Several Improvements to Helm Chart (#87)

Improve ldap settings with helper function

Allow clusterIP for http service to be set, default to None

Use imagePullSecrets in statefulset now

Update default values

Update README

Bump Chart version

Co-authored-by: luhahn <lucas.hahn@novum-rgi.de>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/87
Reviewed-by: lafriks <lafriks@noreply.gitea.io>
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-Authored-By: luhahn <luhahn@noreply.gitea.io>
Co-Committed-By: luhahn <luhahn@noreply.gitea.io>

Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
-version: 1.5.5
-appVersion: 1.12.5
+version: 2.1.3
+appVersion: 1.13.0
 icon: https://docs.gitea.io/images/gitea.png
 
 keywords:
@@ -14,6 +14,7 @@ keywords:
   - gitea
   - gogs
 sources:
+  - https://gitea.com/gitea/helm-chart
   - https://github.com/go-gitea/gitea
   - https://hub.docker.com/r/gitea/gitea/
 maintainers:
@@ -41,5 +42,5 @@ dependencies:
   condition: gitea.database.builtIn.postgresql.enabled
 - name: mariadb
   repository: https://charts.bitnami.com/bitnami
-  version: 7.10.2
+  version: 8.0.0
   condition: gitea.database.builtIn.mariadb.enabled

README.md

@@ -132,6 +132,34 @@ By default port 3000 is used for web traffic and 22 for ssh. Those can be change
 
 This helmchart automatically configures the clone urls to use the correct ports. You can change these ports by hand using the gitea.config dict. However you should know what you're doing.
 
+### ClusterIP
+
+By default the clusterIP will be set to None, which is the default for headless services. However if you want to omit the clusterIP field in the service, use the following values:
+
+```yaml
+service:
+  http:
+    type: ClusterIP
+    port: 3000
+    clusterIP:
+  ssh:
+    type: ClusterIP
+    port: 22
+    clusterIP:
+```
+
+### SSH and Ingress
+
+If you're using ingress and wan't to use SSH, keep in mind, that ingress is not able to forward SSH Ports.
+You will need a LoadBalancer like metallb and a setting in your ssh service annotations.
+
+```yaml
+service:
+  ssh:
+    annotations:
+      metallb.universe.tf/allow-shared-ip: test
+```
+
 ### Cache
 
 This helm chart can use a built in cache. The default is memcached from bitnami.
@@ -208,6 +236,10 @@ It is not possible to delete an admin user after it has been created. This has t
 ### LDAP Settings
 
 Like the admin user the ldap settings can be updated but also disabled or deleted.
+All ldap values from https://docs.gitea.io/en-us/command-line/#admin are available.
+You can either use them in camel case or kebab case.
+
+camelCase:
 
 ```yaml
   gitea:
@@ -226,6 +258,25 @@ Like the admin user the ldap settings can be updated but also disabled or delete
       usernameAttribute: CN
 ```
 
+kebab-case:
+
+```yaml
+  gitea:
+    ldap:
+      enabled: true
+      name: 'MyAwesomeGiteaLdap'
+      security-protocol: unencrypted
+      host: "127.0.0.1"
+      port: "389"
+      user-search-base: ou=Users,dc=example,dc=com
+      user-filter: sAMAccountName=%s
+      admin-filter: CN=Admin,CN=Group,DC=example,DC=com
+      email-attribute: mail
+      bind-dn: CN=ldap read,OU=Spezial,DC=example,DC=com
+      bind-password: JustAnotherBindPw
+      username-attribute: CN
+```
+
 ### Pod Annotations
 
 Annotations can be added to the Gitea pod.
@@ -249,7 +300,7 @@ Annotations can be added to the Gitea pod.
 | Parameter           | Description                       | Default                      |
 |---------------------|-----------------------------------|------------------------------|
 |image.repository| Image to start for this pod | gitea/gitea |
-|image.version| Image Version | 1.12.4 |
+|image.version| Image Version | 1.13.0 |
 |image.pullPolicy| Image pull policy | Always |
 
 ### Persistence
@@ -260,7 +311,7 @@ Annotations can be added to the Gitea pod.
 |persistence.existingClaim| Use an existing claim to store repository information | |
 |persistence.size| Size for persistence to store repo information | 10Gi |
 |persistence.accessModes|AccessMode for persistence||
-|persistence.storageClass|Storage class for repository persistence|standard|
+|persistence.storageClass|Storage class for repository persistence||
 
