Merge branch 'main' of github.com:hyperspike/gitea-operator

api/v1/gitea_types.go

@@ -54,6 +54,20 @@ type GiteaSpec struct {
 	// Use Valkey
 	// +kubebuilder:default:=false
 	Valkey bool `json:"valkey,omitempty"`
+
+	// Use TLS
+	// +kubebuilder:default:=false
+	TLS bool `json:"tls,omitempty"`
+
+	// TLS Cert-manager Issuer
+	CertIssuer string `json:"certIssuer,omitempty"`
+
+	// Cert-Manger Cluster Issuer Kind
+	// +kubebuilder:default:="ClusterIssuer"
+	// +kubebuilder:validation:Enum=ClusterIssuer;Issuer
+	CertIssuerType string `json:"certIssuerType,omitempty"`
+
+	ClusterDomain string `json:"clusterDomain,omitempty"`
 }
 
 type IngressSpec struct {

cmd/main.go

@@ -35,6 +35,7 @@ import (
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
+	certv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	zalandov1 "github.com/zalando/postgres-operator/pkg/apis/acid.zalan.do/v1"
 	hyperspikeiov1 "hyperspike.io/gitea-operator/api/v1"
@@ -51,6 +52,7 @@ var (
 func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 
+	utilruntime.Must(certv1.AddToScheme(scheme))
 	utilruntime.Must(zalandov1.AddToScheme(scheme))
 	utilruntime.Must(monitoringv1.AddToScheme(scheme))
 	utilruntime.Must(hyperspikeiov1.AddToScheme(scheme))
@@ -104,6 +106,7 @@ func main() {
 
 	var namespaces = []string{
 		"default",
+		"cert-manager",
 	}
 	defaultNamespaces := make(map[string]cache.Config)
 

config/crd/bases/hyperspike.io_gitea.yaml

@@ -58,6 +58,18 @@ spec:
           spec:
             description: GiteaSpec defines the desired state of Gitea
             properties:
+              certIssuer:
+                description: TLS Cert-manager Issuer
+                type: string
+              certIssuerType:
+                default: ClusterIssuer
+                description: Cert-Manger Cluster Issuer Kind
+                enum:
+                - ClusterIssuer
+                - Issuer
+                type: string
+              clusterDomain:
+                type: string
               externalSSH:
                 description: Create a loadbalancer for ssh access
                 type: boolean
@@ -94,6 +106,10 @@ spec:
               sshHostname:
                 description: if different from Hostname
                 type: string
+              tls:
+                default: false
+                description: Use TLS
+                type: boolean
               valkey:
                 default: false
                 description: Use Valkey

config/rbac/role.yaml

@@ -69,6 +69,27 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - clusterissuers
+  - issuers
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - ""
   resources:

dist/install.yaml

@@ -66,6 +66,18 @@ spec:
           spec:
             description: GiteaSpec defines the desired state of Gitea
             properties:
+              certIssuer:
+                description: TLS Cert-manager Issuer
+                type: string
+              certIssuerType:
+                default: ClusterIssuer
+                description: Cert-Manger Cluster Issuer Kind
+                enum:
+                - ClusterIssuer
+                - Issuer
+                type: string
+              clusterDomain:
+                type: string
               externalSSH:
                 description: Create a loadbalancer for ssh access
                 type: boolean
@@ -102,6 +114,10 @@ spec:
               sshHostname:
                 description: if different from Hostname
                 type: string
+              tls:
+                default: false
+                description: Use TLS
+                type: boolean
               valkey:
                 default: false
                 description: Use Valkey
@@ -833,6 +849,27 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - clusterissuers
+  - issuers
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - ""
   resources:

gitea.yaml

@@ -6,7 +6,9 @@ metadata:
     app.kubernetes.io/managed-by: kustomize
   name: gitea
 spec:
-  prometheus: true
+  tls: true
+  certIssuer: selfsigned
+  prometheus: false
   prometheusLabels:
     prometheus: prometheus
   valkey: true

go.mod

@@ -6,6 +6,7 @@ toolchain go1.22.3
 
 require (
 	code.gitea.io/sdk/gitea v0.19.0
+	github.com/cert-manager/cert-manager v1.15.2
 	github.com/onsi/ginkgo/v2 v2.20.0
 	github.com/onsi/gomega v1.34.1
 	github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.75.2
@@ -82,6 +83,7 @@ require (
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20240620174524-b456828f718b // indirect
 	k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 // indirect
+	sigs.k8s.io/gateway-api v1.1.0 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect

go.sum

@@ -2,6 +2,8 @@ code.gitea.io/sdk/gitea v0.19.0 h1:8I6s1s4RHgzxiPHhOQdgim1RWIRcr0LVMbHBjBFXq4Y=
 code.gitea.io/sdk/gitea v0.19.0/go.mod h1:IG9xZJoltDNeDSW0qiF2Vqx5orMWa7OhVWrjvrd5NpI=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/cert-manager/cert-manager v1.15.2 h1:Mjbvc+FjYeg2928xy7bcS+c+ARxyqBcXM9QypOg1/Uo=
+github.com/cert-manager/cert-manager v1.15.2/go.mod h1:stBge/DTvrhfQMB/93+Y62s+gQgZBsfL1o0C/4AL/mI=
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
@@ -268,6 +270,8 @@ k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 h1:jgGTlFYnhF1PM1Ax/lAlxUPE+KfCI
 k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/controller-runtime v0.18.4 h1:87+guW1zhvuPLh1PHybKdYFLU0YJp4FhJRmiHvm5BZw=
 sigs.k8s.io/controller-runtime v0.18.4/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg=
+sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM=
+sigs.k8s.io/gateway-api v1.1.0/go.mod h1:ZH4lHrL2sDi0FHZ9jjneb8kKnGzFWyrTya35sWUTrRs=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=

internal/client/client.go

@@ -2,20 +2,30 @@ package client
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"io"
+	"net/http"
+	"time"
 
