Gitea

Purpose

Gitea is Lumie's internal Git hosting service for developer pushes and Tekton webhook intake. It is not currently the only Git source in the platform: Argo CD root Applications still reference GitHub for lumie-infra, so Gitea sits on the build side of the delivery path rather than cleanly owning the whole GitOps loop.

This page is a reference document for developers changing repository hosting, Git credentials, or Tekton's source control integration.

Source Paths

Path	Role
`lumie-infra/bootstrap/gitea/argocd.yaml`	Argo CD application and sync-wave placement
`lumie-infra/bootstrap/gitea/common-values.yaml`	Vault-backed admin and database Secret projection
`lumie-infra/bootstrap/gitea/helm-values.yaml`	Gitea chart settings, DB config, reverse-proxy auth, storage, and theme mount
`lumie-infra/bootstrap/gitea/themes/kustomization.yaml`	Packages the custom GitHub-style theme ConfigMap
`lumie-infra/applications/tekton/ci-cd/manifests/secrets/gitea-credentials.yaml`	Tekton's Gitea credential Secret
`lumie-infra/applications/tekton/ci-cd/manifests/triggers/triggerbinding.yaml`	In-cluster Gitea clone URL contract

Public Surface

Surface	Contract
External URL	`https://github.lumie-infra.com/` from `gitea.config.server.ROOT_URL`
In-cluster Service	`gitea-http` on port `3000`
Auth path	Reverse-proxy headers from Teleport; SSH is disabled
Admin bootstrap	`gitea-admin` Secret projected from Vault path `secret/infrastructure/gitea`
Database	PostgreSQL `infra-db-rw.infra-db.svc.cluster.local:5432`, database `gitea`, user `gitea`

The service is single-replica and pinned to the control-plane node because its PVC uses local-path-retain.

Runtime Flow

Configuration Notes

This excerpt shows the active storage and database contract:

gitea:
  config:
    database:
      DB_TYPE: postgres
      HOST: infra-db-rw.infra-db.svc.cluster.local:5432
      NAME: gitea
      USER: gitea

Other important runtime choices in bootstrap/gitea/helm-values.yaml:

DISABLE_SSH: true, so Git traffic is HTTPS-only.
ENABLE_REVERSE_PROXY_AUTHENTICATION: "true" trusts Teleport-injected identity headers.
serviceMonitor.enabled: true exposes metrics.
mirror.ENABLED: true allows repository mirroring, although the actual mirror relationship is not declared in the inspected manifests.
a custom github theme is mounted from a ConfigMap in bootstrap/gitea/themes.

Failure And Drift Behavior

Inspected sources disagree on the backing database:

Source	Claim
Top comment block in `bootstrap/gitea/helm-values.yaml`	Says Gitea is a single replica with a SQLite backend
Actual `gitea.config.database` and `gitea-db-vss` config	Use PostgreSQL in `infra-db` with a Vault-projected password

Treat PostgreSQL as the active contract. The SQLite comment is stale.

There is also a Git-host ownership split:

Source	Claim
Argo CD root Applications	Still pull `lumie-infra` from GitHub
Tekton trigger binding and values-update task	Clone and push through in-cluster Gitea

Do not describe Gitea as the sole GitOps source until those paths are aligned.

Verification

cd lumie-infra
rg -n "ROOT_URL|DISABLE_SSH|REVERSE_PROXY|DB_TYPE|gitea-http" \
  bootstrap/gitea applications/tekton/ci-cd

kubectl get application gitea -n argocd -o yaml
kubectl get secret gitea-admin gitea-db-secret -n gitea
kubectl get svc -n gitea

Purpose​

Source Paths​

Public Surface​

Runtime Flow​

Configuration Notes​

Failure And Drift Behavior​

Verification​