volker.raschek/helm-gitea
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: volker.raschek:main
Branches Tags
volker.raschek:main
volker.raschek:feat/support-artifacthub-annotation-changes
volker.raschek:v12.0.0
volker.raschek:v11.0.1
volker.raschek:v11.0.0
volker.raschek:v10.6.0
volker.raschek:v10.5.0
volker.raschek:v10.4.1
volker.raschek:v10.4.0
volker.raschek:v10.3.0
volker.raschek:v10.2.0
volker.raschek:v10.1.4
volker.raschek:v10.1.3
volker.raschek:v10.1.2
volker.raschek:v10.1.1
volker.raschek:v10.1.0
volker.raschek:v10.0.2
volker.raschek:v10.0.1
volker.raschek:v10.0.0
volker.raschek:v9.6.1
volker.raschek:v9.6.0
volker.raschek:v9.5.1
volker.raschek:v9.5.0
volker.raschek:v9.4.0
volker.raschek:v9.3.0
volker.raschek:v9.2.1
volker.raschek:v9.2.0
volker.raschek:v9.1.0
volker.raschek:v9.0.4
volker.raschek:v9.0.3
volker.raschek:v9.0.2
volker.raschek:v9.0.1
volker.raschek:v9.0.0
volker.raschek:v8.3.0
volker.raschek:v8.2.0
volker.raschek:v8.1.0
volker.raschek:v8.0.3
volker.raschek:v8.0.2
volker.raschek:v8.0.1
volker.raschek:v8.0.0
volker.raschek:v7.0.4
volker.raschek:v7.0.3
volker.raschek:v7.0.2
volker.raschek:v7.0.1
volker.raschek:v7.0.0
volker.raschek:v6.0.5
volker.raschek:v6.0.4
volker.raschek:v6.0.3
volker.raschek:v6.0.2
volker.raschek:v6.0.1
volker.raschek:v6.0.0
volker.raschek:v5.0.9
volker.raschek:v5.0.8
volker.raschek:v5.0.7
volker.raschek:v5.0.6
volker.raschek:v5.0.5
volker.raschek:v5.0.4
volker.raschek:v5.0.3
volker.raschek:v5.0.2
volker.raschek:v5.0.1
volker.raschek:v5.0.0
volker.raschek:v4.1.1
volker.raschek:v4.1.0
volker.raschek:v4.0.3
volker.raschek:v4.0.2
volker.raschek:v4.0.1
volker.raschek:v4.0.0
volker.raschek:v3.1.4
volker.raschek:v3.1.3
volker.raschek:v3.1.2
volker.raschek:v3.1.1
volker.raschek:v3.1.0
volker.raschek:v3.0.0
volker.raschek:v2.2.5
volker.raschek:v2.2.4
volker.raschek:v2.2.3
volker.raschek:v2.2.2
volker.raschek:v2.2.1
volker.raschek:v2.2.0
volker.raschek:v2.1.11
volker.raschek:v2.1.10
volker.raschek:v2.1.9
volker.raschek:v2.1.8
volker.raschek:v2.1.7
volker.raschek:v2.1.6
volker.raschek:v2.1.5
volker.raschek:v2.1.4
volker.raschek:v2.1.3
volker.raschek:v2.1.2
volker.raschek:v2.1.1
volker.raschek:v2.1.0
volker.raschek:v2.0.7
volker.raschek:v2.0.6
volker.raschek:v2.0.5
volker.raschek:v2.0.4
volker.raschek:v2.0.3
volker.raschek:v2.0.2
volker.raschek:v2.0.0
volker.raschek:v1.5.5
volker.raschek:v1.5.4
volker.raschek:v1.5.3
volker.raschek:v1.5.2
volker.raschek:v1.5.1
volker.raschek:v1.5.0
volker.raschek:v1.4.9
volker.raschek:v1.4.8
volker.raschek:v1.4.7
volker.raschek:v1.4.6
volker.raschek:v1.4.5
volker.raschek:v1.4.4
volker.raschek:v1.4.3
volker.raschek:v1.4.2
..
compare: volker.raschek:v9.0.1
Branches Tags
volker.raschek:feat/support-artifacthub-annotation-changes
volker.raschek:main
volker.raschek:v12.0.0
volker.raschek:v11.0.1
volker.raschek:v11.0.0
volker.raschek:v10.6.0
volker.raschek:v10.5.0
volker.raschek:v10.4.1
volker.raschek:v10.4.0
volker.raschek:v10.3.0
volker.raschek:v10.2.0
volker.raschek:v10.1.4
volker.raschek:v10.1.3
volker.raschek:v10.1.2
volker.raschek:v10.1.1
volker.raschek:v10.1.0
volker.raschek:v10.0.2
volker.raschek:v10.0.1
volker.raschek:v10.0.0
volker.raschek:v9.6.1
volker.raschek:v9.6.0
volker.raschek:v9.5.1
volker.raschek:v9.5.0
volker.raschek:v9.4.0
volker.raschek:v9.3.0
volker.raschek:v9.2.1
volker.raschek:v9.2.0
volker.raschek:v9.1.0
volker.raschek:v9.0.4
volker.raschek:v9.0.3
volker.raschek:v9.0.2
volker.raschek:v9.0.1
volker.raschek:v9.0.0
volker.raschek:v8.3.0
volker.raschek:v8.2.0
volker.raschek:v8.1.0
volker.raschek:v8.0.3
volker.raschek:v8.0.2
volker.raschek:v8.0.1
volker.raschek:v8.0.0
volker.raschek:v7.0.4
volker.raschek:v7.0.3
volker.raschek:v7.0.2
volker.raschek:v7.0.1
volker.raschek:v7.0.0
volker.raschek:v6.0.5
volker.raschek:v6.0.4
volker.raschek:v6.0.3
volker.raschek:v6.0.2
volker.raschek:v6.0.1
volker.raschek:v6.0.0
volker.raschek:v5.0.9
volker.raschek:v5.0.8
volker.raschek:v5.0.7
volker.raschek:v5.0.6
volker.raschek:v5.0.5
volker.raschek:v5.0.4
volker.raschek:v5.0.3
volker.raschek:v5.0.2
volker.raschek:v5.0.1
volker.raschek:v5.0.0
volker.raschek:v4.1.1
volker.raschek:v4.1.0
volker.raschek:v4.0.3
volker.raschek:v4.0.2
volker.raschek:v4.0.1
volker.raschek:v4.0.0
volker.raschek:v3.1.4
volker.raschek:v3.1.3
volker.raschek:v3.1.2
volker.raschek:v3.1.1
volker.raschek:v3.1.0
volker.raschek:v3.0.0
volker.raschek:v2.2.5
volker.raschek:v2.2.4
volker.raschek:v2.2.3
volker.raschek:v2.2.2
volker.raschek:v2.2.1
volker.raschek:v2.2.0
volker.raschek:v2.1.11
volker.raschek:v2.1.10
volker.raschek:v2.1.9
volker.raschek:v2.1.8
volker.raschek:v2.1.7
volker.raschek:v2.1.6
volker.raschek:v2.1.5
volker.raschek:v2.1.4
volker.raschek:v2.1.3
volker.raschek:v2.1.2
volker.raschek:v2.1.1
volker.raschek:v2.1.0
volker.raschek:v2.0.7
volker.raschek:v2.0.6
volker.raschek:v2.0.5
volker.raschek:v2.0.4
volker.raschek:v2.0.3
volker.raschek:v2.0.2
volker.raschek:v2.0.0
volker.raschek:v1.5.5
volker.raschek:v1.5.4
volker.raschek:v1.5.3
volker.raschek:v1.5.2
volker.raschek:v1.5.1
volker.raschek:v1.5.0
volker.raschek:v1.4.9
volker.raschek:v1.4.8
volker.raschek:v1.4.7
volker.raschek:v1.4.6
volker.raschek:v1.4.5
volker.raschek:v1.4.4
volker.raschek:v1.4.3
volker.raschek:v1.4.2

No commits in common. "main" and "v9.0.1" have entirely different histories.
main ... v9.0.1

92 changed files with 833 additions and 5191 deletions
Show Stats Expand all files Collapse all files

7
.commitlintrc.json
View File

@ -1,7 +0,0 @@
{
"extends": ["@commitlint/config-conventional"],
"rules": {
"type-enum": [2, "always", ["feat", "fix", "chore", "docs", "style", "refactor", "test", "perf", "ci", "WIP"]],
"type-case": [0, "always", "lower-case"]
}
}

6
.gitea/PULL_REQUEST_TEMPLATE.md
View File

@ -23,7 +23,7 @@
### Applicable issues ### Applicable issues
<!-- Enter any applicable Issues here (You can reference an issue using #). Please remove this section if there is no referenced issue. --> <!-- Enter any applicable Issues here (You can reference an issue using #). Please remove this section if there is no referenced issue. -->
- Fixes # - fixes #
### Additional information ### Additional information
@ -39,6 +39,4 @@
- [ ] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm) - [ ] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm)
- [ ] Breaking changes are documented in the `README.md` - [ ] Breaking changes are documented in the `README.md`
- [ ] Helm templating unittests are added (required when changing anything in `templates` folder) - [ ] Templating unittests are added
- [ ] Bash unittests are added (required when changing anything in `scripts` folder)
- [ ] All added template resources MUST render a namespace in metadata

114
.gitea/scripts/add-annotations.sh
View File

@ -1,114 +0,0 @@
#!/bin/bash
set -e
CHART_FILE="Chart.yaml"
if [ ! -f "${CHART_FILE}" ]; then
echo "ERROR: ${CHART_FILE} not found!" 1>&2
exit 1
fi
DEFAULT_NEW_TAG="$(git tag --sort=-version:refname | head -n 1)"
DEFAULT_OLD_TAG="$(git tag --sort=-version:refname | head -n 2 | tail -n 1)"
if [ -z "${1}" ]; then
read -p "Enter start tag [${DEFAULT_OLD_TAG}]: " OLD_TAG
if [ -z "${OLD_TAG}" ]; then
OLD_TAG="${DEFAULT_OLD_TAG}"
fi
while [ -z "$(git tag --list "${OLD_TAG}")" ]; do
echo "ERROR: Tag '${OLD_TAG}' not found!" 1>&2
read -p "Enter start tag [${DEFAULT_OLD_TAG}]: " OLD_TAG
if [ -z "${OLD_TAG}" ]; then
OLD_TAG="${DEFAULT_OLD_TAG}"
fi
done
else
OLD_TAG=${1}
if [ -z "$(git tag --list "${OLD_TAG}")" ]; then
echo "ERROR: Tag '${OLD_TAG}' not found!" 1>&2
exit 1
fi
fi
if [ -z "${2}" ]; then
read -p "Enter end tag [${DEFAULT_NEW_TAG}]: " NEW_TAG
if [ -z "${NEW_TAG}" ]; then
NEW_TAG="${DEFAULT_NEW_TAG}"
fi
while [ -z "$(git tag --list "${NEW_TAG}")" ]; do
echo "ERROR: Tag '${NEW_TAG}' not found!" 1>&2
read -p "Enter end tag [${DEFAULT_NEW_TAG}]: " NEW_TAG
if [ -z "${NEW_TAG}" ]; then
NEW_TAG="${DEFAULT_NEW_TAG}"
fi
done
else
NEW_TAG=${2}
if [ -z "$(git tag --list "${NEW_TAG}")" ]; then
echo "ERROR: Tag '${NEW_TAG}' not found!" 1>&2
exit 1
fi
fi
CHANGE_LOG_YAML=$(mktemp)
echo "[]" > "${CHANGE_LOG_YAML}"
function map_type_to_kind() {
case "${1}" in
feat)
echo "added"
;;
fix)
echo "fixed"
;;
chore|style|test|ci|docs|refac)
echo "changed"
;;
revert)
echo "removed"
;;
sec)
echo "security"
;;
*)
echo "skip"
;;
esac
}
COMMIT_TITLES="$(git log --pretty=format:"%s" "${OLD_TAG}..${NEW_TAG}")"
echo "INFO: Generate change log entries from ${OLD_TAG} until ${NEW_TAG}"
while IFS= read -r line; do
if [[ "${line}" =~ ^([a-zA-Z]+)(\([^\)]+\))?\:\ (.+)$ ]]; then
TYPE="${BASH_REMATCH[1]}"
KIND=$(map_type_to_kind "${TYPE}")
if [ "${KIND}" == "skip" ]; then
continue
fi
DESC="${BASH_REMATCH[3]}"
echo "- ${KIND}: ${DESC}"
jq --arg kind changed --arg description "$DESC" '. += [ $ARGS.named ]' < ${CHANGE_LOG_YAML} > ${CHANGE_LOG_YAML}.new
mv ${CHANGE_LOG_YAML}.new ${CHANGE_LOG_YAML}
fi
done <<< "${COMMIT_TITLES}"
if [ -s "${CHANGE_LOG_YAML}" ]; then
yq --inplace --input-format json --output-format yml "${CHANGE_LOG_YAML}"
yq --no-colors --inplace ".annotations.\"artifacthub.io/changes\" |= loadstr(\"${CHANGE_LOG_YAML}\") | sort_keys(.)" "${CHART_FILE}"
else
echo "ERROR: Changelog file is empty: ${CHANGE_LOG_YAML}" 1>&2
exit 1
fi
rm "${CHANGE_LOG_YAML}"

167
.gitea/workflows/release-version.yml
View File

@ -2,145 +2,52 @@ name: generate-chart
on: on:
push: push:
branches: tags:
- "*" - "*"
env:
# renovate: datasource=docker depName=alpine/helm
HELM_VERSION: "3.17.3"
jobs: jobs:
generate-chart-publish: generate-chart-publish:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v3
- name: install tools
run: |
apt update -y
apt install -y curl
curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list
apt update -y
apt install -y python helm python3-pip apt-transport-https
pip install awscli
- name: Import GPG key
id: import_gpg
uses: https://github.com/crazy-max/ghaction-import-gpg@v5
with: with:
fetch-depth: 0 gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
fingerprint: CC64B1DB67ABBEECAB24B6455FC346329753F4B0
- name: Determine Architecture and Operating System to support x86_64 and ARM based CI nodes # Using helm gpg plugin as 'helm package --sign' has issues with gpg2: https://github.com/helm/helm/issues/2843
- name: package chart
run: | run: |
# determine operating system # FIXME: use upstream after https://github.com/technosophos/helm-gpg/issues/1 is solved
OS=$(uname | tr '[:upper:]' '[:lower:]') helm plugin install https://github.com/pat-s/helm-gpg
echo "OS=${OS}" >> $GITHUB_ENV helm dependency update
echo "INFO: Set environment variable OS=${OS}" helm package --version "${GITHUB_REF#refs/tags/v}" ./
helm gpg sign "gitea-${GITHUB_REF#refs/tags/v}.tgz"
mkdir gitea
mv gitea*.tgz gitea/
curl -L -o gitea/index.yaml https://dl.gitea.com/charts/index.yaml
helm repo index gitea/ --url https://dl.gitea.io/charts --merge gitea/index.yaml
# determine architecture - name: aws credential configure
ARCH="$(uname -m)" uses: https://github.com/aws-actions/configure-aws-credentials@v2
case "${ARCH}" in with:
aarch64) ARCH=arm64;; aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
x86_64) ARCH=amd64;; aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
esac aws-region: ${{ secrets.AWS_REGION }}
echo "ARCH=${ARCH}" >> $GITHUB_ENV
echo "INFO: Set environment variable ARCH=${ARCH}"
- name: Install packages via apt - name: Copy files to S3 and clear cache
run: | run: |
apt update --yes aws s3 sync gitea/ s3://${{ secrets.AWS_S3_BUCKET}}/charts/
echo "INFO: Install packages via apt"
apt install --yes curl ca-certificates curl gnupg jq
- name: Install helm
run: |
curl --fail --location --output /dev/stdout --silent --show-error https://get.helm.sh/helm-v${{ env.HELM_VERSION }}-${OS}-${ARCH}.tar.gz | tar --extract --gzip --file /dev/stdin
mv ${OS}-${ARCH}/helm /usr/local/bin/
rm --force --recursive ${OS}-${ARCH} helm-v${{ env.HELM_VERSION }}-${OS}-${ARCH}.tar.gz
helm version
- name: Install yq
env:
YQ_VERSION: v4.45.4 # renovate: datasource=github-releases depName=mikefarah/yq
run: |
curl --fail --location --output /dev/stdout --silent --show-error https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_${OS}_${ARCH}.tar.gz | tar --extract --gzip --file /dev/stdin
mv yq_${OS}_${ARCH} /usr/local/bin
rm --force --recursive yq_${OS}_${ARCH} yq_${OS}_${ARCH}.tar.gz
yq --version
- name: Install docker-ce via apt
run: |
echo "INFO: Install docker"
install -m 0755 -d /etc/apt/keyrings
curl --fail --location --silent --show-error https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg
echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
apt update --yes
apt install --yes python3 python3-pip apt-transport-https docker-ce-cli
- name: Install awscli
run: |
echo "INFO: Install awscli via python pip"
pip install awscli --break-system-packages
aws --version
# - name: Import GPG key
# id: import_gpg
# uses: https://github.com/crazy-max/ghaction-import-gpg@v6
# with:
# gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
# passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
# fingerprint: CC64B1DB67ABBEECAB24B6455FC346329753F4B0
- name: Add Artifacthub.io annotations
run: |
NEW_TAG=v12.0.0
OLD_TAG=v11.0.1
# NEW_TAG="$(git tag --sort=-version:refname | head --lines 1)"
# OLD_TAG="$(git tag --sort=-version:refname | head --lines 2 | tail --lines 1)"
.gitea/scripts/add-annotations.sh "${OLD_TAG}" "${NEW_TAG}"
- name: Print Chart.yaml
run: cat Chart.yaml
# # Using helm gpg plugin as 'helm package --sign' has issues with gpg2: https://github.com/helm/helm/issues/2843
# - name: package chart
# run: |
# echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | docker login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} --password-stdin
# # FIXME: use upstream after https://github.com/technosophos/helm-gpg/issues/1 is solved
# helm plugin install https://github.com/pat-s/helm-gpg
# helm dependency build
# helm package --version "${GITHUB_REF#refs/tags/v}" ./
# mkdir gitea
# mv gitea*.tgz gitea/
# curl --fail --location --output gitea/index.yaml --silent --show-error https://dl.gitea.com/charts/index.yaml
# helm repo index gitea/ --url https://dl.gitea.com/charts --merge gitea/index.yaml
# # push to dockerhub
# echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | helm registry login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} registry-1.docker.io --password-stdin
# helm push gitea/gitea-${GITHUB_REF#refs/tags/v}.tgz oci://registry-1.docker.io/giteacharts
# helm registry logout registry-1.docker.io
# - name: aws credential configure
# uses: https://github.com/aws-actions/configure-aws-credentials@v4
# with:
# aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
# aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
# aws-region: ${{ secrets.AWS_REGION }}
# - name: Copy files to S3 and clear cache
# run: |
# aws s3 sync gitea/ s3://${{ secrets.AWS_S3_BUCKET}}/charts/
# release-gitea:
# # needs: generate-chart-publish
# runs-on: ubuntu-latest
# container: docker.io/thegeeklab/git-sv:2.0.1
# steps:
# - name: install tools
# run: |
# apk add -q --update --no-cache nodejs
# - uses: actions/checkout@v4
# with:
# fetch-tags: true
# fetch-depth: 0
# - name: Create changelog
# run: |
# git sv current-version
# git sv release-notes -t ${GITHUB_REF#refs/tags/} -o CHANGELOG.md
# sed -i '1,2d' CHANGELOG.md # remove version
# cat CHANGELOG.md
# - name: Release
# uses: https://github.com/akkuman/gitea-release-action@v1
# with:
# body_path: CHANGELOG.md
# token: "${{ secrets.RELEASE_TOKEN }}"

36
.gitea/workflows/test-pr.yml Normal file
View File

@ -0,0 +1,36 @@
name: check-and-test
on:
- pull_request
jobs:
check-and-test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: install tools
run: |
apt update -y
apt install -y curl make
curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list
apt update -y
apt install -y helm python3-pip
pip install yamllint
- name: dependency update
run: helm dependency update
- name: lint
run: helm lint
- name: template
run: |
helm template --debug gitea-helm .
- name: unit tests
run: |
helm plugin install --version 0.3.3 https://github.com/helm-unittest/helm-unittest
make unittests
- name: verify readme
run: |
make readme
git diff --exit-code --name-only README.md
- name: yaml lint
uses: https://github.com/ibiqlik/action-yamllint@v3

12
.gitmodules vendored
View File

@ -1,12 +0,0 @@
[submodule "unittests/bash/bats"]
path = unittests/bash/bats
url = https://github.com/bats-core/bats-core.git
[submodule "unittests/bash/test_helper/bats-support"]
path = unittests/bash/test_helper/bats-support
url = https://github.com/bats-core/bats-support.git
[submodule "unittests/bash/test_helper/bats-assert"]
path = unittests/bash/test_helper/bats-assert
url = https://github.com/bats-core/bats-assert.git
[submodule "unittests/bash/test_helper/bats-mock"]
path = unittests/bash/test_helper/bats-mock
url = https://github.com/jasonkarns/bats-mock.git

57
.gitsv/config.yaml
View File

@ -1,57 +0,0 @@
version: '1.1' # Configuration version.
versioning:
update-major: [breaking] # Commit types used to bump major.
update-minor: [feat, perf] # Commit types used to bump minor.
update-patch: [build, ci, chore, fix, perf, refactor, test] # Commit types used to bump patch.
# When type is not present on update rules and is unknown (not mapped on commit message types);
# if ignore-unknown=false bump patch, if ignore-unknown=true do not bump version.
ignore-unknown: false
tag:
pattern: 'v%d.%d.%d' # Pattern used to create git tag.
filter: '' # Enables you to filter for considerable tags using git pattern syntax.
release-notes:
sections: # Array with each section of release note. Check template section for more information.
- name: Breaking Changes
section-type: breaking-changes
- name: Features # Name used on section.
section-type: commits # Type of the section, supported types: commits, breaking-changes.
commit-types: [feat, perf] # Commit types for commit section-type, one commit type cannot be in more than one section.
- name: Bug Fixes
section-type: commits
commit-types: [fix]
- name: Maintenance
section-type: commits
commit-types: [chore, refactor]
- name: Documentation
commit-types: [docs]
section-type: commits
- name: CI
commit-types: [ci]
section-type: commits
branches: # Git branches config.
prefix: ([a-z]+\/)? # Prefix used on branch name, it should be a regex group.
suffix: (-.*)? # Suffix used on branch name, it should be a regex group.
disable-issue: false # Set true if there is no need to recover issue id from branch name.
skip: [] # List of branch names ignored on commit message validation.
skip-detached: false # Set true if a detached branch should be ignored on commit message validation.
commit-message:
# Supported commit types.
types: [build, ci, chore, docs, feat, fix, perf, refactor, revert, style, test]
header-selector: '' # You can put in a regex here to select only a certain part of the commit message. Please define a regex group 'header'.
scope:
# Define supported scopes, if blank, scope will not be validated, if not, only scope listed will be valid.
# Don't forget to add "" on your list if you need to define scopes and keep it optional.
values: []
footer:
issue: # Use "issue: {}" if you wish to disable issue footer.
key: jira # Name used to define an issue on footer metadata.
key-synonyms: [Jira, JIRA] # Supported variations for footer metadata.
use-hash: false # If false, use :<space> separator. If true, use <space># separator.
add-value-prefix: '' # Add a prefix to issue value.
issue:
regex: '[A-Z]+-[0-9]+' # Regex for issue id.

8
.helmignore
View File

@ -5,7 +5,6 @@
# Common VCS dirs # Common VCS dirs
.git/ .git/
.gitignore .gitignore
.gitmodules
.bzr/ .bzr/
.bzrignore .bzrignore
.hg/ .hg/
@ -32,10 +31,3 @@ Makefile
.drone.yml .drone.yml
CONTRIBUTING.md CONTRIBUTING.md
unittests/ unittests/
.editorconfig
.prettierignore
.yamllint
CODEOWNERS
renovate.json5
.commitlintrc.json
.gitsv/

3
.markdownlint.yaml
View File

@ -73,7 +73,7 @@ MD022:
# MD024/no-duplicate-heading/no-duplicate-header - Multiple headings with the same content # MD024/no-duplicate-heading/no-duplicate-header - Multiple headings with the same content
MD024: MD024:
# Only check sibling headings # Only check sibling headings
siblings_only: true allow_different_nesting: true
# MD025/single-title/single-h1 - Multiple top-level headings in the same document # MD025/single-title/single-h1 - Multiple top-level headings in the same document
MD025: MD025:
@ -129,7 +129,6 @@ MD041:
MD044: MD044:
# List of proper names # List of proper names
names: names:
- docker.gitea.com
- Gitea - Gitea
- PostgreSQL - PostgreSQL
- Memcached - Memcached

9
.vscode/extensions.json vendored
View File

@ -1,9 +0,0 @@
{
"recommendations": [
"yzhang.markdown-all-in-one",
"DavidAnson.vscode-markdownlint",
"Tim-Koehler.helm-intellisense",
"esbenp.prettier-vscode",
"jetmartin.bats"
]
}

15
.vscode/settings.json vendored
View File

@ -1,15 +0,0 @@
{
"yaml.schemas": {
"https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.8.2/schema/helm-testsuite.json": [
"/unittests/**/*.yaml"
]
},
"yaml.schemaStore.enable": true,
"[bats]": {
"editor.tabSize": 2
},
"[shellscript]": {
"files.eol": "\n",
"editor.tabSize": 2
}
}

4
.yamllint
View File

@ -5,7 +5,7 @@ ignore: |
.yamllint .yamllint
node_modules node_modules
templates templates
unittests/bash
rules: rules:
truthy: truthy:
@ -17,4 +17,4 @@ rules:
comments: comments:
min-spaces-from-content: 1 min-spaces-from-content: 1
braces: braces:
max-spaces-inside: 2 max-spaces-inside: 2

1
CODEOWNERS
View File

@ -1 +0,0 @@
charts/* @justusbunsi @pat-s

34
CONTRIBUTING.md
View File

@ -9,7 +9,12 @@ refactorings for easier maintainability or documentation improvements.
- [`helm`](https://helm.sh/docs/intro/install/) - [`helm`](https://helm.sh/docs/intro/install/)
- `make` is optional; you may call the commands directly - `make` is optional; you may call the commands directly
When using Visual Studio Code as IDE, a [ready-to-use profile](.vscode/) is available. When using Visual Studio Code as IDE, following plugins might be useful:
- [Markdown All in One](https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one)
- [markdownlint](https://marketplace.visualstudio.com/items?itemName=DavidAnson.vscode-markdownlint)
- [Helm Intellisense](https://marketplace.visualstudio.com/items?itemName=Tim-Koehler.helm-intellisense)
- [Prettier - Code formatter](https://marketplace.visualstudio.com/items?itemName=esbenp.prettier-vscode)
## Documentation Requirements ## Documentation Requirements
@ -29,7 +34,6 @@ When submitting or updating a PR:
- try to avoid rebases. They make code reviews for large PRs and comments much harder. - try to avoid rebases. They make code reviews for large PRs and comments much harder.
- if applicable, use the PR template for a well-defined PR description. - if applicable, use the PR template for a well-defined PR description.
- clearly mark breaking changes. - clearly mark breaking changes.
- format the PR title following the [conventional commits](https://www.conventionalcommits.org/en/v1.0.0/#specification) schema
## Local development & testing ## Local development & testing
@ -38,7 +42,7 @@ be used:
1. Install `minikube` and `helm`. 1. Install `minikube` and `helm`.
1. Start a `minikube` cluster via `minikube start`. 1. Start a `minikube` cluster via `minikube start`.
1. From the `gitea/helm-gitea` directory execute the following command. 1. From the `gitea/helm-chart` directory execute the following command.
This will install the dependencies listed in `Chart.yml` and deploy the current state of the helm chart found locally. This will install the dependencies listed in `Chart.yml` and deploy the current state of the helm chart found locally.
If you want to test a branch, make sure to switch to the respective branch first. If you want to test a branch, make sure to switch to the respective branch first.
`helm install --dependency-update gitea . -f values.yaml`. `helm install --dependency-update gitea . -f values.yaml`.
@ -49,32 +53,18 @@ default port-forward svc/gitea-http 3000:3000`.
### Unit tests ### Unit tests
#### Helm templating tests
```bash ```bash
# install the unittest plugin # install the unittest plugin
$ helm plugin install https://github.com/helm-unittest/helm-unittest $ helm plugin install https://github.com/helm-unittest/helm-unittest
# run the Helm unittests # run the unittests
make unittests-helm make unittests
``` ```
See [plugin documentation](https://github.com/helm-unittest/helm-unittest/blob/main/DOCUMENT.md) for usage instructions. See [plugin documentation](https://github.com/helm-unittest/helm-unittest/blob/v0.3.3/DOCUMENT.md) for usage instructions.
#### Bash script tests
```bash
# setup the environment
git submodule update --init --recursive
# run the bash tests
make unittests-bash
```
See [bats documentation](https://bats-core.readthedocs.io/en/stable/) for usage instructions.
## Release process ## Release process
1. Ensure you have [`git-sv`](https://github.com/thegeeklab/git-sv) installed 1. Create a tag following the tagging schema
1. Run `git sv tag` (this creates and pushes the tag following the respective next tag according to the semver commits issued since the last release) 1. Push the tag
1. Let CI do it's work 1. Let CI do it's work

15
Chart.lock
View File

@ -1,15 +1,12 @@
dependencies: dependencies:
- name: postgresql - name: postgresql
repository: oci://registry-1.docker.io/bitnamicharts repository: oci://registry-1.docker.io/bitnamicharts
version: 16.7.4 version: 12.6.6
- name: postgresql-ha - name: postgresql-ha
repository: oci://registry-1.docker.io/bitnamicharts repository: oci://registry-1.docker.io/bitnamicharts
version: 16.0.6 version: 11.7.9
- name: valkey-cluster - name: redis-cluster
repository: oci://registry-1.docker.io/bitnamicharts repository: oci://registry-1.docker.io/bitnamicharts
version: 3.0.10 version: 8.6.9
- name: valkey digest: sha256:52296a48610712a8eb69a32b1b5818b014bfb8dac79d883e11ebdaf97d41e85d
repository: oci://registry-1.docker.io/bitnamicharts generated: "2023-07-17T21:24:06.888357+02:00"
version: 3.0.9
digest: sha256:aeafc605b86db0ff3999cd808af1c9ca3a6a749aae0d42f2fdae89803b3bb60a
generated: "2025-05-25T00:23:17.804516988Z"

