update to gitea 1.15.10 (#278)

Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/278
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-committed-by: techknowlogick <techknowlogick@gitea.io>

.drone.yml

@@ -1,5 +1,6 @@
 ---
 kind: pipeline
+type: docker
 name: lint
 
 platform:
@@ -7,13 +8,27 @@ platform:
   arch: arm64
 
 steps:
-- name: lint
+- name: helm lint
   pull: always
   image: alpine:3.13
   commands:
   - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
   - helm lint
 
+- name: helm template
+  pull: always
+  image: alpine:3.13
+  commands:
+  - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
+  - helm dependency update
+  - helm template --debug gitea-helm .
+
+- name: markdown lint
+  pull: always
+  image: docker.io/volkerraschek/markdownlint:latest
+  commands:
+  - markdownlint *.md
+
 - name: discord
   pull: always
   image: appleboy/drone-discord:1.2.4
@@ -29,6 +44,7 @@ steps:
 
 ---
 kind: pipeline
+type: docker
 name: release-version
 
 platform:

.markdownlint.yaml

@@ -0,0 +1,151 @@
+# markdownlint YAML configuration
+# https://github.com/DavidAnson/markdownlint/blob/main/schema/.markdownlint.yaml
+
+# Default state for all rules
+default: true
+
+# Path to configuration file to extend
+extends: null
+
+# MD003/heading-style/header-style - Heading style
+MD003:
+  # Heading style
+  style: "atx"
+
+# MD004/ul-style - Unordered list style
+MD004:
+  style: "dash"
+
+# MD007/ul-indent - Unordered list indentation
+MD007:
+  # Spaces for indent
+  indent: 2
+  # Whether to indent the first level of the list
+  start_indented: false
+
+# MD009/no-trailing-spaces - Trailing spaces
+MD009:
+  # Spaces for line break
+  br_spaces: 2
+  # Allow spaces for empty lines in list items
+  list_item_empty_lines: false
+  # Include unnecessary breaks
+  strict: false
+
+# MD010/no-hard-tabs - Hard tabs
+MD010:
+  # Include code blocks
+  code_blocks: true
+
+# MD012/no-multiple-blanks - Multiple consecutive blank lines
+MD012:
+  # Consecutive blank lines
+  maximum: 1
+
+# MD013/line-length - Line length
+MD013:
+  # Number of characters
+  line_length: 80
+  # Number of characters for headings
+  heading_line_length: 80
+  # Number of characters for code blocks
+  code_block_line_length: 80
+  # Include code blocks
+  code_blocks: false
+  # Include tables
+  tables: false
+  # Include headings
+  headings: true
+  # Include headings
+  headers: true
+  # Strict length checking
+  strict: false
+  # Stern length checking
+  stern: false
+
+# MD022/blanks-around-headings/blanks-around-headers - Headings should be surrounded by blank lines
+MD022:
+  # Blank lines above heading
+  lines_above: 1
+  # Blank lines below heading
+  lines_below: 1
+
+# MD024/no-duplicate-heading/no-duplicate-header - Multiple headings with the same content
+MD024:
+  # Only check sibling headings
+  allow_different_nesting: true
+
+# MD025/single-title/single-h1 - Multiple top-level headings in the same document
+MD025:
+  # Heading level
+  level: 1
+  # RegExp for matching title in front matter
+  front_matter_title: "^\\s*title\\s*[:=]"
+
+# MD026/no-trailing-punctuation - Trailing punctuation in heading
+MD026:
+  # Punctuation characters
+  punctuation: ".,;:!。，；：！"
+
+# MD029/ol-prefix - Ordered list item prefix
+MD029:
+  # List style
+  style: "one_or_ordered"
+
+# MD030/list-marker-space - Spaces after list markers
+MD030:
+  # Spaces for single-line unordered list items
+  ul_single: 1
+  # Spaces for single-line ordered list items
+  ol_single: 1
+  # Spaces for multi-line unordered list items
+  ul_multi: 1
+  # Spaces for multi-line ordered list items
+  ol_multi: 1
+
+# MD033/no-inline-html - Inline HTML
+MD033:
+  # Allowed elements
+  allowed_elements: []
+
+# MD035/hr-style - Horizontal rule style
+MD035:
+  # Horizontal rule style
+  style: "---"
+
+# MD036/no-emphasis-as-heading/no-emphasis-as-header - Emphasis used instead of a heading
+MD036:
+  # Punctuation characters
+  punctuation: ".,;:!?。，；：！？"
+
+# MD041/first-line-heading/first-line-h1 - First line in a file should be a top-level heading
+MD041:
+  # Heading level
+  level: 1
+  # RegExp for matching title in front matter
+  front_matter_title: "^\\s*title\\s*[:=]"
+
+# MD044/proper-names - Proper names should have the correct capitalization
+MD044:
+  # List of proper names
+  names:
+  - Gitea
+  - PostgreSQL
+  - MariaDB
+  - MySQL
+  - Memcached
+  - Prometheus
+  - Git
+  - GitOps
+  # Include code blocks
+  code_blocks: false
+
+# MD046/code-block-style - Code block style
+MD046:
+  # Block style
+  style: "fenced"
+
+# MD048/code-fence-style - Code fence style
+MD048:
+  # Code fence syle
+  style: "backtick"

Chart.yaml

@@ -3,7 +3,7 @@ name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
-appVersion: 1.15.0
+appVersion: 1.15.10
 icon: https://docs.gitea.io/images/gitea.png
 
 keywords:
@@ -33,16 +33,16 @@ dependencies:
 - name: memcached
   repository: https://charts.bitnami.com/bitnami
   version: 5.9.0
-  condition: gitea.cache.builtIn.enabled
+  condition: memcached.enabled
 - name: mysql
   repository: https://charts.bitnami.com/bitnami
   version: 6.14.10
-  condition: gitea.database.builtIn.mysql.enabled
+  condition: mysql.enabled
 - name: postgresql
   repository: https://charts.bitnami.com/bitnami
   version: 10.3.17
-  condition: gitea.database.builtIn.postgresql.enabled
+  condition: postgresql.enabled
 - name: mariadb
   repository: https://charts.bitnami.com/bitnami
   version: 9.3.6
-  condition: gitea.database.builtIn.mariadb.enabled
+  condition: mariadb.enabled

README.md

@@ -1,23 +1,27 @@
 # Gitea Helm Chart
 
-[Gitea](https://gitea.io/en-us/) is a community managed lightweight code hosting solution written in Go. It is published under the MIT license.
+[Gitea](https://gitea.io/en-us/) is a community managed lightweight code hosting
+solution written in Go. It is published under the MIT license.
 
 ## Introduction
 
-This helm chart has taken some inspiration from <https://github.com/jfelten/gitea-helm-chart>
-But takes a completely different approach in providing a database and cache with dependencies.
-Additionally, this chart provides LDAP and admin user configuration with values, as well as being deployed as a statefulset to retain stored repositories.
+This helm chart has taken some inspiration from [jfelten's helm
+chart](https://github.com/jfelten/gitea-helm-chart). But takes a completely
+different approach in providing a database and cache with dependencies.
+Additionally, this chart provides LDAP and admin user configuration with values,
+as well as being deployed as a statefulset to retain stored repositories.
 
 ## Dependencies
 
-Gitea can be run with an external database and cache. This chart provides those dependencies, which can be
-enabled, or disabled via [configuration](#configuration).
+Gitea can be run with an external database and cache. This chart provides those
+dependencies, which can be enabled, or disabled via
+[configuration](#configuration).
 
 Dependencies:
 
-* Postgresql
-* Memcached
-* Mysql
+- PostgreSQL
+- Memcached
+- MySQL
 
 ## Installing
 
@@ -29,18 +33,101 @@ Dependencies:
 
 ## Prerequisites
 
-* Kubernetes 1.12+
-* Helm 3.0+
-* PV provisioner for persistent data support
+- Kubernetes 1.12+
+- Helm 3.0+
+- PV provisioner for persistent data support
+
+## Chart upgrade to 5.0.0
+
+:warning: The most recent `5.0.0` update brings some major and breaking changes.
+Please note the following changes in the Chart to upgrade successfully. :warning:
+
+### Enable Dependencies
+
+:warning: The values to enable the dependencies,
+such as PostgreSQL, Memcached, MySQL and MariaDB
+have been moved from `gitea.database.builtIn.` to the dependency values. :warning:
+
+You can now enable the dependencies as followed:
+
+```yaml
+memcached:
+  enabled: true
+
+postgresql:
+  enabled: true
+
+mysql:
+  enabled: false
+
+mariadb:
+  enabled: false
+```
+
+### App.ini generation
+
+The app.ini generation has changed and now utilizes the environment-to-ini
+script provided by newer Gitea versions.
+
+> :boom: The Helm Chart now requires Gitea versions of at least 1.11.0.
+
+This change ensures, that the app.ini is now persistent.
+
+#### Secret Key generation
+
+Gitea secret keys (SECRET_KEY, INTERNAL_TOKEN, JWT_SECRET) are now generated
+automatically in certain situations:
+
+- New install: By default the secrets are created automatically. If you provide
+  secrets via `gitea.config` they will be used instead of automatic generation.
+- Existing installs: The secrets won't be deployed, neither via
+  configuration nor via auto generation. We explicitly prevent to set new secrets.
+
+> :rotating_light: It would be possible to set new secret keys manually by entering
+the running container and rewriting the app.ini by hand. However, this it is
+not advisable to do so for existing installations. Certain settings like
+_LDAP_ would not be readable anymore.
+
+### Probes
+
+> :boom: `gitea.customLivenessProbe`, `gitea.customReadinessProbe` and `gitea.customStartupProbe`
+have been removed.
+
+They are replaced by the settings `gitea.livenessProbe`, `gitea.readinessProbe`
+and `gitea.startupProbe` which are now fully configurable and used _as-is_ for
+a Chart deployment.
+If you have customized their values instead of using the `custom` prefixed settings,
+please ensure that you remove the `enabled` property from each of them.
+
+In case you want to disable one of these probes, let's say the `livenessProbe`, add
+the following to your values. The `podAnnotation` is just there to have a bit more
+context.
+
+```diff
+gitea:
++ livenessProbe:
+  podAnnotations: {}
+```
+
+### Multiple OAuth and LDAP authentication sources
+
+With `5.0.0` of this Chart it is now possible to configure Gitea with multiple
+OAuth and LDAP sources. As a result, you need to update an existing OAuth/LDAP configuration
+in your customized `values.yaml` by replacing the object with settings to a list
+of settings objects. See [OAuth2 Settings](#oauth-settings) and
+[LDAP Settings](#ldap-settings) section for details.
 
