fix: Inject ca-bundle into gitea container

2023-08-25 14:13:01 +02:00 · 2023-08-25 14:13:01 +02:00 · 90082ca36a
parent b2ae56e54b
commit 90082ca36a
2 changed files with 17 additions and 0 deletions
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml
@ -34,6 +34,7 @@
        kubeconfig: "{{ kubeconfig.path }}"
      loop:
        - argo-cd
+        - gitea
        # - kube-system

    - name: Store root certificate in namespaced configmaps/secrets
@ -63,6 +64,12 @@
          data:
            - key: git.{{ vapp['metacluster.fqdn'] }}
              value: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] }}"
+        - name: step-certificates-certs
+          namespace: gitea
+          kind: secret
+          data:
+            - key: ca_chain.crt
+              value: "{{ (stepca_cm_certs.resources[0].data['intermediate_ca.crt'] ~ _newline ~ stepca_cm_certs.resources[0].data['root_ca.crt']) | b64encode }}"
        - name: step-certificates-certs
          namespace: kube-system
          kind: secret
--- a/ansible/vars/metacluster.yml
+++ b/ansible/vars/metacluster.yml
@ -135,6 +135,16 @@ components:
      chart: gitea-charts/gitea
      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | sed '/:/!s/$/:latest/'
      chart_values: !unsafe |
+        extraVolumes:
+          - secret:
+              defaultMode: 420
+              name: step-certificates-certs
+            name: step-certificates-certs
+        extraVolumeMounts:
+          - mountPath: /etc/ssl/certs/ca-chain.crt
+            name: step-certificates-certs
+            readOnly: true
+            subPath: ca_chain.crt
        gitea:
          admin:
            username: administrator