---
# TLS certificate for git.k-space.ee, issued by the cluster-wide `default`
# ClusterIssuer. cert-manager writes the key pair into the `git-tls` Secret,
# which the Gitea StatefulSet below mounts at /cert (CERT_FILE / KEY_FILE).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: gitea
  namespace: gitea
spec:
  dnsNames:
    - git.k-space.ee
  issuerRef:
    kind: ClusterIssuer
    name: default
  secretName: git-tls
  # Keep only the most recent CertificateRequest to limit stale objects.
  revisionHistoryLimit: 1
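---
# Operator-generated random value for Gitea's SECRET_KEY (used to sign
# cookies and encrypt stored credentials). The StatefulSet reads it via a
# secretKeyRef on Secret `gitea-security-secret-key`, key `secret`.
apiVersion: codemowers.cloud/v1beta1
kind: SecretClaim
metadata:
  name: gitea-security-secret-key
  # Pinned to the same namespace as the Certificate and Service so the
  # StatefulSet's secretKeyRef resolves regardless of the `kubectl -n` used.
  namespace: gitea
spec:
  # Length of the generated value (units as defined by the SecretClaim operator).
  size: 32
  mapping:
    - key: secret
      value: "%(plaintext)s"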
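---
# Operator-generated random value for Gitea's INTERNAL_TOKEN (authenticates
# the gitea CLI/hooks against the internal API). The StatefulSet reads it via
# a secretKeyRef on Secret `gitea-security-internal-token`, key `secret`.
apiVersion: codemowers.cloud/v1beta1
kind: SecretClaim
metadata:
  name: gitea-security-internal-token
  # Pinned to the same namespace as the Certificate and Service so the
  # StatefulSet's secretKeyRef resolves regardless of the `kubectl -n` used.
  namespace: gitea
spec:
  # Length of the generated value (units as defined by the SecretClaim operator).
  size: 32
  mapping:
    - key: secret
      value: "%(plaintext)s"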
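---
# Registers Gitea as an OIDC relying party with the cluster's identity provider.
# Whenever the operator rotates the client credentials it runs
# `secretRefreshPod`, which rewrites the `OpenID` login_source row in Gitea's
# database with the new client id/secret.
apiVersion: codemowers.cloud/v1beta1
kind: OIDCClient
metadata:
  name: gitea
  # Same namespace as the Certificate and Service (and the Secrets the
  # refresh pod reads), so this file applies consistently with any `-n`.
  namespace: gitea
spec:
  displayName: Gitea
  uri: https://git.k-space.ee/user/oauth2/OpenID
  redirectUris:
    - https://git.k-space.ee/user/oauth2/OpenID/callback
  # Login is restricted at the IdP to these groups; Gitea's own
  # ENABLE_AUTO_REGISTRATION then creates accounts only for members.
  allowedGroups:
    - k-space:floor
    - k-space:friends
  grantTypes:
    - authorization_code
    - refresh_token
  responseTypes:
    - code
  availableScopes:
    - openid
    - profile
  overrideIncomingScopes: true
  # NOTE(review): PKCE is off for this confidential client. It is a defence in
  # depth against authorization-code interception; enable it once Gitea's
  # OpenID Connect login is confirmed to send a code_verifier.
  pkce: false
  secretRefreshPod:
    apiVersion: v1
    kind: Pod
    metadata:
      name: reset-oidc-config
    spec:
      # Shared scratch space: the init container writes the SQL here and the
      # main container executes it. Pod-scoped, discarded with the pod.
      volumes:
        - name: tmp
          emptyDir: {}
      initContainers:
        - name: jq
          # Pinned by digest; the `mysql` container below is not (see note).
          image: alpine/k8s:1.24.16@sha256:06f8942d87fa17b40795bb9a8eff029a9be3fc3c9bcc13d62071de4cc3324153
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - mountPath: /tmp
              name: tmp
          # Provides OIDC_CLIENT_ID / OIDC_CLIENT_SECRET to jq via $ENV.
          envFrom:
            - secretRef:
                name: oidc-client-gitea-owner-secrets
          # Builds the login_source.cfg JSON and emits an UPDATE statement.
          # @sh quotes both the cfg blob and the row name, so the secret never
          # appears unquoted in the SQL text.
          command:
            - /bin/bash
            - -c
            - jq '{"strategyKey":"OpenID","config":{"Provider":"openidConnect","ClientID":$ENV.OIDC_CLIENT_ID,"ClientSecret":$ENV.OIDC_CLIENT_SECRET,"OpenIDConnectAutoDiscoveryURL":"https://auth.k-space.ee/.well-known/openid-configuration","CustomURLMapping":null,"IconURL":"","Scopes":null,"RequiredClaimName":"","RequiredClaimValue":"","GroupClaimName":"","AdminGroup":"","GroupTeamMap":"","GroupTeamMapRemoval":false,"RestrictedGroup":""}} | "UPDATE login_source SET cfg=\(.config|tostring|@sh) WHERE name=\(.strategyKey|tostring|@sh) LIMIT 1"' -n -r > /tmp/update.sql
      containers:
        - name: mysql
          # NOTE(review): untagged image resolves to `latest` and can change
          # under us (client behaviour, entrypoint). Pin a tag or digest like
          # the init container above.
          image: mysql
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - mountPath: /tmp
              name: tmp
          env:
            - name: MYSQL_PWD
              valueFrom:
                secretKeyRef:
                  name: gitea-secrets
                  key: GITEA__DATABASE__PASSWD
          # The password is handed to the client through a mode-0600 option
          # file instead of `-p${MYSQL_PWD}`: an argv password is readable by
          # anyone who can list processes in the pod, is echoed by the client's
          # own "insecure" warning, and lands in audit/log captures of the
          # command line.
          # NOTE(review): the DB host is a hard-coded IP while the StatefulSet
          # uses mariadb.infra.k-space.ee:3306 — presumably the same server;
          # prefer the DNS name once confirmed so both stay in sync.
          command:
            - /bin/bash
            - -c
            - |-
              set -eu
              umask 077
              printf '[client]\npassword="%s"\n' "$MYSQL_PWD" > /tmp/my.cnf
              mysql --defaults-extra-file=/tmp/my.cnf -u kspace_git -h 172.20.36.1 kspace_git < /tmp/update.sql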
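---
# Single-replica Gitea (rootless image) configured entirely through
# GITEA__SECTION__KEY environment variables; no app.ini is shipped.
# Scaling beyond 1 replica is not supported by this spec: sessions are
# file-backed and the data PVC is ReadWriteOnce.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: gitea
  # Same namespace as the Certificate (`git-tls`) and Service that reference
  # this workload, so the file applies consistently with any `-n`.
  namespace: gitea
  labels:
    app.kubernetes.io/name: gitea
spec:
  revisionHistoryLimit: 0
  serviceName: gitea
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: gitea
  template:
    metadata:
      labels:
        app.kubernetes.io/name: gitea
    spec:
      # Do not inject *_SERVICE_HOST/_PORT vars: they are noise for Gitea and
      # could collide with the GITEA__* namespace.
      enableServiceLinks: false
      # Runs as the image's unprivileged uid/gid 1000; fsGroup lets it own the
      # data PVC and the mounted TLS secret.
      securityContext:
        fsGroup: 1000
        runAsUser: 1000
        runAsGroup: 1000
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: gitea
          image: gitea/gitea:1.22.2-rootless
          imagePullPolicy: IfNotPresent
          # Root filesystem is immutable; every writable path is an explicit
          # volume (/tmp, /etc/gitea, /var/lib/gitea). The rootless image
          # listens on 3000/2222, so no capabilities are needed.
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          env:
            - name: GITEA__REPOSITORY__DISABLED_REPO_UNITS
              value: repo.releases,repo.wiki
            - name: GITEA__ADMIN__DISABLE_REGULAR_ORG_CREATION
              value: "true"
            # Host keys live under the data volume (relative to APP_DATA_PATH)
            # and therefore persist across pod restarts.
            - name: GITEA__SERVER__SSH_SERVER_HOST_KEYS
              value: ssh/gitea.rsa,ssh/gitea.ecdsa,ssh/gitea.ed25519
            - name: GITEA__SERVER__START_SSH_SERVER
              value: "true"
            # Served from the cert-manager Secret mounted at /cert.
            - name: GITEA__SERVER__CERT_FILE
              value: "/cert/tls.crt"
            - name: GITEA__SERVER__KEY_FILE
              value: "/cert/tls.key"
            # Port advertised in clone URLs; the Service maps 22 -> 2222.
            - name: GITEA__SERVER__SSH_PORT
              value: "22"
            - name: GITEA__SERVER__PROTOCOL
              value: https
            # Plain-HTTP listener on 8080 only issues redirects to https.
            - name: GITEA__SERVER__REDIRECT_OTHER_PORT
              value: "true"
            - name: GITEA__SERVER__PORT_TO_REDIRECT
              value: "8080"
            - name: GITEA__SERVER__DOMAIN
              value: git.k-space.ee
            - name: GITEA__SERVER__SSH_DOMAIN
              value: git.k-space.ee
            - name: GITEA__SERVER__HTTP_ADDR
              value: 0.0.0.0
            - name: GITEA__SERVER__ROOT_URL
              value: https://git.k-space.ee
            # -1 disables DSA user keys entirely.
            # NOTE(review): the section name carries a literal `.`; Gitea also
            # accepts the `_0X2E_` escape for it — verify the setting shows up
            # in the rendered config.
            - name: GITEA__SSH.MINIMUM_KEY_SIZES__DSA
              value: "-1"
            - name: GITEA__DATABASE__DB_TYPE
              value: mysql
            - name: GITEA__DATABASE__HOST
              value: mariadb.infra.k-space.ee:3306
            - name: GITEA__DATABASE__NAME
              value: kspace_git
            - name: GITEA__DATABASE__USER
              value: kspace_git
            # NOTE(review): DB credentials and repository metadata cross the
            # network in cleartext; switch to `require`/`verify-ca` if the
            # MariaDB server offers TLS.
            - name: GITEA__DATABASE__SSL_MODE
              value: disable
            - name: GITEA__DATABASE__LOG_SQL
              value: "false"
            # Prevents the web installer from ever being reachable.
            - name: GITEA__SECURITY__INSTALL_LOCK
              value: "true"
            - name: GITEA__SERVICE__REGISTER_EMAIL_CONFIRM
              value: "true"
            # Accounts are created only via OIDC auto-registration below.
            - name: GITEA__SERVICE__DISABLE_REGISTRATION
              value: "true"
            - name: GITEA__SERVICE__ENABLE_NOTIFY_MAIL
              value: "true"
            - name: GITEA__MAILER__ENABLED
              value: "true"
            - name: GITEA__MAILER__SMTP_ADDR
              value: mail.k-space.ee
            # 465 = implicit TLS; presumably Gitea infers smtps from the port
            # since MAILER.PROTOCOL is not set — confirm in the mailer logs.
            - name: GITEA__MAILER__SMTP_PORT
              value: "465"
            - name: GITEA__MAILER__FROM
              value: Gitea <git@k-space.ee>
            - name: GITEA__MAILER__USER
              value: git
            - name: GITEA__MAILER__USE_PLAIN_TEXT
              value: "false"
            # File-backed sessions on the data volume; ties the app to 1 replica.
            - name: GITEA__SESSION__PROVIDER
              value: file
            - name: GITEA__SESSION__COOKIE_SECURE
              value: "true"
            - name: GITEA__CRON__ENABLED
              value: "true"
            # First OIDC login creates the local account; group gating is done
            # by the OIDCClient's allowedGroups.
            - name: GITEA__OAUTH2_CLIENT__ENABLE_AUTO_REGISTRATION
              value: "true"
            # Secrets are injected only by reference; nothing sensitive is
            # stored in this manifest.
            - name: GITEA__DATABASE__PASSWD
              valueFrom:
                secretKeyRef:
                  name: gitea-secrets
                  key: GITEA__DATABASE__PASSWD
            - name: GITEA__MAILER__PASSWD
              valueFrom:
                secretKeyRef:
                  name: gitea-secrets
                  key: GITEA__MAILER__PASSWD
            - name: GITEA__OAUTH2__JWT_SECRET
              valueFrom:
                secretKeyRef:
                  name: gitea-secrets
                  key: GITEA__OAUTH2__JWT_SECRET
            - name: GITEA__SECURITY__INTERNAL_TOKEN
              valueFrom:
                secretKeyRef:
                  name: gitea-security-internal-token
                  key: secret
            - name: GITEA__SECURITY__SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: gitea-security-secret-key
                  key: secret
          ports:
            - containerPort: 8080
              name: http
            - containerPort: 3000
              name: https
            - containerPort: 2222
              name: ssh
          volumeMounts:
            - mountPath: /tmp
              name: tmp
            - mountPath: /etc/gitea
              name: etc
            - mountPath: /cert
              name: cert
            - mountPath: /var/lib/gitea
              name: data
      volumes:
        - name: tmp
          emptyDir: {}
        # Gitea renders its app.ini here from the environment on each start.
        - name: etc
          emptyDir: {}
        - name: cert
          secret:
            secretName: git-tls
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes:
          - ReadWriteOnce
        storageClassName: gitea
        resources:
          requests:
            storage: 10Gi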
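---
# Externally reachable entry point for Gitea. external-dns publishes the
# LoadBalancer address as git.k-space.ee; the three ports map onto the
# unprivileged listeners of the rootless container.
apiVersion: v1
kind: Service
metadata:
  name: gitea
  namespace: gitea
  annotations:
    external-dns.alpha.kubernetes.io/hostname: git.k-space.ee
spec:
  type: LoadBalancer
  # Preserve the client source address (visible in Gitea's logs/audit) by
  # routing only to pods on the receiving node.
  externalTrafficPolicy: Local
  selector:
    app.kubernetes.io/name: gitea
  # Sequence indented to match the rest of the file (yamllint indent-sequences).
  ports:
    - port: 22
      name: ssh
      targetPort: 2222
    # Plain HTTP is only served for redirection to https (PORT_TO_REDIRECT).
    - port: 80
      name: http
      targetPort: 8080
    - port: 443
      name: https
      targetPort: 3000
  sessionAffinity: ClientIP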