linode · CasLubbers · Jan 20, 2026 · Jan 20, 2026 · Jan 20, 2026 · Jan 21, 2026
@@ -1,5 +1,5 @@
 The APL installer was successfully deployed on the cluster.
 
-Please inspect the output of the installer job ({{ .Release.Namespace }}/{{ include "apl-operator.fullname" . }}) for any feedback or errors.
+Please inspect the output of the apl-operator deployment (apl-operator/{{ include "apl-operator.fullname" . }}) for any feedback or errors.
 
-Also visit https://apl-docs.net for further instructions and reference documentation.
+Also visit https://apl-docs.net for further instructions and reference documentation.
@@ -80,7 +80,7 @@ spec:
             - secretRef:
                 name: apl-sops-secrets
             - secretRef:
-                name: gitea-credentials
+                name: apl-git-credentials
           {{- end }}
           volumeMounts:
             - name: otomi-values

@@ -0,0 +1,14 @@
+{{- $git := .Values.otomi.git | default dict }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: apl-git-config
+  namespace: apl-operator
+data:
+  {{- if $git.repoUrl }}
+  repoUrl: {{ $git.repoUrl | quote }}
+  {{- end }}
+  branch: {{ $git.branch | quote }}
+  {{- if $git.email }}
+  email: {{ $git.email | quote }}
+  {{- end }}
@@ -1,13 +1,14 @@
+{{- $git := .Values.otomi.git | default dict }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: gitea-credentials
+  name: apl-git-credentials
   namespace: apl-operator
 type: Opaque
 stringData:
-{{- if .Values.gitUsername }}
-  GIT_USERNAME: {{ .Values.gitUsername | quote }}
-{{- end }}
-{{- if .Values.gitPassword }}
-  GIT_PASSWORD: {{ .Values.gitPassword | quote }}
-{{- end }}
+  {{- if $git.username }}
+  username: {{ $git.username | quote }}
+  {{- end }}
+  {{- if $git.password }}
+  password: {{ $git.password | quote }}
+  {{- end }}
@@ -43,6 +43,15 @@ otomi:
   ## By default the image tag is set to .Chart.AppVersion
   # version: main
 
+  ## Git repository configuration
+  ## By default, APL uses the built-in Gitea instance.
+  git:
+    # repoUrl: ''      # Repository url (e.g., https://github.com/org/repo)
+    # user: ''         # Git username (defaults to 'otomi-admin')
+    # password: ''     # Git password or personal access token
+    # email: ''        # Email for git commits (defaults to '[email protected]')
+    branch: main
+
 ## Optional configuration
 # apps:
 #   cert-manager:

@@ -11,10 +11,13 @@ spec:
       {{- include "apl-operator.selectorLabels" . | nindent 6 }}
   template:
     metadata:
-      {{- with .Values.podAnnotations }}
       annotations:
+        # Restart pod when git credentials or config changes (important for migration)
+        checksum/git-credentials: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
+        checksum/git-config: {{ include (print $.Template.BasePath "/git-config.yaml") . | sha256sum }}
+        {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
-      {{- end }}
+        {{- end }}
       labels:
         {{- include "apl-operator.selectorLabels" . | nindent 8 }}
     spec:
@@ -38,6 +41,11 @@ spec:
           env:
             - name: CI
               value: "true"
+          envFrom:
+            - secretRef:
+                name: apl-sops-secrets
+            - secretRef:
+                name: apl-git-credentials
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           volumeMounts:

