From adf7f23685c110266c8a6a3170d1b5141a7904a8 Mon Sep 17 00:00:00 2001 From: Daniel Sy Date: Fri, 15 May 2026 16:22:20 +0200 Subject: [PATCH 1/2] =?UTF-8?q?fix(sizer):=20=F0=9F=90=9B=20make=20GARM=20?= =?UTF-8?q?env=20vars=20conditional=20in=20receiver=20deployment?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Clusters without GARM lack the garm-fixed-credentials secret, causing pod crash loops. The receiver already handles empty GARM_URL gracefully. Ref: IPCEICIS-6886 --- template/stacks/ci-sizer/sizer-receiver/deployment.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/template/stacks/ci-sizer/sizer-receiver/deployment.yaml b/template/stacks/ci-sizer/sizer-receiver/deployment.yaml index 26174c9..3f38b2d 100644 --- a/template/stacks/ci-sizer/sizer-receiver/deployment.yaml +++ b/template/stacks/ci-sizer/sizer-receiver/deployment.yaml @@ -39,15 +39,17 @@ spec: secretKeyRef: name: sizer-tokens key: hmac-key +{{{ if .Env.GARM_URL }}} - name: GARM_URL - value: "http://garm.garm.svc.cluster.local:80" + value: "{{{ .Env.GARM_URL }}}" - name: GARM_USER - value: "admin" + value: "{{{ .Env.GARM_USER }}}" - name: GARM_PASSWORD valueFrom: secretKeyRef: name: garm-fixed-credentials key: admin_password +{{{ end }}} - name: RECEIVER_OIDC_ISSUER value: "https://dex.{{{ .Env.DOMAIN }}}" - name: RECEIVER_OIDC_CLIENT_ID From fe51e8588cd0bed19db553f381d5e523d333b1cf Mon Sep 17 00:00:00 2001 
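Review bot: The guard also drops the former in-cluster default `value: "http://garm.garm.svc.cluster.local:80"`, so a cluster that does run GARM but does not export `GARM_URL` into the template environment silently loses the integration; the commit message frames the change purely as a fix for clusters without GARM, so this behaviour change for existing clusters should be stated there or the old default restored as a fallback. `GARM_USER` likewise moves from the fixed `admin` to `{{{ .Env.GARM_USER }}}` with no fallback, so `GARM_URL` set without `GARM_USER` renders `value: ""`, which the receiver will presumably reject only at first GARM call rather than at startup — confirm. A comment above the guard would make the contract explicit: `# GARM block is rendered only when GARM_URL is exported; clusters without GARM have no garm-fixed-credentials secret.` The enclosing container spec starts and ends outside the hunk.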
From: Daniel Sy Date: Fri, 15 May 2026 16:22:35 +0200 Subject: [PATCH 2/2] =?UTF-8?q?feat(ci-sizer):=20=E2=9C=A8=20add=20gitlab-?= =?UTF-8?q?webhook=20ArgoCD=20app=20to=20stacks=20template?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds the mutating webhook deployment as a managed ArgoCD application alongside the existing sizer-receiver. Includes deployment, service, RBAC, cert-manager certificates, and webhook configuration. Ref: IPCEICIS-6886 --- template/stacks/ci-sizer/gitlab-webhook.yaml | 25 ++++ .../ci-sizer/gitlab-webhook/certificates.yaml | 27 ++++ .../ci-sizer/gitlab-webhook/deployment.yaml | 141 ++++++++++++++++++ .../gitlab-webhook/webhook-config.yaml | 30 ++++ 4 files changed, 223 insertions(+) create mode 100644 template/stacks/ci-sizer/gitlab-webhook.yaml create mode 100644 template/stacks/ci-sizer/gitlab-webhook/certificates.yaml create mode 100644 template/stacks/ci-sizer/gitlab-webhook/deployment.yaml create mode 100644 template/stacks/ci-sizer/gitlab-webhook/webhook-config.yaml diff --git a/template/stacks/ci-sizer/gitlab-webhook.yaml b/template/stacks/ci-sizer/gitlab-webhook.yaml new file mode 100644 index 0000000..c0b1bce --- /dev/null +++ b/template/stacks/ci-sizer/gitlab-webhook.yaml @@ -0,0 +1,25 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: gitlab-sizer-webhook + namespace: argocd + labels: + env: dev + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + syncPolicy: + automated: + selfHeal: true + syncOptions: + - CreateNamespace=true + retry: + limit: -1 + destination: + name: in-cluster + namespace: ci-sizer + source: + repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}} + targetRevision: HEAD + path: "{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/ci-sizer/gitlab-webhook" 
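Review bot: The Application uses `project: default` although the path it syncs creates cluster-scoped objects (a ClusterRole, ClusterRoleBinding and MutatingWebhookConfiguration in the sibling files); the `default` AppProject normally permits every kind in every namespace, so a dedicated AppProject with a clusterResourceWhitelist restricted to those kinds and a destination limited to `ci-sizer` would bound what a compromised source repo can sync. This may mirror how the existing sizer-receiver Application is declared, which is outside the patch, in which case both could move to the same project. `retry: limit: -1` combined with `targetRevision: HEAD` also retries a broken push indefinitely against an unpinned revision; if that is deliberate for the `env: dev` label the manifest carries, a one-line comment on the retry block saying so would save the next reader the question.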
diff --git a/template/stacks/ci-sizer/gitlab-webhook/certificates.yaml b/template/stacks/ci-sizer/gitlab-webhook/certificates.yaml new file mode 100644 index 0000000..ee1fece --- /dev/null +++ b/template/stacks/ci-sizer/gitlab-webhook/certificates.yaml @@ -0,0 +1,27 @@ +# Self-signed Issuer for webhook TLS. +# For production, replace with a ClusterIssuer backed by a real CA. +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: selfsigned-issuer +spec: + selfSigned: {} +--- +# cert-manager Certificate for the webhook TLS. +# The resulting Secret (gitlab-sizer-webhook-tls) is mounted into the webhook pod. +# cert-manager also injects the CA into the MutatingWebhookConfiguration via the +# cert-manager.io/inject-ca-from annotation. +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: gitlab-sizer-webhook-cert +spec: + secretName: gitlab-sizer-webhook-tls + issuerRef: + name: selfsigned-issuer + kind: Issuer + dnsNames: + - gitlab-sizer-webhook.ci-sizer.svc + - gitlab-sizer-webhook.ci-sizer.svc.cluster.local + duration: 8760h + renewBefore: 720h diff --git a/template/stacks/ci-sizer/gitlab-webhook/deployment.yaml b/template/stacks/ci-sizer/gitlab-webhook/deployment.yaml new file mode 100644 index 0000000..0b99859 --- /dev/null +++ b/template/stacks/ci-sizer/gitlab-webhook/deployment.yaml 
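Review bot: The Certificate sets no `privateKey.rotationPolicy`, so cert-manager keeps its default of reusing the existing private key at every renewal; for a serving certificate that only the API server ever verifies, adding `privateKey:` / `  rotationPolicy: Always` under `spec` is free and limits the useful life of a leaked key to a single certificate period. Neither the Issuer nor the Certificate carries a `namespace`, so both land in `ci-sizer` only via the Application's destination, and the `cert-manager.io/inject-ca-from: ci-sizer/gitlab-sizer-webhook-cert` annotation in webhook-config.yaml depends on exactly that; a comment on the Certificate noting `# namespace comes from the ArgoCD Application destination (ci-sizer); inject-ca-from in webhook-config.yaml references it by that name` would tie the two files together for whoever later moves the namespace.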
@@ -0,0 +1,141 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gitlab-sizer-webhook +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gitlab-sizer-webhook +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gitlab-sizer-webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gitlab-sizer-webhook +subjects: + - kind: ServiceAccount + name: gitlab-sizer-webhook + namespace: ci-sizer +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gitlab-sizer-webhook + labels: + app: gitlab-sizer-webhook +spec: + replicas: 2 + selector: + matchLabels: + app: gitlab-sizer-webhook + template: + metadata: + labels: + app: gitlab-sizer-webhook + spec: + serviceAccountName: gitlab-sizer-webhook + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + seccompProfile: + type: RuntimeDefault + containers: + - name: webhook + image: edp.buildth.ing/devfw-cicd/gitlab-webhook-edge-connect:latest + imagePullPolicy: Always + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + ports: + - containerPort: 8443 + protocol: TCP + args: + - --listen-addr=:8443 + - --tls-cert-file=/etc/webhook/tls/tls.crt + - --tls-key-file=/etc/webhook/tls/tls.key + - --sizer-url=http://sizer-receiver.ci-sizer.svc:8080 + - --sizer-sidecar-image=edp.buildth.ing/devfw-cicd/ci-sizer-collector:latest + env: + - name: WEBHOOK_SIZER_READ_TOKEN + valueFrom: + secretKeyRef: + name: gitlab-sizer-webhook-tokens + key: sizer-read-token + - name: WEBHOOK_SIZER_PUSH_TOKEN + valueFrom: + secretKeyRef: + name: gitlab-sizer-webhook-tokens + key: sizer-push-token + - name: HTTP_PROXY + valueFrom: + configMapKeyRef: + name: gitlab-sizer-webhook-config + key: HTTP_PROXY + optional: true + - name: HTTPS_PROXY + valueFrom: + configMapKeyRef: + 
name: gitlab-sizer-webhook-config + key: HTTPS_PROXY + optional: true + - name: NO_PROXY + valueFrom: + configMapKeyRef: + name: gitlab-sizer-webhook-config + key: NO_PROXY + optional: true + volumeMounts: + - name: webhook-tls + mountPath: /etc/webhook/tls + readOnly: true + livenessProbe: + httpGet: + path: /healthz + port: 8443 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /healthz + port: 8443 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 200m + memory: 128Mi + volumes: + - name: webhook-tls + secret: + secretName: gitlab-sizer-webhook-tls +--- +apiVersion: v1 +kind: Service +metadata: + name: gitlab-sizer-webhook + labels: + app: gitlab-sizer-webhook +spec: + selector: + app: gitlab-sizer-webhook + ports: + - port: 443 + targetPort: 8443 + protocol: TCP diff --git a/template/stacks/ci-sizer/gitlab-webhook/webhook-config.yaml b/template/stacks/ci-sizer/gitlab-webhook/webhook-config.yaml new file mode 100644 index 0000000..72aea4a --- /dev/null +++ b/template/stacks/ci-sizer/gitlab-webhook/webhook-config.yaml @@ -0,0 +1,30 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: gitlab-sizer-webhook + annotations: + cert-manager.io/inject-ca-from: ci-sizer/gitlab-sizer-webhook-cert +webhooks: + - name: gitlab-sizer-webhook.ci-sizer.svc + admissionReviewVersions: ["v1"] + sideEffects: NoneOnDryRun + failurePolicy: Ignore + timeoutSeconds: 5 + reinvocationPolicy: Never + clientConfig: + service: + name: gitlab-sizer-webhook + namespace: ci-sizer + path: /mutate + rules: + - apiGroups: [""] + apiVersions: ["v1"] + operations: ["CREATE"] + resources: ["pods"] + namespaceSelector: + matchLabels: + ci-sizer.devfw.io/watch: "true" + objectSelector: + matchExpressions: + - key: job.runner.gitlab.com/pod + operator: Exists
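Review bot: Both the container `image` and the `--sizer-sidecar-image` argument reference a `:latest` tag with `imagePullPolicy: Always`, and the sidecar tag is what the webhook injects into every matched runner pod, so an unpinned tag is an unpinned mutation path into CI workloads. Pin both by digest, e.g. `image: edp.buildth.ing/devfw-cicd/gitlab-webhook-edge-connect@sha256:<digest>` and `- --sizer-sidecar-image=edp.buildth.ing/devfw-cicd/ci-sizer-collector@sha256:<digest>` (digests to be filled in by the release pipeline). The two non-optional `secretKeyRef` entries on `gitlab-sizer-webhook-tokens` are not created by this patch; unless that Secret is provisioned elsewhere, the pods will fail to start in the same way patch 1 describes for the GARM secret — confirm, and if it is external, a comment naming who creates it would help. The ServiceAccount, RBAC, Deployment and Service objects are all complete within the hunk.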
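Review bot: `failurePolicy: Ignore` with `timeoutSeconds: 5` means that whenever the webhook is down, slow, or still rolling out, matching runner pods are admitted without the sidecar and nothing in the cluster records the gap, so metering loss is invisible unless webhook availability is monitored separately. That is a defensible availability trade-off for a CI cluster, but it should be stated on the line: `failurePolicy: Ignore  # outage = runner pods start unmetered rather than blocked; alert on webhook availability`. `sideEffects: NoneOnDryRun` is also a promise the webhook binary must honour (no receiver call or token use when the review has `dryRun: true`); the image is outside this repository, so that is worth confirming before the configuration claims it.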