fix(gitea): inline vault secrets

This commit is contained in:
Brad Stein 2026-01-14 03:11:53 -03:00
parent 3384533acd
commit bb2a3ba904
3 changed files with 12 additions and 33 deletions


@ -33,7 +33,9 @@ spec:
- -c - -c
- | - |
set -euo pipefail set -euo pipefail
. /vault/scripts/gitea_vault_env.sh CLIENT_ID="$(cat /vault/secrets/gitea-oidc__client_id)"
CLIENT_SECRET="$(cat /vault/secrets/gitea-oidc__client_secret)"
DISCOVERY_URL="$(cat /vault/secrets/gitea-oidc__openid_auto_discovery_url)"
APPINI=/data/gitea/conf/app.ini APPINI=/data/gitea/conf/app.ini
BIN=/usr/local/bin/gitea BIN=/usr/local/bin/gitea
@ -76,9 +78,6 @@ spec:
- name: vault-secrets - name: vault-secrets
mountPath: /vault/secrets mountPath: /vault/secrets
readOnly: true readOnly: true
- name: vault-scripts
mountPath: /vault/scripts
readOnly: true
nodeSelector: nodeSelector:
node-role.kubernetes.io/worker: "true" node-role.kubernetes.io/worker: "true"
affinity: affinity:
@ -101,9 +100,12 @@ spec:
image: gitea/gitea:1.23 image: gitea/gitea:1.23
command: ["/bin/sh", "-c"] command: ["/bin/sh", "-c"]
args: args:
- >- - |
. /vault/scripts/gitea_vault_env.sh set -euo pipefail
&& exec /usr/bin/entrypoint /usr/bin/s6-svscan /etc/s6 export GITEA__security__SECRET_KEY="$(cat /vault/secrets/gitea-secret__SECRET_KEY)"
export GITEA__security__INTERNAL_TOKEN="$(cat /vault/secrets/gitea-secret__INTERNAL_TOKEN)"
export DB_PASS="$(cat /vault/secrets/gitea-db-secret__password)"
exec /usr/bin/entrypoint /usr/bin/s6-svscan /etc/s6
ports: ports:
- containerPort: 3000 - containerPort: 3000
name: http name: http
@ -155,6 +157,9 @@ spec:
volumeMounts: volumeMounts:
- name: gitea-data - name: gitea-data
mountPath: /data mountPath: /data
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
volumes: volumes:
- name: gitea-data - name: gitea-data
persistentVolumeClaim: persistentVolumeClaim:
@ -165,7 +170,3 @@ spec:
readOnly: true readOnly: true
volumeAttributes: volumeAttributes:
secretProviderClass: gitea-vault secretProviderClass: gitea-vault
- name: vault-scripts
configMap:
name: gitea-vault-env
defaultMode: 0555
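Review bot: In the main-container script, `export GITEA__security__SECRET_KEY="$(cat /vault/secrets/gitea-secret__SECRET_KEY)"` and the two exports after it are not protected by `set -euo pipefail`: the exit status of an `export VAR="$(...)"` line is that of `export`, not of the substituted `cat`, so a missing or unreadable secret file leaves the variable empty and the script still reaches `exec /usr/bin/entrypoint`, starting Gitea with an empty SECRET_KEY, INTERNAL_TOKEN or DB_PASS. The init-container hunk gets this right by using plain assignments (`CLIENT_ID="$(cat ...)"`), whose status is that of the substitution; the main container should assign first and export on a separate line, as below. The deleted gitea_vault_env.sh used the same `export VAR="$(...)"` form, so the gap is pre-existing rather than introduced here, but inlining is the moment to close it. The init-container script continues past its hunk, so the consumers of CLIENT_ID, CLIENT_SECRET and DISCOVERY_URL are not visible here.
```yaml
        - |
          set -euo pipefail
          GITEA__security__SECRET_KEY="$(cat /vault/secrets/gitea-secret__SECRET_KEY)"
          GITEA__security__INTERNAL_TOKEN="$(cat /vault/secrets/gitea-secret__INTERNAL_TOKEN)"
          DB_PASS="$(cat /vault/secrets/gitea-db-secret__password)"
          export GITEA__security__SECRET_KEY GITEA__security__INTERNAL_TOKEN DB_PASS
          exec /usr/bin/entrypoint /usr/bin/s6-svscan /etc/s6
```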


@ -9,10 +9,3 @@ resources:
- deployment.yaml - deployment.yaml
- service.yaml - service.yaml
- ingress.yaml - ingress.yaml
configMapGenerator:
- name: gitea-vault-env
namespace: gitea
files:
- gitea_vault_env.sh=scripts/gitea_vault_env.sh
options:
disableNameSuffixHash: true


@ -1,15 +0,0 @@
#!/usr/bin/env sh
set -eu
vault_dir="/vault/secrets"
read_secret() {
cat "${vault_dir}/$1"
}
export GITEA__security__SECRET_KEY="$(read_secret gitea-secret__SECRET_KEY)"
export GITEA__security__INTERNAL_TOKEN="$(read_secret gitea-secret__INTERNAL_TOKEN)"
export DB_PASS="$(read_secret gitea-db-secret__password)"
export CLIENT_ID="$(read_secret gitea-oidc__client_id)"
export CLIENT_SECRET="$(read_secret gitea-oidc__client_secret)"
export DISCOVERY_URL="$(read_secret gitea-oidc__openid_auto_discovery_url)"