From 4dc2f9a1ee5719bfaeabb30d50e77462da9604d7 Mon Sep 17 00:00:00 2001 From: Philip Haupt <“der.mad.mob@gmail.com”> Date: Tue, 3 Jun 2025 14:47:41 +0200 Subject: [PATCH] gitea --- gitea/kustomization.yaml | 6 + gitea/main.yaml | 621 +++++++++++++++++++++++++++++++++++ gitea/src/kustomization.yaml | 12 + gitea/src/values.yaml | 621 +++++++++++++++++++++++++++++++++++ 4 files changed, 1260 insertions(+) create mode 100644 gitea/kustomization.yaml create mode 100644 gitea/main.yaml create mode 100644 gitea/src/kustomization.yaml create mode 100644 gitea/src/values.yaml diff --git a/gitea/kustomization.yaml b/gitea/kustomization.yaml new file mode 100644 index 0000000..4ae436c --- /dev/null +++ b/gitea/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - main.yaml \ No newline at end of file diff --git a/gitea/main.yaml b/gitea/main.yaml new file mode 100644 index 0000000..ca487c5 --- /dev/null +++ b/gitea/main.yaml @@ -0,0 +1,621 @@ +apiVersion: v1 +kind: Secret +metadata: + labels: + app: gitea + app.kubernetes.io/instance: gitea + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gitea + app.kubernetes.io/version: 1.23.8 + helm.sh/chart: gitea-12.0.0 + version: 1.23.8 + name: gitea + namespace: gitea +stringData: + assertions: "" + config_environment.sh: | + #!/usr/bin/env bash + set -euo pipefail + + function env2ini::log() { + printf "${1}\n" + } + + function env2ini::read_config_to_env() { + local section="${1}" + local line="${2}" + + if [[ -z "${line}" ]]; then + # skip empty line + return + fi + + # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line + local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)" + + if [[ -z "${setting}" ]]; then + env2ini::log ' ! invalid setting' + exit 1 + fi + + local value='' + local regex="^${setting}(\s*)=(\s*)(.*)" + if [[ $line =~ $regex ]]; then + value="${BASH_REMATCH[3]}" + else + env2ini::log ' ! invalid setting' + exit 1 + fi + + env2ini::log " + '${setting}'" + + if [[ -z "${section}" ]]; then + export "GITEA____${setting^^}=${value}" # '^^' makes the variable content uppercase + return + fi + + local masked_section="${section//./_0X2E_}" # '//' instructs to replace all matches + masked_section="${masked_section//-/_0X2D_}" + + export "GITEA__${masked_section^^}__${setting^^}=${value}" # '^^' makes the variable content uppercase + } + + function env2ini::reload_preset_envs() { + env2ini::log "Reloading preset envs..." + + while read -r line; do + if [[ -z "${line}" ]]; then + # skip empty line + return + fi + + # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line + local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)" + + if [[ -z "${setting}" ]]; then + env2ini::log ' ! invalid setting' + exit 1 + fi + + local value='' + local regex="^${setting}(\s*)=(\s*)(.*)" + if [[ $line =~ $regex ]]; then + value="${BASH_REMATCH[3]}" + else + env2ini::log ' ! invalid setting' + exit 1 + fi + + env2ini::log " + '${setting}'" + + export "${setting^^}=${value}" # '^^' makes the variable content uppercase + done < "$TMP_EXISTING_ENVS_FILE" + + rm $TMP_EXISTING_ENVS_FILE + } + + + function env2ini::process_config_file() { + local config_file="${1}" + local section="$(basename "${config_file}")" + + if [[ $section == '_generals_' ]]; then + env2ini::log " [ini root]" + section='' + else + env2ini::log " ${section}" + fi + + while read -r line; do + env2ini::read_config_to_env "${section}" "${line}" + done < <(awk 1 "${config_file}") # Helm .toYaml trims the trailing new line which breaks line processing; awk 1 ... adds it back while reading + } + + function env2ini::load_config_sources() { + local path="${1}" + + if [[ -d "${path}" ]]; then + env2ini::log "Processing $(basename "${path}")..." + + while read -d '' configFile; do + env2ini::process_config_file "${configFile}" + done < <(find "${path}" -type l -not -name '..data' -print0) + + env2ini::log "\n" + fi + } + + function env2ini::generate_initial_secrets() { + # These environment variables will either be + # - overwritten with user defined values, + # - initially used to set up Gitea + # Anyway, they won't harm existing app.ini files + + export GITEA__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN) + export GITEA__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY) + export GITEA__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET) + export GITEA__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET) + + env2ini::log "...Initial secrets generated\n" + } + + # save existing envs prior to script execution. Necessary to keep order of preexisting and custom envs + env | (grep -e '^GITEA__' || [[ $? == 1 ]]) > $TMP_EXISTING_ENVS_FILE + + # MUST BE CALLED BEFORE OTHER CONFIGURATION + env2ini::generate_initial_secrets + + env2ini::load_config_sources "$ENV_TO_INI_MOUNT_POINT/inlines/" + env2ini::load_config_sources "$ENV_TO_INI_MOUNT_POINT/additionals/" + + # load existing envs to override