update to latest v of alpine

Signed-off-by: techknowlogick <techknowlogick@gitea.io>

.drone.yml

@@ -9,7 +9,7 @@ platform:
 steps:
 - name: lint
   pull: always
-  image: alpine:3.12
+  image: alpine:3.13
   commands:
     - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
     - helm lint
@@ -42,14 +42,15 @@ trigger:
 steps:
   - name: generate-chart
     pull: always
-    image: alpine:3.12
+    image: alpine:3.13
     commands:
       - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
+      - apk add --no-cache curl
       - helm dependency update
       - helm package --version "${DRONE_TAG##v}" ./
       - mkdir gitea
       - mv gitea*.tgz gitea/
-      - wget -O gitea/index.yaml https://dl.gitea.io/charts/index.yaml
+      - curl -L -o gitea/index.yaml https://dl.gitea.io/charts/index.yaml
       - helm repo index gitea/ --url https://dl.gitea.io/charts --merge gitea/index.yaml
 
   - name: upload-chart

.gitignore

@@ -1,2 +1,3 @@
 charts
 Chart.lock
+.DS_Store

Chart.yaml

@@ -3,7 +3,7 @@ name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
-appVersion: 1.13.1
+appVersion: 1.14.1
 icon: https://docs.gitea.io/images/gitea.png
 
 keywords:

README.md

@@ -5,12 +5,12 @@
 ## Introduction
 
 This helm chart has taken some inspiration from <https://github.com/jfelten/gitea-helm-chart>
-But takes a completly different approach in providing database and cache with dependencies.
-Also this chart provides LDAP and admin user configuration with values as well as it is deployed as statefulset to retain stored repositories.
+But takes a completely different approach in providing a database and cache with dependencies.
+Additionally, this chart provides LDAP and admin user configuration with values, as well as being deployed as a statefulset to retain stored repositories.
 
 ## Dependencies
 
-Gitea can be run with external database and cache. This chart provides those dependencies, which can be
+Gitea can be run with an external database and cache. This chart provides those dependencies, which can be
 enabled, or disabled via [configuration](#configuration).
 
 Dependencies:
@@ -32,11 +32,18 @@ Dependencies:
 * Helm 3.0+
 * PV provisioner for persistent data support
 
+## Gitea Version 1.14.X repository ROOT
+
+Previously the ROOT folder for the gitea repositories was located at /data/git/gitea-repositories
+1.14 changed this to /data/gitea-repositories.
+
+This chart will set the gitea.config.repository.ROOT value default to /data/git/gitea-repositories
+
 ## Examples
 
 ### Gitea Configuration
 
-Gitea offers lots of configuration. This is fully described in the [Gitea Cheat Sheet](https://docs.gitea.io/en-us/config-cheat-sheet/).
+Gitea offers lots of configuration options. This is fully described in the [Gitea Cheat Sheet](https://docs.gitea.io/en-us/config-cheat-sheet/).
 
 ```yaml
   gitea:
@@ -58,7 +65,7 @@ INSTALL_LOCK is always set to true, since we want to configure gitea with this h
 
 #### Database defaults
 
-If a builtIn database is enabled the database configuration is set automatically. For example postgresql builtIn which will appear in the app.ini as:
+If a builtIn database is enabled the database configuration is set automatically. For example, postgresql builtIn will appear in the app.ini as:
 
 ```ini
 [database]
@@ -71,7 +78,7 @@ USER = gitea
 
 #### Memcached defaults
 
-Memcached is handled the exakt same way as database builtIn. Once memcached builtIn is enabled, this chart will generate the following part in the app.ini:
+Memcached is handled the exact same way as database builtIn. Once memcached builtIn is enabled, this chart will generate the following part in the app.ini:
 
 ```ini
 [cache]
@@ -95,6 +102,16 @@ ROOT_URL = http://git.example.com
 SSH_DOMAIN = git.example.com
 SSH_LISTEN_PORT = 22
 SSH_PORT = 22
+ENABLE_PPROF = false
+```
+
+#### Metrics defaults
+
+The Prometheus `/metrics` endpoint is disabled by default.
+
+```ini
+[metrics]
+ENABLED = false
 ```
 
 ### External Database
@@ -186,8 +203,19 @@ If the built in cache should not be used simply configure the cache in gitea.con
 ### Persistence
 
 Gitea will be deployed as a statefulset. By simply enabling the persistence and setting the storage class according to your cluster
-everything else will be taken care of. The following example will create a PVC as a part of the statefulset. This PVC will not be deleted
-even if you uninstall the chart.
+everything else will be taken care of. The following example will create a PVC as a part of the statefulset. This PVC will not be deleted even if you uninstall the chart.
+
+Please note, that an empty storageClass in the persistence will result in kubernetes using your default storage class.
+
+If you want to use your own storageClass define it as followed:
+
+```yaml
+persistence:
+  enabled: true
+  storageClass: myOwnStorageClass
+
+```
+
 When using Postgresql as dependency, this will also be deployed as a statefulset by default.
 
