Add Authentik Gitea secret and public ingress configuration, and update Gitea values for internal CA support

2026-03-11 22:31:10 +09:00 · 2026-03-11 22:31:10 +09:00 · b2af26ead8
commit b2af26ead8
parent a7f7cd4095
4 changed files with 79 additions and 1 deletions
--- a/manifests/authentik-gitea-secret.sh
+++ b/manifests/authentik-gitea-secret.sh
@ -0,0 +1,9 @@
+#!/bin/bash
+set -euo pipefail
+source "$(dirname "$0")/../.env"
+
+kubectl create secret generic authentik-gitea-oauth \
+  --namespace gitea \
+  --from-literal=client-id="${AUTHENTIK_GITEA_CLIENT_ID}" \
+  --from-literal=client-secret="${AUTHENTIK_GITEA_CLIENT_SECRET}" \
+  --dry-run=client -o yaml | kubectl apply -f -
--- a/manifests/authentik-public-ingress.yaml
+++ b/manifests/authentik-public-ingress.yaml
@ -0,0 +1,31 @@
+# authentik public ingress
+# Apply: kubectl apply -f manifests/authentik-public-ingress.yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: authentik-public-tls
+  namespace: authentik
+spec:
+  secretName: authentik-public-tls
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer
+  dnsNames:
+    - auth.nik4nao.com
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: authentik-public
+  namespace: authentik
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`auth.nik4nao.com`)
+      kind: Rule
+      services:
+        - name: authentik-server
+          port: 80
+  tls:
+    secretName: authentik-public-tls
--- a/manifests/traefik-dashboard-ingress.yaml
+++ b/manifests/traefik-dashboard-ingress.yaml
@ -15,6 +15,14 @@ spec:
        - name: authentik-proxy-outpost
          namespace: authentik
          port: 9000
+    - match: Host(`traefik.home.arpa`) && Path(`/`)
+      kind: Rule
+      middlewares:
+        - name: redirect-to-dashboard
+          namespace: traefik
+      services:
+        - name: api@internal
+          kind: TraefikService
    - match: Host(`traefik.home.arpa`) && PathPrefix(`/dashboard`)
      kind: Rule
      middlewares:
@ -34,6 +42,17 @@ spec:
  tls:
    secretName: traefik-dashboard-tls
 ---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: redirect-to-dashboard
+  namespace: traefik
+spec:
+  redirectRegex:
+    regex: ^https://traefik.home.arpa/$
+    replacement: https://traefik.home.arpa/dashboard/
+    permanent: true
+---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
--- a/values/gitea.yaml
+++ b/values/gitea.yaml
@ -75,3 +75,22 @@ service:

 postgresql-ha:
  enabled: false
+
+deployment:
+  env:
+    - name: SSL_CERT_FILE
+      value: /etc/ssl/internal-ca/ca.crt
+
+extraVolumes:
+  - name: internal-ca
+    configMap:
+      name: internal-ca-cert
+
+extraVolumeMounts:
+  - name: internal-ca
+    mountPath: /etc/ssl/internal-ca
+    readOnly: true
+
+initPreScript: |
+  cp /etc/ssl/internal-ca/ca.crt /usr/local/share/ca-certificates/internal-ca.crt
+  update-ca-certificates