auto generated envs + env2ini::reload_preset_envs + + env2ini::log "=== All configuration sources loaded ===\n" + + # safety to prevent rewrite of secret keys if an app.ini already exists + if [ -f ${GITEA_APP_INI} ]; then + env2ini::log 'An app.ini file already exists. To prevent overwriting secret keys, these settings are dropped and remain unchanged:' + env2ini::log ' - security.INTERNAL_TOKEN' + env2ini::log ' - security.SECRET_KEY' + env2ini::log ' - oauth2.JWT_SECRET' + env2ini::log ' - server.LFS_JWT_SECRET' + + unset GITEA__SECURITY__INTERNAL_TOKEN + unset GITEA__SECURITY__SECRET_KEY + unset GITEA__OAUTH2__JWT_SECRET + unset GITEA__SERVER__LFS_JWT_SECRET + fi + + environment-to-ini -o $GITEA_APP_INI +type: Opaque +--- +apiVersion: v1 +kind: Secret +metadata: + labels: + app: gitea + app.kubernetes.io/instance: gitea + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gitea + app.kubernetes.io/version: 1.23.8 + helm.sh/chart: gitea-12.0.0 + version: 1.23.8 + name: gitea-init + namespace: gitea +stringData: + configure_gitea.sh: |- + #!/usr/bin/env bash + + set -euo pipefail + + echo '==== BEGIN GITEA CONFIGURATION ====' + + { # try + gitea migrate + } || { # catch + echo "Gitea migrate might fail due to database connection...This init-container will try again in a few seconds" + exit 1 + } + function configure_admin_user() { + local full_admin_list=$(gitea admin user list --admin) + local actual_user_table='' + + # We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line + local regex="(.*)(ID\s+Username\s+Email\s+IsActive.*)" + if [[ "${full_admin_list}" =~ $regex ]]; then + actual_user_table=$(echo "${BASH_REMATCH[2]}" | tail -n+2) # tail'ing to drop the table headline + else + # This code block should never be reached, as long as the output table header remains the same. + # If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script. + + echo "ERROR: 'configure_admin_user' was not able to determine the current list of admin users." + echo " Please review the output of 'gitea admin user list --admin' shown below." + echo " If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-gitea/issues." + echo "DEBUG: Output of 'gitea admin user list --admin'" + echo "--" + echo "${full_admin_list}" + echo "--" + exit 1 + fi + + local ACCOUNT_ID=$(echo "${actual_user_table}" | grep -E "\s+${GITEA_ADMIN_USERNAME}\s+" | awk -F " " "{printf \$1}") + if [[ -z "${ACCOUNT_ID}" ]]; then + local -a create_args + create_args=(--admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email "gitea@local.domain") + if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = initialOnlyRequireReset ]]; then + create_args+=(--must-change-password=true) + else + create_args+=(--must-change-password=false) + fi + echo "No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now..." + gitea admin user create "${create_args[@]}" + echo '...created.' + else + if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = keepUpdated ]]; then + echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..." + # See https://gitea.com/gitea/helm-gitea/issues/673 + # --must-change-password argument was added to change-password, defaulting to true, counter to the previous behavior + # which acted as if it were provided with =false. If the argument is present in this version of gitea, then we + # should add it to prevent requiring frequent admin password resets. + local -a change_args + change_args=(--username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}") + if gitea admin user change-password --help | grep -qF -- '--must-change-password'; then + change_args+=(--must-change-password=false) + fi + gitea admin user change-password "${change_args[@]}" + echo '...password sync done.' + else + echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist, but update mode is set to '${GITEA_ADMIN_PASSWORD_MODE}'. Skipping." + fi + fi + } + + configure_admin_user + + function configure_ldap() { + echo 'no ldap configuration... skipping.' + } + + configure_ldap + + function configure_oauth() { + echo 'no oauth configuration... skipping.' + } + + configure_oauth + + echo '==== END GITEA CONFIGURATION ====' + configure_gpg_environment.sh: | + #!/usr/bin/env bash + set -eu + + gpg --batch --import "$TMP_RAW_GPG_KEY" + init_directory_structure.sh: |- + #!/usr/bin/env bash + + set -euo pipefail + mkdir -pv /data/git/.ssh + chmod -Rv 700 /data/git/.ssh + [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf + + # prepare temp directory structure + mkdir -pv "${GITEA_TEMP}" + chmod -v ug+rwx "${GITEA_TEMP}" +type: Opaque +--- +apiVersion: v1 +kind: Secret +metadata: + labels: + app: gitea + app.kubernetes.io/instance: gitea + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gitea + app.kubernetes.io/version: 1.23.8 + helm.sh/chart: gitea-12.0.0 + version: 1.23.8 + name: gitea-inline-config + namespace: gitea +stringData: + _generals_: "" + cache: |- + ADAPTER=memory + HOST= + indexer: ISSUE_INDEXER_TYPE=db + metrics: ENABLED=false + queue: |- + CONN_STR= + TYPE=level + repository: ROOT=/data/git/gitea-repositories + security: INSTALL_LOCK=true + server: |- + APP_DATA_PATH=/data + DOMAIN=git.example.com + ENABLE_PPROF=false + HTTP_PORT=3000 + PROTOCOL=http + ROOT_URL=http://git.example.com + SSH_DOMAIN=git.example.com + SSH_LISTEN_PORT=2222 + SSH_PORT=22 + START_SSH_SERVER=true + session: |- + PROVIDER=memory + PROVIDER_CONFIG= +type: Opaque +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: gitea + app.kubernetes.io/instance: gitea + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gitea + app.kubernetes.io/version: 1.23.8 + helm.sh/chart: gitea-12.0.0 + version: 1.23.8 + name: gitea-http + namespace: gitea +spec: + clusterIP: None + ports: + - name: http + port: 3000 + targetPort: null + selector: + app.kubernetes.io/instance: gitea + app.kubernetes.io/name: gitea + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: gitea + app.kubernetes.io/instance: gitea + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gitea + app.kubernetes.io/version: 1.23.8 + helm.sh/chart: gitea-12.0.0 + version: 1.23.8 + name: gitea-ssh + namespace: gitea +spec: + clusterIP: None + ports: + - name: ssh + port: 22 + protocol: TCP + targetPort: 2222 + selector: + app.kubernetes.io/instance: gitea + app.kubernetes.io/name: gitea + type: ClusterIP +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + annotations: + helm.sh/resource-policy: keep + labels: {} + name: gitea-shared-storage + namespace: gitea +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 10Gi + storageClassName: openebs-3-replicas + volumeMode: Filesystem +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: gitea + app.kubernetes.io/instance: gitea + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gitea + app.kubernetes.io/version: 1.23.8 + helm.sh/chart: gitea-12.0.0 + version: 1.23.8 + name: gitea + namespace: gitea +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: gitea + app.kubernetes.io/name: gitea + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: + checksum/config: d8124dc4651cfec8d98a3c9d5d6150b5dd8a684e615f9b6bc50500226a102888 + labels: + app: gitea + app.kubernetes.io/instance: gitea + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gitea + app.kubernetes.io/version: 1.23.8 + helm.sh/chart: gitea-12.0.0 + version: 1.23.8 + spec: + containers: + - env: + - name: SSH_LISTEN_PORT + value: "2222" + - name: SSH_PORT + value: "22" + - name: GITEA_APP_INI + value: /data/gitea/conf/app.ini + - name: GITEA_CUSTOM + value: /data/gitea + - name: GITEA_WORK_DIR + value: /data + - name: GITEA_TEMP + value: /tmp/gitea + - name: TMPDIR + value: /tmp/gitea + - name: HOME + value: /data/gitea/git + image: docker.gitea.com/gitea:1.23.8-rootless + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 10 + initialDelaySeconds: 200 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: http + timeoutSeconds: 1 + name: gitea + ports: + - containerPort: 2222 + name: ssh + - containerPort: 3000 + name: http + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: http + timeoutSeconds: 1 + resources: {} + securityContext: {} + volumeMounts: + - mountPath: /tmp + name: temp + - mountPath: /data + name: data + initContainers: + - command: + - /usr/sbinx/init_directory_structure.sh + env: + - name: GITEA_APP_INI + value: /data/gitea/conf/app.ini + - name: GITEA_CUSTOM + value: /data/gitea + - name: GITEA_WORK_DIR + value: /data + - name: GITEA_TEMP + value: /tmp/gitea + image: docker.gitea.com/gitea:1.23.8-rootless + imagePullPolicy: IfNotPresent + name: init-directories + resources: + limits: {} + requests: + cpu: 100m + memory: 128Mi + securityContext: {} + volumeMounts: + - mountPath: /usr/sbinx + name: init + - mountPath: /tmp + name: temp + - mountPath: /data + name: data + - command: + - /usr/sbinx/config_environment.sh + env: + - name: GITEA_APP_INI + value: /data/gitea/conf/app.ini + - name: GITEA_CUSTOM + value: /data/gitea + - name: GITEA_WORK_DIR + value: /data + - name: GITEA_TEMP + value: /tmp/gitea + - name: TMP_EXISTING_ENVS_FILE + value: /tmp/existing-envs + - name: ENV_TO_INI_MOUNT_POINT + value: /env-to-ini-mounts + image: docker.gitea.com/gitea:1.23.8-rootless + imagePullPolicy: IfNotPresent + name: init-app-ini + resources: + limits: {} + requests: + cpu: 100m + memory: 128Mi + securityContext: {} + volumeMounts: + - mountPath: /usr/sbinx + name: config + - mountPath: /tmp + name: temp + - mountPath: /data + name: data + - mountPath: /env-to-ini-mounts/inlines/ + name: inline-config-sources + - command: + - /usr/sbinx/configure_gitea.sh + env: + - name: GITEA_APP_INI + value: /data/gitea/conf/app.ini + - name: GITEA_CUSTOM + value: /data/gitea + - name: GITEA_WORK_DIR + value: /data + - name: GITEA_TEMP + value: /tmp/gitea + - name: HOME + value: /data/gitea/git + - name: GITEA_ADMIN_USERNAME + value: gitea_admin + - name: GITEA_ADMIN_PASSWORD + value: r8sA8CPHD9!bt6d + - name: GITEA_ADMIN_PASSWORD_MODE + value: keepUpdated + image: docker.gitea.com/gitea:1.23.8-rootless + imagePullPolicy: IfNotPresent + name: configure-gitea + resources: + limits: {} + requests: + cpu: 100m + memory: 128Mi + securityContext: + runAsUser: 1000 + volumeMounts: + - mountPath: /usr/sbinx + name: init + - mountPath: /tmp + name: temp + - mountPath: /data + name: data + securityContext: + fsGroup: 1000 + terminationGracePeriodSeconds: 60 + volumes: + - name: init + secret: + defaultMode: 110 + secretName: gitea-init + - name: config + secret: + defaultMode: 110 + secretName: gitea + - name: inline-config-sources + secret: + secretName: gitea-inline-config + - emptyDir: {} + name: temp + - name: data + persistentVolumeClaim: + claimName: gitea-shared-storage +--- +apiVersion: v1 +kind: Pod +metadata: + annotations: + helm.sh/hook: test-success + labels: + app: gitea + app.kubernetes.io/instance: gitea + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gitea + app.kubernetes.io/version: 1.23.8 + helm.sh/chart: gitea-12.0.0 + version: 1.23.8 + name: gitea-test-connection + namespace: gitea +spec: + containers: + - args: + - gitea-http:3000 + command: + - wget + image: busybox:latest + name: wget + restartPolicy: Never diff --git a/gitea/src/kustomization.yaml b/gitea/src/kustomization.yaml new file mode 100644 index 0000000..10497dd --- /dev/null +++ b/gitea/src/kustomization.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +helmCharts: + - name: gitea + repo: https://dl.gitea.com/charts/ + version: 12.0.0 + releaseName: gitea + includeCRDs: true + namespace: gitea + valuesFile: values.yaml diff --git a/gitea/src/values.yaml b/gitea/src/values.yaml new file mode 100644 index 0000000..739f043 --- /dev/null +++ b/gitea/src/values.yaml @@ -0,0 +1,621 @@ +# Default values for gitea. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +## @section Global +# +## @param global.imageRegistry global image registry override +## @param global.imagePullSecrets global image pull secrets override; can be extended by `imagePullSecrets` +## @param global.storageClass global storage class override +## @param global.hostAliases global hostAliases which will be added to the pod's hosts files +global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + storageClass: "" + hostAliases: [] + # - ip: 192.168.137.2 + # hostnames: + # - example.com + +## @param namespace An explicit namespace to deploy gitea into. Defaults to the release namespace if not specified +namespace: "" + +## @param replicaCount number of replicas for the deployment +replicaCount: 1 + +## @section strategy +## @param strategy.type strategy type +## @param strategy.rollingUpdate.maxSurge maxSurge +## @param strategy.rollingUpdate.maxUnavailable maxUnavailable +strategy: + type: "RollingUpdate" + rollingUpdate: + maxSurge: "100%" + maxUnavailable: 0 + +## @param clusterDomain cluster domain +clusterDomain: cluster.local + +## @section Image +## @param image.registry image registry, e.g. gcr.io,docker.io +## @param image.repository Image to start for this pod +## @param image.tag Visit: [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated). Defaults to `appVersion` within Chart.yaml. +## @param image.digest Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest` +## @param image.pullPolicy Image pull policy +## @param image.rootless Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher +## @param image.fullOverride Completely overrides the image registry, path/image, tag and digest. **Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).** +image: + registry: "docker.gitea.com" + repository: gitea + # Overrides the image tag whose default is the chart appVersion. + tag: "" + digest: "" + pullPolicy: IfNotPresent + rootless: true + fullOverride: "" + +## @param imagePullSecrets Secret to use for pulling the image +imagePullSecrets: [] + +## @section Security +# Security context is only usable with rootless image due to image design +## @param podSecurityContext.fsGroup Set the shared file system group for all containers in the pod. +podSecurityContext: + fsGroup: 1000 + +## @param containerSecurityContext Security context +containerSecurityContext: {} +# allowPrivilegeEscalation: false +# capabilities: +# drop: +# - ALL +# # Add the SYS_CHROOT capability for root and rootless images if you intend to +# # run pods on nodes that use the container runtime cri-o. Otherwise, you will +# # get an error message from the SSH server that it is not possible to read from +# # the repository. +# # https://gitea.com/gitea/helm-gitea/issues/161 +# add: +# - SYS_CHROOT +# privileged: false +# readOnlyRootFilesystem: true +# runAsGroup: 1000 +# runAsNonRoot: true +# runAsUser: 1000 + +## @deprecated The securityContext variable has been split two: +## - containerSecurityContext +## - podSecurityContext. +## @param securityContext Run init and Gitea containers as a specific securityContext +securityContext: {} + +## @param podDisruptionBudget Pod disruption budget +podDisruptionBudget: {} +# maxUnavailable: 1 +# minAvailable: 1 + +## @section Service +service: + ## @param service.http.type Kubernetes service type for web traffic + ## @param service.http.port Port number for web traffic + ## @param service.http.clusterIP ClusterIP setting for http autosetup for deployment is None + ## @param service.http.loadBalancerIP LoadBalancer IP setting + ## @param service.http.nodePort NodePort for http service + ## @param service.http.externalTrafficPolicy If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation + ## @param service.http.externalIPs External IPs for service + ## @param service.http.ipFamilyPolicy HTTP service dual-stack policy + ## @param service.http.ipFamilies HTTP service dual-stack familiy selection,for dual-stack parameters see official kubernetes [dual-stack concept documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/). + ## @param service.http.loadBalancerSourceRanges Source range filter for http loadbalancer + ## @param service.http.annotations HTTP service annotations + ## @param service.http.labels HTTP service additional labels + ## @param service.http.loadBalancerClass Loadbalancer class + http: + type: ClusterIP + port: 3000 + clusterIP: None + loadBalancerIP: + nodePort: + externalTrafficPolicy: + externalIPs: + ipFamilyPolicy: + ipFamilies: + loadBalancerSourceRanges: [] + annotations: {} + labels: {} + loadBalancerClass: + ## @param service.ssh.type Kubernetes service type for ssh traffic + ## @param service.ssh.port Port number for ssh traffic + ## @param service.ssh.clusterIP ClusterIP setting for ssh autosetup for deployment is None + ## @param service.ssh.loadBalancerIP LoadBalancer IP setting + ## @param service.ssh.nodePort NodePort for ssh service + ## @param service.ssh.externalTrafficPolicy If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation + ## @param service.ssh.externalIPs External IPs for service + ## @param service.ssh.ipFamilyPolicy SSH service dual-stack policy + ## @param service.ssh.ipFamilies SSH service dual-stack familiy selection,for dual-stack parameters see official kubernetes [dual-stack concept documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/). + ## @param service.ssh.hostPort HostPort for ssh service + ## @param service.ssh.loadBalancerSourceRanges Source range filter for ssh loadbalancer + ## @param service.ssh.annotations SSH service annotations + ## @param service.ssh.labels SSH service additional labels + ## @param service.ssh.loadBalancerClass Loadbalancer class + ssh: + type: ClusterIP + port: 22 + clusterIP: None + loadBalancerIP: + nodePort: + externalTrafficPolicy: + externalIPs: + ipFamilyPolicy: + ipFamilies: + hostPort: + loadBalancerSourceRanges: [] + annotations: {} + labels: {} + loadBalancerClass: + +## @section Ingress +## @param ingress.enabled Enable ingress +## @param ingress.className DEPRECATED: Ingress class name. +## @param ingress.pathType Ingress Path Type +## @param ingress.annotations Ingress annotations +## @param ingress.hosts[0].host Default Ingress host +## @param ingress.hosts[0].paths[0].path Default Ingress path +## @param ingress.tls Ingress tls settings +ingress: + enabled: false + className: "" + pathType: Prefix + annotations: {} + hosts: + - host: git.example.com + paths: + - path: / + tls: [] + # - secretName: chart-example-tls + # hosts: + # - git.example.com + +## @section deployment +# +## @param resources Kubernetes resources +resources: + {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +## Use an alternate scheduler, e.g. "stork". +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +## @param schedulerName Use an alternate scheduler, e.g. "stork" +schedulerName: "" + +## @param nodeSelector NodeSelector for the deployment +nodeSelector: {} + +## @param tolerations Tolerations for the deployment +tolerations: [] + +## @param affinity Affinity for the deployment +affinity: {} + +## @param topologySpreadConstraints TopologySpreadConstraints for the deployment +topologySpreadConstraints: [] + +## @param dnsConfig dnsConfig for the deployment +dnsConfig: {} + +## @param priorityClassName priorityClassName for the deployment +priorityClassName: "" + +## @param deployment.env Additional environment variables to pass to containers +## @param deployment.terminationGracePeriodSeconds How long to wait until forcefully kill the pod +## @param deployment.labels Labels for the deployment +## @param deployment.annotations Annotations for the Gitea deployment to be created +deployment: + env: + [] + # - name: VARIABLE + # value: my-value + terminationGracePeriodSeconds: 60 + labels: {} + annotations: {} + +## @section ServiceAccount + +## @param serviceAccount.create Enable the creation of a ServiceAccount +## @param serviceAccount.name Name of the created ServiceAccount, defaults to release name. Can also link to an externally provided ServiceAccount that should be used. +## @param serviceAccount.automountServiceAccountToken Enable/disable auto mounting of the service account token +## @param serviceAccount.imagePullSecrets Image pull secrets, available to the ServiceAccount +## @param serviceAccount.annotations Custom annotations for the ServiceAccount +## @param serviceAccount.labels Custom labels for the ServiceAccount +serviceAccount: + create: false + name: "" + automountServiceAccountToken: false + imagePullSecrets: [] + # - name: private-registry-access + annotations: {} + labels: {} + +## @section Persistence +# +## @param persistence.enabled Enable persistent storage +## @param persistence.create Whether to create the persistentVolumeClaim for shared storage +## @param persistence.mount Whether the persistentVolumeClaim should be mounted (even if not created) +## @param persistence.claimName Use an existing claim to store repository information +## @param persistence.size Size for persistence to store repo information +## @param persistence.accessModes AccessMode for persistence +## @param persistence.labels Labels for the persistence volume claim to be created +## @param persistence.annotations.helm.sh/resource-policy Resource policy for the persistence volume claim +## @param persistence.storageClass Name of the storage class to use +## @param persistence.subPath Subdirectory of the volume to mount at +## @param persistence.volumeName Name of persistent volume in PVC +persistence: + enabled: true + create: true + mount: true + claimName: gitea-shared-storage + size: 10Gi + accessModes: + - ReadWriteOnce + labels: {} + storageClass: openebs-3-replicas + subPath: + volumeName: "" + annotations: + helm.sh/resource-policy: keep + +## @param extraContainers Additional sidecar containers to run in the pod +extraContainers: [] +# - name: sidecar-bob +# image: busybox +# command: [/bin/sh, -c, 'echo "Hello world"; sleep 86400'] + +## @param extraVolumes Additional volumes to mount to the Gitea deployment +extraVolumes: [] +# - name: postgres-ssl-vol +# secret: +# secretName: gitea-postgres-ssl + +## @param extraContainerVolumeMounts Mounts that are only mapped into the Gitea runtime/main container, to e.g. override custom templates. +extraContainerVolumeMounts: [] + +## @param extraInitVolumeMounts Mounts that are only mapped into the init-containers. Can be used for additional preconfiguration. +extraInitVolumeMounts: [] + +## @deprecated The extraVolumeMounts variable has been split two: +## - extraContainerVolumeMounts +## - extraInitVolumeMounts +## As an example, can be used to mount a client cert when connecting to an external Postgres server. +## @param extraVolumeMounts **DEPRECATED** Additional volume mounts for init containers and the Gitea main container +extraVolumeMounts: [] +# - name: postgres-ssl-vol +# readOnly: true +# mountPath: "/pg-ssl" + +## @section Init +## @param initPreScript Bash shell script copied verbatim to the start of the init-container. +initPreScript: "" +## @param initContainersScriptsVolumeMountPath Path to mount the scripts consumed from the Secrets +initContainersScriptsVolumeMountPath: "/usr/sbinx" +# +# initPreScript: | +# mkdir -p /data/git/.postgresql +# cp /pg-ssl/* /data/git/.postgresql/ +# chown -R git:git /data/git/.postgresql/ +# chmod 400 /data/git/.postgresql/postgresql.key + +## @param initContainers.resources.limits initContainers.limits Kubernetes resource limits for init containers +## @param initContainers.resources.requests.cpu initContainers.requests.cpu Kubernetes cpu resource limits for init containers +## @param initContainers.resources.requests.memory initContainers.requests.memory Kubernetes memory resource limits for init containers +initContainers: + resources: + limits: {} + requests: + cpu: 100m + memory: 128Mi + +# Configure commit/action signing prerequisites +## @section Signing +# +## @param signing.enabled Enable commit/action signing +## @param signing.gpgHome GPG home directory +## @param signing.privateKey Inline private gpg key for signed internal Git activity +## @param signing.existingSecret Use an existing secret to store the value of `signing.privateKey` +signing: + enabled: false + gpgHome: /data/git/.gnupg + privateKey: "" + # privateKey: |- + # -----BEGIN PGP PRIVATE KEY BLOCK----- + # ... + # -----END PGP PRIVATE KEY BLOCK----- + existingSecret: "" + +## @section Gitea +# +gitea: + ## @param gitea.admin.username Username for the Gitea admin user + ## @param gitea.admin.existingSecret Use an existing secret to store admin user credentials + ## @param gitea.admin.password Password for the Gitea admin user + ## @param gitea.admin.email Email for the Gitea admin user + ## @param gitea.admin.passwordMode Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated + admin: + # existingSecret: gitea-admin-secret + existingSecret: + username: gitea_admin + password: r8sA8CPHD9!bt6d + email: "gitea@local.domain" + passwordMode: keepUpdated + + ## @param gitea.metrics.enabled Enable Gitea metrics + ## @param gitea.metrics.token used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public. + ## @param gitea.metrics.serviceMonitor.enabled Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. + ## @param gitea.metrics.serviceMonitor.interval Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. + ## @param gitea.