 If you want to manage your own PVC you can simply pass the PVC name to the chart.
@@ -224,6 +252,7 @@ You can interact with the postgres settings as displayed in the following exampl
 
 This chart enables you to create a default admin user. It is also possible to update the password for this user by upgrading or redeloying the chart.
 It is not possible to delete an admin user after it has been created. This has to be done in the ui.
+You cannot use `admin` as username.
 
 ```yaml
   gitea:
@@ -235,7 +264,7 @@ It is not possible to delete an admin user after it has been created. This has t
 
 ### LDAP Settings
 
-Like the admin user the LDAP settings can be updated but also disabled or deleted.
+Like the admin user the LDAP settings can be updated, but also disabled or deleted.
 All LDAP values from <https://docs.gitea.io/en-us/command-line/#admin> are available.
 You can either use them in camel case or kebab case.
 
@@ -256,6 +285,7 @@ camelCase:
       bindDn: CN=ldap read,OU=Spezial,DC=example,DC=com
       bindPassword: JustAnotherBindPw
       usernameAttribute: CN
+      sshPublicKeyAttribute: sshPublicKey
 ```
 
 kebab-case:
@@ -276,6 +306,65 @@ kebab-case:
       bind-password: JustAnotherBindPw
       username-attribute: CN
 ```
+### OAuth2 Settings
+
+Like the admin user the OAuth2 settings can be updated but also disabled or deleted.
+All OAuth2 values from <https://docs.gitea.io/en-us/command-line/#admin> are available.
+You can either use them in camel case or kebab case.
+
+camelCase:
+
+```yaml
+  gitea:
+    oauth:
+      enabled: true
+      name: 'MyAwesomeGiteaOAuth'
+      provider: 'openidConnect'
+      key: 'hello'
+      secret: 'world'
+      autoDiscoverUrl: 'https://gitea.example.com/.well-known/openid-configuration'
+      #useCustomUrls:
+      #customAuthUrl:
+      #customTokenUrl:
+      #customProfileUrl:
+      #customEmailUrl:
+```
+
+kebab-case:
+
+```yaml
+  gitea:
+    oauth:
+      enabled: true
+      name: 'MyAwesomeGiteaOAuth'
+      provider: 'openidConnect'
+      key: 'hello'
+      secret: 'world'
+      auto-discover-url: 'https://gitea.example.com/.well-known/openid-configuration'
+      #use-custom-urls:
+      #custom-auth-url:
+      #custom-token-url:
+      #custom-profile-url:
+      #custom-email-url:
+```
+
+### Metrics and profiling
+
+A Prometheus `/metrics` endpoint on the `HTTP_PORT` and `pprof` profiling endpoints on port 6060 can be enabled under `gitea`. Beware that the metrics endpoint is exposed via the ingress, manage access using ingress annotations for example.
+
+To deploy the `ServiceMonitor`, you first need to ensure that you have deployed `prometheus-operator` and its CRDs: https://github.com/prometheus-operator/prometheus-operator#customresourcedefinitions.
+
+```yaml
+gitea:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+
+  config:
+    server:
+      ENABLE_PPROF: true
+```
 
 ### Pod Annotations
 
@@ -291,17 +380,23 @@ Annotations can be added to the Gitea pod.
 ### Others
 
 | Parameter                                 | Description                                            | Default     |
-|---------------------|-----------------------------------|------------------------------|
+|-------------------------------------------|--------------------------------------------------------|-------------|
 | statefulset.terminationGracePeriodSeconds | Image to start for this pod                            | gitea/gitea |
 | statefulset.env                           | Additional environment variables to pass to containers | []          |
+| extraVolumes                              | Additional volumes to mount to the Gitea statefulset   | {}          |
+| extraVolumeMounts                         | Additional volumes mounts for the Gitea containers     | {}          |
+| initPreScript                             | Bash script copied verbatim to start of init container |             |
+| securityContext                           | Run as a specific securityContext                      | {}          |
+| schedulerName                             | Use an alternate scheduler, e.g. "stork"               |             |
 
 ### Image
 
 | Parameter           | Description                       | Default                      |
