
locals {
  # In-cluster Authentik endpoint. This is plain HTTP: whatever is sent to it
  # (including authentik_token below, if a sibling file uses it) crosses the
  # pod network unencrypted, so this relies on that network being trusted or
  # on a mesh supplying mTLS.
  authentik_url = "http://authentik.${var.domain}-auth.svc"
  # Bootstrap (admin-level) API token read straight out of the Authentik
  # Secret. The kubernetes provider marks Secret data as sensitive, but the
  # decoded value is still written to Terraform state, so the state backend
  # must be encrypted and access-restricted. Not referenced elsewhere in this
  # file; presumably consumed by a sibling file of the module.
  authentik_token = data.kubernetes_secret_v1.authentik.data["AUTHENTIK_BOOTSTRAP_TOKEN"]
  # Ownership labels stamped on every resource rendered by the overlay below.
  common_labels = {
    "vynil.solidite.fr/owner-name"      = var.instance
    "vynil.solidite.fr/owner-namespace" = var.namespace
    "vynil.solidite.fr/owner-category"  = var.category
    "vynil.solidite.fr/owner-component" = var.component
    "app.kubernetes.io/managed-by"      = "vynil"
    "app.kubernetes.io/instance"        = var.instance
  }
  # Spec for the shared-storage PVC. storageClassName is only emitted when a
  # class is configured, so the cluster default class applies otherwise.
  pvc_spec = merge({
    "accessModes" = [var.storage.volume.accessMode]
    "volumeMode"  = var.storage.volume.type
    "resources" = {
      "requests" = {
        "storage" = "${var.storage.volume.size}"
      }
    }
  }, var.storage.volume.class != "" ? {
    "storageClassName" = var.storage.volume.class
  } : {})
  # JSON patches for the gitea-ssh Service, selected below on whether a
  # load-balancer IP is configured. NOTE(review): a JSON-patch "remove" on an
  # absent path is an error, so removePatch assumes the base Service already
  # declares spec.loadBalancerIP — confirm against the bundled YAML.
  removePatch = <<-EOF
    - op: remove
      path: /spec/loadBalancerIP
  EOF
  modifyPatch = <<-EOF
    - op: replace
      path: /spec/loadBalancerIP
      value: "${var.load-balancer.ip}"
  EOF
}
# Application credentials Secret generated for the Gitea PostgreSQL database.
# depends_on forces the read after kubectl_manifest.prj_pg (defined outside
# this file) has been applied, since the Secret is created by that object's
# controller rather than by Terraform. Like every kubernetes_secret_v1 data
# source, the decoded data ends up in Terraform state.
data "kubernetes_secret_v1" "postgresql_password" {
  depends_on = [kubectl_manifest.prj_pg]
  metadata {
    name      = "${var.instance}-${var.component}-pg-app"
    namespace = var.namespace
  }
}
# Authentik's own Secret in the auth namespace; local.authentik_token reads
# AUTHENTIK_BOOTSTRAP_TOKEN from it. Reading this cross-namespace requires the
# provider identity to have "get" on secrets in ${var.domain}-auth, and the
# full Secret content (not just that one key) is stored in state.
data "kubernetes_secret_v1" "authentik" {
  metadata {
    name      = "authentik"
    namespace = "${var.domain}-auth"
  }
}
# Authentik Ingress; only spec.rule[0].host is used, to build the public
# OIDC discovery URL handed to the configure-gitea init container. Because
# that hostname is resolved at plan time, a change to the Ingress's first
# rule silently changes the discovery endpoint on the next apply.
data "kubernetes_ingress_v1" "authentik" {
  metadata {
    name      = "authentik"
    namespace = "${var.domain}-auth"
  }
}
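# Renders every *.yaml in this module (except index.yaml) through kustomize,
# namespaced and labelled, then applies the instance-specific patches below.
#
# Changes from the previous revision:
#   - the init-container wrapper script now runs under `set -eu`, so a failed
#     copy of the CA bundle aborts the init container instead of letting
#     configure_gitea.sh run against a missing SSL_CERT_FILE;
#   - only ca.crt is projected from the "${var.instance}-cert" Secret (the
#     script reads nothing else), so the serving key in that Secret is no
#     longer mounted world-readable (defaultMode 0444) into the init container.
#     Note this is fail-closed: a Secret without a ca.crt key now stops the
#     pod from starting rather than silently skipping the CA;
#   - every gitea image reference uses var.images.gitea.pull_policy instead of
#     three of them being hard-coded to IfNotPresent;
#   - TZ values are quoted so a timezone string can never be re-typed by YAML.
data "kustomization_overlay" "data" {
  common_labels = local.common_labels
  namespace     = var.namespace
  resources     = [for file in fileset(path.module, "*.yaml") : file if !contains(["index.yaml"], file)]

  # Wrapper script for the configure-gitea init container: copies the image's
  # CA bundle into an emptyDir, appends the local CA, then hands over to the
  # upstream configure script. Only this key of the gitea-init Secret is
  # replaced; the rest comes from the base manifest.
  patches {
    target {
      kind = "Secret"
      name = "gitea-init"
    }
    patch = <<-EOF
      apiVersion: v1
      kind: Secret
      metadata:
        name: gitea-init
      stringData:
        configure_local_certs.sh: |-
          #!/usr/bin/env bash
          set -eu
          cp /etc/ssl/certs/ca-certificates.crt /etc/local-certs
          cat /etc/local-ca/ca.crt >>/etc/local-certs/ca-certificates.crt
          exec /usr/sbin/configure_gitea.sh
    EOF
  }

  # Deployment patch. The "certs" emptyDir is filled by configure-gitea and
  # then mounted over /etc/ssl/certs in the main container, so the image's
  # trust store is replaced wholesale by the bundle + local CA (any other file
  # shipped under /etc/ssl/certs in the image is masked). The OIDC client id
  # and secret reach the init container as environment variables, i.e. they
  # are readable by anyone able to exec into or inspect that container.
  patches {
    target {
      kind = "Deployment"
      name = "gitea"
    }
    patch = <<-EOF
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: gitea
        annotations:
          secret.reloader.stakater.com/reload: "gitea-ldap,gitea-admin-user"
      spec:
        replicas: ${var.replicas}
        template:
          spec:
            volumes:
              - name: certs
                emptyDir: {}
              - name: localcerts
                secret:
                  secretName: "${var.instance}-cert"
                  defaultMode: 0444
                  items:
                    - key: ca.crt
                      path: ca.crt
            initContainers:
              - name: init-directories
                image: "${var.images.gitea.registry}/${var.images.gitea.repository}:${var.images.gitea.tag}"
                imagePullPolicy: "${var.images.gitea.pull_policy}"
              - name: init-app-ini
                image: "${var.images.gitea.registry}/${var.images.gitea.repository}:${var.images.gitea.tag}"
                imagePullPolicy: "${var.images.gitea.pull_policy}"
              - name: configure-gitea
                command: ["/usr/sbin/configure_local_certs.sh"]
                image: "${var.images.gitea.registry}/${var.images.gitea.repository}:${var.images.gitea.tag}"
                imagePullPolicy: "${var.images.gitea.pull_policy}"
                volumeMounts:
                  - name: localcerts
                    mountPath: /etc/local-ca
                    readOnly: true
                  - name: certs
                    mountPath: /etc/local-certs
                env:
                  - name: VYNIL_OAUTH_DISCOVERY
                    value: "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${var.component}-${var.instance}/.well-known/openid-configuration"
                  - name: GITEA_OAUTH_KEY_0
                    valueFrom:
                      secretKeyRef:
                        name: "${var.component}-${var.instance}-id"
                        key: client-id
                  - name: GITEA_OAUTH_SECRET_0
                    valueFrom:
                      secretKeyRef:
                        name: "${var.component}-${var.instance}-secret"
                        key: client-secret
                  - name: TZ
                    value: "${var.timezone}"
                  - name: SSL_CERT_FILE
                    value: "/etc/local-certs/ca-certificates.crt"
            containers:
              - name: gitea
                image: "${var.images.gitea.registry}/${var.images.gitea.repository}:${var.images.gitea.tag}"
                imagePullPolicy: "${var.images.gitea.pull_policy}"
                resources: ${jsonencode(var.resources)}
                volumeMounts:
                  - name: certs
                    mountPath: /etc/ssl/certs
                env:
                  - name: SSH_LISTEN_PORT
                    value: "2222"
                  - name: SSH_PORT
                    value: "${var.ssh-port}"
                  - name: SSH_LOG_LEVEL
                    value: "INFO"
                  - name: TZ
                    value: "${var.timezone}"
    EOF
  }

  # Shared-storage PVC: size/class from local.pvc_spec, opted into k8up
  # backups and capped for the kubesphere resizer.
  patches {
    target {
      kind = "PersistentVolumeClaim"
      name = "gitea-shared-storage"
    }
    patch = <<-EOF
      kind: PersistentVolumeClaim
      apiVersion: v1
      metadata:
        name: gitea-shared-storage
        annotations:
          k8up.io/backup: "true"
          resize.kubesphere.io/storage_limit: "${var.storage.volume.maxSize}"
      spec: ${jsonencode(local.pvc_spec)}
    EOF
  }

  # Externally advertised SSH port. Deliberately unquoted: a Service port must
  # be an integer, and the container itself keeps listening on 2222 (see
  # SSH_LISTEN_PORT above).
  patches {
    target {
      kind = "Service"
      name = "gitea-ssh"
    }
    patch = <<-EOF
      - op: replace
        path: /spec/ports/0/port
        value: ${var.ssh-port}
    EOF
  }

  # Pin or drop the load-balancer IP on the SSH Service (patch bodies are
  # defined in locals).
  patches {
    target {
      kind = "Service"
      name = "gitea-ssh"
    }
    patch = var.load-balancer.ip == "" ? local.removePatch : local.modifyPatch
  }
}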