feat: Switch Forgejo SSH to hostPort 222

Use hostPort instead of NodePort for SSH access to avoid cross-node asymmetric routing issues with kube-proxy nftables mode. Pin Forgejo pod to node 3 (DNS target) and use port 222 to bypass ISP port 22 blocking. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 20:56:38 +02:00 · 2026-03-30 20:56:38 +02:00 · 14cb67369d
parent 6f717a602f
commit 14cb67369d
16 changed files with 42 additions and 17 deletions
--- a/prototypes/forgejo/helm/forgejo.yaml
+++ b/prototypes/forgejo/helm/forgejo.yaml
@ -26,6 +26,10 @@ ingress:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt

+service:
+  ssh:
+    type: ClusterIP
+
 gitea:
  admin:
    existingSecret: forgejo-admin-secret
@ -42,6 +46,7 @@ gitea:
    server:
      DOMAIN: git.tr1ceracop.de
      ROOT_URL: https://git.tr1ceracop.de/
+      SSH_PORT: 222
    service:
      DISABLE_REGISTRATION: true
    actions:
--- a/prototypes/forgejo/ytt/ssh-hostport.ytt.yaml
+++ b/prototypes/forgejo/ytt/ssh-hostport.ytt.yaml
@ -0,0 +1,17 @@
+#@ load("@ytt:overlay", "overlay")
+
+#! Add hostPort 22 to the SSH container port and pin to the DNS target node
+#@overlay/match by=overlay.subset({"kind": "Deployment", "metadata": {"name": "forgejo"}})
+---
+spec:
+  template:
+    spec:
+      #@overlay/match missing_ok=True
+      nodeSelector:
+        kubernetes.io/hostname: ubuntu-4gb-nbg1-3
+      containers:
+        #@overlay/match by=overlay.subset({"name": "forgejo"})
+        - ports:
+            #@overlay/match by=overlay.subset({"name": "ssh"})
+            #@overlay/match-child-defaults missing_ok=True
+            - hostPort: 222
--- a/rendered/argocd/production/app-forgejo.yaml
+++ b/rendered/argocd/production/app-forgejo.yaml
@ -14,7 +14,7 @@ spec:
  project: env-production
  source:
    path: rendered/envs/production/forgejo
-    repoURL: ""
+    repoURL: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
    targetRevision: main
  syncPolicy:
    automated:
--- a/rendered/envs/production/forgejo/deployment-forgejo.yaml
+++ b/rendered/envs/production/forgejo/deployment-forgejo.yaml
@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    a8r.io/repository: ""
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
  labels:
    app: forgejo
    app.kubernetes.io/instance: forgejo
@ -24,7 +24,7 @@ spec:
  template:
    metadata:
      annotations:
-        checksum/config: 76b90927e318c6c351bd4820494876eba431085b375f4c446a0b2fa312636c54
+        checksum/config: 507b290a6b8e8566a121f0f35baf2cd5e6fc4b3b8560e8452ce70c812b11fde5
      labels:
        app: forgejo
        app.kubernetes.io/instance: forgejo
@ -39,7 +39,7 @@ spec:
            - name: SSH_LISTEN_PORT
              value: "2222"
            - name: SSH_PORT
-              value: "22"
+              value: "222"
            - name: GITEA_APP_INI
              value: /data/gitea/conf/app.ini
            - name: GITEA_CUSTOM
@ -65,6 +65,7 @@ spec:
          name: forgejo
          ports:
            - containerPort: 2222
+              hostPort: 222
              name: ssh
            - containerPort: 3000
              name: http
@ -180,6 +181,8 @@ spec:
              name: temp
            - mountPath: /data
              name: data
+      nodeSelector:
+        kubernetes.io/hostname: ubuntu-4gb-nbg1-3
      securityContext:
        fsGroup: 1000
      terminationGracePeriodSeconds: 60
--- a/rendered/envs/production/forgejo/ingress-forgejo.yaml
+++ b/rendered/envs/production/forgejo/ingress-forgejo.yaml
@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  annotations:
-    a8r.io/repository: ""
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
    cert-manager.io/cluster-issuer: letsencrypt
  labels:
    app: forgejo
--- a/rendered/envs/production/forgejo/job-forgejo-admin-secret-init.yaml
+++ b/rendered/envs/production/forgejo/job-forgejo-admin-secret-init.yaml
@ -2,7 +2,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
  annotations:
-    a8r.io/repository: ""
