feat: add STACKIT SKE hub modules

modules/stackit/git-repository/buildingblock/versions.tf

@@ -3,8 +3,8 @@ terraform {
 
   required_providers {
     gitea = {
-      source  = "Lerentis/gitea"
-      version = "~> 0.16.0"
+      source  = "go-gitea/gitea"
+      version = "~> 0.7.0"
     }
     null = {
       source  = "hashicorp/null"

modules/stackit/git-repository/meshstack_integration.tf

@@ -182,3 +182,13 @@ resource "meshstack_building_block_definition" "stackit_git_repo" {
     }
   }
 }
+
+output "bbd_uuid" {
+  description = "UUID of the STACKIT Git repository building block definition."
+  value       = meshstack_building_block_definition.stackit_git_repo.ref.uuid
+}
+
+output "bbd_version_uuid" {
+  description = "UUID of the latest version of the STACKIT Git repository building block definition."
+  value       = meshstack_building_block_definition.stackit_git_repo.version_latest.uuid
+}

modules/stackit/ske/backplane/README.md

@@ -0,0 +1,82 @@
+# SKE Backplane
+
+This module provisions the STACKIT Kubernetes Engine (SKE) cluster and sets up the
+meshStack platform integration (replicator and metering service accounts).
+
+## What it creates
+
+- **SKE Cluster** with a configurable node pool (machine type, count, availability zones)
+- **Kubeconfig** for cluster access (180-day expiration, auto-refresh)
+- **meshStack platform integration** via [terraform-kubernetes-meshplatform](https://github.com/meshcloud/terraform-kubernetes-meshplatform):
+  - Replicator service account for namespace provisioning
+  - Metering service account for usage data collection
+
+## Usage
+
+This module is called from `meshstack_integration.tf` and its outputs are wired into the
+`meshstack_platform` resource's `config.kubernetes` block.
+
+```hcl
+module "backplane" {
+  source = "./backplane"
+
+  stackit_project_id = "your-project-id"
+  cluster_name       = "ske-cluster"
+  region             = "eu01"
+}
+```
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | ~> 2.0 |
+| <a name="requirement_stackit"></a> [stackit](#requirement\_stackit) | >= 0.68.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_meshplatform"></a> [meshplatform](#module\_meshplatform) | git::https://github.com/meshcloud/terraform-kubernetes-meshplatform.git | v0.1.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [stackit_ske_cluster.this](https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs/resources/ske_cluster) | resource |
+| [stackit_ske_kubeconfig.this](https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs/resources/ske_kubeconfig) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | Availability zones for the default node pool. | `list(string)` | <pre>[<br>  "eu01-1"<br>]</pre> | no |
+| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the SKE cluster. | `string` | `"ske-cluster"` | no |
+| <a name="input_enable_kubernetes_version_updates"></a> [enable\_kubernetes\_version\_updates](#input\_enable\_kubernetes\_version\_updates) | Enable automatic Kubernetes version updates during maintenance windows. | `bool` | `true` | no |
+| <a name="input_enable_machine_image_version_updates"></a> [enable\_machine\_image\_version\_updates](#input\_enable\_machine\_image\_version\_updates) | Enable automatic machine image version updates during maintenance windows. | `bool` | `true` | no |
+| <a name="input_machine_type"></a> [machine\_type](#input\_machine\_type) | Machine type for the default node pool. | `string` | `"c2i.2"` | no |
+| <a name="input_maintenance_end"></a> [maintenance\_end](#input\_maintenance\_end) | End of the maintenance window (UTC). | `string` | `"06:00:00Z"` | no |
+| <a name="input_maintenance_start"></a> [maintenance\_start](#input\_maintenance\_start) | Start of the maintenance window (UTC). | `string` | `"02:00:00Z"` | no |
+| <a name="input_meshplatform_namespace"></a> [meshplatform\_namespace](#input\_meshplatform\_namespace) | Kubernetes namespace for the meshStack platform integration (replicator + metering service accounts). | `string` | `"meshcloud"` | no |
+| <a name="input_node_count"></a> [node\_count](#input\_node\_count) | Number of nodes in the default node pool. | `number` | `1` | no |
+| <a name="input_region"></a> [region](#input\_region) | STACKIT region for the SKE cluster. | `string` | `"eu01"` | no |
+| <a name="input_stackit_project_id"></a> [stackit\_project\_id](#input\_stackit\_project\_id) | STACKIT project ID where the SKE cluster will be created. | `string` | n/a | yes |
+| <a name="input_volume_size"></a> [volume\_size](#input\_volume\_size) | Volume size in GB for nodes in the default node pool. | `number` | `25` | no |
+| <a name="input_volume_type"></a> [volume\_type](#input\_volume\_type) | Volume type for nodes in the default node pool. | `string` | `"storage_premium_perf0"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_client_certificate"></a> [client\_certificate](#output\_client\_certificate) | PEM-encoded client certificate for authentication. |
+| <a name="output_client_key"></a> [client\_key](#output\_client\_key) | PEM-encoded client key for authentication. |
+| <a name="output_cluster_ca_certificate"></a> [cluster\_ca\_certificate](#output\_cluster\_ca\_certificate) | PEM-encoded CA certificate for the cluster. |
+| <a name="output_cluster_name"></a> [cluster\_name](#output\_cluster\_name) | Name of the SKE cluster. |
+| <a name="output_console_url"></a> [console\_url](#output\_console\_url) | URL to the STACKIT portal for this SKE cluster. |
+| <a name="output_kube_host"></a> [kube\_host](#output\_kube\_host) | Kubernetes API server endpoint. |
+| <a name="output_kubernetes_version"></a> [kubernetes\_version](#output\_kubernetes\_version) | Kubernetes version running on the cluster. |
+| <a name="output_metering_token"></a> [metering\_token](#output\_metering\_token) | Access token for the meshStack metering service account. |
+| <a name="output_replicator_token"></a> [replicator\_token](#output\_replicator\_token) | Access token for the meshStack replicator service account. |
+<!-- END_TF_DOCS -->

