1.14.6 (#212)

Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/212
Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.io>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-committed-by: techknowlogick <techknowlogick@gitea.io>

.drone.yml

@@ -4,19 +4,19 @@ name: lint
 
 platform:
   os: linux
-  arch: amd64
+  arch: arm64
 
 steps:
 - name: lint
   pull: always
-  image: pelotech/drone-helm3
-  settings:
-    helm_command: lint
-    chart: ./
+  image: alpine:3.13
+  commands:
+    - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
+    - helm lint
 
 - name: discord
   pull: always
-  image: appleboy/drone-discord:1.0.0
+  image: appleboy/drone-discord:1.2.4
   environment:
     DISCORD_WEBHOOK_ID:
       from_secret: discord_webhook_id
@@ -41,23 +41,23 @@ trigger:
 
 steps:
   - name: generate-chart
-    pull: default
-    image: alpine:3.12
+    pull: always
+    image: alpine:3.13
     commands:
-      - wget -q https://get.helm.sh/helm-v3.3.1-linux-arm64.tar.gz -O - | tar -xzO linux-arm64/helm > /usr/local/bin/helm
-      - chmod +x /usr/local/bin/helm
+      - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
+      - apk add --no-cache curl
       - helm dependency update
-      - helm package ./
+      - helm package --version "${DRONE_TAG##v}" ./
       - mkdir gitea
       - mv gitea*.tgz gitea/
-      - wget -O gitea/index.yaml https://dl.gitea.io/charts/index.yaml
+      - curl -L -o gitea/index.yaml https://dl.gitea.io/charts/index.yaml
       - helm repo index gitea/ --url https://dl.gitea.io/charts --merge gitea/index.yaml
 
   - name: upload-chart
-    pull: default
+    pull: always
     image: plugins/s3:latest
     settings:
-      bucket: releases
+      bucket: gitea-artifacts
       endpoint: https://storage.gitea.io
       path_style: true
       access_key:

.gitignore

@@ -1,2 +1,3 @@
 charts
 Chart.lock
+.DS_Store

Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
-version: 1.4.8
-appVersion: 1.12.4
+version: 0.0.0
+appVersion: 1.14.6
 icon: https://docs.gitea.io/images/gitea.png
 
 keywords:
@@ -14,6 +14,7 @@ keywords:
   - gitea
   - gogs
 sources:
+  - https://gitea.com/gitea/helm-chart
   - https://github.com/go-gitea/gitea
   - https://hub.docker.com/r/gitea/gitea/
 maintainers:
@@ -25,17 +26,23 @@ maintainers:
     email: konrad.lother@novum-rgi.de
   - name: Lucas Hahn
     email: lucas.hahn@novum-rgi.de
+  - name: Steven Kriegler
+    email: sk.bunsenbrenner@gmail.com
 
 dependencies:
 - name: memcached
   repository: https://charts.bitnami.com/bitnami
-  version: 4.2.20
+  version: 5.9.0
   condition: gitea.cache.builtIn.enabled
 - name: mysql
   repository: https://charts.bitnami.com/bitnami
-  version: 6.14.8
+  version: 6.14.10
   condition: gitea.database.builtIn.mysql.enabled
 - name: postgresql
   repository: https://charts.bitnami.com/bitnami
-  version: 8.6.4
+  version: 10.3.17
   condition: gitea.database.builtIn.postgresql.enabled
+- name: mariadb
+  repository: https://charts.bitnami.com/bitnami
+  version: 9.3.6
+  condition: gitea.database.builtIn.mariadb.enabled

README.md

@@ -4,13 +4,13 @@
 
 ## Introduction
 
-This helm chart has taken some inspiration from https://github.com/jfelten/gitea-helm-chart
-But takes a completly different approach in providing database and cache with dependencies.
-Also this chart provides ldap and admin user configuration with values as well as it is deployed as statefulset to retain stored repositories.
+This helm chart has taken some inspiration from <https://github.com/jfelten/gitea-helm-chart>
+But takes a completely different approach in providing a database and cache with dependencies.
+Additionally, this chart provides LDAP and admin user configuration with values, as well as being deployed as a statefulset to retain stored repositories.
 
 ## Dependencies
 
-Gitea can be run with external database and cache. This chart provides those dependencies, which can be
+Gitea can be run with an external database and cache. This chart provides those dependencies, which can be
 enabled, or disabled via [configuration](#configuration).
 
 Dependencies:
@@ -21,8 +21,9 @@ Dependencies:
 
 ## Installing
 
-```
+```sh
   helm repo add gitea-charts https://dl.gitea.io/charts/
+  helm repo update
   helm install gitea gitea-charts/gitea
 ```
 
@@ -32,11 +33,85 @@ Dependencies:
 * Helm 3.0+
 * PV provisioner for persistent data support
 
+## Chart upgrade from 3.x.x to 4.0.0
+
+:warning: The most recent 4.0.0 update brings some breaking changes. Please note the following changes in the Chart to upgrade successfully. :warning:
+
+### Ingress changes
+
+To provide a more flexible Ingress configuration we now support not only host settings but also provide configuration for the path and pathType. So this change changes the hosts from a simple string list, to a list containing a more complex object for more configuration.
+
+
+```diff
+ingress:
+  enabled: false
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+-  hosts:
+-    - git.example.com
++  hosts:
++    - host: git.example.com
++      paths:
++        - path: /
++          pathType: Prefix
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - git.example.com
+```
+
+If you want everything as it was before, you can simply add the following code to all your host entries.
+
+```yaml
+paths:
+  - path: /
+    pathType: Prefix
+```
+
+### Dropped kebab-case support
+
+In 3.x.x it was possible to provide an ldap configuration via kebab-case, this support has now been dropped and only camel case is supported.
+See [LDAP section](#ldap-settings) for more information.
+
+### Dependency update
+
+The chart comes with multiple databases and memcached as dependency, the latest release updated the dependencies.
+
+- memcached: 4.2.20 -> 5.9.0
+- postgresql: 9.7.2 -> 10.3.17
+- mariadb: 8.0.0 -> 9.3.6
+
+If you're using the builtin databases you will most likely redeploy the chart in order to update the database correctly.
+
+### Execution of initPreScript
+
+Generally spoken, this might not be a breaking change, but it is worth to be mentioned.  
+Prior to 4.0.0 only one init container was used to both setup directories and configure Gitea. As of now the actual Gitea configuration is separated from the other pre-execution. This also includes the execution of _initPreScript_. If you have such script, please be aware of this. Dynamically prepare the Gitea setup during execution by e.g. adding environment variables to the execution context won't work anymore.
+
+## Gitea Version 1.14.X repository ROOT
+
+Previously the ROOT folder for the gitea repositories was located at /data/git/gitea-repositories
+1.14 changed this to /data/gitea-repositories.
+
+This chart will set the gitea.config.repository.ROOT value default to /data/git/gitea-repositories
+
+## Configure Commit Signing
+
+When using the rootless image the gpg key folder was is not persistent by default. If you consider using signed commits for internal Gitea activities (e.g. initial commit), you'd need to provide a signing key. Prior to [PR 186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be re-imported once the container got replaced by another.  
+The mentioned PR introduced a new configuration object `signing` allowing you to configure prerequisites for commit signing. By default this section is disabled to maintain backwards compatibility.
+
+```yaml
+  signing:
+    enabled: false
+    gpgHome: /data/git/.gnupg
+```
+
 ## Examples
 
 ### Gitea Configuration
 
-Gitea offers lots of configuration. This is fully described in the [Gitea Cheat Sheet](https://docs.gitea.io/en-us/config-cheat-sheet/).
+Gitea offers lots of configuration options. This is fully described in the [Gitea Cheat Sheet](https://docs.gitea.io/en-us/config-cheat-sheet/).
 
