1.16.5

Signed-off-by: techknowlogick <techknowlogick@gitea.io>

.drone.yml

@@ -1,22 +1,37 @@
 ---
 kind: pipeline
+type: docker
 name: lint
 
 platform:
   os: linux
-  arch: amd64
+  arch: arm64
 
 steps:
-- name: lint
+- name: helm lint
   pull: always
-  image: pelotech/drone-helm3
+  image: alpine:3.15
-  settings:
+  commands:
-    helm_command: lint
+  - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
-    chart: ./
+  - helm lint
+
+- name: helm template
+  pull: always
+  image: alpine:3.15
+  commands:
+  - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
+  - helm dependency update
+  - helm template --debug gitea-helm .
+
+- name: markdown lint
+  pull: always
+  image: docker.io/volkerraschek/markdownlint:latest
+  commands:
+  - markdownlint *.md
 
 - name: discord
   pull: always
-  image: appleboy/drone-discord:1.0.0
+  image: appleboy/drone-discord:1.2.4
   environment:
     DISCORD_WEBHOOK_ID:
       from_secret: discord_webhook_id
@@ -29,6 +44,7 @@ steps:
 
 ---
 kind: pipeline
+type: docker
 name: release-version
 
 platform:
@@ -40,26 +56,25 @@ trigger:
   - tag
 
 steps:
-  - name: generate-chart
+- name: generate-chart
-    pull: default
+  pull: always
-    image: alpine:3.12
+  image: alpine:3.15
   commands:
-      - wget -q https://get.helm.sh/helm-v3.3.1-linux-arm64.tar.gz -O - | tar -xzO linux-arm64/helm > /usr/local/bin/helm
+    - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
-      - chmod +x /usr/local/bin/helm
+    - apk add --no-cache curl
     - helm dependency update
-      - helm package ./
+    - helm package --version "${DRONE_TAG##v}" ./
     - mkdir gitea
     - mv gitea*.tgz gitea/
-      - wget -O gitea/index.yaml https://dl.gitea.io/charts/index.yaml
+    - curl -L -o gitea/index.yaml https://dl.gitea.io/charts/index.yaml
     - helm repo index gitea/ --url https://dl.gitea.io/charts --merge gitea/index.yaml
 
-  - name: upload-chart
+- name: upload-chart
-    pull: default
+  pull: always
   image: plugins/s3:latest
   settings:
-      bucket: releases
+    bucket: gitea-artifacts
-      endpoint: https://storage.gitea.io
+    endpoint: https://ams3.digitaloceanspaces.com
-      path_style: true
     access_key:
       from_secret: aws_access_key_id
     secret_key:

.gitignore

@@ -1,2 +1,3 @@
 charts
 Chart.lock
+.DS_Store

.markdownlint.yaml

@@ -0,0 +1,151 @@
+# markdownlint YAML configuration
+# https://github.com/DavidAnson/markdownlint/blob/main/schema/.markdownlint.yaml
+
+# Default state for all rules
+default: true
+
+# Path to configuration file to extend
+extends: null
+
+# MD003/heading-style/header-style - Heading style
+MD003:
+  # Heading style
+  style: "atx"
+
+# MD004/ul-style - Unordered list style
+MD004:
+  style: "dash"
+
+# MD007/ul-indent - Unordered list indentation
+MD007:
+  # Spaces for indent
+  indent: 2
+  # Whether to indent the first level of the list
+  start_indented: false
+
+# MD009/no-trailing-spaces - Trailing spaces
+MD009:
+  # Spaces for line break
+  br_spaces: 2
+  # Allow spaces for empty lines in list items
+  list_item_empty_lines: false
+  # Include unnecessary breaks
+  strict: false
+
+# MD010/no-hard-tabs - Hard tabs
+MD010:
+  # Include code blocks
+  code_blocks: true
+
+# MD012/no-multiple-blanks - Multiple consecutive blank lines
+MD012:
+  # Consecutive blank lines
+  maximum: 1
+
+# MD013/line-length - Line length
+MD013:
+  # Number of characters
+  line_length: 80
+  # Number of characters for headings
+  heading_line_length: 80
+  # Number of characters for code blocks
+  code_block_line_length: 80
+  # Include code blocks
+  code_blocks: false
+  # Include tables
+  tables: false
+  # Include headings
+  headings: true
+  # Include headings
+  headers: true
+  # Strict length checking
+  strict: false
+  # Stern length checking
+  stern: false
+
+# MD022/blanks-around-headings/blanks-around-headers - Headings should be surrounded by blank lines
+MD022:
+  # Blank lines above heading
+  lines_above: 1
+  # Blank lines below heading
+  lines_below: 1
+
+# MD024/no-duplicate-heading/no-duplicate-header - Multiple headings with the same content
+MD024:
+  # Only check sibling headings
+  allow_different_nesting: true
+
+# MD025/single-title/single-h1 - Multiple top-level headings in the same document
+MD025:
+  # Heading level
+  level: 1
+  # RegExp for matching title in front matter
+  front_matter_title: "^\\s*title\\s*[:=]"
+
+# MD026/no-trailing-punctuation - Trailing punctuation in heading
+MD026:
+  # Punctuation characters
+  punctuation: ".,;:!。，；：！"
+
+# MD029/ol-prefix - Ordered list item prefix
+MD029:
+  # List style
+  style: "one_or_ordered"
+
+# MD030/list-marker-space - Spaces after list markers
+MD030:
+  # Spaces for single-line unordered list items
+  ul_single: 1
+  # Spaces for single-line ordered list items
+  ol_single: 1
+  # Spaces for multi-line unordered list items
+  ul_multi: 1
+  # Spaces for multi-line ordered list items
+  ol_multi: 1
+
+# MD033/no-inline-html - Inline HTML
+MD033:
+  # Allowed elements
+  allowed_elements: []
+
+# MD035/hr-style - Horizontal rule style
+MD035:
+  # Horizontal rule style
+  style: "---"
+
+# MD036/no-emphasis-as-heading/no-emphasis-as-header - Emphasis used instead of a heading
+MD036:
+  # Punctuation characters
+  punctuation: ".,;:!?。，；：！？"
+
+# MD041/first-line-heading/first-line-h1 - First line in a file should be a top-level heading
+MD041:
+  # Heading level
+  level: 1
+  # RegExp for matching title in front matter
+  front_matter_title: "^\\s*title\\s*[:=]"
+
+# MD044/proper-names - Proper names should have the correct capitalization
+MD044:
+  # List of proper names
+  names:
+  - Gitea
+  - PostgreSQL
+  - MariaDB
+  - MySQL
+  - Memcached
+  - Prometheus
+  - Git
+  - GitOps
+  # Include code blocks
+  code_blocks: false
+
+# MD046/code-block-style - Code block style
+MD046:
+  # Block style
+  style: "fenced"
+
+# MD048/code-fence-style - Code fence style
+MD048:
+  # Code fence syle
+  style: "backtick"

Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
-version: 1.4.5
+version: 0.0.0
-appVersion: 1.12.4
+appVersion: 1.16.5
 icon: https://docs.gitea.io/images/gitea.png
 
 keywords:
@@ -14,6 +14,7 @@ keywords:
   - gitea
   - gogs
 sources:
+  - https://gitea.com/gitea/helm-chart
   - https://github.com/go-gitea/gitea
   - https://hub.docker.com/r/gitea/gitea/
 maintainers:
@@ -25,17 +26,23 @@ maintainers:
     email: konrad.lother@novum-rgi.de
   - name: Lucas Hahn
     email: lucas.hahn@novum-rgi.de
+  - name: Steven Kriegler
+    email: sk.bunsenbrenner@gmail.com
 
 dependencies:
 - name: memcached
   repository: https://charts.bitnami.com/bitnami
-  version: 4.2.20
+  version: 5.9.0
-  condition: gitea.cache.builtIn.enabled
+  condition: memcached.enabled
 - name: mysql
   repository: https://charts.bitnami.com/bitnami
-  version: 6.14.8
+  version: 6.14.10
-  condition: gitea.database.builtIn.mysql.enabled
+  condition: mysql.enabled
 - name: postgresql
   repository: https://charts.bitnami.com/bitnami
-  version: 8.6.4
+  version: 10.3.17
-  condition: gitea.database.builtIn.postgresql.enabled
+  condition: postgresql.enabled
+- name: mariadb
+  repository: https://charts.bitnami.com/bitnami
+  version: 9.3.6
+  condition: mariadb.enabled

README.md

@@ -1,45 +1,228 @@
 # Gitea Helm Chart
 
-[Gitea](https://gitea.io/en-us/) is a community managed lightweight code hosting solution written in Go. It is published under the MIT license.
+[Gitea](https://gitea.io/en-us/) is a community managed lightweight code hosting
+solution written in Go. It is published under the MIT license.
 
 ## Introduction
 
-This helm chart has taken some inspiration from https://github.com/jfelten/gitea-helm-chart
+This helm chart has taken some inspiration from [jfelten's helm
-But takes a completly different approach in providing database and cache with dependencies.
+chart](https://github.com/jfelten/gitea-helm-chart). But takes a completely
-Also this chart provides ldap and admin user configuration with values as well as it is deployed as statefulset to retain stored repositories.
+different approach in providing a database and cache with dependencies.
+Additionally, this chart provides LDAP and admin user configuration with values,
+as well as being deployed as a statefulset to retain stored repositories.
 
 ## Dependencies
 
-Gitea can be run with external database and cache. This chart provides those dependencies, which can be
+Gitea can be run with an external database and cache. This chart provides those
-enabled, or disabled via [configuration](#configuration).
+dependencies, which can be enabled, or disabled via
+[configuration](#configuration).
 
 Dependencies:
 
-* Postgresql
+- PostgreSQL
-* Memcached
+- Memcached
-* Mysql
+- MySQL
 
 ## Installing
 
-```
+```sh
-  helm repo add gitea-charts https://dl.gitea.io/charts/
+helm repo add gitea-charts https://dl.gitea.io/charts/
-  helm install gitea gitea-charts/gitea
+helm repo update
+helm install gitea gitea-charts/gitea
 ```
 
 ## Prerequisites
 
-* Kubernetes 1.12+
+- Kubernetes 1.12+
-* Helm 3.0+
+- Helm 3.0+
-* PV provisioner for persistent data support
+- PV provisioner for persistent data support
+
+## Chart upgrade to 5.0.0
+
+:warning: The most recent `5.0.0` update brings some major and breaking changes.
+Please note the following changes in the Chart to upgrade successfully. :warning:
+
+### Enable Dependencies
+
+:warning: The values to enable the dependencies,
+such as PostgreSQL, Memcached, MySQL and MariaDB
+have been moved from `gitea.database.builtIn.` to the dependency values. :warning:
+
+You can now enable the dependencies as followed:
+
+```yaml
+memcached:
+  enabled: true
+
+postgresql:
+  enabled: true
+
+mysql:
+  enabled: false
+
+mariadb:
+  enabled: false
+```
+
+### App.ini generation
+
+The app.ini generation has changed and now utilizes the environment-to-ini
+script provided by newer Gitea versions.
+
+> :boom: The Helm Chart now requires Gitea versions of at least 1.11.0.
+
+This change ensures, that the app.ini is now persistent.
+
+#### Secret Key generation
+
+Gitea secret keys (SECRET_KEY, INTERNAL_TOKEN, JWT_SECRET) are now generated
+automatically in certain situations:
+
+- New install: By default the secrets are created automatically. If you provide
+  secrets via `gitea.config` they will be used instead of automatic generation.
+- Existing installs: The secrets won't be deployed, neither via
+  configuration nor via auto generation. We explicitly prevent to set new secrets.
+
+> :rotating_light: It would be possible to set new secret keys manually by entering
+the running container and rewriting the app.ini by hand. However, this it is
+not advisable to do so for existing installations. Certain settings like
+_LDAP_ would not be readable anymore.
+
+### Probes
+
+> :boom: `gitea.customLivenessProbe`, `gitea.customReadinessProbe` and `gitea.customStartupProbe`
+have been removed.
+
+They are replaced by the settings `gitea.livenessProbe`, `gitea.readinessProbe`
+and `gitea.startupProbe` which are now fully configurable and used _as-is_ for
+a Chart deployment.
+If you have customized their values instead of using the `custom` prefixed settings,
+please ensure that you remove the `enabled` property from each of them.
+
+In case you want to disable one of these probes, let's say the `livenessProbe`, add
+the following to your values. The `podAnnotation` is just there to have a bit more
+context.
+
+```diff
+gitea:
++ livenessProbe:
+  podAnnotations: {}
+```
+
+### Multiple OAuth and LDAP authentication sources
+
+With `5.0.0` of this Chart it is now possible to configure Gitea with multiple
+OAuth and LDAP sources. As a result, you need to update an existing OAuth/LDAP configuration
+in your customized `values.yaml` by replacing the object with settings to a list
+of settings objects. See [OAuth2 Settings](#oauth-settings) and
+[LDAP Settings](#ldap-settings) section for details.
+
+## Chart upgrade from 3.x.x to 4.0.0
+
+:warning: The most recent `4.0.0` update brings some breaking changes. Please note
+the following changes in the Chart to upgrade successfully. :warning:
+
+### Ingress changes
+
+To provide a more flexible Ingress configuration we now support not only host
+settings but also provide configuration for the path and pathType. So this
+change changes the hosts from a simple string list, to a list containing a more
+complex object for more configuration.
+
+```diff
+ingress:
+  enabled: false
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+-  hosts:
+-    - git.example.com
++  hosts:
++    - host: git.example.com
++      paths:
++        - path: /
++          pathType: Prefix
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - git.example.com
+```
+
+If you want everything as it was before, you can simply add the following code
+to all your host entries.
+
+```yaml
+paths:
+  - path: /
+    pathType: Prefix
+```
+
+### Dropped kebab-case support
+
+In 3.x.x it was possible to provide an ldap configuration via kebab-case, this
+support has now been dropped and only camel case is supported. See [LDAP
+section](#ldap-settings) for more information.
+
+### Dependency update
+
+The chart comes with multiple databases and Memcached as dependency, the latest
+release updated the dependencies.
+
+- Memcached: `4.2.20` -> `5.9.0`
+- PostgreSQL: `9.7.2` -> `10.3.17`
+- MariaDB: `8.0.0` -> `9.3.6`
+
+If you're using the builtin databases you will most likely redeploy the chart in
+order to update the database correctly.
+
+### Execution of initPreScript
+
+Generally spoken, this might not be a breaking change, but it is worth to be
+mentioned.
+
+Prior to `4.0.0` only one init container was used to both setup directories and
+configure Gitea. As of now the actual Gitea configuration is separated from the
+other pre-execution. This also includes the execution of _initPreScript_. If you
+have such script, please be aware of this. Dynamically prepare the Gitea setup
+during execution by e.g. adding environment variables to the execution context
+won't work anymore.
+
+## Gitea Version 1.14.X repository ROOT
+
+Previously the ROOT folder for the Gitea repositories was located at
+`/data/git/gitea-repositories`. In version `1.14` has the path been changed to
+`/data/gitea-repositories`.
+
+This chart will set the `gitea.config.repository.ROOT` value default to
+`/data/git/gitea-repositories`.
+
+## Configure Commit Signing
+
+When using the rootless image the gpg key folder was is not persistent by
+default. If you consider using signed commits for internal Gitea activities
+(e.g. initial commit), you'd need to provide a signing key. Prior to
+[PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be
+re-imported once the container got replaced by another.
+
+The mentioned PR introduced a new configuration object `signing` allowing you to
+configure prerequisites for commit signing. By default this section is disabled
+to maintain backwards compatibility.
+
+```yaml
+signing:
+  enabled: false
+  gpgHome: /data/git/.gnupg
+```
 
 ## Examples
 
 ### Gitea Configuration
 
-Gitea offers lots of configuration. This is fully described in the [Gitea Cheat Sheet](https://docs.gitea.io/en-us/config-cheat-sheet/).
+Gitea offers lots of configuration options. This is fully described in the
+[Gitea Cheat Sheet](https://docs.gitea.io/en-us/config-cheat-sheet/).
 
