fix gitea

cluster/apps/default/gitea/gitea-pv.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: gitea-pv
+  namespace: default
+  labels:
+    app.kubernetes.io/name: gitea-pv
+spec:
+  storageClassName: hostpath
+  persistentVolumeReclaimPolicy: Retain
+  capacity:
+    storage: 30Gi
+  accessModes:
+  - ReadWriteOnce
+  hostPath:
+    path: "/mnt/MainPool/Kubernetes/gitea"

cluster/apps/default/gitea/gitea-secret.sops.yaml

@@ -4,19 +4,16 @@ metadata:
     name: gitea-secret
     namespace: default
 stringData:
-    GITEA__database__DB_TYPE: ENC[AES256_GCM,data:CxKLDkwWDro=,iv:vMzk5XUyeiUog3uaNWQi3YKOpnhUTUbZLWi8aQe1GOI=,tag:cIa3sjnmZZeqf8RkHaHyCA==,type:str]
-    GITEA__database__HOST: ENC[AES256_GCM,data:SPy0h0kvhTMzbx7IhmOrOZ2RfVF0h2E4,iv:YvrmhhZfPGzjuuppfBumrKjQzGAwmScZ4Kv88bTRTa4=,tag:xnrGbDv0XwhYrCeJ3l+Cvg==,type:str]
-    GITEA__database__NAME: ENC[AES256_GCM,data:K1lM4P8=,iv:5sN41GkSZ4sPLwIyVjiy6JNm20WFq3qNYFZ1gWfqG/4=,tag:hBoBRIgae5QRoMirGgEWmg==,type:str]
-    GITEA__database__USER: ENC[AES256_GCM,data:aQvMk8Y=,iv:SaDZ5fWWbhu66BqYJ+KKs6/zMrdTDoDZvBQKd2IyLck=,tag:4z7jRIT158aUxaOmYWewAQ==,type:str]
-    GITEA__database__PASSWD: ENC[AES256_GCM,data:n6ywTKo/Eb8JU9/MBvwlbLxcPJp1VRRrMKniktMZjS4=,iv:c7DSl3ReYNWoRN2TPeGkxIUo/OXz7EtKr416nBtFUxA=,tag:zEf7GhN3RNkfbSn13WA1Yg==,type:str]
+    admin-password: ENC[AES256_GCM,data:IjukgfqqKKmFzOA=,iv:pbkG9/pRDveNksDJJU8ujje56xLTUFAFHDuaX2Te7yg=,tag:dMXUc4wQ1n6U0jmFmDdR9Q==,type:str]
+    db-password: ENC[AES256_GCM,data:V7tDCRPEbYrSLbgwZgU7yVOPh/kUH0cK4aFkmvEiFgI=,iv:u8dgHSPrIYY7kBjiWTEmgYnQzh157iPpC0d0j2KWOZ4=,tag:IbY2UumxQhANDF7lEcEEig==,type:str]
 sops:
     kms: []
     gcp_kms: []
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-04-27T23:49:11Z"
-    mac: ENC[AES256_GCM,data:tAs7ev9V8nwDlpUeYC6D79gpT2IztnIppycM3GSmiLwock9XrJilAyaahd+OdmLQXjEqqqOZjLKVCm67xf+3jiPFkmCsIfP9A0incrySEJBVsum9/7i3nbUTf2tJyhj7mlex33KG3Arsinx3oPfY1U5QykYBBLR6dEan69Vg6Fc=,iv:IrrJnQgpyGW6B2Nu2IKetT279/WRDU9yG/A6r+5gtXo=,tag:ZXdVSvVsP3IJECSCguSdVw==,type:str]
+    lastmodified: "2023-06-04T04:02:52Z"
+    mac: ENC[AES256_GCM,data:Rfp9jgDr4b35rwTmX9EfOGgPSdYGSwoK096cDz2MFFzp3akUyeRQposFJ/M1JtcYLseg+XCKCLNSd/yVxwhNGMcA+lF4kgHHXAZyjYGHqOuo4RaylaYuAavdFmC8LL0f0fUX3P5L1AHH1JuqW9EJK60/IxqxD1/d/qJdhwaLH7k=,iv:fwLlG5BsTf70IyeXkWfHwfB3phjJTLYLZoYWFMo6qJ4=,tag:ZJLMIGRW4OUKauvOyaO8AQ==,type:str]
     pgp:
         - created_at: "2023-04-07T01:57:22Z"
           enc: |

