Use Secrets for passwords and tokens

Signed-off-by: Thomas Matysik <thomas@matysik.co.nz>

README.md

@@ -120,7 +120,76 @@ When upgrading, make sure you have the following enabled:
 
   - Persistency for both mariadb + Gitea
   - Using `existingGiteaClaim`
-  - Due to using the [bitnami/mariadb](https://github.com/helm/charts/tree/master/stable/mariadb) chart, make sure to HARDCODE your passwords within `values.yaml`.  Or else you'll be unable to update mariadb
+  - Due to using the [bitnami/mariadb](https://github.com/helm/charts/tree/master/stable/mariadb) chart, make sure to HARDCODE your passwords within `values.yaml`,
+  or (better) set them in a separate secret named in mariadb.existingSecret.  Or else you'll be unable to update mariadb
+
+## Secrets
+
+Secret values (database passwords, Gitea internal secrets / tokens) are passed to the containers using Kubernetes secrets.
+
+These secrets can be automatically created using parameters from values.yaml or created externally and specified by name.
+
+### MariaDB
+
+If using the default MariaDB database, create the secret per the bitnami mariadb chart and specify its name in `mariadb.existingSecret`.
+
+The secret will be created automatically if unspecified or if the password is supplied via `values.yaml`.
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: RELEASE-NAME-mariadb
+type: Opaque
+data:
+  mariadb-root-password: "<base64-encoded password>"
+  mariadb-password: "<base64-encoded password>"
+```
+
+### ExternalDB
+
+If using a different database, specify the secret name in `externalDB.secretName`.
+
+If this secret is shared with the database itself and has the password in a key other than `db-password`, you can specify the key name via `externalDB.passwordKey`.
+
+The secret will be created automatically if the password is supplied via `values.yaml`.
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: RELEASE-NAME-externaldb
+type: Opaque
+data:
+  db-password: "<base64-encoded password>"
+```
+
+### Gitea Secrets
+
+Gitea requires a number of internal secret tokens, which can be supplied via an externally-created secret or via `values.yaml`.
+
+If they are not supplied, they will be auto-generated by the init container, and will change on upgrades.
+
+Gitea requires particular encoding for some of these so they should be generated using `gitea generate secret`.
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: RELEASE-NAME
+type: Opaque
+data:
+  secret-key: "base64-encoded secret"
+  jwt-secret: "base64-encoded secret"
+  lfs-jwt-secret: "base64-encoded secret"
+  internal-token: "base64-encoded secret"
+```
+
+## Immutable Configuration
+
+If `config.immutableConfig` is `true`, the Gitea `app.ini` is regenerated each time the init container runs and is set as read-only.
+
+If it is `false`, then `app.ini` is generated only on first install and is editable by Gitea.
 
 ## Configuration
 
@@ -171,11 +240,15 @@ The following table lists the configurable parameters of this chart and their de
 | `mariadb.persistence.enabled`         | Enable or diable persistence                                                                                                 | `true`                    |
 | `mariadb.persistence.accessMode`      | What access mode to use                                                                                                      | `ReadWriteOnce`           |
 | `mariadb.persistence.size`            | What size of database to use                                                                                                 | `8Gi`                     |
+| `externalDB.secretName`               | Name of existing secret containing externalDB password                                                                       | ` unset`                  |
+| `externalDB.passwordKey`              | Name of password entry in Secret                                                                                             | `db-password`             |
 | `externalDB.dbUser`                   | external db user                                                                                                             | ` unset`                  |
 | `externalDB.dbPassword`               | external db password                                                                                                         | ` unset`                  |
 | `externalDB.dbHost`                   | external db host                                                                                                             | ` unset`                  |
 | `externalDB.dbPort`                   | external db port                                                                                                             | ` unset`                  |
 | `externalDB.dbDatabase`               | external db database name                                                                                                    | ` unset`                  |
+| `config.immutableConfig`              | Set config as read-only and regenerate on every upgrade.                                                                     | `false`                   |
+| `config.secretName`                   | Name of existing secret containing Gitea internal tokens                                                                     | ` unset`                  |
 | `config.disableInstaller`             | Disable the installer                                                                                                        | `false`                   |
 | `config.offlineMode`                  | Sets Gitea's Offline Mode. Values are `true` or `false`.                                                                     | `false`                   |
 | `config.requireSignin`                | Require Gitea user to be signed in to see any pages. Values are `true` or `false`.                                           | `false`                   |