 ### Ingress
 
@@ -336,8 +387,9 @@ The following parameters are the defaults set by this chart
 
 | Parameter           | Description                       | Default                      |
 |---------------------|-----------------------------------|------------------------------|
-|mariadb.db.user |Username of new user to create.|gitea|
-|mariadb.db.password|Password for the new user. Ignored if existing secret is provided|gitea|
-|mariadb.db.name|Name for new database to create.|gitea|
-|mariadb.service.port|Port to connect to mariadb service|3306|
-|mariadb.master.persistence.size|Persistence size for mysql |10Gi|
+|mariadb.auth.username|Username of new user to create.|gitea|
+|mariadb.auth.password|Password for the new user. Ignored if existing secret is provided|gitea|
+|mariadb.auth.database|Name for new database to create.|gitea|
+|mariadb.auth.rootPassword|Password for the root user.|gitea|
+|mariadb.primary.service.port|Port to connect to mariadb service|3306|
+|mariadb.primary.persistence.size|Persistence size for mariadb |10Gi|

templates/_helpers.tpl

@@ -70,28 +70,39 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- else if .Values.gitea.database.builtIn.mysql.enabled -}}
 {{ .Values.mysql.service.port }}
 {{- else if .Values.gitea.database.builtIn.mariadb.enabled -}}
-{{ .Values.mariadb.service.port }}
+{{ .Values.mariadb.primary.service.port }}
 {{- else -}}
 {{- end -}}
 {{- end -}}
 
 {{- define "postgresql.dns" -}}
-{{- printf "%s-postgresql.%s.svc.cluster.local:%g" .Release.Name .Release.Namespace .Values.postgresql.global.postgresql.servicePort -}}
+{{- printf "%s-postgresql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.postgresql.global.postgresql.servicePort -}}
 {{- end -}}
 
 {{- define "mysql.dns" -}}
-{{- printf "%s-mysql.%s.svc.cluster.local:%g" .Release.Name .Release.Namespace .Values.mysql.service.port | trunc 63 | trimSuffix "-" -}}
+{{- printf "%s-mysql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.mysql.service.port | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
 {{- define "mariadb.dns" -}}
-{{- printf "%s-mariadb.%s.svc.cluster.local:%g" .Release.Name .Release.Namespace .Values.mysql.service.port | trunc 63 | trimSuffix "-" -}}
+{{- printf "%s-mariadb.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.mariadb.primary.service.port | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
 {{- define "memcached.dns" -}}
-{{- printf "%s-memcached.%s.svc.cluster.local:%g" .Release.Name .Release.Namespace .Values.memcached.service.port | trunc 63 | trimSuffix "-" -}}
+{{- printf "%s-memcached.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.memcached.service.port | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
 {{- define "gitea.default_domain" -}}
-{{- printf "%s-gitea.%s.svc.cluster.local" (include "gitea.fullname" .) .Release.Namespace  | trunc 63 | trimSuffix "-" -}}
+{{- printf "%s-gitea.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{- define "gitea.ldap_settings" -}}
+{{- range $key, $val := .Values.gitea.ldap -}}
+{{- if ne $key "enabled" -}}
+{{- if eq $key "port" -}}
+{{- printf "--%s %s " ($key | kebabcase) $val -}}
+{{- else -}}
+{{- printf "--%s %s " ($key | kebabcase) ($val | quote) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}

templates/gitea/config.yaml

@@ -88,9 +88,9 @@ stringData:
     {{- if not (.Values.gitea.config.database.HOST) -}}
     {{- $_ := set .Values.gitea.config.database "HOST"      (include "mariadb.dns" .) -}}
     {{- end -}}
-    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.mariadb.db.name -}}
-    {{- $_ := set .Values.gitea.config.database "USER"      .Values.mariadb.db.user -}}
-    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.mariadb.db.password -}}
+    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.mariadb.auth.database -}}
+    {{- $_ := set .Values.gitea.config.database "USER"      .Values.mariadb.auth.username -}}
+    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.mariadb.auth.password -}}
     {{- end -}}
 
     {{- /* cache default settings */ -}}

templates/gitea/http-svc.yaml

@@ -4,9 +4,16 @@ metadata:
   name: {{ include "gitea.fullname" . }}-http
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
+  annotations:
+    {{- toYaml .Values.service.http.annotations | nindent 4 }}
 spec:
   type: {{ .Values.service.http.type }}
-  clusterIP: None
+  {{- if and .Values.service.http.loadBalancerIP (eq .Values.service.http.type "LoadBalancer") }}
+  loadBalancerIP: {{ .Values.service.http.loadBalancerIP  }}
+  {{- end }}
+  {{- if and .Values.service.http.clusterIP (eq .Values.service.http.type "ClusterIP") }}
+  clusterIP: {{ .Values.service.http.clusterIP }}
+  {{- end }}
   ports:
   - name: http
     port: {{ .Values.service.http.port }}

templates/gitea/ingress.yaml

@@ -1,7 +1,9 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "gitea.fullname" . -}}
 {{- $httpPort := .Values.service.http.port -}}
-{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
+apiVersion: networking.k8s.io/v1
+{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" -}}
 apiVersion: networking.k8s.io/v1beta1
 {{- else -}}
 apiVersion: extensions/v1beta1
@@ -32,8 +34,18 @@ spec:
       http:
         paths:
           - path: /
+            {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+            pathType: Prefix
+            {{- end }}
             backend:
+            {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+              service:
+                name: {{ $fullName }}-http
+                port:
+                  number: {{ $httpPort }}
+            {{- else }}
               serviceName: {{ $fullName }}-http
               servicePort: {{ $httpPort }}
             {{- end }}
+  {{- end }}
 {{- end }}

templates/gitea/init.yaml

@@ -18,40 +18,18 @@ stringData:
     set -x; \
     gitea migrate; \
     {{- if and .Values.gitea.admin.username .Values.gitea.admin.password }}
-    gitea admin create-user --username  {{ .Values.gitea.admin.username }} --password '{{ .Values.gitea.admin.password }}' --email {{ .Values.gitea.admin.email }} --admin \
+    gitea admin create-user --username  {{ .Values.gitea.admin.username }} --password '{{ .Values.gitea.admin.password }}' --email {{ .Values.gitea.admin.email }} --admin --must-change-password=false \
     || \
     gitea admin change-password --username {{ .Values.gitea.admin.username }} --password '{{ .Values.gitea.admin.password }}'; \
     {{- end }}
     {{- if .Values.gitea.ldap.enabled }}
     gitea admin auth add-ldap \
-    --name {{ .Values.gitea.ldap.name | quote }} \
-    --security-protocol {{ .Values.gitea.ldap.securityProtocol | quote }} \
-    --host {{ .Values.gitea.ldap.host | quote }} \
-    --port {{ .Values.gitea.ldap.port | int}} \
-    --user-search-base {{ .Values.gitea.ldap.userSearchBase | quote }} \
-    --user-filter {{ .Values.gitea.ldap.userFilter | quote }} \
-    --admin-filter {{ .Values.gitea.ldap.adminFilter | quote }} \
-    --email-attribute {{ .Values.gitea.ldap.emailAttribute | quote }} \
-    --bind-dn {{ .Values.gitea.ldap.bindDn | quote }} \
-    --bind-password {{ .Values.gitea.ldap.bindPassword | quote }} \
-    --synchronize-users \
-    --username-attribute {{ .Values.gitea.ldap.usernameAttribute | quote }} \
+    {{- include "gitea.ldap_settings" . | nindent 6 }} \
     || \
     ( \
       export GITEA_AUTH_ID=$(gitea admin auth list | grep {{ .Values.gitea.ldap.name | quote }} | awk -F " "  "{print \$1}"); \
       gitea admin auth update-ldap --id ${GITEA_AUTH_ID} \
-      --name {{ .Values.gitea.ldap.name | quote }} \
-      --security-protocol {{ .Values.gitea.ldap.securityProtocol | quote }} \
-      --host {{ .Values.gitea.ldap.host | quote }} \
-      --port {{ .Values.gitea.ldap.port | int}} \
-      --user-search-base {{ .Values.gitea.ldap.userSearchBase | quote }} \
-      --user-filter {{ .Values.gitea.ldap.userFilter | quote }} \
-      --admin-filter {{ .Values.gitea.ldap.adminFilter | quote }} \
-      --email-attribute {{ .Values.gitea.ldap.emailAttribute | quote }} \
-      --bind-dn {{ .Values.gitea.ldap.bindDn | quote }} \
-      --bind-password {{ .Values.gitea.ldap.bindPassword | quote }} \
-      --synchronize-users \
-      --username-attribute {{ .Values.gitea.ldap.usernameAttribute | quote }} \
+      {{- include "gitea.ldap_settings" . | nindent 6 }} \
     ) \
     {{- end }}
     '