 ## Chart upgrade from 3.x.x to 4.0.0
 
-:warning: The most recent 4.0.0 update brings some breaking changes. Please note the following changes in the Chart to upgrade successfully. :warning:
+:warning: The most recent `4.0.0` update brings some breaking changes. Please note
+the following changes in the Chart to upgrade successfully. :warning:
 
 ### Ingress changes
 
-To provide a more flexible Ingress configuration we now support not only host settings but also provide configuration for the path and pathType. So this change changes the hosts from a simple string list, to a list containing a more complex object for more configuration.
-
+To provide a more flexible Ingress configuration we now support not only host
+settings but also provide configuration for the path and pathType. So this
+change changes the hosts from a simple string list, to a list containing a more
+complex object for more configuration.
 
 ```diff
 ingress:
@@ -61,7 +148,8 @@ ingress:
   #      - git.example.com
 ```
 
-If you want everything as it was before, you can simply add the following code to all your host entries.
+If you want everything as it was before, you can simply add the following code
+to all your host entries.
 
 ```yaml
 paths:
@@ -71,35 +159,54 @@ paths:
 
 ### Dropped kebab-case support
 
-In 3.x.x it was possible to provide an ldap configuration via kebab-case, this support has now been dropped and only camel case is supported.
-See [LDAP section](#ldap-settings) for more information.
+In 3.x.x it was possible to provide an ldap configuration via kebab-case, this
+support has now been dropped and only camel case is supported. See [LDAP
+section](#ldap-settings) for more information.
 
 ### Dependency update
 
-The chart comes with multiple databases and memcached as dependency, the latest release updated the dependencies.
+The chart comes with multiple databases and Memcached as dependency, the latest
+release updated the dependencies.
 
-- memcached: 4.2.20 -> 5.9.0
-- postgresql: 9.7.2 -> 10.3.17
-- mariadb: 8.0.0 -> 9.3.6
+- Memcached: `4.2.20` -> `5.9.0`
+- PostgreSQL: `9.7.2` -> `10.3.17`
+- MariaDB: `8.0.0` -> `9.3.6`
 
-If you're using the builtin databases you will most likely redeploy the chart in order to update the database correctly.
+If you're using the builtin databases you will most likely redeploy the chart in
+order to update the database correctly.
 
 ### Execution of initPreScript
 
-Generally spoken, this might not be a breaking change, but it is worth to be mentioned.  
-Prior to 4.0.0 only one init container was used to both setup directories and configure Gitea. As of now the actual Gitea configuration is separated from the other pre-execution. This also includes the execution of _initPreScript_. If you have such script, please be aware of this. Dynamically prepare the Gitea setup during execution by e.g. adding environment variables to the execution context won't work anymore.
+Generally spoken, this might not be a breaking change, but it is worth to be
+mentioned.
+
+Prior to `4.0.0` only one init container was used to both setup directories and
+configure Gitea. As of now the actual Gitea configuration is separated from the
+other pre-execution. This also includes the execution of _initPreScript_. If you
+have such script, please be aware of this. Dynamically prepare the Gitea setup
+during execution by e.g. adding environment variables to the execution context
+won't work anymore.
 
 ## Gitea Version 1.14.X repository ROOT
 
-Previously the ROOT folder for the gitea repositories was located at /data/git/gitea-repositories
-1.14 changed this to /data/gitea-repositories.
+Previously the ROOT folder for the Gitea repositories was located at
+`/data/git/gitea-repositories`. In version `1.14` has the path been changed to
+`/data/gitea-repositories`.
 
-This chart will set the gitea.config.repository.ROOT value default to /data/git/gitea-repositories
+This chart will set the `gitea.config.repository.ROOT` value default to
+`/data/git/gitea-repositories`.
 
 ## Configure Commit Signing
 
-When using the rootless image the gpg key folder was is not persistent by default. If you consider using signed commits for internal Gitea activities (e.g. initial commit), you'd need to provide a signing key. Prior to [PR 186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be re-imported once the container got replaced by another.  
-The mentioned PR introduced a new configuration object `signing` allowing you to configure prerequisites for commit signing. By default this section is disabled to maintain backwards compatibility.
+When using the rootless image the gpg key folder was is not persistent by
+default. If you consider using signed commits for internal Gitea activities
+(e.g. initial commit), you'd need to provide a signing key. Prior to
+[PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be
+re-imported once the container got replaced by another.
+
+The mentioned PR introduced a new configuration object `signing` allowing you to
+configure prerequisites for commit signing. By default this section is disabled
+to maintain backwards compatibility.
 
 ```yaml
 signing:
@@ -111,7 +218,8 @@ The mentioned PR introduced a new configuration object `signing` allowing you to
 
 ### Gitea Configuration
 
-Gitea offers lots of configuration options. This is fully described in the [Gitea Cheat Sheet](https://docs.gitea.io/en-us/config-cheat-sheet/).
+Gitea offers lots of configuration options. This is fully described in the
+[Gitea Cheat Sheet](https://docs.gitea.io/en-us/config-cheat-sheet/).
 
 ```yaml
 gitea:
@@ -125,15 +233,18 @@ Gitea offers lots of configuration options. This is fully described in the [Gite
 
 ### Default Configuration
 
-This chart will set a few defaults in the gitea configuration based on the service and ingress settings. All defaults can be overwritten in gitea.config.
+This chart will set a few defaults in the Gitea configuration based on the
+service and ingress settings. All defaults can be overwritten in `gitea.config`.
 
-INSTALL_LOCK is always set to true, since we want to configure gitea with this helm chart and everything is taken care of.
+INSTALL_LOCK is always set to true, since we want to configure Gitea with this
+helm chart and everything is taken care of.
 
 *All default settings are made directly in the generated app.ini, not in the Values.*
 
 #### Database defaults
 
-If a builtIn database is enabled the database configuration is set automatically. For example, postgresql builtIn will appear in the app.ini as:
+If a builtIn database is enabled the database configuration is set
+automatically. For example, PostgreSQL builtIn will appear in the app.ini as:
 
 ```ini
 [database]
@@ -146,7 +257,8 @@ USER = gitea
 
 #### Memcached defaults
 
-Memcached is handled the exact same way as database builtIn. Once memcached builtIn is enabled, this chart will generate the following part in the app.ini:
+Memcached is handled the exact same way as database builtIn. Once Memcached
+builtIn is enabled, this chart will generate the following part in the `app.ini`:
 
 ```ini
 [cache]
@@ -157,8 +269,9 @@ HOST = RELEASE-NAME-memcached.default.svc.cluster.local:11211
 
 #### Server defaults
 
-The server defaults are a bit more complex.
-If ingress is enabled, the ROOT_URL, DOMAIN and SSH_DOMAIN will be set accordingly. HTTP_PORT always defaults to 3000 as well as SSH_PORT to 22.
+The server defaults are a bit more complex. If ingress is `enabled`, the
+`ROOT_URL`, `DOMAIN` and `SSH_DOMAIN` will be set accordingly. `HTTP_PORT`
+always defaults to `3000` as well as `SSH_PORT` to `22`.
 
 ```ini
 [server]
@@ -182,17 +295,58 @@ The Prometheus `/metrics` endpoint is disabled by default.
 ENABLED = false
 ```
 
-### External Database
+### Additional _app.ini_ settings
 
-An external Database can be used instead of builtIn postgresql or mysql.
+> **The [generic](https://docs.gitea.io/en-us/config-cheat-sheet/#overall-default)
+section cannot be defined that way.**
+
+Some settings inside _app.ini_ (like passwords or whole authentication configurations)
+must be considered sensitive and therefore should not be passed via plain text
+inside the _values.yaml_ file. In times of _GitOps_ the values.yaml could be stored
+in a Git repository where sensitive data should never be accessible.
+
+The Helm Chart supports this approach and let the user define custom sources like
+Kubernetes Secrets to be loaded as environment variables during _app.ini_ creation
+or update.
 
 ```yaml
 gitea:
-    database:
-      builtIn:
-        postgresql:
-          enabled: false
+  additionalConfigSources:
+    - secret:
+        secretName: gitea-app-ini-oauth
+    - configMap:
+        name: gitea-app-ini-plaintext
+```
 
+This would mount the two additional volumes (`oauth` and `some-additionals`)
+from different sources to the init containerwhere the _app.ini_ gets updated.
+All files mounted that way will be read and converted to environment variables
+and then added to the _app.ini_ using [environment-to-ini](https://github.com/go-gitea/gitea/tree/main/contrib/environment-to-ini).
+
+The key of such additional source represents the section inside the _app.ini_.
+The value for each key can be multiline ini-like definitions.
+
+In example, the referenced `gitea-app-ini-plaintext` could look like this.
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gitea-app-ini-plaintext
+data:
+  session: |
+    PROVIDER=memory
+    SAME_SITE=strict
+  cron.archive_cleanup: |
+    ENABLED=true
+```
+
+### External Database
+
+An external Database can be used instead of builtIn PostgreSQL or MySQL.
+
+```yaml
+gitea:
   config:
     database:
       DB_TYPE: mysql
@@ -201,11 +355,14 @@ An external Database can be used instead of builtIn postgresql or mysql.
       USER: root
       PASSWD: gitea
       SCHEMA: gitea
+
+postgresql:
+  enabled: false
 ```
 
 ### Ports and external url
 
-By default port 3000 is used for web traffic and 22 for ssh. Those can be changed:
+By default port `3000` is used for web traffic and `22` for ssh. Those can be changed:
 
 ```yaml
 service:
@@ -215,11 +372,15 @@ By default port 3000 is used for web traffic and 22 for ssh. Those can be change
     port: 22
 ```
 
-This helm chart automatically configures the clone urls to use the correct ports. You can change these ports by hand using the `gitea.config` dict. However you should know what you're doing.
+This helm chart automatically configures the clone urls to use the correct
+ports. You can change these ports by hand using the `gitea.config` dict. However
+you should know what you're doing.
 
 ### ClusterIP
 
-By default the clusterIP will be set to None, which is the default for headless services. However if you want to omit the clusterIP field in the service, use the following values:
+By default the clusterIP will be set to None, which is the default for headless
+services. However if you want to omit the clusterIP field in the service, use
+the following values:
 
 ```yaml
 service:
@@ -235,8 +396,9 @@ service:
 
 ### SSH and Ingress
 
-If you're using ingress and wan't to use SSH, keep in mind, that ingress is not able to forward SSH Ports.
-You will need a LoadBalancer like metallb and a setting in your ssh service annotations.
+If you're using ingress and won't to use SSH, keep in mind, that ingress is not
+able to forward SSH Ports. You will need a LoadBalancer like `metallb` and a
+setting in your ssh service annotations.
 
 ```yaml
 service:
@@ -265,16 +427,15 @@ More about this issue [here](https://gitea.com/gitea/helm-chart/issues/161).
 
 ### Cache
 
-This helm chart can use a built in cache. The default is memcached from bitnami.
+This helm chart can use a built in cache. The default is Memcached from bitnami.
 
 ```yaml
-  gitea:
-    cache:
-      builtIn:
+memcached:
   enabled: true
 ```
 
-If the built in cache should not be used simply configure the cache in gitea.config
+If the built in cache should not be used simply configure the cache in
+`gitea.config`.
 
 ```yaml
 gitea:
@@ -288,10 +449,13 @@ If the built in cache should not be used simply configure the cache in gitea.con
 
 ### Persistence
 
-Gitea will be deployed as a statefulset. By simply enabling the persistence and setting the storage class according to your cluster
-everything else will be taken care of. The following example will create a PVC as a part of the statefulset. This PVC will not be deleted even if you uninstall the chart.
+Gitea will be deployed as a statefulset. By simply enabling the persistence and
+setting the storage class according to your cluster everything else will be
+taken care of. The following example will create a PVC as a part of the
+statefulset. This PVC will not be deleted even if you uninstall the chart.
 
-Please note, that an empty storageClass in the persistence will result in kubernetes using your default storage class.
+Please note, that an empty storageClass in the persistence will result in
+kubernetes using your default storage class.
 
 If you want to use your own storageClass define it as followed:
 
@@ -301,7 +465,8 @@ persistence:
   storageClass: myOwnStorageClass
 ```
 
-When using Postgresql as dependency, this will also be deployed as a statefulset by default.
+When using PostgreSQL as dependency, this will also be deployed as a statefulset
+by default.
 
 If you want to manage your own PVC you can simply pass the PVC name to the chart.
 
@@ -313,7 +478,7 @@ If you want to manage your own PVC you can simply pass the PVC name to the chart
 
 In case that peristence has been disabled it will simply use an empty dir volume.
 
-Postgresql handles the persistence in the exact same way.
+PostgreSQL handles the persistence in the exact same way.
 You can interact with the postgres settings as displayed in the following example:
 
 ```yaml
@@ -323,7 +488,7 @@ You can interact with the postgres settings as displayed in the following exampl
       existingClaim: MyAwesomeGiteaPostgresClaim
 ```
 
-Mysql also handles persistence the same, even though it is not deployed as a statefulset.
+MySQL also handles persistence the same, even though it is not deployed as a statefulset.
 You can interact with the postgres settings as displayed in the following example:
 
 ```yaml
@@ -335,9 +500,10 @@ You can interact with the postgres settings as displayed in the following exampl
 
 ### Admin User
 
-This chart enables you to create a default admin user. It is also possible to update the password for this user by upgrading or redeloying the chart.
-It is not possible to delete an admin user after it has been created. This has to be done in the ui.
-You cannot use `admin` as username.
+This chart enables you to create a default admin user. It is also possible to
+update the password for this user by upgrading or redeloying the chart. It is
+not possible to delete an admin user after it has been created. This has to be
+done in the ui. You cannot use `admin` as username.
 
 ```yaml
   gitea:
@@ -368,14 +534,15 @@ gitea:
 
 ### LDAP Settings
 
-Like the admin user the LDAP settings can be updated, but also disabled or deleted.
+Like the admin user the LDAP settings can be updated.
 All LDAP values from <https://docs.gitea.io/en-us/command-line/#admin> are available.
 
+Multiple LDAP sources can be configured with additional LDAP list items.
+
 ```yaml
   gitea:
     ldap:
-      enabled: true
-      name: 'MyAwesomeGiteaLdap'
+      - name: MyAwesomeGiteaLdap
         securityProtocol: unencrypted
         host: "127.0.0.1"
         port: "389"
@@ -386,7 +553,7 @@ All LDAP values from <https://docs.gitea.io/en-us/command-line/#admin> are avail
         bindDn: CN=ldap read,OU=Spezial,DC=example,DC=com
         bindPassword: JustAnotherBindPw
         usernameAttribute: CN
-      sshPublicKeyAttribute: sshPublicKey
+        publicSSHKeyAttribute: publicSSHKey
 ```
 
 You can also use an existing secret to set the bindDn and bindPassword:
@@ -405,10 +572,13 @@ stringData:
 ```yaml
 gitea:
     ldap:
-      existingSecret: gitea-ldap-secret
+      - existingSecret: gitea-ldap-secret
+        ...
 ```
 
-:warning: Some options are just flags and therefore don't any values. If they are defined in `gitea.ldap` configuration, they will be passed to the gitea cli without any value. Affected options:
+:warning: Some options are just flags and therefore don't any values. If they
+are defined in `gitea.ldap` configuration, they will be passed to the Gitea cli
+without any value. Affected options:
 
 - notActive
 - skipTlsVerify
@@ -418,14 +588,17 @@ gitea:
 
 ### OAuth2 Settings
 
-Like the admin user, OAuth2 settings can be updated and disabled but not deleted. Deleting OAuth2 settings has to be done in the ui.
-All OAuth2 values from <https://docs.gitea.io/en-us/command-line/#admin> are available.
+Like the admin user, OAuth2 settings can be updated and disabled but not
+deleted. Deleting OAuth2 settings has to be done in the ui. All OAuth2 values,
+which are documented [here](https://docs.gitea.io/en-us/command-line/#admin), are
+available.
+
+Multiple OAuth2 sources can be configured with additional OAuth list items.
 
 ```yaml
 gitea:
   oauth:
-      enabled: true
-      name: 'MyAwesomeGiteaOAuth'
+    - name: 'MyAwesomeGiteaOAuth'
       provider: 'openidConnect'
       key: 'hello'
       secret: 'world'
@@ -437,11 +610,37 @@ All OAuth2 values from <https://docs.gitea.io/en-us/command-line/#admin> are ava
       #customEmailUrl:
 ```
 
+You can also use an existing secret to set the `key` and `secret`:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-oauth-secret
+type: Opaque
+stringData:
+  key: hello
+  secret: world
+```
+
+```yaml
+gitea:
+  oauth:
+    - name: 'MyAwesomeGiteaOAuth'
+      existingSecret: gitea-oauth-secret
+        ...
+```
+
 ### Metrics and profiling
 
-A Prometheus `/metrics` endpoint on the `HTTP_PORT` and `pprof` profiling endpoints on port 6060 can be enabled under `gitea`. Beware that the metrics endpoint is exposed via the ingress, manage access using ingress annotations for example.
+A Prometheus `/metrics` endpoint on the `HTTP_PORT` and `pprof` profiling
+endpoints on port 6060 can be enabled under `gitea`. Beware that the metrics
+endpoint is exposed via the ingress, manage access using ingress annotations for
+example.
 
-To deploy the `ServiceMonitor`, you first need to ensure that you have deployed `prometheus-operator` and its CRDs: https://github.com/prometheus-operator/prometheus-operator#customresourcedefinitions.
+To deploy the `ServiceMonitor`, you first need to ensure that you have deployed
+`prometheus-operator` and its
+[CRDs](https://github.com/prometheus-operator/prometheus-operator#customresourcedefinitions).
 
 ```yaml
 gitea:
@@ -469,161 +668,209 @@ Annotations can be added to the Gitea pod.
 ### Others
 
 | Parameter                                   | Description                                                          | Default |
-|-------------------------------------------|--------------------------------------------------------|-------------|
-| statefulset.terminationGracePeriodSeconds | How long to wait until forcefully kill the pod         | 60          |
-| statefulset.env                           | Additional environment variables to pass to containers | []          |
-| extraVolumes                              | Additional volumes to mount to the Gitea statefulset   | {}          |
-| extraVolumeMounts                         | Additional volume mounts for the Gitea containers      | {}          |
-| initPreScript                             | Bash script copied verbatim to start of init container |             |
-| securityContext                           | Run as a specific securityContext                      | {}          |
-| schedulerName                             | Use an alternate scheduler, e.g. "stork"               |             |
+| ------------------------------------------- | -------------------------------------------------------------------- | ------- |
+| `statefulset.terminationGracePeriodSeconds` | How long to wait until forcefully kill the pod                       | `60`    |
+| `statefulset.env`                           | Additional environment variables to pass to containers               | `[]`    |
+| `extraVolumes`                              | Additional volumes to mount to the Gitea statefulset                 | `{}`    |
+| `extraVolumeMounts`                         | Additional volume mounts for the Gitea containers                    | `{}`    |
+| `initPreScript`                             | Bash script copied verbatim to start of init container               |         |
+| `podSecurityContext.fsGroup`                | Set the shared file system group for all containers                  | 1000    |
+| `containerSecurityContext`                  | Run init and Gitea containers as a specific securityContext          | `{}`    |
+| `schedulerName`                             | Use an alternate scheduler, e.g. "stork"                             |         |
 
 ### Image
 
 | Parameter          | Description                                                                               | Default       |
-|---------------------|-----------------------------------|------------------------------|
-|image.repository| Image to start for this pod | gitea/gitea |
-|image.tag| [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated) | 1.15.0 |
-|image.pullPolicy| Image pull policy | Always |
-|image.rootless | Wether or not to pull the rootless version of gitea, only works on gitea 1.14.x or higher | false |
+| ------------------ | ----------------------------------------------------------------------------------------- | ------------- |
+| `image.repository` | Image to start for this pod                                                               | `gitea/gitea` |
+| `image.tag`        | [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated)       | `1.15.10`      |
+| `image.pullPolicy` | Image pull policy                                                                         | `Always`      |
+| `image.rootless`   | Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher | `false`       |
 
 ### Persistence
 
 | Parameter                   | Description                                                | Default |
-|---------------------|-----------------------------------|------------------------------|
-|persistence.enabled| Enable persistence for Gitea |true|
-|persistence.existingClaim| Use an existing claim to store repository information | |
-|persistence.size| Size for persistence to store repo information | 10Gi |
-|persistence.accessModes|AccessMode for persistence||
-|persistence.storageClass|Storage class for repository persistence||
-|persistence.labels|Labels for the persistence volume claim to be created|{}|
-|persistence.annotations|Annotations for the persistence volume claim to be created|{}|
+| --------------------------- | ---------------------------------------------------------- | ------- |
+| `persistence.enabled`       | Enable persistence for Gitea                               | `true`  |
+| `persistence.existingClaim` | Use an existing claim to store repository information      |         |
+| `persistence.size`          | Size for persistence to store repo information             | `10Gi`  |
+| `persistence.accessModes`   | AccessMode for persistence                                 |         |
+| `persistence.storageClass`  | Storage class for repository persistence                   |         |
+| `persistence.subPath`       | Subdirectory of the volume to mount at                     |         |
+| `persistence.labels`        | Labels for the persistence volume claim to be created      | `{}`    |
+| `persistence.annotations`   | Annotations for the persistence volume claim to be created | `{}`    |
 
 ### Ingress
 
 | Parameter                            | Description                                                                  | Default                                            |
-|---------------------|-----------------------------------|------------------------------|
-|ingress.enabled| enable ingress | false|
-|ingress.annotations| add ingress annotations | |
-|ingress.hosts[0].host | add hosts for ingress | git.example.com |
-|ingress.hosts[0].paths[0].path | add path for each ingress host | / |
-|ingress.hosts[0].paths[0].pathType | add ingress path type | Prefix |
-|ingress.tls| add ingress tls settings|[]|
-|ingress.className| add ingress class name. Only used in k8s 1.19+ | |
+| ------------------------------------ | ---------------------------------------------------------------------------- | -------------------------------------------------- |
+| `ingress.enabled`                    | enable ingress                                                               | `false`                                            |
+| `ingress.annotations`                | add ingress annotations                                                      |                                                    |
+| `ingress.hosts[0].host`              | add hosts for ingress                                                        | `git.example.com`                                  |
+| `ingress.hosts[0].paths[0].path`     | add path for each ingress host                                               | `/`                                                |
+| `ingress.hosts[0].paths[0].pathType` | add ingress path type                                                        | `Prefix`                                           |
+| `ingress.tls`                        | add ingress tls settings                                                     | `[]`                                               |
+| `ingress.className`                  | add ingress class name. Only used in k8s 1.19+                               |                                                    |
+| `ingress.apiVersion`                 | specify APIVersion of ingress object.  Mostly would only be used for argocd. | version indicated by helm's `Capabilities` object. |
 
 ### Service
 
 #### Web
 
 | Parameter                               | Description                                                                                                  | Default     |
-|---------------------|-----------------------------------|------------------------------|
-|service.http.type| Kubernetes service type for web traffic | ClusterIP |
-|service.http.port| Port for web traffic | 3000 |
-|service.http.clusterIP| ClusterIP setting for http autosetup for statefulset is None | None |
-|service.http.loadBalancerIP| LoadBalancer Ip setting | |
-|service.http.nodePort| NodePort for http service | |
-|service.http.externalTrafficPolicy| If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation | |
-|service.http.externalIPs| http service external IP addresses | |
-|service.http.loadBalancerSourceRanges| Source range filter for http loadbalancer | [] |
-|service.http.annotations| http service annotations | |
+| --------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ----------- |
+| `service.http.type`                     | Kubernetes service type for web traffic                                                                      | `ClusterIP` |
+| `service.http.port`                     | Port for web traffic                                                                                         | `3000`      |
+| `service.http.clusterIP`                | ClusterIP setting for http autosetup for statefulset is None                                                 | `None`      |
+| `service.http.loadBalancerIP`           | LoadBalancer Ip setting                                                                                      |             |
+| `service.http.nodePort`                 | NodePort for http service                                                                                    |             |
+| `service.http.externalTrafficPolicy`    | If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation |             |
+| `service.http.externalIPs`              | http service external IP addresses                                                                           |             |
+| `service.http.loadBalancerSourceRanges` | Source range filter for http loadbalancer                                                                    | `[]`        |
+| `service.http.annotations`              | http service annotations                                                                                     |             |
 
