gitea_admin/k8s-and-chill
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

feat: Switch Forgejo SSH to hostPort 222

Browse source 
Use hostPort instead of NodePort for SSH access to avoid cross-node
asymmetric routing issues with kube-proxy nftables mode. Pin Forgejo
pod to node 3 (DNS target) and use port 222 to bypass ISP port 22
blocking.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Felix Wolf 2026-03-30 20:56:38 +02:00
parent 6f717a602f
commit 14cb67369d
16 changed files with 42 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
prototypes/forgejo/helm/forgejo.yaml
View file

@ -26,6 +26,10 @@ ingress:
annotations: annotations:
cert-manager.io/cluster-issuer: letsencrypt cert-manager.io/cluster-issuer: letsencrypt
service:
ssh:
type: ClusterIP
gitea: gitea:
admin: admin:
existingSecret: forgejo-admin-secret existingSecret: forgejo-admin-secret
@ -42,6 +46,7 @@ gitea:
server: server:
DOMAIN: git.tr1ceracop.de DOMAIN: git.tr1ceracop.de
ROOT_URL: https://git.tr1ceracop.de/ ROOT_URL: https://git.tr1ceracop.de/
SSH_PORT: 222
service: service:
DISABLE_REGISTRATION: true DISABLE_REGISTRATION: true
actions: actions:

17
prototypes/forgejo/ytt/ssh-hostport.ytt.yaml Normal file
View file

@ -0,0 +1,17 @@
#@ load("@ytt:overlay", "overlay")
#! Add hostPort 22 to the SSH container port and pin to the DNS target node
#@overlay/match by=overlay.subset({"kind": "Deployment", "metadata": {"name": "forgejo"}})
---
spec:
template:
spec:
#@overlay/match missing_ok=True
nodeSelector:
kubernetes.io/hostname: ubuntu-4gb-nbg1-3
containers:
#@overlay/match by=overlay.subset({"name": "forgejo"})
- ports:
#@overlay/match by=overlay.subset({"name": "ssh"})
#@overlay/match-child-defaults missing_ok=True
- hostPort: 222

2
rendered/argocd/production/app-forgejo.yaml
View file

@ -14,7 +14,7 @@ spec:
project: env-production project: env-production
source: source:
path: rendered/envs/production/forgejo path: rendered/envs/production/forgejo
repoURL: "" repoURL: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
targetRevision: main targetRevision: main
syncPolicy: syncPolicy:
automated: automated:

9
rendered/envs/production/forgejo/deployment-forgejo.yaml
View file

@ -2,7 +2,7 @@ apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
annotations: annotations:
a8r.io/repository: "" a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: labels:
app: forgejo app: forgejo
app.kubernetes.io/instance: forgejo app.kubernetes.io/instance: forgejo
@ -24,7 +24,7 @@ spec:
template: template:
metadata: metadata:
annotations: annotations:
checksum/config: 76b90927e318c6c351bd4820494876eba431085b375f4c446a0b2fa312636c54 checksum/config: 507b290a6b8e8566a121f0f35baf2cd5e6fc4b3b8560e8452ce70c812b11fde5
labels: labels:
app: forgejo app: forgejo
app.kubernetes.io/instance: forgejo app.kubernetes.io/instance: forgejo
@ -39,7 +39,7 @@ spec:
- name: SSH_LISTEN_PORT - name: SSH_LISTEN_PORT
value: "2222" value: "2222"
- name: SSH_PORT - name: SSH_PORT
value: "22" value: "222"
- name: GITEA_APP_INI - name: GITEA_APP_INI
value: /data/gitea/conf/app.ini value: /data/gitea/conf/app.ini
- name: GITEA_CUSTOM - name: GITEA_CUSTOM
@ -65,6 +65,7 @@ spec:
name: forgejo name: forgejo
ports: ports:
- containerPort: 2222 - containerPort: 2222
hostPort: 222
name: ssh name: ssh
- containerPort: 3000 - containerPort: 3000
name: http name: http
@ -180,6 +181,8 @@ spec:
name: temp name: temp
- mountPath: /data - mountPath: /data
name: data name: data
nodeSelector:
kubernetes.io/hostname: ubuntu-4gb-nbg1-3
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
terminationGracePeriodSeconds: 60 terminationGracePeriodSeconds: 60

2
rendered/envs/production/forgejo/ingress-forgejo.yaml
View file

@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1
kind: Ingress kind: Ingress
metadata: metadata:
annotations: annotations:
a8r.io/repository: "" a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
cert-manager.io/cluster-issuer: letsencrypt cert-manager.io/cluster-issuer: letsencrypt
labels: labels:
app: forgejo app: forgejo

