Add dev instructions to README (#228)

FYI: My editor automatically changes two trailing whitespaces into a linebreak. I know it's not completely the same but maybe it can be accepted (would make things easier in the long run).
Co-authored-by: pat-s <patrick.schratz@gmail.com>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/228
Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.io>
Reviewed-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: pat-s <pat-s@noreply.gitea.io>
Co-committed-by: pat-s <pat-s@noreply.gitea.io>

Chart.yaml

@@ -3,7 +3,7 @@ name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
-appVersion: 1.14.2
+appVersion: 1.15.3
 icon: https://docs.gitea.io/images/gitea.png
 
 keywords:
@@ -26,11 +26,13 @@ maintainers:
     email: konrad.lother@novum-rgi.de
   - name: Lucas Hahn
     email: lucas.hahn@novum-rgi.de
+  - name: Steven Kriegler
+    email: sk.bunsenbrenner@gmail.com
 
 dependencies:
 - name: memcached
   repository: https://charts.bitnami.com/bitnami
-  version: 4.2.20
+  version: 5.9.0
   condition: gitea.cache.builtIn.enabled
 - name: mysql
   repository: https://charts.bitnami.com/bitnami
@@ -38,9 +40,9 @@ dependencies:
   condition: gitea.database.builtIn.mysql.enabled
 - name: postgresql
   repository: https://charts.bitnami.com/bitnami
-  version: 9.7.2
+  version: 10.3.17
   condition: gitea.database.builtIn.postgresql.enabled
 - name: mariadb
   repository: https://charts.bitnami.com/bitnami
-  version: 8.0.0
+  version: 9.3.6
   condition: gitea.database.builtIn.mariadb.enabled

README.md

@@ -23,6 +23,7 @@ Dependencies:
 
 ```sh
   helm repo add gitea-charts https://dl.gitea.io/charts/
+  helm repo update
   helm install gitea gitea-charts/gitea
 ```
 
@@ -32,6 +33,63 @@ Dependencies:
 * Helm 3.0+
 * PV provisioner for persistent data support
 
+## Chart upgrade from 3.x.x to 4.0.0
+
+:warning: The most recent 4.0.0 update brings some breaking changes. Please note the following changes in the Chart to upgrade successfully. :warning:
+
+### Ingress changes
+
+To provide a more flexible Ingress configuration we now support not only host settings but also provide configuration for the path and pathType. So this change changes the hosts from a simple string list, to a list containing a more complex object for more configuration.
+
+
+```diff
+ingress:
+  enabled: false
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+-  hosts:
+-    - git.example.com
++  hosts:
++    - host: git.example.com
++      paths:
++        - path: /
++          pathType: Prefix
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - git.example.com
+```
+
+If you want everything as it was before, you can simply add the following code to all your host entries.
+
+```yaml
+paths:
+  - path: /
+    pathType: Prefix
+```
+
+### Dropped kebab-case support
+
+In 3.x.x it was possible to provide an ldap configuration via kebab-case, this support has now been dropped and only camel case is supported.
+See [LDAP section](#ldap-settings) for more information.
+
+### Dependency update
+
+The chart comes with multiple databases and memcached as dependency, the latest release updated the dependencies.
+
+- memcached: 4.2.20 -> 5.9.0
+- postgresql: 9.7.2 -> 10.3.17
+- mariadb: 8.0.0 -> 9.3.6
+
+If you're using the builtin databases you will most likely redeploy the chart in order to update the database correctly.
+
+### Execution of initPreScript
+
+Generally spoken, this might not be a breaking change, but it is worth to be mentioned.
+
+Prior to 4.0.0 only one init container was used to both setup directories and configure Gitea. As of now the actual Gitea configuration is separated from the other pre-execution. This also includes the execution of _initPreScript_. If you have such script, please be aware of this. Dynamically prepare the Gitea setup during execution by e.g. adding environment variables to the execution context won't work anymore.
+
 ## Gitea Version 1.14.X repository ROOT
 
 Previously the ROOT folder for the gitea repositories was located at /data/git/gitea-repositories
@@ -39,6 +97,18 @@ Previously the ROOT folder for the gitea repositories was located at /data/git/g
 
 This chart will set the gitea.config.repository.ROOT value default to /data/git/gitea-repositories
 
+## Configure Commit Signing
+
+When using the rootless image the gpg key folder was is not persistent by default. If you consider using signed commits for internal Gitea activities (e.g. initial commit), you'd need to provide a signing key. Prior to [PR 186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be re-imported once the container got replaced by another.
+
+The mentioned PR introduced a new configuration object `signing` allowing you to configure prerequisites for commit signing. By default this section is disabled to maintain backwards compatibility.
+
+```yaml
+  signing:
+    enabled: false
+    gpgHome: /data/git/.gnupg
+```
+
 ## Examples
 
