fix(gitea): inline vault secrets

2026-01-14 03:11:53 -03:00 · 2026-01-14 03:11:53 -03:00 · bb2a3ba904
commit bb2a3ba904
parent 3384533acd
3 changed files with 12 additions and 33 deletions
--- a/services/gitea/deployment.yaml
+++ b/services/gitea/deployment.yaml
@ -33,7 +33,9 @@ spec:
            - -c
            - |
              set -euo pipefail
-              . /vault/scripts/gitea_vault_env.sh
+              CLIENT_ID="$(cat /vault/secrets/gitea-oidc__client_id)"
+              CLIENT_SECRET="$(cat /vault/secrets/gitea-oidc__client_secret)"
+              DISCOVERY_URL="$(cat /vault/secrets/gitea-oidc__openid_auto_discovery_url)"
              APPINI=/data/gitea/conf/app.ini
              BIN=/usr/local/bin/gitea

@ -76,9 +78,6 @@ spec:
            - name: vault-secrets
              mountPath: /vault/secrets
              readOnly: true
-            - name: vault-scripts
-              mountPath: /vault/scripts
-              readOnly: true
      nodeSelector:
        node-role.kubernetes.io/worker: "true"
      affinity:
@ -101,9 +100,12 @@ spec:
          image: gitea/gitea:1.23
          command: ["/bin/sh", "-c"]
          args:
-            - >-
-              . /vault/scripts/gitea_vault_env.sh
-              && exec /usr/bin/entrypoint /usr/bin/s6-svscan /etc/s6
+            - |
+              set -euo pipefail
+              export GITEA__security__SECRET_KEY="$(cat /vault/secrets/gitea-secret__SECRET_KEY)"
+              export GITEA__security__INTERNAL_TOKEN="$(cat /vault/secrets/gitea-secret__INTERNAL_TOKEN)"
+              export DB_PASS="$(cat /vault/secrets/gitea-db-secret__password)"
+              exec /usr/bin/entrypoint /usr/bin/s6-svscan /etc/s6
          ports:
            - containerPort: 3000
              name: http
@ -155,6 +157,9 @@ spec:
          volumeMounts:
            - name: gitea-data
              mountPath: /data
+            - name: vault-secrets
+              mountPath: /vault/secrets
+              readOnly: true
      volumes:
        - name: gitea-data
          persistentVolumeClaim:
@ -165,7 +170,3 @@ spec:
            readOnly: true
            volumeAttributes:
              secretProviderClass: gitea-vault
-        - name: vault-scripts
-          configMap:
-            name: gitea-vault-env
-            defaultMode: 0555
--- a/services/gitea/kustomization.yaml
+++ b/services/gitea/kustomization.yaml
@ -9,10 +9,3 @@ resources:
  - deployment.yaml
  - service.yaml
  - ingress.yaml
-configMapGenerator:
-  - name: gitea-vault-env
-    namespace: gitea
-    files:
-      - gitea_vault_env.sh=scripts/gitea_vault_env.sh
-    options:
-      disableNameSuffixHash: true
--- a/services/gitea/scripts/gitea_vault_env.sh
+++ b/services/gitea/scripts/gitea_vault_env.sh
@ -1,15 +0,0 @@
-#!/usr/bin/env sh
-set -eu
-
-vault_dir="/vault/secrets"
-
-read_secret() {
-  cat "${vault_dir}/$1"
-}
-
-export GITEA__security__SECRET_KEY="$(read_secret gitea-secret__SECRET_KEY)"
-export GITEA__security__INTERNAL_TOKEN="$(read_secret gitea-secret__INTERNAL_TOKEN)"
-export DB_PASS="$(read_secret gitea-db-secret__password)"
-export CLIENT_ID="$(read_secret gitea-oidc__client_id)"
-export CLIENT_SECRET="$(read_secret gitea-oidc__client_secret)"
-export DISCOVERY_URL="$(read_secret gitea-oidc__openid_auto_discovery_url)"