From bb2a3ba904bbc23d1e4e587ba64c410176df972b Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Wed, 14 Jan 2026 03:11:53 -0300
Subject: [PATCH] fix(gitea): inline vault secrets
---
 services/gitea/deployment.yaml | 23 ++++++++++++-----------
 services/gitea/kustomization.yaml | 7 -------
 services/gitea/scripts/gitea_vault_env.sh | 15 ---------------
 3 files changed, 12 insertions(+), 33 deletions(-)
 delete mode 100644 services/gitea/scripts/gitea_vault_env.sh
diff --git a/services/gitea/deployment.yaml b/services/gitea/deployment.yaml
index 83bd144..4fa1ecb 100644
--- a/services/gitea/deployment.yaml
+++ b/services/gitea/deployment.yaml
@@ -33,7 +33,9 @@ spec:
  - -c
  - |
  set -euo pipefail
- . /vault/scripts/gitea_vault_env.sh
+ CLIENT_ID="$(cat /vault/secrets/gitea-oidc__client_id)"
+ CLIENT_SECRET="$(cat /vault/secrets/gitea-oidc__client_secret)"
+ DISCOVERY_URL="$(cat /vault/secrets/gitea-oidc__openid_auto_discovery_url)"
  APPINI=/data/gitea/conf/app.ini
  BIN=/usr/local/bin/gitea
 
@@ -76,9 +78,6 @@ spec:
  - name: vault-secrets
  mountPath: /vault/secrets
  readOnly: true
- - name: vault-scripts
- mountPath: /vault/scripts
- readOnly: true
  nodeSelector:
  node-role.kubernetes.io/worker: "true"
  affinity:
@@ -101,9 +100,12 @@ spec:
  image: gitea/gitea:1.23
  command: ["/bin/sh", "-c"]
  args:
- - >-
- . /vault/scripts/gitea_vault_env.sh
- && exec /usr/bin/entrypoint /usr/bin/s6-svscan /etc/s6
+ - |
+ set -euo pipefail
+ export GITEA__security__SECRET_KEY="$(cat /vault/secrets/gitea-secret__SECRET_KEY)"
+ export GITEA__security__INTERNAL_TOKEN="$(cat /vault/secrets/gitea-secret__INTERNAL_TOKEN)"
+ export DB_PASS="$(cat /vault/secrets/gitea-db-secret__password)"
+ exec /usr/bin/entrypoint /usr/bin/s6-svscan /etc/s6
  ports:
  - containerPort: 3000
  name: http
@@ -155,6 +157,9 @@ spec:
  volumeMounts:
  - name: gitea-data
  mountPath: /data
+ - name: vault-secrets
+ mountPath: /vault/secrets
+ readOnly: true
  volumes:
  - name: gitea-data
  persistentVolumeClaim:
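Review bot: The three assignments added after `set -euo pipefail` in the init-container script (hunk at `@@ -33,7 +33,9 @@`) are not exported, whereas the deleted `gitea_vault_env.sh` exported `CLIENT_ID`, `CLIENT_SECRET` and `DISCOVERY_URL`; the rest of that script lies outside the hunk, so this is fine only if it consumes them as `"$CLIENT_ID"`-style expansions on the `$BIN` command line, and anything that reads them from a child process's environment would now see them unset. If such a consumer exists, add `export CLIENT_ID CLIENT_SECRET DISCOVERY_URL` directly after the three reads. The plain `VAR="$(cat …)"` form chosen here is otherwise the right one: under `set -e` a missing or unreadable secret file aborts the init container rather than continuing with an empty OIDC client secret.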
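Review bot: In the new main-container script (hunk at `@@ -101,9 +100,12 @@`), `export GITEA__security__SECRET_KEY="$(cat …)"` and the two `export` lines after it report the exit status of `export`, not of `cat`, so `set -euo pipefail` does not stop the container when a secret file is missing or unreadable and Gitea is exec'd with an empty `SECRET_KEY`, `INTERNAL_TOKEN` or `DB_PASS` in its environment (the shellcheck SC2155 pattern; the deleted script had the same weakness, but this is the code that now ships). Assign first, then export, and refuse an empty value explicitly so an empty file from the CSI mount is also caught. It is also worth a one-line comment in the manifest that these values are passed through the environment of the `exec`'d entrypoint and therefore inherited by every process s6 supervises; presumably that is the intended contract, but it should be stated.
```yaml
- |
  set -euo pipefail
  # Read into plain variables first: with `export VAR="$(cat …)"` the
  # exit status of cat is masked by export and set -e never fires.
  SECRET_KEY="$(cat /vault/secrets/gitea-secret__SECRET_KEY)"
  INTERNAL_TOKEN="$(cat /vault/secrets/gitea-secret__INTERNAL_TOKEN)"
  DB_PASS="$(cat /vault/secrets/gitea-db-secret__password)"
  # An empty secret file must not become an empty key.
  : "${SECRET_KEY:?empty}" "${INTERNAL_TOKEN:?empty}" "${DB_PASS:?empty}"
  export GITEA__security__SECRET_KEY="$SECRET_KEY"
  export GITEA__security__INTERNAL_TOKEN="$INTERNAL_TOKEN"
  export DB_PASS
  exec /usr/bin/entrypoint /usr/bin/s6-svscan /etc/s6
```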
@@ -165,7 +170,3 @@ spec:
  readOnly: true
  volumeAttributes:
  secretProviderClass: gitea-vault
- - name: vault-scripts
- configMap:
- name: gitea-vault-env
- defaultMode: 0555
diff --git a/services/gitea/kustomization.yaml b/services/gitea/kustomization.yaml
index 466e6ce..84a1b64 100644
--- a/services/gitea/kustomization.yaml
+++ b/services/gitea/kustomization.yaml
@@ -9,10 +9,3 @@ resources:
  - deployment.yaml
  - service.yaml
  - ingress.yaml
-configMapGenerator:
- - name: gitea-vault-env
- namespace: gitea
- files:
- - gitea_vault_env.sh=scripts/gitea_vault_env.sh
- options:
- disableNameSuffixHash: true
diff --git a/services/gitea/scripts/gitea_vault_env.sh b/services/gitea/scripts/gitea_vault_env.sh
deleted file mode 100644
index 0e4c4a8..0000000
--- a/services/gitea/scripts/gitea_vault_env.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/usr/bin/env sh
-set -eu
-
-vault_dir="/vault/secrets"
-
-read_secret() {
- cat "${vault_dir}/$1"
-}
-
-export GITEA__security__SECRET_KEY="$(read_secret gitea-secret__SECRET_KEY)"
-export GITEA__security__INTERNAL_TOKEN="$(read_secret gitea-secret__INTERNAL_TOKEN)"
-export DB_PASS="$(read_secret gitea-db-secret__password)"
-export CLIENT_ID="$(read_secret gitea-oidc__client_id)"
-export CLIENT_SECRET="$(read_secret gitea-oidc__client_secret)"
-export DISCOVERY_URL="$(read_secret gitea-oidc__openid_auto_discovery_url)"