31
Chart.yaml
View File

@ -3,9 +3,8 @@ name: gitea
description: Gitea Helm chart for Kubernetes description: Gitea Helm chart for Kubernetes
type: application type: application
version: 0.0.0 version: 0.0.0
# renovate datasource=github-releases depName=go-gitea/gitea extractVersion=^v(?<version>.*)$ appVersion: 1.20.0
appVersion: 1.23.8 icon: https://docs.gitea.io/images/gitea.png
icon: https://gitea.com/assets/img/logo.svg
keywords: keywords:
- git - git
@ -15,9 +14,9 @@ keywords:
- gitea - gitea
- gogs - gogs
sources: sources:
- https://gitea.com/gitea/helm-gitea - https://gitea.com/gitea/helm-chart
- https://github.com/go-gitea/gitea - https://github.com/go-gitea/gitea
- https://docker.gitea.com/gitea - https://hub.docker.com/r/gitea/gitea/
maintainers: maintainers:
- name: Charlie Drage - name: Charlie Drage
email: charlie@charliedrage.com email: charlie@charliedrage.com
@ -32,24 +31,20 @@ maintainers:
- name: Patrick Schratz - name: Patrick Schratz
email: patrick.schratz@gmail.com email: patrick.schratz@gmail.com
# Bitnami charts are served from GitHub CDN - See https://github.com/bitnami/charts/issues/10539 for details
dependencies: dependencies:
# https://github.com/bitnami/charts/blob/main/bitnami/postgresql # Chart release date: 2023-07 (https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml)
- name: postgresql - name: postgresql
repository: oci://registry-1.docker.io/bitnamicharts repository: oci://registry-1.docker.io/bitnamicharts
version: 16.7.4 version: 12.6.6
condition: postgresql.enabled condition: postgresql.enabled
# https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml # Chart release date: 2023-07 (https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml)
- name: postgresql-ha - name: postgresql-ha
repository: oci://registry-1.docker.io/bitnamicharts repository: oci://registry-1.docker.io/bitnamicharts
version: 16.0.6 version: 11.7.9
condition: postgresql-ha.enabled condition: postgresql-ha.enabled
# https://github.com/bitnami/charts/blob/main/bitnami/valkey-cluster/Chart.yaml # Chart release date: 2023-07 (https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml)
- name: valkey-cluster - name: redis-cluster
repository: oci://registry-1.docker.io/bitnamicharts repository: oci://registry-1.docker.io/bitnamicharts
version: 3.0.10 version: 8.6.9
condition: valkey-cluster.enabled condition: redis-cluster.enabled
# https://github.com/bitnami/charts/blob/main/bitnami/valkey/Chart.yaml
- name: valkey
repository: oci://registry-1.docker.io/bitnamicharts
version: 3.0.9
condition: valkey.enabled

13
Makefile
View File

@ -1,5 +1,3 @@
SHELL := /usr/bin/env bash -O globstar
.PHONY: prepare-environment .PHONY: prepare-environment
prepare-environment: prepare-environment:
npm install npm install
@ -10,15 +8,8 @@ readme: prepare-environment
npm run readme:lint npm run readme:lint
.PHONY: unittests .PHONY: unittests
unittests: unittests-helm unittests-bash unittests:
helm unittest --strict -f 'unittests/**/*.yaml' ./
.PHONY: unittests-helm
unittests-helm:
helm unittest --strict -f 'unittests/helm/**/*.yaml' -f 'unittests/helm/values-conflicting-checks.yaml' ./
.PHONY: unittests-bash
unittests-bash:
./unittests/bash/bats/bin/bats --pretty ./unittests/bash/tests/**/*.bats
.PHONY: helm .PHONY: helm
update-helm-dependencies: update-helm-dependencies:

645
README.md
View File

@ -3,22 +3,11 @@
- [Introduction](#introduction) - [Introduction](#introduction)
- [Update and versioning policy](#update-and-versioning-policy) - [Update and versioning policy](#update-and-versioning-policy)
- [Dependencies](#dependencies) - [Dependencies](#dependencies)
- [HA Dependencies](#ha-dependencies)
- [Non-HA Dependencies](#non-ha-dependencies)
- [Dependency Versioning](#dependency-versioning)
- [Installing](#installing) - [Installing](#installing)
- [High Availability](#high-availability) - [High Availability](#high-availability)
- [Limit resources](#limit-resources)
- [Configuration](#configuration) - [Configuration](#configuration)
- [Default Configuration](#default-configuration) - [Default Configuration](#default-configuration)
- [Database defaults](#database-defaults)
- [Server defaults](#server-defaults)
- [Metrics defaults](#metrics-defaults)
- [Rootless Defaults](#rootless-defaults)
- [Session, Cache and Queue](#session-cache-and-queue)
- [Single-Pod Configurations](#single-pod-configurations)
- [Additional _app.ini_ settings](#additional-appini-settings) - [Additional _app.ini_ settings](#additional-appini-settings)
- [User defined environment variables in app.ini](#user-defined-environment-variables-in-appini)
- [External Database](#external-database) - [External Database](#external-database)
- [Ports and external url](#ports-and-external-url) - [Ports and external url](#ports-and-external-url)
- [ClusterIP](#clusterip) - [ClusterIP](#clusterip)
@ -31,10 +20,8 @@
- [OAuth2 Settings](#oauth2-settings) - [OAuth2 Settings](#oauth2-settings)
- [Configure commit signing](#configure-commit-signing) - [Configure commit signing](#configure-commit-signing)
- [Metrics and profiling](#metrics-and-profiling) - [Metrics and profiling](#metrics-and-profiling)
- [Secure Metrics Endpoint](#secure-metrics-endpoint)
- [Pod annotations](#pod-annotations) - [Pod annotations](#pod-annotations)
- [Themes](#themes) - [Themes](#themes)
- [Renovate](#renovate)
- [Parameters](#parameters) - [Parameters](#parameters)
- [Global](#global) - [Global](#global)
- [strategy](#strategy) - [strategy](#strategy)
@ -51,15 +38,14 @@
- [LivenessProbe](#livenessprobe) - [LivenessProbe](#livenessprobe)
- [ReadinessProbe](#readinessprobe) - [ReadinessProbe](#readinessprobe)
- [StartupProbe](#startupprobe) - [StartupProbe](#startupprobe)
- [valkey-cluster](#valkey-cluster) - [redis-cluster](#redis-cluster)
- [valkey](#valkey) - [PostgreSQL-ha](#postgresql-ha)
- [PostgreSQL HA](#postgresql-ha)
- [PostgreSQL](#postgresql) - [PostgreSQL](#postgresql)
- [Advanced](#advanced) - [Advanced](#advanced)
- [Contributing](#contributing) - [Contributing](#contributing)
- [Upgrading](#upgrading) - [Upgrading](#upgrading)
[Gitea](https://gitea.com) is a community managed lightweight code hosting solution written in Go. [Gitea](https://gitea.io/en-us/) is a community managed lightweight code hosting solution written in Go.
It is published under the MIT license. It is published under the MIT license.
## Introduction ## Introduction
@ -71,7 +57,7 @@ Additionally, this chart allows to provide LDAP and admin user configuration wit
## Update and versioning policy ## Update and versioning policy
The Gitea helm chart versioning does not follow Gitea's versioning. The Gitea helm chart versioning does not follow Gitea's versioning.
The latest chart version can be looked up in [https://dl.gitea.com/charts](https://dl.gitea.com/charts) or in the [repository releases](https://gitea.com/gitea/helm-gitea/releases). The latest chart version can be looked up in [https://dl.gitea.com/charts](https://dl.gitea.com/charts) or in the [repository releases](https://gitea.com/gitea/helm-chart/releases).
The chart aims to follow Gitea's releases closely. The chart aims to follow Gitea's releases closely.
There might be times when the chart is behind the latest Gitea release. There might be times when the chart is behind the latest Gitea release.
@ -86,117 +72,38 @@ Yet most often no issues will be encountered and the chart maintainers aim to co
## Dependencies ## Dependencies
Gitea is most performant when run with an external database and cache. Gitea can be run with an external database and cache.
This chart provides those dependencies via sub-charts. This chart provides those dependencies, which can be enabled, or disabled via configuration.
Users can also configure their own external providers via the configuration.
### HA Dependencies Dependencies:
These dependencies are enabled by default: - PostgreSQL HA ([configuration](#postgresql))
- Redis Cluster ([configuration](#cache))
- PostgreSQL HA ([Bitnami PostgreSQL-HA](https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml))
- Valkey-Cluster ([Bitnami Valkey-Cluster](https://github.com/bitnami/charts/blob/main/bitnami/valkey-cluster/Chart.yaml))
### Non-HA Dependencies
Alternatively, the following non-HA replacements are available:
- PostgreSQL ([Bitnami PostgreSQL](<Postgresql](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml)>))
- Valkey ([Bitnami Valkey](<Valkey](https://github.com/bitnami/charts/blob/main/bitnami/valkey/Chart.yaml)>))
### Dependency Versioning
Updates of sub-charts will be incorporated into the Gitea chart as they are released.
The reasoning behind this is that new users of the chart will start with the most recent sub-chart dependency versions.
**Note** If you want to stay on an older appVersion of a sub-chart dependency (e.g. PostgreSQL), you need to override the image tag in your `values.yaml` file.
In fact, we recommend to do so right from the start to be independent of major sub-chart dependency changes as they are released.
There is no need to update to every new PostgreSQL major version - you can happily skip some and do larger updates when you are ready for them.
We recommend to use a rolling tag like `:<majorVersion>-debian-<debian major version>` to incorporate minor and patch updates for the respective major version as they are released.
Alternatively you can also use a versioning helper tool like [renovate](https://github.com/renovatebot/renovate).
Please double-check the image repository and available tags in the sub-chart:
- [PostgreSQL-HA](https://hub.docker.com/r/bitnami/postgresql-repmgr/tags)
- [PostgreSQL](https://hub.docker.com/r/bitnami/postgresql/tags)
- [Valkey Cluster](https://hub.docker.com/r/bitnami/valkey-cluster/tags)
- [Valkey](https://hub.docker.com/r/bitnami/valkey/tags)
and look up the image tag which fits your needs on Dockerhub.
## Installing ## Installing
```sh ```sh
helm repo add gitea-charts https://dl.gitea.com/charts/ helm repo add gitea-charts https://dl.gitea.io/charts/
helm repo update helm repo update
helm install gitea gitea-charts/gitea helm install gitea gitea-charts/gitea
``` ```
Alternatively, the chart can also be installed from Dockerhub (since v9.6.0)
```sh
helm install gitea oci://registry-1.docker.io/giteacharts/gitea
```
To avoid potential Dockerhub rate limits, the chart can also be installed via [docker.gitea.com](https://blog.gitea.com/docker-registry-update/) (since v9.6.0)
```sh
helm install gitea oci://docker.gitea.com/charts/gitea
```
When upgrading, please refer to the [Upgrading](#upgrading) section at the bottom of this document for major and breaking changes. When upgrading, please refer to the [Upgrading](#upgrading) section at the bottom of this document for major and breaking changes.
## High Availability ## High Availability
Since version 9.0.0 this chart supports running Gitea and it's dependencies in HA mode. ⚠️ **EXPERIMENTAL** ⚠️
Care must be taken for production use as not all implementation details of Gitea core are officially HA-ready yet.
Since version 9.0.0 this chart has experimental support for running Gitea and it's dependencies in a HA setup.
The setup is still experimental and care must be taken for production use as Gitea core is not yet officially HA-ready.
Deploying a HA-ready Gitea instance requires some effort including using HA-ready dependencies. Deploying a HA-ready Gitea instance requires some effort including using HA-ready dependencies.
See the [HA Setup](docs/ha-setup.md) document for more details. See the [HA Setup](docs/ha-setup.md) document for more details.
## Limit resources
If the application is deployed with a CPU resource limit, Prometheus may throw a CPU throttling warning for the
application. This has more or less to do with the fact that the application finds the number of CPUs of the host, but
cannot use the available CPU time to perform computing operations.
The application must be informed that despite several CPUs only a part (limit) of the available computing time is
available. As this is a Golang application, this can be implemented using `GOMAXPROCS`. The following example is one way
of defining `GOMAXPROCS` automatically based on the defined CPU limit like `1000m`. Please keep in mind, that the CFS
rate of `100ms` - default on each kubernetes node, is also very important to avoid CPU throttling.
Further information about this topic can be found [here](https://kanishk.io/posts/cpu-throttling-in-containerized-go-apps/).
> [!NOTE]
> The environment variable `GOMAXPROCS` is set automatically, when a CPU limit is defined. An explicit configuration is
> not anymore required.
>
> Please note that a CPU limit < `1000m` can also lead to CPU throttling. Please read the linked documentation carefully.
```yaml
deployment:
env:
# Will be automatically defined!
- name: GOMAXPROCS
valueFrom:
resourceFieldRef:
divisor: "1" # Is required for GitDevOps systems like ArgoCD/Flux. Otherwise throw the system a diff error. (k8s-default=1)
resource: limits.cpu
resources:
limits:
cpu: 1000m
memory: 512Mi
requests:
cpu: 100m
memory: 512Mi
```
## Configuration ## Configuration
Gitea offers lots of configuration options. Gitea offers lots of configuration options.
This is fully described in the [Gitea Cheat Sheet](https://docs.gitea.com/administration/config-cheat-sheet). This is fully described in the [Gitea Cheat Sheet](https://docs.gitea.io/en-us/config-cheat-sheet/).
```yaml ```yaml
gitea: gitea:
@ -259,109 +166,9 @@ The Prometheus `/metrics` endpoint is disabled by default.
ENABLED = false ENABLED = false
``` ```
#### Rootless Defaults
If `.Values.image.rootless: true`, then the following will occur. In case you use `.Values.image.fullOverride`, check that this works in your image:
- `$HOME` becomes `/data/gitea/git`
[see deployment.yaml](./templates/gitea/deployment.yaml) template inside (init-)container "env" declarations
- `START_SSH_SERVER: true` (Unless explicity overwritten by `gitea.config.server.START_SSH_SERVER`)
[see \_helpers.tpl](./templates/_helpers.tpl) in `gitea.inline_configuration.defaults.server` definition
- `SSH_LISTEN_PORT: 2222` (Unless explicity overwritten by `gitea.config.server.SSH_LISTEN_PORT`)
[see \_helpers.tpl](./templates/_helpers.tpl) in `gitea.inline_configuration.defaults.server` definition
- `SSH_LOG_LEVEL` environment variable is not injected into the container
[see deployment.yaml](./templates/gitea/deployment.yaml) template inside container "env" declarations
#### Session, Cache and Queue
The session, cache and queue settings are set to use the built-in Valkey Cluster sub-chart dependency.
If Valkey Cluster is disabled, the chart will fall back to the Gitea defaults which use "memory" for `session` and `cache` and "level" for `queue`.
While these will work and even not cause immediate issues after startup, **they are not recommended for production use**.
Reasons being that a single pod will take on all the work for `session` and `cache` tasks in its available memory.
It is likely that the pod will run out of memory or will face substantial memory spikes, depending on the workload.
External tools such as `valkey-cluster` or `memcached` handle these workloads much better.
### Single-Pod Configurations
If HA is not needed/desired, the following configurations can be used to deploy a single-pod Gitea instance.
1. For a production-ready single-pod Gitea instance without external dependencies (using the chart dependency `postgresql` and `valkey`):
<details>
<summary>values.yml</summary>
```yaml
valkey-cluster:
enabled: false
valkey:
enabled: true
postgresql:
enabled: true
postgresql-ha:
enabled: false
persistence:
enabled: true
gitea:
config:
database:
DB_TYPE: postgres
indexer:
ISSUE_INDEXER_TYPE: bleve
REPO_INDEXER_ENABLED: true
```
</details>
2. For a minimal DEV installation (using the built-in sqlite DB instead of Postgres):
This will result in a single-pod Gitea instance _without any dependencies and persistence_.
**Do not use this configuration for production use**.
<details>
<summary>values.yml</summary>
```yaml
valkey-cluster:
enabled: false
valkey:
enabled: false
postgresql:
enabled: false
postgresql-ha:
enabled: false
persistence:
enabled: false
gitea:
config:
database:
DB_TYPE: sqlite3
session:
PROVIDER: memory
cache:
ADAPTER: memory
queue:
TYPE: level
```
</details>
### Additional _app.ini_ settings ### Additional _app.ini_ settings
> **The [generic](https://docs.gitea.com/administration/config-cheat-sheet#overall-default) > **The [generic](https://docs.gitea.io/en-us/config-cheat-sheet/#overall-default)
> section cannot be defined that way.** > section cannot be defined that way.**
Some settings inside _app.ini_ (like passwords or whole authentication configurations) must be considered sensitive and therefore should not be passed via plain text inside the _values.yaml_ file. Some settings inside _app.ini_ (like passwords or whole authentication configurations) must be considered sensitive and therefore should not be passed via plain text inside the _values.yaml_ file.
@ -448,7 +255,7 @@ Priority (highest to lowest) for defining app.ini variables:
### External Database ### External Database
Any external database listed in [https://docs.gitea.com/installation/database-prep](https://docs.gitea.com/installation/database-prep) can be used instead of the built-in PostgreSQL. Any external database listed in [https://docs.gitea.io/en-us/database-prep/](https://docs.gitea.io/en-us/database-prep/) can be used instead of the built-in PostgreSQL.
In fact, it is **highly recommended** to use an external database to ensure a stable Gitea installation longterm. In fact, it is **highly recommended** to use an external database to ensure a stable Gitea installation longterm.
If an external database is used, no matter which type, make sure to set `postgresql.enabled` to `false` to disable the use of the built-in PostgreSQL. If an external database is used, no matter which type, make sure to set `postgresql.enabled` to `false` to disable the use of the built-in PostgreSQL.
@ -466,9 +273,6 @@ gitea:
postgresql: postgresql:
enabled: false enabled: false
postgresql-ha:
enabled: false
``` ```
### Ports and external url ### Ports and external url
@ -533,23 +337,20 @@ and the repository exists.
``` ```
To solve this problem add the capability `SYS_CHROOT` to the `securityContext`. To solve this problem add the capability `SYS_CHROOT` to the `securityContext`.
More about this issue [here](https://gitea.com/gitea/helm-gitea/issues/161). More about this issue [here](https://gitea.com/gitea/helm-chart/issues/161).
### Cache ### Cache
The cache handling is done via `valkey-cluster` (via the `bitnami` chart) by default. The cache handling is done via `redis-cluster` (via the `bitnami` chart) by default.
This deployment is HA-ready but can also be used for single-pod deployments. This deployment is HA-ready but can also be used for single-pod deployments.
By default, 6 replicas are deployed for a working `valkey-cluster` deployment. By default, 6 replicas are deployed for a working `redis-cluster` deployment.
Many cloud providers offer a managed valkey service, which can be used instead of the built-in `valkey-cluster`. Many cloud providers offer a managed redis service, which can be used instead of the built-in `redis-cluster`.
```yaml ```yaml
valkey-cluster: redis-cluster:
enabled: true enabled: true
``` ```
⚠️ The valkey charts [do not work well with special characters in the password](https://gitea.com/gitea/helm-chart/issues/690).
Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed.
### Persistence ### Persistence
Gitea will be deployed as a deployment. Gitea will be deployed as a deployment.
@ -583,7 +384,7 @@ You can interact with the postgres settings as displayed in the following exampl
postgresql: postgresql:
persistence: persistence:
enabled: true enabled: true
existingClaim: MyAwesomeGiteaPostgresClaim claimName: MyAwesomeGiteaPostgresClaim
``` ```
### Admin User ### Admin User
@ -621,24 +422,10 @@ gitea:
existingSecret: gitea-admin-secret existingSecret: gitea-admin-secret
``` ```
Whether you use the existing Secret or specify a user name and password, there are three modes for how the admin user password is created or set.
- `keepUpdated` (the default) will set the admin user password, and reset it to the defined value every time the pod is recreated.
- `initialOnlyNoReset` will set the admin user password when creating it, but never try to update the password.
- `initialOnlyRequireReset` will set the admin user password when creating it, never update it, and require that the password be changed at the initial login.
These modes can be set like the following:
```yaml
gitea:
admin:
passwordMode: initialOnlyRequireReset
```
### LDAP Settings ### LDAP Settings
Like the admin user the LDAP settings can be updated. Like the admin user the LDAP settings can be updated.
All LDAP values from <https://docs.gitea.com/administration/command-line#admin> are available. All LDAP values from <https://docs.gitea.io/en-us/command-line/#admin> are available.
Multiple LDAP sources can be configured with additional LDAP list items. Multiple LDAP sources can be configured with additional LDAP list items.
@ -693,7 +480,7 @@ Affected options:
Like the admin user, OAuth2 settings can be updated and disabled but not deleted. Like the admin user, OAuth2 settings can be updated and disabled but not deleted.
Deleting OAuth2 settings has to be done in the ui. Deleting OAuth2 settings has to be done in the ui.
All OAuth2 values, which are documented [here](https://docs.gitea.com/administration/command-line#admin), are All OAuth2 values, which are documented [here](https://docs.gitea.io/en-us/command-line/#admin), are
available. available.
Multiple OAuth2 sources can be configured with additional OAuth list items. Multiple OAuth2 sources can be configured with additional OAuth list items.
@ -738,7 +525,7 @@ gitea:
When using the rootless image the gpg key folder is not persistent by default. When using the rootless image the gpg key folder is not persistent by default.
If you consider using signed commits for internal Gitea activities (e.g. initial commit), you'd need to provide a signing key. If you consider using signed commits for internal Gitea activities (e.g. initial commit), you'd need to provide a signing key.
Prior to [PR186](https://gitea.com/gitea/helm-gitea/pulls/186), imported keys had to be re-imported once the container got replaced by another. Prior to [PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be re-imported once the container got replaced by another.
The mentioned PR introduced a new configuration object `signing` allowing you to configure prerequisites for commit signing. The mentioned PR introduced a new configuration object `signing` allowing you to configure prerequisites for commit signing.
By default this section is disabled to maintain backwards compatibility. By default this section is disabled to maintain backwards compatibility.
@ -771,7 +558,7 @@ signing:
``` ```
To use the gpg key, Gitea needs to be configured accordingly. To use the gpg key, Gitea needs to be configured accordingly.
A detailed description can be found in the [official Gitea documentation](https://docs.gitea.com/administration/signing#general-configuration). A detailed description can be found in the [official Gitea documentation](https://docs.gitea.io/en-us/signing/#general-configuration).
## Metrics and profiling ## Metrics and profiling
@ -792,21 +579,6 @@ gitea:
ENABLE_PPROF: true ENABLE_PPROF: true
``` ```
### Secure Metrics Endpoint
Metrics endpoint `/metrics` can be secured by using `Bearer` token authentication.
**Note:** Providing non-empty `TOKEN` value will also require authentication for `ServiceMonitor`.
```yaml
gitea:
metrics:
token: "secure-token"
enabled: true
serviceMonitor:
enabled: true
```
## Pod annotations ## Pod annotations
Annotations can be added to the Gitea pod. Annotations can be added to the Gitea pod.
@ -820,8 +592,6 @@ gitea:
Custom themes can be added via k8s secrets and referencing them in `values.yaml`. Custom themes can be added via k8s secrets and referencing them in `values.yaml`.
The [http provider](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) is useful here.
```yaml ```yaml
extraVolumes: extraVolumes:
- name: gitea-themes - name: gitea-themes
@ -831,7 +601,7 @@ extraVolumes:
extraVolumeMounts: extraVolumeMounts:
- name: gitea-themes - name: gitea-themes
readOnly: true readOnly: true
mountPath: "/data/gitea/public/assets/css" mountPath: "/data/gitea/public/css"
``` ```
The secret can be created via `terraform`: The secret can be created via `terraform`:
@ -844,37 +614,13 @@ resource "kubernetes_secret" "gitea-themes" {
} }
data = { data = {
"my-theme.css" = data.http.gitea-theme-light.body "theme-custom.css" = "${file("FULL-PATH-TO-CSS")}"
"my-theme-dark.css" = data.http.gitea-theme-dark.body "theme-custom-dark.css" = "${file("FULL-PATH-TO-CSS")}"
"my-theme-auto.css" = data.http.gitea-theme-auto.body
} }
type = "Opaque" type = "Opaque"
}
depends_on = [kubernetes_namespace.gitea]
data "http" "gitea-theme-light" {
url = "<raw theme url>"
request_headers = {
Accept = "application/json"
}
}
data "http" "gitea-theme-dark" {
url = "<raw theme url>"
request_headers = {
Accept = "application/json"
}
}
data "http" "gitea-theme-auto" {
url = "<raw theme url>"
request_headers = {
Accept = "application/json"
}
} }
``` ```
@ -884,46 +630,17 @@ or natively via `kubectl`:
kubectl create secret generic gitea-themes --from-file={{FULL-PATH-TO-CSS}} --namespace gitea kubectl create secret generic gitea-themes --from-file={{FULL-PATH-TO-CSS}} --namespace gitea
``` ```
## Renovate
To be able to use a digest value which is automatically updated by `Renovate` a [customManager](https://docs.renovatebot.com/modules/manager/regex/) is required.
Here's an examplary `values.yml` definition which makes use of a digest:
```yaml
image:
repository: gitea/gitea
tag: 1.20.2
digest: sha256:6e3b85a36653894d6741d0aefb41dfaac39044e028a42e0a520cc05ebd7bfc3f
```
By default Renovate adds digest after the `tag`.
To comply with the Gitea helm chart definition of the digest parameter, a "customManagers" definition is required:
```json
"customManagers": [
{
"customType": "regex",
"description": "Apply an explicit gitea digest field match",
"fileMatch": ["values\\.ya?ml"],
"matchStrings": ["(?<depName>gitea\\/gitea)\\n(?<indentation>\\s+)tag: (?<currentValue>[^@].*?)\\n\\s+digest: (?<currentDigest>sha256:[a-f0-9]+)"],
"datasourceTemplate": "docker",
"autoReplaceStringTemplate": "{{depName}}\n{{indentation}}tag: {{newValue}}\n{{indentation}}digest: {{#if newDigest}}{{{newDigest}}}{{else}}{{{currentDigest}}}{{/if}}"
}
]
```
## Parameters ## Parameters
### Global ### Global
| Name | Description | Value | | Name | Description | Value |
| ------------------------- | ---------------------------------------------------------------------------------------------- | ----- | | ------------------------- | ------------------------------------------------------------------------- | ----- |
| `global.imageRegistry` | global image registry override | `""` | | `global.imageRegistry` | global image registry override | `""` |
| `global.imagePullSecrets` | global image pull secrets override; can be extended by `imagePullSecrets` | `[]` | | `global.imagePullSecrets` | global image pull secrets override; can be extended by `imagePullSecrets` | `[]` |
| `global.storageClass` | global storage class override | `""` | | `global.storageClass` | global storage class override | `""` |
| `global.hostAliases` | global hostAliases which will be added to the pod's hosts files | `[]` | | `global.hostAliases` | global hostAliases which will be added to the pod's hosts files | `[]` |
| `namespace` | An explicit namespace to deploy Gitea into. Defaults to the release namespace if not specified | `""` | | `replicaCount` | number of replicas for the deployment | `1` |
| `replicaCount` | number of replicas for the deployment | `1` |
### strategy ### strategy
@ -936,16 +653,14 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
### Image ### Image
| Name | Description | Value | | Name | Description | Value |
| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------ | | ------------------ | --------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
| `image.registry` | image registry, e.g. gcr.io,docker.io | `docker.gitea.com` | | `image.registry` | image registry, e.g. gcr.io,docker.io | `""` |
| `image.repository` | Image to start for this pod | `gitea` | | `image.repository` | Image to start for this pod | `gitea/gitea` |
| `image.tag` | Visit: [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated). Defaults to `appVersion` within Chart.yaml. | `""` | | `image.tag` | Visit: [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated). Defaults to `appVersion` within Chart.yaml. | `""` |
| `image.digest` | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest` | `""` | | `image.pullPolicy` | Image pull policy | `Always` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` | | `image.rootless` | Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher | `true` |
| `image.rootless` | Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher | `true` | | `imagePullSecrets` | Secret to use for pulling the image | `[]` |
| `image.fullOverride` | Completely overrides the image registry, path/image, tag and digest. **Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).** | `""` |
| `imagePullSecrets` | Secret to use for pulling the image | `[]` |
### Security ### Security
@ -971,8 +686,6 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
| `service.http.ipFamilies` | HTTP service dual-stack familiy selection,for dual-stack parameters see official kubernetes [dual-stack concept documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/). | `nil` | | `service.http.ipFamilies` | HTTP service dual-stack familiy selection,for dual-stack parameters see official kubernetes [dual-stack concept documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/). | `nil` |
| `service.http.loadBalancerSourceRanges` | Source range filter for http loadbalancer | `[]` | | `service.http.loadBalancerSourceRanges` | Source range filter for http loadbalancer | `[]` |
| `service.http.annotations` | HTTP service annotations | `{}` | | `service.http.annotations` | HTTP service annotations | `{}` |
| `service.http.labels` | HTTP service additional labels | `{}` |
| `service.http.loadBalancerClass` | Loadbalancer class | `nil` |
| `service.ssh.type` | Kubernetes service type for ssh traffic | `ClusterIP` | | `service.ssh.type` | Kubernetes service type for ssh traffic | `ClusterIP` |
| `service.ssh.port` | Port number for ssh traffic | `22` | | `service.ssh.port` | Port number for ssh traffic | `22` |
| `service.ssh.clusterIP` | ClusterIP setting for ssh autosetup for deployment is None | `None` | | `service.ssh.clusterIP` | ClusterIP setting for ssh autosetup for deployment is None | `None` |
@ -985,20 +698,19 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
| `service.ssh.hostPort` | HostPort for ssh service | `nil` | | `service.ssh.hostPort` | HostPort for ssh service | `nil` |
| `service.ssh.loadBalancerSourceRanges` | Source range filter for ssh loadbalancer | `[]` | | `service.ssh.loadBalancerSourceRanges` | Source range filter for ssh loadbalancer | `[]` |
| `service.ssh.annotations` | SSH service annotations | `{}` | | `service.ssh.annotations` | SSH service annotations | `{}` |
| `service.ssh.labels` | SSH service additional labels | `{}` |
| `service.ssh.loadBalancerClass` | Loadbalancer class | `nil` |
### Ingress ### Ingress
| Name | Description | Value | | Name | Description | Value |
| -------------------------------- | ------------------------------- | ----------------- | | ------------------------------------ | --------------------------------------------------------------------------- | ----------------- |
| `ingress.enabled` | Enable ingress | `false` | | `ingress.enabled` | Enable ingress | `false` |
| `ingress.className` | DEPRECATED: Ingress class name. | `""` | | `ingress.className` | Ingress class name | `nil` |
| `ingress.pathType` | Ingress Path Type | `Prefix` | | `ingress.annotations` | Ingress annotations | `{}` |
| `ingress.annotations` | Ingress annotations | `{}` | | `ingress.hosts[0].host` | Default Ingress host | `git.example.com` |
| `ingress.hosts[0].host` | Default Ingress host | `git.example.com` | | `ingress.hosts[0].paths[0].path` | Default Ingress path | `/` |
| `ingress.hosts[0].paths[0].path` | Default Ingress path | `/` | | `ingress.hosts[0].paths[0].pathType` | Ingress path type | `Prefix` |
| `ingress.tls` | Ingress tls settings | `[]` | | `ingress.tls` | Ingress tls settings | `[]` |
| `ingress.apiVersion` | Specify APIVersion of ingress object. Mostly would only be used for argocd. | |
### deployment ### deployment
@ -1030,34 +742,31 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
### Persistence ### Persistence
| Name | Description | Value | | Name | Description | Value |
| ------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ---------------------- | | ---------------------------- | ----------------------------------------------------------------------------------------------------- | ---------------------- |
| `persistence.enabled` | Enable persistent storage | `true` | | `persistence.enabled` | Enable persistent storage | `true` |
| `persistence.create` | Whether to create the persistentVolumeClaim for shared storage | `true` | | `persistence.create` | Whether to create the persistentVolumeClaim for shared storage | `true` |
| `persistence.mount` | Whether the persistentVolumeClaim should be mounted (even if not created) | `true` | | `persistence.mount` | Whether the persistentVolumeClaim should be mounted (even if not created) | `true` |
| `persistence.claimName` | Use an existing claim to store repository information | `gitea-shared-storage` | | `persistence.claimName` | Use an existing claim to store repository information | `gitea-shared-storage` |
| `persistence.size` | Size for persistence to store repo information | `10Gi` | | `persistence.size` | Size for persistence to store repo information | `10Gi` |
| `persistence.accessModes` | AccessMode for persistence | `["ReadWriteOnce"]` | | `persistence.accessModes` | AccessMode for persistence | `["ReadWriteOnce"]` |
| `persistence.labels` | Labels for the persistence volume claim to be created | `{}` | | `persistence.labels` | Labels for the persistence volume claim to be created | `{}` |
| `persistence.annotations.helm.sh/resource-policy` | Resource policy for the persistence volume claim | `keep` | | `persistence.annotations` | Annotations for the persistence volume claim to be created | `{}` |
| `persistence.storageClass` | Name of the storage class to use | `nil` | | `persistence.storageClass` | Name of the storage class to use | `nil` |
| `persistence.subPath` | Subdirectory of the volume to mount at | `nil` | | `persistence.subPath` | Subdirectory of the volume to mount at | `nil` |
| `persistence.volumeName` | Name of persistent volume in PVC | `""` | | `extraVolumes` | Additional volumes to mount to the Gitea deployment | `[]` |
| `extraContainers` | Additional sidecar containers to run in the pod | `[]` | | `extraContainerVolumeMounts` | Mounts that are only mapped into the Gitea runtime/main container, to e.g. override custom templates. | `[]` |
| `extraVolumes` | Additional volumes to mount to the Gitea deployment | `[]` | | `extraInitVolumeMounts` | Mounts that are only mapped into the init-containers. Can be used for additional preconfiguration. | `[]` |
| `extraContainerVolumeMounts` | Mounts that are only mapped into the Gitea runtime/main container, to e.g. override custom templates. | `[]` | | `extraVolumeMounts` | **DEPRECATED** Additional volume mounts for init containers and the Gitea main container | `[]` |
| `extraInitVolumeMounts` | Mounts that are only mapped into the init-containers. Can be used for additional preconfiguration. | `[]` |
| `extraVolumeMounts` | **DEPRECATED** Additional volume mounts for init containers and the Gitea main container | `[]` |
### Init ### Init
| Name | Description | Value | | Name | Description | Value |
| ------------------------------------------ | ------------------------------------------------------------------------------------ | ------------ | | ------------------------------------------ | ------------------------------------------------------------------------------------ | ------- |
| `initPreScript` | Bash shell script copied verbatim to the start of the init-container. | `""` | | `initPreScript` | Bash shell script copied verbatim to the start of the init-container. | `""` |
| `initContainersScriptsVolumeMountPath` | Path to mount the scripts consumed from the Secrets | `/usr/sbinx` | | `initContainers.resources.limits` | initContainers.limits Kubernetes resource limits for init containers | `{}` |
| `initContainers.resources.limits` | initContainers.limits Kubernetes resource limits for init containers | `{}` | | `initContainers.resources.requests.cpu` | initContainers.requests.cpu Kubernetes cpu resource limits for init containers | `100m` |
| `initContainers.resources.requests.cpu` | initContainers.requests.cpu Kubernetes cpu resource limits for init containers | `100m` | | `initContainers.resources.requests.memory` | initContainers.requests.memory Kubernetes memory resource limits for init containers | `128Mi` |
| `initContainers.resources.requests.memory` | initContainers.requests.memory Kubernetes memory resource limits for init containers | `128Mi` |
### Signing ### Signing
@ -1065,34 +774,27 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
| ------------------------ | ----------------------------------------------------------------- | ------------------ | | ------------------------ | ----------------------------------------------------------------- | ------------------ |
| `signing.enabled` | Enable commit/action signing | `false` | | `signing.enabled` | Enable commit/action signing | `false` |
| `signing.gpgHome` | GPG home directory | `/data/git/.gnupg` | | `signing.gpgHome` | GPG home directory | `/data/git/.gnupg` |
| `signing.privateKey` | Inline private gpg key for signed internal Git activity | `""` | | `signing.privateKey` | Inline private gpg key for signed Gitea actions | `""` |
| `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""` | | `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""` |
### Gitea ### Gitea
| Name | Description | Value | | Name | Description | Value |
| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | -------------------- | | -------------------------------------- | ------------------------------------------------------------------------- | -------------------- |
| `gitea.admin.username` | Username for the Gitea admin user | `gitea_admin` | | `gitea.admin.username` | Username for the Gitea admin user | `gitea_admin` |
| `gitea.admin.existingSecret` | Use an existing secret to store admin user credentials | `nil` | | `gitea.admin.existingSecret` | Use an existing secret to store admin user credentials | `nil` |
| `gitea.admin.password` | Password for the Gitea admin user | `r8sA8CPHD9!bt6d` | | `gitea.admin.password` | Password for the Gitea admin user | `r8sA8CPHD9!bt6d` |
| `gitea.admin.email` | Email for the Gitea admin user | `gitea@local.domain` | | `gitea.admin.email` | Email for the Gitea admin user | `gitea@local.domain` |
| `gitea.admin.passwordMode` | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated | `keepUpdated` | | `gitea.metrics.enabled` | Enable Gitea metrics | `false` |
| `gitea.metrics.enabled` | Enable Gitea metrics | `false` | | `gitea.metrics.serviceMonitor.enabled` | Enable Gitea metrics service monitor | `false` |
| `gitea.metrics.token` | used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public. | `nil` | | `gitea.ldap` | LDAP configuration | `[]` |
| `gitea.metrics.serviceMonitor.enabled` | Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. | `false` | | `gitea.oauth` | OAuth configuration | `[]` |
| `gitea.metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. | `""` | | `gitea.config.server.SSH_PORT` | SSH port for rootlful Gitea image | `22` |
| `gitea.metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping. | `[]` | | `gitea.config.server.SSH_LISTEN_PORT` | SSH port for rootless Gitea image | `2222` |
| `gitea.metrics.serviceMonitor.scheme` | HTTP scheme to use for scraping. For example `http` or `https`. Default is http. | `""` | | `gitea.additionalConfigSources` | Additional configuration from secret or configmap | `[]` |
| `gitea.metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used. | `""` | | `gitea.additionalConfigFromEnvs` | Additional configuration sources from environment variables | `[]` |
| `gitea.metrics.serviceMonitor.tlsConfig` | TLS configuration to use when scraping the metric endpoint by Prometheus. | `{}` | | `gitea.podAnnotations` | Annotations for the Gitea pod | `{}` |
| `gitea.ldap` | LDAP configuration | `[]` | | `gitea.ssh.logLevel` | Configure OpenSSH's log level. Only available for root-based Gitea image. | `INFO` |
| `gitea.oauth` | OAuth configuration | `[]` |
| `gitea.config.server.SSH_PORT` | SSH port for rootlful Gitea image | `22` |
| `gitea.config.server.SSH_LISTEN_PORT` | SSH port for rootless Gitea image | `2222` |
| `gitea.additionalConfigSources` | Additional configuration from secret or configmap | `[]` |
| `gitea.additionalConfigFromEnvs` | Additional configuration sources from environment variables | `[]` |
| `gitea.podAnnotations` | Annotations for the Gitea pod | `{}` |
| `gitea.ssh.logLevel` | Configure OpenSSH's log level. Only available for root-based Gitea image. | `INFO` |
### LivenessProbe ### LivenessProbe
@ -1130,45 +832,25 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
| `gitea.startupProbe.successThreshold` | Success threshold for startup probe | `1` | | `gitea.startupProbe.successThreshold` | Success threshold for startup probe | `1` |
| `gitea.startupProbe.failureThreshold` | Failure threshold for startup probe | `10` | | `gitea.startupProbe.failureThreshold` | Failure threshold for startup probe | `10` |
### valkey-cluster ### redis-cluster
Valkey cluster and [Valkey](#valkey) cannot be enabled at the same time. | Name | Description | Value |
| ------------------------------------- | ---------------------------------------------------- | ------- |
| `redis-cluster.enabled` | Enable redis | `true` |
| `redis-cluster.global.redis.password` | Password for the "Gitea" user (overrides `password`) | `gitea` |
| Name | Description | Value | ### PostgreSQL-ha
| ------------------------------------- | -------------------------------------------------------------------- | ------- |
| `valkey-cluster.enabled` | Enable valkey cluster | `true` |
| `valkey-cluster.usePassword` | Whether to use password authentication | `false` |
| `valkey-cluster.usePasswordFiles` | Whether to mount passwords as files instead of environment variables | `false` |
| `valkey-cluster.cluster.nodes` | Number of valkey cluster master nodes | `3` |
| `valkey-cluster.cluster.replicas` | Number of valkey cluster master node replicas | `0` |
| `valkey-cluster.service.ports.valkey` | Port of Valkey service | `6379` |
### valkey | Name | Description | Value |
| -------------------------------------------------- | ---------------------------------------------------------------- | ---------- |
Valkey and [Valkey cluster](#valkey-cluster) cannot be enabled at the same time. | `postgresql-ha.enabled` | Enable PostgreSQL-ha | `true` |
| `postgresql-ha.global.postgresql.password` | Password for the `gitea` user (overrides `auth.password`) | `gitea` |
| Name | Description | Value | | `postgresql-ha.global.postgresql.database` | Name for a custom database to create (overrides `auth.database`) | `gitea` |
| ------------------------------------ | ------------------------------------------- | ------------ | | `postgresql-ha.global.postgresql.username` | Name for a custom user to create (overrides `auth.username`) | `gitea` |
| `valkey.enabled` | Enable valkey standalone or replicated | `false` | | `postgresql-ha.global.postgresql.postgresPassword` | Postgres Password | `changeme` |
| `valkey.architecture` | Whether to use standalone or replication | `standalone` | | `postgresql-ha.global.postgresql.repmgrPassword` | Repmgr Password | `changeme` |
| `valkey.global.valkey.password` | Required password | `changeme` | | `postgresql-ha.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `5432` |
| `valkey.master.count` | Number of Valkey master instances to deploy | `1` | | `postgresql-ha.primary.persistence.size` | PVC Storage Request for PostgreSQL-ha volume | `10Gi` |
| `valkey.master.service.ports.valkey` | Port of Valkey service | `6379` |
### PostgreSQL HA
| Name | Description | Value |
| ------------------------------------------- | ---------------------------------------------------------------- | ----------- |
| `postgresql-ha.enabled` | Enable PostgreSQL HA | `true` |
| `postgresql-ha.postgresql.password` | Password for the `gitea` user (overrides `auth.password`) | `changeme4` |
| `postgresql-ha.global.postgresql.database` | Name for a custom database to create (overrides `auth.database`) | `gitea` |
| `postgresql-ha.global.postgresql.username` | Name for a custom user to create (overrides `auth.username`) | `gitea` |
| `postgresql-ha.global.postgresql.password` | Name for a custom password to create (overrides `auth.password`) | `gitea` |
| `postgresql-ha.postgresql.repmgrPassword` | Repmgr Password | `changeme2` |
| `postgresql-ha.postgresql.postgresPassword` | postgres Password | `changeme1` |
| `postgresql-ha.pgpool.adminPassword` | pgpool adminPassword | `changeme3` |
| `postgresql-ha.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `5432` |
| `postgresql-ha.persistence.size` | PVC Storage Request for PostgreSQL HA volume | `10Gi` |
### PostgreSQL ### PostgreSQL
@ -1205,77 +887,6 @@ If you miss this, blindly upgrading may delete your Postgres instance and you ma
<details> <details>
<summary>To 12.0.0</summary>
<!-- prettier-ignore-start -->
<!-- markdownlint-disable-next-line -->
**Breaking changes**
<!-- prettier-ignore-end -->
- Outsourced "Actions" related configuration.
To deploy and use "Actions", please see the new dedicated chart at <https://gitea.com/gitea/helm-actions>.
It is maintained by a seperate maintainer group and hasn't seen a release yet (at the time of the 12.0 release).
Feel encouraged to contribute if "Actions" is important to you!
This change was made to avoid overloading the existing helm chart, which is already quite large in size and configuration options.
In addition, the existing maintainers team was not actively using "Actions" which slowed down development and community contributions.
While the new chart is still young (and waiting for contributions! and maintainers), we believe that it is the best way moving forward for both parts.
- Migrated from Redis/Redis-cluster to Valkey/Valkey-cluster charts (#775).
While marked as breaking, there is no need to migrate data.
The cache will start to refill automatically.
- Migrated ingress from `networking.k8s.io/v1beta` to `networking.k8s.io/v1`.
We didn't make any changes to the syntax, so the upgrade should be seamless.
</details>
<details>
<summary>To 11.0.0</summary>
<!-- prettier-ignore-start -->
<!-- markdownlint-disable-next-line -->
**Breaking changes**
<!-- prettier-ignore-end -->
- Update Gitea to 1.23.x (review the [1.23 release blog post](https://blog.gitea.com/release-of-1.23.0/) for all application breaking changes)
- Update PostgreSQL sub-chart dependencies to appVersion 17.x
- Update Redis sub-chart to version 20.x (appVersion 7.4)
Although there are no breaking changes in the Redis Chart itself, it updates Redis from `7.2` to `7.4`. We recommend checking the release notes:
- [Redis Chart release notes (starting with v20.0.0)](https://github.com/bitnami/charts/blob/HEAD/bitnami/redis/CHANGELOG.md#2000-2024-08-09).
- [Redis 7.4 release notes](https://raw.githubusercontent.com/redis/redis/7.4/00-RELEASENOTES).
- Update Redis Cluster sub-chart to version 11.x (appVersion 7.4)
Although there are no breaking changes in the Redis Chart itself, it updates Redis from `7.2` to `7.4`. We recommend checking the release notes:
- [Redis Chart release notes (starting with v11.0.0)](https://github.com/bitnami/charts/blob/HEAD/bitnami/redis-cluster/CHANGELOG.md#1100-2024-08-09).
- [Redis 7.4 release notes](https://raw.githubusercontent.com/redis/redis/7.4/00-RELEASENOTES).
</details>
<details>
<summary>To 10.0.0</summary>
<!-- prettier-ignore-start -->
<!-- markdownlint-disable-next-line -->
**Breaking changes**
<!-- prettier-ignore-end -->
- Update PostgreSQL sub-chart dependencies to appVersion 16.x
- Update to sub-charts versioning approach: Users are encouraged to pin the version tag of the sub-chart dependencies to a major appVersion.
This avoids issues during chart upgrades and allows to incorporate new sub-chart versions as they are released.
Please see the new [README section describing the versioning approach for sub-chart versions](#dependency-versioning).
</details>
<details>
<summary>To 9.6.0</summary>
Chart 9.6.0 ships with Gitea 1.21.0.
While there are no breaking changes in the chart, please check the changes of the [1.21 release blog post](https://blog.gitea.com/release-of-1.21.0/).
</details>
<details>
<summary>To 9.0.0</summary> <summary>To 9.0.0</summary>
This chart release comes with many breaking changes while aiming for a HA-ready setup. This chart release comes with many breaking changes while aiming for a HA-ready setup.
@ -1317,37 +928,25 @@ The first item here (`<memcache service name>`) will be different compared to th
The above changes are motivated by the idea to tidy dependencies but also have HA-ready ones at the same time. The above changes are motivated by the idea to tidy dependencies but also have HA-ready ones at the same time.
The previous `memcache` default was not HA-ready, hence we decided to switch to `redis-cluster` by default. The previous `memcache` default was not HA-ready, hence we decided to switch to `redis-cluster` by default.
If you are coming from an existing deployment and [#356](https://gitea.com/gitea/helm-gitea/issues/356) is still open, you need to set the config sections for `cache`, `session` and `queue` explicitly: If you are coming from an existing deployment and [#356](https://gitea.com/gitea/helm-chart/issues/356) is still open, you need to set the config sections for `cache`, `session` and `queue` explicitly:
```yaml ```yaml
gitea:
config:
session: session:
PROVIDER: redis-cluster PROVIDER: redis
PROVIDER_CONFIG: redis+cluster://:gitea@gitea-valkey-cluster-headless.<namespace>.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s& PROVIDER_CONFIG: redis+cluster://:gitea@gitea-redis-cluster-headless.<namespace>.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
cache: cache:
ENABLED: true ENABLED: true
ADAPTER: redis-cluster ADAPTER: redis
HOST: redis+cluster://:gitea@gitea-valkey-cluster-headless.<namespace>.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s& HOST: redis+cluster://:gitea@gitea-redis-cluster-headless.<namespace>.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
queue: queue:
TYPE: redis TYPE: redis
CONN_STR: redis+cluster://:gitea@gitea-valkey-cluster-headless.<namespace>.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s& CONN_STR: redis+cluster://:gitea@gitea-redis-cluster-headless.<namespace>.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
``` ```
<!-- prettier-ignore-start -->
<!-- markdownlint-disable-next-line -->
**Switch to rootless image by default**
<!-- prettier-ignore-end -->
If you are facing errors like `WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED` due to this automatic transition:
Have a look at [this discussion](https://gitea.com/gitea/helm-gitea/issues/487#issue-220660) and either set `image.rootless: false` or manually update your `~/.ssh/known_hosts` file(s).
<!-- prettier-ignore-start -->
<!-- markdownlint-disable-next-line --> <!-- markdownlint-disable-next-line -->
**Transitioning from a RWO to RWX Persistent Volume** **Transitioning from a RWO to RWX Persistent Volume**
<!-- prettier-ignore-end -->
If you want to switch to a RWX volume and go for HA, you need to If you want to switch to a RWX volume and go for HA, you need to
@ -1355,10 +954,8 @@ If you want to switch to a RWX volume and go for HA, you need to
2. Let the chart create a new RWX PV (or do it statically yourself) 2. Let the chart create a new RWX PV (or do it statically yourself)
3. Restore the backup to the same location in the new PV 3. Restore the backup to the same location in the new PV
<!-- prettier-ignore-start -->
<!-- markdownlint-disable-next-line --> <!-- markdownlint-disable-next-line -->
**Transitioning from Postgres to Postgres HA** **Transitioning from Postgres to Postgres HA**
<!-- prettier-ignore-end -->
If you are running with a non-HA PG DB from a previous chart release, you need to set If you are running with a non-HA PG DB from a previous chart release, you need to set
@ -1367,10 +964,8 @@ If you are running with a non-HA PG DB from a previous chart release, you need t
This is needed to stay with your existing single-instance DB (as the HA-variant is the new default). This is needed to stay with your existing single-instance DB (as the HA-variant is the new default).
<!-- prettier-ignore-start -->
<!-- markdownlint-disable-next-line --> <!-- markdownlint-disable-next-line -->
**Change of env-to-ini prefix** **Change of env-to-ini prefix**
<!-- prettier-ignore-end -->
Before this release, the env-to-ini prefix was `ENV_TO_INI__`. Before this release, the env-to-ini prefix was `ENV_TO_INI__`.
This allowed a clear distinction between user-provided and chart-provided env-to-ini variables. This allowed a clear distinction between user-provided and chart-provided env-to-ini variables.
@ -1398,7 +993,7 @@ With respect to `values.yaml`, parameters `username`, `database` and `password`
Please adjust your `values.yaml` accordingly. Please adjust your `values.yaml` accordingly.
**Attention**: The Postgres upgrade is not automatically handled by the chart and must be done by yourself. **Attention**: The Postgres upgrade is not automatically handled by the chart and must be done by yourself.
See [this comment](https://gitea.com/gitea/helm-gitea/issues/452#issuecomment-740885) for an extensive walkthrough. See [this comment](https://gitea.com/gitea/helm-chart/issues/452#issuecomment-740885) for an extensive walkthrough.
We again highly encourage users to use an external (managed) database for production instances. We again highly encourage users to use an external (managed) database for production instances.
</details> </details>

