gooseek/backend/deploy/k8s/gitea/deploy.sh

#!/bin/bash
set -e

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

echo "=== Gitea Security Update Deployment ==="
echo "Version: 1.25.4"
echo ""

# Check kubectl
if ! command -v kubectl &> /dev/null; then
    echo "Error: kubectl not found"
    exit 1
fi

# Check cluster connectivity
echo "Checking cluster connectivity..."
if ! kubectl cluster-info &> /dev/null; then
    echo "Error: Cannot connect to Kubernetes cluster"
    echo "Please ensure kubectl is configured correctly"
    exit 1
fi

echo ""
echo "=== Backing up current Gitea data ==="
BACKUP_POD=$(kubectl get pods -n gitea -l app=gitea -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "")
if [ -n "$BACKUP_POD" ]; then
    echo "Creating backup of Gitea database..."
    kubectl exec -n gitea "$BACKUP_POD" -- sh -c "cp /data/gitea/gitea.db /data/gitea/gitea.db.backup.$(date +%Y%m%d%H%M%S)" || echo "Backup skipped (new installation)"
fi

echo ""
echo "=== Applying Gitea manifests ==="
cd "$SCRIPT_DIR"
kubectl apply -k .

echo ""
echo "=== Waiting for rollout ==="
kubectl -n gitea rollout status deployment/gitea --timeout=300s

echo ""
echo "=== Verifying deployment ==="
kubectl -n gitea get pods -o wide
echo ""
kubectl -n gitea get svc
echo ""
kubectl -n gitea get ingress

echo ""
echo "=== Security verification ==="
echo "Checking HTTP headers..."
sleep 5
curl -sI https://git.gooseek.ru/ | grep -E "(strict-transport|x-frame|x-content-type|content-security)" || echo "Headers check failed - wait for DNS propagation"

echo ""
echo "=== Deployment Complete ==="
echo ""
echo "Gitea URL: https://git.gooseek.ru"
echo "SSH: git@git.gooseek.ru (port 30022 NodePort)"
echo ""
echo "Security fixes applied:"
echo "  [✓] Updated to Gitea 1.25.4 (CVE fixes)"
echo "  [✓] Disabled public registration"
echo "  [✓] Added CSP header"
echo "  [✓] Added X-Content-Type-Options header"
echo "  [✓] Added X-XSS-Protection header"
echo "  [✓] Added Referrer-Policy header"
echo "  [✓] Disabled Swagger API"
echo "  [✓] Enabled CAPTCHA for login"
echo "  [✓] Enforced strong passwords (12+ chars)"
echo "  [✓] Disabled Gravatar"
echo ""