launchpad/infra/values/base/gitea-values.yaml

# Gitea Helm Chart Values
# Host: git.forteapps.net
# Chart: gitea v12.5.0 (app v1.25.4)
# Repo: https://dl.gitea.com/charts

# -- Admin account (password from sealed secret)
gitea:
  admin:
    existingSecret: gitea-credentials
    email: admin@forteapps.net

  # -- Gitea app.ini configuration
  config:
    APP_NAME: "Forte Git"

    server:
      DOMAIN: git.forteapps.net
      ROOT_URL: https://git.forteapps.net
      SSH_DOMAIN: git.forteapps.net
      SSH_PORT: 2222
      LFS_START_SERVER: true
      ENABLE_GITEA_PAGES: true
      ENABLE_BASIC_AUTH_CHALLENGE: true

    service:
      DISABLE_REGISTRATION: false
      DEFAULT_ALLOW_CREATE_ORGANIZATION: false
      REQUIRE_SIGNIN_VIEW: false
      ALLOW_ONLY_EXTERNAL_REGISTRATION: true
      ENABLE_BASIC_AUTHENTICATION: true
      ENABLE_PASSWORD_SIGNIN_FORM: false
      AUTO_WATCH_ON_CHANGES: false
      AUTO_WATCH_NEW_REPOS: false
      ENABLE_NOTIFY_MAIL: false
      ENABLE_TIMETRACKING: false

    openid:
      ENABLE_OPENID_SIGNIN: false
      ENABLE_OPENID_SIGNUP: false

    oauth2:
      ENABLED: true
      ENABLE_AUTO_REGISTRATION: true
      USERNAME: email

    session:
      PROVIDER: db

    cache:
      ADAPTER: memory

    database:
      DB_TYPE: postgres

    metrics:
      ENABLED: true

    repository:
      DEFAULT_BRANCH: main
      DEFAULT_PRIVATE: last

    actions:
      ENABLED: true

    packages:
      ENABLED: true

    indexer:
      ISSUE_INDEXER_TYPE: bleve
      REPO_INDEXER_ENABLED: true

    mailer:
      ENABLED: true
      PROTOCOL: smtp+starttls
      SMTP_ADDR: smtp.office365.com
      SMTP_PORT: 587
      FROM: "noreply@fortedigital.com"

    admin:
      DEFAULT_EMAIL_NOTIFICATIONS: enabled

  # -- SMTP credentials injected from secret (USER and PASSWD)
  additionalConfigFromEnvs:
  - name: GITEA__mailer__USER
    valueFrom:
      secretKeyRef:
        name: gitea-smtp-secret
        key: username
  - name: GITEA__mailer__PASSWD
    valueFrom:
      secretKeyRef:
        name: gitea-smtp-secret
        key: password
  # -- OIDC authentication via Forte
  oauth:
  - name: "Forte"
    provider: "openidConnect"
    existingSecret: gitea-oidc-credentials
    key: gitea
    autoDiscoverUrl: "https://id.forteapps.net/realms/forte/.well-known/openid-configuration"
    scopes: "openid email profile organization"
    groupClaimName: "groups"
    adminGroup: ""
    restrictedGroup: ""
  # -- Prometheus metrics (scraped via annotations, no ServiceMonitor CRD needed)
  metrics:
    enabled: true
    serviceMonitor:
      enabled: false

# -- Ingress via Traefik with Let's Encrypt TLS
ingress:
  enabled: true
  className: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  hosts:
  - host: git.forteapps.net
    paths:
    - path: /
      pathType: Prefix
  tls:
  - secretName: gitea-tls
    hosts:
    - git.forteapps.net

# -- Git repository storage
persistence:
  enabled: true
  size: 10Gi
  accessModes:
  - ReadWriteOnce
  storageClass: upcloud-block-storage-maxiops

# -- Recreate strategy to avoid Multi-Attach errors with RWO volumes
strategy:
  type: Recreate

# -- Pod resources
resources:
  requests:
    cpu: 100m
    memory: 256Mi
  limits:
    cpu: 500m
    memory: 512Mi

# -- Embedded PostgreSQL (Bitnami subchart)
# Password auto-generated by the subchart; Gitea chart auto-wires the connection.
postgresql:
  enabled: true
  auth:
    username: gitea
    database: gitea
  primary:
    persistence:
      enabled: true
      size: 8Gi
      storageClass: upcloud-block-storage-maxiops
    resources:
      requests:
        cpu: 100m
        memory: 256Mi
      limits:
        cpu: 500m
        memory: 512Mi

# -- Disable PostgreSQL HA (using single-instance postgresql above)
postgresql-ha:
  enabled: false

# -- Disable Redis cluster (use in-memory cache instead)
redis-cluster:
  enabled: false

# -- Disable test pod
test:
  enabled: false

# -- SSH service (ClusterIP, exposed externally via Traefik TCP IngressRoute on port 2222)
service:
  ssh:
    type: ClusterIP
    port: 22