35
docs/ha-setup.md
View File

@ -1,5 +1,7 @@
# High Availability # High Availability
⚠️ **EXPERIMENTAL** ⚠️
All components (in-memory DB, volume/asset storage, code indexer) used by Gitea must be deployed in a HA-ready fashion to achieve a full HA-ready Gitea deployment. All components (in-memory DB, volume/asset storage, code indexer) used by Gitea must be deployed in a HA-ready fashion to achieve a full HA-ready Gitea deployment.
The following document explains how to achieve this for all individual components. The following document explains how to achieve this for all individual components.
@ -25,7 +27,7 @@ In addition, the following components are required for full HA-readiness:
- A HA-ready issue (and optionally code) indexer: `elasticsearch` or `meilisearch` - A HA-ready issue (and optionally code) indexer: `elasticsearch` or `meilisearch`
- A HA-ready external object/asset storage (`minio`) (optional, assets can also be stored on the RWX file-system) - A HA-ready external object/asset storage (`minio`) (optional, assets can also be stored on the RWX file-system)
- A HA-ready cache (`valkey-cluster`) - A HA-ready cache (`redis-cluster`)
- A HA-ready DB - A HA-ready DB
`postgres.enabled`, which default to `true`, must be set to `false` for a HA setup. `postgres.enabled`, which default to `true`, must be set to `false` for a HA setup.
@ -72,33 +74,28 @@ persistence:
## Cache, session and queue ## Cache, session and queue
A `valkey` instance is required for the in-memory cache. A `redis` instance is required for the in-memory cache.
Two options exist: Two options exist:
- `valkey` - `redis`
- `valkey-cluster` - `redis-cluster`
The chart provides `valkey-cluster` as a dependency as this one can be used for both HA and non-HA setups. The chart provides `redis-cluster` as a dependency as this one can be used for both HA and non-HA setups.
You're also welcome to go with `valkey` if you prefer or already have a running instance. You're also welcome to go with `redis` if you prefer or already have a running instance.
It should be noted that `valkey-cluster` support is only available starting with Gitea 1.19.2. It should be noted that `redis-cluster` support is only available starting with Gitea 1.19.2.
You can also configure an external (managed) `valkey` instance to be used. You can also configure an external (managed) `redis` instance to be used.
To do so, you need to set the following configuration values yourself: To do so, you need to set the following configuration values yourself:
- `gitea.config.queue.TYPE`: valkey` - `gitea.config.queue.TYPE`: redis`
- `gitea.config.queue.CONN_STR`: `<your valkey connection string>` - `gitea.config.queue.CONN_STR`: `<your redis connection string>`
- `gitea.config.session.PROVIDER`: `valkey` - `gitea.config.session.PROVIDER`: `redis`
- `gitea.config.session.PROVIDER_CONFIG`: `<your valkey connection string>` - `gitea.config.session.PROVIDER_CONFIG`: `<your redis connection string>`
- `gitea.config.cache.ENABLED`: `true` - `gitea.config.cache.ENABLED`: `true`
- `gitea.config.cache.ADAPTER`: `valkey` - `gitea.config.cache.ADAPTER`: `redis`
- `gitea.config.cache.HOST`: `<your valkey connection string>` - `gitea.config.cache.HOST`: `<your redis connection string>`
By default, the `valkey-cluster` chart provisions three standalone master nodes of which each has a single replica.
To reduce the number of pods for a default Gitea deployment, we opted to omit the replicas (`replicas: 0`) by default.
Only the minimum required number of master pods for a functional `valkey-cluster` deployment are provisioned.
For a "proper" `valkey-cluster` setup however, we recommend to set `replicas: 1` and `nodes: 6`.
## Object and asset storage ## Object and asset storage

1118
package-lock.json generated
View File

File diff suppressed because it is too large Load Diff

8
package.json
View File

@ -1,6 +1,6 @@
{ {
"name": "gitea-helm", "name": "gitea-helm-chart",
"homepage": "https://gitea.com/gitea/helm-gitea.git", "homepage": "https://gitea.com/gitea/helm-chart.git",
"license": "MIT", "license": "MIT",
"private": true, "private": true,
"engineStrict": true, "engineStrict": true,
@ -14,6 +14,6 @@
}, },
"devDependencies": { "devDependencies": {
"@bitnami/readme-generator-for-helm": "^2.5.0", "@bitnami/readme-generator-for-helm": "^2.5.0",
"markdownlint-cli": "^0.44.0" "markdownlint-cli": "^0.34.0"
} }
} }

124
renovate.json5
View File

@ -1,124 +0,0 @@
{
$schema: 'https://docs.renovatebot.com/renovate-schema.json',
extends: [
'gitea>gitea/renovate-config',
':automergeMinor',
'schedule:automergeDaily',
'schedule:weekends',
],
labels: [
'kind/dependency',
],
digest: {
automerge: true,
},
automergeStrategy: 'squash',
'git-submodules': {
enabled: true,
},
customManagers: [
{
description: 'Gitea-version of https://docs.renovatebot.com/presets-regexManagers/#regexmanagersgithubactionsversions',
customType: 'regex',
managerFilePatterns: [
'/.gitea/workflows/.+\\.ya?ml$/',
],
matchStrings: [
'# renovate: datasource=(?<datasource>[a-z-.]+?) depName=(?<depName>[^\\s]+?)(?: (?:lookupName|packageName)=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[a-z-0-9]+?))?\\s+[A-Za-z0-9_]+?_VERSION\\s*:\\s*["\']?(?<currentValue>.+?)["\']?\\s',
],
},
{
description: 'Detect helm-unittest yaml schema file',
customType: 'regex',
managerFilePatterns: [
'/.vscode/settings\\.json$/',
],
matchStrings: [
'https:\\/\\/raw\\.githubusercontent\\.com\\/(?<depName>[^\\s]+?)\\/(?<currentValue>v[0-9.]+?)\\/schema\\/helm-testsuite\\.json',
],
datasourceTemplate: 'github-releases',
},
{
description: 'Automatically detect new Gitea releases',
customType: 'regex',
managerFilePatterns: [
'/(^|/)Chart\\.yaml$/',
],
matchStrings: [
'# renovate datasource=(?<datasource>\\S+) depName=(?<depName>\\S+) extractVersion=(?<extractVersion>\\S+)\\nappVersion:\\s?(?<currentValue>\\S+)\\n',
],
},
],
packageRules: [
{
groupName: 'subcharts (minor & patch)',
matchManagers: [
'helmv3',
],
matchUpdateTypes: [
'minor',
'patch',
'digest',
],
},
{
groupName: 'bats testing framework',
matchManagers: [
'git-submodules',
],
matchUpdateTypes: [
'minor',
'patch',
'digest',
],
},
{
groupName: 'workflow dependencies (minor & patch)',
matchManagers: [
'github-actions',
'npm',
'custom.regex',
],
matchUpdateTypes: [
'minor',
'patch',
'digest',
],
matchFileNames: [
'!Chart.yaml',
],
},
{
description: 'Update README.md on changes in values.yaml',
matchManagers: [
'helm-values',
],
postUpgradeTasks: {
commands: [
'install-tool node',
'make readme',
],
fileFilters: [
'README.md',
],
executionMode: 'update',
},
},
{
description: 'Override changelog url for Helm image, to have release notes in our PRs',
matchDepNames: [
'alpine/helm',
],
changelogUrl: 'https://github.com/helm/helm',
},
{
description: 'Bump Gitea as fast as possible - not only on weekends',
matchDepNames: [
'go-gitea/gitea',
],
schedule: [
'at any time',
],
},
],
}

43
scripts/act_runner/token.sh
View File

@ -1,43 +0,0 @@
#!/bin/sh
set -eu
timeout_delay=15
check_token() {
set +e
echo "Checking for existing token..."
token="$(kubectl get secret "$SECRET_NAME" -o jsonpath="{.data['token']}" 2> /dev/null)"
[ $? -ne 0 ] && return 1
[ -z "$token" ] && return 2
return 0
}
create_token() {
echo "Waiting for new token to be generated..."
begin=$(date +%s)
end=$((begin + timeout_delay))
while true; do
[ -f /data/actions/token ] && return 0
[ "$(date +%s)" -gt $end ] && return 1
sleep 5
done
}
store_token() {
echo "Storing the token in Kubernetes secret..."
kubectl patch secret "$SECRET_NAME" -p "{\"data\":{\"token\":\"$(base64 /data/actions/token | tr -d '\n')\"}}"
}
if check_token; then
echo "Key already in place, exiting."
exit
fi
if ! create_token; then
echo "Checking for an existing act runner token in secret $SECRET_NAME timed out after $timeout_delay"
exit 1
fi
store_token

154
scripts/init-containers/config/config_environment.sh
View File

@ -1,154 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
function env2ini::log() {
printf "${1}\n"
}
function env2ini::read_config_to_env() {
local section="${1}"
local line="${2}"
if [[ -z "${line}" ]]; then
# skip empty line
return
fi
# 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
if [[ -z "${setting}" ]]; then
env2ini::log ' ! invalid setting'
exit 1
fi
local value=''
local regex="^${setting}(\s*)=(\s*)(.*)"
if [[ $line =~ $regex ]]; then
value="${BASH_REMATCH[3]}"
else
env2ini::log ' ! invalid setting'
exit 1
fi
env2ini::log " + '${setting}'"
if [[ -z "${section}" ]]; then
export "GITEA____${setting^^}=${value}" # '^^' makes the variable content uppercase
return
fi
local masked_section="${section//./_0X2E_}" # '//' instructs to replace all matches
masked_section="${masked_section//-/_0X2D_}"
export "GITEA__${masked_section^^}__${setting^^}=${value}" # '^^' makes the variable content uppercase
}
function env2ini::reload_preset_envs() {
env2ini::log "Reloading preset envs..."
while read -r line; do
if [[ -z "${line}" ]]; then
# skip empty line
return
fi
# 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
if [[ -z "${setting}" ]]; then
env2ini::log ' ! invalid setting'
exit 1
fi
local value=''
local regex="^${setting}(\s*)=(\s*)(.*)"
if [[ $line =~ $regex ]]; then
value="${BASH_REMATCH[3]}"
else
env2ini::log ' ! invalid setting'
exit 1
fi
env2ini::log " + '${setting}'"
export "${setting^^}=${value}" # '^^' makes the variable content uppercase
done < "$TMP_EXISTING_ENVS_FILE"
rm $TMP_EXISTING_ENVS_FILE
}
function env2ini::process_config_file() {
local config_file="${1}"
local section="$(basename "${config_file}")"
if [[ $section == '_generals_' ]]; then
env2ini::log " [ini root]"
section=''
else
env2ini::log " ${section}"
fi
while read -r line; do
env2ini::read_config_to_env "${section}" "${line}"
done < <(awk 1 "${config_file}") # Helm .toYaml trims the trailing new line which breaks line processing; awk 1 ... adds it back while reading
}
function env2ini::load_config_sources() {
local path="${1}"
if [[ -d "${path}" ]]; then
env2ini::log "Processing $(basename "${path}")..."
while read -d '' configFile; do
env2ini::process_config_file "${configFile}"
done < <(find "${path}" -type l -not -name '..data' -print0)
env2ini::log "\n"
fi
}
function env2ini::generate_initial_secrets() {
# These environment variables will either be
# - overwritten with user defined values,
# - initially used to set up Gitea
# Anyway, they won't harm existing app.ini files
export GITEA__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
export GITEA__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
export GITEA__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
export GITEA__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
env2ini::log "...Initial secrets generated\n"
}
# save existing envs prior to script execution. Necessary to keep order of preexisting and custom envs
env | (grep -e '^GITEA__' || [[ $? == 1 ]]) > $TMP_EXISTING_ENVS_FILE
# MUST BE CALLED BEFORE OTHER CONFIGURATION
env2ini::generate_initial_secrets
env2ini::load_config_sources "$ENV_TO_INI_MOUNT_POINT/inlines/"
env2ini::load_config_sources "$ENV_TO_INI_MOUNT_POINT/additionals/"
# load existing envs to override auto generated envs
env2ini::reload_preset_envs
env2ini::log "=== All configuration sources loaded ===\n"
# safety to prevent rewrite of secret keys if an app.ini already exists
if [ -f ${GITEA_APP_INI} ]; then
env2ini::log 'An app.ini file already exists. To prevent overwriting secret keys, these settings are dropped and remain unchanged:'
env2ini::log ' - security.INTERNAL_TOKEN'
env2ini::log ' - security.SECRET_KEY'
env2ini::log ' - oauth2.JWT_SECRET'
env2ini::log ' - server.LFS_JWT_SECRET'
unset GITEA__SECURITY__INTERNAL_TOKEN
unset GITEA__SECURITY__SECRET_KEY
unset GITEA__OAUTH2__JWT_SECRET
unset GITEA__SERVER__LFS_JWT_SECRET
fi
environment-to-ini -o $GITEA_APP_INI

4
scripts/init-containers/init/configure_gpg_environment.sh
View File

@ -1,4 +0,0 @@
#!/usr/bin/env bash
set -eu
gpg --batch --import "$TMP_RAW_GPG_KEY"

16
templates/NOTES.txt
View File

@ -18,19 +18,3 @@
echo "Visit http://127.0.0.1:{{ .Values.service.http.port }} to use your application" echo "Visit http://127.0.0.1:{{ .Values.service.http.port }} to use your application"
kubectl --namespace {{ .Release.Namespace }} port-forward svc/{{ .Release.Name }}-http {{ .Values.service.http.port }}:{{ .Values.service.http.port }} kubectl --namespace {{ .Release.Namespace }} port-forward svc/{{ .Release.Name }}-http {{ .Values.service.http.port }}:{{ .Values.service.http.port }}
{{- end }} {{- end }}
{{- $warnings := list -}}
{{- if eq (get .Values.gitea.config.cache "ADAPTER") "memory" -}}
{{- $warnings = append $warnings "Gitea uses 'memory' for caching which is not recommended for production use. See https://docs.gitea.com/next/administration/config-cheat-sheet#cache-cache for available options." -}}
{{- end }}
{{- if eq (get .Values.gitea.config.queue "TYPE") "level" -}}
{{- $warnings = append $warnings "Gitea uses 'leveldb' for queue actions which is not recommended for production use. See https://docs.gitea.com/next/administration/config-cheat-sheet#queue-queue-and-queue for available options." -}}
{{- end }}
{{- if eq (get .Values.gitea.config.session "PROVIDER") "memory" -}}
{{- $warnings = append $warnings "Gitea uses 'memory' for sessions which is not recommended for production use. See https://docs.gitea.com/next/administration/config-cheat-sheet#session-session for available options." -}}
{{- end }}
{{- if gt (len $warnings) 0 }}
2. Review these warnings:
{{- range $warnings }}
- {{ . }}
{{- end }}
{{- end }}

204
templates/_helpers.tpl
View File

@ -3,6 +3,26 @@
Expand the name of the chart. Expand the name of the chart.
*/}} */}}
{{- /* multiple replicas assertions */ -}}
{{- if gt .Values.replicaCount 1.0 -}}
{{- fail "When using multiple replicas, a RWX file system is required" -}}
{{- if eq (get (.Values.persistence.accessModes 0) "ReadWriteOnce") -}}
{{- fail "When using multiple replicas, a RWX file system is required" -}}
{{- end }}
{{- if eq (get .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE") "bleve" -}}
{{- fail "When using multiple replicas, the repo indexer must be set to 'meilisearch' or 'elasticsearch'" -}}
{{- end }}
{{- if and (eq .Values.gitea.config.indexer.REPO_INDEXER_TYPE "bleve") (eq .Values.gitea.config.indexer.REPO_INDEXER_ENABLED "true") -}}
{{- fail "When using multiple replicas, the repo indexer must be set to 'meilisearch' or 'elasticsearch'" -}}
{{- end }}
{{- if eq .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE "bleve" -}}
{{- (printf "DEBUG: When using multiple replicas, the repo indexer must be set to 'meilisearch' or 'elasticsearch'") | fail -}}
{{- end }}
{{- end }}
{{- define "gitea.name" -}} {{- define "gitea.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}} {{- end -}}
@ -25,13 +45,6 @@ If release name contains chart name it will be used as a full name.
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{/*
Create a default worker name.
*/}}
{{- define "gitea.workername" -}}
{{- printf "%s-%s" .global.Release.Name .worker | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/* {{/*
Create chart name and version as used by the chart label. Create chart name and version as used by the chart label.
*/}} */}}
@ -43,22 +56,14 @@ Create chart name and version as used by the chart label.
Create image name and tag used by the deployment. Create image name and tag used by the deployment.
*/}} */}}
{{- define "gitea.image" -}} {{- define "gitea.image" -}}
{{- $fullOverride := .Values.image.fullOverride | default "" -}}
{{- $registry := .Values.global.imageRegistry | default .Values.image.registry -}} {{- $registry := .Values.global.imageRegistry | default .Values.image.registry -}}
{{- $repository := .Values.image.repository -}} {{- $name := .Values.image.repository -}}
{{- $separator := ":" -}} {{- $tag := .Values.image.tag | default .Chart.AppVersion -}}
{{- $tag := .Values.image.tag | default .Chart.AppVersion | toString -}}
{{- $rootless := ternary "-rootless" "" (.Values.image.rootless) -}} {{- $rootless := ternary "-rootless" "" (.Values.image.rootless) -}}
{{- $digest := "" -}} {{- if $registry -}}
{{- if .Values.image.digest }} {{- printf "%s/%s:%s%s" $registry $name $tag $rootless -}}
{{- $digest = (printf "@%s" (.Values.image.digest | toString)) -}}
{{- end -}}
{{- if $fullOverride }}
{{- printf "%s" $fullOverride -}}
{{- else if $registry }}
{{- printf "%s/%s%s%s%s%s" $registry $repository $separator $tag $rootless $digest -}}
{{- else -}} {{- else -}}
{{- printf "%s%s%s%s%s" $repository $separator $tag $rootless $digest -}} {{- printf "%s:%s%s" $name $tag $rootless -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
@ -81,7 +86,7 @@ imagePullSecrets:
Storage Class Storage Class
*/}} */}}
{{- define "gitea.persistence.storageClass" -}} {{- define "gitea.persistence.storageClass" -}}
{{- $storageClass := (tpl ( default "" .Values.persistence.storageClass) .) | default (tpl ( default "" .Values.global.storageClass) .) }} {{- $storageClass := .Values.global.storageClass | default .Values.persistence.storageClass }}
{{- if $storageClass }} {{- if $storageClass }}
storageClassName: {{ $storageClass | quote }} storageClassName: {{ $storageClass | quote }}
{{- end }} {{- end }}
@ -99,15 +104,6 @@ version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}} {{- end -}}
{{- define "gitea.labels.actRunner" -}}
helm.sh/chart: {{ include "gitea.chart" . }}
app: {{ include "gitea.name" . }}-act-runner
{{ include "gitea.selectorLabels.actRunner" . }}
app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/* {{/*
Selector labels Selector labels
*/}} */}}
@ -116,51 +112,30 @@ app.kubernetes.io/name: {{ include "gitea.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}} {{- end -}}
{{- define "gitea.selectorLabels.actRunner" -}}
app.kubernetes.io/name: {{ include "gitea.name" . }}-act-runner
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{- define "postgresql-ha.dns" -}}
{{- if (index .Values "postgresql-ha").enabled -}}
{{- printf "%s-postgresql-ha-pgpool.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}}
{{- end -}}
{{- end -}}
{{- define "postgresql.dns" -}} {{- define "postgresql.dns" -}}
{{- if (index .Values "postgresql").enabled -}} {{- printf "%s-postgresql-ha-postgresql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}}
{{- printf "%s-postgresql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.postgresql.global.postgresql.service.ports.postgresql -}} {{- end -}}
{{- define "redis.dns" -}}
{{- if (index .Values "redis-cluster").enabled -}}
{{- printf "redis+cluster://:%s@%s-redis-cluster-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "redis-cluster").global.redis.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "redis-cluster").service.ports.redis -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- define "valkey.dns" -}} {{- define "redis.port" -}}
{{- if and ((index .Values "valkey-cluster").enabled) ((index .Values "valkey").enabled) -}} {{- if (index .Values "redis-cluster").enabled -}}
{{- fail "valkey and valkey-cluster cannot be enabled at the same time. Please only choose one." -}} {{ (index .Values "redis-cluster").service.ports.redis }}
{{- else if (index .Values "valkey-cluster").enabled -}}
{{- printf "redis+cluster://:%s@%s-valkey-cluster-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "valkey-cluster").global.valkey.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "valkey-cluster").service.ports.valkey -}}
{{- else if (index .Values "valkey").enabled -}}
{{- printf "redis://:%s@%s-valkey-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "valkey").global.valkey.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "valkey").master.service.ports.valkey -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- define "valkey.port" -}} {{- define "redis.servicename" -}}
{{- if (index .Values "valkey-cluster").enabled -}} {{- if (index .Values "redis-cluster").enabled -}}
{{ (index .Values "valkey-cluster").service.ports.valkey }} {{- printf "%s-redis-cluster-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
{{- else if (index .Values "valkey").enabled -}}
{{ (index .Values "valkey").master.service.ports.valkey }}
{{- end -}}
{{- end -}}
{{- define "valkey.servicename" -}}
{{- if (index .Values "valkey-cluster").enabled -}}
{{- printf "%s-valkey-cluster-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
{{- else if (index .Values "valkey").enabled -}}
{{- printf "%s-valkey-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- define "gitea.default_domain" -}} {{- define "gitea.default_domain" -}}
{{- printf "%s-http.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain -}} {{- printf "%s-gitea.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain | trunc 63 | trimSuffix "-" -}}
{{- end -}} {{- end -}}
{{- define "gitea.ldap_settings" -}} {{- define "gitea.ldap_settings" -}}
@ -284,9 +259,6 @@ https
{{- if not (hasKey .Values.gitea.config "indexer") -}} {{- if not (hasKey .Values.gitea.config "indexer") -}}
{{- $_ := set .Values.gitea.config "indexer" dict -}} {{- $_ := set .Values.gitea.config "indexer" dict -}}
{{- end -}} {{- end -}}
{{- if not (hasKey .Values.gitea.config "actions") -}}
{{- $_ := set .Values.gitea.config "actions" dict -}}
{{- end -}}
{{- end -}} {{- end -}}
{{- define "gitea.inline_configuration.defaults" -}} {{- define "gitea.inline_configuration.defaults" -}}
@ -302,37 +274,24 @@ https
{{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}} {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
{{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}} {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
{{- end -}} {{- end -}}
{{- if and (not (hasKey .Values.gitea.config.metrics "TOKEN")) (.Values.gitea.metrics.token) (.Values.gitea.metrics.enabled) -}} {{- if (index .Values "redis-cluster").enabled -}}
{{- $_ := set .Values.gitea.config.metrics "TOKEN" .Values.gitea.metrics.token -}} {{- $_ := set .Values.gitea.config.cache "ENABLED" "true" -}}
{{- end -}}
{{- /* valkey queue */ -}}
{{- if or ((index .Values "valkey-cluster").enabled) ((index .Values "valkey").enabled) -}}
{{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}}
{{- $_ := set .Values.gitea.config.queue "CONN_STR" (include "valkey.dns" .) -}}
{{- $_ := set .Values.gitea.config.session "PROVIDER" "redis" -}}
{{- $_ := set .Values.gitea.config.session "PROVIDER_CONFIG" (include "valkey.dns" .) -}}
{{- $_ := set .Values.gitea.config.cache "ADAPTER" "redis" -}} {{- $_ := set .Values.gitea.config.cache "ADAPTER" "redis" -}}
{{- $_ := set .Values.gitea.config.cache "HOST" (include "valkey.dns" .) -}} {{- if not (.Values.gitea.config.cache.HOST) -}}
{{- else -}} {{- $_ := set .Values.gitea.config.cache "HOST" (include "redis.dns" .) -}}
{{- if not (get .Values.gitea.config.session "PROVIDER") -}}
{{- $_ := set .Values.gitea.config.session "PROVIDER" "memory" -}}
{{- end -}}
{{- if not (get .Values.gitea.config.session "PROVIDER_CONFIG") -}}
{{- $_ := set .Values.gitea.config.session "PROVIDER_CONFIG" "" -}}
{{- end -}}
{{- if not (get .Values.gitea.config.queue "TYPE") -}}
{{- $_ := set .Values.gitea.config.queue "TYPE" "level" -}}
{{- end -}}
{{- if not (get .Values.gitea.config.queue "CONN_STR") -}}
{{- $_ := set .Values.gitea.config.queue "CONN_STR" "" -}}
{{- end -}}
{{- if not (get .Values.gitea.config.cache "ADAPTER") -}}
{{- $_ := set .Values.gitea.config.cache "ADAPTER" "memory" -}}
{{- end -}}
{{- if not (get .Values.gitea.config.cache "HOST") -}}
{{- $_ := set .Values.gitea.config.cache "HOST" "" -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- /* redis queue */ -}}
{{- if (index .Values "redis-cluster").enabled -}}
{{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}}
{{- $_ := set .Values.gitea.config.queue "CONN_STR" (include "redis.dns" .) -}}
{{- end -}}
{{- if not (get .Values.gitea.config.session "PROVIDER") -}}
{{- $_ := set .Values.gitea.config.session "PROVIDER" "redis" -}}
{{- end -}}
{{- if not (get .Values.gitea.config.session "PROVIDER_CONFIG") -}}
{{- $_ := set .Values.gitea.config.session "PROVIDER_CONFIG" (include "redis.dns" .) -}}
{{- end -}}
{{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}} {{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}}
{{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}} {{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}}
{{- end -}} {{- end -}}
@ -347,7 +306,7 @@ https
{{- end -}} {{- end -}}
{{- if not (.Values.gitea.config.server.DOMAIN) -}} {{- if not (.Values.gitea.config.server.DOMAIN) -}}
{{- if gt (len .Values.ingress.hosts) 0 -}} {{- if gt (len .Values.ingress.hosts) 0 -}}
{{- $_ := set .Values.gitea.config.server "DOMAIN" ( tpl (index .Values.ingress.hosts 0).host $) -}} {{- $_ := set .Values.gitea.config.server "DOMAIN" (index .Values.ingress.hosts 0).host -}}
{{- else -}} {{- else -}}
{{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}} {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}}
{{- end -}} {{- end -}}
@ -385,21 +344,12 @@ https
{{- if (index .Values "postgresql-ha" "enabled") -}} {{- if (index .Values "postgresql-ha" "enabled") -}}
{{- $_ := set .Values.gitea.config.database "DB_TYPE" "postgres" -}} {{- $_ := set .Values.gitea.config.database "DB_TYPE" "postgres" -}}
{{- if not (.Values.gitea.config.database.HOST) -}} {{- if not (.Values.gitea.config.database.HOST) -}}
{{- $_ := set .Values.gitea.config.database "HOST" (include "postgresql-ha.dns" .) -}} {{- $_ := set .Values.gitea.config.database "HOST" (include "postgresql.dns" .) -}}
{{- end -}} {{- end -}}
{{- $_ := set .Values.gitea.config.database "NAME" (index .Values "postgresql-ha" "global" "postgresql" "database") -}} {{- $_ := set .Values.gitea.config.database "NAME" (index .Values "postgresql-ha" "global" "postgresql" "database") -}}
{{- $_ := set .Values.gitea.config.database "USER" (index .Values "postgresql-ha" "global" "postgresql" "username") -}} {{- $_ := set .Values.gitea.config.database "USER" (index .Values "postgresql-ha" "global" "postgresql" "username") -}}
{{- $_ := set .Values.gitea.config.database "PASSWD" (index .Values "postgresql-ha" "global" "postgresql" "password") -}} {{- $_ := set .Values.gitea.config.database "PASSWD" (index .Values "postgresql-ha" "global" "postgresql" "password") -}}
{{- end -}} {{- end -}}
{{- if (index .Values "postgresql" "enabled") -}}
{{- $_ := set .Values.gitea.config.database "DB_TYPE" "postgres" -}}
{{- if not (.Values.gitea.config.database.HOST) -}}
{{- $_ := set .Values.gitea.config.database "HOST" (include "postgresql.dns" .) -}}
{{- end -}}
{{- $_ := set .Values.gitea.config.database "NAME" .Values.postgresql.global.postgresql.auth.database -}}
{{- $_ := set .Values.gitea.config.database "USER" .Values.postgresql.global.postgresql.auth.username -}}
{{- $_ := set .Values.gitea.config.database "PASSWD" .Values.postgresql.global.postgresql.auth.password -}}
{{- end -}}
{{- end -}} {{- end -}}
{{- define "gitea.init-additional-mounts" -}} {{- define "gitea.init-additional-mounts" -}}
@ -427,45 +377,3 @@ https
{{- define "gitea.serviceAccountName" -}} {{- define "gitea.serviceAccountName" -}}
{{ .Values.serviceAccount.name | default (include "gitea.fullname" .) }} {{ .Values.serviceAccount.name | default (include "gitea.fullname" .) }}
{{- end -}} {{- end -}}
{{- define "ingress.annotations" -}}
{{- if .Values.ingress.annotations }}
annotations:
{{- $tp := typeOf .Values.ingress.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.ingress.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.ingress.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{- define "gitea.admin.passwordMode" -}}
{{- if has .Values.gitea.admin.passwordMode (tuple "keepUpdated" "initialOnlyNoReset" "initialOnlyRequireReset") -}}
{{ .Values.gitea.admin.passwordMode }}
{{- else -}}
{{ printf "gitea.admin.passwordMode must be set to one of 'keepUpdated', 'initialOnlyNoReset', or 'initialOnlyRequireReset'. Received: '%s'" .Values.gitea.admin.passwordMode | fail }}
{{- end -}}
{{- end -}}
{{/* Create a functioning probe object for rendering. Given argument must be either a livenessProbe, readinessProbe, or startupProbe */}}
{{- define "gitea.deployment.probe" -}}
{{- $probe := unset . "enabled" -}}
{{- $probeKeys := keys $probe -}}
{{- $containsCustomMethod := false -}}
{{- $chartDefaultMethod := "tcpSocket" -}}
{{- $nonChartDefaultMethods := list "exec" "httpGet" "grpc" -}}
{{- range $probeKeys -}}
{{- if has . $nonChartDefaultMethods -}}
{{- $containsCustomMethod = true -}}
{{- end -}}
{{- end -}}
{{- if $containsCustomMethod -}}
{{- $probe = unset . $chartDefaultMethod -}}
{{- end -}}
{{- toYaml $probe -}}
{{- end -}}
{{- define "gitea.metrics-secret-name" -}}
{{ default (printf "%s-metrics-secret" (include "gitea.fullname" .)) }}
{{- end -}}

3
templates/gitea/check-actions-not-present.yaml
View File

@ -1,3 +0,0 @@
{{- if .Values.actions -}}
{{- fail "The actions sub-chart has been outsourced to a dedicated chart available at https://gitea.com/gitea/helm-actions. For assistance with the migration process, check https://gitea.com/gitea/helm-actions/issues/9." -}}
{{- end -}}

214
templates/gitea/config.yaml
View File

@ -2,7 +2,6 @@ apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: {{ include "gitea.fullname" . }}-inline-config name: {{ include "gitea.fullname" . }}-inline-config
namespace: {{ .Values.namespace | default .Release.Namespace }}
labels: labels:
{{- include "gitea.labels" . | nindent 4 }} {{- include "gitea.labels" . | nindent 4 }}
type: Opaque type: Opaque
@ -13,45 +12,188 @@ apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: {{ include "gitea.fullname" . }} name: {{ include "gitea.fullname" . }}
namespace: {{ .Values.namespace | default .Release.Namespace }}
labels: labels:
{{- include "gitea.labels" . | nindent 4 }} {{- include "gitea.labels" . | nindent 4 }}
type: Opaque type: Opaque
stringData: stringData:
{{ (.Files.Glob "scripts/init-containers/config/*.sh").AsConfig | indent 2 }}
assertions: | assertions: |
{{- /* multiple replicas assertions */ -}}
{{- if gt .Values.replicaCount 1.0 -}}
{{- if .Values.gitea.config.cron.GIT_GC_REPOS -}}
{{- if .Values.gitea.config.cron.GIT_GC_REPOS.enabled -}}
{{- fail "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'GIT_GC_REPOS.enabled = false'." -}}
{{- end }}
{{- end }}
{{- if eq (first .Values.persistence.accessModes) "ReadWriteOnce" -}}
{{- fail "When using multiple replicas, a RWX file system is required and gitea.persistence.accessModes[0] must be set to ReadWriteMany." -}}
{{- end }}
{{- if eq (get .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE") "bleve" -}}
{{- fail "When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)." -}}
{{- end }}
{{- if .Values.gitea.config.indexer.REPO_INDEXER_TYPE -}}
{{- if eq (get .Values.gitea.config.indexer "REPO_INDEXER_TYPE") "bleve" -}}
{{- if .Values.gitea.config.indexer.REPO_INDEXER_ENABLED -}}
{{- if eq (get .Values.gitea.config.indexer "REPO_INDEXER_ENABLED") "true" -}}
{{- fail "When using multiple replicas, the repo indexer (gitea.config.indexer.REPO_INDEXER_TYPE) must be set to 'meilisearch' or 'elasticsearch' or disabled." -}}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
config_environment.sh: |-
#!/usr/bin/env bash
set -euo pipefail
{{- /*assert that only one PG dep is enabled */ -}} function env2ini::log() {
{{- if and (.Values.postgresql.enabled) (index .Values "postgresql-ha" "enabled") -}} printf "${1}\n"
{{- fail "Only one of postgresql or postgresql-ha can be enabled at the same time." -}} }
{{- end }}
function env2ini::read_config_to_env() {
{{- /* multiple replicas assertions */ -}} local section="${1}"
{{- if gt .Values.replicaCount 1.0 -}} local line="${2}"
{{- if .Values.gitea.config.cron -}}
{{- if .Values.gitea.config.cron.GIT_GC_REPOS -}} if [[ -z "${line}" ]]; then
{{- if eq .Values.gitea.config.cron.GIT_GC_REPOS.ENABLED true -}} # skip empty line
{{ fail "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'gitea.config.cron.GIT_GC_REPOS.enabled = false'." }} return
{{- end }} fi
{{- end }}
{{- end }}
{{- if eq (first .Values.persistence.accessModes) "ReadWriteOnce" -}}
{{- fail "When using multiple replicas, a RWX file system is required and persistence.accessModes[0] must be set to ReadWriteMany." -}}
{{- end }}
{{- if .Values.gitea.config.indexer -}}
{{- if eq .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE "bleve" -}}
{{- fail "When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)." -}}
{{- end }}
{{- if .Values.gitea.config.indexer.REPO_INDEXER_TYPE -}}
{{- if eq .Values.gitea.config.indexer.REPO_INDEXER_TYPE "bleve" -}}
{{- if .Values.gitea.config.indexer.REPO_INDEXER_ENABLED -}}
{{- if eq .Values.gitea.config.indexer.REPO_INDEXER_ENABLED true -}}
{{- fail "When using multiple replicas, the repo indexer (gitea.config.indexer.REPO_INDEXER_TYPE) must be set to 'meilisearch' or 'elasticsearch' or disabled." -}}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }} # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
if [[ -z "${setting}" ]]; then
env2ini::log ' ! invalid setting'
exit 1
fi
local value=''
local regex="^${setting}(\s*)=(\s*)(.*)"
if [[ $line =~ $regex ]]; then
value="${BASH_REMATCH[3]}"
else
env2ini::log ' ! invalid setting'
exit 1
fi
env2ini::log " + '${setting}'"
if [[ -z "${section}" ]]; then
export "GITEA____${setting^^}=${value}" # '^^' makes the variable content uppercase
return
fi
local masked_section="${section//./_0X2E_}" # '//' instructs to replace all matches
masked_section="${masked_section//-/_0X2D_}"
export "GITEA__${masked_section^^}__${setting^^}=${value}" # '^^' makes the variable content uppercase
}
function env2ini::reload_preset_envs() {
env2ini::log "Reloading preset envs..."
while read -r line; do
if [[ -z "${line}" ]]; then
# skip empty line
return
fi
# 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
if [[ -z "${setting}" ]]; then
env2ini::log ' ! invalid setting'
exit 1
fi
local value=''
local regex="^${setting}(\s*)=(\s*)(.*)"
if [[ $line =~ $regex ]]; then
value="${BASH_REMATCH[3]}"
else
env2ini::log ' ! invalid setting'
exit 1
fi
env2ini::log " + '${setting}'"
export "${setting^^}=${value}" # '^^' makes the variable content uppercase
done < "/tmp/existing-envs"
rm /tmp/existing-envs
}
function env2ini::process_config_file() {
local config_file="${1}"
local section="$(basename "${config_file}")"
if [[ $section == '_generals_' ]]; then
env2ini::log " [ini root]"
section=''
else
env2ini::log " ${section}"
fi
while read -r line; do
env2ini::read_config_to_env "${section}" "${line}"
done < <(awk 1 "${config_file}") # Helm .toYaml trims the trailing new line which breaks line processing; awk 1 ... adds it back while reading
}
function env2ini::load_config_sources() {
local path="${1}"
if [[ -d "${path}" ]]; then
env2ini::log "Processing $(basename "${path}")..."
while read -d '' configFile; do
env2ini::process_config_file "${configFile}"
done < <(find "${path}" -type l -not -name '..data' -print0)
env2ini::log "\n"
fi
}
function env2ini::generate_initial_secrets() {
# These environment variables will either be
# - overwritten with user defined values,
# - initially used to set up Gitea
# Anyway, they won't harm existing app.ini files
export GITEA__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
export GITEA__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
export GITEA__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
export GITEA__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
env2ini::log "...Initial secrets generated\n"
}
# save existing envs prior to script execution. Necessary to keep order of preexisting and custom envs
env | (grep GITEA || [[ $? == 1 ]]) > /tmp/existing-envs
# MUST BE CALLED BEFORE OTHER CONFIGURATION
env2ini::generate_initial_secrets
env2ini::load_config_sources '/env-to-ini-mounts/inlines/'
env2ini::load_config_sources '/env-to-ini-mounts/additionals/'
# load existing envs to override auto generated envs
env2ini::reload_preset_envs
env2ini::log "=== All configuration sources loaded ===\n"
# safety to prevent rewrite of secret keys if an app.ini already exists
if [ -f ${GITEA_APP_INI} ]; then
env2ini::log 'An app.ini file already exists. To prevent overwriting secret keys, these settings are dropped and remain unchanged:'
env2ini::log ' - security.INTERNAL_TOKEN'
env2ini::log ' - security.SECRET_KEY'
env2ini::log ' - oauth2.JWT_SECRET'
env2ini::log ' - server.LFS_JWT_SECRET'
unset GITEA__SECURITY__INTERNAL_TOKEN
unset GITEA__SECURITY__SECRET_KEY
unset GITEA__OAUTH2__JWT_SECRET
unset GITEA__SERVER__LFS_JWT_SECRET
fi
environment-to-ini -o $GITEA_APP_INI

