Allow existing secrets for passwords (#170)

Allow admin user and password to be configured via existing secrets

Allow LDAP bindDn and bindPassword to be configured via existing secrets

Update Readme

Fixes: #169

Co-authored-by: Lucas Hahn <lucas.hahn@novum-rgi.de>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/170
Reviewed-by: techknowlogick <techknowlogick@gitea.io>
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: luhahn <luhahn@noreply.gitea.io>
Co-committed-by: luhahn <luhahn@noreply.gitea.io>

.drone.yml

@@ -9,7 +9,7 @@ platform:
 steps:
 - name: lint
   pull: always
-  image: alpine:3.12
+  image: alpine:3.13
   commands:
     - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
     - helm lint
@@ -42,21 +42,22 @@ trigger:
 steps:
   - name: generate-chart
     pull: always
-    image: alpine:3.12
+    image: alpine:3.13
     commands:
       - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
+      - apk add --no-cache curl
       - helm dependency update
       - helm package --version "${DRONE_TAG##v}" ./
       - mkdir gitea
       - mv gitea*.tgz gitea/
-      - wget -O gitea/index.yaml https://dl.gitea.io/charts/index.yaml
+      - curl -L -o gitea/index.yaml https://dl.gitea.io/charts/index.yaml
       - helm repo index gitea/ --url https://dl.gitea.io/charts --merge gitea/index.yaml
 
   - name: upload-chart
     pull: always
     image: plugins/s3:latest
     settings:
-      bucket: releases
+      bucket: gitea-artifacts
       endpoint: https://storage.gitea.io
       path_style: true
       access_key:

Chart.yaml

@@ -3,7 +3,7 @@ name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
-appVersion: 1.13.7
+appVersion: 1.14.2
 icon: https://docs.gitea.io/images/gitea.png
 
 keywords:

README.md

@@ -32,6 +32,13 @@ Dependencies:
 * Helm 3.0+
 * PV provisioner for persistent data support
 
+## Gitea Version 1.14.X repository ROOT
+
+Previously the ROOT folder for the gitea repositories was located at /data/git/gitea-repositories
+1.14 changed this to /data/gitea-repositories.
+
+This chart will set the gitea.config.repository.ROOT value default to /data/git/gitea-repositories
+
 ## Examples
 
 ### Gitea Configuration
@@ -198,6 +205,17 @@ If the built in cache should not be used simply configure the cache in gitea.con
 Gitea will be deployed as a statefulset. By simply enabling the persistence and setting the storage class according to your cluster
 everything else will be taken care of. The following example will create a PVC as a part of the statefulset. This PVC will not be deleted even if you uninstall the chart.
 
+Please note, that an empty storageClass in the persistence will result in kubernetes using your default storage class.
+
+If you want to use your own storageClass define it as followed:
+
+```yaml
+persistence:
+  enabled: true
+  storageClass: myOwnStorageClass
+
+```
+
 When using Postgresql as dependency, this will also be deployed as a statefulset by default.
 
 If you want to manage your own PVC you can simply pass the PVC name to the chart.
@@ -244,6 +262,25 @@ You cannot use `admin` as username.
       email: "gi@tea.com"
 ```
 
+You can also use an existing Secret to configure the admin user:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-admin-secret
+type: Opaque
+stringData:
+  username: MyAwesomeGiteaAdmin
+  password: AReallyAwesomeGiteaPassword
+```
+
+```yaml
+gitea:
+    admin:
+      existingSecret: gitea-admin-secret
+```
+
 ### LDAP Settings
 
 Like the admin user the LDAP settings can be updated, but also disabled or deleted.
@@ -288,6 +325,26 @@ kebab-case:
       bind-password: JustAnotherBindPw
       username-attribute: CN
 ```
+
+You can also use an existing secret to set the bindDn and bindPassword:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-ldap-secret
+type: Opaque
+stringData:
+  bindDn: CN=ldap read,OU=Spezial,DC=example,DC=com
+  bindPassword: JustAnotherBindPw
+```
+
+```yaml
+gitea:
+    ldap:
+      existingSecret: gitea-ldap-secret
+```
+
 ### OAuth2 Settings
 