templates/gitea/ssh-svc.yaml

@@ -5,18 +5,18 @@ metadata:
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
   annotations:
-{{ toYaml .Values.service.ssh.annotations | indent 4 }}
+    {{- toYaml .Values.service.ssh.annotations | nindent 4 }}
 spec:
   type: {{ .Values.service.ssh.type }}
   {{- if and .Values.service.ssh.loadBalancerIP (eq .Values.service.ssh.type "LoadBalancer") }}
   loadBalancerIP: {{ .Values.service.ssh.loadBalancerIP }}
   {{- end }}
-  {{- if eq .Values.service.ssh.type "ClusterIP" }}
-  clusterIP: None
+  {{- if and .Values.service.ssh.clusterIP (eq .Values.service.ssh.type "ClusterIP") }}
+  clusterIP: {{ .Values.service.ssh.clusterIP }}
   {{- end }}
   {{- if .Values.service.ssh.externalIPs }}
   externalIPs:
-  {{ toYaml .Values.service.ssh.externalIPs | indent 4 }}
+    {{- toYaml .Values.service.ssh.externalIPs | nindent 4 }}
   {{- end }}
   {{- if .Values.service.ssh.externalTrafficPolicy }}
   externalTrafficPolicy: {{ .Values.service.ssh.externalTrafficPolicy }}

templates/gitea/statefulset.yaml

@@ -20,6 +20,10 @@ spec:
       labels:
         {{- include "gitea.selectorLabels" . | nindent 8 }}
     spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       securityContext:
         fsGroup: 1000
       initContainers:
@@ -109,7 +113,9 @@ spec:
           {{- range .Values.persistence.accessModes }}
             - {{ . | quote }}
           {{- end }}
-        storageClassName: {{ .Values.persistence.storageClass | default "standard" | quote }}
+        {{- if .Values.persistence.storageClass }}
+        storageClassName: {{ .Values.persistence.storageClass | quote }}
+        {{- end }}
         resources:
           requests:
             storage: {{ .Values.persistence.size | quote }}

templates/tests/test-http-connection.yaml

@@ -11,5 +11,5 @@ spec:
     - name: wget
       image: busybox
       command: ['wget']
-      args:  ['{{ include "gitea.fullname" . }}:{{ .Values.service.port }}']
+      args:  ['{{ include "gitea.fullname" . }}-http:{{ .Values.service.http.port }}']
   restartPolicy: Never

values.yaml

@@ -4,9 +4,11 @@
 
 replicaCount: 1
 
+clusterDomain: cluster.local
+
 image:
   repository: gitea/gitea
-  version: 1.12.5
+  version: 1.13.0
   pullPolicy: Always
 
 imagePullSecrets: []
@@ -15,9 +17,14 @@ service:
   http:
     type: ClusterIP
     port: 3000
+    clusterIP: None
+    #loadBalancerIP:
+    #nodePort:
+    annotations:
   ssh:
     type: ClusterIP
     port: 22
+    clusterIP: None
     #loadBalancerIP:
     #nodePort:
     #externalTrafficPolicy:
@@ -66,7 +73,6 @@ persistence:
   size: 10Gi
   accessModes:
     - ReadWriteOnce
-  storageClass: standard
 
 gitea:
   admin:
@@ -140,12 +146,13 @@ mysql:
     size: 10Gi
 
 mariadb:
-  db:
-    name: gitea
-    user: gitea
+  auth:
+    database: gitea
+    username: gitea
     password: gitea
+    rootPassword: gitea
+  primary:
     service:
       port: 3306
-  master:
     persistence:
       size: 10Gi