cluster/apps/default/gitea/gitea-sidecar-secret.sops.yaml

@@ -0,0 +1,64 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: gitea-sidecar-secret
+    namespace: default
+stringData:
+    GITHUB_USERNAME: ENC[AES256_GCM,data:SXCx5XDUwLQ=,iv:6X5UHnxR+TDTPyRXijZun4PMNzpKqjJRF4MRBlFIReg=,tag:9Kd4zvFW+wDUk6/8HMTvhQ==,type:str]
+    GITEA_URL: ENC[AES256_GCM,data:Bn6oR1biDoq6qxWMCPXGcWYO/ZGArNgY,iv:zriCzHEGvtRlh6CnVLPFzpzsfjkDvsHn65skToQIycE=,tag:N+KqSWOXr1AZ3ejXpXic7Q==,type:str]
+    GITEA_TOKEN: ENC[AES256_GCM,data:yycB4vt0vIiTL47ShrHdUoQJ65/fwvDNLlNnWx9fHAW7a6L3fH1e1Q==,iv:ba721yEtnG+BaLMZGOxou72UN8l2bSU9ouoxPDV1W2A=,tag:wgWIiPpKZoH7JRkm+ALe/Q==,type:str]
+    GITHUB_TOKEN: ENC[AES256_GCM,data:v+JZTunM9gdt86VS9ucaD0u8uNbJGZDIu8KftY5nuN0MehOpF/QYWw==,iv:NEo0+pElEbH4va/BBQw2BydkZFshzKDlWhY8lhcNd2I=,tag:FZtCX9DtbJ0VZ3COpvp5iQ==,type:str]
+    MIRROR_PRIVATE_REPOSITORIES: ENC[AES256_GCM,data:tl8JqA==,iv:oc0ryLDZW3FzUD2/Db51VOTjTAoaKDeh2QSfo4HgCF4=,tag:RhSv1KLk2BC1XMoRneeC9g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-06-03T18:05:43Z"
+    mac: ENC[AES256_GCM,data:MjqQ910pVYck69rTk7UrU5LQ0yCwypu/vnqdUzXnrJ5hTiEHlArFb/CxJNWiMIg/T3XNRPE2jIyxeDnlrDlH9JH/yyLYLuMw+bBrEgkjK/HIfZrJvVJMLXnFYne1SvINk0j5x7h0ubJYu5tUXmz2Aeskn/n9GhCO50NB1ok8GJk=,iv:c7OWJLL+tyVYeZarvjCOemAe/crrJVTnF7hqo02zPNs=,tag:gBtswvBP1sClhh47MrF3PA==,type:str]
+    pgp:
+        - created_at: "2023-06-03T18:05:43Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAzKleRwoSoixAQ//Sas6j7EYRheBkqGZtOCHezGHLk7hvY8iX0Lkm0X5g42M
+            orLdkS6kccStt27jgnxcllm6/++OuX1DLiOPdhM/H+3t3etBXOeFKp4yLZiVkttb
+            QnYgnV9EcuhU6g5GUro6gSzpsfZIxiDWyShb8Ha3aReqoR30Jtpaxtu82Q0oD7gQ
+            s6DwrjuYKsXRsv+s+0IwW5r/r3SPqwT4zLowwPbyakRp2cG8iI3d55rEPar5k652
+            4vqQaVlKMPgHx06IGUpkc2TdC1UM32jJsJdepe8KAySe1Tq2HOuOF5RLv6ukr/r6
+            7ENhUivTWRE/v0/kJi9r1tqyE0wNekTGGyluKKaWtgZFddhexFrwpDcqJRyBQjKO
+            p6T5RgrG5eerS49h8zO28Ars3q6oOYWg7RTTinVEZBu4wD5ZW/8rM8N4DtGPD3TB
+            FrwWjL3sVzyMCDXHCnjce0C2ZpGpRoqZh0pNchNCr9xIN/iiirubhXABmWcW6qwp