56
templates/gitea/deployment.yaml
View File

@ -2,16 +2,12 @@ apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: {{ include "gitea.fullname" . }} name: {{ include "gitea.fullname" . }}
namespace: {{ .Values.namespace | default .Release.Namespace }}
annotations: annotations:
{{- if .Values.deployment.annotations }} {{- if .Values.deployment.annotations }}
{{- toYaml .Values.deployment.annotations | nindent 4 }} {{- toYaml .Values.deployment.annotations | nindent 4 }}
{{- end }} {{- end }}
labels: labels:
{{- include "gitea.labels" . | nindent 4 }} {{- include "gitea.labels" . | nindent 4 }}
{{- if .Values.deployment.labels }}
{{- toYaml .Values.deployment.labels | nindent 4 }}
{{- end }}
spec: spec:
replicas: {{ .Values.replicaCount }} replicas: {{ .Values.replicaCount }}
strategy: strategy:
@ -62,8 +58,7 @@ spec:
- name: init-directories - name: init-directories
image: "{{ include "gitea.image" . }}" image: "{{ include "gitea.image" . }}"
imagePullPolicy: {{ .Values.image.pullPolicy }} imagePullPolicy: {{ .Values.image.pullPolicy }}
command: command: ["/usr/sbin/init_directory_structure.sh"]
- "{{ .Values.initContainersScriptsVolumeMountPath }}/init_directory_structure.sh"
env: env:
- name: GITEA_APP_INI - name: GITEA_APP_INI
value: /data/gitea/conf/app.ini value: /data/gitea/conf/app.ini
@ -82,7 +77,7 @@ spec:
{{- end }} {{- end }}
volumeMounts: volumeMounts:
- name: init - name: init
mountPath: {{ .Values.initContainersScriptsVolumeMountPath }} mountPath: /usr/sbin
- name: temp - name: temp
mountPath: /tmp mountPath: /tmp
- name: data - name: data
@ -98,8 +93,7 @@ spec:
- name: init-app-ini - name: init-app-ini
image: "{{ include "gitea.image" . }}" image: "{{ include "gitea.image" . }}"
imagePullPolicy: {{ .Values.image.pullPolicy }} imagePullPolicy: {{ .Values.image.pullPolicy }}
command: command: ["/usr/sbin/config_environment.sh"]
- "{{ .Values.initContainersScriptsVolumeMountPath }}/config_environment.sh"
env: env:
- name: GITEA_APP_INI - name: GITEA_APP_INI
value: /data/gitea/conf/app.ini value: /data/gitea/conf/app.ini
@ -109,19 +103,15 @@ spec:
value: /data value: /data
- name: GITEA_TEMP - name: GITEA_TEMP
value: /tmp/gitea value: /tmp/gitea
- name: TMP_EXISTING_ENVS_FILE
value: /tmp/existing-envs
- name: ENV_TO_INI_MOUNT_POINT
value: /env-to-ini-mounts
{{- if .Values.deployment.env }} {{- if .Values.deployment.env }}
{{- toYaml .Values.deployment.env | nindent 12 }} {{- toYaml .Values.deployment.env | nindent 12 }}
{{- end }} {{- end }}
{{- if .Values.gitea.additionalConfigFromEnvs }} {{- if .Values.gitea.additionalConfigFromEnvs }}
{{- tpl (toYaml .Values.gitea.additionalConfigFromEnvs) $ | nindent 12 }} {{- toYaml .Values.gitea.additionalConfigFromEnvs | nindent 12 }}
{{- end }} {{- end }}
volumeMounts: volumeMounts:
- name: config - name: config
mountPath: {{ .Values.initContainersScriptsVolumeMountPath }} mountPath: /usr/sbin
- name: temp - name: temp
mountPath: /tmp mountPath: /tmp
- name: data - name: data
@ -143,8 +133,7 @@ spec:
{{- if .Values.signing.enabled }} {{- if .Values.signing.enabled }}
- name: configure-gpg - name: configure-gpg
image: "{{ include "gitea.image" . }}" image: "{{ include "gitea.image" . }}"
command: command: ["/usr/sbin/configure_gpg_environment.sh"]
- "{{ .Values.initContainersScriptsVolumeMountPath }}/configure_gpg_environment.sh"
imagePullPolicy: {{ .Values.image.pullPolicy }} imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext: securityContext:
{{- /* By default this container runs as user 1000 unless otherwise stated */ -}} {{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
@ -156,11 +145,9 @@ spec:
env: env:
- name: GNUPGHOME - name: GNUPGHOME
value: {{ .Values.signing.gpgHome }} value: {{ .Values.signing.gpgHome }}
- name: TMP_RAW_GPG_KEY
value: /raw/private.asc
volumeMounts: volumeMounts:
- name: init - name: init
mountPath: {{ .Values.initContainersScriptsVolumeMountPath }} mountPath: /usr/sbin
- name: data - name: data
mountPath: /data mountPath: /data
{{- if .Values.persistence.subPath }} {{- if .Values.persistence.subPath }}
@ -177,8 +164,7 @@ spec:
{{- end }} {{- end }}
- name: configure-gitea - name: configure-gitea
image: "{{ include "gitea.image" . }}" image: "{{ include "gitea.image" . }}"
command: command: ["/usr/sbin/configure_gitea.sh"]
- "{{ .Values.initContainersScriptsVolumeMountPath }}/configure_gitea.sh"
imagePullPolicy: {{ .Values.image.pullPolicy }} imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext: securityContext:
{{- /* By default this container runs as user 1000 unless otherwise stated */ -}} {{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
@ -254,14 +240,12 @@ spec:
- name: GITEA_ADMIN_PASSWORD - name: GITEA_ADMIN_PASSWORD
value: {{ .Values.gitea.admin.password | quote }} value: {{ .Values.gitea.admin.password | quote }}
{{- end }} {{- end }}
- name: GITEA_ADMIN_PASSWORD_MODE
value: {{ include "gitea.admin.passwordMode" $ }}
{{- if .Values.deployment.env }} {{- if .Values.deployment.env }}
{{- toYaml .Values.deployment.env | nindent 12 }} {{- toYaml .Values.deployment.env | nindent 12 }}
{{- end }} {{- end }}
volumeMounts: volumeMounts:
- name: init - name: init
mountPath: {{ .Values.initContainersScriptsVolumeMountPath }} mountPath: /usr/sbin
- name: temp - name: temp
mountPath: /tmp mountPath: /tmp
- name: data - name: data
@ -295,13 +279,6 @@ spec:
value: /data value: /data
- name: GITEA_TEMP - name: GITEA_TEMP
value: /tmp/gitea value: /tmp/gitea
{{- if and (hasKey .Values.resources "limits") (hasKey .Values.resources.limits "cpu") }}
- name: GOMAXPROCS
valueFrom:
resourceFieldRef:
divisor: "1"
resource: limits.cpu
{{- end }}
- name: TMPDIR - name: TMPDIR
value: /tmp/gitea value: /tmp/gitea
{{- if .Values.image.rootless }} {{- if .Values.image.rootless }}
@ -329,15 +306,15 @@ spec:
{{- end }} {{- end }}
{{- if .Values.gitea.livenessProbe.enabled }} {{- if .Values.gitea.livenessProbe.enabled }}
livenessProbe: livenessProbe:
{{- include "gitea.deployment.probe" .Values.gitea.livenessProbe | nindent 12 }} {{- toYaml (omit .Values.gitea.livenessProbe "enabled") | nindent 12 }}
{{- end }} {{- end }}
{{- if .Values.gitea.readinessProbe.enabled }} {{- if .Values.gitea.readinessProbe.enabled }}
readinessProbe: readinessProbe:
{{- include "gitea.deployment.probe" .Values.gitea.readinessProbe | nindent 12 }} {{- toYaml (omit .Values.gitea.readinessProbe "enabled") | nindent 12 }}
{{- end }} {{- end }}
{{- if .Values.gitea.startupProbe.enabled }} {{- if .Values.gitea.startupProbe.enabled }}
startupProbe: startupProbe:
{{- include "gitea.deployment.probe" .Values.gitea.startupProbe | nindent 12 }} {{- toYaml (omit .Values.gitea.startupProbe "enabled") | nindent 12 }}
{{- end }} {{- end }}
resources: resources:
{{- toYaml .Values.resources | nindent 12 }} {{- toYaml .Values.resources | nindent 12 }}
@ -357,23 +334,20 @@ spec:
subPath: {{ .Values.persistence.subPath }} subPath: {{ .Values.persistence.subPath }}
{{- end }} {{- end }}
{{- include "gitea.container-additional-mounts" . | nindent 12 }} {{- include "gitea.container-additional-mounts" . | nindent 12 }}
{{- if .Values.extraContainers }}
{{- toYaml .Values.extraContainers | nindent 8 }}
{{- end }}
{{- with .Values.global.hostAliases }} {{- with .Values.global.hostAliases }}
hostAliases: hostAliases:
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}
{{- end }} {{- end }}
{{- range $key, $value := .Values.nodeSelector }} {{- with .Values.nodeSelector }}
nodeSelector: nodeSelector:
{{ $key }}: {{ $value | quote }} {{- toYaml . | nindent 8 }}
{{- end }} {{- end }}
{{- with .Values.affinity }} {{- with .Values.affinity }}
affinity: affinity:
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}
{{- end }} {{- end }}
{{- with .Values.topologySpreadConstraints }} {{- with .Values.topologySpreadConstraints }}
topologySpreadConstraints: topologySpreadConstraints:
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}
{{- end }} {{- end }}
{{- with .Values.tolerations }} {{- with .Values.tolerations }}

1
templates/gitea/gpg-secret.yaml
View File

@ -7,7 +7,6 @@ apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: {{ include "gitea.gpg-key-secret-name" . }} name: {{ include "gitea.gpg-key-secret-name" . }}
namespace: {{ .Values.namespace | default .Release.Namespace }}
labels: labels:
{{- include "gitea.labels" . | nindent 4 }} {{- include "gitea.labels" . | nindent 4 }}
type: Opaque type: Opaque

11
templates/gitea/http-svc.yaml
View File

@ -2,21 +2,13 @@ apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ include "gitea.fullname" . }}-http name: {{ include "gitea.fullname" . }}-http
namespace: {{ .Values.namespace | default .Release.Namespace }}
labels: labels:
{{- include "gitea.labels" . | nindent 4 }} {{- include "gitea.labels" . | nindent 4 }}
{{- if .Values.service.http.labels }}
{{- toYaml .Values.service.http.labels | nindent 4 }}
{{- end }}
annotations: annotations:
{{- toYaml .Values.service.http.annotations | nindent 4 }} {{- toYaml .Values.service.http.annotations | nindent 4 }}
spec: spec:
type: {{ .Values.service.http.type }} type: {{ .Values.service.http.type }}
{{- if eq .Values.service.http.type "LoadBalancer" }} {{- if and .Values.service.http.loadBalancerIP (eq .Values.service.http.type "LoadBalancer") }}
{{- if .Values.service.http.loadBalancerClass }}
loadBalancerClass: {{ .Values.service.http.loadBalancerClass }}
{{- end }}
{{- if and .Values.service.http.loadBalancerIP }}
loadBalancerIP: {{ .Values.service.http.loadBalancerIP }} loadBalancerIP: {{ .Values.service.http.loadBalancerIP }}
{{- end }} {{- end }}
{{- if .Values.service.http.loadBalancerSourceRanges }} {{- if .Values.service.http.loadBalancerSourceRanges }}
@ -25,7 +17,6 @@ spec:
- {{ . }} - {{ . }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }}
{{- if .Values.service.http.externalIPs }} {{- if .Values.service.http.externalIPs }}
externalIPs: externalIPs:
{{- toYaml .Values.service.http.externalIPs | nindent 4 }} {{- toYaml .Values.service.http.externalIPs | nindent 4 }}

56
templates/gitea/ingress.yaml
View File

@ -1,62 +1,58 @@
{{- if .Values.ingress.enabled -}} {{- if .Values.ingress.enabled -}}
{{- $fullName := include "gitea.fullname" . -}} {{- $fullName := include "gitea.fullname" . -}}
{{- $httpPort := .Values.service.http.port -}} {{- $httpPort := .Values.service.http.port -}}
apiVersion: networking.k8s.io/v1 {{- $apiVersion := "extensions/v1beta1" -}}
{{- if .Values.ingress.apiVersion -}}
{{- $apiVersion = .Values.ingress.apiVersion -}}
{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
{{- $apiVersion = "networking.k8s.io/v1" }}
{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" -}}
{{- $apiVersion = "networking.k8s.io/v1beta1" }}
{{- end }}
apiVersion: {{ $apiVersion }}
kind: Ingress kind: Ingress
metadata: metadata:
name: {{ $fullName }} name: {{ $fullName }}
namespace: {{ .Values.namespace | default .Release.Namespace }}
labels: labels:
{{- include "gitea.labels" . | nindent 4 }} {{- include "gitea.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations: annotations:
{{- range $key, $value := .Values.ingress.annotations }} {{- toYaml . | nindent 4 }}
{{ $key }}: {{ $value | quote }} {{- end }}
{{- end }}
spec: spec:
ingressClassName: {{ tpl .Values.ingress.className . }} {{- if .Values.ingress.className }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }} {{- if .Values.ingress.tls }}
tls: tls:
{{- range .Values.ingress.tls }} {{- range .Values.ingress.tls }}
- hosts: - hosts:
{{- range .hosts }} {{- range .hosts }}
- {{ tpl . $ | quote }} - {{ . | quote }}
{{- end }} {{- end }}
secretName: {{ .secretName }} secretName: {{ .secretName }}
{{- end }} {{- end }}
{{- end }} {{- end }}
rules: rules:
{{- range .Values.ingress.hosts }} {{- range .Values.ingress.hosts }}
- host: {{ tpl .host $ | quote }} - host: {{ .host | quote }}
http: http:
paths: paths:
{{- if .paths }}
{{- range .paths }} {{- range .paths }}
{{- if kindIs "string" . }} - path: {{ .path }}
- path: {{ . }} {{- if and .pathType (eq $apiVersion "networking.k8s.io/v1") }}
pathType: {{ default "Prefix" $.Values.ingress.pathType }} pathType: {{ .pathType }}
backend: {{- end }}
service:
name: {{ $fullName }}-http
port:
number: {{ $httpPort }}
{{- else }}
- path: {{ .path | default "/" }}
pathType: {{ .pathType | default "Prefix" }}
backend:
service:
name: {{ $fullName }}-http
port:
number: {{ $httpPort }}
{{- end }}
{{- end }}
{{- else }}
- path: "/"
pathType: "Prefix"
backend: backend:
{{- if eq $apiVersion "networking.k8s.io/v1" }}
service: service:
name: {{ $fullName }}-http name: {{ $fullName }}-http
port: port:
number: {{ $httpPort }} number: {{ $httpPort }}
{{- else }}
serviceName: {{ $fullName }}-http
servicePort: {{ $httpPort }}
{{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}

140
templates/gitea/init.yaml
View File

@ -2,12 +2,15 @@ apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: {{ include "gitea.fullname" . }}-init name: {{ include "gitea.fullname" . }}-init
namespace: {{ .Values.namespace | default .Release.Namespace }}
labels: labels:
{{- include "gitea.labels" . | nindent 4 }} {{- include "gitea.labels" . | nindent 4 }}
type: Opaque type: Opaque
stringData: stringData:
{{ (.Files.Glob "scripts/init-containers/init/*.sh").AsConfig | indent 2 }} configure_gpg_environment.sh: |-
#!/usr/bin/env bash
set -eu
gpg --batch --import /raw/private.asc
init_directory_structure.sh: |- init_directory_structure.sh: |-
#!/usr/bin/env bash #!/usr/bin/env bash
@ -21,25 +24,27 @@ stringData:
# END: initPreScript # END: initPreScript
{{- end }} {{- end }}
set -x
{{- if not .Values.image.rootless }} {{- if not .Values.image.rootless }}
chown -v 1000:1000 /data chown 1000:1000 /data
{{- end }} {{- end }}
mkdir -pv /data/git/.ssh mkdir -p /data/git/.ssh
chmod -Rv 700 /data/git/.ssh chmod -R 700 /data/git/.ssh
[ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
# prepare temp directory structure # prepare temp directory structure
mkdir -pv "${GITEA_TEMP}" mkdir -p "${GITEA_TEMP}"
{{- if not .Values.image.rootless }} {{- if not .Values.image.rootless }}
chown -v 1000:1000 "${GITEA_TEMP}" chown 1000:1000 "${GITEA_TEMP}"
{{- end }} {{- end }}
chmod -v ug+rwx "${GITEA_TEMP}" chmod ug+rwx "${GITEA_TEMP}"
{{ if .Values.signing.enabled -}} {{ if .Values.signing.enabled -}}
if [ ! -d "${GNUPGHOME}" ]; then if [ ! -d "${GNUPGHOME}" ]; then
mkdir -pv "${GNUPGHOME}" mkdir -p "${GNUPGHOME}"
chmod -v 700 "${GNUPGHOME}" chmod 700 "${GNUPGHOME}"
chown -v 1000:1000 "${GNUPGHOME}" chown 1000:1000 "${GNUPGHOME}"
fi fi
{{- end }} {{- end }}
@ -57,80 +62,39 @@ stringData:
exit 1 exit 1
} }
{{- if include "valkey.servicename" . }} {{- if include "redis.servicename" . }}
function test_valkey_connection() { function test_redis_connection() {
local RETRY=0 local RETRY=0
local MAX=30 local MAX=30
echo 'Wait for valkey to become avialable...' echo 'Wait for redis to become avialable...'
until [ "${RETRY}" -ge "${MAX}" ]; do until [ "${RETRY}" -ge "${MAX}" ]; do
nc -vz -w2 {{ include "valkey.servicename" . }} {{ include "valkey.port" . }} && break nc -vz -w2 {{ include "redis.servicename" . }} {{ include "redis.port" . }} && break
RETRY=$[${RETRY}+1] RETRY=$[${RETRY}+1]
echo "...not ready yet (${RETRY}/${MAX})" echo "...not ready yet (${RETRY}/${MAX})"
done done
if [ "${RETRY}" -ge "${MAX}" ]; then if [ "${RETRY}" -ge "${MAX}" ]; then
echo "Valkey not reachable after '${MAX}' attempts!" echo "Redis not reachable after '${MAX}' attempts!"
exit 1 exit 1
fi fi
} }
test_valkey_connection test_redis_connection
{{- end }} {{- end }}
{{- if or .Values.gitea.admin.existingSecret (and .Values.gitea.admin.username .Values.gitea.admin.password) }} {{- if or .Values.gitea.admin.existingSecret (and .Values.gitea.admin.username .Values.gitea.admin.password) }}
function configure_admin_user() { function configure_admin_user() {
local full_admin_list=$(gitea admin user list --admin) local ACCOUNT_ID=$(gitea admin user list --admin | grep -e "\s\+${GITEA_ADMIN_USERNAME}\s\+" | awk -F " " "{printf \$1}")
local actual_user_table=''
# We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line
local regex="(.*)(ID\s+Username\s+Email\s+IsActive.*)"
if [[ "${full_admin_list}" =~ $regex ]]; then
actual_user_table=$(echo "${BASH_REMATCH[2]}" | tail -n+2) # tail'ing to drop the table headline
else
# This code block should never be reached, as long as the output table header remains the same.
# If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script.
echo "ERROR: 'configure_admin_user' was not able to determine the current list of admin users."
echo " Please review the output of 'gitea admin user list --admin' shown below."
echo " If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-gitea/issues."
echo "DEBUG: Output of 'gitea admin user list --admin'"
echo "--"
echo "${full_admin_list}"
echo "--"
exit 1
fi
local ACCOUNT_ID=$(echo "${actual_user_table}" | grep -E "\s+${GITEA_ADMIN_USERNAME}\s+" | awk -F " " "{printf \$1}")
if [[ -z "${ACCOUNT_ID}" ]]; then if [[ -z "${ACCOUNT_ID}" ]]; then
local -a create_args
create_args=(--admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }})
if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = initialOnlyRequireReset ]]; then
create_args+=(--must-change-password=true)
else
create_args+=(--must-change-password=false)
fi
echo "No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now..." echo "No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now..."
gitea admin user create "${create_args[@]}" gitea admin user create --admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }} --must-change-password=false
echo '...created.' echo '...created.'
else else
if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = keepUpdated ]]; then echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..." gitea admin user change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}"
# See https://gitea.com/gitea/helm-gitea/issues/673 echo '...password sync done.'
# --must-change-password argument was added to change-password, defaulting to true, counter to the previous behavior
# which acted as if it were provided with =false. If the argument is present in this version of gitea, then we
# should add it to prevent requiring frequent admin password resets.
local -a change_args
change_args=(--username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}")
if gitea admin user change-password --help | grep -qF -- '--must-change-password'; then
change_args+=(--must-change-password=false)
fi
gitea admin user change-password "${change_args[@]}"
echo '...password sync done.'
else
echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist, but update mode is set to '${GITEA_ADMIN_PASSWORD_MODE}'. Skipping."
fi
fi fi
} }
@ -141,28 +105,7 @@ stringData:
{{- if .Values.gitea.ldap }} {{- if .Values.gitea.ldap }}
{{- range $idx, $value := .Values.gitea.ldap }} {{- range $idx, $value := .Values.gitea.ldap }}
local LDAP_NAME={{ (printf "%s" $value.name) | squote }} local LDAP_NAME={{ (printf "%s" $value.name) | squote }}
local full_auth_list=$(gitea admin auth list --vertical-bars) local GITEA_AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${LDAP_NAME}\s+\|" | grep -iE '\|LDAP \(via BindDN\)\s+\|' | awk -F " " "{print \$1}")
local actual_auth_table=''
# We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line
local regex="(.*)(ID\s+\|Name\s+\|Type\s+\|Enabled.*)"
if [[ "${full_auth_list}" =~ $regex ]]; then
actual_auth_table=$(echo "${BASH_REMATCH[2]}" | tail -n+2) # tail'ing to drop the table headline
else
# This code block should never be reached, as long as the output table header remains the same.
# If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script.
echo "ERROR: 'configure_ldap' was not able to determine the current list of authentication sources."
echo " Please review the output of 'gitea admin auth list --vertical-bars' shown below."
echo " If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-gitea/issues."
echo "DEBUG: Output of 'gitea admin auth list --vertical-bars'"
echo "--"
echo "${full_auth_list}"
echo "--"
exit 1
fi
local GITEA_AUTH_ID=$(echo "${actual_auth_table}" | grep -E "\|${LDAP_NAME}\s+\|" | grep -iE '\|LDAP \(via BindDN\)\s+\|' | awk -F " " "{print \$1}")
if [[ -z "${GITEA_AUTH_ID}" ]]; then if [[ -z "${GITEA_AUTH_ID}" ]]; then
echo "No ldap configuration found with name '${LDAP_NAME}'. Installing it now..." echo "No ldap configuration found with name '${LDAP_NAME}'. Installing it now..."
@ -185,28 +128,7 @@ stringData:
{{- if .Values.gitea.oauth }} {{- if .Values.gitea.oauth }}
{{- range $idx, $value := .Values.gitea.oauth }} {{- range $idx, $value := .Values.gitea.oauth }}
local OAUTH_NAME={{ (printf "%s" $value.name) | squote }} local OAUTH_NAME={{ (printf "%s" $value.name) | squote }}
local full_auth_list=$(gitea admin auth list --vertical-bars) local AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " " "{print \$1}")
local actual_auth_table=''
# We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line
local regex="(.*)(ID\s+\|Name\s+\|Type\s+\|Enabled.*)"
if [[ "${full_auth_list}" =~ $regex ]]; then
actual_auth_table=$(echo "${BASH_REMATCH[2]}" | tail -n+2) # tail'ing to drop the table headline
else
# This code block should never be reached, as long as the output table header remains the same.
# If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script.
echo "ERROR: 'configure_oauth' was not able to determine the current list of authentication sources."
echo " Please review the output of 'gitea admin auth list --vertical-bars' shown below."
echo " If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-gitea/issues."
echo "DEBUG: Output of 'gitea admin auth list --vertical-bars'"
echo "--"
echo "${full_auth_list}"
echo "--"
exit 1
fi
local AUTH_ID=$(echo "${actual_auth_table}" | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " " "{print \$1}")
if [[ -z "${AUTH_ID}" ]]; then if [[ -z "${AUTH_ID}" ]]; then
echo "No oauth configuration found with name '${OAUTH_NAME}'. Installing it now..." echo "No oauth configuration found with name '${OAUTH_NAME}'. Installing it now..."
@ -225,4 +147,4 @@ stringData:
configure_oauth configure_oauth
echo '==== END GITEA CONFIGURATION ====' echo '==== END GITEA CONFIGURATION ===='

12
templates/gitea/metrics-secret.yaml
View File

@ -1,12 +0,0 @@
{{- if and (.Values.gitea.metrics.enabled) (.Values.gitea.metrics.serviceMonitor.enabled) (.Values.gitea.metrics.token) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "gitea.metrics-secret-name" . }}
namespace: {{ .Values.namespace | default .Release.Namespace }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
type: Opaque
data:
token: {{ .Values.gitea.metrics.token | b64enc }}
{{- end }}

1
templates/gitea/poddisruptionbudget.yaml
View File

@ -7,7 +7,6 @@ apiVersion: policy/v1beta1
kind: PodDisruptionBudget kind: PodDisruptionBudget
metadata: metadata:
name: {{ include "gitea.fullname" . }} name: {{ include "gitea.fullname" . }}
namespace: {{ .Values.namespace | default .Release.Namespace }}
labels: labels:
{{- include "gitea.labels" . | nindent 4 }} {{- include "gitea.labels" . | nindent 4 }}
spec: spec:

10
templates/gitea/pvc.yaml
View File

@ -3,11 +3,9 @@ kind: PersistentVolumeClaim
apiVersion: v1 apiVersion: v1
metadata: metadata:
name: {{ .Values.persistence.claimName }} name: {{ .Values.persistence.claimName }}
namespace: {{ .Values.namespace | default .Release.Namespace }} namespace: {{ $.Release.Namespace }}
annotations: annotations:
{{ .Values.persistence.annotations | toYaml | indent 4}} {{ .Values.persistence.annotations | toYaml | indent 4}}
labels:
{{ .Values.persistence.labels | toYaml | indent 4}}
spec: spec:
accessModes: accessModes:
{{- if gt .Values.replicaCount 1.0 }} {{- if gt .Values.replicaCount 1.0 }}
@ -16,10 +14,10 @@ spec:
{{- .Values.persistence.accessModes | toYaml | nindent 4 }} {{- .Values.persistence.accessModes | toYaml | nindent 4 }}
{{- end }} {{- end }}
volumeMode: Filesystem volumeMode: Filesystem
{{- include "gitea.persistence.storageClass" . | nindent 2 }} {{- if .Values.persistence.storageClass }}
{{- with .Values.persistence.volumeName }} storageClassName: {{ .Values.persistence.storageClass }}
volumeName: {{ . }}
{{- end }} {{- end }}
volumeName: ""
resources: resources:
requests: requests:
storage: {{ .Values.persistence.size }} storage: {{ .Values.persistence.size }}

2
templates/gitea/serviceaccount.yaml
View File

@ -3,7 +3,7 @@ apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: {{ include "gitea.serviceAccountName" . }} name: {{ include "gitea.serviceAccountName" . }}
namespace: {{ .Values.namespace | default .Release.Namespace }} namespace: {{ .Release.Namespace | quote }}
labels: labels:
{{- include "gitea.labels" . | nindent 4 }} {{- include "gitea.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.labels }} {{- with .Values.serviceAccount.labels }}

28
templates/gitea/servicemonitor.yaml
View File

@ -1,9 +1,8 @@
{{- if and .Values.gitea.metrics.enabled .Values.gitea.metrics.serviceMonitor.enabled -}} {{- if .Values.gitea.metrics.serviceMonitor.enabled -}}
apiVersion: monitoring.coreos.com/v1 apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor kind: ServiceMonitor
metadata: metadata:
name: {{ include "gitea.fullname" . }} name: {{ include "gitea.fullname" . }}
namespace: {{ .Values.namespace | default .Release.Namespace }}
labels: labels:
{{- include "gitea.labels" . | nindent 4 }} {{- include "gitea.labels" . | nindent 4 }}
{{- if .Values.gitea.metrics.serviceMonitor.additionalLabels }} {{- if .Values.gitea.metrics.serviceMonitor.additionalLabels }}
@ -15,29 +14,4 @@ spec:
{{- include "gitea.selectorLabels" . | nindent 6 }} {{- include "gitea.selectorLabels" . | nindent 6 }}
endpoints: endpoints:
- port: http - port: http
{{- if .Values.gitea.metrics.serviceMonitor.interval }}
interval: {{ .Values.gitea.metrics.serviceMonitor.interval }}
{{- end }}
{{- with .Values.gitea.metrics.serviceMonitor.relabelings }}
relabelings:
{{- . | toYaml | nindent 6 }}
{{- end }}
{{- if .Values.gitea.metrics.serviceMonitor.scheme }}
scheme: {{ .Values.gitea.metrics.serviceMonitor.scheme }}
{{- end }}
{{- if .Values.gitea.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.gitea.metrics.serviceMonitor.scrapeTimeout }}
{{- end }}
{{- with .Values.gitea.metrics.serviceMonitor.tlsConfig }}
tlsConfig:
{{- . | toYaml | nindent 6 }}
{{- end }}
{{- if .Values.gitea.metrics.token }}
authorization:
type: Bearer
credentials:
name: {{ include "gitea.metrics-secret-name" . }}
key: token
optional: false
{{- end }}
{{- end -}} {{- end -}}

7
templates/gitea/ssh-svc.yaml
View File

@ -2,20 +2,13 @@ apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ include "gitea.fullname" . }}-ssh name: {{ include "gitea.fullname" . }}-ssh
namespace: {{ .Values.namespace | default .Release.Namespace }}
labels: labels:
{{- include "gitea.labels" . | nindent 4 }} {{- include "gitea.labels" . | nindent 4 }}
{{- if .Values.service.ssh.labels }}
{{- toYaml .Values.service.ssh.labels | nindent 4 }}
{{- end }}
annotations: annotations:
{{- toYaml .Values.service.ssh.annotations | nindent 4 }} {{- toYaml .Values.service.ssh.annotations | nindent 4 }}
spec: spec:
type: {{ .Values.service.ssh.type }} type: {{ .Values.service.ssh.type }}
{{- if eq .Values.service.ssh.type "LoadBalancer" }} {{- if eq .Values.service.ssh.type "LoadBalancer" }}
{{- if .Values.service.ssh.loadBalancerClass }}
loadBalancerClass: {{ .Values.service.ssh.loadBalancerClass }}
{{- end }}
{{- if .Values.service.ssh.loadBalancerIP }} {{- if .Values.service.ssh.loadBalancerIP }}
loadBalancerIP: {{ .Values.service.ssh.loadBalancerIP }} loadBalancerIP: {{ .Values.service.ssh.loadBalancerIP }}
{{- end -}} {{- end -}}

1
templates/tests/test-http-connection.yaml
View File

@ -3,7 +3,6 @@ apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
name: "{{ include "gitea.fullname" . }}-test-connection" name: "{{ include "gitea.fullname" . }}-test-connection"
namespace: {{ .Values.namespace | default .Release.Namespace }}
labels: labels:
{{ include "gitea.labels" . | nindent 4 }} {{ include "gitea.labels" . | nindent 4 }}
annotations: annotations:

1
unittests/bash/bats

@ -1 +0,0 @@
Subproject commit 5ec2d815109358b3ad86f5aabf289d96e6535ac5

1
unittests/bash/test_helper/bats-assert

@ -1 +0,0 @@
Subproject commit b93143a1bfbde41d9b7343aab0d36f3ef6549e6b

1
unittests/bash/test_helper/bats-mock

@ -1 +0,0 @@
Subproject commit 93e0128b8787db05a2632c70501cd667dd35d253

1
unittests/bash/test_helper/bats-support

@ -1 +0,0 @@
Subproject commit d007fc1f451abbad55204fa9c9eb3e6ed5dc5f61

7
unittests/bash/test_helper/common-setup.bash
View File

@ -1,7 +0,0 @@
#!/usr/bin/env bash
function common_setup() {
load "$TEST_ROOT/test_helper/bats-support/load"
load "$TEST_ROOT/test_helper/bats-assert/load"
load "$TEST_ROOT/test_helper/bats-mock/stub"
}

204
unittests/bash/tests/init-containers/config/config_environment.bats
View File

@ -1,204 +0,0 @@
#!/usr/bin/env bats
function setup() {
PROJECT_ROOT="$(git rev-parse --show-toplevel)"
TEST_ROOT="$PROJECT_ROOT/unittests/bash"
load "$TEST_ROOT/test_helper/common-setup"
common_setup
export GITEA_APP_INI="$BATS_TEST_TMPDIR/app.ini"
export TMP_EXISTING_ENVS_FILE="$BATS_TEST_TMPDIR/existing-envs"
export ENV_TO_INI_MOUNT_POINT="$BATS_TEST_TMPDIR/env-to-ini-mounts"
stub gitea \
"generate secret INTERNAL_TOKEN : echo 'mocked-internal-token'" \
"generate secret SECRET_KEY : echo 'mocked-secret-key'" \
"generate secret JWT_SECRET : echo 'mocked-jwt-secret'" \
"generate secret LFS_JWT_SECRET : echo 'mocked-lfs-jwt-secret'"
}
function teardown() {
unstub gitea
# This condition exists due to https://github.com/jasonkarns/bats-mock/pull/37 being still open
if [ $ENV_TO_INI_EXPECTED -eq 1 ]; then
unstub environment-to-ini
fi
}
# This function exists due to https://github.com/jasonkarns/bats-mock/pull/37 being still open
function expect_environment_to_ini_call() {
export ENV_TO_INI_EXPECTED=1
stub environment-to-ini \
"-o $GITEA_APP_INI : echo 'Stubbed environment-to-ini was called!'"
}
function execute_test_script() {
currentEnvsBefore=$(env | sort)
source $PROJECT_ROOT/scripts/init-containers/config/config_environment.sh
local exitCode=$?
currentEnvsAfter=$(env | sort)
# diff as unified +/- output without context before/after
diff --unified=0 <(echo "$currentEnvsBefore") <(echo "$currentEnvsAfter")
exit $exitCode
}
function write_mounted_file() {
# either "inlines" or "additionals"
scope="${1}"
file="${2}"
content="${3}"
mkdir -p "$ENV_TO_INI_MOUNT_POINT/$scope/..data/"
echo "${content}" > "$ENV_TO_INI_MOUNT_POINT/$scope/..data/$file"
ln -sf "$ENV_TO_INI_MOUNT_POINT/$scope/..data/$file" "$ENV_TO_INI_MOUNT_POINT/$scope/$file"
}
@test "works as expected when nothing is configured" {
expect_environment_to_ini_call
run $PROJECT_ROOT/scripts/init-containers/config/config_environment.sh
assert_success
assert_line '...Initial secrets generated'
assert_line 'Reloading preset envs...'
assert_line '=== All configuration sources loaded ==='
assert_line 'Stubbed environment-to-ini was called!'
}
@test "exports initial secrets" {
expect_environment_to_ini_call
run execute_test_script
assert_success
assert_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
assert_line '+GITEA__SECURITY__INTERNAL_TOKEN=mocked-internal-token'
assert_line '+GITEA__SECURITY__SECRET_KEY=mocked-secret-key'
assert_line '+GITEA__SERVER__LFS_JWT_SECRET=mocked-lfs-jwt-secret'
}
@test "does NOT export initial secrets when app.ini already exists" {
expect_environment_to_ini_call
touch $GITEA_APP_INI
run execute_test_script
assert_success
assert_line --partial 'An app.ini file already exists.'
refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
refute_line '+GITEA__SECURITY__INTERNAL_TOKEN=mocked-internal-token'
refute_line '+GITEA__SECURITY__SECRET_KEY=mocked-secret-key'
refute_line '+GITEA__SERVER__LFS_JWT_SECRET=mocked-lfs-jwt-secret'
}
@test "ensures that preset environment variables take precedence over auto-generated ones" {
expect_environment_to_ini_call
export GITEA__OAUTH2__JWT_SECRET="pre-defined-jwt-secret"
run execute_test_script
assert_success
refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
}
@test "ensures that preset environment variables take precedence over mounted ones" {
expect_environment_to_ini_call
export GITEA__OAUTH2__JWT_SECRET="pre-defined-jwt-secret"
write_mounted_file "inlines" "oauth2" "$(cat << EOF
JWT_SECRET=inline-jwt-secret
EOF
)"
run execute_test_script
assert_success
refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
refute_line '+GITEA__OAUTH2__JWT_SECRET=inline-jwt-secret'
}
@test "ensures that additionals take precedence over inlines" {
expect_environment_to_ini_call
write_mounted_file "inlines" "oauth2" "$(cat << EOF
JWT_SECRET=inline-jwt-secret
EOF
)"
write_mounted_file "additionals" "oauth2" "$(cat << EOF
JWT_SECRET=additional-jwt-secret
EOF
)"
run execute_test_script
assert_success
refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret'
refute_line '+GITEA__OAUTH2__JWT_SECRET=inline-jwt-secret'
assert_line '+GITEA__OAUTH2__JWT_SECRET=additional-jwt-secret'
}
@test "ensures that dotted/dashed sections are properly masked" {
expect_environment_to_ini_call
write_mounted_file "inlines" "repository.pull-request" "$(cat << EOF
WORK_IN_PROGRESS_PREFIXES=WIP:,[WIP]
EOF
)"
run execute_test_script
assert_success
assert_line '+GITEA__REPOSITORY_0X2E_PULL_0X2D_REQUEST__WORK_IN_PROGRESS_PREFIXES=WIP:,[WIP]'
}
###############################################################
##### THIS IS A BUG, BUT I WANT IT TO BE COVERED BY TESTS #####
###############################################################
@test "ensures uppercase section and setting names (🐞)" {
expect_environment_to_ini_call
export GITEA__oauth2__JwT_Secret="pre-defined-jwt-secret"
write_mounted_file "inlines" "repository.pull-request" "$(cat << EOF
WORK_IN_progress_PREFIXES=WIP:,[WIP]
EOF
)"
run execute_test_script
assert_success
assert_line '+GITEA__REPOSITORY_0X2E_PULL_0X2D_REQUEST__WORK_IN_PROGRESS_PREFIXES=WIP:,[WIP]'
assert_line '+GITEA__OAUTH2__JWT_SECRET=pre-defined-jwt-secret'
}
@test "treats top-level configuration as section-less" {
expect_environment_to_ini_call
write_mounted_file "inlines" "_generals_" "$(cat << EOF
APP_NAME=Hello top-level configuration
RUN_MODE=dev
EOF
)"
run execute_test_script
assert_success
assert_line '+GITEA____APP_NAME=Hello top-level configuration'
assert_line '+GITEA____RUN_MODE=dev'
}
@test "fails on invalid setting" {
write_mounted_file "inlines" "_generals_" "$(cat << EOF
some random invalid string
EOF
)"
run execute_test_script
assert_failure
}
@test "treats empty setting name as invalid setting" {
write_mounted_file "inlines" "_generals_" "$(cat << EOF
=value
EOF
)"
run execute_test_script
assert_failure
}

17
unittests/deployment/basic.yaml Normal file
View File

@ -0,0 +1,17 @@
suite: deployment template (basic)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/deployment.yaml
- templates/gitea/config.yaml
tests:
- it: renders a deployment
template: templates/gitea/deployment.yaml
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: Deployment
apiVersion: apps/v1
name: gitea-unittests

0
unittests/helm/deployment/signing-disabled.yaml → unittests/deployment/signing-disabled.yaml
View File

6
unittests/helm/deployment/signing-enabled.yaml → unittests/deployment/signing-enabled.yaml
View File

@ -18,7 +18,7 @@ tests:
value: configure-gpg value: configure-gpg
- equal: - equal:
path: spec.template.spec.initContainers[2].command path: spec.template.spec.initContainers[2].command
value: ["/usr/sbinx/configure_gpg_environment.sh"] value: ["/usr/sbin/configure_gpg_environment.sh"]
- equal: - equal:
path: spec.template.spec.initContainers[2].securityContext path: spec.template.spec.initContainers[2].securityContext
value: value:
@ -28,13 +28,11 @@ tests:
value: value:
- name: GNUPGHOME - name: GNUPGHOME
value: /data/git/.gnupg value: /data/git/.gnupg
- name: TMP_RAW_GPG_KEY
value: /raw/private.asc
- equal: - equal:
path: spec.template.spec.initContainers[2].volumeMounts path: spec.template.spec.initContainers[2].volumeMounts
value: value:
- name: init - name: init
mountPath: /usr/sbinx mountPath: /usr/sbin
- name: data - name: data
mountPath: /data mountPath: /data
- name: gpg-private-key - name: gpg-private-key

24
unittests/helm/deployment/ssh-configuration.yaml → unittests/deployment/ssh-configuration.yaml
View File

@ -27,18 +27,6 @@ tests:
content: content:
name: SSH_LOG_LEVEL name: SSH_LOG_LEVEL
value: "DEBUG" value: "DEBUG"
- it: supports overriding SSH log level (even when image.fullOverride set)
template: templates/gitea/deployment.yaml
set:
image.fullOverride: docker.gitea.com/gitea:1.19.3
image.rootless: false
gitea.ssh.logLevel: "DEBUG"
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: SSH_LOG_LEVEL
value: "DEBUG"
- it: skips SSH_LOG_LEVEL for rootless image - it: skips SSH_LOG_LEVEL for rootless image
template: templates/gitea/deployment.yaml template: templates/gitea/deployment.yaml
set: set:
@ -50,15 +38,3 @@ tests:
any: true any: true
content: content:
name: SSH_LOG_LEVEL name: SSH_LOG_LEVEL
- it: skips SSH_LOG_LEVEL for rootless image (even when image.fullOverride set)
template: templates/gitea/deployment.yaml
set:
image.fullOverride: docker.gitea.com/gitea:1.19.3
image.rootless: true
gitea.ssh.logLevel: "DEBUG" # explicitly defining a non-standard level here
asserts:
- notContains:
path: spec.template.spec.containers[0].env
any: true
content:
name: SSH_LOG_LEVEL

0
unittests/helm/gpg-secret/signing-disabled.yaml → unittests/gpg-secret/signing-disabled.yaml
View File

2
unittests/helm/gpg-secret/signing-enabled.yaml → unittests/gpg-secret/signing-enabled.yaml
View File

@ -33,7 +33,7 @@ tests:
kind: Secret kind: Secret
apiVersion: v1 apiVersion: v1
name: gitea-unittests-gpg-key name: gitea-unittests-gpg-key
- isNotNullOrEmpty: - isNotEmpty:
path: metadata.labels path: metadata.labels
- equal: - equal:
path: data.privateKey path: data.privateKey

12
unittests/helm/check-actions-not-present.yaml
View File

@ -1,12 +0,0 @@
suite: Check if actions raises an error
release:
name: gitea-unittests
namespace: testing
tests:
- it: fails when trying to configure actions due to removal
set:
actions:
enabled: true
asserts:
- failedTemplate:
errorMessage: The actions sub-chart has been outsourced to a dedicated chart available at https://gitea.com/gitea/helm-actions. For assistance with the migration process, check https://gitea.com/gitea/helm-actions/issues/9.

24
unittests/helm/config/actions-config.yaml
View File

@ -1,24 +0,0 @@
suite: config template | actions config
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/config.yaml
tests:
- it: "actions are enabled by default (based on vanilla Gitea behavior)"
template: templates/gitea/config.yaml
asserts:
- documentIndex: 0
notExists:
path: stringData.actions
- it: "actions can be disabled via inline config"
template: templates/gitea/config.yaml
set:
gitea.config.actions.ENABLED: false
asserts:
- documentIndex: 0
equal:
path: stringData.actions
value: |-
ENABLED=false

66
unittests/helm/config/cache-config.yaml
View File

@ -1,66 +0,0 @@
suite: config template | cache config
release:
name: gitea-unittests
namespace: testing
tests:
- it: "cache is configured correctly for valkey-cluster"
template: templates/gitea/config.yaml
set:
valkey-cluster:
enabled: true
valkey:
enabled: false
asserts:
- documentIndex: 0
equal:
path: stringData.cache
value: |-
ADAPTER=redis
HOST=redis+cluster://:@gitea-unittests-valkey-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
- it: "cache is configured correctly for valkey"
template: templates/gitea/config.yaml
set:
valkey-cluster:
enabled: false
valkey:
enabled: true
asserts:
- documentIndex: 0
equal:
path: stringData.cache
value: |-
ADAPTER=redis
HOST=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
- it: "cache is configured correctly for 'memory' when valkey (or valkey-cluster) is disabled"
template: templates/gitea/config.yaml
set:
valkey-cluster:
enabled: false
valkey:
enabled: false
asserts:
- documentIndex: 0
equal:
path: stringData.cache
value: |-
ADAPTER=memory
HOST=
- it: "cache can be customized when valkey (or valkey-cluster) is disabled"
template: templates/gitea/config.yaml
set:
valkey-cluster:
enabled: false
valkey:
enabled: false
gitea.config.cache.ADAPTER: custom-adapter
gitea.config.cache.HOST: custom-host
asserts:
- documentIndex: 0
equal:
path: stringData.cache
value: |-
ADAPTER=custom-adapter
HOST=custom-host

58
unittests/helm/config/metrics-section_metrics-token.yaml
View File

@ -1,58 +0,0 @@
suite: config template | metrics section (metrics token)
release:
name: gitea-unittests
namespace: testing
tests:
- it: metrics token is set
template: templates/gitea/config.yaml
set:
gitea:
metrics:
enabled: true
token: "somepassword"
asserts:
- documentIndex: 0
equal:
path: stringData.metrics
value: |-
ENABLED=true
TOKEN=somepassword
- it: metrics token is empty
template: templates/gitea/config.yaml
set:
gitea:
metrics:
enabled: true
token: ""
asserts:
- documentIndex: 0
equal:
path: stringData.metrics
value: |-
ENABLED=true
- it: metrics token is nil
template: templates/gitea/config.yaml
set:
gitea:
metrics:
enabled: true
token:
asserts:
- documentIndex: 0
equal:
path: stringData.metrics
value: |-
ENABLED=true
- it: does not configures a token if metrics are disabled
template: templates/gitea/config.yaml
set:
gitea:
metrics:
enabled: false
token: "somepassword"
asserts:
- documentIndex: 0
equal:
path: stringData.metrics
value: |-
ENABLED=false

66
unittests/helm/config/queue-config.yaml
View File

@ -1,66 +0,0 @@
suite: config template | queue config
release:
name: gitea-unittests
namespace: testing
tests:
- it: "queue is configured correctly for valkey-cluster"
template: templates/gitea/config.yaml
set:
valkey-cluster:
enabled: true
valkey:
enabled: false
asserts:
- documentIndex: 0
equal:
path: stringData.queue
value: |-
CONN_STR=redis+cluster://:@gitea-unittests-valkey-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
TYPE=redis
- it: "queue is configured correctly for valkey"
template: templates/gitea/config.yaml
set:
valkey-cluster:
enabled: false
valkey:
enabled: true
asserts:
- documentIndex: 0
equal:
path: stringData.queue
value: |-
CONN_STR=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
TYPE=redis
- it: "queue is configured correctly for 'levelDB' when valkey (and valkey-cluster) is disabled"
template: templates/gitea/config.yaml
set:
valkey-cluster:
enabled: false
valkey:
enabled: false
asserts:
- documentIndex: 0
equal:
path: stringData.queue
value: |-
CONN_STR=
TYPE=level
- it: "queue can be customized when valkey (and valkey-cluster) are disabled"
template: templates/gitea/config.yaml
set:
valkey-cluster:
enabled: false
valkey:
enabled: false
gitea.config.queue.TYPE: custom-type
gitea.config.queue.CONN_STR: custom-connection-string
asserts:
- documentIndex: 0
equal:
path: stringData.queue
value: |-
CONN_STR=custom-connection-string
TYPE=custom-type

67
unittests/helm/config/server-section_domain.yaml
View File

@ -1,67 +0,0 @@
suite: config template | server section (domain related)
release:
name: gitea-unittests
namespace: testing
tests:
- it: "[default values] uses ingress host for DOMAIN|SSH_DOMAIN|ROOT_URL"
template: templates/gitea/config.yaml
asserts:
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: \nDOMAIN=git.example.com
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: \nSSH_DOMAIN=git.example.com
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: \nROOT_URL=http://git.example.com
################################################
- it: "[no ingress hosts] uses gitea http service for DOMAIN|SSH_DOMAIN|ROOT_URL"
template: templates/gitea/config.yaml
set:
ingress:
hosts: []
asserts:
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: \nDOMAIN=gitea-unittests-http.testing.svc.cluster.local
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: \nSSH_DOMAIN=gitea-unittests-http.testing.svc.cluster.local
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: \nROOT_URL=http://gitea-unittests-http.testing.svc.cluster.local
################################################
- it: "[provided via values] uses that for DOMAIN|SSH_DOMAIN|ROOT_URL"
template: templates/gitea/config.yaml
set:
gitea.config.server.DOMAIN: provided.example.com
ingress:
hosts:
- host: non-used.example.com
paths:
- path: /
pathType: Prefix
asserts:
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: \nDOMAIN=provided.example.com
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: \nSSH_DOMAIN=provided.example.com
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: \nROOT_URL=http://provided.example.com

66
unittests/helm/config/session-config.yaml
View File

@ -1,66 +0,0 @@
suite: config template | session config
release:
name: gitea-unittests
namespace: testing
tests:
- it: "session is configured correctly for valkey-cluster"
template: templates/gitea/config.yaml
set:
valkey-cluster:
enabled: true
valkey:
enabled: false
asserts:
- documentIndex: 0
equal:
path: stringData.session
value: |-
PROVIDER=redis
PROVIDER_CONFIG=redis+cluster://:@gitea-unittests-valkey-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
- it: "session is configured correctly for valkey"
template: templates/gitea/config.yaml
set:
valkey-cluster:
enabled: false
valkey:
enabled: true
asserts:
- documentIndex: 0
equal:
path: stringData.session
value: |-
PROVIDER=redis
PROVIDER_CONFIG=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
- it: "session is configured correctly for 'memory' when valkey (and valkey-cluster) is disabled"
template: templates/gitea/config.yaml
set:
valkey-cluster:
enabled: false
valkey:
enabled: false
asserts:
- documentIndex: 0
equal:
path: stringData.session
value: |-
PROVIDER=memory
PROVIDER_CONFIG=
- it: "session can be customized when valkey (and valkey-cluster) is disabled"
template: templates/gitea/config.yaml
set:
valkey-cluster:
enabled: false
valkey:
enabled: false
gitea.config.session.PROVIDER: custom-provider
gitea.config.session.PROVIDER_CONFIG: custom-provider-config
asserts:
- documentIndex: 0
equal:
path: stringData.session
value: |-
PROVIDER=custom-provider
PROVIDER_CONFIG=custom-provider-config

121
unittests/helm/dependency-checks/customization-integrity-postgresql-ha.yaml
View File

@ -1,121 +0,0 @@
suite: Dependency checks | Customization integrity | postgresql-ha
release:
name: gitea-unittests
namespace: testing
set:
postgresql:
enabled: false
postgresql-ha:
enabled: true
global:
postgresql:
database: gitea-database
password: gitea-password
username: gitea-username
postgresql:
repmgrPassword: custom-password-repmgr
postgresPassword: custom-password-postgres
password: custom-password-overwritten-by-global-postgresql-password
pgpool:
adminPassword: custom-password-pgpool
service:
ports:
postgresql: 1234
persistence:
size: 1337Mi
tests:
- it: "[postgresql-ha] DB settings are applied as expected"
template: charts/postgresql-ha/templates/postgresql/statefulset.yaml
asserts:
- documentIndex: 0
contains:
path: spec.template.spec.containers[0].env
content:
name: POSTGRES_DB
value: "gitea-database"
- documentIndex: 0
contains:
path: spec.template.spec.containers[0].env
content:
name: POSTGRES_USER
value: "gitea-username"
- it: "[postgresql-ha] DB passwords are applied as expected"
template: charts/postgresql-ha/templates/postgresql/secrets.yaml
asserts:
- documentIndex: 0
equal:
path: data["repmgr-password"]
value: "Y3VzdG9tLXBhc3N3b3JkLXJlcG1ncg=="
- documentIndex: 0
equal:
path: data["postgres-password"]
value: "Y3VzdG9tLXBhc3N3b3JkLXBvc3RncmVz"
- documentIndex: 0
equal:
path: data["password"]
value: "Z2l0ZWEtcGFzc3dvcmQ=" # postgresql-ha.postgresql.password is overwritten by postgresql-ha.global.postgresql.password and should not be referenced here
- it: "[postgresql-ha] pgpool.adminPassword is applied as expected"
template: charts/postgresql-ha/templates/pgpool/secrets.yaml
asserts:
- documentIndex: 0
equal:
path: data["admin-password"]
value: "Y3VzdG9tLXBhc3N3b3JkLXBncG9vbA=="
- it: "[postgresql-ha] pgpool.adminPassword is applied as expected"
template: charts/postgresql-ha/templates/pgpool/secrets.yaml
asserts:
- documentIndex: 0
equal:
path: data["admin-password"]
value: "Y3VzdG9tLXBhc3N3b3JkLXBncG9vbA=="
- it: "[postgresql-ha] pgpool.adminPassword is applied as expected"
template: charts/postgresql-ha/templates/pgpool/secrets.yaml
asserts:
- documentIndex: 0
equal:
path: data["admin-password"]
value: "Y3VzdG9tLXBhc3N3b3JkLXBncG9vbA=="
- it: "[postgresql-ha] persistence.size is applied as expected"
template: charts/postgresql-ha/templates/postgresql/statefulset.yaml
asserts:
- documentIndex: 0
equal:
path: spec.volumeClaimTemplates[0].spec.resources.requests.storage
value: "1337Mi"
- it: "[postgresql-ha] service.ports.postgresql is applied as expected"
template: charts/postgresql-ha/templates/pgpool/service.yaml
asserts:
- documentIndex: 0
equal:
path: spec.ports[0].port
value: 1234
- it: "[postgresql-ha] renders the referenced service"
template: charts/postgresql-ha/templates/pgpool/service.yaml
asserts:
- containsDocument:
kind: Service
apiVersion: v1
name: gitea-unittests-postgresql-ha-pgpool
namespace: testing
- it: "[gitea] connects to pgpool service"
template: templates/gitea/config.yaml
asserts:
- documentIndex: 0
matchRegex:
path: stringData.database
pattern: HOST=gitea-unittests-postgresql-ha-pgpool.testing.svc.cluster.local:1234
- it: "[gitea] connects to configured database"
template: templates/gitea/config.yaml
asserts:
- documentIndex: 0
matchRegex:
path: stringData.database
pattern: NAME=gitea-database
- documentIndex: 0
matchRegex:
path: stringData.database
pattern: USER=gitea-username
- documentIndex: 0
matchRegex:
path: stringData.database
pattern: PASSWD=gitea-password

88
unittests/helm/dependency-checks/customization-integrity-postgresql.yaml
View File

@ -1,88 +0,0 @@
suite: Dependency checks | Customization integrity | postgresql
release:
name: gitea-unittests
namespace: testing
set:
postgresql-ha:
enabled: false
postgresql:
enabled: true
global:
postgresql:
auth:
password: gitea-password
database: gitea-database
username: gitea-username
service:
ports:
postgresql: 1234
primary:
persistence:
size: 1337Mi
tests:
- it: "[postgresql] DB settings are applied as expected"
template: charts/postgresql/templates/primary/statefulset.yaml
asserts:
- documentIndex: 0
contains:
path: spec.template.spec.containers[0].env
content:
name: POSTGRES_DATABASE
value: "gitea-database"
- documentIndex: 0
contains:
path: spec.template.spec.containers[0].env
content:
name: POSTGRES_USER
value: "gitea-username"
- it: "[postgresql] DB password is applied as expected"
template: charts/postgresql/templates/secrets.yaml
asserts:
- documentIndex: 0
equal:
path: data["password"]
value: "Z2l0ZWEtcGFzc3dvcmQ="
- it: "[postgresql] primary.persistence.size is applied as expected"
template: charts/postgresql/templates/primary/statefulset.yaml
asserts:
- documentIndex: 0
equal:
path: spec.volumeClaimTemplates[0].spec.resources.requests.storage
value: "1337Mi"
- it: "[postgresql] global.postgresql.service.ports.postgresql is applied as expected"
template: charts/postgresql/templates/primary/svc.yaml
asserts:
- documentIndex: 0
equal:
path: spec.ports[0].port
value: 1234
- it: "[postgresql] renders the referenced service"
template: charts/postgresql/templates/primary/svc.yaml
asserts:
- containsDocument:
kind: Service
apiVersion: v1
name: gitea-unittests-postgresql
namespace: testing
- it: "[gitea] connects to postgresql service"
template: templates/gitea/config.yaml
asserts:
- documentIndex: 0
matchRegex:
path: stringData.database
pattern: HOST=gitea-unittests-postgresql.testing.svc.cluster.local:1234
- it: "[gitea] connects to configured database"
template: templates/gitea/config.yaml
asserts:
- documentIndex: 0
matchRegex:
path: stringData.database
pattern: NAME=gitea-database
- documentIndex: 0
matchRegex:
path: stringData.database
pattern: USER=gitea-username
- documentIndex: 0
matchRegex:
path: stringData.database
pattern: PASSWD=gitea-password

90
unittests/helm/dependency-checks/customization-integrity-valkey-cluster.yaml
View File

@ -1,90 +0,0 @@
suite: Dependency checks | Customization integrity | valkey-cluster
release:
name: gitea-unittests
namespace: testing
set:
valkey:
enabled: false
valkey-cluster:
enabled: true
usePassword: false
cluster:
nodes: 5
replicas: 2
tests:
- it: "[valkey-cluster] configures correct nodes/replicas"
template: charts/valkey-cluster/templates/valkey-statefulset.yaml
asserts:
- documentIndex: 0
equal:
path: spec.replicas
value: 5
- documentIndex: 0
matchRegex:
path: spec.template.spec.containers[0].args[0]
pattern: VALKEY_CLUSTER_REPLICAS="2"
- it: "[valkey-cluster] support auth-less connections"
asserts:
- template: charts/valkey-cluster/templates/secret.yaml
hasDocuments:
count: 0
- template: charts/valkey-cluster/templates/valkey-statefulset.yaml
documentIndex: 0
contains:
path: spec.template.spec.containers[0].env
content:
name: ALLOW_EMPTY_PASSWORD
value: "yes"
- it: "[valkey-cluster] support auth-full connections"
set:
valkey-cluster:
usePassword: true
asserts:
- template: charts/valkey-cluster/templates/secret.yaml
containsDocument:
kind: Secret
apiVersion: v1
name: gitea-unittests-valkey-cluster
namespace: testing
- template: charts/valkey-cluster/templates/valkey-statefulset.yaml
documentIndex: 0
contains:
path: spec.template.spec.containers[0].env
content:
name: REDISCLI_AUTH
valueFrom:
secretKeyRef:
name: gitea-unittests-valkey-cluster
key: valkey-password
- template: charts/valkey-cluster/templates/valkey-statefulset.yaml
documentIndex: 0
contains:
path: spec.template.spec.containers[0].env
content:
name: REDISCLI_AUTH
valueFrom:
secretKeyRef:
name: gitea-unittests-valkey-cluster
key: valkey-password
- it: "[valkey-cluster] renders the referenced service"
template: charts/valkey-cluster/templates/headless-svc.yaml
asserts:
- containsDocument:
kind: Service
apiVersion: v1
name: gitea-unittests-valkey-cluster-headless
namespace: testing
- documentIndex: 0
contains:
path: spec.ports
content:
name: tcp-redis
port: 6379
targetPort: tcp-redis
- it: "[gitea] waits for valkey-cluster to be up and running"
template: templates/gitea/init.yaml
asserts:
- documentIndex: 0
matchRegex:
path: stringData["configure_gitea.sh"]
pattern: nc -vz -w2 gitea-unittests-valkey-cluster-headless.testing.svc.cluster.local 6379

52
unittests/helm/dependency-checks/customization-integrity-valkey.yaml
View File

@ -1,52 +0,0 @@
suite: Dependency checks | Customization integrity | valkey
release:
name: gitea-unittests
namespace: testing
set:
valkey-cluster:
enabled: false
valkey:
enabled: true
architecture: standalone
global:
valkey:
password: gitea-password
master:
count: 2
tests:
- it: "[valkey] configures correct 'master' nodes"
template: charts/valkey/templates/primary/application.yaml
asserts:
- documentIndex: 0
equal:
path: spec.replicas
value: 1
- it: "[valkey] valkey.global.valkey.password is applied as expected"
template: charts/valkey/templates/secret.yaml
asserts:
- documentIndex: 0
equal:
path: data["valkey-password"]
value: "Z2l0ZWEtcGFzc3dvcmQ="
- it: "[valkey] renders the referenced service"
template: charts/valkey/templates/headless-svc.yaml
asserts:
- containsDocument:
kind: Service
apiVersion: v1
name: gitea-unittests-valkey-headless
namespace: testing
- documentIndex: 0
contains:
path: spec.ports
content:
name: tcp-redis
port: 6379
targetPort: redis
- it: "[gitea] waits for valkey to be up and running"
template: templates/gitea/init.yaml
asserts:
- documentIndex: 0
matchRegex:
path: stringData["configure_gitea.sh"]
pattern: nc -vz -w2 gitea-unittests-valkey-headless.testing.svc.cluster.local 6379

57
unittests/helm/dependency-checks/major-image-bump.yaml
View File

@ -1,57 +0,0 @@
suite: Dependency checks | Major image bumps
release:
name: gitea-unittests
namespace: testing
tests:
- it: "[postgresql-ha] ensures we detect major image version upgrades"
template: charts/postgresql-ha/templates/postgresql/statefulset.yaml
set:
postgresql:
enabled: false
postgresql-ha:
enabled: true
asserts:
- documentIndex: 0
matchRegex:
path: spec.template.spec.containers[0].image
# IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
pattern: bitnami/postgresql-repmgr:17.+$
- it: "[postgresql] ensures we detect major image version upgrades"
template: charts/postgresql/templates/primary/statefulset.yaml
set:
postgresql:
enabled: true
postgresql-ha:
enabled: false
asserts:
- documentIndex: 0
matchRegex:
path: spec.template.spec.containers[0].image
# IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
pattern: bitnami/postgresql:17.+$
- it: "[valkey-cluster] ensures we detect major image version upgrades"
template: charts/valkey-cluster/templates/valkey-statefulset.yaml
set:
valkey-cluster:
enabled: true
valkey:
enabled: false
asserts:
- documentIndex: 0
matchRegex:
path: spec.template.spec.containers[0].image
# IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
pattern: bitnami/valkey-cluster:8.+$
- it: "[valkey] ensures we detect major image version upgrades"
template: charts/valkey/templates/primary/application.yaml
set:
valkey-cluster:
enabled: false
valkey:
enabled: true
asserts:
- documentIndex: 0
matchRegex:
path: spec.template.spec.containers[0].image
# IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
pattern: bitnami/valkey:8.+$

59
unittests/helm/deployment/HA.yaml
View File

@ -1,59 +0,0 @@
suite: deployment template (HA)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/deployment.yaml
- templates/gitea/config.yaml
tests:
- it: fails with multiple replicas and "GIT_GC_REPOS" enabled
template: templates/gitea/deployment.yaml
set:
replicaCount: 2
persistence:
accessModes:
- ReadWriteMany
gitea:
config:
cron:
GIT_GC_REPOS:
ENABLED: true
asserts:
- failedTemplate:
errorMessage: "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'gitea.config.cron.GIT_GC_REPOS.enabled = false'."
- it: fails with multiple replicas and RWX file system not set
template: templates/gitea/deployment.yaml
set:
replicaCount: 2
asserts:
- failedTemplate:
errorMessage: "When using multiple replicas, a RWX file system is required and persistence.accessModes[0] must be set to ReadWriteMany."
- it: fails with multiple replicas and bleve issue indexer
template: templates/gitea/deployment.yaml
set:
replicaCount: 2
persistence:
accessModes:
- ReadWriteMany
gitea:
config:
indexer:
ISSUE_INDEXER_TYPE: bleve
asserts:
- failedTemplate:
errorMessage: "When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)."
- it: fails with multiple replicas and bleve repo indexer
template: templates/gitea/deployment.yaml
set:
replicaCount: 2
persistence:
accessModes:
- ReadWriteMany
gitea:
config:
indexer:
REPO_INDEXER_TYPE: bleve
REPO_INDEXER_ENABLED: true
asserts:
- failedTemplate:
errorMessage: "When using multiple replicas, the repo indexer (gitea.config.indexer.REPO_INDEXER_TYPE) must be set to 'meilisearch' or 'elasticsearch' or disabled."

95
unittests/helm/deployment/basic.yaml
View File

@ -1,95 +0,0 @@
suite: deployment template (basic)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/deployment.yaml
- templates/gitea/config.yaml
tests:
- it: renders a deployment
template: templates/gitea/deployment.yaml
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: Deployment
apiVersion: apps/v1
name: gitea-unittests
- it: deployment labels are set
template: templates/gitea/deployment.yaml
set:
deployment.labels:
hello: world
asserts:
- isSubset:
path: metadata.labels
content:
hello: world
- isSubset:
path: spec.template.metadata.labels
content:
hello: world
- it: "injects TMP_EXISTING_ENVS_FILE as environment variable to 'init-app-ini' init container"
template: templates/gitea/deployment.yaml
asserts:
- contains:
path: spec.template.spec.initContainers[1].env
content:
name: TMP_EXISTING_ENVS_FILE
value: /tmp/existing-envs
- it: "injects ENV_TO_INI_MOUNT_POINT as environment variable to 'init-app-ini' init container"
template: templates/gitea/deployment.yaml
asserts:
- contains:
path: spec.template.spec.initContainers[1].env
content:
name: ENV_TO_INI_MOUNT_POINT
value: /env-to-ini-mounts
- it: CPU resources are defined as well as GOMAXPROCS
template: templates/gitea/deployment.yaml
set:
resources:
limits:
cpu: 200ms
memory: 200Mi
requests:
cpu: 100ms
memory: 100Mi
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: GOMAXPROCS
valueFrom:
resourceFieldRef:
divisor: "1"
resource: limits.cpu
- equal:
path: spec.template.spec.containers[0].resources
value:
limits:
cpu: 200ms
memory: 200Mi
requests:
cpu: 100ms
memory: 100Mi
- it: Init containers have correct volumeMount path
template: templates/gitea/deployment.yaml
set:
initContainersScriptsVolumeMountPath: "/custom/init/path"
asserts:
- equal:
path: spec.template.spec.initContainers[*].volumeMounts[?(@.name=="init")].mountPath
value: "/custom/init/path"
- equal:
path: spec.template.spec.initContainers[*].volumeMounts[?(@.name=="config")].mountPath
value: "/custom/init/path"
- it: Init containers have correct volumeMount path if there is no override
template: templates/gitea/deployment.yaml
asserts:
- equal:
path: spec.template.spec.initContainers[*].volumeMounts[?(@.name=="init")].mountPath
value: "/usr/sbinx"
- equal:
path: spec.template.spec.initContainers[*].volumeMounts[?(@.name=="config")].mountPath
value: "/usr/sbinx"

150
unittests/helm/deployment/deployment-additional-config.yaml
View File

@ -1,150 +0,0 @@
suite: deployment template
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/deployment.yaml
- templates/gitea/config.yaml
tests:
- it: Renders a deployment
template: templates/gitea/deployment.yaml
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: Deployment
apiVersion: apps/v1
name: gitea-unittests
- it: Deployment with empty additionalConfigFromEnvs
template: templates/gitea/deployment.yaml
set:
gitea.additionalConfigFromEnvs: []
asserts:
- hasDocuments:
count: 1
- exists:
path: spec.template.spec.initContainers[1].env
- lengthEqual:
path: spec.template.spec.initContainers[1].env
count: 6
- isSubset:
path: spec.template.spec.initContainers[1]
content:
env:
- name: GITEA_APP_INI
value: /data/gitea/conf/app.ini
- name: GITEA_CUSTOM
value: /data/gitea
- name: GITEA_WORK_DIR
value: /data
- name: GITEA_TEMP
value: /tmp/gitea
- name: TMP_EXISTING_ENVS_FILE
value: /tmp/existing-envs
- name: ENV_TO_INI_MOUNT_POINT
value: /env-to-ini-mounts
- it: Deployment with standard additionalConfigFromEnvs
template: templates/gitea/deployment.yaml
set:
gitea.additionalConfigFromEnvs: [{name: GITEA_database_HOST, value: my-db:123}, {name: GITEA_database_USER, value: my-user}]
asserts:
- hasDocuments:
count: 1
- exists:
path: spec.template.spec.initContainers[1].env
- lengthEqual:
path: spec.template.spec.initContainers[1].env
count: 8
- isSubset:
path: spec.template.spec.initContainers[1]
content:
env:
- name: GITEA_APP_INI
value: /data/gitea/conf/app.ini
- name: GITEA_CUSTOM
value: /data/gitea
- name: GITEA_WORK_DIR
value: /data
- name: GITEA_TEMP
value: /tmp/gitea
- name: TMP_EXISTING_ENVS_FILE
value: /tmp/existing-envs
- name: ENV_TO_INI_MOUNT_POINT
value: /env-to-ini-mounts
- name: GITEA_database_HOST
value: my-db:123
- name: GITEA_database_USER
value: my-user
- it: Deployment with templated additionalConfigFromEnvs
template: templates/gitea/deployment.yaml
set:
gitea.misc.host: my-db-host:321
gitea.misc.user: my-db-user
gitea.additionalConfigFromEnvs: [{name: GITEA_database_HOST, value: "{{ .Values.gitea.misc.host }}"}, {name: GITEA_database_USER, value: "{{ .Values.gitea.misc.user }}"}]
asserts:
- hasDocuments:
count: 1
- exists:
path: spec.template.spec.initContainers[1].env
- lengthEqual:
path: spec.template.spec.initContainers[1].env
count: 8
- isSubset:
path: spec.template.spec.initContainers[1]
content:
env:
- name: GITEA_APP_INI
value: /data/gitea/conf/app.ini
- name: GITEA_CUSTOM
value: /data/gitea
- name: GITEA_WORK_DIR
value: /data
- name: GITEA_TEMP
value: /tmp/gitea
- name: TMP_EXISTING_ENVS_FILE
value: /tmp/existing-envs
- name: ENV_TO_INI_MOUNT_POINT
value: /env-to-ini-mounts
- name: GITEA_database_HOST
value: my-db-host:321
- name: GITEA_database_USER
value: my-db-user
- it: Deployment with additionalConfigFromEnvs templated secret name
template: templates/gitea/deployment.yaml
set:
gitea.misc.existingSecret: my-db-secret
gitea.additionalConfigFromEnvs[0]:
name: GITEA_database_HOST
valueFrom:
secretKeyRef:
name: "{{ .Values.gitea.misc.existingSecret }}"
key: password
asserts:
- hasDocuments:
count: 1
- exists:
path: spec.template.spec.initContainers[1].env
- lengthEqual:
path: spec.template.spec.initContainers[1].env
count: 7
- isSubset:
path: spec.template.spec.initContainers[1]
content:
env:
- name: GITEA_APP_INI
value: /data/gitea/conf/app.ini
- name: GITEA_CUSTOM
value: /data/gitea
- name: GITEA_WORK_DIR
value: /data
- name: GITEA_TEMP
value: /tmp/gitea
- name: TMP_EXISTING_ENVS_FILE
value: /tmp/existing-envs
- name: ENV_TO_INI_MOUNT_POINT
value: /env-to-ini-mounts
- name: GITEA_database_HOST
valueFrom:
secretKeyRef:
name: "my-db-secret"
key: password

110
unittests/helm/deployment/image-configuration.yaml
View File

@ -1,110 +0,0 @@
suite: deployment template (image configuration)
release:
name: gitea-unittests
namespace: testing
chart:
# Override appVersion to be consistent with used digest :)
appVersion: 1.19.3
templates:
- templates/gitea/deployment.yaml
- templates/gitea/config.yaml
tests:
- it: default values
template: templates/gitea/deployment.yaml
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: "docker.gitea.com/gitea:1.19.3-rootless"
- it: tag override
template: templates/gitea/deployment.yaml
set:
image.tag: "1.19.4"
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: "docker.gitea.com/gitea:1.19.4-rootless"
- it: root-based image
template: templates/gitea/deployment.yaml
set:
image.rootless: false
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: "docker.gitea.com/gitea:1.19.3"
- it: scoped registry
template: templates/gitea/deployment.yaml
set:
image.registry: "example.com"
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: "example.com/gitea:1.19.3-rootless"
- it: global registry
template: templates/gitea/deployment.yaml
set:
global.imageRegistry: "global.example.com"
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: "global.example.com/gitea:1.19.3-rootless"
- it: digest for rootless image
template: templates/gitea/deployment.yaml
set:
image:
rootless: true
digest: sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: "docker.gitea.com/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
- it: image fullOverride (does not append rootless)
template: templates/gitea/deployment.yaml
set:
image:
fullOverride: docker.gitea.com/gitea:1.19.3
# setting rootless, registry, repository, tag, and digest to prove that override works
rootless: true
registry: example.com
repository: example/image
tag: "1.0.0"
digest: sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: "docker.gitea.com/gitea:1.19.3"
- it: digest for root-based image
template: templates/gitea/deployment.yaml
set:
image:
rootless: false
digest: sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: "docker.gitea.com/gitea:1.19.3@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
- it: digest and global registry
template: templates/gitea/deployment.yaml
set:
global.imageRegistry: "global.example.com"
image.digest: "sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: "global.example.com/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
- it: correctly renders floating tag references
template: templates/gitea/deployment.yaml
set:
image.tag: 1.21 # use non-quoted value on purpose. See: https://gitea.com/gitea/helm-gitea/issues/631
asserts:
- equal:
path: spec.template.spec.initContainers[0].image
value: "docker.gitea.com/gitea:1.21-rootless"
- equal:
path: spec.template.spec.initContainers[1].image
value: "docker.gitea.com/gitea:1.21-rootless"
- equal:
path: spec.template.spec.initContainers[2].image
value: "docker.gitea.com/gitea:1.21-rootless"
- equal:
path: spec.template.spec.containers[0].image
value: "docker.gitea.com/gitea:1.21-rootless"

45
unittests/helm/deployment/ingress-configuration.yaml
View File

@ -1,45 +0,0 @@
suite: Test ingress tpl use
templates:
- templates/gitea/ingress.yaml
tests:
- it: Ingress Class using TPL
set:
global.ingress.className: "ingress-class"
ingress.className: "{{ .Values.global.ingress.className }}"
ingress.enabled: true
ingress.hosts[0].host: "some-host"
ingress.tls:
- secretName: gitea-tls
hosts:
- "some-host"
asserts:
- isKind:
of: Ingress
- equal:
path: spec.tls[0].hosts[0]
value: "some-host"
- equal:
path: spec.rules[0].host
value: "some-host"
- equal:
path: spec.ingressClassName
value: "ingress-class"
- it: hostname using TPL
set:
global.giteaHostName: "gitea.example.com"
ingress.enabled: true
ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}"
ingress.tls:
- secretName: gitea-tls
hosts:
- "{{ .Values.global.giteaHostName }}"
asserts:
- isKind:
of: Ingress
- equal:
path: spec.tls[0].hosts[0]
value: "gitea.example.com"
- equal:
path: spec.rules[0].host
value: "gitea.example.com"

33
unittests/helm/deployment/inline-config.yaml
View File

@ -1,33 +0,0 @@
suite: config template
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/config.yaml
tests:
- it: inline config stringData.server using TPL
set:
global.giteaHostName: "gitea.example.com"
ingress.enabled: true
ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}"
ingress.tls:
- secretName: gitea-tls
hosts:
- "{{ .Values.global.giteaHostName }}"
asserts:
- documentIndex: 0
matchRegex:
path: metadata.name
pattern: .*-inline-config$
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: DOMAIN=gitea\.example\.com
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: ROOT_URL=https://gitea\.example\.com
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: SSH_DOMAIN=gitea\.example\.com

188
unittests/helm/deployment/probes.yaml
View File

@ -1,188 +0,0 @@
suite: deployment template (probes)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/deployment.yaml
- templates/gitea/config.yaml
tests:
- it: renders default liveness probe
template: templates/gitea/deployment.yaml
asserts:
- notExists:
path: spec.template.spec.containers[0].livenessProbe.enabled
- isSubset:
path: spec.template.spec.containers[0].livenessProbe
content:
failureThreshold: 10
initialDelaySeconds: 200
periodSeconds: 10
successThreshold: 1
tcpSocket:
port: http
timeoutSeconds: 1
- it: renders default readiness probe
template: templates/gitea/deployment.yaml
asserts:
- notExists:
path: spec.template.spec.containers[0].readinessProbe.enabled
- isSubset:
path: spec.template.spec.containers[0].readinessProbe
content:
failureThreshold: 3
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
tcpSocket:
port: http
timeoutSeconds: 1
- it: does not render a default startup probe
template: templates/gitea/deployment.yaml
asserts:
- notExists:
path: spec.template.spec.containers[0].startupProbe
- it: allows enabling a startup probe
template: templates/gitea/deployment.yaml
set:
gitea.startupProbe.enabled: true
asserts:
- notExists:
path: spec.template.spec.containers[0].startupProbe.enabled
- isSubset:
path: spec.template.spec.containers[0].startupProbe
content:
failureThreshold: 10
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
tcpSocket:
port: http
timeoutSeconds: 1
- it: allows overwriting the default port of the liveness probe
template: templates/gitea/deployment.yaml
set:
gitea:
livenessProbe:
tcpSocket:
port: my-port
asserts:
- isSubset:
path: spec.template.spec.containers[0].livenessProbe
content:
tcpSocket:
port: my-port
- it: allows overwriting the default port of the readiness probe
template: templates/gitea/deployment.yaml
set:
gitea:
readinessProbe:
tcpSocket:
port: my-port
asserts:
- isSubset:
path: spec.template.spec.containers[0].readinessProbe
content:
tcpSocket:
port: my-port
- it: allows overwriting the default port of the startup probe
template: templates/gitea/deployment.yaml
set:
gitea:
startupProbe:
enabled: true
tcpSocket:
port: my-port
asserts:
- isSubset:
path: spec.template.spec.containers[0].startupProbe
content:
tcpSocket:
port: my-port
- it: allows using a non-default method as liveness probe
template: templates/gitea/deployment.yaml
set:
gitea:
livenessProbe:
httpGet:
path: /api/healthz
port: http
initialDelaySeconds: 13371
timeoutSeconds: 13372
periodSeconds: 13373
successThreshold: 13374
failureThreshold: 13375
asserts:
- notExists:
path: spec.template.spec.containers[0].livenessProbe.tcpSocket
- isSubset:
path: spec.template.spec.containers[0].livenessProbe
content:
failureThreshold: 13375
initialDelaySeconds: 13371
periodSeconds: 13373
successThreshold: 13374
httpGet:
path: /api/healthz
port: http
timeoutSeconds: 13372
- it: allows using a non-default method as readiness probe
template: templates/gitea/deployment.yaml
set:
gitea:
readinessProbe:
httpGet:
path: /api/healthz
port: http
initialDelaySeconds: 13371
timeoutSeconds: 13372
periodSeconds: 13373
successThreshold: 13374
failureThreshold: 13375
asserts:
- notExists:
path: spec.template.spec.containers[0].readinessProbe.tcpSocket
- isSubset:
path: spec.template.spec.containers[0].readinessProbe
content:
failureThreshold: 13375
initialDelaySeconds: 13371
periodSeconds: 13373
successThreshold: 13374
httpGet:
path: /api/healthz
port: http
timeoutSeconds: 13372
- it: allows using a non-default method as startup probe
template: templates/gitea/deployment.yaml
set:
gitea:
startupProbe:
enabled: true
httpGet:
path: /api/healthz
port: http
initialDelaySeconds: 13371
timeoutSeconds: 13372
periodSeconds: 13373
successThreshold: 13374
failureThreshold: 13375
asserts:
- notExists:
path: spec.template.spec.containers[0].startupProbe.tcpSocket
- isSubset:
path: spec.template.spec.containers[0].startupProbe
content:
failureThreshold: 13375
initialDelaySeconds: 13371
periodSeconds: 13373
successThreshold: 13374
httpGet:
path: /api/healthz
port: http
timeoutSeconds: 13372

21
unittests/helm/deployment/sidecar-container.yaml
View File

@ -1,21 +0,0 @@
suite: sidecar container
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/deployment.yaml
- templates/gitea/config.yaml
tests:
- it: supports adding a sidecar container
template: templates/gitea/deployment.yaml
set:
extraContainers:
- name: sidecar-bob
image: busybox
asserts:
- equal:
path: spec.template.spec.containers[1].name
value: "sidecar-bob"
- equal:
path: spec.template.spec.containers[1].image
value: "busybox"

39
unittests/helm/deployment/storage-class-configuration.yaml
View File

@ -1,39 +0,0 @@
# File: tests/gitea-storageclass-tests.yaml
suite: storage class configuration tests
release:
name: gitea-storageclass-tests
namespace: testing
templates:
- templates/gitea/pvc.yaml
tests:
- it: should set storageClassName when persistence.storageClass is defined
template: templates/gitea/pvc.yaml
set:
persistence.storageClass: "my-storage-class"
asserts:
- equal:
path: "spec.storageClassName"
value: "my-storage-class"
- it: should set global.storageClass when persistence.storageClass is not defined
template: templates/gitea/pvc.yaml
set:
global.storageClass: "default-storage-class"
asserts:
- equal:
path: spec.storageClassName
value: "default-storage-class"
- it: should set storageClassName when persistence.storageClass is defined and global.storageClass is defined
template: templates/gitea/pvc.yaml
set:
global.storageClass: "default-storage-class"
persistence.storageClass: "my-storage-class"
asserts:
- equal:
path: spec.storageClassName
value: "my-storage-class"

118
unittests/helm/deployment/svc-configuration.yaml
View File

@ -1,118 +0,0 @@
suite: ssh-svc / http-svc template (Services configuration)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/ssh-svc.yaml
- templates/gitea/http-svc.yaml
tests:
- it: supports adding custom labels to ssh-svc
template: templates/gitea/ssh-svc.yaml
set:
service:
ssh:
labels:
gitea/testkey: testvalue
asserts:
- equal:
path: metadata.labels["gitea/testkey"]
value: "testvalue"
- it: keeps existing labels (ssh)
template: templates/gitea/ssh-svc.yaml
set:
service:
ssh:
labels: {}
asserts:
- exists:
path: metadata.labels["app"]
- it: supports adding custom labels to http-svc
template: templates/gitea/http-svc.yaml
set:
service:
http:
labels:
gitea/testkey: testvalue
asserts:
- equal:
path: metadata.labels["gitea/testkey"]
value: "testvalue"
- it: keeps existing labels (http)
template: templates/gitea/http-svc.yaml
set:
service:
http:
labels: {}
asserts:
- exists:
path: metadata.labels["app"]
- it: render service.ssh.loadBalancerClass if set and type is LoadBalancer
template: templates/gitea/ssh-svc.yaml
set:
service:
ssh:
loadBalancerClass: "example.com/class"
type: LoadBalancer
loadBalancerIP: "1.2.3.4"
loadBalancerSourceRanges:
- "1.2.3.4/32"
- "5.6.7.8/32"
asserts:
- equal:
path: spec.loadBalancerClass
value: "example.com/class"
- equal:
path: spec.loadBalancerIP
value: "1.2.3.4"
- equal:
path: spec.loadBalancerSourceRanges
value: ["1.2.3.4/32", "5.6.7.8/32"]
- it: does not render when loadbalancer properties are set but type is not loadBalancerClass
template: templates/gitea/http-svc.yaml
set:
service:
http:
type: ClusterIP
loadBalancerClass: "example.com/class"
loadBalancerIP: "1.2.3.4"
loadBalancerSourceRanges:
- "1.2.3.4/32"
- "5.6.7.8/32"
asserts:
- notExists:
path: spec.loadBalancerClass
- notExists:
path: spec.loadBalancerIP
- notExists:
path: spec.loadBalancerSourceRanges
- it: does not render loadBalancerClass by default even when type is LoadBalancer
template: templates/gitea/http-svc.yaml
set:
service:
http:
type: LoadBalancer
loadBalancerIP: "1.2.3.4"
asserts:
- notExists:
path: spec.loadBalancerClass
- equal:
path: spec.loadBalancerIP
value: "1.2.3.4"
- it: both ssh and http services exist
templates:
- templates/gitea/ssh-svc.yaml
- templates/gitea/http-svc.yaml
asserts:
- matchRegex:
path: metadata.name
pattern: "^gitea-unittests-(?:ssh|http)$"
- matchRegex:
path: spec.ports[0].name
pattern: "^(?:ssh|http)$"

93
unittests/helm/ingress/basic.yaml
View File

@ -1,93 +0,0 @@
suite: Test ingress.yaml
templates:
- templates/gitea/ingress.yaml
tests:
- it: should enable ingress when ingress.enabled is true
set:
ingress.enabled: true
ingress.apiVersion: networking.k8s.io/v1
ingress.annotations:
kubernetes.io/ingress.class: nginx
ingress.className: nginx
ingress.tls:
- hosts:
- example.com
secretName: tls-secret
ingress.hosts:
- host: example.com
paths: ["/"]
asserts:
- hasDocuments:
count: 1
- isKind:
of: Ingress
- equal:
path: metadata.name
value: RELEASE-NAME-gitea
- matchRegex:
path: apiVersion
pattern: networking.k8s.io/v1
- equal:
path: spec.ingressClassName
value: nginx
- equal:
path: spec.rules[0].host
value: "example.com"
- equal:
path: spec.tls[0].hosts[0]
value: "example.com"
- equal:
path: spec.tls[0].secretName
value: tls-secret
- equal:
path: metadata.annotations["kubernetes.io/ingress.class"]
value: nginx
- it: should not create ingress when ingress.enabled is false
set:
ingress.enabled: false
asserts:
- hasDocuments:
count: 0
- it: Ingress Class using TPL
set:
global.ingress.className: "ingress-class"
ingress.className: "{{ .Values.global.ingress.className }}"
ingress.enabled: true
ingress.hosts[0].host: "some-host"
ingress.tls:
- secretName: gitea-tls
hosts:
- "some-host"
asserts:
- isKind:
of: Ingress
- equal:
path: spec.tls[0].hosts[0]
value: "some-host"
- equal:
path: spec.rules[0].host
value: "some-host"
- equal:
path: spec.ingressClassName
value: "ingress-class"
- it: hostname using TPL
set:
global.giteaHostName: "gitea.example.com"
ingress.enabled: true
ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}"
ingress.tls:
- secretName: gitea-tls
hosts:
- "{{ .Values.global.giteaHostName }}"
asserts:
- isKind:
of: Ingress
- equal:
path: spec.tls[0].hosts[0]
value: "gitea.example.com"
- equal:
path: spec.rules[0].host
value: "gitea.example.com"

23
unittests/helm/ingress/implicit-defaults.yaml
View File

@ -1,23 +0,0 @@
suite: Test ingress with implicit path defaults
templates:
- templates/gitea/ingress.yaml
tests:
- it: should use default path and pathType when no paths are specified
set:
ingress.enabled: true
ingress.hosts:
- host: git.example.com
asserts:
- hasDocuments:
count: 1
- isKind:
of: Ingress
- equal:
path: spec.rules[0].host
value: "git.example.com"
- equal:
path: spec.rules[0].http.paths[0].path
value: "/"
- equal:
path: spec.rules[0].http.paths[0].pathType
value: "Prefix"

