chore: upgrade customer tvs to chart 0.1.100

- Fix secret references: all env vars now read from lunarfront-secrets (was referencing 3 non-existent separate secrets)
- Add ENCRYPTION_KEY, RESEND_API_KEY, MAIL_FROM, BUSINESS_NAME, INITIAL_USER_* env vars to backend container
- Add RESEND_API_KEY to manager deployment from manager-secrets

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

argocd/app-template.yaml

@@ -6,7 +6,7 @@ metadata:
 spec:
   project: default
   source:
-    repoURL: https://git.lunarfront.tech/ryan/lunarfront-charts.git
+    repoURL: ssh://git@git-ssh.lunarfront.tech/ryan/lunarfront-charts.git
     targetRevision: main
     path: charts/lunarfront
     helm:

argocd/cert-manager-app.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cert-manager-config
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git-ssh.lunarfront.tech/ryan/lunarfront-charts.git
+    targetRevision: main
+    path: cert-manager
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: cert-manager
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

argocd/customers-app.yaml

@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: customers
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git-ssh.lunarfront.tech/ryan/lunarfront-charts.git
+    targetRevision: main
+    path: customers
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: argocd
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true

argocd/dev-app.yaml

@@ -0,0 +1,31 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: dev
+  namespace: argocd
+  annotations:
+    argocd-image-updater.argoproj.io/image-list: dev=registry.digitalocean.com/lunarfront/manager
+    argocd-image-updater.argoproj.io/dev.update-strategy: name
+    argocd-image-updater.argoproj.io/dev.allow-tags: regexp:^devpod-
+    argocd-image-updater.argoproj.io/write-back-method: argocd
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git-ssh.lunarfront.tech/ryan/lunarfront-charts.git
+    targetRevision: main
+    path: dev
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: dev
+  ignoreDifferences:
+    - group: apps
+      kind: Deployment
+      name: dev
+      jsonPointers:
+        - /spec/replicas
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

argocd/gitea-app.yaml

@@ -19,7 +19,7 @@ spec:
       helm:
         valueFiles:
           - $values/gitea/values.yaml
-    - repoURL: ssh://git@134.199.248.182:22/ryan/lunarfront-charts.git
+    - repoURL: ssh://git@git-ssh.lunarfront.tech/ryan/lunarfront-charts.git
       targetRevision: main
       ref: values
   destination:

argocd/manager-app.yaml

@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: manager
+  namespace: argocd
+  annotations:
+    argocd-image-updater.argoproj.io/image-list: manager=registry.digitalocean.com/lunarfront/manager
+    argocd-image-updater.argoproj.io/manager.update-strategy: semver
+    argocd-image-updater.argoproj.io/manager.allow-tags: regexp:^\d+\.\d+\.\d+$
+    argocd-image-updater.argoproj.io/write-back-method: argocd
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git-ssh.lunarfront.tech/ryan/lunarfront-charts.git
+    targetRevision: main
+    path: manager
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: manager
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

argocd/pgbouncer-app.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: pgbouncer
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git-ssh.lunarfront.tech/ryan/lunarfront-charts.git
+    targetRevision: main
+    path: pgbouncer
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: pgbouncer
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

argocd/runner-app.yaml

@@ -6,7 +6,7 @@ metadata:
 spec:
   project: default
   source:
-    repoURL: ssh://git@134.199.248.182:22/ryan/lunarfront-charts.git
+    repoURL: ssh://git@git-ssh.lunarfront.tech/ryan/lunarfront-charts.git
     targetRevision: main
     path: runner
   destination:

cert-manager/clusterissuer.yaml

@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: ryan@lunarfront.tech
+    privateKeySecretRef:
+      name: letsencrypt-prod-key
+    solvers:
+      - dns01:
+          cloudflare:
+            apiTokenSecretRef:
+              name: cloudflare-api-token
+              key: api-token

