# services/gitea/deployment.yaml
#
# Gitea Deployment: one pod backed by the gitea-data PVC, with an init
# container that registers the "keycloak" OIDC login source through the
# Gitea CLI before the server comes up.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gitea
  namespace: gitea
  labels:
    app: gitea
spec:
  # A single replica with maxSurge 0: the pod is replaced in place rather
  # than run alongside its successor while both would mount gitea-data.
  replicas: 1
  selector:
    matchLabels:
      app: gitea
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
      maxSurge: 0
  template:
    metadata:
      labels:
        app: gitea
    spec:
      initContainers:
        # Creates the keycloak auth source on first run and updates it on
        # every later start, so rotated OIDC credentials in the gitea-oidc
        # Secret are picked up without manual steps.
        - name: configure-oidc
          # NOTE(review): a minor-version tag floats across patch releases;
          # pinning the image by digest would make rollouts reproducible.
          image: gitea/gitea:1.23
          # Runs as 1000:1000, matching USER_UID/USER_GID of the main container.
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
          # OIDC client credentials and discovery URL come from the gitea-oidc
          # Secret; they are handed to the CLI as flags (visible in the init
          # container's own process list while it runs).
          env:
            - name: CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: gitea-oidc
                  key: client_id
            - name: CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: gitea-oidc
                  key: client_secret
            - name: DISCOVERY_URL
              valueFrom:
                secretKeyRef:
                  name: gitea-oidc
                  key: openid_auto_discovery_url
          # NOTE(review): the script reads /data/gitea/conf/app.ini from the
          # PVC; presumably that file already exists there — confirm what
          # happens on a fresh volume before the main container has written it.
          command:
            - /bin/bash
            - -c
            - |
              set -euo pipefail
              APPINI=/data/gitea/conf/app.ini
              BIN=/usr/local/bin/gitea
              sources="$($BIN -c "$APPINI" admin auth list)"
              source_id=$(echo "$sources" | awk '$2=="keycloak"{print $1}')
              oauth_args=(
                --name keycloak
                --provider openidConnect
                --key "$CLIENT_ID"
                --secret "$CLIENT_SECRET"
                --auto-discover-url "$DISCOVERY_URL"
                --scopes "openid profile email"
                --group-claim-name groups
                --admin-group admin
                --skip-local-2fa
              )
              if [ -n "$source_id" ]; then
                echo "Updating existing auth source id=$source_id"
                $BIN -c "$APPINI" admin auth update-oauth --id "$source_id" "${oauth_args[@]}"
              else
                echo "Creating keycloak auth source"
                $BIN -c "$APPINI" admin auth add-oauth "${oauth_args[@]}"
              fi
          volumeMounts:
            - name: gitea-data
              mountPath: /data
      nodeSelector:
        node-role.kubernetes.io/worker: "true"
      # Must land on an rpi4 or rpi5 node; rpi4 is preferred when available.
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: hardware
                    operator: In
                    values:
                      - rpi4
                      - rpi5
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 50
              preference:
                matchExpressions:
                  - key: hardware
                    operator: In
                    values:
                      - rpi4
      containers:
        # NOTE(review): this container sets no securityContext, resources or
        # probes; those are worth adding once the entrypoint's requirements
        # are confirmed.
        - name: gitea
          image: gitea/gitea:1.23
          ports:
            - containerPort: 3000
              name: http
            # Built-in SSH server (START_SSH_SERVER) listening on SSH_PORT.
            - containerPort: 2242
              name: ssh
          env:
            - name: USER_UID
              value: "1000"
            - name: USER_GID
              value: "1000"
            - name: DEFAULT_BRANCH
              value: "master"
            - name: ROOT_URL
              value: "https://scm.bstein.dev"
            # Sign-in is via OpenID; local registration is closed while
            # external (OIDC) registration stays enabled.
            - name: GITEA__service__ENABLE_OPENID_SIGNIN
              value: "true"
            - name: GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION
              value: "true"
            - name: GITEA__service__DISABLE_REGISTRATION
              value: "false"
            # NOTE(review): trace is the most verbose level and can record
            # request details; confirm it is intended outside debugging.
            - name: GITEA__log__LEVEL
              value: "trace"
            # Anonymous users may browse without signing in.
            - name: GITEA__service__REQUIRE_SIGNIN_VIEW
              value: "false"
            # Database connection; only the password comes from a Secret.
            - name: DB_TYPE
              value: "postgres"
            - name: DB_HOST
              value: "postgres-service.postgres.svc.cluster.local:5432"
            - name: DB_NAME
              value: "gitea"
            - name: DB_USER
              value: "gitea"
            - name: DB_PASS
              valueFrom:
                secretKeyRef:
                  name: gitea-db-secret
                  key: password
            - name: START_SSH_SERVER
              value: "true"
            - name: SSH_PORT
              value: "2242"
          volumeMounts:
            - name: gitea-data
              mountPath: /data
      volumes:
        - name: gitea-data
          persistentVolumeClaim:
            claimName: gitea-data