FigJam Diagram: Gitea — Package Registry (expires 2026-04-13)
Gitea is deployed as a package registry only — git repository features are disabled. It provides PyPI, npm, Maven, Go, and generic package hosting for CI/CD pipelines and local development.
| | |
|---|---|
| URL | https://gitea.k3s.internal.strommen.systems (internal only) |
| Namespace | gitea |
| Chart | gitea-charts/gitea v10.6.0 |
| Database | SQLite (sufficient for package-only use) |
| Storage | 20Gi NFS on NAS DXP4800 (storageClass: nfs-gitea) |
| Org | k3s-homelab |

| Format | Usage |
|---|---|
| PyPI | Python packages (pip install --index-url ...) |
| npm | Node packages (npm install --registry ...) |
| Maven | Java artifacts |
| Go | Go modules |
| Generic | Arbitrary binary/archive assets |

- `DISABLE_REGISTRATION: false`, `ALLOW_ONLY_EXTERNAL_REGISTRATION: true`). The local signup form is hidden — users cannot self-register with a local password.
- `gitea-admin-secret` (created out-of-band)
- `REQUIRE_SIGNIN_VIEW: false`) — packages are readable without auth from within the cluster
- `ci-publish` — `write:package` scope — used by CI/CD to push packages
- `ci-read` — `read:package` scope — used by CI/CD pulls and local dev

| Setting | Value | Effect |
|---|---|---|
| `DISABLE_REGISTRATION` | `false` | Registration is not globally blocked — Authentik SSO can create accounts |
| `ALLOW_ONLY_EXTERNAL_REGISTRATION` | `true` | Local signup form is hidden; only SSO (Authentik) can create accounts |
| `REQUIRE_SIGNIN_VIEW` | `false` | Anonymous package reads allowed (internal network only) |

Summary: Authentik is the sole account creation path. A user authenticating via Authentik SSO for the first time gets a Gitea account auto-provisioned.
```bash
# Admin credentials (create before first helm install)
kubectl create secret generic gitea-admin-secret -n gitea \
  --from-literal=username=gitea-admin \
  --from-literal=password="$(openssl rand -base64 32)"
```
CI token values are stored as GitHub repo secrets GITEA_PUBLISH_TOKEN and GITEA_READ_TOKEN — set after deploying Gitea and creating the tokens in the UI.
The following Gitea features are explicitly disabled to reduce attack surface:
- `DISABLE_HTTP_GIT: true`)

| | Requests | Limits |
|---|---|---|
| CPU | 100m | 500m |
| Memory | 256Mi | 512Mi |
Storage: 20Gi NFS PVC on NAS DXP4800 (nfs-gitea StorageClass, RWO).
Metrics at /metrics with no auth token (internal network). Prometheus scrapes this endpoint.
```bash
# Verify Gitea is healthy
kubectl get pods -n gitea
kubectl logs -n gitea -l app.kubernetes.io/name=gitea --tail=20
```
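
Beyond pod health, the registration and attack-surface settings documented above can be checked against a rendered `app.ini`. The script below is an added example, not part of this repository: the function names and the sample file are constructed for illustration, and the `[service]`/`[repository]` section placement is assumed from Gitea's standard `app.ini` layout.

```bash
# Added example (not from this repo): audit a Gitea app.ini for config drift.
# Expected posture from this page, as "section|KEY|value". Section names are
# an assumption based on Gitea's standard app.ini layout.
EXPECTED='service|DISABLE_REGISTRATION|false
service|ALLOW_ONLY_EXTERNAL_REGISTRATION|true
service|REQUIRE_SIGNIN_VIEW|false
repository|DISABLE_HTTP_GIT|true'

# ini_get SECTION KEY < file: print the last value set for KEY in [SECTION],
# lowercased; prints an empty line when the key is absent or commented out.
ini_get() {
  awk -v want_sec="$1" -v want_key="$2" '
    /^[ \t]*[;#]/ { next }
    /^[ \t]*\[/   { sec = $0; gsub(/^[ \t]*\[|\][ \t\r]*$/, "", sec); next }
    sec == want_sec {
      eq = index($0, "="); if (eq == 0) next
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t\r]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
      if (k == want_key) val = v
    }
    END { print tolower(val) }'
}

# audit_gitea_ini FILE: print one DRIFT line per mismatch; the exit status is
# the mismatch count. Unset keys count as drift, so nothing rests on defaults.
audit_gitea_ini() {
  local ini="$1" drift=0 sec key want got
  while IFS='|' read -r sec key want; do
    got="$(ini_get "$sec" "$key" < "$ini")"
    if [ "$got" != "$want" ]; then
      echo "DRIFT [$sec] $key: expected $want, found ${got:-<unset>}"
      drift=$((drift + 1))
    fi
  done <<EOF
$EXPECTED
EOF
  return "$drift"
}

# Constructed sample: local signup re-enabled, HTTP git setting missing.
write_sample_ini() {
  printf '%s\n' '[service]' 'DISABLE_REGISTRATION = false' \
    '; ALLOW_ONLY_EXTERNAL_REGISTRATION = true' \
    'ALLOW_ONLY_EXTERNAL_REGISTRATION = false' 'REQUIRE_SIGNIN_VIEW = false' \
    '' '[repository]' > "$1"
}
sample="$(mktemp)"; write_sample_ini "$sample"
audit_gitea_ini "$sample" || echo "mismatches: $?"
rm -f "$sample"
```

A zero exit status means the file matches the documented posture, so the function can gate a CI job or a post-deploy check.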
```
kubernetes/apps/gitea/
  values.yaml — Helm values (all configuration)
```
Deployed with:
```bash
helm upgrade --install gitea gitea-charts/gitea \
  -n gitea --create-namespace \
  -f kubernetes/apps/gitea/values.yaml
```