@@ -0,0 +1,16 @@
+{{- $git := .Values.git | default dict }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: apl-git-config
+  namespace: apl-operator
+data:
+  {{- if $git.repoUrl }}
+  repoUrl: {{ $git.repoUrl | quote }}
+  {{- end }}
+  {{- if $git.branch }}
+  branch: {{ $git.branch | quote }}
+  {{- end }}
+  {{- if $git.email }}
+  email: {{ $git.email | quote }}
+  {{- end }}
@@ -1,4 +1,5 @@
 {{- $kms := .Values.kms | default dict }}
+{{- $git := .Values.git | default dict }}
 {{- if hasKey $kms "sops" }}
 {{- $v := $kms.sops }}
 apiVersion: v1
@@ -34,12 +35,30 @@ data:
 {{- end }}
 {{- end }}
 ---
+# Keep old secret for migration. Remove in future release.
 apiVersion: v1
 kind: Secret
 metadata:
   name: gitea-credentials
-  namespace: {{ .Release.Namespace }}
+  namespace: apl-operator
 type: Opaque
 stringData:
+{{- if .Values.gitUsername }}
   GIT_USERNAME: {{ .Values.gitUsername | quote }}
+{{- end }}
+{{- if .Values.gitPassword }}
   GIT_PASSWORD: {{ .Values.gitPassword | quote }}
+{{- end }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: apl-git-credentials
+type: Opaque
+stringData:
+  {{- if $git.username }}
+  username: {{ $git.username | quote }}
+  {{- end }}
+  {{- if $git.password }}
+  password: {{ $git.password | quote }}
+  {{- end }}
@@ -63,6 +63,3 @@ kms: {}
 #  sops:
 #    age:
 #      privateKey: "AGE-SECRET-KEY-EXAMPLExxxxxxxxxxxxxxxxxxxxxxxx"
-
-gitPassword: ""
-gitUsername: "otomi-admin"
@@ -1,6 +1,6 @@
 {{- $v := .Values }}
 {{- $a := $v.apps.argocd }}
-{{- if $a.enabled }}
+{{- if and $a.enabled $v.gitOps.teamRepoUrl }}
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:

@@ -5,7 +5,9 @@
 {{- range $i, $item := $v.workloads }}
   {{- $urls = append $urls $item.url }}
 {{- end }}
+{{- if $v.gitOps.teamRepoUrl }}
 {{- $urls = append $urls $v.gitOps.teamRepoUrl }}
+{{- end }}
 {{- $urls = append $urls $v.gitOps.valuesRepoUrl }}
 {{- $urls = sortAlpha (uniq $urls) }}
 

@@ -1,3 +1,4 @@
+{{- if .Values.gitOps.teamRepoUrl }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -8,3 +9,4 @@ metadata:
 stringData:
   type: git
   url: {{ .Values.gitOps.teamRepoUrl }}
+{{- end }}
@@ -10,7 +10,7 @@ metadata:
   annotations:
     sidecar.istio.io/inject: "false"
     # ArgoCD sync wave annotation to ensure it's applied first
-    argocd.argoproj.io/sync-wave: "-2" 
+    argocd.argoproj.io/sync-wave: "-2"
   labels: {{- include "team-ns.chart-labels" $ | nindent 4 }}
 spec:
   workspaces:
@@ -76,7 +76,7 @@ spec:
       value: {{ $v.harborDomain }}/team-{{ $v.teamId }}/{{ .imageName }}:{{ .tag }}
     {{- with (dig "mode" "docker" "envVars" nil . ) }}
     - name: EXTRA_ARGS
-      value: 
+      value:
         {{- range . }}
         - --build-arg={{ .name }}={{ .value }}
         {{- end }}
@@ -116,7 +116,7 @@ spec:
             metadata:
               creationTimestamp: null
             spec:
-              {{- if $v.buildStorageClassName }}  
+              {{- if $v.buildStorageClassName }}
               storageClassName: {{ $v.buildStorageClassName }}
               {{- end }}
               accessModes:
@@ -134,7 +134,7 @@ spec:
         {{- else }}
         - name: git-credentials
           secret:
-            secretName: gitea-credentials
+            secretName: apl-git-credentials
         {{- end }}
         - name: docker-credentials
           secret:
@@ -166,7 +166,7 @@ spec:
       metadata:
         creationTimestamp: null
       spec:
-        {{- if $v.buildStorageClassName }}  
+        {{- if $v.buildStorageClassName }}
         storageClassName: {{ $v.buildStorageClassName }}
         {{- end }}
         accessModes:
@@ -184,7 +184,7 @@ spec:
   {{- else }}
   - name: git-credentials
     secret:
-      secretName: gitea-credentials
+      secretName: apl-git-credentials
   {{- end }}
   - name: docker-credentials
     secret:
@@ -211,7 +211,7 @@ kind: EventListener
 metadata:
   name: gitea-webhook-{{ .name }}
   annotations:
-    argocd.argoproj.io/sync-wave: "-1" 
+    argocd.argoproj.io/sync-wave: "-1"
   labels:
     tekton.dev/pipeline: docker-build-{{ .name }}
     {{- include "team-ns.chart-labels" $ | nindent 4 }}