 |---------------------|-----------------------------------|------------------------------|
 |image.repository| Image to start for this pod | gitea/gitea |
-|image.tag| [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated) | 1.13.1 |
+|image.tag| [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated) | 1.14.2 |
 |image.pullPolicy| Image pull policy | Always |
+|image.rootless | Wether or not to pull the rootless version of gitea, only works on gitea 1.14.x or higher | false |
 
 ### Persistence
 
@@ -312,6 +407,8 @@ Annotations can be added to the Gitea pod.
 |persistence.size| Size for persistence to store repo information | 10Gi |
 |persistence.accessModes|AccessMode for persistence||
 |persistence.storageClass|Storage class for repository persistence||
+|persistence.labels|Labels for the persistence volume claim to be created|{}|
+|persistence.annotations|Annotations for the persistence volume claim to be created|{}|
 
 ### Ingress
 
@@ -328,11 +425,22 @@ Annotations can be added to the Gitea pod.
 |---------------------|-----------------------------------|------------------------------|
 |service.http.type| Kubernetes service type for web traffic | ClusterIP |
 |service.http.port| Port for web traffic | 3000 |
+|service.http.clusterIP| ClusterIP setting for http autosetup for statefulset is None | None |
+|service.http.loadBalancerIP| LoadBalancer Ip setting | |
+|service.http.nodePort| NodePort for http service | |
+|service.http.externalTrafficPolicy| If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation | |
+|service.http.externalIPs| http service external IP addresses | 3000 |
+|service.http.loadBalancerSourceRanges| Source range filter for http loadbalancer | [] |
+|service.http.annotations| http service annotations | |
+
 |service.ssh.type| Kubernetes service type for ssh traffic | ClusterIP |
 |service.ssh.port| Port for ssh traffic | 22 |
+|service.ssh.loadBalancerIP| LoadBalancer Ip setting | |
+|service.ssh.nodePort| NodePort for ssh service | |
 |service.ssh.externalTrafficPolicy| If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation | |
-|service.ssh.externalIPs| SSH service external IP addresses |[]|
-|service.ssh.annotations| Additional ssh annotations for the ssh service ||
+|service.ssh.externalIPs| ssh service external IP addresses | 3000 |
+|service.ssh.loadBalancerSourceRanges| Source range filter for ssh loadbalancer | [] |
+|service.ssh.annotations| ssh service annotations | |
 
 ### Gitea Configuration
 
@@ -340,6 +448,34 @@ Annotations can be added to the Gitea pod.
 |---------------------|-----------------------------------|------------------------------|
 |gitea.config | Everything in app.ini can be configured with this dict. See Examples for more details | {} |
 
+### Gitea Probes
+
+Configure Liveness, Readiness and Startup [Probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)
+
+| Parameter           | Description                       | Default                      |
+|---------------------|-----------------------------------|------------------------------|
+|gitea.livenessProbe.enabled | Enable liveness probe | true |
+|gitea.livenessProbe.initialDelaySeconds | Delay before probe start| 200 |
+|gitea.livenessProbe.timeoutSeconds | probe timeout | 1 |
+|gitea.livenessProbe.periodSeconds | period between probes | 10 |
+|gitea.livenessProbe.successThreshold | Minimum consecutive success probes | 1 |
+|gitea.livenessProbe.failureThreshold | Minimum consecutive error probes | 10 |
+|gitea.readinessProbe.enabled | Enable readiness probe | true |
+|gitea.readinessProbe.initialDelaySeconds | Delay before probe start| 200 |
+|gitea.readinessProbe.timeoutSeconds | probe timeout | 1 |
+|gitea.readinessProbe.periodSeconds | period between probes | 10 |
+|gitea.readinessProbe.successThreshold | Minimum consecutive success probes | 1 |
+|gitea.readinessProbe.failureThreshold | Minimum consecutive error probes | 10 |
+|gitea.startupProbe.enabled | Enable startup probe | false |
+|gitea.startupProbe.initialDelaySeconds | Delay before probe start| 200 |
+|gitea.startupProbe.timeoutSeconds | probe timeout | 1 |
+|gitea.startupProbe.periodSeconds | period between probes | 10 |
+|gitea.startupProbe.successThreshold | Minimum consecutive success probes | 1 |
+|gitea.startupProbe.failureThreshold | Minimum consecutive error probes | 10 |
+|gitea.customLivenessProbe | Custom liveness probe (needs `gitea.livenessProbe.enabled: false`) |  |
+|gitea.customReadinessProbe | Custom readiness probe (needs `gitea.readinessProbe.enabled: false`) |  |
+|gitea.customStartupProbe | Custom startup probe (needs `gitea.startupProbe.enabled: false`) |  |
+
 ### Memcached BuiltIn
 
 Memcached is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/memcached) if enabled in the values. Complete Configuration can be taken from their website.
@@ -367,7 +503,7 @@ The following parameters are the defaults set by this chart
 
 ### Postgresql BuiltIn
 
-Postgresql is loaded as a dependency from bitnami. Configuration can be found from this [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql)
+Postgresql is loaded as a dependency from Bitnami. The chart configuration can be found from this [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) repository.
 
 The following parameters are the defaults set by this chart
 

templates/_helpers.tpl

@@ -31,14 +31,26 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*
+Create image name and tag used by the deployment.
+*/}}
+{{- define "gitea.image" -}}
+{{- $name := .Values.image.repository -}}
+{{- $tag := ternary .Values.image.version .Values.image.tag (hasKey .Values.image "version") -}}
+{{- $rootless := ternary "-rootless" "" (.Values.image.rootless) -}}
+{{- printf "%s:%s%s" $name $tag $rootless -}}
+{{- end -}}
+
 {{/*
 Common labels
 */}}
 {{- define "gitea.labels" -}}
 helm.sh/chart: {{ include "gitea.chart" . }}
+app: {{ include "gitea.name" . }}
 {{ include "gitea.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}
@@ -58,7 +70,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- printf "%s-mysql" .Release.Name -}}
 {{- else if .Values.gitea.database.builtIn.mariadb.enabled -}}
 {{- printf "%s-mariadb" .Release.Name -}}
-{{- else -}}
+{{- else if ne .Values.gitea.config.database.DB_TYPE "sqlite3" -}}
 {{- $parts := split ":" .Values.gitea.config.database.HOST -}}
 {{- printf "%s %s" $parts._0 $parts._1 -}}
 {{- end -}}
@@ -99,10 +111,18 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- range $key, $val := .Values.gitea.ldap -}}
 {{- if ne $key "enabled" -}}
 {{- if eq $key "port" -}}
-{{- printf "--%s %s " ($key | kebabcase) $val -}}
+{{- printf "--%s %d " ($key | kebabcase) ($val | int) -}}
 {{- else -}}
 {{- printf "--%s %s " ($key | kebabcase) ($val | quote) -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
+
+{{- define "gitea.oauth_settings" -}}
+{{- range $key, $val := .Values.gitea.oauth -}}
+{{- if ne $key "enabled" -}}
+{{- printf "--%s %s " ($key | kebabcase) ($val | quote) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}

templates/gitea/config.yaml

@@ -15,6 +15,10 @@ stringData:
     {{- $_ := set .Values.gitea.config "server" dict -}}
     {{- end -}}
 
+    {{- if not (hasKey .Values.gitea.config "metrics") -}}
+    {{- $_ := set .Values.gitea.config "metrics" dict -}}
+    {{- end -}}
+
     {{- if not (hasKey .Values.gitea.config "database") -}}
     {{- $_ := set .Values.gitea.config "database" dict -}}
     {{- end -}}
@@ -23,6 +27,15 @@ stringData:
     {{- $_ := set .Values.gitea.config "security" dict -}}
     {{- end -}}
 
+    {{- if not .Values.gitea.config.repository -}}
+    {{- $_ := set .Values.gitea.config "repository" dict -}}
+    {{- end -}}
+
+    {{- /* repository default settings */ -}}
+    {{- if not .Values.gitea.config.repository.ROOT -}}
+    {{- $_ := set .Values.gitea.config.repository "ROOT" "/data/git/gitea-repositories" -}}
+    {{- end -}}
+
     {{- /* security default settings */ -}}
     {{- if not .Values.gitea.config.security.INSTALL_LOCK -}}
     {{- $_ := set .Values.gitea.config.security "INSTALL_LOCK" "true" -}}
@@ -60,11 +73,28 @@ stringData:
     {{- $_ := set .Values.gitea.config.server "SSH_PORT" .Values.service.ssh.port -}}
     {{- end -}}
     {{- if not (hasKey .Values.gitea.config.server "SSH_LISTEN_PORT") -}}
+    {{- if not .Values.image.rootless -}}
     {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" .Values.gitea.config.server.SSH_PORT -}}
+    {{- else -}}
+    {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" "2222" -}}
+    {{- end -}}
+    {{- end -}}
