fix

share/organisation/gitea-user.tf

@@ -0,0 +1,118 @@
+locals {
+  needUser = length(local.sorted-stages)>0 && var.haveGitea
+}
+
+data "kubernetes_secret_v1" "gitea" {
+  metadata {
+    name = "gitea-admin-user"
+    namespace = "${var.domain}-ci"
+  }
+}
+
+data "kubernetes_ingress_v1" "gitea" {
+  metadata {
+    name = "gitea"
+    namespace = "${var.domain}-ci"
+  }
+}
+
+data "kubernetes_service" "gitea-ssh" {
+  metadata {
+    name = "gitea-ssh"
+    namespace = "${var.domain}-ci"
+  }
+}
+
+resource "null_resource" "get_known" {
+  count = local.needUser?1:0
+  triggers  =  { always_run = "${timestamp()}" }
+  provisioner "local-exec" {
+    command = "ssh-keyscan -p ${data.kubernetes_service.gitea-ssh.spec.0.port.0.port} ${data.kubernetes_ingress_v1.gitea.spec[0].rule[0].host} > ${path.module}/known_host.txt"
+  }
+}
+
+data "local_file" "known_host" {
+  count = local.needUser?1:0
+  filename = "${path.module}/known_host.txt"
+  depends_on = ["null_resource.get_known"]
+}
+
+resource "kubectl_manifest" "ssh-creds" {
+  depends_on = [kubernetes_namespace_v1.ns]
+  count = local.needUser?length(local.sorted-stages):0
+  yaml_body  = <<-EOF
+    apiVersion: "secretgenerator.mittwald.de/v1alpha1"
+    kind: "SSHKeyPair"
+    metadata:
+      name: "ssh-credentials"
+      namespace: "${local.sorted-stages[count.index].namespace}"
+      labels: ${jsonencode(local.common-labels)}
+    spec:
+      length: "40"
+      forceRegenerate: false
+      data:
+        known_hosts: "${data.local_file.known_host[0].content}"
+  EOF
+}
+
+data "kubernetes_secret_v1" "ssh-creds-read" {
+  depends_on = [kubectl_manifest.ssh-creds]
+  count = local.needUser?length(local.sorted-stages):0
+  metadata {
+    name = "ssh-credentials"
+    namespace = "${local.sorted-stages[count.index].namespace}"
+  }
+}
+
+resource "random_password" "password" {
+  length           = 16
+  special          = true
+  override_special = "!#$%&*()-_=+[]{}<>:?"
+}
+
+resource "gitea_user" "user-ci" {
+  count = local.needUser?1:0
+  username             = "${var.instance}-ci"
+  login_name           = "${var.instance}-ci"
+  password             = random_password.password.result
+  email                = "${var.instance}-ci@${var.domain-name}"
+  must_change_password = true
+}
+
+resource "gitea_public_key" "user-ci-keys" {
+  count = local.needUser?length(local.sorted-stages):0
+  title = "Stage ${local.sorted-stages[count.index].name} for organisation ${var.instance}"
+  username  = gitea_user.user-ci[0].username
+  key = data.kubernetes_secret_v1.ssh-creds-read[count.index].data["ssh-publickey"]
+}
+
+resource "gitea_org" "orga" {
+  count = var.haveGitea?1:0
+  name = "${var.instance}"
+}
+
+resource "gitea_repository" "deploy" {
+  count = local.needUser?1:0
+  username     = gitea_org.orga[0].name
+  name         = "deploy"
+  private      = true
+}
+
+resource "gitea_team" "ci-team" {
+  count = local.needUser?1:0
+  name         = "Automation"
+  organisation = gitea_org.orga[0].name
+  description  = "Automation"
+  permission   = "write"
+  members      = [gitea_user.user-ci[0].username]
+  include_all_repositories = false
+  repositories             = [gitea_repository.deploy[0].name]
+}
+
+resource "gitea_team" "dev-team" {
+  count = var.haveGitea?1:0
+  name         = "Devs"
+  organisation = gitea_org.orga[0].name
+  description  = "Dev Team"
+  permission   = "write"
+}

share/organisation/index.yaml

@@ -6,36 +6,11 @@ metadata:
   name: organisation
   description: null
 options:
-  distributions:
-    default:
-      core: core
-      domain: domain
-    examples:
-    - core: core
-      domain: domain
-    properties:
-      core:
-        default: core
-        type: string
-      domain:
-        default: domain
-        type: string
-    type: object
-  issuer:
-    default: letsencrypt-prod
-    examples:
-    - letsencrypt-prod
-    type: string
   haveGitea:
     default: false
     examples:
     - false
     type: boolean
-  domain:
-    default: your-company
-    examples:
-    - your-company
-    type: string
   datasets:
     default: []
     items:
@@ -48,11 +23,40 @@ options:
           type: string
       type: object
     type: array
+  domain-name:
+    default: your_company.com
+    examples:
+    - your_company.com
+    type: string
+  stages:
+    default: []
+    items:
+      properties:
+        name:
+          default: prod
+          type: string
+      type: object
+    type: array
   app-group:
     default: dev
     examples:
     - dev
     type: string
+  domain:
+    default: your-company
+    examples:
+    - your-company
+    type: string
+  issuer:
+    default: letsencrypt-prod
+    examples:
+    - letsencrypt-prod
+    type: string
+  ingress-class:
+    default: traefik
+    examples:
+    - traefik
+    type: string
   backups:
     default:
       enable: false
@@ -83,25 +87,21 @@ options:
         default: backup-settings
         type: string
     type: object
-  stages:
-    default: []
-    items:
+  distributions:
+    default:
+      core: core
+      domain: domain
+    examples:
+    - core: core
+      domain: domain
     properties:
-        name:
-          default: prod
+      core:
+        default: core
+        type: string
+      domain:
+        default: domain
         type: string
     type: object
-    type: array
-  ingress-class:
-    default: traefik
-    examples:
-    - traefik
-    type: string
-  domain-name:
-    default: your_company.com
-    examples:
-    - your_company.com
-    type: string
 dependencies: []
 providers:
   kubernetes: true
@@ -110,5 +110,5 @@ providers:
   postgresql: null
   restapi: null
   http: null
-  gitea: null
+  gitea: true
 tfaddtype: null

share/organisation/stages.tf

@@ -33,6 +33,7 @@ locals {
     ])
   ])
 }
+
 resource "kubernetes_namespace_v1" "ns" {
   count = length(local.sorted-stages)
   metadata {