From b6c581492be0d61ba12afe13683ec0d0198c2121 Mon Sep 17 00:00:00 2001
From: Mayne0213 <bluemayne0213@icloud.com>
Date: Thu, 18 Dec 2025 19:08:20 +0900
Subject: [PATCH] FEAT(gitea): add gitea Application to apps reposit

- Move gitea Application definition to applications repo
- Add gitea resources (helm-values, vault secrets, runner deployment)
- Update kustomization.yaml to include gitea Application
- This enables ArgoCD to manage gitea with proper Helm chart integration
---
 gitea/argocd/gitea.yaml                  |  58 ++++++++
 gitea/deployment.yaml                    | 100 +++++++++++++
 gitea/helm-values/gitea.yaml             | 172 +++++++++++++++++++++++
 gitea/kustomization.yaml                 |  19 +++
 gitea/vault/gitea-admin-secret.yaml      |  22 +++
 gitea/vault/gitea-minio-credentials.yaml |  18 +++
 gitea/vault/gitea-postgres-password.yaml |  18 +++
 gitea/vault/gitea-runner-token.yaml      |  18 +++
 gitea/vault/minio-root-password.yaml     |  22 +++
 9 files changed, 447 insertions(+)
 create mode 100644 gitea/argocd/gitea.yaml
 create mode 100644 gitea/deployment.yaml
 create mode 100644 gitea/helm-values/gitea.yaml
 create mode 100644 gitea/kustomization.yaml
 create mode 100644 gitea/vault/gitea-admin-secret.yaml
 create mode 100644 gitea/vault/gitea-minio-credentials.yaml
 create mode 100644 gitea/vault/gitea-postgres-password.yaml
 create mode 100644 gitea/vault/gitea-runner-token.yaml
 create mode 100644 gitea/vault/minio-root-password.yaml

diff --git a/gitea/argocd/gitea.yaml b/gitea/argocd/gitea.yaml
new file mode 100644
index 0000000..b2a570a
--- /dev/null
+++ b/gitea/argocd/gitea.yaml
@@ -0,0 +1,58 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: gitea
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+    # Helm chart from Gitea repository
+    - repoURL: https://dl.gitea.com/charts/
+      chart: gitea
+      targetRevision: 12.4.0
+      helm:
+        valueFiles:
+          - $values/gitea/helm-values/gitea.yaml
+    # Values file from Git repository
+    - repoURL: https://gitea0213.kro.kr/bluemayne/infrastructure.git
+      targetRevision: main
+      ref: values
+    # Vault secrets from Git repository
+    - repoURL: https://gitea0213.kro.kr/bluemayne/infrastructure.git
+      targetRevision: main
+      path: gitea
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: gitea
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+
+    syncOptions:
+      - CreateNamespace=true
+      - PrunePropagationPolicy=foreground
+      - PruneLast=true
+
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m
+
+  revisionHistoryLimit: 10
+
+  # Ignore differences in checksum annotations and manual restart annotations
+  ignoreDifferences:
+    - group: apps
+      kind: Deployment
+      jqPathExpressions:
+        - .spec.template.metadata.annotations
+        - .metadata.annotations
diff --git a/gitea/deployment.yaml b/gitea/deployment.yaml
new file mode 100644
index 0000000..d87cd87
--- /dev/null
+++ b/gitea/deployment.yaml
@@ -0,0 +1,100 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gitea-runner-config
+  namespace: gitea
+data:
+  config.yaml: |
+    log:
+      level: info
+    runner:
+      name: k8s-runner
+      capacity: 10
+      timeout: 3h
+      insecure: false
+      fetch_timeout: 5s
+      fetch_interval: 2s
+      labels:
+        - "ubuntu-latest:docker://catthehacker/ubuntu:act-latest"
+        - "ubuntu-24.04:docker://catthehacker/ubuntu:act-latest"
+        - "ubuntu-24.04-arm:docker://catthehacker/ubuntu:act-latest"
+    container:
+      network: host
+      options: -e DOCKER_HOST=tcp://localhost:2375
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gitea-runner
+  namespace: gitea
+  labels:
+    app: gitea-runner
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: gitea-runner
+  template:
+    metadata:
+      labels:
+        app: gitea-runner
+    spec:
+      restartPolicy: Always
+      volumes:
+        - name: docker-certs
+          emptyDir: {}
+        - name: runner-data
+          emptyDir: {}
+        - name: config
+          configMap:
+            name: gitea-runner-config
+      containers:
+        # Docker daemon (Docker-in-Docker)
+        - name: docker-daemon
+          image: docker:dind
+          env:
+            - name: DOCKER_TLS_CERTDIR
+              value: ""
+          securityContext:
+            privileged: true
+          volumeMounts:
+            - name: docker-certs
+              mountPath: /certs
+
+        # Gitea Actions runner
+        - name: runner
+          image: gitea/act_runner:latest
+          command:
+            - sh
+            - -c
+            - |