charts/lunarfront/templates/deployment.yaml

@@ -28,18 +28,92 @@ spec:
             - name: DATABASE_URL
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Values.database.secretName }}
-                  key: url
+                  name: lunarfront-secrets
+                  key: database-url
             - name: REDIS_URL
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Values.redis.secretName }}
-                  key: url
+                  name: lunarfront-secrets
+                  key: redis-url
+            - name: REDIS_KEY_PREFIX
+              valueFrom:
+                secretKeyRef:
+                  name: lunarfront-secrets
+                  key: redis-key-prefix
             - name: JWT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Values.auth.secretName }}
-                  key: secret
+                  name: lunarfront-secrets
+                  key: jwt-secret
+            - name: SPACES_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: lunarfront-secrets
+                  key: spaces-key
+            - name: SPACES_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: lunarfront-secrets
+                  key: spaces-secret
+            - name: SPACES_BUCKET
+              valueFrom:
+                secretKeyRef:
+                  name: lunarfront-secrets
+                  key: spaces-bucket
+            - name: SPACES_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: lunarfront-secrets
+                  key: spaces-endpoint
+            - name: SPACES_PREFIX
+              valueFrom:
+                secretKeyRef:
+                  name: lunarfront-secrets
+                  key: spaces-prefix
+            - name: ENCRYPTION_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: lunarfront-secrets
+                  key: encryption-key
+            - name: RESEND_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: lunarfront-secrets
+                  key: resend-api-key
+            - name: MAIL_FROM
+              valueFrom:
+                secretKeyRef:
+                  name: lunarfront-secrets
+                  key: mail-from
+            - name: BUSINESS_NAME
+              valueFrom:
+                secretKeyRef:
+                  name: lunarfront-secrets
+                  key: business-name
+            - name: INITIAL_USER_EMAIL
+              valueFrom:
+                secretKeyRef:
+                  name: lunarfront-secrets
+                  key: initial-user-email
+                  optional: true
+            - name: INITIAL_USER_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: lunarfront-secrets
+                  key: initial-user-password
+                  optional: true
+            - name: INITIAL_USER_FIRST_NAME
+              valueFrom:
+                secretKeyRef:
+                  name: lunarfront-secrets
+                  key: initial-user-first-name
+                  optional: true
+            - name: INITIAL_USER_LAST_NAME
+              valueFrom:
+                secretKeyRef:
+                  name: lunarfront-secrets
+                  key: initial-user-last-name
+                  optional: true
           resources:
             {{- toYaml .Values.resources.backend | nindent 12 }}
           livenessProbe:

charts/lunarfront/values.yaml

@@ -2,11 +2,11 @@
 
 image:
   backend:
-    repository: registry.lunarfront.tech/ryan/lunarfront-app
+    repository: git.lunarfront.tech/ryan/lunarfront-app
     tag: latest
     pullPolicy: Always
   frontend:
-    repository: registry.lunarfront.tech/ryan/lunarfront-frontend
+    repository: git.lunarfront.tech/ryan/lunarfront-frontend
     tag: latest
     pullPolicy: Always
 

customers/tvs.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: customer-tvs
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: registry.digitalocean.com/lunarfront
+    chart: lunarfront
+    targetRevision: "0.1.100"
+    helm:
+      parameters:
+        - name: ingress.host
+          value: tvs.lunarfront.tech
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: customer-tvs
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

dev/deployment.yaml

@@ -0,0 +1,54 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dev
+  namespace: dev
+spec:
+  replicas: 0
+  selector:
+    matchLabels:
+      app: dev
+  template:
+    metadata:
+      labels:
+        app: dev
+    spec:
+      nodeSelector:
+        role: dev
+      tolerations:
+        - key: dedicated
+          value: dev
+          effect: NoSchedule
+      imagePullSecrets:
+        - name: registry-lunarfront
+      containers:
+        - name: dev
+          image: registry.digitalocean.com/lunarfront/manager:devpod-latest
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 8080
+              name: web
+            - containerPort: 22
+              name: ssh
+          env:
+            - name: SSH_AUTHORIZED_KEYS
+              valueFrom:
+                secretKeyRef:
+                  name: dev-secrets
+                  key: ssh-authorized-keys
+            - name: ANTHROPIC_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: dev-secrets
+                  key: anthropic-api-key
+          volumeMounts:
+            - name: workspace
+              mountPath: /root
+          resources:
+            requests:
+              cpu: 500m
+              memory: 1Gi
+      volumes:
+        - name: workspace
+          persistentVolumeClaim:
+            claimName: dev-workspace

dev/ingress.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: dev
+  namespace: dev
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: dev.lunarfront.tech
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: dev
+                port:
+                  number: 8080
+  tls:
+    - secretName: dev-lunarfront-tech-tls
+      hosts:
+        - dev.lunarfront.tech

dev/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: dev

dev/pvc.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: dev-workspace
+  namespace: dev
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 100Gi
+  storageClassName: do-block-storage

dev/secret.yaml

@@ -0,0 +1,4 @@
+# Managed externally — apply manually:
+# kubectl create secret generic dev-secrets -n dev \
+#   --from-literal=code-server-password=<password> \
+#   --from-literal=ssh-authorized-keys="<your-public-key>"