 Like the admin user the OAuth2 settings can be updated but also disabled or deleted.
@@ -369,14 +426,16 @@ Annotations can be added to the Gitea pod.
 | extraVolumeMounts                         | Additional volumes mounts for the Gitea containers     | {}          |
 | initPreScript                             | Bash script copied verbatim to start of init container |             |
 | securityContext                           | Run as a specific securityContext                      | {}          |
+| schedulerName                             | Use an alternate scheduler, e.g. "stork"               |             |
 
 ### Image
 
 | Parameter           | Description                       | Default                      |
 |---------------------|-----------------------------------|------------------------------|
 |image.repository| Image to start for this pod | gitea/gitea |
-|image.tag| [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated) | 1.13.7 |
+|image.tag| [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated) | 1.14.2 |
 |image.pullPolicy| Image pull policy | Always |
+|image.rootless | Wether or not to pull the rootless version of gitea, only works on gitea 1.14.x or higher | false |
 
 ### Persistence
 
@@ -405,11 +464,22 @@ Annotations can be added to the Gitea pod.
 |---------------------|-----------------------------------|------------------------------|
 |service.http.type| Kubernetes service type for web traffic | ClusterIP |
 |service.http.port| Port for web traffic | 3000 |
+|service.http.clusterIP| ClusterIP setting for http autosetup for statefulset is None | None |
+|service.http.loadBalancerIP| LoadBalancer Ip setting | |
+|service.http.nodePort| NodePort for http service | |
+|service.http.externalTrafficPolicy| If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation | |
+|service.http.externalIPs| http service external IP addresses | 3000 |
+|service.http.loadBalancerSourceRanges| Source range filter for http loadbalancer | [] |
+|service.http.annotations| http service annotations | |
+
 |service.ssh.type| Kubernetes service type for ssh traffic | ClusterIP |
 |service.ssh.port| Port for ssh traffic | 22 |
+|service.ssh.loadBalancerIP| LoadBalancer Ip setting | |
+|service.ssh.nodePort| NodePort for ssh service | |
 |service.ssh.externalTrafficPolicy| If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation | |
-|service.ssh.externalIPs| SSH service external IP addresses |[]|
-|service.ssh.annotations| Additional ssh annotations for the ssh service ||
+|service.ssh.externalIPs| ssh service external IP addresses | 3000 |
+|service.ssh.loadBalancerSourceRanges| Source range filter for ssh loadbalancer | [] |
+|service.ssh.annotations| ssh service annotations | |
 
 ### Gitea Configuration
 

templates/_helpers.tpl

@@ -31,6 +31,16 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*
+Create image name and tag used by the deployment.
+*/}}
+{{- define "gitea.image" -}}
+{{- $name := .Values.image.repository -}}
+{{- $tag := ternary .Values.image.version .Values.image.tag (hasKey .Values.image "version") -}}
+{{- $rootless := ternary "-rootless" "" (.Values.image.rootless) -}}
+{{- printf "%s:%s%s" $name $tag $rootless -}}
+{{- end -}}
+
 {{/*
 Common labels
 */}}
@@ -98,9 +108,21 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
 {{- define "gitea.ldap_settings" -}}
+{{- if or (not (hasKey .Values.gitea.ldap "bindDn")) (not (hasKey .Values.gitea.ldap "bind-dn")) -}}
+{{- $_ := set .Values.gitea.ldap "bindDn" "" -}}
+{{- end -}}
+
+{{- if or (not (hasKey .Values.gitea.ldap "bindPassword")) (not (hasKey .Values.gitea.ldap "bind-password")) -}}
+{{- $_ := set .Values.gitea.ldap "bindPassword" "" -}}
+{{- end -}}
+
 {{- range $key, $val := .Values.gitea.ldap -}}
-{{- if ne $key "enabled" -}}
-{{- if eq $key "port" -}}
+{{- if and (ne $key "enabled") (ne $key "existingSecret") -}}
+{{- if eq  ($key | kebabcase) "bind-dn" -}}
+{{- printf "--%s %s " ($key | kebabcase) ("${GITEA_LDAP_BIND_DN}" | quote ) -}}
+{{- else if eq ($key | kebabcase) "bind-password" -}}
+{{- printf "--%s %s " ($key | kebabcase) ("${GITEA_LDAP_PASSWORD}" | quote ) -}}
+{{- else if eq $key "port" -}}
 {{- printf "--%s %d " ($key | kebabcase) ($val | int) -}}
 {{- else -}}
 {{- printf "--%s %s " ($key | kebabcase) ($val | quote) -}}
@@ -115,4 +137,4 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- printf "--%s %s " ($key | kebabcase) ($val | quote) -}}
 {{- end -}}
 {{- end -}}
-{{- end -}}
+{{- end -}}

