titan-iac/services/gitea/deployment.yaml


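# services/gitea/deployment.yaml
#
# Gitea with Keycloak as the OIDC provider. Every secret used here is
# delivered at runtime by the secrets-store CSI driver (SecretProviderClass
# gitea-vault) as files under /vault/secrets and read by the container
# scripts below; nothing secret is embedded in this manifest.
#
# Not defined in this manifest: resources (requests/limits), readiness and
# liveness probes, and a securityContext for the main container.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gitea
  namespace: gitea
  labels:
    app: gitea
spec:
  # Single replica: gitea-data is a single PVC that one pod writes to.
  replicas: 1
  selector:
    matchLabels:
      app: gitea
  strategy:
    type: RollingUpdate
    rollingUpdate:
      # maxSurge 0 keeps a second pod from contending for the same PVC;
      # the trade-off is a short outage on every rollout.
      maxUnavailable: 1
      maxSurge: 0
  template:
    metadata:
      labels:
        app: gitea
    spec:
      # Service account the CSI provider authenticates to Vault with.
      serviceAccountName: gitea-vault
      initContainers:
        # Creates or updates the "keycloak" OAuth2 auth source from the
        # Vault-provided client credentials on every pod start, so the
        # client secret can be rotated in Vault without manual Gitea work.
        - name: configure-oidc
          image: gitea/gitea:1.23
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
          command:
            - /bin/sh
            - -c
            - |
              # Needs a shell with pipefail support (the image's busybox ash
              # has it — confirm if the base image changes).
              set -euo pipefail
              CLIENT_ID="$(cat /vault/secrets/gitea-oidc__client_id)"
              CLIENT_SECRET="$(cat /vault/secrets/gitea-oidc__client_secret)"
              DISCOVERY_URL="$(cat /vault/secrets/gitea-oidc__openid_auto_discovery_url)"
              # app.ini must already exist on the PVC (the main container's
              # entrypoint writes it); on a brand-new volume this step fails
              # under set -e and the pod will not start — TODO confirm.
              APPINI=/data/gitea/conf/app.ini
              BIN=/usr/local/bin/gitea
              # "admin auth list" prints one source per line; column 2 is
              # assumed to be the source name — verify against the CLI output.
              list="$($BIN -c "$APPINI" admin auth list)"
              id=$(echo "$list" | awk '$2=="keycloak"{print $1}')
              # NOTE(review): the client secret is passed as a CLI argument,
              # so it is readable from /proc inside this init container for
              # the lifetime of the command; the gitea CLI offers no
              # file-based alternative for --secret as far as this manifest
              # shows.
              if [ -n "$id" ]; then
                echo "Updating existing auth source id=$id"
                $BIN -c "$APPINI" admin auth update-oauth \
                  --id "$id" \
                  --name keycloak \
                  --provider openidConnect \
                  --key "$CLIENT_ID" \
                  --secret "$CLIENT_SECRET" \
                  --auto-discover-url "$DISCOVERY_URL" \
                  --scopes "openid profile email groups" \
                  --required-claim-name "" \
                  --required-claim-value "" \
                  --group-claim-name groups \
                  --admin-group admin \
                  --skip-local-2fa
              else
                echo "Creating keycloak auth source"
                $BIN -c "$APPINI" admin auth add-oauth \
                  --name keycloak \
                  --provider openidConnect \
                  --key "$CLIENT_ID" \
                  --secret "$CLIENT_SECRET" \
                  --auto-discover-url "$DISCOVERY_URL" \
                  --scopes "openid profile email groups" \
                  --required-claim-name "" \
                  --required-claim-value "" \
                  --group-claim-name groups \
                  --admin-group admin \
                  --skip-local-2fa
              fi
          volumeMounts:
            # Read-write: the CLI needs app.ini and the data directory.
            - name: gitea-data
              mountPath: /data
            - name: vault-secrets
              mountPath: /vault/secrets
              readOnly: true
      nodeSelector:
        node-role.kubernetes.io/worker: "true"
      affinity:
        nodeAffinity:
          # Hard requirement: ARM worker nodes labelled hardware=rpi4|rpi5;
          # soft preference for rpi4.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: hardware
                    operator: In
                    values: ["rpi4", "rpi5"]
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 50
              preference:
                matchExpressions:
                  - key: hardware
                    operator: In
                    values: ["rpi4"]
      containers:
        - name: gitea
          image: gitea/gitea:1.23
          # Wrapper shell: load secrets from the CSI mount into the
          # environment, then exec the image's normal entrypoint so PID 1
          # is s6 as in the stock image.
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -euo pipefail
              export GITEA__security__SECRET_KEY="$(cat /vault/secrets/gitea-secret__SECRET_KEY)"
              export GITEA__security__INTERNAL_TOKEN="$(cat /vault/secrets/gitea-secret__INTERNAL_TOKEN)"
              export DB_PASS="$(cat /vault/secrets/gitea-db-secret__password)"
              exec /usr/bin/entrypoint /usr/bin/s6-svscan /etc/s6
          ports:
            - containerPort: 3000
              name: http
            # Must match SSH_PORT below.
            - containerPort: 2242
              name: ssh
          env:
            # Consumed by the image entrypoint to pick the uid/gid the
            # gitea processes run as (presumably after starting as root —
            # no securityContext is set on this container).
            - name: USER_UID
              value: "1000"
            - name: USER_GID
              value: "1000"
            - name: DEFAULT_BRANCH
              value: "master"
            - name: ROOT_URL
              value: "https://scm.bstein.dev"
            # --- OIDC sign-in / registration policy ---
            - name: GITEA__service__ENABLE_OPENID_SIGNIN
              value: "true"
            - name: GITEA__oauth2_client__ENABLE_AUTO_REGISTRATION
              value: "true"
            # "auto" links an OIDC login to an existing local account on
            # matching e-mail without confirmation; this is only safe if
            # Keycloak guarantees verified e-mail addresses — confirm.
            - name: GITEA__oauth2_client__ACCOUNT_LINKING
              value: "auto"
            # Together: self-registration only through the external
            # (OIDC) provider, never via the local signup form.
            - name: GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION
              value: "true"
            - name: GITEA__service__DISABLE_REGISTRATION
              value: "false"
            # NOTE(review): trace is the most verbose level and may write
            # request details to the logs; consider "info" outside of
            # active debugging.
            - name: GITEA__log__LEVEL
              value: "trace"
            # Anonymous users may read public repositories.
            - name: GITEA__service__REQUIRE_SIGNIN_VIEW
              value: "false"
            # Trusts forwarded headers for scheme/host/client IP; this is
            # only sound when the pod is reachable solely through the
            # ingress that sets them (see [security]
            # REVERSE_PROXY_TRUSTED_PROXIES if that is not the case).
            - name: GITEA__server__PROXY_HEADERS
              value: "X-Forwarded-For, X-Forwarded-Proto, X-Forwarded-Host"
            - name: GITEA__session__COOKIE_SECURE
              value: "true"
            - name: GITEA__session__DOMAIN
              value: "scm.bstein.dev"
            - name: GITEA__session__SAME_SITE
              value: "lax"
            # --- database; DB_PASS is exported by the args script above ---
            - name: DB_TYPE
              value: "postgres"
            - name: DB_HOST
              value: "postgres-service.postgres.svc.cluster.local:5432"
            - name: DB_NAME
              value: "gitea"
            - name: DB_USER
              value: "gitea"
            # Built-in SSH server on the port exposed as "ssh" above.
            - name: START_SSH_SERVER
              value: "true"
            - name: SSH_PORT
              value: "2242"
          volumeMounts:
            - name: gitea-data
              mountPath: /data
            - name: vault-secrets
              mountPath: /vault/secrets
              readOnly: true
      volumes:
        - name: gitea-data
          persistentVolumeClaim:
            claimName: gitea-data
        # Secrets projected from Vault by the secrets-store CSI driver;
        # the file names under /vault/secrets are defined by the
        # SecretProviderClass, not here.
        - name: vault-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: gitea-vault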