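# services/gitea/oidc-job.yaml
#
# One-shot Job that registers (or updates) the "keycloak" OpenID Connect
# authentication source in Gitea, using the `gitea admin auth` CLI against the
# same app.ini / data volume the running server uses.
#
# Security notes for operators and reviewers:
#   * The client secret comes from the `gitea-oidc` Secret and is passed to the
#     gitea CLI as a command-line flag (the CLI has no stdin/file alternative),
#     so it is visible in /proc/<pid>/cmdline inside this container while the
#     command runs. Nothing here echoes it (`set -x` is deliberately not used);
#     do not add sidecars or debug tracing to this pod.
#   * `--admin-group admin` makes every IdP user whose `groups` claim contains
#     "admin" a Gitea site administrator. Membership of that IdP group is
#     therefore equivalent to Gitea root and must be guarded as such.
#   * `--skip-local-2fa` turns off Gitea's own second factor for accounts that
#     authenticate through this source; MFA then rests entirely on the IdP.
---
apiVersion: batch/v1
kind: Job
metadata:
  name: gitea-oidc-bootstrap
  namespace: gitea
spec:
  # Placeholder document: Job pod templates are immutable, so the intent is to
  # delete and recreate the Job whenever the manifest changes.
  # NOTE(review): an empty template is rejected by the API server
  # (spec.template.spec.containers is required) unless the deploy tool treats
  # this document specially. If it does not, drop this document and run
  # `kubectl delete job -n gitea gitea-oidc-bootstrap --ignore-not-found`
  # before applying instead.
  template: {}
---
apiVersion: batch/v1
kind: Job
metadata:
  name: gitea-oidc-bootstrap
  namespace: gitea
spec:
  # Finished pods (and their logs) are garbage-collected after 30 minutes.
  ttlSecondsAfterFinished: 1800
  # A single retry: a persistent failure should surface rather than keep
  # re-running a process that carries the client secret in its argv.
  backoffLimit: 1
  template:
    metadata:
      labels:
        app: gitea
        job: gitea-oidc-bootstrap
    spec:
      # The Job only touches Gitea's own config/database, never the Kubernetes
      # API, so no service-account token needs to be mounted.
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      # Schedule next to the Gitea pod: the data PVC must be mountable here too,
      # which for a ReadWriteOnce volume means the same node.
      affinity:
        podAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app: gitea
              topologyKey: kubernetes.io/hostname
      restartPolicy: OnFailure
      volumes:
        - name: gitea-data
          persistentVolumeClaim:
            claimName: gitea-data
      containers:
        - name: gitea-oidc-bootstrap
          # NOTE(review): a floating minor tag. Pin to a digest
          # (gitea/gitea:1.23@sha256:...) so the binary that receives the
          # client secret cannot change underneath this manifest.
          image: gitea/gitea:1.23
          imagePullPolicy: IfNotPresent
          # The CLI needs no capabilities; drop them all and forbid escalation.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: gitea-data
              mountPath: /data
          env:
            - name: CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: gitea-oidc
                  key: client_id
            - name: CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: gitea-oidc
                  key: client_secret
            - name: DISCOVERY_URL
              valueFrom:
                secretKeyRef:
                  name: gitea-oidc
                  key: openid_auto_discovery_url
          command:
            - /bin/bash
            - -c
            - |
              # -u also aborts if any of the three secret-backed variables is
              # missing. Never add -x here: it would log CLIENT_SECRET.
              set -euo pipefail
              APPINI=/data/gitea/conf/app.ini
              BIN=/usr/local/bin/gitea

              # NOTE(review): if Gitea is configured with SQLite, running the
              # CLI while the server is up may contend for the database lock.

              # Find an existing source named "keycloak". `admin auth list`
              # prints one row per source with the name in the second column.
              list="$("$BIN" -c "$APPINI" admin auth list)"
              id=$(echo "$list" | awk '$2=="keycloak"{print $1}')

              # More than one match would turn --id into a multi-line value;
              # refuse rather than update an arbitrary source.
              if [ "$(echo "$id" | wc -l)" -gt 1 ]; then
                echo "Refusing to continue: multiple auth sources named 'keycloak'" >&2
                exit 1
              fi

              # Flags shared by create and update so the two paths cannot drift.
              # NOTE(review): Gitea parses --scopes by splitting on ","; the
              # space-separated value below is passed through as written —
              # confirm against the IdP's logs which scopes are requested.
              common=(
                --name keycloak
                --provider openidConnect
                --key "$CLIENT_ID"
                --secret "$CLIENT_SECRET"
                --auto-discover-url "$DISCOVERY_URL"
                --scopes "openid profile email"
                --group-claim-name groups
                --admin-group admin
                --skip-local-2fa
              )

              if [ -n "$id" ]; then
                echo "Updating existing auth source id=$id"
                "$BIN" -c "$APPINI" admin auth update-oauth --id "$id" "${common[@]}"
              else
                echo "Creating keycloak auth source"
                "$BIN" -c "$APPINI" admin auth add-oauth "${common[@]}"
              fi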