
Install Forgejo

On the host system, in another shell at the location of the infctl-cli git repo, copy the .env file to the gcloud VM:

gcloud compute scp .env k3s-vm-1:/opt/src/infctl-cli/.env --zone=us-central1-a --project=$PROJECT_NAME

Use the shell into our cluster from earlier, or reconnect with:

gcloud compute ssh k3s-vm-1 --zone=us-central1-a --project=$PROJECT_NAME

Change directory to /opt/src/infctl-cli/ and source the .env file that was just copied:

cd /opt/src/infctl-cli/
source .env

From here we can run a pipeline to install Forgejo:

LOG_FORMAT=none infctl -f gcloud/tf/scripts/install-forgejo-pipeline.json

If the pipeline completes successfully, we can test whether the site is responding with:

curl -k $APP_DOMAIN_NAME

We should see an HTML page returned to us from Forgejo.

This should also work from our host or from anywhere that is internet connected.

NB: the -k flag tells curl to skip TLS certificate verification. It is needed here because the certificate is not signed by a CA that curl trusts.

In the manifests used to install Forgejo, the issuer was intentionally set to use the Let's Encrypt staging service:

user@k3s-vm-1:/opt/src/infctl-cli$ cat gcloud/tf/k3s/forgejo/issuer.yaml

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: le-cluster-issuer-http
  namespace: forgejo
spec:
  acme:
    email: marshyon@gmail.com
    # We use the staging server here for testing to avoid throttling.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: http-issuer-account-key
    solvers:
      - http01:
          ingress:
            class: traefik

You can also confirm that the staging issuer was used by running:

printf "Q" | openssl s_client -connect "$APP_DOMAIN_NAME":443 -servername "$APP_DOMAIN_NAME" -showcerts

Look for the section that looks like this:

depth=1 C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Tenuous Tomato R13

This certificate will not be trusted by Chrome or other modern browsers. To get past this and complete our tests, we can download the staging root certificate file from Let's Encrypt and install it into our browser.

Step 1: Download the Staging Root Certificate

The specific certificate you need is the “Let’s Encrypt Staging Root X1”. Here is the direct link to download the file from the official Let’s Encrypt website:

Direct Download Link: https://letsencrypt.org/certs/staging/letsencrypt-stg-root-x1.pem

Download this letsencrypt-stg-root-x1.pem file and save it to your computer.

Step 2: Import the Certificate into Your Browser

For security reasons, it is highly recommended to do this in a new, separate browser profile that you only use for testing.

For Google Chrome:

  1. Create a New Test Profile:
     - Click your profile picture in the top-right of Chrome.
     - Click Add > Continue without an account.
     - Give the profile a name like “Staging Test” and click Done. A new Chrome window will open using this profile.
  2. Open Certificate Settings:
     - In this new profile window, go to Settings > Privacy and security > Security.
     - Scroll down and click on Manage device certificates.
  3. Import the Certificate:
     - Click the Authorities tab.
     - Click the Import… button.
     - Select the letsencrypt-stg-root-x1.pem file you downloaded earlier.
     - In the pop-up window, check the box for “Trust this certificate for identifying websites.”
     - Click OK.

Test:

Close and reopen the “Staging Test” profile Chrome window.

Navigate to your site. It should load correctly with a padlock icon, without any security warnings.
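
The same staging root file can replace -k on the command line, so the test verifies the certificate chain instead of skipping the check. This is an added example, not part of the original guide or of infctl; the function names issuer_kind and check_site are hypothetical, and it assumes $APP_DOMAIN_NAME is a bare hostname, as in the openssl command above.

```shell
#!/bin/sh
# Added example: verify the Forgejo endpoint against the Let's Encrypt
# staging root instead of disabling verification with `curl -k`.
# Fetch the root first (URL from the guide above):
#   curl -fsSLO https://letsencrypt.org/certs/staging/letsencrypt-stg-root-x1.pem

# Read `openssl s_client` output on stdin and classify the issuing CA from
# the first "depth=1" line. OpenSSL 1.1 prints "O = ...", 3.x prints "O=...",
# so match on substrings rather than on exact spacing.
issuer_kind() {
    line=$(sed -n '/^depth=1 /{p;q;}')
    case "$line" in
        *"(STAGING)"*) echo staging ;;
        # Assumption: production Let's Encrypt CA names lack "(STAGING)".
        *"Let's Encrypt"*) echo production ;;
        *) echo unknown ;;
    esac
}

# check_site HOST CAFILE
# 1. HTTPS request that must verify against CAFILE (no -k).
# 2. Report which Let's Encrypt environment issued the certificate.
check_site() {
    host=$1
    ca=$2
    if ! curl -sS --cacert "$ca" -o /dev/null \
            -w 'HTTP %{http_code}\n' "https://$host/"; then
        echo "TLS verification against $ca failed" >&2
        return 1
    fi
    # The depth= lines are written to stderr, hence 2>&1.
    kind=$(openssl s_client -connect "$host:443" -servername "$host" \
               -CAfile "$ca" </dev/null 2>&1 | issuer_kind)
    echo "issuer: $kind"
}

# Run only when a hostname is given, e.g.:
#   sh check-staging.sh "$APP_DOMAIN_NAME" letsencrypt-stg-root-x1.pem
if [ "$#" -ge 1 ]; then
    check_site "$1" "${2:-letsencrypt-stg-root-x1.pem}"
fi
```

Once issuer.yaml is switched to the production server line, the same check run without --cacert should report production.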