gitea

infra/gitea.yaml

@@ -0,0 +1,42 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: gitea
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+  labels:
+    app.kubernetes.io/name: gitea
+    app.kubernetes.io/part-of: platform
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: https://dl.gitea.com/charts
+    chart: gitea
+    targetRevision: "12.5.0"
+    helm:
+      releaseName: gitea
+      valueFiles:
+      - $values/infra/values/gitea-values.yaml
+
+  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: gitea
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true

infra/values/gitea-values.yaml

@@ -0,0 +1,152 @@
+# Gitea Helm Chart Values
+# Host: git.forteapps.net
+# Chart: gitea v12.5.0 (app v1.25.4)
+# Repo: https://dl.gitea.com/charts
+
+# -- Admin account (password from sealed secret)
+gitea:
+  admin:
+    existingSecret: gitea-credentials
+    email: admin@forteapps.net
+
+  # -- Gitea app.ini configuration
+  config:
+    APP_NAME: "Forte Git"
+
+    server:
+      DOMAIN: git.forteapps.net
+      ROOT_URL: https://git.forteapps.net
+      SSH_DOMAIN: git.forteapps.net
+      SSH_PORT: 22
+      LFS_START_SERVER: true
+
+    service:
+      DISABLE_REGISTRATION: true
+      REQUIRE_SIGNIN_VIEW: false
+      ALLOW_ONLY_EXTERNAL_REGISTRATION: true
+
+    openid:
+      ENABLE_OPENID_SIGNIN: true
+      ENABLE_OPENID_SIGNUP: true
+
+    oauth2:
+      ENABLED: true
+
+    session:
+      PROVIDER: db
+
+    cache:
+      ADAPTER: memory
+
+    database:
+      DB_TYPE: postgres
+
+    metrics:
+      ENABLED: true
+
+    repository:
+      DEFAULT_BRANCH: main
+      DEFAULT_PRIVATE: last
+
+    actions:
+      ENABLED: true
+
+    packages:
+      ENABLED: true
+
+    indexer:
+      ISSUE_INDEXER_TYPE: bleve
+      REPO_INDEXER_ENABLED: true
+
+  # -- OIDC authentication via Keycloak
+  oauth:
+  - name: "Keycloak"
+    provider: "openidConnect"
+    existingSecret: gitea-credentials
+    key: gitea
+    autoDiscoverUrl: "https://id.forteapps.net/realms/forte/.well-known/openid-configuration"
+    scopes: "openid email profile"
+    groupClaimName: ""
+    adminGroup: ""
+    restrictedGroup: ""
+
+  # -- Prometheus metrics (scraped via annotations, no ServiceMonitor CRD needed)
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: false
+
+# -- Ingress via Traefik with Let's Encrypt TLS
+ingress:
+  enabled: true
+  className: traefik
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+  hosts:
+  - host: git.forteapps.net
+    paths:
+    - path: /
+      pathType: Prefix
+  tls:
+  - secretName: gitea-tls
+    hosts:
+    - git.forteapps.net
+
+# -- Git repository storage
+persistence:
+  enabled: true
+  size: 10Gi
+  accessModes:
+  - ReadWriteOnce
+  storageClass: upcloud-block-storage-maxiops
+
+# -- Pod resources
+resources:
+  requests:
+    cpu: 100m
+    memory: 256Mi
+  limits:
+    cpu: 500m
+    memory: 512Mi
+
+# -- Embedded PostgreSQL (Bitnami subchart)
+# Password auto-generated by the subchart; Gitea chart auto-wires the connection.
+postgresql:
+  enabled: true
+  auth:
+    existingSecret: gitea-credentials
+    secretKeys:
+      adminPasswordKey: postgres-password
+      userPasswordKey: postgres-password
+    username: gitea
+    database: gitea
+  primary:
+    persistence:
+      enabled: true
+      size: 8Gi
+      storageClass: upcloud-block-storage-maxiops
+    resources:
+      requests:
+        cpu: 100m
+        memory: 256Mi
+      limits:
+        cpu: 500m
+        memory: 512Mi
+
+# -- Disable PostgreSQL HA (using single-instance postgresql above)
+postgresql-ha:
+  enabled: false
+
+# -- Disable Redis cluster (use in-memory cache instead)
+redis-cluster:
+  enabled: false
+
+# -- Disable test pod
+test:
+  enabled: false
+
+# -- SSH service (ClusterIP for now; enable NodePort if SSH access needed)
+service:
+  ssh:
+    type: ClusterIP
+    port: 22

infra/values/keycloak-values.yaml

@@ -64,5 +64,21 @@ keycloakConfigCli:
         "registrationAllowed": false,
         "loginWithEmailAllowed": true,
         "resetPasswordAllowed": true,
-        "rememberMe": true
+        "rememberMe": true,
+        "clients": [
+          {
+            "clientId": "gitea",
+            "name": "Gitea",
+            "enabled": true,
+            "protocol": "openid-connect",
+            "clientAuthenticatorType": "client-secret",
+            "secret": "382ed413580cb79d0f54813e5da87007b28fe766a8903d378b9e1c266405a784",
+            "standardFlowEnabled": true,
+            "directAccessGrantsEnabled": false,
+            "publicClient": false,
+            "redirectUris": ["https://git.forteapps.net/*"],
+            "webOrigins": ["https://git.forteapps.net"],
+            "defaultClientScopes": ["openid", "email", "profile"]
+          }
+        ]
       }