dev/services.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: dev
+  namespace: dev
+spec:
+  selector:
+    app: dev
+  ports:
+    - name: web
+      port: 8080
+      targetPort: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: dev-ssh
+  namespace: dev
+spec:
+  selector:
+    app: dev
+  ports:
+    - name: ssh
+      port: 22
+      targetPort: 22

gitea/values.yaml

@@ -6,20 +6,22 @@ gitea:
 
   config:
     server:
-      DOMAIN: git2.lunarfront.tech
-      ROOT_URL: https://git2.lunarfront.tech
-      SSH_DOMAIN: git2-ssh.lunarfront.tech
+      DOMAIN: git.lunarfront.tech
+      ROOT_URL: https://git.lunarfront.tech
+      SSH_DOMAIN: git-ssh.lunarfront.tech
       SSH_PORT: 22
       START_SSH_SERVER: true
     database:
       DB_TYPE: postgres
-      SSL_MODE: require
+      SSL_MODE: disable
     session:
       PROVIDER: db
     cache:
       ADAPTER: memory
     queue:
       TYPE: level
+    actions:
+      ENABLED: true
 
   additionalConfigFromEnvs:
     - name: GITEA__database__HOST
@@ -63,26 +65,35 @@ persistence:
 
 service:
   ssh:
-    type: LoadBalancer
+    type: ClusterIP
+    clusterIP: None
     port: 22
     annotations:
-      service.beta.kubernetes.io/do-loadbalancer-name: "gitea-ssh"
-      external-dns.alpha.kubernetes.io/hostname: git2-ssh.lunarfront.tech
+      external-dns.alpha.kubernetes.io/hostname: git-ssh.lunarfront.tech
+      external-dns.alpha.kubernetes.io/target: "167.99.21.170"
 
 ingress:
   enabled: true
   className: nginx
   annotations:
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+    cert-manager.io/cluster-issuer: letsencrypt-prod
   hosts:
-    - host: git2.lunarfront.tech
+    - host: git.lunarfront.tech
       paths:
         - path: /
           pathType: Prefix
   tls:
-    - secretName: cloudflare-origin-cert
+    - secretName: git-lunarfront-tech-tls
       hosts:
-        - git2.lunarfront.tech
+        - git.lunarfront.tech
+
+strategy:
+  type: Recreate
+
+nodeSelector:
+  role: system
 
 resources:
   requests:

ingress/tcp-services.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: tcp-services
+  namespace: ingress-nginx
+data:
+  "22": "gitea/gitea-ssh:22"
+  "2222": "dev/dev-ssh:22"

manager/deployment.yaml

@@ -0,0 +1,107 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: manager
+  namespace: manager
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: manager
+  template:
+    metadata:
+      labels:
+        app: manager
+    spec:
+      serviceAccountName: manager
+      nodeSelector:
+        role: system
+      imagePullSecrets:
+        - name: registry-lunarfront
+      containers:
+        - name: manager
+          image: registry.digitalocean.com/lunarfront/manager:0.12.2
+          ports:
+            - containerPort: 3000
+          env:
+            - name: PORT
+              value: "3000"
+            - name: DO_API_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: manager-secrets
+                  key: do-api-token
+            - name: DO_DB_CLUSTER_ID
+              valueFrom:
+                secretKeyRef:
+                  name: manager-secrets
+                  key: do-db-cluster-id
+            - name: GIT_SSH_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: manager-secrets
+                  key: git-ssh-key
+            - name: DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: manager-secrets
+                  key: database-url
+            - name: DOADMIN_DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: manager-secrets
+                  key: doadmin-database-url
+            - name: JWT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: manager-secrets
+                  key: jwt-secret
+            - name: MANAGED_VALKEY_URL
+              valueFrom:
+                secretKeyRef:
+                  name: manager-secrets
+                  key: managed-valkey-url
+            - name: SPACES_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: manager-secrets
+                  key: spaces-key
+            - name: SPACES_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: manager-secrets
+                  key: spaces-secret
+            - name: CF_API_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: manager-secrets
+                  key: cf-api-token
+            - name: CF_ZONE_ID
+              valueFrom:
+                secretKeyRef:
+                  name: manager-secrets
+                  key: cf-zone-id
+            - name: RESEND_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: manager-secrets
+                  key: resend-api-key
+          resources:
+            requests:
+              cpu: 50m
+              memory: 128Mi
+            limits:
+              cpu: 500m
+              memory: 256Mi
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 3000
+            initialDelaySeconds: 10
+            periodSeconds: 30
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: 3000
+            initialDelaySeconds: 5
+            periodSeconds: 10