templates/gitea/config.yaml

@@ -27,12 +27,21 @@ stringData:
     {{- $_ := set .Values.gitea.config "security" dict -}}
     {{- end -}}
 
-    {{- /* security default settings */ -}}   
+    {{- if not .Values.gitea.config.repository -}}
+    {{- $_ := set .Values.gitea.config "repository" dict -}}
+    {{- end -}}
+
+    {{- /* repository default settings */ -}}
+    {{- if not .Values.gitea.config.repository.ROOT -}}
+    {{- $_ := set .Values.gitea.config.repository "ROOT" "/data/git/gitea-repositories" -}}
+    {{- end -}}
+
+    {{- /* security default settings */ -}}
     {{- if not .Values.gitea.config.security.INSTALL_LOCK -}}
     {{- $_ := set .Values.gitea.config.security "INSTALL_LOCK" "true" -}}
     {{- end -}}
 
-    {{- /* server default settings */ -}}   
+    {{- /* server default settings */ -}}
     {{- if not (hasKey .Values.gitea.config.server "HTTP_PORT") -}}
     {{- $_ := set .Values.gitea.config.server "HTTP_PORT" .Values.service.http.port -}}
     {{- end -}}
@@ -64,7 +73,16 @@ stringData:
     {{- $_ := set .Values.gitea.config.server "SSH_PORT" .Values.service.ssh.port -}}
     {{- end -}}
     {{- if not (hasKey .Values.gitea.config.server "SSH_LISTEN_PORT") -}}
+    {{- if not .Values.image.rootless -}}
     {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" .Values.gitea.config.server.SSH_PORT -}}
+    {{- else -}}
+    {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" "2222" -}}
+    {{- end -}}
+    {{- end -}}
+    {{- if not (hasKey .Values.gitea.config.server "START_SSH_SERVER") -}}
+    {{- if .Values.image.rootless -}}
+    {{- $_ := set .Values.gitea.config.server "START_SSH_SERVER" "true" -}}
+    {{- end -}}
     {{- end -}}
     {{- if not (hasKey .Values.gitea.config.server "APP_DATA_PATH") -}}
     {{- $_ := set .Values.gitea.config.server "APP_DATA_PATH" "/data" -}}
@@ -80,7 +98,7 @@ stringData:
 