 #### SSH
 
 | Parameter                              | Description                                                                                                 | Default     |
-|---------------------|-----------------------------------|------------------------------|
-|service.ssh.type| Kubernetes service type for ssh traffic | ClusterIP |
-|service.ssh.port| Port for ssh traffic | 22 |
-|service.ssh.loadBalancerIP| LoadBalancer Ip setting | |
-|service.ssh.nodePort| NodePort for ssh service | |
-|service.ssh.externalTrafficPolicy| If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation | |
-|service.ssh.externalIPs| ssh service external IP addresses | |
-|service.ssh.loadBalancerSourceRanges| Source range filter for ssh loadbalancer | [] |
-|service.ssh.annotations| ssh service annotations | |
+| -------------------------------------- | ----------------------------------------------------------------------------------------------------------- | ----------- |
+| `service.ssh.type`                     | Kubernetes service type for ssh traffic                                                                     | `ClusterIP` |
+| `service.ssh.port`                     | Port for ssh traffic                                                                                        | `22`        |
+| `service.ssh.loadBalancerIP`           | LoadBalancer Ip setting                                                                                     |             |
+| `service.ssh.nodePort`                 | NodePort for ssh service                                                                                    |             |
+| `service.ssh.externalTrafficPolicy`    | If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation |             |
+| `service.ssh.externalIPs`              | ssh service external IP addresses                                                                           |             |
+| `service.ssh.loadBalancerSourceRanges` | Source range filter for ssh loadbalancer                                                                    | `[]`        |
+| `service.ssh.annotations`              | ssh service annotations                                                                                     |             |
 
 ### Gitea Configuration
 
 | Parameter      | Description                                                                                          | Default |
-|---------------------|-----------------------------------|------------------------------|
-|gitea.config | Everything in `app.ini` can be configured with this dict. See [Examples](#examples) for more details | {} |
+| -------------- | ---------------------------------------------------------------------------------------------------- | ------- |
+| `gitea.config` | Everything in `app.ini` can be configured with this dict. See [Examples](#examples) for more details | `{}`    |
 
 ### Gitea Probes
 
-Configure Liveness, Readiness and Startup [Probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)
+Configure Liveness, Readiness and Startup
+[Probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/).
+
+#### Liveness probe
+
+- Default status: Enabled
+- Default action: tcp socket connect
 
 | Parameter                                  | Description                                                          | Default |
-|---------------------|-----------------------------------|------------------------------|
-|gitea.livenessProbe.enabled | Enable liveness probe | true |
-|gitea.livenessProbe.initialDelaySeconds | Delay before probe start| 200 |
-|gitea.livenessProbe.timeoutSeconds | probe timeout | 1 |
-|gitea.livenessProbe.periodSeconds | period between probes | 10 |
-|gitea.livenessProbe.successThreshold | Minimum consecutive success probes | 1 |
-|gitea.livenessProbe.failureThreshold | Minimum consecutive error probes | 10 |
-|gitea.readinessProbe.enabled | Enable readiness probe | true |
-|gitea.readinessProbe.initialDelaySeconds | Delay before probe start| 5 |
-|gitea.readinessProbe.timeoutSeconds | probe timeout | 1 |
-|gitea.readinessProbe.periodSeconds | period between probes | 10 |
-|gitea.readinessProbe.successThreshold | Minimum consecutive success probes | 1 |
-|gitea.readinessProbe.failureThreshold | Minimum consecutive error probes | 3 |
-|gitea.startupProbe.enabled | Enable startup probe | false |
-|gitea.startupProbe.initialDelaySeconds | Delay before probe start| 60 |
-|gitea.startupProbe.timeoutSeconds | probe timeout | 1 |
-|gitea.startupProbe.periodSeconds | period between probes | 10 |
-|gitea.startupProbe.successThreshold | Minimum consecutive success probes | 1 |
-|gitea.startupProbe.failureThreshold | Minimum consecutive error probes | 10 |
-|gitea.customLivenessProbe | Custom liveness probe (needs `gitea.livenessProbe.enabled: false`) |  |
-|gitea.customReadinessProbe | Custom readiness probe (needs `gitea.readinessProbe.enabled: false`) |  |
-|gitea.customStartupProbe | Custom startup probe (needs `gitea.startupProbe.enabled: false`) |  |
+| ------------------------------------------ | -------------------------------------------------------------------- | ------- |
+| `gitea.livenessProbe.initialDelaySeconds`  | Delay before probe start                                             | `200`   |
+| `gitea.livenessProbe.timeoutSeconds`       | probe timeout                                                        | `1`     |
+| `gitea.livenessProbe.periodSeconds`        | period between probes                                                | `10`    |
+| `gitea.livenessProbe.successThreshold`     | Minimum consecutive success probes                                   | `1`     |
+| `gitea.livenessProbe.failureThreshold`     | Minimum consecutive error probes                                     | `10`    |
+
+#### Readiness probe
+
+- Default status: Enabled
+- Default action: tcp socket connect
+
+| Parameter                                  | Description                                                          | Default |
+| ------------------------------------------ | -------------------------------------------------------------------- | ------- |
+| `gitea.readinessProbe.initialDelaySeconds` | Delay before probe start                                             | `5`     |
+| `gitea.readinessProbe.timeoutSeconds`      | probe timeout                                                        | `1`     |
+| `gitea.readinessProbe.periodSeconds`       | period between probes                                                | `10`    |
+| `gitea.readinessProbe.successThreshold`    | Minimum consecutive success probes                                   | `1`     |
+| `gitea.readinessProbe.failureThreshold`    | Minimum consecutive error probes                                     | `3`     |
+
+#### Startup probe
+
+- Default status: Disabled
+- Default action: tcp socket connect
+
+| Parameter                                  | Description                                                          | Default |
+| ------------------------------------------ | -------------------------------------------------------------------- | ------- |
+| `gitea.startupProbe.initialDelaySeconds`   | Delay before probe start                                             | `60`    |
+| `gitea.startupProbe.timeoutSeconds`        | probe timeout                                                        | `1`     |
+| `gitea.startupProbe.periodSeconds`         | period between probes                                                | `10`    |
+| `gitea.startupProbe.successThreshold`      | Minimum consecutive success probes                                   | `1`     |
+| `gitea.startupProbe.failureThreshold`      | Minimum consecutive error probes                                     | `10`    |
 
 ### Memcached BuiltIn
 
-Memcached is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/memcached) if enabled in the values. Complete Configuration can be taken from their website.
+Memcached is loaded as a dependency from
+[Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/memcached) if
+enabled in the values. Complete Configuration can be taken from their website.
 
 The following parameters are the defaults set by this chart
 
 | Parameter                | Description                 | Default |
-|---------------------|-----------------------------------|------------------------------|
-|memcached.service.port|Memcached Port| 11211|
+| ------------------------ | --------------------------- | ------- |
+| `memcached.service.port` | Memcached Port              | 11211   |
+| `memcached.enabled`      | Enable Memcached dependency | `true`  |
 
-### Mysql BuiltIn
+### MySQL BuiltIn
 
-Mysql is loaded as a dependency from stable. Configuration can be found on this [website](https://github.com/helm/charts/tree/master/stable/mysql).
+MySQL is loaded as a dependency from stable. Configuration can be found on this
+[website](https://github.com/helm/charts/tree/master/stable/mysql).
 
 The following parameters are the defaults set by this chart
 
 | Parameter                | Description                                                        | Default |
-|---------------------|-----------------------------------|------------------------------|
-|mysql.root.password|Password for the root user. Ignored if existing secret is provided|gitea|
-|mysql.db.user|Username of new user to create.|gitea|
-|mysql.db.password|Password for the new user. Ignored if existing secret is provided|gitea|
-|mysql.db.name|Name for new database to create.|gitea|
-|mysql.service.port|Port to connect to mysql service|3306|
-|mysql.persistence.size|Persistence size for mysql |10Gi|
+| ------------------------ | ------------------------------------------------------------------ | ------- |
+| `mysql.root.password`    | Password for the root user. Ignored if existing secret is provided | `gitea` |
+| `mysql.db.user`          | Username of new user to create.                                    | `gitea` |
+| `mysql.db.password`      | Password for the new user. Ignored if existing secret is provided  | `gitea` |
+| `mysql.db.name`          | Name for new database to create.                                   | `gitea` |
+| `mysql.service.port`     | Port to connect to MySQL service                                   | `3306`  |
+| `mysql.persistence.size` | Persistence size for MySQL                                         | `10Gi`  |
+| `mysql.enabled`          | Enable MySQL dependency                                            | `false` |
 
-### Postgresql BuiltIn
+### PostgreSQL BuiltIn
 
-Postgresql is loaded as a dependency from Bitnami. The chart configuration can be found in this [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) repository.
+PostgreSQL is loaded as a dependency from Bitnami. The chart configuration can
+be found in this
+[Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql)
+repository.
 
 The following parameters are the defaults set by this chart
 
 | Parameter                                         | Description                                              | Default |
-|---------------------|-----------------------------------|------------------------------|
-|postgresql.global.postgresql.postgresqlDatabase| PostgreSQL database (overrides postgresqlDatabase)|gitea|
-|postgresql.global.postgresql.postgresqlUsername| PostgreSQL username (overrides postgresqlUsername)|gitea|
-|postgresql.global.postgresql.postgresqlPassword| PostgreSQL admin password (overrides postgresqlPassword)|gitea|
-|postgresql.global.postgresql.servicePort|PostgreSQL port (overrides service.port)|5432|
-|postgresql.persistence.size| PVC Storage Request for PostgreSQL volume |10Gi|
+| ------------------------------------------------- | -------------------------------------------------------- | ------- |
+| `postgresql.global.postgresql.postgresqlDatabase` | PostgreSQL database (overrides postgresqlDatabase)       | `gitea` |
+| `postgresql.global.postgresql.postgresqlUsername` | PostgreSQL username (overrides postgresqlUsername)       | `gitea` |
+| `postgresql.global.postgresql.postgresqlPassword` | PostgreSQL admin password (overrides postgresqlPassword) | `gitea` |
+| `postgresql.global.postgresql.servicePort`        | PostgreSQL port (overrides service.port)                 | `5432`  |
+| `postgresql.persistence.size`                     | PVC Storage Request for PostgreSQL volume                | `10Gi`  |
+| `postgresql.enabled`                              | Enable PostgreSQL dependency                             | `true`  |
 
 ### MariaDB BuiltIn
 
-MariaDB is loaded as a dependency from bitnami. Configuration can be found in this [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/mariadb) repository.
+MariaDB is loaded as a dependency from bitnami. Configuration can be found in
+this [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/mariadb)
+repository.
 
 The following parameters are the defaults set by this chart
 
 | Parameter                          | Description                                                       | Default |
-|---------------------|-----------------------------------|------------------------------|
-|mariadb.auth.username|Username of new user to create.|gitea|
-|mariadb.auth.password|Password for the new user. Ignored if existing secret is provided|gitea|
-|mariadb.auth.database|Name for new database to create.|gitea|
-|mariadb.auth.rootPassword|Password for the root user.|gitea|
-|mariadb.primary.service.port|Port to connect to mariadb service|3306|
-|mariadb.primary.persistence.size|Persistence size for mariadb |10Gi|
+| ---------------------------------- | ----------------------------------------------------------------- | ------- |
+| `mariadb.auth.username`            | Username of new user to create.                                   | `gitea` |
+| `mariadb.auth.password`            | Password for the new user. Ignored if existing secret is provided | `gitea` |
+| `mariadb.auth.database`            | Name for new database to create.                                  | `gitea` |
+| `mariadb.auth.rootPassword`        | Password for the root user.                                       | `gitea` |
+| `mariadb.primary.service.port`     | Port to connect to MariaDB service                                | `3306`  |
+| `mariadb.primary.persistence.size` | Persistence size for MariaDB                                      | `10Gi`  |
+| `mariadb.enabled`                  | Enable MariaDB dependency                                         | `false` |
+
+## Local development & testing
+
+For local development and testing of pull requests, the following workflow can
+be used:
+
+1. Install `minikube` and `helm`.
+2. Start a `minikube` cluster via `minikube start`.
+3. From the `gitea/helm-chart` directory execute the following command. This
+   will install the dependencies listed in `Chart.yml` and deploy the current
+   state of the helm chart found locally. If you want to test a branch, make
+   sure to switch to the respective branch first.
+  `helm install --dependency-update gitea . -f values.yaml`.
+4. Gitea is now deployed in `minikube`. To access it, it's port needs to be
+   forwarded first from `minikube` to localhost first via `kubectl --namespace
+   default port-forward svc/gitea-http 3000:3000`. Now Gitea is accessible at
+   [http://localhost:3000](http://localhost:3000).

templates/_helpers.tpl

@@ -64,11 +64,11 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
 {{- define "db.servicename" -}}
-{{- if .Values.gitea.database.builtIn.postgresql.enabled -}}
+{{- if .Values.postgresql.enabled -}}
 {{- printf "%s-postgresql" .Release.Name -}}
-{{- else if .Values.gitea.database.builtIn.mysql.enabled -}}
+{{- else if .Values.mysql.enabled -}}
 {{- printf "%s-mysql" .Release.Name -}}
-{{- else if .Values.gitea.database.builtIn.mariadb.enabled -}}
+{{- else if .Values.mariadb.enabled -}}
 {{- printf "%s-mariadb" .Release.Name -}}
 {{- else if ne .Values.gitea.config.database.DB_TYPE "sqlite3" -}}
 {{- $parts := split ":" .Values.gitea.config.database.HOST -}}
@@ -77,11 +77,11 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
 {{- define "db.port" -}}
-{{- if .Values.gitea.database.builtIn.postgresql.enabled -}}
+{{- if .Values.postgresql.enabled -}}
 {{ .Values.postgresql.global.postgresql.servicePort }}
-{{- else if .Values.gitea.database.builtIn.mysql.enabled -}}
+{{- else if .Values.mysql.enabled -}}
 {{ .Values.mysql.service.port }}
-{{- else if .Values.gitea.database.builtIn.mariadb.enabled -}}
+{{- else if .Values.mariadb.enabled -}}
 {{ .Values.mariadb.primary.service.port }}
 {{- else -}}
 {{- end -}}
@@ -108,21 +108,24 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
 {{- define "gitea.ldap_settings" -}}
-{{- if not (hasKey .Values.gitea.ldap "bindDn") -}}
-{{- $_ := set .Values.gitea.ldap "bindDn" "" -}}
+{{- $idx := index . 0 }}
+{{- $values := index . 1 }}
+
+{{- if not (hasKey $values "bindDn") -}}
+{{- $_ := set $values "bindDn" "" -}}
 {{- end -}}
 
-{{- if not (hasKey .Values.gitea.ldap "bindPassword") -}}
-{{- $_ := set .Values.gitea.ldap "bindPassword" "" -}}
+{{- if not (hasKey $values "bindPassword") -}}
+{{- $_ := set $values "bindPassword" "" -}}
 {{- end -}}
 
 {{- $flags := list "notActive" "skipTlsVerify" "allowDeactivateAll" "synchronizeUsers" "attributesInBind" -}}
-{{- range $key, $val := .Values.gitea.ldap -}}
+{{- range $key, $val := $values -}}
 {{- if and (ne $key "enabled") (ne $key "existingSecret") -}}
 {{- if eq $key "bindDn" -}}
-{{- printf "--%s %s " ($key | kebabcase) ("${GITEA_LDAP_BIND_DN}" | quote ) -}}
+{{- printf "--%s \"${GITEA_LDAP_BIND_DN_%d}\" " ($key | kebabcase) ($idx) -}}
 {{- else if eq $key "bindPassword" -}}
-{{- printf "--%s %s " ($key | kebabcase) ("${GITEA_LDAP_PASSWORD}" | quote ) -}}
+{{- printf "--%s \"${GITEA_LDAP_PASSWORD_%d}\" " ($key | kebabcase) ($idx) -}}
 {{- else if eq $key "port" -}}
 {{- printf "--%s %d " $key ($val | int) -}}
 {{- else if has $key $flags -}}
@@ -135,9 +138,174 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
 {{- define "gitea.oauth_settings" -}}
-{{- range $key, $val := .Values.gitea.oauth -}}
-{{- if ne $key "enabled" -}}
-{{- printf "--%s %s " ($key | kebabcase) ($val | squote) -}}
+{{- $idx := index . 0 }}
+{{- $values := index . 1 }}
+
+{{- if not (hasKey $values "key") -}}
+{{- $_ := set $values "key" (printf "${GITEA_OAUTH_KEY_%d}" $idx) -}}
+{{- end -}}
+
+{{- if not (hasKey $values "secret") -}}
+{{- $_ := set $values "secret" (printf "${GITEA_OAUTH_SECRET_%d}" $idx) -}}
+{{- end -}}
+
+{{- range $key, $val := $values -}}
+{{- if ne $key "existingSecret" -}}
+{{- printf "--%s %s " ($key | kebabcase) ($val | quote) -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
+
+{{- define "gitea.inline_configuration" -}}
+  {{- include "gitea.inline_configuration.init" . -}}
+  {{- include "gitea.inline_configuration.defaults" . -}}
+
+  {{- $generals := list -}}
+  {{- $inlines := dict -}}
+
+  {{- range $key, $value := .Values.gitea.config  }}
+    {{- if kindIs "map" $value }}
+      {{- if gt (len $value) 0 }}
+        {{- $section := default list (get $inlines $key) -}}
+        {{- range $n_key, $n_value := $value }}
+          {{- $section = append $section (printf "%s=%v" $n_key $n_value) -}}
+        {{- end }}
+        {{- $_ := set $inlines $key (join "\n" $section) -}}
+      {{- end -}}
+    {{- else }}
+      {{- if or (eq $key "APP_NAME") (eq $key "RUN_USER") (eq $key "RUN_MODE") -}}
+        {{- $generals = append $generals (printf "%s=%s" $key $value) -}}
+      {{- else -}}
+        {{- (printf "Key %s cannot be on top level of configuration" $key) | fail -}}
+      {{- end -}}
+    {{- end }}
+  {{- end }}
+
+  {{- $_ := set $inlines "_generals_" (join "\n" $generals) -}}
+  {{- toYaml $inlines -}}
+{{- end -}}
+
+{{- define "gitea.inline_configuration.init" -}}
+  {{- if not (hasKey .Values.gitea.config "cache") -}}
+    {{- $_ := set .Values.gitea.config "cache" dict -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config "server") -}}
+    {{- $_ := set .Values.gitea.config "server" dict -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config "metrics") -}}
+    {{- $_ := set .Values.gitea.config "metrics" dict -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config "database") -}}
+    {{- $_ := set .Values.gitea.config "database" dict -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config "security") -}}
+    {{- $_ := set .Values.gitea.config "security" dict -}}
+  {{- end -}}
+  {{- if not .Values.gitea.config.repository -}}
+    {{- $_ := set .Values.gitea.config "repository" dict -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config "oauth2") -}}
+    {{- $_ := set .Values.gitea.config "oauth2" dict -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "gitea.inline_configuration.defaults" -}}
+  {{- include "gitea.inline_configuration.defaults.server" . -}}
+  {{- include "gitea.inline_configuration.defaults.database" . -}}
+
+  {{- if not .Values.gitea.config.repository.ROOT -}}
+    {{- $_ := set .Values.gitea.config.repository "ROOT" "/data/git/gitea-repositories" -}}
+  {{- end -}}
+  {{- if not .Values.gitea.config.security.INSTALL_LOCK -}}
+    {{- $_ := set .Values.gitea.config.security "INSTALL_LOCK" "true" -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
+    {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
+  {{- end -}}
+  {{- if .Values.memcached.enabled -}}
+    {{- $_ := set .Values.gitea.config.cache "ENABLED" "true" -}}
+    {{- $_ := set .Values.gitea.config.cache "ADAPTER" "memcache" -}}
+    {{- if not (.Values.gitea.config.cache.HOST) -}}
+      {{- $_ := set .Values.gitea.config.cache "HOST" (include "memcached.dns" .) -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "gitea.inline_configuration.defaults.server" -}}
+  {{- if not (hasKey .Values.gitea.config.server "HTTP_PORT") -}}
+    {{- $_ := set .Values.gitea.config.server "HTTP_PORT" .Values.service.http.port -}}
+  {{- end -}}
+  {{- if not .Values.gitea.config.server.PROTOCOL -}}
+    {{- $_ := set .Values.gitea.config.server "PROTOCOL" "http" -}}
+  {{- end -}}
+  {{- if not (.Values.gitea.config.server.DOMAIN) -}}
+    {{- if gt (len .Values.ingress.hosts) 0 -}}
+      {{- $_ := set .Values.gitea.config.server "DOMAIN" (index .Values.ingress.hosts 0).host -}}
+    {{- else -}}
+      {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if not .Values.gitea.config.server.ROOT_URL -}}
+    {{- if .Values.ingress.enabled -}}
+      {{- if gt (len .Values.ingress.tls) 0 -}}
+        {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index (index .Values.ingress.tls 0).hosts 0)) -}}
+      {{- else -}}
+        {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index .Values.ingress.hosts 0).host) -}}
+      {{- end -}}
+    {{- else -}}
+      {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL .Values.gitea.config.server.DOMAIN) -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if not .Values.gitea.config.server.SSH_DOMAIN -}}
+    {{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}}
+  {{- end -}}
+  {{- if not .Values.gitea.config.server.SSH_PORT -}}
+    {{- $_ := set .Values.gitea.config.server "SSH_PORT" .Values.service.ssh.port -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config.server "SSH_LISTEN_PORT") -}}
+    {{- if not .Values.image.rootless -}}
+      {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" .Values.gitea.config.server.SSH_PORT -}}
+    {{- else -}}
+      {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" "2222" -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config.server "START_SSH_SERVER") -}}
+    {{- if .Values.image.rootless -}}
+      {{- $_ := set .Values.gitea.config.server "START_SSH_SERVER" "true" -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config.server "APP_DATA_PATH") -}}
+    {{- $_ := set .Values.gitea.config.server "APP_DATA_PATH" "/data" -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config.server "ENABLE_PPROF") -}}
+    {{- $_ := set .Values.gitea.config.server "ENABLE_PPROF" false -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "gitea.inline_configuration.defaults.database" -}}
+  {{- if .Values.postgresql.enabled -}}
+    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "postgres" -}}
+    {{- if not (.Values.gitea.config.database.HOST) -}}
+      {{- $_ := set .Values.gitea.config.database "HOST"      (include "postgresql.dns" .) -}}
+    {{- end -}}
+    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.postgresql.global.postgresql.postgresqlDatabase -}}
+    {{- $_ := set .Values.gitea.config.database "USER"      .Values.postgresql.global.postgresql.postgresqlUsername -}}
+    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.postgresql.global.postgresql.postgresqlPassword -}}
+  {{- else if .Values.mysql.enabled -}}
+    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "mysql" -}}
+    {{- if not (.Values.gitea.config.database.HOST) -}}
+      {{- $_ := set .Values.gitea.config.database "HOST"      (include "mysql.dns" .) -}}
+    {{- end -}}
+    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.mysql.db.name -}}
+    {{- $_ := set .Values.gitea.config.database "USER"      .Values.mysql.db.user -}}
+    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.mysql.db.password -}}
+  {{- else if .Values.mariadb.enabled -}}
+    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "mysql" -}}
+    {{- if not (.Values.gitea.config.database.HOST) -}}
+      {{- $_ := set .Values.gitea.config.database "HOST"      (include "mariadb.dns" .) -}}
+    {{- end -}}
+    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.mariadb.auth.database -}}
+    {{- $_ := set .Values.gitea.config.database "USER"      .Values.mariadb.auth.username -}}
+    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.mariadb.auth.password -}}
+  {{- end -}}
+{{- end -}}

templates/gitea/config.yaml

@@ -1,148 +1,127 @@
 apiVersion: v1
 kind: Secret
+metadata:
+  name: {{ include "gitea.fullname" . }}-inline-config
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  {{- include "gitea.inline_configuration" . | nindent 2 }}
+---
+apiVersion: v1
+kind: Secret
 metadata:
   name: {{ include "gitea.fullname" . }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
-  app.ini: |-
-    {{- if not (hasKey .Values.gitea.config "cache") -}}
-    {{- $_ := set .Values.gitea.config "cache" dict -}}
-    {{- end -}}
+  config_environment.sh: |-
+    #!/usr/bin/env bash
+    set -euo pipefail
 
-    {{- if not (hasKey .Values.gitea.config "server") -}}
-    {{- $_ := set .Values.gitea.config "server" dict -}}
-    {{- end -}}
+    function env2ini::log() {
+      printf "${1}\n"
+    }
 
-    {{- if not (hasKey .Values.gitea.config "metrics") -}}
-    {{- $_ := set .Values.gitea.config "metrics" dict -}}
-    {{- end -}}
+    function env2ini::read_config_to_env() {
+      local section="${1}"
+      local line="${2}"
 
-    {{- if not (hasKey .Values.gitea.config "database") -}}
-    {{- $_ := set .Values.gitea.config "database" dict -}}
-    {{- end -}}
+      if [[ -z "${line}" ]]; then
+        # skip empty line
+        return
+      fi
       
-    {{- if not (hasKey .Values.gitea.config "security") -}}
-    {{- $_ := set .Values.gitea.config "security" dict -}}
-    {{- end -}}
+      # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
+      local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
 
-    {{- if not .Values.gitea.config.repository -}}
-    {{- $_ := set .Values.gitea.config "repository" dict -}}
-    {{- end -}}
+      if [[ -z "${setting}" ]]; then
+        env2ini::log '  ! invalid setting'
+        exit 1
+      fi
 
-    {{- /* repository default settings */ -}}
-    {{- if not .Values.gitea.config.repository.ROOT -}}
-    {{- $_ := set .Values.gitea.config.repository "ROOT" "/data/git/gitea-repositories" -}}
-    {{- end -}}
+      local value=''
+      local regex="^${setting}(\s*)=(\s*)(.*)"
+      if [[ $line =~ $regex ]]; then
+        value="${BASH_REMATCH[3]}"
+      else
+        env2ini::log '  ! invalid setting'
+        exit 1
+      fi
 
-    {{- /* security default settings */ -}}
-    {{- if not .Values.gitea.config.security.INSTALL_LOCK -}}
-    {{- $_ := set .Values.gitea.config.security "INSTALL_LOCK" "true" -}}
-    {{- end -}}
+      env2ini::log "    + '${setting}'"
 
-    {{- /* server default settings */ -}}
-    {{- if not (hasKey .Values.gitea.config.server "HTTP_PORT") -}}
-    {{- $_ := set .Values.gitea.config.server "HTTP_PORT" .Values.service.http.port -}}
-    {{- end -}}
-    {{- if not .Values.gitea.config.server.PROTOCOL -}}
-    {{- $_ := set .Values.gitea.config.server "PROTOCOL" "http" -}}
-    {{- end -}}
-    {{- if not (.Values.gitea.config.server.DOMAIN) -}}
-    {{- if gt (len .Values.ingress.hosts) 0 -}}
-    {{- $_ := set .Values.gitea.config.server "DOMAIN" (index .Values.ingress.hosts 0).host -}}
-    {{- else -}}
-    {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}}
-    {{- end -}}
-    {{- end -}}
-    {{- if not .Values.gitea.config.server.ROOT_URL -}}
-    {{- if .Values.ingress.enabled -}}
-    {{- if gt (len .Values.ingress.tls) 0 -}}
-    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index (index .Values.ingress.tls 0).hosts 0)) -}}
-    {{- else -}}
-    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index .Values.ingress.hosts 0).host) -}}
-    {{- end -}}
-    {{- else -}}
-    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL .Values.gitea.config.server.DOMAIN) -}}
-    {{- end -}}
-    {{- end -}}
-    {{- if not .Values.gitea.config.server.SSH_DOMAIN -}}
-    {{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}}
-    {{- end -}}
-    {{- if not .Values.gitea.config.server.SSH_PORT -}}
-    {{- $_ := set .Values.gitea.config.server "SSH_PORT" .Values.service.ssh.port -}}
-    {{- end -}}
-    {{- if not (hasKey .Values.gitea.config.server "SSH_LISTEN_PORT") -}}
-    {{- if not .Values.image.rootless -}}
-    {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" .Values.gitea.config.server.SSH_PORT -}}
-    {{- else -}}
-    {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" "2222" -}}
-    {{- end -}}
-    {{- end -}}
-    {{- if not (hasKey .Values.gitea.config.server "START_SSH_SERVER") -}}
-    {{- if .Values.image.rootless -}}
-    {{- $_ := set .Values.gitea.config.server "START_SSH_SERVER" "true" -}}
-    {{- end -}}
-    {{- end -}}
-    {{- if not (hasKey .Values.gitea.config.server "APP_DATA_PATH") -}}
-    {{- $_ := set .Values.gitea.config.server "APP_DATA_PATH" "/data" -}}
-    {{- end -}}
-    {{- if not (hasKey .Values.gitea.config.server "ENABLE_PPROF") -}}
-    {{- $_ := set .Values.gitea.config.server "ENABLE_PPROF" false -}}
-    {{- end -}}
+      if [[ -z "${section}" ]]; then
+        export "ENV_TO_INI____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
+        return
+      fi
 
-    {{- /* metrics default settings */ -}}
-    {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
-    {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
-    {{- end -}}
+      local masked_section="${section//./_0X2E_}"                            # '//' instructs to replace all matches
+      masked_section="${masked_section//-/_0X2D_}"
 
-    {{- /* database default settings */ -}}
-    {{- if .Values.gitea.database.builtIn.postgresql.enabled -}}
-    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "postgres" -}}
-    {{- if not (.Values.gitea.config.database.HOST) -}}
-    {{- $_ := set .Values.gitea.config.database "HOST"      (include "postgresql.dns" .) -}}
-    {{- end -}}
-    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.postgresql.global.postgresql.postgresqlDatabase -}}
-    {{- $_ := set .Values.gitea.config.database "USER"      .Values.postgresql.global.postgresql.postgresqlUsername -}}
-    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.postgresql.global.postgresql.postgresqlPassword -}}
-    {{ else if .Values.gitea.database.builtIn.mysql.enabled -}}
-    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "mysql" -}}
-    {{- if not (.Values.gitea.config.database.HOST) -}}
-    {{- $_ := set .Values.gitea.config.database "HOST"      (include "mysql.dns" .) -}}
-    {{- end -}}
-    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.mysql.db.name -}}
-    {{- $_ := set .Values.gitea.config.database "USER"      .Values.mysql.db.user -}}
-    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.mysql.db.password -}}
-    {{ else if .Values.gitea.database.builtIn.mariadb.enabled -}}
-    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "mysql" -}}
-    {{- if not (.Values.gitea.config.database.HOST) -}}
-    {{- $_ := set .Values.gitea.config.database "HOST"      (include "mariadb.dns" .) -}}
-    {{- end -}}
-    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.mariadb.auth.database -}}
-    {{- $_ := set .Values.gitea.config.database "USER"      .Values.mariadb.auth.username -}}
-    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.mariadb.auth.password -}}
-    {{- end -}}
+      export "ENV_TO_INI__${masked_section^^}__${setting^^}=${value}"        # '^^' makes the variable content uppercase
+    }
 
-    {{- /* cache default settings */ -}}
-    {{- if .Values.gitea.cache.builtIn.enabled -}}
-    {{- $_ := set .Values.gitea.config.cache "ENABLED" "true" -}}
-    {{- $_ := set .Values.gitea.config.cache "ADAPTER" "memcache" -}}
-    {{- if not (.Values.gitea.config.cache.HOST) -}}
-    {{- $_ := set .Values.gitea.config.cache "HOST" (include "memcached.dns" .) -}}
-    {{- end -}}
-    {{- end -}}
+    function env2ini::process_config_file() {
+      local config_file="${1}"
+      local section="$(basename "${config_file}")"
 
-    {{- /* autogenerate app.ini */ -}}
-    {{- range $key, $value := .Values.gitea.config  }}
-    {{- if kindIs "map" $value }}
-    {{- if gt (len $value) 0 }}
+      if [[ $section == '_generals_' ]]; then
+        env2ini::log "  [ini root]"
+        section=''
+      else
+        env2ini::log "  ${section}"
+      fi
 
-    [{{ $key }}]
-    {{- range $n_key, $n_value := $value }}
-    {{ $n_key | upper }} = {{ $n_value }}
-    {{- end }}
-    {{- end }}
-    {{- else }}
-    {{ $key | upper }} = {{ $value }}
-    {{- end }}
-    {{- end }}
+      while read -r line; do
+        env2ini::read_config_to_env "${section}" "${line}"
+      done < <(awk 1 "${config_file}")                             # Helm .toYaml trims the trailing new line which breaks line processing; awk 1 ... adds it back while reading
+    }
+
+    function env2ini::load_config_sources() {
+      local path="${1}"
+
+      env2ini::log "Processing $(basename "${path}")..."
+
+      while read -d '' configFile; do
+        env2ini::process_config_file "${configFile}"
+      done < <(find "${path}" -type l -not -name '..data' -print0)
+
+      env2ini::log "\n"
+    }
+
+    function env2ini::generate_initial_secrets() {
+      # These environment variables will either be
+      #   - overwritten with user defined values,
+      #   - initially used to set up Gitea
+      # Anyway, they won't harm existing app.ini files
+
+      export ENV_TO_INI__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
+      export ENV_TO_INI__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
+      export ENV_TO_INI__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
+
+      env2ini::log "...Initial secrets generated\n"
+    }
+
+    # MUST BE CALLED BEFORE OTHER CONFIGURATION
+    env2ini::generate_initial_secrets
+
+    env2ini::load_config_sources '/env-to-ini-mounts/inlines/'
+    env2ini::load_config_sources '/env-to-ini-mounts/additionals/'
+
+    env2ini::log "=== All configuration sources loaded ===\n"
+
+    # safety to prevent rewrite of secret keys if an app.ini already exists
+    if [ -f ${GITEA_APP_INI} ]; then
+      env2ini::log 'An app.ini file already exists. To prevent overwriting secret keys, these settings are dropped and remain unchanged:'
+      env2ini::log '  - security.INTERNAL_TOKEN'
+      env2ini::log '  - security.SECRET_KEY'
+      env2ini::log '  - oauth2.JWT_SECRET'
+
+      unset ENV_TO_INI__SECURITY__INTERNAL_TOKEN
+      unset ENV_TO_INI__SECURITY__SECRET_KEY
+      unset ENV_TO_INI__OAUTH2__JWT_SECRET
+    fi
+
+    environment-to-ini -o $GITEA_APP_INI -p ENV_TO_INI

templates/gitea/deprecation.yaml

@@ -0,0 +1,34 @@
+{{- if .Values.checkDeprecation -}}
+  {{/* CUSTOM PROBES */}}
+  {{- if .Values.gitea.customLivenessProbe -}}
+    {{- fail "`gitea.customLivenessProbe` does no longer exist. Please refer to the changelog and configure `gitea.livenessProbe` instead." -}}
+  {{- end -}}
+  {{- if .Values.gitea.customReadinessProbe -}}
+    {{- fail "`gitea.customReadinessProbe` does no longer exist. Please refer to the changelog and configure `gitea.readinessProbe` instead." -}}
+  {{- end -}}
+  {{- if .Values.gitea.customStartupProbe -}}
+    {{- fail "`gitea.customStartupProbe` does no longer exist. Please refer to the changelog and configure `gitea.startupProbe` instead." -}}
+  {{- end -}}
+
+  {{/* LDAP SOURCES */}}
+  {{- if kindIs "map" .Values.gitea.ldap -}}
+    {{- fail "You can configure multiple LDAP sources. Please refer to the changelog and switch `gitea.ldap` from object to array notation." -}}
+  {{- end -}}
+  
+  {{/* OAUTH SOURCES */}}
+  {{- if kindIs "map" .Values.gitea.oauth -}}
+    {{- fail "You can configure multiple OAuth sources. Please refer to the changelog and switch `gitea.oauth` from object to array notation." -}}
+  {{- end -}}
+  
+  {{/* BUILTIN */}}
+  {{- if .Values.gitea.cache -}}
+    {{- if .Values.gitea.cache.builtIn -}}
+      {{- fail "`gitea.cache.builtIn` does no longer exist. Please use `memcached` at root level instead." -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if .Values.gitea.database -}}
+    {{- if .Values.gitea.database.builtIn -}}
+      {{- fail "`gitea.database.builtIn` does no longer exist. Builtin databases can be configured inside the dependencies itself. Please refer to the changelog." -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}

templates/gitea/ingress.yaml

@@ -1,13 +1,15 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "gitea.fullname" . -}}
 {{- $httpPort := .Values.service.http.port -}}
-{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
-apiVersion: networking.k8s.io/v1
+{{- $apiVersion := "extensions/v1beta1" -}}
+{{- if .Values.ingress.apiVersion -}}
+{{- $apiVersion = .Values.ingress.apiVersion -}}
+{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
+{{- $apiVersion = "networking.k8s.io/v1" }}
 {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" -}}
-apiVersion: networking.k8s.io/v1beta1
-{{- else -}}
-apiVersion: extensions/v1beta1
+{{- $apiVersion = "networking.k8s.io/v1beta1" }}
 {{- end }}
+apiVersion: {{ $apiVersion }}
 kind: Ingress
 metadata:
   name: {{ $fullName }}
@@ -38,11 +40,11 @@ spec:
         paths:
           {{- range .paths }}
           - path: {{ .path }}
-            {{- if and .pathType ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }}
+            {{- if and .pathType (eq $apiVersion "networking.k8s.io/v1") }}
             pathType: {{ .pathType }}
             {{- end }}
             backend:
-            {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+            {{- if eq $apiVersion "networking.k8s.io/v1" }}
               service:
                 name: {{ $fullName }}-http
                 port:

templates/gitea/init.yaml

@@ -30,12 +30,11 @@ stringData:
 
     # prepare temp directory structure
     mkdir -p "${GITEA_TEMP}"
+    {{- if not .Values.image.rootless }}
     chown 1000:1000 "${GITEA_TEMP}"
+    {{- end }}
     chmod ug+rwx "${GITEA_TEMP}"
 
-    # Copy config file to writable volume
-    cp /etc/gitea/conf/app.ini /data/gitea/conf/app.ini
-    chmod a+rwx /data/gitea/conf/app.ini
   configure_gitea.sh: |-
     #!/usr/bin/env bash
 
@@ -84,42 +83,50 @@ stringData:
     configure_admin_user
     {{- end }}
 
-    {{- if .Values.gitea.ldap.enabled }}
     function configure_ldap() {
-      local LDAP_NAME={{ (printf "%s" .Values.gitea.ldap.name) | squote }}
+      {{- if .Values.gitea.ldap }}
+      {{- range $idx, $value := .Values.gitea.ldap }}
+      local LDAP_NAME={{ (printf "%s" $value.name) | squote }}
       local GITEA_AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${LDAP_NAME}\s+\|" | grep -iE '\|LDAP \(via BindDN\)\s+\|' | awk -F " "  "{print \$1}")
 
       if [[ -z "${GITEA_AUTH_ID}" ]]; then
         echo "No ldap configuration found with name '${LDAP_NAME}'. Installing it now..."
-        gitea admin auth add-ldap {{- include "gitea.ldap_settings" . | indent 1 }}
+        gitea admin auth add-ldap {{- include "gitea.ldap_settings" (list $idx $value) | indent 1 }}
         echo '...installed.'
       else
         echo "Existing ldap configuration with name '${LDAP_NAME}': '${GITEA_AUTH_ID}'. Running update to sync settings..."
-        gitea admin auth update-ldap --id "${GITEA_AUTH_ID}" {{- include "gitea.ldap_settings" . | indent 1 }}
+        gitea admin auth update-ldap --id "${GITEA_AUTH_ID}" {{- include "gitea.ldap_settings" (list $idx $value) | indent 1 }}
         echo '...sync settings done.'
       fi
+      {{- end }}
+      {{- else }}
+        echo 'no ldap configuration... skipping.'
+      {{- end }}
     }
 
     configure_ldap
-    {{- end }}
 
-    {{- if .Values.gitea.oauth.enabled }}
     function configure_oauth() {
-      local OAUTH_NAME={{ (printf "%s" .Values.gitea.oauth.name) | squote }}
+      {{- if .Values.gitea.oauth }}
+      {{- range $idx, $value := .Values.gitea.oauth }}
+      local OAUTH_NAME={{ (printf "%s" $value.name) | squote }}
       local AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " "  "{print \$1}")
 
       if [[ -z "${AUTH_ID}" ]]; then
         echo "No oauth configuration found with name '${OAUTH_NAME}'. Installing it now..."
-        gitea admin auth add-oauth {{- include "gitea.oauth_settings" . | indent 1 }}
+        gitea admin auth add-oauth {{- include "gitea.oauth_settings" (list $idx $value) | indent 1 }}
         echo '...installed.'
       else
         echo "Existing oauth configuration with name '${OAUTH_NAME}': '${AUTH_ID}'. Running update to sync settings..."
-        gitea admin auth update-oauth --id "${AUTH_ID}" {{- include "gitea.oauth_settings" . | indent 1 }}
+        gitea admin auth update-oauth --id "${AUTH_ID}" {{- include "gitea.oauth_settings" (list $idx $value) | indent 1 }}
         echo '...sync settings done.'
       fi
+      {{- end }}
+      {{- else }}
+        echo 'no oauth configuration... skipping.'
+      {{- end }}
     }
 
     configure_oauth
-    {{- end }}
 
     echo '==== END GITEA CONFIGURATION ===='

templates/gitea/statefulset.yaml

@@ -17,8 +17,12 @@ spec:
     metadata:
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/gitea/config.yaml") . | sha256sum }}
-        checksum/ldap: {{ include "gitea.ldap_settings" . | sha256sum }}
-        checksum/oauth: {{ include "gitea.oauth_settings" . | sha256sum }}
+        {{- range $idx, $value := .Values.gitea.ldap }}
+        checksum/ldap_{{ $idx }}: {{ include "gitea.ldap_settings" (list $idx $value) | sha256sum }}
+        {{- end }}
+        {{- range $idx, $value := .Values.gitea.oauth }}
+        checksum/oauth_{{ $idx }}: {{ include "gitea.oauth_settings" (list $idx $value) | sha256sum }}
+        {{- end }}
         {{- with .Values.gitea.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -36,7 +40,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       securityContext:
-        fsGroup: 1000
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
       initContainers:
         - name: init-directories
           image: "{{ include "gitea.image" . }}"
@@ -58,18 +62,19 @@ spec:
               mountPath: /usr/sbin
             - name: temp
               mountPath: /tmp
-            - name: config
-              mountPath: /etc/gitea/conf
             - name: data
               mountPath: /data
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
             {{- if .Values.extraVolumeMounts }}
             {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
             {{- end }}
-        - name: configure-gitea
-          image: "{{ include "gitea.image" . }}"
-          command: ["/usr/sbin/configure_gitea.sh"]
           securityContext:
-            runAsUser: 1000
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+        - name: init-app-ini
+          image: "{{ include "gitea.image" . }}"
+          command: ["/usr/sbin/config_environment.sh"]
           env:
             - name: GITEA_APP_INI
               value: /data/gitea/conf/app.ini
@@ -79,23 +84,84 @@ spec:
               value: /data
             - name: GITEA_TEMP
               value: /tmp/gitea
-            {{- if .Values.gitea.ldap.enabled }}
-            {{- if .Values.gitea.ldap.existingSecret }}
-            - name: GITEA_LDAP_BIND_DN
+            {{- if .Values.statefulset.env }}
+            {{- toYaml .Values.statefulset.env | nindent 12 }}
+            {{- end }}
+          volumeMounts:
+            - name: config
+              mountPath: /usr/sbin
+            - name: temp
+              mountPath: /tmp
+            - name: data
+              mountPath: /data
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
+            - name: inline-config-sources
+              mountPath: /env-to-ini-mounts/inlines/
+            {{- range $idx, $value := .Values.gitea.additionalConfigSources }}
+            - name: additional-config-sources-{{ $idx }}
+              mountPath: "/env-to-ini-mounts/additionals/{{ $idx }}/"
+            {{- end }}
+            {{- if .Values.extraVolumeMounts }}
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+            {{- end }}
+          securityContext:
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+        - name: configure-gitea
+          image: "{{ include "gitea.image" . }}"
+          command: ["/usr/sbin/configure_gitea.sh"]
+          securityContext:
+            {{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
+            {{- $csc := deepCopy .Values.containerSecurityContext -}}
+            {{- if not (hasKey $csc "runAsUser") -}}
+            {{- $_ := set $csc "runAsUser" 1000 -}}
+            {{- end -}}
+            {{- toYaml $csc | nindent 12 }}
+          env:
+            - name: GITEA_APP_INI
+              value: /data/gitea/conf/app.ini
+            - name: GITEA_CUSTOM
+              value: /data/gitea
+            - name: GITEA_WORK_DIR
+              value: /data
+            - name: GITEA_TEMP
+              value: /tmp/gitea
+            {{- if .Values.gitea.ldap }}
+            {{- range $idx, $value := .Values.gitea.ldap }}
+            {{- if $value.existingSecret }}
+            - name: GITEA_LDAP_BIND_DN_{{ $idx }}
               valueFrom:
                 secretKeyRef:
                   key:  bindDn
-                  name: {{ .Values.gitea.ldap.existingSecret }}
-            - name: GITEA_LDAP_PASSWORD
+                  name: {{ $value.existingSecret }}
+            - name: GITEA_LDAP_PASSWORD_{{ $idx }}
               valueFrom:
                 secretKeyRef:
                   key:  bindPassword
-                  name: {{ .Values.gitea.ldap.existingSecret }}
+                  name: {{ $value.existingSecret }}
             {{- else }}
-            - name: GITEA_LDAP_BIND_DN
-              value: {{ .Values.gitea.ldap.bindDn | quote }}
-            - name: GITEA_LDAP_PASSWORD
-              value: {{ .Values.gitea.ldap.bindPassword | quote }}
+            - name: GITEA_LDAP_BIND_DN_{{ $idx }}
+              value: {{ $value.bindDn | quote }}
+            - name: GITEA_LDAP_PASSWORD_{{ $idx }}
+              value: {{ $value.bindPassword | quote }}
+            {{- end }}
+            {{- end }}
+            {{- end }}
+            {{- if .Values.gitea.oauth }}
+            {{- range $idx, $value := .Values.gitea.oauth }}
+            {{- if $value.existingSecret }}
+            - name: GITEA_OAUTH_KEY_{{ $idx }}
+              valueFrom:
+                secretKeyRef:
+                  key:  key
+                  name: {{ $value.existingSecret }}
+            - name: GITEA_OAUTH_SECRET_{{ $idx }}
+              valueFrom:
+                secretKeyRef:
+                  key:  secret
+                  name: {{ $value.existingSecret }}
+            {{- end }}
             {{- end }}
             {{- end }}
             {{- if .Values.gitea.admin.existingSecret }}
@@ -125,6 +191,9 @@ spec:
               mountPath: /tmp
             - name: data
               mountPath: /data
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
             {{- if .Values.extraVolumeMounts }}
             {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
             {{- end }}
@@ -165,54 +234,35 @@ spec:
             - name: profiler
               containerPort: 6060
             {{- end }}
-          {{- if .Values.gitea.livenessProbe.enabled }}
+          {{- if .Values.gitea.livenessProbe }}
           livenessProbe:
-            tcpSocket:
-              port: http
-            initialDelaySeconds: {{ .Values.gitea.livenessProbe.initialDelaySeconds }}
-            periodSeconds: {{ .Values.gitea.livenessProbe.periodSeconds }}
-            timeoutSeconds: {{ .Values.gitea.livenessProbe.timeoutSeconds }}
-            successThreshold: {{ .Values.gitea.livenessProbe.successThreshold }}
-            failureThreshold: {{ .Values.gitea.livenessProbe.failureThreshold }}
-          {{- else if .Values.gitea.customLivenessProbe }}
-          livenessProbe:
-            {{- toYaml .Values.gitea.customLivenessProbe | nindent 12 }}
+            {{- toYaml .Values.gitea.livenessProbe | nindent 12 }}
           {{- end }}
-          {{- if .Values.gitea.readinessProbe.enabled }}
+          {{- if .Values.gitea.readinessProbe }}
           readinessProbe:
-            tcpSocket:
-              port: http
-            initialDelaySeconds: {{ .Values.gitea.readinessProbe.initialDelaySeconds }}
-            periodSeconds: {{ .Values.gitea.readinessProbe.periodSeconds }}
-            timeoutSeconds: {{ .Values.gitea.readinessProbe.timeoutSeconds }}
-            successThreshold: {{ .Values.gitea.readinessProbe.successThreshold }}
-            failureThreshold: {{ .Values.gitea.readinessProbe.failureThreshold }}
-          {{- else if .Values.gitea.customReadinessProbe }}
-          readinessProbe:
-            {{- toYaml .Values.gitea.customReadinessProbe | nindent 12 }}
+            {{- toYaml .Values.gitea.readinessProbe | nindent 12 }}
           {{- end }}
-          {{- if .Values.gitea.startupProbe.enabled }}
+          {{- if .Values.gitea.startupProbe }}
           startupProbe:
-            tcpSocket:
-              port: http
-            initialDelaySeconds: {{ .Values.gitea.startupProbe.initialDelaySeconds }}
-            periodSeconds: {{ .Values.gitea.startupProbe.periodSeconds }}
-            timeoutSeconds: {{ .Values.gitea.startupProbe.timeoutSeconds }}
-            successThreshold: {{ .Values.gitea.startupProbe.successThreshold }}
-            failureThreshold: {{ .Values.gitea.startupProbe.failureThreshold }}
-          {{- else if .Values.gitea.customStartupProbe }}
-          startupProbe:
-            {{- toYaml .Values.gitea.customStartupProbe | nindent 12 }}
+            {{- toYaml .Values.gitea.startupProbe | nindent 12 }}
           {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+            {{- /* Honor the deprecated securityContext variable when defined */ -}}
+            {{- if .Values.containerSecurityContext -}}
+            {{ toYaml .Values.containerSecurityContext | nindent 12 -}}
+            {{- else -}}
+            {{ toYaml .Values.securityContext | nindent 12 -}}
+            {{- end }}
           volumeMounts:
             - name: temp
               mountPath: /tmp
             - name: data
               mountPath: /data
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
             {{- if .Values.extraVolumeMounts }}
             {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
             {{- end }}
@@ -232,13 +282,21 @@ spec:
         - name: init
           secret:
             secretName: {{ include "gitea.fullname" . }}-init
-            defaultMode: 0777
+            defaultMode: 110
         - name: config
           secret:
             secretName: {{ include "gitea.fullname" . }}
+            defaultMode: 110
         {{- if .Values.extraVolumes }}
         {{- toYaml .Values.extraVolumes | nindent 8 }}
         {{- end }}
+        - name: inline-config-sources
+          secret:
+            secretName: {{ include "gitea.fullname" . }}-inline-config
+        {{- range $idx, $value := .Values.gitea.additionalConfigSources }}
+        - name: additional-config-sources-{{ $idx }}
+          {{- toYaml $value | nindent 10 }}
+        {{- end }}
         - name: temp
           emptyDir: {}
   {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}

values.yaml

@@ -8,14 +8,17 @@ clusterDomain: cluster.local
 
 image:
   repository: gitea/gitea
-  tag: 1.15.0
+  tag: 1.15.10
   pullPolicy: Always
   rootless: false # only possible when running 1.14 or later
 
 imagePullSecrets: []
 
-# only usable with rootless image due to image design
-securityContext: {}
+# Security context is only usable with rootless image due to image design
+podSecurityContext:
+  fsGroup: 1000
+
+containerSecurityContext: {}
 #   allowPrivilegeEscalation: false
 #   capabilities:
 #     drop:
@@ -33,6 +36,11 @@ securityContext: {}
 #   runAsNonRoot: true
 #   runAsUser: 1000
 
+# DEPRECATED. The securityContext variable has been split two:
+# - containerSecurityContext
+# - podSecurityContext.
+securityContext: {}
+
 service:
   http:
     type: ClusterIP
@@ -70,6 +78,9 @@ ingress:
   #  - secretName: chart-example-tls
   #    hosts:
   #      - git.example.com
+  # Mostly for argocd or any other CI that uses `helm template | kubectl apply` or similar
+  # If helm doesn't correctly detect your ingress API version you can set it here.
+  # apiVersion: networking.k8s.io/v1
 
 resources: {}
   # We usually recommend not to specify default resources and to leave this as a conscious
@@ -110,6 +121,7 @@ persistence:
   labels: {}
   annotations: {}
   # storageClass:
+  # subPath:
 
 # additional volumes to add to the Gitea statefulset.
 extraVolumes:
@@ -154,10 +166,9 @@ gitea:
       #  additionalLabels:
       #    prometheus-release: prom1
 
-  ldap:
-    enabled: false
-    #existingSecret: gitea-ldap-secret
-    #name:
+  ldap: []
+    # - name: "LDAP 1"
+    #  existingSecret:
     #  securityProtocol:
     #  host:
     #  port:
@@ -168,14 +179,15 @@ gitea:
     #  bindDn:
     #  bindPassword:
     #  usernameAttribute:
-    #sshPublicKeyAttribute:
+    #  publicSSHKeyAttribute:
 
-  oauth:
-    enabled: false
-    #name:
+  # Either specify inline `key` and `secret` or refer to them via `existingSecret`
+  oauth: []
+    # - name: 'OAuth 1'
     #   provider:
     #   key:
     #   secret:
+    #   existingSecret:
     #   autoDiscoverUrl:
     #   useCustomUrls:
     #   customAuthUrl:
@@ -193,73 +205,51 @@ gitea:
   #  security:
   #    PASSWORD_COMPLEXITY: spec
 
+  additionalConfigSources: []
+  #   - secret:
+  #       secretName: gitea-app-ini-oauth
+  #   - configMap:
+  #       name: gitea-app-ini-plaintext
+
   podAnnotations: {}
 
-  database:
-    builtIn:
-      postgresql:
-        enabled: true
-      mysql:
-        enabled: false
-      mariadb:
-        enabled: false
-
-  cache:
-    builtIn:
-      enabled: true
-
+  # Modify the liveness probe for your needs or completely disable it by commenting out.
   livenessProbe:
-    enabled: true
+    tcpSocket:
+      port: http
     initialDelaySeconds: 200
     timeoutSeconds: 1
     periodSeconds: 10
     successThreshold: 1
     failureThreshold: 10
+
+  # Modify the readiness probe for your needs or completely disable it by commenting out.
   readinessProbe:
-    enabled: true
+    tcpSocket:
+      port: http
     initialDelaySeconds: 5
     timeoutSeconds: 1
     periodSeconds: 10
     successThreshold: 1
     failureThreshold: 3
-  startupProbe:
-    enabled: false
-    initialDelaySeconds: 60
-    timeoutSeconds: 1
-    periodSeconds: 10
-    successThreshold: 1
-    failureThreshold: 10
 
-  # customLivenessProbe:
-  #   httpGet:
-  #     path: /user/login
-  #     port: http
-  #   initialDelaySeconds: 60
-  #   periodSeconds: 10
-  #   successThreshold: 1
-  #   failureThreshold: 10
-  # customReadinessProbe:
-  #   httpGet:
-  #     path: /user/login
-  #     port: http
-  #   initialDelaySeconds: 5
-  #   periodSeconds: 10
-  #   successThreshold: 1
-  #   failureThreshold: 3
-  # customStartupProbe:
-  #   httpGet:
-  #     path: /user/login
+  # # Uncomment the startup probe to enable and modify it for your needs.
+  # startupProbe:
+  #   tcpSocket:
   #     port: http
   #   initialDelaySeconds: 60
+  #   timeoutSeconds: 1
   #   periodSeconds: 10
   #   successThreshold: 1
   #   failureThreshold: 10
 
 memcached:
+  enabled: true
   service:
     port: 11211
 
 postgresql:
+  enabled: true
   global:
     postgresql:
       postgresqlDatabase: gitea
@@ -270,6 +260,7 @@ postgresql:
     size: 10Gi
 
 mysql:
+  enabled: false
   root:
     password: gitea
   db:
@@ -282,6 +273,7 @@ mysql:
     size: 10Gi
 
 mariadb:
+  enabled: false
   auth:
     database: gitea
     username: gitea
@@ -292,3 +284,7 @@ mariadb:
       port: 3306
     persistence:
       size: 10Gi
+
+# By default, removed or moved settings that still remain in a user defined values.yaml will cause Helm to fail running the install/update.
+# Set it to false to skip this basic validation check.
+checkDeprecation: true