manager/ingress.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: manager
+  namespace: manager
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: manager.lunarfront.tech
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: manager
+                port:
+                  number: 3000
+  tls:
+    - secretName: manager-lunarfront-tech-tls
+      hosts:
+        - manager.lunarfront.tech

manager/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml
+  - rbac.yaml

manager/rbac.yaml

@@ -0,0 +1,125 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: manager
+  namespace: manager
+---
+# pgbouncer config management
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: manager-pgbouncer
+  namespace: pgbouncer
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    resourceNames: ["pgbouncer-config"]
+    verbs: ["get", "patch"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames: ["pgbouncer-userlist"]
+    verbs: ["get", "patch"]
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    resourceNames: ["pgbouncer"]
+    verbs: ["get", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: manager-pgbouncer
+  namespace: pgbouncer
+subjects:
+  - kind: ServiceAccount
+    name: manager
+    namespace: manager
+roleRef:
+  kind: Role
+  apiGroup: rbac.authorization.k8s.io
+  name: manager-pgbouncer
+---
+# ArgoCD application management
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: manager-argocd
+  namespace: argocd
+rules:
+  - apiGroups: ["argoproj.io"]
+    resources: ["applications"]
+    verbs: ["get", "create", "delete", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: manager-argocd
+  namespace: argocd
+subjects:
+  - kind: ServiceAccount
+    name: manager
+    namespace: manager
+roleRef:
+  kind: Role
+  apiGroup: rbac.authorization.k8s.io
+  name: manager-argocd
+---
+# Dev pod management
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: manager-dev
+  namespace: dev
+rules:
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "list", "patch", "update"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames: ["dev-secrets"]
+    verbs: ["get", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: manager-dev
+  namespace: dev
+subjects:
+  - kind: ServiceAccount
+    name: manager
+    namespace: manager
+roleRef:
+  kind: Role
+  apiGroup: rbac.authorization.k8s.io
+  name: manager-dev
+---
+# Cluster-wide: create/delete customer namespaces and manage secrets within them
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: manager-customer-provisioner
+rules:
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["get", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "create", "delete", "patch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: manager-customer-provisioner
+subjects:
+  - kind: ServiceAccount
+    name: manager
+    namespace: manager
+roleRef:
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+  name: manager-customer-provisioner

manager/service.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: manager
+  namespace: manager
+spec:
+  selector:
+    app: manager
+  ports:
+    - port: 3000
+      targetPort: 3000

pgbouncer/configmap.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pgbouncer-config
+  namespace: pgbouncer
+data:
+  pgbouncer.ini: |
+    [databases]
+    gitea = host=lunarfront-postgres-do-user-35277853-0.e.db.ondigitalocean.com port=25060 dbname=gitea user=gitea pool_mode=session pool_size=3
+    manager = host=lunarfront-postgres-do-user-35277853-0.e.db.ondigitalocean.com port=25060 dbname=manager user=manager pool_mode=session pool_size=3
+
+    [pgbouncer]
+    listen_port = 5432
+    listen_addr = 0.0.0.0
+    auth_type = plain
+    auth_file = /etc/pgbouncer/userlist.txt
+    pool_mode = transaction
+    max_client_conn = 200
+    default_pool_size = 3
+    min_pool_size = 0
+    reserve_pool_size = 1
+    server_tls_sslmode = require
+    server_reset_query = DISCARD ALL
+    ignore_startup_parameters = extra_float_digits
+    log_connections = 0
+    log_disconnections = 0

pgbouncer/deployment.yaml

@@ -0,0 +1,54 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pgbouncer
+  namespace: pgbouncer
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: pgbouncer
+  template:
+    metadata:
+      labels:
+        app: pgbouncer
+    spec:
+      nodeSelector:
+        role: system
+      containers:
+        - name: pgbouncer
+          image: pgbouncer/pgbouncer:latest
+          command: ["/opt/pgbouncer/pgbouncer", "/etc/pgbouncer/pgbouncer.ini"]
+          ports:
+            - containerPort: 5432
+          volumeMounts:
+            - name: config
+              mountPath: /etc/pgbouncer/pgbouncer.ini
+              subPath: pgbouncer.ini
+            - name: userlist
+              mountPath: /etc/pgbouncer/userlist.txt
+              subPath: userlist.txt
+          resources:
+            requests:
+              cpu: 10m
+              memory: 32Mi
+            limits:
+              cpu: 200m
+              memory: 64Mi
+          livenessProbe:
+            tcpSocket:
+              port: 5432
+            initialDelaySeconds: 10
+            periodSeconds: 30
+          readinessProbe:
+            tcpSocket:
+              port: 5432
+            initialDelaySeconds: 5
+            periodSeconds: 10
+      volumes:
+        - name: config
+          configMap:
+            name: pgbouncer-config
+        - name: userlist
+          secret:
+            secretName: pgbouncer-userlist