modules/stackit/ske/backplane/main.tf

@@ -0,0 +1,55 @@
+resource "stackit_ske_cluster" "this" {
+  project_id = var.stackit_project_id
+  name       = var.cluster_name
+  node_pools = [
+    {
+      name               = "default"
+      machine_type       = var.machine_type
+      minimum            = var.node_count
+      maximum            = var.node_count
+      availability_zones = var.availability_zones
+      volume_size        = var.volume_size
+      volume_type        = var.volume_type
+    }
+  ]
+  maintenance = {
+    enable_kubernetes_version_updates    = var.enable_kubernetes_version_updates
+    enable_machine_image_version_updates = var.enable_machine_image_version_updates
+    start                                = var.maintenance_start
+    end                                  = var.maintenance_end
+  }
+
+  lifecycle {
+    ignore_changes = [kubernetes_version_used, node_pools[0].os_version_used]
+  }
+}
+
+resource "stackit_ske_kubeconfig" "this" {
+  project_id   = var.stackit_project_id
+  cluster_name = stackit_ske_cluster.this.name
+  expiration   = "15552000" # 180 days
+  refresh      = true
+}
+
+locals {
+  kubeconfig             = yamldecode(stackit_ske_kubeconfig.this.kube_config)
+  kube_host              = local.kubeconfig["clusters"][0]["cluster"]["server"]
+  cluster_ca_certificate = base64decode(local.kubeconfig["clusters"][0]["cluster"]["certificate-authority-data"])
+  client_certificate     = base64decode(local.kubeconfig["users"][0]["user"]["client-certificate-data"])
+  client_key             = base64decode(local.kubeconfig["users"][0]["user"]["client-key-data"])
+}
+
+provider "kubernetes" {
+  host                   = local.kube_host
+  cluster_ca_certificate = local.cluster_ca_certificate
+  client_certificate     = local.client_certificate
+  client_key             = local.client_key
+}
+
+module "meshplatform" {
+  source = "git::https://github.com/meshcloud/terraform-kubernetes-meshplatform.git?ref=v0.1.0"
+
+  namespace          = var.meshplatform_namespace
+  replicator_enabled = true
+  metering_enabled   = true
+}

modules/stackit/ske/backplane/outputs.tf

@@ -0,0 +1,50 @@
+output "cluster_name" {
+  description = "Name of the SKE cluster."
+  value       = stackit_ske_cluster.this.name
+}
+
+output "kube_host" {
+  description = "Kubernetes API server endpoint."
+  value       = local.kube_host
+  sensitive   = true
+}
+
+output "cluster_ca_certificate" {
+  description = "PEM-encoded CA certificate for the cluster."
+  value       = local.cluster_ca_certificate
+  sensitive   = true
+}
+
+output "client_certificate" {
+  description = "PEM-encoded client certificate for authentication."
+  value       = local.client_certificate
+  sensitive   = true
+}
+
+output "client_key" {
+  description = "PEM-encoded client key for authentication."
+  value       = local.client_key
+  sensitive   = true
+}
+
+output "replicator_token" {
+  description = "Access token for the meshStack replicator service account."
+  value       = module.meshplatform.replicator_token
+  sensitive   = true
+}
+
+output "metering_token" {
+  description = "Access token for the meshStack metering service account."
+  value       = module.meshplatform.metering_token
+  sensitive   = true
+}
+
+output "kubernetes_version" {
+  description = "Kubernetes version running on the cluster."
+  value       = stackit_ske_cluster.this.kubernetes_version_used
+}
+
+output "console_url" {
+  description = "URL to the STACKIT portal for this SKE cluster."
+  value       = "https://portal.stackit.cloud/project/${stackit_ske_cluster.this.project_id}/kubernetes/${stackit_ske_cluster.this.name}"
+}

