bakery-ia/infrastructure/cicd/gitea/setup-admin-secret.sh

#!/bin/bash
# Setup Gitea Admin Secret
#
# This script creates TWO Kubernetes secrets:
# 1. gitea-admin-secret (gitea namespace) - Used by Gitea Helm chart for admin credentials
# 2. gitea-registry-secret (bakery-ia namespace) - Used by pods for imagePullSecrets
#
# Both secrets use the SAME credentials, ensuring consistency.
#
# Usage:
#   ./setup-admin-secret.sh [password]
#
# If password is not provided, a random one will be generated.

set -e

KUBECTL="kubectl"
GITEA_NAMESPACE="gitea"
BAKERY_NAMESPACE="bakery-ia"
REGISTRY_HOST="registry.bakery-ia.local"
ADMIN_USERNAME="bakery-admin"
# Static password for consistent dev environment setup
# This ensures the same credentials work across environment recreations
STATIC_ADMIN_PASSWORD="pvYUkGWJijqc0QfIZEXw"

# Check if running in microk8s
if command -v microk8s &> /dev/null; then
    KUBECTL="microk8s kubectl"
fi

# Get password from argument, environment variable, or use static default
if [ -n "$1" ]; then
    ADMIN_PASSWORD="$1"
elif [ -n "$GITEA_ADMIN_PASSWORD" ]; then
    ADMIN_PASSWORD="$GITEA_ADMIN_PASSWORD"
else
    ADMIN_PASSWORD="$STATIC_ADMIN_PASSWORD"
    echo "Using static admin password for dev environment consistency"
fi

# Create namespaces if they don't exist
$KUBECTL create namespace "$GITEA_NAMESPACE" --dry-run=client -o yaml | $KUBECTL apply -f -
$KUBECTL create namespace "$BAKERY_NAMESPACE" --dry-run=client -o yaml | $KUBECTL apply -f -

# 1. Create gitea-admin-secret for Gitea Helm chart
echo "Creating gitea-admin-secret in $GITEA_NAMESPACE namespace..."
$KUBECTL create secret generic gitea-admin-secret \
    --namespace "$GITEA_NAMESPACE" \
    --from-literal=username="$ADMIN_USERNAME" \
    --from-literal=password="$ADMIN_PASSWORD" \
    --dry-run=client -o yaml | $KUBECTL apply -f -

# 2. Create gitea-registry-secret for imagePullSecrets
echo "Creating gitea-registry-secret in $BAKERY_NAMESPACE namespace..."

# Create Docker config JSON for registry authentication
# Include both external (ingress) and internal (cluster) registry URLs
AUTH_BASE64=$(echo -n "${ADMIN_USERNAME}:${ADMIN_PASSWORD}" | base64)
INTERNAL_REGISTRY_HOST="gitea-http.gitea.svc.cluster.local:3000"
DOCKER_CONFIG_JSON=$(cat <<EOF
{
  "auths": {
    "${REGISTRY_HOST}": {
      "username": "${ADMIN_USERNAME}",
      "password": "${ADMIN_PASSWORD}",
      "auth": "${AUTH_BASE64}"
    },
    "${INTERNAL_REGISTRY_HOST}": {
      "username": "${ADMIN_USERNAME}",
      "password": "${ADMIN_PASSWORD}",
      "auth": "${AUTH_BASE64}"
    }
  }
}
EOF
)

# Base64 encode the entire config (use -w0 on Linux, no flag needed on macOS)
if [[ "$OSTYPE" == "darwin"* ]]; then
    DOCKER_CONFIG_BASE64=$(echo -n "$DOCKER_CONFIG_JSON" | base64)
else
    DOCKER_CONFIG_BASE64=$(echo -n "$DOCKER_CONFIG_JSON" | base64 -w0)
fi

# Create the registry secret
cat <<EOF | $KUBECTL apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: gitea-registry-secret
  namespace: ${BAKERY_NAMESPACE}
  labels:
    app.kubernetes.io/name: bakery-ia
    app.kubernetes.io/component: registry
    app.kubernetes.io/managed-by: setup-admin-secret
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: ${DOCKER_CONFIG_BASE64}
EOF

echo ""
echo "=========================================="
echo "Gitea secrets created successfully!"
echo "=========================================="
echo ""
echo "Credentials (same for both secrets):"
echo "  Username: $ADMIN_USERNAME"
echo "  Password: $ADMIN_PASSWORD"
echo ""
echo "Secrets created:"
echo "  1. gitea-admin-secret      (namespace: $GITEA_NAMESPACE)  - For Gitea Helm chart"
echo "  2. gitea-registry-secret   (namespace: $BAKERY_NAMESPACE) - For imagePullSecrets"
echo ""
echo "Registry URLs:"
echo "  External: https://$REGISTRY_HOST"
echo "  Internal: $INTERNAL_REGISTRY_HOST"
echo ""
echo "Now install Gitea with:"
echo "  helm install gitea gitea/gitea -n gitea -f infrastructure/cicd/gitea/values.yaml"