pgbouncer/service.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: pgbouncer
+  namespace: pgbouncer
+spec:
+  selector:
+    app: pgbouncer
+  ports:
+    - port: 5432
+      targetPort: 5432

runner/config.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gitea-runner-config
+  namespace: runner
+data:
+  config.yaml: |
+    runner:
+      labels:
+        - "ubuntu-latest:docker://catthehacker/ubuntu:act-22.04"
+        - "ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04"
+        - "ubuntu-24.04:docker://catthehacker/ubuntu:act-24.04"
+    container:
+      docker_host: tcp://localhost:2375
+      network: host
+      force_pull: false

runner/deployment.yaml

@@ -5,6 +5,8 @@ metadata:
   namespace: runner
 spec:
   replicas: 1
+  strategy:
+    type: Recreate
   selector:
     matchLabels:
       app: gitea-runner
@@ -13,9 +15,17 @@ spec:
       labels:
         app: gitea-runner
     spec:
+      nodeSelector:
+        role: system
+      hostAliases:
+        - ip: 127.0.0.1
+          hostnames:
+            - git.lunarfront.tech
       containers:
         - name: runner
           image: gitea/act_runner:latest
+          workingDir: /data
+          command: ["sh", "-c", "until nc -z localhost 2375 2>/dev/null; do echo 'waiting for dind...'; sleep 2; done && if [ ! -f /data/.runner ]; then /usr/local/bin/act_runner register --no-interactive --instance \"$GITEA_INSTANCE_URL\" --token \"$GITEA_RUNNER_REGISTRATION_TOKEN\" --name \"$GITEA_RUNNER_NAME\" --config \"$CONFIG_FILE\"; fi && exec /usr/local/bin/act_runner daemon --config \"$CONFIG_FILE\""]
           resources:
             requests:
               cpu: 100m
@@ -25,7 +35,7 @@ spec:
               memory: 2Gi
           env:
             - name: GITEA_INSTANCE_URL
-              value: https://git2.lunarfront.tech
+              value: http://gitea-http.gitea.svc.cluster.local:3000
             - name: GITEA_RUNNER_REGISTRATION_TOKEN
               valueFrom:
                 secretKeyRef:
@@ -37,6 +47,28 @@ spec:
               value: tcp://localhost:2375
             - name: DOCKER_TLS_VERIFY
               value: "0"
+            - name: CONFIG_FILE
+              value: /etc/runner/config.yaml
+          volumeMounts:
+            - name: runner-config
+              mountPath: /etc/runner
+            - name: runner-data
+              mountPath: /data
+
+        - name: registry-proxy
+          image: haproxy:alpine
+          securityContext:
+            runAsUser: 0
+          resources:
+            requests:
+              cpu: 10m
+              memory: 32Mi
+            limits:
+              cpu: 100m
+              memory: 128Mi
+          volumeMounts:
+            - name: haproxy-config
+              mountPath: /usr/local/etc/haproxy
 
         - name: dind
           image: docker:dind
@@ -53,3 +85,14 @@ spec:
             - name: DOCKER_TLS_CERTDIR
               value: ""
           args: ["--host=tcp://0.0.0.0:2375"]
+
+      volumes:
+        - name: runner-config
+          configMap:
+            name: gitea-runner-config
+        - name: runner-data
+          persistentVolumeClaim:
+            claimName: gitea-runner-data
+        - name: haproxy-config
+          configMap:
+            name: runner-haproxy-config

runner/haproxy-configmap.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: runner-haproxy-config
+  namespace: runner
+data:
+  haproxy.cfg: |
+    global
+      daemon
+      log stdout format raw local0
+
+    defaults
+      mode tcp
+      log global
+      timeout connect 5s
+      timeout client 30s
+      timeout server 30s
+
+    frontend registry
+      bind 0.0.0.0:443
+      default_backend nginx
+
+    backend nginx
+      server nginx ingress-nginx-controller.ingress-nginx.svc.cluster.local:443 send-proxy

runner/pvc.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gitea-runner-data
+  namespace: runner
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: do-block-storage