 ```yaml
   gitea:
@@ -47,6 +122,66 @@ Gitea offers lots of configuration. This is fully described in the [Gitea Cheat
       repository.pull-request:
         WORK_IN_PROGRESS_PREFIXES: "WIP:,[WIP]:"
 ```
+
+### Default Configuration
+
+This chart will set a few defaults in the gitea configuration based on the service and ingress settings. All defaults can be overwritten in gitea.config.
+
+INSTALL_LOCK is always set to true, since we want to configure gitea with this helm chart and everything is taken care of.
+
+*All default settings are made directly in the generated app.ini, not in the Values.*
+
+#### Database defaults
+
+If a builtIn database is enabled the database configuration is set automatically. For example, postgresql builtIn will appear in the app.ini as:
+
+```ini
+[database]
+DB_TYPE = postgres
+HOST = RELEASE-NAME-postgresql.default.svc.cluster.local:5432
+NAME = gitea
+PASSWD = gitea
+USER = gitea
+```
+
+#### Memcached defaults
+
+Memcached is handled the exact same way as database builtIn. Once memcached builtIn is enabled, this chart will generate the following part in the app.ini:
+
+```ini
+[cache]
+ADAPTER = memcache
+ENABLED = true
+HOST = RELEASE-NAME-memcached.default.svc.cluster.local:11211
+```
+
+#### Server defaults
+
+The server defaults are a bit more complex.
+If ingress is enabled, the ROOT_URL, DOMAIN and SSH_DOMAIN will be set accordingly. HTTP_PORT always defaults to 3000 as well as SSH_PORT to 22.
+
+```ini
+[server]
+APP_DATA_PATH = /data
+DOMAIN = git.example.com
+HTTP_PORT = 3000
+PROTOCOL = http
+ROOT_URL = http://git.example.com
+SSH_DOMAIN = git.example.com
+SSH_LISTEN_PORT = 22
+SSH_PORT = 22
+ENABLE_PPROF = false
+```
+
+#### Metrics defaults
+
+The Prometheus `/metrics` endpoint is disabled by default.
+
+```ini
+[metrics]
+ENABLED = false
+```
+
 ### External Database
 
 An external Database can be used instead of builtIn postgresql or mysql.
@@ -80,7 +215,53 @@ By default port 3000 is used for web traffic and 22 for ssh. Those can be change
       port: 22
 ```
 
-This helmchart automatically configures the clone urls to use the correct ports. You can change these ports by hand using the gitea.config dict. However you should know what you're doing.
+This helm chart automatically configures the clone urls to use the correct ports. You can change these ports by hand using the `gitea.config` dict. However you should know what you're doing.
+
+### ClusterIP
+
+By default the clusterIP will be set to None, which is the default for headless services. However if you want to omit the clusterIP field in the service, use the following values:
+
+```yaml
+service:
+  http:
+    type: ClusterIP
+    port: 3000
+    clusterIP:
+  ssh:
+    type: ClusterIP
+    port: 22
+    clusterIP:
+```
+
+### SSH and Ingress
+
+If you're using ingress and wan't to use SSH, keep in mind, that ingress is not able to forward SSH Ports.
+You will need a LoadBalancer like metallb and a setting in your ssh service annotations.
+
+```yaml
+service:
+  ssh:
+    annotations:
+      metallb.universe.tf/allow-shared-ip: test
+```
+
+### SSH on crio based kubernetes cluster
+
+If you use crio as container runtime it is not possible to read from a remote
+repository. You should get an error message like this:
+
+```bash
+$ git clone git@k8s-demo.internal:admin/test.git
+Cloning into 'test'...
+Connection reset by 192.168.179.217 port 22
+fatal: Could not read from remote repository.
+
+Please make sure you have the correct access rights
+and the repository exists.
+```
+
+To solve this problem add the capability `SYS_CHROOT` to the `securityContext`.
+More about this issue [here](https://gitea.com/gitea/helm-chart/issues/161).
 
 ### Cache
 
@@ -104,11 +285,22 @@ If the built in cache should not be used simply configure the cache in gitea.con
         INTERVAL: 60
         HOST: 127.0.0.1:9090
 ```
+
 ### Persistence
 
 Gitea will be deployed as a statefulset. By simply enabling the persistence and setting the storage class according to your cluster
-everything else will be taken care of. The following example will create a PVC as a part of the statefulset. This PVC will not be deleted
-even if you uninstall the chart.
+everything else will be taken care of. The following example will create a PVC as a part of the statefulset. This PVC will not be deleted even if you uninstall the chart.
+
+Please note, that an empty storageClass in the persistence will result in kubernetes using your default storage class.
+
+If you want to use your own storageClass define it as followed:
+
+```yaml
+persistence:
+  enabled: true
+  storageClass: myOwnStorageClass
+```
+
 When using Postgresql as dependency, this will also be deployed as a statefulset by default.
 
 If you want to manage your own PVC you can simply pass the PVC name to the chart.
@@ -145,6 +337,7 @@ You can interact with the postgres settings as displayed in the following exampl
 
 This chart enables you to create a default admin user. It is also possible to update the password for this user by upgrading or redeloying the chart.
 It is not possible to delete an admin user after it has been created. This has to be done in the ui.
+You cannot use `admin` as username.
 
 ```yaml
   gitea:
@@ -154,9 +347,29 @@ It is not possible to delete an admin user after it has been created. This has t
       email: "gi@tea.com"
 ```
 
+You can also use an existing Secret to configure the admin user:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-admin-secret
+type: Opaque
+stringData:
+  username: MyAwesomeGiteaAdmin
+  password: AReallyAwesomeGiteaPassword
+```
+
+```yaml
+gitea:
+    admin:
+      existingSecret: gitea-admin-secret
+```
+
 ### LDAP Settings
 
-Like the admin user the ldap settings can be updated but also disabled or deleted.
+Like the admin user the LDAP settings can be updated, but also disabled or deleted.
+All LDAP values from <https://docs.gitea.io/en-us/command-line/#admin> are available.
 
