feat: support shared Forgejo token for all RunnerPools #16

Merged
rcsheets merged 1 commit from feat/shared-forgejo-token into master 2026-03-27 05:14:42 +00:00
Owner

Add --forgejo-url flag and FORGEJO_TOKEN env var to the controller.
When both are set, the controller uses a single shared Forgejo client
for all RunnerPools instead of reading per-pool tokenSecretRef secrets.
This keeps the site-admin token in the controller's namespace,
away from runner pods.

  • tokenSecretRef is now optional in the RunnerPool CRD
  • Controller falls back to tokenSecretRef if no shared token is set
  • Updated webhook validation and tests accordingly

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

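The token-resolution order described in the PR (a single shared client when both `--forgejo-url` and `FORGEJO_TOKEN` are set, the pool's own `tokenSecretRef` otherwise, and a clear error when neither is available) written out as an added Go example. This is not the operator's own code: the type names, the `URL` and `Key` fields, `ValidatePool`, `ResolveToken`, `MemorySecrets` and the in-memory secret store are all assumptions constructed for illustration, and the language choice assumes the operator is written in Go.

```go
package main

import (
	"errors"
	"fmt"
)

// SharedConfig holds the controller-level settings from the PR: the
// --forgejo-url flag and the FORGEJO_TOKEN environment variable.
// (Constructed example; field names are assumptions, not the operator's types.)
type SharedConfig struct {
	ForgejoURL string // value of --forgejo-url
	Token      string // value of FORGEJO_TOKEN
}

// Enabled reports whether both settings are present; only then does the
// controller use one shared client for every RunnerPool.
func (c SharedConfig) Enabled() bool {
	return c.ForgejoURL != "" && c.Token != ""
}

// SecretRef stands in for the CRD's tokenSecretRef (assumed shape).
type SecretRef struct {
	Name string
	Key  string
}

// RunnerPoolSpec is a reduced stand-in for the CRD spec. The pointer makes
// tokenSecretRef optional, which is what the PR changes.
type RunnerPoolSpec struct {
	URL            string
	TokenSecretRef *SecretRef
}

// TokenSource records where the controller obtained credentials.
type TokenSource struct {
	Kind  string // "shared" or "secretRef"
	URL   string
	Token string
}

// secretReader abstracts reading a Secret from the pool's namespace so the
// example runs offline; a real controller would use the Kubernetes client.
type secretReader func(ref SecretRef) (string, error)

// ErrNoToken is the "neither option available" error the review refers to.
var ErrNoToken = errors.New("no Forgejo token available: set --forgejo-url and FORGEJO_TOKEN on the controller, or tokenSecretRef on the RunnerPool")

// ValidatePool is the webhook-style admission check: a pool is valid when a
// shared token is configured or the pool carries its own tokenSecretRef.
func ValidatePool(shared SharedConfig, spec RunnerPoolSpec) error {
	if shared.Enabled() || spec.TokenSecretRef != nil {
		return nil
	}
	return ErrNoToken
}

// ResolveToken applies the precedence from the PR: shared client first,
// per-pool secret as the fallback, ErrNoToken when neither exists.
func ResolveToken(shared SharedConfig, spec RunnerPoolSpec, read secretReader) (TokenSource, error) {
	if shared.Enabled() {
		// The site-admin token stays in the controller's namespace; the pool's
		// namespace is never read, so runner pods never receive it.
		return TokenSource{Kind: "shared", URL: shared.ForgejoURL, Token: shared.Token}, nil
	}
	if spec.TokenSecretRef == nil {
		return TokenSource{}, ErrNoToken
	}
	tok, err := read(*spec.TokenSecretRef)
	if err != nil {
		return TokenSource{}, fmt.Errorf("reading tokenSecretRef %q: %w", spec.TokenSecretRef.Name, err)
	}
	return TokenSource{Kind: "secretRef", URL: spec.URL, Token: tok}, nil
}

// MemorySecrets is a constructed in-memory stand-in for Secrets in the
// pool's namespace, keyed by Secret name.
func MemorySecrets(store map[string]string) secretReader {
	return func(ref SecretRef) (string, error) {
		v, ok := store[ref.Name]
		if !ok {
			return "", fmt.Errorf("secret %q not found", ref.Name)
		}
		return v, nil
	}
}

func main() {
	// Constructed sample: one pool with its own tokenSecretRef, resolved once
	// without and once with the shared controller token.
	read := MemorySecrets(map[string]string{"pool-a-token": "constructed-pool-token"})
	pool := RunnerPoolSpec{URL: "https://forgejo.example.invalid", TokenSecretRef: &SecretRef{Name: "pool-a-token", Key: "token"}}
	for _, shared := range []SharedConfig{{}, {ForgejoURL: "https://forgejo.example.invalid", Token: "constructed-admin-token"}} {
		src, err := ResolveToken(shared, pool, read)
		fmt.Printf("shared enabled=%v -> source=%q err=%v\n", shared.Enabled(), src.Kind, err)
	}
}
```

Two points the example makes concrete: setting only one of the two controller values leaves `Enabled()` false, so the controller silently stays on per-pool secrets rather than half-applying the shared mode; and when the shared mode is active the pool's namespace is never consulted, which is the property that keeps the admin token away from runner pods.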
feat: support shared Forgejo token for all RunnerPools
Some checks failed
CI / ci (push) Has been cancelled
CI / ci (pull_request) Has been cancelled
E2E smoke test / e2e (pull_request) Has been cancelled
7965a095da
Add --forgejo-url flag and FORGEJO_TOKEN env var to the controller.
When both are set, the controller uses a single shared Forgejo client
for all RunnerPools instead of reading per-pool tokenSecretRef secrets.
This keeps the site-admin token in the controller's namespace,
away from runner pods.

- tokenSecretRef is now optional in the RunnerPool CRD
- Controller falls back to tokenSecretRef if no shared token is set
- Updated webhook validation and tests accordingly

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Collaborator

Automated review by pr-reviewer v0.15.0 | Safety Check | anthropic | tracking id r-c611e1-23d996
This is an AI-generated review and may contain mistakes.

Status: Completed


Verdict: LGTM — The changes safely add optional shared token support with proper fallback to per-pool tokens.
Complexity: moderate

Safety Check Review

The changes look clean and safe:

  • No security issues: The shared token approach actually improves security by keeping the admin token in the controller namespace rather than exposing it to runner pods
  • Proper validation logic: The webhook correctly validates that either a shared token or per-pool tokenSecretRef is provided
  • Backward compatibility: Existing deployments using tokenSecretRef will continue to work unchanged
  • Safe error handling: Clear error message when neither token option is available

The automated flag about "possible secret or credential detected" is a false positive - it's just referencing the FORGEJO_TOKEN environment variable name in a comment, not exposing actual credentials.

All changes follow expected patterns for optional configuration flags in Kubernetes operators.

rcsheets merged commit 639cd71746 into master 2026-03-27 05:14:42 +00:00
rcsheets deleted branch feat/shared-forgejo-token 2026-03-27 05:14:42 +00:00
Reference
brooktrails/forgejo-runner-operator!16