From ca4ded3d0de5a30348d496c133ac13813d4cf907 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lauri=20V=C3=B5sandi?= Date: Mon, 14 Aug 2023 23:38:01 +0300 Subject: [PATCH] gitea: Cleanup config and rotate secrets --- gitea/application.yaml | 42 +++++++++++++++++++++++++++++------------- 1 file changed, 29 insertions(+), 13 deletions(-) diff --git a/gitea/application.yaml b/gitea/application.yaml index abb7c1b..9e6aa85 100644 --- a/gitea/application.yaml +++ b/gitea/application.yaml @@ -12,6 +12,26 @@ spec: name: default secretName: git-tls --- +apiVersion: codemowers.cloud/v1beta1 +kind: SecretClaim +metadata: + name: gitea-security-secret-key +spec: + size: 32 + mapping: + - key: secret + value: "%(plaintext)s" +--- +apiVersion: codemowers.cloud/v1beta1 +kind: SecretClaim +metadata: + name: gitea-security-internal-token +spec: + size: 32 + mapping: + - key: secret + value: "%(plaintext)s" +--- apiVersion: codemowers.io/v1alpha1 kind: OIDCGWClient metadata: @@ -55,8 +75,8 @@ spec: - name: gitea image: gitea/gitea:1.20.2 env: - - name: GITEA__OPENID__ENABLE_OPENID_SIGNIN - value: "false" + - name: GITEA__ADMIN__DISABLE_REGULAR_ORG_CREATION + value: "true" - name: GITEA__SERVER__SSH_SERVER_HOST_KEYS value: ssh/gitea.rsa,ssh/gitea.ecdsa,ssh/gitea.ed25519 - name: GITEA__SERVER__START_SSH_SERVER @@ -97,10 +117,6 @@ spec: value: "false" - name: GITEA__SECURITY__INSTALL_LOCK value: "true" - - name: GITEA__SECURITY__SECRET_KEY - value: t2RrFCn4Q22MFPc - - name: GITEA__SECURITY__LOGIN_REMEMBER_DAYS - value: "30" - name: GITEA__SERVICE__REGISTER_EMAIL_CONFIRM value: "true" - name: GITEA__SERVICE__DISABLE_REGISTRATION @@ -125,10 +141,6 @@ spec: value: "false" - name: GITEA__CRON__ENABLED value: "true" - - name: GITEA__I18N__LANGS - value: en-US - - name: GITEA__I18N__NAMES - value: English - name: GITEA__DATABASE__PASSWD valueFrom: secretKeyRef: 
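Review bot: The two SecretClaim objects request `size: 32`, but whether the operator interprets that as bytes of entropy or as characters from some alphabet is not visible here, and it decides how much secret material actually backs SECRET_KEY and INTERNAL_TOKEN. Gitea's own generator emits a 64-character SECRET_KEY, so confirm the codemowers.cloud semantics and raise `size` if it counts characters. A comment above each claim would also spare the next reader a search, e.g. `# Operator-generated random value; consumed below as GITEA__SECURITY__SECRET_KEY. Never copy it into this file.`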
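Review bot: Removing `GITEA__OPENID__ENABLE_OPENID_SIGNIN=false` does more than clean up: Gitea's documented default for `[openid] ENABLE_OPENID_SIGNIN` is true, so unless it is set elsewhere the legacy OpenID 2.0 sign-in form comes back on an instance that otherwise authenticates through the OIDCGWClient defined earlier in this file. If that is unintended, keep the line next to the new DISABLE_REGULAR_ORG_CREATION entry: `- name: GITEA__OPENID__ENABLE_OPENID_SIGNIN` / `value: "false"`. The env list continues outside the hunk.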
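Review bot: Rotating SECRET_KEY has a consequence the commit does not record: Gitea uses it to encrypt stored data such as users' 2FA secrets, so after this rollout existing 2FA enrolments can no longer be decrypted and affected users must re-enrol. The removed value `t2RrFCn4Q22MFPc` stays in git history, so treating it as compromised and rotating is the right call, but the commit message or a comment near INSTALL_LOCK should state the 2FA impact and the re-enrolment step. Dropping LOGIN_REMEMBER_DAYS falls back to Gitea's default, which is shorter than the previous 30 days; a one-liner such as `# LOGIN_REMEMBER_DAYS intentionally left at Gitea's default` would make clear that is deliberate rather than an oversight.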
@@ -147,8 +159,13 @@ spec: - name: GITEA__SECURITY__INTERNAL_TOKEN valueFrom: secretKeyRef: - name: gitea-secrets - key: GITEA__SECURITY__INTERNAL_TOKEN + name: gitea-security-internal-token + key: secret + - name: GITEA__SECURITY__SECRET_KEY + valueFrom: + secretKeyRef: + name: gitea-security-secret-key + key: secret ports: - containerPort: 8080 name: http @@ -199,4 +216,3 @@ spec: name: https targetPort: 3000 sessionAffinity: ClientIP - publishNotReadyAddresses: true
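Review bot: Both new secretKeyRefs are mandatory (no `optional: true`), so the pod will not start until the operator has materialised the two SecretClaims; that is the safe failure mode, but first-apply ordering should be verified. The old `gitea-secrets` Secret still holds the superseded INTERNAL_TOKEN and is no longer referenced for it here; if nothing else reads that key, delete it rather than leave a retired token in the cluster. INTERNAL_TOKEN must be identical for every Gitea process that calls the internal API, which is fine while the built-in SSH server runs in this same pod (START_SSH_SERVER is set in an earlier hunk); worth pinning with `# INTERNAL_TOKEN is shared with the in-pod SSH server; any external ssh/hook process needs the same value`.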