From f7353d48f435a90825d337debe6777dd80c223fe Mon Sep 17 00:00:00 2001
From: Jan Novak
Date: Thu, 26 Mar 2026 13:37:16 +0100
Subject: [PATCH] deploy: add Gitea registry pull secret and ExternalSecret
Co-Authored-By: Claude Sonnet 4.6
---
 deploy/deployment_gateway-cert-operator.yaml | 2 ++
 deploy/externalsecret_gitea-registry.yaml | 22 ++++++++++++++++++++
 deploy/kustomization.yaml | 1 +
 3 files changed, 25 insertions(+)
 create mode 100644 deploy/externalsecret_gitea-registry.yaml
diff --git a/deploy/deployment_gateway-cert-operator.yaml b/deploy/deployment_gateway-cert-operator.yaml
index 9f353cf..0be7882 100644
--- a/deploy/deployment_gateway-cert-operator.yaml
+++ b/deploy/deployment_gateway-cert-operator.yaml
@@ -17,6 +17,8 @@ spec:
 app.kubernetes.io/name: gateway-cert-operator
 app.kubernetes.io/component: operator
 spec:
+ imagePullSecrets:
+ - name: gitea-registry
 serviceAccountName: gateway-cert-operator
 terminationGracePeriodSeconds: 10
 securityContext:
diff --git a/deploy/externalsecret_gitea-registry.yaml b/deploy/externalsecret_gitea-registry.yaml
new file mode 100644
index 0000000..dff2698
--- /dev/null
+++ b/deploy/externalsecret_gitea-registry.yaml
@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: gitea-registry
+ namespace: fujarna
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ name: vault-backend
+ kind: ClusterSecretStore
+ target:
+ name: gitea-registry
+ creationPolicy: Owner
+ template:
+ type: kubernetes.io/dockerconfigjson
+ data:
+ .dockerconfigjson: "{{ .token }}"
+ data:
+ - secretKey: token
+ remoteRef:
+ key: k8s_home/gitea/container-registry
+ property: token
diff --git a/deploy/kustomization.yaml b/deploy/kustomization.yaml
index ed9bace..86734c1 100644
--- a/deploy/kustomization.yaml
+++ b/deploy/kustomization.yaml
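Review bot: The added `imagePullSecrets` entry resolves `gitea-registry` only in the pod's own namespace, and nothing in this hunk shows that namespace matching the `namespace: fujarna` hard-coded in the new ExternalSecret. The kustomization touched by the same patch lists `namespace_gateway-cert-operator-system.yaml`, which suggests the operator may run in a different namespace; if it does, the Secret will not be found and the image pull would presumably fail for lack of credentials. The Deployment's metadata lies outside the hunk, so confirm the namespace there or a `namespace:` override in the kustomization. A comment above the new lines, for example `# pull secret is created by externalsecret_gitea-registry.yaml; must live in this pod's namespace`, would record the dependency.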
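Review bot: The template writes `{{ .token }}` verbatim into `.dockerconfigjson`, so the Vault property `token` has to hold a complete Docker config document (the JSON object with an `auths` entry) rather than a bare registry token; a Secret of type `kubernetes.io/dockerconfigjson` whose payload is not valid JSON is rejected by the API server. If the Vault entry really stores the whole document, naming the key accordingly, e.g. `secretKey: dockerconfigjson`, and adding a comment saying so would keep a later editor from putting a plain token there. Because any pod in the namespace that references this Secret can pull with it, the Gitea credential behind it should be limited to read access on packages and not be a personal token with write or admin scope. `vault-backend` is a ClusterSecretStore, so it is also worth checking that the store restricts which namespaces may reference it; that configuration is not visible in this patch.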
@@ -3,6 +3,7 @@ kind: Kustomization resources: - namespace_gateway-cert-operator-system.yaml + - externalsecret_gitea-registry.yaml - serviceaccount_gateway-cert-operator.yaml - clusterrole_gateway-cert-operator.yaml - clusterrolebinding_gateway-cert-operator.yaml