From a3c73dccb0be033296b60c5d2c9bbf5c3ca78b57 Mon Sep 17 00:00:00 2001
From: Julia McGhee <julia.eloise@pm.me>
Date: Sat, 21 Mar 2026 15:56:18 +0000
Subject: [PATCH] Fix Gitea DB auth: use additionalConfigFromEnvs for password

The _secret/_key syntax doesn't work in Gitea Helm values. Use
additionalConfigFromEnvs to inject GITEA__database__PASSWD from
the sealed secret, which the chart translates into app.ini config.
---
 infra/kubernetes/platform/gitea/application.yaml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/infra/kubernetes/platform/gitea/application.yaml b/infra/kubernetes/platform/gitea/application.yaml
index cb0fa0a..6ed220e 100644
--- a/infra/kubernetes/platform/gitea/application.yaml
+++ b/infra/kubernetes/platform/gitea/application.yaml
@@ -26,15 +26,18 @@ spec:
         gitea:
           admin:
             existingSecret: gitea-admin-credentials
+          additionalConfigFromEnvs:
+            - name: GITEA__database__PASSWD
+              valueFrom:
+                secretKeyRef:
+                  name: gitea-pg-credentials
+                  key: password
           config:
             database:
               DB_TYPE: postgres
               HOST: gitea-pg-rw.platform.svc:5432
               NAME: gitea
               USER: gitea
-              PASSWD:
-                _secret: gitea-pg-credentials
-                _key: password
             cache:
               ADAPTER: redis
               HOST: redis://valkey.platform.svc:6379/0