fix: Inject ca-bundle into gitea container

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml

@@ -34,6 +34,7 @@
         kubeconfig: "{{ kubeconfig.path }}"
       loop:
         - argo-cd
+        - gitea
         # - kube-system
 
     - name: Store root certificate in namespaced configmaps/secrets
@@ -63,6 +64,12 @@
           data:
             - key: git.{{ vapp['metacluster.fqdn'] }}
               value: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] }}"
+        - name: step-certificates-certs
+          namespace: gitea
+          kind: secret
+          data:
+            - key: ca_chain.crt
+              value: "{{ (stepca_cm_certs.resources[0].data['intermediate_ca.crt'] ~ _newline ~ stepca_cm_certs.resources[0].data['root_ca.crt']) | b64encode }}"
         - name: step-certificates-certs
           namespace: kube-system
           kind: secret

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/clusterapi.yml

@@ -140,7 +140,7 @@
     dest: "{{ capi_clustermanifest.path }}/new-cluster.yaml"
     content: "{{ clusterctl_newcluster.stdout }}"
 
-- name: Split manifest into separate files
+- name: Split workload cluster manifest into separate files
   ansible.builtin.shell:
     cmd: >-
       kubectl slice \
@@ -161,9 +161,16 @@
 
 - name: Store nodepool manifest
   ansible.builtin.copy:
-    dest: "{{ capi_clustermanifest.path }}/manifests/nodepool-worker-storage.yaml"
+    dest: "{{ capi_clustermanifest.path }}/nodepool-worker-storage.yaml"
     content: "{{ lookup('kubernetes.core.kustomize', dir=capi_clustermanifest.path) }}"
 
+- name: Split nodepool manifest into separate files
+  ansible.builtin.shell:
+    cmd: >-
+      kubectl slice \
+        -f {{ capi_clustermanifest.path }}/nodepool-worker-storage.yaml \
+        -o {{ capi_clustermanifest.path }}/manifests
+
 - name: Create in-cluster IpPool
   ansible.builtin.template:
     src: ippool.j2
@@ -201,19 +208,6 @@
     GIT_COMMITTER_NAME: administrator
     GIT_COMMITTER_EMAIL: administrator@{{ vapp['metacluster.fqdn'] }}
 
-# - name: Initialize/Push git repository
-#   ansible.builtin.shell:
-#     cmd: |
-#       git init
-#       git config --global user.email "administrator@{{ vapp['metacluster.fqdn'] }}"
-#       git config --global user.name "administrator"
-#       git checkout -b main
-#       git add ./manifests
-#       git commit -m "Upload manifests"
-#       git remote add origin https://git.{{ vapp['metacluster.fqdn'] }}/mc/GitOps.ClusterAPI.git
-#       git push https://administrator:{{ vapp['metacluster.password'] | urlencode }}@git.{{ vapp['metacluster.fqdn'] }}/mc/GitOps.ClusterAPI.git --all
-#     chdir: "{{ capi_clustermanifest.path }}"
-
 # - name: Cleanup tempfolder
 #   ansible.builtin.file:
 #     path: "{{ capi_clustermanifest.path }}"

ansible/vars/metacluster.yml

@@ -135,6 +135,16 @@ components:
       chart: gitea-charts/gitea
       parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | sed '/:/!s/$/:latest/'
       chart_values: !unsafe |
+        extraVolumes:
+          - secret:
+              defaultMode: 420
+              name: step-certificates-certs
+            name: step-certificates-certs
+        extraVolumeMounts:
+          - mountPath: /etc/ssl/certs/ca-chain.crt
+            name: step-certificates-certs
+            readOnly: true
+            subPath: ca_chain.crt
         gitea:
           admin:
             username: administrator