+              while ! nc -z localhost 2375 </dev/null; do
+                echo 'waiting for docker daemon...';
+                sleep 1;
+              done
+              act_runner register --no-interactive --instance "$GITEA_INSTANCE_URL" --token "$GITEA_RUNNER_REGISTRATION_TOKEN" --name k8s-runner --labels "ubuntu-latest:docker://catthehacker/ubuntu:act-latest,ubuntu-24.04:docker://catthehacker/ubuntu:act-latest,ubuntu-24.04-arm:docker://catthehacker/ubuntu:act-latest"
+              act_runner daemon
+          env:
+            - name: DOCKER_HOST
+              value: tcp://localhost:2375
+            - name: GITEA_INSTANCE_URL
+              value: "http://gitea-http.gitea.svc.cluster.local:3000"
+            - name: GITEA_RUNNER_REGISTRATION_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: gitea-runner-token
+                  key: token
+          volumeMounts:
+            - name: docker-certs
+              mountPath: /certs
+            - name: runner-data
+              mountPath: /data
+            - name: config
+              mountPath: /config.yaml
+              subPath: config.yaml
+          resources:
+            requests:
+              cpu: 100m
+              memory: 256Mi
+            limits:
+              memory: 2Gi
diff --git a/gitea/helm-values/gitea.yaml b/gitea/helm-values/gitea.yaml
new file mode 100644
index 0000000..d161089
--- /dev/null
+++ b/gitea/helm-values/gitea.yaml
@@ -0,0 +1,172 @@
+# Gitea Helm Values
+# Chart: https://gitea.com/gitea/helm-chart
+# Self-hosted Git service
+
+fullnameOverride: gitea
+
+replicaCount: 1
+
+image:
+  registry: docker.io
+  repository: gitea/gitea
+  tag: "1.25.2"
+  pullPolicy: IfNotPresent
+  rootless: false
+
+# Gitea configuration
+gitea:
+  admin:
+    # Admin credentials managed via environment variables
+    existingSecret: gitea-admin-secret
+
+  config:
+    server:
+      DOMAIN: gitea0213.kro.kr
+      ROOT_URL: https://gitea0213.kro.kr
+      SSH_DOMAIN: gitea0213.kro.kr
+      SSH_PORT: 2222
+      DISABLE_SSH: true
+      START_SSH_SERVER: false
+      SSH_LISTEN_PORT: 2222
+
+    database:
+      DB_TYPE: postgres
+      HOST: postgresql-primary.postgresql.svc.cluster.local:5432
+      NAME: gitea
+      USER: postgres
+      SCHEMA: public
+      SSL_MODE: disable
+
+    service:
+      DISABLE_REGISTRATION: false
+      REQUIRE_SIGNIN_VIEW: false
+      ENABLE_NOTIFY_MAIL: false
+
+    cache:
+      ENABLED: true
+      ADAPTER: memory
+
+    session:
+      PROVIDER: memory
+
+    git:
+      PATH: /usr/bin/git
+
+    actions:
+      ENABLED: true
+      DEFAULT_ACTIONS_URL: github
+
+    packages:
+      ENABLED: true
+      CHUNKED_UPLOAD_PATH: /data/packages/chunked-upload
+
+    container:
+      ENABLED: true
+      REGISTRY_HOST: gitea0213.kro.kr
+
+  # Health checks
+  livenessProbe:
+    enabled: true
+    tcpSocket:
+      port: http
+    initialDelaySeconds: 60
+    periodSeconds: 10
+    timeoutSeconds: 5
+    successThreshold: 1
+    failureThreshold: 10
+
+  readinessProbe:
+    enabled: true
+    tcpSocket:
+      port: http
+    initialDelaySeconds: 30
+    periodSeconds: 10
+    timeoutSeconds: 5
+    successThreshold: 1
+    failureThreshold: 3
+
+# PostgreSQL dependency (using existing PostgreSQL instance)
+postgresql:
+  enabled: false
+
+# Use existing PostgreSQL
+postgresql-ha:
+  enabled: false
+
+# Valkey cluster (disabled, using memory for cache/session)
+valkey-cluster:
+  enabled: false
+
+# Redis (optional, for caching)
+redis-cluster:
+  enabled: false
+
+# Environment variables for database password
+deployment:
+  env:
+    - name: GITEA__database__PASSWD
+      valueFrom:
+        secretKeyRef:
+          name: gitea-postgres-password
+          key: password
+
+# Persistence for Gitea data
+persistence:
+  enabled: true
+  size: 10Gi
+  storageClass: local-path
+  accessModes:
+    - ReadWriteOnce
+
+# Service configuration
+service:
+  http:
+    type: ClusterIP
+    port: 3000
+  ssh:
+    type: LoadBalancer
+    port: 2222
+    externalTrafficPolicy: Local
+    annotations:
+      metallb.universe.tf/allow-shared-ip: gitea
+
+# Ingress configuration
+ingress:
+  enabled: true
+  className: nginx
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+  hosts:
+    - host: gitea0213.kro.kr
+      paths:
+        - path: /
+          pathType: Prefix
+  tls:
+    - secretName: gitea-tls
+      hosts:
+        - gitea0213.kro.kr
+
+# Resource limits
+resources:
+  requests:
+    cpu: 50m
+    memory: 256Mi
+  limits:
+    memory: 512Mi
+
+# Security context
+securityContext:
+  fsGroup: 1000
+
+# Init containers for database setup
+initPreScript: |
+  #!/bin/sh
+  echo "Waiting for PostgreSQL..."
+  until nc -z postgresql-primary.postgresql.svc.cluster.local 5432; do
+    echo "Waiting for PostgreSQL to be ready..."
+    sleep 2
+  done
+  echo "PostgreSQL is ready"
diff --git a/gitea/kustomization.yaml b/gitea/kustomization.yaml
new file mode 100644
index 0000000..0509b26
--- /dev/null
+++ b/gitea/kustomization.yaml
@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  # ArgoCD Application (주석 처리: circular dependency 방지)
+  # - argocd/gitea.yaml
+  # Gitea Application은 수동으로 적용: kubectl apply -f gitea/argocd/gitea.yaml
+  
+  # Gitea Runner
+  - deployment.yaml
+  
+  # Vault secrets
+  - vault/gitea-admin-secret.yaml
+  - vault/gitea-postgres-password.yaml
+  - vault/gitea-runner-token.yaml
+  - vault/gitea-minio-credentials.yaml
+  - vault/minio-root-password.yaml
+
+namespace: gitea
diff --git a/gitea/vault/gitea-admin-secret.yaml b/gitea/vault/gitea-admin-secret.yaml
new file mode 100644
index 0000000..1b3a6ba
--- /dev/null
+++ b/gitea/vault/gitea-admin-secret.yaml
@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: gitea-admin-secret
+  namespace: gitea
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-backend
+  target:
+    name: gitea-admin-secret
+    creationPolicy: Owner
+  data:
+    - secretKey: username
+      remoteRef:
+        key: gitea/admin
+        property: USERNAME
+    - secretKey: password
+      remoteRef:
+        key: gitea/admin
+        property: PASSWORD
diff --git a/gitea/vault/gitea-minio-credentials.yaml b/gitea/vault/gitea-minio-credentials.yaml
new file mode 100644
index 0000000..169760b
--- /dev/null
+++ b/gitea/vault/gitea-minio-credentials.yaml
@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: gitea-minio-credentials
+  namespace: gitea
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-backend
+  target:
+    name: gitea-minio-credentials
+    creationPolicy: Owner
+  data:
+    - secretKey: password
+      remoteRef:
+        key: gitea/minio
+        property: GITEA_MINIO_PASSWORD
diff --git a/gitea/vault/gitea-postgres-password.yaml b/gitea/vault/gitea-postgres-password.yaml
new file mode 100644
index 0000000..3921f0f
--- /dev/null
+++ b/gitea/vault/gitea-postgres-password.yaml
@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: gitea-postgres-password
+  namespace: gitea
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-backend
+  target:
+    name: gitea-postgres-password
+    creationPolicy: Owner
+  data:
+    - secretKey: password
+      remoteRef:
+        key: gitea/postgres
+        property: PASSWORD
diff --git a/gitea/vault/gitea-runner-token.yaml b/gitea/vault/gitea-runner-token.yaml
new file mode 100644
index 0000000..9d8b1ee
--- /dev/null
+++ b/gitea/vault/gitea-runner-token.yaml
@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: gitea-runner-token
+  namespace: gitea
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-backend
+  target:
+    name: gitea-runner-token
+    creationPolicy: Owner
+  data:
+    - secretKey: token
+      remoteRef:
+        key: gitea/runner
+        property: TOKEN
diff --git a/gitea/vault/minio-root-password.yaml b/gitea/vault/minio-root-password.yaml
new file mode 100644
index 0000000..e145891
--- /dev/null
+++ b/gitea/vault/minio-root-password.yaml
@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: minio-root-password
+  namespace: gitea
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-backend
+  target:
+    name: minio-root-password
+    creationPolicy: Owner
+  data:
+    - secretKey: root-user
+      remoteRef:
+        key: gitea/minio
+        property: ROOT_USER
+    - secretKey: root-password
+      remoteRef:
+        key: gitea/minio
+        property: ROOT_PASSWORD