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping. + ## @param gitea.metrics.serviceMonitor.scheme HTTP scheme to use for scraping. For example `http` or `https`. Default is http. + ## @param gitea.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used. + ## @param gitea.metrics.serviceMonitor.tlsConfig TLS configuration to use when scraping the metric endpoint by Prometheus. + metrics: + enabled: false + token: + serviceMonitor: + enabled: false + # additionalLabels: + # prometheus-release: prom1 + interval: "" + relabelings: [] + scheme: "" + scrapeTimeout: "" + tlsConfig: {} + + ## @param gitea.ldap LDAP configuration + ldap: + [] + # - name: "LDAP 1" + # existingSecret: + # securityProtocol: + # host: + # port: + # userSearchBase: + # userFilter: + # adminFilter: + # emailAttribute: + # bindDn: + # bindPassword: + # usernameAttribute: + # publicSSHKeyAttribute: + + # Either specify inline `key` and `secret` or refer to them via `existingSecret` + ## @param gitea.oauth OAuth configuration + oauth: + [] + # - name: 'OAuth 1' + # provider: + # key: + # secret: + # existingSecret: + # autoDiscoverUrl: + # useCustomUrls: + # customAuthUrl: + # customTokenUrl: + # customProfileUrl: + # customEmailUrl: + + ## @param gitea.config.server.SSH_PORT SSH port for rootlful Gitea image + ## @param gitea.config.server.SSH_LISTEN_PORT SSH port for rootless Gitea image + config: + # APP_NAME: "Gitea: Git with a cup of tea" + # RUN_MODE: dev + server: + SSH_PORT: 22 # rootful image + SSH_LISTEN_PORT: 2222 # rootless image + # + # security: + # PASSWORD_COMPLEXITY: spec + + ## @param gitea.additionalConfigSources Additional configuration from secret or configmap + additionalConfigSources: [] + # - secret: + # secretName: gitea-app-ini-oauth + # - configMap: + # name: gitea-app-ini-plaintext + + ## @param gitea.additionalConfigFromEnvs Additional configuration sources from environment variables + additionalConfigFromEnvs: [] + + ## @param gitea.podAnnotations Annotations for the Gitea pod + podAnnotations: {} + + ## @param gitea.ssh.logLevel Configure OpenSSH's log level. Only available for root-based Gitea image. + ssh: + logLevel: "INFO" + + ## @section LivenessProbe + # + ## @param gitea.livenessProbe.enabled Enable liveness probe + ## @param gitea.livenessProbe.tcpSocket.port Port to probe for liveness + ## @param gitea.livenessProbe.initialDelaySeconds Initial delay before liveness probe is initiated + ## @param gitea.livenessProbe.timeoutSeconds Timeout for liveness probe + ## @param gitea.livenessProbe.periodSeconds Period for liveness probe + ## @param gitea.livenessProbe.successThreshold Success threshold for liveness probe + ## @param gitea.livenessProbe.failureThreshold Failure threshold for liveness probe + # Modify the liveness probe for your needs or completely disable it by commenting out. + livenessProbe: + enabled: true + tcpSocket: + port: http + initialDelaySeconds: 200 + timeoutSeconds: 1 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 10 + + ## @section ReadinessProbe + # + ## @param gitea.readinessProbe.enabled Enable readiness probe + ## @param gitea.readinessProbe.tcpSocket.port Port to probe for readiness + ## @param gitea.readinessProbe.initialDelaySeconds Initial delay before readiness probe is initiated + ## @param gitea.readinessProbe.timeoutSeconds Timeout for readiness probe + ## @param gitea.readinessProbe.periodSeconds Period for readiness probe + ## @param gitea.readinessProbe.successThreshold Success threshold for readiness probe + ## @param gitea.readinessProbe.failureThreshold Failure threshold for readiness probe + # Modify the readiness probe for your needs or completely disable it by commenting out. + readinessProbe: + enabled: true + tcpSocket: + port: http + initialDelaySeconds: 5 + timeoutSeconds: 1 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + + # # Uncomment the startup probe to enable and modify it for your needs. + ## @section StartupProbe + # + ## @param gitea.startupProbe.enabled Enable startup probe + ## @param gitea.startupProbe.tcpSocket.port Port to probe for startup + ## @param gitea.startupProbe.initialDelaySeconds Initial delay before startup probe is initiated + ## @param gitea.startupProbe.timeoutSeconds Timeout for startup probe + ## @param gitea.startupProbe.periodSeconds Period for startup probe + ## @param gitea.startupProbe.successThreshold Success threshold for startup probe + ## @param gitea.startupProbe.failureThreshold Failure threshold for startup probe + startupProbe: + enabled: false + tcpSocket: + port: http + initialDelaySeconds: 60 + timeoutSeconds: 1 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 10 + +## @section valkey-cluster +## @param valkey-cluster.enabled Enable valkey cluster +# ⚠️ The valkey charts do not work well with special characters in the password (). +# Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed. +## @param valkey-cluster.usePassword Whether to use password authentication +## @param valkey-cluster.usePasswordFiles Whether to mount passwords as files instead of environment variables +## @param valkey-cluster.cluster.nodes Number of valkey cluster master nodes +## @param valkey-cluster.cluster.replicas Number of valkey cluster master node replicas +## @param valkey-cluster.service.ports.valkey Port of Valkey service +## @descriptionStart +## Valkey cluster and [Valkey](#valkey) cannot be enabled at the same time. +## @descriptionEnd +valkey-cluster: + enabled: false + usePassword: false + usePasswordFiles: false + cluster: + nodes: 3 # default: 6 + replicas: 0 # default: 1 + service: + ports: + valkey: 6379 + +## @section valkey +## @param valkey.enabled Enable valkey standalone or replicated +## @param valkey.architecture Whether to use standalone or replication +# ⚠️ The valkey charts do not work well with special characters in the password (). +# Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed. +## @param valkey.global.valkey.password Required password +## @param valkey.master.count Number of Valkey master instances to deploy +## @param valkey.master.service.ports.valkey Port of Valkey service +## @descriptionStart +## Valkey and [Valkey cluster](#valkey-cluster) cannot be enabled at the same time. +## @descriptionEnd +valkey: + enabled: false + architecture: standalone + global: + valkey: + password: changeme + master: + count: 1 + service: + ports: + valkey: 6379 + +## @section PostgreSQL HA +# +## @param postgresql-ha.enabled Enable PostgreSQL HA +## @param postgresql-ha.postgresql.password Password for the `gitea` user (overrides `auth.password`) +## @param postgresql-ha.global.postgresql.database Name for a custom database to create (overrides `auth.database`) +## @param postgresql-ha.global.postgresql.username Name for a custom user to create (overrides `auth.username`) +## @param postgresql-ha.global.postgresql.password Name for a custom password to create (overrides `auth.password`) +## @param postgresql-ha.postgresql.repmgrPassword Repmgr Password +## @param postgresql-ha.postgresql.postgresPassword postgres Password +## @param postgresql-ha.pgpool.adminPassword pgpool adminPassword +## @param postgresql-ha.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`) +## @param postgresql-ha.persistence.size PVC Storage Request for PostgreSQL HA volume +postgresql-ha: + enabled: false + global: + postgresql: + database: gitea + password: gitea + username: gitea + postgresql: + repmgrPassword: changeme2 + postgresPassword: changeme1 + password: changeme4 + pgpool: + adminPassword: changeme3 + service: + ports: + postgresql: 5432 + persistence: + size: 10Gi + +## @section PostgreSQL +# +## @param postgresql.enabled Enable PostgreSQL +## @param postgresql.global.postgresql.auth.password Password for the `gitea` user (overrides `auth.password`) +## @param postgresql.global.postgresql.auth.database Name for a custom database to create (overrides `auth.database`) +## @param postgresql.global.postgresql.auth.username Name for a custom user to create (overrides `auth.username`) +## @param postgresql.global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`) +## @param postgresql.primary.persistence.size PVC Storage Request for PostgreSQL volume +postgresql: + enabled: false + global: + postgresql: + auth: + password: gitea + database: gitea + username: gitea + service: + ports: + postgresql: 5432 + primary: + persistence: + size: 10Gi + storageClass: openebs-3-replicas + +# By default, removed or moved settings that still remain in a user defined values.yaml will cause Helm to fail running the install/update. +# Set it to false to skip this basic validation check. +## @section Advanced +## @param checkDeprecation Set it to false to skip this basic validation check. +## @param test.enabled Set it to false to disable test-connection Pod. +## @param test.image.name Image name for the wget container used in the test-connection Pod. +## @param test.image.tag Image tag for the wget container used in the test-connection Pod. +checkDeprecation: true +test: + enabled: true + image: + name: busybox + tag: latest + +## @param extraDeploy Array of extra objects to deploy with the release +## +extraDeploy: []