cd-service account role revision (removed access to networking.k8s.io and policy), helm values reviewed to run on cicd pipeline and ingress moved to infra

README.md

@@ -12,6 +12,11 @@ Using [gitea](https://git.limbosolutions.com/kb/gitea) as git server.
 
 ## Deploy
 
+References:
+
+- <https://gitea.com/gitea/helm-gitea>
+- <https://dl.gitea.com/charts/>
+
 ### Continuous Deploy
 
 Executes [App Deploy](#app) using [Gitea workflow](./.gitea/workflows/app-continous-deploy.yaml).
@@ -32,7 +37,6 @@ Deploy App
 ```
 
 - [backups-kustomization](/deploy/app/kustomization.yaml)
-- <https://dl.gitea.com/charts/>
 
 ### Infra
 

deploy/app/helm-values.yaml

@@ -1,31 +1,87 @@
 image:
   registry: ""
+  # IMPORTANT:
+  # The default image used by the Gitea Helm chart is the *rootless* variant.
+  # Rootless Gitea does NOT include an SSH server, so enabling SSH in the chart
+  # will NOT work unless you explicitly switch to the rootful image.
+  #
+  # Default chart image (rootless, SSH disabled):
+  #   registry: "docker.gitea.com"
+  #   repository: gitea
+  #
+  # Correct rootful image (SSH enabled):
+  #   repository: gitea/gitea
+  #
+  # This ensures the container includes OpenSSH and can expose the SSH port.
   repository: gitea/gitea
   pullPolicy: Always
-  tag: "1"
+# dependency: 
-
+# https://github.com/bitnami/charts/blob/main/bitnami/valkey-cluster/Chart.yaml
-cache:
-  enabled: false
-
 valkey-cluster:
   enabled: false
 
+# dependency:
+# https://github.com/bitnami/charts/blob/main/bitnami/valkey/Chart.yaml
 valkey:
   enabled: true
   architecture: standalone
   global:
     valkey:
       password: "???"
-  master:
-    count: 1
-    service:
-      ports:
-        valkey: 6379
 
+  # Disable NetworkPolicy creation in the Bitnami valkey subchart.
+  # This deployment runs inside a controlled namespace where network
+  # boundaries are enforced by the platform (Infra team), not by Helm.
+  #
+  # CI/CD pipelines use a restricted ServiceAccount that is intentionally
+  # NOT allowed to create or modify NetworkPolicies. Leaving this enabled
+  # would cause Helm upgrades to fail with RBAC errors.
+  #
+  # Infra-owned NetworkPolicies are applied separately and independently
+  # of application charts to maintain a clean separation of responsibilities.
+  networkPolicy:
+    enabled: false
+
+  serviceAccount:
+    # serviceAccount resources are owned and managed by the Infrastructure layer.
+    # The CI/CD ServiceAccount used for application deployments does not have
+    # permissions to create or modify serviceAccounts, by design.
+    #
+    # In this setup Valkey does not require its own ServiceAccount, so enabling
+    # this would provide no benefit and would cause Helm upgrades to fail due
+    # to RBAC restrictions. 
+    create: false 
+    name: ""
+
+  primary:
+    pdb:
+      # Disable the PodDisruptionBudget for PostgreSQL.
+      #
+      # This deployment uses a single‑instance (non‑HA) valkey, so a PDB
+      # provides no real benefit — Kubernetes cannot evict the only pod anyway.
+      #
+      # More importantly, PodDisruptionBudgets are considered an Infra‑owned
+      # resource in this cluster. The CI/CD ServiceAccount intentionally lacks
+      # permissions to create or modify PDBs, and enabling this would cause
+      # Helm upgrades to fail with RBAC errors.
+      #
+      # The platform team applies disruption policies separately at the
+      # infrastructure layer, keeping a clean separation of responsibilities.
+      create: false 
+    
+
+
+
+# dependency:
+# https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml
+postgresql-ha:
+  enabled: false
+
+# dependency:
+# https://github.com/bitnami/charts/blob/main/bitnami/postgresql
 postgresql:
   enabled: true
   image:
-    registry: ""
     repository: bitnami/postgresql
     tag: 16
     imagePullPolicy: IfNotPresent
@@ -36,29 +92,59 @@ postgresql:
         password: "???"
         database: "???"
         username: "???"
-      service:
+
-        ports:
-          postgresql: 5432
   primary:
+    networkPolicy:
+     # Disable NetworkPolicy creation in the Bitnami PostgreSQL subchart.
+      # This deployment runs inside a controlled namespace where network
+      # boundaries are enforced by the platform (Infra team), not by Helm.
+      #
+      # CI/CD pipelines use a restricted ServiceAccount that is intentionally
+      # NOT allowed to create or modify NetworkPolicies. Leaving this enabled
+      # would cause Helm upgrades to fail with RBAC errors.
+      #
+      # Infra-owned NetworkPolicies are applied separately and independently
+      # of application charts to maintain a clean separation of responsibilities.
+      enabled: false 
+    pdb:
+      # Disable the PodDisruptionBudget for PostgreSQL.
+      #
+      # This deployment uses a single‑instance (non‑HA) PostgreSQL, so a PDB
+      # provides no real benefit — Kubernetes cannot evict the only pod anyway.
+      #
+      # More importantly, PodDisruptionBudgets are considered an Infra‑owned
+      # resource in this cluster. The CI/CD ServiceAccount intentionally lacks
+      # permissions to create or modify PDBs, and enabling this would cause
+      # Helm upgrades to fail with RBAC errors.
+      #
+      # The platform team applies disruption policies separately at the
+      # infrastructure layer, keeping a clean separation of responsibilities.
+      create: false 
+
+    serviceAccount:
+      # serviceAccount resources are owned and managed by the Infrastructure layer.
+      # The CI/CD ServiceAccount used for application deployments does not have
+      # permissions to create or modify serviceAccounts, by design.
+      # In this setup postgresql does not require its own ServiceAccount, so enabling
+      # this would provide no benefit and would cause Helm upgrades to fail due
+      # to RBAC restrictions. 
+      create: false
+
     persistence:
       size: 10Gi
   metrics:
-    enabled: true
+    enabled: false
-    collectors:
-      wal: false
- 
-postgresql-ha:
-  enabled: false
 
 persistence:
   enabled: true
+
 service:
   ssh:
-      type: LoadBalancer
+    type: LoadBalancer
-      enabled: true
+    enabled: true
-      port: 2222
+    port: 2222
-      loadBalancerIP: "" # optional
+    loadBalancerIP: 
-      externalTrafficPolicy: Local
+    externalTrafficPolicy: Local
   http:
     clusterIP: ""   # empty string → Kubernetes assigns a routable ClusterIP
     type: ClusterIP
@@ -129,22 +215,12 @@ gitea:
       INTERNAL_TOKEN: "???"
       PASSWORD_HASH_ALGO: "???"
 
+  # Ingress resources are owned and managed by the Infrastructure layer.
+  # The CI/CD ServiceAccount used for application deployments does not have
+  # permissions to create or modify Ingress objects, by design.
+  # for ingress setup check infra folder
 ingress:
-  enabled: true
+  enabled: false
-  className: traefik
-  annotations:
-    kubernetes.io/ingress.class: traefik
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure, public-https
-  hosts:
-    - host: git.limbosolutions.com
-      paths:
-        - path: /
-          pathType: Prefix
-  tls:
-    - secretName: limbosolutions-com-tls
-      hosts:
-       - "git.limbosolutions.com"
 
 
 

deploy/infra/cd-serviceaccount.yaml

@@ -24,7 +24,7 @@ metadata:
   name: continuous-deploy
 rules:
 - apiGroups: [""]
-  resources: ["pods", "services", "secrets", "configmaps", "persistentvolumeclaims", "endpoints", "serviceaccounts"]
+  resources: ["pods", "services", "secrets", "configmaps", "persistentvolumeclaims"]
   verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
 
 - apiGroups: ["apps"]
@@ -35,15 +35,6 @@ rules:
   resources: ["cronjobs", "jobs"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 
-- apiGroups: ["networking.k8s.io"]
-  resources: ["networkpolicies", "ingresses"]
-  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-
-- apiGroups: ["policy"]
-  resources: ["poddisruptionbudgets"]
-  verbs: ["get", "list", "watch", "update", "patch"]
-
-
 ---
 
 apiVersion: rbac.authorization.k8s.io/v1

deploy/infra/ingress.yaml

@@ -0,0 +1,27 @@
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: git-limbosolutions-com
+  namespace: git-limbosolutions-com
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure, public-https
+spec: 
+  ingressClassName: traefik
+  rules:
+    - host: git.limbosolutions.com
+      http:
+        paths:
+        - backend:
+            service:
+              name: gitea-http
+              port:
+                number: 3000
+          path: /
+          pathType: Prefix
+  tls:
+    - secretName: limbosolutions-com-tls
+      hosts:
+        - "git.limbosolutions.com"

deploy/infra/kustomization.yaml

@@ -2,7 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - namespace.yaml
-  - continuous-deploy-account.yaml
+  - cd-serviceaccount.yaml
+  - ingress.yaml
   - network-policies/egress.yaml
   - network-policies/egress-local-services.yaml
   - network-policies/ingress.yaml

ops-scripts/apply-app.sh

@@ -12,8 +12,8 @@ fi
 if [ -n "${APP_HELM_VALUE_GITEA_ADMIN_USERNAME:-}" ]; then
   echo "Executing helm deploy."
 
-    helm repo add gitea-charts https://dl.gitea.com/charts/
+    helm repo add gitea-charts https://dl.gitea.com/charts/ --force-update
-    helm repo update
+
     helm upgrade --install gitea gitea-charts/gitea --version 12.5.0 \
     --values deploy/app/helm-values.yaml \
     --set valkey.global.valkey.password=${APP_HELM_VALUE_VALKEY_GLOBAL_PASSWORD} \