45
unittests/helm/ingress/ingress.tpl.yaml
View File

@ -1,45 +0,0 @@
suite: Test ingress tpl use
templates:
- templates/gitea/ingress.yaml
tests:
- it: Ingress Class using TPL
set:
global.ingress.className: "ingress-class"
ingress.className: "{{ .Values.global.ingress.className }}"
ingress.enabled: true
ingress.hosts[0].host: "some-host"
ingress.tls:
- secretName: gitea-tls
hosts:
- "some-host"
asserts:
- isKind:
of: Ingress
- equal:
path: spec.tls[0].hosts[0]
value: "some-host"
- equal:
path: spec.rules[0].host
value: "some-host"
- equal:
path: spec.ingressClassName
value: "ingress-class"
- it: hostname using TPL
set:
global.giteaHostName: "gitea.example.com"
ingress.enabled: true
ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}"
ingress.tls:
- secretName: gitea-tls
hosts:
- "{{ .Values.global.giteaHostName }}"
asserts:
- isKind:
of: Ingress
- equal:
path: spec.tls[0].hosts[0]
value: "gitea.example.com"
- equal:
path: spec.rules[0].host
value: "gitea.example.com"

26
unittests/helm/ingress/structured-paths.yaml
View File

@ -1,26 +0,0 @@
suite: Test ingress with structured paths
templates:
- templates/gitea/ingress.yaml
tests:
- it: should work with structured path definitions
set:
ingress.enabled: true
ingress.hosts:
- host: git.devxy.io
paths:
- path: /
pathType: Prefix
asserts:
- hasDocuments:
count: 1
- isKind:
of: Ingress
- equal:
path: spec.rules[0].host
value: "git.devxy.io"
- equal:
path: spec.rules[0].http.paths[0].path
value: "/"
- equal:
path: spec.rules[0].http.paths[0].pathType
value: "Prefix"

23
unittests/helm/metric-secret/metrics-secret-servicemonitor-disabled.yaml
View File

@ -1,23 +0,0 @@
suite: Metrics secret template (monitoring disabled)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/metrics-secret.yaml
tests:
- it: renders nothing if monitoring disabled and gitea.metrics.token empty
set:
gitea.metrics.enabled: false
gitea.metrics.serviceMonitor.enabled: false
gitea.metrics.token: ""
asserts:
- hasDocuments:
count: 0
- it: renders nothing if monitoring disabled and gitea.metrics.token not empty
set:
gitea.metrics.enabled: false
gitea.metrics.serviceMonitor.enabled: false
gitea.metrics.token: "test-token"
asserts:
- hasDocuments:
count: 0

33
unittests/helm/metric-secret/metrics-secret-servicemonitor-enabled.yaml
View File

@ -1,33 +0,0 @@
suite: Metrics secret template (monitoring enabled)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/metrics-secret.yaml
tests:
- it: renders nothing if monitoring enabled and gitea.metrics.token empty
set:
gitea.metrics.enabled: true
gitea.metrics.serviceMonitor.enabled: true
gitea.metrics.token: ""
asserts:
- hasDocuments:
count: 0
- it: renders Secret if monitoring enabled and gitea.metrics.token not empty
set:
gitea.metrics.enabled: true
gitea.metrics.serviceMonitor.enabled: true
gitea.metrics.token: "test-token"
asserts:
- hasDocuments:
count: 1
- documentIndex: 0
containsDocument:
kind: Secret
apiVersion: v1
name: gitea-unittests-metrics-secret
- isNotNullOrEmpty:
path: metadata.labels
- equal:
path: data.token
value: "dGVzdC10b2tlbg=="

19
unittests/helm/pvc/pvc-configuration.yaml
View File

@ -1,19 +0,0 @@
suite: PVC template
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/pvc.yaml
tests:
- it: Storage Class using TPL
set:
global.persistence.storageClass: "storage-class"
persistence.enabled: true
persistence.create: true
persistence.storageClass: "{{ .Values.global.persistence.storageClass }}"
asserts:
- isKind:
of: PersistentVolumeClaim
- equal:
path: spec.storageClassName
value: "storage-class"

89
unittests/helm/servicemonitor/basic.yaml
View File

@ -1,89 +0,0 @@
suite: ServiceMonitor template (basic)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/servicemonitor.yaml
tests:
- it: skips rendering by default
asserts:
- hasDocuments:
count: 0
- it: renders default ServiceMonitor object with gitea.metrics.enabled=true
set:
gitea.metrics.enabled: true
asserts:
- hasDocuments:
count: 0
- it: renders default ServiceMonitor object with gitea.metrics.serviceMonitor.enabled=true
set:
gitea.metrics.serviceMonitor.enabled: true
asserts:
- hasDocuments:
count: 0
- it: renders defaults
set:
gitea.metrics.enabled: true
gitea.metrics.serviceMonitor.enabled: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: ServiceMonitor
apiVersion: monitoring.coreos.com/v1
name: gitea-unittests
- notExists:
path: metadata.annotations
- notExists:
path: spec.endpoints[0].interval
- equal:
path: spec.endpoints[0].port
value: http
- notExists:
path: spec.endpoints[0].scheme
- notExists:
path: spec.endpoints[0].scrapeTimeout
- notExists:
path: spec.endpoints[0].tlsConfig
- it: renders custom scrape interval
set:
gitea.metrics.enabled: true
gitea.metrics.serviceMonitor.enabled: true
gitea.metrics.serviceMonitor.interval: 30s
gitea.metrics.serviceMonitor.scrapeTimeout: 5s
asserts:
- equal:
path: spec.endpoints[0].interval
value: 30s
- equal:
path: spec.endpoints[0].scrapeTimeout
value: 5s
- it: renders custom tls config
set:
gitea.metrics.enabled: true
gitea.metrics.serviceMonitor.enabled: true
gitea.metrics.serviceMonitor.scheme: https
gitea.metrics.serviceMonitor.tlsConfig.caFile: /etc/prometheus/tls/ca.crt
gitea.metrics.serviceMonitor.tlsConfig.certFile: /etc/prometheus/tls/tls.crt
gitea.metrics.serviceMonitor.tlsConfig.keyFile: /etc/prometheus/tls/tls.key
gitea.metrics.serviceMonitor.tlsConfig.insecureSkipVerify: false
gitea.metrics.serviceMonitor.tlsConfig.serverName: gitea-unittest
asserts:
- equal:
path: spec.endpoints[0].scheme
value: https
- equal:
path: spec.endpoints[0].tlsConfig.caFile
value: /etc/prometheus/tls/ca.crt
- equal:
path: spec.endpoints[0].tlsConfig.certFile
value: /etc/prometheus/tls/tls.crt
- equal:
path: spec.endpoints[0].tlsConfig.keyFile
value: /etc/prometheus/tls/tls.key
- equal:
path: spec.endpoints[0].tlsConfig.insecureSkipVerify
value: false
- equal:
path: spec.endpoints[0].tlsConfig.serverName
value: gitea-unittest

23
unittests/helm/servicemonitor/servicemonitor-disabled.yaml
View File

@ -1,23 +0,0 @@
suite: ServiceMonitor template (monitoring disabled)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/servicemonitor.yaml
tests:
- it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.metrics.token empty
set:
gitea.metrics.enabled: false
gitea.metrics.token: ""
gitea.metrics.serviceMonitor.enabled: false
asserts:
- hasDocuments:
count: 0
- it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.metrics.token not empty
set:
gitea.metrics.enabled: false
gitea.metrics.token: "test-token"
gitea.metrics.serviceMonitor.enabled: false
asserts:
- hasDocuments:
count: 0

70
unittests/helm/servicemonitor/servicemonitor-enabled.yaml
View File

@ -1,70 +0,0 @@
suite: ServiceMonitor template (monitoring enabled)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/servicemonitor.yaml
tests:
- it: renders unsecure ServiceMonitor if gitea.metrics.token nil
set:
gitea.metrics.enabled: true
gitea.metrics.token:
gitea.metrics.serviceMonitor.enabled: true
asserts:
- hasDocuments:
count: 1
- documentIndex: 0
containsDocument:
kind: ServiceMonitor
apiVersion: monitoring.coreos.com/v1
name: gitea-unittests
- isNotNullOrEmpty:
path: metadata.labels
- equal:
path: spec.endpoints
value:
- port: http
- it: renders unsecure ServiceMonitor if gitea.metrics.token empty
set:
gitea.metrics.enabled: true
gitea.metrics.token: ""
gitea.metrics.serviceMonitor.enabled: true
asserts:
- hasDocuments:
count: 1
- documentIndex: 0
containsDocument:
kind: ServiceMonitor
apiVersion: monitoring.coreos.com/v1
name: gitea-unittests
- isNotNullOrEmpty:
path: metadata.labels
- equal:
path: spec.endpoints
value:
- port: http
- it: renders secure ServiceMonitor if gitea.metrics.token not empty
set:
gitea.metrics.enabled: true
gitea.metrics.token: "test-token"
gitea.metrics.serviceMonitor.enabled: true
asserts:
- hasDocuments:
count: 1
- documentIndex: 0
containsDocument:
kind: ServiceMonitor
apiVersion: monitoring.coreos.com/v1
name: gitea-unittests
- isNotNullOrEmpty:
path: metadata.labels
- equal:
path: spec.endpoints
value:
- port: http
authorization:
type: Bearer
credentials:
name: gitea-unittests-metrics-secret
key: token
optional: false

14
unittests/helm/values-conflicting-checks.yaml
View File

@ -1,14 +0,0 @@
suite: Values conflicting checks
release:
name: gitea-unittests
namespace: testing
tests:
- it: fails when trying to configure valkey and valkey-cluster the same time
set:
valkey-cluster:
enabled: true
valkey:
enabled: true
asserts:
- failedTemplate:
errorMessage: valkey and valkey-cluster cannot be enabled at the same time. Please only choose one.

0
unittests/helm/init/basic.yaml → unittests/init/basic.yaml
View File

52
unittests/helm/init/init_directory_structure.sh-rootless.yaml → unittests/init/init_directory_structure.sh-rootless.yaml
View File

@ -15,11 +15,11 @@ tests:
asserts: asserts:
- equal: - equal:
path: stringData["configure_gpg_environment.sh"] path: stringData["configure_gpg_environment.sh"]
value: | value: |-
#!/usr/bin/env bash #!/usr/bin/env bash
set -eu set -eu
gpg --batch --import "$TMP_RAW_GPG_KEY" gpg --batch --import /raw/private.asc
- it: skips gpg script block for disabled signing - it: skips gpg script block for disabled signing
asserts: asserts:
- equal: - equal:
@ -28,13 +28,15 @@ tests:
#!/usr/bin/env bash #!/usr/bin/env bash
set -euo pipefail set -euo pipefail
mkdir -pv /data/git/.ssh
chmod -Rv 700 /data/git/.ssh set -x
[ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf mkdir -p /data/git/.ssh
chmod -R 700 /data/git/.ssh
[ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
# prepare temp directory structure # prepare temp directory structure
mkdir -pv "${GITEA_TEMP}" mkdir -p "${GITEA_TEMP}"
chmod -v ug+rwx "${GITEA_TEMP}" chmod ug+rwx "${GITEA_TEMP}"
- it: adds gpg script block for enabled signing - it: adds gpg script block for enabled signing
set: set:
signing.enabled: true signing.enabled: true
@ -49,34 +51,18 @@ tests:
#!/usr/bin/env bash #!/usr/bin/env bash
set -euo pipefail set -euo pipefail
mkdir -pv /data/git/.ssh
chmod -Rv 700 /data/git/.ssh set -x
[ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf mkdir -p /data/git/.ssh
chmod -R 700 /data/git/.ssh
[ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
# prepare temp directory structure # prepare temp directory structure
mkdir -pv "${GITEA_TEMP}" mkdir -p "${GITEA_TEMP}"
chmod -v ug+rwx "${GITEA_TEMP}" chmod ug+rwx "${GITEA_TEMP}"
if [ ! -d "${GNUPGHOME}" ]; then if [ ! -d "${GNUPGHOME}" ]; then
mkdir -pv "${GNUPGHOME}" mkdir -p "${GNUPGHOME}"
chmod -v 700 "${GNUPGHOME}" chmod 700 "${GNUPGHOME}"
chown -v 1000:1000 "${GNUPGHOME}" chown 1000:1000 "${GNUPGHOME}"
fi fi
- it: it does not chown /data even when image.fullOverride is set
template: templates/gitea/init.yaml
set:
image.fullOverride: docker.gitea.com/gitea:1.20.5
asserts:
- equal:
path: stringData["init_directory_structure.sh"]
value: |-
#!/usr/bin/env bash
set -euo pipefail
mkdir -pv /data/git/.ssh
chmod -Rv 700 /data/git/.ssh
[ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf
# prepare temp directory structure
mkdir -pv "${GITEA_TEMP}"
chmod -v ug+rwx "${GITEA_TEMP}"

42
unittests/helm/init/init_directory_structure.sh.yaml → unittests/init/init_directory_structure.sh.yaml
View File

@ -16,11 +16,11 @@ tests:
asserts: asserts:
- equal: - equal:
path: stringData["configure_gpg_environment.sh"] path: stringData["configure_gpg_environment.sh"]
value: | value: |-
#!/usr/bin/env bash #!/usr/bin/env bash
set -eu set -eu
gpg --batch --import "$TMP_RAW_GPG_KEY" gpg --batch --import /raw/private.asc
- it: skips gpg script block for disabled signing - it: skips gpg script block for disabled signing
set: set:
image.rootless: false image.rootless: false
@ -31,15 +31,17 @@ tests:
#!/usr/bin/env bash #!/usr/bin/env bash
set -euo pipefail set -euo pipefail
chown -v 1000:1000 /data
mkdir -pv /data/git/.ssh set -x
chmod -Rv 700 /data/git/.ssh chown 1000:1000 /data
[ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf mkdir -p /data/git/.ssh
chmod -R 700 /data/git/.ssh
[ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
# prepare temp directory structure # prepare temp directory structure
mkdir -pv "${GITEA_TEMP}" mkdir -p "${GITEA_TEMP}"
chown -v 1000:1000 "${GITEA_TEMP}" chown 1000:1000 "${GITEA_TEMP}"
chmod -v ug+rwx "${GITEA_TEMP}" chmod ug+rwx "${GITEA_TEMP}"
- it: adds gpg script block for enabled signing - it: adds gpg script block for enabled signing
set: set:
image.rootless: false image.rootless: false
@ -55,18 +57,20 @@ tests:
#!/usr/bin/env bash #!/usr/bin/env bash
set -euo pipefail set -euo pipefail
chown -v 1000:1000 /data
mkdir -pv /data/git/.ssh set -x
chmod -Rv 700 /data/git/.ssh chown 1000:1000 /data
[ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf mkdir -p /data/git/.ssh
chmod -R 700 /data/git/.ssh
[ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
# prepare temp directory structure # prepare temp directory structure
mkdir -pv "${GITEA_TEMP}" mkdir -p "${GITEA_TEMP}"
chown -v 1000:1000 "${GITEA_TEMP}" chown 1000:1000 "${GITEA_TEMP}"
chmod -v ug+rwx "${GITEA_TEMP}" chmod ug+rwx "${GITEA_TEMP}"
if [ ! -d "${GNUPGHOME}" ]; then if [ ! -d "${GNUPGHOME}" ]; then
mkdir -pv "${GNUPGHOME}" mkdir -p "${GNUPGHOME}"
chmod -v 700 "${GNUPGHOME}" chmod 700 "${GNUPGHOME}"
chown -v 1000:1000 "${GNUPGHOME}" chown 1000:1000 "${GNUPGHOME}"
fi fi

0
unittests/helm/serviceaccount/basic.yaml → unittests/serviceaccount/basic.yaml
View File

0
unittests/helm/serviceaccount/reference.yaml → unittests/serviceaccount/reference.yaml
View File

158
values.yaml
View File

@ -20,9 +20,6 @@ global:
# hostnames: # hostnames:
# - example.com # - example.com
## @param namespace An explicit namespace to deploy gitea into. Defaults to the release namespace if not specified
namespace: ""
## @param replicaCount number of replicas for the deployment ## @param replicaCount number of replicas for the deployment
replicaCount: 1 replicaCount: 1
@ -43,19 +40,15 @@ clusterDomain: cluster.local
## @param image.registry image registry, e.g. gcr.io,docker.io ## @param image.registry image registry, e.g. gcr.io,docker.io
## @param image.repository Image to start for this pod ## @param image.repository Image to start for this pod
## @param image.tag Visit: [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated). Defaults to `appVersion` within Chart.yaml. ## @param image.tag Visit: [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated). Defaults to `appVersion` within Chart.yaml.
## @param image.digest Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`
## @param image.pullPolicy Image pull policy ## @param image.pullPolicy Image pull policy
## @param image.rootless Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher ## @param image.rootless Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher
## @param image.fullOverride Completely overrides the image registry, path/image, tag and digest. **Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).**
image: image:
registry: "docker.gitea.com" registry: ""
repository: gitea repository: gitea/gitea
# Overrides the image tag whose default is the chart appVersion. # Overrides the image tag whose default is the chart appVersion.
tag: "" tag: ""
digest: "" pullPolicy: Always
pullPolicy: IfNotPresent
rootless: true rootless: true
fullOverride: ""
## @param imagePullSecrets Secret to use for pulling the image ## @param imagePullSecrets Secret to use for pulling the image
imagePullSecrets: [] imagePullSecrets: []
@ -76,7 +69,7 @@ containerSecurityContext: {}
# # run pods on nodes that use the container runtime cri-o. Otherwise, you will # # run pods on nodes that use the container runtime cri-o. Otherwise, you will
# # get an error message from the SSH server that it is not possible to read from # # get an error message from the SSH server that it is not possible to read from
# # the repository. # # the repository.
# # https://gitea.com/gitea/helm-gitea/issues/161 # # https://gitea.com/gitea/helm-chart/issues/161
# add: # add:
# - SYS_CHROOT # - SYS_CHROOT
# privileged: false # privileged: false
@ -109,8 +102,6 @@ service:
## @param service.http.ipFamilies HTTP service dual-stack familiy selection,for dual-stack parameters see official kubernetes [dual-stack concept documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/). ## @param service.http.ipFamilies HTTP service dual-stack familiy selection,for dual-stack parameters see official kubernetes [dual-stack concept documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/).
## @param service.http.loadBalancerSourceRanges Source range filter for http loadbalancer ## @param service.http.loadBalancerSourceRanges Source range filter for http loadbalancer
## @param service.http.annotations HTTP service annotations ## @param service.http.annotations HTTP service annotations
## @param service.http.labels HTTP service additional labels
## @param service.http.loadBalancerClass Loadbalancer class
http: http:
type: ClusterIP type: ClusterIP
port: 3000 port: 3000
@ -123,8 +114,6 @@ service:
ipFamilies: ipFamilies:
loadBalancerSourceRanges: [] loadBalancerSourceRanges: []
annotations: {} annotations: {}
labels: {}
loadBalancerClass:
## @param service.ssh.type Kubernetes service type for ssh traffic ## @param service.ssh.type Kubernetes service type for ssh traffic
## @param service.ssh.port Port number for ssh traffic ## @param service.ssh.port Port number for ssh traffic
## @param service.ssh.clusterIP ClusterIP setting for ssh autosetup for deployment is None ## @param service.ssh.clusterIP ClusterIP setting for ssh autosetup for deployment is None
@ -137,8 +126,6 @@ service:
## @param service.ssh.hostPort HostPort for ssh service ## @param service.ssh.hostPort HostPort for ssh service
## @param service.ssh.loadBalancerSourceRanges Source range filter for ssh loadbalancer ## @param service.ssh.loadBalancerSourceRanges Source range filter for ssh loadbalancer
## @param service.ssh.annotations SSH service annotations ## @param service.ssh.annotations SSH service annotations
## @param service.ssh.labels SSH service additional labels
## @param service.ssh.loadBalancerClass Loadbalancer class
ssh: ssh:
type: ClusterIP type: ClusterIP
port: 22 port: 22
@ -152,30 +139,36 @@ service:
hostPort: hostPort:
loadBalancerSourceRanges: [] loadBalancerSourceRanges: []
annotations: {} annotations: {}
labels: {}
loadBalancerClass:
## @section Ingress ## @section Ingress
## @param ingress.enabled Enable ingress ## @param ingress.enabled Enable ingress
## @param ingress.className DEPRECATED: Ingress class name. ## @param ingress.className Ingress class name
## @param ingress.pathType Ingress Path Type
## @param ingress.annotations Ingress annotations ## @param ingress.annotations Ingress annotations
## @param ingress.hosts[0].host Default Ingress host ## @param ingress.hosts[0].host Default Ingress host
## @param ingress.hosts[0].paths[0].path Default Ingress path ## @param ingress.hosts[0].paths[0].path Default Ingress path
## @param ingress.hosts[0].paths[0].pathType Ingress path type
## @param ingress.tls Ingress tls settings ## @param ingress.tls Ingress tls settings
## @extra ingress.apiVersion Specify APIVersion of ingress object. Mostly would only be used for argocd.
ingress: ingress:
enabled: false enabled: false
className: "" # className: nginx
pathType: Prefix className:
annotations: {} annotations:
{}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts: hosts:
- host: git.example.com - host: git.example.com
paths: paths:
- path: / - path: /
pathType: Prefix
tls: [] tls: []
# - secretName: chart-example-tls # - secretName: chart-example-tls
# hosts: # hosts:
# - git.example.com # - git.example.com
# Mostly for argocd or any other CI that uses `helm template | kubectl apply` or similar
# If helm doesn't correctly detect your ingress API version you can set it here.
# apiVersion: networking.k8s.io/v1
## @section deployment ## @section deployment
# #
@ -256,10 +249,9 @@ serviceAccount:
## @param persistence.size Size for persistence to store repo information ## @param persistence.size Size for persistence to store repo information
## @param persistence.accessModes AccessMode for persistence ## @param persistence.accessModes AccessMode for persistence
## @param persistence.labels Labels for the persistence volume claim to be created ## @param persistence.labels Labels for the persistence volume claim to be created
## @param persistence.annotations.helm.sh/resource-policy Resource policy for the persistence volume claim ## @param persistence.annotations Annotations for the persistence volume claim to be created
## @param persistence.storageClass Name of the storage class to use ## @param persistence.storageClass Name of the storage class to use
## @param persistence.subPath Subdirectory of the volume to mount at ## @param persistence.subPath Subdirectory of the volume to mount at
## @param persistence.volumeName Name of persistent volume in PVC
persistence: persistence:
enabled: true enabled: true
create: true create: true
@ -269,17 +261,9 @@ persistence:
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
labels: {} labels: {}
annotations: {}
storageClass: storageClass:
subPath: subPath:
volumeName: ""
annotations:
helm.sh/resource-policy: keep
## @param extraContainers Additional sidecar containers to run in the pod
extraContainers: []
# - name: sidecar-bob
# image: busybox
# command: [/bin/sh, -c, 'echo "Hello world"; sleep 86400']
## @param extraVolumes Additional volumes to mount to the Gitea deployment ## @param extraVolumes Additional volumes to mount to the Gitea deployment
extraVolumes: [] extraVolumes: []
@ -306,8 +290,6 @@ extraVolumeMounts: []
## @section Init ## @section Init
## @param initPreScript Bash shell script copied verbatim to the start of the init-container. ## @param initPreScript Bash shell script copied verbatim to the start of the init-container.
initPreScript: "" initPreScript: ""
## @param initContainersScriptsVolumeMountPath Path to mount the scripts consumed from the Secrets
initContainersScriptsVolumeMountPath: "/usr/sbinx"
# #
# initPreScript: | # initPreScript: |
# mkdir -p /data/git/.postgresql # mkdir -p /data/git/.postgresql
@ -330,7 +312,7 @@ initContainers:
# #
## @param signing.enabled Enable commit/action signing ## @param signing.enabled Enable commit/action signing
## @param signing.gpgHome GPG home directory ## @param signing.gpgHome GPG home directory
## @param signing.privateKey Inline private gpg key for signed internal Git activity ## @param signing.privateKey Inline private gpg key for signed Gitea actions
## @param signing.existingSecret Use an existing secret to store the value of `signing.privateKey` ## @param signing.existingSecret Use an existing secret to store the value of `signing.privateKey`
signing: signing:
enabled: false enabled: false
@ -349,35 +331,21 @@ gitea:
## @param gitea.admin.existingSecret Use an existing secret to store admin user credentials ## @param gitea.admin.existingSecret Use an existing secret to store admin user credentials
## @param gitea.admin.password Password for the Gitea admin user ## @param gitea.admin.password Password for the Gitea admin user
## @param gitea.admin.email Email for the Gitea admin user ## @param gitea.admin.email Email for the Gitea admin user
## @param gitea.admin.passwordMode Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated
admin: admin:
# existingSecret: gitea-admin-secret # existingSecret: gitea-admin-secret
existingSecret: existingSecret:
username: gitea_admin username: gitea_admin
password: r8sA8CPHD9!bt6d password: r8sA8CPHD9!bt6d
email: "gitea@local.domain" email: "gitea@local.domain"
passwordMode: keepUpdated
## @param gitea.metrics.enabled Enable Gitea metrics ## @param gitea.metrics.enabled Enable Gitea metrics
## @param gitea.metrics.token used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public. ## @param gitea.metrics.serviceMonitor.enabled Enable Gitea metrics service monitor
## @param gitea.metrics.serviceMonitor.enabled Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally.
## @param gitea.metrics.serviceMonitor.interval Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.
## @param gitea.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping.
## @param gitea.metrics.serviceMonitor.scheme HTTP scheme to use for scraping. For example `http` or `https`. Default is http.
## @param gitea.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used.
## @param gitea.metrics.serviceMonitor.tlsConfig TLS configuration to use when scraping the metric endpoint by Prometheus.
metrics: metrics:
enabled: false enabled: false
token:
serviceMonitor: serviceMonitor:
enabled: false enabled: false
# additionalLabels: # additionalLabels:
# prometheus-release: prom1 # prometheus-release: prom1
interval: ""
relabelings: []
scheme: ""
scrapeTimeout: ""
tlsConfig: {}
## @param gitea.ldap LDAP configuration ## @param gitea.ldap LDAP configuration
ldap: ldap:
@ -501,82 +469,42 @@ gitea:
successThreshold: 1 successThreshold: 1
failureThreshold: 10 failureThreshold: 10
## @section valkey-cluster ## @section redis-cluster
## @param valkey-cluster.enabled Enable valkey cluster ## @param redis-cluster.enabled Enable redis
# ⚠️ The valkey charts do not work well with special characters in the password (<https://gitea.com/gitea/helm-chart/issues/690>). ## @param redis-cluster.global.redis.password Password for the "gitea" user (overrides `password`)
# Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed. redis-cluster:
## @param valkey-cluster.usePassword Whether to use password authentication
## @param valkey-cluster.usePasswordFiles Whether to mount passwords as files instead of environment variables
## @param valkey-cluster.cluster.nodes Number of valkey cluster master nodes
## @param valkey-cluster.cluster.replicas Number of valkey cluster master node replicas
## @param valkey-cluster.service.ports.valkey Port of Valkey service
## @descriptionStart
## Valkey cluster and [Valkey](#valkey) cannot be enabled at the same time.
## @descriptionEnd
valkey-cluster:
enabled: true enabled: true
usePassword: false
usePasswordFiles: false
cluster:
nodes: 3 # default: 6
replicas: 0 # default: 1
service:
ports:
valkey: 6379
## @section valkey
## @param valkey.enabled Enable valkey standalone or replicated
## @param valkey.architecture Whether to use standalone or replication
# ⚠️ The valkey charts do not work well with special characters in the password (<https://gitea.com/gitea/helm-chart/issues/690>).
# Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed.
## @param valkey.global.valkey.password Required password
## @param valkey.master.count Number of Valkey master instances to deploy
## @param valkey.master.service.ports.valkey Port of Valkey service
## @descriptionStart
## Valkey and [Valkey cluster](#valkey-cluster) cannot be enabled at the same time.
## @descriptionEnd
valkey:
enabled: false
architecture: standalone
global: global:
valkey: redis:
password: changeme password: gitea
master:
count: 1
service:
ports:
valkey: 6379
## @section PostgreSQL HA ## @section postgresql-ha
# #
## @param postgresql-ha.enabled Enable PostgreSQL HA ## @param postgresql-ha.enabled Enable postgresql-ha
## @param postgresql-ha.postgresql.password Password for the `gitea` user (overrides `auth.password`) ## @param postgresql-ha.global.postgresql.password Password for the `gitea` user (overrides `auth.password`)
## @param postgresql-ha.global.postgresql.database Name for a custom database to create (overrides `auth.database`) ## @param postgresql-ha.global.postgresql.database Name for a custom database to create (overrides `auth.database`)
## @param postgresql-ha.global.postgresql.username Name for a custom user to create (overrides `auth.username`) ## @param postgresql-ha.global.postgresql.username Name for a custom user to create (overrides `auth.username`)
## @param postgresql-ha.global.postgresql.password Name for a custom password to create (overrides `auth.password`) ## @param postgresql-ha.global.postgresql.postgresPassword Postgres Password
## @param postgresql-ha.postgresql.repmgrPassword Repmgr Password ## @param postgresql-ha.global.postgresql.repmgrPassword Repmgr Password
## @param postgresql-ha.postgresql.postgresPassword postgres Password ## @param postgresql-ha.service.ports.postgresql postgresql service port (overrides `service.ports.postgresql`)
## @param postgresql-ha.pgpool.adminPassword pgpool adminPassword ## @param postgresql-ha.primary.persistence.size PVC Storage Request for postgresql-ha volume
## @param postgresql-ha.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
## @param postgresql-ha.persistence.size PVC Storage Request for PostgreSQL HA volume
postgresql-ha: postgresql-ha:
enabled: true
global: global:
postgresql: postgresql:
database: gitea
password: gitea password: gitea
database: gitea
username: gitea username: gitea
enabled: true # FIXME: https://github.com/bitnami/charts/issues/17052
postgresql: postgresPassword: changeme
repmgrPassword: changeme2 # FIXME: https://github.com/bitnami/charts/issues/17052
postgresPassword: changeme1 repmgrPassword: changeme
password: changeme4
pgpool:
adminPassword: changeme3
service: service:
ports: ports:
postgresql: 5432 postgresql: 5432
persistence: primary:
size: 10Gi persistence:
size: 10Gi
## @section PostgreSQL ## @section PostgreSQL
# #