gitea: Cleanup config and rotate secrets

2023-08-14 23:38:01 +03:00
parent f0c4be9b7d
commit ca4ded3d0d
1 changed files with 29 additions and 13 deletions
--- a/gitea/application.yaml
+++ b/gitea/application.yaml
@@ -12,6 +12,26 @@ spec:
    name: default
  secretName: git-tls
 ---
+apiVersion: codemowers.cloud/v1beta1
+kind: SecretClaim
+metadata:
+  name: gitea-security-secret-key
+spec:
+  size: 32
+  mapping:
+    - key: secret
+      value: "%(plaintext)s"
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: SecretClaim
+metadata:
+  name: gitea-security-internal-token
+spec:
+  size: 32
+  mapping:
+    - key: secret
+      value: "%(plaintext)s"
+---
 apiVersion: codemowers.io/v1alpha1
 kind: OIDCGWClient
 metadata:
@@ -55,8 +75,8 @@ spec:
        - name: gitea
          image: gitea/gitea:1.20.2
          env:
-            - name: GITEA__OPENID__ENABLE_OPENID_SIGNIN
-              value: "false"
+            - name: GITEA__ADMIN__DISABLE_REGULAR_ORG_CREATION
+              value: "true"
            - name: GITEA__SERVER__SSH_SERVER_HOST_KEYS
              value: ssh/gitea.rsa,ssh/gitea.ecdsa,ssh/gitea.ed25519
            - name: GITEA__SERVER__START_SSH_SERVER
@@ -97,10 +117,6 @@ spec:
              value: "false"
            - name: GITEA__SECURITY__INSTALL_LOCK
              value: "true"
-            - name: GITEA__SECURITY__SECRET_KEY
-              value: t2RrFCn4Q22MFPc
-            - name: GITEA__SECURITY__LOGIN_REMEMBER_DAYS
-              value: "30"
            - name: GITEA__SERVICE__REGISTER_EMAIL_CONFIRM
              value: "true"
            - name: GITEA__SERVICE__DISABLE_REGISTRATION
@@ -125,10 +141,6 @@ spec:
              value: "false"
            - name: GITEA__CRON__ENABLED
              value: "true"
-            - name: GITEA__I18N__LANGS
-              value: en-US
-            - name: GITEA__I18N__NAMES
-              value: English
            - name: GITEA__DATABASE__PASSWD
              valueFrom:
                secretKeyRef:
@@ -147,8 +159,13 @@ spec:
            - name: GITEA__SECURITY__INTERNAL_TOKEN
              valueFrom:
                secretKeyRef:
-                  name: gitea-secrets
-                  key: GITEA__SECURITY__INTERNAL_TOKEN
+                  name: gitea-security-internal-token
+                  key: secret
+            - name: GITEA__SECURITY__SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: gitea-security-secret-key
+                  key: secret
          ports:
            - containerPort: 8080
              name: http
@@ -199,4 +216,3 @@ spec:
    name: https
    targetPort: 3000
  sessionAffinity: ClientIP
-  publishNotReadyAddresses: true