
feat(forgejo): self-hosted forge with ArgoCD-Dex OIDC#28

Merged
xnoto merged 1 commit into main from feat/forgejo
Apr 30, 2026

Conversation

@xnoto
Contributor

@xnoto xnoto commented Apr 30, 2026

Summary

Self-hosted Forgejo via the upstream Helm chart. Auth delegated to ArgoCD's embedded Dex (one IdP, one GitHub OAuth app) — same pattern as Headlamp / Grafana. SSH-over-tunnel deferred; HTTPS-only git for now.

Defaults chosen (per the sketch)

  • HTTPS-only git push (no SSH tunnel) — `gitea.config.server.DISABLE_SSH=true`
  • SQLite (chart default) — fine for solo
  • OIDC primary auth — `ALLOW_ONLY_EXTERNAL_REGISTRATION=true`, no local sign-ups
  • 20 GiB PVC, 1 GiB memory limit

Layout

  • bootstrap/argocd-config.yaml — register `forgejo` Dex static client. Callback URL: `https://forgejo.makeitwork.cloud/user/oauth2/dex/callback`.
  • bootstrap/secrets/github-oauth-secret.yaml — sops-encrypted `dex.forgejo.clientSecret` added to argocd-secret.
  • operators/forgejo/
    • `oidc-secret.yaml` — Secret `forgejo-oidc` with the `key` and `secret` stringData fields the chart's `existingSecret` hook reads.
    • `application.yaml` — Helm Application installing chart `forgejo` v13.1.0 from `code.forgejo.org/forgejo-helm`. Includes the `gitea.oauth[]` entry pointing at Dex's well-known URL with our existingSecret, and OIDC-only sign-up config.
    • `tunnel-binding.yaml` — fronts `forgejo-http` Service on `forgejo.makeitwork.cloud`.
    • `namespace.yaml` + `kustomization.yaml` + `ksops-forgejo-secrets.yaml`.
  • operators/kustomization.yaml — add `forgejo`.

Pairs with

Test plan

  • After merge: `kubectl -n forgejo get pods` shows `forgejo-0` Running 1/1
  • After merge: `https://forgejo.makeitwork.cloud` loads the home page
  • After merge: clicking "Sign in via Dex" redirects to GitHub OAuth via Dex; after consent lands on the dashboard with an OIDC-linked account
  • After merge: try a basic clone / push over HTTPS using a generated personal access token

Follow-ups

  • SSH-over-tunnel pattern (cloudflared access ssh + Dex-issued ssh certs?) if HTTPS git proves limiting
  • Wire Forgejo metrics into Prometheus (chart's `gitea.metrics.enabled`)

🤖 Generated with Claude Code

Forgejo deployed via the upstream Helm chart at code.forgejo.org/forgejo-helm,
sized for a single-user instance (1× pod, 20 GiB persistent volume, SQLite by
default). Authentication is delegated to ArgoCD's embedded Dex via an OIDC
auth source ("dex"); local password registration is disabled.

bootstrap/argocd-config.yaml — register `forgejo` as a Dex static client with
redirectURI https://forgejo.makeitwork.cloud/user/oauth2/dex/callback.

bootstrap/secrets/github-oauth-secret.yaml — add encrypted
dex.forgejo.clientSecret to argocd-secret.

operators/forgejo/oidc-secret.yaml — paired stringData keys (key/secret)
the Helm chart's add-oauth init container reads via existingSecret.

operators/forgejo/application.yaml — Helm Application for the chart with:
  - persistence 20 GiB
  - gitea.oauth[] entry for the Dex auth source
  - ALLOW_ONLY_EXTERNAL_REGISTRATION=true so OIDC is the only sign-up path
  - Public ROOT_URL/DOMAIN; SSH disabled (HTTPS-only git)
  - Modest resources for a home cluster

operators/forgejo/tunnel-binding.yaml — TunnelBinding fronts the
forgejo-http Service on forgejo.makeitwork.cloud via the cluster-apps tunnel.

Pairs with tfroot-cloudflare PR adding the CNAME.
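The two halves of the OIDC wiring that the description and the commit message both outline (Dex static client in `argocd-cm`, and the chart values for the `dex` auth source), shown as an added illustration rather than the repository's own manifests. The `argocd.example.invalid` host, the GitHub connector block, and chart keys not quoted in the PR (`provider`, `autoDiscoverUrl`, the `service`/`server` config sections) are assumptions based on the ArgoCD and Gitea/Forgejo chart conventions as I know them; the auth-source name `dex` is what makes the callback path `/user/oauth2/dex/callback`.

```yaml
# bootstrap/argocd-config.yaml (assumed shape): ArgoCD's embedded Dex.
# "$dex.<name>" references resolve to keys in argocd-secret, so the
# sops-encrypted dex.forgejo.clientSecret never appears in this ConfigMap.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  url: https://argocd.example.invalid          # assumption: ArgoCD public URL
  dex.config: |
    connectors:
      - type: github                            # the single upstream IdP
        id: github
        name: GitHub
        config:
          clientID: $dex.github.clientId
          clientSecret: $dex.github.clientSecret
    staticClients:
      - id: forgejo
        name: Forgejo
        secret: $dex.forgejo.clientSecret
        redirectURIs:
          # Must match Forgejo's auth-source name ("dex") exactly; Dex rejects
          # any redirect_uri that is not on this list.
          - https://forgejo.makeitwork.cloud/user/oauth2/dex/callback
---
# operators/forgejo/application.yaml, helm values portion (assumed shape).
gitea:
  oauth:
    - name: dex                                 # auth-source name -> callback path
      provider: openidConnect                   # assumption: chart provider key
      existingSecret: forgejo-oidc              # Secret with stringData key/secret
      # Dex under ArgoCD serves its issuer at <argocd url>/api/dex
      autoDiscoverUrl: https://argocd.example.invalid/api/dex/.well-known/openid-configuration
  config:
    server:
      ROOT_URL: https://forgejo.makeitwork.cloud/
      DOMAIN: forgejo.makeitwork.cloud
      DISABLE_SSH: true                         # HTTPS-only git, no SSH listener
    service:
      # OIDC is the only way to get an account; no local password sign-ups.
      ALLOW_ONLY_EXTERNAL_REGISTRATION: true
```

A quick defender's check after rollout: the issuer in `autoDiscoverUrl`'s discovery document must equal the `iss` claim Dex puts in the ID token, otherwise Forgejo's OIDC library rejects every login even though the redirect to GitHub appears to work.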
@xnoto xnoto self-assigned this Apr 30, 2026
@xnoto xnoto merged commit 303eb92 into main Apr 30, 2026
2 checks passed
@xnoto xnoto deleted the feat/forgejo branch April 30, 2026 05:19