 ```yaml
-  gitea:
+gitea:
   config:
     APP_NAME: "Gitea: With a cup of tea."
     repository:
@@ -47,17 +230,172 @@ Gitea offers lots of configuration. This is fully described in the [Gitea Cheat
     repository.pull-request:
       WORK_IN_PROGRESS_PREFIXES: "WIP:,[WIP]:"
 ```
-### External Database
 
-An external Database can be used instead of builtIn postgresql or mysql.
+### Default Configuration
+
+This chart will set a few defaults in the Gitea configuration based on the
+service and ingress settings. All defaults can be overwritten in `gitea.config`.
+
+INSTALL_LOCK is always set to true, since we want to configure Gitea with this
+helm chart and everything is taken care of.
+
+_All default settings are made directly in the generated app.ini, not in the Values._
+
+#### Database defaults
+
+If a builtIn database is enabled the database configuration is set
+automatically. For example, PostgreSQL builtIn will appear in the app.ini as:
+
+```ini
+[database]
+DB_TYPE = postgres
+HOST = RELEASE-NAME-postgresql.default.svc.cluster.local:5432
+NAME = gitea
+PASSWD = gitea
+USER = gitea
+```
+
+#### Memcached defaults
+
+Memcached is handled the exact same way as database builtIn. Once Memcached
+builtIn is enabled, this chart will generate the following part in the `app.ini`:
+
+```ini
+[cache]
+ADAPTER = memcache
+ENABLED = true
+HOST = RELEASE-NAME-memcached.default.svc.cluster.local:11211
+```
+
+#### Server defaults
+
+The server defaults are a bit more complex. If ingress is `enabled`, the
+`ROOT_URL`, `DOMAIN` and `SSH_DOMAIN` will be set accordingly. `HTTP_PORT`
+always defaults to `3000` as well as `SSH_PORT` to `22`.
+
+```ini
+[server]
+APP_DATA_PATH = /data
+DOMAIN = git.example.com
+HTTP_PORT = 3000
+PROTOCOL = http
+ROOT_URL = http://git.example.com
+SSH_DOMAIN = git.example.com
+SSH_LISTEN_PORT = 22
+SSH_PORT = 22
+ENABLE_PPROF = false
+```
+
+#### Metrics defaults
+
+The Prometheus `/metrics` endpoint is disabled by default.
+
+```ini
+[metrics]
+ENABLED = false
+```
+
+### Additional _app.ini_ settings
+
+> **The [generic](https://docs.gitea.io/en-us/config-cheat-sheet/#overall-default)
+section cannot be defined that way.**
+
+Some settings inside _app.ini_ (like passwords or whole authentication configurations)
+must be considered sensitive and therefore should not be passed via plain text
+inside the _values.yaml_ file. In times of _GitOps_ the values.yaml could be stored
+in a Git repository where sensitive data should never be accessible.
+
+The Helm Chart supports this approach and let the user define custom sources like
+Kubernetes Secrets to be loaded as environment variables during _app.ini_ creation
+or update.
 
 ```yaml
-  gitea:
+gitea:
-    database:
+  additionalConfigSources:
-      builtIn:
+    - secret:
-        postgresql:
+        secretName: gitea-app-ini-oauth
-          enabled: false
+    - configMap:
+        name: gitea-app-ini-plaintext
+```
 
+This would mount the two additional volumes (`oauth` and `some-additionals`)
+from different sources to the init containerwhere the _app.ini_ gets updated.
+All files mounted that way will be read and converted to environment variables
+and then added to the _app.ini_ using [environment-to-ini](https://github.com/go-gitea/gitea/tree/main/contrib/environment-to-ini).
+
+The key of such additional source represents the section inside the _app.ini_.
+The value for each key can be multiline ini-like definitions.
+
+In example, the referenced `gitea-app-ini-plaintext` could look like this.
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gitea-app-ini-plaintext
+data:
+  session: |
+    PROVIDER=memory
+    SAME_SITE=strict
+  cron.archive_cleanup: |
+    ENABLED=true
+```
+
+Or when using a Kubernetes secret, having the same data structure:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-security-related-configuration
+type: Opaque
+stringData:
+  security: |
+    PASSWORD_COMPLEXITY=off
+  session: |
+    SAME_SITE=strict
+```
+
+#### User defined environment variables in app.ini
+
+Users are able to define their own environment variables,
+which are loaded into the containers. We also support to
+directly interact with the generated _app.ini_.
+
+To inject self defined variables into the _app.ini_ a
+certain format needs to be honored. This is
+described in detail on the [env-to-ini](https://github.com/go-gitea/gitea/tree/main/contrib/environment-to-ini)
+page.
+
+Note that the Prefix on this helm chart is `ENV_TO_INI`.
+
+For example a database setting needs to have the following
+format:
+
+```yaml
+gitea:
+  additionalConfigFromEnvs:
+    - name: ENV_TO_INI__DATABASE__HOST
+      value: my.own.host
+    - name: ENV_TO_INI__DATABASE__PASSWD
+      valueFrom:
+        secretKeyRef:
+          name: postgres-secret
+          key: password
+```
+
+Priority (highest to lowest) for defining app.ini variables:
+
+1. Environment variables prefixed with `ENV_TO_INI`
+2. Additional config sources
+3. Values defined in `gitea.config`
+
+### External Database
+
+An external Database can be used instead of builtIn PostgreSQL or MySQL.
+
+```yaml
+gitea:
   config:
     database:
       DB_TYPE: mysql
@@ -66,37 +404,90 @@ An external Database can be used instead of builtIn postgresql or mysql.
       USER: root
       PASSWD: gitea
       SCHEMA: gitea
+
+postgresql:
+  enabled: false
 ```
 
 ### Ports and external url
 
-By default port 3000 is used for web traffic and 22 for ssh. Those can be changed:
+By default port `3000` is used for web traffic and `22` for ssh. Those can be changed:
 
 ```yaml
-  service:
+service:
   http:
     port: 3000
   ssh:
     port: 22
 ```
 
-This helmchart automatically configures the clone urls to use the correct ports. You can change these ports by hand using the gitea.config dict. However you should know what you're doing.
+This helm chart automatically configures the clone urls to use the correct
+ports. You can change these ports by hand using the `gitea.config` dict. However
+you should know what you're doing.
+
+### ClusterIP
+
+By default the clusterIP will be set to None, which is the default for headless
+services. However if you want to omit the clusterIP field in the service, use
+the following values:
+
+```yaml
+service:
+  http:
+    type: ClusterIP
+    port: 3000
+    clusterIP:
+  ssh:
+    type: ClusterIP
+    port: 22
+    clusterIP:
+```
+
+### SSH and Ingress
+
+If you're using ingress and won't to use SSH, keep in mind, that ingress is not
+able to forward SSH Ports. You will need a LoadBalancer like `metallb` and a
+setting in your ssh service annotations.
+
+```yaml
+service:
+  ssh:
+    annotations:
+      metallb.universe.tf/allow-shared-ip: test
+```
+
+### SSH on crio based kubernetes cluster
+
+If you use crio as container runtime it is not possible to read from a remote
+repository. You should get an error message like this:
+
+```bash
+$ git clone git@k8s-demo.internal:admin/test.git
+Cloning into 'test'...
+Connection reset by 192.168.179.217 port 22
+fatal: Could not read from remote repository.
+
+Please make sure you have the correct access rights
+and the repository exists.
+```
+
+To solve this problem add the capability `SYS_CHROOT` to the `securityContext`.
+More about this issue [here](https://gitea.com/gitea/helm-chart/issues/161).
 
 ### Cache
 
-This helm chart can use a built in cache. The default is memcached from bitnami.
+This helm chart can use a built in cache. The default is Memcached from bitnami.
 
 ```yaml
-  gitea:
+memcached:
-    cache:
-      builtIn:
   enabled: true
 ```
 
-If the built in cache should not be used simply configure the cache in gitea.config
+If the built in cache should not be used simply configure the cache in
+`gitea.config`.
 
 ```yaml
-  gitea:
+gitea:
   config:
     cache:
       ENABLED: true
@@ -104,12 +495,27 @@ If the built in cache should not be used simply configure the cache in gitea.con
       INTERVAL: 60
       HOST: 127.0.0.1:9090
 ```
+
 ### Persistence
 
-Gitea will be deployed as a statefulset. By simply enabling the persistence and setting the storage class according to your cluster
+Gitea will be deployed as a statefulset. By simply enabling the persistence and
-everything else will be taken care of. The following example will create a PVC as a part of the statefulset. This PVC will not be deleted
+setting the storage class according to your cluster everything else will be
-even if you uninstall the chart.
+taken care of. The following example will create a PVC as a part of the
-When using Postgresql as dependency, this will also be deployed as a statefulset by default. 
+statefulset. This PVC will not be deleted even if you uninstall the chart.
+
+Please note, that an empty storageClass in the persistence will result in
+kubernetes using your default storage class.
+
+If you want to use your own storageClass define it as followed:
+
+```yaml
+persistence:
+  enabled: true
+  storageClass: myOwnStorageClass
+```
+
+When using PostgreSQL as dependency, this will also be deployed as a statefulset
+by default.
 
 If you want to manage your own PVC you can simply pass the PVC name to the chart.
 
@@ -121,7 +527,7 @@ If you want to manage your own PVC you can simply pass the PVC name to the chart
 
 In case that peristence has been disabled it will simply use an empty dir volume.
 
-Postgresql handles the persistence in the exact same way. 
+PostgreSQL handles the persistence in the exact same way.
 You can interact with the postgres settings as displayed in the following example:
 
 ```yaml
@@ -131,7 +537,7 @@ You can interact with the postgres settings as displayed in the following exampl
       existingClaim: MyAwesomeGiteaPostgresClaim
 ```
 
-Mysql also handles persistence the same, even though it is not deployed as a statefulset.
+MySQL also handles persistence the same, even though it is not deployed as a statefulset.
 You can interact with the postgres settings as displayed in the following example:
 
