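#!/usr/bin/env bash
# Deploy the Gitea security update described by the manifests in this
# directory to the cluster selected by the current kubectl context, after
# taking a backup of the SQLite database inside the running Gitea pod.
#
# Steps: prerequisite checks -> database backup -> kubectl apply -k ->
# rollout wait -> deployment listing -> HTTP security-header check -> summary.
#
# Required tools: kubectl, curl.
# Optional environment overrides (defaults reproduce the original behaviour):
#   GITEA_NAMESPACE  namespace holding the Gitea deployment   (default: gitea)
#   GITEA_URL        public URL probed for security headers   (default: https://git.gooseek.ru)
#   GITEA_VERSION    version the manifests are expected to deploy (default: 1.25.4)
set -euo pipefail

# Split declaration from assignment so a failing cd is not masked.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" || exit 1
readonly SCRIPT_DIR
readonly NAMESPACE="${GITEA_NAMESPACE:-gitea}"
readonly GITEA_URL="${GITEA_URL:-https://git.gooseek.ru}"
readonly EXPECTED_VERSION="${GITEA_VERSION:-1.25.4}"
readonly ROLLOUT_TIMEOUT="300s"
# Location of the SQLite database inside the Gitea container.
readonly DB_PATH="/data/gitea/gitea.db"

#######################################
# Print an error message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf 'Error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Abort unless kubectl and curl are installed and kubectl can reach a cluster.
# Globals:  none
# Outputs:  progress to stdout, diagnostics to stderr
# Returns:  0 on success; exits 1 on failure
#######################################
check_prereqs() {
  command -v kubectl >/dev/null 2>&1 || die "kubectl not found"
  command -v curl >/dev/null 2>&1 || die "curl not found"
  echo "Checking cluster connectivity..."
  if ! kubectl cluster-info >/dev/null 2>&1; then
    printf 'Error: Cannot connect to Kubernetes cluster\n' >&2
    printf 'Please ensure kubectl is configured correctly\n' >&2
    exit 1
  fi
}

#######################################
# Copy the SQLite database inside the running Gitea pod to a timestamped
# file on the same volume (same location the original script used).
#
# A genuinely fresh install (no pod, or no database file yet) is skipped.
# Any other failure aborts the deployment: the original script reported
# every backup failure as "new installation" and carried on, so a security
# update could roll out with no restorable copy of existing data.
# Globals:  NAMESPACE, DB_PATH
# Returns:  0 on success or skip; exits 1 when an existing database
#           cannot be backed up or the pod cannot be inspected
#######################################
backup_database() {
  local pod
  # No matching pod -> empty string (kubectl errors are intentionally silenced).
  pod=$(kubectl get pods -n "$NAMESPACE" -l app=gitea \
    -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || true)
  if [[ -z "$pod" ]]; then
    echo "Backup skipped (new installation)"
    return 0
  fi

  # Distinguish "file absent" from "exec failed": only a successful exec
  # prints yes/no, so any other output means the pod could not be inspected.
  local present
  present=$(kubectl exec -n "$NAMESPACE" "$pod" -- \
    sh -c "test -f $DB_PATH && echo yes || echo no" 2>/dev/null || true)
  case "$present" in
    yes) ;;
    no)
      echo "No database at ${DB_PATH} - backup skipped (new installation)"
      return 0
      ;;
    *)
      die "cannot inspect pod ${pod} (is it running?); refusing to deploy without a backup"
      ;;
  esac

  local stamp backup
  stamp=$(date +%Y%m%d%H%M%S)
  backup="${DB_PATH}.backup.${stamp}"
  echo "Creating backup of Gitea database..."
  kubectl exec -n "$NAMESPACE" "$pod" -- cp "$DB_PATH" "$backup" \
    || die "backup of ${DB_PATH} failed; aborting before deployment"
  # NOTE(review): the backup lives on the pod's own volume; whether it
  # survives a pod replacement depends on that volume's type - confirm.
  echo "Backup written to ${pod}:${backup}"
}

#######################################
# Apply the kustomization in SCRIPT_DIR.
# Globals:  SCRIPT_DIR
#######################################
apply_manifests() {
  cd "$SCRIPT_DIR" || die "cannot cd to ${SCRIPT_DIR}"
  kubectl apply -k .
}

#######################################
# Block until the gitea deployment has rolled out or ROLLOUT_TIMEOUT elapses.
# Globals:  NAMESPACE, ROLLOUT_TIMEOUT
# Returns:  kubectl's status (non-zero on timeout aborts the script via set -e)
#######################################
wait_for_rollout() {
  kubectl -n "$NAMESPACE" rollout status deployment/gitea --timeout="$ROLLOUT_TIMEOUT"
}

#######################################
# List pods, services and ingresses, then show the image actually rolled
# out. The script announces a version number, but the version deployed
# comes from the manifests, so the image reference is printed and a warning
# is raised when it does not mention EXPECTED_VERSION.
# Globals:  NAMESPACE, EXPECTED_VERSION
#######################################
verify_deployment() {
  kubectl -n "$NAMESPACE" get pods -o wide
  echo ""
  kubectl -n "$NAMESPACE" get svc
  echo ""
  kubectl -n "$NAMESPACE" get ingress
  echo ""
  local image
  image=$(kubectl -n "$NAMESPACE" get deployment/gitea \
    -o jsonpath='{.spec.template.spec.containers[*].image}')
  printf 'Deployed image: %s\n' "$image"
  if [[ "$image" != *"$EXPECTED_VERSION"* ]]; then
    # A digest-pinned or differently tagged image is not necessarily wrong,
    # hence a warning rather than an abort.
    printf 'Warning: image reference does not mention %s; confirm the manifests pin the intended version\n' \
      "$EXPECTED_VERSION" >&2
  fi
}

#######################################
# Fetch the response headers of GITEA_URL and print the security headers
# that are present. Header names are matched case-insensitively: HTTP/2
# lowercases them, while HTTP/1.1 servers commonly send them Title-Cased,
# and the original case-sensitive pattern reported a failure for the latter.
# The pattern covers every header the summary below claims was added.
# Globals:  GITEA_URL
# Returns:  0 when at least one expected header is seen, 1 otherwise
#######################################
verify_headers() {
  echo "Checking HTTP headers..."
  sleep 5
  local headers
  # --max-time keeps a non-resolving or hanging endpoint from stalling the run.
  if ! headers=$(curl -sI --max-time 15 "${GITEA_URL}/"); then
    echo "Headers check failed - wait for DNS propagation"
    return 1
  fi
  local found
  found=$(printf '%s\n' "$headers" \
    | grep -iE '^(strict-transport-security|x-frame-options|x-content-type-options|content-security-policy|referrer-policy|x-xss-protection):' \
    || true)
  if [[ -z "$found" ]]; then
    echo "Headers check failed - no expected security headers in response"
    return 1
  fi
  printf '%s\n' "$found"
}

#######################################
# Print the closing summary of what the manifests are expected to change.
# Globals:  GITEA_URL, EXPECTED_VERSION
#######################################
print_summary() {
  echo "=== Deployment Complete ==="
  echo ""
  echo "Gitea URL: ${GITEA_URL}"
  echo "SSH: git@git.gooseek.ru (port 30022 NodePort)"
  echo ""
  echo "Security fixes applied:"
  echo " [✓] Updated to Gitea ${EXPECTED_VERSION} (CVE fixes)"
  echo " [✓] Disabled public registration"
  echo " [✓] Added CSP header"
  echo " [✓] Added X-Content-Type-Options header"
  echo " [✓] Added X-XSS-Protection header"
  echo " [✓] Added Referrer-Policy header"
  echo " [✓] Disabled Swagger API"
  echo " [✓] Enabled CAPTCHA for login"
  echo " [✓] Enforced strong passwords (12+ chars)"
  echo " [✓] Disabled Gravatar"
  echo ""
}

#######################################
# Orchestrate the deployment in the original order.
#######################################
main() {
  echo "=== Gitea Security Update Deployment ==="
  echo "Version: ${EXPECTED_VERSION}"
  echo ""

  check_prereqs

  echo ""
  echo "=== Backing up current Gitea data ==="
  backup_database

  echo ""
  echo "=== Applying Gitea manifests ==="
  apply_manifests

  echo ""
  echo "=== Waiting for rollout ==="
  wait_for_rollout

  echo ""
  echo "=== Verifying deployment ==="
  verify_deployment

  echo ""
  echo "=== Security verification ==="
  # The header check is advisory (the original continued on failure), but
  # its outcome is recorded so the summary does not read as fully verified.
  local headers_ok=0
  verify_headers && headers_ok=1

  echo ""
  print_summary
  if (( headers_ok == 0 )); then
    printf 'Note: security headers could not be verified from %s; re-run the header check once the endpoint is reachable\n' \
      "$GITEA_URL" >&2
  fi
}

main "$@"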