bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

gitea: enforce keycloak auth source via init container

Browse Source
This commit is contained in:
Brad Stein 2025-12-14 21:54:18 -03:00
parent 9b994111cb
commit c8b89c3120
1 changed files with 62 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
services/gitea/deployment.yaml
View File

@ -21,6 +21,68 @@ spec:
labels: labels:
app: gitea app: gitea
spec: spec:
initContainers:
- name: configure-oidc
image: gitea/gitea:1.23
securityContext:
runAsUser: 1000
runAsGroup: 1000
env:
- name: CLIENT_ID
valueFrom:
secretKeyRef:
name: gitea-oidc
key: client_id
- name: CLIENT_SECRET
valueFrom:
secretKeyRef:
name: gitea-oidc
key: client_secret
- name: DISCOVERY_URL
valueFrom:
secretKeyRef:
name: gitea-oidc
key: openid_auto_discovery_url
command:
- /bin/bash
- -c
- |
set -euo pipefail
APPINI=/data/gitea/conf/app.ini
BIN=/usr/local/bin/gitea
list="$($BIN -c "$APPINI" admin auth list)"
id=$(echo "$list" | awk '$2=="keycloak"{print $1}')
if [ -n "$id" ]; then
echo "Updating existing auth source id=$id"
$BIN -c "$APPINI" admin auth update-oauth \
--id "$id" \
--name keycloak \
--provider openidConnect \
--key "$CLIENT_ID" \
--secret "$CLIENT_SECRET" \
--auto-discover-url "$DISCOVERY_URL" \
--scopes "openid profile email" \
--group-claim-name groups \
--admin-group admin \
--skip-local-2fa
else
echo "Creating keycloak auth source"
$BIN -c "$APPINI" admin auth add-oauth \
--name keycloak \
--provider openidConnect \
--key "$CLIENT_ID" \
--secret "$CLIENT_SECRET" \
--auto-discover-url "$DISCOVERY_URL" \
--scopes "openid profile email" \
--group-claim-name groups \
--admin-group admin \
--skip-local-2fa
fi
volumeMounts:
- name: gitea-data
mountPath: /data
nodeSelector: nodeSelector:
node-role.kubernetes.io/worker: "true" node-role.kubernetes.io/worker: "true"
affinity: affinity: