linode · CasLubbers · Jan 20, 2026 · Jan 20, 2026 · Jan 20, 2026 · Jan 21, 2026
@@ -1,5 +1,5 @@
 The APL installer was successfully deployed on the cluster.
 
-Please inspect the output of the installer job ({{ .Release.Namespace }}/{{ include "apl-operator.fullname" . }}) for any feedback or errors.
+Please inspect the output of the apl-operator deployment (apl-operator/{{ include "apl-operator.fullname" . }}) for any feedback or errors.
 
-Also visit https://apl-docs.net for further instructions and reference documentation.
+Also visit https://apl-docs.net for further instructions and reference documentation.
@@ -80,7 +80,7 @@ spec:
             - secretRef:
                 name: apl-sops-secrets
             - secretRef:
-                name: gitea-credentials
+                name: apl-git-credentials
           {{- end }}
           volumeMounts:
             - name: otomi-values

@@ -0,0 +1,14 @@
+{{- $git := .Values.otomi.git | default dict }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: apl-git-config
+  namespace: apl-operator
+data:
+  {{- if $git.repoUrl }}
+  repoUrl: {{ $git.repoUrl | quote }}
+  {{- end }}
+  branch: {{ $git.branch | quote }}
+  {{- if $git.email }}
+  email: {{ $git.email | quote }}
+  {{- end }}
@@ -1,13 +1,14 @@
+{{- $git := .Values.otomi.git | default dict }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: gitea-credentials
+  name: apl-git-credentials
   namespace: apl-operator
 type: Opaque
 stringData:
-{{- if .Values.gitUsername }}
-  GIT_USERNAME: {{ .Values.gitUsername | quote }}
-{{- end }}
-{{- if .Values.gitPassword }}
-  GIT_PASSWORD: {{ .Values.gitPassword | quote }}
-{{- end }}
+  {{- if $git.username }}
+  username: {{ $git.username | quote }}
+  {{- end }}
+  {{- if $git.password }}
+  password: {{ $git.password | quote }}
+  {{- end }}
@@ -43,6 +43,15 @@ otomi:
   ## By default the image tag is set to .Chart.AppVersion
   # version: main
 
+  ## Git repository configuration
+  ## By default, APL uses the built-in Gitea instance.
+  git:
+    # repoUrl: ''      # Repository url (e.g., https://github.com/org/repo)
+    # user: ''         # Git username (defaults to 'otomi-admin')
+    # password: ''     # Git password or personal access token
+    # email: ''        # Email for git commits (defaults to 'pipeline@cluster.local')
+    branch: main
+
 ## Optional configuration
 # apps:
 #   cert-manager:

@@ -11,10 +11,13 @@ spec:
       {{- include "apl-operator.selectorLabels" . | nindent 6 }}
   template:
     metadata:
-      {{- with .Values.podAnnotations }}
       annotations:
+        # Restart pod when git credentials or config changes (important for migration)
+        checksum/git-credentials: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
+        checksum/git-config: {{ include (print $.Template.BasePath "/git-config.yaml") . | sha256sum }}
+        {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
-      {{- end }}
+        {{- end }}
       labels:
         {{- include "apl-operator.selectorLabels" . | nindent 8 }}
     spec:
@@ -38,6 +41,11 @@ spec:
           env:
             - name: CI
               value: "true"
+          envFrom:
+            - secretRef:
+                name: apl-sops-secrets
+            - secretRef:
+                name: apl-git-credentials
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           volumeMounts:

@@ -0,0 +1,16 @@
+{{- $git := .Values.git | default dict }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: apl-git-config
+  namespace: apl-operator
+data:
+  {{- if $git.repoUrl }}
+  repoUrl: {{ $git.repoUrl | quote }}
+  {{- end }}
+  {{- if $git.branch }}
+  branch: {{ $git.branch | quote }}
+  {{- end }}
+  {{- if $git.email }}
+  email: {{ $git.email | quote }}
+  {{- end }}
@@ -1,4 +1,5 @@
 {{- $kms := .Values.kms | default dict }}
+{{- $git := .Values.git | default dict }}
 {{- if hasKey $kms "sops" }}
 {{- $v := $kms.sops }}
 apiVersion: v1
@@ -34,12 +35,30 @@ data:
 {{- end }}
 {{- end }}
 ---
+# Keep old secret for migration. Remove in future release.
 apiVersion: v1
 kind: Secret
 metadata:
   name: gitea-credentials
-  namespace: {{ .Release.Namespace }}
+  namespace: apl-operator
 type: Opaque
 stringData:
+{{- if .Values.gitUsername }}
   GIT_USERNAME: {{ .Values.gitUsername | quote }}
+{{- end }}
+{{- if .Values.gitPassword }}
   GIT_PASSWORD: {{ .Values.gitPassword | quote }}
+{{- end }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: apl-git-credentials
+type: Opaque
+stringData:
+  {{- if $git.username }}
+  username: {{ $git.username | quote }}
+  {{- end }}
+  {{- if $git.password }}
+  password: {{ $git.password | quote }}
+  {{- end }}
@@ -63,6 +63,3 @@ kms: {}
 #  sops:
 #    age:
 #      privateKey: "AGE-SECRET-KEY-EXAMPLExxxxxxxxxxxxxxxxxxxxxxxx"
-
-gitPassword: ""
-gitUsername: "otomi-admin"
@@ -15,14 +15,14 @@ bases:
 
 releases:
   - name: gitea-db-secret-artifacts
-    installed: true
+    installed: {{ $a | get "gitea.enabled" }}
     namespace: gitea
     labels:
       pkg: gitea
       app: core
     <<: *raw
   - name: gitea-otomi-db
-    installed: true
+    installed: {{ $a | get "gitea.enabled" }}
     namespace: gitea
     labels:
       pkg: gitea

@@ -24,8 +24,6 @@ environments:
     - apps:
         kubeflow-pipelines:
           rootPassword: {{ randAlphaNum 32 }}
-        gitea:
-          adminPassword: {{ randAlphaNum 20 }}
         {{- range $index,$ingressClassName := $ingressClassNames }}
         ingress-nginx-{{ $ingressClassName}}:
           autoscaling:
@@ -274,6 +272,8 @@ environments:
       {{- end }}
       otomi:
         adminPassword: {{ randAlphaNum 32 }}
+        git:
+          password: {{ randAlphaNum 20 }}
       cluster:
         owner: customer
         name: apl

@@ -146,7 +146,6 @@ environments:
                 memory: 64Mi
                 cpu: 10m
           gitea:
-            adminUsername: otomi-admin
             _rawValues: {}
             networkPolicies:
               enabled: true
@@ -1143,6 +1142,11 @@ environments:
           receivers:
             - none
         otomi:
+          git:
+            branch: main
+            repoUrl: http://gitea-http.gitea.svc.cluster.local:3000/otomi/values.git
+            username: otomi-admin
+            email: pipeline@cluster.local
           hasExternalDNS: false
           hasExternalIDP: false
           isMultitenant: true