 ### Gitea Configuration
@@ -141,13 +211,13 @@ By default port 3000 is used for web traffic and 22 for ssh. Those can be change
 
 ```yaml
   service:
-    http: 
+    http:
       port: 3000
     ssh:
       port: 22
 ```
 
-This helm chart automatically configures the clone urls to use the correct ports. You can change these ports by hand using the gitea.config dict. However you should know what you're doing.
+This helm chart automatically configures the clone urls to use the correct ports. You can change these ports by hand using the `gitea.config` dict. However you should know what you're doing.
 
 ### ClusterIP
 
@@ -177,6 +247,24 @@ service:
       metallb.universe.tf/allow-shared-ip: test
 ```
 
+### SSH on crio based kubernetes cluster
+
+If you use crio as container runtime it is not possible to read from a remote
+repository. You should get an error message like this:
+
+```bash
+$ git clone git@k8s-demo.internal:admin/test.git
+Cloning into 'test'...
+Connection reset by 192.168.179.217 port 22
+fatal: Could not read from remote repository.
+
+Please make sure you have the correct access rights
+and the repository exists.
+```
+
+To solve this problem add the capability `SYS_CHROOT` to the `securityContext`.
+More about this issue [here](https://gitea.com/gitea/helm-chart/issues/161).
+
 ### Cache
 
 This helm chart can use a built in cache. The default is memcached from bitnami.
@@ -213,7 +301,6 @@ If you want to use your own storageClass define it as followed:
 persistence:
   enabled: true
   storageClass: myOwnStorageClass
-
 ```
 
 When using Postgresql as dependency, this will also be deployed as a statefulset by default.
@@ -262,13 +349,29 @@ You cannot use `admin` as username.
       email: "gi@tea.com"
 ```
 
+You can also use an existing Secret to configure the admin user:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-admin-secret
+type: Opaque
+stringData:
+  username: MyAwesomeGiteaAdmin
+  password: AReallyAwesomeGiteaPassword
+```
+
+```yaml
+gitea:
+    admin:
+      existingSecret: gitea-admin-secret
+```
+
 ### LDAP Settings
 
 Like the admin user the LDAP settings can be updated, but also disabled or deleted.
 All LDAP values from <https://docs.gitea.io/en-us/command-line/#admin> are available.
-You can either use them in camel case or kebab case.
-
-camelCase:
 
 ```yaml
   gitea:
@@ -288,31 +391,37 @@ camelCase:
       sshPublicKeyAttribute: sshPublicKey
 ```
 
-kebab-case:
+You can also use an existing secret to set the bindDn and bindPassword:
 
 ```yaml
-  gitea:
-    ldap:
-      enabled: true
-      name: 'MyAwesomeGiteaLdap'
-      security-protocol: unencrypted
-      host: "127.0.0.1"
-      port: "389"
-      user-search-base: ou=Users,dc=example,dc=com
-      user-filter: sAMAccountName=%s
-      admin-filter: CN=Admin,CN=Group,DC=example,DC=com
-      email-attribute: mail
-      bind-dn: CN=ldap read,OU=Spezial,DC=example,DC=com
-      bind-password: JustAnotherBindPw
-      username-attribute: CN
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-ldap-secret
+type: Opaque
+stringData:
+  bindDn: CN=ldap read,OU=Spezial,DC=example,DC=com
+  bindPassword: JustAnotherBindPw
 ```
+
+```yaml
+gitea:
+    ldap:
+      existingSecret: gitea-ldap-secret
+```
+
+:warning: Some options are just flags and therefore don't any values. If they are defined in `gitea.ldap` configuration, they will be passed to the gitea cli without any value. Affected options:
+
+- notActive
+- skipTlsVerify
+- allowDeactivateAll
+- synchronizeUsers
+- attributesInBind
+
 ### OAuth2 Settings
 
-Like the admin user the OAuth2 settings can be updated but also disabled or deleted.
+Like the admin user, OAuth2 settings can be updated and disabled but not deleted. Deleting OAuth2 settings has to be done in the ui.
 All OAuth2 values from <https://docs.gitea.io/en-us/command-line/#admin> are available.
-You can either use them in camel case or kebab case.
-
-camelCase:
 