 ```yaml
@@ -143,8 +549,10 @@ You can interact with the postgres settings as displayed in the following exampl
 
 ### Admin User
 
-This chart enables you to create a default admin user. It is also possible to update the password for this user by upgrading or redeloying the chart.
+This chart enables you to create a default admin user. It is also possible to
-It is not possible to delete an admin user after it has been created. This has to be done in the ui.
+update the password for this user by upgrading or redeloying the chart. It is
+not possible to delete an admin user after it has been created. This has to be
+done in the ui. You cannot use `admin` as username.
 
 ```yaml
   gitea:
@@ -154,15 +562,36 @@ It is not possible to delete an admin user after it has been created. This has t
       email: "gi@tea.com"
 ```
 
+You can also use an existing Secret to configure the admin user:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-admin-secret
+type: Opaque
+stringData:
+  username: MyAwesomeGiteaAdmin
+  password: AReallyAwesomeGiteaPassword
+```
+
+```yaml
+gitea:
+    admin:
+      existingSecret: gitea-admin-secret
+```
+
 ### LDAP Settings
 
-Like the admin user the ldap settings can be updated but also disabled or deleted.
+Like the admin user the LDAP settings can be updated.
+All LDAP values from <https://docs.gitea.io/en-us/command-line/#admin> are available.
+
+Multiple LDAP sources can be configured with additional LDAP list items.
 
 ```yaml
   gitea:
     ldap:
-      enabled: true
+      - name: MyAwesomeGiteaLdap
-      name: 'MyAwesomeGiteaLdap'
         securityProtocol: unencrypted
         host: "127.0.0.1"
         port: "389"
@@ -173,6 +602,114 @@ Like the admin user the ldap settings can be updated but also disabled or delete
         bindDn: CN=ldap read,OU=Spezial,DC=example,DC=com
         bindPassword: JustAnotherBindPw
         usernameAttribute: CN
+        publicSSHKeyAttribute: publicSSHKey
+```
+
+You can also use an existing secret to set the bindDn and bindPassword:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-ldap-secret
+type: Opaque
+stringData:
+  bindDn: CN=ldap read,OU=Spezial,DC=example,DC=com
+  bindPassword: JustAnotherBindPw
+```
+
+```yaml
+gitea:
+    ldap:
+      - existingSecret: gitea-ldap-secret
+        ...
+```
+
+:warning: Some options are just flags and therefore don't any values. If they
+are defined in `gitea.ldap` configuration, they will be passed to the Gitea cli
+without any value. Affected options:
+
+- notActive
+- skipTlsVerify
+- allowDeactivateAll
+- synchronizeUsers
+- attributesInBind
+
+### OAuth2 Settings
+
+Like the admin user, OAuth2 settings can be updated and disabled but not
+deleted. Deleting OAuth2 settings has to be done in the ui. All OAuth2 values,
+which are documented [here](https://docs.gitea.io/en-us/command-line/#admin), are
+available.
+
+Multiple OAuth2 sources can be configured with additional OAuth list items.
+
+```yaml
+gitea:
+  oauth:
+    - name: 'MyAwesomeGiteaOAuth'
+      provider: 'openidConnect'
+      key: 'hello'
+      secret: 'world'
+      autoDiscoverUrl: 'https://gitea.example.com/.well-known/openid-configuration'
+      #useCustomUrls:
+      #customAuthUrl:
+      #customTokenUrl:
+      #customProfileUrl:
+      #customEmailUrl:
+```
+
+You can also use an existing secret to set the `key` and `secret`:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-oauth-secret
+type: Opaque
+stringData:
+  key: hello
+  secret: world
+```
+
+```yaml
+gitea:
+  oauth:
+    - name: 'MyAwesomeGiteaOAuth'
+      existingSecret: gitea-oauth-secret
+        ...
+```
+
+### Metrics and profiling
+
+A Prometheus `/metrics` endpoint on the `HTTP_PORT` and `pprof` profiling
+endpoints on port 6060 can be enabled under `gitea`. Beware that the metrics
+endpoint is exposed via the ingress, manage access using ingress annotations for
+example.
+
+To deploy the `ServiceMonitor`, you first need to ensure that you have deployed
+`prometheus-operator` and its
+[CRDs](https://github.com/prometheus-operator/prometheus-operator#customresourcedefinitions).
+
+```yaml
+gitea:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+
+  config:
+    server:
+      ENABLE_PPROF: true
+```
+
+### Pod Annotations
+
+Annotations can be added to the Gitea pod.
+
+```yaml
+gitea:
+  podAnnotations: {}
 ```
 
 ## Configuration
@@ -180,91 +717,210 @@ Like the admin user the ldap settings can be updated but also disabled or delete
 ### Others
 
 | Parameter                                   | Description                                                          | Default |
-|---------------------|-----------------------------------|------------------------------|
+| ------------------------------------------- | -------------------------------------------------------------------- | ------- |
-|statefulset.terminationGracePeriodSeconds| Image to start for this pod | gitea/gitea |
+| `statefulset.terminationGracePeriodSeconds` | How long to wait until forcefully kill the pod                       | `60`    |
-|statefulset.env           | Additional environment variables to pass to containers | [] |
+| `statefulset.env`                           | Additional environment variables to pass to containers               | `[]`    |
-
+| `extraVolumes`                              | Additional volumes to mount to the Gitea statefulset                 | `{}`    |
+| `extraVolumeMounts`                         | Additional volume mounts for the Gitea containers                    | `{}`    |
+| `initPreScript`                             | Bash script copied verbatim to start of init container               |         |
+| `podSecurityContext.fsGroup`                | Set the shared file system group for all containers                  | 1000    |
+| `containerSecurityContext`                  | Run init and Gitea containers as a specific securityContext          | `{}`    |
+| `schedulerName`                             | Use an alternate scheduler, e.g. "stork"                             |         |
 
 ### Image
 
 | Parameter          | Description                                                                               | Default                            |
-|---------------------|-----------------------------------|------------------------------|
+| ------------------ | ----------------------------------------------------------------------------------------- | ---------------------------------- |
-|image.repository| Image to start for this pod | gitea/gitea |
+| `image.repository` | Image to start for this pod                                                               | `gitea/gitea`                      |
-|image.version| Image Version | 1.12.4 |
+| `image.tag`        | [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated)       | see [Chart.AppVersion](Chart.yaml) |
-|image.pullPolicy| Image pull policy | Always |
+| `image.pullPolicy` | Image pull policy                                                                         | `Always`                           |
+| `image.rootless`   | Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher | `false`                            |
 
 ### Persistence
 
 | Parameter                   | Description                                                | Default |
-|---------------------|-----------------------------------|------------------------------|
+| --------------------------- | ---------------------------------------------------------- | ------- |
-|persistence.enabled| Enable persistence for Gitea |true|
+| `persistence.enabled`       | Enable persistence for Gitea                               | `true`  |
-|persistence.existingClaim| Use an existing claim to store repository information | |
+| `persistence.existingClaim` | Use an existing claim to store repository information      |         |
-|persistence.size| Size for persistence to store repo information | 10Gi |
+| `persistence.size`          | Size for persistence to store repo information             | `10Gi`  |
-|persistence.accessModes|AccessMode for persistence||
+| `persistence.accessModes`   | AccessMode for persistence                                 |         |
-|persistence.storageClass|Storage class for repository persistence|standard|
+| `persistence.storageClass`  | Storage class for repository persistence                   |         |
+| `persistence.subPath`       | Subdirectory of the volume to mount at                     |         |
+| `persistence.labels`        | Labels for the persistence volume claim to be created      | `{}`    |
+| `persistence.annotations`   | Annotations for the persistence volume claim to be created | `{}`    |
 
 ### Ingress
 
 | Parameter                            | Description                                                                  | Default                                            |
-|---------------------|-----------------------------------|------------------------------|
+| ------------------------------------ | ---------------------------------------------------------------------------- | -------------------------------------------------- |
-|ingress.enabled| enable ingress | false|
+| `ingress.enabled`                    | enable ingress                                                               | `false`                                            |
-|ingress.annotations| add ingress annotations | |
+| `ingress.annotations`                | add ingress annotations                                                      |                                                    |
-|ingress.hosts| add hosts for ingress as string list | git.example.com |
+| `ingress.hosts[0].host`              | add hosts for ingress                                                        | `git.example.com`                                  |
-|ingress.tls|add ingress tls settings|[]|
+| `ingress.hosts[0].paths[0].path`     | add path for each ingress host                                               | `/`                                                |
+| `ingress.hosts[0].paths[0].pathType` | add ingress path type                                                        | `Prefix`                                           |
+| `ingress.tls`                        | add ingress tls settings                                                     | `[]`                                               |
+| `ingress.className`                  | add ingress class name. Only used in k8s 1.19+                               |                                                    |
+| `ingress.apiVersion`                 | specify APIVersion of ingress object.  Mostly would only be used for argocd. | version indicated by helm's `Capabilities` object. |
 
 ### Service
 
+#### Web
+
 | Parameter                               | Description                                                                                                  | Default     |
-|---------------------|-----------------------------------|------------------------------|
+| --------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ----------- |
-|service.http.type| Kubernetes service type for web traffic | ClusterIP |
+| `service.http.type`                     | Kubernetes service type for web traffic                                                                      | `ClusterIP` |
-|service.http.port| Port for web traffic | 3000 |
+| `service.http.port`                     | Port for web traffic                                                                                         | `3000`      |
-|service.ssh.type| Kubernetes service type for ssh traffic | ClusterIP |
+| `service.http.clusterIP`                | ClusterIP setting for http autosetup for statefulset is None                                                 | `None`      |
-|service.ssh.port| Port for ssh traffic | 22 |
+| `service.http.loadBalancerIP`           | LoadBalancer Ip setting                                                                                      |             |
-|service.ssh.externalTrafficPolicy| If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation | |
+| `service.http.nodePort`                 | NodePort for http service                                                                                    |             |
-|service.ssh.externalIPs| SSH service external IP addresses |[]|
+| `service.http.externalTrafficPolicy`    | If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation |             |
-|service.ssh.annotations| Additional ssh annotations for the ssh service ||
+| `service.http.externalIPs`              | http service external IP addresses                                                                           |             |
+| `service.http.loadBalancerSourceRanges` | Source range filter for http loadbalancer                                                                    | `[]`        |
+| `service.http.annotations`              | http service annotations                                                                                     |             |
+
+#### SSH
+
+| Parameter                              | Description                                                                                                 | Default     |
+| -------------------------------------- | ----------------------------------------------------------------------------------------------------------- | ----------- |
+| `service.ssh.type`                     | Kubernetes service type for ssh traffic                                                                     | `ClusterIP` |
+| `service.ssh.port`                     | Port for ssh traffic                                                                                        | `22`        |
+| `service.ssh.loadBalancerIP`           | LoadBalancer Ip setting                                                                                     |             |
+| `service.ssh.nodePort`                 | NodePort for ssh service                                                                                    |             |
+| `service.ssh.hostPort`                 | HostPort for ssh service                                                                                    |             |
+| `service.ssh.externalTrafficPolicy`    | If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation |             |
+| `service.ssh.externalIPs`              | ssh service external IP addresses                                                                           |             |
+| `service.ssh.loadBalancerSourceRanges` | Source range filter for ssh loadbalancer                                                                    | `[]`        |
+| `service.ssh.annotations`              | ssh service annotations                                                                                     |             |
 
 ### Gitea Configuration
 
 | Parameter      | Description                                                                                          | Default |
-|---------------------|-----------------------------------|------------------------------|
+| -------------- | ---------------------------------------------------------------------------------------------------- | ------- |
-|gitea.config | Everything in app.ini can be configured with this dict. See Examples for more details | {} |
+| `gitea.config` | Everything in `app.ini` can be configured with this dict. See [Examples](#examples) for more details | `{}`    |
+
+### Gitea Probes
+
+Configure Liveness, Readiness and Startup
+[Probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/).
+
+#### Liveness probe
+
+- Default status: Enabled
+- Default action: tcp socket connect
+
+| Parameter                                  | Description                                                          | Default |
+| ------------------------------------------ | -------------------------------------------------------------------- | ------- |
+| `gitea.livenessProbe.initialDelaySeconds`  | Delay before probe start                                             | `200`   |
+| `gitea.livenessProbe.timeoutSeconds`       | probe timeout                                                        | `1`     |
+| `gitea.livenessProbe.periodSeconds`        | period between probes                                                | `10`    |
+| `gitea.livenessProbe.successThreshold`     | Minimum consecutive success probes                                   | `1`     |
+| `gitea.livenessProbe.failureThreshold`     | Minimum consecutive error probes                                     | `10`    |
+
+#### Readiness probe
+
+- Default status: Enabled
+- Default action: tcp socket connect
+
+| Parameter                                  | Description                                                          | Default |
+| ------------------------------------------ | -------------------------------------------------------------------- | ------- |
+| `gitea.readinessProbe.initialDelaySeconds` | Delay before probe start                                             | `5`     |
+| `gitea.readinessProbe.timeoutSeconds`      | probe timeout                                                        | `1`     |
+| `gitea.readinessProbe.periodSeconds`       | period between probes                                                | `10`    |
+| `gitea.readinessProbe.successThreshold`    | Minimum consecutive success probes                                   | `1`     |
+| `gitea.readinessProbe.failureThreshold`    | Minimum consecutive error probes                                     | `3`     |
+
+#### Startup probe
+
+- Default status: Disabled
+- Default action: tcp socket connect
+
+| Parameter                                  | Description                                                          | Default |
+| ------------------------------------------ | -------------------------------------------------------------------- | ------- |
+| `gitea.startupProbe.initialDelaySeconds`   | Delay before probe start                                             | `60`    |
+| `gitea.startupProbe.timeoutSeconds`        | probe timeout                                                        | `1`     |
+| `gitea.startupProbe.periodSeconds`         | period between probes                                                | `10`    |
+| `gitea.startupProbe.successThreshold`      | Minimum consecutive success probes                                   | `1`     |
+| `gitea.startupProbe.failureThreshold`      | Minimum consecutive error probes                                     | `10`    |
 
 ### Memcached BuiltIn
 
-Memcached is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/memcached) if enabled in the values. Complete Configuration can be taken from their website.
+Memcached is loaded as a dependency from
+[Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/memcached) if
+enabled in the values. Complete Configuration can be taken from their website.
 
 The following parameters are the defaults set by this chart
 
 | Parameter                | Description                 | Default |
-|---------------------|-----------------------------------|------------------------------|
+| ------------------------ | --------------------------- | ------- |
-|memcached.service.port|Memcached Port| 11211|
+| `memcached.service.port` | Memcached Port              | 11211   |
+| `memcached.enabled`      | Enable Memcached dependency | `true`  |
 
-### Mysql BuiltIn
+### MySQL BuiltIn
 
-Mysql is loaded as a dependency from stable. Configuration can be found from this [website](https://github.com/helm/charts/tree/master/stable/mysql)
+MySQL is loaded as a dependency from stable. Configuration can be found on this
+[website](https://github.com/helm/charts/tree/master/stable/mysql).
 
 The following parameters are the defaults set by this chart
 
 | Parameter                | Description                                                        | Default |
-|---------------------|-----------------------------------|------------------------------|
+| ------------------------ | ------------------------------------------------------------------ | ------- |
-|mysql.mysqlRootPassword|Password for the root user. Ignored if existing secret is provided|gitea|
+| `mysql.root.password`    | Password for the root user. Ignored if existing secret is provided | `gitea` |
-|mysql.mysqlUser|Username of new user to create.|gitea|
+| `mysql.db.user`          | Username of new user to create.                                    | `gitea` |
-|mysql.mysqlPassword|Password for the new user. Ignored if existing secret is provided|gitea|
+| `mysql.db.password`      | Password for the new user. Ignored if existing secret is provided  | `gitea` |
-|mysql.mysqlDatabase|Name for new database to create.|gitea|
+| `mysql.db.name`          | Name for new database to create.                                   | `gitea` |
-|mysql.service.port|Port to connect to mysql service|3306|
+| `mysql.service.port`     | Port to connect to MySQL service                                   | `3306`  |
-|mysql.persistence|Persistence size for mysql |10Gi|
+| `mysql.persistence.size` | Persistence size for MySQL                                         | `10Gi`  |
+| `mysql.enabled`          | Enable MySQL dependency                                            | `false` |
 
-### Postgresql BuiltIn
+### PostgreSQL BuiltIn
 
-Postgresql is loaded as a dependency from bitnami. Configuration can be found from this [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql)
+PostgreSQL is loaded as a dependency from Bitnami. The chart configuration can
+be found in this
+[Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql)
+repository.
 
 The following parameters are the defaults set by this chart
 
 | Parameter                                         | Description                                              | Default |
-|---------------------|-----------------------------------|------------------------------|
+| ------------------------------------------------- | -------------------------------------------------------- | ------- |
-|postgresql.global.postgresql.postgresqlDatabase| PostgreSQL database (overrides postgresqlDatabase)|gitea|
+| `postgresql.global.postgresql.postgresqlDatabase` | PostgreSQL database (overrides postgresqlDatabase)       | `gitea` |
-|postgresql.global.postgresql.postgresqlUsername| PostgreSQL username (overrides postgresqlUsername)|gitea|
+| `postgresql.global.postgresql.postgresqlUsername` | PostgreSQL username (overrides postgresqlUsername)       | `gitea` |
-|postgresql.global.postgresql.postgresqlPassword| PostgreSQL admin password (overrides postgresqlPassword)|gitea|
+| `postgresql.global.postgresql.postgresqlPassword` | PostgreSQL admin password (overrides postgresqlPassword) | `gitea` |
-|postgresql.global.postgresql.servicePort|PostgreSQL port (overrides service.port)|5432|
+| `postgresql.global.postgresql.servicePort`        | PostgreSQL port (overrides service.port)                 | `5432`  |
-|postgresql.persistence.size| PVC Storage Request for PostgreSQL volume |10Gi|
+| `postgresql.persistence.size`                     | PVC Storage Request for PostgreSQL volume                | `10Gi`  |
+| `postgresql.enabled`                              | Enable PostgreSQL dependency                             | `true`  |
+
+### MariaDB BuiltIn
+
+MariaDB is loaded as a dependency from bitnami. Configuration can be found in
+this [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/mariadb)
+repository.
+
+The following parameters are the defaults set by this chart
+
+| Parameter                          | Description                                                       | Default |
+| ---------------------------------- | ----------------------------------------------------------------- | ------- |
+| `mariadb.auth.username`            | Username of new user to create.                                   | `gitea` |
+| `mariadb.auth.password`            | Password for the new user. Ignored if existing secret is provided | `gitea` |
+| `mariadb.auth.database`            | Name for new database to create.                                  | `gitea` |
+| `mariadb.auth.rootPassword`        | Password for the root user.                                       | `gitea` |
+| `mariadb.primary.service.port`     | Port to connect to MariaDB service                                | `3306`  |
+| `mariadb.primary.persistence.size` | Persistence size for MariaDB                                      | `10Gi`  |
+| `mariadb.enabled`                  | Enable MariaDB dependency                                         | `false` |
+
+## Local development & testing
+
+For local development and testing of pull requests, the following workflow can
+be used:
+
+1. Install `minikube` and `helm`.
+2. Start a `minikube` cluster via `minikube start`.
+3. From the `gitea/helm-chart` directory execute the following command. This
+   will install the dependencies listed in `Chart.yml` and deploy the current
+   state of the helm chart found locally. If you want to test a branch, make
+   sure to switch to the respective branch first.
+  `helm install --dependency-update gitea . -f values.yaml`.
+4. Gitea is now deployed in `minikube`. To access it, it's port needs to be
+   forwarded first from `minikube` to localhost first via `kubectl --namespace
+   default port-forward svc/gitea-http 3000:3000`. Now Gitea is accessible at
+   [http://localhost:3000](http://localhost:3000).

templates/NOTES.txt

@@ -1,7 +1,9 @@
 1. Get the application URL by running these commands:
 {{- if .Values.ingress.enabled }}
 {{- range $host := .Values.ingress.hosts }}
-  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host }}/
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
 {{- end }}
 {{- else if contains "NodePort" .Values.service.http.type }}
   export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "gitea.fullname" . }})
@@ -13,7 +15,6 @@
   export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "gitea.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
   echo http://$SERVICE_IP:{{ .Values.service.port }}
 {{- else if contains "ClusterIP" .Values.service.http.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "gitea.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
   echo "Visit http://127.0.0.1:{{ .Values.service.http.port }} to use your application"
-  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME {{ .Values.service.http.port }}:{{ .Values.service.http.port }}
+  kubectl --namespace {{ .Release.Namespace }} port-forward svc/{{ .Release.Name }}-http {{ .Values.service.http.port }}:{{ .Values.service.http.port }}
 {{- end }}

templates/_helpers.tpl

@@ -31,15 +31,25 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*
+Create image name and tag used by the deployment.
+*/}}
+{{- define "gitea.image" -}}
+{{- $name := .Values.image.repository -}}
+{{- $tag := .Values.image.tag | default .Chart.AppVersion -}}
+{{- $rootless := ternary "-rootless" "" (.Values.image.rootless) -}}
+{{- printf "%s:%s%s" $name $tag $rootless -}}
+{{- end -}}
+
 {{/*
 Common labels
 */}}
 {{- define "gitea.labels" -}}
 helm.sh/chart: {{ include "gitea.chart" . }}
+app: {{ include "gitea.name" . }}
 {{ include "gitea.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
-{{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}
 
@@ -52,38 +62,224 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
 {{- define "postgresql.dns" -}}
-{{- printf "%s-postgresql.%s.svc.cluster.local:%g" .Release.Name .Release.Namespace .Values.postgresql.global.postgresql.servicePort -}}
+{{- printf "%s-postgresql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.postgresql.global.postgresql.servicePort -}}
-{{- end -}}
-
-{{- define "db.servicename" -}}
-{{- if .Values.gitea.database.builtIn.postgresql.enabled -}}
-{{- printf "%s-postgresql" .Release.Name -}}
-{{- else if .Values.gitea.database.builtIn.mysql.enabled -}}
-{{- printf "%s-mysql" .Release.Name -}}
-{{- else -}}
-{{- $parts := split ":" .Values.gitea.config.database.HOST -}}
-{{- printf "%s %s" $parts._0 $parts._1 -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "db.port" -}}
-{{- if .Values.gitea.database.builtIn.postgresql.enabled -}}
-{{ .Values.postgresql.global.postgresql.servicePort }}
-{{- else if .Values.gitea.database.builtIn.mysql.enabled -}}
-{{ .Values.mysql.service.port }}
-{{- else -}}
-{{- end -}}
 {{- end -}}
 
