


02308cf633
chore: bump garm image to v0.1.7-forgejo-23 (OOM detection) 2026-05-19 16:14:31 +02:00
Martin McCaffery
aaf9e6eade
bump garm-helm to v0.0.16 (RBAC fix)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-19 09:51:38 +02:00
Martin McCaffery
d857f155a8
feat(dex): add ci-sizer OIDC static client to template 2026-05-18 17:18:44 +02:00
Martin McCaffery
707a7b933a
feat(registry): add ci-sizer registry template 2026-05-18 16:27:56 +02:00
a8ce4c5c38
fix(sizer): 🐛 use internal K8s service URL for GARM connection
Switch GARM conditional from explicit GARM_URL env var to DOMAIN_GITEA
presence check. When Forgejo is deployed, GARM is always available at
its cluster-internal service (http://garm.garm.svc:80). Hardcode admin
user since GARM always uses that. GitLab-only deploys skip the block.

Ref: IPCEICIS-6886
2026-05-18 10:22:26 +02:00
32665ff620
fix(ci-sizer): 🐛 use safe map access for optional GARM_URL env var
`index .Env "GARM_URL"` returns empty string for missing keys instead
of panicking with "map has no entry for key".

Ref: IPCEICIS-6886
2026-05-18 10:15:58 +02:00
2a12a568ce
docs(stacks): 📝 add clarifying comments to stack templates
Document which components are required vs opt-in for deployment modes.

Ref: IPCEICIS-6886
2026-05-15 16:35:02 +02:00
d161b8ea4d
docs(ci-sizer): 📝 add opt-in comment to gitlab webhook app
Clarifies that the GitLab webhook ArgoCD app is optional and should
only be hydrated for clusters running GitLab Runner.

Ref: IPCEICIS-6886
2026-05-15 16:33:52 +02:00
fe51e8588c
feat(ci-sizer): add gitlab-webhook ArgoCD app to stacks template
Adds the mutating webhook deployment as a managed ArgoCD application
alongside the existing sizer-receiver. Includes deployment, service,
RBAC, cert-manager certificates, and webhook configuration.

Ref: IPCEICIS-6886
2026-05-15 16:30:42 +02:00
adf7f23685
fix(sizer): 🐛 make GARM env vars conditional in receiver deployment
Clusters without GARM lack the garm-fixed-credentials secret, causing
pod crash loops. The receiver already handles empty GARM_URL gracefully.

Ref: IPCEICIS-6886
2026-05-15 16:30:42 +02:00
Daniel.Sy
1f4489bd70 fix(ci-sizer): use getenv with default for SIZER_ALLOWED_ORG
Prevents gomplate crash when SIZER_ALLOWED_ORG is not set in environment.
Falls back to DevFW-CICD as default org.
2026-05-13 10:18:43 +00:00
5eaf4a761a
fix: increased s3 backup disk size 2026-05-07 17:48:17 +02:00
a957ca14b7 Merge pull request 'Update template/stacks/forgejo/forgejo-server/manifests/forgejo-ingress.yaml' (#36) from proxy-body-size into main
Reviewed-on: https://edp.buildth.ing/DevFW-CICD/stacks/pulls/36
2026-05-05 12:04:23 +00:00
11 changed files with 276 additions and 5 deletions


@ -0,0 +1,24 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: ci-sizer-reg
namespace: argocd
labels:
env: dev
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
name: in-cluster
namespace: argocd
source:
path: "{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/ci-sizer"
repoURL: "https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}"
targetRevision: HEAD
project: default
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
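Review bot: `project: default` combined with `prune: true`, `selfHeal: true` and `targetRevision: HEAD` means anyone who can push to `stacks/ci-sizer` in the client repo gets unrestricted, automatically applied control over the `argocd` destination namespace, because the default AppProject allows any destination and any resource kind. Pin the revision to a branch or tag and bind the app to a dedicated AppProject whose `destinations` and `clusterResourceWhitelist` cover only what ci-sizer needs, e.g. `project: ci-sizer` and `targetRevision: main`. The destination namespace `argocd` suggests this is an app-of-apps; if so, the child Applications it creates should carry the same project restriction, since a restricted parent does not constrain children that declare `project: default`.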


@ -0,0 +1,29 @@
# Optional: GitLab CI integration
# Only hydrate this app for clusters that run GitLab Runner.
# For Forgejo/GitHub-only deployments, omit this app from stacks-instances.
# See: ci-sizer/docs/deployment-modes.md
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: gitlab-sizer-webhook
namespace: argocd
labels:
env: dev
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
syncPolicy:
automated:
selfHeal: true
syncOptions:
- CreateNamespace=true
retry:
limit: -1
destination:
name: in-cluster
namespace: ci-sizer
source:
repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}
targetRevision: HEAD
path: "{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/ci-sizer/gitlab-webhook"
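Review bot: `syncPolicy.automated` enables `selfHeal` but not `prune`, unlike the `ci-sizer-reg` app in this same commit, so a resource removed or renamed under `stacks/ci-sizer/gitlab-webhook` stays on the cluster; for the cluster-scoped MutatingWebhookConfiguration that means it keeps intercepting pod creates in opted-in namespaces until someone deletes it by hand. If that is deliberate, say so in the header comment; otherwise add `prune: true` under `automated`. `retry: limit: -1` also retries a failing sync forever, which hides a permanently broken sync behind a Progressing status; a finite limit with backoff surfaces it instead.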


@ -0,0 +1,27 @@
# Self-signed Issuer for webhook TLS.
# For production, replace with a ClusterIssuer backed by a real CA.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: selfsigned-issuer
spec:
selfSigned: {}
---
# cert-manager Certificate for the webhook TLS.
# The resulting Secret (gitlab-sizer-webhook-tls) is mounted into the webhook pod.
# cert-manager also injects the CA into the MutatingWebhookConfiguration via the
# cert-manager.io/inject-ca-from annotation.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: gitlab-sizer-webhook-cert
spec:
secretName: gitlab-sizer-webhook-tls
issuerRef:
name: selfsigned-issuer
kind: Issuer
dnsNames:
- gitlab-sizer-webhook.ci-sizer.svc
- gitlab-sizer-webhook.ci-sizer.svc.cluster.local
duration: 8760h
renewBefore: 720h
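Review bot: The header comment recommends the wrong fix: the API server trusts this webhook only through the caBundle that cert-manager injects from the Certificate's secret (the `inject-ca-from` annotation in the webhook configuration), so a ClusterIssuer backed by a public CA buys nothing here. The real weakness is that `selfSigned: {}` issues the serving certificate directly, so every renewal produces a new self-signed cert that is also the new trust anchor, and the cainjector must update the MutatingWebhookConfiguration before the pod starts serving the new key; with `failurePolicy: Ignore` any mismatch during that window is a silent period of un-injected pods. Issue the serving cert from a self-signed CA instead so leaf rotation leaves the injected CA unchanged; the existing `inject-ca-from` pointing at the serving Certificate can stay, since cert-manager then populates that secret's `ca.crt` with the CA. Replace the first comment with `# Self-signed root CA for the webhook; the API server trusts it via cert-manager's inject-ca-from, so no external CA is required.`
```yaml
# … unchanged: selfsigned-issuer …
---
# Self-signed root CA; its cert is the trust anchor injected into the
# MutatingWebhookConfiguration, so renewing the serving cert does not change it.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: gitlab-sizer-webhook-ca
spec:
  isCA: true
  commonName: gitlab-sizer-webhook-ca
  secretName: gitlab-sizer-webhook-ca
  issuerRef:
    name: selfsigned-issuer
    kind: Issuer
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: gitlab-sizer-webhook-ca-issuer
spec:
  ca:
    secretName: gitlab-sizer-webhook-ca
---
# … unchanged: serving Certificate gitlab-sizer-webhook-cert, except issuerRef …
  issuerRef:
    name: gitlab-sizer-webhook-ca-issuer
    kind: Issuer
```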


@ -0,0 +1,141 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: gitlab-sizer-webhook
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: gitlab-sizer-webhook
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: gitlab-sizer-webhook
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: gitlab-sizer-webhook
subjects:
- kind: ServiceAccount
name: gitlab-sizer-webhook
namespace: ci-sizer
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gitlab-sizer-webhook
labels:
app: gitlab-sizer-webhook
spec:
replicas: 2
selector:
matchLabels:
app: gitlab-sizer-webhook
template:
metadata:
labels:
app: gitlab-sizer-webhook
spec:
serviceAccountName: gitlab-sizer-webhook
securityContext:
runAsNonRoot: true
runAsUser: 65534
runAsGroup: 65534
seccompProfile:
type: RuntimeDefault
containers:
- name: webhook
image: edp.buildth.ing/devfw-cicd/gitlab-webhook-edge-connect:latest
imagePullPolicy: Always
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
ports:
- containerPort: 8443
protocol: TCP
args:
- --listen-addr=:8443
- --tls-cert-file=/etc/webhook/tls/tls.crt
- --tls-key-file=/etc/webhook/tls/tls.key
- --sizer-url=http://sizer-receiver.ci-sizer.svc:8080
- --sizer-sidecar-image=edp.buildth.ing/devfw-cicd/ci-sizer-collector:latest
env:
- name: WEBHOOK_SIZER_READ_TOKEN
valueFrom:
secretKeyRef:
name: gitlab-sizer-webhook-tokens
key: sizer-read-token
- name: WEBHOOK_SIZER_PUSH_TOKEN
valueFrom:
secretKeyRef:
name: gitlab-sizer-webhook-tokens
key: sizer-push-token
- name: HTTP_PROXY
valueFrom:
configMapKeyRef:
name: gitlab-sizer-webhook-config
key: HTTP_PROXY
optional: true
- name: HTTPS_PROXY
valueFrom:
configMapKeyRef:
name: gitlab-sizer-webhook-config
key: HTTPS_PROXY
optional: true
- name: NO_PROXY
valueFrom:
configMapKeyRef:
name: gitlab-sizer-webhook-config
key: NO_PROXY
optional: true
volumeMounts:
- name: webhook-tls
mountPath: /etc/webhook/tls
readOnly: true
livenessProbe:
httpGet:
path: /healthz
port: 8443
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
readinessProbe:
httpGet:
path: /healthz
port: 8443
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 200m
memory: 128Mi
volumes:
- name: webhook-tls
secret:
secretName: gitlab-sizer-webhook-tls
---
apiVersion: v1
kind: Service
metadata:
name: gitlab-sizer-webhook
labels:
app: gitlab-sizer-webhook
spec:
selector:
app: gitlab-sizer-webhook
ports:
- port: 443
targetPort: 8443
protocol: TCP
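Review bot: Both images are referenced by a mutable `:latest` tag with `imagePullPolicy: Always` — the webhook image on the container and the `--sizer-sidecar-image` argument — so whatever is pushed next to those registry paths becomes the admission webhook on the next restart and the sidecar injected into every runner job pod in opted-in namespaces, with no change to this repository to review. Pin both by digest, `image: edp.buildth.ing/devfw-cicd/gitlab-webhook-edge-connect@sha256:<digest>` and the same form for `--sizer-sidecar-image`, and bump the digests through this template so the supply chain stays reviewable. Separately, the ClusterRole grants `pods` get/list/watch across the whole cluster while the webhook configuration only targets namespaces labeled `ci-sizer.devfw.io/watch`; if the binary only needs pods in those namespaces (cannot tell from here), a Role plus RoleBinding per watched namespace would narrow that. The deployment's hardening (non-root, read-only root FS, no capabilities, RuntimeDefault seccomp) is otherwise in good shape.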


@ -0,0 +1,30 @@
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: gitlab-sizer-webhook
annotations:
cert-manager.io/inject-ca-from: ci-sizer/gitlab-sizer-webhook-cert
webhooks:
- name: gitlab-sizer-webhook.ci-sizer.svc
admissionReviewVersions: ["v1"]
sideEffects: NoneOnDryRun
failurePolicy: Ignore
timeoutSeconds: 5
reinvocationPolicy: Never
clientConfig:
service:
name: gitlab-sizer-webhook
namespace: ci-sizer
path: /mutate
rules:
- apiGroups: [""]
apiVersions: ["v1"]
operations: ["CREATE"]
resources: ["pods"]
namespaceSelector:
matchLabels:
ci-sizer.devfw.io/watch: "true"
objectSelector:
matchExpressions:
- key: job.runner.gitlab.com/pod
operator: Exists
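Review bot: `failurePolicy: Ignore` is the right choice for an optional sidecar, but its consequence — runner pods are admitted without the collector whenever the webhook is unreachable or exceeds `timeoutSeconds: 5`, and nothing in this configuration records that — is not stated anywhere; add above it `# Ignore: sizing is best-effort. If the webhook is down or slow (>5s) the job pod runs unsized; alert on the apiserver's apiserver_admission_webhook_fail_open_count for this webhook.` The namespaceSelector also deserves a note: any principal allowed to label a namespace `ci-sizer.devfw.io/watch=true` opts that namespace's GitLab runner pods into sidecar injection, so the label should be treated as a privileged setting and guarded by whatever policy engine governs namespace labels here.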


@ -1,3 +1,7 @@
# Required: CI Sizer receiver
# Always deploy this — it stores metrics and computes sizing recommendations.
# Works standalone or with GARM (Forgejo/GitHub) and/or GitLab webhook.
# See: ci-sizer/docs/deployment-modes.md
apiVersion: argoproj.io/v1alpha1 apiVersion: argoproj.io/v1alpha1
kind: Application kind: Application
metadata: metadata:


@ -39,8 +39,9 @@ spec:
secretKeyRef: secretKeyRef:
name: sizer-tokens name: sizer-tokens
key: hmac-key key: hmac-key
{{{- if index .Env "DOMAIN_GITEA" }}}
- name: GARM_URL - name: GARM_URL
value: "http://garm.garm.svc.cluster.local:80" value: "http://garm.garm.svc:80"
- name: GARM_USER - name: GARM_USER
value: "admin" value: "admin"
- name: GARM_PASSWORD - name: GARM_PASSWORD
@ -48,6 +49,7 @@ spec:
secretKeyRef: secretKeyRef:
name: garm-fixed-credentials name: garm-fixed-credentials
key: admin_password key: admin_password
{{{- end }}}
- name: RECEIVER_OIDC_ISSUER - name: RECEIVER_OIDC_ISSUER
value: "https://dex.{{{ .Env.DOMAIN }}}" value: "https://dex.{{{ .Env.DOMAIN }}}"
- name: RECEIVER_OIDC_CLIENT_ID - name: RECEIVER_OIDC_CLIENT_ID
@ -62,7 +64,7 @@ spec:
- name: RECEIVER_SESSION_TTL - name: RECEIVER_SESSION_TTL
value: "12h" value: "12h"
- name: RECEIVER_ALLOWED_ORG - name: RECEIVER_ALLOWED_ORG
value: "{{{ .Env.SIZER_ALLOWED_ORG }}}" value: "{{{ getenv "SIZER_ALLOWED_ORG" "DevFW-CICD" }}}"
- name: RECEIVER_CPU_SIZING_MODE - name: RECEIVER_CPU_SIZING_MODE
value: "observe" value: "observe"
- name: RECEIVER_MEMORY_QOS - name: RECEIVER_MEMORY_QOS
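Review bot: `getenv "SIZER_ALLOWED_ORG" "DevFW-CICD"` turns a missing environment variable into a silent authorization decision: a tenant deployment that forgot to set it restricts sizer UI access to the vendor's org name instead of failing to render, and because the receiver authenticates against the deployment's own Dex (`RECEIVER_OIDC_ISSUER`), an unnoticed default can either lock everyone out or admit the wrong group depending on which org claims that Dex emits. Prefer failing hydration explicitly, e.g. `value: "{{{ getenv "SIZER_ALLOWED_ORG" | required "SIZER_ALLOWED_ORG must be set" }}}"` if the gomplate version in use provides `required`, or at least mark the fallback with `# Falls back to DevFW-CICD when unset — override per tenant.` In the same hunk the GARM block is now gated on `DOMAIN_GITEA` rather than on the presence of the `garm-fixed-credentials` secret; the garm app template in this commit calls the GARM stack a default rather than mandatory, so a Forgejo deployment that omits it would hit the missing-secret container error that adf7f23685 set out to avoid — worth confirming that Forgejo implies GARM, or adding `optional: true` on that `secretKeyRef`.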


@ -34,6 +34,11 @@ envVars:
secretKeyRef: secretKeyRef:
name: dex-argo-client name: dex-argo-client
key: clientSecret key: clientSecret
- name: FORGEJO_RUNNER_SIZER_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: dex-sizer-client
key: clientSecret
- name: LOG_LEVEL - name: LOG_LEVEL
value: debug value: debug
@ -74,3 +79,8 @@ config:
- "https://{{{ .Env.DOMAIN_GRAFANA }}}/login/generic_oauth" - "https://{{{ .Env.DOMAIN_GRAFANA }}}/login/generic_oauth"
name: "Grafana" name: "Grafana"
secretEnv: "OIDC_DEX_GRAFANA_CLIENT_SECRET" secretEnv: "OIDC_DEX_GRAFANA_CLIENT_SECRET"
- id: ci-sizer
name: "CI Sizer"
redirectURIs:
- "https://sizer.{{{ .Env.DOMAIN }}}/ui/callback"
secretEnv: "FORGEJO_RUNNER_SIZER_CLIENT_SECRET"
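Review bot: The new env var is named `FORGEJO_RUNNER_SIZER_CLIENT_SECRET` while the secret it reads is `dex-sizer-client`, the Dex client id is `ci-sizer`, and the Grafana client beside it uses the `OIDC_DEX_<APP>_CLIENT_SECRET` pattern; the sizer-receiver app's header comment in this same commit says the receiver serves both the GARM and GitLab modes, so "FORGEJO_RUNNER" is misleading as well as inconsistent. Rename to `OIDC_DEX_SIZER_CLIENT_SECRET` in both the `envVars` entry and the `secretEnv` field. Worth a short comment on the client entry, `# OIDC client for the sizer-receiver UI (RECEIVER_OIDC_CLIENT_ID); secret lives in dex-sizer-client.`, so the cross-reference to the receiver deployment is visible from here.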


@ -72,7 +72,7 @@ spec:
- ReadWriteOnce - ReadWriteOnce
resources: resources:
requests: requests:
storage: 100Gi storage: 500Gi
--- ---
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret


@ -1,3 +1,7 @@
# Default: Forgejo/GitHub Actions runner manager
# Deploys GARM with the ci-sizer provider for automatic sizing + collector injection.
# For GitLab-only deployments, omit this and use gitlab-webhook instead.
# See: ci-sizer/docs/deployment-modes.md
apiVersion: argoproj.io/v1alpha1 apiVersion: argoproj.io/v1alpha1
kind: Application kind: Application
metadata: metadata:
@ -20,7 +24,7 @@ spec:
sources: sources:
- repoURL: https://edp.buildth.ing/DevFW-CICD/garm-helm - repoURL: https://edp.buildth.ing/DevFW-CICD/garm-helm
path: charts/garm path: charts/garm
targetRevision: v0.0.15 targetRevision: v0.0.16
helm: helm:
valueFiles: valueFiles:
- $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/garm/garm/values.yaml - $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/garm/garm/values.yaml


@ -26,7 +26,7 @@ credentials:
image: image:
repository: {{{ .Env.CLIENT_REPO_DOMAIN }}}/devfw-cicd/garm-forgejo repository: {{{ .Env.CLIENT_REPO_DOMAIN }}}/devfw-cicd/garm-forgejo
tag: v0.1.7-forgejo-22 tag: v0.1.7-forgejo-23
providerConfig: providerConfig:
edgeConnect: edgeConnect: