fix: Inject ca-bundle into gitea container

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml

@@ -34,6 +34,7 @@
         kubeconfig: "{{ kubeconfig.path }}"
       loop:
         - argo-cd
+        - gitea
         # - kube-system
 
     - name: Store root certificate in namespaced configmaps/secrets
@@ -63,6 +64,12 @@
           data:
             - key: git.{{ vapp['metacluster.fqdn'] }}
               value: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] }}"
+        - name: step-certificates-certs
+          namespace: gitea
+          kind: secret
+          data:
+            - key: ca_chain.crt
+              value: "{{ (stepca_cm_certs.resources[0].data['intermediate_ca.crt'] ~ _newline ~ stepca_cm_certs.resources[0].data['root_ca.crt']) | b64encode }}"
         - name: step-certificates-certs
           namespace: kube-system
           kind: secret

ansible/vars/metacluster.yml

@@ -135,6 +135,16 @@ components:
       chart: gitea-charts/gitea
       parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | sed '/:/!s/$/:latest/'
       chart_values: !unsafe |
+        extraVolumes:
+          - secret:
+              defaultMode: 420
+              name: step-certificates-certs
+            name: step-certificates-certs
+        extraVolumeMounts:
+          - mountPath: /etc/ssl/certs/ca-chain.crt
+            name: step-certificates-certs
+            readOnly: true
+            subPath: ca_chain.crt
         gitea:
           admin:
             username: administrator