Gitea Bootstrap Hardening
This page is an incident retrospective for the April 12-15, 2026 Gitea hardening sequence. The steady-state service contract lives in the infrastructure GitOps Gitea reference page.
What Changed
| Commit | Change | Lasting effect |
|---|---|---|
6571494f | Moved Gitea from SQLite-era assumptions to infra-db PostgreSQL and added gitea-db-vss in bootstrap/gitea/common-values.yaml | Survives in the current repo. |
dff411ef | Set gitea.config.webhook.ALLOWED_HOST_LIST: "*" so webhooks could reach in-cluster ClusterIP targets | Survives in the current repo. |
c0c14df0 | Disabled SSH, removed the NodePort SSH service, and added a direct git.lumie-infra.com ingress plus header-stripping middleware | Only the SSH disablement survived. The direct ingress path was later reverted. |
What Survived
The current source of truth is bootstrap/gitea/common-values.yaml, bootstrap/gitea/helm-values.yaml, and bootstrap/gitea/argocd.yaml.
Those files still enforce the hardening that remained valuable after the incident window:
common-values.yamlprojects bothgitea-adminandgitea-db-secretfrom Vault-backedVaultStaticSecretresources.helm-values.yamlusesgitea.config.database.DB_TYPE: postgreswithHOST: infra-db-rw.infra-db.svc.cluster.local:5432.helm-values.yamlkeepsDISABLE_SSH: true, so Git traffic is HTTPS-only.helm-values.yamlkeeps Teleport reverse-proxy auth enabled through theX-Teleport-*headers.helm-values.yamlstill setswebhook.ALLOWED_HOST_LIST: "*"for internal webhook delivery.
What Was Reverted Later
3e4e0ae4 removed bootstrap/gitea/manifests/** and the extra Argo CD source that c0c14df0 had added for git.lumie-infra.com. That means the direct-exposure ingress and its Traefik middleware were a short-lived hardening step for a route that no longer exists in the current repo.
Today, the smaller contract is the real one:
bootstrap/gitea/argocd.yamlno longer referencesbootstrap/gitea/manifests- the checked-in app sources are the chart, the
charts/commonvalues source, and the theme ConfigMap source - public access is expected to flow through the Teleport-backed
github.lumie-infra.compath instead of a second direct hostname
Drift To Call Out Explicitly
The top comment block in the current bootstrap/gitea/helm-values.yaml is stale. It still mentions a SQLite backend and a git.lumie-infra.com ingress, but the active configuration below it uses PostgreSQL and has no checked-in direct-ingress source. Treat the runtime keys, not the comment header, as the source of truth.
Lasting Invariants
- If Gitea trusts
X-Teleport-*identity headers, every non-Teleport route must either strip those headers or be removed. - Database and admin credentials belong in Vault-projected secrets, not inline chart values.
- For this repo, comments in
bootstrap/gitea/helm-values.yamlare less reliable than the actualgitea.config.*block and the current Argo CD sources.
Verification
cd lumie-infra
rg -n "DB_TYPE|DISABLE_SSH|ALLOWED_HOST_LIST|ENABLE_REVERSE_PROXY_AUTHENTICATION|REVERSE_PROXY_AUTHENTICATION_USER" \
bootstrap/gitea/common-values.yaml \
bootstrap/gitea/helm-values.yaml
rg -n "bootstrap/gitea/manifests" bootstrap/gitea/argocd.yaml
Success means the runtime config still shows PostgreSQL, HTTPS-only Git, Teleport header auth, and permissive webhook delivery, while the Argo CD app no longer carries the reverted direct-ingress manifest source.