---
# Source: gitea/charts/gitea/templates/gitea/init.yaml
#
# Opaque Secret "gitea-init" (namespace "gitea") holding three bash scripts as
# stringData entries. The Source line above marks this as rendered Helm output,
# so lasting changes presumably belong in the chart values rather than here.
# No credential is stored in this object: the scripts read passwords, OAuth
# keys and paths from environment variables that are defined elsewhere.
# NOTE(review): the workload that mounts and runs these scripts is not part of
# this document; messages in configure_gitea.sh refer to an init container.
apiVersion: v1
kind: Secret
metadata:
  name: gitea-init
  namespace: gitea
  labels:
    helm.sh/chart: gitea-12.4.0
    app: gitea
    app.kubernetes.io/name: gitea
    app.kubernetes.io/instance: gitea
    app.kubernetes.io/version: "1.25.2"
    version: "1.25.2"
    app.kubernetes.io/managed-by: Helm
type: Opaque
stringData:
  # Imports the key file named by $TMP_RAW_GPG_KEY into the gpg keyring without
  # prompting (--batch). `set -eu` stops the script when the import fails or
  # the variable is unset.
  configure_gpg_environment.sh: |
    #!/usr/bin/env bash
    set -eu

    gpg --batch --import "$TMP_RAW_GPG_KEY"
  # Prepares the data volume: runs the initPreScript section, creates
  # /data/git/.ssh (mode 700, recursive), creates /data/gitea/conf if missing,
  # then creates "${GITEA_TEMP}" with rwx for user and group.
  #
  # NOTE(review): the initPreScript section fetches the `latest` release asset
  # of catppuccin/gitea each time it runs and unpacks it with no pinned version
  # and no checksum or signature check. The target directory,
  # /data/gitea/public/assets/css, looks like Gitea's custom static-asset path
  # (confirm), so whatever the upstream release contains at that moment ends up
  # in the instance's stylesheet directory. Prefer a fixed release tag plus a
  # recorded SHA-256 that is verified before `tar`, or ship the theme in the
  # image instead of downloading it at start-up.
  # NOTE(review): under `set -euo pipefail` a failed download or extraction
  # stops the script, which ties start-up to github.com being reachable;
  # `tar -C` also needs the css directory to exist already - verify on a fresh
  # volume.
  init_directory_structure.sh: |-
    #!/usr/bin/env bash

    set -euo pipefail
    # BEGIN: initPreScript
    wget https://github.com/catppuccin/gitea/releases/latest/download/catppuccin-gitea.tar.gz;
    tar -xvzf catppuccin-gitea.tar.gz -C /data/gitea/public/assets/css;
    rm catppuccin-gitea.tar.gz;
    # END: initPreScript
    mkdir -pv /data/git/.ssh
    chmod -Rv 700 /data/git/.ssh
    [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf

    # prepare temp directory structure
    mkdir -pv "${GITEA_TEMP}"
    chmod -v ug+rwx "${GITEA_TEMP}"
  # Runs `gitea migrate` (exit 1 on failure), then calls three functions:
  #   - configure_admin_user: creates the admin named by GITEA_ADMIN_USERNAME
  #     when it is absent (must-change-password is true only for mode
  #     initialOnlyRequireReset); when it exists, the password is re-synced
  #     only if GITEA_ADMIN_PASSWORD_MODE is keepUpdated.
  #   - configure_ldap: prints a skip message and does nothing else.
  #   - configure_oauth: adds, or updates by ID, the OpenID Connect source
  #     "Authentik" using the auto-discovery URL given in the arguments.
  # GITEA_ADMIN_PASSWORD, GITEA_OAUTH_KEY_0 and GITEA_OAUTH_SECRET_0 come from
  # the environment but are handed to the gitea CLI as command-line arguments,
  # so they are readable in that container's process list while the command
  # runs. The script does not enable xtrace (`set -x`); turning it on would
  # also write those arguments to the container log.
  # NOTE(review): GITEA_ADMIN_USERNAME is placed unescaped inside a `grep -E`
  # pattern; a name containing regex metacharacters could match another row.
  # NOTE(review): `local var=$(...)` hides the exit status of the command
  # substitution from `set -e`; a failing `gitea admin ... list` is only caught
  # when the table-header regex falls through to its error branch.
  # The value is one double-quoted scalar with \n escapes; a physical line
  # break inside the quotes folds to a single space, so the echo messages that
  # span two lines below are unchanged.
  configure_gitea.sh: "#!/usr/bin/env bash\n\nset -euo pipefail\n\necho '==== BEGIN GITEA CONFIGURATION ===='\n\n{ # try\n gitea migrate\n} || { # catch\n echo \"Gitea migrate might fail due to database connection...This init-container will try again in a few seconds\"\n exit 1\n}\nfunction configure_admin_user() {\n local full_admin_list=$(gitea admin user list --admin)\n local actual_user_table=''\n\n # We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line\n local regex=\"(.*)(ID\\s+Username\\s+Email\\s+IsActive.*)\"\n if [[ \"${full_admin_list}\" =~ $regex ]]; then\n actual_user_table=$(echo \"${BASH_REMATCH[2]}\" | tail -n+2) # tail'ing to drop the table headline\n else\n # This code block should never be reached, as long as the output table header remains the same.\n # If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script.\n\n echo \"ERROR: 'configure_admin_user' was not able to determine the current list of admin users.\"\n echo \" Please review the output of 'gitea admin user list --admin' shown below.\"\n echo \" If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-gitea/issues.\"\n echo \"DEBUG: Output of 'gitea admin user list --admin'\"\n echo \"--\"\n echo \"${full_admin_list}\"\n echo \"--\"\n exit 1\n fi\n\n local ACCOUNT_ID=$(echo \"${actual_user_table}\" | grep -E \"\\s+${GITEA_ADMIN_USERNAME}\\s+\" | awk -F \" \" \"{printf \\$1}\")\n if [[ -z \"${ACCOUNT_ID}\" ]]; then\n local -a create_args\n create_args=(--admin --username \"${GITEA_ADMIN_USERNAME}\" --password \"${GITEA_ADMIN_PASSWORD}\" --email \"gitea@local.domain\")\n if [[ \"${GITEA_ADMIN_PASSWORD_MODE}\" = initialOnlyRequireReset ]]; then\n create_args+=(--must-change-password=true)\n else\n create_args+=(--must-change-password=false)\n fi\n echo \"No admin user '${GITEA_ADMIN_USERNAME}' found.
    Creating now...\"\n gitea admin user create \"${create_args[@]}\"\n echo '...created.'\n else\n if [[ \"${GITEA_ADMIN_PASSWORD_MODE}\" = keepUpdated ]]; then\n echo \"Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password...\"\n # See https://gitea.com/gitea/helm-gitea/issues/673\n # --must-change-password argument was added to change-password, defaulting to true, counter to the previous behavior\n # which acted as if it were provided with =false. If the argument is present in this version of gitea, then we\n # should add it to prevent requiring frequent admin password resets.\n local -a change_args\n change_args=(--username \"${GITEA_ADMIN_USERNAME}\" --password \"${GITEA_ADMIN_PASSWORD}\")\n if gitea admin user change-password --help | grep -qF -- '--must-change-password'; then\n change_args+=(--must-change-password=false)\n fi\n gitea admin user change-password \"${change_args[@]}\"\n echo '...password sync done.'\n else\n echo \"Admin account '${GITEA_ADMIN_USERNAME}' already exist, but update mode is set to '${GITEA_ADMIN_PASSWORD_MODE}'. Skipping.\"\n fi\n fi\n}\n\nconfigure_admin_user\n\nfunction configure_ldap() {\n echo 'no ldap configuration...
    skipping.'\n}\n\nconfigure_ldap\n\nfunction configure_oauth() {\n local OAUTH_NAME='Authentik'\n local full_auth_list=$(gitea admin auth list --vertical-bars)\n local actual_auth_table=''\n\n # We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line\n local regex=\"(.*)(ID\\s+\\|Name\\s+\\|Type\\s+\\|Enabled.*)\"\n if [[ \"${full_auth_list}\" =~ $regex ]]; then\n actual_auth_table=$(echo \"${BASH_REMATCH[2]}\" | tail -n+2) # tail'ing to drop the table headline\n else\n # This code block should never be reached, as long as the output table header remains the same.\n # If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script.\n\n echo \"ERROR: 'configure_oauth' was not able to determine the current list of authentication sources.\"\n echo \" Please review the output of 'gitea admin auth list --vertical-bars' shown below.\"\n echo \" If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-gitea/issues.\"\n echo \"DEBUG: Output of 'gitea admin auth list --vertical-bars'\"\n echo \"--\"\n echo \"${full_auth_list}\"\n echo \"--\"\n exit 1\n fi\n\n local AUTH_ID=$(echo \"${actual_auth_table}\" | grep -E \"\\|${OAUTH_NAME}\\s+\\|\" | grep -iE '\\|OAuth2\\s+\\|' | awk -F \" \" \"{print \\$1}\")\n\n if [[ -z \"${AUTH_ID}\" ]]; then\n echo \"No oauth configuration found with name '${OAUTH_NAME}'. Installing it now...\"\n gitea admin auth add-oauth --auto-discover-url \"https://auth.alexlebens.dev/application/o/gitea/.well-known/openid-configuration\" --icon-url \"https://goauthentik.io/img/icon.png\" --key \"${GITEA_OAUTH_KEY_0}\" --name \"Authentik\" --provider \"openidConnect\" --scopes \"email profile\" --secret \"${GITEA_OAUTH_SECRET_0}\" \n echo '...installed.'\n else\n echo \"Existing oauth configuration with name '${OAUTH_NAME}': '${AUTH_ID}'.
    Running update to sync settings...\"\n gitea admin auth update-oauth --id \"${AUTH_ID}\" --auto-discover-url \"https://auth.alexlebens.dev/application/o/gitea/.well-known/openid-configuration\" --icon-url \"https://goauthentik.io/img/icon.png\" --key \"${GITEA_OAUTH_KEY_0}\" --name \"Authentik\" --provider \"openidConnect\" --scopes \"email profile\" --secret \"${GITEA_OAUTH_SECRET_0}\" \n echo '...sync settings done.'\n fi\n}\n\nconfigure_oauth\n\necho '==== END GITEA CONFIGURATION ===='"