In-cluster registry: GitHub-free deploy path #168

Open
opened 2026-05-28 11:57:39 +00:00 by coilysiren (Owner) · 0 comments

## Context

Backend (and the other deployable repos) deployed via GitHub Actions joining the tailnet over OIDC, then `tailscale ssh deploy@kai-server` to sideload images. That path broke when the May 26 Tailscale stack-merge recreated the per-repo federated identities without re-syncing `TS_CLIENT_ID`/`TS_AUDIENCE` to GitHub.

Direction (from Kai): **GitHub should never join the tailnet.** All `TS_*` secrets have been stripped from backend, eco-jobs-tracker, galaxy-gen, personal-dashboard, repo-recall. Deploys move to the in-cluster Forgejo runner pushing to an in-cluster registry.

## This issue

Stand up an in-cluster OCI registry as the build->deploy bridge.

- [x] `deploy/registry.yml` - registry:2, namespace `registry`, NodePort `192.168.0.194:30500`, applied + healthy
- [x] `deploy/forgejo-runner.yml` - DinD `--insecure-registry`, applied + both runner pods healthy
- [x] `docs/k3s-deploy-notes.md` section 11 - bring-up runbook
- [ ] host-root: `/etc/rancher/k3s/registries.yaml` insecure entry + k3s restart on kai-server (dispatched as o2r agent-channel task Q9WR)
- [ ] verify plain-http push + pull round-trip
- [ ] per-repo: `.forgejo/workflows/build-publish-deploy.yml`, deployer ServiceAccount/RBAC + kubeconfig secret, deploy-manifest image ref, remove dead `.github/workflows/build-and-publish.yml` (backend first, then the other 4)
- [ ] tear down the now-orphaned `tailscale_federated_identity.ci` + `repos.yaml` in `terraform/tailscale/`
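A shell sketch of the two open host-side items (the `registries.yaml` insecure entry and the plain-http push + pull round-trip), added here as an example; it is not part of the issue or the repo's runbook. It assumes a docker CLI on the host running it, a small local image as the payload, and that k3s is restarted via systemctl; only the registry address comes from the issue.

```shell
# Added example, not from the issue: k3s insecure-registry entry plus a plain-http
# push + pull round-trip check. Assumed (not in the issue): docker CLI on this host,
# a small local image as payload, k3s restarted with systemctl.
set -eu
REGISTRY="${REGISTRY:-192.168.0.194:30500}"      # NodePort from the issue
TEST_IMAGE="${TEST_IMAGE:-hello-world:latest}"    # assumption: any small local image
NAME="roundtrip-check"                            # throwaway repository name
# /etc/rancher/k3s/registries.yaml entry so containerd talks plain http to this host
# only; the mirror key must match the host:port used in deploy-manifest image refs.
registries_yaml() {
  cat <<EOF
mirrors:
  "$REGISTRY":
    endpoint:
      - "http://$REGISTRY"
EOF
}
install_registries_yaml() {
  registries_yaml | sudo tee /etc/rancher/k3s/registries.yaml >/dev/null
  sudo systemctl restart k3s
}
# 0 when the registry's /v2/<name>/tags/list JSON contains the given tag.
# Pure text check, so it can be exercised without a registry.
tag_listed() {
  printf '%s' "$1" | tr -d ' \n' | grep -q "\"tags\":\[[^]]*\"$2\"[^]]*]"
}
# Content digest the local engine recorded for this ref at our registry.
local_digest() {
  docker image inspect --format '{{join .RepoDigests "\n"}}' "$1" \
    | awk -F@ -v r="${1%:*}" '$1==r {print $2}' | head -n1
}
round_trip() {
  tag="$(date +%s)"; ref="$REGISTRY/$NAME:$tag"
  docker tag "$TEST_IMAGE" "$ref"
  docker push "$ref" >/dev/null
  listing="$(curl -fsS "http://$REGISTRY/v2/$NAME/tags/list")"
  tag_listed "$listing" "$tag" || { echo "tag $tag not listed" >&2; return 1; }
  pushed="$(local_digest "$ref")"
  docker image rm "$ref" >/dev/null          # drop the tag, keep layers
  docker pull "$ref" >/dev/null
  pulled="$(local_digest "$ref")"
  [ -n "$pushed" ] && [ "$pushed" = "$pulled" ] || { echo "digest mismatch" >&2; return 1; }
  echo "round-trip ok: $ref@$pulled"
}
```

Run `install_registries_yaml` on kai-server and `round_trip` from a host that can reach the NodePort; a digest mismatch or an unlisted tag means the registry is not serving what was pushed.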
coilysiren added P2 and removed P1 labels 2026-05-31 07:00:34 +00:00
Reference
coilyco-flight-deck/infrastructure#168