2
rendered/envs/production/forgejo/job-forgejo-admin-secret-init.yaml
View file

@ -2,7 +2,7 @@ apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
annotations: annotations:
a8r.io/repository: "" a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
name: forgejo-admin-secret-init name: forgejo-admin-secret-init
namespace: forgejo namespace: forgejo
spec: spec:

2
rendered/envs/production/forgejo/namespace-forgejo.yaml
View file

@ -2,7 +2,7 @@ apiVersion: v1
kind: Namespace kind: Namespace
metadata: metadata:
annotations: annotations:
a8r.io/repository: "" a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: labels:
pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/enforce: privileged
name: forgejo name: forgejo

2
rendered/envs/production/forgejo/persistentvolumeclaim-gitea-shared-storage.yaml
View file

@ -2,7 +2,7 @@ apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
annotations: annotations:
a8r.io/repository: "" a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
helm.sh/resource-policy: keep helm.sh/resource-policy: keep
name: gitea-shared-storage name: gitea-shared-storage
namespace: forgejo namespace: forgejo

2
rendered/envs/production/forgejo/role-forgejo-admin-secret-init.yaml
View file

@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
annotations: annotations:
a8r.io/repository: "" a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
name: forgejo-admin-secret-init name: forgejo-admin-secret-init
namespace: forgejo namespace: forgejo
rules: rules:

2
rendered/envs/production/forgejo/rolebinding-forgejo-admin-secret-init.yaml
View file

@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
annotations: annotations:
a8r.io/repository: "" a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
name: forgejo-admin-secret-init name: forgejo-admin-secret-init
namespace: forgejo namespace: forgejo
roleRef: roleRef:

2
rendered/envs/production/forgejo/secret-forgejo-init.yaml
View file

@ -2,7 +2,7 @@ apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
annotations: annotations:
a8r.io/repository: "" a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: labels:
app: forgejo app: forgejo
app.kubernetes.io/instance: forgejo app.kubernetes.io/instance: forgejo

4
rendered/envs/production/forgejo/secret-forgejo-inline-config.yaml
View file

@ -2,7 +2,7 @@ apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
annotations: annotations:
a8r.io/repository: "" a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: labels:
app: forgejo app: forgejo
app.kubernetes.io/instance: forgejo app.kubernetes.io/instance: forgejo
@ -38,7 +38,7 @@ stringData:
ROOT_URL=https://git.tr1ceracop.de/ ROOT_URL=https://git.tr1ceracop.de/
SSH_DOMAIN=git.tr1ceracop.de SSH_DOMAIN=git.tr1ceracop.de
SSH_LISTEN_PORT=2222 SSH_LISTEN_PORT=2222
SSH_PORT=22 SSH_PORT=222
START_SSH_SERVER=true START_SSH_SERVER=true
service: DISABLE_REGISTRATION=true service: DISABLE_REGISTRATION=true
session: |- session: |-

2
rendered/envs/production/forgejo/secret-forgejo.yaml
View file

@ -2,7 +2,7 @@ apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
annotations: annotations:
a8r.io/repository: "" a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: labels:
app: forgejo app: forgejo
app.kubernetes.io/instance: forgejo app.kubernetes.io/instance: forgejo

2
rendered/envs/production/forgejo/service-forgejo-http.yaml
View file

@ -2,7 +2,7 @@ apiVersion: v1
kind: Service kind: Service
metadata: metadata:
annotations: annotations:
a8r.io/repository: "" a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: labels:
app: forgejo app: forgejo
app.kubernetes.io/instance: forgejo app.kubernetes.io/instance: forgejo

2
rendered/envs/production/forgejo/service-forgejo-ssh.yaml
View file

@ -2,7 +2,7 @@ apiVersion: v1
kind: Service kind: Service
metadata: metadata:
annotations: annotations:
a8r.io/repository: "" a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: labels:
app: forgejo app: forgejo
app.kubernetes.io/instance: forgejo app.kubernetes.io/instance: forgejo

2
rendered/envs/production/forgejo/serviceaccount-forgejo-admin-secret-init.yaml
View file

@ -2,6 +2,6 @@ apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
annotations: annotations:
a8r.io/repository: "" a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
name: forgejo-admin-secret-init name: forgejo-admin-secret-init
namespace: forgejo namespace: forgejo