don't sync users with cron job

2026-04-19 11:43:47 +02:00
parent eed53006c1
commit d7c1341eab
2 changed files with 12 additions and 1 deletions
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -817,12 +817,19 @@ postgresql:

 **Authentication**: Keycloak OIDC via `forte` realm (client ID: `gitea`). Protocol mapper: `email_verified` hardcoded claim (`true`, boolean) on ID token, Access token, and Userinfo.

+**External User Sync**: Disabled (`cron.sync_external_users.ENABLED: false`). This Gitea cron job is designed for LDAP and deactivates OIDC-only users because it cannot enumerate them — causing "Sign-in prohibited" errors after the sync runs.
+
+**Email Notifications**: Enabled (`ENABLE_NOTIFY_MAIL: true`). SMTP credentials injected via `gitea-smtp-secret` using `additionalConfigFromEnvs` with `GITEA__mailer__USER` / `GITEA__mailer__PASSWD` environment variables.
+
 **Endpoints**:
 - Web UI: `https://git.forteapps.net`
 - SSH: port 22 (ClusterIP)
 - Metrics: `/metrics` (Prometheus scrape)

-**Secrets**: `gitea-credentials` (SealedSecret) containing `admin-password`, `postgres-password`, `secret` (OIDC client secret)
+**Secrets**:
+- `gitea-credentials` (SealedSecret) — admin password
+- `gitea-oidc-credentials` (registrar-managed) — OIDC client ID + secret
+- `gitea-smtp-secret` (SealedSecret) — SMTP username + password

 ### Gitea Actions Runners

--- a/infra/values/base/gitea-values.yaml
+++ b/infra/values/base/gitea-values.yaml
@@ -73,6 +73,10 @@ gitea:
      SMTP_PORT: 587
      FROM: "noreply@fortedigital.com"

+    # -- Disable external user sync (designed for LDAP; deactivates OIDC users)
+    "cron.sync_external_users":
+      ENABLED: false
+
    admin:
      DEFAULT_EMAIL_NOTIFICATIONS: enabled