+            9tnIbgHLW3welq5g7zOTB1+EVVTJgQtSVUxQ8MhlYWsZisaP+WtHfRy6yeeczJwI
+            z6SrTGmfQQeJDj1ynwF+UrDAKt14wwbSZn0YzT9bC5qxynNalnxcJEnq/2Ga2mTN
+            t7LhFpyUzFD0ZA1lNZqzFVbjuiBwHV0RiMuuBfD1CvyHg6oOfvNqYYuhzzE6N0XU
+            aAEJAhAEP5hmq0w18dLqY+oay38ng8LUXOdOG/RJ20KvysEtlm+8d7k1cG6s81EQ
+            +B0CID587oPs3PUFK9yeo36bK5aa4n9vJku0R2fdh8LmHXAME2O216O3xKtpg3fq
+            5gEls4nY/Hni
+            =/eHH
+            -----END PGP MESSAGE-----
+          fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
+        - created_at: "2023-06-03T18:05:43Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4WLYkVpP8xtAQ//RjJU3Gy9CMFc0FZPBTfIx+3OJMwXjvGarpHgqmDdDiPE
+            8O6h6dANI/3xXhbkxbPfY3UD2RQtA2UHCbFORwsTiIOIdLoJaABAxRUyM0V+jRqb
+            Mp2NYT3CCdZ6CJryukZGnj9dVANlqQPap1pxN+n5r7b3RHXhb37ZHBXhghaF46RL
+            1i+do/AmQ1ElLuaxM5R+yCAJYCNNGHp7Xz7NEgHGejMGhLQuwPFpscfRpF7MkUgO
+            98eyC5gsdLSrRCRkB7lz6xm0O/WWyuoPH95GklvG7m4rpfP+C7ySQs3/kxJhVrmZ
+            1XOWw6WO17l66FziNlRMXEisyGipzQQ8OnZGXjgxH2ON0YRPq9rfqaEm2RMcMesZ
+            6RMqZPcX+up109D53GZkrz3OOQS6fFiBArWvO+8AgshoF844OYtl6FGA2ZHaZfx8
+            l6bgrXbE0q2ReFOewgmytbSQS5oH9qrCBp85kS/ulQvzAfav3YKDIDcCAo1jmNnm
+            jZQJ+bVutYq6HgQN2Xz5i0qKGPSRsu6OubCdGRD3dR6TwMkfMzEVDfAjPSw4lpL6
+            Ffbleq6Wq1+V0e2sB2I2+rV+VySVnd7f3P8NzSvQM2z5v2HPeOotVTFSml938moT
+            LrjdMc9vuTlKGb2idQOZ22hWq24UjYsolHknYXqMxjcirpEYQV5Pz7R0I0rAKVXU
+            aAEJAhANgdJ5tt7r5f2w+wm73enOn88vRjoo0ukN43C93ZqMXo83QCuFiwHT334Z
+            q3AtplABnicVogPicrtgfzZCZw74oHC8HG5ZK/BAU5gMyJu555MdMFXBlqwo+9g1
+            GDWhKPbYnh7u
+            =iyaG
+            -----END PGP MESSAGE-----
+          fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3

cluster/apps/default/gitea/helm-release.yaml

@@ -7,78 +7,86 @@ spec:
   interval: 5m
   chart:
     spec:
-      chart: app-template
-      version: 1.3.x
+      chart: gitea
+      version: 0.3.2
       sourceRef:
         kind: HelmRepository
-        name: bjws-charts
+        name: bitnami-charts
         namespace: flux-system
 
