fix(forgejo): persist sessions to disk instead of memory #356

Merged
forgejo_admin merged 1 commit from fix-forgejo-session-provider into main 2026-05-09 16:45:33 +00:00
Contributor

Summary

Switch Forgejo session provider from memory to file so sessions survive pod restarts.

Changes

  • Add PROVIDER = "file" to Forgejo Helm session config
  • Sessions now stored on the existing 10Gi PVC

Test Plan

  • Applied via tofu apply — confirmed PROVIDER = file in running pod
  • Confirm session survives next pal-e-platform merge (pod restart)

Review Checklist

  • No new variables or secrets required
  • Single-line change, no side effects

Closes #336

Root cause: every pal-e-platform merge triggers CI apply → Forgejo pod restart → all in-memory sessions wiped → user logged out.

fix(forgejo): persist sessions to disk instead of memory
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
ci/woodpecker/pr/woodpecker Pipeline was successful
ci/woodpecker/pull_request_closed/woodpecker Pipeline was successful
c31bbb4481
Memory session provider loses all sessions on pod restart, which
happens on every pal-e-platform merge. File provider stores sessions
on the existing 10Gi PVC so they survive restarts.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Author
Contributor

Tofu Plan Output (targeted: forgejo)

module.forgejo.kubernetes_namespace_v1.forgejo: Refreshing state... [id=forgejo]
module.forgejo.kubernetes_secret_v1.forgejo_oidc: Refreshing state... [id=forgejo/forgejo-oidc]
module.forgejo.kubernetes_config_map_v1.forgejo_custom_css: Refreshing state... [id=forgejo/forgejo-custom-css]
module.forgejo.helm_release.forgejo: Refreshing state... [id=forgejo]

No changes. Your infrastructure matches the configuration.

OpenTofu has compared your real infrastructure against your configuration and
found no differences, so no changes are needed.

Warning: Resource targeting is in effect

You are creating a plan with either the -target option or the -exclude
option, which means that the result of this plan may not represent all of the
changes requested by the current configuration.

The -target and -exclude options are not for routine use, and are provided
only for exceptional situations such as recovering from errors or mistakes,
or when OpenTofu specifically suggests to use it as part of an error message.

Author
Contributor

PR #356 Review

DOMAIN REVIEW

Tech stack: Terraform (HCL) / Helm / Kubernetes

This is a single-line Terraform change adding PROVIDER = "file" to the Forgejo Helm release session config block in terraform/modules/forgejo/main.tf.

Terraform/Helm assessment:

  • The change is tofu fmt compliant -- alignment matches the existing block style (consistent padding with surrounding keys SESSION_LIFE_TIME and COOKIE_SECURE).
  • No new variables, outputs, or secrets introduced.
  • No state-breaking changes -- this modifies an in-place Helm value, which triggers a Helm upgrade (pod restart), not a destroy/recreate.
  • The PROVIDER = "file" value is a valid Forgejo/Gitea session provider. File-based sessions store to /data/sessions inside the container.

Storage verification: The persistence block (lines 182-186) confirms a 10Gi PVC with local-path storageClass is enabled. Forgejo mounts this at /data, so file-based sessions at /data/sessions will persist across pod restarts. This is the correct fix for the stated problem.

No secrets exposure: The only sensitive value in this module (forgejo_admin_password) is properly handled via set_sensitive (lines 215-219). The new line introduces no credentials.

BLOCKERS

None.

This is a configuration-only change (one Helm value). No new functionality requiring test coverage. No user input handling. No secrets. No auth logic duplication.

NITS

  1. SESSION_LIFE_TIME value: 604800 seconds = 7 days. Not introduced by this PR, but worth noting this is a reasonable session lifetime for an internal Forgejo instance behind Tailscale. No action needed.

  2. Test plan gap: The PR body shows one test plan item is still unchecked ("Confirm session survives next pal-e-platform merge"). This is expected -- it can only be validated post-merge. The checked item ("Applied via tofu apply -- confirmed PROVIDER = file in running pod") is sufficient for pre-merge confidence.

SOP COMPLIANCE

  • Branch named after issue -- branch is fix-forgejo-session-provider, not 336-fix-forgejo-session-provider. Convention expects {issue-number}-{kebab-case-purpose}.
  • PR body follows template -- Summary, Changes, Test Plan, Related sections all present.
  • Related references plan slug -- no plan slug provided (noted as N/A by caller). "Closes #336" is present, which is correct issue linkage.
  • No secrets committed -- verified, no credentials in diff.
  • No unnecessary file changes -- 1 file, 1 line, directly addresses the issue.
  • Commit message is descriptive -- title follows conventional commit format: fix(forgejo): persist sessions to disk instead of memory.

PROCESS OBSERVATIONS

  • Change failure risk: Very low. Single config value change to a well-documented Forgejo setting. Rollback is trivial (remove the line, sessions revert to memory default).
  • Deployment frequency impact: Positive. This fix eliminates forced logouts on every CI-triggered deployment, which was a friction point discouraging frequent merges.
  • Branch naming: Minor SOP deviation. The branch should be prefixed with 336-. This is a nit for a hotfix-style PR, not a blocker.

VERDICT: APPROVED

forgejo_admin deleted branch fix-forgejo-session-provider 2026-05-09 16:45:33 +00:00
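
The check described in the test plan and review above (provider is file, session directory sits on the PVC mounted at /data), as an added example that is not part of this PR or the pal-e-platform repository. The sample app.ini is constructed, and the function name `audit_session_config`, the `PROVIDER_CONFIG` value and the `/data` mount default are assumptions based on the review's description.

```python
import configparser
import posixpath

# Constructed sample of a rendered app.ini; not copied from the PR's cluster.
SAMPLE_APP_INI = """\
APP_NAME = Forgejo
RUN_MODE = prod

[session]
PROVIDER = file
PROVIDER_CONFIG = /data/sessions
SESSION_LIFE_TIME = 604800
COOKIE_SECURE = true
"""


def audit_session_config(ini_text, persistent_mount="/data"):
    """Return findings for the [session] section; an empty list means it passes."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the upper-case key names as written
    # app.ini starts with keys outside any section, which configparser rejects,
    # so park them under a synthetic header.
    parser.read_string("[__global__]\n" + ini_text)
    session = parser["session"] if parser.has_section("session") else {}

    def get(key):
        return session.get(key, "").strip().strip('"')

    findings = []
    mount = posixpath.normpath(persistent_mount)
    # Assumption from the review: an unset provider means the memory default.
    provider = get("PROVIDER").lower() or "memory"
    if provider == "memory":
        findings.append("memory provider: sessions are lost on pod restart")
    elif provider == "file":
        path = get("PROVIDER_CONFIG")
        if not posixpath.isabs(path):
            findings.append(f"session path {path!r} is not absolute; cannot confirm it is on the PVC")
        else:
            # Normalise first so '..' segments cannot make a path look like it is on the mount.
            resolved = posixpath.normpath(path)
            if posixpath.commonpath([mount, resolved]) != mount:
                findings.append(f"session path {resolved} is outside {mount}; sessions will not persist")
    if get("COOKIE_SECURE").lower() == "false":
        findings.append("COOKIE_SECURE is false: session cookie may be sent over plain HTTP")
    return findings


if __name__ == "__main__":
    print(audit_session_config(SAMPLE_APP_INI) or "session config OK")
```

Feed it the app.ini read from the running pod to repeat the "confirmed PROVIDER = file in running pod" step as a repeatable check.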