 ```yaml
   gitea:
@@ -173,6 +386,82 @@ Like the admin user the ldap settings can be updated but also disabled or delete
       bindDn: CN=ldap read,OU=Spezial,DC=example,DC=com
       bindPassword: JustAnotherBindPw
       usernameAttribute: CN
+      sshPublicKeyAttribute: sshPublicKey
+```
+
+You can also use an existing secret to set the bindDn and bindPassword:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-ldap-secret
+type: Opaque
+stringData:
+  bindDn: CN=ldap read,OU=Spezial,DC=example,DC=com
+  bindPassword: JustAnotherBindPw
+```
+
+```yaml
+gitea:
+    ldap:
+      existingSecret: gitea-ldap-secret
+```
+
+:warning: Some options are just flags and therefore don't any values. If they are defined in `gitea.ldap` configuration, they will be passed to the gitea cli without any value. Affected options:
+
+- notActive
+- skipTlsVerify
+- allowDeactivateAll
+- synchronizeUsers
+- attributesInBind
+
+### OAuth2 Settings
+
+Like the admin user, OAuth2 settings can be updated and disabled but not deleted. Deleting OAuth2 settings has to be done in the ui.
+All OAuth2 values from <https://docs.gitea.io/en-us/command-line/#admin> are available.
+
+```yaml
+  gitea:
+    oauth:
+      enabled: true
+      name: 'MyAwesomeGiteaOAuth'
+      provider: 'openidConnect'
+      key: 'hello'
+      secret: 'world'
+      autoDiscoverUrl: 'https://gitea.example.com/.well-known/openid-configuration'
+      #useCustomUrls:
+      #customAuthUrl:
+      #customTokenUrl:
+      #customProfileUrl:
+      #customEmailUrl:
+```
+
+### Metrics and profiling
+
+A Prometheus `/metrics` endpoint on the `HTTP_PORT` and `pprof` profiling endpoints on port 6060 can be enabled under `gitea`. Beware that the metrics endpoint is exposed via the ingress, manage access using ingress annotations for example.
+
+To deploy the `ServiceMonitor`, you first need to ensure that you have deployed `prometheus-operator` and its CRDs: https://github.com/prometheus-operator/prometheus-operator#customresourcedefinitions.
+
+```yaml
+gitea:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+
+  config:
+    server:
+      ENABLE_PPROF: true
+```
+
+### Pod Annotations
+
+Annotations can be added to the Gitea pod.
+
+```yaml
+  gitea:
+    podAnnotations: {}
 ```
 
 ## Configuration
@@ -180,18 +469,23 @@ Like the admin user the ldap settings can be updated but also disabled or delete
 ### Others
 
 | Parameter                                 | Description                                            | Default     |
-|---------------------|-----------------------------------|------------------------------|
-|statefulset.terminationGracePeriodSeconds| Image to start for this pod | gitea/gitea |
+|-------------------------------------------|--------------------------------------------------------|-------------|
+| statefulset.terminationGracePeriodSeconds | How long to wait until forcefully kill the pod         | 60          |
 | statefulset.env                           | Additional environment variables to pass to containers | []          |
-
+| extraVolumes                              | Additional volumes to mount to the Gitea statefulset   | {}          |
+| extraVolumeMounts                         | Additional volume mounts for the Gitea containers      | {}          |
+| initPreScript                             | Bash script copied verbatim to start of init container |             |
+| securityContext                           | Run as a specific securityContext                      | {}          |
+| schedulerName                             | Use an alternate scheduler, e.g. "stork"               |             |
 
 ### Image
 
 | Parameter           | Description                       | Default                      |
 |---------------------|-----------------------------------|------------------------------|
 |image.repository| Image to start for this pod | gitea/gitea |
-|image.version| Image Version | 1.12.4 |
+|image.tag| [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated) | 1.14.6 |
 |image.pullPolicy| Image pull policy | Always |
+|image.rootless | Wether or not to pull the rootless version of gitea, only works on gitea 1.14.x or higher | false |
 
 ### Persistence
 
@@ -201,7 +495,9 @@ Like the admin user the ldap settings can be updated but also disabled or delete
 |persistence.existingClaim| Use an existing claim to store repository information | |
 |persistence.size| Size for persistence to store repo information | 10Gi |
 |persistence.accessModes|AccessMode for persistence||
-|persistence.storageClass|Storage class for repository persistence|standard|
+|persistence.storageClass|Storage class for repository persistence||
+|persistence.labels|Labels for the persistence volume claim to be created|{}|
+|persistence.annotations|Annotations for the persistence volume claim to be created|{}|
 
 ### Ingress
 
@@ -209,26 +505,73 @@ Like the admin user the ldap settings can be updated but also disabled or delete
 |---------------------|-----------------------------------|------------------------------|
 |ingress.enabled| enable ingress | false|
 |ingress.annotations| add ingress annotations | |
-|ingress.hosts| add hosts for ingress as string list | git.example.com |
+|ingress.hosts[0].host | add hosts for ingress | git.example.com |
+|ingress.hosts[0].paths[0].path | add path for each ingress host | / |
+|ingress.hosts[0].paths[0].pathType | add ingress path type | Prefix |
 |ingress.tls|add ingress tls settings|[]|
 
 ### Service
 
+#### Web
+
 | Parameter           | Description                       | Default                      |
 |---------------------|-----------------------------------|------------------------------|
 |service.http.type| Kubernetes service type for web traffic | ClusterIP |
 |service.http.port| Port for web traffic | 3000 |
+|service.http.clusterIP| ClusterIP setting for http autosetup for statefulset is None | None |
+|service.http.loadBalancerIP| LoadBalancer Ip setting | |
+|service.http.nodePort| NodePort for http service | |
+|service.http.externalTrafficPolicy| If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation | |
+|service.http.externalIPs| http service external IP addresses | |
+|service.http.loadBalancerSourceRanges| Source range filter for http loadbalancer | [] |
+|service.http.annotations| http service annotations | |
+
+#### SSH
+
+| Parameter           | Description                       | Default                      |
+|---------------------|-----------------------------------|------------------------------|
 |service.ssh.type| Kubernetes service type for ssh traffic | ClusterIP |
 |service.ssh.port| Port for ssh traffic | 22 |
+|service.ssh.loadBalancerIP| LoadBalancer Ip setting | |
+|service.ssh.nodePort| NodePort for ssh service | |
 |service.ssh.externalTrafficPolicy| If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation | |
-|service.ssh.externalIPs| SSH service external IP addresses |[]|
-|service.ssh.annotations| Additional ssh annotations for the ssh service ||
+|service.ssh.externalIPs| ssh service external IP addresses | |
+|service.ssh.loadBalancerSourceRanges| Source range filter for ssh loadbalancer | [] |
+|service.ssh.annotations| ssh service annotations | |
 
 ### Gitea Configuration
 
 | Parameter           | Description                       | Default                      |
 |---------------------|-----------------------------------|------------------------------|
-|gitea.config | Everything in app.ini can be configured with this dict. See Examples for more details | {} |
+|gitea.config | Everything in `app.ini` can be configured with this dict. See [Examples](#examples) for more details | {} |
+
+### Gitea Probes
+
+Configure Liveness, Readiness and Startup [Probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)
+
+| Parameter           | Description                       | Default                      |
+|---------------------|-----------------------------------|------------------------------|
+|gitea.livenessProbe.enabled | Enable liveness probe | true |
+|gitea.livenessProbe.initialDelaySeconds | Delay before probe start| 200 |
+|gitea.livenessProbe.timeoutSeconds | probe timeout | 1 |
+|gitea.livenessProbe.periodSeconds | period between probes | 10 |
+|gitea.livenessProbe.successThreshold | Minimum consecutive success probes | 1 |
+|gitea.livenessProbe.failureThreshold | Minimum consecutive error probes | 10 |
+|gitea.readinessProbe.enabled | Enable readiness probe | true |
+|gitea.readinessProbe.initialDelaySeconds | Delay before probe start| 5 |
+|gitea.readinessProbe.timeoutSeconds | probe timeout | 1 |
+|gitea.readinessProbe.periodSeconds | period between probes | 10 |
+|gitea.readinessProbe.successThreshold | Minimum consecutive success probes | 1 |
+|gitea.readinessProbe.failureThreshold | Minimum consecutive error probes | 3 |
+|gitea.startupProbe.enabled | Enable startup probe | false |
+|gitea.startupProbe.initialDelaySeconds | Delay before probe start| 60 |
+|gitea.startupProbe.timeoutSeconds | probe timeout | 1 |
+|gitea.startupProbe.periodSeconds | period between probes | 10 |
+|gitea.startupProbe.successThreshold | Minimum consecutive success probes | 1 |
+|gitea.startupProbe.failureThreshold | Minimum consecutive error probes | 10 |
+|gitea.customLivenessProbe | Custom liveness probe (needs `gitea.livenessProbe.enabled: false`) |  |
+|gitea.customReadinessProbe | Custom readiness probe (needs `gitea.readinessProbe.enabled: false`) |  |
+|gitea.customStartupProbe | Custom startup probe (needs `gitea.startupProbe.enabled: false`) |  |
 
 ### Memcached BuiltIn
 
@@ -242,22 +585,22 @@ The following parameters are the defaults set by this chart
 
 ### Mysql BuiltIn
 
-Mysql is loaded as a dependency from stable. Configuration can be found from this [website](https://github.com/helm/charts/tree/master/stable/mysql)
+Mysql is loaded as a dependency from stable. Configuration can be found on this [website](https://github.com/helm/charts/tree/master/stable/mysql).
 
 The following parameters are the defaults set by this chart
 
 | Parameter           | Description                       | Default                      |
 |---------------------|-----------------------------------|------------------------------|
-|mysql.mysqlRootPassword|Password for the root user. Ignored if existing secret is provided|gitea|
-|mysql.mysqlUser|Username of new user to create.|gitea|
-|mysql.mysqlPassword|Password for the new user. Ignored if existing secret is provided|gitea|
-|mysql.mysqlDatabase|Name for new database to create.|gitea|
+|mysql.root.password|Password for the root user. Ignored if existing secret is provided|gitea|
+|mysql.db.user|Username of new user to create.|gitea|
+|mysql.db.password|Password for the new user. Ignored if existing secret is provided|gitea|
+|mysql.db.name|Name for new database to create.|gitea|
 |mysql.service.port|Port to connect to mysql service|3306|
-|mysql.persistence|Persistence size for mysql |10Gi|
+|mysql.persistence.size|Persistence size for mysql |10Gi|
 
 ### Postgresql BuiltIn
 
-Postgresql is loaded as a dependency from bitnami. Configuration can be found from this [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql)
+Postgresql is loaded as a dependency from Bitnami. The chart configuration can be found in this [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) repository.
 
 The following parameters are the defaults set by this chart
 
@@ -268,3 +611,18 @@ The following parameters are the defaults set by this chart
 |postgresql.global.postgresql.postgresqlPassword| PostgreSQL admin password (overrides postgresqlPassword)|gitea|
 |postgresql.global.postgresql.servicePort|PostgreSQL port (overrides service.port)|5432|
 |postgresql.persistence.size| PVC Storage Request for PostgreSQL volume |10Gi|
+
+### MariaDB BuiltIn
+
+MariaDB is loaded as a dependency from bitnami. Configuration can be found in this [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/mariadb) repository.
+
+The following parameters are the defaults set by this chart
+
+| Parameter           | Description                       | Default                      |
+|---------------------|-----------------------------------|------------------------------|
+|mariadb.auth.username|Username of new user to create.|gitea|
+|mariadb.auth.password|Password for the new user. Ignored if existing secret is provided|gitea|
+|mariadb.auth.database|Name for new database to create.|gitea|
+|mariadb.auth.rootPassword|Password for the root user.|gitea|
+|mariadb.primary.service.port|Port to connect to mariadb service|3306|
+|mariadb.primary.persistence.size|Persistence size for mariadb |10Gi|

templates/NOTES.txt

@@ -1,7 +1,9 @@
 1. Get the application URL by running these commands:
 {{- if .Values.ingress.enabled }}
 {{- range $host := .Values.ingress.hosts }}
-  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host }}/
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
 {{- end }}
 {{- else if contains "NodePort" .Values.service.http.type }}
   export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "gitea.fullname" . }})

templates/_helpers.tpl

@@ -31,14 +31,26 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*
+Create image name and tag used by the deployment.
+*/}}
+{{- define "gitea.image" -}}
+{{- $name := .Values.image.repository -}}
+{{- $tag := ternary .Values.image.version .Values.image.tag (hasKey .Values.image "version") -}}
+{{- $rootless := ternary "-rootless" "" (.Values.image.rootless) -}}
+{{- printf "%s:%s%s" $name $tag $rootless -}}
+{{- end -}}
+
 {{/*
 Common labels
 */}}
 {{- define "gitea.labels" -}}
 helm.sh/chart: {{ include "gitea.chart" . }}
+app: {{ include "gitea.name" . }}
 {{ include "gitea.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}
@@ -51,16 +63,14 @@ app.kubernetes.io/name: {{ include "gitea.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
-{{- define "postgresql.dns" -}}
-{{- printf "%s-postgresql.%s.svc.cluster.local:%g" .Release.Name .Release.Namespace .Values.postgresql.global.postgresql.servicePort -}}
-{{- end -}}
-
 {{- define "db.servicename" -}}
 {{- if .Values.gitea.database.builtIn.postgresql.enabled -}}
 {{- printf "%s-postgresql" .Release.Name -}}
 {{- else if .Values.gitea.database.builtIn.mysql.enabled -}}
 {{- printf "%s-mysql" .Release.Name -}}
-{{- else -}}
+{{- else if .Values.gitea.database.builtIn.mariadb.enabled -}}
+{{- printf "%s-mariadb" .Release.Name -}}
+{{- else if ne .Values.gitea.config.database.DB_TYPE "sqlite3" -}}
 {{- $parts := split ":" .Values.gitea.config.database.HOST -}}
 {{- printf "%s %s" $parts._0 $parts._1 -}}
 {{- end -}}
@@ -71,19 +81,63 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{ .Values.postgresql.global.postgresql.servicePort }}
 {{- else if .Values.gitea.database.builtIn.mysql.enabled -}}
 {{ .Values.mysql.service.port }}
+{{- else if .Values.gitea.database.builtIn.mariadb.enabled -}}
+{{ .Values.mariadb.primary.service.port }}
 {{- else -}}
 {{- end -}}
 {{- end -}}
 
+{{- define "postgresql.dns" -}}
+{{- printf "%s-postgresql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.postgresql.global.postgresql.servicePort -}}
+{{- end -}}
+
 {{- define "mysql.dns" -}}
-{{- printf "%s-mysql.%s.svc.cluster.local:%g" .Release.Name .Release.Namespace .Values.mysql.service.port | trunc 63 | trimSuffix "-" -}}
+{{- printf "%s-mysql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.mysql.service.port | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "mariadb.dns" -}}
+{{- printf "%s-mariadb.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.mariadb.primary.service.port | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
 {{- define "memcached.dns" -}}
-{{- printf "%s-memcached.%s.svc.cluster.local:%g" .Release.Name .Release.Namespace .Values.memcached.service.port | trunc 63 | trimSuffix "-" -}}
+{{- printf "%s-memcached.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.memcached.service.port | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
 {{- define "gitea.default_domain" -}}
-{{- printf "%s-gitea.%s.svc.cluster.local" (include "gitea.fullname" .) .Release.Namespace  | trunc 63 | trimSuffix "-" -}}
+{{- printf "%s-gitea.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{- define "gitea.ldap_settings" -}}
+{{- if not (hasKey .Values.gitea.ldap "bindDn") -}}
+{{- $_ := set .Values.gitea.ldap "bindDn" "" -}}
+{{- end -}}
+
+{{- if not (hasKey .Values.gitea.ldap "bindPassword") -}}
+{{- $_ := set .Values.gitea.ldap "bindPassword" "" -}}
+{{- end -}}
+
+{{- $flags := list "notActive" "skipTlsVerify" "allowDeactivateAll" "synchronizeUsers" "attributesInBind" -}}
+{{- range $key, $val := .Values.gitea.ldap -}}
+{{- if and (ne $key "enabled") (ne $key "existingSecret") -}}
+{{- if eq $key "bindDn" -}}
+{{- printf "--%s %s " ($key | kebabcase) ("${GITEA_LDAP_BIND_DN}" | quote ) -}}
+{{- else if eq $key "bindPassword" -}}
+{{- printf "--%s %s " ($key | kebabcase) ("${GITEA_LDAP_PASSWORD}" | quote ) -}}
+{{- else if eq $key "port" -}}
+{{- printf "--%s %d " $key ($val | int) -}}
+{{- else if has $key $flags -}}
+{{- printf "--%s " ($key | kebabcase) -}}
+{{- else -}}
+{{- printf "--%s %s " ($key | kebabcase) ($val | squote) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "gitea.oauth_settings" -}}
+{{- range $key, $val := .Values.gitea.oauth -}}
+{{- if ne $key "enabled" -}}
+{{- printf "--%s %s " ($key | kebabcase) ($val | squote) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}

templates/gitea/config.yaml

@@ -1,10 +1,11 @@
 apiVersion: v1
-kind: ConfigMap
+kind: Secret
 metadata:
   name: {{ include "gitea.fullname" . }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
-data:
+type: Opaque
+stringData:
   app.ini: |-
     {{- if not (hasKey .Values.gitea.config "cache") -}}
     {{- $_ := set .Values.gitea.config "cache" dict -}}
@@ -14,6 +15,10 @@ data:
     {{- $_ := set .Values.gitea.config "server" dict -}}
     {{- end -}}
 
+    {{- if not (hasKey .Values.gitea.config "metrics") -}}
+    {{- $_ := set .Values.gitea.config "metrics" dict -}}
+    {{- end -}}
+
     {{- if not (hasKey .Values.gitea.config "database") -}}
     {{- $_ := set .Values.gitea.config "database" dict -}}
     {{- end -}}
@@ -22,6 +27,15 @@ data:
     {{- $_ := set .Values.gitea.config "security" dict -}}
     {{- end -}}
 
+    {{- if not .Values.gitea.config.repository -}}
+    {{- $_ := set .Values.gitea.config "repository" dict -}}
+    {{- end -}}
+
+    {{- /* repository default settings */ -}}
+    {{- if not .Values.gitea.config.repository.ROOT -}}
+    {{- $_ := set .Values.gitea.config.repository "ROOT" "/data/git/gitea-repositories" -}}
+    {{- end -}}
+
     {{- /* security default settings */ -}}
     {{- if not .Values.gitea.config.security.INSTALL_LOCK -}}
     {{- $_ := set .Values.gitea.config.security "INSTALL_LOCK" "true" -}}
@@ -36,7 +50,7 @@ data:
     {{- end -}}
     {{- if not (.Values.gitea.config.server.DOMAIN) -}}
     {{- if gt (len .Values.ingress.hosts) 0 -}}
-    {{- $_ := set .Values.gitea.config.server "DOMAIN" (index .Values.ingress.hosts 0) -}}
+    {{- $_ := set .Values.gitea.config.server "DOMAIN" (index .Values.ingress.hosts 0).host -}}
     {{- else -}}
     {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}}
     {{- end -}}
@@ -46,7 +60,7 @@ data:
     {{- if gt (len .Values.ingress.tls) 0 -}}
     {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index (index .Values.ingress.tls 0).hosts 0)) -}}
     {{- else -}}
-    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index .Values.ingress.hosts 0)) -}}
+    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index .Values.ingress.hosts 0).host) -}}
     {{- end -}}
     {{- else -}}
     {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL .Values.gitea.config.server.DOMAIN) -}}
@@ -59,7 +73,27 @@ data:
     {{- $_ := set .Values.gitea.config.server "SSH_PORT" .Values.service.ssh.port -}}
     {{- end -}}
     {{- if not (hasKey .Values.gitea.config.server "SSH_LISTEN_PORT") -}}
+    {{- if not .Values.image.rootless -}}
     {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" .Values.gitea.config.server.SSH_PORT -}}
+    {{- else -}}
+    {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" "2222" -}}
+    {{- end -}}
+    {{- end -}}
+    {{- if not (hasKey .Values.gitea.config.server "START_SSH_SERVER") -}}
+    {{- if .Values.image.rootless -}}
+    {{- $_ := set .Values.gitea.config.server "START_SSH_SERVER" "true" -}}
+    {{- end -}}
+    {{- end -}}
+    {{- if not (hasKey .Values.gitea.config.server "APP_DATA_PATH") -}}
+    {{- $_ := set .Values.gitea.config.server "APP_DATA_PATH" "/data" -}}
+    {{- end -}}
+    {{- if not (hasKey .Values.gitea.config.server "ENABLE_PPROF") -}}
+    {{- $_ := set .Values.gitea.config.server "ENABLE_PPROF" false -}}
+    {{- end -}}
+
+    {{- /* metrics default settings */ -}}
+    {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
+    {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
     {{- end -}}
 
     {{- /* database default settings */ -}}
@@ -79,6 +113,14 @@ data:
     {{- $_ := set .Values.gitea.config.database "NAME"      .Values.mysql.db.name -}}
     {{- $_ := set .Values.gitea.config.database "USER"      .Values.mysql.db.user -}}
     {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.mysql.db.password -}}
+    {{ else if .Values.gitea.database.builtIn.mariadb.enabled -}}
+    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "mysql" -}}
+    {{- if not (.Values.gitea.config.database.HOST) -}}
+    {{- $_ := set .Values.gitea.config.database "HOST"      (include "mariadb.dns" .) -}}
+    {{- end -}}
+    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.mariadb.auth.database -}}
+    {{- $_ := set .Values.gitea.config.database "USER"      .Values.mariadb.auth.username -}}
+    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.mariadb.auth.password -}}
     {{- end -}}
 
     {{- /* cache default settings */ -}}

templates/gitea/http-svc.yaml

@@ -4,9 +4,29 @@ metadata:
   name: {{ include "gitea.fullname" . }}-http
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
+  annotations:
+    {{- toYaml .Values.service.http.annotations | nindent 4 }}
 spec:
   type: {{ .Values.service.http.type }}
-  clusterIP: None
+  {{- if and .Values.service.http.loadBalancerIP (eq .Values.service.http.type "LoadBalancer") }}
+  loadBalancerIP: {{ .Values.service.http.loadBalancerIP  }}
+  {{- end }}
+  {{- if .Values.service.http.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+  {{- range .Values.service.http.loadBalancerSourceRanges }}
+    - {{ . }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.service.http.externalIPs }}
+  externalIPs:
+    {{- toYaml .Values.service.http.externalIPs | nindent 4 }}
+  {{- end }}
+  {{- if .Values.service.http.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .Values.service.http.externalTrafficPolicy }}
+  {{- end }}
+  {{- if and .Values.service.http.clusterIP (eq .Values.service.http.type "ClusterIP") }}
+  clusterIP: {{ .Values.service.http.clusterIP }}
+  {{- end }}
   ports:
   - name: http
     port: {{ .Values.service.http.port }}

templates/gitea/ingress.yaml

@@ -1,7 +1,9 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "gitea.fullname" . -}}
 {{- $httpPort := .Values.service.http.port -}}
-{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
+apiVersion: networking.k8s.io/v1
+{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" -}}
 apiVersion: networking.k8s.io/v1beta1
 {{- else -}}
 apiVersion: extensions/v1beta1
@@ -28,12 +30,24 @@ spec:
 {{- end }}
   rules:
     {{- range .Values.ingress.hosts }}
-    - host: {{ . | quote }}
+    - host: {{ .host | quote }}
       http:
         paths:
-          - path: /
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- if and .pathType ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }}
+            pathType: {{ .pathType }}
+            {{- end }}
             backend:
+            {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+              service:
+                name: {{ $fullName }}-http
+                port:
+                  number: {{ $httpPort }}
+            {{- else }}
               serviceName: {{ $fullName }}-http
               servicePort: {{ $httpPort }}
             {{- end }}
           {{- end }}
+    {{- end }}
+{{- end }}

templates/gitea/init.yaml

@@ -0,0 +1,125 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "gitea.fullname" . }}-init
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  init_directory_structure.sh: |-
+    #!/usr/bin/env bash
+
+    set -euo pipefail
+
+    {{- if .Values.initPreScript }}
+    # BEGIN: initPreScript
+    {{- with .Values.initPreScript -}}
+    {{ . | nindent 4}}
+    {{- end -}}
+    # END: initPreScript
+    {{- end }}
+
+    set -x
+
+    {{- if not .Values.image.rootless }}
+    chown 1000:1000 /data
+    {{- end }}
+    mkdir -p /data/git/.ssh
+    chmod -R 700 /data/git/.ssh
+    mkdir -p /data/gitea/conf
+
+    # prepare temp directory structure
+    mkdir -p "${GITEA_TEMP}"
+    chown 1000:1000 "${GITEA_TEMP}"
+    chmod ug+rwx "${GITEA_TEMP}"
+
+    # Copy config file to writable volume
+    cp /etc/gitea/conf/app.ini /data/gitea/conf/app.ini
+    chmod a+rwx /data/gitea/conf/app.ini
+  configure_gitea.sh: |-
+    #!/usr/bin/env bash
+
+    set -euo pipefail
+
+    {{- if include "db.servicename" . }}
+    # Connection retry inspired by https://gist.github.com/dublx/e99ea94858c07d2ca6de
+    function test_db_connection() {
+      local RETRY=0
+      local MAX=30
+
+      echo 'Wait for database to become avialable...'
+      until [ "${RETRY}" -ge "${MAX}" ]; do
+        nc -vz -w2 {{ include "db.servicename" . }} {{ include "db.port" . }} && break
+        RETRY=$[${RETRY}+1]
+        echo "...not ready yet (${RETRY}/${MAX})"
+      done
+
+      if [ "${RETRY}" -ge "${MAX}" ]; then
+        echo "Database not reachable after '${MAX}' attempts!"
+        exit 1
+      fi
+    }
+
+    test_db_connection
+    {{- end }}
+
+    echo '==== BEGIN GITEA CONFIGURATION ===='
+
+    gitea migrate
+
+    {{- if or .Values.gitea.admin.existingSecret (and .Values.gitea.admin.username .Values.gitea.admin.password) }}
+    function configure_admin_user() {
+      local ACCOUNT_ID=$(gitea admin user list --admin | grep -e "\s\+${GITEA_ADMIN_USERNAME}\s\+" | awk -F " " "{printf \$1}")
+      if [[ -z "${ACCOUNT_ID}" ]]; then
+        echo "No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now..."
+        gitea admin user create --admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }} --must-change-password=false
+        echo '...created.'
+      else
+        echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
+        gitea admin user change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}"
+        echo '...password sync done.'
+      fi
+    }
+
+    configure_admin_user
+    {{- end }}
+
+    {{- if .Values.gitea.ldap.enabled }}
+    function configure_ldap() {
+      local LDAP_NAME={{ (printf "%s" .Values.gitea.ldap.name) | squote }}
+      local GITEA_AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${LDAP_NAME}\s+\|" | grep -iE '\|LDAP \(via BindDN\)\s+\|' | awk -F " "  "{print \$1}")
+
+      if [[ -z "${GITEA_AUTH_ID}" ]]; then
+        echo "No ldap configuration found with name '${LDAP_NAME}'. Installing it now..."
+        gitea admin auth add-ldap {{- include "gitea.ldap_settings" . | indent 1 }}
+        echo '...installed.'
+      else
+        echo "Existing ldap configuration with name '${LDAP_NAME}': '${GITEA_AUTH_ID}'. Running update to sync settings..."
+        gitea admin auth update-ldap --id "${GITEA_AUTH_ID}" {{- include "gitea.ldap_settings" . | indent 1 }}
+        echo '...sync settings done.'
+      fi
+    }
+
+    configure_ldap
+    {{- end }}
+
+    {{- if .Values.gitea.oauth.enabled }}
+    function configure_oauth() {
+      local OAUTH_NAME={{ (printf "%s" .Values.gitea.oauth.name) | squote }}
+      local AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " "  "{print \$1}")
+
+      if [[ -z "${AUTH_ID}" ]]; then
+        echo "No oauth configuration found with name '${OAUTH_NAME}'. Installing it now..."
+        gitea admin auth add-oauth {{- include "gitea.oauth_settings" . | indent 1 }}
+        echo '...installed.'
+      else
+        echo "Existing oauth configuration with name '${OAUTH_NAME}': '${AUTH_ID}'. Running update to sync settings..."
+        gitea admin auth update-oauth --id "${AUTH_ID}" {{- include "gitea.oauth_settings" . | indent 1 }}
+        echo '...sync settings done.'
+      fi
+    }
+
+    configure_oauth
+    {{- end }}
+
+    echo '==== END GITEA CONFIGURATION ===='

templates/gitea/servicemonitor.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.gitea.metrics.serviceMonitor.enabled -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "gitea.fullname" . }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    {{- if .Values.gitea.metrics.serviceMonitor.additionalLabels }}
+    {{- toYaml .Values.gitea.metrics.serviceMonitor.additionalLabels | nindent 4 }}
+    {{- end }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "gitea.selectorLabels" . | nindent 6 }}
+  endpoints:
+  - port: http
+{{- end -}}

templates/gitea/ssh-svc.yaml

@@ -5,18 +5,26 @@ metadata:
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
   annotations:
-{{ toYaml .Values.service.ssh.annotations | indent 4 }}
+    {{- toYaml .Values.service.ssh.annotations | nindent 4 }}
 spec:
   type: {{ .Values.service.ssh.type }}
-  {{- if and .Values.service.ssh.loadBalancerIP (eq .Values.service.ssh.type "LoadBalancer") }}
+  {{- if eq .Values.service.ssh.type "LoadBalancer" }}
+  {{- if .Values.service.ssh.loadBalancerIP }}
   loadBalancerIP: {{ .Values.service.ssh.loadBalancerIP }}
+  {{- end -}}
+  {{- if .Values.service.ssh.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+  {{- range .Values.service.ssh.loadBalancerSourceRanges }}
+    - {{ . }}
   {{- end }}
-  {{- if ne .Values.service.ssh.type "LoadBalancer" }}
-  clusterIP: None
+  {{- end }}
+  {{- end }}
+  {{- if and .Values.service.ssh.clusterIP (eq .Values.service.ssh.type "ClusterIP") }}
+  clusterIP: {{ .Values.service.ssh.clusterIP }}
   {{- end }}
   {{- if .Values.service.ssh.externalIPs }}
   externalIPs:
-  {{ toYaml .Values.service.ssh.externalIPs | indent 4 }}
+    {{- toYaml .Values.service.ssh.externalIPs | nindent 4 }}
   {{- end }}
   {{- if .Values.service.ssh.externalTrafficPolicy }}
   externalTrafficPolicy: {{ .Values.service.ssh.externalTrafficPolicy }}

templates/gitea/statefulset.yaml

@@ -9,79 +9,129 @@ spec:
   selector:
     matchLabels:
       {{- include "gitea.selectorLabels" . | nindent 6 }}
+      {{- if .Values.statefulset.labels }}
+      {{- toYaml .Values.statefulset.labels | nindent 6 }}
+      {{- end }}
   serviceName: {{ include "gitea.fullname" . }}
   template:
     metadata:
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/gitea/config.yaml") . | sha256sum }}
+        checksum/ldap: {{ include "gitea.ldap_settings" . | sha256sum }}
+        checksum/oauth: {{ include "gitea.oauth_settings" . | sha256sum }}
+        {{- with .Values.gitea.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
       labels:
-        {{- include "gitea.selectorLabels" . | nindent 8 }}
+        {{- include "gitea.labels" . | nindent 8 }}
+        {{- if .Values.statefulset.labels }}
+        {{- toYaml .Values.statefulset.labels | nindent 8 }}
+        {{- end }}
     spec:
+      {{- if .Values.schedulerName }}
+      schedulerName: "{{ .Values.schedulerName }}"
+      {{- end }}
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       securityContext:
         fsGroup: 1000
       initContainers:
-        - name: init
-          image: "{{ .Values.image.repository }}:{{ .Values.image.version }}"
+        - name: init-directories
+          image: "{{ include "gitea.image" . }}"
+          command: ["/usr/sbin/init_directory_structure.sh"]
           env:
-            - name: SCRIPT
-              value: &script |-
-                mkdir -p /data/git/.ssh
-                chmod -R 700 /data/git/.ssh
-                mkdir -p /data/gitea/conf
-                cp /etc/gitea/conf/app.ini /data/gitea/conf/app.ini
-                chmod a+rwx /data/gitea/conf/app.ini
-                nc -v -w2 -z {{ include "db.servicename" . }} {{ include "db.port" . }} && \
-                su git -c ' \
-                set -x; \
-                gitea migrate; \
-                {{- if and .Values.gitea.admin.username .Values.gitea.admin.password }}
-                gitea admin create-user --username  {{ .Values.gitea.admin.username }} --password '{{ .Values.gitea.admin.password }}' --email {{ .Values.gitea.admin.email }} --admin \
-                || \
-                gitea admin change-password --username {{ .Values.gitea.admin.username }} --password '{{ .Values.gitea.admin.password }}'; \
+            - name: GITEA_APP_INI
+              value: /data/gitea/conf/app.ini
+            - name: GITEA_CUSTOM
+              value: /data/gitea
+            - name: GITEA_WORK_DIR
+              value: /data
+            - name: GITEA_TEMP
+              value: /tmp/gitea
+            {{- if .Values.statefulset.env }}
+            {{- toYaml .Values.statefulset.env | nindent 12 }}
             {{- end }}
-                {{- if .Values.gitea.ldap.enabled }}
-                gitea admin auth add-ldap \
-                --name {{ .Values.gitea.ldap.name | quote }} \
-                --security-protocol {{ .Values.gitea.ldap.securityProtocol | quote }} \
-                --host {{ .Values.gitea.ldap.host | quote }} \
-                --port {{ .Values.gitea.ldap.port | int}} \
-                --user-search-base {{ .Values.gitea.ldap.userSearchBase | quote }} \
-                --user-filter {{ .Values.gitea.ldap.userFilter | quote }} \