+  timeout: 5m
+
   values:
-    image:
-      repository: gitea/gitea
-      tag: 1.19.0
-
-    podLabels:
-      needsDatabase: "yes"
-      needsAuthentik: "yes"
-
-    env:
-      USER_UID: 1000
-      USER_GID: 1000
-
-    envFrom:
-      - secretRef:
-          name: gitea-secret
-
-    # Sidecar used for mirroring GitHub repos to gitea
-    sidecars:
-      mirror-to-gitea:
-        image: jaedle/mirror-to-gitea:latest
-        imagePullPolicy: Always
-        envFrom:
-        - secretRef:
-            name: gitea-sidecar-secret
-
-    service:
-      main:
-        ports:
-          http:
-            port: 3000
-
-      ssh:
-        enabled: true
-        type: NodePort
-        ports:
-          ssh:
-            enabled: true
-            port: 22
-            protocol: TCP
-            nodePort: 30022
-
-    probes:
-      liveness:
-        enabled: false
-
-    ingress:
-      main:
-        enabled: true
-        annotations:
-          cert-manager.io/cluster-issuer: letsencrypt-production
-          traefik.ingress.kubernetes.io/router.entrypoints: websecure
-        hosts:
-          - host: &host "git.${SECRET_NEW_DOMAIN}"
-            paths:
-              - path: /
-                pathType: Prefix
-        tls:
-          - hosts:
-              - *host
-            secretName: wildcard-main-tls
+    existingSecret: gitea-secret
+    existingSecretKey: admin-password
 
     persistence:
-      storage:
-        enabled: true
-        type: hostPath
-        hostPath: /mnt/MainPool/Kubernetes/gitea
-        mountPath: /data
+      enabled: true
+      size: 30Gi
+      storageClass: hostpath
+      selector:
+        matchLabels:
+          app.kubernetes.io/name: gitea-pv
+
+    resources:
+      requests:
+        cpu: 1m
+        memory: 340Mi
+      limits:
+        memory: 2Gi
+
+#    podSecurityContext:
+#      enabled: true
+#      fsGroup: 10000
+
+#    containerSecurityContext:
+#      enabled: true
+#      runAsUser: 10000
+#      runAsNonRoot: true
+
+    # Sidecar used for mirroring GitHub repos to gitea
+#    sidecars:
+#      - name: mirror-to-gitea
+#        image: jaedle/mirror-to-gitea:latest
+#        imagePullPolicy: Always
+#        envFrom:
+#        - secretRef:
+#            name: gitea-sidecar-secret
+
+    service:
+      type: ClusterIP
+      nodePorts:
+        ssh: 30022
+
+    ingress:
+      enabled: false
+#      annotations:
+#        cert-manager.io/cluster-issuer: letsencrypt-production
+#        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+#      hostname: &host "budget.${SECRET_NEW_DOMAIN}"
+#
+#      tls: true
+#      selfSigned: false
+#
+#      extraTls:
+#      - hosts:
+#        - *host
+#        secretName: wildcard-main-tls
+#
+#      secrets: nil
+#      secrets:
+#      - wildcard-main-tls
+
+    postgresql:
+      enabled: false
+
+    externalDatabase:
+      host: postgresql.database
+      port: 5432
+      user: gitea
+      database: gitea
+      existingSecret: gitea-secret
+      existingSecretPasswordKey: db-password
+
+    volumePermissions:
+      enabled: true

cluster/apps/default/gitea/ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: gitea-ingress
+  namespace: default
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  rules:
+    - host: &host "git.${SECRET_NEW_DOMAIN}"
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: gitea
+                port:
+                  number: 80
+  tls:
+  - hosts:
+    - *host
+    secretName: wildcard-main-tls

cluster/apps/default/gitea/kustomization.yaml

@@ -1,6 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+- ./gitea-pv.yaml
 - ./gitea-secret.sops.yaml
 - ./gitea-sidecar-secret.sops.yaml
 - ./helm-release.yaml
+- ./ingress.yaml