Add sshPublicKeyAttribute attribute setting for ldap auth，and Allow setting labels and annotations for gitea pvc. (#76)

1. sshPublicKeyAttribute is useful to sync ssh public keys from ldap.
2. It would be easier to set pvc annotations/labels for those who are using storage services from cloud providers.

Co-authored-by: 钱卫春 <qianwch@chinasofti.com>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/76
Reviewed-by: techknowlogick <techknowlogick@gitea.io>
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Co-authored-by: sanigo <sanigo@noreply.gitea.io>
Co-committed-by: sanigo <sanigo@noreply.gitea.io>

Chart.yaml

@@ -3,7 +3,7 @@ name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
-appVersion: 1.13.0
+appVersion: 1.13.1
 icon: https://docs.gitea.io/images/gitea.png
 
 keywords:

README.md

@@ -95,6 +95,16 @@ ROOT_URL = http://git.example.com
 SSH_DOMAIN = git.example.com
 SSH_LISTEN_PORT = 22
 SSH_PORT = 22
+ENABLE_PPROF = false
+```
+
+#### Metrics defaults
+
+The Prometheus `/metrics` endpoint is disabled by default.
+
+```ini
+[metrics]
+ENABLED = false
 ```
 
 ### External Database
@@ -224,6 +234,7 @@ You can interact with the postgres settings as displayed in the following exampl
 
 This chart enables you to create a default admin user. It is also possible to update the password for this user by upgrading or redeloying the chart.
 It is not possible to delete an admin user after it has been created. This has to be done in the ui.
+You cannot use `admin` as username.
 
 ```yaml
   gitea:
@@ -256,6 +267,7 @@ camelCase:
       bindDn: CN=ldap read,OU=Spezial,DC=example,DC=com
       bindPassword: JustAnotherBindPw
       usernameAttribute: CN
+      sshPublicKeyAttribute: sshPublicKey
 ```
 
 kebab-case:
@@ -277,6 +289,24 @@ kebab-case:
       username-attribute: CN
 ```
 
+### Metrics and profiling
+
+A Prometheus `/metrics` endpoint on the `HTTP_PORT` and `pprof` profiling endpoints on port 6060 can be enabled under `gitea`. Beware that the metrics endpoint is exposed via the ingress, manage access using ingress annotations for example.
+
+To deploy the `ServiceMonitor`, you first need to ensure that you have deployed `prometheus-operator` and its CRDs: https://github.com/prometheus-operator/prometheus-operator#customresourcedefinitions.
+
+```yaml
+gitea:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+
+  config:
+    server:
+      PPROF_ENABLED: true
+```
+
 ### Pod Annotations
 
 Annotations can be added to the Gitea pod.
@@ -290,17 +320,20 @@ Annotations can be added to the Gitea pod.
 
 ### Others
 
-| Parameter           | Description                       | Default                      |
+| Parameter                                 | Description                                            | Default     |
-|---------------------|-----------------------------------|------------------------------|
+|-------------------------------------------|--------------------------------------------------------|-------------|
-|statefulset.terminationGracePeriodSeconds| Image to start for this pod | gitea/gitea |
+| statefulset.terminationGracePeriodSeconds | Image to start for this pod                            | gitea/gitea |
-|statefulset.env           | Additional environment variables to pass to containers | [] |
+| statefulset.env                           | Additional environment variables to pass to containers | []          |
+| extraVolumes                              | Additional volumes to mount to the Gitea statefulset   | {}          |
+| extraVolumeMounts                         | Additional volumes mounts for the Gitea containers     | {}          |
+| initPreScript                             | Bash script copied verbatim to start of init container |             |
 
 ### Image
 
 | Parameter           | Description                       | Default                      |
 |---------------------|-----------------------------------|------------------------------|
 |image.repository| Image to start for this pod | gitea/gitea |
-|image.tag| [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated) | 1.13.0 |
+|image.tag| [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated) | 1.13.1 |
 |image.pullPolicy| Image pull policy | Always |
 
