---
apiVersion: v1
data:
  configure-gitea-kubectl.sh: "#!/bin/bash\napt-get update && apt-get install -y curl jq\n\ncurl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl\nchmod +x ./kubectl\nmv ./kubectl /usr/local/bin\n\nfunction wait_for_keycloak() {\n  echo \"Checking keycloak...\"\n  echo \"\"\n  while true; do\n      NAMESPACE=\"keycloak\"\n      LABEL=\"app=keycloak\"\n      CONTAINER=\"keycloak\"\n\n      # Find the first pod name matching label and is Running\n      PODS=$(kubectl get pods -n \"$NAMESPACE\" -l \"$LABEL\" --field-selector=status.phase=Running -o jsonpath=\"{.items[*].metadata.name}\")\n      FIRST_POD=$(echo \"$PODS\" | awk '{print $1}')\n      if [[ -z \"$FIRST_POD\" ]]; then\n          echo \"No running pod with label $LABEL in namespace $NAMESPACE found yet.\"\n          echo \"Waiting 10 seconds...\"\n          sleep 10\n          continue\n      fi\n      POD=$FIRST_POD\n\n      echo \"Found running pod: $POD\"\n      # Check if the specific container is present and ready\n      IS_READY=$(kubectl get pod \"$POD\" -n \"$NAMESPACE\" -o jsonpath=\"{.status.containerStatuses[?(@.name=='$CONTAINER')].ready}\")\n      if [[ \"$IS_READY\" == \"true\" ]]; then\n          echo \"Container '$CONTAINER' in pod '$POD' is ready.\"\n          break\n      else\n          echo \"Container '$CONTAINER' in pod '$POD' is NOT ready.\"\n      fi\n  done\n}\n\nwait_for_keycloak\n\n# randomize token name to avoid collisions\nRANDOM_TOKEN_NAME='giteajob-'$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 5)\n\nkubectl -n cf-gitea exec deploy/gitea -c gitea -- \\\n  gitea admin user create --username $ADMIN_USERNAME --password $ADMIN_PASSWORD --admin=true --must-change-password=false --email ${ADMIN_USERNAME}@${DOMAIN}\n\nadmin_token=$(kubectl -n cf-gitea exec deploy/gitea -c gitea -- \\\n  gitea admin user generate-access-token --raw --username $ADMIN_USERNAME --token-name ${RANDOM_TOKEN_NAME} --scopes all\n)\n\n# Update Gitea config to use correct domain\nkubectl -n cf-gitea exec deploy/gitea -c gitea -- \\\n  sed -i -e \"s/git\\.example\\.com/gitea\\.$DOMAIN/g\" /data/gitea/conf/app.ini\n\nkubectl -n cf-gitea exec deploy/gitea -c gitea -- \\\n  sed -i -e \"s/http:/https:/g\" /data/gitea/conf/app.ini\n\n# Rename user forge to forge_user\ncurl -H \"Content-Type: application/json\" -H \"Authorization: Bearer ${admin_token}\" -d '{\"new_username\": \"forge_user\"}' https://gitea.${DOMAIN}/api/v1/admin/users/forge/rename\n\n# create organization forge\ncurl -H \"Content-Type: application/json\" -H \"Authorization: Bearer ${admin_token}\" -d '{\"username\": \"forge\"}' https://gitea.${DOMAIN}/api/v1/admin/users/forge_user/orgs\n\n# create team Developers with write access to org and save the ID\nTEAM_ID=$(curl -H \"Content-Type: application/json\" -H \"Authorization: Bearer ${admin_token}\" -d '{\"name\": \"Developers\", \"permission\": \"write\", \"units\": [\"repo.actions\",\"repo.code\",\"repo.issues\",\"repo.ext_issues\",\"repo.wiki\",\"repo.ext_wiki\",\"repo.pulls\",\"repo.releases\",\"repo.projects\",\"repo.ext_wiki\"]}' https://gitea.${DOMAIN}/api/v1/orgs/forge/teams | jq -r '.id')\n\n# transfer repo clusterforge to org forge\ncurl -H \"Content-Type: application/json\" -H \"Authorization: Bearer ${admin_token}\" -d '{\"new_owner\": \"forge\"}' https://gitea.${DOMAIN}/api/v1/repos/forge_user/clusterforge/transfer\n\n# add forge repo to Developer teams \ncurl -H \"Content-Type: application/json\" -X PUT -H \"Authorization: Bearer ${admin_token}\"  https://gitea.${DOMAIN}/api/v1/teams/${TEAM_ID}/repos/forge/clusterforge\n\n# add user forge_user as admin collaborator to repo clusterforge\ncurl -H \"Content-Type: application/json\" -H \"Authorization: Bearer ${admin_token}\" -d '{\"permission\": \"admin\"}' https://gitea.${DOMAIN}/api/v1/repos/forge/clusterforge/collaborators/forge_user\n\n\n\nkubectl -n cf-gitea exec deploy/gitea -c gitea -- \\\n  gitea admin auth add-oauth \\\n  --name \"Keycloak\" \\\n  --provider openidConnect \\\n  --key \"gitea\" \\\n  --secret ${CLIENT_SECRET} \\\n  --group-claim-name \"groups\" \\\n  --scopes \"groups\" \\\n  --group-team-map \"{\\\"/gitea-users\\\":{\\\"forge\\\":[\\\"Developers\\\"]}}\" \\\n  --auto-discover-url \"https://kc.${DOMAIN}/realms/k8s/.well-known/openid-configuration\"\n\n\npodname=$(kubectl -n cf-gitea get pods --selector=app=gitea -o jsonpath='{.items[*].metadata.name}')\n\necho \"Restarting gitea pod after keycloak is alive\"\nkubectl -n cf-gitea delete --wait=false pod/$podname\n\necho \"Restarting minio tenant pool pod after keycloak is alive\"\nkubectl -n minio-tenant-default delete --wait=false pod/default-minio-tenant-pool-0-0\n"
kind: ConfigMap
metadata:
  name: gitea-config-script
  namespace: keycloak