feat: revamp and use single namespace and update to latest versions

helm/values/gitea.values.yaml

@@ -1,22 +1,34 @@
+global:
+  storageClass: longhorn-crypto
+image:
+  rootless: false
 service:
   http:
     annotations:
       metallb.universe.tf/allow-shared-ip: gitea
+    port: 443
+    targetPort: 443
   ssh:
     annotations:
       metallb.universe.tf/allow-shared-ip: gitea
 ingress:
   enabled: true
-  className: nginx-internal
   annotations:
+    kubernetes.io/ingress.class: nginx-internal
     cert-manager.io/cluster-issuer: cloudflare-issuer
     cert-manager.io/acme-challenge-type: dns01
     cert-manager.io/private-key-size: "4096"
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
   hosts:
     - host: git.dogar.dev
       paths:
         - path: /
           pathType: Prefix
+          backend:
+            service:
+              name: gitea-http
+              port:
+                number: 443
   tls:
     - secretName: gitea-tls
       hosts:
@@ -37,19 +49,23 @@ gitea:
       ENABLE_GZIP: true
       LFS_START_SERVER: true
       SSH_DOMAIN: git.dogar.dev
+      HTTP_PORT: 443
+      PROTOCOL: https
+      CERT_FILE: /opt/gitea/tls/cert.pem
+      KEY_FILE: /opt/gitea/tls/key.pem
     database:
       DB_TYPE: postgres
-      HOST: postgres-cluster-rw.postgres-system.svc.cluster.local:5432
+      HOST: postgres-cluster-rw
       NAME: gitea
       USER: gitea
+      SSL_MODE: require
     cache:
-      ADAPTER: memcache
-      HOST: memcached.memcached-system.svc.cluster.local:11211
+      ADAPTER: memory
     session:
       PROVIDER: db
       PROVIDER_CONFIG: ""
     queue:
-      TYPE: redis
+      TYPE: channel
     lfs:
       STORAGE_TYPE: local
     service:
@@ -69,27 +85,76 @@ gitea:
       iconUrl: "https://goauthentik.io/img/icon.png"
       scopes: "email profile"
   additionalConfigFromEnvs:
-    - name: GITEA__DATABASE__PASSWD
-      valueFrom:
-        secretKeyRef:
-          name: gitea-postgres
-          key: password
-    - name: GITEA__QUEUE__CONN_STR
-      valueFrom:
-        secretKeyRef:
-          name: gitea-redis
-          key: password
     - name: GITEA__MAILER__PASSWD
       valueFrom:
         secretKeyRef:
           name: smtp-token
-          key: password
+          key: gitea-password
+  livenessProbe:
+    enabled: true
+    tcpSocket:
+      port: 443
+  readinessProbe:
+    enabled: true
+    tcpSocket:
+      port: 443
+  startupProbe:
+    enabled: true
+    tcpSocket:
+      port: 443
 persistence:
   enabled: true
-  storageClass: longhorn-crypto
   accessModes:
     - ReadWriteMany
+deployment:
+  env:
+    - name: PGSSLMODE
+      value: verify-full
+    - name: PGSSLROOTCERT
+      value: /opt/gitea/.postgresql/root.crt
+    - name: PGSSLCERT
+      value: /opt/gitea/.postgresql/postgresql.crt
+    - name: PGSSLKEY
+      value: /opt/gitea/.postgresql/postgresql.key
+extraVolumes:
+  - name: ssl-bundle
+    projected:
+      sources:
+        - secret:
+            name: gitea-client-cert
+            items:
+              - key: tls.crt
+                path: postgresql.crt
+              - key: tls.key
+                path: postgresql.key
+                mode: 0600
+        - secret:
+            name: postgres-server-cert
+            items:
+              - key: ca.crt
+                path: root.crt
+  - name: tls-bundle
+    projected:
+      sources:
+        - secret:
+            name: gitea-tls
+            items:
+              - key: tls.crt
+                path: cert.pem
+              - key: tls.key
+                path: key.pem
+extraInitVolumeMounts:
+  - name: ssl-bundle
+    mountPath: /opt/gitea/.postgresql
+    readOnly: true
+extraContainerVolumeMounts:
+  - name: ssl-bundle
+    mountPath: /opt/gitea/.postgresql
+    readOnly: true
+  - name: tls-bundle
+    mountPath: /opt/gitea/tls
+    readOnly: true
 postgresql-ha:
   enabled: false
-redis-cluster:
+valkey-cluster:
   enabled: false