modules/stackit/ske/backplane/variables.tf

@@ -0,0 +1,76 @@
+variable "stackit_project_id" {
+  type        = string
+  description = "STACKIT project ID where the SKE cluster will be created."
+}
+
+variable "cluster_name" {
+  type        = string
+  description = "Name of the SKE cluster."
+  default     = "ske-cluster"
+}
+
+variable "region" {
+  type        = string
+  description = "STACKIT region for the SKE cluster."
+  default     = "eu01"
+}
+
+variable "node_count" {
+  type        = number
+  description = "Number of nodes in the default node pool."
+  default     = 1
+}
+
+variable "machine_type" {
+  type        = string
+  description = "Machine type for the default node pool."
+  default     = "c2i.2"
+}
+
+variable "availability_zones" {
+  type        = list(string)
+  description = "Availability zones for the default node pool."
+  default     = ["eu01-1"]
+}
+
+variable "volume_size" {
+  type        = number
+  description = "Volume size in GB for nodes in the default node pool."
+  default     = 25
+}
+
+variable "volume_type" {
+  type        = string
+  description = "Volume type for nodes in the default node pool."
+  default     = "storage_premium_perf0"
+}
+
+variable "maintenance_start" {
+  type        = string
+  description = "Start of the maintenance window (UTC)."
+  default     = "02:00:00Z"
+}
+
+variable "maintenance_end" {
+  type        = string
+  description = "End of the maintenance window (UTC)."
+  default     = "06:00:00Z"
+}
+
+variable "enable_kubernetes_version_updates" {
+  type        = bool
+  description = "Enable automatic Kubernetes version updates during maintenance windows."
+  default     = true
+}
+
+variable "enable_machine_image_version_updates" {
+  type        = bool
+  description = "Enable automatic machine image version updates during maintenance windows."
+  default     = true
+}
+
+variable "meshplatform_namespace" {
+  type        = string
+  description = "Kubernetes namespace for the meshStack platform integration (replicator + metering service accounts)."
+  default     = "meshcloud"
+}

modules/stackit/ske/backplane/versions.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.3.0"
+
+  required_providers {
+    stackit = {
+      source  = "stackitcloud/stackit"
+      version = ">= 0.68.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.0"
+    }
+  }
+}

modules/stackit/ske/forgejo-connector/buildingblock/APP_TEAM_README.md

@@ -0,0 +1,41 @@
+# Forgejo Actions Integration with SKE
+
+## Description
+
+This building block connects your Forgejo (STACKIT Git) repository to a STACKIT Kubernetes
+Engine (SKE) namespace via Forgejo Actions. It provides your CI/CD workflows with secure
+access to deploy applications into your Kubernetes namespace.
+
+## Usage Motivation
+
+Use this building block when you want to automate deployments from your STACKIT Git repository
+to SKE using Forgejo Actions workflows, similar to GitHub Actions.
+
+## Usage Examples
+
+- Push code to your repository and have Forgejo Actions automatically build and deploy your
+  application to the connected SKE namespace.
+- Set up a workflow that runs tests and deploys on merge to the main branch.
+
+## Prerequisites
+
+- A Forgejo repository (created via the STACKIT Git Repository building block)
+- An SKE namespace (created via the STACKIT Starterkit or manually)
+
+## Shared Responsibility
+
+| Responsibility                                    | Platform Team | Application Team |
+|---------------------------------------------------|---------------|------------------|
+| Setting up Forgejo Actions connector and secrets  | ✅           | ❌              |
+| Managing SKE cluster and namespace                | ✅           | ❌              |
+| Writing Forgejo Actions workflow files            | ❌           | ✅              |
+| Writing and maintaining Kubernetes manifests      | ❌           | ✅              |
+| Monitoring deployments and troubleshooting        | ❌           | ✅              |
+
+## Recommendations
+
+- **Use namespace-scoped resources**: The service account only has `edit` access within your
+  namespace — do not attempt to create cluster-scoped resources.
+- **Keep secrets secure**: The `KUBECONFIG` secret is automatically managed. Do not expose it
+  in workflow logs.
+- **Use deployment strategies**: Implement rolling updates for minimal downtime.

modules/stackit/ske/forgejo-connector/buildingblock/README.md

@@ -0,0 +1,19 @@
+---
+name: Forgejo Actions Integration with SKE
+supportedPlatforms:
+  - stackit
+description: |
+  CI/CD pipeline using Forgejo Actions for deploying to STACKIT Kubernetes Engine (SKE).
+---
+
+# Forgejo Actions Integration with SKE
+
+This Terraform module provisions the necessary resources to integrate Forgejo Actions
+with an SKE cluster namespace. It creates a Kubernetes service account with deployment
+permissions and stores the kubeconfig as a Forgejo Actions secret.
+
+## Features
+
+- Secure authentication using Kubernetes service accounts
+- Kubeconfig automatically stored as a Forgejo Actions repository secret
+- Namespace-scoped RBAC (edit role) for least-privilege deployments