09.de/stacks/observability/victoria-k8s-stack/manifests/coredns-scrape.yaml

@@ -0,0 +1,14 @@
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMServiceScrape
+metadata:
+  name: coredns
+  namespace: observability
+spec:
+  namespaceSelector:
+    matchNames:
+      - kube-system
+  selector:
+    matchLabels:
+      k8s-app: kube-dns
+  endpoints:
+    - port: metrics

otc/dev.t09.de/stacks/observability/victoria-k8s-stack/manifests/forgejo-scrape.yaml

@@ -0,0 +1,15 @@
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMServiceScrape
+metadata:
+  name: forgejo
+  namespace: observability
+spec:
+  namespaceSelector:
+    matchNames:
+      - gitea
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: forgejo
+  endpoints:
+    - port: http
+      path: /metrics

otc/dev.t09.de/stacks/observability/victoria-k8s-stack/manifests/garm-scrape.yaml

@@ -0,0 +1,14 @@
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMServiceScrape
+metadata:
+  name: garm
+  namespace: observability
+spec:
+  namespaceSelector:
+    matchNames:
+      - garm
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: garm
+  endpoints:
+    - port: http

otc/dev.t09.de/stacks/observability/victoria-k8s-stack/manifests/vmauth.yaml

@@ -12,6 +12,12 @@ spec:
     - static:
         url: http://vmsingle-o12y:8429
       paths: ["/api/v1/write"]
+    - static:
+        url: http://vmsingle-o12y:8429
+      paths: ["/api/v1/.*"]
     - static:
         url: http://vlogs-victorialogs:9428
       paths: ["/insert/elasticsearch/.*"]
+    - static:
+        url: http://vlogs-victorialogs:9428
+      paths: ["/select/.*"]

otc/dev.t09.de/stacks/observability/victoria-k8s-stack/values.yaml

@@ -28,10 +28,7 @@ victoria-metrics-operator:
   crds:
     plain: true
     cleanup:
-      enabled: true
-      image:
-        repository: bitnami/kubectl
-        pullPolicy: IfNotPresent
+      enabled: false  # disabled: cleanup hook can't schedule on resource-constrained nodes (Insufficient cpu / Too many pods)
   serviceMonitor:
     enabled: true
   operator:
@@ -676,7 +673,7 @@ vmalert:
 
 vmauth:
   # -- Enable VMAuth CR
-  enabled: true
+  enabled: false
   # -- VMAuth annotations
   annotations: {}
   # -- (object) Full spec for VMAuth CRD. Allowed values described [here](https://docs.victoriametrics.com/operator/api#vmauthspec)
@@ -699,7 +696,7 @@ vmauth:
 
 vmagent:
   # -- Create VMAgent CR
-  enabled: false
+  enabled: true
   # -- VMAgent annotations
   annotations: {}
   # -- Remote write configuration of VMAgent, allowed parameters defined in a [spec](https://docs.victoriametrics.com/operator/api#vmagentremotewritespec)
@@ -711,7 +708,8 @@ vmagent:
     port: "8429"
     selectAllByDefault: true
     scrapeInterval: 20s
-    externalLabels: {}
+    externalLabels:
+      cluster_environment: "dev"
       # For multi-cluster setups it is useful to use "cluster" label to identify the metrics source.
       # For example:
       # cluster: cluster-name

otc/edp.buildth.ing/stacks/core/argocd/values.yaml

@@ -35,6 +35,30 @@ configs:
   tls:
     certificates:
 
+controller:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: false
+
+server:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: false
+
+repoServer:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: false
+
+applicationSet:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: false
+
 notifications:
   enabled: false