 ### Persistence
@@ -312,6 +345,8 @@ Annotations can be added to the Gitea pod.
 |persistence.size| Size for persistence to store repo information | 10Gi |
 |persistence.accessModes|AccessMode for persistence||
 |persistence.storageClass|Storage class for repository persistence||
+|persistence.labels|Labels for the persistence volume claim to be created|{}|
+|persistence.annotations|Annotations for the persistence volume claim to be created|{}|
 
 ### Ingress
 

templates/_helpers.tpl

@@ -99,7 +99,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- range $key, $val := .Values.gitea.ldap -}}
 {{- if ne $key "enabled" -}}
 {{- if eq $key "port" -}}
-{{- printf "--%s %s " ($key | kebabcase) $val -}}
+{{- printf "--%s %d " ($key | kebabcase) ($val | int) -}}
 {{- else -}}
 {{- printf "--%s %s " ($key | kebabcase) ($val | quote) -}}
 {{- end -}}

templates/gitea/config.yaml

@@ -15,6 +15,10 @@ stringData:
     {{- $_ := set .Values.gitea.config "server" dict -}}
     {{- end -}}
 
+    {{- if not (hasKey .Values.gitea.config "metrics") -}}
+    {{- $_ := set .Values.gitea.config "metrics" dict -}}
+    {{- end -}}
+
     {{- if not (hasKey .Values.gitea.config "database") -}}
     {{- $_ := set .Values.gitea.config "database" dict -}}
     {{- end -}}
@@ -65,6 +69,14 @@ stringData:
     {{- if not (hasKey .Values.gitea.config.server "APP_DATA_PATH") -}}
     {{- $_ := set .Values.gitea.config.server "APP_DATA_PATH" "/data" -}}
     {{- end -}}
+    {{- if not (hasKey .Values.gitea.config.server "PPROF_ENABLED") -}}
+    {{- $_ := set .Values.gitea.config.server "PPROF_ENABLED" false -}}
+    {{- end -}}
+
+    {{- /* metrics default settings */ -}}
+    {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
+    {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
+    {{- end -}}
 
     {{- /* database default settings */ -}}
     {{- if .Values.gitea.database.builtIn.postgresql.enabled -}}

templates/gitea/init.yaml

@@ -8,6 +8,14 @@ type: Opaque
 stringData:
   init_gitea.sh: |-
     #!/bin/bash
+    {{- if .Values.initPreScript }}
+    # BEGIN: initPreScript
+    {{- with .Values.initPreScript -}}
+    {{ . | nindent 4}}
+    {{- end -}}
+    # END: initPreScript
+    {{- end }}
+
     mkdir -p /data/git/.ssh
     chmod -R 700 /data/git/.ssh
     mkdir -p /data/gitea/conf
@@ -32,4 +40,4 @@ stringData:
       {{- include "gitea.ldap_settings" . | nindent 6 }} \
     ) \
     {{- end }}
-    '
+    '

templates/gitea/servicemonitor.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.gitea.metrics.serviceMonitor.enabled -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "gitea.fullname" . }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "gitea.selectorLabels" . | nindent 6 }}
+  endpoints:
+  - port: http
+{{- end -}}