-                --admin-filter {{ .Values.gitea.ldap.adminFilter | quote }} \
-                --email-attribute {{ .Values.gitea.ldap.emailAttribute | quote }} \
-                --bind-dn {{ .Values.gitea.ldap.bindDn | quote }} \
-                --bind-password {{ .Values.gitea.ldap.bindPassword | quote }} \
-                --synchronize-users \
-                --username-attribute {{ .Values.gitea.ldap.usernameAttribute | quote }} \
-                || \
-                ( \
-                  export GITEA_AUTH_ID=$(gitea admin auth list | grep {{ .Values.gitea.ldap.name | quote }} | awk -F " "  "{print \$1}"); \
-                  gitea admin auth update-ldap --id ${GITEA_AUTH_ID} \
-                  --name {{ .Values.gitea.ldap.name | quote }} \
-                  --security-protocol {{ .Values.gitea.ldap.securityProtocol | quote }} \
-                  --host {{ .Values.gitea.ldap.host | quote }} \
-                  --port {{ .Values.gitea.ldap.port | int}} \
-                  --user-search-base {{ .Values.gitea.ldap.userSearchBase | quote }} \
-                  --user-filter {{ .Values.gitea.ldap.userFilter | quote }} \
-                  --admin-filter {{ .Values.gitea.ldap.adminFilter | quote }} \
-                  --email-attribute {{ .Values.gitea.ldap.emailAttribute | quote }} \
-                  --bind-dn {{ .Values.gitea.ldap.bindDn | quote }} \
-                  --bind-password {{ .Values.gitea.ldap.bindPassword | quote }} \
-                  --synchronize-users \
-                  --username-attribute {{ .Values.gitea.ldap.usernameAttribute | quote }} \
-                ) \
-                {{- end }}
-                '
-          command: ["/bin/sh",'-c', *script]
           volumeMounts:
+            - name: init
+              mountPath: /usr/sbin
+            - name: temp
+              mountPath: /tmp
             - name: config
               mountPath: /etc/gitea/conf
             - name: data
               mountPath: /data
+            {{- if .Values.extraVolumeMounts }}
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+            {{- end }}
+        - name: configure-gitea
+          image: "{{ include "gitea.image" . }}"
+          command: ["/usr/sbin/configure_gitea.sh"]
+          securityContext:
+            runAsUser: 1000
+          env:
+            - name: GITEA_APP_INI
+              value: /data/gitea/conf/app.ini
+            - name: GITEA_CUSTOM
+              value: /data/gitea
+            - name: GITEA_WORK_DIR
+              value: /data
+            - name: GITEA_TEMP
+              value: /tmp/gitea
+            {{- if .Values.gitea.ldap.enabled }}
+            {{- if .Values.gitea.ldap.existingSecret }}
+            - name: GITEA_LDAP_BIND_DN
+              valueFrom:
+                secretKeyRef:
+                  key:  bindDn
+                  name: {{ .Values.gitea.ldap.existingSecret }}
+            - name: GITEA_LDAP_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key:  bindPassword
+                  name: {{ .Values.gitea.ldap.existingSecret }}
+            {{- else }}
+            - name: GITEA_LDAP_BIND_DN
+              value: {{ .Values.gitea.ldap.bindDn | quote }}
+            - name: GITEA_LDAP_PASSWORD
+              value: {{ .Values.gitea.ldap.bindPassword | quote }}
+            {{- end }}
+            {{- end }}
+            {{- if .Values.gitea.admin.existingSecret }}
+            - name: GITEA_ADMIN_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  key:  username
+                  name: {{ .Values.gitea.admin.existingSecret }}
+            - name: GITEA_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key:  password
+                  name: {{ .Values.gitea.admin.existingSecret }}
+            {{- else }}
+            - name: GITEA_ADMIN_USERNAME
+              value: {{ .Values.gitea.admin.username | quote }}
+            - name: GITEA_ADMIN_PASSWORD
+              value: {{ .Values.gitea.admin.password | quote }}
+            {{- end }}
+            {{- if .Values.statefulset.env }}
+            {{- toYaml .Values.statefulset.env | nindent 12 }}
+            {{- end }}
+          volumeMounts:
+            - name: init
+              mountPath: /usr/sbin
+            - name: temp
+              mountPath: /tmp
+            - name: data
+              mountPath: /data
+            {{- if .Values.extraVolumeMounts }}
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+            {{- end }}
       terminationGracePeriodSeconds: {{ .Values.statefulset.terminationGracePeriodSeconds }}
       containers:
         - name: {{ .Chart.Name }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.version }}"
+          image: "{{ include "gitea.image" . }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           env:
             # SSH Port values have to be set here as well for openssh configuration
@@ -89,35 +139,83 @@ spec:
               value: {{ .Values.gitea.config.server.SSH_LISTEN_PORT | quote }}
             - name: SSH_PORT
               value: {{ .Values.gitea.config.server.SSH_PORT | quote }}
-            {{- range .Values.statefulset.env }}
-            - name: {{ .name | quote | nospace }}
-              value: {{ .value | quote }}
+            - name: GITEA_APP_INI
+              value: /data/gitea/conf/app.ini
+            - name: GITEA_CUSTOM
+              value: /data/gitea
+            - name: GITEA_WORK_DIR
+              value: /data
+            - name: GITEA_TEMP
+              value: /tmp/gitea
+            - name: TMPDIR
+              value: /tmp/gitea
+            {{- if .Values.signing.enabled }}
+            - name: GNUPGHOME
+              value: {{ .Values.signing.gpgHome }}
+            {{- end }}
+            {{- if .Values.statefulset.env }}
+            {{- toYaml .Values.statefulset.env | nindent 12 }}
             {{- end }}
           ports:
             - name: ssh
               containerPort: {{ .Values.gitea.config.server.SSH_LISTEN_PORT }}
             - name: http
               containerPort: {{ .Values.gitea.config.server.HTTP_PORT }}
+            {{- if .Values.gitea.config.server.ENABLE_PPROF }}
+            - name: profiler
+              containerPort: 6060
+            {{- end }}
+          {{- if .Values.gitea.livenessProbe.enabled }}
           livenessProbe:
             tcpSocket:
               port: http
-            initialDelaySeconds: 200
-            timeoutSeconds: 1
-            periodSeconds: 10
-            successThreshold: 1
-            failureThreshold: 10
+            initialDelaySeconds: {{ .Values.gitea.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.gitea.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.gitea.livenessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.gitea.livenessProbe.successThreshold }}
+            failureThreshold: {{ .Values.gitea.livenessProbe.failureThreshold }}
+          {{- else if .Values.gitea.customLivenessProbe }}
+          livenessProbe:
+            {{- toYaml .Values.gitea.customLivenessProbe | nindent 12 }}
+          {{- end }}
+          {{- if .Values.gitea.readinessProbe.enabled }}
           readinessProbe:
             tcpSocket:
               port: http
-            initialDelaySeconds: 5
-            periodSeconds: 10
-            successThreshold: 1
-            failureThreshold: 3
+            initialDelaySeconds: {{ .Values.gitea.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.gitea.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.gitea.readinessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.gitea.readinessProbe.successThreshold }}
+            failureThreshold: {{ .Values.gitea.readinessProbe.failureThreshold }}
+          {{- else if .Values.gitea.customReadinessProbe }}
+          readinessProbe:
+            {{- toYaml .Values.gitea.customReadinessProbe | nindent 12 }}
+          {{- end }}
+          {{- if .Values.gitea.startupProbe.enabled }}
+          startupProbe:
+            tcpSocket:
+              port: http
+            initialDelaySeconds: {{ .Values.gitea.startupProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.gitea.startupProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.gitea.startupProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.gitea.startupProbe.successThreshold }}
+            failureThreshold: {{ .Values.gitea.startupProbe.failureThreshold }}
+          {{- else if .Values.gitea.customStartupProbe }}
+          startupProbe:
