Switch gitea to TLS

Gitea supports internal TLS termination as well as redirection of
http to https.  That may be simpler than terminating in a reverse
proxy.  Let's try it.

Also, make the dockerfile match the expectation of the job that
there will be a gitea-init stage.

Also, fix the repository root setting in app.ini.

Change-Id: Ia6b66b53cebdb1afa49fef89a0559615f98052f1

docker/gitea-init/Dockerfile

@@ -12,7 +12,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-FROM opendevorg/jinja-init
+FROM opendevorg/jinja-init as gitea-init
 
 COPY entrypoint.sh /
 

docker/gitea-init/entrypoint.sh

@@ -21,6 +21,12 @@ chown 1000:1000 /data/git
 mkdir -p /data/gitea
 chown 1000:1000 /data/gitea
 
+mkdir -p /data/gitea/ssl
+chown 1000:1000 /data/gitea/ssl
+chmod 0500 /data/gitea/ssl
+cp /secrets/gitea_tls_cert /data/gitea/ssl/cert.pem
+cp /secrets/gitea_tls_key /data/gitea/ssl/key.pem
+
 # This one is used by openssh and can remain root-owned
 mkdir -p /data/ssh
 

kubernetes/gitea/app.ini.j2

@@ -5,8 +5,9 @@ RUN_USER = git
 [server]
 APP_DATA_PATH    = /data/gitea
 SSH_DOMAIN       = localhost
+PROTOCOL         = https
 HTTP_PORT        = 3000
-ROOT_URL         = http://38.108.68.64/
+ROOT_URL         = https://38.108.68.64/
 DISABLE_SSH      = false
 SSH_PORT         = 22
 LFS_CONTENT_PATH = /data/git/lfs
@@ -14,6 +15,10 @@ DOMAIN           = localhost
 LFS_START_SERVER = true
 LFS_JWT_SECRET   = {{ lfs_jwt_secret }}
 OFFLINE_MODE     = false
+CERT_FILE        = /data/gitea/ssl/cert.pem
+KEY_FILE         = /data/gitea/ssl/key.pem
+REDIRECT_OTHER_PORT = true
+PORT_TO_REDIRECT = 3080
 
 [database]
 DB_TYPE  = mysql
@@ -24,6 +29,9 @@ PASSWD   = {{ db_password }}
 SSL_MODE = disable
 LOG_SQL  = false
 
+[repository]
+ROOT = /data/git/repositories
+
 [indexer]
 ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
 REPO_INDEXER_ENABLED = true
@@ -50,7 +58,7 @@ SECRET_KEY     = {{ secret_key }}
 INTERNAL_TOKEN = {{ internal_token }}
 
 [service]
-DISABLE_REGISTRATION              = false
+DISABLE_REGISTRATION              = true
 REQUIRE_SIGNIN_VIEW               = false
 REGISTER_EMAIL_CONFIRM            = false
 ENABLE_NOTIFY_MAIL                = false

kubernetes/gitea/k8s/deployment.yaml

@@ -34,6 +34,7 @@ spec:
               value: '2'  # Increment to trigger a deployment.
           ports:
             - containerPort: 3000
+            - containerPort: 3080
           volumeMounts:
             - name: gitea-data
               mountPath: /data

kubernetes/gitea/k8s/secret.yaml

@@ -10,3 +10,5 @@ stringData:
   lfs_jwt_secret: {{ gitea_lfs_jwt_secret }}
   db_username: {{ gitea_db_username }}
   db_password: {{ gitea_db_password }}
+  gitea_tls_cert: {{ gitea_tls_cert }}
+  gitea_tls_key: {{ gitea_tls_key }}

kubernetes/gitea/k8s/service.yaml

@@ -9,6 +9,10 @@ spec:
   ports:
     - protocol: TCP
       port: 80
+      targetPort: 3080
+      name: http
+    - protocol: TCP
+      port: 443
       targetPort: 3000
       name: http
     - protocol: TCP