@@ -15,14 +15,14 @@ bases:
 
 releases:
   - name: gitea-db-secret-artifacts
-    installed: true
+    installed: {{ $a | get "gitea.enabled" }}
     namespace: gitea
     labels:
       pkg: gitea
       app: core
     <<: *raw
   - name: gitea-otomi-db
-    installed: true
+    installed: {{ $a | get "gitea.enabled" }}
     namespace: gitea
     labels:
       pkg: gitea

@@ -24,8 +24,6 @@ environments:
     - apps:
         kubeflow-pipelines:
           rootPassword: {{ randAlphaNum 32 }}
-        gitea:
-          adminPassword: {{ randAlphaNum 20 }}
         {{- range $index,$ingressClassName := $ingressClassNames }}
         ingress-nginx-{{ $ingressClassName}}:
           autoscaling:
@@ -274,6 +272,8 @@ environments:
       {{- end }}
       otomi:
         adminPassword: {{ randAlphaNum 32 }}
+        git:
+          password: {{ randAlphaNum 20 }}
       cluster:
         owner: customer
         name: apl

@@ -146,8 +146,8 @@ environments:
                 memory: 64Mi
                 cpu: 10m
           gitea:
-            adminUsername: otomi-admin
             _rawValues: {}
+            enabled: true
             networkPolicies:
               enabled: true
             databaseMaxConnections: 28
@@ -1143,6 +1143,11 @@ environments:
           receivers:
             - none
         otomi:
+          git:
+            branch: main
+            repoUrl: http://gitea-http.gitea.svc.cluster.local:3000/otomi/values.git
+            username: otomi-admin
+            email: [email protected]
           hasExternalDNS: false
           hasExternalIDP: false
           isMultitenant: true

@@ -225,8 +225,6 @@ environments:
             registry:
               credentials:
                 password: {{ $a | get "harbor.registry.credentials.password" $v.otomi.adminPassword | quote }}
-          gitea:
-            enabled: true
           keycloak:
             enabled: true
             address: {{ $keycloakBaseUrl }}

@@ -207,6 +207,7 @@ describe('Bootstrapping values', () => {
         getKmsSettings: jest.fn(),
         terminal,
         writeFile: jest.fn(),
+        createUpdateGenericSecret: jest.fn(),
       }
       it('should create files on first run and en/de-crypt', async () => {
         deps.pathExists.mockReturnValue(false)

@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { existsSync } from 'fs'
 import { copyFile, cp, mkdir, readFile, writeFile } from 'fs/promises'
 import { generate as generatePassword } from 'generate-password'
-import { cloneDeep, get, isEmpty, merge, set } from 'lodash'
+import { cloneDeep, get, merge, set } from 'lodash'
 import { pki } from 'node-forge'
 import path from 'path'
 import { bootstrapGit } from 'src/common/bootstrap'
@@ -12,7 +12,14 @@ import { decrypt, encrypt } from 'src/common/crypt'
 import { terminal } from 'src/common/debug'
 import { env, isCli } from 'src/common/envalid'
 import { hfValues } from 'src/common/hf'
-import { createK8sSecret, getDeploymentState, getK8sSecret, secretId } from 'src/common/k8s'
+import {
+  createK8sSecret,
+  createUpdateGenericSecret,
+  getDeploymentState,
+  getK8sSecret,
+  k8s,
+  secretId,
+} from 'src/common/k8s'
 import { getKmsSettings } from 'src/common/repo'
 import { ensureTeamGitOpsDirectories, getFilename, gucci, isCore, loadYaml, rootDir } from 'src/common/utils'
 import { generateSecrets, writeValues } from 'src/common/values'
@@ -44,6 +51,7 @@ export const bootstrapSops = async (
     readFile,
     terminal,
     writeFile,
+    createUpdateGenericSecret,
   },
 ): Promise<void> => {
   const d = deps.terminal(`cmd:${cmdName}:genSops`)
@@ -75,6 +83,13 @@ export const bootstrapSops = async (
     if (privateKey && !process.env.SOPS_AGE_KEY) {
       process.env.SOPS_AGE_KEY = privateKey
       await deps.writeFile(`${envDir}/.secrets`, `SOPS_AGE_KEY=${privateKey}`)
+      try {
+        await deps.createUpdateGenericSecret(k8s.core(), 'apl-sops-secrets', 'apl-operator', {
+          SOPS_AGE_KEY: privateKey,
+        })
+      } catch (e) {
+        d.warn('Failed to create or update apl-sops-secrets secret with SOPS_AGE_KEY, this might come later')
+      }
     }
   }