Use Secrets for passwords and tokens

Signed-off-by: Thomas Matysik <thomas@matysik.co.nz>

values.yaml

@@ -187,6 +187,8 @@ mariadb:
 
 ## Connect to an external database instead
 # externalDB:
+#   #secretName: "<EXISTING_SECRET_NAME>"  # Existing secret that contains the password; auto-created otherwise.
+#   passwordKey: "db-password"  # Identifier in the Secret's dictionary.
 #   dbUser: "postgres"
 #   dbPassword: "<MY_PASSWORD>"
 #   dbHost: "service-name.namespace.svc.cluster.local" # or some external host
@@ -197,13 +199,26 @@ mariadb:
 ## Actual Gitea configuration (modified the default .ini file for Gitea)
 ## This will skip the initial installation screen. You must have a secretKey already defined
 ## and disableInstaller set to True
+## If secretName is set, it should point to an existing secret with the following keys:
+##   - internal-token
+##   - secret-key
+##   - jwt-secret
+##   - lfs-jwt-secret
+## If secretName is unset, secret is created from values specified below.
+## Secrets should be generated with 'gitea generate secret'
+## Unspecified secrets are auto-generated by the init container
 config:
-##  secretKey: ThisIsMySuperSecretKeyThatsUsedInterally
+##  secretName: "<Existing Secret Name>"
+##  secretKey: "<random>"  # Generate with 'gitea generate secret SECRET_KEY'
+##  jwtSecret: "<random>"  # Generate with 'gitea generate secret JWT_SECRET'
+##  lfsJwtSecret: "<random>"  # Generate with 'gitea generate secret LFS_JWT_SECRET'
+##  internalToken: "<random>"  # Generate with 'gitea generate secret INTERNAL_TOKEN'
   disableInstaller: false
   offlineMode: false
   requireSignin: false
   disableRegistration: false
   openidSignin: true
+  immutableConfig: false  # Regenerate config every time, and set as read-only
 
 ## Common helm annotations
 ## Node labels and tolerations for pod assignment