Actions are required for CI runners. Recreate avoids leveldb queue lock contention on the shared PVC during Helm upgrades.
Forgejo on railiance01
Production source forge at https://forgejo.coulomb.social.
Mirrors the coulombcore Gitea pattern (railiance-forge) but targets
railiance01 using the same OAS split as other S5 apps (inter-hub,
reuse-surface).
Layer ownership
| Layer | Repo | Concern |
|---|---|---|
| S3 | railiance-platform | forgejo-db CNPG cluster + network policies |
| S5 | railiance-apps | Helm release, ingress, operator Makefile |
| S2 | railiance-cluster | Traefik, cert-manager, cnpg operator |
Hostname decision: the-custodian/docs/forgejo-production-decisions.md.
Hosts
| Item | Value |
|---|---|
| Server | railiance01 92.205.62.239 |
| Namespace | forgejo |
| Helm release | forgejo |
| HTTP service | forgejo-gitea-http (chart naming; ingress must target this) |
| Chart | gitea-charts/gitea 12.5.0 (Forgejo-compatible; 12.6+ needs Gitea 1.26 config edit-ini) |
| Image | code.forgejo.org/forgejo/forgejo:11.0.3 |
| Database | forgejo-db-rw.databases.svc.cluster.local:5432 |
| Kubeconfig | ~/.kube/config-hosteurope |
Bootstrap (first deploy)
1. Database credentials (platform)
cd ~/railiance-platform
# One-time: create and SOPS-encrypt helm/forgejo-db-secret.sops.yaml from template
KUBECONFIG=~/.kube/config-hosteurope make forgejo-db-deploy
KUBECONFIG=~/.kube/config-hosteurope make forgejo-db-status
2. Application secrets (apps)
cd ~/railiance-apps
# Encrypt helm/forgejo-secrets.sops.yaml from template (DB PASSWD must match platform secret)
make check-sops
3. Deploy Forgejo
cd ~/railiance-apps
make forgejo-dry-run
make forgejo-deploy
make forgejo-ingress-deploy
make forgejo-ssh-nodeport-deploy # optional; git+ssh via nodePort 30022
make forgejo-status
make forgejo-smoke
Upgrade notes
- Pin FORGEJO_CHART_VERSION=12.5.0 — chart 12.6+ requires Gitea 1.26 config edit-ini.
- strategy.type: Recreate in helm/forgejo-values.yaml — avoids leveldb queue lock on the shared RWO PVC during rolling updates.
- Actions enabled via gitea.config.actions.ENABLED: true.
- Ingress backend service name is forgejo-gitea-http (Helm release naming).
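
A preflight for the chart pin and the two values-file settings listed above, as an added example that is not part of the repository or its Makefile. It walks the YAML key path rather than grepping, so an unrelated `type:` key cannot satisfy the check. The block-style, two-space-indented layout, the `service.http.type` decoy and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the repo's Makefile logic. Assumes block-style YAML with
# 2-space indentation; function names are hypothetical.

# yaml_get FILE dotted.path -> prints the scalar at that path (empty if absent)
yaml_get() {
  awk -v path="$2" '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    {
      match($0, /^ */); lvl = RLENGTH / 2        # nesting depth from indentation
      line = substr($0, RLENGTH + 1)
      i = index(line, ":"); if (i == 0) next
      key[lvl] = substr(line, 1, i - 1)          # remember the key at this depth
      val = substr(line, i + 1)
      sub(/[ \t]+#.*$/, "", val)                 # drop a trailing comment
      gsub(/^[ \t]+|[ \t]+$/, "", val)           # trim whitespace
      gsub(/^"|"$/, "", val)                     # unquote
      p = key[0]; for (j = 1; j <= lvl; j++) p = p "." key[j]
      if (p == path) { print val; exit }
    }' "$1"
}

# preflight VALUES_FILE CHART_VERSION -> 0 if every invariant holds, else 1
preflight() {
  rc=0
  strategy=$(yaml_get "$1" strategy.type)
  actions=$(yaml_get "$1" gitea.config.actions.ENABLED)
  [ "$2" = "12.5.0" ] || { echo "FAIL chart '$2': pin is 12.5.0" >&2; rc=1; }
  [ "$strategy" = "Recreate" ] || { echo "FAIL strategy.type='$strategy'" >&2; rc=1; }
  [ "$actions" = "true" ] || { echo "FAIL actions.ENABLED='$actions'" >&2; rc=1; }
  return $rc
}

# Constructed sample, not the real helm/forgejo-values.yaml
sample_values() {
  cat <<'EOF'
service:
  http:
    type: ClusterIP
strategy:
  type: Recreate   # shared RWO PVC
gitea:
  config:
    actions:
      ENABLED: true
EOF
}

tmp=$(mktemp); sample_values > "$tmp"
if preflight "$tmp" 12.5.0; then echo "preflight OK"; fi; rm -f "$tmp"
```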
Day-2 operator targets
make forgejo-status
make forgejo-logs
make forgejo-smoke
Coexistence with Gitea
Gitea on coulombcore remains canonical until RAIL-HO-WP-0005 migration drills
and cutover pass. Do not repoint repo remotes until Wave 1 cutover is approved.
Related
- Gitea reference: ~/railiance-forge/Makefile (gitea-deploy)
- Drain plan: the-custodian/docs/coulombcore-drain-placement-plan.md Wave 1
- Onboarding checklist: docs/s5-app-onboarding-checklist.md