# services/gitea/deployment.yaml
#
# Gitea deployment. An init container registers (or refreshes) the
# "keycloak" OpenID Connect auth source in app.ini before the main
# container starts; credentials come from a Vault-backed CSI volume via
# the gitea_vault_env.sh helper (contents not visible in this file).
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gitea
  namespace: gitea
  labels:
    app: gitea
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gitea
  strategy:
    type: RollingUpdate
    rollingUpdate:
      # With one replica and maxSurge 0 the old pod is stopped before the
      # new one is scheduled; presumably because gitea-data is a
      # single-writer PVC — confirm.
      maxUnavailable: 1
      maxSurge: 0
  template:
    metadata:
      labels:
        app: gitea
    spec:
      serviceAccountName: gitea-vault
      initContainers:
        - name: configure-oidc
          image: gitea/gitea:1.23
          securityContext:
            # Runs as the gitea user so files touched under /data keep
            # the ownership the main container expects.
            runAsUser: 1000
            runAsGroup: 1000
          command:
            - /bin/sh
            - -c
            # Assumes app.ini already exists on the PVC (initial
            # bootstrap is done by the main container's entrypoint) —
            # TODO confirm first-deploy behaviour.
            # CLIENT_ID, CLIENT_SECRET and DISCOVERY_URL are expected to
            # be exported by gitea_vault_env.sh; not visible here.
            - |
              set -euo pipefail
              . /vault/scripts/gitea_vault_env.sh

              APPINI=/data/gitea/conf/app.ini
              BIN=/usr/local/bin/gitea

              # Run "admin auth <subcommand> [subcommand-args]" with the
              # shared OIDC settings appended. Flag order is irrelevant to
              # the gitea CLI, so update-oauth's --id may precede --name.
              #   --group-claim-name/--admin-group: members of the IdP
              #     group "admin" get Gitea site-admin on login.
              #   --skip-local-2fa: Gitea's own 2FA is bypassed for this
              #     provider; MFA is presumably enforced by Keycloak.
              apply_oidc() {
                "$BIN" -c "$APPINI" admin auth "$@" \
                  --name keycloak \
                  --provider openidConnect \
                  --key "$CLIENT_ID" \
                  --secret "$CLIENT_SECRET" \
                  --auto-discover-url "$DISCOVERY_URL" \
                  --scopes "openid profile email groups" \
                  --required-claim-name "" \
                  --required-claim-value "" \
                  --group-claim-name groups \
                  --admin-group admin \
                  --skip-local-2fa
              }

              # Second column of "admin auth list" is the source name;
              # first is its numeric id (empty when no such source yet).
              id=$("$BIN" -c "$APPINI" admin auth list | awk '$2=="keycloak"{print $1}')

              if [ -z "$id" ]; then
                echo "Creating keycloak auth source"
                apply_oidc add-oauth
              else
                echo "Updating existing auth source id=$id"
                apply_oidc update-oauth --id "$id"
              fi
          volumeMounts:
            - name: gitea-data
              mountPath: /data
            - name: vault-secrets
              mountPath: /vault/secrets
              readOnly: true
            - name: vault-scripts
              mountPath: /vault/scripts
              readOnly: true
      nodeSelector:
        node-role.kubernetes.io/worker: "true"
      affinity:
        nodeAffinity:
          # Must land on an rpi4/rpi5 node; rpi4 preferred.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: hardware
                    operator: In
                    values: ["rpi4", "rpi5"]
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 50
              preference:
                matchExpressions:
                  - key: hardware
                    operator: In
                    values: ["rpi4"]
      containers:
        - name: gitea
          image: gitea/gitea:1.23
          # No securityContext here: the stock (non-rootless) image's
          # entrypoint presumably needs root to chown /data and drop to
          # USER_UID via s6 — confirm before hardening.
          command: ["/bin/sh", "-c"]
          args:
            - >-
              . /vault/scripts/gitea_vault_env.sh &&
              exec /usr/bin/entrypoint /usr/bin/s6-svscan /etc/s6
          ports:
            - containerPort: 3000
              name: http
            - containerPort: 2242
              name: ssh
          env:
            - name: USER_UID
              value: "1000"
            - name: USER_GID
              value: "1000"
            - name: DEFAULT_BRANCH
              value: "master"
            - name: ROOT_URL
              value: "https://scm.bstein.dev"
            # --- sign-in / registration: OIDC-only accounts -------------
            - name: GITEA__service__ENABLE_OPENID_SIGNIN
              value: "true"
            - name: GITEA__oauth2_client__ENABLE_AUTO_REGISTRATION
              value: "true"
            # "auto" links an OIDC login to an existing local account by
            # matching e-mail; only safe if Keycloak guarantees verified
            # e-mail addresses — confirm.
            - name: GITEA__oauth2_client__ACCOUNT_LINKING
              value: "auto"
            - name: GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION
              value: "true"
            - name: GITEA__service__DISABLE_REGISTRATION
              value: "false"
            # NOTE(review): trace is the most verbose level and can record
            # request details; consider lowering once OIDC debugging is done.
            - name: GITEA__log__LEVEL
              value: "trace"
            - name: GITEA__service__REQUIRE_SIGNIN_VIEW
              value: "false"
            # NOTE(review): confirm Gitea 1.23 honours this key; trust in
            # forwarded headers is normally scoped with
            # [security] REVERSE_PROXY_TRUSTED_PROXIES so clients behind
            # the ingress cannot spoof their source address.
            - name: GITEA__server__PROXY_HEADERS
              value: "X-Forwarded-For, X-Forwarded-Proto, X-Forwarded-Host"
            # --- session cookies -----------------------------------------
            - name: GITEA__session__COOKIE_SECURE
              value: "true"
            - name: GITEA__session__DOMAIN
              value: "scm.bstein.dev"
            - name: GITEA__session__SAME_SITE
              value: "lax"
            # --- database (password expected from gitea_vault_env.sh) ---
            - name: DB_TYPE
              value: "postgres"
            - name: DB_HOST
              value: "postgres-service.postgres.svc.cluster.local:5432"
            - name: DB_NAME
              value: "gitea"
            - name: DB_USER
              value: "gitea"
            # --- built-in SSH server on the non-default port 2242 -------
            - name: START_SSH_SERVER
              value: "true"
            - name: SSH_PORT
              value: "2242"
          volumeMounts:
            - name: gitea-data
              mountPath: /data
      volumes:
        - name: gitea-data
          persistentVolumeClaim:
            claimName: gitea-data
        # Secrets are projected read-only from Vault via the CSI driver.
        - name: vault-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: gitea-vault
        - name: vault-scripts
          configMap:
            name: gitea-vault-env
            # r-x for everyone; the leading zero is read as octal (365)
            # by the YAML 1.1 parser kubectl and the API server use.
            defaultMode: 0555