feat: convert many

clusters/cl01tl/helm/gitea/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/gitea/templates/config-map.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: gitea-custom-templates
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
 data:
   header.tmpl: |
     <script defer src="https://rybbit.alexlebens.dev/api/script.js" data-site-id="b515c34a6dcc"></script>

clusters/cl01tl/helm/gitea/templates/external-secret.yaml

@@ -1,64 +1,15 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
-metadata:
-  name: gitea-admin-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-admin-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: username
-      remoteRef:
-        key: /cl01tl/gitea/auth/admin
-        property: username
-    - secretKey: password
-      remoteRef:
-        key: /cl01tl/gitea/auth/admin
-        property: password
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: gitea-oidc-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-oidc-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: secret
-      remoteRef:
-        key: /authentik/oidc/gitea
-        property: secret
-    - secretKey: key
-      remoteRef:
-        key: /authentik/oidc/gitea
-        property: client
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
 metadata:
   name: gitea-runner-secret
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: gitea-runner-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: token
       remoteRef:
@@ -69,80 +20,15 @@ spec:
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: gitea-renovate-secret
+  name: gitea-meilisearch-key
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: gitea-renovate-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
+    app.kubernetes.io/name: gitea-meilisearch-key
+    {{- include "custom.labels" . | nindent 4 }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: RENOVATE_ENDPOINT
-      remoteRef:
-        key: /cl01tl/gitea/renovate
-        property: RENOVATE_ENDPOINT
-    - secretKey: RENOVATE_GIT_AUTHOR
-      remoteRef:
-        key: /cl01tl/gitea/renovate
-        property: RENOVATE_GIT_AUTHOR
-    - secretKey: RENOVATE_TOKEN
-      remoteRef:
-        key: /cl01tl/gitea/renovate
-        property: RENOVATE_TOKEN
-    - secretKey: RENOVATE_GIT_PRIVATE_KEY
-      remoteRef:
-        key: /cl01tl/gitea/renovate
-        property: id_rsa
-    - secretKey: RENOVATE_GITHUB_COM_TOKEN
-      remoteRef:
-        key: /github/gitea-cl01tl
-        property: token
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: gitea-renovate-ssh-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-renovate-ssh-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: config
-      remoteRef:
-        key: /cl01tl/gitea/renovate
-        property: ssh_config
-    - secretKey: id_rsa
-      remoteRef:
-        key: /cl01tl/gitea/renovate
-        property: id_rsa
-    - secretKey: id_rsa.pub
-      remoteRef:
-        key: /cl01tl/gitea/renovate
-        property: id_rsa.pub
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: gitea-meilisearch-master-key-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-meilisearch-master-key-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
+    name: openbao
   target:
     template:
       mergePolicy: Merge
@@ -153,4 +39,27 @@ spec:
     - secretKey: MEILI_MASTER_KEY
       remoteRef:
         key: /cl01tl/gitea/meilisearch
-        property: MEILI_MASTER_KEY
+        property: master-key
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gitea-oidc-authentik
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: gitea-oidc-authentik
+    {{- include "custom.labels" . | nindent 4 }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: openbao
+  data:
+    - secretKey: secret
+      remoteRef:
+        key: /cl01tl/authentik/oidc/gitea
+        property: secret
+    - secretKey: key
+      remoteRef:
+        key: /cl01tl/authentik/oidc/gitea
+        property: client

clusters/cl01tl/helm/gitea/templates/http-route.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: gitea
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
 spec:
   parentRefs:
     - group: gateway.networking.k8s.io
@@ -21,8 +20,6 @@ spec:
           type: PathPrefix
           value: /
       backendRefs:
-        - group: ''
-          kind: Service
+        - kind: Service
           name: gitea-http
           port: 3000
-          weight: 100

clusters/cl01tl/helm/gitea/templates/ingress.yaml

@@ -1,12 +1,11 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: gitea-tailscale
+  name: {{ .Release.Name }}-tailscale
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: gitea-tailscale
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
+    app.kubernetes.io/name: {{ .Release.Name }}-tailscale
+    {{- include "custom.labels" . | nindent 4 }}
     tailscale.com/proxy-class: no-metrics
   annotations:
     tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
@@ -21,7 +20,7 @@ spec:
       http:
         paths:
           - path: /
-            pathType: ImplementationSpecific
+            pathType: Prefix
             backend:
               service:
                 name: gitea-http

clusters/cl01tl/helm/gitea/templates/namespace.yaml

@@ -1,11 +1,10 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: gitea
+  name: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: gitea
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
+    app.kubernetes.io/name: {{ .Release.Namespace }}
+    {{- include "custom.labels" . | nindent 4 }}
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/enforce: privileged
     pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/helm/gitea/templates/persistent-volume-claim.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: gitea-themes-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
 spec:
   volumeMode: Filesystem
   storageClassName: ceph-filesystem

clusters/cl01tl/helm/gitea/templates/service-monitor.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: gitea
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
 spec:
   selector:
     matchLabels:

clusters/cl01tl/helm/gitea/templates/tcp-route.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: gitea-ssh
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
 spec:
   parentRefs:
     - group: gateway.networking.k8s.io
@@ -16,8 +15,6 @@ spec:
       sectionName: ssh
   rules:
     - backendRefs:
-        - group: ''
-          kind: Service
+        - kind: Service
           name: gitea-ssh
           port: 22
-          weight: 100

clusters/cl01tl/helm/gitea/values.yaml

@@ -59,7 +59,7 @@ gitea:
     oauth:
       - name: Authentik
         provider: openidConnect
-        existingSecret: gitea-oidc-secret
+        existingSecret: gitea-oidc-authentik
         autoDiscoverUrl: https://auth.alexlebens.dev/application/o/gitea/.well-known/openid-configuration
         iconUrl: https://goauthentik.io/img/icon.png
         scopes: "email profile"
@@ -137,7 +137,7 @@ gitea:
       - name: GITEA__INDEXER__ISSUE_INDEXER_CONN_STR
         valueFrom:
           secretKeyRef:
-            name: gitea-meilisearch-master-key-secret
+            name: gitea-meilisearch-key
             key: ISSUE_INDEXER_CONN_STR
   valkey-cluster:
     enabled: false
@@ -235,7 +235,7 @@ meilisearch:
     MEILI_ENV: production
     MEILI_EXPERIMENTAL_DUMPLESS_UPGRADE: true
   auth:
-    existingMasterKeySecret: gitea-meilisearch-master-key-secret
+    existingMasterKeySecret: gitea-meilisearch-key
   persistence:
     enabled: true
     storageClass: ceph-block