 {{- define "mysql.dns" -}}
-{{- printf "%s-mysql.%s.svc.cluster.local:%g" .Release.Name .Release.Namespace .Values.mysql.service.port | trunc 63 | trimSuffix "-" -}}
+{{- printf "%s-mysql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.mysql.service.port | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "mariadb.dns" -}}
+{{- printf "%s-mariadb.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.mariadb.primary.service.port | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
 {{- define "memcached.dns" -}}
-{{- printf "%s-memcached.%s.svc.cluster.local:%g" .Release.Name .Release.Namespace .Values.memcached.service.port | trunc 63 | trimSuffix "-" -}}
+{{- printf "%s-memcached.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.memcached.service.port | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
 {{- define "gitea.default_domain" -}}
-{{- printf "%s-gitea.%s.svc.cluster.local" (include "gitea.fullname" .) .Release.Namespace  | trunc 63 | trimSuffix "-" -}}
+{{- printf "%s-gitea.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{- define "gitea.ldap_settings" -}}
+{{- $idx := index . 0 }}
+{{- $values := index . 1 }}
+
+{{- if not (hasKey $values "bindDn") -}}
+{{- $_ := set $values "bindDn" "" -}}
+{{- end -}}
+
+{{- if not (hasKey $values "bindPassword") -}}
+{{- $_ := set $values "bindPassword" "" -}}
+{{- end -}}
+
+{{- $flags := list "notActive" "skipTlsVerify" "allowDeactivateAll" "synchronizeUsers" "attributesInBind" -}}
+{{- range $key, $val := $values -}}
+{{- if and (ne $key "enabled") (ne $key "existingSecret") -}}
+{{- if eq $key "bindDn" -}}
+{{- printf "--%s \"${GITEA_LDAP_BIND_DN_%d}\" " ($key | kebabcase) ($idx) -}}
+{{- else if eq $key "bindPassword" -}}
+{{- printf "--%s \"${GITEA_LDAP_PASSWORD_%d}\" " ($key | kebabcase) ($idx) -}}
+{{- else if eq $key "port" -}}
+{{- printf "--%s %d " $key ($val | int) -}}
+{{- else if has $key $flags -}}
+{{- printf "--%s " ($key | kebabcase) -}}
+{{- else -}}
+{{- printf "--%s %s " ($key | kebabcase) ($val | squote) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "gitea.oauth_settings" -}}
+{{- $idx := index . 0 }}
+{{- $values := index . 1 }}
+
+{{- if not (hasKey $values "key") -}}
+{{- $_ := set $values "key" (printf "${GITEA_OAUTH_KEY_%d}" $idx) -}}
+{{- end -}}
+
+{{- if not (hasKey $values "secret") -}}
+{{- $_ := set $values "secret" (printf "${GITEA_OAUTH_SECRET_%d}" $idx) -}}
+{{- end -}}
+
+{{- range $key, $val := $values -}}
+{{- if ne $key "existingSecret" -}}
+{{- printf "--%s %s " ($key | kebabcase) ($val | quote) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "gitea.inline_configuration" -}}
+  {{- include "gitea.inline_configuration.init" . -}}
+  {{- include "gitea.inline_configuration.defaults" . -}}
+
+  {{- $generals := list -}}
+  {{- $inlines := dict -}}
+
+  {{- range $key, $value := .Values.gitea.config  }}
+    {{- if kindIs "map" $value }}
+      {{- if gt (len $value) 0 }}
+        {{- $section := default list (get $inlines $key) -}}
+        {{- range $n_key, $n_value := $value }}
+          {{- $section = append $section (printf "%s=%v" $n_key $n_value) -}}
+        {{- end }}
+        {{- $_ := set $inlines $key (join "\n" $section) -}}
+      {{- end -}}
+    {{- else }}
+      {{- if or (eq $key "APP_NAME") (eq $key "RUN_USER") (eq $key "RUN_MODE") -}}
+        {{- $generals = append $generals (printf "%s=%s" $key $value) -}}
+      {{- else -}}
+        {{- (printf "Key %s cannot be on top level of configuration" $key) | fail -}}
+      {{- end -}}
+    {{- end }}
+  {{- end }}
+
+  {{- $_ := set $inlines "_generals_" (join "\n" $generals) -}}
+  {{- toYaml $inlines -}}
+{{- end -}}
+
+{{- define "gitea.inline_configuration.init" -}}
+  {{- if not (hasKey .Values.gitea.config "cache") -}}
+    {{- $_ := set .Values.gitea.config "cache" dict -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config "server") -}}
+    {{- $_ := set .Values.gitea.config "server" dict -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config "metrics") -}}
+    {{- $_ := set .Values.gitea.config "metrics" dict -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config "database") -}}
+    {{- $_ := set .Values.gitea.config "database" dict -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config "security") -}}
+    {{- $_ := set .Values.gitea.config "security" dict -}}
+  {{- end -}}
+  {{- if not .Values.gitea.config.repository -}}
+    {{- $_ := set .Values.gitea.config "repository" dict -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config "oauth2") -}}
+    {{- $_ := set .Values.gitea.config "oauth2" dict -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "gitea.inline_configuration.defaults" -}}
+  {{- include "gitea.inline_configuration.defaults.server" . -}}
+  {{- include "gitea.inline_configuration.defaults.database" . -}}
+
+  {{- if not .Values.gitea.config.repository.ROOT -}}
+    {{- $_ := set .Values.gitea.config.repository "ROOT" "/data/git/gitea-repositories" -}}
+  {{- end -}}
+  {{- if not .Values.gitea.config.security.INSTALL_LOCK -}}
+    {{- $_ := set .Values.gitea.config.security "INSTALL_LOCK" "true" -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
+    {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
+  {{- end -}}
+  {{- if .Values.memcached.enabled -}}
+    {{- $_ := set .Values.gitea.config.cache "ENABLED" "true" -}}
+    {{- $_ := set .Values.gitea.config.cache "ADAPTER" "memcache" -}}
+    {{- if not (.Values.gitea.config.cache.HOST) -}}
+      {{- $_ := set .Values.gitea.config.cache "HOST" (include "memcached.dns" .) -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "gitea.inline_configuration.defaults.server" -}}
+  {{- if not (hasKey .Values.gitea.config.server "HTTP_PORT") -}}
+    {{- $_ := set .Values.gitea.config.server "HTTP_PORT" .Values.service.http.port -}}
+  {{- end -}}
+  {{- if not .Values.gitea.config.server.PROTOCOL -}}
+    {{- $_ := set .Values.gitea.config.server "PROTOCOL" "http" -}}
+  {{- end -}}
+  {{- if not (.Values.gitea.config.server.DOMAIN) -}}
+    {{- if gt (len .Values.ingress.hosts) 0 -}}
+      {{- $_ := set .Values.gitea.config.server "DOMAIN" (index .Values.ingress.hosts 0).host -}}
+    {{- else -}}
+      {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if not .Values.gitea.config.server.ROOT_URL -}}
+    {{- if .Values.ingress.enabled -}}
+      {{- if gt (len .Values.ingress.tls) 0 -}}
+        {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index (index .Values.ingress.tls 0).hosts 0)) -}}
+      {{- else -}}
+        {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index .Values.ingress.hosts 0).host) -}}
+      {{- end -}}
+    {{- else -}}
+      {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL .Values.gitea.config.server.DOMAIN) -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if not .Values.gitea.config.server.SSH_DOMAIN -}}
+    {{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}}
+  {{- end -}}
+  {{- if not .Values.gitea.config.server.SSH_PORT -}}
+    {{- $_ := set .Values.gitea.config.server "SSH_PORT" .Values.service.ssh.port -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config.server "SSH_LISTEN_PORT") -}}
+    {{- if not .Values.image.rootless -}}
+      {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" .Values.gitea.config.server.SSH_PORT -}}
+    {{- else -}}
+      {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" "2222" -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config.server "START_SSH_SERVER") -}}
+    {{- if .Values.image.rootless -}}
+      {{- $_ := set .Values.gitea.config.server "START_SSH_SERVER" "true" -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config.server "APP_DATA_PATH") -}}
+    {{- $_ := set .Values.gitea.config.server "APP_DATA_PATH" "/data" -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config.server "ENABLE_PPROF") -}}
+    {{- $_ := set .Values.gitea.config.server "ENABLE_PPROF" false -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "gitea.inline_configuration.defaults.database" -}}
+  {{- if .Values.postgresql.enabled -}}
+    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "postgres" -}}
+    {{- if not (.Values.gitea.config.database.HOST) -}}
+      {{- $_ := set .Values.gitea.config.database "HOST"      (include "postgresql.dns" .) -}}
+    {{- end -}}
+    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.postgresql.global.postgresql.postgresqlDatabase -}}
+    {{- $_ := set .Values.gitea.config.database "USER"      .Values.postgresql.global.postgresql.postgresqlUsername -}}
+    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.postgresql.global.postgresql.postgresqlPassword -}}
+  {{- else if .Values.mysql.enabled -}}
+    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "mysql" -}}
+    {{- if not (.Values.gitea.config.database.HOST) -}}
+      {{- $_ := set .Values.gitea.config.database "HOST"      (include "mysql.dns" .) -}}
+    {{- end -}}
+    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.mysql.db.name -}}
+    {{- $_ := set .Values.gitea.config.database "USER"      .Values.mysql.db.user -}}
+    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.mysql.db.password -}}
+  {{- else if .Values.mariadb.enabled -}}
+    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "mysql" -}}
+    {{- if not (.Values.gitea.config.database.HOST) -}}
+      {{- $_ := set .Values.gitea.config.database "HOST"      (include "mariadb.dns" .) -}}
+    {{- end -}}
+    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.mariadb.auth.database -}}
+    {{- $_ := set .Values.gitea.config.database "USER"      .Values.mariadb.auth.username -}}
+    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.mariadb.auth.password -}}
+  {{- end -}}
+{{- end -}}

templates/gitea/config.yaml

@@ -1,100 +1,167 @@
 apiVersion: v1
-kind: ConfigMap
+kind: Secret
+metadata:
+  name: {{ include "gitea.fullname" . }}-inline-config
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  {{- include "gitea.inline_configuration" . | nindent 2 }}
+---
+apiVersion: v1
+kind: Secret
 metadata:
   name: {{ include "gitea.fullname" . }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
-data:
+type: Opaque
-  app.ini: |-
+stringData:
-    {{- if not (hasKey .Values.gitea.config "cache") -}}
+  config_environment.sh: |-
-    {{- $_ := set .Values.gitea.config "cache" dict -}}
+    #!/usr/bin/env bash
-    {{- end -}}
+    set -euo pipefail
 
-    {{- if not (hasKey .Values.gitea.config "server") -}}
+    function env2ini::log() {
-    {{- $_ := set .Values.gitea.config "server" dict -}}
+      printf "${1}\n"
-    {{- end -}}
+    }
 
-    {{- if not (hasKey .Values.gitea.config "database") -}}
+    function env2ini::read_config_to_env() {
-    {{- $_ := set .Values.gitea.config "database" dict -}}
+      local section="${1}"
-    {{- end -}}
+      local line="${2}"
 
-    {{- if not (hasKey .Values.gitea.config "security") -}}
+      if [[ -z "${line}" ]]; then
-    {{- $_ := set .Values.gitea.config "security" dict -}}
+        # skip empty line
-    {{- end -}}
+        return
+      fi
       
-    {{- /* security default settings */ -}}   
+      # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
-    {{- if not .Values.gitea.config.security.INSTALL_LOCK -}}
+      local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
-    {{- $_ := set .Values.gitea.config.security "INSTALL_LOCK" "true" -}}
-    {{- end -}}
 
-    {{- /* server default settings */ -}}   
+      if [[ -z "${setting}" ]]; then
-    {{- if not (hasKey .Values.gitea.config.server "HTTP_PORT") -}}
+        env2ini::log '  ! invalid setting'
-    {{- $_ := set .Values.gitea.config.server "HTTP_PORT" .Values.service.http.port -}}
+        exit 1
-    {{- end -}}
+      fi
-    {{- if not .Values.gitea.config.server.PROTOCOL -}}
-    {{- $_ := set .Values.gitea.config.server "PROTOCOL" "http" -}}
-    {{- end -}}
-    {{- if not (.Values.gitea.config.server.DOMAIN) -}}
-    {{- if gt (len .Values.ingress.hosts) 0 -}}
-    {{- $_ := set .Values.gitea.config.server "DOMAIN" (index .Values.ingress.hosts 0) -}}
-    {{- else -}}
-    {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}}
-    {{- end -}}
-    {{- end -}}
-    {{- if not .Values.gitea.config.server.ROOT_URL -}}
-    {{- if .Values.ingress.enabled -}}
-    {{- if gt (len .Values.ingress.tls) 0 -}}
-    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index (index .Values.ingress.tls 0).hosts 0)) -}}
-    {{- else -}}
-    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index .Values.ingress.hosts 0)) -}}
-    {{- end -}}
-    {{- else -}}
-    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL .Values.gitea.config.server.DOMAIN) -}}
-    {{- end -}}
-    {{- end -}}
-    {{- if not .Values.gitea.config.server.SSH_DOMAIN -}}
-    {{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}}
-    {{- end -}}
-    {{- if not .Values.gitea.config.server.SSH_PORT -}}
-    {{- $_ := set .Values.gitea.config.server "SSH_PORT" .Values.service.ssh.port -}}
-    {{- end -}}
-    {{- if not (hasKey .Values.gitea.config.server "SSH_LISTEN_PORT") -}}
-    {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" .Values.gitea.config.server.SSH_PORT -}}
-    {{- end -}}
 
-    {{- /* database default settings */ -}}
+      local value=''
-    {{- if .Values.gitea.database.builtIn.postgresql.enabled -}}
+      local regex="^${setting}(\s*)=(\s*)(.*)"
-    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "postgres" -}} 
+      if [[ $line =~ $regex ]]; then
-    {{- $_ := set .Values.gitea.config.database "HOST"      (include "postgresql.dns" .) -}}
+        value="${BASH_REMATCH[3]}"
-    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.postgresql.global.postgresql.postgresqlDatabase -}}
+      else
-    {{- $_ := set .Values.gitea.config.database "USER"      .Values.postgresql.global.postgresql.postgresqlUsername -}}
+        env2ini::log '  ! invalid setting'
-    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.postgresql.global.postgresql.postgresqlPassword -}}
+        exit 1
-    {{ else if .Values.gitea.database.builtIn.mysql.enabled -}}
+      fi
-    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "mysql" -}} 
-    {{- $_ := set .Values.gitea.config.database "HOST"      (include "mysql.dns" .) -}}
-    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.mysql.db.name -}}
-    {{- $_ := set .Values.gitea.config.database "USER"      .Values.mysql.db.user -}}
-    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.mysql.db.password -}}
-    {{- end -}}
 
-    {{- /* cache default settings */ -}}
+      env2ini::log "    + '${setting}'"
-    {{- if .Values.gitea.cache.builtIn.enabled -}}
-    {{- $_ := set .Values.gitea.config.cache "ENABLED" "true" -}}
-    {{- $_ := set .Values.gitea.config.cache "ADAPTER" "memcache" -}}
-    {{- $_ := set .Values.gitea.config.cache "HOST" (include "memcached.dns" .) -}}
-    {{- end -}}
 
-    {{- /* autogenerate app.ini */ -}}
+      if [[ -z "${section}" ]]; then
-    {{- range $key, $value := .Values.gitea.config  }}
+        export "ENV_TO_INI____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
-    {{- if kindIs "map" $value }}
+        return
-    {{- if gt (len $value) 0 }}
+      fi
 