templates/gitea/statefulset.yaml

@@ -14,6 +14,7 @@ spec:
     metadata:
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/gitea/config.yaml") . | sha256sum }}
+        checksum/ldap: {{ include "gitea.ldap_settings" . | sha256sum }}
         {{- with .Values.gitea.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -30,6 +31,11 @@ spec:
         - name: init
           image: "{{ .Values.image.repository }}:{{ ternary .Values.image.version .Values.image.tag (hasKey .Values.image "version") }}"
           command: ["/usr/sbin/init_gitea.sh"]
+          env:
+          {{- range .Values.statefulset.env }}
+          - name: {{ .name | quote | nospace }}
+            value: {{ .value | quote }}
+          {{- end }}
           volumeMounts:
             - name: init
               mountPath: /usr/sbin
@@ -37,6 +43,9 @@ spec:
               mountPath: /etc/gitea/conf
             - name: data
               mountPath: /data
+            {{- if .Values.extraVolumeMounts }}
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+            {{- end }}
       terminationGracePeriodSeconds: {{ .Values.statefulset.terminationGracePeriodSeconds }}
       containers:
         - name: {{ .Chart.Name }}
@@ -57,6 +66,10 @@ spec:
               containerPort: {{ .Values.gitea.config.server.SSH_LISTEN_PORT }}
             - name: http
               containerPort: {{ .Values.gitea.config.server.HTTP_PORT }}
+            {{- if .Values.gitea.config.server.PPROF_ENABLED }}
+            - name: profiler
+              containerPort: 6060
+            {{- end }}
           livenessProbe:
             tcpSocket:
               port: http
@@ -77,6 +90,9 @@ spec:
           volumeMounts:
             - name: data
               mountPath: /data
+            {{- if .Values.extraVolumeMounts }}
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+            {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -97,6 +113,9 @@ spec:
         - name: config
           secret:
             secretName: {{ include "gitea.fullname" . }}
+        {{- if .Values.extraVolumes }}
+        {{- toYaml .Values.extraVolumes | nindent 8 }}
+        {{- end }}
   {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
         - name: data
           persistentVolumeClaim:
@@ -108,6 +127,18 @@ spec:
   volumeClaimTemplates:
     - metadata:
         name: data
+      {{- with .Values.persistence.annotations }}
+        annotations:
+        {{- range $key, $value := . }}
+          {{ $key }}: {{ $value }}
+        {{- end }}
+      {{- end }}
+      {{- with .Values.persistence.labels }}
+        labels:
+        {{- range $key, $value := . }}
+          {{ $key }}: {{ $value }}
+        {{- end }}
+      {{- end }}
       spec:
         accessModes:
           {{- range .Values.persistence.accessModes }}

values.yaml

@@ -8,7 +8,7 @@ clusterDomain: cluster.local
 
 image:
   repository: gitea/gitea
-  tag: 1.13.0
+  tag: 1.13.1
   pullPolicy: Always
 
 imagePullSecrets: []
@@ -69,10 +69,37 @@ statefulset:
 
 persistence:
   enabled: true
-  # existingClaim: 
+  # existingClaim:
   size: 10Gi
   accessModes:
     - ReadWriteOnce
+  labels: {}
+  annotations: {}
+
+# additional volumes to add to the Gitea statefulset.
+extraVolumes:
+# - name: postgres-ssl-vol
+#   secret:
+#     secretName: gitea-postgres-ssl
+
+
+# additional volumes to mount, both to the init container and to the main
+# container. As an example, can be used to mount a client cert when connecting
+# to an external Postgres server.
+extraVolumeMounts:
+# - name: postgres-ssl-vol
+#   readOnly: true
+#   mountPath: "/pg-ssl"
+
+# bash shell script copied verbatim to the start of the init-container.
+initPreScript: ""
+#
+# initPreScript: |
+#   mkdir -p /data/git/.postgresql
+#   cp /pg-ssl/* /data/git/.postgresql/
+#   chown -R git:git /data/git/.postgresql/
+#   chmod 400 /data/git/.postgresql/postgresql.key
+
 
 gitea:
   admin:
@@ -80,6 +107,11 @@ gitea:
     password: r8sA8CPHD9!bt6d
     email: "gitea@local.domain"
 
+  metrics:
+    enabled: false
+    serviceMonitor:
+      enabled: false
+
   ldap:
     enabled: false
     #name: 
@@ -93,11 +125,12 @@ gitea:
     #bindDn: 
     #bindPassword: 
     #usernameAttribute: 
+    #sshPublicKeyAttribute:
 
   config: {}
   #  APP_NAME: "Gitea: Git with a cup of tea"
-  #  RUN_MODE: dev   
+  #  RUN_MODE: dev
-  #   
+  #
   #  server:
   #    SSH_PORT: 22
   #