--- apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: gitea namespace: gitea spec: dnsNames: - git.k-space.ee issuerRef: kind: ClusterIssuer name: default secretName: git-tls revisionHistoryLimit: 1 --- apiVersion: codemowers.cloud/v1beta1 kind: SecretClaim metadata: name: gitea-security-secret-key spec: size: 32 mapping: - key: secret value: "%(plaintext)s" --- apiVersion: codemowers.cloud/v1beta1 kind: SecretClaim metadata: name: gitea-security-internal-token spec: size: 32 mapping: - key: secret value: "%(plaintext)s" --- apiVersion: codemowers.cloud/v1beta1 kind: OIDCClient metadata: name: gitea spec: displayName: Gitea uri: https://git.k-space.ee/user/oauth2/OpenID redirectUris: - https://git.k-space.ee/user/oauth2/OpenID/callback allowedGroups: - k-space:floor - k-space:friends grantTypes: - authorization_code - refresh_token responseTypes: - code availableScopes: - openid - profile pkce: false secretRefreshPod: apiVersion: v1 kind: Pod metadata: name: reset-oidc-config spec: volumes: - name: tmp emptyDir: {} initContainers: - name: jq image: alpine/k8s:1.24.16@sha256:06f8942d87fa17b40795bb9a8eff029a9be3fc3c9bcc13d62071de4cc3324153 imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /tmp name: tmp envFrom: - secretRef: name: oidc-client-gitea-owner-secrets command: - /bin/bash - -c - jq '{"strategyKey":"OpenID","config":{"Provider":"openidConnect","ClientID":$ENV.OIDC_CLIENT_ID,"ClientSecret":$ENV.OIDC_CLIENT_SECRET,"OpenIDConnectAutoDiscoveryURL":"https://auth.k-space.ee/.well-known/openid-configuration","CustomURLMapping":null,"IconURL":"","Scopes":null,"RequiredClaimName":"","RequiredClaimValue":"","GroupClaimName":"","AdminGroup":"","GroupTeamMap":"","GroupTeamMapRemoval":false,"RestrictedGroup":""}} | "UPDATE login_source SET cfg=\(.config|tostring|@sh) WHERE name=\(.strategyKey|tostring|@sh) LIMIT 1"' -n -r > /tmp/update.sql containers: - name: mysql image: mysql imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /tmp name: tmp env: - name: MYSQL_PWD valueFrom: secretKeyRef: name: gitea-secrets key: GITEA__DATABASE__PASSWD command: - /bin/bash - -c - mysql -u kspace_git kspace_git -h 172.20.36.1 -p${MYSQL_PWD} < /tmp/update.sql --- apiVersion: apps/v1 kind: StatefulSet metadata: name: gitea labels: app.kubernetes.io/name: gitea spec: revisionHistoryLimit: 0 serviceName: gitea replicas: 1 selector: matchLabels: app.kubernetes.io/name: gitea template: metadata: labels: app.kubernetes.io/name: gitea spec: enableServiceLinks: false securityContext: fsGroup: 1000 runAsUser: 1000 runAsGroup: 1000 runAsNonRoot: true containers: - name: gitea image: gitea/gitea:1.22.1-rootless imagePullPolicy: IfNotPresent securityContext: readOnlyRootFilesystem: true env: - name: GITEA__REPOSITORY__DISABLED_REPO_UNITS value: repo.releases,repo.wiki - name: GITEA__ADMIN__DISABLE_REGULAR_ORG_CREATION value: "true" - name: GITEA__SERVER__SSH_SERVER_HOST_KEYS value: ssh/gitea.rsa,ssh/gitea.ecdsa,ssh/gitea.ed25519 - name: GITEA__SERVER__START_SSH_SERVER value: "true" - name: GITEA__SERVER__CERT_FILE value: "/cert/tls.crt" - name: GITEA__SERVER__KEY_FILE value: "/cert/tls.key" - name: GITEA__SERVER__SSH_PORT value: "22" - name: GITEA__SERVER__PROTOCOL value: https - name: GITEA__SERVER__REDIRECT_OTHER_PORT value: "true" - name: GITEA__SERVER__PORT_TO_REDIRECT value: "8080" - name: GITEA__SERVER__DOMAIN value: git.k-space.ee - name: GITEA__SERVER__SSH_DOMAIN value: git.k-space.ee - name: GITEA__SERVER__HTTP_ADDR value: 0.0.0.0 - name: GITEA__SERVER__ROOT_URL value: https://git.k-space.ee - name: GITEA__SSH.MINIMUM_KEY_SIZES__DSA value: "-1" - name: GITEA__DATABASE__DB_TYPE value: mysql - name: GITEA__DATABASE__HOST value: mariadb.infra.k-space.ee:3306 - name: GITEA__DATABASE__NAME value: kspace_git - name: GITEA__DATABASE__USER value: kspace_git - name: GITEA__DATABASE__SSL_MODE value: disable - name: GITEA__DATABASE__LOG_SQL value: "false" - name: GITEA__SECURITY__INSTALL_LOCK value: "true" - name: GITEA__SERVICE__REGISTER_EMAIL_CONFIRM value: "true" - name: GITEA__SERVICE__DISABLE_REGISTRATION value: "true" - name: GITEA__SERVICE__ENABLE_NOTIFY_MAIL value: "true" - name: GITEA__MAILER__ENABLED value: "true" - name: GITEA__MAILER__SMTP_ADDR value: mail.k-space.ee - name: GITEA__MAILER__SMTP_PORT value: "465" - name: GITEA__MAILER__FROM value: Gitea - name: GITEA__MAILER__USER value: git - name: GITEA__MAILER__USE_PLAIN_TEXT value: "false" - name: GITEA__SESSION__PROVIDER value: file - name: GITEA__SESSION__COOKIE_SECURE value: "true" - name: GITEA__CRON__ENABLED value: "true" - name: GITEA__OAUTH2_CLIENT__ENABLE_AUTO_REGISTRATION value: "true" - name: GITEA__DATABASE__PASSWD valueFrom: secretKeyRef: name: gitea-secrets key: GITEA__DATABASE__PASSWD - name: GITEA__MAILER__PASSWD valueFrom: secretKeyRef: name: gitea-secrets key: GITEA__MAILER__PASSWD - name: GITEA__OAUTH2__JWT_SECRET valueFrom: secretKeyRef: name: gitea-secrets key: GITEA__OAUTH2__JWT_SECRET - name: GITEA__SECURITY__INTERNAL_TOKEN valueFrom: secretKeyRef: name: gitea-security-internal-token key: secret - name: GITEA__SECURITY__SECRET_KEY valueFrom: secretKeyRef: name: gitea-security-secret-key key: secret ports: - containerPort: 8080 name: http - containerPort: 3000 name: https - containerPort: 2222 name: ssh volumeMounts: - mountPath: /tmp name: tmp - mountPath: /etc/gitea name: etc - mountPath: /cert name: cert - mountPath: /var/lib/gitea name: data volumes: - name: tmp emptyDir: {} - name: etc emptyDir: {} - name: cert secret: secretName: git-tls volumeClaimTemplates: - metadata: name: data spec: accessModes: - ReadWriteOnce storageClassName: gitea resources: requests: storage: 10Gi --- apiVersion: v1 kind: Service metadata: name: gitea namespace: gitea annotations: external-dns.alpha.kubernetes.io/hostname: git.k-space.ee spec: type: LoadBalancer externalTrafficPolicy: Local selector: app.kubernetes.io/name: gitea ports: - port: 22 name: ssh targetPort: 2222 - port: 80 name: http targetPort: 8080 - port: 443 name: https targetPort: 3000 sessionAffinity: ClientIP