Compare commits
1 Commits
main
..
5ff3508519
| Author | SHA1 | Date | |
|---|---|---|---|
|
5ff3508519
|
@@ -8,7 +8,7 @@ on:
|
||||
jobs:
|
||||
changelog:
|
||||
runs-on: ubuntu-latest
|
||||
container: docker.io/thegeeklab/git-sv:2.1.1
|
||||
container: docker.io/thegeeklab/git-sv:2.0.9
|
||||
steps:
|
||||
- name: install tools
|
||||
run: |
|
||||
|
||||
@@ -11,7 +11,7 @@ on:
|
||||
jobs:
|
||||
check-and-test:
|
||||
runs-on: ubuntu-latest
|
||||
container: commitlint/commitlint:20.5.3
|
||||
container: commitlint/commitlint:20.2.0
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- name: check PR title
|
||||
|
||||
@@ -21,7 +21,7 @@ jobs:
|
||||
- name: Install helm
|
||||
env:
|
||||
# renovate: datasource=docker depName=alpine/helm
|
||||
HELM_VERSION: "3.21.0"
|
||||
HELM_VERSION: "3.19.0"
|
||||
run: |
|
||||
curl --fail --location --output /dev/stdout --silent --show-error https://get.helm.sh/helm-v${HELM_VERSION}-linux-$(dpkg --print-architecture).tar.gz | tar --extract --gzip --file /dev/stdin
|
||||
mv linux-$(dpkg --print-architecture)/helm /usr/local/bin/
|
||||
@@ -53,7 +53,7 @@ jobs:
|
||||
|
||||
- name: Import GPG key
|
||||
id: import_gpg
|
||||
uses: https://github.com/crazy-max/ghaction-import-gpg@v7
|
||||
uses: https://github.com/crazy-max/ghaction-import-gpg@v6
|
||||
with:
|
||||
gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
|
||||
passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
|
||||
@@ -86,7 +86,7 @@ jobs:
|
||||
helm registry logout registry-1.docker.io
|
||||
|
||||
- name: aws credential configure
|
||||
uses: https://github.com/aws-actions/configure-aws-credentials@v6
|
||||
uses: https://github.com/aws-actions/configure-aws-credentials@v5
|
||||
with:
|
||||
aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
|
||||
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
||||
@@ -99,7 +99,7 @@ jobs:
|
||||
release-gitea:
|
||||
needs: generate-chart-publish
|
||||
runs-on: ubuntu-latest
|
||||
container: docker.io/thegeeklab/git-sv:2.1.1
|
||||
container: docker.io/thegeeklab/git-sv:2.0.9
|
||||
steps:
|
||||
- name: install tools
|
||||
run: |
|
||||
|
||||
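Review bot: `uses: https://github.com/crazy-max/ghaction-import-gpg@v6` and `uses: https://github.com/aws-actions/configure-aws-credentials@v5` reference third-party actions by a movable major tag while the steps hand them `secrets.GPGSIGN_KEY`, `secrets.GPGSIGN_PASSPHRASE` and the AWS access key pair. Pinning each to a full commit SHA with the tag kept as a trailing comment, `uses: https://github.com/crazy-max/ghaction-import-gpg@<full-commit-sha> # v6`, means a retagged upstream release cannot change which code sees the signing key. Going by the hunk line counts on this page, the second line of each printed pair is the new side, so both refs also move one major version down (v7 to v6, v6 to v5); confirm that is intended. The `Install helm` step shown as context pipes the `curl` download straight into `tar` with no checksum comparison, and its `run:` block continues outside the hunk.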
@@ -10,12 +10,12 @@ on:
|
||||
|
||||
env:
|
||||
# renovate: datasource=github-releases depName=helm-unittest/helm-unittest
|
||||
HELM_UNITTEST_VERSION: "v1.1.0"
|
||||
HELM_UNITTEST_VERSION: "v1.0.3"
|
||||
|
||||
jobs:
|
||||
check-and-test:
|
||||
runs-on: ubuntu-latest
|
||||
container: alpine/helm:3.21.0
|
||||
container: alpine/helm:3.19.0
|
||||
steps:
|
||||
- name: install tools
|
||||
run: |
|
||||
|
||||
Vendored
+1
-1
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"yaml.schemas": {
|
||||
"https://raw.githubusercontent.com/helm-unittest/helm-unittest/v1.1.0/schema/helm-testsuite.json": [
|
||||
"https://raw.githubusercontent.com/helm-unittest/helm-unittest/v1.0.3/schema/helm-testsuite.json": [
|
||||
"/unittests/**/*.yaml"
|
||||
]
|
||||
},
|
||||
|
||||
+1
-1
@@ -1 +1 @@
|
||||
* @volker.raschek @ChristopherHX
|
||||
* @rossigee @volker.raschek @ChristopherHX
|
||||
|
||||
+4
-1
@@ -4,7 +4,7 @@ description: Gitea Helm chart for Kubernetes
|
||||
type: application
|
||||
version: 0.0.0
|
||||
# renovate datasource=github-releases depName=go-gitea/gitea extractVersion=^v(?<version>.*)$
|
||||
appVersion: 1.26.2
|
||||
appVersion: 1.25.4
|
||||
icon: https://gitea.com/assets/img/logo.svg
|
||||
|
||||
annotations:
|
||||
@@ -26,6 +26,9 @@ sources:
|
||||
- https://docker.gitea.com/gitea
|
||||
|
||||
maintainers:
|
||||
# https://gitea.com/rossigee
|
||||
- name: Ross Golder
|
||||
email: ross@golder.org
|
||||
# https://gitea.com/volker.raschek
|
||||
- name: Markus Pesch
|
||||
email: markus.pesch+apps@cryptic.systems
|
||||
|
||||
@@ -280,37 +280,6 @@ If `.Values.image.rootless: true`, then the following will occur. In case you us
|
||||
|
||||
[see deployment.yaml](./templates/gitea/deployment.yaml) template inside container "env" declarations
|
||||
|
||||
#### OpenShift Compatibility
|
||||
|
||||
When installing on OpenShift, enable the compatibility profile so chart-managed pods render SCC-safe defaults and the Gitea init containers stop forcing `runAsUser: 1000`:
|
||||
|
||||
```yaml
|
||||
openshift:
|
||||
enabled: true
|
||||
```
|
||||
|
||||
When enabled, the chart applies `allowPrivilegeEscalation: false`, drops all
|
||||
Linux capabilities, sets `runAsNonRoot: true`, uses
|
||||
`seccompProfile.type: RuntimeDefault`, and leaves `hostUsers` unset unless
|
||||
`openshift.hostUsers` is explicitly overridden.
|
||||
|
||||
The deployment keeps the existing vanilla Kubernetes behavior when OpenShift
|
||||
compatibility is disabled. Auto-detection relies on the
|
||||
`security.openshift.io/v1/SecurityContextConstraints` API, so set
|
||||
`openshift.enabled: true` explicitly when rendering outside a live cluster.
|
||||
|
||||
If you also want to expose Gitea through an OpenShift Route, enable the optional Route resource:
|
||||
|
||||
```yaml
|
||||
route:
|
||||
enabled: true
|
||||
host: git.apps.example.com
|
||||
tls:
|
||||
termination: edge
|
||||
```
|
||||
|
||||
When `route.host` is set, the chart uses it for `DOMAIN`, `SSH_DOMAIN`, and `ROOT_URL`. Setting `route.tls.termination` also switches the default `ROOT_URL` scheme to `https`.
|
||||
|
||||
#### Session, Cache and Queue
|
||||
|
||||
The session, cache and queue settings are set to use the built-in Valkey Cluster sub-chart dependency.
|
||||
@@ -412,7 +381,7 @@ gitea:
|
||||
```
|
||||
|
||||
This would mount the two additional volumes (`oauth` and `some-additionals`) from different sources to the init container where the _app.ini_ gets updated.
|
||||
All files mounted that way will be read and converted to environment variables and then added to the _app.ini_ using [Gitea config edit-ini](https://docs.gitea.com/administration/config-cheat-sheet#use-environment-variables-to-setup-gitea).
|
||||
All files mounted that way will be read and converted to environment variables and then added to the _app.ini_ using [environment-to-ini](https://github.com/go-gitea/gitea/tree/main/contrib/environment-to-ini).
|
||||
|
||||
The key of such additional source represents the section inside the _app.ini_.
|
||||
The value for each key can be multiline ini-like definitions.
|
||||
@@ -453,10 +422,10 @@ Users are able to define their own environment variables, which are loaded into
|
||||
We also support to directly interact with the generated _app.ini_.
|
||||
|
||||
To inject self defined variables into the _app.ini_ a certain format needs to be honored.
|
||||
This is described in detail on the [Gitea config edit-ini](https://docs.gitea.com/administration/config-cheat-sheet#use-environment-variables-to-setup-gitea) page.
|
||||
This is described in detail on the [env-to-ini](https://github.com/go-gitea/gitea/tree/main/contrib/environment-to-ini) page.
|
||||
|
||||
Prior to Gitea 1.20 and Chart 9.0.0 the helm chart had a custom prefix `ENV_TO_INI`.
|
||||
After the support for a custom prefix was removed in Gitea core, the prefix was changed to `GITEA`.
|
||||
After the support for a custom prefix was removed in Gite core, the prefix was changed to `GITEA`.
|
||||
|
||||
For example a database setting needs to have the following format:
|
||||
|
||||
@@ -1006,14 +975,12 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
|
||||
|
||||
### Security
|
||||
|
||||
| Name | Description | Value |
|
||||
| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | ----- |
|
||||
| `openshift.enabled` | Enable OpenShift compatibility defaults for chart-managed pods. Defaults to auto-detect based on the SecurityContextConstraints API. | `nil` |
|
||||
| `openshift.hostUsers` | Override the PodSpec hostUsers field for chart-managed pods. When unset, the field is omitted so the platform default is used. | `nil` |
|
||||
| `podSecurityContext` | Pod security context. On non-OpenShift clusters the chart defaults `fsGroup` to `1000` when this map is empty. | `{}` |
|
||||
| `containerSecurityContext` | Security context | `{}` |
|
||||
| `securityContext` | Run init and Gitea containers as a specific securityContext | `{}` |
|
||||
| `podDisruptionBudget` | Pod disruption budget | `{}` |
|
||||
| Name | Description | Value |
|
||||
| ---------------------------- | --------------------------------------------------------------- | ------ |
|
||||
| `podSecurityContext.fsGroup` | Set the shared file system group for all containers in the pod. | `1000` |
|
||||
| `containerSecurityContext` | Security context | `{}` |
|
||||
| `securityContext` | Run init and Gitea containers as a specific securityContext | `{}` |
|
||||
| `podDisruptionBudget` | Pod disruption budget | `{}` |
|
||||
|
||||
### Service
|
||||
|
||||
@@ -1059,22 +1026,6 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
|
||||
| `ingress.hosts[0].paths[0].path` | Default Ingress path | `/` |
|
||||
| `ingress.tls` | Ingress tls settings | `[]` |
|
||||
|
||||
### Route
|
||||
|
||||
| Name | Description | Value |
|
||||
| ----------------------------------------- | -------------------------------------------------------------------------------------------------------------- | ------- |
|
||||
| `route.enabled` | Enable OpenShift Route | `false` |
|
||||
| `route.annotations` | Route annotations | `{}` |
|
||||
| `route.host` | Route host. When unset, OpenShift may generate one and Gitea URL defaults fall back to ingress/service values. | `""` |
|
||||
| `route.path` | Route path | `""` |
|
||||
| `route.wildcardPolicy` | Route wildcard policy | `None` |
|
||||
| `route.tls.termination` | Route TLS termination type | `nil` |
|
||||
| `route.tls.insecureEdgeTerminationPolicy` | Route insecure edge termination policy | `nil` |
|
||||
| `route.tls.key` | Route TLS key | `nil` |
|
||||
| `route.tls.certificate` | Route TLS certificate | `nil` |
|
||||
| `route.tls.caCertificate` | Route TLS CA certificate | `nil` |
|
||||
| `route.tls.destinationCACertificate` | Route destination CA certificate | `nil` |
|
||||
|
||||
### deployment
|
||||
|
||||
| Name | Description | Value |
|
||||
@@ -1147,30 +1098,29 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
|
||||
|
||||
### Gitea
|
||||
|
||||
| Name | Description | Value |
|
||||
| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- |
|
||||
| `gitea.admin.username` | Username for the Gitea admin user | `gitea_admin` |
|
||||
| `gitea.admin.existingSecret` | Use an existing secret to store admin user credentials | `nil` |
|
||||
| `gitea.admin.password` | Password for the Gitea admin user | `r8sA8CPHD9!bt6d` |
|
||||
| `gitea.admin.email` | Email for the Gitea admin user | `gitea@local.domain` |
|
||||
| `gitea.admin.passwordMode` | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated | `keepUpdated` |
|
||||
| `gitea.metrics.enabled` | Enable Gitea metrics | `false` |
|
||||
| `gitea.metrics.token` | used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public. | `nil` |
|
||||
| `gitea.metrics.serviceMonitor.enabled` | Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. | `false` |
|
||||
| `gitea.metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. | `""` |
|
||||
| `gitea.metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping. | `[]` |
|
||||
| `gitea.metrics.serviceMonitor.scheme` | HTTP scheme to use for scraping. For example `http` or `https`. Default is http. | `""` |
|
||||
| `gitea.metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used. | `""` |
|
||||
| `gitea.metrics.serviceMonitor.tlsConfig` | TLS configuration to use when scraping the metric endpoint by Prometheus. | `{}` |
|
||||
| `gitea.ldap` | LDAP configuration | `[]` |
|
||||
| `gitea.oauth` | OAuth configuration | `[]` |
|
||||
| `gitea.config.server.SSH_PORT` | SSH port for rootlful Gitea image | `22` |
|
||||
| `gitea.config.server.SSH_LISTEN_PORT` | SSH port for rootless Gitea image | `2222` |
|
||||
| `gitea.additionalConfigSources` | Additional configuration from secret or configmap | `[]` |
|
||||
| `gitea.additionalConfigFromEnvs` | Additional configuration sources from environment variables | `[]` |
|
||||
| `gitea.extraEnvSourceFile` | Source environment variables from a file during init container startup. This is especially useful for reading environment variable files generated by the Vault agent-injector. | `nil` |
|
||||
| `gitea.podAnnotations` | Annotations for the Gitea pod | `{}` |
|
||||
| `gitea.ssh.logLevel` | Configure OpenSSH's log level. Only available for root-based Gitea image. | `INFO` |
|
||||
| Name | Description | Value |
|
||||
| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | -------------------- |
|
||||
| `gitea.admin.username` | Username for the Gitea admin user | `gitea_admin` |
|
||||
| `gitea.admin.existingSecret` | Use an existing secret to store admin user credentials | `nil` |
|
||||
| `gitea.admin.password` | Password for the Gitea admin user | `r8sA8CPHD9!bt6d` |
|
||||
| `gitea.admin.email` | Email for the Gitea admin user | `gitea@local.domain` |
|
||||
| `gitea.admin.passwordMode` | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated | `keepUpdated` |
|
||||
| `gitea.metrics.enabled` | Enable Gitea metrics | `false` |
|
||||
| `gitea.metrics.token` | used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public. | `nil` |
|
||||
| `gitea.metrics.serviceMonitor.enabled` | Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. | `false` |
|
||||
| `gitea.metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. | `""` |
|
||||
| `gitea.metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping. | `[]` |
|
||||
| `gitea.metrics.serviceMonitor.scheme` | HTTP scheme to use for scraping. For example `http` or `https`. Default is http. | `""` |
|
||||
| `gitea.metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used. | `""` |
|
||||
| `gitea.metrics.serviceMonitor.tlsConfig` | TLS configuration to use when scraping the metric endpoint by Prometheus. | `{}` |
|
||||
| `gitea.ldap` | LDAP configuration | `[]` |
|
||||
| `gitea.oauth` | OAuth configuration | `[]` |
|
||||
| `gitea.config.server.SSH_PORT` | SSH port for rootlful Gitea image | `22` |
|
||||
| `gitea.config.server.SSH_LISTEN_PORT` | SSH port for rootless Gitea image | `2222` |
|
||||
| `gitea.additionalConfigSources` | Additional configuration from secret or configmap | `[]` |
|
||||
| `gitea.additionalConfigFromEnvs` | Additional configuration sources from environment variables | `[]` |
|
||||
| `gitea.podAnnotations` | Annotations for the Gitea pod | `{}` |
|
||||
| `gitea.ssh.logLevel` | Configure OpenSSH's log level. Only available for root-based Gitea image. | `INFO` |
|
||||
|
||||
### LivenessProbe
|
||||
|
||||
@@ -1577,7 +1527,7 @@ mariadb:
|
||||
|
||||
### App.ini generation <!-- omit from toc -->
|
||||
|
||||
The app.ini generation has changed and now uses the `gitea config edit-ini` subcommand introduced in Gitea 1.26.
|
||||
The app.ini generation has changed and now utilizes the environment-to-ini script provided by newer Gitea versions.
|
||||
This change ensures, that the app.ini is now persistent.
|
||||
|
||||
### Secret Key generation <!-- omit from toc -->
|
||||
|
||||
Generated
+78
-78
@@ -8,7 +8,7 @@
|
||||
"license": "MIT",
|
||||
"devDependencies": {
|
||||
"@bitnami/readme-generator-for-helm": "^2.5.0",
|
||||
"markdownlint-cli": "^0.48.0"
|
||||
"markdownlint-cli": "^0.47.0"
|
||||
},
|
||||
"engines": {
|
||||
"node": ">=16.0.0",
|
||||
@@ -32,10 +32,33 @@
|
||||
"readme-generator": "bin/index.js"
|
||||
}
|
||||
},
|
||||
"node_modules/@isaacs/balanced-match": {
|
||||
"version": "4.0.1",
|
||||
"resolved": "https://registry.npmjs.org/@isaacs/balanced-match/-/balanced-match-4.0.1.tgz",
|
||||
"integrity": "sha512-yzMTt9lEb8Gv7zRioUilSglI0c0smZ9k5D65677DLWLtWJaXIS3CqcGyUFByYKlnUj6TkjLVs54fBl6+TiGQDQ==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"engines": {
|
||||
"node": "20 || >=22"
|
||||
}
|
||||
},
|
||||
"node_modules/@isaacs/brace-expansion": {
|
||||
"version": "5.0.0",
|
||||
"resolved": "https://registry.npmjs.org/@isaacs/brace-expansion/-/brace-expansion-5.0.0.tgz",
|
||||
"integrity": "sha512-ZT55BDLV0yv0RBm2czMiZ+SqCGO7AvmOM3G/w2xhVPH+te0aKgFjmBvGlL1dH+ql2tgGO3MVrbb3jCKyvpgnxA==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@isaacs/balanced-match": "^4.0.1"
|
||||
},
|
||||
"engines": {
|
||||
"node": "20 || >=22"
|
||||
}
|
||||
},
|
||||
"node_modules/@types/debug": {
|
||||
"version": "4.1.13",
|
||||
"resolved": "https://registry.npmjs.org/@types/debug/-/debug-4.1.13.tgz",
|
||||
"integrity": "sha512-KSVgmQmzMwPlmtljOomayoR89W4FynCAi3E8PPs7vmDVPe84hT+vGPKkJfThkmXs0x0jAaa9U8uW8bbfyS2fWw==",
|
||||
"version": "4.1.12",
|
||||
"resolved": "https://registry.npmjs.org/@types/debug/-/debug-4.1.12.tgz",
|
||||
"integrity": "sha512-vIChWdVG3LG1SMxEvI/AK+FWJthlrqlTu7fbrlywTkkaONwk/UAGaULXRlf8vkzFBLVm0zkMdCquhL5aOjhXPQ==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
@@ -91,9 +114,9 @@
|
||||
"license": "MIT"
|
||||
},
|
||||
"node_modules/brace-expansion": {
|
||||
"version": "1.1.14",
|
||||
"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz",
|
||||
"integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==",
|
||||
"version": "1.1.12",
|
||||
"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
|
||||
"integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
@@ -280,9 +303,9 @@
|
||||
"license": "ISC"
|
||||
},
|
||||
"node_modules/get-east-asian-width": {
|
||||
"version": "1.6.0",
|
||||
"resolved": "https://registry.npmjs.org/get-east-asian-width/-/get-east-asian-width-1.6.0.tgz",
|
||||
"integrity": "sha512-QRbvDIbx6YklUe6RxeTeleMR0yv3cYH6PsPZHcnVn7xv7zO1BHN8r0XETu8n6Ye3Q+ahtSarc3WgtNWmehIBfA==",
|
||||
"version": "1.4.0",
|
||||
"resolved": "https://registry.npmjs.org/get-east-asian-width/-/get-east-asian-width-1.4.0.tgz",
|
||||
"integrity": "sha512-QZjmEOC+IT1uk6Rx0sX22V6uHWVwbdbxf1faPqJ1QhLdGgsRGCZoyaQBm/piRdJy/D2um6hM1UP7ZEeQ4EkP+Q==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"engines": {
|
||||
@@ -296,7 +319,7 @@
|
||||
"version": "7.2.3",
|
||||
"resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz",
|
||||
"integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==",
|
||||
"deprecated": "Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me",
|
||||
"deprecated": "Glob versions prior to v9 are no longer supported",
|
||||
"dev": true,
|
||||
"license": "ISC",
|
||||
"dependencies": {
|
||||
@@ -432,9 +455,9 @@
|
||||
}
|
||||
},
|
||||
"node_modules/katex": {
|
||||
"version": "0.16.47",
|
||||
"resolved": "https://registry.npmjs.org/katex/-/katex-0.16.47.tgz",
|
||||
"integrity": "sha512-Eeo8Ys1doU1z+x8AZsPpQu+p/QcZBI5PeOo7QGQdy2x2m0MU/hYagBbGOmXwr5KVbEfVuWv9LpnQWeehogurjg==",
|
||||
"version": "0.16.27",
|
||||
"resolved": "https://registry.npmjs.org/katex/-/katex-0.16.27.tgz",
|
||||
"integrity": "sha512-aeQoDkuRWSqQN6nSvVCEFvfXdqo1OQiCmmW1kc9xSdjutPv7BGO7pqY9sQRJpMOGrEdfDgF2TfRXe5eUAD2Waw==",
|
||||
"dev": true,
|
||||
"funding": [
|
||||
"https://opencollective.com/katex",
|
||||
@@ -469,16 +492,16 @@
|
||||
}
|
||||
},
|
||||
"node_modules/lodash": {
|
||||
"version": "4.18.1",
|
||||
"resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
|
||||
"integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
|
||||
"version": "4.17.23",
|
||||
"resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
|
||||
"integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
|
||||
"dev": true,
|
||||
"license": "MIT"
|
||||
},
|
||||
"node_modules/markdown-it": {
|
||||
"version": "14.1.1",
|
||||
"resolved": "https://registry.npmjs.org/markdown-it/-/markdown-it-14.1.1.tgz",
|
||||
"integrity": "sha512-BuU2qnTti9YKgK5N+IeMubp14ZUKUUw7yeJbkjtosvHiP0AZ5c8IAgEMk79D0eC8F23r4Ac/q8cAIFdm2FtyoA==",
|
||||
"version": "14.1.0",
|
||||
"resolved": "https://registry.npmjs.org/markdown-it/-/markdown-it-14.1.0.tgz",
|
||||
"integrity": "sha512-a54IwgWPaeBCAAsv13YgmALOF1elABB08FxO9i+r4VFk5Vl4pKokRPeX8u5TCgSsPi6ec1otfLjdOpVcgbpshg==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
@@ -532,23 +555,23 @@
|
||||
}
|
||||
},
|
||||
"node_modules/markdownlint-cli": {
|
||||
"version": "0.48.0",
|
||||
"resolved": "https://registry.npmjs.org/markdownlint-cli/-/markdownlint-cli-0.48.0.tgz",
|
||||
"integrity": "sha512-NkZQNu2E0Q5qLEEHwWj674eYISTLD4jMHkBzDobujXd1kv+yCxi8jOaD/rZoQNW1FBBMMGQpuW5So8B51N/e0A==",
|
||||
"version": "0.47.0",
|
||||
"resolved": "https://registry.npmjs.org/markdownlint-cli/-/markdownlint-cli-0.47.0.tgz",
|
||||
"integrity": "sha512-HOcxeKFAdDoldvoYDofd85vI8LgNWy8vmYpCwnlLV46PJcodmGzD7COSSBlhHwsfT4o9KrAStGodImVBus31Bg==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"commander": "~14.0.3",
|
||||
"commander": "~14.0.2",
|
||||
"deep-extend": "~0.6.0",
|
||||
"ignore": "~7.0.5",
|
||||
"js-yaml": "~4.1.1",
|
||||
"jsonc-parser": "~3.3.1",
|
||||
"jsonpointer": "~5.0.1",
|
||||
"markdown-it": "~14.1.1",
|
||||
"markdown-it": "~14.1.0",
|
||||
"markdownlint": "~0.40.0",
|
||||
"minimatch": "~10.2.4",
|
||||
"minimatch": "~10.1.1",
|
||||
"run-con": "~1.3.2",
|
||||
"smol-toml": "~1.6.0",
|
||||
"smol-toml": "~1.5.2",
|
||||
"tinyglobby": "~0.2.15"
|
||||
},
|
||||
"bin": {
|
||||
@@ -558,33 +581,10 @@
|
||||
"node": ">=20"
|
||||
}
|
||||
},
|
||||
"node_modules/markdownlint-cli/node_modules/balanced-match": {
|
||||
"version": "4.0.4",
|
||||
"resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-4.0.4.tgz",
|
||||
"integrity": "sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"engines": {
|
||||
"node": "18 || 20 || >=22"
|
||||
}
|
||||
},
|
||||
"node_modules/markdownlint-cli/node_modules/brace-expansion": {
|
||||
"version": "5.0.6",
|
||||
"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.6.tgz",
|
||||
"integrity": "sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"balanced-match": "^4.0.2"
|
||||
},
|
||||
"engines": {
|
||||
"node": "18 || 20 || >=22"
|
||||
}
|
||||
},
|
||||
"node_modules/markdownlint-cli/node_modules/commander": {
|
||||
"version": "14.0.3",
|
||||
"resolved": "https://registry.npmjs.org/commander/-/commander-14.0.3.tgz",
|
||||
"integrity": "sha512-H+y0Jo/T1RZ9qPP4Eh1pkcQcLRglraJaSLoyOtHxu6AapkjWVCy2Sit1QQ4x3Dng8qDlSsZEet7g5Pq06MvTgw==",
|
||||
"version": "14.0.2",
|
||||
"resolved": "https://registry.npmjs.org/commander/-/commander-14.0.2.tgz",
|
||||
"integrity": "sha512-TywoWNNRbhoD0BXs1P3ZEScW8W5iKrnbithIl0YH+uCmBd0QpPOA8yc82DS3BIE5Ma6FnBVUsJ7wVUDz4dvOWQ==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"engines": {
|
||||
@@ -592,16 +592,16 @@
|
||||
}
|
||||
},
|
||||
"node_modules/markdownlint-cli/node_modules/minimatch": {
|
||||
"version": "10.2.5",
|
||||
"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.5.tgz",
|
||||
"integrity": "sha512-MULkVLfKGYDFYejP07QOurDLLQpcjk7Fw+7jXS2R2czRQzR56yHRveU5NDJEOviH+hETZKSkIk5c+T23GjFUMg==",
|
||||
"version": "10.1.1",
|
||||
"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.1.1.tgz",
|
||||
"integrity": "sha512-enIvLvRAFZYXJzkCYG5RKmPfrFArdLv+R+lbQ53BmIMLIry74bjKzX6iHAm8WYamJkhSSEabrWN5D97XnKObjQ==",
|
||||
"dev": true,
|
||||
"license": "BlueOak-1.0.0",
|
||||
"dependencies": {
|
||||
"brace-expansion": "^5.0.5"
|
||||
"@isaacs/brace-expansion": "^5.0.0"
|
||||
},
|
||||
"engines": {
|
||||
"node": "18 || 20 || >=22"
|
||||
"node": "20 || >=22"
|
||||
},
|
||||
"funding": {
|
||||
"url": "https://github.com/sponsors/isaacs"
|
||||
@@ -1151,9 +1151,9 @@
|
||||
"license": "MIT"
|
||||
},
|
||||
"node_modules/minimatch": {
|
||||
"version": "3.1.5",
|
||||
"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
|
||||
"integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
|
||||
"version": "3.1.2",
|
||||
"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
|
||||
"integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
|
||||
"dev": true,
|
||||
"license": "ISC",
|
||||
"dependencies": {
|
||||
@@ -1221,9 +1221,9 @@
|
||||
}
|
||||
},
|
||||
"node_modules/picomatch": {
|
||||
"version": "4.0.4",
|
||||
"resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
|
||||
"integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
|
||||
"version": "4.0.3",
|
||||
"resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
|
||||
"integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"engines": {
|
||||
@@ -1270,9 +1270,9 @@
|
||||
}
|
||||
},
|
||||
"node_modules/smol-toml": {
|
||||
"version": "1.6.1",
|
||||
"resolved": "https://registry.npmjs.org/smol-toml/-/smol-toml-1.6.1.tgz",
|
||||
"integrity": "sha512-dWUG8F5sIIARXih1DTaQAX4SsiTXhInKf1buxdY9DIg4ZYPZK5nGM1VRIYmEbDbsHt7USo99xSLFu5Q1IqTmsg==",
|
||||
"version": "1.5.2",
|
||||
"resolved": "https://registry.npmjs.org/smol-toml/-/smol-toml-1.5.2.tgz",
|
||||
"integrity": "sha512-QlaZEqcAH3/RtNyet1IPIYPsEWAaYyXXv1Krsi+1L/QHppjX4Ifm8MQsBISz9vE8cHicIq3clogsheili5vhaQ==",
|
||||
"dev": true,
|
||||
"license": "BSD-3-Clause",
|
||||
"engines": {
|
||||
@@ -1300,13 +1300,13 @@
|
||||
}
|
||||
},
|
||||
"node_modules/strip-ansi": {
|
||||
"version": "7.2.0",
|
||||
"resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.2.0.tgz",
|
||||
"integrity": "sha512-yDPMNjp4WyfYBkHnjIRLfca1i6KMyGCtsVgoKe/z1+6vukgaENdgGBZt+ZmKPc4gavvEZ5OgHfHdrazhgNyG7w==",
|
||||
"version": "7.1.2",
|
||||
"resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.1.2.tgz",
|
||||
"integrity": "sha512-gmBGslpoQJtgnMAvOVqGZpEz9dyoKTCzy2nfz/n8aIFhN/jCE/rCmcxabB6jOOHV+0WNnylOxaxBQPSvcWklhA==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"ansi-regex": "^6.2.2"
|
||||
"ansi-regex": "^6.0.1"
|
||||
},
|
||||
"engines": {
|
||||
"node": ">=12"
|
||||
@@ -1329,14 +1329,14 @@
|
||||
}
|
||||
},
|
||||
"node_modules/tinyglobby": {
|
||||
"version": "0.2.16",
|
||||
"resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.16.tgz",
|
||||
"integrity": "sha512-pn99VhoACYR8nFHhxqix+uvsbXineAasWm5ojXoN8xEwK5Kd3/TrhNn1wByuD52UxWRLy8pu+kRMniEi6Eq9Zg==",
|
||||
"version": "0.2.15",
|
||||
"resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.15.tgz",
|
||||
"integrity": "sha512-j2Zq4NyQYG5XMST4cbs02Ak8iJUdxRM0XI5QyxXuZOzKOINmWurp3smXu3y5wDcJrptwpSjgXHzIQxR0omXljQ==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"fdir": "^6.5.0",
|
||||
"picomatch": "^4.0.4"
|
||||
"picomatch": "^4.0.3"
|
||||
},
|
||||
"engines": {
|
||||
"node": ">=12.0.0"
|
||||
@@ -1360,9 +1360,9 @@
|
||||
"license": "ISC"
|
||||
},
|
||||
"node_modules/yaml": {
|
||||
"version": "2.9.0",
|
||||
"resolved": "https://registry.npmjs.org/yaml/-/yaml-2.9.0.tgz",
|
||||
"integrity": "sha512-2AvhNX3mb8zd6Zy7INTtSpl1F15HW6Wnqj0srWlkKLcpYl/gMIMJiyuGq2KeI2YFxUPjdlB+3Lc10seMLtL4cA==",
|
||||
"version": "2.8.2",
|
||||
"resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.2.tgz",
|
||||
"integrity": "sha512-mplynKqc1C2hTVYxd0PU2xQAc22TI1vShAYGksCCfxbn/dFwnHTNi1bvYsBTkhdUNtGIf5xNOg938rrSSYvS9A==",
|
||||
"dev": true,
|
||||
"license": "ISC",
|
||||
"bin": {
|
||||
|
||||
+1
-1
@@ -14,6 +14,6 @@
|
||||
},
|
||||
"devDependencies": {
|
||||
"@bitnami/readme-generator-for-helm": "^2.5.0",
|
||||
"markdownlint-cli": "^0.48.0"
|
||||
"markdownlint-cli": "^0.47.0"
|
||||
}
|
||||
}
|
||||
@@ -78,6 +78,7 @@ function env2ini::reload_preset_envs() {
|
||||
rm $TMP_EXISTING_ENVS_FILE
|
||||
}
|
||||
|
||||
|
||||
function env2ini::process_config_file() {
|
||||
local config_file="${1}"
|
||||
local section="$(basename "${config_file}")"
|
||||
@@ -150,4 +151,4 @@ if [ -f ${GITEA_APP_INI} ]; then
|
||||
unset GITEA__SERVER__LFS_JWT_SECRET
|
||||
fi
|
||||
|
||||
gitea config edit-ini --apply-env --config "$GITEA_APP_INI" --out "$GITEA_APP_INI"
|
||||
environment-to-ini -o $GITEA_APP_INI
|
||||
|
||||
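Review bot: `environment-to-ini -o $GITEA_APP_INI` passes the path unquoted, whereas the line it is paired with quotes it (`--config "$GITEA_APP_INI"`); write `environment-to-ini -o "$GITEA_APP_INI"` so a path containing whitespace or glob characters stays a single argument. Which of the two lines is the new side is inferred from the hunk line counts elsewhere on this page, not from a surviving `+`/`-` marker. The same unquoted expansion appears in `rm $TMP_EXISTING_ENVS_FILE` and in the `[ -f ${GITEA_APP_INI} ]` test quoted in the hunk header; both are context, and the surrounding script body lies outside the hunk.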
+1
-8
@@ -1,12 +1,5 @@
|
||||
1. Get the application URL by running these commands:
|
||||
{{- if .Values.route.enabled }}
|
||||
{{- if .Values.route.host }}
|
||||
{{ include "gitea.public_protocol" . }}://{{ tpl .Values.route.host . }}{{ .Values.route.path }}
|
||||
{{- else }}
|
||||
export ROUTE_HOST=$(kubectl get route --namespace {{ .Release.Namespace }} {{ include "gitea.fullname" . }} -o jsonpath="{.spec.host}")
|
||||
echo {{ include "gitea.public_protocol" . }}://$ROUTE_HOST{{ .Values.route.path }}
|
||||
{{- end }}
|
||||
{{- else if .Values.ingress.enabled }}
|
||||
{{- if .Values.ingress.enabled }}
|
||||
{{- range $host := .Values.ingress.hosts }}
|
||||
{{- range .paths }}
|
||||
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
|
||||
|
||||
+9
-98
@@ -76,87 +76,6 @@ imagePullSecrets:
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return true when OpenShift compatibility defaults should be rendered.
|
||||
If openshift.enabled is unset, auto-detect via the SCC API.
|
||||
*/}}
|
||||
{{- define "gitea.openshift.enabled" -}}
|
||||
{{- if kindIs "bool" .Values.openshift.enabled -}}
|
||||
{{ ternary "true" "false" .Values.openshift.enabled }}
|
||||
{{- else if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" -}}
|
||||
true
|
||||
{{- else -}}
|
||||
false
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the pod's hostUsers setting when OpenShift compatibility is enabled.
|
||||
*/}}
|
||||
{{- define "gitea.hostUsers" -}}
|
||||
{{- if eq (include "gitea.openshift.enabled" . | trim) "true" -}}
|
||||
{{- if kindIs "bool" .Values.openshift.hostUsers -}}
|
||||
{{ ternary "true" "false" .Values.openshift.hostUsers }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Render pod securityContext. On non-OpenShift clusters an empty map defaults fsGroup to 1000.
|
||||
*/}}
|
||||
{{- define "gitea.podSecurityContext" -}}
|
||||
{{- $podSecurityContext := deepCopy .Values.podSecurityContext -}}
|
||||
{{- if and (ne (include "gitea.openshift.enabled" . | trim) "true") (not (hasKey $podSecurityContext "fsGroup")) -}}
|
||||
{{- $_ := set $podSecurityContext "fsGroup" 1000 -}}
|
||||
{{- end -}}
|
||||
{{- if gt (len $podSecurityContext) 0 -}}
|
||||
{{ toYaml $podSecurityContext }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Render container securityContext with OpenShift restricted SCC defaults when enabled.
|
||||
*/}}
|
||||
{{- define "gitea.containerSecurityContext" -}}
|
||||
{{- $root := index . 0 -}}
|
||||
{{- $containerSecurityContext := deepCopy (index . 1) -}}
|
||||
{{- if eq (include "gitea.openshift.enabled" $root | trim) "true" -}}
|
||||
{{- $containerSecurityContext = mergeOverwrite (dict
|
||||
"allowPrivilegeEscalation" false
|
||||
"capabilities" (dict "drop" (list "ALL"))
|
||||
"runAsNonRoot" true
|
||||
"seccompProfile" (dict "type" "RuntimeDefault")
|
||||
) $containerSecurityContext -}}
|
||||
{{- end -}}
|
||||
{{- if gt (len $containerSecurityContext) 0 -}}
|
||||
{{ toYaml $containerSecurityContext }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Render the securityContext for init containers that execute Gitea/GPG commands.
|
||||
These default to runAsUser 1000 outside OpenShift to preserve existing behavior.
|
||||
*/}}
|
||||
{{- define "gitea.commandInitContainerSecurityContext" -}}
|
||||
{{- $root := index . 0 -}}
|
||||
{{- $containerSecurityContext := deepCopy (index . 1) -}}
|
||||
{{- if and (ne (include "gitea.openshift.enabled" $root | trim) "true") (not (hasKey $containerSecurityContext "runAsUser")) -}}
|
||||
{{- $_ := set $containerSecurityContext "runAsUser" 1000 -}}
|
||||
{{- end -}}
|
||||
{{- include "gitea.containerSecurityContext" (list $root $containerSecurityContext) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Render the runtime container securityContext while honoring the deprecated securityContext value.
|
||||
*/}}
|
||||
{{- define "gitea.runtimeContainerSecurityContext" -}}
|
||||
{{- $containerSecurityContext := deepCopy .Values.containerSecurityContext -}}
|
||||
{{- if and (eq (len $containerSecurityContext) 0) .Values.securityContext -}}
|
||||
{{- $containerSecurityContext = deepCopy .Values.securityContext -}}
|
||||
{{- end -}}
|
||||
{{- include "gitea.containerSecurityContext" (list . $containerSecurityContext) -}}
|
||||
{{- end -}}
|
||||
|
||||
|
||||
{{/*
|
||||
Storage Class
|
||||
@@ -220,7 +139,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{- else if (index .Values "valkey-cluster").enabled -}}
|
||||
{{- printf "redis+cluster://:%s@%s-valkey-cluster-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "valkey-cluster").global.valkey.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "valkey-cluster").service.ports.valkey -}}
|
||||
{{- else if (index .Values "valkey").enabled -}}
|
||||
{{- printf "redis://:%s@%s-valkey-primary.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "valkey").global.valkey.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "valkey").master.service.ports.valkey -}}
|
||||
{{- printf "redis://:%s@%s-valkey-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "valkey").global.valkey.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "valkey").master.service.ports.valkey -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
@@ -234,9 +153,9 @@ app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
|
||||
{{- define "valkey.servicename" -}}
|
||||
{{- if (index .Values "valkey-cluster").enabled -}}
|
||||
{{- printf "%s-valkey-cluster-headless.%s.svc" .Release.Name .Release.Namespace -}}
|
||||
{{- printf "%s-valkey-cluster-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
|
||||
{{- else if (index .Values "valkey").enabled -}}
|
||||
{{- printf "%s-valkey-primary.%s.svc" .Release.Name .Release.Namespace -}}
|
||||
{{- printf "%s-valkey-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
@@ -244,16 +163,6 @@ app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{- printf "%s-http.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "gitea.public_hostname" -}}
|
||||
{{- if and .Values.route.enabled .Values.route.host -}}
|
||||
{{ tpl .Values.route.host . }}
|
||||
{{- else if gt (len .Values.ingress.hosts) 0 -}}
|
||||
{{ tpl (index .Values.ingress.hosts 0).host $ }}
|
||||
{{- else -}}
|
||||
{{ include "gitea.default_domain" . }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "gitea.ldap_settings" -}}
|
||||
{{- $idx := index . 0 }}
|
||||
{{- $values := index . 1 }}
|
||||
@@ -304,9 +213,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "gitea.public_protocol" -}}
|
||||
{{- if and .Values.route.enabled .Values.route.tls.termination -}}
|
||||
https
|
||||
{{- else if and .Values.ingress.enabled (gt (len .Values.ingress.tls) 0) -}}
|
||||
{{- if and .Values.ingress.enabled (gt (len .Values.ingress.tls) 0) -}}
|
||||
https
|
||||
{{- else -}}
|
||||
{{ .Values.gitea.config.server.PROTOCOL }}
|
||||
@@ -439,7 +346,11 @@ https
|
||||
{{- $_ := set .Values.gitea.config.server "PROTOCOL" "http" -}}
|
||||
{{- end -}}
|
||||
{{- if not (.Values.gitea.config.server.DOMAIN) -}}
|
||||
{{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.public_hostname" .) -}}
|
||||
{{- if gt (len .Values.ingress.hosts) 0 -}}
|
||||
{{- $_ := set .Values.gitea.config.server "DOMAIN" ( tpl (index .Values.ingress.hosts 0).host $) -}}
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- if not .Values.gitea.config.server.ROOT_URL -}}
|
||||
{{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "gitea.public_protocol" .) .Values.gitea.config.server.DOMAIN) -}}
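Review bot: The valkey password is interpolated unescaped into the connection URL in the new `redis://:%s@%s-valkey-headless...` line of the second hunk, and likewise in the unchanged valkey-cluster branch above it. A password containing `@`, `/`, `#` or `?` therefore produces a URL whose host or credential part is parsed differently from what was configured. Escaping the value before `printf`, for example `((index .Values "valkey").global.valkey.password | urlquery)`, would keep the userinfo part intact; confirm first that the consumer percent-decodes it. The enclosing `define` starts outside the hunk.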
|
||||
|
||||
@@ -43,11 +43,6 @@ spec:
|
||||
{{- toYaml .Values.deployment.labels | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- $hostUsers := include "gitea.hostUsers" . | trim }}
|
||||
{{- $podSecurityContext := include "gitea.podSecurityContext" . | trim }}
|
||||
{{- $containerSecurityContext := include "gitea.containerSecurityContext" (list . (deepCopy .Values.containerSecurityContext)) | trim }}
|
||||
{{- $commandInitContainerSecurityContext := include "gitea.commandInitContainerSecurityContext" (list . (deepCopy .Values.containerSecurityContext)) | trim }}
|
||||
{{- $runtimeContainerSecurityContext := include "gitea.runtimeContainerSecurityContext" . | trim }}
|
||||
{{- if .Values.schedulerName }}
|
||||
schedulerName: "{{ .Values.schedulerName }}"
|
||||
{{- end }}
|
||||
@@ -57,14 +52,9 @@ spec:
|
||||
{{- if .Values.priorityClassName }}
|
||||
priorityClassName: "{{ .Values.priorityClassName }}"
|
||||
{{- end }}
|
||||
{{- if $hostUsers }}
|
||||
hostUsers: {{ $hostUsers }}
|
||||
{{- end }}
|
||||
{{- include "gitea.images.pullSecrets" . | nindent 6 }}
|
||||
{{- if $podSecurityContext }}
|
||||
securityContext:
|
||||
{{- $podSecurityContext | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- toYaml .Values.podSecurityContext | nindent 8 }}
|
||||
initContainers:
|
||||
{{- if .Values.preExtraInitContainers }}
|
||||
{{- toYaml .Values.preExtraInitContainers | nindent 8 }}
|
||||
@@ -101,25 +91,15 @@ spec:
|
||||
subPath: {{ .Values.persistence.subPath }}
|
||||
{{- end }}
|
||||
{{- include "gitea.init-additional-mounts" . | nindent 12 }}
|
||||
{{- if $containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- $containerSecurityContext | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- toYaml .Values.containerSecurityContext | nindent 12 }}
|
||||
resources:
|
||||
{{- toYaml .Values.initContainers.resources | nindent 12 }}
|
||||
- name: init-app-ini
|
||||
image: "{{ include "gitea.image" . }}"
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
{{- if .Values.gitea.extraEnvSourceFile }}
|
||||
command:
|
||||
- "/bin/bash"
|
||||
- "-c"
|
||||
args:
|
||||
- "test -f {{ .Values.gitea.extraEnvSourceFile }} && source {{ .Values.gitea.extraEnvSourceFile }} || { echo 'ERROR: Failed to source {{ .Values.gitea.extraEnvSourceFile }}'; exit 1; } && {{ .Values.initContainersScriptsVolumeMountPath }}/config_environment.sh"
|
||||
{{- else }}
|
||||
command:
|
||||
- "{{ .Values.initContainersScriptsVolumeMountPath }}/config_environment.sh"
|
||||
{{- end }}
|
||||
env:
|
||||
- name: GITEA_APP_INI
|
||||
value: /data/gitea/conf/app.ini
|
||||
@@ -156,30 +136,23 @@ spec:
|
||||
mountPath: "/env-to-ini-mounts/additionals/{{ $idx }}/"
|
||||
{{- end }}
|
||||
{{- include "gitea.init-additional-mounts" . | nindent 12 }}
|
||||
{{- if $containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- $containerSecurityContext | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- toYaml .Values.containerSecurityContext | nindent 12 }}
|
||||
resources:
|
||||
{{- toYaml .Values.initContainers.resources | nindent 12 }}
|
||||
{{- if .Values.signing.enabled }}
|
||||
- name: configure-gpg
|
||||
image: "{{ include "gitea.image" . }}"
|
||||
{{- if .Values.gitea.extraEnvSourceFile }}
|
||||
command:
|
||||
- "/bin/bash"
|
||||
- "-c"
|
||||
args:
|
||||
- "test -f {{ .Values.gitea.extraEnvSourceFile }} && source {{ .Values.gitea.extraEnvSourceFile }} || { echo 'ERROR: Failed to source {{ .Values.gitea.extraEnvSourceFile }}'; exit 1; } && {{ .Values.initContainersScriptsVolumeMountPath }}/configure_gpg_environment.sh"
|
||||
{{- else }}
|
||||
command:
|
||||
- "{{ .Values.initContainersScriptsVolumeMountPath }}/configure_gpg_environment.sh"
|
||||
{{- end }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
{{- if $commandInitContainerSecurityContext }}
|
||||
securityContext:
|
||||
{{- $commandInitContainerSecurityContext | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
|
||||
{{- $csc := deepCopy .Values.containerSecurityContext -}}
|
||||
{{- if not (hasKey $csc "runAsUser") -}}
|
||||
{{- $_ := set $csc "runAsUser" 1000 -}}
|
||||
{{- end -}}
|
||||
{{- toYaml $csc | nindent 12 }}
|
||||
env:
|
||||
- name: GNUPGHOME
|
||||
value: {{ .Values.signing.gpgHome }}
|
||||
@@ -204,21 +177,16 @@ spec:
|
||||
{{- end }}
|
||||
- name: configure-gitea
|
||||
image: "{{ include "gitea.image" . }}"
|
||||
{{- if .Values.gitea.extraEnvSourceFile }}
|
||||
command:
|
||||
- "/bin/bash"
|
||||
- "-c"
|
||||
args:
|
||||
- "test -f {{ .Values.gitea.extraEnvSourceFile }} && source {{ .Values.gitea.extraEnvSourceFile }} || { echo 'ERROR: Failed to source {{ .Values.gitea.extraEnvSourceFile }}'; exit 1; } && {{ .Values.initContainersScriptsVolumeMountPath }}/configure_gitea.sh"
|
||||
{{- else }}
|
||||
command:
|
||||
- "{{ .Values.initContainersScriptsVolumeMountPath }}/configure_gitea.sh"
|
||||
{{- end }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
{{- if $commandInitContainerSecurityContext }}
|
||||
securityContext:
|
||||
{{- $commandInitContainerSecurityContext | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
|
||||
{{- $csc := deepCopy .Values.containerSecurityContext -}}
|
||||
{{- if not (hasKey $csc "runAsUser") -}}
|
||||
{{- $_ := set $csc "runAsUser" 1000 -}}
|
||||
{{- end -}}
|
||||
{{- toYaml $csc | nindent 12 }}
|
||||
env:
|
||||
- name: GITEA_APP_INI
|
||||
value: /data/gitea/conf/app.ini
|
||||
@@ -376,10 +344,13 @@ spec:
|
||||
{{- end }}
|
||||
resources:
|
||||
{{- toYaml .Values.resources | nindent 12 }}
|
||||
{{- if $runtimeContainerSecurityContext }}
|
||||
securityContext:
|
||||
{{- $runtimeContainerSecurityContext | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- /* Honor the deprecated securityContext variable when defined */ -}}
|
||||
{{- if .Values.containerSecurityContext -}}
|
||||
{{ toYaml .Values.containerSecurityContext | nindent 12 -}}
|
||||
{{- else -}}
|
||||
{{ toYaml .Values.securityContext | nindent 12 -}}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: temp
|
||||
mountPath: /tmp
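Review bot: The `configure-gpg` and `configure-gitea` `securityContext` blocks in the fourth and fifth hunks default only `runAsUser` to 1000. `allowPrivilegeEscalation`, `capabilities` and `runAsNonRoot` are rendered only when supplied through `.Values.containerSecurityContext`, whose chart default is not visible here. If that default is empty, these containers start without those restrictions and would be rejected under a restricted Pod Security admission profile. Consider defaulting them beside the existing guard, e.g. `{{- if not (hasKey $csc "allowPrivilegeEscalation") -}}{{- $_ := set $csc "allowPrivilegeEscalation" false -}}{{- end -}}`. The identical `$csc` block appears in both containers, so a named template would keep the two from drifting apart.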
|
||||
|
||||
@@ -123,7 +123,7 @@ stringData:
|
||||
# should add it to prevent requiring frequent admin password resets.
|
||||
local -a change_args
|
||||
change_args=(--username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}")
|
||||
if gitea admin user change-password --help | grep -F -- '--must-change-password' >/dev/null; then
|
||||
if gitea admin user change-password --help | grep -qF -- '--must-change-password'; then
|
||||
change_args+=(--must-change-password=false)
|
||||
fi
|
||||
gitea admin user change-password "${change_args[@]}"
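Review bot: The `grep -qF` form in the new `if` line can fail spuriously when the script runs with `pipefail`. `grep -q` exits at the first match, and if `gitea admin user change-password --help` is still writing it receives SIGPIPE, so the pipeline status is non-zero and `--must-change-password=false` is not appended. Whether `pipefail` is set is not visible in this hunk; if it is, read the whole input instead, `if gitea admin user change-password --help | grep -F -- '--must-change-password' >/dev/null; then`. The enclosing function starts and ends outside the hunk.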
|
||||
|
||||
@@ -1,52 +0,0 @@
|
||||
{{- if .Values.route.enabled -}}
|
||||
{{- $fullName := include "gitea.fullname" . -}}
|
||||
apiVersion: route.openshift.io/v1
|
||||
kind: Route
|
||||
metadata:
|
||||
name: {{ $fullName }}
|
||||
namespace: {{ .Values.namespace | default .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "gitea.labels" . | nindent 4 }}
|
||||
{{- with .Values.route.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if .Values.route.host }}
|
||||
host: {{ tpl .Values.route.host . | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.route.path }}
|
||||
path: {{ tpl .Values.route.path . | quote }}
|
||||
{{- end }}
|
||||
to:
|
||||
kind: Service
|
||||
name: {{ $fullName }}-http
|
||||
port:
|
||||
targetPort: http
|
||||
wildcardPolicy: {{ .Values.route.wildcardPolicy }}
|
||||
{{- with .Values.route.tls }}
|
||||
{{- if .termination }}
|
||||
tls:
|
||||
termination: {{ .termination }}
|
||||
{{- if .insecureEdgeTerminationPolicy }}
|
||||
insecureEdgeTerminationPolicy: {{ .insecureEdgeTerminationPolicy }}
|
||||
{{- end }}
|
||||
{{- if .key }}
|
||||
key: |
|
||||
{{- .key | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- if .certificate }}
|
||||
certificate: |
|
||||
{{- .certificate | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- if .caCertificate }}
|
||||
caCertificate: |
|
||||
{{- .caCertificate | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- if .destinationCACertificate }}
|
||||
destinationCACertificate: |
|
||||
{{- .destinationCACertificate | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -9,18 +9,9 @@ metadata:
|
||||
annotations:
|
||||
"helm.sh/hook": test-success
|
||||
spec:
|
||||
{{- $hostUsers := include "gitea.hostUsers" . | trim }}
|
||||
{{- $testContainerSecurityContext := include "gitea.containerSecurityContext" (list . (dict)) | trim }}
|
||||
{{- if $hostUsers }}
|
||||
hostUsers: {{ $hostUsers }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: wget
|
||||
image: "{{ .Values.test.image.name }}:{{ .Values.test.image.tag }}"
|
||||
{{- if $testContainerSecurityContext }}
|
||||
securityContext:
|
||||
{{- $testContainerSecurityContext | nindent 8 }}
|
||||
{{- end }}
|
||||
command: ['wget']
|
||||
args: ['{{ include "gitea.fullname" . }}-http:{{ .Values.service.http.port }}']
|
||||
restartPolicy: Never
|
||||
|
||||
@@ -9,51 +9,27 @@ function setup() {
|
||||
export GITEA_APP_INI="$BATS_TEST_TMPDIR/app.ini"
|
||||
export TMP_EXISTING_ENVS_FILE="$BATS_TEST_TMPDIR/existing-envs"
|
||||
export ENV_TO_INI_MOUNT_POINT="$BATS_TEST_TMPDIR/env-to-ini-mounts"
|
||||
export GITEA_EDIT_INI_EXPECTED=0
|
||||
export PATH="$BATS_TEST_TMPDIR/bin:$PATH"
|
||||
|
||||
mkdir -p "$BATS_TEST_TMPDIR/bin"
|
||||
cat >"$BATS_TEST_TMPDIR/bin/gitea" <<'EOF'
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
case "$*" in
|
||||
'generate secret INTERNAL_TOKEN')
|
||||
echo 'mocked-internal-token'
|
||||
;;
|
||||
'generate secret SECRET_KEY')
|
||||
echo 'mocked-secret-key'
|
||||
;;
|
||||
'generate secret JWT_SECRET')
|
||||
echo 'mocked-jwt-secret'
|
||||
;;
|
||||
'generate secret LFS_JWT_SECRET')
|
||||
echo 'mocked-lfs-jwt-secret'
|
||||
;;
|
||||
"config edit-ini --apply-env --config $GITEA_APP_INI --out $GITEA_APP_INI")
|
||||
if [ "$GITEA_EDIT_INI_EXPECTED" -eq 1 ]; then
|
||||
echo 'Stubbed gitea config edit-ini was called!'
|
||||
exit 0
|
||||
fi
|
||||
|
||||
echo 'Unexpected gitea config edit-ini invocation' >&2
|
||||
exit 127
|
||||
;;
|
||||
*)
|
||||
echo "Unexpected gitea invocation: $*" >&2
|
||||
exit 127
|
||||
;;
|
||||
esac
|
||||
EOF
|
||||
chmod +x "$BATS_TEST_TMPDIR/bin/gitea"
|
||||
stub gitea \
|
||||
"generate secret INTERNAL_TOKEN : echo 'mocked-internal-token'" \
|
||||
"generate secret SECRET_KEY : echo 'mocked-secret-key'" \
|
||||
"generate secret JWT_SECRET : echo 'mocked-jwt-secret'" \
|
||||
"generate secret LFS_JWT_SECRET : echo 'mocked-lfs-jwt-secret'"
|
||||
}
|
||||
|
||||
function teardown() {
|
||||
:
|
||||
unstub gitea
|
||||
# This condition exists due to https://github.com/jasonkarns/bats-mock/pull/37 being still open
|
||||
if [ $ENV_TO_INI_EXPECTED -eq 1 ]; then
|
||||
unstub environment-to-ini
|
||||
fi
|
||||
}
|
||||
|
||||
function expect_gitea_config_edit_ini_call() {
|
||||
export GITEA_EDIT_INI_EXPECTED=1
|
||||
# This function exists due to https://github.com/jasonkarns/bats-mock/pull/37 being still open
|
||||
function expect_environment_to_ini_call() {
|
||||
export ENV_TO_INI_EXPECTED=1
|
||||
stub environment-to-ini \
|
||||
"-o $GITEA_APP_INI : echo 'Stubbed environment-to-ini was called!'"
|
||||
}
|
||||
|
||||
function execute_test_script() {
|
||||
@@ -80,18 +56,18 @@ function write_mounted_file() {
|
||||
}
|
||||
|
||||
@test "works as expected when nothing is configured" {
|
||||
expect_gitea_config_edit_ini_call
|
||||
expect_environment_to_ini_call
|
||||
run $PROJECT_ROOT/scripts/init-containers/config/config_environment.sh
|
||||
|
||||
assert_success
|
||||
assert_line '...Initial secrets generated'
|
||||
assert_line 'Reloading preset envs...'
|
||||
assert_line '=== All configuration sources loaded ==='
|
||||
assert_line 'Stubbed gitea config edit-ini was called!'
|
||||
assert_line 'Stubbed environment-to-ini was called!'
|
||||
}
|
||||
|
||||
@test "exports initial secrets" {
|
||||
expect_gitea_config_edit_ini_call
|
||||
expect_environment_to_ini_call
|
||||
run execute_test_script
|
||||
|
||||
assert_success
|
||||
@@ -102,7 +78,7 @@ function write_mounted_file() {
|
||||
}
|
||||
|
||||
@test "does NOT export initial secrets when app.ini already exists" {
|
||||
expect_gitea_config_edit_ini_call
|
||||
expect_environment_to_ini_call
|
||||
touch $GITEA_APP_INI
|
||||
|
||||
run execute_test_script
|
||||
@@ -116,7 +92,7 @@ function write_mounted_file() {
|
||||
}
|
||||
|
||||
@test "ensures that preset environment variables take precedence over auto-generated ones" {
|
||||
expect_gitea_config_edit_ini_call
|
||||
expect_environment_to_ini_call
|
||||
export GITEA__OAUTH2__JWT_SECRET="pre-defined-jwt-secret"
|
||||
|
||||
run execute_test_script
|
||||
@@ -126,7 +102,7 @@ function write_mounted_file() {
|
||||
}
|
||||
|
||||
@test "ensures that preset environment variables take precedence over mounted ones" {
|
||||
expect_gitea_config_edit_ini_call
|
||||
expect_environment_to_ini_call
|
||||
export GITEA__OAUTH2__JWT_SECRET="pre-defined-jwt-secret"
|
||||
write_mounted_file "inlines" "oauth2" "$(cat << EOF
|
||||
JWT_SECRET=inline-jwt-secret
|
||||
@@ -141,7 +117,7 @@ EOF
|
||||
}
|
||||
|
||||
@test "ensures that additionals take precedence over inlines" {
|
||||
expect_gitea_config_edit_ini_call
|
||||
expect_environment_to_ini_call
|
||||
write_mounted_file "inlines" "oauth2" "$(cat << EOF
|
||||
JWT_SECRET=inline-jwt-secret
|
||||
EOF
|
||||
@@ -160,7 +136,7 @@ EOF
|
||||
}
|
||||
|
||||
@test "ensures that dotted/dashed sections are properly masked" {
|
||||
expect_gitea_config_edit_ini_call
|
||||
expect_environment_to_ini_call
|
||||
write_mounted_file "inlines" "repository.pull-request" "$(cat << EOF
|
||||
WORK_IN_PROGRESS_PREFIXES=WIP:,[WIP]
|
||||
EOF
|
||||
@@ -176,7 +152,7 @@ EOF
|
||||
##### THIS IS A BUG, BUT I WANT IT TO BE COVERED BY TESTS #####
|
||||
###############################################################
|
||||
@test "ensures uppercase section and setting names (🐞)" {
|
||||
expect_gitea_config_edit_ini_call
|
||||
expect_environment_to_ini_call
|
||||
export GITEA__oauth2__JwT_Secret="pre-defined-jwt-secret"
|
||||
write_mounted_file "inlines" "repository.pull-request" "$(cat << EOF
|
||||
WORK_IN_progress_PREFIXES=WIP:,[WIP]
|
||||
@@ -191,7 +167,7 @@ EOF
|
||||
}
|
||||
|
||||
@test "treats top-level configuration as section-less" {
|
||||
expect_gitea_config_edit_ini_call
|
||||
expect_environment_to_ini_call
|
||||
write_mounted_file "inlines" "_generals_" "$(cat << EOF
|
||||
APP_NAME=Hello top-level configuration
|
||||
RUN_MODE=dev
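Review bot: `teardown` in the first hunk tests `[ $ENV_TO_INI_EXPECTED -eq 1 ]` with the variable unquoted, and nothing in the visible part of `setup` initialises it. A test that never calls `expect_environment_to_ini_call` would make `[` report a "unary operator expected" error rather than cleanly skipping the `unstub`. `if [ "${ENV_TO_INI_EXPECTED:-0}" -eq 1 ]; then` handles the unset case. Every test visible in this section calls the helper, so this matters for tests outside the hunks or added later.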
|
||||
|
||||
@@ -31,7 +31,7 @@ tests:
|
||||
path: stringData.cache
|
||||
value: |-
|
||||
ADAPTER=redis
|
||||
HOST=redis://:changeme@gitea-unittests-valkey-primary.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
|
||||
HOST=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
|
||||
|
||||
- it: "cache is configured correctly for 'memory' when valkey (or valkey-cluster) is disabled"
|
||||
template: templates/gitea/config.yaml
|
||||
|
||||
@@ -1,14 +0,0 @@
|
||||
suite: config template | config_environment.sh
|
||||
release:
|
||||
name: gitea-unittests
|
||||
namespace: testing
|
||||
templates:
|
||||
- templates/gitea/config.yaml
|
||||
tests:
|
||||
- it: uses `gitea config edit-ini` to write app.ini from environment variables
|
||||
template: templates/gitea/config.yaml
|
||||
asserts:
|
||||
- documentIndex: 1
|
||||
matchRegex:
|
||||
path: stringData["config_environment.sh"]
|
||||
pattern: 'gitea config edit-ini --apply-env --config .+GITEA_APP_INI.+ --out .+GITEA_APP_INI'
|
||||
@@ -30,7 +30,7 @@ tests:
|
||||
equal:
|
||||
path: stringData.queue
|
||||
value: |-
|
||||
CONN_STR=redis://:changeme@gitea-unittests-valkey-primary.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
|
||||
CONN_STR=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
|
||||
TYPE=redis
|
||||
|
||||
- it: "queue is configured correctly for 'levelDB' when valkey (and valkey-cluster) is disabled"
|
||||
|
||||
@@ -65,41 +65,3 @@ tests:
|
||||
matchRegex:
|
||||
path: stringData.server
|
||||
pattern: \nROOT_URL=http://provided.example.com
|
||||
|
||||
################################################
|
||||
|
||||
- it: "[route enabled] uses route host for DOMAIN|SSH_DOMAIN|ROOT_URL"
|
||||
template: templates/gitea/config.yaml
|
||||
set:
|
||||
route:
|
||||
enabled: true
|
||||
host: route.example.com
|
||||
asserts:
|
||||
- documentIndex: 0
|
||||
matchRegex:
|
||||
path: stringData.server
|
||||
pattern: \nDOMAIN=route.example.com
|
||||
- documentIndex: 0
|
||||
matchRegex:
|
||||
path: stringData.server
|
||||
pattern: \nSSH_DOMAIN=route.example.com
|
||||
- documentIndex: 0
|
||||
matchRegex:
|
||||
path: stringData.server
|
||||
pattern: \nROOT_URL=http://route.example.com
|
||||
|
||||
################################################
|
||||
|
||||
- it: "[route tls termination] uses https for ROOT_URL"
|
||||
template: templates/gitea/config.yaml
|
||||
set:
|
||||
route:
|
||||
enabled: true
|
||||
host: route.example.com
|
||||
tls:
|
||||
termination: edge
|
||||
asserts:
|
||||
- documentIndex: 0
|
||||
matchRegex:
|
||||
path: stringData.server
|
||||
pattern: \nROOT_URL=https://route.example.com
|
||||
|
||||
@@ -31,7 +31,7 @@ tests:
|
||||
path: stringData.session
|
||||
value: |-
|
||||
PROVIDER=redis
|
||||
PROVIDER_CONFIG=redis://:changeme@gitea-unittests-valkey-primary.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
|
||||
PROVIDER_CONFIG=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
|
||||
|
||||
- it: "session is configured correctly for 'memory' when valkey (and valkey-cluster) is disabled"
|
||||
template: templates/gitea/config.yaml
|
||||
|
||||
@@ -87,4 +87,4 @@ tests:
|
||||
- documentIndex: 0
|
||||
matchRegex:
|
||||
path: stringData["configure_gitea.sh"]
|
||||
pattern: nc -vz -w2 gitea-unittests-valkey-cluster-headless.testing.svc 6379
|
||||
pattern: nc -vz -w2 gitea-unittests-valkey-cluster-headless.testing.svc.cluster.local 6379
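Review bot: The dots in the new `matchRegex` pattern are unescaped, so `.testing.svc.cluster.local` matches any character at those positions and the assertion is looser than the hostname it is meant to pin. Escaping them, `pattern: nc -vz -w2 gitea-unittests-valkey-cluster-headless\.testing\.svc\.cluster\.local 6379`, makes the test fail on a malformed service name. The same applies to the `valkey-headless` pattern in the standalone valkey test further down the page.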
|
||||
|
||||
@@ -29,19 +29,18 @@ tests:
|
||||
path: data["valkey-password"]
|
||||
value: "Z2l0ZWEtcGFzc3dvcmQ="
|
||||
- it: "[valkey] renders the referenced service"
|
||||
template: charts/valkey/templates/primary/service.yaml
|
||||
template: charts/valkey/templates/headless-svc.yaml
|
||||
asserts:
|
||||
- containsDocument:
|
||||
kind: Service
|
||||
apiVersion: v1
|
||||
name: gitea-unittests-valkey-primary
|
||||
name: gitea-unittests-valkey-headless
|
||||
namespace: testing
|
||||
- documentIndex: 0
|
||||
contains:
|
||||
path: spec.ports
|
||||
content:
|
||||
name: tcp-redis
|
||||
nodePort: null
|
||||
port: 6379
|
||||
targetPort: redis
|
||||
- it: "[gitea] waits for valkey to be up and running"
|
||||
@@ -50,4 +49,4 @@ tests:
|
||||
- documentIndex: 0
|
||||
matchRegex:
|
||||
path: stringData["configure_gitea.sh"]
|
||||
pattern: nc -vz -w2 gitea-unittests-valkey-primary.testing.svc 6379
|
||||
pattern: nc -vz -w2 gitea-unittests-valkey-headless.testing.svc.cluster.local 6379
|
||||
|
||||
@@ -1,82 +0,0 @@
|
||||
suite: deployment template (extraEnvSourceFile)
|
||||
release:
|
||||
name: gitea-unittests
|
||||
namespace: testing
|
||||
templates:
|
||||
- templates/gitea/deployment.yaml
|
||||
- templates/gitea/config.yaml
|
||||
tests:
|
||||
- it: uses direct execution when extraEnvSourceFile is not set
|
||||
template: templates/gitea/deployment.yaml
|
||||
asserts:
|
||||
- equal:
|
||||
path: spec.template.spec.initContainers[1].command
|
||||
value: ["/usr/sbinx/config_environment.sh"]
|
||||
- notExists:
|
||||
path: spec.template.spec.initContainers[1].args
|
||||
- equal:
|
||||
path: spec.template.spec.initContainers[2].command
|
||||
value: ["/usr/sbinx/configure_gitea.sh"]
|
||||
- notExists:
|
||||
path: spec.template.spec.initContainers[2].args
|
||||
|
||||
- it: sources env file in init-app-ini when extraEnvSourceFile is set
|
||||
template: templates/gitea/deployment.yaml
|
||||
set:
|
||||
gitea:
|
||||
extraEnvSourceFile: /vault/secrets/gitea
|
||||
asserts:
|
||||
- equal:
|
||||
path: spec.template.spec.initContainers[1].command
|
||||
value: ["/bin/bash", "-c"]
|
||||
- matchRegex:
|
||||
path: spec.template.spec.initContainers[1].args[0]
|
||||
pattern: source /vault/secrets/gitea
|
||||
- matchRegex:
|
||||
path: spec.template.spec.initContainers[1].args[0]
|
||||
pattern: config_environment\.sh
|
||||
|
||||
- it: sources env file in configure-gitea when extraEnvSourceFile is set
|
||||
template: templates/gitea/deployment.yaml
|
||||
set:
|
||||
gitea:
|
||||
extraEnvSourceFile: /vault/secrets/gitea
|
||||
asserts:
|
||||
- equal:
|
||||
path: spec.template.spec.initContainers[2].command
|
||||
value: ["/bin/bash", "-c"]
|
||||
- matchRegex:
|
||||
path: spec.template.spec.initContainers[2].args[0]
|
||||
pattern: source /vault/secrets/gitea
|
||||
- matchRegex:
|
||||
path: spec.template.spec.initContainers[2].args[0]
|
||||
pattern: configure_gitea\.sh
|
||||
|
||||
- it: sources env file in configure-gpg when extraEnvSourceFile is set with signing enabled
|
||||
template: templates/gitea/deployment.yaml
|
||||
set:
|
||||
signing:
|
||||
enabled: true
|
||||
existingSecret: "custom-gpg-secret"
|
||||
gitea:
|
||||
extraEnvSourceFile: /vault/secrets/gitea
|
||||
asserts:
|
||||
- equal:
|
||||
path: spec.template.spec.initContainers[2].command
|
||||
value: ["/bin/bash", "-c"]
|
||||
- matchRegex:
|
||||
path: spec.template.spec.initContainers[2].args[0]
|
||||
pattern: source /vault/secrets/gitea
|
||||
- matchRegex:
|
||||
path: spec.template.spec.initContainers[2].args[0]
|
||||
pattern: configure_gpg_environment\.sh
|
||||
|
||||
- it: includes file existence check in source command
|
||||
template: templates/gitea/deployment.yaml
|
||||
set:
|
||||
gitea:
|
||||
extraEnvSourceFile: /vault/secrets/gitea
|
||||
asserts:
|
||||
- matchRegex:
|
||||
path: spec.template.spec.initContainers[1].args[0]
|
||||
pattern: "test -f /vault/secrets/gitea"
|
||||
@@ -1,106 +0,0 @@
|
||||
suite: deployment template (openshift)
|
||||
release:
|
||||
name: gitea-unittests
|
||||
namespace: testing
|
||||
templates:
|
||||
- templates/gitea/deployment.yaml
|
||||
- templates/gitea/config.yaml
|
||||
tests:
|
||||
- it: renders openshift-compatible defaults for chart-managed containers
|
||||
template: templates/gitea/deployment.yaml
|
||||
set:
|
||||
openshift.enabled: true
|
||||
asserts:
|
||||
- notExists:
|
||||
path: spec.template.spec.hostUsers
|
||||
- notExists:
|
||||
path: spec.template.spec.securityContext
|
||||
- equal:
|
||||
path: spec.template.spec.initContainers[0].securityContext
|
||||
value:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
- equal:
|
||||
path: spec.template.spec.initContainers[1].securityContext
|
||||
value:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
- equal:
|
||||
path: spec.template.spec.initContainers[2].securityContext
|
||||
value:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
- equal:
|
||||
path: spec.template.spec.containers[0].securityContext
|
||||
value:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
|
||||
- it: does not force runAsUser 1000 for command init containers on OpenShift
|
||||
template: templates/gitea/deployment.yaml
|
||||
set:
|
||||
openshift.enabled: true
|
||||
signing.enabled: true
|
||||
signing.existingSecret: custom-gpg-secret
|
||||
asserts:
|
||||
- notExists:
|
||||
path: spec.template.spec.initContainers[2].securityContext.runAsUser
|
||||
- notExists:
|
||||
path: spec.template.spec.initContainers[3].securityContext.runAsUser
|
||||
|
||||
- it: preserves explicit pod and container security context overrides on OpenShift
|
||||
template: templates/gitea/deployment.yaml
|
||||
set:
|
||||
openshift:
|
||||
enabled: true
|
||||
hostUsers: true
|
||||
podSecurityContext:
|
||||
fsGroup: 1000620000
|
||||
containerSecurityContext:
|
||||
runAsUser: 1000620000
|
||||
runAsGroup: 1000620000
|
||||
asserts:
|
||||
- equal:
|
||||
path: spec.template.spec.hostUsers
|
||||
value: true
|
||||
- equal:
|
||||
path: spec.template.spec.securityContext
|
||||
value:
|
||||
fsGroup: 1000620000
|
||||
- equal:
|
||||
path: spec.template.spec.initContainers[2].securityContext.runAsUser
|
||||
value: 1000620000
|
||||
- equal:
|
||||
path: spec.template.spec.containers[0].securityContext.runAsGroup
|
||||
value: 1000620000
|
||||
|
||||
- it: renders an explicit hostUsers=false override on OpenShift
|
||||
template: templates/gitea/deployment.yaml
|
||||
set:
|
||||
openshift:
|
||||
enabled: true
|
||||
hostUsers: false
|
||||
asserts:
|
||||
- equal:
|
||||
path: spec.template.spec.hostUsers
|
||||
value: false
|
||||
@@ -1,58 +0,0 @@
|
||||
suite: Test route.yaml
|
||||
release:
|
||||
name: gitea-unittests
|
||||
namespace: testing
|
||||
templates:
|
||||
- templates/gitea/route.yaml
|
||||
tests:
|
||||
- it: should create route when route.enabled is true
|
||||
set:
|
||||
route:
|
||||
enabled: true
|
||||
host: git.apps.example.com
|
||||
path: /
|
||||
annotations:
|
||||
haproxy.router.openshift.io/timeout: 5m
|
||||
tls:
|
||||
termination: edge
|
||||
insecureEdgeTerminationPolicy: Redirect
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 1
|
||||
- equal:
|
||||
path: metadata.name
|
||||
value: gitea-unittests
|
||||
- equal:
|
||||
path: metadata.annotations["haproxy.router.openshift.io/timeout"]
|
||||
value: 5m
|
||||
- equal:
|
||||
path: spec.host
|
||||
value: git.apps.example.com
|
||||
- equal:
|
||||
path: spec.path
|
||||
value: /
|
||||
- equal:
|
||||
path: spec.to.kind
|
||||
value: Service
|
||||
- equal:
|
||||
path: spec.to.name
|
||||
value: gitea-unittests-http
|
||||
- equal:
|
||||
path: spec.port.targetPort
|
||||
value: http
|
||||
- equal:
|
||||
path: spec.wildcardPolicy
|
||||
value: None
|
||||
- equal:
|
||||
path: spec.tls.termination
|
||||
value: edge
|
||||
- equal:
|
||||
path: spec.tls.insecureEdgeTerminationPolicy
|
||||
value: Redirect
|
||||
|
||||
- it: should not create route when route.enabled is false
|
||||
set:
|
||||
route.enabled: false
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 0
|
||||
@@ -1,33 +0,0 @@
|
||||
suite: test connection template
|
||||
release:
|
||||
name: gitea-unittests
|
||||
namespace: testing
|
||||
templates:
|
||||
- templates/tests/test-http-connection.yaml
|
||||
tests:
|
||||
- it: renders openshift-compatible defaults for the test pod
|
||||
set:
|
||||
openshift.enabled: true
|
||||
asserts:
|
||||
- notExists:
|
||||
path: spec.hostUsers
|
||||
- equal:
|
||||
path: spec.containers[0].securityContext
|
||||
value:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
|
||||
- it: renders an explicit hostUsers=false override for the test pod
|
||||
set:
|
||||
openshift:
|
||||
enabled: true
|
||||
hostUsers: false
|
||||
asserts:
|
||||
- equal:
|
||||
path: spec.hostUsers
|
||||
value: false
|
||||
+3
-56
@@ -62,14 +62,9 @@ imagePullSecrets: []
|
||||
|
||||
## @section Security
|
||||
# Security context is only usable with rootless image due to image design
|
||||
## @param openshift.enabled Enable OpenShift compatibility defaults for chart-managed pods. Defaults to auto-detect based on the SecurityContextConstraints API.
|
||||
## @param openshift.hostUsers Override the PodSpec hostUsers field for chart-managed pods. When unset, the field is omitted so the platform default is used.
|
||||
openshift:
|
||||
enabled: null
|
||||
hostUsers: null
|
||||
|
||||
## @param podSecurityContext Pod security context. On non-OpenShift clusters the chart defaults `fsGroup` to `1000` when this map is empty.
|
||||
podSecurityContext: {}
|
||||
## @param podSecurityContext.fsGroup Set the shared file system group for all containers in the pod.
|
||||
podSecurityContext:
|
||||
fsGroup: 1000
|
||||
|
||||
## @param containerSecurityContext Security context
|
||||
containerSecurityContext: {}
|
||||
@@ -182,32 +177,6 @@ ingress:
|
||||
# hosts:
|
||||
# - git.example.com
|
||||
|
||||
## @section Route
|
||||
## @param route.enabled Enable OpenShift Route
|
||||
## @param route.annotations Route annotations
|
||||
## @param route.host Route host. When unset, OpenShift may generate one and Gitea URL defaults fall back to ingress/service values.
|
||||
## @param route.path Route path
|
||||
## @param route.wildcardPolicy Route wildcard policy
|
||||
## @param route.tls.termination Route TLS termination type
|
||||
## @param route.tls.insecureEdgeTerminationPolicy Route insecure edge termination policy
|
||||
## @param route.tls.key Route TLS key
|
||||
## @param route.tls.certificate Route TLS certificate
|
||||
## @param route.tls.caCertificate Route TLS CA certificate
|
||||
## @param route.tls.destinationCACertificate Route destination CA certificate
|
||||
route:
|
||||
enabled: false
|
||||
annotations: {}
|
||||
host: ""
|
||||
path: ""
|
||||
wildcardPolicy: None
|
||||
tls:
|
||||
termination:
|
||||
insecureEdgeTerminationPolicy:
|
||||
key:
|
||||
certificate:
|
||||
caCertificate:
|
||||
destinationCACertificate:
|
||||
|
||||
## @section deployment
|
||||
#
|
||||
## @param resources Kubernetes resources
|
||||
@@ -477,28 +446,6 @@ gitea:
|
||||
## @param gitea.additionalConfigFromEnvs Additional configuration sources from environment variables
|
||||
additionalConfigFromEnvs: []
|
||||
|
||||
## @param gitea.extraEnvSourceFile Source environment variables from a file during init container startup. This is especially useful for reading environment variable files generated by the Vault agent-injector.
|
||||
## See the sample annotations below for reference.
|
||||
## podAnnotations:
|
||||
## vault.hashicorp.com/agent-inject: "true"
|
||||
## vault.hashicorp.com/agent-init-first: "true"
|
||||
## vault.hashicorp.com/agent-inject-secret-gitea: <path/to/secret>
|
||||
## vault.hashicorp.com/agent-inject-template-gitea: |
|
||||
## {{- with secret "path/to/secret" -}}
|
||||
## export GITEA__database__HOST="{{ .Data.data.db_host }}"
|
||||
## export GITEA__database__NAME="{{ .Data.data.db_name }}"
|
||||
## export GITEA__database__USER="{{ .Data.data.db_user }}"
|
||||
## export GITEA__database__PASSWD="{{ .Data.data.db_password }}"
|
||||
## export GITEA__queue__CONN_STR="{{ .Data.data.kv_conn_string }}"
|
||||
## export GITEA__session__PROVIDER_CONFIG="{{ .Data.data.kv_conn_string }}"
|
||||
## export GITEA__cache__HOST="{{ .Data.data.kv_conn_string }}"
|
||||
## export GITEA_ADMIN_USERNAME="{{ .Data.data.gitea_admin_user }}"
|
||||
## export GITEA_ADMIN_PASSWORD="{{ .Data.data.gitea_admin_password }}"
|
||||
## {{- end }}
|
||||
|
||||
# extraEnvSourceFile: /vault/secrets/gitea
|
||||
extraEnvSourceFile:
|
||||
|
||||
## @param gitea.podAnnotations Annotations for the Gitea pod
|
||||
podAnnotations: {}
|
||||
|
||||
|
||||
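Review bot: The new-side default `containerSecurityContext: {}` in the first hunk (under `## @section Security`) comes with no documented hardened profile; the only guidance left is the one-line remark about the rootless image. The deployment and test-pod unit tests deleted on this page asserted `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, `runAsNonRoot: true` and `seccompProfile.type: RuntimeDefault`, and nothing visible in this section pins an equivalent profile once they are gone. Whether the templates still apply defaults of their own cannot be seen from here. I would add a comment above the key, for example `# With the rootless image, consider: allowPrivilegeEscalation: false, capabilities.drop: [ALL], runAsNonRoot: true, seccompProfile.type: RuntimeDefault`. I would also keep a unit test that asserts the rendered `securityContext` when `podSecurityContext` and `containerSecurityContext` are overridden, so a regression in how those values are passed through is caught.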