+            {{- toYaml .Values.gitea.customStartupProbe | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
           volumeMounts:
+            - name: temp
+              mountPath: /tmp
             - name: data
               mountPath: /data
+            {{- if .Values.extraVolumeMounts }}
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+            {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -131,13 +229,24 @@ spec:
         {{- toYaml . | nindent 8 }}
     {{- end }}
       volumes:
+        - name: init
+          secret:
+            secretName: {{ include "gitea.fullname" . }}-init
+            defaultMode: 0777
         - name: config
-          configMap:
-            name: {{ include "gitea.fullname" . }}
+          secret:
+            secretName: {{ include "gitea.fullname" . }}
+        {{- if .Values.extraVolumes }}
+        {{- toYaml .Values.extraVolumes | nindent 8 }}
+        {{- end }}
+        - name: temp
+          emptyDir: {}
   {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
         - name: data
           persistentVolumeClaim:
-            claimName: {{ .Values.persistence.existingClaim }}
+  {{- with .Values.persistence.existingClaim }}
+            claimName: {{ tpl . $ }}
+  {{- end }}
   {{- else if not .Values.persistence.enabled }}
         - name: data
           emptyDir: {}
@@ -145,12 +254,26 @@ spec:
   volumeClaimTemplates:
     - metadata:
         name: data
+      {{- with .Values.persistence.annotations }}
+        annotations:
+        {{- range $key, $value := . }}
+          {{ $key }}: {{ $value }}
+        {{- end }}
+      {{- end }}
+      {{- with .Values.persistence.labels }}
+        labels:
+        {{- range $key, $value := . }}
+          {{ $key }}: {{ $value }}
+        {{- end }}
+      {{- end }}
       spec:
         accessModes:
           {{- range .Values.persistence.accessModes }}
             - {{ . | quote }}
           {{- end }}
-        storageClassName: {{ .Values.persistence.storageClass | default "standard" | quote }}
+        {{- if .Values.persistence.storageClass }}
+        storageClassName: {{ .Values.persistence.storageClass | quote }}
+        {{- end }}
         resources:
           requests:
             storage: {{ .Values.persistence.size | quote }}

templates/tests/test-http-connection.yaml

@@ -11,5 +11,5 @@ spec:
     - name: wget
       image: busybox
       command: ['wget']
-      args:  ['{{ include "gitea.fullname" . }}:{{ .Values.service.port }}']
+      args:  ['{{ include "gitea.fullname" . }}-http:{{ .Values.service.http.port }}']
   restartPolicy: Never

values.yaml

@@ -4,24 +4,55 @@
 
 replicaCount: 1
 
+clusterDomain: cluster.local
+
 image:
   repository: gitea/gitea
-  version: 1.12.4
+  tag: 1.14.6
   pullPolicy: Always
+  rootless: false # only possible when running 1.14 or later
 
 imagePullSecrets: []
 
+# only usable with rootless image due to image design
+securityContext: {}
+#   allowPrivilegeEscalation: false
+#   capabilities:
+#     drop:
+#       - ALL
+#   # Add the SYS_CHROOT capability for root and rootless images if you intend to
+#   # run pods on nodes that use the container runtime cri-o. Otherwise, you will
+#   # get an error message from the SSH server that it is not possible to read from
+#   # the repository.
+#   # https://gitea.com/gitea/helm-chart/issues/161
+#     add:
+#       - SYS_CHROOT
+#   privileged: false
+#   readOnlyRootFilesystem: true
+#   runAsGroup: 1000
+#   runAsNonRoot: true
+#   runAsUser: 1000
+
 service:
   http:
     type: ClusterIP
     port: 3000
-  ssh:
-    type: ClusterIP
-    port: 22
+    clusterIP: None
     #loadBalancerIP:
     #nodePort:
     #externalTrafficPolicy:
     #externalIPs:
+    loadBalancerSourceRanges: []
+    annotations:
+  ssh:
+    type: ClusterIP
+    port: 22
+    clusterIP: None
+    #loadBalancerIP:
+    #nodePort:
+    #externalTrafficPolicy:
+    #externalIPs:
+    loadBalancerSourceRanges: []
     annotations:
 
 ingress:
@@ -30,7 +61,10 @@ ingress:
     # kubernetes.io/ingress.class: nginx
     # kubernetes.io/tls-acme: "true"
   hosts:
-    - git.example.com
+    - host: git.example.com
+      paths:
+        - path: /
+          pathType: Prefix
   tls: []
   #  - secretName: chart-example-tls
   #    hosts:
@@ -48,6 +82,11 @@ resources: {}
   #   cpu: 100m
   #   memory: 128Mi
 
+## Use an alternate scheduler, e.g. "stork".
+## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+##
+# schedulerName:
+
 nodeSelector: {}
 
 tolerations: []
@@ -59,6 +98,7 @@ statefulset:
     # - name: VARIABLE
     #   value: my-value
   terminationGracePeriodSeconds: 60
+  labels: {}
 
 persistence:
   enabled: true
@@ -66,27 +106,81 @@ persistence:
   size: 10Gi
   accessModes:
     - ReadWriteOnce
-  storageClass: standard
+  labels: {}
+  annotations: {}
+  # storageClass:
+
+# additional volumes to add to the Gitea statefulset.
+extraVolumes:
+# - name: postgres-ssl-vol
+#   secret:
+#     secretName: gitea-postgres-ssl
+
+
+# additional volumes to mount, both to the init container and to the main
+# container. As an example, can be used to mount a client cert when connecting
+# to an external Postgres server.
+extraVolumeMounts:
+# - name: postgres-ssl-vol
+#   readOnly: true
+#   mountPath: "/pg-ssl"
+
+# bash shell script copied verbatim to the start of the init-container.
+initPreScript: ""
+#
+# initPreScript: |
+#   mkdir -p /data/git/.postgresql
+#   cp /pg-ssl/* /data/git/.postgresql/
+#   chown -R git:git /data/git/.postgresql/
+#   chmod 400 /data/git/.postgresql/postgresql.key
+
+# Configure commit/action signing prerequisites
+signing:
+  enabled: false
+  gpgHome: /data/git/.gnupg
 
 gitea:
   admin:
+    #existingSecret: gitea-admin-secret
     username: gitea_admin
     password: r8sA8CPHD9!bt6d
     email: "gitea@local.domain"
 
+  metrics:
+    enabled: false
+    serviceMonitor:
+      enabled: false
+      #  additionalLabels:
+      #    prometheus-release: prom1
+
   ldap:
     enabled: false
-    name: ""
-    securityProtocol: ""
-    host: ""
-    port: ""
-    userSearchBase: ""
-    userFilter: ""
-    adminFilter: ""
-    emailAttribute: ""
-    bindDn: ""
-    bindPassword: ""
-    usernameAttribute: ""
+    #existingSecret: gitea-ldap-secret
+    #name:
+    #securityProtocol:
+    #host:
+    #port:
+    #userSearchBase:
+    #userFilter:
+    #adminFilter:
+    #emailAttribute:
+    #bindDn:
+    #bindPassword:
+    #usernameAttribute:
+    #sshPublicKeyAttribute:
+
+  oauth:
+    enabled: false
+    #name:
+    #provider:
+    #key:
+    #secret:
+    #autoDiscoverUrl:
+    #useCustomUrls:
+    #customAuthUrl:
+    #customTokenUrl:
+    #customProfileUrl:
+    #customEmailUrl:
 
   config: {}
   #  APP_NAME: "Gitea: Git with a cup of tea"
@@ -98,17 +192,68 @@ gitea:
   #  security:
   #    PASSWORD_COMPLEXITY: spec
 
+  podAnnotations: {}
+
   database:
     builtIn:
       postgresql:
         enabled: true
       mysql:
         enabled: false
+      mariadb:
+        enabled: false
 
   cache:
     builtIn:
       enabled: true
 
+  livenessProbe:
+    enabled: true
+    initialDelaySeconds: 200
+    timeoutSeconds: 1
+    periodSeconds: 10
+    successThreshold: 1
+    failureThreshold: 10
+  readinessProbe:
+    enabled: true
+    initialDelaySeconds: 5
+    timeoutSeconds: 1
+    periodSeconds: 10
+    successThreshold: 1
+    failureThreshold: 3
+  startupProbe:
+    enabled: false
+    initialDelaySeconds: 60
+    timeoutSeconds: 1
+    periodSeconds: 10
+    successThreshold: 1
+    failureThreshold: 10
+
+  # customLivenessProbe:
+  #   httpGet:
+  #     path: /user/login
+  #     port: http
+  #   initialDelaySeconds: 60
+  #   periodSeconds: 10
+  #   successThreshold: 1
+  #   failureThreshold: 10
+  # customReadinessProbe:
+  #   httpGet:
+  #     path: /user/login
+  #     port: http
+  #   initialDelaySeconds: 5
+  #   periodSeconds: 10
+  #   successThreshold: 1
+  #   failureThreshold: 3
+  # customStartupProbe:
+  #   httpGet:
+  #     path: /user/login
+  #     port: http
+  #   initialDelaySeconds: 60
+  #   periodSeconds: 10
+  #   successThreshold: 1
+  #   failureThreshold: 10
+
 memcached:
   service:
     port: 11211
@@ -134,3 +279,15 @@ mysql:
     port: 3306
   persistence:
     size: 10Gi
+
+mariadb:
+  auth:
+    database: gitea
+    username: gitea
+    password: gitea
+    rootPassword: gitea
+  primary:
+    service:
+      port: 3306
+    persistence:
+      size: 10Gi