Add Gitea self-hosted git/CI/registry to replace GitHub

Deploy Gitea via Helm with dedicated CloudNativePG database, in-cluster Actions runner (DinD), and built-in container registry. ArgoCD repoURLs updated to use in-cluster Gitea SSH. Preview ApplicationSet switched from GitHub PR generator to Gitea PR generator. App images now pull from gitea.coreworlds.io registry. Remaining setup after deploy: seal runner token, ArgoCD API token, and registry pull secret once Gitea is running. Add ArgoCD deploy key to Gitea repo settings.
2026-03-21 15:43:30 +00:00
parent 06ae2c7d46
commit f04ecbf5cd
36 changed files with 640 additions and 52 deletions
--- a/apps/api/k8s/base/deployment.yaml
+++ b/apps/api/k8s/base/deployment.yaml
@@ -15,10 +15,10 @@ spec:
        app: api
    spec:
      imagePullSecrets:
-        - name: ghcr-pull-secret
+        - name: gitea-pull-secret
      containers:
        - name: api
-          image: ghcr.io/lazorgurl/homelab-api:latest
+          image: gitea.coreworlds.io/julia/homelab-api:latest
          ports:
            - containerPort: 4000
              name: http
--- a/apps/api/k8s/base/ghcr-pull-secret-sealed.yaml
+++ b/apps/api/k8s/base/ghcr-pull-secret-sealed.yaml
@@ -1,14 +0,0 @@
---
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: ghcr-pull-secret
-  namespace: apps
-spec:
-  encryptedData:
-    .dockerconfigjson: AgB7twUw+WM+H96XJQlZNqTTY5uweBab7NfDuK/CEFJ7062A6+1U3ZRGRhA1QXJJBnITlRT6rNAlVmhGw4aEPWeGeBzutpBcOT2JytQY0NbVf1cpTIkNv8ca/oUQMKbTEbCZ6lBcX2NzJjkTQI/MrN+bH7yCfgWKJUFxy6h41go37RlBj+G3uso4wQ7mTEV6dNIPw/vFfHyygDK4XUmYV6tFfVkYC/wPBxUlQvQqjKFvCVcNm7cog9vJqdRmiRgwUqehzHnGIqiUH+0Da6kwxs3+Rw9blFB4PBSDSa0YVUVvAvW2QpE8ZvfoAbj79x7i2fl8gDO3176vTkzen1hZl5TtIk+Hr2GChFkiNslOXKgsJVuWISQtnaTA4j9aOE8kona7zzE6J7vTQOmnlVSGHDjY/TAHjnB7qsodl6Vma6FLShcbG75E2+iAhJzxgbu2gLMcLFD8CuHNSur5rfnnhDeYhedQIyf4qcocXgL0yO+/NTv2hH76cfFPsn2dAwwwL6iVJWvFgA7pywAD0jr8r7PMLRZjQrJxOu1vqgXPMo2656A7yD9Mk87Z8W0g7LgP9XKITxwIW5B47kEdOkifwP/doazgsHs153eZSmbN8oVXXM4EGrAPMOJs+MVt9/pBcKA8Ct5QuCHpSKBZVWVOVbT1r2jFY+b7jHWb2zg93WYP8kU+ZN8a1D52h0zKgb9nTBn6qaDK2gSRCj0CSl11JVUynVAA60ZSHalQriZV2+ZAo1SHx4/uMhOpnJVU9mY9sIbXrMCJTGtWgyOlAg1UpdOefCJyfxEihm+n82Xp12fqmKjiptXgQX5YHF9stpo3VKOPpxfk6kfMIRh9ckuD3JXS3xJZV/7t/dSHXc0NsZxp/FTbP31pAcgWXS4s9qF681IyjXx3IGnxcyd16ADtXCvVfjDCZZceNWatxb7SABQg2F7h
-  template:
-    metadata:
-      name: ghcr-pull-secret
-      namespace: apps
-    type: kubernetes.io/dockerconfigjson
--- a/apps/api/k8s/base/gitea-pull-secret-sealed.yaml
+++ b/apps/api/k8s/base/gitea-pull-secret-sealed.yaml
@@ -0,0 +1,22 @@
+# PLACEHOLDER: Re-seal with Gitea registry credentials
+# kubectl create secret docker-registry gitea-pull-secret \
+#   --namespace apps \
+#   --docker-server=gitea.coreworlds.io \
+#   --docker-username=julia \
+#   --docker-password=<token> \
+#   --dry-run=client -o yaml | kubeseal --format yaml \
+#     --controller-namespace kube-system --controller-name sealed-secrets-helm
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: gitea-pull-secret
+  namespace: apps
+spec:
+  encryptedData:
+    .dockerconfigjson: PLACEHOLDER_SEAL_ME
+  template:
+    metadata:
+      name: gitea-pull-secret
+      namespace: apps
+    type: kubernetes.io/dockerconfigjson
--- a/apps/api/k8s/base/kustomization.yaml
+++ b/apps/api/k8s/base/kustomization.yaml
@@ -4,6 +4,6 @@ resources:
  - deployment.yaml
  - service.yaml
  - ingress.yaml
-  - ghcr-pull-secret-sealed.yaml
+  - gitea-pull-secret-sealed.yaml
  - api-secrets-sealed.yaml
  - servicemonitor.yaml