From c8b89c312089c11694214436c381a8117c0a297a Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Sun, 14 Dec 2025 21:54:18 -0300
Subject: [PATCH] gitea: enforce keycloak auth source via init container

---
 services/gitea/deployment.yaml | 62 ++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)

diff --git a/services/gitea/deployment.yaml b/services/gitea/deployment.yaml
index 5f66347..f5b550e 100644
--- a/services/gitea/deployment.yaml
+++ b/services/gitea/deployment.yaml
@@ -21,6 +21,68 @@ spec:
 labels:
 app: gitea
 spec:
+ initContainers:
+ - name: configure-oidc
+ image: gitea/gitea:1.23
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ env:
+ - name: CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: gitea-oidc
+ key: client_id
+ - name: CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: gitea-oidc
+ key: client_secret
+ - name: DISCOVERY_URL
+ valueFrom:
+ secretKeyRef:
+ name: gitea-oidc
+ key: openid_auto_discovery_url
+ command:
+ - /bin/bash
+ - -c
+ - |
+ set -euo pipefail
+ APPINI=/data/gitea/conf/app.ini
+ BIN=/usr/local/bin/gitea
+
+ list="$($BIN -c "$APPINI" admin auth list)"
+ id=$(echo "$list" | awk '$2=="keycloak"{print $1}')
+
+ if [ -n "$id" ]; then
+ echo "Updating existing auth source id=$id"
+ $BIN -c "$APPINI" admin auth update-oauth \
+ --id "$id" \
+ --name keycloak \
+ --provider openidConnect \
+ --key "$CLIENT_ID" \
+ --secret "$CLIENT_SECRET" \
+ --auto-discover-url "$DISCOVERY_URL" \
+ --scopes "openid profile email" \
+ --group-claim-name groups \
+ --admin-group admin \
+ --skip-local-2fa
+ else
+ echo "Creating keycloak auth source"
+ $BIN -c "$APPINI" admin auth add-oauth \
+ --name keycloak \
+ --provider openidConnect \
+ --key "$CLIENT_ID" \
+ --secret "$CLIENT_SECRET" \
+ --auto-discover-url "$DISCOVERY_URL" \
+ --scopes "openid profile email" \
+ --group-claim-name groups \
+ --admin-group admin \
+ --skip-local-2fa
+ fi
+ volumeMounts:
+ - name: gitea-data
+ mountPath: /data
 nodeSelector:
 node-role.kubernetes.io/worker: "true"
 affinity:
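Review bot: `--skip-local-2fa` is passed to both the `update-oauth` and the `add-oauth` call, so every account that signs in through this source bypasses Gitea's own second factor and its protection rests entirely on Keycloak's MFA policy, yet nothing in the script says so; add a comment above the `if`, e.g. `# --skip-local-2fa: MFA is enforced by Keycloak, not Gitea; keep the realm's MFA policy in sync`, and note likewise that `--admin-group admin` grants Gitea admin to anyone the IdP places in the `admin` group. The init container's securityContext only sets the UID/GID; the script needs no privileges, so `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` would cost nothing. With `set -euo pipefail` a failing `admin auth list` keeps the pod from starting, which is presumably the intended "enforce", but on a brand-new volume `/data/gitea/conf/app.ini` may not exist yet when this runs ahead of the main container's first start — worth confirming the bootstrap path. The init image is pinned to `gitea/gitea:1.23`; it should track the main container's image (outside this hunk) so the CLI and the database schema stay in step.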