chore: upgrade Gitea to 1.25.2

charts/gitea/Chart.yaml

@@ -11,7 +11,7 @@ annotations:
     - kind: changed
       description: update alpine/helm docker tag to v3.19.0 (#954)
 apiVersion: v2
-appVersion: 1.24.7
+appVersion: 1.25.2
 dependencies:
 - condition: postgresql.enabled
   name: postgresql

src/common/k8s.test.ts

@@ -7,6 +7,7 @@ import {
   KubeConfig,
   PatchStrategy,
   setHeaderOptions,
+  V1Deployment,
   V1Pod,
   V1PodList,
   V1ResourceRequirements,
@@ -169,6 +170,45 @@ describe('StatefulSet tests', () => {
     jest.clearAllMocks()
   })
 
+  describe('getPodsOfDeployment', () => {
+    it('should return pods matching the Deployment label selector', async () => {
+      const mockDeployment = {
+        spec: {
+          selector: {
+            matchLabels: { app: 'my-app' },
+          },
+        },
+      }
+
+      const mockPodList: V1PodList = {
+        items: [{ metadata: { name: 'pod-1' } }, { metadata: { name: 'pod-2' } }],
+      } as V1PodList
+
+      mockAppsApi.readNamespacedDeployment.mockResolvedValue(mockDeployment as any)
+      mockCoreApi.listNamespacedPod.mockResolvedValue(mockPodList as any)
+
+      const pods = await k8s.getPodsOfDeployment(mockAppsApi, mockCoreApi, 'my-deploy', 'my-namespace')
+      expect(mockAppsApi.readNamespacedDeployment).toHaveBeenCalledWith({
+        name: 'my-deploy',
+        namespace: 'my-namespace',
+      })
+      expect(mockCoreApi.listNamespacedPod).toHaveBeenCalledWith({
+        labelSelector: 'app=my-app',
+        namespace: 'my-namespace',
+      })
+      expect(pods).toEqual(mockPodList)
+    })
+
+    it('should throw an error if matchLabels is missing', async () => {
+      const mockDeployment: V1Deployment = {} as V1Deployment
+      mockAppsApi.readNamespacedDeployment.mockResolvedValue(mockDeployment as any)
+
+      await expect(k8s.getPodsOfDeployment(mockAppsApi, mockCoreApi, 'my-deploy', 'my-namespace')).rejects.toThrow(
+        'Deployment my-deploy does not have matchLabels',
+      )
+    })
+  })
+
   describe('getPodsOfStatefulSet', () => {
     it('should return pods matching the StatefulSet label selector', async () => {
       const mockStatefulSet = {

src/common/k8s.ts

@@ -629,6 +629,28 @@ export async function createUpdateConfigMap(
   }
 }
 
+export async function getPodsOfDeployment(
+  appsApi: AppsV1Api,
+  coreApi: CoreV1Api,
+  deploymentName: string,
+  namespace: string,
+) {
+  const deployment = await appsApi.readNamespacedDeployment({ name: deploymentName, namespace })
+
+  if (!deployment.spec?.selector?.matchLabels) {
+    throw new Error(`Deployment ${deploymentName} does not have matchLabels`)
+  }
+
+  const labelSelector = Object.entries(deployment.spec.selector.matchLabels)
+    .map(([key, value]) => `${key}=${value}`)
+    .join(',')
+
+  return await coreApi.listNamespacedPod({
+    namespace,
+    labelSelector,
+  })
+}
+
 export async function getPodsOfStatefulSet(
   appsApi: AppsV1Api,
   statefulSetName: string,

src/common/runtime-upgrades/runtime-upgrades.ts

@@ -6,7 +6,7 @@ import { updateDbCollation } from './cloudnative-pg'
 import { removeOldMinioResources } from './remove-old-minio-resources'
 import { detectAndRestartOutdatedIstioSidecars } from './restart-istio-sidecars'
 import { upgradeKnativeServing } from './upgrade-knative-serving-cr'
-import { detachApplicationFromApplicationSet, pruneArgoCDImageUpdater } from './v4.13.0'
+import { detachApplicationFromApplicationSet, pruneArgoCDImageUpdater, resetGiteaPasswordValidity } from './v4.13.0'
 import { removeHttpBinApplication } from './remove-httpbin-application'
 
 export interface RuntimeUpgradeContext {
@@ -151,4 +151,14 @@ export const runtimeUpgrades: RuntimeUpgrades = [
       await removeHttpBinApplication()
     },
   },
+  {
+    version: '4.14.0',
+    applications: {
+      'gitea-gitea': {
+        post: async (context: RuntimeUpgradeContext) => {
+          await resetGiteaPasswordValidity(context)
+        },
+      },
+    },
+  },
 ]

src/common/runtime-upgrades/v4.13.0.ts

@@ -1,6 +1,6 @@
 import { ApiException } from '@kubernetes/client-node'
 import { ARGOCD_APP_PARAMS, ObjectMetadataCollection } from '../constants'
-import { getArgoCdApp, k8s, setArgoCdAppSync } from '../k8s'
+import { exec, getArgoCdApp, getK8sSecret, getPodsOfDeployment, k8s, setArgoCdAppSync } from '../k8s'
 import { RuntimeUpgradeContext } from './runtime-upgrades'
 
 async function scaleDeployment(context: RuntimeUpgradeContext, namespace: string, name: string, replicas: number) {
@@ -135,3 +135,22 @@ export async function detachApplicationFromApplicationSet(context: RuntimeUpgrad
   await setArgoCdAppSync('argocd-argocd', true, customApi)
   d.log('Cleanup complete: ApplicationSets removed, Applications retained.')
 }
+
+export async function resetGiteaPasswordValidity(context: RuntimeUpgradeContext) {
+  context.debug.info('Resetting status of Gitea admin credentials')
+  const giteaPods = await getPodsOfDeployment(k8s.app(), k8s.core(), 'gitea', 'gitea')
+  const [firstPod] = giteaPods.items
+  // In case Gitea pods happened to be restarting in the meantime, it will likely fix the issue by itself
+  if (firstPod) {
+    const giteaCredentialsSecret = await getK8sSecret('gitea-credentials', 'apl-operator')
+    const userName = giteaCredentialsSecret?.GITEA_USERNAME ?? 'otomi-admin'
+    const resetCmd = ['gitea', 'admin', 'user', 'must-change-password', '--unset', userName as string]
+    const { stdout, stderr } = await exec(
+      firstPod.metadata!.namespace as string,
+      firstPod.metadata!.name as string,
+      'gitea',
+      resetCmd,
+    )
+    context.debug.info(stderr, stdout)
+  }
+}