 ```yaml
   gitea:
@@ -330,24 +439,6 @@ camelCase:
       #customEmailUrl:
 ```
 
-kebab-case:
-
-```yaml
-  gitea:
-    oauth:
-      enabled: true
-      name: 'MyAwesomeGiteaOAuth'
-      provider: 'openidConnect'
-      key: 'hello'
-      secret: 'world'
-      auto-discover-url: 'https://gitea.example.com/.well-known/openid-configuration'
-      #use-custom-urls:
-      #custom-auth-url:
-      #custom-token-url:
-      #custom-profile-url:
-      #custom-email-url:
-```
-
 ### Metrics and profiling
 
 A Prometheus `/metrics` endpoint on the `HTTP_PORT` and `pprof` profiling endpoints on port 6060 can be enabled under `gitea`. Beware that the metrics endpoint is exposed via the ingress, manage access using ingress annotations for example.
@@ -381,10 +472,10 @@ Annotations can be added to the Gitea pod.
 
 | Parameter                                 | Description                                            | Default     |
 |-------------------------------------------|--------------------------------------------------------|-------------|
-| statefulset.terminationGracePeriodSeconds | Image to start for this pod                            | gitea/gitea |
+| statefulset.terminationGracePeriodSeconds | How long to wait until forcefully kill the pod         | 60          |
 | statefulset.env                           | Additional environment variables to pass to containers | []          |
 | extraVolumes                              | Additional volumes to mount to the Gitea statefulset   | {}          |
-| extraVolumeMounts                         | Additional volumes mounts for the Gitea containers     | {}          |
+| extraVolumeMounts                         | Additional volume mounts for the Gitea containers      | {}          |
 | initPreScript                             | Bash script copied verbatim to start of init container |             |
 | securityContext                           | Run as a specific securityContext                      | {}          |
 | schedulerName                             | Use an alternate scheduler, e.g. "stork"               |             |
@@ -394,7 +485,7 @@ Annotations can be added to the Gitea pod.
 | Parameter           | Description                       | Default                      |
 |---------------------|-----------------------------------|------------------------------|
 |image.repository| Image to start for this pod | gitea/gitea |
-|image.tag| [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated) | 1.14.2 |
+|image.tag| [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated) | 1.15.3 |
 |image.pullPolicy| Image pull policy | Always |
 |image.rootless | Wether or not to pull the rootless version of gitea, only works on gitea 1.14.x or higher | false |
 
@@ -416,11 +507,16 @@ Annotations can be added to the Gitea pod.
 |---------------------|-----------------------------------|------------------------------|
 |ingress.enabled| enable ingress | false|
 |ingress.annotations| add ingress annotations | |
-|ingress.hosts| add hosts for ingress as string list | git.example.com |
-|ingress.tls|add ingress tls settings|[]|
+|ingress.hosts[0].host | add hosts for ingress | git.example.com |
+|ingress.hosts[0].paths[0].path | add path for each ingress host | / |
+|ingress.hosts[0].paths[0].pathType | add ingress path type | Prefix |
+|ingress.tls| add ingress tls settings|[]|
+|ingress.className| add ingress class name. Only used in k8s 1.19+ | |
 
 ### Service
 
+#### Web
+
 | Parameter           | Description                       | Default                      |
 |---------------------|-----------------------------------|------------------------------|
 |service.http.type| Kubernetes service type for web traffic | ClusterIP |
@@ -429,16 +525,20 @@ Annotations can be added to the Gitea pod.
 |service.http.loadBalancerIP| LoadBalancer Ip setting | |
 |service.http.nodePort| NodePort for http service | |
 |service.http.externalTrafficPolicy| If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation | |
-|service.http.externalIPs| http service external IP addresses | 3000 |
+|service.http.externalIPs| http service external IP addresses | |
 |service.http.loadBalancerSourceRanges| Source range filter for http loadbalancer | [] |
 |service.http.annotations| http service annotations | |
 
+#### SSH
+
+| Parameter           | Description                       | Default                      |
+|---------------------|-----------------------------------|------------------------------|
 |service.ssh.type| Kubernetes service type for ssh traffic | ClusterIP |
 |service.ssh.port| Port for ssh traffic | 22 |
 |service.ssh.loadBalancerIP| LoadBalancer Ip setting | |
 |service.ssh.nodePort| NodePort for ssh service | |
 |service.ssh.externalTrafficPolicy| If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation | |
-|service.ssh.externalIPs| ssh service external IP addresses | 3000 |
+|service.ssh.externalIPs| ssh service external IP addresses | |
 |service.ssh.loadBalancerSourceRanges| Source range filter for ssh loadbalancer | [] |
 |service.ssh.annotations| ssh service annotations | |
 
@@ -446,7 +546,7 @@ Annotations can be added to the Gitea pod.
 
 | Parameter           | Description                       | Default                      |
 |---------------------|-----------------------------------|------------------------------|
-|gitea.config | Everything in app.ini can be configured with this dict. See Examples for more details | {} |
+|gitea.config | Everything in `app.ini` can be configured with this dict. See [Examples](#examples) for more details | {} |
 
 ### Gitea Probes
 
@@ -461,13 +561,13 @@ Configure Liveness, Readiness and Startup [Probes](https://kubernetes.io/docs/ta
 |gitea.livenessProbe.successThreshold | Minimum consecutive success probes | 1 |
 |gitea.livenessProbe.failureThreshold | Minimum consecutive error probes | 10 |
 |gitea.readinessProbe.enabled | Enable readiness probe | true |
-|gitea.readinessProbe.initialDelaySeconds | Delay before probe start| 200 |
+|gitea.readinessProbe.initialDelaySeconds | Delay before probe start| 5 |
 |gitea.readinessProbe.timeoutSeconds | probe timeout | 1 |
 |gitea.readinessProbe.periodSeconds | period between probes | 10 |
 |gitea.readinessProbe.successThreshold | Minimum consecutive success probes | 1 |
-|gitea.readinessProbe.failureThreshold | Minimum consecutive error probes | 10 |
+|gitea.readinessProbe.failureThreshold | Minimum consecutive error probes | 3 |
 |gitea.startupProbe.enabled | Enable startup probe | false |
-|gitea.startupProbe.initialDelaySeconds | Delay before probe start| 200 |
+|gitea.startupProbe.initialDelaySeconds | Delay before probe start| 60 |
 |gitea.startupProbe.timeoutSeconds | probe timeout | 1 |
 |gitea.startupProbe.periodSeconds | period between probes | 10 |
 |gitea.startupProbe.successThreshold | Minimum consecutive success probes | 1 |
@@ -488,22 +588,22 @@ The following parameters are the defaults set by this chart
 
 ### Mysql BuiltIn
 
-Mysql is loaded as a dependency from stable. Configuration can be found from this [website](https://github.com/helm/charts/tree/master/stable/mysql)
+Mysql is loaded as a dependency from stable. Configuration can be found on this [website](https://github.com/helm/charts/tree/master/stable/mysql).
 
 The following parameters are the defaults set by this chart
 
 | Parameter           | Description                       | Default                      |
 |---------------------|-----------------------------------|------------------------------|
-|mysql.mysqlRootPassword|Password for the root user. Ignored if existing secret is provided|gitea|
-|mysql.mysqlUser|Username of new user to create.|gitea|
-|mysql.mysqlPassword|Password for the new user. Ignored if existing secret is provided|gitea|
-|mysql.mysqlDatabase|Name for new database to create.|gitea|
+|mysql.root.password|Password for the root user. Ignored if existing secret is provided|gitea|
+|mysql.db.user|Username of new user to create.|gitea|
+|mysql.db.password|Password for the new user. Ignored if existing secret is provided|gitea|
+|mysql.db.name|Name for new database to create.|gitea|
 |mysql.service.port|Port to connect to mysql service|3306|
 |mysql.persistence.size|Persistence size for mysql |10Gi|
 
 ### Postgresql BuiltIn
 
-Postgresql is loaded as a dependency from Bitnami. The chart configuration can be found from this [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) repository.
+Postgresql is loaded as a dependency from Bitnami. The chart configuration can be found in this [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) repository.
 
 The following parameters are the defaults set by this chart
 
@@ -517,7 +617,7 @@ The following parameters are the defaults set by this chart
 
 ### MariaDB BuiltIn
 
-MariaDB is loaded as a dependency from bitnami. Configuration can be found from this [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/mariadb)
+MariaDB is loaded as a dependency from bitnami. Configuration can be found in this [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/mariadb) repository.
 
 The following parameters are the defaults set by this chart
 
@@ -529,3 +629,16 @@ The following parameters are the defaults set by this chart
 |mariadb.auth.rootPassword|Password for the root user.|gitea|
 |mariadb.primary.service.port|Port to connect to mariadb service|3306|
 |mariadb.primary.persistence.size|Persistence size for mariadb |10Gi|
+
+## Local development & testing
+
+For local development and testing of pull requests, the following workflow can be used:
+
+1. Install `minikube` and `helm`.
+2. Start a `minikube` cluster via `minikube start`.
+3. From the `gitea/helm-chart` directory execute `helm install --dependency-update gitea . -f values.yaml`.
+   This will install the dependencies listed in `Chart.yml` and deploy the current state of the helm chart found locally.
+   If you want to test a branch, make sure to switch to the respective branch first.
+4. Gitea is now deployed in `minikube`.
+   To access it, it's port needs to be forwarded first from `minikube` to localhost first via `kubectl --namespace default port-forward svc/gitea-http 3000:3000`.
+   Now Gitea is accessible at http://localhost:3000.

templates/NOTES.txt

@@ -1,7 +1,9 @@
 1. Get the application URL by running these commands:
 {{- if .Values.ingress.enabled }}
 {{- range $host := .Values.ingress.hosts }}
-  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host }}/
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
 {{- end }}
 {{- else if contains "NodePort" .Values.service.http.type }}
   export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "gitea.fullname" . }})

templates/_helpers.tpl

@@ -108,12 +108,27 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
 {{- define "gitea.ldap_settings" -}}
+{{- if not (hasKey .Values.gitea.ldap "bindDn") -}}
+{{- $_ := set .Values.gitea.ldap "bindDn" "" -}}
+{{- end -}}
+
+{{- if not (hasKey .Values.gitea.ldap "bindPassword") -}}
+{{- $_ := set .Values.gitea.ldap "bindPassword" "" -}}
+{{- end -}}
+
+{{- $flags := list "notActive" "skipTlsVerify" "allowDeactivateAll" "synchronizeUsers" "attributesInBind" -}}
 {{- range $key, $val := .Values.gitea.ldap -}}
-{{- if ne $key "enabled" -}}
-{{- if eq $key "port" -}}
-{{- printf "--%s %d " ($key | kebabcase) ($val | int) -}}
+{{- if and (ne $key "enabled") (ne $key "existingSecret") -}}
+{{- if eq $key "bindDn" -}}
+{{- printf "--%s %s " ($key | kebabcase) ("${GITEA_LDAP_BIND_DN}" | quote ) -}}
+{{- else if eq $key "bindPassword" -}}
+{{- printf "--%s %s " ($key | kebabcase) ("${GITEA_LDAP_PASSWORD}" | quote ) -}}
+{{- else if eq $key "port" -}}
+{{- printf "--%s %d " $key ($val | int) -}}
+{{- else if has $key $flags -}}
+{{- printf "--%s " ($key | kebabcase) -}}
 {{- else -}}
-{{- printf "--%s %s " ($key | kebabcase) ($val | quote) -}}
+{{- printf "--%s %s " ($key | kebabcase) ($val | squote) -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
@@ -122,7 +137,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- define "gitea.oauth_settings" -}}
 {{- range $key, $val := .Values.gitea.oauth -}}
 {{- if ne $key "enabled" -}}
-{{- printf "--%s %s " ($key | kebabcase) ($val | quote) -}}
+{{- printf "--%s %s " ($key | kebabcase) ($val | squote) -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}

templates/gitea/config.yaml

@@ -50,7 +50,7 @@ stringData:
     {{- end -}}
     {{- if not (.Values.gitea.config.server.DOMAIN) -}}
     {{- if gt (len .Values.ingress.hosts) 0 -}}
-    {{- $_ := set .Values.gitea.config.server "DOMAIN" (index .Values.ingress.hosts 0) -}}
+    {{- $_ := set .Values.gitea.config.server "DOMAIN" (index .Values.ingress.hosts 0).host -}}
     {{- else -}}
     {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}}
     {{- end -}}
@@ -60,7 +60,7 @@ stringData:
     {{- if gt (len .Values.ingress.tls) 0 -}}
     {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index (index .Values.ingress.tls 0).hosts 0)) -}}
     {{- else -}}
-    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index .Values.ingress.hosts 0)) -}}
+    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index .Values.ingress.hosts 0).host) -}}
     {{- end -}}
     {{- else -}}
     {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL .Values.gitea.config.server.DOMAIN) -}}

templates/gitea/ingress.yaml

@@ -18,6 +18,9 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
+{{- if .Values.ingress.className }}
+  ingressClassName: {{ .Values.ingress.className }}
+{{- end }}
 {{- if .Values.ingress.tls }}
   tls:
   {{- range .Values.ingress.tls }}
@@ -29,13 +32,14 @@ spec:
   {{- end }}
 {{- end }}
   rules:
-  {{- range .Values.ingress.hosts }}
-    - host: {{ . | quote }}
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
       http:
         paths:
-          - path: /
-            {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
-            pathType: Prefix
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- if and .pathType ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }}
+            pathType: {{ .pathType }}
             {{- end }}
             backend:
             {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
@@ -47,5 +51,6 @@ spec:
               serviceName: {{ $fullName }}-http
               servicePort: {{ $httpPort }}
             {{- end }}
-  {{- end }}
+          {{- end }}
+    {{- end }}
 {{- end }}

templates/gitea/init.yaml

@@ -6,8 +6,11 @@ metadata:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
-  init_gitea.sh: |-
-    #!/bin/bash
+  init_directory_structure.sh: |-
+    #!/usr/bin/env bash
+
+    set -euo pipefail
+
     {{- if .Values.initPreScript }}
     # BEGIN: initPreScript
     {{- with .Values.initPreScript -}}
@@ -16,12 +19,14 @@ stringData:
     # END: initPreScript
     {{- end }}
 
+    set -x
+
     {{- if not .Values.image.rootless }}
     chown 1000:1000 /data
     {{- end }}
     mkdir -p /data/git/.ssh
     chmod -R 700 /data/git/.ssh
-    mkdir -p /data/gitea/conf
+    [ ! -d /data/gitea ] && mkdir -p /data/gitea/conf
 
     # prepare temp directory structure
     mkdir -p "${GITEA_TEMP}"
@@ -31,44 +36,90 @@ stringData:
     # Copy config file to writable volume
     cp /etc/gitea/conf/app.ini /data/gitea/conf/app.ini
     chmod a+rwx /data/gitea/conf/app.ini
+  configure_gitea.sh: |-
+    #!/usr/bin/env bash
+
+    set -euo pipefail
+
     {{- if include "db.servicename" . }}
-    # Wait for database to become avialble
-    nc -v -w2 -z {{ include "db.servicename" . }} {{ include "db.port" . }} && \
+    # Connection retry inspired by https://gist.github.com/dublx/e99ea94858c07d2ca6de
+    function test_db_connection() {
+      local RETRY=0
+      local MAX=30
+
+      echo 'Wait for database to become avialable...'
+      until [ "${RETRY}" -ge "${MAX}" ]; do
+        nc -vz -w2 {{ include "db.servicename" . }} {{ include "db.port" . }} && break
+        RETRY=$[${RETRY}+1]
+        echo "...not ready yet (${RETRY}/${MAX})"
+      done
+
+      if [ "${RETRY}" -ge "${MAX}" ]; then
+        echo "Database not reachable after '${MAX}' attempts!"
+        exit 1
+      fi
+    }
+
+    test_db_connection
     {{- end }}
-    {{- if not .Values.image.rootless }}
-    su git -c ' \
-    {{- end }}
-    set -x; \
-    gitea migrate; \
-    {{- if and .Values.gitea.admin.username .Values.gitea.admin.password }}
-    gitea admin create-user --username  {{ .Values.gitea.admin.username }} --password {{ .Values.gitea.admin.password | quote }} --email {{ .Values.gitea.admin.email }} --admin --must-change-password=false \
-    || \
-    gitea admin change-password --username {{ .Values.gitea.admin.username }} --password {{ .Values.gitea.admin.password | quote }} \
-    || \
-    gitea admin user create --username  {{ .Values.gitea.admin.username }} --password {{ .Values.gitea.admin.password | quote }} --email {{ .Values.gitea.admin.email }} --admin --must-change-password=false \
-    || \
-    gitea admin user change-password --username {{ .Values.gitea.admin.username }} --password {{ .Values.gitea.admin.password | quote }}; \
+
+    echo '==== BEGIN GITEA CONFIGURATION ===='
+
+    gitea migrate
+
+    {{- if or .Values.gitea.admin.existingSecret (and .Values.gitea.admin.username .Values.gitea.admin.password) }}
+    function configure_admin_user() {
+      local ACCOUNT_ID=$(gitea admin user list --admin | grep -e "\s\+${GITEA_ADMIN_USERNAME}\s\+" | awk -F " " "{printf \$1}")
+      if [[ -z "${ACCOUNT_ID}" ]]; then
+        echo "No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now..."
+        gitea admin user create --admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }} --must-change-password=false
+        echo '...created.'
+      else
+        echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
+        gitea admin user change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}"
+        echo '...password sync done.'
+      fi
+    }
+
+    configure_admin_user
     {{- end }}
+
     {{- if .Values.gitea.ldap.enabled }}
-    gitea admin auth add-ldap \
-    {{- include "gitea.ldap_settings" . | nindent 6 }} \
-    || \
-    ( \
-      export GITEA_AUTH_ID=$(gitea admin auth list | grep {{ .Values.gitea.ldap.name | quote }} | awk -F " "  "{print \$1}"); \
-      gitea admin auth update-ldap --id ${GITEA_AUTH_ID} \
-      {{- include "gitea.ldap_settings" . | nindent 6 }} \
-    ) \
+    function configure_ldap() {
+      local LDAP_NAME={{ (printf "%s" .Values.gitea.ldap.name) | squote }}
+      local GITEA_AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${LDAP_NAME}\s+\|" | grep -iE '\|LDAP \(via BindDN\)\s+\|' | awk -F " "  "{print \$1}")
+
+      if [[ -z "${GITEA_AUTH_ID}" ]]; then
+        echo "No ldap configuration found with name '${LDAP_NAME}'. Installing it now..."
+        gitea admin auth add-ldap {{- include "gitea.ldap_settings" . | indent 1 }}
+        echo '...installed.'
+      else
+        echo "Existing ldap configuration with name '${LDAP_NAME}': '${GITEA_AUTH_ID}'. Running update to sync settings..."
+        gitea admin auth update-ldap --id "${GITEA_AUTH_ID}" {{- include "gitea.ldap_settings" . | indent 1 }}
+        echo '...sync settings done.'
+      fi
+    }
+
+    configure_ldap
     {{- end }}
+
     {{- if .Values.gitea.oauth.enabled }}
-    gitea admin auth add-oauth \
-    {{- include "gitea.oauth_settings" . | nindent 6 }} \
-    || \
-    ( \
-      export GITEA_AUTH_ID=$(gitea admin auth list | grep {{ .Values.gitea.oauth.name | quote }} | awk -F " "  "{print \$1}"); \
-      gitea admin auth update-oauth --id ${GITEA_AUTH_ID} \
-      {{- include "gitea.oauth_settings" . | nindent 6 }} \
-    ) \
-    {{- end }}
-    {{- if not .Values.image.rootless }}
-    '
+    function configure_oauth() {
+      local OAUTH_NAME={{ (printf "%s" .Values.gitea.oauth.name) | squote }}
+      local AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " "  "{print \$1}")
+
+      if [[ -z "${AUTH_ID}" ]]; then
+        echo "No oauth configuration found with name '${OAUTH_NAME}'. Installing it now..."
+        gitea admin auth add-oauth {{- include "gitea.oauth_settings" . | indent 1 }}
+        echo '...installed.'
+      else
+        echo "Existing oauth configuration with name '${OAUTH_NAME}': '${AUTH_ID}'. Running update to sync settings..."
+        gitea admin auth update-oauth --id "${AUTH_ID}" {{- include "gitea.oauth_settings" . | indent 1 }}
+        echo '...sync settings done.'
+      fi
+    }
+
+    configure_oauth
     {{- end }}
+
+    echo '==== END GITEA CONFIGURATION ===='

templates/gitea/statefulset.yaml

@@ -38,9 +38,9 @@ spec:
       securityContext:
         fsGroup: 1000
       initContainers:
-        - name: init
+        - name: init-directories
           image: "{{ include "gitea.image" . }}"
-          command: ["/usr/sbin/init_gitea.sh"]
+          command: ["/usr/sbin/init_directory_structure.sh"]
           env:
             - name: GITEA_APP_INI
               value: /data/gitea/conf/app.ini
@@ -65,6 +65,69 @@ spec:
             {{- if .Values.extraVolumeMounts }}
             {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
             {{- end }}
+        - name: configure-gitea
+          image: "{{ include "gitea.image" . }}"
+          command: ["/usr/sbin/configure_gitea.sh"]
+          securityContext:
+            runAsUser: 1000
+          env:
+            - name: GITEA_APP_INI
+              value: /data/gitea/conf/app.ini
+            - name: GITEA_CUSTOM
+              value: /data/gitea
+            - name: GITEA_WORK_DIR
+              value: /data
+            - name: GITEA_TEMP
+              value: /tmp/gitea
+            {{- if .Values.gitea.ldap.enabled }}
+            {{- if .Values.gitea.ldap.existingSecret }}
+            - name: GITEA_LDAP_BIND_DN
+              valueFrom:
+                secretKeyRef:
+                  key:  bindDn
+                  name: {{ .Values.gitea.ldap.existingSecret }}
+            - name: GITEA_LDAP_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key:  bindPassword
+                  name: {{ .Values.gitea.ldap.existingSecret }}
+            {{- else }}
+            - name: GITEA_LDAP_BIND_DN
+              value: {{ .Values.gitea.ldap.bindDn | quote }}