-    [{{ $key }}]
+      local masked_section="${section//./_0X2E_}"                            # '//' instructs to replace all matches
-    {{- range $n_key, $n_value := $value }}
+      masked_section="${masked_section//-/_0X2D_}"
-    {{ $n_key | upper }} = {{ $n_value }}
+
-    {{- end }}
+      export "ENV_TO_INI__${masked_section^^}__${setting^^}=${value}"        # '^^' makes the variable content uppercase
-    {{- end }}
+    }
-    {{- else }}
+
-    {{ $key | upper }} = {{ $value }}
+    function env2ini::reload_preset_envs() {
-    {{- end }}
+      env2ini::log "Reloading preset envs..."
-    {{- end }}
+
+      while read -r line; do
+        if [[ -z "${line}" ]]; then
+          # skip empty line
+          return
+        fi
+
+        # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
+        local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
+
+        if [[ -z "${setting}" ]]; then
+          env2ini::log '  ! invalid setting'
+          exit 1
+        fi
+
+        local value=''
+        local regex="^${setting}(\s*)=(\s*)(.*)"
+        if [[ $line =~ $regex ]]; then
+          value="${BASH_REMATCH[3]}"
+        else
+          env2ini::log '  ! invalid setting'
+          exit 1
+        fi
+
+        env2ini::log "  + '${setting}'"
+
+        export "${setting^^}=${value}"                           # '^^' makes the variable content uppercase
+      done < "/tmp/existing-envs"
+
+      rm /tmp/existing-envs
+    }
+
+
+    function env2ini::process_config_file() {
+      local config_file="${1}"
+      local section="$(basename "${config_file}")"
+
+      if [[ $section == '_generals_' ]]; then
+        env2ini::log "  [ini root]"
+        section=''
+      else
+        env2ini::log "  ${section}"
+      fi
+
+      while read -r line; do
+        env2ini::read_config_to_env "${section}" "${line}"
+      done < <(awk 1 "${config_file}")                             # Helm .toYaml trims the trailing new line which breaks line processing; awk 1 ... adds it back while reading
+    }
+
+    function env2ini::load_config_sources() {
+      local path="${1}"
+
+      env2ini::log "Processing $(basename "${path}")..."
+
+      while read -d '' configFile; do
+        env2ini::process_config_file "${configFile}"
+      done < <(find "${path}" -type l -not -name '..data' -print0)
+
+      env2ini::log "\n"
+    }
+
+    function env2ini::generate_initial_secrets() {
+      # These environment variables will either be
+      #   - overwritten with user defined values,
+      #   - initially used to set up Gitea
+      # Anyway, they won't harm existing app.ini files
+
+      export ENV_TO_INI__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
+      export ENV_TO_INI__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
+      export ENV_TO_INI__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
+
+      env2ini::log "...Initial secrets generated\n"
+    }
+
+    env | (grep ENV_TO_INI || [[ $? == 1 ]]) > /tmp/existing-envs
+    
+    # MUST BE CALLED BEFORE OTHER CONFIGURATION
+    env2ini::generate_initial_secrets
+
+    env2ini::load_config_sources '/env-to-ini-mounts/inlines/'
+    env2ini::load_config_sources '/env-to-ini-mounts/additionals/'
+
+    # load existing envs to override auto generated envs
+    env2ini::reload_preset_envs
+
+    env2ini::log "=== All configuration sources loaded ===\n"
+
+    # safety to prevent rewrite of secret keys if an app.ini already exists
+    if [ -f ${GITEA_APP_INI} ]; then
+      env2ini::log 'An app.ini file already exists. To prevent overwriting secret keys, these settings are dropped and remain unchanged:'
+      env2ini::log '  - security.INTERNAL_TOKEN'
+      env2ini::log '  - security.SECRET_KEY'
+      env2ini::log '  - oauth2.JWT_SECRET'
+
+      unset ENV_TO_INI__SECURITY__INTERNAL_TOKEN
+      unset ENV_TO_INI__SECURITY__SECRET_KEY
+      unset ENV_TO_INI__OAUTH2__JWT_SECRET
+    fi
+
+    environment-to-ini -o $GITEA_APP_INI -p ENV_TO_INI

templates/gitea/deprecation.yaml

@@ -0,0 +1,34 @@
+{{- if .Values.checkDeprecation -}}
+  {{/* CUSTOM PROBES */}}
+  {{- if .Values.gitea.customLivenessProbe -}}
+    {{- fail "`gitea.customLivenessProbe` does no longer exist. Please refer to the changelog and configure `gitea.livenessProbe` instead." -}}
+  {{- end -}}
+  {{- if .Values.gitea.customReadinessProbe -}}
+    {{- fail "`gitea.customReadinessProbe` does no longer exist. Please refer to the changelog and configure `gitea.readinessProbe` instead." -}}
+  {{- end -}}
+  {{- if .Values.gitea.customStartupProbe -}}
+    {{- fail "`gitea.customStartupProbe` does no longer exist. Please refer to the changelog and configure `gitea.startupProbe` instead." -}}
+  {{- end -}}
+
+  {{/* LDAP SOURCES */}}
+  {{- if kindIs "map" .Values.gitea.ldap -}}
+    {{- fail "You can configure multiple LDAP sources. Please refer to the changelog and switch `gitea.ldap` from object to array notation." -}}
+  {{- end -}}
+  
+  {{/* OAUTH SOURCES */}}
+  {{- if kindIs "map" .Values.gitea.oauth -}}
+    {{- fail "You can configure multiple OAuth sources. Please refer to the changelog and switch `gitea.oauth` from object to array notation." -}}
+  {{- end -}}
+  
+  {{/* BUILTIN */}}
+  {{- if .Values.gitea.cache -}}
+    {{- if .Values.gitea.cache.builtIn -}}
+      {{- fail "`gitea.cache.builtIn` does no longer exist. Please use `memcached` at root level instead." -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if .Values.gitea.database -}}
+    {{- if .Values.gitea.database.builtIn -}}
+      {{- fail "`gitea.database.builtIn` does no longer exist. Builtin databases can be configured inside the dependencies itself. Please refer to the changelog." -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}

templates/gitea/http-svc.yaml

@@ -4,9 +4,29 @@ metadata:
   name: {{ include "gitea.fullname" . }}-http
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
+  annotations:
+    {{- toYaml .Values.service.http.annotations | nindent 4 }}
 spec:
   type: {{ .Values.service.http.type }}
-  clusterIP: None
+  {{- if and .Values.service.http.loadBalancerIP (eq .Values.service.http.type "LoadBalancer") }}
+  loadBalancerIP: {{ .Values.service.http.loadBalancerIP  }}
+  {{- end }}
+  {{- if .Values.service.http.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+  {{- range .Values.service.http.loadBalancerSourceRanges }}
+    - {{ . }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.service.http.externalIPs }}
+  externalIPs:
+    {{- toYaml .Values.service.http.externalIPs | nindent 4 }}
+  {{- end }}
+  {{- if .Values.service.http.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .Values.service.http.externalTrafficPolicy }}
+  {{- end }}
+  {{- if and .Values.service.http.clusterIP (eq .Values.service.http.type "ClusterIP") }}
+  clusterIP: {{ .Values.service.http.clusterIP }}
+  {{- end }}
   ports:
   - name: http
     port: {{ .Values.service.http.port }}

templates/gitea/ingress.yaml

@@ -1,11 +1,15 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "gitea.fullname" . -}}
 {{- $httpPort := .Values.service.http.port -}}
-{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+{{- $apiVersion := "extensions/v1beta1" -}}
-apiVersion: networking.k8s.io/v1beta1
+{{- if .Values.ingress.apiVersion -}}
-{{- else -}}
+{{- $apiVersion = .Values.ingress.apiVersion -}}
-apiVersion: extensions/v1beta1
+{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
+{{- $apiVersion = "networking.k8s.io/v1" }}
+{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" -}}
+{{- $apiVersion = "networking.k8s.io/v1beta1" }}
 {{- end }}
+apiVersion: {{ $apiVersion }}
 kind: Ingress
 metadata:
   name: {{ $fullName }}
@@ -16,6 +20,9 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
+{{- if .Values.ingress.className }}
+  ingressClassName: {{ .Values.ingress.className }}
+{{- end }}
 {{- if .Values.ingress.tls }}
   tls:
   {{- range .Values.ingress.tls }}
@@ -28,12 +35,24 @@ spec:
 {{- end }}
   rules:
     {{- range .Values.ingress.hosts }}
-    - host: {{ . | quote }}
+    - host: {{ .host | quote }}
       http:
         paths:
-          - path: /
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- if and .pathType (eq $apiVersion "networking.k8s.io/v1") }}
+            pathType: {{ .pathType }}
+            {{- end }}
             backend:
+            {{- if eq $apiVersion "networking.k8s.io/v1" }}
+              service:
+                name: {{ $fullName }}-http
+                port:
+                  number: {{ $httpPort }}
+            {{- else }}
               serviceName: {{ $fullName }}-http
               servicePort: {{ $httpPort }}
             {{- end }}
+          {{- end }}
+    {{- end }}
 {{- end }}

templates/gitea/init.yaml

@@ -0,0 +1,116 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "gitea.fullname" . }}-init
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  init_directory_structure.sh: |-
+    #!/usr/bin/env bash
+
+    set -euo pipefail
+
+    {{- if .Values.initPreScript }}
+    # BEGIN: initPreScript
+    {{- with .Values.initPreScript -}}
+    {{ . | nindent 4}}
+    {{- end -}}
+    # END: initPreScript
+    {{- end }}
+
+    set -x
+
+    {{- if not .Values.image.rootless }}
+    chown 1000:1000 /data
+    {{- end }}
+    mkdir -p /data/git/.ssh
+    chmod -R 700 /data/git/.ssh
+    [ ! -d /data/gitea ] && mkdir -p /data/gitea/conf
+
+    # prepare temp directory structure
+    mkdir -p "${GITEA_TEMP}"
+    {{- if not .Values.image.rootless }}
+    chown 1000:1000 "${GITEA_TEMP}"
+    {{- end }}
+    chmod ug+rwx "${GITEA_TEMP}"
+
+  configure_gitea.sh: |-
+    #!/usr/bin/env bash
+
+    set -euo pipefail
+
+    echo '==== BEGIN GITEA CONFIGURATION ===='
+
+    { # try
+      gitea migrate
+    } || { # catch
+      echo "Gitea migrate might fail due to database connection...This init-container will try again in a few seconds"
+      exit 1
+    }
+    
+
+    {{- if or .Values.gitea.admin.existingSecret (and .Values.gitea.admin.username .Values.gitea.admin.password) }}
+    function configure_admin_user() {
+      local ACCOUNT_ID=$(gitea admin user list --admin | grep -e "\s\+${GITEA_ADMIN_USERNAME}\s\+" | awk -F " " "{printf \$1}")
+      if [[ -z "${ACCOUNT_ID}" ]]; then
+        echo "No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now..."
+        gitea admin user create --admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }} --must-change-password=false
+        echo '...created.'
+      else
+        echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
+        gitea admin user change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}"
+        echo '...password sync done.'
+      fi
+    }
+
+    configure_admin_user
+    {{- end }}
+
+    function configure_ldap() {
+      {{- if .Values.gitea.ldap }}
+      {{- range $idx, $value := .Values.gitea.ldap }}
+      local LDAP_NAME={{ (printf "%s" $value.name) | squote }}
+      local GITEA_AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${LDAP_NAME}\s+\|" | grep -iE '\|LDAP \(via BindDN\)\s+\|' | awk -F " "  "{print \$1}")
+
+      if [[ -z "${GITEA_AUTH_ID}" ]]; then
+        echo "No ldap configuration found with name '${LDAP_NAME}'. Installing it now..."
+        gitea admin auth add-ldap {{- include "gitea.ldap_settings" (list $idx $value) | indent 1 }}
+        echo '...installed.'
+      else
+        echo "Existing ldap configuration with name '${LDAP_NAME}': '${GITEA_AUTH_ID}'. Running update to sync settings..."
+        gitea admin auth update-ldap --id "${GITEA_AUTH_ID}" {{- include "gitea.ldap_settings" (list $idx $value) | indent 1 }}
+        echo '...sync settings done.'
+      fi
+      {{- end }}
+      {{- else }}
+        echo 'no ldap configuration... skipping.'
+      {{- end }}
+    }
+
+    configure_ldap
+
+    function configure_oauth() {
+      {{- if .Values.gitea.oauth }}
+      {{- range $idx, $value := .Values.gitea.oauth }}
+      local OAUTH_NAME={{ (printf "%s" $value.name) | squote }}
+      local AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " "  "{print \$1}")
+
+      if [[ -z "${AUTH_ID}" ]]; then
+        echo "No oauth configuration found with name '${OAUTH_NAME}'. Installing it now..."
+        gitea admin auth add-oauth {{- include "gitea.oauth_settings" (list $idx $value) | indent 1 }}
+        echo '...installed.'
+      else
+        echo "Existing oauth configuration with name '${OAUTH_NAME}': '${AUTH_ID}'. Running update to sync settings..."
+        gitea admin auth update-oauth --id "${AUTH_ID}" {{- include "gitea.oauth_settings" (list $idx $value) | indent 1 }}
+        echo '...sync settings done.'
+      fi
+      {{- end }}
+      {{- else }}
+        echo 'no oauth configuration... skipping.'
+      {{- end }}
+    }
+
+    configure_oauth
+
+    echo '==== END GITEA CONFIGURATION ===='

templates/gitea/servicemonitor.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.gitea.metrics.serviceMonitor.enabled -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "gitea.fullname" . }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    {{- if .Values.gitea.metrics.serviceMonitor.additionalLabels }}
+    {{- toYaml .Values.gitea.metrics.serviceMonitor.additionalLabels | nindent 4 }}
+    {{- end }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "gitea.selectorLabels" . | nindent 6 }}
+  endpoints:
+  - port: http
+{{- end -}}

templates/gitea/ssh-svc.yaml

@@ -5,18 +5,26 @@ metadata:
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
   annotations:
-{{ toYaml .Values.service.ssh.annotations | indent 4 }}
+    {{- toYaml .Values.service.ssh.annotations | nindent 4 }}
 spec:
   type: {{ .Values.service.ssh.type }}
-  {{- if and .Values.service.ssh.loadBalancerIP (eq .Values.service.ssh.type "LoadBalancer") }}
+  {{- if eq .Values.service.ssh.type "LoadBalancer" }}
+  {{- if .Values.service.ssh.loadBalancerIP }}
   loadBalancerIP: {{ .Values.service.ssh.loadBalancerIP }}
+  {{- end -}}
+  {{- if .Values.service.ssh.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+  {{- range .Values.service.ssh.loadBalancerSourceRanges }}
+    - {{ . }}
   {{- end }}
-  {{- if ne .Values.service.ssh.type "LoadBalancer" }}
+  {{- end }}
-  clusterIP: None
+  {{- end }}
+  {{- if and .Values.service.ssh.clusterIP (eq .Values.service.ssh.type "ClusterIP") }}
+  clusterIP: {{ .Values.service.ssh.clusterIP }}
   {{- end }}
   {{- if .Values.service.ssh.externalIPs }}
   externalIPs:
-  {{ toYaml .Values.service.ssh.externalIPs | indent 4 }}
+    {{- toYaml .Values.service.ssh.externalIPs | nindent 4 }}
   {{- end }}
   {{- if .Values.service.ssh.externalTrafficPolicy }}
   externalTrafficPolicy: {{ .Values.service.ssh.externalTrafficPolicy }}

templates/gitea/statefulset.yaml

@@ -9,77 +9,201 @@ spec:
   selector:
     matchLabels:
       {{- include "gitea.selectorLabels" . | nindent 6 }}
+      {{- if .Values.statefulset.labels }}
+      {{- toYaml .Values.statefulset.labels | nindent 6 }}
+      {{- end }}
   serviceName: {{ include "gitea.fullname" . }}
   template:
     metadata:
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/gitea/config.yaml") . | sha256sum }}
+        {{- range $idx, $value := .Values.gitea.ldap }}
+        checksum/ldap_{{ $idx }}: {{ include "gitea.ldap_settings" (list $idx $value) | sha256sum }}
+        {{- end }}
+        {{- range $idx, $value := .Values.gitea.oauth }}
+        checksum/oauth_{{ $idx }}: {{ include "gitea.oauth_settings" (list $idx $value) | sha256sum }}
+        {{- end }}
+        {{- with .Values.gitea.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
       labels:
-        {{- include "gitea.selectorLabels" . | nindent 8 }}
+        {{- include "gitea.labels" . | nindent 8 }}
+        {{- if .Values.statefulset.labels }}
+        {{- toYaml .Values.statefulset.labels | nindent 8 }}
+        {{- end }}
     spec:
+      {{- if .Values.schedulerName }}
+      schedulerName: "{{ .Values.schedulerName }}"
+      {{- end }}
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       securityContext:
-        fsGroup: 1000
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
       initContainers:
-        - name: init
+        - name: init-directories
-          image: "{{ .Values.image.repository }}:{{ .Values.image.version }}"
+          image: "{{ include "gitea.image" . }}"
+          command: ["/usr/sbin/init_directory_structure.sh"]
           env:
-            - name: SCRIPT
+            - name: GITEA_APP_INI
-              value: &script |-
+              value: /data/gitea/conf/app.ini
-                mkdir -p /data/gitea/conf
+            - name: GITEA_CUSTOM
-                cp /etc/gitea/conf/app.ini /data/gitea/conf/app.ini
+              value: /data/gitea
-                chmod a+rwx /data/gitea/conf/app.ini
+            - name: GITEA_WORK_DIR
-                nc -v -w2 -z {{ include "db.servicename" . }} {{ include "db.port" . }} && \
+              value: /data
-                su git -c ' \
+            - name: GITEA_TEMP
-                set -x; \
+              value: /tmp/gitea
-                gitea migrate; \
+            {{- if .Values.statefulset.env }}
-                {{- if and .Values.gitea.admin.username .Values.gitea.admin.password }}
+            {{- toYaml .Values.statefulset.env | nindent 12 }}
-                gitea admin create-user --username  {{ .Values.gitea.admin.username }} --password '{{ .Values.gitea.admin.password }}' --email {{ .Values.gitea.admin.email }} --admin \
-                || \
-                gitea admin change-password --username {{ .Values.gitea.admin.username }} --password '{{ .Values.gitea.admin.password }}'; \
             {{- end }}
-                {{- if .Values.gitea.ldap.enabled }}
-                gitea admin auth add-ldap \
-                --name {{ .Values.gitea.ldap.name | quote }} \
-                --security-protocol {{ .Values.gitea.ldap.securityProtocol | quote }} \
-                --host {{ .Values.gitea.ldap.host | quote }} \
-                --port {{ .Values.gitea.ldap.port | int}} \
-                --user-search-base {{ .Values.gitea.ldap.userSearchBase | quote }} \
-                --user-filter {{ .Values.gitea.ldap.userFilter | quote }} \
-                --admin-filter {{ .Values.gitea.ldap.adminFilter | quote }} \
-                --email-attribute {{ .Values.gitea.ldap.emailAttribute | quote }} \
-                --bind-dn {{ .Values.gitea.ldap.bindDn | quote }} \
-                --bind-password {{ .Values.gitea.ldap.bindPassword | quote }} \
-                --synchronize-users \
-                --username-attribute {{ .Values.gitea.ldap.usernameAttribute | quote }} \
-                || \
-                ( \
-                  export GITEA_AUTH_ID=$(gitea admin auth list | grep {{ .Values.gitea.ldap.name | quote }} | awk -F " "  "{print \$1}"); \
-                  gitea admin auth update-ldap --id ${GITEA_AUTH_ID} \
-                  --name {{ .Values.gitea.ldap.name | quote }} \
-                  --security-protocol {{ .Values.gitea.ldap.securityProtocol | quote }} \
-                  --host {{ .Values.gitea.ldap.host | quote }} \
-                  --port {{ .Values.gitea.ldap.port | int}} \
-                  --user-search-base {{ .Values.gitea.ldap.userSearchBase | quote }} \
-                  --user-filter {{ .Values.gitea.ldap.userFilter | quote }} \
-                  --admin-filter {{ .Values.gitea.ldap.adminFilter | quote }} \
-                  --email-attribute {{ .Values.gitea.ldap.emailAttribute | quote }} \
-                  --bind-dn {{ .Values.gitea.ldap.bindDn | quote }} \
-                  --bind-password {{ .Values.gitea.ldap.bindPassword | quote }} \
-                  --synchronize-users \
-                  --username-attribute {{ .Values.gitea.ldap.usernameAttribute | quote }} \
-                ) \
-                {{- end }}
-                '
-          command: ["/bin/sh",'-c', *script]
           volumeMounts:
-            - name: config
+            - name: init
-              mountPath: /etc/gitea/conf
+              mountPath: /usr/sbin
+            - name: temp
+              mountPath: /tmp
             - name: data
               mountPath: /data
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
+            {{- if .Values.extraVolumeMounts }}
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+            {{- end }}
+          securityContext:
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+        - name: init-app-ini
+          image: "{{ include "gitea.image" . }}"
+          command: ["/usr/sbin/config_environment.sh"]
+          env:
+            - name: GITEA_APP_INI
+              value: /data/gitea/conf/app.ini
+            - name: GITEA_CUSTOM
+              value: /data/gitea
+            - name: GITEA_WORK_DIR
+              value: /data
+            - name: GITEA_TEMP
+              value: /tmp/gitea
+            {{- if .Values.statefulset.env }}
+            {{- toYaml .Values.statefulset.env | nindent 12 }}
+            {{- end }}
+            {{- if .Values.gitea.additionalConfigFromEnvs }}
+            {{- toYaml .Values.gitea.additionalConfigFromEnvs | nindent 12 }}
+            {{- end }}
+          volumeMounts:
+            - name: config
+              mountPath: /usr/sbin
+            - name: temp
+              mountPath: /tmp
+            - name: data
+              mountPath: /data
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
+            - name: inline-config-sources
+              mountPath: /env-to-ini-mounts/inlines/
+            {{- range $idx, $value := .Values.gitea.additionalConfigSources }}
+            - name: additional-config-sources-{{ $idx }}
+              mountPath: "/env-to-ini-mounts/additionals/{{ $idx }}/"
+            {{- end }}
+            {{- if .Values.extraVolumeMounts }}
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+            {{- end }}
+          securityContext:
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+        - name: configure-gitea
+          image: "{{ include "gitea.image" . }}"
+          command: ["/usr/sbin/configure_gitea.sh"]
+          securityContext:
+            {{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
+            {{- $csc := deepCopy .Values.containerSecurityContext -}}
+            {{- if not (hasKey $csc "runAsUser") -}}
+            {{- $_ := set $csc "runAsUser" 1000 -}}
+            {{- end -}}
+            {{- toYaml $csc | nindent 12 }}
+          env:
+            - name: GITEA_APP_INI
+              value: /data/gitea/conf/app.ini
+            - name: GITEA_CUSTOM
+              value: /data/gitea
+            - name: GITEA_WORK_DIR
+              value: /data
+            - name: GITEA_TEMP
+              value: /tmp/gitea
+            {{- if .Values.gitea.ldap }}
+            {{- range $idx, $value := .Values.gitea.ldap }}
+            {{- if $value.existingSecret }}
+            - name: GITEA_LDAP_BIND_DN_{{ $idx }}
+              valueFrom:
+                secretKeyRef:
+                  key:  bindDn
+                  name: {{ $value.existingSecret }}
+            - name: GITEA_LDAP_PASSWORD_{{ $idx }}
+              valueFrom:
+                secretKeyRef:
+                  key:  bindPassword
+                  name: {{ $value.existingSecret }}
+            {{- else }}
+            - name: GITEA_LDAP_BIND_DN_{{ $idx }}
+              value: {{ $value.bindDn | quote }}
+            - name: GITEA_LDAP_PASSWORD_{{ $idx }}
+              value: {{ $value.bindPassword | quote }}
+            {{- end }}
+            {{- end }}
+            {{- end }}
+            {{- if .Values.gitea.oauth }}
+            {{- range $idx, $value := .Values.gitea.oauth }}
+            {{- if $value.existingSecret }}
+            - name: GITEA_OAUTH_KEY_{{ $idx }}
+              valueFrom:
+                secretKeyRef:
+                  key:  key
+                  name: {{ $value.existingSecret }}
+            - name: GITEA_OAUTH_SECRET_{{ $idx }}
+              valueFrom:
+                secretKeyRef:
+                  key:  secret
+                  name: {{ $value.existingSecret }}
+            {{- end }}
+            {{- end }}
+            {{- end }}
+            {{- if .Values.gitea.admin.existingSecret }}
+            - name: GITEA_ADMIN_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  key:  username
+                  name: {{ .Values.gitea.admin.existingSecret }}
+            - name: GITEA_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key:  password
+                  name: {{ .Values.gitea.admin.existingSecret }}
+            {{- else }}
+            - name: GITEA_ADMIN_USERNAME
+              value: {{ .Values.gitea.admin.username | quote }}
+            - name: GITEA_ADMIN_PASSWORD
+              value: {{ .Values.gitea.admin.password | quote }}
+            {{- end }}
+            {{- if .Values.statefulset.env }}
+            {{- toYaml .Values.statefulset.env | nindent 12 }}
+            {{- end }}
+          volumeMounts:
+            - name: init
+              mountPath: /usr/sbin
+            - name: temp
+              mountPath: /tmp
+            - name: data
+              mountPath: /data
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
+            {{- if .Values.extraVolumeMounts }}
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+            {{- end }}
       terminationGracePeriodSeconds: {{ .Values.statefulset.terminationGracePeriodSeconds }}
       containers:
         - name: {{ .Chart.Name }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.version }}"
+          image: "{{ include "gitea.image" . }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           env:
             # SSH Port values have to be set here as well for openssh configuration
@@ -87,35 +211,67 @@ spec:
               value: {{ .Values.gitea.config.server.SSH_LISTEN_PORT | quote }}
             - name: SSH_PORT
               value: {{ .Values.gitea.config.server.SSH_PORT | quote }}
-            {{- range .Values.statefulset.env }}
+            - name: GITEA_APP_INI
-            - name: {{ .name | quote | nospace }}
+              value: /data/gitea/conf/app.ini
-              value: {{ .value | quote }}
+            - name: GITEA_CUSTOM
+              value: /data/gitea
+            - name: GITEA_WORK_DIR
+              value: /data
+            - name: GITEA_TEMP
+              value: /tmp/gitea
+            - name: TMPDIR
+              value: /tmp/gitea
+            {{- if .Values.signing.enabled }}
+            - name: GNUPGHOME
+              value: {{ .Values.signing.gpgHome }}
+            {{- end }}
+            {{- if .Values.statefulset.env }}
+            {{- toYaml .Values.statefulset.env | nindent 12 }}
             {{- end }}
           ports:
             - name: ssh
               containerPort: {{ .Values.gitea.config.server.SSH_LISTEN_PORT }}
+            {{- if .Values.service.ssh.hostPort }}
+              hostPort: {{ .Values.service.ssh.hostPort }}
+            {{- end }}
             - name: http
               containerPort: {{ .Values.gitea.config.server.HTTP_PORT }}
+            {{- if .Values.gitea.config.server.ENABLE_PPROF }}
+            - name: profiler
+              containerPort: 6060
+            {{- end }}
+          {{- if .Values.gitea.livenessProbe }}
           livenessProbe:
-            tcpSocket:
+            {{- toYaml .Values.gitea.livenessProbe | nindent 12 }}
-              port: http
+          {{- end }}
-            initialDelaySeconds: 200
+          {{- if .Values.gitea.readinessProbe }}
-            timeoutSeconds: 1
-            periodSeconds: 10
-            successThreshold: 1
-            failureThreshold: 10
           readinessProbe:
-            tcpSocket:
+            {{- toYaml .Values.gitea.readinessProbe | nindent 12 }}
-              port: http
+          {{- end }}
-            initialDelaySeconds: 5
+          {{- if .Values.gitea.startupProbe }}
-            periodSeconds: 10
+          startupProbe:
-            successThreshold: 1
+            {{- toYaml .Values.gitea.startupProbe | nindent 12 }}
-            failureThreshold: 3
+          {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+          securityContext:
+            {{- /* Honor the deprecated securityContext variable when defined */ -}}
+            {{- if .Values.containerSecurityContext -}}
+            {{ toYaml .Values.containerSecurityContext | nindent 12 -}}
+            {{- else -}}
+            {{ toYaml .Values.securityContext | nindent 12 -}}
+            {{- end }}
           volumeMounts:
+            - name: temp
+              mountPath: /tmp
             - name: data
               mountPath: /data
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
+            {{- if .Values.extraVolumeMounts }}
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+            {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -129,13 +285,32 @@ spec:
         {{- toYaml . | nindent 8 }}
     {{- end }}
       volumes:
+        - name: init
+          secret:
+            secretName: {{ include "gitea.fullname" . }}-init
+            defaultMode: 110
         - name: config
-          configMap:
+          secret:
-            name: {{ include "gitea.fullname" . }}
+            secretName: {{ include "gitea.fullname" . }}
+            defaultMode: 110
+        {{- if .Values.extraVolumes }}
+        {{- toYaml .Values.extraVolumes | nindent 8 }}
+        {{- end }}
+        - name: inline-config-sources
+          secret:
+            secretName: {{ include "gitea.fullname" . }}-inline-config
+        {{- range $idx, $value := .Values.gitea.additionalConfigSources }}
+        - name: additional-config-sources-{{ $idx }}
+          {{- toYaml $value | nindent 10 }}
+        {{- end }}
+        - name: temp
+          emptyDir: {}
   {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
         - name: data
           persistentVolumeClaim:
-            claimName: {{ .Values.persistence.existingClaim }}
+  {{- with .Values.persistence.existingClaim }}
+            claimName: {{ tpl . $ }}
+  {{- end }}
   {{- else if not .Values.persistence.enabled }}
         - name: data
           emptyDir: {}
@@ -143,12 +318,26 @@ spec:
   volumeClaimTemplates:
     - metadata:
         name: data
+      {{- with .Values.persistence.annotations }}
+        annotations:
+        {{- range $key, $value := . }}
+          {{ $key }}: {{ $value }}
+        {{- end }}
+      {{- end }}
+      {{- with .Values.persistence.labels }}
+        labels:
+        {{- range $key, $value := . }}
+          {{ $key }}: {{ $value }}
+        {{- end }}
+      {{- end }}
       spec:
         accessModes:
           {{- range .Values.persistence.accessModes }}
             - {{ . | quote }}
           {{- end }}
-        storageClassName: {{ .Values.persistence.storageClass | default "standard" | quote }}
+        {{- if .Values.persistence.storageClass }}
+        storageClassName: {{ .Values.persistence.storageClass | quote }}
+        {{- end }}
         resources:
           requests:
             storage: {{ .Values.persistence.size | quote }}

