Merge remote-tracking branch 'origin/main' into ci-update-base-to-1.26.1

svcAPLBot · svcAPLBot · commit 7521868893df · 2025-05-30T13:11:10.000Z
diff --git a/apps.yaml b/apps.yaml
@@ -99,7 +99,7 @@ appsInfo:
     integration: Falco can be enabled in APL for runtime intrusion detection. Macros have been configured to exclude all known platform violations so platform admins are only notified when user workloads are not compliant to the security rules. Alerts are automatically send using Alertmanager and the Falco Dashboard is added to Grafana.
   gitea:
     title: Gitea Self-hosted GIT
-    appVersion: 1.23.7
+    appVersion: 1.23.8
     repo: https://github.com/go-gitea/gitea
     maintainers: Gitea
     relatedLinks:
diff --git a/values/gitea/gitea-raw.gotmpl b/values/gitea/gitea-raw.gotmpl
@@ -73,9 +73,12 @@ resources:
   metadata:
     name: gitea-backup-operator
   rules:
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get"]
   - apiGroups: [""]
     resources: ["pods"]
-    verbs: ["get", "watch", "list"]
+    verbs: ["get", "list"]
   - apiGroups: [""]
     resources: ["pods/exec"]
     verbs: ["create"]
diff --git a/values/gitea/gitea.gotmpl b/values/gitea/gitea.gotmpl
@@ -28,23 +28,12 @@ podDns:
 
 resources: {{- $g.resources.gitea | toYaml | nindent 2 }}
 
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - ALL
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 1000
-  runAsNonRoot: true
-  runAsUser: 1000
-
 image:
   {{- with $v.otomi | get "globalPullSecret" nil }}
   imagePullSecrets:
     - name: otomi-pullsecret-global
   {{- end }}
-  {{- with $g | get "image.gitea.tag" "1.23.7" }}
+  {{- with $g | get "image.gitea.tag" "1.23.8" }}
   tag: {{ . }}
   {{- end }}
   pullPolicy: {{ $g | get "image.gitea.pullPolicy" "IfNotPresent" }}
@@ -212,11 +201,19 @@ extraVolumes:
 
 podSecurityContext:
   fsGroup: 1000
-
-containerSecurityContext:
   runAsNonRoot: true
   runAsUser: 1000
   runAsGroup: 1000
+  seccompProfile:
+    type: RuntimeDefault
+
+containerSecurityContext:
+  capabilities:
+    drop:
+      - ALL
+  allowPrivilegeEscalation: false
+  privileged: false
+  readOnlyRootFilesystem: true
 
 {{- with .Values.otomi | get "globalPullSecret" nil }}
 global:
