Developer and Platform Services

Relevant source files

This section details the namespaces and services providing development infrastructure, cluster administration interfaces, gaming environments, and communication platforms. These services bridge the gap between core infrastructure and user-facing applications, providing essential tools for both developers and the broader community.

Dev Namespace: Forgejo Git Infrastructure

The dev namespace hosts the primary Git version control system, Forgejo, along with its associated runner for CI/CD automation.

Forgejo Implementation

Forgejo is deployed using a rootless container image code.forgejo.org/forgejo/forgejo:15.0.2-rootlesskubernetes/apps/dev/forgejo/app/helmrelease.yaml114-118 It utilizes a DragonflyDB instance for caching, session management, and task queues via the Redis adapter kubernetes/apps/dev/forgejo/app/helmrelease.yaml23-26

Key configuration details include:

Storage: Persistent data is stored in a forgejo PVC kubernetes/apps/dev/forgejo/app/helmrelease.yaml121 with specific paths for LFS and repositories kubernetes/apps/dev/forgejo/app/helmrelease.yaml35-48
Authentication: Integrated with Authentik via OIDC. The configuration uses an ExternalSecret to pull the OIDC client ID and secret from Bitwarden kubernetes/apps/dev/forgejo/app/externalsecret.yaml70-95
SSH Signing: Forgejo is configured to sign commits and merges using an SSH key (Ed25519) mounted from a secret kubernetes/apps/dev/forgejo/app/helmrelease.yaml51-59
Ingress: HTTP traffic is routed through an Anubis proxy for enhanced security before reaching the Forgejo service kubernetes/apps/dev/forgejo/ks.yaml27 SSH traffic is exposed via a TCPRoute on the envoy-internal gateway kubernetes/apps/dev/forgejo/app/helmrelease.yaml126-132

CI/CD Runner

A dedicated forgejo-runner is deployed to handle Forgejo Actions kubernetes/apps/dev/forgejo/ks.yaml44-63 It depends on the main Forgejo instance and is managed via its own HelmRelease.

Forgejo Data Flow and Dependencies

Sources: kubernetes/apps/dev/forgejo/app/helmrelease.yaml1-132 kubernetes/apps/dev/forgejo/ks.yaml1-63 kubernetes/apps/dev/forgejo/app/externalsecret.yaml1-96

Flux-System Namespace: Platform UI

While the flux-system namespace primarily houses the Flux controllers, it also hosts Headlamp, the primary Kubernetes web UI.

Headlamp UI

Headlamp provides a graphical interface for cluster management. It is extended with a Flux-specific plugin to allow direct management of GitOps resources from the UI kubernetes/apps/flux-system/headlamp/app/helmrelease.yaml46-51

OIDC Integration: Headlamp uses Authentik for SSO. An ExternalSecret maps Bitwarden credentials to the headlamp-secretkubernetes/apps/flux-system/headlamp/app/externalsecret.yaml1-34
RBAC: A ServiceAccount named headlamp-admin is bound to the cluster-admin role. It also grants access to specific Authentik groups (e.g., authentik:superuser) kubernetes/apps/flux-system/headlamp/app/rbac.yaml20-41
Networking: Exposed via a fixed LoadBalancer IP 10.10.30.69kubernetes/apps/flux-system/headlamp/app/helmrelease.yaml92-94

Sources: kubernetes/apps/flux-system/headlamp/app/helmrelease.yaml1-101 kubernetes/apps/flux-system/headlamp/app/rbac.yaml1-41 kubernetes/apps/flux-system/headlamp/app/externalsecret.yaml1-34

Games Namespace: Minecraft Infrastructure

The games namespace is dedicated to hosting game servers, specifically Minecraft, with specialized routing and update mechanisms.

Minecraft Routing and DNS

The cluster uses mc-router to handle Minecraft protocol traffic. This allows for virtual hosting of multiple Minecraft servers behind a single entry point.

mc-router: Deployed via Helm, it uses a LoadBalancer service with IP 10.10.30.40kubernetes/apps/games/minecraft/mc-router/helmrelease.yaml40-42
External DNS: The service is annotated to automatically create DNS records for mc.cloudjur.com and minecraft.cloudjur.comkubernetes/apps/games/minecraft/mc-router/helmrelease.yaml43-44

Update Automation

The Minecraft deployment utilizes a custom Renovate datasource to track and update server versions automatically, ensuring the environment stays current with upstream releases.

Sources: kubernetes/apps/games/minecraft/mc-router/helmrelease.yaml1-45 kubernetes/apps/games/kustomization.yaml1-10

Workadventure Namespace: Matrix Communication

The workadventure namespace hosts a complete Matrix communication stack, including the Synapse homeserver and a Coturn TURN server for media relay.

Synapse Matrix Server

Synapse is the reference implementation of the Matrix homeserver protocol.

Database: Synapse connects to a PostgreSQL cluster managed by CloudNativePG, located in the database namespace (postgres-rw.database.svc.cluster.local) kubernetes/apps/workadventure/synapse/app/externalsecret.yaml62-71
OIDC: Authentik is used as the identity provider. Synapse is configured to map user attributes like email, display_name, and profile_picture from the OIDC claims kubernetes/apps/workadventure/synapse/app/externalsecret.yaml114-127
Secrets: All sensitive configuration, including the registration_shared_secret and macaroon_secret_key, is injected via a complex ExternalSecret template that generates the homeserver.yamlkubernetes/apps/workadventure/synapse/app/externalsecret.yaml14-127

Coturn TURN Server

Coturn provides STUN and TURN services, which are essential for NAT traversal in Matrix VoIP and video calls. It is integrated into the namespace to support the Synapse deployment.

Matrix Stack Architecture

Sources: kubernetes/apps/workadventure/synapse/app/externalsecret.yaml1-193 kubernetes/apps/workadventure/namespace.yaml1-5

Cloudjur

Explorer

Developer-and-Platform-Services