templates/tests/test-http-connection.yaml

@@ -11,5 +11,5 @@ spec:
     - name: wget
       image: busybox
       command: ['wget']
-      args:  ['{{ include "gitea.fullname" . }}:{{ .Values.service.port }}']
+      args:  ['{{ include "gitea.fullname" . }}-http:{{ .Values.service.http.port }}']
   restartPolicy: Never

values.yaml

@@ -4,37 +4,85 @@
 
 replicaCount: 1
 
+clusterDomain: cluster.local
+
 image:
   repository: gitea/gitea
-  version: 1.12.4
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: ""
   pullPolicy: Always
+  rootless: false # only possible when running 1.14 or later
 
 imagePullSecrets: []
 
+# Security context is only usable with rootless image due to image design
+podSecurityContext:
+  fsGroup: 1000
+
+containerSecurityContext: {}
+#   allowPrivilegeEscalation: false
+#   capabilities:
+#     drop:
+#       - ALL
+#   # Add the SYS_CHROOT capability for root and rootless images if you intend to
+#   # run pods on nodes that use the container runtime cri-o. Otherwise, you will
+#   # get an error message from the SSH server that it is not possible to read from
+#   # the repository.
+#   # https://gitea.com/gitea/helm-chart/issues/161
+#     add:
+#       - SYS_CHROOT
+#   privileged: false
+#   readOnlyRootFilesystem: true
+#   runAsGroup: 1000
+#   runAsNonRoot: true
+#   runAsUser: 1000
+
+# DEPRECATED. The securityContext variable has been split two:
+# - containerSecurityContext
+# - podSecurityContext.
+securityContext: {}
+
 service:
   http:
     type: ClusterIP
     port: 3000
-  ssh:
+    clusterIP: None
-    type: ClusterIP
-    port: 22
     #loadBalancerIP:
     #nodePort:
     #externalTrafficPolicy:
     #externalIPs:
+    loadBalancerSourceRanges: []
+    annotations:
+  ssh:
+    type: ClusterIP
+    port: 22
+    clusterIP: None
+    #loadBalancerIP:
+    #nodePort:
+    #externalTrafficPolicy:
+    #externalIPs:
+    #hostPort:
+    loadBalancerSourceRanges: []
     annotations:
 
 ingress:
   enabled: false
+  # className: nginx
   annotations: {}
     # kubernetes.io/ingress.class: nginx
     # kubernetes.io/tls-acme: "true"
   hosts:
-    - git.example.com
+    - host: git.example.com
+      paths:
+        - path: /
+          pathType: Prefix
   tls: []
   #  - secretName: chart-example-tls
   #    hosts:
   #      - git.example.com
+  # Mostly for argocd or any other CI that uses `helm template | kubectl apply` or similar
+  # If helm doesn't correctly detect your ingress API version you can set it here.
+  # apiVersion: networking.k8s.io/v1
 
 resources: {}
   # We usually recommend not to specify default resources and to leave this as a conscious
@@ -48,6 +96,11 @@ resources: {}
   #   cpu: 100m
   #   memory: 128Mi
 
+## Use an alternate scheduler, e.g. "stork".
+## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+##
+# schedulerName:
+
 nodeSelector: {}
 
 tolerations: []
@@ -59,6 +112,7 @@ statefulset:
     # - name: VARIABLE
     #   value: my-value
   terminationGracePeriodSeconds: 60
+  labels: {}
 
 persistence:
   enabled: true
@@ -66,27 +120,82 @@ persistence:
   size: 10Gi
   accessModes:
     - ReadWriteOnce
-  storageClass: standard
+  labels: {}
+  annotations: {}
+  # storageClass:
+  # subPath:
+
+# additional volumes to add to the Gitea statefulset.
+extraVolumes:
+# - name: postgres-ssl-vol
+#   secret:
+#     secretName: gitea-postgres-ssl
+
+
+# additional volumes to mount, both to the init container and to the main
+# container. As an example, can be used to mount a client cert when connecting
+# to an external Postgres server.
+extraVolumeMounts:
+# - name: postgres-ssl-vol
+#   readOnly: true
+#   mountPath: "/pg-ssl"
+
+# bash shell script copied verbatim to the start of the init-container.
+initPreScript: ""
+#
+# initPreScript: |
+#   mkdir -p /data/git/.postgresql
+#   cp /pg-ssl/* /data/git/.postgresql/
+#   chown -R git:git /data/git/.postgresql/
+#   chmod 400 /data/git/.postgresql/postgresql.key
+
+# Configure commit/action signing prerequisites
+signing:
+  enabled: false
+  gpgHome: /data/git/.gnupg
 
 gitea:
   admin:
+    #existingSecret: gitea-admin-secret
     username: gitea_admin
     password: r8sA8CPHD9!bt6d
     email: "gitea@local.domain"
 
-  ldap:
+  metrics:
     enabled: false
-    name: ""
+    serviceMonitor:
-    securityProtocol: ""
+      enabled: false
-    host: ""
+      #  additionalLabels:
-    port: ""
+      #    prometheus-release: prom1
-    userSearchBase: ""
+
-    userFilter: ""
+  ldap: []
-    adminFilter: ""
+    # - name: "LDAP 1"
-    emailAttribute: ""
+    #  existingSecret:
-    bindDn: ""
+    #  securityProtocol:
-    bindPassword: ""
+    #  host:
-    usernameAttribute: ""
+    #  port:
+    #  userSearchBase:
+    #  userFilter:
+    #  adminFilter:
+    #  emailAttribute:
+    #  bindDn:
+    #  bindPassword:
+    #  usernameAttribute:
+    #  publicSSHKeyAttribute:
+
+  # Either specify inline `key` and `secret` or refer to them via `existingSecret`
+  oauth: []
+    # - name: 'OAuth 1'
+    #   provider:
+    #   key:
+    #   secret:
+    #   existingSecret:
+    #   autoDiscoverUrl:
+    #   useCustomUrls:
+    #   customAuthUrl:
+    #   customTokenUrl:
+    #   customProfileUrl:
+    #   customEmailUrl:
 
   config: {}
   #  APP_NAME: "Gitea: Git with a cup of tea"
@@ -98,22 +207,53 @@ gitea:
   #  security:
   #    PASSWORD_COMPLEXITY: spec
 
-  database:
+  additionalConfigSources: []
-    builtIn:
+  #   - secret:
-      postgresql:
+  #       secretName: gitea-app-ini-oauth
-        enabled: true
+  #   - configMap:
-      mysql:
+  #       name: gitea-app-ini-plaintext
-        enabled: false
 
-  cache:
+  additionalConfigFromEnvs: []
-    builtIn:
+
-      enabled: true
+  podAnnotations: {}
+
+  # Modify the liveness probe for your needs or completely disable it by commenting out.
+  livenessProbe:
+    tcpSocket:
+      port: http
+    initialDelaySeconds: 200
+    timeoutSeconds: 1
+    periodSeconds: 10
+    successThreshold: 1
+    failureThreshold: 10
+
+  # Modify the readiness probe for your needs or completely disable it by commenting out.
+  readinessProbe:
+    tcpSocket:
+      port: http
+    initialDelaySeconds: 5
+    timeoutSeconds: 1
+    periodSeconds: 10
+    successThreshold: 1
+    failureThreshold: 3
+
+  # # Uncomment the startup probe to enable and modify it for your needs.
+  # startupProbe:
+  #   tcpSocket:
+  #     port: http
+  #   initialDelaySeconds: 60
+  #   timeoutSeconds: 1
+  #   periodSeconds: 10
+  #   successThreshold: 1
+  #   failureThreshold: 10
 
 memcached:
+  enabled: true
   service:
     port: 11211
 
 postgresql:
+  enabled: true
   global:
     postgresql:
       postgresqlDatabase: gitea
@@ -124,6 +264,7 @@ postgresql:
     size: 10Gi
 
 mysql:
+  enabled: false
   root:
     password: gitea
   db:
@@ -134,3 +275,20 @@ mysql:
     port: 3306
   persistence:
     size: 10Gi
+
+mariadb:
+  enabled: false
+  auth:
+    database: gitea
+    username: gitea
+    password: gitea
+    rootPassword: gitea
+  primary:
+    service:
+      port: 3306
+    persistence:
+      size: 10Gi
+
+# By default, removed or moved settings that still remain in a user defined values.yaml will cause Helm to fail running the install/update.
+# Set it to false to skip this basic validation check.
+checkDeprecation: true