     {{- /* database default settings */ -}}
     {{- if .Values.gitea.database.builtIn.postgresql.enabled -}}
-    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "postgres" -}} 
+    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "postgres" -}}
     {{- if not (.Values.gitea.config.database.HOST) -}}
     {{- $_ := set .Values.gitea.config.database "HOST"      (include "postgresql.dns" .) -}}
     {{- end -}}
@@ -88,7 +106,7 @@ stringData:
     {{- $_ := set .Values.gitea.config.database "USER"      .Values.postgresql.global.postgresql.postgresqlUsername -}}
     {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.postgresql.global.postgresql.postgresqlPassword -}}
     {{ else if .Values.gitea.database.builtIn.mysql.enabled -}}
-    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "mysql" -}} 
+    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "mysql" -}}
     {{- if not (.Values.gitea.config.database.HOST) -}}
     {{- $_ := set .Values.gitea.config.database "HOST"      (include "mysql.dns" .) -}}
     {{- end -}}
@@ -113,7 +131,7 @@ stringData:
     {{- $_ := set .Values.gitea.config.cache "HOST" (include "memcached.dns" .) -}}
     {{- end -}}
     {{- end -}}
-    
+
     {{- /* autogenerate app.ini */ -}}
     {{- range $key, $value := .Values.gitea.config  }}
     {{- if kindIs "map" $value }}
@@ -127,4 +145,4 @@ stringData:
     {{- else }}
     {{ $key | upper }} = {{ $value }}
     {{- end }}
-    {{- end }}
+    {{- end }}

templates/gitea/http-svc.yaml

@@ -11,6 +11,19 @@ spec:
   {{- if and .Values.service.http.loadBalancerIP (eq .Values.service.http.type "LoadBalancer") }}
   loadBalancerIP: {{ .Values.service.http.loadBalancerIP  }}
   {{- end }}
+  {{- if .Values.service.http.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+  {{- range .Values.service.http.loadBalancerSourceRanges }}
+    - {{ . }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.service.http.externalIPs }}
+  externalIPs:
+    {{- toYaml .Values.service.http.externalIPs | nindent 4 }}
+  {{- end }}
+  {{- if .Values.service.http.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .Values.service.http.externalTrafficPolicy }}
+  {{- end }}
   {{- if and .Values.service.http.clusterIP (eq .Values.service.http.type "ClusterIP") }}
   clusterIP: {{ .Values.service.http.clusterIP }}
   {{- end }}

templates/gitea/init.yaml

@@ -16,22 +16,38 @@ stringData:
     # END: initPreScript
     {{- end }}
 
+    {{- if not .Values.image.rootless }}
     chown 1000:1000 /data
+    {{- end }}
     mkdir -p /data/git/.ssh
     chmod -R 700 /data/git/.ssh
     mkdir -p /data/gitea/conf
+
+    # prepare temp directory structure
+    mkdir -p "${GITEA_TEMP}"
+    chown 1000:1000 "${GITEA_TEMP}"
+    chmod ug+rwx "${GITEA_TEMP}"
+
+    # Copy config file to writable volume
     cp /etc/gitea/conf/app.ini /data/gitea/conf/app.ini
     chmod a+rwx /data/gitea/conf/app.ini
     {{- if include "db.servicename" . }}
+    # Wait for database to become avialble
     nc -v -w2 -z {{ include "db.servicename" . }} {{ include "db.port" . }} && \
     {{- end }}
+    {{- if not .Values.image.rootless }}
     su git -c ' \
+    {{- end }}
     set -x; \
     gitea migrate; \
     {{- if and .Values.gitea.admin.username .Values.gitea.admin.password }}
-    gitea admin create-user --username  {{ .Values.gitea.admin.username }} --password {{ .Values.gitea.admin.password | quote }} --email {{ .Values.gitea.admin.email }} --admin --must-change-password=false \
+    gitea admin create-user --username  "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email }} --admin --must-change-password=false \
     || \
-    gitea admin change-password --username {{ .Values.gitea.admin.username }} --password {{ .Values.gitea.admin.password | quote }}; \
+    gitea admin change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" \
+    || \
+    gitea admin user create --username  "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email }} --admin --must-change-password=false \
+    || \
+    gitea admin user change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}"; \
     {{- end }}
     {{- if .Values.gitea.ldap.enabled }}
     gitea admin auth add-ldap \
@@ -53,4 +69,6 @@ stringData:
       {{- include "gitea.oauth_settings" . | nindent 6 }} \
     ) \
     {{- end }}
+    {{- if not .Values.image.rootless }}
     '
+    {{- end }}