+    {{- if not (hasKey .Values.gitea.config.server "START_SSH_SERVER") -}}
+    {{- if .Values.image.rootless -}}
+    {{- $_ := set .Values.gitea.config.server "START_SSH_SERVER" "true" -}}
+    {{- end -}}
     {{- end -}}
     {{- if not (hasKey .Values.gitea.config.server "APP_DATA_PATH") -}}
     {{- $_ := set .Values.gitea.config.server "APP_DATA_PATH" "/data" -}}
     {{- end -}}
+    {{- if not (hasKey .Values.gitea.config.server "ENABLE_PPROF") -}}
+    {{- $_ := set .Values.gitea.config.server "ENABLE_PPROF" false -}}
+    {{- end -}}
+
+    {{- /* metrics default settings */ -}}
+    {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
+    {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
+    {{- end -}}
 
     {{- /* database default settings */ -}}
     {{- if .Values.gitea.database.builtIn.postgresql.enabled -}}

templates/gitea/http-svc.yaml

@@ -11,6 +11,19 @@ spec:
   {{- if and .Values.service.http.loadBalancerIP (eq .Values.service.http.type "LoadBalancer") }}
   loadBalancerIP: {{ .Values.service.http.loadBalancerIP  }}
   {{- end }}
+  {{- if .Values.service.http.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+  {{- range .Values.service.http.loadBalancerSourceRanges }}
+    - {{ . }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.service.http.externalIPs }}
+  externalIPs:
+    {{- toYaml .Values.service.http.externalIPs | nindent 4 }}
+  {{- end }}
+  {{- if .Values.service.http.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .Values.service.http.externalTrafficPolicy }}
+  {{- end }}
   {{- if and .Values.service.http.clusterIP (eq .Values.service.http.type "ClusterIP") }}
   clusterIP: {{ .Values.service.http.clusterIP }}
   {{- end }}

templates/gitea/init.yaml

@@ -8,19 +8,39 @@ type: Opaque
 stringData:
   init_gitea.sh: |-
     #!/bin/bash
+    {{- if .Values.initPreScript }}
+    # BEGIN: initPreScript
+    {{- with .Values.initPreScript -}}
+    {{ . | nindent 4}}
+    {{- end -}}
+    # END: initPreScript
+    {{- end }}
+
+    chown 1000:1000 /data
     mkdir -p /data/git/.ssh
     chmod -R 700 /data/git/.ssh
     mkdir -p /data/gitea/conf
+
+    # Copy config file to writable volume
     cp /etc/gitea/conf/app.ini /data/gitea/conf/app.ini
     chmod a+rwx /data/gitea/conf/app.ini
+    {{- if include "db.servicename" . }}
+    # Wait for database to become avialble
     nc -v -w2 -z {{ include "db.servicename" . }} {{ include "db.port" . }} && \
+    {{- end }}
+    {{- if not .Values.image.rootless }}
     su git -c ' \
+    {{- end }}
     set -x; \
     gitea migrate; \
     {{- if and .Values.gitea.admin.username .Values.gitea.admin.password }}
-    gitea admin create-user --username  {{ .Values.gitea.admin.username }} --password '{{ .Values.gitea.admin.password }}' --email {{ .Values.gitea.admin.email }} --admin --must-change-password=false \
+    gitea admin create-user --username  {{ .Values.gitea.admin.username }} --password {{ .Values.gitea.admin.password | quote }} --email {{ .Values.gitea.admin.email }} --admin --must-change-password=false \
     || \
-    gitea admin change-password --username {{ .Values.gitea.admin.username }} --password '{{ .Values.gitea.admin.password }}'; \
+    gitea admin change-password --username {{ .Values.gitea.admin.username }} --password {{ .Values.gitea.admin.password | quote }} \
+    || \
+    gitea admin user create --username  {{ .Values.gitea.admin.username }} --password {{ .Values.gitea.admin.password | quote }} --email {{ .Values.gitea.admin.email }} --admin --must-change-password=false \
+    || \
+    gitea admin user change-password --username {{ .Values.gitea.admin.username }} --password {{ .Values.gitea.admin.password | quote }}; \
     {{- end }}
     {{- if .Values.gitea.ldap.enabled }}
     gitea admin auth add-ldap \
@@ -32,4 +52,16 @@ stringData:
       {{- include "gitea.ldap_settings" . | nindent 6 }} \
     ) \
     {{- end }}
+    {{- if .Values.gitea.oauth.enabled }}
+    gitea admin auth add-oauth \
+    {{- include "gitea.oauth_settings" . | nindent 6 }} \
+    || \
+    ( \
+      export GITEA_AUTH_ID=$(gitea admin auth list | grep {{ .Values.gitea.oauth.name | quote }} | awk -F " "  "{print \$1}"); \
+      gitea admin auth update-oauth --id ${GITEA_AUTH_ID} \
+      {{- include "gitea.oauth_settings" . | nindent 6 }} \
+    ) \