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
  name: forgejo-admin-secret-init
  namespace: forgejo
 spec:
--- a/rendered/envs/production/forgejo/namespace-forgejo.yaml
+++ b/rendered/envs/production/forgejo/namespace-forgejo.yaml
@ -2,7 +2,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
  annotations:
-    a8r.io/repository: ""
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
  labels:
    pod-security.kubernetes.io/enforce: privileged
  name: forgejo
--- a/rendered/envs/production/forgejo/persistentvolumeclaim-gitea-shared-storage.yaml
+++ b/rendered/envs/production/forgejo/persistentvolumeclaim-gitea-shared-storage.yaml
@ -2,7 +2,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  annotations:
-    a8r.io/repository: ""
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
    helm.sh/resource-policy: keep
  name: gitea-shared-storage
  namespace: forgejo
--- a/rendered/envs/production/forgejo/role-forgejo-admin-secret-init.yaml
+++ b/rendered/envs/production/forgejo/role-forgejo-admin-secret-init.yaml
@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  annotations:
-    a8r.io/repository: ""
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
  name: forgejo-admin-secret-init
  namespace: forgejo
 rules:
--- a/rendered/envs/production/forgejo/rolebinding-forgejo-admin-secret-init.yaml
+++ b/rendered/envs/production/forgejo/rolebinding-forgejo-admin-secret-init.yaml
@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  annotations:
-    a8r.io/repository: ""
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
  name: forgejo-admin-secret-init
  namespace: forgejo
 roleRef:
--- a/rendered/envs/production/forgejo/secret-forgejo-init.yaml
+++ b/rendered/envs/production/forgejo/secret-forgejo-init.yaml
@ -2,7 +2,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  annotations:
-    a8r.io/repository: ""
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
  labels:
    app: forgejo
    app.kubernetes.io/instance: forgejo
--- a/rendered/envs/production/forgejo/secret-forgejo-inline-config.yaml
+++ b/rendered/envs/production/forgejo/secret-forgejo-inline-config.yaml
@ -2,7 +2,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  annotations:
-    a8r.io/repository: ""
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
  labels:
    app: forgejo
    app.kubernetes.io/instance: forgejo
@ -38,7 +38,7 @@ stringData:
    ROOT_URL=https://git.tr1ceracop.de/
    SSH_DOMAIN=git.tr1ceracop.de
    SSH_LISTEN_PORT=2222
-    SSH_PORT=22
+    SSH_PORT=222
    START_SSH_SERVER=true
  service: DISABLE_REGISTRATION=true
  session: |-
--- a/rendered/envs/production/forgejo/secret-forgejo.yaml
+++ b/rendered/envs/production/forgejo/secret-forgejo.yaml
@ -2,7 +2,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  annotations:
-    a8r.io/repository: ""
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
  labels:
    app: forgejo
    app.kubernetes.io/instance: forgejo
--- a/rendered/envs/production/forgejo/service-forgejo-http.yaml
+++ b/rendered/envs/production/forgejo/service-forgejo-http.yaml
@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    a8r.io/repository: ""
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
  labels:
    app: forgejo
    app.kubernetes.io/instance: forgejo
--- a/rendered/envs/production/forgejo/service-forgejo-ssh.yaml
+++ b/rendered/envs/production/forgejo/service-forgejo-ssh.yaml
@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    a8r.io/repository: ""
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
  labels:
    app: forgejo
    app.kubernetes.io/instance: forgejo
--- a/rendered/envs/production/forgejo/serviceaccount-forgejo-admin-secret-init.yaml
+++ b/rendered/envs/production/forgejo/serviceaccount-forgejo-admin-secret-init.yaml
@ -2,6 +2,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  annotations:
-    a8r.io/repository: ""
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
  name: forgejo-admin-secret-init
  namespace: forgejo