 	"code.gitea.io/sdk/gitea"
 	"k8s.io/apimachinery/pkg/types"
 	rclient "sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 
+	certv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+	cmetav1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
 	hyperv1 "hyperspike.io/gitea-operator/api/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 type Client struct {
 	*gitea.Client
-	Instance *hyperv1.Gitea
+	Instance   *hyperv1.Gitea
+	httpClient *http.Client
+	CA         []byte
+	token      string
 }
 
 func BuildFromOrg(ctx context.Context, r rclient.Client, instance *hyperv1.OrgRef, ns string) (*Client, *hyperv1.Gitea, error) {
@@ -52,6 +62,18 @@ func Build(ctx context.Context, r rclient.Client, instance *hyperv1.InstanceType
 	if !git.Status.Ready {
 		return nil, nil, nil
 	}
+	url := "http://" + git.Name + "." + git.Namespace + ".svc"
+	if git.Spec.TLS {
+		url = "https://" + git.Name + "." + git.Namespace + ".svc"
+	}
+	var err error
+	c := Client{}
+	c.CA, err = getCACertificate(ctx, r, git)
+	if err != nil {
+		logger.Error(err, "failed to get ca certificate")
+		return nil, nil, err
+	}
+	c.httpClient = httpClient(ctx, c.CA)
 	secret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      git.Name + "-admin",
@@ -62,8 +84,8 @@ func Build(ctx context.Context, r rclient.Client, instance *hyperv1.InstanceType
 		logger.Error(err, "failed getting admin secret "+git.Name+"-admin ")
 		return nil, nil, err
 	}
-	url := "http://" + git.Name + "." + git.Namespace + ".svc"
-	g, err := gitea.NewClient(url, gitea.SetContext(ctx), gitea.SetToken(string(secret.Data["token"])))
+	c.token = string(secret.Data["token"])
+	g, err := gitea.NewClient(url, gitea.SetContext(ctx), gitea.SetToken(c.token), gitea.SetHTTPClient(c.httpClient))
 	if err != nil {
 		logger.Error(err, "failed to create client for "+url)
 		return nil, nil, err
@@ -74,8 +96,97 @@ func Build(ctx context.Context, r rclient.Client, instance *hyperv1.InstanceType
 		return nil, nil, err
 	}
 
-	c := Client{}
 	c.Client = g
 	c.Instance = git
 	return &c, git, nil
 }
+
+func httpClient(ctx context.Context, CA []byte) *http.Client {
+	logger := log.FromContext(ctx)
+	httpClient := http.Client{
+		Timeout: time.Second * 10,
+	}
+	if CA != nil {
+		certpool, _ := x509.SystemCertPool()
+		if certpool == nil {
+			logger.Info("system cert pool is nil, creating new")
+			certpool = x509.NewCertPool()
+		}
+		certpool.AppendCertsFromPEM(CA)
+		httpClient.Transport = &http.Transport{
+			TLSClientConfig: &tls.Config{
+				RootCAs:    certpool,
+				MinVersion: tls.VersionTLS12,
+			},
+		}
+	}
+	return &httpClient
+}
+
+func getCACertificate(ctx context.Context, r rclient.Client, gitea *hyperv1.Gitea) ([]byte, error) {
+	logger := log.FromContext(ctx)
+
+	cert := &certv1.Certificate{}
+	if err := r.Get(ctx, types.NamespacedName{Namespace: gitea.Namespace, Name: gitea.Name}, cert); err != nil {
+		logger.Error(err, "failed to get ca certificate")
+		return []byte{}, err
+	}
+	if cert.Status.Conditions == nil {
+		return []byte{}, nil
+	}
+	good := false
+	for _, cond := range cert.Status.Conditions {
+		if cond.Type == certv1.CertificateConditionReady {
+			if cond.Status == cmetav1.ConditionTrue {
+				good = true
+				break
+			}
+		}
+	}
+	if !good {
+		return []byte{}, nil
+	}
+	tls := &corev1.Secret{}
+	err := r.Get(ctx, types.NamespacedName{Namespace: gitea.Namespace, Name: cert.Spec.SecretName}, tls)
+	if err != nil {
+		logger.Error(err, "failed to get tls secret")
+		return []byte{}, err
+	}
+	return tls.Data["ca.crt"], nil
+}
+
+func (c *Client) Get(url string) (resp *http.Response, err error) {
+	req, err := http.NewRequest("GET", url, nil)
+	if err != nil {
+		return nil, err
+
+	}
+
+	req.Header.Set("User-Agent", "gitea-operator/0.1.0")
+	req.Header.Set("Authorization", c.token)
+
+	return c.httpClient.Do(req)
+
+}
+
+func (c *Client) Post(url, contentType string, body io.Reader) (resp *http.Response, err error) {
+	req, err := http.NewRequest("POST", url, body)
+	if err != nil {
+		return nil, err
+
+	}
+
+	req.Header.Set("Content-Type", contentType)
+	req.Header.Set("User-Agent", "gitea-operator/0.1.0")
+	req.Header.Set("Authorization", c.token)
+
+	return c.httpClient.Do(req)
+
+}
+
+func (c *Client) Do(req *http.Request) (*http.Response, error) {
+	req.Header.Set("User-Agent", "gitea-operator/0.1.0")
+	req.Header.Set("Authorization", c.token)
+	return c.httpClient.Do(req)
+
+}