+    {{- end }}
+    {{- if not .Values.image.rootless }}
     '
+    {{- end }}

templates/gitea/servicemonitor.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.gitea.metrics.serviceMonitor.enabled -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "gitea.fullname" . }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    {{- if .Values.gitea.metrics.serviceMonitor.additionalLabels }}
+    {{- toYaml .Values.gitea.metrics.serviceMonitor.additionalLabels | nindent 4 }}
+    {{- end }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "gitea.selectorLabels" . | nindent 6 }}
+  endpoints:
+  - port: http
+{{- end -}}

templates/gitea/ssh-svc.yaml

@@ -8,8 +8,16 @@ metadata:
     {{- toYaml .Values.service.ssh.annotations | nindent 4 }}
 spec:
   type: {{ .Values.service.ssh.type }}
-  {{- if and .Values.service.ssh.loadBalancerIP (eq .Values.service.ssh.type "LoadBalancer") }}
+  {{- if eq .Values.service.ssh.type "LoadBalancer" }}
+  {{- if .Values.service.ssh.loadBalancerIP }}
   loadBalancerIP: {{ .Values.service.ssh.loadBalancerIP }}
+  {{- end -}}
+  {{- if .Values.service.ssh.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+  {{- range .Values.service.ssh.loadBalancerSourceRanges }}
+    - {{ . }}
+  {{- end }}
+  {{- end }}
   {{- end }}
   {{- if and .Values.service.ssh.clusterIP (eq .Values.service.ssh.type "ClusterIP") }}
   clusterIP: {{ .Values.service.ssh.clusterIP }}

templates/gitea/statefulset.yaml

@@ -9,17 +9,28 @@ spec:
   selector:
     matchLabels:
       {{- include "gitea.selectorLabels" . | nindent 6 }}
+      {{- if .Values.statefulset.labels }}
+      {{- toYaml .Values.statefulset.labels | nindent 6 }}
+      {{- end }}
   serviceName: {{ include "gitea.fullname" . }}
   template:
     metadata:
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/gitea/config.yaml") . | sha256sum }}
+        checksum/ldap: {{ include "gitea.ldap_settings" . | sha256sum }}
+        checksum/oauth: {{ include "gitea.oauth_settings" . | sha256sum }}
         {{- with .Values.gitea.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
       labels:
-        {{- include "gitea.selectorLabels" . | nindent 8 }}
+        {{- include "gitea.labels" . | nindent 8 }}
+        {{- if .Values.statefulset.labels }}
+        {{- toYaml .Values.statefulset.labels | nindent 8 }}
+        {{- end }}
     spec:
+      {{- if .Values.schedulerName }}
+      schedulerName: "{{ .Values.schedulerName }}"
+      {{- end }}
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -28,8 +39,18 @@ spec:
         fsGroup: 1000
       initContainers:
         - name: init
-          image: "{{ .Values.image.repository }}:{{ ternary .Values.image.version .Values.image.tag (hasKey .Values.image "version") }}"
+          image: "{{ include "gitea.image" . }}"
           command: ["/usr/sbin/init_gitea.sh"]
+          env:
+            - name: GITEA_APP_INI
+              value: /data/gitea/conf/app.ini
+            - name: GITEA_CUSTOM
+              value: /data/gitea
+            - name: GITEA_WORK_DIR
+              value: /data
+            {{- if .Values.statefulset.env }}
+            {{- toYaml .Values.statefulset.env | nindent 12 }}
+            {{- end }}
           volumeMounts:
             - name: init
               mountPath: /usr/sbin
@@ -37,10 +58,13 @@ spec:
               mountPath: /etc/gitea/conf
             - name: data
               mountPath: /data
+            {{- if .Values.extraVolumeMounts }}
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+            {{- end }}
       terminationGracePeriodSeconds: {{ .Values.statefulset.terminationGracePeriodSeconds }}
       containers:
         - name: {{ .Chart.Name }}
-          image: "{{ .Values.image.repository }}:{{ ternary .Values.image.version .Values.image.tag (hasKey .Values.image "version") }}"
+          image: "{{ include "gitea.image" . }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           env:
             # SSH Port values have to be set here as well for openssh configuration
@@ -48,35 +72,79 @@ spec:
               value: {{ .Values.gitea.config.server.SSH_LISTEN_PORT | quote }}
             - name: SSH_PORT
               value: {{ .Values.gitea.config.server.SSH_PORT | quote }}
-            {{- range .Values.statefulset.env }}
