Skip to main content

Gitea Bootstrap Hardening

This page is an incident retrospective for the April 12-15, 2026 Gitea hardening sequence. The steady-state service contract lives in the infrastructure GitOps Gitea reference page.

What Changed

CommitChangeLasting effect
6571494fMoved Gitea from SQLite-era assumptions to infra-db PostgreSQL and added gitea-db-vss in bootstrap/gitea/common-values.yamlSurvives in the current repo.
dff411efSet gitea.config.webhook.ALLOWED_HOST_LIST: "*" so webhooks could reach in-cluster ClusterIP targetsSurvives in the current repo.
c0c14df0Disabled SSH, removed the NodePort SSH service, and added a direct git.lumie-infra.com ingress plus header-stripping middlewareOnly the SSH disablement survived. The direct ingress path was later reverted.

What Survived

The current source of truth is bootstrap/gitea/common-values.yaml, bootstrap/gitea/helm-values.yaml, and bootstrap/gitea/argocd.yaml.

Those files still enforce the hardening that remained valuable after the incident window:

  • common-values.yaml projects both gitea-admin and gitea-db-secret from Vault-backed VaultStaticSecret resources.
  • helm-values.yaml uses gitea.config.database.DB_TYPE: postgres with HOST: infra-db-rw.infra-db.svc.cluster.local:5432.
  • helm-values.yaml keeps DISABLE_SSH: true, so Git traffic is HTTPS-only.
  • helm-values.yaml keeps Teleport reverse-proxy auth enabled through the X-Teleport-* headers.
  • helm-values.yaml still sets webhook.ALLOWED_HOST_LIST: "*" for internal webhook delivery.

What Was Reverted Later

3e4e0ae4 removed bootstrap/gitea/manifests/** and the extra Argo CD source that c0c14df0 had added for git.lumie-infra.com. That means the direct-exposure ingress and its Traefik middleware were a short-lived hardening step for a route that no longer exists in the current repo.

Today, the smaller contract is the real one:

  • bootstrap/gitea/argocd.yaml no longer references bootstrap/gitea/manifests
  • the checked-in app sources are the chart, the charts/common values source, and the theme ConfigMap source
  • public access is expected to flow through the Teleport-backed github.lumie-infra.com path instead of a second direct hostname

Drift To Call Out Explicitly

The top comment block in the current bootstrap/gitea/helm-values.yaml is stale. It still mentions a SQLite backend and a git.lumie-infra.com ingress, but the active configuration below it uses PostgreSQL and has no checked-in direct-ingress source. Treat the runtime keys, not the comment header, as the source of truth.

Lasting Invariants

  • If Gitea trusts X-Teleport-* identity headers, every non-Teleport route must either strip those headers or be removed.
  • Database and admin credentials belong in Vault-projected secrets, not inline chart values.
  • For this repo, comments in bootstrap/gitea/helm-values.yaml are less reliable than the actual gitea.config.* block and the current Argo CD sources.

Verification

cd lumie-infra
rg -n "DB_TYPE|DISABLE_SSH|ALLOWED_HOST_LIST|ENABLE_REVERSE_PROXY_AUTHENTICATION|REVERSE_PROXY_AUTHENTICATION_USER" \
bootstrap/gitea/common-values.yaml \
bootstrap/gitea/helm-values.yaml
rg -n "bootstrap/gitea/manifests" bootstrap/gitea/argocd.yaml

Success means the runtime config still shows PostgreSQL, HTTPS-only Git, Teleport header auth, and permissive webhook delivery, while the Argo CD app no longer carries the reverted direct-ingress manifest source.