+            - name: GITEA_LDAP_PASSWORD
+              value: {{ .Values.gitea.ldap.bindPassword | quote }}
+            {{- end }}
+            {{- end }}
+            {{- if .Values.gitea.admin.existingSecret }}
+            - name: GITEA_ADMIN_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  key:  username
+                  name: {{ .Values.gitea.admin.existingSecret }}
+            - name: GITEA_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key:  password
+                  name: {{ .Values.gitea.admin.existingSecret }}
+            {{- else }}
+            - name: GITEA_ADMIN_USERNAME
+              value: {{ .Values.gitea.admin.username | quote }}
+            - name: GITEA_ADMIN_PASSWORD
+              value: {{ .Values.gitea.admin.password | quote }}
+            {{- end }}
+            {{- if .Values.statefulset.env }}
+            {{- toYaml .Values.statefulset.env | nindent 12 }}
+            {{- end }}
+          volumeMounts:
+            - name: init
+              mountPath: /usr/sbin
+            - name: temp
+              mountPath: /tmp
+            - name: data
+              mountPath: /data
+            {{- if .Values.extraVolumeMounts }}
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+            {{- end }}
       terminationGracePeriodSeconds: {{ .Values.statefulset.terminationGracePeriodSeconds }}
       containers:
         - name: {{ .Chart.Name }}
@@ -86,6 +149,10 @@ spec:
               value: /tmp/gitea
             - name: TMPDIR
               value: /tmp/gitea
+            {{- if .Values.signing.enabled }}
+            - name: GNUPGHOME
+              value: {{ .Values.signing.gpgHome }}
+            {{- end }}
             {{- if .Values.statefulset.env }}
             {{- toYaml .Values.statefulset.env | nindent 12 }}
             {{- end }}
@@ -177,7 +244,9 @@ spec:
   {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
         - name: data
           persistentVolumeClaim:
-            claimName: {{ .Values.persistence.existingClaim }}
+  {{- with .Values.persistence.existingClaim }}
+            claimName: {{ tpl . $ }}
+  {{- end }}
   {{- else if not .Values.persistence.enabled }}
         - name: data
           emptyDir: {}

values.yaml

@@ -8,7 +8,7 @@ clusterDomain: cluster.local
 
 image:
   repository: gitea/gitea
-  tag: 1.14.2
+  tag: 1.15.3
   pullPolicy: Always
   rootless: false # only possible when running 1.14 or later
 
@@ -16,15 +16,22 @@ imagePullSecrets: []
 
 # only usable with rootless image due to image design
 securityContext: {}
-#  allowPrivilegeEscalation: false
-#  capabilities:
-#    drop:
-#      - ALL
-#  privileged: false
-#  readOnlyRootFilesystem: true
-#  runAsGroup: 1000
-#  runAsNonRoot: true
-#  runAsUser: 1000
+#   allowPrivilegeEscalation: false
+#   capabilities:
+#     drop:
+#       - ALL
+#   # Add the SYS_CHROOT capability for root and rootless images if you intend to
+#   # run pods on nodes that use the container runtime cri-o. Otherwise, you will
+#   # get an error message from the SSH server that it is not possible to read from
+#   # the repository.
+#   # https://gitea.com/gitea/helm-chart/issues/161
+#     add:
+#       - SYS_CHROOT
+#   privileged: false
+#   readOnlyRootFilesystem: true
+#   runAsGroup: 1000
+#   runAsNonRoot: true
+#   runAsUser: 1000
 
 service:
   http:
@@ -50,11 +57,15 @@ service:
 
 ingress:
   enabled: false
+  # className: nginx
   annotations: {}
     # kubernetes.io/ingress.class: nginx
     # kubernetes.io/tls-acme: "true"
   hosts:
-    - git.example.com
+    - host: git.example.com
+      paths:
+        - path: /
+          pathType: Prefix
   tls: []
   #  - secretName: chart-example-tls
   #    hosts:
@@ -124,9 +135,14 @@ initPreScript: ""
 #   chown -R git:git /data/git/.postgresql/
 #   chmod 400 /data/git/.postgresql/postgresql.key
 
+# Configure commit/action signing prerequisites
+signing:
+  enabled: false
+  gpgHome: /data/git/.gnupg
 
 gitea:
   admin:
+    #existingSecret: gitea-admin-secret
     username: gitea_admin
     password: r8sA8CPHD9!bt6d
     email: "gitea@local.domain"
@@ -140,6 +156,7 @@ gitea:
 
   ldap:
     enabled: false
+    #existingSecret: gitea-ldap-secret
     #name:
     #securityProtocol:
     #host:
@@ -208,6 +225,7 @@ gitea:
   startupProbe:
     enabled: false
     initialDelaySeconds: 60
+    timeoutSeconds: 1
     periodSeconds: 10
     successThreshold: 1
     failureThreshold: 10