-            - name: {{ .name | quote | nospace }}
-              value: {{ .value | quote }}
+            - name: GITEA_APP_INI
+              value: /data/gitea/conf/app.ini
+            - name: GITEA_CUSTOM
+              value: /data/gitea
+            - name: GITEA_WORK_DIR
+              value: /data
+            - name: GITEA_TEMP
+              value: /tmp/gitea
+            - name: TMPDIR
+              value: /tmp/gitea
+            {{- if .Values.statefulset.env }}
+            {{- toYaml .Values.statefulset.env | nindent 12 }}
             {{- end }}
           ports:
             - name: ssh
               containerPort: {{ .Values.gitea.config.server.SSH_LISTEN_PORT }}
             - name: http
               containerPort: {{ .Values.gitea.config.server.HTTP_PORT }}
+            {{- if .Values.gitea.config.server.ENABLE_PPROF }}
+            - name: profiler
+              containerPort: 6060
+            {{- end }}
+          {{- if .Values.gitea.livenessProbe.enabled }}
           livenessProbe:
             tcpSocket:
               port: http
-            initialDelaySeconds: 200
-            timeoutSeconds: 1
-            periodSeconds: 10
-            successThreshold: 1
-            failureThreshold: 10
+            initialDelaySeconds: {{ .Values.gitea.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.gitea.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.gitea.livenessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.gitea.livenessProbe.successThreshold }}
+            failureThreshold: {{ .Values.gitea.livenessProbe.failureThreshold }}
+          {{- else if .Values.gitea.customLivenessProbe }}
+          livenessProbe:
+            {{- toYaml .Values.gitea.customLivenessProbe | nindent 12 }}
+          {{- end }}
+          {{- if .Values.gitea.readinessProbe.enabled }}
           readinessProbe:
             tcpSocket:
               port: http
-            initialDelaySeconds: 5
-            periodSeconds: 10
-            successThreshold: 1
-            failureThreshold: 3
+            initialDelaySeconds: {{ .Values.gitea.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.gitea.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.gitea.readinessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.gitea.readinessProbe.successThreshold }}
+            failureThreshold: {{ .Values.gitea.readinessProbe.failureThreshold }}
+          {{- else if .Values.gitea.customReadinessProbe }}
+          readinessProbe:
+            {{- toYaml .Values.gitea.customReadinessProbe | nindent 12 }}
+          {{- end }}
+          {{- if .Values.gitea.startupProbe.enabled }}
+          startupProbe:
+            tcpSocket:
+              port: http
+            initialDelaySeconds: {{ .Values.gitea.startupProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.gitea.startupProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.gitea.startupProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.gitea.startupProbe.successThreshold }}
+            failureThreshold: {{ .Values.gitea.startupProbe.failureThreshold }}
+          {{- else if .Values.gitea.customStartupProbe }}
+          startupProbe:
+            {{- toYaml .Values.gitea.customStartupProbe | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
           volumeMounts:
+            - name: temp
+              mountPath: /tmp
             - name: data
               mountPath: /data
+            {{- if .Values.extraVolumeMounts }}
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+            {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -97,6 +165,11 @@ spec:
         - name: config
           secret:
             secretName: {{ include "gitea.fullname" . }}
+        {{- if .Values.extraVolumes }}
+        {{- toYaml .Values.extraVolumes | nindent 8 }}
+        {{- end }}
+        - name: temp
+          emptyDir: {}
   {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
         - name: data
           persistentVolumeClaim:
@@ -108,6 +181,18 @@ spec:
   volumeClaimTemplates:
     - metadata:
         name: data
+      {{- with .Values.persistence.annotations }}
+        annotations:
+        {{- range $key, $value := . }}
+          {{ $key }}: {{ $value }}
+        {{- end }}
+      {{- end }}
+      {{- with .Values.persistence.labels }}
+        labels:
+        {{- range $key, $value := . }}
+          {{ $key }}: {{ $value }}
+        {{- end }}
+      {{- end }}
       spec:
         accessModes:
           {{- range .Values.persistence.accessModes }}

values.yaml

@@ -8,11 +8,24 @@ clusterDomain: cluster.local
 
 image:
   repository: gitea/gitea
-  tag: 1.13.1
+  tag: 1.14.2
   pullPolicy: Always
+  rootless: false # only possible when running 1.14 or later
 
 imagePullSecrets: []
 
+# only usable with rootless image due to image design
+securityContext: {}
+#  allowPrivilegeEscalation: false
+#  capabilities:
+#    drop:
+#      - ALL
+#  privileged: false
+#  readOnlyRootFilesystem: true
+#  runAsGroup: 1000
+#  runAsNonRoot: true
+#  runAsUser: 1000
+
 service:
   http:
     type: ClusterIP
@@ -20,6 +33,9 @@ service:
     clusterIP: None
     #loadBalancerIP:
     #nodePort:
+    #externalTrafficPolicy:
+    #externalIPs:
+    loadBalancerSourceRanges: []
     annotations:
   ssh:
     type: ClusterIP
@@ -29,6 +45,7 @@ service:
     #nodePort:
     #externalTrafficPolicy:
     #externalIPs:
+    loadBalancerSourceRanges: []
     annotations:
 
 ingress:
@@ -55,6 +72,11 @@ resources: {}
   #   cpu: 100m
   #   memory: 128Mi
 
+## Use an alternate scheduler, e.g. "stork".
+## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+##
+# schedulerName:
+
 nodeSelector: {}
 
 tolerations: []
@@ -66,6 +88,7 @@ statefulset:
     # - name: VARIABLE
     #   value: my-value
   terminationGracePeriodSeconds: 60
+  labels: {}
 
 persistence:
   enabled: true
@@ -73,6 +96,34 @@ persistence:
   size: 10Gi
   accessModes:
     - ReadWriteOnce
+  labels: {}
+  annotations: {}
+  # storageClass:
+
+# additional volumes to add to the Gitea statefulset.
+extraVolumes:
+# - name: postgres-ssl-vol
+#   secret:
+#     secretName: gitea-postgres-ssl
+
+
+# additional volumes to mount, both to the init container and to the main
+# container. As an example, can be used to mount a client cert when connecting
+# to an external Postgres server.
+extraVolumeMounts:
+# - name: postgres-ssl-vol
+#   readOnly: true
+#   mountPath: "/pg-ssl"
+
+# bash shell script copied verbatim to the start of the init-container.
+initPreScript: ""
+#
+# initPreScript: |
+#   mkdir -p /data/git/.postgresql
+#   cp /pg-ssl/* /data/git/.postgresql/
+#   chown -R git:git /data/git/.postgresql/
+#   chmod 400 /data/git/.postgresql/postgresql.key
+
 
 gitea:
   admin:
@@ -80,6 +131,13 @@ gitea:
     password: r8sA8CPHD9!bt6d
     email: "gitea@local.domain"
 
+  metrics:
+    enabled: false
+    serviceMonitor:
+      enabled: false
+      #  additionalLabels:
+      #    prometheus-release: prom1
+
   ldap:
     enabled: false
     #name:
@@ -93,6 +151,20 @@ gitea:
     #bindDn:
     #bindPassword:
     #usernameAttribute:
+    #sshPublicKeyAttribute:
+
+  oauth:
+    enabled: false
+    #name:
+    #provider:
+    #key:
+    #secret:
+    #autoDiscoverUrl:
+    #useCustomUrls:
+    #customAuthUrl:
+    #customTokenUrl:
+    #customProfileUrl:
+    #customEmailUrl:
 
   config: {}
   #  APP_NAME: "Gitea: Git with a cup of tea"
@@ -119,6 +191,52 @@ gitea:
     builtIn:
       enabled: true
 
+  livenessProbe:
+    enabled: true
+    initialDelaySeconds: 200
+    timeoutSeconds: 1
+    periodSeconds: 10
+    successThreshold: 1
+    failureThreshold: 10
+  readinessProbe:
+    enabled: true
+    initialDelaySeconds: 5
+    timeoutSeconds: 1
+    periodSeconds: 10
+    successThreshold: 1
+    failureThreshold: 3
+  startupProbe:
+    enabled: false
+    initialDelaySeconds: 60
+    periodSeconds: 10
+    successThreshold: 1
+    failureThreshold: 10
+
+  # customLivenessProbe:
+  #   httpGet:
+  #     path: /user/login
+  #     port: http
+  #   initialDelaySeconds: 60
+  #   periodSeconds: 10
+  #   successThreshold: 1
+  #   failureThreshold: 10
+  # customReadinessProbe:
+  #   httpGet:
+  #     path: /user/login
+  #     port: http
+  #   initialDelaySeconds: 5
+  #   periodSeconds: 10
+  #   successThreshold: 1
+  #   failureThreshold: 3
+  # customStartupProbe:
+  #   httpGet:
+  #     path: /user/login
+  #     port: http
+  #   initialDelaySeconds: 60
+  #   periodSeconds: 10
+  #   successThreshold: 1
+  #   failureThreshold: 10
+
 memcached:
   service:
     port: 11211