templates/gitea/servicemonitor.yaml

@@ -5,8 +5,8 @@ metadata:
   name: {{ include "gitea.fullname" . }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
-    {{- if .Values.gitea.metrics.serviceMonitor.prometheusSelector }}
-    prometheus: {{ .Values.gitea.metrics.serviceMonitor.prometheusSelector }}
+    {{- if .Values.gitea.metrics.serviceMonitor.additionalLabels }}
+    {{- toYaml .Values.gitea.metrics.serviceMonitor.additionalLabels | nindent 4 }}
     {{- end }}
 spec:
   selector:

templates/gitea/statefulset.yaml

@@ -28,6 +28,9 @@ spec:
         {{- toYaml .Values.statefulset.labels | nindent 8 }}
         {{- end }}
     spec:
+      {{- if .Values.schedulerName }}
+      schedulerName: "{{ .Values.schedulerName }}"
+      {{- end }}
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -36,16 +39,59 @@ spec:
         fsGroup: 1000
       initContainers:
         - name: init
-          image: "{{ .Values.image.repository }}:{{ ternary .Values.image.version .Values.image.tag (hasKey .Values.image "version") }}"
+          image: "{{ include "gitea.image" . }}"
           command: ["/usr/sbin/init_gitea.sh"]
           env:
-          {{- range .Values.statefulset.env }}
-          - name: {{ .name | quote | nospace }}
-            value: {{ .value | quote }}
-          {{- end }}
+            - name: GITEA_APP_INI
+              value: /data/gitea/conf/app.ini
+            - name: GITEA_CUSTOM
+              value: /data/gitea
+            - name: GITEA_WORK_DIR
+              value: /data
+            - name: GITEA_TEMP
+              value: /tmp/gitea
+            {{- if .Values.gitea.ldap.existingSecret }}
+            - name: GITEA_LDAP_BIND_DN
+              valueFrom:
+                secretKeyRef:
+                  key:  bindDn
+                  name: {{ .Values.gitea.ldap.existingSecret }}
+            - name: GITEA_LDAP_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key:  bindPassword
+                  name: {{ .Values.gitea.ldap.existingSecret }}
+            {{- else }}
+            - name: GITEA_LDAP_BIND_DN
+              value: {{ .Values.gitea.ldap.bindDn | quote }}
+            - name: GITEA_ADMIN_PASSWORD
+              value: {{ .Values.gitea.ldap.bindPassword | quote }}
+            {{- end }}
+            {{- if .Values.gitea.admin.existingSecret }}
+            - name: GITEA_ADMIN_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  key:  username
+                  name: {{ .Values.gitea.admin.existingSecret }}
+            - name: GITEA_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key:  password
+                  name: {{ .Values.gitea.admin.existingSecret }}
+            {{- else }}
+            - name: GITEA_ADMIN_USERNAME
+              value: {{ .Values.gitea.admin.username | quote }}
+            - name: GITEA_ADMIN_PASSWORD
+              value: {{ .Values.gitea.admin.password | quote }}
+            {{- end }}
+            {{- if .Values.statefulset.env }}
+            {{- toYaml .Values.statefulset.env | nindent 12 }}
+            {{- end }}
           volumeMounts:
             - name: init
               mountPath: /usr/sbin
+            - name: temp
+              mountPath: /tmp
             - name: config
               mountPath: /etc/gitea/conf
             - name: data
@@ -56,7 +102,7 @@ spec:
       terminationGracePeriodSeconds: {{ .Values.statefulset.terminationGracePeriodSeconds }}
       containers:
         - name: {{ .Chart.Name }}
-          image: "{{ .Values.image.repository }}:{{ ternary .Values.image.version .Values.image.tag (hasKey .Values.image "version") }}"
+          image: "{{ include "gitea.image" . }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           env:
             # SSH Port values have to be set here as well for openssh configuration
@@ -64,9 +110,18 @@ spec:
               value: {{ .Values.gitea.config.server.SSH_LISTEN_PORT | quote }}
             - name: SSH_PORT
               value: {{ .Values.gitea.config.server.SSH_PORT | quote }}
-            {{- range .Values.statefulset.env }}
-            - name: {{ .name | quote | nospace }}
-              value: {{ .value | quote }}
+            - name: GITEA_APP_INI
+              value: /data/gitea/conf/app.ini
+            - name: GITEA_CUSTOM
+              value: /data/gitea
+            - name: GITEA_WORK_DIR
+              value: /data
+            - name: GITEA_TEMP
+              value: /tmp/gitea
+            - name: TMPDIR
+              value: /tmp/gitea
+            {{- if .Values.statefulset.env }}
+            {{- toYaml .Values.statefulset.env | nindent 12 }}
             {{- end }}
           ports:
             - name: ssh
@@ -121,6 +176,8 @@ spec:
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
           volumeMounts:
+            - name: temp
+              mountPath: /tmp
             - name: data
               mountPath: /data
             {{- if .Values.extraVolumeMounts }}
@@ -149,6 +206,8 @@ spec:
         {{- if .Values.extraVolumes }}
         {{- toYaml .Values.extraVolumes | nindent 8 }}
         {{- end }}
+        - name: temp
+          emptyDir: {}
   {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
         - name: data
           persistentVolumeClaim:

values.yaml

@@ -8,12 +8,23 @@ clusterDomain: cluster.local
 
 image:
   repository: gitea/gitea
-  tag: 1.13.7
+  tag: 1.14.2
   pullPolicy: Always
+  rootless: false # only possible when running 1.14 or later
 
 imagePullSecrets: []
 
+# only usable with rootless image due to image design
 securityContext: {}
+#  allowPrivilegeEscalation: false
+#  capabilities:
+#    drop:
+#      - ALL
+#  privileged: false
+#  readOnlyRootFilesystem: true
+#  runAsGroup: 1000
+#  runAsNonRoot: true
+#  runAsUser: 1000
 
 service:
   http:
@@ -22,6 +33,9 @@ service:
     clusterIP: None
     #loadBalancerIP:
     #nodePort:
+    #externalTrafficPolicy:
+    #externalIPs:
+    loadBalancerSourceRanges: []
     annotations:
   ssh:
     type: ClusterIP
@@ -58,6 +72,11 @@ resources: {}
   #   cpu: 100m
   #   memory: 128Mi
 
+## Use an alternate scheduler, e.g. "stork".
+## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+##
+# schedulerName:
+
 nodeSelector: {}
 
 tolerations: []
@@ -79,6 +98,7 @@ persistence:
     - ReadWriteOnce
   labels: {}
   annotations: {}
+  # storageClass:
 
 # additional volumes to add to the Gitea statefulset.
 extraVolumes:
@@ -107,6 +127,7 @@ initPreScript: ""
 
 gitea:
   admin:
+    #existingSecret: gitea-admin-secret
     username: gitea_admin
     password: r8sA8CPHD9!bt6d
     email: "gitea@local.domain"
@@ -115,29 +136,31 @@ gitea:
     enabled: false
     serviceMonitor:
       enabled: false
-      # prometheusSelector: default
+      #  additionalLabels:
+      #    prometheus-release: prom1
 
   ldap:
     enabled: false
-    #name: 
-    #securityProtocol: 
-    #host: 
-    #port: 
-    #userSearchBase: 
-    #userFilter: 
-    #adminFilter: 
-    #emailAttribute: 
-    #bindDn: 
-    #bindPassword: 
-    #usernameAttribute: 
+    #existingSecret: gitea-ldap-secret
+    #name:
+    #securityProtocol:
+    #host:
+    #port:
+    #userSearchBase:
+    #userFilter:
+    #adminFilter:
+    #emailAttribute:
+    #bindDn:
+    #bindPassword:
+    #usernameAttribute:
     #sshPublicKeyAttribute:
 
   oauth:
     enabled: false
     #name:
     #provider:
-    #key: 
-    #secret: 
+    #key:
+    #secret:
     #autoDiscoverUrl:
     #useCustomUrls:
     #customAuthUrl: